1 /* 2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 3 * 4 * This program is free software; you can redistribute it and/or modify 5 * it under the terms of the GNU General Public License version 2 as 6 * published by the Free Software Foundation. 7 * 8 * Development of this code funded by Astaro AG (http://www.astaro.com/) 9 */ 10 11 #include <linux/module.h> 12 #include <linux/init.h> 13 #include <linux/list.h> 14 #include <linux/skbuff.h> 15 #include <linux/netlink.h> 16 #include <linux/netfilter.h> 17 #include <linux/netfilter/nfnetlink.h> 18 #include <linux/netfilter/nf_tables.h> 19 #include <net/netfilter/nf_tables_core.h> 20 #include <net/netfilter/nf_tables.h> 21 #include <net/net_namespace.h> 22 #include <net/sock.h> 23 24 static LIST_HEAD(nf_tables_expressions); 25 26 /** 27 * nft_register_afinfo - register nf_tables address family info 28 * 29 * @afi: address family info to register 30 * 31 * Register the address family for use with nf_tables. Returns zero on 32 * success or a negative errno code otherwise. 33 */ 34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi) 35 { 36 INIT_LIST_HEAD(&afi->tables); 37 nfnl_lock(NFNL_SUBSYS_NFTABLES); 38 list_add_tail_rcu(&afi->list, &net->nft.af_info); 39 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 40 return 0; 41 } 42 EXPORT_SYMBOL_GPL(nft_register_afinfo); 43 44 /** 45 * nft_unregister_afinfo - unregister nf_tables address family info 46 * 47 * @afi: address family info to unregister 48 * 49 * Unregister the address family for use with nf_tables. 50 */ 51 void nft_unregister_afinfo(struct nft_af_info *afi) 52 { 53 nfnl_lock(NFNL_SUBSYS_NFTABLES); 54 list_del_rcu(&afi->list); 55 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 56 } 57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo); 58 59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family) 60 { 61 struct nft_af_info *afi; 62 63 list_for_each_entry(afi, &net->nft.af_info, list) { 64 if (afi->family == family) 65 return afi; 66 } 67 return NULL; 68 } 69 70 static struct nft_af_info * 71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload) 72 { 73 struct nft_af_info *afi; 74 75 afi = nft_afinfo_lookup(net, family); 76 if (afi != NULL) 77 return afi; 78 #ifdef CONFIG_MODULES 79 if (autoload) { 80 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 81 request_module("nft-afinfo-%u", family); 82 nfnl_lock(NFNL_SUBSYS_NFTABLES); 83 afi = nft_afinfo_lookup(net, family); 84 if (afi != NULL) 85 return ERR_PTR(-EAGAIN); 86 } 87 #endif 88 return ERR_PTR(-EAFNOSUPPORT); 89 } 90 91 static void nft_ctx_init(struct nft_ctx *ctx, 92 const struct sk_buff *skb, 93 const struct nlmsghdr *nlh, 94 struct nft_af_info *afi, 95 struct nft_table *table, 96 struct nft_chain *chain, 97 const struct nlattr * const *nla) 98 { 99 ctx->net = sock_net(skb->sk); 100 ctx->afi = afi; 101 ctx->table = table; 102 ctx->chain = chain; 103 ctx->nla = nla; 104 ctx->portid = NETLINK_CB(skb).portid; 105 ctx->report = nlmsg_report(nlh); 106 ctx->seq = nlh->nlmsg_seq; 107 } 108 109 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type, 110 u32 size) 111 { 112 struct nft_trans *trans; 113 114 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL); 115 if (trans == NULL) 116 return NULL; 117 118 trans->msg_type = msg_type; 119 trans->ctx = *ctx; 120 121 return trans; 122 } 123 124 static void nft_trans_destroy(struct nft_trans *trans) 125 { 126 list_del(&trans->list); 127 kfree(trans); 128 } 129 130 int nft_register_basechain(struct nft_base_chain *basechain, 131 unsigned int hook_nops) 132 { 133 if (basechain->flags & NFT_BASECHAIN_DISABLED) 134 return 0; 135 136 return nf_register_hooks(basechain->ops, hook_nops); 137 } 138 EXPORT_SYMBOL_GPL(nft_register_basechain); 139 140 void nft_unregister_basechain(struct nft_base_chain *basechain, 141 unsigned int hook_nops) 142 { 143 if (basechain->flags & NFT_BASECHAIN_DISABLED) 144 return; 145 146 nf_unregister_hooks(basechain->ops, hook_nops); 147 } 148 EXPORT_SYMBOL_GPL(nft_unregister_basechain); 149 150 static int nf_tables_register_hooks(const struct nft_table *table, 151 struct nft_chain *chain, 152 unsigned int hook_nops) 153 { 154 if (table->flags & NFT_TABLE_F_DORMANT || 155 !(chain->flags & NFT_BASE_CHAIN)) 156 return 0; 157 158 return nft_register_basechain(nft_base_chain(chain), hook_nops); 159 } 160 161 static void nf_tables_unregister_hooks(const struct nft_table *table, 162 struct nft_chain *chain, 163 unsigned int hook_nops) 164 { 165 if (table->flags & NFT_TABLE_F_DORMANT || 166 !(chain->flags & NFT_BASE_CHAIN)) 167 return; 168 169 nft_unregister_basechain(nft_base_chain(chain), hook_nops); 170 } 171 172 /* Internal table flags */ 173 #define NFT_TABLE_INACTIVE (1 << 15) 174 175 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 176 { 177 struct nft_trans *trans; 178 179 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 180 if (trans == NULL) 181 return -ENOMEM; 182 183 if (msg_type == NFT_MSG_NEWTABLE) 184 ctx->table->flags |= NFT_TABLE_INACTIVE; 185 186 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 187 return 0; 188 } 189 190 static int nft_deltable(struct nft_ctx *ctx) 191 { 192 int err; 193 194 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 195 if (err < 0) 196 return err; 197 198 list_del_rcu(&ctx->table->list); 199 return err; 200 } 201 202 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 203 { 204 struct nft_trans *trans; 205 206 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 207 if (trans == NULL) 208 return -ENOMEM; 209 210 if (msg_type == NFT_MSG_NEWCHAIN) 211 ctx->chain->flags |= NFT_CHAIN_INACTIVE; 212 213 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 214 return 0; 215 } 216 217 static int nft_delchain(struct nft_ctx *ctx) 218 { 219 int err; 220 221 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 222 if (err < 0) 223 return err; 224 225 ctx->table->use--; 226 list_del_rcu(&ctx->chain->list); 227 228 return err; 229 } 230 231 static inline bool 232 nft_rule_is_active(struct net *net, const struct nft_rule *rule) 233 { 234 return (rule->genmask & nft_genmask_cur(net)) == 0; 235 } 236 237 static inline int 238 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule) 239 { 240 return (rule->genmask & nft_genmask_next(net)) == 0; 241 } 242 243 static inline void 244 nft_rule_activate_next(struct net *net, struct nft_rule *rule) 245 { 246 /* Now inactive, will be active in the future */ 247 rule->genmask = nft_genmask_cur(net); 248 } 249 250 static inline void 251 nft_rule_deactivate_next(struct net *net, struct nft_rule *rule) 252 { 253 rule->genmask = nft_genmask_next(net); 254 } 255 256 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule) 257 { 258 rule->genmask &= ~nft_genmask_next(net); 259 } 260 261 static int 262 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 263 { 264 /* You cannot delete the same rule twice */ 265 if (nft_rule_is_active_next(ctx->net, rule)) { 266 nft_rule_deactivate_next(ctx->net, rule); 267 ctx->chain->use--; 268 return 0; 269 } 270 return -ENOENT; 271 } 272 273 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 274 struct nft_rule *rule) 275 { 276 struct nft_trans *trans; 277 278 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 279 if (trans == NULL) 280 return NULL; 281 282 nft_trans_rule(trans) = rule; 283 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 284 285 return trans; 286 } 287 288 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 289 { 290 struct nft_trans *trans; 291 int err; 292 293 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 294 if (trans == NULL) 295 return -ENOMEM; 296 297 err = nf_tables_delrule_deactivate(ctx, rule); 298 if (err < 0) { 299 nft_trans_destroy(trans); 300 return err; 301 } 302 303 return 0; 304 } 305 306 static int nft_delrule_by_chain(struct nft_ctx *ctx) 307 { 308 struct nft_rule *rule; 309 int err; 310 311 list_for_each_entry(rule, &ctx->chain->rules, list) { 312 err = nft_delrule(ctx, rule); 313 if (err < 0) 314 return err; 315 } 316 return 0; 317 } 318 319 /* Internal set flag */ 320 #define NFT_SET_INACTIVE (1 << 15) 321 322 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type, 323 struct nft_set *set) 324 { 325 struct nft_trans *trans; 326 327 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 328 if (trans == NULL) 329 return -ENOMEM; 330 331 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) { 332 nft_trans_set_id(trans) = 333 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 334 set->flags |= NFT_SET_INACTIVE; 335 } 336 nft_trans_set(trans) = set; 337 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 338 339 return 0; 340 } 341 342 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set) 343 { 344 int err; 345 346 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 347 if (err < 0) 348 return err; 349 350 list_del_rcu(&set->list); 351 ctx->table->use--; 352 353 return err; 354 } 355 356 /* 357 * Tables 358 */ 359 360 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi, 361 const struct nlattr *nla) 362 { 363 struct nft_table *table; 364 365 list_for_each_entry(table, &afi->tables, list) { 366 if (!nla_strcmp(nla, table->name)) 367 return table; 368 } 369 return NULL; 370 } 371 372 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi, 373 const struct nlattr *nla) 374 { 375 struct nft_table *table; 376 377 if (nla == NULL) 378 return ERR_PTR(-EINVAL); 379 380 table = nft_table_lookup(afi, nla); 381 if (table != NULL) 382 return table; 383 384 return ERR_PTR(-ENOENT); 385 } 386 387 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 388 { 389 return ++table->hgenerator; 390 } 391 392 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX]; 393 394 static const struct nf_chain_type * 395 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla) 396 { 397 int i; 398 399 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 400 if (chain_type[family][i] != NULL && 401 !nla_strcmp(nla, chain_type[family][i]->name)) 402 return chain_type[family][i]; 403 } 404 return NULL; 405 } 406 407 static const struct nf_chain_type * 408 nf_tables_chain_type_lookup(const struct nft_af_info *afi, 409 const struct nlattr *nla, 410 bool autoload) 411 { 412 const struct nf_chain_type *type; 413 414 type = __nf_tables_chain_type_lookup(afi->family, nla); 415 if (type != NULL) 416 return type; 417 #ifdef CONFIG_MODULES 418 if (autoload) { 419 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 420 request_module("nft-chain-%u-%.*s", afi->family, 421 nla_len(nla), (const char *)nla_data(nla)); 422 nfnl_lock(NFNL_SUBSYS_NFTABLES); 423 type = __nf_tables_chain_type_lookup(afi->family, nla); 424 if (type != NULL) 425 return ERR_PTR(-EAGAIN); 426 } 427 #endif 428 return ERR_PTR(-ENOENT); 429 } 430 431 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 432 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 433 .len = NFT_TABLE_MAXNAMELEN - 1 }, 434 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 435 }; 436 437 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 438 u32 portid, u32 seq, int event, u32 flags, 439 int family, const struct nft_table *table) 440 { 441 struct nlmsghdr *nlh; 442 struct nfgenmsg *nfmsg; 443 444 event |= NFNL_SUBSYS_NFTABLES << 8; 445 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 446 if (nlh == NULL) 447 goto nla_put_failure; 448 449 nfmsg = nlmsg_data(nlh); 450 nfmsg->nfgen_family = family; 451 nfmsg->version = NFNETLINK_V0; 452 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 453 454 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 455 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) || 456 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use))) 457 goto nla_put_failure; 458 459 nlmsg_end(skb, nlh); 460 return 0; 461 462 nla_put_failure: 463 nlmsg_trim(skb, nlh); 464 return -1; 465 } 466 467 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event) 468 { 469 struct sk_buff *skb; 470 int err; 471 472 if (!ctx->report && 473 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 474 return 0; 475 476 err = -ENOBUFS; 477 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 478 if (skb == NULL) 479 goto err; 480 481 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 482 event, 0, ctx->afi->family, ctx->table); 483 if (err < 0) { 484 kfree_skb(skb); 485 goto err; 486 } 487 488 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 489 ctx->report, GFP_KERNEL); 490 err: 491 if (err < 0) { 492 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, 493 err); 494 } 495 return err; 496 } 497 498 static int nf_tables_dump_tables(struct sk_buff *skb, 499 struct netlink_callback *cb) 500 { 501 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 502 const struct nft_af_info *afi; 503 const struct nft_table *table; 504 unsigned int idx = 0, s_idx = cb->args[0]; 505 struct net *net = sock_net(skb->sk); 506 int family = nfmsg->nfgen_family; 507 508 rcu_read_lock(); 509 cb->seq = net->nft.base_seq; 510 511 list_for_each_entry_rcu(afi, &net->nft.af_info, list) { 512 if (family != NFPROTO_UNSPEC && family != afi->family) 513 continue; 514 515 list_for_each_entry_rcu(table, &afi->tables, list) { 516 if (idx < s_idx) 517 goto cont; 518 if (idx > s_idx) 519 memset(&cb->args[1], 0, 520 sizeof(cb->args) - sizeof(cb->args[0])); 521 if (nf_tables_fill_table_info(skb, net, 522 NETLINK_CB(cb->skb).portid, 523 cb->nlh->nlmsg_seq, 524 NFT_MSG_NEWTABLE, 525 NLM_F_MULTI, 526 afi->family, table) < 0) 527 goto done; 528 529 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 530 cont: 531 idx++; 532 } 533 } 534 done: 535 rcu_read_unlock(); 536 cb->args[0] = idx; 537 return skb->len; 538 } 539 540 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb, 541 const struct nlmsghdr *nlh, 542 const struct nlattr * const nla[]) 543 { 544 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 545 const struct nft_af_info *afi; 546 const struct nft_table *table; 547 struct sk_buff *skb2; 548 struct net *net = sock_net(skb->sk); 549 int family = nfmsg->nfgen_family; 550 int err; 551 552 if (nlh->nlmsg_flags & NLM_F_DUMP) { 553 struct netlink_dump_control c = { 554 .dump = nf_tables_dump_tables, 555 }; 556 return netlink_dump_start(nlsk, skb, nlh, &c); 557 } 558 559 afi = nf_tables_afinfo_lookup(net, family, false); 560 if (IS_ERR(afi)) 561 return PTR_ERR(afi); 562 563 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]); 564 if (IS_ERR(table)) 565 return PTR_ERR(table); 566 if (table->flags & NFT_TABLE_INACTIVE) 567 return -ENOENT; 568 569 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); 570 if (!skb2) 571 return -ENOMEM; 572 573 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 574 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0, 575 family, table); 576 if (err < 0) 577 goto err; 578 579 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 580 581 err: 582 kfree_skb(skb2); 583 return err; 584 } 585 586 static int nf_tables_table_enable(const struct nft_af_info *afi, 587 struct nft_table *table) 588 { 589 struct nft_chain *chain; 590 int err, i = 0; 591 592 list_for_each_entry(chain, &table->chains, list) { 593 if (!(chain->flags & NFT_BASE_CHAIN)) 594 continue; 595 596 err = nft_register_basechain(nft_base_chain(chain), afi->nops); 597 if (err < 0) 598 goto err; 599 600 i++; 601 } 602 return 0; 603 err: 604 list_for_each_entry(chain, &table->chains, list) { 605 if (!