1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/skbuff.h> 12 #include <linux/netlink.h> 13 #include <linux/vmalloc.h> 14 #include <linux/rhashtable.h> 15 #include <linux/audit.h> 16 #include <linux/netfilter.h> 17 #include <linux/netfilter/nfnetlink.h> 18 #include <linux/netfilter/nf_tables.h> 19 #include <net/netfilter/nf_flow_table.h> 20 #include <net/netfilter/nf_tables_core.h> 21 #include <net/netfilter/nf_tables.h> 22 #include <net/netfilter/nf_tables_offload.h> 23 #include <net/net_namespace.h> 24 #include <net/sock.h> 25 26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 27 28 unsigned int nf_tables_net_id __read_mostly; 29 30 static LIST_HEAD(nf_tables_expressions); 31 static LIST_HEAD(nf_tables_objects); 32 static LIST_HEAD(nf_tables_flowtables); 33 static LIST_HEAD(nf_tables_destroy_list); 34 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 35 static u64 table_handle; 36 37 enum { 38 NFT_VALIDATE_SKIP = 0, 39 NFT_VALIDATE_NEED, 40 NFT_VALIDATE_DO, 41 }; 42 43 static struct rhltable nft_objname_ht; 44 45 static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 46 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 47 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 48 49 static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 50 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 51 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 52 53 static const struct rhashtable_params nft_chain_ht_params = { 54 .head_offset = offsetof(struct nft_chain, rhlhead), 55 .key_offset = offsetof(struct nft_chain, name), 56 .hashfn = nft_chain_hash, 57 .obj_hashfn = nft_chain_hash_obj, 58 .obj_cmpfn = nft_chain_hash_cmp, 59 .automatic_shrinking = true, 60 }; 61 62 static const struct rhashtable_params nft_objname_ht_params = { 63 .head_offset = offsetof(struct nft_object, rhlhead), 64 .key_offset = offsetof(struct nft_object, key), 65 .hashfn = nft_objname_hash, 66 .obj_hashfn = nft_objname_hash_obj, 67 .obj_cmpfn = nft_objname_hash_cmp, 68 .automatic_shrinking = true, 69 }; 70 71 struct nft_audit_data { 72 struct nft_table *table; 73 int entries; 74 int op; 75 struct list_head list; 76 }; 77 78 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types 79 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER, 80 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID, 81 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER, 82 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER, 83 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID, 84 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER, 85 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER, 86 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID, 87 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER, 88 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER, 89 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID, 90 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER, 91 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER, 92 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID, 93 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER, 94 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER, 95 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID, 96 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID, 97 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER, 98 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID, 99 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER, 100 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET, 101 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER, 102 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID, 103 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 104 }; 105 106 static void nft_validate_state_update(struct net *net, u8 new_validate_state) 107 { 108 struct nftables_pernet *nft_net = nft_pernet(net); 109 110 switch (nft_net->validate_state) { 111 case NFT_VALIDATE_SKIP: 112 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 113 break; 114 case NFT_VALIDATE_NEED: 115 break; 116 case NFT_VALIDATE_DO: 117 if (new_validate_state == NFT_VALIDATE_NEED) 118 return; 119 } 120 121 nft_net->validate_state = new_validate_state; 122 } 123 static void nf_tables_trans_destroy_work(struct work_struct *w); 124 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); 125 126 static void nft_ctx_init(struct nft_ctx *ctx, 127 struct net *net, 128 const struct sk_buff *skb, 129 const struct nlmsghdr *nlh, 130 u8 family, 131 struct nft_table *table, 132 struct nft_chain *chain, 133 const struct nlattr * const *nla) 134 { 135 ctx->net = net; 136 ctx->family = family; 137 ctx->level = 0; 138 ctx->table = table; 139 ctx->chain = chain; 140 ctx->nla = nla; 141 ctx->portid = NETLINK_CB(skb).portid; 142 ctx->report = nlmsg_report(nlh); 143 ctx->flags = nlh->nlmsg_flags; 144 ctx->seq = nlh->nlmsg_seq; 145 } 146 147 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 148 int msg_type, u32 size, gfp_t gfp) 149 { 150 struct nft_trans *trans; 151 152 trans = kzalloc(sizeof(struct nft_trans) + size, gfp); 153 if (trans == NULL) 154 return NULL; 155 156 trans->msg_type = msg_type; 157 trans->ctx = *ctx; 158 159 return trans; 160 } 161 162 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 163 int msg_type, u32 size) 164 { 165 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 166 } 167 168 static void nft_trans_destroy(struct nft_trans *trans) 169 { 170 list_del(&trans->list); 171 kfree(trans); 172 } 173 174 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 175 { 176 struct nftables_pernet *nft_net; 177 struct net *net = ctx->net; 178 struct nft_trans *trans; 179 180 if (!nft_set_is_anonymous(set)) 181 return; 182 183 nft_net = nft_pernet(net); 184 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 185 switch (trans->msg_type) { 186 case NFT_MSG_NEWSET: 187 if (nft_trans_set(trans) == set) 188 nft_trans_set_bound(trans) = true; 189 break; 190 case NFT_MSG_NEWSETELEM: 191 if (nft_trans_elem_set(trans) == set) 192 nft_trans_elem_set_bound(trans) = true; 193 break; 194 } 195 } 196 } 197 198 static int nft_netdev_register_hooks(struct net *net, 199 struct list_head *hook_list) 200 { 201 struct nft_hook *hook; 202 int err, j; 203 204 j = 0; 205 list_for_each_entry(hook, hook_list, list) { 206 err = nf_register_net_hook(net, &hook->ops); 207 if (err < 0) 208 goto err_register; 209 210 j++; 211 } 212 return 0; 213 214 err_register: 215 list_for_each_entry(hook, hook_list, list) { 216 if (j-- <= 0) 217 break; 218 219 nf_unregister_net_hook(net, &hook->ops); 220 } 221 return err; 222 } 223 224 static void nft_netdev_unregister_hooks(struct net *net, 225 struct list_head *hook_list) 226 { 227 struct nft_hook *hook; 228 229 list_for_each_entry(hook, hook_list, list) 230 nf_unregister_net_hook(net, &hook->ops); 231 } 232 233 static int nf_tables_register_hook(struct net *net, 234 const struct nft_table *table, 235 struct nft_chain *chain) 236 { 237 struct nft_base_chain *basechain; 238 const struct nf_hook_ops *ops; 239 240 if (table->flags & NFT_TABLE_F_DORMANT || 241 !nft_is_base_chain(chain)) 242 return 0; 243 244 basechain = nft_base_chain(chain); 245 ops = &basechain->ops; 246 247 if (basechain->type->ops_register) 248 return basechain->type->ops_register(net, ops); 249 250 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 251 return nft_netdev_register_hooks(net, &basechain->hook_list); 252 253 return nf_register_net_hook(net, &basechain->ops); 254 } 255 256 static void nf_tables_unregister_hook(struct net *net, 257 const struct nft_table *table, 258 struct nft_chain *chain) 259 { 260 struct nft_base_chain *basechain; 261 const struct nf_hook_ops *ops; 262 263 if (table->flags & NFT_TABLE_F_DORMANT || 264 !nft_is_base_chain(chain)) 265 return; 266 basechain = nft_base_chain(chain); 267 ops = &basechain->ops; 268 269 if (basechain->type->ops_unregister) 270 return basechain->type->ops_unregister(net, ops); 271 272 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 273 nft_netdev_unregister_hooks(net, &basechain->hook_list); 274 else 275 nf_unregister_net_hook(net, &basechain->ops); 276 } 277 278 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) 279 { 280 struct nftables_pernet *nft_net = nft_pernet(net); 281 282 list_add_tail(&trans->list, &nft_net->commit_list); 283 } 284 285 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 286 { 287 struct nft_trans *trans; 288 289 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 290 if (trans == NULL) 291 return -ENOMEM; 292 293 if (msg_type == NFT_MSG_NEWTABLE) 294 nft_activate_next(ctx->net, ctx->table); 295 296 nft_trans_commit_list_add_tail(ctx->net, trans); 297 return 0; 298 } 299 300 static int nft_deltable(struct nft_ctx *ctx) 301 { 302 int err; 303 304 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 305 if (err < 0) 306 return err; 307 308 nft_deactivate_next(ctx->net, ctx->table); 309 return err; 310 } 311 312 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 313 { 314 struct nft_trans *trans; 315 316 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 317 if (trans == NULL) 318 return ERR_PTR(-ENOMEM); 319 320 if (msg_type == NFT_MSG_NEWCHAIN) { 321 nft_activate_next(ctx->net, ctx->chain); 322 323 if (ctx->nla[NFTA_CHAIN_ID]) { 324 nft_trans_chain_id(trans) = 325 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); 326 } 327 } 328 329 nft_trans_commit_list_add_tail(ctx->net, trans); 330 return trans; 331 } 332 333 static int nft_delchain(struct nft_ctx *ctx) 334 { 335 struct nft_trans *trans; 336 337 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 338 if (IS_ERR(trans)) 339 return PTR_ERR(trans); 340 341 ctx->table->use--; 342 nft_deactivate_next(ctx->net, ctx->chain); 343 344 return 0; 345 } 346 347 static void nft_rule_expr_activate(const struct nft_ctx *ctx, 348 struct nft_rule *rule) 349 { 350 struct nft_expr *expr; 351 352 expr = nft_expr_first(rule); 353 while (nft_expr_more(rule, expr)) { 354 if (expr->ops->activate) 355 expr->ops->activate(ctx, expr); 356 357 expr = nft_expr_next(expr); 358 } 359 } 360 361 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, 362 struct nft_rule *rule, 363 enum nft_trans_phase phase) 364 { 365 struct nft_expr *expr; 366 367 expr = nft_expr_first(rule); 368 while (nft_expr_more(rule, expr)) { 369 if (expr->ops->deactivate) 370 expr->ops->deactivate(ctx, expr, phase); 371 372 expr = nft_expr_next(expr); 373 } 374 } 375 376 static int 377 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 378 { 379 /* You cannot delete the same rule twice */ 380 if (nft_is_active_next(ctx->net, rule)) { 381 nft_deactivate_next(ctx->net, rule); 382 ctx->chain->use--; 383 return 0; 384 } 385 return -ENOENT; 386 } 387 388 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 389 struct nft_rule *rule) 390 { 391 struct nft_trans *trans; 392 393 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 394 if (trans == NULL) 395 return NULL; 396 397 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 398 nft_trans_rule_id(trans) = 399 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 400 } 401 nft_trans_rule(trans) = rule; 402 nft_trans_commit_list_add_tail(ctx->net, trans); 403 404 return trans; 405 } 406 407 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 408 { 409 struct nft_flow_rule *flow; 410 struct nft_trans *trans; 411 int err; 412 413 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 414 if (trans == NULL) 415 return -ENOMEM; 416 417 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 418 flow = nft_flow_rule_create(ctx->net, rule); 419 if (IS_ERR(flow)) { 420 nft_trans_destroy(trans); 421 return PTR_ERR(flow); 422 } 423 424 nft_trans_flow_rule(trans) = flow; 425 } 426 427 err = nf_tables_delrule_deactivate(ctx, rule); 428 if (err < 0) { 429 nft_trans_destroy(trans); 430 return err; 431 } 432 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 433 434 return 0; 435 } 436 437 static int nft_delrule_by_chain(struct nft_ctx *ctx) 438 { 439 struct nft_rule *rule; 440 int err; 441 442 list_for_each_entry(rule, &ctx->chain->rules, list) { 443 if (!nft_is_active_next(ctx->net, rule)) 444 continue; 445 446 err = nft_delrule(ctx, rule); 447 if (err < 0) 448 return err; 449 } 450 return 0; 451 } 452 453 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 454 struct nft_set *set) 455 { 456 struct nft_trans *trans; 457 458 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 459 if (trans == NULL) 460 return -ENOMEM; 461 462 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) { 463 nft_trans_set_id(trans) = 464 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 465 nft_activate_next(ctx->net, set); 466 } 467 nft_trans_set(trans) = set; 468 nft_trans_commit_list_add_tail(ctx->net, trans); 469 470 return 0; 471 } 472 473 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 474 { 475 int err; 476 477 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 478 if (err < 0) 479 return err; 480 481 nft_deactivate_next(ctx->net, set); 482 ctx->table->use--; 483 484 return err; 485 } 486 487 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 488 struct nft_object *obj) 489 { 490 struct nft_trans *trans; 491 492 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 493 if (trans == NULL) 494 return -ENOMEM; 495 496 if (msg_type == NFT_MSG_NEWOBJ) 497 nft_activate_next(ctx->net, obj); 498 499 nft_trans_obj(trans) = obj; 500 nft_trans_commit_list_add_tail(ctx->net, trans); 501 502 return 0; 503 } 504 505 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 506 { 507 int err; 508 509 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 510 if (err < 0) 511 return err; 512 513 nft_deactivate_next(ctx->net, obj); 514 ctx->table->use--; 515 516 return err; 517 } 518 519 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 520 struct nft_flowtable *flowtable) 521 { 522 struct nft_trans *trans; 523 524 trans = nft_trans_alloc(ctx, msg_type, 525 sizeof(struct nft_trans_flowtable)); 526 if (trans == NULL) 527 return -ENOMEM; 528 529 if (msg_type == NFT_MSG_NEWFLOWTABLE) 530 nft_activate_next(ctx->net, flowtable); 531 532 nft_trans_flowtable(trans) = flowtable; 533 nft_trans_commit_list_add_tail(ctx->net, trans); 534 535 return 0; 536 } 537 538 static int nft_delflowtable(struct nft_ctx *ctx, 539 struct nft_flowtable *flowtable) 540 { 541 int err; 542 543 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 544 if (err < 0) 545 return err; 546 547 nft_deactivate_next(ctx->net, flowtable); 548 ctx->table->use--; 549 550 return err; 551 } 552 553 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg) 554 { 555 int i; 556 557 for (i = track->regs[dreg].num_reg; i > 0; i--) 558 __nft_reg_track_cancel(track, dreg - i); 559 } 560 561 static void __nft_reg_track_update(struct nft_regs_track *track, 562 const struct nft_expr *expr, 563 u8 dreg, u8 num_reg) 564 { 565 track->regs[dreg].selector = expr; 566 track->regs[dreg].bitwise = NULL; 567 track->regs[dreg].num_reg = num_reg; 568 } 569 570 void nft_reg_track_update(struct nft_regs_track *track, 571 const struct nft_expr *expr, u8 dreg, u8 len) 572 { 573 unsigned int regcount; 574 int i; 575 576 __nft_reg_track_clobber(track, dreg); 577 578 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 579 for (i = 0; i < regcount; i++, dreg++) 580 __nft_reg_track_update(track, expr, dreg, i); 581 } 582 EXPORT_SYMBOL_GPL(nft_reg_track_update); 583 584 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len) 585 { 586 unsigned int regcount; 587 int i; 588 589 __nft_reg_track_clobber(track, dreg); 590 591 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 592 for (i = 0; i < regcount; i++, dreg++) 593 __nft_reg_track_cancel(track, dreg); 594 } 595 EXPORT_SYMBOL_GPL(nft_reg_track_cancel); 596 597 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg) 598 { 599 track->regs[dreg].selector = NULL; 600 track->regs[dreg].bitwise = NULL; 601 track->regs[dreg].num_reg = 0; 602 } 603 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel); 604 605 /* 606 * Tables 607 */ 608 609 static struct nft_table *nft_table_lookup(const struct net *net, 610 const struct nlattr *nla, 611 u8 family, u8 genmask, u32 nlpid) 612 { 613 struct nftables_pernet *nft_net; 614 struct nft_table *table; 615 616 if (nla == NULL) 617 return ERR_PTR(-EINVAL); 618 619 nft_net = nft_pernet(net); 620 list_for_each_entry_rcu(table, &nft_net->tables, list, 621 lockdep_is_held(&nft_net->commit_mutex)) { 622 if (!nla_strcmp(nla, table->name) && 623 table->family == family && 624 nft_active_genmask(table, genmask)) { 625 if (nft_table_has_owner(table) && 626 nlpid && table->nlpid != nlpid) 627 return ERR_PTR(-EPERM); 628 629 return table; 630 } 631 } 632 633 return ERR_PTR(-ENOENT); 634 } 635 636 static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 637 const struct nlattr *nla, 638 u8 genmask, u32 nlpid) 639 { 640 struct nftables_pernet *nft_net; 641 struct nft_table *table; 642 643 nft_net = nft_pernet(net); 644 list_for_each_entry(table, &nft_net->tables, list) { 645 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 646 nft_active_genmask(table, genmask)) { 647 if (nft_table_has_owner(table) && 648 nlpid && table->nlpid != nlpid) 649 return ERR_PTR(-EPERM); 650 651 return table; 652 } 653 } 654 655 return ERR_PTR(-ENOENT); 656 } 657 658 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 659 { 660 return ++table->hgenerator; 661 } 662 663 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 664 665 static const struct nft_chain_type * 666 __nft_chain_type_get(u8 family, enum nft_chain_types type) 667 { 668 if (family >= NFPROTO_NUMPROTO || 669 type >= NFT_CHAIN_T_MAX) 670 return NULL; 671 672 return chain_type[family][type]; 673 } 674 675 static const struct nft_chain_type * 676 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 677 { 678 const struct nft_chain_type *type; 679 int i; 680 681 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 682 type = __nft_chain_type_get(family, i); 683 if (!type) 684 continue; 685 if (!nla_strcmp(nla, type->name)) 686 return type; 687 } 688 return NULL; 689 } 690 691 struct nft_module_request { 692 struct list_head list; 693 char module[MODULE_NAME_LEN]; 694 bool done; 695 }; 696 697 #ifdef CONFIG_MODULES 698 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, 699 ...) 700 { 701 char module_name[MODULE_NAME_LEN]; 702 struct nftables_pernet *nft_net; 703 struct nft_module_request *req; 704 va_list args; 705 int ret; 706 707 va_start(args, fmt); 708 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 709 va_end(args); 710 if (ret >= MODULE_NAME_LEN) 711 return 0; 712 713 nft_net = nft_pernet(net); 714 list_for_each_entry(req, &nft_net->module_list, list) { 715 if (!strcmp(req->module, module_name)) { 716 if (req->done) 717 return 0; 718 719 /* A request to load this module already exists. */ 720 return -EAGAIN; 721 } 722 } 723 724 req = kmalloc(sizeof(*req), GFP_KERNEL); 725 if (!req) 726 return -ENOMEM; 727 728 req->done = false; 729 strlcpy(req->module, module_name, MODULE_NAME_LEN); 730 list_add_tail(&req->list, &nft_net->module_list); 731 732 return -EAGAIN; 733 } 734 EXPORT_SYMBOL_GPL(nft_request_module); 735 #endif 736 737 static void lockdep_nfnl_nft_mutex_not_held(void) 738 { 739 #ifdef CONFIG_PROVE_LOCKING 740 if (debug_locks) 741 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 742 #endif 743 } 744 745 static const struct nft_chain_type * 746 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 747 u8 family, bool autoload) 748 { 749 const struct nft_chain_type *type; 750 751 type = __nf_tables_chain_type_lookup(nla, family); 752 if (type != NULL) 753 return type; 754 755 lockdep_nfnl_nft_mutex_not_held(); 756 #ifdef CONFIG_MODULES 757 if (autoload) { 758 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 759 nla_len(nla), 760 (const char *)nla_data(nla)) == -EAGAIN) 761 return ERR_PTR(-EAGAIN); 762 } 763 #endif 764 return ERR_PTR(-ENOENT); 765 } 766 767 static __be16 nft_base_seq(const struct net *net) 768 { 769 struct nftables_pernet *nft_net = nft_pernet(net); 770 771 return htons(nft_net->base_seq & 0xffff); 772 } 773 774 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 775 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 776 .len = NFT_TABLE_MAXNAMELEN - 1 }, 777 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 778 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 779 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY, 780 .len = NFT_USERDATA_MAXLEN } 781 }; 782 783 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 784 u32 portid, u32 seq, int event, u32 flags, 785 int family, const struct nft_table *table) 786 { 787 struct nlmsghdr *nlh; 788 789 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 790 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 791 NFNETLINK_V0, nft_base_seq(net)); 792 if (!nlh) 793 goto nla_put_failure; 794 795 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 796 nla_put_be32(skb, NFTA_TABLE_FLAGS, 797 htonl(table->flags & NFT_TABLE_F_MASK)) || 798 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 799 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 800 NFTA_TABLE_PAD)) 801 goto nla_put_failure; 802 if (nft_table_has_owner(table) && 803 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid))) 804 goto nla_put_failure; 805 806 if (table->udata) { 807 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata)) 808 goto nla_put_failure; 809 } 810 811 nlmsg_end(skb, nlh); 812 return 0; 813 814 nla_put_failure: 815 nlmsg_trim(skb, nlh); 816 return -1; 817 } 818 819 struct nftnl_skb_parms { 820 bool report; 821 }; 822 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb)) 823 824 static void nft_notify_enqueue(struct sk_buff *skb, bool report, 825 struct list_head *notify_list) 826 { 827 NFT_CB(skb).report = report; 828 list_add_tail(&skb->list, notify_list); 829 } 830 831 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 832 { 833 struct nftables_pernet *nft_net; 834 struct sk_buff *skb; 835 u16 flags = 0; 836 int err; 837 838 if (!ctx->report && 839 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 840 return; 841 842 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 843 if (skb == NULL) 844 goto err; 845 846 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 847 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 848 849 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 850 event, flags, ctx->family, ctx->table); 851 if (err < 0) { 852 kfree_skb(skb); 853 goto err; 854 } 855 856 nft_net = nft_pernet(ctx->net); 857 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 858 return; 859 err: 860 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 861 } 862 863 static int nf_tables_dump_tables(struct sk_buff *skb, 864 struct netlink_callback *cb) 865 { 866 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 867 struct nftables_pernet *nft_net; 868 const struct nft_table *table; 869 unsigned int idx = 0, s_idx = cb->args[0]; 870 struct net *net = sock_net(skb->sk); 871 int family = nfmsg->nfgen_family; 872 873 rcu_read_lock(); 874 nft_net = nft_pernet(net); 875 cb->seq = nft_net->base_seq; 876 877 list_for_each_entry_rcu(table, &nft_net->tables, list) { 878 if (family != NFPROTO_UNSPEC && family != table->family) 879 continue; 880 881 if (idx < s_idx) 882 goto cont; 883 if (idx > s_idx) 884 memset(&cb->args[1], 0, 885 sizeof(cb->args) - sizeof(cb->args[0])); 886 if (!nft_is_active(net, table)) 887 continue; 888 if (nf_tables_fill_table_info(skb, net, 889 NETLINK_CB(cb->skb).portid, 890 cb->nlh->nlmsg_seq, 891 NFT_MSG_NEWTABLE, NLM_F_MULTI, 892 table->family, table) < 0) 893 goto done; 894 895 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 896 cont: 897 idx++; 898 } 899 done: 900 rcu_read_unlock(); 901 cb->args[0] = idx; 902 return skb->len; 903 } 904 905 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 906 const struct nlmsghdr *nlh, 907 struct netlink_dump_control *c) 908 { 909 int err; 910 911 if (!try_module_get(THIS_MODULE)) 912 return -EINVAL; 913 914 rcu_read_unlock(); 915 err = netlink_dump_start(nlsk, skb, nlh, c); 916 rcu_read_lock(); 917 module_put(THIS_MODULE); 918 919 return err; 920 } 921 922 /* called with rcu_read_lock held */ 923 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info, 924 const struct nlattr * const nla[]) 925 { 926 struct netlink_ext_ack *extack = info->extack; 927 u8 genmask = nft_genmask_cur(info->net); 928 u8 family = info->nfmsg->nfgen_family; 929 const struct nft_table *table; 930 struct net *net = info->net; 931 struct sk_buff *skb2; 932 int err; 933 934 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 935 struct netlink_dump_control c = { 936 .dump = nf_tables_dump_tables, 937 .module = THIS_MODULE, 938 }; 939 940 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 941 } 942 943 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0); 944 if (IS_ERR(table)) { 945 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 946 return PTR_ERR(table); 947 } 948 949 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 950 if (!skb2) 951 return -ENOMEM; 952 953 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 954 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 955 0, family, table); 956 if (err < 0) 957 goto err_fill_table_info; 958 959 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 960 961 err_fill_table_info: 962 kfree_skb(skb2); 963 return err; 964 } 965 966 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 967 { 968 struct nft_chain *chain; 969 u32 i = 0; 970 971 list_for_each_entry(chain, &table->chains, list) { 972 if (!nft_is_active_next(net, chain)) 973 continue; 974 if (!nft_is_base_chain(chain)) 975 continue; 976 977 if (cnt && i++ == cnt) 978 break; 979 980 nf_tables_unregister_hook(net, table, chain); 981 } 982 } 983 984 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 985 { 986 struct nft_chain *chain; 987 int err, i = 0; 988 989 list_for_each_entry(chain, &table->chains, list) { 990 if (!nft_is_active_next(net, chain)) 991 continue; 992 if (!nft_is_base_chain(chain)) 993 continue; 994 995 err = nf_tables_register_hook(net, table, chain); 996 if (err < 0) 997 goto err_register_hooks; 998 999 i++; 1000 } 1001 return 0; 1002 1003 err_register_hooks: 1004 if (i) 1005 nft_table_disable(net, table, i); 1006 return err; 1007 } 1008 1009 static void nf_tables_table_disable(struct net *net, struct nft_table *table) 1010 { 1011 table->flags &= ~NFT_TABLE_F_DORMANT; 1012 nft_table_disable(net, table, 0); 1013 table->flags |= NFT_TABLE_F_DORMANT; 1014 } 1015 1016 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1) 1017 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0) 1018 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1) 1019 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \ 1020 __NFT_TABLE_F_WAS_AWAKEN) 1021 1022 static int nf_tables_updtable(struct nft_ctx *ctx) 1023 { 1024 struct nft_trans *trans; 1025 u32 flags; 1026 int ret; 1027 1028 if (!ctx->nla[NFTA_TABLE_FLAGS]) 1029 return 0; 1030 1031 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 1032 if (flags & ~NFT_TABLE_F_MASK) 1033 return -EOPNOTSUPP; 1034 1035 if (flags == ctx->table->flags) 1036 return 0; 1037 1038 if ((nft_table_has_owner(ctx->table) && 1039 !(flags & NFT_TABLE_F_OWNER)) || 1040 (!nft_table_has_owner(ctx->table) && 1041 flags & NFT_TABLE_F_OWNER)) 1042 return -EOPNOTSUPP; 1043 1044 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 1045 sizeof(struct nft_trans_table)); 1046 if (trans == NULL) 1047 return -ENOMEM; 1048 1049 if ((flags & NFT_TABLE_F_DORMANT) && 1050 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 1051 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1052 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) 1053 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN; 1054 } else if (!(flags & NFT_TABLE_F_DORMANT) && 1055 ctx->table->flags & NFT_TABLE_F_DORMANT) { 1056 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 1057 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) { 1058 ret = nf_tables_table_enable(ctx->net, ctx->table); 1059 if (ret < 0) 1060 goto err_register_hooks; 1061 1062 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT; 1063 } 1064 } 1065 1066 nft_trans_table_update(trans) = true; 1067 nft_trans_commit_list_add_tail(ctx->net, trans); 1068 1069 return 0; 1070 1071 err_register_hooks: 1072 nft_trans_destroy(trans); 1073 return ret; 1074 } 1075 1076 static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 1077 { 1078 const char *name = data; 1079 1080 return jhash(name, strlen(name), seed); 1081 } 1082 1083 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 1084 { 1085 const struct nft_chain *chain = data; 1086 1087 return nft_chain_hash(chain->name, 0, seed); 1088 } 1089 1090 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 1091 const void *ptr) 1092 { 1093 const struct nft_chain *chain = ptr; 1094 const char *name = arg->key; 1095 1096 return strcmp(chain->name, name); 1097 } 1098 1099 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 1100 { 1101 const struct nft_object_hash_key *k = data; 1102 1103 seed ^= hash_ptr(k->table, 32); 1104 1105 return jhash(k->name, strlen(k->name), seed); 1106 } 1107 1108 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 1109 { 1110 const struct nft_object *obj = data; 1111 1112 return nft_objname_hash(&obj->key, 0, seed); 1113 } 1114 1115 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 1116 const void *ptr) 1117 { 1118 const struct nft_object_hash_key *k = arg->key; 1119 const struct nft_object *obj = ptr; 1120 1121 if (obj->key.table != k->table) 1122 return -1; 1123 1124 return strcmp(obj->key.name, k->name); 1125 } 1126 1127 static bool nft_supported_family(u8 family) 1128 { 1129 return false 1130 #ifdef CONFIG_NF_TABLES_INET 1131 || family == NFPROTO_INET 1132 #endif 1133 #ifdef CONFIG_NF_TABLES_IPV4 1134 || family == NFPROTO_IPV4 1135 #endif 1136 #ifdef CONFIG_NF_TABLES_ARP 1137 || family == NFPROTO_ARP 1138 #endif 1139 #ifdef CONFIG_NF_TABLES_NETDEV 1140 || family == NFPROTO_NETDEV 1141 #endif 1142 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) 1143 || family == NFPROTO_BRIDGE 1144 #endif 1145 #ifdef CONFIG_NF_TABLES_IPV6 1146 || family == NFPROTO_IPV6 1147 #endif 1148 ; 1149 } 1150 1151 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, 1152 const struct nlattr * const nla[]) 1153 { 1154 struct nftables_pernet *nft_net = nft_pernet(info->net); 1155 struct netlink_ext_ack *extack = info->extack; 1156 u8 genmask = nft_genmask_next(info->net); 1157 u8 family = info->nfmsg->nfgen_family; 1158 struct net *net = info->net; 1159 const struct nlattr *attr; 1160 struct nft_table *table; 1161 struct nft_ctx ctx; 1162 u32 flags = 0; 1163 int err; 1164 1165 if (!nft_supported_family(family)) 1166 return -EOPNOTSUPP; 1167 1168 lockdep_assert_held(&nft_net->commit_mutex); 1169 attr = nla[NFTA_TABLE_NAME]; 1170 table = nft_table_lookup(net, attr, family, genmask, 1171 NETLINK_CB(skb).portid); 1172 if (IS_ERR(table)) { 1173 if (PTR_ERR(table) != -ENOENT) 1174 return PTR_ERR(table); 1175 } else { 1176 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 1177 NL_SET_BAD_ATTR(extack, attr); 1178 return -EEXIST; 1179 } 1180 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 1181 return -EOPNOTSUPP; 1182 1183 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1184 1185 return nf_tables_updtable(&ctx); 1186 } 1187 1188 if (nla[NFTA_TABLE_FLAGS]) { 1189 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 1190 if (flags & ~NFT_TABLE_F_MASK) 1191 return -EOPNOTSUPP; 1192 } 1193 1194 err = -ENOMEM; 1195 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT); 1196 if (table == NULL) 1197 goto err_kzalloc; 1198 1199 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT); 1200 if (table->name == NULL) 1201 goto err_strdup; 1202 1203 if (nla[NFTA_TABLE_USERDATA]) { 1204 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT); 1205 if (table->udata == NULL) 1206 goto err_table_udata; 1207 1208 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]); 1209 } 1210 1211 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1212 if (err) 1213 goto err_chain_ht; 1214 1215 INIT_LIST_HEAD(&table->chains); 1216 INIT_LIST_HEAD(&table->sets); 1217 INIT_LIST_HEAD(&table->objects); 1218 INIT_LIST_HEAD(&table->flowtables); 1219 table->family = family; 1220 table->flags = flags; 1221 table->handle = ++table_handle; 1222 if (table->flags & NFT_TABLE_F_OWNER) 1223 table->nlpid = NETLINK_CB(skb).portid; 1224 1225 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1226 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1227 if (err < 0) 1228 goto err_trans; 1229 1230 list_add_tail_rcu(&table->list, &nft_net->tables); 1231 return 0; 1232 err_trans: 1233 rhltable_destroy(&table->chains_ht); 1234 err_chain_ht: 1235 kfree(table->udata); 1236 err_table_udata: 1237 kfree(table->name); 1238 err_strdup: 1239 kfree(table); 1240 err_kzalloc: 1241 return err; 1242 } 1243 1244 static int nft_flush_table(struct nft_ctx *ctx) 1245 { 1246 struct nft_flowtable *flowtable, *nft; 1247 struct nft_chain *chain, *nc; 1248 struct nft_object *obj, *ne; 1249 struct nft_set *set, *ns; 1250 int err; 1251 1252 list_for_each_entry(chain, &ctx->table->chains, list) { 1253 if (!nft_is_active_next(ctx->net, chain)) 1254 continue; 1255 1256 if (nft_chain_is_bound(chain)) 1257 continue; 1258 1259 ctx->chain = chain; 1260 1261 err = nft_delrule_by_chain(ctx); 1262 if (err < 0) 1263 goto out; 1264 } 1265 1266 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1267 if (!nft_is_active_next(ctx->net, set)) 1268 continue; 1269 1270 if (nft_set_is_anonymous(set) && 1271 !list_empty(&set->bindings)) 1272 continue; 1273 1274 err = nft_delset(ctx, set); 1275 if (err < 0) 1276 goto out; 1277 } 1278 1279 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1280 if (!nft_is_active_next(ctx->net, flowtable)) 1281 continue; 1282 1283 err = nft_delflowtable(ctx, flowtable); 1284 if (err < 0) 1285 goto out; 1286 } 1287 1288 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1289 if (!nft_is_active_next(ctx->net, obj)) 1290 continue; 1291 1292 err = nft_delobj(ctx, obj); 1293 if (err < 0) 1294 goto out; 1295 } 1296 1297 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1298 if (!nft_is_active_next(ctx->net, chain)) 1299 continue; 1300 1301 if (nft_chain_is_bound(chain)) 1302 continue; 1303 1304 ctx->chain = chain; 1305 1306 err = nft_delchain(ctx); 1307 if (err < 0) 1308 goto