1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/skbuff.h> 12 #include <linux/netlink.h> 13 #include <linux/vmalloc.h> 14 #include <linux/rhashtable.h> 15 #include <linux/audit.h> 16 #include <linux/netfilter.h> 17 #include <linux/netfilter/nfnetlink.h> 18 #include <linux/netfilter/nf_tables.h> 19 #include <net/netfilter/nf_flow_table.h> 20 #include <net/netfilter/nf_tables_core.h> 21 #include <net/netfilter/nf_tables.h> 22 #include <net/netfilter/nf_tables_offload.h> 23 #include <net/net_namespace.h> 24 #include <net/sock.h> 25 26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 27 28 static LIST_HEAD(nf_tables_expressions); 29 static LIST_HEAD(nf_tables_objects); 30 static LIST_HEAD(nf_tables_flowtables); 31 static LIST_HEAD(nf_tables_destroy_list); 32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 33 static u64 table_handle; 34 35 enum { 36 NFT_VALIDATE_SKIP = 0, 37 NFT_VALIDATE_NEED, 38 NFT_VALIDATE_DO, 39 }; 40 41 static struct rhltable nft_objname_ht; 42 43 static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 44 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 46 47 static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 48 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 50 51 static const struct rhashtable_params nft_chain_ht_params = { 52 .head_offset = offsetof(struct nft_chain, rhlhead), 53 .key_offset = offsetof(struct nft_chain, name), 54 .hashfn = nft_chain_hash, 55 .obj_hashfn = nft_chain_hash_obj, 56 .obj_cmpfn = nft_chain_hash_cmp, 57 .automatic_shrinking = true, 58 }; 59 60 static const struct rhashtable_params nft_objname_ht_params = { 61 .head_offset = offsetof(struct nft_object, rhlhead), 62 .key_offset = offsetof(struct nft_object, key), 63 .hashfn = nft_objname_hash, 64 .obj_hashfn = nft_objname_hash_obj, 65 .obj_cmpfn = nft_objname_hash_cmp, 66 .automatic_shrinking = true, 67 }; 68 69 static void nft_validate_state_update(struct net *net, u8 new_validate_state) 70 { 71 switch (net->nft.validate_state) { 72 case NFT_VALIDATE_SKIP: 73 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 74 break; 75 case NFT_VALIDATE_NEED: 76 break; 77 case NFT_VALIDATE_DO: 78 if (new_validate_state == NFT_VALIDATE_NEED) 79 return; 80 } 81 82 net->nft.validate_state = new_validate_state; 83 } 84 static void nf_tables_trans_destroy_work(struct work_struct *w); 85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); 86 87 static void nft_ctx_init(struct nft_ctx *ctx, 88 struct net *net, 89 const struct sk_buff *skb, 90 const struct nlmsghdr *nlh, 91 u8 family, 92 struct nft_table *table, 93 struct nft_chain *chain, 94 const struct nlattr * const *nla) 95 { 96 ctx->net = net; 97 ctx->family = family; 98 ctx->level = 0; 99 ctx->table = table; 100 ctx->chain = chain; 101 ctx->nla = nla; 102 ctx->portid = NETLINK_CB(skb).portid; 103 ctx->report = nlmsg_report(nlh); 104 ctx->flags = nlh->nlmsg_flags; 105 ctx->seq = nlh->nlmsg_seq; 106 } 107 108 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 109 int msg_type, u32 size, gfp_t gfp) 110 { 111 struct nft_trans *trans; 112 113 trans = kzalloc(sizeof(struct nft_trans) + size, gfp); 114 if (trans == NULL) 115 return NULL; 116 117 trans->msg_type = msg_type; 118 trans->ctx = *ctx; 119 120 return trans; 121 } 122 123 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 124 int msg_type, u32 size) 125 { 126 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 127 } 128 129 static void nft_trans_destroy(struct nft_trans *trans) 130 { 131 list_del(&trans->list); 132 kfree(trans); 133 } 134 135 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 136 { 137 struct net *net = ctx->net; 138 struct nft_trans *trans; 139 140 if (!nft_set_is_anonymous(set)) 141 return; 142 143 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { 144 switch (trans->msg_type) { 145 case NFT_MSG_NEWSET: 146 if (nft_trans_set(trans) == set) 147 nft_trans_set_bound(trans) = true; 148 break; 149 case NFT_MSG_NEWSETELEM: 150 if (nft_trans_elem_set(trans) == set) 151 nft_trans_elem_set_bound(trans) = true; 152 break; 153 } 154 } 155 } 156 157 static int nft_netdev_register_hooks(struct net *net, 158 struct list_head *hook_list) 159 { 160 struct nft_hook *hook; 161 int err, j; 162 163 j = 0; 164 list_for_each_entry(hook, hook_list, list) { 165 err = nf_register_net_hook(net, &hook->ops); 166 if (err < 0) 167 goto err_register; 168 169 j++; 170 } 171 return 0; 172 173 err_register: 174 list_for_each_entry(hook, hook_list, list) { 175 if (j-- <= 0) 176 break; 177 178 nf_unregister_net_hook(net, &hook->ops); 179 } 180 return err; 181 } 182 183 static void nft_netdev_unregister_hooks(struct net *net, 184 struct list_head *hook_list) 185 { 186 struct nft_hook *hook; 187 188 list_for_each_entry(hook, hook_list, list) 189 nf_unregister_net_hook(net, &hook->ops); 190 } 191 192 static int nf_tables_register_hook(struct net *net, 193 const struct nft_table *table, 194 struct nft_chain *chain) 195 { 196 struct nft_base_chain *basechain; 197 const struct nf_hook_ops *ops; 198 199 if (table->flags & NFT_TABLE_F_DORMANT || 200 !nft_is_base_chain(chain)) 201 return 0; 202 203 basechain = nft_base_chain(chain); 204 ops = &basechain->ops; 205 206 if (basechain->type->ops_register) 207 return basechain->type->ops_register(net, ops); 208 209 if (table->family == NFPROTO_NETDEV) 210 return nft_netdev_register_hooks(net, &basechain->hook_list); 211 212 return nf_register_net_hook(net, &basechain->ops); 213 } 214 215 static void nf_tables_unregister_hook(struct net *net, 216 const struct nft_table *table, 217 struct nft_chain *chain) 218 { 219 struct nft_base_chain *basechain; 220 const struct nf_hook_ops *ops; 221 222 if (table->flags & NFT_TABLE_F_DORMANT || 223 !nft_is_base_chain(chain)) 224 return; 225 basechain = nft_base_chain(chain); 226 ops = &basechain->ops; 227 228 if (basechain->type->ops_unregister) 229 return basechain->type->ops_unregister(net, ops); 230 231 if (table->family == NFPROTO_NETDEV) 232 nft_netdev_unregister_hooks(net, &basechain->hook_list); 233 else 234 nf_unregister_net_hook(net, &basechain->ops); 235 } 236 237 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 238 { 239 struct nft_trans *trans; 240 241 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 242 if (trans == NULL) 243 return -ENOMEM; 244 245 if (msg_type == NFT_MSG_NEWTABLE) 246 nft_activate_next(ctx->net, ctx->table); 247 248 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 249 return 0; 250 } 251 252 static int nft_deltable(struct nft_ctx *ctx) 253 { 254 int err; 255 256 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 257 if (err < 0) 258 return err; 259 260 nft_deactivate_next(ctx->net, ctx->table); 261 return err; 262 } 263 264 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 265 { 266 struct nft_trans *trans; 267 268 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 269 if (trans == NULL) 270 return ERR_PTR(-ENOMEM); 271 272 if (msg_type == NFT_MSG_NEWCHAIN) { 273 nft_activate_next(ctx->net, ctx->chain); 274 275 if (ctx->nla[NFTA_CHAIN_ID]) { 276 nft_trans_chain_id(trans) = 277 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); 278 } 279 } 280 281 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 282 return trans; 283 } 284 285 static int nft_delchain(struct nft_ctx *ctx) 286 { 287 struct nft_trans *trans; 288 289 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 290 if (IS_ERR(trans)) 291 return PTR_ERR(trans); 292 293 ctx->table->use--; 294 nft_deactivate_next(ctx->net, ctx->chain); 295 296 return 0; 297 } 298 299 static void nft_rule_expr_activate(const struct nft_ctx *ctx, 300 struct nft_rule *rule) 301 { 302 struct nft_expr *expr; 303 304 expr = nft_expr_first(rule); 305 while (expr != nft_expr_last(rule) && expr->ops) { 306 if (expr->ops->activate) 307 expr->ops->activate(ctx, expr); 308 309 expr = nft_expr_next(expr); 310 } 311 } 312 313 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, 314 struct nft_rule *rule, 315 enum nft_trans_phase phase) 316 { 317 struct nft_expr *expr; 318 319 expr = nft_expr_first(rule); 320 while (expr != nft_expr_last(rule) && expr->ops) { 321 if (expr->ops->deactivate) 322 expr->ops->deactivate(ctx, expr, phase); 323 324 expr = nft_expr_next(expr); 325 } 326 } 327 328 static int 329 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 330 { 331 /* You cannot delete the same rule twice */ 332 if (nft_is_active_next(ctx->net, rule)) { 333 nft_deactivate_next(ctx->net, rule); 334 ctx->chain->use--; 335 return 0; 336 } 337 return -ENOENT; 338 } 339 340 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 341 struct nft_rule *rule) 342 { 343 struct nft_trans *trans; 344 345 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 346 if (trans == NULL) 347 return NULL; 348 349 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 350 nft_trans_rule_id(trans) = 351 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 352 } 353 nft_trans_rule(trans) = rule; 354 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 355 356 return trans; 357 } 358 359 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 360 { 361 struct nft_flow_rule *flow; 362 struct nft_trans *trans; 363 int err; 364 365 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 366 if (trans == NULL) 367 return -ENOMEM; 368 369 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 370 flow = nft_flow_rule_create(ctx->net, rule); 371 if (IS_ERR(flow)) { 372 nft_trans_destroy(trans); 373 return PTR_ERR(flow); 374 } 375 376 nft_trans_flow_rule(trans) = flow; 377 } 378 379 err = nf_tables_delrule_deactivate(ctx, rule); 380 if (err < 0) { 381 nft_trans_destroy(trans); 382 return err; 383 } 384 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 385 386 return 0; 387 } 388 389 static int nft_delrule_by_chain(struct nft_ctx *ctx) 390 { 391 struct nft_rule *rule; 392 int err; 393 394 list_for_each_entry(rule, &ctx->chain->rules, list) { 395 if (!nft_is_active_next(ctx->net, rule)) 396 continue; 397 398 err = nft_delrule(ctx, rule); 399 if (err < 0) 400 return err; 401 } 402 return 0; 403 } 404 405 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 406 struct nft_set *set) 407 { 408 struct nft_trans *trans; 409 410 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 411 if (trans == NULL) 412 return -ENOMEM; 413 414 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) { 415 nft_trans_set_id(trans) = 416 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 417 nft_activate_next(ctx->net, set); 418 } 419 nft_trans_set(trans) = set; 420 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 421 422 return 0; 423 } 424 425 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 426 { 427 int err; 428 429 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 430 if (err < 0) 431 return err; 432 433 nft_deactivate_next(ctx->net, set); 434 ctx->table->use--; 435 436 return err; 437 } 438 439 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 440 struct nft_object *obj) 441 { 442 struct nft_trans *trans; 443 444 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 445 if (trans == NULL) 446 return -ENOMEM; 447 448 if (msg_type == NFT_MSG_NEWOBJ) 449 nft_activate_next(ctx->net, obj); 450 451 nft_trans_obj(trans) = obj; 452 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 453 454 return 0; 455 } 456 457 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 458 { 459 int err; 460 461 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 462 if (err < 0) 463 return err; 464 465 nft_deactivate_next(ctx->net, obj); 466 ctx->table->use--; 467 468 return err; 469 } 470 471 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 472 struct nft_flowtable *flowtable) 473 { 474 struct nft_trans *trans; 475 476 trans = nft_trans_alloc(ctx, msg_type, 477 sizeof(struct nft_trans_flowtable)); 478 if (trans == NULL) 479 return -ENOMEM; 480 481 if (msg_type == NFT_MSG_NEWFLOWTABLE) 482 nft_activate_next(ctx->net, flowtable); 483 484 nft_trans_flowtable(trans) = flowtable; 485 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 486 487 return 0; 488 } 489 490 static int nft_delflowtable(struct nft_ctx *ctx, 491 struct nft_flowtable *flowtable) 492 { 493 int err; 494 495 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 496 if (err < 0) 497 return err; 498 499 nft_deactivate_next(ctx->net, flowtable); 500 ctx->table->use--; 501 502 return err; 503 } 504 505 /* 506 * Tables 507 */ 508 509 static struct nft_table *nft_table_lookup(const struct net *net, 510 const struct nlattr *nla, 511 u8 family, u8 genmask) 512 { 513 struct nft_table *table; 514 515 if (nla == NULL) 516 return ERR_PTR(-EINVAL); 517 518 list_for_each_entry_rcu(table, &net->nft.tables, list, 519 lockdep_is_held(&net->nft.commit_mutex)) { 520 if (!nla_strcmp(nla, table->name) && 521 table->family == family && 522 nft_active_genmask(table, genmask)) 523 return table; 524 } 525 526 return ERR_PTR(-ENOENT); 527 } 528 529 static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 530 const struct nlattr *nla, 531 u8 genmask) 532 { 533 struct nft_table *table; 534 535 list_for_each_entry(table, &net->nft.tables, list) { 536 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 537 nft_active_genmask(table, genmask)) 538 return table; 539 } 540 541 return ERR_PTR(-ENOENT); 542 } 543 544 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 545 { 546 return ++table->hgenerator; 547 } 548 549 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 550 551 static const struct nft_chain_type * 552 __nft_chain_type_get(u8 family, enum nft_chain_types type) 553 { 554 if (family >= NFPROTO_NUMPROTO || 555 type >= NFT_CHAIN_T_MAX) 556 return NULL; 557 558 return chain_type[family][type]; 559 } 560 561 static const struct nft_chain_type * 562 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 563 { 564 const struct nft_chain_type *type; 565 int i; 566 567 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 568 type = __nft_chain_type_get(family, i); 569 if (!type) 570 continue; 571 if (!nla_strcmp(nla, type->name)) 572 return type; 573 } 574 return NULL; 575 } 576 577 struct nft_module_request { 578 struct list_head list; 579 char module[MODULE_NAME_LEN]; 580 bool done; 581 }; 582 583 #ifdef CONFIG_MODULES 584 static int nft_request_module(struct net *net, const char *fmt, ...) 585 { 586 char module_name[MODULE_NAME_LEN]; 587 struct nft_module_request *req; 588 va_list args; 589 int ret; 590 591 va_start(args, fmt); 592 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 593 va_end(args); 594 if (ret >= MODULE_NAME_LEN) 595 return 0; 596 597 list_for_each_entry(req, &net->nft.module_list, list) { 598 if (!strcmp(req->module, module_name)) { 599 if (req->done) 600 return 0; 601 602 /* A request to load this module already exists. */ 603 return -EAGAIN; 604 } 605 } 606 607 req = kmalloc(sizeof(*req), GFP_KERNEL); 608 if (!req) 609 return -ENOMEM; 610 611 req->done = false; 612 strlcpy(req->module, module_name, MODULE_NAME_LEN); 613 list_add_tail(&req->list, &net->nft.module_list); 614 615 return -EAGAIN; 616 } 617 #endif 618 619 static void lockdep_nfnl_nft_mutex_not_held(void) 620 { 621 #ifdef CONFIG_PROVE_LOCKING 622 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 623 #endif 624 } 625 626 static const struct nft_chain_type * 627 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 628 u8 family, bool autoload) 629 { 630 const struct nft_chain_type *type; 631 632 type = __nf_tables_chain_type_lookup(nla, family); 633 if (type != NULL) 634 return type; 635 636 lockdep_nfnl_nft_mutex_not_held(); 637 #ifdef CONFIG_MODULES 638 if (autoload) { 639 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 640 nla_len(nla), 641 (const char *)nla_data(nla)) == -EAGAIN) 642 return ERR_PTR(-EAGAIN); 643 } 644 #endif 645 return ERR_PTR(-ENOENT); 646 } 647 648 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 649 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 650 .len = NFT_TABLE_MAXNAMELEN - 1 }, 651 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 652 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 653 }; 654 655 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 656 u32 portid, u32 seq, int event, u32 flags, 657 int family, const struct nft_table *table) 658 { 659 struct nlmsghdr *nlh; 660 struct nfgenmsg *nfmsg; 661 662 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 663 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 664 if (nlh == NULL) 665 goto nla_put_failure; 666 667 nfmsg = nlmsg_data(nlh); 668 nfmsg->nfgen_family = family; 669 nfmsg->version = NFNETLINK_V0; 670 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 671 672 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 673 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) || 674 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 675 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 676 NFTA_TABLE_PAD)) 677 goto nla_put_failure; 678 679 nlmsg_end(skb, nlh); 680 return 0; 681 682 nla_put_failure: 683 nlmsg_trim(skb, nlh); 684 return -1; 685 } 686 687 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 688 { 689 struct sk_buff *skb; 690 int err; 691 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0", 692 ctx->table->name, ctx->table->handle); 693 694 audit_log_nfcfg(buf, 695 ctx->family, 696 ctx->table->use, 697 event == NFT_MSG_NEWTABLE ? 698 AUDIT_NFT_OP_TABLE_REGISTER : 699 AUDIT_NFT_OP_TABLE_UNREGISTER, 700 GFP_KERNEL); 701 kfree(buf); 702 703 if (!ctx->report && 704 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 705 return; 706 707 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 708 if (skb == NULL) 709 goto err; 710 711 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 712 event, 0, ctx->family, ctx->table); 713 if (err < 0) { 714 kfree_skb(skb); 715 goto err; 716 } 717 718 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 719 ctx->report, GFP_KERNEL); 720 return; 721 err: 722 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 723 } 724 725 static int nf_tables_dump_tables(struct sk_buff *skb, 726 struct netlink_callback *cb) 727 { 728 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 729 const struct nft_table *table; 730 unsigned int idx = 0, s_idx = cb->args[0]; 731 struct net *net = sock_net(skb->sk); 732 int family = nfmsg->nfgen_family; 733 734 rcu_read_lock(); 735 cb->seq = net->nft.base_seq; 736 737 list_for_each_entry_rcu(table, &net->nft.tables, list) { 738 if (family != NFPROTO_UNSPEC && family != table->family) 739 continue; 740 741 if (idx < s_idx) 742 goto cont; 743 if (idx > s_idx) 744 memset(&cb->args[1], 0, 745 sizeof(cb->args) - sizeof(cb->args[0])); 746 if (!nft_is_active(net, table)) 747 continue; 748 if (nf_tables_fill_table_info(skb, net, 749 NETLINK_CB(cb->skb).portid, 750 cb->nlh->nlmsg_seq, 751 NFT_MSG_NEWTABLE, NLM_F_MULTI, 752 table->family, table) < 0) 753 goto done; 754 755 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 756 cont: 757 idx++; 758 } 759 done: 760 rcu_read_unlock(); 761 cb->args[0] = idx; 762 return skb->len; 763 } 764 765 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 766 const struct nlmsghdr *nlh, 767 struct netlink_dump_control *c) 768 { 769 int err; 770 771 if (!try_module_get(THIS_MODULE)) 772 return -EINVAL; 773 774 rcu_read_unlock(); 775 err = netlink_dump_start(nlsk, skb, nlh, c); 776 rcu_read_lock(); 777 module_put(THIS_MODULE); 778 779 return err; 780 } 781 782 /* called with rcu_read_lock held */ 783 static int nf_tables_gettable(struct net *net, struct sock *nlsk, 784 struct sk_buff *skb, const struct nlmsghdr *nlh, 785 const struct nlattr * const nla[], 786 struct netlink_ext_ack *extack) 787 { 788 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 789 u8 genmask = nft_genmask_cur(net); 790 const struct nft_table *table; 791 struct sk_buff *skb2; 792 int family = nfmsg->nfgen_family; 793 int err; 794 795 if (nlh->nlmsg_flags & NLM_F_DUMP) { 796 struct netlink_dump_control c = { 797 .dump = nf_tables_dump_tables, 798 .module = THIS_MODULE, 799 }; 800 801 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 802 } 803 804 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask); 805 if (IS_ERR(table)) { 806 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 807 return PTR_ERR(table); 808 } 809 810 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 811 if (!skb2) 812 return -ENOMEM; 813 814 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 815 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0, 816 family, table); 817 if (err < 0) 818 goto err_fill_table_info; 819 820 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 821 822 err_fill_table_info: 823 kfree_skb(skb2); 824 return err; 825 } 826 827 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 828 { 829 struct nft_chain *chain; 830 u32 i = 0; 831 832 list_for_each_entry(chain, &table->chains, list) { 833 if (!nft_is_active_next(net, chain)) 834 continue; 835 if (!nft_is_base_chain(chain)) 836 continue; 837 838 if (cnt && i++ == cnt) 839 break; 840 841 nf_tables_unregister_hook(net, table, chain); 842 } 843 } 844 845 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 846 { 847 struct nft_chain *chain; 848 int err, i = 0; 849 850 list_for_each_entry(chain, &table->chains, list) { 851 if (!nft_is_active_next(net, chain)) 852 continue; 853 if (!nft_is_base_chain(chain)) 854 continue; 855 856 err = nf_tables_register_hook(net, table, chain); 857 if (err < 0) 858 goto err_register_hooks; 859 860 i++; 861 } 862 return 0; 863 864 err_register_hooks: 865 if (i) 866 nft_table_disable(net, table, i); 867 return err; 868 } 869 870 static void nf_tables_table_disable(struct net *net, struct nft_table *table) 871 { 872 nft_table_disable(net, table, 0); 873 } 874 875 static int nf_tables_updtable(struct nft_ctx *ctx) 876 { 877 struct nft_trans *trans; 878 u32 flags; 879 int ret = 0; 880 881 if (!ctx->nla[NFTA_TABLE_FLAGS]) 882 return 0; 883 884 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 885 if (flags & ~NFT_TABLE_F_DORMANT) 886 return -EINVAL; 887 888 if (flags == ctx->table->flags) 889 return 0; 890 891 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 892 sizeof(struct nft_trans_table)); 893 if (trans == NULL) 894 return -ENOMEM; 895 896 if ((flags & NFT_TABLE_F_DORMANT) && 897 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 898 nft_trans_table_enable(trans) = false; 899 } else if (!(flags & NFT_TABLE_F_DORMANT) && 900 ctx->table->flags & NFT_TABLE_F_DORMANT) { 901 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 902 ret = nf_tables_table_enable(ctx->net, ctx->table); 903 if (ret >= 0) 904 nft_trans_table_enable(trans) = true; 905 else 906 ctx->table->flags |= NFT_TABLE_F_DORMANT; 907 } 908 if (ret < 0) 909 goto err; 910 911 nft_trans_table_update(trans) = true; 912 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 913 return 0; 914 err: 915 nft_trans_destroy(trans); 916 return ret; 917 } 918 919 static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 920 { 921 const char *name = data; 922 923 return jhash(name, strlen(name), seed); 924 } 925 926 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 927 { 928 const struct nft_chain *chain = data; 929 930 return nft_chain_hash(chain->name, 0, seed); 931 } 932 933 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 934 const void *ptr) 935 { 936 const struct nft_chain *chain = ptr; 937 const char *name = arg->key; 938 939 return strcmp(chain->name, name); 940 } 941 942 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 943 { 944 const struct nft_object_hash_key *k = data; 945 946 seed ^= hash_ptr(k->table, 32); 947 948 return jhash(k->name, strlen(k->name), seed); 949 } 950 951 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 952 { 953 const struct nft_object *obj = data; 954 955 return nft_objname_hash(&obj->key, 0, seed); 956 } 957 958 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 959 const void *ptr) 960 { 961 const struct nft_object_hash_key *k = arg->key; 962 const struct nft_object *obj = ptr; 963 964 if (obj->key.table != k->table) 965 return -1; 966 967 return strcmp(obj->key.name, k->name); 968 } 969 970 static int nf_tables_newtable(struct net *net, struct sock *nlsk, 971 struct sk_buff *skb, const struct nlmsghdr *nlh, 972 const struct nlattr * const nla[], 973 struct netlink_ext_ack *extack) 974 { 975 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 976 u8 genmask = nft_genmask_next(net); 977 int family = nfmsg->nfgen_family; 978 const struct nlattr *attr; 979 struct nft_table *table; 980 u32 flags = 0; 981 struct nft_ctx ctx; 982 int err; 983 984 lockdep_assert_held(&net->nft.commit_mutex); 985 attr = nla[NFTA_TABLE_NAME]; 986 table = nft_table_lookup(net, attr, family, genmask); 987 if (IS_ERR(table)) { 988 if (PTR_ERR(table) != -ENOENT) 989 return PTR_ERR(table); 990 } else { 991 if (nlh->nlmsg_flags & NLM_F_EXCL) { 992 NL_SET_BAD_ATTR(extack, attr); 993 return -EEXIST; 994 } 995 if (nlh->nlmsg_flags & NLM_F_REPLACE) 996 return -EOPNOTSUPP; 997 998 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 999 return nf_tables_updtable(&ctx); 1000 } 1001 1002 if (nla[NFTA_TABLE_FLAGS]) { 1003 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 1004 if (flags & ~NFT_TABLE_F_DORMANT) 1005 return -EINVAL; 1006 } 1007 1008 err = -ENOMEM; 1009 table = kzalloc(sizeof(*table), GFP_KERNEL); 1010 if (table == NULL) 1011 goto err_kzalloc; 1012 1013 table->name = nla_strdup(attr, GFP_KERNEL); 1014 if (table->name == NULL) 1015 goto err_strdup; 1016 1017 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1018 if (err) 1019 goto err_chain_ht; 1020 1021 INIT_LIST_HEAD(&table->chains); 1022 INIT_LIST_HEAD(&table->sets); 1023 INIT_LIST_HEAD(&table->objects); 1024 INIT_LIST_HEAD(&table->flowtables); 1025 table->family = family; 1026 table->flags = flags; 1027 table->handle = ++table_handle; 1028 1029 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 1030 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1031 if (err < 0) 1032 goto err_trans; 1033 1034 list_add_tail_rcu(&table->list, &net->nft.tables); 1035 return 0; 1036 err_trans: 1037 rhltable_destroy(&table->chains_ht); 1038 err_chain_ht: 1039 kfree(table->name); 1040 err_strdup: 1041 kfree(table); 1042 err_kzalloc: 1043 return err; 1044 } 1045 1046 static int nft_flush_table(struct nft_ctx *ctx) 1047 { 1048 struct nft_flowtable *flowtable, *nft; 1049 struct nft_chain *chain, *nc; 1050 struct nft_object *obj, *ne; 1051 struct nft_set *set, *ns; 1052 int err; 1053 1054 list_for_each_entry(chain, &ctx->table->chains, list) { 1055 if (!nft_is_active_next(ctx->net, chain)) 1056 continue; 1057 1058 if (nft_chain_is_bound(chain)) 1059 continue; 1060 1061 ctx->chain = chain; 1062 1063 err = nft_delrule_by_chain(ctx); 1064 if (err < 0) 1065 goto out; 1066 } 1067 1068 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1069 if (!nft_is_active_next(ctx->net, set)) 1070 continue; 1071 1072 if (nft_set_is_anonymous(set) && 1073 !list_empty(&set->bindings)) 1074 continue; 1075 1076 err = nft_delset(ctx, set); 1077 if (err < 0) 1078 goto out; 1079 } 1080 1081 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1082 if (!nft_is_active_next(ctx->net, flowtable)) 1083 continue; 1084 1085 err = nft_delflowtable(ctx, flowtable); 1086 if (err < 0) 1087 goto out; 1088 } 1089 1090 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1091 if (!nft_is_active_next(ctx->net, obj)) 1092 continue; 1093 1094 err = nft_delobj(ctx, obj); 1095 if (err < 0) 1096 goto out; 1097 } 1098 1099 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1100 if (!nft_is_active_next(ctx->net, chain)) 1101 continue; 1102 1103 if (nft_chain_is_bound(chain)) 1104 continue; 1105 1106 ctx->chain = chain; 1107 1108 err = nft_delchain(ctx); 1109 if (err < 0) 1110 goto out; 1111 } 1112 1113 err = nft_deltable(ctx); 1114 out: 1115 return err; 1116 } 1117 1118 static int nft_flush(struct nft_ctx *ctx, int family) 1119 { 1120 struct nft_table *table, *nt; 1121 const struct nlattr * const *nla = ctx->nla; 1122 int err = 0; 1123 1124 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { 1125 if (family != AF_UNSPEC && table->family != family) 1126 continue; 1127 1128 ctx->family = table->family; 1129 1130 if (!nft_is_active_next(ctx->net, table)) 1131 continue; 1132 1133 if (nla[NFTA_TABLE_NAME] && 1134 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1135 continue; 1136 1137 ctx->table = table; 1138 1139 err = nft_flush_table(ctx); 1140 if (err < 0) 1141 goto out; 1142 } 1143 out: 1144 return err; 1145 } 1146 1147 static int nf_tables_deltable(struct net *net, struct sock *nlsk, 1148 struct sk_buff *skb, const struct nlmsghdr *nlh, 1149 const struct nlattr * const nla[], 1150 struct netlink_ext_ack *extack) 1151 { 1152 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1153 u8 genmask = nft_genmask_next(net); 1154 int family = nfmsg->nfgen_family; 1155 const struct nlattr *attr; 1156 struct nft_table *table; 1157 struct nft_ctx ctx; 1158 1159 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla); 1160 if (family == AF_UNSPEC || 1161 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1162 return nft_flush(&ctx, family); 1163 1164 if (nla[NFTA_TABLE_HANDLE]) { 1165 attr = nla[NFTA_TABLE_HANDLE]; 1166 table = nft_table_lookup_byhandle(net, attr, genmask); 1167 } else { 1168 attr = nla[NFTA_TABLE_NAME]; 1169 table = nft_table_lookup(net, attr, family, genmask); 1170 } 1171 1172 if (IS_ERR(table)) { 1173 NL_SET_BAD_ATTR(extack, attr); 1174 return PTR_ERR(table); 1175 } 1176 1177 if (nlh->nlmsg_flags & NLM_F_NONREC && 1178 table->use > 0) 1179 return -EBUSY; 1180 1181 ctx.family = family; 1182 ctx.table = table; 1183 1184 return nft_flush_table(&ctx); 1185 } 1186 1187 static void nf_tables_table_destroy(struct nft_ctx *ctx) 1188 { 1189 if (WARN_ON(ctx->table->use > 0)) 1190 return; 1191 1192 rhltable_destroy(&ctx->table->chains_ht); 1193 kfree(ctx->table->name); 1194 kfree(ctx->table); 1195 } 1196 1197 void nft_register_chain_type(const struct nft_chain_type *ctype) 1198 { 1199 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1200 