1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/skbuff.h> 12 #include <linux/netlink.h> 13 #include <linux/vmalloc.h> 14 #include <linux/rhashtable.h> 15 #include <linux/audit.h> 16 #include <linux/netfilter.h> 17 #include <linux/netfilter/nfnetlink.h> 18 #include <linux/netfilter/nf_tables.h> 19 #include <net/netfilter/nf_flow_table.h> 20 #include <net/netfilter/nf_tables_core.h> 21 #include <net/netfilter/nf_tables.h> 22 #include <net/netfilter/nf_tables_offload.h> 23 #include <net/net_namespace.h> 24 #include <net/sock.h> 25 26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 27 28 unsigned int nf_tables_net_id __read_mostly; 29 30 static LIST_HEAD(nf_tables_expressions); 31 static LIST_HEAD(nf_tables_objects); 32 static LIST_HEAD(nf_tables_flowtables); 33 static LIST_HEAD(nf_tables_destroy_list); 34 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 35 static u64 table_handle; 36 37 enum { 38 NFT_VALIDATE_SKIP = 0, 39 NFT_VALIDATE_NEED, 40 NFT_VALIDATE_DO, 41 }; 42 43 static struct rhltable nft_objname_ht; 44 45 static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 46 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 47 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 48 49 static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 50 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 51 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 52 53 static const struct rhashtable_params nft_chain_ht_params = { 54 .head_offset = offsetof(struct nft_chain, rhlhead), 55 .key_offset = offsetof(struct nft_chain, name), 56 .hashfn = nft_chain_hash, 57 .obj_hashfn = nft_chain_hash_obj, 58 .obj_cmpfn = nft_chain_hash_cmp, 59 .automatic_shrinking = true, 60 }; 61 62 static const struct rhashtable_params nft_objname_ht_params = { 63 .head_offset = offsetof(struct nft_object, rhlhead), 64 .key_offset = offsetof(struct nft_object, key), 65 .hashfn = nft_objname_hash, 66 .obj_hashfn = nft_objname_hash_obj, 67 .obj_cmpfn = nft_objname_hash_cmp, 68 .automatic_shrinking = true, 69 }; 70 71 struct nft_audit_data { 72 struct nft_table *table; 73 int entries; 74 int op; 75 struct list_head list; 76 }; 77 78 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types 79 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER, 80 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID, 81 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER, 82 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER, 83 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID, 84 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER, 85 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER, 86 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID, 87 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER, 88 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER, 89 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID, 90 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER, 91 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER, 92 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID, 93 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER, 94 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER, 95 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID, 96 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID, 97 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER, 98 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID, 99 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER, 100 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET, 101 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER, 102 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID, 103 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 104 }; 105 106 static void nft_validate_state_update(struct net *net, u8 new_validate_state) 107 { 108 struct nftables_pernet *nft_net = nft_pernet(net); 109 110 switch (nft_net->validate_state) { 111 case NFT_VALIDATE_SKIP: 112 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 113 break; 114 case NFT_VALIDATE_NEED: 115 break; 116 case NFT_VALIDATE_DO: 117 if (new_validate_state == NFT_VALIDATE_NEED) 118 return; 119 } 120 121 nft_net->validate_state = new_validate_state; 122 } 123 static void nf_tables_trans_destroy_work(struct work_struct *w); 124 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); 125 126 static void nft_ctx_init(struct nft_ctx *ctx, 127 struct net *net, 128 const struct sk_buff *skb, 129 const struct nlmsghdr *nlh, 130 u8 family, 131 struct nft_table *table, 132 struct nft_chain *chain, 133 const struct nlattr * const *nla) 134 { 135 ctx->net = net; 136 ctx->family = family; 137 ctx->level = 0; 138 ctx->table = table; 139 ctx->chain = chain; 140 ctx->nla = nla; 141 ctx->portid = NETLINK_CB(skb).portid; 142 ctx->report = nlmsg_report(nlh); 143 ctx->flags = nlh->nlmsg_flags; 144 ctx->seq = nlh->nlmsg_seq; 145 } 146 147 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 148 int msg_type, u32 size, gfp_t gfp) 149 { 150 struct nft_trans *trans; 151 152 trans = kzalloc(sizeof(struct nft_trans) + size, gfp); 153 if (trans == NULL) 154 return NULL; 155 156 trans->msg_type = msg_type; 157 trans->ctx = *ctx; 158 159 return trans; 160 } 161 162 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 163 int msg_type, u32 size) 164 { 165 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 166 } 167 168 static void nft_trans_destroy(struct nft_trans *trans) 169 { 170 list_del(&trans->list); 171 kfree(trans); 172 } 173 174 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 175 { 176 struct nftables_pernet *nft_net; 177 struct net *net = ctx->net; 178 struct nft_trans *trans; 179 180 if (!nft_set_is_anonymous(set)) 181 return; 182 183 nft_net = nft_pernet(net); 184 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 185 switch (trans->msg_type) { 186 case NFT_MSG_NEWSET: 187 if (nft_trans_set(trans) == set) 188 nft_trans_set_bound(trans) = true; 189 break; 190 case NFT_MSG_NEWSETELEM: 191 if (nft_trans_elem_set(trans) == set) 192 nft_trans_elem_set_bound(trans) = true; 193 break; 194 } 195 } 196 } 197 198 static int nft_netdev_register_hooks(struct net *net, 199 struct list_head *hook_list) 200 { 201 struct nft_hook *hook; 202 int err, j; 203 204 j = 0; 205 list_for_each_entry(hook, hook_list, list) { 206 err = nf_register_net_hook(net, &hook->ops); 207 if (err < 0) 208 goto err_register; 209 210 j++; 211 } 212 return 0; 213 214 err_register: 215 list_for_each_entry(hook, hook_list, list) { 216 if (j-- <= 0) 217 break; 218 219 nf_unregister_net_hook(net, &hook->ops); 220 } 221 return err; 222 } 223 224 static void nft_netdev_unregister_hooks(struct net *net, 225 struct list_head *hook_list) 226 { 227 struct nft_hook *hook; 228 229 list_for_each_entry(hook, hook_list, list) 230 nf_unregister_net_hook(net, &hook->ops); 231 } 232 233 static int nf_tables_register_hook(struct net *net, 234 const struct nft_table *table, 235 struct nft_chain *chain) 236 { 237 struct nft_base_chain *basechain; 238 const struct nf_hook_ops *ops; 239 240 if (table->flags & NFT_TABLE_F_DORMANT || 241 !nft_is_base_chain(chain)) 242 return 0; 243 244 basechain = nft_base_chain(chain); 245 ops = &basechain->ops; 246 247 if (basechain->type->ops_register) 248 return basechain->type->ops_register(net, ops); 249 250 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 251 return nft_netdev_register_hooks(net, &basechain->hook_list); 252 253 return nf_register_net_hook(net, &basechain->ops); 254 } 255 256 static void nf_tables_unregister_hook(struct net *net, 257 const struct nft_table *table, 258 struct nft_chain *chain) 259 { 260 struct nft_base_chain *basechain; 261 const struct nf_hook_ops *ops; 262 263 if (table->flags & NFT_TABLE_F_DORMANT || 264 !nft_is_base_chain(chain)) 265 return; 266 basechain = nft_base_chain(chain); 267 ops = &basechain->ops; 268 269 if (basechain->type->ops_unregister) 270 return basechain->type->ops_unregister(net, ops); 271 272 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 273 nft_netdev_unregister_hooks(net, &basechain->hook_list); 274 else 275 nf_unregister_net_hook(net, &basechain->ops); 276 } 277 278 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) 279 { 280 struct nftables_pernet *nft_net = nft_pernet(net); 281 282 list_add_tail(&trans->list, &nft_net->commit_list); 283 } 284 285 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 286 { 287 struct nft_trans *trans; 288 289 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 290 if (trans == NULL) 291 return -ENOMEM; 292 293 if (msg_type == NFT_MSG_NEWTABLE) 294 nft_activate_next(ctx->net, ctx->table); 295 296 nft_trans_commit_list_add_tail(ctx->net, trans); 297 return 0; 298 } 299 300 static int nft_deltable(struct nft_ctx *ctx) 301 { 302 int err; 303 304 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 305 if (err < 0) 306 return err; 307 308 nft_deactivate_next(ctx->net, ctx->table); 309 return err; 310 } 311 312 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 313 { 314 struct nft_trans *trans; 315 316 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 317 if (trans == NULL) 318 return ERR_PTR(-ENOMEM); 319 320 if (msg_type == NFT_MSG_NEWCHAIN) { 321 nft_activate_next(ctx->net, ctx->chain); 322 323 if (ctx->nla[NFTA_CHAIN_ID]) { 324 nft_trans_chain_id(trans) = 325 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); 326 } 327 } 328 329 nft_trans_commit_list_add_tail(ctx->net, trans); 330 return trans; 331 } 332 333 static int nft_delchain(struct nft_ctx *ctx) 334 { 335 struct nft_trans *trans; 336 337 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 338 if (IS_ERR(trans)) 339 return PTR_ERR(trans); 340 341 ctx->table->use--; 342 nft_deactivate_next(ctx->net, ctx->chain); 343 344 return 0; 345 } 346 347 static void nft_rule_expr_activate(const struct nft_ctx *ctx, 348 struct nft_rule *rule) 349 { 350 struct nft_expr *expr; 351 352 expr = nft_expr_first(rule); 353 while (nft_expr_more(rule, expr)) { 354 if (expr->ops->activate) 355 expr->ops->activate(ctx, expr); 356 357 expr = nft_expr_next(expr); 358 } 359 } 360 361 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, 362 struct nft_rule *rule, 363 enum nft_trans_phase phase) 364 { 365 struct nft_expr *expr; 366 367 expr = nft_expr_first(rule); 368 while (nft_expr_more(rule, expr)) { 369 if (expr->ops->deactivate) 370 expr->ops->deactivate(ctx, expr, phase); 371 372 expr = nft_expr_next(expr); 373 } 374 } 375 376 static int 377 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 378 { 379 /* You cannot delete the same rule twice */ 380 if (nft_is_active_next(ctx->net, rule)) { 381 nft_deactivate_next(ctx->net, rule); 382 ctx->chain->use--; 383 return 0; 384 } 385 return -ENOENT; 386 } 387 388 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 389 struct nft_rule *rule) 390 { 391 struct nft_trans *trans; 392 393 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 394 if (trans == NULL) 395 return NULL; 396 397 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 398 nft_trans_rule_id(trans) = 399 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 400 } 401 nft_trans_rule(trans) = rule; 402 nft_trans_commit_list_add_tail(ctx->net, trans); 403 404 return trans; 405 } 406 407 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 408 { 409 struct nft_flow_rule *flow; 410 struct nft_trans *trans; 411 int err; 412 413 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 414 if (trans == NULL) 415 return -ENOMEM; 416 417 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 418 flow = nft_flow_rule_create(ctx->net, rule); 419 if (IS_ERR(flow)) { 420 nft_trans_destroy(trans); 421 return PTR_ERR(flow); 422 } 423 424 nft_trans_flow_rule(trans) = flow; 425 } 426 427 err = nf_tables_delrule_deactivate(ctx, rule); 428 if (err < 0) { 429 nft_trans_destroy(trans); 430 return err; 431 } 432 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 433 434 return 0; 435 } 436 437 static int nft_delrule_by_chain(struct nft_ctx *ctx) 438 { 439 struct nft_rule *rule; 440 int err; 441 442 list_for_each_entry(rule, &ctx->chain->rules, list) { 443 if (!nft_is_active_next(ctx->net, rule)) 444 continue; 445 446 err = nft_delrule(ctx, rule); 447 if (err < 0) 448 return err; 449 } 450 return 0; 451 } 452 453 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 454 struct nft_set *set) 455 { 456 struct nft_trans *trans; 457 458 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 459 if (trans == NULL) 460 return -ENOMEM; 461 462 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) { 463 nft_trans_set_id(trans) = 464 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 465 nft_activate_next(ctx->net, set); 466 } 467 nft_trans_set(trans) = set; 468 nft_trans_commit_list_add_tail(ctx->net, trans); 469 470 return 0; 471 } 472 473 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 474 { 475 int err; 476 477 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 478 if (err < 0) 479 return err; 480 481 nft_deactivate_next(ctx->net, set); 482 ctx->table->use--; 483 484 return err; 485 } 486 487 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 488 struct nft_object *obj) 489 { 490 struct nft_trans *trans; 491 492 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 493 if (trans == NULL) 494 return -ENOMEM; 495 496 if (msg_type == NFT_MSG_NEWOBJ) 497 nft_activate_next(ctx->net, obj); 498 499 nft_trans_obj(trans) = obj; 500 nft_trans_commit_list_add_tail(ctx->net, trans); 501 502 return 0; 503 } 504 505 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 506 { 507 int err; 508 509 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 510 if (err < 0) 511 return err; 512 513 nft_deactivate_next(ctx->net, obj); 514 ctx->table->use--; 515 516 return err; 517 } 518 519 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 520 struct nft_flowtable *flowtable) 521 { 522 struct nft_trans *trans; 523 524 trans = nft_trans_alloc(ctx, msg_type, 525 sizeof(struct nft_trans_flowtable)); 526 if (trans == NULL) 527 return -ENOMEM; 528 529 if (msg_type == NFT_MSG_NEWFLOWTABLE) 530 nft_activate_next(ctx->net, flowtable); 531 532 nft_trans_flowtable(trans) = flowtable; 533 nft_trans_commit_list_add_tail(ctx->net, trans); 534 535 return 0; 536 } 537 538 static int nft_delflowtable(struct nft_ctx *ctx, 539 struct nft_flowtable *flowtable) 540 { 541 int err; 542 543 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 544 if (err < 0) 545 return err; 546 547 nft_deactivate_next(ctx->net, flowtable); 548 ctx->table->use--; 549 550 return err; 551 } 552 553 /* 554 * Tables 555 */ 556 557 static struct nft_table *nft_table_lookup(const struct net *net, 558 const struct nlattr *nla, 559 u8 family, u8 genmask, u32 nlpid) 560 { 561 struct nftables_pernet *nft_net; 562 struct nft_table *table; 563 564 if (nla == NULL) 565 return ERR_PTR(-EINVAL); 566 567 nft_net = nft_pernet(net); 568 list_for_each_entry_rcu(table, &nft_net->tables, list, 569 lockdep_is_held(&nft_net->commit_mutex)) { 570 if (!nla_strcmp(nla, table->name) && 571 table->family == family && 572 nft_active_genmask(table, genmask)) { 573 if (nft_table_has_owner(table) && 574 nlpid && table->nlpid != nlpid) 575 return ERR_PTR(-EPERM); 576 577 return table; 578 } 579 } 580 581 return ERR_PTR(-ENOENT); 582 } 583 584 static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 585 const struct nlattr *nla, 586 u8 genmask, u32 nlpid) 587 { 588 struct nftables_pernet *nft_net; 589 struct nft_table *table; 590 591 nft_net = nft_pernet(net); 592 list_for_each_entry(table, &nft_net->tables, list) { 593 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 594 nft_active_genmask(table, genmask)) { 595 if (nft_table_has_owner(table) && 596 nlpid && table->nlpid != nlpid) 597 return ERR_PTR(-EPERM); 598 599 return table; 600 } 601 } 602 603 return ERR_PTR(-ENOENT); 604 } 605 606 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 607 { 608 return ++table->hgenerator; 609 } 610 611 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 612 613 static const struct nft_chain_type * 614 __nft_chain_type_get(u8 family, enum nft_chain_types type) 615 { 616 if (family >= NFPROTO_NUMPROTO || 617 type >= NFT_CHAIN_T_MAX) 618 return NULL; 619 620 return chain_type[family][type]; 621 } 622 623 static const struct nft_chain_type * 624 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 625 { 626 const struct nft_chain_type *type; 627 int i; 628 629 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 630 type = __nft_chain_type_get(family, i); 631 if (!type) 632 continue; 633 if (!nla_strcmp(nla, type->name)) 634 return type; 635 } 636 return NULL; 637 } 638 639 struct nft_module_request { 640 struct list_head list; 641 char module[MODULE_NAME_LEN]; 642 bool done; 643 }; 644 645 #ifdef CONFIG_MODULES 646 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, 647 ...) 648 { 649 char module_name[MODULE_NAME_LEN]; 650 struct nftables_pernet *nft_net; 651 struct nft_module_request *req; 652 va_list args; 653 int ret; 654 655 va_start(args, fmt); 656 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 657 va_end(args); 658 if (ret >= MODULE_NAME_LEN) 659 return 0; 660 661 nft_net = nft_pernet(net); 662 list_for_each_entry(req, &nft_net->module_list, list) { 663 if (!strcmp(req->module, module_name)) { 664 if (req->done) 665 return 0; 666 667 /* A request to load this module already exists. */ 668 return -EAGAIN; 669 } 670 } 671 672 req = kmalloc(sizeof(*req), GFP_KERNEL); 673 if (!req) 674 return -ENOMEM; 675 676 req->done = false; 677 strlcpy(req->module, module_name, MODULE_NAME_LEN); 678 list_add_tail(&req->list, &nft_net->module_list); 679 680 return -EAGAIN; 681 } 682 EXPORT_SYMBOL_GPL(nft_request_module); 683 #endif 684 685 static void lockdep_nfnl_nft_mutex_not_held(void) 686 { 687 #ifdef CONFIG_PROVE_LOCKING 688 if (debug_locks) 689 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 690 #endif 691 } 692 693 static const struct nft_chain_type * 694 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 695 u8 family, bool autoload) 696 { 697 const struct nft_chain_type *type; 698 699 type = __nf_tables_chain_type_lookup(nla, family); 700 if (type != NULL) 701 return type; 702 703 lockdep_nfnl_nft_mutex_not_held(); 704 #ifdef CONFIG_MODULES 705 if (autoload) { 706 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 707 nla_len(nla), 708 (const char *)nla_data(nla)) == -EAGAIN) 709 return ERR_PTR(-EAGAIN); 710 } 711 #endif 712 return ERR_PTR(-ENOENT); 713 } 714 715 static __be16 nft_base_seq(const struct net *net) 716 { 717 struct nftables_pernet *nft_net = nft_pernet(net); 718 719 return htons(nft_net->base_seq & 0xffff); 720 } 721 722 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 723 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 724 .len = NFT_TABLE_MAXNAMELEN - 1 }, 725 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 726 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 727 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY, 728 .len = NFT_USERDATA_MAXLEN } 729 }; 730 731 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 732 u32 portid, u32 seq, int event, u32 flags, 733 int family, const struct nft_table *table) 734 { 735 struct nlmsghdr *nlh; 736 737 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 738 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 739 NFNETLINK_V0, nft_base_seq(net)); 740 if (!nlh) 741 goto nla_put_failure; 742 743 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 744 nla_put_be32(skb, NFTA_TABLE_FLAGS, 745 htonl(table->flags & NFT_TABLE_F_MASK)) || 746 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 747 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 748 NFTA_TABLE_PAD)) 749 goto nla_put_failure; 750 if (nft_table_has_owner(table) && 751 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid))) 752 goto nla_put_failure; 753 754 if (table->udata) { 755 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata)) 756 goto nla_put_failure; 757 } 758 759 nlmsg_end(skb, nlh); 760 return 0; 761 762 nla_put_failure: 763 nlmsg_trim(skb, nlh); 764 return -1; 765 } 766 767 struct nftnl_skb_parms { 768 bool report; 769 }; 770 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb)) 771 772 static void nft_notify_enqueue(struct sk_buff *skb, bool report, 773 struct list_head *notify_list) 774 { 775 NFT_CB(skb).report = report; 776 list_add_tail(&skb->list, notify_list); 777 } 778 779 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 780 { 781 struct nftables_pernet *nft_net; 782 struct sk_buff *skb; 783 u16 flags = 0; 784 int err; 785 786 if (!ctx->report && 787 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 788 return; 789 790 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 791 if (skb == NULL) 792 goto err; 793 794 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 795 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 796 797 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 798 event, flags, ctx->family, ctx->table); 799 if (err < 0) { 800 kfree_skb(skb); 801 goto err; 802 } 803 804 nft_net = nft_pernet(ctx->net); 805 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 806 return; 807 err: 808 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 809 } 810 811 static int nf_tables_dump_tables(struct sk_buff *skb, 812 struct netlink_callback *cb) 813 { 814 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 815 struct nftables_pernet *nft_net; 816 const struct nft_table *table; 817 unsigned int idx = 0, s_idx = cb->args[0]; 818 struct net *net = sock_net(skb->sk); 819 int family = nfmsg->nfgen_family; 820 821 rcu_read_lock(); 822 nft_net = nft_pernet(net); 823 cb->seq = nft_net->base_seq; 824 825 list_for_each_entry_rcu(table, &nft_net->tables, list) { 826 if (family != NFPROTO_UNSPEC && family != table->family) 827 continue; 828 829 if (idx < s_idx) 830 goto cont; 831 if (idx > s_idx) 832 memset(&cb->args[1], 0, 833 sizeof(cb->args) - sizeof(cb->args[0])); 834 if (!nft_is_active(net, table)) 835 continue; 836 if (nf_tables_fill_table_info(skb, net, 837 NETLINK_CB(cb->skb).portid, 838 cb->nlh->nlmsg_seq, 839 NFT_MSG_NEWTABLE, NLM_F_MULTI, 840 table->family, table) < 0) 841 goto done; 842 843 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 844 cont: 845 idx++; 846 } 847 done: 848 rcu_read_unlock(); 849 cb->args[0] = idx; 850 return skb->len; 851 } 852 853 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 854 const struct nlmsghdr *nlh, 855 struct netlink_dump_control *c) 856 { 857 int err; 858 859 if (!try_module_get(THIS_MODULE)) 860 return -EINVAL; 861 862 rcu_read_unlock(); 863 err = netlink_dump_start(nlsk, skb, nlh, c); 864 rcu_read_lock(); 865 module_put(THIS_MODULE); 866 867 return err; 868 } 869 870 /* called with rcu_read_lock held */ 871 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info, 872 const struct nlattr * const nla[]) 873 { 874 struct netlink_ext_ack *extack = info->extack; 875 u8 genmask = nft_genmask_cur(info->net); 876 u8 family = info->nfmsg->nfgen_family; 877 const struct nft_table *table; 878 struct net *net = info->net; 879 struct sk_buff *skb2; 880 int err; 881 882 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 883 struct netlink_dump_control c = { 884 .dump = nf_tables_dump_tables, 885 .module = THIS_MODULE, 886 }; 887 888 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 889 } 890 891 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0); 892 if (IS_ERR(table)) { 893 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 894 return PTR_ERR(table); 895 } 896 897 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 898 if (!skb2) 899 return -ENOMEM; 900 901 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 902 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 903 0, family, table); 904 if (err < 0) 905 goto err_fill_table_info; 906 907 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 908 909 err_fill_table_info: 910 kfree_skb(skb2); 911 return err; 912 } 913 914 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 915 { 916 struct nft_chain *chain; 917 u32 i = 0; 918 919 list_for_each_entry(chain, &table->chains, list) { 920 if (!nft_is_active_next(net, chain)) 921 continue; 922 if (!nft_is_base_chain(chain)) 923 continue; 924 925 if (cnt && i++ == cnt) 926 break; 927 928 nf_tables_unregister_hook(net, table, chain); 929 } 930 } 931 932 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 933 { 934 struct nft_chain *chain; 935 int err, i = 0; 936 937 list_for_each_entry(chain, &table->chains, list) { 938 if (!nft_is_active_next(net, chain)) 939 continue; 940 if (!nft_is_base_chain(chain)) 941 continue; 942 943 err = nf_tables_register_hook(net, table, chain); 944 if (err < 0) 945 goto err_register_hooks; 946 947 i++; 948 } 949 return 0; 950 951 err_register_hooks: 952 if (i) 953 nft_table_disable(net, table, i); 954 return err; 955 } 956 957 static void nf_tables_table_disable(struct net *net, struct nft_table *table) 958 { 959 table->flags &= ~NFT_TABLE_F_DORMANT; 960 nft_table_disable(net, table, 0); 961 table->flags |= NFT_TABLE_F_DORMANT; 962 } 963 964 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1) 965 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0) 966 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1) 967 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \ 968 __NFT_TABLE_F_WAS_AWAKEN) 969 970 static int nf_tables_updtable(struct nft_ctx *ctx) 971 { 972 struct nft_trans *trans; 973 u32 flags; 974 int ret; 975 976 if (!ctx->nla[NFTA_TABLE_FLAGS]) 977 return 0; 978 979 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 980 if (flags & ~NFT_TABLE_F_MASK) 981 return -EOPNOTSUPP; 982 983 if (flags == ctx->table->flags) 984 return 0; 985 986 if ((nft_table_has_owner(ctx->table) && 987 !(flags & NFT_TABLE_F_OWNER)) || 988 (!nft_table_has_owner(ctx->table) && 989 flags & NFT_TABLE_F_OWNER)) 990 return -EOPNOTSUPP; 991 992 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 993 sizeof(struct nft_trans_table)); 994 if (trans == NULL) 995 return -ENOMEM; 996 997 if ((flags & NFT_TABLE_F_DORMANT) && 998 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 999 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1000 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) 1001 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN; 1002 } else if (!(flags & NFT_TABLE_F_DORMANT) && 1003 ctx->table->flags & NFT_TABLE_F_DORMANT) { 1004 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 1005 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) { 1006 ret = nf_tables_table_enable(ctx->net, ctx->table); 1007 if (ret < 0) 1008 goto err_register_hooks; 1009 1010 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT; 1011 } 1012 } 1013 1014 nft_trans_table_update(trans) = true; 1015 nft_trans_commit_list_add_tail(ctx->net, trans); 1016 1017 return 0; 1018 1019 err_register_hooks: 1020 nft_trans_destroy(trans); 1021 return ret; 1022 } 1023 1024 static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 1025 { 1026 const char *name = data; 1027 1028 return jhash(name, strlen(name), seed); 1029 } 1030 1031 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 1032 { 1033 const struct nft_chain *chain = data; 1034 1035 return nft_chain_hash(chain->name, 0, seed); 1036 } 1037 1038 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 1039 const void *ptr) 1040 { 1041 const struct nft_chain *chain = ptr; 1042 const char *name = arg->key; 1043 1044 return strcmp(chain->name, name); 1045 } 1046 1047 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 1048 { 1049 const struct nft_object_hash_key *k = data; 1050 1051 seed ^= hash_ptr(k->table, 32); 1052 1053 return jhash(k->name, strlen(k->name), seed); 1054 } 1055 1056 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 1057 { 1058 const struct nft_object *obj = data; 1059 1060 return nft_objname_hash(&obj->key, 0, seed); 1061 } 1062 1063 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 1064 const void *ptr) 1065 { 1066 const struct nft_object_hash_key *k = arg->key; 1067 const struct nft_object *obj = ptr; 1068 1069 if (obj->key.table != k->table) 1070 return -1; 1071 1072 return strcmp(obj->key.name, k->name); 1073 } 1074 1075 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, 1076 const struct nlattr * const nla[]) 1077 { 1078 struct nftables_pernet *nft_net = nft_pernet(info->net); 1079 struct netlink_ext_ack *extack = info->extack; 1080 u8 genmask = nft_genmask_next(info->net); 1081 u8 family = info->nfmsg->nfgen_family; 1082 struct net *net = info->net; 1083 const struct nlattr *attr; 1084 struct nft_table *table; 1085 struct nft_ctx ctx; 1086 u32 flags = 0; 1087 int err; 1088 1089 lockdep_assert_held(&nft_net->commit_mutex); 1090 attr = nla[NFTA_TABLE_NAME]; 1091 table = nft_table_lookup(net, attr, family, genmask, 1092 NETLINK_CB(skb).portid); 1093 if (IS_ERR(table)) { 1094 if (PTR_ERR(table) != -ENOENT) 1095 return PTR_ERR(table); 1096 } else { 1097 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 1098 NL_SET_BAD_ATTR(extack, attr); 1099 return -EEXIST; 1100 } 1101 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 1102 return -EOPNOTSUPP; 1103 1104 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1105 1106 return nf_tables_updtable(&ctx); 1107 } 1108 1109 if (nla[NFTA_TABLE_FLAGS]) { 1110 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 1111 if (flags & ~NFT_TABLE_F_MASK) 1112 return -EOPNOTSUPP; 1113 } 1114 1115 err = -ENOMEM; 1116 table = kzalloc(sizeof(*table), GFP_KERNEL); 1117 if (table == NULL) 1118 goto err_kzalloc; 1119 1120 table->name = nla_strdup(attr, GFP_KERNEL); 1121 if (table->name == NULL) 1122 goto err_strdup; 1123 1124 if (nla[NFTA_TABLE_USERDATA]) { 1125 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL); 1126 if (table->udata == NULL) 1127 goto err_table_udata; 1128 1129 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]); 1130 } 1131 1132 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1133 if (err) 1134 goto err_chain_ht; 1135 1136 INIT_LIST_HEAD(&table->chains); 1137 INIT_LIST_HEAD(&table->sets); 1138 INIT_LIST_HEAD(&table->objects); 1139 INIT_LIST_HEAD(&table->flowtables); 1140 table->family = family; 1141 table->flags = flags; 1142 table->handle = ++table_handle; 1143 if (table->flags & NFT_TABLE_F_OWNER) 1144 table->nlpid = NETLINK_CB(skb).portid; 1145 1146 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1147 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1148 if (err < 0) 1149 goto err_trans; 1150 1151 list_add_tail_rcu(&table->list, &nft_net->tables); 1152 return 0; 1153 err_trans: 1154 rhltable_destroy(&table->chains_ht); 1155 err_chain_ht: 1156 kfree(table->udata); 1157 err_table_udata: 1158 kfree(table->name); 1159 err_strdup: 1160 kfree(table); 1161 err_kzalloc: 1162 return err; 1163 } 1164 1165 static int nft_flush_table(struct nft_ctx *ctx) 1166 { 1167 struct nft_flowtable *flowtable, *nft; 1168 struct nft_chain *chain, *nc; 1169 struct nft_object *obj, *ne; 1170 struct nft_set *set, *ns; 1171 int err; 1172 1173 list_for_each_entry(chain, &ctx->table->chains, list) { 1174 if (!nft_is_active_next(ctx->net, chain)) 1175 continue; 1176 1177 if (nft_chain_is_bound(chain)) 1178 continue; 1179 1180 ctx->chain = chain; 1181 1182 err = nft_delrule_by_chain(ctx); 1183 if (err < 0) 1184 goto out; 1185 } 1186 1187 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1188 if (!nft_is_active_next(ctx->net, set)) 1189 continue; 1190 1191 if (nft_set_is_anonymous(set) && 1192 !list_empty(&set->bindings)) 1193 continue; 1194 1195 err = nft_delset(ctx, set); 1196 if (err < 0) 1197 goto out; 1198 } 1199 1200 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1201 if (!nft_is_active_next(ctx->net, flowtable)) 1202 continue; 1203 1204 err = nft_delflowtable(ctx, flowtable); 1205 if (err < 0) 1206 goto out; 1207 } 1208 1209 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1210 if (!nft_is_active_next(ctx->net, obj)) 1211 continue; 1212 1213 err = nft_delobj(ctx, obj); 1214 if (err < 0) 1215 goto out; 1216 } 1217 1218 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1219 if (!nft_is_active_next(ctx->net, chain)) 1220 continue; 1221 1222 if (nft_chain_is_bound(chain)) 1223 continue; 1224 1225 ctx->chain = chain; 1226 1227 err = nft_delchain(ctx); 1228 if (err < 0) 1229 goto out; 1230 } 1231 1232 err = nft_deltable(ctx); 1233 out: 1234 return err; 1235 } 1236 1237 static int nft_flush(struct nft_ctx *ctx, int family) 1238 { 1239 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1240 const struct nlattr * const *nla = ctx->nla; 1241 struct nft_table *table, *nt; 1242 int err = 0; 1243 1244 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 1245 if (family != AF_UNSPEC && table->family != family) 1246 continue; 1247 1248 ctx->family = table->family; 1249 1250 if (!nft_is_active_next(ctx->net, table)) 1251 continue; 1252 1253 if (nft_table_has_owner(table) && table->nlpid != ctx->portid) 1254 continue; 1255 1256 if (nla[NFTA_TABLE_NAME] && 1257 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1258 continue; 1259 1260 ctx->table = table; 1261 1262 err = nft_flush_table(ctx); 1263 if (err < 0) 1264 goto out; 1265 } 1266 out: 1267 return err; 1268 } 1269 1270 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info, 1271 const struct nlattr * const nla[]) 1272 { 1273 struct netlink_ext_ack *extack = info->extack; 1274 u8 genmask = nft_genmask_next(info->net); 1275 u8 family = info->nfmsg->nfgen_family; 1276 struct net *net = info->net; 1277 const struct nlattr *attr; 1278 struct nft_table *table; 1279 struct nft_ctx ctx; 1280 1281 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla); 1282 if (family == AF_UNSPEC || 1283 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1284 return nft_flush(&ctx, family); 1285 1286 if (nla[NFTA_TABLE_HANDLE]) { 1287 attr = nla[NFTA_TABLE_HANDLE]; 1288 table = nft_table_lookup_byhandle(net, attr, genmask, 1289 NETLINK_CB(skb).portid); 1290 } else { 1291 attr = nla[NFTA_TABLE_NAME]; 1292 table = nft_table_lookup(net, attr, family, genmask, 1293 NETLINK_CB(skb).portid); 1294 } 1295 1296 if (IS_ERR(table)) { 