1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/skbuff.h> 12 #include <linux/netlink.h> 13 #include <linux/vmalloc.h> 14 #include <linux/rhashtable.h> 15 #include <linux/netfilter.h> 16 #include <linux/netfilter/nfnetlink.h> 17 #include <linux/netfilter/nf_tables.h> 18 #include <net/netfilter/nf_flow_table.h> 19 #include <net/netfilter/nf_tables_core.h> 20 #include <net/netfilter/nf_tables.h> 21 #include <net/netfilter/nf_tables_offload.h> 22 #include <net/net_namespace.h> 23 #include <net/sock.h> 24 25 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 26 27 static LIST_HEAD(nf_tables_expressions); 28 static LIST_HEAD(nf_tables_objects); 29 static LIST_HEAD(nf_tables_flowtables); 30 static LIST_HEAD(nf_tables_destroy_list); 31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 32 static u64 table_handle; 33 34 enum { 35 NFT_VALIDATE_SKIP = 0, 36 NFT_VALIDATE_NEED, 37 NFT_VALIDATE_DO, 38 }; 39 40 static struct rhltable nft_objname_ht; 41 42 static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 43 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 44 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 45 46 static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 47 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 48 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 49 50 static const struct rhashtable_params nft_chain_ht_params = { 51 .head_offset = offsetof(struct nft_chain, rhlhead), 52 .key_offset = offsetof(struct nft_chain, name), 53 .hashfn = nft_chain_hash, 54 .obj_hashfn = nft_chain_hash_obj, 55 .obj_cmpfn = nft_chain_hash_cmp, 56 .automatic_shrinking = true, 57 }; 58 59 static const struct rhashtable_params nft_objname_ht_params = { 60 .head_offset = offsetof(struct nft_object, rhlhead), 61 .key_offset = offsetof(struct nft_object, key), 62 .hashfn = nft_objname_hash, 63 .obj_hashfn = nft_objname_hash_obj, 64 .obj_cmpfn = nft_objname_hash_cmp, 65 .automatic_shrinking = true, 66 }; 67 68 static void nft_validate_state_update(struct net *net, u8 new_validate_state) 69 { 70 switch (net->nft.validate_state) { 71 case NFT_VALIDATE_SKIP: 72 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 73 break; 74 case NFT_VALIDATE_NEED: 75 break; 76 case NFT_VALIDATE_DO: 77 if (new_validate_state == NFT_VALIDATE_NEED) 78 return; 79 } 80 81 net->nft.validate_state = new_validate_state; 82 } 83 static void nf_tables_trans_destroy_work(struct work_struct *w); 84 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); 85 86 static void nft_ctx_init(struct nft_ctx *ctx, 87 struct net *net, 88 const struct sk_buff *skb, 89 const struct nlmsghdr *nlh, 90 u8 family, 91 struct nft_table *table, 92 struct nft_chain *chain, 93 const struct nlattr * const *nla) 94 { 95 ctx->net = net; 96 ctx->family = family; 97 ctx->level = 0; 98 ctx->table = table; 99 ctx->chain = chain; 100 ctx->nla = nla; 101 ctx->portid = NETLINK_CB(skb).portid; 102 ctx->report = nlmsg_report(nlh); 103 ctx->flags = nlh->nlmsg_flags; 104 ctx->seq = nlh->nlmsg_seq; 105 } 106 107 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 108 int msg_type, u32 size, gfp_t gfp) 109 { 110 struct nft_trans *trans; 111 112 trans = kzalloc(sizeof(struct nft_trans) + size, gfp); 113 if (trans == NULL) 114 return NULL; 115 116 trans->msg_type = msg_type; 117 trans->ctx = *ctx; 118 119 return trans; 120 } 121 122 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 123 int msg_type, u32 size) 124 { 125 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 126 } 127 128 static void nft_trans_destroy(struct nft_trans *trans) 129 { 130 list_del(&trans->list); 131 kfree(trans); 132 } 133 134 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 135 { 136 struct net *net = ctx->net; 137 struct nft_trans *trans; 138 139 if (!nft_set_is_anonymous(set)) 140 return; 141 142 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { 143 switch (trans->msg_type) { 144 case NFT_MSG_NEWSET: 145 if (nft_trans_set(trans) == set) 146 nft_trans_set_bound(trans) = true; 147 break; 148 case NFT_MSG_NEWSETELEM: 149 if (nft_trans_elem_set(trans) == set) 150 nft_trans_elem_set_bound(trans) = true; 151 break; 152 } 153 } 154 } 155 156 static int nft_netdev_register_hooks(struct net *net, 157 struct list_head *hook_list) 158 { 159 struct nft_hook *hook; 160 int err, j; 161 162 j = 0; 163 list_for_each_entry(hook, hook_list, list) { 164 err = nf_register_net_hook(net, &hook->ops); 165 if (err < 0) 166 goto err_register; 167 168 j++; 169 } 170 return 0; 171 172 err_register: 173 list_for_each_entry(hook, hook_list, list) { 174 if (j-- <= 0) 175 break; 176 177 nf_unregister_net_hook(net, &hook->ops); 178 } 179 return err; 180 } 181 182 static void nft_netdev_unregister_hooks(struct net *net, 183 struct list_head *hook_list) 184 { 185 struct nft_hook *hook; 186 187 list_for_each_entry(hook, hook_list, list) 188 nf_unregister_net_hook(net, &hook->ops); 189 } 190 191 static int nft_register_basechain_hooks(struct net *net, int family, 192 struct nft_base_chain *basechain) 193 { 194 if (family == NFPROTO_NETDEV) 195 return nft_netdev_register_hooks(net, &basechain->hook_list); 196 197 return nf_register_net_hook(net, &basechain->ops); 198 } 199 200 static void nft_unregister_basechain_hooks(struct net *net, int family, 201 struct nft_base_chain *basechain) 202 { 203 if (family == NFPROTO_NETDEV) 204 nft_netdev_unregister_hooks(net, &basechain->hook_list); 205 else 206 nf_unregister_net_hook(net, &basechain->ops); 207 } 208 209 static int nf_tables_register_hook(struct net *net, 210 const struct nft_table *table, 211 struct nft_chain *chain) 212 { 213 struct nft_base_chain *basechain; 214 const struct nf_hook_ops *ops; 215 216 if (table->flags & NFT_TABLE_F_DORMANT || 217 !nft_is_base_chain(chain)) 218 return 0; 219 220 basechain = nft_base_chain(chain); 221 ops = &basechain->ops; 222 223 if (basechain->type->ops_register) 224 return basechain->type->ops_register(net, ops); 225 226 return nft_register_basechain_hooks(net, table->family, basechain); 227 } 228 229 static void nf_tables_unregister_hook(struct net *net, 230 const struct nft_table *table, 231 struct nft_chain *chain) 232 { 233 struct nft_base_chain *basechain; 234 const struct nf_hook_ops *ops; 235 236 if (table->flags & NFT_TABLE_F_DORMANT || 237 !nft_is_base_chain(chain)) 238 return; 239 basechain = nft_base_chain(chain); 240 ops = &basechain->ops; 241 242 if (basechain->type->ops_unregister) 243 return basechain->type->ops_unregister(net, ops); 244 245 nft_unregister_basechain_hooks(net, table->family, basechain); 246 } 247 248 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 249 { 250 struct nft_trans *trans; 251 252 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 253 if (trans == NULL) 254 return -ENOMEM; 255 256 if (msg_type == NFT_MSG_NEWTABLE) 257 nft_activate_next(ctx->net, ctx->table); 258 259 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 260 return 0; 261 } 262 263 static int nft_deltable(struct nft_ctx *ctx) 264 { 265 int err; 266 267 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 268 if (err < 0) 269 return err; 270 271 nft_deactivate_next(ctx->net, ctx->table); 272 return err; 273 } 274 275 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 276 { 277 struct nft_trans *trans; 278 279 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 280 if (trans == NULL) 281 return ERR_PTR(-ENOMEM); 282 283 if (msg_type == NFT_MSG_NEWCHAIN) 284 nft_activate_next(ctx->net, ctx->chain); 285 286 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 287 return trans; 288 } 289 290 static int nft_delchain(struct nft_ctx *ctx) 291 { 292 struct nft_trans *trans; 293 294 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 295 if (IS_ERR(trans)) 296 return PTR_ERR(trans); 297 298 ctx->table->use--; 299 nft_deactivate_next(ctx->net, ctx->chain); 300 301 return 0; 302 } 303 304 static void nft_rule_expr_activate(const struct nft_ctx *ctx, 305 struct nft_rule *rule) 306 { 307 struct nft_expr *expr; 308 309 expr = nft_expr_first(rule); 310 while (expr != nft_expr_last(rule) && expr->ops) { 311 if (expr->ops->activate) 312 expr->ops->activate(ctx, expr); 313 314 expr = nft_expr_next(expr); 315 } 316 } 317 318 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, 319 struct nft_rule *rule, 320 enum nft_trans_phase phase) 321 { 322 struct nft_expr *expr; 323 324 expr = nft_expr_first(rule); 325 while (expr != nft_expr_last(rule) && expr->ops) { 326 if (expr->ops->deactivate) 327 expr->ops->deactivate(ctx, expr, phase); 328 329 expr = nft_expr_next(expr); 330 } 331 } 332 333 static int 334 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 335 { 336 /* You cannot delete the same rule twice */ 337 if (nft_is_active_next(ctx->net, rule)) { 338 nft_deactivate_next(ctx->net, rule); 339 ctx->chain->use--; 340 return 0; 341 } 342 return -ENOENT; 343 } 344 345 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 346 struct nft_rule *rule) 347 { 348 struct nft_trans *trans; 349 350 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 351 if (trans == NULL) 352 return NULL; 353 354 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 355 nft_trans_rule_id(trans) = 356 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 357 } 358 nft_trans_rule(trans) = rule; 359 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 360 361 return trans; 362 } 363 364 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 365 { 366 struct nft_flow_rule *flow; 367 struct nft_trans *trans; 368 int err; 369 370 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 371 if (trans == NULL) 372 return -ENOMEM; 373 374 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 375 flow = nft_flow_rule_create(ctx->net, rule); 376 if (IS_ERR(flow)) { 377 nft_trans_destroy(trans); 378 return PTR_ERR(flow); 379 } 380 381 nft_trans_flow_rule(trans) = flow; 382 } 383 384 err = nf_tables_delrule_deactivate(ctx, rule); 385 if (err < 0) { 386 nft_trans_destroy(trans); 387 return err; 388 } 389 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 390 391 return 0; 392 } 393 394 static int nft_delrule_by_chain(struct nft_ctx *ctx) 395 { 396 struct nft_rule *rule; 397 int err; 398 399 list_for_each_entry(rule, &ctx->chain->rules, list) { 400 if (!nft_is_active_next(ctx->net, rule)) 401 continue; 402 403 err = nft_delrule(ctx, rule); 404 if (err < 0) 405 return err; 406 } 407 return 0; 408 } 409 410 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 411 struct nft_set *set) 412 { 413 struct nft_trans *trans; 414 415 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 416 if (trans == NULL) 417 return -ENOMEM; 418 419 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) { 420 nft_trans_set_id(trans) = 421 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 422 nft_activate_next(ctx->net, set); 423 } 424 nft_trans_set(trans) = set; 425 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 426 427 return 0; 428 } 429 430 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 431 { 432 int err; 433 434 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 435 if (err < 0) 436 return err; 437 438 nft_deactivate_next(ctx->net, set); 439 ctx->table->use--; 440 441 return err; 442 } 443 444 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 445 struct nft_object *obj) 446 { 447 struct nft_trans *trans; 448 449 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 450 if (trans == NULL) 451 return -ENOMEM; 452 453 if (msg_type == NFT_MSG_NEWOBJ) 454 nft_activate_next(ctx->net, obj); 455 456 nft_trans_obj(trans) = obj; 457 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 458 459 return 0; 460 } 461 462 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 463 { 464 int err; 465 466 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 467 if (err < 0) 468 return err; 469 470 nft_deactivate_next(ctx->net, obj); 471 ctx->table->use--; 472 473 return err; 474 } 475 476 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 477 struct nft_flowtable *flowtable) 478 { 479 struct nft_trans *trans; 480 481 trans = nft_trans_alloc(ctx, msg_type, 482 sizeof(struct nft_trans_flowtable)); 483 if (trans == NULL) 484 return -ENOMEM; 485 486 if (msg_type == NFT_MSG_NEWFLOWTABLE) 487 nft_activate_next(ctx->net, flowtable); 488 489 nft_trans_flowtable(trans) = flowtable; 490 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 491 492 return 0; 493 } 494 495 static int nft_delflowtable(struct nft_ctx *ctx, 496 struct nft_flowtable *flowtable) 497 { 498 int err; 499 500 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 501 if (err < 0) 502 return err; 503 504 nft_deactivate_next(ctx->net, flowtable); 505 ctx->table->use--; 506 507 return err; 508 } 509 510 /* 511 * Tables 512 */ 513 514 static struct nft_table *nft_table_lookup(const struct net *net, 515 const struct nlattr *nla, 516 u8 family, u8 genmask) 517 { 518 struct nft_table *table; 519 520 if (nla == NULL) 521 return ERR_PTR(-EINVAL); 522 523 list_for_each_entry_rcu(table, &net->nft.tables, list, 524 lockdep_is_held(&net->nft.commit_mutex)) { 525 if (!nla_strcmp(nla, table->name) && 526 table->family == family && 527 nft_active_genmask(table, genmask)) 528 return table; 529 } 530 531 return ERR_PTR(-ENOENT); 532 } 533 534 static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 535 const struct nlattr *nla, 536 u8 genmask) 537 { 538 struct nft_table *table; 539 540 list_for_each_entry(table, &net->nft.tables, list) { 541 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 542 nft_active_genmask(table, genmask)) 543 return table; 544 } 545 546 return ERR_PTR(-ENOENT); 547 } 548 549 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 550 { 551 return ++table->hgenerator; 552 } 553 554 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 555 556 static const struct nft_chain_type * 557 __nft_chain_type_get(u8 family, enum nft_chain_types type) 558 { 559 if (family >= NFPROTO_NUMPROTO || 560 type >= NFT_CHAIN_T_MAX) 561 return NULL; 562 563 return chain_type[family][type]; 564 } 565 566 static const struct nft_chain_type * 567 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 568 { 569 const struct nft_chain_type *type; 570 int i; 571 572 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 573 type = __nft_chain_type_get(family, i); 574 if (!type) 575 continue; 576 if (!nla_strcmp(nla, type->name)) 577 return type; 578 } 579 return NULL; 580 } 581 582 struct nft_module_request { 583 struct list_head list; 584 char module[MODULE_NAME_LEN]; 585 bool done; 586 }; 587 588 #ifdef CONFIG_MODULES 589 static int nft_request_module(struct net *net, const char *fmt, ...) 590 { 591 char module_name[MODULE_NAME_LEN]; 592 struct nft_module_request *req; 593 va_list args; 594 int ret; 595 596 va_start(args, fmt); 597 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 598 va_end(args); 599 if (ret >= MODULE_NAME_LEN) 600 return 0; 601 602 list_for_each_entry(req, &net->nft.module_list, list) { 603 if (!strcmp(req->module, module_name)) { 604 if (req->done) 605 return 0; 606 607 /* A request to load this module already exists. */ 608 return -EAGAIN; 609 } 610 } 611 612 req = kmalloc(sizeof(*req), GFP_KERNEL); 613 if (!req) 614 return -ENOMEM; 615 616 req->done = false; 617 strlcpy(req->module, module_name, MODULE_NAME_LEN); 618 list_add_tail(&req->list, &net->nft.module_list); 619 620 return -EAGAIN; 621 } 622 #endif 623 624 static void lockdep_nfnl_nft_mutex_not_held(void) 625 { 626 #ifdef CONFIG_PROVE_LOCKING 627 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 628 #endif 629 } 630 631 static const struct nft_chain_type * 632 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 633 u8 family, bool autoload) 634 { 635 const struct nft_chain_type *type; 636 637 type = __nf_tables_chain_type_lookup(nla, family); 638 if (type != NULL) 639 return type; 640 641 lockdep_nfnl_nft_mutex_not_held(); 642 #ifdef CONFIG_MODULES 643 if (autoload) { 644 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 645 nla_len(nla), 646 (const char *)nla_data(nla)) == -EAGAIN) 647 return ERR_PTR(-EAGAIN); 648 } 649 #endif 650 return ERR_PTR(-ENOENT); 651 } 652 653 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 654 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 655 .len = NFT_TABLE_MAXNAMELEN - 1 }, 656 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 657 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 658 }; 659 660 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 661 u32 portid, u32 seq, int event, u32 flags, 662 int family, const struct nft_table *table) 663 { 664 struct nlmsghdr *nlh; 665 struct nfgenmsg *nfmsg; 666 667 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 668 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 669 if (nlh == NULL) 670 goto nla_put_failure; 671 672 nfmsg = nlmsg_data(nlh); 673 nfmsg->nfgen_family = family; 674 nfmsg->version = NFNETLINK_V0; 675 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 676 677 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 678 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) || 679 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 680 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 681 NFTA_TABLE_PAD)) 682 goto nla_put_failure; 683 684 nlmsg_end(skb, nlh); 685 return 0; 686 687 nla_put_failure: 688 nlmsg_trim(skb, nlh); 689 return -1; 690 } 691 692 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 693 { 694 struct sk_buff *skb; 695 int err; 696 697 if (!ctx->report && 698 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 699 return; 700 701 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 702 if (skb == NULL) 703 goto err; 704 705 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 706 event, 0, ctx->family, ctx->table); 707 if (err < 0) { 708 kfree_skb(skb); 709 goto err; 710 } 711 712 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 713 ctx->report, GFP_KERNEL); 714 return; 715 err: 716 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 717 } 718 719 static int nf_tables_dump_tables(struct sk_buff *skb, 720 struct netlink_callback *cb) 721 { 722 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 723 const struct nft_table *table; 724 unsigned int idx = 0, s_idx = cb->args[0]; 725 struct net *net = sock_net(skb->sk); 726 int family = nfmsg->nfgen_family; 727 728 rcu_read_lock(); 729 cb->seq = net->nft.base_seq; 730 731 list_for_each_entry_rcu(table, &net->nft.tables, list) { 732 if (family != NFPROTO_UNSPEC && family != table->family) 733 continue; 734 735 if (idx < s_idx) 736 goto cont; 737 if (idx > s_idx) 738 memset(&cb->args[1], 0, 739 sizeof(cb->args) - sizeof(cb->args[0])); 740 if (!nft_is_active(net, table)) 741 continue; 742 if (nf_tables_fill_table_info(skb, net, 743 NETLINK_CB(cb->skb).portid, 744 cb->nlh->nlmsg_seq, 745 NFT_MSG_NEWTABLE, NLM_F_MULTI, 746 table->family, table) < 0) 747 goto done; 748 749 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 750 cont: 751 idx++; 752 } 753 done: 754 rcu_read_unlock(); 755 cb->args[0] = idx; 756 return skb->len; 757 } 758 759 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 760 const struct nlmsghdr *nlh, 761 struct netlink_dump_control *c) 762 { 763 int err; 764 765 if (!try_module_get(THIS_MODULE)) 766 return -EINVAL; 767 768 rcu_read_unlock(); 769 err = netlink_dump_start(nlsk, skb, nlh, c); 770 rcu_read_lock(); 771 module_put(THIS_MODULE); 772 773 return err; 774 } 775 776 /* called with rcu_read_lock held */ 777 static int nf_tables_gettable(struct net *net, struct sock *nlsk, 778 struct sk_buff *skb, const struct nlmsghdr *nlh, 779 const struct nlattr * const nla[], 780 struct netlink_ext_ack *extack) 781 { 782 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 783 u8 genmask = nft_genmask_cur(net); 784 const struct nft_table *table; 785 struct sk_buff *skb2; 786 int family = nfmsg->nfgen_family; 787 int err; 788 789 if (nlh->nlmsg_flags & NLM_F_DUMP) { 790 struct netlink_dump_control c = { 791 .dump = nf_tables_dump_tables, 792 .module = THIS_MODULE, 793 }; 794 795 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 796 } 797 798 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask); 799 if (IS_ERR(table)) { 800 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 801 return PTR_ERR(table); 802 } 803 804 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 805 if (!skb2) 806 return -ENOMEM; 807 808 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 809 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0, 810 family, table); 811 if (err < 0) 812 goto err; 813 814 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 815 816 err: 817 kfree_skb(skb2); 818 return err; 819 } 820 821 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 822 { 823 struct nft_chain *chain; 824 u32 i = 0; 825 826 list_for_each_entry(chain, &table->chains, list) { 827 if (!nft_is_active_next(net, chain)) 828 continue; 829 if (!nft_is_base_chain(chain)) 830 continue; 831 832 if (cnt && i++ == cnt) 833 break; 834 835 nft_unregister_basechain_hooks(net, table->family, 836 nft_base_chain(chain)); 837 } 838 } 839 840 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 841 { 842 struct nft_chain *chain; 843 int err, i = 0; 844 845 list_for_each_entry(chain, &table->chains, list) { 846 if (!nft_is_active_next(net, chain)) 847 continue; 848 if (!nft_is_base_chain(chain)) 849 continue; 850 851 err = nft_register_basechain_hooks(net, table->family, 852 nft_base_chain(chain)); 853 if (err < 0) 854 goto err_register_hooks; 855 856 i++; 857 } 858 return 0; 859 860 err_register_hooks: 861 if (i) 862 nft_table_disable(net, table, i); 863 return err; 864 } 865 866 static void nf_tables_table_disable(struct net *net, struct nft_table *table) 867 { 868 nft_table_disable(net, table, 0); 869 } 870 871 static int nf_tables_updtable(struct nft_ctx *ctx) 872 { 873 struct nft_trans *trans; 874 u32 flags; 875 int ret = 0; 876 877 if (!ctx->nla[NFTA_TABLE_FLAGS]) 878 return 0; 879 880 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 881 if (flags & ~NFT_TABLE_F_DORMANT) 882 return -EINVAL; 883 884 if (flags == ctx->table->flags) 885 return 0; 886 887 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 888 sizeof(struct nft_trans_table)); 889 if (trans == NULL) 890 return -ENOMEM; 891 892 if ((flags & NFT_TABLE_F_DORMANT) && 893 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 894 nft_trans_table_enable(trans) = false; 895 } else if (!