1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/skbuff.h> 12 #include <linux/netlink.h> 13 #include <linux/vmalloc.h> 14 #include <linux/rhashtable.h> 15 #include <linux/audit.h> 16 #include <linux/netfilter.h> 17 #include <linux/netfilter/nfnetlink.h> 18 #include <linux/netfilter/nf_tables.h> 19 #include <net/netfilter/nf_flow_table.h> 20 #include <net/netfilter/nf_tables_core.h> 21 #include <net/netfilter/nf_tables.h> 22 #include <net/netfilter/nf_tables_offload.h> 23 #include <net/net_namespace.h> 24 #include <net/sock.h> 25 26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 27 #define NFT_SET_MAX_ANONLEN 16 28 29 unsigned int nf_tables_net_id __read_mostly; 30 31 static LIST_HEAD(nf_tables_expressions); 32 static LIST_HEAD(nf_tables_objects); 33 static LIST_HEAD(nf_tables_flowtables); 34 static LIST_HEAD(nf_tables_destroy_list); 35 static LIST_HEAD(nf_tables_gc_list); 36 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 37 static DEFINE_SPINLOCK(nf_tables_gc_list_lock); 38 39 enum { 40 NFT_VALIDATE_SKIP = 0, 41 NFT_VALIDATE_NEED, 42 NFT_VALIDATE_DO, 43 }; 44 45 static struct rhltable nft_objname_ht; 46 47 static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 48 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 49 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 50 51 static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 52 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 53 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 54 55 static const struct rhashtable_params nft_chain_ht_params = { 56 .head_offset = offsetof(struct nft_chain, rhlhead), 57 .key_offset = offsetof(struct nft_chain, name), 58 .hashfn = nft_chain_hash, 59 .obj_hashfn = nft_chain_hash_obj, 60 .obj_cmpfn = nft_chain_hash_cmp, 61 .automatic_shrinking = true, 62 }; 63 64 static const struct rhashtable_params nft_objname_ht_params = { 65 .head_offset = offsetof(struct nft_object, rhlhead), 66 .key_offset = offsetof(struct nft_object, key), 67 .hashfn = nft_objname_hash, 68 .obj_hashfn = nft_objname_hash_obj, 69 .obj_cmpfn = nft_objname_hash_cmp, 70 .automatic_shrinking = true, 71 }; 72 73 struct nft_audit_data { 74 struct nft_table *table; 75 int entries; 76 int op; 77 struct list_head list; 78 }; 79 80 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types 81 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER, 82 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID, 83 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER, 84 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER, 85 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID, 86 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER, 87 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER, 88 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID, 89 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER, 90 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER, 91 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID, 92 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER, 93 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER, 94 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID, 95 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER, 96 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER, 97 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID, 98 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID, 99 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER, 100 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID, 101 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER, 102 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET, 103 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER, 104 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID, 105 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 106 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET, 107 }; 108 109 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state) 110 { 111 switch (table->validate_state) { 112 case NFT_VALIDATE_SKIP: 113 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 114 break; 115 case NFT_VALIDATE_NEED: 116 break; 117 case NFT_VALIDATE_DO: 118 if (new_validate_state == NFT_VALIDATE_NEED) 119 return; 120 } 121 122 table->validate_state = new_validate_state; 123 } 124 static void nf_tables_trans_destroy_work(struct work_struct *w); 125 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); 126 127 static void nft_trans_gc_work(struct work_struct *work); 128 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work); 129 130 static void nft_ctx_init(struct nft_ctx *ctx, 131 struct net *net, 132 const struct sk_buff *skb, 133 const struct nlmsghdr *nlh, 134 u8 family, 135 struct nft_table *table, 136 struct nft_chain *chain, 137 const struct nlattr * const *nla) 138 { 139 ctx->net = net; 140 ctx->family = family; 141 ctx->level = 0; 142 ctx->table = table; 143 ctx->chain = chain; 144 ctx->nla = nla; 145 ctx->portid = NETLINK_CB(skb).portid; 146 ctx->report = nlmsg_report(nlh); 147 ctx->flags = nlh->nlmsg_flags; 148 ctx->seq = nlh->nlmsg_seq; 149 } 150 151 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 152 int msg_type, u32 size, gfp_t gfp) 153 { 154 struct nft_trans *trans; 155 156 trans = kzalloc(sizeof(struct nft_trans) + size, gfp); 157 if (trans == NULL) 158 return NULL; 159 160 INIT_LIST_HEAD(&trans->list); 161 INIT_LIST_HEAD(&trans->binding_list); 162 trans->msg_type = msg_type; 163 trans->ctx = *ctx; 164 165 return trans; 166 } 167 168 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 169 int msg_type, u32 size) 170 { 171 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 172 } 173 174 static void nft_trans_list_del(struct nft_trans *trans) 175 { 176 list_del(&trans->list); 177 list_del(&trans->binding_list); 178 } 179 180 static void nft_trans_destroy(struct nft_trans *trans) 181 { 182 nft_trans_list_del(trans); 183 kfree(trans); 184 } 185 186 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set, 187 bool bind) 188 { 189 struct nftables_pernet *nft_net; 190 struct net *net = ctx->net; 191 struct nft_trans *trans; 192 193 if (!nft_set_is_anonymous(set)) 194 return; 195 196 nft_net = nft_pernet(net); 197 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 198 switch (trans->msg_type) { 199 case NFT_MSG_NEWSET: 200 if (nft_trans_set(trans) == set) 201 nft_trans_set_bound(trans) = bind; 202 break; 203 case NFT_MSG_NEWSETELEM: 204 if (nft_trans_elem_set(trans) == set) 205 nft_trans_elem_set_bound(trans) = bind; 206 break; 207 } 208 } 209 } 210 211 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 212 { 213 return __nft_set_trans_bind(ctx, set, true); 214 } 215 216 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set) 217 { 218 return __nft_set_trans_bind(ctx, set, false); 219 } 220 221 static void __nft_chain_trans_bind(const struct nft_ctx *ctx, 222 struct nft_chain *chain, bool bind) 223 { 224 struct nftables_pernet *nft_net; 225 struct net *net = ctx->net; 226 struct nft_trans *trans; 227 228 if (!nft_chain_binding(chain)) 229 return; 230 231 nft_net = nft_pernet(net); 232 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 233 switch (trans->msg_type) { 234 case NFT_MSG_NEWCHAIN: 235 if (nft_trans_chain(trans) == chain) 236 nft_trans_chain_bound(trans) = bind; 237 break; 238 case NFT_MSG_NEWRULE: 239 if (trans->ctx.chain == chain) 240 nft_trans_rule_bound(trans) = bind; 241 break; 242 } 243 } 244 } 245 246 static void nft_chain_trans_bind(const struct nft_ctx *ctx, 247 struct nft_chain *chain) 248 { 249 __nft_chain_trans_bind(ctx, chain, true); 250 } 251 252 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) 253 { 254 if (!nft_chain_binding(chain)) 255 return 0; 256 257 if (nft_chain_binding(ctx->chain)) 258 return -EOPNOTSUPP; 259 260 if (chain->bound) 261 return -EBUSY; 262 263 if (!nft_use_inc(&chain->use)) 264 return -EMFILE; 265 266 chain->bound = true; 267 nft_chain_trans_bind(ctx, chain); 268 269 return 0; 270 } 271 272 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) 273 { 274 __nft_chain_trans_bind(ctx, chain, false); 275 } 276 277 static int nft_netdev_register_hooks(struct net *net, 278 struct list_head *hook_list) 279 { 280 struct nft_hook *hook; 281 int err, j; 282 283 j = 0; 284 list_for_each_entry(hook, hook_list, list) { 285 err = nf_register_net_hook(net, &hook->ops); 286 if (err < 0) 287 goto err_register; 288 289 j++; 290 } 291 return 0; 292 293 err_register: 294 list_for_each_entry(hook, hook_list, list) { 295 if (j-- <= 0) 296 break; 297 298 nf_unregister_net_hook(net, &hook->ops); 299 } 300 return err; 301 } 302 303 static void nft_netdev_unregister_hooks(struct net *net, 304 struct list_head *hook_list, 305 bool release_netdev) 306 { 307 struct nft_hook *hook, *next; 308 309 list_for_each_entry_safe(hook, next, hook_list, list) { 310 nf_unregister_net_hook(net, &hook->ops); 311 if (release_netdev) { 312 list_del(&hook->list); 313 kfree_rcu(hook, rcu); 314 } 315 } 316 } 317 318 static int nf_tables_register_hook(struct net *net, 319 const struct nft_table *table, 320 struct nft_chain *chain) 321 { 322 struct nft_base_chain *basechain; 323 const struct nf_hook_ops *ops; 324 325 if (table->flags & NFT_TABLE_F_DORMANT || 326 !nft_is_base_chain(chain)) 327 return 0; 328 329 basechain = nft_base_chain(chain); 330 ops = &basechain->ops; 331 332 if (basechain->type->ops_register) 333 return basechain->type->ops_register(net, ops); 334 335 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 336 return nft_netdev_register_hooks(net, &basechain->hook_list); 337 338 return nf_register_net_hook(net, &basechain->ops); 339 } 340 341 static void __nf_tables_unregister_hook(struct net *net, 342 const struct nft_table *table, 343 struct nft_chain *chain, 344 bool release_netdev) 345 { 346 struct nft_base_chain *basechain; 347 const struct nf_hook_ops *ops; 348 349 if (table->flags & NFT_TABLE_F_DORMANT || 350 !nft_is_base_chain(chain)) 351 return; 352 basechain = nft_base_chain(chain); 353 ops = &basechain->ops; 354 355 if (basechain->type->ops_unregister) 356 return basechain->type->ops_unregister(net, ops); 357 358 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 359 nft_netdev_unregister_hooks(net, &basechain->hook_list, 360 release_netdev); 361 else 362 nf_unregister_net_hook(net, &basechain->ops); 363 } 364 365 static void nf_tables_unregister_hook(struct net *net, 366 const struct nft_table *table, 367 struct nft_chain *chain) 368 { 369 return __nf_tables_unregister_hook(net, table, chain, false); 370 } 371 372 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) 373 { 374 struct nftables_pernet *nft_net = nft_pernet(net); 375 376 switch (trans->msg_type) { 377 case NFT_MSG_NEWSET: 378 if (!nft_trans_set_update(trans) && 379 nft_set_is_anonymous(nft_trans_set(trans))) 380 list_add_tail(&trans->binding_list, &nft_net->binding_list); 381 break; 382 case NFT_MSG_NEWCHAIN: 383 if (!nft_trans_chain_update(trans) && 384 nft_chain_binding(nft_trans_chain(trans))) 385 list_add_tail(&trans->binding_list, &nft_net->binding_list); 386 break; 387 } 388 389 list_add_tail(&trans->list, &nft_net->commit_list); 390 } 391 392 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 393 { 394 struct nft_trans *trans; 395 396 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 397 if (trans == NULL) 398 return -ENOMEM; 399 400 if (msg_type == NFT_MSG_NEWTABLE) 401 nft_activate_next(ctx->net, ctx->table); 402 403 nft_trans_commit_list_add_tail(ctx->net, trans); 404 return 0; 405 } 406 407 static int nft_deltable(struct nft_ctx *ctx) 408 { 409 int err; 410 411 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 412 if (err < 0) 413 return err; 414 415 nft_deactivate_next(ctx->net, ctx->table); 416 return err; 417 } 418 419 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 420 { 421 struct nft_trans *trans; 422 423 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 424 if (trans == NULL) 425 return ERR_PTR(-ENOMEM); 426 427 if (msg_type == NFT_MSG_NEWCHAIN) { 428 nft_activate_next(ctx->net, ctx->chain); 429 430 if (ctx->nla[NFTA_CHAIN_ID]) { 431 nft_trans_chain_id(trans) = 432 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); 433 } 434 } 435 nft_trans_chain(trans) = ctx->chain; 436 nft_trans_commit_list_add_tail(ctx->net, trans); 437 438 return trans; 439 } 440 441 static int nft_delchain(struct nft_ctx *ctx) 442 { 443 struct nft_trans *trans; 444 445 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 446 if (IS_ERR(trans)) 447 return PTR_ERR(trans); 448 449 nft_use_dec(&ctx->table->use); 450 nft_deactivate_next(ctx->net, ctx->chain); 451 452 return 0; 453 } 454 455 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule) 456 { 457 struct nft_expr *expr; 458 459 expr = nft_expr_first(rule); 460 while (nft_expr_more(rule, expr)) { 461 if (expr->ops->activate) 462 expr->ops->activate(ctx, expr); 463 464 expr = nft_expr_next(expr); 465 } 466 } 467 468 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule, 469 enum nft_trans_phase phase) 470 { 471 struct nft_expr *expr; 472 473 expr = nft_expr_first(rule); 474 while (nft_expr_more(rule, expr)) { 475 if (expr->ops->deactivate) 476 expr->ops->deactivate(ctx, expr, phase); 477 478 expr = nft_expr_next(expr); 479 } 480 } 481 482 static int 483 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 484 { 485 /* You cannot delete the same rule twice */ 486 if (nft_is_active_next(ctx->net, rule)) { 487 nft_deactivate_next(ctx->net, rule); 488 nft_use_dec(&ctx->chain->use); 489 return 0; 490 } 491 return -ENOENT; 492 } 493 494 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 495 struct nft_rule *rule) 496 { 497 struct nft_trans *trans; 498 499 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 500 if (trans == NULL) 501 return NULL; 502 503 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 504 nft_trans_rule_id(trans) = 505 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 506 } 507 nft_trans_rule(trans) = rule; 508 nft_trans_commit_list_add_tail(ctx->net, trans); 509 510 return trans; 511 } 512 513 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 514 { 515 struct nft_flow_rule *flow; 516 struct nft_trans *trans; 517 int err; 518 519 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 520 if (trans == NULL) 521 return -ENOMEM; 522 523 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 524 flow = nft_flow_rule_create(ctx->net, rule); 525 if (IS_ERR(flow)) { 526 nft_trans_destroy(trans); 527 return PTR_ERR(flow); 528 } 529 530 nft_trans_flow_rule(trans) = flow; 531 } 532 533 err = nf_tables_delrule_deactivate(ctx, rule); 534 if (err < 0) { 535 nft_trans_destroy(trans); 536 return err; 537 } 538 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 539 540 return 0; 541 } 542 543 static int nft_delrule_by_chain(struct nft_ctx *ctx) 544 { 545 struct nft_rule *rule; 546 int err; 547 548 list_for_each_entry(rule, &ctx->chain->rules, list) { 549 if (!nft_is_active_next(ctx->net, rule)) 550 continue; 551 552 err = nft_delrule(ctx, rule); 553 if (err < 0) 554 return err; 555 } 556 return 0; 557 } 558 559 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 560 struct nft_set *set, 561 const struct nft_set_desc *desc) 562 { 563 struct nft_trans *trans; 564 565 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 566 if (trans == NULL) 567 return -ENOMEM; 568 569 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) { 570 nft_trans_set_id(trans) = 571 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 572 nft_activate_next(ctx->net, set); 573 } 574 nft_trans_set(trans) = set; 575 if (desc) { 576 nft_trans_set_update(trans) = true; 577 nft_trans_set_gc_int(trans) = desc->gc_int; 578 nft_trans_set_timeout(trans) = desc->timeout; 579 nft_trans_set_size(trans) = desc->size; 580 } 581 nft_trans_commit_list_add_tail(ctx->net, trans); 582 583 return 0; 584 } 585 586 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 587 struct nft_set *set) 588 { 589 return __nft_trans_set_add(ctx, msg_type, set, NULL); 590 } 591 592 static int nft_mapelem_deactivate(const struct nft_ctx *ctx, 593 struct nft_set *set, 594 const struct nft_set_iter *iter, 595 struct nft_set_elem *elem) 596 { 597 nft_setelem_data_deactivate(ctx->net, set, elem); 598 599 return 0; 600 } 601 602 struct nft_set_elem_catchall { 603 struct list_head list; 604 struct rcu_head rcu; 605 void *elem; 606 }; 607 608 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, 609 struct nft_set *set) 610 { 611 u8 genmask = nft_genmask_next(ctx->net); 612 struct nft_set_elem_catchall *catchall; 613 struct nft_set_elem elem; 614 struct nft_set_ext *ext; 615 616 list_for_each_entry(catchall, &set->catchall_list, list) { 617 ext = nft_set_elem_ext(set, catchall->elem); 618 if (!nft_set_elem_active(ext, genmask)) 619 continue; 620 621 elem.priv = catchall->elem; 622 nft_setelem_data_deactivate(ctx->net, set, &elem); 623 break; 624 } 625 } 626 627 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set) 628 { 629 struct nft_set_iter iter = { 630 .genmask = nft_genmask_next(ctx->net), 631 .fn = nft_mapelem_deactivate, 632 }; 633 634 set->ops->walk(ctx, set, &iter); 635 WARN_ON_ONCE(iter.err); 636 637 nft_map_catchall_deactivate(ctx, set); 638 } 639 640 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 641 { 642 int err; 643 644 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 645 if (err < 0) 646 return err; 647 648 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 649 nft_map_deactivate(ctx, set); 650 651 nft_deactivate_next(ctx->net, set); 652 nft_use_dec(&ctx->table->use); 653 654 return err; 655 } 656 657 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 658 struct nft_object *obj) 659 { 660 struct nft_trans *trans; 661 662 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 663 if (trans == NULL) 664 return -ENOMEM; 665 666 if (msg_type == NFT_MSG_NEWOBJ) 667 nft_activate_next(ctx->net, obj); 668 669 nft_trans_obj(trans) = obj; 670 nft_trans_commit_list_add_tail(ctx->net, trans); 671 672 return 0; 673 } 674 675 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 676 { 677 int err; 678 679 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 680 if (err < 0) 681 return err; 682 683 nft_deactivate_next(ctx->net, obj); 684 nft_use_dec(&ctx->table->use); 685 686 return err; 687 } 688 689 static struct nft_trans * 690 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 691 struct nft_flowtable *flowtable) 692 { 693 struct nft_trans *trans; 694 695 trans = nft_trans_alloc(ctx, msg_type, 696 sizeof(struct nft_trans_flowtable)); 697 if (trans == NULL) 698 return ERR_PTR(-ENOMEM); 699 700 if (msg_type == NFT_MSG_NEWFLOWTABLE) 701 nft_activate_next(ctx->net, flowtable); 702 703 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 704 nft_trans_flowtable(trans) = flowtable; 705 nft_trans_commit_list_add_tail(ctx->net, trans); 706 707 return trans; 708 } 709 710 static int nft_delflowtable(struct nft_ctx *ctx, 711 struct nft_flowtable *flowtable) 712 { 713 struct nft_trans *trans; 714 715 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 716 if (IS_ERR(trans)) 717 return PTR_ERR(trans); 718 719 nft_deactivate_next(ctx->net, flowtable); 720 nft_use_dec(&ctx->table->use); 721 722 return 0; 723 } 724 725 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg) 726 { 727 int i; 728 729 for (i = track->regs[dreg].num_reg; i > 0; i--) 730 __nft_reg_track_cancel(track, dreg - i); 731 } 732 733 static void __nft_reg_track_update(struct nft_regs_track *track, 734 const struct nft_expr *expr, 735 u8 dreg, u8 num_reg) 736 { 737 track->regs[dreg].selector = expr; 738 track->regs[dreg].bitwise = NULL; 739 track->regs[dreg].num_reg = num_reg; 740 } 741 742 void nft_reg_track_update(struct nft_regs_track *track, 743 const struct nft_expr *expr, u8 dreg, u8 len) 744 { 745 unsigned int regcount; 746 int i; 747 748 __nft_reg_track_clobber(track, dreg); 749 750 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 751 for (i = 0; i < regcount; i++, dreg++) 752 __nft_reg_track_update(track, expr, dreg, i); 753 } 754 EXPORT_SYMBOL_GPL(nft_reg_track_update); 755 756 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len) 757 { 758 unsigned int regcount; 759 int i; 760 761 __nft_reg_track_clobber(track, dreg); 762 763 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 764 for (i = 0; i < regcount; i++, dreg++) 765 __nft_reg_track_cancel(track, dreg); 766 } 767 EXPORT_SYMBOL_GPL(nft_reg_track_cancel); 768 769 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg) 770 { 771 track->regs[dreg].selector = NULL; 772 track->regs[dreg].bitwise = NULL; 773 track->regs[dreg].num_reg = 0; 774 } 775 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel); 776 777 /* 778 * Tables 779 */ 780 781 static struct nft_table *nft_table_lookup(const struct net *net, 782 const struct nlattr *nla, 783 u8 family, u8 genmask, u32 nlpid) 784 { 785 struct nftables_pernet *nft_net; 786 struct nft_table *table; 787 788 if (nla == NULL) 789 return ERR_PTR(-EINVAL); 790 791 nft_net = nft_pernet(net); 792 list_for_each_entry_rcu(table, &nft_net->tables, list, 793 lockdep_is_held(&nft_net->commit_mutex)) { 794 if (!nla_strcmp(nla, table->name) && 795 table->family == family && 796 nft_active_genmask(table, genmask)) { 797 if (nft_table_has_owner(table) && 798 nlpid && table->nlpid != nlpid) 799 return ERR_PTR(-EPERM); 800 801 return table; 802 } 803 } 804 805 return ERR_PTR(-ENOENT); 806 } 807 808 static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 809 const struct nlattr *nla, 810 int family, u8 genmask, u32 nlpid) 811 { 812 struct nftables_pernet *nft_net; 813 struct nft_table *table; 814 815 nft_net = nft_pernet(net); 816 list_for_each_entry(table, &nft_net->tables, list) { 817 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 818 table->family == family && 819 nft_active_genmask(table, genmask)) { 820 if (nft_table_has_owner(table) && 821 nlpid && table->nlpid != nlpid) 822 return ERR_PTR(-EPERM); 823 824 return table; 825 } 826 } 827 828 return ERR_PTR(-ENOENT); 829 } 830 831 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 832 { 833 return ++table->hgenerator; 834 } 835 836 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 837 838 static const struct nft_chain_type * 839 __nft_chain_type_get(u8 family, enum nft_chain_types type) 840 { 841 if (family >= NFPROTO_NUMPROTO || 842 type >= NFT_CHAIN_T_MAX) 843 return NULL; 844 845 return chain_type[family][type]; 846 } 847 848 static const struct nft_chain_type * 849 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 850 { 851 const struct nft_chain_type *type; 852 int i; 853 854 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 855 type = __nft_chain_type_get(family, i); 856 if (!type) 857 continue; 858 if (!nla_strcmp(nla, type->name)) 859 return type; 860 } 861 return NULL; 862 } 863 864 struct nft_module_request { 865 struct list_head list; 866 char module[MODULE_NAME_LEN]; 867 bool done; 868 }; 869 870 #ifdef CONFIG_MODULES 871 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, 872 ...) 873 { 874 char module_name[MODULE_NAME_LEN]; 875 struct nftables_pernet *nft_net; 876 struct nft_module_request *req; 877 va_list args; 878 int ret; 879 880 va_start(args, fmt); 881 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 882 va_end(args); 883 if (ret >= MODULE_NAME_LEN) 884 return 0; 885 886 nft_net = nft_pernet(net); 887 list_for_each_entry(req, &nft_net->module_list, list) { 888 if (!strcmp(req->module, module_name)) { 889 if (req->done) 890 return 0; 891 892 /* A request to load this module already exists. */ 893 return -EAGAIN; 894 } 895 } 896 897 req = kmalloc(sizeof(*req), GFP_KERNEL); 898 if (!req) 899 return -ENOMEM; 900 901 req->done = false; 902 strscpy(req->module, module_name, MODULE_NAME_LEN); 903 list_add_tail(&req->list, &nft_net->module_list); 904 905 return -EAGAIN; 906 } 907 EXPORT_SYMBOL_GPL(nft_request_module); 908 #endif 909 910 static void lockdep_nfnl_nft_mutex_not_held(void) 911 { 912 #ifdef CONFIG_PROVE_LOCKING 913 if (debug_locks) 914 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 915 #endif 916 } 917 918 static const struct nft_chain_type * 919 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 920 u8 family, bool autoload) 921 { 922 const struct nft_chain_type *type; 923 924 type = __nf_tables_chain_type_lookup(nla, family); 925 if (type != NULL) 926 return type; 927 928 lockdep_nfnl_nft_mutex_not_held(); 929 #ifdef CONFIG_MODULES 930 if (autoload) { 931 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 932 nla_len(nla), 933 (const char *)nla_data(nla)) == -EAGAIN) 934 return ERR_PTR(-EAGAIN); 935 } 936 #endif 937 return ERR_PTR(-ENOENT); 938 } 939 940 static __be16 nft_base_seq(const struct net *net) 941 { 942 struct nftables_pernet *nft_net = nft_pernet(net); 943 944 return htons(nft_net->base_seq & 0xffff); 945 } 946 947 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 948 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 949 .len = NFT_TABLE_MAXNAMELEN - 1 }, 950 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 951 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 952 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY, 953 .len = NFT_USERDATA_MAXLEN } 954 }; 955 956 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 957 u32 portid, u32 seq, int event, u32 flags, 958 int family, const struct nft_table *table) 959 { 960 struct nlmsghdr *nlh; 961 962 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 963 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 964 NFNETLINK_V0, nft_base_seq(net)); 965 if (!nlh) 966 goto nla_put_failure; 967 968 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 969 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 970 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 971 NFTA_TABLE_PAD)) 972 goto nla_put_failure; 973 974 if (event == NFT_MSG_DELTABLE) { 975 nlmsg_end(skb, nlh); 976 return 0; 977 } 978 979 if (nla_put_be32(skb, NFTA_TABLE_FLAGS, 980 htonl(table->flags & NFT_TABLE_F_MASK))) 981 goto nla_put_failure; 982 983 if (nft_table_has_owner(table) && 984 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid))) 985 goto nla_put_failure; 986 987 if (table->udata) { 988 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata)) 989 goto nla_put_failure; 990 } 991 992 nlmsg_end(skb, nlh); 993 return 0; 994 995 nla_put_failure: 996 nlmsg_trim(skb, nlh); 997 return -1; 998 } 999 1000 struct nftnl_skb_parms { 1001 bool report; 1002 }; 1003 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb)) 1004 1005 static void nft_notify_enqueue(struct sk_buff *skb, bool report, 1006 struct list_head *notify_list) 1007 { 1008 NFT_CB(skb).report = report; 1009 list_add_tail(&skb->list, notify_list); 1010 } 1011 1012 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 1013 { 1014 struct nftables_pernet *nft_net; 1015 struct sk_buff *skb; 1016 u16 flags = 0; 1017 int err; 1018 1019 if (!ctx->report && 1020 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1021 return; 1022 1023 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1024 if (skb == NULL) 1025 goto err; 1026 1027 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 1028 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 1029 1030 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 1031 event, flags, ctx->family, ctx->table); 1032 if (err < 0) { 1033 kfree_skb(skb); 1034 goto err; 1035 } 1036 1037 nft_net = nft_pernet(ctx->net); 1038 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1039 return; 1040 err: 1041 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1042 } 1043 1044 static int nf_tables_dump_tables(struct sk_buff *skb, 1045 struct netlink_callback *cb) 1046 { 1047 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1048 struct nftables_pernet *nft_net; 1049 const struct nft_table *table; 1050 unsigned int idx = 0, s_idx = cb->args[0]; 1051 struct net *net = sock_net(skb->sk); 1052 int family = nfmsg->nfgen_family; 1053 1054 rcu_read_lock(); 1055 nft_net = nft_pernet(net); 1056 cb->seq = READ_ONCE(nft_net->base_seq); 1057 1058 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1059 if (family != NFPROTO_UNSPEC && family != table->family) 1060 continue; 1061 1062 if (idx < s_idx) 1063 goto cont; 1064 if (idx > s_idx) 1065 memset(&cb->args[1], 0, 1066 sizeof(cb->args) - sizeof(cb->args[0])); 1067 if (!nft_is_active(net, table)) 1068 continue; 1069 if (nf_tables_fill_table_info(skb, net, 1070 NETLINK_CB(cb->skb).portid, 1071 cb->nlh->nlmsg_seq, 1072 NFT_MSG_NEWTABLE, NLM_F_MULTI, 1073 table->family, table) < 0) 1074 goto done; 1075 1076 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1077 cont: 1078 idx++; 1079 } 1080 done: 1081 rcu_read_unlock(); 1082 cb->args[0] = idx; 1083 return skb->len; 1084 } 1085 1086 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 1087 const struct nlmsghdr *nlh, 1088 struct netlink_dump_control *c) 1089 { 1090 int err; 1091 1092 if (!try_module_get(THIS_MODULE)) 1093 return -EINVAL; 1094 1095 rcu_read_unlock(); 1096 err = netlink_dump_start(nlsk, skb, nlh, c); 1097 rcu_read_lock(); 1098 module_put(THIS_MODULE); 1099 1100 return err; 1101 } 1102 1103 /* called with rcu_read_lock held */ 1104 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info, 1105 const struct nlattr * const nla[]) 1106 { 1107 struct netlink_ext_ack *extack = info->extack; 1108 u8 genmask = nft_genmask_cur(info->net); 1109 u8 family = info->nfmsg->nfgen_family; 1110 const struct nft_table *table; 1111 struct net *net = info->net; 1112 struct sk_buff *skb2; 1113 int err; 1114 1115 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1116 struct netlink_dump_control c = { 1117 .dump = nf_tables_dump_tables, 1118 .module = THIS_MODULE, 1119 }; 1120 1121 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 1122 } 1123 1124 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0); 1125 if (IS_ERR(table)) { 1126 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 1127 return PTR_ERR(table); 1128 } 1129 1130 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1131 if (!skb2) 1132 return -ENOMEM; 1133 1134 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 1135 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 1136 0, family, table); 1137 if (err < 0) 1138 goto err_fill_table_info; 1139 1140 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1141 1142 err_fill_table_info: 1143 kfree_skb(skb2); 1144 return err; 1145 } 1146 1147 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 1148 { 1149 struct nft_chain *chain; 1150 u32 i = 0; 1151 1152 list_for_each_entry(chain, &table->chains, list) { 1153 if (!nft_is_active_next(net, chain)) 1154 continue; 1155 if (!nft_is_base_chain(chain)) 1156 continue; 1157 1158 if (cnt && i++ == cnt) 1159 break; 1160 1161 nf_tables_unregister_hook(net, table, chain); 1162 } 1163 } 1164 1165 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 1166 { 1167 struct nft_chain *chain; 1168 int err, i = 0; 1169 1170 list_for_each_entry(chain, &table->chains, list) { 1171 if (!nft_is_active_next(net, chain)) 1172 continue; 1173 if (!nft_is_base_chain(chain)) 1174 continue; 1175 1176 err = nf_tables_register_hook(net, table, chain); 1177 if (err < 0) 1178 goto err_register_hooks; 1179 1180 i++; 1181 } 1182 return 0; 1183 1184 err_register_hooks: 1185 if (i) 1186 nft_table_disable(net, table, i); 1187 return err; 1188 } 1189 1190 static void nf_tables_table_disable(struct net *net, struct nft_table *table) 1191 { 1192 table->flags &= ~NFT_TABLE_F_DORMANT; 1193 nft_table_disable(net, table, 0); 1194 table->flags |= NFT_TABLE_F_DORMANT; 1195 } 1196 1197 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1) 1198 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0) 1199 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1) 1200 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \ 1201 __NFT_TABLE_F_WAS_AWAKEN) 1202 1203 static bool nft_table_pending_update(const struct nft_ctx *ctx) 1204 { 1205 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1206 struct nft_trans *trans; 1207 1208 if (ctx->table->flags & __NFT_TABLE_F_UPDATE) 1209 return true; 1210 1211 list_for_each_entry(trans, &nft_net->commit_list, list) { 1212 if (trans->ctx.table == ctx->table && 1213 ((trans->msg_type == NFT_MSG_NEWCHAIN && 1214 nft_trans_chain_update(trans)) || 1215 (trans->msg_type == NFT_MSG_DELCHAIN && 1216 nft_is_base_chain(trans->ctx.chain)))) 1217 return true; 1218 } 1219 1220 return false; 1221 } 1222 1223 static int nf_tables_updtable(struct nft_ctx *ctx) 1224 { 1225 struct nft_trans *trans; 1226 u32 flags; 1227 int ret; 1228 1229 if (!ctx->nla[NFTA_TABLE_FLAGS]) 1230 return 0; 1231 1232 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 1233 if (flags & ~NFT_TABLE_F_MASK) 1234 return -EOPNOTSUPP; 1235 1236 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK)) 1237 return 0; 1238 1239 if ((nft_table_has_owner(ctx->table) && 1240 !(flags & NFT_TABLE_F_OWNER)) || 1241 (!nft_table_has_owner(ctx->table) && 1242 flags & NFT_TABLE_F_OWNER)) 1243 return -EOPNOTSUPP; 1244 1245 /* No dormant off/on/off/on games in single transaction */ 1246 if (nft_table_pending_update(ctx)) 1247 return -EINVAL; 1248 1249 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 1250 sizeof(struct nft_trans_table)); 1251 if (trans == NULL) 1252 return -ENOMEM; 1253 1254 if ((flags & NFT_TABLE_F_DORMANT) && 1255 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 1256 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1257 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) 1258 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN; 1259 } else if (!(flags & NFT_TABLE_F_DORMANT) && 1260 ctx->table->flags & NFT_TABLE_F_DORMANT) { 1261 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 1262 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) { 1263 ret = nf_tables_table_enable(ctx->net, ctx->table); 1264 if (ret < 0) 1265 goto err_register_hooks; 1266 1267 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT; 1268 } 1269 } 1270 1271 nft_trans_table_update(trans) = true; 1272 nft_trans_commit_list_add_tail(ctx->net, trans); 1273 1274 return 0; 1275 1276 err_register_hooks: 1277 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1278 nft_trans_destroy(trans); 1279 return ret; 1280 } 1281 1282 static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 1283 { 1284 const char *name = data; 1285 1286 return jhash(name, strlen(name), seed); 1287 } 1288 1289 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 1290 { 1291 const struct nft_chain *chain = data; 1292 1293 return nft_chain_hash(chain->name, 0, seed); 1294 } 1295 1296 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 1297 const void *ptr) 1298 { 1299 const struct nft_chain *chain = ptr; 1300 const char *name = arg->key; 1301 1302 return strcmp(chain->name, name); 1303 } 1304 1305 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 1306 { 1307 const struct nft_object_hash_key *k = data; 1308 1309 seed ^= hash_ptr(k->table, 32); 1310 1311 return jhash(k->name, strlen(k->name), seed); 1312 } 1313 1314 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 1315 { 1316 const struct nft_object *obj = data; 1317 1318 return nft_objname_hash(&obj->key, 0, seed); 1319 } 1320 1321 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 1322 const void *ptr) 1323 { 1324 const struct nft_object_hash_key *k = arg->key; 1325 const struct nft_object *obj = ptr; 1326 1327 if (obj->key.table != k->table) 1328 return -1; 1329 1330 return strcmp(obj->key.name, k->name); 1331 } 1332 1333 static bool nft_supported_family(u8 family) 1334 { 1335 return false 1336 #ifdef CONFIG_NF_TABLES_INET 1337 || family == NFPROTO_INET 1338 #endif 1339 #ifdef CONFIG_NF_TABLES_IPV4 1340 || family == NFPROTO_IPV4 1341 #endif 1342 #ifdef CONFIG_NF_TABLES_ARP 1343 || family == NFPROTO_ARP 1344 #endif 1345 #ifdef CONFIG_NF_TABLES_NETDEV 1346 || family == NFPROTO_NETDEV 1347 #endif 1348 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) 1349 || family == NFPROTO_BRIDGE 1350 #endif 1351 #ifdef CONFIG_NF_TABLES_IPV6 1352 || family == NFPROTO_IPV6 1353 #endif 1354 ; 1355 } 1356 1357 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, 1358 const struct nlattr * const nla[]) 1359 { 1360 struct nftables_pernet *nft_net = nft_pernet(info->net); 1361 struct netlink_ext_ack *extack = info->extack; 1362 u8 genmask = nft_genmask_next(info->net); 1363 u8 family = info->nfmsg->nfgen_family; 1364 struct net *net = info->net; 1365 const struct nlattr *attr; 1366 struct nft_table *table; 1367 struct nft_ctx ctx; 1368 u32 flags = 0; 1369 int err; 1370 1371 if (!nft_supported_family(family)) 1372 return -EOPNOTSUPP; 1373 1374 lockdep_assert_held(&nft_net->commit_mutex); 1375 attr = nla[NFTA_TABLE_NAME]; 1376 table = nft_table_lookup(net, attr, family, genmask, 1377 NETLINK_CB(skb).portid); 1378 if (IS_ERR(table)) { 1379 if (PTR_ERR(table) != -ENOENT) 1380 return PTR_ERR(table); 1381 } else { 1382 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 1383 NL_SET_BAD_ATTR(extack, attr); 1384 return -EEXIST; 1385 } 1386 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 1387 return -EOPNOTSUPP; 1388 1389 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1390 1391 return nf_tables_updtable(&ctx); 1392 } 1393 1394 if (nla[NFTA_TABLE_FLAGS]) { 1395 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 1396 if (flags & ~NFT_TABLE_F_MASK) 1397 return -EOPNOTSUPP; 1398 } 1399 1400 err = -ENOMEM; 1401 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT); 1402 if (table == NULL) 1403 goto err_kzalloc; 1404 1405 table->validate_state = nft_net->validate_state; 1406 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT); 1407 if (table->name == NULL) 1408 goto err_strdup; 1409 1410 if (nla[NFTA_TABLE_USERDATA]) { 1411 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT); 1412 if (table->udata == NULL) 1413 goto err_table_udata; 1414 1415 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]); 1416 } 1417 1418 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1419 if (err) 1420 goto err_chain_ht; 1421 1422 INIT_LIST_HEAD(&table->chains); 1423 INIT_LIST_HEAD(&table->sets); 1424 INIT_LIST_HEAD(&table->objects); 1425 INIT_LIST_HEAD(&table->flowtables); 1426 table->family = family; 1427 table->flags = flags; 1428 table->handle = ++nft_net->table_handle; 1429 if (table->flags & NFT_TABLE_F_OWNER) 1430 table->nlpid = NETLINK_CB(skb).portid; 1431 1432 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1433 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1434 if (err < 0) 1435 goto err_trans; 1436 1437 list_add_tail_rcu(&table->list, &nft_net->tables); 1438 return 0; 1439 err_trans: 1440 rhltable_destroy(&table->chains_ht); 1441 err_chain_ht: 1442 kfree(table->udata); 1443 err_table_udata: 1444 kfree(table->name); 1445 err_strdup: 1446 kfree(table); 1447 err_kzalloc: 1448 return err; 1449 } 1450 1451 static int nft_flush_table(struct nft_ctx *ctx) 1452 { 1453 struct nft_flowtable *flowtable, *nft; 1454 struct nft_chain *chain, *nc; 1455 struct nft_object *obj, *ne; 1456 struct nft_set *set, *ns; 1457 int err; 1458 1459 list_for_each_entry(chain, &ctx->table->chains, list) { 1460 if (!nft_is_active_next(ctx->net, chain)) 1461 continue; 1462 1463 if (nft_chain_binding(chain)) 1464 continue; 1465 1466 ctx->chain = chain; 1467 1468 err = nft_delrule_by_chain(ctx); 1469 if (err < 0) 1470 goto out; 1471 } 1472 1473 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1474 if (!nft_is_active_next(ctx->net, set)) 1475 continue; 1476 1477 if (nft_set_is_anonymous(set)) 1478 continue; 1479 1480 err = nft_delset(ctx, set); 1481 if (err < 0) 1482 goto out; 1483 } 1484 1485 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1486 if (!nft_is_active_next(ctx->net, flowtable)) 1487 continue; 1488 1489 err = nft_delflowtable(ctx, flowtable); 1490 if (err < 0) 1491 goto out; 1492 } 1493 1494 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1495 if (!nft_is_active_next(ctx->net, obj)) 1496 continue; 1497 1498 err = nft_delobj(ctx, obj); 1499 if (err < 0) 1500 goto out; 1501 } 1502 1503 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1504 if (!nft_is_active_next(ctx->net, chain)) 1505 continue; 1506 1507 if (nft_chain_binding(chain)) 1508 continue; 1509 1510 ctx->chain = chain; 1511 1512 err = nft_delchain(ctx); 1513 if (err < 0) 1514 goto out; 1515 } 1516 1517 err = nft_deltable(ctx); 1518 out: 1519 return err; 1520 } 1521 1522 static int nft_flush(struct nft_ctx *ctx, int family) 1523 { 1524 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1525 const struct nlattr * const *nla = ctx->nla; 1526 struct nft_table *table, *nt; 1527 int err = 0; 1528 1529 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 1530 if (family != AF_UNSPEC && table->family != family) 1531 continue; 1532 1533 ctx->family = table->family; 1534 1535 if (!nft_is_active_next(ctx->net, table)) 1536 continue; 1537 1538 if (nft_table_has_owner(table) && table->nlpid != ctx->portid) 1539 continue; 1540 1541 if (nla[NFTA_TABLE_NAME] && 1542 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1543 continue; 1544 1545 ctx->table = table; 1546 1547 err = nft_flush_table(ctx); 1548 if (err < 0) 1549 goto out; 1550 } 1551 out: 1552 return err; 1553 } 1554 1555 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info, 1556 const struct nlattr * const nla[]) 1557 { 1558 struct netlink_ext_ack *extack = info->extack; 1559 u8 genmask = nft_genmask_next(info->net); 1560 u8 family = info->nfmsg->nfgen_family; 1561 struct net *net = info->net; 1562 const struct nlattr *attr; 1563 struct nft_table *table; 1564 struct nft_ctx ctx; 1565 1566 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla); 1567 if (family == AF_UNSPEC || 1568 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1569 return nft_flush(&ctx, family); 1570 1571 if (nla[NFTA_TABLE_HANDLE]) { 1572 attr = nla[NFTA_TABLE_HANDLE]; 1573 table = nft_table_lookup_byhandle(net, attr, family, genmask, 1574 NETLINK_CB(skb).portid); 1575 } else { 1576 attr = nla[NFTA_TABLE_NAME]; 1577 table = nft_table_lookup(net, attr, family, genmask, 1578 NETLINK_CB(skb).portid); 1579 } 1580 1581 if (IS_ERR(table)) { 1582 if (PTR_ERR(table) == -ENOENT && 1583 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE) 1584 return 0; 1585 1586 NL_SET_BAD_ATTR(extack, attr); 1587 return PTR_ERR(table); 1588 } 1589 1590 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 1591 table->use > 0) 1592 return -EBUSY; 1593 1594 ctx.family = family; 1595 ctx.table = table; 1596 1597 return nft_flush_table(&ctx); 1598 } 1599 1600 static void nf_tables_table_destroy(struct nft_ctx *ctx) 1601 { 1602 if (WARN_ON(ctx->table->use > 0)) 1603 return; 1604 1605 rhltable_destroy(&ctx->table->chains_ht); 1606 kfree(ctx->table->name); 1607 kfree(ctx->table->udata); 1608 kfree(ctx->table); 1609 } 1610 1611 void nft_register_chain_type(const struct nft_chain_type *ctype) 1612 { 1613 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1614 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1615 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1616 return; 1617 } 1618 chain_type[ctype->family][ctype->type] = ctype; 1619 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1620 } 1621 EXPORT_SYMBOL_GPL(nft_register_chain_type); 1622 1623 void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1624 { 1625 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1626 chain_type[ctype->family][ctype->type] = NULL; 1627 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1628 } 1629 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1630 1631 /* 1632 * Chains 1633 */ 1634 1635 static struct nft_chain * 1636 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1637 { 1638 struct nft_chain *chain; 1639 1640 list_for_each_entry(chain, &table->chains, list) { 1641 if (chain->handle == handle && 1642 nft_active_genmask(chain, genmask)) 1643 return chain; 1644 } 1645 1646 return ERR_PTR(-ENOENT); 1647 } 1648 1649 static bool lockdep_commit_lock_is_held(const struct net *net) 1650 { 1651 #ifdef CONFIG_PROVE_LOCKING 1652 struct nftables_pernet *nft_net = nft_pernet(net); 1653 1654 return lockdep_is_held(&nft_net->commit_mutex); 1655 #else 1656 return true; 1657 #endif 1658 } 1659 1660 static struct nft_chain *nft_chain_lookup(struct net *net, 1661 struct nft_table *table, 1662 const struct nlattr *nla, u8 genmask) 1663 { 1664 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1665 struct rhlist_head *tmp, *list; 1666 struct nft_chain *chain; 1667 1668 if (nla == NULL) 1669 return ERR_PTR(-EINVAL); 1670 1671 nla_strscpy(search, nla, sizeof(search)); 1672 1673 WARN_ON(!rcu_read_lock_held() && 1674 !lockdep_commit_lock_is_held(net)); 1675 1676 chain = ERR_PTR(-ENOENT); 1677 rcu_read_lock(); 1678 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1679 if (!list) 1680 goto out_unlock; 1681 1682 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1683 if (nft_active_genmask(chain, genmask)) 1684 goto out_unlock; 1685 } 1686 chain = ERR_PTR(-ENOENT); 1687 out_unlock: 1688 rcu_read_unlock(); 1689 return chain; 1690 } 1691 1692 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1693 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1694 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1695 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1696 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1697 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1698 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1699 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1700 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1701 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1702 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1703 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1704 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1705 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY, 1706 .len = NFT_USERDATA_MAXLEN }, 1707 }; 1708 1709 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1710 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1711 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1712 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1713 .len = IFNAMSIZ - 1 }, 1714 }; 1715 1716 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1717 { 1718 struct nft_stats *cpu_stats, total; 1719 struct nlattr *nest; 1720 unsigned int seq; 1721 u64 pkts, bytes; 1722 int cpu; 1723 1724 if (!stats) 1725 return 0; 1726 1727 memset(&total, 0, sizeof(total)); 1728 for_each_possible_cpu(cpu) { 1729 cpu_stats = per_cpu_ptr(stats, cpu); 1730 do { 1731 seq = u64_stats_fetch_begin(&cpu_stats->syncp); 1732 pkts = cpu_stats->pkts; 1733 bytes = cpu_stats->bytes; 1734 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq)); 1735 total.pkts += pkts; 1736 total.bytes += bytes; 1737 } 1738 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1739 if (nest == NULL) 1740 goto nla_put_failure; 1741 1742 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1743 NFTA_COUNTER_PAD) || 1744 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1745 NFTA_COUNTER_PAD)) 1746 goto nla_put_failure; 1747 1748 nla_nest_end(skb, nest); 1749 return 0; 1750 1751 nla_put_failure: 1752 return -ENOSPC; 1753 } 1754 1755 static int nft_dump_basechain_hook(struct sk_buff *skb, int family, 1756 const struct nft_base_chain *basechain, 1757 const struct list_head *hook_list) 1758 { 1759 const struct nf_hook_ops *ops = &basechain->ops; 1760 struct nft_hook *hook, *first = NULL; 1761 struct nlattr *nest, *nest_devs; 1762 int n = 0; 1763 1764 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1765 if (nest == NULL) 1766 goto nla_put_failure; 1767 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1768 goto nla_put_failure; 1769 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1770 goto nla_put_failure; 1771 1772 if (nft_base_chain_netdev(family, ops->hooknum)) { 1773 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1774 if (!nest_devs) 1775 goto nla_put_failure; 1776 1777 if (!hook_list) 1778 hook_list = &basechain->hook_list; 1779 1780 list_for_each_entry(hook, hook_list, list) { 1781 if (!first) 1782 first = hook; 1783 1784 if (nla_put_string(skb, NFTA_DEVICE_NAME, 1785 hook->ops.dev->name)) 1786 goto nla_put_failure; 1787 n++; 1788 } 1789 nla_nest_end(skb, nest_devs); 1790 1791 if (n == 1 && 1792 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) 1793 goto nla_put_failure; 1794 } 1795 nla_nest_end(skb, nest); 1796 1797 return 0; 1798 nla_put_failure: 1799 return -1; 1800 } 1801 1802 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 1803 u32 portid, u32 seq, int event, u32 flags, 1804 int family, const struct nft_table *table, 1805 const struct nft_chain *chain, 1806 const struct list_head *hook_list) 1807 { 1808 struct nlmsghdr *nlh; 1809 1810 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1811 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 1812 NFNETLINK_V0, nft_base_seq(net)); 1813 if (!nlh) 1814 goto nla_put_failure; 1815 1816 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) || 1817 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) || 1818 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 1819 NFTA_CHAIN_PAD)) 1820 goto nla_put_failure; 1821 1822 if (event == NFT_MSG_DELCHAIN && !hook_list) { 1823 nlmsg_end(skb, nlh); 1824 return 0; 1825 } 1826 1827 if (nft_is_base_chain(chain)) { 1828 const struct nft_base_chain *basechain = nft_base_chain(chain); 1829 struct nft_stats __percpu *stats; 1830 1831 if (nft_dump_basechain_hook(skb, family, basechain, hook_list)) 1832 goto nla_put_failure; 1833 1834 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1835 htonl(basechain->policy))) 1836 goto nla_put_failure; 1837 1838 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1839 goto nla_put_failure; 1840 1841 stats = rcu_dereference_check(basechain->stats, 1842 lockdep_commit_lock_is_held(net)); 1843 if (nft_dump_stats(skb, stats)) 1844 goto nla_put_failure; 1845 } 1846 1847 if (chain->flags && 1848 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags))) 1849 goto nla_put_failure; 1850 1851 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1852 goto nla_put_failure; 1853 1854 if (chain->udata && 1855 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata)) 1856 goto nla_put_failure; 1857 1858 nlmsg_end(skb, nlh); 1859 return 0; 1860 1861 nla_put_failure: 1862 nlmsg_trim(skb, nlh); 1863 return -1; 1864 } 1865 1866 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event, 1867 const struct list_head *hook_list) 1868 { 1869 struct nftables_pernet *nft_net; 1870 struct sk_buff *skb; 1871 u16 flags = 0; 1872 int err; 1873 1874 if (!ctx->report && 1875 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1876 return; 1877 1878 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1879 if (skb == NULL) 1880 goto err; 1881 1882 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 1883 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 1884 1885 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1886 event, flags, ctx->family, ctx->table, 1887 ctx->chain, hook_list); 1888 if (err < 0) { 1889 kfree_skb(skb); 1890 goto err; 1891 } 1892 1893 nft_net = nft_pernet(ctx->net); 1894 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1895 return; 1896 err: 1897 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1898 } 1899 1900 static int nf_tables_dump_chains(struct sk_buff *skb, 1901 struct netlink_callback *cb) 1902 { 1903 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1904 unsigned int idx = 0, s_idx = cb->args[0]; 1905 struct net *net = sock_net(skb->sk); 1906 int family = nfmsg->nfgen_family; 1907 struct nftables_pernet *nft_net; 1908 const struct nft_table *table; 1909 const struct nft_chain *chain; 1910 1911 rcu_read_lock(); 1912 nft_net = nft_pernet(net); 1913 cb->seq = READ_ONCE(nft_net->base_seq); 1914 1915 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1916 if (family != NFPROTO_UNSPEC && family != table->family) 1917 continue; 1918 1919 list_for_each_entry_rcu(chain, &table->chains, list) { 1920 if (idx < s_idx) 1921 goto cont; 1922 if (idx > s_idx) 1923 memset(&cb->args[1], 0, 1924 sizeof(cb->args) - sizeof(cb->args[0])); 1925 if (!nft_is_active(net, chain)) 1926 continue; 1927 if (nf_tables_fill_chain_info(skb, net, 1928 NETLINK_CB(cb->skb).portid, 1929 cb->nlh->nlmsg_seq, 1930 NFT_MSG_NEWCHAIN, 1931 NLM_F_MULTI, 1932 table->family, table, 1933 chain, NULL) < 0) 1934 goto done; 1935 1936 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1937 cont: 1938 idx++; 1939 } 1940 } 1941 done: 1942 rcu_read_unlock(); 1943 cb->args[0] = idx; 1944 return skb->len; 1945 } 1946 1947 /* called with rcu_read_lock held */ 1948 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info, 1949 const struct nlattr * const nla[]) 1950 { 1951 struct netlink_ext_ack *extack = info->extack; 1952 u8 genmask = nft_genmask_cur(info->net); 1953 u8 family = info->nfmsg->nfgen_family; 1954 const struct nft_chain *chain; 1955 struct net *net = info->net; 1956 struct nft_table *table; 1957 struct sk_buff *skb2; 1958 int err; 1959 1960 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1961 struct netlink_dump_control c = { 1962 .dump = nf_tables_dump_chains, 1963 .module = THIS_MODULE, 1964 }; 1965 1966 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 1967 } 1968 1969 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0); 1970 if (IS_ERR(table)) { 1971 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 1972 return PTR_ERR(table); 1973 } 1974 1975 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 1976 if (IS_ERR(chain)) { 1977 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 1978 return PTR_ERR(chain); 1979 } 1980 1981 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1982 if (!skb2) 1983 return -ENOMEM; 1984 1985 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 1986 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 1987 0, family, table, chain, NULL); 1988 if (err < 0) 1989 goto err_fill_chain_info; 1990 1991 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1992 1993 err_fill_chain_info: 1994 kfree_skb(skb2); 1995 return err; 1996 } 1997 1998 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 1999 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 2000 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 2001 }; 2002 2003 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 2004 { 2005 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 2006 struct nft_stats __percpu *newstats; 2007 struct nft_stats *stats; 2008 int err; 2009 2010 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 2011 nft_counter_policy, NULL); 2012 if (err < 0) 2013 return ERR_PTR(err); 2014 2015 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 2016 return ERR_PTR(-EINVAL); 2017 2018 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 2019 if (newstats == NULL) 2020 return ERR_PTR(-ENOMEM); 2021 2022 /* Restore old counters on this cpu, no problem. Per-cpu statistics 2023 * are not exposed to userspace. 2024 */ 2025 preempt_disable(); 2026 stats = this_cpu_ptr(newstats); 2027 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 2028 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 2029 preempt_enable(); 2030 2031 return newstats; 2032 } 2033 2034 static void nft_chain_stats_replace(struct nft_trans *trans) 2035 { 2036 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain); 2037 2038 if (!nft_trans_chain_stats(trans)) 2039 return; 2040 2041 nft_trans_chain_stats(trans) = 2042 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans), 2043 lockdep_commit_lock_is_held(trans->ctx.net)); 2044 2045 if (!nft_trans_chain_stats(trans)) 2046 static_branch_inc(&nft_counters_enabled); 2047 } 2048 2049 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 2050 { 2051 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0); 2052 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1); 2053 2054 if (g0 != g1) 2055 kvfree(g1); 2056 kvfree(g0); 2057 2058 /* should be NULL either via abort or via successful commit */ 2059 WARN_ON_ONCE(chain->blob_next); 2060 kvfree(chain->blob_next); 2061 } 2062 2063 void nf_tables_chain_destroy(struct nft_ctx *ctx) 2064 { 2065 struct nft_chain *chain = ctx->chain; 2066 struct nft_hook *hook, *next; 2067 2068 if (WARN_ON(chain->use > 0)) 2069 return; 2070 2071 /* no concurrent access possible anymore */ 2072 nf_tables_chain_free_chain_rules(chain); 2073 2074 if (nft_is_base_chain(chain)) { 2075 struct nft_base_chain *basechain = nft_base_chain(chain); 2076 2077 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) { 2078 list_for_each_entry_safe(hook, next, 2079 &basechain->hook_list, list) { 2080 list_del_rcu(&hook->list); 2081 kfree_rcu(hook, rcu); 2082 } 2083 } 2084 module_put(basechain->type->owner); 2085 if (rcu_access_pointer(basechain->stats)) { 2086 static_branch_dec(&nft_counters_enabled); 2087 free_percpu(rcu_dereference_raw(basechain->stats)); 2088 } 2089 kfree(chain->name); 2090 kfree(chain->udata); 2091 kfree(basechain); 2092 } else { 2093 kfree(chain->name); 2094 kfree(chain->udata); 2095 kfree(chain); 2096 } 2097 } 2098 2099 static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 2100 const struct nlattr *attr) 2101 { 2102 struct net_device *dev; 2103 char ifname[IFNAMSIZ]; 2104 struct nft_hook *hook; 2105 int err; 2106 2107 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT); 2108 if (!hook) { 2109 err = -ENOMEM; 2110 goto err_hook_alloc; 2111 } 2112 2113 nla_strscpy(ifname, attr, IFNAMSIZ); 2114 /* nf_tables_netdev_event() is called under rtnl_mutex, this is 2115 * indirectly serializing all the other holders of the commit_mutex with 2116 * the rtnl_mutex. 2117 */ 2118 dev = __dev_get_by_name(net, ifname); 2119 if (!dev) { 2120 err = -ENOENT; 2121 goto err_hook_dev; 2122 } 2123 hook->ops.dev = dev; 2124 2125 return hook; 2126 2127 err_hook_dev: 2128 kfree(hook); 2129 err_hook_alloc: 2130 return ERR_PTR(err); 2131 } 2132 2133 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, 2134 const struct nft_hook *this) 2135 { 2136 struct nft_hook *hook; 2137 2138 list_for_each_entry(hook, hook_list, list) { 2139 if (this->ops.dev == hook->ops.dev) 2140 return hook; 2141 } 2142 2143 return NULL; 2144 } 2145 2146 static int nf_tables_parse_netdev_hooks(struct net *net, 2147 const struct nlattr *attr, 2148 struct list_head *hook_list, 2149 struct netlink_ext_ack *extack) 2150 { 2151 struct nft_hook *hook, *next; 2152 const struct nlattr *tmp; 2153 int rem, n = 0, err; 2154 2155 nla_for_each_nested(tmp, attr, rem) { 2156 if (nla_type(tmp) != NFTA_DEVICE_NAME) { 2157 err = -EINVAL; 2158 goto err_hook; 2159 } 2160 2161 hook = nft_netdev_hook_alloc(net, tmp); 2162 if (IS_ERR(hook)) { 2163 NL_SET_BAD_ATTR(extack, tmp); 2164 err = PTR_ERR(hook); 2165 goto err_hook; 2166 } 2167 if (nft_hook_list_find(hook_list, hook)) { 2168 NL_SET_BAD_ATTR(extack, tmp); 2169 kfree(hook); 2170 err = -EEXIST; 2171 goto err_hook; 2172 } 2173 list_add_tail(&hook->list, hook_list); 2174 n++; 2175 2176 if (n == NFT_NETDEVICE_MAX) { 2177 err = -EFBIG; 2178 goto err_hook; 2179 } 2180 } 2181 2182 return 0; 2183 2184 err_hook: 2185 list_for_each_entry_safe(hook, next, hook_list, list) { 2186 list_del(&hook->list); 2187 kfree(hook); 2188 } 2189 return err; 2190 } 2191 2192 struct nft_chain_hook { 2193 u32 num; 2194 s32 priority; 2195 const struct nft_chain_type *type; 2196 struct list_head list; 2197 }; 2198 2199 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[], 2200 struct list_head *hook_list, 2201 struct netlink_ext_ack *extack, u32 flags) 2202 { 2203 struct nft_hook *hook; 2204 int err; 2205 2206 if (tb[NFTA_HOOK_DEV]) { 2207 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); 2208 if (IS_ERR(hook)) { 2209 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]); 2210 return PTR_ERR(hook); 2211 } 2212 2213 list_add_tail(&hook->list, hook_list); 2214 } else if (tb[NFTA_HOOK_DEVS]) { 2215 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 2216 hook_list, extack); 2217 if (err < 0) 2218 return err; 2219 2220 } 2221 2222 if (flags & NFT_CHAIN_HW_OFFLOAD && 2223 list_empty(hook_list)) 2224 return -EINVAL; 2225 2226 return 0; 2227 } 2228 2229 static int nft_chain_parse_hook(struct net *net, 2230 struct nft_base_chain *basechain, 2231 const struct nlattr * const nla[], 2232 struct nft_chain_hook *hook, u8 family, 2233 u32 flags, struct netlink_ext_ack *extack) 2234 { 2235 struct nftables_pernet *nft_net = nft_pernet(net); 2236 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 2237 const struct nft_chain_type *type; 2238 int err; 2239 2240 lockdep_assert_held(&nft_net->commit_mutex); 2241 lockdep_nfnl_nft_mutex_not_held(); 2242 2243 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 2244 nla[NFTA_CHAIN_HOOK], 2245 nft_hook_policy, NULL); 2246 if (err < 0) 2247 return err; 2248 2249 if (!basechain) { 2250 if (!ha[NFTA_HOOK_HOOKNUM] || 2251 !ha[NFTA_HOOK_PRIORITY]) { 2252 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2253 return -ENOENT; 2254 } 2255 2256 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 2257 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 2258 2259 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 2260 if (!type) 2261 return -EOPNOTSUPP; 2262 2263 if (nla[NFTA_CHAIN_TYPE]) { 2264 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 2265 family, true); 2266 if (IS_ERR(type)) { 2267 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2268 return PTR_ERR(type); 2269 } 2270 } 2271 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 2272 return -EOPNOTSUPP; 2273 2274 if (type->type == NFT_CHAIN_T_NAT && 2275 hook->priority <= NF_IP_PRI_CONNTRACK) 2276 return -EOPNOTSUPP; 2277 } else { 2278 if (ha[NFTA_HOOK_HOOKNUM]) { 2279 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 2280 if (hook->num != basechain->ops.hooknum) 2281 return -EOPNOTSUPP; 2282 } 2283 if (ha[NFTA_HOOK_PRIORITY]) { 2284 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 2285 if (hook->priority != basechain->ops.priority) 2286 return -EOPNOTSUPP; 2287 } 2288 2289 if (nla[NFTA_CHAIN_TYPE]) { 2290 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE], 2291 family); 2292 if (!type) { 2293 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2294 return -ENOENT; 2295 } 2296 } else { 2297 type = basechain->type; 2298 } 2299 } 2300 2301 if (!try_module_get(type->owner)) { 2302 if (nla[NFTA_CHAIN_TYPE]) 2303 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2304 return -ENOENT; 2305 } 2306 2307 hook->type = type; 2308 2309 INIT_LIST_HEAD(&hook->list); 2310 if (nft_base_chain_netdev(family, hook->num)) { 2311 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags); 2312 if (err < 0) { 2313 module_put(type->owner); 2314 return err; 2315 } 2316 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 2317 module_put(type->owner); 2318 return -EOPNOTSUPP; 2319 } 2320 2321 return 0; 2322 } 2323 2324 static void nft_chain_release_hook(struct nft_chain_hook *hook) 2325 { 2326 struct nft_hook *h, *next; 2327 2328 list_for_each_entry_safe(h, next, &hook->list, list) { 2329 list_del(&h->list); 2330 kfree(h); 2331 } 2332 module_put(hook->type->owner); 2333 } 2334 2335 static void nft_last_rule(const struct nft_chain *chain, const void *ptr) 2336 { 2337 struct nft_rule_dp_last *lrule; 2338 2339 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0); 2340 2341 lrule = (struct nft_rule_dp_last *)ptr; 2342 lrule->end.is_last = 1; 2343 lrule->chain = chain; 2344 /* blob size does not include the trailer rule */ 2345 } 2346 2347 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain, 2348 unsigned int size) 2349 { 2350 struct nft_rule_blob *blob; 2351 2352 if (size > INT_MAX) 2353 return NULL; 2354 2355 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last); 2356 2357 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT); 2358 if (!blob) 2359 return NULL; 2360 2361 blob->size = 0; 2362 nft_last_rule(chain, blob->data); 2363 2364 return blob; 2365 } 2366 2367 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 2368 const struct nft_chain_hook *hook, 2369 struct nft_chain *chain) 2370 { 2371 ops->pf = family; 2372 ops->hooknum = hook->num; 2373 ops->priority = hook->priority; 2374 ops->priv = chain; 2375 ops->hook = hook->type->hooks[ops->hooknum]; 2376 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES; 2377 } 2378 2379 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 2380 struct nft_chain_hook *hook, u32 flags) 2381 { 2382 struct nft_chain *chain; 2383 struct nft_hook *h; 2384 2385 basechain->type = hook->type; 2386 INIT_LIST_HEAD(&basechain->hook_list); 2387 chain = &basechain->chain; 2388 2389 if (nft_base_chain_netdev(family, hook->num)) { 2390 list_splice_init(&hook->list, &basechain->hook_list); 2391 list_for_each_entry(h, &basechain->hook_list, list) 2392 nft_basechain_hook_init(&h->ops, family, hook, chain); 2393 } 2394 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 2395 2396 chain->flags |= NFT_CHAIN_BASE | flags; 2397 basechain->policy = NF_ACCEPT; 2398 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 2399 !nft_chain_offload_support(basechain)) { 2400 list_splice_init(&basechain->hook_list, &hook->list); 2401 return -EOPNOTSUPP; 2402 } 2403 2404 flow_block_init(&basechain->flow_block); 2405 2406 return 0; 2407 } 2408 2409 int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 2410 { 2411 int err; 2412 2413 err = rhltable_insert_key(&table->chains_ht, chain->name, 2414 &chain->rhlhead, nft_chain_ht_params); 2415 if (err) 2416 return err; 2417 2418 list_add_tail_rcu(&chain->list, &table->chains); 2419 2420 return 0; 2421 } 2422 2423 static u64 chain_id; 2424 2425 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 2426 u8 policy, u32 flags, 2427 struct netlink_ext_ack *extack) 2428 { 2429 const struct nlattr * const *nla = ctx->nla; 2430 struct nft_table *table = ctx->table; 2431 struct nft_base_chain *basechain; 2432 struct net *net = ctx->net; 2433 char name[NFT_NAME_MAXLEN]; 2434 struct nft_rule_blob *blob; 2435 struct nft_trans *trans; 2436 struct nft_chain *chain; 2437 int err; 2438 2439 if (nla[NFTA_CHAIN_HOOK]) { 2440 struct nft_stats __percpu *stats = NULL; 2441 struct nft_chain_hook hook = {}; 2442 2443 if (table->flags & __NFT_TABLE_F_UPDATE) 2444 return -EINVAL; 2445 2446 if (flags & NFT_CHAIN_BINDING) 2447 return -EOPNOTSUPP; 2448 2449 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags, 2450 extack); 2451 if (err < 0) 2452 return err; 2453 2454 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT); 2455 if (basechain == NULL) { 2456 nft_chain_release_hook(&hook); 2457 return -ENOMEM; 2458 } 2459 chain = &basechain->chain; 2460 2461 if (nla[NFTA_CHAIN_COUNTERS]) { 2462 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2463 if (IS_ERR(stats)) { 2464 nft_chain_release_hook(&hook); 2465 kfree(basechain); 2466 return PTR_ERR(stats); 2467 } 2468 rcu_assign_pointer(basechain->stats, stats); 2469 } 2470 2471 err = nft_basechain_init(basechain, family, &hook, flags); 2472 if (err < 0) { 2473 nft_chain_release_hook(&hook); 2474 kfree(basechain); 2475 free_percpu(stats); 2476 return err; 2477 } 2478 if (stats) 2479 static_branch_inc(&nft_counters_enabled); 2480 } else { 2481 if (flags & NFT_CHAIN_BASE) 2482 return -EINVAL; 2483 if (flags & NFT_CHAIN_HW_OFFLOAD) 2484 return -EOPNOTSUPP; 2485 2486 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT); 2487 if (chain == NULL) 2488 return -ENOMEM; 2489 2490 chain->flags = flags; 2491 } 2492 ctx->chain = chain; 2493 2494 INIT_LIST_HEAD(&chain->rules); 2495 chain->handle = nf_tables_alloc_handle(table); 2496 chain->table = table; 2497 2498 if (nla[NFTA_CHAIN_NAME]) { 2499 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2500 } else { 2501 if (!(flags & NFT_CHAIN_BINDING)) { 2502 err = -EINVAL; 2503 goto err_destroy_chain; 2504 } 2505 2506 snprintf(name, sizeof(name), "__chain%llu", ++chain_id); 2507 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT); 2508 } 2509 2510 if (!chain->name) { 2511 err = -ENOMEM; 2512 goto err_destroy_chain; 2513 } 2514 2515 if (nla[NFTA_CHAIN_USERDATA]) { 2516 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT); 2517 if (chain->udata == NULL) { 2518 err = -ENOMEM; 2519 goto err_destroy_chain; 2520 } 2521 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]); 2522 } 2523 2524 blob = nf_tables_chain_alloc_rules(chain, 0); 2525 if (!blob) { 2526 err = -ENOMEM; 2527 goto err_destroy_chain; 2528 } 2529 2530 RCU_INIT_POINTER(chain->blob_gen_0, blob); 2531 RCU_INIT_POINTER(chain->blob_gen_1, blob); 2532 2533 if (!nft_use_inc(&table->use)) { 2534 err = -EMFILE; 2535 goto err_destroy_chain; 2536 } 2537 2538 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 2539 if (IS_ERR(trans)) { 2540 err = PTR_ERR(trans); 2541 goto err_trans; 2542 } 2543 2544 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 2545 if (nft_is_base_chain(chain)) 2546 nft_trans_chain_policy(trans) = policy; 2547 2548 err = nft_chain_add(table, chain); 2549 if (err < 0) 2550 goto err_chain_add; 2551 2552 /* This must be LAST to ensure no packets are walking over this chain. */ 2553 err = nf_tables_register_hook(net, table, chain); 2554 if (err < 0) 2555 goto err_register_hook; 2556 2557 return 0; 2558 2559 err_register_hook: 2560 nft_chain_del(chain); 2561 err_chain_add: 2562 nft_trans_destroy(trans); 2563 err_trans: 2564 nft_use_dec_restore(&table->use); 2565 err_destroy_chain: 2566 nf_tables_chain_destroy(ctx); 2567 2568 return err; 2569 } 2570 2571 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2572 u32 flags, const struct nlattr *attr, 2573 struct netlink_ext_ack *extack) 2574 { 2575 const struct nlattr * const *nla = ctx->nla; 2576 struct nft_base_chain *basechain = NULL; 2577 struct nft_table *table = ctx->table; 2578 struct nft_chain *chain = ctx->chain; 2579 struct nft_chain_hook hook = {}; 2580 struct nft_stats *stats = NULL; 2581 struct nft_hook *h, *next; 2582 struct nf_hook_ops *ops; 2583 struct nft_trans *trans; 2584 bool unregister = false; 2585 int err; 2586 2587 if (chain->flags ^ flags) 2588 return -EOPNOTSUPP; 2589 2590 INIT_LIST_HEAD(&hook.list); 2591 2592 if (nla[NFTA_CHAIN_HOOK]) { 2593 if (!nft_is_base_chain(chain)) { 2594 NL_SET_BAD_ATTR(extack, attr); 2595 return -EEXIST; 2596 } 2597 2598 basechain = nft_base_chain(chain); 2599 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook, 2600 ctx->family, flags, extack); 2601 if (err < 0) 2602 return err; 2603 2604 if (basechain->type != hook.type) { 2605 nft_chain_release_hook(&hook); 2606 NL_SET_BAD_ATTR(extack, attr); 2607 return -EEXIST; 2608 } 2609 2610 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) { 2611 list_for_each_entry_safe(h, next, &hook.list, list) { 2612 h->ops.pf = basechain->ops.pf; 2613 h->ops.hooknum = basechain->ops.hooknum; 2614 h->ops.priority = basechain->ops.priority; 2615 h->ops.priv = basechain->ops.priv; 2616 h->ops.hook = basechain->ops.hook; 2617 2618 if (nft_hook_list_find(&basechain->hook_list, h)) { 2619 list_del(&h->list); 2620 kfree(h); 2621 } 2622 } 2623 } else { 2624 ops = &basechain->ops; 2625 if (ops->hooknum != hook.num || 2626 ops->priority != hook.priority) { 2627 nft_chain_release_hook(&hook); 2628 NL_SET_BAD_ATTR(extack, attr); 2629 return -EEXIST; 2630 } 2631 } 2632 } 2633 2634 if (nla[NFTA_CHAIN_HANDLE] && 2635 nla[NFTA_CHAIN_NAME]) { 2636 struct nft_chain *chain2; 2637 2638 chain2 = nft_chain_lookup(ctx->net, table, 2639 nla[NFTA_CHAIN_NAME], genmask); 2640 if (!IS_ERR(chain2)) { 2641 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2642 err = -EEXIST; 2643 goto err_hooks; 2644 } 2645 } 2646 2647 if (table->flags & __NFT_TABLE_F_UPDATE && 2648 !list_empty(&hook.list)) { 2649 NL_SET_BAD_ATTR(extack, attr); 2650 err = -EOPNOTSUPP; 2651 goto err_hooks; 2652 } 2653 2654 if (!(table->flags & NFT_TABLE_F_DORMANT) && 2655 nft_is_base_chain(chain) && 2656 !list_empty(&hook.list)) { 2657 basechain = nft_base_chain(chain); 2658 ops = &basechain->ops; 2659 2660 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) { 2661 err = nft_netdev_register_hooks(ctx->net, &hook.list); 2662 if (err < 0) 2663 goto err_hooks; 2664 } 2665 } 2666 2667 unregister = true; 2668 2669 if (nla[NFTA_CHAIN_COUNTERS]) { 2670 if (!nft_is_base_chain(chain)) { 2671 err = -EOPNOTSUPP; 2672 goto err_hooks; 2673 } 2674 2675 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2676 if (IS_ERR(stats)) { 2677 err = PTR_ERR(stats); 2678 goto err_hooks; 2679 } 2680 } 2681 2682 err = -ENOMEM; 2683 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, 2684 sizeof(struct nft_trans_chain)); 2685 if (trans == NULL) 2686 goto err_trans; 2687 2688 nft_trans_chain_stats(trans) = stats; 2689 nft_trans_chain_update(trans) = true; 2690 2691 if (nla[NFTA_CHAIN_POLICY]) 2692 nft_trans_chain_policy(trans) = policy; 2693 else 2694 nft_trans_chain_policy(trans) = -1; 2695 2696 if (nla[NFTA_CHAIN_HANDLE] && 2697 nla[NFTA_CHAIN_NAME]) { 2698 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 2699 struct nft_trans *tmp; 2700 char *name; 2701 2702 err = -ENOMEM; 2703 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2704 if (!name) 2705 goto err_trans; 2706 2707 err = -EEXIST; 2708 list_for_each_entry(tmp, &nft_net->commit_list, list) { 2709 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2710 tmp->ctx.table == table && 2711 nft_trans_chain_update(tmp) && 2712 nft_trans_chain_name(tmp) && 2713 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2714 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2715 kfree(name); 2716 goto err_trans; 2717 } 2718 } 2719 2720 nft_trans_chain_name(trans) = name; 2721 } 2722 2723 nft_trans_basechain(trans) = basechain; 2724 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans)); 2725 list_splice(&hook.list, &nft_trans_chain_hooks(trans)); 2726 if (nla[NFTA_CHAIN_HOOK]) 2727 module_put(hook.type->owner); 2728 2729 nft_trans_commit_list_add_tail(ctx->net, trans); 2730 2731 return 0; 2732 2733 err_trans: 2734 free_percpu(stats); 2735 kfree(trans); 2736 err_hooks: 2737 if (nla[NFTA_CHAIN_HOOK]) { 2738 list_for_each_entry_safe(h, next, &hook.list, list) { 2739 if (unregister) 2740 nf_unregister_net_hook(ctx->net, &h->ops); 2741 list_del(&h->list); 2742 kfree_rcu(h, rcu); 2743 } 2744 module_put(hook.type->owner); 2745 } 2746 2747 return err; 2748 } 2749 2750 static struct nft_chain *nft_chain_lookup_byid(const struct net *net, 2751 const struct nft_table *table, 2752 const struct nlattr *nla, u8 genmask) 2753 { 2754 struct nftables_pernet *nft_net = nft_pernet(net); 2755 u32 id = ntohl(nla_get_be32(nla)); 2756 struct nft_trans *trans; 2757 2758 list_for_each_entry(trans, &nft_net->commit_list, list) { 2759 struct nft_chain *chain = trans->ctx.chain; 2760 2761 if (trans->msg_type == NFT_MSG_NEWCHAIN && 2762 chain->table == table && 2763 id == nft_trans_chain_id(trans) && 2764 nft_active_genmask(chain, genmask)) 2765 return chain; 2766 } 2767 return ERR_PTR(-ENOENT); 2768 } 2769 2770 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info, 2771 const struct nlattr * const nla[]) 2772 { 2773 struct nftables_pernet *nft_net = nft_pernet(info->net); 2774 struct netlink_ext_ack *extack = info->extack; 2775 u8 genmask = nft_genmask_next(info->net); 2776 u8 family = info->nfmsg->nfgen_family; 2777 struct nft_chain *chain = NULL; 2778 struct net *net = info->net; 2779 const struct nlattr *attr; 2780 struct nft_table *table; 2781 u8 policy = NF_ACCEPT; 2782 struct nft_ctx ctx; 2783 u64 handle = 0; 2784 u32 flags = 0; 2785 2786 lockdep_assert_held(&nft_net->commit_mutex); 2787 2788 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2789 NETLINK_CB(skb).portid); 2790 if (IS_ERR(table)) { 2791 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2792 return PTR_ERR(table); 2793 } 2794 2795 chain = NULL; 2796 attr = nla[NFTA_CHAIN_NAME]; 2797 2798 if (nla[NFTA_CHAIN_HANDLE]) { 2799 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 2800 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2801 if (IS_ERR(chain)) { 2802 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 2803 return PTR_ERR(chain); 2804 } 2805 attr = nla[NFTA_CHAIN_HANDLE]; 2806 } else if (nla[NFTA_CHAIN_NAME]) { 2807 chain = nft_chain_lookup(net, table, attr, genmask); 2808 if (IS_ERR(chain)) { 2809 if (PTR_ERR(chain) != -ENOENT) { 2810 NL_SET_BAD_ATTR(extack, attr); 2811 return PTR_ERR(chain); 2812 } 2813 chain = NULL; 2814 } 2815 } else if (!nla[NFTA_CHAIN_ID]) { 2816 return -EINVAL; 2817 } 2818 2819 if (nla[NFTA_CHAIN_POLICY]) { 2820 if (chain != NULL && 2821 !nft_is_base_chain(chain)) { 2822 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2823 return -EOPNOTSUPP; 2824 } 2825 2826 if (chain == NULL && 2827 nla[NFTA_CHAIN_HOOK] == NULL) { 2828 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2829 return -EOPNOTSUPP; 2830 } 2831 2832 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 2833 switch (policy) { 2834 case NF_DROP: 2835 case NF_ACCEPT: 2836 break; 2837 default: 2838 return -EINVAL; 2839 } 2840 } 2841 2842 if (nla[NFTA_CHAIN_FLAGS]) 2843 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 2844 else if (chain) 2845 flags = chain->flags; 2846 2847 if (flags & ~NFT_CHAIN_FLAGS) 2848 return -EOPNOTSUPP; 2849 2850 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2851 2852 if (chain != NULL) { 2853 if (chain->flags & NFT_CHAIN_BINDING) 2854 return -EINVAL; 2855 2856 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 2857 NL_SET_BAD_ATTR(extack, attr); 2858 return -EEXIST; 2859 } 2860 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 2861 return -EOPNOTSUPP; 2862 2863 flags |= chain->flags & NFT_CHAIN_BASE; 2864 return nf_tables_updchain(&ctx, genmask, policy, flags, attr, 2865 extack); 2866 } 2867 2868 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack); 2869 } 2870 2871 static int nft_delchain_hook(struct nft_ctx *ctx, 2872 struct nft_base_chain *basechain, 2873 struct netlink_ext_ack *extack) 2874 { 2875 const struct nft_chain *chain = &basechain->chain; 2876 const struct nlattr * const *nla = ctx->nla; 2877 struct nft_chain_hook chain_hook = {}; 2878 struct nft_hook *this, *hook; 2879 LIST_HEAD(chain_del_list); 2880 struct nft_trans *trans; 2881 int err; 2882 2883 if (ctx->table->flags & __NFT_TABLE_F_UPDATE) 2884 return -EOPNOTSUPP; 2885 2886 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook, 2887 ctx->family, chain->flags, extack); 2888 if (err < 0) 2889 return err; 2890 2891 list_for_each_entry(this, &chain_hook.list, list) { 2892 hook = nft_hook_list_find(&basechain->hook_list, this); 2893 if (!hook) { 2894 err = -ENOENT; 2895 goto err_chain_del_hook; 2896 } 2897 list_move(&hook->list, &chain_del_list); 2898 } 2899 2900 trans = nft_trans_alloc(ctx, NFT_MSG_DELCHAIN, 2901 sizeof(struct nft_trans_chain)); 2902 if (!trans) { 2903 err = -ENOMEM; 2904 goto err_chain_del_hook; 2905 } 2906 2907 nft_trans_basechain(trans) = basechain; 2908 nft_trans_chain_update(trans) = true; 2909 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans)); 2910 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans)); 2911 nft_chain_release_hook(&chain_hook); 2912 2913 nft_trans_commit_list_add_tail(ctx->net, trans); 2914 2915 return 0; 2916 2917 err_chain_del_hook: 2918 list_splice(&chain_del_list, &basechain->hook_list); 2919 nft_chain_release_hook(&chain_hook); 2920 2921 return err; 2922 } 2923 2924 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info, 2925 const struct nlattr * const nla[]) 2926 { 2927 struct netlink_ext_ack *extack = info->extack; 2928 u8 genmask = nft_genmask_next(info->net); 2929 u8 family = info->nfmsg->nfgen_family; 2930 struct net *net = info->net; 2931 const struct nlattr *attr; 2932 struct nft_table *table; 2933 struct nft_chain *chain; 2934 struct nft_rule *rule; 2935 struct nft_ctx ctx; 2936 u64 handle; 2937 u32 use; 2938 int err; 2939 2940 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2941 NETLINK_CB(skb).portid); 2942 if (IS_ERR(table)) { 2943 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2944 return PTR_ERR(table); 2945 } 2946 2947 if (nla[NFTA_CHAIN_HANDLE]) { 2948 attr = nla[NFTA_CHAIN_HANDLE]; 2949 handle = be64_to_cpu(nla_get_be64(attr)); 2950 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2951 } else { 2952 attr = nla[NFTA_CHAIN_NAME]; 2953 chain = nft_chain_lookup(net, table, attr, genmask); 2954 } 2955 if (IS_ERR(chain)) { 2956 if (PTR_ERR(chain) == -ENOENT && 2957 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN) 2958 return 0; 2959 2960 NL_SET_BAD_ATTR(extack, attr); 2961 return PTR_ERR(chain); 2962 } 2963 2964 if (nft_chain_binding(chain)) 2965 return -EOPNOTSUPP; 2966 2967 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2968 2969 if (nla[NFTA_CHAIN_HOOK]) { 2970 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN || 2971 chain->flags & NFT_CHAIN_HW_OFFLOAD) 2972 return -EOPNOTSUPP; 2973 2974 if (nft_is_base_chain(chain)) { 2975 struct nft_base_chain *basechain = nft_base_chain(chain); 2976 2977 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 2978 return nft_delchain_hook(&ctx, basechain, extack); 2979 } 2980 } 2981 2982 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 2983 chain->use > 0) 2984 return -EBUSY; 2985 2986 use = chain->use; 2987 list_for_each_entry(rule, &chain->rules, list) { 2988 if (!nft_is_active_next(net, rule)) 2989 continue; 2990 use--; 2991 2992 err = nft_delrule(&ctx, rule); 2993 if (err < 0) 2994 return err; 2995 } 2996 2997 /* There are rules and elements that are still holding references to us, 2998 * we cannot do a recursive removal in this case. 2999 */ 3000 if (use > 0) { 3001 NL_SET_BAD_ATTR(extack, attr); 3002 return -EBUSY; 3003 } 3004 3005 return nft_delchain(&ctx); 3006 } 3007 3008 /* 3009 * Expressions 3010 */ 3011 3012 /** 3013 * nft_register_expr - register nf_tables expr type 3014 * @type: expr type 3015 * 3016 * Registers the expr type for use with nf_tables. Returns zero on 3017 * success or a negative errno code otherwise. 