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1201 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1202 return; 1203 } 1204 chain_type[ctype->family][ctype->type] = ctype; 1205 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1206 } 1207 EXPORT_SYMBOL_GPL(nft_register_chain_type); 1208 1209 void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1210 { 1211 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1212 chain_type[ctype->family][ctype->type] = NULL; 1213 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1214 } 1215 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1216 1217 /* 1218 * Chains 1219 */ 1220 1221 static struct nft_chain * 1222 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1223 { 1224 struct nft_chain *chain; 1225 1226 list_for_each_entry(chain, &table->chains, list) { 1227 if (chain->handle == handle && 1228 nft_active_genmask(chain, genmask)) 1229 return chain; 1230 } 1231 1232 return ERR_PTR(-ENOENT); 1233 } 1234 1235 static bool lockdep_commit_lock_is_held(const struct net *net) 1236 { 1237 #ifdef CONFIG_PROVE_LOCKING 1238 return lockdep_is_held(&net->nft.commit_mutex); 1239 #else 1240 return true; 1241 #endif 1242 } 1243 1244 static struct nft_chain *nft_chain_lookup(struct net *net, 1245 struct nft_table *table, 1246 const struct nlattr *nla, u8 genmask) 1247 { 1248 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1249 struct rhlist_head *tmp, *list; 1250 struct nft_chain *chain; 1251 1252 if (nla == NULL) 1253 return ERR_PTR(-EINVAL); 1254 1255 nla_strlcpy(search, nla, sizeof(search)); 1256 1257 WARN_ON(!rcu_read_lock_held() && 1258 !lockdep_commit_lock_is_held(net)); 1259 1260 chain = ERR_PTR(-ENOENT); 1261 rcu_read_lock(); 1262 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1263 if (!list) 1264 goto out_unlock; 1265 1266 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1267 if (nft_active_genmask(chain, genmask)) 1268 goto out_unlock; 1269 } 1270 chain = ERR_PTR(-ENOENT); 1271 out_unlock: 1272 rcu_read_unlock(); 1273 return chain; 1274 } 1275 1276 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1277 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1278 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1279 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1280 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1281 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1282 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1283 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1284 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1285 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1286 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1287 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1288 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1289 }; 1290 1291 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1292 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1293 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1294 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1295 .len = IFNAMSIZ - 1 }, 1296 }; 1297 1298 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1299 { 1300 struct nft_stats *cpu_stats, total; 1301 struct nlattr *nest; 1302 unsigned int seq; 1303 u64 pkts, bytes; 1304 int cpu; 1305 1306 if (!stats) 1307 return 0; 1308 1309 memset(&total, 0, sizeof(total)); 1310 for_each_possible_cpu(cpu) { 1311 cpu_stats = per_cpu_ptr(stats, cpu); 1312 do { 1313 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp); 1314 pkts = cpu_stats->pkts; 1315 bytes = cpu_stats->bytes; 1316 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq)); 1317 total.pkts += pkts; 1318 total.bytes += bytes; 1319 } 1320 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1321 if (nest == NULL) 1322 goto nla_put_failure; 1323 1324 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1325 NFTA_COUNTER_PAD) || 1326 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1327 NFTA_COUNTER_PAD)) 1328 goto nla_put_failure; 1329 1330 nla_nest_end(skb, nest); 1331 return 0; 1332 1333 nla_put_failure: 1334 return -ENOSPC; 1335 } 1336 1337 static int nft_dump_basechain_hook(struct sk_buff *skb, int family, 1338 const struct nft_base_chain *basechain) 1339 { 1340 const struct nf_hook_ops *ops = &basechain->ops; 1341 struct nft_hook *hook, *first = NULL; 1342 struct nlattr *nest, *nest_devs; 1343 int n = 0; 1344 1345 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1346 if (nest == NULL) 1347 goto nla_put_failure; 1348 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1349 goto nla_put_failure; 1350 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1351 goto nla_put_failure; 1352 1353 if (family == NFPROTO_NETDEV) { 1354 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1355 list_for_each_entry(hook, &basechain->hook_list, list) { 1356 if (!first) 1357 first = hook; 1358 1359 if (nla_put_string(skb, NFTA_DEVICE_NAME, 1360 hook->ops.dev->name)) 1361 goto nla_put_failure; 1362 n++; 1363 } 1364 nla_nest_end(skb, nest_devs); 1365 1366 if (n == 1 && 1367 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) 1368 goto nla_put_failure; 1369 } 1370 nla_nest_end(skb, nest); 1371 1372 return 0; 1373 nla_put_failure: 1374 return -1; 1375 } 1376 1377 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 1378 u32 portid, u32 seq, int event, u32 flags, 1379 int family, const struct nft_table *table, 1380 const struct nft_chain *chain) 1381 { 1382 struct nlmsghdr *nlh; 1383 struct nfgenmsg *nfmsg; 1384 1385 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1386 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 1387 if (nlh == NULL) 1388 goto nla_put_failure; 1389 1390 nfmsg = nlmsg_data(nlh); 1391 nfmsg->nfgen_family = family; 1392 nfmsg->version = NFNETLINK_V0; 1393 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 1394 1395 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) 1396 goto nla_put_failure; 1397 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 1398 NFTA_CHAIN_PAD)) 1399 goto nla_put_failure; 1400 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name)) 1401 goto nla_put_failure; 1402 1403 if (nft_is_base_chain(chain)) { 1404 const struct nft_base_chain *basechain = nft_base_chain(chain); 1405 struct nft_stats __percpu *stats; 1406 1407 if (nft_dump_basechain_hook(skb, family, basechain)) 1408 goto nla_put_failure; 1409 1410 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1411 htonl(basechain->policy))) 1412 goto nla_put_failure; 1413 1414 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1415 goto nla_put_failure; 1416 1417 stats = rcu_dereference_check(basechain->stats, 1418 lockdep_commit_lock_is_held(net)); 1419 if (nft_dump_stats(skb, stats)) 1420 goto nla_put_failure; 1421 } 1422 1423 if (chain->flags && 1424 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags))) 1425 goto nla_put_failure; 1426 1427 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1428 goto nla_put_failure; 1429 1430 nlmsg_end(skb, nlh); 1431 return 0; 1432 1433 nla_put_failure: 1434 nlmsg_trim(skb, nlh); 1435 return -1; 1436 } 1437 1438 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event) 1439 { 1440 struct sk_buff *skb; 1441 int err; 1442 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 1443 ctx->table->name, ctx->table->handle, 1444 ctx->chain->name, ctx->chain->handle); 1445 1446 audit_log_nfcfg(buf, 1447 ctx->family, 1448 ctx->chain->use, 1449 event == NFT_MSG_NEWCHAIN ? 1450 AUDIT_NFT_OP_CHAIN_REGISTER : 1451 AUDIT_NFT_OP_CHAIN_UNREGISTER, 1452 GFP_KERNEL); 1453 kfree(buf); 1454 1455 if (!ctx->report && 1456 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1457 return; 1458 1459 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1460 if (skb == NULL) 1461 goto err; 1462 1463 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1464 event, 0, ctx->family, ctx->table, 1465 ctx->chain); 1466 if (err < 0) { 1467 kfree_skb(skb); 1468 goto err; 1469 } 1470 1471 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 1472 ctx->report, GFP_KERNEL); 1473 return; 1474 err: 1475 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1476 } 1477 1478 static int nf_tables_dump_chains(struct sk_buff *skb, 1479 struct netlink_callback *cb) 1480 { 1481 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1482 const struct nft_table *table; 1483 const struct nft_chain *chain; 1484 unsigned int idx = 0, s_idx = cb->args[0]; 1485 struct net *net = sock_net(skb->sk); 1486 int family = nfmsg->nfgen_family; 1487 1488 rcu_read_lock(); 1489 cb->seq = net->nft.base_seq; 1490 1491 list_for_each_entry_rcu(table, &net->nft.tables, list) { 1492 if (family != NFPROTO_UNSPEC && family != table->family) 1493 continue; 1494 1495 list_for_each_entry_rcu(chain, &table->chains, list) { 1496 if (idx < s_idx) 1497 goto cont; 1498 if (idx > s_idx) 1499 memset(&cb->args[1], 0, 1500 sizeof(cb->args) - sizeof(cb->args[0])); 1501 if (!nft_is_active(net, chain)) 1502 continue; 1503 if (nf_tables_fill_chain_info(skb, net, 1504 NETLINK_CB(cb->skb).portid, 1505 cb->nlh->nlmsg_seq, 1506 NFT_MSG_NEWCHAIN, 1507 NLM_F_MULTI, 1508 table->family, table, 1509 chain) < 0) 1510 goto done; 1511 1512 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1513 cont: 1514 idx++; 1515 } 1516 } 1517 done: 1518 rcu_read_unlock(); 1519 cb->args[0] = idx; 1520 return skb->len; 1521 } 1522 1523 /* called with rcu_read_lock held */ 1524 static int nf_tables_getchain(struct net *net, struct sock *nlsk, 1525 struct sk_buff *skb, const struct nlmsghdr *nlh, 1526 const struct nlattr * const nla[], 1527 struct netlink_ext_ack *extack) 1528 { 1529 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1530 u8 genmask = nft_genmask_cur(net); 1531 const struct nft_chain *chain; 1532 struct nft_table *table; 1533 struct sk_buff *skb2; 1534 int family = nfmsg->nfgen_family; 1535 int err; 1536 1537 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1538 struct netlink_dump_control c = { 1539 .dump = nf_tables_dump_chains, 1540 .module = THIS_MODULE, 1541 }; 1542 1543 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 1544 } 1545 1546 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); 1547 if (IS_ERR(table)) { 1548 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 1549 return PTR_ERR(table); 1550 } 1551 1552 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 1553 if (IS_ERR(chain)) { 1554 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 1555 return PTR_ERR(chain); 1556 } 1557 1558 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1559 if (!skb2) 1560 return -ENOMEM; 1561 1562 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 1563 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0, 1564 family, table, chain); 1565 if (err < 0) 1566 goto err_fill_chain_info; 1567 1568 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1569 1570 err_fill_chain_info: 1571 kfree_skb(skb2); 1572 return err; 1573 } 1574 1575 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 1576 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 1577 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 1578 }; 1579 1580 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 1581 { 1582 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 1583 struct nft_stats __percpu *newstats; 1584 struct nft_stats *stats; 1585 int err; 1586 1587 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 1588 nft_counter_policy, NULL); 1589 if (err < 0) 1590 return ERR_PTR(err); 1591 1592 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 1593 return ERR_PTR(-EINVAL); 1594 1595 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 1596 if (newstats == NULL) 1597 return ERR_PTR(-ENOMEM); 1598 1599 /* Restore old counters on this cpu, no problem. Per-cpu statistics 1600 * are not exposed to userspace. 1601 */ 1602 preempt_disable(); 1603 stats = this_cpu_ptr(newstats); 1604 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 1605 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 1606 preempt_enable(); 1607 1608 return newstats; 1609 } 1610 1611 static void nft_chain_stats_replace(struct nft_trans *trans) 1612 { 1613 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain); 1614 1615 if (!nft_trans_chain_stats(trans)) 1616 return; 1617 1618 nft_trans_chain_stats(trans) = 1619 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans), 1620 lockdep_commit_lock_is_held(trans->ctx.net)); 1621 1622 if (!nft_trans_chain_stats(trans)) 1623 static_branch_inc(&nft_counters_enabled); 1624 } 1625 1626 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 1627 { 1628 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0); 1629 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1); 1630 1631 if (g0 != g1) 1632 kvfree(g1); 1633 kvfree(g0); 1634 1635 /* should be NULL either via abort or via successful commit */ 1636 WARN_ON_ONCE(chain->rules_next); 1637 kvfree(chain->rules_next); 1638 } 1639 1640 void nf_tables_chain_destroy(struct nft_ctx *ctx) 1641 { 1642 struct nft_chain *chain = ctx->chain; 1643 struct nft_hook *hook, *next; 1644 1645 if (WARN_ON(chain->use > 0)) 1646 return; 1647 1648 /* no concurrent access possible anymore */ 1649 nf_tables_chain_free_chain_rules(chain); 1650 1651 if (nft_is_base_chain(chain)) { 1652 struct nft_base_chain *basechain = nft_base_chain(chain); 1653 1654 if (ctx->family == NFPROTO_NETDEV) { 1655 list_for_each_entry_safe(hook, next, 1656 &basechain->hook_list, list) { 1657 list_del_rcu(&hook->list); 1658 kfree_rcu(hook, rcu); 1659 } 1660 } 1661 module_put(basechain->type->owner); 1662 if (rcu_access_pointer(basechain->stats)) { 1663 static_branch_dec(&nft_counters_enabled); 1664 free_percpu(rcu_dereference_raw(basechain->stats)); 1665 } 1666 kfree(chain->name); 1667 kfree(basechain); 1668 } else { 1669 kfree(chain->name); 1670 kfree(chain); 1671 } 1672 } 1673 1674 static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 1675 const struct nlattr *attr) 1676 { 1677 struct net_device *dev; 1678 char ifname[IFNAMSIZ]; 1679 struct nft_hook *hook; 1680 int err; 1681 1682 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL); 1683 if (!hook) { 1684 err = -ENOMEM; 1685 goto err_hook_alloc; 1686 } 1687 1688 nla_strlcpy(ifname, attr, IFNAMSIZ); 1689 dev = __dev_get_by_name(net, ifname); 1690 if (!dev) { 1691 err = -ENOENT; 1692 goto err_hook_dev; 1693 } 1694 hook->ops.dev = dev; 1695 hook->inactive = false; 1696 1697 return hook; 1698 1699 err_hook_dev: 1700 kfree(hook); 1701 err_hook_alloc: 1702 return ERR_PTR(err); 1703 } 1704 1705 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, 1706 const struct nft_hook *this) 1707 { 1708 struct nft_hook *hook; 1709 1710 list_for_each_entry(hook, hook_list, list) { 1711 if (this->ops.dev == hook->ops.dev) 1712 return hook; 1713 } 1714 1715 return NULL; 1716 } 1717 1718 static int nf_tables_parse_netdev_hooks(struct net *net, 1719 const struct nlattr *attr, 1720 struct list_head *hook_list) 1721 { 1722 struct nft_hook *hook, *next; 1723 const struct nlattr *tmp; 1724 int rem, n = 0, err; 1725 1726 nla_for_each_nested(tmp, attr, rem) { 1727 if (nla_type(tmp) != NFTA_DEVICE_NAME) { 1728 err = -EINVAL; 1729 goto err_hook; 1730 } 1731 1732 hook = nft_netdev_hook_alloc(net, tmp); 1733 if (IS_ERR(hook)) { 1734 err = PTR_ERR(hook); 1735 goto err_hook; 1736 } 1737 if (nft_hook_list_find(hook_list, hook)) { 1738 kfree(hook); 1739 err = -EEXIST; 1740 goto err_hook; 1741 } 1742 list_add_tail(&hook->list, hook_list); 1743 n++; 1744 1745 if (n == NFT_NETDEVICE_MAX) { 1746 err = -EFBIG; 1747 goto err_hook; 1748 } 1749 } 1750 1751 return 0; 1752 1753 err_hook: 1754 list_for_each_entry_safe(hook, next, hook_list, list) { 1755 list_del(&hook->list); 1756 kfree(hook); 1757 } 1758 return err; 1759 } 1760 1761 struct nft_chain_hook { 1762 u32 num; 1763 s32 priority; 1764 const struct nft_chain_type *type; 1765 struct list_head list; 1766 }; 1767 1768 static int nft_chain_parse_netdev(struct net *net, 1769 struct nlattr *tb[], 1770 struct list_head *hook_list) 1771 { 1772 struct nft_hook *hook; 1773 int err; 1774 1775 if (tb[NFTA_HOOK_DEV]) { 1776 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); 1777 if (IS_ERR(hook)) 1778 return PTR_ERR(hook); 1779 1780 list_add_tail(&hook->list, hook_list); 1781 } else if (tb[NFTA_HOOK_DEVS]) { 1782 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 1783 hook_list); 1784 if (err < 0) 1785 return err; 1786 1787 if (list_empty(hook_list)) 1788 return -EINVAL; 1789 } else { 1790 return -EINVAL; 1791 } 1792 1793 return 0; 1794 } 1795 1796 static int nft_chain_parse_hook(struct net *net, 1797 const struct nlattr * const nla[], 1798 struct nft_chain_hook *hook, u8 family, 1799 bool autoload) 1800 { 1801 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 1802 const struct nft_chain_type *type; 1803 int err; 1804 1805 lockdep_assert_held(&net->nft.commit_mutex); 1806 lockdep_nfnl_nft_mutex_not_held(); 1807 1808 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 1809 nla[NFTA_CHAIN_HOOK], 1810 nft_hook_policy, NULL); 1811 if (err < 0) 1812 return err; 1813 1814 if (ha[NFTA_HOOK_HOOKNUM] == NULL || 1815 ha[NFTA_HOOK_PRIORITY] == NULL) 1816 return -EINVAL; 1817 1818 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 1819 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 1820 1821 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 1822 if (!type) 1823 return -EOPNOTSUPP; 1824 1825 if (nla[NFTA_CHAIN_TYPE]) { 1826 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 1827 family, autoload); 1828 if (IS_ERR(type)) 1829 return PTR_ERR(type); 1830 } 1831 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 1832 return -EOPNOTSUPP; 1833 1834 if (type->type == NFT_CHAIN_T_NAT && 1835 hook->priority <= NF_IP_PRI_CONNTRACK) 1836 return -EOPNOTSUPP; 1837 1838 if (!try_module_get(type->owner)) 1839 return -ENOENT; 1840 1841 hook->type = type; 1842 1843 INIT_LIST_HEAD(&hook->list); 1844 if (family == NFPROTO_NETDEV) { 1845 err = nft_chain_parse_netdev(net, ha, &hook->list); 1846 if (err < 0) { 1847 module_put(type->owner); 1848 return err; 1849 } 1850 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 1851 module_put(type->owner); 1852 return -EOPNOTSUPP; 1853 } 1854 1855 return 0; 1856 } 1857 1858 static void nft_chain_release_hook(struct nft_chain_hook *hook) 1859 { 1860 struct nft_hook *h, *next; 1861 1862 list_for_each_entry_safe(h, next, &hook->list, list) { 1863 list_del(&h->list); 1864 kfree(h); 1865 } 1866 module_put(hook->type->owner); 1867 } 1868 1869 struct nft_rules_old { 1870 struct rcu_head h; 1871 struct nft_rule **start; 1872 }; 1873 1874 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain, 1875 unsigned int alloc) 1876 { 1877 if (alloc > INT_MAX) 1878 return NULL; 1879 1880 alloc += 1; /* NULL, ends rules */ 1881 if (sizeof(struct nft_rule *) > INT_MAX / alloc) 1882 return NULL; 1883 1884 alloc *= sizeof(struct nft_rule *); 1885 alloc += sizeof(struct nft_rules_old); 1886 1887 return kvmalloc(alloc, GFP_KERNEL); 1888 } 1889 1890 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 1891 const struct nft_chain_hook *hook, 1892 struct nft_chain *chain) 1893 { 1894 ops->pf = family; 1895 ops->hooknum = hook->num; 1896 ops->priority = hook->priority; 1897 ops->priv = chain; 1898 ops->hook = hook->type->hooks[ops->hooknum]; 1899 } 1900 1901 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 1902 struct nft_chain_hook *hook, u32 flags) 1903 { 1904 struct nft_chain *chain; 1905 struct nft_hook *h; 1906 1907 basechain->type = hook->type; 1908 INIT_LIST_HEAD(&basechain->hook_list); 1909 chain = &basechain->chain; 1910 1911 if (family == NFPROTO_NETDEV) { 1912 list_splice_init(&hook->list, &basechain->hook_list); 1913 list_for_each_entry(h, &basechain->hook_list, list) 1914 nft_basechain_hook_init(&h->ops, family, hook, chain); 1915 1916 basechain->ops.hooknum = hook->num; 1917 basechain->ops.priority = hook->priority; 1918 } else { 1919 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 1920 } 1921 1922 chain->flags |= NFT_CHAIN_BASE | flags; 1923 basechain->policy = NF_ACCEPT; 1924 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 1925 nft_chain_offload_priority(basechain) < 0) 1926 return -EOPNOTSUPP; 1927 1928 flow_block_init(&basechain->flow_block); 1929 1930 return 0; 1931 } 1932 1933 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 1934 { 1935 int err; 1936 1937 err = rhltable_insert_key(&table->chains_ht, chain->name, 1938 &chain->rhlhead, nft_chain_ht_params); 1939 if (err) 1940 return err; 1941 1942 list_add_tail_rcu(&chain->list, &table->chains); 1943 1944 return 0; 1945 } 1946 1947 static u64 chain_id; 1948 1949 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 1950 u8 policy, u32 flags) 1951 { 1952 const struct nlattr * const *nla = ctx->nla; 1953 struct nft_table *table = ctx->table; 1954 struct nft_base_chain *basechain; 1955 struct nft_stats __percpu *stats; 1956 struct net *net = ctx->net; 1957 char name[NFT_NAME_MAXLEN]; 1958 struct nft_trans *trans; 1959 struct nft_chain *chain; 1960 struct nft_rule **rules; 1961 int err; 1962 1963 if (table->use == UINT_MAX) 1964 return -EOVERFLOW; 1965 1966 if (nla[NFTA_CHAIN_HOOK]) { 1967 struct nft_chain_hook hook; 1968 1969 if (flags & NFT_CHAIN_BINDING) 1970 return -EOPNOTSUPP; 1971 1972 err = nft_chain_parse_hook(net, nla, &hook, family, true); 1973 if (err < 0) 1974 return err; 1975 1976 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL); 1977 if (basechain == NULL) { 1978 nft_chain_release_hook(&hook); 1979 return -ENOMEM; 1980 } 1981 chain = &basechain->chain; 1982 1983 if (nla[NFTA_CHAIN_COUNTERS]) { 1984 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 1985 if (IS_ERR(stats)) { 1986 nft_chain_release_hook(&hook); 1987 kfree(basechain); 1988 return PTR_ERR(stats); 1989 } 1990 rcu_assign_pointer(basechain->stats, stats); 1991 static_branch_inc(&nft_counters_enabled); 1992 } 1993 1994 err = nft_basechain_init(basechain, family, &hook, flags); 1995 if (err < 0) { 1996 nft_chain_release_hook(&hook); 1997 kfree(basechain); 1998 return err; 1999 } 2000 } else { 2001 if (flags & NFT_CHAIN_BASE) 2002 return -EINVAL; 2003 if (flags & NFT_CHAIN_HW_OFFLOAD) 2004 return -EOPNOTSUPP; 2005 2006 chain = kzalloc(sizeof(*chain), GFP_KERNEL); 2007 if (chain == NULL) 2008 return -ENOMEM; 2009 2010 chain->flags = flags; 2011 } 2012 ctx->chain = chain; 2013 2014 INIT_LIST_HEAD(&chain->rules); 2015 chain->handle = nf_tables_alloc_handle(table); 2016 chain->table = table; 2017 2018 if (nla[NFTA_CHAIN_NAME]) { 2019 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 2020 } else { 2021 if (!(flags & NFT_CHAIN_BINDING)) { 2022 err = -EINVAL; 2023 goto err1; 2024 } 2025 2026 snprintf(name, sizeof(name), "__chain%llu", ++chain_id); 2027 chain->name = kstrdup(name, GFP_KERNEL); 2028 } 2029 2030 if (!chain->name) { 2031 err = -ENOMEM; 2032 goto err1; 2033 } 2034 2035 rules = nf_tables_chain_alloc_rules(chain, 0); 2036 if (!rules) { 2037 err = -ENOMEM; 2038 goto err1; 2039 } 2040 2041 *rules = NULL; 2042 rcu_assign_pointer(chain->rules_gen_0, rules); 2043 rcu_assign_pointer(chain->rules_gen_1, rules); 2044 2045 err = nf_tables_register_hook(net, table, chain); 2046 if (err < 0) 2047 goto err1; 2048 2049 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 2050 if (IS_ERR(trans)) { 2051 err = PTR_ERR(trans); 2052 goto err2; 2053 } 2054 2055 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 2056 if (nft_is_base_chain(chain)) 2057 nft_trans_chain_policy(trans) = policy; 2058 2059 err = nft_chain_add(table, chain); 2060 if (err < 0) { 2061 nft_trans_destroy(trans); 2062 goto err2; 2063 } 2064 2065 table->use++; 2066 2067 return 0; 2068 err2: 2069 nf_tables_unregister_hook(net, table, chain); 2070 err1: 2071 nf_tables_chain_destroy(ctx); 2072 2073 return err; 2074 } 2075 2076 static bool nft_hook_list_equal(struct list_head *hook_list1, 2077 struct list_head *hook_list2) 2078 { 2079 struct nft_hook *hook; 2080 int n = 0, m = 0; 2081 2082 n = 0; 2083 list_for_each_entry(hook, hook_list2, list) { 2084 if (!nft_hook_list_find(hook_list1, hook)) 2085 return false; 2086 2087 n++; 2088 } 2089 list_for_each_entry(hook, hook_list1, list) 2090 m++; 2091 2092 return n == m; 2093 } 2094 2095 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2096 u32 flags) 2097 { 2098 const struct nlattr * const *nla = ctx->nla; 2099 struct nft_table *table = ctx->table; 2100 struct nft_chain *chain = ctx->chain; 2101 struct nft_base_chain *basechain; 2102 struct nft_stats *stats = NULL; 2103 struct nft_chain_hook hook; 2104 struct nf_hook_ops *ops; 2105 struct nft_trans *trans; 2106 int err; 2107 2108 if (chain->flags ^ flags) 2109 return -EOPNOTSUPP; 2110 2111 if (nla[NFTA_CHAIN_HOOK]) { 2112 if (!nft_is_base_chain(chain)) 2113 return -EEXIST; 2114 2115 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, 2116 false); 2117 if (err < 0) 2118 return err; 2119 2120 basechain = nft_base_chain(chain); 2121 if (basechain->type != hook.type) { 2122 nft_chain_release_hook(&hook); 2123 return -EEXIST; 2124 } 2125 2126 if (ctx->family == NFPROTO_NETDEV) { 2127 if (!nft_hook_list_equal(&basechain->hook_list, 2128 &hook.list)) { 2129 nft_chain_release_hook(&hook); 2130 return -EEXIST; 2131 } 2132 } else { 2133 ops = &basechain->ops; 2134 if (ops->hooknum != hook.num || 2135 ops->priority != hook.priority) { 2136 nft_chain_release_hook(&hook); 2137 return -EEXIST; 2138 } 2139 } 2140 nft_chain_release_hook(&hook); 2141 } 2142 2143 if (nla[NFTA_CHAIN_HANDLE] && 2144 nla[NFTA_CHAIN_NAME]) { 2145 struct nft_chain *chain2; 2146 2147 chain2 = nft_chain_lookup(ctx->net, table, 2148 nla[NFTA_CHAIN_NAME], genmask); 2149 if (!IS_ERR(chain2)) 2150 return -EEXIST; 2151 } 2152 2153 if (nla[NFTA_CHAIN_COUNTERS]) { 2154 if (!nft_is_base_chain(chain)) 2155 return -EOPNOTSUPP; 2156 2157 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2158 if (IS_ERR(stats)) 2159 return PTR_ERR(stats); 2160 } 2161 2162 err = -ENOMEM; 2163 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, 2164 sizeof(struct nft_trans_chain)); 2165 if (trans == NULL) 2166 goto err; 2167 2168 nft_trans_chain_stats(trans) = stats; 2169 nft_trans_chain_update(trans) = true; 2170 2171 if (nla[NFTA_CHAIN_POLICY]) 2172 nft_trans_chain_policy(trans) = policy; 2173 else 2174 nft_trans_chain_policy(trans) = -1; 2175 2176 if (nla[NFTA_CHAIN_HANDLE] && 2177 nla[NFTA_CHAIN_NAME]) { 2178 struct nft_trans *tmp; 2179 char *name; 2180 2181 err = -ENOMEM; 2182 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 2183 if (!name) 2184 goto err; 2185 2186 err = -EEXIST; 2187 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) { 2188 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2189 tmp->ctx.table == table && 2190 nft_trans_chain_update(tmp) && 2191 nft_trans_chain_name(tmp) && 2192 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2193 kfree(name); 2194 goto err; 2195 } 2196 } 2197 2198 nft_trans_chain_name(trans) = name; 2199 } 2200 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 2201 2202 return 0; 2203 err: 2204 free_percpu(stats); 2205 kfree(trans); 2206 return err; 2207 } 2208 2209 static struct nft_chain *nft_chain_lookup_byid(const struct net *net, 2210 const struct nlattr *nla) 2211 { 2212 u32 id = ntohl(nla_get_be32(nla)); 2213 struct nft_trans *trans; 2214 2215 list_for_each_entry(trans, &net->nft.commit_list, list) { 2216 struct nft_chain *chain = trans->ctx.chain; 2217 2218 if (trans->msg_type == NFT_MSG_NEWCHAIN && 2219 id == nft_trans_chain_id(trans)) 2220 return chain; 2221 } 2222 return ERR_PTR(-ENOENT); 2223 } 2224 2225 static int nf_tables_newchain(struct net *net, struct sock *nlsk, 2226 struct sk_buff *skb, const struct nlmsghdr *nlh, 2227 const struct nlattr * const nla[], 2228 struct netlink_ext_ack *extack) 2229 { 2230 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2231 u8 genmask = nft_genmask_next(net); 2232 int family = nfmsg->nfgen_family; 2233 struct nft_chain *chain = NULL; 2234 const struct nlattr *attr; 2235 struct nft_table *table; 2236 u8 policy = NF_ACCEPT; 2237 struct nft_ctx ctx; 2238 u64 handle = 0; 2239 u32 flags = 0; 2240 2241 lockdep_assert_held(&net->nft.commit_mutex); 2242 2243 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); 2244 if (IS_ERR(table)) { 2245 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2246 return PTR_ERR(table); 2247 } 2248 2249 chain = NULL; 2250 attr = nla[NFTA_CHAIN_NAME]; 2251 2252 if (nla[NFTA_CHAIN_HANDLE]) { 2253 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 2254 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2255 if (IS_ERR(chain)) { 2256 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 2257 return PTR_ERR(chain); 2258 } 2259 attr = nla[NFTA_CHAIN_HANDLE]; 2260 } else if (nla[NFTA_CHAIN_NAME]) { 2261 chain = nft_chain_lookup(net, table, attr, genmask); 2262 if (IS_ERR(chain)) { 2263 if (PTR_ERR(chain) != -ENOENT) { 2264 NL_SET_BAD_ATTR(extack, attr); 2265 return PTR_ERR(chain); 2266 } 2267 chain = NULL; 2268 } 2269 } else if (!nla[NFTA_CHAIN_ID]) { 2270 return -EINVAL; 2271 } 2272 2273 if (nla[NFTA_CHAIN_POLICY]) { 2274 if (chain != NULL && 2275 !nft_is_base_chain(chain)) { 2276 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2277 return -EOPNOTSUPP; 2278 } 2279 2280 if (chain == NULL && 2281 nla[NFTA_CHAIN_HOOK] == NULL) { 2282 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2283 return -EOPNOTSUPP; 2284 } 2285 2286 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 2287 switch (policy) { 2288 case NF_DROP: 2289 case NF_ACCEPT: 2290 break; 2291 default: 2292 return -EINVAL; 2293 } 2294 } 2295 2296 if (nla[NFTA_CHAIN_FLAGS]) 2297 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 2298 else if (chain) 2299 flags = chain->flags; 2300 2301 if (flags & ~NFT_CHAIN_FLAGS) 2302 return -EOPNOTSUPP; 2303 2304 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 2305 2306 if (chain != NULL) { 2307 if (nlh->nlmsg_flags & NLM_F_EXCL) { 2308 NL_SET_BAD_ATTR(extack, attr); 2309 return -EEXIST; 2310 } 2311 if (nlh->nlmsg_flags & NLM_F_REPLACE) 2312 return -EOPNOTSUPP; 2313 2314 flags |= chain->flags & NFT_CHAIN_BASE; 2315 return nf_tables_updchain(&ctx, genmask, policy, flags); 2316 } 2317 2318 return nf_tables_addchain(&ctx, family, genmask, policy, flags); 2319 } 2320 2321 static int nf_tables_delchain(struct net *net, struct sock *nlsk, 2322 struct sk_buff *skb, const struct nlmsghdr *nlh, 2323 const struct nlattr * const nla[], 2324 struct netlink_ext_ack *extack) 2325 { 2326 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2327 u8 genmask = nft_genmask_next(net); 2328 int family = nfmsg->nfgen_family; 2329 const struct nlattr *attr; 2330 struct nft_table *table; 2331 struct nft_chain *chain; 2332 struct nft_rule *rule; 2333 struct nft_ctx ctx; 2334 u64 handle; 2335 u32 use; 2336 int err; 2337 2338 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); 2339 if (IS_ERR(table)) { 2340 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2341 return PTR_ERR(table); 2342 } 2343 2344 if (nla[NFTA_CHAIN_HANDLE]) { 2345 attr = nla[NFTA_CHAIN_HANDLE]; 2346 handle = be64_to_cpu(nla_get_be64(attr)); 2347 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2348 } else { 2349 attr = nla[NFTA_CHAIN_NAME]; 2350 chain = nft_chain_lookup(net, table, attr, genmask); 2351 } 2352 if (IS_ERR(chain)) { 2353 NL_SET_BAD_ATTR(extack, attr); 2354 return PTR_ERR(chain); 2355 } 2356 2357 if (nlh->nlmsg_flags & NLM_F_NONREC && 2358 chain->use > 0) 2359 return -EBUSY; 2360 2361 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 2362 2363 use = chain->use; 2364 list_for_each_entry(rule, &chain->rules, list) { 2365 if (!nft_is_active_next(net, rule)) 2366 continue; 2367 use--; 2368 2369 err = nft_delrule(&ctx, rule); 2370 if (err < 0) 2371 return err; 2372 } 2373 2374 /* There are rules and elements that are still holding references to us, 2375 * we cannot do a recursive removal in this case. 2376 */ 2377 if (use > 0) { 2378 NL_SET_BAD_ATTR(extack, attr); 2379 return -EBUSY; 2380 } 2381 2382 return nft_delchain(&ctx); 2383 } 2384 2385 /* 2386 * Expressions 2387 */ 2388 2389 /** 2390 * nft_register_expr - register nf_tables expr type 2391 * @type: expr type 2392 * 2393 * Registers the expr type for use with nf_tables. Returns zero on 2394 * success or a negative errno code otherwise. 