(flags & NFT_TABLE_F_DORMANT) && 896 ctx->table->flags & NFT_TABLE_F_DORMANT) { 897 ret = nf_tables_table_enable(ctx->net, ctx->table); 898 if (ret >= 0) { 899 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 900 nft_trans_table_enable(trans) = true; 901 } 902 } 903 if (ret < 0) 904 goto err; 905 906 nft_trans_table_update(trans) = true; 907 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 908 return 0; 909 err: 910 nft_trans_destroy(trans); 911 return ret; 912 } 913 914 static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 915 { 916 const char *name = data; 917 918 return jhash(name, strlen(name), seed); 919 } 920 921 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 922 { 923 const struct nft_chain *chain = data; 924 925 return nft_chain_hash(chain->name, 0, seed); 926 } 927 928 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 929 const void *ptr) 930 { 931 const struct nft_chain *chain = ptr; 932 const char *name = arg->key; 933 934 return strcmp(chain->name, name); 935 } 936 937 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 938 { 939 const struct nft_object_hash_key *k = data; 940 941 seed ^= hash_ptr(k->table, 32); 942 943 return jhash(k->name, strlen(k->name), seed); 944 } 945 946 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 947 { 948 const struct nft_object *obj = data; 949 950 return nft_objname_hash(&obj->key, 0, seed); 951 } 952 953 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 954 const void *ptr) 955 { 956 const struct nft_object_hash_key *k = arg->key; 957 const struct nft_object *obj = ptr; 958 959 if (obj->key.table != k->table) 960 return -1; 961 962 return strcmp(obj->key.name, k->name); 963 } 964 965 static int nf_tables_newtable(struct net *net, struct sock *nlsk, 966 struct sk_buff *skb, const struct nlmsghdr *nlh, 967 const struct nlattr * const nla[], 968 struct netlink_ext_ack *extack) 969 { 970 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 971 u8 genmask = nft_genmask_next(net); 972 int family = nfmsg->nfgen_family; 973 const struct nlattr *attr; 974 struct nft_table *table; 975 u32 flags = 0; 976 struct nft_ctx ctx; 977 int err; 978 979 lockdep_assert_held(&net->nft.commit_mutex); 980 attr = nla[NFTA_TABLE_NAME]; 981 table = nft_table_lookup(net, attr, family, genmask); 982 if (IS_ERR(table)) { 983 if (PTR_ERR(table) != -ENOENT) 984 return PTR_ERR(table); 985 } else { 986 if (nlh->nlmsg_flags & NLM_F_EXCL) { 987 NL_SET_BAD_ATTR(extack, attr); 988 return -EEXIST; 989 } 990 if (nlh->nlmsg_flags & NLM_F_REPLACE) 991 return -EOPNOTSUPP; 992 993 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 994 return nf_tables_updtable(&ctx); 995 } 996 997 if (nla[NFTA_TABLE_FLAGS]) { 998 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 999 if (flags & ~NFT_TABLE_F_DORMANT) 1000 return -EINVAL; 1001 } 1002 1003 err = -ENOMEM; 1004 table = kzalloc(sizeof(*table), GFP_KERNEL); 1005 if (table == NULL) 1006 goto err_kzalloc; 1007 1008 table->name = nla_strdup(attr, GFP_KERNEL); 1009 if (table->name == NULL) 1010 goto err_strdup; 1011 1012 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1013 if (err) 1014 goto err_chain_ht; 1015 1016 INIT_LIST_HEAD(&table->chains); 1017 INIT_LIST_HEAD(&table->sets); 1018 INIT_LIST_HEAD(&table->objects); 1019 INIT_LIST_HEAD(&table->flowtables); 1020 table->family = family; 1021 table->flags = flags; 1022 table->handle = ++table_handle; 1023 1024 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 1025 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1026 if (err < 0) 1027 goto err_trans; 1028 1029 list_add_tail_rcu(&table->list, &net->nft.tables); 1030 return 0; 1031 err_trans: 1032 rhltable_destroy(&table->chains_ht); 1033 err_chain_ht: 1034 kfree(table->name); 1035 err_strdup: 1036 kfree(table); 1037 err_kzalloc: 1038 return err; 1039 } 1040 1041 static int nft_flush_table(struct nft_ctx *ctx) 1042 { 1043 struct nft_flowtable *flowtable, *nft; 1044 struct nft_chain *chain, *nc; 1045 struct nft_object *obj, *ne; 1046 struct nft_set *set, *ns; 1047 int err; 1048 1049 list_for_each_entry(chain, &ctx->table->chains, list) { 1050 if (!nft_is_active_next(ctx->net, chain)) 1051 continue; 1052 1053 ctx->chain = chain; 1054 1055 err = nft_delrule_by_chain(ctx); 1056 if (err < 0) 1057 goto out; 1058 } 1059 1060 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1061 if (!nft_is_active_next(ctx->net, set)) 1062 continue; 1063 1064 if (nft_set_is_anonymous(set) && 1065 !list_empty(&set->bindings)) 1066 continue; 1067 1068 err = nft_delset(ctx, set); 1069 if (err < 0) 1070 goto out; 1071 } 1072 1073 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1074 if (!nft_is_active_next(ctx->net, flowtable)) 1075 continue; 1076 1077 err = nft_delflowtable(ctx, flowtable); 1078 if (err < 0) 1079 goto out; 1080 } 1081 1082 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1083 if (!nft_is_active_next(ctx->net, obj)) 1084 continue; 1085 1086 err = nft_delobj(ctx, obj); 1087 if (err < 0) 1088 goto out; 1089 } 1090 1091 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1092 if (!nft_is_active_next(ctx->net, chain)) 1093 continue; 1094 1095 ctx->chain = chain; 1096 1097 err = nft_delchain(ctx); 1098 if (err < 0) 1099 goto out; 1100 } 1101 1102 err = nft_deltable(ctx); 1103 out: 1104 return err; 1105 } 1106 1107 static int nft_flush(struct nft_ctx *ctx, int family) 1108 { 1109 struct nft_table *table, *nt; 1110 const struct nlattr * const *nla = ctx->nla; 1111 int err = 0; 1112 1113 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { 1114 if (family != AF_UNSPEC && table->family != family) 1115 continue; 1116 1117 ctx->family = table->family; 1118 1119 if (!nft_is_active_next(ctx->net, table)) 1120 continue; 1121 1122 if (nla[NFTA_TABLE_NAME] && 1123 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1124 continue; 1125 1126 ctx->table = table; 1127 1128 err = nft_flush_table(ctx); 1129 if (err < 0) 1130 goto out; 1131 } 1132 out: 1133 return err; 1134 } 1135 1136 static int nf_tables_deltable(struct net *net, struct sock *nlsk, 1137 struct sk_buff *skb, const struct nlmsghdr *nlh, 1138 const struct nlattr * const nla[], 1139 struct netlink_ext_ack *extack) 1140 { 1141 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1142 u8 genmask = nft_genmask_next(net); 1143 int family = nfmsg->nfgen_family; 1144 const struct nlattr *attr; 1145 struct nft_table *table; 1146 struct nft_ctx ctx; 1147 1148 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla); 1149 if (family == AF_UNSPEC || 1150 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1151 return nft_flush(&ctx, family); 1152 1153 if (nla[NFTA_TABLE_HANDLE]) { 1154 attr = nla[NFTA_TABLE_HANDLE]; 1155 table = nft_table_lookup_byhandle(net, attr, genmask); 1156 } else { 1157 attr = nla[NFTA_TABLE_NAME]; 1158 table = nft_table_lookup(net, attr, family, genmask); 1159 } 1160 1161 if (IS_ERR(table)) { 1162 NL_SET_BAD_ATTR(extack, attr); 1163 return PTR_ERR(table); 1164 } 1165 1166 if (nlh->nlmsg_flags & NLM_F_NONREC && 1167 table->use > 0) 1168 return -EBUSY; 1169 1170 ctx.family = family; 1171 ctx.table = table; 1172 1173 return nft_flush_table(&ctx); 1174 } 1175 1176 static void nf_tables_table_destroy(struct nft_ctx *ctx) 1177 { 1178 if (WARN_ON(ctx->table->use > 0)) 1179 return; 1180 1181 rhltable_destroy(&ctx->table->chains_ht); 1182 kfree(ctx->table->name); 1183 kfree(ctx->table); 1184 } 1185 1186 void nft_register_chain_type(const struct nft_chain_type *ctype) 1187 { 1188 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1189 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1190 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1191 return; 1192 } 1193 chain_type[ctype->family][ctype->type] = ctype; 1194 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1195 } 1196 EXPORT_SYMBOL_GPL(nft_register_chain_type); 1197 1198 void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1199 { 1200 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1201 chain_type[ctype->family][ctype->type] = NULL; 1202 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1203 } 1204 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1205 1206 /* 1207 * Chains 1208 */ 1209 1210 static struct nft_chain * 1211 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1212 { 1213 struct nft_chain *chain; 1214 1215 list_for_each_entry(chain, &table->chains, list) { 1216 if (chain->handle == handle && 1217 nft_active_genmask(chain, genmask)) 1218 return chain; 1219 } 1220 1221 return ERR_PTR(-ENOENT); 1222 } 1223 1224 static bool lockdep_commit_lock_is_held(const struct net *net) 1225 { 1226 #ifdef CONFIG_PROVE_LOCKING 1227 return lockdep_is_held(&net->nft.commit_mutex); 1228 #else 1229 return true; 1230 #endif 1231 } 1232 1233 static struct nft_chain *nft_chain_lookup(struct net *net, 1234 struct nft_table *table, 1235 const struct nlattr *nla, u8 genmask) 1236 { 1237 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1238 struct rhlist_head *tmp, *list; 1239 struct nft_chain *chain; 1240 1241 if (nla == NULL) 1242 return ERR_PTR(-EINVAL); 1243 1244 nla_strlcpy(search, nla, sizeof(search)); 1245 1246 WARN_ON(!rcu_read_lock_held() && 1247 !lockdep_commit_lock_is_held(net)); 1248 1249 chain = ERR_PTR(-ENOENT); 1250 rcu_read_lock(); 1251 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1252 if (!list) 1253 goto out_unlock; 1254 1255 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1256 if (nft_active_genmask(chain, genmask)) 1257 goto out_unlock; 1258 } 1259 chain = ERR_PTR(-ENOENT); 1260 out_unlock: 1261 rcu_read_unlock(); 1262 return chain; 1263 } 1264 1265 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1266 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1267 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1268 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1269 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1270 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1271 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1272 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1273 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1274 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1275 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1276 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1277 }; 1278 1279 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1280 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1281 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1282 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1283 .len = IFNAMSIZ - 1 }, 1284 }; 1285 1286 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1287 { 1288 struct nft_stats *cpu_stats, total; 1289 struct nlattr *nest; 1290 unsigned int seq; 1291 u64 pkts, bytes; 1292 int cpu; 1293 1294 if (!stats) 1295 return 0; 1296 1297 memset(&total, 0, sizeof(total)); 1298 for_each_possible_cpu(cpu) { 1299 cpu_stats = per_cpu_ptr(stats, cpu); 1300 do { 1301 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp); 1302 pkts = cpu_stats->pkts; 1303 bytes = cpu_stats->bytes; 1304 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq)); 1305 total.pkts += pkts; 1306 total.bytes += bytes; 1307 } 1308 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1309 if (nest == NULL) 1310 goto nla_put_failure; 1311 1312 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1313 NFTA_COUNTER_PAD) || 1314 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1315 NFTA_COUNTER_PAD)) 1316 goto nla_put_failure; 1317 1318 nla_nest_end(skb, nest); 1319 return 0; 1320 1321 nla_put_failure: 1322 return -ENOSPC; 1323 } 1324 1325 static int nft_dump_basechain_hook(struct sk_buff *skb, int family, 1326 const struct nft_base_chain *basechain) 1327 { 1328 const struct nf_hook_ops *ops = &basechain->ops; 1329 struct nft_hook *hook, *first = NULL; 1330 struct nlattr *nest, *nest_devs; 1331 int n = 0; 1332 1333 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1334 if (nest == NULL) 1335 goto nla_put_failure; 1336 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1337 goto nla_put_failure; 1338 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1339 goto nla_put_failure; 1340 1341 if (family == NFPROTO_NETDEV) { 1342 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1343 list_for_each_entry(hook, &basechain->hook_list, list) { 1344 if (!first) 1345 first = hook; 1346 1347 if (nla_put_string(skb, NFTA_DEVICE_NAME, 1348 hook->ops.dev->name)) 1349 goto nla_put_failure; 1350 n++; 1351 } 1352 nla_nest_end(skb, nest_devs); 1353 1354 if (n == 1 && 1355 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) 1356 goto nla_put_failure; 1357 } 1358 nla_nest_end(skb, nest); 1359 1360 return 0; 1361 nla_put_failure: 1362 return -1; 1363 } 1364 1365 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 1366 u32 portid, u32 seq, int event, u32 flags, 1367 int family, const struct nft_table *table, 1368 const struct nft_chain *chain) 1369 { 1370 struct nlmsghdr *nlh; 1371 struct nfgenmsg *nfmsg; 1372 1373 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1374 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 1375 if (nlh == NULL) 1376 goto nla_put_failure; 1377 1378 nfmsg = nlmsg_data(nlh); 1379 nfmsg->nfgen_family = family; 1380 nfmsg->version = NFNETLINK_V0; 1381 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 1382 1383 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) 1384 goto nla_put_failure; 1385 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 1386 NFTA_CHAIN_PAD)) 1387 goto nla_put_failure; 1388 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name)) 1389 goto nla_put_failure; 1390 1391 if (nft_is_base_chain(chain)) { 1392 const struct nft_base_chain *basechain = nft_base_chain(chain); 1393 struct nft_stats __percpu *stats; 1394 1395 if (nft_dump_basechain_hook(skb, family, basechain)) 1396 goto nla_put_failure; 1397 1398 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1399 htonl(basechain->policy))) 1400 goto nla_put_failure; 1401 1402 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1403 goto nla_put_failure; 1404 1405 stats = rcu_dereference_check(basechain->stats, 1406 lockdep_commit_lock_is_held(net)); 1407 if (nft_dump_stats(skb, stats)) 1408 goto nla_put_failure; 1409 1410 if ((chain->flags & NFT_CHAIN_HW_OFFLOAD) && 1411 nla_put_be32(skb, NFTA_CHAIN_FLAGS, 1412 htonl(NFT_CHAIN_HW_OFFLOAD))) 1413 goto nla_put_failure; 1414 } 1415 1416 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1417 goto nla_put_failure; 1418 1419 nlmsg_end(skb, nlh); 1420 return 0; 1421 1422 nla_put_failure: 1423 nlmsg_trim(skb, nlh); 1424 return -1; 1425 } 1426 1427 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event) 1428 { 1429 struct sk_buff *skb; 1430 int err; 1431 1432 if (!ctx->report && 1433 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1434 return; 1435 1436 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1437 if (skb == NULL) 1438 goto err; 1439 1440 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1441 event, 0, ctx->family, ctx->table, 1442 ctx->chain); 1443 if (err < 0) { 1444 kfree_skb(skb); 1445 goto err; 1446 } 1447 1448 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 1449 ctx->report, GFP_KERNEL); 1450 return; 1451 err: 1452 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1453 } 1454 1455 static int nf_tables_dump_chains(struct sk_buff *skb, 1456 struct netlink_callback *cb) 1457 { 1458 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1459 const struct nft_table *table; 1460 const struct nft_chain *chain; 1461 unsigned int idx = 0, s_idx = cb->args[0]; 1462 struct net *net = sock_net(skb->sk); 1463 int family = nfmsg->nfgen_family; 1464 1465 rcu_read_lock(); 1466 cb->seq = net->nft.base_seq; 1467 1468 list_for_each_entry_rcu(table, &net->nft.tables, list) { 1469 if (family != NFPROTO_UNSPEC && family != table->family) 1470 continue; 1471 1472 list_for_each_entry_rcu(chain, &table->chains, list) { 1473 if (idx < s_idx) 1474 goto cont; 1475 if (idx > s_idx) 1476 memset(&cb->args[1], 0, 1477 sizeof(cb->args) - sizeof(cb->args[0])); 1478 if (!nft_is_active(net, chain)) 1479 continue; 1480 if (nf_tables_fill_chain_info(skb, net, 1481 NETLINK_CB(cb->skb).portid, 1482 cb->nlh->nlmsg_seq, 1483 NFT_MSG_NEWCHAIN, 1484 NLM_F_MULTI, 1485 table->family, table, 1486 chain) < 0) 1487 goto done; 1488 1489 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1490 cont: 1491 idx++; 1492 } 1493 } 1494 done: 1495 rcu_read_unlock(); 1496 cb->args[0] = idx; 1497 return skb->len; 1498 } 1499 1500 /* called with rcu_read_lock held */ 1501 static int nf_tables_getchain(struct net *net, struct sock *nlsk, 1502 struct sk_buff *skb, const struct nlmsghdr *nlh, 1503 const struct nlattr * const nla[], 1504 struct netlink_ext_ack *extack) 1505 { 1506 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1507 u8 genmask = nft_genmask_cur(net); 1508 const struct nft_chain *chain; 1509 struct nft_table *table; 1510 struct sk_buff *skb2; 1511 int family = nfmsg->nfgen_family; 1512 int err; 1513 1514 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1515 struct netlink_dump_control c = { 1516 .dump = nf_tables_dump_chains, 1517 .module = THIS_MODULE, 1518 }; 1519 1520 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 1521 } 1522 1523 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); 1524 if (IS_ERR(table)) { 1525 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 1526 return PTR_ERR(table); 1527 } 1528 1529 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 1530 if (IS_ERR(chain)) { 1531 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 1532 return PTR_ERR(chain); 1533 } 1534 1535 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1536 if (!skb2) 1537 return -ENOMEM; 1538 1539 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 1540 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0, 1541 family, table, chain); 1542 if (err < 0) 1543 goto err; 1544 1545 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 1546 1547 err: 1548 kfree_skb(skb2); 1549 return err; 1550 } 1551 1552 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 1553 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 1554 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 1555 }; 1556 1557 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 1558 { 1559 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 1560 struct nft_stats __percpu *newstats; 1561 struct nft_stats *stats; 1562 int err; 1563 1564 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 1565 nft_counter_policy, NULL); 1566 if (err < 0) 1567 return ERR_PTR(err); 1568 1569 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 1570 return ERR_PTR(-EINVAL); 1571 1572 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 1573 if (newstats == NULL) 1574 return ERR_PTR(-ENOMEM); 1575 1576 /* Restore old counters on this cpu, no problem. Per-cpu statistics 1577 * are not exposed to userspace. 1578 */ 1579 preempt_disable(); 1580 stats = this_cpu_ptr(newstats); 1581 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 1582 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 1583 preempt_enable(); 1584 1585 return newstats; 1586 } 1587 1588 static void nft_chain_stats_replace(struct nft_trans *trans) 1589 { 1590 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain); 1591 1592 if (!nft_trans_chain_stats(trans)) 1593 return; 1594 1595 nft_trans_chain_stats(trans) = 1596 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans), 1597 lockdep_commit_lock_is_held(trans->ctx.net)); 1598 1599 if (!nft_trans_chain_stats(trans)) 1600 static_branch_inc(&nft_counters_enabled); 1601 } 1602 1603 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 1604 { 1605 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0); 1606 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1); 1607 1608 if (g0 != g1) 1609 kvfree(g1); 1610 kvfree(g0); 1611 1612 /* should be NULL either via abort or via successful commit */ 1613 WARN_ON_ONCE(chain->rules_next); 1614 kvfree(chain->rules_next); 1615 } 1616 1617 static void nf_tables_chain_destroy(struct nft_ctx *ctx) 1618 { 1619 struct nft_chain *chain = ctx->chain; 1620 struct nft_hook *hook, *next; 1621 1622 if (WARN_ON(chain->use > 0)) 1623 return; 1624 1625 /* no concurrent access possible anymore */ 1626 nf_tables_chain_free_chain_rules(chain); 1627 1628 if (nft_is_base_chain(chain)) { 1629 struct nft_base_chain *basechain = nft_base_chain(chain); 1630 1631 if (ctx->family == NFPROTO_NETDEV) { 1632 list_for_each_entry_safe(hook, next, 1633 &basechain->hook_list, list) { 1634 list_del_rcu(&hook->list); 1635 kfree_rcu(hook, rcu); 1636 } 1637 } 1638 module_put(basechain->type->owner); 1639 if (rcu_access_pointer(basechain->stats)) { 1640 static_branch_dec(&nft_counters_enabled); 1641 free_percpu(rcu_dereference_raw(basechain->stats)); 1642 } 1643 kfree(chain->name); 1644 kfree(basechain); 1645 } else { 1646 kfree(chain->name); 1647 kfree(chain); 1648 } 1649 } 1650 1651 static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 1652 const struct nlattr *attr) 1653 { 1654 struct net_device *dev; 1655 char ifname[IFNAMSIZ]; 1656 struct nft_hook *hook; 1657 int err; 1658 1659 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL); 1660 if (!hook) { 1661 err = -ENOMEM; 1662 goto err_hook_alloc; 1663 } 1664 1665 nla_strlcpy(ifname, attr, IFNAMSIZ); 1666 dev = __dev_get_by_name(net, ifname); 1667 if (!dev) { 1668 err = -ENOENT; 1669 goto err_hook_dev; 1670 } 1671 hook->ops.dev = dev; 1672 hook->inactive = false; 1673 1674 return hook; 1675 1676 err_hook_dev: 1677 kfree(hook); 1678 err_hook_alloc: 1679 return ERR_PTR(err); 1680 } 1681 1682 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, 1683 const struct nft_hook *this) 1684 { 1685 struct nft_hook *hook; 1686 1687 list_for_each_entry(hook, hook_list, list) { 1688 if (this->ops.dev == hook->ops.dev) 1689 return hook; 1690 } 1691 1692 return NULL; 1693 } 1694 1695 static int nf_tables_parse_netdev_hooks(struct net *net, 1696 const struct nlattr *attr, 1697 struct list_head *hook_list) 1698 { 1699 struct nft_hook *hook, *next; 1700 const struct nlattr *tmp; 1701 int rem, n = 0, err; 1702 1703 nla_for_each_nested(tmp, attr, rem) { 1704 if (nla_type(tmp) != NFTA_DEVICE_NAME) { 1705 err = -EINVAL; 1706 goto err_hook; 1707 } 1708 1709 hook = nft_netdev_hook_alloc(net, tmp); 1710 if (IS_ERR(hook)) { 1711 err = PTR_ERR(hook); 1712 goto err_hook; 1713 } 1714 if (nft_hook_list_find(hook_list, hook)) { 1715 kfree(hook); 1716 err = -EEXIST; 1717 goto err_hook; 1718 } 1719 list_add_tail(&hook->list, hook_list); 1720 n++; 1721 1722 if (n == NFT_NETDEVICE_MAX) { 1723 err = -EFBIG; 1724 goto err_hook; 1725 } 1726 } 1727 1728 return 0; 1729 1730 err_hook: 1731 list_for_each_entry_safe(hook, next, hook_list, list) { 1732 list_del(&hook->list); 1733 kfree(hook); 1734 } 1735 return err; 1736 } 1737 1738 struct nft_chain_hook { 1739 u32 num; 1740 s32 priority; 1741 const struct nft_chain_type *type; 1742 struct list_head list; 1743 }; 1744 1745 static int nft_chain_parse_netdev(struct net *net, 1746 struct nlattr *tb[], 1747 struct list_head *hook_list) 1748 { 1749 struct nft_hook *hook; 1750 int err; 1751 1752 if (tb[NFTA_HOOK_DEV]) { 1753 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); 1754 if (IS_ERR(hook)) 1755 return PTR_ERR(hook); 1756 1757 list_add_tail(&hook->list, hook_list); 1758 } else if (tb[NFTA_HOOK_DEVS]) { 1759 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 1760 hook_list); 1761 if (err < 0) 1762 return err; 1763 1764 if (list_empty(hook_list)) 1765 return -EINVAL; 1766 } else { 1767 return -EINVAL; 1768 } 1769 1770 return 0; 1771 } 1772 1773 static int nft_chain_parse_hook(struct net *net, 1774 const struct nlattr * const nla[], 1775 struct nft_chain_hook *hook, u8 family, 1776 bool autoload) 1777 { 1778 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 1779 const struct nft_chain_type *type; 1780 int err; 1781 1782 lockdep_assert_held(&net->nft.commit_mutex); 1783 lockdep_nfnl_nft_mutex_not_held(); 1784 1785 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 1786 nla[NFTA_CHAIN_HOOK], 1787 nft_hook_policy, NULL); 1788 if (err < 0) 1789 return err; 1790 1791 if (ha[NFTA_HOOK_HOOKNUM] == NULL || 1792 ha[NFTA_HOOK_PRIORITY] == NULL) 1793 return -EINVAL; 1794 1795 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 1796 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 1797 1798 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 1799 if (!type) 1800 return -EOPNOTSUPP; 1801 1802 if (nla[NFTA_CHAIN_TYPE]) { 1803 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 1804 family, autoload); 1805 if (IS_ERR(type)) 1806 return PTR_ERR(type); 1807 } 1808 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 1809 return -EOPNOTSUPP; 1810 1811 if (type->type == NFT_CHAIN_T_NAT && 1812 hook->priority <= NF_IP_PRI_CONNTRACK) 1813 return -EOPNOTSUPP; 1814 1815 if (!try_module_get(type->owner)) 1816 return -ENOENT; 1817 1818 hook->type = type; 1819 1820 INIT_LIST_HEAD(&hook->list); 1821 if (family == NFPROTO_NETDEV) { 1822 err = nft_chain_parse_netdev(net, ha, &hook->list); 1823 if (err < 0) { 1824 module_put(type->owner); 1825 return err; 1826 } 1827 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 1828 module_put(type->owner); 1829 return -EOPNOTSUPP; 1830 } 1831 1832 return 0; 1833 } 1834 1835 static void nft_chain_release_hook(struct nft_chain_hook *hook) 1836 { 1837 struct nft_hook *h, *next; 1838 1839 list_for_each_entry_safe(h, next, &hook->list, list) { 1840 list_del(&h->list); 1841 kfree(h); 1842 } 1843 module_put(hook->type->owner); 1844 } 1845 1846 struct nft_rules_old { 1847 struct rcu_head h; 1848 struct nft_rule **start; 1849 }; 1850 1851 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain, 1852 unsigned int alloc) 1853 { 1854 if (alloc > INT_MAX) 1855 return NULL; 1856 1857 alloc += 1; /* NULL, ends rules */ 1858 if (sizeof(struct nft_rule *) > INT_MAX / alloc) 1859 return NULL; 1860 1861 alloc *= sizeof(struct nft_rule *); 1862 alloc += sizeof(struct nft_rules_old); 1863 1864 return kvmalloc(alloc, GFP_KERNEL); 1865 } 1866 1867 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 1868 const struct nft_chain_hook *hook, 1869 struct nft_chain *chain) 1870 { 1871 ops->pf = family; 1872 ops->hooknum = hook->num; 1873 ops->priority = hook->priority; 1874 ops->priv = chain; 1875 ops->hook = hook->type->hooks[ops->hooknum]; 1876 } 1877 1878 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 1879 struct nft_chain_hook *hook, u32 flags) 1880 { 1881 struct nft_chain *chain; 1882 struct nft_hook *h; 1883 1884 basechain->type = hook->type; 1885 INIT_LIST_HEAD(&basechain->hook_list); 1886 chain = &basechain->chain; 1887 1888 if (family == NFPROTO_NETDEV) { 1889 list_splice_init(&hook->list, &basechain->hook_list); 1890 list_for_each_entry(h, &basechain->hook_list, list) 1891 nft_basechain_hook_init(&h->ops, family, hook, chain); 1892 1893 basechain->ops.hooknum = hook->num; 1894 basechain->ops.priority = hook->priority; 1895 } else { 1896 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 1897 } 1898 1899 chain->flags |= NFT_BASE_CHAIN | flags; 1900 basechain->policy = NF_ACCEPT; 1901 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 1902 nft_chain_offload_priority(basechain) < 0) 1903 return -EOPNOTSUPP; 1904 1905 flow_block_init(&basechain->flow_block); 1906 1907 return 0; 1908 } 1909 1910 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 1911 u8 policy, u32 flags) 1912 { 1913 const struct nlattr * const *nla = ctx->nla; 1914 struct nft_table *table = ctx->table; 1915 struct nft_base_chain *basechain; 1916 struct nft_stats __percpu *stats; 1917 struct net *net = ctx->net; 1918 struct nft_trans *trans; 1919 struct nft_chain *chain; 1920 struct nft_rule **rules; 1921 int err; 1922 1923 if (table->use == UINT_MAX) 1924 return -EOVERFLOW; 1925 1926 if (nla[NFTA_CHAIN_HOOK]) { 1927 struct nft_chain_hook hook; 1928 1929 err = nft_chain_parse_hook(net, nla, &hook, family, true); 1930 if (err < 0) 1931 return err; 1932 1933 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL); 1934 if (basechain == NULL) { 1935 nft_chain_release_hook(&hook); 1936 return -ENOMEM; 1937 } 1938 chain = &basechain->chain; 1939 1940 if (nla[NFTA_CHAIN_COUNTERS]) { 1941 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 1942 if (IS_ERR(stats)) { 1943 nft_chain_release_hook(&hook); 1944 kfree(basechain); 1945 return PTR_ERR(stats); 1946 } 1947 rcu_assign_pointer(basechain->stats, stats); 1948 static_branch_inc(&nft_counters_enabled); 1949 } 1950 1951 err = nft_basechain_init(basechain, family, &hook, flags); 1952 if (err < 0) { 1953 nft_chain_release_hook(&hook); 1954 kfree(basechain); 1955 return err; 1956 } 1957 } else { 1958 chain = kzalloc(sizeof(*chain), GFP_KERNEL); 1959 if (chain == NULL) 1960 return -ENOMEM; 1961 } 1962 ctx->chain = chain; 1963 1964 INIT_LIST_HEAD(&chain->rules); 1965 chain->handle = nf_tables_alloc_handle(table); 1966 chain->table = table; 1967 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 1968 if (!chain->name) { 1969 err = -ENOMEM; 1970 goto err1; 1971 } 1972 1973 rules = nf_tables_chain_alloc_rules(chain, 0); 1974 if (!rules) { 1975 err = -ENOMEM; 1976 goto err1; 1977 } 1978 1979 *rules = NULL; 1980 rcu_assign_pointer(chain->rules_gen_0, rules); 1981 rcu_assign_pointer(chain->rules_gen_1, rules); 1982 1983 err = nf_tables_register_hook(net, table, chain); 1984 if (err < 0) 1985 goto err1; 1986 1987 err = rhltable_insert_key(&table->chains_ht, chain->name, 1988 &chain->rhlhead, nft_chain_ht_params); 1989 if (err) 1990 goto err2; 1991 1992 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 1993 if (IS_ERR(trans)) { 1994 err = PTR_ERR(trans); 1995 rhltable_remove(&table->chains_ht, &chain->rhlhead, 1996 nft_chain_ht_params); 1997 goto err2; 1998 } 1999 2000 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 2001 if (nft_is_base_chain(chain)) 