3018 */ 3019 int nft_register_expr(struct nft_expr_type *type) 3020 { 3021 nfnl_lock(NFNL_SUBSYS_NFTABLES); 3022 if (type->family == NFPROTO_UNSPEC) 3023 list_add_tail_rcu(&type->list, &nf_tables_expressions); 3024 else 3025 list_add_rcu(&type->list, &nf_tables_expressions); 3026 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3027 return 0; 3028 } 3029 EXPORT_SYMBOL_GPL(nft_register_expr); 3030 3031 /** 3032 * nft_unregister_expr - unregister nf_tables expr type 3033 * @type: expr type 3034 * 3035 * Unregisters the expr typefor use with nf_tables. 3036 */ 3037 void nft_unregister_expr(struct nft_expr_type *type) 3038 { 3039 nfnl_lock(NFNL_SUBSYS_NFTABLES); 3040 list_del_rcu(&type->list); 3041 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3042 } 3043 EXPORT_SYMBOL_GPL(nft_unregister_expr); 3044 3045 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 3046 struct nlattr *nla) 3047 { 3048 const struct nft_expr_type *type, *candidate = NULL; 3049 3050 list_for_each_entry_rcu(type, &nf_tables_expressions, list) { 3051 if (!nla_strcmp(nla, type->name)) { 3052 if (!type->family && !candidate) 3053 candidate = type; 3054 else if (type->family == family) 3055 candidate = type; 3056 } 3057 } 3058 return candidate; 3059 } 3060 3061 #ifdef CONFIG_MODULES 3062 static int nft_expr_type_request_module(struct net *net, u8 family, 3063 struct nlattr *nla) 3064 { 3065 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 3066 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 3067 return -EAGAIN; 3068 3069 return 0; 3070 } 3071 #endif 3072 3073 static const struct nft_expr_type *nft_expr_type_get(struct net *net, 3074 u8 family, 3075 struct nlattr *nla) 3076 { 3077 const struct nft_expr_type *type; 3078 3079 if (nla == NULL) 3080 return ERR_PTR(-EINVAL); 3081 3082 rcu_read_lock(); 3083 type = __nft_expr_type_get(family, nla); 3084 if (type != NULL && try_module_get(type->owner)) { 3085 rcu_read_unlock(); 3086 return type; 3087 } 3088 rcu_read_unlock(); 3089 3090 lockdep_nfnl_nft_mutex_not_held(); 3091 #ifdef CONFIG_MODULES 3092 if (type == NULL) { 3093 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 3094 return ERR_PTR(-EAGAIN); 3095 3096 if (nft_request_module(net, "nft-expr-%.*s", 3097 nla_len(nla), 3098 (char *)nla_data(nla)) == -EAGAIN) 3099 return ERR_PTR(-EAGAIN); 3100 } 3101 #endif 3102 return ERR_PTR(-ENOENT); 3103 } 3104 3105 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 3106 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 3107 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 3108 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 3109 }; 3110 3111 static int nf_tables_fill_expr_info(struct sk_buff *skb, 3112 const struct nft_expr *expr, bool reset) 3113 { 3114 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 3115 goto nla_put_failure; 3116 3117 if (expr->ops->dump) { 3118 struct nlattr *data = nla_nest_start_noflag(skb, 3119 NFTA_EXPR_DATA); 3120 if (data == NULL) 3121 goto nla_put_failure; 3122 if (expr->ops->dump(skb, expr, reset) < 0) 3123 goto nla_put_failure; 3124 nla_nest_end(skb, data); 3125 } 3126 3127 return skb->len; 3128 3129 nla_put_failure: 3130 return -1; 3131 }; 3132 3133 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 3134 const struct nft_expr *expr, bool reset) 3135 { 3136 struct nlattr *nest; 3137 3138 nest = nla_nest_start_noflag(skb, attr); 3139 if (!nest) 3140 goto nla_put_failure; 3141 if (nf_tables_fill_expr_info(skb, expr, reset) < 0) 3142 goto nla_put_failure; 3143 nla_nest_end(skb, nest); 3144 return 0; 3145 3146 nla_put_failure: 3147 return -1; 3148 } 3149 3150 struct nft_expr_info { 3151 const struct nft_expr_ops *ops; 3152 const struct nlattr *attr; 3153 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 3154 }; 3155 3156 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 3157 const struct nlattr *nla, 3158 struct nft_expr_info *info) 3159 { 3160 const struct nft_expr_type *type; 3161 const struct nft_expr_ops *ops; 3162 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 3163 int err; 3164 3165 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 3166 nft_expr_policy, NULL); 3167 if (err < 0) 3168 return err; 3169 3170 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 3171 if (IS_ERR(type)) 3172 return PTR_ERR(type); 3173 3174 if (tb[NFTA_EXPR_DATA]) { 3175 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 3176 tb[NFTA_EXPR_DATA], 3177 type->policy, NULL); 3178 if (err < 0) 3179 goto err1; 3180 } else 3181 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 3182 3183 if (type->select_ops != NULL) { 3184 ops = type->select_ops(ctx, 3185 (const struct nlattr * const *)info->tb); 3186 if (IS_ERR(ops)) { 3187 err = PTR_ERR(ops); 3188 #ifdef CONFIG_MODULES 3189 if (err == -EAGAIN) 3190 if (nft_expr_type_request_module(ctx->net, 3191 ctx->family, 3192 tb[NFTA_EXPR_NAME]) != -EAGAIN) 3193 err = -ENOENT; 3194 #endif 3195 goto err1; 3196 } 3197 } else 3198 ops = type->ops; 3199 3200 info->attr = nla; 3201 info->ops = ops; 3202 3203 return 0; 3204 3205 err1: 3206 module_put(type->owner); 3207 return err; 3208 } 3209 3210 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla, 3211 struct nft_expr_info *info) 3212 { 3213 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 3214 const struct nft_expr_type *type; 3215 int err; 3216 3217 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 3218 nft_expr_policy, NULL); 3219 if (err < 0) 3220 return err; 3221 3222 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME]) 3223 return -EINVAL; 3224 3225 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]); 3226 if (!type) 3227 return -ENOENT; 3228 3229 if (!type->inner_ops) 3230 return -EOPNOTSUPP; 3231 3232 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 3233 tb[NFTA_EXPR_DATA], 3234 type->policy, NULL); 3235 if (err < 0) 3236 goto err_nla_parse; 3237 3238 info->attr = nla; 3239 info->ops = type->inner_ops; 3240 3241 return 0; 3242 3243 err_nla_parse: 3244 return err; 3245 } 3246 3247 static int nf_tables_newexpr(const struct nft_ctx *ctx, 3248 const struct nft_expr_info *expr_info, 3249 struct nft_expr *expr) 3250 { 3251 const struct nft_expr_ops *ops = expr_info->ops; 3252 int err; 3253 3254 expr->ops = ops; 3255 if (ops->init) { 3256 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb); 3257 if (err < 0) 3258 goto err1; 3259 } 3260 3261 return 0; 3262 err1: 3263 expr->ops = NULL; 3264 return err; 3265 } 3266 3267 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 3268 struct nft_expr *expr) 3269 { 3270 const struct nft_expr_type *type = expr->ops->type; 3271 3272 if (expr->ops->destroy) 3273 expr->ops->destroy(ctx, expr); 3274 module_put(type->owner); 3275 } 3276 3277 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 3278 const struct nlattr *nla) 3279 { 3280 struct nft_expr_info expr_info; 3281 struct nft_expr *expr; 3282 struct module *owner; 3283 int err; 3284 3285 err = nf_tables_expr_parse(ctx, nla, &expr_info); 3286 if (err < 0) 3287 goto err_expr_parse; 3288 3289 err = -EOPNOTSUPP; 3290 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL)) 3291 goto err_expr_stateful; 3292 3293 err = -ENOMEM; 3294 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT); 3295 if (expr == NULL) 3296 goto err_expr_stateful; 3297 3298 err = nf_tables_newexpr(ctx, &expr_info, expr); 3299 if (err < 0) 3300 goto err_expr_new; 3301 3302 return expr; 3303 err_expr_new: 3304 kfree(expr); 3305 err_expr_stateful: 3306 owner = expr_info.ops->type->owner; 3307 if (expr_info.ops->type->release_ops) 3308 expr_info.ops->type->release_ops(expr_info.ops); 3309 3310 module_put(owner); 3311 err_expr_parse: 3312 return ERR_PTR(err); 3313 } 3314 3315 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 3316 { 3317 int err; 3318 3319 if (src->ops->clone) { 3320 dst->ops = src->ops; 3321 err = src->ops->clone(dst, src); 3322 if (err < 0) 3323 return err; 3324 } else { 3325 memcpy(dst, src, src->ops->size); 3326 } 3327 3328 __module_get(src->ops->type->owner); 3329 3330 return 0; 3331 } 3332 3333 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 3334 { 3335 nf_tables_expr_destroy(ctx, expr); 3336 kfree(expr); 3337 } 3338 3339 /* 3340 * Rules 3341 */ 3342 3343 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain, 3344 u64 handle) 3345 { 3346 struct nft_rule *rule; 3347 3348 // FIXME: this sucks 3349 list_for_each_entry_rcu(rule, &chain->rules, list) { 3350 if (handle == rule->handle) 3351 return rule; 3352 } 3353 3354 return ERR_PTR(-ENOENT); 3355 } 3356 3357 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain, 3358 const struct nlattr *nla) 3359 { 3360 if (nla == NULL) 3361 return ERR_PTR(-EINVAL); 3362 3363 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 3364 } 3365 3366 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 3367 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 3368 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3369 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 3370 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 3371 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 3372 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED }, 3373 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 3374 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 3375 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 3376 .len = NFT_USERDATA_MAXLEN }, 3377 [NFTA_RULE_ID] = { .type = NLA_U32 }, 3378 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 3379 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 }, 3380 }; 3381 3382 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 3383 u32 portid, u32 seq, int event, 3384 u32 flags, int family, 3385 const struct nft_table *table, 3386 const struct nft_chain *chain, 3387 const struct nft_rule *rule, u64 handle, 3388 bool reset) 3389 { 3390 struct nlmsghdr *nlh; 3391 const struct nft_expr *expr, *next; 3392 struct nlattr *list; 3393 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3394 3395 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, 3396 nft_base_seq(net)); 3397 if (!nlh) 3398 goto nla_put_failure; 3399 3400 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 3401 goto nla_put_failure; 3402 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 3403 goto nla_put_failure; 3404 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 3405 NFTA_RULE_PAD)) 3406 goto nla_put_failure; 3407 3408 if (event != NFT_MSG_DELRULE && handle) { 3409 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle), 3410 NFTA_RULE_PAD)) 3411 goto nla_put_failure; 3412 } 3413 3414 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) 3415 nft_flow_rule_stats(chain, rule); 3416 3417 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 3418 if (list == NULL) 3419 goto nla_put_failure; 3420 nft_rule_for_each_expr(expr, next, rule) { 3421 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0) 3422 goto nla_put_failure; 3423 } 3424 nla_nest_end(skb, list); 3425 3426 if (rule->udata) { 3427 struct nft_userdata *udata = nft_userdata(rule); 3428 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 3429 udata->data) < 0) 3430 goto nla_put_failure; 3431 } 3432 3433 nlmsg_end(skb, nlh); 3434 return 0; 3435 3436 nla_put_failure: 3437 nlmsg_trim(skb, nlh); 3438 return -1; 3439 } 3440 3441 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 3442 const struct nft_rule *rule, int event) 3443 { 3444 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3445 const struct nft_rule *prule; 3446 struct sk_buff *skb; 3447 u64 handle = 0; 3448 u16 flags = 0; 3449 int err; 3450 3451 if (!ctx->report && 3452 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3453 return; 3454 3455 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 3456 if (skb == NULL) 3457 goto err; 3458 3459 if (event == NFT_MSG_NEWRULE && 3460 !list_is_first(&rule->list, &ctx->chain->rules) && 3461 !list_is_last(&rule->list, &ctx->chain->rules)) { 3462 prule = list_prev_entry(rule, list); 3463 handle = prule->handle; 3464 } 3465 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE)) 3466 flags |= NLM_F_APPEND; 3467 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 3468 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 3469 3470 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 3471 event, flags, ctx->family, ctx->table, 3472 ctx->chain, rule, handle, false); 3473 if (err < 0) { 3474 kfree_skb(skb); 3475 goto err; 3476 } 3477 3478 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 3479 return; 3480 err: 3481 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 3482 } 3483 3484 static void audit_log_rule_reset(const struct nft_table *table, 3485 unsigned int base_seq, 3486 unsigned int nentries) 3487 { 3488 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", 3489 table->name, base_seq); 3490 3491 audit_log_nfcfg(buf, table->family, nentries, 3492 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC); 3493 kfree(buf); 3494 } 3495 3496 struct nft_rule_dump_ctx { 3497 char *table; 3498 char *chain; 3499 }; 3500 3501 static int __nf_tables_dump_rules(struct sk_buff *skb, 3502 unsigned int *idx, 3503 struct netlink_callback *cb, 3504 const struct nft_table *table, 3505 const struct nft_chain *chain, 3506 bool reset) 3507 { 3508 struct net *net = sock_net(skb->sk); 3509 const struct nft_rule *rule, *prule; 3510 unsigned int s_idx = cb->args[0]; 3511 unsigned int entries = 0; 3512 int ret = 0; 3513 u64 handle; 3514 3515 prule = NULL; 3516 list_for_each_entry_rcu(rule, &chain->rules, list) { 3517 if (!nft_is_active(net, rule)) 3518 goto cont_skip; 3519 if (*idx < s_idx) 3520 goto cont; 3521 if (prule) 3522 handle = prule->handle; 3523 else 3524 handle = 0; 3525 3526 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 3527 cb->nlh->nlmsg_seq, 3528 NFT_MSG_NEWRULE, 3529 NLM_F_MULTI | NLM_F_APPEND, 3530 table->family, 3531 table, chain, rule, handle, reset) < 0) { 3532 ret = 1; 3533 break; 3534 } 3535 entries++; 3536 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3537 cont: 3538 prule = rule; 3539 cont_skip: 3540 (*idx)++; 3541 } 3542 3543 if (reset && entries) 3544 audit_log_rule_reset(table, cb->seq, entries); 3545 3546 return ret; 3547 } 3548 3549 static int nf_tables_dump_rules(struct sk_buff *skb, 3550 struct netlink_callback *cb) 3551 { 3552 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3553 const struct nft_rule_dump_ctx *ctx = cb->data; 3554 struct nft_table *table; 3555 const struct nft_chain *chain; 3556 unsigned int idx = 0; 3557 struct net *net = sock_net(skb->sk); 3558 int family = nfmsg->nfgen_family; 3559 struct nftables_pernet *nft_net; 3560 bool reset = false; 3561 3562 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET) 3563 reset = true; 3564 3565 rcu_read_lock(); 3566 nft_net = nft_pernet(net); 3567 cb->seq = READ_ONCE(nft_net->base_seq); 3568 3569 list_for_each_entry_rcu(table, &nft_net->tables, list) { 3570 if (family != NFPROTO_UNSPEC && family != table->family) 3571 continue; 3572 3573 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) 3574 continue; 3575 3576 if (ctx && ctx->table && ctx->chain) { 3577 struct rhlist_head *list, *tmp; 3578 3579 list = rhltable_lookup(&table->chains_ht, ctx->chain, 3580 nft_chain_ht_params); 3581 if (!list) 3582 goto done; 3583 3584 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 3585 if (!nft_is_active(net, chain)) 3586 continue; 3587 __nf_tables_dump_rules(skb, &idx, 3588 cb, table, chain, reset); 3589 break; 3590 } 3591 goto done; 3592 } 3593 3594 list_for_each_entry_rcu(chain, &table->chains, list) { 3595 if (__nf_tables_dump_rules(skb, &idx, 3596 cb, table, chain, reset)) 3597 goto done; 3598 } 3599 3600 if (ctx && ctx->table) 3601 break; 3602 } 3603 done: 3604 rcu_read_unlock(); 3605 3606 cb->args[0] = idx; 3607 return skb->len; 3608 } 3609 3610 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 3611 { 3612 const struct nlattr * const *nla = cb->data; 3613 struct nft_rule_dump_ctx *ctx = NULL; 3614 3615 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) { 3616 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC); 3617 if (!ctx) 3618 return -ENOMEM; 3619 3620 if (nla[NFTA_RULE_TABLE]) { 3621 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], 3622 GFP_ATOMIC); 3623 if (!ctx->table) { 3624 kfree(ctx); 3625 return -ENOMEM; 3626 } 3627 } 3628 if (nla[NFTA_RULE_CHAIN]) { 3629 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], 3630 GFP_ATOMIC); 3631 if (!ctx->chain) { 3632 kfree(ctx->table); 3633 kfree(ctx); 3634 return -ENOMEM; 3635 } 3636 } 3637 } 3638 3639 cb->data = ctx; 3640 return 0; 3641 } 3642 3643 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 3644 { 3645 struct nft_rule_dump_ctx *ctx = cb->data; 3646 3647 if (ctx) { 3648 kfree(ctx->table); 3649 kfree(ctx->chain); 3650 kfree(ctx); 3651 } 3652 return 0; 3653 } 3654 3655 /* called with rcu_read_lock held */ 3656 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info, 3657 const struct nlattr * const nla[]) 3658 { 3659 struct netlink_ext_ack *extack = info->extack; 3660 u8 genmask = nft_genmask_cur(info->net); 3661 u8 family = info->nfmsg->nfgen_family; 3662 const struct nft_chain *chain; 3663 const struct nft_rule *rule; 3664 struct net *net = info->net; 3665 struct nft_table *table; 3666 struct sk_buff *skb2; 3667 bool reset = false; 3668 int err; 3669 3670 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3671 struct netlink_dump_control c = { 3672 .start= nf_tables_dump_rules_start, 3673 .dump = nf_tables_dump_rules, 3674 .done = nf_tables_dump_rules_done, 3675 .module = THIS_MODULE, 3676 .data = (void *)nla, 3677 }; 3678 3679 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 3680 } 3681 3682 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0); 3683 if (IS_ERR(table)) { 3684 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3685 return PTR_ERR(table); 3686 } 3687 3688 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 3689 if (IS_ERR(chain)) { 3690 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3691 return PTR_ERR(chain); 3692 } 3693 3694 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3695 if (IS_ERR(rule)) { 3696 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3697 return PTR_ERR(rule); 3698 } 3699 3700 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3701 if (!skb2) 3702 return -ENOMEM; 3703 3704 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET) 3705 reset = true; 3706 3707 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, 3708 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 3709 family, table, chain, rule, 0, reset); 3710 if (err < 0) 3711 goto err_fill_rule_info; 3712 3713 if (reset) 3714 audit_log_rule_reset(table, nft_pernet(net)->base_seq, 1); 3715 3716 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 3717 3718 err_fill_rule_info: 3719 kfree_skb(skb2); 3720 return err; 3721 } 3722 3723 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) 3724 { 3725 struct nft_expr *expr, *next; 3726 3727 /* 3728 * Careful: some expressions might not be initialized in case this 3729 * is called on error from nf_tables_newrule(). 3730 */ 3731 expr = nft_expr_first(rule); 3732 while (nft_expr_more(rule, expr)) { 3733 next = nft_expr_next(expr); 3734 nf_tables_expr_destroy(ctx, expr); 3735 expr = next; 3736 } 3737 kfree(rule); 3738 } 3739 3740 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 3741 { 3742 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 3743 nf_tables_rule_destroy(ctx, rule); 3744 } 3745 3746 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 3747 { 3748 struct nft_expr *expr, *last; 3749 const struct nft_data *data; 3750 struct nft_rule *rule; 3751 int err; 3752 3753 if (ctx->level == NFT_JUMP_STACK_SIZE) 3754 return -EMLINK; 3755 3756 list_for_each_entry(rule, &chain->rules, list) { 3757 if (fatal_signal_pending(current)) 3758 return -EINTR; 3759 3760 if (!nft_is_active_next(ctx->net, rule)) 3761 continue; 3762 3763 nft_rule_for_each_expr(expr, last, rule) { 3764 if (!expr->ops->validate) 3765 continue; 3766 3767 err = expr->ops->validate(ctx, expr, &data); 3768 if (err < 0) 3769 return err; 3770 } 3771 } 3772 3773 return 0; 3774 } 3775 EXPORT_SYMBOL_GPL(nft_chain_validate); 3776 3777 static int nft_table_validate(struct net *net, const struct nft_table *table) 3778 { 3779 struct nft_chain *chain; 3780 struct nft_ctx ctx = { 3781 .net = net, 3782 .family = table->family, 3783 }; 3784 int err; 3785 3786 list_for_each_entry(chain, &table->chains, list) { 3787 if (!nft_is_base_chain(chain)) 3788 continue; 3789 3790 ctx.chain = chain; 3791 err = nft_chain_validate(&ctx, chain); 3792 if (err < 0) 3793 return err; 3794 3795 cond_resched(); 3796 } 3797 3798 return 0; 3799 } 3800 3801 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, 3802 const struct nft_set_iter *iter, 3803 struct nft_set_elem *elem) 3804 { 3805 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 3806 struct nft_ctx *pctx = (struct nft_ctx *)ctx; 3807 const struct nft_data *data; 3808 int err; 3809 3810 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 3811 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 3812 return 0; 3813 3814 data = nft_set_ext_data(ext); 3815 switch (data->verdict.code) { 3816 case NFT_JUMP: 3817 case NFT_GOTO: 3818 pctx->level++; 3819 err = nft_chain_validate(ctx, data->verdict.chain); 3820 if (err < 0) 3821 return err; 3822 pctx->level--; 3823 break; 3824 default: 3825 break; 3826 } 3827 3828 return 0; 3829 } 3830 3831 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) 3832 { 3833 u8 genmask = nft_genmask_next(ctx->net); 3834 struct nft_set_elem_catchall *catchall; 3835 struct nft_set_elem elem; 3836 struct nft_set_ext *ext; 3837 int ret = 0; 3838 3839 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 3840 ext = nft_set_elem_ext(set, catchall->elem); 3841 if (!nft_set_elem_active(ext, genmask)) 3842 continue; 3843 3844 elem.priv = catchall->elem; 3845 ret = nft_setelem_validate(ctx, set, NULL, &elem); 3846 if (ret < 0) 3847 return ret; 3848 } 3849 3850 return ret; 3851 } 3852 3853 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3854 const struct nft_chain *chain, 3855 const struct nlattr *nla); 3856 3857 #define NFT_RULE_MAXEXPRS 128 3858 3859 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, 3860 const struct nlattr * const nla[]) 3861 { 3862 struct nftables_pernet *nft_net = nft_pernet(info->net); 3863 struct netlink_ext_ack *extack = info->extack; 3864 unsigned int size, i, n, ulen = 0, usize = 0; 3865 u8 genmask = nft_genmask_next(info->net); 3866 struct nft_rule *rule, *old_rule = NULL; 3867 struct nft_expr_info *expr_info = NULL; 3868 u8 family = info->nfmsg->nfgen_family; 3869 struct nft_flow_rule *flow = NULL; 3870 struct net *net = info->net; 3871 struct nft_userdata *udata; 3872 struct nft_table *table; 3873 struct nft_chain *chain; 3874 struct nft_trans *trans; 3875 u64 handle, pos_handle; 3876 struct nft_expr *expr; 3877 struct nft_ctx ctx; 3878 struct nlattr *tmp; 3879 int err, rem; 3880 3881 lockdep_assert_held(&nft_net->commit_mutex); 3882 3883 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3884 NETLINK_CB(skb).portid); 3885 if (IS_ERR(table)) { 3886 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3887 return PTR_ERR(table); 3888 } 3889 3890 if (nla[NFTA_RULE_CHAIN]) { 3891 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3892 genmask); 3893 if (IS_ERR(chain)) { 3894 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3895 return PTR_ERR(chain); 3896 } 3897 3898 } else if (nla[NFTA_RULE_CHAIN_ID]) { 3899 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID], 3900 genmask); 3901 if (IS_ERR(chain)) { 3902 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); 3903 return PTR_ERR(chain); 3904 } 3905 } else { 3906 return -EINVAL; 3907 } 3908 3909 if (nft_chain_is_bound(chain)) 3910 return -EOPNOTSUPP; 3911 3912 if (nla[NFTA_RULE_HANDLE]) { 3913 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 3914 rule = __nft_rule_lookup(chain, handle); 3915 if (IS_ERR(rule)) { 3916 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3917 return PTR_ERR(rule); 3918 } 3919 3920 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 3921 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3922 return -EEXIST; 3923 } 3924 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 3925 old_rule = rule; 3926 else 3927 return -EOPNOTSUPP; 3928 } else { 3929 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) || 3930 info->nlh->nlmsg_flags & NLM_F_REPLACE) 3931 return -EINVAL; 3932 handle = nf_tables_alloc_handle(table); 3933 3934 if (nla[NFTA_RULE_POSITION]) { 3935 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 3936 old_rule = __nft_rule_lookup(chain, pos_handle); 3937 if (IS_ERR(old_rule)) { 3938 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 3939 return PTR_ERR(old_rule); 3940 } 3941 } else if (nla[NFTA_RULE_POSITION_ID]) { 3942 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]); 3943 if (IS_ERR(old_rule)) { 3944 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 3945 return PTR_ERR(old_rule); 3946 } 3947 } 3948 } 3949 3950 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3951 3952 n = 0; 3953 size = 0; 3954 if (nla[NFTA_RULE_EXPRESSIONS]) { 3955 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS, 3956 sizeof(struct nft_expr_info), 3957 GFP_KERNEL); 3958 if (!expr_info) 3959 return -ENOMEM; 3960 3961 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 3962 err = -EINVAL; 3963 if (nla_type(tmp) != NFTA_LIST_ELEM) 3964 goto err_release_expr; 3965 if (n == NFT_RULE_MAXEXPRS) 3966 goto err_release_expr; 3967 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]); 3968 if (err < 0) { 3969 NL_SET_BAD_ATTR(extack, tmp); 3970 goto err_release_expr; 3971 } 3972 size += expr_info[n].ops->size; 3973 n++; 3974 } 3975 } 3976 /* Check for overflow of dlen field */ 3977 err = -EFBIG; 3978 if (size >= 1 << 12) 3979 goto err_release_expr; 3980 3981 if (nla[NFTA_RULE_USERDATA]) { 3982 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 3983 if (ulen > 0) 3984 usize = sizeof(struct nft_userdata) + ulen; 3985 } 3986 3987 err = -ENOMEM; 3988 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT); 3989 if (rule == NULL) 3990 goto err_release_expr; 3991 3992 nft_activate_next(net, rule); 3993 3994 rule->handle = handle; 3995 rule->dlen = size; 3996 rule->udata = ulen ? 1 : 0; 3997 3998 if (ulen) { 3999 udata = nft_userdata(rule); 4000 udata->len = ulen - 1; 4001 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 4002 } 4003 4004 expr = nft_expr_first(rule); 4005 for (i = 0; i < n; i++) { 4006 err = nf_tables_newexpr(&ctx, &expr_info[i], expr); 4007 if (err < 0) { 4008 NL_SET_BAD_ATTR(extack, expr_info[i].attr); 4009 goto err_release_rule; 4010 } 4011 4012 if (expr_info[i].ops->validate) 4013 nft_validate_state_update(table, NFT_VALIDATE_NEED); 4014 4015 expr_info[i].ops = NULL; 4016 expr = nft_expr_next(expr); 4017 } 4018 4019 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 4020 flow = nft_flow_rule_create(net, rule); 4021 if (IS_ERR(flow)) { 4022 err = PTR_ERR(flow); 4023 goto err_release_rule; 4024 } 4025 } 4026 4027 if (!nft_use_inc(&chain->use)) { 4028 err = -EMFILE; 4029 goto err_release_rule; 4030 } 4031 4032 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { 4033 if (nft_chain_binding(chain)) { 4034 err = -EOPNOTSUPP; 4035 goto err_destroy_flow_rule; 4036 } 4037 4038 err = nft_delrule(&ctx, old_rule); 4039 if (err < 0) 4040 goto err_destroy_flow_rule; 4041 4042 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 4043 if (trans == NULL) { 4044 err = -ENOMEM; 4045 goto err_destroy_flow_rule; 4046 } 4047 list_add_tail_rcu(&rule->list, &old_rule->list); 4048 } else { 4049 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 4050 if (!trans) { 4051 err = -ENOMEM; 4052 goto err_destroy_flow_rule; 4053 } 4054 4055 if (info->nlh->nlmsg_flags & NLM_F_APPEND) { 4056 if (old_rule) 4057 list_add_rcu(&rule->list, &old_rule->list); 4058 else 4059 list_add_tail_rcu(&rule->list, &chain->rules); 4060 } else { 4061 if (old_rule) 4062 list_add_tail_rcu(&rule->list, &old_rule->list); 4063 else 4064 list_add_rcu(&rule->list, &chain->rules); 4065 } 4066 } 4067 kvfree(expr_info); 4068 4069 if (flow) 4070 nft_trans_flow_rule(trans) = flow; 4071 4072 if (table->validate_state == NFT_VALIDATE_DO) 4073 return nft_table_validate(net, table); 4074 4075 return 0; 4076 4077 err_destroy_flow_rule: 4078 nft_use_dec_restore(&chain->use); 4079 if (flow) 4080 nft_flow_rule_destroy(flow); 4081 err_release_rule: 4082 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR); 4083 nf_tables_rule_destroy(&ctx, rule); 4084 err_release_expr: 4085 for (i = 0; i < n; i++) { 4086 if (expr_info[i].ops) { 4087 module_put(expr_info[i].ops->type->owner); 4088 if (expr_info[i].ops->type->release_ops) 4089 expr_info[i].ops->type->release_ops(expr_info[i].ops); 4090 } 4091 } 4092 kvfree(expr_info); 4093 4094 return err; 4095 } 4096 4097 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 4098 const struct nft_chain *chain, 4099 const struct nlattr *nla) 4100 { 4101 struct nftables_pernet *nft_net = nft_pernet(net); 4102 u32 id = ntohl(nla_get_be32(nla)); 4103 struct nft_trans *trans; 4104 4105 list_for_each_entry(trans, &nft_net->commit_list, list) { 4106 if (trans->msg_type == NFT_MSG_NEWRULE && 4107 trans->ctx.chain == chain && 4108 id == nft_trans_rule_id(trans)) 4109 return nft_trans_rule(trans); 4110 } 4111 return ERR_PTR(-ENOENT); 4112 } 4113 4114 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, 4115 const struct nlattr * const nla[]) 4116 { 4117 struct netlink_ext_ack *extack = info->extack; 4118 u8 genmask = nft_genmask_next(info->net); 4119 u8 family = info->nfmsg->nfgen_family; 4120 struct nft_chain *chain = NULL; 4121 struct net *net = info->net; 4122 struct nft_table *table; 4123 struct nft_rule *rule; 4124 struct nft_ctx ctx; 4125 int err = 0; 4126 4127 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 4128 NETLINK_CB(skb).portid); 4129 if (IS_ERR(table)) { 4130 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 4131 return PTR_ERR(table); 4132 } 4133 4134 if (nla[NFTA_RULE_CHAIN]) { 4135 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 4136 genmask); 4137 if (IS_ERR(chain)) { 4138 if (PTR_ERR(chain) == -ENOENT && 4139 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE) 4140 return 0; 4141 4142 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 4143 return PTR_ERR(chain); 4144 } 4145 if (nft_chain_binding(chain)) 4146 return -EOPNOTSUPP; 4147 } 4148 4149 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 4150 4151 if (chain) { 4152 if (nla[NFTA_RULE_HANDLE]) { 4153 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 4154 if (IS_ERR(rule)) { 4155 if (PTR_ERR(rule) == -ENOENT && 4156 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE) 4157 return 0; 4158 4159 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4160 return PTR_ERR(rule); 4161 } 4162 4163 err = nft_delrule(&ctx, rule); 4164 } else if (nla[NFTA_RULE_ID]) { 4165 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]); 4166 if (IS_ERR(rule)) { 4167 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 4168 return PTR_ERR(rule); 4169 } 4170 4171 err = nft_delrule(&ctx, rule); 4172 } else { 4173 err = nft_delrule_by_chain(&ctx); 4174 } 4175 } else { 4176 list_for_each_entry(chain, &table->chains, list) { 4177 if (!nft_is_active_next(net, chain)) 4178 continue; 4179 if (nft_chain_binding(chain)) 4180 continue; 4181 4182 ctx.chain = chain; 4183 err = nft_delrule_by_chain(&ctx); 4184 if (err < 0) 4185 break; 4186 } 4187 } 4188 4189 return err; 4190 } 4191 4192 /* 4193 * Sets 4194 */ 4195 static const struct nft_set_type *nft_set_types[] = { 4196 &nft_set_hash_fast_type, 4197 &nft_set_hash_type, 4198 &nft_set_rhash_type, 4199 &nft_set_bitmap_type, 4200 &nft_set_rbtree_type, 4201 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 4202 &nft_set_pipapo_avx2_type, 4203 #endif 4204 &nft_set_pipapo_type, 4205 }; 4206 4207 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 4208 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 4209 NFT_SET_EVAL) 4210 4211 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 4212 { 4213 return (flags & type->features) == (flags & NFT_SET_FEATURES); 4214 } 4215 4216 /* 4217 * Select a set implementation based on the data characteristics and the 4218 * given policy. The total memory use might not be known if no size is 4219 * given, in that case the amount of memory per element is used. 4220 */ 4221 static const struct nft_set_ops * 4222 nft_select_set_ops(const struct nft_ctx *ctx, 4223 const struct nlattr * const nla[], 4224 const struct nft_set_desc *desc) 4225 { 4226 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 4227 const struct nft_set_ops *ops, *bops; 4228 struct nft_set_estimate est, best; 4229 const struct nft_set_type *type; 4230 u32 flags = 0; 4231 int i; 4232 4233 lockdep_assert_held(&nft_net->commit_mutex); 4234 lockdep_nfnl_nft_mutex_not_held(); 4235 4236 if (nla[NFTA_SET_FLAGS] != NULL) 4237 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 4238 4239 bops = NULL; 4240 best.size = ~0; 4241 best.lookup = ~0; 4242 best.space = ~0; 4243 4244 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 4245 type = nft_set_types[i]; 4246 ops = &type->ops; 4247 4248 if (!nft_set_ops_candidate(type, flags)) 4249 continue; 4250 if (!ops->estimate(desc, flags, &est)) 4251 continue; 4252 4253 switch (desc->policy) { 4254 case NFT_SET_POL_PERFORMANCE: 4255 if (est.lookup < best.lookup) 4256 break; 4257 if (est.lookup == best.lookup && 4258 est.space < best.space) 4259 break; 4260 continue; 4261 case NFT_SET_POL_MEMORY: 4262 if (!desc->size) { 4263 if (est.space < best.space) 4264 break; 4265 if (est.space == best.space && 4266 est.lookup < best.lookup) 4267 break; 4268 } else if (est.size < best.size || !bops) { 4269 break; 4270 } 4271 continue; 4272 default: 4273 break; 4274 } 4275 4276 bops = ops; 4277 best = est; 4278 } 4279 4280 if (bops != NULL) 4281 return bops; 4282 4283 return ERR_PTR(-EOPNOTSUPP); 4284 } 4285 4286 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 4287 [NFTA_SET_TABLE] = { .type = NLA_STRING, 4288 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4289 [NFTA_SET_NAME] = { .type = NLA_STRING, 4290 .len = NFT_SET_MAXNAMELEN - 1 }, 4291 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 4292 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 4293 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 4294 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 4295 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 4296 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 4297 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 4298 [NFTA_SET_ID] = { .type = NLA_U32 }, 4299 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 4300 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 4301 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 4302 .len = NFT_USERDATA_MAXLEN }, 4303 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 4304 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 4305 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 4306 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED }, 4307 }; 4308 4309 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 4310 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 4311 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED }, 4312 }; 4313 4314 static struct nft_set *nft_set_lookup(const struct nft_table *table, 4315 const struct nlattr *nla, u8 genmask) 4316 { 4317 struct nft_set *set; 4318 4319 if (nla == NULL) 4320 return ERR_PTR(-EINVAL); 4321 4322 list_for_each_entry_rcu(set, &table->sets, list) { 4323 if (!nla_strcmp(nla, set->name) && 4324 nft_active_genmask(set, genmask)) 4325 return set; 4326 } 4327 return ERR_PTR(-ENOENT); 4328 } 4329 4330 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 4331 const struct nlattr *nla, 4332 u8 genmask) 4333 { 4334 struct nft_set *set; 4335 4336 list_for_each_entry(set, &table->sets, list) { 4337 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 4338 nft_active_genmask(set, genmask)) 4339 return set; 4340 } 4341 return ERR_PTR(-ENOENT); 4342 } 4343 4344 static struct nft_set *nft_set_lookup_byid(const struct net *net, 4345 const struct nft_table *table, 4346 const struct nlattr *nla, u8 genmask) 4347 { 4348 struct nftables_pernet *nft_net = nft_pernet(net); 4349 u32 id = ntohl(nla_get_be32(nla)); 4350 struct nft_trans *trans; 4351 4352 list_for_each_entry(trans, &nft_net->commit_list, list) { 4353 if (trans->msg_type == NFT_MSG_NEWSET) { 4354 struct nft_set *set = nft_trans_set(trans); 4355 4356 if (id == nft_trans_set_id(trans) && 4357 set->table == table && 4358 nft_active_genmask(set, genmask)) 4359 return set; 4360 } 4361 } 4362 return ERR_PTR(-ENOENT); 4363 } 4364 4365 struct nft_set *nft_set_lookup_global(const struct net *net, 4366 const struct nft_table *table, 4367 const struct nlattr *nla_set_name, 4368 const struct nlattr *nla_set_id, 4369 u8 genmask) 4370 { 4371 struct nft_set *set; 4372 4373 set = nft_set_lookup(table, nla_set_name, genmask); 4374 if (IS_ERR(set)) { 4375 if (!nla_set_id) 4376 return set; 4377 4378 set = nft_set_lookup_byid(net, table, nla_set_id, genmask); 4379 } 4380 return set; 4381 } 4382 EXPORT_SYMBOL_GPL(nft_set_lookup_global); 4383 4384 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 4385 const