1297 NL_SET_BAD_ATTR(extack, attr); 1298 return PTR_ERR(table); 1299 } 1300 1301 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 1302 table->use > 0) 1303 return -EBUSY; 1304 1305 ctx.family = family; 1306 ctx.table = table; 1307 1308 return nft_flush_table(&ctx); 1309 } 1310 1311 static void nf_tables_table_destroy(struct nft_ctx *ctx) 1312 { 1313 if (WARN_ON(ctx->table->use > 0)) 1314 return; 1315 1316 rhltable_destroy(&ctx->table->chains_ht); 1317 kfree(ctx->table->name); 1318 kfree(ctx->table->udata); 1319 kfree(ctx->table); 1320 } 1321 1322 void nft_register_chain_type(const struct nft_chain_type *ctype) 1323 { 1324 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1325 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1326 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1327 return; 1328 } 1329 chain_type[ctype->family][ctype->type] = ctype; 1330 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1331 } 1332 EXPORT_SYMBOL_GPL(nft_register_chain_type); 1333 1334 void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1335 { 1336 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1337 chain_type[ctype->family][ctype->type] = NULL; 1338 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1339 } 1340 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1341 1342 /* 1343 * Chains 1344 */ 1345 1346 static struct nft_chain * 1347 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1348 { 1349 struct nft_chain *chain; 1350 1351 list_for_each_entry(chain, &table->chains, list) { 1352 if (chain->handle == handle && 1353 nft_active_genmask(chain, genmask)) 1354 return chain; 1355 } 1356 1357 return ERR_PTR(-ENOENT); 1358 } 1359 1360 static bool lockdep_commit_lock_is_held(const struct net *net) 1361 { 1362 #ifdef CONFIG_PROVE_LOCKING 1363 struct nftables_pernet *nft_net = nft_pernet(net); 1364 1365 return lockdep_is_held(&nft_net->commit_mutex); 1366 #else 1367 return true; 1368 #endif 1369 } 1370 1371 static struct nft_chain *nft_chain_lookup(struct net *net, 1372 struct nft_table *table, 1373 const struct nlattr *nla, u8 genmask) 1374 { 1375 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1376 struct rhlist_head *tmp, *list; 1377 struct nft_chain *chain; 1378 1379 if (nla == NULL) 1380 return ERR_PTR(-EINVAL); 1381 1382 nla_strscpy(search, nla, sizeof(search)); 1383 1384 WARN_ON(!rcu_read_lock_held() && 1385 !lockdep_commit_lock_is_held(net)); 1386 1387 chain = ERR_PTR(-ENOENT); 1388 rcu_read_lock(); 1389 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1390 if (!list) 1391 goto out_unlock; 1392 1393 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1394 if (nft_active_genmask(chain, genmask)) 1395 goto out_unlock; 1396 } 1397 chain = ERR_PTR(-ENOENT); 1398 out_unlock: 1399 rcu_read_unlock(); 1400 return chain; 1401 } 1402 1403 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1404 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1405 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1406 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1407 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1408 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1409 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1410 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1411 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1412 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1413 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1414 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1415 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1416 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY, 1417 .len = NFT_USERDATA_MAXLEN }, 1418 }; 1419 1420 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1421 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1422 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1423 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1424 .len = IFNAMSIZ - 1 }, 1425 }; 1426 1427 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1428 { 1429 struct nft_stats *cpu_stats, total; 1430 struct nlattr *nest; 1431 unsigned int seq; 1432 u64 pkts, bytes; 1433 int cpu; 1434 1435 if (!stats) 1436 return 0; 1437 1438 memset(&total, 0, sizeof(total)); 1439 for_each_possible_cpu(cpu) { 1440 cpu_stats = per_cpu_ptr(stats, cpu); 1441 do { 1442 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp); 1443 pkts = cpu_stats->pkts; 1444 bytes = cpu_stats->bytes; 1445 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq)); 1446 total.pkts += pkts; 1447 total.bytes += bytes; 1448 } 1449 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1450 if (nest == NULL) 1451 goto nla_put_failure; 1452 1453 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1454 NFTA_COUNTER_PAD) || 1455 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1456 NFTA_COUNTER_PAD)) 1457 goto nla_put_failure; 1458 1459 nla_nest_end(skb, nest); 1460 return 0; 1461 1462 nla_put_failure: 1463 return -ENOSPC; 1464 } 1465 1466 static int nft_dump_basechain_hook(struct sk_buff *skb, int family, 1467 const struct nft_base_chain *basechain) 1468 { 1469 const struct nf_hook_ops *ops = &basechain->ops; 1470 struct nft_hook *hook, *first = NULL; 1471 struct nlattr *nest, *nest_devs; 1472 int n = 0; 1473 1474 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1475 if (nest == NULL) 1476 goto nla_put_failure; 1477 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1478 goto nla_put_failure; 1479 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1480 goto nla_put_failure; 1481 1482 if (nft_base_chain_netdev(family, ops->hooknum)) { 1483 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1484 list_for_each_entry(hook, &basechain->hook_list, list) { 1485 if (!first) 1486 first = hook; 1487 1488 if (nla_put_string(skb, NFTA_DEVICE_NAME, 1489 hook->ops.dev->name)) 1490 goto nla_put_failure; 1491 n++; 1492 } 1493 nla_nest_end(skb, nest_devs); 1494 1495 if (n == 1 && 1496 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) 1497 goto nla_put_failure; 1498 } 1499 nla_nest_end(skb, nest); 1500 1501 return 0; 1502 nla_put_failure: 1503 return -1; 1504 } 1505 1506 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 1507 u32 portid, u32 seq, int event, u32 flags, 1508 int family, const struct nft_table *table, 1509 const struct nft_chain *chain) 1510 { 1511 struct nlmsghdr *nlh; 1512 1513 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1514 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 1515 NFNETLINK_V0, nft_base_seq(net)); 1516 if (!nlh) 1517 goto nla_put_failure; 1518 1519 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) 1520 goto nla_put_failure; 1521 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 1522 NFTA_CHAIN_PAD)) 1523 goto nla_put_failure; 1524 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name)) 1525 goto nla_put_failure; 1526 1527 if (nft_is_base_chain(chain)) { 1528 const struct nft_base_chain *basechain = nft_base_chain(chain); 1529 struct nft_stats __percpu *stats; 1530 1531 if (nft_dump_basechain_hook(skb, family, basechain)) 1532 goto nla_put_failure; 1533 1534 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1535 htonl(basechain->policy))) 1536 goto nla_put_failure; 1537 1538 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1539 goto nla_put_failure; 1540 1541 stats = rcu_dereference_check(basechain->stats, 1542 lockdep_commit_lock_is_held(net)); 1543 if (nft_dump_stats(skb, stats)) 1544 goto nla_put_failure; 1545 } 1546 1547 if (chain->flags && 1548 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags))) 1549 goto nla_put_failure; 1550 1551 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1552 goto nla_put_failure; 1553 1554 if (chain->udata && 1555 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata)) 1556 goto nla_put_failure; 1557 1558 nlmsg_end(skb, nlh); 1559 return 0; 1560 1561 nla_put_failure: 1562 nlmsg_trim(skb, nlh); 1563 return -1; 1564 } 1565 1566 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event) 1567 { 1568 struct nftables_pernet *nft_net; 1569 struct sk_buff *skb; 1570 u16 flags = 0; 1571 int err; 1572 1573 if (!ctx->report && 1574 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1575 return; 1576 1577 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1578 if (skb == NULL) 1579 goto err; 1580 1581 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 1582 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 1583 1584 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1585 event, flags, ctx->family, ctx->table, 1586 ctx->chain); 1587 if (err < 0) { 1588 kfree_skb(skb); 1589 goto err; 1590 } 1591 1592 nft_net = nft_pernet(ctx->net); 1593 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1594 return; 1595 err: 1596 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1597 } 1598 1599 static int nf_tables_dump_chains(struct sk_buff *skb, 1600 struct netlink_callback *cb) 1601 { 1602 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1603 unsigned int idx = 0, s_idx = cb->args[0]; 1604 struct net *net = sock_net(skb->sk); 1605 int family = nfmsg->nfgen_family; 1606 struct nftables_pernet *nft_net; 1607 const struct nft_table *table; 1608 const struct nft_chain *chain; 1609 1610 rcu_read_lock(); 1611 nft_net = nft_pernet(net); 1612 cb->seq = nft_net->base_seq; 1613 1614 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1615 if (family != NFPROTO_UNSPEC && family != table->family) 1616 continue; 1617 1618 list_for_each_entry_rcu(chain, &table->chains, list) { 1619 if (idx < s_idx) 1620 goto cont; 1621 if (idx > s_idx) 1622 memset(&cb->args[1], 0, 1623 sizeof(cb->args) - sizeof(cb->args[0])); 1624 if (!nft_is_active(net, chain)) 1625 continue; 1626 if (nf_tables_fill_chain_info(skb, net, 1627 NETLINK_CB(cb->skb).portid, 1628 cb->nlh->nlmsg_seq, 1629 NFT_MSG_NEWCHAIN, 1630 NLM_F_MULTI, 1631 table->family, table, 1632 chain) < 0) 1633 goto done; 1634 1635 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1636 cont: 1637 idx++; 1638 } 1639 } 1640 done: 1641 rcu_read_unlock(); 1642 cb->args[0] = idx; 1643 return skb->len; 1644 } 1645 1646 /* called with rcu_read_lock held */ 1647 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info, 1648 const struct nlattr * const nla[]) 1649 { 1650 struct netlink_ext_ack *extack = info->extack; 1651 u8 genmask = nft_genmask_cur(info->net); 1652 u8 family = info->nfmsg->nfgen_family; 1653 const struct nft_chain *chain; 1654 struct net *net = info->net; 1655 struct nft_table *table; 1656 struct sk_buff *skb2; 1657 int err; 1658 1659 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1660 struct netlink_dump_control c = { 1661 .dump = nf_tables_dump_chains, 1662 .module = THIS_MODULE, 1663 }; 1664 1665 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 1666 } 1667 1668 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0); 1669 if (IS_ERR(table)) { 1670 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 1671 return PTR_ERR(table); 1672 } 1673 1674 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 1675 if (IS_ERR(chain)) { 1676 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 1677 return PTR_ERR(chain); 1678 } 1679 1680 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1681 if (!skb2) 1682 return -ENOMEM; 1683 1684 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 1685 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 1686 0, family, table, chain); 1687 if (err < 0) 1688 goto err_fill_chain_info; 1689 1690 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1691 1692 err_fill_chain_info: 1693 kfree_skb(skb2); 1694 return err; 1695 } 1696 1697 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 1698 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 1699 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 1700 }; 1701 1702 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 1703 { 1704 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 1705 struct nft_stats __percpu *newstats; 1706 struct nft_stats *stats; 1707 int err; 1708 1709 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 1710 nft_counter_policy, NULL); 1711 if (err < 0) 1712 return ERR_PTR(err); 1713 1714 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 1715 return ERR_PTR(-EINVAL); 1716 1717 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 1718 if (newstats == NULL) 1719 return ERR_PTR(-ENOMEM); 1720 1721 /* Restore old counters on this cpu, no problem. Per-cpu statistics 1722 * are not exposed to userspace. 1723 */ 1724 preempt_disable(); 1725 stats = this_cpu_ptr(newstats); 1726 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 1727 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 1728 preempt_enable(); 1729 1730 return newstats; 1731 } 1732 1733 static void nft_chain_stats_replace(struct nft_trans *trans) 1734 { 1735 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain); 1736 1737 if (!nft_trans_chain_stats(trans)) 1738 return; 1739 1740 nft_trans_chain_stats(trans) = 1741 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans), 1742 lockdep_commit_lock_is_held(trans->ctx.net)); 1743 1744 if (!nft_trans_chain_stats(trans)) 1745 static_branch_inc(&nft_counters_enabled); 1746 } 1747 1748 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 1749 { 1750 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0); 1751 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1); 1752 1753 if (g0 != g1) 1754 kvfree(g1); 1755 kvfree(g0); 1756 1757 /* should be NULL either via abort or via successful commit */ 1758 WARN_ON_ONCE(chain->blob_next); 1759 kvfree(chain->blob_next); 1760 } 1761 1762 void nf_tables_chain_destroy(struct nft_ctx *ctx) 1763 { 1764 struct nft_chain *chain = ctx->chain; 1765 struct nft_hook *hook, *next; 1766 1767 if (WARN_ON(chain->use > 0)) 1768 return; 1769 1770 /* no concurrent access possible anymore */ 1771 nf_tables_chain_free_chain_rules(chain); 1772 1773 if (nft_is_base_chain(chain)) { 1774 struct nft_base_chain *basechain = nft_base_chain(chain); 1775 1776 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) { 1777 list_for_each_entry_safe(hook, next, 1778 &basechain->hook_list, list) { 1779 list_del_rcu(&hook->list); 1780 kfree_rcu(hook, rcu); 1781 } 1782 } 1783 module_put(basechain->type->owner); 1784 if (rcu_access_pointer(basechain->stats)) { 1785 static_branch_dec(&nft_counters_enabled); 1786 free_percpu(rcu_dereference_raw(basechain->stats)); 1787 } 1788 kfree(chain->name); 1789 kfree(chain->udata); 1790 kfree(basechain); 1791 } else { 1792 kfree(chain->name); 1793 kfree(chain->udata); 1794 kfree(chain); 1795 } 1796 } 1797 1798 static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 1799 const struct nlattr *attr) 1800 { 1801 struct net_device *dev; 1802 char ifname[IFNAMSIZ]; 1803 struct nft_hook *hook; 1804 int err; 1805 1806 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL); 1807 if (!hook) { 1808 err = -ENOMEM; 1809 goto err_hook_alloc; 1810 } 1811 1812 nla_strscpy(ifname, attr, IFNAMSIZ); 1813 /* nf_tables_netdev_event() is called under rtnl_mutex, this is 1814 * indirectly serializing all the other holders of the commit_mutex with 1815 * the rtnl_mutex. 1816 */ 1817 dev = __dev_get_by_name(net, ifname); 1818 if (!dev) { 1819 err = -ENOENT; 1820 goto err_hook_dev; 1821 } 1822 hook->ops.dev = dev; 1823 hook->inactive = false; 1824 1825 return hook; 1826 1827 err_hook_dev: 1828 kfree(hook); 1829 err_hook_alloc: 1830 return ERR_PTR(err); 1831 } 1832 1833 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, 1834 const struct nft_hook *this) 1835 { 1836 struct nft_hook *hook; 1837 1838 list_for_each_entry(hook, hook_list, list) { 1839 if (this->ops.dev == hook->ops.dev) 1840 return hook; 1841 } 1842 1843 return NULL; 1844 } 1845 1846 static int nf_tables_parse_netdev_hooks(struct net *net, 1847 const struct nlattr *attr, 1848 struct list_head *hook_list) 1849 { 1850 struct nft_hook *hook, *next; 1851 const struct nlattr *tmp; 1852 int rem, n = 0, err; 1853 1854 nla_for_each_nested(tmp, attr, rem) { 1855 if (nla_type(tmp) != NFTA_DEVICE_NAME) { 1856 err = -EINVAL; 1857 goto err_hook; 1858 } 1859 1860 hook = nft_netdev_hook_alloc(net, tmp); 1861 if (IS_ERR(hook)) { 1862 err = PTR_ERR(hook); 1863 goto err_hook; 1864 } 1865 if (nft_hook_list_find(hook_list, hook)) { 1866 kfree(hook); 1867 err = -EEXIST; 1868 goto err_hook; 1869 } 1870 list_add_tail(&hook->list, hook_list); 1871 n++; 1872 1873 if (n == NFT_NETDEVICE_MAX) { 1874 err = -EFBIG; 1875 goto err_hook; 1876 } 1877 } 1878 1879 return 0; 1880 1881 err_hook: 1882 list_for_each_entry_safe(hook, next, hook_list, list) { 1883 list_del(&hook->list); 1884 kfree(hook); 1885 } 1886 return err; 1887 } 1888 1889 struct nft_chain_hook { 1890 u32 num; 1891 s32 priority; 1892 const struct nft_chain_type *type; 1893 struct list_head list; 1894 }; 1895 1896 static int nft_chain_parse_netdev(struct net *net, 1897 struct nlattr *tb[], 1898 struct list_head *hook_list) 1899 { 1900 struct nft_hook *hook; 1901 int err; 1902 1903 if (tb[NFTA_HOOK_DEV]) { 1904 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); 1905 if (IS_ERR(hook)) 1906 return PTR_ERR(hook); 1907 1908 list_add_tail(&hook->list, hook_list); 1909 } else if (tb[NFTA_HOOK_DEVS]) { 1910 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 1911 hook_list); 1912 if (err < 0) 1913 return err; 1914 1915 if (list_empty(hook_list)) 1916 return -EINVAL; 1917 } else { 1918 return -EINVAL; 1919 } 1920 1921 return 0; 1922 } 1923 1924 static int nft_chain_parse_hook(struct net *net, 1925 const struct nlattr * const nla[], 1926 struct nft_chain_hook *hook, u8 family, 1927 struct netlink_ext_ack *extack, bool autoload) 1928 { 1929 struct nftables_pernet *nft_net = nft_pernet(net); 1930 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 1931 const struct nft_chain_type *type; 1932 int err; 1933 1934 lockdep_assert_held(&nft_net->commit_mutex); 1935 lockdep_nfnl_nft_mutex_not_held(); 1936 1937 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 1938 nla[NFTA_CHAIN_HOOK], 1939 nft_hook_policy, NULL); 1940 if (err < 0) 1941 return err; 1942 1943 if (ha[NFTA_HOOK_HOOKNUM] == NULL || 1944 ha[NFTA_HOOK_PRIORITY] == NULL) 1945 return -EINVAL; 1946 1947 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 1948 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 1949 1950 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 1951 if (!type) 1952 return -EOPNOTSUPP; 1953 1954 if (nla[NFTA_CHAIN_TYPE]) { 1955 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 1956 family, autoload); 1957 if (IS_ERR(type)) { 1958 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 1959 return PTR_ERR(type); 1960 } 1961 } 1962 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 1963 return -EOPNOTSUPP; 1964 1965 if (type->type == NFT_CHAIN_T_NAT && 1966 hook->priority <= NF_IP_PRI_CONNTRACK) 1967 return -EOPNOTSUPP; 1968 1969 if (!try_module_get(type->owner)) { 1970 if (nla[NFTA_CHAIN_TYPE]) 1971 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 1972 return -ENOENT; 1973 } 1974 1975 hook->type = type; 1976 1977 INIT_LIST_HEAD(&hook->list); 1978 if (nft_base_chain_netdev(family, hook->num)) { 1979 err = nft_chain_parse_netdev(net, ha, &hook->list); 1980 if (err < 0) { 1981 module_put(type->owner); 1982 return err; 1983 } 1984 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 1985 module_put(type->owner); 1986 return -EOPNOTSUPP; 1987 } 1988 1989 return 0; 1990 } 1991 1992 static void nft_chain_release_hook(struct nft_chain_hook *hook) 1993 { 1994 struct nft_hook *h, *next; 1995 1996 list_for_each_entry_safe(h, next, &hook->list, list) { 1997 list_del(&h->list); 1998 kfree(h); 1999 } 2000 module_put(hook->type->owner); 2001 } 2002 2003 struct nft_rules_old { 2004 struct rcu_head h; 2005 struct nft_rule_blob *blob; 2006 }; 2007 2008 static void nft_last_rule(struct nft_rule_blob *blob, const void *ptr) 2009 { 2010 struct nft_rule_dp *prule; 2011 2012 prule = (struct nft_rule_dp *)ptr; 2013 prule->is_last = 1; 2014 ptr += offsetof(struct nft_rule_dp, data); 2015 /* blob size does not include the trailer rule */ 2016 } 2017 2018 static struct nft_rule_blob *nf_tables_chain_alloc_rules(unsigned int size) 2019 { 2020 struct nft_rule_blob *blob; 2021 2022 /* size must include room for the last rule */ 2023 if (size < offsetof(struct nft_rule_dp, data)) 2024 return NULL; 2025 2026 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rules_old); 2027 if (size > INT_MAX) 2028 return NULL; 2029 2030 blob = kvmalloc(size, GFP_KERNEL); 2031 if (!blob) 2032 return NULL; 2033 2034 blob->size = 0; 2035 nft_last_rule(blob, blob->data); 2036 2037 return blob; 2038 } 2039 2040 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 2041 const struct nft_chain_hook *hook, 2042 struct nft_chain *chain) 2043 { 2044 ops->pf = family; 2045 ops->hooknum = hook->num; 2046 ops->priority = hook->priority; 2047 ops->priv = chain; 2048 ops->hook = hook->type->hooks[ops->hooknum]; 2049 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES; 2050 } 2051 2052 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 2053 struct nft_chain_hook *hook, u32 flags) 2054 { 2055 struct nft_chain *chain; 2056 struct nft_hook *h; 2057 2058 basechain->type = hook->type; 2059 INIT_LIST_HEAD(&basechain->hook_list); 2060 chain = &basechain->chain; 2061 2062 if (nft_base_chain_netdev(family, hook->num)) { 2063 list_splice_init(&hook->list, &basechain->hook_list); 2064 list_for_each_entry(h, &basechain->hook_list, list) 2065 nft_basechain_hook_init(&h->ops, family, hook, chain); 2066 2067 basechain->ops.hooknum = hook->num; 2068 basechain->ops.priority = hook->priority; 2069 } else { 2070 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 2071 } 2072 2073 chain->flags |= NFT_CHAIN_BASE | flags; 2074 basechain->policy = NF_ACCEPT; 2075 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 2076 nft_chain_offload_priority(basechain) < 0) 2077 return -EOPNOTSUPP; 2078 2079 flow_block_init(&basechain->flow_block); 2080 2081 return 0; 2082 } 2083 2084 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 2085 { 2086 int err; 2087 2088 err = rhltable_insert_key(&table->chains_ht, chain->name, 2089 &chain->rhlhead, nft_chain_ht_params); 2090 if (err) 2091 return err; 2092 2093 list_add_tail_rcu(&chain->list, &table->chains); 2094 2095 return 0; 2096 } 2097 2098 static u64 chain_id; 2099 2100 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 2101 u8 policy, u32 flags, 2102 struct netlink_ext_ack *extack) 2103 { 2104 const struct nlattr * const *nla = ctx->nla; 2105 struct nft_table *table = ctx->table; 2106 struct nft_base_chain *basechain; 2107 struct nft_stats __percpu *stats; 2108 struct net *net = ctx->net; 2109 char name[NFT_NAME_MAXLEN]; 2110 struct nft_rule_blob *blob; 2111 struct nft_trans *trans; 2112 struct nft_chain *chain; 2113 unsigned int data_size; 2114 int err; 2115 2116 if (table->use == UINT_MAX) 2117 return -EOVERFLOW; 2118 2119 if (nla[NFTA_CHAIN_HOOK]) { 2120 struct nft_chain_hook hook; 2121 2122 if (flags & NFT_CHAIN_BINDING) 2123 return -EOPNOTSUPP; 2124 2125 err = nft_chain_parse_hook(net, nla, &hook, family, extack, 2126 true); 2127 if (err < 0) 2128 return err; 2129 2130 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL); 2131 if (basechain == NULL) { 2132 nft_chain_release_hook(&hook); 2133 return -ENOMEM; 2134 } 2135 chain = &basechain->chain; 2136 2137 if (nla[NFTA_CHAIN_COUNTERS]) { 2138 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2139 if (IS_ERR(stats)) { 2140 nft_chain_release_hook(&hook); 2141 kfree(basechain); 2142 return PTR_ERR(stats); 2143 } 2144 rcu_assign_pointer(basechain->stats, stats); 2145 static_branch_inc(&nft_counters_enabled); 2146 } 2147 2148 err = nft_basechain_init(basechain, family, &hook, flags); 2149 if (err < 0) { 2150 nft_chain_release_hook(&hook); 2151 kfree(basechain); 2152 return err; 2153 } 2154 } else { 2155 if (flags & NFT_CHAIN_BASE) 2156 return -EINVAL; 2157 if (flags & NFT_CHAIN_HW_OFFLOAD) 2158 return -EOPNOTSUPP; 2159 2160 chain = kzalloc(sizeof(*chain), GFP_KERNEL); 2161 if (chain == NULL) 2162 return -ENOMEM; 2163 2164 chain->flags = flags; 2165 } 2166 ctx->chain = chain; 2167 2168 INIT_LIST_HEAD(&chain->rules); 2169 chain->handle = nf_tables_alloc_handle(table); 2170 chain->table = table; 2171 2172 if (nla[NFTA_CHAIN_NAME]) { 2173 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 2174 } else { 2175 if (!(flags & NFT_CHAIN_BINDING)) { 2176 err = -EINVAL; 2177 goto err_destroy_chain; 2178 } 2179 2180 snprintf(name, sizeof(name), "__chain%llu", ++chain_id); 2181 chain->name = kstrdup(name, GFP_KERNEL); 2182 } 2183 2184 if (!chain->name) { 2185 err = -ENOMEM; 2186 goto err_destroy_chain; 2187 } 2188 2189 if (nla[NFTA_CHAIN_USERDATA]) { 2190 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL); 2191 if (chain->udata == NULL) { 2192 err = -ENOMEM; 2193 goto err_destroy_chain; 2194 } 2195 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]); 2196 } 2197 2198 data_size = offsetof(struct nft_rule_dp, data); /* last rule */ 2199 blob = nf_tables_chain_alloc_rules(data_size); 2200 if (!blob) { 2201 err = -ENOMEM; 2202 goto err_destroy_chain; 2203 } 2204 2205 RCU_INIT_POINTER(chain->blob_gen_0, blob); 2206 RCU_INIT_POINTER(chain->blob_gen_1, blob); 2207 2208 err = nf_tables_register_hook(net, table, chain); 2209 if (err < 0) 2210 goto err_destroy_chain; 2211 2212 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 2213 if (IS_ERR(trans)) { 2214 err = PTR_ERR(trans); 2215 goto err_unregister_hook; 2216 } 2217 2218 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 2219 if (nft_is_base_chain(chain)) 2220 nft_trans_chain_policy(trans) = policy; 2221 2222 err = nft_chain_add(table, chain); 2223 if (err < 0) { 2224 nft_trans_destroy(trans); 2225 goto err_unregister_hook; 2226 } 2227 2228 table->use++; 2229 2230 return 0; 2231 err_unregister_hook: 2232 nf_tables_unregister_hook(net, table, chain); 2233 err_destroy_chain: 2234 nf_tables_chain_destroy(ctx); 2235 2236 return err; 2237 } 2238 2239 static bool nft_hook_list_equal(struct list_head *hook_list1, 2240 struct list_head *hook_list2) 2241 { 2242 struct nft_hook *hook; 2243 int n = 0, m = 0; 2244 2245 n = 0; 2246 list_for_each_entry(hook, hook_list2, list) { 2247 if (!nft_hook_list_find(hook_list1, hook)) 2248 return false; 2249 2250 n++; 2251 } 2252 list_for_each_entry(hook, hook_list1, list) 2253 m++; 2254 2255 return n == m; 2256 } 2257 2258 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2259 u32 flags, const struct nlattr *attr, 2260 struct netlink_ext_ack *extack) 2261 { 2262 const struct nlattr * const *nla = ctx->nla; 2263 struct nft_table *table = ctx->table; 2264 struct nft_chain *chain = ctx->chain; 2265 struct nft_base_chain *basechain; 2266 struct nft_stats *stats = NULL; 2267 struct nft_chain_hook hook; 2268 struct nf_hook_ops *ops; 2269 struct nft_trans *trans; 2270 int err; 2271 2272 if (chain->flags ^ flags) 2273 return -EOPNOTSUPP; 2274 2275 if (nla[NFTA_CHAIN_HOOK]) { 2276 if (!nft_is_base_chain(chain)) { 2277 NL_SET_BAD_ATTR(extack, attr); 2278 return -EEXIST; 2279 } 2280 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, 2281 extack, false); 2282 if (err < 0) 2283 return err; 2284 2285 basechain = nft_base_chain(chain); 2286 if (basechain->type != hook.type) { 2287 nft_chain_release_hook(&hook); 2288 NL_SET_BAD_ATTR(extack, attr); 2289 return -EEXIST; 2290 } 2291 2292 if (nft_base_chain_netdev(ctx->family, hook.num)) { 2293 if (!nft_hook_list_equal(&basechain->hook_list, 2294 &hook.list)) { 2295 nft_chain_release_hook(&hook); 2296 NL_SET_BAD_ATTR(extack, attr); 2297 return -EEXIST; 2298 } 2299 } else { 2300 ops = &basechain->ops; 2301 if (ops->hooknum != hook.num || 2302 ops->priority != hook.priority) { 2303 nft_chain_release_hook(&hook); 2304 NL_SET_BAD_ATTR(extack, attr); 2305 return -EEXIST; 2306 } 2307 } 2308 nft_chain_release_hook(&hook); 2309 } 2310 2311 if (nla[NFTA_CHAIN_HANDLE] && 2312 nla[NFTA_CHAIN_NAME]) { 2313 struct nft_chain *chain2; 2314 2315 chain2 = nft_chain_lookup(ctx->net, table, 2316 nla[NFTA_CHAIN_NAME], genmask); 2317 if (!IS_ERR(chain2)) { 2318 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2319 return -EEXIST; 2320 } 2321 } 2322 2323 if (nla[NFTA_CHAIN_COUNTERS]) { 2324 if (!nft_is_base_chain(chain)) 2325 return -EOPNOTSUPP; 2326 2327 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2328 if (IS_ERR(stats)) 2329 return PTR_ERR(stats); 2330 } 2331 2332 err = -ENOMEM; 2333 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, 2334 sizeof(struct nft_trans_chain)); 2335 if (trans == NULL) 2336 goto err; 2337 2338 nft_trans_chain_stats(trans) = stats; 2339 nft_trans_chain_update(trans) = true; 2340 2341 if (nla[NFTA_CHAIN_POLICY]) 2342 nft_trans_chain_policy(trans) = policy; 2343 else 2344 nft_trans_chain_policy(trans) = -1; 2345 2346 if (nla[NFTA_CHAIN_HANDLE] && 2347 nla[NFTA_CHAIN_NAME]) { 2348 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 2349 struct nft_trans *tmp; 2350 char *name; 2351 2352 err = -ENOMEM; 2353 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 2354 if (!name) 2355 goto err; 2356 2357 err = -EEXIST; 2358 list_for_each_entry(tmp, &nft_net->commit_list, list) { 2359 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2360 tmp->ctx.table == table && 2361 nft_trans_chain_update(tmp) && 2362 nft_trans_chain_name(tmp) && 2363 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2364 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2365 kfree(name); 2366 goto err; 2367 } 2368 } 2369 2370 nft_trans_chain_name(trans) = name; 2371 } 2372 nft_trans_commit_list_add_tail(ctx->net, trans); 2373 2374 return 0; 2375 err: 2376 free_percpu(stats); 2377 kfree(trans); 2378 return err; 2379 } 2380 2381 static struct nft_chain *nft_chain_lookup_byid(const struct net *net, 2382 const struct nlattr *nla) 2383 { 2384 struct nftables_pernet *nft_net = nft_pernet(net); 2385 u32 id = ntohl(nla_get_be32(nla)); 2386 struct nft_trans *trans; 2387 2388 list_for_each_entry(trans, &nft_net->commit_list, list) { 2389 struct nft_chain *chain = trans->ctx.chain; 2390 2391 if (trans->msg_type == NFT_MSG_NEWCHAIN && 2392 id == nft_trans_chain_id(trans)) 2393 return chain; 2394 } 2395 return ERR_PTR(-ENOENT); 2396 } 2397 2398 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info, 2399 const struct nlattr * const nla[]) 2400 { 2401 struct nftables_pernet *nft_net = nft_pernet(info->net); 2402 struct netlink_ext_ack *extack = info->extack; 2403 u8 genmask = nft_genmask_next(info->net); 2404 u8 family = info->nfmsg->nfgen_family; 2405 struct nft_chain *chain = NULL; 2406 struct net *net = info->net; 2407 const struct nlattr *attr; 2408 struct nft_table *table; 2409 u8 policy = NF_ACCEPT; 2410 struct nft_ctx ctx; 2411 u64 handle = 0; 2412 u32 flags = 0; 2413 2414 lockdep_assert_held(&nft_net->commit_mutex); 2415 2416 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2417 NETLINK_CB(skb).portid); 2418 if (IS_ERR(table)) { 2419 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2420 return PTR_ERR(table); 2421 } 2422 2423 chain = NULL; 2424 attr = nla[NFTA_CHAIN_NAME]; 2425 2426 if (nla[NFTA_CHAIN_HANDLE]) { 2427 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 2428 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2429 if (IS_ERR(chain)) { 2430 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 2431 return PTR_ERR(chain); 2432 } 2433 attr = nla[NFTA_CHAIN_HANDLE]; 2434 } else if (nla[NFTA_CHAIN_NAME]) { 2435 chain = nft_chain_lookup(net, table, attr, genmask); 2436 if (IS_ERR(chain)) { 2437 if (PTR_ERR(chain) != -ENOENT) { 2438 NL_SET_BAD_ATTR(extack, attr); 2439 return PTR_ERR(chain); 2440 } 2441 chain = NULL; 2442 } 2443 } else if (!nla[NFTA_CHAIN_ID]) { 2444 return -EINVAL; 2445 } 2446 2447 if (nla[NFTA_CHAIN_POLICY]) { 2448 if (chain != NULL && 2449 !nft_is_base_chain(chain)) { 2450 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2451 return -EOPNOTSUPP; 2452 } 2453 2454 if (chain == NULL && 2455 nla[NFTA_CHAIN_HOOK] == NULL) { 2456 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2457 return -EOPNOTSUPP; 2458 } 2459 2460 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 2461 switch (policy) { 2462 case NF_DROP: 2463 case NF_ACCEPT: 2464 break; 2465 default: 2466 return -EINVAL; 2467 } 2468 } 2469 2470 if (nla[NFTA_CHAIN_FLAGS]) 2471 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 2472 else if (chain) 2473 flags = chain->flags; 2474 2475 if (flags & ~NFT_CHAIN_FLAGS) 2476 return -EOPNOTSUPP; 2477 2478 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2479 2480 if (chain != NULL) { 2481 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 2482 NL_SET_BAD_ATTR(extack, attr); 2483 return -EEXIST; 2484 } 2485 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 2486 return -EOPNOTSUPP; 2487 2488 flags |= chain->flags & NFT_CHAIN_BASE; 2489 return nf_tables_updchain(&ctx, genmask, policy, flags, attr, 2490 extack); 2491 } 2492 2493 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack); 2494 } 2495 2496 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info, 2497 const struct nlattr * const nla[]) 2498 { 2499 struct netlink_ext_ack *extack = info->extack; 2500 u8 genmask = nft_genmask_next(info->net); 2501 u8 family = info->nfmsg->nfgen_family; 2502 struct net *net = info->net; 2503 const struct nlattr *attr; 2504 struct nft_table *table; 2505 struct nft_chain *chain; 2506 struct nft_rule *rule; 2507 struct nft_ctx ctx; 2508 u64 handle; 2509 u32 use; 2510 int err; 2511 2512 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2513 NETLINK_CB(skb).portid); 2514 if (IS_ERR(table)) { 2515 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2516 return PTR_ERR(table); 2517 } 2518 2519 if (nla[NFTA_CHAIN_HANDLE]) { 2520 attr = nla[NFTA_CHAIN_HANDLE]; 2521 handle = be64_to_cpu(nla_get_be64(attr)); 2522 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2523 } else { 2524 attr = nla[NFTA_CHAIN_NAME]; 2525 chain = nft_chain_lookup(net, table, attr, genmask); 2526 } 2527 if (IS_ERR(chain)) { 2528 NL_SET_BAD_ATTR(extack, attr); 2529 return PTR_ERR(chain); 2530 } 2531 2532 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 2533 chain->use > 0) 2534 return -EBUSY; 2535 2536 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2537 2538 use = chain->use; 2539 list_for_each_entry(rule, &chain->rules, list) { 2540 if (!nft_is_active_next(net, rule)) 2541 continue; 2542 use--; 2543 2544 err = nft_delrule(&ctx, rule); 2545 if (err < 0) 2546 return err; 2547 } 2548 2549 /* There are rules and elements that are still holding references to us, 2550 * we cannot do a recursive removal in this case. 2551 */ 2552 if (use > 0) { 2553 NL_SET_BAD_ATTR(extack, attr); 2554 return -EBUSY; 2555 } 2556 2557 return nft_delchain(&ctx); 2558 } 2559 2560 /* 2561 * Expressions 2562 */ 2563 2564 /** 2565 * nft_register_expr - register nf_tables expr type 2566 * @type: expr type 2567 * 2568 * Registers the expr type for use with nf_tables. Returns zero on 2569 * success or a negative errno code otherwise. 