2395 */ 2396 int nft_register_expr(struct nft_expr_type *type) 2397 { 2398 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2399 if (type->family == NFPROTO_UNSPEC) 2400 list_add_tail_rcu(&type->list, &nf_tables_expressions); 2401 else 2402 list_add_rcu(&type->list, &nf_tables_expressions); 2403 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2404 return 0; 2405 } 2406 EXPORT_SYMBOL_GPL(nft_register_expr); 2407 2408 /** 2409 * nft_unregister_expr - unregister nf_tables expr type 2410 * @type: expr type 2411 * 2412 * Unregisters the expr typefor use with nf_tables. 2413 */ 2414 void nft_unregister_expr(struct nft_expr_type *type) 2415 { 2416 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2417 list_del_rcu(&type->list); 2418 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2419 } 2420 EXPORT_SYMBOL_GPL(nft_unregister_expr); 2421 2422 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 2423 struct nlattr *nla) 2424 { 2425 const struct nft_expr_type *type, *candidate = NULL; 2426 2427 list_for_each_entry(type, &nf_tables_expressions, list) { 2428 if (!nla_strcmp(nla, type->name)) { 2429 if (!type->family && !candidate) 2430 candidate = type; 2431 else if (type->family == family) 2432 candidate = type; 2433 } 2434 } 2435 return candidate; 2436 } 2437 2438 #ifdef CONFIG_MODULES 2439 static int nft_expr_type_request_module(struct net *net, u8 family, 2440 struct nlattr *nla) 2441 { 2442 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 2443 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 2444 return -EAGAIN; 2445 2446 return 0; 2447 } 2448 #endif 2449 2450 static const struct nft_expr_type *nft_expr_type_get(struct net *net, 2451 u8 family, 2452 struct nlattr *nla) 2453 { 2454 const struct nft_expr_type *type; 2455 2456 if (nla == NULL) 2457 return ERR_PTR(-EINVAL); 2458 2459 type = __nft_expr_type_get(family, nla); 2460 if (type != NULL && try_module_get(type->owner)) 2461 return type; 2462 2463 lockdep_nfnl_nft_mutex_not_held(); 2464 #ifdef CONFIG_MODULES 2465 if (type == NULL) { 2466 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 2467 return ERR_PTR(-EAGAIN); 2468 2469 if (nft_request_module(net, "nft-expr-%.*s", 2470 nla_len(nla), 2471 (char *)nla_data(nla)) == -EAGAIN) 2472 return ERR_PTR(-EAGAIN); 2473 } 2474 #endif 2475 return ERR_PTR(-ENOENT); 2476 } 2477 2478 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 2479 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 2480 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 2481 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 2482 }; 2483 2484 static int nf_tables_fill_expr_info(struct sk_buff *skb, 2485 const struct nft_expr *expr) 2486 { 2487 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 2488 goto nla_put_failure; 2489 2490 if (expr->ops->dump) { 2491 struct nlattr *data = nla_nest_start_noflag(skb, 2492 NFTA_EXPR_DATA); 2493 if (data == NULL) 2494 goto nla_put_failure; 2495 if (expr->ops->dump(skb, expr) < 0) 2496 goto nla_put_failure; 2497 nla_nest_end(skb, data); 2498 } 2499 2500 return skb->len; 2501 2502 nla_put_failure: 2503 return -1; 2504 }; 2505 2506 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 2507 const struct nft_expr *expr) 2508 { 2509 struct nlattr *nest; 2510 2511 nest = nla_nest_start_noflag(skb, attr); 2512 if (!nest) 2513 goto nla_put_failure; 2514 if (nf_tables_fill_expr_info(skb, expr) < 0) 2515 goto nla_put_failure; 2516 nla_nest_end(skb, nest); 2517 return 0; 2518 2519 nla_put_failure: 2520 return -1; 2521 } 2522 2523 struct nft_expr_info { 2524 const struct nft_expr_ops *ops; 2525 const struct nlattr *attr; 2526 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 2527 }; 2528 2529 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 2530 const struct nlattr *nla, 2531 struct nft_expr_info *info) 2532 { 2533 const struct nft_expr_type *type; 2534 const struct nft_expr_ops *ops; 2535 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 2536 int err; 2537 2538 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 2539 nft_expr_policy, NULL); 2540 if (err < 0) 2541 return err; 2542 2543 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 2544 if (IS_ERR(type)) 2545 return PTR_ERR(type); 2546 2547 if (tb[NFTA_EXPR_DATA]) { 2548 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 2549 tb[NFTA_EXPR_DATA], 2550 type->policy, NULL); 2551 if (err < 0) 2552 goto err1; 2553 } else 2554 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 2555 2556 if (type->select_ops != NULL) { 2557 ops = type->select_ops(ctx, 2558 (const struct nlattr * const *)info->tb); 2559 if (IS_ERR(ops)) { 2560 err = PTR_ERR(ops); 2561 #ifdef CONFIG_MODULES 2562 if (err == -EAGAIN) 2563 if (nft_expr_type_request_module(ctx->net, 2564 ctx->family, 2565 tb[NFTA_EXPR_NAME]) != -EAGAIN) 2566 err = -ENOENT; 2567 #endif 2568 goto err1; 2569 } 2570 } else 2571 ops = type->ops; 2572 2573 info->attr = nla; 2574 info->ops = ops; 2575 2576 return 0; 2577 2578 err1: 2579 module_put(type->owner); 2580 return err; 2581 } 2582 2583 static int nf_tables_newexpr(const struct nft_ctx *ctx, 2584 const struct nft_expr_info *info, 2585 struct nft_expr *expr) 2586 { 2587 const struct nft_expr_ops *ops = info->ops; 2588 int err; 2589 2590 expr->ops = ops; 2591 if (ops->init) { 2592 err = ops->init(ctx, expr, (const struct nlattr **)info->tb); 2593 if (err < 0) 2594 goto err1; 2595 } 2596 2597 return 0; 2598 err1: 2599 expr->ops = NULL; 2600 return err; 2601 } 2602 2603 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 2604 struct nft_expr *expr) 2605 { 2606 const struct nft_expr_type *type = expr->ops->type; 2607 2608 if (expr->ops->destroy) 2609 expr->ops->destroy(ctx, expr); 2610 module_put(type->owner); 2611 } 2612 2613 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 2614 const struct nlattr *nla) 2615 { 2616 struct nft_expr_info info; 2617 struct nft_expr *expr; 2618 struct module *owner; 2619 int err; 2620 2621 err = nf_tables_expr_parse(ctx, nla, &info); 2622 if (err < 0) 2623 goto err1; 2624 2625 err = -ENOMEM; 2626 expr = kzalloc(info.ops->size, GFP_KERNEL); 2627 if (expr == NULL) 2628 goto err2; 2629 2630 err = nf_tables_newexpr(ctx, &info, expr); 2631 if (err < 0) 2632 goto err3; 2633 2634 return expr; 2635 err3: 2636 kfree(expr); 2637 err2: 2638 owner = info.ops->type->owner; 2639 if (info.ops->type->release_ops) 2640 info.ops->type->release_ops(info.ops); 2641 2642 module_put(owner); 2643 err1: 2644 return ERR_PTR(err); 2645 } 2646 2647 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 2648 { 2649 int err; 2650 2651 if (src->ops->clone) { 2652 dst->ops = src->ops; 2653 err = src->ops->clone(dst, src); 2654 if (err < 0) 2655 return err; 2656 } else { 2657 memcpy(dst, src, src->ops->size); 2658 } 2659 2660 __module_get(src->ops->type->owner); 2661 2662 return 0; 2663 } 2664 2665 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 2666 { 2667 nf_tables_expr_destroy(ctx, expr); 2668 kfree(expr); 2669 } 2670 2671 /* 2672 * Rules 2673 */ 2674 2675 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain, 2676 u64 handle) 2677 { 2678 struct nft_rule *rule; 2679 2680 // FIXME: this sucks 2681 list_for_each_entry_rcu(rule, &chain->rules, list) { 2682 if (handle == rule->handle) 2683 return rule; 2684 } 2685 2686 return ERR_PTR(-ENOENT); 2687 } 2688 2689 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain, 2690 const struct nlattr *nla) 2691 { 2692 if (nla == NULL) 2693 return ERR_PTR(-EINVAL); 2694 2695 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 2696 } 2697 2698 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 2699 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 2700 .len = NFT_TABLE_MAXNAMELEN - 1 }, 2701 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 2702 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 2703 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 2704 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED }, 2705 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 2706 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 2707 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 2708 .len = NFT_USERDATA_MAXLEN }, 2709 [NFTA_RULE_ID] = { .type = NLA_U32 }, 2710 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 2711 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 }, 2712 }; 2713 2714 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 2715 u32 portid, u32 seq, int event, 2716 u32 flags, int family, 2717 const struct nft_table *table, 2718 const struct nft_chain *chain, 2719 const struct nft_rule *rule, 2720 const struct nft_rule *prule) 2721 { 2722 struct nlmsghdr *nlh; 2723 struct nfgenmsg *nfmsg; 2724 const struct nft_expr *expr, *next; 2725 struct nlattr *list; 2726 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 2727 2728 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); 2729 if (nlh == NULL) 2730 goto nla_put_failure; 2731 2732 nfmsg = nlmsg_data(nlh); 2733 nfmsg->nfgen_family = family; 2734 nfmsg->version = NFNETLINK_V0; 2735 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 2736 2737 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 2738 goto nla_put_failure; 2739 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 2740 goto nla_put_failure; 2741 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 2742 NFTA_RULE_PAD)) 2743 goto nla_put_failure; 2744 2745 if (event != NFT_MSG_DELRULE && prule) { 2746 if (nla_put_be64(skb, NFTA_RULE_POSITION, 2747 cpu_to_be64(prule->handle), 2748 NFTA_RULE_PAD)) 2749 goto nla_put_failure; 2750 } 2751 2752 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 2753 if (list == NULL) 2754 goto nla_put_failure; 2755 nft_rule_for_each_expr(expr, next, rule) { 2756 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 2757 goto nla_put_failure; 2758 } 2759 nla_nest_end(skb, list); 2760 2761 if (rule->udata) { 2762 struct nft_userdata *udata = nft_userdata(rule); 2763 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 2764 udata->data) < 0) 2765 goto nla_put_failure; 2766 } 2767 2768 nlmsg_end(skb, nlh); 2769 return 0; 2770 2771 nla_put_failure: 2772 nlmsg_trim(skb, nlh); 2773 return -1; 2774 } 2775 2776 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 2777 const struct nft_rule *rule, int event) 2778 { 2779 struct sk_buff *skb; 2780 int err; 2781 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 2782 ctx->table->name, ctx->table->handle, 2783 ctx->chain->name, ctx->chain->handle); 2784 2785 audit_log_nfcfg(buf, 2786 ctx->family, 2787 rule->handle, 2788 event == NFT_MSG_NEWRULE ? 2789 AUDIT_NFT_OP_RULE_REGISTER : 2790 AUDIT_NFT_OP_RULE_UNREGISTER, 2791 GFP_KERNEL); 2792 kfree(buf); 2793 2794 if (!ctx->report && 2795 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 2796 return; 2797 2798 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 2799 if (skb == NULL) 2800 goto err; 2801 2802 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 2803 event, 0, ctx->family, ctx->table, 2804 ctx->chain, rule, NULL); 2805 if (err < 0) { 2806 kfree_skb(skb); 2807 goto err; 2808 } 2809 2810 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 2811 ctx->report, GFP_KERNEL); 2812 return; 2813 err: 2814 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 2815 } 2816 2817 struct nft_rule_dump_ctx { 2818 char *table; 2819 char *chain; 2820 }; 2821 2822 static int __nf_tables_dump_rules(struct sk_buff *skb, 2823 unsigned int *idx, 2824 struct netlink_callback *cb, 2825 const struct nft_table *table, 2826 const struct nft_chain *chain) 2827 { 2828 struct net *net = sock_net(skb->sk); 2829 const struct nft_rule *rule, *prule; 2830 unsigned int s_idx = cb->args[0]; 2831 2832 prule = NULL; 2833 list_for_each_entry_rcu(rule, &chain->rules, list) { 2834 if (!nft_is_active(net, rule)) 2835 goto cont_skip; 2836 if (*idx < s_idx) 2837 goto cont; 2838 if (*idx > s_idx) { 2839 memset(&cb->args[1], 0, 2840 sizeof(cb->args) - sizeof(cb->args[0])); 2841 } 2842 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 2843 cb->nlh->nlmsg_seq, 2844 NFT_MSG_NEWRULE, 2845 NLM_F_MULTI | NLM_F_APPEND, 2846 table->family, 2847 table, chain, rule, prule) < 0) 2848 return 1; 2849 2850 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 2851 cont: 2852 prule = rule; 2853 cont_skip: 2854 (*idx)++; 2855 } 2856 return 0; 2857 } 2858 2859 static int nf_tables_dump_rules(struct sk_buff *skb, 2860 struct netlink_callback *cb) 2861 { 2862 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2863 const struct nft_rule_dump_ctx *ctx = cb->data; 2864 struct nft_table *table; 2865 const struct nft_chain *chain; 2866 unsigned int idx = 0; 2867 struct net *net = sock_net(skb->sk); 2868 int family = nfmsg->nfgen_family; 2869 2870 rcu_read_lock(); 2871 cb->seq = net->nft.base_seq; 2872 2873 list_for_each_entry_rcu(table, &net->nft.tables, list) { 2874 if (family != NFPROTO_UNSPEC && family != table->family) 2875 continue; 2876 2877 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) 2878 continue; 2879 2880 if (ctx && ctx->table && ctx->chain) { 2881 struct rhlist_head *list, *tmp; 2882 2883 list = rhltable_lookup(&table->chains_ht, ctx->chain, 2884 nft_chain_ht_params); 2885 if (!list) 2886 goto done; 2887 2888 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 2889 if (!nft_is_active(net, chain)) 2890 continue; 2891 __nf_tables_dump_rules(skb, &idx, 2892 cb, table, chain); 2893 break; 2894 } 2895 goto done; 2896 } 2897 2898 list_for_each_entry_rcu(chain, &table->chains, list) { 2899 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain)) 2900 goto done; 2901 } 2902 2903 if (ctx && ctx->table) 2904 break; 2905 } 2906 done: 2907 rcu_read_unlock(); 2908 2909 cb->args[0] = idx; 2910 return skb->len; 2911 } 2912 2913 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 2914 { 2915 const struct nlattr * const *nla = cb->data; 2916 struct nft_rule_dump_ctx *ctx = NULL; 2917 2918 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) { 2919 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC); 2920 if (!ctx) 2921 return -ENOMEM; 2922 2923 if (nla[NFTA_RULE_TABLE]) { 2924 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], 2925 GFP_ATOMIC); 2926 if (!ctx->table) { 2927 kfree(ctx); 2928 return -ENOMEM; 2929 } 2930 } 2931 if (nla[NFTA_RULE_CHAIN]) { 2932 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], 2933 GFP_ATOMIC); 2934 if (!ctx->chain) { 2935 kfree(ctx->table); 2936 kfree(ctx); 2937 return -ENOMEM; 2938 } 2939 } 2940 } 2941 2942 cb->data = ctx; 2943 return 0; 2944 } 2945 2946 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 2947 { 2948 struct nft_rule_dump_ctx *ctx = cb->data; 2949 2950 if (ctx) { 2951 kfree(ctx->table); 2952 kfree(ctx->chain); 2953 kfree(ctx); 2954 } 2955 return 0; 2956 } 2957 2958 /* called with rcu_read_lock held */ 2959 static int nf_tables_getrule(struct net *net, struct sock *nlsk, 2960 struct sk_buff *skb, const struct nlmsghdr *nlh, 2961 const struct nlattr * const nla[], 2962 struct netlink_ext_ack *extack) 2963 { 2964 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2965 u8 genmask = nft_genmask_cur(net); 2966 const struct nft_chain *chain; 2967 const struct nft_rule *rule; 2968 struct nft_table *table; 2969 struct sk_buff *skb2; 2970 int family = nfmsg->nfgen_family; 2971 int err; 2972 2973 if (nlh->nlmsg_flags & NLM_F_DUMP) { 2974 struct netlink_dump_control c = { 2975 .start= nf_tables_dump_rules_start, 2976 .dump = nf_tables_dump_rules, 2977 .done = nf_tables_dump_rules_done, 2978 .module = THIS_MODULE, 2979 .data = (void *)nla, 2980 }; 2981 2982 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 2983 } 2984 2985 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); 2986 if (IS_ERR(table)) { 2987 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 2988 return PTR_ERR(table); 2989 } 2990 2991 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 2992 if (IS_ERR(chain)) { 2993 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 2994 return PTR_ERR(chain); 2995 } 2996 2997 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 2998 if (IS_ERR(rule)) { 2999 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3000 return PTR_ERR(rule); 3001 } 3002 3003 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3004 if (!skb2) 3005 return -ENOMEM; 3006 3007 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, 3008 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 3009 family, table, chain, rule, NULL); 3010 if (err < 0) 3011 goto err_fill_rule_info; 3012 3013 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 3014 3015 err_fill_rule_info: 3016 kfree_skb(skb2); 3017 return err; 3018 } 3019 3020 static void nf_tables_rule_destroy(const struct nft_ctx *ctx, 3021 struct nft_rule *rule) 3022 { 3023 struct nft_expr *expr, *next; 3024 3025 /* 3026 * Careful: some expressions might not be initialized in case this 3027 * is called on error from nf_tables_newrule(). 3028 */ 3029 expr = nft_expr_first(rule); 3030 while (expr != nft_expr_last(rule) && expr->ops) { 3031 next = nft_expr_next(expr); 3032 nf_tables_expr_destroy(ctx, expr); 3033 expr = next; 3034 } 3035 kfree(rule); 3036 } 3037 3038 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 3039 { 3040 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 3041 nf_tables_rule_destroy(ctx, rule); 3042 } 3043 3044 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 3045 { 3046 struct nft_expr *expr, *last; 3047 const struct nft_data *data; 3048 struct nft_rule *rule; 3049 int err; 3050 3051 if (ctx->level == NFT_JUMP_STACK_SIZE) 3052 return -EMLINK; 3053 3054 list_for_each_entry(rule, &chain->rules, list) { 3055 if (!nft_is_active_next(ctx->net, rule)) 3056 continue; 3057 3058 nft_rule_for_each_expr(expr, last, rule) { 3059 if (!expr->ops->validate) 3060 continue; 3061 3062 err = expr->ops->validate(ctx, expr, &data); 3063 if (err < 0) 3064 return err; 3065 } 3066 } 3067 3068 return 0; 3069 } 3070 EXPORT_SYMBOL_GPL(nft_chain_validate); 3071 3072 static int nft_table_validate(struct net *net, const struct nft_table *table) 3073 { 3074 struct nft_chain *chain; 3075 struct nft_ctx ctx = { 3076 .net = net, 3077 .family = table->family, 3078 }; 3079 int err; 3080 3081 list_for_each_entry(chain, &table->chains, list) { 3082 if (!nft_is_base_chain(chain)) 3083 continue; 3084 3085 ctx.chain = chain; 3086 err = nft_chain_validate(&ctx, chain); 3087 if (err < 0) 3088 return err; 3089 } 3090 3091 return 0; 3092 } 3093 3094 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3095 const struct nlattr *nla); 3096 3097 #define NFT_RULE_MAXEXPRS 128 3098 3099 static int nf_tables_newrule(struct net *net, struct sock *nlsk, 3100 struct sk_buff *skb, const struct nlmsghdr *nlh, 3101 const struct nlattr * const nla[], 3102 struct netlink_ext_ack *extack) 3103 { 3104 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3105 u8 genmask = nft_genmask_next(net); 3106 struct nft_expr_info *info = NULL; 3107 int family = nfmsg->nfgen_family; 3108 struct nft_flow_rule *flow; 3109 struct nft_table *table; 3110 struct nft_chain *chain; 3111 struct nft_rule *rule, *old_rule = NULL; 3112 struct nft_userdata *udata; 3113 struct nft_trans *trans = NULL; 3114 struct nft_expr *expr; 3115 struct nft_ctx ctx; 3116 struct nlattr *tmp; 3117 unsigned int size, i, n, ulen = 0, usize = 0; 3118 int err, rem; 3119 u64 handle, pos_handle; 3120 3121 lockdep_assert_held(&net->nft.commit_mutex); 3122 3123 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); 3124 if (IS_ERR(table)) { 3125 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3126 return PTR_ERR(table); 3127 } 3128 3129 if (nla[NFTA_RULE_CHAIN]) { 3130 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3131 genmask); 3132 if (IS_ERR(chain)) { 3133 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3134 return PTR_ERR(chain); 3135 } 3136 if (nft_chain_is_bound(chain)) 3137 return -EOPNOTSUPP; 3138 3139 } else if (nla[NFTA_RULE_CHAIN_ID]) { 3140 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]); 3141 if (IS_ERR(chain)) { 3142 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); 3143 return PTR_ERR(chain); 3144 } 3145 } else { 3146 return -EINVAL; 3147 } 3148 3149 if (nla[NFTA_RULE_HANDLE]) { 3150 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 3151 rule = __nft_rule_lookup(chain, handle); 3152 if (IS_ERR(rule)) { 3153 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3154 return PTR_ERR(rule); 3155 } 3156 3157 if (nlh->nlmsg_flags & NLM_F_EXCL) { 3158 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3159 return -EEXIST; 3160 } 3161 if (nlh->nlmsg_flags & NLM_F_REPLACE) 3162 old_rule = rule; 3163 else 3164 return -EOPNOTSUPP; 3165 } else { 3166 if (!(nlh->nlmsg_flags & NLM_F_CREATE) || 3167 nlh->nlmsg_flags & NLM_F_REPLACE) 3168 return -EINVAL; 3169 handle = nf_tables_alloc_handle(table); 3170 3171 if (chain->use == UINT_MAX) 3172 return -EOVERFLOW; 3173 3174 if (nla[NFTA_RULE_POSITION]) { 3175 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 3176 old_rule = __nft_rule_lookup(chain, pos_handle); 3177 if (IS_ERR(old_rule)) { 3178 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 3179 return PTR_ERR(old_rule); 3180 } 3181 } else if (nla[NFTA_RULE_POSITION_ID]) { 3182 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]); 3183 if (IS_ERR(old_rule)) { 3184 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 3185 return PTR_ERR(old_rule); 3186 } 3187 } 3188 } 3189 3190 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 3191 3192 n = 0; 3193 size = 0; 3194 if (nla[NFTA_RULE_EXPRESSIONS]) { 3195 info = kvmalloc_array(NFT_RULE_MAXEXPRS, 3196 sizeof(struct nft_expr_info), 3197 GFP_KERNEL); 3198 if (!info) 3199 return -ENOMEM; 3200 3201 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 3202 err = -EINVAL; 3203 if (nla_type(tmp) != NFTA_LIST_ELEM) 3204 goto err1; 3205 if (n == NFT_RULE_MAXEXPRS) 3206 goto err1; 3207 err = nf_tables_expr_parse(&ctx, tmp, &info[n]); 3208 if (err < 0) 3209 goto err1; 3210 size += info[n].ops->size; 3211 n++; 3212 } 3213 } 3214 /* Check for overflow of dlen field */ 3215 err = -EFBIG; 3216 if (size >= 1 << 12) 3217 goto err1; 3218 3219 if (nla[NFTA_RULE_USERDATA]) { 3220 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 3221 if (ulen > 0) 3222 usize = sizeof(struct nft_userdata) + ulen; 3223 } 3224 3225 err = -ENOMEM; 3226 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL); 3227 if (rule == NULL) 3228 goto err1; 3229 3230 nft_activate_next(net, rule); 3231 3232 rule->handle = handle; 3233 rule->dlen = size; 3234 rule->udata = ulen ? 1 : 0; 3235 3236 if (ulen) { 3237 udata = nft_userdata(rule); 3238 udata->len = ulen - 1; 3239 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 3240 } 3241 3242 expr = nft_expr_first(rule); 3243 for (i = 0; i < n; i++) { 3244 err = nf_tables_newexpr(&ctx, &info[i], expr); 3245 if (err < 0) { 3246 NL_SET_BAD_ATTR(extack, info[i].attr); 3247 goto err2; 3248 } 3249 3250 if (info[i].ops->validate) 3251 nft_validate_state_update(net, NFT_VALIDATE_NEED); 3252 3253 info[i].ops = NULL; 3254 expr = nft_expr_next(expr); 3255 } 3256 3257 if (nlh->nlmsg_flags & NLM_F_REPLACE) { 3258 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3259 if (trans == NULL) { 3260 err = -ENOMEM; 3261 goto err2; 3262 } 3263 err = nft_delrule(&ctx, old_rule); 3264 if (err < 0) { 3265 nft_trans_destroy(trans); 3266 goto err2; 3267 } 3268 3269 list_add_tail_rcu(&rule->list, &old_rule->list); 3270 } else { 3271 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3272 if (!trans) { 3273 err = -ENOMEM; 3274 goto err2; 3275 } 3276 3277 if (nlh->nlmsg_flags & NLM_F_APPEND) { 3278 if (old_rule) 3279 list_add_rcu(&rule->list, &old_rule->list); 3280 else 3281 list_add_tail_rcu(&rule->list, &chain->rules); 3282 } else { 3283 if (old_rule) 3284 list_add_tail_rcu(&rule->list, &old_rule->list); 3285 else 3286 list_add_rcu(&rule->list, &chain->rules); 3287 } 3288 } 3289 kvfree(info); 3290 chain->use++; 3291 3292 if (net->nft.validate_state == NFT_VALIDATE_DO) 3293 return nft_table_validate(net, table); 3294 3295 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 3296 flow = nft_flow_rule_create(net, rule); 3297 if (IS_ERR(flow)) 3298 return PTR_ERR(flow); 3299 3300 nft_trans_flow_rule(trans) = flow; 3301 } 3302 3303 return 0; 3304 err2: 3305 nf_tables_rule_release(&ctx, rule); 3306 err1: 3307 for (i = 0; i < n; i++) { 3308 if (info[i].ops) { 3309 module_put(info[i].ops->type->owner); 3310 if (info[i].ops->type->release_ops) 3311 info[i].ops->type->release_ops(info[i].ops); 3312 } 3313 } 3314 kvfree(info); 3315 return err; 3316 } 3317 3318 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3319 const struct nlattr *nla) 3320 { 3321 u32 id = ntohl(nla_get_be32(nla)); 3322 struct nft_trans *trans; 3323 3324 list_for_each_entry(trans, &net->nft.commit_list, list) { 3325 struct nft_rule *rule = nft_trans_rule(trans); 3326 3327 if (trans->msg_type == NFT_MSG_NEWRULE && 3328 id == nft_trans_rule_id(trans)) 3329 return rule; 3330 } 3331 return ERR_PTR(-ENOENT); 3332 } 3333 3334 static int nf_tables_delrule(struct net *net, struct sock *nlsk, 3335 struct sk_buff *skb, const struct nlmsghdr *nlh, 3336 const struct nlattr * const nla[], 3337 struct netlink_ext_ack *extack) 3338 { 3339 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3340 u8 genmask = nft_genmask_next(net); 3341 struct nft_table *table; 3342 struct nft_chain *chain = NULL; 3343 struct nft_rule *rule; 3344 int family = nfmsg->nfgen_family, err = 0; 3345 struct nft_ctx ctx; 3346 3347 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); 3348 if (IS_ERR(table)) { 3349 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3350 return PTR_ERR(table); 3351 } 3352 3353 if (nla[NFTA_RULE_CHAIN]) { 3354 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3355 genmask); 3356 if (IS_ERR(chain)) { 3357 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3358 return PTR_ERR(chain); 3359 } 3360 if (nft_chain_is_bound(chain)) 3361 return -EOPNOTSUPP; 3362 } 3363 3364 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 3365 3366 if (chain) { 3367 if (nla[NFTA_RULE_HANDLE]) { 3368 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3369 if (IS_ERR(rule)) { 3370 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3371 return PTR_ERR(rule); 3372 } 3373 3374 err = nft_delrule(&ctx, rule); 3375 } else if (nla[NFTA_RULE_ID]) { 3376 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); 3377 if (IS_ERR(rule)) { 3378 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 3379 return PTR_ERR(rule); 3380 } 3381 3382 err = nft_delrule(&ctx, rule); 3383 } else { 3384 err = nft_delrule_by_chain(&ctx); 3385 } 3386 } else { 3387 list_for_each_entry(chain, &table->chains, list) { 3388 if (!nft_is_active_next(net, chain)) 3389 continue; 3390 3391 ctx.chain = chain; 3392 err = nft_delrule_by_chain(&ctx); 3393 if (err < 0) 3394 break; 3395 } 3396 } 3397 3398 return err; 3399 } 3400 3401 /* 3402 * Sets 3403 */ 3404 static const struct nft_set_type *nft_set_types[] = { 3405 &nft_set_hash_fast_type, 3406 &nft_set_hash_type, 3407 &nft_set_rhash_type, 3408 &nft_set_bitmap_type, 3409 &nft_set_rbtree_type, 3410 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 3411 &nft_set_pipapo_avx2_type, 3412 #endif 3413 &nft_set_pipapo_type, 3414 }; 3415 3416 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 3417 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 3418 NFT_SET_EVAL) 3419 3420 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 3421 { 3422 return (flags & type->features) == (flags & NFT_SET_FEATURES); 3423 } 3424 3425 /* 3426 * Select a set implementation based on the data characteristics and the 3427 * given policy. The total memory use might not be known if no size is 3428 * given, in that case the amount of memory per element is used. 3429 */ 3430 static const struct nft_set_ops * 3431 nft_select_set_ops(const struct nft_ctx *ctx, 3432 const struct nlattr * const nla[], 3433 const struct nft_set_desc *desc, 3434 enum nft_set_policies policy) 3435 { 3436 const struct nft_set_ops *ops, *bops; 3437 struct nft_set_estimate est, best; 3438 const struct nft_set_type *type; 3439 u32 flags = 0; 3440 int i; 3441 3442 lockdep_assert_held(&ctx->net->nft.commit_mutex); 3443 lockdep_nfnl_nft_mutex_not_held(); 3444 3445 if (nla[NFTA_SET_FLAGS] != NULL) 3446 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 3447 3448 bops = NULL; 3449 best.size = ~0; 3450 best.lookup = ~0; 3451 best.space = ~0; 3452 3453 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 3454 type = nft_set_types[i]; 3455 ops = &type->ops; 3456 3457 if (!nft_set_ops_candidate(type, flags)) 3458 continue; 3459 if (!ops->estimate(desc, flags, &est)) 3460 continue; 3461 3462 switch (policy) { 3463 case NFT_SET_POL_PERFORMANCE: 3464 if (est.lookup < best.lookup) 3465 break; 3466 if (est.lookup == best.lookup && 3467 est.space < best.space) 3468 break; 3469 continue; 3470 case NFT_SET_POL_MEMORY: 3471 if (!desc->size) { 3472 if (est.space < best.space) 3473 break; 3474 if (est.space == best.space && 3475 est.lookup < best.lookup) 3476 break; 3477 } else if (est.size < best.size || !bops) { 3478 break; 3479 } 3480 continue; 3481 default: 3482 break; 3483 } 3484 3485 bops = ops; 3486 best = est; 3487 } 3488 3489 if (bops != NULL) 3490 return bops; 3491 3492 return ERR_PTR(-EOPNOTSUPP); 3493 } 3494 3495 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 3496 [NFTA_SET_TABLE] = { .type = NLA_STRING, 3497 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3498 [NFTA_SET_NAME] = { .type = NLA_STRING, 3499 .len = NFT_SET_MAXNAMELEN - 1 }, 3500 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 3501 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 3502 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 3503 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 3504 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 3505 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 3506 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 3507 [NFTA_SET_ID] = { .type = NLA_U32 }, 3508 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 3509 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 3510 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 3511 .len = NFT_USERDATA_MAXLEN }, 3512 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 3513 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 3514 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 3515 }; 3516 3517 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 3518 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 3519 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED }, 3520 }; 3521 3522 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net, 3523 const struct sk_buff *skb, 3524 const struct nlmsghdr *nlh, 3525 const struct nlattr * const nla[], 3526 struct netlink_ext_ack *extack, 3527 u8 genmask) 3528 { 3529 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3530 int family = nfmsg->nfgen_family; 3531 struct nft_table *table = NULL; 3532 3533 if (nla[NFTA_SET_TABLE] != NULL) { 3534 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 3535 genmask); 3536 if (IS_ERR(table)) { 3537 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 3538 return PTR_ERR(table); 3539 } 3540 } 3541 3542 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla); 3543 return 0; 3544 } 3545 3546 static struct nft_set *nft_set_lookup(const struct nft_table *table, 3547 const struct nlattr *nla, u8 genmask) 3548 { 3549 struct nft_set *set; 3550 3551 if (nla == NULL) 3552 return ERR_PTR(-EINVAL); 3553 3554 list_for_each_entry_rcu(set, &table->sets, list) { 3555 if (!nla_strcmp(nla, set->name) && 3556 nft_active_genmask(set, genmask)) 3557 return set; 3558 } 3559 return ERR_PTR(-ENOENT); 3560 } 3561 3562 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 3563 const struct nlattr *nla, 3564 u8 genmask) 3565 { 3566 struct nft_set *set; 3567 3568 list_for_each_entry(set, &table->sets, list) { 3569 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 3570 nft_active_genmask(set, genmask)) 3571 return set; 3572 } 3573 return ERR_PTR(-ENOENT); 3574 } 3575 3576 static struct nft_set *nft_set_lookup_byid(const struct net *net, 3577 const struct nlattr *nla, u8 genmask) 3578 { 3579 struct nft_trans *trans; 3580 u32 id = ntohl(nla_get_be32(nla)); 3581 3582 list_for_each_entry(trans, &net->nft.commit_list, list) { 3583 if (trans->msg_type == NFT_MSG_NEWSET) { 3584 struct nft_set *set = nft_trans_set(trans); 3585 3586 if (id == nft_trans_set_id(trans) && 3587 nft_active_genmask(set, genmask)) 3588 return set; 3589 } 3590 } 3591 return ERR_PTR(-ENOENT); 3592 } 3593 3594 struct nft_set *nft_set_lookup_global(const struct net *net, 3595 const struct nft_table *table, 3596 const struct nlattr *nla_set_name, 3597 const struct nlattr *nla_set_id, 3598 u8 genmask) 3599 { 3600 struct nft_set *set; 3601 3602 set = nft_set_lookup(table, nla_set_name, genmask); 3603 if (IS_ERR(set)) { 3604 if (!nla_set_id) 3605 return set; 3606 3607 set = nft_set_lookup_byid(net, nla_set_id, genmask); 3608 } 3609 return set; 3610 } 3611 EXPORT_SYMBOL_GPL(nft_set_lookup_global); 3612 3613 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 3614 const char *name) 3615 { 3616 const struct nft_set *i; 3617 const char *p; 3618 unsigned long *inuse; 3619 unsigned int n = 0, min = 0; 3620 3621 p = strchr(name, '%'); 3622 if (p != NULL) { 3623 if (p[1] != 'd' || strchr(p + 2, '%')) 3624 return -EINVAL; 3625 3626 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 3627 if (inuse == NULL) 3628 return -ENOMEM; 3629 cont: 3630 list_for_each_entry(i, &ctx->table->sets, list) { 3631 int tmp; 3632 3633 if (!nft_is_active_next(ctx->net, set)) 3634 continue; 3635 if (!sscanf(i->name, name, &tmp)) 3636 continue; 3637 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 3638 continue; 3639 3640 set_bit(tmp - min, inuse); 3641 } 3642 3643 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 3644 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 3645 min += BITS_PER_BYTE * PAGE_SIZE; 3646 memset(inuse, 0, PAGE_SIZE); 3647 goto cont; 3648 } 3649 free_page((unsigned long)inuse); 3650 } 3651 3652 set->name = kasprintf(GFP_KERNEL, name, min + n); 3653 if (!set->name) 3654 return -ENOMEM; 3655 3656 list_for_each_entry(i, &ctx->table->sets, list) { 3657 if (!nft_is_active_next(ctx->net, i)) 3658 continue; 3659 if (!strcmp(set->name, i->name)) { 3660 kfree(set->name); 3661 set->name = NULL; 3662 return -ENFILE; 3663 } 3664 } 3665 return 0; 3666 } 3667 3668 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 3669 { 3670 u64 ms = be64_to_cpu(nla_get_be64(nla)); 3671 u64 max = (u64)(~((u64)0)); 3672 3673 max = div_u64(max, NSEC_PER_MSEC); 3674 if (ms >= max) 3675 return -ERANGE; 3676 3677 ms *= NSEC_PER_MSEC; 3678 *result = nsecs_to_jiffies64(ms); 3679 return 0; 3680 } 3681 3682 static __be64 nf_jiffies64_to_msecs(u64 input) 3683 { 3684 return cpu_to_be64(jiffies64_to_msecs(input)); 3685 } 3686 3687 static int nf_tables_fill_set_concat(struct sk_buff *skb, 3688 const struct nft_set *set) 3689 { 3690 struct nlattr *concat, *field; 3691 int i; 3692 3693 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 3694 if (!concat) 3695 return -ENOMEM; 3696 3697 for (i = 0; i < set->field_count; i++) { 3698 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 3699 if (!field) 3700 return -ENOMEM; 3701 3702 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 3703 htonl(set->field_len[i]))) 3704 return -ENOMEM; 3705 3706 nla_nest_end(skb, field); 3707 } 3708 3709 nla_nest_end(skb, concat); 3710 3711 return 0; 3712 } 3713 3714 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 3715 const struct nft_set *set, u16 event, u16 flags) 3716 { 3717 struct nfgenmsg *nfmsg; 3718 struct nlmsghdr *nlh; 3719 u32 portid = ctx->portid; 3720 struct nlattr *nest; 3721 u32 seq = ctx->seq; 3722 3723 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3724 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 3725 flags); 3726 if (nlh == NULL) 3727 goto nla_put_failure; 3728 3729 nfmsg = nlmsg_data(nlh); 3730 nfmsg->nfgen_family = ctx->family; 3731 nfmsg->version = NFNETLINK_V0; 3732 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 3733 3734 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 3735 goto nla_put_failure; 3736 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 3737 goto nla_put_failure; 3738 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 3739 NFTA_SET_PAD)) 3740 goto nla_put_failure; 3741 if (set->flags != 0) 3742 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 3743 goto nla_put_failure; 3744 3745 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 3746 goto nla_put_failure; 3747 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 3748 goto nla_put_failure; 3749 if (set->flags & NFT_SET_MAP) { 3750 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 3751 goto nla_put_failure; 3752 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 3753 goto nla_put_failure; 3754 } 3755 if (set->flags & NFT_SET_OBJECT && 3756 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 3757 goto nla_put_failure; 3758 3759 if (set->timeout && 3760 nla_put_be64(skb, NFTA_SET_TIMEOUT, 3761 nf_jiffies64_to_msecs(set->timeout), 3762 NFTA_SET_PAD)) 3763 goto nla_put_failure; 3764 if (set->gc_int && 3765 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int))) 3766 goto nla_put_failure; 3767 3768 if (set->policy != NFT_SET_POL_PERFORMANCE) { 3769 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 3770 goto nla_put_failure; 3771 } 3772 3773 if (set->udata && 3774 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 3775 goto nla_put_failure; 3776 3777 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 3778 if (!nest) 3779 goto nla_put_failure; 3780 if (set->size && 3781 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 3782 goto nla_put_failure; 3783 3784 if (set->field_count > 1 && 3785 nf_tables_fill_set_concat(skb, set)) 3786 goto nla_put_failure; 3787 3788 nla_nest_end(skb, nest); 3789 3790 if (set->expr) { 3791 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 3792 if (nf_tables_fill_expr_info(skb, set->expr) < 0) 3793 goto nla_put_failure; 3794 3795 nla_nest_end(skb, nest); 3796 } 3797 3798 nlmsg_end(skb, nlh); 3799 return 0; 3800 3801 nla_put_failure: 3802 nlmsg_trim(skb, nlh); 3803 return -1; 3804 } 3805 3806 static void nf_tables_set_notify(const struct nft_ctx *ctx, 3807 const struct nft_set *set, int event, 3808 gfp_t gfp_flags) 3809 { 3810 struct sk_buff *skb; 3811 u32 portid = ctx->portid; 3812 int err; 3813 char *buf = kasprintf(gfp_flags, "%s:%llu;%s:%llu", 3814 ctx->table->name, ctx->table->handle, 3815 set->name, set->handle); 3816 3817 audit_log_nfcfg(buf, 3818 ctx->family, 3819 set->field_count, 3820 event == NFT_MSG_NEWSET ? 3821 AUDIT_NFT_OP_SET_REGISTER : 3822 AUDIT_NFT_OP_SET_UNREGISTER, 3823 gfp_flags); 3824 kfree(buf); 3825 3826 if (!ctx->report && 3827 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3828 return; 3829 3830 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 3831 if (skb == NULL) 3832 goto err; 3833 3834 err = nf_tables_fill_set(skb, ctx, set, event, 0); 3835 if (err < 0) { 3836 kfree_skb(skb); 3837 goto err; 3838 } 3839 3840 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report, 3841 gfp_flags); 3842 return; 3843 err: 3844 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 3845 } 3846 3847 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 3848 { 3849 const struct nft_set *set; 3850 unsigned int idx, s_idx = cb->args[0]; 3851 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 3852 struct net *net = sock_net(skb->sk); 3853 struct nft_ctx *ctx = cb->data, ctx_set; 3854 3855 if (cb->args[1]) 3856 return skb->len; 3857 3858 rcu_read_lock(); 3859 cb->seq = net->nft.base_seq; 3860 3861 list_for_each_entry_rcu(table, &net->nft.tables, list) { 3862 if (ctx->family != NFPROTO_UNSPEC && 3863 ctx->family != table->family) 3864 continue; 3865 3866 if (ctx->table && ctx->table != table) 3867 continue; 3868 3869 if (cur_table) { 3870 if (cur_table != table) 3871 continue; 3872 3873 cur_table = NULL; 3874 } 3875 idx = 0; 3876 list_for_each_entry_rcu(set, &table->sets, list) { 3877 if (idx < s_idx) 3878 goto cont; 3879 if (!nft_is_active(net, set)) 3880 goto cont; 3881 3882 ctx_set = *ctx; 3883 ctx_set.table = table; 3884 ctx_set.family = table->family; 3885 3886 if (nf_tables_fill_set(skb, &ctx_set, set, 3887 NFT_MSG_NEWSET, 3888 NLM_F_MULTI) < 0) { 3889 cb->args[0] = idx; 3890 cb->args[2] = (unsigned long) table; 3891 goto done; 3892 } 3893 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3894 cont: 3895 idx++; 3896 } 3897 if (s_idx) 3898 s_idx = 0; 3899 } 3900 cb->args[1] = 1; 3901 done: 3902 rcu_read_unlock(); 3903 return skb->len; 3904 } 3905 3906 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 3907 { 3908 struct nft_ctx *ctx_dump = NULL; 3909 3910 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 3911 if (ctx_dump == NULL) 3912 return -ENOMEM; 3913 3914 cb->data = ctx_dump; 3915 return 0; 3916 } 3917 3918 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 3919 { 3920 kfree(cb->data); 3921 return 0; 3922 } 3923 3924 /* called with rcu_read_lock held */ 3925 static int nf_tables_getset(struct net *net, struct sock *nlsk, 3926 struct sk_buff *skb, const struct nlmsghdr *nlh, 3927 const struct nlattr * const nla[], 3928 struct netlink_ext_ack *extack) 3929 { 3930 u8 genmask = nft_genmask_cur(net); 3931 const struct nft_set *set; 3932 struct nft_ctx ctx; 3933 struct sk_buff *skb2; 3934 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3935 int err; 3936 3937 /* Verify existence before starting dump */ 3938 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack, 3939 genmask); 3940 if (err < 0) 3941 return err; 3942 3943 if (nlh->nlmsg_flags & NLM_F_DUMP) { 3944 struct netlink_dump_control c = { 3945 .start = nf_tables_dump_sets_start, 3946 .dump = nf_tables_dump_sets, 3947 .done = nf_tables_dump_sets_done, 3948 .data = &ctx, 3949 .module = THIS_MODULE, 3950 }; 3951 3952 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 3953 } 3954 3955 /* Only accept unspec with dump */ 3956 if (nfmsg->nfgen_family == NFPROTO_UNSPEC) 3957 return -EAFNOSUPPORT; 3958 if (!nla[NFTA_SET_TABLE]) 3959 return -EINVAL; 3960 3961 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask); 3962 if (IS_ERR(set)) 3963 return PTR_ERR(set); 3964 3965 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3966 if (skb2 == NULL) 3967 return -ENOMEM; 3968 3969 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 3970 if (err < 0) 3971 goto err_fill_set_info; 3972 3973 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 3974 3975 err_fill_set_info: 3976 kfree_skb(skb2); 3977 return err; 3978 } 3979 3980 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 3981 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 3982 }; 3983 3984 static int nft_set_desc_concat_parse(const struct nlattr *attr, 3985 struct nft_set_desc *desc) 3986 { 3987 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 3988 u32 len; 3989 int err; 3990 3991 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 3992 nft_concat_policy, NULL); 3993 if (err < 0) 3994 return err; 3995 3996 if (!tb[NFTA_SET_FIELD_LEN]) 3997 return -EINVAL; 3998 3999 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 4000 4001 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT) 4002 return -E2BIG; 4003 4004 desc->field_len[desc->field_count++] = len; 4005 4006 return 0; 4007 } 4008 4009 static int nft_set_desc_concat(struct nft_set_desc *desc, 4010 const struct nlattr *nla) 4011 { 4012 struct nlattr *attr; 4013 int rem, err; 4014 4015 nla_for_each_nested(attr, nla, rem) { 4016 if (nla_type(attr) != NFTA_LIST_ELEM) 4017 return -EINVAL; 4018 4019 err = nft_set_desc_concat_parse(attr, desc); 4020 if (err < 0) 4021 return err; 4022 } 4023 4024 return 0; 4025 } 4026 4027 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 4028 const struct nlattr *nla) 4029 { 4030 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 4031 int err; 4032 4033 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 4034 nft_set_desc_policy, NULL); 4035 if (err < 0) 4036 return err; 4037 4038 if (da[NFTA_SET_DESC_SIZE] != NULL) 4039 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 4040 if (da[NFTA_SET_DESC_CONCAT]) 4041 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 4042 4043 return err; 4044 } 4045 4046 static int nf_tables_newset(struct net *net, struct sock *nlsk, 4047 struct sk_buff *skb, const struct nlmsghdr *nlh, 4048 const struct nlattr * const nla[], 4049 struct netlink_ext_ack *extack) 4050 { 4051 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 4052 u8 genmask = nft_genmask_next(net); 4053 int family = nfmsg->nfgen_family; 4054 const struct nft_set_ops *ops; 4055 struct nft_expr *expr = NULL; 4056 struct nft_table *table; 4057 struct nft_set *set; 4058 struct nft_ctx ctx; 4059 char *name; 4060 u64 size; 4061 u64 timeout; 4062 u32 ktype, dtype, flags, policy, gc_int, objtype; 4063 struct nft_set_desc desc; 4064 unsigned char *udata; 4065 u16 udlen; 4066 int err; 4067 int i; 4068 4069 if (nla[NFTA_SET_TABLE] == NULL || 4070 nla[NFTA_SET_NAME] == NULL || 4071 nla[NFTA_SET_KEY_LEN] == NULL || 4072 nla[NFTA_SET_ID] == NULL) 4073 return -EINVAL; 4074 4075 memset(&desc, 0, sizeof(desc)); 4076 4077 ktype = NFT_DATA_VALUE; 4078 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 4079 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 4080 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 4081 return -EINVAL; 4082 } 4083 4084 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 4085 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 4086 return -EINVAL; 4087 4088 flags = 0; 4089 if (nla[NFTA_SET_FLAGS] != NULL) { 4090 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 4091 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 4092 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 4093 NFT_SET_MAP | NFT_SET_EVAL | 4094 NFT_SET_OBJECT | NFT_SET_CONCAT)) 4095 return -EOPNOTSUPP; 4096 /* Only one of these operations is supported */ 4097 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 4098 (NFT_SET_MAP | NFT_SET_OBJECT)) 4099 return -EOPNOTSUPP; 4100 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 4101 (NFT_SET_EVAL | NFT_SET_OBJECT)) 4102 return -EOPNOTSUPP; 4103 } 4104 4105 dtype = 0; 4106 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 4107 if (!(flags & NFT_SET_MAP)) 4108 return -EINVAL; 4109 4110 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 4111 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 4112 dtype != NFT_DATA_VERDICT) 4113 return -EINVAL; 4114 4115 if (dtype != NFT_DATA_VERDICT) { 4116 if (nla[NFTA_SET_DATA_LEN] == NULL) 4117 return -EINVAL; 4118 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 4119 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 4120 return -EINVAL; 4121 } else 4122 desc.dlen = sizeof(struct nft_verdict); 4123 } else if (flags & NFT_SET_MAP) 4124 return -EINVAL; 4125 4126 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 4127 if (!(flags & NFT_SET_OBJECT)) 4128 return -EINVAL; 4129 4130 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 4131 if (objtype == NFT_OBJECT_UNSPEC || 4132 objtype > NFT_OBJECT_MAX) 4133 return -EOPNOTSUPP; 4134 } else if (flags & NFT_SET_OBJECT) 4135 return -EINVAL; 4136 else 4137 objtype = NFT_OBJECT_UNSPEC; 4138 4139 timeout = 0; 4140 if (nla[NFTA_SET_TIMEOUT] != NULL) { 4141 if (!(flags & NFT_SET_TIMEOUT)) 4142 return -EINVAL; 4143 4144 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout); 4145 if (err) 4146 return err; 4147 } 4148 gc_int = 0; 4149 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 4150 if (!(flags & NFT_SET_TIMEOUT)) 4151 return -EINVAL; 4152 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 4153 } 4154 4155 policy = NFT_SET_POL_PERFORMANCE; 4156 if (nla[NFTA_SET_POLICY] != NULL) 4157 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 4158 4159 if (nla[NFTA_SET_DESC] != NULL) { 4160 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 4161 if (err < 0) 4162 return err; 4163 } 4164 4165 if (nla[NFTA_SET_EXPR]) 4166 desc.expr = true; 4167 4168 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask); 4169 if (IS_ERR(table)) { 4170 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4171 return PTR_ERR(table); 4172 } 4173 4174 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 4175 4176 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4177 if (IS_ERR(set)) { 4178 if (PTR_ERR(set) != -ENOENT) { 4179 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4180 return PTR_ERR(set); 4181 } 4182 } else { 4183 if (nlh->nlmsg_flags & NLM_F_EXCL) { 4184 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4185 return -EEXIST; 4186 } 4187 if (nlh->nlmsg_flags & NLM_F_REPLACE) 4188 return -EOPNOTSUPP; 4189 4190 return 0; 4191 } 4192 4193 if (!(nlh->nlmsg_flags & NLM_F_CREATE)) 4194 return -ENOENT; 4195 4196 ops = nft_select_set_ops(&ctx, nla, &desc, policy); 4197 if (IS_ERR(ops)) 4198 return PTR_ERR(ops); 4199 4200 udlen = 0; 4201 if (nla[NFTA_SET_USERDATA]) 4202 udlen = nla_len(nla[NFTA_SET_USERDATA]); 4203 4204 size = 0; 4205 if (ops->privsize != NULL) 4206 size = ops->privsize(nla, &desc); 4207 4208 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL); 4209 if (!set) 4210 return -ENOMEM; 4211 4212 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL); 4213 if (!name) { 4214 err = -ENOMEM; 4215 goto err_set_name; 4216 } 4217 4218 err = nf_tables_set_alloc_name(&ctx, set, name); 4219 kfree(name); 4220 if (err < 0) 4221 goto err_set_alloc_name; 4222 4223 if (nla[NFTA_SET_EXPR]) { 4224 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]); 4225 if (IS_ERR(expr)) { 4226 err = PTR_ERR(expr); 4227 goto err_set_alloc_name; 4228 } 4229 } 4230 4231 udata = NULL; 4232 if (udlen) { 4233 udata = set->data + size; 4234 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 4235 } 4236 4237 INIT_LIST_HEAD(&set->bindings); 4238 set->table = table; 4239 write_pnet(&set->net, net); 4240 set->ops = ops; 4241 set->ktype = ktype; 4242 set->klen = desc.klen; 4243 set->dtype = dtype; 4244 set->objtype = objtype; 4245 set->dlen = desc.dlen; 4246 set->expr = expr; 4247 set->flags = flags; 4248 set->size = desc.size; 4249 set->policy = policy; 4250 set->udlen = udlen; 4251 set->udata = udata; 4252 set->timeout = timeout; 4253 set->gc_int = gc_int; 4254 set->handle = nf_tables_alloc_handle(table); 4255 4256 set->field_count = desc.field_count; 4257 for (i = 0; i < desc.field_count; i++) 4258 set->field_len[i] = desc.field_len[i]; 4259 4260 err = ops->init(set, &desc, nla); 4261 if (err < 0) 4262 goto err_set_init; 4263 4264 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 4265 if (err < 0) 4266 goto err_set_trans; 4267 4268 list_add_tail_rcu(&set->list, &table->sets); 4269 table->use++; 4270 return 0; 4271 4272 err_set_trans: 4273 ops->destroy(set); 4274 err_set_init: 4275 if (expr) 4276 nft_expr_destroy(&ctx, expr); 4277 err_set_alloc_name: 4278 kfree(set->name); 4279 err_set_name: 4280 kvfree(set); 4281 return err; 4282 } 4283 4284 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 4285 { 4286 if (WARN_ON(set->use > 0)) 4287 return; 4288 4289 if (set->expr) 4290 nft_expr_destroy(ctx, set->expr); 4291 4292 set->ops->destroy(set); 4293 kfree(set->name); 4294 kvfree(set); 4295 } 4296 4297 static int nf_tables_delset(struct net *net, struct sock *nlsk, 4298 struct sk_buff *skb, const struct nlmsghdr *nlh, 4299 const struct nlattr * const nla[], 4300 struct netlink_ext_ack *extack) 4301 { 4302 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 4303 u8 genmask = nft_genmask_next(net); 4304 const struct nlattr *attr; 4305 struct nft_set *set; 4306 struct nft_ctx ctx; 4307 int err; 4308 4309 if (nfmsg->nfgen_family == NFPROTO_UNSPEC) 4310 return -EAFNOSUPPORT; 4311 if (nla[NFTA_SET_TABLE] == NULL) 4312 return -EINVAL; 4313 4314 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack, 4315 genmask); 4316 if (err < 0) 4317 return err; 4318 4319 if (nla[NFTA_SET_HANDLE]) { 4320 attr = nla[NFTA_SET_HANDLE]; 4321 set = nft_set_lookup_byhandle(ctx.table, attr, genmask); 4322 } else { 4323 attr = nla[NFTA_SET_NAME]; 4324 set = nft_set_lookup(ctx.table, attr, genmask); 4325 } 4326 4327 if (IS_ERR(set)) { 4328 NL_SET_BAD_ATTR(extack, attr); 4329 return PTR_ERR(set); 4330 } 4331 if (set->use || 4332 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) { 4333 NL_SET_BAD_ATTR(extack, attr); 4334 return -EBUSY; 4335 } 4336 4337 return nft_delset(&ctx, set); 4338 } 4339 4340 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 4341 struct nft_set *set, 4342 const struct nft_set_iter *iter, 4343 struct nft_set_elem *elem) 4344 { 4345 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4346 enum nft_registers dreg; 4347 4348 dreg = nft_type_to_reg(set->dtype); 4349 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 4350 set->dtype == NFT_DATA_VERDICT ? 4351 NFT_DATA_VERDICT : NFT_DATA_VALUE, 4352 set->dlen); 4353 } 4354 4355 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 4356 struct nft_set_binding *binding) 4357 { 4358 struct nft_set_binding *i; 4359 struct nft_set_iter iter; 4360 4361 if (set->use == UINT_MAX) 4362 return -EOVERFLOW; 4363 4364 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4365 return -EBUSY; 4366 4367 if (binding->flags & NFT_SET_MAP) { 4368 /* If the set is already bound to the same chain all 4369 * jumps are already validated for that chain. 