(chain->flags & NFT_BASE_CHAIN)) 606 continue; 607 608 if (i-- <= 0) 609 break; 610 611 nft_unregister_basechain(nft_base_chain(chain), afi->nops); 612 } 613 return err; 614 } 615 616 static void nf_tables_table_disable(const struct nft_af_info *afi, 617 struct nft_table *table) 618 { 619 struct nft_chain *chain; 620 621 list_for_each_entry(chain, &table->chains, list) { 622 if (chain->flags & NFT_BASE_CHAIN) 623 nft_unregister_basechain(nft_base_chain(chain), 624 afi->nops); 625 } 626 } 627 628 static int nf_tables_updtable(struct nft_ctx *ctx) 629 { 630 struct nft_trans *trans; 631 u32 flags; 632 int ret = 0; 633 634 if (!ctx->nla[NFTA_TABLE_FLAGS]) 635 return 0; 636 637 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 638 if (flags & ~NFT_TABLE_F_DORMANT) 639 return -EINVAL; 640 641 if (flags == ctx->table->flags) 642 return 0; 643 644 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 645 sizeof(struct nft_trans_table)); 646 if (trans == NULL) 647 return -ENOMEM; 648 649 if ((flags & NFT_TABLE_F_DORMANT) && 650 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 651 nft_trans_table_enable(trans) = false; 652 } else if (!(flags & NFT_TABLE_F_DORMANT) && 653 ctx->table->flags & NFT_TABLE_F_DORMANT) { 654 ret = nf_tables_table_enable(ctx->afi, ctx->table); 655 if (ret >= 0) { 656 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 657 nft_trans_table_enable(trans) = true; 658 } 659 } 660 if (ret < 0) 661 goto err; 662 663 nft_trans_table_update(trans) = true; 664 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 665 return 0; 666 err: 667 nft_trans_destroy(trans); 668 return ret; 669 } 670 671 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb, 672 const struct nlmsghdr *nlh, 673 const struct nlattr * const nla[]) 674 { 675 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 676 const struct nlattr *name; 677 struct nft_af_info *afi; 678 struct nft_table *table; 679 struct net *net = sock_net(skb->sk); 680 int family = nfmsg->nfgen_family; 681 u32 flags = 0; 682 struct nft_ctx ctx; 683 int err; 684 685 afi = nf_tables_afinfo_lookup(net, family, true); 686 if (IS_ERR(afi)) 687 return PTR_ERR(afi); 688 689 name = nla[NFTA_TABLE_NAME]; 690 table = nf_tables_table_lookup(afi, name); 691 if (IS_ERR(table)) { 692 if (PTR_ERR(table) != -ENOENT) 693 return PTR_ERR(table); 694 table = NULL; 695 } 696 697 if (table != NULL) { 698 if (table->flags & NFT_TABLE_INACTIVE) 699 return -ENOENT; 700 if (nlh->nlmsg_flags & NLM_F_EXCL) 701 return -EEXIST; 702 if (nlh->nlmsg_flags & NLM_F_REPLACE) 703 return -EOPNOTSUPP; 704 705 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla); 706 return nf_tables_updtable(&ctx); 707 } 708 709 if (nla[NFTA_TABLE_FLAGS]) { 710 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 711 if (flags & ~NFT_TABLE_F_DORMANT) 712 return -EINVAL; 713 } 714 715 err = -EAFNOSUPPORT; 716 if (!try_module_get(afi->owner)) 717 goto err1; 718 719 err = -ENOMEM; 720 table = kzalloc(sizeof(*table), GFP_KERNEL); 721 if (table == NULL) 722 goto err2; 723 724 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN); 725 INIT_LIST_HEAD(&table->chains); 726 INIT_LIST_HEAD(&table->sets); 727 table->flags = flags; 728 729 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla); 730 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 731 if (err < 0) 732 goto err3; 733 734 list_add_tail_rcu(&table->list, &afi->tables); 735 return 0; 736 err3: 737 kfree(table); 738 err2: 739 module_put(afi->owner); 740 err1: 741 return err; 742 } 743 744 static int nft_flush_table(struct nft_ctx *ctx) 745 { 746 int err; 747 struct nft_chain *chain, *nc; 748 struct nft_set *set, *ns; 749 750 list_for_each_entry(chain, &ctx->table->chains, list) { 751 ctx->chain = chain; 752 753 err = nft_delrule_by_chain(ctx); 754 if (err < 0) 755 goto out; 756 } 757 758 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 759 if (set->flags & NFT_SET_ANONYMOUS && 760 !list_empty(&set->bindings)) 761 continue; 762 763 err = nft_delset(ctx, set); 764 if (err < 0) 765 goto out; 766 } 767 768 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 769 ctx->chain = chain; 770 771 err = nft_delchain(ctx); 772 if (err < 0) 773 goto out; 774 } 775 776 err = nft_deltable(ctx); 777 out: 778 return err; 779 } 780 781 static int nft_flush(struct nft_ctx *ctx, int family) 782 { 783 struct nft_af_info *afi; 784 struct nft_table *table, *nt; 785 const struct nlattr * const *nla = ctx->nla; 786 int err = 0; 787 788 list_for_each_entry(afi, &ctx->net->nft.af_info, list) { 789 if (family != AF_UNSPEC && afi->family != family) 790 continue; 791 792 ctx->afi = afi; 793 list_for_each_entry_safe(table, nt, &afi->tables, list) { 794 if (nla[NFTA_TABLE_NAME] && 795 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 796 continue; 797 798 ctx->table = table; 799 800 err = nft_flush_table(ctx); 801 if (err < 0) 802 goto out; 803 } 804 } 805 out: 806 return err; 807 } 808 809 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb, 810 const struct nlmsghdr *nlh, 811 const struct nlattr * const nla[]) 812 { 813 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 814 struct nft_af_info *afi; 815 struct nft_table *table; 816 struct net *net = sock_net(skb->sk); 817 int family = nfmsg->nfgen_family; 818 struct nft_ctx ctx; 819 820 nft_ctx_init(&ctx, skb, nlh, NULL, NULL, NULL, nla); 821 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL) 822 return nft_flush(&ctx, family); 823 824 afi = nf_tables_afinfo_lookup(net, family, false); 825 if (IS_ERR(afi)) 826 return PTR_ERR(afi); 827 828 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]); 829 if (IS_ERR(table)) 830 return PTR_ERR(table); 831 if (table->flags & NFT_TABLE_INACTIVE) 832 return -ENOENT; 833 834 ctx.afi = afi; 835 ctx.table = table; 836 837 return nft_flush_table(&ctx); 838 } 839 840 static void nf_tables_table_destroy(struct nft_ctx *ctx) 841 { 842 BUG_ON(ctx->table->use > 0); 843 844 kfree(ctx->table); 845 module_put(ctx->afi->owner); 846 } 847 848 int nft_register_chain_type(const struct nf_chain_type *ctype) 849 { 850 int err = 0; 851 852 nfnl_lock(NFNL_SUBSYS_NFTABLES); 853 if (chain_type[ctype->family][ctype->type] != NULL) { 854 err = -EBUSY; 855 goto out; 856 } 857 chain_type[ctype->family][ctype->type] = ctype; 858 out: 859 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 860 return err; 861 } 862 EXPORT_SYMBOL_GPL(nft_register_chain_type); 863 864 void nft_unregister_chain_type(const struct nf_chain_type *ctype) 865 { 866 nfnl_lock(NFNL_SUBSYS_NFTABLES); 867 chain_type[ctype->family][ctype->type] = NULL; 868 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 869 } 870 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 871 872 /* 873 * Chains 874 */ 875 876 static struct nft_chain * 877 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle) 878 { 879 struct nft_chain *chain; 880 881 list_for_each_entry(chain, &table->chains, list) { 882 if (chain->handle == handle) 883 return chain; 884 } 885 886 return ERR_PTR(-ENOENT); 887 } 888 889 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table, 890 const struct nlattr *nla) 891 { 892 struct nft_chain *chain; 893 894 if (nla == NULL) 895 return ERR_PTR(-EINVAL); 896 897 list_for_each_entry(chain, &table->chains, list) { 898 if (!nla_strcmp(nla, chain->name)) 899 return chain; 900 } 901 902 return ERR_PTR(-ENOENT); 903 } 904 905 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 906 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING }, 907 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 908 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 909 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 910 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 911 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 912 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING }, 913 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 914 }; 915 916 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 917 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 918 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 919 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 920 .len = IFNAMSIZ - 1 }, 921 }; 922 923 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 924 { 925 struct nft_stats *cpu_stats, total; 926 struct nlattr *nest; 927 unsigned int seq; 928 u64 pkts, bytes; 929 int cpu; 930 931 memset(&total, 0, sizeof(total)); 932 for_each_possible_cpu(cpu) { 933 cpu_stats = per_cpu_ptr(stats, cpu); 934 do { 935 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp); 936 pkts = cpu_stats->pkts; 937 bytes = cpu_stats->bytes; 938 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq)); 939 total.pkts += pkts; 940 total.bytes += bytes; 941 } 942 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS); 943 if (nest == NULL) 944 goto nla_put_failure; 945 946 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) || 947 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes))) 948 goto nla_put_failure; 949 950 nla_nest_end(skb, nest); 951 return 0; 952 953 nla_put_failure: 954 return -ENOSPC; 955 } 956 957 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 958 u32 portid, u32 seq, int event, u32 flags, 959 int family, const struct nft_table *table, 960 const struct nft_chain *chain) 961 { 962 struct nlmsghdr *nlh; 963 struct nfgenmsg *nfmsg; 964 965 event |= NFNL_SUBSYS_NFTABLES << 8; 966 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 967 if (nlh == NULL) 968 goto nla_put_failure; 969 970 nfmsg = nlmsg_data(nlh); 971 nfmsg->nfgen_family = family; 972 nfmsg->version = NFNETLINK_V0; 973 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 974 975 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) 976 goto nla_put_failure; 977 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle))) 978 goto nla_put_failure; 979 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name)) 980 goto nla_put_failure; 981 982 if (chain->flags & NFT_BASE_CHAIN) { 983 const struct nft_base_chain *basechain = nft_base_chain(chain); 984 const struct nf_hook_ops *ops = &basechain->ops[0]; 985 struct nlattr *nest; 986 987 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK); 988 if (nest == NULL) 989 goto nla_put_failure; 990 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 991 goto nla_put_failure; 992 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 993 goto nla_put_failure; 994 if (basechain->dev_name[0] && 995 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name)) 996 goto nla_put_failure; 997 nla_nest_end(skb, nest); 998 999 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1000 htonl(basechain->policy))) 1001 goto nla_put_failure; 1002 1003 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1004 goto nla_put_failure; 1005 1006 if (nft_dump_stats(skb, nft_base_chain(chain)->stats)) 1007 goto nla_put_failure; 1008 } 1009 1010 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1011 goto nla_put_failure; 1012 1013 nlmsg_end(skb, nlh); 1014 return 0; 1015 1016 nla_put_failure: 1017 nlmsg_trim(skb, nlh); 1018 return -1; 1019 } 1020 1021 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event) 1022 { 1023 struct sk_buff *skb; 1024 int err; 1025 1026 if (!ctx->report && 1027 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1028 return 0; 1029 1030 err = -ENOBUFS; 1031 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1032 if (skb == NULL) 1033 goto err; 1034 1035 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1036 event, 0, ctx->afi->family, ctx->table, 1037 ctx->chain); 1038 if (err < 0) { 1039 kfree_skb(skb); 1040 goto err; 1041 } 1042 1043 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 1044 ctx->report, GFP_KERNEL); 1045 err: 1046 if (err < 0) { 1047 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, 1048 err); 1049 } 1050 return err; 1051 } 1052 1053 static int nf_tables_dump_chains(struct sk_buff *skb, 1054 struct netlink_callback *cb) 1055 { 1056 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1057 const struct nft_af_info *afi; 1058 const struct nft_table *table; 1059 const struct nft_chain *chain; 1060 unsigned int idx = 0, s_idx = cb->args[0]; 1061 struct net *net = sock_net(skb->sk); 1062 int family = nfmsg->nfgen_family; 1063 1064 rcu_read_lock(); 1065 cb->seq = net->nft.base_seq; 1066 1067 list_for_each_entry_rcu(afi, &net->nft.af_info, list) { 1068 if (family != NFPROTO_UNSPEC && family != afi->family) 1069 continue; 1070 1071 list_for_each_entry_rcu(table, &afi->tables, list) { 1072 list_for_each_entry_rcu(chain, &table->chains, list) { 1073 if (idx < s_idx) 1074 goto cont; 1075 if (idx > s_idx) 1076 memset(&cb->args[1], 0, 1077 sizeof(cb->args) - sizeof(cb->args[0])); 1078 if (nf_tables_fill_chain_info(skb, net, 1079 NETLINK_CB(cb->skb).portid, 1080 cb->nlh->nlmsg_seq, 1081 NFT_MSG_NEWCHAIN, 1082 NLM_F_MULTI, 1083 afi->family, table, chain) < 0) 1084 goto done; 1085 1086 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1087 cont: 1088 idx++; 1089 } 1090 } 1091 } 1092 done: 1093 rcu_read_unlock(); 1094 cb->args[0] = idx; 1095 return skb->len; 1096 } 1097 1098 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb, 1099 const struct nlmsghdr *nlh, 1100 const struct nlattr * const nla[]) 1101 { 1102 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1103 const struct nft_af_info *afi; 1104 const struct nft_table *table; 1105 const struct nft_chain *chain; 1106 struct sk_buff *skb2; 1107 struct net *net = sock_net(skb->sk); 1108 int family = nfmsg->nfgen_family; 1109 int err; 1110 1111 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1112 struct netlink_dump_control c = { 1113 .dump = nf_tables_dump_chains, 1114 }; 1115 return netlink_dump_start(nlsk, skb, nlh, &c); 1116 } 1117 1118 afi = nf_tables_afinfo_lookup(net, family, false); 1119 if (IS_ERR(afi)) 1120 return PTR_ERR(afi); 1121 1122 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]); 1123 if (IS_ERR(table)) 1124 return PTR_ERR(table); 1125 if (table->flags & NFT_TABLE_INACTIVE) 1126 return -ENOENT; 1127 1128 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]); 1129 if (IS_ERR(chain)) 1130 return PTR_ERR(chain); 1131 if (chain->flags & NFT_CHAIN_INACTIVE) 1132 return -ENOENT; 1133 1134 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); 1135 if (!skb2) 1136 return -ENOMEM; 1137 1138 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 1139 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0, 1140 family, table, chain); 1141 if (err < 0) 1142 goto err; 1143 1144 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 1145 1146 err: 1147 kfree_skb(skb2); 1148 return err; 1149 } 1150 1151 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 1152 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 1153 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 1154 }; 1155 1156 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 1157 { 1158 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 1159 struct nft_stats __percpu *newstats; 1160 struct nft_stats *stats; 1161 int err; 1162 1163 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy); 1164 if (err < 0) 1165 return ERR_PTR(err); 1166 1167 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 1168 return ERR_PTR(-EINVAL); 1169 1170 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 1171 if (newstats == NULL) 1172 return ERR_PTR(-ENOMEM); 1173 1174 /* Restore old counters on this cpu, no problem. Per-cpu statistics 1175 * are not exposed to userspace. 