2570 */ 2571 int nft_register_expr(struct nft_expr_type *type) 2572 { 2573 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2574 if (type->family == NFPROTO_UNSPEC) 2575 list_add_tail_rcu(&type->list, &nf_tables_expressions); 2576 else 2577 list_add_rcu(&type->list, &nf_tables_expressions); 2578 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2579 return 0; 2580 } 2581 EXPORT_SYMBOL_GPL(nft_register_expr); 2582 2583 /** 2584 * nft_unregister_expr - unregister nf_tables expr type 2585 * @type: expr type 2586 * 2587 * Unregisters the expr typefor use with nf_tables. 2588 */ 2589 void nft_unregister_expr(struct nft_expr_type *type) 2590 { 2591 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2592 list_del_rcu(&type->list); 2593 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2594 } 2595 EXPORT_SYMBOL_GPL(nft_unregister_expr); 2596 2597 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 2598 struct nlattr *nla) 2599 { 2600 const struct nft_expr_type *type, *candidate = NULL; 2601 2602 list_for_each_entry(type, &nf_tables_expressions, list) { 2603 if (!nla_strcmp(nla, type->name)) { 2604 if (!type->family && !candidate) 2605 candidate = type; 2606 else if (type->family == family) 2607 candidate = type; 2608 } 2609 } 2610 return candidate; 2611 } 2612 2613 #ifdef CONFIG_MODULES 2614 static int nft_expr_type_request_module(struct net *net, u8 family, 2615 struct nlattr *nla) 2616 { 2617 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 2618 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 2619 return -EAGAIN; 2620 2621 return 0; 2622 } 2623 #endif 2624 2625 static const struct nft_expr_type *nft_expr_type_get(struct net *net, 2626 u8 family, 2627 struct nlattr *nla) 2628 { 2629 const struct nft_expr_type *type; 2630 2631 if (nla == NULL) 2632 return ERR_PTR(-EINVAL); 2633 2634 type = __nft_expr_type_get(family, nla); 2635 if (type != NULL && try_module_get(type->owner)) 2636 return type; 2637 2638 lockdep_nfnl_nft_mutex_not_held(); 2639 #ifdef CONFIG_MODULES 2640 if (type == NULL) { 2641 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 2642 return ERR_PTR(-EAGAIN); 2643 2644 if (nft_request_module(net, "nft-expr-%.*s", 2645 nla_len(nla), 2646 (char *)nla_data(nla)) == -EAGAIN) 2647 return ERR_PTR(-EAGAIN); 2648 } 2649 #endif 2650 return ERR_PTR(-ENOENT); 2651 } 2652 2653 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 2654 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 2655 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 2656 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 2657 }; 2658 2659 static int nf_tables_fill_expr_info(struct sk_buff *skb, 2660 const struct nft_expr *expr) 2661 { 2662 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 2663 goto nla_put_failure; 2664 2665 if (expr->ops->dump) { 2666 struct nlattr *data = nla_nest_start_noflag(skb, 2667 NFTA_EXPR_DATA); 2668 if (data == NULL) 2669 goto nla_put_failure; 2670 if (expr->ops->dump(skb, expr) < 0) 2671 goto nla_put_failure; 2672 nla_nest_end(skb, data); 2673 } 2674 2675 return skb->len; 2676 2677 nla_put_failure: 2678 return -1; 2679 }; 2680 2681 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 2682 const struct nft_expr *expr) 2683 { 2684 struct nlattr *nest; 2685 2686 nest = nla_nest_start_noflag(skb, attr); 2687 if (!nest) 2688 goto nla_put_failure; 2689 if (nf_tables_fill_expr_info(skb, expr) < 0) 2690 goto nla_put_failure; 2691 nla_nest_end(skb, nest); 2692 return 0; 2693 2694 nla_put_failure: 2695 return -1; 2696 } 2697 2698 struct nft_expr_info { 2699 const struct nft_expr_ops *ops; 2700 const struct nlattr *attr; 2701 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 2702 }; 2703 2704 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 2705 const struct nlattr *nla, 2706 struct nft_expr_info *info) 2707 { 2708 const struct nft_expr_type *type; 2709 const struct nft_expr_ops *ops; 2710 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 2711 int err; 2712 2713 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 2714 nft_expr_policy, NULL); 2715 if (err < 0) 2716 return err; 2717 2718 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 2719 if (IS_ERR(type)) 2720 return PTR_ERR(type); 2721 2722 if (tb[NFTA_EXPR_DATA]) { 2723 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 2724 tb[NFTA_EXPR_DATA], 2725 type->policy, NULL); 2726 if (err < 0) 2727 goto err1; 2728 } else 2729 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 2730 2731 if (type->select_ops != NULL) { 2732 ops = type->select_ops(ctx, 2733 (const struct nlattr * const *)info->tb); 2734 if (IS_ERR(ops)) { 2735 err = PTR_ERR(ops); 2736 #ifdef CONFIG_MODULES 2737 if (err == -EAGAIN) 2738 if (nft_expr_type_request_module(ctx->net, 2739 ctx->family, 2740 tb[NFTA_EXPR_NAME]) != -EAGAIN) 2741 err = -ENOENT; 2742 #endif 2743 goto err1; 2744 } 2745 } else 2746 ops = type->ops; 2747 2748 info->attr = nla; 2749 info->ops = ops; 2750 2751 return 0; 2752 2753 err1: 2754 module_put(type->owner); 2755 return err; 2756 } 2757 2758 static int nf_tables_newexpr(const struct nft_ctx *ctx, 2759 const struct nft_expr_info *expr_info, 2760 struct nft_expr *expr) 2761 { 2762 const struct nft_expr_ops *ops = expr_info->ops; 2763 int err; 2764 2765 expr->ops = ops; 2766 if (ops->init) { 2767 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb); 2768 if (err < 0) 2769 goto err1; 2770 } 2771 2772 return 0; 2773 err1: 2774 expr->ops = NULL; 2775 return err; 2776 } 2777 2778 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 2779 struct nft_expr *expr) 2780 { 2781 const struct nft_expr_type *type = expr->ops->type; 2782 2783 if (expr->ops->destroy) 2784 expr->ops->destroy(ctx, expr); 2785 module_put(type->owner); 2786 } 2787 2788 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 2789 const struct nlattr *nla) 2790 { 2791 struct nft_expr_info expr_info; 2792 struct nft_expr *expr; 2793 struct module *owner; 2794 int err; 2795 2796 err = nf_tables_expr_parse(ctx, nla, &expr_info); 2797 if (err < 0) 2798 goto err1; 2799 2800 err = -ENOMEM; 2801 expr = kzalloc(expr_info.ops->size, GFP_KERNEL); 2802 if (expr == NULL) 2803 goto err2; 2804 2805 err = nf_tables_newexpr(ctx, &expr_info, expr); 2806 if (err < 0) 2807 goto err3; 2808 2809 return expr; 2810 err3: 2811 kfree(expr); 2812 err2: 2813 owner = expr_info.ops->type->owner; 2814 if (expr_info.ops->type->release_ops) 2815 expr_info.ops->type->release_ops(expr_info.ops); 2816 2817 module_put(owner); 2818 err1: 2819 return ERR_PTR(err); 2820 } 2821 2822 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 2823 { 2824 int err; 2825 2826 if (src->ops->clone) { 2827 dst->ops = src->ops; 2828 err = src->ops->clone(dst, src); 2829 if (err < 0) 2830 return err; 2831 } else { 2832 memcpy(dst, src, src->ops->size); 2833 } 2834 2835 __module_get(src->ops->type->owner); 2836 2837 return 0; 2838 } 2839 2840 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 2841 { 2842 nf_tables_expr_destroy(ctx, expr); 2843 kfree(expr); 2844 } 2845 2846 /* 2847 * Rules 2848 */ 2849 2850 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain, 2851 u64 handle) 2852 { 2853 struct nft_rule *rule; 2854 2855 // FIXME: this sucks 2856 list_for_each_entry_rcu(rule, &chain->rules, list) { 2857 if (handle == rule->handle) 2858 return rule; 2859 } 2860 2861 return ERR_PTR(-ENOENT); 2862 } 2863 2864 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain, 2865 const struct nlattr *nla) 2866 { 2867 if (nla == NULL) 2868 return ERR_PTR(-EINVAL); 2869 2870 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 2871 } 2872 2873 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 2874 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 2875 .len = NFT_TABLE_MAXNAMELEN - 1 }, 2876 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 2877 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 2878 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 2879 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED }, 2880 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 2881 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 2882 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 2883 .len = NFT_USERDATA_MAXLEN }, 2884 [NFTA_RULE_ID] = { .type = NLA_U32 }, 2885 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 2886 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 }, 2887 }; 2888 2889 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 2890 u32 portid, u32 seq, int event, 2891 u32 flags, int family, 2892 const struct nft_table *table, 2893 const struct nft_chain *chain, 2894 const struct nft_rule *rule, u64 handle) 2895 { 2896 struct nlmsghdr *nlh; 2897 const struct nft_expr *expr, *next; 2898 struct nlattr *list; 2899 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 2900 2901 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, 2902 nft_base_seq(net)); 2903 if (!nlh) 2904 goto nla_put_failure; 2905 2906 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 2907 goto nla_put_failure; 2908 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 2909 goto nla_put_failure; 2910 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 2911 NFTA_RULE_PAD)) 2912 goto nla_put_failure; 2913 2914 if (event != NFT_MSG_DELRULE && handle) { 2915 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle), 2916 NFTA_RULE_PAD)) 2917 goto nla_put_failure; 2918 } 2919 2920 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) 2921 nft_flow_rule_stats(chain, rule); 2922 2923 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 2924 if (list == NULL) 2925 goto nla_put_failure; 2926 nft_rule_for_each_expr(expr, next, rule) { 2927 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 2928 goto nla_put_failure; 2929 } 2930 nla_nest_end(skb, list); 2931 2932 if (rule->udata) { 2933 struct nft_userdata *udata = nft_userdata(rule); 2934 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 2935 udata->data) < 0) 2936 goto nla_put_failure; 2937 } 2938 2939 nlmsg_end(skb, nlh); 2940 return 0; 2941 2942 nla_put_failure: 2943 nlmsg_trim(skb, nlh); 2944 return -1; 2945 } 2946 2947 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 2948 const struct nft_rule *rule, int event) 2949 { 2950 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 2951 const struct nft_rule *prule; 2952 struct sk_buff *skb; 2953 u64 handle = 0; 2954 u16 flags = 0; 2955 int err; 2956 2957 if (!ctx->report && 2958 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 2959 return; 2960 2961 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 2962 if (skb == NULL) 2963 goto err; 2964 2965 if (event == NFT_MSG_NEWRULE && 2966 !list_is_first(&rule->list, &ctx->chain->rules) && 2967 !list_is_last(&rule->list, &ctx->chain->rules)) { 2968 prule = list_prev_entry(rule, list); 2969 handle = prule->handle; 2970 } 2971 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE)) 2972 flags |= NLM_F_APPEND; 2973 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 2974 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 2975 2976 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 2977 event, flags, ctx->family, ctx->table, 2978 ctx->chain, rule, handle); 2979 if (err < 0) { 2980 kfree_skb(skb); 2981 goto err; 2982 } 2983 2984 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 2985 return; 2986 err: 2987 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 2988 } 2989 2990 struct nft_rule_dump_ctx { 2991 char *table; 2992 char *chain; 2993 }; 2994 2995 static int __nf_tables_dump_rules(struct sk_buff *skb, 2996 unsigned int *idx, 2997 struct netlink_callback *cb, 2998 const struct nft_table *table, 2999 const struct nft_chain *chain) 3000 { 3001 struct net *net = sock_net(skb->sk); 3002 const struct nft_rule *rule, *prule; 3003 unsigned int s_idx = cb->args[0]; 3004 u64 handle; 3005 3006 prule = NULL; 3007 list_for_each_entry_rcu(rule, &chain->rules, list) { 3008 if (!nft_is_active(net, rule)) 3009 goto cont_skip; 3010 if (*idx < s_idx) 3011 goto cont; 3012 if (*idx > s_idx) { 3013 memset(&cb->args[1], 0, 3014 sizeof(cb->args) - sizeof(cb->args[0])); 3015 } 3016 if (prule) 3017 handle = prule->handle; 3018 else 3019 handle = 0; 3020 3021 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 3022 cb->nlh->nlmsg_seq, 3023 NFT_MSG_NEWRULE, 3024 NLM_F_MULTI | NLM_F_APPEND, 3025 table->family, 3026 table, chain, rule, handle) < 0) 3027 return 1; 3028 3029 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3030 cont: 3031 prule = rule; 3032 cont_skip: 3033 (*idx)++; 3034 } 3035 return 0; 3036 } 3037 3038 static int nf_tables_dump_rules(struct sk_buff *skb, 3039 struct netlink_callback *cb) 3040 { 3041 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3042 const struct nft_rule_dump_ctx *ctx = cb->data; 3043 struct nft_table *table; 3044 const struct nft_chain *chain; 3045 unsigned int idx = 0; 3046 struct net *net = sock_net(skb->sk); 3047 int family = nfmsg->nfgen_family; 3048 struct nftables_pernet *nft_net; 3049 3050 rcu_read_lock(); 3051 nft_net = nft_pernet(net); 3052 cb->seq = nft_net->base_seq; 3053 3054 list_for_each_entry_rcu(table, &nft_net->tables, list) { 3055 if (family != NFPROTO_UNSPEC && family != table->family) 3056 continue; 3057 3058 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) 3059 continue; 3060 3061 if (ctx && ctx->table && ctx->chain) { 3062 struct rhlist_head *list, *tmp; 3063 3064 list = rhltable_lookup(&table->chains_ht, ctx->chain, 3065 nft_chain_ht_params); 3066 if (!list) 3067 goto done; 3068 3069 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 3070 if (!nft_is_active(net, chain)) 3071 continue; 3072 __nf_tables_dump_rules(skb, &idx, 3073 cb, table, chain); 3074 break; 3075 } 3076 goto done; 3077 } 3078 3079 list_for_each_entry_rcu(chain, &table->chains, list) { 3080 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain)) 3081 goto done; 3082 } 3083 3084 if (ctx && ctx->table) 3085 break; 3086 } 3087 done: 3088 rcu_read_unlock(); 3089 3090 cb->args[0] = idx; 3091 return skb->len; 3092 } 3093 3094 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 3095 { 3096 const struct nlattr * const *nla = cb->data; 3097 struct nft_rule_dump_ctx *ctx = NULL; 3098 3099 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) { 3100 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC); 3101 if (!ctx) 3102 return -ENOMEM; 3103 3104 if (nla[NFTA_RULE_TABLE]) { 3105 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], 3106 GFP_ATOMIC); 3107 if (!ctx->table) { 3108 kfree(ctx); 3109 return -ENOMEM; 3110 } 3111 } 3112 if (nla[NFTA_RULE_CHAIN]) { 3113 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], 3114 GFP_ATOMIC); 3115 if (!ctx->chain) { 3116 kfree(ctx->table); 3117 kfree(ctx); 3118 return -ENOMEM; 3119 } 3120 } 3121 } 3122 3123 cb->data = ctx; 3124 return 0; 3125 } 3126 3127 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 3128 { 3129 struct nft_rule_dump_ctx *ctx = cb->data; 3130 3131 if (ctx) { 3132 kfree(ctx->table); 3133 kfree(ctx->chain); 3134 kfree(ctx); 3135 } 3136 return 0; 3137 } 3138 3139 /* called with rcu_read_lock held */ 3140 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info, 3141 const struct nlattr * const nla[]) 3142 { 3143 struct netlink_ext_ack *extack = info->extack; 3144 u8 genmask = nft_genmask_cur(info->net); 3145 u8 family = info->nfmsg->nfgen_family; 3146 const struct nft_chain *chain; 3147 const struct nft_rule *rule; 3148 struct net *net = info->net; 3149 struct nft_table *table; 3150 struct sk_buff *skb2; 3151 int err; 3152 3153 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3154 struct netlink_dump_control c = { 3155 .start= nf_tables_dump_rules_start, 3156 .dump = nf_tables_dump_rules, 3157 .done = nf_tables_dump_rules_done, 3158 .module = THIS_MODULE, 3159 .data = (void *)nla, 3160 }; 3161 3162 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 3163 } 3164 3165 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0); 3166 if (IS_ERR(table)) { 3167 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3168 return PTR_ERR(table); 3169 } 3170 3171 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 3172 if (IS_ERR(chain)) { 3173 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3174 return PTR_ERR(chain); 3175 } 3176 3177 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3178 if (IS_ERR(rule)) { 3179 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3180 return PTR_ERR(rule); 3181 } 3182 3183 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3184 if (!skb2) 3185 return -ENOMEM; 3186 3187 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, 3188 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 3189 family, table, chain, rule, 0); 3190 if (err < 0) 3191 goto err_fill_rule_info; 3192 3193 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 3194 3195 err_fill_rule_info: 3196 kfree_skb(skb2); 3197 return err; 3198 } 3199 3200 static void nf_tables_rule_destroy(const struct nft_ctx *ctx, 3201 struct nft_rule *rule) 3202 { 3203 struct nft_expr *expr, *next; 3204 3205 /* 3206 * Careful: some expressions might not be initialized in case this 3207 * is called on error from nf_tables_newrule(). 3208 */ 3209 expr = nft_expr_first(rule); 3210 while (nft_expr_more(rule, expr)) { 3211 next = nft_expr_next(expr); 3212 nf_tables_expr_destroy(ctx, expr); 3213 expr = next; 3214 } 3215 kfree(rule); 3216 } 3217 3218 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 3219 { 3220 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 3221 nf_tables_rule_destroy(ctx, rule); 3222 } 3223 3224 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 3225 { 3226 struct nft_expr *expr, *last; 3227 const struct nft_data *data; 3228 struct nft_rule *rule; 3229 int err; 3230 3231 if (ctx->level == NFT_JUMP_STACK_SIZE) 3232 return -EMLINK; 3233 3234 list_for_each_entry(rule, &chain->rules, list) { 3235 if (!nft_is_active_next(ctx->net, rule)) 3236 continue; 3237 3238 nft_rule_for_each_expr(expr, last, rule) { 3239 if (!expr->ops->validate) 3240 continue; 3241 3242 err = expr->ops->validate(ctx, expr, &data); 3243 if (err < 0) 3244 return err; 3245 } 3246 } 3247 3248 return 0; 3249 } 3250 EXPORT_SYMBOL_GPL(nft_chain_validate); 3251 3252 static int nft_table_validate(struct net *net, const struct nft_table *table) 3253 { 3254 struct nft_chain *chain; 3255 struct nft_ctx ctx = { 3256 .net = net, 3257 .family = table->family, 3258 }; 3259 int err; 3260 3261 list_for_each_entry(chain, &table->chains, list) { 3262 if (!nft_is_base_chain(chain)) 3263 continue; 3264 3265 ctx.chain = chain; 3266 err = nft_chain_validate(&ctx, chain); 3267 if (err < 0) 3268 return err; 3269 } 3270 3271 return 0; 3272 } 3273 3274 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3275 const struct nlattr *nla); 3276 3277 #define NFT_RULE_MAXEXPRS 128 3278 3279 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, 3280 const struct nlattr * const nla[]) 3281 { 3282 struct nftables_pernet *nft_net = nft_pernet(info->net); 3283 struct netlink_ext_ack *extack = info->extack; 3284 unsigned int size, i, n, ulen = 0, usize = 0; 3285 u8 genmask = nft_genmask_next(info->net); 3286 struct nft_rule *rule, *old_rule = NULL; 3287 struct nft_expr_info *expr_info = NULL; 3288 u8 family = info->nfmsg->nfgen_family; 3289 struct nft_flow_rule *flow = NULL; 3290 struct net *net = info->net; 3291 struct nft_userdata *udata; 3292 struct nft_table *table; 3293 struct nft_chain *chain; 3294 struct nft_trans *trans; 3295 u64 handle, pos_handle; 3296 struct nft_expr *expr; 3297 struct nft_ctx ctx; 3298 struct nlattr *tmp; 3299 int err, rem; 3300 3301 lockdep_assert_held(&nft_net->commit_mutex); 3302 3303 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3304 NETLINK_CB(skb).portid); 3305 if (IS_ERR(table)) { 3306 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3307 return PTR_ERR(table); 3308 } 3309 3310 if (nla[NFTA_RULE_CHAIN]) { 3311 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3312 genmask); 3313 if (IS_ERR(chain)) { 3314 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3315 return PTR_ERR(chain); 3316 } 3317 if (nft_chain_is_bound(chain)) 3318 return -EOPNOTSUPP; 3319 3320 } else if (nla[NFTA_RULE_CHAIN_ID]) { 3321 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]); 3322 if (IS_ERR(chain)) { 3323 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); 3324 return PTR_ERR(chain); 3325 } 3326 } else { 3327 return -EINVAL; 3328 } 3329 3330 if (nla[NFTA_RULE_HANDLE]) { 3331 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 3332 rule = __nft_rule_lookup(chain, handle); 3333 if (IS_ERR(rule)) { 3334 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3335 return PTR_ERR(rule); 3336 } 3337 3338 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 3339 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3340 return -EEXIST; 3341 } 3342 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 3343 old_rule = rule; 3344 else 3345 return -EOPNOTSUPP; 3346 } else { 3347 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) || 3348 info->nlh->nlmsg_flags & NLM_F_REPLACE) 3349 return -EINVAL; 3350 handle = nf_tables_alloc_handle(table); 3351 3352 if (chain->use == UINT_MAX) 3353 return -EOVERFLOW; 3354 3355 if (nla[NFTA_RULE_POSITION]) { 3356 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 3357 old_rule = __nft_rule_lookup(chain, pos_handle); 3358 if (IS_ERR(old_rule)) { 3359 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 3360 return PTR_ERR(old_rule); 3361 } 3362 } else if (nla[NFTA_RULE_POSITION_ID]) { 3363 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]); 3364 if (IS_ERR(old_rule)) { 3365 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 3366 return PTR_ERR(old_rule); 3367 } 3368 } 3369 } 3370 3371 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3372 3373 n = 0; 3374 size = 0; 3375 if (nla[NFTA_RULE_EXPRESSIONS]) { 3376 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS, 3377 sizeof(struct nft_expr_info), 3378 GFP_KERNEL); 3379 if (!expr_info) 3380 return -ENOMEM; 3381 3382 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 3383 err = -EINVAL; 3384 if (nla_type(tmp) != NFTA_LIST_ELEM) 3385 goto err_release_expr; 3386 if (n == NFT_RULE_MAXEXPRS) 3387 goto err_release_expr; 3388 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]); 3389 if (err < 0) { 3390 NL_SET_BAD_ATTR(extack, tmp); 3391 goto err_release_expr; 3392 } 3393 size += expr_info[n].ops->size; 3394 n++; 3395 } 3396 } 3397 /* Check for overflow of dlen field */ 3398 err = -EFBIG; 3399 if (size >= 1 << 12) 3400 goto err_release_expr; 3401 3402 if (nla[NFTA_RULE_USERDATA]) { 3403 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 3404 if (ulen > 0) 3405 usize = sizeof(struct nft_userdata) + ulen; 3406 } 3407 3408 err = -ENOMEM; 3409 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL); 3410 if (rule == NULL) 3411 goto err_release_expr; 3412 3413 nft_activate_next(net, rule); 3414 3415 rule->handle = handle; 3416 rule->dlen = size; 3417 rule->udata = ulen ? 1 : 0; 3418 3419 if (ulen) { 3420 udata = nft_userdata(rule); 3421 udata->len = ulen - 1; 3422 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 3423 } 3424 3425 expr = nft_expr_first(rule); 3426 for (i = 0; i < n; i++) { 3427 err = nf_tables_newexpr(&ctx, &expr_info[i], expr); 3428 if (err < 0) { 3429 NL_SET_BAD_ATTR(extack, expr_info[i].attr); 3430 goto err_release_rule; 3431 } 3432 3433 if (expr_info[i].ops->validate) 3434 nft_validate_state_update(net, NFT_VALIDATE_NEED); 3435 3436 expr_info[i].ops = NULL; 3437 expr = nft_expr_next(expr); 3438 } 3439 3440 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 3441 flow = nft_flow_rule_create(net, rule); 3442 if (IS_ERR(flow)) { 3443 err = PTR_ERR(flow); 3444 goto err_release_rule; 3445 } 3446 } 3447 3448 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { 3449 err = nft_delrule(&ctx, old_rule); 3450 if (err < 0) 3451 goto err_destroy_flow_rule; 3452 3453 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3454 if (trans == NULL) { 3455 err = -ENOMEM; 3456 goto err_destroy_flow_rule; 3457 } 3458 list_add_tail_rcu(&rule->list, &old_rule->list); 3459 } else { 3460 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3461 if (!trans) { 3462 err = -ENOMEM; 3463 goto err_destroy_flow_rule; 3464 } 3465 3466 if (info->nlh->nlmsg_flags & NLM_F_APPEND) { 3467 if (old_rule) 3468 list_add_rcu(&rule->list, &old_rule->list); 3469 else 3470 list_add_tail_rcu(&rule->list, &chain->rules); 3471 } else { 3472 if (old_rule) 3473 list_add_tail_rcu(&rule->list, &old_rule->list); 3474 else 3475 list_add_rcu(&rule->list, &chain->rules); 3476 } 3477 } 3478 kvfree(expr_info); 3479 chain->use++; 3480 3481 if (flow) 3482 nft_trans_flow_rule(trans) = flow; 3483 3484 if (nft_net->validate_state == NFT_VALIDATE_DO) 3485 return nft_table_validate(net, table); 3486 3487 return 0; 3488 3489 err_destroy_flow_rule: 3490 if (flow) 3491 nft_flow_rule_destroy(flow); 3492 err_release_rule: 3493 nf_tables_rule_release(&ctx, rule); 3494 err_release_expr: 3495 for (i = 0; i < n; i++) { 3496 if (expr_info[i].ops) { 3497 module_put(expr_info[i].ops->type->owner); 3498 if (expr_info[i].ops->type->release_ops) 3499 expr_info[i].ops->type->release_ops(expr_info[i].ops); 3500 } 3501 } 3502 kvfree(expr_info); 3503 3504 return err; 3505 } 3506 3507 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3508 const struct nlattr *nla) 3509 { 3510 struct nftables_pernet *nft_net = nft_pernet(net); 3511 u32 id = ntohl(nla_get_be32(nla)); 3512 struct nft_trans *trans; 3513 3514 list_for_each_entry(trans, &nft_net->commit_list, list) { 3515 struct nft_rule *rule = nft_trans_rule(trans); 3516 3517 if (trans->msg_type == NFT_MSG_NEWRULE && 3518 id == nft_trans_rule_id(trans)) 3519 return rule; 3520 } 3521 return ERR_PTR(-ENOENT); 3522 } 3523 3524 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, 3525 const struct nlattr * const nla[]) 3526 { 3527 struct netlink_ext_ack *extack = info->extack; 3528 u8 genmask = nft_genmask_next(info->net); 3529 u8 family = info->nfmsg->nfgen_family; 3530 struct nft_chain *chain = NULL; 3531 struct net *net = info->net; 3532 struct nft_table *table; 3533 struct nft_rule *rule; 3534 struct nft_ctx ctx; 3535 int err = 0; 3536 3537 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3538 NETLINK_CB(skb).portid); 3539 if (IS_ERR(table)) { 3540 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3541 return PTR_ERR(table); 3542 } 3543 3544 if (nla[NFTA_RULE_CHAIN]) { 3545 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3546 genmask); 3547 if (IS_ERR(chain)) { 3548 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3549 return PTR_ERR(chain); 3550 } 3551 if (nft_chain_is_bound(chain)) 3552 return -EOPNOTSUPP; 3553 } 3554 3555 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3556 3557 if (chain) { 3558 if (nla[NFTA_RULE_HANDLE]) { 3559 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3560 if (IS_ERR(rule)) { 3561 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3562 return PTR_ERR(rule); 3563 } 3564 3565 err = nft_delrule(&ctx, rule); 3566 } else if (nla[NFTA_RULE_ID]) { 3567 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); 3568 if (IS_ERR(rule)) { 3569 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 3570 return PTR_ERR(rule); 3571 } 3572 3573 err = nft_delrule(&ctx, rule); 3574 } else { 3575 err = nft_delrule_by_chain(&ctx); 3576 } 3577 } else { 3578 list_for_each_entry(chain, &table->chains, list) { 3579 if (!nft_is_active_next(net, chain)) 3580 continue; 3581 3582 ctx.chain = chain; 3583 err = nft_delrule_by_chain(&ctx); 3584 if (err < 0) 3585 break; 3586 } 3587 } 3588 3589 return err; 3590 } 3591 3592 /* 3593 * Sets 3594 */ 3595 static const struct nft_set_type *nft_set_types[] = { 3596 &nft_set_hash_fast_type, 3597 &nft_set_hash_type, 3598 &nft_set_rhash_type, 3599 &nft_set_bitmap_type, 3600 &nft_set_rbtree_type, 3601 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 3602 &nft_set_pipapo_avx2_type, 3603 #endif 3604 &nft_set_pipapo_type, 3605 }; 3606 3607 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 3608 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 3609 NFT_SET_EVAL) 3610 3611 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 3612 { 3613 return (flags & type->features) == (flags & NFT_SET_FEATURES); 3614 } 3615 3616 /* 3617 * Select a set implementation based on the data characteristics and the 3618 * given policy. The total memory use might not be known if no size is 3619 * given, in that case the amount of memory per element is used. 3620 */ 3621 static const struct nft_set_ops * 3622 nft_select_set_ops(const struct nft_ctx *ctx, 3623 const struct nlattr * const nla[], 3624 const struct nft_set_desc *desc, 3625 enum nft_set_policies policy) 3626 { 3627 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3628 const struct nft_set_ops *ops, *bops; 3629 struct nft_set_estimate est, best; 3630 const struct nft_set_type *type; 3631 u32 flags = 0; 3632 int i; 3633 3634 lockdep_assert_held(&nft_net->commit_mutex); 3635 lockdep_nfnl_nft_mutex_not_held(); 3636 3637 if (nla[NFTA_SET_FLAGS] != NULL) 3638 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 3639 3640 bops = NULL; 3641 best.size = ~0; 3642 best.lookup = ~0; 3643 best.space = ~0; 3644 3645 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 3646 type = nft_set_types[i]; 3647 ops = &type->ops; 3648 3649 if (!nft_set_ops_candidate(type, flags)) 3650 continue; 3651 if (!ops->estimate(desc, flags, &est)) 3652 continue; 3653 3654 switch (policy) { 3655 case NFT_SET_POL_PERFORMANCE: 3656 if (est.lookup < best.lookup) 3657 break; 3658 if (est.lookup == best.lookup && 3659 est.space < best.space) 3660 break; 3661 continue; 3662 case NFT_SET_POL_MEMORY: 3663 if (!desc->size) { 3664 if (est.space < best.space) 3665 break; 3666 if (est.space == best.space && 3667 est.lookup < best.lookup) 3668 break; 3669 } else if (est.size < best.size || !bops) { 3670 break; 3671 } 3672 continue; 3673 default: 3674 break; 3675 } 3676 3677 bops = ops; 3678 best = est; 3679 } 3680 3681 if (bops != NULL) 3682 return bops; 3683 3684 return ERR_PTR(-EOPNOTSUPP); 3685 } 3686 3687 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 3688 [NFTA_SET_TABLE] = { .type = NLA_STRING, 3689 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3690 [NFTA_SET_NAME] = { .type = NLA_STRING, 3691 .len = NFT_SET_MAXNAMELEN - 1 }, 3692 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 3693 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 3694 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 3695 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 3696 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 3697 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 3698 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 3699 [NFTA_SET_ID] = { .type = NLA_U32 }, 3700 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 3701 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 3702 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 3703 .len = NFT_USERDATA_MAXLEN }, 3704 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 3705 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 3706 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 3707 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED }, 3708 }; 3709 3710 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 3711 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 3712 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED }, 3713 }; 3714 3715 static struct nft_set *nft_set_lookup(const struct nft_table *table, 3716 const struct nlattr *nla, u8 genmask) 3717 { 3718 struct nft_set *set; 3719 3720 if (nla == NULL) 3721 return ERR_PTR(-EINVAL); 3722 3723 list_for_each_entry_rcu(set, &table->sets, list) { 3724 if (!nla_strcmp(nla, set->name) && 3725 nft_active_genmask(set, genmask)) 3726 return set; 3727 } 3728 return ERR_PTR(-ENOENT); 3729 } 3730 3731 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 3732 const struct nlattr *nla, 3733 u8 genmask) 3734 { 3735 struct nft_set *set; 3736 3737 list_for_each_entry(set, &table->sets, list) { 3738 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 3739 nft_active_genmask(set, genmask)) 3740 return set; 3741 } 3742 return ERR_PTR(-ENOENT); 3743 } 3744 3745 static struct nft_set *nft_set_lookup_byid(const struct net *net, 3746 const struct nlattr *nla, u8 genmask) 3747 { 3748 struct nftables_pernet *nft_net = nft_pernet(net); 3749 u32 id = ntohl(nla_get_be32(nla)); 3750 struct nft_trans *trans; 3751 3752 list_for_each_entry(trans, &nft_net->commit_list, list) { 3753 if (trans->msg_type == NFT_MSG_NEWSET) { 3754 struct nft_set *set = nft_trans_set(trans); 3755 3756 if (id == nft_trans_set_id(trans) && 3757 nft_active_genmask(set, genmask)) 3758 return set; 3759 } 3760 } 3761 return ERR_PTR(-ENOENT); 3762 } 3763 3764 struct nft_set *nft_set_lookup_global(const struct net *net, 3765 const struct nft_table *table, 3766 const struct nlattr *nla_set_name, 3767 const struct nlattr *nla_set_id, 3768 u8 genmask) 3769 { 3770 struct nft_set *set; 3771 3772 set = nft_set_lookup(table, nla_set_name, genmask); 3773 if (IS_ERR(set)) { 3774 if (!nla_set_id) 3775 return set; 3776 3777 set = nft_set_lookup_byid(net, nla_set_id, genmask); 3778 } 3779 return set; 3780 } 3781 EXPORT_SYMBOL_GPL(nft_set_lookup_global); 3782 3783 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 3784 const char *name) 3785 { 3786 const struct nft_set *i; 3787 const char *p; 3788 unsigned long *inuse; 3789 unsigned int n = 0, min = 0; 3790 3791 p = strchr(name, '%'); 3792 if (p != NULL) { 3793 if (p[1] != 'd' || strchr(p + 2, '%')) 3794 return -EINVAL; 3795 3796 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 3797 if (inuse == NULL) 3798 return -ENOMEM; 3799 cont: 3800 list_for_each_entry(i, &ctx->table->sets, list) { 3801 int tmp; 3802 3803 if (!nft_is_active_next(ctx->net, set)) 3804 continue; 3805 if (!sscanf(i->name, name, &tmp)) 3806 continue; 3807 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 3808 continue; 3809 3810 set_bit(tmp - min, inuse); 3811 } 3812 3813 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 3814 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 3815 min += BITS_PER_BYTE * PAGE_SIZE; 3816 memset(inuse, 0, PAGE_SIZE); 3817 goto cont; 3818 } 3819 free_page((unsigned long)inuse); 3820 } 3821 3822 set->name = kasprintf(GFP_KERNEL, name, min + n); 3823 if (!set->name) 3824 return -ENOMEM; 3825 3826 list_for_each_entry(i, &ctx->table->sets, list) { 3827 if (!nft_is_active_next(ctx->net, i)) 3828 continue; 3829 if (!strcmp(set->name, i->name)) { 3830 kfree(set->name); 3831 set->name = NULL; 3832 return -ENFILE; 3833 } 3834 } 3835 return 0; 3836 } 3837 3838 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 3839 { 3840 u64 ms = be64_to_cpu(nla_get_be64(nla)); 3841 u64 max = (u64)(~((u64)0)); 3842 3843 max = div_u64(max, NSEC_PER_MSEC); 3844 if (ms >= max) 3845 return -ERANGE; 3846 3847 ms *= NSEC_PER_MSEC; 3848 *result = nsecs_to_jiffies64(ms); 3849 return 0; 3850 } 3851 3852 __be64 nf_jiffies64_to_msecs(u64 input) 3853 { 3854 return cpu_to_be64(jiffies64_to_msecs(input)); 3855 } 3856 3857 static int nf_tables_fill_set_concat(struct sk_buff *skb, 3858 const struct nft_set *set) 3859 { 3860 struct nlattr *concat, *field; 3861 int i; 3862 3863 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 3864 if (!concat) 3865 return -ENOMEM; 3866 3867 for (i = 0; i < set->field_count; i++) { 3868 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 3869 if (!field) 3870 return -ENOMEM; 3871 3872 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 3873 htonl(set->field_len[i]))) 3874 return -ENOMEM; 3875 3876 nla_nest_end(skb, field); 3877 } 3878 3879 nla_nest_end(skb, concat); 3880 3881 return 0; 3882 } 3883 3884 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 3885 const struct nft_set *set, u16 event, u16 flags) 3886 { 3887 struct nlmsghdr *nlh; 3888 u32 portid = ctx->portid; 3889 struct nlattr *nest; 3890 u32 seq = ctx->seq; 3891 int i; 3892 3893 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3894 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 3895 NFNETLINK_V0, nft_base_seq(ctx->net)); 3896 if (!nlh) 3897 goto nla_put_failure; 3898 3899 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 3900 goto nla_put_failure; 3901 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 3902 goto nla_put_failure; 3903 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 3904 NFTA_SET_PAD)) 3905 goto nla_put_failure; 3906 if (set->flags != 0) 3907 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 3908 goto nla_put_failure; 3909 3910 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 3911 goto nla_put_failure; 3912 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 3913 goto nla_put_failure; 3914 if (set->flags & NFT_SET_MAP) { 3915 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 3916 goto nla_put_failure; 3917 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 3918 goto nla_put_failure; 3919 } 3920 if (set->flags & NFT_SET_OBJECT && 3921 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 3922 goto nla_put_failure; 3923 3924 if (set->timeout && 3925 nla_put_be64(skb, NFTA_SET_TIMEOUT, 3926 nf_jiffies64_to_msecs(set->timeout), 3927 NFTA_SET_PAD)) 3928 goto nla_put_failure; 3929 if (set->gc_int && 3930 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int))) 3931 goto nla_put_failure; 3932 3933 if (set->policy != NFT_SET_POL_PERFORMANCE) { 3934 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 3935 goto nla_put_failure; 3936 } 3937 3938 if (set->udata && 3939 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 3940 goto nla_put_failure; 3941 3942 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 3943 if (!nest) 3944 goto nla_put_failure; 3945 if (set->size && 3946 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 3947 goto nla_put_failure; 3948 3949 if (set->field_count > 1 && 3950 nf_tables_fill_set_concat(skb, set)) 3951 goto nla_put_failure; 3952 3953 nla_nest_end(skb, nest); 3954 3955 if (set->num_exprs == 1) { 3956 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 3957 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0) 3958 goto nla_put_failure; 3959 3960 nla_nest_end(skb, nest); 3961 } else if (set->num_exprs > 1) { 3962 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS); 3963 if (nest == NULL) 3964 goto nla_put_failure; 3965 3966 for (i = 0; i < set->num_exprs; i++) { 3967 if (nft_expr_dump(skb, NFTA_LIST_ELEM, 3968 set->exprs[i]) < 0) 3969 goto nla_put_failure; 3970 } 3971 nla_nest_end(skb, nest); 3972 } 3973 3974 nlmsg_end(skb, nlh); 3975 return 0; 3976 3977 nla_put_failure: 3978 nlmsg_trim(skb, nlh); 3979 return -1; 3980 } 3981 3982 static void nf_tables_set_notify(const struct nft_ctx *ctx, 3983 const struct nft_set *set, int event, 3984 gfp_t gfp_flags) 3985 { 3986 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3987 u32 portid = ctx->portid; 3988 struct sk_buff *skb; 3989 u16 flags = 0; 3990 int err; 3991 3992 if (!ctx->report && 3993 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3994 return; 3995 3996 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 3997 if (skb == NULL) 3998 goto err; 3999 4000 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 4001 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 4002 4003 err = nf_tables_fill_set(skb, ctx, set, event, flags); 4004 if (err < 0) { 4005 kfree_skb(skb); 4006 goto err; 4007 } 4008 4009 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 4010 return; 4011 err: 4012 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 4013 } 4014 4015 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 4016 { 4017 const struct nft_set *set; 4018 unsigned int idx, s_idx = cb->args[0]; 4019 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 4020 struct net *net = sock_net(skb->sk); 4021 struct nft_ctx *ctx = cb->data, ctx_set; 4022 struct nftables_pernet *nft_net; 4023 4024 if (cb->args[1]) 4025 return skb->len; 4026 4027 rcu_read_lock(); 4028 nft_net = nft_pernet(net); 4029 cb->seq = nft_net->base_seq; 4030 4031 list_for_each_entry_rcu(table, &nft_net->tables, list) { 4032 if (ctx->family != NFPROTO_UNSPEC && 4033 ctx->family != table->family) 4034 continue; 4035 4036 if (ctx->table && ctx->table != table) 4037 continue; 4038 4039 if (cur_table) { 4040 if (cur_table != table) 4041 continue; 4042 4043 cur_table = NULL; 4044 } 4045 idx = 0; 4046 list_for_each_entry_rcu(set, &table->sets, list) { 4047 if (idx < s_idx) 4048 goto cont; 4049 if (!nft_is_active(net, set)) 4050 goto cont; 4051 4052 ctx_set = *ctx; 4053 ctx_set.table = table; 4054 ctx_set.family = table->family; 4055 4056 if (nf_tables_fill_set(skb, &ctx_set, set, 4057 NFT_MSG_NEWSET, 4058 NLM_F_MULTI) < 0) { 4059 cb->args[0] = idx; 4060 cb->args[2] = (unsigned long) table; 4061 goto done; 4062 } 4063 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 4064 cont: 4065 idx++; 4066 } 4067 if (s_idx) 4068 s_idx = 0; 4069 } 4070 cb->args[1] = 1; 4071 done: 4072 rcu_read_unlock(); 4073 return skb->len; 4074 } 4075 4076 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 4077 { 4078 struct nft_ctx *ctx_dump = NULL; 4079 4080 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 4081 if (ctx_dump == NULL) 4082 return -ENOMEM; 4083 4084 cb->data = ctx_dump; 4085 return 0; 4086 } 4087 4088 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 4089 { 4090 kfree(cb->data); 4091 return 0; 4092 } 4093 4094 /* called with rcu_read_lock held */ 4095 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info, 4096 const struct nlattr * const nla[]) 4097 { 4098 struct netlink_ext_ack *extack = info->extack; 4099 u8 genmask = nft_genmask_cur(info->net); 4100 u8 family = info->nfmsg->nfgen_family; 4101 struct nft_table *table = NULL; 4102 struct net *net = info->net; 4103 const struct nft_set *set; 4104 struct sk_buff *skb2; 4105 struct nft_ctx ctx; 4106 int err; 4107 4108 if (nla[NFTA_SET_TABLE]) { 4109 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 4110 genmask, 0); 4111 if (IS_ERR(table)) { 4112 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4113 return PTR_ERR(table); 4114 } 4115 } 4116 4117 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4118 4119 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 4120 struct netlink_dump_control c = { 4121 .start = nf_tables_dump_sets_start, 4122 .dump = nf_tables_dump_sets, 4123 .done = nf_tables_dump_sets_done, 4124 .data = &ctx, 4125 .module = THIS_MODULE, 4126 }; 4127 4128 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 4129 } 4130 4131 /* Only accept unspec with dump */ 4132 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 4133 return -EAFNOSUPPORT; 4134 if (!nla[NFTA_SET_TABLE]) 4135 return -EINVAL; 4136 4137 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4138 if (IS_ERR(set)) 4139 return PTR_ERR(set); 4140 4141 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 4142 if (skb2 == NULL) 4143 return -ENOMEM; 4144 4145 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 4146 if (err < 0) 4147 goto err_fill_set_info; 4148 4149 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 4150 4151 err_fill_set_info: 4152 kfree_skb(skb2); 4153 return err; 4154 } 4155 4156 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 4157 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 4158 }; 4159 4160 static int nft_set_desc_concat_parse(const struct nlattr *attr, 4161 struct nft_set_desc *desc) 4162 { 4163 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 4164 u32 len; 4165 int err; 4166 4167 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 4168 nft_concat_policy, NULL); 4169 if (err < 0) 4170 return err; 4171 4172 if (!tb[NFTA_SET_FIELD_LEN]) 4173 return -EINVAL; 4174 4175 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 4176 4177 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT) 4178 return -E2BIG; 4179 4180 desc->field_len[desc->field_count++] = len; 4181 4182 return 0; 4183 } 4184 4185 static int nft_set_desc_concat(struct nft_set_desc *desc, 4186 const struct nlattr *nla) 4187 { 4188 struct nlattr *attr; 4189 int rem, err; 4190 4191 nla_for_each_nested(attr, nla, rem) { 4192 if (nla_type(attr) != NFTA_LIST_ELEM) 4193 return -EINVAL; 4194 4195 err = nft_set_desc_concat_parse(attr, desc); 4196 if (err < 0) 4197 return err; 4198 } 4199 4200 return 0; 4201 } 4202 4203 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 4204 const struct nlattr *nla) 4205 { 4206 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 4207 int err; 4208 4209 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 4210 nft_set_desc_policy, NULL); 4211 if (err < 0) 4212 return err; 4213 4214 if (da[NFTA_SET_DESC_SIZE] != NULL) 4215 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 4216 if (da[NFTA_SET_DESC_CONCAT]) 4217 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 4218 4219 return err; 4220 } 4221 4222 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 4223 const struct nlattr * const nla[]) 4224 { 4225 u32 ktype, dtype, flags, policy, gc_int, objtype; 4226 struct netlink_ext_ack *extack = info->extack; 4227 u8 genmask = nft_genmask_next(info->net); 4228 u8 family = info->nfmsg->nfgen_family; 4229 const struct nft_set_ops *ops; 4230 struct nft_expr *expr = NULL; 4231 struct net *net = info->net; 4232 struct nft_set_desc desc; 4233 struct nft_table *table; 4234 unsigned char *udata; 4235 struct nft_set *set; 4236 struct nft_ctx ctx; 4237 size_t alloc_size; 4238 u64 timeout; 4239 char *name; 4240 int err, i; 4241 u16 udlen; 4242 u64 size; 4243 4244 if (nla[NFTA_SET_TABLE] == NULL || 4245 nla[NFTA_SET_NAME] == NULL || 4246 nla[NFTA_SET_KEY_LEN] == NULL || 4247 nla[NFTA_SET_ID] == NULL) 4248 return -EINVAL; 4249 4250 memset(&desc, 0, sizeof(desc)); 4251 4252 ktype = NFT_DATA_VALUE; 4253 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 4254 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 4255 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 4256 return -EINVAL; 4257 } 4258 4259 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 4260 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 4261 return -EINVAL; 4262 4263 flags = 0; 4264 if (nla[NFTA_SET_FLAGS] != NULL) { 4265 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 4266 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 4267 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 4268 NFT_SET_MAP | NFT_SET_EVAL | 4269 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR)) 4270 return -EOPNOTSUPP; 4271 /* Only one of these operations is supported */ 4272 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 4273 (NFT_SET_MAP | NFT_SET_OBJECT)) 4274 return -EOPNOTSUPP; 4275 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 4276 (NFT_SET_EVAL | NFT_SET_OBJECT)) 4277 return -EOPNOTSUPP; 4278 } 4279 4280 dtype = 0; 4281 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 4282 if (!(flags & NFT_SET_MAP)) 4283 return -EINVAL; 4284 4285 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 4286 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 4287 dtype != NFT_DATA_VERDICT) 4288 return -EINVAL; 4289 4290 if (dtype != NFT_DATA_VERDICT) { 4291 if (nla[NFTA_SET_DATA_LEN] == NULL) 4292 return -EINVAL; 4293 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 4294 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 4295 return -EINVAL; 4296 } else 4297 desc.dlen = sizeof(struct nft_verdict); 4298 } else if (flags & NFT_SET_MAP) 4299 return -EINVAL; 4300 4301 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 4302 if (!(flags & NFT_SET_OBJECT)) 4303 return -EINVAL; 4304 4305 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 4306 if (objtype == NFT_OBJECT_UNSPEC || 4307 objtype > NFT_OBJECT_MAX) 4308 return -EOPNOTSUPP; 4309 } else if (flags & NFT_SET_OBJECT) 4310 return -EINVAL; 4311 else 4312 objtype = NFT_OBJECT_UNSPEC; 4313 4314 timeout = 0; 4315 if (nla[NFTA_SET_TIMEOUT] != NULL) { 4316 if (!(flags & NFT_SET_TIMEOUT)) 4317 return -EINVAL; 4318 4319 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout); 4320 if (err) 4321 return err; 4322 } 4323 gc_int = 0; 4324 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 4325 if (!(flags & NFT_SET_TIMEOUT)) 4326 return -EINVAL; 4327 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 4328 } 4329 4330 policy = NFT_SET_POL_PERFORMANCE; 4331 if (nla[NFTA_SET_POLICY] != NULL) 4332 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 4333 4334 if (nla[NFTA_SET_DESC] != NULL) { 4335 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 4336 if (err < 0) 4337 return err; 4338 } 4339 4340 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS]) 4341 desc.expr = true; 4342 4343 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask, 4344 NETLINK_CB(skb).portid); 4345 if (IS_ERR(table)) { 4346 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4347 return PTR_ERR(table); 4348 } 4349 4350 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4351 4352 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4353 if (IS_ERR(set)) { 4354 if (PTR_ERR(set) != -ENOENT) { 4355 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4356 return PTR_ERR(set); 4357 } 4358 } else { 4359 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 4360 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4361 return -EEXIST; 4362 } 4363 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 4364 return -EOPNOTSUPP; 4365 4366 return 0; 4367 } 4368 4369 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) 4370 return -ENOENT; 4371 4372 ops = nft_select_set_ops(&ctx, nla, &desc, policy); 4373 if (IS_ERR(ops)) 4374 return PTR_ERR(ops); 4375 4376 udlen = 0; 4377 if (nla[NFTA_SET_USERDATA]) 4378 udlen = nla_len(nla[NFTA_SET_USERDATA]); 4379 4380 size = 0; 4381 if (ops->privsize != NULL) 4382 size = ops->privsize(nla, &desc); 4383 alloc_size = sizeof(*set) + size + udlen; 4384 if (alloc_size < size || alloc_size > INT_MAX) 4385 return -ENOMEM; 4386 set = kvzalloc(alloc_size, GFP_KERNEL); 4387 if (!set) 4388 return -ENOMEM; 4389 4390 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL); 4391 if (!name) { 4392 err = -ENOMEM; 4393 goto err_set_name; 4394 } 4395 4396 err = nf_tables_set_alloc_name(&ctx, set, name); 4397 kfree(name); 4398 if (err < 0) 4399 goto err_set_name; 4400 4401 udata = NULL; 4402 if (udlen) { 4403 udata = set->data + size; 4404 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 4405 } 4406 4407 INIT_LIST_HEAD(&set->bindings); 4408 INIT_LIST_HEAD(&set->catchall_list); 4409 set->table = table; 4410 write_pnet(&set->net, net); 4411 set->ops = ops; 4412 set->ktype = ktype; 4413 set->klen = desc.klen; 4414 set->dtype = dtype; 4415 set->objtype = objtype; 4416 set->dlen = desc.dlen; 4417 set->flags = flags; 4418 set->size = desc.size; 4419 set->policy = policy; 4420 set->udlen = udlen; 4421 set->udata = udata; 4422 set->timeout = timeout; 4423 set->gc_int = gc_int; 4424 4425 set->field_count = desc.field_count; 4426 for (i = 0; i < desc.field_count; i++) 4427 set->field_len[i] = desc.field_len[i]; 4428 4429 err = ops->init(set, &desc, nla); 4430 if (err < 0) 4431 goto err_set_init; 4432 4433 if (nla[NFTA_SET_EXPR]) { 4434 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]); 4435 if (IS_ERR(expr)) { 4436 err = PTR_ERR(expr); 4437 goto err_set_expr_alloc; 4438 } 4439 set->exprs[0] = expr; 4440 set->num_exprs++; 4441 } else if (nla[NFTA_SET_EXPRESSIONS]) { 4442 struct nft_expr *expr; 4443 struct nlattr *tmp; 4444 int left; 4445 4446 if (!(flags & NFT_SET_EXPR)) { 4447 err = -EINVAL; 4448 goto err_set_expr_alloc; 4449 } 4450 i = 0; 4451 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) { 4452 if (i == NFT_SET_EXPR_MAX) { 4453 err = -E2BIG; 4454 goto err_set_expr_alloc; 4455 } 4456 if (nla_type(tmp) != NFTA_LIST_ELEM) { 4457 err = -EINVAL; 4458 goto err_set_expr_alloc; 4459 } 4460 expr = nft_set_elem_expr_alloc(&ctx, set, tmp); 4461 if (IS_ERR(expr)) { 4462 err = PTR_ERR(expr); 4463 goto err_set_expr_alloc; 4464 } 4465 set->exprs[i++] = expr; 4466 set->num_exprs++; 4467 } 4468 } 4469 4470 set->handle = nf_tables_alloc_handle(table); 4471 4472 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 4473 if (err < 0) 4474 goto err_set_expr_alloc; 4475 4476 list_add_tail_rcu(&set->list, &table->sets); 4477 table->use++; 4478 return 0; 4479 4480 err_set_expr_alloc: 4481 for (i = 0; i < set->num_exprs; i++) 4482 nft_expr_destroy(&ctx, set->exprs[i]); 4483 4484 ops->destroy(set); 4485 err_set_init: 4486 kfree(set->name); 4487 err_set_name: 4488 kvfree(set); 4489 return err; 4490 } 4491 4492 struct nft_set_elem_catchall { 4493 struct list_head list; 4494 struct rcu_head rcu; 4495 void *elem; 4496 }; 4497 4498 static void nft_set_catchall_destroy(const struct nft_ctx *ctx, 4499 struct nft_set *set) 4500 { 4501 struct nft_set_elem_catchall *next, *catchall; 4502 4503 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 4504 list_del_rcu(&catchall->list); 4505 nft_set_elem_destroy(set, catchall->elem, true); 4506 kfree_rcu(catchall); 4507 } 4508 } 4509 4510 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 4511 { 4512 int i; 4513 4514 if (WARN_ON(set->use > 0)) 4515 return; 4516 4517 for (i = 0; i < set->num_exprs; i++) 4518 nft_expr_destroy(ctx, set->exprs[i]); 4519 4520 set->ops->destroy(set); 4521 nft_set_catchall_destroy(ctx, set); 4522 kfree(set->name); 4523 kvfree(set); 4524 } 4525 4526 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info, 4527 const struct nlattr * const nla[]) 4528 { 4529 struct netlink_ext_ack *extack = info->extack; 4530 u8 genmask = nft_genmask_next(info->net); 4531 u8 family = info->nfmsg->nfgen_family; 4532 struct net *net = info->net; 4533 const struct nlattr *attr; 4534 struct nft_table *table; 4535 struct nft_set *set; 4536 struct nft_ctx ctx; 4537 4538 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 4539 return -EAFNOSUPPORT; 4540 4541 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 4542 genmask, NETLINK_CB(skb).portid); 4543 if (IS_ERR(table)) { 4544 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4545 return PTR_ERR(table); 4546 } 4547 4548 if (nla[NFTA_SET_HANDLE]) { 4549 attr = nla[NFTA_SET_HANDLE]; 4550 set = nft_set_lookup_byhandle(table, attr, genmask); 4551 } else { 4552 attr = nla[NFTA_SET_NAME]; 4553 set = nft_set_lookup(table, attr, genmask); 4554 } 4555 4556 if (IS_ERR(set)) { 4557 NL_SET_BAD_ATTR(extack, attr); 4558 return PTR_ERR(set); 4559 } 4560 if (set->use || 4561 (info->nlh->nlmsg_flags & NLM_F_NONREC && 4562 atomic_read(&set->nelems) > 0)) { 4563 NL_SET_BAD_ATTR(extack, attr); 4564 return -EBUSY; 4565 } 4566 4567 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4568 4569 return nft_delset(&ctx, set); 4570 } 4571 4572 static int nft_validate_register_store(const struct nft_ctx *ctx, 4573 enum nft_registers reg, 4574 const struct nft_data *data, 4575 enum nft_data_types type, 4576 unsigned int len); 4577 4578 static int nft_setelem_data_validate(const struct nft_ctx *ctx, 4579 struct nft_set *set, 4580 struct nft_set_elem *elem) 4581 { 4582 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4583 enum nft_registers dreg; 4584 4585 dreg = nft_type_to_reg(set->dtype); 4586 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 4587 set->dtype == NFT_DATA_VERDICT ? 4588 NFT_DATA_VERDICT : NFT_DATA_VALUE, 4589 set->dlen); 4590 } 4591 4592 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 4593 struct nft_set *set, 4594 const struct nft_set_iter *iter, 4595 struct nft_set_elem *elem) 4596 { 4597 return nft_setelem_data_validate(ctx, set, elem); 4598 } 4599 4600 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx, 4601 struct nft_set *set) 4602 { 4603 u8 genmask = nft_genmask_next(ctx->net); 4604 struct nft_set_elem_catchall *catchall; 4605 struct nft_set_elem elem; 4606 struct nft_set_ext *ext; 4607 int ret = 0; 4608 4609 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 4610 ext = nft_set_elem_ext(set, catchall->elem); 4611 if (!nft_set_elem_active(ext, genmask)) 4612 continue; 4613 4614 elem.priv = catchall->elem; 4615 ret = nft_setelem_data_validate(ctx, set, &elem); 4616 if (ret < 0) 4617 break; 4618 } 4619 4620 return ret; 4621 } 4622 4623 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 4624 struct nft_set_binding *binding) 4625 { 4626 struct nft_set_binding *i; 4627 struct nft_set_iter iter; 4628 4629 if (set->use == UINT_MAX) 4630 return -EOVERFLOW; 4631 4632 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4633 return -EBUSY; 4634 4635 if (binding->flags & NFT_SET_MAP) { 4636 /* If the set is already bound to the same chain all 4637 * jumps are already validated for that chain. 4638 */ 4639 list_for_each_entry(i, &set->bindings, list) { 4640 if (i->flags & NFT_SET_MAP && 4641 i->chain == binding->chain) 4642 goto bind; 4643 } 4644 4645 iter.genmask = nft_genmask_next(ctx->net); 4646 iter.skip = 0; 4647 iter.count = 0; 4648 iter.err = 0; 4649 iter.fn = nf_tables_bind_check_setelem; 4650 4651 set->ops->walk(ctx, set, &iter); 4652 if (!iter.err) 4653 iter.err = nft_set_catchall_bind_check(ctx, set); 4654 4655 if (iter.err < 0) 4656 return iter.err; 4657 } 4658 bind: 4659 binding->chain = ctx->chain; 4660 list_add_tail_rcu(&binding->list, &set->bindings); 4661 nft_set_trans_bind(ctx, set); 4662 set->use++; 4663 4664 return 0; 4665 } 4666 EXPORT_SYMBOL_GPL(nf_tables_bind_set); 4667 4668 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 4669 struct nft_set_binding *binding, bool event) 4670 { 4671 list_del_rcu(&binding->list); 4672 4673 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 4674 list_del_rcu(&set->list); 4675 if (event) 4676 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 4677 GFP_KERNEL); 4678 } 4679 } 4680 4681 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 4682 struct nft_set_binding *binding, 4683 enum nft_trans_phase phase) 4684 { 4685 switch (phase) { 4686 case NFT_TRANS_PREPARE: 4687 set->use--; 4688 return; 4689 case NFT_TRANS_ABORT: 4690 case NFT_TRANS_RELEASE: 4691 set->use--; 4692 fallthrough; 4693 default: 4694 nf_tables_unbind_set(ctx, set, binding, 4695 phase == NFT_TRANS_COMMIT); 4696 } 4697 } 4698 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 4699 4700 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 4701 { 4702 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4703 nft_set_destroy(ctx, set); 4704 } 4705 EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 4706 4707 const struct nft_set_ext_type nft_set_ext_types[] = { 4708 [NFT_SET_EXT_KEY] = { 4709 .align = __alignof__(u32), 4710 }, 4711 [NFT_SET_EXT_DATA] = { 4712 .align = __alignof__(u32), 4713 }, 4714 [NFT_SET_EXT_EXPRESSIONS] = { 4715 .align = __alignof__(struct nft_set_elem_expr), 4716 }, 4717 [NFT_SET_EXT_OBJREF] = { 4718 .len = sizeof(struct nft_object *), 4719 .align = __alignof__(struct nft_object *), 4720 }, 4721 [NFT_SET_EXT_FLAGS] = { 4722 .len = sizeof(u8), 4723 .align = __alignof__(u8), 4724 }, 4725 [NFT_SET_EXT_TIMEOUT] = { 4726 .len = sizeof(u64), 4727 .align = __alignof__(u64), 4728 }, 4729 [NFT_SET_EXT_EXPIRATION] = { 4730 .len = sizeof(u64), 4731 .align = __alignof__(u64), 4732 }, 4733 [NFT_SET_EXT_USERDATA] = { 4734 .len = sizeof(struct nft_userdata), 4735 .align = __alignof__(struct nft_userdata), 4736 }, 4737 [NFT_SET_EXT_KEY_END] = { 4738 .align = __alignof__(u32), 4739 }, 4740 }; 4741 4742 /* 4743 * Set elements 4744 */ 4745 4746 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 4747 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 4748 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 4749 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 4750 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 4751 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 4752 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 4753 .len = NFT_USERDATA_MAXLEN }, 4754 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 4755 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 4756 .len = NFT_OBJ_MAXNAMELEN - 1 }, 4757 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 4758 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED }, 4759 }; 4760 4761 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 4762 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 4763 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4764 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 4765 .len = NFT_SET_MAXNAMELEN - 1 }, 4766 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED }, 4767 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 4768 }; 4769 4770 static int nft_set_elem_expr_dump(struct sk_buff *skb, 4771 const struct nft_set *set, 4772 const struct nft_set_ext *ext) 4773 { 4774 struct nft_set_elem_expr *elem_expr; 4775 u32 size, num_exprs = 0; 4776 struct nft_expr *expr; 4777 struct nlattr *nest; 4778 4779 elem_expr = nft_set_ext_expr(ext); 4780 nft_setelem_expr_foreach(expr, elem_expr, size) 4781 num_exprs++; 4782 4783 if (num_exprs == 1) { 4784 expr = nft_setelem_expr_at(elem_expr, 0); 4785 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0) 4786 return -1; 4787 4788 return 0; 4789 } else if (num_exprs > 1) { 4790 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS); 4791 if (nest == NULL) 4792 goto nla_put_failure; 4793 4794 nft_setelem_expr_foreach(expr, elem_expr, size) { 4795 expr = nft_setelem_expr_at(elem_expr, size); 4796 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 4797 goto nla_put_failure; 4798 } 4799 nla_nest_end(skb, nest); 4800 } 4801 return 0; 4802 4803 nla_put_failure: 4804 return -1; 4805 } 4806 4807 static int nf_tables_fill_setelem(struct sk_buff *skb, 4808 const struct nft_set *set, 4809 const struct nft_set_elem *elem) 4810 { 4811 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4812 unsigned char *b = skb_tail_pointer(skb); 4813 struct nlattr *nest; 4814 4815 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4816 if (nest == NULL) 4817 goto nla_put_failure; 4818 4819 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 4820 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 4821 NFT_DATA_VALUE, set->klen) < 0) 4822 goto nla_put_failure; 4823 4824 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 4825 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 4826 NFT_DATA_VALUE, set->klen) < 0) 4827 goto nla_put_failure; 4828 4829 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 4830 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 4831 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, 4832 set->dlen) < 0) 4833 goto nla_put_failure; 4834 4835 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) && 4836 nft_set_elem_expr_dump(skb, set, ext)) 4837 goto nla_put_failure; 4838 4839 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 4840 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 4841 (*nft_set_ext_obj(ext))->key.name) < 0) 4842 goto nla_put_failure; 4843 4844 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 4845 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 4846 htonl(*nft_set_ext_flags(ext)))) 4847 goto nla_put_failure; 4848 4849 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 4850 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 4851 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)), 4852 NFTA_SET_ELEM_PAD)) 4853 goto nla_put_failure; 4854 4855 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 4856 u64 expires, now = get_jiffies_64(); 4857 4858 expires = *nft_set_ext_expiration(ext); 4859 if (time_before64(now, expires)) 4860 expires -= now; 4861 else 4862 expires = 0; 4863 4864 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 4865 nf_jiffies64_to_msecs(expires), 4866 NFTA_SET_ELEM_PAD)) 4867 goto nla_put_failure; 4868 } 4869 4870 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 4871 struct nft_userdata *udata; 4872 4873 udata = nft_set_ext_userdata(ext); 4874 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 4875 udata->len + 1, udata->data)) 4876 goto nla_put_failure; 4877 } 4878 4879 nla_nest_end(skb, nest); 4880 return 0; 4881 4882 nla_put_failure: 4883 nlmsg_trim(skb, b); 4884 return -EMSGSIZE; 4885 } 4886 4887 struct nft_set_dump_args { 4888 const struct netlink_callback *cb; 4889 struct nft_set_iter iter; 4890 struct sk_buff *skb; 4891 }; 4892 4893 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 4894 struct nft_set *set, 4895 const struct nft_set_iter *iter, 4896 struct nft_set_elem *elem) 4897 { 4898 struct nft_set_dump_args *args; 4899 4900 args = container_of(iter, struct nft_set_dump_args, iter); 4901 return nf_tables_fill_setelem(args->skb, set, elem); 4902 } 4903 4904 struct nft_set_dump_ctx { 4905 const struct nft_set *set; 4906 struct nft_ctx ctx; 4907 }; 4908 4909 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb, 4910 const struct nft_set *set) 4911 { 4912 struct nft_set_elem_catchall *catchall; 4913 u8 genmask = nft_genmask_cur(net); 4914 struct nft_set_elem elem; 4915 struct nft_set_ext *ext; 4916 int ret = 0; 4917 4918 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 4919 ext = nft_set_elem_ext(set, catchall->elem); 4920 if (!nft_set_elem_active(ext, genmask) || 4921 nft_set_elem_expired(ext)) 4922 continue; 4923 4924 elem.priv = catchall->elem; 4925 ret = nf_tables_fill_setelem(skb, set, &elem); 4926 break; 4927 } 4928 4929 return ret; 4930 } 4931 4932 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 4933 { 4934 struct nft_set_dump_ctx *dump_ctx = cb->data; 4935 struct net *net = sock_net(skb->sk); 4936 struct nftables_pernet *nft_net; 4937 struct nft_table *table; 4938 struct nft_set *set; 4939 struct nft_set_dump_args args; 4940 bool set_found = false; 4941 struct nlmsghdr *nlh; 4942 struct nlattr *nest; 4943 u32 portid, seq; 4944 int event; 4945 4946 rcu_read_lock(); 4947 nft_net = nft_pernet(net); 4948 list_for_each_entry_rcu(table, &nft_net->tables, list) { 4949 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 4950 dump_ctx->ctx.family != table->family) 4951 continue; 4952 4953 if (table != dump_ctx->ctx.table) 4954 continue; 4955 4956 list_for_each_entry_rcu(set, &table->sets, list) { 4957 if (set == dump_ctx->set) { 4958 set_found = true; 4959 break; 4960 } 4961 } 4962 break; 4963 } 4964 4965 if (!set_found) { 4966 rcu_read_unlock(); 4967 return -ENOENT; 4968 } 4969 4970 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 4971 portid = NETLINK_CB(cb->skb).portid; 4972 seq = cb->nlh->nlmsg_seq; 4973 4974 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, 4975 table->family, NFNETLINK_V0, nft_base_seq(net)); 4976 if (!nlh) 4977 goto nla_put_failure; 4978 4979 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 4980 goto nla_put_failure; 4981 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 4982 goto nla_put_failure; 4983 4984 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 4985 if (nest == NULL) 4986 goto nla_put_failure; 4987 4988 args.cb = cb; 4989 args.skb = skb; 4990 args.iter.genmask = nft_genmask_cur(net); 4991 args.iter.skip = cb->args[0]; 4992 args.iter.count = 0; 4993 args.iter.err = 0; 4994 args.iter.fn = nf_tables_dump_setelem; 4995 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 4996 4997 if (!args.iter.err && args.iter.count == cb->args[0]) 4998 args.iter.err = nft_set_catchall_dump(net, skb, set); 4999 rcu_read_unlock(); 5000 5001 nla_nest_end(skb, nest); 5002 nlmsg_end(skb, nlh); 5003 5004 if (args.iter.err && args.iter.err != -EMSGSIZE) 5005 return args.iter.err; 5006 if (args.iter.count == cb->args[0]) 5007 return 0; 5008 5009 cb->args[0] = args.iter.count; 5010 return skb->len; 5011 5012 nla_put_failure: 5013 rcu_read_unlock(); 5014 return -ENOSPC; 5015 } 5016 5017 static int nf_tables_dump_set_start(struct netlink_callback *cb) 5018 { 5019 struct nft_set_dump_ctx *dump_ctx = cb->data; 5020 5021 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 5022 5023 return cb->data ? 