2002 nft_trans_chain_policy(trans) = policy; 2003 2004 table->use++; 2005 list_add_tail_rcu(&chain->list, &table->chains); 2006 2007 return 0; 2008 err2: 2009 nf_tables_unregister_hook(net, table, chain); 2010 err1: 2011 nf_tables_chain_destroy(ctx); 2012 2013 return err; 2014 } 2015 2016 static bool nft_hook_list_equal(struct list_head *hook_list1, 2017 struct list_head *hook_list2) 2018 { 2019 struct nft_hook *hook; 2020 int n = 0, m = 0; 2021 2022 n = 0; 2023 list_for_each_entry(hook, hook_list2, list) { 2024 if (!nft_hook_list_find(hook_list1, hook)) 2025 return false; 2026 2027 n++; 2028 } 2029 list_for_each_entry(hook, hook_list1, list) 2030 m++; 2031 2032 return n == m; 2033 } 2034 2035 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2036 u32 flags) 2037 { 2038 const struct nlattr * const *nla = ctx->nla; 2039 struct nft_table *table = ctx->table; 2040 struct nft_chain *chain = ctx->chain; 2041 struct nft_base_chain *basechain; 2042 struct nft_stats *stats = NULL; 2043 struct nft_chain_hook hook; 2044 struct nf_hook_ops *ops; 2045 struct nft_trans *trans; 2046 int err; 2047 2048 if (chain->flags ^ flags) 2049 return -EOPNOTSUPP; 2050 2051 if (nla[NFTA_CHAIN_HOOK]) { 2052 if (!nft_is_base_chain(chain)) 2053 return -EBUSY; 2054 2055 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, 2056 false); 2057 if (err < 0) 2058 return err; 2059 2060 basechain = nft_base_chain(chain); 2061 if (basechain->type != hook.type) { 2062 nft_chain_release_hook(&hook); 2063 return -EBUSY; 2064 } 2065 2066 if (ctx->family == NFPROTO_NETDEV) { 2067 if (!nft_hook_list_equal(&basechain->hook_list, 2068 &hook.list)) { 2069 nft_chain_release_hook(&hook); 2070 return -EBUSY; 2071 } 2072 } else { 2073 ops = &basechain->ops; 2074 if (ops->hooknum != hook.num || 2075 ops->priority != hook.priority) { 2076 nft_chain_release_hook(&hook); 2077 return -EBUSY; 2078 } 2079 } 2080 nft_chain_release_hook(&hook); 2081 } 2082 2083 if (nla[NFTA_CHAIN_HANDLE] && 2084 nla[NFTA_CHAIN_NAME]) { 2085 struct nft_chain *chain2; 2086 2087 chain2 = nft_chain_lookup(ctx->net, table, 2088 nla[NFTA_CHAIN_NAME], genmask); 2089 if (!IS_ERR(chain2)) 2090 return -EEXIST; 2091 } 2092 2093 if (nla[NFTA_CHAIN_COUNTERS]) { 2094 if (!nft_is_base_chain(chain)) 2095 return -EOPNOTSUPP; 2096 2097 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2098 if (IS_ERR(stats)) 2099 return PTR_ERR(stats); 2100 } 2101 2102 err = -ENOMEM; 2103 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, 2104 sizeof(struct nft_trans_chain)); 2105 if (trans == NULL) 2106 goto err; 2107 2108 nft_trans_chain_stats(trans) = stats; 2109 nft_trans_chain_update(trans) = true; 2110 2111 if (nla[NFTA_CHAIN_POLICY]) 2112 nft_trans_chain_policy(trans) = policy; 2113 else 2114 nft_trans_chain_policy(trans) = -1; 2115 2116 if (nla[NFTA_CHAIN_HANDLE] && 2117 nla[NFTA_CHAIN_NAME]) { 2118 struct nft_trans *tmp; 2119 char *name; 2120 2121 err = -ENOMEM; 2122 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 2123 if (!name) 2124 goto err; 2125 2126 err = -EEXIST; 2127 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) { 2128 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2129 tmp->ctx.table == table && 2130 nft_trans_chain_update(tmp) && 2131 nft_trans_chain_name(tmp) && 2132 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2133 kfree(name); 2134 goto err; 2135 } 2136 } 2137 2138 nft_trans_chain_name(trans) = name; 2139 } 2140 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 2141 2142 return 0; 2143 err: 2144 free_percpu(stats); 2145 kfree(trans); 2146 return err; 2147 } 2148 2149 static int nf_tables_newchain(struct net *net, struct sock *nlsk, 2150 struct sk_buff *skb, const struct nlmsghdr *nlh, 2151 const struct nlattr * const nla[], 2152 struct netlink_ext_ack *extack) 2153 { 2154 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2155 u8 genmask = nft_genmask_next(net); 2156 int family = nfmsg->nfgen_family; 2157 const struct nlattr *attr; 2158 struct nft_table *table; 2159 struct nft_chain *chain; 2160 u8 policy = NF_ACCEPT; 2161 struct nft_ctx ctx; 2162 u64 handle = 0; 2163 u32 flags = 0; 2164 2165 lockdep_assert_held(&net->nft.commit_mutex); 2166 2167 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); 2168 if (IS_ERR(table)) { 2169 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2170 return PTR_ERR(table); 2171 } 2172 2173 chain = NULL; 2174 attr = nla[NFTA_CHAIN_NAME]; 2175 2176 if (nla[NFTA_CHAIN_HANDLE]) { 2177 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 2178 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2179 if (IS_ERR(chain)) { 2180 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 2181 return PTR_ERR(chain); 2182 } 2183 attr = nla[NFTA_CHAIN_HANDLE]; 2184 } else { 2185 chain = nft_chain_lookup(net, table, attr, genmask); 2186 if (IS_ERR(chain)) { 2187 if (PTR_ERR(chain) != -ENOENT) { 2188 NL_SET_BAD_ATTR(extack, attr); 2189 return PTR_ERR(chain); 2190 } 2191 chain = NULL; 2192 } 2193 } 2194 2195 if (nla[NFTA_CHAIN_POLICY]) { 2196 if (chain != NULL && 2197 !nft_is_base_chain(chain)) { 2198 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2199 return -EOPNOTSUPP; 2200 } 2201 2202 if (chain == NULL && 2203 nla[NFTA_CHAIN_HOOK] == NULL) { 2204 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2205 return -EOPNOTSUPP; 2206 } 2207 2208 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 2209 switch (policy) { 2210 case NF_DROP: 2211 case NF_ACCEPT: 2212 break; 2213 default: 2214 return -EINVAL; 2215 } 2216 } 2217 2218 if (nla[NFTA_CHAIN_FLAGS]) 2219 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 2220 else if (chain) 2221 flags = chain->flags; 2222 2223 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 2224 2225 if (chain != NULL) { 2226 if (nlh->nlmsg_flags & NLM_F_EXCL) { 2227 NL_SET_BAD_ATTR(extack, attr); 2228 return -EEXIST; 2229 } 2230 if (nlh->nlmsg_flags & NLM_F_REPLACE) 2231 return -EOPNOTSUPP; 2232 2233 flags |= chain->flags & NFT_BASE_CHAIN; 2234 return nf_tables_updchain(&ctx, genmask, policy, flags); 2235 } 2236 2237 return nf_tables_addchain(&ctx, family, genmask, policy, flags); 2238 } 2239 2240 static int nf_tables_delchain(struct net *net, struct sock *nlsk, 2241 struct sk_buff *skb, const struct nlmsghdr *nlh, 2242 const struct nlattr * const nla[], 2243 struct netlink_ext_ack *extack) 2244 { 2245 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2246 u8 genmask = nft_genmask_next(net); 2247 int family = nfmsg->nfgen_family; 2248 const struct nlattr *attr; 2249 struct nft_table *table; 2250 struct nft_chain *chain; 2251 struct nft_rule *rule; 2252 struct nft_ctx ctx; 2253 u64 handle; 2254 u32 use; 2255 int err; 2256 2257 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); 2258 if (IS_ERR(table)) { 2259 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2260 return PTR_ERR(table); 2261 } 2262 2263 if (nla[NFTA_CHAIN_HANDLE]) { 2264 attr = nla[NFTA_CHAIN_HANDLE]; 2265 handle = be64_to_cpu(nla_get_be64(attr)); 2266 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2267 } else { 2268 attr = nla[NFTA_CHAIN_NAME]; 2269 chain = nft_chain_lookup(net, table, attr, genmask); 2270 } 2271 if (IS_ERR(chain)) { 2272 NL_SET_BAD_ATTR(extack, attr); 2273 return PTR_ERR(chain); 2274 } 2275 2276 if (nlh->nlmsg_flags & NLM_F_NONREC && 2277 chain->use > 0) 2278 return -EBUSY; 2279 2280 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 2281 2282 use = chain->use; 2283 list_for_each_entry(rule, &chain->rules, list) { 2284 if (!nft_is_active_next(net, rule)) 2285 continue; 2286 use--; 2287 2288 err = nft_delrule(&ctx, rule); 2289 if (err < 0) 2290 return err; 2291 } 2292 2293 /* There are rules and elements that are still holding references to us, 2294 * we cannot do a recursive removal in this case. 2295 */ 2296 if (use > 0) { 2297 NL_SET_BAD_ATTR(extack, attr); 2298 return -EBUSY; 2299 } 2300 2301 return nft_delchain(&ctx); 2302 } 2303 2304 /* 2305 * Expressions 2306 */ 2307 2308 /** 2309 * nft_register_expr - register nf_tables expr type 2310 * @ops: expr type 2311 * 2312 * Registers the expr type for use with nf_tables. Returns zero on 2313 * success or a negative errno code otherwise. 2314 */ 2315 int nft_register_expr(struct nft_expr_type *type) 2316 { 2317 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2318 if (type->family == NFPROTO_UNSPEC) 2319 list_add_tail_rcu(&type->list, &nf_tables_expressions); 2320 else 2321 list_add_rcu(&type->list, &nf_tables_expressions); 2322 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2323 return 0; 2324 } 2325 EXPORT_SYMBOL_GPL(nft_register_expr); 2326 2327 /** 2328 * nft_unregister_expr - unregister nf_tables expr type 2329 * @ops: expr type 2330 * 2331 * Unregisters the expr typefor use with nf_tables. 2332 */ 2333 void nft_unregister_expr(struct nft_expr_type *type) 2334 { 2335 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2336 list_del_rcu(&type->list); 2337 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2338 } 2339 EXPORT_SYMBOL_GPL(nft_unregister_expr); 2340 2341 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 2342 struct nlattr *nla) 2343 { 2344 const struct nft_expr_type *type, *candidate = NULL; 2345 2346 list_for_each_entry(type, &nf_tables_expressions, list) { 2347 if (!nla_strcmp(nla, type->name)) { 2348 if (!type->family && !candidate) 2349 candidate = type; 2350 else if (type->family == family) 2351 candidate = type; 2352 } 2353 } 2354 return candidate; 2355 } 2356 2357 #ifdef CONFIG_MODULES 2358 static int nft_expr_type_request_module(struct net *net, u8 family, 2359 struct nlattr *nla) 2360 { 2361 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 2362 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 2363 return -EAGAIN; 2364 2365 return 0; 2366 } 2367 #endif 2368 2369 static const struct nft_expr_type *nft_expr_type_get(struct net *net, 2370 u8 family, 2371 struct nlattr *nla) 2372 { 2373 const struct nft_expr_type *type; 2374 2375 if (nla == NULL) 2376 return ERR_PTR(-EINVAL); 2377 2378 type = __nft_expr_type_get(family, nla); 2379 if (type != NULL && try_module_get(type->owner)) 2380 return type; 2381 2382 lockdep_nfnl_nft_mutex_not_held(); 2383 #ifdef CONFIG_MODULES 2384 if (type == NULL) { 2385 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 2386 return ERR_PTR(-EAGAIN); 2387 2388 if (nft_request_module(net, "nft-expr-%.*s", 2389 nla_len(nla), 2390 (char *)nla_data(nla)) == -EAGAIN) 2391 return ERR_PTR(-EAGAIN); 2392 } 2393 #endif 2394 return ERR_PTR(-ENOENT); 2395 } 2396 2397 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 2398 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 2399 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 2400 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 2401 }; 2402 2403 static int nf_tables_fill_expr_info(struct sk_buff *skb, 2404 const struct nft_expr *expr) 2405 { 2406 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 2407 goto nla_put_failure; 2408 2409 if (expr->ops->dump) { 2410 struct nlattr *data = nla_nest_start_noflag(skb, 2411 NFTA_EXPR_DATA); 2412 if (data == NULL) 2413 goto nla_put_failure; 2414 if (expr->ops->dump(skb, expr) < 0) 2415 goto nla_put_failure; 2416 nla_nest_end(skb, data); 2417 } 2418 2419 return skb->len; 2420 2421 nla_put_failure: 2422 return -1; 2423 }; 2424 2425 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 2426 const struct nft_expr *expr) 2427 { 2428 struct nlattr *nest; 2429 2430 nest = nla_nest_start_noflag(skb, attr); 2431 if (!nest) 2432 goto nla_put_failure; 2433 if (nf_tables_fill_expr_info(skb, expr) < 0) 2434 goto nla_put_failure; 2435 nla_nest_end(skb, nest); 2436 return 0; 2437 2438 nla_put_failure: 2439 return -1; 2440 } 2441 2442 struct nft_expr_info { 2443 const struct nft_expr_ops *ops; 2444 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 2445 }; 2446 2447 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 2448 const struct nlattr *nla, 2449 struct nft_expr_info *info) 2450 { 2451 const struct nft_expr_type *type; 2452 const struct nft_expr_ops *ops; 2453 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 2454 int err; 2455 2456 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 2457 nft_expr_policy, NULL); 2458 if (err < 0) 2459 return err; 2460 2461 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 2462 if (IS_ERR(type)) 2463 return PTR_ERR(type); 2464 2465 if (tb[NFTA_EXPR_DATA]) { 2466 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 2467 tb[NFTA_EXPR_DATA], 2468 type->policy, NULL); 2469 if (err < 0) 2470 goto err1; 2471 } else 2472 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 2473 2474 if (type->select_ops != NULL) { 2475 ops = type->select_ops(ctx, 2476 (const struct nlattr * const *)info->tb); 2477 if (IS_ERR(ops)) { 2478 err = PTR_ERR(ops); 2479 #ifdef CONFIG_MODULES 2480 if (err == -EAGAIN) 2481 if (nft_expr_type_request_module(ctx->net, 2482 ctx->family, 2483 tb[NFTA_EXPR_NAME]) != -EAGAIN) 2484 err = -ENOENT; 2485 #endif 2486 goto err1; 2487 } 2488 } else 2489 ops = type->ops; 2490 2491 info->ops = ops; 2492 return 0; 2493 2494 err1: 2495 module_put(type->owner); 2496 return err; 2497 } 2498 2499 static int nf_tables_newexpr(const struct nft_ctx *ctx, 2500 const struct nft_expr_info *info, 2501 struct nft_expr *expr) 2502 { 2503 const struct nft_expr_ops *ops = info->ops; 2504 int err; 2505 2506 expr->ops = ops; 2507 if (ops->init) { 2508 err = ops->init(ctx, expr, (const struct nlattr **)info->tb); 2509 if (err < 0) 2510 goto err1; 2511 } 2512 2513 return 0; 2514 err1: 2515 expr->ops = NULL; 2516 return err; 2517 } 2518 2519 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 2520 struct nft_expr *expr) 2521 { 2522 const struct nft_expr_type *type = expr->ops->type; 2523 2524 if (expr->ops->destroy) 2525 expr->ops->destroy(ctx, expr); 2526 module_put(type->owner); 2527 } 2528 2529 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 2530 const struct nlattr *nla) 2531 { 2532 struct nft_expr_info info; 2533 struct nft_expr *expr; 2534 struct module *owner; 2535 int err; 2536 2537 err = nf_tables_expr_parse(ctx, nla, &info); 2538 if (err < 0) 2539 goto err1; 2540 2541 err = -ENOMEM; 2542 expr = kzalloc(info.ops->size, GFP_KERNEL); 2543 if (expr == NULL) 2544 goto err2; 2545 2546 err = nf_tables_newexpr(ctx, &info, expr); 2547 if (err < 0) 2548 goto err3; 2549 2550 return expr; 2551 err3: 2552 kfree(expr); 2553 err2: 2554 owner = info.ops->type->owner; 2555 if (info.ops->type->release_ops) 2556 info.ops->type->release_ops(info.ops); 2557 2558 module_put(owner); 2559 err1: 2560 return ERR_PTR(err); 2561 } 2562 2563 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 2564 { 2565 int err; 2566 2567 if (src->ops->clone) { 2568 dst->ops = src->ops; 2569 err = src->ops->clone(dst, src); 2570 if (err < 0) 2571 return err; 2572 } else { 2573 memcpy(dst, src, src->ops->size); 2574 } 2575 2576 __module_get(src->ops->type->owner); 2577 2578 return 0; 2579 } 2580 2581 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 2582 { 2583 nf_tables_expr_destroy(ctx, expr); 2584 kfree(expr); 2585 } 2586 2587 /* 2588 * Rules 2589 */ 2590 2591 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain, 2592 u64 handle) 2593 { 2594 struct nft_rule *rule; 2595 2596 // FIXME: this sucks 2597 list_for_each_entry_rcu(rule, &chain->rules, list) { 2598 if (handle == rule->handle) 2599 return rule; 2600 } 2601 2602 return ERR_PTR(-ENOENT); 2603 } 2604 2605 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain, 2606 const struct nlattr *nla) 2607 { 2608 if (nla == NULL) 2609 return ERR_PTR(-EINVAL); 2610 2611 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 2612 } 2613 2614 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 2615 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 2616 .len = NFT_TABLE_MAXNAMELEN - 1 }, 2617 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 2618 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 2619 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 2620 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED }, 2621 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 2622 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 2623 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 2624 .len = NFT_USERDATA_MAXLEN }, 2625 [NFTA_RULE_ID] = { .type = NLA_U32 }, 2626 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 2627 }; 2628 2629 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 2630 u32 portid, u32 seq, int event, 2631 u32 flags, int family, 2632 const struct nft_table *table, 2633 const struct nft_chain *chain, 2634 const struct nft_rule *rule, 2635 const struct nft_rule *prule) 2636 { 2637 struct nlmsghdr *nlh; 2638 struct nfgenmsg *nfmsg; 2639 const struct nft_expr *expr, *next; 2640 struct nlattr *list; 2641 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 2642 2643 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); 2644 if (nlh == NULL) 2645 goto nla_put_failure; 2646 2647 nfmsg = nlmsg_data(nlh); 2648 nfmsg->nfgen_family = family; 2649 nfmsg->version = NFNETLINK_V0; 2650 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 2651 2652 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 2653 goto nla_put_failure; 2654 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 2655 goto nla_put_failure; 2656 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 2657 NFTA_RULE_PAD)) 2658 goto nla_put_failure; 2659 2660 if (event != NFT_MSG_DELRULE && prule) { 2661 if (nla_put_be64(skb, NFTA_RULE_POSITION, 2662 cpu_to_be64(prule->handle), 2663 NFTA_RULE_PAD)) 2664 goto nla_put_failure; 2665 } 2666 2667 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 2668 if (list == NULL) 2669 goto nla_put_failure; 2670 nft_rule_for_each_expr(expr, next, rule) { 2671 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 2672 goto nla_put_failure; 2673 } 2674 nla_nest_end(skb, list); 2675 2676 if (rule->udata) { 2677 struct nft_userdata *udata = nft_userdata(rule); 2678 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 2679 udata->data) < 0) 2680 goto nla_put_failure; 2681 } 2682 2683 nlmsg_end(skb, nlh); 2684 return 0; 2685 2686 nla_put_failure: 2687 nlmsg_trim(skb, nlh); 2688 return -1; 2689 } 2690 2691 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 2692 const struct nft_rule *rule, int event) 2693 { 2694 struct sk_buff *skb; 2695 int err; 2696 2697 if (!ctx->report && 2698 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 2699 return; 2700 2701 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 2702 if (skb == NULL) 2703 goto err; 2704 2705 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 2706 event, 0, ctx->family, ctx->table, 2707 ctx->chain, rule, NULL); 2708 if (err < 0) { 2709 kfree_skb(skb); 2710 goto err; 2711 } 2712 2713 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 2714 ctx->report, GFP_KERNEL); 2715 return; 2716 err: 2717 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 2718 } 2719 2720 struct nft_rule_dump_ctx { 2721 char *table; 2722 char *chain; 2723 }; 2724 2725 static int __nf_tables_dump_rules(struct sk_buff *skb, 2726 unsigned int *idx, 2727 struct netlink_callback *cb, 2728 const struct nft_table *table, 2729 const struct nft_chain *chain) 2730 { 2731 struct net *net = sock_net(skb->sk); 2732 const struct nft_rule *rule, *prule; 2733 unsigned int s_idx = cb->args[0]; 2734 2735 prule = NULL; 2736 list_for_each_entry_rcu(rule, &chain->rules, list) { 2737 if (!nft_is_active(net, rule)) 2738 goto cont_skip; 2739 if (*idx < s_idx) 2740 goto cont; 2741 if (*idx > s_idx) { 2742 memset(&cb->args[1], 0, 2743 sizeof(cb->args) - sizeof(cb->args[0])); 2744 } 2745 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 2746 cb->nlh->nlmsg_seq, 2747 NFT_MSG_NEWRULE, 2748 NLM_F_MULTI | NLM_F_APPEND, 2749 table->family, 2750 table, chain, rule, prule) < 0) 2751 return 1; 2752 2753 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 2754 cont: 2755 prule = rule; 2756 cont_skip: 2757 (*idx)++; 2758 } 2759 return 0; 2760 } 2761 2762 static int nf_tables_dump_rules(struct sk_buff *skb, 2763 struct netlink_callback *cb) 2764 { 2765 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2766 const struct nft_rule_dump_ctx *ctx = cb->data; 2767 struct nft_table *table; 2768 const struct nft_chain *chain; 2769 unsigned int idx = 0; 2770 struct net *net = sock_net(skb->sk); 2771 int family = nfmsg->nfgen_family; 2772 2773 rcu_read_lock(); 2774 cb->seq = net->nft.base_seq; 2775 2776 list_for_each_entry_rcu(table, &net->nft.tables, list) { 2777 if (family != NFPROTO_UNSPEC && family != table->family) 2778 continue; 2779 2780 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) 2781 continue; 2782 2783 if (ctx && ctx->table && ctx->chain) { 2784 struct rhlist_head *list, *tmp; 2785 2786 list = rhltable_lookup(&table->chains_ht, ctx->chain, 2787 nft_chain_ht_params); 2788 if (!list) 2789 goto done; 2790 2791 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 2792 if (!nft_is_active(net, chain)) 2793 continue; 2794 __nf_tables_dump_rules(skb, &idx, 2795 cb, table, chain); 2796 break; 2797 } 2798 goto done; 2799 } 2800 2801 list_for_each_entry_rcu(chain, &table->chains, list) { 2802 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain)) 2803 goto done; 2804 } 2805 2806 if (ctx && ctx->table) 2807 break; 2808 } 2809 done: 2810 rcu_read_unlock(); 2811 2812 cb->args[0] = idx; 2813 return skb->len; 2814 } 2815 2816 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 2817 { 2818 const struct nlattr * const *nla = cb->data; 2819 struct nft_rule_dump_ctx *ctx = NULL; 2820 2821 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) { 2822 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC); 2823 if (!ctx) 2824 return -ENOMEM; 2825 2826 if (nla[NFTA_RULE_TABLE]) { 2827 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], 2828 GFP_ATOMIC); 2829 if (!ctx->table) { 2830 kfree(ctx); 2831 return -ENOMEM; 2832 } 2833 } 2834 if (nla[NFTA_RULE_CHAIN]) { 2835 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], 2836 GFP_ATOMIC); 2837 if (!ctx->chain) { 2838 kfree(ctx->table); 2839 kfree(ctx); 2840 return -ENOMEM; 2841 } 2842 } 2843 } 2844 2845 cb->data = ctx; 2846 return 0; 2847 } 2848 2849 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 2850 { 2851 struct nft_rule_dump_ctx *ctx = cb->data; 2852 2853 if (ctx) { 2854 kfree(ctx->table); 2855 kfree(ctx->chain); 2856 kfree(ctx); 2857 } 2858 return 0; 2859 } 2860 2861 /* called with rcu_read_lock held */ 2862 static int nf_tables_getrule(struct net *net, struct sock *nlsk, 2863 struct sk_buff *skb, const struct nlmsghdr *nlh, 2864 const struct nlattr * const nla[], 2865 struct netlink_ext_ack *extack) 2866 { 2867 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2868 u8 genmask = nft_genmask_cur(net); 2869 const struct nft_chain *chain; 2870 const struct nft_rule *rule; 2871 struct nft_table *table; 2872 struct sk_buff *skb2; 2873 int family = nfmsg->nfgen_family; 2874 int err; 2875 2876 if (nlh->nlmsg_flags & NLM_F_DUMP) { 2877 struct netlink_dump_control c = { 2878 .start= nf_tables_dump_rules_start, 2879 .dump = nf_tables_dump_rules, 2880 .done = nf_tables_dump_rules_done, 2881 .module = THIS_MODULE, 2882 .data = (void *)nla, 2883 }; 2884 2885 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 2886 } 2887 2888 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); 2889 if (IS_ERR(table)) { 2890 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 2891 return PTR_ERR(table); 2892 } 2893 2894 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 2895 if (IS_ERR(chain)) { 2896 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 2897 return PTR_ERR(chain); 2898 } 2899 2900 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 2901 if (IS_ERR(rule)) { 2902 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 2903 return PTR_ERR(rule); 2904 } 2905 2906 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 2907 if (!skb2) 2908 return -ENOMEM; 2909 2910 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, 2911 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 2912 family, table, chain, rule, NULL); 2913 if (err < 0) 2914 goto err; 2915 2916 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 2917 2918 err: 2919 kfree_skb(skb2); 2920 return err; 2921 } 2922 2923 static void nf_tables_rule_destroy(const struct nft_ctx *ctx, 2924 struct nft_rule *rule) 2925 { 2926 struct nft_expr *expr, *next; 2927 2928 /* 2929 * Careful: some expressions might not be initialized in case this 2930 * is called on error from nf_tables_newrule(). 