char *name) 4386 { 4387 const struct nft_set *i; 4388 const char *p; 4389 unsigned long *inuse; 4390 unsigned int n = 0, min = 0; 4391 4392 p = strchr(name, '%'); 4393 if (p != NULL) { 4394 if (p[1] != 'd' || strchr(p + 2, '%')) 4395 return -EINVAL; 4396 4397 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN) 4398 return -EINVAL; 4399 4400 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 4401 if (inuse == NULL) 4402 return -ENOMEM; 4403 cont: 4404 list_for_each_entry(i, &ctx->table->sets, list) { 4405 int tmp; 4406 4407 if (!nft_is_active_next(ctx->net, i)) 4408 continue; 4409 if (!sscanf(i->name, name, &tmp)) 4410 continue; 4411 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 4412 continue; 4413 4414 set_bit(tmp - min, inuse); 4415 } 4416 4417 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 4418 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 4419 min += BITS_PER_BYTE * PAGE_SIZE; 4420 memset(inuse, 0, PAGE_SIZE); 4421 goto cont; 4422 } 4423 free_page((unsigned long)inuse); 4424 } 4425 4426 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n); 4427 if (!set->name) 4428 return -ENOMEM; 4429 4430 list_for_each_entry(i, &ctx->table->sets, list) { 4431 if (!nft_is_active_next(ctx->net, i)) 4432 continue; 4433 if (!strcmp(set->name, i->name)) { 4434 kfree(set->name); 4435 set->name = NULL; 4436 return -ENFILE; 4437 } 4438 } 4439 return 0; 4440 } 4441 4442 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 4443 { 4444 u64 ms = be64_to_cpu(nla_get_be64(nla)); 4445 u64 max = (u64)(~((u64)0)); 4446 4447 max = div_u64(max, NSEC_PER_MSEC); 4448 if (ms >= max) 4449 return -ERANGE; 4450 4451 ms *= NSEC_PER_MSEC; 4452 *result = nsecs_to_jiffies64(ms); 4453 return 0; 4454 } 4455 4456 __be64 nf_jiffies64_to_msecs(u64 input) 4457 { 4458 return cpu_to_be64(jiffies64_to_msecs(input)); 4459 } 4460 4461 static int nf_tables_fill_set_concat(struct sk_buff *skb, 4462 const struct nft_set *set) 4463 { 4464 struct nlattr *concat, *field; 4465 int i; 4466 4467 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 4468 if (!concat) 4469 return -ENOMEM; 4470 4471 for (i = 0; i < set->field_count; i++) { 4472 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4473 if (!field) 4474 return -ENOMEM; 4475 4476 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 4477 htonl(set->field_len[i]))) 4478 return -ENOMEM; 4479 4480 nla_nest_end(skb, field); 4481 } 4482 4483 nla_nest_end(skb, concat); 4484 4485 return 0; 4486 } 4487 4488 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 4489 const struct nft_set *set, u16 event, u16 flags) 4490 { 4491 u64 timeout = READ_ONCE(set->timeout); 4492 u32 gc_int = READ_ONCE(set->gc_int); 4493 u32 portid = ctx->portid; 4494 struct nlmsghdr *nlh; 4495 struct nlattr *nest; 4496 u32 seq = ctx->seq; 4497 int i; 4498 4499 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 4500 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 4501 NFNETLINK_V0, nft_base_seq(ctx->net)); 4502 if (!nlh) 4503 goto nla_put_failure; 4504 4505 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 4506 goto nla_put_failure; 4507 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 4508 goto nla_put_failure; 4509 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 4510 NFTA_SET_PAD)) 4511 goto nla_put_failure; 4512 4513 if (event == NFT_MSG_DELSET) { 4514 nlmsg_end(skb, nlh); 4515 return 0; 4516 } 4517 4518 if (set->flags != 0) 4519 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 4520 goto nla_put_failure; 4521 4522 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 4523 goto nla_put_failure; 4524 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 4525 goto nla_put_failure; 4526 if (set->flags & NFT_SET_MAP) { 4527 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 4528 goto nla_put_failure; 4529 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 4530 goto nla_put_failure; 4531 } 4532 if (set->flags & NFT_SET_OBJECT && 4533 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 4534 goto nla_put_failure; 4535 4536 if (timeout && 4537 nla_put_be64(skb, NFTA_SET_TIMEOUT, 4538 nf_jiffies64_to_msecs(timeout), 4539 NFTA_SET_PAD)) 4540 goto nla_put_failure; 4541 if (gc_int && 4542 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int))) 4543 goto nla_put_failure; 4544 4545 if (set->policy != NFT_SET_POL_PERFORMANCE) { 4546 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 4547 goto nla_put_failure; 4548 } 4549 4550 if (set->udata && 4551 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 4552 goto nla_put_failure; 4553 4554 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 4555 if (!nest) 4556 goto nla_put_failure; 4557 if (set->size && 4558 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 4559 goto nla_put_failure; 4560 4561 if (set->field_count > 1 && 4562 nf_tables_fill_set_concat(skb, set)) 4563 goto nla_put_failure; 4564 4565 nla_nest_end(skb, nest); 4566 4567 if (set->num_exprs == 1) { 4568 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 4569 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0) 4570 goto nla_put_failure; 4571 4572 nla_nest_end(skb, nest); 4573 } else if (set->num_exprs > 1) { 4574 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS); 4575 if (nest == NULL) 4576 goto nla_put_failure; 4577 4578 for (i = 0; i < set->num_exprs; i++) { 4579 if (nft_expr_dump(skb, NFTA_LIST_ELEM, 4580 set->exprs[i], false) < 0) 4581 goto nla_put_failure; 4582 } 4583 nla_nest_end(skb, nest); 4584 } 4585 4586 nlmsg_end(skb, nlh); 4587 return 0; 4588 4589 nla_put_failure: 4590 nlmsg_trim(skb, nlh); 4591 return -1; 4592 } 4593 4594 static void nf_tables_set_notify(const struct nft_ctx *ctx, 4595 const struct nft_set *set, int event, 4596 gfp_t gfp_flags) 4597 { 4598 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 4599 u32 portid = ctx->portid; 4600 struct sk_buff *skb; 4601 u16 flags = 0; 4602 int err; 4603 4604 if (!ctx->report && 4605 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 4606 return; 4607 4608 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 4609 if (skb == NULL) 4610 goto err; 4611 4612 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 4613 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 4614 4615 err = nf_tables_fill_set(skb, ctx, set, event, flags); 4616 if (err < 0) { 4617 kfree_skb(skb); 4618 goto err; 4619 } 4620 4621 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 4622 return; 4623 err: 4624 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 4625 } 4626 4627 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 4628 { 4629 const struct nft_set *set; 4630 unsigned int idx, s_idx = cb->args[0]; 4631 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 4632 struct net *net = sock_net(skb->sk); 4633 struct nft_ctx *ctx = cb->data, ctx_set; 4634 struct nftables_pernet *nft_net; 4635 4636 if (cb->args[1]) 4637 return skb->len; 4638 4639 rcu_read_lock(); 4640 nft_net = nft_pernet(net); 4641 cb->seq = READ_ONCE(nft_net->base_seq); 4642 4643 list_for_each_entry_rcu(table, &nft_net->tables, list) { 4644 if (ctx->family != NFPROTO_UNSPEC && 4645 ctx->family != table->family) 4646 continue; 4647 4648 if (ctx->table && ctx->table != table) 4649 continue; 4650 4651 if (cur_table) { 4652 if (cur_table != table) 4653 continue; 4654 4655 cur_table = NULL; 4656 } 4657 idx = 0; 4658 list_for_each_entry_rcu(set, &table->sets, list) { 4659 if (idx < s_idx) 4660 goto cont; 4661 if (!nft_is_active(net, set)) 4662 goto cont; 4663 4664 ctx_set = *ctx; 4665 ctx_set.table = table; 4666 ctx_set.family = table->family; 4667 4668 if (nf_tables_fill_set(skb, &ctx_set, set, 4669 NFT_MSG_NEWSET, 4670 NLM_F_MULTI) < 0) { 4671 cb->args[0] = idx; 4672 cb->args[2] = (unsigned long) table; 4673 goto done; 4674 } 4675 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 4676 cont: 4677 idx++; 4678 } 4679 if (s_idx) 4680 s_idx = 0; 4681 } 4682 cb->args[1] = 1; 4683 done: 4684 rcu_read_unlock(); 4685 return skb->len; 4686 } 4687 4688 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 4689 { 4690 struct nft_ctx *ctx_dump = NULL; 4691 4692 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 4693 if (ctx_dump == NULL) 4694 return -ENOMEM; 4695 4696 cb->data = ctx_dump; 4697 return 0; 4698 } 4699 4700 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 4701 { 4702 kfree(cb->data); 4703 return 0; 4704 } 4705 4706 /* called with rcu_read_lock held */ 4707 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info, 4708 const struct nlattr * const nla[]) 4709 { 4710 struct netlink_ext_ack *extack = info->extack; 4711 u8 genmask = nft_genmask_cur(info->net); 4712 u8 family = info->nfmsg->nfgen_family; 4713 struct nft_table *table = NULL; 4714 struct net *net = info->net; 4715 const struct nft_set *set; 4716 struct sk_buff *skb2; 4717 struct nft_ctx ctx; 4718 int err; 4719 4720 if (nla[NFTA_SET_TABLE]) { 4721 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 4722 genmask, 0); 4723 if (IS_ERR(table)) { 4724 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4725 return PTR_ERR(table); 4726 } 4727 } 4728 4729 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4730 4731 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 4732 struct netlink_dump_control c = { 4733 .start = nf_tables_dump_sets_start, 4734 .dump = nf_tables_dump_sets, 4735 .done = nf_tables_dump_sets_done, 4736 .data = &ctx, 4737 .module = THIS_MODULE, 4738 }; 4739 4740 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 4741 } 4742 4743 /* Only accept unspec with dump */ 4744 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 4745 return -EAFNOSUPPORT; 4746 if (!nla[NFTA_SET_TABLE]) 4747 return -EINVAL; 4748 4749 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4750 if (IS_ERR(set)) 4751 return PTR_ERR(set); 4752 4753 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 4754 if (skb2 == NULL) 4755 return -ENOMEM; 4756 4757 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 4758 if (err < 0) 4759 goto err_fill_set_info; 4760 4761 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 4762 4763 err_fill_set_info: 4764 kfree_skb(skb2); 4765 return err; 4766 } 4767 4768 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 4769 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 4770 }; 4771 4772 static int nft_set_desc_concat_parse(const struct nlattr *attr, 4773 struct nft_set_desc *desc) 4774 { 4775 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 4776 u32 len; 4777 int err; 4778 4779 if (desc->field_count >= ARRAY_SIZE(desc->field_len)) 4780 return -E2BIG; 4781 4782 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 4783 nft_concat_policy, NULL); 4784 if (err < 0) 4785 return err; 4786 4787 if (!tb[NFTA_SET_FIELD_LEN]) 4788 return -EINVAL; 4789 4790 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 4791 if (!len || len > U8_MAX) 4792 return -EINVAL; 4793 4794 desc->field_len[desc->field_count++] = len; 4795 4796 return 0; 4797 } 4798 4799 static int nft_set_desc_concat(struct nft_set_desc *desc, 4800 const struct nlattr *nla) 4801 { 4802 u32 num_regs = 0, key_num_regs = 0; 4803 struct nlattr *attr; 4804 int rem, err, i; 4805 4806 nla_for_each_nested(attr, nla, rem) { 4807 if (nla_type(attr) != NFTA_LIST_ELEM) 4808 return -EINVAL; 4809 4810 err = nft_set_desc_concat_parse(attr, desc); 4811 if (err < 0) 4812 return err; 4813 } 4814 4815 for (i = 0; i < desc->field_count; i++) 4816 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32)); 4817 4818 key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32)); 4819 if (key_num_regs != num_regs) 4820 return -EINVAL; 4821 4822 if (num_regs > NFT_REG32_COUNT) 4823 return -E2BIG; 4824 4825 return 0; 4826 } 4827 4828 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 4829 const struct nlattr *nla) 4830 { 4831 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 4832 int err; 4833 4834 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 4835 nft_set_desc_policy, NULL); 4836 if (err < 0) 4837 return err; 4838 4839 if (da[NFTA_SET_DESC_SIZE] != NULL) 4840 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 4841 if (da[NFTA_SET_DESC_CONCAT]) 4842 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 4843 4844 return err; 4845 } 4846 4847 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set, 4848 const struct nlattr * const *nla, 4849 struct nft_expr **exprs, int *num_exprs, 4850 u32 flags) 4851 { 4852 struct nft_expr *expr; 4853 int err, i; 4854 4855 if (nla[NFTA_SET_EXPR]) { 4856 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]); 4857 if (IS_ERR(expr)) { 4858 err = PTR_ERR(expr); 4859 goto err_set_expr_alloc; 4860 } 4861 exprs[0] = expr; 4862 (*num_exprs)++; 4863 } else if (nla[NFTA_SET_EXPRESSIONS]) { 4864 struct nlattr *tmp; 4865 int left; 4866 4867 if (!(flags & NFT_SET_EXPR)) { 4868 err = -EINVAL; 4869 goto err_set_expr_alloc; 4870 } 4871 i = 0; 4872 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) { 4873 if (i == NFT_SET_EXPR_MAX) { 4874 err = -E2BIG; 4875 goto err_set_expr_alloc; 4876 } 4877 if (nla_type(tmp) != NFTA_LIST_ELEM) { 4878 err = -EINVAL; 4879 goto err_set_expr_alloc; 4880 } 4881 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 4882 if (IS_ERR(expr)) { 4883 err = PTR_ERR(expr); 4884 goto err_set_expr_alloc; 4885 } 4886 exprs[i++] = expr; 4887 (*num_exprs)++; 4888 } 4889 } 4890 4891 return 0; 4892 4893 err_set_expr_alloc: 4894 for (i = 0; i < *num_exprs; i++) 4895 nft_expr_destroy(ctx, exprs[i]); 4896 4897 return err; 4898 } 4899 4900 static bool nft_set_is_same(const struct nft_set *set, 4901 const struct nft_set_desc *desc, 4902 struct nft_expr *exprs[], u32 num_exprs, u32 flags) 4903 { 4904 int i; 4905 4906 if (set->ktype != desc->ktype || 4907 set->dtype != desc->dtype || 4908 set->flags != flags || 4909 set->klen != desc->klen || 4910 set->dlen != desc->dlen || 4911 set->field_count != desc->field_count || 4912 set->num_exprs != num_exprs) 4913 return false; 4914 4915 for (i = 0; i < desc->field_count; i++) { 4916 if (set->field_len[i] != desc->field_len[i]) 4917 return false; 4918 } 4919 4920 for (i = 0; i < num_exprs; i++) { 4921 if (set->exprs[i]->ops != exprs[i]->ops) 4922 return false; 4923 } 4924 4925 return true; 4926 } 4927 4928 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 4929 const struct nlattr * const nla[]) 4930 { 4931 struct netlink_ext_ack *extack = info->extack; 4932 u8 genmask = nft_genmask_next(info->net); 4933 u8 family = info->nfmsg->nfgen_family; 4934 const struct nft_set_ops *ops; 4935 struct net *net = info->net; 4936 struct nft_set_desc desc; 4937 struct nft_table *table; 4938 unsigned char *udata; 4939 struct nft_set *set; 4940 struct nft_ctx ctx; 4941 size_t alloc_size; 4942 int num_exprs = 0; 4943 char *name; 4944 int err, i; 4945 u16 udlen; 4946 u32 flags; 4947 u64 size; 4948 4949 if (nla[NFTA_SET_TABLE] == NULL || 4950 nla[NFTA_SET_NAME] == NULL || 4951 nla[NFTA_SET_KEY_LEN] == NULL || 4952 nla[NFTA_SET_ID] == NULL) 4953 return -EINVAL; 4954 4955 memset(&desc, 0, sizeof(desc)); 4956 4957 desc.ktype = NFT_DATA_VALUE; 4958 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 4959 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 4960 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 4961 return -EINVAL; 4962 } 4963 4964 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 4965 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 4966 return -EINVAL; 4967 4968 flags = 0; 4969 if (nla[NFTA_SET_FLAGS] != NULL) { 4970 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 4971 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 4972 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 4973 NFT_SET_MAP | NFT_SET_EVAL | 4974 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR)) 4975 return -EOPNOTSUPP; 4976 /* Only one of these operations is supported */ 4977 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 4978 (NFT_SET_MAP | NFT_SET_OBJECT)) 4979 return -EOPNOTSUPP; 4980 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 4981 (NFT_SET_EVAL | NFT_SET_OBJECT)) 4982 return -EOPNOTSUPP; 4983 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) == 4984 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT)) 4985 return -EOPNOTSUPP; 4986 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) == 4987 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) 4988 return -EOPNOTSUPP; 4989 } 4990 4991 desc.dtype = 0; 4992 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 4993 if (!(flags & NFT_SET_MAP)) 4994 return -EINVAL; 4995 4996 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 4997 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 4998 desc.dtype != NFT_DATA_VERDICT) 4999 return -EINVAL; 5000 5001 if (desc.dtype != NFT_DATA_VERDICT) { 5002 if (nla[NFTA_SET_DATA_LEN] == NULL) 5003 return -EINVAL; 5004 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 5005 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 5006 return -EINVAL; 5007 } else 5008 desc.dlen = sizeof(struct nft_verdict); 5009 } else if (flags & NFT_SET_MAP) 5010 return -EINVAL; 5011 5012 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 5013 if (!(flags & NFT_SET_OBJECT)) 5014 return -EINVAL; 5015 5016 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 5017 if (desc.objtype == NFT_OBJECT_UNSPEC || 5018 desc.objtype > NFT_OBJECT_MAX) 5019 return -EOPNOTSUPP; 5020 } else if (flags & NFT_SET_OBJECT) 5021 return -EINVAL; 5022 else 5023 desc.objtype = NFT_OBJECT_UNSPEC; 5024 5025 desc.timeout = 0; 5026 if (nla[NFTA_SET_TIMEOUT] != NULL) { 5027 if (!(flags & NFT_SET_TIMEOUT)) 5028 return -EINVAL; 5029 5030 if (flags & NFT_SET_ANONYMOUS) 5031 return -EOPNOTSUPP; 5032 5033 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout); 5034 if (err) 5035 return err; 5036 } 5037 desc.gc_int = 0; 5038 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 5039 if (!(flags & NFT_SET_TIMEOUT)) 5040 return -EINVAL; 5041 5042 if (flags & NFT_SET_ANONYMOUS) 5043 return -EOPNOTSUPP; 5044 5045 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 5046 } 5047 5048 desc.policy = NFT_SET_POL_PERFORMANCE; 5049 if (nla[NFTA_SET_POLICY] != NULL) { 5050 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 5051 switch (desc.policy) { 5052 case NFT_SET_POL_PERFORMANCE: 5053 case NFT_SET_POL_MEMORY: 5054 break; 5055 default: 5056 return -EOPNOTSUPP; 5057 } 5058 } 5059 5060 if (nla[NFTA_SET_DESC] != NULL) { 5061 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 5062 if (err < 0) 5063 return err; 5064 5065 if (desc.field_count > 1) { 5066 if (!(flags & NFT_SET_CONCAT)) 5067 return -EINVAL; 5068 } else if (flags & NFT_SET_CONCAT) { 5069 return -EINVAL; 5070 } 5071 } else if (flags & NFT_SET_CONCAT) { 5072 return -EINVAL; 5073 } 5074 5075 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS]) 5076 desc.expr = true; 5077 5078 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask, 5079 NETLINK_CB(skb).portid); 5080 if (IS_ERR(table)) { 5081 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5082 return PTR_ERR(table); 5083 } 5084 5085 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5086 5087 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 5088 if (IS_ERR(set)) { 5089 if (PTR_ERR(set) != -ENOENT) { 5090 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5091 return PTR_ERR(set); 5092 } 5093 } else { 5094 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {}; 5095 5096 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 5097 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5098 return -EEXIST; 5099 } 5100 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 5101 return -EOPNOTSUPP; 5102 5103 if (nft_set_is_anonymous(set)) 5104 return -EOPNOTSUPP; 5105 5106 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags); 5107 if (err < 0) 5108 return err; 5109 5110 err = 0; 5111 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) { 5112 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5113 err = -EEXIST; 5114 } 5115 5116 for (i = 0; i < num_exprs; i++) 5117 nft_expr_destroy(&ctx, exprs[i]); 5118 5119 if (err < 0) 5120 return err; 5121 5122 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc); 5123 } 5124 5125 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) 5126 return -ENOENT; 5127 5128 ops = nft_select_set_ops(&ctx, nla, &desc); 5129 if (IS_ERR(ops)) 5130 return PTR_ERR(ops); 5131 5132 udlen = 0; 5133 if (nla[NFTA_SET_USERDATA]) 5134 udlen = nla_len(nla[NFTA_SET_USERDATA]); 5135 5136 size = 0; 5137 if (ops->privsize != NULL) 5138 size = ops->privsize(nla, &desc); 5139 alloc_size = sizeof(*set) + size + udlen; 5140 if (alloc_size < size || alloc_size > INT_MAX) 5141 return -ENOMEM; 5142 5143 if (!nft_use_inc(&table->use)) 5144 return -EMFILE; 5145 5146 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT); 5147 if (!set) { 5148 err = -ENOMEM; 5149 goto err_alloc; 5150 } 5151 5152 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT); 5153 if (!name) { 5154 err = -ENOMEM; 5155 goto err_set_name; 5156 } 5157 5158 err = nf_tables_set_alloc_name(&ctx, set, name); 5159 kfree(name); 5160 if (err < 0) 5161 goto err_set_name; 5162 5163 udata = NULL; 5164 if (udlen) { 5165 udata = set->data + size; 5166 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 5167 } 5168 5169 INIT_LIST_HEAD(&set->bindings); 5170 INIT_LIST_HEAD(&set->catchall_list); 5171 refcount_set(&set->refs, 1); 5172 set->table = table; 5173 write_pnet(&set->net, net); 5174 set->ops = ops; 5175 set->ktype = desc.ktype; 5176 set->klen = desc.klen; 5177 set->dtype = desc.dtype; 5178 set->objtype = desc.objtype; 5179 set->dlen = desc.dlen; 5180 set->flags = flags; 5181 set->size = desc.size; 5182 set->policy = desc.policy; 5183 set->udlen = udlen; 5184 set->udata = udata; 5185 set->timeout = desc.timeout; 5186 set->gc_int = desc.gc_int; 5187 5188 set->field_count = desc.field_count; 5189 for (i = 0; i < desc.field_count; i++) 5190 set->field_len[i] = desc.field_len[i]; 5191 5192 err = ops->init(set, &desc, nla); 5193 if (err < 0) 5194 goto err_set_init; 5195 5196 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags); 5197 if (err < 0) 5198 goto err_set_destroy; 5199 5200 set->num_exprs = num_exprs; 5201 set->handle = nf_tables_alloc_handle(table); 5202 INIT_LIST_HEAD(&set->pending_update); 5203 5204 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 5205 if (err < 0) 5206 goto err_set_expr_alloc; 5207 5208 list_add_tail_rcu(&set->list, &table->sets); 5209 5210 return 0; 5211 5212 err_set_expr_alloc: 5213 for (i = 0; i < set->num_exprs; i++) 5214 nft_expr_destroy(&ctx, set->exprs[i]); 5215 err_set_destroy: 5216 ops->destroy(&ctx, set); 5217 err_set_init: 5218 kfree(set->name); 5219 err_set_name: 5220 kvfree(set); 5221 err_alloc: 5222 nft_use_dec_restore(&table->use); 5223 5224 return err; 5225 } 5226 5227 static void nft_set_catchall_destroy(const struct nft_ctx *ctx, 5228 struct nft_set *set) 5229 { 5230 struct nft_set_elem_catchall *next, *catchall; 5231 5232 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5233 list_del_rcu(&catchall->list); 5234 nf_tables_set_elem_destroy(ctx, set, catchall->elem); 5235 kfree_rcu(catchall, rcu); 5236 } 5237 } 5238 5239 static void nft_set_put(struct nft_set *set) 5240 { 5241 if (refcount_dec_and_test(&set->refs)) { 5242 kfree(set->name); 5243 kvfree(set); 5244 } 5245 } 5246 5247 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 5248 { 5249 int i; 5250 5251 if (WARN_ON(set->use > 0)) 5252 return; 5253 5254 for (i = 0; i < set->num_exprs; i++) 5255 nft_expr_destroy(ctx, set->exprs[i]); 5256 5257 set->ops->destroy(ctx, set); 5258 nft_set_catchall_destroy(ctx, set); 5259 nft_set_put(set); 5260 } 5261 5262 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info, 5263 const struct nlattr * const nla[]) 5264 { 5265 struct netlink_ext_ack *extack = info->extack; 5266 u8 genmask = nft_genmask_next(info->net); 5267 u8 family = info->nfmsg->nfgen_family; 5268 struct net *net = info->net; 5269 const struct nlattr *attr; 5270 struct nft_table *table; 5271 struct nft_set *set; 5272 struct nft_ctx ctx; 5273 5274 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 5275 return -EAFNOSUPPORT; 5276 5277 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 5278 genmask, NETLINK_CB(skb).portid); 5279 if (IS_ERR(table)) { 5280 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5281 return PTR_ERR(table); 5282 } 5283 5284 if (nla[NFTA_SET_HANDLE]) { 5285 attr = nla[NFTA_SET_HANDLE]; 5286 set = nft_set_lookup_byhandle(table, attr, genmask); 5287 } else { 5288 attr = nla[NFTA_SET_NAME]; 5289 set = nft_set_lookup(table, attr, genmask); 5290 } 5291 5292 if (IS_ERR(set)) { 5293 if (PTR_ERR(set) == -ENOENT && 5294 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET) 5295 return 0; 5296 5297 NL_SET_BAD_ATTR(extack, attr); 5298 return PTR_ERR(set); 5299 } 5300 if (set->use || 5301 (info->nlh->nlmsg_flags & NLM_F_NONREC && 5302 atomic_read(&set->nelems) > 0)) { 5303 NL_SET_BAD_ATTR(extack, attr); 5304 return -EBUSY; 5305 } 5306 5307 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5308 5309 return nft_delset(&ctx, set); 5310 } 5311 5312 static int nft_validate_register_store(const struct nft_ctx *ctx, 5313 enum nft_registers reg, 5314 const struct nft_data *data, 5315 enum nft_data_types type, 5316 unsigned int len); 5317 5318 static int nft_setelem_data_validate(const struct nft_ctx *ctx, 5319 struct nft_set *set, 5320 struct nft_set_elem *elem) 5321 { 5322 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5323 enum nft_registers dreg; 5324 5325 dreg = nft_type_to_reg(set->dtype); 5326 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 5327 set->dtype == NFT_DATA_VERDICT ? 5328 NFT_DATA_VERDICT : NFT_DATA_VALUE, 5329 set->dlen); 5330 } 5331 5332 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 5333 struct nft_set *set, 5334 const struct nft_set_iter *iter, 5335 struct nft_set_elem *elem) 5336 { 5337 return nft_setelem_data_validate(ctx, set, elem); 5338 } 5339 5340 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx, 5341 struct nft_set *set) 5342 { 5343 u8 genmask = nft_genmask_next(ctx->net); 5344 struct nft_set_elem_catchall *catchall; 5345 struct nft_set_elem elem; 5346 struct nft_set_ext *ext; 5347 int ret = 0; 5348 5349 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5350 ext = nft_set_elem_ext(set, catchall->elem); 5351 if (!nft_set_elem_active(ext, genmask)) 5352 continue; 5353 5354 elem.priv = catchall->elem; 5355 ret = nft_setelem_data_validate(ctx, set, &elem); 5356 if (ret < 0) 5357 break; 5358 } 5359 5360 return ret; 5361 } 5362 5363 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 5364 struct nft_set_binding *binding) 5365 { 5366 struct nft_set_binding *i; 5367 struct nft_set_iter iter; 5368 5369 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 5370 return -EBUSY; 5371 5372 if (binding->flags & NFT_SET_MAP) { 5373 /* If the set is already bound to the same chain all 5374 * jumps are already validated for that chain. 5375 */ 5376 list_for_each_entry(i, &set->bindings, list) { 5377 if (i->flags & NFT_SET_MAP && 5378 i->chain == binding->chain) 5379 goto bind; 5380 } 5381 5382 iter.genmask = nft_genmask_next(ctx->net); 5383 iter.skip = 0; 5384 iter.count = 0; 5385 iter.err = 0; 5386 iter.fn = nf_tables_bind_check_setelem; 5387 5388 set->ops->walk(ctx, set, &iter); 5389 if (!iter.err) 5390 iter.err = nft_set_catchall_bind_check(ctx, set); 5391 5392 if (iter.err < 0) 5393 return iter.err; 5394 } 5395 bind: 5396 if (!nft_use_inc(&set->use)) 5397 return -EMFILE; 5398 5399 binding->chain = ctx->chain; 5400 list_add_tail_rcu(&binding->list, &set->bindings); 5401 nft_set_trans_bind(ctx, set); 5402 5403 return 0; 5404 } 5405 EXPORT_SYMBOL_GPL(nf_tables_bind_set); 5406 5407 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 5408 struct nft_set_binding *binding, bool event) 5409 { 5410 list_del_rcu(&binding->list); 5411 5412 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 5413 list_del_rcu(&set->list); 5414 set->dead = 1; 5415 if (event) 5416 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 5417 GFP_KERNEL); 5418 } 5419 } 5420 5421 static void nft_setelem_data_activate(const struct net *net, 5422 const struct nft_set *set, 5423 struct nft_set_elem *elem); 5424 5425 static int nft_mapelem_activate(const struct nft_ctx *ctx, 5426 struct nft_set *set, 5427 const struct nft_set_iter *iter, 5428 struct nft_set_elem *elem) 5429 { 5430 nft_setelem_data_activate(ctx->net, set, elem); 5431 5432 return 0; 5433 } 5434 5435 static void nft_map_catchall_activate(const struct nft_ctx *ctx, 5436 struct nft_set *set) 5437 { 5438 u8 genmask = nft_genmask_next(ctx->net); 5439 struct nft_set_elem_catchall *catchall; 5440 struct nft_set_elem elem; 5441 struct nft_set_ext *ext; 5442 5443 list_for_each_entry(catchall, &set->catchall_list, list) { 5444 ext = nft_set_elem_ext(set, catchall->elem); 5445 if (!nft_set_elem_active(ext, genmask)) 5446 continue; 5447 5448 elem.priv = catchall->elem; 5449 nft_setelem_data_activate(ctx->net, set, &elem); 5450 break; 5451 } 5452 } 5453 5454 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set) 5455 { 5456 struct nft_set_iter iter = { 5457 .genmask = nft_genmask_next(ctx->net), 5458 .fn = nft_mapelem_activate, 5459 }; 5460 5461 set->ops->walk(ctx, set, &iter); 5462 WARN_ON_ONCE(iter.err); 5463 5464 nft_map_catchall_activate(ctx, set); 5465 } 5466 5467 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) 5468 { 5469 if (nft_set_is_anonymous(set)) { 5470 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5471 nft_map_activate(ctx, set); 5472 5473 nft_clear(ctx->net, set); 5474 } 5475 5476 nft_use_inc_restore(&set->use); 5477 } 5478 EXPORT_SYMBOL_GPL(nf_tables_activate_set); 5479 5480 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 5481 struct nft_set_binding *binding, 5482 enum nft_trans_phase phase) 5483 { 5484 switch (phase) { 5485 case NFT_TRANS_PREPARE_ERROR: 5486 nft_set_trans_unbind(ctx, set); 5487 if (nft_set_is_anonymous(set)) 5488 nft_deactivate_next(ctx->net, set); 5489 else 5490 list_del_rcu(&binding->list); 5491 5492 nft_use_dec(&set->use); 5493 break; 5494 case NFT_TRANS_PREPARE: 5495 if (nft_set_is_anonymous(set)) { 5496 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5497 nft_map_deactivate(ctx, set); 5498 5499 nft_deactivate_next(ctx->net, set); 5500 } 5501 nft_use_dec(&set->use); 5502 return; 5503 case NFT_TRANS_ABORT: 5504 case NFT_TRANS_RELEASE: 5505 if (nft_set_is_anonymous(set) && 5506 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5507 nft_map_deactivate(ctx, set); 5508 5509 nft_use_dec(&set->use); 5510 fallthrough; 5511 default: 5512 nf_tables_unbind_set(ctx, set, binding, 5513 phase == NFT_TRANS_COMMIT); 5514 } 5515 } 5516 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 5517 5518 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 5519 { 5520 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 5521 nft_set_destroy(ctx, set); 5522 } 5523 EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 5524 5525 const struct nft_set_ext_type nft_set_ext_types[] = { 5526 [NFT_SET_EXT_KEY] = { 5527 .align = __alignof__(u32), 5528 }, 5529 [NFT_SET_EXT_DATA] = { 5530 .align = __alignof__(u32), 5531 }, 5532 [NFT_SET_EXT_EXPRESSIONS] = { 5533 .align = __alignof__(struct nft_set_elem_expr), 5534 }, 5535 [NFT_SET_EXT_OBJREF] = { 5536 .len = sizeof(struct nft_object *), 5537 .align = __alignof__(struct nft_object *), 5538 }, 5539 [NFT_SET_EXT_FLAGS] = { 5540 .len = sizeof(u8), 5541 .align = __alignof__(u8), 5542 }, 5543 [NFT_SET_EXT_TIMEOUT] = { 5544 .len = sizeof(u64), 5545 .align = __alignof__(u64), 5546 }, 5547 [NFT_SET_EXT_EXPIRATION] = { 5548 .len = sizeof(u64), 5549 .align = __alignof__(u64), 5550 }, 5551 [NFT_SET_EXT_USERDATA] = { 5552 .len = sizeof(struct nft_userdata), 5553 .align = __alignof__(struct nft_userdata), 5554 }, 5555 [NFT_SET_EXT_KEY_END] = { 5556 .align = __alignof__(u32), 5557 }, 5558 }; 5559 5560 /* 5561 * Set elements 5562 */ 5563 5564 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 5565 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 5566 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 5567 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 5568 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 5569 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 5570 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 5571 .len = NFT_USERDATA_MAXLEN }, 5572 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 5573 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 5574 .len = NFT_OBJ_MAXNAMELEN - 1 }, 5575 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 5576 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED }, 5577 }; 5578 5579 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 5580 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 5581 .len = NFT_TABLE_MAXNAMELEN - 1 }, 5582 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 5583 .len = NFT_SET_MAXNAMELEN - 1 }, 5584 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED }, 5585 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 5586 }; 5587 5588 static int nft_set_elem_expr_dump(struct sk_buff *skb, 5589 const struct nft_set *set, 5590 const struct nft_set_ext *ext, 5591 bool reset) 5592 { 5593 struct nft_set_elem_expr *elem_expr; 5594 u32 size, num_exprs = 0; 5595 struct nft_expr *expr; 5596 struct nlattr *nest; 5597 5598 elem_expr = nft_set_ext_expr(ext); 5599 nft_setelem_expr_foreach(expr, elem_expr, size) 5600 num_exprs++; 5601 5602 if (num_exprs == 1) { 5603 expr = nft_setelem_expr_at(elem_expr, 0); 5604 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0) 5605 return -1; 5606 5607 return 0; 5608 } else if (num_exprs > 1) { 5609 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS); 5610 if (nest == NULL) 5611 goto nla_put_failure; 5612 5613 nft_setelem_expr_foreach(expr, elem_expr, size) { 5614 expr = nft_setelem_expr_at(elem_expr, size); 5615 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0) 5616 goto nla_put_failure; 5617 } 5618 nla_nest_end(skb, nest); 5619 } 5620 return 0; 5621 5622 nla_put_failure: 5623 return -1; 5624 } 5625 5626 static int nf_tables_fill_setelem(struct sk_buff *skb, 5627 const struct nft_set *set, 5628 const struct nft_set_elem *elem, 5629 bool reset) 5630 { 5631 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5632 unsigned char *b = skb_tail_pointer(skb); 5633 struct nlattr *nest; 5634 5635 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 5636 if (nest == NULL) 5637 goto nla_put_failure; 5638 5639 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 5640 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 5641 NFT_DATA_VALUE, set->klen) < 0) 5642 goto nla_put_failure; 5643 5644 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 5645 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 5646 NFT_DATA_VALUE, set->klen) < 0) 5647 goto nla_put_failure; 5648 5649 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 5650 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 5651 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, 5652 set->dlen) < 0) 5653 goto nla_put_failure; 5654 5655 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) && 5656 nft_set_elem_expr_dump(skb, set, ext, reset)) 5657 goto nla_put_failure; 5658 5659 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 5660 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 5661 (*nft_set_ext_obj(ext))->key.name) < 0) 5662 goto nla_put_failure; 5663 5664 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 5665 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 5666 htonl(*nft_set_ext_flags(ext)))) 5667 goto nla_put_failure; 5668 5669 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 5670 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 5671 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)), 5672 NFTA_SET_ELEM_PAD)) 5673 goto nla_put_failure; 5674 5675 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 5676 u64 expires, now = get_jiffies_64(); 5677 5678 expires = *nft_set_ext_expiration(ext); 5679 if (time_before64(now, expires)) 5680 expires -= now; 5681 else 5682 expires = 0; 5683 5684 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 5685 nf_jiffies64_to_msecs(expires), 5686 NFTA_SET_ELEM_PAD)) 5687 goto nla_put_failure; 5688 } 5689 5690 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 5691 struct nft_userdata *udata; 5692 5693 udata = nft_set_ext_userdata(ext); 5694 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 5695 udata->len + 1, udata->data)) 5696 goto nla_put_failure; 5697 } 5698 5699 nla_nest_end(skb, nest); 5700 return 0; 5701 5702 nla_put_failure: 5703 nlmsg_trim(skb, b); 5704 return -EMSGSIZE; 5705 } 5706 5707 struct nft_set_dump_args { 5708 const struct netlink_callback *cb; 5709 struct nft_set_iter iter; 5710 struct sk_buff *skb; 5711 bool reset; 5712 }; 5713 5714 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 5715 struct nft_set *set, 5716 const struct nft_set_iter *iter, 5717 struct nft_set_elem *elem) 5718 { 5719 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5720 struct nft_set_dump_args *args; 5721 5722 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) 5723 return 0; 5724 5725 args = container_of(iter, struct nft_set_dump_args, iter); 5726 return nf_tables_fill_setelem(args->skb, set, elem, args->reset); 5727 } 5728 5729 static void audit_log_nft_set_reset(const struct nft_table *table, 5730 unsigned int base_seq, 5731 unsigned int nentries) 5732 { 5733 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq); 5734 5735 audit_log_nfcfg(buf, table->family, nentries, 5736 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC); 5737 kfree(buf); 5738 } 5739 5740 struct nft_set_dump_ctx { 5741 const struct nft_set *set; 5742 struct nft_ctx ctx; 5743 }; 5744 5745 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb, 5746 const struct nft_set *set, bool reset, 5747 unsigned int base_seq) 5748 { 5749 struct nft_set_elem_catchall *catchall; 5750 u8 genmask = nft_genmask_cur(net); 5751 struct nft_set_elem elem; 5752 struct nft_set_ext *ext; 5753 int ret = 0; 5754 5755 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5756 ext = nft_set_elem_ext(set, catchall->elem); 5757 if (!nft_set_elem_active(ext, genmask) || 5758 nft_set_elem_expired(ext)) 5759 continue; 5760 5761 elem.priv = catchall->elem; 5762 ret = nf_tables_fill_setelem(skb, set, &elem, reset); 5763 if (reset && !ret) 5764 audit_log_nft_set_reset(set->table, base_seq, 1); 5765 break; 5766 } 5767 5768 return ret; 5769 } 5770 5771 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 5772 { 5773 struct nft_set_dump_ctx *dump_ctx = cb->data; 5774 struct net *net = sock_net(skb->sk); 5775 struct nftables_pernet *nft_net; 5776 struct nft_table *table; 5777 struct nft_set *set; 5778 struct nft_set_dump_args args; 5779 bool set_found = false; 5780 struct nlmsghdr *nlh; 5781 struct nlattr *nest; 5782 bool reset = false; 5783 u32 portid, seq; 5784 int event; 5785 5786 rcu_read_lock(); 5787 nft_net = nft_pernet(net); 5788 cb->seq = READ_ONCE(nft_net->base_seq); 5789 5790 list_for_each_entry_rcu(table, &nft_net->tables, list) { 5791 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 5792 dump_ctx->ctx.family != table->family) 5793 continue; 5794 5795 if (table != dump_ctx->ctx.table) 5796 continue; 5797 5798 list_for_each_entry_rcu(set, &table->sets, list) { 5799 if (set == dump_ctx->set) { 5800 set_found = true; 5801 break; 5802 } 5803 } 5804 break; 5805 } 5806 5807 if (!set_found) { 5808 rcu_read_unlock(); 5809 return -ENOENT; 5810 } 5811 5812 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 5813 portid = NETLINK_CB(cb->skb).portid; 5814 seq = cb->nlh->nlmsg_seq; 5815 5816 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, 5817 table->family, NFNETLINK_V0, nft_base_seq(net)); 5818 if (!nlh) 5819 goto nla_put_failure; 5820 5821 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 5822 goto nla_put_failure; 5823 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 5824 goto nla_put_failure; 5825 5826 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 5827 if (nest == NULL) 5828 goto nla_put_failure; 5829 5830 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETSETELEM_RESET) 5831 reset = true; 5832 5833 args.cb = cb; 5834 args.skb = skb; 5835 args.reset = reset; 5836 args.iter.genmask = nft_genmask_cur(net); 5837 args.iter.skip = cb->args[0]; 5838 args.iter.count = 0; 5839 args.iter.err = 0; 5840 args.iter.fn = nf_tables_dump_setelem; 5841 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 5842 5843 if (!args.iter.err && args.iter.count == cb->args[0]) 5844 args.iter.err = nft_set_catchall_dump(net, skb, set, 5845 reset, cb->seq); 5846 nla_nest_end(skb, nest); 5847 nlmsg_end(skb, nlh); 5848 5849 if (reset && args.iter.count > args.iter.skip) 5850 audit_log_nft_set_reset(table, cb->seq, 5851 args.iter.count - args.iter.skip); 5852 5853 rcu_read_unlock(); 5854 5855 if (args.iter.err && args.iter.err != -EMSGSIZE) 5856 return args.iter.err; 5857 if (args.iter.count == cb->args[0]) 5858 return 0; 5859 5860 cb->args[0] = args.iter.count; 5861 return skb->len; 5862 5863 nla_put_failure: 5864 rcu_read_unlock(); 5865 return -ENOSPC; 5866 } 5867 5868 static int nf_tables_dump_set_start(struct netlink_callback *cb) 5869 { 5870 struct nft_set_dump_ctx *dump_ctx = cb->data; 5871 5872 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 5873 5874 return cb->data ? 