1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/skbuff.h> 12 #include <linux/netlink.h> 13 #include <linux/vmalloc.h> 14 #include <linux/rhashtable.h> 15 #include <linux/audit.h> 16 #include <linux/netfilter.h> 17 #include <linux/netfilter/nfnetlink.h> 18 #include <linux/netfilter/nf_tables.h> 19 #include <net/netfilter/nf_flow_table.h> 20 #include <net/netfilter/nf_tables_core.h> 21 #include <net/netfilter/nf_tables.h> 22 #include <net/netfilter/nf_tables_offload.h> 23 #include <net/net_namespace.h> 24 #include <net/sock.h> 25 26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 27 28 static LIST_HEAD(nf_tables_expressions); 29 static LIST_HEAD(nf_tables_objects); 30 static LIST_HEAD(nf_tables_flowtables); 31 static LIST_HEAD(nf_tables_destroy_list); 32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 33 static u64 table_handle; 34 35 enum { 36 NFT_VALIDATE_SKIP = 0, 37 NFT_VALIDATE_NEED, 38 NFT_VALIDATE_DO, 39 }; 40 41 static struct rhltable nft_objname_ht; 42 43 static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 44 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 46 47 static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 48 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 50 51 static const struct rhashtable_params nft_chain_ht_params = { 52 .head_offset = offsetof(struct nft_chain, rhlhead), 53 .key_offset = offsetof(struct nft_chain, name), 54 .hashfn = nft_chain_hash, 55 .obj_hashfn = nft_chain_hash_obj, 56 .obj_cmpfn = nft_chain_hash_cmp, 57 .automatic_shrinking = true, 58 }; 59 60 static const struct rhashtable_params nft_objname_ht_params = { 61 .head_offset = offsetof(struct nft_object, rhlhead), 62 .key_offset = offsetof(struct nft_object, key), 63 .hashfn = nft_objname_hash, 64 .obj_hashfn = nft_objname_hash_obj, 65 .obj_cmpfn = nft_objname_hash_cmp, 66 .automatic_shrinking = true, 67 }; 68 69 static void nft_validate_state_update(struct net *net, u8 new_validate_state) 70 { 71 switch (net->nft.validate_state) { 72 case NFT_VALIDATE_SKIP: 73 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 74 break; 75 case NFT_VALIDATE_NEED: 76 break; 77 case NFT_VALIDATE_DO: 78 if (new_validate_state == NFT_VALIDATE_NEED) 79 return; 80 } 81 82 net->nft.validate_state = new_validate_state; 83 } 84 static void nf_tables_trans_destroy_work(struct work_struct *w); 85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); 86 87 static void nft_ctx_init(struct nft_ctx *ctx, 88 struct net *net, 89 const struct sk_buff *skb, 90 const struct nlmsghdr *nlh, 91 u8 family, 92 struct nft_table *table, 93 struct nft_chain *chain, 94 const struct nlattr * const *nla) 95 { 96 ctx->net = net; 97 ctx->family = family; 98 ctx->level = 0; 99 ctx->table = table; 100 ctx->chain = chain; 101 ctx->nla = nla; 102 ctx->portid = NETLINK_CB(skb).portid; 103 ctx->report = nlmsg_report(nlh); 104 ctx->flags = nlh->nlmsg_flags; 105 ctx->seq = nlh->nlmsg_seq; 106 } 107 108 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 109 int msg_type, u32 size, gfp_t gfp) 110 { 111 struct nft_trans *trans; 112 113 trans = kzalloc(sizeof(struct nft_trans) + size, gfp); 114 if (trans == NULL) 115 return NULL; 116 117 trans->msg_type = msg_type; 118 trans->ctx = *ctx; 119 120 return trans; 121 } 122 123 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 124 int msg_type, u32 size) 125 { 126 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 127 } 128 129 static void nft_trans_destroy(struct nft_trans *trans) 130 { 131 list_del(&trans->list); 132 kfree(trans); 133 } 134 135 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 136 { 137 struct net *net = ctx->net; 138 struct nft_trans *trans; 139 140 if (!nft_set_is_anonymous(set)) 141 return; 142 143 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { 144 switch (trans->msg_type) { 145 case NFT_MSG_NEWSET: 146 if (nft_trans_set(trans) == set) 147 nft_trans_set_bound(trans) = true; 148 break; 149 case NFT_MSG_NEWSETELEM: 150 if (nft_trans_elem_set(trans) == set) 151 nft_trans_elem_set_bound(trans) = true; 152 break; 153 } 154 } 155 } 156 157 static int nft_netdev_register_hooks(struct net *net, 158 struct list_head *hook_list) 159 { 160 struct nft_hook *hook; 161 int err, j; 162 163 j = 0; 164 list_for_each_entry(hook, hook_list, list) { 165 err = nf_register_net_hook(net, &hook->ops); 166 if (err < 0) 167 goto err_register; 168 169 j++; 170 } 171 return 0; 172 173 err_register: 174 list_for_each_entry(hook, hook_list, list) { 175 if (j-- <= 0) 176 break; 177 178 nf_unregister_net_hook(net, &hook->ops); 179 } 180 return err; 181 } 182 183 static void nft_netdev_unregister_hooks(struct net *net, 184 struct list_head *hook_list) 185 { 186 struct nft_hook *hook; 187 188 list_for_each_entry(hook, hook_list, list) 189 nf_unregister_net_hook(net, &hook->ops); 190 } 191 192 static int nf_tables_register_hook(struct net *net, 193 const struct nft_table *table, 194 struct nft_chain *chain) 195 { 196 struct nft_base_chain *basechain; 197 const struct nf_hook_ops *ops; 198 199 if (table->flags & NFT_TABLE_F_DORMANT || 200 !nft_is_base_chain(chain)) 201 return 0; 202 203 basechain = nft_base_chain(chain); 204 ops = &basechain->ops; 205 206 if (basechain->type->ops_register) 207 return basechain->type->ops_register(net, ops); 208 209 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 210 return nft_netdev_register_hooks(net, &basechain->hook_list); 211 212 return nf_register_net_hook(net, &basechain->ops); 213 } 214 215 static void nf_tables_unregister_hook(struct net *net, 216 const struct nft_table *table, 217 struct nft_chain *chain) 218 { 219 struct nft_base_chain *basechain; 220 const struct nf_hook_ops *ops; 221 222 if (table->flags & NFT_TABLE_F_DORMANT || 223 !nft_is_base_chain(chain)) 224 return; 225 basechain = nft_base_chain(chain); 226 ops = &basechain->ops; 227 228 if (basechain->type->ops_unregister) 229 return basechain->type->ops_unregister(net, ops); 230 231 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 232 nft_netdev_unregister_hooks(net, &basechain->hook_list); 233 else 234 nf_unregister_net_hook(net, &basechain->ops); 235 } 236 237 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 238 { 239 struct nft_trans *trans; 240 241 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 242 if (trans == NULL) 243 return -ENOMEM; 244 245 if (msg_type == NFT_MSG_NEWTABLE) 246 nft_activate_next(ctx->net, ctx->table); 247 248 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 249 return 0; 250 } 251 252 static int nft_deltable(struct nft_ctx *ctx) 253 { 254 int err; 255 256 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 257 if (err < 0) 258 return err; 259 260 nft_deactivate_next(ctx->net, ctx->table); 261 return err; 262 } 263 264 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 265 { 266 struct nft_trans *trans; 267 268 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 269 if (trans == NULL) 270 return ERR_PTR(-ENOMEM); 271 272 if (msg_type == NFT_MSG_NEWCHAIN) { 273 nft_activate_next(ctx->net, ctx->chain); 274 275 if (ctx->nla[NFTA_CHAIN_ID]) { 276 nft_trans_chain_id(trans) = 277 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); 278 } 279 } 280 281 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 282 return trans; 283 } 284 285 static int nft_delchain(struct nft_ctx *ctx) 286 { 287 struct nft_trans *trans; 288 289 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 290 if (IS_ERR(trans)) 291 return PTR_ERR(trans); 292 293 ctx->table->use--; 294 nft_deactivate_next(ctx->net, ctx->chain); 295 296 return 0; 297 } 298 299 static void nft_rule_expr_activate(const struct nft_ctx *ctx, 300 struct nft_rule *rule) 301 { 302 struct nft_expr *expr; 303 304 expr = nft_expr_first(rule); 305 while (nft_expr_more(rule, expr)) { 306 if (expr->ops->activate) 307 expr->ops->activate(ctx, expr); 308 309 expr = nft_expr_next(expr); 310 } 311 } 312 313 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, 314 struct nft_rule *rule, 315 enum nft_trans_phase phase) 316 { 317 struct nft_expr *expr; 318 319 expr = nft_expr_first(rule); 320 while (nft_expr_more(rule, expr)) { 321 if (expr->ops->deactivate) 322 expr->ops->deactivate(ctx, expr, phase); 323 324 expr = nft_expr_next(expr); 325 } 326 } 327 328 static int 329 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 330 { 331 /* You cannot delete the same rule twice */ 332 if (nft_is_active_next(ctx->net, rule)) { 333 nft_deactivate_next(ctx->net, rule); 334 ctx->chain->use--; 335 return 0; 336 } 337 return -ENOENT; 338 } 339 340 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 341 struct nft_rule *rule) 342 { 343 struct nft_trans *trans; 344 345 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 346 if (trans == NULL) 347 return NULL; 348 349 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 350 nft_trans_rule_id(trans) = 351 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 352 } 353 nft_trans_rule(trans) = rule; 354 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 355 356 return trans; 357 } 358 359 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 360 { 361 struct nft_flow_rule *flow; 362 struct nft_trans *trans; 363 int err; 364 365 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 366 if (trans == NULL) 367 return -ENOMEM; 368 369 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 370 flow = nft_flow_rule_create(ctx->net, rule); 371 if (IS_ERR(flow)) { 372 nft_trans_destroy(trans); 373 return PTR_ERR(flow); 374 } 375 376 nft_trans_flow_rule(trans) = flow; 377 } 378 379 err = nf_tables_delrule_deactivate(ctx, rule); 380 if (err < 0) { 381 nft_trans_destroy(trans); 382 return err; 383 } 384 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 385 386 return 0; 387 } 388 389 static int nft_delrule_by_chain(struct nft_ctx *ctx) 390 { 391 struct nft_rule *rule; 392 int err; 393 394 list_for_each_entry(rule, &ctx->chain->rules, list) { 395 if (!nft_is_active_next(ctx->net, rule)) 396 continue; 397 398 err = nft_delrule(ctx, rule); 399 if (err < 0) 400 return err; 401 } 402 return 0; 403 } 404 405 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 406 struct nft_set *set) 407 { 408 struct nft_trans *trans; 409 410 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 411 if (trans == NULL) 412 return -ENOMEM; 413 414 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) { 415 nft_trans_set_id(trans) = 416 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 417 nft_activate_next(ctx->net, set); 418 } 419 nft_trans_set(trans) = set; 420 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 421 422 return 0; 423 } 424 425 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 426 { 427 int err; 428 429 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 430 if (err < 0) 431 return err; 432 433 nft_deactivate_next(ctx->net, set); 434 ctx->table->use--; 435 436 return err; 437 } 438 439 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 440 struct nft_object *obj) 441 { 442 struct nft_trans *trans; 443 444 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 445 if (trans == NULL) 446 return -ENOMEM; 447 448 if (msg_type == NFT_MSG_NEWOBJ) 449 nft_activate_next(ctx->net, obj); 450 451 nft_trans_obj(trans) = obj; 452 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 453 454 return 0; 455 } 456 457 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 458 { 459 int err; 460 461 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 462 if (err < 0) 463 return err; 464 465 nft_deactivate_next(ctx->net, obj); 466 ctx->table->use--; 467 468 return err; 469 } 470 471 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 472 struct nft_flowtable *flowtable) 473 { 474 struct nft_trans *trans; 475 476 trans = nft_trans_alloc(ctx, msg_type, 477 sizeof(struct nft_trans_flowtable)); 478 if (trans == NULL) 479 return -ENOMEM; 480 481 if (msg_type == NFT_MSG_NEWFLOWTABLE) 482 nft_activate_next(ctx->net, flowtable); 483 484 nft_trans_flowtable(trans) = flowtable; 485 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 486 487 return 0; 488 } 489 490 static int nft_delflowtable(struct nft_ctx *ctx, 491 struct nft_flowtable *flowtable) 492 { 493 int err; 494 495 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 496 if (err < 0) 497 return err; 498 499 nft_deactivate_next(ctx->net, flowtable); 500 ctx->table->use--; 501 502 return err; 503 } 504 505 /* 506 * Tables 507 */ 508 509 static struct nft_table *nft_table_lookup(const struct net *net, 510 const struct nlattr *nla, 511 u8 family, u8 genmask, u32 nlpid) 512 { 513 struct nft_table *table; 514 515 if (nla == NULL) 516 return ERR_PTR(-EINVAL); 517 518 list_for_each_entry_rcu(table, &net->nft.tables, list, 519 lockdep_is_held(&net->nft.commit_mutex)) { 520 if (!nla_strcmp(nla, table->name) && 521 table->family == family && 522 nft_active_genmask(table, genmask)) { 523 if (nft_table_has_owner(table) && 524 table->nlpid != nlpid) 525 return ERR_PTR(-EPERM); 526 527 return table; 528 } 529 } 530 531 return ERR_PTR(-ENOENT); 532 } 533 534 static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 535 const struct nlattr *nla, 536 u8 genmask) 537 { 538 struct nft_table *table; 539 540 list_for_each_entry(table, &net->nft.tables, list) { 541 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 542 nft_active_genmask(table, genmask)) 543 return table; 544 } 545 546 return ERR_PTR(-ENOENT); 547 } 548 549 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 550 { 551 return ++table->hgenerator; 552 } 553 554 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 555 556 static const struct nft_chain_type * 557 __nft_chain_type_get(u8 family, enum nft_chain_types type) 558 { 559 if (family >= NFPROTO_NUMPROTO || 560 type >= NFT_CHAIN_T_MAX) 561 return NULL; 562 563 return chain_type[family][type]; 564 } 565 566 static const struct nft_chain_type * 567 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 568 { 569 const struct nft_chain_type *type; 570 int i; 571 572 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 573 type = __nft_chain_type_get(family, i); 574 if (!type) 575 continue; 576 if (!nla_strcmp(nla, type->name)) 577 return type; 578 } 579 return NULL; 580 } 581 582 struct nft_module_request { 583 struct list_head list; 584 char module[MODULE_NAME_LEN]; 585 bool done; 586 }; 587 588 #ifdef CONFIG_MODULES 589 static __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, 590 ...) 591 { 592 char module_name[MODULE_NAME_LEN]; 593 struct nft_module_request *req; 594 va_list args; 595 int ret; 596 597 va_start(args, fmt); 598 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 599 va_end(args); 600 if (ret >= MODULE_NAME_LEN) 601 return 0; 602 603 list_for_each_entry(req, &net->nft.module_list, list) { 604 if (!strcmp(req->module, module_name)) { 605 if (req->done) 606 return 0; 607 608 /* A request to load this module already exists. */ 609 return -EAGAIN; 610 } 611 } 612 613 req = kmalloc(sizeof(*req), GFP_KERNEL); 614 if (!req) 615 return -ENOMEM; 616 617 req->done = false; 618 strlcpy(req->module, module_name, MODULE_NAME_LEN); 619 list_add_tail(&req->list, &net->nft.module_list); 620 621 return -EAGAIN; 622 } 623 #endif 624 625 static void lockdep_nfnl_nft_mutex_not_held(void) 626 { 627 #ifdef CONFIG_PROVE_LOCKING 628 if (debug_locks) 629 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 630 #endif 631 } 632 633 static const struct nft_chain_type * 634 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 635 u8 family, bool autoload) 636 { 637 const struct nft_chain_type *type; 638 639 type = __nf_tables_chain_type_lookup(nla, family); 640 if (type != NULL) 641 return type; 642 643 lockdep_nfnl_nft_mutex_not_held(); 644 #ifdef CONFIG_MODULES 645 if (autoload) { 646 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 647 nla_len(nla), 648 (const char *)nla_data(nla)) == -EAGAIN) 649 return ERR_PTR(-EAGAIN); 650 } 651 #endif 652 return ERR_PTR(-ENOENT); 653 } 654 655 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 656 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 657 .len = NFT_TABLE_MAXNAMELEN - 1 }, 658 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 659 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 660 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY, 661 .len = NFT_USERDATA_MAXLEN } 662 }; 663 664 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 665 u32 portid, u32 seq, int event, u32 flags, 666 int family, const struct nft_table *table) 667 { 668 struct nlmsghdr *nlh; 669 struct nfgenmsg *nfmsg; 670 671 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 672 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 673 if (nlh == NULL) 674 goto nla_put_failure; 675 676 nfmsg = nlmsg_data(nlh); 677 nfmsg->nfgen_family = family; 678 nfmsg->version = NFNETLINK_V0; 679 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 680 681 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 682 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) || 683 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 684 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 685 NFTA_TABLE_PAD)) 686 goto nla_put_failure; 687 if (nft_table_has_owner(table) && 688 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid))) 689 goto nla_put_failure; 690 691 if (table->udata) { 692 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata)) 693 goto nla_put_failure; 694 } 695 696 nlmsg_end(skb, nlh); 697 return 0; 698 699 nla_put_failure: 700 nlmsg_trim(skb, nlh); 701 return -1; 702 } 703 704 struct nftnl_skb_parms { 705 bool report; 706 }; 707 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb)) 708 709 static void nft_notify_enqueue(struct sk_buff *skb, bool report, 710 struct list_head *notify_list) 711 { 712 NFT_CB(skb).report = report; 713 list_add_tail(&skb->list, notify_list); 714 } 715 716 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 717 { 718 struct sk_buff *skb; 719 int err; 720 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0", 721 ctx->table->name, ctx->table->handle); 722 723 audit_log_nfcfg(buf, 724 ctx->family, 725 ctx->table->use, 726 event == NFT_MSG_NEWTABLE ? 727 AUDIT_NFT_OP_TABLE_REGISTER : 728 AUDIT_NFT_OP_TABLE_UNREGISTER, 729 GFP_KERNEL); 730 kfree(buf); 731 732 if (!ctx->report && 733 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 734 return; 735 736 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 737 if (skb == NULL) 738 goto err; 739 740 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 741 event, 0, ctx->family, ctx->table); 742 if (err < 0) { 743 kfree_skb(skb); 744 goto err; 745 } 746 747 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 748 return; 749 err: 750 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 751 } 752 753 static int nf_tables_dump_tables(struct sk_buff *skb, 754 struct netlink_callback *cb) 755 { 756 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 757 const struct nft_table *table; 758 unsigned int idx = 0, s_idx = cb->args[0]; 759 struct net *net = sock_net(skb->sk); 760 int family = nfmsg->nfgen_family; 761 762 rcu_read_lock(); 763 cb->seq = net->nft.base_seq; 764 765 list_for_each_entry_rcu(table, &net->nft.tables, list) { 766 if (family != NFPROTO_UNSPEC && family != table->family) 767 continue; 768 769 if (idx < s_idx) 770 goto cont; 771 if (idx > s_idx) 772 memset(&cb->args[1], 0, 773 sizeof(cb->args) - sizeof(cb->args[0])); 774 if (!nft_is_active(net, table)) 775 continue; 776 if (nf_tables_fill_table_info(skb, net, 777 NETLINK_CB(cb->skb).portid, 778 cb->nlh->nlmsg_seq, 779 NFT_MSG_NEWTABLE, NLM_F_MULTI, 780 table->family, table) < 0) 781 goto done; 782 783 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 784 cont: 785 idx++; 786 } 787 done: 788 rcu_read_unlock(); 789 cb->args[0] = idx; 790 return skb->len; 791 } 792 793 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 794 const struct nlmsghdr *nlh, 795 struct netlink_dump_control *c) 796 { 797 int err; 798 799 if (!try_module_get(THIS_MODULE)) 800 return -EINVAL; 801 802 rcu_read_unlock(); 803 err = netlink_dump_start(nlsk, skb, nlh, c); 804 rcu_read_lock(); 805 module_put(THIS_MODULE); 806 807 return err; 808 } 809 810 /* called with rcu_read_lock held */ 811 static int nf_tables_gettable(struct net *net, struct sock *nlsk, 812 struct sk_buff *skb, const struct nlmsghdr *nlh, 813 const struct nlattr * const nla[], 814 struct netlink_ext_ack *extack) 815 { 816 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 817 u8 genmask = nft_genmask_cur(net); 818 const struct nft_table *table; 819 struct sk_buff *skb2; 820 int family = nfmsg->nfgen_family; 821 int err; 822 823 if (nlh->nlmsg_flags & NLM_F_DUMP) { 824 struct netlink_dump_control c = { 825 .dump = nf_tables_dump_tables, 826 .module = THIS_MODULE, 827 }; 828 829 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 830 } 831 832 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0); 833 if (IS_ERR(table)) { 834 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 835 return PTR_ERR(table); 836 } 837 838 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 839 if (!skb2) 840 return -ENOMEM; 841 842 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 843 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0, 844 family, table); 845 if (err < 0) 846 goto err_fill_table_info; 847 848 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 849 850 err_fill_table_info: 851 kfree_skb(skb2); 852 return err; 853 } 854 855 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 856 { 857 struct nft_chain *chain; 858 u32 i = 0; 859 860 list_for_each_entry(chain, &table->chains, list) { 861 if (!nft_is_active_next(net, chain)) 862 continue; 863 if (!nft_is_base_chain(chain)) 864 continue; 865 866 if (cnt && i++ == cnt) 867 break; 868 869 nf_tables_unregister_hook(net, table, chain); 870 } 871 } 872 873 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 874 { 875 struct nft_chain *chain; 876 int err, i = 0; 877 878 list_for_each_entry(chain, &table->chains, list) { 879 if (!nft_is_active_next(net, chain)) 880 continue; 881 if (!nft_is_base_chain(chain)) 882 continue; 883 884 err = nf_tables_register_hook(net, table, chain); 885 if (err < 0) 886 goto err_register_hooks; 887 888 i++; 889 } 890 return 0; 891 892 err_register_hooks: 893 if (i) 894 nft_table_disable(net, table, i); 895 return err; 896 } 897 898 static void nf_tables_table_disable(struct net *net, struct nft_table *table) 899 { 900 nft_table_disable(net, table, 0); 901 } 902 903 static int nf_tables_updtable(struct nft_ctx *ctx) 904 { 905 struct nft_trans *trans; 906 u32 flags; 907 int ret = 0; 908 909 if (!ctx->nla[NFTA_TABLE_FLAGS]) 910 return 0; 911 912 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 913 if (flags & ~NFT_TABLE_F_MASK) 914 return -EOPNOTSUPP; 915 916 if (flags == ctx->table->flags) 917 return 0; 918 919 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 920 sizeof(struct nft_trans_table)); 921 if (trans == NULL) 922 return -ENOMEM; 923 924 if ((flags & NFT_TABLE_F_DORMANT) && 925 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 926 nft_trans_table_enable(trans) = false; 927 } else if (!(flags & NFT_TABLE_F_DORMANT) && 928 ctx->table->flags & NFT_TABLE_F_DORMANT) { 929 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 930 ret = nf_tables_table_enable(ctx->net, ctx->table); 931 if (ret >= 0) 932 nft_trans_table_enable(trans) = true; 933 else 934 ctx->table->flags |= NFT_TABLE_F_DORMANT; 935 } 936 if (ret < 0) 937 goto err; 938 939 nft_trans_table_update(trans) = true; 940 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 941 return 0; 942 err: 943 nft_trans_destroy(trans); 944 return ret; 945 } 946 947 static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 948 { 949 const char *name = data; 950 951 return jhash(name, strlen(name), seed); 952 } 953 954 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 955 { 956 const struct nft_chain *chain = data; 957 958 return nft_chain_hash(chain->name, 0, seed); 959 } 960 961 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 962 const void *ptr) 963 { 964 const struct nft_chain *chain = ptr; 965 const char *name = arg->key; 966 967 return strcmp(chain->name, name); 968 } 969 970 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 971 { 972 const struct nft_object_hash_key *k = data; 973 974 seed ^= hash_ptr(k->table, 32); 975 976 return jhash(k->name, strlen(k->name), seed); 977 } 978 979 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 980 { 981 const struct nft_object *obj = data; 982 983 return nft_objname_hash(&obj->key, 0, seed); 984 } 985 986 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 987 const void *ptr) 988 { 989 const struct nft_object_hash_key *k = arg->key; 990 const struct nft_object *obj = ptr; 991 992 if (obj->key.table != k->table) 993 return -1; 994 995 return strcmp(obj->key.name, k->name); 996 } 997 998 static int nf_tables_newtable(struct net *net, struct sock *nlsk, 999 struct sk_buff *skb, const struct nlmsghdr *nlh, 1000 const struct nlattr * const nla[], 1001 struct netlink_ext_ack *extack) 1002 { 1003 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1004 u8 genmask = nft_genmask_next(net); 1005 int family = nfmsg->nfgen_family; 1006 const struct nlattr *attr; 1007 struct nft_table *table; 1008 struct nft_ctx ctx; 1009 u32 flags = 0; 1010 int err; 1011 1012 lockdep_assert_held(&net->nft.commit_mutex); 1013 attr = nla[NFTA_TABLE_NAME]; 1014 table = nft_table_lookup(net, attr, family, genmask, 1015 NETLINK_CB(skb).portid); 1016 if (IS_ERR(table)) { 1017 if (PTR_ERR(table) != -ENOENT) 1018 return PTR_ERR(table); 1019 } else { 1020 if (nlh->nlmsg_flags & NLM_F_EXCL) { 1021 NL_SET_BAD_ATTR(extack, attr); 1022 return -EEXIST; 1023 } 1024 if (nlh->nlmsg_flags & NLM_F_REPLACE) 1025 return -EOPNOTSUPP; 1026 1027 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 1028 return nf_tables_updtable(&ctx); 1029 } 1030 1031 if (nla[NFTA_TABLE_FLAGS]) { 1032 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 1033 if (flags & ~NFT_TABLE_F_MASK) 1034 return -EOPNOTSUPP; 1035 } 1036 1037 err = -ENOMEM; 1038 table = kzalloc(sizeof(*table), GFP_KERNEL); 1039 if (table == NULL) 1040 goto err_kzalloc; 1041 1042 table->name = nla_strdup(attr, GFP_KERNEL); 1043 if (table->name == NULL) 1044 goto err_strdup; 1045 1046 if (nla[NFTA_TABLE_USERDATA]) { 1047 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL); 1048 if (table->udata == NULL) 1049 goto err_table_udata; 1050 1051 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]); 1052 } 1053 1054 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1055 if (err) 1056 goto err_chain_ht; 1057 1058 INIT_LIST_HEAD(&table->chains); 1059 INIT_LIST_HEAD(&table->sets); 1060 INIT_LIST_HEAD(&table->objects); 1061 INIT_LIST_HEAD(&table->flowtables); 1062 table->family = family; 1063 table->flags = flags; 1064 table->handle = ++table_handle; 1065 if (table->flags & NFT_TABLE_F_OWNER) 1066 table->nlpid = NETLINK_CB(skb).portid; 1067 1068 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 1069 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1070 if (err < 0) 1071 goto err_trans; 1072 1073 list_add_tail_rcu(&table->list, &net->nft.tables); 1074 return 0; 1075 err_trans: 1076 rhltable_destroy(&table->chains_ht); 1077 err_chain_ht: 1078 kfree(table->udata); 1079 err_table_udata: 1080 kfree(table->name); 1081 err_strdup: 1082 kfree(table); 1083 err_kzalloc: 1084 return err; 1085 } 1086 1087 static int nft_flush_table(struct nft_ctx *ctx) 1088 { 1089 struct nft_flowtable *flowtable, *nft; 1090 struct nft_chain *chain, *nc; 1091 struct nft_object *obj, *ne; 1092 struct nft_set *set, *ns; 1093 int err; 1094 1095 list_for_each_entry(chain, &ctx->table->chains, list) { 1096 if (!nft_is_active_next(ctx->net, chain)) 1097 continue; 1098 1099 if (nft_chain_is_bound(chain)) 1100 continue; 1101 1102 ctx->chain = chain; 1103 1104 err = nft_delrule_by_chain(ctx); 1105 if (err < 0) 1106 goto out; 1107 } 1108 1109 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1110 if (!nft_is_active_next(ctx->net, set)) 1111 continue; 1112 1113 if (nft_set_is_anonymous(set) && 1114 !list_empty(&set->bindings)) 1115 continue; 1116 1117 err = nft_delset(ctx, set); 1118 if (err < 0) 1119 goto out; 1120 } 1121 1122 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1123 if (!nft_is_active_next(ctx->net, flowtable)) 1124 continue; 1125 1126 err = nft_delflowtable(ctx, flowtable); 1127 if (err < 0) 1128 goto out; 1129 } 1130 1131 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1132 if (!nft_is_active_next(ctx->net, obj)) 1133 continue; 1134 1135 err = nft_delobj(ctx, obj); 1136 if (err < 0) 1137 goto out; 1138 } 1139 1140 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1141 if (!nft_is_active_next(ctx->net, chain)) 1142 continue; 1143 1144 if (nft_chain_is_bound(chain)) 1145 continue; 1146 1147 ctx->chain = chain; 1148 1149 err = nft_delchain(ctx); 1150 if (err < 0) 1151 goto out; 1152 } 1153 1154 err = nft_deltable(ctx); 1155 out: 1156 return err; 1157 } 1158 1159 static int nft_flush(struct nft_ctx *ctx, int family) 1160 { 1161 struct nft_table *table, *nt; 1162 const struct nlattr * const *nla = ctx->nla; 1163 int err = 0; 1164 1165 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { 1166 if (family != AF_UNSPEC && table->family != family) 1167 continue; 1168 1169 ctx->family = table->family; 1170 1171 if (!nft_is_active_next(ctx->net, table)) 1172 continue; 1173 1174 if (nft_table_has_owner(table) && table->nlpid != ctx->portid) 1175 continue; 1176 1177 if (nla[NFTA_TABLE_NAME] && 1178 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1179 continue; 1180 1181 ctx->table = table; 1182 1183 err = nft_flush_table(ctx); 1184 if (err < 0) 1185 goto out; 1186 } 1187 out: 1188 return err; 1189 } 1190 1191 static int nf_tables_deltable(struct net *net, struct sock *nlsk, 1192 struct sk_buff *skb, const struct nlmsghdr *nlh, 1193 const struct nlattr * const nla[], 1194 struct netlink_ext_ack *extack) 1195 { 1196 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1197 u8 genmask = nft_genmask_next(net); 1198 int family = nfmsg->nfgen_family; 1199 const struct nlattr *attr; 1200 struct nft_table *table; 1201 struct nft_ctx ctx; 1202 1203 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla); 1204 if (family == AF_UNSPEC || 1205 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1206 return nft_flush(&ctx, family); 1207 1208 if (nla[NFTA_TABLE_HANDLE]) { 1209 attr = nla[NFTA_TABLE_HANDLE]; 1210 table = nft_table_lookup_byhandle(net, attr, genmask); 1211 } else { 1212 attr = nla[NFTA_TABLE_NAME]; 1213 table = nft_table_lookup(net, attr, family, genmask, 1214 NETLINK_CB(skb).portid); 1215 } 1216 1217 if (IS_ERR(table)) { 1218 NL_SET_BAD_ATTR(extack, attr); 1219 return PTR_ERR(table); 1220 } 1221 1222 if (nlh->nlmsg_flags & NLM_F_NONREC && 1223 table->use > 0) 1224 return -EBUSY; 1225 1226 ctx.family = family; 1227 ctx.table = table; 1228 1229 return nft_flush_table(&ctx); 1230 } 1231 1232 static void nf_tables_table_destroy(struct nft_ctx *ctx) 1233 { 1234 if (WARN_ON(ctx->table->use > 0)) 1235 return; 1236 1237 rhltable_destroy(&ctx->table->chains_ht); 1238 kfree(ctx->table->name); 1239 kfree(ctx->table->udata); 1240 kfree(ctx->table); 1241 } 1242 1243 void nft_register_chain_type(const struct nft_chain_type *ctype) 1244 { 1245 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1246 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1247 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1248 return; 1249 } 1250 chain_type[ctype->family][ctype->type] = ctype; 1251 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1252 } 1253 EXPORT_SYMBOL_GPL(nft_register_chain_type); 1254 1255 void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1256 { 1257 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1258 chain_type[ctype->family][ctype->type] = NULL; 1259 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1260 } 1261 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1262 1263 /* 1264 * Chains 1265 */ 1266 1267 static struct nft_chain * 1268 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1269 { 1270 struct nft_chain *chain; 1271 1272 list_for_each_entry(chain, &table->chains, list) { 1273 if (chain->handle == handle && 1274 nft_active_genmask(chain, genmask)) 1275 return chain; 1276 } 1277 1278 return ERR_PTR(-ENOENT); 1279 } 1280 1281 static bool lockdep_commit_lock_is_held(const struct net *net) 1282 { 1283 #ifdef CONFIG_PROVE_LOCKING 1284 return lockdep_is_held(&net->nft.commit_mutex); 1285 #else 1286 return true; 1287 #endif 1288 } 1289 1290 static struct nft_chain *nft_chain_lookup(struct net *net, 1291 struct nft_table *table, 1292 const struct nlattr *nla, u8 genmask) 1293 { 1294 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1295 struct rhlist_head *tmp, *list; 1296 struct nft_chain *chain; 1297 1298 if (nla == NULL) 1299 return ERR_PTR(-EINVAL); 1300 1301 nla_strscpy(search, nla, sizeof(search)); 1302 1303 WARN_ON(!rcu_read_lock_held() && 1304 !lockdep_commit_lock_is_held(net)); 1305 1306 chain = ERR_PTR(-ENOENT); 1307 rcu_read_lock(); 1308 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1309 if (!list) 1310 goto out_unlock; 1311 1312 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1313 if (nft_active_genmask(chain, genmask)) 1314 goto out_unlock; 1315 } 1316 chain = ERR_PTR(-ENOENT); 1317 out_unlock: 1318 rcu_read_unlock(); 1319 return chain; 1320 } 1321 1322 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1323 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1324 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1325 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1326 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1327 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1328 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1329 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1330 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1331 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1332 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1333 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1334 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1335 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY, 1336 .len = NFT_USERDATA_MAXLEN }, 1337 }; 1338 1339 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1340 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1341 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1342 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1343 .len = IFNAMSIZ - 1 }, 1344 }; 1345 1346 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1347 { 1348 struct nft_stats *cpu_stats, total; 1349 struct nlattr *nest; 1350 unsigned int seq; 1351 u64 pkts, bytes; 1352 int cpu; 1353 1354 if (!stats) 1355 return 0; 1356 1357 memset(&total, 0, sizeof(total)); 1358 for_each_possible_cpu(cpu) { 1359 cpu_stats = per_cpu_ptr(stats, cpu); 1360 do { 1361 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp); 1362 pkts = cpu_stats->pkts; 1363 bytes = cpu_stats->bytes; 1364 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq)); 1365 total.pkts += pkts; 1366 total.bytes += bytes; 1367 } 1368 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1369 if (nest == NULL) 1370 goto nla_put_failure; 1371 1372 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1373 NFTA_COUNTER_PAD) || 1374 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1375 NFTA_COUNTER_PAD)) 1376 goto nla_put_failure; 1377 1378 nla_nest_end(skb, nest); 1379 return 0; 1380 1381 nla_put_failure: 1382 return -ENOSPC; 1383 } 1384 1385 static int nft_dump_basechain_hook(struct sk_buff *skb, int family, 1386 const struct nft_base_chain *basechain) 1387 { 1388 const struct nf_hook_ops *ops = &basechain->ops; 1389 struct nft_hook *hook, *first = NULL; 1390 struct nlattr *nest, *nest_devs; 1391 int n = 0; 1392 1393 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1394 if (nest == NULL) 1395 goto nla_put_failure; 1396 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1397 goto nla_put_failure; 1398 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1399 goto nla_put_failure; 1400 1401 if (nft_base_chain_netdev(family, ops->hooknum)) { 1402 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1403 list_for_each_entry(hook, &basechain->hook_list, list) { 1404 if (!first) 1405 first = hook; 1406 1407 if (nla_put_string(skb, NFTA_DEVICE_NAME, 1408 hook->ops.dev->name)) 1409 goto nla_put_failure; 1410 n++; 1411 } 1412 nla_nest_end(skb, nest_devs); 1413 1414 if (n == 1 && 1415 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) 1416 goto nla_put_failure; 1417 } 1418 nla_nest_end(skb, nest); 1419 1420 return 0; 1421 nla_put_failure: 1422 return -1; 1423 } 1424 1425 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 1426 u32 portid, u32 seq, int event, u32 flags, 1427 int family, const struct nft_table *table, 1428 const struct nft_chain *chain) 1429 { 1430 struct nlmsghdr *nlh; 1431 struct nfgenmsg *nfmsg; 1432 1433 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1434 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 1435 if (nlh == NULL) 1436 goto nla_put_failure; 1437 1438 nfmsg = nlmsg_data(nlh); 1439 nfmsg->nfgen_family = family; 1440 nfmsg->version = NFNETLINK_V0; 1441 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 1442 1443 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) 1444 goto nla_put_failure; 1445 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 1446 NFTA_CHAIN_PAD)) 1447 goto nla_put_failure; 1448 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name)) 1449 goto nla_put_failure; 1450 1451 if (nft_is_base_chain(chain)) { 1452 const struct nft_base_chain *basechain = nft_base_chain(chain); 1453 struct nft_stats __percpu *stats; 1454 1455 if (nft_dump_basechain_hook(skb, family, basechain)) 1456 goto nla_put_failure; 1457 1458 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1459 htonl(basechain->policy))) 1460 goto nla_put_failure; 1461 1462 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1463 goto nla_put_failure; 1464 1465 stats = rcu_dereference_check(basechain->stats, 1466 lockdep_commit_lock_is_held(net)); 1467 if (nft_dump_stats(skb, stats)) 1468 goto nla_put_failure; 1469 } 1470 1471 if (chain->flags && 1472 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags))) 1473 goto nla_put_failure; 1474 1475 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1476 goto nla_put_failure; 1477 1478 if (chain->udata && 1479 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata)) 1480 goto nla_put_failure; 1481 1482 nlmsg_end(skb, nlh); 1483 return 0; 1484 1485 nla_put_failure: 1486 nlmsg_trim(skb, nlh); 1487 return -1; 1488 } 1489 1490 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event) 1491 { 1492 struct sk_buff *skb; 1493 int err; 1494 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 1495 ctx->table->name, ctx->table->handle, 1496 ctx->chain->name, ctx->chain->handle); 1497 1498 audit_log_nfcfg(buf, 1499 ctx->family, 1500 ctx->chain->use, 1501 event == NFT_MSG_NEWCHAIN ? 1502 AUDIT_NFT_OP_CHAIN_REGISTER : 1503 AUDIT_NFT_OP_CHAIN_UNREGISTER, 1504 GFP_KERNEL); 1505 kfree(buf); 1506 1507 if (!ctx->report && 1508 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1509 return; 1510 1511 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1512 if (skb == NULL) 1513 goto err; 1514 1515 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1516 event, 0, ctx->family, ctx->table, 1517 ctx->chain); 1518 if (err < 0) { 1519 kfree_skb(skb); 1520 goto err; 1521 } 1522 1523 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 1524 return; 1525 err: 1526 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1527 } 1528 1529 static int nf_tables_dump_chains(struct sk_buff *skb, 1530 struct netlink_callback *cb) 1531 { 1532 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1533 const struct nft_table *table; 1534 const struct nft_chain *chain; 1535 unsigned int idx = 0, s_idx = cb->args[0]; 1536 struct net *net = sock_net(skb->sk); 1537 int family = nfmsg->nfgen_family; 1538 1539 rcu_read_lock(); 1540 cb->seq = net->nft.base_seq; 1541 1542 list_for_each_entry_rcu(table, &net->nft.tables, list) { 1543 if (family != NFPROTO_UNSPEC && family != table->family) 1544 continue; 1545 1546 list_for_each_entry_rcu(chain, &table->chains, list) { 1547 if (idx < s_idx) 1548 goto cont; 1549 if (idx > s_idx) 1550 memset(&cb->args[1], 0, 1551 sizeof(cb->args) - sizeof(cb->args[0])); 1552 if (!nft_is_active(net, chain)) 1553 continue; 1554 if (nf_tables_fill_chain_info(skb, net, 1555 NETLINK_CB(cb->skb).portid, 1556 cb->nlh->nlmsg_seq, 1557 NFT_MSG_NEWCHAIN, 1558 NLM_F_MULTI, 1559 table->family, table, 1560 chain) < 0) 1561 goto done; 1562 1563 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1564 cont: 1565 idx++; 1566 } 1567 } 1568 done: 1569 rcu_read_unlock(); 1570 cb->args[0] = idx; 1571 return skb->len; 1572 } 1573 1574 /* called with rcu_read_lock held */ 1575 static int nf_tables_getchain(struct net *net, struct sock *nlsk, 1576 struct sk_buff *skb, const struct nlmsghdr *nlh, 1577 const struct nlattr * const nla[], 1578 struct netlink_ext_ack *extack) 1579 { 1580 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1581 u8 genmask = nft_genmask_cur(net); 1582 const struct nft_chain *chain; 1583 struct nft_table *table; 1584 struct sk_buff *skb2; 1585 int family = nfmsg->nfgen_family; 1586 int err; 1587 1588 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1589 struct netlink_dump_control c = { 1590 .dump = nf_tables_dump_chains, 1591 .module = THIS_MODULE, 1592 }; 1593 1594 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 1595 } 1596 1597 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0); 1598 if (IS_ERR(table)) { 1599 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 1600 return PTR_ERR(table); 1601 } 1602 1603 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 1604 if (IS_ERR(chain)) { 1605 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 1606 return PTR_ERR(chain); 1607 } 1608 1609 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1610 if (!skb2) 1611 return -ENOMEM; 1612 1613 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 1614 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0, 1615 family, table, chain); 1616 if (err < 0) 1617 goto err_fill_chain_info; 1618 1619 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1620 1621 err_fill_chain_info: 1622 kfree_skb(skb2); 1623 return err; 1624 } 1625 1626 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 1627 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 1628 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 1629 }; 1630 1631 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 1632 { 1633 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 1634 struct nft_stats __percpu *newstats; 1635 struct nft_stats *stats; 1636 int err; 1637 1638 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 1639 nft_counter_policy, NULL); 1640 if (err < 0) 1641 return ERR_PTR(err); 1642 1643 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 1644 return ERR_PTR(-EINVAL); 1645 1646 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 1647 if (newstats == NULL) 1648 return ERR_PTR(-ENOMEM); 1649 1650 /* Restore old counters on this cpu, no problem. Per-cpu statistics 1651 * are not exposed to userspace. 1652 */ 1653 preempt_disable(); 1654 stats = this_cpu_ptr(newstats); 1655 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 1656 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 1657 preempt_enable(); 1658 1659 return newstats; 1660 } 1661 1662 static void nft_chain_stats_replace(struct nft_trans *trans) 1663 { 1664 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain); 1665 1666 if (!nft_trans_chain_stats(trans)) 1667 return; 1668 1669 nft_trans_chain_stats(trans) = 1670 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans), 1671 lockdep_commit_lock_is_held(trans->ctx.net)); 1672 1673 if (!nft_trans_chain_stats(trans)) 1674 static_branch_inc(&nft_counters_enabled); 1675 } 1676 1677 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 1678 { 1679 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0); 1680 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1); 1681 1682 if (g0 != g1) 1683 kvfree(g1); 1684 kvfree(g0); 1685 1686 /* should be NULL either via abort or via successful commit */ 1687 WARN_ON_ONCE(chain->rules_next); 1688 kvfree(chain->rules_next); 1689 } 1690 1691 void nf_tables_chain_destroy(struct nft_ctx *ctx) 1692 { 1693 struct nft_chain *chain = ctx->chain; 1694 struct nft_hook *hook, *next; 1695 1696 if (WARN_ON(chain->use > 0)) 1697 return; 1698 1699 /* no concurrent access possible anymore */ 1700 nf_tables_chain_free_chain_rules(chain); 1701 1702 if (nft_is_base_chain(chain)) { 1703 struct nft_base_chain *basechain = nft_base_chain(chain); 1704 1705 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) { 1706 list_for_each_entry_safe(hook, next, 1707 &basechain->hook_list, list) { 1708 list_del_rcu(&hook->list); 1709 kfree_rcu(hook, rcu); 1710 } 1711 } 1712 module_put(basechain->type->owner); 1713 if (rcu_access_pointer(basechain->stats)) { 1714 static_branch_dec(&nft_counters_enabled); 1715 free_percpu(rcu_dereference_raw(basechain->stats)); 1716 } 1717 kfree(chain->name); 1718 kfree(chain->udata); 1719 kfree(basechain); 1720 } else { 1721 kfree(chain->name); 1722 kfree(chain->udata); 1723 kfree(chain); 1724 } 1725 } 1726 1727 static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 1728 const struct nlattr *attr) 1729 { 1730 struct net_device *dev; 1731 char ifname[IFNAMSIZ]; 1732 struct nft_hook *hook; 1733 int err; 1734 1735 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL); 1736 if (!hook) { 1737 err = -ENOMEM; 1738 goto err_hook_alloc; 1739 } 1740 1741 nla_strscpy(ifname, attr, IFNAMSIZ); 1742 /* nf_tables_netdev_event() is called under rtnl_mutex, this is 1743 * indirectly serializing all the other holders of the commit_mutex with 1744 * the rtnl_mutex. 1745 */ 1746 dev = __dev_get_by_name(net, ifname); 1747 if (!dev) { 1748 err = -ENOENT; 1749 goto err_hook_dev; 1750 } 1751 hook->ops.dev = dev; 1752 hook->inactive = false; 1753 1754 return hook; 1755 1756 err_hook_dev: 1757 kfree(hook); 1758 err_hook_alloc: 1759 return ERR_PTR(err); 1760 } 1761 1762 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, 1763 const struct nft_hook *this) 1764 { 1765 struct nft_hook *hook; 1766 1767 list_for_each_entry(hook, hook_list, list) { 1768 if (this->ops.dev == hook->ops.dev) 1769 return hook; 1770 } 1771 1772 return NULL; 1773 } 1774 1775 static int nf_tables_parse_netdev_hooks(struct net *net, 1776 const struct nlattr *attr, 1777 struct list_head *hook_list) 1778 { 1779 struct nft_hook *hook, *next; 1780 const struct nlattr *tmp; 1781 int rem, n = 0, err; 1782 1783 nla_for_each_nested(tmp, attr, rem) { 1784 if (nla_type(tmp) != NFTA_DEVICE_NAME) { 1785 err = -EINVAL; 1786 goto err_hook; 1787 } 1788 1789 hook = nft_netdev_hook_alloc(net, tmp); 1790 if (IS_ERR(hook)) { 1791 err = PTR_ERR(hook); 1792 goto err_hook; 1793 } 1794 if (nft_hook_list_find(hook_list, hook)) { 1795 kfree(hook); 1796 err = -EEXIST; 1797 goto err_hook; 1798 } 1799 list_add_tail(&hook->list, hook_list); 1800 n++; 1801 1802 if (n == NFT_NETDEVICE_MAX) { 1803 err = -EFBIG; 1804 goto err_hook; 1805 } 1806 } 1807 1808 return 0; 1809 1810 err_hook: 1811 list_for_each_entry_safe(hook, next, hook_list, list) { 1812 list_del(&hook->list); 1813 kfree(hook); 1814 } 1815 return err; 1816 } 1817 1818 struct nft_chain_hook { 1819 u32 num; 1820 s32 priority; 1821 const struct nft_chain_type *type; 1822 struct list_head list; 1823 }; 1824 1825 static int nft_chain_parse_netdev(struct net *net, 1826 struct nlattr *tb[], 1827 struct list_head *hook_list) 1828 { 1829 struct nft_hook *hook; 1830 int err; 1831 1832 if (tb[NFTA_HOOK_DEV]) { 1833 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); 1834 if (IS_ERR(hook)) 1835 return PTR_ERR(hook); 1836 1837 list_add_tail(&hook->list, hook_list); 1838 } else if (tb[NFTA_HOOK_DEVS]) { 1839 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 1840 hook_list); 1841 if (err < 0) 1842 return err; 1843 1844 if (list_empty(hook_list)) 1845 return -EINVAL; 1846 } else { 1847 return -EINVAL; 1848 } 1849 1850 return 0; 1851 } 1852 1853 static int nft_chain_parse_hook(struct net *net, 1854 const struct nlattr * const nla[], 1855 struct nft_chain_hook *hook, u8 family, 1856 bool autoload) 1857 { 1858 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 1859 const struct nft_chain_type *type; 1860 int err; 1861 1862 lockdep_assert_held(&net->nft.commit_mutex); 1863 lockdep_nfnl_nft_mutex_not_held(); 1864 1865 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 1866 nla[NFTA_CHAIN_HOOK], 1867 nft_hook_policy, NULL); 1868 if (err < 0) 1869 return err; 1870 1871 if (ha[NFTA_HOOK_HOOKNUM] == NULL || 1872 ha[NFTA_HOOK_PRIORITY] == NULL) 1873 return -EINVAL; 1874 1875 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 1876 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 1877 1878 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 1879 if (!type) 1880 return -EOPNOTSUPP; 1881 1882 if (nla[NFTA_CHAIN_TYPE]) { 1883 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 1884 family, autoload); 1885 if (IS_ERR(type)) 1886 return PTR_ERR(type); 1887 } 1888 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 1889 return -EOPNOTSUPP; 1890 1891 if (type->type == NFT_CHAIN_T_NAT && 1892 hook->priority <= NF_IP_PRI_CONNTRACK) 1893 return -EOPNOTSUPP; 1894 1895 if (!try_module_get(type->owner)) 1896 return -ENOENT; 1897 1898 hook->type = type; 1899 1900 INIT_LIST_HEAD(&hook->list); 1901 if (nft_base_chain_netdev(family, hook->num)) { 1902 err = nft_chain_parse_netdev(net, ha, &hook->list); 1903 if (err < 0) { 1904 module_put(type->owner); 1905 return err; 1906 } 1907 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 1908 module_put(type->owner); 1909 return -EOPNOTSUPP; 1910 } 1911 1912 return 0; 1913 } 1914 1915 static void nft_chain_release_hook(struct nft_chain_hook *hook) 1916 { 1917 struct nft_hook *h, *next; 1918 1919 list_for_each_entry_safe(h, next, &hook->list, list) { 1920 list_del(&h->list); 1921 kfree(h); 1922 } 1923 module_put(hook->type->owner); 1924 } 1925 1926 struct nft_rules_old { 1927 struct rcu_head h; 1928 struct nft_rule **start; 1929 }; 1930 1931 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain, 1932 unsigned int alloc) 1933 { 1934 if (alloc > INT_MAX) 1935 return NULL; 1936 1937 alloc += 1; /* NULL, ends rules */ 1938 if (sizeof(struct nft_rule *) > INT_MAX / alloc) 1939 return NULL; 1940 1941 alloc *= sizeof(struct nft_rule *); 1942 alloc += sizeof(struct nft_rules_old); 1943 1944 return kvmalloc(alloc, GFP_KERNEL); 1945 } 1946 1947 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 1948 const struct nft_chain_hook *hook, 1949 struct nft_chain *chain) 1950 { 1951 ops->pf = family; 1952 ops->hooknum = hook->num; 1953 ops->priority = hook->priority; 1954 ops->priv = chain; 1955 ops->hook = hook->type->hooks[ops->hooknum]; 1956 } 1957 1958 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 1959 struct nft_chain_hook *hook, u32 flags) 1960 { 1961 struct nft_chain *chain; 1962 struct nft_hook *h; 1963 1964 basechain->type = hook->type; 1965 INIT_LIST_HEAD(&basechain->hook_list); 1966 chain = &basechain->chain; 1967 1968 if (nft_base_chain_netdev(family, hook->num)) { 1969 list_splice_init(&hook->list, &basechain->hook_list); 1970 list_for_each_entry(h, &basechain->hook_list, list) 1971 nft_basechain_hook_init(&h->ops, family, hook, chain); 1972 1973 basechain->ops.hooknum = hook->num; 1974 basechain->ops.priority = hook->priority; 1975 } else { 1976 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 1977 } 1978 1979 chain->flags |= NFT_CHAIN_BASE | flags; 1980 basechain->policy = NF_ACCEPT; 1981 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 1982 nft_chain_offload_priority(basechain) < 0) 1983 return -EOPNOTSUPP; 1984 1985 flow_block_init(&basechain->flow_block); 1986 1987 return 0; 1988 } 1989 1990 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 1991 { 1992 int err; 1993 1994 err = rhltable_insert_key(&table->chains_ht, chain->name, 1995 &chain->rhlhead, nft_chain_ht_params); 1996 if (err) 1997 return err; 1998 1999 list_add_tail_rcu(&chain->list, &table->chains); 2000 2001 return 0; 2002 } 2003 2004 static u64 chain_id; 2005 2006 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 2007 u8 policy, u32 flags) 2008 { 2009 const struct nlattr * const *nla = ctx->nla; 2010 struct nft_table *table = ctx->table; 2011 struct nft_base_chain *basechain; 2012 struct nft_stats __percpu *stats; 2013 struct net *net = ctx->net; 2014 char name[NFT_NAME_MAXLEN]; 2015 struct nft_trans *trans; 2016 struct nft_chain *chain; 2017 struct nft_rule **rules; 2018 int err; 2019 2020 if (table->use == UINT_MAX) 2021 return -EOVERFLOW; 2022 2023 if (nla[NFTA_CHAIN_HOOK]) { 2024 struct nft_chain_hook hook; 2025 2026 if (flags & NFT_CHAIN_BINDING) 2027 return -EOPNOTSUPP; 2028 2029 err = nft_chain_parse_hook(net, nla, &hook, family, true); 2030 if (err < 0) 2031 return err; 2032 2033 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL); 2034 if (basechain == NULL) { 2035 nft_chain_release_hook(&hook); 2036 return -ENOMEM; 2037 } 2038 chain = &basechain->chain; 2039 2040 if (nla[NFTA_CHAIN_COUNTERS]) { 2041 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2042 if (IS_ERR(stats)) { 2043 nft_chain_release_hook(&hook); 2044 kfree(basechain); 2045 return PTR_ERR(stats); 2046 } 2047 rcu_assign_pointer(basechain->stats, stats); 2048 static_branch_inc(&nft_counters_enabled); 2049 } 2050 2051 err = nft_basechain_init(basechain, family, &hook, flags); 2052 if (err < 0) { 2053 nft_chain_release_hook(&hook); 2054 kfree(basechain); 2055 return err; 2056 } 2057 } else { 2058 if (flags & NFT_CHAIN_BASE) 2059 return -EINVAL; 2060 if (flags & NFT_CHAIN_HW_OFFLOAD) 2061 return -EOPNOTSUPP; 2062 2063 chain = kzalloc(sizeof(*chain), GFP_KERNEL); 2064 if (chain == NULL) 2065 return -ENOMEM; 2066 2067 chain->flags = flags; 2068 } 2069 ctx->chain = chain; 2070 2071 INIT_LIST_HEAD(&chain->rules); 2072 chain->handle = nf_tables_alloc_handle(table); 2073 chain->table = table; 2074 2075 if (nla[NFTA_CHAIN_NAME]) { 2076 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 2077 } else { 2078 if (!(flags & NFT_CHAIN_BINDING)) { 2079 err = -EINVAL; 2080 goto err_destroy_chain; 2081 } 2082 2083 snprintf(name, sizeof(name), "__chain%llu", ++chain_id); 2084 chain->name = kstrdup(name, GFP_KERNEL); 2085 } 2086 2087 if (!chain->name) { 2088 err = -ENOMEM; 2089 goto err_destroy_chain; 2090 } 2091 2092 if (nla[NFTA_CHAIN_USERDATA]) { 2093 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL); 2094 if (chain->udata == NULL) { 2095 err = -ENOMEM; 2096 goto err_destroy_chain; 2097 } 2098 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]); 2099 } 2100 2101 rules = nf_tables_chain_alloc_rules(chain, 0); 2102 if (!rules) { 2103 err = -ENOMEM; 2104 goto err_destroy_chain; 2105 } 2106 2107 *rules = NULL; 2108 rcu_assign_pointer(chain->rules_gen_0, rules); 2109 rcu_assign_pointer(chain->rules_gen_1, rules); 2110 2111 err = nf_tables_register_hook(net, table, chain); 2112 if (err < 0) 2113 goto err_destroy_chain; 2114 2115 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 2116 if (IS_ERR(trans)) { 2117 err = PTR_ERR(trans); 2118 goto err_unregister_hook; 2119 } 2120 2121 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 2122 if (nft_is_base_chain(chain)) 2123 nft_trans_chain_policy(trans) = policy; 2124 2125 err = nft_chain_add(table, chain); 2126 if (err < 0) { 2127 nft_trans_destroy(trans); 2128 goto err_unregister_hook; 2129 } 2130 2131 table->use++; 2132 2133 return 0; 2134 err_unregister_hook: 2135 nf_tables_unregister_hook(net, table, chain); 2136 err_destroy_chain: 2137 nf_tables_chain_destroy(ctx); 2138 2139 return err; 2140 } 2141 2142 static bool nft_hook_list_equal(struct list_head *hook_list1, 2143 struct list_head *hook_list2) 2144 { 2145 struct nft_hook *hook; 2146 int n = 0, m = 0; 2147 2148 n = 0; 2149 list_for_each_entry(hook, hook_list2, list) { 2150 if (!nft_hook_list_find(hook_list1, hook)) 2151 return false; 2152 2153 n++; 2154 } 2155 list_for_each_entry(hook, hook_list1, list) 2156 m++; 2157 2158 return n == m; 2159 } 2160 2161 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2162 u32 flags, const struct nlattr *attr, 2163 struct netlink_ext_ack *extack) 2164 { 2165 const struct nlattr * const *nla = ctx->nla; 2166 struct nft_table *table = ctx->table; 2167 struct nft_chain *chain = ctx->chain; 2168 struct nft_base_chain *basechain; 2169 struct nft_stats *stats = NULL; 2170 struct nft_chain_hook hook; 2171 struct nf_hook_ops *ops; 2172 struct nft_trans *trans; 2173 int err; 2174 2175 if (chain->flags ^ flags) 2176 return -EOPNOTSUPP; 2177 2178 if (nla[NFTA_CHAIN_HOOK]) { 2179 if (!nft_is_base_chain(chain)) { 2180 NL_SET_BAD_ATTR(extack, attr); 2181 return -EEXIST; 2182 } 2183 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, 2184 false); 2185 if (err < 0) 2186 return err; 2187 2188 basechain = nft_base_chain(chain); 2189 if (basechain->type != hook.type) { 2190 nft_chain_release_hook(&hook); 2191 NL_SET_BAD_ATTR(extack, attr); 2192 return -EEXIST; 2193 } 2194 2195 if (nft_base_chain_netdev(ctx->family, hook.num)) { 2196 if (!nft_hook_list_equal(&basechain->hook_list, 2197 &hook.list)) { 2198 nft_chain_release_hook(&hook); 2199 NL_SET_BAD_ATTR(extack, attr); 2200 return -EEXIST; 2201 } 2202 } else { 2203 ops = &basechain->ops; 2204 if (ops->hooknum != hook.num || 2205 ops->priority != hook.priority) { 2206 nft_chain_release_hook(&hook); 2207 NL_SET_BAD_ATTR(extack, attr); 2208 return -EEXIST; 2209 } 2210 } 2211 nft_chain_release_hook(&hook); 2212 } 2213 2214 if (nla[NFTA_CHAIN_HANDLE] && 2215 nla[NFTA_CHAIN_NAME]) { 2216 struct nft_chain *chain2; 2217 2218 chain2 = nft_chain_lookup(ctx->net, table, 2219 nla[NFTA_CHAIN_NAME], genmask); 2220 if (!IS_ERR(chain2)) { 2221 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2222 return -EEXIST; 2223 } 2224 } 2225 2226 if (nla[NFTA_CHAIN_COUNTERS]) { 2227 if (!nft_is_base_chain(chain)) 2228 return -EOPNOTSUPP; 2229 2230 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2231 if (IS_ERR(stats)) 2232 return PTR_ERR(stats); 2233 } 2234 2235 err = -ENOMEM; 2236 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, 2237 sizeof(struct nft_trans_chain)); 2238 if (trans == NULL) 2239 goto err; 2240 2241 nft_trans_chain_stats(trans) = stats; 2242 nft_trans_chain_update(trans) = true; 2243 2244 if (nla[NFTA_CHAIN_POLICY]) 2245 nft_trans_chain_policy(trans) = policy; 2246 else 2247 nft_trans_chain_policy(trans) = -1; 2248 2249 if (nla[NFTA_CHAIN_HANDLE] && 2250 nla[NFTA_CHAIN_NAME]) { 2251 struct nft_trans *tmp; 2252 char *name; 2253 2254 err = -ENOMEM; 2255 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 2256 if (!name) 2257 goto err; 2258 2259 err = -EEXIST; 2260 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) { 2261 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2262 tmp->ctx.table == table && 2263 nft_trans_chain_update(tmp) && 2264 nft_trans_chain_name(tmp) && 2265 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2266 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2267 kfree(name); 2268 goto err; 2269 } 2270 } 2271 2272 nft_trans_chain_name(trans) = name; 2273 } 2274 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 2275 2276 return 0; 2277 err: 2278 free_percpu(stats); 2279 kfree(trans); 2280 return err; 2281 } 2282 2283 static struct nft_chain *nft_chain_lookup_byid(const struct net *net, 2284 const struct nlattr *nla) 2285 { 2286 u32 id = ntohl(nla_get_be32(nla)); 2287 struct nft_trans *trans; 2288 2289 list_for_each_entry(trans, &net->nft.commit_list, list) { 2290 struct nft_chain *chain = trans->ctx.chain; 2291 2292 if (trans->msg_type == NFT_MSG_NEWCHAIN && 2293 id == nft_trans_chain_id(trans)) 2294 return chain; 2295 } 2296 return ERR_PTR(-ENOENT); 2297 } 2298 2299 static int nf_tables_newchain(struct net *net, struct sock *nlsk, 2300 struct sk_buff *skb, const struct nlmsghdr *nlh, 2301 const struct nlattr * const nla[], 2302 struct netlink_ext_ack *extack) 2303 { 2304 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2305 u8 genmask = nft_genmask_next(net); 2306 int family = nfmsg->nfgen_family; 2307 struct nft_chain *chain = NULL; 2308 const struct nlattr *attr; 2309 struct nft_table *table; 2310 u8 policy = NF_ACCEPT; 2311 struct nft_ctx ctx; 2312 u64 handle = 0; 2313 u32 flags = 0; 2314 2315 lockdep_assert_held(&net->nft.commit_mutex); 2316 2317 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2318 NETLINK_CB(skb).portid); 2319 if (IS_ERR(table)) { 2320 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2321 return PTR_ERR(table); 2322 } 2323 2324 chain = NULL; 2325 attr = nla[NFTA_CHAIN_NAME]; 2326 2327 if (nla[NFTA_CHAIN_HANDLE]) { 2328 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 2329 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2330 if (IS_ERR(chain)) { 2331 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 2332 return PTR_ERR(chain); 2333 } 2334 attr = nla[NFTA_CHAIN_HANDLE]; 2335 } else if (nla[NFTA_CHAIN_NAME]) { 2336 chain = nft_chain_lookup(net, table, attr, genmask); 2337 if (IS_ERR(chain)) { 2338 if (PTR_ERR(chain) != -ENOENT) { 2339 NL_SET_BAD_ATTR(extack, attr); 2340 return PTR_ERR(chain); 2341 } 2342 chain = NULL; 2343 } 2344 } else if (!nla[NFTA_CHAIN_ID]) { 2345 return -EINVAL; 2346 } 2347 2348 if (nla[NFTA_CHAIN_POLICY]) { 2349 if (chain != NULL && 2350 !nft_is_base_chain(chain)) { 2351 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2352 return -EOPNOTSUPP; 2353 } 2354 2355 if (chain == NULL && 2356 nla[NFTA_CHAIN_HOOK] == NULL) { 2357 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2358 return -EOPNOTSUPP; 2359 } 2360 2361 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 2362 switch (policy) { 2363 case NF_DROP: 2364 case NF_ACCEPT: 2365 break; 2366 default: 2367 return -EINVAL; 2368 } 2369 } 2370 2371 if (nla[NFTA_CHAIN_FLAGS]) 2372 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 2373 else if (chain) 2374 flags = chain->flags; 2375 2376 if (flags & ~NFT_CHAIN_FLAGS) 2377 return -EOPNOTSUPP; 2378 2379 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 2380 2381 if (chain != NULL) { 2382 if (nlh->nlmsg_flags & NLM_F_EXCL) { 2383 NL_SET_BAD_ATTR(extack, attr); 2384 return -EEXIST; 2385 } 2386 if (nlh->nlmsg_flags & NLM_F_REPLACE) 2387 return -EOPNOTSUPP; 2388 2389 flags |= chain->flags & NFT_CHAIN_BASE; 2390 return nf_tables_updchain(&ctx, genmask, policy, flags, attr, 2391 extack); 2392 } 2393 2394 return nf_tables_addchain(&ctx, family, genmask, policy, flags); 2395 } 2396 2397 static int nf_tables_delchain(struct net *net, struct sock *nlsk, 2398 struct sk_buff *skb, const struct nlmsghdr *nlh, 2399 const struct nlattr * const nla[], 2400 struct netlink_ext_ack *extack) 2401 { 2402 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2403 u8 genmask = nft_genmask_next(net); 2404 int family = nfmsg->nfgen_family; 2405 const struct nlattr *attr; 2406 struct nft_table *table; 2407 struct nft_chain *chain; 2408 struct nft_rule *rule; 2409 struct nft_ctx ctx; 2410 u64 handle; 2411 u32 use; 2412 int err; 2413 2414 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2415 NETLINK_CB(skb).portid); 2416 if (IS_ERR(table)) { 2417 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2418 return PTR_ERR(table); 2419 } 2420 2421 if (nla[NFTA_CHAIN_HANDLE]) { 2422 attr = nla[NFTA_CHAIN_HANDLE]; 2423 handle = be64_to_cpu(nla_get_be64(attr)); 2424 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2425 } else { 2426 attr = nla[NFTA_CHAIN_NAME]; 2427 chain = nft_chain_lookup(net, table, attr, genmask); 2428 } 2429 if (IS_ERR(chain)) { 2430 NL_SET_BAD_ATTR(extack, attr); 2431 return PTR_ERR(chain); 2432 } 2433 2434 if (nlh->nlmsg_flags & NLM_F_NONREC && 2435 chain->use > 0) 2436 return -EBUSY; 2437 2438 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 2439 2440 use = chain->use; 2441 list_for_each_entry(rule, &chain->rules, list) { 2442 if (!nft_is_active_next(net, rule)) 2443 continue; 2444 use--; 2445 2446 err = nft_delrule(&ctx, rule); 2447 if (err < 0) 2448 return err; 2449 } 2450 2451 /* There are rules and elements that are still holding references to us, 2452 * we cannot do a recursive removal in this case. 2453 */ 2454 if (use > 0) { 2455 NL_SET_BAD_ATTR(extack, attr); 2456 return -EBUSY; 2457 } 2458 2459 return nft_delchain(&ctx); 2460 } 2461 2462 /* 2463 * Expressions 2464 */ 2465 2466 /** 2467 * nft_register_expr - register nf_tables expr type 2468 * @type: expr type 2469 * 2470 * Registers the expr type for use with nf_tables. Returns zero on 2471 * success or a negative errno code otherwise. 