4370 */ 4371 list_for_each_entry(i, &set->bindings, list) { 4372 if (i->flags & NFT_SET_MAP && 4373 i->chain == binding->chain) 4374 goto bind; 4375 } 4376 4377 iter.genmask = nft_genmask_next(ctx->net); 4378 iter.skip = 0; 4379 iter.count = 0; 4380 iter.err = 0; 4381 iter.fn = nf_tables_bind_check_setelem; 4382 4383 set->ops->walk(ctx, set, &iter); 4384 if (iter.err < 0) 4385 return iter.err; 4386 } 4387 bind: 4388 binding->chain = ctx->chain; 4389 list_add_tail_rcu(&binding->list, &set->bindings); 4390 nft_set_trans_bind(ctx, set); 4391 set->use++; 4392 4393 return 0; 4394 } 4395 EXPORT_SYMBOL_GPL(nf_tables_bind_set); 4396 4397 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 4398 struct nft_set_binding *binding, bool event) 4399 { 4400 list_del_rcu(&binding->list); 4401 4402 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 4403 list_del_rcu(&set->list); 4404 if (event) 4405 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 4406 GFP_KERNEL); 4407 } 4408 } 4409 4410 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 4411 struct nft_set_binding *binding, 4412 enum nft_trans_phase phase) 4413 { 4414 switch (phase) { 4415 case NFT_TRANS_PREPARE: 4416 set->use--; 4417 return; 4418 case NFT_TRANS_ABORT: 4419 case NFT_TRANS_RELEASE: 4420 set->use--; 4421 fallthrough; 4422 default: 4423 nf_tables_unbind_set(ctx, set, binding, 4424 phase == NFT_TRANS_COMMIT); 4425 } 4426 } 4427 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 4428 4429 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 4430 { 4431 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4432 nft_set_destroy(ctx, set); 4433 } 4434 EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 4435 4436 const struct nft_set_ext_type nft_set_ext_types[] = { 4437 [NFT_SET_EXT_KEY] = { 4438 .align = __alignof__(u32), 4439 }, 4440 [NFT_SET_EXT_DATA] = { 4441 .align = __alignof__(u32), 4442 }, 4443 [NFT_SET_EXT_EXPR] = { 4444 .align = __alignof__(struct nft_expr), 4445 }, 4446 [NFT_SET_EXT_OBJREF] = { 4447 .len = sizeof(struct nft_object *), 4448 .align = __alignof__(struct nft_object *), 4449 }, 4450 [NFT_SET_EXT_FLAGS] = { 4451 .len = sizeof(u8), 4452 .align = __alignof__(u8), 4453 }, 4454 [NFT_SET_EXT_TIMEOUT] = { 4455 .len = sizeof(u64), 4456 .align = __alignof__(u64), 4457 }, 4458 [NFT_SET_EXT_EXPIRATION] = { 4459 .len = sizeof(u64), 4460 .align = __alignof__(u64), 4461 }, 4462 [NFT_SET_EXT_USERDATA] = { 4463 .len = sizeof(struct nft_userdata), 4464 .align = __alignof__(struct nft_userdata), 4465 }, 4466 [NFT_SET_EXT_KEY_END] = { 4467 .align = __alignof__(u32), 4468 }, 4469 }; 4470 4471 /* 4472 * Set elements 4473 */ 4474 4475 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 4476 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 4477 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 4478 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 4479 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 4480 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 4481 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 4482 .len = NFT_USERDATA_MAXLEN }, 4483 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 4484 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 4485 .len = NFT_OBJ_MAXNAMELEN - 1 }, 4486 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 4487 }; 4488 4489 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 4490 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 4491 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4492 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 4493 .len = NFT_SET_MAXNAMELEN - 1 }, 4494 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED }, 4495 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 4496 }; 4497 4498 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net, 4499 const struct sk_buff *skb, 4500 const struct nlmsghdr *nlh, 4501 const struct nlattr * const nla[], 4502 struct netlink_ext_ack *extack, 4503 u8 genmask) 4504 { 4505 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 4506 int family = nfmsg->nfgen_family; 4507 struct nft_table *table; 4508 4509 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 4510 genmask); 4511 if (IS_ERR(table)) { 4512 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 4513 return PTR_ERR(table); 4514 } 4515 4516 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla); 4517 return 0; 4518 } 4519 4520 static int nf_tables_fill_setelem(struct sk_buff *skb, 4521 const struct nft_set *set, 4522 const struct nft_set_elem *elem) 4523 { 4524 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4525 unsigned char *b = skb_tail_pointer(skb); 4526 struct nlattr *nest; 4527 4528 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4529 if (nest == NULL) 4530 goto nla_put_failure; 4531 4532 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 4533 NFT_DATA_VALUE, set->klen) < 0) 4534 goto nla_put_failure; 4535 4536 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 4537 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 4538 NFT_DATA_VALUE, set->klen) < 0) 4539 goto nla_put_failure; 4540 4541 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 4542 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 4543 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, 4544 set->dlen) < 0) 4545 goto nla_put_failure; 4546 4547 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) && 4548 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0) 4549 goto nla_put_failure; 4550 4551 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 4552 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 4553 (*nft_set_ext_obj(ext))->key.name) < 0) 4554 goto nla_put_failure; 4555 4556 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 4557 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 4558 htonl(*nft_set_ext_flags(ext)))) 4559 goto nla_put_failure; 4560 4561 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 4562 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 4563 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)), 4564 NFTA_SET_ELEM_PAD)) 4565 goto nla_put_failure; 4566 4567 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 4568 u64 expires, now = get_jiffies_64(); 4569 4570 expires = *nft_set_ext_expiration(ext); 4571 if (time_before64(now, expires)) 4572 expires -= now; 4573 else 4574 expires = 0; 4575 4576 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 4577 nf_jiffies64_to_msecs(expires), 4578 NFTA_SET_ELEM_PAD)) 4579 goto nla_put_failure; 4580 } 4581 4582 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 4583 struct nft_userdata *udata; 4584 4585 udata = nft_set_ext_userdata(ext); 4586 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 4587 udata->len + 1, udata->data)) 4588 goto nla_put_failure; 4589 } 4590 4591 nla_nest_end(skb, nest); 4592 return 0; 4593 4594 nla_put_failure: 4595 nlmsg_trim(skb, b); 4596 return -EMSGSIZE; 4597 } 4598 4599 struct nft_set_dump_args { 4600 const struct netlink_callback *cb; 4601 struct nft_set_iter iter; 4602 struct sk_buff *skb; 4603 }; 4604 4605 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 4606 struct nft_set *set, 4607 const struct nft_set_iter *iter, 4608 struct nft_set_elem *elem) 4609 { 4610 struct nft_set_dump_args *args; 4611 4612 args = container_of(iter, struct nft_set_dump_args, iter); 4613 return nf_tables_fill_setelem(args->skb, set, elem); 4614 } 4615 4616 struct nft_set_dump_ctx { 4617 const struct nft_set *set; 4618 struct nft_ctx ctx; 4619 }; 4620 4621 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 4622 { 4623 struct nft_set_dump_ctx *dump_ctx = cb->data; 4624 struct net *net = sock_net(skb->sk); 4625 struct nft_table *table; 4626 struct nft_set *set; 4627 struct nft_set_dump_args args; 4628 bool set_found = false; 4629 struct nfgenmsg *nfmsg; 4630 struct nlmsghdr *nlh; 4631 struct nlattr *nest; 4632 u32 portid, seq; 4633 int event; 4634 4635 rcu_read_lock(); 4636 list_for_each_entry_rcu(table, &net->nft.tables, list) { 4637 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 4638 dump_ctx->ctx.family != table->family) 4639 continue; 4640 4641 if (table != dump_ctx->ctx.table) 4642 continue; 4643 4644 list_for_each_entry_rcu(set, &table->sets, list) { 4645 if (set == dump_ctx->set) { 4646 set_found = true; 4647 break; 4648 } 4649 } 4650 break; 4651 } 4652 4653 if (!set_found) { 4654 rcu_read_unlock(); 4655 return -ENOENT; 4656 } 4657 4658 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 4659 portid = NETLINK_CB(cb->skb).portid; 4660 seq = cb->nlh->nlmsg_seq; 4661 4662 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 4663 NLM_F_MULTI); 4664 if (nlh == NULL) 4665 goto nla_put_failure; 4666 4667 nfmsg = nlmsg_data(nlh); 4668 nfmsg->nfgen_family = table->family; 4669 nfmsg->version = NFNETLINK_V0; 4670 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 4671 4672 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 4673 goto nla_put_failure; 4674 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 4675 goto nla_put_failure; 4676 4677 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 4678 if (nest == NULL) 4679 goto nla_put_failure; 4680 4681 args.cb = cb; 4682 args.skb = skb; 4683 args.iter.genmask = nft_genmask_cur(net); 4684 args.iter.skip = cb->args[0]; 4685 args.iter.count = 0; 4686 args.iter.err = 0; 4687 args.iter.fn = nf_tables_dump_setelem; 4688 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 4689 rcu_read_unlock(); 4690 4691 nla_nest_end(skb, nest); 4692 nlmsg_end(skb, nlh); 4693 4694 if (args.iter.err && args.iter.err != -EMSGSIZE) 4695 return args.iter.err; 4696 if (args.iter.count == cb->args[0]) 4697 return 0; 4698 4699 cb->args[0] = args.iter.count; 4700 return skb->len; 4701 4702 nla_put_failure: 4703 rcu_read_unlock(); 4704 return -ENOSPC; 4705 } 4706 4707 static int nf_tables_dump_set_start(struct netlink_callback *cb) 4708 { 4709 struct nft_set_dump_ctx *dump_ctx = cb->data; 4710 4711 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 4712 4713 return cb->data ? 0 : -ENOMEM; 4714 } 4715 4716 static int nf_tables_dump_set_done(struct netlink_callback *cb) 4717 { 4718 kfree(cb->data); 4719 return 0; 4720 } 4721 4722 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 4723 const struct nft_ctx *ctx, u32 seq, 4724 u32 portid, int event, u16 flags, 4725 const struct nft_set *set, 4726 const struct nft_set_elem *elem) 4727 { 4728 struct nfgenmsg *nfmsg; 4729 struct nlmsghdr *nlh; 4730 struct nlattr *nest; 4731 int err; 4732 4733 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 4734 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 4735 flags); 4736 if (nlh == NULL) 4737 goto nla_put_failure; 4738 4739 nfmsg = nlmsg_data(nlh); 4740 nfmsg->nfgen_family = ctx->family; 4741 nfmsg->version = NFNETLINK_V0; 4742 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 4743 4744 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 4745 goto nla_put_failure; 4746 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 4747 goto nla_put_failure; 4748 4749 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 4750 if (nest == NULL) 4751 goto nla_put_failure; 4752 4753 err = nf_tables_fill_setelem(skb, set, elem); 4754 if (err < 0) 4755 goto nla_put_failure; 4756 4757 nla_nest_end(skb, nest); 4758 4759 nlmsg_end(skb, nlh); 4760 return 0; 4761 4762 nla_put_failure: 4763 nlmsg_trim(skb, nlh); 4764 return -1; 4765 } 4766 4767 static int nft_setelem_parse_flags(const struct nft_set *set, 4768 const struct nlattr *attr, u32 *flags) 4769 { 4770 if (attr == NULL) 4771 return 0; 4772 4773 *flags = ntohl(nla_get_be32(attr)); 4774 if (*flags & ~NFT_SET_ELEM_INTERVAL_END) 4775 return -EINVAL; 4776 if (!(set->flags & NFT_SET_INTERVAL) && 4777 *flags & NFT_SET_ELEM_INTERVAL_END) 4778 return -EINVAL; 4779 4780 return 0; 4781 } 4782 4783 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set, 4784 struct nft_data *key, struct nlattr *attr) 4785 { 4786 struct nft_data_desc desc; 4787 int err; 4788 4789 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr); 4790 if (err < 0) 4791 return err; 4792 4793 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) { 4794 nft_data_release(key, desc.type); 4795 return -EINVAL; 4796 } 4797 4798 return 0; 4799 } 4800 4801 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 4802 struct nft_data_desc *desc, 4803 struct nft_data *data, 4804 struct nlattr *attr) 4805 { 4806 int err; 4807 4808 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr); 4809 if (err < 0) 4810 return err; 4811 4812 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) { 4813 nft_data_release(data, desc->type); 4814 return -EINVAL; 4815 } 4816 4817 return 0; 4818 } 4819 4820 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, 4821 const struct nlattr *attr) 4822 { 4823 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 4824 struct nft_set_elem elem; 4825 struct sk_buff *skb; 4826 uint32_t flags = 0; 4827 void *priv; 4828 int err; 4829 4830 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 4831 nft_set_elem_policy, NULL); 4832 if (err < 0) 4833 return err; 4834 4835 if (!nla[NFTA_SET_ELEM_KEY]) 4836 return -EINVAL; 4837 4838 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 4839 if (err < 0) 4840 return err; 4841 4842 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 4843 nla[NFTA_SET_ELEM_KEY]); 4844 if (err < 0) 4845 return err; 4846 4847 if (nla[NFTA_SET_ELEM_KEY_END]) { 4848 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 4849 nla[NFTA_SET_ELEM_KEY_END]); 4850 if (err < 0) 4851 return err; 4852 } 4853 4854 priv = set->ops->get(ctx->net, set, &elem, flags); 4855 if (IS_ERR(priv)) 4856 return PTR_ERR(priv); 4857 4858 elem.priv = priv; 4859 4860 err = -ENOMEM; 4861 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 4862 if (skb == NULL) 4863 return err; 4864 4865 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 4866 NFT_MSG_NEWSETELEM, 0, set, &elem); 4867 if (err < 0) 4868 goto err_fill_setelem; 4869 4870 return nfnetlink_unicast(skb, ctx->net, ctx->portid); 4871 4872 err_fill_setelem: 4873 kfree_skb(skb); 4874 return err; 4875 } 4876 4877 /* called with rcu_read_lock held */ 4878 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk, 4879 struct sk_buff *skb, const struct nlmsghdr *nlh, 4880 const struct nlattr * const nla[], 4881 struct netlink_ext_ack *extack) 4882 { 4883 u8 genmask = nft_genmask_cur(net); 4884 struct nft_set *set; 4885 struct nlattr *attr; 4886 struct nft_ctx ctx; 4887 int rem, err = 0; 4888 4889 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 4890 genmask); 4891 if (err < 0) 4892 return err; 4893 4894 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 4895 if (IS_ERR(set)) 4896 return PTR_ERR(set); 4897 4898 if (nlh->nlmsg_flags & NLM_F_DUMP) { 4899 struct netlink_dump_control c = { 4900 .start = nf_tables_dump_set_start, 4901 .dump = nf_tables_dump_set, 4902 .done = nf_tables_dump_set_done, 4903 .module = THIS_MODULE, 4904 }; 4905 struct nft_set_dump_ctx dump_ctx = { 4906 .set = set, 4907 .ctx = ctx, 4908 }; 4909 4910 c.data = &dump_ctx; 4911 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 4912 } 4913 4914 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 4915 return -EINVAL; 4916 4917 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 4918 err = nft_get_set_elem(&ctx, set, attr); 4919 if (err < 0) 4920 break; 4921 } 4922 4923 return err; 4924 } 4925 4926 static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 4927 const struct nft_set *set, 4928 const struct nft_set_elem *elem, 4929 int event, u16 flags) 4930 { 4931 struct net *net = ctx->net; 4932 u32 portid = ctx->portid; 4933 struct sk_buff *skb; 4934 int err; 4935 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 4936 ctx->table->name, ctx->table->handle, 4937 set->name, set->handle); 4938 4939 audit_log_nfcfg(buf, 4940 ctx->family, 4941 set->handle, 4942 event == NFT_MSG_NEWSETELEM ? 4943 AUDIT_NFT_OP_SETELEM_REGISTER : 4944 AUDIT_NFT_OP_SETELEM_UNREGISTER, 4945 GFP_KERNEL); 4946 kfree(buf); 4947 4948 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 4949 return; 4950 4951 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 4952 if (skb == NULL) 4953 goto err; 4954 4955 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 4956 set, elem); 4957 if (err < 0) { 4958 kfree_skb(skb); 4959 goto err; 4960 } 4961 4962 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report, 4963 GFP_KERNEL); 4964 return; 4965 err: 4966 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 4967 } 4968 4969 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 4970 int msg_type, 4971 struct nft_set *set) 4972 { 4973 struct nft_trans *trans; 4974 4975 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 4976 if (trans == NULL) 4977 return NULL; 4978 4979 nft_trans_elem_set(trans) = set; 4980 return trans; 4981 } 4982 4983 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 4984 const struct nft_set *set, 4985 const struct nlattr *attr) 4986 { 4987 struct nft_expr *expr; 4988 int err; 4989 4990 expr = nft_expr_init(ctx, attr); 4991 if (IS_ERR(expr)) 4992 return expr; 4993 4994 err = -EOPNOTSUPP; 4995 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL)) 4996 goto err_set_elem_expr; 4997 4998 if (expr->ops->type->flags & NFT_EXPR_GC) { 4999 if (set->flags & NFT_SET_TIMEOUT) 5000 goto err_set_elem_expr; 5001 if (!set->ops->gc_init) 5002 goto err_set_elem_expr; 5003 set->ops->gc_init(set); 5004 } 5005 5006 return expr; 5007 5008 err_set_elem_expr: 5009 nft_expr_destroy(ctx, expr); 5010 return ERR_PTR(err); 5011 } 5012 5013 void *nft_set_elem_init(const struct nft_set *set, 5014 const struct nft_set_ext_tmpl *tmpl, 5015 const u32 *key, const u32 *key_end, 5016 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp) 5017 { 5018 struct nft_set_ext *ext; 5019 void *elem; 5020 5021 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 5022 if (elem == NULL) 5023 return NULL; 5024 5025 ext = nft_set_elem_ext(set, elem); 5026 nft_set_ext_init(ext, tmpl); 5027 5028 memcpy(nft_set_ext_key(ext), key, set->klen); 5029 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) 5030 memcpy(nft_set_ext_key_end(ext), key_end, set->klen); 5031 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5032 memcpy(nft_set_ext_data(ext), data, set->dlen); 5033 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 5034 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration; 5035 if (expiration == 0) 5036 *nft_set_ext_expiration(ext) += timeout; 5037 } 5038 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 5039 *nft_set_ext_timeout(ext) = timeout; 5040 5041 return elem; 5042 } 5043 5044 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 5045 struct nft_expr *expr) 5046 { 5047 if (expr->ops->destroy_clone) { 5048 expr->ops->destroy_clone(ctx, expr); 5049 module_put(expr->ops->type->owner); 5050 } else { 5051 nf_tables_expr_destroy(ctx, expr); 5052 } 5053 } 5054 5055 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 5056 bool destroy_expr) 5057 { 5058 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5059 struct nft_ctx ctx = { 5060 .net = read_pnet(&set->net), 5061 .family = set->table->family, 5062 }; 5063 5064 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 5065 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5066 nft_data_release(nft_set_ext_data(ext), set->dtype); 5067 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) 5068 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext)); 5069 5070 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5071 (*nft_set_ext_obj(ext))->use--; 5072 kfree(elem); 5073 } 5074 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 5075 5076 /* Only called from commit path, nft_set_elem_deactivate() already deals with 5077 * the refcounting from the preparation phase. 5078 */ 5079 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 5080 const struct nft_set *set, void *elem) 5081 { 5082 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5083 5084 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) 5085 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 5086 5087 kfree(elem); 5088 } 5089 5090 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 5091 const struct nlattr *attr, u32 nlmsg_flags) 5092 { 5093 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5094 u8 genmask = nft_genmask_next(ctx->net); 5095 struct nft_set_ext_tmpl tmpl; 5096 struct nft_set_ext *ext, *ext2; 5097 struct nft_set_elem elem; 5098 struct nft_set_binding *binding; 5099 struct nft_object *obj = NULL; 5100 struct nft_expr *expr = NULL; 5101 struct nft_userdata *udata; 5102 struct nft_data_desc desc; 5103 enum nft_registers dreg; 5104 struct nft_trans *trans; 5105 u32 flags = 0; 5106 u64 timeout; 5107 u64 expiration; 5108 u8 ulen; 5109 int err; 5110 5111 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5112 nft_set_elem_policy, NULL); 5113 if (err < 0) 5114 return err; 5115 5116 if (nla[NFTA_SET_ELEM_KEY] == NULL) 5117 return -EINVAL; 5118 5119 nft_set_ext_prepare(&tmpl); 5120 5121 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5122 if (err < 0) 5123 return err; 5124 if (flags != 0) 5125 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 5126 5127 if (set->flags & NFT_SET_MAP) { 5128 if (nla[NFTA_SET_ELEM_DATA] == NULL && 5129 !(flags & NFT_SET_ELEM_INTERVAL_END)) 5130 return -EINVAL; 5131 } else { 5132 if (nla[NFTA_SET_ELEM_DATA] != NULL) 5133 return -EINVAL; 5134 } 5135 5136 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 5137 (nla[NFTA_SET_ELEM_DATA] || 5138 nla[NFTA_SET_ELEM_OBJREF] || 5139 nla[NFTA_SET_ELEM_TIMEOUT] || 5140 nla[NFTA_SET_ELEM_EXPIRATION] || 5141 nla[NFTA_SET_ELEM_USERDATA] || 5142 nla[NFTA_SET_ELEM_EXPR])) 5143 return -EINVAL; 5144 5145 timeout = 0; 5146 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 5147 if (!(set->flags & NFT_SET_TIMEOUT)) 5148 return -EINVAL; 5149 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 5150 &timeout); 5151 if (err) 5152 return err; 5153 } else if (set->flags & NFT_SET_TIMEOUT) { 5154 timeout = set->timeout; 5155 } 5156 5157 expiration = 0; 5158 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 5159 if (!(set->flags & NFT_SET_TIMEOUT)) 5160 return -EINVAL; 5161 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 5162 &expiration); 5163 if (err) 5164 return err; 5165 } 5166 5167 if (nla[NFTA_SET_ELEM_EXPR] != NULL) { 5168 expr = nft_set_elem_expr_alloc(ctx, set, 5169 nla[NFTA_SET_ELEM_EXPR]); 5170 if (IS_ERR(expr)) 5171 return PTR_ERR(expr); 5172 5173 err = -EOPNOTSUPP; 5174 if (set->expr && set->expr->ops != expr->ops) 5175 goto err_set_elem_expr; 5176 } else if (set->expr) { 5177 expr = kzalloc(set->expr->ops->size, GFP_KERNEL); 5178 if (!expr) 5179 return -ENOMEM; 5180 5181 err = nft_expr_clone(expr, set->expr); 5182 if (err < 0) 5183 goto err_set_elem_expr; 5184 } 5185 5186 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5187 nla[NFTA_SET_ELEM_KEY]); 5188 if (err < 0) 5189 goto err_set_elem_expr; 5190 5191 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 5192 5193 if (nla[NFTA_SET_ELEM_KEY_END]) { 5194 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5195 nla[NFTA_SET_ELEM_KEY_END]); 5196 if (err < 0) 5197 goto err_parse_key; 5198 5199 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 5200 } 5201 5202 if (timeout > 0) { 5203 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION); 5204 if (timeout != set->timeout) 5205 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 5206 } 5207 5208 if (expr) 5209 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR, 5210 expr->ops->size); 5211 5212 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 5213 if (!(set->flags & NFT_SET_OBJECT)) { 5214 err = -EINVAL; 5215 goto err_parse_key_end; 5216 } 5217 obj = nft_obj_lookup(ctx->net, ctx->table, 5218 nla[NFTA_SET_ELEM_OBJREF], 5219 set->objtype, genmask); 5220 if (IS_ERR(obj)) { 5221 err = PTR_ERR(obj); 5222 goto err_parse_key_end; 5223 } 5224 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 5225 } 5226 5227 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 5228 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 5229 nla[NFTA_SET_ELEM_DATA]); 5230 if (err < 0) 5231 goto err_parse_key_end; 5232 5233 dreg = nft_type_to_reg(set->dtype); 5234 list_for_each_entry(binding, &set->bindings, list) { 5235 struct nft_ctx bind_ctx = { 5236 .net = ctx->net, 5237 .family = ctx->family, 5238 .table = ctx->table, 5239 .chain = (struct nft_chain *)binding->chain, 5240 }; 5241 5242 if (!(binding->flags & NFT_SET_MAP)) 5243 continue; 5244 5245 err = nft_validate_register_store(&bind_ctx, dreg, 5246 &elem.data.val, 5247 desc.type, desc.len); 5248 if (err < 0) 5249 goto err_parse_data; 5250 5251 if (desc.type == NFT_DATA_VERDICT && 5252 (elem.data.val.verdict.code == NFT_GOTO || 5253 elem.data.val.verdict.code == NFT_JUMP)) 5254 nft_validate_state_update(ctx->net, 5255 NFT_VALIDATE_NEED); 5256 } 5257 5258 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 5259 } 5260 5261 /* The full maximum length of userdata can exceed the maximum 5262 * offset value (U8_MAX) for following extensions, therefor it 5263 * must be the last extension added. 5264 */ 5265 ulen = 0; 5266 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 5267 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 5268 if (ulen > 0) 5269 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 5270 ulen); 5271 } 5272 5273 err = -ENOMEM; 5274 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 5275 elem.key_end.val.data, elem.data.val.data, 5276 timeout, expiration, GFP_KERNEL); 5277 if (elem.priv == NULL) 5278 goto err_parse_data; 5279 5280 ext = nft_set_elem_ext(set, elem.priv); 5281 if (flags) 5282 *nft_set_ext_flags(ext) = flags; 5283 if (ulen > 0) { 5284 udata = nft_set_ext_userdata(ext); 5285 udata->len = ulen - 1; 5286 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 5287 } 5288 if (obj) { 5289 *nft_set_ext_obj(ext) = obj; 5290 obj->use++; 5291 } 5292 if (expr) { 5293 memcpy(nft_set_ext_expr(ext), expr, expr->ops->size); 5294 kfree(expr); 5295 expr = NULL; 5296 } 5297 5298 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 5299 if (trans == NULL) 5300 goto err_trans; 5301 5302 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; 5303 err = set->ops->insert(ctx->net, set, &elem, &ext2); 5304 if (err) { 5305 if (err == -EEXIST) { 5306 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 5307 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 5308 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 5309 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) 5310 goto err_element_clash; 5311 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 5312 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 5313 memcmp(nft_set_ext_data(ext), 5314 nft_set_ext_data(ext2), set->dlen) != 0) || 5315 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 5316 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 5317 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 5318 goto err_element_clash; 5319 else if (!(nlmsg_flags & NLM_F_EXCL)) 5320 err = 0; 5321 } else if (err == -ENOTEMPTY) { 5322 /* ENOTEMPTY reports overlapping between this element 5323 * and an existing one. 5324 */ 5325 err = -EEXIST; 5326 } 5327 goto err_element_clash; 5328 } 5329 5330 if (set->size && 5331 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) { 5332 err = -ENFILE; 5333 goto err_set_full; 5334 } 5335 5336 nft_trans_elem(trans) = elem; 5337 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5338 return 0; 5339 5340 err_set_full: 5341 set->ops->remove(ctx->net, set, &elem); 5342 err_element_clash: 5343 kfree(trans); 5344 err_trans: 5345 if (obj) 5346 obj->use--; 5347 5348 nf_tables_set_elem_destroy(ctx, set, elem.priv); 5349 err_parse_data: 5350 if (nla[NFTA_SET_ELEM_DATA] != NULL) 5351 nft_data_release(&elem.data.val, desc.type); 5352 err_parse_key_end: 5353 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 5354 err_parse_key: 5355 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 5356 err_set_elem_expr: 5357 if (expr != NULL) 5358 nft_expr_destroy(ctx, expr); 5359 5360 return err; 5361 } 5362 5363 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk, 5364 struct sk_buff *skb, const struct nlmsghdr *nlh, 5365 const struct nlattr * const nla[], 5366 struct netlink_ext_ack *extack) 5367 { 5368 u8 genmask = nft_genmask_next(net); 5369 const struct nlattr *attr; 5370 struct nft_set *set; 5371 struct nft_ctx ctx; 5372 int rem, err; 5373 5374 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 5375 return -EINVAL; 5376 5377 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 5378 genmask); 5379 if (err < 0) 5380 return err; 5381 5382 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET], 5383 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 5384 if (IS_ERR(set)) 5385 return PTR_ERR(set); 5386 5387 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 5388 return -EBUSY; 5389 5390 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5391 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags); 5392 if (err < 0) 5393 return err; 5394 } 5395 5396 if (net->nft.validate_state == NFT_VALIDATE_DO) 5397 return nft_table_validate(net, ctx.table); 5398 5399 return 0; 5400 } 5401 5402 /** 5403 * nft_data_hold - hold a nft_data item 5404 * 5405 * @data: struct nft_data to release 5406 * @type: type of data 5407 * 5408 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 5409 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 5410 * NFT_GOTO verdicts. This function must be called on active data objects 5411 * from the second phase of the commit protocol. 5412 */ 5413 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 5414 { 5415 struct nft_chain *chain; 5416 struct nft_rule *rule; 5417 5418 if (type == NFT_DATA_VERDICT) { 5419 switch (data->verdict.code) { 5420 case NFT_JUMP: 5421 case NFT_GOTO: 5422 chain = data->verdict.chain; 5423 chain->use++; 5424 5425 if (!nft_chain_is_bound(chain)) 5426 break; 5427 5428 chain->table->use++; 5429 list_for_each_entry(rule, &chain->rules, list) 5430 chain->use++; 5431 5432 nft_chain_add(chain->table, chain); 5433 break; 5434 } 5435 } 5436 } 5437 5438 static void nft_set_elem_activate(const struct net *net, 5439 const struct nft_set *set, 5440 struct nft_set_elem *elem) 5441 { 5442 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5443 5444 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5445 nft_data_hold(nft_set_ext_data(ext), set->dtype); 5446 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5447 (*nft_set_ext_obj(ext))->use++; 5448 } 5449 5450 static void nft_set_elem_deactivate(const struct net *net, 5451 const struct nft_set *set, 5452 struct nft_set_elem *elem) 5453 { 5454 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5455 5456 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5457 nft_data_release(nft_set_ext_data(ext), set->dtype); 5458 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5459 (*nft_set_ext_obj(ext))->use--; 5460 } 5461 5462 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 5463 const struct nlattr *attr) 5464 { 5465 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5466 struct nft_set_ext_tmpl tmpl; 5467 struct nft_set_elem elem; 5468 struct nft_set_ext *ext; 5469 struct nft_trans *trans; 5470 u32 flags = 0; 5471 void *priv; 5472 int err; 5473 5474 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5475 nft_set_elem_policy, NULL); 5476 if (err < 0) 5477 return err; 5478 5479 if (nla[NFTA_SET_ELEM_KEY] == NULL) 5480 return -EINVAL; 5481 5482 nft_set_ext_prepare(&tmpl); 5483 5484 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5485 if (err < 0) 5486 return err; 5487 if (flags != 0) 5488 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 5489 5490 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5491 nla[NFTA_SET_ELEM_KEY]); 5492 if (err < 0) 5493 return err; 5494 5495 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 5496 5497 if (nla[NFTA_SET_ELEM_KEY_END]) { 5498 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5499 nla[NFTA_SET_ELEM_KEY_END]); 5500 if (err < 0) 5501 return err; 5502 5503 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 5504 } 5505 5506 err = -ENOMEM; 5507 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 5508 elem.key_end.val.data, NULL, 0, 0, 5509 GFP_KERNEL); 5510 if (elem.priv == NULL) 5511 goto fail_elem; 5512 5513 ext = nft_set_elem_ext(set, elem.priv); 5514 if (flags) 5515 *nft_set_ext_flags(ext) = flags; 5516 5517 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 5518 if (trans == NULL) 5519 goto fail_trans; 5520 5521 priv = set->ops->deactivate(ctx->net, set, &elem); 5522 if (priv == NULL) { 5523 err = -ENOENT; 5524 goto fail_ops; 5525 } 5526 kfree(elem.priv); 5527 elem.priv = priv; 5528 5529 nft_set_elem_deactivate(ctx->net, set, &elem); 5530 5531 nft_trans_elem(trans) = elem; 5532 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5533 return 0; 5534 5535 fail_ops: 5536 kfree(trans); 5537 fail_trans: 5538 kfree(elem.priv); 5539 fail_elem: 5540 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 5541 return err; 5542 } 5543 5544 static int nft_flush_set(const struct nft_ctx *ctx, 5545 struct nft_set *set, 5546 const struct nft_set_iter *iter, 5547 struct nft_set_elem *elem) 5548 { 5549 struct nft_trans *trans; 5550 int err; 5551 5552 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 5553 sizeof(struct nft_trans_elem), GFP_ATOMIC); 5554 if (!trans) 5555 return -ENOMEM; 5556 5557 if (!set->ops->flush(ctx->net, set, elem->priv)) { 5558 err = -ENOENT; 5559 goto err1; 5560 } 5561 set->ndeact++; 5562 5563 nft_set_elem_deactivate(ctx->net, set, elem); 5564 nft_trans_elem_set(trans) = set; 5565 nft_trans_elem(trans) = *elem; 5566 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5567 5568 return 0; 5569 err1: 5570 kfree(trans); 5571 return err; 5572 } 5573 5574 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk, 5575 struct sk_buff *skb, const struct nlmsghdr *nlh, 5576 const struct nlattr * const nla[], 5577 struct netlink_ext_ack *extack) 5578 { 5579 u8 genmask = nft_genmask_next(net); 5580 const struct nlattr *attr; 5581 struct nft_set *set; 5582 struct nft_ctx ctx; 5583 int rem, err = 0; 5584 5585 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 5586 genmask); 5587 if (err < 0) 5588 return err; 5589 5590 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 5591 if (IS_ERR(set)) 5592 return PTR_ERR(set); 5593 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 5594 return -EBUSY; 5595 5596 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) { 5597 struct nft_set_iter iter = { 5598 .genmask = genmask, 5599 .fn = nft_flush_set, 5600 }; 5601 set->ops->walk(&ctx, set, &iter); 5602 5603 return iter.err; 5604 } 5605 5606 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5607 err = nft_del_setelem(&ctx, set, attr); 5608 if (err < 0) 5609 break; 5610 5611 set->ndeact++; 5612 } 5613 return err; 5614 } 5615 5616 void nft_set_gc_batch_release(struct rcu_head *rcu) 5617 { 5618 struct nft_set_gc_batch *gcb; 5619 unsigned int i; 5620 5621 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu); 5622 for (i = 0; i < gcb->head.cnt; i++) 5623 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true); 5624 kfree(gcb); 5625 } 5626 5627 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 5628 gfp_t gfp) 5629 { 5630 struct nft_set_gc_batch *gcb; 5631 5632 gcb = kzalloc(sizeof(*gcb), gfp); 5633 if (gcb == NULL) 5634 return gcb; 5635 gcb->head.set = set; 5636 return gcb; 5637 } 5638 5639 /* 5640 * Stateful objects 5641 */ 5642 5643 /** 5644 * nft_register_obj- register nf_tables stateful object type 5645 * @obj_type: object type 5646 * 5647 * Registers the object type for use with nf_tables. Returns zero on 5648 * success or a negative errno code otherwise. 