0 : -ENOMEM; 5875 } 5876 5877 static int nf_tables_dump_set_done(struct netlink_callback *cb) 5878 { 5879 kfree(cb->data); 5880 return 0; 5881 } 5882 5883 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 5884 const struct nft_ctx *ctx, u32 seq, 5885 u32 portid, int event, u16 flags, 5886 const struct nft_set *set, 5887 const struct nft_set_elem *elem, 5888 bool reset) 5889 { 5890 struct nlmsghdr *nlh; 5891 struct nlattr *nest; 5892 int err; 5893 5894 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 5895 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 5896 NFNETLINK_V0, nft_base_seq(ctx->net)); 5897 if (!nlh) 5898 goto nla_put_failure; 5899 5900 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 5901 goto nla_put_failure; 5902 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 5903 goto nla_put_failure; 5904 5905 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 5906 if (nest == NULL) 5907 goto nla_put_failure; 5908 5909 err = nf_tables_fill_setelem(skb, set, elem, reset); 5910 if (err < 0) 5911 goto nla_put_failure; 5912 5913 nla_nest_end(skb, nest); 5914 5915 nlmsg_end(skb, nlh); 5916 return 0; 5917 5918 nla_put_failure: 5919 nlmsg_trim(skb, nlh); 5920 return -1; 5921 } 5922 5923 static int nft_setelem_parse_flags(const struct nft_set *set, 5924 const struct nlattr *attr, u32 *flags) 5925 { 5926 if (attr == NULL) 5927 return 0; 5928 5929 *flags = ntohl(nla_get_be32(attr)); 5930 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 5931 return -EOPNOTSUPP; 5932 if (!(set->flags & NFT_SET_INTERVAL) && 5933 *flags & NFT_SET_ELEM_INTERVAL_END) 5934 return -EINVAL; 5935 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) == 5936 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 5937 return -EINVAL; 5938 5939 return 0; 5940 } 5941 5942 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set, 5943 struct nft_data *key, struct nlattr *attr) 5944 { 5945 struct nft_data_desc desc = { 5946 .type = NFT_DATA_VALUE, 5947 .size = NFT_DATA_VALUE_MAXLEN, 5948 .len = set->klen, 5949 }; 5950 5951 return nft_data_init(ctx, key, &desc, attr); 5952 } 5953 5954 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 5955 struct nft_data_desc *desc, 5956 struct nft_data *data, 5957 struct nlattr *attr) 5958 { 5959 u32 dtype; 5960 5961 if (set->dtype == NFT_DATA_VERDICT) 5962 dtype = NFT_DATA_VERDICT; 5963 else 5964 dtype = NFT_DATA_VALUE; 5965 5966 desc->type = dtype; 5967 desc->size = NFT_DATA_VALUE_MAXLEN; 5968 desc->len = set->dlen; 5969 desc->flags = NFT_DATA_DESC_SETELEM; 5970 5971 return nft_data_init(ctx, data, desc, attr); 5972 } 5973 5974 static void *nft_setelem_catchall_get(const struct net *net, 5975 const struct nft_set *set) 5976 { 5977 struct nft_set_elem_catchall *catchall; 5978 u8 genmask = nft_genmask_cur(net); 5979 struct nft_set_ext *ext; 5980 void *priv = NULL; 5981 5982 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5983 ext = nft_set_elem_ext(set, catchall->elem); 5984 if (!nft_set_elem_active(ext, genmask) || 5985 nft_set_elem_expired(ext)) 5986 continue; 5987 5988 priv = catchall->elem; 5989 break; 5990 } 5991 5992 return priv; 5993 } 5994 5995 static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set, 5996 struct nft_set_elem *elem, u32 flags) 5997 { 5998 void *priv; 5999 6000 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 6001 priv = set->ops->get(ctx->net, set, elem, flags); 6002 if (IS_ERR(priv)) 6003 return PTR_ERR(priv); 6004 } else { 6005 priv = nft_setelem_catchall_get(ctx->net, set); 6006 if (!priv) 6007 return -ENOENT; 6008 } 6009 elem->priv = priv; 6010 6011 return 0; 6012 } 6013 6014 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, 6015 const struct nlattr *attr, bool reset) 6016 { 6017 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 6018 struct nft_set_elem elem; 6019 struct sk_buff *skb; 6020 uint32_t flags = 0; 6021 int err; 6022 6023 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 6024 nft_set_elem_policy, NULL); 6025 if (err < 0) 6026 return err; 6027 6028 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 6029 if (err < 0) 6030 return err; 6031 6032 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 6033 return -EINVAL; 6034 6035 if (nla[NFTA_SET_ELEM_KEY]) { 6036 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 6037 nla[NFTA_SET_ELEM_KEY]); 6038 if (err < 0) 6039 return err; 6040 } 6041 6042 if (nla[NFTA_SET_ELEM_KEY_END]) { 6043 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 6044 nla[NFTA_SET_ELEM_KEY_END]); 6045 if (err < 0) 6046 return err; 6047 } 6048 6049 err = nft_setelem_get(ctx, set, &elem, flags); 6050 if (err < 0) 6051 return err; 6052 6053 err = -ENOMEM; 6054 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 6055 if (skb == NULL) 6056 return err; 6057 6058 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 6059 NFT_MSG_NEWSETELEM, 0, set, &elem, 6060 reset); 6061 if (err < 0) 6062 goto err_fill_setelem; 6063 6064 return nfnetlink_unicast(skb, ctx->net, ctx->portid); 6065 6066 err_fill_setelem: 6067 kfree_skb(skb); 6068 return err; 6069 } 6070 6071 /* called with rcu_read_lock held */ 6072 static int nf_tables_getsetelem(struct sk_buff *skb, 6073 const struct nfnl_info *info, 6074 const struct nlattr * const nla[]) 6075 { 6076 struct netlink_ext_ack *extack = info->extack; 6077 u8 genmask = nft_genmask_cur(info->net); 6078 u8 family = info->nfmsg->nfgen_family; 6079 int rem, err = 0, nelems = 0; 6080 struct net *net = info->net; 6081 struct nft_table *table; 6082 struct nft_set *set; 6083 struct nlattr *attr; 6084 struct nft_ctx ctx; 6085 bool reset = false; 6086 6087 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6088 genmask, 0); 6089 if (IS_ERR(table)) { 6090 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6091 return PTR_ERR(table); 6092 } 6093 6094 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 6095 if (IS_ERR(set)) 6096 return PTR_ERR(set); 6097 6098 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6099 6100 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 6101 struct netlink_dump_control c = { 6102 .start = nf_tables_dump_set_start, 6103 .dump = nf_tables_dump_set, 6104 .done = nf_tables_dump_set_done, 6105 .module = THIS_MODULE, 6106 }; 6107 struct nft_set_dump_ctx dump_ctx = { 6108 .set = set, 6109 .ctx = ctx, 6110 }; 6111 6112 c.data = &dump_ctx; 6113 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 6114 } 6115 6116 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 6117 return -EINVAL; 6118 6119 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETSETELEM_RESET) 6120 reset = true; 6121 6122 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6123 err = nft_get_set_elem(&ctx, set, attr, reset); 6124 if (err < 0) { 6125 NL_SET_BAD_ATTR(extack, attr); 6126 break; 6127 } 6128 nelems++; 6129 } 6130 6131 if (reset) 6132 audit_log_nft_set_reset(table, nft_pernet(net)->base_seq, 6133 nelems); 6134 6135 return err; 6136 } 6137 6138 static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 6139 const struct nft_set *set, 6140 const struct nft_set_elem *elem, 6141 int event) 6142 { 6143 struct nftables_pernet *nft_net; 6144 struct net *net = ctx->net; 6145 u32 portid = ctx->portid; 6146 struct sk_buff *skb; 6147 u16 flags = 0; 6148 int err; 6149 6150 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 6151 return; 6152 6153 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 6154 if (skb == NULL) 6155 goto err; 6156 6157 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 6158 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 6159 6160 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 6161 set, elem, false); 6162 if (err < 0) { 6163 kfree_skb(skb); 6164 goto err; 6165 } 6166 6167 nft_net = nft_pernet(net); 6168 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 6169 return; 6170 err: 6171 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 6172 } 6173 6174 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 6175 int msg_type, 6176 struct nft_set *set) 6177 { 6178 struct nft_trans *trans; 6179 6180 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 6181 if (trans == NULL) 6182 return NULL; 6183 6184 nft_trans_elem_set(trans) = set; 6185 return trans; 6186 } 6187 6188 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 6189 const struct nft_set *set, 6190 const struct nlattr *attr) 6191 { 6192 struct nft_expr *expr; 6193 int err; 6194 6195 expr = nft_expr_init(ctx, attr); 6196 if (IS_ERR(expr)) 6197 return expr; 6198 6199 err = -EOPNOTSUPP; 6200 if (expr->ops->type->flags & NFT_EXPR_GC) { 6201 if (set->flags & NFT_SET_TIMEOUT) 6202 goto err_set_elem_expr; 6203 if (!set->ops->gc_init) 6204 goto err_set_elem_expr; 6205 set->ops->gc_init(set); 6206 } 6207 6208 return expr; 6209 6210 err_set_elem_expr: 6211 nft_expr_destroy(ctx, expr); 6212 return ERR_PTR(err); 6213 } 6214 6215 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len) 6216 { 6217 len += nft_set_ext_types[id].len; 6218 if (len > tmpl->ext_len[id] || 6219 len > U8_MAX) 6220 return -1; 6221 6222 return 0; 6223 } 6224 6225 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id, 6226 void *to, const void *from, u32 len) 6227 { 6228 if (nft_set_ext_check(tmpl, id, len) < 0) 6229 return -1; 6230 6231 memcpy(to, from, len); 6232 6233 return 0; 6234 } 6235 6236 void *nft_set_elem_init(const struct nft_set *set, 6237 const struct nft_set_ext_tmpl *tmpl, 6238 const u32 *key, const u32 *key_end, 6239 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp) 6240 { 6241 struct nft_set_ext *ext; 6242 void *elem; 6243 6244 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 6245 if (elem == NULL) 6246 return ERR_PTR(-ENOMEM); 6247 6248 ext = nft_set_elem_ext(set, elem); 6249 nft_set_ext_init(ext, tmpl); 6250 6251 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 6252 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY, 6253 nft_set_ext_key(ext), key, set->klen) < 0) 6254 goto err_ext_check; 6255 6256 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 6257 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END, 6258 nft_set_ext_key_end(ext), key_end, set->klen) < 0) 6259 goto err_ext_check; 6260 6261 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 6262 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA, 6263 nft_set_ext_data(ext), data, set->dlen) < 0) 6264 goto err_ext_check; 6265 6266 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 6267 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration; 6268 if (expiration == 0) 6269 *nft_set_ext_expiration(ext) += timeout; 6270 } 6271 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 6272 *nft_set_ext_timeout(ext) = timeout; 6273 6274 return elem; 6275 6276 err_ext_check: 6277 kfree(elem); 6278 6279 return ERR_PTR(-EINVAL); 6280 } 6281 6282 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 6283 struct nft_expr *expr) 6284 { 6285 if (expr->ops->destroy_clone) { 6286 expr->ops->destroy_clone(ctx, expr); 6287 module_put(expr->ops->type->owner); 6288 } else { 6289 nf_tables_expr_destroy(ctx, expr); 6290 } 6291 } 6292 6293 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 6294 struct nft_set_elem_expr *elem_expr) 6295 { 6296 struct nft_expr *expr; 6297 u32 size; 6298 6299 nft_setelem_expr_foreach(expr, elem_expr, size) 6300 __nft_set_elem_expr_destroy(ctx, expr); 6301 } 6302 6303 /* Drop references and destroy. Called from gc, dynset and abort path. */ 6304 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 6305 bool destroy_expr) 6306 { 6307 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 6308 struct nft_ctx ctx = { 6309 .net = read_pnet(&set->net), 6310 .family = set->table->family, 6311 }; 6312 6313 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 6314 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6315 nft_data_release(nft_set_ext_data(ext), set->dtype); 6316 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 6317 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext)); 6318 6319 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6320 nft_use_dec(&(*nft_set_ext_obj(ext))->use); 6321 kfree(elem); 6322 } 6323 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 6324 6325 /* Destroy element. References have been already dropped in the preparation 6326 * path via nft_setelem_data_deactivate(). 6327 */ 6328 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 6329 const struct nft_set *set, void *elem) 6330 { 6331 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 6332 6333 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 6334 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 6335 6336 kfree(elem); 6337 } 6338 6339 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, 6340 struct nft_expr *expr_array[]) 6341 { 6342 struct nft_expr *expr; 6343 int err, i, k; 6344 6345 for (i = 0; i < set->num_exprs; i++) { 6346 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT); 6347 if (!expr) 6348 goto err_expr; 6349 6350 err = nft_expr_clone(expr, set->exprs[i]); 6351 if (err < 0) { 6352 kfree(expr); 6353 goto err_expr; 6354 } 6355 expr_array[i] = expr; 6356 } 6357 6358 return 0; 6359 6360 err_expr: 6361 for (k = i - 1; k >= 0; k--) 6362 nft_expr_destroy(ctx, expr_array[k]); 6363 6364 return -ENOMEM; 6365 } 6366 6367 static int nft_set_elem_expr_setup(struct nft_ctx *ctx, 6368 const struct nft_set_ext_tmpl *tmpl, 6369 const struct nft_set_ext *ext, 6370 struct nft_expr *expr_array[], 6371 u32 num_exprs) 6372 { 6373 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); 6374 u32 len = sizeof(struct nft_set_elem_expr); 6375 struct nft_expr *expr; 6376 int i, err; 6377 6378 if (num_exprs == 0) 6379 return 0; 6380 6381 for (i = 0; i < num_exprs; i++) 6382 len += expr_array[i]->ops->size; 6383 6384 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0) 6385 return -EINVAL; 6386 6387 for (i = 0; i < num_exprs; i++) { 6388 expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 6389 err = nft_expr_clone(expr, expr_array[i]); 6390 if (err < 0) 6391 goto err_elem_expr_setup; 6392 6393 elem_expr->size += expr_array[i]->ops->size; 6394 nft_expr_destroy(ctx, expr_array[i]); 6395 expr_array[i] = NULL; 6396 } 6397 6398 return 0; 6399 6400 err_elem_expr_setup: 6401 for (; i < num_exprs; i++) { 6402 nft_expr_destroy(ctx, expr_array[i]); 6403 expr_array[i] = NULL; 6404 } 6405 6406 return -ENOMEM; 6407 } 6408 6409 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net, 6410 const struct nft_set *set) 6411 { 6412 struct nft_set_elem_catchall *catchall; 6413 u8 genmask = nft_genmask_cur(net); 6414 struct nft_set_ext *ext; 6415 6416 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6417 ext = nft_set_elem_ext(set, catchall->elem); 6418 if (nft_set_elem_active(ext, genmask) && 6419 !nft_set_elem_expired(ext) && 6420 !nft_set_elem_is_dead(ext)) 6421 return ext; 6422 } 6423 6424 return NULL; 6425 } 6426 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup); 6427 6428 static int nft_setelem_catchall_insert(const struct net *net, 6429 struct nft_set *set, 6430 const struct nft_set_elem *elem, 6431 struct nft_set_ext **pext) 6432 { 6433 struct nft_set_elem_catchall *catchall; 6434 u8 genmask = nft_genmask_next(net); 6435 struct nft_set_ext *ext; 6436 6437 list_for_each_entry(catchall, &set->catchall_list, list) { 6438 ext = nft_set_elem_ext(set, catchall->elem); 6439 if (nft_set_elem_active(ext, genmask)) { 6440 *pext = ext; 6441 return -EEXIST; 6442 } 6443 } 6444 6445 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL); 6446 if (!catchall) 6447 return -ENOMEM; 6448 6449 catchall->elem = elem->priv; 6450 list_add_tail_rcu(&catchall->list, &set->catchall_list); 6451 6452 return 0; 6453 } 6454 6455 static int nft_setelem_insert(const struct net *net, 6456 struct nft_set *set, 6457 const struct nft_set_elem *elem, 6458 struct nft_set_ext **ext, unsigned int flags) 6459 { 6460 int ret; 6461 6462 if (flags & NFT_SET_ELEM_CATCHALL) 6463 ret = nft_setelem_catchall_insert(net, set, elem, ext); 6464 else 6465 ret = set->ops->insert(net, set, elem, ext); 6466 6467 return ret; 6468 } 6469 6470 static bool nft_setelem_is_catchall(const struct nft_set *set, 6471 const struct nft_set_elem *elem) 6472 { 6473 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 6474 6475 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 6476 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL) 6477 return true; 6478 6479 return false; 6480 } 6481 6482 static void nft_setelem_activate(struct net *net, struct nft_set *set, 6483 struct nft_set_elem *elem) 6484 { 6485 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 6486 6487 if (nft_setelem_is_catchall(set, elem)) { 6488 nft_set_elem_change_active(net, set, ext); 6489 } else { 6490 set->ops->activate(net, set, elem); 6491 } 6492 } 6493 6494 static int nft_setelem_catchall_deactivate(const struct net *net, 6495 struct nft_set *set, 6496 struct nft_set_elem *elem) 6497 { 6498 struct nft_set_elem_catchall *catchall; 6499 struct nft_set_ext *ext; 6500 6501 list_for_each_entry(catchall, &set->catchall_list, list) { 6502 ext = nft_set_elem_ext(set, catchall->elem); 6503 if (!nft_is_active_next(net, ext)) 6504 continue; 6505 6506 kfree(elem->priv); 6507 elem->priv = catchall->elem; 6508 nft_set_elem_change_active(net, set, ext); 6509 return 0; 6510 } 6511 6512 return -ENOENT; 6513 } 6514 6515 static int __nft_setelem_deactivate(const struct net *net, 6516 struct nft_set *set, 6517 struct nft_set_elem *elem) 6518 { 6519 void *priv; 6520 6521 priv = set->ops->deactivate(net, set, elem); 6522 if (!priv) 6523 return -ENOENT; 6524 6525 kfree(elem->priv); 6526 elem->priv = priv; 6527 set->ndeact++; 6528 6529 return 0; 6530 } 6531 6532 static int nft_setelem_deactivate(const struct net *net, 6533 struct nft_set *set, 6534 struct nft_set_elem *elem, u32 flags) 6535 { 6536 int ret; 6537 6538 if (flags & NFT_SET_ELEM_CATCHALL) 6539 ret = nft_setelem_catchall_deactivate(net, set, elem); 6540 else 6541 ret = __nft_setelem_deactivate(net, set, elem); 6542 6543 return ret; 6544 } 6545 6546 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall) 6547 { 6548 list_del_rcu(&catchall->list); 6549 kfree_rcu(catchall, rcu); 6550 } 6551 6552 static void nft_setelem_catchall_remove(const struct net *net, 6553 const struct nft_set *set, 6554 const struct nft_set_elem *elem) 6555 { 6556 struct nft_set_elem_catchall *catchall, *next; 6557 6558 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 6559 if (catchall->elem == elem->priv) { 6560 nft_setelem_catchall_destroy(catchall); 6561 break; 6562 } 6563 } 6564 } 6565 6566 static void nft_setelem_remove(const struct net *net, 6567 const struct nft_set *set, 6568 const struct nft_set_elem *elem) 6569 { 6570 if (nft_setelem_is_catchall(set, elem)) 6571 nft_setelem_catchall_remove(net, set, elem); 6572 else 6573 set->ops->remove(net, set, elem); 6574 } 6575 6576 static bool nft_setelem_valid_key_end(const struct nft_set *set, 6577 struct nlattr **nla, u32 flags) 6578 { 6579 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) == 6580 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) { 6581 if (flags & NFT_SET_ELEM_INTERVAL_END) 6582 return false; 6583 6584 if (nla[NFTA_SET_ELEM_KEY_END] && 6585 flags & NFT_SET_ELEM_CATCHALL) 6586 return false; 6587 } else { 6588 if (nla[NFTA_SET_ELEM_KEY_END]) 6589 return false; 6590 } 6591 6592 return true; 6593 } 6594 6595 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 6596 const struct nlattr *attr, u32 nlmsg_flags) 6597 { 6598 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {}; 6599 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 6600 u8 genmask = nft_genmask_next(ctx->net); 6601 u32 flags = 0, size = 0, num_exprs = 0; 6602 struct nft_set_ext_tmpl tmpl; 6603 struct nft_set_ext *ext, *ext2; 6604 struct nft_set_elem elem; 6605 struct nft_set_binding *binding; 6606 struct nft_object *obj = NULL; 6607 struct nft_userdata *udata; 6608 struct nft_data_desc desc; 6609 enum nft_registers dreg; 6610 struct nft_trans *trans; 6611 u64 timeout; 6612 u64 expiration; 6613 int err, i; 6614 u8 ulen; 6615 6616 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 6617 nft_set_elem_policy, NULL); 6618 if (err < 0) 6619 return err; 6620 6621 nft_set_ext_prepare(&tmpl); 6622 6623 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 6624 if (err < 0) 6625 return err; 6626 6627 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) || 6628 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY])) 6629 return -EINVAL; 6630 6631 if (flags != 0) { 6632 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 6633 if (err < 0) 6634 return err; 6635 } 6636 6637 if (set->flags & NFT_SET_MAP) { 6638 if (nla[NFTA_SET_ELEM_DATA] == NULL && 6639 !(flags & NFT_SET_ELEM_INTERVAL_END)) 6640 return -EINVAL; 6641 } else { 6642 if (nla[NFTA_SET_ELEM_DATA] != NULL) 6643 return -EINVAL; 6644 } 6645 6646 if (set->flags & NFT_SET_OBJECT) { 6647 if (!nla[NFTA_SET_ELEM_OBJREF] && 6648 !(flags & NFT_SET_ELEM_INTERVAL_END)) 6649 return -EINVAL; 6650 } else { 6651 if (nla[NFTA_SET_ELEM_OBJREF]) 6652 return -EINVAL; 6653 } 6654 6655 if (!nft_setelem_valid_key_end(set, nla, flags)) 6656 return -EINVAL; 6657 6658 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 6659 (nla[NFTA_SET_ELEM_DATA] || 6660 nla[NFTA_SET_ELEM_OBJREF] || 6661 nla[NFTA_SET_ELEM_TIMEOUT] || 6662 nla[NFTA_SET_ELEM_EXPIRATION] || 6663 nla[NFTA_SET_ELEM_USERDATA] || 6664 nla[NFTA_SET_ELEM_EXPR] || 6665 nla[NFTA_SET_ELEM_KEY_END] || 6666 nla[NFTA_SET_ELEM_EXPRESSIONS])) 6667 return -EINVAL; 6668 6669 timeout = 0; 6670 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 6671 if (!(set->flags & NFT_SET_TIMEOUT)) 6672 return -EINVAL; 6673 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 6674 &timeout); 6675 if (err) 6676 return err; 6677 } else if (set->flags & NFT_SET_TIMEOUT && 6678 !(flags & NFT_SET_ELEM_INTERVAL_END)) { 6679 timeout = READ_ONCE(set->timeout); 6680 } 6681 6682 expiration = 0; 6683 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 6684 if (!(set->flags & NFT_SET_TIMEOUT)) 6685 return -EINVAL; 6686 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 6687 &expiration); 6688 if (err) 6689 return err; 6690 } 6691 6692 if (nla[NFTA_SET_ELEM_EXPR]) { 6693 struct nft_expr *expr; 6694 6695 if (set->num_exprs && set->num_exprs != 1) 6696 return -EOPNOTSUPP; 6697 6698 expr = nft_set_elem_expr_alloc(ctx, set, 6699 nla[NFTA_SET_ELEM_EXPR]); 6700 if (IS_ERR(expr)) 6701 return PTR_ERR(expr); 6702 6703 expr_array[0] = expr; 6704 num_exprs = 1; 6705 6706 if (set->num_exprs && set->exprs[0]->ops != expr->ops) { 6707 err = -EOPNOTSUPP; 6708 goto err_set_elem_expr; 6709 } 6710 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) { 6711 struct nft_expr *expr; 6712 struct nlattr *tmp; 6713 int left; 6714 6715 i = 0; 6716 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) { 6717 if (i == NFT_SET_EXPR_MAX || 6718 (set->num_exprs && set->num_exprs == i)) { 6719 err = -E2BIG; 6720 goto err_set_elem_expr; 6721 } 6722 if (nla_type(tmp) != NFTA_LIST_ELEM) { 6723 err = -EINVAL; 6724 goto err_set_elem_expr; 6725 } 6726 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 6727 if (IS_ERR(expr)) { 6728 err = PTR_ERR(expr); 6729 goto err_set_elem_expr; 6730 } 6731 expr_array[i] = expr; 6732 num_exprs++; 6733 6734 if (set->num_exprs && expr->ops != set->exprs[i]->ops) { 6735 err = -EOPNOTSUPP; 6736 goto err_set_elem_expr; 6737 } 6738 i++; 6739 } 6740 if (set->num_exprs && set->num_exprs != i) { 6741 err = -EOPNOTSUPP; 6742 goto err_set_elem_expr; 6743 } 6744 } else if (set->num_exprs > 0 && 6745 !(flags & NFT_SET_ELEM_INTERVAL_END)) { 6746 err = nft_set_elem_expr_clone(ctx, set, expr_array); 6747 if (err < 0) 6748 goto err_set_elem_expr_clone; 6749 6750 num_exprs = set->num_exprs; 6751 } 6752 6753 if (nla[NFTA_SET_ELEM_KEY]) { 6754 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 6755 nla[NFTA_SET_ELEM_KEY]); 6756 if (err < 0) 6757 goto err_set_elem_expr; 6758 6759 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 6760 if (err < 0) 6761 goto err_parse_key; 6762 } 6763 6764 if (nla[NFTA_SET_ELEM_KEY_END]) { 6765 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 6766 nla[NFTA_SET_ELEM_KEY_END]); 6767 if (err < 0) 6768 goto err_parse_key; 6769 6770 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 6771 if (err < 0) 6772 goto err_parse_key_end; 6773 } 6774 6775 if (timeout > 0) { 6776 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION); 6777 if (err < 0) 6778 goto err_parse_key_end; 6779 6780 if (timeout != READ_ONCE(set->timeout)) { 6781 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 6782 if (err < 0) 6783 goto err_parse_key_end; 6784 } 6785 } 6786 6787 if (num_exprs) { 6788 for (i = 0; i < num_exprs; i++) 6789 size += expr_array[i]->ops->size; 6790 6791 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS, 6792 sizeof(struct nft_set_elem_expr) + size); 6793 if (err < 0) 6794 goto err_parse_key_end; 6795 } 6796 6797 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 6798 obj = nft_obj_lookup(ctx->net, ctx->table, 6799 nla[NFTA_SET_ELEM_OBJREF], 6800 set->objtype, genmask); 6801 if (IS_ERR(obj)) { 6802 err = PTR_ERR(obj); 6803 obj = NULL; 6804 goto err_parse_key_end; 6805 } 6806 6807 if (!nft_use_inc(&obj->use)) { 6808 err = -EMFILE; 6809 obj = NULL; 6810 goto err_parse_key_end; 6811 } 6812 6813 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 6814 if (err < 0) 6815 goto err_parse_key_end; 6816 } 6817 6818 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 6819 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 6820 nla[NFTA_SET_ELEM_DATA]); 6821 if (err < 0) 6822 goto err_parse_key_end; 6823 6824 dreg = nft_type_to_reg(set->dtype); 6825 list_for_each_entry(binding, &set->bindings, list) { 6826 struct nft_ctx bind_ctx = { 6827 .net = ctx->net, 6828 .family = ctx->family, 6829 .table = ctx->table, 6830 .chain = (struct nft_chain *)binding->chain, 6831 }; 6832 6833 if (!(binding->flags & NFT_SET_MAP)) 6834 continue; 6835 6836 err = nft_validate_register_store(&bind_ctx, dreg, 6837 &elem.data.val, 6838 desc.type, desc.len); 6839 if (err < 0) 6840 goto err_parse_data; 6841 6842 if (desc.type == NFT_DATA_VERDICT && 6843 (elem.data.val.verdict.code == NFT_GOTO || 6844 elem.data.val.verdict.code == NFT_JUMP)) 6845 nft_validate_state_update(ctx->table, 6846 NFT_VALIDATE_NEED); 6847 } 6848 6849 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 6850 if (err < 0) 6851 goto err_parse_data; 6852 } 6853 6854 /* The full maximum length of userdata can exceed the maximum 6855 * offset value (U8_MAX) for following extensions, therefor it 6856 * must be the last extension added. 6857 */ 6858 ulen = 0; 6859 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 6860 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 6861 if (ulen > 0) { 6862 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 6863 ulen); 6864 if (err < 0) 6865 goto err_parse_data; 6866 } 6867 } 6868 6869 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 6870 elem.key_end.val.data, elem.data.val.data, 6871 timeout, expiration, GFP_KERNEL_ACCOUNT); 6872 if (IS_ERR(elem.priv)) { 6873 err = PTR_ERR(elem.priv); 6874 goto err_parse_data; 6875 } 6876 6877 ext = nft_set_elem_ext(set, elem.priv); 6878 if (flags) 6879 *nft_set_ext_flags(ext) = flags; 6880 6881 if (obj) 6882 *nft_set_ext_obj(ext) = obj; 6883 6884 if (ulen > 0) { 6885 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) { 6886 err = -EINVAL; 6887 goto err_elem_free; 6888 } 6889 udata = nft_set_ext_userdata(ext); 6890 udata->len = ulen - 1; 6891 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 6892 } 6893 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs); 6894 if (err < 0) 6895 goto err_elem_free; 6896 6897 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 6898 if (trans == NULL) { 6899 err = -ENOMEM; 6900 goto err_elem_free; 6901 } 6902 6903 ext->genmask = nft_genmask_cur(ctx->net); 6904 6905 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags); 6906 if (err) { 6907 if (err == -EEXIST) { 6908 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 6909 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 6910 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 6911 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) 6912 goto err_element_clash; 6913 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 6914 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 6915 memcmp(nft_set_ext_data(ext), 6916 nft_set_ext_data(ext2), set->dlen) != 0) || 6917 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 6918 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 6919 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 6920 goto err_element_clash; 6921 else if (!(nlmsg_flags & NLM_F_EXCL)) 6922 err = 0; 6923 } else if (err == -ENOTEMPTY) { 6924 /* ENOTEMPTY reports overlapping between this element 6925 * and an existing one. 6926 */ 6927 err = -EEXIST; 6928 } 6929 goto err_element_clash; 6930 } 6931 6932 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 6933 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX; 6934 6935 if (!atomic_add_unless(&set->nelems, 1, max)) { 6936 err = -ENFILE; 6937 goto err_set_full; 6938 } 6939 } 6940 6941 nft_trans_elem(trans) = elem; 6942 nft_trans_commit_list_add_tail(ctx->net, trans); 6943 return 0; 6944 6945 err_set_full: 6946 nft_setelem_remove(ctx->net, set, &elem); 6947 err_element_clash: 6948 kfree(trans); 6949 err_elem_free: 6950 nf_tables_set_elem_destroy(ctx, set, elem.priv); 6951 err_parse_data: 6952 if (nla[NFTA_SET_ELEM_DATA] != NULL) 6953 nft_data_release(&elem.data.val, desc.type); 6954 err_parse_key_end: 6955 if (obj) 6956 nft_use_dec_restore(&obj->use); 6957 6958 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 6959 err_parse_key: 6960 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 6961 err_set_elem_expr: 6962 for (i = 0; i < num_exprs && expr_array[i]; i++) 6963 nft_expr_destroy(ctx, expr_array[i]); 6964 err_set_elem_expr_clone: 6965 return err; 6966 } 6967 6968 static int nf_tables_newsetelem(struct sk_buff *skb, 6969 const struct nfnl_info *info, 6970 const struct nlattr * const nla[]) 6971 { 6972 struct netlink_ext_ack *extack = info->extack; 6973 u8 genmask = nft_genmask_next(info->net); 6974 u8 family = info->nfmsg->nfgen_family; 6975 struct net *net = info->net; 6976 const struct nlattr *attr; 6977 struct nft_table *table; 6978 struct nft_set *set; 6979 struct nft_ctx ctx; 6980 int rem, err; 6981 6982 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 6983 return -EINVAL; 6984 6985 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6986 genmask, NETLINK_CB(skb).portid); 6987 if (IS_ERR(table)) { 6988 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6989 return PTR_ERR(table); 6990 } 6991 6992 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET], 6993 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 6994 if (IS_ERR(set)) 6995 return PTR_ERR(set); 6996 6997 if (!list_empty(&set->bindings) && 6998 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) 6999 return -EBUSY; 7000 7001 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7002 7003 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 7004 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags); 7005 if (err < 0) { 7006 NL_SET_BAD_ATTR(extack, attr); 7007 return err; 7008 } 7009 } 7010 7011 if (table->validate_state == NFT_VALIDATE_DO) 7012 return nft_table_validate(net, table); 7013 7014 return 0; 7015 } 7016 7017 /** 7018 * nft_data_hold - hold a nft_data item 7019 * 7020 * @data: struct nft_data to release 7021 * @type: type of data 7022 * 7023 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 7024 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 7025 * NFT_GOTO verdicts. This function must be called on active data objects 7026 * from the second phase of the commit protocol. 7027 */ 7028 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 7029 { 7030 struct nft_chain *chain; 7031 7032 if (type == NFT_DATA_VERDICT) { 7033 switch (data->verdict.code) { 7034 case NFT_JUMP: 7035 case NFT_GOTO: 7036 chain = data->verdict.chain; 7037 nft_use_inc_restore(&chain->use); 7038 break; 7039 } 7040 } 7041 } 7042 7043 static void nft_setelem_data_activate(const struct net *net, 7044 const struct nft_set *set, 7045 struct nft_set_elem *elem) 7046 { 7047 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 7048 7049 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 7050 nft_data_hold(nft_set_ext_data(ext), set->dtype); 7051 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 7052 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use); 7053 } 7054 7055 void nft_setelem_data_deactivate(const struct net *net, 7056 const struct nft_set *set, 7057 struct nft_set_elem *elem) 7058 { 7059 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 7060 7061 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 7062 nft_data_release(nft_set_ext_data(ext), set->dtype); 7063 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 7064 nft_use_dec(&(*nft_set_ext_obj(ext))->use); 7065 } 7066 7067 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 7068 const struct nlattr *attr) 7069 { 7070 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 7071 struct nft_set_ext_tmpl tmpl; 7072 struct nft_set_elem elem; 7073 struct nft_set_ext *ext; 7074 struct nft_trans *trans; 7075 u32 flags = 0; 7076 int err; 7077 7078 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 7079 nft_set_elem_policy, NULL); 7080 if (err < 0) 7081 return err; 7082 7083 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 7084 if (err < 0) 7085 return err; 7086 7087 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 7088 return -EINVAL; 7089 7090 if (!nft_setelem_valid_key_end(set, nla, flags)) 7091 return -EINVAL; 7092 7093 nft_set_ext_prepare(&tmpl); 7094 7095 if (flags != 0) { 7096 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 7097 if (err < 0) 7098 return err; 7099 } 7100 7101 if (nla[NFTA_SET_ELEM_KEY]) { 7102 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 7103 nla[NFTA_SET_ELEM_KEY]); 7104 if (err < 0) 7105 return err; 7106 7107 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 7108 if (err < 0) 7109 goto fail_elem; 7110 } 7111 7112 if (nla[NFTA_SET_ELEM_KEY_END]) { 7113 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 7114 nla[NFTA_SET_ELEM_KEY_END]); 7115 if (err < 0) 7116 goto fail_elem; 7117 7118 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 7119 if (err < 0) 7120 goto fail_elem_key_end; 7121 } 7122 7123 err = -ENOMEM; 7124 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 7125 elem.key_end.val.data, NULL, 0, 0, 7126 GFP_KERNEL_ACCOUNT); 7127 if (IS_ERR(elem.priv)) { 7128 err = PTR_ERR(elem.priv); 7129 goto fail_elem_key_end; 7130 } 7131 7132 ext = nft_set_elem_ext(set, elem.priv); 7133 if (flags) 7134 *nft_set_ext_flags(ext) = flags; 7135 7136 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 7137 if (trans == NULL) 7138 goto fail_trans; 7139 7140 err = nft_setelem_deactivate(ctx->net, set, &elem, flags); 7141 if (err < 0) 7142 goto fail_ops; 7143 7144 nft_setelem_data_deactivate(ctx->net, set, &elem); 7145 7146 nft_trans_elem(trans) = elem; 7147 nft_trans_commit_list_add_tail(ctx->net, trans); 7148 return 0; 7149 7150 fail_ops: 7151 kfree(trans); 7152 fail_trans: 7153 kfree(elem.priv); 7154 fail_elem_key_end: 7155 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 7156 fail_elem: 7157 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 7158 return err; 7159 } 7160 7161 static int nft_setelem_flush(const struct nft_ctx *ctx, 7162 struct nft_set *set, 7163 const struct nft_set_iter *iter, 7164 struct nft_set_elem *elem) 7165 { 7166 struct nft_trans *trans; 7167 int err; 7168 7169 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 7170 sizeof(struct nft_trans_elem), GFP_ATOMIC); 7171 if (!trans) 7172 return -ENOMEM; 7173 7174 if (!set->ops->flush(ctx->net, set, elem->priv)) { 7175 err = -ENOENT; 7176 goto err1; 7177 } 7178 set->ndeact++; 7179 7180 nft_setelem_data_deactivate(ctx->net, set, elem); 7181 nft_trans_elem_set(trans) = set; 7182 nft_trans_elem(trans) = *elem; 7183 nft_trans_commit_list_add_tail(ctx->net, trans); 7184 7185 return 0; 7186 err1: 7187 kfree(trans); 7188 return err; 7189 } 7190 7191 static int __nft_set_catchall_flush(const struct nft_ctx *ctx, 7192 struct nft_set *set, 7193 struct nft_set_elem *elem) 7194 { 7195 struct nft_trans *trans; 7196 7197 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 7198 sizeof(struct nft_trans_elem), GFP_KERNEL); 7199 if (!trans) 7200 return -ENOMEM; 7201 7202 nft_setelem_data_deactivate(ctx->net, set, elem); 7203 nft_trans_elem_set(trans) = set; 7204 nft_trans_elem(trans) = *elem; 7205 nft_trans_commit_list_add_tail(ctx->net, trans); 7206 7207 return 0; 7208 } 7209 7210 static int nft_set_catchall_flush(const struct nft_ctx *ctx, 7211 struct nft_set *set) 7212 { 7213 u8 genmask = nft_genmask_next(ctx->net); 7214 struct nft_set_elem_catchall *catchall; 7215 struct nft_set_elem elem; 7216 struct nft_set_ext *ext; 7217 int ret = 0; 7218 7219 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 7220 ext = nft_set_elem_ext(set, catchall->elem); 7221 if (!nft_set_elem_active(ext, genmask)) 7222 continue; 7223 7224 elem.priv = catchall->elem; 7225 ret = __nft_set_catchall_flush(ctx, set, &elem); 7226 if (ret < 0) 7227 break; 7228 nft_set_elem_change_active(ctx->net, set, ext); 7229 } 7230 7231 return ret; 7232 } 7233 7234 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask) 7235 { 7236 struct nft_set_iter iter = { 7237 .genmask = genmask, 7238 .fn = nft_setelem_flush, 7239 }; 7240 7241 set->ops->walk(ctx, set, &iter); 7242 if (!iter.err) 7243 iter.err = nft_set_catchall_flush(ctx, set); 7244 7245 return iter.err; 7246 } 7247 7248 static int nf_tables_delsetelem(struct sk_buff *skb, 7249 const struct nfnl_info *info, 7250 const struct nlattr * const nla[]) 7251 { 7252 struct netlink_ext_ack *extack = info->extack; 7253 u8 genmask = nft_genmask_next(info->net); 7254 u8 family = info->nfmsg->nfgen_family; 7255 struct net *net = info->net; 7256 const struct nlattr *attr; 7257 struct nft_table *table; 7258 struct nft_set *set; 7259 struct nft_ctx ctx; 7260 int rem, err = 0; 7261 7262 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 7263 genmask, NETLINK_CB(skb).portid); 7264 if (IS_ERR(table)) { 7265 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 7266 return PTR_ERR(table); 7267 } 7268 7269 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 7270 if (IS_ERR(set)) 7271 return PTR_ERR(set); 7272 7273 if (nft_set_is_anonymous(set)) 7274 return -EOPNOTSUPP; 7275 7276 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT)) 7277 return -EBUSY; 7278 7279 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7280 7281 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 7282 return nft_set_flush(&ctx, set, genmask); 7283 7284 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 7285 err = nft_del_setelem(&ctx, set, attr); 7286 if (err == -ENOENT && 7287 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM) 7288 continue; 7289 7290 if (err < 0) { 7291 NL_SET_BAD_ATTR(extack, attr); 7292 return err; 7293 } 7294 } 7295 7296 return 0; 7297 } 7298 7299 /* 7300 * Stateful objects 7301 */ 7302 7303 /** 7304 * nft_register_obj- register nf_tables stateful object type 7305 * @obj_type: object type 7306 * 7307 * Registers the object type for use with nf_tables. Returns zero on 7308 * success or a negative errno code otherwise. 