2472 */ 2473 int nft_register_expr(struct nft_expr_type *type) 2474 { 2475 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2476 if (type->family == NFPROTO_UNSPEC) 2477 list_add_tail_rcu(&type->list, &nf_tables_expressions); 2478 else 2479 list_add_rcu(&type->list, &nf_tables_expressions); 2480 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2481 return 0; 2482 } 2483 EXPORT_SYMBOL_GPL(nft_register_expr); 2484 2485 /** 2486 * nft_unregister_expr - unregister nf_tables expr type 2487 * @type: expr type 2488 * 2489 * Unregisters the expr typefor use with nf_tables. 2490 */ 2491 void nft_unregister_expr(struct nft_expr_type *type) 2492 { 2493 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2494 list_del_rcu(&type->list); 2495 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2496 } 2497 EXPORT_SYMBOL_GPL(nft_unregister_expr); 2498 2499 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 2500 struct nlattr *nla) 2501 { 2502 const struct nft_expr_type *type, *candidate = NULL; 2503 2504 list_for_each_entry(type, &nf_tables_expressions, list) { 2505 if (!nla_strcmp(nla, type->name)) { 2506 if (!type->family && !candidate) 2507 candidate = type; 2508 else if (type->family == family) 2509 candidate = type; 2510 } 2511 } 2512 return candidate; 2513 } 2514 2515 #ifdef CONFIG_MODULES 2516 static int nft_expr_type_request_module(struct net *net, u8 family, 2517 struct nlattr *nla) 2518 { 2519 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 2520 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 2521 return -EAGAIN; 2522 2523 return 0; 2524 } 2525 #endif 2526 2527 static const struct nft_expr_type *nft_expr_type_get(struct net *net, 2528 u8 family, 2529 struct nlattr *nla) 2530 { 2531 const struct nft_expr_type *type; 2532 2533 if (nla == NULL) 2534 return ERR_PTR(-EINVAL); 2535 2536 type = __nft_expr_type_get(family, nla); 2537 if (type != NULL && try_module_get(type->owner)) 2538 return type; 2539 2540 lockdep_nfnl_nft_mutex_not_held(); 2541 #ifdef CONFIG_MODULES 2542 if (type == NULL) { 2543 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 2544 return ERR_PTR(-EAGAIN); 2545 2546 if (nft_request_module(net, "nft-expr-%.*s", 2547 nla_len(nla), 2548 (char *)nla_data(nla)) == -EAGAIN) 2549 return ERR_PTR(-EAGAIN); 2550 } 2551 #endif 2552 return ERR_PTR(-ENOENT); 2553 } 2554 2555 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 2556 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 2557 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 2558 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 2559 }; 2560 2561 static int nf_tables_fill_expr_info(struct sk_buff *skb, 2562 const struct nft_expr *expr) 2563 { 2564 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 2565 goto nla_put_failure; 2566 2567 if (expr->ops->dump) { 2568 struct nlattr *data = nla_nest_start_noflag(skb, 2569 NFTA_EXPR_DATA); 2570 if (data == NULL) 2571 goto nla_put_failure; 2572 if (expr->ops->dump(skb, expr) < 0) 2573 goto nla_put_failure; 2574 nla_nest_end(skb, data); 2575 } 2576 2577 return skb->len; 2578 2579 nla_put_failure: 2580 return -1; 2581 }; 2582 2583 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 2584 const struct nft_expr *expr) 2585 { 2586 struct nlattr *nest; 2587 2588 nest = nla_nest_start_noflag(skb, attr); 2589 if (!nest) 2590 goto nla_put_failure; 2591 if (nf_tables_fill_expr_info(skb, expr) < 0) 2592 goto nla_put_failure; 2593 nla_nest_end(skb, nest); 2594 return 0; 2595 2596 nla_put_failure: 2597 return -1; 2598 } 2599 2600 struct nft_expr_info { 2601 const struct nft_expr_ops *ops; 2602 const struct nlattr *attr; 2603 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 2604 }; 2605 2606 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 2607 const struct nlattr *nla, 2608 struct nft_expr_info *info) 2609 { 2610 const struct nft_expr_type *type; 2611 const struct nft_expr_ops *ops; 2612 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 2613 int err; 2614 2615 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 2616 nft_expr_policy, NULL); 2617 if (err < 0) 2618 return err; 2619 2620 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 2621 if (IS_ERR(type)) 2622 return PTR_ERR(type); 2623 2624 if (tb[NFTA_EXPR_DATA]) { 2625 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 2626 tb[NFTA_EXPR_DATA], 2627 type->policy, NULL); 2628 if (err < 0) 2629 goto err1; 2630 } else 2631 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 2632 2633 if (type->select_ops != NULL) { 2634 ops = type->select_ops(ctx, 2635 (const struct nlattr * const *)info->tb); 2636 if (IS_ERR(ops)) { 2637 err = PTR_ERR(ops); 2638 #ifdef CONFIG_MODULES 2639 if (err == -EAGAIN) 2640 if (nft_expr_type_request_module(ctx->net, 2641 ctx->family, 2642 tb[NFTA_EXPR_NAME]) != -EAGAIN) 2643 err = -ENOENT; 2644 #endif 2645 goto err1; 2646 } 2647 } else 2648 ops = type->ops; 2649 2650 info->attr = nla; 2651 info->ops = ops; 2652 2653 return 0; 2654 2655 err1: 2656 module_put(type->owner); 2657 return err; 2658 } 2659 2660 static int nf_tables_newexpr(const struct nft_ctx *ctx, 2661 const struct nft_expr_info *info, 2662 struct nft_expr *expr) 2663 { 2664 const struct nft_expr_ops *ops = info->ops; 2665 int err; 2666 2667 expr->ops = ops; 2668 if (ops->init) { 2669 err = ops->init(ctx, expr, (const struct nlattr **)info->tb); 2670 if (err < 0) 2671 goto err1; 2672 } 2673 2674 return 0; 2675 err1: 2676 expr->ops = NULL; 2677 return err; 2678 } 2679 2680 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 2681 struct nft_expr *expr) 2682 { 2683 const struct nft_expr_type *type = expr->ops->type; 2684 2685 if (expr->ops->destroy) 2686 expr->ops->destroy(ctx, expr); 2687 module_put(type->owner); 2688 } 2689 2690 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 2691 const struct nlattr *nla) 2692 { 2693 struct nft_expr_info info; 2694 struct nft_expr *expr; 2695 struct module *owner; 2696 int err; 2697 2698 err = nf_tables_expr_parse(ctx, nla, &info); 2699 if (err < 0) 2700 goto err1; 2701 2702 err = -ENOMEM; 2703 expr = kzalloc(info.ops->size, GFP_KERNEL); 2704 if (expr == NULL) 2705 goto err2; 2706 2707 err = nf_tables_newexpr(ctx, &info, expr); 2708 if (err < 0) 2709 goto err3; 2710 2711 return expr; 2712 err3: 2713 kfree(expr); 2714 err2: 2715 owner = info.ops->type->owner; 2716 if (info.ops->type->release_ops) 2717 info.ops->type->release_ops(info.ops); 2718 2719 module_put(owner); 2720 err1: 2721 return ERR_PTR(err); 2722 } 2723 2724 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 2725 { 2726 int err; 2727 2728 if (src->ops->clone) { 2729 dst->ops = src->ops; 2730 err = src->ops->clone(dst, src); 2731 if (err < 0) 2732 return err; 2733 } else { 2734 memcpy(dst, src, src->ops->size); 2735 } 2736 2737 __module_get(src->ops->type->owner); 2738 2739 return 0; 2740 } 2741 2742 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 2743 { 2744 nf_tables_expr_destroy(ctx, expr); 2745 kfree(expr); 2746 } 2747 2748 /* 2749 * Rules 2750 */ 2751 2752 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain, 2753 u64 handle) 2754 { 2755 struct nft_rule *rule; 2756 2757 // FIXME: this sucks 2758 list_for_each_entry_rcu(rule, &chain->rules, list) { 2759 if (handle == rule->handle) 2760 return rule; 2761 } 2762 2763 return ERR_PTR(-ENOENT); 2764 } 2765 2766 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain, 2767 const struct nlattr *nla) 2768 { 2769 if (nla == NULL) 2770 return ERR_PTR(-EINVAL); 2771 2772 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 2773 } 2774 2775 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 2776 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 2777 .len = NFT_TABLE_MAXNAMELEN - 1 }, 2778 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 2779 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 2780 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 2781 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED }, 2782 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 2783 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 2784 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 2785 .len = NFT_USERDATA_MAXLEN }, 2786 [NFTA_RULE_ID] = { .type = NLA_U32 }, 2787 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 2788 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 }, 2789 }; 2790 2791 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 2792 u32 portid, u32 seq, int event, 2793 u32 flags, int family, 2794 const struct nft_table *table, 2795 const struct nft_chain *chain, 2796 const struct nft_rule *rule, 2797 const struct nft_rule *prule) 2798 { 2799 struct nlmsghdr *nlh; 2800 struct nfgenmsg *nfmsg; 2801 const struct nft_expr *expr, *next; 2802 struct nlattr *list; 2803 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 2804 2805 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); 2806 if (nlh == NULL) 2807 goto nla_put_failure; 2808 2809 nfmsg = nlmsg_data(nlh); 2810 nfmsg->nfgen_family = family; 2811 nfmsg->version = NFNETLINK_V0; 2812 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 2813 2814 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 2815 goto nla_put_failure; 2816 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 2817 goto nla_put_failure; 2818 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 2819 NFTA_RULE_PAD)) 2820 goto nla_put_failure; 2821 2822 if (event != NFT_MSG_DELRULE && prule) { 2823 if (nla_put_be64(skb, NFTA_RULE_POSITION, 2824 cpu_to_be64(prule->handle), 2825 NFTA_RULE_PAD)) 2826 goto nla_put_failure; 2827 } 2828 2829 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 2830 if (list == NULL) 2831 goto nla_put_failure; 2832 nft_rule_for_each_expr(expr, next, rule) { 2833 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 2834 goto nla_put_failure; 2835 } 2836 nla_nest_end(skb, list); 2837 2838 if (rule->udata) { 2839 struct nft_userdata *udata = nft_userdata(rule); 2840 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 2841 udata->data) < 0) 2842 goto nla_put_failure; 2843 } 2844 2845 nlmsg_end(skb, nlh); 2846 return 0; 2847 2848 nla_put_failure: 2849 nlmsg_trim(skb, nlh); 2850 return -1; 2851 } 2852 2853 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 2854 const struct nft_rule *rule, int event) 2855 { 2856 struct sk_buff *skb; 2857 int err; 2858 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 2859 ctx->table->name, ctx->table->handle, 2860 ctx->chain->name, ctx->chain->handle); 2861 2862 audit_log_nfcfg(buf, 2863 ctx->family, 2864 rule->handle, 2865 event == NFT_MSG_NEWRULE ? 2866 AUDIT_NFT_OP_RULE_REGISTER : 2867 AUDIT_NFT_OP_RULE_UNREGISTER, 2868 GFP_KERNEL); 2869 kfree(buf); 2870 2871 if (!ctx->report && 2872 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 2873 return; 2874 2875 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 2876 if (skb == NULL) 2877 goto err; 2878 2879 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 2880 event, 0, ctx->family, ctx->table, 2881 ctx->chain, rule, NULL); 2882 if (err < 0) { 2883 kfree_skb(skb); 2884 goto err; 2885 } 2886 2887 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 2888 return; 2889 err: 2890 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 2891 } 2892 2893 struct nft_rule_dump_ctx { 2894 char *table; 2895 char *chain; 2896 }; 2897 2898 static int __nf_tables_dump_rules(struct sk_buff *skb, 2899 unsigned int *idx, 2900 struct netlink_callback *cb, 2901 const struct nft_table *table, 2902 const struct nft_chain *chain) 2903 { 2904 struct net *net = sock_net(skb->sk); 2905 const struct nft_rule *rule, *prule; 2906 unsigned int s_idx = cb->args[0]; 2907 2908 prule = NULL; 2909 list_for_each_entry_rcu(rule, &chain->rules, list) { 2910 if (!nft_is_active(net, rule)) 2911 goto cont_skip; 2912 if (*idx < s_idx) 2913 goto cont; 2914 if (*idx > s_idx) { 2915 memset(&cb->args[1], 0, 2916 sizeof(cb->args) - sizeof(cb->args[0])); 2917 } 2918 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 2919 cb->nlh->nlmsg_seq, 2920 NFT_MSG_NEWRULE, 2921 NLM_F_MULTI | NLM_F_APPEND, 2922 table->family, 2923 table, chain, rule, prule) < 0) 2924 return 1; 2925 2926 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 2927 cont: 2928 prule = rule; 2929 cont_skip: 2930 (*idx)++; 2931 } 2932 return 0; 2933 } 2934 2935 static int nf_tables_dump_rules(struct sk_buff *skb, 2936 struct netlink_callback *cb) 2937 { 2938 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2939 const struct nft_rule_dump_ctx *ctx = cb->data; 2940 struct nft_table *table; 2941 const struct nft_chain *chain; 2942 unsigned int idx = 0; 2943 struct net *net = sock_net(skb->sk); 2944 int family = nfmsg->nfgen_family; 2945 2946 rcu_read_lock(); 2947 cb->seq = net->nft.base_seq; 2948 2949 list_for_each_entry_rcu(table, &net->nft.tables, list) { 2950 if (family != NFPROTO_UNSPEC && family != table->family) 2951 continue; 2952 2953 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) 2954 continue; 2955 2956 if (ctx && ctx->table && ctx->chain) { 2957 struct rhlist_head *list, *tmp; 2958 2959 list = rhltable_lookup(&table->chains_ht, ctx->chain, 2960 nft_chain_ht_params); 2961 if (!list) 2962 goto done; 2963 2964 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 2965 if (!nft_is_active(net, chain)) 2966 continue; 2967 __nf_tables_dump_rules(skb, &idx, 2968 cb, table, chain); 2969 break; 2970 } 2971 goto done; 2972 } 2973 2974 list_for_each_entry_rcu(chain, &table->chains, list) { 2975 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain)) 2976 goto done; 2977 } 2978 2979 if (ctx && ctx->table) 2980 break; 2981 } 2982 done: 2983 rcu_read_unlock(); 2984 2985 cb->args[0] = idx; 2986 return skb->len; 2987 } 2988 2989 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 2990 { 2991 const struct nlattr * const *nla = cb->data; 2992 struct nft_rule_dump_ctx *ctx = NULL; 2993 2994 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) { 2995 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC); 2996 if (!ctx) 2997 return -ENOMEM; 2998 2999 if (nla[NFTA_RULE_TABLE]) { 3000 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], 3001 GFP_ATOMIC); 3002 if (!ctx->table) { 3003 kfree(ctx); 3004 return -ENOMEM; 3005 } 3006 } 3007 if (nla[NFTA_RULE_CHAIN]) { 3008 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], 3009 GFP_ATOMIC); 3010 if (!ctx->chain) { 3011 kfree(ctx->table); 3012 kfree(ctx); 3013 return -ENOMEM; 3014 } 3015 } 3016 } 3017 3018 cb->data = ctx; 3019 return 0; 3020 } 3021 3022 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 3023 { 3024 struct nft_rule_dump_ctx *ctx = cb->data; 3025 3026 if (ctx) { 3027 kfree(ctx->table); 3028 kfree(ctx->chain); 3029 kfree(ctx); 3030 } 3031 return 0; 3032 } 3033 3034 /* called with rcu_read_lock held */ 3035 static int nf_tables_getrule(struct net *net, struct sock *nlsk, 3036 struct sk_buff *skb, const struct nlmsghdr *nlh, 3037 const struct nlattr * const nla[], 3038 struct netlink_ext_ack *extack) 3039 { 3040 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3041 u8 genmask = nft_genmask_cur(net); 3042 const struct nft_chain *chain; 3043 const struct nft_rule *rule; 3044 struct nft_table *table; 3045 struct sk_buff *skb2; 3046 int family = nfmsg->nfgen_family; 3047 int err; 3048 3049 if (nlh->nlmsg_flags & NLM_F_DUMP) { 3050 struct netlink_dump_control c = { 3051 .start= nf_tables_dump_rules_start, 3052 .dump = nf_tables_dump_rules, 3053 .done = nf_tables_dump_rules_done, 3054 .module = THIS_MODULE, 3055 .data = (void *)nla, 3056 }; 3057 3058 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 3059 } 3060 3061 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0); 3062 if (IS_ERR(table)) { 3063 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3064 return PTR_ERR(table); 3065 } 3066 3067 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 3068 if (IS_ERR(chain)) { 3069 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3070 return PTR_ERR(chain); 3071 } 3072 3073 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3074 if (IS_ERR(rule)) { 3075 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3076 return PTR_ERR(rule); 3077 } 3078 3079 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3080 if (!skb2) 3081 return -ENOMEM; 3082 3083 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, 3084 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 3085 family, table, chain, rule, NULL); 3086 if (err < 0) 3087 goto err_fill_rule_info; 3088 3089 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 3090 3091 err_fill_rule_info: 3092 kfree_skb(skb2); 3093 return err; 3094 } 3095 3096 static void nf_tables_rule_destroy(const struct nft_ctx *ctx, 3097 struct nft_rule *rule) 3098 { 3099 struct nft_expr *expr, *next; 3100 3101 /* 3102 * Careful: some expressions might not be initialized in case this 3103 * is called on error from nf_tables_newrule(). 3104 */ 3105 expr = nft_expr_first(rule); 3106 while (nft_expr_more(rule, expr)) { 3107 next = nft_expr_next(expr); 3108 nf_tables_expr_destroy(ctx, expr); 3109 expr = next; 3110 } 3111 kfree(rule); 3112 } 3113 3114 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 3115 { 3116 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 3117 nf_tables_rule_destroy(ctx, rule); 3118 } 3119 3120 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 3121 { 3122 struct nft_expr *expr, *last; 3123 const struct nft_data *data; 3124 struct nft_rule *rule; 3125 int err; 3126 3127 if (ctx->level == NFT_JUMP_STACK_SIZE) 3128 return -EMLINK; 3129 3130 list_for_each_entry(rule, &chain->rules, list) { 3131 if (!nft_is_active_next(ctx->net, rule)) 3132 continue; 3133 3134 nft_rule_for_each_expr(expr, last, rule) { 3135 if (!expr->ops->validate) 3136 continue; 3137 3138 err = expr->ops->validate(ctx, expr, &data); 3139 if (err < 0) 3140 return err; 3141 } 3142 } 3143 3144 return 0; 3145 } 3146 EXPORT_SYMBOL_GPL(nft_chain_validate); 3147 3148 static int nft_table_validate(struct net *net, const struct nft_table *table) 3149 { 3150 struct nft_chain *chain; 3151 struct nft_ctx ctx = { 3152 .net = net, 3153 .family = table->family, 3154 }; 3155 int err; 3156 3157 list_for_each_entry(chain, &table->chains, list) { 3158 if (!nft_is_base_chain(chain)) 3159 continue; 3160 3161 ctx.chain = chain; 3162 err = nft_chain_validate(&ctx, chain); 3163 if (err < 0) 3164 return err; 3165 } 3166 3167 return 0; 3168 } 3169 3170 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3171 const struct nlattr *nla); 3172 3173 #define NFT_RULE_MAXEXPRS 128 3174 3175 static int nf_tables_newrule(struct net *net, struct sock *nlsk, 3176 struct sk_buff *skb, const struct nlmsghdr *nlh, 3177 const struct nlattr * const nla[], 3178 struct netlink_ext_ack *extack) 3179 { 3180 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3181 u8 genmask = nft_genmask_next(net); 3182 struct nft_expr_info *info = NULL; 3183 int family = nfmsg->nfgen_family; 3184 struct nft_flow_rule *flow; 3185 struct nft_table *table; 3186 struct nft_chain *chain; 3187 struct nft_rule *rule, *old_rule = NULL; 3188 struct nft_userdata *udata; 3189 struct nft_trans *trans = NULL; 3190 struct nft_expr *expr; 3191 struct nft_ctx ctx; 3192 struct nlattr *tmp; 3193 unsigned int size, i, n, ulen = 0, usize = 0; 3194 int err, rem; 3195 u64 handle, pos_handle; 3196 3197 lockdep_assert_held(&net->nft.commit_mutex); 3198 3199 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3200 NETLINK_CB(skb).portid); 3201 if (IS_ERR(table)) { 3202 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3203 return PTR_ERR(table); 3204 } 3205 3206 if (nla[NFTA_RULE_CHAIN]) { 3207 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3208 genmask); 3209 if (IS_ERR(chain)) { 3210 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3211 return PTR_ERR(chain); 3212 } 3213 if (nft_chain_is_bound(chain)) 3214 return -EOPNOTSUPP; 3215 3216 } else if (nla[NFTA_RULE_CHAIN_ID]) { 3217 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]); 3218 if (IS_ERR(chain)) { 3219 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); 3220 return PTR_ERR(chain); 3221 } 3222 } else { 3223 return -EINVAL; 3224 } 3225 3226 if (nla[NFTA_RULE_HANDLE]) { 3227 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 3228 rule = __nft_rule_lookup(chain, handle); 3229 if (IS_ERR(rule)) { 3230 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3231 return PTR_ERR(rule); 3232 } 3233 3234 if (nlh->nlmsg_flags & NLM_F_EXCL) { 3235 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3236 return -EEXIST; 3237 } 3238 if (nlh->nlmsg_flags & NLM_F_REPLACE) 3239 old_rule = rule; 3240 else 3241 return -EOPNOTSUPP; 3242 } else { 3243 if (!(nlh->nlmsg_flags & NLM_F_CREATE) || 3244 nlh->nlmsg_flags & NLM_F_REPLACE) 3245 return -EINVAL; 3246 handle = nf_tables_alloc_handle(table); 3247 3248 if (chain->use == UINT_MAX) 3249 return -EOVERFLOW; 3250 3251 if (nla[NFTA_RULE_POSITION]) { 3252 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 3253 old_rule = __nft_rule_lookup(chain, pos_handle); 3254 if (IS_ERR(old_rule)) { 3255 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 3256 return PTR_ERR(old_rule); 3257 } 3258 } else if (nla[NFTA_RULE_POSITION_ID]) { 3259 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]); 3260 if (IS_ERR(old_rule)) { 3261 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 3262 return PTR_ERR(old_rule); 3263 } 3264 } 3265 } 3266 3267 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 3268 3269 n = 0; 3270 size = 0; 3271 if (nla[NFTA_RULE_EXPRESSIONS]) { 3272 info = kvmalloc_array(NFT_RULE_MAXEXPRS, 3273 sizeof(struct nft_expr_info), 3274 GFP_KERNEL); 3275 if (!info) 3276 return -ENOMEM; 3277 3278 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 3279 err = -EINVAL; 3280 if (nla_type(tmp) != NFTA_LIST_ELEM) 3281 goto err1; 3282 if (n == NFT_RULE_MAXEXPRS) 3283 goto err1; 3284 err = nf_tables_expr_parse(&ctx, tmp, &info[n]); 3285 if (err < 0) 3286 goto err1; 3287 size += info[n].ops->size; 3288 n++; 3289 } 3290 } 3291 /* Check for overflow of dlen field */ 3292 err = -EFBIG; 3293 if (size >= 1 << 12) 3294 goto err1; 3295 3296 if (nla[NFTA_RULE_USERDATA]) { 3297 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 3298 if (ulen > 0) 3299 usize = sizeof(struct nft_userdata) + ulen; 3300 } 3301 3302 err = -ENOMEM; 3303 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL); 3304 if (rule == NULL) 3305 goto err1; 3306 3307 nft_activate_next(net, rule); 3308 3309 rule->handle = handle; 3310 rule->dlen = size; 3311 rule->udata = ulen ? 1 : 0; 3312 3313 if (ulen) { 3314 udata = nft_userdata(rule); 3315 udata->len = ulen - 1; 3316 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 3317 } 3318 3319 expr = nft_expr_first(rule); 3320 for (i = 0; i < n; i++) { 3321 err = nf_tables_newexpr(&ctx, &info[i], expr); 3322 if (err < 0) { 3323 NL_SET_BAD_ATTR(extack, info[i].attr); 3324 goto err2; 3325 } 3326 3327 if (info[i].ops->validate) 3328 nft_validate_state_update(net, NFT_VALIDATE_NEED); 3329 3330 info[i].ops = NULL; 3331 expr = nft_expr_next(expr); 3332 } 3333 3334 if (nlh->nlmsg_flags & NLM_F_REPLACE) { 3335 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3336 if (trans == NULL) { 3337 err = -ENOMEM; 3338 goto err2; 3339 } 3340 err = nft_delrule(&ctx, old_rule); 3341 if (err < 0) { 3342 nft_trans_destroy(trans); 3343 goto err2; 3344 } 3345 3346 list_add_tail_rcu(&rule->list, &old_rule->list); 3347 } else { 3348 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3349 if (!trans) { 3350 err = -ENOMEM; 3351 goto err2; 3352 } 3353 3354 if (nlh->nlmsg_flags & NLM_F_APPEND) { 3355 if (old_rule) 3356 list_add_rcu(&rule->list, &old_rule->list); 3357 else 3358 list_add_tail_rcu(&rule->list, &chain->rules); 3359 } else { 3360 if (old_rule) 3361 list_add_tail_rcu(&rule->list, &old_rule->list); 3362 else 3363 list_add_rcu(&rule->list, &chain->rules); 3364 } 3365 } 3366 kvfree(info); 3367 chain->use++; 3368 3369 if (net->nft.validate_state == NFT_VALIDATE_DO) 3370 return nft_table_validate(net, table); 3371 3372 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 3373 flow = nft_flow_rule_create(net, rule); 3374 if (IS_ERR(flow)) 3375 return PTR_ERR(flow); 3376 3377 nft_trans_flow_rule(trans) = flow; 3378 } 3379 3380 return 0; 3381 err2: 3382 nf_tables_rule_release(&ctx, rule); 3383 err1: 3384 for (i = 0; i < n; i++) { 3385 if (info[i].ops) { 3386 module_put(info[i].ops->type->owner); 3387 if (info[i].ops->type->release_ops) 3388 info[i].ops->type->release_ops(info[i].ops); 3389 } 3390 } 3391 kvfree(info); 3392 return err; 3393 } 3394 3395 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3396 const struct nlattr *nla) 3397 { 3398 u32 id = ntohl(nla_get_be32(nla)); 3399 struct nft_trans *trans; 3400 3401 list_for_each_entry(trans, &net->nft.commit_list, list) { 3402 struct nft_rule *rule = nft_trans_rule(trans); 3403 3404 if (trans->msg_type == NFT_MSG_NEWRULE && 3405 id == nft_trans_rule_id(trans)) 3406 return rule; 3407 } 3408 return ERR_PTR(-ENOENT); 3409 } 3410 3411 static int nf_tables_delrule(struct net *net, struct sock *nlsk, 3412 struct sk_buff *skb, const struct nlmsghdr *nlh, 3413 const struct nlattr * const nla[], 3414 struct netlink_ext_ack *extack) 3415 { 3416 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3417 u8 genmask = nft_genmask_next(net); 3418 struct nft_table *table; 3419 struct nft_chain *chain = NULL; 3420 struct nft_rule *rule; 3421 int family = nfmsg->nfgen_family, err = 0; 3422 struct nft_ctx ctx; 3423 3424 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3425 NETLINK_CB(skb).portid); 3426 if (IS_ERR(table)) { 3427 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3428 return PTR_ERR(table); 3429 } 3430 3431 if (nla[NFTA_RULE_CHAIN]) { 3432 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3433 genmask); 3434 if (IS_ERR(chain)) { 3435 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3436 return PTR_ERR(chain); 3437 } 3438 if (nft_chain_is_bound(chain)) 3439 return -EOPNOTSUPP; 3440 } 3441 3442 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 3443 3444 if (chain) { 3445 if (nla[NFTA_RULE_HANDLE]) { 3446 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3447 if (IS_ERR(rule)) { 3448 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3449 return PTR_ERR(rule); 3450 } 3451 3452 err = nft_delrule(&ctx, rule); 3453 } else if (nla[NFTA_RULE_ID]) { 3454 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); 3455 if (IS_ERR(rule)) { 3456 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 3457 return PTR_ERR(rule); 3458 } 3459 3460 err = nft_delrule(&ctx, rule); 3461 } else { 3462 err = nft_delrule_by_chain(&ctx); 3463 } 3464 } else { 3465 list_for_each_entry(chain, &table->chains, list) { 3466 if (!nft_is_active_next(net, chain)) 3467 continue; 3468 3469 ctx.chain = chain; 3470 err = nft_delrule_by_chain(&ctx); 3471 if (err < 0) 3472 break; 3473 } 3474 } 3475 3476 return err; 3477 } 3478 3479 /* 3480 * Sets 3481 */ 3482 static const struct nft_set_type *nft_set_types[] = { 3483 &nft_set_hash_fast_type, 3484 &nft_set_hash_type, 3485 &nft_set_rhash_type, 3486 &nft_set_bitmap_type, 3487 &nft_set_rbtree_type, 3488 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 3489 &nft_set_pipapo_avx2_type, 3490 #endif 3491 &nft_set_pipapo_type, 3492 }; 3493 3494 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 3495 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 3496 NFT_SET_EVAL) 3497 3498 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 3499 { 3500 return (flags & type->features) == (flags & NFT_SET_FEATURES); 3501 } 3502 3503 /* 3504 * Select a set implementation based on the data characteristics and the 3505 * given policy. The total memory use might not be known if no size is 3506 * given, in that case the amount of memory per element is used. 3507 */ 3508 static const struct nft_set_ops * 3509 nft_select_set_ops(const struct nft_ctx *ctx, 3510 const struct nlattr * const nla[], 3511 const struct nft_set_desc *desc, 3512 enum nft_set_policies policy) 3513 { 3514 const struct nft_set_ops *ops, *bops; 3515 struct nft_set_estimate est, best; 3516 const struct nft_set_type *type; 3517 u32 flags = 0; 3518 int i; 3519 3520 lockdep_assert_held(&ctx->net->nft.commit_mutex); 3521 lockdep_nfnl_nft_mutex_not_held(); 3522 3523 if (nla[NFTA_SET_FLAGS] != NULL) 3524 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 3525 3526 bops = NULL; 3527 best.size = ~0; 3528 best.lookup = ~0; 3529 best.space = ~0; 3530 3531 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 3532 type = nft_set_types[i]; 3533 ops = &type->ops; 3534 3535 if (!nft_set_ops_candidate(type, flags)) 3536 continue; 3537 if (!ops->estimate(desc, flags, &est)) 3538 continue; 3539 3540 switch (policy) { 3541 case NFT_SET_POL_PERFORMANCE: 3542 if (est.lookup < best.lookup) 3543 break; 3544 if (est.lookup == best.lookup && 3545 est.space < best.space) 3546 break; 3547 continue; 3548 case NFT_SET_POL_MEMORY: 3549 if (!desc->size) { 3550 if (est.space < best.space) 3551 break; 3552 if (est.space == best.space && 3553 est.lookup < best.lookup) 3554 break; 3555 } else if (est.size < best.size || !bops) { 3556 break; 3557 } 3558 continue; 3559 default: 3560 break; 3561 } 3562 3563 bops = ops; 3564 best = est; 3565 } 3566 3567 if (bops != NULL) 3568 return bops; 3569 3570 return ERR_PTR(-EOPNOTSUPP); 3571 } 3572 3573 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 3574 [NFTA_SET_TABLE] = { .type = NLA_STRING, 3575 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3576 [NFTA_SET_NAME] = { .type = NLA_STRING, 3577 .len = NFT_SET_MAXNAMELEN - 1 }, 3578 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 3579 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 3580 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 3581 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 3582 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 3583 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 3584 