1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/skbuff.h> 12 #include <linux/netlink.h> 13 #include <linux/vmalloc.h> 14 #include <linux/rhashtable.h> 15 #include <linux/audit.h> 16 #include <linux/netfilter.h> 17 #include <linux/netfilter/nfnetlink.h> 18 #include <linux/netfilter/nf_tables.h> 19 #include <net/netfilter/nf_flow_table.h> 20 #include <net/netfilter/nf_tables_core.h> 21 #include <net/netfilter/nf_tables.h> 22 #include <net/netfilter/nf_tables_offload.h> 23 #include <net/net_namespace.h> 24 #include <net/sock.h> 25 26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 27 28 unsigned int nf_tables_net_id __read_mostly; 29 30 static LIST_HEAD(nf_tables_expressions); 31 static LIST_HEAD(nf_tables_objects); 32 static LIST_HEAD(nf_tables_flowtables); 33 static LIST_HEAD(nf_tables_destroy_list); 34 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 35 static u64 table_handle; 36 37 enum { 38 NFT_VALIDATE_SKIP = 0, 39 NFT_VALIDATE_NEED, 40 NFT_VALIDATE_DO, 41 }; 42 43 static struct rhltable nft_objname_ht; 44 45 static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 46 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 47 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 48 49 static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 50 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 51 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 52 53 static const struct rhashtable_params nft_chain_ht_params = { 54 .head_offset = offsetof(struct nft_chain, rhlhead), 55 .key_offset = offsetof(struct nft_chain, name), 56 .hashfn = nft_chain_hash, 57 .obj_hashfn = nft_chain_hash_obj, 58 .obj_cmpfn = nft_chain_hash_cmp, 59 .automatic_shrinking = true, 60 }; 61 62 static const struct rhashtable_params nft_objname_ht_params = { 63 .head_offset = offsetof(struct nft_object, rhlhead), 64 .key_offset = offsetof(struct nft_object, key), 65 .hashfn = nft_objname_hash, 66 .obj_hashfn = nft_objname_hash_obj, 67 .obj_cmpfn = nft_objname_hash_cmp, 68 .automatic_shrinking = true, 69 }; 70 71 struct nft_audit_data { 72 struct nft_table *table; 73 int entries; 74 int op; 75 struct list_head list; 76 }; 77 78 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types 79 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER, 80 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID, 81 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER, 82 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER, 83 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID, 84 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER, 85 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER, 86 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID, 87 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER, 88 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER, 89 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID, 90 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER, 91 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER, 92 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID, 93 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER, 94 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER, 95 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID, 96 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID, 97 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER, 98 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID, 99 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER, 100 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET, 101 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER, 102 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID, 103 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 104 }; 105 106 static void nft_validate_state_update(struct net *net, u8 new_validate_state) 107 { 108 struct nftables_pernet *nft_net = nft_pernet(net); 109 110 switch (nft_net->validate_state) { 111 case NFT_VALIDATE_SKIP: 112 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 113 break; 114 case NFT_VALIDATE_NEED: 115 break; 116 case NFT_VALIDATE_DO: 117 if (new_validate_state == NFT_VALIDATE_NEED) 118 return; 119 } 120 121 nft_net->validate_state = new_validate_state; 122 } 123 static void nf_tables_trans_destroy_work(struct work_struct *w); 124 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); 125 126 static void nft_ctx_init(struct nft_ctx *ctx, 127 struct net *net, 128 const struct sk_buff *skb, 129 const struct nlmsghdr *nlh, 130 u8 family, 131 struct nft_table *table, 132 struct nft_chain *chain, 133 const struct nlattr * const *nla) 134 { 135 ctx->net = net; 136 ctx->family = family; 137 ctx->level = 0; 138 ctx->table = table; 139 ctx->chain = chain; 140 ctx->nla = nla; 141 ctx->portid = NETLINK_CB(skb).portid; 142 ctx->report = nlmsg_report(nlh); 143 ctx->flags = nlh->nlmsg_flags; 144 ctx->seq = nlh->nlmsg_seq; 145 } 146 147 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 148 int msg_type, u32 size, gfp_t gfp) 149 { 150 struct nft_trans *trans; 151 152 trans = kzalloc(sizeof(struct nft_trans) + size, gfp); 153 if (trans == NULL) 154 return NULL; 155 156 trans->msg_type = msg_type; 157 trans->ctx = *ctx; 158 159 return trans; 160 } 161 162 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 163 int msg_type, u32 size) 164 { 165 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 166 } 167 168 static void nft_trans_destroy(struct nft_trans *trans) 169 { 170 list_del(&trans->list); 171 kfree(trans); 172 } 173 174 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 175 { 176 struct nftables_pernet *nft_net; 177 struct net *net = ctx->net; 178 struct nft_trans *trans; 179 180 if (!nft_set_is_anonymous(set)) 181 return; 182 183 nft_net = nft_pernet(net); 184 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 185 switch (trans->msg_type) { 186 case NFT_MSG_NEWSET: 187 if (nft_trans_set(trans) == set) 188 nft_trans_set_bound(trans) = true; 189 break; 190 case NFT_MSG_NEWSETELEM: 191 if (nft_trans_elem_set(trans) == set) 192 nft_trans_elem_set_bound(trans) = true; 193 break; 194 } 195 } 196 } 197 198 static int nft_netdev_register_hooks(struct net *net, 199 struct list_head *hook_list) 200 { 201 struct nft_hook *hook; 202 int err, j; 203 204 j = 0; 205 list_for_each_entry(hook, hook_list, list) { 206 err = nf_register_net_hook(net, &hook->ops); 207 if (err < 0) 208 goto err_register; 209 210 j++; 211 } 212 return 0; 213 214 err_register: 215 list_for_each_entry(hook, hook_list, list) { 216 if (j-- <= 0) 217 break; 218 219 nf_unregister_net_hook(net, &hook->ops); 220 } 221 return err; 222 } 223 224 static void nft_netdev_unregister_hooks(struct net *net, 225 struct list_head *hook_list) 226 { 227 struct nft_hook *hook; 228 229 list_for_each_entry(hook, hook_list, list) 230 nf_unregister_net_hook(net, &hook->ops); 231 } 232 233 static int nf_tables_register_hook(struct net *net, 234 const struct nft_table *table, 235 struct nft_chain *chain) 236 { 237 struct nft_base_chain *basechain; 238 const struct nf_hook_ops *ops; 239 240 if (table->flags & NFT_TABLE_F_DORMANT || 241 !nft_is_base_chain(chain)) 242 return 0; 243 244 basechain = nft_base_chain(chain); 245 ops = &basechain->ops; 246 247 if (basechain->type->ops_register) 248 return basechain->type->ops_register(net, ops); 249 250 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 251 return nft_netdev_register_hooks(net, &basechain->hook_list); 252 253 return nf_register_net_hook(net, &basechain->ops); 254 } 255 256 static void nf_tables_unregister_hook(struct net *net, 257 const struct nft_table *table, 258 struct nft_chain *chain) 259 { 260 struct nft_base_chain *basechain; 261 const struct nf_hook_ops *ops; 262 263 if (table->flags & NFT_TABLE_F_DORMANT || 264 !nft_is_base_chain(chain)) 265 return; 266 basechain = nft_base_chain(chain); 267 ops = &basechain->ops; 268 269 if (basechain->type->ops_unregister) 270 return basechain->type->ops_unregister(net, ops); 271 272 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 273 nft_netdev_unregister_hooks(net, &basechain->hook_list); 274 else 275 nf_unregister_net_hook(net, &basechain->ops); 276 } 277 278 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) 279 { 280 struct nftables_pernet *nft_net = nft_pernet(net); 281 282 list_add_tail(&trans->list, &nft_net->commit_list); 283 } 284 285 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 286 { 287 struct nft_trans *trans; 288 289 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 290 if (trans == NULL) 291 return -ENOMEM; 292 293 if (msg_type == NFT_MSG_NEWTABLE) 294 nft_activate_next(ctx->net, ctx->table); 295 296 nft_trans_commit_list_add_tail(ctx->net, trans); 297 return 0; 298 } 299 300 static int nft_deltable(struct nft_ctx *ctx) 301 { 302 int err; 303 304 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 305 if (err < 0) 306 return err; 307 308 nft_deactivate_next(ctx->net, ctx->table); 309 return err; 310 } 311 312 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 313 { 314 struct nft_trans *trans; 315 316 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 317 if (trans == NULL) 318 return ERR_PTR(-ENOMEM); 319 320 if (msg_type == NFT_MSG_NEWCHAIN) { 321 nft_activate_next(ctx->net, ctx->chain); 322 323 if (ctx->nla[NFTA_CHAIN_ID]) { 324 nft_trans_chain_id(trans) = 325 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); 326 } 327 } 328 329 nft_trans_commit_list_add_tail(ctx->net, trans); 330 return trans; 331 } 332 333 static int nft_delchain(struct nft_ctx *ctx) 334 { 335 struct nft_trans *trans; 336 337 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 338 if (IS_ERR(trans)) 339 return PTR_ERR(trans); 340 341 ctx->table->use--; 342 nft_deactivate_next(ctx->net, ctx->chain); 343 344 return 0; 345 } 346 347 static void nft_rule_expr_activate(const struct nft_ctx *ctx, 348 struct nft_rule *rule) 349 { 350 struct nft_expr *expr; 351 352 expr = nft_expr_first(rule); 353 while (nft_expr_more(rule, expr)) { 354 if (expr->ops->activate) 355 expr->ops->activate(ctx, expr); 356 357 expr = nft_expr_next(expr); 358 } 359 } 360 361 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, 362 struct nft_rule *rule, 363 enum nft_trans_phase phase) 364 { 365 struct nft_expr *expr; 366 367 expr = nft_expr_first(rule); 368 while (nft_expr_more(rule, expr)) { 369 if (expr->ops->deactivate) 370 expr->ops->deactivate(ctx, expr, phase); 371 372 expr = nft_expr_next(expr); 373 } 374 } 375 376 static int 377 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 378 { 379 /* You cannot delete the same rule twice */ 380 if (nft_is_active_next(ctx->net, rule)) { 381 nft_deactivate_next(ctx->net, rule); 382 ctx->chain->use--; 383 return 0; 384 } 385 return -ENOENT; 386 } 387 388 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 389 struct nft_rule *rule) 390 { 391 struct nft_trans *trans; 392 393 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 394 if (trans == NULL) 395 return NULL; 396 397 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 398 nft_trans_rule_id(trans) = 399 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 400 } 401 nft_trans_rule(trans) = rule; 402 nft_trans_commit_list_add_tail(ctx->net, trans); 403 404 return trans; 405 } 406 407 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 408 { 409 struct nft_flow_rule *flow; 410 struct nft_trans *trans; 411 int err; 412 413 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 414 if (trans == NULL) 415 return -ENOMEM; 416 417 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 418 flow = nft_flow_rule_create(ctx->net, rule); 419 if (IS_ERR(flow)) { 420 nft_trans_destroy(trans); 421 return PTR_ERR(flow); 422 } 423 424 nft_trans_flow_rule(trans) = flow; 425 } 426 427 err = nf_tables_delrule_deactivate(ctx, rule); 428 if (err < 0) { 429 nft_trans_destroy(trans); 430 return err; 431 } 432 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 433 434 return 0; 435 } 436 437 static int nft_delrule_by_chain(struct nft_ctx *ctx) 438 { 439 struct nft_rule *rule; 440 int err; 441 442 list_for_each_entry(rule, &ctx->chain->rules, list) { 443 if (!nft_is_active_next(ctx->net, rule)) 444 continue; 445 446 err = nft_delrule(ctx, rule); 447 if (err < 0) 448 return err; 449 } 450 return 0; 451 } 452 453 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 454 struct nft_set *set) 455 { 456 struct nft_trans *trans; 457 458 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 459 if (trans == NULL) 460 return -ENOMEM; 461 462 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) { 463 nft_trans_set_id(trans) = 464 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 465 nft_activate_next(ctx->net, set); 466 } 467 nft_trans_set(trans) = set; 468 nft_trans_commit_list_add_tail(ctx->net, trans); 469 470 return 0; 471 } 472 473 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 474 { 475 int err; 476 477 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 478 if (err < 0) 479 return err; 480 481 nft_deactivate_next(ctx->net, set); 482 ctx->table->use--; 483 484 return err; 485 } 486 487 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 488 struct nft_object *obj) 489 { 490 struct nft_trans *trans; 491 492 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 493 if (trans == NULL) 494 return -ENOMEM; 495 496 if (msg_type == NFT_MSG_NEWOBJ) 497 nft_activate_next(ctx->net, obj); 498 499 nft_trans_obj(trans) = obj; 500 nft_trans_commit_list_add_tail(ctx->net, trans); 501 502 return 0; 503 } 504 505 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 506 { 507 int err; 508 509 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 510 if (err < 0) 511 return err; 512 513 nft_deactivate_next(ctx->net, obj); 514 ctx->table->use--; 515 516 return err; 517 } 518 519 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 520 struct nft_flowtable *flowtable) 521 { 522 struct nft_trans *trans; 523 524 trans = nft_trans_alloc(ctx, msg_type, 525 sizeof(struct nft_trans_flowtable)); 526 if (trans == NULL) 527 return -ENOMEM; 528 529 if (msg_type == NFT_MSG_NEWFLOWTABLE) 530 nft_activate_next(ctx->net, flowtable); 531 532 nft_trans_flowtable(trans) = flowtable; 533 nft_trans_commit_list_add_tail(ctx->net, trans); 534 535 return 0; 536 } 537 538 static int nft_delflowtable(struct nft_ctx *ctx, 539 struct nft_flowtable *flowtable) 540 { 541 int err; 542 543 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 544 if (err < 0) 545 return err; 546 547 nft_deactivate_next(ctx->net, flowtable); 548 ctx->table->use--; 549 550 return err; 551 } 552 553 /* 554 * Tables 555 */ 556 557 static struct nft_table *nft_table_lookup(const struct net *net, 558 const struct nlattr *nla, 559 u8 family, u8 genmask, u32 nlpid) 560 { 561 struct nftables_pernet *nft_net; 562 struct nft_table *table; 563 564 if (nla == NULL) 565 return ERR_PTR(-EINVAL); 566 567 nft_net = nft_pernet(net); 568 list_for_each_entry_rcu(table, &nft_net->tables, list, 569 lockdep_is_held(&nft_net->commit_mutex)) { 570 if (!nla_strcmp(nla, table->name) && 571 table->family == family && 572 nft_active_genmask(table, genmask)) { 573 if (nft_table_has_owner(table) && 574 nlpid && table->nlpid != nlpid) 575 return ERR_PTR(-EPERM); 576 577 return table; 578 } 579 } 580 581 return ERR_PTR(-ENOENT); 582 } 583 584 static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 585 const struct nlattr *nla, 586 u8 genmask, u32 nlpid) 587 { 588 struct nftables_pernet *nft_net; 589 struct nft_table *table; 590 591 nft_net = nft_pernet(net); 592 list_for_each_entry(table, &nft_net->tables, list) { 593 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 594 nft_active_genmask(table, genmask)) { 595 if (nft_table_has_owner(table) && 596 nlpid && table->nlpid != nlpid) 597 return ERR_PTR(-EPERM); 598 599 return table; 600 } 601 } 602 603 return ERR_PTR(-ENOENT); 604 } 605 606 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 607 { 608 return ++table->hgenerator; 609 } 610 611 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 612 613 static const struct nft_chain_type * 614 __nft_chain_type_get(u8 family, enum nft_chain_types type) 615 { 616 if (family >= NFPROTO_NUMPROTO || 617 type >= NFT_CHAIN_T_MAX) 618 return NULL; 619 620 return chain_type[family][type]; 621 } 622 623 static const struct nft_chain_type * 624 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 625 { 626 const struct nft_chain_type *type; 627 int i; 628 629 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 630 type = __nft_chain_type_get(family, i); 631 if (!type) 632 continue; 633 if (!nla_strcmp(nla, type->name)) 634 return type; 635 } 636 return NULL; 637 } 638 639 struct nft_module_request { 640 struct list_head list; 641 char module[MODULE_NAME_LEN]; 642 bool done; 643 }; 644 645 #ifdef CONFIG_MODULES 646 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, 647 ...) 648 { 649 char module_name[MODULE_NAME_LEN]; 650 struct nftables_pernet *nft_net; 651 struct nft_module_request *req; 652 va_list args; 653 int ret; 654 655 va_start(args, fmt); 656 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 657 va_end(args); 658 if (ret >= MODULE_NAME_LEN) 659 return 0; 660 661 nft_net = nft_pernet(net); 662 list_for_each_entry(req, &nft_net->module_list, list) { 663 if (!strcmp(req->module, module_name)) { 664 if (req->done) 665 return 0; 666 667 /* A request to load this module already exists. */ 668 return -EAGAIN; 669 } 670 } 671 672 req = kmalloc(sizeof(*req), GFP_KERNEL); 673 if (!req) 674 return -ENOMEM; 675 676 req->done = false; 677 strlcpy(req->module, module_name, MODULE_NAME_LEN); 678 list_add_tail(&req->list, &nft_net->module_list); 679 680 return -EAGAIN; 681 } 682 EXPORT_SYMBOL_GPL(nft_request_module); 683 #endif 684 685 static void lockdep_nfnl_nft_mutex_not_held(void) 686 { 687 #ifdef CONFIG_PROVE_LOCKING 688 if (debug_locks) 689 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 690 #endif 691 } 692 693 static const struct nft_chain_type * 694 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 695 u8 family, bool autoload) 696 { 697 const struct nft_chain_type *type; 698 699 type = __nf_tables_chain_type_lookup(nla, family); 700 if (type != NULL) 701 return type; 702 703 lockdep_nfnl_nft_mutex_not_held(); 704 #ifdef CONFIG_MODULES 705 if (autoload) { 706 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 707 nla_len(nla), 708 (const char *)nla_data(nla)) == -EAGAIN) 709 return ERR_PTR(-EAGAIN); 710 } 711 #endif 712 return ERR_PTR(-ENOENT); 713 } 714 715 static __be16 nft_base_seq(const struct net *net) 716 { 717 struct nftables_pernet *nft_net = nft_pernet(net); 718 719 return htons(nft_net->base_seq & 0xffff); 720 } 721 722 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 723 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 724 .len = NFT_TABLE_MAXNAMELEN - 1 }, 725 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 726 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 727 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY, 728 .len = NFT_USERDATA_MAXLEN } 729 }; 730 731 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 732 u32 portid, u32 seq, int event, u32 flags, 733 int family, const struct nft_table *table) 734 { 735 struct nlmsghdr *nlh; 736 737 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 738 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 739 NFNETLINK_V0, nft_base_seq(net)); 740 if (!nlh) 741 goto nla_put_failure; 742 743 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 744 nla_put_be32(skb, NFTA_TABLE_FLAGS, 745 htonl(table->flags & NFT_TABLE_F_MASK)) || 746 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 747 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 748 NFTA_TABLE_PAD)) 749 goto nla_put_failure; 750 if (nft_table_has_owner(table) && 751 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid))) 752 goto nla_put_failure; 753 754 if (table->udata) { 755 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata)) 756 goto nla_put_failure; 757 } 758 759 nlmsg_end(skb, nlh); 760 return 0; 761 762 nla_put_failure: 763 nlmsg_trim(skb, nlh); 764 return -1; 765 } 766 767 struct nftnl_skb_parms { 768 bool report; 769 }; 770 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb)) 771 772 static void nft_notify_enqueue(struct sk_buff *skb, bool report, 773 struct list_head *notify_list) 774 { 775 NFT_CB(skb).report = report; 776 list_add_tail(&skb->list, notify_list); 777 } 778 779 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 780 { 781 struct nftables_pernet *nft_net; 782 struct sk_buff *skb; 783 u16 flags = 0; 784 int err; 785 786 if (!ctx->report && 787 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 788 return; 789 790 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 791 if (skb == NULL) 792 goto err; 793 794 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 795 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 796 797 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 798 event, flags, ctx->family, ctx->table); 799 if (err < 0) { 800 kfree_skb(skb); 801 goto err; 802 } 803 804 nft_net = nft_pernet(ctx->net); 805 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 806 return; 807 err: 808 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 809 } 810 811 static int nf_tables_dump_tables(struct sk_buff *skb, 812 struct netlink_callback *cb) 813 { 814 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 815 struct nftables_pernet *nft_net; 816 const struct nft_table *table; 817 unsigned int idx = 0, s_idx = cb->args[0]; 818 struct net *net = sock_net(skb->sk); 819 int family = nfmsg->nfgen_family; 820 821 rcu_read_lock(); 822 nft_net = nft_pernet(net); 823 cb->seq = nft_net->base_seq; 824 825 list_for_each_entry_rcu(table, &nft_net->tables, list) { 826 if (family != NFPROTO_UNSPEC && family != table->family) 827 continue; 828 829 if (idx < s_idx) 830 goto cont; 831 if (idx > s_idx) 832 memset(&cb->args[1], 0, 833 sizeof(cb->args) - sizeof(cb->args[0])); 834 if (!nft_is_active(net, table)) 835 continue; 836 if (nf_tables_fill_table_info(skb, net, 837 NETLINK_CB(cb->skb).portid, 838 cb->nlh->nlmsg_seq, 839 NFT_MSG_NEWTABLE, NLM_F_MULTI, 840 table->family, table) < 0) 841 goto done; 842 843 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 844 cont: 845 idx++; 846 } 847 done: 848 rcu_read_unlock(); 849 cb->args[0] = idx; 850 return skb->len; 851 } 852 853 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 854 const struct nlmsghdr *nlh, 855 struct netlink_dump_control *c) 856 { 857 int err; 858 859 if (!try_module_get(THIS_MODULE)) 860 return -EINVAL; 861 862 rcu_read_unlock(); 863 err = netlink_dump_start(nlsk, skb, nlh, c); 864 rcu_read_lock(); 865 module_put(THIS_MODULE); 866 867 return err; 868 } 869 870 /* called with rcu_read_lock held */ 871 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info, 872 const struct nlattr * const nla[]) 873 { 874 struct netlink_ext_ack *extack = info->extack; 875 u8 genmask = nft_genmask_cur(info->net); 876 u8 family = info->nfmsg->nfgen_family; 877 const struct nft_table *table; 878 struct net *net = info->net; 879 struct sk_buff *skb2; 880 int err; 881 882 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 883 struct netlink_dump_control c = { 884 .dump = nf_tables_dump_tables, 885 .module = THIS_MODULE, 886 }; 887 888 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 889 } 890 891 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0); 892 if (IS_ERR(table)) { 893 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 894 return PTR_ERR(table); 895 } 896 897 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 898 if (!skb2) 899 return -ENOMEM; 900 901 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 902 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 903 0, family, table); 904 if (err < 0) 905 goto err_fill_table_info; 906 907 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 908 909 err_fill_table_info: 910 kfree_skb(skb2); 911 return err; 912 } 913 914 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 915 { 916 struct nft_chain *chain; 917 u32 i = 0; 918 919 list_for_each_entry(chain, &table->chains, list) { 920 if (!nft_is_active_next(net, chain)) 921 continue; 922 if (!nft_is_base_chain(chain)) 923 continue; 924 925 if (cnt && i++ == cnt) 926 break; 927 928 nf_tables_unregister_hook(net, table, chain); 929 } 930 } 931 932 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 933 { 934 struct nft_chain *chain; 935 int err, i = 0; 936 937 list_for_each_entry(chain, &table->chains, list) { 938 if (!nft_is_active_next(net, chain)) 939 continue; 940 if (!nft_is_base_chain(chain)) 941 continue; 942 943 err = nf_tables_register_hook(net, table, chain); 944 if (err < 0) 945 goto err_register_hooks; 946 947 i++; 948 } 949 return 0; 950 951 err_register_hooks: 952 if (i) 953 nft_table_disable(net, table, i); 954 return err; 955 } 956 957 static void nf_tables_table_disable(struct net *net, struct nft_table *table) 958 { 959 table->flags &= ~NFT_TABLE_F_DORMANT; 960 nft_table_disable(net, table, 0); 961 table->flags |= NFT_TABLE_F_DORMANT; 962 } 963 964 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1) 965 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0) 966 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1) 967 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \ 968 __NFT_TABLE_F_WAS_AWAKEN) 969 970 static int nf_tables_updtable(struct nft_ctx *ctx) 971 { 972 struct nft_trans *trans; 973 u32 flags; 974 int ret; 975 976 if (!ctx->nla[NFTA_TABLE_FLAGS]) 977 return 0; 978 979 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 980 if (flags & ~NFT_TABLE_F_MASK) 981 return -EOPNOTSUPP; 982 983 if (flags == ctx->table->flags) 984 return 0; 985 986 if ((nft_table_has_owner(ctx->table) && 987 !(flags & NFT_TABLE_F_OWNER)) || 988 (!nft_table_has_owner(ctx->table) && 989 flags & NFT_TABLE_F_OWNER)) 990 return -EOPNOTSUPP; 991 992 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 993 sizeof(struct nft_trans_table)); 994 if (trans == NULL) 995 return -ENOMEM; 996 997 if ((flags & NFT_TABLE_F_DORMANT) && 998 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 999 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1000 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) 1001 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN; 1002 } else if (!(flags & NFT_TABLE_F_DORMANT) && 1003 ctx->table->flags & NFT_TABLE_F_DORMANT) { 1004 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 1005 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) { 1006 ret = nf_tables_table_enable(ctx->net, ctx->table); 1007 if (ret < 0) 1008 goto err_register_hooks; 1009 1010 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT; 1011 } 1012 } 1013 1014 nft_trans_table_update(trans) = true; 1015 nft_trans_commit_list_add_tail(ctx->net, trans); 1016 1017 return 0; 1018 1019 err_register_hooks: 1020 nft_trans_destroy(trans); 1021 return ret; 1022 } 1023 1024 static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 1025 { 1026 const char *name = data; 1027 1028 return jhash(name, strlen(name), seed); 1029 } 1030 1031 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 1032 { 1033 const struct nft_chain *chain = data; 1034 1035 return nft_chain_hash(chain->name, 0, seed); 1036 } 1037 1038 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 1039 const void *ptr) 1040 { 1041 const struct nft_chain *chain = ptr; 1042 const char *name = arg->key; 1043 1044 return strcmp(chain->name, name); 1045 } 1046 1047 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 1048 { 1049 const struct nft_object_hash_key *k = data; 1050 1051 seed ^= hash_ptr(k->table, 32); 1052 1053 return jhash(k->name, strlen(k->name), seed); 1054 } 1055 1056 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 1057 { 1058 const struct nft_object *obj = data; 1059 1060 return nft_objname_hash(&obj->key, 0, seed); 1061 } 1062 1063 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 1064 const void *ptr) 1065 { 1066 const struct nft_object_hash_key *k = arg->key; 1067 const struct nft_object *obj = ptr; 1068 1069 if (obj->key.table != k->table) 1070 return -1; 1071 1072 return strcmp(obj->key.name, k->name); 1073 } 1074 1075 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, 1076 const struct nlattr * const nla[]) 1077 { 1078 struct nftables_pernet *nft_net = nft_pernet(info->net); 1079 struct netlink_ext_ack *extack = info->extack; 1080 u8 genmask = nft_genmask_next(info->net); 1081 u8 family = info->nfmsg->nfgen_family; 1082 struct net *net = info->net; 1083 const struct nlattr *attr; 1084 struct nft_table *table; 1085 struct nft_ctx ctx; 1086 u32 flags = 0; 1087 int err; 1088 1089 lockdep_assert_held(&nft_net->commit_mutex); 1090 attr = nla[NFTA_TABLE_NAME]; 1091 table = nft_table_lookup(net, attr, family, genmask, 1092 NETLINK_CB(skb).portid); 1093 if (IS_ERR(table)) { 1094 if (PTR_ERR(table) != -ENOENT) 1095 return PTR_ERR(table); 1096 } else { 1097 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 1098 NL_SET_BAD_ATTR(extack, attr); 1099 return -EEXIST; 1100 } 1101 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 1102 return -EOPNOTSUPP; 1103 1104 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1105 1106 return nf_tables_updtable(&ctx); 1107 } 1108 1109 if (nla[NFTA_TABLE_FLAGS]) { 1110 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 1111 if (flags & ~NFT_TABLE_F_MASK) 1112 return -EOPNOTSUPP; 1113 } 1114 1115 err = -ENOMEM; 1116 table = kzalloc(sizeof(*table), GFP_KERNEL); 1117 if (table == NULL) 1118 goto err_kzalloc; 1119 1120 table->name = nla_strdup(attr, GFP_KERNEL); 1121 if (table->name == NULL) 1122 goto err_strdup; 1123 1124 if (nla[NFTA_TABLE_USERDATA]) { 1125 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL); 1126 if (table->udata == NULL) 1127 goto err_table_udata; 1128 1129 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]); 1130 } 1131 1132 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1133 if (err) 1134 goto err_chain_ht; 1135 1136 INIT_LIST_HEAD(&table->chains); 1137 INIT_LIST_HEAD(&table->sets); 1138 INIT_LIST_HEAD(&table->objects); 1139 INIT_LIST_HEAD(&table->flowtables); 1140 table->family = family; 1141 table->flags = flags; 1142 table->handle = ++table_handle; 1143 if (table->flags & NFT_TABLE_F_OWNER) 1144 table->nlpid = NETLINK_CB(skb).portid; 1145 1146 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1147 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1148 if (err < 0) 1149 goto err_trans; 1150 1151 list_add_tail_rcu(&table->list, &nft_net->tables); 1152 return 0; 1153 err_trans: 1154 rhltable_destroy(&table->chains_ht); 1155 err_chain_ht: 1156 kfree(table->udata); 1157 err_table_udata: 1158 kfree(table->name); 1159 err_strdup: 1160 kfree(table); 1161 err_kzalloc: 1162 return err; 1163 } 1164 1165 static int nft_flush_table(struct nft_ctx *ctx) 1166 { 1167 struct nft_flowtable *flowtable, *nft; 1168 struct nft_chain *chain, *nc; 1169 struct nft_object *obj, *ne; 1170 struct nft_set *set, *ns; 1171 int err; 1172 1173 list_for_each_entry(chain, &ctx->table->chains, list) { 1174 if (!nft_is_active_next(ctx->net, chain)) 1175 continue; 1176 1177 if (nft_chain_is_bound(chain)) 1178 continue; 1179 1180 ctx->chain = chain; 1181 1182 err = nft_delrule_by_chain(ctx); 1183 if (err < 0) 1184 goto out; 1185 } 1186 1187 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1188 if (!nft_is_active_next(ctx->net, set)) 1189 continue; 1190 1191 if (nft_set_is_anonymous(set) && 1192 !list_empty(&set->bindings)) 1193 continue; 1194 1195 err = nft_delset(ctx, set); 1196 if (err < 0) 1197 goto out; 1198 } 1199 1200 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1201 if (!nft_is_active_next(ctx->net, flowtable)) 1202 continue; 1203 1204 err = nft_delflowtable(ctx, flowtable); 1205 if (err < 0) 1206 goto out; 1207 } 1208 1209 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1210 if (!nft_is_active_next(ctx->net, obj)) 1211 continue; 1212 1213 err = nft_delobj(ctx, obj); 1214 if (err < 0) 1215 goto out; 1216 } 1217 1218 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1219 if (!nft_is_active_next(ctx->net, chain)) 1220 continue; 1221 1222 if (nft_chain_is_bound(chain)) 1223 continue; 1224 1225 ctx->chain = chain; 1226 1227 err = nft_delchain(ctx); 1228 if (err < 0) 1229 goto out; 1230 } 1231 1232 err = nft_deltable(ctx); 1233 out: 1234 return err; 1235 } 1236 1237 static int nft_flush(struct nft_ctx *ctx, int family) 1238 { 1239 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1240 const struct nlattr * const *nla = ctx->nla; 1241 struct nft_table *table, *nt; 1242 int err = 0; 1243 1244 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 1245 if (family != AF_UNSPEC && table->family != family) 1246 continue; 1247 1248 ctx->family = table->family; 1249 1250 if (!nft_is_active_next(ctx->net, table)) 1251 continue; 1252 1253 if (nft_table_has_owner(table) && table->nlpid != ctx->portid) 1254 continue; 1255 1256 if (nla[NFTA_TABLE_NAME] && 1257 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1258 continue; 1259 1260 ctx->table = table; 1261 1262 err = nft_flush_table(ctx); 1263 if (err < 0) 1264 goto out; 1265 } 1266 out: 1267 return err; 1268 } 1269 1270 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info, 1271 const struct nlattr * const nla[]) 1272 { 1273 struct netlink_ext_ack *extack = info->extack; 1274 u8 genmask = nft_genmask_next(info->net); 1275 u8 family = info->nfmsg->nfgen_family; 1276 struct net *net = info->net; 1277 const struct nlattr *attr; 1278 struct nft_table *table; 1279 struct nft_ctx ctx; 1280 1281 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla); 1282 if (family == AF_UNSPEC || 1283 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1284 return nft_flush(&ctx, family); 1285 1286 if (nla[NFTA_TABLE_HANDLE]) { 1287 attr = nla[NFTA_TABLE_HANDLE]; 1288 table = nft_table_lookup_byhandle(net, attr, genmask, 1289 NETLINK_CB(skb).portid); 1290 } else { 1291 attr = nla[NFTA_TABLE_NAME]; 1292 table = nft_table_lookup(net, attr, family, genmask, 1293 NETLINK_CB(skb).portid); 1294 } 1295 1296 if (IS_ERR(table)) { 1297 NL_SET_BAD_ATTR(extack, attr); 1298 return PTR_ERR(table); 1299 } 1300 1301 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 1302 table->use > 0) 1303 return -EBUSY; 1304 1305 ctx.family = family; 1306 ctx.table = table; 1307 1308 return nft_flush_table(&ctx); 1309 } 1310 1311 static void nf_tables_table_destroy(struct nft_ctx *ctx) 1312 { 1313 if (WARN_ON(ctx->table->use > 0)) 1314 return; 1315 1316 rhltable_destroy(&ctx->table->chains_ht); 1317 kfree(ctx->table->name); 1318 kfree(ctx->table->udata); 1319 kfree(ctx->table); 1320 } 1321 1322 void nft_register_chain_type(const struct nft_chain_type *ctype) 1323 { 1324 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1325 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1326 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1327 return; 1328 } 1329 chain_type[ctype->family][ctype->type] = ctype; 1330 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1331 } 1332 EXPORT_SYMBOL_GPL(nft_register_chain_type); 1333 1334 void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1335 { 1336 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1337 chain_type[ctype->family][ctype->type] = NULL; 1338 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1339 } 1340 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1341 1342 /* 1343 * Chains 1344 */ 1345 1346 static struct nft_chain * 1347 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1348 { 1349 struct nft_chain *chain; 1350 1351 list_for_each_entry(chain, &table->chains, list) { 1352 if (chain->handle == handle && 1353 nft_active_genmask(chain, genmask)) 1354 return chain; 1355 } 1356 1357 return ERR_PTR(-ENOENT); 1358 } 1359 1360 static bool lockdep_commit_lock_is_held(const struct net *net) 1361 { 1362 #ifdef CONFIG_PROVE_LOCKING 1363 struct nftables_pernet *nft_net = nft_pernet(net); 1364 1365 return lockdep_is_held(&nft_net->commit_mutex); 1366 #else 1367 return true; 1368 #endif 1369 } 1370 1371 static struct nft_chain *nft_chain_lookup(struct net *net, 1372 struct nft_table *table, 1373 const struct nlattr *nla, u8 genmask) 1374 { 1375 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1376 struct rhlist_head *tmp, *list; 1377 struct nft_chain *chain; 1378 1379 if (nla == NULL) 1380 return ERR_PTR(-EINVAL); 1381 1382 nla_strscpy(search, nla, sizeof(search)); 1383 1384 WARN_ON(!rcu_read_lock_held() && 1385 !lockdep_commit_lock_is_held(net)); 1386 1387 chain = ERR_PTR(-ENOENT); 1388 rcu_read_lock(); 1389 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1390 if (!list) 1391 goto out_unlock; 1392 1393 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1394 if (nft_active_genmask(chain, genmask)) 1395 goto out_unlock; 1396 } 1397 chain = ERR_PTR(-ENOENT); 1398 out_unlock: 1399 rcu_read_unlock(); 1400 return chain; 1401 } 1402 1403 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1404 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1405 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1406 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1407 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1408 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1409 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1410 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1411 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1412 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1413 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1414 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1415 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1416 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY, 1417 .len = NFT_USERDATA_MAXLEN }, 1418 }; 1419 1420 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1421 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1422 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1423 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1424 .len = IFNAMSIZ - 1 }, 1425 }; 1426 1427 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1428 { 1429 struct nft_stats *cpu_stats, total; 1430 struct nlattr *nest; 1431 unsigned int seq; 1432 u64 pkts, bytes; 1433 int cpu; 1434 1435 if (!stats) 1436 return 0; 1437 1438 memset(&total, 0, sizeof(total)); 1439 for_each_possible_cpu(cpu) { 1440 cpu_stats = per_cpu_ptr(stats, cpu); 1441 do { 1442 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp); 1443 pkts = cpu_stats->pkts; 1444 bytes = cpu_stats->bytes; 1445 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq)); 1446 total.pkts += pkts; 1447 total.bytes += bytes; 1448 } 1449 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1450 if (nest == NULL) 1451 goto nla_put_failure; 1452 1453 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1454 NFTA_COUNTER_PAD) || 1455 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1456 NFTA_COUNTER_PAD)) 1457 goto nla_put_failure; 1458 1459 nla_nest_end(skb, nest); 1460 return 0; 1461 1462 nla_put_failure: 1463 return -ENOSPC; 1464 } 1465 1466 static int nft_dump_basechain_hook(struct sk_buff *skb, int family, 1467 const struct nft_base_chain *basechain) 1468 { 1469 const struct nf_hook_ops *ops = &basechain->ops; 1470 struct nft_hook *hook, *first = NULL; 1471 struct nlattr *nest, *nest_devs; 1472 int n = 0; 1473 1474 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1475 if (nest == NULL) 1476 goto nla_put_failure; 1477 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1478 goto nla_put_failure; 1479 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1480 goto nla_put_failure; 1481 1482 if (nft_base_chain_netdev(family, ops->hooknum)) { 1483 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1484 list_for_each_entry(hook, &basechain->hook_list, list) { 1485 if (!first) 1486 first = hook; 1487 1488 if (nla_put_string(skb, NFTA_DEVICE_NAME, 1489 hook->ops.dev->name)) 1490 goto nla_put_failure; 1491 n++; 1492 } 1493 nla_nest_end(skb, nest_devs); 1494 1495 if (n == 1 && 1496 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) 1497 goto nla_put_failure; 1498 } 1499 nla_nest_end(skb, nest); 1500 1501 return 0; 1502 nla_put_failure: 1503 return -1; 1504 } 1505 1506 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 1507 u32 portid, u32 seq, int event, u32 flags, 1508 int family, const struct nft_table *table, 1509 const struct nft_chain *chain) 1510 { 1511 struct nlmsghdr *nlh; 1512 1513 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1514 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 1515 NFNETLINK_V0, nft_base_seq(net)); 1516 if (!nlh) 1517 goto nla_put_failure; 1518 1519 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) 1520 goto nla_put_failure; 1521 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 1522 NFTA_CHAIN_PAD)) 1523 goto nla_put_failure; 1524 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name)) 1525 goto nla_put_failure; 1526 1527 if (nft_is_base_chain(chain)) { 1528 const struct nft_base_chain *basechain = nft_base_chain(chain); 1529 struct nft_stats __percpu *stats; 1530 1531 if (nft_dump_basechain_hook(skb, family, basechain)) 1532 goto nla_put_failure; 1533 1534 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1535 htonl(basechain->policy))) 1536 goto nla_put_failure; 1537 1538 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1539 goto nla_put_failure; 1540 1541 stats = rcu_dereference_check(basechain->stats, 1542 lockdep_commit_lock_is_held(net)); 1543 if (nft_dump_stats(skb, stats)) 1544 goto nla_put_failure; 1545 } 1546 1547 if (chain->flags && 1548 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags))) 1549 goto nla_put_failure; 1550 1551 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1552 goto nla_put_failure; 1553 1554 if (chain->udata && 1555 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata)) 1556 goto nla_put_failure; 1557 1558 nlmsg_end(skb, nlh); 1559 return 0; 1560 1561 nla_put_failure: 1562 nlmsg_trim(skb, nlh); 1563 return -1; 1564 } 1565 1566 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event) 1567 { 1568 struct nftables_pernet *nft_net; 1569 struct sk_buff *skb; 1570 u16 flags = 0; 1571 int err; 1572 1573 if (!ctx->report && 1574 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1575 return; 1576 1577 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1578 if (skb == NULL) 1579 goto err; 1580 1581 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 1582 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 1583 1584 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1585 event, flags, ctx->family, ctx->table, 1586 ctx->chain); 1587 if (err < 0) { 1588 kfree_skb(skb); 1589 goto err; 1590 } 1591 1592 nft_net = nft_pernet(ctx->net); 1593 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1594 return; 1595 err: 1596 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1597 } 1598 1599 static int nf_tables_dump_chains(struct sk_buff *skb, 1600 struct netlink_callback *cb) 1601 { 1602 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1603 unsigned int idx = 0, s_idx = cb->args[0]; 1604 struct net *net = sock_net(skb->sk); 1605 int family = nfmsg->nfgen_family; 1606 struct nftables_pernet *nft_net; 1607 const struct nft_table *table; 1608 const struct nft_chain *chain; 1609 1610 rcu_read_lock(); 1611 nft_net = nft_pernet(net); 1612 cb->seq = nft_net->base_seq; 1613 1614 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1615 if (family != NFPROTO_UNSPEC && family != table->family) 1616 continue; 1617 1618 list_for_each_entry_rcu(chain, &table->chains, list) { 1619 if (idx < s_idx) 1620 goto cont; 1621 if (idx > s_idx) 1622 memset(&cb->args[1], 0, 1623 sizeof(cb->args) - sizeof(cb->args[0])); 1624 if (!nft_is_active(net, chain)) 1625 continue; 1626 if (nf_tables_fill_chain_info(skb, net, 1627 NETLINK_CB(cb->skb).portid, 1628 cb->nlh->nlmsg_seq, 1629 NFT_MSG_NEWCHAIN, 1630 NLM_F_MULTI, 1631 table->family, table, 1632 chain) < 0) 1633 goto done; 1634 1635 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1636 cont: 1637 idx++; 1638 } 1639 } 1640 done: 1641 rcu_read_unlock(); 1642 cb->args[0] = idx; 1643 return skb->len; 1644 } 1645 1646 /* called with rcu_read_lock held */ 1647 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info, 1648 const struct nlattr * const nla[]) 1649 { 1650 struct netlink_ext_ack *extack = info->extack; 1651 u8 genmask = nft_genmask_cur(info->net); 1652 u8 family = info->nfmsg->nfgen_family; 1653 const struct nft_chain *chain; 1654 struct net *net = info->net; 1655 struct nft_table *table; 1656 struct sk_buff *skb2; 1657 int err; 1658 1659 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1660 struct netlink_dump_control c = { 1661 .dump = nf_tables_dump_chains, 1662 .module = THIS_MODULE, 1663 }; 1664 1665 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 1666 } 1667 1668 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0); 1669 if (IS_ERR(table)) { 1670 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 1671 return PTR_ERR(table); 1672 } 1673 1674 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 1675 if (IS_ERR(chain)) { 1676 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 1677 return PTR_ERR(chain); 1678 } 1679 1680 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1681 if (!skb2) 1682 return -ENOMEM; 1683 1684 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 1685 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 1686 0, family, table, chain); 1687 if (err < 0) 1688 goto err_fill_chain_info; 1689 1690 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1691 1692 err_fill_chain_info: 1693 kfree_skb(skb2); 1694 return err; 1695 } 1696 1697 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 1698 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 1699 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 1700 }; 1701 1702 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 1703 { 1704 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 1705 struct nft_stats __percpu *newstats; 1706 struct nft_stats *stats; 1707 int err; 1708 1709 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 1710 nft_counter_policy, NULL); 1711 if (err < 0) 1712 return ERR_PTR(err); 1713 1714 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 1715 return ERR_PTR(-EINVAL); 1716 1717 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 1718 if (newstats == NULL) 1719 return ERR_PTR(-ENOMEM); 1720 1721 /* Restore old counters on this cpu, no problem. Per-cpu statistics 1722 * are not exposed to userspace. 1723 */ 1724 preempt_disable(); 1725 stats = this_cpu_ptr(newstats); 1726 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 1727 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 1728 preempt_enable(); 1729 1730 return newstats; 1731 } 1732 1733 static void nft_chain_stats_replace(struct nft_trans *trans) 1734 { 1735 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain); 1736 1737 if (!nft_trans_chain_stats(trans)) 1738 return; 1739 1740 nft_trans_chain_stats(trans) = 1741 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans), 1742 lockdep_commit_lock_is_held(trans->ctx.net)); 1743 1744 if (!nft_trans_chain_stats(trans)) 1745 static_branch_inc(&nft_counters_enabled); 1746 } 1747 1748 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 1749 { 1750 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0); 1751 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1); 1752 1753 if (g0 != g1) 1754 kvfree(g1); 1755 kvfree(g0); 1756 1757 /* should be NULL either via abort or via successful commit */ 1758 WARN_ON_ONCE(chain->blob_next); 1759 kvfree(chain->blob_next); 1760 } 1761 1762 void nf_tables_chain_destroy(struct nft_ctx *ctx) 1763 { 1764 struct nft_chain *chain = ctx->chain; 1765 struct nft_hook *hook, *next; 1766 1767 if (WARN_ON(chain->use > 0)) 1768 return; 1769 1770 /* no concurrent access possible anymore */ 1771 nf_tables_chain_free_chain_rules(chain); 1772 1773 if (nft_is_base_chain(chain)) { 1774 struct nft_base_chain *basechain = nft_base_chain(chain); 1775 1776 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) { 1777 list_for_each_entry_safe(hook, next, 1778 &basechain->hook_list, list) { 1779 list_del_rcu(&hook->list); 1780 kfree_rcu(hook, rcu); 1781 } 1782 } 1783 module_put(basechain->type->owner); 1784 if (rcu_access_pointer(basechain->stats)) { 1785 static_branch_dec(&nft_counters_enabled); 1786 free_percpu(rcu_dereference_raw(basechain->stats)); 1787 } 1788 kfree(chain->name); 1789 kfree(chain->udata); 1790 kfree(basechain); 1791 } else { 1792 kfree(chain->name); 1793 kfree(chain->udata); 1794 kfree(chain); 1795 } 1796 } 1797 1798 static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 1799 const struct nlattr *attr) 1800 { 1801 struct net_device *dev; 1802 char ifname[IFNAMSIZ]; 1803 struct nft_hook *hook; 1804 int err; 1805 1806 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL); 1807 if (!hook) { 1808 err = -ENOMEM; 1809 goto err_hook_alloc; 1810 } 1811 1812 nla_strscpy(ifname, attr, IFNAMSIZ); 1813 /* nf_tables_netdev_event() is called under rtnl_mutex, this is 1814 * indirectly serializing all the other holders of the commit_mutex with 1815 * the rtnl_mutex. 1816 */ 1817 dev = __dev_get_by_name(net, ifname); 1818 if (!dev) { 1819 err = -ENOENT; 1820 goto err_hook_dev; 1821 } 1822 hook->ops.dev = dev; 1823 hook->inactive = false; 1824 1825 return hook; 1826 1827 err_hook_dev: 1828 kfree(hook); 1829 err_hook_alloc: 1830 return ERR_PTR(err); 1831 } 1832 1833 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, 1834 const struct nft_hook *this) 1835 { 1836 struct nft_hook *hook; 1837 1838 list_for_each_entry(hook, hook_list, list) { 1839 if (this->ops.dev == hook->ops.dev) 1840 return hook; 1841 } 1842 1843 return NULL; 1844 } 1845 1846 static int nf_tables_parse_netdev_hooks(struct net *net, 1847 const struct nlattr *attr, 1848 struct list_head *hook_list) 1849 { 1850 struct nft_hook *hook, *next; 1851 const struct nlattr *tmp; 1852 int rem, n = 0, err; 1853 1854 nla_for_each_nested(tmp, attr, rem) { 1855 if (nla_type(tmp) != NFTA_DEVICE_NAME) { 1856 err = -EINVAL; 1857 goto err_hook; 1858 } 1859 1860 hook = nft_netdev_hook_alloc(net, tmp); 1861 if (IS_ERR(hook)) { 1862 err = PTR_ERR(hook); 1863 goto err_hook; 1864 } 1865 if (nft_hook_list_find(hook_list, hook)) { 1866 kfree(hook); 1867 err = -EEXIST; 1868 goto err_hook; 1869 } 1870 list_add_tail(&hook->list, hook_list); 1871 n++; 1872 1873 if (n == NFT_NETDEVICE_MAX) { 1874 err = -EFBIG; 1875 goto err_hook; 1876 } 1877 } 1878 1879 return 0; 1880 1881 err_hook: 1882 list_for_each_entry_safe(hook, next, hook_list, list) { 1883 list_del(&hook->list); 1884 kfree(hook); 1885 } 1886 return err; 1887 } 1888 1889 struct nft_chain_hook { 1890 u32 num; 1891 s32 priority; 1892 const struct nft_chain_type *type; 1893 struct list_head list; 1894 }; 1895 1896 static int nft_chain_parse_netdev(struct net *net, 1897 struct nlattr *tb[], 1898 struct list_head *hook_list) 1899 { 1900 struct nft_hook *hook; 1901 int err; 1902 1903 if (tb[NFTA_HOOK_DEV]) { 1904 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); 1905 if (IS_ERR(hook)) 1906 return PTR_ERR(hook); 1907 1908 list_add_tail(&hook->list, hook_list); 1909 } else if (tb[NFTA_HOOK_DEVS]) { 1910 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 1911 hook_list); 1912 if (err < 0) 1913 return err; 1914 1915 if (list_empty(hook_list)) 1916 return -EINVAL; 1917 } else { 1918 return -EINVAL; 1919 } 1920 1921 return 0; 1922 } 1923 1924 static int nft_chain_parse_hook(struct net *net, 1925 const struct nlattr * const nla[], 1926 struct nft_chain_hook *hook, u8 family, 1927 struct netlink_ext_ack *extack, bool autoload) 1928 { 1929 struct nftables_pernet *nft_net = nft_pernet(net); 1930 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 1931 const struct nft_chain_type *type; 1932 int err; 1933 1934 lockdep_assert_held(&nft_net->commit_mutex); 1935 lockdep_nfnl_nft_mutex_not_held(); 1936 1937 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 1938 nla[NFTA_CHAIN_HOOK], 1939 nft_hook_policy, NULL); 1940 if (err < 0) 1941 return err; 1942 1943 if (ha[NFTA_HOOK_HOOKNUM] == NULL || 1944 ha[NFTA_HOOK_PRIORITY] == NULL) 1945 return -EINVAL; 1946 1947 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 1948 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 1949 1950 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 1951 if (!type) 1952 return -EOPNOTSUPP; 1953 1954 if (nla[NFTA_CHAIN_TYPE]) { 1955 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 1956 family, autoload); 1957 if (IS_ERR(type)) { 1958 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 1959 return PTR_ERR(type); 1960 } 1961 } 1962 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 1963 return -EOPNOTSUPP; 1964 1965 if (type->type == NFT_CHAIN_T_NAT && 1966 hook->priority <= NF_IP_PRI_CONNTRACK) 1967 return -EOPNOTSUPP; 1968 1969 if (!try_module_get(type->owner)) { 1970 if (nla[NFTA_CHAIN_TYPE]) 1971 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 1972 return -ENOENT; 1973 } 1974 1975 hook->type = type; 1976 1977 INIT_LIST_HEAD(&hook->list); 1978 if (nft_base_chain_netdev(family, hook->num)) { 1979 err = nft_chain_parse_netdev(net, ha, &hook->list); 1980 if (err < 0) { 1981 module_put(type->owner); 1982 return err; 1983 } 1984 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 1985 module_put(type->owner); 1986 return -EOPNOTSUPP; 1987 } 1988 1989 return 0; 1990 } 1991 1992 static void nft_chain_release_hook(struct nft_chain_hook *hook) 1993 { 1994 struct nft_hook *h, *next; 1995 1996 list_for_each_entry_safe(h, next, &hook->list, list) { 1997 list_del(&h->list); 1998 kfree(h); 1999 } 2000 module_put(hook->type->owner); 2001 } 2002 2003 struct nft_rules_old { 2004 struct rcu_head h; 2005 struct nft_rule_blob *blob; 2006 }; 2007 2008 static void nft_last_rule(struct nft_rule_blob *blob, const void *ptr) 2009 { 2010 struct nft_rule_dp *prule; 2011 2012 prule = (struct nft_rule_dp *)ptr; 2013 prule->is_last = 1; 2014 /* blob size does not include the trailer rule */ 2015 } 2016 2017 static struct nft_rule_blob *nf_tables_chain_alloc_rules(unsigned int size) 2018 { 2019 struct nft_rule_blob *blob; 2020 2021 /* size must include room for the last rule */ 2022 if (size < offsetof(struct nft_rule_dp, data)) 2023 return NULL; 2024 2025 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rules_old); 2026 if (size > INT_MAX) 2027 return NULL; 2028 2029 blob = kvmalloc(size, GFP_KERNEL); 2030 if (!blob) 2031 return NULL; 2032 2033 blob->size = 0; 2034 nft_last_rule(blob, blob->data); 2035 2036 return blob; 2037 } 2038 2039 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 2040 const struct nft_chain_hook *hook, 2041 struct nft_chain *chain) 2042 { 2043 ops->pf = family; 2044 ops->hooknum = hook->num; 2045 ops->priority = hook->priority; 2046 ops->priv = chain; 2047 ops->hook = hook->type->hooks[ops->hooknum]; 2048 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES; 2049 } 2050 2051 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 2052 struct nft_chain_hook *hook, u32 flags) 2053 { 2054 struct nft_chain *chain; 2055 struct nft_hook *h; 2056 2057 basechain->type = hook->type; 2058 INIT_LIST_HEAD(&basechain->hook_list); 2059 chain = &basechain->chain; 2060 2061 if (nft_base_chain_netdev(family, hook->num)) { 2062 list_splice_init(&hook->list, &basechain->hook_list); 2063 list_for_each_entry(h, &basechain->hook_list, list) 2064 nft_basechain_hook_init(&h->ops, family, hook, chain); 2065 2066 basechain->ops.hooknum = hook->num; 2067 basechain->ops.priority = hook->priority; 2068 } else { 2069 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 2070 } 2071 2072 chain->flags |= NFT_CHAIN_BASE | flags; 2073 basechain->policy = NF_ACCEPT; 2074 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 2075 nft_chain_offload_priority(basechain) < 0) 2076 return -EOPNOTSUPP; 2077 2078 flow_block_init(&basechain->flow_block); 2079 2080 return 0; 2081 } 2082 2083 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 2084 { 2085 int err; 2086 2087 err = rhltable_insert_key(&table->chains_ht, chain->name, 2088 &chain->rhlhead, nft_chain_ht_params); 2089 if (err) 2090 return err; 2091 2092 list_add_tail_rcu(&chain->list, &table->chains); 2093 2094 return 0; 2095 } 2096 2097 static u64 chain_id; 2098 2099 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 2100 u8 policy, u32 flags, 2101 struct netlink_ext_ack *extack) 2102 { 2103 const struct nlattr * const *nla = ctx->nla; 2104 struct nft_table *table = ctx->table; 2105 struct nft_base_chain *basechain; 2106 struct nft_stats __percpu *stats; 2107 struct net *net = ctx->net; 2108 char name[NFT_NAME_MAXLEN]; 2109 struct nft_rule_blob *blob; 2110 struct nft_trans *trans; 2111 struct nft_chain *chain; 2112 unsigned int data_size; 2113 int err; 2114 2115 if (table->use == UINT_MAX) 2116 return -EOVERFLOW; 2117 2118 if (nla[NFTA_CHAIN_HOOK]) { 2119 struct nft_chain_hook hook; 2120 2121 if (flags & NFT_CHAIN_BINDING) 2122 return -EOPNOTSUPP; 2123 2124 err = nft_chain_parse_hook(net, nla, &hook, family, extack, 2125 true); 2126 if (err < 0) 2127 return err; 2128 2129 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL); 2130 if (basechain == NULL) { 2131 nft_chain_release_hook(&hook); 2132 return -ENOMEM; 2133 } 2134 chain = &basechain->chain; 2135 2136 if (nla[NFTA_CHAIN_COUNTERS]) { 2137 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2138 if (IS_ERR(stats)) { 2139 nft_chain_release_hook(&hook); 2140 kfree(basechain); 2141 return PTR_ERR(stats); 2142 } 2143 rcu_assign_pointer(basechain->stats, stats); 2144 static_branch_inc(&nft_counters_enabled); 2145 } 2146 2147 err = nft_basechain_init(basechain, family, &hook, flags); 2148 if (err < 0) { 2149 nft_chain_release_hook(&hook); 2150 kfree(basechain); 2151 return err; 2152 } 2153 } else { 2154 if (flags & NFT_CHAIN_BASE) 2155 return -EINVAL; 2156 if (flags & NFT_CHAIN_HW_OFFLOAD) 2157 return -EOPNOTSUPP; 2158 2159 chain = kzalloc(sizeof(*chain), GFP_KERNEL); 2160 if (chain == NULL) 2161 return -ENOMEM; 2162 2163 chain->flags = flags; 2164 } 2165 ctx->chain = chain; 2166 2167 INIT_LIST_HEAD(&chain->rules); 2168 chain->handle = nf_tables_alloc_handle(table); 2169 chain->table = table; 2170 2171 if (nla[NFTA_CHAIN_NAME]) { 2172 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 2173 } else { 2174 if (!(flags & NFT_CHAIN_BINDING)) { 2175 err = -EINVAL; 2176 goto err_destroy_chain; 2177 } 2178 2179 snprintf(name, sizeof(name), "__chain%llu", ++chain_id); 2180 chain->name = kstrdup(name, GFP_KERNEL); 2181 } 2182 2183 if (!chain->name) { 2184 err = -ENOMEM; 2185 goto err_destroy_chain; 2186 } 2187 2188 if (nla[NFTA_CHAIN_USERDATA]) { 2189 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL); 2190 if (chain->udata == NULL) { 2191 err = -ENOMEM; 2192 goto err_destroy_chain; 2193 } 2194 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]); 2195 } 2196 2197 data_size = offsetof(struct nft_rule_dp, data); /* last rule */ 2198 blob = nf_tables_chain_alloc_rules(data_size); 2199 if (!blob) { 2200 err = -ENOMEM; 2201 goto err_destroy_chain; 2202 } 2203 2204 RCU_INIT_POINTER(chain->blob_gen_0, blob); 2205 RCU_INIT_POINTER(chain->blob_gen_1, blob); 2206 2207 err = nf_tables_register_hook(net, table, chain); 2208 if (err < 0) 2209 goto err_destroy_chain; 2210 2211 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 2212 if (IS_ERR(trans)) { 2213 err = PTR_ERR(trans); 2214 goto err_unregister_hook; 2215 } 2216 2217 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 2218 if (nft_is_base_chain(chain)) 2219 nft_trans_chain_policy(trans) = policy; 2220 2221 err = nft_chain_add(table, chain); 2222 if (err < 0) { 2223 nft_trans_destroy(trans); 2224 goto err_unregister_hook; 2225 } 2226 2227 table->use++; 2228 2229 return 0; 2230 err_unregister_hook: 2231 nf_tables_unregister_hook(net, table, chain); 2232 err_destroy_chain: 2233 nf_tables_chain_destroy(ctx); 2234 2235 return err; 2236 } 2237 2238 static bool nft_hook_list_equal(struct list_head *hook_list1, 2239 struct list_head *hook_list2) 2240 { 2241 struct nft_hook *hook; 2242 int n = 0, m = 0; 2243 2244 n = 0; 2245 list_for_each_entry(hook, hook_list2, list) { 2246 if (!nft_hook_list_find(hook_list1, hook)) 2247 return false; 2248 2249 n++; 2250 } 2251 list_for_each_entry(hook, hook_list1, list) 2252 m++; 2253 2254 return n == m; 2255 } 2256 2257 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2258 u32 flags, const struct nlattr *attr, 2259 struct netlink_ext_ack *extack) 2260 { 2261 const struct nlattr * const *nla = ctx->nla; 2262 struct nft_table *table = ctx->table; 2263 struct nft_chain *chain = ctx->chain; 2264 struct nft_base_chain *basechain; 2265 struct nft_stats *stats = NULL; 2266 struct nft_chain_hook hook; 2267 struct nf_hook_ops *ops; 2268 struct nft_trans *trans; 2269 int err; 2270 2271 if (chain->flags ^ flags) 2272 return -EOPNOTSUPP; 2273 2274 if (nla[NFTA_CHAIN_HOOK]) { 2275 if (!nft_is_base_chain(chain)) { 2276 NL_SET_BAD_ATTR(extack, attr); 2277 return -EEXIST; 2278 } 2279 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, 2280 extack, false); 2281 if (err < 0) 2282 return err; 2283 2284 basechain = nft_base_chain(chain); 2285 if (basechain->type != hook.type) { 2286 nft_chain_release_hook(&hook); 2287 NL_SET_BAD_ATTR(extack, attr); 2288 return -EEXIST; 2289 } 2290 2291 if (nft_base_chain_netdev(ctx->family, hook.num)) { 2292 if (!nft_hook_list_equal(&basechain->hook_list, 2293 &hook.list)) { 2294 nft_chain_release_hook(&hook); 2295 NL_SET_BAD_ATTR(extack, attr); 2296 return -EEXIST; 2297 } 2298 } else { 2299 ops = &basechain->ops; 2300 if (ops->hooknum != hook.num || 2301 ops->priority != hook.priority) { 2302 nft_chain_release_hook(&hook); 2303 NL_SET_BAD_ATTR(extack, attr); 2304 return -EEXIST; 2305 } 2306 } 2307 nft_chain_release_hook(&hook); 2308 } 2309 2310 if (nla[NFTA_CHAIN_HANDLE] && 2311 nla[NFTA_CHAIN_NAME]) { 2312 struct nft_chain *chain2; 2313 2314 chain2 = nft_chain_lookup(ctx->net, table, 2315 nla[NFTA_CHAIN_NAME], genmask); 2316 if (!IS_ERR(chain2)) { 2317 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2318 return -EEXIST; 2319 } 2320 } 2321 2322 if (nla[NFTA_CHAIN_COUNTERS]) { 2323 if (!nft_is_base_chain(chain)) 2324 return -EOPNOTSUPP; 2325 2326 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2327 if (IS_ERR(stats)) 2328 return PTR_ERR(stats); 2329 } 2330 2331 err = -ENOMEM; 2332 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, 2333 sizeof(struct nft_trans_chain)); 2334 if (trans == NULL) 2335 goto err; 2336 2337 nft_trans_chain_stats(trans) = stats; 2338 nft_trans_chain_update(trans) = true; 2339 2340 if (nla[NFTA_CHAIN_POLICY]) 2341 nft_trans_chain_policy(trans) = policy; 2342 else 2343 nft_trans_chain_policy(trans) = -1; 2344 2345 if (nla[NFTA_CHAIN_HANDLE] && 2346 nla[NFTA_CHAIN_NAME]) { 2347 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 2348 struct nft_trans *tmp; 2349 char *name; 2350 2351 err = -ENOMEM; 2352 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 2353 if (!name) 2354 goto err; 2355 2356 err = -EEXIST; 2357 list_for_each_entry(tmp, &nft_net->commit_list, list) { 2358 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2359 tmp->ctx.table == table && 2360 nft_trans_chain_update(tmp) && 2361 nft_trans_chain_name(tmp) && 2362 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2363 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2364 kfree(name); 2365 goto err; 2366 } 2367 } 2368 2369 nft_trans_chain_name(trans) = name; 2370 } 2371 nft_trans_commit_list_add_tail(ctx->net, trans); 2372 2373 return 0; 2374 err: 2375 free_percpu(stats); 2376 kfree(trans); 2377 return err; 2378 } 2379 2380 static struct nft_chain *nft_chain_lookup_byid(const struct net *net, 2381 const struct nlattr *nla) 2382 { 2383 struct nftables_pernet *nft_net = nft_pernet(net); 2384 u32 id = ntohl(nla_get_be32(nla)); 2385 struct nft_trans *trans; 2386 2387 list_for_each_entry(trans, &nft_net->commit_list, list) { 2388 struct nft_chain *chain = trans->ctx.chain; 2389 2390 if (trans->msg_type == NFT_MSG_NEWCHAIN && 2391 id == nft_trans_chain_id(trans)) 2392 return chain; 2393 } 2394 return ERR_PTR(-ENOENT); 2395 } 2396 2397 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info, 2398 const struct nlattr * const nla[]) 2399 { 2400 struct nftables_pernet *nft_net = nft_pernet(info->net); 2401 struct netlink_ext_ack *extack = info->extack; 2402 u8 genmask = nft_genmask_next(info->net); 2403 u8 family = info->nfmsg->nfgen_family; 2404 struct nft_chain *chain = NULL; 2405 struct net *net = info->net; 2406 const struct nlattr *attr; 2407 struct nft_table *table; 2408 u8 policy = NF_ACCEPT; 2409 struct nft_ctx ctx; 2410 u64 handle = 0; 2411 u32 flags = 0; 2412 2413 lockdep_assert_held(&nft_net->commit_mutex); 2414 2415 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2416 NETLINK_CB(skb).portid); 2417 if (IS_ERR(table)) { 2418 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2419 return PTR_ERR(table); 2420 } 2421 2422 chain = NULL; 2423 attr = nla[NFTA_CHAIN_NAME]; 2424 2425 if (nla[NFTA_CHAIN_HANDLE]) { 2426 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 2427 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2428 if (IS_ERR(chain)) { 2429 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 2430 return PTR_ERR(chain); 2431 } 2432 attr = nla[NFTA_CHAIN_HANDLE]; 2433 } else if (nla[NFTA_CHAIN_NAME]) { 2434 chain = nft_chain_lookup(net, table, attr, genmask); 2435 if (IS_ERR(chain)) { 2436 if (PTR_ERR(chain) != -ENOENT) { 2437 NL_SET_BAD_ATTR(extack, attr); 2438 return PTR_ERR(chain); 2439 } 2440 chain = NULL; 2441 } 2442 } else if (!nla[NFTA_CHAIN_ID]) { 2443 return -EINVAL; 2444 } 2445 2446 if (nla[NFTA_CHAIN_POLICY]) { 2447 if (chain != NULL && 2448 !nft_is_base_chain(chain)) { 2449 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2450 return -EOPNOTSUPP; 2451 } 2452 2453 if (chain == NULL && 2454 nla[NFTA_CHAIN_HOOK] == NULL) { 2455 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2456 return -EOPNOTSUPP; 2457 } 2458 2459 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 2460 switch (policy) { 2461 case NF_DROP: 2462 case NF_ACCEPT: 2463 break; 2464 default: 2465 return -EINVAL; 2466 } 2467 } 2468 2469 if (nla[NFTA_CHAIN_FLAGS]) 2470 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 2471 else if (chain) 2472 flags = chain->flags; 2473 2474 if (flags & ~NFT_CHAIN_FLAGS) 2475 return -EOPNOTSUPP; 2476 2477 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2478 2479 if (chain != NULL) { 2480 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 2481 NL_SET_BAD_ATTR(extack, attr); 2482 return -EEXIST; 2483 } 2484 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 2485 return -EOPNOTSUPP; 2486 2487 flags |= chain->flags & NFT_CHAIN_BASE; 2488 return nf_tables_updchain(&ctx, genmask, policy, flags, attr, 2489 extack); 2490 } 2491 2492 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack); 2493 } 2494 2495 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info, 2496 const struct nlattr * const nla[]) 2497 { 2498 struct netlink_ext_ack *extack = info->extack; 2499 u8 genmask = nft_genmask_next(info->net); 2500 u8 family = info->nfmsg->nfgen_family; 2501 struct net *net = info->net; 2502 const struct nlattr *attr; 2503 struct nft_table *table; 2504 struct nft_chain *chain; 2505 struct nft_rule *rule; 2506 struct nft_ctx ctx; 2507 u64 handle; 2508 u32 use; 2509 int err; 2510 2511 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2512 NETLINK_CB(skb).portid); 2513 if (IS_ERR(table)) { 2514 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2515 return PTR_ERR(table); 2516 } 2517 2518 if (nla[NFTA_CHAIN_HANDLE]) { 2519 attr = nla[NFTA_CHAIN_HANDLE]; 2520 handle = be64_to_cpu(nla_get_be64(attr)); 2521 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2522 } else { 2523 attr = nla[NFTA_CHAIN_NAME]; 2524 chain = nft_chain_lookup(net, table, attr, genmask); 2525 } 2526 if (IS_ERR(chain)) { 2527 NL_SET_BAD_ATTR(extack, attr); 2528 return PTR_ERR(chain); 2529 } 2530 2531 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 2532 chain->use > 0) 2533 return -EBUSY; 2534 2535 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2536 2537 use = chain->use; 2538 list_for_each_entry(rule, &chain->rules, list) { 2539 if (!nft_is_active_next(net, rule)) 2540 continue; 2541 use--; 2542 2543 err = nft_delrule(&ctx, rule); 2544 if (err < 0) 2545 return err; 2546 } 2547 2548 /* There are rules and elements that are still holding references to us, 2549 * we cannot do a recursive removal in this case. 2550 */ 2551 if (use > 0) { 2552 NL_SET_BAD_ATTR(extack, attr); 2553 return -EBUSY; 2554 } 2555 2556 return nft_delchain(&ctx); 2557 } 2558 2559 /* 2560 * Expressions 2561 */ 2562 2563 /** 2564 * nft_register_expr - register nf_tables expr type 2565 * @type: expr type 2566 * 2567 * Registers the expr type for use with nf_tables. Returns zero on 2568 * success or a negative errno code otherwise. 