7309 */ 7310 int nft_register_obj(struct nft_object_type *obj_type) 7311 { 7312 if (obj_type->type == NFT_OBJECT_UNSPEC) 7313 return -EINVAL; 7314 7315 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7316 list_add_rcu(&obj_type->list, &nf_tables_objects); 7317 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7318 return 0; 7319 } 7320 EXPORT_SYMBOL_GPL(nft_register_obj); 7321 7322 /** 7323 * nft_unregister_obj - unregister nf_tables object type 7324 * @obj_type: object type 7325 * 7326 * Unregisters the object type for use with nf_tables. 7327 */ 7328 void nft_unregister_obj(struct nft_object_type *obj_type) 7329 { 7330 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7331 list_del_rcu(&obj_type->list); 7332 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7333 } 7334 EXPORT_SYMBOL_GPL(nft_unregister_obj); 7335 7336 struct nft_object *nft_obj_lookup(const struct net *net, 7337 const struct nft_table *table, 7338 const struct nlattr *nla, u32 objtype, 7339 u8 genmask) 7340 { 7341 struct nft_object_hash_key k = { .table = table }; 7342 char search[NFT_OBJ_MAXNAMELEN]; 7343 struct rhlist_head *tmp, *list; 7344 struct nft_object *obj; 7345 7346 nla_strscpy(search, nla, sizeof(search)); 7347 k.name = search; 7348 7349 WARN_ON_ONCE(!rcu_read_lock_held() && 7350 !lockdep_commit_lock_is_held(net)); 7351 7352 rcu_read_lock(); 7353 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 7354 if (!list) 7355 goto out; 7356 7357 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 7358 if (objtype == obj->ops->type->type && 7359 nft_active_genmask(obj, genmask)) { 7360 rcu_read_unlock(); 7361 return obj; 7362 } 7363 } 7364 out: 7365 rcu_read_unlock(); 7366 return ERR_PTR(-ENOENT); 7367 } 7368 EXPORT_SYMBOL_GPL(nft_obj_lookup); 7369 7370 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 7371 const struct nlattr *nla, 7372 u32 objtype, u8 genmask) 7373 { 7374 struct nft_object *obj; 7375 7376 list_for_each_entry(obj, &table->objects, list) { 7377 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 7378 objtype == obj->ops->type->type && 7379 nft_active_genmask(obj, genmask)) 7380 return obj; 7381 } 7382 return ERR_PTR(-ENOENT); 7383 } 7384 7385 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 7386 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 7387 .len = NFT_TABLE_MAXNAMELEN - 1 }, 7388 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 7389 .len = NFT_OBJ_MAXNAMELEN - 1 }, 7390 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 7391 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 7392 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 7393 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY, 7394 .len = NFT_USERDATA_MAXLEN }, 7395 }; 7396 7397 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 7398 const struct nft_object_type *type, 7399 const struct nlattr *attr) 7400 { 7401 struct nlattr **tb; 7402 const struct nft_object_ops *ops; 7403 struct nft_object *obj; 7404 int err = -ENOMEM; 7405 7406 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 7407 if (!tb) 7408 goto err1; 7409 7410 if (attr) { 7411 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 7412 type->policy, NULL); 7413 if (err < 0) 7414 goto err2; 7415 } else { 7416 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 7417 } 7418 7419 if (type->select_ops) { 7420 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 7421 if (IS_ERR(ops)) { 7422 err = PTR_ERR(ops); 7423 goto err2; 7424 } 7425 } else { 7426 ops = type->ops; 7427 } 7428 7429 err = -ENOMEM; 7430 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT); 7431 if (!obj) 7432 goto err2; 7433 7434 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 7435 if (err < 0) 7436 goto err3; 7437 7438 obj->ops = ops; 7439 7440 kfree(tb); 7441 return obj; 7442 err3: 7443 kfree(obj); 7444 err2: 7445 kfree(tb); 7446 err1: 7447 return ERR_PTR(err); 7448 } 7449 7450 static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 7451 struct nft_object *obj, bool reset) 7452 { 7453 struct nlattr *nest; 7454 7455 nest = nla_nest_start_noflag(skb, attr); 7456 if (!nest) 7457 goto nla_put_failure; 7458 if (obj->ops->dump(skb, obj, reset) < 0) 7459 goto nla_put_failure; 7460 nla_nest_end(skb, nest); 7461 return 0; 7462 7463 nla_put_failure: 7464 return -1; 7465 } 7466 7467 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family) 7468 { 7469 const struct nft_object_type *type; 7470 7471 list_for_each_entry_rcu(type, &nf_tables_objects, list) { 7472 if (type->family != NFPROTO_UNSPEC && 7473 type->family != family) 7474 continue; 7475 7476 if (objtype == type->type) 7477 return type; 7478 } 7479 return NULL; 7480 } 7481 7482 static const struct nft_object_type * 7483 nft_obj_type_get(struct net *net, u32 objtype, u8 family) 7484 { 7485 const struct nft_object_type *type; 7486 7487 rcu_read_lock(); 7488 type = __nft_obj_type_get(objtype, family); 7489 if (type != NULL && try_module_get(type->owner)) { 7490 rcu_read_unlock(); 7491 return type; 7492 } 7493 rcu_read_unlock(); 7494 7495 lockdep_nfnl_nft_mutex_not_held(); 7496 #ifdef CONFIG_MODULES 7497 if (type == NULL) { 7498 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 7499 return ERR_PTR(-EAGAIN); 7500 } 7501 #endif 7502 return ERR_PTR(-ENOENT); 7503 } 7504 7505 static int nf_tables_updobj(const struct nft_ctx *ctx, 7506 const struct nft_object_type *type, 7507 const struct nlattr *attr, 7508 struct nft_object *obj) 7509 { 7510 struct nft_object *newobj; 7511 struct nft_trans *trans; 7512 int err = -ENOMEM; 7513 7514 if (!try_module_get(type->owner)) 7515 return -ENOENT; 7516 7517 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 7518 sizeof(struct nft_trans_obj)); 7519 if (!trans) 7520 goto err_trans; 7521 7522 newobj = nft_obj_init(ctx, type, attr); 7523 if (IS_ERR(newobj)) { 7524 err = PTR_ERR(newobj); 7525 goto err_free_trans; 7526 } 7527 7528 nft_trans_obj(trans) = obj; 7529 nft_trans_obj_update(trans) = true; 7530 nft_trans_obj_newobj(trans) = newobj; 7531 nft_trans_commit_list_add_tail(ctx->net, trans); 7532 7533 return 0; 7534 7535 err_free_trans: 7536 kfree(trans); 7537 err_trans: 7538 module_put(type->owner); 7539 return err; 7540 } 7541 7542 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, 7543 const struct nlattr * const nla[]) 7544 { 7545 struct netlink_ext_ack *extack = info->extack; 7546 u8 genmask = nft_genmask_next(info->net); 7547 u8 family = info->nfmsg->nfgen_family; 7548 const struct nft_object_type *type; 7549 struct net *net = info->net; 7550 struct nft_table *table; 7551 struct nft_object *obj; 7552 struct nft_ctx ctx; 7553 u32 objtype; 7554 int err; 7555 7556 if (!nla[NFTA_OBJ_TYPE] || 7557 !nla[NFTA_OBJ_NAME] || 7558 !nla[NFTA_OBJ_DATA]) 7559 return -EINVAL; 7560 7561 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 7562 NETLINK_CB(skb).portid); 7563 if (IS_ERR(table)) { 7564 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 7565 return PTR_ERR(table); 7566 } 7567 7568 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 7569 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 7570 if (IS_ERR(obj)) { 7571 err = PTR_ERR(obj); 7572 if (err != -ENOENT) { 7573 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 7574 return err; 7575 } 7576 } else { 7577 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 7578 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 7579 return -EEXIST; 7580 } 7581 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 7582 return -EOPNOTSUPP; 7583 7584 type = __nft_obj_type_get(objtype, family); 7585 if (WARN_ON_ONCE(!type)) 7586 return -ENOENT; 7587 7588 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7589 7590 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 7591 } 7592 7593 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7594 7595 if (!nft_use_inc(&table->use)) 7596 return -EMFILE; 7597 7598 type = nft_obj_type_get(net, objtype, family); 7599 if (IS_ERR(type)) { 7600 err = PTR_ERR(type); 7601 goto err_type; 7602 } 7603 7604 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 7605 if (IS_ERR(obj)) { 7606 err = PTR_ERR(obj); 7607 goto err_init; 7608 } 7609 obj->key.table = table; 7610 obj->handle = nf_tables_alloc_handle(table); 7611 7612 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT); 7613 if (!obj->key.name) { 7614 err = -ENOMEM; 7615 goto err_strdup; 7616 } 7617 7618 if (nla[NFTA_OBJ_USERDATA]) { 7619 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT); 7620 if (obj->udata == NULL) 7621 goto err_userdata; 7622 7623 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]); 7624 } 7625 7626 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 7627 if (err < 0) 7628 goto err_trans; 7629 7630 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 7631 nft_objname_ht_params); 7632 if (err < 0) 7633 goto err_obj_ht; 7634 7635 list_add_tail_rcu(&obj->list, &table->objects); 7636 7637 return 0; 7638 err_obj_ht: 7639 /* queued in transaction log */ 7640 INIT_LIST_HEAD(&obj->list); 7641 return err; 7642 err_trans: 7643 kfree(obj->udata); 7644 err_userdata: 7645 kfree(obj->key.name); 7646 err_strdup: 7647 if (obj->ops->destroy) 7648 obj->ops->destroy(&ctx, obj); 7649 kfree(obj); 7650 err_init: 7651 module_put(type->owner); 7652 err_type: 7653 nft_use_dec_restore(&table->use); 7654 7655 return err; 7656 } 7657 7658 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 7659 u32 portid, u32 seq, int event, u32 flags, 7660 int family, const struct nft_table *table, 7661 struct nft_object *obj, bool reset) 7662 { 7663 struct nlmsghdr *nlh; 7664 7665 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 7666 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 7667 NFNETLINK_V0, nft_base_seq(net)); 7668 if (!nlh) 7669 goto nla_put_failure; 7670 7671 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 7672 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 7673 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 7674 NFTA_OBJ_PAD)) 7675 goto nla_put_failure; 7676 7677 if (event == NFT_MSG_DELOBJ) { 7678 nlmsg_end(skb, nlh); 7679 return 0; 7680 } 7681 7682 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 7683 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 7684 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset)) 7685 goto nla_put_failure; 7686 7687 if (obj->udata && 7688 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata)) 7689 goto nla_put_failure; 7690 7691 nlmsg_end(skb, nlh); 7692 return 0; 7693 7694 nla_put_failure: 7695 nlmsg_trim(skb, nlh); 7696 return -1; 7697 } 7698 7699 static void audit_log_obj_reset(const struct nft_table *table, 7700 unsigned int base_seq, unsigned int nentries) 7701 { 7702 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq); 7703 7704 audit_log_nfcfg(buf, table->family, nentries, 7705 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC); 7706 kfree(buf); 7707 } 7708 7709 struct nft_obj_filter { 7710 char *table; 7711 u32 type; 7712 }; 7713 7714 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 7715 { 7716 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 7717 const struct nft_table *table; 7718 unsigned int idx = 0, s_idx = cb->args[0]; 7719 struct nft_obj_filter *filter = cb->data; 7720 struct net *net = sock_net(skb->sk); 7721 int family = nfmsg->nfgen_family; 7722 struct nftables_pernet *nft_net; 7723 unsigned int entries = 0; 7724 struct nft_object *obj; 7725 bool reset = false; 7726 int rc = 0; 7727 7728 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 7729 reset = true; 7730 7731 rcu_read_lock(); 7732 nft_net = nft_pernet(net); 7733 cb->seq = READ_ONCE(nft_net->base_seq); 7734 7735 list_for_each_entry_rcu(table, &nft_net->tables, list) { 7736 if (family != NFPROTO_UNSPEC && family != table->family) 7737 continue; 7738 7739 entries = 0; 7740 list_for_each_entry_rcu(obj, &table->objects, list) { 7741 if (!nft_is_active(net, obj)) 7742 goto cont; 7743 if (idx < s_idx) 7744 goto cont; 7745 if (idx > s_idx) 7746 memset(&cb->args[1], 0, 7747 sizeof(cb->args) - sizeof(cb->args[0])); 7748 if (filter && filter->table && 7749 strcmp(filter->table, table->name)) 7750 goto cont; 7751 if (filter && 7752 filter->type != NFT_OBJECT_UNSPEC && 7753 obj->ops->type->type != filter->type) 7754 goto cont; 7755 7756 rc = nf_tables_fill_obj_info(skb, net, 7757 NETLINK_CB(cb->skb).portid, 7758 cb->nlh->nlmsg_seq, 7759 NFT_MSG_NEWOBJ, 7760 NLM_F_MULTI | NLM_F_APPEND, 7761 table->family, table, 7762 obj, reset); 7763 if (rc < 0) 7764 break; 7765 7766 entries++; 7767 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 7768 cont: 7769 idx++; 7770 } 7771 if (reset && entries) 7772 audit_log_obj_reset(table, nft_net->base_seq, entries); 7773 if (rc < 0) 7774 break; 7775 } 7776 rcu_read_unlock(); 7777 7778 cb->args[0] = idx; 7779 return skb->len; 7780 } 7781 7782 static int nf_tables_dump_obj_start(struct netlink_callback *cb) 7783 { 7784 const struct nlattr * const *nla = cb->data; 7785 struct nft_obj_filter *filter = NULL; 7786 7787 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) { 7788 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 7789 if (!filter) 7790 return -ENOMEM; 7791 7792 if (nla[NFTA_OBJ_TABLE]) { 7793 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 7794 if (!filter->table) { 7795 kfree(filter); 7796 return -ENOMEM; 7797 } 7798 } 7799 7800 if (nla[NFTA_OBJ_TYPE]) 7801 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 7802 } 7803 7804 cb->data = filter; 7805 return 0; 7806 } 7807 7808 static int nf_tables_dump_obj_done(struct netlink_callback *cb) 7809 { 7810 struct nft_obj_filter *filter = cb->data; 7811 7812 if (filter) { 7813 kfree(filter->table); 7814 kfree(filter); 7815 } 7816 7817 return 0; 7818 } 7819 7820 /* called with rcu_read_lock held */ 7821 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info, 7822 const struct nlattr * const nla[]) 7823 { 7824 struct netlink_ext_ack *extack = info->extack; 7825 u8 genmask = nft_genmask_cur(info->net); 7826 u8 family = info->nfmsg->nfgen_family; 7827 const struct nft_table *table; 7828 struct net *net = info->net; 7829 struct nft_object *obj; 7830 struct sk_buff *skb2; 7831 bool reset = false; 7832 u32 objtype; 7833 int err; 7834 7835 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 7836 struct netlink_dump_control c = { 7837 .start = nf_tables_dump_obj_start, 7838 .dump = nf_tables_dump_obj, 7839 .done = nf_tables_dump_obj_done, 7840 .module = THIS_MODULE, 7841 .data = (void *)nla, 7842 }; 7843 7844 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 7845 } 7846 7847 if (!nla[NFTA_OBJ_NAME] || 7848 !nla[NFTA_OBJ_TYPE]) 7849 return -EINVAL; 7850 7851 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0); 7852 if (IS_ERR(table)) { 7853 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 7854 return PTR_ERR(table); 7855 } 7856 7857 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 7858 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 7859 if (IS_ERR(obj)) { 7860 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 7861 return PTR_ERR(obj); 7862 } 7863 7864 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7865 if (!skb2) 7866 return -ENOMEM; 7867 7868 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 7869 reset = true; 7870 7871 if (reset) { 7872 const struct nftables_pernet *nft_net; 7873 char *buf; 7874 7875 nft_net = nft_pernet(net); 7876 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq); 7877 7878 audit_log_nfcfg(buf, 7879 family, 7880 1, 7881 AUDIT_NFT_OP_OBJ_RESET, 7882 GFP_ATOMIC); 7883 kfree(buf); 7884 } 7885 7886 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid, 7887 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 7888 family, table, obj, reset); 7889 if (err < 0) 7890 goto err_fill_obj_info; 7891 7892 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7893 7894 err_fill_obj_info: 7895 kfree_skb(skb2); 7896 return err; 7897 } 7898 7899 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 7900 { 7901 if (obj->ops->destroy) 7902 obj->ops->destroy(ctx, obj); 7903 7904 module_put(obj->ops->type->owner); 7905 kfree(obj->key.name); 7906 kfree(obj->udata); 7907 kfree(obj); 7908 } 7909 7910 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info, 7911 const struct nlattr * const nla[]) 7912 { 7913 struct netlink_ext_ack *extack = info->extack; 7914 u8 genmask = nft_genmask_next(info->net); 7915 u8 family = info->nfmsg->nfgen_family; 7916 struct net *net = info->net; 7917 const struct nlattr *attr; 7918 struct nft_table *table; 7919 struct nft_object *obj; 7920 struct nft_ctx ctx; 7921 u32 objtype; 7922 7923 if (!nla[NFTA_OBJ_TYPE] || 7924 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 7925 return -EINVAL; 7926 7927 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 7928 NETLINK_CB(skb).portid); 7929 if (IS_ERR(table)) { 7930 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 7931 return PTR_ERR(table); 7932 } 7933 7934 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 7935 if (nla[NFTA_OBJ_HANDLE]) { 7936 attr = nla[NFTA_OBJ_HANDLE]; 7937 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 7938 } else { 7939 attr = nla[NFTA_OBJ_NAME]; 7940 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 7941 } 7942 7943 if (IS_ERR(obj)) { 7944 if (PTR_ERR(obj) == -ENOENT && 7945 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ) 7946 return 0; 7947 7948 NL_SET_BAD_ATTR(extack, attr); 7949 return PTR_ERR(obj); 7950 } 7951 if (obj->use > 0) { 7952 NL_SET_BAD_ATTR(extack, attr); 7953 return -EBUSY; 7954 } 7955 7956 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7957 7958 return nft_delobj(&ctx, obj); 7959 } 7960 7961 static void 7962 __nft_obj_notify(struct net *net, const struct nft_table *table, 7963 struct nft_object *obj, u32 portid, u32 seq, int event, 7964 u16 flags, int family, int report, gfp_t gfp) 7965 { 7966 struct nftables_pernet *nft_net = nft_pernet(net); 7967 struct sk_buff *skb; 7968 int err; 7969 7970 if (!report && 7971 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 7972 return; 7973 7974 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 7975 if (skb == NULL) 7976 goto err; 7977 7978 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 7979 flags & (NLM_F_CREATE | NLM_F_EXCL), 7980 family, table, obj, false); 7981 if (err < 0) { 7982 kfree_skb(skb); 7983 goto err; 7984 } 7985 7986 nft_notify_enqueue(skb, report, &nft_net->notify_list); 7987 return; 7988 err: 7989 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 7990 } 7991 7992 void nft_obj_notify(struct net *net, const struct nft_table *table, 7993 struct nft_object *obj, u32 portid, u32 seq, int event, 7994 u16 flags, int family, int report, gfp_t gfp) 7995 { 7996 struct nftables_pernet *nft_net = nft_pernet(net); 7997 char *buf = kasprintf(gfp, "%s:%u", 7998 table->name, nft_net->base_seq); 7999 8000 audit_log_nfcfg(buf, 8001 family, 8002 obj->handle, 8003 event == NFT_MSG_NEWOBJ ? 8004 AUDIT_NFT_OP_OBJ_REGISTER : 8005 AUDIT_NFT_OP_OBJ_UNREGISTER, 8006 gfp); 8007 kfree(buf); 8008 8009 __nft_obj_notify(net, table, obj, portid, seq, event, 8010 flags, family, report, gfp); 8011 } 8012 EXPORT_SYMBOL_GPL(nft_obj_notify); 8013 8014 static void nf_tables_obj_notify(const struct nft_ctx *ctx, 8015 struct nft_object *obj, int event) 8016 { 8017 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, 8018 ctx->seq, event, ctx->flags, ctx->family, 8019 ctx->report, GFP_KERNEL); 8020 } 8021 8022 /* 8023 * Flow tables 8024 */ 8025 void nft_register_flowtable_type(struct nf_flowtable_type *type) 8026 { 8027 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8028 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 8029 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8030 } 8031 EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 8032 8033 void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 8034 { 8035 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8036 list_del_rcu(&type->list); 8037 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8038 } 8039 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 8040 8041 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 8042 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 8043 .len = NFT_NAME_MAXLEN - 1 }, 8044 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 8045 .len = NFT_NAME_MAXLEN - 1 }, 8046 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 8047 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 8048 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 8049 }; 8050 8051 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 8052 const struct nlattr *nla, u8 genmask) 8053 { 8054 struct nft_flowtable *flowtable; 8055 8056 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 8057 if (!nla_strcmp(nla, flowtable->name) && 8058 nft_active_genmask(flowtable, genmask)) 8059 return flowtable; 8060 } 8061 return ERR_PTR(-ENOENT); 8062 } 8063 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 8064 8065 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 8066 struct nft_flowtable *flowtable, 8067 enum nft_trans_phase phase) 8068 { 8069 switch (phase) { 8070 case NFT_TRANS_PREPARE_ERROR: 8071 case NFT_TRANS_PREPARE: 8072 case NFT_TRANS_ABORT: 8073 case NFT_TRANS_RELEASE: 8074 nft_use_dec(&flowtable->use); 8075 fallthrough; 8076 default: 8077 return; 8078 } 8079 } 8080 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 8081 8082 static struct nft_flowtable * 8083 nft_flowtable_lookup_byhandle(const struct nft_table *table, 8084 const struct nlattr *nla, u8 genmask) 8085 { 8086 struct nft_flowtable *flowtable; 8087 8088 list_for_each_entry(flowtable, &table->flowtables, list) { 8089 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 8090 nft_active_genmask(flowtable, genmask)) 8091 return flowtable; 8092 } 8093 return ERR_PTR(-ENOENT); 8094 } 8095 8096 struct nft_flowtable_hook { 8097 u32 num; 8098 int priority; 8099 struct list_head list; 8100 }; 8101 8102 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 8103 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 8104 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 8105 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 8106 }; 8107 8108 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 8109 const struct nlattr * const nla[], 8110 struct nft_flowtable_hook *flowtable_hook, 8111 struct nft_flowtable *flowtable, 8112 struct netlink_ext_ack *extack, bool add) 8113 { 8114 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 8115 struct nft_hook *hook; 8116 int hooknum, priority; 8117 int err; 8118 8119 INIT_LIST_HEAD(&flowtable_hook->list); 8120 8121 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, 8122 nla[NFTA_FLOWTABLE_HOOK], 8123 nft_flowtable_hook_policy, NULL); 8124 if (err < 0) 8125 return err; 8126 8127 if (add) { 8128 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 8129 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 8130 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 8131 return -ENOENT; 8132 } 8133 8134 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 8135 if (hooknum != NF_NETDEV_INGRESS) 8136 return -EOPNOTSUPP; 8137 8138 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 8139 8140 flowtable_hook->priority = priority; 8141 flowtable_hook->num = hooknum; 8142 } else { 8143 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 8144 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 8145 if (hooknum != flowtable->hooknum) 8146 return -EOPNOTSUPP; 8147 } 8148 8149 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 8150 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 8151 if (priority != flowtable->data.priority) 8152 return -EOPNOTSUPP; 8153 } 8154 8155 flowtable_hook->priority = flowtable->data.priority; 8156 flowtable_hook->num = flowtable->hooknum; 8157 } 8158 8159 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 8160 err = nf_tables_parse_netdev_hooks(ctx->net, 8161 tb[NFTA_FLOWTABLE_HOOK_DEVS], 8162 &flowtable_hook->list, 8163 extack); 8164 if (err < 0) 8165 return err; 8166 } 8167 8168 list_for_each_entry(hook, &flowtable_hook->list, list) { 8169 hook->ops.pf = NFPROTO_NETDEV; 8170 hook->ops.hooknum = flowtable_hook->num; 8171 hook->ops.priority = flowtable_hook->priority; 8172 hook->ops.priv = &flowtable->data; 8173 hook->ops.hook = flowtable->data.type->hook; 8174 } 8175 8176 return err; 8177 } 8178 8179 /* call under rcu_read_lock */ 8180 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 8181 { 8182 const struct nf_flowtable_type *type; 8183 8184 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) { 8185 if (family == type->family) 8186 return type; 8187 } 8188 return NULL; 8189 } 8190 8191 static const struct nf_flowtable_type * 8192 nft_flowtable_type_get(struct net *net, u8 family) 8193 { 8194 const struct nf_flowtable_type *type; 8195 8196 rcu_read_lock(); 8197 type = __nft_flowtable_type_get(family); 8198 if (type != NULL && try_module_get(type->owner)) { 8199 rcu_read_unlock(); 8200 return type; 8201 } 8202 rcu_read_unlock(); 8203 8204 lockdep_nfnl_nft_mutex_not_held(); 8205 #ifdef CONFIG_MODULES 8206 if (type == NULL) { 8207 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 8208 return ERR_PTR(-EAGAIN); 8209 } 8210 #endif 8211 return ERR_PTR(-ENOENT); 8212 } 8213 8214 /* Only called from error and netdev event paths. */ 8215 static void nft_unregister_flowtable_hook(struct net *net, 8216 struct nft_flowtable *flowtable, 8217 struct nft_hook *hook) 8218 { 8219 nf_unregister_net_hook(net, &hook->ops); 8220 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 8221 FLOW_BLOCK_UNBIND); 8222 } 8223 8224 static void __nft_unregister_flowtable_net_hooks(struct net *net, 8225 struct list_head *hook_list, 8226 bool release_netdev) 8227 { 8228 struct nft_hook *hook, *next; 8229 8230 list_for_each_entry_safe(hook, next, hook_list, list) { 8231 nf_unregister_net_hook(net, &hook->ops); 8232 if (release_netdev) { 8233 list_del(&hook->list); 8234 kfree_rcu(hook, rcu); 8235 } 8236 } 8237 } 8238 8239 static void nft_unregister_flowtable_net_hooks(struct net *net, 8240 struct list_head *hook_list) 8241 { 8242 __nft_unregister_flowtable_net_hooks(net, hook_list, false); 8243 } 8244 8245 static int nft_register_flowtable_net_hooks(struct net *net, 8246 struct nft_table *table, 8247 struct list_head *hook_list, 8248 struct nft_flowtable *flowtable) 8249 { 8250 struct nft_hook *hook, *hook2, *next; 8251 struct nft_flowtable *ft; 8252 int err, i = 0; 8253 8254 list_for_each_entry(hook, hook_list, list) { 8255 list_for_each_entry(ft, &table->flowtables, list) { 8256 if (!nft_is_active_next(net, ft)) 8257 continue; 8258 8259 list_for_each_entry(hook2, &ft->hook_list, list) { 8260 if (hook->ops.dev == hook2->ops.dev && 8261 hook->ops.pf == hook2->ops.pf) { 8262 err = -EEXIST; 8263 goto err_unregister_net_hooks; 8264 } 8265 } 8266 } 8267 8268 err = flowtable->data.type->setup(&flowtable->data, 8269 hook->ops.dev, 8270 FLOW_BLOCK_BIND); 8271 if (err < 0) 8272 goto err_unregister_net_hooks; 8273 8274 err = nf_register_net_hook(net, &hook->ops); 8275 if (err < 0) { 8276 flowtable->data.type->setup(&flowtable->data, 8277 hook->ops.dev, 8278 FLOW_BLOCK_UNBIND); 8279 goto err_unregister_net_hooks; 8280 } 8281 8282 i++; 8283 } 8284 8285 return 0; 8286 8287 err_unregister_net_hooks: 8288 list_for_each_entry_safe(hook, next, hook_list, list) { 8289 if (i-- <= 0) 8290 break; 8291 8292 nft_unregister_flowtable_hook(net, flowtable, hook); 8293 list_del_rcu(&hook->list); 8294 kfree_rcu(hook, rcu); 8295 } 8296 8297 return err; 8298 } 8299 8300 static void nft_hooks_destroy(struct list_head *hook_list) 8301 { 8302 struct nft_hook *hook, *next; 8303 8304 list_for_each_entry_safe(hook, next, hook_list, list) { 8305 list_del_rcu(&hook->list); 8306 kfree_rcu(hook, rcu); 8307 } 8308 } 8309 8310 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 8311 struct nft_flowtable *flowtable, 8312 struct netlink_ext_ack *extack) 8313 { 8314 const struct nlattr * const *nla = ctx->nla; 8315 struct nft_flowtable_hook flowtable_hook; 8316 struct nft_hook *hook, *next; 8317 struct nft_trans *trans; 8318 bool unregister = false; 8319 u32 flags; 8320 int err; 8321 8322 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable, 8323 extack, false); 8324 if (err < 0) 8325 return err; 8326 8327 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 8328 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 8329 list_del(&hook->list); 8330 kfree(hook); 8331 } 8332 } 8333 8334 if (nla[NFTA_FLOWTABLE_FLAGS]) { 8335 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 8336 if (flags & ~NFT_FLOWTABLE_MASK) { 8337 err = -EOPNOTSUPP; 8338 goto err_flowtable_update_hook; 8339 } 8340 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ 8341 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) { 8342 err = -EOPNOTSUPP; 8343 goto err_flowtable_update_hook; 8344 } 8345 } else { 8346 flags = flowtable->data.flags; 8347 } 8348 8349 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 8350 &flowtable_hook.list, flowtable); 8351 if (err < 0) 8352 goto err_flowtable_update_hook; 8353 8354 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 8355 sizeof(struct nft_trans_flowtable)); 8356 if (!trans) { 8357 unregister = true; 8358 err = -ENOMEM; 8359 goto err_flowtable_update_hook; 8360 } 8361 8362 nft_trans_flowtable_flags(trans) = flags; 8363 nft_trans_flowtable(trans) = flowtable; 8364 nft_trans_flowtable_update(trans) = true; 8365 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 8366 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 8367 8368 nft_trans_commit_list_add_tail(ctx->net, trans); 8369 8370 return 0; 8371 8372 err_flowtable_update_hook: 8373 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 8374 if (unregister) 8375 nft_unregister_flowtable_hook(ctx->net, flowtable, hook); 8376 list_del_rcu(&hook->list); 8377 kfree_rcu(hook, rcu); 8378 } 8379 8380 return err; 8381 8382 } 8383 8384 static int nf_tables_newflowtable(struct sk_buff *skb, 8385 const struct nfnl_info *info, 8386 const struct nlattr * const nla[]) 8387 { 8388 struct netlink_ext_ack *extack = info->extack; 8389 struct nft_flowtable_hook flowtable_hook; 8390 u8 genmask = nft_genmask_next(info->net); 8391 u8 family = info->nfmsg->nfgen_family; 8392 const struct nf_flowtable_type *type; 8393 struct nft_flowtable *flowtable; 8394 struct net *net = info->net; 8395 struct nft_table *table; 8396 struct nft_trans *trans; 8397 struct nft_ctx ctx; 8398 int err; 8399 8400 if (!nla[NFTA_FLOWTABLE_TABLE] || 8401 !nla[NFTA_FLOWTABLE_NAME] || 8402 !nla[NFTA_FLOWTABLE_HOOK]) 8403 return -EINVAL; 8404 8405 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 8406 genmask, NETLINK_CB(skb).portid); 8407 if (IS_ERR(table)) { 8408 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 8409 return PTR_ERR(table); 8410 } 8411 8412 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 8413 genmask); 8414 if (IS_ERR(flowtable)) { 8415 err = PTR_ERR(flowtable); 8416 if (err != -ENOENT) { 8417 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 8418 return err; 8419 } 8420 } else { 8421 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 8422 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 8423 return -EEXIST; 8424 } 8425 8426 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8427 8428 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack); 8429 } 8430 8431 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8432 8433 if (!nft_use_inc(&table->use)) 8434 return -EMFILE; 8435 8436 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT); 8437 if (!flowtable) { 8438 err = -ENOMEM; 8439 goto flowtable_alloc; 8440 } 8441 8442 flowtable->table = table; 8443 flowtable->handle = nf_tables_alloc_handle(table); 8444 INIT_LIST_HEAD(&flowtable->hook_list); 8445 8446 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT); 8447 if (!flowtable->name) { 8448 err = -ENOMEM; 8449 goto err1; 8450 } 8451 8452 type = nft_flowtable_type_get(net, family); 8453 if (IS_ERR(type)) { 8454 err = PTR_ERR(type); 8455 goto err2; 8456 } 8457 8458 if (nla[NFTA_FLOWTABLE_FLAGS]) { 8459 flowtable->data.flags = 8460 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 8461 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) { 8462 err = -EOPNOTSUPP; 8463 goto err3; 8464 } 8465 } 8466 8467 write_pnet(&flowtable->data.net, net); 8468 flowtable->data.type = type; 8469 err = type->init(&flowtable->data); 8470 if (err < 0) 8471 goto err3; 8472 8473 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable, 8474 extack, true); 8475 if (err < 0) 8476 goto err_flowtable_parse_hooks; 8477 8478 list_splice(&flowtable_hook.list, &flowtable->hook_list); 8479 flowtable->data.priority = flowtable_hook.priority; 8480 flowtable->hooknum = flowtable_hook.num; 8481 8482 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 8483 if (IS_ERR(trans)) { 8484 err = PTR_ERR(trans); 8485 goto err_flowtable_trans; 8486 } 8487 8488 /* This must be LAST to ensure no packets are walking over this flowtable. */ 8489 err = nft_register_flowtable_net_hooks(ctx.net, table, 8490 &flowtable->hook_list, 8491 flowtable); 8492 if (err < 0) 8493 goto err_flowtable_hooks; 8494 8495 list_add_tail_rcu(&flowtable->list, &table->flowtables); 8496 8497 return 0; 8498 8499 err_flowtable_hooks: 8500 nft_trans_destroy(trans); 8501 err_flowtable_trans: 8502 nft_hooks_destroy(&flowtable->hook_list); 8503 err_flowtable_parse_hooks: 8504 flowtable->data.type->free(&flowtable->data); 8505 err3: 8506 module_put(type->owner); 8507 err2: 8508 kfree(flowtable->name); 8509 err1: 8510 kfree(flowtable); 8511 flowtable_alloc: 8512 nft_use_dec_restore(&table->use); 8513 8514 return err; 8515 } 8516 8517 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook) 8518 { 8519 struct nft_hook *this, *next; 8520 8521 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { 8522 list_del(&this->list); 8523 kfree(this); 8524 } 8525 } 8526 8527 static int nft_delflowtable_hook(struct nft_ctx *ctx, 8528 struct nft_flowtable *flowtable, 8529 struct netlink_ext_ack *extack) 8530 { 8531 const struct nlattr * const *nla = ctx->nla; 8532 struct nft_flowtable_hook flowtable_hook; 8533 LIST_HEAD(flowtable_del_list); 8534 struct nft_hook *this, *hook; 8535 struct nft_trans *trans; 8536 int err; 8537 8538 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable, 8539 extack, false); 8540 if (err < 0) 8541 return err; 8542 8543 list_for_each_entry(this, &flowtable_hook.list, list) { 8544 hook = nft_hook_list_find(&flowtable->hook_list, this); 8545 if (!hook) { 8546 err = -ENOENT; 8547 goto err_flowtable_del_hook; 8548 } 8549 list_move(&hook->list, &flowtable_del_list); 8550 } 8551 8552 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 8553 sizeof(struct nft_trans_flowtable)); 8554 if (!trans) { 8555 err = -ENOMEM; 8556 goto err_flowtable_del_hook; 8557 } 8558 8559 nft_trans_flowtable(trans) = flowtable; 8560 nft_trans_flowtable_update(trans) = true; 8561 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 8562 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans)); 8563 nft_flowtable_hook_release(&flowtable_hook); 8564 8565 nft_trans_commit_list_add_tail(ctx->net, trans); 8566 8567 return 0; 8568 8569 err_flowtable_del_hook: 8570 list_splice(&flowtable_del_list, &flowtable->hook_list); 8571 nft_flowtable_hook_release(&flowtable_hook); 8572 8573 return err; 8574 } 8575 8576 static int nf_tables_delflowtable(struct sk_buff *skb, 8577 const struct nfnl_info *info, 8578 const struct nlattr * const nla[]) 8579 { 8580 struct netlink_ext_ack *extack = info->extack; 8581 u8 genmask = nft_genmask_next(info->net); 8582 u8 family = info->nfmsg->nfgen_family; 8583 struct nft_flowtable *flowtable; 8584 struct net *net = info->net; 8585 const struct nlattr *attr; 8586 struct nft_table *table; 8587 struct nft_ctx ctx; 8588 8589 if (!nla[NFTA_FLOWTABLE_TABLE] || 8590 (!nla[NFTA_FLOWTABLE_NAME] && 8591 !nla[NFTA_FLOWTABLE_HANDLE])) 8592 return -EINVAL; 8593 8594 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 8595 genmask, NETLINK_CB(skb).portid); 8596 if (IS_ERR(table)) { 8597 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 8598 return PTR_ERR(table); 8599 } 8600 8601 if (nla[NFTA_FLOWTABLE_HANDLE]) { 8602 attr = nla[NFTA_FLOWTABLE_HANDLE]; 8603 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 8604 } else { 8605 attr = nla[NFTA_FLOWTABLE_NAME]; 8606 flowtable = nft_flowtable_lookup(table, attr, genmask); 8607 } 8608 8609 if (IS_ERR(flowtable)) { 8610 if (PTR_ERR(flowtable) == -ENOENT && 8611 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE) 8612 return 0; 8613 8614 NL_SET_BAD_ATTR(extack, attr); 8615 return PTR_ERR(flowtable); 8616 } 8617 8618 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8619 8620 if (nla[NFTA_FLOWTABLE_HOOK]) 8621 return nft_delflowtable_hook(&ctx, flowtable, extack); 8622 8623 if (flowtable->use > 0) { 8624 NL_SET_BAD_ATTR(extack, attr); 8625 return -EBUSY; 8626 } 8627 8628 return nft_delflowtable(&ctx, flowtable); 8629 } 8630 8631 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 8632 u32 portid, u32 seq, int event, 8633 u32 flags, int family, 8634 struct nft_flowtable *flowtable, 8635 struct list_head *hook_list) 8636 { 8637 struct nlattr *nest, *nest_devs; 8638 struct nft_hook *hook; 8639 struct nlmsghdr *nlh; 8640 8641 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 8642 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 8643 NFNETLINK_V0, nft_base_seq(net)); 8644 if (!nlh) 8645 goto nla_put_failure; 8646 8647 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 8648 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 8649 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 8650 NFTA_FLOWTABLE_PAD)) 8651 goto nla_put_failure; 8652 8653 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) { 8654 nlmsg_end(skb, nlh); 8655 return 0; 8656 } 8657 8658 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 8659 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 8660 goto nla_put_failure; 8661 8662 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 8663 if (!nest) 8664 goto nla_put_failure; 8665 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 8666 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 8667 goto nla_put_failure; 8668 8669 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 8670 if (!nest_devs) 8671 goto nla_put_failure; 8672 8673 if (!hook_list) 8674 hook_list = &flowtable->hook_list; 8675 8676 list_for_each_entry_rcu(hook, hook_list, list) { 8677 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) 8678 goto