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 3585 [NFTA_SET_ID] = { .type = NLA_U32 }, 3586 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 3587 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 3588 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 3589 .len = NFT_USERDATA_MAXLEN }, 3590 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 3591 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 3592 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 3593 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED }, 3594 }; 3595 3596 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 3597 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 3598 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED }, 3599 }; 3600 3601 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net, 3602 const struct sk_buff *skb, 3603 const struct nlmsghdr *nlh, 3604 const struct nlattr * const nla[], 3605 struct netlink_ext_ack *extack, 3606 u8 genmask, u32 nlpid) 3607 { 3608 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3609 int family = nfmsg->nfgen_family; 3610 struct nft_table *table = NULL; 3611 3612 if (nla[NFTA_SET_TABLE] != NULL) { 3613 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 3614 genmask, nlpid); 3615 if (IS_ERR(table)) { 3616 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 3617 return PTR_ERR(table); 3618 } 3619 } 3620 3621 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla); 3622 return 0; 3623 } 3624 3625 static struct nft_set *nft_set_lookup(const struct nft_table *table, 3626 const struct nlattr *nla, u8 genmask) 3627 { 3628 struct nft_set *set; 3629 3630 if (nla == NULL) 3631 return ERR_PTR(-EINVAL); 3632 3633 list_for_each_entry_rcu(set, &table->sets, list) { 3634 if (!nla_strcmp(nla, set->name) && 3635 nft_active_genmask(set, genmask)) 3636 return set; 3637 } 3638 return ERR_PTR(-ENOENT); 3639 } 3640 3641 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 3642 const struct nlattr *nla, 3643 u8 genmask) 3644 { 3645 struct nft_set *set; 3646 3647 list_for_each_entry(set, &table->sets, list) { 3648 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 3649 nft_active_genmask(set, genmask)) 3650 return set; 3651 } 3652 return ERR_PTR(-ENOENT); 3653 } 3654 3655 static struct nft_set *nft_set_lookup_byid(const struct net *net, 3656 const struct nlattr *nla, u8 genmask) 3657 { 3658 struct nft_trans *trans; 3659 u32 id = ntohl(nla_get_be32(nla)); 3660 3661 list_for_each_entry(trans, &net->nft.commit_list, list) { 3662 if (trans->msg_type == NFT_MSG_NEWSET) { 3663 struct nft_set *set = nft_trans_set(trans); 3664 3665 if (id == nft_trans_set_id(trans) && 3666 nft_active_genmask(set, genmask)) 3667 return set; 3668 } 3669 } 3670 return ERR_PTR(-ENOENT); 3671 } 3672 3673 struct nft_set *nft_set_lookup_global(const struct net *net, 3674 const struct nft_table *table, 3675 const struct nlattr *nla_set_name, 3676 const struct nlattr *nla_set_id, 3677 u8 genmask) 3678 { 3679 struct nft_set *set; 3680 3681 set = nft_set_lookup(table, nla_set_name, genmask); 3682 if (IS_ERR(set)) { 3683 if (!nla_set_id) 3684 return set; 3685 3686 set = nft_set_lookup_byid(net, nla_set_id, genmask); 3687 } 3688 return set; 3689 } 3690 EXPORT_SYMBOL_GPL(nft_set_lookup_global); 3691 3692 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 3693 const char *name) 3694 { 3695 const struct nft_set *i; 3696 const char *p; 3697 unsigned long *inuse; 3698 unsigned int n = 0, min = 0; 3699 3700 p = strchr(name, '%'); 3701 if (p != NULL) { 3702 if (p[1] != 'd' || strchr(p + 2, '%')) 3703 return -EINVAL; 3704 3705 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 3706 if (inuse == NULL) 3707 return -ENOMEM; 3708 cont: 3709 list_for_each_entry(i, &ctx->table->sets, list) { 3710 int tmp; 3711 3712 if (!nft_is_active_next(ctx->net, set)) 3713 continue; 3714 if (!sscanf(i->name, name, &tmp)) 3715 continue; 3716 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 3717 continue; 3718 3719 set_bit(tmp - min, inuse); 3720 } 3721 3722 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 3723 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 3724 min += BITS_PER_BYTE * PAGE_SIZE; 3725 memset(inuse, 0, PAGE_SIZE); 3726 goto cont; 3727 } 3728 free_page((unsigned long)inuse); 3729 } 3730 3731 set->name = kasprintf(GFP_KERNEL, name, min + n); 3732 if (!set->name) 3733 return -ENOMEM; 3734 3735 list_for_each_entry(i, &ctx->table->sets, list) { 3736 if (!nft_is_active_next(ctx->net, i)) 3737 continue; 3738 if (!strcmp(set->name, i->name)) { 3739 kfree(set->name); 3740 set->name = NULL; 3741 return -ENFILE; 3742 } 3743 } 3744 return 0; 3745 } 3746 3747 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 3748 { 3749 u64 ms = be64_to_cpu(nla_get_be64(nla)); 3750 u64 max = (u64)(~((u64)0)); 3751 3752 max = div_u64(max, NSEC_PER_MSEC); 3753 if (ms >= max) 3754 return -ERANGE; 3755 3756 ms *= NSEC_PER_MSEC; 3757 *result = nsecs_to_jiffies64(ms); 3758 return 0; 3759 } 3760 3761 __be64 nf_jiffies64_to_msecs(u64 input) 3762 { 3763 return cpu_to_be64(jiffies64_to_msecs(input)); 3764 } 3765 3766 static int nf_tables_fill_set_concat(struct sk_buff *skb, 3767 const struct nft_set *set) 3768 { 3769 struct nlattr *concat, *field; 3770 int i; 3771 3772 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 3773 if (!concat) 3774 return -ENOMEM; 3775 3776 for (i = 0; i < set->field_count; i++) { 3777 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 3778 if (!field) 3779 return -ENOMEM; 3780 3781 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 3782 htonl(set->field_len[i]))) 3783 return -ENOMEM; 3784 3785 nla_nest_end(skb, field); 3786 } 3787 3788 nla_nest_end(skb, concat); 3789 3790 return 0; 3791 } 3792 3793 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 3794 const struct nft_set *set, u16 event, u16 flags) 3795 { 3796 struct nfgenmsg *nfmsg; 3797 struct nlmsghdr *nlh; 3798 u32 portid = ctx->portid; 3799 struct nlattr *nest; 3800 u32 seq = ctx->seq; 3801 int i; 3802 3803 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3804 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 3805 flags); 3806 if (nlh == NULL) 3807 goto nla_put_failure; 3808 3809 nfmsg = nlmsg_data(nlh); 3810 nfmsg->nfgen_family = ctx->family; 3811 nfmsg->version = NFNETLINK_V0; 3812 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 3813 3814 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 3815 goto nla_put_failure; 3816 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 3817 goto nla_put_failure; 3818 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 3819 NFTA_SET_PAD)) 3820 goto nla_put_failure; 3821 if (set->flags != 0) 3822 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 3823 goto nla_put_failure; 3824 3825 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 3826 goto nla_put_failure; 3827 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 3828 goto nla_put_failure; 3829 if (set->flags & NFT_SET_MAP) { 3830 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 3831 goto nla_put_failure; 3832 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 3833 goto nla_put_failure; 3834 } 3835 if (set->flags & NFT_SET_OBJECT && 3836 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 3837 goto nla_put_failure; 3838 3839 if (set->timeout && 3840 nla_put_be64(skb, NFTA_SET_TIMEOUT, 3841 nf_jiffies64_to_msecs(set->timeout), 3842 NFTA_SET_PAD)) 3843 goto nla_put_failure; 3844 if (set->gc_int && 3845 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int))) 3846 goto nla_put_failure; 3847 3848 if (set->policy != NFT_SET_POL_PERFORMANCE) { 3849 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 3850 goto nla_put_failure; 3851 } 3852 3853 if (set->udata && 3854 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 3855 goto nla_put_failure; 3856 3857 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 3858 if (!nest) 3859 goto nla_put_failure; 3860 if (set->size && 3861 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 3862 goto nla_put_failure; 3863 3864 if (set->field_count > 1 && 3865 nf_tables_fill_set_concat(skb, set)) 3866 goto nla_put_failure; 3867 3868 nla_nest_end(skb, nest); 3869 3870 if (set->num_exprs == 1) { 3871 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 3872 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0) 3873 goto nla_put_failure; 3874 3875 nla_nest_end(skb, nest); 3876 } else if (set->num_exprs > 1) { 3877 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS); 3878 if (nest == NULL) 3879 goto nla_put_failure; 3880 3881 for (i = 0; i < set->num_exprs; i++) { 3882 if (nft_expr_dump(skb, NFTA_LIST_ELEM, 3883 set->exprs[i]) < 0) 3884 goto nla_put_failure; 3885 } 3886 nla_nest_end(skb, nest); 3887 } 3888 3889 nlmsg_end(skb, nlh); 3890 return 0; 3891 3892 nla_put_failure: 3893 nlmsg_trim(skb, nlh); 3894 return -1; 3895 } 3896 3897 static void nf_tables_set_notify(const struct nft_ctx *ctx, 3898 const struct nft_set *set, int event, 3899 gfp_t gfp_flags) 3900 { 3901 struct sk_buff *skb; 3902 u32 portid = ctx->portid; 3903 int err; 3904 char *buf = kasprintf(gfp_flags, "%s:%llu;%s:%llu", 3905 ctx->table->name, ctx->table->handle, 3906 set->name, set->handle); 3907 3908 audit_log_nfcfg(buf, 3909 ctx->family, 3910 set->field_count, 3911 event == NFT_MSG_NEWSET ? 3912 AUDIT_NFT_OP_SET_REGISTER : 3913 AUDIT_NFT_OP_SET_UNREGISTER, 3914 gfp_flags); 3915 kfree(buf); 3916 3917 if (!ctx->report && 3918 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3919 return; 3920 3921 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 3922 if (skb == NULL) 3923 goto err; 3924 3925 err = nf_tables_fill_set(skb, ctx, set, event, 0); 3926 if (err < 0) { 3927 kfree_skb(skb); 3928 goto err; 3929 } 3930 3931 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 3932 return; 3933 err: 3934 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 3935 } 3936 3937 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 3938 { 3939 const struct nft_set *set; 3940 unsigned int idx, s_idx = cb->args[0]; 3941 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 3942 struct net *net = sock_net(skb->sk); 3943 struct nft_ctx *ctx = cb->data, ctx_set; 3944 3945 if (cb->args[1]) 3946 return skb->len; 3947 3948 rcu_read_lock(); 3949 cb->seq = net->nft.base_seq; 3950 3951 list_for_each_entry_rcu(table, &net->nft.tables, list) { 3952 if (ctx->family != NFPROTO_UNSPEC && 3953 ctx->family != table->family) 3954 continue; 3955 3956 if (ctx->table && ctx->table != table) 3957 continue; 3958 3959 if (cur_table) { 3960 if (cur_table != table) 3961 continue; 3962 3963 cur_table = NULL; 3964 } 3965 idx = 0; 3966 list_for_each_entry_rcu(set, &table->sets, list) { 3967 if (idx < s_idx) 3968 goto cont; 3969 if (!nft_is_active(net, set)) 3970 goto cont; 3971 3972 ctx_set = *ctx; 3973 ctx_set.table = table; 3974 ctx_set.family = table->family; 3975 3976 if (nf_tables_fill_set(skb, &ctx_set, set, 3977 NFT_MSG_NEWSET, 3978 NLM_F_MULTI) < 0) { 3979 cb->args[0] = idx; 3980 cb->args[2] = (unsigned long) table; 3981 goto done; 3982 } 3983 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3984 cont: 3985 idx++; 3986 } 3987 if (s_idx) 3988 s_idx = 0; 3989 } 3990 cb->args[1] = 1; 3991 done: 3992 rcu_read_unlock(); 3993 return skb->len; 3994 } 3995 3996 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 3997 { 3998 struct nft_ctx *ctx_dump = NULL; 3999 4000 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 4001 if (ctx_dump == NULL) 4002 return -ENOMEM; 4003 4004 cb->data = ctx_dump; 4005 return 0; 4006 } 4007 4008 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 4009 { 4010 kfree(cb->data); 4011 return 0; 4012 } 4013 4014 /* called with rcu_read_lock held */ 4015 static int nf_tables_getset(struct net *net, struct sock *nlsk, 4016 struct sk_buff *skb, const struct nlmsghdr *nlh, 4017 const struct nlattr * const nla[], 4018 struct netlink_ext_ack *extack) 4019 { 4020 u8 genmask = nft_genmask_cur(net); 4021 const struct nft_set *set; 4022 struct nft_ctx ctx; 4023 struct sk_buff *skb2; 4024 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 4025 int err; 4026 4027 /* Verify existence before starting dump */ 4028 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack, 4029 genmask, 0); 4030 if (err < 0) 4031 return err; 4032 4033 if (nlh->nlmsg_flags & NLM_F_DUMP) { 4034 struct netlink_dump_control c = { 4035 .start = nf_tables_dump_sets_start, 4036 .dump = nf_tables_dump_sets, 4037 .done = nf_tables_dump_sets_done, 4038 .data = &ctx, 4039 .module = THIS_MODULE, 4040 }; 4041 4042 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 4043 } 4044 4045 /* Only accept unspec with dump */ 4046 if (nfmsg->nfgen_family == NFPROTO_UNSPEC) 4047 return -EAFNOSUPPORT; 4048 if (!nla[NFTA_SET_TABLE]) 4049 return -EINVAL; 4050 4051 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask); 4052 if (IS_ERR(set)) 4053 return PTR_ERR(set); 4054 4055 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 4056 if (skb2 == NULL) 4057 return -ENOMEM; 4058 4059 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 4060 if (err < 0) 4061 goto err_fill_set_info; 4062 4063 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 4064 4065 err_fill_set_info: 4066 kfree_skb(skb2); 4067 return err; 4068 } 4069 4070 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 4071 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 4072 }; 4073 4074 static int nft_set_desc_concat_parse(const struct nlattr *attr, 4075 struct nft_set_desc *desc) 4076 { 4077 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 4078 u32 len; 4079 int err; 4080 4081 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 4082 nft_concat_policy, NULL); 4083 if (err < 0) 4084 return err; 4085 4086 if (!tb[NFTA_SET_FIELD_LEN]) 4087 return -EINVAL; 4088 4089 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 4090 4091 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT) 4092 return -E2BIG; 4093 4094 desc->field_len[desc->field_count++] = len; 4095 4096 return 0; 4097 } 4098 4099 static int nft_set_desc_concat(struct nft_set_desc *desc, 4100 const struct nlattr *nla) 4101 { 4102 struct nlattr *attr; 4103 int rem, err; 4104 4105 nla_for_each_nested(attr, nla, rem) { 4106 if (nla_type(attr) != NFTA_LIST_ELEM) 4107 return -EINVAL; 4108 4109 err = nft_set_desc_concat_parse(attr, desc); 4110 if (err < 0) 4111 return err; 4112 } 4113 4114 return 0; 4115 } 4116 4117 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 4118 const struct nlattr *nla) 4119 { 4120 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 4121 int err; 4122 4123 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 4124 nft_set_desc_policy, NULL); 4125 if (err < 0) 4126 return err; 4127 4128 if (da[NFTA_SET_DESC_SIZE] != NULL) 4129 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 4130 if (da[NFTA_SET_DESC_CONCAT]) 4131 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 4132 4133 return err; 4134 } 4135 4136 static int nf_tables_newset(struct net *net, struct sock *nlsk, 4137 struct sk_buff *skb, const struct nlmsghdr *nlh, 4138 const struct nlattr * const nla[], 4139 struct netlink_ext_ack *extack) 4140 { 4141 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 4142 u8 genmask = nft_genmask_next(net); 4143 int family = nfmsg->nfgen_family; 4144 const struct nft_set_ops *ops; 4145 struct nft_expr *expr = NULL; 4146 struct nft_table *table; 4147 struct nft_set *set; 4148 struct nft_ctx ctx; 4149 char *name; 4150 u64 size; 4151 u64 timeout; 4152 u32 ktype, dtype, flags, policy, gc_int, objtype; 4153 struct nft_set_desc desc; 4154 unsigned char *udata; 4155 u16 udlen; 4156 int err; 4157 int i; 4158 4159 if (nla[NFTA_SET_TABLE] == NULL || 4160 nla[NFTA_SET_NAME] == NULL || 4161 nla[NFTA_SET_KEY_LEN] == NULL || 4162 nla[NFTA_SET_ID] == NULL) 4163 return -EINVAL; 4164 4165 memset(&desc, 0, sizeof(desc)); 4166 4167 ktype = NFT_DATA_VALUE; 4168 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 4169 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 4170 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 4171 return -EINVAL; 4172 } 4173 4174 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 4175 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 4176 return -EINVAL; 4177 4178 flags = 0; 4179 if (nla[NFTA_SET_FLAGS] != NULL) { 4180 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 4181 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 4182 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 4183 NFT_SET_MAP | NFT_SET_EVAL | 4184 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR)) 4185 return -EOPNOTSUPP; 4186 /* Only one of these operations is supported */ 4187 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 4188 (NFT_SET_MAP | NFT_SET_OBJECT)) 4189 return -EOPNOTSUPP; 4190 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 4191 (NFT_SET_EVAL | NFT_SET_OBJECT)) 4192 return -EOPNOTSUPP; 4193 } 4194 4195 dtype = 0; 4196 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 4197 if (!(flags & NFT_SET_MAP)) 4198 return -EINVAL; 4199 4200 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 4201 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 4202 dtype != NFT_DATA_VERDICT) 4203 return -EINVAL; 4204 4205 if (dtype != NFT_DATA_VERDICT) { 4206 if (nla[NFTA_SET_DATA_LEN] == NULL) 4207 return -EINVAL; 4208 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 4209 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 4210 return -EINVAL; 4211 } else 4212 desc.dlen = sizeof(struct nft_verdict); 4213 } else if (flags & NFT_SET_MAP) 4214 return -EINVAL; 4215 4216 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 4217 if (!(flags & NFT_SET_OBJECT)) 4218 return -EINVAL; 4219 4220 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 4221 if (objtype == NFT_OBJECT_UNSPEC || 4222 objtype > NFT_OBJECT_MAX) 4223 return -EOPNOTSUPP; 4224 } else if (flags & NFT_SET_OBJECT) 4225 return -EINVAL; 4226 else 4227 objtype = NFT_OBJECT_UNSPEC; 4228 4229 timeout = 0; 4230 if (nla[NFTA_SET_TIMEOUT] != NULL) { 4231 if (!(flags & NFT_SET_TIMEOUT)) 4232 return -EINVAL; 4233 4234 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout); 4235 if (err) 4236 return err; 4237 } 4238 gc_int = 0; 4239 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 4240 if (!(flags & NFT_SET_TIMEOUT)) 4241 return -EINVAL; 4242 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 4243 } 4244 4245 policy = NFT_SET_POL_PERFORMANCE; 4246 if (nla[NFTA_SET_POLICY] != NULL) 4247 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 4248 4249 if (nla[NFTA_SET_DESC] != NULL) { 4250 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 4251 if (err < 0) 4252 return err; 4253 } 4254 4255 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS]) 4256 desc.expr = true; 4257 4258 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask, 4259 NETLINK_CB(skb).portid); 4260 if (IS_ERR(table)) { 4261 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4262 return PTR_ERR(table); 4263 } 4264 4265 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 4266 4267 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4268 if (IS_ERR(set)) { 4269 if (PTR_ERR(set) != -ENOENT) { 4270 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4271 return PTR_ERR(set); 4272 } 4273 } else { 4274 if (nlh->nlmsg_flags & NLM_F_EXCL) { 4275 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4276 return -EEXIST; 4277 } 4278 if (nlh->nlmsg_flags & NLM_F_REPLACE) 4279 return -EOPNOTSUPP; 4280 4281 return 0; 4282 } 4283 4284 if (!(nlh->nlmsg_flags & NLM_F_CREATE)) 4285 return -ENOENT; 4286 4287 ops = nft_select_set_ops(&ctx, nla, &desc, policy); 4288 if (IS_ERR(ops)) 4289 return PTR_ERR(ops); 4290 4291 udlen = 0; 4292 if (nla[NFTA_SET_USERDATA]) 4293 udlen = nla_len(nla[NFTA_SET_USERDATA]); 4294 4295 size = 0; 4296 if (ops->privsize != NULL) 4297 size = ops->privsize(nla, &desc); 4298 4299 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL); 4300 if (!set) 4301 return -ENOMEM; 4302 4303 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL); 4304 if (!name) { 4305 err = -ENOMEM; 4306 goto err_set_name; 4307 } 4308 4309 err = nf_tables_set_alloc_name(&ctx, set, name); 4310 kfree(name); 4311 if (err < 0) 4312 goto err_set_alloc_name; 4313 4314 if (nla[NFTA_SET_EXPR]) { 4315 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]); 4316 if (IS_ERR(expr)) { 4317 err = PTR_ERR(expr); 4318 goto err_set_alloc_name; 4319 } 4320 set->exprs[0] = expr; 4321 set->num_exprs++; 4322 } else if (nla[NFTA_SET_EXPRESSIONS]) { 4323 struct nft_expr *expr; 4324 struct nlattr *tmp; 4325 int left; 4326 4327 if (!(flags & NFT_SET_EXPR)) { 4328 err = -EINVAL; 4329 goto err_set_alloc_name; 4330 } 4331 i = 0; 4332 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) { 4333 if (i == NFT_SET_EXPR_MAX) { 4334 err = -E2BIG; 4335 goto err_set_init; 4336 } 4337 if (nla_type(tmp) != NFTA_LIST_ELEM) { 4338 err = -EINVAL; 4339 goto err_set_init; 4340 } 4341 expr = nft_set_elem_expr_alloc(&ctx, set, tmp); 4342 if (IS_ERR(expr)) { 4343 err = PTR_ERR(expr); 4344 goto err_set_init; 4345 } 4346 set->exprs[i++] = expr; 4347 set->num_exprs++; 4348 } 4349 } 4350 4351 udata = NULL; 4352 if (udlen) { 4353 udata = set->data + size; 4354 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 4355 } 4356 4357 INIT_LIST_HEAD(&set->bindings); 4358 set->table = table; 4359 write_pnet(&set->net, net); 4360 set->ops = ops; 4361 set->ktype = ktype; 4362 set->klen = desc.klen; 4363 set->dtype = dtype; 4364 set->objtype = objtype; 4365 set->dlen = desc.dlen; 4366 set->flags = flags; 4367 set->size = desc.size; 4368 set->policy = policy; 4369 set->udlen = udlen; 4370 set->udata = udata; 4371 set->timeout = timeout; 4372 set->gc_int = gc_int; 4373 set->handle = nf_tables_alloc_handle(table); 4374 4375 set->field_count = desc.field_count; 4376 for (i = 0; i < desc.field_count; i++) 4377 set->field_len[i] = desc.field_len[i]; 4378 4379 err = ops->init(set, &desc, nla); 4380 if (err < 0) 4381 goto err_set_init; 4382 4383 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 4384 if (err < 0) 4385 goto err_set_trans; 4386 4387 list_add_tail_rcu(&set->list, &table->sets); 4388 table->use++; 4389 return 0; 4390 4391 err_set_trans: 4392 ops->destroy(set); 4393 err_set_init: 4394 for (i = 0; i < set->num_exprs; i++) 4395 nft_expr_destroy(&ctx, set->exprs[i]); 4396 err_set_alloc_name: 4397 kfree(set->name); 4398 err_set_name: 4399 kvfree(set); 4400 return err; 4401 } 4402 4403 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 4404 { 4405 int i; 4406 4407 if (WARN_ON(set->use > 0)) 4408 return; 4409 4410 for (i = 0; i < set->num_exprs; i++) 4411 nft_expr_destroy(ctx, set->exprs[i]); 4412 4413 set->ops->destroy(set); 4414 kfree(set->name); 4415 kvfree(set); 4416 } 4417 4418 static int nf_tables_delset(struct net *net, struct sock *nlsk, 4419 struct sk_buff *skb, const struct nlmsghdr *nlh, 4420 const struct nlattr * const nla[], 4421 struct netlink_ext_ack *extack) 4422 { 4423 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 4424 u8 genmask = nft_genmask_next(net); 4425 const struct nlattr *attr; 4426 struct nft_set *set; 4427 struct nft_ctx ctx; 4428 int err; 4429 4430 if (nfmsg->nfgen_family == NFPROTO_UNSPEC) 4431 return -EAFNOSUPPORT; 4432 if (nla[NFTA_SET_TABLE] == NULL) 4433 return -EINVAL; 4434 4435 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack, 4436 genmask, NETLINK_CB(skb).portid); 4437 if (err < 0) 4438 return err; 4439 4440 if (nla[NFTA_SET_HANDLE]) { 4441 attr = nla[NFTA_SET_HANDLE]; 4442 set = nft_set_lookup_byhandle(ctx.table, attr, genmask); 4443 } else { 4444 attr = nla[NFTA_SET_NAME]; 4445 set = nft_set_lookup(ctx.table, attr, genmask); 4446 } 4447 4448 if (IS_ERR(set)) { 4449 NL_SET_BAD_ATTR(extack, attr); 4450 return PTR_ERR(set); 4451 } 4452 if (set->use || 4453 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) { 4454 NL_SET_BAD_ATTR(extack, attr); 4455 return -EBUSY; 4456 } 4457 4458 return nft_delset(&ctx, set); 4459 } 4460 4461 static int nft_validate_register_store(const struct nft_ctx *ctx, 4462 enum nft_registers reg, 4463 const struct nft_data *data, 4464 enum nft_data_types type, 4465 unsigned int len); 4466 4467 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 4468 struct nft_set *set, 4469 const struct nft_set_iter *iter, 4470 struct nft_set_elem *elem) 4471 { 4472 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4473 enum nft_registers dreg; 4474 4475 dreg = nft_type_to_reg(set->dtype); 4476 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 4477 set->dtype == NFT_DATA_VERDICT ? 4478 NFT_DATA_VERDICT : NFT_DATA_VALUE, 4479 set->dlen); 4480 } 4481 4482 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 4483 struct nft_set_binding *binding) 4484 { 4485 struct nft_set_binding *i; 4486 struct nft_set_iter iter; 4487 4488 if (set->use == UINT_MAX) 4489 return -EOVERFLOW; 4490 4491 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4492 return -EBUSY; 4493 4494 if (binding->flags & NFT_SET_MAP) { 4495 /* If the set is already bound to the same chain all 4496 * jumps are already validated for that chain. 4497 */ 4498 list_for_each_entry(i, &set->bindings, list) { 4499 if (i->flags & NFT_SET_MAP && 4500 i->chain == binding->chain) 4501 goto bind; 4502 } 4503 4504 iter.genmask = nft_genmask_next(ctx->net); 4505 iter.skip = 0; 4506 iter.count = 0; 4507 iter.err = 0; 4508 iter.fn = nf_tables_bind_check_setelem; 4509 4510 set->ops->walk(ctx, set, &iter); 4511 if (iter.err < 0) 4512 return iter.err; 4513 } 4514 bind: 4515 binding->chain = ctx->chain; 4516 list_add_tail_rcu(&binding->list, &set->bindings); 4517 nft_set_trans_bind(ctx, set); 4518 set->use++; 4519 4520 return 0; 4521 } 4522 EXPORT_SYMBOL_GPL(nf_tables_bind_set); 4523 4524 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 4525 struct nft_set_binding *binding, bool event) 4526 { 4527 list_del_rcu(&binding->list); 4528 4529 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 4530 list_del_rcu(&set->list); 4531 if (event) 4532 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 4533 GFP_KERNEL); 4534 } 4535 } 4536 4537 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 4538 struct nft_set_binding *binding, 4539 enum nft_trans_phase phase) 4540 { 4541 switch (phase) { 4542 case NFT_TRANS_PREPARE: 4543 set->use--; 4544 return; 4545 case NFT_TRANS_ABORT: 4546 case NFT_TRANS_RELEASE: 4547 set->use--; 4548 fallthrough; 4549 default: 4550 nf_tables_unbind_set(ctx, set, binding, 4551 phase == NFT_TRANS_COMMIT); 4552 } 4553 } 4554 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 4555 4556 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 4557 { 4558 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4559 nft_set_destroy(ctx, set); 4560 } 4561 EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 4562 4563 const struct nft_set_ext_type nft_set_ext_types[] = { 4564 [NFT_SET_EXT_KEY] = { 4565 .align = __alignof__(u32), 4566 }, 4567 [NFT_SET_EXT_DATA] = { 4568 .align = __alignof__(u32), 4569 }, 4570 [NFT_SET_EXT_EXPRESSIONS] = { 4571 .align = __alignof__(struct nft_set_elem_expr), 4572 }, 4573 [NFT_SET_EXT_OBJREF] = { 4574 .len = sizeof(struct nft_object *), 4575 .align = __alignof__(struct nft_object *), 4576 }, 4577 [NFT_SET_EXT_FLAGS] = { 4578 .len = sizeof(u8), 4579 .align = __alignof__(u8), 4580 }, 4581 [NFT_SET_EXT_TIMEOUT] = { 4582 .len = sizeof(u64), 4583 .align = __alignof__(u64), 4584 }, 4585 [NFT_SET_EXT_EXPIRATION] = { 4586 .len = sizeof(u64), 4587 .align = __alignof__(u64), 4588 }, 4589 [NFT_SET_EXT_USERDATA] = { 4590 .len = sizeof(struct nft_userdata), 4591 .align = __alignof__(struct nft_userdata), 4592 }, 4593 [NFT_SET_EXT_KEY_END] = { 4594 .align = __alignof__(u32), 4595 }, 4596 }; 4597 4598 /* 4599 * Set elements 4600 */ 4601 4602 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 4603 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 4604 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 4605 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 4606 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 4607 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 4608 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 4609 .len = NFT_USERDATA_MAXLEN }, 4610 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 4611 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 4612 .len = NFT_OBJ_MAXNAMELEN - 1 }, 4613 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 4614 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED }, 4615 }; 4616 4617 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 4618 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 4619 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4620 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 4621 .len = NFT_SET_MAXNAMELEN - 1 }, 4622 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED }, 4623 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 4624 }; 4625 4626 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net, 4627 const struct sk_buff *skb, 4628 const struct nlmsghdr *nlh, 4629 const struct nlattr * const nla[], 4630 struct netlink_ext_ack *extack, 4631 u8 genmask, u32 nlpid) 4632 { 4633 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 4634 int family = nfmsg->nfgen_family; 4635 struct nft_table *table; 4636 4637 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 4638 genmask, nlpid); 4639 if (IS_ERR(table)) { 4640 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 4641 return PTR_ERR(table); 4642 } 4643 4644 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla); 4645 return 0; 4646 } 4647 4648 static int nft_set_elem_expr_dump(struct sk_buff *skb, 4649 const struct nft_set *set, 4650 const struct nft_set_ext *ext) 4651 { 4652 struct nft_set_elem_expr *elem_expr; 4653 u32 size, num_exprs = 0; 4654 struct nft_expr *expr; 4655 struct nlattr *nest; 4656 4657 elem_expr = nft_set_ext_expr(ext); 4658 nft_setelem_expr_foreach(expr, elem_expr, size) 4659 num_exprs++; 4660 4661 if (num_exprs == 1) { 4662 expr = nft_setelem_expr_at(elem_expr, 0); 4663 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0) 4664 return -1; 4665 4666 return 0; 4667 } else if (num_exprs > 1) { 4668 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS); 4669 if (nest == NULL) 4670 goto nla_put_failure; 4671 4672 nft_setelem_expr_foreach(expr, elem_expr, size) { 4673 expr = nft_setelem_expr_at(elem_expr, size); 4674 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 4675 goto nla_put_failure; 4676 } 4677 nla_nest_end(skb, nest); 4678 } 4679 return 0; 4680 4681 nla_put_failure: 4682 return -1; 4683 } 4684 4685 static int nf_tables_fill_setelem(struct sk_buff *skb, 4686 const struct nft_set *set, 4687 const struct nft_set_elem *elem) 4688 { 4689 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4690 unsigned char *b = skb_tail_pointer(skb); 4691 struct nlattr *nest; 4692 4693 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4694 if (nest == NULL) 4695 goto nla_put_failure; 4696 4697 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 4698 NFT_DATA_VALUE, set->klen) < 0) 4699 goto nla_put_failure; 4700 4701 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 4702 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 4703 NFT_DATA_VALUE, set->klen) < 0) 4704 goto nla_put_failure; 4705 4706 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 4707 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 4708 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, 4709 set->dlen) < 0) 4710 goto nla_put_failure; 4711 4712 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) && 4713 nft_set_elem_expr_dump(skb, set, ext)) 4714 goto nla_put_failure; 4715 4716 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 4717 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 4718 (*nft_set_ext_obj(ext))->key.name) < 0) 4719 goto nla_put_failure; 4720 4721 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 4722 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 4723 htonl(*nft_set_ext_flags(ext)))) 4724 goto nla_put_failure; 4725 4726 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 4727 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 4728 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)), 4729 NFTA_SET_ELEM_PAD)) 4730 goto nla_put_failure; 4731 4732 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 4733 u64 expires, now = get_jiffies_64(); 4734 4735 expires = *nft_set_ext_expiration(ext); 4736 if (time_before64(now, expires)) 4737 expires -= now; 4738 else 4739 expires = 0; 4740 4741 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 4742 nf_jiffies64_to_msecs(expires), 4743 NFTA_SET_ELEM_PAD)) 4744 goto nla_put_failure; 4745 } 4746 4747 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 4748 struct nft_userdata *udata; 4749 4750 udata = nft_set_ext_userdata(ext); 4751 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 4752 udata->len + 1, udata->data)) 4753 goto nla_put_failure; 4754 } 4755 4756 nla_nest_end(skb, nest); 4757 return 0; 4758 4759 nla_put_failure: 4760 nlmsg_trim(skb, b); 4761 return -EMSGSIZE; 4762 } 4763 4764 struct nft_set_dump_args { 4765 const struct netlink_callback *cb; 4766 struct nft_set_iter iter; 4767 struct sk_buff *skb; 4768 }; 4769 4770 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 4771 struct nft_set *set, 4772 const struct nft_set_iter *iter, 4773 struct nft_set_elem *elem) 4774 { 4775 struct nft_set_dump_args *args; 4776 4777 args = container_of(iter, struct nft_set_dump_args, iter); 4778 return nf_tables_fill_setelem(args->skb, set, elem); 4779 } 4780 4781 struct nft_set_dump_ctx { 4782 const struct nft_set *set; 4783 struct nft_ctx ctx; 4784 }; 4785 4786 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 4787 { 4788 struct nft_set_dump_ctx *dump_ctx = cb->data; 4789 struct net *net = sock_net(skb->sk); 4790 struct nft_table *table; 4791 struct nft_set *set; 4792 struct nft_set_dump_args args; 4793 bool set_found = false; 4794 struct nfgenmsg *nfmsg; 4795 struct nlmsghdr *nlh; 4796 struct nlattr *nest; 4797 u32 portid, seq; 4798 int event; 4799 4800 rcu_read_lock(); 4801 list_for_each_entry_rcu(table, &net->nft.tables, list) { 4802 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 4803 dump_ctx->ctx.family != table->family) 4804 continue; 4805 4806 if (table != dump_ctx->ctx.table) 4807 continue; 4808 4809 list_for_each_entry_rcu(set, &table->sets, list) { 4810 if (set == dump_ctx->set) { 4811 set_found = true; 4812 break; 4813 } 4814 } 4815 break; 4816 } 4817 4818 if (!set_found) { 4819 rcu_read_unlock(); 4820 return -ENOENT; 4821 } 4822 4823 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 4824 portid = NETLINK_CB(cb->skb).portid; 4825 seq = cb->nlh->nlmsg_seq; 4826 4827 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 4828 NLM_F_MULTI); 4829 if (nlh == NULL) 4830 goto nla_put_failure; 4831 4832 nfmsg = nlmsg_data(nlh); 4833 nfmsg->nfgen_family = table->family; 4834 nfmsg->version = NFNETLINK_V0; 4835 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 4836 4837 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 4838 goto nla_put_failure; 4839 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 4840 goto nla_put_failure; 4841 4842 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 4843 if (nest == NULL) 4844 goto nla_put_failure; 4845 4846 args.cb = cb; 4847 args.skb = skb; 4848 args.iter.genmask = nft_genmask_cur(net); 4849 args.iter.skip = cb->args[0]; 4850 args.iter.count = 0; 4851 args.iter.err = 0; 4852 args.iter.fn = nf_tables_dump_setelem; 4853 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 4854 rcu_read_unlock(); 4855 4856 nla_nest_end(skb, nest); 4857 nlmsg_end(skb, nlh); 4858 4859 if (args.iter.err && args.iter.err != -EMSGSIZE) 4860 return args.iter.err; 4861 if (args.iter.count == cb->args[0]) 4862 return 0; 4863 4864 cb->args[0] = args.iter.count; 4865 return skb->len; 4866 4867 nla_put_failure: 4868 rcu_read_unlock(); 4869 return -ENOSPC; 4870 } 4871 4872 static int nf_tables_dump_set_start(struct netlink_callback *cb) 4873 { 4874 struct nft_set_dump_ctx *dump_ctx = cb->data; 4875 4876 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 4877 4878 return cb->data ? 