2569 */ 2570 int nft_register_expr(struct nft_expr_type *type) 2571 { 2572 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2573 if (type->family == NFPROTO_UNSPEC) 2574 list_add_tail_rcu(&type->list, &nf_tables_expressions); 2575 else 2576 list_add_rcu(&type->list, &nf_tables_expressions); 2577 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2578 return 0; 2579 } 2580 EXPORT_SYMBOL_GPL(nft_register_expr); 2581 2582 /** 2583 * nft_unregister_expr - unregister nf_tables expr type 2584 * @type: expr type 2585 * 2586 * Unregisters the expr typefor use with nf_tables. 2587 */ 2588 void nft_unregister_expr(struct nft_expr_type *type) 2589 { 2590 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2591 list_del_rcu(&type->list); 2592 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2593 } 2594 EXPORT_SYMBOL_GPL(nft_unregister_expr); 2595 2596 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 2597 struct nlattr *nla) 2598 { 2599 const struct nft_expr_type *type, *candidate = NULL; 2600 2601 list_for_each_entry(type, &nf_tables_expressions, list) { 2602 if (!nla_strcmp(nla, type->name)) { 2603 if (!type->family && !candidate) 2604 candidate = type; 2605 else if (type->family == family) 2606 candidate = type; 2607 } 2608 } 2609 return candidate; 2610 } 2611 2612 #ifdef CONFIG_MODULES 2613 static int nft_expr_type_request_module(struct net *net, u8 family, 2614 struct nlattr *nla) 2615 { 2616 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 2617 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 2618 return -EAGAIN; 2619 2620 return 0; 2621 } 2622 #endif 2623 2624 static const struct nft_expr_type *nft_expr_type_get(struct net *net, 2625 u8 family, 2626 struct nlattr *nla) 2627 { 2628 const struct nft_expr_type *type; 2629 2630 if (nla == NULL) 2631 return ERR_PTR(-EINVAL); 2632 2633 type = __nft_expr_type_get(family, nla); 2634 if (type != NULL && try_module_get(type->owner)) 2635 return type; 2636 2637 lockdep_nfnl_nft_mutex_not_held(); 2638 #ifdef CONFIG_MODULES 2639 if (type == NULL) { 2640 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 2641 return ERR_PTR(-EAGAIN); 2642 2643 if (nft_request_module(net, "nft-expr-%.*s", 2644 nla_len(nla), 2645 (char *)nla_data(nla)) == -EAGAIN) 2646 return ERR_PTR(-EAGAIN); 2647 } 2648 #endif 2649 return ERR_PTR(-ENOENT); 2650 } 2651 2652 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 2653 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 2654 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 2655 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 2656 }; 2657 2658 static int nf_tables_fill_expr_info(struct sk_buff *skb, 2659 const struct nft_expr *expr) 2660 { 2661 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 2662 goto nla_put_failure; 2663 2664 if (expr->ops->dump) { 2665 struct nlattr *data = nla_nest_start_noflag(skb, 2666 NFTA_EXPR_DATA); 2667 if (data == NULL) 2668 goto nla_put_failure; 2669 if (expr->ops->dump(skb, expr) < 0) 2670 goto nla_put_failure; 2671 nla_nest_end(skb, data); 2672 } 2673 2674 return skb->len; 2675 2676 nla_put_failure: 2677 return -1; 2678 }; 2679 2680 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 2681 const struct nft_expr *expr) 2682 { 2683 struct nlattr *nest; 2684 2685 nest = nla_nest_start_noflag(skb, attr); 2686 if (!nest) 2687 goto nla_put_failure; 2688 if (nf_tables_fill_expr_info(skb, expr) < 0) 2689 goto nla_put_failure; 2690 nla_nest_end(skb, nest); 2691 return 0; 2692 2693 nla_put_failure: 2694 return -1; 2695 } 2696 2697 struct nft_expr_info { 2698 const struct nft_expr_ops *ops; 2699 const struct nlattr *attr; 2700 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 2701 }; 2702 2703 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 2704 const struct nlattr *nla, 2705 struct nft_expr_info *info) 2706 { 2707 const struct nft_expr_type *type; 2708 const struct nft_expr_ops *ops; 2709 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 2710 int err; 2711 2712 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 2713 nft_expr_policy, NULL); 2714 if (err < 0) 2715 return err; 2716 2717 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 2718 if (IS_ERR(type)) 2719 return PTR_ERR(type); 2720 2721 if (tb[NFTA_EXPR_DATA]) { 2722 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 2723 tb[NFTA_EXPR_DATA], 2724 type->policy, NULL); 2725 if (err < 0) 2726 goto err1; 2727 } else 2728 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 2729 2730 if (type->select_ops != NULL) { 2731 ops = type->select_ops(ctx, 2732 (const struct nlattr * const *)info->tb); 2733 if (IS_ERR(ops)) { 2734 err = PTR_ERR(ops); 2735 #ifdef CONFIG_MODULES 2736 if (err == -EAGAIN) 2737 if (nft_expr_type_request_module(ctx->net, 2738 ctx->family, 2739 tb[NFTA_EXPR_NAME]) != -EAGAIN) 2740 err = -ENOENT; 2741 #endif 2742 goto err1; 2743 } 2744 } else 2745 ops = type->ops; 2746 2747 info->attr = nla; 2748 info->ops = ops; 2749 2750 return 0; 2751 2752 err1: 2753 module_put(type->owner); 2754 return err; 2755 } 2756 2757 static int nf_tables_newexpr(const struct nft_ctx *ctx, 2758 const struct nft_expr_info *expr_info, 2759 struct nft_expr *expr) 2760 { 2761 const struct nft_expr_ops *ops = expr_info->ops; 2762 int err; 2763 2764 expr->ops = ops; 2765 if (ops->init) { 2766 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb); 2767 if (err < 0) 2768 goto err1; 2769 } 2770 2771 return 0; 2772 err1: 2773 expr->ops = NULL; 2774 return err; 2775 } 2776 2777 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 2778 struct nft_expr *expr) 2779 { 2780 const struct nft_expr_type *type = expr->ops->type; 2781 2782 if (expr->ops->destroy) 2783 expr->ops->destroy(ctx, expr); 2784 module_put(type->owner); 2785 } 2786 2787 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 2788 const struct nlattr *nla) 2789 { 2790 struct nft_expr_info expr_info; 2791 struct nft_expr *expr; 2792 struct module *owner; 2793 int err; 2794 2795 err = nf_tables_expr_parse(ctx, nla, &expr_info); 2796 if (err < 0) 2797 goto err1; 2798 2799 err = -ENOMEM; 2800 expr = kzalloc(expr_info.ops->size, GFP_KERNEL); 2801 if (expr == NULL) 2802 goto err2; 2803 2804 err = nf_tables_newexpr(ctx, &expr_info, expr); 2805 if (err < 0) 2806 goto err3; 2807 2808 return expr; 2809 err3: 2810 kfree(expr); 2811 err2: 2812 owner = expr_info.ops->type->owner; 2813 if (expr_info.ops->type->release_ops) 2814 expr_info.ops->type->release_ops(expr_info.ops); 2815 2816 module_put(owner); 2817 err1: 2818 return ERR_PTR(err); 2819 } 2820 2821 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 2822 { 2823 int err; 2824 2825 if (src->ops->clone) { 2826 dst->ops = src->ops; 2827 err = src->ops->clone(dst, src); 2828 if (err < 0) 2829 return err; 2830 } else { 2831 memcpy(dst, src, src->ops->size); 2832 } 2833 2834 __module_get(src->ops->type->owner); 2835 2836 return 0; 2837 } 2838 2839 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 2840 { 2841 nf_tables_expr_destroy(ctx, expr); 2842 kfree(expr); 2843 } 2844 2845 /* 2846 * Rules 2847 */ 2848 2849 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain, 2850 u64 handle) 2851 { 2852 struct nft_rule *rule; 2853 2854 // FIXME: this sucks 2855 list_for_each_entry_rcu(rule, &chain->rules, list) { 2856 if (handle == rule->handle) 2857 return rule; 2858 } 2859 2860 return ERR_PTR(-ENOENT); 2861 } 2862 2863 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain, 2864 const struct nlattr *nla) 2865 { 2866 if (nla == NULL) 2867 return ERR_PTR(-EINVAL); 2868 2869 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 2870 } 2871 2872 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 2873 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 2874 .len = NFT_TABLE_MAXNAMELEN - 1 }, 2875 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 2876 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 2877 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 2878 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED }, 2879 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 2880 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 2881 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 2882 .len = NFT_USERDATA_MAXLEN }, 2883 [NFTA_RULE_ID] = { .type = NLA_U32 }, 2884 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 2885 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 }, 2886 }; 2887 2888 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 2889 u32 portid, u32 seq, int event, 2890 u32 flags, int family, 2891 const struct nft_table *table, 2892 const struct nft_chain *chain, 2893 const struct nft_rule *rule, u64 handle) 2894 { 2895 struct nlmsghdr *nlh; 2896 const struct nft_expr *expr, *next; 2897 struct nlattr *list; 2898 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 2899 2900 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, 2901 nft_base_seq(net)); 2902 if (!nlh) 2903 goto nla_put_failure; 2904 2905 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 2906 goto nla_put_failure; 2907 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 2908 goto nla_put_failure; 2909 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 2910 NFTA_RULE_PAD)) 2911 goto nla_put_failure; 2912 2913 if (event != NFT_MSG_DELRULE && handle) { 2914 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle), 2915 NFTA_RULE_PAD)) 2916 goto nla_put_failure; 2917 } 2918 2919 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) 2920 nft_flow_rule_stats(chain, rule); 2921 2922 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 2923 if (list == NULL) 2924 goto nla_put_failure; 2925 nft_rule_for_each_expr(expr, next, rule) { 2926 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 2927 goto nla_put_failure; 2928 } 2929 nla_nest_end(skb, list); 2930 2931 if (rule->udata) { 2932 struct nft_userdata *udata = nft_userdata(rule); 2933 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 2934 udata->data) < 0) 2935 goto nla_put_failure; 2936 } 2937 2938 nlmsg_end(skb, nlh); 2939 return 0; 2940 2941 nla_put_failure: 2942 nlmsg_trim(skb, nlh); 2943 return -1; 2944 } 2945 2946 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 2947 const struct nft_rule *rule, int event) 2948 { 2949 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 2950 const struct nft_rule *prule; 2951 struct sk_buff *skb; 2952 u64 handle = 0; 2953 u16 flags = 0; 2954 int err; 2955 2956 if (!ctx->report && 2957 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 2958 return; 2959 2960 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 2961 if (skb == NULL) 2962 goto err; 2963 2964 if (event == NFT_MSG_NEWRULE && 2965 !list_is_first(&rule->list, &ctx->chain->rules) && 2966 !list_is_last(&rule->list, &ctx->chain->rules)) { 2967 prule = list_prev_entry(rule, list); 2968 handle = prule->handle; 2969 } 2970 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE)) 2971 flags |= NLM_F_APPEND; 2972 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 2973 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 2974 2975 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 2976 event, flags, ctx->family, ctx->table, 2977 ctx->chain, rule, handle); 2978 if (err < 0) { 2979 kfree_skb(skb); 2980 goto err; 2981 } 2982 2983 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 2984 return; 2985 err: 2986 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 2987 } 2988 2989 struct nft_rule_dump_ctx { 2990 char *table; 2991 char *chain; 2992 }; 2993 2994 static int __nf_tables_dump_rules(struct sk_buff *skb, 2995 unsigned int *idx, 2996 struct netlink_callback *cb, 2997 const struct nft_table *table, 2998 const struct nft_chain *chain) 2999 { 3000 struct net *net = sock_net(skb->sk); 3001 const struct nft_rule *rule, *prule; 3002 unsigned int s_idx = cb->args[0]; 3003 u64 handle; 3004 3005 prule = NULL; 3006 list_for_each_entry_rcu(rule, &chain->rules, list) { 3007 if (!nft_is_active(net, rule)) 3008 goto cont_skip; 3009 if (*idx < s_idx) 3010 goto cont; 3011 if (*idx > s_idx) { 3012 memset(&cb->args[1], 0, 3013 sizeof(cb->args) - sizeof(cb->args[0])); 3014 } 3015 if (prule) 3016 handle = prule->handle; 3017 else 3018 handle = 0; 3019 3020 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 3021 cb->nlh->nlmsg_seq, 3022 NFT_MSG_NEWRULE, 3023 NLM_F_MULTI | NLM_F_APPEND, 3024 table->family, 3025 table, chain, rule, handle) < 0) 3026 return 1; 3027 3028 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3029 cont: 3030 prule = rule; 3031 cont_skip: 3032 (*idx)++; 3033 } 3034 return 0; 3035 } 3036 3037 static int nf_tables_dump_rules(struct sk_buff *skb, 3038 struct netlink_callback *cb) 3039 { 3040 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3041 const struct nft_rule_dump_ctx *ctx = cb->data; 3042 struct nft_table *table; 3043 const struct nft_chain *chain; 3044 unsigned int idx = 0; 3045 struct net *net = sock_net(skb->sk); 3046 int family = nfmsg->nfgen_family; 3047 struct nftables_pernet *nft_net; 3048 3049 rcu_read_lock(); 3050 nft_net = nft_pernet(net); 3051 cb->seq = nft_net->base_seq; 3052 3053 list_for_each_entry_rcu(table, &nft_net->tables, list) { 3054 if (family != NFPROTO_UNSPEC && family != table->family) 3055 continue; 3056 3057 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) 3058 continue; 3059 3060 if (ctx && ctx->table && ctx->chain) { 3061 struct rhlist_head *list, *tmp; 3062 3063 list = rhltable_lookup(&table->chains_ht, ctx->chain, 3064 nft_chain_ht_params); 3065 if (!list) 3066 goto done; 3067 3068 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 3069 if (!nft_is_active(net, chain)) 3070 continue; 3071 __nf_tables_dump_rules(skb, &idx, 3072 cb, table, chain); 3073 break; 3074 } 3075 goto done; 3076 } 3077 3078 list_for_each_entry_rcu(chain, &table->chains, list) { 3079 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain)) 3080 goto done; 3081 } 3082 3083 if (ctx && ctx->table) 3084 break; 3085 } 3086 done: 3087 rcu_read_unlock(); 3088 3089 cb->args[0] = idx; 3090 return skb->len; 3091 } 3092 3093 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 3094 { 3095 const struct nlattr * const *nla = cb->data; 3096 struct nft_rule_dump_ctx *ctx = NULL; 3097 3098 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) { 3099 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC); 3100 if (!ctx) 3101 return -ENOMEM; 3102 3103 if (nla[NFTA_RULE_TABLE]) { 3104 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], 3105 GFP_ATOMIC); 3106 if (!ctx->table) { 3107 kfree(ctx); 3108 return -ENOMEM; 3109 } 3110 } 3111 if (nla[NFTA_RULE_CHAIN]) { 3112 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], 3113 GFP_ATOMIC); 3114 if (!ctx->chain) { 3115 kfree(ctx->table); 3116 kfree(ctx); 3117 return -ENOMEM; 3118 } 3119 } 3120 } 3121 3122 cb->data = ctx; 3123 return 0; 3124 } 3125 3126 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 3127 { 3128 struct nft_rule_dump_ctx *ctx = cb->data; 3129 3130 if (ctx) { 3131 kfree(ctx->table); 3132 kfree(ctx->chain); 3133 kfree(ctx); 3134 } 3135 return 0; 3136 } 3137 3138 /* called with rcu_read_lock held */ 3139 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info, 3140 const struct nlattr * const nla[]) 3141 { 3142 struct netlink_ext_ack *extack = info->extack; 3143 u8 genmask = nft_genmask_cur(info->net); 3144 u8 family = info->nfmsg->nfgen_family; 3145 const struct nft_chain *chain; 3146 const struct nft_rule *rule; 3147 struct net *net = info->net; 3148 struct nft_table *table; 3149 struct sk_buff *skb2; 3150 int err; 3151 3152 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3153 struct netlink_dump_control c = { 3154 .start= nf_tables_dump_rules_start, 3155 .dump = nf_tables_dump_rules, 3156 .done = nf_tables_dump_rules_done, 3157 .module = THIS_MODULE, 3158 .data = (void *)nla, 3159 }; 3160 3161 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 3162 } 3163 3164 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0); 3165 if (IS_ERR(table)) { 3166 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3167 return PTR_ERR(table); 3168 } 3169 3170 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 3171 if (IS_ERR(chain)) { 3172 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3173 return PTR_ERR(chain); 3174 } 3175 3176 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3177 if (IS_ERR(rule)) { 3178 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3179 return PTR_ERR(rule); 3180 } 3181 3182 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3183 if (!skb2) 3184 return -ENOMEM; 3185 3186 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, 3187 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 3188 family, table, chain, rule, 0); 3189 if (err < 0) 3190 goto err_fill_rule_info; 3191 3192 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 3193 3194 err_fill_rule_info: 3195 kfree_skb(skb2); 3196 return err; 3197 } 3198 3199 static void nf_tables_rule_destroy(const struct nft_ctx *ctx, 3200 struct nft_rule *rule) 3201 { 3202 struct nft_expr *expr, *next; 3203 3204 /* 3205 * Careful: some expressions might not be initialized in case this 3206 * is called on error from nf_tables_newrule(). 3207 */ 3208 expr = nft_expr_first(rule); 3209 while (nft_expr_more(rule, expr)) { 3210 next = nft_expr_next(expr); 3211 nf_tables_expr_destroy(ctx, expr); 3212 expr = next; 3213 } 3214 kfree(rule); 3215 } 3216 3217 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 3218 { 3219 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 3220 nf_tables_rule_destroy(ctx, rule); 3221 } 3222 3223 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 3224 { 3225 struct nft_expr *expr, *last; 3226 const struct nft_data *data; 3227 struct nft_rule *rule; 3228 int err; 3229 3230 if (ctx->level == NFT_JUMP_STACK_SIZE) 3231 return -EMLINK; 3232 3233 list_for_each_entry(rule, &chain->rules, list) { 3234 if (!nft_is_active_next(ctx->net, rule)) 3235 continue; 3236 3237 nft_rule_for_each_expr(expr, last, rule) { 3238 if (!expr->ops->validate) 3239 continue; 3240 3241 err = expr->ops->validate(ctx, expr, &data); 3242 if (err < 0) 3243 return err; 3244 } 3245 } 3246 3247 return 0; 3248 } 3249 EXPORT_SYMBOL_GPL(nft_chain_validate); 3250 3251 static int nft_table_validate(struct net *net, const struct nft_table *table) 3252 { 3253 struct nft_chain *chain; 3254 struct nft_ctx ctx = { 3255 .net = net, 3256 .family = table->family, 3257 }; 3258 int err; 3259 3260 list_for_each_entry(chain, &table->chains, list) { 3261 if (!nft_is_base_chain(chain)) 3262 continue; 3263 3264 ctx.chain = chain; 3265 err = nft_chain_validate(&ctx, chain); 3266 if (err < 0) 3267 return err; 3268 } 3269 3270 return 0; 3271 } 3272 3273 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3274 const struct nlattr *nla); 3275 3276 #define NFT_RULE_MAXEXPRS 128 3277 3278 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, 3279 const struct nlattr * const nla[]) 3280 { 3281 struct nftables_pernet *nft_net = nft_pernet(info->net); 3282 struct netlink_ext_ack *extack = info->extack; 3283 unsigned int size, i, n, ulen = 0, usize = 0; 3284 u8 genmask = nft_genmask_next(info->net); 3285 struct nft_rule *rule, *old_rule = NULL; 3286 struct nft_expr_info *expr_info = NULL; 3287 u8 family = info->nfmsg->nfgen_family; 3288 struct nft_flow_rule *flow = NULL; 3289 struct net *net = info->net; 3290 struct nft_userdata *udata; 3291 struct nft_table *table; 3292 struct nft_chain *chain; 3293 struct nft_trans *trans; 3294 u64 handle, pos_handle; 3295 struct nft_expr *expr; 3296 struct nft_ctx ctx; 3297 struct nlattr *tmp; 3298 int err, rem; 3299 3300 lockdep_assert_held(&nft_net->commit_mutex); 3301 3302 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3303 NETLINK_CB(skb).portid); 3304 if (IS_ERR(table)) { 3305 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3306 return PTR_ERR(table); 3307 } 3308 3309 if (nla[NFTA_RULE_CHAIN]) { 3310 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3311 genmask); 3312 if (IS_ERR(chain)) { 3313 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3314 return PTR_ERR(chain); 3315 } 3316 if (nft_chain_is_bound(chain)) 3317 return -EOPNOTSUPP; 3318 3319 } else if (nla[NFTA_RULE_CHAIN_ID]) { 3320 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]); 3321 if (IS_ERR(chain)) { 3322 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); 3323 return PTR_ERR(chain); 3324 } 3325 } else { 3326 return -EINVAL; 3327 } 3328 3329 if (nla[NFTA_RULE_HANDLE]) { 3330 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 3331 rule = __nft_rule_lookup(chain, handle); 3332 if (IS_ERR(rule)) { 3333 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3334 return PTR_ERR(rule); 3335 } 3336 3337 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 3338 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3339 return -EEXIST; 3340 } 3341 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 3342 old_rule = rule; 3343 else 3344 return -EOPNOTSUPP; 3345 } else { 3346 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) || 3347 info->nlh->nlmsg_flags & NLM_F_REPLACE) 3348 return -EINVAL; 3349 handle = nf_tables_alloc_handle(table); 3350 3351 if (chain->use == UINT_MAX) 3352 return -EOVERFLOW; 3353 3354 if (nla[NFTA_RULE_POSITION]) { 3355 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 3356 old_rule = __nft_rule_lookup(chain, pos_handle); 3357 if (IS_ERR(old_rule)) { 3358 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 3359 return PTR_ERR(old_rule); 3360 } 3361 } else if (nla[NFTA_RULE_POSITION_ID]) { 3362 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]); 3363 if (IS_ERR(old_rule)) { 3364 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 3365 return PTR_ERR(old_rule); 3366 } 3367 } 3368 } 3369 3370 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3371 3372 n = 0; 3373 size = 0; 3374 if (nla[NFTA_RULE_EXPRESSIONS]) { 3375 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS, 3376 sizeof(struct nft_expr_info), 3377 GFP_KERNEL); 3378 if (!expr_info) 3379 return -ENOMEM; 3380 3381 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 3382 err = -EINVAL; 3383 if (nla_type(tmp) != NFTA_LIST_ELEM) 3384 goto err_release_expr; 3385 if (n == NFT_RULE_MAXEXPRS) 3386 goto err_release_expr; 3387 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]); 3388 if (err < 0) { 3389 NL_SET_BAD_ATTR(extack, tmp); 3390 goto err_release_expr; 3391 } 3392 size += expr_info[n].ops->size; 3393 n++; 3394 } 3395 } 3396 /* Check for overflow of dlen field */ 3397 err = -EFBIG; 3398 if (size >= 1 << 12) 3399 goto err_release_expr; 3400 3401 if (nla[NFTA_RULE_USERDATA]) { 3402 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 3403 if (ulen > 0) 3404 usize = sizeof(struct nft_userdata) + ulen; 3405 } 3406 3407 err = -ENOMEM; 3408 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL); 3409 if (rule == NULL) 3410 goto err_release_expr; 3411 3412 nft_activate_next(net, rule); 3413 3414 rule->handle = handle; 3415 rule->dlen = size; 3416 rule->udata = ulen ? 1 : 0; 3417 3418 if (ulen) { 3419 udata = nft_userdata(rule); 3420 udata->len = ulen - 1; 3421 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 3422 } 3423 3424 expr = nft_expr_first(rule); 3425 for (i = 0; i < n; i++) { 3426 err = nf_tables_newexpr(&ctx, &expr_info[i], expr); 3427 if (err < 0) { 3428 NL_SET_BAD_ATTR(extack, expr_info[i].attr); 3429 goto err_release_rule; 3430 } 3431 3432 if (expr_info[i].ops->validate) 3433 nft_validate_state_update(net, NFT_VALIDATE_NEED); 3434 3435 expr_info[i].ops = NULL; 3436 expr = nft_expr_next(expr); 3437 } 3438 3439 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 3440 flow = nft_flow_rule_create(net, rule); 3441 if (IS_ERR(flow)) { 3442 err = PTR_ERR(flow); 3443 goto err_release_rule; 3444 } 3445 } 3446 3447 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { 3448 err = nft_delrule(&ctx, old_rule); 3449 if (err < 0) 3450 goto err_destroy_flow_rule; 3451 3452 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3453 if (trans == NULL) { 3454 err = -ENOMEM; 3455 goto err_destroy_flow_rule; 3456 } 3457 list_add_tail_rcu(&rule->list, &old_rule->list); 3458 } else { 3459 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3460 if (!trans) { 3461 err = -ENOMEM; 3462 goto err_destroy_flow_rule; 3463 } 3464 3465 if (info->nlh->nlmsg_flags & NLM_F_APPEND) { 3466 if (old_rule) 3467 list_add_rcu(&rule->list, &old_rule->list); 3468 else 3469 list_add_tail_rcu(&rule->list, &chain->rules); 3470 } else { 3471 if (old_rule) 3472 list_add_tail_rcu(&rule->list, &old_rule->list); 3473 else 3474 list_add_rcu(&rule->list, &chain->rules); 3475 } 3476 } 3477 kvfree(expr_info); 3478 chain->use++; 3479 3480 if (flow) 3481 nft_trans_flow_rule(trans) = flow; 3482 3483 if (nft_net->validate_state == NFT_VALIDATE_DO) 3484 return nft_table_validate(net, table); 3485 3486 return 0; 3487 3488 err_destroy_flow_rule: 3489 if (flow) 3490 nft_flow_rule_destroy(flow); 3491 err_release_rule: 3492 nf_tables_rule_release(&ctx, rule); 3493 err_release_expr: 3494 for (i = 0; i < n; i++) { 3495 if (expr_info[i].ops) { 3496 module_put(expr_info[i].ops->type->owner); 3497 if (expr_info[i].ops->type->release_ops) 3498 expr_info[i].ops->type->release_ops(expr_info[i].ops); 3499 } 3500 } 3501 kvfree(expr_info); 3502 3503 return err; 3504 } 3505 3506 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3507 const struct nlattr *nla) 3508 { 3509 struct nftables_pernet *nft_net = nft_pernet(net); 3510 u32 id = ntohl(nla_get_be32(nla)); 3511 struct nft_trans *trans; 3512 3513 list_for_each_entry(trans, &nft_net->commit_list, list) { 3514 struct nft_rule *rule = nft_trans_rule(trans); 3515 3516 if (trans->msg_type == NFT_MSG_NEWRULE && 3517 id == nft_trans_rule_id(trans)) 3518 return rule; 3519 } 3520 return ERR_PTR(-ENOENT); 3521 } 3522 3523 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, 3524 const struct nlattr * const nla[]) 3525 { 3526 struct netlink_ext_ack *extack = info->extack; 3527 u8 genmask = nft_genmask_next(info->net); 3528 u8 family = info->nfmsg->nfgen_family; 3529 struct nft_chain *chain = NULL; 3530 struct net *net = info->net; 3531 struct nft_table *table; 3532 struct nft_rule *rule; 3533 struct nft_ctx ctx; 3534 int err = 0; 3535 3536 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3537 NETLINK_CB(skb).portid); 3538 if (IS_ERR(table)) { 3539 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3540 return PTR_ERR(table); 3541 } 3542 3543 if (nla[NFTA_RULE_CHAIN]) { 3544 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3545 genmask); 3546 if (IS_ERR(chain)) { 3547 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3548 return PTR_ERR(chain); 3549 } 3550 if (nft_chain_is_bound(chain)) 3551 return -EOPNOTSUPP; 3552 } 3553 3554 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3555 3556 if (chain) { 3557 if (nla[NFTA_RULE_HANDLE]) { 3558 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3559 if (IS_ERR(rule)) { 3560 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3561 return PTR_ERR(rule); 3562 } 3563 3564 err = nft_delrule(&ctx, rule); 3565 } else if (nla[NFTA_RULE_ID]) { 3566 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); 3567 if (IS_ERR(rule)) { 3568 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 3569 return PTR_ERR(rule); 3570 } 3571 3572 err = nft_delrule(&ctx, rule); 3573 } else { 3574 err = nft_delrule_by_chain(&ctx); 3575 } 3576 } else { 3577 list_for_each_entry(chain, &table->chains, list) { 3578 if (!nft_is_active_next(net, chain)) 3579 continue; 3580 3581 ctx.chain = chain; 3582 err = nft_delrule_by_chain(&ctx); 3583 if (err < 0) 3584 break; 3585 } 3586 } 3587 3588 return err; 3589 } 3590 3591 /* 3592 * Sets 3593 */ 3594 static const struct nft_set_type *nft_set_types[] = { 3595 &nft_set_hash_fast_type, 3596 &nft_set_hash_type, 3597 &nft_set_rhash_type, 3598 &nft_set_bitmap_type, 3599 &nft_set_rbtree_type, 3600 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 3601 &nft_set_pipapo_avx2_type, 3602 #endif 3603 &nft_set_pipapo_type, 3604 }; 3605 3606 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 3607 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 3608 NFT_SET_EVAL) 3609 3610 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 3611 { 3612 return (flags & type->features) == (flags & NFT_SET_FEATURES); 3613 } 3614 3615 /* 3616 * Select a set implementation based on the data characteristics and the 3617 * given policy. The total memory use might not be known if no size is 3618 * given, in that case the amount of memory per element is used. 3619 */ 3620 static const struct nft_set_ops * 3621 nft_select_set_ops(const struct nft_ctx *ctx, 3622 const struct nlattr * const nla[], 3623 const struct nft_set_desc *desc, 3624 enum nft_set_policies policy) 3625 { 3626 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3627 const struct nft_set_ops *ops, *bops; 3628 struct nft_set_estimate est, best; 3629 const struct nft_set_type *type; 3630 u32 flags = 0; 3631 int i; 3632 3633 lockdep_assert_held(&nft_net->commit_mutex); 3634 lockdep_nfnl_nft_mutex_not_held(); 3635 3636 if (nla[NFTA_SET_FLAGS] != NULL) 3637 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 3638 3639 bops = NULL; 3640 best.size = ~0; 3641 best.lookup = ~0; 3642 best.space = ~0; 3643 3644 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 3645 type = nft_set_types[i]; 3646 ops = &type->ops; 3647 3648 if (!nft_set_ops_candidate(type, flags)) 3649 continue; 3650 if (!ops->estimate(desc, flags, &est)) 3651 continue; 3652 3653 switch (policy) { 3654 case NFT_SET_POL_PERFORMANCE: 3655 if (est.lookup < best.lookup) 3656 break; 3657 if (est.lookup == best.lookup && 3658 est.space < best.space) 3659 break; 3660 continue; 3661 case NFT_SET_POL_MEMORY: 3662 if (!desc->size) { 3663 if (est.space < best.space) 3664 break; 3665 if (est.space == best.space && 3666 est.lookup < best.lookup) 3667 break; 3668 } else if (est.size < best.size || !bops) { 3669 break; 3670 } 3671 continue; 3672 default: 3673 break; 3674 } 3675 3676 bops = ops; 3677 best = est; 3678 } 3679 3680 if (bops != NULL) 3681 return bops; 3682 3683 return ERR_PTR(-EOPNOTSUPP); 3684 } 3685 3686 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 3687 [NFTA_SET_TABLE] = { .type = NLA_STRING, 3688 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3689 [NFTA_SET_NAME] = { .type = NLA_STRING, 3690 .len = NFT_SET_MAXNAMELEN - 1 }, 3691 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 3692 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 3693 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 3694 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 3695 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 3696 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 3697 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 3698 [NFTA_SET_ID] = { .type = NLA_U32 }, 3699 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 3700 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 3701 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 3702 .len = NFT_USERDATA_MAXLEN }, 3703 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 3704 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 3705 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 3706 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED }, 3707 }; 3708 3709 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 3710 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 3711 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED }, 3712 }; 3713 3714 static struct nft_set *nft_set_lookup(const struct nft_table *table, 3715 const struct nlattr *nla, u8 genmask) 3716 { 3717 struct nft_set *set; 3718 3719 if (nla == NULL) 3720 return ERR_PTR(-EINVAL); 3721 3722 list_for_each_entry_rcu(set, &table->sets, list) { 3723 if (!nla_strcmp(nla, set->name) && 3724 nft_active_genmask(set, genmask)) 3725 return set; 3726 } 3727 return ERR_PTR(-ENOENT); 3728 } 3729 3730 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 3731 const struct nlattr *nla, 3732 u8 genmask) 3733 { 3734 struct nft_set *set; 3735 3736 list_for_each_entry(set, &table->sets, list) { 3737 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 3738 nft_active_genmask(set, genmask)) 3739 return set; 3740 } 3741 return ERR_PTR(-ENOENT); 3742 } 3743 3744 static struct nft_set *nft_set_lookup_byid(const struct net *net, 3745 const struct nlattr *nla, u8 genmask) 3746 { 3747 struct nftables_pernet *nft_net = nft_pernet(net); 3748 u32 id = ntohl(nla_get_be32(nla)); 3749 struct nft_trans *trans; 3750 3751 list_for_each_entry(trans, &nft_net->commit_list, list) { 3752 if (trans->msg_type == NFT_MSG_NEWSET) { 3753 struct nft_set *set = nft_trans_set(trans); 3754 3755 if (id == nft_trans_set_id(trans) && 3756 nft_active_genmask(set, genmask)) 3757 return set; 3758 } 3759 } 3760 return ERR_PTR(-ENOENT); 3761 } 3762 3763 struct nft_set *nft_set_lookup_global(const struct net *net, 3764 const struct nft_table *table, 3765 const struct nlattr *nla_set_name, 3766 const struct nlattr *nla_set_id, 3767 u8 genmask) 3768 { 3769 struct nft_set *set; 3770 3771 set = nft_set_lookup(table, nla_set_name, genmask); 3772 if (IS_ERR(set)) { 3773 if (!nla_set_id) 3774 return set; 3775 3776 set = nft_set_lookup_byid(net, nla_set_id, genmask); 