2931 */ 2932 expr = nft_expr_first(rule); 2933 while (expr != nft_expr_last(rule) && expr->ops) { 2934 next = nft_expr_next(expr); 2935 nf_tables_expr_destroy(ctx, expr); 2936 expr = next; 2937 } 2938 kfree(rule); 2939 } 2940 2941 static void nf_tables_rule_release(const struct nft_ctx *ctx, 2942 struct nft_rule *rule) 2943 { 2944 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 2945 nf_tables_rule_destroy(ctx, rule); 2946 } 2947 2948 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 2949 { 2950 struct nft_expr *expr, *last; 2951 const struct nft_data *data; 2952 struct nft_rule *rule; 2953 int err; 2954 2955 if (ctx->level == NFT_JUMP_STACK_SIZE) 2956 return -EMLINK; 2957 2958 list_for_each_entry(rule, &chain->rules, list) { 2959 if (!nft_is_active_next(ctx->net, rule)) 2960 continue; 2961 2962 nft_rule_for_each_expr(expr, last, rule) { 2963 if (!expr->ops->validate) 2964 continue; 2965 2966 err = expr->ops->validate(ctx, expr, &data); 2967 if (err < 0) 2968 return err; 2969 } 2970 } 2971 2972 return 0; 2973 } 2974 EXPORT_SYMBOL_GPL(nft_chain_validate); 2975 2976 static int nft_table_validate(struct net *net, const struct nft_table *table) 2977 { 2978 struct nft_chain *chain; 2979 struct nft_ctx ctx = { 2980 .net = net, 2981 .family = table->family, 2982 }; 2983 int err; 2984 2985 list_for_each_entry(chain, &table->chains, list) { 2986 if (!nft_is_base_chain(chain)) 2987 continue; 2988 2989 ctx.chain = chain; 2990 err = nft_chain_validate(&ctx, chain); 2991 if (err < 0) 2992 return err; 2993 } 2994 2995 return 0; 2996 } 2997 2998 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 2999 const struct nlattr *nla); 3000 3001 #define NFT_RULE_MAXEXPRS 128 3002 3003 static int nf_tables_newrule(struct net *net, struct sock *nlsk, 3004 struct sk_buff *skb, const struct nlmsghdr *nlh, 3005 const struct nlattr * const nla[], 3006 struct netlink_ext_ack *extack) 3007 { 3008 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3009 u8 genmask = nft_genmask_next(net); 3010 struct nft_expr_info *info = NULL; 3011 int family = nfmsg->nfgen_family; 3012 struct nft_flow_rule *flow; 3013 struct nft_table *table; 3014 struct nft_chain *chain; 3015 struct nft_rule *rule, *old_rule = NULL; 3016 struct nft_userdata *udata; 3017 struct nft_trans *trans = NULL; 3018 struct nft_expr *expr; 3019 struct nft_ctx ctx; 3020 struct nlattr *tmp; 3021 unsigned int size, i, n, ulen = 0, usize = 0; 3022 int err, rem; 3023 u64 handle, pos_handle; 3024 3025 lockdep_assert_held(&net->nft.commit_mutex); 3026 3027 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); 3028 if (IS_ERR(table)) { 3029 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3030 return PTR_ERR(table); 3031 } 3032 3033 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 3034 if (IS_ERR(chain)) { 3035 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3036 return PTR_ERR(chain); 3037 } 3038 3039 if (nla[NFTA_RULE_HANDLE]) { 3040 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 3041 rule = __nft_rule_lookup(chain, handle); 3042 if (IS_ERR(rule)) { 3043 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3044 return PTR_ERR(rule); 3045 } 3046 3047 if (nlh->nlmsg_flags & NLM_F_EXCL) { 3048 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3049 return -EEXIST; 3050 } 3051 if (nlh->nlmsg_flags & NLM_F_REPLACE) 3052 old_rule = rule; 3053 else 3054 return -EOPNOTSUPP; 3055 } else { 3056 if (!(nlh->nlmsg_flags & NLM_F_CREATE) || 3057 nlh->nlmsg_flags & NLM_F_REPLACE) 3058 return -EINVAL; 3059 handle = nf_tables_alloc_handle(table); 3060 3061 if (chain->use == UINT_MAX) 3062 return -EOVERFLOW; 3063 3064 if (nla[NFTA_RULE_POSITION]) { 3065 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 3066 old_rule = __nft_rule_lookup(chain, pos_handle); 3067 if (IS_ERR(old_rule)) { 3068 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 3069 return PTR_ERR(old_rule); 3070 } 3071 } else if (nla[NFTA_RULE_POSITION_ID]) { 3072 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]); 3073 if (IS_ERR(old_rule)) { 3074 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 3075 return PTR_ERR(old_rule); 3076 } 3077 } 3078 } 3079 3080 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 3081 3082 n = 0; 3083 size = 0; 3084 if (nla[NFTA_RULE_EXPRESSIONS]) { 3085 info = kvmalloc_array(NFT_RULE_MAXEXPRS, 3086 sizeof(struct nft_expr_info), 3087 GFP_KERNEL); 3088 if (!info) 3089 return -ENOMEM; 3090 3091 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 3092 err = -EINVAL; 3093 if (nla_type(tmp) != NFTA_LIST_ELEM) 3094 goto err1; 3095 if (n == NFT_RULE_MAXEXPRS) 3096 goto err1; 3097 err = nf_tables_expr_parse(&ctx, tmp, &info[n]); 3098 if (err < 0) 3099 goto err1; 3100 size += info[n].ops->size; 3101 n++; 3102 } 3103 } 3104 /* Check for overflow of dlen field */ 3105 err = -EFBIG; 3106 if (size >= 1 << 12) 3107 goto err1; 3108 3109 if (nla[NFTA_RULE_USERDATA]) { 3110 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 3111 if (ulen > 0) 3112 usize = sizeof(struct nft_userdata) + ulen; 3113 } 3114 3115 err = -ENOMEM; 3116 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL); 3117 if (rule == NULL) 3118 goto err1; 3119 3120 nft_activate_next(net, rule); 3121 3122 rule->handle = handle; 3123 rule->dlen = size; 3124 rule->udata = ulen ? 1 : 0; 3125 3126 if (ulen) { 3127 udata = nft_userdata(rule); 3128 udata->len = ulen - 1; 3129 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 3130 } 3131 3132 expr = nft_expr_first(rule); 3133 for (i = 0; i < n; i++) { 3134 err = nf_tables_newexpr(&ctx, &info[i], expr); 3135 if (err < 0) 3136 goto err2; 3137 3138 if (info[i].ops->validate) 3139 nft_validate_state_update(net, NFT_VALIDATE_NEED); 3140 3141 info[i].ops = NULL; 3142 expr = nft_expr_next(expr); 3143 } 3144 3145 if (nlh->nlmsg_flags & NLM_F_REPLACE) { 3146 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3147 if (trans == NULL) { 3148 err = -ENOMEM; 3149 goto err2; 3150 } 3151 err = nft_delrule(&ctx, old_rule); 3152 if (err < 0) { 3153 nft_trans_destroy(trans); 3154 goto err2; 3155 } 3156 3157 list_add_tail_rcu(&rule->list, &old_rule->list); 3158 } else { 3159 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3160 if (!trans) { 3161 err = -ENOMEM; 3162 goto err2; 3163 } 3164 3165 if (nlh->nlmsg_flags & NLM_F_APPEND) { 3166 if (old_rule) 3167 list_add_rcu(&rule->list, &old_rule->list); 3168 else 3169 list_add_tail_rcu(&rule->list, &chain->rules); 3170 } else { 3171 if (old_rule) 3172 list_add_tail_rcu(&rule->list, &old_rule->list); 3173 else 3174 list_add_rcu(&rule->list, &chain->rules); 3175 } 3176 } 3177 kvfree(info); 3178 chain->use++; 3179 3180 if (net->nft.validate_state == NFT_VALIDATE_DO) 3181 return nft_table_validate(net, table); 3182 3183 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 3184 flow = nft_flow_rule_create(net, rule); 3185 if (IS_ERR(flow)) 3186 return PTR_ERR(flow); 3187 3188 nft_trans_flow_rule(trans) = flow; 3189 } 3190 3191 return 0; 3192 err2: 3193 nf_tables_rule_release(&ctx, rule); 3194 err1: 3195 for (i = 0; i < n; i++) { 3196 if (info[i].ops) { 3197 module_put(info[i].ops->type->owner); 3198 if (info[i].ops->type->release_ops) 3199 info[i].ops->type->release_ops(info[i].ops); 3200 } 3201 } 3202 kvfree(info); 3203 return err; 3204 } 3205 3206 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3207 const struct nlattr *nla) 3208 { 3209 u32 id = ntohl(nla_get_be32(nla)); 3210 struct nft_trans *trans; 3211 3212 list_for_each_entry(trans, &net->nft.commit_list, list) { 3213 struct nft_rule *rule = nft_trans_rule(trans); 3214 3215 if (trans->msg_type == NFT_MSG_NEWRULE && 3216 id == nft_trans_rule_id(trans)) 3217 return rule; 3218 } 3219 return ERR_PTR(-ENOENT); 3220 } 3221 3222 static int nf_tables_delrule(struct net *net, struct sock *nlsk, 3223 struct sk_buff *skb, const struct nlmsghdr *nlh, 3224 const struct nlattr * const nla[], 3225 struct netlink_ext_ack *extack) 3226 { 3227 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3228 u8 genmask = nft_genmask_next(net); 3229 struct nft_table *table; 3230 struct nft_chain *chain = NULL; 3231 struct nft_rule *rule; 3232 int family = nfmsg->nfgen_family, err = 0; 3233 struct nft_ctx ctx; 3234 3235 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); 3236 if (IS_ERR(table)) { 3237 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3238 return PTR_ERR(table); 3239 } 3240 3241 if (nla[NFTA_RULE_CHAIN]) { 3242 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3243 genmask); 3244 if (IS_ERR(chain)) { 3245 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3246 return PTR_ERR(chain); 3247 } 3248 } 3249 3250 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 3251 3252 if (chain) { 3253 if (nla[NFTA_RULE_HANDLE]) { 3254 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3255 if (IS_ERR(rule)) { 3256 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3257 return PTR_ERR(rule); 3258 } 3259 3260 err = nft_delrule(&ctx, rule); 3261 } else if (nla[NFTA_RULE_ID]) { 3262 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); 3263 if (IS_ERR(rule)) { 3264 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 3265 return PTR_ERR(rule); 3266 } 3267 3268 err = nft_delrule(&ctx, rule); 3269 } else { 3270 err = nft_delrule_by_chain(&ctx); 3271 } 3272 } else { 3273 list_for_each_entry(chain, &table->chains, list) { 3274 if (!nft_is_active_next(net, chain)) 3275 continue; 3276 3277 ctx.chain = chain; 3278 err = nft_delrule_by_chain(&ctx); 3279 if (err < 0) 3280 break; 3281 } 3282 } 3283 3284 return err; 3285 } 3286 3287 /* 3288 * Sets 3289 */ 3290 static const struct nft_set_type *nft_set_types[] = { 3291 &nft_set_hash_fast_type, 3292 &nft_set_hash_type, 3293 &nft_set_rhash_type, 3294 &nft_set_bitmap_type, 3295 &nft_set_rbtree_type, 3296 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 3297 &nft_set_pipapo_avx2_type, 3298 #endif 3299 &nft_set_pipapo_type, 3300 }; 3301 3302 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 3303 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 3304 NFT_SET_EVAL) 3305 3306 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 3307 { 3308 return (flags & type->features) == (flags & NFT_SET_FEATURES); 3309 } 3310 3311 /* 3312 * Select a set implementation based on the data characteristics and the 3313 * given policy. The total memory use might not be known if no size is 3314 * given, in that case the amount of memory per element is used. 3315 */ 3316 static const struct nft_set_ops * 3317 nft_select_set_ops(const struct nft_ctx *ctx, 3318 const struct nlattr * const nla[], 3319 const struct nft_set_desc *desc, 3320 enum nft_set_policies policy) 3321 { 3322 const struct nft_set_ops *ops, *bops; 3323 struct nft_set_estimate est, best; 3324 const struct nft_set_type *type; 3325 u32 flags = 0; 3326 int i; 3327 3328 lockdep_assert_held(&ctx->net->nft.commit_mutex); 3329 lockdep_nfnl_nft_mutex_not_held(); 3330 3331 if (nla[NFTA_SET_FLAGS] != NULL) 3332 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 3333 3334 bops = NULL; 3335 best.size = ~0; 3336 best.lookup = ~0; 3337 best.space = ~0; 3338 3339 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 3340 type = nft_set_types[i]; 3341 ops = &type->ops; 3342 3343 if (!nft_set_ops_candidate(type, flags)) 3344 continue; 3345 if (!ops->estimate(desc, flags, &est)) 3346 continue; 3347 3348 switch (policy) { 3349 case NFT_SET_POL_PERFORMANCE: 3350 if (est.lookup < best.lookup) 3351 break; 3352 if (est.lookup == best.lookup && 3353 est.space < best.space) 3354 break; 3355 continue; 3356 case NFT_SET_POL_MEMORY: 3357 if (!desc->size) { 3358 if (est.space < best.space) 3359 break; 3360 if (est.space == best.space && 3361 est.lookup < best.lookup) 3362 break; 3363 } else if (est.size < best.size || !bops) { 3364 break; 3365 } 3366 continue; 3367 default: 3368 break; 3369 } 3370 3371 bops = ops; 3372 best = est; 3373 } 3374 3375 if (bops != NULL) 3376 return bops; 3377 3378 return ERR_PTR(-EOPNOTSUPP); 3379 } 3380 3381 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 3382 [NFTA_SET_TABLE] = { .type = NLA_STRING, 3383 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3384 [NFTA_SET_NAME] = { .type = NLA_STRING, 3385 .len = NFT_SET_MAXNAMELEN - 1 }, 3386 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 3387 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 3388 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 3389 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 3390 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 3391 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 3392 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 3393 [NFTA_SET_ID] = { .type = NLA_U32 }, 3394 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 3395 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 3396 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 3397 .len = NFT_USERDATA_MAXLEN }, 3398 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 3399 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 3400 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 3401 }; 3402 3403 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 3404 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 3405 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED }, 3406 }; 3407 3408 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net, 3409 const struct sk_buff *skb, 3410 const struct nlmsghdr *nlh, 3411 const struct nlattr * const nla[], 3412 struct netlink_ext_ack *extack, 3413 u8 genmask) 3414 { 3415 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3416 int family = nfmsg->nfgen_family; 3417 struct nft_table *table = NULL; 3418 3419 if (nla[NFTA_SET_TABLE] != NULL) { 3420 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 3421 genmask); 3422 if (IS_ERR(table)) { 3423 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 3424 return PTR_ERR(table); 3425 } 3426 } 3427 3428 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla); 3429 return 0; 3430 } 3431 3432 static struct nft_set *nft_set_lookup(const struct nft_table *table, 3433 const struct nlattr *nla, u8 genmask) 3434 { 3435 struct nft_set *set; 3436 3437 if (nla == NULL) 3438 return ERR_PTR(-EINVAL); 3439 3440 list_for_each_entry_rcu(set, &table->sets, list) { 3441 if (!nla_strcmp(nla, set->name) && 3442 nft_active_genmask(set, genmask)) 3443 return set; 3444 } 3445 return ERR_PTR(-ENOENT); 3446 } 3447 3448 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 3449 const struct nlattr *nla, 3450 u8 genmask) 3451 { 3452 struct nft_set *set; 3453 3454 list_for_each_entry(set, &table->sets, list) { 3455 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 3456 nft_active_genmask(set, genmask)) 3457 return set; 3458 } 3459 return ERR_PTR(-ENOENT); 3460 } 3461 3462 static struct nft_set *nft_set_lookup_byid(const struct net *net, 3463 const struct nlattr *nla, u8 genmask) 3464 { 3465 struct nft_trans *trans; 3466 u32 id = ntohl(nla_get_be32(nla)); 3467 3468 list_for_each_entry(trans, &net->nft.commit_list, list) { 3469 if (trans->msg_type == NFT_MSG_NEWSET) { 3470 struct nft_set *set = nft_trans_set(trans); 3471 3472 if (id == nft_trans_set_id(trans) && 3473 nft_active_genmask(set, genmask)) 3474 return set; 3475 } 3476 } 3477 return ERR_PTR(-ENOENT); 3478 } 3479 3480 struct nft_set *nft_set_lookup_global(const struct net *net, 3481 const struct nft_table *table, 3482 const struct nlattr *nla_set_name, 3483 const struct nlattr *nla_set_id, 3484 u8 genmask) 3485 { 3486 struct nft_set *set; 3487 3488 set = nft_set_lookup(table, nla_set_name, genmask); 3489 if (IS_ERR(set)) { 3490 if (!nla_set_id) 3491 return set; 3492 3493 set = nft_set_lookup_byid(net, nla_set_id, genmask); 3494 } 3495 return set; 3496 } 3497 EXPORT_SYMBOL_GPL(nft_set_lookup_global); 3498 3499 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 3500 const char *name) 3501 { 3502 const struct nft_set *i; 3503 const char *p; 3504 unsigned long *inuse; 3505 unsigned int n = 0, min = 0; 3506 3507 p = strchr(name, '%'); 3508 if (p != NULL) { 3509 if (p[1] != 'd' || strchr(p + 2, '%')) 3510 return -EINVAL; 3511 3512 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 3513 if (inuse == NULL) 3514 return -ENOMEM; 3515 cont: 3516 list_for_each_entry(i, &ctx->table->sets, list) { 3517 int tmp; 3518 3519 if (!nft_is_active_next(ctx->net, set)) 3520 continue; 3521 if (!sscanf(i->name, name, &tmp)) 3522 continue; 3523 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 3524 continue; 3525 3526 set_bit(tmp - min, inuse); 3527 } 3528 3529 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 3530 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 3531 min += BITS_PER_BYTE * PAGE_SIZE; 3532 memset(inuse, 0, PAGE_SIZE); 3533 goto cont; 3534 } 3535 free_page((unsigned long)inuse); 3536 } 3537 3538 set->name = kasprintf(GFP_KERNEL, name, min + n); 3539 if (!set->name) 3540 return -ENOMEM; 3541 3542 list_for_each_entry(i, &ctx->table->sets, list) { 3543 if (!nft_is_active_next(ctx->net, i)) 3544 continue; 3545 if (!strcmp(set->name, i->name)) { 3546 kfree(set->name); 3547 set->name = NULL; 3548 return -ENFILE; 3549 } 3550 } 3551 return 0; 3552 } 3553 3554 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 3555 { 3556 u64 ms = be64_to_cpu(nla_get_be64(nla)); 3557 u64 max = (u64)(~((u64)0)); 3558 3559 max = div_u64(max, NSEC_PER_MSEC); 3560 if (ms >= max) 3561 return -ERANGE; 3562 3563 ms *= NSEC_PER_MSEC; 3564 *result = nsecs_to_jiffies64(ms); 3565 return 0; 3566 } 3567 3568 static __be64 nf_jiffies64_to_msecs(u64 input) 3569 { 3570 return cpu_to_be64(jiffies64_to_msecs(input)); 3571 } 3572 3573 static int nf_tables_fill_set_concat(struct sk_buff *skb, 3574 const struct nft_set *set) 3575 { 3576 struct nlattr *concat, *field; 3577 int i; 3578 3579 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 3580 if (!concat) 3581 return -ENOMEM; 3582 3583 for (i = 0; i < set->field_count; i++) { 3584 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 3585 if (!field) 3586 return -ENOMEM; 3587 3588 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 3589 htonl(set->field_len[i]))) 3590 return -ENOMEM; 3591 3592 nla_nest_end(skb, field); 3593 } 3594 3595 nla_nest_end(skb, concat); 3596 3597 return 0; 3598 } 3599 3600 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 3601 const struct nft_set *set, u16 event, u16 flags) 3602 { 3603 struct nfgenmsg *nfmsg; 3604 struct nlmsghdr *nlh; 3605 u32 portid = ctx->portid; 3606 struct nlattr *nest; 3607 u32 seq = ctx->seq; 3608 3609 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3610 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 3611 flags); 3612 if (nlh == NULL) 3613 goto nla_put_failure; 3614 3615 nfmsg = nlmsg_data(nlh); 3616 nfmsg->nfgen_family = ctx->family; 3617 nfmsg->version = NFNETLINK_V0; 3618 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 3619 3620 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 3621 goto nla_put_failure; 3622 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 3623 goto nla_put_failure; 3624 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 3625 NFTA_SET_PAD)) 3626 goto nla_put_failure; 3627 if (set->flags != 0) 3628 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 3629 goto nla_put_failure; 3630 3631 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 3632 goto nla_put_failure; 3633 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 3634 goto nla_put_failure; 3635 if (set->flags & NFT_SET_MAP) { 3636 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 3637 goto nla_put_failure; 3638 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 3639 goto nla_put_failure; 3640 } 3641 if (set->flags & NFT_SET_OBJECT && 3642 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 3643 goto nla_put_failure; 3644 3645 if (set->timeout && 3646 nla_put_be64(skb, NFTA_SET_TIMEOUT, 3647 nf_jiffies64_to_msecs(set->timeout), 3648 NFTA_SET_PAD)) 3649 goto nla_put_failure; 3650 if (set->gc_int && 3651 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int))) 3652 goto nla_put_failure; 3653 3654 if (set->policy != NFT_SET_POL_PERFORMANCE) { 3655 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 3656 goto nla_put_failure; 3657 } 3658 3659 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 3660 goto nla_put_failure; 3661 3662 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 3663 if (!nest) 3664 goto nla_put_failure; 3665 if (set->size && 3666 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 3667 goto nla_put_failure; 3668 3669 if (set->field_count > 1 && 3670 nf_tables_fill_set_concat(skb, set)) 3671 goto nla_put_failure; 3672 3673 nla_nest_end(skb, nest); 3674 3675 if (set->expr) { 3676 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 3677 if (nf_tables_fill_expr_info(skb, set->expr) < 0) 3678 goto nla_put_failure; 3679 3680 nla_nest_end(skb, nest); 3681 } 3682 3683 nlmsg_end(skb, nlh); 3684 return 0; 3685 3686 nla_put_failure: 3687 nlmsg_trim(skb, nlh); 3688 return -1; 3689 } 3690 3691 static void nf_tables_set_notify(const struct nft_ctx *ctx, 3692 const struct nft_set *set, int event, 3693 gfp_t gfp_flags) 3694 { 3695 struct sk_buff *skb; 3696 u32 portid = ctx->portid; 3697 int err; 3698 3699 if (!ctx->report && 3700 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3701 return; 3702 3703 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 3704 if (skb == NULL) 3705 goto err; 3706 3707 err = nf_tables_fill_set(skb, ctx, set, event, 0); 3708 if (err < 0) { 3709 kfree_skb(skb); 3710 goto err; 3711 } 3712 3713 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report, 3714 gfp_flags); 3715 return; 3716 err: 3717 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 3718 } 3719 3720 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 3721 { 3722 const struct nft_set *set; 3723 unsigned int idx, s_idx = cb->args[0]; 3724 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 3725 struct net *net = sock_net(skb->sk); 3726 struct nft_ctx *ctx = cb->data, ctx_set; 3727 3728 if (cb->args[1]) 3729 return skb->len; 3730 3731 rcu_read_lock(); 3732 cb->seq = net->nft.base_seq; 3733 3734 list_for_each_entry_rcu(table, &net->nft.tables, list) { 3735 if (ctx->family != NFPROTO_UNSPEC && 3736 ctx->family != table->family) 3737 continue; 3738 3739 if (ctx->table && ctx->table != table) 3740 continue; 3741 3742 if (cur_table) { 3743 if (cur_table != table) 3744 continue; 3745 3746 cur_table = NULL; 3747 } 3748 idx = 0; 3749 list_for_each_entry_rcu(set, &table->sets, list) { 3750 if (idx < s_idx) 3751 goto cont; 3752 if (!nft_is_active(net, set)) 3753 goto cont; 3754 3755 ctx_set = *ctx; 3756 ctx_set.table = table; 3757 ctx_set.family = table->family; 3758 3759 if (nf_tables_fill_set(skb, &ctx_set, set, 3760 NFT_MSG_NEWSET, 3761 NLM_F_MULTI) < 0) { 3762 cb->args[0] = idx; 3763 cb->args[2] = (unsigned long) table; 3764 goto done; 3765 } 3766 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3767 cont: 3768 idx++; 3769 } 3770 if (s_idx) 3771 s_idx = 0; 3772 } 3773 cb->args[1] = 1; 3774 done: 3775 rcu_read_unlock(); 3776 return skb->len; 3777 } 3778 3779 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 3780 { 3781 struct nft_ctx *ctx_dump = NULL; 3782 3783 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 3784 if (ctx_dump == NULL) 3785 return -ENOMEM; 3786 3787 cb->data = ctx_dump; 3788 return 0; 3789 } 3790 3791 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 3792 { 3793 kfree(cb->data); 3794 return 0; 3795 } 3796 3797 /* called with rcu_read_lock held */ 3798 static int nf_tables_getset(struct net *net, struct sock *nlsk, 3799 struct sk_buff *skb, const struct nlmsghdr *nlh, 3800 const struct nlattr * const nla[], 3801 struct netlink_ext_ack *extack) 3802 { 3803 u8 genmask = nft_genmask_cur(net); 3804 const struct nft_set *set; 3805 struct nft_ctx ctx; 3806 struct sk_buff *skb2; 3807 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3808 int err; 3809 3810 /* Verify existence before starting dump */ 3811 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack, 3812 genmask); 3813 if (err < 0) 3814 return err; 3815 3816 if (nlh->nlmsg_flags & NLM_F_DUMP) { 3817 struct netlink_dump_control c = { 3818 .start = nf_tables_dump_sets_start, 3819 .dump = nf_tables_dump_sets, 3820 .done = nf_tables_dump_sets_done, 3821 .data = &ctx, 3822 .module = THIS_MODULE, 3823 }; 3824 3825 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 3826 } 3827 3828 /* Only accept unspec with dump */ 3829 if (nfmsg->nfgen_family == NFPROTO_UNSPEC) 3830 return -EAFNOSUPPORT; 3831 if (!nla[NFTA_SET_TABLE]) 3832 return -EINVAL; 3833 3834 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask); 3835 if (IS_ERR(set)) 3836 return PTR_ERR(set); 3837 3838 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3839 if (skb2 == NULL) 3840 return -ENOMEM; 3841 3842 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 3843 if (err < 0) 3844 goto err; 3845 3846 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 3847 3848 err: 3849 kfree_skb(skb2); 3850 return err; 3851 } 3852 3853 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 3854 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 3855 }; 3856 3857 static int nft_set_desc_concat_parse(const struct nlattr *attr, 3858 struct nft_set_desc *desc) 3859 { 3860 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 3861 u32 len; 3862 int err; 3863 3864 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 3865 nft_concat_policy, NULL); 3866 if (err < 0) 3867 return err; 3868 3869 if (!tb[NFTA_SET_FIELD_LEN]) 3870 return -EINVAL; 3871 3872 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 3873 3874 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT) 3875 return -E2BIG; 3876 3877 desc->field_len[desc->field_count++] = len; 3878 3879 return 0; 3880 } 3881 3882 static int nft_set_desc_concat(struct nft_set_desc *desc, 3883 const struct nlattr *nla) 3884 { 3885 struct nlattr *attr; 3886 int rem, err; 3887 3888 nla_for_each_nested(attr, nla, rem) { 3889 if (nla_type(attr) != NFTA_LIST_ELEM) 3890 return -EINVAL; 3891 3892 err = nft_set_desc_concat_parse(attr, desc); 3893 if (err < 0) 3894 return err; 3895 } 3896 3897 return 0; 3898 } 3899 3900 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 3901 const struct nlattr *nla) 3902 { 3903 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 3904 int err; 3905 3906 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 3907 nft_set_desc_policy, NULL); 3908 if (err < 0) 3909 return err; 3910 3911 if (da[NFTA_SET_DESC_SIZE] != NULL) 3912 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 3913 if (da[NFTA_SET_DESC_CONCAT]) 3914 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 3915 3916 return err; 3917 } 3918 3919 static int nf_tables_newset(struct net *net, struct sock *nlsk, 3920 struct sk_buff *skb, const struct nlmsghdr *nlh, 3921 const struct nlattr * const nla[], 3922 struct netlink_ext_ack *extack) 3923 { 3924 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3925 u8 genmask = nft_genmask_next(net); 3926 int family = nfmsg->nfgen_family; 3927 const struct nft_set_ops *ops; 3928 struct nft_expr *expr = NULL; 3929 struct nft_table *table; 3930 struct nft_set *set; 3931 struct nft_ctx ctx; 3932 char *name; 3933 u64 size; 3934 u64 timeout; 3935 u32 ktype, dtype, flags, policy, gc_int, objtype; 3936 struct nft_set_desc desc; 3937 unsigned char *udata; 3938 u16 udlen; 3939 int err; 3940 int i; 3941 3942 if (nla[NFTA_SET_TABLE] == NULL || 3943 nla[NFTA_SET_NAME] == NULL || 3944 nla[NFTA_SET_KEY_LEN] == NULL || 3945 nla[NFTA_SET_ID] == NULL) 3946 return -EINVAL; 3947 3948 memset(&desc, 0, sizeof(desc)); 3949 3950 ktype = NFT_DATA_VALUE; 3951 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 3952 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 3953 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 3954 return -EINVAL; 3955 } 3956 3957 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 3958 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 3959 return -EINVAL; 3960 3961 flags = 0; 3962 if (nla[NFTA_SET_FLAGS] != NULL) { 3963 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 3964 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 3965 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 3966 NFT_SET_MAP | NFT_SET_EVAL | 3967 NFT_SET_OBJECT | NFT_SET_CONCAT)) 3968 return -EOPNOTSUPP; 3969 /* Only one of these operations is supported */ 3970 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 3971 (NFT_SET_MAP | NFT_SET_OBJECT)) 3972 return -EOPNOTSUPP; 3973 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 3974 (NFT_SET_EVAL | NFT_SET_OBJECT)) 3975 return -EOPNOTSUPP; 3976 } 3977 3978 dtype = 0; 3979 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 3980 if (!