5649 */ 5650 int nft_register_obj(struct nft_object_type *obj_type) 5651 { 5652 if (obj_type->type == NFT_OBJECT_UNSPEC) 5653 return -EINVAL; 5654 5655 nfnl_lock(NFNL_SUBSYS_NFTABLES); 5656 list_add_rcu(&obj_type->list, &nf_tables_objects); 5657 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 5658 return 0; 5659 } 5660 EXPORT_SYMBOL_GPL(nft_register_obj); 5661 5662 /** 5663 * nft_unregister_obj - unregister nf_tables object type 5664 * @obj_type: object type 5665 * 5666 * Unregisters the object type for use with nf_tables. 5667 */ 5668 void nft_unregister_obj(struct nft_object_type *obj_type) 5669 { 5670 nfnl_lock(NFNL_SUBSYS_NFTABLES); 5671 list_del_rcu(&obj_type->list); 5672 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 5673 } 5674 EXPORT_SYMBOL_GPL(nft_unregister_obj); 5675 5676 struct nft_object *nft_obj_lookup(const struct net *net, 5677 const struct nft_table *table, 5678 const struct nlattr *nla, u32 objtype, 5679 u8 genmask) 5680 { 5681 struct nft_object_hash_key k = { .table = table }; 5682 char search[NFT_OBJ_MAXNAMELEN]; 5683 struct rhlist_head *tmp, *list; 5684 struct nft_object *obj; 5685 5686 nla_strlcpy(search, nla, sizeof(search)); 5687 k.name = search; 5688 5689 WARN_ON_ONCE(!rcu_read_lock_held() && 5690 !lockdep_commit_lock_is_held(net)); 5691 5692 rcu_read_lock(); 5693 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 5694 if (!list) 5695 goto out; 5696 5697 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 5698 if (objtype == obj->ops->type->type && 5699 nft_active_genmask(obj, genmask)) { 5700 rcu_read_unlock(); 5701 return obj; 5702 } 5703 } 5704 out: 5705 rcu_read_unlock(); 5706 return ERR_PTR(-ENOENT); 5707 } 5708 EXPORT_SYMBOL_GPL(nft_obj_lookup); 5709 5710 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 5711 const struct nlattr *nla, 5712 u32 objtype, u8 genmask) 5713 { 5714 struct nft_object *obj; 5715 5716 list_for_each_entry(obj, &table->objects, list) { 5717 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 5718 objtype == obj->ops->type->type && 5719 nft_active_genmask(obj, genmask)) 5720 return obj; 5721 } 5722 return ERR_PTR(-ENOENT); 5723 } 5724 5725 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 5726 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 5727 .len = NFT_TABLE_MAXNAMELEN - 1 }, 5728 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 5729 .len = NFT_OBJ_MAXNAMELEN - 1 }, 5730 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 5731 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 5732 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 5733 }; 5734 5735 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 5736 const struct nft_object_type *type, 5737 const struct nlattr *attr) 5738 { 5739 struct nlattr **tb; 5740 const struct nft_object_ops *ops; 5741 struct nft_object *obj; 5742 int err = -ENOMEM; 5743 5744 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 5745 if (!tb) 5746 goto err1; 5747 5748 if (attr) { 5749 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 5750 type->policy, NULL); 5751 if (err < 0) 5752 goto err2; 5753 } else { 5754 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 5755 } 5756 5757 if (type->select_ops) { 5758 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 5759 if (IS_ERR(ops)) { 5760 err = PTR_ERR(ops); 5761 goto err2; 5762 } 5763 } else { 5764 ops = type->ops; 5765 } 5766 5767 err = -ENOMEM; 5768 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL); 5769 if (!obj) 5770 goto err2; 5771 5772 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 5773 if (err < 0) 5774 goto err3; 5775 5776 obj->ops = ops; 5777 5778 kfree(tb); 5779 return obj; 5780 err3: 5781 kfree(obj); 5782 err2: 5783 kfree(tb); 5784 err1: 5785 return ERR_PTR(err); 5786 } 5787 5788 static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 5789 struct nft_object *obj, bool reset) 5790 { 5791 struct nlattr *nest; 5792 5793 nest = nla_nest_start_noflag(skb, attr); 5794 if (!nest) 5795 goto nla_put_failure; 5796 if (obj->ops->dump(skb, obj, reset) < 0) 5797 goto nla_put_failure; 5798 nla_nest_end(skb, nest); 5799 return 0; 5800 5801 nla_put_failure: 5802 return -1; 5803 } 5804 5805 static const struct nft_object_type *__nft_obj_type_get(u32 objtype) 5806 { 5807 const struct nft_object_type *type; 5808 5809 list_for_each_entry(type, &nf_tables_objects, list) { 5810 if (objtype == type->type) 5811 return type; 5812 } 5813 return NULL; 5814 } 5815 5816 static const struct nft_object_type * 5817 nft_obj_type_get(struct net *net, u32 objtype) 5818 { 5819 const struct nft_object_type *type; 5820 5821 type = __nft_obj_type_get(objtype); 5822 if (type != NULL && try_module_get(type->owner)) 5823 return type; 5824 5825 lockdep_nfnl_nft_mutex_not_held(); 5826 #ifdef CONFIG_MODULES 5827 if (type == NULL) { 5828 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 5829 return ERR_PTR(-EAGAIN); 5830 } 5831 #endif 5832 return ERR_PTR(-ENOENT); 5833 } 5834 5835 static int nf_tables_updobj(const struct nft_ctx *ctx, 5836 const struct nft_object_type *type, 5837 const struct nlattr *attr, 5838 struct nft_object *obj) 5839 { 5840 struct nft_object *newobj; 5841 struct nft_trans *trans; 5842 int err; 5843 5844 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 5845 sizeof(struct nft_trans_obj)); 5846 if (!trans) 5847 return -ENOMEM; 5848 5849 newobj = nft_obj_init(ctx, type, attr); 5850 if (IS_ERR(newobj)) { 5851 err = PTR_ERR(newobj); 5852 goto err_free_trans; 5853 } 5854 5855 nft_trans_obj(trans) = obj; 5856 nft_trans_obj_update(trans) = true; 5857 nft_trans_obj_newobj(trans) = newobj; 5858 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5859 5860 return 0; 5861 5862 err_free_trans: 5863 kfree(trans); 5864 return err; 5865 } 5866 5867 static int nf_tables_newobj(struct net *net, struct sock *nlsk, 5868 struct sk_buff *skb, const struct nlmsghdr *nlh, 5869 const struct nlattr * const nla[], 5870 struct netlink_ext_ack *extack) 5871 { 5872 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 5873 const struct nft_object_type *type; 5874 u8 genmask = nft_genmask_next(net); 5875 int family = nfmsg->nfgen_family; 5876 struct nft_table *table; 5877 struct nft_object *obj; 5878 struct nft_ctx ctx; 5879 u32 objtype; 5880 int err; 5881 5882 if (!nla[NFTA_OBJ_TYPE] || 5883 !nla[NFTA_OBJ_NAME] || 5884 !nla[NFTA_OBJ_DATA]) 5885 return -EINVAL; 5886 5887 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); 5888 if (IS_ERR(table)) { 5889 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 5890 return PTR_ERR(table); 5891 } 5892 5893 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 5894 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 5895 if (IS_ERR(obj)) { 5896 err = PTR_ERR(obj); 5897 if (err != -ENOENT) { 5898 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 5899 return err; 5900 } 5901 } else { 5902 if (nlh->nlmsg_flags & NLM_F_EXCL) { 5903 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 5904 return -EEXIST; 5905 } 5906 if (nlh->nlmsg_flags & NLM_F_REPLACE) 5907 return -EOPNOTSUPP; 5908 5909 type = __nft_obj_type_get(objtype); 5910 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 5911 5912 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 5913 } 5914 5915 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 5916 5917 type = nft_obj_type_get(net, objtype); 5918 if (IS_ERR(type)) 5919 return PTR_ERR(type); 5920 5921 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 5922 if (IS_ERR(obj)) { 5923 err = PTR_ERR(obj); 5924 goto err1; 5925 } 5926 obj->key.table = table; 5927 obj->handle = nf_tables_alloc_handle(table); 5928 5929 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL); 5930 if (!obj->key.name) { 5931 err = -ENOMEM; 5932 goto err2; 5933 } 5934 5935 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 5936 if (err < 0) 5937 goto err3; 5938 5939 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 5940 nft_objname_ht_params); 5941 if (err < 0) 5942 goto err4; 5943 5944 list_add_tail_rcu(&obj->list, &table->objects); 5945 table->use++; 5946 return 0; 5947 err4: 5948 /* queued in transaction log */ 5949 INIT_LIST_HEAD(&obj->list); 5950 return err; 5951 err3: 5952 kfree(obj->key.name); 5953 err2: 5954 if (obj->ops->destroy) 5955 obj->ops->destroy(&ctx, obj); 5956 kfree(obj); 5957 err1: 5958 module_put(type->owner); 5959 return err; 5960 } 5961 5962 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 5963 u32 portid, u32 seq, int event, u32 flags, 5964 int family, const struct nft_table *table, 5965 struct nft_object *obj, bool reset) 5966 { 5967 struct nfgenmsg *nfmsg; 5968 struct nlmsghdr *nlh; 5969 5970 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 5971 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 5972 if (nlh == NULL) 5973 goto nla_put_failure; 5974 5975 nfmsg = nlmsg_data(nlh); 5976 nfmsg->nfgen_family = family; 5977 nfmsg->version = NFNETLINK_V0; 5978 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 5979 5980 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 5981 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 5982 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 5983 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 5984 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) || 5985 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 5986 NFTA_OBJ_PAD)) 5987 goto nla_put_failure; 5988 5989 nlmsg_end(skb, nlh); 5990 return 0; 5991 5992 nla_put_failure: 5993 nlmsg_trim(skb, nlh); 5994 return -1; 5995 } 5996 5997 struct nft_obj_filter { 5998 char *table; 5999 u32 type; 6000 }; 6001 6002 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 6003 { 6004 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 6005 const struct nft_table *table; 6006 unsigned int idx = 0, s_idx = cb->args[0]; 6007 struct nft_obj_filter *filter = cb->data; 6008 struct net *net = sock_net(skb->sk); 6009 int family = nfmsg->nfgen_family; 6010 struct nft_object *obj; 6011 bool reset = false; 6012 6013 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6014 reset = true; 6015 6016 rcu_read_lock(); 6017 cb->seq = net->nft.base_seq; 6018 6019 list_for_each_entry_rcu(table, &net->nft.tables, list) { 6020 if (family != NFPROTO_UNSPEC && family != table->family) 6021 continue; 6022 6023 list_for_each_entry_rcu(obj, &table->objects, list) { 6024 if (!nft_is_active(net, obj)) 6025 goto cont; 6026 if (idx < s_idx) 6027 goto cont; 6028 if (idx > s_idx) 6029 memset(&cb->args[1], 0, 6030 sizeof(cb->args) - sizeof(cb->args[0])); 6031 if (filter && filter->table && 6032 strcmp(filter->table, table->name)) 6033 goto cont; 6034 if (filter && 6035 filter->type != NFT_OBJECT_UNSPEC && 6036 obj->ops->type->type != filter->type) 6037 goto cont; 6038 6039 if (reset) { 6040 char *buf = kasprintf(GFP_ATOMIC, 6041 "%s:%llu;?:0", 6042 table->name, 6043 table->handle); 6044 6045 audit_log_nfcfg(buf, 6046 family, 6047 obj->handle, 6048 AUDIT_NFT_OP_OBJ_RESET, 6049 GFP_ATOMIC); 6050 kfree(buf); 6051 } 6052 6053 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, 6054 cb->nlh->nlmsg_seq, 6055 NFT_MSG_NEWOBJ, 6056 NLM_F_MULTI | NLM_F_APPEND, 6057 table->family, table, 6058 obj, reset) < 0) 6059 goto done; 6060 6061 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 6062 cont: 6063 idx++; 6064 } 6065 } 6066 done: 6067 rcu_read_unlock(); 6068 6069 cb->args[0] = idx; 6070 return skb->len; 6071 } 6072 6073 static int nf_tables_dump_obj_start(struct netlink_callback *cb) 6074 { 6075 const struct nlattr * const *nla = cb->data; 6076 struct nft_obj_filter *filter = NULL; 6077 6078 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) { 6079 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 6080 if (!filter) 6081 return -ENOMEM; 6082 6083 if (nla[NFTA_OBJ_TABLE]) { 6084 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 6085 if (!filter->table) { 6086 kfree(filter); 6087 return -ENOMEM; 6088 } 6089 } 6090 6091 if (nla[NFTA_OBJ_TYPE]) 6092 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6093 } 6094 6095 cb->data = filter; 6096 return 0; 6097 } 6098 6099 static int nf_tables_dump_obj_done(struct netlink_callback *cb) 6100 { 6101 struct nft_obj_filter *filter = cb->data; 6102 6103 if (filter) { 6104 kfree(filter->table); 6105 kfree(filter); 6106 } 6107 6108 return 0; 6109 } 6110 6111 /* called with rcu_read_lock held */ 6112 static int nf_tables_getobj(struct net *net, struct sock *nlsk, 6113 struct sk_buff *skb, const struct nlmsghdr *nlh, 6114 const struct nlattr * const nla[], 6115 struct netlink_ext_ack *extack) 6116 { 6117 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6118 u8 genmask = nft_genmask_cur(net); 6119 int family = nfmsg->nfgen_family; 6120 const struct nft_table *table; 6121 struct nft_object *obj; 6122 struct sk_buff *skb2; 6123 bool reset = false; 6124 u32 objtype; 6125 int err; 6126 6127 if (nlh->nlmsg_flags & NLM_F_DUMP) { 6128 struct netlink_dump_control c = { 6129 .start = nf_tables_dump_obj_start, 6130 .dump = nf_tables_dump_obj, 6131 .done = nf_tables_dump_obj_done, 6132 .module = THIS_MODULE, 6133 .data = (void *)nla, 6134 }; 6135 6136 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 6137 } 6138 6139 if (!nla[NFTA_OBJ_NAME] || 6140 !nla[NFTA_OBJ_TYPE]) 6141 return -EINVAL; 6142 6143 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); 6144 if (IS_ERR(table)) { 6145 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6146 return PTR_ERR(table); 6147 } 6148 6149 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6150 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 6151 if (IS_ERR(obj)) { 6152 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6153 return PTR_ERR(obj); 6154 } 6155 6156 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 6157 if (!skb2) 6158 return -ENOMEM; 6159 6160 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6161 reset = true; 6162 6163 if (reset) { 6164 char *buf = kasprintf(GFP_ATOMIC, "%s:%llu;?:0", 6165 table->name, table->handle); 6166 6167 audit_log_nfcfg(buf, 6168 family, 6169 obj->handle, 6170 AUDIT_NFT_OP_OBJ_RESET, 6171 GFP_ATOMIC); 6172 kfree(buf); 6173 } 6174 6175 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid, 6176 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 6177 family, table, obj, reset); 6178 if (err < 0) 6179 goto err_fill_obj_info; 6180 6181 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 6182 6183 err_fill_obj_info: 6184 kfree_skb(skb2); 6185 return err; 6186 } 6187 6188 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 6189 { 6190 if (obj->ops->destroy) 6191 obj->ops->destroy(ctx, obj); 6192 6193 module_put(obj->ops->type->owner); 6194 kfree(obj->key.name); 6195 kfree(obj); 6196 } 6197 6198 static int nf_tables_delobj(struct net *net, struct sock *nlsk, 6199 struct sk_buff *skb, const struct nlmsghdr *nlh, 6200 const struct nlattr * const nla[], 6201 struct netlink_ext_ack *extack) 6202 { 6203 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6204 u8 genmask = nft_genmask_next(net); 6205 int family = nfmsg->nfgen_family; 6206 const struct nlattr *attr; 6207 struct nft_table *table; 6208 struct nft_object *obj; 6209 struct nft_ctx ctx; 6210 u32 objtype; 6211 6212 if (!nla[NFTA_OBJ_TYPE] || 6213 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 6214 return -EINVAL; 6215 6216 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); 6217 if (IS_ERR(table)) { 6218 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6219 return PTR_ERR(table); 6220 } 6221 6222 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6223 if (nla[NFTA_OBJ_HANDLE]) { 6224 attr = nla[NFTA_OBJ_HANDLE]; 6225 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 6226 } else { 6227 attr = nla[NFTA_OBJ_NAME]; 6228 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 6229 } 6230 6231 if (IS_ERR(obj)) { 6232 NL_SET_BAD_ATTR(extack, attr); 6233 return PTR_ERR(obj); 6234 } 6235 if (obj->use > 0) { 6236 NL_SET_BAD_ATTR(extack, attr); 6237 return -EBUSY; 6238 } 6239 6240 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6241 6242 return nft_delobj(&ctx, obj); 6243 } 6244 6245 void nft_obj_notify(struct net *net, const struct nft_table *table, 6246 struct nft_object *obj, u32 portid, u32 seq, int event, 6247 int family, int report, gfp_t gfp) 6248 { 6249 struct sk_buff *skb; 6250 int err; 6251 char *buf = kasprintf(gfp, "%s:%llu;?:0", 6252 table->name, table->handle); 6253 6254 audit_log_nfcfg(buf, 6255 family, 6256 obj->handle, 6257 event == NFT_MSG_NEWOBJ ? 6258 AUDIT_NFT_OP_OBJ_REGISTER : 6259 AUDIT_NFT_OP_OBJ_UNREGISTER, 6260 gfp); 6261 kfree(buf); 6262 6263 if (!report && 6264 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 6265 return; 6266 6267 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 6268 if (skb == NULL) 6269 goto err; 6270 6271 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family, 6272 table, obj, false); 6273 if (err < 0) { 6274 kfree_skb(skb); 6275 goto err; 6276 } 6277 6278 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp); 6279 return; 6280 err: 6281 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 6282 } 6283 EXPORT_SYMBOL_GPL(nft_obj_notify); 6284 6285 static void nf_tables_obj_notify(const struct nft_ctx *ctx, 6286 struct nft_object *obj, int event) 6287 { 6288 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, 6289 ctx->family, ctx->report, GFP_KERNEL); 6290 } 6291 6292 /* 6293 * Flow tables 6294 */ 6295 void nft_register_flowtable_type(struct nf_flowtable_type *type) 6296 { 6297 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6298 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 6299 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6300 } 6301 EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 6302 6303 void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 6304 { 6305 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6306 list_del_rcu(&type->list); 6307 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6308 } 6309 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 6310 6311 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 6312 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 6313 .len = NFT_NAME_MAXLEN - 1 }, 6314 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 6315 .len = NFT_NAME_MAXLEN - 1 }, 6316 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 6317 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 6318 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 6319 }; 6320 6321 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 6322 const struct nlattr *nla, u8 genmask) 6323 { 6324 struct nft_flowtable *flowtable; 6325 6326 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 6327 if (!nla_strcmp(nla, flowtable->name) && 6328 nft_active_genmask(flowtable, genmask)) 6329 return flowtable; 6330 } 6331 return ERR_PTR(-ENOENT); 6332 } 6333 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 6334 6335 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 6336 struct nft_flowtable *flowtable, 6337 enum nft_trans_phase phase) 6338 { 6339 switch (phase) { 6340 case NFT_TRANS_PREPARE: 6341 case NFT_TRANS_ABORT: 6342 case NFT_TRANS_RELEASE: 6343 flowtable->use--; 6344 fallthrough; 6345 default: 6346 return; 6347 } 6348 } 6349 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 6350 6351 static struct nft_flowtable * 6352 nft_flowtable_lookup_byhandle(const struct nft_table *table, 6353 const struct nlattr *nla, u8 genmask) 6354 { 6355 struct nft_flowtable *flowtable; 6356 6357 list_for_each_entry(flowtable, &table->flowtables, list) { 6358 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 6359 nft_active_genmask(flowtable, genmask)) 6360 return flowtable; 6361 } 6362 return ERR_PTR(-ENOENT); 6363 } 6364 6365 struct nft_flowtable_hook { 6366 u32 num; 6367 int priority; 6368 struct list_head list; 6369 }; 6370 6371 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 6372 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 6373 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 6374 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 6375 }; 6376 6377 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 6378 const struct nlattr *attr, 6379 struct nft_flowtable_hook *flowtable_hook, 6380 struct nft_flowtable *flowtable, bool add) 6381 { 6382 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 6383 struct nft_hook *hook; 6384 int hooknum, priority; 6385 int err; 6386 6387 INIT_LIST_HEAD(&flowtable_hook->list); 6388 6389 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr, 6390 nft_flowtable_hook_policy, NULL); 6391 if (err < 0) 6392 return err; 6393 6394 if (add) { 6395 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 6396 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) 6397 return -EINVAL; 6398 6399 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 6400 if (hooknum != NF_NETDEV_INGRESS) 6401 return -EOPNOTSUPP; 6402 6403 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 6404 6405 flowtable_hook->priority = priority; 6406 flowtable_hook->num = hooknum; 6407 } else { 6408 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 6409 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 6410 if (hooknum != flowtable->hooknum) 6411 return -EOPNOTSUPP; 6412 } 6413 6414 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 6415 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 6416 if (priority != flowtable->data.priority) 6417 return -EOPNOTSUPP; 6418 } 6419 6420 flowtable_hook->priority = flowtable->data.priority; 6421 flowtable_hook->num = flowtable->hooknum; 6422 } 6423 6424 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 6425 err = nf_tables_parse_netdev_hooks(ctx->net, 6426 tb[NFTA_FLOWTABLE_HOOK_DEVS], 6427 &flowtable_hook->list); 6428 if (err < 0) 6429 return err; 6430 } 6431 6432 list_for_each_entry(hook, &flowtable_hook->list, list) { 6433 hook->ops.pf = NFPROTO_NETDEV; 6434 hook->ops.hooknum = flowtable_hook->num; 6435 hook->ops.priority = flowtable_hook->priority; 6436 hook->ops.priv = &flowtable->data; 6437 hook->ops.hook = flowtable->data.type->hook; 6438 } 6439 6440 return err; 6441 } 6442 6443 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 6444 { 6445 const struct nf_flowtable_type *type; 6446 6447 list_for_each_entry(type, &nf_tables_flowtables, list) { 6448 if (family == type->family) 6449 return type; 6450 } 6451 return NULL; 6452 } 6453 6454 static const struct nf_flowtable_type * 6455 nft_flowtable_type_get(struct net *net, u8 family) 6456 { 6457 const struct nf_flowtable_type *type; 6458 6459 type = __nft_flowtable_type_get(family); 6460 if (type != NULL && try_module_get(type->owner)) 6461 return type; 6462 6463 lockdep_nfnl_nft_mutex_not_held(); 6464 #ifdef CONFIG_MODULES 6465 if (type == NULL) { 6466 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 6467 return ERR_PTR(-EAGAIN); 6468 } 6469 #endif 6470 return ERR_PTR(-ENOENT); 6471 } 6472 6473 /* Only called from error and netdev event paths. */ 6474 static void nft_unregister_flowtable_hook(struct net *net, 6475 struct nft_flowtable *flowtable, 6476 struct nft_hook *hook) 6477 { 6478 nf_unregister_net_hook(net, &hook->ops); 6479 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 6480 FLOW_BLOCK_UNBIND); 6481 } 6482 6483 static void nft_unregister_flowtable_net_hooks(struct net *net, 6484 struct list_head *hook_list) 6485 { 6486 struct nft_hook *hook; 6487 6488 list_for_each_entry(hook, hook_list, list) 6489 nf_unregister_net_hook(net, &hook->ops); 6490 } 6491 6492 static int nft_register_flowtable_net_hooks(struct net *net, 6493 struct nft_table *table, 6494 struct list_head *hook_list, 6495 struct nft_flowtable *flowtable) 6496 { 6497 struct nft_hook *hook, *hook2, *next; 6498 struct nft_flowtable *ft; 6499 int err, i = 0; 6500 6501 list_for_each_entry(hook, hook_list, list) { 6502 list_for_each_entry(ft, &table->flowtables, list) { 6503 list_for_each_entry(hook2, &ft->hook_list, list) { 6504 if (hook->ops.dev == hook2->ops.dev && 6505 hook->ops.pf == hook2->ops.pf) { 6506 err = -EEXIST; 6507 goto err_unregister_net_hooks; 6508 } 6509 } 6510 } 6511 6512 err = flowtable->data.type->setup(&flowtable->data, 6513 hook->ops.dev, 6514 FLOW_BLOCK_BIND); 6515 if (err < 0) 6516 goto err_unregister_net_hooks; 6517 6518 err = nf_register_net_hook(net, &hook->ops); 6519 if (err < 0) { 6520 flowtable->data.type->setup(&flowtable->data, 6521 hook->ops.dev, 6522 FLOW_BLOCK_UNBIND); 6523 goto err_unregister_net_hooks; 6524 } 6525 6526 i++; 6527 } 6528 6529 return 0; 6530 6531 err_unregister_net_hooks: 6532 list_for_each_entry_safe(hook, next, hook_list, list) { 6533 if (i-- <= 0) 6534 break; 6535 6536 nft_unregister_flowtable_hook(net, flowtable, hook); 6537 list_del_rcu(&hook->list); 6538 kfree_rcu(hook, rcu); 6539 } 6540 6541 return err; 6542 } 6543 6544 static void nft_flowtable_hooks_destroy(struct list_head *hook_list) 6545 { 6546 struct nft_hook *hook, *next; 6547 6548 list_for_each_entry_safe(hook, next, hook_list, list) { 6549 list_del_rcu(&hook->list); 6550 kfree_rcu(hook, rcu); 6551 } 6552 } 6553 6554 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 6555 struct nft_flowtable *flowtable) 6556 { 6557 const struct nlattr * const *nla = ctx->nla; 6558 struct nft_flowtable_hook flowtable_hook; 6559 struct nft_hook *hook, *next; 6560 struct nft_trans *trans; 6561 bool unregister = false; 6562 int err; 6563 6564 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 6565 &flowtable_hook, flowtable, false); 6566 if (err < 0) 6567 return err; 6568 6569 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 6570 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 6571 list_del(&hook->list); 6572 kfree(hook); 6573 } 6574 } 6575 6576 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 6577 &flowtable_hook.list, flowtable); 6578 if (err < 0) 6579 goto err_flowtable_update_hook; 6580 6581 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 6582 sizeof(struct nft_trans_flowtable)); 6583 if (!trans) { 6584 unregister = true; 6585 err = -ENOMEM; 6586 goto err_flowtable_update_hook; 6587 } 6588 6589 nft_trans_flowtable(trans) = flowtable; 6590 nft_trans_flowtable_update(trans) = true; 6591 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 6592 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 6593 6594 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 6595 6596 return 0; 6597 6598 err_flowtable_update_hook: 6599 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 6600 if (unregister) 6601 nft_unregister_flowtable_hook(ctx->net, flowtable, hook); 6602 list_del_rcu(&hook->list); 6603 kfree_rcu(hook, rcu); 6604 } 6605 6606 return err; 6607 6608 } 6609 6610 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk, 6611 struct sk_buff *skb, 6612 const struct nlmsghdr *nlh, 6613 const struct nlattr * const nla[], 6614 struct netlink_ext_ack *extack) 6615 { 6616 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6617 struct nft_flowtable_hook flowtable_hook; 6618 const struct nf_flowtable_type *type; 6619 u8 genmask = nft_genmask_next(net); 6620 int family = nfmsg->nfgen_family; 6621 struct nft_flowtable *flowtable; 6622 struct nft_hook *hook, *next; 6623 struct nft_table *table; 6624 struct nft_ctx ctx; 6625 int err; 6626 6627 if (!nla[NFTA_FLOWTABLE_TABLE] || 6628 !nla[NFTA_FLOWTABLE_NAME] || 6629 !nla[NFTA_FLOWTABLE_HOOK]) 6630 return -EINVAL; 6631 6632 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 6633 genmask); 6634 if (IS_ERR(table)) { 6635 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 6636 return PTR_ERR(table); 6637 } 6638 6639 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 6640 genmask); 6641 if (IS_ERR(flowtable)) { 6642 err = PTR_ERR(flowtable); 6643 if (err != -ENOENT) { 6644 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 6645 return err; 6646 } 6647 } else { 6648 if (nlh->nlmsg_flags & NLM_F_EXCL) { 6649 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 6650 return -EEXIST; 6651 } 6652 6653 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6654 6655 return nft_flowtable_update(&ctx, nlh, flowtable); 6656 } 6657 6658 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6659 6660 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL); 6661 if (!flowtable) 6662 return -ENOMEM; 6663 6664 flowtable->table = table; 6665 flowtable->handle = nf_tables_alloc_handle(table); 6666 INIT_LIST_HEAD(&flowtable->hook_list); 6667 6668 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL); 6669 if (!flowtable->name) { 6670 err = -ENOMEM; 6671 goto err1; 6672 } 6673 6674 type = nft_flowtable_type_get(net, family); 6675 if (IS_ERR(type)) { 6676 err = PTR_ERR(type); 6677 goto err2; 6678 } 6679 6680 if (nla[NFTA_FLOWTABLE_FLAGS]) { 6681 flowtable->data.flags = 6682 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 6683 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) 