out; 1309 } 1310 1311 err = nft_deltable(ctx); 1312 out: 1313 return err; 1314 } 1315 1316 static int nft_flush(struct nft_ctx *ctx, int family) 1317 { 1318 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1319 const struct nlattr * const *nla = ctx->nla; 1320 struct nft_table *table, *nt; 1321 int err = 0; 1322 1323 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 1324 if (family != AF_UNSPEC && table->family != family) 1325 continue; 1326 1327 ctx->family = table->family; 1328 1329 if (!nft_is_active_next(ctx->net, table)) 1330 continue; 1331 1332 if (nft_table_has_owner(table) && table->nlpid != ctx->portid) 1333 continue; 1334 1335 if (nla[NFTA_TABLE_NAME] && 1336 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1337 continue; 1338 1339 ctx->table = table; 1340 1341 err = nft_flush_table(ctx); 1342 if (err < 0) 1343 goto out; 1344 } 1345 out: 1346 return err; 1347 } 1348 1349 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info, 1350 const struct nlattr * const nla[]) 1351 { 1352 struct netlink_ext_ack *extack = info->extack; 1353 u8 genmask = nft_genmask_next(info->net); 1354 u8 family = info->nfmsg->nfgen_family; 1355 struct net *net = info->net; 1356 const struct nlattr *attr; 1357 struct nft_table *table; 1358 struct nft_ctx ctx; 1359 1360 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla); 1361 if (family == AF_UNSPEC || 1362 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1363 return nft_flush(&ctx, family); 1364 1365 if (nla[NFTA_TABLE_HANDLE]) { 1366 attr = nla[NFTA_TABLE_HANDLE]; 1367 table = nft_table_lookup_byhandle(net, attr, genmask, 1368 NETLINK_CB(skb).portid); 1369 } else { 1370 attr = nla[NFTA_TABLE_NAME]; 1371 table = nft_table_lookup(net, attr, family, genmask, 1372 NETLINK_CB(skb).portid); 1373 } 1374 1375 if (IS_ERR(table)) { 1376 NL_SET_BAD_ATTR(extack, attr); 1377 return PTR_ERR(table); 1378 } 1379 1380 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 1381 table->use > 0) 1382 return -EBUSY; 1383 1384 ctx.family = family; 1385 ctx.table = table; 1386 1387 return nft_flush_table(&ctx); 1388 } 1389 1390 static void nf_tables_table_destroy(struct nft_ctx *ctx) 1391 { 1392 if (WARN_ON(ctx->table->use > 0)) 1393 return; 1394 1395 rhltable_destroy(&ctx->table->chains_ht); 1396 kfree(ctx->table->name); 1397 kfree(ctx->table->udata); 1398 kfree(ctx->table); 1399 } 1400 1401 void nft_register_chain_type(const struct nft_chain_type *ctype) 1402 { 1403 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1404 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1405 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1406 return; 1407 } 1408 chain_type[ctype->family][ctype->type] = ctype; 1409 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1410 } 1411 EXPORT_SYMBOL_GPL(nft_register_chain_type); 1412 1413 void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1414 { 1415 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1416 chain_type[ctype->family][ctype->type] = NULL; 1417 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1418 } 1419 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1420 1421 /* 1422 * Chains 1423 */ 1424 1425 static struct nft_chain * 1426 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1427 { 1428 struct nft_chain *chain; 1429 1430 list_for_each_entry(chain, &table->chains, list) { 1431 if (chain->handle == handle && 1432 nft_active_genmask(chain, genmask)) 1433 return chain; 1434 } 1435 1436 return ERR_PTR(-ENOENT); 1437 } 1438 1439 static bool lockdep_commit_lock_is_held(const struct net *net) 1440 { 1441 #ifdef CONFIG_PROVE_LOCKING 1442 struct nftables_pernet *nft_net = nft_pernet(net); 1443 1444 return lockdep_is_held(&nft_net->commit_mutex); 1445 #else 1446 return true; 1447 #endif 1448 } 1449 1450 static struct nft_chain *nft_chain_lookup(struct net *net, 1451 struct nft_table *table, 1452 const struct nlattr *nla, u8 genmask) 1453 { 1454 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1455 struct rhlist_head *tmp, *list; 1456 struct nft_chain *chain; 1457 1458 if (nla == NULL) 1459 return ERR_PTR(-EINVAL); 1460 1461 nla_strscpy(search, nla, sizeof(search)); 1462 1463 WARN_ON(!rcu_read_lock_held() && 1464 !lockdep_commit_lock_is_held(net)); 1465 1466 chain = ERR_PTR(-ENOENT); 1467 rcu_read_lock(); 1468 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1469 if (!list) 1470 goto out_unlock; 1471 1472 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1473 if (nft_active_genmask(chain, genmask)) 1474 goto out_unlock; 1475 } 1476 chain = ERR_PTR(-ENOENT); 1477 out_unlock: 1478 rcu_read_unlock(); 1479 return chain; 1480 } 1481 1482 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1483 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1484 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1485 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1486 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1487 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1488 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1489 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1490 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1491 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1492 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1493 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1494 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1495 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY, 1496 .len = NFT_USERDATA_MAXLEN }, 1497 }; 1498 1499 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1500 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1501 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1502 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1503 .len = IFNAMSIZ - 1 }, 1504 }; 1505 1506 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1507 { 1508 struct nft_stats *cpu_stats, total; 1509 struct nlattr *nest; 1510 unsigned int seq; 1511 u64 pkts, bytes; 1512 int cpu; 1513 1514 if (!stats) 1515 return 0; 1516 1517 memset(&total, 0, sizeof(total)); 1518 for_each_possible_cpu(cpu) { 1519 cpu_stats = per_cpu_ptr(stats, cpu); 1520 do { 1521 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp); 1522 pkts = cpu_stats->pkts; 1523 bytes = cpu_stats->bytes; 1524 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq)); 1525 total.pkts += pkts; 1526 total.bytes += bytes; 1527 } 1528 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1529 if (nest == NULL) 1530 goto nla_put_failure; 1531 1532 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1533 NFTA_COUNTER_PAD) || 1534 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1535 NFTA_COUNTER_PAD)) 1536 goto nla_put_failure; 1537 1538 nla_nest_end(skb, nest); 1539 return 0; 1540 1541 nla_put_failure: 1542 return -ENOSPC; 1543 } 1544 1545 static int nft_dump_basechain_hook(struct sk_buff *skb, int family, 1546 const struct nft_base_chain *basechain) 1547 { 1548 const struct nf_hook_ops *ops = &basechain->ops; 1549 struct nft_hook *hook, *first = NULL; 1550 struct nlattr *nest, *nest_devs; 1551 int n = 0; 1552 1553 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1554 if (nest == NULL) 1555 goto nla_put_failure; 1556 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1557 goto nla_put_failure; 1558 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1559 goto nla_put_failure; 1560 1561 if (nft_base_chain_netdev(family, ops->hooknum)) { 1562 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1563 list_for_each_entry(hook, &basechain->hook_list, list) { 1564 if (!first) 1565 first = hook; 1566 1567 if (nla_put_string(skb, NFTA_DEVICE_NAME, 1568 hook->ops.dev->name)) 1569 goto nla_put_failure; 1570 n++; 1571 } 1572 nla_nest_end(skb, nest_devs); 1573 1574 if (n == 1 && 1575 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) 1576 goto nla_put_failure; 1577 } 1578 nla_nest_end(skb, nest); 1579 1580 return 0; 1581 nla_put_failure: 1582 return -1; 1583 } 1584 1585 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 1586 u32 portid, u32 seq, int event, u32 flags, 1587 int family, const struct nft_table *table, 1588 const struct nft_chain *chain) 1589 { 1590 struct nlmsghdr *nlh; 1591 1592 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1593 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 1594 NFNETLINK_V0, nft_base_seq(net)); 1595 if (!nlh) 1596 goto nla_put_failure; 1597 1598 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) 1599 goto nla_put_failure; 1600 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 1601 NFTA_CHAIN_PAD)) 1602 goto nla_put_failure; 1603 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name)) 1604 goto nla_put_failure; 1605 1606 if (nft_is_base_chain(chain)) { 1607 const struct nft_base_chain *basechain = nft_base_chain(chain); 1608 struct nft_stats __percpu *stats; 1609 1610 if (nft_dump_basechain_hook(skb, family, basechain)) 1611 goto nla_put_failure; 1612 1613 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1614 htonl(basechain->policy))) 1615 goto nla_put_failure; 1616 1617 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1618 goto nla_put_failure; 1619 1620 stats = rcu_dereference_check(basechain->stats, 1621 lockdep_commit_lock_is_held(net)); 1622 if (nft_dump_stats(skb, stats)) 1623 goto nla_put_failure; 1624 } 1625 1626 if (chain->flags && 1627 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags))) 1628 goto nla_put_failure; 1629 1630 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1631 goto nla_put_failure; 1632 1633 if (chain->udata && 1634 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata)) 1635 goto nla_put_failure; 1636 1637 nlmsg_end(skb, nlh); 1638 return 0; 1639 1640 nla_put_failure: 1641 nlmsg_trim(skb, nlh); 1642 return -1; 1643 } 1644 1645 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event) 1646 { 1647 struct nftables_pernet *nft_net; 1648 struct sk_buff *skb; 1649 u16 flags = 0; 1650 int err; 1651 1652 if (!ctx->report && 1653 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1654 return; 1655 1656 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1657 if (skb == NULL) 1658 goto err; 1659 1660 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 1661 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 1662 1663 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1664 event, flags, ctx->family, ctx->table, 1665 ctx->chain); 1666 if (err < 0) { 1667 kfree_skb(skb); 1668 goto err; 1669 } 1670 1671 nft_net = nft_pernet(ctx->net); 1672 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1673 return; 1674 err: 1675 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1676 } 1677 1678 static int nf_tables_dump_chains(struct sk_buff *skb, 1679 struct netlink_callback *cb) 1680 { 1681 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1682 unsigned int idx = 0, s_idx = cb->args[0]; 1683 struct net *net = sock_net(skb->sk); 1684 int family = nfmsg->nfgen_family; 1685 struct nftables_pernet *nft_net; 1686 const struct nft_table *table; 1687 const struct nft_chain *chain; 1688 1689 rcu_read_lock(); 1690 nft_net = nft_pernet(net); 1691 cb->seq = nft_net->base_seq; 1692 1693 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1694 if (family != NFPROTO_UNSPEC && family != table->family) 1695 continue; 1696 1697 list_for_each_entry_rcu(chain, &table->chains, list) { 1698 if (idx < s_idx) 1699 goto cont; 1700 if (idx > s_idx) 1701 memset(&cb->args[1], 0, 1702 sizeof(cb->args) - sizeof(cb->args[0])); 1703 if (!nft_is_active(net, chain)) 1704 continue; 1705 if (nf_tables_fill_chain_info(skb, net, 1706 NETLINK_CB(cb->skb).portid, 1707 cb->nlh->nlmsg_seq, 1708 NFT_MSG_NEWCHAIN, 1709 NLM_F_MULTI, 1710 table->family, table, 1711 chain) < 0) 1712 goto done; 1713 1714 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1715 cont: 1716 idx++; 1717 } 1718 } 1719 done: 1720 rcu_read_unlock(); 1721 cb->args[0] = idx; 1722 return skb->len; 1723 } 1724 1725 /* called with rcu_read_lock held */ 1726 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info, 1727 const struct nlattr * const nla[]) 1728 { 1729 struct netlink_ext_ack *extack = info->extack; 1730 u8 genmask = nft_genmask_cur(info->net); 1731 u8 family = info->nfmsg->nfgen_family; 1732 const struct nft_chain *chain; 1733 struct net *net = info->net; 1734 struct nft_table *table; 1735 struct sk_buff *skb2; 1736 int err; 1737 1738 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1739 struct netlink_dump_control c = { 1740 .dump = nf_tables_dump_chains, 1741 .module = THIS_MODULE, 1742 }; 1743 1744 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 1745 } 1746 1747 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0); 1748 if (IS_ERR(table)) { 1749 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 1750 return PTR_ERR(table); 1751 } 1752 1753 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 1754 if (IS_ERR(chain)) { 1755 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 1756 return PTR_ERR(chain); 1757 } 1758 1759 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1760 if (!skb2) 1761 return -ENOMEM; 1762 1763 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 1764 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 1765 0, family, table, chain); 1766 if (err < 0) 1767 goto err_fill_chain_info; 1768 1769 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1770 1771 err_fill_chain_info: 1772 kfree_skb(skb2); 1773 return err; 1774 } 1775 1776 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 1777 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 1778 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 1779 }; 1780 1781 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 1782 { 1783 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 1784 struct nft_stats __percpu *newstats; 1785 struct nft_stats *stats; 1786 int err; 1787 1788 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 1789 nft_counter_policy, NULL); 1790 if (err < 0) 1791 return ERR_PTR(err); 1792 1793 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 1794 return ERR_PTR(-EINVAL); 1795 1796 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 1797 if (newstats == NULL) 1798 return ERR_PTR(-ENOMEM); 1799 1800 /* Restore old counters on this cpu, no problem. Per-cpu statistics 1801 * are not exposed to userspace. 1802 */ 1803 preempt_disable(); 1804 stats = this_cpu_ptr(newstats); 1805 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 1806 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 1807 preempt_enable(); 1808 1809 return newstats; 1810 } 1811 1812 static void nft_chain_stats_replace(struct nft_trans *trans) 1813 { 1814 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain); 1815 1816 if (!nft_trans_chain_stats(trans)) 1817 return; 1818 1819 nft_trans_chain_stats(trans) = 1820 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans), 1821 lockdep_commit_lock_is_held(trans->ctx.net)); 1822 1823 if (!nft_trans_chain_stats(trans)) 1824 static_branch_inc(&nft_counters_enabled); 1825 } 1826 1827 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 1828 { 1829 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0); 1830 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1); 1831 1832 if (g0 != g1) 1833 kvfree(g1); 1834 kvfree(g0); 1835 1836 /* should be NULL either via abort or via successful commit */ 1837 WARN_ON_ONCE(chain->blob_next); 1838 kvfree(chain->blob_next); 1839 } 1840 1841 void nf_tables_chain_destroy(struct nft_ctx *ctx) 1842 { 1843 struct nft_chain *chain = ctx->chain; 1844 struct nft_hook *hook, *next; 1845 1846 if (WARN_ON(chain->use > 0)) 1847 return; 1848 1849 /* no concurrent access possible anymore */ 1850 nf_tables_chain_free_chain_rules(chain); 1851 1852 if (nft_is_base_chain(chain)) { 1853 struct nft_base_chain *basechain = nft_base_chain(chain); 1854 1855 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) { 1856 list_for_each_entry_safe(hook, next, 1857 &basechain->hook_list, list) { 1858 list_del_rcu(&hook->list); 1859 kfree_rcu(hook, rcu); 1860 } 1861 } 1862 module_put(basechain->type->owner); 1863 if (rcu_access_pointer(basechain->stats)) { 1864 static_branch_dec(&nft_counters_enabled); 1865 free_percpu(rcu_dereference_raw(basechain->stats)); 1866 } 1867 kfree(chain->name); 1868 kfree(chain->udata); 1869 kfree(basechain); 1870 } else { 1871 kfree(chain->name); 1872 kfree(chain->udata); 1873 kfree(chain); 1874 } 1875 } 1876 1877 static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 1878 const struct nlattr *attr) 1879 { 1880 struct net_device *dev; 1881 char ifname[IFNAMSIZ]; 1882 struct nft_hook *hook; 1883 int err; 1884 1885 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT); 1886 if (!hook) { 1887 err = -ENOMEM; 1888 goto err_hook_alloc; 1889 } 1890 1891 nla_strscpy(ifname, attr, IFNAMSIZ); 1892 /* nf_tables_netdev_event() is called under rtnl_mutex, this is 1893 * indirectly serializing all the other holders of the commit_mutex with 1894 * the rtnl_mutex. 1895 */ 1896 dev = __dev_get_by_name(net, ifname); 1897 if (!dev) { 1898 err = -ENOENT; 1899 goto err_hook_dev; 1900 } 1901 hook->ops.dev = dev; 1902 hook->inactive = false; 1903 1904 return hook; 1905 1906 err_hook_dev: 1907 kfree(hook); 1908 err_hook_alloc: 1909 return ERR_PTR(err); 1910 } 1911 1912 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, 1913 const struct nft_hook *this) 1914 { 1915 struct nft_hook *hook; 1916 1917 list_for_each_entry(hook, hook_list, list) { 1918 if (this->ops.dev == hook->ops.dev) 1919 return hook; 1920 } 1921 1922 return NULL; 1923 } 1924 1925 static int nf_tables_parse_netdev_hooks(struct net *net, 1926 const struct nlattr *attr, 1927 struct list_head *hook_list) 1928 { 1929 struct nft_hook *hook, *next; 1930 const struct nlattr *tmp; 1931 int rem, n = 0, err; 1932 1933 nla_for_each_nested(tmp, attr, rem) { 1934 if (nla_type(tmp) != NFTA_DEVICE_NAME) { 1935 err = -EINVAL; 1936 goto err_hook; 1937 } 1938 1939 hook = nft_netdev_hook_alloc(net, tmp); 1940 if (IS_ERR(hook)) { 1941 err = PTR_ERR(hook); 1942 goto err_hook; 1943 } 1944 if (nft_hook_list_find(hook_list, hook)) { 1945 kfree(hook); 1946 err = -EEXIST; 1947 goto err_hook; 1948 } 1949 list_add_tail(&hook->list, hook_list); 1950 n++; 1951 1952 if (n == NFT_NETDEVICE_MAX) { 1953 err = -EFBIG; 1954 goto err_hook; 1955 } 1956 } 1957 1958 return 0; 1959 1960 err_hook: 1961 list_for_each_entry_safe(hook, next, hook_list, list) { 1962 list_del(&hook->list); 1963 kfree(hook); 1964 } 1965 return err; 1966 } 1967 1968 struct nft_chain_hook { 1969 u32 num; 1970 s32 priority; 1971 const struct nft_chain_type *type; 1972 struct list_head list; 1973 }; 1974 1975 static int nft_chain_parse_netdev(struct net *net, 1976 struct nlattr *tb[], 1977 struct list_head *hook_list) 1978 { 1979 struct nft_hook *hook; 1980 int err; 1981 1982 if (tb[NFTA_HOOK_DEV]) { 1983 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); 1984 if (IS_ERR(hook)) 1985 return PTR_ERR(hook); 1986 1987 list_add_tail(&hook->list, hook_list); 1988 } else if (tb[NFTA_HOOK_DEVS]) { 1989 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 1990 hook_list); 1991 if (err < 0) 1992 return err; 1993 1994 if (list_empty(hook_list)) 1995 return -EINVAL; 1996 } else { 1997 return -EINVAL; 1998 } 1999 2000 return 0; 2001 } 2002 2003 static int nft_chain_parse_hook(struct net *net, 2004 const struct nlattr * const nla[], 2005 struct nft_chain_hook *hook, u8 family, 2006 struct netlink_ext_ack *extack, bool autoload) 2007 { 2008 struct nftables_pernet *nft_net = nft_pernet(net); 2009 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 2010 const struct nft_chain_type *type; 2011 int err; 2012 2013 lockdep_assert_held(&nft_net->commit_mutex); 2014 lockdep_nfnl_nft_mutex_not_held(); 2015 2016 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 2017 nla[NFTA_CHAIN_HOOK], 2018 nft_hook_policy, NULL); 2019 if (err < 0) 2020 return err; 2021 2022 if (ha[NFTA_HOOK_HOOKNUM] == NULL || 2023 ha[NFTA_HOOK_PRIORITY] == NULL) 2024 return -EINVAL; 2025 2026 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 2027 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 2028 2029 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 2030 if (!type) 2031 return -EOPNOTSUPP; 2032 2033 if (nla[NFTA_CHAIN_TYPE]) { 2034 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 2035 family, autoload); 2036 if (IS_ERR(type)) { 2037 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2038 return PTR_ERR(type); 2039 } 2040 } 2041 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 2042 return -EOPNOTSUPP; 2043 2044 if (type->type == NFT_CHAIN_T_NAT && 2045 hook->priority <= NF_IP_PRI_CONNTRACK) 2046 return -EOPNOTSUPP; 2047 2048 if (!try_module_get(type->owner)) { 2049 if (nla[NFTA_CHAIN_TYPE]) 2050 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2051 return -ENOENT; 2052 } 2053 2054 hook->type = type; 2055 2056 INIT_LIST_HEAD(&hook->list); 2057 if (nft_base_chain_netdev(family, hook->num)) { 2058 err = nft_chain_parse_netdev(net, ha, &hook->list); 2059 if (err < 0) { 2060 module_put(type->owner); 2061 return err; 2062 } 2063 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 2064 module_put(type->owner); 2065 return -EOPNOTSUPP; 2066 } 2067 2068 return 0; 2069 } 2070 2071 static void nft_chain_release_hook(struct nft_chain_hook *hook) 2072 { 2073 struct nft_hook *h, *next; 2074 2075 list_for_each_entry_safe(h, next, &hook->list, list) { 2076 list_del(&h->list); 2077 kfree(h); 2078 } 2079 module_put(hook->type->owner); 2080 } 2081 2082 struct nft_rules_old { 2083 struct rcu_head h; 2084 struct nft_rule_blob *blob; 2085 }; 2086 2087 static void nft_last_rule(struct nft_rule_blob *blob, const void *ptr) 2088 { 2089 struct nft_rule_dp *prule; 2090 2091 prule = (struct nft_rule_dp *)ptr; 2092 prule->is_last = 1; 2093 /* blob size does not include the trailer rule */ 2094 } 2095 2096 static struct nft_rule_blob *nf_tables_chain_alloc_rules(unsigned int size) 2097 { 2098 struct nft_rule_blob *blob; 2099 2100 /* size must include room for the last rule */ 2101 if (size < offsetof(struct nft_rule_dp, data)) 2102 return NULL; 2103 2104 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rules_old); 2105 if (size > INT_MAX) 2106 return NULL; 2107 2108 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT); 2109 if (!blob) 2110 return NULL; 2111 2112 blob->size = 0; 2113 nft_last_rule(blob, blob->data); 2114 2115 return blob; 2116 } 2117 2118 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 2119 const struct nft_chain_hook *hook, 2120 struct nft_chain *chain) 2121 { 2122 ops->pf = family; 2123 ops->hooknum = hook->num; 2124 ops->priority = hook->priority; 2125 ops->priv = chain; 2126 ops->hook = hook->type->hooks[ops->hooknum]; 2127 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES; 2128 } 2129 2130 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 2131 struct nft_chain_hook *hook, u32 flags) 2132 { 2133 struct nft_chain *chain; 2134 struct nft_hook *h; 2135 2136 basechain->type = hook->type; 2137 INIT_LIST_HEAD(&basechain->hook_list); 2138 chain = &basechain->chain; 2139 2140 if (nft_base_chain_netdev(family, hook->num)) { 2141 list_splice_init(&hook->list, &basechain->hook_list); 2142 list_for_each_entry(h, &basechain->hook_list, list) 2143 nft_basechain_hook_init(&h->ops, family, hook, chain); 2144 2145 basechain->ops.hooknum = hook->num; 2146 basechain->ops.priority = hook->priority; 2147 } else { 2148 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 2149 } 2150 2151 chain->flags |= NFT_CHAIN_BASE | flags; 2152 basechain->policy = NF_ACCEPT; 2153 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 2154 nft_chain_offload_priority(basechain) < 0) 2155 return -EOPNOTSUPP; 2156 2157 flow_block_init(&basechain->flow_block); 2158 2159 return 0; 2160 } 2161 2162 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 2163 { 2164 int err; 2165 2166 err = rhltable_insert_key(&table->chains_ht, chain->name, 2167 &chain->rhlhead, nft_chain_ht_params); 2168 if (err) 2169 return err; 2170 2171 list_add_tail_rcu(&chain->list, &table->chains); 2172 2173 return 0; 2174 } 2175 2176 static u64 chain_id; 2177 2178 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 2179 u8 policy, u32 flags, 2180 struct netlink_ext_ack *extack) 2181 { 2182 const struct nlattr * const *nla = ctx->nla; 2183 struct nft_table *table = ctx->table; 2184 struct nft_base_chain *basechain; 2185 struct nft_stats __percpu *stats; 2186 struct net *net = ctx->net; 2187 char name[NFT_NAME_MAXLEN]; 2188 struct nft_rule_blob *blob; 2189 struct nft_trans *trans; 2190 struct nft_chain *chain; 2191 unsigned int data_size; 2192 int err; 2193 2194 if (table->use == UINT_MAX) 2195 return -EOVERFLOW; 2196 2197 if (nla[NFTA_CHAIN_HOOK]) { 2198 struct nft_chain_hook hook; 2199 2200 if (flags & NFT_CHAIN_BINDING) 2201 return -EOPNOTSUPP; 2202 2203 err = nft_chain_parse_hook(net, nla, &hook, family, extack, 2204 true); 2205 if (err < 0) 2206 return err; 2207 2208 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT); 2209 if (basechain == NULL) { 2210 nft_chain_release_hook(&hook); 2211 return -ENOMEM; 2212 } 2213 chain = &basechain->chain; 2214 2215 if (nla[NFTA_CHAIN_COUNTERS]) { 2216 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2217 if (IS_ERR(stats)) { 2218 nft_chain_release_hook(&hook); 2219 kfree(basechain); 2220 return PTR_ERR(stats); 2221 } 2222 rcu_assign_pointer(basechain->stats, stats); 2223 static_branch_inc(&nft_counters_enabled); 2224 } 2225 2226 err = nft_basechain_init(basechain, family, &hook, flags); 2227 if (err < 0) { 2228 nft_chain_release_hook(&hook); 2229 kfree(basechain); 2230 return err; 2231 } 2232 } else { 2233 if (flags & NFT_CHAIN_BASE) 2234 return -EINVAL; 2235 if (flags & NFT_CHAIN_HW_OFFLOAD) 2236 return -EOPNOTSUPP; 2237 2238 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT); 2239 if (chain == NULL) 2240 return -ENOMEM; 2241 2242 chain->flags = flags; 2243 } 2244 ctx->chain = chain; 2245 2246 INIT_LIST_HEAD(&chain->rules); 2247 chain->handle = nf_tables_alloc_handle(table); 2248 chain->table = table; 2249 2250 if (nla[NFTA_CHAIN_NAME]) { 2251 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2252 } else { 2253 if (!(flags & NFT_CHAIN_BINDING)) { 2254 err = -EINVAL; 2255 goto err_destroy_chain; 2256 } 2257 2258 snprintf(name, sizeof(name), "__chain%llu", ++chain_id); 2259 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT); 2260 } 2261 2262 if (!chain->name) { 2263 err = -ENOMEM; 2264 goto err_destroy_chain; 2265 } 2266 2267 if (nla[NFTA_CHAIN_USERDATA]) { 2268 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT); 2269 if (chain->udata == NULL) { 2270 err = -ENOMEM; 2271 goto err_destroy_chain; 2272 } 2273 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]); 2274 } 2275 2276 data_size = offsetof(struct nft_rule_dp, data); /* last rule */ 2277 blob = nf_tables_chain_alloc_rules(data_size); 2278 if (!blob) { 2279 err = -ENOMEM; 2280 goto err_destroy_chain; 2281 } 2282 2283 RCU_INIT_POINTER(chain->blob_gen_0, blob); 2284 RCU_INIT_POINTER(chain->blob_gen_1, blob); 2285 2286 err = nf_tables_register_hook(net, table, chain); 2287 if (err < 0) 2288 goto err_destroy_chain; 2289 2290 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 2291 if (IS_ERR(trans)) { 2292 err = PTR_ERR(trans); 2293 goto err_unregister_hook; 2294 } 2295 2296 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 2297 if (nft_is_base_chain(chain)) 2298 nft_trans_chain_policy(trans) = policy; 2299 2300 err = nft_chain_add(table, chain); 2301 if (err < 0) { 2302 nft_trans_destroy(trans); 2303 goto err_unregister_hook; 2304 } 2305 2306 table->use++; 2307 2308 return 0; 2309 err_unregister_hook: 2310 nf_tables_unregister_hook(net, table, chain); 2311 err_destroy_chain: 2312 nf_tables_chain_destroy(ctx); 2313 2314 return err; 2315 } 2316 2317 static bool nft_hook_list_equal(struct list_head *hook_list1, 2318 struct list_head *hook_list2) 2319 { 2320 struct nft_hook *hook; 2321 int n = 0, m = 0; 2322 2323 n = 0; 2324 list_for_each_entry(hook, hook_list2, list) { 2325 if (!nft_hook_list_find(hook_list1, hook)) 2326 return false; 2327 2328 n++; 2329 } 2330 list_for_each_entry(hook, hook_list1, list) 2331 m++; 2332 2333 return n == m; 2334 } 2335 2336 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2337 u32 flags, const struct nlattr *attr, 2338 struct netlink_ext_ack *extack) 2339 { 2340 const struct nlattr * const *nla = ctx->nla; 2341 struct nft_table *table = ctx->table; 2342 struct nft_chain *chain = ctx->chain; 2343 struct nft_base_chain *basechain; 2344 struct nft_stats *stats = NULL; 2345 struct nft_chain_hook hook; 2346 struct nf_hook_ops *ops; 2347 struct nft_trans *trans; 2348 int err; 2349 2350 if (chain->flags ^ flags) 2351 return -EOPNOTSUPP; 2352 2353 if (nla[NFTA_CHAIN_HOOK]) { 2354 if (!nft_is_base_chain(chain)) { 2355 NL_SET_BAD_ATTR(extack, attr); 2356 return -EEXIST; 2357 } 2358 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, 2359 extack, false); 2360 if (err < 0) 2361 return err; 2362 2363 basechain = nft_base_chain(chain); 2364 if (basechain->type != hook.type) { 2365 nft_chain_release_hook(&hook); 2366 NL_SET_BAD_ATTR(extack, attr); 2367 return -EEXIST; 2368 } 2369 2370 if (nft_base_chain_netdev(ctx->family, hook.num)) { 2371 if (!nft_hook_list_equal(&basechain->hook_list, 2372 &hook.list)) { 2373 nft_chain_release_hook(&hook); 2374 NL_SET_BAD_ATTR(extack, attr); 2375 return -EEXIST; 2376 } 2377 } else { 2378 ops = &basechain->ops; 2379 if (ops->hooknum != hook.num || 2380 ops->priority != hook.priority) { 2381 nft_chain_release_hook(&hook); 2382 NL_SET_BAD_ATTR(extack, attr); 2383 return -EEXIST; 2384 } 2385 } 2386 nft_chain_release_hook(&hook); 2387 } 2388 2389 if (nla[NFTA_CHAIN_HANDLE] && 2390 nla[NFTA_CHAIN_NAME]) { 2391 struct nft_chain *chain2; 2392 2393 chain2 = nft_chain_lookup(ctx->net, table, 2394 nla[NFTA_CHAIN_NAME], genmask); 2395 if (!IS_ERR(chain2)) { 2396 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2397 return -EEXIST; 2398 } 2399 } 2400 2401 if (nla[NFTA_CHAIN_COUNTERS]) { 2402 if (!nft_is_base_chain(chain)) 2403 return -EOPNOTSUPP; 2404 2405 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2406 if (IS_ERR(stats)) 2407 return PTR_ERR(stats); 2408 } 2409 2410 err = -ENOMEM; 2411 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, 2412 sizeof(struct nft_trans_chain)); 2413 if (trans == NULL) 2414 goto err; 2415 2416 nft_trans_chain_stats(trans) = stats; 2417 nft_trans_chain_update(trans) = true; 2418 2419 if (nla[NFTA_CHAIN_POLICY]) 2420 nft_trans_chain_policy(trans) = policy; 2421 else 2422 nft_trans_chain_policy(trans) = -1; 2423 2424 if (nla[NFTA_CHAIN_HANDLE] && 2425 nla[NFTA_CHAIN_NAME]) { 2426 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 2427 struct nft_trans *tmp; 2428 char *name; 2429 2430 err = -ENOMEM; 2431 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2432 if (!name) 2433 goto err; 2434 2435 err = -EEXIST; 2436 list_for_each_entry(tmp, &nft_net->commit_list, list) { 2437 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2438 tmp->ctx.table == table && 2439 nft_trans_chain_update(tmp) && 2440 nft_trans_chain_name(tmp) && 2441 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2442 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2443 kfree(name); 2444 goto err; 2445 } 2446 } 2447 2448 nft_trans_chain_name(trans) = name; 2449 } 2450 nft_trans_commit_list_add_tail(ctx->net, trans); 2451 2452 return 0; 2453 err: 2454 free_percpu(stats); 2455 kfree(trans); 2456 return err; 2457 } 2458 2459 static struct nft_chain *nft_chain_lookup_byid(const struct net *net, 2460 const struct nlattr *nla) 2461 { 2462 struct nftables_pernet *nft_net = nft_pernet(net); 2463 u32 id = ntohl(nla_get_be32(nla)); 2464 struct nft_trans *trans; 2465 2466 list_for_each_entry(trans, &nft_net->commit_list, list) { 2467 struct nft_chain *chain = trans->ctx.chain; 2468 2469 if (trans->msg_type == NFT_MSG_NEWCHAIN && 2470 id == nft_trans_chain_id(trans)) 2471 return chain; 2472 } 2473 return ERR_PTR(-ENOENT); 2474 } 2475 2476 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info, 2477 const struct nlattr * const nla[]) 2478 { 2479 struct nftables_pernet *nft_net = nft_pernet(info->net); 2480 struct netlink_ext_ack *extack = info->extack; 2481 u8 genmask = nft_genmask_next(info->net); 2482 u8 family = info->nfmsg->nfgen_family; 2483 struct nft_chain *chain = NULL; 2484 struct net *net = info->net; 2485 const struct nlattr *attr; 2486 struct nft_table *table; 2487 u8 policy = NF_ACCEPT; 2488 struct nft_ctx ctx; 2489 u64 handle = 0; 2490 u32 flags = 0; 2491 2492 lockdep_assert_held(&nft_net->commit_mutex); 2493 2494 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2495 NETLINK_CB(skb).portid); 2496 if (IS_ERR(table)) { 2497 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2498 return PTR_ERR(table); 2499 } 2500 2501 chain = NULL; 2502 attr = nla[NFTA_CHAIN_NAME]; 2503 2504 if (nla[NFTA_CHAIN_HANDLE]) { 2505 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 2506 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2507 if (IS_ERR(chain)) { 2508 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 2509 return PTR_ERR(chain); 2510 } 2511 attr = nla[NFTA_CHAIN_HANDLE]; 2512 } else if (nla[NFTA_CHAIN_NAME]) { 2513 chain = nft_chain_lookup(net, table, attr, genmask); 2514 if (IS_ERR(chain)) { 2515 if (PTR_ERR(chain) != -ENOENT) { 2516 NL_SET_BAD_ATTR(extack, attr); 2517 return PTR_ERR(chain); 2518 } 2519 chain = NULL; 2520 } 2521 } else if (!nla[NFTA_CHAIN_ID]) { 2522 return -EINVAL; 2523 } 2524 2525 if (nla[NFTA_CHAIN_POLICY]) { 2526 if (chain != NULL && 2527 !nft_is_base_chain(chain)) { 2528 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2529 return -EOPNOTSUPP; 2530 } 2531 2532 if (chain == NULL && 2533 nla[NFTA_CHAIN_HOOK] == NULL) { 2534 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2535 return -EOPNOTSUPP; 2536 } 2537 2538 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 2539 switch (policy) { 2540 case NF_DROP: 2541 case NF_ACCEPT: 2542 break; 2543 default: 2544 return -EINVAL; 2545 } 2546 } 2547 2548 if (nla[NFTA_CHAIN_FLAGS]) 2549 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 2550 else if (chain) 2551 flags = chain->flags; 2552 2553 if (flags & ~NFT_CHAIN_FLAGS) 2554 return -EOPNOTSUPP; 2555 2556 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2557 2558 if (chain != NULL) { 2559 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 2560 NL_SET_BAD_ATTR(extack, attr); 2561 return -EEXIST; 2562 } 2563 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 2564 return -EOPNOTSUPP; 2565 2566 flags |= chain->flags & NFT_CHAIN_BASE; 2567 return nf_tables_updchain(&ctx, genmask, policy, flags, attr, 2568 extack); 2569 } 2570 2571 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack); 2572 } 2573 2574 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info, 2575 const struct nlattr * const nla[]) 2576 { 2577 struct netlink_ext_ack *extack = info->extack; 2578 u8 genmask = nft_genmask_next(info->net); 2579 u8 family = info->nfmsg->nfgen_family; 2580 struct net *net = info->net; 2581 const struct nlattr *attr; 2582 struct nft_table *table; 2583 struct nft_chain *chain; 2584 struct nft_rule *rule; 2585 struct nft_ctx ctx; 2586 u64 handle; 2587 u32 use; 2588 int err; 2589 2590 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2591 NETLINK_CB(skb).portid); 2592 if (IS_ERR(table)) { 2593 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2594 return PTR_ERR(table); 2595 } 2596 2597 if (nla[NFTA_CHAIN_HANDLE]) { 2598 attr = nla[NFTA_CHAIN_HANDLE]; 2599 handle = be64_to_cpu(nla_get_be64(attr)); 2600 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2601 } else { 2602 attr = nla[NFTA_CHAIN_NAME]; 2603 chain = nft_chain_lookup(net, table, attr, genmask); 2604 } 2605 if (IS_ERR(chain)) { 2606 NL_SET_BAD_ATTR(extack, attr); 2607 return PTR_ERR(chain); 2608 } 2609 2610 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 2611 chain->use > 0) 2612 return -EBUSY; 2613 2614 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2615 2616 use = chain->use; 2617 list_for_each_entry(rule, &chain->rules, list) { 2618 if (!nft_is_active_next(net, rule)) 2619 continue; 2620 use--; 2621 2622 err = nft_delrule(&ctx, rule); 2623 if (err < 0) 2624 return err; 2625 } 2626 2627 /* There are rules and elements that are still holding references to us, 2628 * we cannot do a recursive removal in this case. 2629 */ 2630 if (use > 0) { 2631 NL_SET_BAD_ATTR(extack, attr); 2632 return -EBUSY; 2633 } 2634 2635 return nft_delchain(&ctx); 2636 } 2637 2638 /* 2639 * Expressions 2640 */ 2641 2642 /** 2643 * nft_register_expr - register nf_tables expr type 2644 * @type: expr type 2645 * 2646 * Registers the expr type for use with nf_tables. Returns zero on 2647 * success or a negative errno code otherwise. 