3777 } 3778 return set; 3779 } 3780 EXPORT_SYMBOL_GPL(nft_set_lookup_global); 3781 3782 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 3783 const char *name) 3784 { 3785 const struct nft_set *i; 3786 const char *p; 3787 unsigned long *inuse; 3788 unsigned int n = 0, min = 0; 3789 3790 p = strchr(name, '%'); 3791 if (p != NULL) { 3792 if (p[1] != 'd' || strchr(p + 2, '%')) 3793 return -EINVAL; 3794 3795 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 3796 if (inuse == NULL) 3797 return -ENOMEM; 3798 cont: 3799 list_for_each_entry(i, &ctx->table->sets, list) { 3800 int tmp; 3801 3802 if (!nft_is_active_next(ctx->net, set)) 3803 continue; 3804 if (!sscanf(i->name, name, &tmp)) 3805 continue; 3806 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 3807 continue; 3808 3809 set_bit(tmp - min, inuse); 3810 } 3811 3812 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 3813 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 3814 min += BITS_PER_BYTE * PAGE_SIZE; 3815 memset(inuse, 0, PAGE_SIZE); 3816 goto cont; 3817 } 3818 free_page((unsigned long)inuse); 3819 } 3820 3821 set->name = kasprintf(GFP_KERNEL, name, min + n); 3822 if (!set->name) 3823 return -ENOMEM; 3824 3825 list_for_each_entry(i, &ctx->table->sets, list) { 3826 if (!nft_is_active_next(ctx->net, i)) 3827 continue; 3828 if (!strcmp(set->name, i->name)) { 3829 kfree(set->name); 3830 set->name = NULL; 3831 return -ENFILE; 3832 } 3833 } 3834 return 0; 3835 } 3836 3837 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 3838 { 3839 u64 ms = be64_to_cpu(nla_get_be64(nla)); 3840 u64 max = (u64)(~((u64)0)); 3841 3842 max = div_u64(max, NSEC_PER_MSEC); 3843 if (ms >= max) 3844 return -ERANGE; 3845 3846 ms *= NSEC_PER_MSEC; 3847 *result = nsecs_to_jiffies64(ms); 3848 return 0; 3849 } 3850 3851 __be64 nf_jiffies64_to_msecs(u64 input) 3852 { 3853 return cpu_to_be64(jiffies64_to_msecs(input)); 3854 } 3855 3856 static int nf_tables_fill_set_concat(struct sk_buff *skb, 3857 const struct nft_set *set) 3858 { 3859 struct nlattr *concat, *field; 3860 int i; 3861 3862 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 3863 if (!concat) 3864 return -ENOMEM; 3865 3866 for (i = 0; i < set->field_count; i++) { 3867 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 3868 if (!field) 3869 return -ENOMEM; 3870 3871 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 3872 htonl(set->field_len[i]))) 3873 return -ENOMEM; 3874 3875 nla_nest_end(skb, field); 3876 } 3877 3878 nla_nest_end(skb, concat); 3879 3880 return 0; 3881 } 3882 3883 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 3884 const struct nft_set *set, u16 event, u16 flags) 3885 { 3886 struct nlmsghdr *nlh; 3887 u32 portid = ctx->portid; 3888 struct nlattr *nest; 3889 u32 seq = ctx->seq; 3890 int i; 3891 3892 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3893 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 3894 NFNETLINK_V0, nft_base_seq(ctx->net)); 3895 if (!nlh) 3896 goto nla_put_failure; 3897 3898 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 3899 goto nla_put_failure; 3900 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 3901 goto nla_put_failure; 3902 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 3903 NFTA_SET_PAD)) 3904 goto nla_put_failure; 3905 if (set->flags != 0) 3906 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 3907 goto nla_put_failure; 3908 3909 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 3910 goto nla_put_failure; 3911 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 3912 goto nla_put_failure; 3913 if (set->flags & NFT_SET_MAP) { 3914 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 3915 goto nla_put_failure; 3916 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 3917 goto nla_put_failure; 3918 } 3919 if (set->flags & NFT_SET_OBJECT && 3920 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 3921 goto nla_put_failure; 3922 3923 if (set->timeout && 3924 nla_put_be64(skb, NFTA_SET_TIMEOUT, 3925 nf_jiffies64_to_msecs(set->timeout), 3926 NFTA_SET_PAD)) 3927 goto nla_put_failure; 3928 if (set->gc_int && 3929 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int))) 3930 goto nla_put_failure; 3931 3932 if (set->policy != NFT_SET_POL_PERFORMANCE) { 3933 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 3934 goto nla_put_failure; 3935 } 3936 3937 if (set->udata && 3938 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 3939 goto nla_put_failure; 3940 3941 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 3942 if (!nest) 3943 goto nla_put_failure; 3944 if (set->size && 3945 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 3946 goto nla_put_failure; 3947 3948 if (set->field_count > 1 && 3949 nf_tables_fill_set_concat(skb, set)) 3950 goto nla_put_failure; 3951 3952 nla_nest_end(skb, nest); 3953 3954 if (set->num_exprs == 1) { 3955 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 3956 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0) 3957 goto nla_put_failure; 3958 3959 nla_nest_end(skb, nest); 3960 } else if (set->num_exprs > 1) { 3961 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS); 3962 if (nest == NULL) 3963 goto nla_put_failure; 3964 3965 for (i = 0; i < set->num_exprs; i++) { 3966 if (nft_expr_dump(skb, NFTA_LIST_ELEM, 3967 set->exprs[i]) < 0) 3968 goto nla_put_failure; 3969 } 3970 nla_nest_end(skb, nest); 3971 } 3972 3973 nlmsg_end(skb, nlh); 3974 return 0; 3975 3976 nla_put_failure: 3977 nlmsg_trim(skb, nlh); 3978 return -1; 3979 } 3980 3981 static void nf_tables_set_notify(const struct nft_ctx *ctx, 3982 const struct nft_set *set, int event, 3983 gfp_t gfp_flags) 3984 { 3985 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3986 u32 portid = ctx->portid; 3987 struct sk_buff *skb; 3988 u16 flags = 0; 3989 int err; 3990 3991 if (!ctx->report && 3992 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3993 return; 3994 3995 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 3996 if (skb == NULL) 3997 goto err; 3998 3999 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 4000 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 4001 4002 err = nf_tables_fill_set(skb, ctx, set, event, flags); 4003 if (err < 0) { 4004 kfree_skb(skb); 4005 goto err; 4006 } 4007 4008 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 4009 return; 4010 err: 4011 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 4012 } 4013 4014 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 4015 { 4016 const struct nft_set *set; 4017 unsigned int idx, s_idx = cb->args[0]; 4018 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 4019 struct net *net = sock_net(skb->sk); 4020 struct nft_ctx *ctx = cb->data, ctx_set; 4021 struct nftables_pernet *nft_net; 4022 4023 if (cb->args[1]) 4024 return skb->len; 4025 4026 rcu_read_lock(); 4027 nft_net = nft_pernet(net); 4028 cb->seq = nft_net->base_seq; 4029 4030 list_for_each_entry_rcu(table, &nft_net->tables, list) { 4031 if (ctx->family != NFPROTO_UNSPEC && 4032 ctx->family != table->family) 4033 continue; 4034 4035 if (ctx->table && ctx->table != table) 4036 continue; 4037 4038 if (cur_table) { 4039 if (cur_table != table) 4040 continue; 4041 4042 cur_table = NULL; 4043 } 4044 idx = 0; 4045 list_for_each_entry_rcu(set, &table->sets, list) { 4046 if (idx < s_idx) 4047 goto cont; 4048 if (!nft_is_active(net, set)) 4049 goto cont; 4050 4051 ctx_set = *ctx; 4052 ctx_set.table = table; 4053 ctx_set.family = table->family; 4054 4055 if (nf_tables_fill_set(skb, &ctx_set, set, 4056 NFT_MSG_NEWSET, 4057 NLM_F_MULTI) < 0) { 4058 cb->args[0] = idx; 4059 cb->args[2] = (unsigned long) table; 4060 goto done; 4061 } 4062 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 4063 cont: 4064 idx++; 4065 } 4066 if (s_idx) 4067 s_idx = 0; 4068 } 4069 cb->args[1] = 1; 4070 done: 4071 rcu_read_unlock(); 4072 return skb->len; 4073 } 4074 4075 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 4076 { 4077 struct nft_ctx *ctx_dump = NULL; 4078 4079 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 4080 if (ctx_dump == NULL) 4081 return -ENOMEM; 4082 4083 cb->data = ctx_dump; 4084 return 0; 4085 } 4086 4087 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 4088 { 4089 kfree(cb->data); 4090 return 0; 4091 } 4092 4093 /* called with rcu_read_lock held */ 4094 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info, 4095 const struct nlattr * const nla[]) 4096 { 4097 struct netlink_ext_ack *extack = info->extack; 4098 u8 genmask = nft_genmask_cur(info->net); 4099 u8 family = info->nfmsg->nfgen_family; 4100 struct nft_table *table = NULL; 4101 struct net *net = info->net; 4102 const struct nft_set *set; 4103 struct sk_buff *skb2; 4104 struct nft_ctx ctx; 4105 int err; 4106 4107 if (nla[NFTA_SET_TABLE]) { 4108 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 4109 genmask, 0); 4110 if (IS_ERR(table)) { 4111 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4112 return PTR_ERR(table); 4113 } 4114 } 4115 4116 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4117 4118 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 4119 struct netlink_dump_control c = { 4120 .start = nf_tables_dump_sets_start, 4121 .dump = nf_tables_dump_sets, 4122 .done = nf_tables_dump_sets_done, 4123 .data = &ctx, 4124 .module = THIS_MODULE, 4125 }; 4126 4127 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 4128 } 4129 4130 /* Only accept unspec with dump */ 4131 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 4132 return -EAFNOSUPPORT; 4133 if (!nla[NFTA_SET_TABLE]) 4134 return -EINVAL; 4135 4136 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4137 if (IS_ERR(set)) 4138 return PTR_ERR(set); 4139 4140 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 4141 if (skb2 == NULL) 4142 return -ENOMEM; 4143 4144 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 4145 if (err < 0) 4146 goto err_fill_set_info; 4147 4148 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 4149 4150 err_fill_set_info: 4151 kfree_skb(skb2); 4152 return err; 4153 } 4154 4155 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 4156 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 4157 }; 4158 4159 static int nft_set_desc_concat_parse(const struct nlattr *attr, 4160 struct nft_set_desc *desc) 4161 { 4162 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 4163 u32 len; 4164 int err; 4165 4166 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 4167 nft_concat_policy, NULL); 4168 if (err < 0) 4169 return err; 4170 4171 if (!tb[NFTA_SET_FIELD_LEN]) 4172 return -EINVAL; 4173 4174 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 4175 4176 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT) 4177 return -E2BIG; 4178 4179 desc->field_len[desc->field_count++] = len; 4180 4181 return 0; 4182 } 4183 4184 static int nft_set_desc_concat(struct nft_set_desc *desc, 4185 const struct nlattr *nla) 4186 { 4187 struct nlattr *attr; 4188 int rem, err; 4189 4190 nla_for_each_nested(attr, nla, rem) { 4191 if (nla_type(attr) != NFTA_LIST_ELEM) 4192 return -EINVAL; 4193 4194 err = nft_set_desc_concat_parse(attr, desc); 4195 if (err < 0) 4196 return err; 4197 } 4198 4199 return 0; 4200 } 4201 4202 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 4203 const struct nlattr *nla) 4204 { 4205 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 4206 int err; 4207 4208 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 4209 nft_set_desc_policy, NULL); 4210 if (err < 0) 4211 return err; 4212 4213 if (da[NFTA_SET_DESC_SIZE] != NULL) 4214 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 4215 if (da[NFTA_SET_DESC_CONCAT]) 4216 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 4217 4218 return err; 4219 } 4220 4221 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 4222 const struct nlattr * const nla[]) 4223 { 4224 u32 ktype, dtype, flags, policy, gc_int, objtype; 4225 struct netlink_ext_ack *extack = info->extack; 4226 u8 genmask = nft_genmask_next(info->net); 4227 u8 family = info->nfmsg->nfgen_family; 4228 const struct nft_set_ops *ops; 4229 struct nft_expr *expr = NULL; 4230 struct net *net = info->net; 4231 struct nft_set_desc desc; 4232 struct nft_table *table; 4233 unsigned char *udata; 4234 struct nft_set *set; 4235 struct nft_ctx ctx; 4236 size_t alloc_size; 4237 u64 timeout; 4238 char *name; 4239 int err, i; 4240 u16 udlen; 4241 u64 size; 4242 4243 if (nla[NFTA_SET_TABLE] == NULL || 4244 nla[NFTA_SET_NAME] == NULL || 4245 nla[NFTA_SET_KEY_LEN] == NULL || 4246 nla[NFTA_SET_ID] == NULL) 4247 return -EINVAL; 4248 4249 memset(&desc, 0, sizeof(desc)); 4250 4251 ktype = NFT_DATA_VALUE; 4252 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 4253 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 4254 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 4255 return -EINVAL; 4256 } 4257 4258 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 4259 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 4260 return -EINVAL; 4261 4262 flags = 0; 4263 if (nla[NFTA_SET_FLAGS] != NULL) { 4264 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 4265 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 4266 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 4267 NFT_SET_MAP | NFT_SET_EVAL | 4268 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR)) 4269 return -EOPNOTSUPP; 4270 /* Only one of these operations is supported */ 4271 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 4272 (NFT_SET_MAP | NFT_SET_OBJECT)) 4273 return -EOPNOTSUPP; 4274 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 4275 (NFT_SET_EVAL | NFT_SET_OBJECT)) 4276 return -EOPNOTSUPP; 4277 } 4278 4279 dtype = 0; 4280 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 4281 if (!(flags & NFT_SET_MAP)) 4282 return -EINVAL; 4283 4284 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 4285 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 4286 dtype != NFT_DATA_VERDICT) 4287 return -EINVAL; 4288 4289 if (dtype != NFT_DATA_VERDICT) { 4290 if (nla[NFTA_SET_DATA_LEN] == NULL) 4291 return -EINVAL; 4292 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 4293 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 4294 return -EINVAL; 4295 } else 4296 desc.dlen = sizeof(struct nft_verdict); 4297 } else if (flags & NFT_SET_MAP) 4298 return -EINVAL; 4299 4300 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 4301 if (!(flags & NFT_SET_OBJECT)) 4302 return -EINVAL; 4303 4304 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 4305 if (objtype == NFT_OBJECT_UNSPEC || 4306 objtype > NFT_OBJECT_MAX) 4307 return -EOPNOTSUPP; 4308 } else if (flags & NFT_SET_OBJECT) 4309 return -EINVAL; 4310 else 4311 objtype = NFT_OBJECT_UNSPEC; 4312 4313 timeout = 0; 4314 if (nla[NFTA_SET_TIMEOUT] != NULL) { 4315 if (!(flags & NFT_SET_TIMEOUT)) 4316 return -EINVAL; 4317 4318 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout); 4319 if (err) 4320 return err; 4321 } 4322 gc_int = 0; 4323 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 4324 if (!(flags & NFT_SET_TIMEOUT)) 4325 return -EINVAL; 4326 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 4327 } 4328 4329 policy = NFT_SET_POL_PERFORMANCE; 4330 if (nla[NFTA_SET_POLICY] != NULL) 4331 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 4332 4333 if (nla[NFTA_SET_DESC] != NULL) { 4334 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 4335 if (err < 0) 4336 return err; 4337 } 4338 4339 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS]) 4340 desc.expr = true; 4341 4342 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask, 4343 NETLINK_CB(skb).portid); 4344 if (IS_ERR(table)) { 4345 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4346 return PTR_ERR(table); 4347 } 4348 4349 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4350 4351 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4352 if (IS_ERR(set)) { 4353 if (PTR_ERR(set) != -ENOENT) { 4354 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4355 return PTR_ERR(set); 4356 } 4357 } else { 4358 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 4359 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4360 return -EEXIST; 4361 } 4362 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 4363 return -EOPNOTSUPP; 4364 4365 return 0; 4366 } 4367 4368 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) 4369 return -ENOENT; 4370 4371 ops = nft_select_set_ops(&ctx, nla, &desc, policy); 4372 if (IS_ERR(ops)) 4373 return PTR_ERR(ops); 4374 4375 udlen = 0; 4376 if (nla[NFTA_SET_USERDATA]) 4377 udlen = nla_len(nla[NFTA_SET_USERDATA]); 4378 4379 size = 0; 4380 if (ops->privsize != NULL) 4381 size = ops->privsize(nla, &desc); 4382 alloc_size = sizeof(*set) + size + udlen; 4383 if (alloc_size < size || alloc_size > INT_MAX) 4384 return -ENOMEM; 4385 set = kvzalloc(alloc_size, GFP_KERNEL); 4386 if (!set) 4387 return -ENOMEM; 4388 4389 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL); 4390 if (!name) { 4391 err = -ENOMEM; 4392 goto err_set_name; 4393 } 4394 4395 err = nf_tables_set_alloc_name(&ctx, set, name); 4396 kfree(name); 4397 if (err < 0) 4398 goto err_set_name; 4399 4400 udata = NULL; 4401 if (udlen) { 4402 udata = set->data + size; 4403 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 4404 } 4405 4406 INIT_LIST_HEAD(&set->bindings); 4407 INIT_LIST_HEAD(&set->catchall_list); 4408 set->table = table; 4409 write_pnet(&set->net, net); 4410 set->ops = ops; 4411 set->ktype = ktype; 4412 set->klen = desc.klen; 4413 set->dtype = dtype; 4414 set->objtype = objtype; 4415 set->dlen = desc.dlen; 4416 set->flags = flags; 4417 set->size = desc.size; 4418 set->policy = policy; 4419 set->udlen = udlen; 4420 set->udata = udata; 4421 set->timeout = timeout; 4422 set->gc_int = gc_int; 4423 4424 set->field_count = desc.field_count; 4425 for (i = 0; i < desc.field_count; i++) 4426 set->field_len[i] = desc.field_len[i]; 4427 4428 err = ops->init(set, &desc, nla); 4429 if (err < 0) 4430 goto err_set_init; 4431 4432 if (nla[NFTA_SET_EXPR]) { 4433 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]); 4434 if (IS_ERR(expr)) { 4435 err = PTR_ERR(expr); 4436 goto err_set_expr_alloc; 4437 } 4438 set->exprs[0] = expr; 4439 set->num_exprs++; 4440 } else if (nla[NFTA_SET_EXPRESSIONS]) { 4441 struct nft_expr *expr; 4442 struct nlattr *tmp; 4443 int left; 4444 4445 if (!(flags & NFT_SET_EXPR)) { 4446 err = -EINVAL; 4447 goto err_set_expr_alloc; 4448 } 4449 i = 0; 4450 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) { 4451 if (i == NFT_SET_EXPR_MAX) { 4452 err = -E2BIG; 4453 goto err_set_expr_alloc; 4454 } 4455 if (nla_type(tmp) != NFTA_LIST_ELEM) { 4456 err = -EINVAL; 4457 goto err_set_expr_alloc; 4458 } 4459 expr = nft_set_elem_expr_alloc(&ctx, set, tmp); 4460 if (IS_ERR(expr)) { 4461 err = PTR_ERR(expr); 4462 goto err_set_expr_alloc; 4463 } 4464 set->exprs[i++] = expr; 4465 set->num_exprs++; 4466 } 4467 } 4468 4469 set->handle = nf_tables_alloc_handle(table); 4470 4471 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 4472 if (err < 0) 4473 goto err_set_expr_alloc; 4474 4475 list_add_tail_rcu(&set->list, &table->sets); 4476 table->use++; 4477 return 0; 4478 4479 err_set_expr_alloc: 4480 for (i = 0; i < set->num_exprs; i++) 4481 nft_expr_destroy(&ctx, set->exprs[i]); 4482 4483 ops->destroy(set); 4484 err_set_init: 4485 kfree(set->name); 4486 err_set_name: 4487 kvfree(set); 4488 return err; 4489 } 4490 4491 struct nft_set_elem_catchall { 4492 struct list_head list; 4493 struct rcu_head rcu; 4494 void *elem; 4495 }; 4496 4497 static void nft_set_catchall_destroy(const struct nft_ctx *ctx, 4498 struct nft_set *set) 4499 { 4500 struct nft_set_elem_catchall *next, *catchall; 4501 4502 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 4503 list_del_rcu(&catchall->list); 4504 nft_set_elem_destroy(set, catchall->elem, true); 4505 kfree_rcu(catchall); 4506 } 4507 } 4508 4509 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 4510 { 4511 int i; 4512 4513 if (WARN_ON(set->use > 0)) 4514 return; 4515 4516 for (i = 0; i < set->num_exprs; i++) 4517 nft_expr_destroy(ctx, set->exprs[i]); 4518 4519 set->ops->destroy(set); 4520 nft_set_catchall_destroy(ctx, set); 4521 kfree(set->name); 4522 kvfree(set); 4523 } 4524 4525 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info, 4526 const struct nlattr * const nla[]) 4527 { 4528 struct netlink_ext_ack *extack = info->extack; 4529 u8 genmask = nft_genmask_next(info->net); 4530 u8 family = info->nfmsg->nfgen_family; 4531 struct net *net = info->net; 4532 const struct nlattr *attr; 4533 struct nft_table *table; 4534 struct nft_set *set; 4535 struct nft_ctx ctx; 4536 4537 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 4538 return -EAFNOSUPPORT; 4539 4540 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 4541 genmask, NETLINK_CB(skb).portid); 4542 if (IS_ERR(table)) { 4543 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4544 return PTR_ERR(table); 4545 } 4546 4547 if (nla[NFTA_SET_HANDLE]) { 4548 attr = nla[NFTA_SET_HANDLE]; 4549 set = nft_set_lookup_byhandle(table, attr, genmask); 4550 } else { 4551 attr = nla[NFTA_SET_NAME]; 4552 set = nft_set_lookup(table, attr, genmask); 4553 } 4554 4555 if (IS_ERR(set)) { 4556 NL_SET_BAD_ATTR(extack, attr); 4557 return PTR_ERR(set); 4558 } 4559 if (set->use || 4560 (info->nlh->nlmsg_flags & NLM_F_NONREC && 4561 atomic_read(&set->nelems) > 0)) { 4562 NL_SET_BAD_ATTR(extack, attr); 4563 return -EBUSY; 4564 } 4565 4566 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4567 4568 return nft_delset(&ctx, set); 4569 } 4570 4571 static int nft_validate_register_store(const struct nft_ctx *ctx, 4572 enum nft_registers reg, 4573 const struct nft_data *data, 4574 enum nft_data_types type, 4575 unsigned int len); 4576 4577 static int nft_setelem_data_validate(const struct nft_ctx *ctx, 4578 struct nft_set *set, 4579 struct nft_set_elem *elem) 4580 { 4581 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4582 enum nft_registers dreg; 4583 4584 dreg = nft_type_to_reg(set->dtype); 4585 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 4586 set->dtype == NFT_DATA_VERDICT ? 4587 NFT_DATA_VERDICT : NFT_DATA_VALUE, 4588 set->dlen); 4589 } 4590 4591 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 4592 struct nft_set *set, 4593 const struct nft_set_iter *iter, 4594 struct nft_set_elem *elem) 4595 { 4596 return nft_setelem_data_validate(ctx, set, elem); 4597 } 4598 4599 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx, 4600 struct nft_set *set) 4601 { 4602 u8 genmask = nft_genmask_next(ctx->net); 4603 struct nft_set_elem_catchall *catchall; 4604 struct nft_set_elem elem; 4605 struct nft_set_ext *ext; 4606 int ret = 0; 4607 4608 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 4609 ext = nft_set_elem_ext(set, catchall->elem); 4610 if (!nft_set_elem_active(ext, genmask)) 4611 continue; 4612 4613 elem.priv = catchall->elem; 4614 ret = nft_setelem_data_validate(ctx, set, &elem); 4615 if (ret < 0) 4616 break; 4617 } 4618 4619 return ret; 4620 } 4621 4622 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 4623 struct nft_set_binding *binding) 4624 { 4625 struct nft_set_binding *i; 4626 struct nft_set_iter iter; 4627 4628 if (set->use == UINT_MAX) 4629 return -EOVERFLOW; 4630 4631 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4632 return -EBUSY; 4633 4634 if (binding->flags & NFT_SET_MAP) { 4635 /* If the set is already bound to the same chain all 4636 * jumps are already validated for that chain. 4637 */ 4638 list_for_each_entry(i, &set->bindings, list) { 4639 if (i->flags & NFT_SET_MAP && 4640 i->chain == binding->chain) 4641 goto bind; 4642 } 4643 4644 iter.genmask = nft_genmask_next(ctx->net); 4645 iter.skip = 0; 4646 iter.count = 0; 4647 iter.err = 0; 4648 iter.fn = nf_tables_bind_check_setelem; 4649 4650 set->ops->walk(ctx, set, &iter); 4651 if (!iter.err) 4652 iter.err = nft_set_catchall_bind_check(ctx, set); 4653 4654 if (iter.err < 0) 4655 return iter.err; 4656 } 4657 bind: 4658 binding->chain = ctx->chain; 4659 list_add_tail_rcu(&binding->list, &set->bindings); 4660 nft_set_trans_bind(ctx, set); 4661 set->use++; 4662 4663 return 0; 4664 } 4665 EXPORT_SYMBOL_GPL(nf_tables_bind_set); 4666 4667 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 4668 struct nft_set_binding *binding, bool event) 4669 { 4670 list_del_rcu(&binding->list); 4671 4672 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 4673 list_del_rcu(&set->list); 4674 if (event) 4675 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 4676 GFP_KERNEL); 4677 } 4678 } 4679 4680 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 4681 struct nft_set_binding *binding, 4682 enum nft_trans_phase phase) 4683 { 4684 switch (phase) { 4685 case NFT_TRANS_PREPARE: 4686 set->use--; 4687 return; 4688 case NFT_TRANS_ABORT: 4689 case NFT_TRANS_RELEASE: 4690 set->use--; 4691 fallthrough; 4692 default: 4693 nf_tables_unbind_set(ctx, set, binding, 4694 phase == NFT_TRANS_COMMIT); 4695 } 4696 } 4697 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 4698 4699 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 4700 { 4701 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4702 nft_set_destroy(ctx, set); 4703 } 4704 EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 4705 4706 const struct nft_set_ext_type nft_set_ext_types[] = { 4707 [NFT_SET_EXT_KEY] = { 4708 .align = __alignof__(u32), 4709 }, 4710 [NFT_SET_EXT_DATA] = { 4711 .align = __alignof__(u32), 4712 }, 4713 [NFT_SET_EXT_EXPRESSIONS] = { 4714 .align = __alignof__(struct nft_set_elem_expr), 4715 }, 4716 [NFT_SET_EXT_OBJREF] = { 4717 .len = sizeof(struct nft_object *), 4718 .align = __alignof__(struct nft_object *), 4719 }, 4720 [NFT_SET_EXT_FLAGS] = { 4721 .len = sizeof(u8), 4722 .align = __alignof__(u8), 4723 }, 4724 [NFT_SET_EXT_TIMEOUT] = { 4725 .len = sizeof(u64), 4726 .align = __alignof__(u64), 4727 }, 4728 [NFT_SET_EXT_EXPIRATION] = { 4729 .len = sizeof(u64), 4730 .align = __alignof__(u64), 4731 }, 4732 [NFT_SET_EXT_USERDATA] = { 4733 .len = sizeof(struct nft_userdata), 4734 .align = __alignof__(struct nft_userdata), 4735 }, 4736 [NFT_SET_EXT_KEY_END] = { 4737 .align = __alignof__(u32), 4738 }, 4739 }; 4740 4741 /* 4742 * Set elements 4743 */ 4744 4745 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 4746 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 4747 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 4748 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 4749 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 4750 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 4751 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 4752 .len = NFT_USERDATA_MAXLEN }, 4753 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 4754 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 4755 .len = NFT_OBJ_MAXNAMELEN - 1 }, 4756 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 4757 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED }, 4758 }; 4759 4760 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 4761 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 4762 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4763 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 4764 .len = NFT_SET_MAXNAMELEN - 1 }, 4765 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED }, 4766 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 4767 }; 4768 4769 static int nft_set_elem_expr_dump(struct sk_buff *skb, 4770 const struct nft_set *set, 4771 const struct nft_set_ext *ext) 4772 { 4773 struct nft_set_elem_expr *elem_expr; 4774 u32 size, num_exprs = 0; 4775 struct nft_expr *expr; 4776 struct nlattr *nest; 4777 4778 elem_expr = nft_set_ext_expr(ext); 4779 nft_setelem_expr_foreach(expr, elem_expr, size) 4780 num_exprs++; 4781 4782 if (num_exprs == 1) { 4783 expr = nft_setelem_expr_at(elem_expr, 0); 4784 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0) 4785 return -1; 4786 4787 return 0; 4788 } else if (num_exprs > 1) { 4789 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS); 4790 if (nest == NULL) 4791 goto nla_put_failure; 4792 4793 nft_setelem_expr_foreach(expr, elem_expr, size) { 4794 expr = nft_setelem_expr_at(elem_expr, size); 4795 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 4796 goto nla_put_failure; 4797 } 4798 nla_nest_end(skb, nest); 4799 } 4800 return 0; 4801 4802 nla_put_failure: 4803 return -1; 4804 } 4805 4806 static int nf_tables_fill_setelem(struct sk_buff *skb, 4807 const struct nft_set *set, 4808 const struct nft_set_elem *elem) 4809 { 4810 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4811 unsigned char *b = skb_tail_pointer(skb); 4812 struct nlattr *nest; 4813 4814 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4815 if (nest == NULL) 4816 goto nla_put_failure; 4817 4818 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 4819 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 4820 NFT_DATA_VALUE, set->klen) < 0) 4821 goto nla_put_failure; 4822 4823 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 4824 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 4825 NFT_DATA_VALUE, set->klen) < 0) 4826 goto nla_put_failure; 4827 4828 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 4829 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 4830 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, 4831 set->dlen) < 0) 4832 goto nla_put_failure; 4833 4834 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) && 4835 nft_set_elem_expr_dump(skb, set, ext)) 4836 goto nla_put_failure; 4837 4838 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 4839 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 4840 (*nft_set_ext_obj(ext))->key.name) < 0) 4841 goto nla_put_failure; 4842 4843 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 4844 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 4845 htonl(*nft_set_ext_flags(ext)))) 4846 goto nla_put_failure; 4847 4848 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 4849 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 4850 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)), 4851 NFTA_SET_ELEM_PAD)) 4852 goto nla_put_failure; 4853 4854 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 4855 u64 expires, now = get_jiffies_64(); 4856 4857 expires = *nft_set_ext_expiration(ext); 4858 if (time_before64(now, expires)) 4859 expires -= now; 4860 else 4861 expires = 0; 4862 4863 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 4864 nf_jiffies64_to_msecs(expires), 4865 NFTA_SET_ELEM_PAD)) 4866 goto nla_put_failure; 4867 } 4868 4869 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 4870 struct nft_userdata *udata; 4871 4872 udata = nft_set_ext_userdata(ext); 4873 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 4874 udata->len + 1, udata->data)) 4875 goto nla_put_failure; 4876 } 4877 4878 nla_nest_end(skb, nest); 4879 return 0; 4880 4881 nla_put_failure: 4882 nlmsg_trim(skb, b); 4883 return -EMSGSIZE; 4884 } 4885 4886 struct nft_set_dump_args { 4887 const struct netlink_callback *cb; 4888 struct nft_set_iter iter; 4889 struct sk_buff *skb; 4890 }; 4891 4892 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 4893 struct nft_set *set, 4894 const struct nft_set_iter *iter, 4895 struct nft_set_elem *elem) 4896 { 4897 struct nft_set_dump_args *args; 4898 4899 args = container_of(iter, struct nft_set_dump_args, iter); 4900 return nf_tables_fill_setelem(args->skb, set, elem); 4901 } 4902 4903 struct nft_set_dump_ctx { 4904 const struct nft_set *set; 4905 struct nft_ctx ctx; 4906 }; 4907 4908 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb, 4909 const struct nft_set *set) 4910 { 4911 struct nft_set_elem_catchall *catchall; 4912 u8 genmask = nft_genmask_cur(net); 4913 struct nft_set_elem elem; 4914 struct nft_set_ext *ext; 4915 int ret = 0; 4916 4917 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 4918 ext = nft_set_elem_ext(set, catchall->elem); 4919 if (!nft_set_elem_active(ext, genmask) || 4920 nft_set_elem_expired(ext)) 4921 continue; 4922 4923 elem.priv = catchall->elem; 4924 ret = nf_tables_fill_setelem(skb, set, &elem); 4925 break; 4926 } 4927 4928 return ret; 4929 } 4930 4931 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 4932 { 4933 struct nft_set_dump_ctx *dump_ctx = cb->data; 4934 struct net *net = sock_net(skb->sk); 4935 struct nftables_pernet *nft_net; 4936 struct nft_table *table; 4937 struct nft_set *set; 4938 struct nft_set_dump_args args; 4939 bool set_found = false; 4940 struct nlmsghdr *nlh; 4941 struct nlattr *nest; 4942 u32 portid, seq; 4943 int event; 4944 4945 rcu_read_lock(); 4946 nft_net = nft_pernet(net); 4947 list_for_each_entry_rcu(table, &nft_net->tables, list) { 4948 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 4949 dump_ctx->ctx.family != table->family) 4950 continue; 4951 4952 if (table != dump_ctx->ctx.table) 4953 continue; 4954 4955 list_for_each_entry_rcu(set, &table->sets, list) { 4956 if (set == dump_ctx->set) { 4957 set_found = true; 4958 break; 4959 } 4960 } 4961 break; 4962 } 4963 4964 if (!set_found) { 4965 rcu_read_unlock(); 4966 return -ENOENT; 4967 } 4968 4969 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 4970 portid = NETLINK_CB(cb->skb).portid; 4971 seq = cb->nlh->nlmsg_seq; 4972 4973 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, 4974 table->family, NFNETLINK_V0, nft_base_seq(net)); 4975 if (!nlh) 4976 goto nla_put_failure; 4977 4978 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 4979 goto nla_put_failure; 4980 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 4981 goto nla_put_failure; 4982 4983 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 4984 if (nest == NULL) 4985 goto nla_put_failure; 4986 4987 args.cb = cb; 4988 args.skb = skb; 4989 args.iter.genmask = nft_genmask_cur(net); 4990 args.iter.skip = cb->args[0]; 4991 args.iter.count = 0; 4992 args.iter.err = 0; 4993 args.iter.fn = nf_tables_dump_setelem; 4994 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 4995 4996 if (!args.iter.err && args.iter.count == cb->args[0]) 4997 args.iter.err = nft_set_catchall_dump(net, skb, set); 4998 rcu_read_unlock(); 4999 5000 nla_nest_end(skb, nest); 5001 nlmsg_end(skb, nlh); 5002 5003 if (args.iter.err && args.iter.err != -EMSGSIZE) 5004 return args.iter.err; 5005 if (args.iter.count == cb->args[0]) 5006 return 0; 5007 5008 cb->args[0] = args.iter.count; 5009 return skb->len; 5010 5011 nla_put_failure: 5012 rcu_read_unlock(); 5013 return -ENOSPC; 5014 } 5015 5016 static int nf_tables_dump_set_start(struct netlink_callback *cb) 5017 { 5018 struct nft_set_dump_ctx *dump_ctx = cb->data; 5019 5020 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 5021 5022 return cb->data ? 