(flags & NFT_SET_MAP)) 3981 return -EINVAL; 3982 3983 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 3984 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 3985 dtype != NFT_DATA_VERDICT) 3986 return -EINVAL; 3987 3988 if (dtype != NFT_DATA_VERDICT) { 3989 if (nla[NFTA_SET_DATA_LEN] == NULL) 3990 return -EINVAL; 3991 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 3992 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 3993 return -EINVAL; 3994 } else 3995 desc.dlen = sizeof(struct nft_verdict); 3996 } else if (flags & NFT_SET_MAP) 3997 return -EINVAL; 3998 3999 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 4000 if (!(flags & NFT_SET_OBJECT)) 4001 return -EINVAL; 4002 4003 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 4004 if (objtype == NFT_OBJECT_UNSPEC || 4005 objtype > NFT_OBJECT_MAX) 4006 return -EOPNOTSUPP; 4007 } else if (flags & NFT_SET_OBJECT) 4008 return -EINVAL; 4009 else 4010 objtype = NFT_OBJECT_UNSPEC; 4011 4012 timeout = 0; 4013 if (nla[NFTA_SET_TIMEOUT] != NULL) { 4014 if (!(flags & NFT_SET_TIMEOUT)) 4015 return -EINVAL; 4016 4017 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout); 4018 if (err) 4019 return err; 4020 } 4021 gc_int = 0; 4022 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 4023 if (!(flags & NFT_SET_TIMEOUT)) 4024 return -EINVAL; 4025 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 4026 } 4027 4028 policy = NFT_SET_POL_PERFORMANCE; 4029 if (nla[NFTA_SET_POLICY] != NULL) 4030 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 4031 4032 if (nla[NFTA_SET_DESC] != NULL) { 4033 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 4034 if (err < 0) 4035 return err; 4036 } 4037 4038 if (nla[NFTA_SET_EXPR]) 4039 desc.expr = true; 4040 4041 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask); 4042 if (IS_ERR(table)) { 4043 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4044 return PTR_ERR(table); 4045 } 4046 4047 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 4048 4049 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4050 if (IS_ERR(set)) { 4051 if (PTR_ERR(set) != -ENOENT) { 4052 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4053 return PTR_ERR(set); 4054 } 4055 } else { 4056 if (nlh->nlmsg_flags & NLM_F_EXCL) { 4057 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4058 return -EEXIST; 4059 } 4060 if (nlh->nlmsg_flags & NLM_F_REPLACE) 4061 return -EOPNOTSUPP; 4062 4063 return 0; 4064 } 4065 4066 if (!(nlh->nlmsg_flags & NLM_F_CREATE)) 4067 return -ENOENT; 4068 4069 ops = nft_select_set_ops(&ctx, nla, &desc, policy); 4070 if (IS_ERR(ops)) 4071 return PTR_ERR(ops); 4072 4073 udlen = 0; 4074 if (nla[NFTA_SET_USERDATA]) 4075 udlen = nla_len(nla[NFTA_SET_USERDATA]); 4076 4077 size = 0; 4078 if (ops->privsize != NULL) 4079 size = ops->privsize(nla, &desc); 4080 4081 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL); 4082 if (!set) 4083 return -ENOMEM; 4084 4085 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL); 4086 if (!name) { 4087 err = -ENOMEM; 4088 goto err_set_name; 4089 } 4090 4091 err = nf_tables_set_alloc_name(&ctx, set, name); 4092 kfree(name); 4093 if (err < 0) 4094 goto err_set_alloc_name; 4095 4096 if (nla[NFTA_SET_EXPR]) { 4097 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]); 4098 if (IS_ERR(expr)) { 4099 err = PTR_ERR(expr); 4100 goto err_set_alloc_name; 4101 } 4102 } 4103 4104 udata = NULL; 4105 if (udlen) { 4106 udata = set->data + size; 4107 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 4108 } 4109 4110 INIT_LIST_HEAD(&set->bindings); 4111 set->table = table; 4112 write_pnet(&set->net, net); 4113 set->ops = ops; 4114 set->ktype = ktype; 4115 set->klen = desc.klen; 4116 set->dtype = dtype; 4117 set->objtype = objtype; 4118 set->dlen = desc.dlen; 4119 set->expr = expr; 4120 set->flags = flags; 4121 set->size = desc.size; 4122 set->policy = policy; 4123 set->udlen = udlen; 4124 set->udata = udata; 4125 set->timeout = timeout; 4126 set->gc_int = gc_int; 4127 set->handle = nf_tables_alloc_handle(table); 4128 4129 set->field_count = desc.field_count; 4130 for (i = 0; i < desc.field_count; i++) 4131 set->field_len[i] = desc.field_len[i]; 4132 4133 err = ops->init(set, &desc, nla); 4134 if (err < 0) 4135 goto err_set_init; 4136 4137 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 4138 if (err < 0) 4139 goto err_set_trans; 4140 4141 list_add_tail_rcu(&set->list, &table->sets); 4142 table->use++; 4143 return 0; 4144 4145 err_set_trans: 4146 ops->destroy(set); 4147 err_set_init: 4148 if (expr) 4149 nft_expr_destroy(&ctx, expr); 4150 err_set_alloc_name: 4151 kfree(set->name); 4152 err_set_name: 4153 kvfree(set); 4154 return err; 4155 } 4156 4157 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 4158 { 4159 if (WARN_ON(set->use > 0)) 4160 return; 4161 4162 if (set->expr) 4163 nft_expr_destroy(ctx, set->expr); 4164 4165 set->ops->destroy(set); 4166 kfree(set->name); 4167 kvfree(set); 4168 } 4169 4170 static int nf_tables_delset(struct net *net, struct sock *nlsk, 4171 struct sk_buff *skb, const struct nlmsghdr *nlh, 4172 const struct nlattr * const nla[], 4173 struct netlink_ext_ack *extack) 4174 { 4175 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 4176 u8 genmask = nft_genmask_next(net); 4177 const struct nlattr *attr; 4178 struct nft_set *set; 4179 struct nft_ctx ctx; 4180 int err; 4181 4182 if (nfmsg->nfgen_family == NFPROTO_UNSPEC) 4183 return -EAFNOSUPPORT; 4184 if (nla[NFTA_SET_TABLE] == NULL) 4185 return -EINVAL; 4186 4187 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack, 4188 genmask); 4189 if (err < 0) 4190 return err; 4191 4192 if (nla[NFTA_SET_HANDLE]) { 4193 attr = nla[NFTA_SET_HANDLE]; 4194 set = nft_set_lookup_byhandle(ctx.table, attr, genmask); 4195 } else { 4196 attr = nla[NFTA_SET_NAME]; 4197 set = nft_set_lookup(ctx.table, attr, genmask); 4198 } 4199 4200 if (IS_ERR(set)) { 4201 NL_SET_BAD_ATTR(extack, attr); 4202 return PTR_ERR(set); 4203 } 4204 if (set->use || 4205 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) { 4206 NL_SET_BAD_ATTR(extack, attr); 4207 return -EBUSY; 4208 } 4209 4210 return nft_delset(&ctx, set); 4211 } 4212 4213 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 4214 struct nft_set *set, 4215 const struct nft_set_iter *iter, 4216 struct nft_set_elem *elem) 4217 { 4218 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4219 enum nft_registers dreg; 4220 4221 dreg = nft_type_to_reg(set->dtype); 4222 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 4223 set->dtype == NFT_DATA_VERDICT ? 4224 NFT_DATA_VERDICT : NFT_DATA_VALUE, 4225 set->dlen); 4226 } 4227 4228 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 4229 struct nft_set_binding *binding) 4230 { 4231 struct nft_set_binding *i; 4232 struct nft_set_iter iter; 4233 4234 if (set->use == UINT_MAX) 4235 return -EOVERFLOW; 4236 4237 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4238 return -EBUSY; 4239 4240 if (binding->flags & NFT_SET_MAP) { 4241 /* If the set is already bound to the same chain all 4242 * jumps are already validated for that chain. 4243 */ 4244 list_for_each_entry(i, &set->bindings, list) { 4245 if (i->flags & NFT_SET_MAP && 4246 i->chain == binding->chain) 4247 goto bind; 4248 } 4249 4250 iter.genmask = nft_genmask_next(ctx->net); 4251 iter.skip = 0; 4252 iter.count = 0; 4253 iter.err = 0; 4254 iter.fn = nf_tables_bind_check_setelem; 4255 4256 set->ops->walk(ctx, set, &iter); 4257 if (iter.err < 0) 4258 return iter.err; 4259 } 4260 bind: 4261 binding->chain = ctx->chain; 4262 list_add_tail_rcu(&binding->list, &set->bindings); 4263 nft_set_trans_bind(ctx, set); 4264 set->use++; 4265 4266 return 0; 4267 } 4268 EXPORT_SYMBOL_GPL(nf_tables_bind_set); 4269 4270 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 4271 struct nft_set_binding *binding, bool event) 4272 { 4273 list_del_rcu(&binding->list); 4274 4275 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 4276 list_del_rcu(&set->list); 4277 if (event) 4278 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 4279 GFP_KERNEL); 4280 } 4281 } 4282 4283 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 4284 struct nft_set_binding *binding, 4285 enum nft_trans_phase phase) 4286 { 4287 switch (phase) { 4288 case NFT_TRANS_PREPARE: 4289 set->use--; 4290 return; 4291 case NFT_TRANS_ABORT: 4292 case NFT_TRANS_RELEASE: 4293 set->use--; 4294 /* fall through */ 4295 default: 4296 nf_tables_unbind_set(ctx, set, binding, 4297 phase == NFT_TRANS_COMMIT); 4298 } 4299 } 4300 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 4301 4302 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 4303 { 4304 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4305 nft_set_destroy(ctx, set); 4306 } 4307 EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 4308 4309 const struct nft_set_ext_type nft_set_ext_types[] = { 4310 [NFT_SET_EXT_KEY] = { 4311 .align = __alignof__(u32), 4312 }, 4313 [NFT_SET_EXT_DATA] = { 4314 .align = __alignof__(u32), 4315 }, 4316 [NFT_SET_EXT_EXPR] = { 4317 .align = __alignof__(struct nft_expr), 4318 }, 4319 [NFT_SET_EXT_OBJREF] = { 4320 .len = sizeof(struct nft_object *), 4321 .align = __alignof__(struct nft_object *), 4322 }, 4323 [NFT_SET_EXT_FLAGS] = { 4324 .len = sizeof(u8), 4325 .align = __alignof__(u8), 4326 }, 4327 [NFT_SET_EXT_TIMEOUT] = { 4328 .len = sizeof(u64), 4329 .align = __alignof__(u64), 4330 }, 4331 [NFT_SET_EXT_EXPIRATION] = { 4332 .len = sizeof(u64), 4333 .align = __alignof__(u64), 4334 }, 4335 [NFT_SET_EXT_USERDATA] = { 4336 .len = sizeof(struct nft_userdata), 4337 .align = __alignof__(struct nft_userdata), 4338 }, 4339 [NFT_SET_EXT_KEY_END] = { 4340 .align = __alignof__(u32), 4341 }, 4342 }; 4343 4344 /* 4345 * Set elements 4346 */ 4347 4348 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 4349 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 4350 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 4351 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 4352 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 4353 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 4354 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 4355 .len = NFT_USERDATA_MAXLEN }, 4356 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 4357 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 4358 .len = NFT_OBJ_MAXNAMELEN - 1 }, 4359 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 4360 }; 4361 4362 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 4363 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 4364 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4365 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 4366 .len = NFT_SET_MAXNAMELEN - 1 }, 4367 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED }, 4368 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 4369 }; 4370 4371 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net, 4372 const struct sk_buff *skb, 4373 const struct nlmsghdr *nlh, 4374 const struct nlattr * const nla[], 4375 struct netlink_ext_ack *extack, 4376 u8 genmask) 4377 { 4378 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 4379 int family = nfmsg->nfgen_family; 4380 struct nft_table *table; 4381 4382 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 4383 genmask); 4384 if (IS_ERR(table)) { 4385 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 4386 return PTR_ERR(table); 4387 } 4388 4389 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla); 4390 return 0; 4391 } 4392 4393 static int nf_tables_fill_setelem(struct sk_buff *skb, 4394 const struct nft_set *set, 4395 const struct nft_set_elem *elem) 4396 { 4397 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4398 unsigned char *b = skb_tail_pointer(skb); 4399 struct nlattr *nest; 4400 4401 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4402 if (nest == NULL) 4403 goto nla_put_failure; 4404 4405 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 4406 NFT_DATA_VALUE, set->klen) < 0) 4407 goto nla_put_failure; 4408 4409 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 4410 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 4411 NFT_DATA_VALUE, set->klen) < 0) 4412 goto nla_put_failure; 4413 4414 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 4415 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 4416 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, 4417 set->dlen) < 0) 4418 goto nla_put_failure; 4419 4420 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) && 4421 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0) 4422 goto nla_put_failure; 4423 4424 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 4425 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 4426 (*nft_set_ext_obj(ext))->key.name) < 0) 4427 goto nla_put_failure; 4428 4429 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 4430 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 4431 htonl(*nft_set_ext_flags(ext)))) 4432 goto nla_put_failure; 4433 4434 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 4435 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 4436 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)), 4437 NFTA_SET_ELEM_PAD)) 4438 goto nla_put_failure; 4439 4440 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 4441 u64 expires, now = get_jiffies_64(); 4442 4443 expires = *nft_set_ext_expiration(ext); 4444 if (time_before64(now, expires)) 4445 expires -= now; 4446 else 4447 expires = 0; 4448 4449 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 4450 nf_jiffies64_to_msecs(expires), 4451 NFTA_SET_ELEM_PAD)) 4452 goto nla_put_failure; 4453 } 4454 4455 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 4456 struct nft_userdata *udata; 4457 4458 udata = nft_set_ext_userdata(ext); 4459 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 4460 udata->len + 1, udata->data)) 4461 goto nla_put_failure; 4462 } 4463 4464 nla_nest_end(skb, nest); 4465 return 0; 4466 4467 nla_put_failure: 4468 nlmsg_trim(skb, b); 4469 return -EMSGSIZE; 4470 } 4471 4472 struct nft_set_dump_args { 4473 const struct netlink_callback *cb; 4474 struct nft_set_iter iter; 4475 struct sk_buff *skb; 4476 }; 4477 4478 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 4479 struct nft_set *set, 4480 const struct nft_set_iter *iter, 4481 struct nft_set_elem *elem) 4482 { 4483 struct nft_set_dump_args *args; 4484 4485 args = container_of(iter, struct nft_set_dump_args, iter); 4486 return nf_tables_fill_setelem(args->skb, set, elem); 4487 } 4488 4489 struct nft_set_dump_ctx { 4490 const struct nft_set *set; 4491 struct nft_ctx ctx; 4492 }; 4493 4494 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 4495 { 4496 struct nft_set_dump_ctx *dump_ctx = cb->data; 4497 struct net *net = sock_net(skb->sk); 4498 struct nft_table *table; 4499 struct nft_set *set; 4500 struct nft_set_dump_args args; 4501 bool set_found = false; 4502 struct nfgenmsg *nfmsg; 4503 struct nlmsghdr *nlh; 4504 struct nlattr *nest; 4505 u32 portid, seq; 4506 int event; 4507 4508 rcu_read_lock(); 4509 list_for_each_entry_rcu(table, &net->nft.tables, list) { 4510 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 4511 dump_ctx->ctx.family != table->family) 4512 continue; 4513 4514 if (table != dump_ctx->ctx.table) 4515 continue; 4516 4517 list_for_each_entry_rcu(set, &table->sets, list) { 4518 if (set == dump_ctx->set) { 4519 set_found = true; 4520 break; 4521 } 4522 } 4523 break; 4524 } 4525 4526 if (!set_found) { 4527 rcu_read_unlock(); 4528 return -ENOENT; 4529 } 4530 4531 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 4532 portid = NETLINK_CB(cb->skb).portid; 4533 seq = cb->nlh->nlmsg_seq; 4534 4535 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 4536 NLM_F_MULTI); 4537 if (nlh == NULL) 4538 goto nla_put_failure; 4539 4540 nfmsg = nlmsg_data(nlh); 4541 nfmsg->nfgen_family = table->family; 4542 nfmsg->version = NFNETLINK_V0; 4543 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 4544 4545 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 4546 goto nla_put_failure; 4547 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 4548 goto nla_put_failure; 4549 4550 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 4551 if (nest == NULL) 4552 goto nla_put_failure; 4553 4554 args.cb = cb; 4555 args.skb = skb; 4556 args.iter.genmask = nft_genmask_cur(net); 4557 args.iter.skip = cb->args[0]; 4558 args.iter.count = 0; 4559 args.iter.err = 0; 4560 args.iter.fn = nf_tables_dump_setelem; 4561 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 4562 rcu_read_unlock(); 4563 4564 nla_nest_end(skb, nest); 4565 nlmsg_end(skb, nlh); 4566 4567 if (args.iter.err && args.iter.err != -EMSGSIZE) 4568 return args.iter.err; 4569 if (args.iter.count == cb->args[0]) 4570 return 0; 4571 4572 cb->args[0] = args.iter.count; 4573 return skb->len; 4574 4575 nla_put_failure: 4576 rcu_read_unlock(); 4577 return -ENOSPC; 4578 } 4579 4580 static int nf_tables_dump_set_start(struct netlink_callback *cb) 4581 { 4582 struct nft_set_dump_ctx *dump_ctx = cb->data; 4583 4584 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 4585 4586 return cb->data ? 0 : -ENOMEM; 4587 } 4588 4589 static int nf_tables_dump_set_done(struct netlink_callback *cb) 4590 { 4591 kfree(cb->data); 4592 return 0; 4593 } 4594 4595 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 4596 const struct nft_ctx *ctx, u32 seq, 4597 u32 portid, int event, u16 flags, 4598 const struct nft_set *set, 4599 const struct nft_set_elem *elem) 4600 { 4601 struct nfgenmsg *nfmsg; 4602 struct nlmsghdr *nlh; 4603 struct nlattr *nest; 4604 int err; 4605 4606 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 4607 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 4608 flags); 4609 if (nlh == NULL) 4610 goto nla_put_failure; 4611 4612 nfmsg = nlmsg_data(nlh); 4613 nfmsg->nfgen_family = ctx->family; 4614 nfmsg->version = NFNETLINK_V0; 4615 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 4616 4617 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 4618 goto nla_put_failure; 4619 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 4620 goto nla_put_failure; 4621 4622 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 4623 if (nest == NULL) 4624 goto nla_put_failure; 4625 4626 err = nf_tables_fill_setelem(skb, set, elem); 4627 if (err < 0) 4628 goto nla_put_failure; 4629 4630 nla_nest_end(skb, nest); 4631 4632 nlmsg_end(skb, nlh); 4633 return 0; 4634 4635 nla_put_failure: 4636 nlmsg_trim(skb, nlh); 4637 return -1; 4638 } 4639 4640 static int nft_setelem_parse_flags(const struct nft_set *set, 4641 const struct nlattr *attr, u32 *flags) 4642 { 4643 if (attr == NULL) 4644 return 0; 4645 4646 *flags = ntohl(nla_get_be32(attr)); 4647 if (*flags & ~NFT_SET_ELEM_INTERVAL_END) 4648 return -EINVAL; 4649 if (!(set->flags & NFT_SET_INTERVAL) && 4650 *flags & NFT_SET_ELEM_INTERVAL_END) 4651 return -EINVAL; 4652 4653 return 0; 4654 } 4655 4656 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set, 4657 struct nft_data *key, struct nlattr *attr) 4658 { 4659 struct nft_data_desc desc; 4660 int err; 4661 4662 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr); 4663 if (err < 0) 4664 return err; 4665 4666 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) { 4667 nft_data_release(key, desc.type); 4668 return -EINVAL; 4669 } 4670 4671 return 0; 4672 } 4673 4674 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 4675 struct nft_data_desc *desc, 4676 struct nft_data *data, 4677 struct nlattr *attr) 4678 { 4679 int err; 4680 4681 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr); 4682 if (err < 0) 4683 return err; 4684 4685 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) { 4686 nft_data_release(data, desc->type); 4687 return -EINVAL; 4688 } 4689 4690 return 0; 4691 } 4692 4693 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, 4694 const struct nlattr *attr) 4695 { 4696 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 4697 struct nft_set_elem elem; 4698 struct sk_buff *skb; 4699 uint32_t flags = 0; 4700 void *priv; 4701 int err; 4702 4703 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 4704 nft_set_elem_policy, NULL); 4705 if (err < 0) 4706 return err; 4707 4708 if (!nla[NFTA_SET_ELEM_KEY]) 4709 return -EINVAL; 4710 4711 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 4712 if (err < 0) 4713 return err; 4714 4715 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 4716 nla[NFTA_SET_ELEM_KEY]); 4717 if (err < 0) 4718 return err; 4719 4720 if (nla[NFTA_SET_ELEM_KEY_END]) { 4721 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 4722 nla[NFTA_SET_ELEM_KEY_END]); 4723 if (err < 0) 4724 return err; 4725 } 4726 4727 priv = set->ops->get(ctx->net, set, &elem, flags); 4728 if (IS_ERR(priv)) 4729 return PTR_ERR(priv); 4730 4731 elem.priv = priv; 4732 4733 err = -ENOMEM; 4734 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 4735 if (skb == NULL) 4736 goto err1; 4737 4738 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 4739 NFT_MSG_NEWSETELEM, 0, set, &elem); 4740 if (err < 0) 4741 goto err2; 4742 4743 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT); 4744 /* This avoids a loop in nfnetlink. */ 4745 if (err < 0) 4746 goto err1; 4747 4748 return 0; 4749 err2: 4750 kfree_skb(skb); 4751 err1: 4752 /* this avoids a loop in nfnetlink. */ 4753 return err == -EAGAIN ? -ENOBUFS : err; 4754 } 4755 4756 /* called with rcu_read_lock held */ 4757 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk, 4758 struct sk_buff *skb, const struct nlmsghdr *nlh, 4759 const struct nlattr * const nla[], 4760 struct netlink_ext_ack *extack) 4761 { 4762 u8 genmask = nft_genmask_cur(net); 4763 struct nft_set *set; 4764 struct nlattr *attr; 4765 struct nft_ctx ctx; 4766 int rem, err = 0; 4767 4768 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 4769 genmask); 4770 if (err < 0) 4771 return err; 4772 4773 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 4774 if (IS_ERR(set)) 4775 return PTR_ERR(set); 4776 4777 if (nlh->nlmsg_flags & NLM_F_DUMP) { 4778 struct netlink_dump_control c = { 4779 .start = nf_tables_dump_set_start, 4780 .dump = nf_tables_dump_set, 4781 .done = nf_tables_dump_set_done, 4782 .module = THIS_MODULE, 4783 }; 4784 struct nft_set_dump_ctx dump_ctx = { 4785 .set = set, 4786 .ctx = ctx, 4787 }; 4788 4789 c.data = &dump_ctx; 4790 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 4791 } 4792 4793 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 4794 return -EINVAL; 4795 4796 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 4797 err = nft_get_set_elem(&ctx, set, attr); 4798 if (err < 0) 4799 break; 4800 } 4801 4802 return err; 4803 } 4804 4805 static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 4806 const struct nft_set *set, 4807 const struct nft_set_elem *elem, 4808 int event, u16 flags) 4809 { 4810 struct net *net = ctx->net; 4811 u32 portid = ctx->portid; 4812 struct sk_buff *skb; 4813 int err; 4814 4815 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 4816 return; 4817 4818 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 4819 if (skb == NULL) 4820 goto err; 4821 4822 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 4823 set, elem); 4824 if (err < 0) { 4825 kfree_skb(skb); 4826 goto err; 4827 } 4828 4829 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report, 4830 GFP_KERNEL); 4831 return; 4832 err: 4833 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 4834 } 4835 4836 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 4837 int msg_type, 4838 struct nft_set *set) 4839 { 4840 struct nft_trans *trans; 4841 4842 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 4843 if (trans == NULL) 4844 return NULL; 4845 4846 nft_trans_elem_set(trans) = set; 4847 return trans; 4848 } 4849 4850 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 4851 const struct nft_set *set, 4852 const struct nlattr *attr) 4853 { 4854 struct nft_expr *expr; 4855 int err; 4856 4857 expr = nft_expr_init(ctx, attr); 4858 if (IS_ERR(expr)) 4859 return expr; 4860 4861 err = -EOPNOTSUPP; 4862 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL)) 4863 goto err_set_elem_expr; 4864 4865 if (expr->ops->type->flags & NFT_EXPR_GC) { 4866 if (set->flags & NFT_SET_TIMEOUT) 4867 goto err_set_elem_expr; 4868 if (!set->ops->gc_init) 4869 goto err_set_elem_expr; 4870 set->ops->gc_init(set); 4871 } 4872 4873 return expr; 4874 4875 err_set_elem_expr: 4876 nft_expr_destroy(ctx, expr); 4877 return ERR_PTR(err); 4878 } 4879 4880 void *nft_set_elem_init(const struct nft_set *set, 4881 const struct nft_set_ext_tmpl *tmpl, 4882 const u32 *key, const u32 *key_end, 4883 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp) 4884 { 4885 struct nft_set_ext *ext; 4886 void *elem; 4887 4888 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 4889 if (elem == NULL) 4890 return NULL; 4891 4892 ext = nft_set_elem_ext(set, elem); 4893 nft_set_ext_init(ext, tmpl); 4894 4895 memcpy(nft_set_ext_key(ext), key, set->klen); 4896 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) 4897 memcpy(nft_set_ext_key_end(ext), key_end, set->klen); 4898 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 4899 memcpy(nft_set_ext_data(ext), data, set->dlen); 4900 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 4901 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration; 4902 if (expiration == 0) 4903 *nft_set_ext_expiration(ext) += timeout; 4904 } 4905 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 4906 *nft_set_ext_timeout(ext) = timeout; 4907 4908 return elem; 4909 } 4910 4911 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 4912 struct nft_expr *expr) 4913 { 4914 if (expr->ops->destroy_clone) { 4915 expr->ops->destroy_clone(ctx, expr); 4916 module_put(expr->ops->type->owner); 4917 } else { 4918 nf_tables_expr_destroy(ctx, expr); 4919 } 4920 } 4921 4922 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 4923 bool destroy_expr) 4924 { 4925 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 4926 struct nft_ctx ctx = { 4927 .net = read_pnet(&set->net), 4928 .family = set->table->family, 4929 }; 4930 4931 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 4932 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 4933 nft_data_release(nft_set_ext_data(ext), set->dtype); 4934 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) 4935 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext)); 4936 4937 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 4938 (*nft_set_ext_obj(ext))->use--; 4939 kfree(elem); 4940 } 4941 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 4942 4943 /* Only called from commit path, nft_set_elem_deactivate() already deals with 4944 * the refcounting from the preparation phase. 