1176 */ 1177 preempt_disable(); 1178 stats = this_cpu_ptr(newstats); 1179 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 1180 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 1181 preempt_enable(); 1182 1183 return newstats; 1184 } 1185 1186 static void nft_chain_stats_replace(struct nft_base_chain *chain, 1187 struct nft_stats __percpu *newstats) 1188 { 1189 if (newstats == NULL) 1190 return; 1191 1192 if (chain->stats) { 1193 struct nft_stats __percpu *oldstats = 1194 nft_dereference(chain->stats); 1195 1196 rcu_assign_pointer(chain->stats, newstats); 1197 synchronize_rcu(); 1198 free_percpu(oldstats); 1199 } else 1200 rcu_assign_pointer(chain->stats, newstats); 1201 } 1202 1203 static void nf_tables_chain_destroy(struct nft_chain *chain) 1204 { 1205 BUG_ON(chain->use > 0); 1206 1207 if (chain->flags & NFT_BASE_CHAIN) { 1208 struct nft_base_chain *basechain = nft_base_chain(chain); 1209 1210 module_put(basechain->type->owner); 1211 free_percpu(basechain->stats); 1212 if (basechain->ops[0].dev != NULL) 1213 dev_put(basechain->ops[0].dev); 1214 kfree(basechain); 1215 } else { 1216 kfree(chain); 1217 } 1218 } 1219 1220 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb, 1221 const struct nlmsghdr *nlh, 1222 const struct nlattr * const nla[]) 1223 { 1224 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1225 const struct nlattr * uninitialized_var(name); 1226 struct nft_af_info *afi; 1227 struct nft_table *table; 1228 struct nft_chain *chain; 1229 struct nft_base_chain *basechain = NULL; 1230 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 1231 struct net *net = sock_net(skb->sk); 1232 int family = nfmsg->nfgen_family; 1233 struct net_device *dev = NULL; 1234 u8 policy = NF_ACCEPT; 1235 u64 handle = 0; 1236 unsigned int i; 1237 struct nft_stats __percpu *stats; 1238 int err; 1239 bool create; 1240 struct nft_ctx ctx; 1241 1242 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false; 1243 1244 afi = nf_tables_afinfo_lookup(net, family, true); 1245 if (IS_ERR(afi)) 1246 return PTR_ERR(afi); 1247 1248 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]); 1249 if (IS_ERR(table)) 1250 return PTR_ERR(table); 1251 1252 chain = NULL; 1253 name = nla[NFTA_CHAIN_NAME]; 1254 1255 if (nla[NFTA_CHAIN_HANDLE]) { 1256 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 1257 chain = nf_tables_chain_lookup_byhandle(table, handle); 1258 if (IS_ERR(chain)) 1259 return PTR_ERR(chain); 1260 } else { 1261 chain = nf_tables_chain_lookup(table, name); 1262 if (IS_ERR(chain)) { 1263 if (PTR_ERR(chain) != -ENOENT) 1264 return PTR_ERR(chain); 1265 chain = NULL; 1266 } 1267 } 1268 1269 if (nla[NFTA_CHAIN_POLICY]) { 1270 if ((chain != NULL && 1271 !(chain->flags & NFT_BASE_CHAIN))) 1272 return -EOPNOTSUPP; 1273 1274 if (chain == NULL && 1275 nla[NFTA_CHAIN_HOOK] == NULL) 1276 return -EOPNOTSUPP; 1277 1278 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 1279 switch (policy) { 1280 case NF_DROP: 1281 case NF_ACCEPT: 1282 break; 1283 default: 1284 return -EINVAL; 1285 } 1286 } 1287 1288 if (chain != NULL) { 1289 struct nft_stats *stats = NULL; 1290 struct nft_trans *trans; 1291 1292 if (chain->flags & NFT_CHAIN_INACTIVE) 1293 return -ENOENT; 1294 if (nlh->nlmsg_flags & NLM_F_EXCL) 1295 return -EEXIST; 1296 if (nlh->nlmsg_flags & NLM_F_REPLACE) 1297 return -EOPNOTSUPP; 1298 1299 if (nla[NFTA_CHAIN_HANDLE] && name && 1300 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]))) 1301 return -EEXIST; 1302 1303 if (nla[NFTA_CHAIN_COUNTERS]) { 1304 if (!(chain->flags & NFT_BASE_CHAIN)) 1305 return -EOPNOTSUPP; 1306 1307 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 1308 if (IS_ERR(stats)) 1309 return PTR_ERR(stats); 1310 } 1311 1312 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla); 1313 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN, 1314 sizeof(struct nft_trans_chain)); 1315 if (trans == NULL) { 1316 free_percpu(stats); 1317 return -ENOMEM; 1318 } 1319 1320 nft_trans_chain_stats(trans) = stats; 1321 nft_trans_chain_update(trans) = true; 1322 1323 if (nla[NFTA_CHAIN_POLICY]) 1324 nft_trans_chain_policy(trans) = policy; 1325 else 1326 nft_trans_chain_policy(trans) = -1; 1327 1328 if (nla[NFTA_CHAIN_HANDLE] && name) { 1329 nla_strlcpy(nft_trans_chain_name(trans), name, 1330 NFT_CHAIN_MAXNAMELEN); 1331 } 1332 list_add_tail(&trans->list, &net->nft.commit_list); 1333 return 0; 1334 } 1335 1336 if (table->use == UINT_MAX) 1337 return -EOVERFLOW; 1338 1339 if (nla[NFTA_CHAIN_HOOK]) { 1340 const struct nf_chain_type *type; 1341 struct nf_hook_ops *ops; 1342 nf_hookfn *hookfn; 1343 u32 hooknum, priority; 1344 1345 type = chain_type[family][NFT_CHAIN_T_DEFAULT]; 1346 if (nla[NFTA_CHAIN_TYPE]) { 1347 type = nf_tables_chain_type_lookup(afi, 1348 nla[NFTA_CHAIN_TYPE], 1349 create); 1350 if (IS_ERR(type)) 1351 return PTR_ERR(type); 1352 } 1353 1354 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK], 1355 nft_hook_policy); 1356 if (err < 0) 1357 return err; 1358 if (ha[NFTA_HOOK_HOOKNUM] == NULL || 1359 ha[NFTA_HOOK_PRIORITY] == NULL) 1360 return -EINVAL; 1361 1362 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 1363 if (hooknum >= afi->nhooks) 1364 return -EINVAL; 1365 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 1366 1367 if (!(type->hook_mask & (1 << hooknum))) 1368 return -EOPNOTSUPP; 1369 if (!try_module_get(type->owner)) 1370 return -ENOENT; 1371 hookfn = type->hooks[hooknum]; 1372 1373 if (afi->flags & NFT_AF_NEEDS_DEV) { 1374 char ifname[IFNAMSIZ]; 1375 1376 if (!ha[NFTA_HOOK_DEV]) { 1377 module_put(type->owner); 1378 return -EOPNOTSUPP; 1379 } 1380 1381 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ); 1382 dev = dev_get_by_name(net, ifname); 1383 if (!dev) { 1384 module_put(type->owner); 1385 return -ENOENT; 1386 } 1387 } else if (ha[NFTA_HOOK_DEV]) { 1388 module_put(type->owner); 1389 return -EOPNOTSUPP; 1390 } 1391 1392 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL); 1393 if (basechain == NULL) { 1394 module_put(type->owner); 1395 if (dev != NULL) 1396 dev_put(dev); 1397 return -ENOMEM; 1398 } 1399 1400 if (dev != NULL) 1401 strncpy(basechain->dev_name, dev->name, IFNAMSIZ); 1402 1403 if (nla[NFTA_CHAIN_COUNTERS]) { 1404 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 1405 if (IS_ERR(stats)) { 1406 module_put(type->owner); 1407 kfree(basechain); 1408 if (dev != NULL) 1409 dev_put(dev); 1410 return PTR_ERR(stats); 1411 } 1412 basechain->stats = stats; 1413 } else { 1414 stats = netdev_alloc_pcpu_stats(struct nft_stats); 1415 if (stats == NULL) { 1416 module_put(type->owner); 1417 kfree(basechain); 1418 if (dev != NULL) 1419 dev_put(dev); 1420 return -ENOMEM; 1421 } 1422 rcu_assign_pointer(basechain->stats, stats); 1423 } 1424 1425 write_pnet(&basechain->pnet, net); 1426 basechain->type = type; 1427 chain = &basechain->chain; 1428 1429 for (i = 0; i < afi->nops; i++) { 1430 ops = &basechain->ops[i]; 1431 ops->pf = family; 1432 ops->owner = afi->owner; 1433 ops->hooknum = hooknum; 1434 ops->priority = priority; 1435 ops->priv = chain; 1436 ops->hook = afi->hooks[ops->hooknum]; 1437 ops->dev = dev; 1438 if (hookfn) 1439 ops->hook = hookfn; 1440 if (afi->hook_ops_init) 1441 afi->hook_ops_init(ops, i); 1442 } 1443 1444 chain->flags |= NFT_BASE_CHAIN; 1445 basechain->policy = policy; 1446 } else { 1447 chain = kzalloc(sizeof(*chain), GFP_KERNEL); 1448 if (chain == NULL) 1449 return -ENOMEM; 1450 } 1451 1452 INIT_LIST_HEAD(&chain->rules); 1453 chain->handle = nf_tables_alloc_handle(table); 1454 chain->table = table; 1455 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN); 1456 1457 err = nf_tables_register_hooks(table, chain, afi->nops); 1458 if (err < 0) 1459 goto err1; 1460 1461 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla); 1462 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN); 1463 if (err < 0) 1464 goto err2; 1465 1466 table->use++; 1467 list_add_tail_rcu(&chain->list, &table->chains); 1468 return 0; 1469 err2: 1470 nf_tables_unregister_hooks(table, chain, afi->nops); 1471 err1: 1472 nf_tables_chain_destroy(chain); 1473 return err; 1474 } 1475 1476 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb, 1477 const struct nlmsghdr *nlh, 1478 const struct nlattr * const nla[]) 1479 { 1480 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1481 struct nft_af_info *afi; 1482 struct nft_table *table; 1483 struct nft_chain *chain; 1484 struct net *net = sock_net(skb->sk); 1485 int family = nfmsg->nfgen_family; 1486 struct nft_ctx ctx; 1487 1488 afi = nf_tables_afinfo_lookup(net, family, false); 1489 if (IS_ERR(afi)) 1490 return PTR_ERR(afi); 1491 1492 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]); 1493 if (IS_ERR(table)) 1494 return PTR_ERR(table); 1495 if (table->flags & NFT_TABLE_INACTIVE) 1496 return -ENOENT; 1497 1498 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]); 1499 if (IS_ERR(chain)) 1500 return PTR_ERR(chain); 1501 if (chain->flags & NFT_CHAIN_INACTIVE) 1502 return -ENOENT; 1503 if (chain->use > 0) 1504 return -EBUSY; 1505 1506 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla); 1507 1508 return nft_delchain(&ctx); 1509 } 1510 1511 /* 1512 * Expressions 1513 */ 1514 1515 /** 1516 * nft_register_expr - register nf_tables expr type 1517 * @ops: expr type 1518 * 1519 * Registers the expr type for use with nf_tables. Returns zero on 1520 * success or a negative errno code otherwise. 1521 */ 1522 int nft_register_expr(struct nft_expr_type *type) 1523 { 1524 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1525 if (type->family == NFPROTO_UNSPEC) 1526 list_add_tail_rcu(&type->list, &nf_tables_expressions); 1527 else 1528 list_add_rcu(&type->list, &nf_tables_expressions); 1529 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1530 return 0; 1531 } 1532 EXPORT_SYMBOL_GPL(nft_register_expr); 1533 1534 /** 1535 * nft_unregister_expr - unregister nf_tables expr type 1536 * @ops: expr type 1537 * 1538 * Unregisters the expr typefor use with nf_tables. 1539 */ 1540 void nft_unregister_expr(struct nft_expr_type *type) 1541 { 1542 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1543 list_del_rcu(&type->list); 1544 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1545 } 1546 EXPORT_SYMBOL_GPL(nft_unregister_expr); 1547 1548 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 1549 struct nlattr *nla) 1550 { 1551 const struct nft_expr_type *type; 1552 1553 list_for_each_entry(type, &nf_tables_expressions, list) { 1554 if (!nla_strcmp(nla, type->name) && 1555 (!type->family || type->family == family)) 1556 return type; 1557 } 1558 return NULL; 1559 } 1560 1561 static const struct nft_expr_type *nft_expr_type_get(u8 family, 1562 struct nlattr *nla) 1563 { 1564 const struct nft_expr_type *type; 1565 1566 if (nla == NULL) 1567 return ERR_PTR(-EINVAL); 1568 1569 type = __nft_expr_type_get(family, nla); 1570 if (type != NULL && try_module_get(type->owner)) 1571 return type; 1572 1573 #ifdef CONFIG_MODULES 1574 if (type == NULL) { 1575 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1576 request_module("nft-expr-%u-%.*s", family, 1577 nla_len(nla), (char *)nla_data(nla)); 1578 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1579 if (__nft_expr_type_get(family, nla)) 1580 return ERR_PTR(-EAGAIN); 1581 1582 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1583 request_module("nft-expr-%.*s", 1584 nla_len(nla), (char *)nla_data(nla)); 1585 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1586 if (__nft_expr_type_get(family, nla)) 1587 return ERR_PTR(-EAGAIN); 1588 } 1589 #endif 1590 return ERR_PTR(-ENOENT); 1591 } 1592 1593 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 1594 [NFTA_EXPR_NAME] = { .type = NLA_STRING }, 1595 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 1596 }; 1597 1598 static int nf_tables_fill_expr_info(struct sk_buff *skb, 1599 const struct nft_expr *expr) 1600 { 1601 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 1602 goto nla_put_failure; 1603 1604 if (expr->ops->dump) { 1605 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA); 1606 if (data == NULL) 1607 goto nla_put_failure; 1608 if (expr->ops->dump(skb, expr) < 0) 1609 goto nla_put_failure; 1610 nla_nest_end(skb, data); 1611 } 1612 1613 return skb->len; 1614 1615 nla_put_failure: 1616 return -1; 1617 }; 1618 1619 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 1620 const struct nft_expr *expr) 1621 { 1622 struct nlattr *nest; 1623 1624 nest = nla_nest_start(skb, attr); 1625 if (!nest) 1626 goto nla_put_failure; 1627 if (nf_tables_fill_expr_info(skb, expr) < 0) 1628 goto nla_put_failure; 1629 nla_nest_end(skb, nest); 1630 return 0; 1631 1632 nla_put_failure: 1633 return -1; 1634 } 1635 1636 struct nft_expr_info { 1637 const struct nft_expr_ops *ops; 1638 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 1639 }; 1640 1641 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 1642 const struct nlattr *nla, 1643 struct nft_expr_info *info) 1644 { 1645 const struct nft_expr_type *type; 1646 const struct nft_expr_ops *ops; 1647 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 1648 int err; 1649 1650 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy); 1651 if (err < 0) 1652 return err; 1653 1654 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]); 1655 if (IS_ERR(type)) 1656 return PTR_ERR(type); 1657 1658 if (tb[NFTA_EXPR_DATA]) { 1659 err = nla_parse_nested(info->tb, type->maxattr, 1660 tb[NFTA_EXPR_DATA], type->policy); 1661 if (err < 0) 1662 goto err1; 1663 } else 1664 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 1665 1666 if (type->select_ops != NULL) { 1667 ops = type->select_ops(ctx, 1668 (const struct nlattr * const *)info->tb); 1669 if (IS_ERR(ops)) { 1670 err = PTR_ERR(ops); 1671 goto err1; 1672 } 1673 } else 1674 ops = type->ops; 1675 1676 info->ops = ops; 1677 return 0; 1678 1679 err1: 1680 module_put(type->owner); 1681 return err; 1682 } 1683 1684 static int nf_tables_newexpr(const struct nft_ctx *ctx, 1685 const struct nft_expr_info *info, 1686 struct nft_expr *expr) 1687 { 1688 const struct nft_expr_ops *ops = info->ops; 1689 int err; 1690 1691 expr->ops = ops; 1692 if (ops->init) { 1693 err = ops->init(ctx, expr, (const struct nlattr **)info->tb); 1694 if (err < 0) 1695 goto err1; 1696 } 1697 1698 return 0; 1699 1700 err1: 1701 expr->ops = NULL; 1702 return err; 1703 } 1704 1705 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 1706 struct nft_expr *expr) 1707 { 1708 if (expr->ops->destroy) 1709 expr->ops->destroy(ctx, expr); 1710 module_put(expr->ops->type->owner); 1711 } 1712 1713 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 1714 const struct nlattr *nla) 1715 { 1716 struct nft_expr_info info; 1717 struct nft_expr *expr; 1718 int err; 1719 1720 err = nf_tables_expr_parse(ctx, nla, &info); 1721 if (err < 0) 1722 goto err1; 1723 1724 err = -ENOMEM; 1725 expr = kzalloc(info.ops->size, GFP_KERNEL); 1726 if (expr == NULL) 1727 goto err2; 1728 1729 err = nf_tables_newexpr(ctx, &info, expr); 1730 if (err < 0) 1731 goto err2; 1732 1733 return expr; 1734 err2: 1735 module_put(info.ops->type->owner); 1736 err1: 1737 return ERR_PTR(err); 1738 } 1739 1740 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 1741 { 1742 nf_tables_expr_destroy(ctx, expr); 1743 kfree(expr); 1744 } 1745 1746 /* 1747 * Rules 1748 */ 1749 1750 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain, 1751 u64 handle) 1752 { 1753 struct nft_rule *rule; 1754 1755 // FIXME: this sucks 1756 list_for_each_entry(rule, &chain->rules, list) { 1757 if (handle == rule->handle) 1758 return rule; 1759 } 1760 1761 return ERR_PTR(-ENOENT); 1762 } 1763 1764 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain, 1765 const struct nlattr *nla) 1766 { 1767 if (nla == NULL) 1768 return ERR_PTR(-EINVAL); 1769 1770 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 1771 } 1772 1773 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 1774 [NFTA_RULE_TABLE] = { .type = NLA_STRING }, 1775 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 1776 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1777 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 1778 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED }, 1779 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 1780 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 1781 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 1782 .len = NFT_USERDATA_MAXLEN }, 1783 }; 1784 1785 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 1786 u32 portid, u32 seq, int event, 1787 u32 flags, int family, 1788 const struct nft_table *table, 1789 const struct nft_chain *chain, 1790 const struct nft_rule *rule) 1791 { 1792 struct nlmsghdr *nlh; 1793 struct nfgenmsg *nfmsg; 1794 const struct