0 : -ENOMEM; 4879 } 4880 4881 static int nf_tables_dump_set_done(struct netlink_callback *cb) 4882 { 4883 kfree(cb->data); 4884 return 0; 4885 } 4886 4887 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 4888 const struct nft_ctx *ctx, u32 seq, 4889 u32 portid, int event, u16 flags, 4890 const struct nft_set *set, 4891 const struct nft_set_elem *elem) 4892 { 4893 struct nfgenmsg *nfmsg; 4894 struct nlmsghdr *nlh; 4895 struct nlattr *nest; 4896 int err; 4897 4898 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 4899 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 4900 flags); 4901 if (nlh == NULL) 4902 goto nla_put_failure; 4903 4904 nfmsg = nlmsg_data(nlh); 4905 nfmsg->nfgen_family = ctx->family; 4906 nfmsg->version = NFNETLINK_V0; 4907 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 4908 4909 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 4910 goto nla_put_failure; 4911 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 4912 goto nla_put_failure; 4913 4914 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 4915 if (nest == NULL) 4916 goto nla_put_failure; 4917 4918 err = nf_tables_fill_setelem(skb, set, elem); 4919 if (err < 0) 4920 goto nla_put_failure; 4921 4922 nla_nest_end(skb, nest); 4923 4924 nlmsg_end(skb, nlh); 4925 return 0; 4926 4927 nla_put_failure: 4928 nlmsg_trim(skb, nlh); 4929 return -1; 4930 } 4931 4932 static int nft_setelem_parse_flags(const struct nft_set *set, 4933 const struct nlattr *attr, u32 *flags) 4934 { 4935 if (attr == NULL) 4936 return 0; 4937 4938 *flags = ntohl(nla_get_be32(attr)); 4939 if (*flags & ~NFT_SET_ELEM_INTERVAL_END) 4940 return -EINVAL; 4941 if (!(set->flags & NFT_SET_INTERVAL) && 4942 *flags & NFT_SET_ELEM_INTERVAL_END) 4943 return -EINVAL; 4944 4945 return 0; 4946 } 4947 4948 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set, 4949 struct nft_data *key, struct nlattr *attr) 4950 { 4951 struct nft_data_desc desc; 4952 int err; 4953 4954 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr); 4955 if (err < 0) 4956 return err; 4957 4958 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) { 4959 nft_data_release(key, desc.type); 4960 return -EINVAL; 4961 } 4962 4963 return 0; 4964 } 4965 4966 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 4967 struct nft_data_desc *desc, 4968 struct nft_data *data, 4969 struct nlattr *attr) 4970 { 4971 int err; 4972 4973 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr); 4974 if (err < 0) 4975 return err; 4976 4977 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) { 4978 nft_data_release(data, desc->type); 4979 return -EINVAL; 4980 } 4981 4982 return 0; 4983 } 4984 4985 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, 4986 const struct nlattr *attr) 4987 { 4988 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 4989 struct nft_set_elem elem; 4990 struct sk_buff *skb; 4991 uint32_t flags = 0; 4992 void *priv; 4993 int err; 4994 4995 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 4996 nft_set_elem_policy, NULL); 4997 if (err < 0) 4998 return err; 4999 5000 if (!nla[NFTA_SET_ELEM_KEY]) 5001 return -EINVAL; 5002 5003 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5004 if (err < 0) 5005 return err; 5006 5007 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5008 nla[NFTA_SET_ELEM_KEY]); 5009 if (err < 0) 5010 return err; 5011 5012 if (nla[NFTA_SET_ELEM_KEY_END]) { 5013 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5014 nla[NFTA_SET_ELEM_KEY_END]); 5015 if (err < 0) 5016 return err; 5017 } 5018 5019 priv = set->ops->get(ctx->net, set, &elem, flags); 5020 if (IS_ERR(priv)) 5021 return PTR_ERR(priv); 5022 5023 elem.priv = priv; 5024 5025 err = -ENOMEM; 5026 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 5027 if (skb == NULL) 5028 return err; 5029 5030 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 5031 NFT_MSG_NEWSETELEM, 0, set, &elem); 5032 if (err < 0) 5033 goto err_fill_setelem; 5034 5035 return nfnetlink_unicast(skb, ctx->net, ctx->portid); 5036 5037 err_fill_setelem: 5038 kfree_skb(skb); 5039 return err; 5040 } 5041 5042 /* called with rcu_read_lock held */ 5043 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk, 5044 struct sk_buff *skb, const struct nlmsghdr *nlh, 5045 const struct nlattr * const nla[], 5046 struct netlink_ext_ack *extack) 5047 { 5048 u8 genmask = nft_genmask_cur(net); 5049 struct nft_set *set; 5050 struct nlattr *attr; 5051 struct nft_ctx ctx; 5052 int rem, err = 0; 5053 5054 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 5055 genmask, NETLINK_CB(skb).portid); 5056 if (err < 0) 5057 return err; 5058 5059 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 5060 if (IS_ERR(set)) 5061 return PTR_ERR(set); 5062 5063 if (nlh->nlmsg_flags & NLM_F_DUMP) { 5064 struct netlink_dump_control c = { 5065 .start = nf_tables_dump_set_start, 5066 .dump = nf_tables_dump_set, 5067 .done = nf_tables_dump_set_done, 5068 .module = THIS_MODULE, 5069 }; 5070 struct nft_set_dump_ctx dump_ctx = { 5071 .set = set, 5072 .ctx = ctx, 5073 }; 5074 5075 c.data = &dump_ctx; 5076 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 5077 } 5078 5079 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 5080 return -EINVAL; 5081 5082 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5083 err = nft_get_set_elem(&ctx, set, attr); 5084 if (err < 0) 5085 break; 5086 } 5087 5088 return err; 5089 } 5090 5091 static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 5092 const struct nft_set *set, 5093 const struct nft_set_elem *elem, 5094 int event, u16 flags) 5095 { 5096 struct net *net = ctx->net; 5097 u32 portid = ctx->portid; 5098 struct sk_buff *skb; 5099 int err; 5100 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 5101 ctx->table->name, ctx->table->handle, 5102 set->name, set->handle); 5103 5104 audit_log_nfcfg(buf, 5105 ctx->family, 5106 set->handle, 5107 event == NFT_MSG_NEWSETELEM ? 5108 AUDIT_NFT_OP_SETELEM_REGISTER : 5109 AUDIT_NFT_OP_SETELEM_UNREGISTER, 5110 GFP_KERNEL); 5111 kfree(buf); 5112 5113 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 5114 return; 5115 5116 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 5117 if (skb == NULL) 5118 goto err; 5119 5120 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 5121 set, elem); 5122 if (err < 0) { 5123 kfree_skb(skb); 5124 goto err; 5125 } 5126 5127 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 5128 return; 5129 err: 5130 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 5131 } 5132 5133 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 5134 int msg_type, 5135 struct nft_set *set) 5136 { 5137 struct nft_trans *trans; 5138 5139 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 5140 if (trans == NULL) 5141 return NULL; 5142 5143 nft_trans_elem_set(trans) = set; 5144 return trans; 5145 } 5146 5147 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 5148 const struct nft_set *set, 5149 const struct nlattr *attr) 5150 { 5151 struct nft_expr *expr; 5152 int err; 5153 5154 expr = nft_expr_init(ctx, attr); 5155 if (IS_ERR(expr)) 5156 return expr; 5157 5158 err = -EOPNOTSUPP; 5159 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL)) 5160 goto err_set_elem_expr; 5161 5162 if (expr->ops->type->flags & NFT_EXPR_GC) { 5163 if (set->flags & NFT_SET_TIMEOUT) 5164 goto err_set_elem_expr; 5165 if (!set->ops->gc_init) 5166 goto err_set_elem_expr; 5167 set->ops->gc_init(set); 5168 } 5169 5170 return expr; 5171 5172 err_set_elem_expr: 5173 nft_expr_destroy(ctx, expr); 5174 return ERR_PTR(err); 5175 } 5176 5177 void *nft_set_elem_init(const struct nft_set *set, 5178 const struct nft_set_ext_tmpl *tmpl, 5179 const u32 *key, const u32 *key_end, 5180 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp) 5181 { 5182 struct nft_set_ext *ext; 5183 void *elem; 5184 5185 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 5186 if (elem == NULL) 5187 return NULL; 5188 5189 ext = nft_set_elem_ext(set, elem); 5190 nft_set_ext_init(ext, tmpl); 5191 5192 memcpy(nft_set_ext_key(ext), key, set->klen); 5193 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) 5194 memcpy(nft_set_ext_key_end(ext), key_end, set->klen); 5195 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5196 memcpy(nft_set_ext_data(ext), data, set->dlen); 5197 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 5198 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration; 5199 if (expiration == 0) 5200 *nft_set_ext_expiration(ext) += timeout; 5201 } 5202 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 5203 *nft_set_ext_timeout(ext) = timeout; 5204 5205 return elem; 5206 } 5207 5208 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 5209 struct nft_expr *expr) 5210 { 5211 if (expr->ops->destroy_clone) { 5212 expr->ops->destroy_clone(ctx, expr); 5213 module_put(expr->ops->type->owner); 5214 } else { 5215 nf_tables_expr_destroy(ctx, expr); 5216 } 5217 } 5218 5219 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 5220 struct nft_set_elem_expr *elem_expr) 5221 { 5222 struct nft_expr *expr; 5223 u32 size; 5224 5225 nft_setelem_expr_foreach(expr, elem_expr, size) 5226 __nft_set_elem_expr_destroy(ctx, expr); 5227 } 5228 5229 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 5230 bool destroy_expr) 5231 { 5232 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5233 struct nft_ctx ctx = { 5234 .net = read_pnet(&set->net), 5235 .family = set->table->family, 5236 }; 5237 5238 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 5239 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5240 nft_data_release(nft_set_ext_data(ext), set->dtype); 5241 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 5242 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext)); 5243 5244 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5245 (*nft_set_ext_obj(ext))->use--; 5246 kfree(elem); 5247 } 5248 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 5249 5250 /* Only called from commit path, nft_set_elem_deactivate() already deals with 5251 * the refcounting from the preparation phase. 5252 */ 5253 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 5254 const struct nft_set *set, void *elem) 5255 { 5256 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5257 5258 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 5259 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 5260 5261 kfree(elem); 5262 } 5263 5264 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, 5265 struct nft_expr *expr_array[]) 5266 { 5267 struct nft_expr *expr; 5268 int err, i, k; 5269 5270 for (i = 0; i < set->num_exprs; i++) { 5271 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL); 5272 if (!expr) 5273 goto err_expr; 5274 5275 err = nft_expr_clone(expr, set->exprs[i]); 5276 if (err < 0) { 5277 nft_expr_destroy(ctx, expr); 5278 goto err_expr; 5279 } 5280 expr_array[i] = expr; 5281 } 5282 5283 return 0; 5284 5285 err_expr: 5286 for (k = i - 1; k >= 0; k--) 5287 nft_expr_destroy(ctx, expr_array[k]); 5288 5289 return -ENOMEM; 5290 } 5291 5292 static void nft_set_elem_expr_setup(const struct nft_set_ext *ext, int i, 5293 struct nft_expr *expr_array[]) 5294 { 5295 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); 5296 struct nft_expr *expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 5297 5298 memcpy(expr, expr_array[i], expr_array[i]->ops->size); 5299 elem_expr->size += expr_array[i]->ops->size; 5300 kfree(expr_array[i]); 5301 expr_array[i] = NULL; 5302 } 5303 5304 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 5305 const struct nlattr *attr, u32 nlmsg_flags) 5306 { 5307 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {}; 5308 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5309 u8 genmask = nft_genmask_next(ctx->net); 5310 u32 flags = 0, size = 0, num_exprs = 0; 5311 struct nft_set_ext_tmpl tmpl; 5312 struct nft_set_ext *ext, *ext2; 5313 struct nft_set_elem elem; 5314 struct nft_set_binding *binding; 5315 struct nft_object *obj = NULL; 5316 struct nft_userdata *udata; 5317 struct nft_data_desc desc; 5318 enum nft_registers dreg; 5319 struct nft_trans *trans; 5320 u64 timeout; 5321 u64 expiration; 5322 int err, i; 5323 u8 ulen; 5324 5325 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5326 nft_set_elem_policy, NULL); 5327 if (err < 0) 5328 return err; 5329 5330 if (nla[NFTA_SET_ELEM_KEY] == NULL) 5331 return -EINVAL; 5332 5333 nft_set_ext_prepare(&tmpl); 5334 5335 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5336 if (err < 0) 5337 return err; 5338 if (flags != 0) 5339 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 5340 5341 if (set->flags & NFT_SET_MAP) { 5342 if (nla[NFTA_SET_ELEM_DATA] == NULL && 5343 !(flags & NFT_SET_ELEM_INTERVAL_END)) 5344 return -EINVAL; 5345 } else { 5346 if (nla[NFTA_SET_ELEM_DATA] != NULL) 5347 return -EINVAL; 5348 } 5349 5350 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 5351 (nla[NFTA_SET_ELEM_DATA] || 5352 nla[NFTA_SET_ELEM_OBJREF] || 5353 nla[NFTA_SET_ELEM_TIMEOUT] || 5354 nla[NFTA_SET_ELEM_EXPIRATION] || 5355 nla[NFTA_SET_ELEM_USERDATA] || 5356 nla[NFTA_SET_ELEM_EXPR] || 5357 nla[NFTA_SET_ELEM_EXPRESSIONS])) 5358 return -EINVAL; 5359 5360 timeout = 0; 5361 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 5362 if (!(set->flags & NFT_SET_TIMEOUT)) 5363 return -EINVAL; 5364 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 5365 &timeout); 5366 if (err) 5367 return err; 5368 } else if (set->flags & NFT_SET_TIMEOUT) { 5369 timeout = set->timeout; 5370 } 5371 5372 expiration = 0; 5373 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 5374 if (!(set->flags & NFT_SET_TIMEOUT)) 5375 return -EINVAL; 5376 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 5377 &expiration); 5378 if (err) 5379 return err; 5380 } 5381 5382 if (nla[NFTA_SET_ELEM_EXPR]) { 5383 struct nft_expr *expr; 5384 5385 if (set->num_exprs && set->num_exprs != 1) 5386 return -EOPNOTSUPP; 5387 5388 expr = nft_set_elem_expr_alloc(ctx, set, 5389 nla[NFTA_SET_ELEM_EXPR]); 5390 if (IS_ERR(expr)) 5391 return PTR_ERR(expr); 5392 5393 expr_array[0] = expr; 5394 num_exprs = 1; 5395 5396 if (set->num_exprs && set->exprs[0]->ops != expr->ops) { 5397 err = -EOPNOTSUPP; 5398 goto err_set_elem_expr; 5399 } 5400 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) { 5401 struct nft_expr *expr; 5402 struct nlattr *tmp; 5403 int left; 5404 5405 i = 0; 5406 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) { 5407 if (i == NFT_SET_EXPR_MAX || 5408 (set->num_exprs && set->num_exprs == i)) { 5409 err = -E2BIG; 5410 goto err_set_elem_expr; 5411 } 5412 if (nla_type(tmp) != NFTA_LIST_ELEM) { 5413 err = -EINVAL; 5414 goto err_set_elem_expr; 5415 } 5416 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 5417 if (IS_ERR(expr)) { 5418 err = PTR_ERR(expr); 5419 goto err_set_elem_expr; 5420 } 5421 expr_array[i] = expr; 5422 num_exprs++; 5423 5424 if (set->num_exprs && expr->ops != set->exprs[i]->ops) { 5425 err = -EOPNOTSUPP; 5426 goto err_set_elem_expr; 5427 } 5428 i++; 5429 } 5430 if (set->num_exprs && set->num_exprs != i) { 5431 err = -EOPNOTSUPP; 5432 goto err_set_elem_expr; 5433 } 5434 } else if (set->num_exprs > 0) { 5435 err = nft_set_elem_expr_clone(ctx, set, expr_array); 5436 if (err < 0) 5437 goto err_set_elem_expr_clone; 5438 5439 num_exprs = set->num_exprs; 5440 } 5441 5442 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5443 nla[NFTA_SET_ELEM_KEY]); 5444 if (err < 0) 5445 goto err_set_elem_expr; 5446 5447 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 5448 5449 if (nla[NFTA_SET_ELEM_KEY_END]) { 5450 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5451 nla[NFTA_SET_ELEM_KEY_END]); 5452 if (err < 0) 5453 goto err_parse_key; 5454 5455 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 5456 } 5457 5458 if (timeout > 0) { 5459 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION); 5460 if (timeout != set->timeout) 5461 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 5462 } 5463 5464 if (num_exprs) { 5465 for (i = 0; i < num_exprs; i++) 5466 size += expr_array[i]->ops->size; 5467 5468 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS, 5469 sizeof(struct nft_set_elem_expr) + 5470 size); 5471 } 5472 5473 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 5474 if (!(set->flags & NFT_SET_OBJECT)) { 5475 err = -EINVAL; 5476 goto err_parse_key_end; 5477 } 5478 obj = nft_obj_lookup(ctx->net, ctx->table, 5479 nla[NFTA_SET_ELEM_OBJREF], 5480 set->objtype, genmask); 5481 if (IS_ERR(obj)) { 5482 err = PTR_ERR(obj); 5483 goto err_parse_key_end; 5484 } 5485 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 5486 } 5487 5488 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 5489 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 5490 nla[NFTA_SET_ELEM_DATA]); 5491 if (err < 0) 5492 goto err_parse_key_end; 5493 5494 dreg = nft_type_to_reg(set->dtype); 5495 list_for_each_entry(binding, &set->bindings, list) { 5496 struct nft_ctx bind_ctx = { 5497 .net = ctx->net, 5498 .family = ctx->family, 5499 .table = ctx->table, 5500 .chain = (struct nft_chain *)binding->chain, 5501 }; 5502 5503 if (!(binding->flags & NFT_SET_MAP)) 5504 continue; 5505 5506 err = nft_validate_register_store(&bind_ctx, dreg, 5507 &elem.data.val, 5508 desc.type, desc.len); 5509 if (err < 0) 5510 goto err_parse_data; 5511 5512 if (desc.type == NFT_DATA_VERDICT && 5513 (elem.data.val.verdict.code == NFT_GOTO || 5514 elem.data.val.verdict.code == NFT_JUMP)) 5515 nft_validate_state_update(ctx->net, 5516 NFT_VALIDATE_NEED); 5517 } 5518 5519 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 5520 } 5521 5522 /* The full maximum length of userdata can exceed the maximum 5523 * offset value (U8_MAX) for following extensions, therefor it 5524 * must be the last extension added. 5525 */ 5526 ulen = 0; 5527 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 5528 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 5529 if (ulen > 0) 5530 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 5531 ulen); 5532 } 5533 5534 err = -ENOMEM; 5535 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 5536 elem.key_end.val.data, elem.data.val.data, 5537 timeout, expiration, GFP_KERNEL); 5538 if (elem.priv == NULL) 5539 goto err_parse_data; 5540 5541 ext = nft_set_elem_ext(set, elem.priv); 5542 if (flags) 5543 *nft_set_ext_flags(ext) = flags; 5544 if (ulen > 0) { 5545 udata = nft_set_ext_userdata(ext); 5546 udata->len = ulen - 1; 5547 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 5548 } 5549 if (obj) { 5550 *nft_set_ext_obj(ext) = obj; 5551 obj->use++; 5552 } 5553 for (i = 0; i < num_exprs; i++) 5554 nft_set_elem_expr_setup(ext, i, expr_array); 5555 5556 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 5557 if (trans == NULL) 5558 goto err_trans; 5559 5560 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; 5561 err = set->ops->insert(ctx->net, set, &elem, &ext2); 5562 if (err) { 5563 if (err == -EEXIST) { 5564 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 5565 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 5566 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 5567 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) 5568 goto err_element_clash; 5569 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 5570 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 5571 memcmp(nft_set_ext_data(ext), 5572 nft_set_ext_data(ext2), set->dlen) != 0) || 5573 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 5574 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 5575 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 5576 goto err_element_clash; 5577 else if (!(nlmsg_flags & NLM_F_EXCL)) 5578 err = 0; 5579 } else if (err == -ENOTEMPTY) { 5580 /* ENOTEMPTY reports overlapping between this element 5581 * and an existing one. 5582 */ 5583 err = -EEXIST; 5584 } 5585 goto err_element_clash; 5586 } 5587 5588 if (set->size && 5589 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) { 5590 err = -ENFILE; 5591 goto err_set_full; 5592 } 5593 5594 nft_trans_elem(trans) = elem; 5595 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5596 return 0; 5597 5598 err_set_full: 5599 set->ops->remove(ctx->net, set, &elem); 5600 err_element_clash: 5601 kfree(trans); 5602 err_trans: 5603 if (obj) 5604 obj->use--; 5605 5606 nf_tables_set_elem_destroy(ctx, set, elem.priv); 5607 err_parse_data: 5608 if (nla[NFTA_SET_ELEM_DATA] != NULL) 5609 nft_data_release(&elem.data.val, desc.type); 5610 err_parse_key_end: 5611 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 5612 err_parse_key: 5613 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 5614 err_set_elem_expr: 5615 for (i = 0; i < num_exprs && expr_array[i]; i++) 5616 nft_expr_destroy(ctx, expr_array[i]); 5617 err_set_elem_expr_clone: 5618 return err; 5619 } 5620 5621 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk, 5622 struct sk_buff *skb, const struct nlmsghdr *nlh, 5623 const struct nlattr * const nla[], 5624 struct netlink_ext_ack *extack) 5625 { 5626 u8 genmask = nft_genmask_next(net); 5627 const struct nlattr *attr; 5628 struct nft_set *set; 5629 struct nft_ctx ctx; 5630 int rem, err; 5631 5632 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 5633 return -EINVAL; 5634 5635 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 5636 genmask, NETLINK_CB(skb).portid); 5637 if (err < 0) 5638 return err; 5639 5640 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET], 5641 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 5642 if (IS_ERR(set)) 5643 return PTR_ERR(set); 5644 5645 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 5646 return -EBUSY; 5647 5648 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5649 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags); 5650 if (err < 0) 5651 return err; 5652 } 5653 5654 if (net->nft.validate_state == NFT_VALIDATE_DO) 5655 return nft_table_validate(net, ctx.table); 5656 5657 return 0; 5658 } 5659 5660 /** 5661 * nft_data_hold - hold a nft_data item 5662 * 5663 * @data: struct nft_data to release 5664 * @type: type of data 5665 * 5666 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 5667 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 5668 * NFT_GOTO verdicts. This function must be called on active data objects 5669 * from the second phase of the commit protocol. 5670 */ 5671 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 5672 { 5673 struct nft_chain *chain; 5674 struct nft_rule *rule; 5675 5676 if (type == NFT_DATA_VERDICT) { 5677 switch (data->verdict.code) { 5678 case NFT_JUMP: 5679 case NFT_GOTO: 5680 chain = data->verdict.chain; 5681 chain->use++; 5682 5683 if (!nft_chain_is_bound(chain)) 5684 break; 5685 5686 chain->table->use++; 5687 list_for_each_entry(rule, &chain->rules, list) 5688 chain->use++; 5689 5690 nft_chain_add(chain->table, chain); 5691 break; 5692 } 5693 } 5694 } 5695 5696 static void nft_set_elem_activate(const struct net *net, 5697 const struct nft_set *set, 5698 struct nft_set_elem *elem) 5699 { 5700 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5701 5702 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5703 nft_data_hold(nft_set_ext_data(ext), set->dtype); 5704 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5705 (*nft_set_ext_obj(ext))->use++; 5706 } 5707 5708 static void nft_set_elem_deactivate(const struct net *net, 5709 const struct nft_set *set, 5710 struct nft_set_elem *elem) 5711 { 5712 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5713 5714 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5715 nft_data_release(nft_set_ext_data(ext), set->dtype); 5716 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5717 (*nft_set_ext_obj(ext))->use--; 5718 } 5719 5720 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 5721 const struct nlattr *attr) 5722 { 5723 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5724 struct nft_set_ext_tmpl tmpl; 5725 struct nft_set_elem elem; 5726 struct nft_set_ext *ext; 5727 struct nft_trans *trans; 5728 u32 flags = 0; 5729 void *priv; 5730 int err; 5731 5732 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5733 nft_set_elem_policy, NULL); 5734 if (err < 0) 5735 return err; 5736 5737 if (nla[NFTA_SET_ELEM_KEY] == NULL) 5738 return -EINVAL; 5739 5740 nft_set_ext_prepare(&tmpl); 5741 5742 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5743 if (err < 0) 5744 return err; 5745 if (flags != 0) 5746 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 5747 5748 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5749 nla[NFTA_SET_ELEM_KEY]); 5750 if (err < 0) 5751 return err; 5752 5753 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 5754 5755 if (nla[NFTA_SET_ELEM_KEY_END]) { 5756 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5757 nla[NFTA_SET_ELEM_KEY_END]); 5758 if (err < 0) 5759 return err; 5760 5761 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 5762 } 5763 5764 err = -ENOMEM; 5765 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 5766 elem.key_end.val.data, NULL, 0, 0, 5767 GFP_KERNEL); 5768 if (elem.priv == NULL) 5769 goto fail_elem; 5770 5771 ext = nft_set_elem_ext(set, elem.priv); 5772 if (flags) 5773 *nft_set_ext_flags(ext) = flags; 5774 5775 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 5776 if (trans == NULL) 5777 goto fail_trans; 5778 5779 priv = set->ops->deactivate(ctx->net, set, &elem); 5780 if (priv == NULL) { 5781 err = -ENOENT; 5782 goto fail_ops; 5783 } 5784 kfree(elem.priv); 5785 elem.priv = priv; 5786 5787 nft_set_elem_deactivate(ctx->net, set, &elem); 5788 5789 nft_trans_elem(trans) = elem; 5790 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5791 return 0; 5792 5793 fail_ops: 5794 kfree(trans); 5795 fail_trans: 5796 kfree(elem.priv); 5797 fail_elem: 5798 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 5799 return err; 5800 } 5801 5802 static int nft_flush_set(const struct nft_ctx *ctx, 5803 struct nft_set *set, 5804 const struct nft_set_iter *iter, 5805 struct nft_set_elem *elem) 5806 { 5807 struct nft_trans *trans; 5808 int err; 5809 5810 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 5811 sizeof(struct nft_trans_elem), GFP_ATOMIC); 5812 if (!trans) 5813 return -ENOMEM; 5814 5815 if (!set->ops->flush(ctx->net, set, elem->priv)) { 5816 err = -ENOENT; 5817 goto err1; 5818 } 5819 set->ndeact++; 5820 5821 nft_set_elem_deactivate(ctx->net, set, elem); 5822 nft_trans_elem_set(trans) = set; 5823 nft_trans_elem(trans) = *elem; 5824 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5825 5826 return 0; 5827 err1: 5828 kfree(trans); 5829 return err; 5830 } 5831 5832 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk, 5833 struct sk_buff *skb, const struct nlmsghdr *nlh, 5834 const struct nlattr * const nla[], 5835 struct netlink_ext_ack *extack) 5836 { 5837 u8 genmask = nft_genmask_next(net); 5838 const struct nlattr *attr; 5839 struct nft_set *set; 5840 struct nft_ctx ctx; 5841 int rem, err = 0; 5842 5843 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 5844 genmask, NETLINK_CB(skb).portid); 5845 if (err < 0) 5846 return err; 5847 5848 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 5849 if (IS_ERR(set)) 5850 return PTR_ERR(set); 5851 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 5852 return -EBUSY; 5853 5854 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) { 5855 struct nft_set_iter iter = { 5856 .genmask = genmask, 5857 .fn = nft_flush_set, 5858 }; 5859 set->ops->walk(&ctx, set, &iter); 5860 5861 return iter.err; 5862 } 5863 5864 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5865 err = nft_del_setelem(&ctx, set, attr); 5866 if (err < 0) 5867 break; 5868 5869 set->ndeact++; 5870 } 5871 return err; 5872 } 5873 5874 void nft_set_gc_batch_release(struct rcu_head *rcu) 5875 { 5876 struct nft_set_gc_batch *gcb; 5877 unsigned int i; 5878 5879 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu); 5880 for (i = 0; i < gcb->head.cnt; i++) 5881 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true); 5882 kfree(gcb); 5883 } 5884 5885 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 5886 gfp_t gfp) 5887 { 5888 struct nft_set_gc_batch *gcb; 5889 5890 gcb = kzalloc(sizeof(*gcb), gfp); 5891 if (gcb == NULL) 5892 return gcb; 5893 gcb->head.set = set; 5894 return gcb; 5895 } 5896 5897 /* 5898 * Stateful objects 5899 */ 5900 5901 /** 5902 * nft_register_obj- register nf_tables stateful object type 5903 * @obj_type: object type 5904 * 5905 * Registers the object type for use with nf_tables. Returns zero on 5906 * success or a negative errno code otherwise. 