0 : -ENOMEM; 5024 } 5025 5026 static int nf_tables_dump_set_done(struct netlink_callback *cb) 5027 { 5028 kfree(cb->data); 5029 return 0; 5030 } 5031 5032 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 5033 const struct nft_ctx *ctx, u32 seq, 5034 u32 portid, int event, u16 flags, 5035 const struct nft_set *set, 5036 const struct nft_set_elem *elem) 5037 { 5038 struct nlmsghdr *nlh; 5039 struct nlattr *nest; 5040 int err; 5041 5042 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 5043 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 5044 NFNETLINK_V0, nft_base_seq(ctx->net)); 5045 if (!nlh) 5046 goto nla_put_failure; 5047 5048 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 5049 goto nla_put_failure; 5050 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 5051 goto nla_put_failure; 5052 5053 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 5054 if (nest == NULL) 5055 goto nla_put_failure; 5056 5057 err = nf_tables_fill_setelem(skb, set, elem); 5058 if (err < 0) 5059 goto nla_put_failure; 5060 5061 nla_nest_end(skb, nest); 5062 5063 nlmsg_end(skb, nlh); 5064 return 0; 5065 5066 nla_put_failure: 5067 nlmsg_trim(skb, nlh); 5068 return -1; 5069 } 5070 5071 static int nft_setelem_parse_flags(const struct nft_set *set, 5072 const struct nlattr *attr, u32 *flags) 5073 { 5074 if (attr == NULL) 5075 return 0; 5076 5077 *flags = ntohl(nla_get_be32(attr)); 5078 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 5079 return -EOPNOTSUPP; 5080 if (!(set->flags & NFT_SET_INTERVAL) && 5081 *flags & NFT_SET_ELEM_INTERVAL_END) 5082 return -EINVAL; 5083 5084 return 0; 5085 } 5086 5087 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set, 5088 struct nft_data *key, struct nlattr *attr) 5089 { 5090 struct nft_data_desc desc; 5091 int err; 5092 5093 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr); 5094 if (err < 0) 5095 return err; 5096 5097 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) { 5098 nft_data_release(key, desc.type); 5099 return -EINVAL; 5100 } 5101 5102 return 0; 5103 } 5104 5105 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 5106 struct nft_data_desc *desc, 5107 struct nft_data *data, 5108 struct nlattr *attr) 5109 { 5110 int err; 5111 5112 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr); 5113 if (err < 0) 5114 return err; 5115 5116 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) { 5117 nft_data_release(data, desc->type); 5118 return -EINVAL; 5119 } 5120 5121 return 0; 5122 } 5123 5124 static void *nft_setelem_catchall_get(const struct net *net, 5125 const struct nft_set *set) 5126 { 5127 struct nft_set_elem_catchall *catchall; 5128 u8 genmask = nft_genmask_cur(net); 5129 struct nft_set_ext *ext; 5130 void *priv = NULL; 5131 5132 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5133 ext = nft_set_elem_ext(set, catchall->elem); 5134 if (!nft_set_elem_active(ext, genmask) || 5135 nft_set_elem_expired(ext)) 5136 continue; 5137 5138 priv = catchall->elem; 5139 break; 5140 } 5141 5142 return priv; 5143 } 5144 5145 static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set, 5146 struct nft_set_elem *elem, u32 flags) 5147 { 5148 void *priv; 5149 5150 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 5151 priv = set->ops->get(ctx->net, set, elem, flags); 5152 if (IS_ERR(priv)) 5153 return PTR_ERR(priv); 5154 } else { 5155 priv = nft_setelem_catchall_get(ctx->net, set); 5156 if (!priv) 5157 return -ENOENT; 5158 } 5159 elem->priv = priv; 5160 5161 return 0; 5162 } 5163 5164 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, 5165 const struct nlattr *attr) 5166 { 5167 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5168 struct nft_set_elem elem; 5169 struct sk_buff *skb; 5170 uint32_t flags = 0; 5171 int err; 5172 5173 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5174 nft_set_elem_policy, NULL); 5175 if (err < 0) 5176 return err; 5177 5178 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5179 if (err < 0) 5180 return err; 5181 5182 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 5183 return -EINVAL; 5184 5185 if (nla[NFTA_SET_ELEM_KEY]) { 5186 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5187 nla[NFTA_SET_ELEM_KEY]); 5188 if (err < 0) 5189 return err; 5190 } 5191 5192 if (nla[NFTA_SET_ELEM_KEY_END]) { 5193 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5194 nla[NFTA_SET_ELEM_KEY_END]); 5195 if (err < 0) 5196 return err; 5197 } 5198 5199 err = nft_setelem_get(ctx, set, &elem, flags); 5200 if (err < 0) 5201 return err; 5202 5203 err = -ENOMEM; 5204 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 5205 if (skb == NULL) 5206 return err; 5207 5208 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 5209 NFT_MSG_NEWSETELEM, 0, set, &elem); 5210 if (err < 0) 5211 goto err_fill_setelem; 5212 5213 return nfnetlink_unicast(skb, ctx->net, ctx->portid); 5214 5215 err_fill_setelem: 5216 kfree_skb(skb); 5217 return err; 5218 } 5219 5220 /* called with rcu_read_lock held */ 5221 static int nf_tables_getsetelem(struct sk_buff *skb, 5222 const struct nfnl_info *info, 5223 const struct nlattr * const nla[]) 5224 { 5225 struct netlink_ext_ack *extack = info->extack; 5226 u8 genmask = nft_genmask_cur(info->net); 5227 u8 family = info->nfmsg->nfgen_family; 5228 struct net *net = info->net; 5229 struct nft_table *table; 5230 struct nft_set *set; 5231 struct nlattr *attr; 5232 struct nft_ctx ctx; 5233 int rem, err = 0; 5234 5235 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 5236 genmask, NETLINK_CB(skb).portid); 5237 if (IS_ERR(table)) { 5238 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 5239 return PTR_ERR(table); 5240 } 5241 5242 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 5243 if (IS_ERR(set)) 5244 return PTR_ERR(set); 5245 5246 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5247 5248 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 5249 struct netlink_dump_control c = { 5250 .start = nf_tables_dump_set_start, 5251 .dump = nf_tables_dump_set, 5252 .done = nf_tables_dump_set_done, 5253 .module = THIS_MODULE, 5254 }; 5255 struct nft_set_dump_ctx dump_ctx = { 5256 .set = set, 5257 .ctx = ctx, 5258 }; 5259 5260 c.data = &dump_ctx; 5261 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 5262 } 5263 5264 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 5265 return -EINVAL; 5266 5267 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5268 err = nft_get_set_elem(&ctx, set, attr); 5269 if (err < 0) 5270 break; 5271 } 5272 5273 return err; 5274 } 5275 5276 static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 5277 const struct nft_set *set, 5278 const struct nft_set_elem *elem, 5279 int event) 5280 { 5281 struct nftables_pernet *nft_net; 5282 struct net *net = ctx->net; 5283 u32 portid = ctx->portid; 5284 struct sk_buff *skb; 5285 u16 flags = 0; 5286 int err; 5287 5288 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 5289 return; 5290 5291 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 5292 if (skb == NULL) 5293 goto err; 5294 5295 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 5296 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 5297 5298 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 5299 set, elem); 5300 if (err < 0) { 5301 kfree_skb(skb); 5302 goto err; 5303 } 5304 5305 nft_net = nft_pernet(net); 5306 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 5307 return; 5308 err: 5309 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 5310 } 5311 5312 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 5313 int msg_type, 5314 struct nft_set *set) 5315 { 5316 struct nft_trans *trans; 5317 5318 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 5319 if (trans == NULL) 5320 return NULL; 5321 5322 nft_trans_elem_set(trans) = set; 5323 return trans; 5324 } 5325 5326 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 5327 const struct nft_set *set, 5328 const struct nlattr *attr) 5329 { 5330 struct nft_expr *expr; 5331 int err; 5332 5333 expr = nft_expr_init(ctx, attr); 5334 if (IS_ERR(expr)) 5335 return expr; 5336 5337 err = -EOPNOTSUPP; 5338 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL)) 5339 goto err_set_elem_expr; 5340 5341 if (expr->ops->type->flags & NFT_EXPR_GC) { 5342 if (set->flags & NFT_SET_TIMEOUT) 5343 goto err_set_elem_expr; 5344 if (!set->ops->gc_init) 5345 goto err_set_elem_expr; 5346 set->ops->gc_init(set); 5347 } 5348 5349 return expr; 5350 5351 err_set_elem_expr: 5352 nft_expr_destroy(ctx, expr); 5353 return ERR_PTR(err); 5354 } 5355 5356 void *nft_set_elem_init(const struct nft_set *set, 5357 const struct nft_set_ext_tmpl *tmpl, 5358 const u32 *key, const u32 *key_end, 5359 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp) 5360 { 5361 struct nft_set_ext *ext; 5362 void *elem; 5363 5364 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 5365 if (elem == NULL) 5366 return NULL; 5367 5368 ext = nft_set_elem_ext(set, elem); 5369 nft_set_ext_init(ext, tmpl); 5370 5371 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY)) 5372 memcpy(nft_set_ext_key(ext), key, set->klen); 5373 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) 5374 memcpy(nft_set_ext_key_end(ext), key_end, set->klen); 5375 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5376 memcpy(nft_set_ext_data(ext), data, set->dlen); 5377 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 5378 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration; 5379 if (expiration == 0) 5380 *nft_set_ext_expiration(ext) += timeout; 5381 } 5382 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 5383 *nft_set_ext_timeout(ext) = timeout; 5384 5385 return elem; 5386 } 5387 5388 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 5389 struct nft_expr *expr) 5390 { 5391 if (expr->ops->destroy_clone) { 5392 expr->ops->destroy_clone(ctx, expr); 5393 module_put(expr->ops->type->owner); 5394 } else { 5395 nf_tables_expr_destroy(ctx, expr); 5396 } 5397 } 5398 5399 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 5400 struct nft_set_elem_expr *elem_expr) 5401 { 5402 struct nft_expr *expr; 5403 u32 size; 5404 5405 nft_setelem_expr_foreach(expr, elem_expr, size) 5406 __nft_set_elem_expr_destroy(ctx, expr); 5407 } 5408 5409 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 5410 bool destroy_expr) 5411 { 5412 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5413 struct nft_ctx ctx = { 5414 .net = read_pnet(&set->net), 5415 .family = set->table->family, 5416 }; 5417 5418 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 5419 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5420 nft_data_release(nft_set_ext_data(ext), set->dtype); 5421 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 5422 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext)); 5423 5424 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5425 (*nft_set_ext_obj(ext))->use--; 5426 kfree(elem); 5427 } 5428 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 5429 5430 /* Only called from commit path, nft_setelem_data_deactivate() already deals 5431 * with the refcounting from the preparation phase. 5432 */ 5433 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 5434 const struct nft_set *set, void *elem) 5435 { 5436 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5437 5438 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 5439 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 5440 5441 kfree(elem); 5442 } 5443 5444 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, 5445 struct nft_expr *expr_array[]) 5446 { 5447 struct nft_expr *expr; 5448 int err, i, k; 5449 5450 for (i = 0; i < set->num_exprs; i++) { 5451 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL); 5452 if (!expr) 5453 goto err_expr; 5454 5455 err = nft_expr_clone(expr, set->exprs[i]); 5456 if (err < 0) { 5457 nft_expr_destroy(ctx, expr); 5458 goto err_expr; 5459 } 5460 expr_array[i] = expr; 5461 } 5462 5463 return 0; 5464 5465 err_expr: 5466 for (k = i - 1; k >= 0; k--) 5467 nft_expr_destroy(ctx, expr_array[k]); 5468 5469 return -ENOMEM; 5470 } 5471 5472 static int nft_set_elem_expr_setup(struct nft_ctx *ctx, 5473 const struct nft_set_ext *ext, 5474 struct nft_expr *expr_array[], 5475 u32 num_exprs) 5476 { 5477 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); 5478 struct nft_expr *expr; 5479 int i, err; 5480 5481 for (i = 0; i < num_exprs; i++) { 5482 expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 5483 err = nft_expr_clone(expr, expr_array[i]); 5484 if (err < 0) 5485 goto err_elem_expr_setup; 5486 5487 elem_expr->size += expr_array[i]->ops->size; 5488 nft_expr_destroy(ctx, expr_array[i]); 5489 expr_array[i] = NULL; 5490 } 5491 5492 return 0; 5493 5494 err_elem_expr_setup: 5495 for (; i < num_exprs; i++) { 5496 nft_expr_destroy(ctx, expr_array[i]); 5497 expr_array[i] = NULL; 5498 } 5499 5500 return -ENOMEM; 5501 } 5502 5503 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net, 5504 const struct nft_set *set) 5505 { 5506 struct nft_set_elem_catchall *catchall; 5507 u8 genmask = nft_genmask_cur(net); 5508 struct nft_set_ext *ext; 5509 5510 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5511 ext = nft_set_elem_ext(set, catchall->elem); 5512 if (nft_set_elem_active(ext, genmask) && 5513 !nft_set_elem_expired(ext)) 5514 return ext; 5515 } 5516 5517 return NULL; 5518 } 5519 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup); 5520 5521 void *nft_set_catchall_gc(const struct nft_set *set) 5522 { 5523 struct nft_set_elem_catchall *catchall, *next; 5524 struct nft_set_ext *ext; 5525 void *elem = NULL; 5526 5527 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5528 ext = nft_set_elem_ext(set, catchall->elem); 5529 5530 if (!nft_set_elem_expired(ext) || 5531 nft_set_elem_mark_busy(ext)) 5532 continue; 5533 5534 elem = catchall->elem; 5535 list_del_rcu(&catchall->list); 5536 kfree_rcu(catchall, rcu); 5537 break; 5538 } 5539 5540 return elem; 5541 } 5542 EXPORT_SYMBOL_GPL(nft_set_catchall_gc); 5543 5544 static int nft_setelem_catchall_insert(const struct net *net, 5545 struct nft_set *set, 5546 const struct nft_set_elem *elem, 5547 struct nft_set_ext **pext) 5548 { 5549 struct nft_set_elem_catchall *catchall; 5550 u8 genmask = nft_genmask_next(net); 5551 struct nft_set_ext *ext; 5552 5553 list_for_each_entry(catchall, &set->catchall_list, list) { 5554 ext = nft_set_elem_ext(set, catchall->elem); 5555 if (nft_set_elem_active(ext, genmask)) { 5556 *pext = ext; 5557 return -EEXIST; 5558 } 5559 } 5560 5561 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL); 5562 if (!catchall) 5563 return -ENOMEM; 5564 5565 catchall->elem = elem->priv; 5566 list_add_tail_rcu(&catchall->list, &set->catchall_list); 5567 5568 return 0; 5569 } 5570 5571 static int nft_setelem_insert(const struct net *net, 5572 struct nft_set *set, 5573 const struct nft_set_elem *elem, 5574 struct nft_set_ext **ext, unsigned int flags) 5575 { 5576 int ret; 5577 5578 if (flags & NFT_SET_ELEM_CATCHALL) 5579 ret = nft_setelem_catchall_insert(net, set, elem, ext); 5580 else 5581 ret = set->ops->insert(net, set, elem, ext); 5582 5583 return ret; 5584 } 5585 5586 static bool nft_setelem_is_catchall(const struct nft_set *set, 5587 const struct nft_set_elem *elem) 5588 { 5589 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5590 5591 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 5592 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL) 5593 return true; 5594 5595 return false; 5596 } 5597 5598 static void nft_setelem_activate(struct net *net, struct nft_set *set, 5599 struct nft_set_elem *elem) 5600 { 5601 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5602 5603 if (nft_setelem_is_catchall(set, elem)) { 5604 nft_set_elem_change_active(net, set, ext); 5605 nft_set_elem_clear_busy(ext); 5606 } else { 5607 set->ops->activate(net, set, elem); 5608 } 5609 } 5610 5611 static int nft_setelem_catchall_deactivate(const struct net *net, 5612 struct nft_set *set, 5613 struct nft_set_elem *elem) 5614 { 5615 struct nft_set_elem_catchall *catchall; 5616 struct nft_set_ext *ext; 5617 5618 list_for_each_entry(catchall, &set->catchall_list, list) { 5619 ext = nft_set_elem_ext(set, catchall->elem); 5620 if (!nft_is_active(net, ext) || 5621 nft_set_elem_mark_busy(ext)) 5622 continue; 5623 5624 kfree(elem->priv); 5625 elem->priv = catchall->elem; 5626 nft_set_elem_change_active(net, set, ext); 5627 return 0; 5628 } 5629 5630 return -ENOENT; 5631 } 5632 5633 static int __nft_setelem_deactivate(const struct net *net, 5634 struct nft_set *set, 5635 struct nft_set_elem *elem) 5636 { 5637 void *priv; 5638 5639 priv = set->ops->deactivate(net, set, elem); 5640 if (!priv) 5641 return -ENOENT; 5642 5643 kfree(elem->priv); 5644 elem->priv = priv; 5645 set->ndeact++; 5646 5647 return 0; 5648 } 5649 5650 static int nft_setelem_deactivate(const struct net *net, 5651 struct nft_set *set, 5652 struct nft_set_elem *elem, u32 flags) 5653 { 5654 int ret; 5655 5656 if (flags & NFT_SET_ELEM_CATCHALL) 5657 ret = nft_setelem_catchall_deactivate(net, set, elem); 5658 else 5659 ret = __nft_setelem_deactivate(net, set, elem); 5660 5661 return ret; 5662 } 5663 5664 static void nft_setelem_catchall_remove(const struct net *net, 5665 const struct nft_set *set, 5666 const struct nft_set_elem *elem) 5667 { 5668 struct nft_set_elem_catchall *catchall, *next; 5669 5670 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5671 if (catchall->elem == elem->priv) { 5672 list_del_rcu(&catchall->list); 5673 kfree_rcu(catchall); 5674 break; 5675 } 5676 } 5677 } 5678 5679 static void nft_setelem_remove(const struct net *net, 5680 const struct nft_set *set, 5681 const struct nft_set_elem *elem) 5682 { 5683 if (nft_setelem_is_catchall(set, elem)) 5684 nft_setelem_catchall_remove(net, set, elem); 5685 else 5686 set->ops->remove(net, set, elem); 5687 } 5688 5689 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 5690 const struct nlattr *attr, u32 nlmsg_flags) 5691 { 5692 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {}; 5693 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5694 u8 genmask = nft_genmask_next(ctx->net); 5695 u32 flags = 0, size = 0, num_exprs = 0; 5696 struct nft_set_ext_tmpl tmpl; 5697 struct nft_set_ext *ext, *ext2; 5698 struct nft_set_elem elem; 5699 struct nft_set_binding *binding; 5700 struct nft_object *obj = NULL; 5701 struct nft_userdata *udata; 5702 struct nft_data_desc desc; 5703 enum nft_registers dreg; 5704 struct nft_trans *trans; 5705 u64 timeout; 5706 u64 expiration; 5707 int err, i; 5708 u8 ulen; 5709 5710 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5711 nft_set_elem_policy, NULL); 5712 if (err < 0) 5713 return err; 5714 5715 nft_set_ext_prepare(&tmpl); 5716 5717 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5718 if (err < 0) 5719 return err; 5720 5721 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 5722 return -EINVAL; 5723 5724 if (flags != 0) 5725 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 5726 5727 if (set->flags & NFT_SET_MAP) { 5728 if (nla[NFTA_SET_ELEM_DATA] == NULL && 5729 !(flags & NFT_SET_ELEM_INTERVAL_END)) 5730 return -EINVAL; 5731 } else { 5732 if (nla[NFTA_SET_ELEM_DATA] != NULL) 5733 return -EINVAL; 5734 } 5735 5736 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 5737 (nla[NFTA_SET_ELEM_DATA] || 5738 nla[NFTA_SET_ELEM_OBJREF] || 5739 nla[NFTA_SET_ELEM_TIMEOUT] || 5740 nla[NFTA_SET_ELEM_EXPIRATION] || 5741 nla[NFTA_SET_ELEM_USERDATA] || 5742 nla[NFTA_SET_ELEM_EXPR] || 5743 nla[NFTA_SET_ELEM_EXPRESSIONS])) 5744 return -EINVAL; 5745 5746 timeout = 0; 5747 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 5748 if (!(set->flags & NFT_SET_TIMEOUT)) 5749 return -EINVAL; 5750 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 5751 &timeout); 5752 if (err) 5753 return err; 5754 } else if (set->flags & NFT_SET_TIMEOUT) { 5755 timeout = set->timeout; 5756 } 5757 5758 expiration = 0; 5759 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 5760 if (!(set->flags & NFT_SET_TIMEOUT)) 5761 return -EINVAL; 5762 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 5763 &expiration); 5764 if (err) 5765 return err; 5766 } 5767 5768 if (nla[NFTA_SET_ELEM_EXPR]) { 5769 struct nft_expr *expr; 5770 5771 if (set->num_exprs && set->num_exprs != 1) 5772 return -EOPNOTSUPP; 5773 5774 expr = nft_set_elem_expr_alloc(ctx, set, 5775 nla[NFTA_SET_ELEM_EXPR]); 5776 if (IS_ERR(expr)) 5777 return PTR_ERR(expr); 5778 5779 expr_array[0] = expr; 5780 num_exprs = 1; 5781 5782 if (set->num_exprs && set->exprs[0]->ops != expr->ops) { 5783 err = -EOPNOTSUPP; 5784 goto err_set_elem_expr; 5785 } 5786 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) { 5787 struct nft_expr *expr; 5788 struct nlattr *tmp; 5789 int left; 5790 5791 i = 0; 5792 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) { 5793 if (i == NFT_SET_EXPR_MAX || 5794 (set->num_exprs && set->num_exprs == i)) { 5795 err = -E2BIG; 5796 goto err_set_elem_expr; 5797 } 5798 if (nla_type(tmp) != NFTA_LIST_ELEM) { 5799 err = -EINVAL; 5800 goto err_set_elem_expr; 5801 } 5802 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 5803 if (IS_ERR(expr)) { 5804 err = PTR_ERR(expr); 5805 goto err_set_elem_expr; 5806 } 5807 expr_array[i] = expr; 5808 num_exprs++; 5809 5810 if (set->num_exprs && expr->ops != set->exprs[i]->ops) { 5811 err = -EOPNOTSUPP; 5812 goto err_set_elem_expr; 5813 } 5814 i++; 5815 } 5816 if (set->num_exprs && set->num_exprs != i) { 5817 err = -EOPNOTSUPP; 5818 goto err_set_elem_expr; 5819 } 5820 } else if (set->num_exprs > 0) { 5821 err = nft_set_elem_expr_clone(ctx, set, expr_array); 5822 if (err < 0) 5823 goto err_set_elem_expr_clone; 5824 5825 num_exprs = set->num_exprs; 5826 } 5827 5828 if (nla[NFTA_SET_ELEM_KEY]) { 5829 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5830 nla[NFTA_SET_ELEM_KEY]); 5831 if (err < 0) 5832 goto err_set_elem_expr; 5833 5834 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 5835 } 5836 5837 if (nla[NFTA_SET_ELEM_KEY_END]) { 5838 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5839 nla[NFTA_SET_ELEM_KEY_END]); 5840 if (err < 0) 5841 goto err_parse_key; 5842 5843 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 5844 } 5845 5846 if (timeout > 0) { 5847 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION); 5848 if (timeout != set->timeout) 5849 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 5850 } 5851 5852 if (num_exprs) { 5853 for (i = 0; i < num_exprs; i++) 5854 size += expr_array[i]->ops->size; 5855 5856 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS, 5857 sizeof(struct nft_set_elem_expr) + 5858 size); 5859 } 5860 5861 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 5862 if (!(set->flags & NFT_SET_OBJECT)) { 5863 err = -EINVAL; 5864 goto err_parse_key_end; 5865 } 5866 obj = nft_obj_lookup(ctx->net, ctx->table, 5867 nla[NFTA_SET_ELEM_OBJREF], 5868 set->objtype, genmask); 5869 if (IS_ERR(obj)) { 5870 err = PTR_ERR(obj); 5871 goto err_parse_key_end; 5872 } 5873 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 5874 } 5875 5876 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 5877 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 5878 nla[NFTA_SET_ELEM_DATA]); 5879 if (err < 0) 5880 goto err_parse_key_end; 5881 5882 dreg = nft_type_to_reg(set->dtype); 5883 list_for_each_entry(binding, &set->bindings, list) { 5884 struct nft_ctx bind_ctx = { 5885 .net = ctx->net, 5886 .family = ctx->family, 5887 .table = ctx->table, 5888 .chain = (struct nft_chain *)binding->chain, 5889 }; 5890 5891 if (!(binding->flags & NFT_SET_MAP)) 5892 continue; 5893 5894 err = nft_validate_register_store(&bind_ctx, dreg, 5895 &elem.data.val, 5896 desc.type, desc.len); 5897 if (err < 0) 5898 goto err_parse_data; 5899 5900 if (desc.type == NFT_DATA_VERDICT && 5901 (elem.data.val.verdict.code == NFT_GOTO || 5902 elem.data.val.verdict.code == NFT_JUMP)) 5903 nft_validate_state_update(ctx->net, 5904 NFT_VALIDATE_NEED); 5905 } 5906 5907 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 5908 } 5909 5910 /* The full maximum length of userdata can exceed the maximum 5911 * offset value (U8_MAX) for following extensions, therefor it 5912 * must be the last extension added. 5913 */ 5914 ulen = 0; 5915 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 5916 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 5917 if (ulen > 0) 5918 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 5919 ulen); 5920 } 5921 5922 err = -ENOMEM; 5923 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 5924 elem.key_end.val.data, elem.data.val.data, 5925 timeout, expiration, GFP_KERNEL); 5926 if (elem.priv == NULL) 5927 goto err_parse_data; 5928 5929 ext = nft_set_elem_ext(set, elem.priv); 5930 if (flags) 5931 *nft_set_ext_flags(ext) = flags; 5932 if (ulen > 0) { 5933 udata = nft_set_ext_userdata(ext); 5934 udata->len = ulen - 1; 5935 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 5936 } 5937 if (obj) { 5938 *nft_set_ext_obj(ext) = obj; 5939 obj->use++; 5940 } 5941 err = nft_set_elem_expr_setup(ctx, ext, expr_array, num_exprs); 5942 if (err < 0) 5943 goto err_elem_expr; 5944 5945 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 5946 if (trans == NULL) { 5947 err = -ENOMEM; 5948 goto err_elem_expr; 5949 } 5950 5951 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; 5952 5953 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags); 5954 if (err) { 5955 if (err == -EEXIST) { 5956 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 5957 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 5958 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 5959 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) 5960 goto err_element_clash; 5961 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 5962 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 5963 memcmp(nft_set_ext_data(ext), 5964 nft_set_ext_data(ext2), set->dlen) != 0) || 5965 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 5966 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 5967 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 5968 goto err_element_clash; 5969 else if (!(nlmsg_flags & NLM_F_EXCL)) 5970 err = 0; 5971 } else if (err == -ENOTEMPTY) { 5972 /* ENOTEMPTY reports overlapping between this element 5973 * and an existing one. 5974 */ 5975 err = -EEXIST; 5976 } 5977 goto err_element_clash; 5978 } 5979 5980 if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size && 5981 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) { 5982 err = -ENFILE; 5983 goto err_set_full; 5984 } 5985 5986 nft_trans_elem(trans) = elem; 5987 nft_trans_commit_list_add_tail(ctx->net, trans); 5988 return 0; 5989 5990 err_set_full: 5991 nft_setelem_remove(ctx->net, set, &elem); 5992 err_element_clash: 5993 kfree(trans); 5994 err_elem_expr: 5995 if (obj) 5996 obj->use--; 5997 5998 nf_tables_set_elem_destroy(ctx, set, elem.priv); 5999 err_parse_data: 6000 if (nla[NFTA_SET_ELEM_DATA] != NULL) 6001 nft_data_release(&elem.data.val, desc.type); 6002 err_parse_key_end: 6003 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 6004 err_parse_key: 6005 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 6006 err_set_elem_expr: 6007 for (i = 0; i < num_exprs && expr_array[i]; i++) 6008 nft_expr_destroy(ctx, expr_array[i]); 6009 err_set_elem_expr_clone: 6010 return err; 6011 } 6012 6013 static int nf_tables_newsetelem(struct sk_buff *skb, 6014 const struct nfnl_info *info, 6015 const struct nlattr * const nla[]) 6016 { 6017 struct nftables_pernet *nft_net = nft_pernet(info->net); 6018 struct netlink_ext_ack *extack = info->extack; 6019 u8 genmask = nft_genmask_next(info->net); 6020 u8 family = info->nfmsg->nfgen_family; 6021 struct net *net = info->net; 6022 const struct nlattr *attr; 6023 struct nft_table *table; 6024 struct nft_set *set; 6025 struct nft_ctx ctx; 6026 int rem, err; 6027 6028 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 6029 return -EINVAL; 6030 6031 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6032 genmask, NETLINK_CB(skb).portid); 6033 if (IS_ERR(table)) { 6034 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6035 return PTR_ERR(table); 6036 } 6037 6038 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET], 6039 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 6040 if (IS_ERR(set)) 6041 return PTR_ERR(set); 6042 6043 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 6044 return -EBUSY; 6045 6046 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6047 6048 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6049 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags); 6050 if (err < 0) 6051 return err; 6052 } 6053 6054 if (nft_net->validate_state == NFT_VALIDATE_DO) 6055 return nft_table_validate(net, table); 6056 6057 return 0; 6058 } 6059 6060 /** 6061 * nft_data_hold - hold a nft_data item 6062 * 6063 * @data: struct nft_data to release 6064 * @type: type of data 6065 * 6066 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 6067 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 6068 * NFT_GOTO verdicts. This function must be called on active data objects 6069 * from the second phase of the commit protocol. 6070 */ 6071 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 6072 { 6073 struct nft_chain *chain; 6074 struct nft_rule *rule; 6075 6076 if (type == NFT_DATA_VERDICT) { 6077 switch (data->verdict.code) { 6078 case NFT_JUMP: 6079 case NFT_GOTO: 6080 chain = data->verdict.chain; 6081 chain->use++; 6082 6083 if (!nft_chain_is_bound(chain)) 6084 break; 6085 6086 chain->table->use++; 6087 list_for_each_entry(rule, &chain->rules, list) 6088 chain->use++; 6089 6090 nft_chain_add(chain->table, chain); 6091 break; 6092 } 6093 } 6094 } 6095 6096 static void nft_setelem_data_activate(const struct net *net, 6097 const struct nft_set *set, 6098 struct nft_set_elem *elem) 6099 { 6100 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 6101 6102 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6103 nft_data_hold(nft_set_ext_data(ext), set->dtype); 6104 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6105 (*nft_set_ext_obj(ext))->use++; 6106 } 6107 6108 static void nft_setelem_data_deactivate(const struct net *net, 6109 const struct nft_set *set, 6110 struct nft_set_elem *elem) 6111 { 6112 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 6113 6114 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6115 nft_data_release(nft_set_ext_data(ext), set->dtype); 6116 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6117 (*nft_set_ext_obj(ext))->use--; 6118 } 6119 6120 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 6121 const struct nlattr *attr) 6122 { 6123 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 6124 struct nft_set_ext_tmpl tmpl; 6125 struct nft_set_elem elem; 6126 struct nft_set_ext *ext; 6127 struct nft_trans *trans; 6128 u32 flags = 0; 6129 int err; 6130 6131 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 6132 nft_set_elem_policy, NULL); 6133 if (err < 0) 6134 return err; 6135 6136 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 6137 if (err < 0) 6138 return err; 6139 6140 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 6141 return -EINVAL; 6142 6143 nft_set_ext_prepare(&tmpl); 6144 6145 if (flags != 0) 6146 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 6147 6148 if (nla[NFTA_SET_ELEM_KEY]) { 6149 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 6150 nla[NFTA_SET_ELEM_KEY]); 6151 if (err < 0) 6152 return err; 6153 6154 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 6155 } 6156 6157 if (nla[NFTA_SET_ELEM_KEY_END]) { 6158 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 6159 nla[NFTA_SET_ELEM_KEY_END]); 6160 if (err < 0) 6161 return err; 6162 6163 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 6164 } 6165 6166 err = -ENOMEM; 6167 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 6168 elem.key_end.val.data, NULL, 0, 0, 6169 GFP_KERNEL); 6170 if (elem.priv == NULL) 6171 goto fail_elem; 6172 6173 ext = nft_set_elem_ext(set, elem.priv); 6174 if (flags) 6175 *nft_set_ext_flags(ext) = flags; 6176 6177 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 6178 if (trans == NULL) 6179 goto fail_trans; 6180 6181 err = nft_setelem_deactivate(ctx->net, set, &elem, flags); 6182 if (err < 0) 6183 goto fail_ops; 6184 6185 nft_setelem_data_deactivate(ctx->net, set, &elem); 6186 6187 nft_trans_elem(trans) = elem; 6188 nft_trans_commit_list_add_tail(ctx->net, trans); 6189 return 0; 6190 6191 fail_ops: 6192 kfree(trans); 6193 fail_trans: 6194 kfree(elem.priv); 6195 fail_elem: 6196 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 6197 return err; 6198 } 6199 6200 static int nft_setelem_flush(const struct nft_ctx *ctx, 6201 struct nft_set *set, 6202 const struct nft_set_iter *iter, 6203 struct nft_set_elem *elem) 6204 { 6205 struct nft_trans *trans; 6206 int err; 6207 6208 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 6209 sizeof(struct nft_trans_elem), GFP_ATOMIC); 6210 if (!trans) 6211 return -ENOMEM; 6212 6213 if (!set->ops->flush(ctx->net, set, elem->priv)) { 6214 err = -ENOENT; 6215 goto err1; 6216 } 6217 set->ndeact++; 6218 6219 nft_setelem_data_deactivate(ctx->net, set, elem); 6220 nft_trans_elem_set(trans) = set; 6221 nft_trans_elem(trans) = *elem; 6222 nft_trans_commit_list_add_tail(ctx->net, trans); 6223 6224 return 0; 6225 err1: 6226 kfree(trans); 6227 return err; 6228 } 6229 6230 static int __nft_set_catchall_flush(const struct nft_ctx *ctx, 6231 struct nft_set *set, 6232 struct nft_set_elem *elem) 6233 { 6234 struct nft_trans *trans; 6235 6236 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 6237 sizeof(struct nft_trans_elem), GFP_KERNEL); 6238 if (!trans) 6239 return -ENOMEM; 6240 6241 nft_setelem_data_deactivate(ctx->net, set, elem); 6242 nft_trans_elem_set(trans) = set; 6243 nft_trans_elem(trans) = *elem; 6244 nft_trans_commit_list_add_tail(ctx->net, trans); 6245 6246 return 0; 6247 } 6248 6249 static int nft_set_catchall_flush(const struct nft_ctx *ctx, 6250 struct nft_set *set) 6251 { 6252 u8 genmask = nft_genmask_next(ctx->net); 6253 struct nft_set_elem_catchall *catchall; 6254 struct nft_set_elem elem; 6255 struct nft_set_ext *ext; 6256 int ret = 0; 6257 6258 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6259 ext = nft_set_elem_ext(set, catchall->elem); 6260 if (!nft_set_elem_active(ext, genmask) || 6261 nft_set_elem_mark_busy(ext)) 6262 continue; 6263 6264 elem.priv = catchall->elem; 6265 ret = __nft_set_catchall_flush(ctx, set, &elem); 6266 if (ret < 0) 6267 break; 6268 } 6269 6270 return ret; 6271 } 6272 6273 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask) 6274 { 6275 struct nft_set_iter iter = { 6276 .genmask = genmask, 6277 .fn = nft_setelem_flush, 6278 }; 6279 6280 set->ops->walk(ctx, set, &iter); 6281 if (!iter.err) 6282 iter.err = nft_set_catchall_flush(ctx, set); 6283 6284 return iter.err; 6285 } 6286 6287 static int nf_tables_delsetelem(struct sk_buff *skb, 6288 const struct nfnl_info *info, 6289 const struct nlattr * const nla[]) 6290 { 6291 struct netlink_ext_ack *extack = info->extack; 6292 u8 genmask = nft_genmask_next(info->net); 6293 u8 family = info->nfmsg->nfgen_family; 6294 struct net *net = info->net; 6295 const struct nlattr *attr; 6296 struct nft_table *table; 6297 struct nft_set *set; 6298 struct nft_ctx ctx; 6299 int rem, err = 0; 6300 6301 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6302 genmask, NETLINK_CB(skb).portid); 6303 if (IS_ERR(table)) { 6304 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6305 return PTR_ERR(table); 6306 } 6307 6308 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 6309 if (IS_ERR(set)) 6310 return PTR_ERR(set); 6311 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 6312 return -EBUSY; 6313 6314 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6315 6316 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 6317 return nft_set_flush(&ctx, set, genmask); 6318 6319 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6320 err = nft_del_setelem(&ctx, set, attr); 6321 if (err < 0) 6322 break; 6323 } 6324 return err; 6325 } 6326 6327 void nft_set_gc_batch_release(struct rcu_head *rcu) 6328 { 6329 struct nft_set_gc_batch *gcb; 6330 unsigned int i; 6331 6332 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu); 6333 for (i = 0; i < gcb->head.cnt; i++) 6334 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true); 6335 kfree(gcb); 6336 } 6337 6338 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 6339 gfp_t gfp) 6340 { 6341 struct nft_set_gc_batch *gcb; 6342 6343 gcb = kzalloc(sizeof(*gcb), gfp); 6344 if (gcb == NULL) 6345 return gcb; 6346 gcb->head.set = set; 6347 return gcb; 6348 } 6349 6350 /* 6351 * Stateful objects 6352 */ 6353 6354 /** 6355 * nft_register_obj- register nf_tables stateful object type 6356 * @obj_type: object type 6357 * 6358 * Registers the object type for use with nf_tables. Returns zero on 6359 * success or a negative errno code otherwise. 