2648 */ 2649 int nft_register_expr(struct nft_expr_type *type) 2650 { 2651 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2652 if (type->family == NFPROTO_UNSPEC) 2653 list_add_tail_rcu(&type->list, &nf_tables_expressions); 2654 else 2655 list_add_rcu(&type->list, &nf_tables_expressions); 2656 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2657 return 0; 2658 } 2659 EXPORT_SYMBOL_GPL(nft_register_expr); 2660 2661 /** 2662 * nft_unregister_expr - unregister nf_tables expr type 2663 * @type: expr type 2664 * 2665 * Unregisters the expr typefor use with nf_tables. 2666 */ 2667 void nft_unregister_expr(struct nft_expr_type *type) 2668 { 2669 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2670 list_del_rcu(&type->list); 2671 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2672 } 2673 EXPORT_SYMBOL_GPL(nft_unregister_expr); 2674 2675 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 2676 struct nlattr *nla) 2677 { 2678 const struct nft_expr_type *type, *candidate = NULL; 2679 2680 list_for_each_entry(type, &nf_tables_expressions, list) { 2681 if (!nla_strcmp(nla, type->name)) { 2682 if (!type->family && !candidate) 2683 candidate = type; 2684 else if (type->family == family) 2685 candidate = type; 2686 } 2687 } 2688 return candidate; 2689 } 2690 2691 #ifdef CONFIG_MODULES 2692 static int nft_expr_type_request_module(struct net *net, u8 family, 2693 struct nlattr *nla) 2694 { 2695 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 2696 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 2697 return -EAGAIN; 2698 2699 return 0; 2700 } 2701 #endif 2702 2703 static const struct nft_expr_type *nft_expr_type_get(struct net *net, 2704 u8 family, 2705 struct nlattr *nla) 2706 { 2707 const struct nft_expr_type *type; 2708 2709 if (nla == NULL) 2710 return ERR_PTR(-EINVAL); 2711 2712 type = __nft_expr_type_get(family, nla); 2713 if (type != NULL && try_module_get(type->owner)) 2714 return type; 2715 2716 lockdep_nfnl_nft_mutex_not_held(); 2717 #ifdef CONFIG_MODULES 2718 if (type == NULL) { 2719 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 2720 return ERR_PTR(-EAGAIN); 2721 2722 if (nft_request_module(net, "nft-expr-%.*s", 2723 nla_len(nla), 2724 (char *)nla_data(nla)) == -EAGAIN) 2725 return ERR_PTR(-EAGAIN); 2726 } 2727 #endif 2728 return ERR_PTR(-ENOENT); 2729 } 2730 2731 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 2732 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 2733 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 2734 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 2735 }; 2736 2737 static int nf_tables_fill_expr_info(struct sk_buff *skb, 2738 const struct nft_expr *expr) 2739 { 2740 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 2741 goto nla_put_failure; 2742 2743 if (expr->ops->dump) { 2744 struct nlattr *data = nla_nest_start_noflag(skb, 2745 NFTA_EXPR_DATA); 2746 if (data == NULL) 2747 goto nla_put_failure; 2748 if (expr->ops->dump(skb, expr) < 0) 2749 goto nla_put_failure; 2750 nla_nest_end(skb, data); 2751 } 2752 2753 return skb->len; 2754 2755 nla_put_failure: 2756 return -1; 2757 }; 2758 2759 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 2760 const struct nft_expr *expr) 2761 { 2762 struct nlattr *nest; 2763 2764 nest = nla_nest_start_noflag(skb, attr); 2765 if (!nest) 2766 goto nla_put_failure; 2767 if (nf_tables_fill_expr_info(skb, expr) < 0) 2768 goto nla_put_failure; 2769 nla_nest_end(skb, nest); 2770 return 0; 2771 2772 nla_put_failure: 2773 return -1; 2774 } 2775 2776 struct nft_expr_info { 2777 const struct nft_expr_ops *ops; 2778 const struct nlattr *attr; 2779 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 2780 }; 2781 2782 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 2783 const struct nlattr *nla, 2784 struct nft_expr_info *info) 2785 { 2786 const struct nft_expr_type *type; 2787 const struct nft_expr_ops *ops; 2788 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 2789 int err; 2790 2791 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 2792 nft_expr_policy, NULL); 2793 if (err < 0) 2794 return err; 2795 2796 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 2797 if (IS_ERR(type)) 2798 return PTR_ERR(type); 2799 2800 if (tb[NFTA_EXPR_DATA]) { 2801 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 2802 tb[NFTA_EXPR_DATA], 2803 type->policy, NULL); 2804 if (err < 0) 2805 goto err1; 2806 } else 2807 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 2808 2809 if (type->select_ops != NULL) { 2810 ops = type->select_ops(ctx, 2811 (const struct nlattr * const *)info->tb); 2812 if (IS_ERR(ops)) { 2813 err = PTR_ERR(ops); 2814 #ifdef CONFIG_MODULES 2815 if (err == -EAGAIN) 2816 if (nft_expr_type_request_module(ctx->net, 2817 ctx->family, 2818 tb[NFTA_EXPR_NAME]) != -EAGAIN) 2819 err = -ENOENT; 2820 #endif 2821 goto err1; 2822 } 2823 } else 2824 ops = type->ops; 2825 2826 info->attr = nla; 2827 info->ops = ops; 2828 2829 return 0; 2830 2831 err1: 2832 module_put(type->owner); 2833 return err; 2834 } 2835 2836 static int nf_tables_newexpr(const struct nft_ctx *ctx, 2837 const struct nft_expr_info *expr_info, 2838 struct nft_expr *expr) 2839 { 2840 const struct nft_expr_ops *ops = expr_info->ops; 2841 int err; 2842 2843 expr->ops = ops; 2844 if (ops->init) { 2845 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb); 2846 if (err < 0) 2847 goto err1; 2848 } 2849 2850 return 0; 2851 err1: 2852 expr->ops = NULL; 2853 return err; 2854 } 2855 2856 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 2857 struct nft_expr *expr) 2858 { 2859 const struct nft_expr_type *type = expr->ops->type; 2860 2861 if (expr->ops->destroy) 2862 expr->ops->destroy(ctx, expr); 2863 module_put(type->owner); 2864 } 2865 2866 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 2867 const struct nlattr *nla) 2868 { 2869 struct nft_expr_info expr_info; 2870 struct nft_expr *expr; 2871 struct module *owner; 2872 int err; 2873 2874 err = nf_tables_expr_parse(ctx, nla, &expr_info); 2875 if (err < 0) 2876 goto err1; 2877 2878 err = -ENOMEM; 2879 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT); 2880 if (expr == NULL) 2881 goto err2; 2882 2883 err = nf_tables_newexpr(ctx, &expr_info, expr); 2884 if (err < 0) 2885 goto err3; 2886 2887 return expr; 2888 err3: 2889 kfree(expr); 2890 err2: 2891 owner = expr_info.ops->type->owner; 2892 if (expr_info.ops->type->release_ops) 2893 expr_info.ops->type->release_ops(expr_info.ops); 2894 2895 module_put(owner); 2896 err1: 2897 return ERR_PTR(err); 2898 } 2899 2900 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 2901 { 2902 int err; 2903 2904 if (src->ops->clone) { 2905 dst->ops = src->ops; 2906 err = src->ops->clone(dst, src); 2907 if (err < 0) 2908 return err; 2909 } else { 2910 memcpy(dst, src, src->ops->size); 2911 } 2912 2913 __module_get(src->ops->type->owner); 2914 2915 return 0; 2916 } 2917 2918 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 2919 { 2920 nf_tables_expr_destroy(ctx, expr); 2921 kfree(expr); 2922 } 2923 2924 /* 2925 * Rules 2926 */ 2927 2928 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain, 2929 u64 handle) 2930 { 2931 struct nft_rule *rule; 2932 2933 // FIXME: this sucks 2934 list_for_each_entry_rcu(rule, &chain->rules, list) { 2935 if (handle == rule->handle) 2936 return rule; 2937 } 2938 2939 return ERR_PTR(-ENOENT); 2940 } 2941 2942 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain, 2943 const struct nlattr *nla) 2944 { 2945 if (nla == NULL) 2946 return ERR_PTR(-EINVAL); 2947 2948 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 2949 } 2950 2951 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 2952 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 2953 .len = NFT_TABLE_MAXNAMELEN - 1 }, 2954 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 2955 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 2956 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 2957 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED }, 2958 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 2959 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 2960 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 2961 .len = NFT_USERDATA_MAXLEN }, 2962 [NFTA_RULE_ID] = { .type = NLA_U32 }, 2963 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 2964 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 }, 2965 }; 2966 2967 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 2968 u32 portid, u32 seq, int event, 2969 u32 flags, int family, 2970 const struct nft_table *table, 2971 const struct nft_chain *chain, 2972 const struct nft_rule *rule, u64 handle) 2973 { 2974 struct nlmsghdr *nlh; 2975 const struct nft_expr *expr, *next; 2976 struct nlattr *list; 2977 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 2978 2979 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, 2980 nft_base_seq(net)); 2981 if (!nlh) 2982 goto nla_put_failure; 2983 2984 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 2985 goto nla_put_failure; 2986 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 2987 goto nla_put_failure; 2988 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 2989 NFTA_RULE_PAD)) 2990 goto nla_put_failure; 2991 2992 if (event != NFT_MSG_DELRULE && handle) { 2993 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle), 2994 NFTA_RULE_PAD)) 2995 goto nla_put_failure; 2996 } 2997 2998 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) 2999 nft_flow_rule_stats(chain, rule); 3000 3001 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 3002 if (list == NULL) 3003 goto nla_put_failure; 3004 nft_rule_for_each_expr(expr, next, rule) { 3005 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 3006 goto nla_put_failure; 3007 } 3008 nla_nest_end(skb, list); 3009 3010 if (rule->udata) { 3011 struct nft_userdata *udata = nft_userdata(rule); 3012 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 3013 udata->data) < 0) 3014 goto nla_put_failure; 3015 } 3016 3017 nlmsg_end(skb, nlh); 3018 return 0; 3019 3020 nla_put_failure: 3021 nlmsg_trim(skb, nlh); 3022 return -1; 3023 } 3024 3025 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 3026 const struct nft_rule *rule, int event) 3027 { 3028 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3029 const struct nft_rule *prule; 3030 struct sk_buff *skb; 3031 u64 handle = 0; 3032 u16 flags = 0; 3033 int err; 3034 3035 if (!ctx->report && 3036 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3037 return; 3038 3039 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 3040 if (skb == NULL) 3041 goto err; 3042 3043 if (event == NFT_MSG_NEWRULE && 3044 !list_is_first(&rule->list, &ctx->chain->rules) && 3045 !list_is_last(&rule->list, &ctx->chain->rules)) { 3046 prule = list_prev_entry(rule, list); 3047 handle = prule->handle; 3048 } 3049 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE)) 3050 flags |= NLM_F_APPEND; 3051 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 3052 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 3053 3054 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 3055 event, flags, ctx->family, ctx->table, 3056 ctx->chain, rule, handle); 3057 if (err < 0) { 3058 kfree_skb(skb); 3059 goto err; 3060 } 3061 3062 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 3063 return; 3064 err: 3065 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 3066 } 3067 3068 struct nft_rule_dump_ctx { 3069 char *table; 3070 char *chain; 3071 }; 3072 3073 static int __nf_tables_dump_rules(struct sk_buff *skb, 3074 unsigned int *idx, 3075 struct netlink_callback *cb, 3076 const struct nft_table *table, 3077 const struct nft_chain *chain) 3078 { 3079 struct net *net = sock_net(skb->sk); 3080 const struct nft_rule *rule, *prule; 3081 unsigned int s_idx = cb->args[0]; 3082 u64 handle; 3083 3084 prule = NULL; 3085 list_for_each_entry_rcu(rule, &chain->rules, list) { 3086 if (!nft_is_active(net, rule)) 3087 goto cont_skip; 3088 if (*idx < s_idx) 3089 goto cont; 3090 if (*idx > s_idx) { 3091 memset(&cb->args[1], 0, 3092 sizeof(cb->args) - sizeof(cb->args[0])); 3093 } 3094 if (prule) 3095 handle = prule->handle; 3096 else 3097 handle = 0; 3098 3099 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 3100 cb->nlh->nlmsg_seq, 3101 NFT_MSG_NEWRULE, 3102 NLM_F_MULTI | NLM_F_APPEND, 3103 table->family, 3104 table, chain, rule, handle) < 0) 3105 return 1; 3106 3107 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3108 cont: 3109 prule = rule; 3110 cont_skip: 3111 (*idx)++; 3112 } 3113 return 0; 3114 } 3115 3116 static int nf_tables_dump_rules(struct sk_buff *skb, 3117 struct netlink_callback *cb) 3118 { 3119 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3120 const struct nft_rule_dump_ctx *ctx = cb->data; 3121 struct nft_table *table; 3122 const struct nft_chain *chain; 3123 unsigned int idx = 0; 3124 struct net *net = sock_net(skb->sk); 3125 int family = nfmsg->nfgen_family; 3126 struct nftables_pernet *nft_net; 3127 3128 rcu_read_lock(); 3129 nft_net = nft_pernet(net); 3130 cb->seq = nft_net->base_seq; 3131 3132 list_for_each_entry_rcu(table, &nft_net->tables, list) { 3133 if (family != NFPROTO_UNSPEC && family != table->family) 3134 continue; 3135 3136 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) 3137 continue; 3138 3139 if (ctx && ctx->table && ctx->chain) { 3140 struct rhlist_head *list, *tmp; 3141 3142 list = rhltable_lookup(&table->chains_ht, ctx->chain, 3143 nft_chain_ht_params); 3144 if (!list) 3145 goto done; 3146 3147 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 3148 if (!nft_is_active(net, chain)) 3149 continue; 3150 __nf_tables_dump_rules(skb, &idx, 3151 cb, table, chain); 3152 break; 3153 } 3154 goto done; 3155 } 3156 3157 list_for_each_entry_rcu(chain, &table->chains, list) { 3158 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain)) 3159 goto done; 3160 } 3161 3162 if (ctx && ctx->table) 3163 break; 3164 } 3165 done: 3166 rcu_read_unlock(); 3167 3168 cb->args[0] = idx; 3169 return skb->len; 3170 } 3171 3172 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 3173 { 3174 const struct nlattr * const *nla = cb->data; 3175 struct nft_rule_dump_ctx *ctx = NULL; 3176 3177 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) { 3178 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC); 3179 if (!ctx) 3180 return -ENOMEM; 3181 3182 if (nla[NFTA_RULE_TABLE]) { 3183 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], 3184 GFP_ATOMIC); 3185 if (!ctx->table) { 3186 kfree(ctx); 3187 return -ENOMEM; 3188 } 3189 } 3190 if (nla[NFTA_RULE_CHAIN]) { 3191 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], 3192 GFP_ATOMIC); 3193 if (!ctx->chain) { 3194 kfree(ctx->table); 3195 kfree(ctx); 3196 return -ENOMEM; 3197 } 3198 } 3199 } 3200 3201 cb->data = ctx; 3202 return 0; 3203 } 3204 3205 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 3206 { 3207 struct nft_rule_dump_ctx *ctx = cb->data; 3208 3209 if (ctx) { 3210 kfree(ctx->table); 3211 kfree(ctx->chain); 3212 kfree(ctx); 3213 } 3214 return 0; 3215 } 3216 3217 /* called with rcu_read_lock held */ 3218 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info, 3219 const struct nlattr * const nla[]) 3220 { 3221 struct netlink_ext_ack *extack = info->extack; 3222 u8 genmask = nft_genmask_cur(info->net); 3223 u8 family = info->nfmsg->nfgen_family; 3224 const struct nft_chain *chain; 3225 const struct nft_rule *rule; 3226 struct net *net = info->net; 3227 struct nft_table *table; 3228 struct sk_buff *skb2; 3229 int err; 3230 3231 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3232 struct netlink_dump_control c = { 3233 .start= nf_tables_dump_rules_start, 3234 .dump = nf_tables_dump_rules, 3235 .done = nf_tables_dump_rules_done, 3236 .module = THIS_MODULE, 3237 .data = (void *)nla, 3238 }; 3239 3240 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 3241 } 3242 3243 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0); 3244 if (IS_ERR(table)) { 3245 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3246 return PTR_ERR(table); 3247 } 3248 3249 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 3250 if (IS_ERR(chain)) { 3251 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3252 return PTR_ERR(chain); 3253 } 3254 3255 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3256 if (IS_ERR(rule)) { 3257 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3258 return PTR_ERR(rule); 3259 } 3260 3261 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3262 if (!skb2) 3263 return -ENOMEM; 3264 3265 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, 3266 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 3267 family, table, chain, rule, 0); 3268 if (err < 0) 3269 goto err_fill_rule_info; 3270 3271 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 3272 3273 err_fill_rule_info: 3274 kfree_skb(skb2); 3275 return err; 3276 } 3277 3278 static void nf_tables_rule_destroy(const struct nft_ctx *ctx, 3279 struct nft_rule *rule) 3280 { 3281 struct nft_expr *expr, *next; 3282 3283 /* 3284 * Careful: some expressions might not be initialized in case this 3285 * is called on error from nf_tables_newrule(). 3286 */ 3287 expr = nft_expr_first(rule); 3288 while (nft_expr_more(rule, expr)) { 3289 next = nft_expr_next(expr); 3290 nf_tables_expr_destroy(ctx, expr); 3291 expr = next; 3292 } 3293 kfree(rule); 3294 } 3295 3296 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 3297 { 3298 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 3299 nf_tables_rule_destroy(ctx, rule); 3300 } 3301 3302 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 3303 { 3304 struct nft_expr *expr, *last; 3305 const struct nft_data *data; 3306 struct nft_rule *rule; 3307 int err; 3308 3309 if (ctx->level == NFT_JUMP_STACK_SIZE) 3310 return -EMLINK; 3311 3312 list_for_each_entry(rule, &chain->rules, list) { 3313 if (!nft_is_active_next(ctx->net, rule)) 3314 continue; 3315 3316 nft_rule_for_each_expr(expr, last, rule) { 3317 if (!expr->ops->validate) 3318 continue; 3319 3320 err = expr->ops->validate(ctx, expr, &data); 3321 if (err < 0) 3322 return err; 3323 } 3324 } 3325 3326 return 0; 3327 } 3328 EXPORT_SYMBOL_GPL(nft_chain_validate); 3329 3330 static int nft_table_validate(struct net *net, const struct nft_table *table) 3331 { 3332 struct nft_chain *chain; 3333 struct nft_ctx ctx = { 3334 .net = net, 3335 .family = table->family, 3336 }; 3337 int err; 3338 3339 list_for_each_entry(chain, &table->chains, list) { 3340 if (!nft_is_base_chain(chain)) 3341 continue; 3342 3343 ctx.chain = chain; 3344 err = nft_chain_validate(&ctx, chain); 3345 if (err < 0) 3346 return err; 3347 } 3348 3349 return 0; 3350 } 3351 3352 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3353 const struct nlattr *nla); 3354 3355 #define NFT_RULE_MAXEXPRS 128 3356 3357 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, 3358 const struct nlattr * const nla[]) 3359 { 3360 struct nftables_pernet *nft_net = nft_pernet(info->net); 3361 struct netlink_ext_ack *extack = info->extack; 3362 unsigned int size, i, n, ulen = 0, usize = 0; 3363 u8 genmask = nft_genmask_next(info->net); 3364 struct nft_rule *rule, *old_rule = NULL; 3365 struct nft_expr_info *expr_info = NULL; 3366 u8 family = info->nfmsg->nfgen_family; 3367 struct nft_flow_rule *flow = NULL; 3368 struct net *net = info->net; 3369 struct nft_userdata *udata; 3370 struct nft_table *table; 3371 struct nft_chain *chain; 3372 struct nft_trans *trans; 3373 u64 handle, pos_handle; 3374 struct nft_expr *expr; 3375 struct nft_ctx ctx; 3376 struct nlattr *tmp; 3377 int err, rem; 3378 3379 lockdep_assert_held(&nft_net->commit_mutex); 3380 3381 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3382 NETLINK_CB(skb).portid); 3383 if (IS_ERR(table)) { 3384 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3385 return PTR_ERR(table); 3386 } 3387 3388 if (nla[NFTA_RULE_CHAIN]) { 3389 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3390 genmask); 3391 if (IS_ERR(chain)) { 3392 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3393 return PTR_ERR(chain); 3394 } 3395 if (nft_chain_is_bound(chain)) 3396 return -EOPNOTSUPP; 3397 3398 } else if (nla[NFTA_RULE_CHAIN_ID]) { 3399 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]); 3400 if (IS_ERR(chain)) { 3401 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); 3402 return PTR_ERR(chain); 3403 } 3404 } else { 3405 return -EINVAL; 3406 } 3407 3408 if (nla[NFTA_RULE_HANDLE]) { 3409 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 3410 rule = __nft_rule_lookup(chain, handle); 3411 if (IS_ERR(rule)) { 3412 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3413 return PTR_ERR(rule); 3414 } 3415 3416 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 3417 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3418 return -EEXIST; 3419 } 3420 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 3421 old_rule = rule; 3422 else 3423 return -EOPNOTSUPP; 3424 } else { 3425 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) || 3426 info->nlh->nlmsg_flags & NLM_F_REPLACE) 3427 return -EINVAL; 3428 handle = nf_tables_alloc_handle(table); 3429 3430 if (chain->use == UINT_MAX) 3431 return -EOVERFLOW; 3432 3433 if (nla[NFTA_RULE_POSITION]) { 3434 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 3435 old_rule = __nft_rule_lookup(chain, pos_handle); 3436 if (IS_ERR(old_rule)) { 3437 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 3438 return PTR_ERR(old_rule); 3439 } 3440 } else if (nla[NFTA_RULE_POSITION_ID]) { 3441 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]); 3442 if (IS_ERR(old_rule)) { 3443 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 3444 return PTR_ERR(old_rule); 3445 } 3446 } 3447 } 3448 3449 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3450 3451 n = 0; 3452 size = 0; 3453 if (nla[NFTA_RULE_EXPRESSIONS]) { 3454 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS, 3455 sizeof(struct nft_expr_info), 3456 GFP_KERNEL); 3457 if (!expr_info) 3458 return -ENOMEM; 3459 3460 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 3461 err = -EINVAL; 3462 if (nla_type(tmp) != NFTA_LIST_ELEM) 3463 goto err_release_expr; 3464 if (n == NFT_RULE_MAXEXPRS) 3465 goto err_release_expr; 3466 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]); 3467 if (err < 0) { 3468 NL_SET_BAD_ATTR(extack, tmp); 3469 goto err_release_expr; 3470 } 3471 size += expr_info[n].ops->size; 3472 n++; 3473 } 3474 } 3475 /* Check for overflow of dlen field */ 3476 err = -EFBIG; 3477 if (size >= 1 << 12) 3478 goto err_release_expr; 3479 3480 if (nla[NFTA_RULE_USERDATA]) { 3481 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 3482 if (ulen > 0) 3483 usize = sizeof(struct nft_userdata) + ulen; 3484 } 3485 3486 err = -ENOMEM; 3487 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT); 3488 if (rule == NULL) 3489 goto err_release_expr; 3490 3491 nft_activate_next(net, rule); 3492 3493 rule->handle = handle; 3494 rule->dlen = size; 3495 rule->udata = ulen ? 1 : 0; 3496 3497 if (ulen) { 3498 udata = nft_userdata(rule); 3499 udata->len = ulen - 1; 3500 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 3501 } 3502 3503 expr = nft_expr_first(rule); 3504 for (i = 0; i < n; i++) { 3505 err = nf_tables_newexpr(&ctx, &expr_info[i], expr); 3506 if (err < 0) { 3507 NL_SET_BAD_ATTR(extack, expr_info[i].attr); 3508 goto err_release_rule; 3509 } 3510 3511 if (expr_info[i].ops->validate) 3512 nft_validate_state_update(net, NFT_VALIDATE_NEED); 3513 3514 expr_info[i].ops = NULL; 3515 expr = nft_expr_next(expr); 3516 } 3517 3518 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 3519 flow = nft_flow_rule_create(net, rule); 3520 if (IS_ERR(flow)) { 3521 err = PTR_ERR(flow); 3522 goto err_release_rule; 3523 } 3524 } 3525 3526 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { 3527 err = nft_delrule(&ctx, old_rule); 3528 if (err < 0) 3529 goto err_destroy_flow_rule; 3530 3531 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3532 if (trans == NULL) { 3533 err = -ENOMEM; 3534 goto err_destroy_flow_rule; 3535 } 3536 list_add_tail_rcu(&rule->list, &old_rule->list); 3537 } else { 3538 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3539 if (!trans) { 3540 err = -ENOMEM; 3541 goto err_destroy_flow_rule; 3542 } 3543 3544 if (info->nlh->nlmsg_flags & NLM_F_APPEND) { 3545 if (old_rule) 3546 list_add_rcu(&rule->list, &old_rule->list); 3547 else 3548 list_add_tail_rcu(&rule->list, &chain->rules); 3549 } else { 3550 if (old_rule) 3551 list_add_tail_rcu(&rule->list, &old_rule->list); 3552 else 3553 list_add_rcu(&rule->list, &chain->rules); 3554 } 3555 } 3556 kvfree(expr_info); 3557 chain->use++; 3558 3559 if (flow) 3560 nft_trans_flow_rule(trans) = flow; 3561 3562 if (nft_net->validate_state == NFT_VALIDATE_DO) 3563 return nft_table_validate(net, table); 3564 3565 return 0; 3566 3567 err_destroy_flow_rule: 3568 if (flow) 3569 nft_flow_rule_destroy(flow); 3570 err_release_rule: 3571 nf_tables_rule_release(&ctx, rule); 3572 err_release_expr: 3573 for (i = 0; i < n; i++) { 3574 if (expr_info[i].ops) { 3575 module_put(expr_info[i].ops->type->owner); 3576 if (expr_info[i].ops->type->release_ops) 3577 expr_info[i].ops->type->release_ops(expr_info[i].ops); 3578 } 3579 } 3580 kvfree(expr_info); 3581 3582 return err; 3583 } 3584 3585 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3586 const struct nlattr *nla) 3587 { 3588 struct nftables_pernet *nft_net = nft_pernet(net); 3589 u32 id = ntohl(nla_get_be32(nla)); 3590 struct nft_trans *trans; 3591 3592 list_for_each_entry(trans, &nft_net->commit_list, list) { 3593 struct nft_rule *rule = nft_trans_rule(trans); 3594 3595 if (trans->msg_type == NFT_MSG_NEWRULE && 3596 id == nft_trans_rule_id(trans)) 3597 return rule; 3598 } 3599 return ERR_PTR(-ENOENT); 3600 } 3601 3602 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, 3603 const struct nlattr * const nla[]) 3604 { 3605 struct netlink_ext_ack *extack = info->extack; 3606 u8 genmask = nft_genmask_next(info->net); 3607 u8 family = info->nfmsg->nfgen_family; 3608 struct nft_chain *chain = NULL; 3609 struct net *net = info->net; 3610 struct nft_table *table; 3611 struct nft_rule *rule; 3612 struct nft_ctx ctx; 3613 int err = 0; 3614 3615 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3616 NETLINK_CB(skb).portid); 3617 if (IS_ERR(table)) { 3618 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3619 return PTR_ERR(table); 3620 } 3621 3622 if (nla[NFTA_RULE_CHAIN]) { 3623 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3624 genmask); 3625 if (IS_ERR(chain)) { 3626 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3627 return PTR_ERR(chain); 3628 } 3629 if (nft_chain_is_bound(chain)) 3630 return -EOPNOTSUPP; 3631 } 3632 3633 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3634 3635 if (chain) { 3636 if (nla[NFTA_RULE_HANDLE]) { 3637 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3638 if (IS_ERR(rule)) { 3639 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3640 return PTR_ERR(rule); 3641 } 3642 3643 err = nft_delrule(&ctx, rule); 3644 } else if (nla[NFTA_RULE_ID]) { 3645 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); 3646 if (IS_ERR(rule)) { 3647 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 3648 return PTR_ERR(rule); 3649 } 3650 3651 err = nft_delrule(&ctx, rule); 3652 } else { 3653 err = nft_delrule_by_chain(&ctx); 3654 } 3655 } else { 3656 list_for_each_entry(chain, &table->chains, list) { 3657 if (!nft_is_active_next(net, chain)) 3658 continue; 3659 3660 ctx.chain = chain; 3661 err = nft_delrule_by_chain(&ctx); 3662 if (err < 0) 3663 break; 3664 } 3665 } 3666 3667 return err; 3668 } 3669 3670 /* 3671 * Sets 3672 */ 3673 static const struct nft_set_type *nft_set_types[] = { 3674 &nft_set_hash_fast_type, 3675 &nft_set_hash_type, 3676 &nft_set_rhash_type, 3677 &nft_set_bitmap_type, 3678 &nft_set_rbtree_type, 3679 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 3680 &nft_set_pipapo_avx2_type, 3681 #endif 3682 &nft_set_pipapo_type, 3683 }; 3684 3685 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 3686 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 3687 NFT_SET_EVAL) 3688 3689 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 3690 { 3691 return (flags & type->features) == (flags & NFT_SET_FEATURES); 3692 } 3693 3694 /* 3695 * Select a set implementation based on the data characteristics and the 3696 * given policy. The total memory use might not be known if no size is 3697 * given, in that case the amount of memory per element is used. 3698 */ 3699 static const struct nft_set_ops * 3700 nft_select_set_ops(const struct nft_ctx *ctx, 3701 const struct nlattr * const nla[], 3702 const struct nft_set_desc *desc, 3703 enum nft_set_policies policy) 3704 { 3705 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3706 const struct nft_set_ops *ops, *bops; 3707 struct nft_set_estimate est, best; 3708 const struct nft_set_type *type; 3709 u32 flags = 0; 3710 int i; 3711 3712 lockdep_assert_held(&nft_net->commit_mutex); 3713 lockdep_nfnl_nft_mutex_not_held(); 3714 3715 if (nla[NFTA_SET_FLAGS] != NULL) 3716 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 3717 3718 bops = NULL; 3719 best.size = ~0; 3720 best.lookup = ~0; 3721 best.space = ~0; 3722 3723 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 3724 type = nft_set_types[i]; 3725 ops = &type->ops; 3726 3727 if (!nft_set_ops_candidate(type, flags)) 3728 continue; 3729 if (!ops->estimate(desc, flags, &est)) 3730 continue; 3731 3732 switch (policy) { 3733 case NFT_SET_POL_PERFORMANCE: 3734 if (est.lookup < best.lookup) 3735 break; 3736 if (est.lookup == best.lookup && 3737 est.space < best.space) 3738 break; 3739 continue; 3740 case NFT_SET_POL_MEMORY: 3741 if (!desc->size) { 3742 if (est.space < best.space) 3743 break; 3744 if (est.space == best.space && 3745 est.lookup < best.lookup) 3746 break; 3747 } else if (est.size < best.size || !bops) { 3748 break; 3749 } 3750 continue; 3751 default: 3752 break; 3753 } 3754 3755 bops = ops; 3756 best = est; 3757 } 3758 3759 if (bops != NULL) 3760 return bops; 3761 3762 return ERR_PTR(-EOPNOTSUPP); 3763 } 3764 3765 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 3766 [NFTA_SET_TABLE] = { .type = NLA_STRING, 3767 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3768 [NFTA_SET_NAME] = { .type = NLA_STRING, 3769 .len = NFT_SET_MAXNAMELEN - 1 }, 3770 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 3771 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 3772 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 3773 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 3774 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 3775 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 3776 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 3777 [NFTA_SET_ID] = { .type = NLA_U32 }, 3778 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 3779 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 3780 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 3781 .len = NFT_USERDATA_MAXLEN }, 3782 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 3783 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 3784 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 3785 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED }, 3786 }; 3787 3788 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 3789 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 3790 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED }, 3791 }; 3792 3793 static struct nft_set *nft_set_lookup(const struct nft_table *table, 3794 const struct nlattr *nla, u8 genmask) 3795 { 3796 struct nft_set *set; 3797 3798 if (nla == NULL) 3799 return ERR_PTR(-EINVAL); 3800 3801 list_for_each_entry_rcu(set, &table->sets, list) { 3802 if (!nla_strcmp(nla, set->name) && 3803 nft_active_genmask(set, genmask)) 3804 return set; 3805 } 3806 return ERR_PTR(-ENOENT); 3807 } 3808 3809 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 3810 const struct nlattr *nla, 3811 u8 genmask) 3812 { 3813 struct nft_set *set; 3814 3815 list_for_each_entry(set, &table->sets, list) { 3816 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 3817 nft_active_genmask(set, genmask)) 