0 : -ENOMEM; 5023 } 5024 5025 static int nf_tables_dump_set_done(struct netlink_callback *cb) 5026 { 5027 kfree(cb->data); 5028 return 0; 5029 } 5030 5031 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 5032 const struct nft_ctx *ctx, u32 seq, 5033 u32 portid, int event, u16 flags, 5034 const struct nft_set *set, 5035 const struct nft_set_elem *elem) 5036 { 5037 struct nlmsghdr *nlh; 5038 struct nlattr *nest; 5039 int err; 5040 5041 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 5042 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 5043 NFNETLINK_V0, nft_base_seq(ctx->net)); 5044 if (!nlh) 5045 goto nla_put_failure; 5046 5047 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 5048 goto nla_put_failure; 5049 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 5050 goto nla_put_failure; 5051 5052 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 5053 if (nest == NULL) 5054 goto nla_put_failure; 5055 5056 err = nf_tables_fill_setelem(skb, set, elem); 5057 if (err < 0) 5058 goto nla_put_failure; 5059 5060 nla_nest_end(skb, nest); 5061 5062 nlmsg_end(skb, nlh); 5063 return 0; 5064 5065 nla_put_failure: 5066 nlmsg_trim(skb, nlh); 5067 return -1; 5068 } 5069 5070 static int nft_setelem_parse_flags(const struct nft_set *set, 5071 const struct nlattr *attr, u32 *flags) 5072 { 5073 if (attr == NULL) 5074 return 0; 5075 5076 *flags = ntohl(nla_get_be32(attr)); 5077 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 5078 return -EOPNOTSUPP; 5079 if (!(set->flags & NFT_SET_INTERVAL) && 5080 *flags & NFT_SET_ELEM_INTERVAL_END) 5081 return -EINVAL; 5082 5083 return 0; 5084 } 5085 5086 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set, 5087 struct nft_data *key, struct nlattr *attr) 5088 { 5089 struct nft_data_desc desc; 5090 int err; 5091 5092 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr); 5093 if (err < 0) 5094 return err; 5095 5096 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) { 5097 nft_data_release(key, desc.type); 5098 return -EINVAL; 5099 } 5100 5101 return 0; 5102 } 5103 5104 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 5105 struct nft_data_desc *desc, 5106 struct nft_data *data, 5107 struct nlattr *attr) 5108 { 5109 int err; 5110 5111 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr); 5112 if (err < 0) 5113 return err; 5114 5115 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) { 5116 nft_data_release(data, desc->type); 5117 return -EINVAL; 5118 } 5119 5120 return 0; 5121 } 5122 5123 static void *nft_setelem_catchall_get(const struct net *net, 5124 const struct nft_set *set) 5125 { 5126 struct nft_set_elem_catchall *catchall; 5127 u8 genmask = nft_genmask_cur(net); 5128 struct nft_set_ext *ext; 5129 void *priv = NULL; 5130 5131 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5132 ext = nft_set_elem_ext(set, catchall->elem); 5133 if (!nft_set_elem_active(ext, genmask) || 5134 nft_set_elem_expired(ext)) 5135 continue; 5136 5137 priv = catchall->elem; 5138 break; 5139 } 5140 5141 return priv; 5142 } 5143 5144 static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set, 5145 struct nft_set_elem *elem, u32 flags) 5146 { 5147 void *priv; 5148 5149 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 5150 priv = set->ops->get(ctx->net, set, elem, flags); 5151 if (IS_ERR(priv)) 5152 return PTR_ERR(priv); 5153 } else { 5154 priv = nft_setelem_catchall_get(ctx->net, set); 5155 if (!priv) 5156 return -ENOENT; 5157 } 5158 elem->priv = priv; 5159 5160 return 0; 5161 } 5162 5163 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, 5164 const struct nlattr *attr) 5165 { 5166 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5167 struct nft_set_elem elem; 5168 struct sk_buff *skb; 5169 uint32_t flags = 0; 5170 int err; 5171 5172 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5173 nft_set_elem_policy, NULL); 5174 if (err < 0) 5175 return err; 5176 5177 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5178 if (err < 0) 5179 return err; 5180 5181 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 5182 return -EINVAL; 5183 5184 if (nla[NFTA_SET_ELEM_KEY]) { 5185 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5186 nla[NFTA_SET_ELEM_KEY]); 5187 if (err < 0) 5188 return err; 5189 } 5190 5191 if (nla[NFTA_SET_ELEM_KEY_END]) { 5192 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5193 nla[NFTA_SET_ELEM_KEY_END]); 5194 if (err < 0) 5195 return err; 5196 } 5197 5198 err = nft_setelem_get(ctx, set, &elem, flags); 5199 if (err < 0) 5200 return err; 5201 5202 err = -ENOMEM; 5203 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 5204 if (skb == NULL) 5205 return err; 5206 5207 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 5208 NFT_MSG_NEWSETELEM, 0, set, &elem); 5209 if (err < 0) 5210 goto err_fill_setelem; 5211 5212 return nfnetlink_unicast(skb, ctx->net, ctx->portid); 5213 5214 err_fill_setelem: 5215 kfree_skb(skb); 5216 return err; 5217 } 5218 5219 /* called with rcu_read_lock held */ 5220 static int nf_tables_getsetelem(struct sk_buff *skb, 5221 const struct nfnl_info *info, 5222 const struct nlattr * const nla[]) 5223 { 5224 struct netlink_ext_ack *extack = info->extack; 5225 u8 genmask = nft_genmask_cur(info->net); 5226 u8 family = info->nfmsg->nfgen_family; 5227 struct net *net = info->net; 5228 struct nft_table *table; 5229 struct nft_set *set; 5230 struct nlattr *attr; 5231 struct nft_ctx ctx; 5232 int rem, err = 0; 5233 5234 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 5235 genmask, NETLINK_CB(skb).portid); 5236 if (IS_ERR(table)) { 5237 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 5238 return PTR_ERR(table); 5239 } 5240 5241 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 5242 if (IS_ERR(set)) 5243 return PTR_ERR(set); 5244 5245 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5246 5247 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 5248 struct netlink_dump_control c = { 5249 .start = nf_tables_dump_set_start, 5250 .dump = nf_tables_dump_set, 5251 .done = nf_tables_dump_set_done, 5252 .module = THIS_MODULE, 5253 }; 5254 struct nft_set_dump_ctx dump_ctx = { 5255 .set = set, 5256 .ctx = ctx, 5257 }; 5258 5259 c.data = &dump_ctx; 5260 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 5261 } 5262 5263 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 5264 return -EINVAL; 5265 5266 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5267 err = nft_get_set_elem(&ctx, set, attr); 5268 if (err < 0) 5269 break; 5270 } 5271 5272 return err; 5273 } 5274 5275 static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 5276 const struct nft_set *set, 5277 const struct nft_set_elem *elem, 5278 int event) 5279 { 5280 struct nftables_pernet *nft_net; 5281 struct net *net = ctx->net; 5282 u32 portid = ctx->portid; 5283 struct sk_buff *skb; 5284 u16 flags = 0; 5285 int err; 5286 5287 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 5288 return; 5289 5290 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 5291 if (skb == NULL) 5292 goto err; 5293 5294 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 5295 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 5296 5297 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 5298 set, elem); 5299 if (err < 0) { 5300 kfree_skb(skb); 5301 goto err; 5302 } 5303 5304 nft_net = nft_pernet(net); 5305 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 5306 return; 5307 err: 5308 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 5309 } 5310 5311 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 5312 int msg_type, 5313 struct nft_set *set) 5314 { 5315 struct nft_trans *trans; 5316 5317 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 5318 if (trans == NULL) 5319 return NULL; 5320 5321 nft_trans_elem_set(trans) = set; 5322 return trans; 5323 } 5324 5325 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 5326 const struct nft_set *set, 5327 const struct nlattr *attr) 5328 { 5329 struct nft_expr *expr; 5330 int err; 5331 5332 expr = nft_expr_init(ctx, attr); 5333 if (IS_ERR(expr)) 5334 return expr; 5335 5336 err = -EOPNOTSUPP; 5337 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL)) 5338 goto err_set_elem_expr; 5339 5340 if (expr->ops->type->flags & NFT_EXPR_GC) { 5341 if (set->flags & NFT_SET_TIMEOUT) 5342 goto err_set_elem_expr; 5343 if (!set->ops->gc_init) 5344 goto err_set_elem_expr; 5345 set->ops->gc_init(set); 5346 } 5347 5348 return expr; 5349 5350 err_set_elem_expr: 5351 nft_expr_destroy(ctx, expr); 5352 return ERR_PTR(err); 5353 } 5354 5355 void *nft_set_elem_init(const struct nft_set *set, 5356 const struct nft_set_ext_tmpl *tmpl, 5357 const u32 *key, const u32 *key_end, 5358 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp) 5359 { 5360 struct nft_set_ext *ext; 5361 void *elem; 5362 5363 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 5364 if (elem == NULL) 5365 return NULL; 5366 5367 ext = nft_set_elem_ext(set, elem); 5368 nft_set_ext_init(ext, tmpl); 5369 5370 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY)) 5371 memcpy(nft_set_ext_key(ext), key, set->klen); 5372 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) 5373 memcpy(nft_set_ext_key_end(ext), key_end, set->klen); 5374 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5375 memcpy(nft_set_ext_data(ext), data, set->dlen); 5376 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 5377 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration; 5378 if (expiration == 0) 5379 *nft_set_ext_expiration(ext) += timeout; 5380 } 5381 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 5382 *nft_set_ext_timeout(ext) = timeout; 5383 5384 return elem; 5385 } 5386 5387 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 5388 struct nft_expr *expr) 5389 { 5390 if (expr->ops->destroy_clone) { 5391 expr->ops->destroy_clone(ctx, expr); 5392 module_put(expr->ops->type->owner); 5393 } else { 5394 nf_tables_expr_destroy(ctx, expr); 5395 } 5396 } 5397 5398 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 5399 struct nft_set_elem_expr *elem_expr) 5400 { 5401 struct nft_expr *expr; 5402 u32 size; 5403 5404 nft_setelem_expr_foreach(expr, elem_expr, size) 5405 __nft_set_elem_expr_destroy(ctx, expr); 5406 } 5407 5408 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 5409 bool destroy_expr) 5410 { 5411 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5412 struct nft_ctx ctx = { 5413 .net = read_pnet(&set->net), 5414 .family = set->table->family, 5415 }; 5416 5417 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 5418 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5419 nft_data_release(nft_set_ext_data(ext), set->dtype); 5420 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 5421 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext)); 5422 5423 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5424 (*nft_set_ext_obj(ext))->use--; 5425 kfree(elem); 5426 } 5427 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 5428 5429 /* Only called from commit path, nft_setelem_data_deactivate() already deals 5430 * with the refcounting from the preparation phase. 5431 */ 5432 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 5433 const struct nft_set *set, void *elem) 5434 { 5435 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5436 5437 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 5438 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 5439 5440 kfree(elem); 5441 } 5442 5443 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, 5444 struct nft_expr *expr_array[]) 5445 { 5446 struct nft_expr *expr; 5447 int err, i, k; 5448 5449 for (i = 0; i < set->num_exprs; i++) { 5450 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL); 5451 if (!expr) 5452 goto err_expr; 5453 5454 err = nft_expr_clone(expr, set->exprs[i]); 5455 if (err < 0) { 5456 nft_expr_destroy(ctx, expr); 5457 goto err_expr; 5458 } 5459 expr_array[i] = expr; 5460 } 5461 5462 return 0; 5463 5464 err_expr: 5465 for (k = i - 1; k >= 0; k--) 5466 nft_expr_destroy(ctx, expr_array[k]); 5467 5468 return -ENOMEM; 5469 } 5470 5471 static int nft_set_elem_expr_setup(struct nft_ctx *ctx, 5472 const struct nft_set_ext *ext, 5473 struct nft_expr *expr_array[], 5474 u32 num_exprs) 5475 { 5476 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); 5477 struct nft_expr *expr; 5478 int i, err; 5479 5480 for (i = 0; i < num_exprs; i++) { 5481 expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 5482 err = nft_expr_clone(expr, expr_array[i]); 5483 if (err < 0) 5484 goto err_elem_expr_setup; 5485 5486 elem_expr->size += expr_array[i]->ops->size; 5487 nft_expr_destroy(ctx, expr_array[i]); 5488 expr_array[i] = NULL; 5489 } 5490 5491 return 0; 5492 5493 err_elem_expr_setup: 5494 for (; i < num_exprs; i++) { 5495 nft_expr_destroy(ctx, expr_array[i]); 5496 expr_array[i] = NULL; 5497 } 5498 5499 return -ENOMEM; 5500 } 5501 5502 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net, 5503 const struct nft_set *set) 5504 { 5505 struct nft_set_elem_catchall *catchall; 5506 u8 genmask = nft_genmask_cur(net); 5507 struct nft_set_ext *ext; 5508 5509 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5510 ext = nft_set_elem_ext(set, catchall->elem); 5511 if (nft_set_elem_active(ext, genmask) && 5512 !nft_set_elem_expired(ext)) 5513 return ext; 5514 } 5515 5516 return NULL; 5517 } 5518 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup); 5519 5520 void *nft_set_catchall_gc(const struct nft_set *set) 5521 { 5522 struct nft_set_elem_catchall *catchall, *next; 5523 struct nft_set_ext *ext; 5524 void *elem = NULL; 5525 5526 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5527 ext = nft_set_elem_ext(set, catchall->elem); 5528 5529 if (!nft_set_elem_expired(ext) || 5530 nft_set_elem_mark_busy(ext)) 5531 continue; 5532 5533 elem = catchall->elem; 5534 list_del_rcu(&catchall->list); 5535 kfree_rcu(catchall, rcu); 5536 break; 5537 } 5538 5539 return elem; 5540 } 5541 EXPORT_SYMBOL_GPL(nft_set_catchall_gc); 5542 5543 static int nft_setelem_catchall_insert(const struct net *net, 5544 struct nft_set *set, 5545 const struct nft_set_elem *elem, 5546 struct nft_set_ext **pext) 5547 { 5548 struct nft_set_elem_catchall *catchall; 5549 u8 genmask = nft_genmask_next(net); 5550 struct nft_set_ext *ext; 5551 5552 list_for_each_entry(catchall, &set->catchall_list, list) { 5553 ext = nft_set_elem_ext(set, catchall->elem); 5554 if (nft_set_elem_active(ext, genmask)) { 5555 *pext = ext; 5556 return -EEXIST; 5557 } 5558 } 5559 5560 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL); 5561 if (!catchall) 5562 return -ENOMEM; 5563 5564 catchall->elem = elem->priv; 5565 list_add_tail_rcu(&catchall->list, &set->catchall_list); 5566 5567 return 0; 5568 } 5569 5570 static int nft_setelem_insert(const struct net *net, 5571 struct nft_set *set, 5572 const struct nft_set_elem *elem, 5573 struct nft_set_ext **ext, unsigned int flags) 5574 { 5575 int ret; 5576 5577 if (flags & NFT_SET_ELEM_CATCHALL) 5578 ret = nft_setelem_catchall_insert(net, set, elem, ext); 5579 else 5580 ret = set->ops->insert(net, set, elem, ext); 5581 5582 return ret; 5583 } 5584 5585 static bool nft_setelem_is_catchall(const struct nft_set *set, 5586 const struct nft_set_elem *elem) 5587 { 5588 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5589 5590 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 5591 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL) 5592 return true; 5593 5594 return false; 5595 } 5596 5597 static void nft_setelem_activate(struct net *net, struct nft_set *set, 5598 struct nft_set_elem *elem) 5599 { 5600 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5601 5602 if (nft_setelem_is_catchall(set, elem)) { 5603 nft_set_elem_change_active(net, set, ext); 5604 nft_set_elem_clear_busy(ext); 5605 } else { 5606 set->ops->activate(net, set, elem); 5607 } 5608 } 5609 5610 static int nft_setelem_catchall_deactivate(const struct net *net, 5611 struct nft_set *set, 5612 struct nft_set_elem *elem) 5613 { 5614 struct nft_set_elem_catchall *catchall; 5615 struct nft_set_ext *ext; 5616 5617 list_for_each_entry(catchall, &set->catchall_list, list) { 5618 ext = nft_set_elem_ext(set, catchall->elem); 5619 if (!nft_is_active(net, ext) || 5620 nft_set_elem_mark_busy(ext)) 5621 continue; 5622 5623 kfree(elem->priv); 5624 elem->priv = catchall->elem; 5625 nft_set_elem_change_active(net, set, ext); 5626 return 0; 5627 } 5628 5629 return -ENOENT; 5630 } 5631 5632 static int __nft_setelem_deactivate(const struct net *net, 5633 struct nft_set *set, 5634 struct nft_set_elem *elem) 5635 { 5636 void *priv; 5637 5638 priv = set->ops->deactivate(net, set, elem); 5639 if (!priv) 5640 return -ENOENT; 5641 5642 kfree(elem->priv); 5643 elem->priv = priv; 5644 set->ndeact++; 5645 5646 return 0; 5647 } 5648 5649 static int nft_setelem_deactivate(const struct net *net, 5650 struct nft_set *set, 5651 struct nft_set_elem *elem, u32 flags) 5652 { 5653 int ret; 5654 5655 if (flags & NFT_SET_ELEM_CATCHALL) 5656 ret = nft_setelem_catchall_deactivate(net, set, elem); 5657 else 5658 ret = __nft_setelem_deactivate(net, set, elem); 5659 5660 return ret; 5661 } 5662 5663 static void nft_setelem_catchall_remove(const struct net *net, 5664 const struct nft_set *set, 5665 const struct nft_set_elem *elem) 5666 { 5667 struct nft_set_elem_catchall *catchall, *next; 5668 5669 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5670 if (catchall->elem == elem->priv) { 5671 list_del_rcu(&catchall->list); 5672 kfree_rcu(catchall); 5673 break; 5674 } 5675 } 5676 } 5677 5678 static void nft_setelem_remove(const struct net *net, 5679 const struct nft_set *set, 5680 const struct nft_set_elem *elem) 5681 { 5682 if (nft_setelem_is_catchall(set, elem)) 5683 nft_setelem_catchall_remove(net, set, elem); 5684 else 5685 set->ops->remove(net, set, elem); 5686 } 5687 5688 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 5689 const struct nlattr *attr, u32 nlmsg_flags) 5690 { 5691 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {}; 5692 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5693 u8 genmask = nft_genmask_next(ctx->net); 5694 u32 flags = 0, size = 0, num_exprs = 0; 5695 struct nft_set_ext_tmpl tmpl; 5696 struct nft_set_ext *ext, *ext2; 5697 struct nft_set_elem elem; 5698 struct nft_set_binding *binding; 5699 struct nft_object *obj = NULL; 5700 struct nft_userdata *udata; 5701 struct nft_data_desc desc; 5702 enum nft_registers dreg; 5703 struct nft_trans *trans; 5704 u64 timeout; 5705 u64 expiration; 5706 int err, i; 5707 u8 ulen; 5708 5709 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5710 nft_set_elem_policy, NULL); 5711 if (err < 0) 5712 return err; 5713 5714 nft_set_ext_prepare(&tmpl); 5715 5716 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5717 if (err < 0) 5718 return err; 5719 5720 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 5721 return -EINVAL; 5722 5723 if (flags != 0) 5724 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 5725 5726 if (set->flags & NFT_SET_MAP) { 5727 if (nla[NFTA_SET_ELEM_DATA] == NULL && 5728 !(flags & NFT_SET_ELEM_INTERVAL_END)) 5729 return -EINVAL; 5730 } else { 5731 if (nla[NFTA_SET_ELEM_DATA] != NULL) 5732 return -EINVAL; 5733 } 5734 5735 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 5736 (nla[NFTA_SET_ELEM_DATA] || 5737 nla[NFTA_SET_ELEM_OBJREF] || 5738 nla[NFTA_SET_ELEM_TIMEOUT] || 5739 nla[NFTA_SET_ELEM_EXPIRATION] || 5740 nla[NFTA_SET_ELEM_USERDATA] || 5741 nla[NFTA_SET_ELEM_EXPR] || 5742 nla[NFTA_SET_ELEM_EXPRESSIONS])) 5743 return -EINVAL; 5744 5745 timeout = 0; 5746 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 5747 if (!(set->flags & NFT_SET_TIMEOUT)) 5748 return -EINVAL; 5749 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 5750 &timeout); 5751 if (err) 5752 return err; 5753 } else if (set->flags & NFT_SET_TIMEOUT) { 5754 timeout = set->timeout; 5755 } 5756 5757 expiration = 0; 5758 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 5759 if (!(set->flags & NFT_SET_TIMEOUT)) 5760 return -EINVAL; 5761 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 5762 &expiration); 5763 if (err) 5764 return err; 5765 } 5766 5767 if (nla[NFTA_SET_ELEM_EXPR]) { 5768 struct nft_expr *expr; 5769 5770 if (set->num_exprs && set->num_exprs != 1) 5771 return -EOPNOTSUPP; 5772 5773 expr = nft_set_elem_expr_alloc(ctx, set, 5774 nla[NFTA_SET_ELEM_EXPR]); 5775 if (IS_ERR(expr)) 5776 return PTR_ERR(expr); 5777 5778 expr_array[0] = expr; 5779 num_exprs = 1; 5780 5781 if (set->num_exprs && set->exprs[0]->ops != expr->ops) { 5782 err = -EOPNOTSUPP; 5783 goto err_set_elem_expr; 5784 } 5785 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) { 5786 struct nft_expr *expr; 5787 struct nlattr *tmp; 5788 int left; 5789 5790 i = 0; 5791 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) { 5792 if (i == NFT_SET_EXPR_MAX || 5793 (set->num_exprs && set->num_exprs == i)) { 5794 err = -E2BIG; 5795 goto err_set_elem_expr; 5796 } 5797 if (nla_type(tmp) != NFTA_LIST_ELEM) { 5798 err = -EINVAL; 5799 goto err_set_elem_expr; 5800 } 5801 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 5802 if (IS_ERR(expr)) { 5803 err = PTR_ERR(expr); 5804 goto err_set_elem_expr; 5805 } 5806 expr_array[i] = expr; 5807 num_exprs++; 5808 5809 if (set->num_exprs && expr->ops != set->exprs[i]->ops) { 5810 err = -EOPNOTSUPP; 5811 goto err_set_elem_expr; 5812 } 5813 i++; 5814 } 5815 if (set->num_exprs && set->num_exprs != i) { 5816 err = -EOPNOTSUPP; 5817 goto err_set_elem_expr; 5818 } 5819 } else if (set->num_exprs > 0) { 5820 err = nft_set_elem_expr_clone(ctx, set, expr_array); 5821 if (err < 0) 5822 goto err_set_elem_expr_clone; 5823 5824 num_exprs = set->num_exprs; 5825 } 5826 5827 if (nla[NFTA_SET_ELEM_KEY]) { 5828 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5829 nla[NFTA_SET_ELEM_KEY]); 5830 if (err < 0) 5831 goto err_set_elem_expr; 5832 5833 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 5834 } 5835 5836 if (nla[NFTA_SET_ELEM_KEY_END]) { 5837 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5838 nla[NFTA_SET_ELEM_KEY_END]); 5839 if (err < 0) 5840 goto err_parse_key; 5841 5842 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 5843 } 5844 5845 if (timeout > 0) { 5846 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION); 5847 if (timeout != set->timeout) 5848 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 5849 } 5850 5851 if (num_exprs) { 5852 for (i = 0; i < num_exprs; i++) 5853 size += expr_array[i]->ops->size; 5854 5855 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS, 5856 sizeof(struct nft_set_elem_expr) + 5857 size); 5858 } 5859 5860 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 5861 if (!(set->flags & NFT_SET_OBJECT)) { 5862 err = -EINVAL; 5863 goto err_parse_key_end; 5864 } 5865 obj = nft_obj_lookup(ctx->net, ctx->table, 5866 nla[NFTA_SET_ELEM_OBJREF], 5867 set->objtype, genmask); 5868 if (IS_ERR(obj)) { 5869 err = PTR_ERR(obj); 5870 goto err_parse_key_end; 5871 } 5872 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 5873 } 5874 5875 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 5876 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 5877 nla[NFTA_SET_ELEM_DATA]); 5878 if (err < 0) 5879 goto err_parse_key_end; 5880 5881 dreg = nft_type_to_reg(set->dtype); 5882 list_for_each_entry(binding, &set->bindings, list) { 5883 struct nft_ctx bind_ctx = { 5884 .net = ctx->net, 5885 .family = ctx->family, 5886 .table = ctx->table, 5887 .chain = (struct nft_chain *)binding->chain, 5888 }; 5889 5890 if (!(binding->flags & NFT_SET_MAP)) 5891 continue; 5892 5893 err = nft_validate_register_store(&bind_ctx, dreg, 5894 &elem.data.val, 5895 desc.type, desc.len); 5896 if (err < 0) 5897 goto err_parse_data; 5898 5899 if (desc.type == NFT_DATA_VERDICT && 5900 (elem.data.val.verdict.code == NFT_GOTO || 5901 elem.data.val.verdict.code == NFT_JUMP)) 5902 nft_validate_state_update(ctx->net, 5903 NFT_VALIDATE_NEED); 5904 } 5905 5906 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 5907 } 5908 5909 /* The full maximum length of userdata can exceed the maximum 5910 * offset value (U8_MAX) for following extensions, therefor it 5911 * must be the last extension added. 5912 */ 5913 ulen = 0; 5914 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 5915 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 5916 if (ulen > 0) 5917 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 5918 ulen); 5919 } 5920 5921 err = -ENOMEM; 5922 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 5923 elem.key_end.val.data, elem.data.val.data, 5924 timeout, expiration, GFP_KERNEL); 5925 if (elem.priv == NULL) 5926 goto err_parse_data; 5927 5928 ext = nft_set_elem_ext(set, elem.priv); 5929 if (flags) 5930 *nft_set_ext_flags(ext) = flags; 5931 if (ulen > 0) { 5932 udata = nft_set_ext_userdata(ext); 5933 udata->len = ulen - 1; 5934 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 5935 } 5936 if (obj) { 5937 *nft_set_ext_obj(ext) = obj; 5938 obj->use++; 5939 } 5940 err = nft_set_elem_expr_setup(ctx, ext, expr_array, num_exprs); 5941 if (err < 0) 5942 goto err_elem_expr; 5943 5944 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 5945 if (trans == NULL) { 5946 err = -ENOMEM; 5947 goto err_elem_expr; 5948 } 5949 5950 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; 5951 5952 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags); 5953 if (err) { 5954 if (err == -EEXIST) { 5955 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 5956 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 5957 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 5958 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) 5959 goto err_element_clash; 5960 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 5961 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 5962 memcmp(nft_set_ext_data(ext), 5963 nft_set_ext_data(ext2), set->dlen) != 0) || 5964 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 5965 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 5966 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 5967 goto err_element_clash; 5968 else if (!(nlmsg_flags & NLM_F_EXCL)) 5969 err = 0; 5970 } else if (err == -ENOTEMPTY) { 5971 /* ENOTEMPTY reports overlapping between this element 5972 * and an existing one. 5973 */ 5974 err = -EEXIST; 5975 } 5976 goto err_element_clash; 5977 } 5978 5979 if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size && 5980 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) { 5981 err = -ENFILE; 5982 goto err_set_full; 5983 } 5984 5985 nft_trans_elem(trans) = elem; 5986 nft_trans_commit_list_add_tail(ctx->net, trans); 5987 return 0; 5988 5989 err_set_full: 5990 nft_setelem_remove(ctx->net, set, &elem); 5991 err_element_clash: 5992 kfree(trans); 5993 err_elem_expr: 5994 if (obj) 5995 obj->use--; 5996 5997 nf_tables_set_elem_destroy(ctx, set, elem.priv); 5998 err_parse_data: 5999 if (nla[NFTA_SET_ELEM_DATA] != NULL) 6000 nft_data_release(&elem.data.val, desc.type); 6001 err_parse_key_end: 6002 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 6003 err_parse_key: 6004 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 6005 err_set_elem_expr: 6006 for (i = 0; i < num_exprs && expr_array[i]; i++) 6007 nft_expr_destroy(ctx, expr_array[i]); 6008 err_set_elem_expr_clone: 6009 return err; 6010 } 6011 6012 static int nf_tables_newsetelem(struct sk_buff *skb, 6013 const struct nfnl_info *info, 6014 const struct nlattr * const nla[]) 6015 { 6016 struct nftables_pernet *nft_net = nft_pernet(info->net); 6017 struct netlink_ext_ack *extack = info->extack; 6018 u8 genmask = nft_genmask_next(info->net); 6019 u8 family = info->nfmsg->nfgen_family; 6020 struct net *net = info->net; 6021 const struct nlattr *attr; 6022 struct nft_table *table; 6023 struct nft_set *set; 6024 struct nft_ctx ctx; 6025 int rem, err; 6026 6027 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 6028 return -EINVAL; 6029 6030 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6031 genmask, NETLINK_CB(skb).portid); 6032 if (IS_ERR(table)) { 6033 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6034 return PTR_ERR(table); 6035 } 6036 6037 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET], 6038 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 6039 if (IS_ERR(set)) 6040 return PTR_ERR(set); 6041 6042 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 6043 return -EBUSY; 6044 6045 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6046 6047 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6048 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags); 6049 if (err < 0) 6050 return err; 6051 } 6052 6053 if (nft_net->validate_state == NFT_VALIDATE_DO) 6054 return nft_table_validate(net, table); 6055 6056 return 0; 6057 } 6058 6059 /** 6060 * nft_data_hold - hold a nft_data item 6061 * 6062 * @data: struct nft_data to release 6063 * @type: type of data 6064 * 6065 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 6066 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 6067 * NFT_GOTO verdicts. This function must be called on active data objects 6068 * from the second phase of the commit protocol. 6069 */ 6070 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 6071 { 6072 struct nft_chain *chain; 6073 struct nft_rule *rule; 6074 6075 if (type == NFT_DATA_VERDICT) { 6076 switch (data->verdict.code) { 6077 case NFT_JUMP: 6078 case NFT_GOTO: 6079 chain = data->verdict.chain; 6080 chain->use++; 6081 6082 if (!nft_chain_is_bound(chain)) 6083 break; 6084 6085 chain->table->use++; 6086 list_for_each_entry(rule, &chain->rules, list) 6087 chain->use++; 6088 6089 nft_chain_add(chain->table, chain); 6090 break; 6091 } 6092 } 6093 } 6094 6095 static void nft_setelem_data_activate(const struct net *net, 6096 const struct nft_set *set, 6097 struct nft_set_elem *elem) 6098 { 6099 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 6100 6101 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6102 nft_data_hold(nft_set_ext_data(ext), set->dtype); 6103 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6104 (*nft_set_ext_obj(ext))->use++; 6105 } 6106 6107 static void nft_setelem_data_deactivate(const struct net *net, 6108 const struct nft_set *set, 6109 struct nft_set_elem *elem) 6110 { 6111 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 6112 6113 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6114 nft_data_release(nft_set_ext_data(ext), set->dtype); 6115 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6116 (*nft_set_ext_obj(ext))->use--; 6117 } 6118 6119 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 6120 const struct nlattr *attr) 6121 { 6122 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 6123 struct nft_set_ext_tmpl tmpl; 6124 struct nft_set_elem elem; 6125 struct nft_set_ext *ext; 6126 struct nft_trans *trans; 6127 u32 flags = 0; 6128 int err; 6129 6130 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 6131 nft_set_elem_policy, NULL); 6132 if (err < 0) 6133 return err; 6134 6135 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 6136 if (err < 0) 6137 return err; 6138 6139 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 6140 return -EINVAL; 6141 6142 nft_set_ext_prepare(&tmpl); 6143 6144 if (flags != 0) 6145 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 6146 6147 if (nla[NFTA_SET_ELEM_KEY]) { 6148 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 6149 nla[NFTA_SET_ELEM_KEY]); 6150 if (err < 0) 6151 return err; 6152 6153 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 6154 } 6155 6156 if (nla[NFTA_SET_ELEM_KEY_END]) { 6157 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 6158 nla[NFTA_SET_ELEM_KEY_END]); 6159 if (err < 0) 6160 return err; 6161 6162 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 6163 } 6164 6165 err = -ENOMEM; 6166 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 6167 elem.key_end.val.data, NULL, 0, 0, 6168 GFP_KERNEL); 6169 if (elem.priv == NULL) 6170 goto fail_elem; 6171 6172 ext = nft_set_elem_ext(set, elem.priv); 6173 if (flags) 6174 *nft_set_ext_flags(ext) = flags; 6175 6176 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 6177 if (trans == NULL) 6178 goto fail_trans; 6179 6180 err = nft_setelem_deactivate(ctx->net, set, &elem, flags); 6181 if (err < 0) 6182 goto fail_ops; 6183 6184 nft_setelem_data_deactivate(ctx->net, set, &elem); 6185 6186 nft_trans_elem(trans) = elem; 6187 nft_trans_commit_list_add_tail(ctx->net, trans); 6188 return 0; 6189 6190 fail_ops: 6191 kfree(trans); 6192 fail_trans: 6193 kfree(elem.priv); 6194 fail_elem: 6195 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 6196 return err; 6197 } 6198 6199 static int nft_setelem_flush(const struct nft_ctx *ctx, 6200 struct nft_set *set, 6201 const struct nft_set_iter *iter, 6202 struct nft_set_elem *elem) 6203 { 6204 struct nft_trans *trans; 6205 int err; 6206 6207 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 6208 sizeof(struct nft_trans_elem), GFP_ATOMIC); 6209 if (!trans) 6210 return -ENOMEM; 6211 6212 if (!set->ops->flush(ctx->net, set, elem->priv)) { 6213 err = -ENOENT; 6214 goto err1; 6215 } 6216 set->ndeact++; 6217 6218 nft_setelem_data_deactivate(ctx->net, set, elem); 6219 nft_trans_elem_set(trans) = set; 6220 nft_trans_elem(trans) = *elem; 6221 nft_trans_commit_list_add_tail(ctx->net, trans); 6222 6223 return 0; 6224 err1: 6225 kfree(trans); 6226 return err; 6227 } 6228 6229 static int __nft_set_catchall_flush(const struct nft_ctx *ctx, 6230 struct nft_set *set, 6231 struct nft_set_elem *elem) 6232 { 6233 struct nft_trans *trans; 6234 6235 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 6236 sizeof(struct nft_trans_elem), GFP_KERNEL); 6237 if (!trans) 6238 return -ENOMEM; 6239 6240 nft_setelem_data_deactivate(ctx->net, set, elem); 6241 nft_trans_elem_set(trans) = set; 6242 nft_trans_elem(trans) = *elem; 6243 nft_trans_commit_list_add_tail(ctx->net, trans); 6244 6245 return 0; 6246 } 6247 6248 static int nft_set_catchall_flush(const struct nft_ctx *ctx, 6249 struct nft_set *set) 6250 { 6251 u8 genmask = nft_genmask_next(ctx->net); 6252 struct nft_set_elem_catchall *catchall; 6253 struct nft_set_elem elem; 6254 struct nft_set_ext *ext; 6255 int ret = 0; 6256 6257 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6258 ext = nft_set_elem_ext(set, catchall->elem); 6259 if (!nft_set_elem_active(ext, genmask) || 6260 nft_set_elem_mark_busy(ext)) 6261 continue; 6262 6263 elem.priv = catchall->elem; 6264 ret = __nft_set_catchall_flush(ctx, set, &elem); 6265 if (ret < 0) 6266 break; 6267 } 6268 6269 return ret; 6270 } 6271 6272 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask) 6273 { 6274 struct nft_set_iter iter = { 6275 .genmask = genmask, 6276 .fn = nft_setelem_flush, 6277 }; 6278 6279 set->ops->walk(ctx, set, &iter); 6280 if (!iter.err) 6281 iter.err = nft_set_catchall_flush(ctx, set); 6282 6283 return iter.err; 6284 } 6285 6286 static int nf_tables_delsetelem(struct sk_buff *skb, 6287 const struct nfnl_info *info, 6288 const struct nlattr * const nla[]) 6289 { 6290 struct netlink_ext_ack *extack = info->extack; 6291 u8 genmask = nft_genmask_next(info->net); 6292 u8 family = info->nfmsg->nfgen_family; 6293 struct net *net = info->net; 6294 const struct nlattr *attr; 6295 struct nft_table *table; 6296 struct nft_set *set; 6297 struct nft_ctx ctx; 6298 int rem, err = 0; 6299 6300 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6301 genmask, NETLINK_CB(skb).portid); 6302 if (IS_ERR(table)) { 6303 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6304 return PTR_ERR(table); 6305 } 6306 6307 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 6308 if (IS_ERR(set)) 6309 return PTR_ERR(set); 6310 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 6311 return -EBUSY; 6312 6313 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6314 6315 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 6316 return nft_set_flush(&ctx, set, genmask); 6317 6318 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6319 err = nft_del_setelem(&ctx, set, attr); 6320 if (err < 0) 6321 break; 6322 } 6323 return err; 6324 } 6325 6326 void nft_set_gc_batch_release(struct rcu_head *rcu) 6327 { 6328 struct nft_set_gc_batch *gcb; 6329 unsigned int i; 6330 6331 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu); 6332 for (i = 0; i < gcb->head.cnt; i++) 6333 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true); 6334 kfree(gcb); 6335 } 6336 6337 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 6338 gfp_t gfp) 6339 { 6340 struct nft_set_gc_batch *gcb; 6341 6342 gcb = kzalloc(sizeof(*gcb), gfp); 6343 if (gcb == NULL) 6344 return gcb; 6345 gcb->head.set = set; 6346 return gcb; 6347 } 6348 6349 /* 6350 * Stateful objects 6351 */ 6352 6353 /** 6354 * nft_register_obj- register nf_tables stateful object type 6355 * @obj_type: object type 6356 * 6357 * Registers the object type for use with nf_tables. Returns zero on 6358 * success or a negative errno code otherwise. 