6360 */ 6361 int nft_register_obj(struct nft_object_type *obj_type) 6362 { 6363 if (obj_type->type == NFT_OBJECT_UNSPEC) 6364 return -EINVAL; 6365 6366 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6367 list_add_rcu(&obj_type->list, &nf_tables_objects); 6368 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6369 return 0; 6370 } 6371 EXPORT_SYMBOL_GPL(nft_register_obj); 6372 6373 /** 6374 * nft_unregister_obj - unregister nf_tables object type 6375 * @obj_type: object type 6376 * 6377 * Unregisters the object type for use with nf_tables. 6378 */ 6379 void nft_unregister_obj(struct nft_object_type *obj_type) 6380 { 6381 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6382 list_del_rcu(&obj_type->list); 6383 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6384 } 6385 EXPORT_SYMBOL_GPL(nft_unregister_obj); 6386 6387 struct nft_object *nft_obj_lookup(const struct net *net, 6388 const struct nft_table *table, 6389 const struct nlattr *nla, u32 objtype, 6390 u8 genmask) 6391 { 6392 struct nft_object_hash_key k = { .table = table }; 6393 char search[NFT_OBJ_MAXNAMELEN]; 6394 struct rhlist_head *tmp, *list; 6395 struct nft_object *obj; 6396 6397 nla_strscpy(search, nla, sizeof(search)); 6398 k.name = search; 6399 6400 WARN_ON_ONCE(!rcu_read_lock_held() && 6401 !lockdep_commit_lock_is_held(net)); 6402 6403 rcu_read_lock(); 6404 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 6405 if (!list) 6406 goto out; 6407 6408 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 6409 if (objtype == obj->ops->type->type && 6410 nft_active_genmask(obj, genmask)) { 6411 rcu_read_unlock(); 6412 return obj; 6413 } 6414 } 6415 out: 6416 rcu_read_unlock(); 6417 return ERR_PTR(-ENOENT); 6418 } 6419 EXPORT_SYMBOL_GPL(nft_obj_lookup); 6420 6421 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 6422 const struct nlattr *nla, 6423 u32 objtype, u8 genmask) 6424 { 6425 struct nft_object *obj; 6426 6427 list_for_each_entry(obj, &table->objects, list) { 6428 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 6429 objtype == obj->ops->type->type && 6430 nft_active_genmask(obj, genmask)) 6431 return obj; 6432 } 6433 return ERR_PTR(-ENOENT); 6434 } 6435 6436 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 6437 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 6438 .len = NFT_TABLE_MAXNAMELEN - 1 }, 6439 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 6440 .len = NFT_OBJ_MAXNAMELEN - 1 }, 6441 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 6442 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 6443 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 6444 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY, 6445 .len = NFT_USERDATA_MAXLEN }, 6446 }; 6447 6448 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 6449 const struct nft_object_type *type, 6450 const struct nlattr *attr) 6451 { 6452 struct nlattr **tb; 6453 const struct nft_object_ops *ops; 6454 struct nft_object *obj; 6455 int err = -ENOMEM; 6456 6457 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 6458 if (!tb) 6459 goto err1; 6460 6461 if (attr) { 6462 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 6463 type->policy, NULL); 6464 if (err < 0) 6465 goto err2; 6466 } else { 6467 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 6468 } 6469 6470 if (type->select_ops) { 6471 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 6472 if (IS_ERR(ops)) { 6473 err = PTR_ERR(ops); 6474 goto err2; 6475 } 6476 } else { 6477 ops = type->ops; 6478 } 6479 6480 err = -ENOMEM; 6481 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL); 6482 if (!obj) 6483 goto err2; 6484 6485 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 6486 if (err < 0) 6487 goto err3; 6488 6489 obj->ops = ops; 6490 6491 kfree(tb); 6492 return obj; 6493 err3: 6494 kfree(obj); 6495 err2: 6496 kfree(tb); 6497 err1: 6498 return ERR_PTR(err); 6499 } 6500 6501 static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 6502 struct nft_object *obj, bool reset) 6503 { 6504 struct nlattr *nest; 6505 6506 nest = nla_nest_start_noflag(skb, attr); 6507 if (!nest) 6508 goto nla_put_failure; 6509 if (obj->ops->dump(skb, obj, reset) < 0) 6510 goto nla_put_failure; 6511 nla_nest_end(skb, nest); 6512 return 0; 6513 6514 nla_put_failure: 6515 return -1; 6516 } 6517 6518 static const struct nft_object_type *__nft_obj_type_get(u32 objtype) 6519 { 6520 const struct nft_object_type *type; 6521 6522 list_for_each_entry(type, &nf_tables_objects, list) { 6523 if (objtype == type->type) 6524 return type; 6525 } 6526 return NULL; 6527 } 6528 6529 static const struct nft_object_type * 6530 nft_obj_type_get(struct net *net, u32 objtype) 6531 { 6532 const struct nft_object_type *type; 6533 6534 type = __nft_obj_type_get(objtype); 6535 if (type != NULL && try_module_get(type->owner)) 6536 return type; 6537 6538 lockdep_nfnl_nft_mutex_not_held(); 6539 #ifdef CONFIG_MODULES 6540 if (type == NULL) { 6541 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 6542 return ERR_PTR(-EAGAIN); 6543 } 6544 #endif 6545 return ERR_PTR(-ENOENT); 6546 } 6547 6548 static int nf_tables_updobj(const struct nft_ctx *ctx, 6549 const struct nft_object_type *type, 6550 const struct nlattr *attr, 6551 struct nft_object *obj) 6552 { 6553 struct nft_object *newobj; 6554 struct nft_trans *trans; 6555 int err; 6556 6557 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 6558 sizeof(struct nft_trans_obj)); 6559 if (!trans) 6560 return -ENOMEM; 6561 6562 newobj = nft_obj_init(ctx, type, attr); 6563 if (IS_ERR(newobj)) { 6564 err = PTR_ERR(newobj); 6565 goto err_free_trans; 6566 } 6567 6568 nft_trans_obj(trans) = obj; 6569 nft_trans_obj_update(trans) = true; 6570 nft_trans_obj_newobj(trans) = newobj; 6571 nft_trans_commit_list_add_tail(ctx->net, trans); 6572 6573 return 0; 6574 6575 err_free_trans: 6576 kfree(trans); 6577 return err; 6578 } 6579 6580 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, 6581 const struct nlattr * const nla[]) 6582 { 6583 struct netlink_ext_ack *extack = info->extack; 6584 u8 genmask = nft_genmask_next(info->net); 6585 u8 family = info->nfmsg->nfgen_family; 6586 const struct nft_object_type *type; 6587 struct net *net = info->net; 6588 struct nft_table *table; 6589 struct nft_object *obj; 6590 struct nft_ctx ctx; 6591 u32 objtype; 6592 int err; 6593 6594 if (!nla[NFTA_OBJ_TYPE] || 6595 !nla[NFTA_OBJ_NAME] || 6596 !nla[NFTA_OBJ_DATA]) 6597 return -EINVAL; 6598 6599 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 6600 NETLINK_CB(skb).portid); 6601 if (IS_ERR(table)) { 6602 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6603 return PTR_ERR(table); 6604 } 6605 6606 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6607 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 6608 if (IS_ERR(obj)) { 6609 err = PTR_ERR(obj); 6610 if (err != -ENOENT) { 6611 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6612 return err; 6613 } 6614 } else { 6615 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 6616 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6617 return -EEXIST; 6618 } 6619 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 6620 return -EOPNOTSUPP; 6621 6622 type = __nft_obj_type_get(objtype); 6623 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6624 6625 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 6626 } 6627 6628 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6629 6630 type = nft_obj_type_get(net, objtype); 6631 if (IS_ERR(type)) 6632 return PTR_ERR(type); 6633 6634 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 6635 if (IS_ERR(obj)) { 6636 err = PTR_ERR(obj); 6637 goto err_init; 6638 } 6639 obj->key.table = table; 6640 obj->handle = nf_tables_alloc_handle(table); 6641 6642 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL); 6643 if (!obj->key.name) { 6644 err = -ENOMEM; 6645 goto err_strdup; 6646 } 6647 6648 if (nla[NFTA_OBJ_USERDATA]) { 6649 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL); 6650 if (obj->udata == NULL) 6651 goto err_userdata; 6652 6653 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]); 6654 } 6655 6656 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 6657 if (err < 0) 6658 goto err_trans; 6659 6660 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 6661 nft_objname_ht_params); 6662 if (err < 0) 6663 goto err_obj_ht; 6664 6665 list_add_tail_rcu(&obj->list, &table->objects); 6666 table->use++; 6667 return 0; 6668 err_obj_ht: 6669 /* queued in transaction log */ 6670 INIT_LIST_HEAD(&obj->list); 6671 return err; 6672 err_trans: 6673 kfree(obj->udata); 6674 err_userdata: 6675 kfree(obj->key.name); 6676 err_strdup: 6677 if (obj->ops->destroy) 6678 obj->ops->destroy(&ctx, obj); 6679 kfree(obj); 6680 err_init: 6681 module_put(type->owner); 6682 return err; 6683 } 6684 6685 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 6686 u32 portid, u32 seq, int event, u32 flags, 6687 int family, const struct nft_table *table, 6688 struct nft_object *obj, bool reset) 6689 { 6690 struct nlmsghdr *nlh; 6691 6692 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6693 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 6694 NFNETLINK_V0, nft_base_seq(net)); 6695 if (!nlh) 6696 goto nla_put_failure; 6697 6698 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 6699 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 6700 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 6701 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 6702 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) || 6703 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 6704 NFTA_OBJ_PAD)) 6705 goto nla_put_failure; 6706 6707 if (obj->udata && 6708 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata)) 6709 goto nla_put_failure; 6710 6711 nlmsg_end(skb, nlh); 6712 return 0; 6713 6714 nla_put_failure: 6715 nlmsg_trim(skb, nlh); 6716 return -1; 6717 } 6718 6719 struct nft_obj_filter { 6720 char *table; 6721 u32 type; 6722 }; 6723 6724 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 6725 { 6726 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 6727 const struct nft_table *table; 6728 unsigned int idx = 0, s_idx = cb->args[0]; 6729 struct nft_obj_filter *filter = cb->data; 6730 struct net *net = sock_net(skb->sk); 6731 int family = nfmsg->nfgen_family; 6732 struct nftables_pernet *nft_net; 6733 struct nft_object *obj; 6734 bool reset = false; 6735 6736 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6737 reset = true; 6738 6739 rcu_read_lock(); 6740 nft_net = nft_pernet(net); 6741 cb->seq = nft_net->base_seq; 6742 6743 list_for_each_entry_rcu(table, &nft_net->tables, list) { 6744 if (family != NFPROTO_UNSPEC && family != table->family) 6745 continue; 6746 6747 list_for_each_entry_rcu(obj, &table->objects, list) { 6748 if (!nft_is_active(net, obj)) 6749 goto cont; 6750 if (idx < s_idx) 6751 goto cont; 6752 if (idx > s_idx) 6753 memset(&cb->args[1], 0, 6754 sizeof(cb->args) - sizeof(cb->args[0])); 6755 if (filter && filter->table && 6756 strcmp(filter->table, table->name)) 6757 goto cont; 6758 if (filter && 6759 filter->type != NFT_OBJECT_UNSPEC && 6760 obj->ops->type->type != filter->type) 6761 goto cont; 6762 if (reset) { 6763 char *buf = kasprintf(GFP_ATOMIC, 6764 "%s:%u", 6765 table->name, 6766 nft_net->base_seq); 6767 6768 audit_log_nfcfg(buf, 6769 family, 6770 obj->handle, 6771 AUDIT_NFT_OP_OBJ_RESET, 6772 GFP_ATOMIC); 6773 kfree(buf); 6774 } 6775 6776 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, 6777 cb->nlh->nlmsg_seq, 6778 NFT_MSG_NEWOBJ, 6779 NLM_F_MULTI | NLM_F_APPEND, 6780 table->family, table, 6781 obj, reset) < 0) 6782 goto done; 6783 6784 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 6785 cont: 6786 idx++; 6787 } 6788 } 6789 done: 6790 rcu_read_unlock(); 6791 6792 cb->args[0] = idx; 6793 return skb->len; 6794 } 6795 6796 static int nf_tables_dump_obj_start(struct netlink_callback *cb) 6797 { 6798 const struct nlattr * const *nla = cb->data; 6799 struct nft_obj_filter *filter = NULL; 6800 6801 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) { 6802 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 6803 if (!filter) 6804 return -ENOMEM; 6805 6806 if (nla[NFTA_OBJ_TABLE]) { 6807 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 6808 if (!filter->table) { 6809 kfree(filter); 6810 return -ENOMEM; 6811 } 6812 } 6813 6814 if (nla[NFTA_OBJ_TYPE]) 6815 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6816 } 6817 6818 cb->data = filter; 6819 return 0; 6820 } 6821 6822 static int nf_tables_dump_obj_done(struct netlink_callback *cb) 6823 { 6824 struct nft_obj_filter *filter = cb->data; 6825 6826 if (filter) { 6827 kfree(filter->table); 6828 kfree(filter); 6829 } 6830 6831 return 0; 6832 } 6833 6834 /* called with rcu_read_lock held */ 6835 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info, 6836 const struct nlattr * const nla[]) 6837 { 6838 struct netlink_ext_ack *extack = info->extack; 6839 u8 genmask = nft_genmask_cur(info->net); 6840 u8 family = info->nfmsg->nfgen_family; 6841 const struct nft_table *table; 6842 struct net *net = info->net; 6843 struct nft_object *obj; 6844 struct sk_buff *skb2; 6845 bool reset = false; 6846 u32 objtype; 6847 int err; 6848 6849 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 6850 struct netlink_dump_control c = { 6851 .start = nf_tables_dump_obj_start, 6852 .dump = nf_tables_dump_obj, 6853 .done = nf_tables_dump_obj_done, 6854 .module = THIS_MODULE, 6855 .data = (void *)nla, 6856 }; 6857 6858 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 6859 } 6860 6861 if (!nla[NFTA_OBJ_NAME] || 6862 !nla[NFTA_OBJ_TYPE]) 6863 return -EINVAL; 6864 6865 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0); 6866 if (IS_ERR(table)) { 6867 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6868 return PTR_ERR(table); 6869 } 6870 6871 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6872 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 6873 if (IS_ERR(obj)) { 6874 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6875 return PTR_ERR(obj); 6876 } 6877 6878 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 6879 if (!skb2) 6880 return -ENOMEM; 6881 6882 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6883 reset = true; 6884 6885 if (reset) { 6886 const struct nftables_pernet *nft_net; 6887 char *buf; 6888 6889 nft_net = nft_pernet(net); 6890 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq); 6891 6892 audit_log_nfcfg(buf, 6893 family, 6894 obj->handle, 6895 AUDIT_NFT_OP_OBJ_RESET, 6896 GFP_ATOMIC); 6897 kfree(buf); 6898 } 6899 6900 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid, 6901 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 6902 family, table, obj, reset); 6903 if (err < 0) 6904 goto err_fill_obj_info; 6905 6906 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 6907 6908 err_fill_obj_info: 6909 kfree_skb(skb2); 6910 return err; 6911 } 6912 6913 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 6914 { 6915 if (obj->ops->destroy) 6916 obj->ops->destroy(ctx, obj); 6917 6918 module_put(obj->ops->type->owner); 6919 kfree(obj->key.name); 6920 kfree(obj->udata); 6921 kfree(obj); 6922 } 6923 6924 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info, 6925 const struct nlattr * const nla[]) 6926 { 6927 struct netlink_ext_ack *extack = info->extack; 6928 u8 genmask = nft_genmask_next(info->net); 6929 u8 family = info->nfmsg->nfgen_family; 6930 struct net *net = info->net; 6931 const struct nlattr *attr; 6932 struct nft_table *table; 6933 struct nft_object *obj; 6934 struct nft_ctx ctx; 6935 u32 objtype; 6936 6937 if (!nla[NFTA_OBJ_TYPE] || 6938 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 6939 return -EINVAL; 6940 6941 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 6942 NETLINK_CB(skb).portid); 6943 if (IS_ERR(table)) { 6944 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6945 return PTR_ERR(table); 6946 } 6947 6948 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6949 if (nla[NFTA_OBJ_HANDLE]) { 6950 attr = nla[NFTA_OBJ_HANDLE]; 6951 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 6952 } else { 6953 attr = nla[NFTA_OBJ_NAME]; 6954 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 6955 } 6956 6957 if (IS_ERR(obj)) { 6958 NL_SET_BAD_ATTR(extack, attr); 6959 return PTR_ERR(obj); 6960 } 6961 if (obj->use > 0) { 6962 NL_SET_BAD_ATTR(extack, attr); 6963 return -EBUSY; 6964 } 6965 6966 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6967 6968 return nft_delobj(&ctx, obj); 6969 } 6970 6971 void nft_obj_notify(struct net *net, const struct nft_table *table, 6972 struct nft_object *obj, u32 portid, u32 seq, int event, 6973 u16 flags, int family, int report, gfp_t gfp) 6974 { 6975 struct nftables_pernet *nft_net = nft_pernet(net); 6976 struct sk_buff *skb; 6977 int err; 6978 char *buf = kasprintf(gfp, "%s:%u", 6979 table->name, nft_net->base_seq); 6980 6981 audit_log_nfcfg(buf, 6982 family, 6983 obj->handle, 6984 event == NFT_MSG_NEWOBJ ? 6985 AUDIT_NFT_OP_OBJ_REGISTER : 6986 AUDIT_NFT_OP_OBJ_UNREGISTER, 6987 gfp); 6988 kfree(buf); 6989 6990 if (!report && 6991 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 6992 return; 6993 6994 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 6995 if (skb == NULL) 6996 goto err; 6997 6998 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 6999 flags & (NLM_F_CREATE | NLM_F_EXCL), 7000 family, table, obj, false); 7001 if (err < 0) { 7002 kfree_skb(skb); 7003 goto err; 7004 } 7005 7006 nft_notify_enqueue(skb, report, &nft_net->notify_list); 7007 return; 7008 err: 7009 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 7010 } 7011 EXPORT_SYMBOL_GPL(nft_obj_notify); 7012 7013 static void nf_tables_obj_notify(const struct nft_ctx *ctx, 7014 struct nft_object *obj, int event) 7015 { 7016 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, 7017 ctx->flags, ctx->family, ctx->report, GFP_KERNEL); 7018 } 7019 7020 /* 7021 * Flow tables 7022 */ 7023 void nft_register_flowtable_type(struct nf_flowtable_type *type) 7024 { 7025 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7026 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 7027 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7028 } 7029 EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 7030 7031 void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 7032 { 7033 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7034 list_del_rcu(&type->list); 7035 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7036 } 7037 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 7038 7039 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 7040 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 7041 .len = NFT_NAME_MAXLEN - 1 }, 7042 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 7043 .len = NFT_NAME_MAXLEN - 1 }, 7044 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 7045 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 7046 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 7047 }; 7048 7049 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 7050 const struct nlattr *nla, u8 genmask) 7051 { 7052 struct nft_flowtable *flowtable; 7053 7054 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 7055 if (!nla_strcmp(nla, flowtable->name) && 7056 nft_active_genmask(flowtable, genmask)) 7057 return flowtable; 7058 } 7059 return ERR_PTR(-ENOENT); 7060 } 7061 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 7062 7063 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 7064 struct nft_flowtable *flowtable, 7065 enum nft_trans_phase phase) 7066 { 7067 switch (phase) { 7068 case NFT_TRANS_PREPARE: 7069 case NFT_TRANS_ABORT: 7070 case NFT_TRANS_RELEASE: 7071 flowtable->use--; 7072 fallthrough; 7073 default: 7074 return; 7075 } 7076 } 7077 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 7078 7079 static struct nft_flowtable * 7080 nft_flowtable_lookup_byhandle(const struct nft_table *table, 7081 const struct nlattr *nla, u8 genmask) 7082 { 7083 struct nft_flowtable *flowtable; 7084 7085 list_for_each_entry(flowtable, &table->flowtables, list) { 7086 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 7087 nft_active_genmask(flowtable, genmask)) 7088 return flowtable; 7089 } 7090 return ERR_PTR(-ENOENT); 7091 } 7092 7093 struct nft_flowtable_hook { 7094 u32 num; 7095 int priority; 7096 struct list_head list; 7097 }; 7098 7099 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 7100 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 7101 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 7102 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 7103 }; 7104 7105 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 7106 const struct nlattr *attr, 7107 struct nft_flowtable_hook *flowtable_hook, 7108 struct nft_flowtable *flowtable, bool add) 7109 { 7110 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 7111 struct nft_hook *hook; 7112 int hooknum, priority; 7113 int err; 7114 7115 INIT_LIST_HEAD(&flowtable_hook->list); 7116 7117 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr, 7118 nft_flowtable_hook_policy, NULL); 7119 if (err < 0) 7120 return err; 7121 7122 if (add) { 7123 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 7124 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) 7125 return -EINVAL; 7126 7127 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 7128 if (hooknum != NF_NETDEV_INGRESS) 7129 return -EOPNOTSUPP; 7130 7131 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 7132 7133 flowtable_hook->priority = priority; 7134 flowtable_hook->num = hooknum; 7135 } else { 7136 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 7137 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 7138 if (hooknum != flowtable->hooknum) 7139 return -EOPNOTSUPP; 7140 } 7141 7142 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 7143 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 7144 if (priority != flowtable->data.priority) 7145 return -EOPNOTSUPP; 7146 } 7147 7148 flowtable_hook->priority = flowtable->data.priority; 7149 flowtable_hook->num = flowtable->hooknum; 7150 } 7151 7152 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 7153 err = nf_tables_parse_netdev_hooks(ctx->net, 7154 tb[NFTA_FLOWTABLE_HOOK_DEVS], 7155 &flowtable_hook->list); 7156 if (err < 0) 7157 return err; 7158 } 7159 7160 list_for_each_entry(hook, &flowtable_hook->list, list) { 7161 hook->ops.pf = NFPROTO_NETDEV; 7162 hook->ops.hooknum = flowtable_hook->num; 7163 hook->ops.priority = flowtable_hook->priority; 7164 hook->ops.priv = &flowtable->data; 7165 hook->ops.hook = flowtable->data.type->hook; 7166 } 7167 7168 return err; 7169 } 7170 7171 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 7172 { 7173 const struct nf_flowtable_type *type; 7174 7175 list_for_each_entry(type, &nf_tables_flowtables, list) { 7176 if (family == type->family) 7177 return type; 7178 } 7179 return NULL; 7180 } 7181 7182 static const struct nf_flowtable_type * 7183 nft_flowtable_type_get(struct net *net, u8 family) 7184 { 7185 const struct nf_flowtable_type *type; 7186 7187 type = __nft_flowtable_type_get(family); 7188 if (type != NULL && try_module_get(type->owner)) 7189 return type; 7190 7191 lockdep_nfnl_nft_mutex_not_held(); 7192 #ifdef CONFIG_MODULES 7193 if (type == NULL) { 7194 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 7195 return ERR_PTR(-EAGAIN); 7196 } 7197 #endif 7198 return ERR_PTR(-ENOENT); 7199 } 7200 7201 /* Only called from error and netdev event paths. */ 7202 static void nft_unregister_flowtable_hook(struct net *net, 7203 struct nft_flowtable *flowtable, 7204 struct nft_hook *hook) 7205 { 7206 nf_unregister_net_hook(net, &hook->ops); 7207 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 7208 FLOW_BLOCK_UNBIND); 7209 } 7210 7211 static void nft_unregister_flowtable_net_hooks(struct net *net, 7212 struct list_head *hook_list) 7213 { 7214 struct nft_hook *hook; 7215 7216 list_for_each_entry(hook, hook_list, list) 7217 nf_unregister_net_hook(net, &hook->ops); 7218 } 7219 7220 static int nft_register_flowtable_net_hooks(struct net *net, 7221 struct nft_table *table, 7222 struct list_head *hook_list, 7223 struct nft_flowtable *flowtable) 7224 { 7225 struct nft_hook *hook, *hook2, *next; 7226 struct nft_flowtable *ft; 7227 int err, i = 0; 7228 7229 list_for_each_entry(hook, hook_list, list) { 7230 list_for_each_entry(ft, &table->flowtables, list) { 7231 if (!nft_is_active_next(net, ft)) 7232 continue; 7233 7234 list_for_each_entry(hook2, &ft->hook_list, list) { 7235 if (hook->ops.dev == hook2->ops.dev && 7236 hook->ops.pf == hook2->ops.pf) { 7237 err = -EEXIST; 7238 goto err_unregister_net_hooks; 7239 } 7240 } 7241 } 7242 7243 err = flowtable->data.type->setup(&flowtable->data, 7244 hook->ops.dev, 7245 FLOW_BLOCK_BIND); 7246 if (err < 0) 7247 goto err_unregister_net_hooks; 7248 7249 err = nf_register_net_hook(net, &hook->ops); 7250 if (err < 0) { 7251 flowtable->data.type->setup(&flowtable->data, 7252 hook->ops.dev, 7253 FLOW_BLOCK_UNBIND); 7254 goto err_unregister_net_hooks; 7255 } 7256 7257 i++; 7258 } 7259 7260 return 0; 7261 7262 err_unregister_net_hooks: 7263 list_for_each_entry_safe(hook, next, hook_list, list) { 7264 if (i-- <= 0) 7265 break; 7266 7267 nft_unregister_flowtable_hook(net, flowtable, hook); 7268 list_del_rcu(&hook->list); 7269 kfree_rcu(hook, rcu); 7270 } 7271 7272 return err; 7273 } 7274 7275 static void nft_flowtable_hooks_destroy(struct list_head *hook_list) 7276 { 7277 struct nft_hook *hook, *next; 7278 7279 list_for_each_entry_safe(hook, next, hook_list, list) { 7280 list_del_rcu(&hook->list); 7281 kfree_rcu(hook, rcu); 7282 } 7283 } 7284 7285 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 7286 struct nft_flowtable *flowtable) 7287 { 7288 const struct nlattr * const *nla = ctx->nla; 7289 struct nft_flowtable_hook flowtable_hook; 7290 struct nft_hook *hook, *next; 7291 struct nft_trans *trans; 7292 bool unregister = false; 7293 u32 flags; 7294 int err; 7295 7296 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 7297 &flowtable_hook, flowtable, false); 7298 if (err < 0) 7299 return err; 7300 7301 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 7302 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 7303 list_del(&hook->list); 7304 kfree(hook); 7305 } 7306 } 7307 7308 if (nla[NFTA_FLOWTABLE_FLAGS]) { 7309 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 7310 if (flags & ~NFT_FLOWTABLE_MASK) 7311 return -EOPNOTSUPP; 7312 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ 7313 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) 7314 return -EOPNOTSUPP; 7315 } else { 7316 flags = flowtable->data.flags; 7317 } 7318 7319 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 7320 &flowtable_hook.list, flowtable); 7321 if (err < 0) 7322 goto err_flowtable_update_hook; 7323 7324 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 7325 sizeof(struct nft_trans_flowtable)); 7326 if (!trans) { 7327 unregister = true; 7328 err = -ENOMEM; 7329 goto err_flowtable_update_hook; 7330 } 7331 7332 nft_trans_flowtable_flags(trans) = flags; 7333 nft_trans_flowtable(trans) = flowtable; 7334 nft_trans_flowtable_update(trans) = true; 7335 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 7336 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 7337 7338 nft_trans_commit_list_add_tail(ctx->net, trans); 7339 7340 return 0; 7341 7342 err_flowtable_update_hook: 7343 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 7344 if (unregister) 7345 nft_unregister_flowtable_hook(ctx->net, flowtable, hook); 7346 list_del_rcu(&hook->list); 7347 kfree_rcu(hook, rcu); 7348 } 7349 7350 return err; 7351 7352 } 7353 7354 static int nf_tables_newflowtable(struct sk_buff *skb, 7355 const struct nfnl_info *info, 7356 const struct nlattr * const nla[]) 7357 { 7358 struct netlink_ext_ack *extack = info->extack; 7359 struct nft_flowtable_hook flowtable_hook; 7360 u8 genmask = nft_genmask_next(info->net); 7361 u8 family = info->nfmsg->nfgen_family; 7362 const struct nf_flowtable_type *type; 7363 struct nft_flowtable *flowtable; 7364 struct nft_hook *hook, *next; 7365 struct net *net = info->net; 7366 struct nft_table *table; 7367 struct nft_ctx ctx; 7368 int err; 7369 7370 if (!nla[NFTA_FLOWTABLE_TABLE] || 7371 !nla[NFTA_FLOWTABLE_NAME] || 7372 !nla[NFTA_FLOWTABLE_HOOK]) 7373 return -EINVAL; 7374 7375 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7376 genmask, NETLINK_CB(skb).portid); 7377 if (IS_ERR(table)) { 7378 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 7379 return PTR_ERR(table); 7380 } 7381 7382 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 7383 genmask); 7384 if (IS_ERR(flowtable)) { 7385 err = PTR_ERR(flowtable); 7386 if (err != -ENOENT) { 7387 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 7388 return err; 7389 } 7390 } else { 7391 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 7392 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 7393 return -EEXIST; 7394 } 7395 7396 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7397 7398 return nft_flowtable_update(&ctx, info->nlh, flowtable); 7399 } 7400 7401 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7402 7403 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL); 7404 if (!flowtable) 7405 return -ENOMEM; 7406 7407 flowtable->table = table; 7408 flowtable->handle = nf_tables_alloc_handle(table); 7409 INIT_LIST_HEAD(&flowtable->hook_list); 7410 7411 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL); 7412 if (!flowtable->name) { 7413 err = -ENOMEM; 7414 goto err1; 7415 } 7416 7417 type = nft_flowtable_type_get(net, family); 7418 if (IS_ERR(type)) { 7419 err = PTR_ERR(type); 7420 goto err2; 7421 } 7422 7423 if (nla[NFTA_FLOWTABLE_FLAGS]) { 7424 flowtable->data.flags = 7425 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 7426 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) { 7427 err = -EOPNOTSUPP; 7428 goto err3; 7429 } 7430 } 7431 7432 write_pnet(&flowtable->data.net, net); 7433 flowtable->data.type = type; 7434 err = type->init(&flowtable->data); 7435 if (err < 0) 7436 goto err3; 7437 7438 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK], 7439 &flowtable_hook, flowtable, true); 7440 if (err < 0) 7441 goto err4; 7442 7443 list_splice(&flowtable_hook.list, &flowtable->hook_list); 7444 flowtable->data.priority = flowtable_hook.priority; 7445 flowtable->hooknum = flowtable_hook.num; 7446 7447 err = nft_register_flowtable_net_hooks(ctx.net, table, 7448 &flowtable->hook_list, 7449 flowtable); 7450 if (err < 0) { 7451 nft_flowtable_hooks_destroy(&flowtable->hook_list); 7452 goto err4; 7453 } 7454 7455 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 7456 if (err < 0) 7457 goto err5; 7458 7459 