3818 return set; 3819 } 3820 return ERR_PTR(-ENOENT); 3821 } 3822 3823 static struct nft_set *nft_set_lookup_byid(const struct net *net, 3824 const struct nlattr *nla, u8 genmask) 3825 { 3826 struct nftables_pernet *nft_net = nft_pernet(net); 3827 u32 id = ntohl(nla_get_be32(nla)); 3828 struct nft_trans *trans; 3829 3830 list_for_each_entry(trans, &nft_net->commit_list, list) { 3831 if (trans->msg_type == NFT_MSG_NEWSET) { 3832 struct nft_set *set = nft_trans_set(trans); 3833 3834 if (id == nft_trans_set_id(trans) && 3835 nft_active_genmask(set, genmask)) 3836 return set; 3837 } 3838 } 3839 return ERR_PTR(-ENOENT); 3840 } 3841 3842 struct nft_set *nft_set_lookup_global(const struct net *net, 3843 const struct nft_table *table, 3844 const struct nlattr *nla_set_name, 3845 const struct nlattr *nla_set_id, 3846 u8 genmask) 3847 { 3848 struct nft_set *set; 3849 3850 set = nft_set_lookup(table, nla_set_name, genmask); 3851 if (IS_ERR(set)) { 3852 if (!nla_set_id) 3853 return set; 3854 3855 set = nft_set_lookup_byid(net, nla_set_id, genmask); 3856 } 3857 return set; 3858 } 3859 EXPORT_SYMBOL_GPL(nft_set_lookup_global); 3860 3861 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 3862 const char *name) 3863 { 3864 const struct nft_set *i; 3865 const char *p; 3866 unsigned long *inuse; 3867 unsigned int n = 0, min = 0; 3868 3869 p = strchr(name, '%'); 3870 if (p != NULL) { 3871 if (p[1] != 'd' || strchr(p + 2, '%')) 3872 return -EINVAL; 3873 3874 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 3875 if (inuse == NULL) 3876 return -ENOMEM; 3877 cont: 3878 list_for_each_entry(i, &ctx->table->sets, list) { 3879 int tmp; 3880 3881 if (!nft_is_active_next(ctx->net, set)) 3882 continue; 3883 if (!sscanf(i->name, name, &tmp)) 3884 continue; 3885 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 3886 continue; 3887 3888 set_bit(tmp - min, inuse); 3889 } 3890 3891 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 3892 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 3893 min += BITS_PER_BYTE * PAGE_SIZE; 3894 memset(inuse, 0, PAGE_SIZE); 3895 goto cont; 3896 } 3897 free_page((unsigned long)inuse); 3898 } 3899 3900 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n); 3901 if (!set->name) 3902 return -ENOMEM; 3903 3904 list_for_each_entry(i, &ctx->table->sets, list) { 3905 if (!nft_is_active_next(ctx->net, i)) 3906 continue; 3907 if (!strcmp(set->name, i->name)) { 3908 kfree(set->name); 3909 set->name = NULL; 3910 return -ENFILE; 3911 } 3912 } 3913 return 0; 3914 } 3915 3916 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 3917 { 3918 u64 ms = be64_to_cpu(nla_get_be64(nla)); 3919 u64 max = (u64)(~((u64)0)); 3920 3921 max = div_u64(max, NSEC_PER_MSEC); 3922 if (ms >= max) 3923 return -ERANGE; 3924 3925 ms *= NSEC_PER_MSEC; 3926 *result = nsecs_to_jiffies64(ms); 3927 return 0; 3928 } 3929 3930 __be64 nf_jiffies64_to_msecs(u64 input) 3931 { 3932 return cpu_to_be64(jiffies64_to_msecs(input)); 3933 } 3934 3935 static int nf_tables_fill_set_concat(struct sk_buff *skb, 3936 const struct nft_set *set) 3937 { 3938 struct nlattr *concat, *field; 3939 int i; 3940 3941 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 3942 if (!concat) 3943 return -ENOMEM; 3944 3945 for (i = 0; i < set->field_count; i++) { 3946 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 3947 if (!field) 3948 return -ENOMEM; 3949 3950 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 3951 htonl(set->field_len[i]))) 3952 return -ENOMEM; 3953 3954 nla_nest_end(skb, field); 3955 } 3956 3957 nla_nest_end(skb, concat); 3958 3959 return 0; 3960 } 3961 3962 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 3963 const struct nft_set *set, u16 event, u16 flags) 3964 { 3965 struct nlmsghdr *nlh; 3966 u32 portid = ctx->portid; 3967 struct nlattr *nest; 3968 u32 seq = ctx->seq; 3969 int i; 3970 3971 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3972 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 3973 NFNETLINK_V0, nft_base_seq(ctx->net)); 3974 if (!nlh) 3975 goto nla_put_failure; 3976 3977 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 3978 goto nla_put_failure; 3979 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 3980 goto nla_put_failure; 3981 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 3982 NFTA_SET_PAD)) 3983 goto nla_put_failure; 3984 if (set->flags != 0) 3985 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 3986 goto nla_put_failure; 3987 3988 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 3989 goto nla_put_failure; 3990 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 3991 goto nla_put_failure; 3992 if (set->flags & NFT_SET_MAP) { 3993 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 3994 goto nla_put_failure; 3995 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 3996 goto nla_put_failure; 3997 } 3998 if (set->flags & NFT_SET_OBJECT && 3999 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 4000 goto nla_put_failure; 4001 4002 if (set->timeout && 4003 nla_put_be64(skb, NFTA_SET_TIMEOUT, 4004 nf_jiffies64_to_msecs(set->timeout), 4005 NFTA_SET_PAD)) 4006 goto nla_put_failure; 4007 if (set->gc_int && 4008 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int))) 4009 goto nla_put_failure; 4010 4011 if (set->policy != NFT_SET_POL_PERFORMANCE) { 4012 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 4013 goto nla_put_failure; 4014 } 4015 4016 if (set->udata && 4017 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 4018 goto nla_put_failure; 4019 4020 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 4021 if (!nest) 4022 goto nla_put_failure; 4023 if (set->size && 4024 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 4025 goto nla_put_failure; 4026 4027 if (set->field_count > 1 && 4028 nf_tables_fill_set_concat(skb, set)) 4029 goto nla_put_failure; 4030 4031 nla_nest_end(skb, nest); 4032 4033 if (set->num_exprs == 1) { 4034 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 4035 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0) 4036 goto nla_put_failure; 4037 4038 nla_nest_end(skb, nest); 4039 } else if (set->num_exprs > 1) { 4040 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS); 4041 if (nest == NULL) 4042 goto nla_put_failure; 4043 4044 for (i = 0; i < set->num_exprs; i++) { 4045 if (nft_expr_dump(skb, NFTA_LIST_ELEM, 4046 set->exprs[i]) < 0) 4047 goto nla_put_failure; 4048 } 4049 nla_nest_end(skb, nest); 4050 } 4051 4052 nlmsg_end(skb, nlh); 4053 return 0; 4054 4055 nla_put_failure: 4056 nlmsg_trim(skb, nlh); 4057 return -1; 4058 } 4059 4060 static void nf_tables_set_notify(const struct nft_ctx *ctx, 4061 const struct nft_set *set, int event, 4062 gfp_t gfp_flags) 4063 { 4064 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 4065 u32 portid = ctx->portid; 4066 struct sk_buff *skb; 4067 u16 flags = 0; 4068 int err; 4069 4070 if (!ctx->report && 4071 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 4072 return; 4073 4074 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 4075 if (skb == NULL) 4076 goto err; 4077 4078 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 4079 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 4080 4081 err = nf_tables_fill_set(skb, ctx, set, event, flags); 4082 if (err < 0) { 4083 kfree_skb(skb); 4084 goto err; 4085 } 4086 4087 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 4088 return; 4089 err: 4090 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 4091 } 4092 4093 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 4094 { 4095 const struct nft_set *set; 4096 unsigned int idx, s_idx = cb->args[0]; 4097 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 4098 struct net *net = sock_net(skb->sk); 4099 struct nft_ctx *ctx = cb->data, ctx_set; 4100 struct nftables_pernet *nft_net; 4101 4102 if (cb->args[1]) 4103 return skb->len; 4104 4105 rcu_read_lock(); 4106 nft_net = nft_pernet(net); 4107 cb->seq = nft_net->base_seq; 4108 4109 list_for_each_entry_rcu(table, &nft_net->tables, list) { 4110 if (ctx->family != NFPROTO_UNSPEC && 4111 ctx->family != table->family) 4112 continue; 4113 4114 if (ctx->table && ctx->table != table) 4115 continue; 4116 4117 if (cur_table) { 4118 if (cur_table != table) 4119 continue; 4120 4121 cur_table = NULL; 4122 } 4123 idx = 0; 4124 list_for_each_entry_rcu(set, &table->sets, list) { 4125 if (idx < s_idx) 4126 goto cont; 4127 if (!nft_is_active(net, set)) 4128 goto cont; 4129 4130 ctx_set = *ctx; 4131 ctx_set.table = table; 4132 ctx_set.family = table->family; 4133 4134 if (nf_tables_fill_set(skb, &ctx_set, set, 4135 NFT_MSG_NEWSET, 4136 NLM_F_MULTI) < 0) { 4137 cb->args[0] = idx; 4138 cb->args[2] = (unsigned long) table; 4139 goto done; 4140 } 4141 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 4142 cont: 4143 idx++; 4144 } 4145 if (s_idx) 4146 s_idx = 0; 4147 } 4148 cb->args[1] = 1; 4149 done: 4150 rcu_read_unlock(); 4151 return skb->len; 4152 } 4153 4154 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 4155 { 4156 struct nft_ctx *ctx_dump = NULL; 4157 4158 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 4159 if (ctx_dump == NULL) 4160 return -ENOMEM; 4161 4162 cb->data = ctx_dump; 4163 return 0; 4164 } 4165 4166 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 4167 { 4168 kfree(cb->data); 4169 return 0; 4170 } 4171 4172 /* called with rcu_read_lock held */ 4173 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info, 4174 const struct nlattr * const nla[]) 4175 { 4176 struct netlink_ext_ack *extack = info->extack; 4177 u8 genmask = nft_genmask_cur(info->net); 4178 u8 family = info->nfmsg->nfgen_family; 4179 struct nft_table *table = NULL; 4180 struct net *net = info->net; 4181 const struct nft_set *set; 4182 struct sk_buff *skb2; 4183 struct nft_ctx ctx; 4184 int err; 4185 4186 if (nla[NFTA_SET_TABLE]) { 4187 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 4188 genmask, 0); 4189 if (IS_ERR(table)) { 4190 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4191 return PTR_ERR(table); 4192 } 4193 } 4194 4195 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4196 4197 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 4198 struct netlink_dump_control c = { 4199 .start = nf_tables_dump_sets_start, 4200 .dump = nf_tables_dump_sets, 4201 .done = nf_tables_dump_sets_done, 4202 .data = &ctx, 4203 .module = THIS_MODULE, 4204 }; 4205 4206 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 4207 } 4208 4209 /* Only accept unspec with dump */ 4210 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 4211 return -EAFNOSUPPORT; 4212 if (!nla[NFTA_SET_TABLE]) 4213 return -EINVAL; 4214 4215 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4216 if (IS_ERR(set)) 4217 return PTR_ERR(set); 4218 4219 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 4220 if (skb2 == NULL) 4221 return -ENOMEM; 4222 4223 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 4224 if (err < 0) 4225 goto err_fill_set_info; 4226 4227 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 4228 4229 err_fill_set_info: 4230 kfree_skb(skb2); 4231 return err; 4232 } 4233 4234 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 4235 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 4236 }; 4237 4238 static int nft_set_desc_concat_parse(const struct nlattr *attr, 4239 struct nft_set_desc *desc) 4240 { 4241 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 4242 u32 len; 4243 int err; 4244 4245 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 4246 nft_concat_policy, NULL); 4247 if (err < 0) 4248 return err; 4249 4250 if (!tb[NFTA_SET_FIELD_LEN]) 4251 return -EINVAL; 4252 4253 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 4254 4255 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT) 4256 return -E2BIG; 4257 4258 desc->field_len[desc->field_count++] = len; 4259 4260 return 0; 4261 } 4262 4263 static int nft_set_desc_concat(struct nft_set_desc *desc, 4264 const struct nlattr *nla) 4265 { 4266 struct nlattr *attr; 4267 int rem, err; 4268 4269 nla_for_each_nested(attr, nla, rem) { 4270 if (nla_type(attr) != NFTA_LIST_ELEM) 4271 return -EINVAL; 4272 4273 err = nft_set_desc_concat_parse(attr, desc); 4274 if (err < 0) 4275 return err; 4276 } 4277 4278 return 0; 4279 } 4280 4281 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 4282 const struct nlattr *nla) 4283 { 4284 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 4285 int err; 4286 4287 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 4288 nft_set_desc_policy, NULL); 4289 if (err < 0) 4290 return err; 4291 4292 if (da[NFTA_SET_DESC_SIZE] != NULL) 4293 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 4294 if (da[NFTA_SET_DESC_CONCAT]) 4295 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 4296 4297 return err; 4298 } 4299 4300 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 4301 const struct nlattr * const nla[]) 4302 { 4303 u32 ktype, dtype, flags, policy, gc_int, objtype; 4304 struct netlink_ext_ack *extack = info->extack; 4305 u8 genmask = nft_genmask_next(info->net); 4306 u8 family = info->nfmsg->nfgen_family; 4307 const struct nft_set_ops *ops; 4308 struct nft_expr *expr = NULL; 4309 struct net *net = info->net; 4310 struct nft_set_desc desc; 4311 struct nft_table *table; 4312 unsigned char *udata; 4313 struct nft_set *set; 4314 struct nft_ctx ctx; 4315 size_t alloc_size; 4316 u64 timeout; 4317 char *name; 4318 int err, i; 4319 u16 udlen; 4320 u64 size; 4321 4322 if (nla[NFTA_SET_TABLE] == NULL || 4323 nla[NFTA_SET_NAME] == NULL || 4324 nla[NFTA_SET_KEY_LEN] == NULL || 4325 nla[NFTA_SET_ID] == NULL) 4326 return -EINVAL; 4327 4328 memset(&desc, 0, sizeof(desc)); 4329 4330 ktype = NFT_DATA_VALUE; 4331 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 4332 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 4333 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 4334 return -EINVAL; 4335 } 4336 4337 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 4338 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 4339 return -EINVAL; 4340 4341 flags = 0; 4342 if (nla[NFTA_SET_FLAGS] != NULL) { 4343 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 4344 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 4345 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 4346 NFT_SET_MAP | NFT_SET_EVAL | 4347 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR)) 4348 return -EOPNOTSUPP; 4349 /* Only one of these operations is supported */ 4350 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 4351 (NFT_SET_MAP | NFT_SET_OBJECT)) 4352 return -EOPNOTSUPP; 4353 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 4354 (NFT_SET_EVAL | NFT_SET_OBJECT)) 4355 return -EOPNOTSUPP; 4356 } 4357 4358 dtype = 0; 4359 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 4360 if (!(flags & NFT_SET_MAP)) 4361 return -EINVAL; 4362 4363 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 4364 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 4365 dtype != NFT_DATA_VERDICT) 4366 return -EINVAL; 4367 4368 if (dtype != NFT_DATA_VERDICT) { 4369 if (nla[NFTA_SET_DATA_LEN] == NULL) 4370 return -EINVAL; 4371 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 4372 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 4373 return -EINVAL; 4374 } else 4375 desc.dlen = sizeof(struct nft_verdict); 4376 } else if (flags & NFT_SET_MAP) 4377 return -EINVAL; 4378 4379 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 4380 if (!(flags & NFT_SET_OBJECT)) 4381 return -EINVAL; 4382 4383 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 4384 if (objtype == NFT_OBJECT_UNSPEC || 4385 objtype > NFT_OBJECT_MAX) 4386 return -EOPNOTSUPP; 4387 } else if (flags & NFT_SET_OBJECT) 4388 return -EINVAL; 4389 else 4390 objtype = NFT_OBJECT_UNSPEC; 4391 4392 timeout = 0; 4393 if (nla[NFTA_SET_TIMEOUT] != NULL) { 4394 if (!(flags & NFT_SET_TIMEOUT)) 4395 return -EINVAL; 4396 4397 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout); 4398 if (err) 4399 return err; 4400 } 4401 gc_int = 0; 4402 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 4403 if (!(flags & NFT_SET_TIMEOUT)) 4404 return -EINVAL; 4405 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 4406 } 4407 4408 policy = NFT_SET_POL_PERFORMANCE; 4409 if (nla[NFTA_SET_POLICY] != NULL) 4410 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 4411 4412 if (nla[NFTA_SET_DESC] != NULL) { 4413 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 4414 if (err < 0) 4415 return err; 4416 } 4417 4418 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS]) 4419 desc.expr = true; 4420 4421 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask, 4422 NETLINK_CB(skb).portid); 4423 if (IS_ERR(table)) { 4424 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4425 return PTR_ERR(table); 4426 } 4427 4428 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4429 4430 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4431 if (IS_ERR(set)) { 4432 if (PTR_ERR(set) != -ENOENT) { 4433 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4434 return PTR_ERR(set); 4435 } 4436 } else { 4437 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 4438 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4439 return -EEXIST; 4440 } 4441 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 4442 return -EOPNOTSUPP; 4443 4444 return 0; 4445 } 4446 4447 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) 4448 return -ENOENT; 4449 4450 ops = nft_select_set_ops(&ctx, nla, &desc, policy); 4451 if (IS_ERR(ops)) 4452 return PTR_ERR(ops); 4453 4454 udlen = 0; 4455 if (nla[NFTA_SET_USERDATA]) 4456 udlen = nla_len(nla[NFTA_SET_USERDATA]); 4457 4458 size = 0; 4459 if (ops->privsize != NULL) 4460 size = ops->privsize(nla, &desc); 4461 alloc_size = sizeof(*set) + size + udlen; 4462 if (alloc_size < size || alloc_size > INT_MAX) 4463 return -ENOMEM; 4464 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT); 4465 if (!set) 4466 return -ENOMEM; 4467 4468 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT); 4469 if (!name) { 4470 err = -ENOMEM; 4471 goto err_set_name; 4472 } 4473 4474 err = nf_tables_set_alloc_name(&ctx, set, name); 4475 kfree(name); 4476 if (err < 0) 4477 goto err_set_name; 4478 4479 udata = NULL; 4480 if (udlen) { 4481 udata = set->data + size; 4482 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 4483 } 4484 4485 INIT_LIST_HEAD(&set->bindings); 4486 INIT_LIST_HEAD(&set->catchall_list); 4487 set->table = table; 4488 write_pnet(&set->net, net); 4489 set->ops = ops; 4490 set->ktype = ktype; 4491 set->klen = desc.klen; 4492 set->dtype = dtype; 4493 set->objtype = objtype; 4494 set->dlen = desc.dlen; 4495 set->flags = flags; 4496 set->size = desc.size; 4497 set->policy = policy; 4498 set->udlen = udlen; 4499 set->udata = udata; 4500 set->timeout = timeout; 4501 set->gc_int = gc_int; 4502 4503 set->field_count = desc.field_count; 4504 for (i = 0; i < desc.field_count; i++) 4505 set->field_len[i] = desc.field_len[i]; 4506 4507 err = ops->init(set, &desc, nla); 4508 if (err < 0) 4509 goto err_set_init; 4510 4511 if (nla[NFTA_SET_EXPR]) { 4512 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]); 4513 if (IS_ERR(expr)) { 4514 err = PTR_ERR(expr); 4515 goto err_set_expr_alloc; 4516 } 4517 set->exprs[0] = expr; 4518 set->num_exprs++; 4519 } else if (nla[NFTA_SET_EXPRESSIONS]) { 4520 struct nft_expr *expr; 4521 struct nlattr *tmp; 4522 int left; 4523 4524 if (!(flags & NFT_SET_EXPR)) { 4525 err = -EINVAL; 4526 goto err_set_expr_alloc; 4527 } 4528 i = 0; 4529 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) { 4530 if (i == NFT_SET_EXPR_MAX) { 4531 err = -E2BIG; 4532 goto err_set_expr_alloc; 4533 } 4534 if (nla_type(tmp) != NFTA_LIST_ELEM) { 4535 err = -EINVAL; 4536 goto err_set_expr_alloc; 4537 } 4538 expr = nft_set_elem_expr_alloc(&ctx, set, tmp); 4539 if (IS_ERR(expr)) { 4540 err = PTR_ERR(expr); 4541 goto err_set_expr_alloc; 4542 } 4543 set->exprs[i++] = expr; 4544 set->num_exprs++; 4545 } 4546 } 4547 4548 set->handle = nf_tables_alloc_handle(table); 4549 4550 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 4551 if (err < 0) 4552 goto err_set_expr_alloc; 4553 4554 list_add_tail_rcu(&set->list, &table->sets); 4555 table->use++; 4556 return 0; 4557 4558 err_set_expr_alloc: 4559 for (i = 0; i < set->num_exprs; i++) 4560 nft_expr_destroy(&ctx, set->exprs[i]); 4561 4562 ops->destroy(set); 4563 err_set_init: 4564 kfree(set->name); 4565 err_set_name: 4566 kvfree(set); 4567 return err; 4568 } 4569 4570 struct nft_set_elem_catchall { 4571 struct list_head list; 4572 struct rcu_head rcu; 4573 void *elem; 4574 }; 4575 4576 static void nft_set_catchall_destroy(const struct nft_ctx *ctx, 4577 struct nft_set *set) 4578 { 4579 struct nft_set_elem_catchall *next, *catchall; 4580 4581 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 4582 list_del_rcu(&catchall->list); 4583 nft_set_elem_destroy(set, catchall->elem, true); 4584 kfree_rcu(catchall, rcu); 4585 } 4586 } 4587 4588 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 4589 { 4590 int i; 4591 4592 if (WARN_ON(set->use > 0)) 4593 return; 4594 4595 for (i = 0; i < set->num_exprs; i++) 4596 nft_expr_destroy(ctx, set->exprs[i]); 4597 4598 set->ops->destroy(set); 4599 nft_set_catchall_destroy(ctx, set); 4600 kfree(set->name); 4601 kvfree(set); 4602 } 4603 4604 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info, 4605 const struct nlattr * const nla[]) 4606 { 4607 struct netlink_ext_ack *extack = info->extack; 4608 u8 genmask = nft_genmask_next(info->net); 4609 u8 family = info->nfmsg->nfgen_family; 4610 struct net *net = info->net; 4611 const struct nlattr *attr; 4612 struct nft_table *table; 4613 struct nft_set *set; 4614 struct nft_ctx ctx; 4615 4616 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 4617 return -EAFNOSUPPORT; 4618 4619 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 4620 genmask, NETLINK_CB(skb).portid); 4621 if (IS_ERR(table)) { 4622 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4623 return PTR_ERR(table); 4624 } 4625 4626 if (nla[NFTA_SET_HANDLE]) { 4627 attr = nla[NFTA_SET_HANDLE]; 4628 set = nft_set_lookup_byhandle(table, attr, genmask); 4629 } else { 4630 attr = nla[NFTA_SET_NAME]; 4631 set = nft_set_lookup(table, attr, genmask); 4632 } 4633 4634 if (IS_ERR(set)) { 4635 NL_SET_BAD_ATTR(extack, attr); 4636 return PTR_ERR(set); 4637 } 4638 if (set->use || 4639 (info->nlh->nlmsg_flags & NLM_F_NONREC && 4640 atomic_read(&set->nelems) > 0)) { 4641 NL_SET_BAD_ATTR(extack, attr); 4642 return -EBUSY; 4643 } 4644 4645 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4646 4647 return nft_delset(&ctx, set); 4648 } 4649 4650 static int nft_validate_register_store(const struct nft_ctx *ctx, 4651 enum nft_registers reg, 4652 const struct nft_data *data, 4653 enum nft_data_types type, 4654 unsigned int len); 4655 4656 static int nft_setelem_data_validate(const struct nft_ctx *ctx, 4657 struct nft_set *set, 4658 struct nft_set_elem *elem) 4659 { 4660 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4661 enum nft_registers dreg; 4662 4663 dreg = nft_type_to_reg(set->dtype); 4664 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 4665 set->dtype == NFT_DATA_VERDICT ? 4666 NFT_DATA_VERDICT : NFT_DATA_VALUE, 4667 set->dlen); 4668 } 4669 4670 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 4671 struct nft_set *set, 4672 const struct nft_set_iter *iter, 4673 struct nft_set_elem *elem) 4674 { 4675 return nft_setelem_data_validate(ctx, set, elem); 4676 } 4677 4678 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx, 4679 struct nft_set *set) 4680 { 4681 u8 genmask = nft_genmask_next(ctx->net); 4682 struct nft_set_elem_catchall *catchall; 4683 struct nft_set_elem elem; 4684 struct nft_set_ext *ext; 4685 int ret = 0; 4686 4687 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 4688 ext = nft_set_elem_ext(set, catchall->elem); 4689 if (!nft_set_elem_active(ext, genmask)) 4690 continue; 4691 4692 elem.priv = catchall->elem; 4693 ret = nft_setelem_data_validate(ctx, set, &elem); 4694 if (ret < 0) 4695 break; 4696 } 4697 4698 return ret; 4699 } 4700 4701 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 4702 struct nft_set_binding *binding) 4703 { 4704 struct nft_set_binding *i; 4705 struct nft_set_iter iter; 4706 4707 if (set->use == UINT_MAX) 4708 return -EOVERFLOW; 4709 4710 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4711 return -EBUSY; 4712 4713 if (binding->flags & NFT_SET_MAP) { 4714 /* If the set is already bound to the same chain all 4715 * jumps are already validated for that chain. 4716 */ 4717 list_for_each_entry(i, &set->bindings, list) { 4718 if (i->flags & NFT_SET_MAP && 4719 i->chain == binding->chain) 4720 goto bind; 4721 } 4722 4723 iter.genmask = nft_genmask_next(ctx->net); 4724 iter.skip = 0; 4725 iter.count = 0; 4726 iter.err = 0; 4727 iter.fn = nf_tables_bind_check_setelem; 4728 4729 set->ops->walk(ctx, set, &iter); 4730 if (!iter.err) 4731 iter.err = nft_set_catchall_bind_check(ctx, set); 4732 4733 if (iter.err < 0) 4734 return iter.err; 4735 } 4736 bind: 4737 binding->chain = ctx->chain; 4738 list_add_tail_rcu(&binding->list, &set->bindings); 4739 nft_set_trans_bind(ctx, set); 4740 set->use++; 4741 4742 return 0; 4743 } 4744 EXPORT_SYMBOL_GPL(nf_tables_bind_set); 4745 4746 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 4747 struct nft_set_binding *binding, bool event) 4748 { 4749 list_del_rcu(&binding->list); 4750 4751 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 4752 list_del_rcu(&set->list); 4753 if (event) 4754 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 4755 GFP_KERNEL); 4756 } 4757 } 4758 4759 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 4760 struct nft_set_binding *binding, 4761 enum nft_trans_phase phase) 4762 { 4763 switch (phase) { 4764 case NFT_TRANS_PREPARE: 4765 set->use--; 4766 return; 4767 case NFT_TRANS_ABORT: 4768 case NFT_TRANS_RELEASE: 4769 set->use--; 4770 fallthrough; 4771 default: 4772 nf_tables_unbind_set(ctx, set, binding, 4773 phase == NFT_TRANS_COMMIT); 4774 } 4775 } 4776 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 4777 4778 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 4779 { 4780 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4781 nft_set_destroy(ctx, set); 4782 } 4783 EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 4784 4785 const struct nft_set_ext_type nft_set_ext_types[] = { 4786 [NFT_SET_EXT_KEY] = { 4787 .align = __alignof__(u32), 4788 }, 4789 [NFT_SET_EXT_DATA] = { 4790 .align = __alignof__(u32), 4791 }, 4792 [NFT_SET_EXT_EXPRESSIONS] = { 4793 .align = __alignof__(struct nft_set_elem_expr), 4794 }, 4795 [NFT_SET_EXT_OBJREF] = { 4796 .len = sizeof(struct nft_object *), 4797 .align = __alignof__(struct nft_object *), 4798 }, 4799 [NFT_SET_EXT_FLAGS] = { 4800 .len = sizeof(u8), 4801 .align = __alignof__(u8), 4802 }, 4803 [NFT_SET_EXT_TIMEOUT] = { 4804 .len = sizeof(u64), 4805 .align = __alignof__(u64), 4806 }, 4807 [NFT_SET_EXT_EXPIRATION] = { 4808 .len = sizeof(u64), 4809 .align = __alignof__(u64), 4810 }, 4811 [NFT_SET_EXT_USERDATA] = { 4812 .len = sizeof(struct nft_userdata), 4813 .align = __alignof__(struct nft_userdata), 4814 }, 4815 [NFT_SET_EXT_KEY_END] = { 4816 .align = __alignof__(u32), 4817 }, 4818 }; 4819 4820 /* 4821 * Set elements 4822 */ 4823 4824 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 4825 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 4826 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 4827 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 4828 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 4829 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 4830 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 4831 .len = NFT_USERDATA_MAXLEN }, 4832 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 4833 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 4834 .len = NFT_OBJ_MAXNAMELEN - 1 }, 4835 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 4836 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED }, 4837 }; 4838 4839 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 4840 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 4841 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4842 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 4843 .len = NFT_SET_MAXNAMELEN - 1 }, 4844 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED }, 4845 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 4846 }; 4847 4848 static int nft_set_elem_expr_dump(struct sk_buff *skb, 4849 const struct nft_set *set, 4850 const struct nft_set_ext *ext) 4851 { 4852 struct nft_set_elem_expr *elem_expr; 4853 u32 size, num_exprs = 0; 4854 struct nft_expr *expr; 4855 struct nlattr *nest; 4856 4857 elem_expr = nft_set_ext_expr(ext); 4858 nft_setelem_expr_foreach(expr, elem_expr, size) 4859 num_exprs++; 4860 4861 if (num_exprs == 1) { 4862 expr = nft_setelem_expr_at(elem_expr, 0); 4863 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0) 4864 return -1; 4865 4866 return 0; 4867 } else if (num_exprs > 1) { 4868 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS); 4869 if (nest == NULL) 4870 goto nla_put_failure; 4871 4872 nft_setelem_expr_foreach(expr, elem_expr, size) { 4873 expr = nft_setelem_expr_at(elem_expr, size); 4874 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 4875 goto nla_put_failure; 4876 } 4877 nla_nest_end(skb, nest); 4878 } 4879 return 0; 4880 4881 nla_put_failure: 4882 return -1; 4883 } 4884 4885 static int nf_tables_fill_setelem(struct sk_buff *skb, 4886 const struct nft_set *set, 4887 const struct nft_set_elem *elem) 4888 { 4889 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4890 unsigned char *b = skb_tail_pointer(skb); 4891 struct nlattr *nest; 4892 4893 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4894 if (nest == NULL) 4895 goto nla_put_failure; 4896 4897 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 4898 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 4899 NFT_DATA_VALUE, set->klen) < 0) 4900 goto nla_put_failure; 4901 4902 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 4903 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 4904 NFT_DATA_VALUE, set->klen) < 0) 4905 goto nla_put_failure; 4906 4907 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 4908 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 4909 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, 4910 set->dlen) < 0) 4911 goto nla_put_failure; 4912 4913 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) && 4914 nft_set_elem_expr_dump(skb, set, ext)) 4915 goto nla_put_failure; 4916 4917 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 4918 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 4919 (*nft_set_ext_obj(ext))->key.name) < 0) 4920 goto nla_put_failure; 4921 4922 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 4923 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 4924 htonl(*nft_set_ext_flags(ext)))) 4925 goto nla_put_failure; 4926 4927 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 4928 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 4929 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)), 4930 NFTA_SET_ELEM_PAD)) 4931 goto nla_put_failure; 4932 4933 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 4934 u64 expires, now = get_jiffies_64(); 4935 4936 expires = *nft_set_ext_expiration(ext); 4937 if (time_before64(now, expires)) 4938 expires -= now; 4939 else 4940 expires = 0; 4941 4942 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 4943 nf_jiffies64_to_msecs(expires), 4944 NFTA_SET_ELEM_PAD)) 4945 goto nla_put_failure; 4946 } 4947 4948 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 4949 struct nft_userdata *udata; 4950 4951 udata = nft_set_ext_userdata(ext); 4952 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 4953 udata->len + 1, udata->data)) 4954 goto nla_put_failure; 4955 } 4956 4957 nla_nest_end(skb, nest); 4958 return 0; 4959 4960 nla_put_failure: 4961 nlmsg_trim(skb, b); 4962 return -EMSGSIZE; 4963 } 4964 4965 struct nft_set_dump_args { 4966 const struct netlink_callback *cb; 4967 struct nft_set_iter iter; 4968 struct sk_buff *skb; 4969 }; 4970 4971 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 4972 struct nft_set *set, 4973 const struct nft_set_iter *iter, 4974 struct nft_set_elem *elem) 4975 { 4976 struct nft_set_dump_args *args; 4977 4978 args = container_of(iter, struct nft_set_dump_args, iter); 4979 return nf_tables_fill_setelem(args->skb, set, elem); 4980 } 4981 4982 struct nft_set_dump_ctx { 4983 const struct nft_set *set; 4984 struct nft_ctx ctx; 4985 }; 4986 4987 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb, 4988 const struct nft_set *set) 4989 { 4990 struct nft_set_elem_catchall *catchall; 4991 u8 genmask = nft_genmask_cur(net); 4992 struct nft_set_elem elem; 4993 struct nft_set_ext *ext; 4994 int ret = 0; 4995 4996 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 4997 ext = nft_set_elem_ext(set, catchall->elem); 4998 if (!nft_set_elem_active(ext, genmask) || 4999 nft_set_elem_expired(ext)) 5000 continue; 5001 5002 elem.priv = catchall->elem; 5003 ret = nf_tables_fill_setelem(skb, set, &elem); 5004 break; 5005 } 5006 5007 return ret; 5008 } 5009 5010 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 5011 { 5012 struct nft_set_dump_ctx *dump_ctx = cb->data; 5013 struct net *net = sock_net(skb->sk); 5014 struct nftables_pernet *nft_net; 5015 struct nft_table *table; 5016 struct nft_set *set; 5017 struct nft_set_dump_args args; 5018 bool set_found = false; 5019 struct nlmsghdr *nlh; 5020 struct nlattr *nest; 5021 u32 portid, seq; 5022 int event; 5023 5024 rcu_read_lock(); 5025 nft_net = nft_pernet(net); 5026 list_for_each_entry_rcu(table, &nft_net->tables, list) { 5027 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 5028 dump_ctx->ctx.family != table->family) 5029 continue; 5030 5031 if (table != dump_ctx->ctx.table) 5032 continue; 5033 5034 list_for_each_entry_rcu(set, &table->sets, list) { 5035 if (set == dump_ctx->set) { 5036 set_found = true; 5037 break; 5038 } 5039 } 5040 break; 5041 } 5042 5043 if (!set_found) { 5044 rcu_read_unlock(); 5045 return -ENOENT; 5046 } 5047 5048 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 5049 portid = NETLINK_CB(cb->skb).portid; 5050 seq = cb->nlh->nlmsg_seq; 5051 5052 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, 5053 table->family, NFNETLINK_V0, nft_base_seq(net)); 5054 if (!nlh) 5055 goto nla_put_failure; 5056 5057 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 5058 goto nla_put_failure; 5059 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 5060 goto nla_put_failure; 5061 5062 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 5063 if (nest == NULL) 5064 goto nla_put_failure; 5065 5066 args.cb = cb; 5067 args.skb = skb; 5068 args.iter.genmask = nft_genmask_cur(net); 5069 args.iter.skip = cb->args[0]; 5070 args.iter.count = 0; 5071 args.iter.err = 0; 5072 args.iter.fn = nf_tables_dump_setelem; 5073 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 5074 5075 if (!args.iter.err && args.iter.count == cb->args[0]) 5076 args.iter.err = nft_set_catchall_dump(net, skb, set); 5077 rcu_read_unlock(); 5078 5079 nla_nest_end(skb, nest); 5080 nlmsg_end(skb, nlh); 5081 5082 if (args.iter.err && args.iter.err != -EMSGSIZE) 5083 return args.iter.err; 5084 if (args.iter.count == cb->args[0]) 5085 return 0; 5086 5087 cb->args[0] = args.iter.count; 5088 return skb->len; 5089 5090 nla_put_failure: 5091 rcu_read_unlock(); 5092 return -ENOSPC; 5093 } 5094 5095 static int nf_tables_dump_set_start(struct netlink_callback *cb) 5096 { 5097 struct nft_set_dump_ctx *dump_ctx = cb->data; 5098 5099 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 5100 5101 return cb->data ? 