6684 goto err3; 6685 } 6686 6687 write_pnet(&flowtable->data.net, net); 6688 flowtable->data.type = type; 6689 err = type->init(&flowtable->data); 6690 if (err < 0) 6691 goto err3; 6692 6693 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK], 6694 &flowtable_hook, flowtable, true); 6695 if (err < 0) 6696 goto err4; 6697 6698 list_splice(&flowtable_hook.list, &flowtable->hook_list); 6699 flowtable->data.priority = flowtable_hook.priority; 6700 flowtable->hooknum = flowtable_hook.num; 6701 6702 err = nft_register_flowtable_net_hooks(ctx.net, table, 6703 &flowtable->hook_list, 6704 flowtable); 6705 if (err < 0) { 6706 nft_flowtable_hooks_destroy(&flowtable->hook_list); 6707 goto err4; 6708 } 6709 6710 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 6711 if (err < 0) 6712 goto err5; 6713 6714 list_add_tail_rcu(&flowtable->list, &table->flowtables); 6715 table->use++; 6716 6717 return 0; 6718 err5: 6719 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 6720 nft_unregister_flowtable_hook(net, flowtable, hook); 6721 list_del_rcu(&hook->list); 6722 kfree_rcu(hook, rcu); 6723 } 6724 err4: 6725 flowtable->data.type->free(&flowtable->data); 6726 err3: 6727 module_put(type->owner); 6728 err2: 6729 kfree(flowtable->name); 6730 err1: 6731 kfree(flowtable); 6732 return err; 6733 } 6734 6735 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook) 6736 { 6737 struct nft_hook *this, *next; 6738 6739 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { 6740 list_del(&this->list); 6741 kfree(this); 6742 } 6743 } 6744 6745 static int nft_delflowtable_hook(struct nft_ctx *ctx, 6746 struct nft_flowtable *flowtable) 6747 { 6748 const struct nlattr * const *nla = ctx->nla; 6749 struct nft_flowtable_hook flowtable_hook; 6750 struct nft_hook *this, *hook; 6751 struct nft_trans *trans; 6752 int err; 6753 6754 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 6755 &flowtable_hook, flowtable, false); 6756 if (err < 0) 6757 return err; 6758 6759 list_for_each_entry(this, &flowtable_hook.list, list) { 6760 hook = nft_hook_list_find(&flowtable->hook_list, this); 6761 if (!hook) { 6762 err = -ENOENT; 6763 goto err_flowtable_del_hook; 6764 } 6765 hook->inactive = true; 6766 } 6767 6768 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 6769 sizeof(struct nft_trans_flowtable)); 6770 if (!trans) { 6771 err = -ENOMEM; 6772 goto err_flowtable_del_hook; 6773 } 6774 6775 nft_trans_flowtable(trans) = flowtable; 6776 nft_trans_flowtable_update(trans) = true; 6777 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 6778 nft_flowtable_hook_release(&flowtable_hook); 6779 6780 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 6781 6782 return 0; 6783 6784 err_flowtable_del_hook: 6785 list_for_each_entry(this, &flowtable_hook.list, list) { 6786 hook = nft_hook_list_find(&flowtable->hook_list, this); 6787 if (!hook) 6788 break; 6789 6790 hook->inactive = false; 6791 } 6792 nft_flowtable_hook_release(&flowtable_hook); 6793 6794 return err; 6795 } 6796 6797 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk, 6798 struct sk_buff *skb, 6799 const struct nlmsghdr *nlh, 6800 const struct nlattr * const nla[], 6801 struct netlink_ext_ack *extack) 6802 { 6803 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6804 u8 genmask = nft_genmask_next(net); 6805 int family = nfmsg->nfgen_family; 6806 struct nft_flowtable *flowtable; 6807 const struct nlattr *attr; 6808 struct nft_table *table; 6809 struct nft_ctx ctx; 6810 6811 if (!nla[NFTA_FLOWTABLE_TABLE] || 6812 (!nla[NFTA_FLOWTABLE_NAME] && 6813 !nla[NFTA_FLOWTABLE_HANDLE])) 6814 return -EINVAL; 6815 6816 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 6817 genmask); 6818 if (IS_ERR(table)) { 6819 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 6820 return PTR_ERR(table); 6821 } 6822 6823 if (nla[NFTA_FLOWTABLE_HANDLE]) { 6824 attr = nla[NFTA_FLOWTABLE_HANDLE]; 6825 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 6826 } else { 6827 attr = nla[NFTA_FLOWTABLE_NAME]; 6828 flowtable = nft_flowtable_lookup(table, attr, genmask); 6829 } 6830 6831 if (IS_ERR(flowtable)) { 6832 NL_SET_BAD_ATTR(extack, attr); 6833 return PTR_ERR(flowtable); 6834 } 6835 6836 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6837 6838 if (nla[NFTA_FLOWTABLE_HOOK]) 6839 return nft_delflowtable_hook(&ctx, flowtable); 6840 6841 if (flowtable->use > 0) { 6842 NL_SET_BAD_ATTR(extack, attr); 6843 return -EBUSY; 6844 } 6845 6846 return nft_delflowtable(&ctx, flowtable); 6847 } 6848 6849 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 6850 u32 portid, u32 seq, int event, 6851 u32 flags, int family, 6852 struct nft_flowtable *flowtable, 6853 struct list_head *hook_list) 6854 { 6855 struct nlattr *nest, *nest_devs; 6856 struct nfgenmsg *nfmsg; 6857 struct nft_hook *hook; 6858 struct nlmsghdr *nlh; 6859 6860 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6861 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 6862 if (nlh == NULL) 6863 goto nla_put_failure; 6864 6865 nfmsg = nlmsg_data(nlh); 6866 nfmsg->nfgen_family = family; 6867 nfmsg->version = NFNETLINK_V0; 6868 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 6869 6870 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 6871 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 6872 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 6873 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 6874 NFTA_FLOWTABLE_PAD) || 6875 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 6876 goto nla_put_failure; 6877 6878 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 6879 if (!nest) 6880 goto nla_put_failure; 6881 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 6882 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 6883 goto nla_put_failure; 6884 6885 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 6886 if (!nest_devs) 6887 goto nla_put_failure; 6888 6889 list_for_each_entry_rcu(hook, hook_list, list) { 6890 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) 6891 goto nla_put_failure; 6892 } 6893 nla_nest_end(skb, nest_devs); 6894 nla_nest_end(skb, nest); 6895 6896 nlmsg_end(skb, nlh); 6897 return 0; 6898 6899 nla_put_failure: 6900 nlmsg_trim(skb, nlh); 6901 return -1; 6902 } 6903 6904 struct nft_flowtable_filter { 6905 char *table; 6906 }; 6907 6908 static int nf_tables_dump_flowtable(struct sk_buff *skb, 6909 struct netlink_callback *cb) 6910 { 6911 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 6912 struct nft_flowtable_filter *filter = cb->data; 6913 unsigned int idx = 0, s_idx = cb->args[0]; 6914 struct net *net = sock_net(skb->sk); 6915 int family = nfmsg->nfgen_family; 6916 struct nft_flowtable *flowtable; 6917 const struct nft_table *table; 6918 6919 rcu_read_lock(); 6920 cb->seq = net->nft.base_seq; 6921 6922 list_for_each_entry_rcu(table, &net->nft.tables, list) { 6923 if (family != NFPROTO_UNSPEC && family != table->family) 6924 continue; 6925 6926 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 6927 if (!nft_is_active(net, flowtable)) 6928 goto cont; 6929 if (idx < s_idx) 6930 goto cont; 6931 if (idx > s_idx) 6932 memset(&cb->args[1], 0, 6933 sizeof(cb->args) - sizeof(cb->args[0])); 6934 if (filter && filter->table && 6935 strcmp(filter->table, table->name)) 6936 goto cont; 6937 6938 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 6939 cb->nlh->nlmsg_seq, 6940 NFT_MSG_NEWFLOWTABLE, 6941 NLM_F_MULTI | NLM_F_APPEND, 6942 table->family, 6943 flowtable, 6944 &flowtable->hook_list) < 0) 6945 goto done; 6946 6947 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 6948 cont: 6949 idx++; 6950 } 6951 } 6952 done: 6953 rcu_read_unlock(); 6954 6955 cb->args[0] = idx; 6956 return skb->len; 6957 } 6958 6959 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 6960 { 6961 const struct nlattr * const *nla = cb->data; 6962 struct nft_flowtable_filter *filter = NULL; 6963 6964 if (nla[NFTA_FLOWTABLE_TABLE]) { 6965 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 6966 if (!filter) 6967 return -ENOMEM; 6968 6969 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 6970 GFP_ATOMIC); 6971 if (!filter->table) { 6972 kfree(filter); 6973 return -ENOMEM; 6974 } 6975 } 6976 6977 cb->data = filter; 6978 return 0; 6979 } 6980 6981 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 6982 { 6983 struct nft_flowtable_filter *filter = cb->data; 6984 6985 if (!filter) 6986 return 0; 6987 6988 kfree(filter->table); 6989 kfree(filter); 6990 6991 return 0; 6992 } 6993 6994 /* called with rcu_read_lock held */ 6995 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk, 6996 struct sk_buff *skb, 6997 const struct nlmsghdr *nlh, 6998 const struct nlattr * const nla[], 6999 struct netlink_ext_ack *extack) 7000 { 7001 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 7002 u8 genmask = nft_genmask_cur(net); 7003 int family = nfmsg->nfgen_family; 7004 struct nft_flowtable *flowtable; 7005 const struct nft_table *table; 7006 struct sk_buff *skb2; 7007 int err; 7008 7009 if (nlh->nlmsg_flags & NLM_F_DUMP) { 7010 struct netlink_dump_control c = { 7011 .start = nf_tables_dump_flowtable_start, 7012 .dump = nf_tables_dump_flowtable, 7013 .done = nf_tables_dump_flowtable_done, 7014 .module = THIS_MODULE, 7015 .data = (void *)nla, 7016 }; 7017 7018 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 7019 } 7020 7021 if (!nla[NFTA_FLOWTABLE_NAME]) 7022 return -EINVAL; 7023 7024 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7025 genmask); 7026 if (IS_ERR(table)) 7027 return PTR_ERR(table); 7028 7029 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 7030 genmask); 7031 if (IS_ERR(flowtable)) 7032 return PTR_ERR(flowtable); 7033 7034 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7035 if (!skb2) 7036 return -ENOMEM; 7037 7038 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 7039 nlh->nlmsg_seq, 7040 NFT_MSG_NEWFLOWTABLE, 0, family, 7041 flowtable, &flowtable->hook_list); 7042 if (err < 0) 7043 goto err_fill_flowtable_info; 7044 7045 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7046 7047 err_fill_flowtable_info: 7048 kfree_skb(skb2); 7049 return err; 7050 } 7051 7052 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 7053 struct nft_flowtable *flowtable, 7054 struct list_head *hook_list, 7055 int event) 7056 { 7057 struct sk_buff *skb; 7058 int err; 7059 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 7060 flowtable->table->name, flowtable->table->handle, 7061 flowtable->name, flowtable->handle); 7062 7063 audit_log_nfcfg(buf, 7064 ctx->family, 7065 flowtable->hooknum, 7066 event == NFT_MSG_NEWFLOWTABLE ? 7067 AUDIT_NFT_OP_FLOWTABLE_REGISTER : 7068 AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 7069 GFP_KERNEL); 7070 kfree(buf); 7071 7072 if (ctx->report && 7073 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 7074 return; 7075 7076 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 7077 if (skb == NULL) 7078 goto err; 7079 7080 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 7081 ctx->seq, event, 0, 7082 ctx->family, flowtable, hook_list); 7083 if (err < 0) { 7084 kfree_skb(skb); 7085 goto err; 7086 } 7087 7088 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 7089 ctx->report, GFP_KERNEL); 7090 return; 7091 err: 7092 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 7093 } 7094 7095 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 7096 { 7097 struct nft_hook *hook, *next; 7098 7099 flowtable->data.type->free(&flowtable->data); 7100 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7101 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 7102 FLOW_BLOCK_UNBIND); 7103 list_del_rcu(&hook->list); 7104 kfree(hook); 7105 } 7106 kfree(flowtable->name); 7107 module_put(flowtable->data.type->owner); 7108 kfree(flowtable); 7109 } 7110 7111 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 7112 u32 portid, u32 seq) 7113 { 7114 struct nlmsghdr *nlh; 7115 struct nfgenmsg *nfmsg; 7116 char buf[TASK_COMM_LEN]; 7117 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 7118 7119 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0); 7120 if (nlh == NULL) 7121 goto nla_put_failure; 7122 7123 nfmsg = nlmsg_data(nlh); 7124 nfmsg->nfgen_family = AF_UNSPEC; 7125 nfmsg->version = NFNETLINK_V0; 7126 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 7127 7128 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || 7129 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 7130 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 7131 goto nla_put_failure; 7132 7133 nlmsg_end(skb, nlh); 7134 return 0; 7135 7136 nla_put_failure: 7137 nlmsg_trim(skb, nlh); 7138 return -EMSGSIZE; 7139 } 7140 7141 static void nft_flowtable_event(unsigned long event, struct net_device *dev, 7142 struct nft_flowtable *flowtable) 7143 { 7144 struct nft_hook *hook; 7145 7146 list_for_each_entry(hook, &flowtable->hook_list, list) { 7147 if (hook->ops.dev != dev) 7148 continue; 7149 7150 /* flow_offload_netdev_event() cleans up entries for us. */ 7151 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); 7152 list_del_rcu(&hook->list); 7153 kfree_rcu(hook, rcu); 7154 break; 7155 } 7156 } 7157 7158 static int nf_tables_flowtable_event(struct notifier_block *this, 7159 unsigned long event, void *ptr) 7160 { 7161 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 7162 struct nft_flowtable *flowtable; 7163 struct nft_table *table; 7164 struct net *net; 7165 7166 if (event != NETDEV_UNREGISTER) 7167 return 0; 7168 7169 net = dev_net(dev); 7170 mutex_lock(&net->nft.commit_mutex); 7171 list_for_each_entry(table, &net->nft.tables, list) { 7172 list_for_each_entry(flowtable, &table->flowtables, list) { 7173 nft_flowtable_event(event, dev, flowtable); 7174 } 7175 } 7176 mutex_unlock(&net->nft.commit_mutex); 7177 7178 return NOTIFY_DONE; 7179 } 7180 7181 static struct notifier_block nf_tables_flowtable_notifier = { 7182 .notifier_call = nf_tables_flowtable_event, 7183 }; 7184 7185 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 7186 int event) 7187 { 7188 struct nlmsghdr *nlh = nlmsg_hdr(skb); 7189 struct sk_buff *skb2; 7190 int err; 7191 7192 audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq, 7193 AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL); 7194 7195 if (nlmsg_report(nlh) && 7196 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 7197 return; 7198 7199 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 7200 if (skb2 == NULL) 7201 goto err; 7202 7203 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 7204 nlh->nlmsg_seq); 7205 if (err < 0) { 7206 kfree_skb(skb2); 7207 goto err; 7208 } 7209 7210 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 7211 nlmsg_report(nlh), GFP_KERNEL); 7212 return; 7213 err: 7214 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 7215 -ENOBUFS); 7216 } 7217 7218 static int nf_tables_getgen(struct net *net, struct sock *nlsk, 7219 struct sk_buff *skb, const struct nlmsghdr *nlh, 7220 const struct nlattr * const nla[], 7221 struct netlink_ext_ack *extack) 7222 { 7223 struct sk_buff *skb2; 7224 int err; 7225 7226 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7227 if (skb2 == NULL) 7228 return -ENOMEM; 7229 7230 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 7231 nlh->nlmsg_seq); 7232 if (err < 0) 7233 goto err_fill_gen_info; 7234 7235 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7236 7237 err_fill_gen_info: 7238 kfree_skb(skb2); 7239 return err; 7240 } 7241 7242 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 7243 [NFT_MSG_NEWTABLE] = { 7244 .call_batch = nf_tables_newtable, 7245 .attr_count = NFTA_TABLE_MAX, 7246 .policy = nft_table_policy, 7247 }, 7248 [NFT_MSG_GETTABLE] = { 7249 .call_rcu = nf_tables_gettable, 7250 .attr_count = NFTA_TABLE_MAX, 7251 .policy = nft_table_policy, 7252 }, 7253 [NFT_MSG_DELTABLE] = { 7254 .call_batch = nf_tables_deltable, 7255 .attr_count = NFTA_TABLE_MAX, 7256 .policy = nft_table_policy, 7257 }, 7258 [NFT_MSG_NEWCHAIN] = { 7259 .call_batch = nf_tables_newchain, 7260 .attr_count = NFTA_CHAIN_MAX, 7261 .policy = nft_chain_policy, 7262 }, 7263 [NFT_MSG_GETCHAIN] = { 7264 .call_rcu = nf_tables_getchain, 7265 .attr_count = NFTA_CHAIN_MAX, 7266 .policy = nft_chain_policy, 7267 }, 7268 [NFT_MSG_DELCHAIN] = { 7269 .call_batch = nf_tables_delchain, 7270 .attr_count = NFTA_CHAIN_MAX, 7271 .policy = nft_chain_policy, 7272 }, 7273 [NFT_MSG_NEWRULE] = { 7274 .call_batch = nf_tables_newrule, 7275 .attr_count = NFTA_RULE_MAX, 7276 .policy = nft_rule_policy, 7277 }, 7278 [NFT_MSG_GETRULE] = { 7279 .call_rcu = nf_tables_getrule, 7280 .attr_count = NFTA_RULE_MAX, 7281 .policy = nft_rule_policy, 7282 }, 7283 [NFT_MSG_DELRULE] = { 7284 .call_batch = nf_tables_delrule, 7285 .attr_count = NFTA_RULE_MAX, 7286 .policy = nft_rule_policy, 7287 }, 7288 [NFT_MSG_NEWSET] = { 7289 .call_batch = nf_tables_newset, 7290 .attr_count = NFTA_SET_MAX, 7291 .policy = nft_set_policy, 7292 }, 7293 [NFT_MSG_GETSET] = { 7294 .call_rcu = nf_tables_getset, 7295 .attr_count = NFTA_SET_MAX, 7296 .policy = nft_set_policy, 7297 }, 7298 [NFT_MSG_DELSET] = { 7299 .call_batch = nf_tables_delset, 7300 .attr_count = NFTA_SET_MAX, 7301 .policy = nft_set_policy, 7302 }, 7303 [NFT_MSG_NEWSETELEM] = { 7304 .call_batch = nf_tables_newsetelem, 7305 .attr_count = NFTA_SET_ELEM_LIST_MAX, 7306 .policy = nft_set_elem_list_policy, 7307 }, 7308 [NFT_MSG_GETSETELEM] = { 7309 .call_rcu = nf_tables_getsetelem, 7310 .attr_count = NFTA_SET_ELEM_LIST_MAX, 7311 .policy = nft_set_elem_list_policy, 7312 }, 7313 [NFT_MSG_DELSETELEM] = { 7314 .call_batch = nf_tables_delsetelem, 7315 .attr_count = NFTA_SET_ELEM_LIST_MAX, 7316 .policy = nft_set_elem_list_policy, 7317 }, 7318 [NFT_MSG_GETGEN] = { 7319 .call_rcu = nf_tables_getgen, 7320 }, 7321 [NFT_MSG_NEWOBJ] = { 7322 .call_batch = nf_tables_newobj, 7323 .attr_count = NFTA_OBJ_MAX, 7324 .policy = nft_obj_policy, 7325 }, 7326 [NFT_MSG_GETOBJ] = { 7327 .call_rcu = nf_tables_getobj, 7328 .attr_count = NFTA_OBJ_MAX, 7329 .policy = nft_obj_policy, 7330 }, 7331 [NFT_MSG_DELOBJ] = { 7332 .call_batch = nf_tables_delobj, 7333 .attr_count = NFTA_OBJ_MAX, 7334 .policy = nft_obj_policy, 7335 }, 7336 [NFT_MSG_GETOBJ_RESET] = { 7337 .call_rcu = nf_tables_getobj, 7338 .attr_count = NFTA_OBJ_MAX, 7339 .policy = nft_obj_policy, 7340 }, 7341 [NFT_MSG_NEWFLOWTABLE] = { 7342 .call_batch = nf_tables_newflowtable, 7343 .attr_count = NFTA_FLOWTABLE_MAX, 7344 .policy = nft_flowtable_policy, 7345 }, 7346 [NFT_MSG_GETFLOWTABLE] = { 7347 .call_rcu = nf_tables_getflowtable, 7348 .attr_count = NFTA_FLOWTABLE_MAX, 7349 .policy = nft_flowtable_policy, 7350 }, 7351 [NFT_MSG_DELFLOWTABLE] = { 7352 .call_batch = nf_tables_delflowtable, 7353 .attr_count = NFTA_FLOWTABLE_MAX, 7354 .policy = nft_flowtable_policy, 7355 }, 7356 }; 7357 7358 static int nf_tables_validate(struct net *net) 7359 { 7360 struct nft_table *table; 7361 7362 switch (net->nft.validate_state) { 7363 case NFT_VALIDATE_SKIP: 7364 break; 7365 case NFT_VALIDATE_NEED: 7366 nft_validate_state_update(net, NFT_VALIDATE_DO); 7367 fallthrough; 7368 case NFT_VALIDATE_DO: 7369 list_for_each_entry(table, &net->nft.tables, list) { 7370 if (nft_table_validate(net, table) < 0) 7371 return -EAGAIN; 7372 } 7373 break; 7374 } 7375 7376 return 0; 7377 } 7378 7379 /* a drop policy has to be deferred until all rules have been activated, 7380 * otherwise a large ruleset that contains a drop-policy base chain will 7381 * cause all packets to get dropped until the full transaction has been 7382 * processed. 7383 * 7384 * We defer the drop policy until the transaction has been finalized. 7385 */ 7386 static void nft_chain_commit_drop_policy(struct nft_trans *trans) 7387 { 7388 struct nft_base_chain *basechain; 7389 7390 if (nft_trans_chain_policy(trans) != NF_DROP) 7391 return; 7392 7393 if (!nft_is_base_chain(trans->ctx.chain)) 7394 return; 7395 7396 basechain = nft_base_chain(trans->ctx.chain); 7397 basechain->policy = NF_DROP; 7398 } 7399 7400 static void nft_chain_commit_update(struct nft_trans *trans) 7401 { 7402 struct nft_base_chain *basechain; 7403 7404 if (nft_trans_chain_name(trans)) { 7405 rhltable_remove(&trans->ctx.table->chains_ht, 7406 &trans->ctx.chain->rhlhead, 7407 nft_chain_ht_params); 7408 swap(trans->ctx.chain->name, nft_trans_chain_name(trans)); 7409 rhltable_insert_key(&trans->ctx.table->chains_ht, 7410 trans->ctx.chain->name, 7411 &trans->ctx.chain->rhlhead, 7412 nft_chain_ht_params); 7413 } 7414 7415 if (!nft_is_base_chain(trans->ctx.chain)) 7416 return; 7417 7418 nft_chain_stats_replace(trans); 7419 7420 basechain = nft_base_chain(trans->ctx.chain); 7421 7422 switch (nft_trans_chain_policy(trans)) { 7423 case NF_DROP: 7424 case NF_ACCEPT: 7425 basechain->policy = nft_trans_chain_policy(trans); 7426 break; 7427 } 7428 } 7429 7430 static void nft_obj_commit_update(struct nft_trans *trans) 7431 { 7432 struct nft_object *newobj; 7433 struct nft_object *obj; 7434 7435 obj = nft_trans_obj(trans); 7436 newobj = nft_trans_obj_newobj(trans); 7437 7438 if (obj->ops->update) 7439 obj->ops->update(obj, newobj); 7440 7441 kfree(newobj); 7442 } 7443 7444 static void nft_commit_release(struct nft_trans *trans) 7445 { 7446 switch (trans->msg_type) { 7447 case NFT_MSG_DELTABLE: 7448 nf_tables_table_destroy(&trans->ctx); 7449 break; 7450 case NFT_MSG_NEWCHAIN: 7451 free_percpu(nft_trans_chain_stats(trans)); 7452 kfree(nft_trans_chain_name(trans)); 7453 break; 7454 case NFT_MSG_DELCHAIN: 7455 nf_tables_chain_destroy(&trans->ctx); 7456 break; 7457 case NFT_MSG_DELRULE: 7458 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 7459 break; 7460 case NFT_MSG_DELSET: 7461 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 7462 break; 7463 case NFT_MSG_DELSETELEM: 7464 nf_tables_set_elem_destroy(&trans->ctx, 7465 nft_trans_elem_set(trans), 7466 nft_trans_elem(trans).priv); 7467 break; 7468 case NFT_MSG_DELOBJ: 7469 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 7470 break; 7471 case NFT_MSG_DELFLOWTABLE: 7472 if (nft_trans_flowtable_update(trans)) 7473 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 7474 else 7475 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 7476 break; 7477 } 7478 7479 if (trans->put_net) 7480 put_net(trans->ctx.net); 7481 7482 kfree(trans); 7483 } 7484 7485 static void nf_tables_trans_destroy_work(struct work_struct *w) 7486 { 7487 struct nft_trans *trans, *next; 7488 LIST_HEAD(head); 7489 7490 spin_lock(&nf_tables_destroy_list_lock); 7491 list_splice_init(&nf_tables_destroy_list, &head); 7492 spin_unlock(&nf_tables_destroy_list_lock); 7493 7494 if (list_empty(&head)) 7495 return; 7496 7497 synchronize_rcu(); 7498 7499 list_for_each_entry_safe(trans, next, &head, list) { 7500 list_del(&trans->list); 7501 nft_commit_release(trans); 7502 } 7503 } 7504 7505 void nf_tables_trans_destroy_flush_work(void) 7506 { 7507 flush_work(&trans_destroy_work); 7508 } 7509 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work); 7510 7511 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 7512 { 7513 struct nft_rule *rule; 7514 unsigned int alloc = 0; 7515 int i; 7516 7517 /* already handled or inactive chain? */ 7518 if (chain->rules_next || !nft_is_active_next(net, chain)) 7519 return 0; 7520 7521 rule = list_entry(&chain->rules, struct nft_rule, list); 7522 i = 0; 7523 7524 list_for_each_entry_continue(rule, &chain->rules, list) { 7525 if (nft_is_active_next(net, rule)) 7526 alloc++; 7527 } 7528 7529 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc); 7530 if (!chain->rules_next) 7531 return -ENOMEM; 7532 7533 list_for_each_entry_continue(rule, &chain->rules, list) { 7534 if (nft_is_active_next(net, rule)) 7535 chain->rules_next[i++] = rule; 7536 } 7537 7538 chain->rules_next[i] = NULL; 7539 return 0; 7540 } 7541 7542 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 7543 { 7544 struct nft_trans *trans, *next; 7545 7546 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 7547 struct nft_chain *chain = trans->ctx.chain; 7548 7549 if (trans->msg_type == NFT_MSG_NEWRULE || 7550 trans->msg_type == NFT_MSG_DELRULE) { 7551 kvfree(chain->rules_next); 7552 chain->rules_next = NULL; 7553 } 7554 } 7555 } 7556 7557 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h) 7558 { 7559 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h); 7560 7561 kvfree(o->start); 7562 } 7563 7564 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules) 7565 { 7566 struct nft_rule **r = rules; 7567 struct nft_rules_old *old; 7568 7569 while (*r) 7570 r++; 7571 7572 r++; /* rcu_head is after end marker */ 7573 old = (void *) r; 7574 old->start = rules; 7575 7576 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old); 7577 } 7578 7579 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 7580 { 7581 struct nft_rule **g0, **g1; 7582 bool next_genbit; 7583 7584 next_genbit = nft_gencursor_next(net); 7585 7586 g0 = rcu_dereference_protected(chain->rules_gen_0, 7587 lockdep_commit_lock_is_held(net)); 7588 g1 = rcu_dereference_protected(chain->rules_gen_1, 7589 lockdep_commit_lock_is_held(net)); 7590 7591 /* No changes to this chain? */ 7592 if (chain->rules_next == NULL) { 7593 /* chain had no change in last or next generation */ 7594 if (g0 == g1) 7595 return; 7596 /* 7597 * chain had no change in this generation; make sure next 7598 * one uses same rules as current generation. 7599 */ 7600 if (next_genbit) { 7601 rcu_assign_pointer(chain->rules_gen_1, g0); 7602 nf_tables_commit_chain_free_rules_old(g1); 7603 } else { 7604 rcu_assign_pointer(chain->rules_gen_0, g1); 7605 nf_tables_commit_chain_free_rules_old(g0); 7606 } 7607 7608 return; 7609 } 7610 7611 if (next_genbit) 7612 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next); 7613 else 7614 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next); 7615 7616 chain->rules_next = NULL; 7617 7618 if (g0 == g1) 7619 return; 7620 7621 if (next_genbit) 7622 nf_tables_commit_chain_free_rules_old(g1); 7623 else 7624 nf_tables_commit_chain_free_rules_old(g0); 7625 } 7626 7627 static void nft_obj_del(struct nft_object *obj) 7628 { 7629 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 7630 list_del_rcu(&obj->list); 7631 } 7632 7633 void nft_chain_del(struct nft_chain *chain) 7634 { 7635 struct nft_table *table = chain->table; 7636 7637 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 7638 nft_chain_ht_params)); 7639 list_del_rcu(&chain->list); 7640 } 7641 7642 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable, 7643 struct list_head *hook_list) 7644 { 7645 struct nft_hook *hook, *next; 7646 7647 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7648 if (hook->inactive) 7649 list_move(&hook->list, hook_list); 7650 } 7651 } 7652 7653 static void nf_tables_module_autoload_cleanup(struct net *net) 7654 { 7655 struct nft_module_request *req, *next; 7656 7657 WARN_ON_ONCE(!list_empty(&net->nft.commit_list)); 7658 list_for_each_entry_safe(req, next, &net->nft.module_list, list) { 7659 WARN_ON_ONCE(!req->done); 7660 list_del(&req->list); 7661 kfree(req); 7662 } 7663 } 7664 7665 static void nf_tables_commit_release(struct net *net) 7666 { 7667 struct nft_trans *trans; 7668 7669 /* all side effects have to be made visible. 7670 * For example, if a chain named 'foo' has been deleted, a 7671 * new transaction must not find it anymore. 7672 * 7673 * Memory reclaim happens asynchronously from work queue 7674 * to prevent expensive synchronize_rcu() in commit phase. 7675 */ 7676 if (list_empty(&net->nft.commit_list)) { 7677 nf_tables_module_autoload_cleanup(net); 7678 mutex_unlock(&net->nft.commit_mutex); 7679 return; 7680 } 7681 7682 trans = list_last_entry(&net->nft.commit_list, 7683 struct nft_trans, list); 7684 get_net(trans->ctx.net); 7685 WARN_ON_ONCE(trans->put_net); 7686 7687 trans->put_net = true; 7688 spin_lock(&nf_tables_destroy_list_lock); 7689 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list); 7690 spin_unlock(&nf_tables_destroy_list_lock); 7691 7692 nf_tables_module_autoload_cleanup(net); 7693 schedule_work(&trans_destroy_work); 7694 7695 mutex_unlock(&net->nft.commit_mutex); 7696 } 7697 7698 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 7699 { 7700 struct nft_trans *trans, *next; 7701 struct nft_trans_elem *te; 7702 struct nft_chain *chain; 7703 struct nft_table *table; 7704 int err; 7705 7706 if (list_empty(&net->nft.commit_list)) { 7707 mutex_unlock(&net->nft.commit_mutex); 7708 return 0; 7709 } 7710 7711 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 7712 if (nf_tables_validate(net) < 0) 7713 return -EAGAIN; 7714 7715 err = nft_flow_rule_offload_commit(net); 7716 if (err < 0) 7717 return err; 7718 7719 /* 1. Allocate space for next generation rules_gen_X[] */ 7720 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 7721 int ret; 7722 7723 if (trans->msg_type == NFT_MSG_NEWRULE || 7724 trans->msg_type == NFT_MSG_DELRULE) { 7725 chain = trans->ctx.chain; 7726 7727 ret = nf_tables_commit_chain_prepare(net, chain); 7728 if (ret < 0) { 7729 nf_tables_commit_chain_prepare_cancel(net); 7730 return ret; 7731 } 7732 } 7733 } 7734 7735 /* step 2. Make rules_gen_X visible to packet path */ 7736 list_for_each_entry(table, &net->nft.tables, list) { 7737 list_for_each_entry(chain, &table->chains, list) 7738 nf_tables_commit_chain(net, chain); 7739 } 7740 7741 /* 7742 * Bump generation counter, invalidate any dump in progress. 7743 * Cannot fail after this point. 