5907 */ 5908 int nft_register_obj(struct nft_object_type *obj_type) 5909 { 5910 if (obj_type->type == NFT_OBJECT_UNSPEC) 5911 return -EINVAL; 5912 5913 nfnl_lock(NFNL_SUBSYS_NFTABLES); 5914 list_add_rcu(&obj_type->list, &nf_tables_objects); 5915 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 5916 return 0; 5917 } 5918 EXPORT_SYMBOL_GPL(nft_register_obj); 5919 5920 /** 5921 * nft_unregister_obj - unregister nf_tables object type 5922 * @obj_type: object type 5923 * 5924 * Unregisters the object type for use with nf_tables. 5925 */ 5926 void nft_unregister_obj(struct nft_object_type *obj_type) 5927 { 5928 nfnl_lock(NFNL_SUBSYS_NFTABLES); 5929 list_del_rcu(&obj_type->list); 5930 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 5931 } 5932 EXPORT_SYMBOL_GPL(nft_unregister_obj); 5933 5934 struct nft_object *nft_obj_lookup(const struct net *net, 5935 const struct nft_table *table, 5936 const struct nlattr *nla, u32 objtype, 5937 u8 genmask) 5938 { 5939 struct nft_object_hash_key k = { .table = table }; 5940 char search[NFT_OBJ_MAXNAMELEN]; 5941 struct rhlist_head *tmp, *list; 5942 struct nft_object *obj; 5943 5944 nla_strscpy(search, nla, sizeof(search)); 5945 k.name = search; 5946 5947 WARN_ON_ONCE(!rcu_read_lock_held() && 5948 !lockdep_commit_lock_is_held(net)); 5949 5950 rcu_read_lock(); 5951 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 5952 if (!list) 5953 goto out; 5954 5955 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 5956 if (objtype == obj->ops->type->type && 5957 nft_active_genmask(obj, genmask)) { 5958 rcu_read_unlock(); 5959 return obj; 5960 } 5961 } 5962 out: 5963 rcu_read_unlock(); 5964 return ERR_PTR(-ENOENT); 5965 } 5966 EXPORT_SYMBOL_GPL(nft_obj_lookup); 5967 5968 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 5969 const struct nlattr *nla, 5970 u32 objtype, u8 genmask) 5971 { 5972 struct nft_object *obj; 5973 5974 list_for_each_entry(obj, &table->objects, list) { 5975 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 5976 objtype == obj->ops->type->type && 5977 nft_active_genmask(obj, genmask)) 5978 return obj; 5979 } 5980 return ERR_PTR(-ENOENT); 5981 } 5982 5983 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 5984 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 5985 .len = NFT_TABLE_MAXNAMELEN - 1 }, 5986 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 5987 .len = NFT_OBJ_MAXNAMELEN - 1 }, 5988 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 5989 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 5990 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 5991 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY, 5992 .len = NFT_USERDATA_MAXLEN }, 5993 }; 5994 5995 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 5996 const struct nft_object_type *type, 5997 const struct nlattr *attr) 5998 { 5999 struct nlattr **tb; 6000 const struct nft_object_ops *ops; 6001 struct nft_object *obj; 6002 int err = -ENOMEM; 6003 6004 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 6005 if (!tb) 6006 goto err1; 6007 6008 if (attr) { 6009 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 6010 type->policy, NULL); 6011 if (err < 0) 6012 goto err2; 6013 } else { 6014 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 6015 } 6016 6017 if (type->select_ops) { 6018 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 6019 if (IS_ERR(ops)) { 6020 err = PTR_ERR(ops); 6021 goto err2; 6022 } 6023 } else { 6024 ops = type->ops; 6025 } 6026 6027 err = -ENOMEM; 6028 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL); 6029 if (!obj) 6030 goto err2; 6031 6032 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 6033 if (err < 0) 6034 goto err3; 6035 6036 obj->ops = ops; 6037 6038 kfree(tb); 6039 return obj; 6040 err3: 6041 kfree(obj); 6042 err2: 6043 kfree(tb); 6044 err1: 6045 return ERR_PTR(err); 6046 } 6047 6048 static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 6049 struct nft_object *obj, bool reset) 6050 { 6051 struct nlattr *nest; 6052 6053 nest = nla_nest_start_noflag(skb, attr); 6054 if (!nest) 6055 goto nla_put_failure; 6056 if (obj->ops->dump(skb, obj, reset) < 0) 6057 goto nla_put_failure; 6058 nla_nest_end(skb, nest); 6059 return 0; 6060 6061 nla_put_failure: 6062 return -1; 6063 } 6064 6065 static const struct nft_object_type *__nft_obj_type_get(u32 objtype) 6066 { 6067 const struct nft_object_type *type; 6068 6069 list_for_each_entry(type, &nf_tables_objects, list) { 6070 if (objtype == type->type) 6071 return type; 6072 } 6073 return NULL; 6074 } 6075 6076 static const struct nft_object_type * 6077 nft_obj_type_get(struct net *net, u32 objtype) 6078 { 6079 const struct nft_object_type *type; 6080 6081 type = __nft_obj_type_get(objtype); 6082 if (type != NULL && try_module_get(type->owner)) 6083 return type; 6084 6085 lockdep_nfnl_nft_mutex_not_held(); 6086 #ifdef CONFIG_MODULES 6087 if (type == NULL) { 6088 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 6089 return ERR_PTR(-EAGAIN); 6090 } 6091 #endif 6092 return ERR_PTR(-ENOENT); 6093 } 6094 6095 static int nf_tables_updobj(const struct nft_ctx *ctx, 6096 const struct nft_object_type *type, 6097 const struct nlattr *attr, 6098 struct nft_object *obj) 6099 { 6100 struct nft_object *newobj; 6101 struct nft_trans *trans; 6102 int err; 6103 6104 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 6105 sizeof(struct nft_trans_obj)); 6106 if (!trans) 6107 return -ENOMEM; 6108 6109 newobj = nft_obj_init(ctx, type, attr); 6110 if (IS_ERR(newobj)) { 6111 err = PTR_ERR(newobj); 6112 goto err_free_trans; 6113 } 6114 6115 nft_trans_obj(trans) = obj; 6116 nft_trans_obj_update(trans) = true; 6117 nft_trans_obj_newobj(trans) = newobj; 6118 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 6119 6120 return 0; 6121 6122 err_free_trans: 6123 kfree(trans); 6124 return err; 6125 } 6126 6127 static int nf_tables_newobj(struct net *net, struct sock *nlsk, 6128 struct sk_buff *skb, const struct nlmsghdr *nlh, 6129 const struct nlattr * const nla[], 6130 struct netlink_ext_ack *extack) 6131 { 6132 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6133 const struct nft_object_type *type; 6134 u8 genmask = nft_genmask_next(net); 6135 int family = nfmsg->nfgen_family; 6136 struct nft_table *table; 6137 struct nft_object *obj; 6138 struct nft_ctx ctx; 6139 u32 objtype; 6140 int err; 6141 6142 if (!nla[NFTA_OBJ_TYPE] || 6143 !nla[NFTA_OBJ_NAME] || 6144 !nla[NFTA_OBJ_DATA]) 6145 return -EINVAL; 6146 6147 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 6148 NETLINK_CB(skb).portid); 6149 if (IS_ERR(table)) { 6150 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6151 return PTR_ERR(table); 6152 } 6153 6154 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6155 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 6156 if (IS_ERR(obj)) { 6157 err = PTR_ERR(obj); 6158 if (err != -ENOENT) { 6159 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6160 return err; 6161 } 6162 } else { 6163 if (nlh->nlmsg_flags & NLM_F_EXCL) { 6164 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6165 return -EEXIST; 6166 } 6167 if (nlh->nlmsg_flags & NLM_F_REPLACE) 6168 return -EOPNOTSUPP; 6169 6170 type = __nft_obj_type_get(objtype); 6171 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6172 6173 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 6174 } 6175 6176 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6177 6178 type = nft_obj_type_get(net, objtype); 6179 if (IS_ERR(type)) 6180 return PTR_ERR(type); 6181 6182 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 6183 if (IS_ERR(obj)) { 6184 err = PTR_ERR(obj); 6185 goto err_init; 6186 } 6187 obj->key.table = table; 6188 obj->handle = nf_tables_alloc_handle(table); 6189 6190 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL); 6191 if (!obj->key.name) { 6192 err = -ENOMEM; 6193 goto err_strdup; 6194 } 6195 6196 if (nla[NFTA_OBJ_USERDATA]) { 6197 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL); 6198 if (obj->udata == NULL) 6199 goto err_userdata; 6200 6201 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]); 6202 } 6203 6204 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 6205 if (err < 0) 6206 goto err_trans; 6207 6208 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 6209 nft_objname_ht_params); 6210 if (err < 0) 6211 goto err_obj_ht; 6212 6213 list_add_tail_rcu(&obj->list, &table->objects); 6214 table->use++; 6215 return 0; 6216 err_obj_ht: 6217 /* queued in transaction log */ 6218 INIT_LIST_HEAD(&obj->list); 6219 return err; 6220 err_trans: 6221 kfree(obj->key.name); 6222 err_userdata: 6223 kfree(obj->udata); 6224 err_strdup: 6225 if (obj->ops->destroy) 6226 obj->ops->destroy(&ctx, obj); 6227 kfree(obj); 6228 err_init: 6229 module_put(type->owner); 6230 return err; 6231 } 6232 6233 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 6234 u32 portid, u32 seq, int event, u32 flags, 6235 int family, const struct nft_table *table, 6236 struct nft_object *obj, bool reset) 6237 { 6238 struct nfgenmsg *nfmsg; 6239 struct nlmsghdr *nlh; 6240 6241 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6242 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 6243 if (nlh == NULL) 6244 goto nla_put_failure; 6245 6246 nfmsg = nlmsg_data(nlh); 6247 nfmsg->nfgen_family = family; 6248 nfmsg->version = NFNETLINK_V0; 6249 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 6250 6251 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 6252 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 6253 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 6254 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 6255 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) || 6256 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 6257 NFTA_OBJ_PAD)) 6258 goto nla_put_failure; 6259 6260 if (obj->udata && 6261 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata)) 6262 goto nla_put_failure; 6263 6264 nlmsg_end(skb, nlh); 6265 return 0; 6266 6267 nla_put_failure: 6268 nlmsg_trim(skb, nlh); 6269 return -1; 6270 } 6271 6272 struct nft_obj_filter { 6273 char *table; 6274 u32 type; 6275 }; 6276 6277 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 6278 { 6279 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 6280 const struct nft_table *table; 6281 unsigned int idx = 0, s_idx = cb->args[0]; 6282 struct nft_obj_filter *filter = cb->data; 6283 struct net *net = sock_net(skb->sk); 6284 int family = nfmsg->nfgen_family; 6285 struct nft_object *obj; 6286 bool reset = false; 6287 6288 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6289 reset = true; 6290 6291 rcu_read_lock(); 6292 cb->seq = net->nft.base_seq; 6293 6294 list_for_each_entry_rcu(table, &net->nft.tables, list) { 6295 if (family != NFPROTO_UNSPEC && family != table->family) 6296 continue; 6297 6298 list_for_each_entry_rcu(obj, &table->objects, list) { 6299 if (!nft_is_active(net, obj)) 6300 goto cont; 6301 if (idx < s_idx) 6302 goto cont; 6303 if (idx > s_idx) 6304 memset(&cb->args[1], 0, 6305 sizeof(cb->args) - sizeof(cb->args[0])); 6306 if (filter && filter->table && 6307 strcmp(filter->table, table->name)) 6308 goto cont; 6309 if (filter && 6310 filter->type != NFT_OBJECT_UNSPEC && 6311 obj->ops->type->type != filter->type) 6312 goto cont; 6313 6314 if (reset) { 6315 char *buf = kasprintf(GFP_ATOMIC, 6316 "%s:%llu;?:0", 6317 table->name, 6318 table->handle); 6319 6320 audit_log_nfcfg(buf, 6321 family, 6322 obj->handle, 6323 AUDIT_NFT_OP_OBJ_RESET, 6324 GFP_ATOMIC); 6325 kfree(buf); 6326 } 6327 6328 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, 6329 cb->nlh->nlmsg_seq, 6330 NFT_MSG_NEWOBJ, 6331 NLM_F_MULTI | NLM_F_APPEND, 6332 table->family, table, 6333 obj, reset) < 0) 6334 goto done; 6335 6336 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 6337 cont: 6338 idx++; 6339 } 6340 } 6341 done: 6342 rcu_read_unlock(); 6343 6344 cb->args[0] = idx; 6345 return skb->len; 6346 } 6347 6348 static int nf_tables_dump_obj_start(struct netlink_callback *cb) 6349 { 6350 const struct nlattr * const *nla = cb->data; 6351 struct nft_obj_filter *filter = NULL; 6352 6353 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) { 6354 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 6355 if (!filter) 6356 return -ENOMEM; 6357 6358 if (nla[NFTA_OBJ_TABLE]) { 6359 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 6360 if (!filter->table) { 6361 kfree(filter); 6362 return -ENOMEM; 6363 } 6364 } 6365 6366 if (nla[NFTA_OBJ_TYPE]) 6367 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6368 } 6369 6370 cb->data = filter; 6371 return 0; 6372 } 6373 6374 static int nf_tables_dump_obj_done(struct netlink_callback *cb) 6375 { 6376 struct nft_obj_filter *filter = cb->data; 6377 6378 if (filter) { 6379 kfree(filter->table); 6380 kfree(filter); 6381 } 6382 6383 return 0; 6384 } 6385 6386 /* called with rcu_read_lock held */ 6387 static int nf_tables_getobj(struct net *net, struct sock *nlsk, 6388 struct sk_buff *skb, const struct nlmsghdr *nlh, 6389 const struct nlattr * const nla[], 6390 struct netlink_ext_ack *extack) 6391 { 6392 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6393 u8 genmask = nft_genmask_cur(net); 6394 int family = nfmsg->nfgen_family; 6395 const struct nft_table *table; 6396 struct nft_object *obj; 6397 struct sk_buff *skb2; 6398 bool reset = false; 6399 u32 objtype; 6400 int err; 6401 6402 if (nlh->nlmsg_flags & NLM_F_DUMP) { 6403 struct netlink_dump_control c = { 6404 .start = nf_tables_dump_obj_start, 6405 .dump = nf_tables_dump_obj, 6406 .done = nf_tables_dump_obj_done, 6407 .module = THIS_MODULE, 6408 .data = (void *)nla, 6409 }; 6410 6411 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 6412 } 6413 6414 if (!nla[NFTA_OBJ_NAME] || 6415 !nla[NFTA_OBJ_TYPE]) 6416 return -EINVAL; 6417 6418 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0); 6419 if (IS_ERR(table)) { 6420 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6421 return PTR_ERR(table); 6422 } 6423 6424 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6425 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 6426 if (IS_ERR(obj)) { 6427 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6428 return PTR_ERR(obj); 6429 } 6430 6431 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 6432 if (!skb2) 6433 return -ENOMEM; 6434 6435 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6436 reset = true; 6437 6438 if (reset) { 6439 char *buf = kasprintf(GFP_ATOMIC, "%s:%llu;?:0", 6440 table->name, table->handle); 6441 6442 audit_log_nfcfg(buf, 6443 family, 6444 obj->handle, 6445 AUDIT_NFT_OP_OBJ_RESET, 6446 GFP_ATOMIC); 6447 kfree(buf); 6448 } 6449 6450 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid, 6451 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 6452 family, table, obj, reset); 6453 if (err < 0) 6454 goto err_fill_obj_info; 6455 6456 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 6457 6458 err_fill_obj_info: 6459 kfree_skb(skb2); 6460 return err; 6461 } 6462 6463 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 6464 { 6465 if (obj->ops->destroy) 6466 obj->ops->destroy(ctx, obj); 6467 6468 module_put(obj->ops->type->owner); 6469 kfree(obj->key.name); 6470 kfree(obj->udata); 6471 kfree(obj); 6472 } 6473 6474 static int nf_tables_delobj(struct net *net, struct sock *nlsk, 6475 struct sk_buff *skb, const struct nlmsghdr *nlh, 6476 const struct nlattr * const nla[], 6477 struct netlink_ext_ack *extack) 6478 { 6479 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6480 u8 genmask = nft_genmask_next(net); 6481 int family = nfmsg->nfgen_family; 6482 const struct nlattr *attr; 6483 struct nft_table *table; 6484 struct nft_object *obj; 6485 struct nft_ctx ctx; 6486 u32 objtype; 6487 6488 if (!nla[NFTA_OBJ_TYPE] || 6489 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 6490 return -EINVAL; 6491 6492 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 6493 NETLINK_CB(skb).portid); 6494 if (IS_ERR(table)) { 6495 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6496 return PTR_ERR(table); 6497 } 6498 6499 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6500 if (nla[NFTA_OBJ_HANDLE]) { 6501 attr = nla[NFTA_OBJ_HANDLE]; 6502 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 6503 } else { 6504 attr = nla[NFTA_OBJ_NAME]; 6505 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 6506 } 6507 6508 if (IS_ERR(obj)) { 6509 NL_SET_BAD_ATTR(extack, attr); 6510 return PTR_ERR(obj); 6511 } 6512 if (obj->use > 0) { 6513 NL_SET_BAD_ATTR(extack, attr); 6514 return -EBUSY; 6515 } 6516 6517 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6518 6519 return nft_delobj(&ctx, obj); 6520 } 6521 6522 void nft_obj_notify(struct net *net, const struct nft_table *table, 6523 struct nft_object *obj, u32 portid, u32 seq, int event, 6524 int family, int report, gfp_t gfp) 6525 { 6526 struct sk_buff *skb; 6527 int err; 6528 char *buf = kasprintf(gfp, "%s:%llu;?:0", 6529 table->name, table->handle); 6530 6531 audit_log_nfcfg(buf, 6532 family, 6533 obj->handle, 6534 event == NFT_MSG_NEWOBJ ? 6535 AUDIT_NFT_OP_OBJ_REGISTER : 6536 AUDIT_NFT_OP_OBJ_UNREGISTER, 6537 gfp); 6538 kfree(buf); 6539 6540 if (!report && 6541 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 6542 return; 6543 6544 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 6545 if (skb == NULL) 6546 goto err; 6547 6548 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family, 6549 table, obj, false); 6550 if (err < 0) { 6551 kfree_skb(skb); 6552 goto err; 6553 } 6554 6555 nft_notify_enqueue(skb, report, &net->nft.notify_list); 6556 return; 6557 err: 6558 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 6559 } 6560 EXPORT_SYMBOL_GPL(nft_obj_notify); 6561 6562 static void nf_tables_obj_notify(const struct nft_ctx *ctx, 6563 struct nft_object *obj, int event) 6564 { 6565 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, 6566 ctx->family, ctx->report, GFP_KERNEL); 6567 } 6568 6569 /* 6570 * Flow tables 6571 */ 6572 void nft_register_flowtable_type(struct nf_flowtable_type *type) 6573 { 6574 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6575 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 6576 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6577 } 6578 EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 6579 6580 void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 6581 { 6582 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6583 list_del_rcu(&type->list); 6584 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6585 } 6586 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 6587 6588 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 6589 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 6590 .len = NFT_NAME_MAXLEN - 1 }, 6591 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 6592 .len = NFT_NAME_MAXLEN - 1 }, 6593 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 6594 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 6595 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 6596 }; 6597 6598 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 6599 const struct nlattr *nla, u8 genmask) 6600 { 6601 struct nft_flowtable *flowtable; 6602 6603 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 6604 if (!nla_strcmp(nla, flowtable->name) && 6605 nft_active_genmask(flowtable, genmask)) 6606 return flowtable; 6607 } 6608 return ERR_PTR(-ENOENT); 6609 } 6610 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 6611 6612 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 6613 struct nft_flowtable *flowtable, 6614 enum nft_trans_phase phase) 6615 { 6616 switch (phase) { 6617 case NFT_TRANS_PREPARE: 6618 case NFT_TRANS_ABORT: 6619 case NFT_TRANS_RELEASE: 6620 flowtable->use--; 6621 fallthrough; 6622 default: 6623 return; 6624 } 6625 } 6626 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 6627 6628 static struct nft_flowtable * 6629 nft_flowtable_lookup_byhandle(const struct nft_table *table, 6630 const struct nlattr *nla, u8 genmask) 6631 { 6632 struct nft_flowtable *flowtable; 6633 6634 list_for_each_entry(flowtable, &table->flowtables, list) { 6635 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 6636 nft_active_genmask(flowtable, genmask)) 6637 return flowtable; 6638 } 6639 return ERR_PTR(-ENOENT); 6640 } 6641 6642 struct nft_flowtable_hook { 6643 u32 num; 6644 int priority; 6645 struct list_head list; 6646 }; 6647 6648 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 6649 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 6650 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 6651 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 6652 }; 6653 6654 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 6655 const struct nlattr *attr, 6656 struct nft_flowtable_hook *flowtable_hook, 6657 struct nft_flowtable *flowtable, bool add) 6658 { 6659 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 6660 struct nft_hook *hook; 6661 int hooknum, priority; 6662 int err; 6663 6664 INIT_LIST_HEAD(&flowtable_hook->list); 6665 6666 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr, 6667 nft_flowtable_hook_policy, NULL); 6668 if (err < 0) 6669 return err; 6670 6671 if (add) { 6672 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 6673 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) 6674 return -EINVAL; 6675 6676 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 6677 if (hooknum != NF_NETDEV_INGRESS) 6678 return -EOPNOTSUPP; 6679 6680 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 6681 6682 flowtable_hook->priority = priority; 6683 flowtable_hook->num = hooknum; 6684 } else { 6685 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 6686 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 6687 if (hooknum != flowtable->hooknum) 6688 return -EOPNOTSUPP; 6689 } 6690 6691 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 6692 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 6693 if (priority != flowtable->data.priority) 6694 return -EOPNOTSUPP; 6695 } 6696 6697 flowtable_hook->priority = flowtable->data.priority; 6698 flowtable_hook->num = flowtable->hooknum; 6699 } 6700 6701 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 6702 err = nf_tables_parse_netdev_hooks(ctx->net, 6703 tb[NFTA_FLOWTABLE_HOOK_DEVS], 6704 &flowtable_hook->list); 6705 if (err < 0) 6706 return err; 6707 } 6708 6709 list_for_each_entry(hook, &flowtable_hook->list, list) { 6710 hook->ops.pf = NFPROTO_NETDEV; 6711 hook->ops.hooknum = flowtable_hook->num; 6712 hook->ops.priority = flowtable_hook->priority; 6713 hook->ops.priv = &flowtable->data; 6714 hook->ops.hook = flowtable->data.type->hook; 6715 } 6716 6717 return err; 6718 } 6719 6720 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 6721 { 6722 const struct nf_flowtable_type *type; 6723 6724 list_for_each_entry(type, &nf_tables_flowtables, list) { 6725 if (family == type->family) 6726 return type; 6727 } 6728 return NULL; 6729 } 6730 6731 static const struct nf_flowtable_type * 6732 nft_flowtable_type_get(struct net *net, u8 family) 6733 { 6734 const struct nf_flowtable_type *type; 6735 6736 type = __nft_flowtable_type_get(family); 6737 if (type != NULL && try_module_get(type->owner)) 6738 return type; 6739 6740 lockdep_nfnl_nft_mutex_not_held(); 6741 #ifdef CONFIG_MODULES 6742 if (type == NULL) { 6743 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 6744 return ERR_PTR(-EAGAIN); 6745 } 6746 #endif 6747 return ERR_PTR(-ENOENT); 6748 } 6749 6750 /* Only called from error and netdev event paths. */ 6751 static void nft_unregister_flowtable_hook(struct net *net, 6752 struct nft_flowtable *flowtable, 6753 struct nft_hook *hook) 6754 { 6755 nf_unregister_net_hook(net, &hook->ops); 6756 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 6757 FLOW_BLOCK_UNBIND); 6758 } 6759 6760 static void nft_unregister_flowtable_net_hooks(struct net *net, 6761 struct list_head *hook_list) 6762 { 6763 struct nft_hook *hook; 6764 6765 list_for_each_entry(hook, hook_list, list) 6766 nf_unregister_net_hook(net, &hook->ops); 6767 } 6768 6769 static int nft_register_flowtable_net_hooks(struct net *net, 6770 struct nft_table *table, 6771 struct list_head *hook_list, 6772 struct nft_flowtable *flowtable) 6773 { 6774 struct nft_hook *hook, *hook2, *next; 6775 struct nft_flowtable *ft; 6776 int err, i = 0; 6777 6778 list_for_each_entry(hook, hook_list, list) { 6779 list_for_each_entry(ft, &table->flowtables, list) { 6780 list_for_each_entry(hook2, &ft->hook_list, list) { 6781 if (hook->ops.dev == hook2->ops.dev && 6782 hook->ops.pf == hook2->ops.pf) { 6783 err = -EEXIST; 6784 goto err_unregister_net_hooks; 6785 } 6786 } 6787 } 6788 6789 err = flowtable->data.type->setup(&flowtable->data, 6790 hook->ops.dev, 6791 FLOW_BLOCK_BIND); 6792 if (err < 0) 6793 goto err_unregister_net_hooks; 6794 6795 err = nf_register_net_hook(net, &hook->ops); 6796 if (err < 0) { 6797 flowtable->data.type->setup(&flowtable->data, 6798 hook->ops.dev, 6799 FLOW_BLOCK_UNBIND); 6800 goto err_unregister_net_hooks; 6801 } 6802 6803 i++; 6804 } 6805 6806 return 0; 6807 6808 err_unregister_net_hooks: 6809 list_for_each_entry_safe(hook, next, hook_list, list) { 6810 if (i-- <= 0) 6811 break; 6812 6813 nft_unregister_flowtable_hook(net, flowtable, hook); 6814 list_del_rcu(&hook->list); 6815 kfree_rcu(hook, rcu); 6816 } 6817 6818 return err; 6819 } 6820 6821 static void nft_flowtable_hooks_destroy(struct list_head *hook_list) 6822 { 6823 struct nft_hook *hook, *next; 6824 6825 list_for_each_entry_safe(hook, next, hook_list, list) { 6826 list_del_rcu(&hook->list); 6827 kfree_rcu(hook, rcu); 6828 } 6829 } 6830 6831 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 6832 struct nft_flowtable *flowtable) 6833 { 6834 const struct nlattr * const *nla = ctx->nla; 6835 struct nft_flowtable_hook flowtable_hook; 6836 struct nft_hook *hook, *next; 6837 struct nft_trans *trans; 6838 bool unregister = false; 6839 int err; 6840 6841 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 6842 &flowtable_hook, flowtable, false); 6843 if (err < 0) 6844 return err; 6845 6846 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 6847 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 6848 list_del(&hook->list); 6849 kfree(hook); 6850 } 6851 } 6852 6853 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 6854 &flowtable_hook.list, flowtable); 6855 if (err < 0) 6856 goto err_flowtable_update_hook; 6857 6858 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 6859 sizeof(struct nft_trans_flowtable)); 6860 if (!trans) { 6861 unregister = true; 6862 err = -ENOMEM; 6863 goto err_flowtable_update_hook; 6864 } 6865 6866 nft_trans_flowtable(trans) = flowtable; 6867 nft_trans_flowtable_update(trans) = true; 6868 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 6869 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 6870 6871 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 6872 6873 return 0; 6874 6875 err_flowtable_update_hook: 6876 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 6877 if (unregister) 6878 nft_unregister_flowtable_hook(ctx->net, flowtable, hook); 6879 list_del_rcu(&hook->list); 6880 kfree_rcu(hook, rcu); 6881 } 6882 6883 return err; 6884 6885 } 6886 6887 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk, 6888 struct sk_buff *skb, 6889 const struct nlmsghdr *nlh, 6890 const struct nlattr * const nla[], 6891 struct netlink_ext_ack *extack) 6892 { 6893 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6894 struct nft_flowtable_hook flowtable_hook; 6895 const struct nf_flowtable_type *type; 6896 u8 genmask = nft_genmask_next(net); 6897 int family = nfmsg->nfgen_family; 6898 struct nft_flowtable *flowtable; 6899 struct nft_hook *hook, *next; 6900 struct nft_table *table; 6901 struct nft_ctx ctx; 6902 int err; 6903 6904 if (!nla[NFTA_FLOWTABLE_TABLE] || 6905 !nla[NFTA_FLOWTABLE_NAME] || 6906 !nla[NFTA_FLOWTABLE_HOOK]) 6907 return -EINVAL; 6908 6909 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 6910 genmask, NETLINK_CB(skb).portid); 6911 if (IS_ERR(table)) { 6912 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 6913 return PTR_ERR(table); 6914 } 6915 6916 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 6917 genmask); 6918 if (IS_ERR(flowtable)) { 6919 err = PTR_ERR(flowtable); 6920 if (err != -ENOENT) { 6921 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 6922 return err; 6923 } 6924 } else { 6925 if (nlh->nlmsg_flags & NLM_F_EXCL) { 6926 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 6927 return -EEXIST; 6928 } 6929 6930 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6931 6932 return nft_flowtable_update(&ctx, nlh, flowtable); 6933 } 6934 6935 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6936 6937 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL); 6938 if (!flowtable) 6939 return -ENOMEM; 6940 6941 flowtable->table = table; 6942 flowtable->handle = nf_tables_alloc_handle(table); 6943 INIT_LIST_HEAD(&flowtable->hook_list); 6944 6945 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL); 6946 if (!flowtable->name) { 6947 err = -ENOMEM; 6948 goto err1; 6949 } 6950 6951 type = nft_flowtable_type_get(net, family); 6952 if (IS_ERR(type)) { 6953 err = PTR_ERR(type); 6954 goto err2; 6955 } 6956 6957 if (nla[NFTA_FLOWTABLE_FLAGS]) { 6958 flowtable->data.flags = 6959 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 6960 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) 6961 goto err3; 6962 } 6963 6964 write_pnet(&flowtable->data.net, net); 6965 flowtable->data.type = type; 6966 err = type->init(&flowtable->data); 6967 if (err < 0) 6968 goto err3; 6969 6970 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK], 6971 &flowtable_hook, flowtable, true); 6972 if (err < 0) 6973 goto err4; 6974 6975 list_splice(&flowtable_hook.list, &flowtable->hook_list); 6976 flowtable->data.priority = flowtable_hook.priority; 6977 flowtable->hooknum = flowtable_hook.num; 6978 6979 err = nft_register_flowtable_net_hooks(ctx.net, table, 6980 &flowtable->hook_list, 6981 flowtable); 6982 if (err < 0) { 6983 nft_flowtable_hooks_destroy(&flowtable->hook_list); 6984 goto err4; 6985 } 6986 6987 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 6988 if (err < 0) 6989 goto err5; 6990 6991 list_add_tail_rcu(&flowtable->list, &table->flowtables); 