0 : -ENOMEM; 5102 } 5103 5104 static int nf_tables_dump_set_done(struct netlink_callback *cb) 5105 { 5106 kfree(cb->data); 5107 return 0; 5108 } 5109 5110 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 5111 const struct nft_ctx *ctx, u32 seq, 5112 u32 portid, int event, u16 flags, 5113 const struct nft_set *set, 5114 const struct nft_set_elem *elem) 5115 { 5116 struct nlmsghdr *nlh; 5117 struct nlattr *nest; 5118 int err; 5119 5120 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 5121 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 5122 NFNETLINK_V0, nft_base_seq(ctx->net)); 5123 if (!nlh) 5124 goto nla_put_failure; 5125 5126 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 5127 goto nla_put_failure; 5128 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 5129 goto nla_put_failure; 5130 5131 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 5132 if (nest == NULL) 5133 goto nla_put_failure; 5134 5135 err = nf_tables_fill_setelem(skb, set, elem); 5136 if (err < 0) 5137 goto nla_put_failure; 5138 5139 nla_nest_end(skb, nest); 5140 5141 nlmsg_end(skb, nlh); 5142 return 0; 5143 5144 nla_put_failure: 5145 nlmsg_trim(skb, nlh); 5146 return -1; 5147 } 5148 5149 static int nft_setelem_parse_flags(const struct nft_set *set, 5150 const struct nlattr *attr, u32 *flags) 5151 { 5152 if (attr == NULL) 5153 return 0; 5154 5155 *flags = ntohl(nla_get_be32(attr)); 5156 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 5157 return -EOPNOTSUPP; 5158 if (!(set->flags & NFT_SET_INTERVAL) && 5159 *flags & NFT_SET_ELEM_INTERVAL_END) 5160 return -EINVAL; 5161 5162 return 0; 5163 } 5164 5165 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set, 5166 struct nft_data *key, struct nlattr *attr) 5167 { 5168 struct nft_data_desc desc; 5169 int err; 5170 5171 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr); 5172 if (err < 0) 5173 return err; 5174 5175 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) { 5176 nft_data_release(key, desc.type); 5177 return -EINVAL; 5178 } 5179 5180 return 0; 5181 } 5182 5183 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 5184 struct nft_data_desc *desc, 5185 struct nft_data *data, 5186 struct nlattr *attr) 5187 { 5188 int err; 5189 5190 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr); 5191 if (err < 0) 5192 return err; 5193 5194 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) { 5195 nft_data_release(data, desc->type); 5196 return -EINVAL; 5197 } 5198 5199 return 0; 5200 } 5201 5202 static void *nft_setelem_catchall_get(const struct net *net, 5203 const struct nft_set *set) 5204 { 5205 struct nft_set_elem_catchall *catchall; 5206 u8 genmask = nft_genmask_cur(net); 5207 struct nft_set_ext *ext; 5208 void *priv = NULL; 5209 5210 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5211 ext = nft_set_elem_ext(set, catchall->elem); 5212 if (!nft_set_elem_active(ext, genmask) || 5213 nft_set_elem_expired(ext)) 5214 continue; 5215 5216 priv = catchall->elem; 5217 break; 5218 } 5219 5220 return priv; 5221 } 5222 5223 static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set, 5224 struct nft_set_elem *elem, u32 flags) 5225 { 5226 void *priv; 5227 5228 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 5229 priv = set->ops->get(ctx->net, set, elem, flags); 5230 if (IS_ERR(priv)) 5231 return PTR_ERR(priv); 5232 } else { 5233 priv = nft_setelem_catchall_get(ctx->net, set); 5234 if (!priv) 5235 return -ENOENT; 5236 } 5237 elem->priv = priv; 5238 5239 return 0; 5240 } 5241 5242 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, 5243 const struct nlattr *attr) 5244 { 5245 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5246 struct nft_set_elem elem; 5247 struct sk_buff *skb; 5248 uint32_t flags = 0; 5249 int err; 5250 5251 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5252 nft_set_elem_policy, NULL); 5253 if (err < 0) 5254 return err; 5255 5256 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5257 if (err < 0) 5258 return err; 5259 5260 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 5261 return -EINVAL; 5262 5263 if (nla[NFTA_SET_ELEM_KEY]) { 5264 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5265 nla[NFTA_SET_ELEM_KEY]); 5266 if (err < 0) 5267 return err; 5268 } 5269 5270 if (nla[NFTA_SET_ELEM_KEY_END]) { 5271 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5272 nla[NFTA_SET_ELEM_KEY_END]); 5273 if (err < 0) 5274 return err; 5275 } 5276 5277 err = nft_setelem_get(ctx, set, &elem, flags); 5278 if (err < 0) 5279 return err; 5280 5281 err = -ENOMEM; 5282 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 5283 if (skb == NULL) 5284 return err; 5285 5286 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 5287 NFT_MSG_NEWSETELEM, 0, set, &elem); 5288 if (err < 0) 5289 goto err_fill_setelem; 5290 5291 return nfnetlink_unicast(skb, ctx->net, ctx->portid); 5292 5293 err_fill_setelem: 5294 kfree_skb(skb); 5295 return err; 5296 } 5297 5298 /* called with rcu_read_lock held */ 5299 static int nf_tables_getsetelem(struct sk_buff *skb, 5300 const struct nfnl_info *info, 5301 const struct nlattr * const nla[]) 5302 { 5303 struct netlink_ext_ack *extack = info->extack; 5304 u8 genmask = nft_genmask_cur(info->net); 5305 u8 family = info->nfmsg->nfgen_family; 5306 struct net *net = info->net; 5307 struct nft_table *table; 5308 struct nft_set *set; 5309 struct nlattr *attr; 5310 struct nft_ctx ctx; 5311 int rem, err = 0; 5312 5313 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 5314 genmask, NETLINK_CB(skb).portid); 5315 if (IS_ERR(table)) { 5316 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 5317 return PTR_ERR(table); 5318 } 5319 5320 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 5321 if (IS_ERR(set)) 5322 return PTR_ERR(set); 5323 5324 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5325 5326 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 5327 struct netlink_dump_control c = { 5328 .start = nf_tables_dump_set_start, 5329 .dump = nf_tables_dump_set, 5330 .done = nf_tables_dump_set_done, 5331 .module = THIS_MODULE, 5332 }; 5333 struct nft_set_dump_ctx dump_ctx = { 5334 .set = set, 5335 .ctx = ctx, 5336 }; 5337 5338 c.data = &dump_ctx; 5339 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 5340 } 5341 5342 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 5343 return -EINVAL; 5344 5345 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5346 err = nft_get_set_elem(&ctx, set, attr); 5347 if (err < 0) 5348 break; 5349 } 5350 5351 return err; 5352 } 5353 5354 static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 5355 const struct nft_set *set, 5356 const struct nft_set_elem *elem, 5357 int event) 5358 { 5359 struct nftables_pernet *nft_net; 5360 struct net *net = ctx->net; 5361 u32 portid = ctx->portid; 5362 struct sk_buff *skb; 5363 u16 flags = 0; 5364 int err; 5365 5366 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 5367 return; 5368 5369 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 5370 if (skb == NULL) 5371 goto err; 5372 5373 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 5374 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 5375 5376 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 5377 set, elem); 5378 if (err < 0) { 5379 kfree_skb(skb); 5380 goto err; 5381 } 5382 5383 nft_net = nft_pernet(net); 5384 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 5385 return; 5386 err: 5387 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 5388 } 5389 5390 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 5391 int msg_type, 5392 struct nft_set *set) 5393 { 5394 struct nft_trans *trans; 5395 5396 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 5397 if (trans == NULL) 5398 return NULL; 5399 5400 nft_trans_elem_set(trans) = set; 5401 return trans; 5402 } 5403 5404 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 5405 const struct nft_set *set, 5406 const struct nlattr *attr) 5407 { 5408 struct nft_expr *expr; 5409 int err; 5410 5411 expr = nft_expr_init(ctx, attr); 5412 if (IS_ERR(expr)) 5413 return expr; 5414 5415 err = -EOPNOTSUPP; 5416 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL)) 5417 goto err_set_elem_expr; 5418 5419 if (expr->ops->type->flags & NFT_EXPR_GC) { 5420 if (set->flags & NFT_SET_TIMEOUT) 5421 goto err_set_elem_expr; 5422 if (!set->ops->gc_init) 5423 goto err_set_elem_expr; 5424 set->ops->gc_init(set); 5425 } 5426 5427 return expr; 5428 5429 err_set_elem_expr: 5430 nft_expr_destroy(ctx, expr); 5431 return ERR_PTR(err); 5432 } 5433 5434 void *nft_set_elem_init(const struct nft_set *set, 5435 const struct nft_set_ext_tmpl *tmpl, 5436 const u32 *key, const u32 *key_end, 5437 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp) 5438 { 5439 struct nft_set_ext *ext; 5440 void *elem; 5441 5442 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 5443 if (elem == NULL) 5444 return NULL; 5445 5446 ext = nft_set_elem_ext(set, elem); 5447 nft_set_ext_init(ext, tmpl); 5448 5449 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY)) 5450 memcpy(nft_set_ext_key(ext), key, set->klen); 5451 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) 5452 memcpy(nft_set_ext_key_end(ext), key_end, set->klen); 5453 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5454 memcpy(nft_set_ext_data(ext), data, set->dlen); 5455 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 5456 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration; 5457 if (expiration == 0) 5458 *nft_set_ext_expiration(ext) += timeout; 5459 } 5460 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 5461 *nft_set_ext_timeout(ext) = timeout; 5462 5463 return elem; 5464 } 5465 5466 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 5467 struct nft_expr *expr) 5468 { 5469 if (expr->ops->destroy_clone) { 5470 expr->ops->destroy_clone(ctx, expr); 5471 module_put(expr->ops->type->owner); 5472 } else { 5473 nf_tables_expr_destroy(ctx, expr); 5474 } 5475 } 5476 5477 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 5478 struct nft_set_elem_expr *elem_expr) 5479 { 5480 struct nft_expr *expr; 5481 u32 size; 5482 5483 nft_setelem_expr_foreach(expr, elem_expr, size) 5484 __nft_set_elem_expr_destroy(ctx, expr); 5485 } 5486 5487 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 5488 bool destroy_expr) 5489 { 5490 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5491 struct nft_ctx ctx = { 5492 .net = read_pnet(&set->net), 5493 .family = set->table->family, 5494 }; 5495 5496 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 5497 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5498 nft_data_release(nft_set_ext_data(ext), set->dtype); 5499 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 5500 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext)); 5501 5502 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5503 (*nft_set_ext_obj(ext))->use--; 5504 kfree(elem); 5505 } 5506 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 5507 5508 /* Only called from commit path, nft_setelem_data_deactivate() already deals 5509 * with the refcounting from the preparation phase. 5510 */ 5511 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 5512 const struct nft_set *set, void *elem) 5513 { 5514 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5515 5516 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 5517 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 5518 5519 kfree(elem); 5520 } 5521 5522 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, 5523 struct nft_expr *expr_array[]) 5524 { 5525 struct nft_expr *expr; 5526 int err, i, k; 5527 5528 for (i = 0; i < set->num_exprs; i++) { 5529 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL); 5530 if (!expr) 5531 goto err_expr; 5532 5533 err = nft_expr_clone(expr, set->exprs[i]); 5534 if (err < 0) { 5535 nft_expr_destroy(ctx, expr); 5536 goto err_expr; 5537 } 5538 expr_array[i] = expr; 5539 } 5540 5541 return 0; 5542 5543 err_expr: 5544 for (k = i - 1; k >= 0; k--) 5545 nft_expr_destroy(ctx, expr_array[k]); 5546 5547 return -ENOMEM; 5548 } 5549 5550 static int nft_set_elem_expr_setup(struct nft_ctx *ctx, 5551 const struct nft_set_ext *ext, 5552 struct nft_expr *expr_array[], 5553 u32 num_exprs) 5554 { 5555 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); 5556 struct nft_expr *expr; 5557 int i, err; 5558 5559 for (i = 0; i < num_exprs; i++) { 5560 expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 5561 err = nft_expr_clone(expr, expr_array[i]); 5562 if (err < 0) 5563 goto err_elem_expr_setup; 5564 5565 elem_expr->size += expr_array[i]->ops->size; 5566 nft_expr_destroy(ctx, expr_array[i]); 5567 expr_array[i] = NULL; 5568 } 5569 5570 return 0; 5571 5572 err_elem_expr_setup: 5573 for (; i < num_exprs; i++) { 5574 nft_expr_destroy(ctx, expr_array[i]); 5575 expr_array[i] = NULL; 5576 } 5577 5578 return -ENOMEM; 5579 } 5580 5581 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net, 5582 const struct nft_set *set) 5583 { 5584 struct nft_set_elem_catchall *catchall; 5585 u8 genmask = nft_genmask_cur(net); 5586 struct nft_set_ext *ext; 5587 5588 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5589 ext = nft_set_elem_ext(set, catchall->elem); 5590 if (nft_set_elem_active(ext, genmask) && 5591 !nft_set_elem_expired(ext)) 5592 return ext; 5593 } 5594 5595 return NULL; 5596 } 5597 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup); 5598 5599 void *nft_set_catchall_gc(const struct nft_set *set) 5600 { 5601 struct nft_set_elem_catchall *catchall, *next; 5602 struct nft_set_ext *ext; 5603 void *elem = NULL; 5604 5605 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5606 ext = nft_set_elem_ext(set, catchall->elem); 5607 5608 if (!nft_set_elem_expired(ext) || 5609 nft_set_elem_mark_busy(ext)) 5610 continue; 5611 5612 elem = catchall->elem; 5613 list_del_rcu(&catchall->list); 5614 kfree_rcu(catchall, rcu); 5615 break; 5616 } 5617 5618 return elem; 5619 } 5620 EXPORT_SYMBOL_GPL(nft_set_catchall_gc); 5621 5622 static int nft_setelem_catchall_insert(const struct net *net, 5623 struct nft_set *set, 5624 const struct nft_set_elem *elem, 5625 struct nft_set_ext **pext) 5626 { 5627 struct nft_set_elem_catchall *catchall; 5628 u8 genmask = nft_genmask_next(net); 5629 struct nft_set_ext *ext; 5630 5631 list_for_each_entry(catchall, &set->catchall_list, list) { 5632 ext = nft_set_elem_ext(set, catchall->elem); 5633 if (nft_set_elem_active(ext, genmask)) { 5634 *pext = ext; 5635 return -EEXIST; 5636 } 5637 } 5638 5639 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL); 5640 if (!catchall) 5641 return -ENOMEM; 5642 5643 catchall->elem = elem->priv; 5644 list_add_tail_rcu(&catchall->list, &set->catchall_list); 5645 5646 return 0; 5647 } 5648 5649 static int nft_setelem_insert(const struct net *net, 5650 struct nft_set *set, 5651 const struct nft_set_elem *elem, 5652 struct nft_set_ext **ext, unsigned int flags) 5653 { 5654 int ret; 5655 5656 if (flags & NFT_SET_ELEM_CATCHALL) 5657 ret = nft_setelem_catchall_insert(net, set, elem, ext); 5658 else 5659 ret = set->ops->insert(net, set, elem, ext); 5660 5661 return ret; 5662 } 5663 5664 static bool nft_setelem_is_catchall(const struct nft_set *set, 5665 const struct nft_set_elem *elem) 5666 { 5667 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5668 5669 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 5670 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL) 5671 return true; 5672 5673 return false; 5674 } 5675 5676 static void nft_setelem_activate(struct net *net, struct nft_set *set, 5677 struct nft_set_elem *elem) 5678 { 5679 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5680 5681 if (nft_setelem_is_catchall(set, elem)) { 5682 nft_set_elem_change_active(net, set, ext); 5683 nft_set_elem_clear_busy(ext); 5684 } else { 5685 set->ops->activate(net, set, elem); 5686 } 5687 } 5688 5689 static int nft_setelem_catchall_deactivate(const struct net *net, 5690 struct nft_set *set, 5691 struct nft_set_elem *elem) 5692 { 5693 struct nft_set_elem_catchall *catchall; 5694 struct nft_set_ext *ext; 5695 5696 list_for_each_entry(catchall, &set->catchall_list, list) { 5697 ext = nft_set_elem_ext(set, catchall->elem); 5698 if (!nft_is_active(net, ext) || 5699 nft_set_elem_mark_busy(ext)) 5700 continue; 5701 5702 kfree(elem->priv); 5703 elem->priv = catchall->elem; 5704 nft_set_elem_change_active(net, set, ext); 5705 return 0; 5706 } 5707 5708 return -ENOENT; 5709 } 5710 5711 static int __nft_setelem_deactivate(const struct net *net, 5712 struct nft_set *set, 5713 struct nft_set_elem *elem) 5714 { 5715 void *priv; 5716 5717 priv = set->ops->deactivate(net, set, elem); 5718 if (!priv) 5719 return -ENOENT; 5720 5721 kfree(elem->priv); 5722 elem->priv = priv; 5723 set->ndeact++; 5724 5725 return 0; 5726 } 5727 5728 static int nft_setelem_deactivate(const struct net *net, 5729 struct nft_set *set, 5730 struct nft_set_elem *elem, u32 flags) 5731 { 5732 int ret; 5733 5734 if (flags & NFT_SET_ELEM_CATCHALL) 5735 ret = nft_setelem_catchall_deactivate(net, set, elem); 5736 else 5737 ret = __nft_setelem_deactivate(net, set, elem); 5738 5739 return ret; 5740 } 5741 5742 static void nft_setelem_catchall_remove(const struct net *net, 5743 const struct nft_set *set, 5744 const struct nft_set_elem *elem) 5745 { 5746 struct nft_set_elem_catchall *catchall, *next; 5747 5748 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5749 if (catchall->elem == elem->priv) { 5750 list_del_rcu(&catchall->list); 5751 kfree_rcu(catchall, rcu); 5752 break; 5753 } 5754 } 5755 } 5756 5757 static void nft_setelem_remove(const struct net *net, 5758 const struct nft_set *set, 5759 const struct nft_set_elem *elem) 5760 { 5761 if (nft_setelem_is_catchall(set, elem)) 5762 nft_setelem_catchall_remove(net, set, elem); 5763 else 5764 set->ops->remove(net, set, elem); 5765 } 5766 5767 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 5768 const struct nlattr *attr, u32 nlmsg_flags) 5769 { 5770 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {}; 5771 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5772 u8 genmask = nft_genmask_next(ctx->net); 5773 u32 flags = 0, size = 0, num_exprs = 0; 5774 struct nft_set_ext_tmpl tmpl; 5775 struct nft_set_ext *ext, *ext2; 5776 struct nft_set_elem elem; 5777 struct nft_set_binding *binding; 5778 struct nft_object *obj = NULL; 5779 struct nft_userdata *udata; 5780 struct nft_data_desc desc; 5781 enum nft_registers dreg; 5782 struct nft_trans *trans; 5783 u64 timeout; 5784 u64 expiration; 5785 int err, i; 5786 u8 ulen; 5787 5788 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5789 nft_set_elem_policy, NULL); 5790 if (err < 0) 5791 return err; 5792 5793 nft_set_ext_prepare(&tmpl); 5794 5795 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5796 if (err < 0) 5797 return err; 5798 5799 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 5800 return -EINVAL; 5801 5802 if (flags != 0) 5803 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 5804 5805 if (set->flags & NFT_SET_MAP) { 5806 if (nla[NFTA_SET_ELEM_DATA] == NULL && 5807 !(flags & NFT_SET_ELEM_INTERVAL_END)) 5808 return -EINVAL; 5809 } else { 5810 if (nla[NFTA_SET_ELEM_DATA] != NULL) 5811 return -EINVAL; 5812 } 5813 5814 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 5815 (nla[NFTA_SET_ELEM_DATA] || 5816 nla[NFTA_SET_ELEM_OBJREF] || 5817 nla[NFTA_SET_ELEM_TIMEOUT] || 5818 nla[NFTA_SET_ELEM_EXPIRATION] || 5819 nla[NFTA_SET_ELEM_USERDATA] || 5820 nla[NFTA_SET_ELEM_EXPR] || 5821 nla[NFTA_SET_ELEM_EXPRESSIONS])) 5822 return -EINVAL; 5823 5824 timeout = 0; 5825 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 5826 if (!(set->flags & NFT_SET_TIMEOUT)) 5827 return -EINVAL; 5828 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 5829 &timeout); 5830 if (err) 5831 return err; 5832 } else if (set->flags & NFT_SET_TIMEOUT) { 5833 timeout = set->timeout; 5834 } 5835 5836 expiration = 0; 5837 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 5838 if (!(set->flags & NFT_SET_TIMEOUT)) 5839 return -EINVAL; 5840 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 5841 &expiration); 5842 if (err) 5843 return err; 5844 } 5845 5846 if (nla[NFTA_SET_ELEM_EXPR]) { 5847 struct nft_expr *expr; 5848 5849 if (set->num_exprs && set->num_exprs != 1) 5850 return -EOPNOTSUPP; 5851 5852 expr = nft_set_elem_expr_alloc(ctx, set, 5853 nla[NFTA_SET_ELEM_EXPR]); 5854 if (IS_ERR(expr)) 5855 return PTR_ERR(expr); 5856 5857 expr_array[0] = expr; 5858 num_exprs = 1; 5859 5860 if (set->num_exprs && set->exprs[0]->ops != expr->ops) { 5861 err = -EOPNOTSUPP; 5862 goto err_set_elem_expr; 5863 } 5864 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) { 5865 struct nft_expr *expr; 5866 struct nlattr *tmp; 5867 int left; 5868 5869 i = 0; 5870 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) { 5871 if (i == NFT_SET_EXPR_MAX || 5872 (set->num_exprs && set->num_exprs == i)) { 5873 err = -E2BIG; 5874 goto err_set_elem_expr; 5875 } 5876 if (nla_type(tmp) != NFTA_LIST_ELEM) { 5877 err = -EINVAL; 5878 goto err_set_elem_expr; 5879 } 5880 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 5881 if (IS_ERR(expr)) { 5882 err = PTR_ERR(expr); 5883 goto err_set_elem_expr; 5884 } 5885 expr_array[i] = expr; 5886 num_exprs++; 5887 5888 if (set->num_exprs && expr->ops != set->exprs[i]->ops) { 5889 err = -EOPNOTSUPP; 5890 goto err_set_elem_expr; 5891 } 5892 i++; 5893 } 5894 if (set->num_exprs && set->num_exprs != i) { 5895 err = -EOPNOTSUPP; 5896 goto err_set_elem_expr; 5897 } 5898 } else if (set->num_exprs > 0) { 5899 err = nft_set_elem_expr_clone(ctx, set, expr_array); 5900 if (err < 0) 5901 goto err_set_elem_expr_clone; 5902 5903 num_exprs = set->num_exprs; 5904 } 5905 5906 if (nla[NFTA_SET_ELEM_KEY]) { 5907 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5908 nla[NFTA_SET_ELEM_KEY]); 5909 if (err < 0) 5910 goto err_set_elem_expr; 5911 5912 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 5913 } 5914 5915 if (nla[NFTA_SET_ELEM_KEY_END]) { 5916 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5917 nla[NFTA_SET_ELEM_KEY_END]); 5918 if (err < 0) 5919 goto err_parse_key; 5920 5921 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 5922 } 5923 5924 if (timeout > 0) { 5925 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION); 5926 if (timeout != set->timeout) 5927 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 5928 } 5929 5930 if (num_exprs) { 5931 for (i = 0; i < num_exprs; i++) 5932 size += expr_array[i]->ops->size; 5933 5934 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS, 5935 sizeof(struct nft_set_elem_expr) + 5936 size); 5937 } 5938 5939 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 5940 if (!(set->flags & NFT_SET_OBJECT)) { 5941 err = -EINVAL; 5942 goto err_parse_key_end; 5943 } 5944 obj = nft_obj_lookup(ctx->net, ctx->table, 5945 nla[NFTA_SET_ELEM_OBJREF], 5946 set->objtype, genmask); 5947 if (IS_ERR(obj)) { 5948 err = PTR_ERR(obj); 5949 goto err_parse_key_end; 5950 } 5951 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 5952 } 5953 5954 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 5955 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 5956 nla[NFTA_SET_ELEM_DATA]); 5957 if (err < 0) 5958 goto err_parse_key_end; 5959 5960 dreg = nft_type_to_reg(set->dtype); 5961 list_for_each_entry(binding, &set->bindings, list) { 5962 struct nft_ctx bind_ctx = { 5963 .net = ctx->net, 5964 .family = ctx->family, 5965 .table = ctx->table, 5966 .chain = (struct nft_chain *)binding->chain, 5967 }; 5968 5969 if (!(binding->flags & NFT_SET_MAP)) 5970 continue; 5971 5972 err = nft_validate_register_store(&bind_ctx, dreg, 5973 &elem.data.val, 5974 desc.type, desc.len); 5975 if (err < 0) 5976 goto err_parse_data; 5977 5978 if (desc.type == NFT_DATA_VERDICT && 5979 (elem.data.val.verdict.code == NFT_GOTO || 5980 elem.data.val.verdict.code == NFT_JUMP)) 5981 nft_validate_state_update(ctx->net, 5982 NFT_VALIDATE_NEED); 5983 } 5984 5985 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 5986 } 5987 5988 /* The full maximum length of userdata can exceed the maximum 5989 * offset value (U8_MAX) for following extensions, therefor it 5990 * must be the last extension added. 5991 */ 5992 ulen = 0; 5993 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 5994 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 5995 if (ulen > 0) 5996 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 5997 ulen); 5998 } 5999 6000 err = -ENOMEM; 6001 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 6002 elem.key_end.val.data, elem.data.val.data, 6003 timeout, expiration, GFP_KERNEL_ACCOUNT); 6004 if (elem.priv == NULL) 6005 goto err_parse_data; 6006 6007 ext = nft_set_elem_ext(set, elem.priv); 6008 if (flags) 6009 *nft_set_ext_flags(ext) = flags; 6010 if (ulen > 0) { 6011 udata = nft_set_ext_userdata(ext); 6012 udata->len = ulen - 1; 6013 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 6014 } 6015 if (obj) { 6016 *nft_set_ext_obj(ext) = obj; 6017 obj->use++; 6018 } 6019 err = nft_set_elem_expr_setup(ctx, ext, expr_array, num_exprs); 6020 if (err < 0) 6021 goto err_elem_expr; 6022 6023 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 6024 if (trans == NULL) { 6025 err = -ENOMEM; 6026 goto err_elem_expr; 6027 } 6028 6029 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; 6030 6031 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags); 6032 if (err) { 6033 if (err == -EEXIST) { 6034 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 6035 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 6036 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 6037 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) 6038 goto err_element_clash; 6039 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 6040 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 6041 memcmp(nft_set_ext_data(ext), 6042 nft_set_ext_data(ext2), set->dlen) != 0) || 6043 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 6044 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 6045 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 6046 goto err_element_clash; 6047 else if (!(nlmsg_flags & NLM_F_EXCL)) 6048 err = 0; 6049 } else if (err == -ENOTEMPTY) { 6050 /* ENOTEMPTY reports overlapping between this element 6051 * and an existing one. 6052 */ 6053 err = -EEXIST; 6054 } 6055 goto err_element_clash; 6056 } 6057 6058 if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size && 6059 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) { 6060 err = -ENFILE; 6061 goto err_set_full; 6062 } 6063 6064 nft_trans_elem(trans) = elem; 6065 nft_trans_commit_list_add_tail(ctx->net, trans); 6066 return 0; 6067 6068 err_set_full: 6069 nft_setelem_remove(ctx->net, set, &elem); 6070 err_element_clash: 6071 kfree(trans); 6072 err_elem_expr: 6073 if (obj) 6074 obj->use--; 6075 6076 nf_tables_set_elem_destroy(ctx, set, elem.priv); 6077 err_parse_data: 6078 if (nla[NFTA_SET_ELEM_DATA] != NULL) 6079 nft_data_release(&elem.data.val, desc.type); 6080 err_parse_key_end: 6081 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 6082 err_parse_key: 6083 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 6084 err_set_elem_expr: 6085 for (i = 0; i < num_exprs && expr_array[i]; i++) 6086 nft_expr_destroy(ctx, expr_array[i]); 6087 err_set_elem_expr_clone: 6088 return err; 6089 } 6090 6091 static int nf_tables_newsetelem(struct sk_buff *skb, 6092 const struct nfnl_info *info, 6093 const struct nlattr * const nla[]) 6094 { 6095 struct nftables_pernet *nft_net = nft_pernet(info->net); 6096 struct netlink_ext_ack *extack = info->extack; 6097 u8 genmask = nft_genmask_next(info->net); 6098 u8 family = info->nfmsg->nfgen_family; 6099 struct net *net = info->net; 6100 const struct nlattr *attr; 6101 struct nft_table *table; 6102 struct nft_set *set; 6103 struct nft_ctx ctx; 6104 int rem, err; 6105 6106 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 6107 return -EINVAL; 6108 6109 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6110 genmask, NETLINK_CB(skb).portid); 6111 if (IS_ERR(table)) { 6112 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6113 return PTR_ERR(table); 6114 } 6115 6116 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET], 6117 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 6118 if (IS_ERR(set)) 6119 return PTR_ERR(set); 6120 6121 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 6122 return -EBUSY; 6123 6124 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6125 6126 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6127 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags); 6128 if (err < 0) 6129 return err; 6130 } 6131 6132 if (nft_net->validate_state == NFT_VALIDATE_DO) 6133 return nft_table_validate(net, table); 6134 6135 return 0; 6136 } 6137 6138 /** 6139 * nft_data_hold - hold a nft_data item 6140 * 6141 * @data: struct nft_data to release 6142 * @type: type of data 6143 * 6144 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 6145 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 6146 * NFT_GOTO verdicts. This function must be called on active data objects 6147 * from the second phase of the commit protocol. 6148 */ 6149 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 6150 { 6151 struct nft_chain *chain; 6152 struct nft_rule *rule; 6153 6154 if (type == NFT_DATA_VERDICT) { 6155 switch (data->verdict.code) { 6156 case NFT_JUMP: 6157 case NFT_GOTO: 6158 chain = data->verdict.chain; 6159 chain->use++; 6160 6161 if (!nft_chain_is_bound(chain)) 6162 break; 6163 6164 chain->table->use++; 6165 list_for_each_entry(rule, &chain->rules, list) 6166 chain->use++; 6167 6168 nft_chain_add(chain->table, chain); 6169 break; 6170 } 6171 } 6172 } 6173 6174 static void nft_setelem_data_activate(const struct net *net, 6175 const struct nft_set *set, 6176 struct nft_set_elem *elem) 6177 { 6178 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 6179 6180 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6181 nft_data_hold(nft_set_ext_data(ext), set->dtype); 6182 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6183 (*nft_set_ext_obj(ext))->use++; 6184 } 6185 6186 static void nft_setelem_data_deactivate(const struct net *net, 6187 const struct nft_set *set, 6188 struct nft_set_elem *elem) 6189 { 6190 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 6191 6192 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6193 nft_data_release(nft_set_ext_data(ext), set->dtype); 6194 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6195 (*nft_set_ext_obj(ext))->use--; 6196 } 6197 6198 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 6199 const struct nlattr *attr) 6200 { 6201 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 6202 struct nft_set_ext_tmpl tmpl; 6203 struct nft_set_elem elem; 6204 struct nft_set_ext *ext; 6205 struct nft_trans *trans; 6206 u32 flags = 0; 6207 int err; 6208 6209 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 6210 nft_set_elem_policy, NULL); 6211 if (err < 0) 6212 return err; 6213 6214 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 6215 if (err < 0) 6216 return err; 6217 6218 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 6219 return -EINVAL; 6220 6221 nft_set_ext_prepare(&tmpl); 6222 6223 if (flags != 0) 6224 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 6225 6226 if (nla[NFTA_SET_ELEM_KEY]) { 6227 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 6228 nla[NFTA_SET_ELEM_KEY]); 6229 if (err < 0) 6230 return err; 6231 6232 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 6233 } 6234 6235 if (nla[NFTA_SET_ELEM_KEY_END]) { 6236 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 6237 nla[NFTA_SET_ELEM_KEY_END]); 6238 if (err < 0) 6239 return err; 6240 6241 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 6242 } 6243 6244 err = -ENOMEM; 6245 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 6246 elem.key_end.val.data, NULL, 0, 0, 6247 GFP_KERNEL_ACCOUNT); 6248 if (elem.priv == NULL) 6249 goto fail_elem; 6250 6251 ext = nft_set_elem_ext(set, elem.priv); 6252 if (flags) 6253 *nft_set_ext_flags(ext) = flags; 6254 6255 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 6256 if (trans == NULL) 6257 goto fail_trans; 6258 6259 err = nft_setelem_deactivate(ctx->net, set, &elem, flags); 6260 if (err < 0) 6261 goto fail_ops; 6262 6263 nft_setelem_data_deactivate(ctx->net, set, &elem); 6264 6265 nft_trans_elem(trans) = elem; 6266 nft_trans_commit_list_add_tail(ctx->net, trans); 6267 return 0; 6268 6269 fail_ops: 6270 kfree(trans); 6271 fail_trans: 6272 kfree(elem.priv); 6273 fail_elem: 6274 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 6275 return err; 6276 } 6277 6278 static int nft_setelem_flush(const struct nft_ctx *ctx, 6279 struct nft_set *set, 6280 const struct nft_set_iter *iter, 6281 struct nft_set_elem *elem) 6282 { 6283 struct nft_trans *trans; 6284 int err; 6285 6286 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 6287 sizeof(struct nft_trans_elem), GFP_ATOMIC); 6288 if (!trans) 6289 return -ENOMEM; 6290 6291 if (!set->ops->flush(ctx->net, set, elem->priv)) { 6292 err = -ENOENT; 6293 goto err1; 6294 } 6295 set->ndeact++; 6296 6297 nft_setelem_data_deactivate(ctx->net, set, elem); 6298 nft_trans_elem_set(trans) = set; 6299 nft_trans_elem(trans) = *elem; 6300 nft_trans_commit_list_add_tail(ctx->net, trans); 6301 6302 return 0; 6303 err1: 6304 kfree(trans); 6305 return err; 6306 } 6307 6308 static int __nft_set_catchall_flush(const struct nft_ctx *ctx, 6309 struct nft_set *set, 6310 struct nft_set_elem *elem) 6311 { 6312 struct nft_trans *trans; 6313 6314 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 6315 sizeof(struct nft_trans_elem), GFP_KERNEL); 6316 if (!trans) 6317 return -ENOMEM; 6318 6319 nft_setelem_data_deactivate(ctx->net, set, elem); 6320 nft_trans_elem_set(trans) = set; 6321 nft_trans_elem(trans) = *elem; 6322 nft_trans_commit_list_add_tail(ctx->net, trans); 6323 6324 return 0; 6325 } 6326 6327 static int nft_set_catchall_flush(const struct nft_ctx *ctx, 6328 struct nft_set *set) 6329 { 6330 u8 genmask = nft_genmask_next(ctx->net); 6331 struct nft_set_elem_catchall *catchall; 6332 struct nft_set_elem elem; 6333 struct nft_set_ext *ext; 6334 int ret = 0; 6335 6336 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6337 ext = nft_set_elem_ext(set, catchall->elem); 6338 if (!nft_set_elem_active(ext, genmask) || 6339 nft_set_elem_mark_busy(ext)) 6340 continue; 6341 6342 elem.priv = catchall->elem; 6343 ret = __nft_set_catchall_flush(ctx, set, &elem); 6344 if (ret < 0) 6345 break; 6346 } 6347 6348 return ret; 6349 } 6350 6351 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask) 6352 { 6353 struct nft_set_iter iter = { 6354 .genmask = genmask, 6355 .fn = nft_setelem_flush, 6356 }; 6357 6358 set->ops->walk(ctx, set, &iter); 6359 if (!iter.err) 6360 iter.err = nft_set_catchall_flush(ctx, set); 6361 6362 return iter.err; 6363 } 6364 6365 static int nf_tables_delsetelem(struct sk_buff *skb, 6366 const struct nfnl_info *info, 6367 const struct nlattr * const nla[]) 6368 { 6369 struct netlink_ext_ack *extack = info->extack; 6370 u8 genmask = nft_genmask_next(info->net); 6371 u8 family = info->nfmsg->nfgen_family; 6372 struct net *net = info->net; 6373 const struct nlattr *attr; 6374 struct nft_table *table; 6375 struct nft_set *set; 6376 struct nft_ctx ctx; 6377 int rem, err = 0; 6378 6379 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6380 genmask, NETLINK_CB(skb).portid); 6381 if (IS_ERR(table)) { 6382 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6383 return PTR_ERR(table); 6384 } 6385 6386 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 6387 if (IS_ERR(set)) 6388 return PTR_ERR(set); 6389 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 6390 return -EBUSY; 6391 6392 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6393 6394 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 6395 return nft_set_flush(&ctx, set, genmask); 6396 6397 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6398 err = nft_del_setelem(&ctx, set, attr); 6399 if (err < 0) 6400 break; 6401 } 6402 return err; 6403 } 6404 6405 void nft_set_gc_batch_release(struct rcu_head *rcu) 6406 { 6407 struct nft_set_gc_batch *gcb; 6408 unsigned int i; 6409 6410 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu); 6411 for (i = 0; i < gcb->head.cnt; i++) 6412 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true); 6413 kfree(gcb); 6414 } 6415 6416 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 6417 gfp_t gfp) 6418 { 6419 struct nft_set_gc_batch *gcb; 6420 6421 gcb = kzalloc(sizeof(*gcb), gfp); 6422 if (gcb == NULL) 6423 return gcb; 6424 gcb->head.set = set; 6425 return gcb; 6426 } 6427 6428 /* 6429 * Stateful objects 6430 */ 6431 6432 /** 6433 * nft_register_obj- register nf_tables stateful object type 6434 * @obj_type: object type 6435 * 6436 * Registers the object type for use with nf_tables. Returns zero on 6437 * success or a negative errno code otherwise. 