nft_expr *expr, *next; 1795 struct nlattr *list; 1796 const struct nft_rule *prule; 1797 int type = event | NFNL_SUBSYS_NFTABLES << 8; 1798 1799 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), 1800 flags); 1801 if (nlh == NULL) 1802 goto nla_put_failure; 1803 1804 nfmsg = nlmsg_data(nlh); 1805 nfmsg->nfgen_family = family; 1806 nfmsg->version = NFNETLINK_V0; 1807 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 1808 1809 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 1810 goto nla_put_failure; 1811 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 1812 goto nla_put_failure; 1813 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle))) 1814 goto nla_put_failure; 1815 1816 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) { 1817 prule = list_entry(rule->list.prev, struct nft_rule, list); 1818 if (nla_put_be64(skb, NFTA_RULE_POSITION, 1819 cpu_to_be64(prule->handle))) 1820 goto nla_put_failure; 1821 } 1822 1823 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS); 1824 if (list == NULL) 1825 goto nla_put_failure; 1826 nft_rule_for_each_expr(expr, next, rule) { 1827 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 1828 goto nla_put_failure; 1829 } 1830 nla_nest_end(skb, list); 1831 1832 if (rule->udata) { 1833 struct nft_userdata *udata = nft_userdata(rule); 1834 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 1835 udata->data) < 0) 1836 goto nla_put_failure; 1837 } 1838 1839 nlmsg_end(skb, nlh); 1840 return 0; 1841 1842 nla_put_failure: 1843 nlmsg_trim(skb, nlh); 1844 return -1; 1845 } 1846 1847 static int nf_tables_rule_notify(const struct nft_ctx *ctx, 1848 const struct nft_rule *rule, 1849 int event) 1850 { 1851 struct sk_buff *skb; 1852 int err; 1853 1854 if (!ctx->report && 1855 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1856 return 0; 1857 1858 err = -ENOBUFS; 1859 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1860 if (skb == NULL) 1861 goto err; 1862 1863 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 1864 event, 0, ctx->afi->family, ctx->table, 1865 ctx->chain, rule); 1866 if (err < 0) { 1867 kfree_skb(skb); 1868 goto err; 1869 } 1870 1871 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 1872 ctx->report, GFP_KERNEL); 1873 err: 1874 if (err < 0) { 1875 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, 1876 err); 1877 } 1878 return err; 1879 } 1880 1881 static int nf_tables_dump_rules(struct sk_buff *skb, 1882 struct netlink_callback *cb) 1883 { 1884 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1885 const struct nft_af_info *afi; 1886 const struct nft_table *table; 1887 const struct nft_chain *chain; 1888 const struct nft_rule *rule; 1889 unsigned int idx = 0, s_idx = cb->args[0]; 1890 struct net *net = sock_net(skb->sk); 1891 int family = nfmsg->nfgen_family; 1892 1893 rcu_read_lock(); 1894 cb->seq = net->nft.base_seq; 1895 1896 list_for_each_entry_rcu(afi, &net->nft.af_info, list) { 1897 if (family != NFPROTO_UNSPEC && family != afi->family) 1898 continue; 1899 1900 list_for_each_entry_rcu(table, &afi->tables, list) { 1901 list_for_each_entry_rcu(chain, &table->chains, list) { 1902 list_for_each_entry_rcu(rule, &chain->rules, list) { 1903 if (!nft_rule_is_active(net, rule)) 1904 goto cont; 1905 if (idx < s_idx) 1906 goto cont; 1907 if (idx > s_idx) 1908 memset(&cb->args[1], 0, 1909 sizeof(cb->args) - sizeof(cb->args[0])); 1910 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 1911 cb->nlh->nlmsg_seq, 1912 NFT_MSG_NEWRULE, 1913 NLM_F_MULTI | NLM_F_APPEND, 1914 afi->family, table, chain, rule) < 0) 1915 goto done; 1916 1917 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1918 cont: 1919 idx++; 1920 } 1921 } 1922 } 1923 } 1924 done: 1925 rcu_read_unlock(); 1926 1927 cb->args[0] = idx; 1928 return skb->len; 1929 } 1930 1931 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb, 1932 const struct nlmsghdr *nlh, 1933 const struct nlattr * const nla[]) 1934 { 1935 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1936 const struct nft_af_info *afi; 1937 const struct nft_table *table; 1938 const struct nft_chain *chain; 1939 const struct nft_rule *rule; 1940 struct sk_buff *skb2; 1941 struct net *net = sock_net(skb->sk); 1942 int family = nfmsg->nfgen_family; 1943 int err; 1944 1945 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1946 struct netlink_dump_control c = { 1947 .dump = nf_tables_dump_rules, 1948 }; 1949 return netlink_dump_start(nlsk, skb, nlh, &c); 1950 } 1951 1952 afi = nf_tables_afinfo_lookup(net, family, false); 1953 if (IS_ERR(afi)) 1954 return PTR_ERR(afi); 1955 1956 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]); 1957 if (IS_ERR(table)) 1958 return PTR_ERR(table); 1959 if (table->flags & NFT_TABLE_INACTIVE) 1960 return -ENOENT; 1961 1962 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]); 1963 if (IS_ERR(chain)) 1964 return PTR_ERR(chain); 1965 if (chain->flags & NFT_CHAIN_INACTIVE) 1966 return -ENOENT; 1967 1968 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 1969 if (IS_ERR(rule)) 1970 return PTR_ERR(rule); 1971 1972 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); 1973 if (!skb2) 1974 return -ENOMEM; 1975 1976 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, 1977 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 1978 family, table, chain, rule); 1979 if (err < 0) 1980 goto err; 1981 1982 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 1983 1984 err: 1985 kfree_skb(skb2); 1986 return err; 1987 } 1988 1989 static void nf_tables_rule_destroy(const struct nft_ctx *ctx, 1990 struct nft_rule *rule) 1991 { 1992 struct nft_expr *expr; 1993 1994 /* 1995 * Careful: some expressions might not be initialized in case this 1996 * is called on error from nf_tables_newrule(). 1997 */ 1998 expr = nft_expr_first(rule); 1999 while (expr->ops && expr != nft_expr_last(rule)) { 2000 nf_tables_expr_destroy(ctx, expr); 2001 expr = nft_expr_next(expr); 2002 } 2003 kfree(rule); 2004 } 2005 2006 #define NFT_RULE_MAXEXPRS 128 2007 2008 static struct nft_expr_info *info; 2009 2010 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb, 2011 const struct nlmsghdr *nlh, 2012 const struct nlattr * const nla[]) 2013 { 2014 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2015 struct nft_af_info *afi; 2016 struct net *net = sock_net(skb->sk); 2017 struct nft_table *table; 2018 struct nft_chain *chain; 2019 struct nft_rule *rule, *old_rule = NULL; 2020 struct nft_userdata *udata; 2021 struct nft_trans *trans = NULL; 2022 struct nft_expr *expr; 2023 struct nft_ctx ctx; 2024 struct nlattr *tmp; 2025 unsigned int size, i, n, ulen = 0, usize = 0; 2026 int err, rem; 2027 bool create; 2028 u64 handle, pos_handle; 2029 2030 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false; 2031 2032 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create); 2033 if (IS_ERR(afi)) 2034 return PTR_ERR(afi); 2035 2036 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]); 2037 if (IS_ERR(table)) 2038 return PTR_ERR(table); 2039 2040 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]); 2041 if (IS_ERR(chain)) 2042 return PTR_ERR(chain); 2043 2044 if (nla[NFTA_RULE_HANDLE]) { 2045 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 2046 rule = __nf_tables_rule_lookup(chain, handle); 2047 if (IS_ERR(rule)) 2048 return PTR_ERR(rule); 2049 2050 if (nlh->nlmsg_flags & NLM_F_EXCL) 2051 return -EEXIST; 2052 if (nlh->nlmsg_flags & NLM_F_REPLACE) 2053 old_rule = rule; 2054 else 2055 return -EOPNOTSUPP; 2056 } else { 2057 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE) 2058 return -EINVAL; 2059 handle = nf_tables_alloc_handle(table); 2060 2061 if (chain->use == UINT_MAX) 2062 return -EOVERFLOW; 2063 } 2064 2065 if (nla[NFTA_RULE_POSITION]) { 2066 if (!(nlh->nlmsg_flags & NLM_F_CREATE)) 2067 return -EOPNOTSUPP; 2068 2069 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 2070 old_rule = __nf_tables_rule_lookup(chain, pos_handle); 2071 if (IS_ERR(old_rule)) 2072 return PTR_ERR(old_rule); 2073 } 2074 2075 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla); 2076 2077 n = 0; 2078 size = 0; 2079 if (nla[NFTA_RULE_EXPRESSIONS]) { 2080 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 2081 err = -EINVAL; 2082 if (nla_type(tmp) != NFTA_LIST_ELEM) 2083 goto err1; 2084 if (n == NFT_RULE_MAXEXPRS) 2085 goto err1; 2086 err = nf_tables_expr_parse(&ctx, tmp, &info[n]); 2087 if (err < 0) 2088 goto err1; 2089 size += info[n].ops->size; 2090 n++; 2091 } 2092 } 2093 /* Check for overflow of dlen field */ 2094 err = -EFBIG; 2095 if (size >= 1 << 12) 2096 goto err1; 2097 2098 if (nla[NFTA_RULE_USERDATA]) { 2099 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 2100 if (ulen > 0) 2101 usize = sizeof(struct nft_userdata) + ulen; 2102 } 2103 2104 err = -ENOMEM; 2105 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL); 2106 if (rule == NULL) 2107 goto err1; 2108 2109 nft_rule_activate_next(net, rule); 2110 2111 rule->handle = handle; 2112 rule->dlen = size; 2113 rule->udata = ulen ? 1 : 0; 2114 2115 if (ulen) { 2116 udata = nft_userdata(rule); 2117 udata->len = ulen - 1; 2118 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 2119 } 2120 2121 expr = nft_expr_first(rule); 2122 for (i = 0; i < n; i++) { 2123 err = nf_tables_newexpr(&ctx, &info[i], expr); 2124 if (err < 0) 2125 goto err2; 2126 info[i].ops = NULL; 2127 expr = nft_expr_next(expr); 2128 } 2129 2130 if (nlh->nlmsg_flags & NLM_F_REPLACE) { 2131 if (nft_rule_is_active_next(net, old_rule)) { 2132 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE, 2133 old_rule); 2134 if (trans == NULL) { 2135 err = -ENOMEM; 2136 goto err2; 2137 } 2138 nft_rule_deactivate_next(net, old_rule); 2139 chain->use--; 2140 list_add_tail_rcu(&rule->list, &old_rule->list); 2141 } else { 2142 err = -ENOENT; 2143 goto err2; 2144 } 2145 } else if (nlh->nlmsg_flags & NLM_F_APPEND) 2146 if (old_rule) 2147 list_add_rcu(&rule->list, &old_rule->list); 2148 else 2149 list_add_tail_rcu(&rule->list, &chain->rules); 2150 else { 2151 if (old_rule) 2152 list_add_tail_rcu(&rule->list, &old_rule->list); 2153 else 2154 list_add_rcu(&rule->list, &chain->rules); 2155 } 2156 2157 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) { 2158 err = -ENOMEM; 2159 goto err3; 2160 } 2161 chain->use++; 2162 return 0; 2163 2164 err3: 2165 list_del_rcu(&rule->list); 2166 err2: 2167 nf_tables_rule_destroy(&ctx, rule); 2168 err1: 2169 for (i = 0; i < n; i++) { 2170 if (info[i].ops != NULL) 2171 module_put(info[i].ops->type->owner); 2172 } 2173 return err; 2174 } 2175 2176 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb, 2177 const struct nlmsghdr *nlh, 2178 const struct nlattr * const nla[]) 2179 { 2180 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2181 struct nft_af_info *afi; 2182 struct net *net = sock_net(skb->sk); 2183 struct nft_table *table; 2184 struct nft_chain *chain = NULL; 2185 struct nft_rule *rule; 2186 int family = nfmsg->nfgen_family, err = 0; 2187 struct nft_ctx ctx; 2188 2189 afi = nf_tables_afinfo_lookup(net, family, false); 2190 if (IS_ERR(afi)) 2191 return PTR_ERR(afi); 2192 2193 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]); 2194 if (IS_ERR(table)) 2195 return PTR_ERR(table); 2196 if (table->flags & NFT_TABLE_INACTIVE) 2197 return -ENOENT; 2198 2199 if (nla[NFTA_RULE_CHAIN]) { 2200 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]); 2201 if (IS_ERR(chain)) 2202 return PTR_ERR(chain); 2203 } 2204 2205 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla); 2206 2207 if (chain) { 2208 if (nla[NFTA_RULE_HANDLE]) { 2209 rule = nf_tables_rule_lookup(chain, 2210 nla[NFTA_RULE_HANDLE]); 2211 if (IS_ERR(rule)) 2212 return PTR_ERR(rule); 2213 2214 err = nft_delrule(&ctx, rule); 2215 } else { 2216 err = nft_delrule_by_chain(&ctx); 2217 } 2218 } else { 2219 list_for_each_entry(chain, &table->chains, list) { 2220 ctx.chain = chain; 2221 err = nft_delrule_by_chain(&ctx); 2222 if (err < 0) 2223 break; 2224 } 2225 } 2226 2227 return err; 2228 } 2229 2230 /* 2231 * Sets 2232 */ 2233 2234 static LIST_HEAD(nf_tables_set_ops); 2235 2236 int nft_register_set(struct nft_set_ops *ops) 2237 { 2238 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2239 list_add_tail_rcu(&ops->list, &nf_tables_set_ops); 2240 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2241 return 0; 2242 } 2243 EXPORT_SYMBOL_GPL(nft_register_set); 2244 2245 void nft_unregister_set(struct nft_set_ops *ops) 2246 { 2247 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2248 list_del_rcu(&ops->list); 2249 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2250 } 2251 EXPORT_SYMBOL_GPL(nft_unregister_set); 2252 2253 /* 2254 * Select a set implementation based on the data characteristics and the 2255 * given policy. The total memory use might not be known if no size is 2256 * given, in that case the amount of memory per element is used. 2257 */ 2258 static const struct nft_set_ops * 2259 nft_select_set_ops(const struct nlattr * const nla[], 2260 const struct nft_set_desc *desc, 2261 enum nft_set_policies policy) 2262 { 2263 const struct nft_set_ops *ops, *bops; 2264 struct nft_set_estimate est, best; 2265 u32 features; 2266 2267 #ifdef CONFIG_MODULES 2268 if (list_empty(&nf_tables_set_ops)) { 2269 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2270 request_module("nft-set"); 2271 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2272 if (!list_empty(&nf_tables_set_ops)) 2273 return ERR_PTR(-EAGAIN); 2274 } 2275 #endif 2276 features = 0; 2277 if (nla[NFTA_SET_FLAGS] != NULL) { 2278 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 2279 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT; 2280 } 2281 2282 bops = NULL; 2283 best.size = ~0; 2284 best.class = ~0; 2285 2286 list_for_each_entry(ops, &nf_tables_set_ops, list) { 2287 if ((ops->features & features) != features) 2288 continue; 2289 if (!ops->estimate(desc, features, &est)) 2290 continue; 2291 2292 switch (policy) { 2293 case NFT_SET_POL_PERFORMANCE: 2294 if (est.class < best.class) 2295 break; 2296 if (est.class == best.class && est.size < best.size) 2297 break; 2298 continue; 2299 case NFT_SET_POL_MEMORY: 2300 if (est.size < best.size) 2301 break; 2302 if (est.size == best.size && est.class < best.class) 2303 break; 2304 continue; 2305 default: 2306 break; 2307 } 2308 2309 if (!try_module_get(ops->owner)) 2310 continue; 2311 if (bops != NULL) 2312 module_put(bops->owner); 2313 2314 bops = ops; 2315 best = est; 2316 } 2317 2318 if (bops != NULL) 2319 return bops; 2320 2321 return ERR_PTR(-EOPNOTSUPP); 2322 } 2323 2324 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 2325 [NFTA_SET_TABLE] = { .type = NLA_STRING }, 2326 [NFTA_SET_NAME] = { .type = NLA_STRING, 2327 .len = IFNAMSIZ - 1 }, 2328 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 2329 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 2330 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 2331 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 2332 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 2333 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 2334 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 2335 [NFTA_SET_ID] = { .type = NLA_U32 }, 2336 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 2337 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 2338 }; 2339 2340 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 2341 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 2342 }; 2343 2344 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, 2345 const struct sk_buff *skb, 2346 const struct nlmsghdr *nlh, 2347 const struct nlattr * const nla[]) 2348 { 2349 struct net *net = sock_net(skb->sk); 2350 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2351 struct nft_af_info *afi = NULL; 2352 struct nft_table *table = NULL; 2353 2354 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) { 2355 