6992 table->use++; 6993 6994 return 0; 6995 err5: 6996 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 6997 nft_unregister_flowtable_hook(net, flowtable, hook); 6998 list_del_rcu(&hook->list); 6999 kfree_rcu(hook, rcu); 7000 } 7001 err4: 7002 flowtable->data.type->free(&flowtable->data); 7003 err3: 7004 module_put(type->owner); 7005 err2: 7006 kfree(flowtable->name); 7007 err1: 7008 kfree(flowtable); 7009 return err; 7010 } 7011 7012 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook) 7013 { 7014 struct nft_hook *this, *next; 7015 7016 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { 7017 list_del(&this->list); 7018 kfree(this); 7019 } 7020 } 7021 7022 static int nft_delflowtable_hook(struct nft_ctx *ctx, 7023 struct nft_flowtable *flowtable) 7024 { 7025 const struct nlattr * const *nla = ctx->nla; 7026 struct nft_flowtable_hook flowtable_hook; 7027 struct nft_hook *this, *hook; 7028 struct nft_trans *trans; 7029 int err; 7030 7031 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 7032 &flowtable_hook, flowtable, false); 7033 if (err < 0) 7034 return err; 7035 7036 list_for_each_entry(this, &flowtable_hook.list, list) { 7037 hook = nft_hook_list_find(&flowtable->hook_list, this); 7038 if (!hook) { 7039 err = -ENOENT; 7040 goto err_flowtable_del_hook; 7041 } 7042 hook->inactive = true; 7043 } 7044 7045 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 7046 sizeof(struct nft_trans_flowtable)); 7047 if (!trans) { 7048 err = -ENOMEM; 7049 goto err_flowtable_del_hook; 7050 } 7051 7052 nft_trans_flowtable(trans) = flowtable; 7053 nft_trans_flowtable_update(trans) = true; 7054 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 7055 nft_flowtable_hook_release(&flowtable_hook); 7056 7057 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 7058 7059 return 0; 7060 7061 err_flowtable_del_hook: 7062 list_for_each_entry(this, &flowtable_hook.list, list) { 7063 hook = nft_hook_list_find(&flowtable->hook_list, this); 7064 if (!hook) 7065 break; 7066 7067 hook->inactive = false; 7068 } 7069 nft_flowtable_hook_release(&flowtable_hook); 7070 7071 return err; 7072 } 7073 7074 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk, 7075 struct sk_buff *skb, 7076 const struct nlmsghdr *nlh, 7077 const struct nlattr * const nla[], 7078 struct netlink_ext_ack *extack) 7079 { 7080 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 7081 u8 genmask = nft_genmask_next(net); 7082 int family = nfmsg->nfgen_family; 7083 struct nft_flowtable *flowtable; 7084 const struct nlattr *attr; 7085 struct nft_table *table; 7086 struct nft_ctx ctx; 7087 7088 if (!nla[NFTA_FLOWTABLE_TABLE] || 7089 (!nla[NFTA_FLOWTABLE_NAME] && 7090 !nla[NFTA_FLOWTABLE_HANDLE])) 7091 return -EINVAL; 7092 7093 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7094 genmask, NETLINK_CB(skb).portid); 7095 if (IS_ERR(table)) { 7096 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 7097 return PTR_ERR(table); 7098 } 7099 7100 if (nla[NFTA_FLOWTABLE_HANDLE]) { 7101 attr = nla[NFTA_FLOWTABLE_HANDLE]; 7102 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 7103 } else { 7104 attr = nla[NFTA_FLOWTABLE_NAME]; 7105 flowtable = nft_flowtable_lookup(table, attr, genmask); 7106 } 7107 7108 if (IS_ERR(flowtable)) { 7109 NL_SET_BAD_ATTR(extack, attr); 7110 return PTR_ERR(flowtable); 7111 } 7112 7113 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 7114 7115 if (nla[NFTA_FLOWTABLE_HOOK]) 7116 return nft_delflowtable_hook(&ctx, flowtable); 7117 7118 if (flowtable->use > 0) { 7119 NL_SET_BAD_ATTR(extack, attr); 7120 return -EBUSY; 7121 } 7122 7123 return nft_delflowtable(&ctx, flowtable); 7124 } 7125 7126 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 7127 u32 portid, u32 seq, int event, 7128 u32 flags, int family, 7129 struct nft_flowtable *flowtable, 7130 struct list_head *hook_list) 7131 { 7132 struct nlattr *nest, *nest_devs; 7133 struct nfgenmsg *nfmsg; 7134 struct nft_hook *hook; 7135 struct nlmsghdr *nlh; 7136 7137 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 7138 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 7139 if (nlh == NULL) 7140 goto nla_put_failure; 7141 7142 nfmsg = nlmsg_data(nlh); 7143 nfmsg->nfgen_family = family; 7144 nfmsg->version = NFNETLINK_V0; 7145 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 7146 7147 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 7148 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 7149 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 7150 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 7151 NFTA_FLOWTABLE_PAD) || 7152 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 7153 goto nla_put_failure; 7154 7155 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 7156 if (!nest) 7157 goto nla_put_failure; 7158 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 7159 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 7160 goto nla_put_failure; 7161 7162 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 7163 if (!nest_devs) 7164 goto nla_put_failure; 7165 7166 list_for_each_entry_rcu(hook, hook_list, list) { 7167 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) 7168 goto nla_put_failure; 7169 } 7170 nla_nest_end(skb, nest_devs); 7171 nla_nest_end(skb, nest); 7172 7173 nlmsg_end(skb, nlh); 7174 return 0; 7175 7176 nla_put_failure: 7177 nlmsg_trim(skb, nlh); 7178 return -1; 7179 } 7180 7181 struct nft_flowtable_filter { 7182 char *table; 7183 }; 7184 7185 static int nf_tables_dump_flowtable(struct sk_buff *skb, 7186 struct netlink_callback *cb) 7187 { 7188 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 7189 struct nft_flowtable_filter *filter = cb->data; 7190 unsigned int idx = 0, s_idx = cb->args[0]; 7191 struct net *net = sock_net(skb->sk); 7192 int family = nfmsg->nfgen_family; 7193 struct nft_flowtable *flowtable; 7194 const struct nft_table *table; 7195 7196 rcu_read_lock(); 7197 cb->seq = net->nft.base_seq; 7198 7199 list_for_each_entry_rcu(table, &net->nft.tables, list) { 7200 if (family != NFPROTO_UNSPEC && family != table->family) 7201 continue; 7202 7203 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 7204 if (!nft_is_active(net, flowtable)) 7205 goto cont; 7206 if (idx < s_idx) 7207 goto cont; 7208 if (idx > s_idx) 7209 memset(&cb->args[1], 0, 7210 sizeof(cb->args) - sizeof(cb->args[0])); 7211 if (filter && filter->table && 7212 strcmp(filter->table, table->name)) 7213 goto cont; 7214 7215 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 7216 cb->nlh->nlmsg_seq, 7217 NFT_MSG_NEWFLOWTABLE, 7218 NLM_F_MULTI | NLM_F_APPEND, 7219 table->family, 7220 flowtable, 7221 &flowtable->hook_list) < 0) 7222 goto done; 7223 7224 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 7225 cont: 7226 idx++; 7227 } 7228 } 7229 done: 7230 rcu_read_unlock(); 7231 7232 cb->args[0] = idx; 7233 return skb->len; 7234 } 7235 7236 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 7237 { 7238 const struct nlattr * const *nla = cb->data; 7239 struct nft_flowtable_filter *filter = NULL; 7240 7241 if (nla[NFTA_FLOWTABLE_TABLE]) { 7242 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 7243 if (!filter) 7244 return -ENOMEM; 7245 7246 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 7247 GFP_ATOMIC); 7248 if (!filter->table) { 7249 kfree(filter); 7250 return -ENOMEM; 7251 } 7252 } 7253 7254 cb->data = filter; 7255 return 0; 7256 } 7257 7258 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 7259 { 7260 struct nft_flowtable_filter *filter = cb->data; 7261 7262 if (!filter) 7263 return 0; 7264 7265 kfree(filter->table); 7266 kfree(filter); 7267 7268 return 0; 7269 } 7270 7271 /* called with rcu_read_lock held */ 7272 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk, 7273 struct sk_buff *skb, 7274 const struct nlmsghdr *nlh, 7275 const struct nlattr * const nla[], 7276 struct netlink_ext_ack *extack) 7277 { 7278 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 7279 u8 genmask = nft_genmask_cur(net); 7280 int family = nfmsg->nfgen_family; 7281 struct nft_flowtable *flowtable; 7282 const struct nft_table *table; 7283 struct sk_buff *skb2; 7284 int err; 7285 7286 if (nlh->nlmsg_flags & NLM_F_DUMP) { 7287 struct netlink_dump_control c = { 7288 .start = nf_tables_dump_flowtable_start, 7289 .dump = nf_tables_dump_flowtable, 7290 .done = nf_tables_dump_flowtable_done, 7291 .module = THIS_MODULE, 7292 .data = (void *)nla, 7293 }; 7294 7295 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 7296 } 7297 7298 if (!nla[NFTA_FLOWTABLE_NAME]) 7299 return -EINVAL; 7300 7301 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7302 genmask, 0); 7303 if (IS_ERR(table)) 7304 return PTR_ERR(table); 7305 7306 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 7307 genmask); 7308 if (IS_ERR(flowtable)) 7309 return PTR_ERR(flowtable); 7310 7311 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7312 if (!skb2) 7313 return -ENOMEM; 7314 7315 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 7316 nlh->nlmsg_seq, 7317 NFT_MSG_NEWFLOWTABLE, 0, family, 7318 flowtable, &flowtable->hook_list); 7319 if (err < 0) 7320 goto err_fill_flowtable_info; 7321 7322 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7323 7324 err_fill_flowtable_info: 7325 kfree_skb(skb2); 7326 return err; 7327 } 7328 7329 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 7330 struct nft_flowtable *flowtable, 7331 struct list_head *hook_list, 7332 int event) 7333 { 7334 struct sk_buff *skb; 7335 int err; 7336 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 7337 flowtable->table->name, flowtable->table->handle, 7338 flowtable->name, flowtable->handle); 7339 7340 audit_log_nfcfg(buf, 7341 ctx->family, 7342 flowtable->hooknum, 7343 event == NFT_MSG_NEWFLOWTABLE ? 7344 AUDIT_NFT_OP_FLOWTABLE_REGISTER : 7345 AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 7346 GFP_KERNEL); 7347 kfree(buf); 7348 7349 if (!ctx->report && 7350 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 7351 return; 7352 7353 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 7354 if (skb == NULL) 7355 goto err; 7356 7357 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 7358 ctx->seq, event, 0, 7359 ctx->family, flowtable, hook_list); 7360 if (err < 0) { 7361 kfree_skb(skb); 7362 goto err; 7363 } 7364 7365 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 7366 return; 7367 err: 7368 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 7369 } 7370 7371 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 7372 { 7373 struct nft_hook *hook, *next; 7374 7375 flowtable->data.type->free(&flowtable->data); 7376 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7377 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 7378 FLOW_BLOCK_UNBIND); 7379 list_del_rcu(&hook->list); 7380 kfree(hook); 7381 } 7382 kfree(flowtable->name); 7383 module_put(flowtable->data.type->owner); 7384 kfree(flowtable); 7385 } 7386 7387 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 7388 u32 portid, u32 seq) 7389 { 7390 struct nlmsghdr *nlh; 7391 struct nfgenmsg *nfmsg; 7392 char buf[TASK_COMM_LEN]; 7393 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 7394 7395 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0); 7396 if (nlh == NULL) 7397 goto nla_put_failure; 7398 7399 nfmsg = nlmsg_data(nlh); 7400 nfmsg->nfgen_family = AF_UNSPEC; 7401 nfmsg->version = NFNETLINK_V0; 7402 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 7403 7404 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || 7405 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 7406 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 7407 goto nla_put_failure; 7408 7409 nlmsg_end(skb, nlh); 7410 return 0; 7411 7412 nla_put_failure: 7413 nlmsg_trim(skb, nlh); 7414 return -EMSGSIZE; 7415 } 7416 7417 static void nft_flowtable_event(unsigned long event, struct net_device *dev, 7418 struct nft_flowtable *flowtable) 7419 { 7420 struct nft_hook *hook; 7421 7422 list_for_each_entry(hook, &flowtable->hook_list, list) { 7423 if (hook->ops.dev != dev) 7424 continue; 7425 7426 /* flow_offload_netdev_event() cleans up entries for us. */ 7427 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); 7428 list_del_rcu(&hook->list); 7429 kfree_rcu(hook, rcu); 7430 break; 7431 } 7432 } 7433 7434 static int nf_tables_flowtable_event(struct notifier_block *this, 7435 unsigned long event, void *ptr) 7436 { 7437 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 7438 struct nft_flowtable *flowtable; 7439 struct nft_table *table; 7440 struct net *net; 7441 7442 if (event != NETDEV_UNREGISTER) 7443 return 0; 7444 7445 net = dev_net(dev); 7446 mutex_lock(&net->nft.commit_mutex); 7447 list_for_each_entry(table, &net->nft.tables, list) { 7448 list_for_each_entry(flowtable, &table->flowtables, list) { 7449 nft_flowtable_event(event, dev, flowtable); 7450 } 7451 } 7452 mutex_unlock(&net->nft.commit_mutex); 7453 7454 return NOTIFY_DONE; 7455 } 7456 7457 static struct notifier_block nf_tables_flowtable_notifier = { 7458 .notifier_call = nf_tables_flowtable_event, 7459 }; 7460 7461 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 7462 int event) 7463 { 7464 struct nlmsghdr *nlh = nlmsg_hdr(skb); 7465 struct sk_buff *skb2; 7466 int err; 7467 7468 audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq, 7469 AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL); 7470 7471 if (!nlmsg_report(nlh) && 7472 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 7473 return; 7474 7475 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 7476 if (skb2 == NULL) 7477 goto err; 7478 7479 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 7480 nlh->nlmsg_seq); 7481 if (err < 0) { 7482 kfree_skb(skb2); 7483 goto err; 7484 } 7485 7486 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 7487 nlmsg_report(nlh), GFP_KERNEL); 7488 return; 7489 err: 7490 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 7491 -ENOBUFS); 7492 } 7493 7494 static int nf_tables_getgen(struct net *net, struct sock *nlsk, 7495 struct sk_buff *skb, const struct nlmsghdr *nlh, 7496 const struct nlattr * const nla[], 7497 struct netlink_ext_ack *extack) 7498 { 7499 struct sk_buff *skb2; 7500 int err; 7501 7502 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7503 if (skb2 == NULL) 7504 return -ENOMEM; 7505 7506 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 7507 nlh->nlmsg_seq); 7508 if (err < 0) 7509 goto err_fill_gen_info; 7510 7511 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7512 7513 err_fill_gen_info: 7514 kfree_skb(skb2); 7515 return err; 7516 } 7517 7518 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 7519 [NFT_MSG_NEWTABLE] = { 7520 .call_batch = nf_tables_newtable, 7521 .attr_count = NFTA_TABLE_MAX, 7522 .policy = nft_table_policy, 7523 }, 7524 [NFT_MSG_GETTABLE] = { 7525 .call_rcu = nf_tables_gettable, 7526 .attr_count = NFTA_TABLE_MAX, 7527 .policy = nft_table_policy, 7528 }, 7529 [NFT_MSG_DELTABLE] = { 7530 .call_batch = nf_tables_deltable, 7531 .attr_count = NFTA_TABLE_MAX, 7532 .policy = nft_table_policy, 7533 }, 7534 [NFT_MSG_NEWCHAIN] = { 7535 .call_batch = nf_tables_newchain, 7536 .attr_count = NFTA_CHAIN_MAX, 7537 .policy = nft_chain_policy, 7538 }, 7539 [NFT_MSG_GETCHAIN] = { 7540 .call_rcu = nf_tables_getchain, 7541 .attr_count = NFTA_CHAIN_MAX, 7542 .policy = nft_chain_policy, 7543 }, 7544 [NFT_MSG_DELCHAIN] = { 7545 .call_batch = nf_tables_delchain, 7546 .attr_count = NFTA_CHAIN_MAX, 7547 .policy = nft_chain_policy, 7548 }, 7549 [NFT_MSG_NEWRULE] = { 7550 .call_batch = nf_tables_newrule, 7551 .attr_count = NFTA_RULE_MAX, 7552 .policy = nft_rule_policy, 7553 }, 7554 [NFT_MSG_GETRULE] = { 7555 .call_rcu = nf_tables_getrule, 7556 .attr_count = NFTA_RULE_MAX, 7557 .policy = nft_rule_policy, 7558 }, 7559 [NFT_MSG_DELRULE] = { 7560 .call_batch = nf_tables_delrule, 7561 .attr_count = NFTA_RULE_MAX, 7562 .policy = nft_rule_policy, 7563 }, 7564 [NFT_MSG_NEWSET] = { 7565 .call_batch = nf_tables_newset, 7566 .attr_count = NFTA_SET_MAX, 7567 .policy = nft_set_policy, 7568 }, 7569 [NFT_MSG_GETSET] = { 7570 .call_rcu = nf_tables_getset, 7571 .attr_count = NFTA_SET_MAX, 7572 .policy = nft_set_policy, 7573 }, 7574 [NFT_MSG_DELSET] = { 7575 .call_batch = nf_tables_delset, 7576 .attr_count = NFTA_SET_MAX, 7577 .policy = nft_set_policy, 7578 }, 7579 [NFT_MSG_NEWSETELEM] = { 7580 .call_batch = nf_tables_newsetelem, 7581 .attr_count = NFTA_SET_ELEM_LIST_MAX, 7582 .policy = nft_set_elem_list_policy, 7583 }, 7584 [NFT_MSG_GETSETELEM] = { 7585 .call_rcu = nf_tables_getsetelem, 7586 .attr_count = NFTA_SET_ELEM_LIST_MAX, 7587 .policy = nft_set_elem_list_policy, 7588 }, 7589 [NFT_MSG_DELSETELEM] = { 7590 .call_batch = nf_tables_delsetelem, 7591 .attr_count = NFTA_SET_ELEM_LIST_MAX, 7592 .policy = nft_set_elem_list_policy, 7593 }, 7594 [NFT_MSG_GETGEN] = { 7595 .call_rcu = nf_tables_getgen, 7596 }, 7597 [NFT_MSG_NEWOBJ] = { 7598 .call_batch = nf_tables_newobj, 7599 .attr_count = NFTA_OBJ_MAX, 7600 .policy = nft_obj_policy, 7601 }, 7602 [NFT_MSG_GETOBJ] = { 7603 .call_rcu = nf_tables_getobj, 7604 .attr_count = NFTA_OBJ_MAX, 7605 .policy = nft_obj_policy, 7606 }, 7607 [NFT_MSG_DELOBJ] = { 7608 .call_batch = nf_tables_delobj, 7609 .attr_count = NFTA_OBJ_MAX, 7610 .policy = nft_obj_policy, 7611 }, 7612 [NFT_MSG_GETOBJ_RESET] = { 7613 .call_rcu = nf_tables_getobj, 7614 .attr_count = NFTA_OBJ_MAX, 7615 .policy = nft_obj_policy, 7616 }, 7617 [NFT_MSG_NEWFLOWTABLE] = { 7618 .call_batch = nf_tables_newflowtable, 7619 .attr_count = NFTA_FLOWTABLE_MAX, 7620 .policy = nft_flowtable_policy, 7621 }, 7622 [NFT_MSG_GETFLOWTABLE] = { 7623 .call_rcu = nf_tables_getflowtable, 7624 .attr_count = NFTA_FLOWTABLE_MAX, 7625 .policy = nft_flowtable_policy, 7626 }, 7627 [NFT_MSG_DELFLOWTABLE] = { 7628 .call_batch = nf_tables_delflowtable, 7629 .attr_count = NFTA_FLOWTABLE_MAX, 7630 .policy = nft_flowtable_policy, 7631 }, 7632 }; 7633 7634 static int nf_tables_validate(struct net *net) 7635 { 7636 struct nft_table *table; 7637 7638 switch (net->nft.validate_state) { 7639 case NFT_VALIDATE_SKIP: 7640 break; 7641 case NFT_VALIDATE_NEED: 7642 nft_validate_state_update(net, NFT_VALIDATE_DO); 7643 fallthrough; 7644 case NFT_VALIDATE_DO: 7645 list_for_each_entry(table, &net->nft.tables, list) { 7646 if (nft_table_validate(net, table) < 0) 7647 return -EAGAIN; 7648 } 7649 break; 7650 } 7651 7652 return 0; 7653 } 7654 7655 /* a drop policy has to be deferred until all rules have been activated, 7656 * otherwise a large ruleset that contains a drop-policy base chain will 7657 * cause all packets to get dropped until the full transaction has been 7658 * processed. 7659 * 7660 * We defer the drop policy until the transaction has been finalized. 7661 */ 7662 static void nft_chain_commit_drop_policy(struct nft_trans *trans) 7663 { 7664 struct nft_base_chain *basechain; 7665 7666 if (nft_trans_chain_policy(trans) != NF_DROP) 7667 return; 7668 7669 if (!nft_is_base_chain(trans->ctx.chain)) 7670 return; 7671 7672 basechain = nft_base_chain(trans->ctx.chain); 7673 basechain->policy = NF_DROP; 7674 } 7675 7676 static void nft_chain_commit_update(struct nft_trans *trans) 7677 { 7678 struct nft_base_chain *basechain; 7679 7680 if (nft_trans_chain_name(trans)) { 7681 rhltable_remove(&trans->ctx.table->chains_ht, 7682 &trans->ctx.chain->rhlhead, 7683 nft_chain_ht_params); 7684 swap(trans->ctx.chain->name, nft_trans_chain_name(trans)); 7685 rhltable_insert_key(&trans->ctx.table->chains_ht, 7686 trans->ctx.chain->name, 7687 &trans->ctx.chain->rhlhead, 7688 nft_chain_ht_params); 7689 } 7690 7691 if (!nft_is_base_chain(trans->ctx.chain)) 7692 return; 7693 7694 nft_chain_stats_replace(trans); 7695 7696 basechain = nft_base_chain(trans->ctx.chain); 7697 7698 switch (nft_trans_chain_policy(trans)) { 7699 case NF_DROP: 7700 case NF_ACCEPT: 7701 basechain->policy = nft_trans_chain_policy(trans); 7702 break; 7703 } 7704 } 7705 7706 static void nft_obj_commit_update(struct nft_trans *trans) 7707 { 7708 struct nft_object *newobj; 7709 struct nft_object *obj; 7710 7711 obj = nft_trans_obj(trans); 7712 newobj = nft_trans_obj_newobj(trans); 7713 7714 if (obj->ops->update) 7715 obj->ops->update(obj, newobj); 7716 7717 kfree(newobj); 7718 } 7719 7720 static void nft_commit_release(struct nft_trans *trans) 7721 { 7722 switch (trans->msg_type) { 7723 case NFT_MSG_DELTABLE: 7724 nf_tables_table_destroy(&trans->ctx); 7725 break; 7726 case NFT_MSG_NEWCHAIN: 7727 free_percpu(nft_trans_chain_stats(trans)); 7728 kfree(nft_trans_chain_name(trans)); 7729 break; 7730 case NFT_MSG_DELCHAIN: 7731 nf_tables_chain_destroy(&trans->ctx); 7732 break; 7733 case NFT_MSG_DELRULE: 7734 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 7735 break; 7736 case NFT_MSG_DELSET: 7737 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 7738 break; 7739 case NFT_MSG_DELSETELEM: 7740 nf_tables_set_elem_destroy(&trans->ctx, 7741 nft_trans_elem_set(trans), 7742 nft_trans_elem(trans).priv); 7743 break; 7744 case NFT_MSG_DELOBJ: 7745 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 7746 break; 7747 case NFT_MSG_DELFLOWTABLE: 7748 if (nft_trans_flowtable_update(trans)) 7749 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 7750 else 7751 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 7752 break; 7753 } 7754 7755 if (trans->put_net) 7756 put_net(trans->ctx.net); 7757 7758 kfree(trans); 7759 } 7760 7761 static void nf_tables_trans_destroy_work(struct work_struct *w) 7762 { 7763 struct nft_trans *trans, *next; 7764 LIST_HEAD(head); 7765 7766 spin_lock(&nf_tables_destroy_list_lock); 7767 list_splice_init(&nf_tables_destroy_list, &head); 7768 spin_unlock(&nf_tables_destroy_list_lock); 7769 7770 if (list_empty(&head)) 7771 return; 7772 7773 synchronize_rcu(); 7774 7775 list_for_each_entry_safe(trans, next, &head, list) { 7776 list_del(&trans->list); 7777 nft_commit_release(trans); 7778 } 7779 } 7780 7781 void nf_tables_trans_destroy_flush_work(void) 7782 { 7783 flush_work(&trans_destroy_work); 7784 } 7785 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work); 7786 7787 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 7788 { 7789 struct nft_rule *rule; 7790 unsigned int alloc = 0; 7791 int i; 7792 7793 /* already handled or inactive chain? */ 7794 if (chain->rules_next || !nft_is_active_next(net, chain)) 7795 return 0; 7796 7797 rule = list_entry(&chain->rules, struct nft_rule, list); 7798 i = 0; 7799 7800 list_for_each_entry_continue(rule, &chain->rules, list) { 7801 if (nft_is_active_next(net, rule)) 7802 alloc++; 7803 } 7804 7805 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc); 7806 if (!chain->rules_next) 7807 return -ENOMEM; 7808 7809 list_for_each_entry_continue(rule, &chain->rules, list) { 7810 if (nft_is_active_next(net, rule)) 7811 chain->rules_next[i++] = rule; 7812 } 7813 7814 chain->rules_next[i] = NULL; 7815 return 0; 7816 } 7817 7818 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 7819 { 7820 struct nft_trans *trans, *next; 7821 7822 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 7823 struct nft_chain *chain = trans->ctx.chain; 7824 7825 if (trans->msg_type == NFT_MSG_NEWRULE || 7826 trans->msg_type == NFT_MSG_DELRULE) { 7827 kvfree(chain->rules_next); 7828 chain->rules_next = NULL; 7829 } 7830 } 7831 } 7832 7833 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h) 7834 { 7835 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h); 7836 7837 kvfree(o->start); 7838 } 7839 7840 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules) 7841 { 7842 struct nft_rule **r = rules; 7843 struct nft_rules_old *old; 7844 7845 while (*r) 7846 r++; 7847 7848 r++; /* rcu_head is after end marker */ 7849 old = (void *) r; 7850 old->start = rules; 7851 7852 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old); 7853 } 7854 7855 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 7856 { 7857 struct nft_rule **g0, **g1; 7858 bool next_genbit; 7859 7860 next_genbit = nft_gencursor_next(net); 7861 7862 g0 = rcu_dereference_protected(chain->rules_gen_0, 7863 lockdep_commit_lock_is_held(net)); 7864 g1 = rcu_dereference_protected(chain->rules_gen_1, 7865 lockdep_commit_lock_is_held(net)); 7866 7867 /* No changes to this chain? */ 7868 if (chain->rules_next == NULL) { 7869 /* chain had no change in last or next generation */ 7870 if (g0 == g1) 7871 return; 7872 /* 7873 * chain had no change in this generation; make sure next 7874 * one uses same rules as current generation. 7875 */ 7876 if (next_genbit) { 7877 rcu_assign_pointer(chain->rules_gen_1, g0); 7878 nf_tables_commit_chain_free_rules_old(g1); 7879 } else { 7880 rcu_assign_pointer(chain->rules_gen_0, g1); 7881 nf_tables_commit_chain_free_rules_old(g0); 7882 } 7883 7884 return; 7885 } 7886 7887 if (next_genbit) 7888 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next); 7889 else 7890 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next); 7891 7892 chain->rules_next = NULL; 7893 7894 if (g0 == g1) 7895 return; 7896 7897 if (next_genbit) 7898 nf_tables_commit_chain_free_rules_old(g1); 7899 else 7900 nf_tables_commit_chain_free_rules_old(g0); 7901 } 7902 7903 static void nft_obj_del(struct nft_object *obj) 7904 { 7905 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 7906 list_del_rcu(&obj->list); 7907 } 7908 7909 void nft_chain_del(struct nft_chain *chain) 7910 { 7911 struct nft_table *table = chain->table; 7912 7913 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 7914 nft_chain_ht_params)); 7915 list_del_rcu(&chain->list); 7916 } 7917 7918 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable, 7919 struct list_head *hook_list) 7920 { 7921 struct nft_hook *hook, *next; 7922 7923 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7924 if (hook->inactive) 7925 list_move(&hook->list, hook_list); 7926 } 7927 } 7928 7929 static void nf_tables_module_autoload_cleanup(struct net *net) 7930 { 7931 struct nft_module_request *req, *next; 7932 7933 WARN_ON_ONCE(!list_empty(&net->nft.commit_list)); 7934 list_for_each_entry_safe(req, next, &net->nft.module_list, list) { 7935 WARN_ON_ONCE(!req->done); 7936 list_del(&req->list); 7937 kfree(req); 7938 } 7939 } 7940 7941 static void nf_tables_commit_release(struct net *net) 7942 { 7943 struct nft_trans *trans; 7944 7945 /* all side effects have to be made visible. 7946 * For example, if a chain named 'foo' has been deleted, a 7947 * new transaction must not find it anymore. 7948 * 7949 * Memory reclaim happens asynchronously from work queue 7950 * to prevent expensive synchronize_rcu() in commit phase. 7951 */ 7952 if (list_empty(&net->nft.commit_list)) { 7953 nf_tables_module_autoload_cleanup(net); 7954 mutex_unlock(&net->nft.commit_mutex); 7955 return; 7956 } 7957 7958 trans = list_last_entry(&net->nft.commit_list, 7959 struct nft_trans, list); 7960 get_net(trans->ctx.net); 7961 WARN_ON_ONCE(trans->put_net); 7962 7963 trans->put_net = true; 7964 spin_lock(&nf_tables_destroy_list_lock); 7965 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list); 7966 spin_unlock(&nf_tables_destroy_list_lock); 7967 7968 nf_tables_module_autoload_cleanup(net); 7969 schedule_work(&trans_destroy_work); 7970 7971 mutex_unlock(&net->nft.commit_mutex); 7972 } 7973 7974 static void nft_commit_notify(struct net *net, u32 portid) 7975 { 7976 struct sk_buff *batch_skb = NULL, *nskb, *skb; 7977 unsigned char *data; 7978 int len; 7979 7980 list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) { 7981 if (!batch_skb) { 7982 new_batch: 7983 batch_skb = skb; 7984 len = NLMSG_GOODSIZE - skb->len; 7985 list_del(&skb->list); 7986 continue; 7987 } 7988 len -= skb->len; 7989 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) { 7990 data = skb_put(batch_skb, skb->len); 7991 memcpy(data, skb->data, skb->len); 7992 list_del(&skb->list); 7993 kfree_skb(skb); 7994 continue; 7995 } 7996 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 7997 NFT_CB(batch_skb).report, GFP_KERNEL); 7998 goto new_batch; 7999 } 8000 8001 if (batch_skb) { 8002 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 8003 NFT_CB(batch_skb).report, GFP_KERNEL); 8004 } 8005 8006 WARN_ON_ONCE(!list_empty(&net->nft.notify_list)); 8007 } 8008 8009 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 8010 { 8011 struct nft_trans *trans, *next; 8012 struct nft_trans_elem *te; 8013 struct nft_chain *chain; 8014 struct nft_table *table; 8015 int err; 8016 8017 if (list_empty(&net->nft.commit_list)) { 8018 mutex_unlock(&net->nft.commit_mutex); 8019 return 0; 8020 } 8021 8022 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 8023 if (nf_tables_validate(net) < 0) 8024 return -EAGAIN; 8025 8026 err = nft_flow_rule_offload_commit(net); 8027 if (err < 0) 8028 return err; 8029 8030 /* 1. Allocate space for next generation rules_gen_X[] */ 8031 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 8032 int ret; 8033 8034 if (trans->msg_type == NFT_MSG_NEWRULE || 8035 trans->msg_type == NFT_MSG_DELRULE) { 8036 chain = trans->ctx.chain; 8037 8038 ret = nf_tables_commit_chain_prepare(net, chain); 8039 if (ret < 0) { 8040 nf_tables_commit_chain_prepare_cancel(net); 8041 return ret; 8042 } 8043 } 8044 } 8045 8046 /* step 2. Make rules_gen_X visible to packet path */ 8047 list_for_each_entry(table, &net->nft.tables, list) { 8048 list_for_each_entry(chain, &table->chains, list) 8049 nf_tables_commit_chain(net, chain); 8050 } 8051 8052 /* 8053 * Bump generation counter, invalidate any dump in progress. 8054 * Cannot fail after this point. 8055 */ 8056 while (++net->nft.base_seq == 0); 8057 8058 /* step 3. Start new generation, rules_gen_X now in use. */ 8059 net->nft.gencursor = nft_gencursor_next(net); 8060 8061 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 8062 switch (trans->msg_type) { 8063 case NFT_MSG_NEWTABLE: 8064 if (nft_trans_table_update(trans)) { 8065 if (!nft_trans_table_enable(trans)) { 8066 nf_tables_table_disable(net, 8067 trans->ctx.table); 8068 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 8069 } 8070 } else { 8071 nft_clear(net, trans->ctx.table); 8072 } 8073 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE); 8074 nft_trans_destroy(trans); 8075 break; 8076 case NFT_MSG_DELTABLE: 8077 list_del_rcu(&trans->ctx.table->list); 8078 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE); 8079 break; 8080 case NFT_MSG_NEWCHAIN: 8081 if (nft_trans_chain_update(trans)) { 8082 nft_chain_commit_update(trans); 8083 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 8084 /* trans destroyed after rcu grace period */ 8085 } else { 8086 nft_chain_commit_drop_policy(trans); 8087 nft_clear(net, trans->ctx.chain); 8088 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 8089 nft_trans_destroy(trans); 8090 } 8091 break; 8092 case NFT_MSG_DELCHAIN: 8093 nft_chain_del(trans->ctx.chain); 8094 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN); 8095 nf_tables_unregister_hook(trans->ctx.net, 8096 trans->ctx.table, 8097 trans->ctx.chain); 8098 break; 8099 case NFT_MSG_NEWRULE: 8100 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 8101 nf_tables_rule_notify(&trans->ctx, 8102 nft_trans_rule(trans), 8103 NFT_MSG_NEWRULE); 8104 nft_trans_destroy(trans); 8105 break; 8106 case NFT_MSG_DELRULE: 8107 list_del_rcu(&nft_trans_rule(trans)->list); 8108 nf_tables_rule_notify(&trans->ctx, 8109 nft_trans_rule(trans), 8110 NFT_MSG_DELRULE); 8111 nft_rule_expr_deactivate(&trans->ctx, 8112 nft_trans_rule(trans), 8113 NFT_TRANS_COMMIT); 8114 break; 8115 case NFT_MSG_NEWSET: 8116 nft_clear(net, nft_trans_set(trans)); 8117 /* This avoids hitting -EBUSY when deleting the table 8118 * from the transaction. 