6359 */ 6360 int nft_register_obj(struct nft_object_type *obj_type) 6361 { 6362 if (obj_type->type == NFT_OBJECT_UNSPEC) 6363 return -EINVAL; 6364 6365 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6366 list_add_rcu(&obj_type->list, &nf_tables_objects); 6367 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6368 return 0; 6369 } 6370 EXPORT_SYMBOL_GPL(nft_register_obj); 6371 6372 /** 6373 * nft_unregister_obj - unregister nf_tables object type 6374 * @obj_type: object type 6375 * 6376 * Unregisters the object type for use with nf_tables. 6377 */ 6378 void nft_unregister_obj(struct nft_object_type *obj_type) 6379 { 6380 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6381 list_del_rcu(&obj_type->list); 6382 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6383 } 6384 EXPORT_SYMBOL_GPL(nft_unregister_obj); 6385 6386 struct nft_object *nft_obj_lookup(const struct net *net, 6387 const struct nft_table *table, 6388 const struct nlattr *nla, u32 objtype, 6389 u8 genmask) 6390 { 6391 struct nft_object_hash_key k = { .table = table }; 6392 char search[NFT_OBJ_MAXNAMELEN]; 6393 struct rhlist_head *tmp, *list; 6394 struct nft_object *obj; 6395 6396 nla_strscpy(search, nla, sizeof(search)); 6397 k.name = search; 6398 6399 WARN_ON_ONCE(!rcu_read_lock_held() && 6400 !lockdep_commit_lock_is_held(net)); 6401 6402 rcu_read_lock(); 6403 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 6404 if (!list) 6405 goto out; 6406 6407 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 6408 if (objtype == obj->ops->type->type && 6409 nft_active_genmask(obj, genmask)) { 6410 rcu_read_unlock(); 6411 return obj; 6412 } 6413 } 6414 out: 6415 rcu_read_unlock(); 6416 return ERR_PTR(-ENOENT); 6417 } 6418 EXPORT_SYMBOL_GPL(nft_obj_lookup); 6419 6420 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 6421 const struct nlattr *nla, 6422 u32 objtype, u8 genmask) 6423 { 6424 struct nft_object *obj; 6425 6426 list_for_each_entry(obj, &table->objects, list) { 6427 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 6428 objtype == obj->ops->type->type && 6429 nft_active_genmask(obj, genmask)) 6430 return obj; 6431 } 6432 return ERR_PTR(-ENOENT); 6433 } 6434 6435 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 6436 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 6437 .len = NFT_TABLE_MAXNAMELEN - 1 }, 6438 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 6439 .len = NFT_OBJ_MAXNAMELEN - 1 }, 6440 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 6441 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 6442 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 6443 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY, 6444 .len = NFT_USERDATA_MAXLEN }, 6445 }; 6446 6447 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 6448 const struct nft_object_type *type, 6449 const struct nlattr *attr) 6450 { 6451 struct nlattr **tb; 6452 const struct nft_object_ops *ops; 6453 struct nft_object *obj; 6454 int err = -ENOMEM; 6455 6456 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 6457 if (!tb) 6458 goto err1; 6459 6460 if (attr) { 6461 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 6462 type->policy, NULL); 6463 if (err < 0) 6464 goto err2; 6465 } else { 6466 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 6467 } 6468 6469 if (type->select_ops) { 6470 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 6471 if (IS_ERR(ops)) { 6472 err = PTR_ERR(ops); 6473 goto err2; 6474 } 6475 } else { 6476 ops = type->ops; 6477 } 6478 6479 err = -ENOMEM; 6480 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL); 6481 if (!obj) 6482 goto err2; 6483 6484 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 6485 if (err < 0) 6486 goto err3; 6487 6488 obj->ops = ops; 6489 6490 kfree(tb); 6491 return obj; 6492 err3: 6493 kfree(obj); 6494 err2: 6495 kfree(tb); 6496 err1: 6497 return ERR_PTR(err); 6498 } 6499 6500 static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 6501 struct nft_object *obj, bool reset) 6502 { 6503 struct nlattr *nest; 6504 6505 nest = nla_nest_start_noflag(skb, attr); 6506 if (!nest) 6507 goto nla_put_failure; 6508 if (obj->ops->dump(skb, obj, reset) < 0) 6509 goto nla_put_failure; 6510 nla_nest_end(skb, nest); 6511 return 0; 6512 6513 nla_put_failure: 6514 return -1; 6515 } 6516 6517 static const struct nft_object_type *__nft_obj_type_get(u32 objtype) 6518 { 6519 const struct nft_object_type *type; 6520 6521 list_for_each_entry(type, &nf_tables_objects, list) { 6522 if (objtype == type->type) 6523 return type; 6524 } 6525 return NULL; 6526 } 6527 6528 static const struct nft_object_type * 6529 nft_obj_type_get(struct net *net, u32 objtype) 6530 { 6531 const struct nft_object_type *type; 6532 6533 type = __nft_obj_type_get(objtype); 6534 if (type != NULL && try_module_get(type->owner)) 6535 return type; 6536 6537 lockdep_nfnl_nft_mutex_not_held(); 6538 #ifdef CONFIG_MODULES 6539 if (type == NULL) { 6540 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 6541 return ERR_PTR(-EAGAIN); 6542 } 6543 #endif 6544 return ERR_PTR(-ENOENT); 6545 } 6546 6547 static int nf_tables_updobj(const struct nft_ctx *ctx, 6548 const struct nft_object_type *type, 6549 const struct nlattr *attr, 6550 struct nft_object *obj) 6551 { 6552 struct nft_object *newobj; 6553 struct nft_trans *trans; 6554 int err; 6555 6556 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 6557 sizeof(struct nft_trans_obj)); 6558 if (!trans) 6559 return -ENOMEM; 6560 6561 newobj = nft_obj_init(ctx, type, attr); 6562 if (IS_ERR(newobj)) { 6563 err = PTR_ERR(newobj); 6564 goto err_free_trans; 6565 } 6566 6567 nft_trans_obj(trans) = obj; 6568 nft_trans_obj_update(trans) = true; 6569 nft_trans_obj_newobj(trans) = newobj; 6570 nft_trans_commit_list_add_tail(ctx->net, trans); 6571 6572 return 0; 6573 6574 err_free_trans: 6575 kfree(trans); 6576 return err; 6577 } 6578 6579 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, 6580 const struct nlattr * const nla[]) 6581 { 6582 struct netlink_ext_ack *extack = info->extack; 6583 u8 genmask = nft_genmask_next(info->net); 6584 u8 family = info->nfmsg->nfgen_family; 6585 const struct nft_object_type *type; 6586 struct net *net = info->net; 6587 struct nft_table *table; 6588 struct nft_object *obj; 6589 struct nft_ctx ctx; 6590 u32 objtype; 6591 int err; 6592 6593 if (!nla[NFTA_OBJ_TYPE] || 6594 !nla[NFTA_OBJ_NAME] || 6595 !nla[NFTA_OBJ_DATA]) 6596 return -EINVAL; 6597 6598 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 6599 NETLINK_CB(skb).portid); 6600 if (IS_ERR(table)) { 6601 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6602 return PTR_ERR(table); 6603 } 6604 6605 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6606 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 6607 if (IS_ERR(obj)) { 6608 err = PTR_ERR(obj); 6609 if (err != -ENOENT) { 6610 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6611 return err; 6612 } 6613 } else { 6614 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 6615 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6616 return -EEXIST; 6617 } 6618 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 6619 return -EOPNOTSUPP; 6620 6621 type = __nft_obj_type_get(objtype); 6622 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6623 6624 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 6625 } 6626 6627 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6628 6629 type = nft_obj_type_get(net, objtype); 6630 if (IS_ERR(type)) 6631 return PTR_ERR(type); 6632 6633 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 6634 if (IS_ERR(obj)) { 6635 err = PTR_ERR(obj); 6636 goto err_init; 6637 } 6638 obj->key.table = table; 6639 obj->handle = nf_tables_alloc_handle(table); 6640 6641 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL); 6642 if (!obj->key.name) { 6643 err = -ENOMEM; 6644 goto err_strdup; 6645 } 6646 6647 if (nla[NFTA_OBJ_USERDATA]) { 6648 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL); 6649 if (obj->udata == NULL) 6650 goto err_userdata; 6651 6652 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]); 6653 } 6654 6655 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 6656 if (err < 0) 6657 goto err_trans; 6658 6659 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 6660 nft_objname_ht_params); 6661 if (err < 0) 6662 goto err_obj_ht; 6663 6664 list_add_tail_rcu(&obj->list, &table->objects); 6665 table->use++; 6666 return 0; 6667 err_obj_ht: 6668 /* queued in transaction log */ 6669 INIT_LIST_HEAD(&obj->list); 6670 return err; 6671 err_trans: 6672 kfree(obj->udata); 6673 err_userdata: 6674 kfree(obj->key.name); 6675 err_strdup: 6676 if (obj->ops->destroy) 6677 obj->ops->destroy(&ctx, obj); 6678 kfree(obj); 6679 err_init: 6680 module_put(type->owner); 6681 return err; 6682 } 6683 6684 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 6685 u32 portid, u32 seq, int event, u32 flags, 6686 int family, const struct nft_table *table, 6687 struct nft_object *obj, bool reset) 6688 { 6689 struct nlmsghdr *nlh; 6690 6691 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6692 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 6693 NFNETLINK_V0, nft_base_seq(net)); 6694 if (!nlh) 6695 goto nla_put_failure; 6696 6697 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 6698 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 6699 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 6700 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 6701 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) || 6702 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 6703 NFTA_OBJ_PAD)) 6704 goto nla_put_failure; 6705 6706 if (obj->udata && 6707 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata)) 6708 goto nla_put_failure; 6709 6710 nlmsg_end(skb, nlh); 6711 return 0; 6712 6713 nla_put_failure: 6714 nlmsg_trim(skb, nlh); 6715 return -1; 6716 } 6717 6718 struct nft_obj_filter { 6719 char *table; 6720 u32 type; 6721 }; 6722 6723 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 6724 { 6725 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 6726 const struct nft_table *table; 6727 unsigned int idx = 0, s_idx = cb->args[0]; 6728 struct nft_obj_filter *filter = cb->data; 6729 struct net *net = sock_net(skb->sk); 6730 int family = nfmsg->nfgen_family; 6731 struct nftables_pernet *nft_net; 6732 struct nft_object *obj; 6733 bool reset = false; 6734 6735 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6736 reset = true; 6737 6738 rcu_read_lock(); 6739 nft_net = nft_pernet(net); 6740 cb->seq = nft_net->base_seq; 6741 6742 list_for_each_entry_rcu(table, &nft_net->tables, list) { 6743 if (family != NFPROTO_UNSPEC && family != table->family) 6744 continue; 6745 6746 list_for_each_entry_rcu(obj, &table->objects, list) { 6747 if (!nft_is_active(net, obj)) 6748 goto cont; 6749 if (idx < s_idx) 6750 goto cont; 6751 if (idx > s_idx) 6752 memset(&cb->args[1], 0, 6753 sizeof(cb->args) - sizeof(cb->args[0])); 6754 if (filter && filter->table && 6755 strcmp(filter->table, table->name)) 6756 goto cont; 6757 if (filter && 6758 filter->type != NFT_OBJECT_UNSPEC && 6759 obj->ops->type->type != filter->type) 6760 goto cont; 6761 if (reset) { 6762 char *buf = kasprintf(GFP_ATOMIC, 6763 "%s:%u", 6764 table->name, 6765 nft_net->base_seq); 6766 6767 audit_log_nfcfg(buf, 6768 family, 6769 obj->handle, 6770 AUDIT_NFT_OP_OBJ_RESET, 6771 GFP_ATOMIC); 6772 kfree(buf); 6773 } 6774 6775 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, 6776 cb->nlh->nlmsg_seq, 6777 NFT_MSG_NEWOBJ, 6778 NLM_F_MULTI | NLM_F_APPEND, 6779 table->family, table, 6780 obj, reset) < 0) 6781 goto done; 6782 6783 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 6784 cont: 6785 idx++; 6786 } 6787 } 6788 done: 6789 rcu_read_unlock(); 6790 6791 cb->args[0] = idx; 6792 return skb->len; 6793 } 6794 6795 static int nf_tables_dump_obj_start(struct netlink_callback *cb) 6796 { 6797 const struct nlattr * const *nla = cb->data; 6798 struct nft_obj_filter *filter = NULL; 6799 6800 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) { 6801 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 6802 if (!filter) 6803 return -ENOMEM; 6804 6805 if (nla[NFTA_OBJ_TABLE]) { 6806 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 6807 if (!filter->table) { 6808 kfree(filter); 6809 return -ENOMEM; 6810 } 6811 } 6812 6813 if (nla[NFTA_OBJ_TYPE]) 6814 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6815 } 6816 6817 cb->data = filter; 6818 return 0; 6819 } 6820 6821 static int nf_tables_dump_obj_done(struct netlink_callback *cb) 6822 { 6823 struct nft_obj_filter *filter = cb->data; 6824 6825 if (filter) { 6826 kfree(filter->table); 6827 kfree(filter); 6828 } 6829 6830 return 0; 6831 } 6832 6833 /* called with rcu_read_lock held */ 6834 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info, 6835 const struct nlattr * const nla[]) 6836 { 6837 struct netlink_ext_ack *extack = info->extack; 6838 u8 genmask = nft_genmask_cur(info->net); 6839 u8 family = info->nfmsg->nfgen_family; 6840 const struct nft_table *table; 6841 struct net *net = info->net; 6842 struct nft_object *obj; 6843 struct sk_buff *skb2; 6844 bool reset = false; 6845 u32 objtype; 6846 int err; 6847 6848 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 6849 struct netlink_dump_control c = { 6850 .start = nf_tables_dump_obj_start, 6851 .dump = nf_tables_dump_obj, 6852 .done = nf_tables_dump_obj_done, 6853 .module = THIS_MODULE, 6854 .data = (void *)nla, 6855 }; 6856 6857 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 6858 } 6859 6860 if (!nla[NFTA_OBJ_NAME] || 6861 !nla[NFTA_OBJ_TYPE]) 6862 return -EINVAL; 6863 6864 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0); 6865 if (IS_ERR(table)) { 6866 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6867 return PTR_ERR(table); 6868 } 6869 6870 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6871 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 6872 if (IS_ERR(obj)) { 6873 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6874 return PTR_ERR(obj); 6875 } 6876 6877 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 6878 if (!skb2) 6879 return -ENOMEM; 6880 6881 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6882 reset = true; 6883 6884 if (reset) { 6885 const struct nftables_pernet *nft_net; 6886 char *buf; 6887 6888 nft_net = nft_pernet(net); 6889 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq); 6890 6891 audit_log_nfcfg(buf, 6892 family, 6893 obj->handle, 6894 AUDIT_NFT_OP_OBJ_RESET, 6895 GFP_ATOMIC); 6896 kfree(buf); 6897 } 6898 6899 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid, 6900 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 6901 family, table, obj, reset); 6902 if (err < 0) 6903 goto err_fill_obj_info; 6904 6905 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 6906 6907 err_fill_obj_info: 6908 kfree_skb(skb2); 6909 return err; 6910 } 6911 6912 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 6913 { 6914 if (obj->ops->destroy) 6915 obj->ops->destroy(ctx, obj); 6916 6917 module_put(obj->ops->type->owner); 6918 kfree(obj->key.name); 6919 kfree(obj->udata); 6920 kfree(obj); 6921 } 6922 6923 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info, 6924 const struct nlattr * const nla[]) 6925 { 6926 struct netlink_ext_ack *extack = info->extack; 6927 u8 genmask = nft_genmask_next(info->net); 6928 u8 family = info->nfmsg->nfgen_family; 6929 struct net *net = info->net; 6930 const struct nlattr *attr; 6931 struct nft_table *table; 6932 struct nft_object *obj; 6933 struct nft_ctx ctx; 6934 u32 objtype; 6935 6936 if (!nla[NFTA_OBJ_TYPE] || 6937 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 6938 return -EINVAL; 6939 6940 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 6941 NETLINK_CB(skb).portid); 6942 if (IS_ERR(table)) { 6943 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6944 return PTR_ERR(table); 6945 } 6946 6947 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6948 if (nla[NFTA_OBJ_HANDLE]) { 6949 attr = nla[NFTA_OBJ_HANDLE]; 6950 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 6951 } else { 6952 attr = nla[NFTA_OBJ_NAME]; 6953 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 6954 } 6955 6956 if (IS_ERR(obj)) { 6957 NL_SET_BAD_ATTR(extack, attr); 6958 return PTR_ERR(obj); 6959 } 6960 if (obj->use > 0) { 6961 NL_SET_BAD_ATTR(extack, attr); 6962 return -EBUSY; 6963 } 6964 6965 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6966 6967 return nft_delobj(&ctx, obj); 6968 } 6969 6970 void nft_obj_notify(struct net *net, const struct nft_table *table, 6971 struct nft_object *obj, u32 portid, u32 seq, int event, 6972 u16 flags, int family, int report, gfp_t gfp) 6973 { 6974 struct nftables_pernet *nft_net = nft_pernet(net); 6975 struct sk_buff *skb; 6976 int err; 6977 char *buf = kasprintf(gfp, "%s:%u", 6978 table->name, nft_net->base_seq); 6979 6980 audit_log_nfcfg(buf, 6981 family, 6982 obj->handle, 6983 event == NFT_MSG_NEWOBJ ? 6984 AUDIT_NFT_OP_OBJ_REGISTER : 6985 AUDIT_NFT_OP_OBJ_UNREGISTER, 6986 gfp); 6987 kfree(buf); 6988 6989 if (!report && 6990 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 6991 return; 6992 6993 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 6994 if (skb == NULL) 6995 goto err; 6996 6997 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 6998 flags & (NLM_F_CREATE | NLM_F_EXCL), 6999 family, table, obj, false); 7000 if (err < 0) { 7001 kfree_skb(skb); 7002 goto err; 7003 } 7004 7005 nft_notify_enqueue(skb, report, &nft_net->notify_list); 7006 return; 7007 err: 7008 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 7009 } 7010 EXPORT_SYMBOL_GPL(nft_obj_notify); 7011 7012 static void nf_tables_obj_notify(const struct nft_ctx *ctx, 7013 struct nft_object *obj, int event) 7014 { 7015 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, 7016 ctx->flags, ctx->family, ctx->report, GFP_KERNEL); 7017 } 7018 7019 /* 7020 * Flow tables 7021 */ 7022 void nft_register_flowtable_type(struct nf_flowtable_type *type) 7023 { 7024 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7025 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 7026 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7027 } 7028 EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 7029 7030 void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 7031 { 7032 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7033 list_del_rcu(&type->list); 7034 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7035 } 7036 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 7037 7038 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 7039 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 7040 .len = NFT_NAME_MAXLEN - 1 }, 7041 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 7042 .len = NFT_NAME_MAXLEN - 1 }, 7043 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 7044 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 7045 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 7046 }; 7047 7048 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 7049 const struct nlattr *nla, u8 genmask) 7050 { 7051 struct nft_flowtable *flowtable; 7052 7053 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 7054 if (!nla_strcmp(nla, flowtable->name) && 7055 nft_active_genmask(flowtable, genmask)) 7056 return flowtable; 7057 } 7058 return ERR_PTR(-ENOENT); 7059 } 7060 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 7061 7062 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 7063 struct nft_flowtable *flowtable, 7064 enum nft_trans_phase phase) 7065 { 7066 switch (phase) { 7067 case NFT_TRANS_PREPARE: 7068 case NFT_TRANS_ABORT: 7069 case NFT_TRANS_RELEASE: 7070 flowtable->use--; 7071 fallthrough; 7072 default: 7073 return; 7074 } 7075 } 7076 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 7077 7078 static struct nft_flowtable * 7079 nft_flowtable_lookup_byhandle(const struct nft_table *table, 7080 const struct nlattr *nla, u8 genmask) 7081 { 7082 struct nft_flowtable *flowtable; 7083 7084 list_for_each_entry(flowtable, &table->flowtables, list) { 7085 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 7086 nft_active_genmask(flowtable, genmask)) 7087 return flowtable; 7088 } 7089 return ERR_PTR(-ENOENT); 7090 } 7091 7092 struct nft_flowtable_hook { 7093 u32 num; 7094 int priority; 7095 struct list_head list; 7096 }; 7097 7098 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 7099 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 7100 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 7101 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 7102 }; 7103 7104 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 7105 const struct nlattr *attr, 7106 struct nft_flowtable_hook *flowtable_hook, 7107 struct nft_flowtable *flowtable, bool add) 7108 { 7109 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 7110 struct nft_hook *hook; 7111 int hooknum, priority; 7112 int err; 7113 7114 INIT_LIST_HEAD(&flowtable_hook->list); 7115 7116 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr, 7117 nft_flowtable_hook_policy, NULL); 7118 if (err < 0) 7119 return err; 7120 7121 if (add) { 7122 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 7123 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) 7124 return -EINVAL; 7125 7126 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 7127 if (hooknum != NF_NETDEV_INGRESS) 7128 return -EOPNOTSUPP; 7129 7130 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 7131 7132 flowtable_hook->priority = priority; 7133 flowtable_hook->num = hooknum; 7134 } else { 7135 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 7136 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 7137 if (hooknum != flowtable->hooknum) 7138 return -EOPNOTSUPP; 7139 } 7140 7141 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 7142 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 7143 if (priority != flowtable->data.priority) 7144 return -EOPNOTSUPP; 7145 } 7146 7147 flowtable_hook->priority = flowtable->data.priority; 7148 flowtable_hook->num = flowtable->hooknum; 7149 } 7150 7151 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 7152 err = nf_tables_parse_netdev_hooks(ctx->net, 7153 tb[NFTA_FLOWTABLE_HOOK_DEVS], 7154 &flowtable_hook->list); 7155 if (err < 0) 7156 return err; 7157 } 7158 7159 list_for_each_entry(hook, &flowtable_hook->list, list) { 7160 hook->ops.pf = NFPROTO_NETDEV; 7161 hook->ops.hooknum = flowtable_hook->num; 7162 hook->ops.priority = flowtable_hook->priority; 7163 hook->ops.priv = &flowtable->data; 7164 hook->ops.hook = flowtable->data.type->hook; 7165 } 7166 7167 return err; 7168 } 7169 7170 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 7171 { 7172 const struct nf_flowtable_type *type; 7173 7174 list_for_each_entry(type, &nf_tables_flowtables, list) { 7175 if (family == type->family) 7176 return type; 7177 } 7178 return NULL; 7179 } 7180 7181 static const struct nf_flowtable_type * 7182 nft_flowtable_type_get(struct net *net, u8 family) 7183 { 7184 const struct nf_flowtable_type *type; 7185 7186 type = __nft_flowtable_type_get(family); 7187 if (type != NULL && try_module_get(type->owner)) 7188 return type; 7189 7190 lockdep_nfnl_nft_mutex_not_held(); 7191 #ifdef CONFIG_MODULES 7192 if (type == NULL) { 7193 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 7194 return ERR_PTR(-EAGAIN); 7195 } 7196 #endif 7197 return ERR_PTR(-ENOENT); 7198 } 7199 7200 /* Only called from error and netdev event paths. */ 7201 static void nft_unregister_flowtable_hook(struct net *net, 7202 struct nft_flowtable *flowtable, 7203 struct nft_hook *hook) 7204 { 7205 nf_unregister_net_hook(net, &hook->ops); 7206 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 7207 FLOW_BLOCK_UNBIND); 7208 } 7209 7210 static void nft_unregister_flowtable_net_hooks(struct net *net, 7211 struct list_head *hook_list) 7212 { 7213 struct nft_hook *hook; 7214 7215 list_for_each_entry(hook, hook_list, list) 7216 nf_unregister_net_hook(net, &hook->ops); 7217 } 7218 7219 static int nft_register_flowtable_net_hooks(struct net *net, 7220 struct nft_table *table, 7221 struct list_head *hook_list, 7222 struct nft_flowtable *flowtable) 7223 { 7224 struct nft_hook *hook, *hook2, *next; 7225 struct nft_flowtable *ft; 7226 int err, i = 0; 7227 7228 list_for_each_entry(hook, hook_list, list) { 7229 list_for_each_entry(ft, &table->flowtables, list) { 7230 if (!nft_is_active_next(net, ft)) 7231 continue; 7232 7233 list_for_each_entry(hook2, &ft->hook_list, list) { 7234 if (hook->ops.dev == hook2->ops.dev && 7235 hook->ops.pf == hook2->ops.pf) { 7236 err = -EEXIST; 7237 goto err_unregister_net_hooks; 7238 } 7239 } 7240 } 7241 7242 err = flowtable->data.type->setup(&flowtable->data, 7243 hook->ops.dev, 7244 FLOW_BLOCK_BIND); 7245 if (err < 0) 7246 goto err_unregister_net_hooks; 7247 7248 err = nf_register_net_hook(net, &hook->ops); 7249 if (err < 0) { 7250 flowtable->data.type->setup(&flowtable->data, 7251 hook->ops.dev, 7252 FLOW_BLOCK_UNBIND); 7253 goto err_unregister_net_hooks; 7254 } 7255 7256 i++; 7257 } 7258 7259 return 0; 7260 7261 err_unregister_net_hooks: 7262 list_for_each_entry_safe(hook, next, hook_list, list) { 7263 if (i-- <= 0) 7264 break; 7265 7266 nft_unregister_flowtable_hook(net, flowtable, hook); 7267 list_del_rcu(&hook->list); 7268 kfree_rcu(hook, rcu); 7269 } 7270 7271 return err; 7272 } 7273 7274 static void nft_flowtable_hooks_destroy(struct list_head *hook_list) 7275 { 7276 struct nft_hook *hook, *next; 7277 7278 list_for_each_entry_safe(hook, next, hook_list, list) { 7279 list_del_rcu(&hook->list); 7280 kfree_rcu(hook, rcu); 7281 } 7282 } 7283 7284 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 7285 struct nft_flowtable *flowtable) 7286 { 7287 const struct nlattr * const *nla = ctx->nla; 7288 struct nft_flowtable_hook flowtable_hook; 7289 struct nft_hook *hook, *next; 7290 struct nft_trans *trans; 7291 bool unregister = false; 7292 u32 flags; 7293 int err; 7294 7295 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 7296 &flowtable_hook, flowtable, false); 7297 if (err < 0) 7298 return err; 7299 7300 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 7301 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 7302 list_del(&hook->list); 7303 kfree(hook); 7304 } 7305 } 7306 7307 if (nla[NFTA_FLOWTABLE_FLAGS]) { 7308 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 7309 if (flags & ~NFT_FLOWTABLE_MASK) 7310 return -EOPNOTSUPP; 7311 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ 7312 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) 7313 return -EOPNOTSUPP; 7314 } else { 7315 flags = flowtable->data.flags; 7316 } 7317 7318 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 7319 &flowtable_hook.list, flowtable); 7320 if (err < 0) 7321 goto err_flowtable_update_hook; 7322 7323 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 7324 sizeof(struct nft_trans_flowtable)); 7325 if (!trans) { 7326 unregister = true; 7327 err = -ENOMEM; 7328 goto err_flowtable_update_hook; 7329 } 7330 7331 nft_trans_flowtable_flags(trans) = flags; 7332 nft_trans_flowtable(trans) = flowtable; 7333 nft_trans_flowtable_update(trans) = true; 7334 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 7335 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 7336 7337 nft_trans_commit_list_add_tail(ctx->net, trans); 7338 7339 return 0; 7340 7341 err_flowtable_update_hook: 7342 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 7343 if (unregister) 7344 nft_unregister_flowtable_hook(ctx->net, flowtable, hook); 7345 list_del_rcu(&hook->list); 7346 kfree_rcu(hook, rcu); 7347 } 7348 7349 return err; 7350 7351 } 7352 7353 static int nf_tables_newflowtable(struct sk_buff *skb, 7354 const struct nfnl_info *info, 7355 const struct nlattr * const nla[]) 7356 { 7357 struct netlink_ext_ack *extack = info->extack; 7358 struct nft_flowtable_hook flowtable_hook; 7359 u8 genmask = nft_genmask_next(info->net); 7360 u8 family = info->nfmsg->nfgen_family; 7361 const struct nf_flowtable_type *type; 7362 struct nft_flowtable *flowtable; 7363 struct nft_hook *hook, *next; 7364 struct net *net = info->net; 7365 struct nft_table *table; 7366 struct nft_ctx ctx; 7367 int err; 7368 7369 if (!nla[NFTA_FLOWTABLE_TABLE] || 7370 !nla[NFTA_FLOWTABLE_NAME] || 7371 !nla[NFTA_FLOWTABLE_HOOK]) 7372 return -EINVAL; 7373 7374 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7375 genmask, NETLINK_CB(skb).portid); 7376 if (IS_ERR(table)) { 7377 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 7378 return PTR_ERR(table); 7379 } 7380 7381 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 7382 genmask); 7383 if (IS_ERR(flowtable)) { 7384 err = PTR_ERR(flowtable); 7385 if (err != -ENOENT) { 7386 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 7387 return err; 7388 } 7389 } else { 7390 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 7391 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 7392 return -EEXIST; 7393 } 7394 7395 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7396 7397 return nft_flowtable_update(&ctx, info->nlh, flowtable); 7398 } 7399 7400 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7401 7402 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL); 7403 if (!flowtable) 7404 return -ENOMEM; 7405 7406 flowtable->table = table; 7407 flowtable->handle = nf_tables_alloc_handle(table); 7408 INIT_LIST_HEAD(&flowtable->hook_list); 7409 7410 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL); 7411 if (!flowtable->name) { 7412 err = -ENOMEM; 7413 goto err1; 7414 } 7415 7416 type = nft_flowtable_type_get(net, family); 7417 if (IS_ERR(type)) { 7418 err = PTR_ERR(type); 7419 goto err2; 7420 } 7421 7422 if (nla[NFTA_FLOWTABLE_FLAGS]) { 7423 flowtable->data.flags = 7424 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 7425 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) { 7426 err = -EOPNOTSUPP; 7427 goto err3; 7428 } 7429 } 7430 7431 write_pnet(&flowtable->data.net, net); 7432 flowtable->data.type = type; 7433 err = type->init(&flowtable->data); 7434 if (err < 0) 7435 goto err3; 7436 7437 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK], 7438 &flowtable_hook, flowtable, true); 7439 if (err < 0) 7440 goto err4; 7441 7442 list_splice(&flowtable_hook.list, &flowtable->hook_list); 7443 flowtable->data.priority = flowtable_hook.priority; 7444 flowtable->hooknum = flowtable_hook.num; 7445 7446 err = nft_register_flowtable_net_hooks(ctx.net, table, 7447 &flowtable->hook_list, 7448 flowtable); 7449 if (err < 0) { 7450 nft_flowtable_hooks_destroy(&flowtable->hook_list); 7451 goto err4; 7452 } 7453 7454 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 7455 if (err < 0) 7456 goto err5; 7457 7458 