4945 */ 4946 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 4947 const struct nft_set *set, void *elem) 4948 { 4949 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 4950 4951 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) 4952 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 4953 4954 kfree(elem); 4955 } 4956 4957 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 4958 const struct nlattr *attr, u32 nlmsg_flags) 4959 { 4960 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 4961 u8 genmask = nft_genmask_next(ctx->net); 4962 struct nft_set_ext_tmpl tmpl; 4963 struct nft_set_ext *ext, *ext2; 4964 struct nft_set_elem elem; 4965 struct nft_set_binding *binding; 4966 struct nft_object *obj = NULL; 4967 struct nft_expr *expr = NULL; 4968 struct nft_userdata *udata; 4969 struct nft_data_desc desc; 4970 enum nft_registers dreg; 4971 struct nft_trans *trans; 4972 u32 flags = 0; 4973 u64 timeout; 4974 u64 expiration; 4975 u8 ulen; 4976 int err; 4977 4978 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 4979 nft_set_elem_policy, NULL); 4980 if (err < 0) 4981 return err; 4982 4983 if (nla[NFTA_SET_ELEM_KEY] == NULL) 4984 return -EINVAL; 4985 4986 nft_set_ext_prepare(&tmpl); 4987 4988 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 4989 if (err < 0) 4990 return err; 4991 if (flags != 0) 4992 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 4993 4994 if (set->flags & NFT_SET_MAP) { 4995 if (nla[NFTA_SET_ELEM_DATA] == NULL && 4996 !(flags & NFT_SET_ELEM_INTERVAL_END)) 4997 return -EINVAL; 4998 } else { 4999 if (nla[NFTA_SET_ELEM_DATA] != NULL) 5000 return -EINVAL; 5001 } 5002 5003 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 5004 (nla[NFTA_SET_ELEM_DATA] || 5005 nla[NFTA_SET_ELEM_OBJREF] || 5006 nla[NFTA_SET_ELEM_TIMEOUT] || 5007 nla[NFTA_SET_ELEM_EXPIRATION] || 5008 nla[NFTA_SET_ELEM_USERDATA] || 5009 nla[NFTA_SET_ELEM_EXPR])) 5010 return -EINVAL; 5011 5012 timeout = 0; 5013 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 5014 if (!(set->flags & NFT_SET_TIMEOUT)) 5015 return -EINVAL; 5016 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 5017 &timeout); 5018 if (err) 5019 return err; 5020 } else if (set->flags & NFT_SET_TIMEOUT) { 5021 timeout = set->timeout; 5022 } 5023 5024 expiration = 0; 5025 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 5026 if (!(set->flags & NFT_SET_TIMEOUT)) 5027 return -EINVAL; 5028 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 5029 &expiration); 5030 if (err) 5031 return err; 5032 } 5033 5034 if (nla[NFTA_SET_ELEM_EXPR] != NULL) { 5035 expr = nft_set_elem_expr_alloc(ctx, set, 5036 nla[NFTA_SET_ELEM_EXPR]); 5037 if (IS_ERR(expr)) 5038 return PTR_ERR(expr); 5039 5040 err = -EOPNOTSUPP; 5041 if (set->expr && set->expr->ops != expr->ops) 5042 goto err_set_elem_expr; 5043 } else if (set->expr) { 5044 expr = kzalloc(set->expr->ops->size, GFP_KERNEL); 5045 if (!expr) 5046 return -ENOMEM; 5047 5048 err = nft_expr_clone(expr, set->expr); 5049 if (err < 0) 5050 goto err_set_elem_expr; 5051 } 5052 5053 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5054 nla[NFTA_SET_ELEM_KEY]); 5055 if (err < 0) 5056 goto err_set_elem_expr; 5057 5058 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 5059 5060 if (nla[NFTA_SET_ELEM_KEY_END]) { 5061 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5062 nla[NFTA_SET_ELEM_KEY_END]); 5063 if (err < 0) 5064 goto err_parse_key; 5065 5066 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 5067 } 5068 5069 if (timeout > 0) { 5070 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION); 5071 if (timeout != set->timeout) 5072 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 5073 } 5074 5075 if (expr) 5076 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR, 5077 expr->ops->size); 5078 5079 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 5080 if (!(set->flags & NFT_SET_OBJECT)) { 5081 err = -EINVAL; 5082 goto err_parse_key_end; 5083 } 5084 obj = nft_obj_lookup(ctx->net, ctx->table, 5085 nla[NFTA_SET_ELEM_OBJREF], 5086 set->objtype, genmask); 5087 if (IS_ERR(obj)) { 5088 err = PTR_ERR(obj); 5089 goto err_parse_key_end; 5090 } 5091 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 5092 } 5093 5094 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 5095 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 5096 nla[NFTA_SET_ELEM_DATA]); 5097 if (err < 0) 5098 goto err_parse_key_end; 5099 5100 dreg = nft_type_to_reg(set->dtype); 5101 list_for_each_entry(binding, &set->bindings, list) { 5102 struct nft_ctx bind_ctx = { 5103 .net = ctx->net, 5104 .family = ctx->family, 5105 .table = ctx->table, 5106 .chain = (struct nft_chain *)binding->chain, 5107 }; 5108 5109 if (!(binding->flags & NFT_SET_MAP)) 5110 continue; 5111 5112 err = nft_validate_register_store(&bind_ctx, dreg, 5113 &elem.data.val, 5114 desc.type, desc.len); 5115 if (err < 0) 5116 goto err_parse_data; 5117 5118 if (desc.type == NFT_DATA_VERDICT && 5119 (elem.data.val.verdict.code == NFT_GOTO || 5120 elem.data.val.verdict.code == NFT_JUMP)) 5121 nft_validate_state_update(ctx->net, 5122 NFT_VALIDATE_NEED); 5123 } 5124 5125 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 5126 } 5127 5128 /* The full maximum length of userdata can exceed the maximum 5129 * offset value (U8_MAX) for following extensions, therefor it 5130 * must be the last extension added. 5131 */ 5132 ulen = 0; 5133 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 5134 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 5135 if (ulen > 0) 5136 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 5137 ulen); 5138 } 5139 5140 err = -ENOMEM; 5141 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 5142 elem.key_end.val.data, elem.data.val.data, 5143 timeout, expiration, GFP_KERNEL); 5144 if (elem.priv == NULL) 5145 goto err_parse_data; 5146 5147 ext = nft_set_elem_ext(set, elem.priv); 5148 if (flags) 5149 *nft_set_ext_flags(ext) = flags; 5150 if (ulen > 0) { 5151 udata = nft_set_ext_userdata(ext); 5152 udata->len = ulen - 1; 5153 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 5154 } 5155 if (obj) { 5156 *nft_set_ext_obj(ext) = obj; 5157 obj->use++; 5158 } 5159 if (expr) { 5160 memcpy(nft_set_ext_expr(ext), expr, expr->ops->size); 5161 kfree(expr); 5162 expr = NULL; 5163 } 5164 5165 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 5166 if (trans == NULL) 5167 goto err_trans; 5168 5169 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; 5170 err = set->ops->insert(ctx->net, set, &elem, &ext2); 5171 if (err) { 5172 if (err == -EEXIST) { 5173 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 5174 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 5175 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 5176 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) { 5177 err = -EBUSY; 5178 goto err_element_clash; 5179 } 5180 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 5181 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 5182 memcmp(nft_set_ext_data(ext), 5183 nft_set_ext_data(ext2), set->dlen) != 0) || 5184 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 5185 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 5186 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 5187 err = -EBUSY; 5188 else if (!(nlmsg_flags & NLM_F_EXCL)) 5189 err = 0; 5190 } else if (err == -ENOTEMPTY) { 5191 /* ENOTEMPTY reports overlapping between this element 5192 * and an existing one. 5193 */ 5194 err = -EEXIST; 5195 } 5196 goto err_element_clash; 5197 } 5198 5199 if (set->size && 5200 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) { 5201 err = -ENFILE; 5202 goto err_set_full; 5203 } 5204 5205 nft_trans_elem(trans) = elem; 5206 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5207 return 0; 5208 5209 err_set_full: 5210 set->ops->remove(ctx->net, set, &elem); 5211 err_element_clash: 5212 kfree(trans); 5213 err_trans: 5214 if (obj) 5215 obj->use--; 5216 5217 nf_tables_set_elem_destroy(ctx, set, elem.priv); 5218 err_parse_data: 5219 if (nla[NFTA_SET_ELEM_DATA] != NULL) 5220 nft_data_release(&elem.data.val, desc.type); 5221 err_parse_key_end: 5222 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 5223 err_parse_key: 5224 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 5225 err_set_elem_expr: 5226 if (expr != NULL) 5227 nft_expr_destroy(ctx, expr); 5228 5229 return err; 5230 } 5231 5232 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk, 5233 struct sk_buff *skb, const struct nlmsghdr *nlh, 5234 const struct nlattr * const nla[], 5235 struct netlink_ext_ack *extack) 5236 { 5237 u8 genmask = nft_genmask_next(net); 5238 const struct nlattr *attr; 5239 struct nft_set *set; 5240 struct nft_ctx ctx; 5241 int rem, err; 5242 5243 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 5244 return -EINVAL; 5245 5246 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 5247 genmask); 5248 if (err < 0) 5249 return err; 5250 5251 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET], 5252 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 5253 if (IS_ERR(set)) 5254 return PTR_ERR(set); 5255 5256 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 5257 return -EBUSY; 5258 5259 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5260 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags); 5261 if (err < 0) 5262 return err; 5263 } 5264 5265 if (net->nft.validate_state == NFT_VALIDATE_DO) 5266 return nft_table_validate(net, ctx.table); 5267 5268 return 0; 5269 } 5270 5271 /** 5272 * nft_data_hold - hold a nft_data item 5273 * 5274 * @data: struct nft_data to release 5275 * @type: type of data 5276 * 5277 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 5278 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 5279 * NFT_GOTO verdicts. This function must be called on active data objects 5280 * from the second phase of the commit protocol. 5281 */ 5282 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 5283 { 5284 if (type == NFT_DATA_VERDICT) { 5285 switch (data->verdict.code) { 5286 case NFT_JUMP: 5287 case NFT_GOTO: 5288 data->verdict.chain->use++; 5289 break; 5290 } 5291 } 5292 } 5293 5294 static void nft_set_elem_activate(const struct net *net, 5295 const struct nft_set *set, 5296 struct nft_set_elem *elem) 5297 { 5298 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5299 5300 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5301 nft_data_hold(nft_set_ext_data(ext), set->dtype); 5302 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5303 (*nft_set_ext_obj(ext))->use++; 5304 } 5305 5306 static void nft_set_elem_deactivate(const struct net *net, 5307 const struct nft_set *set, 5308 struct nft_set_elem *elem) 5309 { 5310 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5311 5312 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5313 nft_data_release(nft_set_ext_data(ext), set->dtype); 5314 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5315 (*nft_set_ext_obj(ext))->use--; 5316 } 5317 5318 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 5319 const struct nlattr *attr) 5320 { 5321 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5322 struct nft_set_ext_tmpl tmpl; 5323 struct nft_set_elem elem; 5324 struct nft_set_ext *ext; 5325 struct nft_trans *trans; 5326 u32 flags = 0; 5327 void *priv; 5328 int err; 5329 5330 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5331 nft_set_elem_policy, NULL); 5332 if (err < 0) 5333 return err; 5334 5335 if (nla[NFTA_SET_ELEM_KEY] == NULL) 5336 return -EINVAL; 5337 5338 nft_set_ext_prepare(&tmpl); 5339 5340 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5341 if (err < 0) 5342 return err; 5343 if (flags != 0) 5344 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 5345 5346 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5347 nla[NFTA_SET_ELEM_KEY]); 5348 if (err < 0) 5349 return err; 5350 5351 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 5352 5353 if (nla[NFTA_SET_ELEM_KEY_END]) { 5354 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5355 nla[NFTA_SET_ELEM_KEY_END]); 5356 if (err < 0) 5357 return err; 5358 5359 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 5360 } 5361 5362 err = -ENOMEM; 5363 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 5364 elem.key_end.val.data, NULL, 0, 0, 5365 GFP_KERNEL); 5366 if (elem.priv == NULL) 5367 goto fail_elem; 5368 5369 ext = nft_set_elem_ext(set, elem.priv); 5370 if (flags) 5371 *nft_set_ext_flags(ext) = flags; 5372 5373 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 5374 if (trans == NULL) 5375 goto fail_trans; 5376 5377 priv = set->ops->deactivate(ctx->net, set, &elem); 5378 if (priv == NULL) { 5379 err = -ENOENT; 5380 goto fail_ops; 5381 } 5382 kfree(elem.priv); 5383 elem.priv = priv; 5384 5385 nft_set_elem_deactivate(ctx->net, set, &elem); 5386 5387 nft_trans_elem(trans) = elem; 5388 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5389 return 0; 5390 5391 fail_ops: 5392 kfree(trans); 5393 fail_trans: 5394 kfree(elem.priv); 5395 fail_elem: 5396 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 5397 return err; 5398 } 5399 5400 static int nft_flush_set(const struct nft_ctx *ctx, 5401 struct nft_set *set, 5402 const struct nft_set_iter *iter, 5403 struct nft_set_elem *elem) 5404 { 5405 struct nft_trans *trans; 5406 int err; 5407 5408 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 5409 sizeof(struct nft_trans_elem), GFP_ATOMIC); 5410 if (!trans) 5411 return -ENOMEM; 5412 5413 if (!set->ops->flush(ctx->net, set, elem->priv)) { 5414 err = -ENOENT; 5415 goto err1; 5416 } 5417 set->ndeact++; 5418 5419 nft_set_elem_deactivate(ctx->net, set, elem); 5420 nft_trans_elem_set(trans) = set; 5421 nft_trans_elem(trans) = *elem; 5422 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5423 5424 return 0; 5425 err1: 5426 kfree(trans); 5427 return err; 5428 } 5429 5430 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk, 5431 struct sk_buff *skb, const struct nlmsghdr *nlh, 5432 const struct nlattr * const nla[], 5433 struct netlink_ext_ack *extack) 5434 { 5435 u8 genmask = nft_genmask_next(net); 5436 const struct nlattr *attr; 5437 struct nft_set *set; 5438 struct nft_ctx ctx; 5439 int rem, err = 0; 5440 5441 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 5442 genmask); 5443 if (err < 0) 5444 return err; 5445 5446 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 5447 if (IS_ERR(set)) 5448 return PTR_ERR(set); 5449 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 5450 return -EBUSY; 5451 5452 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) { 5453 struct nft_set_iter iter = { 5454 .genmask = genmask, 5455 .fn = nft_flush_set, 5456 }; 5457 set->ops->walk(&ctx, set, &iter); 5458 5459 return iter.err; 5460 } 5461 5462 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5463 err = nft_del_setelem(&ctx, set, attr); 5464 if (err < 0) 5465 break; 5466 5467 set->ndeact++; 5468 } 5469 return err; 5470 } 5471 5472 void nft_set_gc_batch_release(struct rcu_head *rcu) 5473 { 5474 struct nft_set_gc_batch *gcb; 5475 unsigned int i; 5476 5477 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu); 5478 for (i = 0; i < gcb->head.cnt; i++) 5479 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true); 5480 kfree(gcb); 5481 } 5482 5483 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 5484 gfp_t gfp) 5485 { 5486 struct nft_set_gc_batch *gcb; 5487 5488 gcb = kzalloc(sizeof(*gcb), gfp); 5489 if (gcb == NULL) 5490 return gcb; 5491 gcb->head.set = set; 5492 return gcb; 5493 } 5494 5495 /* 5496 * Stateful objects 5497 */ 5498 5499 /** 5500 * nft_register_obj- register nf_tables stateful object type 5501 * @obj: object type 5502 * 5503 * Registers the object type for use with nf_tables. Returns zero on 5504 * success or a negative errno code otherwise. 5505 */ 5506 int nft_register_obj(struct nft_object_type *obj_type) 5507 { 5508 if (obj_type->type == NFT_OBJECT_UNSPEC) 5509 return -EINVAL; 5510 5511 nfnl_lock(NFNL_SUBSYS_NFTABLES); 5512 list_add_rcu(&obj_type->list, &nf_tables_objects); 5513 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 5514 return 0; 5515 } 5516 EXPORT_SYMBOL_GPL(nft_register_obj); 5517 5518 /** 5519 * nft_unregister_obj - unregister nf_tables object type 5520 * @obj: object type 5521 * 5522 * Unregisters the object type for use with nf_tables. 5523 */ 5524 void nft_unregister_obj(struct nft_object_type *obj_type) 5525 { 5526 nfnl_lock(NFNL_SUBSYS_NFTABLES); 5527 list_del_rcu(&obj_type->list); 5528 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 5529 } 5530 EXPORT_SYMBOL_GPL(nft_unregister_obj); 5531 5532 struct nft_object *nft_obj_lookup(const struct net *net, 5533 const struct nft_table *table, 5534 const struct nlattr *nla, u32 objtype, 5535 u8 genmask) 5536 { 5537 struct nft_object_hash_key k = { .table = table }; 5538 char search[NFT_OBJ_MAXNAMELEN]; 5539 struct rhlist_head *tmp, *list; 5540 struct nft_object *obj; 5541 5542 nla_strlcpy(search, nla, sizeof(search)); 5543 k.name = search; 5544 5545 WARN_ON_ONCE(!rcu_read_lock_held() && 5546 !lockdep_commit_lock_is_held(net)); 5547 5548 rcu_read_lock(); 5549 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 5550 if (!list) 5551 goto out; 5552 5553 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 5554 if (objtype == obj->ops->type->type && 5555 nft_active_genmask(obj, genmask)) { 5556 rcu_read_unlock(); 5557 return obj; 5558 } 5559 } 5560 out: 5561 rcu_read_unlock(); 5562 return ERR_PTR(-ENOENT); 5563 } 5564 EXPORT_SYMBOL_GPL(nft_obj_lookup); 5565 5566 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 5567 const struct nlattr *nla, 5568 u32 objtype, u8 genmask) 5569 { 5570 struct nft_object *obj; 5571 5572 list_for_each_entry(obj, &table->objects, list) { 5573 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 5574 objtype == obj->ops->type->type && 5575 nft_active_genmask(obj, genmask)) 5576 return obj; 5577 } 5578 return ERR_PTR(-ENOENT); 5579 } 5580 5581 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 5582 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 5583 .len = NFT_TABLE_MAXNAMELEN - 1 }, 5584 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 5585 .len = NFT_OBJ_MAXNAMELEN - 1 }, 5586 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 5587 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 5588 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 5589 }; 5590 5591 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 5592 const struct nft_object_type *type, 5593 const struct nlattr *attr) 5594 { 5595 struct nlattr **tb; 5596 const struct nft_object_ops *ops; 5597 struct nft_object *obj; 5598 int err = -ENOMEM; 5599 5600 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 5601 if (!tb) 5602 goto err1; 5603 5604 if (attr) { 5605 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 5606 type->policy, NULL); 5607 if (err < 0) 5608 goto err2; 5609 } else { 5610 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 5611 } 5612 5613 if (type->select_ops) { 5614 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 5615 if (IS_ERR(ops)) { 5616 err = PTR_ERR(ops); 5617 goto err2; 5618 } 5619 } else { 5620 ops = type->ops; 5621 } 5622 5623 err = -ENOMEM; 5624 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL); 5625 if (!obj) 5626 goto err2; 5627 5628 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 5629 if (err < 0) 5630 goto err3; 5631 5632 obj->ops = ops; 5633 5634 kfree(tb); 5635 return obj; 5636 err3: 5637 kfree(obj); 5638 err2: 5639 kfree(tb); 5640 err1: 5641 return ERR_PTR(err); 5642 } 5643 5644 static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 5645 struct nft_object *obj, bool reset) 5646 { 5647 struct nlattr *nest; 5648 5649 nest = nla_nest_start_noflag(skb, attr); 5650 if (!nest) 5651 goto nla_put_failure; 5652 if (obj->ops->dump(skb, obj, reset) < 0) 5653 goto nla_put_failure; 5654 nla_nest_end(skb, nest); 5655 return 0; 5656 5657 nla_put_failure: 5658 return -1; 5659 } 5660 5661 static const struct nft_object_type *__nft_obj_type_get(u32 objtype) 5662 { 5663 const struct nft_object_type *type; 5664 5665 list_for_each_entry(type, &nf_tables_objects, list) { 5666 if (objtype == type->type) 5667 return type; 5668 } 5669 return NULL; 5670 } 5671 5672 static const struct nft_object_type * 5673 nft_obj_type_get(struct net *net, u32 objtype) 5674 { 5675 const struct nft_object_type *type; 5676 5677 type = __nft_obj_type_get(objtype); 5678 if (type != NULL && try_module_get(type->owner)) 5679 return type; 5680 5681 lockdep_nfnl_nft_mutex_not_held(); 5682 #ifdef CONFIG_MODULES 5683 if (type == NULL) { 5684 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 5685 return ERR_PTR(-EAGAIN); 5686 } 5687 #endif 5688 return ERR_PTR(-ENOENT); 5689 } 5690 5691 static int nf_tables_updobj(const struct nft_ctx *ctx, 5692 const struct nft_object_type *type, 5693 const struct nlattr *attr, 5694 struct nft_object *obj) 5695 { 5696 struct nft_object *newobj; 5697 struct nft_trans *trans; 5698 int err; 5699 5700 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 5701 sizeof(struct nft_trans_obj)); 5702 if (!trans) 5703 return -ENOMEM; 5704 5705 newobj = nft_obj_init(ctx, type, attr); 5706 if (IS_ERR(newobj)) { 5707 err = PTR_ERR(newobj); 5708 goto err_free_trans; 5709 } 5710 5711 nft_trans_obj(trans) = obj; 5712 nft_trans_obj_update(trans) = true; 5713 nft_trans_obj_newobj(trans) = newobj; 5714 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5715 5716 return 0; 5717 5718 err_free_trans: 5719 kfree(trans); 5720 return err; 5721 } 5722 5723 static int nf_tables_newobj(struct net *net, struct sock *nlsk, 5724 struct sk_buff *skb, const struct nlmsghdr *nlh, 5725 const struct nlattr * const nla[], 5726 struct netlink_ext_ack *extack) 5727 { 5728 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 5729 const struct nft_object_type *type; 5730 u8 genmask = nft_genmask_next(net); 5731 int family = nfmsg->nfgen_family; 5732 struct nft_table *table; 5733 struct nft_object *obj; 5734 struct nft_ctx ctx; 5735 u32 objtype; 5736 int err; 5737 5738 if (!nla[NFTA_OBJ_TYPE] || 5739 !nla[NFTA_OBJ_NAME] || 5740 !nla[NFTA_OBJ_DATA]) 5741 return -EINVAL; 5742 5743 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); 5744 if (IS_ERR(table)) { 5745 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 5746 return PTR_ERR(table); 5747 } 5748 5749 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 5750 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 5751 if (IS_ERR(obj)) { 5752 err = PTR_ERR(obj); 5753 if (err != -ENOENT) { 5754 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 5755 return err; 5756 } 5757 } else { 5758 if (nlh->nlmsg_flags & NLM_F_EXCL) { 5759 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 5760 return -EEXIST; 5761 } 5762 if (nlh->nlmsg_flags & NLM_F_REPLACE) 5763 return -EOPNOTSUPP; 5764 5765 type = __nft_obj_type_get(objtype); 5766 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 5767 5768 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 5769 } 5770 5771 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 5772 5773 type = nft_obj_type_get(net, objtype); 5774 if (IS_ERR(type)) 5775 return PTR_ERR(type); 5776 5777 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 5778 if (IS_ERR(obj)) { 5779 err = PTR_ERR(obj); 5780 goto err1; 5781 } 5782 obj->key.table = table; 5783 obj->handle = nf_tables_alloc_handle(table); 5784 5785 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL); 5786 if (!obj->key.name) { 5787 err = -ENOMEM; 5788 goto err2; 5789 } 5790 5791 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 5792 if (err < 0) 5793 goto err3; 5794 5795 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 5796 nft_objname_ht_params); 5797 if (err < 0) 5798 goto err4; 5799 5800 list_add_tail_rcu(&obj->list, &table->objects); 5801 table->use++; 5802 return 0; 5803 err4: 5804 /* queued in transaction log */ 5805 INIT_LIST_HEAD(&obj->list); 5806 return err; 5807 err3: 5808 kfree(obj->key.name); 5809 err2: 5810 if (obj->ops->destroy) 5811 obj->ops->destroy(&ctx, obj); 5812 kfree(obj); 5813 err1: 5814 module_put(type->owner); 5815 return err; 5816 } 5817 5818 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 5819 u32 portid, u32 seq, int event, u32 flags, 5820 int family, const struct nft_table *table, 5821 struct nft_object *obj, bool reset) 5822 { 5823 struct nfgenmsg *nfmsg; 5824 struct nlmsghdr *nlh; 5825 5826 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 5827 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 5828 if (nlh == NULL) 5829 goto nla_put_failure; 5830 5831 nfmsg = nlmsg_data(nlh); 5832 nfmsg->nfgen_family = family; 5833 nfmsg->version = NFNETLINK_V0; 5834 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 5835 5836 