6438 */ 6439 int nft_register_obj(struct nft_object_type *obj_type) 6440 { 6441 if (obj_type->type == NFT_OBJECT_UNSPEC) 6442 return -EINVAL; 6443 6444 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6445 list_add_rcu(&obj_type->list, &nf_tables_objects); 6446 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6447 return 0; 6448 } 6449 EXPORT_SYMBOL_GPL(nft_register_obj); 6450 6451 /** 6452 * nft_unregister_obj - unregister nf_tables object type 6453 * @obj_type: object type 6454 * 6455 * Unregisters the object type for use with nf_tables. 6456 */ 6457 void nft_unregister_obj(struct nft_object_type *obj_type) 6458 { 6459 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6460 list_del_rcu(&obj_type->list); 6461 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6462 } 6463 EXPORT_SYMBOL_GPL(nft_unregister_obj); 6464 6465 struct nft_object *nft_obj_lookup(const struct net *net, 6466 const struct nft_table *table, 6467 const struct nlattr *nla, u32 objtype, 6468 u8 genmask) 6469 { 6470 struct nft_object_hash_key k = { .table = table }; 6471 char search[NFT_OBJ_MAXNAMELEN]; 6472 struct rhlist_head *tmp, *list; 6473 struct nft_object *obj; 6474 6475 nla_strscpy(search, nla, sizeof(search)); 6476 k.name = search; 6477 6478 WARN_ON_ONCE(!rcu_read_lock_held() && 6479 !lockdep_commit_lock_is_held(net)); 6480 6481 rcu_read_lock(); 6482 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 6483 if (!list) 6484 goto out; 6485 6486 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 6487 if (objtype == obj->ops->type->type && 6488 nft_active_genmask(obj, genmask)) { 6489 rcu_read_unlock(); 6490 return obj; 6491 } 6492 } 6493 out: 6494 rcu_read_unlock(); 6495 return ERR_PTR(-ENOENT); 6496 } 6497 EXPORT_SYMBOL_GPL(nft_obj_lookup); 6498 6499 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 6500 const struct nlattr *nla, 6501 u32 objtype, u8 genmask) 6502 { 6503 struct nft_object *obj; 6504 6505 list_for_each_entry(obj, &table->objects, list) { 6506 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 6507 objtype == obj->ops->type->type && 6508 nft_active_genmask(obj, genmask)) 6509 return obj; 6510 } 6511 return ERR_PTR(-ENOENT); 6512 } 6513 6514 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 6515 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 6516 .len = NFT_TABLE_MAXNAMELEN - 1 }, 6517 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 6518 .len = NFT_OBJ_MAXNAMELEN - 1 }, 6519 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 6520 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 6521 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 6522 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY, 6523 .len = NFT_USERDATA_MAXLEN }, 6524 }; 6525 6526 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 6527 const struct nft_object_type *type, 6528 const struct nlattr *attr) 6529 { 6530 struct nlattr **tb; 6531 const struct nft_object_ops *ops; 6532 struct nft_object *obj; 6533 int err = -ENOMEM; 6534 6535 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 6536 if (!tb) 6537 goto err1; 6538 6539 if (attr) { 6540 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 6541 type->policy, NULL); 6542 if (err < 0) 6543 goto err2; 6544 } else { 6545 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 6546 } 6547 6548 if (type->select_ops) { 6549 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 6550 if (IS_ERR(ops)) { 6551 err = PTR_ERR(ops); 6552 goto err2; 6553 } 6554 } else { 6555 ops = type->ops; 6556 } 6557 6558 err = -ENOMEM; 6559 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT); 6560 if (!obj) 6561 goto err2; 6562 6563 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 6564 if (err < 0) 6565 goto err3; 6566 6567 obj->ops = ops; 6568 6569 kfree(tb); 6570 return obj; 6571 err3: 6572 kfree(obj); 6573 err2: 6574 kfree(tb); 6575 err1: 6576 return ERR_PTR(err); 6577 } 6578 6579 static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 6580 struct nft_object *obj, bool reset) 6581 { 6582 struct nlattr *nest; 6583 6584 nest = nla_nest_start_noflag(skb, attr); 6585 if (!nest) 6586 goto nla_put_failure; 6587 if (obj->ops->dump(skb, obj, reset) < 0) 6588 goto nla_put_failure; 6589 nla_nest_end(skb, nest); 6590 return 0; 6591 6592 nla_put_failure: 6593 return -1; 6594 } 6595 6596 static const struct nft_object_type *__nft_obj_type_get(u32 objtype) 6597 { 6598 const struct nft_object_type *type; 6599 6600 list_for_each_entry(type, &nf_tables_objects, list) { 6601 if (objtype == type->type) 6602 return type; 6603 } 6604 return NULL; 6605 } 6606 6607 static const struct nft_object_type * 6608 nft_obj_type_get(struct net *net, u32 objtype) 6609 { 6610 const struct nft_object_type *type; 6611 6612 type = __nft_obj_type_get(objtype); 6613 if (type != NULL && try_module_get(type->owner)) 6614 return type; 6615 6616 lockdep_nfnl_nft_mutex_not_held(); 6617 #ifdef CONFIG_MODULES 6618 if (type == NULL) { 6619 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 6620 return ERR_PTR(-EAGAIN); 6621 } 6622 #endif 6623 return ERR_PTR(-ENOENT); 6624 } 6625 6626 static int nf_tables_updobj(const struct nft_ctx *ctx, 6627 const struct nft_object_type *type, 6628 const struct nlattr *attr, 6629 struct nft_object *obj) 6630 { 6631 struct nft_object *newobj; 6632 struct nft_trans *trans; 6633 int err = -ENOMEM; 6634 6635 if (!try_module_get(type->owner)) 6636 return -ENOENT; 6637 6638 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 6639 sizeof(struct nft_trans_obj)); 6640 if (!trans) 6641 goto err_trans; 6642 6643 newobj = nft_obj_init(ctx, type, attr); 6644 if (IS_ERR(newobj)) { 6645 err = PTR_ERR(newobj); 6646 goto err_free_trans; 6647 } 6648 6649 nft_trans_obj(trans) = obj; 6650 nft_trans_obj_update(trans) = true; 6651 nft_trans_obj_newobj(trans) = newobj; 6652 nft_trans_commit_list_add_tail(ctx->net, trans); 6653 6654 return 0; 6655 6656 err_free_trans: 6657 kfree(trans); 6658 err_trans: 6659 module_put(type->owner); 6660 return err; 6661 } 6662 6663 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, 6664 const struct nlattr * const nla[]) 6665 { 6666 struct netlink_ext_ack *extack = info->extack; 6667 u8 genmask = nft_genmask_next(info->net); 6668 u8 family = info->nfmsg->nfgen_family; 6669 const struct nft_object_type *type; 6670 struct net *net = info->net; 6671 struct nft_table *table; 6672 struct nft_object *obj; 6673 struct nft_ctx ctx; 6674 u32 objtype; 6675 int err; 6676 6677 if (!nla[NFTA_OBJ_TYPE] || 6678 !nla[NFTA_OBJ_NAME] || 6679 !nla[NFTA_OBJ_DATA]) 6680 return -EINVAL; 6681 6682 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 6683 NETLINK_CB(skb).portid); 6684 if (IS_ERR(table)) { 6685 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6686 return PTR_ERR(table); 6687 } 6688 6689 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6690 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 6691 if (IS_ERR(obj)) { 6692 err = PTR_ERR(obj); 6693 if (err != -ENOENT) { 6694 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6695 return err; 6696 } 6697 } else { 6698 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 6699 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6700 return -EEXIST; 6701 } 6702 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 6703 return -EOPNOTSUPP; 6704 6705 type = __nft_obj_type_get(objtype); 6706 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6707 6708 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 6709 } 6710 6711 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6712 6713 type = nft_obj_type_get(net, objtype); 6714 if (IS_ERR(type)) 6715 return PTR_ERR(type); 6716 6717 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 6718 if (IS_ERR(obj)) { 6719 err = PTR_ERR(obj); 6720 goto err_init; 6721 } 6722 obj->key.table = table; 6723 obj->handle = nf_tables_alloc_handle(table); 6724 6725 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT); 6726 if (!obj->key.name) { 6727 err = -ENOMEM; 6728 goto err_strdup; 6729 } 6730 6731 if (nla[NFTA_OBJ_USERDATA]) { 6732 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL); 6733 if (obj->udata == NULL) 6734 goto err_userdata; 6735 6736 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]); 6737 } 6738 6739 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 6740 if (err < 0) 6741 goto err_trans; 6742 6743 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 6744 nft_objname_ht_params); 6745 if (err < 0) 6746 goto err_obj_ht; 6747 6748 list_add_tail_rcu(&obj->list, &table->objects); 6749 table->use++; 6750 return 0; 6751 err_obj_ht: 6752 /* queued in transaction log */ 6753 INIT_LIST_HEAD(&obj->list); 6754 return err; 6755 err_trans: 6756 kfree(obj->udata); 6757 err_userdata: 6758 kfree(obj->key.name); 6759 err_strdup: 6760 if (obj->ops->destroy) 6761 obj->ops->destroy(&ctx, obj); 6762 kfree(obj); 6763 err_init: 6764 module_put(type->owner); 6765 return err; 6766 } 6767 6768 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 6769 u32 portid, u32 seq, int event, u32 flags, 6770 int family, const struct nft_table *table, 6771 struct nft_object *obj, bool reset) 6772 { 6773 struct nlmsghdr *nlh; 6774 6775 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6776 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 6777 NFNETLINK_V0, nft_base_seq(net)); 6778 if (!nlh) 6779 goto nla_put_failure; 6780 6781 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 6782 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 6783 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 6784 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 6785 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) || 6786 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 6787 NFTA_OBJ_PAD)) 6788 goto nla_put_failure; 6789 6790 if (obj->udata && 6791 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata)) 6792 goto nla_put_failure; 6793 6794 nlmsg_end(skb, nlh); 6795 return 0; 6796 6797 nla_put_failure: 6798 nlmsg_trim(skb, nlh); 6799 return -1; 6800 } 6801 6802 struct nft_obj_filter { 6803 char *table; 6804 u32 type; 6805 }; 6806 6807 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 6808 { 6809 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 6810 const struct nft_table *table; 6811 unsigned int idx = 0, s_idx = cb->args[0]; 6812 struct nft_obj_filter *filter = cb->data; 6813 struct net *net = sock_net(skb->sk); 6814 int family = nfmsg->nfgen_family; 6815 struct nftables_pernet *nft_net; 6816 struct nft_object *obj; 6817 bool reset = false; 6818 6819 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6820 reset = true; 6821 6822 rcu_read_lock(); 6823 nft_net = nft_pernet(net); 6824 cb->seq = nft_net->base_seq; 6825 6826 list_for_each_entry_rcu(table, &nft_net->tables, list) { 6827 if (family != NFPROTO_UNSPEC && family != table->family) 6828 continue; 6829 6830 list_for_each_entry_rcu(obj, &table->objects, list) { 6831 if (!nft_is_active(net, obj)) 6832 goto cont; 6833 if (idx < s_idx) 6834 goto cont; 6835 if (idx > s_idx) 6836 memset(&cb->args[1], 0, 6837 sizeof(cb->args) - sizeof(cb->args[0])); 6838 if (filter && filter->table && 6839 strcmp(filter->table, table->name)) 6840 goto cont; 6841 if (filter && 6842 filter->type != NFT_OBJECT_UNSPEC && 6843 obj->ops->type->type != filter->type) 6844 goto cont; 6845 if (reset) { 6846 char *buf = kasprintf(GFP_ATOMIC, 6847 "%s:%u", 6848 table->name, 6849 nft_net->base_seq); 6850 6851 audit_log_nfcfg(buf, 6852 family, 6853 obj->handle, 6854 AUDIT_NFT_OP_OBJ_RESET, 6855 GFP_ATOMIC); 6856 kfree(buf); 6857 } 6858 6859 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, 6860 cb->nlh->nlmsg_seq, 6861 NFT_MSG_NEWOBJ, 6862 NLM_F_MULTI | NLM_F_APPEND, 6863 table->family, table, 6864 obj, reset) < 0) 6865 goto done; 6866 6867 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 6868 cont: 6869 idx++; 6870 } 6871 } 6872 done: 6873 rcu_read_unlock(); 6874 6875 cb->args[0] = idx; 6876 return skb->len; 6877 } 6878 6879 static int nf_tables_dump_obj_start(struct netlink_callback *cb) 6880 { 6881 const struct nlattr * const *nla = cb->data; 6882 struct nft_obj_filter *filter = NULL; 6883 6884 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) { 6885 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 6886 if (!filter) 6887 return -ENOMEM; 6888 6889 if (nla[NFTA_OBJ_TABLE]) { 6890 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 6891 if (!filter->table) { 6892 kfree(filter); 6893 return -ENOMEM; 6894 } 6895 } 6896 6897 if (nla[NFTA_OBJ_TYPE]) 6898 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6899 } 6900 6901 cb->data = filter; 6902 return 0; 6903 } 6904 6905 static int nf_tables_dump_obj_done(struct netlink_callback *cb) 6906 { 6907 struct nft_obj_filter *filter = cb->data; 6908 6909 if (filter) { 6910 kfree(filter->table); 6911 kfree(filter); 6912 } 6913 6914 return 0; 6915 } 6916 6917 /* called with rcu_read_lock held */ 6918 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info, 6919 const struct nlattr * const nla[]) 6920 { 6921 struct netlink_ext_ack *extack = info->extack; 6922 u8 genmask = nft_genmask_cur(info->net); 6923 u8 family = info->nfmsg->nfgen_family; 6924 const struct nft_table *table; 6925 struct net *net = info->net; 6926 struct nft_object *obj; 6927 struct sk_buff *skb2; 6928 bool reset = false; 6929 u32 objtype; 6930 int err; 6931 6932 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 6933 struct netlink_dump_control c = { 6934 .start = nf_tables_dump_obj_start, 6935 .dump = nf_tables_dump_obj, 6936 .done = nf_tables_dump_obj_done, 6937 .module = THIS_MODULE, 6938 .data = (void *)nla, 6939 }; 6940 6941 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 6942 } 6943 6944 if (!nla[NFTA_OBJ_NAME] || 6945 !nla[NFTA_OBJ_TYPE]) 6946 return -EINVAL; 6947 6948 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0); 6949 if (IS_ERR(table)) { 6950 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6951 return PTR_ERR(table); 6952 } 6953 6954 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6955 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 6956 if (IS_ERR(obj)) { 6957 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6958 return PTR_ERR(obj); 6959 } 6960 6961 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 6962 if (!skb2) 6963 return -ENOMEM; 6964 6965 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6966 reset = true; 6967 6968 if (reset) { 6969 const struct nftables_pernet *nft_net; 6970 char *buf; 6971 6972 nft_net = nft_pernet(net); 6973 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq); 6974 6975 audit_log_nfcfg(buf, 6976 family, 6977 obj->handle, 6978 AUDIT_NFT_OP_OBJ_RESET, 6979 GFP_ATOMIC); 6980 kfree(buf); 6981 } 6982 6983 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid, 6984 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 6985 family, table, obj, reset); 6986 if (err < 0) 6987 goto err_fill_obj_info; 6988 6989 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 6990 6991 err_fill_obj_info: 6992 kfree_skb(skb2); 6993 return err; 6994 } 6995 6996 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 6997 { 6998 if (obj->ops->destroy) 6999 obj->ops->destroy(ctx, obj); 7000 7001 module_put(obj->ops->type->owner); 7002 kfree(obj->key.name); 7003 kfree(obj->udata); 7004 kfree(obj); 7005 } 7006 7007 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info, 7008 const struct nlattr * const nla[]) 7009 { 7010 struct netlink_ext_ack *extack = info->extack; 7011 u8 genmask = nft_genmask_next(info->net); 7012 u8 family = info->nfmsg->nfgen_family; 7013 struct net *net = info->net; 7014 const struct nlattr *attr; 7015 struct nft_table *table; 7016 struct nft_object *obj; 7017 struct nft_ctx ctx; 7018 u32 objtype; 7019 7020 if (!nla[NFTA_OBJ_TYPE] || 7021 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 7022 return -EINVAL; 7023 7024 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 7025 NETLINK_CB(skb).portid); 7026 if (IS_ERR(table)) { 7027 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 7028 return PTR_ERR(table); 7029 } 7030 7031 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 7032 if (nla[NFTA_OBJ_HANDLE]) { 7033 attr = nla[NFTA_OBJ_HANDLE]; 7034 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 7035 } else { 7036 attr = nla[NFTA_OBJ_NAME]; 7037 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 7038 } 7039 7040 if (IS_ERR(obj)) { 7041 NL_SET_BAD_ATTR(extack, attr); 7042 return PTR_ERR(obj); 7043 } 7044 if (obj->use > 0) { 7045 NL_SET_BAD_ATTR(extack, attr); 7046 return -EBUSY; 7047 } 7048 7049 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7050 7051 return nft_delobj(&ctx, obj); 7052 } 7053 7054 void nft_obj_notify(struct net *net, const struct nft_table *table, 7055 struct nft_object *obj, u32 portid, u32 seq, int event, 7056 u16 flags, int family, int report, gfp_t gfp) 7057 { 7058 struct nftables_pernet *nft_net = nft_pernet(net); 7059 struct sk_buff *skb; 7060 int err; 7061 char *buf = kasprintf(gfp, "%s:%u", 7062 table->name, nft_net->base_seq); 7063 7064 audit_log_nfcfg(buf, 7065 family, 7066 obj->handle, 7067 event == NFT_MSG_NEWOBJ ? 7068 AUDIT_NFT_OP_OBJ_REGISTER : 7069 AUDIT_NFT_OP_OBJ_UNREGISTER, 7070 gfp); 7071 kfree(buf); 7072 7073 if (!report && 7074 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 7075 return; 7076 7077 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 7078 if (skb == NULL) 7079 goto err; 7080 7081 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 7082 flags & (NLM_F_CREATE | NLM_F_EXCL), 7083 family, table, obj, false); 7084 if (err < 0) { 7085 kfree_skb(skb); 7086 goto err; 7087 } 7088 7089 nft_notify_enqueue(skb, report, &nft_net->notify_list); 7090 return; 7091 err: 7092 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 7093 } 7094 EXPORT_SYMBOL_GPL(nft_obj_notify); 7095 7096 static void nf_tables_obj_notify(const struct nft_ctx *ctx, 7097 struct nft_object *obj, int event) 7098 { 7099 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, 7100 ctx->flags, ctx->family, ctx->report, GFP_KERNEL); 7101 } 7102 7103 /* 7104 * Flow tables 7105 */ 7106 void nft_register_flowtable_type(struct nf_flowtable_type *type) 7107 { 7108 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7109 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 7110 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7111 } 7112 EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 7113 7114 void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 7115 { 7116 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7117 list_del_rcu(&type->list); 7118 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7119 } 7120 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 7121 7122 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 7123 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 7124 .len = NFT_NAME_MAXLEN - 1 }, 7125 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 7126 .len = NFT_NAME_MAXLEN - 1 }, 7127 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 7128 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 7129 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 7130 }; 7131 7132 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 7133 const struct nlattr *nla, u8 genmask) 7134 { 7135 struct nft_flowtable *flowtable; 7136 7137 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 7138 if (!nla_strcmp(nla, flowtable->name) && 7139 nft_active_genmask(flowtable, genmask)) 7140 return flowtable; 7141 } 7142 return ERR_PTR(-ENOENT); 7143 } 7144 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 7145 7146 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 7147 struct nft_flowtable *flowtable, 7148 enum nft_trans_phase phase) 7149 { 7150 switch (phase) { 7151 case NFT_TRANS_PREPARE: 7152 case NFT_TRANS_ABORT: 7153 case NFT_TRANS_RELEASE: 7154 flowtable->use--; 7155 fallthrough; 7156 default: 7157 return; 7158 } 7159 } 7160 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 7161 7162 static struct nft_flowtable * 7163 nft_flowtable_lookup_byhandle(const struct nft_table *table, 7164 const struct nlattr *nla, u8 genmask) 7165 { 7166 struct nft_flowtable *flowtable; 7167 7168 list_for_each_entry(flowtable, &table->flowtables, list) { 7169 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 7170 nft_active_genmask(flowtable, genmask)) 7171 return flowtable; 7172 } 7173 return ERR_PTR(-ENOENT); 7174 } 7175 7176 struct nft_flowtable_hook { 7177 u32 num; 7178 int priority; 7179 struct list_head list; 7180 }; 7181 7182 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 7183 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 7184 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 7185 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 7186 }; 7187 7188 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 7189 const struct nlattr *attr, 7190 struct nft_flowtable_hook *flowtable_hook, 7191 struct nft_flowtable *flowtable, bool add) 7192 { 7193 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 7194 struct nft_hook *hook; 7195 int hooknum, priority; 7196 int err; 7197 7198 INIT_LIST_HEAD(&flowtable_hook->list); 7199 7200 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr, 7201 nft_flowtable_hook_policy, NULL); 7202 if (err < 0) 7203 return err; 7204 7205 if (add) { 7206 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 7207 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) 7208 return -EINVAL; 7209 7210 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 7211 if (hooknum != NF_NETDEV_INGRESS) 7212 return -EOPNOTSUPP; 7213 7214 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 7215 7216 flowtable_hook->priority = priority; 7217 flowtable_hook->num = hooknum; 7218 } else { 7219 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 7220 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 7221 if (hooknum != flowtable->hooknum) 7222 return -EOPNOTSUPP; 7223 } 7224 7225 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 7226 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 7227 if (priority != flowtable->data.priority) 7228 return -EOPNOTSUPP; 7229 } 7230 7231 flowtable_hook->priority = flowtable->data.priority; 7232 flowtable_hook->num = flowtable->hooknum; 7233 } 7234 7235 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 7236 err = nf_tables_parse_netdev_hooks(ctx->net, 7237 tb[NFTA_FLOWTABLE_HOOK_DEVS], 7238 &flowtable_hook->list); 7239 if (err < 0) 7240 return err; 7241 } 7242 7243 list_for_each_entry(hook, &flowtable_hook->list, list) { 7244 hook->ops.pf = NFPROTO_NETDEV; 7245 hook->ops.hooknum = flowtable_hook->num; 7246 hook->ops.priority = flowtable_hook->priority; 7247 hook->ops.priv = &flowtable->data; 7248 hook->ops.hook = flowtable->data.type->hook; 7249 } 7250 7251 return err; 7252 } 7253 7254 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 7255 { 7256 const struct nf_flowtable_type *type; 7257 7258 list_for_each_entry(type, &nf_tables_flowtables, list) { 7259 if (family == type->family) 7260 return type; 7261 } 7262 return NULL; 7263 } 7264 7265 static const struct nf_flowtable_type * 7266 nft_flowtable_type_get(struct net *net, u8 family) 7267 { 7268 const struct nf_flowtable_type *type; 7269 7270 type = __nft_flowtable_type_get(family); 7271 if (type != NULL && try_module_get(type->owner)) 7272 return type; 7273 7274 lockdep_nfnl_nft_mutex_not_held(); 7275 #ifdef CONFIG_MODULES 7276 if (type == NULL) { 7277 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 7278 return ERR_PTR(-EAGAIN); 7279 } 7280 #endif 7281 return ERR_PTR(-ENOENT); 7282 } 7283 7284 /* Only called from error and netdev event paths. */ 7285 static void nft_unregister_flowtable_hook(struct net *net, 7286 struct nft_flowtable *flowtable, 7287 struct nft_hook *hook) 7288 { 7289 nf_unregister_net_hook(net, &hook->ops); 7290 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 7291 FLOW_BLOCK_UNBIND); 7292 } 7293 7294 static void nft_unregister_flowtable_net_hooks(struct net *net, 7295 struct list_head *hook_list) 7296 { 7297 struct nft_hook *hook; 7298 7299 list_for_each_entry(hook, hook_list, list) 7300 nf_unregister_net_hook(net, &hook->ops); 7301 } 7302 7303 static int nft_register_flowtable_net_hooks(struct net *net, 7304 struct nft_table *table, 7305 struct list_head *hook_list, 7306 struct nft_flowtable *flowtable) 7307 { 7308 struct nft_hook *hook, *hook2, *next; 7309 struct nft_flowtable *ft; 7310 int err, i = 0; 7311 7312 list_for_each_entry(hook, hook_list, list) { 7313 list_for_each_entry(ft, &table->flowtables, list) { 7314 if (!nft_is_active_next(net, ft)) 7315 continue; 7316 7317 list_for_each_entry(hook2, &ft->hook_list, list) { 7318 if (hook->ops.dev == hook2->ops.dev && 7319 hook->ops.pf == hook2->ops.pf) { 7320 err = -EEXIST; 7321 goto err_unregister_net_hooks; 7322 } 7323 } 7324 } 7325 7326 err = flowtable->data.type->setup(&flowtable->data, 7327 hook->ops.dev, 7328 FLOW_BLOCK_BIND); 7329 if (err < 0) 7330 goto err_unregister_net_hooks; 7331 7332 err = nf_register_net_hook(net, &hook->ops); 7333 if (err < 0) { 7334 flowtable->data.type->setup(&flowtable->data, 7335 hook->ops.dev, 7336 FLOW_BLOCK_UNBIND); 7337 goto err_unregister_net_hooks; 7338 } 7339 7340 i++; 7341 } 7342 7343 return 0; 7344 7345 err_unregister_net_hooks: 7346 list_for_each_entry_safe(hook, next, hook_list, list) { 7347 if (i-- <= 0) 7348 break; 7349 7350 nft_unregister_flowtable_hook(net, flowtable, hook); 7351 list_del_rcu(&hook->list); 7352 kfree_rcu(hook, rcu); 7353 } 7354 7355 return err; 7356 } 7357 7358 static void nft_flowtable_hooks_destroy(struct list_head *hook_list) 7359 { 7360 struct nft_hook *hook, *next; 7361 7362 list_for_each_entry_safe(hook, next, hook_list, list) { 7363 list_del_rcu(&hook->list); 7364 kfree_rcu(hook, rcu); 7365 } 7366 } 7367 7368 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 7369 struct nft_flowtable *flowtable) 7370 { 7371 const struct nlattr * const *nla = ctx->nla; 7372 struct nft_flowtable_hook flowtable_hook; 7373 struct nft_hook *hook, *next; 7374 struct nft_trans *trans; 7375 bool unregister = false; 7376 u32 flags; 7377 int err; 7378 7379 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 7380 &flowtable_hook, flowtable, false); 7381 if (err < 0) 7382 return err; 7383 7384 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 7385 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 7386 list_del(&hook->list); 7387 kfree(hook); 7388 } 7389 } 7390 7391 if (nla[NFTA_FLOWTABLE_FLAGS]) { 7392 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 7393 if (flags & ~NFT_FLOWTABLE_MASK) 7394 return -EOPNOTSUPP; 7395 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ 7396 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) 7397 return -EOPNOTSUPP; 7398 } else { 7399 flags = flowtable->data.flags; 7400 } 7401 7402 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 7403 &flowtable_hook.list, flowtable); 7404 if (err < 0) 7405 goto err_flowtable_update_hook; 7406 7407 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 7408 sizeof(struct nft_trans_flowtable)); 7409 if (!trans) { 7410 unregister = true; 7411 err = -ENOMEM; 7412 goto err_flowtable_update_hook; 7413 } 7414 7415 nft_trans_flowtable_flags(trans) = flags; 7416 nft_trans_flowtable(trans) = flowtable; 7417 nft_trans_flowtable_update(trans) = true; 7418 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 7419 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 7420 7421 nft_trans_commit_list_add_tail(ctx->net, trans); 7422 7423 return 0; 7424 7425 err_flowtable_update_hook: 7426 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 7427 if (unregister) 7428 nft_unregister_flowtable_hook(ctx->net, flowtable, hook); 7429 list_del_rcu(&hook->list); 7430 kfree_rcu(hook, rcu); 7431 } 7432 7433 return err; 7434 7435 } 7436 7437 static int nf_tables_newflowtable(struct sk_buff *skb, 7438 const struct nfnl_info *info, 7439 const struct nlattr * const nla[]) 7440 { 7441 struct netlink_ext_ack *extack = info->extack; 7442 struct nft_flowtable_hook flowtable_hook; 7443 u8 genmask = nft_genmask_next(info->net); 7444 u8 family = info->nfmsg->nfgen_family; 7445 const struct nf_flowtable_type *type; 7446 struct nft_flowtable *flowtable; 7447 struct nft_hook *hook, *next; 7448 struct net *net = info->net; 7449 struct nft_table *table; 7450 struct nft_ctx ctx; 7451 int err; 7452 7453 if (!nla[NFTA_FLOWTABLE_TABLE] || 7454 !nla[NFTA_FLOWTABLE_NAME] || 7455 !nla[NFTA_FLOWTABLE_HOOK]) 7456 return -EINVAL; 7457 7458 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7459 genmask, NETLINK_CB(skb).portid); 7460 if (IS_ERR(table)) { 7461 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 7462 return PTR_ERR(table); 7463 } 7464 7465 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 7466 genmask); 7467 if (IS_ERR(flowtable)) { 7468 err = PTR_ERR(flowtable); 7469 if (err != -ENOENT) { 7470 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 7471 return err; 7472 } 7473 } else { 7474 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 7475 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 7476 return -EEXIST; 7477 } 7478 7479 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7480 7481 return nft_flowtable_update(&ctx, info->nlh, flowtable); 7482 } 7483 7484 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7485 7486 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT); 7487 if (!flowtable) 7488 return -ENOMEM; 7489 7490 flowtable->table = table; 7491 flowtable->handle = nf_tables_alloc_handle(table); 7492 INIT_LIST_HEAD(&flowtable->hook_list); 7493 7494 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT); 7495 if (!flowtable->name) { 7496 err = -ENOMEM; 7497 goto err1; 7498 } 7499 7500 type = nft_flowtable_type_get(net, family); 7501 if (IS_ERR(type)) { 7502 err = PTR_ERR(type); 7503 goto err2; 7504 } 7505 7506 if (nla[NFTA_FLOWTABLE_FLAGS]) { 7507 flowtable->data.flags = 7508 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 7509 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) { 7510 err = -EOPNOTSUPP; 7511 goto err3; 7512 } 7513 } 7514 7515 write_pnet(&flowtable->data.net, net); 7516 flowtable->data.type = type; 7517 err = type->init(&flowtable->data); 7518 if (err < 0) 7519 goto err3; 7520 7521 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK], 7522 &flowtable_hook, flowtable, true); 7523 if (err < 0) 7524 goto err4; 7525 7526 list_splice(&flowtable_hook.list, &flowtable->hook_list); 7527 flowtable->data.priority = flowtable_hook.priority; 7528 flowtable->hooknum = flowtable_hook.num; 7529 7530 err = nft_register_flowtable_net_hooks(ctx.net, table, 7531 &flowtable->hook_list, 7532 flowtable); 7533 if (err < 0) { 7534 nft_flowtable_hooks_destroy(&flowtable->hook_list); 7535 goto err4; 7536 } 7537 7538 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 7539 if (err < 0) 7540 goto err5; 7541 