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false); 2356 if (IS_ERR(afi)) 2357 return PTR_ERR(afi); 2358 } 2359 2360 if (nla[NFTA_SET_TABLE] != NULL) { 2361 if (afi == NULL) 2362 return -EAFNOSUPPORT; 2363 2364 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]); 2365 if (IS_ERR(table)) 2366 return PTR_ERR(table); 2367 if (table->flags & NFT_TABLE_INACTIVE) 2368 return -ENOENT; 2369 } 2370 2371 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla); 2372 return 0; 2373 } 2374 2375 struct nft_set *nf_tables_set_lookup(const struct nft_table *table, 2376 const struct nlattr *nla) 2377 { 2378 struct nft_set *set; 2379 2380 if (nla == NULL) 2381 return ERR_PTR(-EINVAL); 2382 2383 list_for_each_entry(set, &table->sets, list) { 2384 if (!nla_strcmp(nla, set->name)) 2385 return set; 2386 } 2387 return ERR_PTR(-ENOENT); 2388 } 2389 2390 struct nft_set *nf_tables_set_lookup_byid(const struct net *net, 2391 const struct nlattr *nla) 2392 { 2393 struct nft_trans *trans; 2394 u32 id = ntohl(nla_get_be32(nla)); 2395 2396 list_for_each_entry(trans, &net->nft.commit_list, list) { 2397 if (trans->msg_type == NFT_MSG_NEWSET && 2398 id == nft_trans_set_id(trans)) 2399 return nft_trans_set(trans); 2400 } 2401 return ERR_PTR(-ENOENT); 2402 } 2403 2404 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 2405 const char *name) 2406 { 2407 const struct nft_set *i; 2408 const char *p; 2409 unsigned long *inuse; 2410 unsigned int n = 0, min = 0; 2411 2412 p = strnchr(name, IFNAMSIZ, '%'); 2413 if (p != NULL) { 2414 if (p[1] != 'd' || strchr(p + 2, '%')) 2415 return -EINVAL; 2416 2417 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 2418 if (inuse == NULL) 2419 return -ENOMEM; 2420 cont: 2421 list_for_each_entry(i, &ctx->table->sets, list) { 2422 int tmp; 2423 2424 if (!sscanf(i->name, name, &tmp)) 2425 continue; 2426 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 2427 continue; 2428 2429 set_bit(tmp - min, inuse); 2430 } 2431 2432 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 2433 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 2434 min += BITS_PER_BYTE * PAGE_SIZE; 2435 memset(inuse, 0, PAGE_SIZE); 2436 goto cont; 2437 } 2438 free_page((unsigned long)inuse); 2439 } 2440 2441 snprintf(set->name, sizeof(set->name), name, min + n); 2442 list_for_each_entry(i, &ctx->table->sets, list) { 2443 if (!strcmp(set->name, i->name)) 2444 return -ENFILE; 2445 } 2446 return 0; 2447 } 2448 2449 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 2450 const struct nft_set *set, u16 event, u16 flags) 2451 { 2452 struct nfgenmsg *nfmsg; 2453 struct nlmsghdr *nlh; 2454 struct nlattr *desc; 2455 u32 portid = ctx->portid; 2456 u32 seq = ctx->seq; 2457 2458 event |= NFNL_SUBSYS_NFTABLES << 8; 2459 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 2460 flags); 2461 if (nlh == NULL) 2462 goto nla_put_failure; 2463 2464 nfmsg = nlmsg_data(nlh); 2465 nfmsg->nfgen_family = ctx->afi->family; 2466 nfmsg->version = NFNETLINK_V0; 2467 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 2468 2469 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 2470 goto nla_put_failure; 2471 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 2472 goto nla_put_failure; 2473 if (set->flags != 0) 2474 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 2475 goto nla_put_failure; 2476 2477 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 2478 goto nla_put_failure; 2479 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 2480 goto nla_put_failure; 2481 if (set->flags & NFT_SET_MAP) { 2482 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 2483 goto nla_put_failure; 2484 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 2485 goto nla_put_failure; 2486 } 2487 2488 if (set->timeout && 2489 nla_put_be64(skb, NFTA_SET_TIMEOUT, cpu_to_be64(set->timeout))) 2490 goto nla_put_failure; 2491 if (set->gc_int && 2492 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int))) 2493 goto nla_put_failure; 2494 2495 if (set->policy != NFT_SET_POL_PERFORMANCE) { 2496 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 2497 goto nla_put_failure; 2498 } 2499 2500 desc = nla_nest_start(skb, NFTA_SET_DESC); 2501 if (desc == NULL) 2502 goto nla_put_failure; 2503 if (set->size && 2504 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 2505 goto nla_put_failure; 2506 nla_nest_end(skb, desc); 2507 2508 nlmsg_end(skb, nlh); 2509 return 0; 2510 2511 nla_put_failure: 2512 nlmsg_trim(skb, nlh); 2513 return -1; 2514 } 2515 2516 static int nf_tables_set_notify(const struct nft_ctx *ctx, 2517 const struct nft_set *set, 2518 int event, gfp_t gfp_flags) 2519 { 2520 struct sk_buff *skb; 2521 u32 portid = ctx->portid; 2522 int err; 2523 2524 if (!ctx->report && 2525 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 2526 return 0; 2527 2528 err = -ENOBUFS; 2529 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 2530 if (skb == NULL) 2531 goto err; 2532 2533 err = nf_tables_fill_set(skb, ctx, set, event, 0); 2534 if (err < 0) { 2535 kfree_skb(skb); 2536 goto err; 2537 } 2538 2539 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, 2540 ctx->report, gfp_flags); 2541 err: 2542 if (err < 0) 2543 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err); 2544 return err; 2545 } 2546 2547 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 2548 { 2549 const struct nft_set *set; 2550 unsigned int idx, s_idx = cb->args[0]; 2551 struct nft_af_info *afi; 2552 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 2553 struct net *net = sock_net(skb->sk); 2554 int cur_family = cb->args[3]; 2555 struct nft_ctx *ctx = cb->data, ctx_set; 2556 2557 if (cb->args[1]) 2558 return skb->len; 2559 2560 rcu_read_lock(); 2561 cb->seq = net->nft.base_seq; 2562 2563 list_for_each_entry_rcu(afi, &net->nft.af_info, list) { 2564 if (ctx->afi && ctx->afi != afi) 2565 continue; 2566 2567 if (cur_family) { 2568 if (afi->family != cur_family) 2569 continue; 2570 2571 cur_family = 0; 2572 } 2573 list_for_each_entry_rcu(table, &afi->tables, list) { 2574 if (ctx->table && ctx->table != table) 2575 continue; 2576 2577 if (cur_table) { 2578 if (cur_table != table) 2579 continue; 2580 2581 cur_table = NULL; 2582 } 2583 idx = 0; 2584 list_for_each_entry_rcu(set, &table->sets, list) { 2585 if (idx < s_idx) 2586 goto cont; 2587 2588 ctx_set = *ctx; 2589 ctx_set.table = table; 2590 ctx_set.afi = afi; 2591 if (nf_tables_fill_set(skb, &ctx_set, set, 2592 NFT_MSG_NEWSET, 2593 NLM_F_MULTI) < 0) { 2594 cb->args[0] = idx; 2595 cb->args[2] = (unsigned long) table; 2596 cb->args[3] = afi->family; 2597 goto done; 2598 } 2599 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 2600 cont: 2601 idx++; 2602 } 2603 if (s_idx) 2604 s_idx = 0; 2605 } 2606 } 2607 cb->args[1] = 1; 2608 done: 2609 rcu_read_unlock(); 2610 return skb->len; 2611 } 2612 2613 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 2614 { 2615 kfree(cb->data); 2616 return 0; 2617 } 2618 2619 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb, 2620 const struct nlmsghdr *nlh, 2621 const struct nlattr * const nla[]) 2622 { 2623 const struct nft_set *set; 2624 struct nft_ctx ctx; 2625 struct sk_buff *skb2; 2626 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2627 int err; 2628 2629 /* Verify existence before starting dump */ 2630 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla); 2631 if (err < 0) 2632 return err; 2633 2634 if (nlh->nlmsg_flags & NLM_F_DUMP) { 2635 struct netlink_dump_control c = { 2636 .dump = nf_tables_dump_sets, 2637 .done = nf_tables_dump_sets_done, 2638 }; 2639 struct nft_ctx *ctx_dump; 2640 2641 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL); 2642 if (ctx_dump == NULL) 2643 return -ENOMEM; 2644 2645 *ctx_dump = ctx; 2646 c.data = ctx_dump; 2647 2648 return netlink_dump_start(nlsk, skb, nlh, &c); 2649 } 2650 2651 /* Only accept unspec with dump */ 2652 if (nfmsg->nfgen_family == NFPROTO_UNSPEC) 2653 return -EAFNOSUPPORT; 2654 2655 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]); 2656 if (IS_ERR(set)) 2657 return PTR_ERR(set); 2658 if (set->flags & NFT_SET_INACTIVE) 2659 return -ENOENT; 2660 2661 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); 2662 if (skb2 == NULL) 2663 return -ENOMEM; 2664 2665 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 2666 if (err < 0) 2667 goto err; 2668 2669 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 2670 2671 err: 2672 kfree_skb(skb2); 2673 return err; 2674 } 2675 2676 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx, 2677 struct nft_set_desc *desc, 2678 const struct nlattr *nla) 2679 { 2680 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 2681 int err; 2682 2683 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy); 2684 if (err < 0) 2685 return err; 2686 2687 if (da[NFTA_SET_DESC_SIZE] != NULL) 2688 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 2689 2690 return 0; 2691 } 2692 2693 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb, 2694 const struct nlmsghdr *nlh, 2695 const struct nlattr * const nla[]) 2696 { 2697 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2698 const struct nft_set_ops *ops; 2699 struct nft_af_info *afi; 2700 struct net *net = sock_net(skb->sk); 2701 struct nft_table *table; 2702 struct nft_set *set; 2703 struct nft_ctx ctx; 2704 char name[IFNAMSIZ]; 2705 unsigned int size; 2706 bool create; 2707 u64 timeout; 2708 u32 ktype, dtype, flags, policy, gc_int; 2709 struct nft_set_desc desc; 2710 int err; 2711 2712 if (nla[NFTA_SET_TABLE] == NULL || 2713 nla[NFTA_SET_NAME] == NULL || 2714 nla[NFTA_SET_KEY_LEN] == NULL || 2715 nla[NFTA_SET_ID] == NULL) 2716 return -EINVAL; 2717 2718 memset(&desc, 0, sizeof(desc)); 2719 2720 ktype = NFT_DATA_VALUE; 2721 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 2722 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 2723 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 2724 return -EINVAL; 2725 } 2726 2727 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 2728 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 2729 return -EINVAL; 2730 2731 flags = 0; 2732 if (nla[NFTA_SET_FLAGS] != NULL) { 2733 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 2734 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 2735 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 2736 NFT_SET_MAP | NFT_SET_EVAL)) 2737 return -EINVAL; 2738 /* Only one of both operations is supported */ 2739 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) == 2740 (NFT_SET_MAP | NFT_SET_EVAL)) 2741 return -EOPNOTSUPP; 2742 } 2743 2744 dtype = 0; 2745 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 2746 if (!(flags & NFT_SET_MAP)) 2747 return -EINVAL; 2748 2749 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 2750 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 2751 dtype != NFT_DATA_VERDICT) 2752 return -EINVAL; 2753 2754 if (dtype != NFT_DATA_VERDICT) { 2755 if (nla[NFTA_SET_DATA_LEN] == NULL) 2756 return -EINVAL; 2757 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 2758 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 2759 return -EINVAL; 2760 } else 2761 desc.dlen = sizeof(struct nft_verdict); 2762 } else if (flags & NFT_SET_MAP) 2763 return -EINVAL; 2764 2765 timeout = 0; 2766 if (nla[NFTA_SET_TIMEOUT] != NULL) { 2767 if (!(flags & NFT_SET_TIMEOUT)) 2768 return -EINVAL; 2769 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_TIMEOUT])); 2770 } 2771 gc_int = 0; 2772 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 2773 if (!(flags & NFT_SET_TIMEOUT)) 2774 return -EINVAL; 2775 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 2776 } 2777 2778 policy = NFT_SET_POL_PERFORMANCE; 2779 if (nla[NFTA_SET_POLICY] != NULL) 2780 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 2781 2782 if (nla[NFTA_SET_DESC] != NULL) { 2783 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]); 2784 if (err < 0) 2785 return err; 2786 } 2787 2788 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false; 2789 2790 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create); 2791 if (IS_ERR(afi)) 2792 return PTR_ERR(afi); 2793 2794 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]); 2795 if (IS_ERR(table)) 2796 return PTR_ERR(table); 2797 2798 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla); 2799 2800 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]); 2801 if (IS_ERR(set)) { 2802 if (PTR_ERR(set) != -ENOENT) 2803 return PTR_ERR(set); 2804 set = NULL; 2805 } 2806 2807 if (set != NULL) { 2808 if (nlh->nlmsg_flags & NLM_F_EXCL) 2809 return -EEXIST; 2810 if (nlh->nlmsg_flags & NLM_F_REPLACE) 2811 return -EOPNOTSUPP; 2812 return 0; 2813 } 2814 2815 if (!(nlh->nlmsg_flags & NLM_F_CREATE)) 2816 return -ENOENT; 2817 2818 ops = nft_select_set_ops(nla, &desc, policy); 2819 if (IS_ERR(ops)) 2820 return PTR_ERR(ops); 2821 2822 size = 0; 2823 if (ops->privsize != NULL) 2824 size = ops->privsize(nla); 2825 2826 err = -ENOMEM; 2827 set = kzalloc(sizeof(*set) + size, GFP_KERNEL); 2828 if (set == NULL) 2829 goto err1; 2830 2831 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name)); 2832 err = nf_tables_set_alloc_name(&ctx, set, name); 2833 if (err < 0) 2834 goto err2; 2835 2836 INIT_LIST_HEAD(&set->bindings); 2837 write_pnet(&set->pnet, net); 2838 set->ops = ops; 2839 set->ktype = ktype; 2840 set->klen = desc.klen; 2841 set->dtype = dtype; 2842 set->dlen = desc.dlen; 2843 set->flags = flags; 2844 set->size = desc.size; 2845 set->policy = policy; 2846 set->timeout = timeout; 2847 set->gc_int = gc_int; 2848 2849 err = ops->init(set, &desc, nla); 2850 if (err < 0) 2851 goto err2; 2852 2853 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 2854 if (err < 0) 2855 goto err2; 2856 2857 list_add_tail_rcu(&set->list, &table->sets); 2858 table->use++; 2859 return 0; 2860 2861 err2: 2862 kfree(set); 2863 err1: 2864 module_put(ops->owner); 2865 return err; 2866 } 2867 2868 static void nft_set_destroy(struct nft_set *set) 2869 { 2870 set->ops->destroy(set); 2871 module_put(set->ops->owner); 2872 kfree(set); 2873 } 2874 2875 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 2876 { 2877 list_del_rcu(&set->list); 2878 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC); 2879 nft_set_destroy(set); 2880 } 2881 2882 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb, 2883 const struct nlmsghdr *nlh, 2884 const struct nlattr * const nla[]) 2885 { 2886 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2887 struct nft_set *set; 2888 struct nft_ctx ctx; 2889 int err; 2890 2891 if (nfmsg->nfgen_family == NFPROTO_UNSPEC) 2892 return -EAFNOSUPPORT; 2893 if (nla[NFTA_SET_TABLE] == NULL) 2894 return -EINVAL; 2895 2896 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla); 2897 if (err < 0) 2898 return err; 2899 2900 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]); 2901 if (IS_ERR(set)) 2902 return PTR_ERR(set); 2903 if (set->flags & NFT_SET_INACTIVE) 2904 return -ENOENT; 2905 if (!list_empty(&set->bindings)) 2906 return -EBUSY; 2907 2908 return nft_delset(&ctx, set); 2909 } 2910 2911 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 2912 const struct nft_set *set, 2913 const struct nft_set_iter *iter, 2914 const struct nft_set_elem *elem) 2915 { 2916 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 2917 enum nft_registers dreg; 2918 2919 dreg = nft_type_to_reg(set->dtype); 2920 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 2921 set->dtype == NFT_DATA_VERDICT ? 2922 NFT_DATA_VERDICT : NFT_DATA_VALUE, 2923 set->dlen); 2924 } 2925 2926 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 2927 struct nft_set_binding *binding) 2928 { 2929 struct nft_set_binding *i; 2930 struct nft_set_iter iter; 2931 2932 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS) 2933 return -EBUSY; 2934 2935 if (binding->flags & NFT_SET_MAP) { 2936 /* If the set is already bound to the same chain all 2937 * jumps are already validated for that chain. 