7744 */ 7745 while (++net->nft.base_seq == 0); 7746 7747 /* step 3. Start new generation, rules_gen_X now in use. */ 7748 net->nft.gencursor = nft_gencursor_next(net); 7749 7750 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 7751 switch (trans->msg_type) { 7752 case NFT_MSG_NEWTABLE: 7753 if (nft_trans_table_update(trans)) { 7754 if (!nft_trans_table_enable(trans)) { 7755 nf_tables_table_disable(net, 7756 trans->ctx.table); 7757 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 7758 } 7759 } else { 7760 nft_clear(net, trans->ctx.table); 7761 } 7762 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE); 7763 nft_trans_destroy(trans); 7764 break; 7765 case NFT_MSG_DELTABLE: 7766 list_del_rcu(&trans->ctx.table->list); 7767 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE); 7768 break; 7769 case NFT_MSG_NEWCHAIN: 7770 if (nft_trans_chain_update(trans)) { 7771 nft_chain_commit_update(trans); 7772 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 7773 /* trans destroyed after rcu grace period */ 7774 } else { 7775 nft_chain_commit_drop_policy(trans); 7776 nft_clear(net, trans->ctx.chain); 7777 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 7778 nft_trans_destroy(trans); 7779 } 7780 break; 7781 case NFT_MSG_DELCHAIN: 7782 nft_chain_del(trans->ctx.chain); 7783 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN); 7784 nf_tables_unregister_hook(trans->ctx.net, 7785 trans->ctx.table, 7786 trans->ctx.chain); 7787 break; 7788 case NFT_MSG_NEWRULE: 7789 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 7790 nf_tables_rule_notify(&trans->ctx, 7791 nft_trans_rule(trans), 7792 NFT_MSG_NEWRULE); 7793 nft_trans_destroy(trans); 7794 break; 7795 case NFT_MSG_DELRULE: 7796 list_del_rcu(&nft_trans_rule(trans)->list); 7797 nf_tables_rule_notify(&trans->ctx, 7798 nft_trans_rule(trans), 7799 NFT_MSG_DELRULE); 7800 nft_rule_expr_deactivate(&trans->ctx, 7801 nft_trans_rule(trans), 7802 NFT_TRANS_COMMIT); 7803 break; 7804 case NFT_MSG_NEWSET: 7805 nft_clear(net, nft_trans_set(trans)); 7806 /* This avoids hitting -EBUSY when deleting the table 7807 * from the transaction. 7808 */ 7809 if (nft_set_is_anonymous(nft_trans_set(trans)) && 7810 !list_empty(&nft_trans_set(trans)->bindings)) 7811 trans->ctx.table->use--; 7812 7813 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 7814 NFT_MSG_NEWSET, GFP_KERNEL); 7815 nft_trans_destroy(trans); 7816 break; 7817 case NFT_MSG_DELSET: 7818 list_del_rcu(&nft_trans_set(trans)->list); 7819 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 7820 NFT_MSG_DELSET, GFP_KERNEL); 7821 break; 7822 case NFT_MSG_NEWSETELEM: 7823 te = (struct nft_trans_elem *)trans->data; 7824 7825 te->set->ops->activate(net, te->set, &te->elem); 7826 nf_tables_setelem_notify(&trans->ctx, te->set, 7827 &te->elem, 7828 NFT_MSG_NEWSETELEM, 0); 7829 nft_trans_destroy(trans); 7830 break; 7831 case NFT_MSG_DELSETELEM: 7832 te = (struct nft_trans_elem *)trans->data; 7833 7834 nf_tables_setelem_notify(&trans->ctx, te->set, 7835 &te->elem, 7836 NFT_MSG_DELSETELEM, 0); 7837 te->set->ops->remove(net, te->set, &te->elem); 7838 atomic_dec(&te->set->nelems); 7839 te->set->ndeact--; 7840 break; 7841 case NFT_MSG_NEWOBJ: 7842 if (nft_trans_obj_update(trans)) { 7843 nft_obj_commit_update(trans); 7844 nf_tables_obj_notify(&trans->ctx, 7845 nft_trans_obj(trans), 7846 NFT_MSG_NEWOBJ); 7847 } else { 7848 nft_clear(net, nft_trans_obj(trans)); 7849 nf_tables_obj_notify(&trans->ctx, 7850 nft_trans_obj(trans), 7851 NFT_MSG_NEWOBJ); 7852 nft_trans_destroy(trans); 7853 } 7854 break; 7855 case NFT_MSG_DELOBJ: 7856 nft_obj_del(nft_trans_obj(trans)); 7857 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans), 7858 NFT_MSG_DELOBJ); 7859 break; 7860 case NFT_MSG_NEWFLOWTABLE: 7861 if (nft_trans_flowtable_update(trans)) { 7862 nf_tables_flowtable_notify(&trans->ctx, 7863 nft_trans_flowtable(trans), 7864 &nft_trans_flowtable_hooks(trans), 7865 NFT_MSG_NEWFLOWTABLE); 7866 list_splice(&nft_trans_flowtable_hooks(trans), 7867 &nft_trans_flowtable(trans)->hook_list); 7868 } else { 7869 nft_clear(net, nft_trans_flowtable(trans)); 7870 nf_tables_flowtable_notify(&trans->ctx, 7871 nft_trans_flowtable(trans), 7872 &nft_trans_flowtable(trans)->hook_list, 7873 NFT_MSG_NEWFLOWTABLE); 7874 } 7875 nft_trans_destroy(trans); 7876 break; 7877 case NFT_MSG_DELFLOWTABLE: 7878 if (nft_trans_flowtable_update(trans)) { 7879 nft_flowtable_hooks_del(nft_trans_flowtable(trans), 7880 &nft_trans_flowtable_hooks(trans)); 7881 nf_tables_flowtable_notify(&trans->ctx, 7882 nft_trans_flowtable(trans), 7883 &nft_trans_flowtable_hooks(trans), 7884 NFT_MSG_DELFLOWTABLE); 7885 nft_unregister_flowtable_net_hooks(net, 7886 &nft_trans_flowtable_hooks(trans)); 7887 } else { 7888 list_del_rcu(&nft_trans_flowtable(trans)->list); 7889 nf_tables_flowtable_notify(&trans->ctx, 7890 nft_trans_flowtable(trans), 7891 &nft_trans_flowtable(trans)->hook_list, 7892 NFT_MSG_DELFLOWTABLE); 7893 nft_unregister_flowtable_net_hooks(net, 7894 &nft_trans_flowtable(trans)->hook_list); 7895 } 7896 break; 7897 } 7898 } 7899 7900 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 7901 nf_tables_commit_release(net); 7902 7903 return 0; 7904 } 7905 7906 static void nf_tables_module_autoload(struct net *net) 7907 { 7908 struct nft_module_request *req, *next; 7909 LIST_HEAD(module_list); 7910 7911 list_splice_init(&net->nft.module_list, &module_list); 7912 mutex_unlock(&net->nft.commit_mutex); 7913 list_for_each_entry_safe(req, next, &module_list, list) { 7914 request_module("%s", req->module); 7915 req->done = true; 7916 } 7917 mutex_lock(&net->nft.commit_mutex); 7918 list_splice(&module_list, &net->nft.module_list); 7919 } 7920 7921 static void nf_tables_abort_release(struct nft_trans *trans) 7922 { 7923 switch (trans->msg_type) { 7924 case NFT_MSG_NEWTABLE: 7925 nf_tables_table_destroy(&trans->ctx); 7926 break; 7927 case NFT_MSG_NEWCHAIN: 7928 nf_tables_chain_destroy(&trans->ctx); 7929 break; 7930 case NFT_MSG_NEWRULE: 7931 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 7932 break; 7933 case NFT_MSG_NEWSET: 7934 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 7935 break; 7936 case NFT_MSG_NEWSETELEM: 7937 nft_set_elem_destroy(nft_trans_elem_set(trans), 7938 nft_trans_elem(trans).priv, true); 7939 break; 7940 case NFT_MSG_NEWOBJ: 7941 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 7942 break; 7943 case NFT_MSG_NEWFLOWTABLE: 7944 if (nft_trans_flowtable_update(trans)) 7945 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 7946 else 7947 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 7948 break; 7949 } 7950 kfree(trans); 7951 } 7952 7953 static int __nf_tables_abort(struct net *net, bool autoload) 7954 { 7955 struct nft_trans *trans, *next; 7956 struct nft_trans_elem *te; 7957 struct nft_hook *hook; 7958 7959 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list, 7960 list) { 7961 switch (trans->msg_type) { 7962 case NFT_MSG_NEWTABLE: 7963 if (nft_trans_table_update(trans)) { 7964 if (nft_trans_table_enable(trans)) { 7965 nf_tables_table_disable(net, 7966 trans->ctx.table); 7967 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 7968 } 7969 nft_trans_destroy(trans); 7970 } else { 7971 list_del_rcu(&trans->ctx.table->list); 7972 } 7973 break; 7974 case NFT_MSG_DELTABLE: 7975 nft_clear(trans->ctx.net, trans->ctx.table); 7976 nft_trans_destroy(trans); 7977 break; 7978 case NFT_MSG_NEWCHAIN: 7979 if (nft_trans_chain_update(trans)) { 7980 free_percpu(nft_trans_chain_stats(trans)); 7981 kfree(nft_trans_chain_name(trans)); 7982 nft_trans_destroy(trans); 7983 } else { 7984 if (nft_chain_is_bound(trans->ctx.chain)) { 7985 nft_trans_destroy(trans); 7986 break; 7987 } 7988 trans->ctx.table->use--; 7989 nft_chain_del(trans->ctx.chain); 7990 nf_tables_unregister_hook(trans->ctx.net, 7991 trans->ctx.table, 7992 trans->ctx.chain); 7993 } 7994 break; 7995 case NFT_MSG_DELCHAIN: 7996 trans->ctx.table->use++; 7997 nft_clear(trans->ctx.net, trans->ctx.chain); 7998 nft_trans_destroy(trans); 7999 break; 8000 case NFT_MSG_NEWRULE: 8001 trans->ctx.chain->use--; 8002 list_del_rcu(&nft_trans_rule(trans)->list); 8003 nft_rule_expr_deactivate(&trans->ctx, 8004 nft_trans_rule(trans), 8005 NFT_TRANS_ABORT); 8006 break; 8007 case NFT_MSG_DELRULE: 8008 trans->ctx.chain->use++; 8009 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 8010 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans)); 8011 nft_trans_destroy(trans); 8012 break; 8013 case NFT_MSG_NEWSET: 8014 trans->ctx.table->use--; 8015 if (nft_trans_set_bound(trans)) { 8016 nft_trans_destroy(trans); 8017 break; 8018 } 8019 list_del_rcu(&nft_trans_set(trans)->list); 8020 break; 8021 case NFT_MSG_DELSET: 8022 trans->ctx.table->use++; 8023 nft_clear(trans->ctx.net, nft_trans_set(trans)); 8024 nft_trans_destroy(trans); 8025 break; 8026 case NFT_MSG_NEWSETELEM: 8027 if (nft_trans_elem_set_bound(trans)) { 8028 nft_trans_destroy(trans); 8029 break; 8030 } 8031 te = (struct nft_trans_elem *)trans->data; 8032 te->set->ops->remove(net, te->set, &te->elem); 8033 atomic_dec(&te->set->nelems); 8034 break; 8035 case NFT_MSG_DELSETELEM: 8036 te = (struct nft_trans_elem *)trans->data; 8037 8038 nft_set_elem_activate(net, te->set, &te->elem); 8039 te->set->ops->activate(net, te->set, &te->elem); 8040 te->set->ndeact--; 8041 8042 nft_trans_destroy(trans); 8043 break; 8044 case NFT_MSG_NEWOBJ: 8045 if (nft_trans_obj_update(trans)) { 8046 kfree(nft_trans_obj_newobj(trans)); 8047 nft_trans_destroy(trans); 8048 } else { 8049 trans->ctx.table->use--; 8050 nft_obj_del(nft_trans_obj(trans)); 8051 } 8052 break; 8053 case NFT_MSG_DELOBJ: 8054 trans->ctx.table->use++; 8055 nft_clear(trans->ctx.net, nft_trans_obj(trans)); 8056 nft_trans_destroy(trans); 8057 break; 8058 case NFT_MSG_NEWFLOWTABLE: 8059 if (nft_trans_flowtable_update(trans)) { 8060 nft_unregister_flowtable_net_hooks(net, 8061 &nft_trans_flowtable_hooks(trans)); 8062 } else { 8063 trans->ctx.table->use--; 8064 list_del_rcu(&nft_trans_flowtable(trans)->list); 8065 nft_unregister_flowtable_net_hooks(net, 8066 &nft_trans_flowtable(trans)->hook_list); 8067 } 8068 break; 8069 case NFT_MSG_DELFLOWTABLE: 8070 if (nft_trans_flowtable_update(trans)) { 8071 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list) 8072 hook->inactive = false; 8073 } else { 8074 trans->ctx.table->use++; 8075 nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); 8076 } 8077 nft_trans_destroy(trans); 8078 break; 8079 } 8080 } 8081 8082 synchronize_rcu(); 8083 8084 list_for_each_entry_safe_reverse(trans, next, 8085 &net->nft.commit_list, list) { 8086 list_del(&trans->list); 8087 nf_tables_abort_release(trans); 8088 } 8089 8090 if (autoload) 8091 nf_tables_module_autoload(net); 8092 else 8093 nf_tables_module_autoload_cleanup(net); 8094 8095 return 0; 8096 } 8097 8098 static void nf_tables_cleanup(struct net *net) 8099 { 8100 nft_validate_state_update(net, NFT_VALIDATE_SKIP); 8101 } 8102 8103 static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload) 8104 { 8105 int ret = __nf_tables_abort(net, autoload); 8106 8107 mutex_unlock(&net->nft.commit_mutex); 8108 8109 return ret; 8110 } 8111 8112 static bool nf_tables_valid_genid(struct net *net, u32 genid) 8113 { 8114 bool genid_ok; 8115 8116 mutex_lock(&net->nft.commit_mutex); 8117 8118 genid_ok = genid == 0 || net->nft.base_seq == genid; 8119 if (!genid_ok) 8120 mutex_unlock(&net->nft.commit_mutex); 8121 8122 /* else, commit mutex has to be released by commit or abort function */ 8123 return genid_ok; 8124 } 8125 8126 static const struct nfnetlink_subsystem nf_tables_subsys = { 8127 .name = "nf_tables", 8128 .subsys_id = NFNL_SUBSYS_NFTABLES, 8129 .cb_count = NFT_MSG_MAX, 8130 .cb = nf_tables_cb, 8131 .commit = nf_tables_commit, 8132 .abort = nf_tables_abort, 8133 .cleanup = nf_tables_cleanup, 8134 .valid_genid = nf_tables_valid_genid, 8135 .owner = THIS_MODULE, 8136 }; 8137 8138 int nft_chain_validate_dependency(const struct nft_chain *chain, 8139 enum nft_chain_types type) 8140 { 8141 const struct nft_base_chain *basechain; 8142 8143 if (nft_is_base_chain(chain)) { 8144 basechain = nft_base_chain(chain); 8145 if (basechain->type->type != type) 8146 return -EOPNOTSUPP; 8147 } 8148 return 0; 8149 } 8150 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 8151 8152 int nft_chain_validate_hooks(const struct nft_chain *chain, 8153 unsigned int hook_flags) 8154 { 8155 struct nft_base_chain *basechain; 8156 8157 if (nft_is_base_chain(chain)) { 8158 basechain = nft_base_chain(chain); 8159 8160 if ((1 << basechain->ops.hooknum) & hook_flags) 8161 return 0; 8162 8163 return -EOPNOTSUPP; 8164 } 8165 8166 return 0; 8167 } 8168 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 8169 8170 /* 8171 * Loop detection - walk through the ruleset beginning at the destination chain 8172 * of a new jump until either the source chain is reached (loop) or all 8173 * reachable chains have been traversed. 8174 * 8175 * The loop check is performed whenever a new jump verdict is added to an 8176 * expression or verdict map or a verdict map is bound to a new chain. 8177 */ 8178 8179 static int nf_tables_check_loops(const struct nft_ctx *ctx, 8180 const struct nft_chain *chain); 8181 8182 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, 8183 struct nft_set *set, 8184 const struct nft_set_iter *iter, 8185 struct nft_set_elem *elem) 8186 { 8187 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 8188 const struct nft_data *data; 8189 8190 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 8191 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 8192 return 0; 8193 8194 data = nft_set_ext_data(ext); 8195 switch (data->verdict.code) { 8196 case NFT_JUMP: 8197 case NFT_GOTO: 8198 return nf_tables_check_loops(ctx, data->verdict.chain); 8199 default: 8200 return 0; 8201 } 8202 } 8203 8204 static int nf_tables_check_loops(const struct nft_ctx *ctx, 8205 const struct nft_chain *chain) 8206 { 8207 const struct nft_rule *rule; 8208 const struct nft_expr *expr, *last; 8209 struct nft_set *set; 8210 struct nft_set_binding *binding; 8211 struct nft_set_iter iter; 8212 8213 if (ctx->chain == chain) 8214 return -ELOOP; 8215 8216 list_for_each_entry(rule, &chain->rules, list) { 8217 nft_rule_for_each_expr(expr, last, rule) { 8218 struct nft_immediate_expr *priv; 8219 const struct nft_data *data; 8220 int err; 8221 8222 if (strcmp(expr->ops->type->name, "immediate")) 8223 continue; 8224 8225 priv = nft_expr_priv(expr); 8226 if (priv->dreg != NFT_REG_VERDICT) 8227 continue; 8228 8229 data = &priv->data; 8230 switch (data->verdict.code) { 8231 case NFT_JUMP: 8232 case NFT_GOTO: 8233 err = nf_tables_check_loops(ctx, 8234 data->verdict.chain); 8235 if (err < 0) 8236 return err; 8237 default: 8238 break; 8239 } 8240 } 8241 } 8242 8243 list_for_each_entry(set, &ctx->table->sets, list) { 8244 if (!nft_is_active_next(ctx->net, set)) 8245 continue; 8246 if (!(set->flags & NFT_SET_MAP) || 8247 set->dtype != NFT_DATA_VERDICT) 8248 continue; 8249 8250 list_for_each_entry(binding, &set->bindings, list) { 8251 if (!(binding->flags & NFT_SET_MAP) || 8252 binding->chain != chain) 8253 continue; 8254 8255 iter.genmask = nft_genmask_next(ctx->net); 8256 iter.skip = 0; 8257 iter.count = 0; 8258 iter.err = 0; 8259 iter.fn = nf_tables_loop_check_setelem; 8260 8261 set->ops->walk(ctx, set, &iter); 8262 if (iter.err < 0) 8263 return iter.err; 8264 } 8265 } 8266 8267 return 0; 8268 } 8269 8270 /** 8271 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 8272 * 8273 * @attr: netlink attribute to fetch value from 8274 * @max: maximum value to be stored in dest 8275 * @dest: pointer to the variable 8276 * 8277 * Parse, check and store a given u32 netlink attribute into variable. 8278 * This function returns -ERANGE if the value goes over maximum value. 8279 * Otherwise a 0 is returned and the attribute value is stored in the 8280 * destination variable. 8281 */ 8282 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 8283 { 8284 u32 val; 8285 8286 val = ntohl(nla_get_be32(attr)); 8287 if (val > max) 8288 return -ERANGE; 8289 8290 *dest = val; 8291 return 0; 8292 } 8293 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 8294 8295 /** 8296 * nft_parse_register - parse a register value from a netlink attribute 8297 * 8298 * @attr: netlink attribute 8299 * 8300 * Parse and translate a register value from a netlink attribute. 8301 * Registers used to be 128 bit wide, these register numbers will be 8302 * mapped to the corresponding 32 bit register numbers. 8303 */ 8304 unsigned int nft_parse_register(const struct nlattr *attr) 8305 { 8306 unsigned int reg; 8307 8308 reg = ntohl(nla_get_be32(attr)); 8309 switch (reg) { 8310 case NFT_REG_VERDICT...NFT_REG_4: 8311 return reg * NFT_REG_SIZE / NFT_REG32_SIZE; 8312 default: 8313 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 8314 } 8315 } 8316 EXPORT_SYMBOL_GPL(nft_parse_register); 8317 8318 /** 8319 * nft_dump_register - dump a register value to a netlink attribute 8320 * 8321 * @skb: socket buffer 8322 * @attr: attribute number 8323 * @reg: register number 8324 * 8325 * Construct a netlink attribute containing the register number. For 8326 * compatibility reasons, register numbers being a multiple of 4 are 8327 * translated to the corresponding 128 bit register numbers. 8328 */ 8329 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 8330 { 8331 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 8332 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 8333 else 8334 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 8335 8336 return nla_put_be32(skb, attr, htonl(reg)); 8337 } 8338 EXPORT_SYMBOL_GPL(nft_dump_register); 8339 8340 /** 8341 * nft_validate_register_load - validate a load from a register 8342 * 8343 * @reg: the register number 8344 * @len: the length of the data 8345 * 8346 * Validate that the input register is one of the general purpose 8347 * registers and that the length of the load is within the bounds. 8348 */ 8349 int nft_validate_register_load(enum nft_registers reg, unsigned int len) 8350 { 8351 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 8352 return -EINVAL; 8353 if (len == 0) 8354 return -EINVAL; 8355 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 8356 return -ERANGE; 8357 8358 return 0; 8359 } 8360 EXPORT_SYMBOL_GPL(nft_validate_register_load); 8361 8362 /** 8363 * nft_validate_register_store - validate an expressions' register store 8364 * 8365 * @ctx: context of the expression performing the load 8366 * @reg: the destination register number 8367 * @data: the data to load 8368 * @type: the data type 8369 * @len: the length of the data 8370 * 8371 * Validate that a data load uses the appropriate data type for 8372 * the destination register and the length is within the bounds. 8373 * A value of NULL for the data means that its runtime gathered 8374 * data. 8375 */ 8376 int nft_validate_register_store(const struct nft_ctx *ctx, 8377 enum nft_registers reg, 8378 const struct nft_data *data, 8379 enum nft_data_types type, unsigned int len) 8380 { 8381 int err; 8382 8383 switch (reg) { 8384 case NFT_REG_VERDICT: 8385 if (type != NFT_DATA_VERDICT) 8386 return -EINVAL; 8387 8388 if (data != NULL && 8389 (data->verdict.code == NFT_GOTO || 8390 data->verdict.code == NFT_JUMP)) { 8391 err = nf_tables_check_loops(ctx, data->verdict.chain); 8392 if (err < 0) 8393 return err; 8394 } 8395 8396 return 0; 8397 default: 8398 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 8399 return -EINVAL; 8400 if (len == 0) 8401 return -EINVAL; 8402 if (reg * NFT_REG32_SIZE + len > 8403 sizeof_field(struct nft_regs, data)) 8404 return -ERANGE; 8405 8406 if (data != NULL && type != NFT_DATA_VALUE) 8407 return -EINVAL; 8408 return 0; 8409 } 8410 } 8411 EXPORT_SYMBOL_GPL(nft_validate_register_store); 8412 8413 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 8414 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 8415 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 8416 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 8417 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 }, 8418 }; 8419 8420 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 8421 struct nft_data_desc *desc, const struct nlattr *nla) 8422 { 8423 u8 genmask = nft_genmask_next(ctx->net); 8424 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 8425 struct nft_chain *chain; 8426 int err; 8427 8428 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 8429 nft_verdict_policy, NULL); 8430 if (err < 0) 8431 return err; 8432 8433 if (!tb[NFTA_VERDICT_CODE]) 8434 return -EINVAL; 8435 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 8436 8437 switch (data->verdict.code) { 8438 default: 8439 switch (data->verdict.code & NF_VERDICT_MASK) { 8440 case NF_ACCEPT: 8441 case NF_DROP: 8442 case NF_QUEUE: 8443 break; 8444 default: 8445 return -EINVAL; 8446 } 8447 fallthrough; 8448 case NFT_CONTINUE: 8449 case NFT_BREAK: 8450 case NFT_RETURN: 8451 break; 8452 case NFT_JUMP: 8453 case NFT_GOTO: 8454 if (tb[NFTA_VERDICT_CHAIN]) { 8455 chain = nft_chain_lookup(ctx->net, ctx->table, 8456 tb[NFTA_VERDICT_CHAIN], 8457 genmask); 8458 } else if (tb[NFTA_VERDICT_CHAIN_ID]) { 8459 chain = nft_chain_lookup_byid(ctx->net, 8460 tb[NFTA_VERDICT_CHAIN_ID]); 8461 if (IS_ERR(chain)) 8462 return PTR_ERR(chain); 8463 } else { 8464 return -EINVAL; 8465 } 8466 8467 if (IS_ERR(chain)) 8468 return PTR_ERR(chain); 8469 if (nft_is_base_chain(chain)) 8470 return -EOPNOTSUPP; 8471 8472 chain->use++; 8473 data->verdict.chain = chain; 8474 break; 8475 } 8476 8477 desc->len = sizeof(data->verdict); 8478 desc->type = NFT_DATA_VERDICT; 8479 return 0; 8480 } 8481 8482 static void nft_verdict_uninit(const struct nft_data *data) 8483 { 8484 struct nft_chain *chain; 8485 struct nft_rule *rule; 8486 8487 switch (data->verdict.code) { 8488 case NFT_JUMP: 8489 case NFT_GOTO: 8490 chain = data->verdict.chain; 8491 chain->use--; 8492 8493 if (!nft_chain_is_bound(chain)) 8494 break; 8495 8496 chain->table->use--; 8497 list_for_each_entry(rule, &chain->rules, list) 8498 chain->use--; 8499 8500 nft_chain_del(chain); 8501 break; 8502 } 8503 } 8504 8505 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 8506 { 8507 struct nlattr *nest; 8508 8509 nest = nla_nest_start_noflag(skb, type); 8510 if (!nest) 8511 goto nla_put_failure; 8512 8513 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 8514 goto nla_put_failure; 8515 8516 switch (v->code) { 8517 case NFT_JUMP: 8518 case NFT_GOTO: 8519 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 8520 v->chain->name)) 8521 goto nla_put_failure; 8522 } 8523 nla_nest_end(skb, nest); 8524 return 0; 8525 8526 nla_put_failure: 8527 return -1; 8528 } 8529 8530 static int nft_value_init(const struct nft_ctx *ctx, 8531 struct nft_data *data, unsigned int size, 8532 struct nft_data_desc *desc, const struct nlattr *nla) 8533 { 8534 unsigned int len; 8535 8536 len = nla_len(nla); 8537 if (len == 0) 8538 return -EINVAL; 8539 if (len > size) 8540 return -EOVERFLOW; 8541 8542 nla_memcpy(data->data, nla, len); 8543 desc->type = NFT_DATA_VALUE; 8544 desc->len = len; 8545 return 0; 8546 } 8547 8548 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 8549 unsigned int len) 8550 { 8551 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 8552 } 8553 8554 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 8555 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 8556 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 8557 }; 8558 8559 /** 8560 * nft_data_init - parse nf_tables data netlink attributes 8561 * 8562 * @ctx: context of the expression using the data 8563 * @data: destination struct nft_data 8564 * @size: maximum data length 8565 * @desc: data description 8566 * @nla: netlink attribute containing data 8567 * 8568 * Parse the netlink data attributes and initialize a struct nft_data. 8569 * The type and length of data are returned in the data description. 8570 * 8571 * The caller can indicate that it only wants to accept data of type 8572 * NFT_DATA_VALUE by passing NULL for the ctx argument. 8573 */ 8574 int nft_data_init(const struct nft_ctx *ctx, 8575 struct nft_data *data, unsigned int size, 8576 struct nft_data_desc *desc, const struct nlattr *nla) 8577 { 8578 struct nlattr *tb[NFTA_DATA_MAX + 1]; 8579 int err; 8580 8581 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 8582 nft_data_policy, NULL); 8583 if (err < 0) 8584 return err; 8585 8586 if (tb[NFTA_DATA_VALUE]) 8587 return nft_value_init(ctx, data, size, desc, 8588 tb[NFTA_DATA_VALUE]); 8589 if (tb[NFTA_DATA_VERDICT] && ctx != NULL) 8590 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 8591 return -EINVAL; 8592 } 8593 EXPORT_SYMBOL_GPL(nft_data_init); 8594 8595 /** 8596 * nft_data_release - release a nft_data item 8597 * 8598 * @data: struct nft_data to release 8599 * @type: type of data 8600 * 8601 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 8602 * all others need to be released by calling this function. 8603 */ 8604 void nft_data_release(const struct nft_data *data, enum nft_data_types type) 8605 { 8606 if (type < NFT_DATA_VERDICT) 8607 return; 8608 switch (type) { 8609 case NFT_DATA_VERDICT: 8610 return nft_verdict_uninit(data); 8611 default: 8612 WARN_ON(1); 8613 } 8614 } 8615 EXPORT_SYMBOL_GPL(nft_data_release); 8616 8617 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 8618 enum nft_data_types type, unsigned int len) 8619 { 8620 struct nlattr *nest; 8621 int err; 8622 8623 nest = nla_nest_start_noflag(skb, attr); 8624 if (nest == NULL) 8625 return -1; 8626 8627 switch (type) { 8628 case NFT_DATA_VALUE: 8629 err = nft_value_dump(skb, data, len); 8630 break; 8631 case NFT_DATA_VERDICT: 8632 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 8633 break; 8634 default: 8635 err = -EINVAL; 8636 WARN_ON(1); 8637 } 8638 8639 nla_nest_end(skb, nest); 8640 return err; 8641 } 8642 EXPORT_SYMBOL_GPL(nft_data_dump); 8643 8644 int __nft_release_basechain(struct nft_ctx *ctx) 8645 { 8646 struct nft_rule *rule, *nr; 8647 8648 if (WARN_ON(!nft_is_base_chain(ctx->chain))) 8649 return 0; 8650 8651 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); 8652 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { 8653 list_del(&rule->list); 8654 ctx->chain->use--; 8655 nf_tables_rule_release(ctx, rule); 8656 } 8657 nft_chain_del(ctx->chain); 8658 ctx->table->use--; 8659 nf_tables_chain_destroy(ctx); 8660 8661 return 0; 8662 } 8663 EXPORT_SYMBOL_GPL(__nft_release_basechain); 8664 8665 static void __nft_release_tables(struct net *net) 8666 { 8667 struct nft_flowtable *flowtable, *nf; 8668 struct nft_table *table, *nt; 8669 struct nft_chain *chain, *nc; 8670 struct nft_object *obj, *ne; 8671 struct nft_rule *rule, *nr; 8672 struct nft_set *set, *ns; 8673 struct nft_ctx ctx = { 8674 .net = net, 8675 .family = NFPROTO_NETDEV, 8676 }; 8677 8678 list_for_each_entry_safe(table, nt, &net->nft.tables, list) { 8679 ctx.family = table->family; 8680 8681 list_for_each_entry(chain, &table->chains, list) 8682 nf_tables_unregister_hook(net, table, chain); 8683 /* No packets are walking on these chains anymore. */ 8684 ctx.table = table; 8685 list_for_each_entry(chain, &table->chains, list) { 8686 ctx.chain = chain; 8687 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 8688 list_del(&rule->list); 8689 chain->use--; 8690 nf_tables_rule_release(&ctx, rule); 8691 } 8692 } 8693 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 8694 list_del(&flowtable->list); 8695 table->use--; 8696 nf_tables_flowtable_destroy(flowtable); 8697 } 8698 list_for_each_entry_safe(set, ns, &table->sets, list) { 8699 list_del(&set->list); 8700 table->use--; 8701 nft_set_destroy(&ctx, set); 8702 } 8703 list_for_each_entry_safe(obj, ne, &table->objects, list) { 8704 nft_obj_del(obj); 8705 table->use--; 8706 nft_obj_destroy(&ctx, obj); 8707 } 8708 list_for_each_entry_safe(chain, nc, &table->chains, list) { 8709 ctx.chain = chain; 8710 nft_chain_del(chain); 8711 table->use--; 8712 nf_tables_chain_destroy(&ctx); 8713 } 8714 list_del(&table->list); 8715 nf_tables_table_destroy(&ctx); 8716 } 8717 } 8718 8719 static int __net_init nf_tables_init_net(struct net *net) 8720 { 8721 INIT_LIST_HEAD(&net->nft.tables); 8722 INIT_LIST_HEAD(&net->nft.commit_list); 8723 INIT_LIST_HEAD(&net->nft.module_list); 8724 mutex_init(&net->nft.commit_mutex); 8725 net->nft.base_seq = 1; 8726 net->nft.validate_state = NFT_VALIDATE_SKIP; 8727 8728 return 0; 8729 } 8730 8731 static void __net_exit nf_tables_exit_net(struct net *net) 8732 { 8733 mutex_lock(&net->nft.commit_mutex); 8734 if (!list_empty(&net->nft.commit_list)) 8735 __nf_tables_abort(net, false); 8736 __nft_release_tables(net); 8737 mutex_unlock(&net->nft.commit_mutex); 8738 WARN_ON_ONCE(!list_empty(&net->nft.tables)); 8739 WARN_ON_ONCE(!list_empty(&net->nft.module_list)); 8740 } 8741 8742 static struct pernet_operations nf_tables_net_ops = { 8743 .init = nf_tables_init_net, 8744 .exit = nf_tables_exit_net, 8745 }; 8746 8747 static int __init nf_tables_module_init(void) 8748 { 8749 int err; 8750 8751 spin_lock_init(&nf_tables_destroy_list_lock); 8752 err = register_pernet_subsys(&nf_tables_net_ops); 8753 if (err < 0) 8754 return err; 8755 8756 err = nft_chain_filter_init(); 8757 if (err < 0) 8758 goto err1; 8759 8760 err = nf_tables_core_module_init(); 8761 if (err < 0) 8762 goto err2; 8763 8764 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 8765 if (err < 0) 8766 goto err3; 8767 8768 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 8769 if (err < 0) 8770 goto err4; 8771 8772 err = nft_offload_init(); 8773 if (err < 0) 8774 goto err5; 8775 8776 /* must be last */ 8777 err = nfnetlink_subsys_register(&nf_tables_subsys); 8778 if (err < 0) 8779 goto err6; 8780 8781 nft_chain_route_init(); 8782 8783 return err; 8784 err6: 8785 nft_offload_exit(); 8786 err5: 8787 rhltable_destroy(&nft_objname_ht); 8788 err4: 8789 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 8790 err3: 8791 nf_tables_core_module_exit(); 8792 err2: 8793 nft_chain_filter_fini(); 8794 err1: 8795 unregister_pernet_subsys(&nf_tables_net_ops); 8796 return err; 8797 } 8798 8799 static void __exit nf_tables_module_exit(void) 8800 { 8801 nfnetlink_subsys_unregister(&nf_tables_subsys); 8802 nft_offload_exit(); 8803 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 8804 nft_chain_filter_fini(); 8805 nft_chain_route_fini(); 8806 unregister_pernet_subsys(&nf_tables_net_ops); 8807 cancel_work_sync(&trans_destroy_work); 8808 rcu_barrier(); 8809 rhltable_destroy(&nft_objname_ht); 8810 nf_tables_core_module_exit(); 8811 } 8812 8813 module_init(nf_tables_module_init); 8814 module_exit(nf_tables_module_exit); 8815 8816 MODULE_LICENSE("GPL"); 8817 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 8818 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 8819