list_add_tail_rcu(&flowtable->list, &table->flowtables); 7459 table->use++; 7460 7461 return 0; 7462 err5: 7463 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7464 nft_unregister_flowtable_hook(net, flowtable, hook); 7465 list_del_rcu(&hook->list); 7466 kfree_rcu(hook, rcu); 7467 } 7468 err4: 7469 flowtable->data.type->free(&flowtable->data); 7470 err3: 7471 module_put(type->owner); 7472 err2: 7473 kfree(flowtable->name); 7474 err1: 7475 kfree(flowtable); 7476 return err; 7477 } 7478 7479 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook) 7480 { 7481 struct nft_hook *this, *next; 7482 7483 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { 7484 list_del(&this->list); 7485 kfree(this); 7486 } 7487 } 7488 7489 static int nft_delflowtable_hook(struct nft_ctx *ctx, 7490 struct nft_flowtable *flowtable) 7491 { 7492 const struct nlattr * const *nla = ctx->nla; 7493 struct nft_flowtable_hook flowtable_hook; 7494 struct nft_hook *this, *hook; 7495 struct nft_trans *trans; 7496 int err; 7497 7498 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 7499 &flowtable_hook, flowtable, false); 7500 if (err < 0) 7501 return err; 7502 7503 list_for_each_entry(this, &flowtable_hook.list, list) { 7504 hook = nft_hook_list_find(&flowtable->hook_list, this); 7505 if (!hook) { 7506 err = -ENOENT; 7507 goto err_flowtable_del_hook; 7508 } 7509 hook->inactive = true; 7510 } 7511 7512 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 7513 sizeof(struct nft_trans_flowtable)); 7514 if (!trans) { 7515 err = -ENOMEM; 7516 goto err_flowtable_del_hook; 7517 } 7518 7519 nft_trans_flowtable(trans) = flowtable; 7520 nft_trans_flowtable_update(trans) = true; 7521 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 7522 nft_flowtable_hook_release(&flowtable_hook); 7523 7524 nft_trans_commit_list_add_tail(ctx->net, trans); 7525 7526 return 0; 7527 7528 err_flowtable_del_hook: 7529 list_for_each_entry(this, &flowtable_hook.list, list) { 7530 hook = nft_hook_list_find(&flowtable->hook_list, this); 7531 if (!hook) 7532 break; 7533 7534 hook->inactive = false; 7535 } 7536 nft_flowtable_hook_release(&flowtable_hook); 7537 7538 return err; 7539 } 7540 7541 static int nf_tables_delflowtable(struct sk_buff *skb, 7542 const struct nfnl_info *info, 7543 const struct nlattr * const nla[]) 7544 { 7545 struct netlink_ext_ack *extack = info->extack; 7546 u8 genmask = nft_genmask_next(info->net); 7547 u8 family = info->nfmsg->nfgen_family; 7548 struct nft_flowtable *flowtable; 7549 struct net *net = info->net; 7550 const struct nlattr *attr; 7551 struct nft_table *table; 7552 struct nft_ctx ctx; 7553 7554 if (!nla[NFTA_FLOWTABLE_TABLE] || 7555 (!nla[NFTA_FLOWTABLE_NAME] && 7556 !nla[NFTA_FLOWTABLE_HANDLE])) 7557 return -EINVAL; 7558 7559 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7560 genmask, NETLINK_CB(skb).portid); 7561 if (IS_ERR(table)) { 7562 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 7563 return PTR_ERR(table); 7564 } 7565 7566 if (nla[NFTA_FLOWTABLE_HANDLE]) { 7567 attr = nla[NFTA_FLOWTABLE_HANDLE]; 7568 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 7569 } else { 7570 attr = nla[NFTA_FLOWTABLE_NAME]; 7571 flowtable = nft_flowtable_lookup(table, attr, genmask); 7572 } 7573 7574 if (IS_ERR(flowtable)) { 7575 NL_SET_BAD_ATTR(extack, attr); 7576 return PTR_ERR(flowtable); 7577 } 7578 7579 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7580 7581 if (nla[NFTA_FLOWTABLE_HOOK]) 7582 return nft_delflowtable_hook(&ctx, flowtable); 7583 7584 if (flowtable->use > 0) { 7585 NL_SET_BAD_ATTR(extack, attr); 7586 return -EBUSY; 7587 } 7588 7589 return nft_delflowtable(&ctx, flowtable); 7590 } 7591 7592 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 7593 u32 portid, u32 seq, int event, 7594 u32 flags, int family, 7595 struct nft_flowtable *flowtable, 7596 struct list_head *hook_list) 7597 { 7598 struct nlattr *nest, *nest_devs; 7599 struct nft_hook *hook; 7600 struct nlmsghdr *nlh; 7601 7602 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 7603 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 7604 NFNETLINK_V0, nft_base_seq(net)); 7605 if (!nlh) 7606 goto nla_put_failure; 7607 7608 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 7609 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 7610 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 7611 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 7612 NFTA_FLOWTABLE_PAD) || 7613 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 7614 goto nla_put_failure; 7615 7616 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 7617 if (!nest) 7618 goto nla_put_failure; 7619 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 7620 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 7621 goto nla_put_failure; 7622 7623 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 7624 if (!nest_devs) 7625 goto nla_put_failure; 7626 7627 list_for_each_entry_rcu(hook, hook_list, list) { 7628 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) 7629 goto nla_put_failure; 7630 } 7631 nla_nest_end(skb, nest_devs); 7632 nla_nest_end(skb, nest); 7633 7634 nlmsg_end(skb, nlh); 7635 return 0; 7636 7637 nla_put_failure: 7638 nlmsg_trim(skb, nlh); 7639 return -1; 7640 } 7641 7642 struct nft_flowtable_filter { 7643 char *table; 7644 }; 7645 7646 static int nf_tables_dump_flowtable(struct sk_buff *skb, 7647 struct netlink_callback *cb) 7648 { 7649 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 7650 struct nft_flowtable_filter *filter = cb->data; 7651 unsigned int idx = 0, s_idx = cb->args[0]; 7652 struct net *net = sock_net(skb->sk); 7653 int family = nfmsg->nfgen_family; 7654 struct nft_flowtable *flowtable; 7655 struct nftables_pernet *nft_net; 7656 const struct nft_table *table; 7657 7658 rcu_read_lock(); 7659 nft_net = nft_pernet(net); 7660 cb->seq = nft_net->base_seq; 7661 7662 list_for_each_entry_rcu(table, &nft_net->tables, list) { 7663 if (family != NFPROTO_UNSPEC && family != table->family) 7664 continue; 7665 7666 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 7667 if (!nft_is_active(net, flowtable)) 7668 goto cont; 7669 if (idx < s_idx) 7670 goto cont; 7671 if (idx > s_idx) 7672 memset(&cb->args[1], 0, 7673 sizeof(cb->args) - sizeof(cb->args[0])); 7674 if (filter && filter->table && 7675 strcmp(filter->table, table->name)) 7676 goto cont; 7677 7678 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 7679 cb->nlh->nlmsg_seq, 7680 NFT_MSG_NEWFLOWTABLE, 7681 NLM_F_MULTI | NLM_F_APPEND, 7682 table->family, 7683 flowtable, 7684 &flowtable->hook_list) < 0) 7685 goto done; 7686 7687 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 7688 cont: 7689 idx++; 7690 } 7691 } 7692 done: 7693 rcu_read_unlock(); 7694 7695 cb->args[0] = idx; 7696 return skb->len; 7697 } 7698 7699 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 7700 { 7701 const struct nlattr * const *nla = cb->data; 7702 struct nft_flowtable_filter *filter = NULL; 7703 7704 if (nla[NFTA_FLOWTABLE_TABLE]) { 7705 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 7706 if (!filter) 7707 return -ENOMEM; 7708 7709 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 7710 GFP_ATOMIC); 7711 if (!filter->table) { 7712 kfree(filter); 7713 return -ENOMEM; 7714 } 7715 } 7716 7717 cb->data = filter; 7718 return 0; 7719 } 7720 7721 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 7722 { 7723 struct nft_flowtable_filter *filter = cb->data; 7724 7725 if (!filter) 7726 return 0; 7727 7728 kfree(filter->table); 7729 kfree(filter); 7730 7731 return 0; 7732 } 7733 7734 /* called with rcu_read_lock held */ 7735 static int nf_tables_getflowtable(struct sk_buff *skb, 7736 const struct nfnl_info *info, 7737 const struct nlattr * const nla[]) 7738 { 7739 u8 genmask = nft_genmask_cur(info->net); 7740 u8 family = info->nfmsg->nfgen_family; 7741 struct nft_flowtable *flowtable; 7742 const struct nft_table *table; 7743 struct net *net = info->net; 7744 struct sk_buff *skb2; 7745 int err; 7746 7747 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 7748 struct netlink_dump_control c = { 7749 .start = nf_tables_dump_flowtable_start, 7750 .dump = nf_tables_dump_flowtable, 7751 .done = nf_tables_dump_flowtable_done, 7752 .module = THIS_MODULE, 7753 .data = (void *)nla, 7754 }; 7755 7756 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 7757 } 7758 7759 if (!nla[NFTA_FLOWTABLE_NAME]) 7760 return -EINVAL; 7761 7762 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7763 genmask, 0); 7764 if (IS_ERR(table)) 7765 return PTR_ERR(table); 7766 7767 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 7768 genmask); 7769 if (IS_ERR(flowtable)) 7770 return PTR_ERR(flowtable); 7771 7772 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7773 if (!skb2) 7774 return -ENOMEM; 7775 7776 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 7777 info->nlh->nlmsg_seq, 7778 NFT_MSG_NEWFLOWTABLE, 0, family, 7779 flowtable, &flowtable->hook_list); 7780 if (err < 0) 7781 goto err_fill_flowtable_info; 7782 7783 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7784 7785 err_fill_flowtable_info: 7786 kfree_skb(skb2); 7787 return err; 7788 } 7789 7790 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 7791 struct nft_flowtable *flowtable, 7792 struct list_head *hook_list, 7793 int event) 7794 { 7795 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 7796 struct sk_buff *skb; 7797 u16 flags = 0; 7798 int err; 7799 7800 if (!ctx->report && 7801 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 7802 return; 7803 7804 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 7805 if (skb == NULL) 7806 goto err; 7807 7808 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 7809 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 7810 7811 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 7812 ctx->seq, event, flags, 7813 ctx->family, flowtable, hook_list); 7814 if (err < 0) { 7815 kfree_skb(skb); 7816 goto err; 7817 } 7818 7819 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 7820 return; 7821 err: 7822 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 7823 } 7824 7825 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 7826 { 7827 struct nft_hook *hook, *next; 7828 7829 flowtable->data.type->free(&flowtable->data); 7830 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7831 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 7832 FLOW_BLOCK_UNBIND); 7833 list_del_rcu(&hook->list); 7834 kfree(hook); 7835 } 7836 kfree(flowtable->name); 7837 module_put(flowtable->data.type->owner); 7838 kfree(flowtable); 7839 } 7840 7841 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 7842 u32 portid, u32 seq) 7843 { 7844 struct nftables_pernet *nft_net = nft_pernet(net); 7845 struct nlmsghdr *nlh; 7846 char buf[TASK_COMM_LEN]; 7847 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 7848 7849 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, 7850 NFNETLINK_V0, nft_base_seq(net)); 7851 if (!nlh) 7852 goto nla_put_failure; 7853 7854 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || 7855 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 7856 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 7857 goto nla_put_failure; 7858 7859 nlmsg_end(skb, nlh); 7860 return 0; 7861 7862 nla_put_failure: 7863 nlmsg_trim(skb, nlh); 7864 return -EMSGSIZE; 7865 } 7866 7867 static void nft_flowtable_event(unsigned long event, struct net_device *dev, 7868 struct nft_flowtable *flowtable) 7869 { 7870 struct nft_hook *hook; 7871 7872 list_for_each_entry(hook, &flowtable->hook_list, list) { 7873 if (hook->ops.dev != dev) 7874 continue; 7875 7876 /* flow_offload_netdev_event() cleans up entries for us. */ 7877 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); 7878 list_del_rcu(&hook->list); 7879 kfree_rcu(hook, rcu); 7880 break; 7881 } 7882 } 7883 7884 static int nf_tables_flowtable_event(struct notifier_block *this, 7885 unsigned long event, void *ptr) 7886 { 7887 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 7888 struct nft_flowtable *flowtable; 7889 struct nftables_pernet *nft_net; 7890 struct nft_table *table; 7891 struct net *net; 7892 7893 if (event != NETDEV_UNREGISTER) 7894 return 0; 7895 7896 net = dev_net(dev); 7897 nft_net = nft_pernet(net); 7898 mutex_lock(&nft_net->commit_mutex); 7899 list_for_each_entry(table, &nft_net->tables, list) { 7900 list_for_each_entry(flowtable, &table->flowtables, list) { 7901 nft_flowtable_event(event, dev, flowtable); 7902 } 7903 } 7904 mutex_unlock(&nft_net->commit_mutex); 7905 7906 return NOTIFY_DONE; 7907 } 7908 7909 static struct notifier_block nf_tables_flowtable_notifier = { 7910 .notifier_call = nf_tables_flowtable_event, 7911 }; 7912 7913 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 7914 int event) 7915 { 7916 struct nlmsghdr *nlh = nlmsg_hdr(skb); 7917 struct sk_buff *skb2; 7918 int err; 7919 7920 if (!nlmsg_report(nlh) && 7921 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 7922 return; 7923 7924 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 7925 if (skb2 == NULL) 7926 goto err; 7927 7928 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 7929 nlh->nlmsg_seq); 7930 if (err < 0) { 7931 kfree_skb(skb2); 7932 goto err; 7933 } 7934 7935 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 7936 nlmsg_report(nlh), GFP_KERNEL); 7937 return; 7938 err: 7939 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 7940 -ENOBUFS); 7941 } 7942 7943 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info, 7944 const struct nlattr * const nla[]) 7945 { 7946 struct sk_buff *skb2; 7947 int err; 7948 7949 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7950 if (skb2 == NULL) 7951 return -ENOMEM; 7952 7953 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid, 7954 info->nlh->nlmsg_seq); 7955 if (err < 0) 7956 goto err_fill_gen_info; 7957 7958 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 7959 7960 err_fill_gen_info: 7961 kfree_skb(skb2); 7962 return err; 7963 } 7964 7965 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 7966 [NFT_MSG_NEWTABLE] = { 7967 .call = nf_tables_newtable, 7968 .type = NFNL_CB_BATCH, 7969 .attr_count = NFTA_TABLE_MAX, 7970 .policy = nft_table_policy, 7971 }, 7972 [NFT_MSG_GETTABLE] = { 7973 .call = nf_tables_gettable, 7974 .type = NFNL_CB_RCU, 7975 .attr_count = NFTA_TABLE_MAX, 7976 .policy = nft_table_policy, 7977 }, 7978 [NFT_MSG_DELTABLE] = { 7979 .call = nf_tables_deltable, 7980 .type = NFNL_CB_BATCH, 7981 .attr_count = NFTA_TABLE_MAX, 7982 .policy = nft_table_policy, 7983 }, 7984 [NFT_MSG_NEWCHAIN] = { 7985 .call = nf_tables_newchain, 7986 .type = NFNL_CB_BATCH, 7987 .attr_count = NFTA_CHAIN_MAX, 7988 .policy = nft_chain_policy, 7989 }, 7990 [NFT_MSG_GETCHAIN] = { 7991 .call = nf_tables_getchain, 7992 .type = NFNL_CB_RCU, 7993 .attr_count = NFTA_CHAIN_MAX, 7994 .policy = nft_chain_policy, 7995 }, 7996 [NFT_MSG_DELCHAIN] = { 7997 .call = nf_tables_delchain, 7998 .type = NFNL_CB_BATCH, 7999 .attr_count = NFTA_CHAIN_MAX, 8000 .policy = nft_chain_policy, 8001 }, 8002 [NFT_MSG_NEWRULE] = { 8003 .call = nf_tables_newrule, 8004 .type = NFNL_CB_BATCH, 8005 .attr_count = NFTA_RULE_MAX, 8006 .policy = nft_rule_policy, 8007 }, 8008 [NFT_MSG_GETRULE] = { 8009 .call = nf_tables_getrule, 8010 .type = NFNL_CB_RCU, 8011 .attr_count = NFTA_RULE_MAX, 8012 .policy = nft_rule_policy, 8013 }, 8014 [NFT_MSG_DELRULE] = { 8015 .call = nf_tables_delrule, 8016 .type = NFNL_CB_BATCH, 8017 .attr_count = NFTA_RULE_MAX, 8018 .policy = nft_rule_policy, 8019 }, 8020 [NFT_MSG_NEWSET] = { 8021 .call = nf_tables_newset, 8022 .type = NFNL_CB_BATCH, 8023 .attr_count = NFTA_SET_MAX, 8024 .policy = nft_set_policy, 8025 }, 8026 [NFT_MSG_GETSET] = { 8027 .call = nf_tables_getset, 8028 .type = NFNL_CB_RCU, 8029 .attr_count = NFTA_SET_MAX, 8030 .policy = nft_set_policy, 8031 }, 8032 [NFT_MSG_DELSET] = { 8033 .call = nf_tables_delset, 8034 .type = NFNL_CB_BATCH, 8035 .attr_count = NFTA_SET_MAX, 8036 .policy = nft_set_policy, 8037 }, 8038 [NFT_MSG_NEWSETELEM] = { 8039 .call = nf_tables_newsetelem, 8040 .type = NFNL_CB_BATCH, 8041 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8042 .policy = nft_set_elem_list_policy, 8043 }, 8044 [NFT_MSG_GETSETELEM] = { 8045 .call = nf_tables_getsetelem, 8046 .type = NFNL_CB_RCU, 8047 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8048 .policy = nft_set_elem_list_policy, 8049 }, 8050 [NFT_MSG_DELSETELEM] = { 8051 .call = nf_tables_delsetelem, 8052 .type = NFNL_CB_BATCH, 8053 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8054 .policy = nft_set_elem_list_policy, 8055 }, 8056 [NFT_MSG_GETGEN] = { 8057 .call = nf_tables_getgen, 8058 .type = NFNL_CB_RCU, 8059 }, 8060 [NFT_MSG_NEWOBJ] = { 8061 .call = nf_tables_newobj, 8062 .type = NFNL_CB_BATCH, 8063 .attr_count = NFTA_OBJ_MAX, 8064 .policy = nft_obj_policy, 8065 }, 8066 [NFT_MSG_GETOBJ] = { 8067 .call = nf_tables_getobj, 8068 .type = NFNL_CB_RCU, 8069 .attr_count = NFTA_OBJ_MAX, 8070 .policy = nft_obj_policy, 8071 }, 8072 [NFT_MSG_DELOBJ] = { 8073 .call = nf_tables_delobj, 8074 .type = NFNL_CB_BATCH, 8075 .attr_count = NFTA_OBJ_MAX, 8076 .policy = nft_obj_policy, 8077 }, 8078 [NFT_MSG_GETOBJ_RESET] = { 8079 .call = nf_tables_getobj, 8080 .type = NFNL_CB_RCU, 8081 .attr_count = NFTA_OBJ_MAX, 8082 .policy = nft_obj_policy, 8083 }, 8084 [NFT_MSG_NEWFLOWTABLE] = { 8085 .call = nf_tables_newflowtable, 8086 .type = NFNL_CB_BATCH, 8087 .attr_count = NFTA_FLOWTABLE_MAX, 8088 .policy = nft_flowtable_policy, 8089 }, 8090 [NFT_MSG_GETFLOWTABLE] = { 8091 .call = nf_tables_getflowtable, 8092 .type = NFNL_CB_RCU, 8093 .attr_count = NFTA_FLOWTABLE_MAX, 8094 .policy = nft_flowtable_policy, 8095 }, 8096 [NFT_MSG_DELFLOWTABLE] = { 8097 .call = nf_tables_delflowtable, 8098 .type = NFNL_CB_BATCH, 8099 .attr_count = NFTA_FLOWTABLE_MAX, 8100 .policy = nft_flowtable_policy, 8101 }, 8102 }; 8103 8104 static int nf_tables_validate(struct net *net) 8105 { 8106 struct nftables_pernet *nft_net = nft_pernet(net); 8107 struct nft_table *table; 8108 8109 switch (nft_net->validate_state) { 8110 case NFT_VALIDATE_SKIP: 8111 break; 8112 case NFT_VALIDATE_NEED: 8113 nft_validate_state_update(net, NFT_VALIDATE_DO); 8114 fallthrough; 8115 case NFT_VALIDATE_DO: 8116 list_for_each_entry(table, &nft_net->tables, list) { 8117 if (nft_table_validate(net, table) < 0) 8118 return -EAGAIN; 8119 } 8120 break; 8121 } 8122 8123 return 0; 8124 } 8125 8126 /* a drop policy has to be deferred until all rules have been activated, 8127 * otherwise a large ruleset that contains a drop-policy base chain will 8128 * cause all packets to get dropped until the full transaction has been 8129 * processed. 8130 * 8131 * We defer the drop policy until the transaction has been finalized. 8132 */ 8133 static void nft_chain_commit_drop_policy(struct nft_trans *trans) 8134 { 8135 struct nft_base_chain *basechain; 8136 8137 if (nft_trans_chain_policy(trans) != NF_DROP) 8138 return; 8139 8140 if (!nft_is_base_chain(trans->ctx.chain)) 8141 return; 8142 8143 basechain = nft_base_chain(trans->ctx.chain); 8144 basechain->policy = NF_DROP; 8145 } 8146 8147 static void nft_chain_commit_update(struct nft_trans *trans) 8148 { 8149 struct nft_base_chain *basechain; 8150 8151 if (nft_trans_chain_name(trans)) { 8152 rhltable_remove(&trans->ctx.table->chains_ht, 8153 &trans->ctx.chain->rhlhead, 8154 nft_chain_ht_params); 8155 swap(trans->ctx.chain->name, nft_trans_chain_name(trans)); 8156 rhltable_insert_key(&trans->ctx.table->chains_ht, 8157 trans->ctx.chain->name, 8158 &trans->ctx.chain->rhlhead, 8159 nft_chain_ht_params); 8160 } 8161 8162 if (!nft_is_base_chain(trans->ctx.chain)) 8163 return; 8164 8165 nft_chain_stats_replace(trans); 8166 8167 basechain = nft_base_chain(trans->ctx.chain); 8168 8169 switch (nft_trans_chain_policy(trans)) { 8170 case NF_DROP: 8171 case NF_ACCEPT: 8172 basechain->policy = nft_trans_chain_policy(trans); 8173 break; 8174 } 8175 } 8176 8177 static void nft_obj_commit_update(struct nft_trans *trans) 8178 { 8179 struct nft_object *newobj; 8180 struct nft_object *obj; 8181 8182 obj = nft_trans_obj(trans); 8183 newobj = nft_trans_obj_newobj(trans); 8184 8185 if (obj->ops->update) 8186 obj->ops->update(obj, newobj); 8187 8188 kfree(newobj); 8189 } 8190 8191 static void nft_commit_release(struct nft_trans *trans) 8192 { 8193 switch (trans->msg_type) { 8194 case NFT_MSG_DELTABLE: 8195 nf_tables_table_destroy(&trans->ctx); 8196 break; 8197 case NFT_MSG_NEWCHAIN: 8198 free_percpu(nft_trans_chain_stats(trans)); 8199 kfree(nft_trans_chain_name(trans)); 8200 break; 8201 case NFT_MSG_DELCHAIN: 8202 nf_tables_chain_destroy(&trans->ctx); 8203 break; 8204 case NFT_MSG_DELRULE: 8205 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 8206 break; 8207 case NFT_MSG_DELSET: 8208 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 8209 break; 8210 case NFT_MSG_DELSETELEM: 8211 nf_tables_set_elem_destroy(&trans->ctx, 8212 nft_trans_elem_set(trans), 8213 nft_trans_elem(trans).priv); 8214 break; 8215 case NFT_MSG_DELOBJ: 8216 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 8217 break; 8218 case NFT_MSG_DELFLOWTABLE: 8219 if (nft_trans_flowtable_update(trans)) 8220 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 8221 else 8222 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 8223 break; 8224 } 8225 8226 if (trans->put_net) 8227 put_net(trans->ctx.net); 8228 8229 kfree(trans); 8230 } 8231 8232 static void nf_tables_trans_destroy_work(struct work_struct *w) 8233 { 8234 struct nft_trans *trans, *next; 8235 LIST_HEAD(head); 8236 8237 spin_lock(&nf_tables_destroy_list_lock); 8238 list_splice_init(&nf_tables_destroy_list, &head); 8239 spin_unlock(&nf_tables_destroy_list_lock); 8240 8241 if (list_empty(&head)) 8242 return; 8243 8244 synchronize_rcu(); 8245 8246 list_for_each_entry_safe(trans, next, &head, list) { 8247 list_del(&trans->list); 8248 nft_commit_release(trans); 8249 } 8250 } 8251 8252 void nf_tables_trans_destroy_flush_work(void) 8253 { 8254 flush_work(&trans_destroy_work); 8255 } 8256 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work); 8257 8258 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 8259 { 8260 const struct nft_expr *expr, *last; 8261 struct nft_regs_track track = {}; 8262 unsigned int size, data_size; 8263 void *data, *data_boundary; 8264 struct nft_rule_dp *prule; 8265 struct nft_rule *rule; 8266 8267 /* already handled or inactive chain? */ 8268 if (chain->blob_next || !nft_is_active_next(net, chain)) 8269 return 0; 8270 8271 rule = list_entry(&chain->rules, struct nft_rule, list); 8272 8273 data_size = 0; 8274 list_for_each_entry_continue(rule, &chain->rules, list) { 8275 if (nft_is_active_next(net, rule)) { 8276 data_size += sizeof(*prule) + rule->dlen; 8277 if (data_size > INT_MAX) 8278 return -ENOMEM; 8279 } 8280 } 8281 data_size += offsetof(struct nft_rule_dp, data); /* last rule */ 8282 8283 chain->blob_next = nf_tables_chain_alloc_rules(data_size); 8284 if (!chain->blob_next) 8285 return -ENOMEM; 8286 8287 data = (void *)chain->blob_next->data; 8288 data_boundary = data + data_size; 8289 size = 0; 8290 8291 list_for_each_entry_continue(rule, &chain->rules, list) { 8292 if (!nft_is_active_next(net, rule)) 8293 continue; 8294 8295 prule = (struct nft_rule_dp *)data; 8296 data += offsetof(struct nft_rule_dp, data); 8297 if (WARN_ON_ONCE(data > data_boundary)) 8298 return -ENOMEM; 8299 8300 size = 0; 8301 track.last = nft_expr_last(rule); 8302 nft_rule_for_each_expr(expr, last, rule) { 8303 track.cur = expr; 8304 8305 if (expr->ops->reduce && 8306 expr->ops->reduce(&track, expr)) { 8307 expr = track.cur; 8308 continue; 8309 } 8310 8311 if (WARN_ON_ONCE(data + expr->ops->size > data_boundary)) 8312 return -ENOMEM; 8313 8314 memcpy(data + size, expr, expr->ops->size); 8315 size += expr->ops->size; 8316 } 8317 if (WARN_ON_ONCE(size >= 1 << 12)) 8318 return -ENOMEM; 8319 8320 prule->handle = rule->handle; 8321 prule->dlen = size; 8322 prule->is_last = 0; 8323 8324 data += size; 8325 size = 0; 8326 chain->blob_next->size += (unsigned long)(data - (void *)prule); 8327 } 8328 8329 prule = (struct nft_rule_dp *)data; 8330 data += offsetof(struct nft_rule_dp, data); 8331 if (WARN_ON_ONCE(data > data_boundary)) 8332 return -ENOMEM; 8333 8334 nft_last_rule(chain->blob_next, prule); 8335 8336 return 0; 8337 } 8338 8339 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 8340 { 8341 struct nftables_pernet *nft_net = nft_pernet(net); 8342 struct nft_trans *trans, *next; 8343 8344 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8345 struct nft_chain *chain = trans->ctx.chain; 8346 8347 if (trans->msg_type == NFT_MSG_NEWRULE || 8348 trans->msg_type == NFT_MSG_DELRULE) { 8349 kvfree(chain->blob_next); 8350 chain->blob_next = NULL; 8351 } 8352 } 8353 } 8354 8355 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h) 8356 { 8357 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h); 8358 8359 kvfree(o->blob); 8360 } 8361 8362 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob) 8363 { 8364 struct nft_rules_old *old; 8365 8366 /* rcu_head is after end marker */ 8367 old = (void *)blob + sizeof(*blob) + blob->size; 8368 old->blob = blob; 8369 8370 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old); 8371 } 8372 8373 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 8374 { 8375 struct nft_rule_blob *g0, *g1; 8376 bool next_genbit; 8377 8378 next_genbit = nft_gencursor_next(net); 8379 8380 g0 = rcu_dereference_protected(chain->blob_gen_0, 8381 lockdep_commit_lock_is_held(net)); 8382 g1 = rcu_dereference_protected(chain->blob_gen_1, 8383 lockdep_commit_lock_is_held(net)); 8384 8385 /* No changes to this chain? */ 8386 if (chain->blob_next == NULL) { 8387 /* chain had no change in last or next generation */ 8388 if (g0 == g1) 8389 return; 8390 /* 8391 * chain had no change in this generation; make sure next 8392 * one uses same rules as current generation. 8393 */ 8394 if (next_genbit) { 8395 rcu_assign_pointer(chain->blob_gen_1, g0); 8396 nf_tables_commit_chain_free_rules_old(g1); 8397 } else { 8398 rcu_assign_pointer(chain->blob_gen_0, g1); 8399 nf_tables_commit_chain_free_rules_old(g0); 8400 } 8401 8402 return; 8403 } 8404 8405 if (next_genbit) 8406 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next); 8407 else 8408 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next); 8409 8410 chain->blob_next = NULL; 8411 8412 if (g0 == g1) 8413 return; 8414 8415 if (next_genbit) 8416 nf_tables_commit_chain_free_rules_old(g1); 8417 else 8418 nf_tables_commit_chain_free_rules_old(g0); 8419 } 8420 8421 static void nft_obj_del(struct nft_object *obj) 8422 { 8423 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 8424 list_del_rcu(&obj->list); 8425 } 8426 8427 void nft_chain_del(struct nft_chain *chain) 8428 { 8429 struct nft_table *table = chain->table; 8430 8431 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 8432 nft_chain_ht_params)); 8433 list_del_rcu(&chain->list); 8434 } 8435 8436 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable, 8437 struct list_head *hook_list) 8438 { 8439 struct nft_hook *hook, *next; 8440 8441 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 8442 if (hook->inactive) 8443 list_move(&hook->list, hook_list); 8444 } 8445 } 8446 8447 static void nf_tables_module_autoload_cleanup(struct net *net) 8448 { 8449 struct nftables_pernet *nft_net = nft_pernet(net); 8450 struct nft_module_request *req, *next; 8451 8452 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 8453 list_for_each_entry_safe(req, next, &nft_net->module_list, list) { 8454 WARN_ON_ONCE(!req->done); 8455 list_del(&req->list); 8456 kfree(req); 8457 } 8458 } 8459 8460 static void nf_tables_commit_release(struct net *net) 8461 { 8462 struct nftables_pernet *nft_net = nft_pernet(net); 8463 struct nft_trans *trans; 8464 8465 /* all side effects have to be made visible. 8466 * For example, if a chain named 'foo' has been deleted, a 8467 * new transaction must not find it anymore. 8468 * 8469 * Memory reclaim happens asynchronously from work queue 8470 * to prevent expensive synchronize_rcu() in commit phase. 8471 */ 8472 if (list_empty(&nft_net->commit_list)) { 8473 nf_tables_module_autoload_cleanup(net); 8474 mutex_unlock(&nft_net->commit_mutex); 8475 return; 8476 } 8477 8478 trans = list_last_entry(&nft_net->commit_list, 8479 struct nft_trans, list); 8480 get_net(trans->ctx.net); 8481 WARN_ON_ONCE(trans->put_net); 8482 8483 trans->put_net = true; 8484 spin_lock(&nf_tables_destroy_list_lock); 8485 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list); 8486 spin_unlock(&nf_tables_destroy_list_lock); 8487 8488 nf_tables_module_autoload_cleanup(net); 8489 schedule_work(&trans_destroy_work); 8490 8491 mutex_unlock(&nft_net->commit_mutex); 8492 } 8493 8494 static void nft_commit_notify(struct net *net, u32 portid) 8495 { 8496 struct nftables_pernet *nft_net = nft_pernet(net); 8497 struct sk_buff *batch_skb = NULL, *nskb, *skb; 8498 unsigned char *data; 8499 int len; 8500 8501 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) { 8502 if (!batch_skb) { 8503 new_batch: 8504 batch_skb = skb; 8505 len = NLMSG_GOODSIZE - skb->len; 8506 list_del(&skb->list); 8507 continue; 8508 } 8509 len -= skb->len; 8510 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) { 8511 data = skb_put(batch_skb, skb->len); 8512 memcpy(data, skb->data, skb->len); 8513 list_del(&skb->list); 8514 kfree_skb(skb); 8515 continue; 8516 } 8517 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 8518 NFT_CB(batch_skb).report, GFP_KERNEL); 8519 goto new_batch; 8520 } 8521 8522 if (batch_skb) { 8523 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 8524 NFT_CB(batch_skb).report, GFP_KERNEL); 8525 } 8526 8527 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 8528 } 8529 8530 static int nf_tables_commit_audit_alloc(struct list_head *adl, 8531 struct nft_table *table) 8532 { 8533 struct nft_audit_data *adp; 8534 8535 list_for_each_entry(adp, adl, list) { 8536 if (adp->table == table) 8537 return 0; 8538 } 8539 adp = kzalloc(sizeof(*adp), GFP_KERNEL); 8540 if (!adp) 8541 return -ENOMEM; 8542 adp->table = table; 8543 list_add(&adp->list, adl); 8544 return 0; 8545 } 8546 8547 static void nf_tables_commit_audit_free(struct list_head *adl) 8548 { 8549 struct nft_audit_data *adp, *adn; 8550 8551 list_for_each_entry_safe(adp, adn, adl, list) { 8552 list_del(&adp->list); 8553 kfree(adp); 8554 } 8555 } 8556 8557 static void nf_tables_commit_audit_collect(struct list_head *adl, 8558 struct nft_table *table, u32 op) 8559 { 8560 struct nft_audit_data *adp; 8561 8562 list_for_each_entry(adp, adl, list) { 8563 if (adp->table == table) 8564 goto found; 8565 } 8566 WARN_ONCE(1, "table=%s not expected in commit list", table->name); 8567 return; 8568 found: 8569 adp->entries++; 8570 if (!adp->op || adp->op > op) 8571 adp->op = op; 8572 } 8573 8574 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) 8575 8576 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) 8577 { 8578 struct nft_audit_data *adp, *adn; 8579 char aubuf[AUNFTABLENAMELEN]; 8580 8581 list_for_each_entry_safe(adp, adn, adl, list) { 8582 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, 8583 generation); 8584 audit_log_nfcfg(aubuf, adp->table->family, adp->entries, 8585 nft2audit_op[adp->op], GFP_KERNEL); 8586 list_del(&adp->list); 8587 kfree(adp); 8588 } 8589 } 8590 8591 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 8592 { 8593 struct nftables_pernet *nft_net = nft_pernet(net); 8594 struct nft_trans *trans, *next; 8595 struct nft_trans_elem *te; 8596 struct nft_chain *chain; 8597 struct nft_table *table; 8598 LIST_HEAD(adl); 8599 int err; 8600 8601 if (list_empty(&nft_net->commit_list)) { 8602 mutex_unlock(&nft_net->commit_mutex); 8603 return 0; 8604 } 8605 8606 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 8607 if (nf_tables_validate(net) < 0) 8608 return -EAGAIN; 8609 8610 err = nft_flow_rule_offload_commit(net); 8611 if (err < 0) 8612 return err; 8613 8614 /* 1. Allocate space for next generation rules_gen_X[] */ 8615 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8616 int ret; 8617 8618 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table); 8619 if (ret) { 8620 nf_tables_commit_chain_prepare_cancel(net); 8621 nf_tables_commit_audit_free(&adl); 8622 return ret; 8623 } 8624 if (trans->msg_type == NFT_MSG_NEWRULE || 8625 trans->msg_type == NFT_MSG_DELRULE) { 8626 chain = trans->ctx.chain; 8627 8628 ret = nf_tables_commit_chain_prepare(net, chain); 8629 if (ret < 0) { 8630 nf_tables_commit_chain_prepare_cancel(net); 8631 nf_tables_commit_audit_free(&adl); 8632 return ret; 8633 } 8634 } 8635 } 8636 8637 /* step 2. Make rules_gen_X visible to packet path */ 8638 list_for_each_entry(table, &nft_net->tables, list) { 8639 list_for_each_entry(chain, &table->chains, list) 8640 nf_tables_commit_chain(net, chain); 8641 } 8642 8643 /* 8644 * Bump generation counter, invalidate any dump in progress. 8645 * Cannot fail after this point. 8646 */ 8647 while (++nft_net->base_seq == 0) 8648 ; 8649 8650 /* step 3. Start new generation, rules_gen_X now in use. */ 8651 net->nft.gencursor = nft_gencursor_next(net); 8652 8653 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8654 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8655 trans->msg_type); 8656 switch (trans->msg_type) { 8657 case NFT_MSG_NEWTABLE: 8658 if (nft_trans_table_update(trans)) { 8659 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) { 8660 nft_trans_destroy(trans); 8661 break; 8662 } 8663 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT) 8664 nf_tables_table_disable(net, trans->ctx.table); 8665 8666 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE; 8667 } else { 8668 nft_clear(net, trans->ctx.table); 8669 } 8670 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE); 8671 nft_trans_destroy(trans); 8672 break; 8673 case NFT_MSG_DELTABLE: 8674 list_del_rcu(&trans->ctx.table->list); 8675 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE); 8676 break; 8677 case NFT_MSG_NEWCHAIN: 8678 if (nft_trans_chain_update(trans)) { 8679 nft_chain_commit_update(trans); 8680 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 8681 /* trans destroyed after rcu grace period */ 8682 } else { 8683 nft_chain_commit_drop_policy(trans); 8684 nft_clear(net, trans->ctx.chain); 8685 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 8686 nft_trans_destroy(trans); 8687 } 8688 break; 8689 case NFT_MSG_DELCHAIN: 8690 nft_chain_del(trans->ctx.chain); 8691 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN); 8692 nf_tables_unregister_hook(trans->ctx.net, 8693 trans->ctx.table, 8694 trans->ctx.chain); 8695 break; 8696 case NFT_MSG_NEWRULE: 8697 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 8698 nf_tables_rule_notify(&trans->ctx, 8699 nft_trans_rule(trans), 8700 NFT_MSG_NEWRULE); 8701 nft_trans_destroy(trans); 8702 break; 8703 case NFT_MSG_DELRULE: 8704 list_del_rcu(&nft_trans_rule(trans)->list); 8705 nf_tables_rule_notify(&trans->ctx, 8706 nft_trans_rule(trans), 8707 NFT_MSG_DELRULE); 8708 nft_rule_expr_deactivate(&trans->ctx, 8709 nft_trans_rule(trans), 8710 NFT_TRANS_COMMIT); 8711 break; 8712 case NFT_MSG_NEWSET: 8713 nft_clear(net, nft_trans_set(trans)); 8714 /* This avoids hitting -EBUSY when deleting the table 8715 * from the transaction. 