list_add_tail_rcu(&flowtable->list, &table->flowtables); 7460 table->use++; 7461 7462 return 0; 7463 err5: 7464 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7465 nft_unregister_flowtable_hook(net, flowtable, hook); 7466 list_del_rcu(&hook->list); 7467 kfree_rcu(hook, rcu); 7468 } 7469 err4: 7470 flowtable->data.type->free(&flowtable->data); 7471 err3: 7472 module_put(type->owner); 7473 err2: 7474 kfree(flowtable->name); 7475 err1: 7476 kfree(flowtable); 7477 return err; 7478 } 7479 7480 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook) 7481 { 7482 struct nft_hook *this, *next; 7483 7484 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { 7485 list_del(&this->list); 7486 kfree(this); 7487 } 7488 } 7489 7490 static int nft_delflowtable_hook(struct nft_ctx *ctx, 7491 struct nft_flowtable *flowtable) 7492 { 7493 const struct nlattr * const *nla = ctx->nla; 7494 struct nft_flowtable_hook flowtable_hook; 7495 struct nft_hook *this, *hook; 7496 struct nft_trans *trans; 7497 int err; 7498 7499 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 7500 &flowtable_hook, flowtable, false); 7501 if (err < 0) 7502 return err; 7503 7504 list_for_each_entry(this, &flowtable_hook.list, list) { 7505 hook = nft_hook_list_find(&flowtable->hook_list, this); 7506 if (!hook) { 7507 err = -ENOENT; 7508 goto err_flowtable_del_hook; 7509 } 7510 hook->inactive = true; 7511 } 7512 7513 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 7514 sizeof(struct nft_trans_flowtable)); 7515 if (!trans) { 7516 err = -ENOMEM; 7517 goto err_flowtable_del_hook; 7518 } 7519 7520 nft_trans_flowtable(trans) = flowtable; 7521 nft_trans_flowtable_update(trans) = true; 7522 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 7523 nft_flowtable_hook_release(&flowtable_hook); 7524 7525 nft_trans_commit_list_add_tail(ctx->net, trans); 7526 7527 return 0; 7528 7529 err_flowtable_del_hook: 7530 list_for_each_entry(this, &flowtable_hook.list, list) { 7531 hook = nft_hook_list_find(&flowtable->hook_list, this); 7532 if (!hook) 7533 break; 7534 7535 hook->inactive = false; 7536 } 7537 nft_flowtable_hook_release(&flowtable_hook); 7538 7539 return err; 7540 } 7541 7542 static int nf_tables_delflowtable(struct sk_buff *skb, 7543 const struct nfnl_info *info, 7544 const struct nlattr * const nla[]) 7545 { 7546 struct netlink_ext_ack *extack = info->extack; 7547 u8 genmask = nft_genmask_next(info->net); 7548 u8 family = info->nfmsg->nfgen_family; 7549 struct nft_flowtable *flowtable; 7550 struct net *net = info->net; 7551 const struct nlattr *attr; 7552 struct nft_table *table; 7553 struct nft_ctx ctx; 7554 7555 if (!nla[NFTA_FLOWTABLE_TABLE] || 7556 (!nla[NFTA_FLOWTABLE_NAME] && 7557 !nla[NFTA_FLOWTABLE_HANDLE])) 7558 return -EINVAL; 7559 7560 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7561 genmask, NETLINK_CB(skb).portid); 7562 if (IS_ERR(table)) { 7563 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 7564 return PTR_ERR(table); 7565 } 7566 7567 if (nla[NFTA_FLOWTABLE_HANDLE]) { 7568 attr = nla[NFTA_FLOWTABLE_HANDLE]; 7569 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 7570 } else { 7571 attr = nla[NFTA_FLOWTABLE_NAME]; 7572 flowtable = nft_flowtable_lookup(table, attr, genmask); 7573 } 7574 7575 if (IS_ERR(flowtable)) { 7576 NL_SET_BAD_ATTR(extack, attr); 7577 return PTR_ERR(flowtable); 7578 } 7579 7580 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7581 7582 if (nla[NFTA_FLOWTABLE_HOOK]) 7583 return nft_delflowtable_hook(&ctx, flowtable); 7584 7585 if (flowtable->use > 0) { 7586 NL_SET_BAD_ATTR(extack, attr); 7587 return -EBUSY; 7588 } 7589 7590 return nft_delflowtable(&ctx, flowtable); 7591 } 7592 7593 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 7594 u32 portid, u32 seq, int event, 7595 u32 flags, int family, 7596 struct nft_flowtable *flowtable, 7597 struct list_head *hook_list) 7598 { 7599 struct nlattr *nest, *nest_devs; 7600 struct nft_hook *hook; 7601 struct nlmsghdr *nlh; 7602 7603 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 7604 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 7605 NFNETLINK_V0, nft_base_seq(net)); 7606 if (!nlh) 7607 goto nla_put_failure; 7608 7609 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 7610 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 7611 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 7612 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 7613 NFTA_FLOWTABLE_PAD) || 7614 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 7615 goto nla_put_failure; 7616 7617 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 7618 if (!nest) 7619 goto nla_put_failure; 7620 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 7621 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 7622 goto nla_put_failure; 7623 7624 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 7625 if (!nest_devs) 7626 goto nla_put_failure; 7627 7628 list_for_each_entry_rcu(hook, hook_list, list) { 7629 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) 7630 goto nla_put_failure; 7631 } 7632 nla_nest_end(skb, nest_devs); 7633 nla_nest_end(skb, nest); 7634 7635 nlmsg_end(skb, nlh); 7636 return 0; 7637 7638 nla_put_failure: 7639 nlmsg_trim(skb, nlh); 7640 return -1; 7641 } 7642 7643 struct nft_flowtable_filter { 7644 char *table; 7645 }; 7646 7647 static int nf_tables_dump_flowtable(struct sk_buff *skb, 7648 struct netlink_callback *cb) 7649 { 7650 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 7651 struct nft_flowtable_filter *filter = cb->data; 7652 unsigned int idx = 0, s_idx = cb->args[0]; 7653 struct net *net = sock_net(skb->sk); 7654 int family = nfmsg->nfgen_family; 7655 struct nft_flowtable *flowtable; 7656 struct nftables_pernet *nft_net; 7657 const struct nft_table *table; 7658 7659 rcu_read_lock(); 7660 nft_net = nft_pernet(net); 7661 cb->seq = nft_net->base_seq; 7662 7663 list_for_each_entry_rcu(table, &nft_net->tables, list) { 7664 if (family != NFPROTO_UNSPEC && family != table->family) 7665 continue; 7666 7667 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 7668 if (!nft_is_active(net, flowtable)) 7669 goto cont; 7670 if (idx < s_idx) 7671 goto cont; 7672 if (idx > s_idx) 7673 memset(&cb->args[1], 0, 7674 sizeof(cb->args) - sizeof(cb->args[0])); 7675 if (filter && filter->table && 7676 strcmp(filter->table, table->name)) 7677 goto cont; 7678 7679 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 7680 cb->nlh->nlmsg_seq, 7681 NFT_MSG_NEWFLOWTABLE, 7682 NLM_F_MULTI | NLM_F_APPEND, 7683 table->family, 7684 flowtable, 7685 &flowtable->hook_list) < 0) 7686 goto done; 7687 7688 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 7689 cont: 7690 idx++; 7691 } 7692 } 7693 done: 7694 rcu_read_unlock(); 7695 7696 cb->args[0] = idx; 7697 return skb->len; 7698 } 7699 7700 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 7701 { 7702 const struct nlattr * const *nla = cb->data; 7703 struct nft_flowtable_filter *filter = NULL; 7704 7705 if (nla[NFTA_FLOWTABLE_TABLE]) { 7706 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 7707 if (!filter) 7708 return -ENOMEM; 7709 7710 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 7711 GFP_ATOMIC); 7712 if (!filter->table) { 7713 kfree(filter); 7714 return -ENOMEM; 7715 } 7716 } 7717 7718 cb->data = filter; 7719 return 0; 7720 } 7721 7722 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 7723 { 7724 struct nft_flowtable_filter *filter = cb->data; 7725 7726 if (!filter) 7727 return 0; 7728 7729 kfree(filter->table); 7730 kfree(filter); 7731 7732 return 0; 7733 } 7734 7735 /* called with rcu_read_lock held */ 7736 static int nf_tables_getflowtable(struct sk_buff *skb, 7737 const struct nfnl_info *info, 7738 const struct nlattr * const nla[]) 7739 { 7740 u8 genmask = nft_genmask_cur(info->net); 7741 u8 family = info->nfmsg->nfgen_family; 7742 struct nft_flowtable *flowtable; 7743 const struct nft_table *table; 7744 struct net *net = info->net; 7745 struct sk_buff *skb2; 7746 int err; 7747 7748 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 7749 struct netlink_dump_control c = { 7750 .start = nf_tables_dump_flowtable_start, 7751 .dump = nf_tables_dump_flowtable, 7752 .done = nf_tables_dump_flowtable_done, 7753 .module = THIS_MODULE, 7754 .data = (void *)nla, 7755 }; 7756 7757 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 7758 } 7759 7760 if (!nla[NFTA_FLOWTABLE_NAME]) 7761 return -EINVAL; 7762 7763 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7764 genmask, 0); 7765 if (IS_ERR(table)) 7766 return PTR_ERR(table); 7767 7768 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 7769 genmask); 7770 if (IS_ERR(flowtable)) 7771 return PTR_ERR(flowtable); 7772 7773 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7774 if (!skb2) 7775 return -ENOMEM; 7776 7777 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 7778 info->nlh->nlmsg_seq, 7779 NFT_MSG_NEWFLOWTABLE, 0, family, 7780 flowtable, &flowtable->hook_list); 7781 if (err < 0) 7782 goto err_fill_flowtable_info; 7783 7784 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7785 7786 err_fill_flowtable_info: 7787 kfree_skb(skb2); 7788 return err; 7789 } 7790 7791 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 7792 struct nft_flowtable *flowtable, 7793 struct list_head *hook_list, 7794 int event) 7795 { 7796 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 7797 struct sk_buff *skb; 7798 u16 flags = 0; 7799 int err; 7800 7801 if (!ctx->report && 7802 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 7803 return; 7804 7805 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 7806 if (skb == NULL) 7807 goto err; 7808 7809 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 7810 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 7811 7812 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 7813 ctx->seq, event, flags, 7814 ctx->family, flowtable, hook_list); 7815 if (err < 0) { 7816 kfree_skb(skb); 7817 goto err; 7818 } 7819 7820 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 7821 return; 7822 err: 7823 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 7824 } 7825 7826 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 7827 { 7828 struct nft_hook *hook, *next; 7829 7830 flowtable->data.type->free(&flowtable->data); 7831 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7832 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 7833 FLOW_BLOCK_UNBIND); 7834 list_del_rcu(&hook->list); 7835 kfree(hook); 7836 } 7837 kfree(flowtable->name); 7838 module_put(flowtable->data.type->owner); 7839 kfree(flowtable); 7840 } 7841 7842 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 7843 u32 portid, u32 seq) 7844 { 7845 struct nftables_pernet *nft_net = nft_pernet(net); 7846 struct nlmsghdr *nlh; 7847 char buf[TASK_COMM_LEN]; 7848 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 7849 7850 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, 7851 NFNETLINK_V0, nft_base_seq(net)); 7852 if (!nlh) 7853 goto nla_put_failure; 7854 7855 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || 7856 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 7857 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 7858 goto nla_put_failure; 7859 7860 nlmsg_end(skb, nlh); 7861 return 0; 7862 7863 nla_put_failure: 7864 nlmsg_trim(skb, nlh); 7865 return -EMSGSIZE; 7866 } 7867 7868 static void nft_flowtable_event(unsigned long event, struct net_device *dev, 7869 struct nft_flowtable *flowtable) 7870 { 7871 struct nft_hook *hook; 7872 7873 list_for_each_entry(hook, &flowtable->hook_list, list) { 7874 if (hook->ops.dev != dev) 7875 continue; 7876 7877 /* flow_offload_netdev_event() cleans up entries for us. */ 7878 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); 7879 list_del_rcu(&hook->list); 7880 kfree_rcu(hook, rcu); 7881 break; 7882 } 7883 } 7884 7885 static int nf_tables_flowtable_event(struct notifier_block *this, 7886 unsigned long event, void *ptr) 7887 { 7888 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 7889 struct nft_flowtable *flowtable; 7890 struct nftables_pernet *nft_net; 7891 struct nft_table *table; 7892 struct net *net; 7893 7894 if (event != NETDEV_UNREGISTER) 7895 return 0; 7896 7897 net = dev_net(dev); 7898 nft_net = nft_pernet(net); 7899 mutex_lock(&nft_net->commit_mutex); 7900 list_for_each_entry(table, &nft_net->tables, list) { 7901 list_for_each_entry(flowtable, &table->flowtables, list) { 7902 nft_flowtable_event(event, dev, flowtable); 7903 } 7904 } 7905 mutex_unlock(&nft_net->commit_mutex); 7906 7907 return NOTIFY_DONE; 7908 } 7909 7910 static struct notifier_block nf_tables_flowtable_notifier = { 7911 .notifier_call = nf_tables_flowtable_event, 7912 }; 7913 7914 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 7915 int event) 7916 { 7917 struct nlmsghdr *nlh = nlmsg_hdr(skb); 7918 struct sk_buff *skb2; 7919 int err; 7920 7921 if (!nlmsg_report(nlh) && 7922 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 7923 return; 7924 7925 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 7926 if (skb2 == NULL) 7927 goto err; 7928 7929 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 7930 nlh->nlmsg_seq); 7931 if (err < 0) { 7932 kfree_skb(skb2); 7933 goto err; 7934 } 7935 7936 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 7937 nlmsg_report(nlh), GFP_KERNEL); 7938 return; 7939 err: 7940 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 7941 -ENOBUFS); 7942 } 7943 7944 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info, 7945 const struct nlattr * const nla[]) 7946 { 7947 struct sk_buff *skb2; 7948 int err; 7949 7950 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7951 if (skb2 == NULL) 7952 return -ENOMEM; 7953 7954 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid, 7955 info->nlh->nlmsg_seq); 7956 if (err < 0) 7957 goto err_fill_gen_info; 7958 7959 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 7960 7961 err_fill_gen_info: 7962 kfree_skb(skb2); 7963 return err; 7964 } 7965 7966 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 7967 [NFT_MSG_NEWTABLE] = { 7968 .call = nf_tables_newtable, 7969 .type = NFNL_CB_BATCH, 7970 .attr_count = NFTA_TABLE_MAX, 7971 .policy = nft_table_policy, 7972 }, 7973 [NFT_MSG_GETTABLE] = { 7974 .call = nf_tables_gettable, 7975 .type = NFNL_CB_RCU, 7976 .attr_count = NFTA_TABLE_MAX, 7977 .policy = nft_table_policy, 7978 }, 7979 [NFT_MSG_DELTABLE] = { 7980 .call = nf_tables_deltable, 7981 .type = NFNL_CB_BATCH, 7982 .attr_count = NFTA_TABLE_MAX, 7983 .policy = nft_table_policy, 7984 }, 7985 [NFT_MSG_NEWCHAIN] = { 7986 .call = nf_tables_newchain, 7987 .type = NFNL_CB_BATCH, 7988 .attr_count = NFTA_CHAIN_MAX, 7989 .policy = nft_chain_policy, 7990 }, 7991 [NFT_MSG_GETCHAIN] = { 7992 .call = nf_tables_getchain, 7993 .type = NFNL_CB_RCU, 7994 .attr_count = NFTA_CHAIN_MAX, 7995 .policy = nft_chain_policy, 7996 }, 7997 [NFT_MSG_DELCHAIN] = { 7998 .call = nf_tables_delchain, 7999 .type = NFNL_CB_BATCH, 8000 .attr_count = NFTA_CHAIN_MAX, 8001 .policy = nft_chain_policy, 8002 }, 8003 [NFT_MSG_NEWRULE] = { 8004 .call = nf_tables_newrule, 8005 .type = NFNL_CB_BATCH, 8006 .attr_count = NFTA_RULE_MAX, 8007 .policy = nft_rule_policy, 8008 }, 8009 [NFT_MSG_GETRULE] = { 8010 .call = nf_tables_getrule, 8011 .type = NFNL_CB_RCU, 8012 .attr_count = NFTA_RULE_MAX, 8013 .policy = nft_rule_policy, 8014 }, 8015 [NFT_MSG_DELRULE] = { 8016 .call = nf_tables_delrule, 8017 .type = NFNL_CB_BATCH, 8018 .attr_count = NFTA_RULE_MAX, 8019 .policy = nft_rule_policy, 8020 }, 8021 [NFT_MSG_NEWSET] = { 8022 .call = nf_tables_newset, 8023 .type = NFNL_CB_BATCH, 8024 .attr_count = NFTA_SET_MAX, 8025 .policy = nft_set_policy, 8026 }, 8027 [NFT_MSG_GETSET] = { 8028 .call = nf_tables_getset, 8029 .type = NFNL_CB_RCU, 8030 .attr_count = NFTA_SET_MAX, 8031 .policy = nft_set_policy, 8032 }, 8033 [NFT_MSG_DELSET] = { 8034 .call = nf_tables_delset, 8035 .type = NFNL_CB_BATCH, 8036 .attr_count = NFTA_SET_MAX, 8037 .policy = nft_set_policy, 8038 }, 8039 [NFT_MSG_NEWSETELEM] = { 8040 .call = nf_tables_newsetelem, 8041 .type = NFNL_CB_BATCH, 8042 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8043 .policy = nft_set_elem_list_policy, 8044 }, 8045 [NFT_MSG_GETSETELEM] = { 8046 .call = nf_tables_getsetelem, 8047 .type = NFNL_CB_RCU, 8048 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8049 .policy = nft_set_elem_list_policy, 8050 }, 8051 [NFT_MSG_DELSETELEM] = { 8052 .call = nf_tables_delsetelem, 8053 .type = NFNL_CB_BATCH, 8054 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8055 .policy = nft_set_elem_list_policy, 8056 }, 8057 [NFT_MSG_GETGEN] = { 8058 .call = nf_tables_getgen, 8059 .type = NFNL_CB_RCU, 8060 }, 8061 [NFT_MSG_NEWOBJ] = { 8062 .call = nf_tables_newobj, 8063 .type = NFNL_CB_BATCH, 8064 .attr_count = NFTA_OBJ_MAX, 8065 .policy = nft_obj_policy, 8066 }, 8067 [NFT_MSG_GETOBJ] = { 8068 .call = nf_tables_getobj, 8069 .type = NFNL_CB_RCU, 8070 .attr_count = NFTA_OBJ_MAX, 8071 .policy = nft_obj_policy, 8072 }, 8073 [NFT_MSG_DELOBJ] = { 8074 .call = nf_tables_delobj, 8075 .type = NFNL_CB_BATCH, 8076 .attr_count = NFTA_OBJ_MAX, 8077 .policy = nft_obj_policy, 8078 }, 8079 [NFT_MSG_GETOBJ_RESET] = { 8080 .call = nf_tables_getobj, 8081 .type = NFNL_CB_RCU, 8082 .attr_count = NFTA_OBJ_MAX, 8083 .policy = nft_obj_policy, 8084 }, 8085 [NFT_MSG_NEWFLOWTABLE] = { 8086 .call = nf_tables_newflowtable, 8087 .type = NFNL_CB_BATCH, 8088 .attr_count = NFTA_FLOWTABLE_MAX, 8089 .policy = nft_flowtable_policy, 8090 }, 8091 [NFT_MSG_GETFLOWTABLE] = { 8092 .call = nf_tables_getflowtable, 8093 .type = NFNL_CB_RCU, 8094 .attr_count = NFTA_FLOWTABLE_MAX, 8095 .policy = nft_flowtable_policy, 8096 }, 8097 [NFT_MSG_DELFLOWTABLE] = { 8098 .call = nf_tables_delflowtable, 8099 .type = NFNL_CB_BATCH, 8100 .attr_count = NFTA_FLOWTABLE_MAX, 8101 .policy = nft_flowtable_policy, 8102 }, 8103 }; 8104 8105 static int nf_tables_validate(struct net *net) 8106 { 8107 struct nftables_pernet *nft_net = nft_pernet(net); 8108 struct nft_table *table; 8109 8110 switch (nft_net->validate_state) { 8111 case NFT_VALIDATE_SKIP: 8112 break; 8113 case NFT_VALIDATE_NEED: 8114 nft_validate_state_update(net, NFT_VALIDATE_DO); 8115 fallthrough; 8116 case NFT_VALIDATE_DO: 8117 list_for_each_entry(table, &nft_net->tables, list) { 8118 if (nft_table_validate(net, table) < 0) 8119 return -EAGAIN; 8120 } 8121 break; 8122 } 8123 8124 return 0; 8125 } 8126 8127 /* a drop policy has to be deferred until all rules have been activated, 8128 * otherwise a large ruleset that contains a drop-policy base chain will 8129 * cause all packets to get dropped until the full transaction has been 8130 * processed. 8131 * 8132 * We defer the drop policy until the transaction has been finalized. 8133 */ 8134 static void nft_chain_commit_drop_policy(struct nft_trans *trans) 8135 { 8136 struct nft_base_chain *basechain; 8137 8138 if (nft_trans_chain_policy(trans) != NF_DROP) 8139 return; 8140 8141 if (!nft_is_base_chain(trans->ctx.chain)) 8142 return; 8143 8144 basechain = nft_base_chain(trans->ctx.chain); 8145 basechain->policy = NF_DROP; 8146 } 8147 8148 static void nft_chain_commit_update(struct nft_trans *trans) 8149 { 8150 struct nft_base_chain *basechain; 8151 8152 if (nft_trans_chain_name(trans)) { 8153 rhltable_remove(&trans->ctx.table->chains_ht, 8154 &trans->ctx.chain->rhlhead, 8155 nft_chain_ht_params); 8156 swap(trans->ctx.chain->name, nft_trans_chain_name(trans)); 8157 rhltable_insert_key(&trans->ctx.table->chains_ht, 8158 trans->ctx.chain->name, 8159 &trans->ctx.chain->rhlhead, 8160 nft_chain_ht_params); 8161 } 8162 8163 if (!nft_is_base_chain(trans->ctx.chain)) 8164 return; 8165 8166 nft_chain_stats_replace(trans); 8167 8168 basechain = nft_base_chain(trans->ctx.chain); 8169 8170 switch (nft_trans_chain_policy(trans)) { 8171 case NF_DROP: 8172 case NF_ACCEPT: 8173 basechain->policy = nft_trans_chain_policy(trans); 8174 break; 8175 } 8176 } 8177 8178 static void nft_obj_commit_update(struct nft_trans *trans) 8179 { 8180 struct nft_object *newobj; 8181 struct nft_object *obj; 8182 8183 obj = nft_trans_obj(trans); 8184 newobj = nft_trans_obj_newobj(trans); 8185 8186 if (obj->ops->update) 8187 obj->ops->update(obj, newobj); 8188 8189 kfree(newobj); 8190 } 8191 8192 static void nft_commit_release(struct nft_trans *trans) 8193 { 8194 switch (trans->msg_type) { 8195 case NFT_MSG_DELTABLE: 8196 nf_tables_table_destroy(&trans->ctx); 8197 break; 8198 case NFT_MSG_NEWCHAIN: 8199 free_percpu(nft_trans_chain_stats(trans)); 8200 kfree(nft_trans_chain_name(trans)); 8201 break; 8202 case NFT_MSG_DELCHAIN: 8203 nf_tables_chain_destroy(&trans->ctx); 8204 break; 8205 case NFT_MSG_DELRULE: 8206 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 8207 break; 8208 case NFT_MSG_DELSET: 8209 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 8210 break; 8211 case NFT_MSG_DELSETELEM: 8212 nf_tables_set_elem_destroy(&trans->ctx, 8213 nft_trans_elem_set(trans), 8214 nft_trans_elem(trans).priv); 8215 break; 8216 case NFT_MSG_DELOBJ: 8217 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 8218 break; 8219 case NFT_MSG_DELFLOWTABLE: 8220 if (nft_trans_flowtable_update(trans)) 8221 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 8222 else 8223 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 8224 break; 8225 } 8226 8227 if (trans->put_net) 8228 put_net(trans->ctx.net); 8229 8230 kfree(trans); 8231 } 8232 8233 static void nf_tables_trans_destroy_work(struct work_struct *w) 8234 { 8235 struct nft_trans *trans, *next; 8236 LIST_HEAD(head); 8237 8238 spin_lock(&nf_tables_destroy_list_lock); 8239 list_splice_init(&nf_tables_destroy_list, &head); 8240 spin_unlock(&nf_tables_destroy_list_lock); 8241 8242 if (list_empty(&head)) 8243 return; 8244 8245 synchronize_rcu(); 8246 8247 list_for_each_entry_safe(trans, next, &head, list) { 8248 list_del(&trans->list); 8249 nft_commit_release(trans); 8250 } 8251 } 8252 8253 void nf_tables_trans_destroy_flush_work(void) 8254 { 8255 flush_work(&trans_destroy_work); 8256 } 8257 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work); 8258 8259 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 8260 { 8261 const struct nft_expr *expr, *last; 8262 struct nft_regs_track track = {}; 8263 unsigned int size, data_size; 8264 void *data, *data_boundary; 8265 struct nft_rule_dp *prule; 8266 struct nft_rule *rule; 8267 int i; 8268 8269 /* already handled or inactive chain? */ 8270 if (chain->blob_next || !nft_is_active_next(net, chain)) 8271 return 0; 8272 8273 rule = list_entry(&chain->rules, struct nft_rule, list); 8274 i = 0; 8275 8276 data_size = 0; 8277 list_for_each_entry_continue(rule, &chain->rules, list) { 8278 if (nft_is_active_next(net, rule)) { 8279 data_size += sizeof(*prule) + rule->dlen; 8280 if (data_size > INT_MAX) 8281 return -ENOMEM; 8282 } 8283 } 8284 data_size += offsetof(struct nft_rule_dp, data); /* last rule */ 8285 8286 chain->blob_next = nf_tables_chain_alloc_rules(data_size); 8287 if (!chain->blob_next) 8288 return -ENOMEM; 8289 8290 data = (void *)chain->blob_next->data; 8291 data_boundary = data + data_size; 8292 size = 0; 8293 8294 list_for_each_entry_continue(rule, &chain->rules, list) { 8295 if (!nft_is_active_next(net, rule)) 8296 continue; 8297 8298 prule = (struct nft_rule_dp *)data; 8299 data += offsetof(struct nft_rule_dp, data); 8300 if (WARN_ON_ONCE(data > data_boundary)) 8301 return -ENOMEM; 8302 8303 size = 0; 8304 track.last = last; 8305 nft_rule_for_each_expr(expr, last, rule) { 8306 track.cur = expr; 8307 8308 if (expr->ops->reduce && 8309 expr->ops->reduce(&track, expr)) { 8310 expr = track.cur; 8311 continue; 8312 } 8313 8314 if (WARN_ON_ONCE(data + expr->ops->size > data_boundary)) 8315 return -ENOMEM; 8316 8317 memcpy(data + size, expr, expr->ops->size); 8318 size += expr->ops->size; 8319 } 8320 if (WARN_ON_ONCE(size >= 1 << 12)) 8321 return -ENOMEM; 8322 8323 prule->handle = rule->handle; 8324 prule->dlen = size; 8325 prule->is_last = 0; 8326 8327 data += size; 8328 size = 0; 8329 chain->blob_next->size += (unsigned long)(data - (void *)prule); 8330 } 8331 8332 prule = (struct nft_rule_dp *)data; 8333 data += offsetof(struct nft_rule_dp, data); 8334 if (WARN_ON_ONCE(data > data_boundary)) 8335 return -ENOMEM; 8336 8337 nft_last_rule(chain->blob_next, prule); 8338 8339 return 0; 8340 } 8341 8342 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 8343 { 8344 struct nftables_pernet *nft_net = nft_pernet(net); 8345 struct nft_trans *trans, *next; 8346 8347 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8348 struct nft_chain *chain = trans->ctx.chain; 8349 8350 if (trans->msg_type == NFT_MSG_NEWRULE || 8351 trans->msg_type == NFT_MSG_DELRULE) { 8352 kvfree(chain->blob_next); 8353 chain->blob_next = NULL; 8354 } 8355 } 8356 } 8357 8358 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h) 8359 { 8360 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h); 8361 8362 kvfree(o->blob); 8363 } 8364 8365 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob) 8366 { 8367 struct nft_rules_old *old; 8368 8369 /* rcu_head is after end marker */ 8370 old = (void *)blob + sizeof(*blob) + blob->size; 8371 old->blob = blob; 8372 8373 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old); 8374 } 8375 8376 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 8377 { 8378 struct nft_rule_blob *g0, *g1; 8379 bool next_genbit; 8380 8381 next_genbit = nft_gencursor_next(net); 8382 8383 g0 = rcu_dereference_protected(chain->blob_gen_0, 8384 lockdep_commit_lock_is_held(net)); 8385 g1 = rcu_dereference_protected(chain->blob_gen_1, 8386 lockdep_commit_lock_is_held(net)); 8387 8388 /* No changes to this chain? */ 8389 if (chain->blob_next == NULL) { 8390 /* chain had no change in last or next generation */ 8391 if (g0 == g1) 8392 return; 8393 /* 8394 * chain had no change in this generation; make sure next 8395 * one uses same rules as current generation. 8396 */ 8397 if (next_genbit) { 8398 rcu_assign_pointer(chain->blob_gen_1, g0); 8399 nf_tables_commit_chain_free_rules_old(g1); 8400 } else { 8401 rcu_assign_pointer(chain->blob_gen_0, g1); 8402 nf_tables_commit_chain_free_rules_old(g0); 8403 } 8404 8405 return; 8406 } 8407 8408 if (next_genbit) 8409 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next); 8410 else 8411 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next); 8412 8413 chain->blob_next = NULL; 8414 8415 if (g0 == g1) 8416 return; 8417 8418 if (next_genbit) 8419 nf_tables_commit_chain_free_rules_old(g1); 8420 else 8421 nf_tables_commit_chain_free_rules_old(g0); 8422 } 8423 8424 static void nft_obj_del(struct nft_object *obj) 8425 { 8426 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 8427 list_del_rcu(&obj->list); 8428 } 8429 8430 void nft_chain_del(struct nft_chain *chain) 8431 { 8432 struct nft_table *table = chain->table; 8433 8434 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 8435 nft_chain_ht_params)); 8436 list_del_rcu(&chain->list); 8437 } 8438 8439 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable, 8440 struct list_head *hook_list) 8441 { 8442 struct nft_hook *hook, *next; 8443 8444 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 8445 if (hook->inactive) 8446 list_move(&hook->list, hook_list); 8447 } 8448 } 8449 8450 static void nf_tables_module_autoload_cleanup(struct net *net) 8451 { 8452 struct nftables_pernet *nft_net = nft_pernet(net); 8453 struct nft_module_request *req, *next; 8454 8455 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 8456 list_for_each_entry_safe(req, next, &nft_net->module_list, list) { 8457 WARN_ON_ONCE(!req->done); 8458 list_del(&req->list); 8459 kfree(req); 8460 } 8461 } 8462 8463 static void nf_tables_commit_release(struct net *net) 8464 { 8465 struct nftables_pernet *nft_net = nft_pernet(net); 8466 struct nft_trans *trans; 8467 8468 /* all side effects have to be made visible. 8469 * For example, if a chain named 'foo' has been deleted, a 8470 * new transaction must not find it anymore. 8471 * 8472 * Memory reclaim happens asynchronously from work queue 8473 * to prevent expensive synchronize_rcu() in commit phase. 8474 */ 8475 if (list_empty(&nft_net->commit_list)) { 8476 nf_tables_module_autoload_cleanup(net); 8477 mutex_unlock(&nft_net->commit_mutex); 8478 return; 8479 } 8480 8481 trans = list_last_entry(&nft_net->commit_list, 8482 struct nft_trans, list); 8483 get_net(trans->ctx.net); 8484 WARN_ON_ONCE(trans->put_net); 8485 8486 trans->put_net = true; 8487 spin_lock(&nf_tables_destroy_list_lock); 8488 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list); 8489 spin_unlock(&nf_tables_destroy_list_lock); 8490 8491 nf_tables_module_autoload_cleanup(net); 8492 schedule_work(&trans_destroy_work); 8493 8494 mutex_unlock(&nft_net->commit_mutex); 8495 } 8496 8497 static void nft_commit_notify(struct net *net, u32 portid) 8498 { 8499 struct nftables_pernet *nft_net = nft_pernet(net); 8500 struct sk_buff *batch_skb = NULL, *nskb, *skb; 8501 unsigned char *data; 8502 int len; 8503 8504 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) { 8505 if (!batch_skb) { 8506 new_batch: 8507 batch_skb = skb; 8508 len = NLMSG_GOODSIZE - skb->len; 8509 list_del(&skb->list); 8510 continue; 8511 } 8512 len -= skb->len; 8513 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) { 8514 data = skb_put(batch_skb, skb->len); 8515 memcpy(data, skb->data, skb->len); 8516 list_del(&skb->list); 8517 kfree_skb(skb); 8518 continue; 8519 } 8520 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 8521 NFT_CB(batch_skb).report, GFP_KERNEL); 8522 goto new_batch; 8523 } 8524 8525 if (batch_skb) { 8526 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 8527 NFT_CB(batch_skb).report, GFP_KERNEL); 8528 } 8529 8530 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 8531 } 8532 8533 static int nf_tables_commit_audit_alloc(struct list_head *adl, 8534 struct nft_table *table) 8535 { 8536 struct nft_audit_data *adp; 8537 8538 list_for_each_entry(adp, adl, list) { 8539 if (adp->table == table) 8540 return 0; 8541 } 8542 adp = kzalloc(sizeof(*adp), GFP_KERNEL); 8543 if (!adp) 8544 return -ENOMEM; 8545 adp->table = table; 8546 list_add(&adp->list, adl); 8547 return 0; 8548 } 8549 8550 static void nf_tables_commit_audit_free(struct list_head *adl) 8551 { 8552 struct nft_audit_data *adp, *adn; 8553 8554 list_for_each_entry_safe(adp, adn, adl, list) { 8555 list_del(&adp->list); 8556 kfree(adp); 8557 } 8558 } 8559 8560 static void nf_tables_commit_audit_collect(struct list_head *adl, 8561 struct nft_table *table, u32 op) 8562 { 8563 struct nft_audit_data *adp; 8564 8565 list_for_each_entry(adp, adl, list) { 8566 if (adp->table == table) 8567 goto found; 8568 } 8569 WARN_ONCE(1, "table=%s not expected in commit list", table->name); 8570 return; 8571 found: 8572 adp->entries++; 8573 if (!adp->op || adp->op > op) 8574 adp->op = op; 8575 } 8576 8577 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) 8578 8579 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) 8580 { 8581 struct nft_audit_data *adp, *adn; 8582 char aubuf[AUNFTABLENAMELEN]; 8583 8584 list_for_each_entry_safe(adp, adn, adl, list) { 8585 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, 8586 generation); 8587 audit_log_nfcfg(aubuf, adp->table->family, adp->entries, 8588 nft2audit_op[adp->op], GFP_KERNEL); 8589 list_del(&adp->list); 8590 kfree(adp); 8591 } 8592 } 8593 8594 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 8595 { 8596 struct nftables_pernet *nft_net = nft_pernet(net); 8597 struct nft_trans *trans, *next; 8598 struct nft_trans_elem *te; 8599 struct nft_chain *chain; 8600 struct nft_table *table; 8601 LIST_HEAD(adl); 8602 int err; 8603 8604 if (list_empty(&nft_net->commit_list)) { 8605 mutex_unlock(&nft_net->commit_mutex); 8606 return 0; 8607 } 8608 8609 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 8610 if (nf_tables_validate(net) < 0) 8611 return -EAGAIN; 8612 8613 err = nft_flow_rule_offload_commit(net); 8614 if (err < 0) 8615 return err; 8616 8617 /* 1. Allocate space for next generation rules_gen_X[] */ 8618 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8619 int ret; 8620 8621 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table); 8622 if (ret) { 8623 nf_tables_commit_chain_prepare_cancel(net); 8624 nf_tables_commit_audit_free(&adl); 8625 return ret; 8626 } 8627 if (trans->msg_type == NFT_MSG_NEWRULE || 8628 trans->msg_type == NFT_MSG_DELRULE) { 8629 chain = trans->ctx.chain; 8630 8631 ret = nf_tables_commit_chain_prepare(net, chain); 8632 if (ret < 0) { 8633 nf_tables_commit_chain_prepare_cancel(net); 8634 nf_tables_commit_audit_free(&adl); 8635 return ret; 8636 } 8637 } 8638 } 8639 8640 /* step 2. Make rules_gen_X visible to packet path */ 8641 list_for_each_entry(table, &nft_net->tables, list) { 8642 list_for_each_entry(chain, &table->chains, list) 8643 nf_tables_commit_chain(net, chain); 8644 } 8645 8646 /* 8647 * Bump generation counter, invalidate any dump in progress. 8648 * Cannot fail after this point. 8649 */ 8650 while (++nft_net->base_seq == 0) 8651 ; 8652 8653 /* step 3. Start new generation, rules_gen_X now in use. */ 8654 net->nft.gencursor = nft_gencursor_next(net); 8655 8656 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8657 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8658 trans->msg_type); 8659 switch (trans->msg_type) { 8660 case NFT_MSG_NEWTABLE: 8661 if (nft_trans_table_update(trans)) { 8662 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) { 8663 nft_trans_destroy(trans); 8664 break; 8665 } 8666 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT) 8667 nf_tables_table_disable(net, trans->ctx.table); 8668 8669 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE; 8670 } else { 8671 nft_clear(net, trans->ctx.table); 8672 } 8673 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE); 8674 nft_trans_destroy(trans); 8675 break; 8676 case NFT_MSG_DELTABLE: 8677 list_del_rcu(&trans->ctx.table->list); 8678 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE); 8679 break; 8680 case NFT_MSG_NEWCHAIN: 8681 if (nft_trans_chain_update(trans)) { 8682 nft_chain_commit_update(trans); 8683 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 8684 /* trans destroyed after rcu grace period */ 8685 } else { 8686 nft_chain_commit_drop_policy(trans); 8687 nft_clear(net, trans->ctx.chain); 8688 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 8689 nft_trans_destroy(trans); 8690 } 8691 break; 8692 case NFT_MSG_DELCHAIN: 8693 nft_chain_del(trans->ctx.chain); 8694 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN); 8695 nf_tables_unregister_hook(trans->ctx.net, 8696 trans->ctx.table, 8697 trans->ctx.chain); 8698 break; 8699 case NFT_MSG_NEWRULE: 8700 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 8701 nf_tables_rule_notify(&trans->ctx, 8702 nft_trans_rule(trans), 8703 NFT_MSG_NEWRULE); 8704 nft_trans_destroy(trans); 8705 break; 8706 case NFT_MSG_DELRULE: 8707 list_del_rcu(&nft_trans_rule(trans)->list); 8708 nf_tables_rule_notify(&trans->ctx, 8709 nft_trans_rule(trans), 8710 NFT_MSG_DELRULE); 8711 nft_rule_expr_deactivate(&trans->ctx, 8712 nft_trans_rule(trans), 8713 NFT_TRANS_COMMIT); 8714 break; 8715 case NFT_MSG_NEWSET: 8716 nft_clear(net, nft_trans_set(trans)); 8717 /* This avoids hitting -EBUSY when deleting the table 8718 * from the transaction. 