nla_put_failure; 8679 } 8680 nla_nest_end(skb, nest_devs); 8681 nla_nest_end(skb, nest); 8682 8683 nlmsg_end(skb, nlh); 8684 return 0; 8685 8686 nla_put_failure: 8687 nlmsg_trim(skb, nlh); 8688 return -1; 8689 } 8690 8691 struct nft_flowtable_filter { 8692 char *table; 8693 }; 8694 8695 static int nf_tables_dump_flowtable(struct sk_buff *skb, 8696 struct netlink_callback *cb) 8697 { 8698 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 8699 struct nft_flowtable_filter *filter = cb->data; 8700 unsigned int idx = 0, s_idx = cb->args[0]; 8701 struct net *net = sock_net(skb->sk); 8702 int family = nfmsg->nfgen_family; 8703 struct nft_flowtable *flowtable; 8704 struct nftables_pernet *nft_net; 8705 const struct nft_table *table; 8706 8707 rcu_read_lock(); 8708 nft_net = nft_pernet(net); 8709 cb->seq = READ_ONCE(nft_net->base_seq); 8710 8711 list_for_each_entry_rcu(table, &nft_net->tables, list) { 8712 if (family != NFPROTO_UNSPEC && family != table->family) 8713 continue; 8714 8715 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 8716 if (!nft_is_active(net, flowtable)) 8717 goto cont; 8718 if (idx < s_idx) 8719 goto cont; 8720 if (idx > s_idx) 8721 memset(&cb->args[1], 0, 8722 sizeof(cb->args) - sizeof(cb->args[0])); 8723 if (filter && filter->table && 8724 strcmp(filter->table, table->name)) 8725 goto cont; 8726 8727 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 8728 cb->nlh->nlmsg_seq, 8729 NFT_MSG_NEWFLOWTABLE, 8730 NLM_F_MULTI | NLM_F_APPEND, 8731 table->family, 8732 flowtable, NULL) < 0) 8733 goto done; 8734 8735 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 8736 cont: 8737 idx++; 8738 } 8739 } 8740 done: 8741 rcu_read_unlock(); 8742 8743 cb->args[0] = idx; 8744 return skb->len; 8745 } 8746 8747 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 8748 { 8749 const struct nlattr * const *nla = cb->data; 8750 struct nft_flowtable_filter *filter = NULL; 8751 8752 if (nla[NFTA_FLOWTABLE_TABLE]) { 8753 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 8754 if (!filter) 8755 return -ENOMEM; 8756 8757 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 8758 GFP_ATOMIC); 8759 if (!filter->table) { 8760 kfree(filter); 8761 return -ENOMEM; 8762 } 8763 } 8764 8765 cb->data = filter; 8766 return 0; 8767 } 8768 8769 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 8770 { 8771 struct nft_flowtable_filter *filter = cb->data; 8772 8773 if (!filter) 8774 return 0; 8775 8776 kfree(filter->table); 8777 kfree(filter); 8778 8779 return 0; 8780 } 8781 8782 /* called with rcu_read_lock held */ 8783 static int nf_tables_getflowtable(struct sk_buff *skb, 8784 const struct nfnl_info *info, 8785 const struct nlattr * const nla[]) 8786 { 8787 u8 genmask = nft_genmask_cur(info->net); 8788 u8 family = info->nfmsg->nfgen_family; 8789 struct nft_flowtable *flowtable; 8790 const struct nft_table *table; 8791 struct net *net = info->net; 8792 struct sk_buff *skb2; 8793 int err; 8794 8795 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 8796 struct netlink_dump_control c = { 8797 .start = nf_tables_dump_flowtable_start, 8798 .dump = nf_tables_dump_flowtable, 8799 .done = nf_tables_dump_flowtable_done, 8800 .module = THIS_MODULE, 8801 .data = (void *)nla, 8802 }; 8803 8804 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 8805 } 8806 8807 if (!nla[NFTA_FLOWTABLE_NAME]) 8808 return -EINVAL; 8809 8810 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 8811 genmask, 0); 8812 if (IS_ERR(table)) 8813 return PTR_ERR(table); 8814 8815 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 8816 genmask); 8817 if (IS_ERR(flowtable)) 8818 return PTR_ERR(flowtable); 8819 8820 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 8821 if (!skb2) 8822 return -ENOMEM; 8823 8824 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 8825 info->nlh->nlmsg_seq, 8826 NFT_MSG_NEWFLOWTABLE, 0, family, 8827 flowtable, NULL); 8828 if (err < 0) 8829 goto err_fill_flowtable_info; 8830 8831 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 8832 8833 err_fill_flowtable_info: 8834 kfree_skb(skb2); 8835 return err; 8836 } 8837 8838 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 8839 struct nft_flowtable *flowtable, 8840 struct list_head *hook_list, int event) 8841 { 8842 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 8843 struct sk_buff *skb; 8844 u16 flags = 0; 8845 int err; 8846 8847 if (!ctx->report && 8848 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 8849 return; 8850 8851 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 8852 if (skb == NULL) 8853 goto err; 8854 8855 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 8856 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 8857 8858 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 8859 ctx->seq, event, flags, 8860 ctx->family, flowtable, hook_list); 8861 if (err < 0) { 8862 kfree_skb(skb); 8863 goto err; 8864 } 8865 8866 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 8867 return; 8868 err: 8869 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 8870 } 8871 8872 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 8873 { 8874 struct nft_hook *hook, *next; 8875 8876 flowtable->data.type->free(&flowtable->data); 8877 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 8878 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 8879 FLOW_BLOCK_UNBIND); 8880 list_del_rcu(&hook->list); 8881 kfree(hook); 8882 } 8883 kfree(flowtable->name); 8884 module_put(flowtable->data.type->owner); 8885 kfree(flowtable); 8886 } 8887 8888 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 8889 u32 portid, u32 seq) 8890 { 8891 struct nftables_pernet *nft_net = nft_pernet(net); 8892 struct nlmsghdr *nlh; 8893 char buf[TASK_COMM_LEN]; 8894 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 8895 8896 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, 8897 NFNETLINK_V0, nft_base_seq(net)); 8898 if (!nlh) 8899 goto nla_put_failure; 8900 8901 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || 8902 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 8903 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 8904 goto nla_put_failure; 8905 8906 nlmsg_end(skb, nlh); 8907 return 0; 8908 8909 nla_put_failure: 8910 nlmsg_trim(skb, nlh); 8911 return -EMSGSIZE; 8912 } 8913 8914 static void nft_flowtable_event(unsigned long event, struct net_device *dev, 8915 struct nft_flowtable *flowtable) 8916 { 8917 struct nft_hook *hook; 8918 8919 list_for_each_entry(hook, &flowtable->hook_list, list) { 8920 if (hook->ops.dev != dev) 8921 continue; 8922 8923 /* flow_offload_netdev_event() cleans up entries for us. */ 8924 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); 8925 list_del_rcu(&hook->list); 8926 kfree_rcu(hook, rcu); 8927 break; 8928 } 8929 } 8930 8931 static int nf_tables_flowtable_event(struct notifier_block *this, 8932 unsigned long event, void *ptr) 8933 { 8934 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 8935 struct nft_flowtable *flowtable; 8936 struct nftables_pernet *nft_net; 8937 struct nft_table *table; 8938 struct net *net; 8939 8940 if (event != NETDEV_UNREGISTER) 8941 return 0; 8942 8943 net = dev_net(dev); 8944 nft_net = nft_pernet(net); 8945 mutex_lock(&nft_net->commit_mutex); 8946 list_for_each_entry(table, &nft_net->tables, list) { 8947 list_for_each_entry(flowtable, &table->flowtables, list) { 8948 nft_flowtable_event(event, dev, flowtable); 8949 } 8950 } 8951 mutex_unlock(&nft_net->commit_mutex); 8952 8953 return NOTIFY_DONE; 8954 } 8955 8956 static struct notifier_block nf_tables_flowtable_notifier = { 8957 .notifier_call = nf_tables_flowtable_event, 8958 }; 8959 8960 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 8961 int event) 8962 { 8963 struct nlmsghdr *nlh = nlmsg_hdr(skb); 8964 struct sk_buff *skb2; 8965 int err; 8966 8967 if (!nlmsg_report(nlh) && 8968 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 8969 return; 8970 8971 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 8972 if (skb2 == NULL) 8973 goto err; 8974 8975 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 8976 nlh->nlmsg_seq); 8977 if (err < 0) { 8978 kfree_skb(skb2); 8979 goto err; 8980 } 8981 8982 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 8983 nlmsg_report(nlh), GFP_KERNEL); 8984 return; 8985 err: 8986 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 8987 -ENOBUFS); 8988 } 8989 8990 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info, 8991 const struct nlattr * const nla[]) 8992 { 8993 struct sk_buff *skb2; 8994 int err; 8995 8996 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 8997 if (skb2 == NULL) 8998 return -ENOMEM; 8999 9000 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid, 9001 info->nlh->nlmsg_seq); 9002 if (err < 0) 9003 goto err_fill_gen_info; 9004 9005 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 9006 9007 err_fill_gen_info: 9008 kfree_skb(skb2); 9009 return err; 9010 } 9011 9012 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 9013 [NFT_MSG_NEWTABLE] = { 9014 .call = nf_tables_newtable, 9015 .type = NFNL_CB_BATCH, 9016 .attr_count = NFTA_TABLE_MAX, 9017 .policy = nft_table_policy, 9018 }, 9019 [NFT_MSG_GETTABLE] = { 9020 .call = nf_tables_gettable, 9021 .type = NFNL_CB_RCU, 9022 .attr_count = NFTA_TABLE_MAX, 9023 .policy = nft_table_policy, 9024 }, 9025 [NFT_MSG_DELTABLE] = { 9026 .call = nf_tables_deltable, 9027 .type = NFNL_CB_BATCH, 9028 .attr_count = NFTA_TABLE_MAX, 9029 .policy = nft_table_policy, 9030 }, 9031 [NFT_MSG_DESTROYTABLE] = { 9032 .call = nf_tables_deltable, 9033 .type = NFNL_CB_BATCH, 9034 .attr_count = NFTA_TABLE_MAX, 9035 .policy = nft_table_policy, 9036 }, 9037 [NFT_MSG_NEWCHAIN] = { 9038 .call = nf_tables_newchain, 9039 .type = NFNL_CB_BATCH, 9040 .attr_count = NFTA_CHAIN_MAX, 9041 .policy = nft_chain_policy, 9042 }, 9043 [NFT_MSG_GETCHAIN] = { 9044 .call = nf_tables_getchain, 9045 .type = NFNL_CB_RCU, 9046 .attr_count = NFTA_CHAIN_MAX, 9047 .policy = nft_chain_policy, 9048 }, 9049 [NFT_MSG_DELCHAIN] = { 9050 .call = nf_tables_delchain, 9051 .type = NFNL_CB_BATCH, 9052 .attr_count = NFTA_CHAIN_MAX, 9053 .policy = nft_chain_policy, 9054 }, 9055 [NFT_MSG_DESTROYCHAIN] = { 9056 .call = nf_tables_delchain, 9057 .type = NFNL_CB_BATCH, 9058 .attr_count = NFTA_CHAIN_MAX, 9059 .policy = nft_chain_policy, 9060 }, 9061 [NFT_MSG_NEWRULE] = { 9062 .call = nf_tables_newrule, 9063 .type = NFNL_CB_BATCH, 9064 .attr_count = NFTA_RULE_MAX, 9065 .policy = nft_rule_policy, 9066 }, 9067 [NFT_MSG_GETRULE] = { 9068 .call = nf_tables_getrule, 9069 .type = NFNL_CB_RCU, 9070 .attr_count = NFTA_RULE_MAX, 9071 .policy = nft_rule_policy, 9072 }, 9073 [NFT_MSG_GETRULE_RESET] = { 9074 .call = nf_tables_getrule, 9075 .type = NFNL_CB_RCU, 9076 .attr_count = NFTA_RULE_MAX, 9077 .policy = nft_rule_policy, 9078 }, 9079 [NFT_MSG_DELRULE] = { 9080 .call = nf_tables_delrule, 9081 .type = NFNL_CB_BATCH, 9082 .attr_count = NFTA_RULE_MAX, 9083 .policy = nft_rule_policy, 9084 }, 9085 [NFT_MSG_DESTROYRULE] = { 9086 .call = nf_tables_delrule, 9087 .type = NFNL_CB_BATCH, 9088 .attr_count = NFTA_RULE_MAX, 9089 .policy = nft_rule_policy, 9090 }, 9091 [NFT_MSG_NEWSET] = { 9092 .call = nf_tables_newset, 9093 .type = NFNL_CB_BATCH, 9094 .attr_count = NFTA_SET_MAX, 9095 .policy = nft_set_policy, 9096 }, 9097 [NFT_MSG_GETSET] = { 9098 .call = nf_tables_getset, 9099 .type = NFNL_CB_RCU, 9100 .attr_count = NFTA_SET_MAX, 9101 .policy = nft_set_policy, 9102 }, 9103 [NFT_MSG_DELSET] = { 9104 .call = nf_tables_delset, 9105 .type = NFNL_CB_BATCH, 9106 .attr_count = NFTA_SET_MAX, 9107 .policy = nft_set_policy, 9108 }, 9109 [NFT_MSG_DESTROYSET] = { 9110 .call = nf_tables_delset, 9111 .type = NFNL_CB_BATCH, 9112 .attr_count = NFTA_SET_MAX, 9113 .policy = nft_set_policy, 9114 }, 9115 [NFT_MSG_NEWSETELEM] = { 9116 .call = nf_tables_newsetelem, 9117 .type = NFNL_CB_BATCH, 9118 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9119 .policy = nft_set_elem_list_policy, 9120 }, 9121 [NFT_MSG_GETSETELEM] = { 9122 .call = nf_tables_getsetelem, 9123 .type = NFNL_CB_RCU, 9124 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9125 .policy = nft_set_elem_list_policy, 9126 }, 9127 [NFT_MSG_GETSETELEM_RESET] = { 9128 .call = nf_tables_getsetelem, 9129 .type = NFNL_CB_RCU, 9130 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9131 .policy = nft_set_elem_list_policy, 9132 }, 9133 [NFT_MSG_DELSETELEM] = { 9134 .call = nf_tables_delsetelem, 9135 .type = NFNL_CB_BATCH, 9136 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9137 .policy = nft_set_elem_list_policy, 9138 }, 9139 [NFT_MSG_DESTROYSETELEM] = { 9140 .call = nf_tables_delsetelem, 9141 .type = NFNL_CB_BATCH, 9142 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9143 .policy = nft_set_elem_list_policy, 9144 }, 9145 [NFT_MSG_GETGEN] = { 9146 .call = nf_tables_getgen, 9147 .type = NFNL_CB_RCU, 9148 }, 9149 [NFT_MSG_NEWOBJ] = { 9150 .call = nf_tables_newobj, 9151 .type = NFNL_CB_BATCH, 9152 .attr_count = NFTA_OBJ_MAX, 9153 .policy = nft_obj_policy, 9154 }, 9155 [NFT_MSG_GETOBJ] = { 9156 .call = nf_tables_getobj, 9157 .type = NFNL_CB_RCU, 9158 .attr_count = NFTA_OBJ_MAX, 9159 .policy = nft_obj_policy, 9160 }, 9161 [NFT_MSG_DELOBJ] = { 9162 .call = nf_tables_delobj, 9163 .type = NFNL_CB_BATCH, 9164 .attr_count = NFTA_OBJ_MAX, 9165 .policy = nft_obj_policy, 9166 }, 9167 [NFT_MSG_DESTROYOBJ] = { 9168 .call = nf_tables_delobj, 9169 .type = NFNL_CB_BATCH, 9170 .attr_count = NFTA_OBJ_MAX, 9171 .policy = nft_obj_policy, 9172 }, 9173 [NFT_MSG_GETOBJ_RESET] = { 9174 .call = nf_tables_getobj, 9175 .type = NFNL_CB_RCU, 9176 .attr_count = NFTA_OBJ_MAX, 9177 .policy = nft_obj_policy, 9178 }, 9179 [NFT_MSG_NEWFLOWTABLE] = { 9180 .call = nf_tables_newflowtable, 9181 .type = NFNL_CB_BATCH, 9182 .attr_count = NFTA_FLOWTABLE_MAX, 9183 .policy = nft_flowtable_policy, 9184 }, 9185 [NFT_MSG_GETFLOWTABLE] = { 9186 .call = nf_tables_getflowtable, 9187 .type = NFNL_CB_RCU, 9188 .attr_count = NFTA_FLOWTABLE_MAX, 9189 .policy = nft_flowtable_policy, 9190 }, 9191 [NFT_MSG_DELFLOWTABLE] = { 9192 .call = nf_tables_delflowtable, 9193 .type = NFNL_CB_BATCH, 9194 .attr_count = NFTA_FLOWTABLE_MAX, 9195 .policy = nft_flowtable_policy, 9196 }, 9197 [NFT_MSG_DESTROYFLOWTABLE] = { 9198 .call = nf_tables_delflowtable, 9199 .type = NFNL_CB_BATCH, 9200 .attr_count = NFTA_FLOWTABLE_MAX, 9201 .policy = nft_flowtable_policy, 9202 }, 9203 }; 9204 9205 static int nf_tables_validate(struct net *net) 9206 { 9207 struct nftables_pernet *nft_net = nft_pernet(net); 9208 struct nft_table *table; 9209 9210 list_for_each_entry(table, &nft_net->tables, list) { 9211 switch (table->validate_state) { 9212 case NFT_VALIDATE_SKIP: 9213 continue; 9214 case NFT_VALIDATE_NEED: 9215 nft_validate_state_update(table, NFT_VALIDATE_DO); 9216 fallthrough; 9217 case NFT_VALIDATE_DO: 9218 if (nft_table_validate(net, table) < 0) 9219 return -EAGAIN; 9220 9221 nft_validate_state_update(table, NFT_VALIDATE_SKIP); 9222 break; 9223 } 9224 } 9225 9226 return 0; 9227 } 9228 9229 /* a drop policy has to be deferred until all rules have been activated, 9230 * otherwise a large ruleset that contains a drop-policy base chain will 9231 * cause all packets to get dropped until the full transaction has been 9232 * processed. 9233 * 9234 * We defer the drop policy until the transaction has been finalized. 9235 */ 9236 static void nft_chain_commit_drop_policy(struct nft_trans *trans) 9237 { 9238 struct nft_base_chain *basechain; 9239 9240 if (nft_trans_chain_policy(trans) != NF_DROP) 9241 return; 9242 9243 if (!nft_is_base_chain(trans->ctx.chain)) 9244 return; 9245 9246 basechain = nft_base_chain(trans->ctx.chain); 9247 basechain->policy = NF_DROP; 9248 } 9249 9250 static void nft_chain_commit_update(struct nft_trans *trans) 9251 { 9252 struct nft_base_chain *basechain; 9253 9254 if (nft_trans_chain_name(trans)) { 9255 rhltable_remove(&trans->ctx.table->chains_ht, 9256 &trans->ctx.chain->rhlhead, 9257 nft_chain_ht_params); 9258 swap(trans->ctx.chain->name, nft_trans_chain_name(trans)); 9259 rhltable_insert_key(&trans->ctx.table->chains_ht, 9260 trans->ctx.chain->name, 9261 &trans->ctx.chain->rhlhead, 9262 nft_chain_ht_params); 9263 } 9264 9265 if (!nft_is_base_chain(trans->ctx.chain)) 9266 return; 9267 9268 nft_chain_stats_replace(trans); 9269 9270 basechain = nft_base_chain(trans->ctx.chain); 9271 9272 switch (nft_trans_chain_policy(trans)) { 9273 case NF_DROP: 9274 case NF_ACCEPT: 9275 basechain->policy = nft_trans_chain_policy(trans); 9276 break; 9277 } 9278 } 9279 9280 static void nft_obj_commit_update(struct nft_trans *trans) 9281 { 9282 struct nft_object *newobj; 9283 struct nft_object *obj; 9284 9285 obj = nft_trans_obj(trans); 9286 newobj = nft_trans_obj_newobj(trans); 9287 9288 if (obj->ops->update) 9289 obj->ops->update(obj, newobj); 9290 9291 nft_obj_destroy(&trans->ctx, newobj); 9292 } 9293 9294 static void nft_commit_release(struct nft_trans *trans) 9295 { 9296 switch (trans->msg_type) { 9297 case NFT_MSG_DELTABLE: 9298 case NFT_MSG_DESTROYTABLE: 9299 nf_tables_table_destroy(&trans->ctx); 9300 break; 9301 case NFT_MSG_NEWCHAIN: 9302 free_percpu(nft_trans_chain_stats(trans)); 9303 kfree(nft_trans_chain_name(trans)); 9304 break; 9305 case NFT_MSG_DELCHAIN: 9306 case NFT_MSG_DESTROYCHAIN: 9307 if (nft_trans_chain_update(trans)) 9308 nft_hooks_destroy(&nft_trans_chain_hooks(trans)); 9309 else 9310 nf_tables_chain_destroy(&trans->ctx); 9311 break; 9312 case NFT_MSG_DELRULE: 9313 case NFT_MSG_DESTROYRULE: 9314 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 9315 break; 9316 case NFT_MSG_DELSET: 9317 case NFT_MSG_DESTROYSET: 9318 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 9319 break; 9320 case NFT_MSG_DELSETELEM: 9321 case NFT_MSG_DESTROYSETELEM: 9322 nf_tables_set_elem_destroy(&trans->ctx, 9323 nft_trans_elem_set(trans), 9324 nft_trans_elem(trans).priv); 9325 break; 9326 case NFT_MSG_DELOBJ: 9327 case NFT_MSG_DESTROYOBJ: 9328 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 9329 break; 9330 case NFT_MSG_DELFLOWTABLE: 9331 case NFT_MSG_DESTROYFLOWTABLE: 9332 if (nft_trans_flowtable_update(trans)) 9333 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 9334 else 9335 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 9336 break; 9337 } 9338 9339 if (trans->put_net) 9340 put_net(trans->ctx.net); 9341 9342 kfree(trans); 9343 } 9344 9345 static void nf_tables_trans_destroy_work(struct work_struct *w) 9346 { 9347 struct nft_trans *trans, *next; 9348 LIST_HEAD(head); 9349 9350 spin_lock(&nf_tables_destroy_list_lock); 9351 list_splice_init(&nf_tables_destroy_list, &head); 9352 spin_unlock(&nf_tables_destroy_list_lock); 9353 9354 if (list_empty(&head)) 9355 return; 9356 9357 synchronize_rcu(); 9358 9359 list_for_each_entry_safe(trans, next, &head, list) { 9360 nft_trans_list_del(trans); 9361 nft_commit_release(trans); 9362 } 9363 } 9364 9365 void nf_tables_trans_destroy_flush_work(void) 9366 { 9367 flush_work(&trans_destroy_work); 9368 } 9369 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work); 9370 9371 static bool nft_expr_reduce(struct nft_regs_track *track, 9372 const struct nft_expr *expr) 9373 { 9374 return false; 9375 } 9376 9377 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 9378 { 9379 const struct nft_expr *expr, *last; 9380 struct nft_regs_track track = {}; 9381 unsigned int size, data_size; 9382 void *data, *data_boundary; 9383 struct nft_rule_dp *prule; 9384 struct nft_rule *rule; 9385 9386 /* already handled or inactive chain? */ 9387 if (chain->blob_next || !nft_is_active_next(net, chain)) 9388 return 0; 9389 9390 data_size = 0; 9391 list_for_each_entry(rule, &chain->rules, list) { 9392 if (nft_is_active_next(net, rule)) { 9393 data_size += sizeof(*prule) + rule->dlen; 9394 if (data_size > INT_MAX) 9395 return -ENOMEM; 9396 } 9397 } 9398 9399 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size); 9400 if (!chain->blob_next) 9401 return -ENOMEM; 9402 9403 data = (void *)chain->blob_next->data; 9404 data_boundary = data + data_size; 9405 size = 0; 9406 9407 list_for_each_entry(rule, &chain->rules, list) { 9408 if (!nft_is_active_next(net, rule)) 9409 continue; 9410 9411 prule = (struct nft_rule_dp *)data; 9412 data += offsetof(struct nft_rule_dp, data); 9413 if (WARN_ON_ONCE(data > data_boundary)) 9414 return -ENOMEM; 9415 9416 size = 0; 9417 track.last = nft_expr_last(rule); 9418 nft_rule_for_each_expr(expr, last, rule) { 9419 track.cur = expr; 9420 9421 if (nft_expr_reduce(&track, expr)) { 9422 expr = track.cur; 9423 continue; 9424 } 9425 9426 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary)) 9427 return -ENOMEM; 9428 9429 memcpy(data + size, expr, expr->ops->size); 9430 size += expr->ops->size; 9431 } 9432 if (WARN_ON_ONCE(size >= 1 << 12)) 9433 return -ENOMEM; 9434 9435 prule->handle = rule->handle; 9436 prule->dlen = size; 9437 prule->is_last = 0; 9438 9439 data += size; 9440 size = 0; 9441 chain->blob_next->size += (unsigned long)(data - (void *)prule); 9442 } 9443 9444 if (WARN_ON_ONCE(data > data_boundary)) 9445 return -ENOMEM; 9446 9447 prule = (struct nft_rule_dp *)data; 9448 nft_last_rule(chain, prule); 9449 9450 return 0; 9451 } 9452 9453 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 9454 { 9455 struct nftables_pernet *nft_net = nft_pernet(net); 9456 struct nft_trans *trans, *next; 9457 9458 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 9459 struct nft_chain *chain = trans->ctx.chain; 9460 9461 if (trans->msg_type == NFT_MSG_NEWRULE || 9462 trans->msg_type == NFT_MSG_DELRULE) { 9463 kvfree(chain->blob_next); 9464 chain->blob_next = NULL; 9465 } 9466 } 9467 } 9468 9469 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h) 9470 { 9471 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h); 9472 9473 kvfree(l->blob); 9474 } 9475 9476 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob) 9477 { 9478 struct nft_rule_dp_last *last; 9479 9480 /* last rule trailer is after end marker */ 9481 last = (void *)blob + sizeof(*blob) + blob->size; 9482 last->blob = blob; 9483 9484 call_rcu(&last->h, __nf_tables_commit_chain_free_rules); 9485 } 9486 9487 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 9488 { 9489 struct nft_rule_blob *g0, *g1; 9490 bool next_genbit; 9491 9492 next_genbit = nft_gencursor_next(net); 9493 9494 g0 = rcu_dereference_protected(chain->blob_gen_0, 9495 lockdep_commit_lock_is_held(net)); 9496 g1 = rcu_dereference_protected(chain->blob_gen_1, 9497 lockdep_commit_lock_is_held(net)); 9498 9499 /* No changes to this chain? */ 9500 if (chain->blob_next == NULL) { 9501 /* chain had no change in last or next generation */ 9502 if (g0 == g1) 9503 return; 9504 /* 9505 * chain had no change in this generation; make sure next 9506 * one uses same rules as current generation. 9507 */ 9508 if (next_genbit) { 9509 rcu_assign_pointer(chain->blob_gen_1, g0); 9510 nf_tables_commit_chain_free_rules_old(g1); 9511 } else { 9512 rcu_assign_pointer(chain->blob_gen_0, g1); 9513 nf_tables_commit_chain_free_rules_old(g0); 9514 } 9515 9516 return; 9517 } 9518 9519 if (next_genbit) 9520 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next); 9521 else 9522 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next); 9523 9524 chain->blob_next = NULL; 9525 9526 if (g0 == g1) 9527 return; 9528 9529 if (next_genbit) 9530 nf_tables_commit_chain_free_rules_old(g1); 9531 else 9532 nf_tables_commit_chain_free_rules_old(g0); 9533 } 9534 9535 static void nft_obj_del(struct nft_object *obj) 9536 { 9537 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 9538 list_del_rcu(&obj->list); 9539 } 9540 9541 void nft_chain_del(struct nft_chain *chain) 9542 { 9543 struct nft_table *table = chain->table; 9544 9545 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 9546 nft_chain_ht_params)); 9547 list_del_rcu(&chain->list); 9548 } 9549 9550 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx, 9551 struct nft_trans_gc *trans) 9552 { 9553 void **priv = trans->priv; 9554 unsigned int i; 9555 9556 for (i = 0; i < trans->count; i++) { 9557 struct nft_set_elem elem = { 9558 .priv = priv[i], 9559 }; 9560 9561 nft_setelem_data_deactivate(ctx->net, trans->set, &elem); 9562 nft_setelem_remove(ctx->net, trans->set, &elem); 9563 } 9564 } 9565 9566 void nft_trans_gc_destroy(struct nft_trans_gc *trans) 9567 { 9568 nft_set_put(trans->set); 9569 put_net(trans->net); 9570 kfree(trans); 9571 } 9572 9573 static void nft_trans_gc_trans_free(struct rcu_head *rcu) 9574 { 9575 struct nft_set_elem elem = {}; 9576 struct nft_trans_gc *trans; 9577 struct nft_ctx ctx = {}; 9578 unsigned int i; 9579 9580 trans = container_of(rcu, struct nft_trans_gc, rcu); 9581 ctx.net = read_pnet(&trans->set->net); 9582 9583 for (i = 0; i < trans->count; i++) { 9584 elem.priv = trans->priv[i]; 9585 if (!nft_setelem_is_catchall(trans->set, &elem)) 9586 atomic_dec(&trans->set->nelems); 9587 9588 nf_tables_set_elem_destroy(&ctx, trans->set, elem.priv); 9589 } 9590 9591 nft_trans_gc_destroy(trans); 9592 } 9593 9594 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans) 9595 { 9596 struct nftables_pernet *nft_net; 9597 struct nft_ctx ctx = {}; 9598 9599 nft_net = nft_pernet(trans->net); 9600 9601 mutex_lock(&nft_net->commit_mutex); 9602 9603 /* Check for race with transaction, otherwise this batch refers to 9604 * stale objects that might not be there anymore. Skip transaction if 9605 * set has been destroyed from control plane transaction in case gc 9606 * worker loses race. 9607 */ 9608 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) { 9609 mutex_unlock(&nft_net->commit_mutex); 9610 return false; 9611 } 9612 9613 ctx.net = trans->net; 9614 ctx.table = trans->set->table; 9615 9616 nft_trans_gc_setelem_remove(&ctx, trans); 9617 mutex_unlock(&nft_net->commit_mutex); 9618 9619 return true; 9620 } 9621 9622 static void nft_trans_gc_work(struct work_struct *work) 9623 { 9624 struct nft_trans_gc *trans, *next; 9625 LIST_HEAD(trans_gc_list); 9626 9627 spin_lock(&nf_tables_gc_list_lock); 9628 list_splice_init(&nf_tables_gc_list, &trans_gc_list); 9629 spin_unlock(&nf_tables_gc_list_lock); 9630 9631 list_for_each_entry_safe(trans, next, &trans_gc_list, list) { 9632 list_del(&trans->list); 9633 if (!nft_trans_gc_work_done(trans)) { 9634 nft_trans_gc_destroy(trans); 9635 continue; 9636 } 9637 call_rcu(&trans->rcu, nft_trans_gc_trans_free); 9638 } 9639 } 9640 9641 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set, 9642 unsigned int gc_seq, gfp_t gfp) 9643 { 9644 struct net *net = read_pnet(&set->net); 9645 struct nft_trans_gc *trans; 9646 9647 trans = kzalloc(sizeof(*trans), gfp); 9648 if (!trans) 9649 return NULL; 9650 9651 trans->net = maybe_get_net(net); 9652 if (!trans->net) { 9653 kfree(trans); 9654 return NULL; 9655 } 9656 9657 refcount_inc(&set->refs); 9658 trans->set = set; 9659 trans->seq = gc_seq; 9660 9661 return trans; 9662 } 9663 9664 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv) 9665 { 9666 trans->priv[trans->count++] = priv; 9667 } 9668 9669 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans) 9670 { 9671 spin_lock(&nf_tables_gc_list_lock); 9672 list_add_tail(&trans->list, &nf_tables_gc_list); 9673 spin_unlock(&nf_tables_gc_list_lock); 9674 9675 schedule_work(&trans_gc_work); 9676 } 9677 9678 static int nft_trans_gc_space(struct nft_trans_gc *trans) 9679 { 9680 return NFT_TRANS_GC_BATCHCOUNT - trans->count; 9681 } 9682 9683 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc, 9684 unsigned int gc_seq, gfp_t gfp) 9685 { 9686 struct nft_set *set; 9687 9688 if (nft_trans_gc_space(gc)) 9689 return gc; 9690 9691 set = gc->set; 9692 nft_trans_gc_queue_work(gc); 9693 9694 return nft_trans_gc_alloc(set, gc_seq, gfp); 9695 } 9696 9697 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans) 9698 { 9699 if (trans->count == 0) { 9700 nft_trans_gc_destroy(trans); 9701 return; 9702 } 9703 9704 nft_trans_gc_queue_work(trans); 9705 } 9706 9707 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp) 9708 { 9709 struct nft_set *set; 9710 9711 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net))) 9712 return NULL; 9713 9714 if (nft_trans_gc_space(gc)) 9715 return gc; 9716 9717 set = gc->set; 9718 call_rcu(&gc->rcu, nft_trans_gc_trans_free); 9719 9720 return nft_trans_gc_alloc(set, 0, gfp); 9721 } 9722 9723 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans) 9724 { 9725 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net)); 9726 9727 if (trans->count == 0) { 9728 nft_trans_gc_destroy(trans); 9729 return; 9730 } 9731 9732 call_rcu(&trans->rcu, nft_trans_gc_trans_free); 9733 } 9734 9735 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc, 9736 unsigned int gc_seq) 9737 { 9738 struct nft_set_elem_catchall *catchall; 9739 const struct nft_set *set = gc->set; 9740 struct nft_set_ext *ext; 9741 9742 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 9743 ext = nft_set_elem_ext(set, catchall->elem); 9744 9745 if (!nft_set_elem_expired(ext)) 9746 continue; 9747 if (nft_set_elem_is_dead(ext)) 9748 goto dead_elem; 9749 9750 nft_set_elem_dead(ext); 9751 dead_elem: 9752 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC); 9753 if (!gc) 9754 return NULL; 9755 9756 nft_trans_gc_elem_add(gc, catchall->elem); 9757 } 9758 9759 return gc; 9760 } 9761 9762 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc) 9763 { 9764 struct nft_set_elem_catchall *catchall, *next; 9765 const struct nft_set *set = gc->set; 9766 struct nft_set_elem elem; 9767 struct nft_set_ext *ext; 9768 9769 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)); 9770 9771 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 9772 ext = nft_set_elem_ext(set, catchall->elem); 9773 9774 if (!nft_set_elem_expired(ext)) 9775 continue; 9776 9777 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL); 9778 if (!gc) 9779 return NULL; 9780 9781 memset(&elem, 0, sizeof(elem)); 9782 elem.priv = catchall->elem; 9783 9784 nft_setelem_data_deactivate(gc->net, gc->set, &elem); 9785 nft_setelem_catchall_destroy(catchall); 9786 nft_trans_gc_elem_add(gc, elem.priv); 9787 } 9788 9789 return gc; 9790 } 9791 9792 static void nf_tables_module_autoload_cleanup(struct net *net) 9793 { 9794 struct nftables_pernet *nft_net = nft_pernet(net); 9795 struct nft_module_request *req, *next; 9796 9797 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 9798 list_for_each_entry_safe(req, next, &nft_net->module_list, list) { 9799 WARN_ON_ONCE(!req->done); 9800 list_del(&req->list); 9801 kfree(req); 9802 } 9803 } 9804 9805 static void nf_tables_commit_release(struct net *net) 9806 { 9807 struct nftables_pernet *nft_net = nft_pernet(net); 9808 struct nft_trans *trans; 9809 9810 /* all side effects have to be made visible. 9811 * For example, if a chain named 'foo' has been deleted, a 9812 * new transaction must not find it anymore. 9813 * 9814 * Memory reclaim happens asynchronously from work queue 9815 * to prevent expensive synchronize_rcu() in commit phase. 9816 */ 9817 if (list_empty(&nft_net->commit_list)) { 9818 nf_tables_module_autoload_cleanup(net); 9819 mutex_unlock(&nft_net->commit_mutex); 9820 return; 9821 } 9822 9823 trans = list_last_entry(&nft_net->commit_list, 9824 struct nft_trans, list); 9825 get_net(trans->ctx.net); 9826 WARN_ON_ONCE(trans->put_net); 9827 9828 trans->put_net = true; 9829 spin_lock(&nf_tables_destroy_list_lock); 9830 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list); 9831 spin_unlock(&nf_tables_destroy_list_lock); 9832 9833 nf_tables_module_autoload_cleanup(net); 9834 schedule_work(&trans_destroy_work); 9835 9836 mutex_unlock(&nft_net->commit_mutex); 9837 } 9838 9839 static void nft_commit_notify(struct net *net, u32 portid) 9840 { 9841 struct nftables_pernet *nft_net = nft_pernet(net); 9842 struct sk_buff *batch_skb = NULL, *nskb, *skb; 9843 unsigned char *data; 9844 int len; 9845 9846 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) { 9847 if (!batch_skb) { 9848 new_batch: 9849 batch_skb = skb; 9850 len = NLMSG_GOODSIZE - skb->len; 9851 list_del(&skb->list); 9852 continue; 9853 } 9854 len -= skb->len; 9855 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) { 9856 data = skb_put(batch_skb, skb->len); 9857 memcpy(data, skb->data, skb->len); 9858 list_del(&skb->list); 9859 kfree_skb(skb); 9860 continue; 9861 } 9862 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 9863 NFT_CB(batch_skb).report, GFP_KERNEL); 9864 goto new_batch; 9865 } 9866 9867 if (batch_skb) { 9868 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 9869 NFT_CB(batch_skb).report, GFP_KERNEL); 9870 } 9871 9872 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 9873 } 9874 9875 static int nf_tables_commit_audit_alloc(struct list_head *adl, 9876 struct nft_table *table) 9877 { 9878 struct nft_audit_data *adp; 9879 9880 list_for_each_entry(adp, adl, list) { 9881 if (adp->table == table) 9882 return 0; 9883 } 9884 adp = kzalloc(sizeof(*adp), GFP_KERNEL); 9885 if (!adp) 9886 return -ENOMEM; 9887 adp->table = table; 9888 list_add(&adp->list, adl); 9889 return 0; 9890 } 9891 9892 static void nf_tables_commit_audit_free(struct list_head *adl) 9893 { 9894 struct nft_audit_data *adp, *adn; 9895 9896 list_for_each_entry_safe(adp, adn, adl, list) { 9897 list_del(&adp->list); 9898 kfree(adp); 9899 } 9900 } 9901 9902 static void nf_tables_commit_audit_collect(struct list_head *adl, 9903 struct nft_table *table, u32 op) 9904 { 9905 struct nft_audit_data *adp; 9906 9907 list_for_each_entry(adp, adl, list) { 9908 if (adp->table == table) 9909 goto found; 9910 } 9911 WARN_ONCE(1, "table=%s not expected in commit list", table->name); 9912 return; 9913 found: 9914 adp->entries++; 9915 if (!adp->op || adp->op > op) 9916 adp->op = op; 9917 } 9918 9919 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) 9920 9921 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) 9922 { 9923 struct nft_audit_data *adp, *adn; 9924 char aubuf[AUNFTABLENAMELEN]; 9925 9926 list_for_each_entry_safe(adp, adn, adl, list) { 9927 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, 9928 generation); 9929 audit_log_nfcfg(aubuf, adp->table->family, adp->entries, 9930 nft2audit_op[adp->op], GFP_KERNEL); 9931 list_del(&adp->list); 9932 kfree(adp); 9933 } 9934 } 9935 9936 static void nft_set_commit_update(struct list_head *set_update_list) 9937 { 9938 struct nft_set *set, *next; 9939 9940 list_for_each_entry_safe(set, next, set_update_list, pending_update) { 9941 list_del_init(&set->pending_update); 9942 9943 if (!set->ops->commit || set->dead) 9944 continue; 9945 9946 set->ops->commit(set); 9947 } 9948 } 9949 9950 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net) 9951 { 9952 unsigned int gc_seq; 9953 9954 /* Bump gc counter, it becomes odd, this is the busy mark. */ 9955 gc_seq = READ_ONCE(nft_net->gc_seq); 9956 WRITE_ONCE(nft_net->gc_seq, ++gc_seq); 9957 9958 return gc_seq; 9959 } 9960 9961 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq) 9962 { 9963 WRITE_ONCE(nft_net->gc_seq, ++gc_seq); 9964 } 9965 9966 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 9967 { 9968 struct nftables_pernet *nft_net = nft_pernet(net); 9969 struct nft_trans *trans, *next; 9970 unsigned int base_seq, gc_seq; 9971 LIST_HEAD(set_update_list); 9972 struct nft_trans_elem *te; 9973 struct nft_chain *chain; 9974 struct nft_table *table; 9975 LIST_HEAD(adl); 9976 int err; 9977 9978 if (list_empty(&nft_net->commit_list)) { 9979 mutex_unlock(&nft_net->commit_mutex); 9980 return 0; 9981 } 9982 9983 list_for_each_entry(trans, &nft_net->binding_list, binding_list) { 9984 switch (trans->msg_type) { 9985 case NFT_MSG_NEWSET: 9986 if (!nft_trans_set_update(trans) && 9987 nft_set_is_anonymous(nft_trans_set(trans)) && 9988 !nft_trans_set_bound(trans)) { 9989 pr_warn_once("nftables ruleset with unbound set\n"); 9990 return -EINVAL; 9991 } 9992 break; 9993 case NFT_MSG_NEWCHAIN: 9994 if (!nft_trans_chain_update(trans) && 9995 nft_chain_binding(nft_trans_chain(trans)) && 9996 !nft_trans_chain_bound(trans)) { 9997 pr_warn_once("nftables ruleset with unbound chain\n"); 9998 return -EINVAL; 9999 } 10000 break; 10001 } 10002 } 10003 10004 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 10005 if (nf_tables_validate(net) < 0) { 10006 nft_net->validate_state = NFT_VALIDATE_DO; 10007 return -EAGAIN; 10008 } 10009 10010 err = nft_flow_rule_offload_commit(net); 10011 if (err < 0) 10012 return err; 10013 10014 /* 1. Allocate space for next generation rules_gen_X[] */ 10015 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 10016 int ret; 10017 10018 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table); 10019 if (ret) { 10020 nf_tables_commit_chain_prepare_cancel(net); 10021 nf_tables_commit_audit_free(&adl); 10022 return ret; 10023 } 10024 if (trans->msg_type == NFT_MSG_NEWRULE || 10025 trans->msg_type == NFT_MSG_DELRULE) { 10026 chain = trans->ctx.chain; 10027 10028 ret = nf_tables_commit_chain_prepare(net, chain); 10029 if (ret < 0) { 10030 nf_tables_commit_chain_prepare_cancel(net); 10031 nf_tables_commit_audit_free(&adl); 10032 return ret; 10033 } 10034 } 10035 } 10036 10037 /* step 2. Make rules_gen_X visible to packet path */ 10038 list_for_each_entry(table, &nft_net->tables, list) { 10039 list_for_each_entry(chain, &table->chains, list) 10040 nf_tables_commit_chain(net, chain); 10041 } 10042 10043 /* 10044 * Bump generation counter, invalidate any dump in progress. 10045 * Cannot fail after this point. 10046 */ 10047 base_seq = READ_ONCE(nft_net->base_seq); 10048 while (++base_seq == 0) 10049 ; 10050 10051 WRITE_ONCE(nft_net->base_seq, base_seq); 10052 10053 gc_seq = nft_gc_seq_begin(nft_net); 10054 10055 /* step 3. Start new generation, rules_gen_X now in use. */ 10056 net->nft.gencursor = nft_gencursor_next(net); 10057 10058 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 10059 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 10060 trans->msg_type); 10061 switch (trans->msg_type) { 10062 case NFT_MSG_NEWTABLE: 10063 if (nft_trans_table_update(trans)) { 10064 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) { 10065 nft_trans_destroy(trans); 10066 break; 10067 } 10068 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT) 10069 nf_tables_table_disable(net, trans->ctx.table); 10070 10071 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE; 10072 } else { 10073 nft_clear(net, trans->ctx.table); 10074 } 10075 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE); 10076 nft_trans_destroy(trans); 10077 break; 10078 case NFT_MSG_DELTABLE: 10079 case NFT_MSG_DESTROYTABLE: 10080 list_del_rcu(&trans->ctx.table->list); 10081 nf_tables_table_notify(&trans->ctx, trans->msg_type); 10082 break; 10083 case NFT_MSG_NEWCHAIN: 10084 if (nft_trans_chain_update(trans)) { 10085 nft_chain_commit_update(trans); 10086 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN, 10087 &nft_trans_chain_hooks(trans)); 10088 list_splice(&nft_trans_chain_hooks(trans), 10089 &nft_trans_basechain(trans)->hook_list); 10090 /* trans destroyed after rcu grace period */ 10091 } else { 10092 nft_chain_commit_drop_policy(trans); 10093 nft_clear(net, trans->ctx.chain); 10094 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN, NULL); 10095 nft_trans_destroy(trans); 10096 } 10097 break; 10098 case NFT_MSG_DELCHAIN: 10099 case NFT_MSG_DESTROYCHAIN: 10100 if (nft_trans_chain_update(trans)) { 10101 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN, 10102 &nft_trans_chain_hooks(trans)); 10103 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT)) { 10104 nft_netdev_unregister_hooks(net, 10105 &nft_trans_chain_hooks(trans), 10106 true); 10107 } 10108 } else { 10109 nft_chain_del(trans->ctx.chain); 10110 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN, 10111 NULL); 10112 nf_tables_unregister_hook(trans->ctx.net, 10113 trans->ctx.table, 10114 trans->ctx.chain); 10115 } 10116 break; 10117 case NFT_MSG_NEWRULE: 10118 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 10119 nf_tables_rule_notify(&trans->ctx, 10120 nft_trans_rule(trans), 10121 NFT_MSG_NEWRULE); 10122 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 10123 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10124 10125 nft_trans_destroy(trans); 10126 break; 10127 case NFT_MSG_DELRULE: 10128 case NFT_MSG_DESTROYRULE: 10129 list_del_rcu(&nft_trans_rule(trans)->list); 10130 nf_tables_rule_notify(&trans->ctx, 10131 nft_trans_rule(trans), 10132 trans->msg_type); 10133 nft_rule_expr_deactivate(&trans->ctx, 10134 nft_trans_rule(trans), 10135 NFT_TRANS_COMMIT); 10136 10137 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 10138 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10139 break; 10140 case NFT_MSG_NEWSET: 10141 if (nft_trans_set_update(trans)) { 10142 struct nft_set *set = nft_trans_set(trans); 10143 10144 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans)); 10145 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans)); 10146 10147 if (nft_trans_set_size(trans)) 10148 WRITE_ONCE(set->size, nft_trans_set_size(trans)); 10149 } else { 10150 nft_clear(net, nft_trans_set(trans)); 10151 /* This avoids hitting -EBUSY when deleting the table 10152 * from the transaction. 