2938 */ 2939 list_for_each_entry(i, &set->bindings, list) { 2940 if (binding->flags & NFT_SET_MAP && 2941 i->chain == binding->chain) 2942 goto bind; 2943 } 2944 2945 iter.skip = 0; 2946 iter.count = 0; 2947 iter.err = 0; 2948 iter.fn = nf_tables_bind_check_setelem; 2949 2950 set->ops->walk(ctx, set, &iter); 2951 if (iter.err < 0) { 2952 /* Destroy anonymous sets if binding fails */ 2953 if (set->flags & NFT_SET_ANONYMOUS) 2954 nf_tables_set_destroy(ctx, set); 2955 2956 return iter.err; 2957 } 2958 } 2959 bind: 2960 binding->chain = ctx->chain; 2961 list_add_tail_rcu(&binding->list, &set->bindings); 2962 return 0; 2963 } 2964 2965 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 2966 struct nft_set_binding *binding) 2967 { 2968 list_del_rcu(&binding->list); 2969 2970 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS && 2971 !(set->flags & NFT_SET_INACTIVE)) 2972 nf_tables_set_destroy(ctx, set); 2973 } 2974 2975 const struct nft_set_ext_type nft_set_ext_types[] = { 2976 [NFT_SET_EXT_KEY] = { 2977 .align = __alignof__(u32), 2978 }, 2979 [NFT_SET_EXT_DATA] = { 2980 .align = __alignof__(u32), 2981 }, 2982 [NFT_SET_EXT_EXPR] = { 2983 .align = __alignof__(struct nft_expr), 2984 }, 2985 [NFT_SET_EXT_FLAGS] = { 2986 .len = sizeof(u8), 2987 .align = __alignof__(u8), 2988 }, 2989 [NFT_SET_EXT_TIMEOUT] = { 2990 .len = sizeof(u64), 2991 .align = __alignof__(u64), 2992 }, 2993 [NFT_SET_EXT_EXPIRATION] = { 2994 .len = sizeof(unsigned long), 2995 .align = __alignof__(unsigned long), 2996 }, 2997 [NFT_SET_EXT_USERDATA] = { 2998 .len = sizeof(struct nft_userdata), 2999 .align = __alignof__(struct nft_userdata), 3000 }, 3001 }; 3002 EXPORT_SYMBOL_GPL(nft_set_ext_types); 3003 3004 /* 3005 * Set elements 3006 */ 3007 3008 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 3009 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 3010 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 3011 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 3012 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 3013 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 3014 .len = NFT_USERDATA_MAXLEN }, 3015 }; 3016 3017 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 3018 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING }, 3019 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING }, 3020 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED }, 3021 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 3022 }; 3023 3024 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, 3025 const struct sk_buff *skb, 3026 const struct nlmsghdr *nlh, 3027 const struct nlattr * const nla[], 3028 bool trans) 3029 { 3030 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3031 struct nft_af_info *afi; 3032 struct nft_table *table; 3033 struct net *net = sock_net(skb->sk); 3034 3035 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false); 3036 if (IS_ERR(afi)) 3037 return PTR_ERR(afi); 3038 3039 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]); 3040 if (IS_ERR(table)) 3041 return PTR_ERR(table); 3042 if (!trans && (table->flags & NFT_TABLE_INACTIVE)) 3043 return -ENOENT; 3044 3045 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla); 3046 return 0; 3047 } 3048 3049 static int nf_tables_fill_setelem(struct sk_buff *skb, 3050 const struct nft_set *set, 3051 const struct nft_set_elem *elem) 3052 { 3053 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 3054 unsigned char *b = skb_tail_pointer(skb); 3055 struct nlattr *nest; 3056 3057 nest = nla_nest_start(skb, NFTA_LIST_ELEM); 3058 if (nest == NULL) 3059 goto nla_put_failure; 3060 3061 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 3062 NFT_DATA_VALUE, set->klen) < 0) 3063 goto nla_put_failure; 3064 3065 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 3066 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 3067 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, 3068 set->dlen) < 0) 3069 goto nla_put_failure; 3070 3071 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) && 3072 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0) 3073 goto nla_put_failure; 3074 3075 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 3076 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 3077 htonl(*nft_set_ext_flags(ext)))) 3078 goto nla_put_failure; 3079 3080 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 3081 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 3082 cpu_to_be64(*nft_set_ext_timeout(ext)))) 3083 goto nla_put_failure; 3084 3085 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 3086 unsigned long expires, now = jiffies; 3087 3088 expires = *nft_set_ext_expiration(ext); 3089 if (time_before(now, expires)) 3090 expires -= now; 3091 else 3092 expires = 0; 3093 3094 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 3095 cpu_to_be64(jiffies_to_msecs(expires)))) 3096 goto nla_put_failure; 3097 } 3098 3099 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 3100 struct nft_userdata *udata; 3101 3102 udata = nft_set_ext_userdata(ext); 3103 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 3104 udata->len + 1, udata->data)) 3105 goto nla_put_failure; 3106 } 3107 3108 nla_nest_end(skb, nest); 3109 return 0; 3110 3111 nla_put_failure: 3112 nlmsg_trim(skb, b); 3113 return -EMSGSIZE; 3114 } 3115 3116 struct nft_set_dump_args { 3117 const struct netlink_callback *cb; 3118 struct nft_set_iter iter; 3119 struct sk_buff *skb; 3120 }; 3121 3122 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 3123 const struct nft_set *set, 3124 const struct nft_set_iter *iter, 3125 const struct nft_set_elem *elem) 3126 { 3127 struct nft_set_dump_args *args; 3128 3129 args = container_of(iter, struct nft_set_dump_args, iter); 3130 return nf_tables_fill_setelem(args->skb, set, elem); 3131 } 3132 3133 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 3134 { 3135 const struct nft_set *set; 3136 struct nft_set_dump_args args; 3137 struct nft_ctx ctx; 3138 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1]; 3139 struct nfgenmsg *nfmsg; 3140 struct nlmsghdr *nlh; 3141 struct nlattr *nest; 3142 u32 portid, seq; 3143 int event, err; 3144 3145 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla, 3146 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy); 3147 if (err < 0) 3148 return err; 3149 3150 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla, 3151 false); 3152 if (err < 0) 3153 return err; 3154 3155 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]); 3156 if (IS_ERR(set)) 3157 return PTR_ERR(set); 3158 if (set->flags & NFT_SET_INACTIVE) 3159 return -ENOENT; 3160 3161 event = NFT_MSG_NEWSETELEM; 3162 event |= NFNL_SUBSYS_NFTABLES << 8; 3163 portid = NETLINK_CB(cb->skb).portid; 3164 seq = cb->nlh->nlmsg_seq; 3165 3166 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 3167 NLM_F_MULTI); 3168 if (nlh == NULL) 3169 goto nla_put_failure; 3170 3171 nfmsg = nlmsg_data(nlh); 3172 nfmsg->nfgen_family = ctx.afi->family; 3173 nfmsg->version = NFNETLINK_V0; 3174 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff); 3175 3176 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name)) 3177 goto nla_put_failure; 3178 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 3179 goto nla_put_failure; 3180 3181 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 3182 if (nest == NULL) 3183 goto nla_put_failure; 3184 3185 args.cb = cb; 3186 args.skb = skb; 3187 args.iter.skip = cb->args[0]; 3188 args.iter.count = 0; 3189 args.iter.err = 0; 3190 args.iter.fn = nf_tables_dump_setelem; 3191 set->ops->walk(&ctx, set, &args.iter); 3192 3193 nla_nest_end(skb, nest); 3194 nlmsg_end(skb, nlh); 3195 3196 if (args.iter.err && args.iter.err != -EMSGSIZE) 3197 return args.iter.err; 3198 if (args.iter.count == cb->args[0]) 3199 return 0; 3200 3201 cb->args[0] = args.iter.count; 3202 return skb->len; 3203 3204 nla_put_failure: 3205 return -ENOSPC; 3206 } 3207 3208 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb, 3209 const struct nlmsghdr *nlh, 3210 const struct nlattr * const nla[]) 3211 { 3212 const struct nft_set *set; 3213 struct nft_ctx ctx; 3214 int err; 3215 3216 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false); 3217 if (err < 0) 3218 return err; 3219 3220 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]); 3221 if (IS_ERR(set)) 3222 return PTR_ERR(set); 3223 if (set->flags & NFT_SET_INACTIVE) 3224 return -ENOENT; 3225 3226 if (nlh->nlmsg_flags & NLM_F_DUMP) { 3227 struct netlink_dump_control c = { 3228 .dump = nf_tables_dump_set, 3229 }; 3230 return netlink_dump_start(nlsk, skb, nlh, &c); 3231 } 3232 return -EOPNOTSUPP; 3233 } 3234 3235 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 3236 const struct nft_ctx *ctx, u32 seq, 3237 u32 portid, int event, u16 flags, 3238 const struct nft_set *set, 3239 const struct nft_set_elem *elem) 3240 { 3241 struct nfgenmsg *nfmsg; 3242 struct nlmsghdr *nlh; 3243 struct nlattr *nest; 3244 int err; 3245 3246 event |= NFNL_SUBSYS_NFTABLES << 8; 3247 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 3248 flags); 3249 if (nlh == NULL) 3250 goto nla_put_failure; 3251 3252 nfmsg = nlmsg_data(nlh); 3253 nfmsg->nfgen_family = ctx->afi->family; 3254 nfmsg->version = NFNETLINK_V0; 3255 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 3256 3257 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 3258 goto nla_put_failure; 3259 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 3260 goto nla_put_failure; 3261 3262 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 3263 if (nest == NULL) 3264 goto nla_put_failure; 3265 3266 err = nf_tables_fill_setelem(skb, set, elem); 3267 if (err < 0) 3268 goto nla_put_failure; 3269 3270 nla_nest_end(skb, nest); 3271 3272 nlmsg_end(skb, nlh); 3273 return 0; 3274 3275 nla_put_failure: 3276 nlmsg_trim(skb, nlh); 3277 return -1; 3278 } 3279 3280 static int nf_tables_setelem_notify(const struct nft_ctx *ctx, 3281 const struct nft_set *set, 3282 const struct nft_set_elem *elem, 3283 int event, u16 flags) 3284 { 3285 struct net *net = ctx->net; 3286 u32 portid = ctx->portid; 3287 struct sk_buff *skb; 3288 int err; 3289 3290 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 3291 return 0; 3292 3293 err = -ENOBUFS; 3294 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 3295 if (skb == NULL) 3296 goto err; 3297 3298 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 3299 set, elem); 3300 if (err < 0) { 3301 kfree_skb(skb); 3302 goto err; 3303 } 3304 3305 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report, 3306 GFP_KERNEL); 3307 err: 3308 if (err < 0) 3309 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err); 3310 return err; 3311 } 3312 3313 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 3314 int msg_type, 3315 struct nft_set *set) 3316 { 3317 struct nft_trans *trans; 3318 3319 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 3320 if (trans == NULL) 3321 return NULL; 3322 3323 nft_trans_elem_set(trans) = set; 3324 return trans; 3325 } 3326 3327 void *nft_set_elem_init(const struct nft_set *set, 3328 const struct nft_set_ext_tmpl *tmpl, 3329 const u32 *key, const u32 *data, 3330 u64 timeout, gfp_t gfp) 3331 { 3332 struct nft_set_ext *ext; 3333 void *elem; 3334 3335 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 3336 if (elem == NULL) 3337 return NULL; 3338 3339 ext = nft_set_elem_ext(set, elem); 3340 nft_set_ext_init(ext, tmpl); 3341 3342 memcpy(nft_set_ext_key(ext), key, set->klen); 3343 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 3344 memcpy(nft_set_ext_data(ext), data, set->dlen); 3345 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) 3346 *nft_set_ext_expiration(ext) = 3347 jiffies + msecs_to_jiffies(timeout); 3348 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 3349 *nft_set_ext_timeout(ext) = timeout; 3350 3351 return elem; 3352 } 3353 3354 void nft_set_elem_destroy(const struct nft_set *set, void *elem) 3355 { 3356 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 3357 3358 nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE); 3359 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 3360 nft_data_uninit(nft_set_ext_data(ext), set->dtype); 3361 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) 3362 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext)); 3363 3364 kfree(elem); 3365 } 3366 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 3367 3368 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 3369 const struct nlattr *attr) 3370 { 3371 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 3372 struct nft_data_desc d1, d2; 3373 struct nft_set_ext_tmpl tmpl; 3374 struct nft_set_ext *ext; 3375 struct nft_set_elem elem; 3376 struct nft_set_binding *binding; 3377 struct nft_userdata *udata; 3378 struct nft_data data; 3379 enum nft_registers dreg; 3380 struct nft_trans *trans; 3381 u64 timeout; 3382 u32 flags; 3383 u8 ulen; 3384 int err; 3385 3386 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr, 3387 nft_set_elem_policy); 3388 if (err < 0) 3389 return err; 3390 3391 if (nla[NFTA_SET_ELEM_KEY] == NULL) 3392 return -EINVAL; 3393 3394 nft_set_ext_prepare(&tmpl); 3395 3396 flags = 0; 3397 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) { 3398 flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS])); 3399 if (flags & ~NFT_SET_ELEM_INTERVAL_END) 3400 return -EINVAL; 3401 if (!(set->flags & NFT_SET_INTERVAL) && 3402 flags & NFT_SET_ELEM_INTERVAL_END) 3403 return -EINVAL; 3404 if (flags != 0) 3405 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 3406 } 3407 3408 if (set->flags & NFT_SET_MAP) { 3409 if (nla[NFTA_SET_ELEM_DATA] == NULL && 3410 !(flags & NFT_SET_ELEM_INTERVAL_END)) 3411 return -EINVAL; 3412 if (nla[NFTA_SET_ELEM_DATA] != NULL && 3413 flags & NFT_SET_ELEM_INTERVAL_END) 3414 return -EINVAL; 3415 } else { 3416 if (nla[NFTA_SET_ELEM_DATA] != NULL) 3417 return -EINVAL; 3418 } 3419 3420 timeout = 0; 3421 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 3422 if (!(set->flags & NFT_SET_TIMEOUT)) 3423 return -EINVAL; 3424 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_ELEM_TIMEOUT])); 3425 } else if (set->flags & NFT_SET_TIMEOUT) { 3426 timeout = set->timeout; 3427 } 3428 3429 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1, 3430 nla[NFTA_SET_ELEM_KEY]); 3431 if (err < 0) 3432 goto err1; 3433 err = -EINVAL; 3434 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen) 3435 goto err2; 3436 3437 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len); 3438 if (timeout > 0) { 3439 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION); 3440 if (timeout != set->timeout) 3441 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 3442 } 3443 3444 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 3445 err = nft_data_init(ctx, &data, sizeof(data), &d2, 3446 nla[NFTA_SET_ELEM_DATA]); 3447 if (err < 0) 3448 goto err2; 3449 3450 err = -EINVAL; 3451 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen) 3452 goto err3; 3453 3454 dreg = nft_type_to_reg(set->dtype); 3455 list_for_each_entry(binding, &set->bindings, list) { 3456 struct nft_ctx bind_ctx = { 3457 .afi = ctx->afi, 3458 .table = ctx->table, 3459 .chain = (struct nft_chain *)binding->chain, 3460 }; 3461 3462 if (!(binding->flags & NFT_SET_MAP)) 3463 continue; 3464 3465 err = nft_validate_register_store(&bind_ctx, dreg, 3466 &data, 3467 d2.type, d2.len); 3468 if (err < 0) 3469 goto err3; 3470 } 3471 3472 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len); 3473 } 3474 3475 /* The full maximum length of userdata can exceed the maximum 3476 * offset value (U8_MAX) for following extensions, therefor it 3477 * must be the last extension added. 