8719 */ 8720 if (nft_set_is_anonymous(nft_trans_set(trans)) && 8721 !list_empty(&nft_trans_set(trans)->bindings)) 8722 trans->ctx.table->use--; 8723 8724 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 8725 NFT_MSG_NEWSET, GFP_KERNEL); 8726 nft_trans_destroy(trans); 8727 break; 8728 case NFT_MSG_DELSET: 8729 list_del_rcu(&nft_trans_set(trans)->list); 8730 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 8731 NFT_MSG_DELSET, GFP_KERNEL); 8732 break; 8733 case NFT_MSG_NEWSETELEM: 8734 te = (struct nft_trans_elem *)trans->data; 8735 8736 nft_setelem_activate(net, te->set, &te->elem); 8737 nf_tables_setelem_notify(&trans->ctx, te->set, 8738 &te->elem, 8739 NFT_MSG_NEWSETELEM); 8740 nft_trans_destroy(trans); 8741 break; 8742 case NFT_MSG_DELSETELEM: 8743 te = (struct nft_trans_elem *)trans->data; 8744 8745 nf_tables_setelem_notify(&trans->ctx, te->set, 8746 &te->elem, 8747 NFT_MSG_DELSETELEM); 8748 nft_setelem_remove(net, te->set, &te->elem); 8749 if (!nft_setelem_is_catchall(te->set, &te->elem)) { 8750 atomic_dec(&te->set->nelems); 8751 te->set->ndeact--; 8752 } 8753 break; 8754 case NFT_MSG_NEWOBJ: 8755 if (nft_trans_obj_update(trans)) { 8756 nft_obj_commit_update(trans); 8757 nf_tables_obj_notify(&trans->ctx, 8758 nft_trans_obj(trans), 8759 NFT_MSG_NEWOBJ); 8760 } else { 8761 nft_clear(net, nft_trans_obj(trans)); 8762 nf_tables_obj_notify(&trans->ctx, 8763 nft_trans_obj(trans), 8764 NFT_MSG_NEWOBJ); 8765 nft_trans_destroy(trans); 8766 } 8767 break; 8768 case NFT_MSG_DELOBJ: 8769 nft_obj_del(nft_trans_obj(trans)); 8770 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans), 8771 NFT_MSG_DELOBJ); 8772 break; 8773 case NFT_MSG_NEWFLOWTABLE: 8774 if (nft_trans_flowtable_update(trans)) { 8775 nft_trans_flowtable(trans)->data.flags = 8776 nft_trans_flowtable_flags(trans); 8777 nf_tables_flowtable_notify(&trans->ctx, 8778 nft_trans_flowtable(trans), 8779 &nft_trans_flowtable_hooks(trans), 8780 NFT_MSG_NEWFLOWTABLE); 8781 list_splice(&nft_trans_flowtable_hooks(trans), 8782 &nft_trans_flowtable(trans)->hook_list); 8783 } else { 8784 nft_clear(net, nft_trans_flowtable(trans)); 8785 nf_tables_flowtable_notify(&trans->ctx, 8786 nft_trans_flowtable(trans), 8787 &nft_trans_flowtable(trans)->hook_list, 8788 NFT_MSG_NEWFLOWTABLE); 8789 } 8790 nft_trans_destroy(trans); 8791 break; 8792 case NFT_MSG_DELFLOWTABLE: 8793 if (nft_trans_flowtable_update(trans)) { 8794 nft_flowtable_hooks_del(nft_trans_flowtable(trans), 8795 &nft_trans_flowtable_hooks(trans)); 8796 nf_tables_flowtable_notify(&trans->ctx, 8797 nft_trans_flowtable(trans), 8798 &nft_trans_flowtable_hooks(trans), 8799 NFT_MSG_DELFLOWTABLE); 8800 nft_unregister_flowtable_net_hooks(net, 8801 &nft_trans_flowtable_hooks(trans)); 8802 } else { 8803 list_del_rcu(&nft_trans_flowtable(trans)->list); 8804 nf_tables_flowtable_notify(&trans->ctx, 8805 nft_trans_flowtable(trans), 8806 &nft_trans_flowtable(trans)->hook_list, 8807 NFT_MSG_DELFLOWTABLE); 8808 nft_unregister_flowtable_net_hooks(net, 8809 &nft_trans_flowtable(trans)->hook_list); 8810 } 8811 break; 8812 } 8813 } 8814 8815 nft_commit_notify(net, NETLINK_CB(skb).portid); 8816 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 8817 nf_tables_commit_audit_log(&adl, nft_net->base_seq); 8818 nf_tables_commit_release(net); 8819 8820 return 0; 8821 } 8822 8823 static void nf_tables_module_autoload(struct net *net) 8824 { 8825 struct nftables_pernet *nft_net = nft_pernet(net); 8826 struct nft_module_request *req, *next; 8827 LIST_HEAD(module_list); 8828 8829 list_splice_init(&nft_net->module_list, &module_list); 8830 mutex_unlock(&nft_net->commit_mutex); 8831 list_for_each_entry_safe(req, next, &module_list, list) { 8832 request_module("%s", req->module); 8833 req->done = true; 8834 } 8835 mutex_lock(&nft_net->commit_mutex); 8836 list_splice(&module_list, &nft_net->module_list); 8837 } 8838 8839 static void nf_tables_abort_release(struct nft_trans *trans) 8840 { 8841 switch (trans->msg_type) { 8842 case NFT_MSG_NEWTABLE: 8843 nf_tables_table_destroy(&trans->ctx); 8844 break; 8845 case NFT_MSG_NEWCHAIN: 8846 nf_tables_chain_destroy(&trans->ctx); 8847 break; 8848 case NFT_MSG_NEWRULE: 8849 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 8850 break; 8851 case NFT_MSG_NEWSET: 8852 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 8853 break; 8854 case NFT_MSG_NEWSETELEM: 8855 nft_set_elem_destroy(nft_trans_elem_set(trans), 8856 nft_trans_elem(trans).priv, true); 8857 break; 8858 case NFT_MSG_NEWOBJ: 8859 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 8860 break; 8861 case NFT_MSG_NEWFLOWTABLE: 8862 if (nft_trans_flowtable_update(trans)) 8863 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 8864 else 8865 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 8866 break; 8867 } 8868 kfree(trans); 8869 } 8870 8871 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) 8872 { 8873 struct nftables_pernet *nft_net = nft_pernet(net); 8874 struct nft_trans *trans, *next; 8875 struct nft_trans_elem *te; 8876 struct nft_hook *hook; 8877 8878 if (action == NFNL_ABORT_VALIDATE && 8879 nf_tables_validate(net) < 0) 8880 return -EAGAIN; 8881 8882 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, 8883 list) { 8884 switch (trans->msg_type) { 8885 case NFT_MSG_NEWTABLE: 8886 if (nft_trans_table_update(trans)) { 8887 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) { 8888 nft_trans_destroy(trans); 8889 break; 8890 } 8891 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) { 8892 nf_tables_table_disable(net, trans->ctx.table); 8893 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 8894 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) { 8895 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT; 8896 } 8897 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE; 8898 nft_trans_destroy(trans); 8899 } else { 8900 list_del_rcu(&trans->ctx.table->list); 8901 } 8902 break; 8903 case NFT_MSG_DELTABLE: 8904 nft_clear(trans->ctx.net, trans->ctx.table); 8905 nft_trans_destroy(trans); 8906 break; 8907 case NFT_MSG_NEWCHAIN: 8908 if (nft_trans_chain_update(trans)) { 8909 free_percpu(nft_trans_chain_stats(trans)); 8910 kfree(nft_trans_chain_name(trans)); 8911 nft_trans_destroy(trans); 8912 } else { 8913 if (nft_chain_is_bound(trans->ctx.chain)) { 8914 nft_trans_destroy(trans); 8915 break; 8916 } 8917 trans->ctx.table->use--; 8918 nft_chain_del(trans->ctx.chain); 8919 nf_tables_unregister_hook(trans->ctx.net, 8920 trans->ctx.table, 8921 trans->ctx.chain); 8922 } 8923 break; 8924 case NFT_MSG_DELCHAIN: 8925 trans->ctx.table->use++; 8926 nft_clear(trans->ctx.net, trans->ctx.chain); 8927 nft_trans_destroy(trans); 8928 break; 8929 case NFT_MSG_NEWRULE: 8930 trans->ctx.chain->use--; 8931 list_del_rcu(&nft_trans_rule(trans)->list); 8932 nft_rule_expr_deactivate(&trans->ctx, 8933 nft_trans_rule(trans), 8934 NFT_TRANS_ABORT); 8935 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 8936 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 8937 break; 8938 case NFT_MSG_DELRULE: 8939 trans->ctx.chain->use++; 8940 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 8941 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans)); 8942 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 8943 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 8944 8945 nft_trans_destroy(trans); 8946 break; 8947 case NFT_MSG_NEWSET: 8948 trans->ctx.table->use--; 8949 if (nft_trans_set_bound(trans)) { 8950 nft_trans_destroy(trans); 8951 break; 8952 } 8953 list_del_rcu(&nft_trans_set(trans)->list); 8954 break; 8955 case NFT_MSG_DELSET: 8956 trans->ctx.table->use++; 8957 nft_clear(trans->ctx.net, nft_trans_set(trans)); 8958 nft_trans_destroy(trans); 8959 break; 8960 case NFT_MSG_NEWSETELEM: 8961 if (nft_trans_elem_set_bound(trans)) { 8962 nft_trans_destroy(trans); 8963 break; 8964 } 8965 te = (struct nft_trans_elem *)trans->data; 8966 nft_setelem_remove(net, te->set, &te->elem); 8967 if (!nft_setelem_is_catchall(te->set, &te->elem)) 8968 atomic_dec(&te->set->nelems); 8969 break; 8970 case NFT_MSG_DELSETELEM: 8971 te = (struct nft_trans_elem *)trans->data; 8972 8973 nft_setelem_data_activate(net, te->set, &te->elem); 8974 nft_setelem_activate(net, te->set, &te->elem); 8975 if (!nft_setelem_is_catchall(te->set, &te->elem)) 8976 te->set->ndeact--; 8977 8978 nft_trans_destroy(trans); 8979 break; 8980 case NFT_MSG_NEWOBJ: 8981 if (nft_trans_obj_update(trans)) { 8982 kfree(nft_trans_obj_newobj(trans)); 8983 nft_trans_destroy(trans); 8984 } else { 8985 trans->ctx.table->use--; 8986 nft_obj_del(nft_trans_obj(trans)); 8987 } 8988 break; 8989 case NFT_MSG_DELOBJ: 8990 trans->ctx.table->use++; 8991 nft_clear(trans->ctx.net, nft_trans_obj(trans)); 8992 nft_trans_destroy(trans); 8993 break; 8994 case NFT_MSG_NEWFLOWTABLE: 8995 if (nft_trans_flowtable_update(trans)) { 8996 nft_unregister_flowtable_net_hooks(net, 8997 &nft_trans_flowtable_hooks(trans)); 8998 } else { 8999 trans->ctx.table->use--; 9000 list_del_rcu(&nft_trans_flowtable(trans)->list); 9001 nft_unregister_flowtable_net_hooks(net, 9002 &nft_trans_flowtable(trans)->hook_list); 9003 } 9004 break; 9005 case NFT_MSG_DELFLOWTABLE: 9006 if (nft_trans_flowtable_update(trans)) { 9007 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list) 9008 hook->inactive = false; 9009 } else { 9010 trans->ctx.table->use++; 9011 nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); 9012 } 9013 nft_trans_destroy(trans); 9014 break; 9015 } 9016 } 9017 9018 synchronize_rcu(); 9019 9020 list_for_each_entry_safe_reverse(trans, next, 9021 &nft_net->commit_list, list) { 9022 list_del(&trans->list); 9023 nf_tables_abort_release(trans); 9024 } 9025 9026 if (action == NFNL_ABORT_AUTOLOAD) 9027 nf_tables_module_autoload(net); 9028 else 9029 nf_tables_module_autoload_cleanup(net); 9030 9031 return 0; 9032 } 9033 9034 static void nf_tables_cleanup(struct net *net) 9035 { 9036 nft_validate_state_update(net, NFT_VALIDATE_SKIP); 9037 } 9038 9039 static int nf_tables_abort(struct net *net, struct sk_buff *skb, 9040 enum nfnl_abort_action action) 9041 { 9042 struct nftables_pernet *nft_net = nft_pernet(net); 9043 int ret = __nf_tables_abort(net, action); 9044 9045 mutex_unlock(&nft_net->commit_mutex); 9046 9047 return ret; 9048 } 9049 9050 static bool nf_tables_valid_genid(struct net *net, u32 genid) 9051 { 9052 struct nftables_pernet *nft_net = nft_pernet(net); 9053 bool genid_ok; 9054 9055 mutex_lock(&nft_net->commit_mutex); 9056 9057 genid_ok = genid == 0 || nft_net->base_seq == genid; 9058 if (!genid_ok) 9059 mutex_unlock(&nft_net->commit_mutex); 9060 9061 /* else, commit mutex has to be released by commit or abort function */ 9062 return genid_ok; 9063 } 9064 9065 static const struct nfnetlink_subsystem nf_tables_subsys = { 9066 .name = "nf_tables", 9067 .subsys_id = NFNL_SUBSYS_NFTABLES, 9068 .cb_count = NFT_MSG_MAX, 9069 .cb = nf_tables_cb, 9070 .commit = nf_tables_commit, 9071 .abort = nf_tables_abort, 9072 .cleanup = nf_tables_cleanup, 9073 .valid_genid = nf_tables_valid_genid, 9074 .owner = THIS_MODULE, 9075 }; 9076 9077 int nft_chain_validate_dependency(const struct nft_chain *chain, 9078 enum nft_chain_types type) 9079 { 9080 const struct nft_base_chain *basechain; 9081 9082 if (nft_is_base_chain(chain)) { 9083 basechain = nft_base_chain(chain); 9084 if (basechain->type->type != type) 9085 return -EOPNOTSUPP; 9086 } 9087 return 0; 9088 } 9089 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 9090 9091 int nft_chain_validate_hooks(const struct nft_chain *chain, 9092 unsigned int hook_flags) 9093 { 9094 struct nft_base_chain *basechain; 9095 9096 if (nft_is_base_chain(chain)) { 9097 basechain = nft_base_chain(chain); 9098 9099 if ((1 << basechain->ops.hooknum) & hook_flags) 9100 return 0; 9101 9102 return -EOPNOTSUPP; 9103 } 9104 9105 return 0; 9106 } 9107 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 9108 9109 /* 9110 * Loop detection - walk through the ruleset beginning at the destination chain 9111 * of a new jump until either the source chain is reached (loop) or all 9112 * reachable chains have been traversed. 9113 * 9114 * The loop check is performed whenever a new jump verdict is added to an 9115 * expression or verdict map or a verdict map is bound to a new chain. 9116 */ 9117 9118 static int nf_tables_check_loops(const struct nft_ctx *ctx, 9119 const struct nft_chain *chain); 9120 9121 static int nft_check_loops(const struct nft_ctx *ctx, 9122 const struct nft_set_ext *ext) 9123 { 9124 const struct nft_data *data; 9125 int ret; 9126 9127 data = nft_set_ext_data(ext); 9128 switch (data->verdict.code) { 9129 case NFT_JUMP: 9130 case NFT_GOTO: 9131 ret = nf_tables_check_loops(ctx, data->verdict.chain); 9132 break; 9133 default: 9134 ret = 0; 9135 break; 9136 } 9137 9138 return ret; 9139 } 9140 9141 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, 9142 struct nft_set *set, 9143 const struct nft_set_iter *iter, 9144 struct nft_set_elem *elem) 9145 { 9146 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 9147 9148 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 9149 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 9150 return 0; 9151 9152 return nft_check_loops(ctx, ext); 9153 } 9154 9155 static int nft_set_catchall_loops(const struct nft_ctx *ctx, 9156 struct nft_set *set) 9157 { 9158 u8 genmask = nft_genmask_next(ctx->net); 9159 struct nft_set_elem_catchall *catchall; 9160 struct nft_set_ext *ext; 9161 int ret = 0; 9162 9163 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 9164 ext = nft_set_elem_ext(set, catchall->elem); 9165 if (!nft_set_elem_active(ext, genmask)) 9166 continue; 9167 9168 ret = nft_check_loops(ctx, ext); 9169 if (ret < 0) 9170 return ret; 9171 } 9172 9173 return ret; 9174 } 9175 9176 static int nf_tables_check_loops(const struct nft_ctx *ctx, 9177 const struct nft_chain *chain) 9178 { 9179 const struct nft_rule *rule; 9180 const struct nft_expr *expr, *last; 9181 struct nft_set *set; 9182 struct nft_set_binding *binding; 9183 struct nft_set_iter iter; 9184 9185 if (ctx->chain == chain) 9186 return -ELOOP; 9187 9188 list_for_each_entry(rule, &chain->rules, list) { 9189 nft_rule_for_each_expr(expr, last, rule) { 9190 struct nft_immediate_expr *priv; 9191 const struct nft_data *data; 9192 int err; 9193 9194 if (strcmp(expr->ops->type->name, "immediate")) 9195 continue; 9196 9197 priv = nft_expr_priv(expr); 9198 if (priv->dreg != NFT_REG_VERDICT) 9199 continue; 9200 9201 data = &priv->data; 9202 switch (data->verdict.code) { 9203 case NFT_JUMP: 9204 case NFT_GOTO: 9205 err = nf_tables_check_loops(ctx, 9206 data->verdict.chain); 9207 if (err < 0) 9208 return err; 9209 break; 9210 default: 9211 break; 9212 } 9213 } 9214 } 9215 9216 list_for_each_entry(set, &ctx->table->sets, list) { 9217 if (!nft_is_active_next(ctx->net, set)) 9218 continue; 9219 if (!(set->flags & NFT_SET_MAP) || 9220 set->dtype != NFT_DATA_VERDICT) 9221 continue; 9222 9223 list_for_each_entry(binding, &set->bindings, list) { 9224 if (!(binding->flags & NFT_SET_MAP) || 9225 binding->chain != chain) 9226 continue; 9227 9228 iter.genmask = nft_genmask_next(ctx->net); 9229 iter.skip = 0; 9230 iter.count = 0; 9231 iter.err = 0; 9232 iter.fn = nf_tables_loop_check_setelem; 9233 9234 set->ops->walk(ctx, set, &iter); 9235 if (!iter.err) 9236 iter.err = nft_set_catchall_loops(ctx, set); 9237 9238 if (iter.err < 0) 9239 return iter.err; 9240 } 9241 } 9242 9243 return 0; 9244 } 9245 9246 /** 9247 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 9248 * 9249 * @attr: netlink attribute to fetch value from 9250 * @max: maximum value to be stored in dest 9251 * @dest: pointer to the variable 9252 * 9253 * Parse, check and store a given u32 netlink attribute into variable. 9254 * This function returns -ERANGE if the value goes over maximum value. 9255 * Otherwise a 0 is returned and the attribute value is stored in the 9256 * destination variable. 9257 */ 9258 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 9259 { 9260 u32 val; 9261 9262 val = ntohl(nla_get_be32(attr)); 9263 if (val > max) 9264 return -ERANGE; 9265 9266 *dest = val; 9267 return 0; 9268 } 9269 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 9270 9271 static unsigned int nft_parse_register(const struct nlattr *attr) 9272 { 9273 unsigned int reg; 9274 9275 reg = ntohl(nla_get_be32(attr)); 9276 switch (reg) { 9277 case NFT_REG_VERDICT...NFT_REG_4: 9278 return reg * NFT_REG_SIZE / NFT_REG32_SIZE; 9279 default: 9280 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 9281 } 9282 } 9283 9284 /** 9285 * nft_dump_register - dump a register value to a netlink attribute 9286 * 9287 * @skb: socket buffer 9288 * @attr: attribute number 9289 * @reg: register number 9290 * 9291 * Construct a netlink attribute containing the register number. For 9292 * compatibility reasons, register numbers being a multiple of 4 are 9293 * translated to the corresponding 128 bit register numbers. 9294 */ 9295 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 9296 { 9297 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 9298 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 9299 else 9300 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 9301 9302 return nla_put_be32(skb, attr, htonl(reg)); 9303 } 9304 EXPORT_SYMBOL_GPL(nft_dump_register); 9305 9306 static int nft_validate_register_load(enum nft_registers reg, unsigned int len) 9307 { 9308 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 9309 return -EINVAL; 9310 if (len == 0) 9311 return -EINVAL; 9312 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 9313 return -ERANGE; 9314 9315 return 0; 9316 } 9317 9318 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len) 9319 { 9320 u32 reg; 9321 int err; 9322 9323 reg = nft_parse_register(attr); 9324 err = nft_validate_register_load(reg, len); 9325 if (err < 0) 9326 return err; 9327 9328 *sreg = reg; 9329 return 0; 9330 } 9331 EXPORT_SYMBOL_GPL(nft_parse_register_load); 9332 9333 static int nft_validate_register_store(const struct nft_ctx *ctx, 9334 enum nft_registers reg, 9335 const struct nft_data *data, 9336 enum nft_data_types type, 9337 unsigned int len) 9338 { 9339 int err; 9340 9341 switch (reg) { 9342 case NFT_REG_VERDICT: 9343 if (type != NFT_DATA_VERDICT) 9344 return -EINVAL; 9345 9346 if (data != NULL && 9347 (data->verdict.code == NFT_GOTO || 9348 data->verdict.code == NFT_JUMP)) { 9349 err = nf_tables_check_loops(ctx, data->verdict.chain); 9350 if (err < 0) 9351 return err; 9352 } 9353 9354 return 0; 9355 default: 9356 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 9357 return -EINVAL; 9358 if (len == 0) 9359 return -EINVAL; 9360 if (reg * NFT_REG32_SIZE + len > 9361 sizeof_field(struct nft_regs, data)) 9362 return -ERANGE; 9363 9364 if (data != NULL && type != NFT_DATA_VALUE) 9365 return -EINVAL; 9366 return 0; 9367 } 9368 } 9369 9370 int nft_parse_register_store(const struct nft_ctx *ctx, 9371 const struct nlattr *attr, u8 *dreg, 9372 const struct nft_data *data, 9373 enum nft_data_types type, unsigned int len) 9374 { 9375 int err; 9376 u32 reg; 9377 9378 reg = nft_parse_register(attr); 9379 err = nft_validate_register_store(ctx, reg, data, type, len); 9380 if (err < 0) 9381 return err; 9382 9383 *dreg = reg; 9384 return 0; 9385 } 9386 EXPORT_SYMBOL_GPL(nft_parse_register_store); 9387 9388 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 9389 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 9390 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 9391 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 9392 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 }, 9393 }; 9394 9395 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 9396 struct nft_data_desc *desc, const struct nlattr *nla) 9397 { 9398 u8 genmask = nft_genmask_next(ctx->net); 9399 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 9400 struct nft_chain *chain; 9401 int err; 9402 9403 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 9404 nft_verdict_policy, NULL); 9405 if (err < 0) 9406 return err; 9407 9408 if (!tb[NFTA_VERDICT_CODE]) 9409 return -EINVAL; 9410 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 9411 9412 switch (data->verdict.code) { 9413 default: 9414 switch (data->verdict.code & NF_VERDICT_MASK) { 9415 case NF_ACCEPT: 9416 case NF_DROP: 9417 case NF_QUEUE: 9418 break; 9419 default: 9420 return -EINVAL; 9421 } 9422 fallthrough; 9423 case NFT_CONTINUE: 9424 case NFT_BREAK: 9425 case NFT_RETURN: 9426 break; 9427 case NFT_JUMP: 9428 case NFT_GOTO: 9429 if (tb[NFTA_VERDICT_CHAIN]) { 9430 chain = nft_chain_lookup(ctx->net, ctx->table, 9431 tb[NFTA_VERDICT_CHAIN], 9432 genmask); 9433 } else if (tb[NFTA_VERDICT_CHAIN_ID]) { 9434 chain = nft_chain_lookup_byid(ctx->net, 9435 tb[NFTA_VERDICT_CHAIN_ID]); 9436 if (IS_ERR(chain)) 9437 return PTR_ERR(chain); 9438 } else { 9439 return -EINVAL; 9440 } 9441 9442 if (IS_ERR(chain)) 9443 return PTR_ERR(chain); 9444 if (nft_is_base_chain(chain)) 9445 return -EOPNOTSUPP; 9446 9447 chain->use++; 9448 data->verdict.chain = chain; 9449 break; 9450 } 9451 9452 desc->len = sizeof(data->verdict); 9453 desc->type = NFT_DATA_VERDICT; 9454 return 0; 9455 } 9456 9457 static void nft_verdict_uninit(const struct nft_data *data) 9458 { 9459 struct nft_chain *chain; 9460 struct nft_rule *rule; 9461 9462 switch (data->verdict.code) { 9463 case NFT_JUMP: 9464 case NFT_GOTO: 9465 chain = data->verdict.chain; 9466 chain->use--; 9467 9468 if (!nft_chain_is_bound(chain)) 9469 break; 9470 9471 chain->table->use--; 9472 list_for_each_entry(rule, &chain->rules, list) 9473 chain->use--; 9474 9475 nft_chain_del(chain); 9476 break; 9477 } 9478 } 9479 9480 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 9481 { 9482 struct nlattr *nest; 9483 9484 nest = nla_nest_start_noflag(skb, type); 9485 if (!nest) 9486 goto nla_put_failure; 9487 9488 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 9489 goto nla_put_failure; 9490 9491 switch (v->code) { 9492 case NFT_JUMP: 9493 case NFT_GOTO: 9494 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 9495 v->chain->name)) 9496 goto nla_put_failure; 9497 } 9498 nla_nest_end(skb, nest); 9499 return 0; 9500 9501 nla_put_failure: 9502 return -1; 9503 } 9504 9505 static int nft_value_init(const struct nft_ctx *ctx, 9506 struct nft_data *data, unsigned int size, 9507 struct nft_data_desc *desc, const struct nlattr *nla) 9508 { 9509 unsigned int len; 9510 9511 len = nla_len(nla); 9512 if (len == 0) 9513 return -EINVAL; 9514 if (len > size) 9515 return -EOVERFLOW; 9516 9517 nla_memcpy(data->data, nla, len); 9518 desc->type = NFT_DATA_VALUE; 9519 desc->len = len; 9520 return 0; 9521 } 9522 9523 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 9524 unsigned int len) 9525 { 9526 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 9527 } 9528 9529 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 9530 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 9531 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 9532 }; 9533 9534 /** 9535 * nft_data_init - parse nf_tables data netlink attributes 9536 * 9537 * @ctx: context of the expression using the data 9538 * @data: destination struct nft_data 9539 * @size: maximum data length 9540 * @desc: data description 9541 * @nla: netlink attribute containing data 9542 * 9543 * Parse the netlink data attributes and initialize a struct nft_data. 9544 * The type and length of data are returned in the data description. 9545 * 9546 * The caller can indicate that it only wants to accept data of type 9547 * NFT_DATA_VALUE by passing NULL for the ctx argument. 9548 */ 9549 int nft_data_init(const struct nft_ctx *ctx, 9550 struct nft_data *data, unsigned int size, 9551 struct nft_data_desc *desc, const struct nlattr *nla) 9552 { 9553 struct nlattr *tb[NFTA_DATA_MAX + 1]; 9554 int err; 9555 9556 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 9557 nft_data_policy, NULL); 9558 if (err < 0) 9559 return err; 9560 9561 if (tb[NFTA_DATA_VALUE]) 9562 return nft_value_init(ctx, data, size, desc, 9563 tb[NFTA_DATA_VALUE]); 9564 if (tb[NFTA_DATA_VERDICT] && ctx != NULL) 9565 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 9566 return -EINVAL; 9567 } 9568 EXPORT_SYMBOL_GPL(nft_data_init); 9569 9570 /** 9571 * nft_data_release - release a nft_data item 9572 * 9573 * @data: struct nft_data to release 9574 * @type: type of data 9575 * 9576 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 9577 * all others need to be released by calling this function. 9578 */ 9579 void nft_data_release(const struct nft_data *data, enum nft_data_types type) 9580 { 9581 if (type < NFT_DATA_VERDICT) 9582 return; 9583 switch (type) { 9584 case NFT_DATA_VERDICT: 9585 return nft_verdict_uninit(data); 9586 default: 9587 WARN_ON(1); 9588 } 9589 } 9590 EXPORT_SYMBOL_GPL(nft_data_release); 9591 9592 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 9593 enum nft_data_types type, unsigned int len) 9594 { 9595 struct nlattr *nest; 9596 int err; 9597 9598 nest = nla_nest_start_noflag(skb, attr); 9599 if (nest == NULL) 9600 return -1; 9601 9602 switch (type) { 9603 case NFT_DATA_VALUE: 9604 err = nft_value_dump(skb, data, len); 9605 break; 9606 case NFT_DATA_VERDICT: 9607 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 9608 break; 9609 default: 9610 err = -EINVAL; 9611 WARN_ON(1); 9612 } 9613 9614 nla_nest_end(skb, nest); 9615 return err; 9616 } 9617 EXPORT_SYMBOL_GPL(nft_data_dump); 9618 9619 int __nft_release_basechain(struct nft_ctx *ctx) 9620 { 9621 struct nft_rule *rule, *nr; 9622 9623 if (WARN_ON(!nft_is_base_chain(ctx->chain))) 9624 return 0; 9625 9626 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); 9627 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { 9628 list_del(&rule->list); 9629 ctx->chain->use--; 9630 nf_tables_rule_release(ctx, rule); 9631 } 9632 nft_chain_del(ctx->chain); 9633 ctx->table->use--; 9634 nf_tables_chain_destroy(ctx); 9635 9636 return 0; 9637 } 9638 EXPORT_SYMBOL_GPL(__nft_release_basechain); 9639 9640 static void __nft_release_hook(struct net *net, struct nft_table *table) 9641 { 9642 struct nft_chain *chain; 9643 9644 list_for_each_entry(chain, &table->chains, list) 9645 nf_tables_unregister_hook(net, table, chain); 9646 } 9647 9648 static void __nft_release_hooks(struct net *net) 9649 { 9650 struct nftables_pernet *nft_net = nft_pernet(net); 9651 struct nft_table *table; 9652 9653 list_for_each_entry(table, &nft_net->tables, list) { 9654 if (nft_table_has_owner(table)) 9655 continue; 9656 9657 __nft_release_hook(net, table); 9658 } 9659 } 9660 9661 static void __nft_release_table(struct net *net, struct nft_table *table) 9662 { 9663 struct nft_flowtable *flowtable, *nf; 9664 struct nft_chain *chain, *nc; 9665 struct nft_object *obj, *ne; 9666 struct nft_rule *rule, *nr; 9667 struct nft_set *set, *ns; 9668 struct nft_ctx ctx = { 9669 .net = net, 9670 .family = NFPROTO_NETDEV, 9671 }; 9672 9673 ctx.family = table->family; 9674 ctx.table = table; 9675 list_for_each_entry(chain, &table->chains, list) { 9676 ctx.chain = chain; 9677 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 9678 list_del(&rule->list); 9679 chain->use--; 9680 nf_tables_rule_release(&ctx, rule); 9681 } 9682 } 9683 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 9684 list_del(&flowtable->list); 9685 table->use--; 9686 nf_tables_flowtable_destroy(flowtable); 9687 } 9688 list_for_each_entry_safe(set, ns, &table->sets, list) { 9689 list_del(&set->list); 9690 table->use--; 9691 nft_set_destroy(&ctx, set); 9692 } 9693 list_for_each_entry_safe(obj, ne, &table->objects, list) { 9694 nft_obj_del(obj); 9695 table->use--; 9696 nft_obj_destroy(&ctx, obj); 9697 } 9698 list_for_each_entry_safe(chain, nc, &table->chains, list) { 9699 ctx.chain = chain; 9700 nft_chain_del(chain); 9701 table->use--; 9702 nf_tables_chain_destroy(&ctx); 9703 } 9704 nf_tables_table_destroy(&ctx); 9705 } 9706 9707 static void __nft_release_tables(struct net *net) 9708 { 9709 struct nftables_pernet *nft_net = nft_pernet(net); 9710 struct nft_table *table, *nt; 9711 9712 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 9713 if (nft_table_has_owner(table)) 9714 continue; 9715 9716 list_del(&table->list); 9717 9718 __nft_release_table(net, table); 9719 } 9720 } 9721 9722 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, 9723 void *ptr) 9724 { 9725 struct nft_table *table, *to_delete[8]; 9726 struct nftables_pernet *nft_net; 9727 struct netlink_notify *n = ptr; 9728 struct net *net = n->net; 9729 unsigned int deleted; 9730 bool restart = false; 9731 9732 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER) 9733 return NOTIFY_DONE; 9734 9735 nft_net = nft_pernet(net); 9736 deleted = 0; 9737 mutex_lock(&nft_net->commit_mutex); 9738 again: 9739 list_for_each_entry(table, &nft_net->tables, list) { 9740 if (nft_table_has_owner(table) && 9741 n->portid == table->nlpid) { 9742 __nft_release_hook(net, table); 9743 list_del_rcu(&table->list); 9744 to_delete[deleted++] = table; 9745 if (deleted >= ARRAY_SIZE(to_delete)) 9746 break; 9747 } 9748 } 9749 if (deleted) { 9750 restart = deleted >= ARRAY_SIZE(to_delete); 9751 synchronize_rcu(); 9752 while (deleted) 9753 __nft_release_table(net, to_delete[--deleted]); 9754 9755 if (restart) 9756 goto again; 9757 } 9758 mutex_unlock(&nft_net->commit_mutex); 9759 9760 return NOTIFY_DONE; 9761 } 9762 9763 static struct notifier_block nft_nl_notifier = { 9764 .notifier_call = nft_rcv_nl_event, 9765 }; 9766 9767 static int __net_init nf_tables_init_net(struct net *net) 9768 { 9769 struct nftables_pernet *nft_net = nft_pernet(net); 9770 9771 INIT_LIST_HEAD(&nft_net->tables); 9772 INIT_LIST_HEAD(&nft_net->commit_list); 9773 INIT_LIST_HEAD(&nft_net->module_list); 9774 INIT_LIST_HEAD(&nft_net->notify_list); 9775 mutex_init(&nft_net->commit_mutex); 9776 nft_net->base_seq = 1; 9777 nft_net->validate_state = NFT_VALIDATE_SKIP; 9778 9779 return 0; 9780 } 9781 9782 static void __net_exit nf_tables_pre_exit_net(struct net *net) 9783 { 9784 __nft_release_hooks(net); 9785 } 9786 9787 static void __net_exit nf_tables_exit_net(struct net *net) 9788 { 9789 struct nftables_pernet *nft_net = nft_pernet(net); 9790 9791 mutex_lock(&nft_net->commit_mutex); 9792 if (!list_empty(&nft_net->commit_list)) 9793 __nf_tables_abort(net, NFNL_ABORT_NONE); 9794 __nft_release_tables(net); 9795 mutex_unlock(&nft_net->commit_mutex); 9796 WARN_ON_ONCE(!list_empty(&nft_net->tables)); 9797 WARN_ON_ONCE(!list_empty(&nft_net->module_list)); 9798 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 9799 } 9800 9801 static struct pernet_operations nf_tables_net_ops = { 9802 .init = nf_tables_init_net, 9803 .pre_exit = nf_tables_pre_exit_net, 9804 .exit = nf_tables_exit_net, 9805 .id = &nf_tables_net_id, 9806 .size = sizeof(struct nftables_pernet), 9807 }; 9808 9809 static int __init nf_tables_module_init(void) 9810 { 9811 int err; 9812 9813 err = register_pernet_subsys(&nf_tables_net_ops); 9814 if (err < 0) 9815 return err; 9816 9817 err = nft_chain_filter_init(); 9818 if (err < 0) 9819 goto err_chain_filter; 9820 9821 err = nf_tables_core_module_init(); 9822 if (err < 0) 9823 goto err_core_module; 9824 9825 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 9826 if (err < 0) 9827 goto err_netdev_notifier; 9828 9829 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 9830 if (err < 0) 9831 goto err_rht_objname; 9832 9833 err = nft_offload_init(); 9834 if (err < 0) 9835 goto err_offload; 9836 9837 err = netlink_register_notifier(&nft_nl_notifier); 9838 if (err < 0) 9839 goto err_netlink_notifier; 9840 9841 /* must be last */ 9842 err = nfnetlink_subsys_register(&nf_tables_subsys); 9843 if (err < 0) 9844 goto err_nfnl_subsys; 9845 9846 nft_chain_route_init(); 9847 9848 return err; 9849 9850 err_nfnl_subsys: 9851 netlink_unregister_notifier(&nft_nl_notifier); 9852 err_netlink_notifier: 9853 nft_offload_exit(); 9854 err_offload: 9855 rhltable_destroy(&nft_objname_ht); 9856 err_rht_objname: 9857 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 9858 err_netdev_notifier: 9859 nf_tables_core_module_exit(); 9860 err_core_module: 9861 nft_chain_filter_fini(); 9862 err_chain_filter: 9863 unregister_pernet_subsys(&nf_tables_net_ops); 9864 return err; 9865 } 9866 9867 static void __exit nf_tables_module_exit(void) 9868 { 9869 nfnetlink_subsys_unregister(&nf_tables_subsys); 9870 netlink_unregister_notifier(&nft_nl_notifier); 9871 nft_offload_exit(); 9872 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 9873 nft_chain_filter_fini(); 9874 nft_chain_route_fini(); 9875 unregister_pernet_subsys(&nf_tables_net_ops); 9876 cancel_work_sync(&trans_destroy_work); 9877 rcu_barrier(); 9878 rhltable_destroy(&nft_objname_ht); 9879 nf_tables_core_module_exit(); 9880 } 9881 9882 module_init(nf_tables_module_init); 9883 module_exit(nf_tables_module_exit); 9884 9885 MODULE_LICENSE("GPL"); 9886 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 9887 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 9888