8716 */ 8717 if (nft_set_is_anonymous(nft_trans_set(trans)) && 8718 !list_empty(&nft_trans_set(trans)->bindings)) 8719 trans->ctx.table->use--; 8720 8721 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 8722 NFT_MSG_NEWSET, GFP_KERNEL); 8723 nft_trans_destroy(trans); 8724 break; 8725 case NFT_MSG_DELSET: 8726 list_del_rcu(&nft_trans_set(trans)->list); 8727 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 8728 NFT_MSG_DELSET, GFP_KERNEL); 8729 break; 8730 case NFT_MSG_NEWSETELEM: 8731 te = (struct nft_trans_elem *)trans->data; 8732 8733 nft_setelem_activate(net, te->set, &te->elem); 8734 nf_tables_setelem_notify(&trans->ctx, te->set, 8735 &te->elem, 8736 NFT_MSG_NEWSETELEM); 8737 nft_trans_destroy(trans); 8738 break; 8739 case NFT_MSG_DELSETELEM: 8740 te = (struct nft_trans_elem *)trans->data; 8741 8742 nf_tables_setelem_notify(&trans->ctx, te->set, 8743 &te->elem, 8744 NFT_MSG_DELSETELEM); 8745 nft_setelem_remove(net, te->set, &te->elem); 8746 if (!nft_setelem_is_catchall(te->set, &te->elem)) { 8747 atomic_dec(&te->set->nelems); 8748 te->set->ndeact--; 8749 } 8750 break; 8751 case NFT_MSG_NEWOBJ: 8752 if (nft_trans_obj_update(trans)) { 8753 nft_obj_commit_update(trans); 8754 nf_tables_obj_notify(&trans->ctx, 8755 nft_trans_obj(trans), 8756 NFT_MSG_NEWOBJ); 8757 } else { 8758 nft_clear(net, nft_trans_obj(trans)); 8759 nf_tables_obj_notify(&trans->ctx, 8760 nft_trans_obj(trans), 8761 NFT_MSG_NEWOBJ); 8762 nft_trans_destroy(trans); 8763 } 8764 break; 8765 case NFT_MSG_DELOBJ: 8766 nft_obj_del(nft_trans_obj(trans)); 8767 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans), 8768 NFT_MSG_DELOBJ); 8769 break; 8770 case NFT_MSG_NEWFLOWTABLE: 8771 if (nft_trans_flowtable_update(trans)) { 8772 nft_trans_flowtable(trans)->data.flags = 8773 nft_trans_flowtable_flags(trans); 8774 nf_tables_flowtable_notify(&trans->ctx, 8775 nft_trans_flowtable(trans), 8776 &nft_trans_flowtable_hooks(trans), 8777 NFT_MSG_NEWFLOWTABLE); 8778 list_splice(&nft_trans_flowtable_hooks(trans), 8779 &nft_trans_flowtable(trans)->hook_list); 8780 } else { 8781 nft_clear(net, nft_trans_flowtable(trans)); 8782 nf_tables_flowtable_notify(&trans->ctx, 8783 nft_trans_flowtable(trans), 8784 &nft_trans_flowtable(trans)->hook_list, 8785 NFT_MSG_NEWFLOWTABLE); 8786 } 8787 nft_trans_destroy(trans); 8788 break; 8789 case NFT_MSG_DELFLOWTABLE: 8790 if (nft_trans_flowtable_update(trans)) { 8791 nft_flowtable_hooks_del(nft_trans_flowtable(trans), 8792 &nft_trans_flowtable_hooks(trans)); 8793 nf_tables_flowtable_notify(&trans->ctx, 8794 nft_trans_flowtable(trans), 8795 &nft_trans_flowtable_hooks(trans), 8796 NFT_MSG_DELFLOWTABLE); 8797 nft_unregister_flowtable_net_hooks(net, 8798 &nft_trans_flowtable_hooks(trans)); 8799 } else { 8800 list_del_rcu(&nft_trans_flowtable(trans)->list); 8801 nf_tables_flowtable_notify(&trans->ctx, 8802 nft_trans_flowtable(trans), 8803 &nft_trans_flowtable(trans)->hook_list, 8804 NFT_MSG_DELFLOWTABLE); 8805 nft_unregister_flowtable_net_hooks(net, 8806 &nft_trans_flowtable(trans)->hook_list); 8807 } 8808 break; 8809 } 8810 } 8811 8812 nft_commit_notify(net, NETLINK_CB(skb).portid); 8813 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 8814 nf_tables_commit_audit_log(&adl, nft_net->base_seq); 8815 nf_tables_commit_release(net); 8816 8817 return 0; 8818 } 8819 8820 static void nf_tables_module_autoload(struct net *net) 8821 { 8822 struct nftables_pernet *nft_net = nft_pernet(net); 8823 struct nft_module_request *req, *next; 8824 LIST_HEAD(module_list); 8825 8826 list_splice_init(&nft_net->module_list, &module_list); 8827 mutex_unlock(&nft_net->commit_mutex); 8828 list_for_each_entry_safe(req, next, &module_list, list) { 8829 request_module("%s", req->module); 8830 req->done = true; 8831 } 8832 mutex_lock(&nft_net->commit_mutex); 8833 list_splice(&module_list, &nft_net->module_list); 8834 } 8835 8836 static void nf_tables_abort_release(struct nft_trans *trans) 8837 { 8838 switch (trans->msg_type) { 8839 case NFT_MSG_NEWTABLE: 8840 nf_tables_table_destroy(&trans->ctx); 8841 break; 8842 case NFT_MSG_NEWCHAIN: 8843 nf_tables_chain_destroy(&trans->ctx); 8844 break; 8845 case NFT_MSG_NEWRULE: 8846 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 8847 break; 8848 case NFT_MSG_NEWSET: 8849 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 8850 break; 8851 case NFT_MSG_NEWSETELEM: 8852 nft_set_elem_destroy(nft_trans_elem_set(trans), 8853 nft_trans_elem(trans).priv, true); 8854 break; 8855 case NFT_MSG_NEWOBJ: 8856 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 8857 break; 8858 case NFT_MSG_NEWFLOWTABLE: 8859 if (nft_trans_flowtable_update(trans)) 8860 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 8861 else 8862 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 8863 break; 8864 } 8865 kfree(trans); 8866 } 8867 8868 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) 8869 { 8870 struct nftables_pernet *nft_net = nft_pernet(net); 8871 struct nft_trans *trans, *next; 8872 struct nft_trans_elem *te; 8873 struct nft_hook *hook; 8874 8875 if (action == NFNL_ABORT_VALIDATE && 8876 nf_tables_validate(net) < 0) 8877 return -EAGAIN; 8878 8879 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, 8880 list) { 8881 switch (trans->msg_type) { 8882 case NFT_MSG_NEWTABLE: 8883 if (nft_trans_table_update(trans)) { 8884 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) { 8885 nft_trans_destroy(trans); 8886 break; 8887 } 8888 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) { 8889 nf_tables_table_disable(net, trans->ctx.table); 8890 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 8891 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) { 8892 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT; 8893 } 8894 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE; 8895 nft_trans_destroy(trans); 8896 } else { 8897 list_del_rcu(&trans->ctx.table->list); 8898 } 8899 break; 8900 case NFT_MSG_DELTABLE: 8901 nft_clear(trans->ctx.net, trans->ctx.table); 8902 nft_trans_destroy(trans); 8903 break; 8904 case NFT_MSG_NEWCHAIN: 8905 if (nft_trans_chain_update(trans)) { 8906 free_percpu(nft_trans_chain_stats(trans)); 8907 kfree(nft_trans_chain_name(trans)); 8908 nft_trans_destroy(trans); 8909 } else { 8910 if (nft_chain_is_bound(trans->ctx.chain)) { 8911 nft_trans_destroy(trans); 8912 break; 8913 } 8914 trans->ctx.table->use--; 8915 nft_chain_del(trans->ctx.chain); 8916 nf_tables_unregister_hook(trans->ctx.net, 8917 trans->ctx.table, 8918 trans->ctx.chain); 8919 } 8920 break; 8921 case NFT_MSG_DELCHAIN: 8922 trans->ctx.table->use++; 8923 nft_clear(trans->ctx.net, trans->ctx.chain); 8924 nft_trans_destroy(trans); 8925 break; 8926 case NFT_MSG_NEWRULE: 8927 trans->ctx.chain->use--; 8928 list_del_rcu(&nft_trans_rule(trans)->list); 8929 nft_rule_expr_deactivate(&trans->ctx, 8930 nft_trans_rule(trans), 8931 NFT_TRANS_ABORT); 8932 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 8933 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 8934 break; 8935 case NFT_MSG_DELRULE: 8936 trans->ctx.chain->use++; 8937 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 8938 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans)); 8939 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 8940 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 8941 8942 nft_trans_destroy(trans); 8943 break; 8944 case NFT_MSG_NEWSET: 8945 trans->ctx.table->use--; 8946 if (nft_trans_set_bound(trans)) { 8947 nft_trans_destroy(trans); 8948 break; 8949 } 8950 list_del_rcu(&nft_trans_set(trans)->list); 8951 break; 8952 case NFT_MSG_DELSET: 8953 trans->ctx.table->use++; 8954 nft_clear(trans->ctx.net, nft_trans_set(trans)); 8955 nft_trans_destroy(trans); 8956 break; 8957 case NFT_MSG_NEWSETELEM: 8958 if (nft_trans_elem_set_bound(trans)) { 8959 nft_trans_destroy(trans); 8960 break; 8961 } 8962 te = (struct nft_trans_elem *)trans->data; 8963 nft_setelem_remove(net, te->set, &te->elem); 8964 if (!nft_setelem_is_catchall(te->set, &te->elem)) 8965 atomic_dec(&te->set->nelems); 8966 break; 8967 case NFT_MSG_DELSETELEM: 8968 te = (struct nft_trans_elem *)trans->data; 8969 8970 nft_setelem_data_activate(net, te->set, &te->elem); 8971 nft_setelem_activate(net, te->set, &te->elem); 8972 if (!nft_setelem_is_catchall(te->set, &te->elem)) 8973 te->set->ndeact--; 8974 8975 nft_trans_destroy(trans); 8976 break; 8977 case NFT_MSG_NEWOBJ: 8978 if (nft_trans_obj_update(trans)) { 8979 kfree(nft_trans_obj_newobj(trans)); 8980 nft_trans_destroy(trans); 8981 } else { 8982 trans->ctx.table->use--; 8983 nft_obj_del(nft_trans_obj(trans)); 8984 } 8985 break; 8986 case NFT_MSG_DELOBJ: 8987 trans->ctx.table->use++; 8988 nft_clear(trans->ctx.net, nft_trans_obj(trans)); 8989 nft_trans_destroy(trans); 8990 break; 8991 case NFT_MSG_NEWFLOWTABLE: 8992 if (nft_trans_flowtable_update(trans)) { 8993 nft_unregister_flowtable_net_hooks(net, 8994 &nft_trans_flowtable_hooks(trans)); 8995 } else { 8996 trans->ctx.table->use--; 8997 list_del_rcu(&nft_trans_flowtable(trans)->list); 8998 nft_unregister_flowtable_net_hooks(net, 8999 &nft_trans_flowtable(trans)->hook_list); 9000 } 9001 break; 9002 case NFT_MSG_DELFLOWTABLE: 9003 if (nft_trans_flowtable_update(trans)) { 9004 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list) 9005 hook->inactive = false; 9006 } else { 9007 trans->ctx.table->use++; 9008 nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); 9009 } 9010 nft_trans_destroy(trans); 9011 break; 9012 } 9013 } 9014 9015 synchronize_rcu(); 9016 9017 list_for_each_entry_safe_reverse(trans, next, 9018 &nft_net->commit_list, list) { 9019 list_del(&trans->list); 9020 nf_tables_abort_release(trans); 9021 } 9022 9023 if (action == NFNL_ABORT_AUTOLOAD) 9024 nf_tables_module_autoload(net); 9025 else 9026 nf_tables_module_autoload_cleanup(net); 9027 9028 return 0; 9029 } 9030 9031 static void nf_tables_cleanup(struct net *net) 9032 { 9033 nft_validate_state_update(net, NFT_VALIDATE_SKIP); 9034 } 9035 9036 static int nf_tables_abort(struct net *net, struct sk_buff *skb, 9037 enum nfnl_abort_action action) 9038 { 9039 struct nftables_pernet *nft_net = nft_pernet(net); 9040 int ret = __nf_tables_abort(net, action); 9041 9042 mutex_unlock(&nft_net->commit_mutex); 9043 9044 return ret; 9045 } 9046 9047 static bool nf_tables_valid_genid(struct net *net, u32 genid) 9048 { 9049 struct nftables_pernet *nft_net = nft_pernet(net); 9050 bool genid_ok; 9051 9052 mutex_lock(&nft_net->commit_mutex); 9053 9054 genid_ok = genid == 0 || nft_net->base_seq == genid; 9055 if (!genid_ok) 9056 mutex_unlock(&nft_net->commit_mutex); 9057 9058 /* else, commit mutex has to be released by commit or abort function */ 9059 return genid_ok; 9060 } 9061 9062 static const struct nfnetlink_subsystem nf_tables_subsys = { 9063 .name = "nf_tables", 9064 .subsys_id = NFNL_SUBSYS_NFTABLES, 9065 .cb_count = NFT_MSG_MAX, 9066 .cb = nf_tables_cb, 9067 .commit = nf_tables_commit, 9068 .abort = nf_tables_abort, 9069 .cleanup = nf_tables_cleanup, 9070 .valid_genid = nf_tables_valid_genid, 9071 .owner = THIS_MODULE, 9072 }; 9073 9074 int nft_chain_validate_dependency(const struct nft_chain *chain, 9075 enum nft_chain_types type) 9076 { 9077 const struct nft_base_chain *basechain; 9078 9079 if (nft_is_base_chain(chain)) { 9080 basechain = nft_base_chain(chain); 9081 if (basechain->type->type != type) 9082 return -EOPNOTSUPP; 9083 } 9084 return 0; 9085 } 9086 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 9087 9088 int nft_chain_validate_hooks(const struct nft_chain *chain, 9089 unsigned int hook_flags) 9090 { 9091 struct nft_base_chain *basechain; 9092 9093 if (nft_is_base_chain(chain)) { 9094 basechain = nft_base_chain(chain); 9095 9096 if ((1 << basechain->ops.hooknum) & hook_flags) 9097 return 0; 9098 9099 return -EOPNOTSUPP; 9100 } 9101 9102 return 0; 9103 } 9104 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 9105 9106 /* 9107 * Loop detection - walk through the ruleset beginning at the destination chain 9108 * of a new jump until either the source chain is reached (loop) or all 9109 * reachable chains have been traversed. 9110 * 9111 * The loop check is performed whenever a new jump verdict is added to an 9112 * expression or verdict map or a verdict map is bound to a new chain. 9113 */ 9114 9115 static int nf_tables_check_loops(const struct nft_ctx *ctx, 9116 const struct nft_chain *chain); 9117 9118 static int nft_check_loops(const struct nft_ctx *ctx, 9119 const struct nft_set_ext *ext) 9120 { 9121 const struct nft_data *data; 9122 int ret; 9123 9124 data = nft_set_ext_data(ext); 9125 switch (data->verdict.code) { 9126 case NFT_JUMP: 9127 case NFT_GOTO: 9128 ret = nf_tables_check_loops(ctx, data->verdict.chain); 9129 break; 9130 default: 9131 ret = 0; 9132 break; 9133 } 9134 9135 return ret; 9136 } 9137 9138 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, 9139 struct nft_set *set, 9140 const struct nft_set_iter *iter, 9141 struct nft_set_elem *elem) 9142 { 9143 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 9144 9145 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 9146 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 9147 return 0; 9148 9149 return nft_check_loops(ctx, ext); 9150 } 9151 9152 static int nft_set_catchall_loops(const struct nft_ctx *ctx, 9153 struct nft_set *set) 9154 { 9155 u8 genmask = nft_genmask_next(ctx->net); 9156 struct nft_set_elem_catchall *catchall; 9157 struct nft_set_ext *ext; 9158 int ret = 0; 9159 9160 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 9161 ext = nft_set_elem_ext(set, catchall->elem); 9162 if (!nft_set_elem_active(ext, genmask)) 9163 continue; 9164 9165 ret = nft_check_loops(ctx, ext); 9166 if (ret < 0) 9167 return ret; 9168 } 9169 9170 return ret; 9171 } 9172 9173 static int nf_tables_check_loops(const struct nft_ctx *ctx, 9174 const struct nft_chain *chain) 9175 { 9176 const struct nft_rule *rule; 9177 const struct nft_expr *expr, *last; 9178 struct nft_set *set; 9179 struct nft_set_binding *binding; 9180 struct nft_set_iter iter; 9181 9182 if (ctx->chain == chain) 9183 return -ELOOP; 9184 9185 list_for_each_entry(rule, &chain->rules, list) { 9186 nft_rule_for_each_expr(expr, last, rule) { 9187 struct nft_immediate_expr *priv; 9188 const struct nft_data *data; 9189 int err; 9190 9191 if (strcmp(expr->ops->type->name, "immediate")) 9192 continue; 9193 9194 priv = nft_expr_priv(expr); 9195 if (priv->dreg != NFT_REG_VERDICT) 9196 continue; 9197 9198 data = &priv->data; 9199 switch (data->verdict.code) { 9200 case NFT_JUMP: 9201 case NFT_GOTO: 9202 err = nf_tables_check_loops(ctx, 9203 data->verdict.chain); 9204 if (err < 0) 9205 return err; 9206 break; 9207 default: 9208 break; 9209 } 9210 } 9211 } 9212 9213 list_for_each_entry(set, &ctx->table->sets, list) { 9214 if (!nft_is_active_next(ctx->net, set)) 9215 continue; 9216 if (!(set->flags & NFT_SET_MAP) || 9217 set->dtype != NFT_DATA_VERDICT) 9218 continue; 9219 9220 list_for_each_entry(binding, &set->bindings, list) { 9221 if (!(binding->flags & NFT_SET_MAP) || 9222 binding->chain != chain) 9223 continue; 9224 9225 iter.genmask = nft_genmask_next(ctx->net); 9226 iter.skip = 0; 9227 iter.count = 0; 9228 iter.err = 0; 9229 iter.fn = nf_tables_loop_check_setelem; 9230 9231 set->ops->walk(ctx, set, &iter); 9232 if (!iter.err) 9233 iter.err = nft_set_catchall_loops(ctx, set); 9234 9235 if (iter.err < 0) 9236 return iter.err; 9237 } 9238 } 9239 9240 return 0; 9241 } 9242 9243 /** 9244 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 9245 * 9246 * @attr: netlink attribute to fetch value from 9247 * @max: maximum value to be stored in dest 9248 * @dest: pointer to the variable 9249 * 9250 * Parse, check and store a given u32 netlink attribute into variable. 9251 * This function returns -ERANGE if the value goes over maximum value. 9252 * Otherwise a 0 is returned and the attribute value is stored in the 9253 * destination variable. 9254 */ 9255 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 9256 { 9257 u32 val; 9258 9259 val = ntohl(nla_get_be32(attr)); 9260 if (val > max) 9261 return -ERANGE; 9262 9263 *dest = val; 9264 return 0; 9265 } 9266 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 9267 9268 static unsigned int nft_parse_register(const struct nlattr *attr) 9269 { 9270 unsigned int reg; 9271 9272 reg = ntohl(nla_get_be32(attr)); 9273 switch (reg) { 9274 case NFT_REG_VERDICT...NFT_REG_4: 9275 return reg * NFT_REG_SIZE / NFT_REG32_SIZE; 9276 default: 9277 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 9278 } 9279 } 9280 9281 /** 9282 * nft_dump_register - dump a register value to a netlink attribute 9283 * 9284 * @skb: socket buffer 9285 * @attr: attribute number 9286 * @reg: register number 9287 * 9288 * Construct a netlink attribute containing the register number. For 9289 * compatibility reasons, register numbers being a multiple of 4 are 9290 * translated to the corresponding 128 bit register numbers. 9291 */ 9292 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 9293 { 9294 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 9295 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 9296 else 9297 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 9298 9299 return nla_put_be32(skb, attr, htonl(reg)); 9300 } 9301 EXPORT_SYMBOL_GPL(nft_dump_register); 9302 9303 static int nft_validate_register_load(enum nft_registers reg, unsigned int len) 9304 { 9305 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 9306 return -EINVAL; 9307 if (len == 0) 9308 return -EINVAL; 9309 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 9310 return -ERANGE; 9311 9312 return 0; 9313 } 9314 9315 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len) 9316 { 9317 u32 reg; 9318 int err; 9319 9320 reg = nft_parse_register(attr); 9321 err = nft_validate_register_load(reg, len); 9322 if (err < 0) 9323 return err; 9324 9325 *sreg = reg; 9326 return 0; 9327 } 9328 EXPORT_SYMBOL_GPL(nft_parse_register_load); 9329 9330 static int nft_validate_register_store(const struct nft_ctx *ctx, 9331 enum nft_registers reg, 9332 const struct nft_data *data, 9333 enum nft_data_types type, 9334 unsigned int len) 9335 { 9336 int err; 9337 9338 switch (reg) { 9339 case NFT_REG_VERDICT: 9340 if (type != NFT_DATA_VERDICT) 9341 return -EINVAL; 9342 9343 if (data != NULL && 9344 (data->verdict.code == NFT_GOTO || 9345 data->verdict.code == NFT_JUMP)) { 9346 err = nf_tables_check_loops(ctx, data->verdict.chain); 9347 if (err < 0) 9348 return err; 9349 } 9350 9351 return 0; 9352 default: 9353 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 9354 return -EINVAL; 9355 if (len == 0) 9356 return -EINVAL; 9357 if (reg * NFT_REG32_SIZE + len > 9358 sizeof_field(struct nft_regs, data)) 9359 return -ERANGE; 9360 9361 if (data != NULL && type != NFT_DATA_VALUE) 9362 return -EINVAL; 9363 return 0; 9364 } 9365 } 9366 9367 int nft_parse_register_store(const struct nft_ctx *ctx, 9368 const struct nlattr *attr, u8 *dreg, 9369 const struct nft_data *data, 9370 enum nft_data_types type, unsigned int len) 9371 { 9372 int err; 9373 u32 reg; 9374 9375 reg = nft_parse_register(attr); 9376 err = nft_validate_register_store(ctx, reg, data, type, len); 9377 if (err < 0) 9378 return err; 9379 9380 *dreg = reg; 9381 return 0; 9382 } 9383 EXPORT_SYMBOL_GPL(nft_parse_register_store); 9384 9385 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 9386 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 9387 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 9388 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 9389 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 }, 9390 }; 9391 9392 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 9393 struct nft_data_desc *desc, const struct nlattr *nla) 9394 { 9395 u8 genmask = nft_genmask_next(ctx->net); 9396 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 9397 struct nft_chain *chain; 9398 int err; 9399 9400 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 9401 nft_verdict_policy, NULL); 9402 if (err < 0) 9403 return err; 9404 9405 if (!tb[NFTA_VERDICT_CODE]) 9406 return -EINVAL; 9407 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 9408 9409 switch (data->verdict.code) { 9410 default: 9411 switch (data->verdict.code & NF_VERDICT_MASK) { 9412 case NF_ACCEPT: 9413 case NF_DROP: 9414 case NF_QUEUE: 9415 break; 9416 default: 9417 return -EINVAL; 9418 } 9419 fallthrough; 9420 case NFT_CONTINUE: 9421 case NFT_BREAK: 9422 case NFT_RETURN: 9423 break; 9424 case NFT_JUMP: 9425 case NFT_GOTO: 9426 if (tb[NFTA_VERDICT_CHAIN]) { 9427 chain = nft_chain_lookup(ctx->net, ctx->table, 9428 tb[NFTA_VERDICT_CHAIN], 9429 genmask); 9430 } else if (tb[NFTA_VERDICT_CHAIN_ID]) { 9431 chain = nft_chain_lookup_byid(ctx->net, 9432 tb[NFTA_VERDICT_CHAIN_ID]); 9433 if (IS_ERR(chain)) 9434 return PTR_ERR(chain); 9435 } else { 9436 return -EINVAL; 9437 } 9438 9439 if (IS_ERR(chain)) 9440 return PTR_ERR(chain); 9441 if (nft_is_base_chain(chain)) 9442 return -EOPNOTSUPP; 9443 9444 chain->use++; 9445 data->verdict.chain = chain; 9446 break; 9447 } 9448 9449 desc->len = sizeof(data->verdict); 9450 desc->type = NFT_DATA_VERDICT; 9451 return 0; 9452 } 9453 9454 static void nft_verdict_uninit(const struct nft_data *data) 9455 { 9456 struct nft_chain *chain; 9457 struct nft_rule *rule; 9458 9459 switch (data->verdict.code) { 9460 case NFT_JUMP: 9461 case NFT_GOTO: 9462 chain = data->verdict.chain; 9463 chain->use--; 9464 9465 if (!nft_chain_is_bound(chain)) 9466 break; 9467 9468 chain->table->use--; 9469 list_for_each_entry(rule, &chain->rules, list) 9470 chain->use--; 9471 9472 nft_chain_del(chain); 9473 break; 9474 } 9475 } 9476 9477 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 9478 { 9479 struct nlattr *nest; 9480 9481 nest = nla_nest_start_noflag(skb, type); 9482 if (!nest) 9483 goto nla_put_failure; 9484 9485 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 9486 goto nla_put_failure; 9487 9488 switch (v->code) { 9489 case NFT_JUMP: 9490 case NFT_GOTO: 9491 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 9492 v->chain->name)) 9493 goto nla_put_failure; 9494 } 9495 nla_nest_end(skb, nest); 9496 return 0; 9497 9498 nla_put_failure: 9499 return -1; 9500 } 9501 9502 static int nft_value_init(const struct nft_ctx *ctx, 9503 struct nft_data *data, unsigned int size, 9504 struct nft_data_desc *desc, const struct nlattr *nla) 9505 { 9506 unsigned int len; 9507 9508 len = nla_len(nla); 9509 if (len == 0) 9510 return -EINVAL; 9511 if (len > size) 9512 return -EOVERFLOW; 9513 9514 nla_memcpy(data->data, nla, len); 9515 desc->type = NFT_DATA_VALUE; 9516 desc->len = len; 9517 return 0; 9518 } 9519 9520 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 9521 unsigned int len) 9522 { 9523 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 9524 } 9525 9526 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 9527 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 9528 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 9529 }; 9530 9531 /** 9532 * nft_data_init - parse nf_tables data netlink attributes 9533 * 9534 * @ctx: context of the expression using the data 9535 * @data: destination struct nft_data 9536 * @size: maximum data length 9537 * @desc: data description 9538 * @nla: netlink attribute containing data 9539 * 9540 * Parse the netlink data attributes and initialize a struct nft_data. 9541 * The type and length of data are returned in the data description. 9542 * 9543 * The caller can indicate that it only wants to accept data of type 9544 * NFT_DATA_VALUE by passing NULL for the ctx argument. 9545 */ 9546 int nft_data_init(const struct nft_ctx *ctx, 9547 struct nft_data *data, unsigned int size, 9548 struct nft_data_desc *desc, const struct nlattr *nla) 9549 { 9550 struct nlattr *tb[NFTA_DATA_MAX + 1]; 9551 int err; 9552 9553 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 9554 nft_data_policy, NULL); 9555 if (err < 0) 9556 return err; 9557 9558 if (tb[NFTA_DATA_VALUE]) 9559 return nft_value_init(ctx, data, size, desc, 9560 tb[NFTA_DATA_VALUE]); 9561 if (tb[NFTA_DATA_VERDICT] && ctx != NULL) 9562 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 9563 return -EINVAL; 9564 } 9565 EXPORT_SYMBOL_GPL(nft_data_init); 9566 9567 /** 9568 * nft_data_release - release a nft_data item 9569 * 9570 * @data: struct nft_data to release 9571 * @type: type of data 9572 * 9573 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 9574 * all others need to be released by calling this function. 9575 */ 9576 void nft_data_release(const struct nft_data *data, enum nft_data_types type) 9577 { 9578 if (type < NFT_DATA_VERDICT) 9579 return; 9580 switch (type) { 9581 case NFT_DATA_VERDICT: 9582 return nft_verdict_uninit(data); 9583 default: 9584 WARN_ON(1); 9585 } 9586 } 9587 EXPORT_SYMBOL_GPL(nft_data_release); 9588 9589 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 9590 enum nft_data_types type, unsigned int len) 9591 { 9592 struct nlattr *nest; 9593 int err; 9594 9595 nest = nla_nest_start_noflag(skb, attr); 9596 if (nest == NULL) 9597 return -1; 9598 9599 switch (type) { 9600 case NFT_DATA_VALUE: 9601 err = nft_value_dump(skb, data, len); 9602 break; 9603 case NFT_DATA_VERDICT: 9604 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 9605 break; 9606 default: 9607 err = -EINVAL; 9608 WARN_ON(1); 9609 } 9610 9611 nla_nest_end(skb, nest); 9612 return err; 9613 } 9614 EXPORT_SYMBOL_GPL(nft_data_dump); 9615 9616 int __nft_release_basechain(struct nft_ctx *ctx) 9617 { 9618 struct nft_rule *rule, *nr; 9619 9620 if (WARN_ON(!nft_is_base_chain(ctx->chain))) 9621 return 0; 9622 9623 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); 9624 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { 9625 list_del(&rule->list); 9626 ctx->chain->use--; 9627 nf_tables_rule_release(ctx, rule); 9628 } 9629 nft_chain_del(ctx->chain); 9630 ctx->table->use--; 9631 nf_tables_chain_destroy(ctx); 9632 9633 return 0; 9634 } 9635 EXPORT_SYMBOL_GPL(__nft_release_basechain); 9636 9637 static void __nft_release_hook(struct net *net, struct nft_table *table) 9638 { 9639 struct nft_chain *chain; 9640 9641 list_for_each_entry(chain, &table->chains, list) 9642 nf_tables_unregister_hook(net, table, chain); 9643 } 9644 9645 static void __nft_release_hooks(struct net *net) 9646 { 9647 struct nftables_pernet *nft_net = nft_pernet(net); 9648 struct nft_table *table; 9649 9650 list_for_each_entry(table, &nft_net->tables, list) { 9651 if (nft_table_has_owner(table)) 9652 continue; 9653 9654 __nft_release_hook(net, table); 9655 } 9656 } 9657 9658 static void __nft_release_table(struct net *net, struct nft_table *table) 9659 { 9660 struct nft_flowtable *flowtable, *nf; 9661 struct nft_chain *chain, *nc; 9662 struct nft_object *obj, *ne; 9663 struct nft_rule *rule, *nr; 9664 struct nft_set *set, *ns; 9665 struct nft_ctx ctx = { 9666 .net = net, 9667 .family = NFPROTO_NETDEV, 9668 }; 9669 9670 ctx.family = table->family; 9671 ctx.table = table; 9672 list_for_each_entry(chain, &table->chains, list) { 9673 ctx.chain = chain; 9674 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 9675 list_del(&rule->list); 9676 chain->use--; 9677 nf_tables_rule_release(&ctx, rule); 9678 } 9679 } 9680 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 9681 list_del(&flowtable->list); 9682 table->use--; 9683 nf_tables_flowtable_destroy(flowtable); 9684 } 9685 list_for_each_entry_safe(set, ns, &table->sets, list) { 9686 list_del(&set->list); 9687 table->use--; 9688 nft_set_destroy(&ctx, set); 9689 } 9690 list_for_each_entry_safe(obj, ne, &table->objects, list) { 9691 nft_obj_del(obj); 9692 table->use--; 9693 nft_obj_destroy(&ctx, obj); 9694 } 9695 list_for_each_entry_safe(chain, nc, &table->chains, list) { 9696 ctx.chain = chain; 9697 nft_chain_del(chain); 9698 table->use--; 9699 nf_tables_chain_destroy(&ctx); 9700 } 9701 nf_tables_table_destroy(&ctx); 9702 } 9703 9704 static void __nft_release_tables(struct net *net) 9705 { 9706 struct nftables_pernet *nft_net = nft_pernet(net); 9707 struct nft_table *table, *nt; 9708 9709 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 9710 if (nft_table_has_owner(table)) 9711 continue; 9712 9713 list_del(&table->list); 9714 9715 __nft_release_table(net, table); 9716 } 9717 } 9718 9719 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, 9720 void *ptr) 9721 { 9722 struct nft_table *table, *to_delete[8]; 9723 struct nftables_pernet *nft_net; 9724 struct netlink_notify *n = ptr; 9725 struct net *net = n->net; 9726 unsigned int deleted; 9727 bool restart = false; 9728 9729 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER) 9730 return NOTIFY_DONE; 9731 9732 nft_net = nft_pernet(net); 9733 deleted = 0; 9734 mutex_lock(&nft_net->commit_mutex); 9735 again: 9736 list_for_each_entry(table, &nft_net->tables, list) { 9737 if (nft_table_has_owner(table) && 9738 n->portid == table->nlpid) { 9739 __nft_release_hook(net, table); 9740 list_del_rcu(&table->list); 9741 to_delete[deleted++] = table; 9742 if (deleted >= ARRAY_SIZE(to_delete)) 9743 break; 9744 } 9745 } 9746 if (deleted) { 9747 restart = deleted >= ARRAY_SIZE(to_delete); 9748 synchronize_rcu(); 9749 while (deleted) 9750 __nft_release_table(net, to_delete[--deleted]); 9751 9752 if (restart) 9753 goto again; 9754 } 9755 mutex_unlock(&nft_net->commit_mutex); 9756 9757 return NOTIFY_DONE; 9758 } 9759 9760 static struct notifier_block nft_nl_notifier = { 9761 .notifier_call = nft_rcv_nl_event, 9762 }; 9763 9764 static int __net_init nf_tables_init_net(struct net *net) 9765 { 9766 struct nftables_pernet *nft_net = nft_pernet(net); 9767 9768 INIT_LIST_HEAD(&nft_net->tables); 9769 INIT_LIST_HEAD(&nft_net->commit_list); 9770 INIT_LIST_HEAD(&nft_net->module_list); 9771 INIT_LIST_HEAD(&nft_net->notify_list); 9772 mutex_init(&nft_net->commit_mutex); 9773 nft_net->base_seq = 1; 9774 nft_net->validate_state = NFT_VALIDATE_SKIP; 9775 9776 return 0; 9777 } 9778 9779 static void __net_exit nf_tables_pre_exit_net(struct net *net) 9780 { 9781 __nft_release_hooks(net); 9782 } 9783 9784 static void __net_exit nf_tables_exit_net(struct net *net) 9785 { 9786 struct nftables_pernet *nft_net = nft_pernet(net); 9787 9788 mutex_lock(&nft_net->commit_mutex); 9789 if (!list_empty(&nft_net->commit_list)) 9790 __nf_tables_abort(net, NFNL_ABORT_NONE); 9791 __nft_release_tables(net); 9792 mutex_unlock(&nft_net->commit_mutex); 9793 WARN_ON_ONCE(!list_empty(&nft_net->tables)); 9794 WARN_ON_ONCE(!list_empty(&nft_net->module_list)); 9795 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 9796 } 9797 9798 static struct pernet_operations nf_tables_net_ops = { 9799 .init = nf_tables_init_net, 9800 .pre_exit = nf_tables_pre_exit_net, 9801 .exit = nf_tables_exit_net, 9802 .id = &nf_tables_net_id, 9803 .size = sizeof(struct nftables_pernet), 9804 }; 9805 9806 static int __init nf_tables_module_init(void) 9807 { 9808 int err; 9809 9810 err = register_pernet_subsys(&nf_tables_net_ops); 9811 if (err < 0) 9812 return err; 9813 9814 err = nft_chain_filter_init(); 9815 if (err < 0) 9816 goto err_chain_filter; 9817 9818 err = nf_tables_core_module_init(); 9819 if (err < 0) 9820 goto err_core_module; 9821 9822 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 9823 if (err < 0) 9824 goto err_netdev_notifier; 9825 9826 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 9827 if (err < 0) 9828 goto err_rht_objname; 9829 9830 err = nft_offload_init(); 9831 if (err < 0) 9832 goto err_offload; 9833 9834 err = netlink_register_notifier(&nft_nl_notifier); 9835 if (err < 0) 9836 goto err_netlink_notifier; 9837 9838 /* must be last */ 9839 err = nfnetlink_subsys_register(&nf_tables_subsys); 9840 if (err < 0) 9841 goto err_nfnl_subsys; 9842 9843 nft_chain_route_init(); 9844 9845 return err; 9846 9847 err_nfnl_subsys: 9848 netlink_unregister_notifier(&nft_nl_notifier); 9849 err_netlink_notifier: 9850 nft_offload_exit(); 9851 err_offload: 9852 rhltable_destroy(&nft_objname_ht); 9853 err_rht_objname: 9854 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 9855 err_netdev_notifier: 9856 nf_tables_core_module_exit(); 9857 err_core_module: 9858 nft_chain_filter_fini(); 9859 err_chain_filter: 9860 unregister_pernet_subsys(&nf_tables_net_ops); 9861 return err; 9862 } 9863 9864 static void __exit nf_tables_module_exit(void) 9865 { 9866 nfnetlink_subsys_unregister(&nf_tables_subsys); 9867 netlink_unregister_notifier(&nft_nl_notifier); 9868 nft_offload_exit(); 9869 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 9870 nft_chain_filter_fini(); 9871 nft_chain_route_fini(); 9872 unregister_pernet_subsys(&nf_tables_net_ops); 9873 cancel_work_sync(&trans_destroy_work); 9874 rcu_barrier(); 9875 rhltable_destroy(&nft_objname_ht); 9876 nf_tables_core_module_exit(); 9877 } 9878 9879 module_init(nf_tables_module_init); 9880 module_exit(nf_tables_module_exit); 9881 9882 MODULE_LICENSE("GPL"); 9883 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 9884 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 9885