3478 */ 3479 ulen = 0; 3480 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 3481 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 3482 if (ulen > 0) 3483 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 3484 ulen); 3485 } 3486 3487 err = -ENOMEM; 3488 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data, 3489 timeout, GFP_KERNEL); 3490 if (elem.priv == NULL) 3491 goto err3; 3492 3493 ext = nft_set_elem_ext(set, elem.priv); 3494 if (flags) 3495 *nft_set_ext_flags(ext) = flags; 3496 if (ulen > 0) { 3497 udata = nft_set_ext_userdata(ext); 3498 udata->len = ulen - 1; 3499 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 3500 } 3501 3502 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 3503 if (trans == NULL) 3504 goto err4; 3505 3506 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; 3507 err = set->ops->insert(set, &elem); 3508 if (err < 0) 3509 goto err5; 3510 3511 nft_trans_elem(trans) = elem; 3512 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 3513 return 0; 3514 3515 err5: 3516 kfree(trans); 3517 err4: 3518 kfree(elem.priv); 3519 err3: 3520 if (nla[NFTA_SET_ELEM_DATA] != NULL) 3521 nft_data_uninit(&data, d2.type); 3522 err2: 3523 nft_data_uninit(&elem.key.val, d1.type); 3524 err1: 3525 return err; 3526 } 3527 3528 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb, 3529 const struct nlmsghdr *nlh, 3530 const struct nlattr * const nla[]) 3531 { 3532 struct net *net = sock_net(skb->sk); 3533 const struct nlattr *attr; 3534 struct nft_set *set; 3535 struct nft_ctx ctx; 3536 int rem, err = 0; 3537 3538 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 3539 return -EINVAL; 3540 3541 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true); 3542 if (err < 0) 3543 return err; 3544 3545 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]); 3546 if (IS_ERR(set)) { 3547 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) { 3548 set = nf_tables_set_lookup_byid(net, 3549 nla[NFTA_SET_ELEM_LIST_SET_ID]); 3550 } 3551 if (IS_ERR(set)) 3552 return PTR_ERR(set); 3553 } 3554 3555 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 3556 return -EBUSY; 3557 3558 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 3559 if (set->size && 3560 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) 3561 return -ENFILE; 3562 3563 err = nft_add_set_elem(&ctx, set, attr); 3564 if (err < 0) { 3565 atomic_dec(&set->nelems); 3566 break; 3567 } 3568 } 3569 return err; 3570 } 3571 3572 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 3573 const struct nlattr *attr) 3574 { 3575 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 3576 struct nft_data_desc desc; 3577 struct nft_set_elem elem; 3578 struct nft_trans *trans; 3579 int err; 3580 3581 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr, 3582 nft_set_elem_policy); 3583 if (err < 0) 3584 goto err1; 3585 3586 err = -EINVAL; 3587 if (nla[NFTA_SET_ELEM_KEY] == NULL) 3588 goto err1; 3589 3590 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc, 3591 nla[NFTA_SET_ELEM_KEY]); 3592 if (err < 0) 3593 goto err1; 3594 3595 err = -EINVAL; 3596 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) 3597 goto err2; 3598 3599 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 3600 if (trans == NULL) { 3601 err = -ENOMEM; 3602 goto err2; 3603 } 3604 3605 elem.priv = set->ops->deactivate(set, &elem); 3606 if (elem.priv == NULL) { 3607 err = -ENOENT; 3608 goto err3; 3609 } 3610 3611 nft_trans_elem(trans) = elem; 3612 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 3613 return 0; 3614 3615 err3: 3616 kfree(trans); 3617 err2: 3618 nft_data_uninit(&elem.key.val, desc.type); 3619 err1: 3620 return err; 3621 } 3622 3623 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb, 3624 const struct nlmsghdr *nlh, 3625 const struct nlattr * const nla[]) 3626 { 3627 const struct nlattr *attr; 3628 struct nft_set *set; 3629 struct nft_ctx ctx; 3630 int rem, err = 0; 3631 3632 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 3633 return -EINVAL; 3634 3635 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false); 3636 if (err < 0) 3637 return err; 3638 3639 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]); 3640 if (IS_ERR(set)) 3641 return PTR_ERR(set); 3642 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 3643 return -EBUSY; 3644 3645 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 3646 err = nft_del_setelem(&ctx, set, attr); 3647 if (err < 0) 3648 break; 3649 3650 set->ndeact++; 3651 } 3652 return err; 3653 } 3654 3655 void nft_set_gc_batch_release(struct rcu_head *rcu) 3656 { 3657 struct nft_set_gc_batch *gcb; 3658 unsigned int i; 3659 3660 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu); 3661 for (i = 0; i < gcb->head.cnt; i++) 3662 nft_set_elem_destroy(gcb->head.set, gcb->elems[i]); 3663 kfree(gcb); 3664 } 3665 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release); 3666 3667 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 3668 gfp_t gfp) 3669 { 3670 struct nft_set_gc_batch *gcb; 3671 3672 gcb = kzalloc(sizeof(*gcb), gfp); 3673 if (gcb == NULL) 3674 return gcb; 3675 gcb->head.set = set; 3676 return gcb; 3677 } 3678 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc); 3679 3680 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 3681 u32 portid, u32 seq) 3682 { 3683 struct nlmsghdr *nlh; 3684 struct nfgenmsg *nfmsg; 3685 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN; 3686 3687 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0); 3688 if (nlh == NULL) 3689 goto nla_put_failure; 3690 3691 nfmsg = nlmsg_data(nlh); 3692 nfmsg->nfgen_family = AF_UNSPEC; 3693 nfmsg->version = NFNETLINK_V0; 3694 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 3695 3696 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq))) 3697 goto nla_put_failure; 3698 3699 nlmsg_end(skb, nlh); 3700 return 0; 3701 3702 nla_put_failure: 3703 nlmsg_trim(skb, nlh); 3704 return -EMSGSIZE; 3705 } 3706 3707 static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event) 3708 { 3709 struct nlmsghdr *nlh = nlmsg_hdr(skb); 3710 struct sk_buff *skb2; 3711 int err; 3712 3713 if (nlmsg_report(nlh) && 3714 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 3715 return 0; 3716 3717 err = -ENOBUFS; 3718 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 3719 if (skb2 == NULL) 3720 goto err; 3721 3722 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 3723 nlh->nlmsg_seq); 3724 if (err < 0) { 3725 kfree_skb(skb2); 3726 goto err; 3727 } 3728 3729 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, 3730 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL); 3731 err: 3732 if (err < 0) { 3733 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 3734 err); 3735 } 3736 return err; 3737 } 3738 3739 static int nf_tables_getgen(struct sock *nlsk, struct sk_buff *skb, 3740 const struct nlmsghdr *nlh, 3741 const struct nlattr * const nla[]) 3742 { 3743 struct net *net = sock_net(skb->sk); 3744 struct sk_buff *skb2; 3745 int err; 3746 3747 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); 3748 if (skb2 == NULL) 3749 return -ENOMEM; 3750 3751 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 3752 nlh->nlmsg_seq); 3753 if (err < 0) 3754 goto err; 3755 3756 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 3757 err: 3758 kfree_skb(skb2); 3759 return err; 3760 } 3761 3762 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 3763 [NFT_MSG_NEWTABLE] = { 3764 .call_batch = nf_tables_newtable, 3765 .attr_count = NFTA_TABLE_MAX, 3766 .policy = nft_table_policy, 3767 }, 3768 [NFT_MSG_GETTABLE] = { 3769 .call = nf_tables_gettable, 3770 .attr_count = NFTA_TABLE_MAX, 3771 .policy = nft_table_policy, 3772 }, 3773 [NFT_MSG_DELTABLE] = { 3774 .call_batch = nf_tables_deltable, 3775 .attr_count = NFTA_TABLE_MAX, 3776 .policy = nft_table_policy, 3777 }, 3778 [NFT_MSG_NEWCHAIN] = { 3779 .call_batch = nf_tables_newchain, 3780 .attr_count = NFTA_CHAIN_MAX, 3781 .policy = nft_chain_policy, 3782 }, 3783 [NFT_MSG_GETCHAIN] = { 3784 .call = nf_tables_getchain, 3785 .attr_count = NFTA_CHAIN_MAX, 3786 .policy = nft_chain_policy, 3787 }, 3788 [NFT_MSG_DELCHAIN] = { 3789 .call_batch = nf_tables_delchain, 3790 .attr_count = NFTA_CHAIN_MAX, 3791 .policy = nft_chain_policy, 3792 }, 3793 [NFT_MSG_NEWRULE] = { 3794 .call_batch = nf_tables_newrule, 3795 .attr_count = NFTA_RULE_MAX, 3796 .policy = nft_rule_policy, 3797 }, 3798 [NFT_MSG_GETRULE] = { 3799 .call = nf_tables_getrule, 3800 .attr_count = NFTA_RULE_MAX, 3801 .policy = nft_rule_policy, 3802 }, 3803 [NFT_MSG_DELRULE] = { 3804 .call_batch = nf_tables_delrule, 3805 .attr_count = NFTA_RULE_MAX, 3806 .policy = nft_rule_policy, 3807 }, 3808 [NFT_MSG_NEWSET] = { 3809 .call_batch = nf_tables_newset, 3810 .attr_count = NFTA_SET_MAX, 3811 .policy = nft_set_policy, 3812 }, 3813 [NFT_MSG_GETSET] = { 3814 .call = nf_tables_getset, 3815 .attr_count = NFTA_SET_MAX, 3816 .policy = nft_set_policy, 3817 }, 3818 [NFT_MSG_DELSET] = { 3819 .call_batch = nf_tables_delset, 3820 .attr_count = NFTA_SET_MAX, 3821 .policy = nft_set_policy, 3822 }, 3823 [NFT_MSG_NEWSETELEM] = { 3824 .call_batch = nf_tables_newsetelem, 3825 .attr_count = NFTA_SET_ELEM_LIST_MAX, 3826 .policy = nft_set_elem_list_policy, 3827 }, 3828 [NFT_MSG_GETSETELEM] = { 3829 .call = nf_tables_getsetelem, 3830 .attr_count = NFTA_SET_ELEM_LIST_MAX, 3831 .policy = nft_set_elem_list_policy, 3832 }, 3833 [NFT_MSG_DELSETELEM] = { 3834 .call_batch = nf_tables_delsetelem, 3835 .attr_count = NFTA_SET_ELEM_LIST_MAX, 3836 .policy = nft_set_elem_list_policy, 3837 }, 3838 [NFT_MSG_GETGEN] = { 3839 .call = nf_tables_getgen, 3840 }, 3841 }; 3842 3843 static void nft_chain_commit_update(struct nft_trans *trans) 3844 { 3845 struct nft_base_chain *basechain; 3846 3847 if (nft_trans_chain_name(trans)[0]) 3848 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans)); 3849 3850 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN)) 3851 return; 3852 3853 basechain = nft_base_chain(trans->ctx.chain); 3854 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans)); 3855 3856 switch (nft_trans_chain_policy(trans)) { 3857 case NF_DROP: 3858 case NF_ACCEPT: 3859 basechain->policy = nft_trans_chain_policy(trans); 3860 break; 3861 } 3862 } 3863 3864 static void nf_tables_commit_release(struct nft_trans *trans) 3865 { 3866 switch (trans->msg_type) { 3867 case NFT_MSG_DELTABLE: 3868 nf_tables_table_destroy(&trans->ctx); 3869 break; 3870 case NFT_MSG_DELCHAIN: 3871 nf_tables_chain_destroy(trans->ctx.chain); 3872 break; 3873 case NFT_MSG_DELRULE: 3874 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 3875 break; 3876 case NFT_MSG_DELSET: 3877 nft_set_destroy(nft_trans_set(trans)); 3878 break; 3879 case NFT_MSG_DELSETELEM: 3880 nft_set_elem_destroy(nft_trans_elem_set(trans), 3881 nft_trans_elem(trans).priv); 3882 break; 3883 } 3884 kfree(trans); 3885 } 3886 3887 static int nf_tables_commit(struct sk_buff *skb) 3888 { 3889 struct net *net = sock_net(skb->sk); 3890 struct nft_trans *trans, *next; 3891 struct nft_trans_elem *te; 3892 3893 /* Bump generation counter, invalidate any dump in progress */ 3894 while (++net->nft.base_seq == 0); 3895 3896 /* A new generation has just started */ 3897 net->nft.gencursor = nft_gencursor_next(net); 3898 3899 /* Make sure all packets have left the previous generation before 3900 * purging old rules. 3901 */ 3902 synchronize_rcu(); 3903 3904 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 3905 switch (trans->msg_type) { 3906 case NFT_MSG_NEWTABLE: 3907 if (nft_trans_table_update(trans)) { 3908 if (!nft_trans_table_enable(trans)) { 3909 nf_tables_table_disable(trans->ctx.afi, 3910 trans->ctx.table); 3911 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 3912 } 3913 } else { 3914 trans->ctx.table->flags &= ~NFT_TABLE_INACTIVE; 3915 } 3916 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE); 3917 nft_trans_destroy(trans); 3918 break; 3919 case NFT_MSG_DELTABLE: 3920 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE); 3921 break; 3922 case NFT_MSG_NEWCHAIN: 3923 if (nft_trans_chain_update(trans)) 3924 nft_chain_commit_update(trans); 3925 else 3926 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE; 3927 3928 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 3929 nft_trans_destroy(trans); 3930 break; 3931 case NFT_MSG_DELCHAIN: 3932 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN); 3933 nf_tables_unregister_hooks(trans->ctx.table, 3934 trans->ctx.chain, 3935 trans->ctx.afi->nops); 3936 break; 3937 case NFT_MSG_NEWRULE: 3938 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans)); 3939 nf_tables_rule_notify(&trans->ctx, 3940 nft_trans_rule(trans), 3941 NFT_MSG_NEWRULE); 3942 nft_trans_destroy(trans); 3943 break; 3944 case NFT_MSG_DELRULE: 3945 list_del_rcu(&nft_trans_rule(trans)->list); 3946 nf_tables_rule_notify(&trans->ctx, 3947 nft_trans_rule(trans), 3948 NFT_MSG_DELRULE); 3949 break; 3950 case NFT_MSG_NEWSET: 3951 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE; 3952 /* This avoids hitting -EBUSY when deleting the table 3953 * from the transaction. 3954 */ 3955 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS && 3956 !list_empty(&nft_trans_set(trans)->bindings)) 3957 trans->ctx.table->use--; 3958 3959 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 3960 NFT_MSG_NEWSET, GFP_KERNEL); 3961 nft_trans_destroy(trans); 3962 break; 3963 case NFT_MSG_DELSET: 3964 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 3965 NFT_MSG_DELSET, GFP_KERNEL); 3966 break; 3967 case NFT_MSG_NEWSETELEM: 3968 te = (struct nft_trans_elem *)trans->data; 3969 3970 te->set->ops->activate(te->set, &te->elem); 3971 nf_tables_setelem_notify(&trans->ctx, te->set, 3972 &te->elem, 3973 NFT_MSG_NEWSETELEM, 0); 3974 nft_trans_destroy(trans); 3975 break; 3976 case NFT_MSG_DELSETELEM: 3977 te = (struct nft_trans_elem *)trans->data; 3978 3979 nf_tables_setelem_notify(&trans->ctx, te->set, 3980 &te->elem, 3981 NFT_MSG_DELSETELEM, 0); 3982 te->set->ops->remove(te->set, &te->elem); 3983 atomic_dec(&te->set->nelems); 3984 te->set->ndeact--; 3985 break; 3986 } 3987 } 3988 3989 synchronize_rcu(); 3990 3991 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 3992 list_del(&trans->list); 3993 nf_tables_commit_release(trans); 3994 } 3995 3996 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 3997 3998 return 0; 3999 } 4000 4001 static void nf_tables_abort_release(struct nft_trans *trans) 4002 { 4003 switch (trans->msg_type) { 4004 case NFT_MSG_NEWTABLE: 4005 nf_tables_table_destroy(&trans->ctx); 4006 break; 4007 case NFT_MSG_NEWCHAIN: 4008 nf_tables_chain_destroy(trans->ctx.chain); 4009 break; 4010 case NFT_MSG_NEWRULE: 4011 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 4012 break; 4013 case NFT_MSG_NEWSET: 4014 nft_set_destroy(nft_trans_set(trans)); 4015 break; 4016 case NFT_MSG_NEWSETELEM: 4017 nft_set_elem_destroy(nft_trans_elem_set(trans), 4018 nft_trans_elem(trans).priv); 4019 break; 4020 } 4021 kfree(trans); 4022 } 4023 4024 static int nf_tables_abort(struct sk_buff *skb) 4025 { 4026 struct net *net = sock_net(skb->sk); 4027 struct nft_trans *trans, *next; 4028 struct nft_trans_elem *te; 4029 4030 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 4031 switch (trans->msg_type) { 4032 case NFT_MSG_NEWTABLE: 4033 if (nft_trans_table_update(trans)) { 4034 if (nft_trans_table_enable(trans)) { 4035 nf_tables_table_disable(trans->ctx.afi, 4036 trans->ctx.table); 4037 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 4038 } 4039 nft_trans_destroy(trans); 4040 } else { 4041 list_del_rcu(&trans->ctx.table->list); 4042 } 4043 break; 4044 case NFT_MSG_DELTABLE: 4045 list_add_tail_rcu(&trans->ctx.table->list, 4046 &trans->ctx.afi->tables); 4047 nft_trans_destroy(trans); 4048 break; 4049 case NFT_MSG_NEWCHAIN: 4050 if (nft_trans_chain_update(trans)) { 4051 free_percpu(nft_trans_chain_stats(trans)); 4052 4053 nft_trans_destroy(trans); 4054 } else { 4055 trans->ctx.table->use--; 4056 list_del_rcu(&trans->ctx.chain->list); 4057 nf_tables_unregister_hooks(trans->ctx.table, 4058 trans->ctx.chain, 4059 