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 5837 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 5838 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 5839 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 5840 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) || 5841 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 5842 NFTA_OBJ_PAD)) 5843 goto nla_put_failure; 5844 5845 nlmsg_end(skb, nlh); 5846 return 0; 5847 5848 nla_put_failure: 5849 nlmsg_trim(skb, nlh); 5850 return -1; 5851 } 5852 5853 struct nft_obj_filter { 5854 char *table; 5855 u32 type; 5856 }; 5857 5858 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 5859 { 5860 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 5861 const struct nft_table *table; 5862 unsigned int idx = 0, s_idx = cb->args[0]; 5863 struct nft_obj_filter *filter = cb->data; 5864 struct net *net = sock_net(skb->sk); 5865 int family = nfmsg->nfgen_family; 5866 struct nft_object *obj; 5867 bool reset = false; 5868 5869 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 5870 reset = true; 5871 5872 rcu_read_lock(); 5873 cb->seq = net->nft.base_seq; 5874 5875 list_for_each_entry_rcu(table, &net->nft.tables, list) { 5876 if (family != NFPROTO_UNSPEC && family != table->family) 5877 continue; 5878 5879 list_for_each_entry_rcu(obj, &table->objects, list) { 5880 if (!nft_is_active(net, obj)) 5881 goto cont; 5882 if (idx < s_idx) 5883 goto cont; 5884 if (idx > s_idx) 5885 memset(&cb->args[1], 0, 5886 sizeof(cb->args) - sizeof(cb->args[0])); 5887 if (filter && filter->table && 5888 strcmp(filter->table, table->name)) 5889 goto cont; 5890 if (filter && 5891 filter->type != NFT_OBJECT_UNSPEC && 5892 obj->ops->type->type != filter->type) 5893 goto cont; 5894 5895 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, 5896 cb->nlh->nlmsg_seq, 5897 NFT_MSG_NEWOBJ, 5898 NLM_F_MULTI | NLM_F_APPEND, 5899 table->family, table, 5900 obj, reset) < 0) 5901 goto done; 5902 5903 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 5904 cont: 5905 idx++; 5906 } 5907 } 5908 done: 5909 rcu_read_unlock(); 5910 5911 cb->args[0] = idx; 5912 return skb->len; 5913 } 5914 5915 static int nf_tables_dump_obj_start(struct netlink_callback *cb) 5916 { 5917 const struct nlattr * const *nla = cb->data; 5918 struct nft_obj_filter *filter = NULL; 5919 5920 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) { 5921 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 5922 if (!filter) 5923 return -ENOMEM; 5924 5925 if (nla[NFTA_OBJ_TABLE]) { 5926 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 5927 if (!filter->table) { 5928 kfree(filter); 5929 return -ENOMEM; 5930 } 5931 } 5932 5933 if (nla[NFTA_OBJ_TYPE]) 5934 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 5935 } 5936 5937 cb->data = filter; 5938 return 0; 5939 } 5940 5941 static int nf_tables_dump_obj_done(struct netlink_callback *cb) 5942 { 5943 struct nft_obj_filter *filter = cb->data; 5944 5945 if (filter) { 5946 kfree(filter->table); 5947 kfree(filter); 5948 } 5949 5950 return 0; 5951 } 5952 5953 /* called with rcu_read_lock held */ 5954 static int nf_tables_getobj(struct net *net, struct sock *nlsk, 5955 struct sk_buff *skb, const struct nlmsghdr *nlh, 5956 const struct nlattr * const nla[], 5957 struct netlink_ext_ack *extack) 5958 { 5959 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 5960 u8 genmask = nft_genmask_cur(net); 5961 int family = nfmsg->nfgen_family; 5962 const struct nft_table *table; 5963 struct nft_object *obj; 5964 struct sk_buff *skb2; 5965 bool reset = false; 5966 u32 objtype; 5967 int err; 5968 5969 if (nlh->nlmsg_flags & NLM_F_DUMP) { 5970 struct netlink_dump_control c = { 5971 .start = nf_tables_dump_obj_start, 5972 .dump = nf_tables_dump_obj, 5973 .done = nf_tables_dump_obj_done, 5974 .module = THIS_MODULE, 5975 .data = (void *)nla, 5976 }; 5977 5978 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 5979 } 5980 5981 if (!nla[NFTA_OBJ_NAME] || 5982 !nla[NFTA_OBJ_TYPE]) 5983 return -EINVAL; 5984 5985 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); 5986 if (IS_ERR(table)) { 5987 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 5988 return PTR_ERR(table); 5989 } 5990 5991 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 5992 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 5993 if (IS_ERR(obj)) { 5994 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 5995 return PTR_ERR(obj); 5996 } 5997 5998 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 5999 if (!skb2) 6000 return -ENOMEM; 6001 6002 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6003 reset = true; 6004 6005 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid, 6006 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 6007 family, table, obj, reset); 6008 if (err < 0) 6009 goto err; 6010 6011 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 6012 err: 6013 kfree_skb(skb2); 6014 return err; 6015 } 6016 6017 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 6018 { 6019 if (obj->ops->destroy) 6020 obj->ops->destroy(ctx, obj); 6021 6022 module_put(obj->ops->type->owner); 6023 kfree(obj->key.name); 6024 kfree(obj); 6025 } 6026 6027 static int nf_tables_delobj(struct net *net, struct sock *nlsk, 6028 struct sk_buff *skb, const struct nlmsghdr *nlh, 6029 const struct nlattr * const nla[], 6030 struct netlink_ext_ack *extack) 6031 { 6032 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6033 u8 genmask = nft_genmask_next(net); 6034 int family = nfmsg->nfgen_family; 6035 const struct nlattr *attr; 6036 struct nft_table *table; 6037 struct nft_object *obj; 6038 struct nft_ctx ctx; 6039 u32 objtype; 6040 6041 if (!nla[NFTA_OBJ_TYPE] || 6042 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 6043 return -EINVAL; 6044 6045 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); 6046 if (IS_ERR(table)) { 6047 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6048 return PTR_ERR(table); 6049 } 6050 6051 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6052 if (nla[NFTA_OBJ_HANDLE]) { 6053 attr = nla[NFTA_OBJ_HANDLE]; 6054 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 6055 } else { 6056 attr = nla[NFTA_OBJ_NAME]; 6057 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 6058 } 6059 6060 if (IS_ERR(obj)) { 6061 NL_SET_BAD_ATTR(extack, attr); 6062 return PTR_ERR(obj); 6063 } 6064 if (obj->use > 0) { 6065 NL_SET_BAD_ATTR(extack, attr); 6066 return -EBUSY; 6067 } 6068 6069 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6070 6071 return nft_delobj(&ctx, obj); 6072 } 6073 6074 void nft_obj_notify(struct net *net, const struct nft_table *table, 6075 struct nft_object *obj, u32 portid, u32 seq, int event, 6076 int family, int report, gfp_t gfp) 6077 { 6078 struct sk_buff *skb; 6079 int err; 6080 6081 if (!report && 6082 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 6083 return; 6084 6085 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 6086 if (skb == NULL) 6087 goto err; 6088 6089 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family, 6090 table, obj, false); 6091 if (err < 0) { 6092 kfree_skb(skb); 6093 goto err; 6094 } 6095 6096 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp); 6097 return; 6098 err: 6099 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 6100 } 6101 EXPORT_SYMBOL_GPL(nft_obj_notify); 6102 6103 static void nf_tables_obj_notify(const struct nft_ctx *ctx, 6104 struct nft_object *obj, int event) 6105 { 6106 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, 6107 ctx->family, ctx->report, GFP_KERNEL); 6108 } 6109 6110 /* 6111 * Flow tables 6112 */ 6113 void nft_register_flowtable_type(struct nf_flowtable_type *type) 6114 { 6115 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6116 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 6117 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6118 } 6119 EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 6120 6121 void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 6122 { 6123 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6124 list_del_rcu(&type->list); 6125 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6126 } 6127 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 6128 6129 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 6130 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 6131 .len = NFT_NAME_MAXLEN - 1 }, 6132 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 6133 .len = NFT_NAME_MAXLEN - 1 }, 6134 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 6135 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 6136 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 6137 }; 6138 6139 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 6140 const struct nlattr *nla, u8 genmask) 6141 { 6142 struct nft_flowtable *flowtable; 6143 6144 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 6145 if (!nla_strcmp(nla, flowtable->name) && 6146 nft_active_genmask(flowtable, genmask)) 6147 return flowtable; 6148 } 6149 return ERR_PTR(-ENOENT); 6150 } 6151 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 6152 6153 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 6154 struct nft_flowtable *flowtable, 6155 enum nft_trans_phase phase) 6156 { 6157 switch (phase) { 6158 case NFT_TRANS_PREPARE: 6159 case NFT_TRANS_ABORT: 6160 case NFT_TRANS_RELEASE: 6161 flowtable->use--; 6162 /* fall through */ 6163 default: 6164 return; 6165 } 6166 } 6167 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 6168 6169 static struct nft_flowtable * 6170 nft_flowtable_lookup_byhandle(const struct nft_table *table, 6171 const struct nlattr *nla, u8 genmask) 6172 { 6173 struct nft_flowtable *flowtable; 6174 6175 list_for_each_entry(flowtable, &table->flowtables, list) { 6176 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 6177 nft_active_genmask(flowtable, genmask)) 6178 return flowtable; 6179 } 6180 return ERR_PTR(-ENOENT); 6181 } 6182 6183 struct nft_flowtable_hook { 6184 u32 num; 6185 int priority; 6186 struct list_head list; 6187 }; 6188 6189 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 6190 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 6191 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 6192 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 6193 }; 6194 6195 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 6196 const struct nlattr *attr, 6197 struct nft_flowtable_hook *flowtable_hook, 6198 struct nft_flowtable *flowtable, bool add) 6199 { 6200 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 6201 struct nft_hook *hook; 6202 int hooknum, priority; 6203 int err; 6204 6205 INIT_LIST_HEAD(&flowtable_hook->list); 6206 6207 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr, 6208 nft_flowtable_hook_policy, NULL); 6209 if (err < 0) 6210 return err; 6211 6212 if (add) { 6213 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 6214 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) 6215 return -EINVAL; 6216 6217 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 6218 if (hooknum != NF_NETDEV_INGRESS) 6219 return -EOPNOTSUPP; 6220 6221 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 6222 6223 flowtable_hook->priority = priority; 6224 flowtable_hook->num = hooknum; 6225 } else { 6226 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 6227 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 6228 if (hooknum != flowtable->hooknum) 6229 return -EOPNOTSUPP; 6230 } 6231 6232 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 6233 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 6234 if (priority != flowtable->data.priority) 6235 return -EOPNOTSUPP; 6236 } 6237 6238 flowtable_hook->priority = flowtable->data.priority; 6239 flowtable_hook->num = flowtable->hooknum; 6240 } 6241 6242 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 6243 err = nf_tables_parse_netdev_hooks(ctx->net, 6244 tb[NFTA_FLOWTABLE_HOOK_DEVS], 6245 &flowtable_hook->list); 6246 if (err < 0) 6247 return err; 6248 } 6249 6250 list_for_each_entry(hook, &flowtable_hook->list, list) { 6251 hook->ops.pf = NFPROTO_NETDEV; 6252 hook->ops.hooknum = flowtable_hook->num; 6253 hook->ops.priority = flowtable_hook->priority; 6254 hook->ops.priv = &flowtable->data; 6255 hook->ops.hook = flowtable->data.type->hook; 6256 } 6257 6258 return err; 6259 } 6260 6261 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 6262 { 6263 const struct nf_flowtable_type *type; 6264 6265 list_for_each_entry(type, &nf_tables_flowtables, list) { 6266 if (family == type->family) 6267 return type; 6268 } 6269 return NULL; 6270 } 6271 6272 static const struct nf_flowtable_type * 6273 nft_flowtable_type_get(struct net *net, u8 family) 6274 { 6275 const struct nf_flowtable_type *type; 6276 6277 type = __nft_flowtable_type_get(family); 6278 if (type != NULL && try_module_get(type->owner)) 6279 return type; 6280 6281 lockdep_nfnl_nft_mutex_not_held(); 6282 #ifdef CONFIG_MODULES 6283 if (type == NULL) { 6284 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 6285 return ERR_PTR(-EAGAIN); 6286 } 6287 #endif 6288 return ERR_PTR(-ENOENT); 6289 } 6290 6291 /* Only called from error and netdev event paths. */ 6292 static void nft_unregister_flowtable_hook(struct net *net, 6293 struct nft_flowtable *flowtable, 6294 struct nft_hook *hook) 6295 { 6296 nf_unregister_net_hook(net, &hook->ops); 6297 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 6298 FLOW_BLOCK_UNBIND); 6299 } 6300 6301 static void nft_unregister_flowtable_net_hooks(struct net *net, 6302 struct list_head *hook_list) 6303 { 6304 struct nft_hook *hook; 6305 6306 list_for_each_entry(hook, hook_list, list) 6307 nf_unregister_net_hook(net, &hook->ops); 6308 } 6309 6310 static int nft_register_flowtable_net_hooks(struct net *net, 6311 struct nft_table *table, 6312 struct list_head *hook_list, 6313 struct nft_flowtable *flowtable) 6314 { 6315 struct nft_hook *hook, *hook2, *next; 6316 struct nft_flowtable *ft; 6317 int err, i = 0; 6318 6319 list_for_each_entry(hook, hook_list, list) { 6320 list_for_each_entry(ft, &table->flowtables, list) { 6321 list_for_each_entry(hook2, &ft->hook_list, list) { 6322 if (hook->ops.dev == hook2->ops.dev && 6323 hook->ops.pf == hook2->ops.pf) { 6324 err = -EBUSY; 6325 goto err_unregister_net_hooks; 6326 } 6327 } 6328 } 6329 6330 err = flowtable->data.type->setup(&flowtable->data, 6331 hook->ops.dev, 6332 FLOW_BLOCK_BIND); 6333 if (err < 0) 6334 goto err_unregister_net_hooks; 6335 6336 err = nf_register_net_hook(net, &hook->ops); 6337 if (err < 0) { 6338 flowtable->data.type->setup(&flowtable->data, 6339 hook->ops.dev, 6340 FLOW_BLOCK_UNBIND); 6341 goto err_unregister_net_hooks; 6342 } 6343 6344 i++; 6345 } 6346 6347 return 0; 6348 6349 err_unregister_net_hooks: 6350 list_for_each_entry_safe(hook, next, hook_list, list) { 6351 if (i-- <= 0) 6352 break; 6353 6354 nft_unregister_flowtable_hook(net, flowtable, hook); 6355 list_del_rcu(&hook->list); 6356 kfree_rcu(hook, rcu); 6357 } 6358 6359 return err; 6360 } 6361 6362 static void nft_flowtable_hooks_destroy(struct list_head *hook_list) 6363 { 6364 struct nft_hook *hook, *next; 6365 6366 list_for_each_entry_safe(hook, next, hook_list, list) { 6367 list_del_rcu(&hook->list); 6368 kfree_rcu(hook, rcu); 6369 } 6370 } 6371 6372 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 6373 struct nft_flowtable *flowtable) 6374 { 6375 const struct nlattr * const *nla = ctx->nla; 6376 struct nft_flowtable_hook flowtable_hook; 6377 struct nft_hook *hook, *next; 6378 struct nft_trans *trans; 6379 bool unregister = false; 6380 int err; 6381 6382 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 6383 &flowtable_hook, flowtable, false); 6384 if (err < 0) 6385 return err; 6386 6387 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 6388 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 6389 list_del(&hook->list); 6390 kfree(hook); 6391 } 6392 } 6393 6394 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 6395 &flowtable_hook.list, flowtable); 6396 if (err < 0) 6397 goto err_flowtable_update_hook; 6398 6399 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 6400 sizeof(struct nft_trans_flowtable)); 6401 if (!trans) { 6402 unregister = true; 6403 err = -ENOMEM; 6404 goto err_flowtable_update_hook; 6405 } 6406 6407 nft_trans_flowtable(trans) = flowtable; 6408 nft_trans_flowtable_update(trans) = true; 6409 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 6410 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 6411 6412 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 6413 6414 return 0; 6415 6416 err_flowtable_update_hook: 6417 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 6418 if (unregister) 6419 nft_unregister_flowtable_hook(ctx->net, flowtable, hook); 6420 list_del_rcu(&hook->list); 6421 kfree_rcu(hook, rcu); 6422 } 6423 6424 return err; 6425 6426 } 6427 6428 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk, 6429 struct sk_buff *skb, 6430 const struct nlmsghdr *nlh, 6431 const struct nlattr * const nla[], 6432 struct netlink_ext_ack *extack) 6433 { 6434 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6435 struct nft_flowtable_hook flowtable_hook; 6436 const struct nf_flowtable_type *type; 6437 u8 genmask = nft_genmask_next(net); 6438 int family = nfmsg->nfgen_family; 6439 struct nft_flowtable *flowtable; 6440 struct nft_hook *hook, *next; 6441 struct nft_table *table; 6442 struct nft_ctx ctx; 6443 int err; 6444 6445 if (!nla[NFTA_FLOWTABLE_TABLE] || 6446 !nla[NFTA_FLOWTABLE_NAME] || 6447 !nla[NFTA_FLOWTABLE_HOOK]) 6448 return -EINVAL; 6449 6450 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 6451 genmask); 6452 if (IS_ERR(table)) { 6453 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 6454 return PTR_ERR(table); 6455 } 6456 6457 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 6458 genmask); 6459 if (IS_ERR(flowtable)) { 6460 err = PTR_ERR(flowtable); 6461 if (err != -ENOENT) { 6462 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 6463 return err; 6464 } 6465 } else { 6466 if (nlh->nlmsg_flags & NLM_F_EXCL) { 6467 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 6468 return -EEXIST; 6469 } 6470 6471 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6472 6473 return nft_flowtable_update(&ctx, nlh, flowtable); 6474 } 6475 6476 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6477 6478 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL); 6479 if (!flowtable) 6480 return -ENOMEM; 6481 6482 flowtable->table = table; 6483 flowtable->handle = nf_tables_alloc_handle(table); 6484 INIT_LIST_HEAD(&flowtable->hook_list); 6485 6486 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL); 6487 if (!flowtable->name) { 6488 err = -ENOMEM; 6489 goto err1; 6490 } 6491 6492 type = nft_flowtable_type_get(net, family); 6493 if (IS_ERR(type)) { 6494 err = PTR_ERR(type); 6495 goto err2; 6496 } 6497 6498 if (nla[NFTA_FLOWTABLE_FLAGS]) { 6499 flowtable->data.flags = 6500 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 6501 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) 6502 goto err3; 6503 } 6504 6505 write_pnet(&flowtable->data.net, net); 6506 flowtable->data.type = type; 6507 err = type->init(&flowtable->data); 6508 if (err < 0) 6509 goto err3; 6510 6511 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK], 6512 &flowtable_hook, flowtable, true); 6513 if (err < 0) 6514 goto err4; 6515 6516 list_splice(&flowtable_hook.list, &flowtable->hook_list); 6517 flowtable->data.priority = flowtable_hook.priority; 6518 flowtable->hooknum = flowtable_hook.num; 6519 6520 err = nft_register_flowtable_net_hooks(ctx.net, table, 6521 &flowtable->hook_list, 6522 flowtable); 6523 if (err < 0) { 6524 nft_flowtable_hooks_destroy(&flowtable->hook_list); 6525 goto err4; 6526 } 6527 6528 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 6529 if (err < 0) 6530 goto err5; 6531 6532 list_add_tail_rcu(&flowtable->list, &table->flowtables); 6533 table->use++; 6534 6535 return 0; 6536 err5: 6537 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 6538 nft_unregister_flowtable_hook(net, flowtable, hook); 6539 list_del_rcu(&hook->list); 6540 kfree_rcu(hook, rcu); 6541 } 6542 err4: 6543 flowtable->data.type->free(&flowtable->data); 6544 err3: 6545 module_put(type->owner); 6546 err2: 6547 kfree(flowtable->name); 6548 err1: 6549 kfree(flowtable); 6550 return err; 6551 } 6552 6553 static int nft_delflowtable_hook(struct nft_ctx *ctx, 6554 struct nft_flowtable *flowtable) 6555 { 6556 const struct nlattr * const *nla = ctx->nla; 6557 struct nft_flowtable_hook flowtable_hook; 6558 struct nft_hook *this, *next, *hook; 6559 struct nft_trans *trans; 6560 int err; 6561 6562 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 6563 &flowtable_hook, flowtable, false); 6564 if (err < 0) 6565 return err; 6566 6567 list_for_each_entry_safe(this, next, &flowtable_hook.list, list) { 6568 hook = nft_hook_list_find(&flowtable->hook_list, this); 6569 if (!hook) { 6570 err = -ENOENT; 6571 goto err_flowtable_del_hook; 6572 } 6573 hook->inactive = true; 6574 list_del(&this->list); 6575 kfree(this); 6576 } 6577 6578 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 6579 sizeof(struct nft_trans_flowtable)); 6580 if (!trans) 6581 return -ENOMEM; 6582 6583 nft_trans_flowtable(trans) = flowtable; 6584 nft_trans_flowtable_update(trans) = true; 6585 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 6586 6587 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 6588 6589 return 0; 6590 6591 err_flowtable_del_hook: 6592 list_for_each_entry(hook, &flowtable_hook.list, list) 6593 hook->inactive = false; 6594 6595 return err; 6596 } 6597 6598 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk, 6599 struct sk_buff *skb, 6600 const struct nlmsghdr *nlh, 6601 const struct nlattr * const nla[], 6602 struct netlink_ext_ack *extack) 6603 { 6604 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6605 u8 genmask = nft_genmask_next(net); 6606 int family = nfmsg->nfgen_family; 6607 struct nft_flowtable *flowtable; 6608 const struct nlattr *attr; 6609 struct nft_table *table; 6610 struct nft_ctx ctx; 6611 6612 if (!nla[NFTA_FLOWTABLE_TABLE] || 6613 (!nla[NFTA_FLOWTABLE_NAME] && 6614 !nla[NFTA_FLOWTABLE_HANDLE])) 6615 return -EINVAL; 6616 6617 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 6618 genmask); 6619 if (IS_ERR(table)) { 6620 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 6621 return PTR_ERR(table); 6622 } 6623 6624 if (nla[NFTA_FLOWTABLE_HANDLE]) { 6625 attr = nla[NFTA_FLOWTABLE_HANDLE]; 6626 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 6627 } else { 6628 attr = nla[NFTA_FLOWTABLE_NAME]; 6629 flowtable = nft_flowtable_lookup(table, attr, genmask); 6630 } 6631 6632 if (IS_ERR(flowtable)) { 6633 NL_SET_BAD_ATTR(extack, attr); 6634 return PTR_ERR(flowtable); 6635 } 6636 6637 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6638 6639 if (nla[NFTA_FLOWTABLE_HOOK]) 6640 return nft_delflowtable_hook(&ctx, flowtable); 6641 6642 if (flowtable->use > 0) { 6643 NL_SET_BAD_ATTR(extack, attr); 6644 return -EBUSY; 6645 } 6646 6647 return nft_delflowtable(&ctx, flowtable); 6648 } 6649 6650 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 6651 u32 portid, u32 seq, int event, 6652 u32 flags, int family, 6653 struct nft_flowtable *flowtable, 6654 struct list_head *hook_list) 6655 { 6656 struct nlattr *nest, *nest_devs; 6657 struct nfgenmsg *nfmsg; 6658 struct nft_hook *hook; 6659 struct nlmsghdr *nlh; 6660 6661 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6662 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 6663 if (nlh == NULL) 6664 goto nla_put_failure; 6665 6666 nfmsg = nlmsg_data(nlh); 6667 nfmsg->nfgen_family = family; 6668 nfmsg->version = NFNETLINK_V0; 6669 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 6670 6671 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 6672 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 6673 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 6674 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 6675 NFTA_FLOWTABLE_PAD) || 6676 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 6677 goto nla_put_failure; 6678 6679 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 6680 if (!nest) 6681 goto nla_put_failure; 6682 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 6683 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 6684 goto nla_put_failure; 6685 6686 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 6687 if (!nest_devs) 6688 goto nla_put_failure; 6689 6690 list_for_each_entry_rcu(hook, hook_list, list) { 6691 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) 6692 goto nla_put_failure; 6693 } 6694 nla_nest_end(skb, nest_devs); 6695 nla_nest_end(skb, nest); 6696 6697 nlmsg_end(skb, nlh); 6698 return 0; 6699 6700 nla_put_failure: 6701 nlmsg_trim(skb, nlh); 6702 return -1; 6703 } 6704 6705 struct nft_flowtable_filter { 6706 char *table; 6707 }; 6708 6709 static int nf_tables_dump_flowtable(struct sk_buff *skb, 6710 struct netlink_callback *cb) 6711 { 6712 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 6713 struct nft_flowtable_filter *filter = cb->data; 6714 unsigned int idx = 0, s_idx = cb->args[0]; 6715 struct net *net = sock_net(skb->sk); 6716 int family = nfmsg->nfgen_family; 6717 struct nft_flowtable *flowtable; 6718 const struct nft_table *table; 6719 6720 rcu_read_lock(); 6721 cb->seq = net->nft.base_seq; 6722 6723 list_for_each_entry_rcu(table, &net->nft.tables, list) { 6724 if (family != NFPROTO_UNSPEC && family != table->family) 6725 continue; 6726 6727 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 6728 if (!nft_is_active(net, flowtable)) 6729 goto cont; 6730 if (idx < s_idx) 6731 goto cont; 6732 if (idx > s_idx) 6733 memset(&cb->args[1], 0, 6734 sizeof(cb->args) - sizeof(cb->args[0])); 6735 if (filter && filter->table && 6736 strcmp(filter->table, table->name)) 6737 goto cont; 6738 6739 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 6740 cb->nlh->nlmsg_seq, 6741 NFT_MSG_NEWFLOWTABLE, 6742 NLM_F_MULTI | NLM_F_APPEND, 6743 table->family, 6744 flowtable, 6745 &flowtable->hook_list) < 0) 6746 goto done; 6747 6748 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 6749 cont: 6750 idx++; 6751 } 