7542 list_add_tail_rcu(&flowtable->list, &table->flowtables); 7543 table->use++; 7544 7545 return 0; 7546 err5: 7547 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7548 nft_unregister_flowtable_hook(net, flowtable, hook); 7549 list_del_rcu(&hook->list); 7550 kfree_rcu(hook, rcu); 7551 } 7552 err4: 7553 flowtable->data.type->free(&flowtable->data); 7554 err3: 7555 module_put(type->owner); 7556 err2: 7557 kfree(flowtable->name); 7558 err1: 7559 kfree(flowtable); 7560 return err; 7561 } 7562 7563 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook) 7564 { 7565 struct nft_hook *this, *next; 7566 7567 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { 7568 list_del(&this->list); 7569 kfree(this); 7570 } 7571 } 7572 7573 static int nft_delflowtable_hook(struct nft_ctx *ctx, 7574 struct nft_flowtable *flowtable) 7575 { 7576 const struct nlattr * const *nla = ctx->nla; 7577 struct nft_flowtable_hook flowtable_hook; 7578 struct nft_hook *this, *hook; 7579 struct nft_trans *trans; 7580 int err; 7581 7582 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 7583 &flowtable_hook, flowtable, false); 7584 if (err < 0) 7585 return err; 7586 7587 list_for_each_entry(this, &flowtable_hook.list, list) { 7588 hook = nft_hook_list_find(&flowtable->hook_list, this); 7589 if (!hook) { 7590 err = -ENOENT; 7591 goto err_flowtable_del_hook; 7592 } 7593 hook->inactive = true; 7594 } 7595 7596 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 7597 sizeof(struct nft_trans_flowtable)); 7598 if (!trans) { 7599 err = -ENOMEM; 7600 goto err_flowtable_del_hook; 7601 } 7602 7603 nft_trans_flowtable(trans) = flowtable; 7604 nft_trans_flowtable_update(trans) = true; 7605 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 7606 nft_flowtable_hook_release(&flowtable_hook); 7607 7608 nft_trans_commit_list_add_tail(ctx->net, trans); 7609 7610 return 0; 7611 7612 err_flowtable_del_hook: 7613 list_for_each_entry(this, &flowtable_hook.list, list) { 7614 hook = nft_hook_list_find(&flowtable->hook_list, this); 7615 if (!hook) 7616 break; 7617 7618 hook->inactive = false; 7619 } 7620 nft_flowtable_hook_release(&flowtable_hook); 7621 7622 return err; 7623 } 7624 7625 static int nf_tables_delflowtable(struct sk_buff *skb, 7626 const struct nfnl_info *info, 7627 const struct nlattr * const nla[]) 7628 { 7629 struct netlink_ext_ack *extack = info->extack; 7630 u8 genmask = nft_genmask_next(info->net); 7631 u8 family = info->nfmsg->nfgen_family; 7632 struct nft_flowtable *flowtable; 7633 struct net *net = info->net; 7634 const struct nlattr *attr; 7635 struct nft_table *table; 7636 struct nft_ctx ctx; 7637 7638 if (!nla[NFTA_FLOWTABLE_TABLE] || 7639 (!nla[NFTA_FLOWTABLE_NAME] && 7640 !nla[NFTA_FLOWTABLE_HANDLE])) 7641 return -EINVAL; 7642 7643 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7644 genmask, NETLINK_CB(skb).portid); 7645 if (IS_ERR(table)) { 7646 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 7647 return PTR_ERR(table); 7648 } 7649 7650 if (nla[NFTA_FLOWTABLE_HANDLE]) { 7651 attr = nla[NFTA_FLOWTABLE_HANDLE]; 7652 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 7653 } else { 7654 attr = nla[NFTA_FLOWTABLE_NAME]; 7655 flowtable = nft_flowtable_lookup(table, attr, genmask); 7656 } 7657 7658 if (IS_ERR(flowtable)) { 7659 NL_SET_BAD_ATTR(extack, attr); 7660 return PTR_ERR(flowtable); 7661 } 7662 7663 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7664 7665 if (nla[NFTA_FLOWTABLE_HOOK]) 7666 return nft_delflowtable_hook(&ctx, flowtable); 7667 7668 if (flowtable->use > 0) { 7669 NL_SET_BAD_ATTR(extack, attr); 7670 return -EBUSY; 7671 } 7672 7673 return nft_delflowtable(&ctx, flowtable); 7674 } 7675 7676 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 7677 u32 portid, u32 seq, int event, 7678 u32 flags, int family, 7679 struct nft_flowtable *flowtable, 7680 struct list_head *hook_list) 7681 { 7682 struct nlattr *nest, *nest_devs; 7683 struct nft_hook *hook; 7684 struct nlmsghdr *nlh; 7685 7686 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 7687 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 7688 NFNETLINK_V0, nft_base_seq(net)); 7689 if (!nlh) 7690 goto nla_put_failure; 7691 7692 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 7693 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 7694 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 7695 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 7696 NFTA_FLOWTABLE_PAD) || 7697 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 7698 goto nla_put_failure; 7699 7700 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 7701 if (!nest) 7702 goto nla_put_failure; 7703 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 7704 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 7705 goto nla_put_failure; 7706 7707 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 7708 if (!nest_devs) 7709 goto nla_put_failure; 7710 7711 list_for_each_entry_rcu(hook, hook_list, list) { 7712 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) 7713 goto nla_put_failure; 7714 } 7715 nla_nest_end(skb, nest_devs); 7716 nla_nest_end(skb, nest); 7717 7718 nlmsg_end(skb, nlh); 7719 return 0; 7720 7721 nla_put_failure: 7722 nlmsg_trim(skb, nlh); 7723 return -1; 7724 } 7725 7726 struct nft_flowtable_filter { 7727 char *table; 7728 }; 7729 7730 static int nf_tables_dump_flowtable(struct sk_buff *skb, 7731 struct netlink_callback *cb) 7732 { 7733 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 7734 struct nft_flowtable_filter *filter = cb->data; 7735 unsigned int idx = 0, s_idx = cb->args[0]; 7736 struct net *net = sock_net(skb->sk); 7737 int family = nfmsg->nfgen_family; 7738 struct nft_flowtable *flowtable; 7739 struct nftables_pernet *nft_net; 7740 const struct nft_table *table; 7741 7742 rcu_read_lock(); 7743 nft_net = nft_pernet(net); 7744 cb->seq = nft_net->base_seq; 7745 7746 list_for_each_entry_rcu(table, &nft_net->tables, list) { 7747 if (family != NFPROTO_UNSPEC && family != table->family) 7748 continue; 7749 7750 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 7751 if (!nft_is_active(net, flowtable)) 7752 goto cont; 7753 if (idx < s_idx) 7754 goto cont; 7755 if (idx > s_idx) 7756 memset(&cb->args[1], 0, 7757 sizeof(cb->args) - sizeof(cb->args[0])); 7758 if (filter && filter->table && 7759 strcmp(filter->table, table->name)) 7760 goto cont; 7761 7762 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 7763 cb->nlh->nlmsg_seq, 7764 NFT_MSG_NEWFLOWTABLE, 7765 NLM_F_MULTI | NLM_F_APPEND, 7766 table->family, 7767 flowtable, 7768 &flowtable->hook_list) < 0) 7769 goto done; 7770 7771 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 7772 cont: 7773 idx++; 7774 } 7775 } 7776 done: 7777 rcu_read_unlock(); 7778 7779 cb->args[0] = idx; 7780 return skb->len; 7781 } 7782 7783 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 7784 { 7785 const struct nlattr * const *nla = cb->data; 7786 struct nft_flowtable_filter *filter = NULL; 7787 7788 if (nla[NFTA_FLOWTABLE_TABLE]) { 7789 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 7790 if (!filter) 7791 return -ENOMEM; 7792 7793 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 7794 GFP_ATOMIC); 7795 if (!filter->table) { 7796 kfree(filter); 7797 return -ENOMEM; 7798 } 7799 } 7800 7801 cb->data = filter; 7802 return 0; 7803 } 7804 7805 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 7806 { 7807 struct nft_flowtable_filter *filter = cb->data; 7808 7809 if (!filter) 7810 return 0; 7811 7812 kfree(filter->table); 7813 kfree(filter); 7814 7815 return 0; 7816 } 7817 7818 /* called with rcu_read_lock held */ 7819 static int nf_tables_getflowtable(struct sk_buff *skb, 7820 const struct nfnl_info *info, 7821 const struct nlattr * const nla[]) 7822 { 7823 u8 genmask = nft_genmask_cur(info->net); 7824 u8 family = info->nfmsg->nfgen_family; 7825 struct nft_flowtable *flowtable; 7826 const struct nft_table *table; 7827 struct net *net = info->net; 7828 struct sk_buff *skb2; 7829 int err; 7830 7831 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 7832 struct netlink_dump_control c = { 7833 .start = nf_tables_dump_flowtable_start, 7834 .dump = nf_tables_dump_flowtable, 7835 .done = nf_tables_dump_flowtable_done, 7836 .module = THIS_MODULE, 7837 .data = (void *)nla, 7838 }; 7839 7840 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 7841 } 7842 7843 if (!nla[NFTA_FLOWTABLE_NAME]) 7844 return -EINVAL; 7845 7846 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7847 genmask, 0); 7848 if (IS_ERR(table)) 7849 return PTR_ERR(table); 7850 7851 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 7852 genmask); 7853 if (IS_ERR(flowtable)) 7854 return PTR_ERR(flowtable); 7855 7856 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7857 if (!skb2) 7858 return -ENOMEM; 7859 7860 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 7861 info->nlh->nlmsg_seq, 7862 NFT_MSG_NEWFLOWTABLE, 0, family, 7863 flowtable, &flowtable->hook_list); 7864 if (err < 0) 7865 goto err_fill_flowtable_info; 7866 7867 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7868 7869 err_fill_flowtable_info: 7870 kfree_skb(skb2); 7871 return err; 7872 } 7873 7874 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 7875 struct nft_flowtable *flowtable, 7876 struct list_head *hook_list, 7877 int event) 7878 { 7879 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 7880 struct sk_buff *skb; 7881 u16 flags = 0; 7882 int err; 7883 7884 if (!ctx->report && 7885 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 7886 return; 7887 7888 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 7889 if (skb == NULL) 7890 goto err; 7891 7892 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 7893 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 7894 7895 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 7896 ctx->seq, event, flags, 7897 ctx->family, flowtable, hook_list); 7898 if (err < 0) { 7899 kfree_skb(skb); 7900 goto err; 7901 } 7902 7903 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 7904 return; 7905 err: 7906 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 7907 } 7908 7909 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 7910 { 7911 struct nft_hook *hook, *next; 7912 7913 flowtable->data.type->free(&flowtable->data); 7914 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7915 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 7916 FLOW_BLOCK_UNBIND); 7917 list_del_rcu(&hook->list); 7918 kfree(hook); 7919 } 7920 kfree(flowtable->name); 7921 module_put(flowtable->data.type->owner); 7922 kfree(flowtable); 7923 } 7924 7925 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 7926 u32 portid, u32 seq) 7927 { 7928 struct nftables_pernet *nft_net = nft_pernet(net); 7929 struct nlmsghdr *nlh; 7930 char buf[TASK_COMM_LEN]; 7931 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 7932 7933 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, 7934 NFNETLINK_V0, nft_base_seq(net)); 7935 if (!nlh) 7936 goto nla_put_failure; 7937 7938 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || 7939 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 7940 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 7941 goto nla_put_failure; 7942 7943 nlmsg_end(skb, nlh); 7944 return 0; 7945 7946 nla_put_failure: 7947 nlmsg_trim(skb, nlh); 7948 return -EMSGSIZE; 7949 } 7950 7951 static void nft_flowtable_event(unsigned long event, struct net_device *dev, 7952 struct nft_flowtable *flowtable) 7953 { 7954 struct nft_hook *hook; 7955 7956 list_for_each_entry(hook, &flowtable->hook_list, list) { 7957 if (hook->ops.dev != dev) 7958 continue; 7959 7960 /* flow_offload_netdev_event() cleans up entries for us. */ 7961 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); 7962 list_del_rcu(&hook->list); 7963 kfree_rcu(hook, rcu); 7964 break; 7965 } 7966 } 7967 7968 static int nf_tables_flowtable_event(struct notifier_block *this, 7969 unsigned long event, void *ptr) 7970 { 7971 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 7972 struct nft_flowtable *flowtable; 7973 struct nftables_pernet *nft_net; 7974 struct nft_table *table; 7975 struct net *net; 7976 7977 if (event != NETDEV_UNREGISTER) 7978 return 0; 7979 7980 net = dev_net(dev); 7981 nft_net = nft_pernet(net); 7982 mutex_lock(&nft_net->commit_mutex); 7983 list_for_each_entry(table, &nft_net->tables, list) { 7984 list_for_each_entry(flowtable, &table->flowtables, list) { 7985 nft_flowtable_event(event, dev, flowtable); 7986 } 7987 } 7988 mutex_unlock(&nft_net->commit_mutex); 7989 7990 return NOTIFY_DONE; 7991 } 7992 7993 static struct notifier_block nf_tables_flowtable_notifier = { 7994 .notifier_call = nf_tables_flowtable_event, 7995 }; 7996 7997 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 7998 int event) 7999 { 8000 struct nlmsghdr *nlh = nlmsg_hdr(skb); 8001 struct sk_buff *skb2; 8002 int err; 8003 8004 if (!nlmsg_report(nlh) && 8005 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 8006 return; 8007 8008 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 8009 if (skb2 == NULL) 8010 goto err; 8011 8012 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 8013 nlh->nlmsg_seq); 8014 if (err < 0) { 8015 kfree_skb(skb2); 8016 goto err; 8017 } 8018 8019 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 8020 nlmsg_report(nlh), GFP_KERNEL); 8021 return; 8022 err: 8023 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 8024 -ENOBUFS); 8025 } 8026 8027 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info, 8028 const struct nlattr * const nla[]) 8029 { 8030 struct sk_buff *skb2; 8031 int err; 8032 8033 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 8034 if (skb2 == NULL) 8035 return -ENOMEM; 8036 8037 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid, 8038 info->nlh->nlmsg_seq); 8039 if (err < 0) 8040 goto err_fill_gen_info; 8041 8042 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 8043 8044 err_fill_gen_info: 8045 kfree_skb(skb2); 8046 return err; 8047 } 8048 8049 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 8050 [NFT_MSG_NEWTABLE] = { 8051 .call = nf_tables_newtable, 8052 .type = NFNL_CB_BATCH, 8053 .attr_count = NFTA_TABLE_MAX, 8054 .policy = nft_table_policy, 8055 }, 8056 [NFT_MSG_GETTABLE] = { 8057 .call = nf_tables_gettable, 8058 .type = NFNL_CB_RCU, 8059 .attr_count = NFTA_TABLE_MAX, 8060 .policy = nft_table_policy, 8061 }, 8062 [NFT_MSG_DELTABLE] = { 8063 .call = nf_tables_deltable, 8064 .type = NFNL_CB_BATCH, 8065 .attr_count = NFTA_TABLE_MAX, 8066 .policy = nft_table_policy, 8067 }, 8068 [NFT_MSG_NEWCHAIN] = { 8069 .call = nf_tables_newchain, 8070 .type = NFNL_CB_BATCH, 8071 .attr_count = NFTA_CHAIN_MAX, 8072 .policy = nft_chain_policy, 8073 }, 8074 [NFT_MSG_GETCHAIN] = { 8075 .call = nf_tables_getchain, 8076 .type = NFNL_CB_RCU, 8077 .attr_count = NFTA_CHAIN_MAX, 8078 .policy = nft_chain_policy, 8079 }, 8080 [NFT_MSG_DELCHAIN] = { 8081 .call = nf_tables_delchain, 8082 .type = NFNL_CB_BATCH, 8083 .attr_count = NFTA_CHAIN_MAX, 8084 .policy = nft_chain_policy, 8085 }, 8086 [NFT_MSG_NEWRULE] = { 8087 .call = nf_tables_newrule, 8088 .type = NFNL_CB_BATCH, 8089 .attr_count = NFTA_RULE_MAX, 8090 .policy = nft_rule_policy, 8091 }, 8092 [NFT_MSG_GETRULE] = { 8093 .call = nf_tables_getrule, 8094 .type = NFNL_CB_RCU, 8095 .attr_count = NFTA_RULE_MAX, 8096 .policy = nft_rule_policy, 8097 }, 8098 [NFT_MSG_DELRULE] = { 8099 .call = nf_tables_delrule, 8100 .type = NFNL_CB_BATCH, 8101 .attr_count = NFTA_RULE_MAX, 8102 .policy = nft_rule_policy, 8103 }, 8104 [NFT_MSG_NEWSET] = { 8105 .call = nf_tables_newset, 8106 .type = NFNL_CB_BATCH, 8107 .attr_count = NFTA_SET_MAX, 8108 .policy = nft_set_policy, 8109 }, 8110 [NFT_MSG_GETSET] = { 8111 .call = nf_tables_getset, 8112 .type = NFNL_CB_RCU, 8113 .attr_count = NFTA_SET_MAX, 8114 .policy = nft_set_policy, 8115 }, 8116 [NFT_MSG_DELSET] = { 8117 .call = nf_tables_delset, 8118 .type = NFNL_CB_BATCH, 8119 .attr_count = NFTA_SET_MAX, 8120 .policy = nft_set_policy, 8121 }, 8122 [NFT_MSG_NEWSETELEM] = { 8123 .call = nf_tables_newsetelem, 8124 .type = NFNL_CB_BATCH, 8125 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8126 .policy = nft_set_elem_list_policy, 8127 }, 8128 [NFT_MSG_GETSETELEM] = { 8129 .call = nf_tables_getsetelem, 8130 .type = NFNL_CB_RCU, 8131 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8132 .policy = nft_set_elem_list_policy, 8133 }, 8134 [NFT_MSG_DELSETELEM] = { 8135 .call = nf_tables_delsetelem, 8136 .type = NFNL_CB_BATCH, 8137 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8138 .policy = nft_set_elem_list_policy, 8139 }, 8140 [NFT_MSG_GETGEN] = { 8141 .call = nf_tables_getgen, 8142 .type = NFNL_CB_RCU, 8143 }, 8144 [NFT_MSG_NEWOBJ] = { 8145 .call = nf_tables_newobj, 8146 .type = NFNL_CB_BATCH, 8147 .attr_count = NFTA_OBJ_MAX, 8148 .policy = nft_obj_policy, 8149 }, 8150 [NFT_MSG_GETOBJ] = { 8151 .call = nf_tables_getobj, 8152 .type = NFNL_CB_RCU, 8153 .attr_count = NFTA_OBJ_MAX, 8154 .policy = nft_obj_policy, 8155 }, 8156 [NFT_MSG_DELOBJ] = { 8157 .call = nf_tables_delobj, 8158 .type = NFNL_CB_BATCH, 8159 .attr_count = NFTA_OBJ_MAX, 8160 .policy = nft_obj_policy, 8161 }, 8162 [NFT_MSG_GETOBJ_RESET] = { 8163 .call = nf_tables_getobj, 8164 .type = NFNL_CB_RCU, 8165 .attr_count = NFTA_OBJ_MAX, 8166 .policy = nft_obj_policy, 8167 }, 8168 [NFT_MSG_NEWFLOWTABLE] = { 8169 .call = nf_tables_newflowtable, 8170 .type = NFNL_CB_BATCH, 8171 .attr_count = NFTA_FLOWTABLE_MAX, 8172 .policy = nft_flowtable_policy, 8173 }, 8174 [NFT_MSG_GETFLOWTABLE] = { 8175 .call = nf_tables_getflowtable, 8176 .type = NFNL_CB_RCU, 8177 .attr_count = NFTA_FLOWTABLE_MAX, 8178 .policy = nft_flowtable_policy, 8179 }, 8180 [NFT_MSG_DELFLOWTABLE] = { 8181 .call = nf_tables_delflowtable, 8182 .type = NFNL_CB_BATCH, 8183 .attr_count = NFTA_FLOWTABLE_MAX, 8184 .policy = nft_flowtable_policy, 8185 }, 8186 }; 8187 8188 static int nf_tables_validate(struct net *net) 8189 { 8190 struct nftables_pernet *nft_net = nft_pernet(net); 8191 struct nft_table *table; 8192 8193 switch (nft_net->validate_state) { 8194 case NFT_VALIDATE_SKIP: 8195 break; 8196 case NFT_VALIDATE_NEED: 8197 nft_validate_state_update(net, NFT_VALIDATE_DO); 8198 fallthrough; 8199 case NFT_VALIDATE_DO: 8200 list_for_each_entry(table, &nft_net->tables, list) { 8201 if (nft_table_validate(net, table) < 0) 8202 return -EAGAIN; 8203 } 8204 break; 8205 } 8206 8207 return 0; 8208 } 8209 8210 /* a drop policy has to be deferred until all rules have been activated, 8211 * otherwise a large ruleset that contains a drop-policy base chain will 8212 * cause all packets to get dropped until the full transaction has been 8213 * processed. 8214 * 8215 * We defer the drop policy until the transaction has been finalized. 8216 */ 8217 static void nft_chain_commit_drop_policy(struct nft_trans *trans) 8218 { 8219 struct nft_base_chain *basechain; 8220 8221 if (nft_trans_chain_policy(trans) != NF_DROP) 8222 return; 8223 8224 if (!nft_is_base_chain(trans->ctx.chain)) 8225 return; 8226 8227 basechain = nft_base_chain(trans->ctx.chain); 8228 basechain->policy = NF_DROP; 8229 } 8230 8231 static void nft_chain_commit_update(struct nft_trans *trans) 8232 { 8233 struct nft_base_chain *basechain; 8234 8235 if (nft_trans_chain_name(trans)) { 8236 rhltable_remove(&trans->ctx.table->chains_ht, 8237 &trans->ctx.chain->rhlhead, 8238 nft_chain_ht_params); 8239 swap(trans->ctx.chain->name, nft_trans_chain_name(trans)); 8240 rhltable_insert_key(&trans->ctx.table->chains_ht, 8241 trans->ctx.chain->name, 8242 &trans->ctx.chain->rhlhead, 8243 nft_chain_ht_params); 8244 } 8245 8246 if (!nft_is_base_chain(trans->ctx.chain)) 8247 return; 8248 8249 nft_chain_stats_replace(trans); 8250 8251 basechain = nft_base_chain(trans->ctx.chain); 8252 8253 switch (nft_trans_chain_policy(trans)) { 8254 case NF_DROP: 8255 case NF_ACCEPT: 8256 basechain->policy = nft_trans_chain_policy(trans); 8257 break; 8258 } 8259 } 8260 8261 static void nft_obj_commit_update(struct nft_trans *trans) 8262 { 8263 struct nft_object *newobj; 8264 struct nft_object *obj; 8265 8266 obj = nft_trans_obj(trans); 8267 newobj = nft_trans_obj_newobj(trans); 8268 8269 if (obj->ops->update) 8270 obj->ops->update(obj, newobj); 8271 8272 nft_obj_destroy(&trans->ctx, newobj); 8273 } 8274 8275 static void nft_commit_release(struct nft_trans *trans) 8276 { 8277 switch (trans->msg_type) { 8278 case NFT_MSG_DELTABLE: 8279 nf_tables_table_destroy(&trans->ctx); 8280 break; 8281 case NFT_MSG_NEWCHAIN: 8282 free_percpu(nft_trans_chain_stats(trans)); 8283 kfree(nft_trans_chain_name(trans)); 8284 break; 8285 case NFT_MSG_DELCHAIN: 8286 nf_tables_chain_destroy(&trans->ctx); 8287 break; 8288 case NFT_MSG_DELRULE: 8289 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 8290 break; 8291 case NFT_MSG_DELSET: 8292 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 8293 break; 8294 case NFT_MSG_DELSETELEM: 8295 nf_tables_set_elem_destroy(&trans->ctx, 8296 nft_trans_elem_set(trans), 8297 nft_trans_elem(trans).priv); 8298 break; 8299 case NFT_MSG_DELOBJ: 8300 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 8301 break; 8302 case NFT_MSG_DELFLOWTABLE: 8303 if (nft_trans_flowtable_update(trans)) 8304 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 8305 else 8306 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 8307 break; 8308 } 8309 8310 if (trans->put_net) 8311 put_net(trans->ctx.net); 8312 8313 kfree(trans); 8314 } 8315 8316 static void nf_tables_trans_destroy_work(struct work_struct *w) 8317 { 8318 struct nft_trans *trans, *next; 8319 LIST_HEAD(head); 8320 8321 spin_lock(&nf_tables_destroy_list_lock); 8322 list_splice_init(&nf_tables_destroy_list, &head); 8323 spin_unlock(&nf_tables_destroy_list_lock); 8324 8325 if (list_empty(&head)) 8326 return; 8327 8328 synchronize_rcu(); 8329 8330 list_for_each_entry_safe(trans, next, &head, list) { 8331 list_del(&trans->list); 8332 nft_commit_release(trans); 8333 } 8334 } 8335 8336 void nf_tables_trans_destroy_flush_work(void) 8337 { 8338 flush_work(&trans_destroy_work); 8339 } 8340 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work); 8341 8342 static bool nft_expr_reduce(struct nft_regs_track *track, 8343 const struct nft_expr *expr) 8344 { 8345 if (!expr->ops->reduce) { 8346 pr_warn_once("missing reduce for expression %s ", 8347 expr->ops->type->name); 8348 return false; 8349 } 8350 8351 if (nft_reduce_is_readonly(expr)) 8352 return false; 8353 8354 return expr->ops->reduce(track, expr); 8355 } 8356 8357 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 8358 { 8359 const struct nft_expr *expr, *last; 8360 struct nft_regs_track track = {}; 8361 unsigned int size, data_size; 8362 void *data, *data_boundary; 8363 struct nft_rule_dp *prule; 8364 struct nft_rule *rule; 8365 8366 /* already handled or inactive chain? */ 8367 if (chain->blob_next || !nft_is_active_next(net, chain)) 8368 return 0; 8369 8370 rule = list_entry(&chain->rules, struct nft_rule, list); 8371 8372 data_size = 0; 8373 list_for_each_entry_continue(rule, &chain->rules, list) { 8374 if (nft_is_active_next(net, rule)) { 8375 data_size += sizeof(*prule) + rule->dlen; 8376 if (data_size > INT_MAX) 8377 return -ENOMEM; 8378 } 8379 } 8380 data_size += offsetof(struct nft_rule_dp, data); /* last rule */ 8381 8382 chain->blob_next = nf_tables_chain_alloc_rules(data_size); 8383 if (!chain->blob_next) 8384 return -ENOMEM; 8385 8386 data = (void *)chain->blob_next->data; 8387 data_boundary = data + data_size; 8388 size = 0; 8389 8390 list_for_each_entry_continue(rule, &chain->rules, list) { 8391 if (!nft_is_active_next(net, rule)) 8392 continue; 8393 8394 prule = (struct nft_rule_dp *)data; 8395 data += offsetof(struct nft_rule_dp, data); 8396 if (WARN_ON_ONCE(data > data_boundary)) 8397 return -ENOMEM; 8398 8399 size = 0; 8400 track.last = nft_expr_last(rule); 8401 nft_rule_for_each_expr(expr, last, rule) { 8402 track.cur = expr; 8403 8404 if (nft_expr_reduce(&track, expr)) { 8405 expr = track.cur; 8406 continue; 8407 } 8408 8409 if (WARN_ON_ONCE(data + expr->ops->size > data_boundary)) 8410 return -ENOMEM; 8411 8412 memcpy(data + size, expr, expr->ops->size); 8413 size += expr->ops->size; 8414 } 8415 if (WARN_ON_ONCE(size >= 1 << 12)) 8416 return -ENOMEM; 8417 8418 prule->handle = rule->handle; 8419 prule->dlen = size; 8420 prule->is_last = 0; 8421 8422 data += size; 8423 size = 0; 8424 chain->blob_next->size += (unsigned long)(data - (void *)prule); 8425 } 8426 8427 prule = (struct nft_rule_dp *)data; 8428 data += offsetof(struct nft_rule_dp, data); 8429 if (WARN_ON_ONCE(data > data_boundary)) 8430 return -ENOMEM; 8431 8432 nft_last_rule(chain->blob_next, prule); 8433 8434 return 0; 8435 } 8436 8437 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 8438 { 8439 struct nftables_pernet *nft_net = nft_pernet(net); 8440 struct nft_trans *trans, *next; 8441 8442 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8443 struct nft_chain *chain = trans->ctx.chain; 8444 8445 if (trans->msg_type == NFT_MSG_NEWRULE || 8446 trans->msg_type == NFT_MSG_DELRULE) { 8447 kvfree(chain->blob_next); 8448 chain->blob_next = NULL; 8449 } 8450 } 8451 } 8452 8453 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h) 8454 { 8455 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h); 8456 8457 kvfree(o->blob); 8458 } 8459 8460 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob) 8461 { 8462 struct nft_rules_old *old; 8463 8464 /* rcu_head is after end marker */ 8465 old = (void *)blob + sizeof(*blob) + blob->size; 8466 old->blob = blob; 8467 8468 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old); 8469 } 8470 8471 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 8472 { 8473 struct nft_rule_blob *g0, *g1; 8474 bool next_genbit; 8475 8476 next_genbit = nft_gencursor_next(net); 8477 8478 g0 = rcu_dereference_protected(chain->blob_gen_0, 8479 lockdep_commit_lock_is_held(net)); 8480 g1 = rcu_dereference_protected(chain->blob_gen_1, 8481 lockdep_commit_lock_is_held(net)); 8482 8483 /* No changes to this chain? */ 8484 if (chain->blob_next == NULL) { 8485 /* chain had no change in last or next generation */ 8486 if (g0 == g1) 8487 return; 8488 /* 8489 * chain had no change in this generation; make sure next 8490 * one uses same rules as current generation. 8491 */ 8492 if (next_genbit) { 8493 rcu_assign_pointer(chain->blob_gen_1, g0); 8494 nf_tables_commit_chain_free_rules_old(g1); 8495 } else { 8496 rcu_assign_pointer(chain->blob_gen_0, g1); 8497 nf_tables_commit_chain_free_rules_old(g0); 8498 } 8499 8500 return; 8501 } 8502 8503 if (next_genbit) 8504 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next); 8505 else 8506 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next); 8507 8508 chain->blob_next = NULL; 8509 8510 if (g0 == g1) 8511 return; 8512 8513 if (next_genbit) 8514 nf_tables_commit_chain_free_rules_old(g1); 8515 else 8516 nf_tables_commit_chain_free_rules_old(g0); 8517 } 8518 8519 static void nft_obj_del(struct nft_object *obj) 8520 { 8521 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 8522 list_del_rcu(&obj->list); 8523 } 8524 8525 void nft_chain_del(struct nft_chain *chain) 8526 { 8527 struct nft_table *table = chain->table; 8528 8529 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 8530 nft_chain_ht_params)); 8531 list_del_rcu(&chain->list); 8532 } 8533 8534 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable, 8535 struct list_head *hook_list) 8536 { 8537 struct nft_hook *hook, *next; 8538 8539 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 8540 if (hook->inactive) 8541 list_move(&hook->list, hook_list); 8542 } 8543 } 8544 8545 static void nf_tables_module_autoload_cleanup(struct net *net) 8546 { 8547 struct nftables_pernet *nft_net = nft_pernet(net); 8548 struct nft_module_request *req, *next; 8549 8550 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 8551 list_for_each_entry_safe(req, next, &nft_net->module_list, list) { 8552 WARN_ON_ONCE(!req->done); 8553 list_del(&req->list); 8554 kfree(req); 8555 } 8556 } 8557 8558 static void nf_tables_commit_release(struct net *net) 8559 { 8560 struct nftables_pernet *nft_net = nft_pernet(net); 8561 struct nft_trans *trans; 8562 8563 /* all side effects have to be made visible. 8564 * For example, if a chain named 'foo' has been deleted, a 8565 * new transaction must not find it anymore. 8566 * 8567 * Memory reclaim happens asynchronously from work queue 8568 * to prevent expensive synchronize_rcu() in commit phase. 8569 */ 8570 if (list_empty(&nft_net->commit_list)) { 8571 nf_tables_module_autoload_cleanup(net); 8572 mutex_unlock(&nft_net->commit_mutex); 8573 return; 8574 } 8575 8576 trans = list_last_entry(&nft_net->commit_list, 8577 struct nft_trans, list); 8578 get_net(trans->ctx.net); 8579 WARN_ON_ONCE(trans->put_net); 8580 8581 trans->put_net = true; 8582 spin_lock(&nf_tables_destroy_list_lock); 8583 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list); 8584 spin_unlock(&nf_tables_destroy_list_lock); 8585 8586 nf_tables_module_autoload_cleanup(net); 8587 schedule_work(&trans_destroy_work); 8588 8589 mutex_unlock(&nft_net->commit_mutex); 8590 } 8591 8592 static void nft_commit_notify(struct net *net, u32 portid) 8593 { 8594 struct nftables_pernet *nft_net = nft_pernet(net); 8595 struct sk_buff *batch_skb = NULL, *nskb, *skb; 8596 unsigned char *data; 8597 int len; 8598 8599 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) { 8600 if (!batch_skb) { 8601 new_batch: 8602 batch_skb = skb; 8603 len = NLMSG_GOODSIZE - skb->len; 8604 list_del(&skb->list); 8605 continue; 8606 } 8607 len -= skb->len; 8608 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) { 8609 data = skb_put(batch_skb, skb->len); 8610 memcpy(data, skb->data, skb->len); 8611 list_del(&skb->list); 8612 kfree_skb(skb); 8613 continue; 8614 } 8615 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 8616 NFT_CB(batch_skb).report, GFP_KERNEL); 8617 goto new_batch; 8618 } 8619 8620 if (batch_skb) { 8621 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 8622 NFT_CB(batch_skb).report, GFP_KERNEL); 8623 } 8624 8625 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 8626 } 8627 8628 static int nf_tables_commit_audit_alloc(struct list_head *adl, 8629 struct nft_table *table) 8630 { 8631 struct nft_audit_data *adp; 8632 8633 list_for_each_entry(adp, adl, list) { 8634 if (adp->table == table) 8635 return 0; 8636 } 8637 adp = kzalloc(sizeof(*adp), GFP_KERNEL); 8638 if (!adp) 8639 return -ENOMEM; 8640 adp->table = table; 8641 list_add(&adp->list, adl); 8642 return 0; 8643 } 8644 8645 static void nf_tables_commit_audit_free(struct list_head *adl) 8646 { 8647 struct nft_audit_data *adp, *adn; 8648 8649 list_for_each_entry_safe(adp, adn, adl, list) { 8650 list_del(&adp->list); 8651 kfree(adp); 8652 } 8653 } 8654 8655 static void nf_tables_commit_audit_collect(struct list_head *adl, 8656 struct nft_table *table, u32 op) 8657 { 8658 struct nft_audit_data *adp; 8659 8660 list_for_each_entry(adp, adl, list) { 8661 if (adp->table == table) 8662 goto found; 8663 } 8664 WARN_ONCE(1, "table=%s not expected in commit list", table->name); 8665 return; 8666 found: 8667 adp->entries++; 8668 if (!adp->op || adp->op > op) 8669 adp->op = op; 8670 } 8671 8672 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) 8673 8674 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) 8675 { 8676 struct nft_audit_data *adp, *adn; 8677 char aubuf[AUNFTABLENAMELEN]; 8678 8679 list_for_each_entry_safe(adp, adn, adl, list) { 8680 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, 8681 generation); 8682 audit_log_nfcfg(aubuf, adp->table->family, adp->entries, 8683 nft2audit_op[adp->op], GFP_KERNEL); 8684 list_del(&adp->list); 8685 kfree(adp); 8686 } 8687 } 8688 8689 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 8690 { 8691 struct nftables_pernet *nft_net = nft_pernet(net); 8692 struct nft_trans *trans, *next; 8693 struct nft_trans_elem *te; 8694 struct nft_chain *chain; 8695 struct nft_table *table; 8696 LIST_HEAD(adl); 8697 int err; 8698 8699 if (list_empty(&nft_net->commit_list)) { 8700 mutex_unlock(&nft_net->commit_mutex); 8701 return 0; 8702 } 8703 8704 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 8705 if (nf_tables_validate(net) < 0) 8706 return -EAGAIN; 8707 8708 err = nft_flow_rule_offload_commit(net); 8709 if (err < 0) 8710 return err; 8711 8712 /* 1. Allocate space for next generation rules_gen_X[] */ 8713 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8714 int ret; 8715 8716 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table); 8717 if (ret) { 8718 nf_tables_commit_chain_prepare_cancel(net); 8719 nf_tables_commit_audit_free(&adl); 8720 return ret; 8721 } 8722 if (trans->msg_type == NFT_MSG_NEWRULE || 8723 trans->msg_type == NFT_MSG_DELRULE) { 8724 chain = trans->ctx.chain; 8725 8726 ret = nf_tables_commit_chain_prepare(net, chain); 8727 if (ret < 0) { 8728 nf_tables_commit_chain_prepare_cancel(net); 8729 nf_tables_commit_audit_free(&adl); 8730 return ret; 8731 } 8732 } 8733 } 8734 8735 /* step 2. Make rules_gen_X visible to packet path */ 8736 list_for_each_entry(table, &nft_net->tables, list) { 8737 list_for_each_entry(chain, &table->chains, list) 8738 nf_tables_commit_chain(net, chain); 8739 } 8740 8741 /* 8742 * Bump generation counter, invalidate any dump in progress. 8743 * Cannot fail after this point. 8744 */ 8745 while (++nft_net->base_seq == 0) 8746 ; 8747 8748 /* step 3. Start new generation, rules_gen_X now in use. */ 8749 net->nft.gencursor = nft_gencursor_next(net); 8750 8751 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8752 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8753 trans->msg_type); 8754 switch (trans->msg_type) { 8755 case NFT_MSG_NEWTABLE: 8756 if (nft_trans_table_update(trans)) { 8757 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) { 8758 nft_trans_destroy(trans); 8759 break; 8760 } 8761 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT) 8762 nf_tables_table_disable(net, trans->ctx.table); 8763 8764 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE; 8765 } else { 8766 nft_clear(net, trans->ctx.table); 8767 } 8768 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE); 8769 nft_trans_destroy(trans); 8770 break; 8771 case NFT_MSG_DELTABLE: 8772 list_del_rcu(&trans->ctx.table->list); 8773 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE); 8774 break; 8775 case NFT_MSG_NEWCHAIN: 8776 if (nft_trans_chain_update(trans)) { 8777 nft_chain_commit_update(trans); 8778 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 8779 /* trans destroyed after rcu grace period */ 8780 } else { 8781 nft_chain_commit_drop_policy(trans); 8782 nft_clear(net, trans->ctx.chain); 8783 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 8784 nft_trans_destroy(trans); 8785 } 8786 break; 8787 case NFT_MSG_DELCHAIN: 8788 nft_chain_del(trans->ctx.chain); 8789 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN); 8790 nf_tables_unregister_hook(trans->ctx.net, 8791 trans->ctx.table, 8792 trans->ctx.chain); 8793 break; 8794 case NFT_MSG_NEWRULE: 8795 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 8796 nf_tables_rule_notify(&trans->ctx, 8797 nft_trans_rule(trans), 8798 NFT_MSG_NEWRULE); 8799 nft_trans_destroy(trans); 8800 break; 8801 case NFT_MSG_DELRULE: 8802 list_del_rcu(&nft_trans_rule(trans)->list); 8803 nf_tables_rule_notify(&trans->ctx, 8804 nft_trans_rule(trans), 8805 NFT_MSG_DELRULE); 8806 nft_rule_expr_deactivate(&trans->ctx, 8807 nft_trans_rule(trans), 8808 NFT_TRANS_COMMIT); 8809 break; 8810 case NFT_MSG_NEWSET: 8811 nft_clear(net, nft_trans_set(trans)); 8812 /* This avoids hitting -EBUSY when deleting the table 8813 * from the transaction. 