8119 */ 8120 if (nft_set_is_anonymous(nft_trans_set(trans)) && 8121 !list_empty(&nft_trans_set(trans)->bindings)) 8122 trans->ctx.table->use--; 8123 8124 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 8125 NFT_MSG_NEWSET, GFP_KERNEL); 8126 nft_trans_destroy(trans); 8127 break; 8128 case NFT_MSG_DELSET: 8129 list_del_rcu(&nft_trans_set(trans)->list); 8130 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 8131 NFT_MSG_DELSET, GFP_KERNEL); 8132 break; 8133 case NFT_MSG_NEWSETELEM: 8134 te = (struct nft_trans_elem *)trans->data; 8135 8136 te->set->ops->activate(net, te->set, &te->elem); 8137 nf_tables_setelem_notify(&trans->ctx, te->set, 8138 &te->elem, 8139 NFT_MSG_NEWSETELEM, 0); 8140 nft_trans_destroy(trans); 8141 break; 8142 case NFT_MSG_DELSETELEM: 8143 te = (struct nft_trans_elem *)trans->data; 8144 8145 nf_tables_setelem_notify(&trans->ctx, te->set, 8146 &te->elem, 8147 NFT_MSG_DELSETELEM, 0); 8148 te->set->ops->remove(net, te->set, &te->elem); 8149 atomic_dec(&te->set->nelems); 8150 te->set->ndeact--; 8151 break; 8152 case NFT_MSG_NEWOBJ: 8153 if (nft_trans_obj_update(trans)) { 8154 nft_obj_commit_update(trans); 8155 nf_tables_obj_notify(&trans->ctx, 8156 nft_trans_obj(trans), 8157 NFT_MSG_NEWOBJ); 8158 } else { 8159 nft_clear(net, nft_trans_obj(trans)); 8160 nf_tables_obj_notify(&trans->ctx, 8161 nft_trans_obj(trans), 8162 NFT_MSG_NEWOBJ); 8163 nft_trans_destroy(trans); 8164 } 8165 break; 8166 case NFT_MSG_DELOBJ: 8167 nft_obj_del(nft_trans_obj(trans)); 8168 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans), 8169 NFT_MSG_DELOBJ); 8170 break; 8171 case NFT_MSG_NEWFLOWTABLE: 8172 if (nft_trans_flowtable_update(trans)) { 8173 nf_tables_flowtable_notify(&trans->ctx, 8174 nft_trans_flowtable(trans), 8175 &nft_trans_flowtable_hooks(trans), 8176 NFT_MSG_NEWFLOWTABLE); 8177 list_splice(&nft_trans_flowtable_hooks(trans), 8178 &nft_trans_flowtable(trans)->hook_list); 8179 } else { 8180 nft_clear(net, nft_trans_flowtable(trans)); 8181 nf_tables_flowtable_notify(&trans->ctx, 8182 nft_trans_flowtable(trans), 8183 &nft_trans_flowtable(trans)->hook_list, 8184 NFT_MSG_NEWFLOWTABLE); 8185 } 8186 nft_trans_destroy(trans); 8187 break; 8188 case NFT_MSG_DELFLOWTABLE: 8189 if (nft_trans_flowtable_update(trans)) { 8190 nft_flowtable_hooks_del(nft_trans_flowtable(trans), 8191 &nft_trans_flowtable_hooks(trans)); 8192 nf_tables_flowtable_notify(&trans->ctx, 8193 nft_trans_flowtable(trans), 8194 &nft_trans_flowtable_hooks(trans), 8195 NFT_MSG_DELFLOWTABLE); 8196 nft_unregister_flowtable_net_hooks(net, 8197 &nft_trans_flowtable_hooks(trans)); 8198 } else { 8199 list_del_rcu(&nft_trans_flowtable(trans)->list); 8200 nf_tables_flowtable_notify(&trans->ctx, 8201 nft_trans_flowtable(trans), 8202 &nft_trans_flowtable(trans)->hook_list, 8203 NFT_MSG_DELFLOWTABLE); 8204 nft_unregister_flowtable_net_hooks(net, 8205 &nft_trans_flowtable(trans)->hook_list); 8206 } 8207 break; 8208 } 8209 } 8210 8211 nft_commit_notify(net, NETLINK_CB(skb).portid); 8212 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 8213 nf_tables_commit_release(net); 8214 8215 return 0; 8216 } 8217 8218 static void nf_tables_module_autoload(struct net *net) 8219 { 8220 struct nft_module_request *req, *next; 8221 LIST_HEAD(module_list); 8222 8223 list_splice_init(&net->nft.module_list, &module_list); 8224 mutex_unlock(&net->nft.commit_mutex); 8225 list_for_each_entry_safe(req, next, &module_list, list) { 8226 request_module("%s", req->module); 8227 req->done = true; 8228 } 8229 mutex_lock(&net->nft.commit_mutex); 8230 list_splice(&module_list, &net->nft.module_list); 8231 } 8232 8233 static void nf_tables_abort_release(struct nft_trans *trans) 8234 { 8235 switch (trans->msg_type) { 8236 case NFT_MSG_NEWTABLE: 8237 nf_tables_table_destroy(&trans->ctx); 8238 break; 8239 case NFT_MSG_NEWCHAIN: 8240 nf_tables_chain_destroy(&trans->ctx); 8241 break; 8242 case NFT_MSG_NEWRULE: 8243 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 8244 break; 8245 case NFT_MSG_NEWSET: 8246 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 8247 break; 8248 case NFT_MSG_NEWSETELEM: 8249 nft_set_elem_destroy(nft_trans_elem_set(trans), 8250 nft_trans_elem(trans).priv, true); 8251 break; 8252 case NFT_MSG_NEWOBJ: 8253 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 8254 break; 8255 case NFT_MSG_NEWFLOWTABLE: 8256 if (nft_trans_flowtable_update(trans)) 8257 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 8258 else 8259 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 8260 break; 8261 } 8262 kfree(trans); 8263 } 8264 8265 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) 8266 { 8267 struct nft_trans *trans, *next; 8268 struct nft_trans_elem *te; 8269 struct nft_hook *hook; 8270 8271 if (action == NFNL_ABORT_VALIDATE && 8272 nf_tables_validate(net) < 0) 8273 return -EAGAIN; 8274 8275 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list, 8276 list) { 8277 switch (trans->msg_type) { 8278 case NFT_MSG_NEWTABLE: 8279 if (nft_trans_table_update(trans)) { 8280 if (nft_trans_table_enable(trans)) { 8281 nf_tables_table_disable(net, 8282 trans->ctx.table); 8283 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 8284 } 8285 nft_trans_destroy(trans); 8286 } else { 8287 list_del_rcu(&trans->ctx.table->list); 8288 } 8289 break; 8290 case NFT_MSG_DELTABLE: 8291 nft_clear(trans->ctx.net, trans->ctx.table); 8292 nft_trans_destroy(trans); 8293 break; 8294 case NFT_MSG_NEWCHAIN: 8295 if (nft_trans_chain_update(trans)) { 8296 free_percpu(nft_trans_chain_stats(trans)); 8297 kfree(nft_trans_chain_name(trans)); 8298 nft_trans_destroy(trans); 8299 } else { 8300 if (nft_chain_is_bound(trans->ctx.chain)) { 8301 nft_trans_destroy(trans); 8302 break; 8303 } 8304 trans->ctx.table->use--; 8305 nft_chain_del(trans->ctx.chain); 8306 nf_tables_unregister_hook(trans->ctx.net, 8307 trans->ctx.table, 8308 trans->ctx.chain); 8309 } 8310 break; 8311 case NFT_MSG_DELCHAIN: 8312 trans->ctx.table->use++; 8313 nft_clear(trans->ctx.net, trans->ctx.chain); 8314 nft_trans_destroy(trans); 8315 break; 8316 case NFT_MSG_NEWRULE: 8317 trans->ctx.chain->use--; 8318 list_del_rcu(&nft_trans_rule(trans)->list); 8319 nft_rule_expr_deactivate(&trans->ctx, 8320 nft_trans_rule(trans), 8321 NFT_TRANS_ABORT); 8322 break; 8323 case NFT_MSG_DELRULE: 8324 trans->ctx.chain->use++; 8325 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 8326 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans)); 8327 nft_trans_destroy(trans); 8328 break; 8329 case NFT_MSG_NEWSET: 8330 trans->ctx.table->use--; 8331 if (nft_trans_set_bound(trans)) { 8332 nft_trans_destroy(trans); 8333 break; 8334 } 8335 list_del_rcu(&nft_trans_set(trans)->list); 8336 break; 8337 case NFT_MSG_DELSET: 8338 trans->ctx.table->use++; 8339 nft_clear(trans->ctx.net, nft_trans_set(trans)); 8340 nft_trans_destroy(trans); 8341 break; 8342 case NFT_MSG_NEWSETELEM: 8343 if (nft_trans_elem_set_bound(trans)) { 8344 nft_trans_destroy(trans); 8345 break; 8346 } 8347 te = (struct nft_trans_elem *)trans->data; 8348 te->set->ops->remove(net, te->set, &te->elem); 8349 atomic_dec(&te->set->nelems); 8350 break; 8351 case NFT_MSG_DELSETELEM: 8352 te = (struct nft_trans_elem *)trans->data; 8353 8354 nft_set_elem_activate(net, te->set, &te->elem); 8355 te->set->ops->activate(net, te->set, &te->elem); 8356 te->set->ndeact--; 8357 8358 nft_trans_destroy(trans); 8359 break; 8360 case NFT_MSG_NEWOBJ: 8361 if (nft_trans_obj_update(trans)) { 8362 kfree(nft_trans_obj_newobj(trans)); 8363 nft_trans_destroy(trans); 8364 } else { 8365 trans->ctx.table->use--; 8366 nft_obj_del(nft_trans_obj(trans)); 8367 } 8368 break; 8369 case NFT_MSG_DELOBJ: 8370 trans->ctx.table->use++; 8371 nft_clear(trans->ctx.net, nft_trans_obj(trans)); 8372 nft_trans_destroy(trans); 8373 break; 8374 case NFT_MSG_NEWFLOWTABLE: 8375 if (nft_trans_flowtable_update(trans)) { 8376 nft_unregister_flowtable_net_hooks(net, 8377 &nft_trans_flowtable_hooks(trans)); 8378 } else { 8379 trans->ctx.table->use--; 8380 list_del_rcu(&nft_trans_flowtable(trans)->list); 8381 nft_unregister_flowtable_net_hooks(net, 8382 &nft_trans_flowtable(trans)->hook_list); 8383 } 8384 break; 8385 case NFT_MSG_DELFLOWTABLE: 8386 if (nft_trans_flowtable_update(trans)) { 8387 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list) 8388 hook->inactive = false; 8389 } else { 8390 trans->ctx.table->use++; 8391 nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); 8392 } 8393 nft_trans_destroy(trans); 8394 break; 8395 } 8396 } 8397 8398 synchronize_rcu(); 8399 8400 list_for_each_entry_safe_reverse(trans, next, 8401 &net->nft.commit_list, list) { 8402 list_del(&trans->list); 8403 nf_tables_abort_release(trans); 8404 } 8405 8406 if (action == NFNL_ABORT_AUTOLOAD) 8407 nf_tables_module_autoload(net); 8408 else 8409 nf_tables_module_autoload_cleanup(net); 8410 8411 return 0; 8412 } 8413 8414 static void nf_tables_cleanup(struct net *net) 8415 { 8416 nft_validate_state_update(net, NFT_VALIDATE_SKIP); 8417 } 8418 8419 static int nf_tables_abort(struct net *net, struct sk_buff *skb, 8420 enum nfnl_abort_action action) 8421 { 8422 int ret = __nf_tables_abort(net, action); 8423 8424 mutex_unlock(&net->nft.commit_mutex); 8425 8426 return ret; 8427 } 8428 8429 static bool nf_tables_valid_genid(struct net *net, u32 genid) 8430 { 8431 bool genid_ok; 8432 8433 mutex_lock(&net->nft.commit_mutex); 8434 8435 genid_ok = genid == 0 || net->nft.base_seq == genid; 8436 if (!genid_ok) 8437 mutex_unlock(&net->nft.commit_mutex); 8438 8439 /* else, commit mutex has to be released by commit or abort function */ 8440 return genid_ok; 8441 } 8442 8443 static const struct nfnetlink_subsystem nf_tables_subsys = { 8444 .name = "nf_tables", 8445 .subsys_id = NFNL_SUBSYS_NFTABLES, 8446 .cb_count = NFT_MSG_MAX, 8447 .cb = nf_tables_cb, 8448 .commit = nf_tables_commit, 8449 .abort = nf_tables_abort, 8450 .cleanup = nf_tables_cleanup, 8451 .valid_genid = nf_tables_valid_genid, 8452 .owner = THIS_MODULE, 8453 }; 8454 8455 int nft_chain_validate_dependency(const struct nft_chain *chain, 8456 enum nft_chain_types type) 8457 { 8458 const struct nft_base_chain *basechain; 8459 8460 if (nft_is_base_chain(chain)) { 8461 basechain = nft_base_chain(chain); 8462 if (basechain->type->type != type) 8463 return -EOPNOTSUPP; 8464 } 8465 return 0; 8466 } 8467 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 8468 8469 int nft_chain_validate_hooks(const struct nft_chain *chain, 8470 unsigned int hook_flags) 8471 { 8472 struct nft_base_chain *basechain; 8473 8474 if (nft_is_base_chain(chain)) { 8475 basechain = nft_base_chain(chain); 8476 8477 if ((1 << basechain->ops.hooknum) & hook_flags) 8478 return 0; 8479 8480 return -EOPNOTSUPP; 8481 } 8482 8483 return 0; 8484 } 8485 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 8486 8487 /* 8488 * Loop detection - walk through the ruleset beginning at the destination chain 8489 * of a new jump until either the source chain is reached (loop) or all 8490 * reachable chains have been traversed. 8491 * 8492 * The loop check is performed whenever a new jump verdict is added to an 8493 * expression or verdict map or a verdict map is bound to a new chain. 8494 */ 8495 8496 static int nf_tables_check_loops(const struct nft_ctx *ctx, 8497 const struct nft_chain *chain); 8498 8499 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, 8500 struct nft_set *set, 8501 const struct nft_set_iter *iter, 8502 struct nft_set_elem *elem) 8503 { 8504 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 8505 const struct nft_data *data; 8506 8507 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 8508 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 8509 return 0; 8510 8511 data = nft_set_ext_data(ext); 8512 switch (data->verdict.code) { 8513 case NFT_JUMP: 8514 case NFT_GOTO: 8515 return nf_tables_check_loops(ctx, data->verdict.chain); 8516 default: 8517 return 0; 8518 } 8519 } 8520 8521 static int nf_tables_check_loops(const struct nft_ctx *ctx, 8522 const struct nft_chain *chain) 8523 { 8524 const struct nft_rule *rule; 8525 const struct nft_expr *expr, *last; 8526 struct nft_set *set; 8527 struct nft_set_binding *binding; 8528 struct nft_set_iter iter; 8529 8530 if (ctx->chain == chain) 8531 return -ELOOP; 8532 8533 list_for_each_entry(rule, &chain->rules, list) { 8534 nft_rule_for_each_expr(expr, last, rule) { 8535 struct nft_immediate_expr *priv; 8536 const struct nft_data *data; 8537 int err; 8538 8539 if (strcmp(expr->ops->type->name, "immediate")) 8540 continue; 8541 8542 priv = nft_expr_priv(expr); 8543 if (priv->dreg != NFT_REG_VERDICT) 8544 continue; 8545 8546 data = &priv->data; 8547 switch (data->verdict.code) { 8548 case NFT_JUMP: 8549 case NFT_GOTO: 8550 err = nf_tables_check_loops(ctx, 8551 data->verdict.chain); 8552 if (err < 0) 8553 return err; 8554 default: 8555 break; 8556 } 8557 } 8558 } 8559 8560 list_for_each_entry(set, &ctx->table->sets, list) { 8561 if (!nft_is_active_next(ctx->net, set)) 8562 continue; 8563 if (!(set->flags & NFT_SET_MAP) || 8564 set->dtype != NFT_DATA_VERDICT) 8565 continue; 8566 8567 list_for_each_entry(binding, &set->bindings, list) { 8568 if (!(binding->flags & NFT_SET_MAP) || 8569 binding->chain != chain) 8570 continue; 8571 8572 iter.genmask = nft_genmask_next(ctx->net); 8573 iter.skip = 0; 8574 iter.count = 0; 8575 iter.err = 0; 8576 iter.fn = nf_tables_loop_check_setelem; 8577 8578 set->ops->walk(ctx, set, &iter); 8579 if (iter.err < 0) 8580 return iter.err; 8581 } 8582 } 8583 8584 return 0; 8585 } 8586 8587 /** 8588 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 8589 * 8590 * @attr: netlink attribute to fetch value from 8591 * @max: maximum value to be stored in dest 8592 * @dest: pointer to the variable 8593 * 8594 * Parse, check and store a given u32 netlink attribute into variable. 8595 * This function returns -ERANGE if the value goes over maximum value. 8596 * Otherwise a 0 is returned and the attribute value is stored in the 8597 * destination variable. 8598 */ 8599 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 8600 { 8601 u32 val; 8602 8603 val = ntohl(nla_get_be32(attr)); 8604 if (val > max) 8605 return -ERANGE; 8606 8607 *dest = val; 8608 return 0; 8609 } 8610 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 8611 8612 /** 8613 * nft_parse_register - parse a register value from a netlink attribute 8614 * 8615 * @attr: netlink attribute 8616 * 8617 * Parse and translate a register value from a netlink attribute. 8618 * Registers used to be 128 bit wide, these register numbers will be 8619 * mapped to the corresponding 32 bit register numbers. 8620 */ 8621 static unsigned int nft_parse_register(const struct nlattr *attr) 8622 { 8623 unsigned int reg; 8624 8625 reg = ntohl(nla_get_be32(attr)); 8626 switch (reg) { 8627 case NFT_REG_VERDICT...NFT_REG_4: 8628 return reg * NFT_REG_SIZE / NFT_REG32_SIZE; 8629 default: 8630 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 8631 } 8632 } 8633 8634 /** 8635 * nft_dump_register - dump a register value to a netlink attribute 8636 * 8637 * @skb: socket buffer 8638 * @attr: attribute number 8639 * @reg: register number 8640 * 8641 * Construct a netlink attribute containing the register number. For 8642 * compatibility reasons, register numbers being a multiple of 4 are 8643 * translated to the corresponding 128 bit register numbers. 8644 */ 8645 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 8646 { 8647 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 8648 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 8649 else 8650 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 8651 8652 return nla_put_be32(skb, attr, htonl(reg)); 8653 } 8654 EXPORT_SYMBOL_GPL(nft_dump_register); 8655 8656 /** 8657 * nft_validate_register_load - validate a load from a register 8658 * 8659 * @reg: the register number 8660 * @len: the length of the data 8661 * 8662 * Validate that the input register is one of the general purpose 8663 * registers and that the length of the load is within the bounds. 8664 */ 8665 static int nft_validate_register_load(enum nft_registers reg, unsigned int len) 8666 { 8667 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 8668 return -EINVAL; 8669 if (len == 0) 8670 return -EINVAL; 8671 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 8672 return -ERANGE; 8673 8674 return 0; 8675 } 8676 8677 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len) 8678 { 8679 u32 reg; 8680 int err; 8681 8682 reg = nft_parse_register(attr); 8683 err = nft_validate_register_load(reg, len); 8684 if (err < 0) 8685 return err; 8686 8687 *sreg = reg; 8688 return 0; 8689 } 8690 EXPORT_SYMBOL_GPL(nft_parse_register_load); 8691 8692 /** 8693 * nft_validate_register_store - validate an expressions' register store 8694 * 8695 * @ctx: context of the expression performing the load 8696 * @reg: the destination register number 8697 * @data: the data to load 8698 * @type: the data type 8699 * @len: the length of the data 8700 * 8701 * Validate that a data load uses the appropriate data type for 8702 * the destination register and the length is within the bounds. 8703 * A value of NULL for the data means that its runtime gathered 8704 * data. 8705 */ 8706 static int nft_validate_register_store(const struct nft_ctx *ctx, 8707 enum nft_registers reg, 8708 const struct nft_data *data, 8709 enum nft_data_types type, 8710 unsigned int len) 8711 { 8712 int err; 8713 8714 switch (reg) { 8715 case NFT_REG_VERDICT: 8716 if (type != NFT_DATA_VERDICT) 8717 return -EINVAL; 8718 8719 if (data != NULL && 8720 (data->verdict.code == NFT_GOTO || 8721 data->verdict.code == NFT_JUMP)) { 8722 err = nf_tables_check_loops(ctx, data->verdict.chain); 8723 if (err < 0) 8724 return err; 8725 } 8726 8727 return 0; 8728 default: 8729 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 8730 return -EINVAL; 8731 if (len == 0) 8732 return -EINVAL; 8733 if (reg * NFT_REG32_SIZE + len > 8734 sizeof_field(struct nft_regs, data)) 8735 return -ERANGE; 8736 8737 if (data != NULL && type != NFT_DATA_VALUE) 8738 return -EINVAL; 8739 return 0; 8740 } 8741 } 8742 8743 int nft_parse_register_store(const struct nft_ctx *ctx, 8744 const struct nlattr *attr, u8 *dreg, 8745 const struct nft_data *data, 8746 enum nft_data_types type, unsigned int len) 8747 { 8748 int err; 8749 u32 reg; 8750 8751 reg = nft_parse_register(attr); 8752 err = nft_validate_register_store(ctx, reg, data, type, len); 8753 if (err < 0) 8754 return err; 8755 8756 *dreg = reg; 8757 return 0; 8758 } 8759 EXPORT_SYMBOL_GPL(nft_parse_register_store); 8760 8761 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 8762 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 8763 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 8764 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 8765 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 }, 8766 }; 8767 8768 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 8769 struct nft_data_desc *desc, const struct nlattr *nla) 8770 { 8771 u8 genmask = nft_genmask_next(ctx->net); 8772 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 8773 struct nft_chain *chain; 8774 int err; 8775 8776 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 8777 nft_verdict_policy, NULL); 8778 if (err < 0) 8779 return err; 8780 8781 if (!tb[NFTA_VERDICT_CODE]) 8782 return -EINVAL; 8783 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 8784 8785 switch (data->verdict.code) { 8786 default: 8787 switch (data->verdict.code & NF_VERDICT_MASK) { 8788 case NF_ACCEPT: 8789 case NF_DROP: 8790 case NF_QUEUE: 8791 break; 8792 default: 8793 return -EINVAL; 8794 } 8795 fallthrough; 8796 case NFT_CONTINUE: 8797 case NFT_BREAK: 8798 case NFT_RETURN: 8799 break; 8800 case NFT_JUMP: 8801 case NFT_GOTO: 8802 if (tb[NFTA_VERDICT_CHAIN]) { 8803 chain = nft_chain_lookup(ctx->net, ctx->table, 8804 tb[NFTA_VERDICT_CHAIN], 8805 genmask); 8806 } else if (tb[NFTA_VERDICT_CHAIN_ID]) { 8807 chain = nft_chain_lookup_byid(ctx->net, 8808 tb[NFTA_VERDICT_CHAIN_ID]); 8809 if (IS_ERR(chain)) 8810 return PTR_ERR(chain); 8811 } else { 8812 return -EINVAL; 8813 } 8814 8815 if (IS_ERR(chain)) 8816 return PTR_ERR(chain); 8817 if (nft_is_base_chain(chain)) 8818 return -EOPNOTSUPP; 8819 8820 chain->use++; 8821 data->verdict.chain = chain; 8822 break; 8823 } 8824 8825 desc->len = sizeof(data->verdict); 8826 desc->type = NFT_DATA_VERDICT; 8827 return 0; 8828 } 8829 8830 static void nft_verdict_uninit(const struct nft_data *data) 8831 { 8832 struct nft_chain *chain; 8833 struct nft_rule *rule; 8834 8835 switch (data->verdict.code) { 8836 case NFT_JUMP: 8837 case NFT_GOTO: 8838 chain = data->verdict.chain; 8839 chain->use--; 8840 8841 if (!nft_chain_is_bound(chain)) 8842 break; 8843 8844 chain->table->use--; 8845 list_for_each_entry(rule, &chain->rules, list) 8846 chain->use--; 8847 8848 nft_chain_del(chain); 8849 break; 8850 } 8851 } 8852 8853 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 8854 { 8855 struct nlattr *nest; 8856 8857 nest = nla_nest_start_noflag(skb, type); 8858 if (!nest) 8859 goto nla_put_failure; 8860 8861 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 8862 goto nla_put_failure; 8863 8864 switch (v->code) { 8865 case NFT_JUMP: 8866 case NFT_GOTO: 8867 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 8868 v->chain->name)) 8869 goto nla_put_failure; 8870 } 8871 nla_nest_end(skb, nest); 8872 return 0; 8873 8874 nla_put_failure: 8875 return -1; 8876 } 8877 8878 static int nft_value_init(const struct nft_ctx *ctx, 8879 struct nft_data *data, unsigned int size, 8880 struct nft_data_desc *desc, const struct nlattr *nla) 8881 { 8882 unsigned int len; 8883 8884 len = nla_len(nla); 8885 if (len == 0) 8886 return -EINVAL; 8887 if (len > size) 8888 return -EOVERFLOW; 8889 8890 nla_memcpy(data->data, nla, len); 8891 desc->type = NFT_DATA_VALUE; 8892 desc->len = len; 8893 return 0; 8894 } 8895 8896 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 8897 unsigned int len) 8898 { 8899 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 8900 } 8901 8902 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 8903 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 8904 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 8905 }; 8906 8907 /** 8908 * nft_data_init - parse nf_tables data netlink attributes 8909 * 8910 * @ctx: context of the expression using the data 8911 * @data: destination struct nft_data 8912 * @size: maximum data length 8913 * @desc: data description 8914 * @nla: netlink attribute containing data 8915 * 8916 * Parse the netlink data attributes and initialize a struct nft_data. 8917 * The type and length of data are returned in the data description. 8918 * 8919 * The caller can indicate that it only wants to accept data of type 8920 * NFT_DATA_VALUE by passing NULL for the ctx argument. 8921 */ 8922 int nft_data_init(const struct nft_ctx *ctx, 8923 struct nft_data *data, unsigned int size, 8924 struct nft_data_desc *desc, const struct nlattr *nla) 8925 { 8926 struct nlattr *tb[NFTA_DATA_MAX + 1]; 8927 int err; 8928 8929 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 8930 nft_data_policy, NULL); 8931 if (err < 0) 8932 return err; 8933 8934 if (tb[NFTA_DATA_VALUE]) 8935 return nft_value_init(ctx, data, size, desc, 8936 tb[NFTA_DATA_VALUE]); 8937 if (tb[NFTA_DATA_VERDICT] && ctx != NULL) 8938 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 8939 return -EINVAL; 8940 } 8941 EXPORT_SYMBOL_GPL(nft_data_init); 8942 8943 /** 8944 * nft_data_release - release a nft_data item 8945 * 8946 * @data: struct nft_data to release 8947 * @type: type of data 8948 * 8949 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 8950 * all others need to be released by calling this function. 8951 */ 8952 void nft_data_release(const struct nft_data *data, enum nft_data_types type) 8953 { 8954 if (type < NFT_DATA_VERDICT) 8955 return; 8956 switch (type) { 8957 case NFT_DATA_VERDICT: 8958 return nft_verdict_uninit(data); 8959 default: 8960 WARN_ON(1); 8961 } 8962 } 8963 EXPORT_SYMBOL_GPL(nft_data_release); 8964 8965 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 8966 enum nft_data_types type, unsigned int len) 8967 { 8968 struct nlattr *nest; 8969 int err; 8970 8971 nest = nla_nest_start_noflag(skb, attr); 8972 if (nest == NULL) 8973 return -1; 8974 8975 switch (type) { 8976 case NFT_DATA_VALUE: 8977 err = nft_value_dump(skb, data, len); 8978 break; 8979 case NFT_DATA_VERDICT: 8980 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 8981 break; 8982 default: 8983 err = -EINVAL; 8984 WARN_ON(1); 8985 } 8986 8987 nla_nest_end(skb, nest); 8988 return err; 8989 } 8990 EXPORT_SYMBOL_GPL(nft_data_dump); 8991 8992 int __nft_release_basechain(struct nft_ctx *ctx) 8993 { 8994 struct nft_rule *rule, *nr; 8995 8996 if (WARN_ON(!nft_is_base_chain(ctx->chain))) 8997 return 0; 8998 8999 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); 9000 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { 9001 list_del(&rule->list); 9002 ctx->chain->use--; 9003 nf_tables_rule_release(ctx, rule); 9004 } 9005 nft_chain_del(ctx->chain); 9006 ctx->table->use--; 9007 nf_tables_chain_destroy(ctx); 9008 9009 return 0; 9010 } 9011 EXPORT_SYMBOL_GPL(__nft_release_basechain); 9012 9013 static void __nft_release_hook(struct net *net, struct nft_table *table) 9014 { 9015 struct nft_chain *chain; 9016 9017 list_for_each_entry(chain, &table->chains, list) 9018 nf_tables_unregister_hook(net, table, chain); 9019 } 9020 9021 static void __nft_release_hooks(struct net *net) 9022 { 9023 struct nft_table *table; 9024 9025 list_for_each_entry(table, &net->nft.tables, list) 9026 __nft_release_hook(net, table); 9027 } 9028 9029 static void __nft_release_table(struct net *net, struct nft_table *table) 9030 { 9031 struct nft_flowtable *flowtable, *nf; 9032 struct nft_chain *chain, *nc; 9033 struct nft_object *obj, *ne; 9034 struct nft_rule *rule, *nr; 9035 struct nft_set *set, *ns; 9036 struct nft_ctx ctx = { 9037 .net = net, 9038 .family = NFPROTO_NETDEV, 9039 }; 9040 9041 ctx.family = table->family; 9042 ctx.table = table; 9043 list_for_each_entry(chain, &table->chains, list) { 9044 ctx.chain = chain; 9045 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 9046 list_del(&rule->list); 9047 chain->use--; 9048 nf_tables_rule_release(&ctx, rule); 9049 } 9050 } 9051 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 9052 list_del(&flowtable->list); 9053 table->use--; 9054 nf_tables_flowtable_destroy(flowtable); 9055 } 9056 list_for_each_entry_safe(set, ns, &table->sets, list) { 9057 list_del(&set->list); 9058 table->use--; 9059 nft_set_destroy(&ctx, set); 9060 } 9061 list_for_each_entry_safe(obj, ne, &table->objects, list) { 9062 nft_obj_del(obj); 9063 table->use--; 9064 nft_obj_destroy(&ctx, obj); 9065 } 9066 list_for_each_entry_safe(chain, nc, &table->chains, list) { 9067 ctx.chain = chain; 9068 nft_chain_del(chain); 9069 table->use--; 9070 nf_tables_chain_destroy(&ctx); 9071 } 9072 list_del(&table->list); 9073 nf_tables_table_destroy(&ctx); 9074 } 9075 9076 static void __nft_release_tables(struct net *net, u32 nlpid) 9077 { 9078 struct nft_table *table, *nt; 9079 9080 list_for_each_entry_safe(table, nt, &net->nft.tables, list) { 9081 if (nft_table_has_owner(table) && 9082 nlpid != table->nlpid) 9083 continue; 9084 9085 __nft_release_table(net, table); 9086 } 9087 } 9088 9089 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, 9090 void *ptr) 9091 { 9092 struct netlink_notify *n = ptr; 9093 struct nft_table *table, *nt; 9094 struct net *net = n->net; 9095 bool release = false; 9096 9097 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER) 9098 return NOTIFY_DONE; 9099 9100 mutex_lock(&net->nft.commit_mutex); 9101 list_for_each_entry(table, &net->nft.tables, list) { 9102 if (nft_table_has_owner(table) && 9103 n->portid == table->nlpid) { 9104 __nft_release_hook(net, table); 9105 release = true; 9106 } 9107 } 9108 if (release) { 9109 synchronize_rcu(); 9110 list_for_each_entry_safe(table, nt, &net->nft.tables, list) { 9111 if (nft_table_has_owner(table) && 9112 n->portid == table->nlpid) 9113 __nft_release_table(net, table); 9114 } 9115 } 9116 mutex_unlock(&net->nft.commit_mutex); 9117 9118 return NOTIFY_DONE; 9119 } 9120 9121 static struct notifier_block nft_nl_notifier = { 9122 .notifier_call = nft_rcv_nl_event, 9123 }; 9124 9125 static int __net_init nf_tables_init_net(struct net *net) 9126 { 9127 INIT_LIST_HEAD(&net->nft.tables); 9128 INIT_LIST_HEAD(&net->nft.commit_list); 9129 INIT_LIST_HEAD(&net->nft.module_list); 9130 INIT_LIST_HEAD(&net->nft.notify_list); 9131 mutex_init(&net->nft.commit_mutex); 9132 net->nft.base_seq = 1; 9133 net->nft.validate_state = NFT_VALIDATE_SKIP; 9134 9135 return 0; 9136 } 9137 9138 static void __net_exit nf_tables_pre_exit_net(struct net *net) 9139 { 9140 __nft_release_hooks(net); 9141 } 9142 9143 static void __net_exit nf_tables_exit_net(struct net *net) 9144 { 9145 mutex_lock(&net->nft.commit_mutex); 9146 if (!list_empty(&net->nft.commit_list)) 9147 __nf_tables_abort(net, NFNL_ABORT_NONE); 9148 __nft_release_tables(net, 0); 9149 mutex_unlock(&net->nft.commit_mutex); 9150 WARN_ON_ONCE(!list_empty(&net->nft.tables)); 9151 WARN_ON_ONCE(!list_empty(&net->nft.module_list)); 9152 WARN_ON_ONCE(!list_empty(&net->nft.notify_list)); 9153 } 9154 9155 static struct pernet_operations nf_tables_net_ops = { 9156 .init = nf_tables_init_net, 9157 .pre_exit = nf_tables_pre_exit_net, 9158 .exit = nf_tables_exit_net, 9159 }; 9160 9161 static int __init nf_tables_module_init(void) 9162 { 9163 int err; 9164 9165 spin_lock_init(&nf_tables_destroy_list_lock); 9166 err = register_pernet_subsys(&nf_tables_net_ops); 9167 if (err < 0) 9168 return err; 9169 9170 err = nft_chain_filter_init(); 9171 if (err < 0) 9172 goto err_chain_filter; 9173 9174 err = nf_tables_core_module_init(); 9175 if (err < 0) 9176 goto err_core_module; 9177 9178 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 9179 if (err < 0) 9180 goto err_netdev_notifier; 9181 9182 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 9183 if (err < 0) 9184 goto err_rht_objname; 9185 9186 err = nft_offload_init(); 9187 if (err < 0) 9188 goto err_offload; 9189 9190 err = netlink_register_notifier(&nft_nl_notifier); 9191 if (err < 0) 9192 goto err_netlink_notifier; 9193 9194 /* must be last */ 9195 err = nfnetlink_subsys_register(&nf_tables_subsys); 9196 if (err < 0) 9197 goto err_nfnl_subsys; 9198 9199 nft_chain_route_init(); 9200 9201 return err; 9202 9203 err_nfnl_subsys: 9204 netlink_unregister_notifier(&nft_nl_notifier); 9205 err_netlink_notifier: 9206 nft_offload_exit(); 9207 err_offload: 9208 rhltable_destroy(&nft_objname_ht); 9209 err_rht_objname: 9210 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 9211 err_netdev_notifier: 9212 nf_tables_core_module_exit(); 9213 err_core_module: 9214 nft_chain_filter_fini(); 9215 err_chain_filter: 9216 unregister_pernet_subsys(&nf_tables_net_ops); 9217 return err; 9218 } 9219 9220 static void __exit nf_tables_module_exit(void) 9221 { 9222 nfnetlink_subsys_unregister(&nf_tables_subsys); 9223 netlink_unregister_notifier(&nft_nl_notifier); 9224 nft_offload_exit(); 9225 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 9226 nft_chain_filter_fini(); 9227 nft_chain_route_fini(); 9228 unregister_pernet_subsys(&nf_tables_net_ops); 9229 cancel_work_sync(&trans_destroy_work); 9230 rcu_barrier(); 9231 rhltable_destroy(&nft_objname_ht); 9232 nf_tables_core_module_exit(); 9233 } 9234 9235 module_init(nf_tables_module_init); 9236 module_exit(nf_tables_module_exit); 9237 9238 MODULE_LICENSE("GPL"); 9239 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 9240 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 9241