trans->ctx.afi->nops); 4060 } 4061 break; 4062 case NFT_MSG_DELCHAIN: 4063 trans->ctx.table->use++; 4064 list_add_tail_rcu(&trans->ctx.chain->list, 4065 &trans->ctx.table->chains); 4066 nft_trans_destroy(trans); 4067 break; 4068 case NFT_MSG_NEWRULE: 4069 trans->ctx.chain->use--; 4070 list_del_rcu(&nft_trans_rule(trans)->list); 4071 break; 4072 case NFT_MSG_DELRULE: 4073 trans->ctx.chain->use++; 4074 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans)); 4075 nft_trans_destroy(trans); 4076 break; 4077 case NFT_MSG_NEWSET: 4078 trans->ctx.table->use--; 4079 list_del_rcu(&nft_trans_set(trans)->list); 4080 break; 4081 case NFT_MSG_DELSET: 4082 trans->ctx.table->use++; 4083 list_add_tail_rcu(&nft_trans_set(trans)->list, 4084 &trans->ctx.table->sets); 4085 nft_trans_destroy(trans); 4086 break; 4087 case NFT_MSG_NEWSETELEM: 4088 te = (struct nft_trans_elem *)trans->data; 4089 4090 te->set->ops->remove(te->set, &te->elem); 4091 atomic_dec(&te->set->nelems); 4092 break; 4093 case NFT_MSG_DELSETELEM: 4094 te = (struct nft_trans_elem *)trans->data; 4095 4096 te->set->ops->activate(te->set, &te->elem); 4097 te->set->ndeact--; 4098 4099 nft_trans_destroy(trans); 4100 break; 4101 } 4102 } 4103 4104 synchronize_rcu(); 4105 4106 list_for_each_entry_safe_reverse(trans, next, 4107 &net->nft.commit_list, list) { 4108 list_del(&trans->list); 4109 nf_tables_abort_release(trans); 4110 } 4111 4112 return 0; 4113 } 4114 4115 static const struct nfnetlink_subsystem nf_tables_subsys = { 4116 .name = "nf_tables", 4117 .subsys_id = NFNL_SUBSYS_NFTABLES, 4118 .cb_count = NFT_MSG_MAX, 4119 .cb = nf_tables_cb, 4120 .commit = nf_tables_commit, 4121 .abort = nf_tables_abort, 4122 }; 4123 4124 int nft_chain_validate_dependency(const struct nft_chain *chain, 4125 enum nft_chain_type type) 4126 { 4127 const struct nft_base_chain *basechain; 4128 4129 if (chain->flags & NFT_BASE_CHAIN) { 4130 basechain = nft_base_chain(chain); 4131 if (basechain->type->type != type) 4132 return -EOPNOTSUPP; 4133 } 4134 return 0; 4135 } 4136 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 4137 4138 int nft_chain_validate_hooks(const struct nft_chain *chain, 4139 unsigned int hook_flags) 4140 { 4141 struct nft_base_chain *basechain; 4142 4143 if (chain->flags & NFT_BASE_CHAIN) { 4144 basechain = nft_base_chain(chain); 4145 4146 if ((1 << basechain->ops[0].hooknum) & hook_flags) 4147 return 0; 4148 4149 return -EOPNOTSUPP; 4150 } 4151 4152 return 0; 4153 } 4154 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 4155 4156 /* 4157 * Loop detection - walk through the ruleset beginning at the destination chain 4158 * of a new jump until either the source chain is reached (loop) or all 4159 * reachable chains have been traversed. 4160 * 4161 * The loop check is performed whenever a new jump verdict is added to an 4162 * expression or verdict map or a verdict map is bound to a new chain. 4163 */ 4164 4165 static int nf_tables_check_loops(const struct nft_ctx *ctx, 4166 const struct nft_chain *chain); 4167 4168 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, 4169 const struct nft_set *set, 4170 const struct nft_set_iter *iter, 4171 const struct nft_set_elem *elem) 4172 { 4173 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4174 const struct nft_data *data; 4175 4176 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 4177 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 4178 return 0; 4179 4180 data = nft_set_ext_data(ext); 4181 switch (data->verdict.code) { 4182 case NFT_JUMP: 4183 case NFT_GOTO: 4184 return nf_tables_check_loops(ctx, data->verdict.chain); 4185 default: 4186 return 0; 4187 } 4188 } 4189 4190 static int nf_tables_check_loops(const struct nft_ctx *ctx, 4191 const struct nft_chain *chain) 4192 { 4193 const struct nft_rule *rule; 4194 const struct nft_expr *expr, *last; 4195 const struct nft_set *set; 4196 struct nft_set_binding *binding; 4197 struct nft_set_iter iter; 4198 4199 if (ctx->chain == chain) 4200 return -ELOOP; 4201 4202 list_for_each_entry(rule, &chain->rules, list) { 4203 nft_rule_for_each_expr(expr, last, rule) { 4204 const struct nft_data *data = NULL; 4205 int err; 4206 4207 if (!expr->ops->validate) 4208 continue; 4209 4210 err = expr->ops->validate(ctx, expr, &data); 4211 if (err < 0) 4212 return err; 4213 4214 if (data == NULL) 4215 continue; 4216 4217 switch (data->verdict.code) { 4218 case NFT_JUMP: 4219 case NFT_GOTO: 4220 err = nf_tables_check_loops(ctx, 4221 data->verdict.chain); 4222 if (err < 0) 4223 return err; 4224 default: 4225 break; 4226 } 4227 } 4228 } 4229 4230 list_for_each_entry(set, &ctx->table->sets, list) { 4231 if (!(set->flags & NFT_SET_MAP) || 4232 set->dtype != NFT_DATA_VERDICT) 4233 continue; 4234 4235 list_for_each_entry(binding, &set->bindings, list) { 4236 if (!(binding->flags & NFT_SET_MAP) || 4237 binding->chain != chain) 4238 continue; 4239 4240 iter.skip = 0; 4241 iter.count = 0; 4242 iter.err = 0; 4243 iter.fn = nf_tables_loop_check_setelem; 4244 4245 set->ops->walk(ctx, set, &iter); 4246 if (iter.err < 0) 4247 return iter.err; 4248 } 4249 } 4250 4251 return 0; 4252 } 4253 4254 /** 4255 * nft_parse_register - parse a register value from a netlink attribute 4256 * 4257 * @attr: netlink attribute 4258 * 4259 * Parse and translate a register value from a netlink attribute. 4260 * Registers used to be 128 bit wide, these register numbers will be 4261 * mapped to the corresponding 32 bit register numbers. 4262 */ 4263 unsigned int nft_parse_register(const struct nlattr *attr) 4264 { 4265 unsigned int reg; 4266 4267 reg = ntohl(nla_get_be32(attr)); 4268 switch (reg) { 4269 case NFT_REG_VERDICT...NFT_REG_4: 4270 return reg * NFT_REG_SIZE / NFT_REG32_SIZE; 4271 default: 4272 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 4273 } 4274 } 4275 EXPORT_SYMBOL_GPL(nft_parse_register); 4276 4277 /** 4278 * nft_dump_register - dump a register value to a netlink attribute 4279 * 4280 * @skb: socket buffer 4281 * @attr: attribute number 4282 * @reg: register number 4283 * 4284 * Construct a netlink attribute containing the register number. For 4285 * compatibility reasons, register numbers being a multiple of 4 are 4286 * translated to the corresponding 128 bit register numbers. 4287 */ 4288 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 4289 { 4290 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 4291 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 4292 else 4293 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 4294 4295 return nla_put_be32(skb, attr, htonl(reg)); 4296 } 4297 EXPORT_SYMBOL_GPL(nft_dump_register); 4298 4299 /** 4300 * nft_validate_register_load - validate a load from a register 4301 * 4302 * @reg: the register number 4303 * @len: the length of the data 4304 * 4305 * Validate that the input register is one of the general purpose 4306 * registers and that the length of the load is within the bounds. 4307 */ 4308 int nft_validate_register_load(enum nft_registers reg, unsigned int len) 4309 { 4310 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 4311 return -EINVAL; 4312 if (len == 0) 4313 return -EINVAL; 4314 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data)) 4315 return -ERANGE; 4316 4317 return 0; 4318 } 4319 EXPORT_SYMBOL_GPL(nft_validate_register_load); 4320 4321 /** 4322 * nft_validate_register_store - validate an expressions' register store 4323 * 4324 * @ctx: context of the expression performing the load 4325 * @reg: the destination register number 4326 * @data: the data to load 4327 * @type: the data type 4328 * @len: the length of the data 4329 * 4330 * Validate that a data load uses the appropriate data type for 4331 * the destination register and the length is within the bounds. 4332 * A value of NULL for the data means that its runtime gathered 4333 * data. 4334 */ 4335 int nft_validate_register_store(const struct nft_ctx *ctx, 4336 enum nft_registers reg, 4337 const struct nft_data *data, 4338 enum nft_data_types type, unsigned int len) 4339 { 4340 int err; 4341 4342 switch (reg) { 4343 case NFT_REG_VERDICT: 4344 if (type != NFT_DATA_VERDICT) 4345 return -EINVAL; 4346 4347 if (data != NULL && 4348 (data->verdict.code == NFT_GOTO || 4349 data->verdict.code == NFT_JUMP)) { 4350 err = nf_tables_check_loops(ctx, data->verdict.chain); 4351 if (err < 0) 4352 return err; 4353 4354 if (ctx->chain->level + 1 > 4355 data->verdict.chain->level) { 4356 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE) 4357 return -EMLINK; 4358 data->verdict.chain->level = ctx->chain->level + 1; 4359 } 4360 } 4361 4362 return 0; 4363 default: 4364 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 4365 return -EINVAL; 4366 if (len == 0) 4367 return -EINVAL; 4368 if (reg * NFT_REG32_SIZE + len > 4369 FIELD_SIZEOF(struct nft_regs, data)) 4370 return -ERANGE; 4371 4372 if (data != NULL && type != NFT_DATA_VALUE) 4373 return -EINVAL; 4374 return 0; 4375 } 4376 } 4377 EXPORT_SYMBOL_GPL(nft_validate_register_store); 4378 4379 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 4380 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 4381 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 4382 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 4383 }; 4384 4385 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 4386 struct nft_data_desc *desc, const struct nlattr *nla) 4387 { 4388 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 4389 struct nft_chain *chain; 4390 int err; 4391 4392 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy); 4393 if (err < 0) 4394 return err; 4395 4396 if (!tb[NFTA_VERDICT_CODE]) 4397 return -EINVAL; 4398 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 4399 4400 switch (data->verdict.code) { 4401 default: 4402 switch (data->verdict.code & NF_VERDICT_MASK) { 4403 case NF_ACCEPT: 4404 case NF_DROP: 4405 case NF_QUEUE: 4406 break; 4407 default: 4408 return -EINVAL; 4409 } 4410 /* fall through */ 4411 case NFT_CONTINUE: 4412 case NFT_BREAK: 4413 case NFT_RETURN: 4414 break; 4415 case NFT_JUMP: 4416 case NFT_GOTO: 4417 if (!tb[NFTA_VERDICT_CHAIN]) 4418 return -EINVAL; 4419 chain = nf_tables_chain_lookup(ctx->table, 4420 tb[NFTA_VERDICT_CHAIN]); 4421 if (IS_ERR(chain)) 4422 return PTR_ERR(chain); 4423 if (chain->flags & NFT_BASE_CHAIN) 4424 return -EOPNOTSUPP; 4425 4426 chain->use++; 4427 data->verdict.chain = chain; 4428 break; 4429 } 4430 4431 desc->len = sizeof(data->verdict); 4432 desc->type = NFT_DATA_VERDICT; 4433 return 0; 4434 } 4435 4436 static void nft_verdict_uninit(const struct nft_data *data) 4437 { 4438 switch (data->verdict.code) { 4439 case NFT_JUMP: 4440 case NFT_GOTO: 4441 data->verdict.chain->use--; 4442 break; 4443 } 4444 } 4445 4446 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data) 4447 { 4448 struct nlattr *nest; 4449 4450 nest = nla_nest_start(skb, NFTA_DATA_VERDICT); 4451 if (!nest) 4452 goto nla_put_failure; 4453 4454 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict.code))) 4455 goto nla_put_failure; 4456 4457 switch (data->verdict.code) { 4458 case NFT_JUMP: 4459 case NFT_GOTO: 4460 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 4461 data->verdict.chain->name)) 4462 goto nla_put_failure; 4463 } 4464 nla_nest_end(skb, nest); 4465 return 0; 4466 4467 nla_put_failure: 4468 return -1; 4469 } 4470 4471 static int nft_value_init(const struct nft_ctx *ctx, 4472 struct nft_data *data, unsigned int size, 4473 struct nft_data_desc *desc, const struct nlattr *nla) 4474 { 4475 unsigned int len; 4476 4477 len = nla_len(nla); 4478 if (len == 0) 4479 return -EINVAL; 4480 if (len > size) 4481 return -EOVERFLOW; 4482 4483 nla_memcpy(data->data, nla, len); 4484 desc->type = NFT_DATA_VALUE; 4485 desc->len = len; 4486 return 0; 4487 } 4488 4489 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 4490 unsigned int len) 4491 { 4492 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 4493 } 4494 4495 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 4496 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 4497 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 4498 }; 4499 4500 /** 4501 * nft_data_init - parse nf_tables data netlink attributes 4502 * 4503 * @ctx: context of the expression using the data 4504 * @data: destination struct nft_data 4505 * @size: maximum data length 4506 * @desc: data description 4507 * @nla: netlink attribute containing data 4508 * 4509 * Parse the netlink data attributes and initialize a struct nft_data. 4510 * The type and length of data are returned in the data description. 4511 * 4512 * The caller can indicate that it only wants to accept data of type 4513 * NFT_DATA_VALUE by passing NULL for the ctx argument. 4514 */ 4515 int nft_data_init(const struct nft_ctx *ctx, 4516 struct nft_data *data, unsigned int size, 4517 struct nft_data_desc *desc, const struct nlattr *nla) 4518 { 4519 struct nlattr *tb[NFTA_DATA_MAX + 1]; 4520 int err; 4521 4522 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy); 4523 if (err < 0) 4524 return err; 4525 4526 if (tb[NFTA_DATA_VALUE]) 4527 return nft_value_init(ctx, data, size, desc, 4528 tb[NFTA_DATA_VALUE]); 4529 if (tb[NFTA_DATA_VERDICT] && ctx != NULL) 4530 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 4531 return -EINVAL; 4532 } 4533 EXPORT_SYMBOL_GPL(nft_data_init); 4534 4535 /** 4536 * nft_data_uninit - release a nft_data item 4537 * 4538 * @data: struct nft_data to release 4539 * @type: type of data 4540 * 4541 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 4542 * all others need to be released by calling this function. 4543 */ 4544 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type) 4545 { 4546 if (type < NFT_DATA_VERDICT) 4547 return; 4548 switch (type) { 4549 case NFT_DATA_VERDICT: 4550 return nft_verdict_uninit(data); 4551 default: 4552 WARN_ON(1); 4553 } 4554 } 4555 EXPORT_SYMBOL_GPL(nft_data_uninit); 4556 4557 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 4558 enum nft_data_types type, unsigned int len) 4559 { 4560 struct nlattr *nest; 4561 int err; 4562 4563 nest = nla_nest_start(skb, attr); 4564 if (nest == NULL) 4565 return -1; 4566 4567 switch (type) { 4568 case NFT_DATA_VALUE: 4569 err = nft_value_dump(skb, data, len); 4570 break; 4571 case NFT_DATA_VERDICT: 4572 err = nft_verdict_dump(skb, data); 4573 break; 4574 default: 4575 err = -EINVAL; 4576 WARN_ON(1); 4577 } 4578 4579 nla_nest_end(skb, nest); 4580 return err; 4581 } 4582 EXPORT_SYMBOL_GPL(nft_data_dump); 4583 4584 static int nf_tables_init_net(struct net *net) 4585 { 4586 INIT_LIST_HEAD(&net->nft.af_info); 4587 INIT_LIST_HEAD(&net->nft.commit_list); 4588 net->nft.base_seq = 1; 4589 return 0; 4590 } 4591 4592 static struct pernet_operations nf_tables_net_ops = { 4593 .init = nf_tables_init_net, 4594 }; 4595 4596 static int __init nf_tables_module_init(void) 4597 { 4598 int err; 4599 4600 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS, 4601 GFP_KERNEL); 4602 if (info == NULL) { 4603 err = -ENOMEM; 4604 goto err1; 4605 } 4606 4607 err = nf_tables_core_module_init(); 4608 if (err < 0) 4609 goto err2; 4610 4611 err = nfnetlink_subsys_register(&nf_tables_subsys); 4612 if (err < 0) 4613 goto err3; 4614 4615 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n"); 4616 return register_pernet_subsys(&nf_tables_net_ops); 4617 err3: 4618 nf_tables_core_module_exit(); 4619 err2: 4620 kfree(info); 4621 err1: 4622 return err; 4623 } 4624 4625 static void __exit nf_tables_module_exit(void) 4626 { 4627 unregister_pernet_subsys(&nf_tables_net_ops); 4628 nfnetlink_subsys_unregister(&nf_tables_subsys); 4629 rcu_barrier(); 4630 nf_tables_core_module_exit(); 4631 kfree(info); 4632 } 4633 4634 module_init(nf_tables_module_init); 4635 module_exit(nf_tables_module_exit); 4636 4637 MODULE_LICENSE("GPL"); 4638 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 4639 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 4640