10153 */ 10154 if (nft_set_is_anonymous(nft_trans_set(trans)) && 10155 !list_empty(&nft_trans_set(trans)->bindings)) 10156 nft_use_dec(&trans->ctx.table->use); 10157 } 10158 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 10159 NFT_MSG_NEWSET, GFP_KERNEL); 10160 nft_trans_destroy(trans); 10161 break; 10162 case NFT_MSG_DELSET: 10163 case NFT_MSG_DESTROYSET: 10164 nft_trans_set(trans)->dead = 1; 10165 list_del_rcu(&nft_trans_set(trans)->list); 10166 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 10167 trans->msg_type, GFP_KERNEL); 10168 break; 10169 case NFT_MSG_NEWSETELEM: 10170 te = (struct nft_trans_elem *)trans->data; 10171 10172 nft_setelem_activate(net, te->set, &te->elem); 10173 nf_tables_setelem_notify(&trans->ctx, te->set, 10174 &te->elem, 10175 NFT_MSG_NEWSETELEM); 10176 if (te->set->ops->commit && 10177 list_empty(&te->set->pending_update)) { 10178 list_add_tail(&te->set->pending_update, 10179 &set_update_list); 10180 } 10181 nft_trans_destroy(trans); 10182 break; 10183 case NFT_MSG_DELSETELEM: 10184 case NFT_MSG_DESTROYSETELEM: 10185 te = (struct nft_trans_elem *)trans->data; 10186 10187 nf_tables_setelem_notify(&trans->ctx, te->set, 10188 &te->elem, 10189 trans->msg_type); 10190 nft_setelem_remove(net, te->set, &te->elem); 10191 if (!nft_setelem_is_catchall(te->set, &te->elem)) { 10192 atomic_dec(&te->set->nelems); 10193 te->set->ndeact--; 10194 } 10195 if (te->set->ops->commit && 10196 list_empty(&te->set->pending_update)) { 10197 list_add_tail(&te->set->pending_update, 10198 &set_update_list); 10199 } 10200 break; 10201 case NFT_MSG_NEWOBJ: 10202 if (nft_trans_obj_update(trans)) { 10203 nft_obj_commit_update(trans); 10204 nf_tables_obj_notify(&trans->ctx, 10205 nft_trans_obj(trans), 10206 NFT_MSG_NEWOBJ); 10207 } else { 10208 nft_clear(net, nft_trans_obj(trans)); 10209 nf_tables_obj_notify(&trans->ctx, 10210 nft_trans_obj(trans), 10211 NFT_MSG_NEWOBJ); 10212 nft_trans_destroy(trans); 10213 } 10214 break; 10215 case NFT_MSG_DELOBJ: 10216 case NFT_MSG_DESTROYOBJ: 10217 nft_obj_del(nft_trans_obj(trans)); 10218 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans), 10219 trans->msg_type); 10220 break; 10221 case NFT_MSG_NEWFLOWTABLE: 10222 if (nft_trans_flowtable_update(trans)) { 10223 nft_trans_flowtable(trans)->data.flags = 10224 nft_trans_flowtable_flags(trans); 10225 nf_tables_flowtable_notify(&trans->ctx, 10226 nft_trans_flowtable(trans), 10227 &nft_trans_flowtable_hooks(trans), 10228 NFT_MSG_NEWFLOWTABLE); 10229 list_splice(&nft_trans_flowtable_hooks(trans), 10230 &nft_trans_flowtable(trans)->hook_list); 10231 } else { 10232 nft_clear(net, nft_trans_flowtable(trans)); 10233 nf_tables_flowtable_notify(&trans->ctx, 10234 nft_trans_flowtable(trans), 10235 NULL, 10236 NFT_MSG_NEWFLOWTABLE); 10237 } 10238 nft_trans_destroy(trans); 10239 break; 10240 case NFT_MSG_DELFLOWTABLE: 10241 case NFT_MSG_DESTROYFLOWTABLE: 10242 if (nft_trans_flowtable_update(trans)) { 10243 nf_tables_flowtable_notify(&trans->ctx, 10244 nft_trans_flowtable(trans), 10245 &nft_trans_flowtable_hooks(trans), 10246 trans->msg_type); 10247 nft_unregister_flowtable_net_hooks(net, 10248 &nft_trans_flowtable_hooks(trans)); 10249 } else { 10250 list_del_rcu(&nft_trans_flowtable(trans)->list); 10251 nf_tables_flowtable_notify(&trans->ctx, 10252 nft_trans_flowtable(trans), 10253 NULL, 10254 trans->msg_type); 10255 nft_unregister_flowtable_net_hooks(net, 10256 &nft_trans_flowtable(trans)->hook_list); 10257 } 10258 break; 10259 } 10260 } 10261 10262 nft_set_commit_update(&set_update_list); 10263 10264 nft_commit_notify(net, NETLINK_CB(skb).portid); 10265 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 10266 nf_tables_commit_audit_log(&adl, nft_net->base_seq); 10267 10268 nft_gc_seq_end(nft_net, gc_seq); 10269 nft_net->validate_state = NFT_VALIDATE_SKIP; 10270 nf_tables_commit_release(net); 10271 10272 return 0; 10273 } 10274 10275 static void nf_tables_module_autoload(struct net *net) 10276 { 10277 struct nftables_pernet *nft_net = nft_pernet(net); 10278 struct nft_module_request *req, *next; 10279 LIST_HEAD(module_list); 10280 10281 list_splice_init(&nft_net->module_list, &module_list); 10282 mutex_unlock(&nft_net->commit_mutex); 10283 list_for_each_entry_safe(req, next, &module_list, list) { 10284 request_module("%s", req->module); 10285 req->done = true; 10286 } 10287 mutex_lock(&nft_net->commit_mutex); 10288 list_splice(&module_list, &nft_net->module_list); 10289 } 10290 10291 static void nf_tables_abort_release(struct nft_trans *trans) 10292 { 10293 switch (trans->msg_type) { 10294 case NFT_MSG_NEWTABLE: 10295 nf_tables_table_destroy(&trans->ctx); 10296 break; 10297 case NFT_MSG_NEWCHAIN: 10298 if (nft_trans_chain_update(trans)) 10299 nft_hooks_destroy(&nft_trans_chain_hooks(trans)); 10300 else 10301 nf_tables_chain_destroy(&trans->ctx); 10302 break; 10303 case NFT_MSG_NEWRULE: 10304 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 10305 break; 10306 case NFT_MSG_NEWSET: 10307 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 10308 break; 10309 case NFT_MSG_NEWSETELEM: 10310 nft_set_elem_destroy(nft_trans_elem_set(trans), 10311 nft_trans_elem(trans).priv, true); 10312 break; 10313 case NFT_MSG_NEWOBJ: 10314 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 10315 break; 10316 case NFT_MSG_NEWFLOWTABLE: 10317 if (nft_trans_flowtable_update(trans)) 10318 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 10319 else 10320 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 10321 break; 10322 } 10323 kfree(trans); 10324 } 10325 10326 static void nft_set_abort_update(struct list_head *set_update_list) 10327 { 10328 struct nft_set *set, *next; 10329 10330 list_for_each_entry_safe(set, next, set_update_list, pending_update) { 10331 list_del_init(&set->pending_update); 10332 10333 if (!set->ops->abort) 10334 continue; 10335 10336 set->ops->abort(set); 10337 } 10338 } 10339 10340 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) 10341 { 10342 struct nftables_pernet *nft_net = nft_pernet(net); 10343 struct nft_trans *trans, *next; 10344 LIST_HEAD(set_update_list); 10345 struct nft_trans_elem *te; 10346 int err = 0; 10347 10348 if (action == NFNL_ABORT_VALIDATE && 10349 nf_tables_validate(net) < 0) 10350 err = -EAGAIN; 10351 10352 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, 10353 list) { 10354 switch (trans->msg_type) { 10355 case NFT_MSG_NEWTABLE: 10356 if (nft_trans_table_update(trans)) { 10357 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) { 10358 nft_trans_destroy(trans); 10359 break; 10360 } 10361 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) { 10362 nf_tables_table_disable(net, trans->ctx.table); 10363 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 10364 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) { 10365 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT; 10366 } 10367 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE; 10368 nft_trans_destroy(trans); 10369 } else { 10370 list_del_rcu(&trans->ctx.table->list); 10371 } 10372 break; 10373 case NFT_MSG_DELTABLE: 10374 case NFT_MSG_DESTROYTABLE: 10375 nft_clear(trans->ctx.net, trans->ctx.table); 10376 nft_trans_destroy(trans); 10377 break; 10378 case NFT_MSG_NEWCHAIN: 10379 if (nft_trans_chain_update(trans)) { 10380 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT)) { 10381 nft_netdev_unregister_hooks(net, 10382 &nft_trans_chain_hooks(trans), 10383 true); 10384 } 10385 free_percpu(nft_trans_chain_stats(trans)); 10386 kfree(nft_trans_chain_name(trans)); 10387 nft_trans_destroy(trans); 10388 } else { 10389 if (nft_trans_chain_bound(trans)) { 10390 nft_trans_destroy(trans); 10391 break; 10392 } 10393 nft_use_dec_restore(&trans->ctx.table->use); 10394 nft_chain_del(trans->ctx.chain); 10395 nf_tables_unregister_hook(trans->ctx.net, 10396 trans->ctx.table, 10397 trans->ctx.chain); 10398 } 10399 break; 10400 case NFT_MSG_DELCHAIN: 10401 case NFT_MSG_DESTROYCHAIN: 10402 if (nft_trans_chain_update(trans)) { 10403 list_splice(&nft_trans_chain_hooks(trans), 10404 &nft_trans_basechain(trans)->hook_list); 10405 } else { 10406 nft_use_inc_restore(&trans->ctx.table->use); 10407 nft_clear(trans->ctx.net, trans->ctx.chain); 10408 } 10409 nft_trans_destroy(trans); 10410 break; 10411 case NFT_MSG_NEWRULE: 10412 if (nft_trans_rule_bound(trans)) { 10413 nft_trans_destroy(trans); 10414 break; 10415 } 10416 nft_use_dec_restore(&trans->ctx.chain->use); 10417 list_del_rcu(&nft_trans_rule(trans)->list); 10418 nft_rule_expr_deactivate(&trans->ctx, 10419 nft_trans_rule(trans), 10420 NFT_TRANS_ABORT); 10421 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 10422 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10423 break; 10424 case NFT_MSG_DELRULE: 10425 case NFT_MSG_DESTROYRULE: 10426 nft_use_inc_restore(&trans->ctx.chain->use); 10427 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 10428 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans)); 10429 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 10430 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10431 10432 nft_trans_destroy(trans); 10433 break; 10434 case NFT_MSG_NEWSET: 10435 if (nft_trans_set_update(trans)) { 10436 nft_trans_destroy(trans); 10437 break; 10438 } 10439 nft_use_dec_restore(&trans->ctx.table->use); 10440 if (nft_trans_set_bound(trans)) { 10441 nft_trans_destroy(trans); 10442 break; 10443 } 10444 nft_trans_set(trans)->dead = 1; 10445 list_del_rcu(&nft_trans_set(trans)->list); 10446 break; 10447 case NFT_MSG_DELSET: 10448 case NFT_MSG_DESTROYSET: 10449 nft_use_inc_restore(&trans->ctx.table->use); 10450 nft_clear(trans->ctx.net, nft_trans_set(trans)); 10451 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 10452 nft_map_activate(&trans->ctx, nft_trans_set(trans)); 10453 10454 nft_trans_destroy(trans); 10455 break; 10456 case NFT_MSG_NEWSETELEM: 10457 if (nft_trans_elem_set_bound(trans)) { 10458 nft_trans_destroy(trans); 10459 break; 10460 } 10461 te = (struct nft_trans_elem *)trans->data; 10462 nft_setelem_remove(net, te->set, &te->elem); 10463 if (!nft_setelem_is_catchall(te->set, &te->elem)) 10464 atomic_dec(&te->set->nelems); 10465 10466 if (te->set->ops->abort && 10467 list_empty(&te->set->pending_update)) { 10468 list_add_tail(&te->set->pending_update, 10469 &set_update_list); 10470 } 10471 break; 10472 case NFT_MSG_DELSETELEM: 10473 case NFT_MSG_DESTROYSETELEM: 10474 te = (struct nft_trans_elem *)trans->data; 10475 10476 nft_setelem_data_activate(net, te->set, &te->elem); 10477 nft_setelem_activate(net, te->set, &te->elem); 10478 if (!nft_setelem_is_catchall(te->set, &te->elem)) 10479 te->set->ndeact--; 10480 10481 if (te->set->ops->abort && 10482 list_empty(&te->set->pending_update)) { 10483 list_add_tail(&te->set->pending_update, 10484 &set_update_list); 10485 } 10486 nft_trans_destroy(trans); 10487 break; 10488 case NFT_MSG_NEWOBJ: 10489 if (nft_trans_obj_update(trans)) { 10490 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans)); 10491 nft_trans_destroy(trans); 10492 } else { 10493 nft_use_dec_restore(&trans->ctx.table->use); 10494 nft_obj_del(nft_trans_obj(trans)); 10495 } 10496 break; 10497 case NFT_MSG_DELOBJ: 10498 case NFT_MSG_DESTROYOBJ: 10499 nft_use_inc_restore(&trans->ctx.table->use); 10500 nft_clear(trans->ctx.net, nft_trans_obj(trans)); 10501 nft_trans_destroy(trans); 10502 break; 10503 case NFT_MSG_NEWFLOWTABLE: 10504 if (nft_trans_flowtable_update(trans)) { 10505 nft_unregister_flowtable_net_hooks(net, 10506 &nft_trans_flowtable_hooks(trans)); 10507 } else { 10508 nft_use_dec_restore(&trans->ctx.table->use); 10509 list_del_rcu(&nft_trans_flowtable(trans)->list); 10510 nft_unregister_flowtable_net_hooks(net, 10511 &nft_trans_flowtable(trans)->hook_list); 10512 } 10513 break; 10514 case NFT_MSG_DELFLOWTABLE: 10515 case NFT_MSG_DESTROYFLOWTABLE: 10516 if (nft_trans_flowtable_update(trans)) { 10517 list_splice(&nft_trans_flowtable_hooks(trans), 10518 &nft_trans_flowtable(trans)->hook_list); 10519 } else { 10520 nft_use_inc_restore(&trans->ctx.table->use); 10521 nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); 10522 } 10523 nft_trans_destroy(trans); 10524 break; 10525 } 10526 } 10527 10528 nft_set_abort_update(&set_update_list); 10529 10530 synchronize_rcu(); 10531 10532 list_for_each_entry_safe_reverse(trans, next, 10533 &nft_net->commit_list, list) { 10534 nft_trans_list_del(trans); 10535 nf_tables_abort_release(trans); 10536 } 10537 10538 return err; 10539 } 10540 10541 static int nf_tables_abort(struct net *net, struct sk_buff *skb, 10542 enum nfnl_abort_action action) 10543 { 10544 struct nftables_pernet *nft_net = nft_pernet(net); 10545 unsigned int gc_seq; 10546 int ret; 10547 10548 gc_seq = nft_gc_seq_begin(nft_net); 10549 ret = __nf_tables_abort(net, action); 10550 nft_gc_seq_end(nft_net, gc_seq); 10551 10552 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 10553 10554 /* module autoload needs to happen after GC sequence update because it 10555 * temporarily releases and grabs mutex again. 10556 */ 10557 if (action == NFNL_ABORT_AUTOLOAD) 10558 nf_tables_module_autoload(net); 10559 else 10560 nf_tables_module_autoload_cleanup(net); 10561 10562 mutex_unlock(&nft_net->commit_mutex); 10563 10564 return ret; 10565 } 10566 10567 static bool nf_tables_valid_genid(struct net *net, u32 genid) 10568 { 10569 struct nftables_pernet *nft_net = nft_pernet(net); 10570 bool genid_ok; 10571 10572 mutex_lock(&nft_net->commit_mutex); 10573 10574 genid_ok = genid == 0 || nft_net->base_seq == genid; 10575 if (!genid_ok) 10576 mutex_unlock(&nft_net->commit_mutex); 10577 10578 /* else, commit mutex has to be released by commit or abort function */ 10579 return genid_ok; 10580 } 10581 10582 static const struct nfnetlink_subsystem nf_tables_subsys = { 10583 .name = "nf_tables", 10584 .subsys_id = NFNL_SUBSYS_NFTABLES, 10585 .cb_count = NFT_MSG_MAX, 10586 .cb = nf_tables_cb, 10587 .commit = nf_tables_commit, 10588 .abort = nf_tables_abort, 10589 .valid_genid = nf_tables_valid_genid, 10590 .owner = THIS_MODULE, 10591 }; 10592 10593 int nft_chain_validate_dependency(const struct nft_chain *chain, 10594 enum nft_chain_types type) 10595 { 10596 const struct nft_base_chain *basechain; 10597 10598 if (nft_is_base_chain(chain)) { 10599 basechain = nft_base_chain(chain); 10600 if (basechain->type->type != type) 10601 return -EOPNOTSUPP; 10602 } 10603 return 0; 10604 } 10605 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 10606 10607 int nft_chain_validate_hooks(const struct nft_chain *chain, 10608 unsigned int hook_flags) 10609 { 10610 struct nft_base_chain *basechain; 10611 10612 if (nft_is_base_chain(chain)) { 10613 basechain = nft_base_chain(chain); 10614 10615 if ((1 << basechain->ops.hooknum) & hook_flags) 10616 return 0; 10617 10618 return -EOPNOTSUPP; 10619 } 10620 10621 return 0; 10622 } 10623 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 10624 10625 /* 10626 * Loop detection - walk through the ruleset beginning at the destination chain 10627 * of a new jump until either the source chain is reached (loop) or all 10628 * reachable chains have been traversed. 10629 * 10630 * The loop check is performed whenever a new jump verdict is added to an 10631 * expression or verdict map or a verdict map is bound to a new chain. 10632 */ 10633 10634 static int nf_tables_check_loops(const struct nft_ctx *ctx, 10635 const struct nft_chain *chain); 10636 10637 static int nft_check_loops(const struct nft_ctx *ctx, 10638 const struct nft_set_ext *ext) 10639 { 10640 const struct nft_data *data; 10641 int ret; 10642 10643 data = nft_set_ext_data(ext); 10644 switch (data->verdict.code) { 10645 case NFT_JUMP: 10646 case NFT_GOTO: 10647 ret = nf_tables_check_loops(ctx, data->verdict.chain); 10648 break; 10649 default: 10650 ret = 0; 10651 break; 10652 } 10653 10654 return ret; 10655 } 10656 10657 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, 10658 struct nft_set *set, 10659 const struct nft_set_iter *iter, 10660 struct nft_set_elem *elem) 10661 { 10662 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 10663 10664 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 10665 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 10666 return 0; 10667 10668 return nft_check_loops(ctx, ext); 10669 } 10670 10671 static int nft_set_catchall_loops(const struct nft_ctx *ctx, 10672 struct nft_set *set) 10673 { 10674 u8 genmask = nft_genmask_next(ctx->net); 10675 struct nft_set_elem_catchall *catchall; 10676 struct nft_set_ext *ext; 10677 int ret = 0; 10678 10679 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 10680 ext = nft_set_elem_ext(set, catchall->elem); 10681 if (!nft_set_elem_active(ext, genmask)) 10682 continue; 10683 10684 ret = nft_check_loops(ctx, ext); 10685 if (ret < 0) 10686 return ret; 10687 } 10688 10689 return ret; 10690 } 10691 10692 static int nf_tables_check_loops(const struct nft_ctx *ctx, 10693 const struct nft_chain *chain) 10694 { 10695 const struct nft_rule *rule; 10696 const struct nft_expr *expr, *last; 10697 struct nft_set *set; 10698 struct nft_set_binding *binding; 10699 struct nft_set_iter iter; 10700 10701 if (ctx->chain == chain) 10702 return -ELOOP; 10703 10704 if (fatal_signal_pending(current)) 10705 return -EINTR; 10706 10707 list_for_each_entry(rule, &chain->rules, list) { 10708 nft_rule_for_each_expr(expr, last, rule) { 10709 struct nft_immediate_expr *priv; 10710 const struct nft_data *data; 10711 int err; 10712 10713 if (strcmp(expr->ops->type->name, "immediate")) 10714 continue; 10715 10716 priv = nft_expr_priv(expr); 10717 if (priv->dreg != NFT_REG_VERDICT) 10718 continue; 10719 10720 data = &priv->data; 10721 switch (data->verdict.code) { 10722 case NFT_JUMP: 10723 case NFT_GOTO: 10724 err = nf_tables_check_loops(ctx, 10725 data->verdict.chain); 10726 if (err < 0) 10727 return err; 10728 break; 10729 default: 10730 break; 10731 } 10732 } 10733 } 10734 10735 list_for_each_entry(set, &ctx->table->sets, list) { 10736 if (!nft_is_active_next(ctx->net, set)) 10737 continue; 10738 if (!(set->flags & NFT_SET_MAP) || 10739 set->dtype != NFT_DATA_VERDICT) 10740 continue; 10741 10742 list_for_each_entry(binding, &set->bindings, list) { 10743 if (!(binding->flags & NFT_SET_MAP) || 10744 binding->chain != chain) 10745 continue; 10746 10747 iter.genmask = nft_genmask_next(ctx->net); 10748 iter.skip = 0; 10749 iter.count = 0; 10750 iter.err = 0; 10751 iter.fn = nf_tables_loop_check_setelem; 10752 10753 set->ops->walk(ctx, set, &iter); 10754 if (!iter.err) 10755 iter.err = nft_set_catchall_loops(ctx, set); 10756 10757 if (iter.err < 0) 10758 return iter.err; 10759 } 10760 } 10761 10762 return 0; 10763 } 10764 10765 /** 10766 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 10767 * 10768 * @attr: netlink attribute to fetch value from 10769 * @max: maximum value to be stored in dest 10770 * @dest: pointer to the variable 10771 * 10772 * Parse, check and store a given u32 netlink attribute into variable. 10773 * This function returns -ERANGE if the value goes over maximum value. 10774 * Otherwise a 0 is returned and the attribute value is stored in the 10775 * destination variable. 10776 */ 10777 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 10778 { 10779 u32 val; 10780 10781 val = ntohl(nla_get_be32(attr)); 10782 if (val > max) 10783 return -ERANGE; 10784 10785 *dest = val; 10786 return 0; 10787 } 10788 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 10789 10790 static int nft_parse_register(const struct nlattr *attr, u32 *preg) 10791 { 10792 unsigned int reg; 10793 10794 reg = ntohl(nla_get_be32(attr)); 10795 switch (reg) { 10796 case NFT_REG_VERDICT...NFT_REG_4: 10797 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE; 10798 break; 10799 case NFT_REG32_00...NFT_REG32_15: 10800 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 10801 break; 10802 default: 10803 return -ERANGE; 10804 } 10805 10806 return 0; 10807 } 10808 10809 /** 10810 * nft_dump_register - dump a register value to a netlink attribute 10811 * 10812 * @skb: socket buffer 10813 * @attr: attribute number 10814 * @reg: register number 10815 * 10816 * Construct a netlink attribute containing the register number. For 10817 * compatibility reasons, register numbers being a multiple of 4 are 10818 * translated to the corresponding 128 bit register numbers. 10819 */ 10820 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 10821 { 10822 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 10823 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 10824 else 10825 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 10826 10827 return nla_put_be32(skb, attr, htonl(reg)); 10828 } 10829 EXPORT_SYMBOL_GPL(nft_dump_register); 10830 10831 static int nft_validate_register_load(enum nft_registers reg, unsigned int len) 10832 { 10833 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 10834 return -EINVAL; 10835 if (len == 0) 10836 return -EINVAL; 10837 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 10838 return -ERANGE; 10839 10840 return 0; 10841 } 10842 10843 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len) 10844 { 10845 u32 reg; 10846 int err; 10847 10848 err = nft_parse_register(attr, ®); 10849 if (err < 0) 10850 return err; 10851 10852 err = nft_validate_register_load(reg, len); 10853 if (err < 0) 10854 return err; 10855 10856 *sreg = reg; 10857 return 0; 10858 } 10859 EXPORT_SYMBOL_GPL(nft_parse_register_load); 10860 10861 static int nft_validate_register_store(const struct nft_ctx *ctx, 10862 enum nft_registers reg, 10863 const struct nft_data *data, 10864 enum nft_data_types type, 10865 unsigned int len) 10866 { 10867 int err; 10868 10869 switch (reg) { 10870 case NFT_REG_VERDICT: 10871 if (type != NFT_DATA_VERDICT) 10872 return -EINVAL; 10873 10874 if (data != NULL && 10875 (data->verdict.code == NFT_GOTO || 10876 data->verdict.code == NFT_JUMP)) { 10877 err = nf_tables_check_loops(ctx, data->verdict.chain); 10878 if (err < 0) 10879 return err; 10880 } 10881 10882 return 0; 10883 default: 10884 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 10885 return -EINVAL; 10886 if (len == 0) 10887 return -EINVAL; 10888 if (reg * NFT_REG32_SIZE + len > 10889 sizeof_field(struct nft_regs, data)) 10890 return -ERANGE; 10891 10892 if (data != NULL && type != NFT_DATA_VALUE) 10893 return -EINVAL; 10894 return 0; 10895 } 10896 } 10897 10898 int nft_parse_register_store(const struct nft_ctx *ctx, 10899 const struct nlattr *attr, u8 *dreg, 10900 const struct nft_data *data, 10901 enum nft_data_types type, unsigned int len) 10902 { 10903 int err; 10904 u32 reg; 10905 10906 err = nft_parse_register(attr, ®); 10907 if (err < 0) 10908 return err; 10909 10910 err = nft_validate_register_store(ctx, reg, data, type, len); 10911 if (err < 0) 10912 return err; 10913 10914 *dreg = reg; 10915 return 0; 10916 } 10917 EXPORT_SYMBOL_GPL(nft_parse_register_store); 10918 10919 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 10920 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 10921 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 10922 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 10923 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 }, 10924 }; 10925 10926 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 10927 struct nft_data_desc *desc, const struct nlattr *nla) 10928 { 10929 u8 genmask = nft_genmask_next(ctx->net); 10930 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 10931 struct nft_chain *chain; 10932 int err; 10933 10934 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 10935 nft_verdict_policy, NULL); 10936 if (err < 0) 10937 return err; 10938 10939 if (!tb[NFTA_VERDICT_CODE]) 10940 return -EINVAL; 10941 10942 /* zero padding hole for memcmp */ 10943 memset(data, 0, sizeof(*data)); 10944 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 10945 10946 switch (data->verdict.code) { 10947 case NF_ACCEPT: 10948 case NF_DROP: 10949 case NF_QUEUE: 10950 break; 10951 case NFT_CONTINUE: 10952 case NFT_BREAK: 10953 case NFT_RETURN: 10954 break; 10955 case NFT_JUMP: 10956 case NFT_GOTO: 10957 if (tb[NFTA_VERDICT_CHAIN]) { 10958 chain = nft_chain_lookup(ctx->net, ctx->table, 10959 tb[NFTA_VERDICT_CHAIN], 10960 genmask); 10961 } else if (tb[NFTA_VERDICT_CHAIN_ID]) { 10962 chain = nft_chain_lookup_byid(ctx->net, ctx->table, 10963 tb[NFTA_VERDICT_CHAIN_ID], 10964 genmask); 10965 if (IS_ERR(chain)) 10966 return PTR_ERR(chain); 10967 } else { 10968 return -EINVAL; 10969 } 10970 10971 if (IS_ERR(chain)) 10972 return PTR_ERR(chain); 10973 if (nft_is_base_chain(chain)) 10974 return -EOPNOTSUPP; 10975 if (nft_chain_is_bound(chain)) 10976 return -EINVAL; 10977 if (desc->flags & NFT_DATA_DESC_SETELEM && 10978 chain->flags & NFT_CHAIN_BINDING) 10979 return -EINVAL; 10980 if (!nft_use_inc(&chain->use)) 10981 return -EMFILE; 10982 10983 data->verdict.chain = chain; 10984 break; 10985 default: 10986 return -EINVAL; 10987 } 10988 10989 desc->len = sizeof(data->verdict); 10990 10991 return 0; 10992 } 10993 10994 static void nft_verdict_uninit(const struct nft_data *data) 10995 { 10996 struct nft_chain *chain; 10997 10998 switch (data->verdict.code) { 10999 case NFT_JUMP: 11000 case NFT_GOTO: 11001 chain = data->verdict.chain; 11002 nft_use_dec(&chain->use); 11003 break; 11004 } 11005 } 11006 11007 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 11008 { 11009 struct nlattr *nest; 11010 11011 nest = nla_nest_start_noflag(skb, type); 11012 if (!nest) 11013 goto nla_put_failure; 11014 11015 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 11016 goto nla_put_failure; 11017 11018 switch (v->code) { 11019 case NFT_JUMP: 11020 case NFT_GOTO: 11021 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 11022 v->chain->name)) 11023 goto nla_put_failure; 11024 } 11025 nla_nest_end(skb, nest); 11026 return 0; 11027 11028 nla_put_failure: 11029 return -1; 11030 } 11031 11032 static int nft_value_init(const struct nft_ctx *ctx, 11033 struct nft_data *data, struct nft_data_desc *desc, 11034 const struct nlattr *nla) 11035 { 11036 unsigned int len; 11037 11038 len = nla_len(nla); 11039 if (len == 0) 11040 return -EINVAL; 11041 if (len > desc->size) 11042 return -EOVERFLOW; 11043 if (desc->len) { 11044 if (len != desc->len) 11045 return -EINVAL; 11046 } else { 11047 desc->len = len; 11048 } 11049 11050 nla_memcpy(data->data, nla, len); 11051 11052 return 0; 11053 } 11054 11055 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 11056 unsigned int len) 11057 { 11058 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 11059 } 11060 11061 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 11062 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 11063 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 11064 }; 11065 11066 /** 11067 * nft_data_init - parse nf_tables data netlink attributes 11068 * 11069 * @ctx: context of the expression using the data 11070 * @data: destination struct nft_data 11071 * @desc: data description 11072 * @nla: netlink attribute containing data 11073 * 11074 * Parse the netlink data attributes and initialize a struct nft_data. 11075 * The type and length of data are returned in the data description. 11076 * 11077 * The caller can indicate that it only wants to accept data of type 11078 * NFT_DATA_VALUE by passing NULL for the ctx argument. 11079 */ 11080 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, 11081 struct nft_data_desc *desc, const struct nlattr *nla) 11082 { 11083 struct nlattr *tb[NFTA_DATA_MAX + 1]; 11084 int err; 11085 11086 if (WARN_ON_ONCE(!desc->size)) 11087 return -EINVAL; 11088 11089 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 11090 nft_data_policy, NULL); 11091 if (err < 0) 11092 return err; 11093 11094 if (tb[NFTA_DATA_VALUE]) { 11095 if (desc->type != NFT_DATA_VALUE) 11096 return -EINVAL; 11097 11098 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]); 11099 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) { 11100 if (desc->type != NFT_DATA_VERDICT) 11101 return -EINVAL; 11102 11103 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 11104 } else { 11105 err = -EINVAL; 11106 } 11107 11108 return err; 11109 } 11110 EXPORT_SYMBOL_GPL(nft_data_init); 11111 11112 /** 11113 * nft_data_release - release a nft_data item 11114 * 11115 * @data: struct nft_data to release 11116 * @type: type of data 11117 * 11118 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 11119 * all others need to be released by calling this function. 11120 */ 11121 void nft_data_release(const struct nft_data *data, enum nft_data_types type) 11122 { 11123 if (type < NFT_DATA_VERDICT) 11124 return; 11125 switch (type) { 11126 case NFT_DATA_VERDICT: 11127 return nft_verdict_uninit(data); 11128 default: 11129 WARN_ON(1); 11130 } 11131 } 11132 EXPORT_SYMBOL_GPL(nft_data_release); 11133 11134 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 11135 enum nft_data_types type, unsigned int len) 11136 { 11137 struct nlattr *nest; 11138 int err; 11139 11140 nest = nla_nest_start_noflag(skb, attr); 11141 if (nest == NULL) 11142 return -1; 11143 11144 switch (type) { 11145 case NFT_DATA_VALUE: 11146 err = nft_value_dump(skb, data, len); 11147 break; 11148 case NFT_DATA_VERDICT: 11149 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 11150 break; 11151 default: 11152 err = -EINVAL; 11153 WARN_ON(1); 11154 } 11155 11156 nla_nest_end(skb, nest); 11157 return err; 11158 } 11159 EXPORT_SYMBOL_GPL(nft_data_dump); 11160 11161 int __nft_release_basechain(struct nft_ctx *ctx) 11162 { 11163 struct nft_rule *rule, *nr; 11164 11165 if (WARN_ON(!nft_is_base_chain(ctx->chain))) 11166 return 0; 11167 11168 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); 11169 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { 11170 list_del(&rule->list); 11171 nft_use_dec(&ctx->chain->use); 11172 nf_tables_rule_release(ctx, rule); 11173 } 11174 nft_chain_del(ctx->chain); 11175 nft_use_dec(&ctx->table->use); 11176 nf_tables_chain_destroy(ctx); 11177 11178 return 0; 11179 } 11180 EXPORT_SYMBOL_GPL(__nft_release_basechain); 11181 11182 static void __nft_release_hook(struct net *net, struct nft_table *table) 11183 { 11184 struct nft_flowtable *flowtable; 11185 struct nft_chain *chain; 11186 11187 list_for_each_entry(chain, &table->chains, list) 11188 __nf_tables_unregister_hook(net, table, chain, true); 11189 list_for_each_entry(flowtable, &table->flowtables, list) 11190 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list, 11191 true); 11192 } 11193 11194 static void __nft_release_hooks(struct net *net) 11195 { 11196 struct nftables_pernet *nft_net = nft_pernet(net); 11197 struct nft_table *table; 11198 11199 list_for_each_entry(table, &nft_net->tables, list) { 11200 if (nft_table_has_owner(table)) 11201 continue; 11202 11203 __nft_release_hook(net, table); 11204 } 11205 } 11206 11207 static void __nft_release_table(struct net *net, struct nft_table *table) 11208 { 11209 struct nft_flowtable *flowtable, *nf; 11210 struct nft_chain *chain, *nc; 11211 struct nft_object *obj, *ne; 11212 struct nft_rule *rule, *nr; 11213 struct nft_set *set, *ns; 11214 struct nft_ctx ctx = { 11215 .net = net, 11216 .family = NFPROTO_NETDEV, 11217 }; 11218 11219 ctx.family = table->family; 11220 ctx.table = table; 11221 list_for_each_entry(chain, &table->chains, list) { 11222 if (nft_chain_binding(chain)) 11223 continue; 11224 11225 ctx.chain = chain; 11226 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 11227 list_del(&rule->list); 11228 nft_use_dec(&chain->use); 11229 nf_tables_rule_release(&ctx, rule); 11230 } 11231 } 11232 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 11233 list_del(&flowtable->list); 11234 nft_use_dec(&table->use); 11235 nf_tables_flowtable_destroy(flowtable); 11236 } 11237 list_for_each_entry_safe(set, ns, &table->sets, list) { 11238 list_del(&set->list); 11239 nft_use_dec(&table->use); 11240 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 11241 nft_map_deactivate(&ctx, set); 11242 11243 nft_set_destroy(&ctx, set); 11244 } 11245 list_for_each_entry_safe(obj, ne, &table->objects, list) { 11246 nft_obj_del(obj); 11247 nft_use_dec(&table->use); 11248 nft_obj_destroy(&ctx, obj); 11249 } 11250 list_for_each_entry_safe(chain, nc, &table->chains, list) { 11251 ctx.chain = chain; 11252 nft_chain_del(chain); 11253 nft_use_dec(&table->use); 11254 nf_tables_chain_destroy(&ctx); 11255 } 11256 nf_tables_table_destroy(&ctx); 11257 } 11258 11259 static void __nft_release_tables(struct net *net) 11260 { 11261 struct nftables_pernet *nft_net = nft_pernet(net); 11262 struct nft_table *table, *nt; 11263 11264 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 11265 if (nft_table_has_owner(table)) 11266 continue; 11267 11268 list_del(&table->list); 11269 11270 __nft_release_table(net, table); 11271 } 11272 } 11273 11274 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, 11275 void *ptr) 11276 { 11277 struct nft_table *table, *to_delete[8]; 11278 struct nftables_pernet *nft_net; 11279 struct netlink_notify *n = ptr; 11280 struct net *net = n->net; 11281 unsigned int deleted; 11282 bool restart = false; 11283 unsigned int gc_seq; 11284 11285 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER) 11286 return NOTIFY_DONE; 11287 11288 nft_net = nft_pernet(net); 11289 deleted = 0; 11290 mutex_lock(&nft_net->commit_mutex); 11291 11292 gc_seq = nft_gc_seq_begin(nft_net); 11293 11294 if (!list_empty(&nf_tables_destroy_list)) 11295 nf_tables_trans_destroy_flush_work(); 11296 again: 11297 list_for_each_entry(table, &nft_net->tables, list) { 11298 if (nft_table_has_owner(table) && 11299 n->portid == table->nlpid) { 11300 __nft_release_hook(net, table); 11301 list_del_rcu(&table->list); 11302 to_delete[deleted++] = table; 11303 if (deleted >= ARRAY_SIZE(to_delete)) 11304 break; 11305 } 11306 } 11307 if (deleted) { 11308 restart = deleted >= ARRAY_SIZE(to_delete); 11309 synchronize_rcu(); 11310 while (deleted) 11311 __nft_release_table(net, to_delete[--deleted]); 11312 11313 if (restart) 11314 goto again; 11315 } 11316 nft_gc_seq_end(nft_net, gc_seq); 11317 11318 mutex_unlock(&nft_net->commit_mutex); 11319 11320 return NOTIFY_DONE; 11321 } 11322 11323 static struct notifier_block nft_nl_notifier = { 11324 .notifier_call = nft_rcv_nl_event, 11325 }; 11326 11327 static int __net_init nf_tables_init_net(struct net *net) 11328 { 11329 struct nftables_pernet *nft_net = nft_pernet(net); 11330 11331 INIT_LIST_HEAD(&nft_net->tables); 11332 INIT_LIST_HEAD(&nft_net->commit_list); 11333 INIT_LIST_HEAD(&nft_net->binding_list); 11334 INIT_LIST_HEAD(&nft_net->module_list); 11335 INIT_LIST_HEAD(&nft_net->notify_list); 11336 mutex_init(&nft_net->commit_mutex); 11337 nft_net->base_seq = 1; 11338 nft_net->gc_seq = 0; 11339 nft_net->validate_state = NFT_VALIDATE_SKIP; 11340 11341 return 0; 11342 } 11343 11344 static void __net_exit nf_tables_pre_exit_net(struct net *net) 11345 { 11346 struct nftables_pernet *nft_net = nft_pernet(net); 11347 11348 mutex_lock(&nft_net->commit_mutex); 11349 __nft_release_hooks(net); 11350 mutex_unlock(&nft_net->commit_mutex); 11351 } 11352 11353 static void __net_exit nf_tables_exit_net(struct net *net) 11354 { 11355 struct nftables_pernet *nft_net = nft_pernet(net); 11356 unsigned int gc_seq; 11357 11358 mutex_lock(&nft_net->commit_mutex); 11359 11360 gc_seq = nft_gc_seq_begin(nft_net); 11361 11362 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 11363 11364 if (!list_empty(&nft_net->module_list)) 11365 nf_tables_module_autoload_cleanup(net); 11366 11367 __nft_release_tables(net); 11368 11369 nft_gc_seq_end(nft_net, gc_seq); 11370 11371 mutex_unlock(&nft_net->commit_mutex); 11372 WARN_ON_ONCE(!list_empty(&nft_net->tables)); 11373 WARN_ON_ONCE(!list_empty(&nft_net->module_list)); 11374 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 11375 } 11376 11377 static void nf_tables_exit_batch(struct list_head *net_exit_list) 11378 { 11379 flush_work(&trans_gc_work); 11380 } 11381 11382 static struct pernet_operations nf_tables_net_ops = { 11383 .init = nf_tables_init_net, 11384 .pre_exit = nf_tables_pre_exit_net, 11385 .exit = nf_tables_exit_net, 11386 .exit_batch = nf_tables_exit_batch, 11387 .id = &nf_tables_net_id, 11388 .size = sizeof(struct nftables_pernet), 11389 }; 11390 11391 static int __init nf_tables_module_init(void) 11392 { 11393 int err; 11394 11395 err = register_pernet_subsys(&nf_tables_net_ops); 11396 if (err < 0) 11397 return err; 11398 11399 err = nft_chain_filter_init(); 11400 if (err < 0) 11401 goto err_chain_filter; 11402 11403 err = nf_tables_core_module_init(); 11404 if (err < 0) 11405 goto err_core_module; 11406 11407 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 11408 if (err < 0) 11409 goto err_netdev_notifier; 11410 11411 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 11412 if (err < 0) 11413 goto err_rht_objname; 11414 11415 err = nft_offload_init(); 11416 if (err < 0) 11417 goto err_offload; 11418 11419 err = netlink_register_notifier(&nft_nl_notifier); 11420 if (err < 0) 11421 goto err_netlink_notifier; 11422 11423 /* must be last */ 11424 err = nfnetlink_subsys_register(&nf_tables_subsys); 11425 if (err < 0) 11426 goto err_nfnl_subsys; 11427 11428 nft_chain_route_init(); 11429 11430 return err; 11431 11432 err_nfnl_subsys: 11433 netlink_unregister_notifier(&nft_nl_notifier); 11434 err_netlink_notifier: 11435 nft_offload_exit(); 11436 err_offload: 11437 rhltable_destroy(&nft_objname_ht); 11438 err_rht_objname: 11439 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 11440 err_netdev_notifier: 11441 nf_tables_core_module_exit(); 11442 err_core_module: 11443 nft_chain_filter_fini(); 11444 err_chain_filter: 11445 unregister_pernet_subsys(&nf_tables_net_ops); 11446 return err; 11447 } 11448 11449 static void __exit nf_tables_module_exit(void) 11450 { 11451 nfnetlink_subsys_unregister(&nf_tables_subsys); 11452 netlink_unregister_notifier(&nft_nl_notifier); 11453 nft_offload_exit(); 11454 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 11455 nft_chain_filter_fini(); 11456 nft_chain_route_fini(); 11457 nf_tables_trans_destroy_flush_work(); 11458 unregister_pernet_subsys(&nf_tables_net_ops); 11459 cancel_work_sync(&trans_gc_work); 11460 cancel_work_sync(&trans_destroy_work); 11461 rcu_barrier(); 11462 rhltable_destroy(&nft_objname_ht); 11463 nf_tables_core_module_exit(); 11464 } 11465 11466 module_init(nf_tables_module_init); 11467 module_exit(nf_tables_module_exit); 11468 11469 MODULE_LICENSE("GPL"); 11470 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 11471 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 11472