8814 */ 8815 if (nft_set_is_anonymous(nft_trans_set(trans)) && 8816 !list_empty(&nft_trans_set(trans)->bindings)) 8817 trans->ctx.table->use--; 8818 8819 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 8820 NFT_MSG_NEWSET, GFP_KERNEL); 8821 nft_trans_destroy(trans); 8822 break; 8823 case NFT_MSG_DELSET: 8824 list_del_rcu(&nft_trans_set(trans)->list); 8825 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 8826 NFT_MSG_DELSET, GFP_KERNEL); 8827 break; 8828 case NFT_MSG_NEWSETELEM: 8829 te = (struct nft_trans_elem *)trans->data; 8830 8831 nft_setelem_activate(net, te->set, &te->elem); 8832 nf_tables_setelem_notify(&trans->ctx, te->set, 8833 &te->elem, 8834 NFT_MSG_NEWSETELEM); 8835 nft_trans_destroy(trans); 8836 break; 8837 case NFT_MSG_DELSETELEM: 8838 te = (struct nft_trans_elem *)trans->data; 8839 8840 nf_tables_setelem_notify(&trans->ctx, te->set, 8841 &te->elem, 8842 NFT_MSG_DELSETELEM); 8843 nft_setelem_remove(net, te->set, &te->elem); 8844 if (!nft_setelem_is_catchall(te->set, &te->elem)) { 8845 atomic_dec(&te->set->nelems); 8846 te->set->ndeact--; 8847 } 8848 break; 8849 case NFT_MSG_NEWOBJ: 8850 if (nft_trans_obj_update(trans)) { 8851 nft_obj_commit_update(trans); 8852 nf_tables_obj_notify(&trans->ctx, 8853 nft_trans_obj(trans), 8854 NFT_MSG_NEWOBJ); 8855 } else { 8856 nft_clear(net, nft_trans_obj(trans)); 8857 nf_tables_obj_notify(&trans->ctx, 8858 nft_trans_obj(trans), 8859 NFT_MSG_NEWOBJ); 8860 nft_trans_destroy(trans); 8861 } 8862 break; 8863 case NFT_MSG_DELOBJ: 8864 nft_obj_del(nft_trans_obj(trans)); 8865 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans), 8866 NFT_MSG_DELOBJ); 8867 break; 8868 case NFT_MSG_NEWFLOWTABLE: 8869 if (nft_trans_flowtable_update(trans)) { 8870 nft_trans_flowtable(trans)->data.flags = 8871 nft_trans_flowtable_flags(trans); 8872 nf_tables_flowtable_notify(&trans->ctx, 8873 nft_trans_flowtable(trans), 8874 &nft_trans_flowtable_hooks(trans), 8875 NFT_MSG_NEWFLOWTABLE); 8876 list_splice(&nft_trans_flowtable_hooks(trans), 8877 &nft_trans_flowtable(trans)->hook_list); 8878 } else { 8879 nft_clear(net, nft_trans_flowtable(trans)); 8880 nf_tables_flowtable_notify(&trans->ctx, 8881 nft_trans_flowtable(trans), 8882 &nft_trans_flowtable(trans)->hook_list, 8883 NFT_MSG_NEWFLOWTABLE); 8884 } 8885 nft_trans_destroy(trans); 8886 break; 8887 case NFT_MSG_DELFLOWTABLE: 8888 if (nft_trans_flowtable_update(trans)) { 8889 nft_flowtable_hooks_del(nft_trans_flowtable(trans), 8890 &nft_trans_flowtable_hooks(trans)); 8891 nf_tables_flowtable_notify(&trans->ctx, 8892 nft_trans_flowtable(trans), 8893 &nft_trans_flowtable_hooks(trans), 8894 NFT_MSG_DELFLOWTABLE); 8895 nft_unregister_flowtable_net_hooks(net, 8896 &nft_trans_flowtable_hooks(trans)); 8897 } else { 8898 list_del_rcu(&nft_trans_flowtable(trans)->list); 8899 nf_tables_flowtable_notify(&trans->ctx, 8900 nft_trans_flowtable(trans), 8901 &nft_trans_flowtable(trans)->hook_list, 8902 NFT_MSG_DELFLOWTABLE); 8903 nft_unregister_flowtable_net_hooks(net, 8904 &nft_trans_flowtable(trans)->hook_list); 8905 } 8906 break; 8907 } 8908 } 8909 8910 nft_commit_notify(net, NETLINK_CB(skb).portid); 8911 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 8912 nf_tables_commit_audit_log(&adl, nft_net->base_seq); 8913 nf_tables_commit_release(net); 8914 8915 return 0; 8916 } 8917 8918 static void nf_tables_module_autoload(struct net *net) 8919 { 8920 struct nftables_pernet *nft_net = nft_pernet(net); 8921 struct nft_module_request *req, *next; 8922 LIST_HEAD(module_list); 8923 8924 list_splice_init(&nft_net->module_list, &module_list); 8925 mutex_unlock(&nft_net->commit_mutex); 8926 list_for_each_entry_safe(req, next, &module_list, list) { 8927 request_module("%s", req->module); 8928 req->done = true; 8929 } 8930 mutex_lock(&nft_net->commit_mutex); 8931 list_splice(&module_list, &nft_net->module_list); 8932 } 8933 8934 static void nf_tables_abort_release(struct nft_trans *trans) 8935 { 8936 switch (trans->msg_type) { 8937 case NFT_MSG_NEWTABLE: 8938 nf_tables_table_destroy(&trans->ctx); 8939 break; 8940 case NFT_MSG_NEWCHAIN: 8941 nf_tables_chain_destroy(&trans->ctx); 8942 break; 8943 case NFT_MSG_NEWRULE: 8944 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 8945 break; 8946 case NFT_MSG_NEWSET: 8947 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 8948 break; 8949 case NFT_MSG_NEWSETELEM: 8950 nft_set_elem_destroy(nft_trans_elem_set(trans), 8951 nft_trans_elem(trans).priv, true); 8952 break; 8953 case NFT_MSG_NEWOBJ: 8954 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 8955 break; 8956 case NFT_MSG_NEWFLOWTABLE: 8957 if (nft_trans_flowtable_update(trans)) 8958 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 8959 else 8960 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 8961 break; 8962 } 8963 kfree(trans); 8964 } 8965 8966 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) 8967 { 8968 struct nftables_pernet *nft_net = nft_pernet(net); 8969 struct nft_trans *trans, *next; 8970 struct nft_trans_elem *te; 8971 struct nft_hook *hook; 8972 8973 if (action == NFNL_ABORT_VALIDATE && 8974 nf_tables_validate(net) < 0) 8975 return -EAGAIN; 8976 8977 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, 8978 list) { 8979 switch (trans->msg_type) { 8980 case NFT_MSG_NEWTABLE: 8981 if (nft_trans_table_update(trans)) { 8982 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) { 8983 nft_trans_destroy(trans); 8984 break; 8985 } 8986 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) { 8987 nf_tables_table_disable(net, trans->ctx.table); 8988 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 8989 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) { 8990 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT; 8991 } 8992 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE; 8993 nft_trans_destroy(trans); 8994 } else { 8995 list_del_rcu(&trans->ctx.table->list); 8996 } 8997 break; 8998 case NFT_MSG_DELTABLE: 8999 nft_clear(trans->ctx.net, trans->ctx.table); 9000 nft_trans_destroy(trans); 9001 break; 9002 case NFT_MSG_NEWCHAIN: 9003 if (nft_trans_chain_update(trans)) { 9004 free_percpu(nft_trans_chain_stats(trans)); 9005 kfree(nft_trans_chain_name(trans)); 9006 nft_trans_destroy(trans); 9007 } else { 9008 if (nft_chain_is_bound(trans->ctx.chain)) { 9009 nft_trans_destroy(trans); 9010 break; 9011 } 9012 trans->ctx.table->use--; 9013 nft_chain_del(trans->ctx.chain); 9014 nf_tables_unregister_hook(trans->ctx.net, 9015 trans->ctx.table, 9016 trans->ctx.chain); 9017 } 9018 break; 9019 case NFT_MSG_DELCHAIN: 9020 trans->ctx.table->use++; 9021 nft_clear(trans->ctx.net, trans->ctx.chain); 9022 nft_trans_destroy(trans); 9023 break; 9024 case NFT_MSG_NEWRULE: 9025 trans->ctx.chain->use--; 9026 list_del_rcu(&nft_trans_rule(trans)->list); 9027 nft_rule_expr_deactivate(&trans->ctx, 9028 nft_trans_rule(trans), 9029 NFT_TRANS_ABORT); 9030 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 9031 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 9032 break; 9033 case NFT_MSG_DELRULE: 9034 trans->ctx.chain->use++; 9035 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 9036 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans)); 9037 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 9038 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 9039 9040 nft_trans_destroy(trans); 9041 break; 9042 case NFT_MSG_NEWSET: 9043 trans->ctx.table->use--; 9044 if (nft_trans_set_bound(trans)) { 9045 nft_trans_destroy(trans); 9046 break; 9047 } 9048 list_del_rcu(&nft_trans_set(trans)->list); 9049 break; 9050 case NFT_MSG_DELSET: 9051 trans->ctx.table->use++; 9052 nft_clear(trans->ctx.net, nft_trans_set(trans)); 9053 nft_trans_destroy(trans); 9054 break; 9055 case NFT_MSG_NEWSETELEM: 9056 if (nft_trans_elem_set_bound(trans)) { 9057 nft_trans_destroy(trans); 9058 break; 9059 } 9060 te = (struct nft_trans_elem *)trans->data; 9061 nft_setelem_remove(net, te->set, &te->elem); 9062 if (!nft_setelem_is_catchall(te->set, &te->elem)) 9063 atomic_dec(&te->set->nelems); 9064 break; 9065 case NFT_MSG_DELSETELEM: 9066 te = (struct nft_trans_elem *)trans->data; 9067 9068 nft_setelem_data_activate(net, te->set, &te->elem); 9069 nft_setelem_activate(net, te->set, &te->elem); 9070 if (!nft_setelem_is_catchall(te->set, &te->elem)) 9071 te->set->ndeact--; 9072 9073 nft_trans_destroy(trans); 9074 break; 9075 case NFT_MSG_NEWOBJ: 9076 if (nft_trans_obj_update(trans)) { 9077 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans)); 9078 nft_trans_destroy(trans); 9079 } else { 9080 trans->ctx.table->use--; 9081 nft_obj_del(nft_trans_obj(trans)); 9082 } 9083 break; 9084 case NFT_MSG_DELOBJ: 9085 trans->ctx.table->use++; 9086 nft_clear(trans->ctx.net, nft_trans_obj(trans)); 9087 nft_trans_destroy(trans); 9088 break; 9089 case NFT_MSG_NEWFLOWTABLE: 9090 if (nft_trans_flowtable_update(trans)) { 9091 nft_unregister_flowtable_net_hooks(net, 9092 &nft_trans_flowtable_hooks(trans)); 9093 } else { 9094 trans->ctx.table->use--; 9095 list_del_rcu(&nft_trans_flowtable(trans)->list); 9096 nft_unregister_flowtable_net_hooks(net, 9097 &nft_trans_flowtable(trans)->hook_list); 9098 } 9099 break; 9100 case NFT_MSG_DELFLOWTABLE: 9101 if (nft_trans_flowtable_update(trans)) { 9102 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list) 9103 hook->inactive = false; 9104 } else { 9105 trans->ctx.table->use++; 9106 nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); 9107 } 9108 nft_trans_destroy(trans); 9109 break; 9110 } 9111 } 9112 9113 synchronize_rcu(); 9114 9115 list_for_each_entry_safe_reverse(trans, next, 9116 &nft_net->commit_list, list) { 9117 list_del(&trans->list); 9118 nf_tables_abort_release(trans); 9119 } 9120 9121 if (action == NFNL_ABORT_AUTOLOAD) 9122 nf_tables_module_autoload(net); 9123 else 9124 nf_tables_module_autoload_cleanup(net); 9125 9126 return 0; 9127 } 9128 9129 static void nf_tables_cleanup(struct net *net) 9130 { 9131 nft_validate_state_update(net, NFT_VALIDATE_SKIP); 9132 } 9133 9134 static int nf_tables_abort(struct net *net, struct sk_buff *skb, 9135 enum nfnl_abort_action action) 9136 { 9137 struct nftables_pernet *nft_net = nft_pernet(net); 9138 int ret = __nf_tables_abort(net, action); 9139 9140 mutex_unlock(&nft_net->commit_mutex); 9141 9142 return ret; 9143 } 9144 9145 static bool nf_tables_valid_genid(struct net *net, u32 genid) 9146 { 9147 struct nftables_pernet *nft_net = nft_pernet(net); 9148 bool genid_ok; 9149 9150 mutex_lock(&nft_net->commit_mutex); 9151 9152 genid_ok = genid == 0 || nft_net->base_seq == genid; 9153 if (!genid_ok) 9154 mutex_unlock(&nft_net->commit_mutex); 9155 9156 /* else, commit mutex has to be released by commit or abort function */ 9157 return genid_ok; 9158 } 9159 9160 static const struct nfnetlink_subsystem nf_tables_subsys = { 9161 .name = "nf_tables", 9162 .subsys_id = NFNL_SUBSYS_NFTABLES, 9163 .cb_count = NFT_MSG_MAX, 9164 .cb = nf_tables_cb, 9165 .commit = nf_tables_commit, 9166 .abort = nf_tables_abort, 9167 .cleanup = nf_tables_cleanup, 9168 .valid_genid = nf_tables_valid_genid, 9169 .owner = THIS_MODULE, 9170 }; 9171 9172 int nft_chain_validate_dependency(const struct nft_chain *chain, 9173 enum nft_chain_types type) 9174 { 9175 const struct nft_base_chain *basechain; 9176 9177 if (nft_is_base_chain(chain)) { 9178 basechain = nft_base_chain(chain); 9179 if (basechain->type->type != type) 9180 return -EOPNOTSUPP; 9181 } 9182 return 0; 9183 } 9184 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 9185 9186 int nft_chain_validate_hooks(const struct nft_chain *chain, 9187 unsigned int hook_flags) 9188 { 9189 struct nft_base_chain *basechain; 9190 9191 if (nft_is_base_chain(chain)) { 9192 basechain = nft_base_chain(chain); 9193 9194 if ((1 << basechain->ops.hooknum) & hook_flags) 9195 return 0; 9196 9197 return -EOPNOTSUPP; 9198 } 9199 9200 return 0; 9201 } 9202 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 9203 9204 /* 9205 * Loop detection - walk through the ruleset beginning at the destination chain 9206 * of a new jump until either the source chain is reached (loop) or all 9207 * reachable chains have been traversed. 9208 * 9209 * The loop check is performed whenever a new jump verdict is added to an 9210 * expression or verdict map or a verdict map is bound to a new chain. 9211 */ 9212 9213 static int nf_tables_check_loops(const struct nft_ctx *ctx, 9214 const struct nft_chain *chain); 9215 9216 static int nft_check_loops(const struct nft_ctx *ctx, 9217 const struct nft_set_ext *ext) 9218 { 9219 const struct nft_data *data; 9220 int ret; 9221 9222 data = nft_set_ext_data(ext); 9223 switch (data->verdict.code) { 9224 case NFT_JUMP: 9225 case NFT_GOTO: 9226 ret = nf_tables_check_loops(ctx, data->verdict.chain); 9227 break; 9228 default: 9229 ret = 0; 9230 break; 9231 } 9232 9233 return ret; 9234 } 9235 9236 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, 9237 struct nft_set *set, 9238 const struct nft_set_iter *iter, 9239 struct nft_set_elem *elem) 9240 { 9241 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 9242 9243 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 9244 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 9245 return 0; 9246 9247 return nft_check_loops(ctx, ext); 9248 } 9249 9250 static int nft_set_catchall_loops(const struct nft_ctx *ctx, 9251 struct nft_set *set) 9252 { 9253 u8 genmask = nft_genmask_next(ctx->net); 9254 struct nft_set_elem_catchall *catchall; 9255 struct nft_set_ext *ext; 9256 int ret = 0; 9257 9258 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 9259 ext = nft_set_elem_ext(set, catchall->elem); 9260 if (!nft_set_elem_active(ext, genmask)) 9261 continue; 9262 9263 ret = nft_check_loops(ctx, ext); 9264 if (ret < 0) 9265 return ret; 9266 } 9267 9268 return ret; 9269 } 9270 9271 static int nf_tables_check_loops(const struct nft_ctx *ctx, 9272 const struct nft_chain *chain) 9273 { 9274 const struct nft_rule *rule; 9275 const struct nft_expr *expr, *last; 9276 struct nft_set *set; 9277 struct nft_set_binding *binding; 9278 struct nft_set_iter iter; 9279 9280 if (ctx->chain == chain) 9281 return -ELOOP; 9282 9283 list_for_each_entry(rule, &chain->rules, list) { 9284 nft_rule_for_each_expr(expr, last, rule) { 9285 struct nft_immediate_expr *priv; 9286 const struct nft_data *data; 9287 int err; 9288 9289 if (strcmp(expr->ops->type->name, "immediate")) 9290 continue; 9291 9292 priv = nft_expr_priv(expr); 9293 if (priv->dreg != NFT_REG_VERDICT) 9294 continue; 9295 9296 data = &priv->data; 9297 switch (data->verdict.code) { 9298 case NFT_JUMP: 9299 case NFT_GOTO: 9300 err = nf_tables_check_loops(ctx, 9301 data->verdict.chain); 9302 if (err < 0) 9303 return err; 9304 break; 9305 default: 9306 break; 9307 } 9308 } 9309 } 9310 9311 list_for_each_entry(set, &ctx->table->sets, list) { 9312 if (!nft_is_active_next(ctx->net, set)) 9313 continue; 9314 if (!(set->flags & NFT_SET_MAP) || 9315 set->dtype != NFT_DATA_VERDICT) 9316 continue; 9317 9318 list_for_each_entry(binding, &set->bindings, list) { 9319 if (!(binding->flags & NFT_SET_MAP) || 9320 binding->chain != chain) 9321 continue; 9322 9323 iter.genmask = nft_genmask_next(ctx->net); 9324 iter.skip = 0; 9325 iter.count = 0; 9326 iter.err = 0; 9327 iter.fn = nf_tables_loop_check_setelem; 9328 9329 set->ops->walk(ctx, set, &iter); 9330 if (!iter.err) 9331 iter.err = nft_set_catchall_loops(ctx, set); 9332 9333 if (iter.err < 0) 9334 return iter.err; 9335 } 9336 } 9337 9338 return 0; 9339 } 9340 9341 /** 9342 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 9343 * 9344 * @attr: netlink attribute to fetch value from 9345 * @max: maximum value to be stored in dest 9346 * @dest: pointer to the variable 9347 * 9348 * Parse, check and store a given u32 netlink attribute into variable. 9349 * This function returns -ERANGE if the value goes over maximum value. 9350 * Otherwise a 0 is returned and the attribute value is stored in the 9351 * destination variable. 9352 */ 9353 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 9354 { 9355 u32 val; 9356 9357 val = ntohl(nla_get_be32(attr)); 9358 if (val > max) 9359 return -ERANGE; 9360 9361 *dest = val; 9362 return 0; 9363 } 9364 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 9365 9366 static unsigned int nft_parse_register(const struct nlattr *attr, u32 *preg) 9367 { 9368 unsigned int reg; 9369 9370 reg = ntohl(nla_get_be32(attr)); 9371 switch (reg) { 9372 case NFT_REG_VERDICT...NFT_REG_4: 9373 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE; 9374 break; 9375 case NFT_REG32_00...NFT_REG32_15: 9376 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 9377 break; 9378 default: 9379 return -ERANGE; 9380 } 9381 9382 return 0; 9383 } 9384 9385 /** 9386 * nft_dump_register - dump a register value to a netlink attribute 9387 * 9388 * @skb: socket buffer 9389 * @attr: attribute number 9390 * @reg: register number 9391 * 9392 * Construct a netlink attribute containing the register number. For 9393 * compatibility reasons, register numbers being a multiple of 4 are 9394 * translated to the corresponding 128 bit register numbers. 9395 */ 9396 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 9397 { 9398 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 9399 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 9400 else 9401 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 9402 9403 return nla_put_be32(skb, attr, htonl(reg)); 9404 } 9405 EXPORT_SYMBOL_GPL(nft_dump_register); 9406 9407 static int nft_validate_register_load(enum nft_registers reg, unsigned int len) 9408 { 9409 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 9410 return -EINVAL; 9411 if (len == 0) 9412 return -EINVAL; 9413 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 9414 return -ERANGE; 9415 9416 return 0; 9417 } 9418 9419 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len) 9420 { 9421 u32 reg; 9422 int err; 9423 9424 err = nft_parse_register(attr, ®); 9425 if (err < 0) 9426 return err; 9427 9428 err = nft_validate_register_load(reg, len); 9429 if (err < 0) 9430 return err; 9431 9432 *sreg = reg; 9433 return 0; 9434 } 9435 EXPORT_SYMBOL_GPL(nft_parse_register_load); 9436 9437 static int nft_validate_register_store(const struct nft_ctx *ctx, 9438 enum nft_registers reg, 9439 const struct nft_data *data, 9440 enum nft_data_types type, 9441 unsigned int len) 9442 { 9443 int err; 9444 9445 switch (reg) { 9446 case NFT_REG_VERDICT: 9447 if (type != NFT_DATA_VERDICT) 9448 return -EINVAL; 9449 9450 if (data != NULL && 9451 (data->verdict.code == NFT_GOTO || 9452 data->verdict.code == NFT_JUMP)) { 9453 err = nf_tables_check_loops(ctx, data->verdict.chain); 9454 if (err < 0) 9455 return err; 9456 } 9457 9458 return 0; 9459 default: 9460 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 9461 return -EINVAL; 9462 if (len == 0) 9463 return -EINVAL; 9464 if (reg * NFT_REG32_SIZE + len > 9465 sizeof_field(struct nft_regs, data)) 9466 return -ERANGE; 9467 9468 if (data != NULL && type != NFT_DATA_VALUE) 9469 return -EINVAL; 9470 return 0; 9471 } 9472 } 9473 9474 int nft_parse_register_store(const struct nft_ctx *ctx, 9475 const struct nlattr *attr, u8 *dreg, 9476 const struct nft_data *data, 9477 enum nft_data_types type, unsigned int len) 9478 { 9479 int err; 9480 u32 reg; 9481 9482 err = nft_parse_register(attr, ®); 9483 if (err < 0) 9484 return err; 9485 9486 err = nft_validate_register_store(ctx, reg, data, type, len); 9487 if (err < 0) 9488 return err; 9489 9490 *dreg = reg; 9491 return 0; 9492 } 9493 EXPORT_SYMBOL_GPL(nft_parse_register_store); 9494 9495 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 9496 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 9497 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 9498 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 9499 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 }, 9500 }; 9501 9502 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 9503 struct nft_data_desc *desc, const struct nlattr *nla) 9504 { 9505 u8 genmask = nft_genmask_next(ctx->net); 9506 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 9507 struct nft_chain *chain; 9508 int err; 9509 9510 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 9511 nft_verdict_policy, NULL); 9512 if (err < 0) 9513 return err; 9514 9515 if (!tb[NFTA_VERDICT_CODE]) 9516 return -EINVAL; 9517 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 9518 9519 switch (data->verdict.code) { 9520 default: 9521 switch (data->verdict.code & NF_VERDICT_MASK) { 9522 case NF_ACCEPT: 9523 case NF_DROP: 9524 case NF_QUEUE: 9525 break; 9526 default: 9527 return -EINVAL; 9528 } 9529 fallthrough; 9530 case NFT_CONTINUE: 9531 case NFT_BREAK: 9532 case NFT_RETURN: 9533 break; 9534 case NFT_JUMP: 9535 case NFT_GOTO: 9536 if (tb[NFTA_VERDICT_CHAIN]) { 9537 chain = nft_chain_lookup(ctx->net, ctx->table, 9538 tb[NFTA_VERDICT_CHAIN], 9539 genmask); 9540 } else if (tb[NFTA_VERDICT_CHAIN_ID]) { 9541 chain = nft_chain_lookup_byid(ctx->net, 9542 tb[NFTA_VERDICT_CHAIN_ID]); 9543 if (IS_ERR(chain)) 9544 return PTR_ERR(chain); 9545 } else { 9546 return -EINVAL; 9547 } 9548 9549 if (IS_ERR(chain)) 9550 return PTR_ERR(chain); 9551 if (nft_is_base_chain(chain)) 9552 return -EOPNOTSUPP; 9553 9554 chain->use++; 9555 data->verdict.chain = chain; 9556 break; 9557 } 9558 9559 desc->len = sizeof(data->verdict); 9560 desc->type = NFT_DATA_VERDICT; 9561 return 0; 9562 } 9563 9564 static void nft_verdict_uninit(const struct nft_data *data) 9565 { 9566 struct nft_chain *chain; 9567 struct nft_rule *rule; 9568 9569 switch (data->verdict.code) { 9570 case NFT_JUMP: 9571 case NFT_GOTO: 9572 chain = data->verdict.chain; 9573 chain->use--; 9574 9575 if (!nft_chain_is_bound(chain)) 9576 break; 9577 9578 chain->table->use--; 9579 list_for_each_entry(rule, &chain->rules, list) 9580 chain->use--; 9581 9582 nft_chain_del(chain); 9583 break; 9584 } 9585 } 9586 9587 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 9588 { 9589 struct nlattr *nest; 9590 9591 nest = nla_nest_start_noflag(skb, type); 9592 if (!nest) 9593 goto nla_put_failure; 9594 9595 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 9596 goto nla_put_failure; 9597 9598 switch (v->code) { 9599 case NFT_JUMP: 9600 case NFT_GOTO: 9601 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 9602 v->chain->name)) 9603 goto nla_put_failure; 9604 } 9605 nla_nest_end(skb, nest); 9606 return 0; 9607 9608 nla_put_failure: 9609 return -1; 9610 } 9611 9612 static int nft_value_init(const struct nft_ctx *ctx, 9613 struct nft_data *data, unsigned int size, 9614 struct nft_data_desc *desc, const struct nlattr *nla) 9615 { 9616 unsigned int len; 9617 9618 len = nla_len(nla); 9619 if (len == 0) 9620 return -EINVAL; 9621 if (len > size) 9622 return -EOVERFLOW; 9623 9624 nla_memcpy(data->data, nla, len); 9625 desc->type = NFT_DATA_VALUE; 9626 desc->len = len; 9627 return 0; 9628 } 9629 9630 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 9631 unsigned int len) 9632 { 9633 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 9634 } 9635 9636 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 9637 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 9638 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 9639 }; 9640 9641 /** 9642 * nft_data_init - parse nf_tables data netlink attributes 9643 * 9644 * @ctx: context of the expression using the data 9645 * @data: destination struct nft_data 9646 * @size: maximum data length 9647 * @desc: data description 9648 * @nla: netlink attribute containing data 9649 * 9650 * Parse the netlink data attributes and initialize a struct nft_data. 9651 * The type and length of data are returned in the data description. 9652 * 9653 * The caller can indicate that it only wants to accept data of type 9654 * NFT_DATA_VALUE by passing NULL for the ctx argument. 9655 */ 9656 int nft_data_init(const struct nft_ctx *ctx, 9657 struct nft_data *data, unsigned int size, 9658 struct nft_data_desc *desc, const struct nlattr *nla) 9659 { 9660 struct nlattr *tb[NFTA_DATA_MAX + 1]; 9661 int err; 9662 9663 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 9664 nft_data_policy, NULL); 9665 if (err < 0) 9666 return err; 9667 9668 if (tb[NFTA_DATA_VALUE]) 9669 return nft_value_init(ctx, data, size, desc, 9670 tb[NFTA_DATA_VALUE]); 9671 if (tb[NFTA_DATA_VERDICT] && ctx != NULL) 9672 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 9673 return -EINVAL; 9674 } 9675 EXPORT_SYMBOL_GPL(nft_data_init); 9676 9677 /** 9678 * nft_data_release - release a nft_data item 9679 * 9680 * @data: struct nft_data to release 9681 * @type: type of data 9682 * 9683 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 9684 * all others need to be released by calling this function. 9685 */ 9686 void nft_data_release(const struct nft_data *data, enum nft_data_types type) 9687 { 9688 if (type < NFT_DATA_VERDICT) 9689 return; 9690 switch (type) { 9691 case NFT_DATA_VERDICT: 9692 return nft_verdict_uninit(data); 9693 default: 9694 WARN_ON(1); 9695 } 9696 } 9697 EXPORT_SYMBOL_GPL(nft_data_release); 9698 9699 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 9700 enum nft_data_types type, unsigned int len) 9701 { 9702 struct nlattr *nest; 9703 int err; 9704 9705 nest = nla_nest_start_noflag(skb, attr); 9706 if (nest == NULL) 9707 return -1; 9708 9709 switch (type) { 9710 case NFT_DATA_VALUE: 9711 err = nft_value_dump(skb, data, len); 9712 break; 9713 case NFT_DATA_VERDICT: 9714 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 9715 break; 9716 default: 9717 err = -EINVAL; 9718 WARN_ON(1); 9719 } 9720 9721 nla_nest_end(skb, nest); 9722 return err; 9723 } 9724 EXPORT_SYMBOL_GPL(nft_data_dump); 9725 9726 int __nft_release_basechain(struct nft_ctx *ctx) 9727 { 9728 struct nft_rule *rule, *nr; 9729 9730 if (WARN_ON(!nft_is_base_chain(ctx->chain))) 9731 return 0; 9732 9733 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); 9734 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { 9735 list_del(&rule->list); 9736 ctx->chain->use--; 9737 nf_tables_rule_release(ctx, rule); 9738 } 9739 nft_chain_del(ctx->chain); 9740 ctx->table->use--; 9741 nf_tables_chain_destroy(ctx); 9742 9743 return 0; 9744 } 9745 EXPORT_SYMBOL_GPL(__nft_release_basechain); 9746 9747 static void __nft_release_hook(struct net *net, struct nft_table *table) 9748 { 9749 struct nft_flowtable *flowtable; 9750 struct nft_chain *chain; 9751 9752 list_for_each_entry(chain, &table->chains, list) 9753 nf_tables_unregister_hook(net, table, chain); 9754 list_for_each_entry(flowtable, &table->flowtables, list) 9755 nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list); 9756 } 9757 9758 static void __nft_release_hooks(struct net *net) 9759 { 9760 struct nftables_pernet *nft_net = nft_pernet(net); 9761 struct nft_table *table; 9762 9763 list_for_each_entry(table, &nft_net->tables, list) { 9764 if (nft_table_has_owner(table)) 9765 continue; 9766 9767 __nft_release_hook(net, table); 9768 } 9769 } 9770 9771 static void __nft_release_table(struct net *net, struct nft_table *table) 9772 { 9773 struct nft_flowtable *flowtable, *nf; 9774 struct nft_chain *chain, *nc; 9775 struct nft_object *obj, *ne; 9776 struct nft_rule *rule, *nr; 9777 struct nft_set *set, *ns; 9778 struct nft_ctx ctx = { 9779 .net = net, 9780 .family = NFPROTO_NETDEV, 9781 }; 9782 9783 ctx.family = table->family; 9784 ctx.table = table; 9785 list_for_each_entry(chain, &table->chains, list) { 9786 ctx.chain = chain; 9787 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 9788 list_del(&rule->list); 9789 chain->use--; 9790 nf_tables_rule_release(&ctx, rule); 9791 } 9792 } 9793 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 9794 list_del(&flowtable->list); 9795 table->use--; 9796 nf_tables_flowtable_destroy(flowtable); 9797 } 9798 list_for_each_entry_safe(set, ns, &table->sets, list) { 9799 list_del(&set->list); 9800 table->use--; 9801 nft_set_destroy(&ctx, set); 9802 } 9803 list_for_each_entry_safe(obj, ne, &table->objects, list) { 9804 nft_obj_del(obj); 9805 table->use--; 9806 nft_obj_destroy(&ctx, obj); 9807 } 9808 list_for_each_entry_safe(chain, nc, &table->chains, list) { 9809 ctx.chain = chain; 9810 nft_chain_del(chain); 9811 table->use--; 9812 nf_tables_chain_destroy(&ctx); 9813 } 9814 nf_tables_table_destroy(&ctx); 9815 } 9816 9817 static void __nft_release_tables(struct net *net) 9818 { 9819 struct nftables_pernet *nft_net = nft_pernet(net); 9820 struct nft_table *table, *nt; 9821 9822 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 9823 if (nft_table_has_owner(table)) 9824 continue; 9825 9826 list_del(&table->list); 9827 9828 __nft_release_table(net, table); 9829 } 9830 } 9831 9832 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, 9833 void *ptr) 9834 { 9835 struct nft_table *table, *to_delete[8]; 9836 struct nftables_pernet *nft_net; 9837 struct netlink_notify *n = ptr; 9838 struct net *net = n->net; 9839 unsigned int deleted; 9840 bool restart = false; 9841 9842 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER) 9843 return NOTIFY_DONE; 9844 9845 nft_net = nft_pernet(net); 9846 deleted = 0; 9847 mutex_lock(&nft_net->commit_mutex); 9848 again: 9849 list_for_each_entry(table, &nft_net->tables, list) { 9850 if (nft_table_has_owner(table) && 9851 n->portid == table->nlpid) { 9852 __nft_release_hook(net, table); 9853 list_del_rcu(&table->list); 9854 to_delete[deleted++] = table; 9855 if (deleted >= ARRAY_SIZE(to_delete)) 9856 break; 9857 } 9858 } 9859 if (deleted) { 9860 restart = deleted >= ARRAY_SIZE(to_delete); 9861 synchronize_rcu(); 9862 while (deleted) 9863 __nft_release_table(net, to_delete[--deleted]); 9864 9865 if (restart) 9866 goto again; 9867 } 9868 mutex_unlock(&nft_net->commit_mutex); 9869 9870 return NOTIFY_DONE; 9871 } 9872 9873 static struct notifier_block nft_nl_notifier = { 9874 .notifier_call = nft_rcv_nl_event, 9875 }; 9876 9877 static int __net_init nf_tables_init_net(struct net *net) 9878 { 9879 struct nftables_pernet *nft_net = nft_pernet(net); 9880 9881 INIT_LIST_HEAD(&nft_net->tables); 9882 INIT_LIST_HEAD(&nft_net->commit_list); 9883 INIT_LIST_HEAD(&nft_net->module_list); 9884 INIT_LIST_HEAD(&nft_net->notify_list); 9885 mutex_init(&nft_net->commit_mutex); 9886 nft_net->base_seq = 1; 9887 nft_net->validate_state = NFT_VALIDATE_SKIP; 9888 9889 return 0; 9890 } 9891 9892 static void __net_exit nf_tables_pre_exit_net(struct net *net) 9893 { 9894 __nft_release_hooks(net); 9895 } 9896 9897 static void __net_exit nf_tables_exit_net(struct net *net) 9898 { 9899 struct nftables_pernet *nft_net = nft_pernet(net); 9900 9901 mutex_lock(&nft_net->commit_mutex); 9902 if (!list_empty(&nft_net->commit_list)) 9903 __nf_tables_abort(net, NFNL_ABORT_NONE); 9904 __nft_release_tables(net); 9905 mutex_unlock(&nft_net->commit_mutex); 9906 WARN_ON_ONCE(!list_empty(&nft_net->tables)); 9907 WARN_ON_ONCE(!list_empty(&nft_net->module_list)); 9908 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 9909 } 9910 9911 static struct pernet_operations nf_tables_net_ops = { 9912 .init = nf_tables_init_net, 9913 .pre_exit = nf_tables_pre_exit_net, 9914 .exit = nf_tables_exit_net, 9915 .id = &nf_tables_net_id, 9916 .size = sizeof(struct nftables_pernet), 9917 }; 9918 9919 static int __init nf_tables_module_init(void) 9920 { 9921 int err; 9922 9923 err = register_pernet_subsys(&nf_tables_net_ops); 9924 if (err < 0) 9925 return err; 9926 9927 err = nft_chain_filter_init(); 9928 if (err < 0) 9929 goto err_chain_filter; 9930 9931 err = nf_tables_core_module_init(); 9932 if (err < 0) 9933 goto err_core_module; 9934 9935 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 9936 if (err < 0) 9937 goto err_netdev_notifier; 9938 9939 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 9940 if (err < 0) 9941 goto err_rht_objname; 9942 9943 err = nft_offload_init(); 9944 if (err < 0) 9945 goto err_offload; 9946 9947 err = netlink_register_notifier(&nft_nl_notifier); 9948 if (err < 0) 9949 goto err_netlink_notifier; 9950 9951 /* must be last */ 9952 err = nfnetlink_subsys_register(&nf_tables_subsys); 9953 if (err < 0) 9954 goto err_nfnl_subsys; 9955 9956 nft_chain_route_init(); 9957 9958 return err; 9959 9960 err_nfnl_subsys: 9961 netlink_unregister_notifier(&nft_nl_notifier); 9962 err_netlink_notifier: 9963 nft_offload_exit(); 9964 err_offload: 9965 rhltable_destroy(&nft_objname_ht); 9966 err_rht_objname: 9967 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 9968 err_netdev_notifier: 9969 nf_tables_core_module_exit(); 9970 err_core_module: 9971 nft_chain_filter_fini(); 9972 err_chain_filter: 9973 unregister_pernet_subsys(&nf_tables_net_ops); 9974 return err; 9975 } 9976 9977 static void __exit nf_tables_module_exit(void) 9978 { 9979 nfnetlink_subsys_unregister(&nf_tables_subsys); 9980 netlink_unregister_notifier(&nft_nl_notifier); 9981 nft_offload_exit(); 9982 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 9983 nft_chain_filter_fini(); 9984 nft_chain_route_fini(); 9985 unregister_pernet_subsys(&nf_tables_net_ops); 9986 cancel_work_sync(&trans_destroy_work); 9987 rcu_barrier(); 9988 rhltable_destroy(&nft_objname_ht); 9989 nf_tables_core_module_exit(); 9990 } 9991 9992 module_init(nf_tables_module_init); 9993 module_exit(nf_tables_module_exit); 9994 9995 MODULE_LICENSE("GPL"); 9996 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 9997 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 9998