6752 } 6753 done: 6754 rcu_read_unlock(); 6755 6756 cb->args[0] = idx; 6757 return skb->len; 6758 } 6759 6760 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 6761 { 6762 const struct nlattr * const *nla = cb->data; 6763 struct nft_flowtable_filter *filter = NULL; 6764 6765 if (nla[NFTA_FLOWTABLE_TABLE]) { 6766 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 6767 if (!filter) 6768 return -ENOMEM; 6769 6770 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 6771 GFP_ATOMIC); 6772 if (!filter->table) { 6773 kfree(filter); 6774 return -ENOMEM; 6775 } 6776 } 6777 6778 cb->data = filter; 6779 return 0; 6780 } 6781 6782 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 6783 { 6784 struct nft_flowtable_filter *filter = cb->data; 6785 6786 if (!filter) 6787 return 0; 6788 6789 kfree(filter->table); 6790 kfree(filter); 6791 6792 return 0; 6793 } 6794 6795 /* called with rcu_read_lock held */ 6796 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk, 6797 struct sk_buff *skb, 6798 const struct nlmsghdr *nlh, 6799 const struct nlattr * const nla[], 6800 struct netlink_ext_ack *extack) 6801 { 6802 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6803 u8 genmask = nft_genmask_cur(net); 6804 int family = nfmsg->nfgen_family; 6805 struct nft_flowtable *flowtable; 6806 const struct nft_table *table; 6807 struct sk_buff *skb2; 6808 int err; 6809 6810 if (nlh->nlmsg_flags & NLM_F_DUMP) { 6811 struct netlink_dump_control c = { 6812 .start = nf_tables_dump_flowtable_start, 6813 .dump = nf_tables_dump_flowtable, 6814 .done = nf_tables_dump_flowtable_done, 6815 .module = THIS_MODULE, 6816 .data = (void *)nla, 6817 }; 6818 6819 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 6820 } 6821 6822 if (!nla[NFTA_FLOWTABLE_NAME]) 6823 return -EINVAL; 6824 6825 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 6826 genmask); 6827 if (IS_ERR(table)) 6828 return PTR_ERR(table); 6829 6830 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 6831 genmask); 6832 if (IS_ERR(flowtable)) 6833 return PTR_ERR(flowtable); 6834 6835 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 6836 if (!skb2) 6837 return -ENOMEM; 6838 6839 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 6840 nlh->nlmsg_seq, 6841 NFT_MSG_NEWFLOWTABLE, 0, family, 6842 flowtable, &flowtable->hook_list); 6843 if (err < 0) 6844 goto err; 6845 6846 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 6847 err: 6848 kfree_skb(skb2); 6849 return err; 6850 } 6851 6852 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 6853 struct nft_flowtable *flowtable, 6854 struct list_head *hook_list, 6855 int event) 6856 { 6857 struct sk_buff *skb; 6858 int err; 6859 6860 if (ctx->report && 6861 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 6862 return; 6863 6864 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 6865 if (skb == NULL) 6866 goto err; 6867 6868 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 6869 ctx->seq, event, 0, 6870 ctx->family, flowtable, hook_list); 6871 if (err < 0) { 6872 kfree_skb(skb); 6873 goto err; 6874 } 6875 6876 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 6877 ctx->report, GFP_KERNEL); 6878 return; 6879 err: 6880 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 6881 } 6882 6883 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 6884 { 6885 struct nft_hook *hook, *next; 6886 6887 flowtable->data.type->free(&flowtable->data); 6888 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 6889 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 6890 FLOW_BLOCK_UNBIND); 6891 list_del_rcu(&hook->list); 6892 kfree(hook); 6893 } 6894 kfree(flowtable->name); 6895 module_put(flowtable->data.type->owner); 6896 kfree(flowtable); 6897 } 6898 6899 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 6900 u32 portid, u32 seq) 6901 { 6902 struct nlmsghdr *nlh; 6903 struct nfgenmsg *nfmsg; 6904 char buf[TASK_COMM_LEN]; 6905 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 6906 6907 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0); 6908 if (nlh == NULL) 6909 goto nla_put_failure; 6910 6911 nfmsg = nlmsg_data(nlh); 6912 nfmsg->nfgen_family = AF_UNSPEC; 6913 nfmsg->version = NFNETLINK_V0; 6914 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 6915 6916 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || 6917 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 6918 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 6919 goto nla_put_failure; 6920 6921 nlmsg_end(skb, nlh); 6922 return 0; 6923 6924 nla_put_failure: 6925 nlmsg_trim(skb, nlh); 6926 return -EMSGSIZE; 6927 } 6928 6929 static void nft_flowtable_event(unsigned long event, struct net_device *dev, 6930 struct nft_flowtable *flowtable) 6931 { 6932 struct nft_hook *hook; 6933 6934 list_for_each_entry(hook, &flowtable->hook_list, list) { 6935 if (hook->ops.dev != dev) 6936 continue; 6937 6938 /* flow_offload_netdev_event() cleans up entries for us. */ 6939 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); 6940 list_del_rcu(&hook->list); 6941 kfree_rcu(hook, rcu); 6942 break; 6943 } 6944 } 6945 6946 static int nf_tables_flowtable_event(struct notifier_block *this, 6947 unsigned long event, void *ptr) 6948 { 6949 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 6950 struct nft_flowtable *flowtable; 6951 struct nft_table *table; 6952 struct net *net; 6953 6954 if (event != NETDEV_UNREGISTER) 6955 return 0; 6956 6957 net = dev_net(dev); 6958 mutex_lock(&net->nft.commit_mutex); 6959 list_for_each_entry(table, &net->nft.tables, list) { 6960 list_for_each_entry(flowtable, &table->flowtables, list) { 6961 nft_flowtable_event(event, dev, flowtable); 6962 } 6963 } 6964 mutex_unlock(&net->nft.commit_mutex); 6965 6966 return NOTIFY_DONE; 6967 } 6968 6969 static struct notifier_block nf_tables_flowtable_notifier = { 6970 .notifier_call = nf_tables_flowtable_event, 6971 }; 6972 6973 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 6974 int event) 6975 { 6976 struct nlmsghdr *nlh = nlmsg_hdr(skb); 6977 struct sk_buff *skb2; 6978 int err; 6979 6980 if (nlmsg_report(nlh) && 6981 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 6982 return; 6983 6984 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 6985 if (skb2 == NULL) 6986 goto err; 6987 6988 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 6989 nlh->nlmsg_seq); 6990 if (err < 0) { 6991 kfree_skb(skb2); 6992 goto err; 6993 } 6994 6995 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 6996 nlmsg_report(nlh), GFP_KERNEL); 6997 return; 6998 err: 6999 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 7000 -ENOBUFS); 7001 } 7002 7003 static int nf_tables_getgen(struct net *net, struct sock *nlsk, 7004 struct sk_buff *skb, const struct nlmsghdr *nlh, 7005 const struct nlattr * const nla[], 7006 struct netlink_ext_ack *extack) 7007 { 7008 struct sk_buff *skb2; 7009 int err; 7010 7011 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7012 if (skb2 == NULL) 7013 return -ENOMEM; 7014 7015 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 7016 nlh->nlmsg_seq); 7017 if (err < 0) 7018 goto err; 7019 7020 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 7021 err: 7022 kfree_skb(skb2); 7023 return err; 7024 } 7025 7026 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 7027 [NFT_MSG_NEWTABLE] = { 7028 .call_batch = nf_tables_newtable, 7029 .attr_count = NFTA_TABLE_MAX, 7030 .policy = nft_table_policy, 7031 }, 7032 [NFT_MSG_GETTABLE] = { 7033 .call_rcu = nf_tables_gettable, 7034 .attr_count = NFTA_TABLE_MAX, 7035 .policy = nft_table_policy, 7036 }, 7037 [NFT_MSG_DELTABLE] = { 7038 .call_batch = nf_tables_deltable, 7039 .attr_count = NFTA_TABLE_MAX, 7040 .policy = nft_table_policy, 7041 }, 7042 [NFT_MSG_NEWCHAIN] = { 7043 .call_batch = nf_tables_newchain, 7044 .attr_count = NFTA_CHAIN_MAX, 7045 .policy = nft_chain_policy, 7046 }, 7047 [NFT_MSG_GETCHAIN] = { 7048 .call_rcu = nf_tables_getchain, 7049 .attr_count = NFTA_CHAIN_MAX, 7050 .policy = nft_chain_policy, 7051 }, 7052 [NFT_MSG_DELCHAIN] = { 7053 .call_batch = nf_tables_delchain, 7054 .attr_count = NFTA_CHAIN_MAX, 7055 .policy = nft_chain_policy, 7056 }, 7057 [NFT_MSG_NEWRULE] = { 7058 .call_batch = nf_tables_newrule, 7059 .attr_count = NFTA_RULE_MAX, 7060 .policy = nft_rule_policy, 7061 }, 7062 [NFT_MSG_GETRULE] = { 7063 .call_rcu = nf_tables_getrule, 7064 .attr_count = NFTA_RULE_MAX, 7065 .policy = nft_rule_policy, 7066 }, 7067 [NFT_MSG_DELRULE] = { 7068 .call_batch = nf_tables_delrule, 7069 .attr_count = NFTA_RULE_MAX, 7070 .policy = nft_rule_policy, 7071 }, 7072 [NFT_MSG_NEWSET] = { 7073 .call_batch = nf_tables_newset, 7074 .attr_count = NFTA_SET_MAX, 7075 .policy = nft_set_policy, 7076 }, 7077 [NFT_MSG_GETSET] = { 7078 .call_rcu = nf_tables_getset, 7079 .attr_count = NFTA_SET_MAX, 7080 .policy = nft_set_policy, 7081 }, 7082 [NFT_MSG_DELSET] = { 7083 .call_batch = nf_tables_delset, 7084 .attr_count = NFTA_SET_MAX, 7085 .policy = nft_set_policy, 7086 }, 7087 [NFT_MSG_NEWSETELEM] = { 7088 .call_batch = nf_tables_newsetelem, 7089 .attr_count = NFTA_SET_ELEM_LIST_MAX, 7090 .policy = nft_set_elem_list_policy, 7091 }, 7092 [NFT_MSG_GETSETELEM] = { 7093 .call_rcu = nf_tables_getsetelem, 7094 .attr_count = NFTA_SET_ELEM_LIST_MAX, 7095 .policy = nft_set_elem_list_policy, 7096 }, 7097 [NFT_MSG_DELSETELEM] = { 7098 .call_batch = nf_tables_delsetelem, 7099 .attr_count = NFTA_SET_ELEM_LIST_MAX, 7100 .policy = nft_set_elem_list_policy, 7101 }, 7102 [NFT_MSG_GETGEN] = { 7103 .call_rcu = nf_tables_getgen, 7104 }, 7105 [NFT_MSG_NEWOBJ] = { 7106 .call_batch = nf_tables_newobj, 7107 .attr_count = NFTA_OBJ_MAX, 7108 .policy = nft_obj_policy, 7109 }, 7110 [NFT_MSG_GETOBJ] = { 7111 .call_rcu = nf_tables_getobj, 7112 .attr_count = NFTA_OBJ_MAX, 7113 .policy = nft_obj_policy, 7114 }, 7115 [NFT_MSG_DELOBJ] = { 7116 .call_batch = nf_tables_delobj, 7117 .attr_count = NFTA_OBJ_MAX, 7118 .policy = nft_obj_policy, 7119 }, 7120 [NFT_MSG_GETOBJ_RESET] = { 7121 .call_rcu = nf_tables_getobj, 7122 .attr_count = NFTA_OBJ_MAX, 7123 .policy = nft_obj_policy, 7124 }, 7125 [NFT_MSG_NEWFLOWTABLE] = { 7126 .call_batch = nf_tables_newflowtable, 7127 .attr_count = NFTA_FLOWTABLE_MAX, 7128 .policy = nft_flowtable_policy, 7129 }, 7130 [NFT_MSG_GETFLOWTABLE] = { 7131 .call_rcu = nf_tables_getflowtable, 7132 .attr_count = NFTA_FLOWTABLE_MAX, 7133 .policy = nft_flowtable_policy, 7134 }, 7135 [NFT_MSG_DELFLOWTABLE] = { 7136 .call_batch = nf_tables_delflowtable, 7137 .attr_count = NFTA_FLOWTABLE_MAX, 7138 .policy = nft_flowtable_policy, 7139 }, 7140 }; 7141 7142 static int nf_tables_validate(struct net *net) 7143 { 7144 struct nft_table *table; 7145 7146 switch (net->nft.validate_state) { 7147 case NFT_VALIDATE_SKIP: 7148 break; 7149 case NFT_VALIDATE_NEED: 7150 nft_validate_state_update(net, NFT_VALIDATE_DO); 7151 /* fall through */ 7152 case NFT_VALIDATE_DO: 7153 list_for_each_entry(table, &net->nft.tables, list) { 7154 if (nft_table_validate(net, table) < 0) 7155 return -EAGAIN; 7156 } 7157 break; 7158 } 7159 7160 return 0; 7161 } 7162 7163 /* a drop policy has to be deferred until all rules have been activated, 7164 * otherwise a large ruleset that contains a drop-policy base chain will 7165 * cause all packets to get dropped until the full transaction has been 7166 * processed. 7167 * 7168 * We defer the drop policy until the transaction has been finalized. 7169 */ 7170 static void nft_chain_commit_drop_policy(struct nft_trans *trans) 7171 { 7172 struct nft_base_chain *basechain; 7173 7174 if (nft_trans_chain_policy(trans) != NF_DROP) 7175 return; 7176 7177 if (!nft_is_base_chain(trans->ctx.chain)) 7178 return; 7179 7180 basechain = nft_base_chain(trans->ctx.chain); 7181 basechain->policy = NF_DROP; 7182 } 7183 7184 static void nft_chain_commit_update(struct nft_trans *trans) 7185 { 7186 struct nft_base_chain *basechain; 7187 7188 if (nft_trans_chain_name(trans)) { 7189 rhltable_remove(&trans->ctx.table->chains_ht, 7190 &trans->ctx.chain->rhlhead, 7191 nft_chain_ht_params); 7192 swap(trans->ctx.chain->name, nft_trans_chain_name(trans)); 7193 rhltable_insert_key(&trans->ctx.table->chains_ht, 7194 trans->ctx.chain->name, 7195 &trans->ctx.chain->rhlhead, 7196 nft_chain_ht_params); 7197 } 7198 7199 if (!nft_is_base_chain(trans->ctx.chain)) 7200 return; 7201 7202 nft_chain_stats_replace(trans); 7203 7204 basechain = nft_base_chain(trans->ctx.chain); 7205 7206 switch (nft_trans_chain_policy(trans)) { 7207 case NF_DROP: 7208 case NF_ACCEPT: 7209 basechain->policy = nft_trans_chain_policy(trans); 7210 break; 7211 } 7212 } 7213 7214 static void nft_obj_commit_update(struct nft_trans *trans) 7215 { 7216 struct nft_object *newobj; 7217 struct nft_object *obj; 7218 7219 obj = nft_trans_obj(trans); 7220 newobj = nft_trans_obj_newobj(trans); 7221 7222 if (obj->ops->update) 7223 obj->ops->update(obj, newobj); 7224 7225 kfree(newobj); 7226 } 7227 7228 static void nft_commit_release(struct nft_trans *trans) 7229 { 7230 switch (trans->msg_type) { 7231 case NFT_MSG_DELTABLE: 7232 nf_tables_table_destroy(&trans->ctx); 7233 break; 7234 case NFT_MSG_NEWCHAIN: 7235 free_percpu(nft_trans_chain_stats(trans)); 7236 kfree(nft_trans_chain_name(trans)); 7237 break; 7238 case NFT_MSG_DELCHAIN: 7239 nf_tables_chain_destroy(&trans->ctx); 7240 break; 7241 case NFT_MSG_DELRULE: 7242 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 7243 break; 7244 case NFT_MSG_DELSET: 7245 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 7246 break; 7247 case NFT_MSG_DELSETELEM: 7248 nf_tables_set_elem_destroy(&trans->ctx, 7249 nft_trans_elem_set(trans), 7250 nft_trans_elem(trans).priv); 7251 break; 7252 case NFT_MSG_DELOBJ: 7253 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 7254 break; 7255 case NFT_MSG_DELFLOWTABLE: 7256 if (nft_trans_flowtable_update(trans)) 7257 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 7258 else 7259 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 7260 break; 7261 } 7262 7263 if (trans->put_net) 7264 put_net(trans->ctx.net); 7265 7266 kfree(trans); 7267 } 7268 7269 static void nf_tables_trans_destroy_work(struct work_struct *w) 7270 { 7271 struct nft_trans *trans, *next; 7272 LIST_HEAD(head); 7273 7274 spin_lock(&nf_tables_destroy_list_lock); 7275 list_splice_init(&nf_tables_destroy_list, &head); 7276 spin_unlock(&nf_tables_destroy_list_lock); 7277 7278 if (list_empty(&head)) 7279 return; 7280 7281 synchronize_rcu(); 7282 7283 list_for_each_entry_safe(trans, next, &head, list) { 7284 list_del(&trans->list); 7285 nft_commit_release(trans); 7286 } 7287 } 7288 7289 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 7290 { 7291 struct nft_rule *rule; 7292 unsigned int alloc = 0; 7293 int i; 7294 7295 /* already handled or inactive chain? */ 7296 if (chain->rules_next || !nft_is_active_next(net, chain)) 7297 return 0; 7298 7299 rule = list_entry(&chain->rules, struct nft_rule, list); 7300 i = 0; 7301 7302 list_for_each_entry_continue(rule, &chain->rules, list) { 7303 if (nft_is_active_next(net, rule)) 7304 alloc++; 7305 } 7306 7307 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc); 7308 if (!chain->rules_next) 7309 return -ENOMEM; 7310 7311 list_for_each_entry_continue(rule, &chain->rules, list) { 7312 if (nft_is_active_next(net, rule)) 7313 chain->rules_next[i++] = rule; 7314 } 7315 7316 chain->rules_next[i] = NULL; 7317 return 0; 7318 } 7319 7320 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 7321 { 7322 struct nft_trans *trans, *next; 7323 7324 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 7325 struct nft_chain *chain = trans->ctx.chain; 7326 7327 if (trans->msg_type == NFT_MSG_NEWRULE || 7328 trans->msg_type == NFT_MSG_DELRULE) { 7329 kvfree(chain->rules_next); 7330 chain->rules_next = NULL; 7331 } 7332 } 7333 } 7334 7335 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h) 7336 { 7337 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h); 7338 7339 kvfree(o->start); 7340 } 7341 7342 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules) 7343 { 7344 struct nft_rule **r = rules; 7345 struct nft_rules_old *old; 7346 7347 while (*r) 7348 r++; 7349 7350 r++; /* rcu_head is after end marker */ 7351 old = (void *) r; 7352 old->start = rules; 7353 7354 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old); 7355 } 7356 7357 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 7358 { 7359 struct nft_rule **g0, **g1; 7360 bool next_genbit; 7361 7362 next_genbit = nft_gencursor_next(net); 7363 7364 g0 = rcu_dereference_protected(chain->rules_gen_0, 7365 lockdep_commit_lock_is_held(net)); 7366 g1 = rcu_dereference_protected(chain->rules_gen_1, 7367 lockdep_commit_lock_is_held(net)); 7368 7369 /* No changes to this chain? */ 7370 if (chain->rules_next == NULL) { 7371 /* chain had no change in last or next generation */ 7372 if (g0 == g1) 7373 return; 7374 /* 7375 * chain had no change in this generation; make sure next 7376 * one uses same rules as current generation. 7377 */ 7378 if (next_genbit) { 7379 rcu_assign_pointer(chain->rules_gen_1, g0); 7380 nf_tables_commit_chain_free_rules_old(g1); 7381 } else { 7382 rcu_assign_pointer(chain->rules_gen_0, g1); 7383 nf_tables_commit_chain_free_rules_old(g0); 7384 } 7385 7386 return; 7387 } 7388 7389 if (next_genbit) 7390 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next); 7391 else 7392 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next); 7393 7394 chain->rules_next = NULL; 7395 7396 if (g0 == g1) 7397 return; 7398 7399 if (next_genbit) 7400 nf_tables_commit_chain_free_rules_old(g1); 7401 else 7402 nf_tables_commit_chain_free_rules_old(g0); 7403 } 7404 7405 static void nft_obj_del(struct nft_object *obj) 7406 { 7407 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 7408 list_del_rcu(&obj->list); 7409 } 7410 7411 static void nft_chain_del(struct nft_chain *chain) 7412 { 7413 struct nft_table *table = chain->table; 7414 7415 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 7416 nft_chain_ht_params)); 7417 list_del_rcu(&chain->list); 7418 } 7419 7420 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable, 7421 struct list_head *hook_list) 7422 { 7423 struct nft_hook *hook, *next; 7424 7425 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7426 if (hook->inactive) 7427 list_move(&hook->list, hook_list); 7428 } 7429 } 7430 7431 static void nf_tables_module_autoload_cleanup(struct net *net) 7432 { 7433 struct nft_module_request *req, *next; 7434 7435 WARN_ON_ONCE(!list_empty(&net->nft.commit_list)); 7436 list_for_each_entry_safe(req, next, &net->nft.module_list, list) { 7437 WARN_ON_ONCE(!req->done); 7438 list_del(&req->list); 7439 kfree(req); 7440 } 7441 } 7442 7443 static void nf_tables_commit_release(struct net *net) 7444 { 7445 struct nft_trans *trans; 7446 7447 /* all side effects have to be made visible. 7448 * For example, if a chain named 'foo' has been deleted, a 7449 * new transaction must not find it anymore. 7450 * 7451 * Memory reclaim happens asynchronously from work queue 7452 * to prevent expensive synchronize_rcu() in commit phase. 7453 */ 7454 if (list_empty(&net->nft.commit_list)) { 7455 nf_tables_module_autoload_cleanup(net); 7456 mutex_unlock(&net->nft.commit_mutex); 7457 return; 7458 } 7459 7460 trans = list_last_entry(&net->nft.commit_list, 7461 struct nft_trans, list); 7462 get_net(trans->ctx.net); 7463 WARN_ON_ONCE(trans->put_net); 7464 7465 trans->put_net = true; 7466 spin_lock(&nf_tables_destroy_list_lock); 7467 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list); 7468 spin_unlock(&nf_tables_destroy_list_lock); 7469 7470 nf_tables_module_autoload_cleanup(net); 7471 mutex_unlock(&net->nft.commit_mutex); 7472 7473 schedule_work(&trans_destroy_work); 7474 } 7475 7476 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 7477 { 7478 struct nft_trans *trans, *next; 7479 struct nft_trans_elem *te; 7480 struct nft_chain *chain; 7481 struct nft_table *table; 7482 int err; 7483 7484 if (list_empty(&net->nft.commit_list)) { 7485 mutex_unlock(&net->nft.commit_mutex); 7486 return 0; 7487 } 7488 7489 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 7490 if (nf_tables_validate(net) < 0) 7491 return -EAGAIN; 7492 7493 err = nft_flow_rule_offload_commit(net); 7494 if (err < 0) 7495 return err; 7496 7497 /* 1. Allocate space for next generation rules_gen_X[] */ 7498 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 7499 int ret; 7500 7501 if (trans->msg_type == NFT_MSG_NEWRULE || 7502 trans->msg_type == NFT_MSG_DELRULE) { 7503 chain = trans->ctx.chain; 7504 7505 ret = nf_tables_commit_chain_prepare(net, chain); 7506 if (ret < 0) { 7507 nf_tables_commit_chain_prepare_cancel(net); 7508 return ret; 7509 } 7510 } 7511 } 7512 7513 /* step 2. Make rules_gen_X visible to packet path */ 7514 list_for_each_entry(table, &net->nft.tables, list) { 7515 list_for_each_entry(chain, &table->chains, list) 7516 nf_tables_commit_chain(net, chain); 7517 } 7518 7519 /* 7520 * Bump generation counter, invalidate any dump in progress. 7521 * Cannot fail after this point. 7522 */ 7523 while (++net->nft.base_seq == 0); 7524 7525 /* step 3. Start new generation, rules_gen_X now in use. */ 7526 net->nft.gencursor = nft_gencursor_next(net); 7527 7528 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 7529 switch (trans->msg_type) { 7530 case NFT_MSG_NEWTABLE: 7531 if (nft_trans_table_update(trans)) { 7532 if (!nft_trans_table_enable(trans)) { 7533 nf_tables_table_disable(net, 7534 trans->ctx.table); 7535 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 7536 } 7537 } else { 7538 nft_clear(net, trans->ctx.table); 7539 } 7540 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE); 7541 nft_trans_destroy(trans); 7542 break; 7543 case NFT_MSG_DELTABLE: 7544 list_del_rcu(&trans->ctx.table->list); 7545 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE); 7546 break; 7547 case NFT_MSG_NEWCHAIN: 7548 if (nft_trans_chain_update(trans)) { 7549 nft_chain_commit_update(trans); 7550 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 7551 /* trans destroyed after rcu grace period */ 7552 } else { 7553 nft_chain_commit_drop_policy(trans); 7554 nft_clear(net, trans->ctx.chain); 7555 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 7556 nft_trans_destroy(trans); 7557 } 7558 break; 7559 case NFT_MSG_DELCHAIN: 7560 nft_chain_del(trans->ctx.chain); 7561 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN); 7562 nf_tables_unregister_hook(trans->ctx.net, 7563 trans->ctx.table, 7564 trans->ctx.chain); 7565 break; 7566 case NFT_MSG_NEWRULE: 7567 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 7568 nf_tables_rule_notify(&trans->ctx, 7569 nft_trans_rule(trans), 7570 NFT_MSG_NEWRULE); 7571 nft_trans_destroy(trans); 7572 break; 7573 case NFT_MSG_DELRULE: 7574 list_del_rcu(&nft_trans_rule(trans)->list); 7575 nf_tables_rule_notify(&trans->ctx, 7576 nft_trans_rule(trans), 7577 NFT_MSG_DELRULE); 7578 nft_rule_expr_deactivate(&trans->ctx, 7579 nft_trans_rule(trans), 7580 NFT_TRANS_COMMIT); 7581 break; 7582 case NFT_MSG_NEWSET: 7583 nft_clear(net, nft_trans_set(trans)); 7584 /* This avoids hitting -EBUSY when deleting the table 7585 * from the transaction. 7586 */ 7587 if (nft_set_is_anonymous(nft_trans_set(trans)) && 7588 !list_empty(&nft_trans_set(trans)->bindings)) 7589 trans->ctx.table->use--; 7590 7591 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 7592 NFT_MSG_NEWSET, GFP_KERNEL); 7593 nft_trans_destroy(trans); 7594 break; 7595 case NFT_MSG_DELSET: 7596 list_del_rcu(&nft_trans_set(trans)->list); 7597 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 7598 NFT_MSG_DELSET, GFP_KERNEL); 7599 break; 7600 case NFT_MSG_NEWSETELEM: 7601 te = (struct nft_trans_elem *)trans->data; 7602 7603 te->set->ops->activate(net, te->set, &te->elem); 7604 nf_tables_setelem_notify(&trans->ctx, te->set, 7605 &te->elem, 7606 NFT_MSG_NEWSETELEM, 0); 7607 nft_trans_destroy(trans); 7608 break; 7609 case NFT_MSG_DELSETELEM: 7610 te = (struct nft_trans_elem *)trans->data; 7611 7612 nf_tables_setelem_notify(&trans->ctx, te->set, 7613 &te->elem, 7614 NFT_MSG_DELSETELEM, 0); 7615 te->set->ops->remove(net, te->set, &te->elem); 7616 atomic_dec(&te->set->nelems); 7617 te->set->ndeact--; 7618 break; 7619 case NFT_MSG_NEWOBJ: 7620 if (nft_trans_obj_update(trans)) { 7621 nft_obj_commit_update(trans); 7622 nf_tables_obj_notify(&trans->ctx, 7623 nft_trans_obj(trans), 7624 NFT_MSG_NEWOBJ); 7625 } else { 7626 nft_clear(net, nft_trans_obj(trans)); 7627 nf_tables_obj_notify(&trans->ctx, 7628 nft_trans_obj(trans), 7629 NFT_MSG_NEWOBJ); 7630 nft_trans_destroy(trans); 7631 } 7632 break; 7633 case NFT_MSG_DELOBJ: 7634 nft_obj_del(nft_trans_obj(trans)); 7635 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans), 7636 NFT_MSG_DELOBJ); 7637 break; 7638 case NFT_MSG_NEWFLOWTABLE: 7639 if (nft_trans_flowtable_update(trans)) { 7640 nf_tables_flowtable_notify(&trans->ctx, 7641 nft_trans_flowtable(trans), 7642 &nft_trans_flowtable_hooks(trans), 7643 NFT_MSG_NEWFLOWTABLE); 7644 list_splice(&nft_trans_flowtable_hooks(trans), 7645 &nft_trans_flowtable(trans)->hook_list); 7646 } else { 7647 nft_clear(net, nft_trans_flowtable(trans)); 7648 nf_tables_flowtable_notify(&trans->ctx, 7649 nft_trans_flowtable(trans), 7650 &nft_trans_flowtable(trans)->hook_list, 7651 NFT_MSG_NEWFLOWTABLE); 7652 } 7653 nft_trans_destroy(trans); 7654 break; 7655 case NFT_MSG_DELFLOWTABLE: 7656 if (nft_trans_flowtable_update(trans)) { 7657 nft_flowtable_hooks_del(nft_trans_flowtable(trans), 7658 &nft_trans_flowtable_hooks(trans)); 7659 nf_tables_flowtable_notify(&trans->ctx, 7660 nft_trans_flowtable(trans), 7661 &nft_trans_flowtable_hooks(trans), 7662 NFT_MSG_DELFLOWTABLE); 7663 nft_unregister_flowtable_net_hooks(net, 7664 &nft_trans_flowtable_hooks(trans)); 7665 } else { 7666 list_del_rcu(&nft_trans_flowtable(trans)->list); 7667 nf_tables_flowtable_notify(&trans->ctx, 7668 nft_trans_flowtable(trans), 7669 &nft_trans_flowtable(trans)->hook_list, 7670 NFT_MSG_DELFLOWTABLE); 7671 nft_unregister_flowtable_net_hooks(net, 7672 &nft_trans_flowtable(trans)->hook_list); 7673 } 7674 break; 7675 } 7676 } 7677 7678 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 7679 nf_tables_commit_release(net); 7680 7681 return 0; 7682 } 7683 7684 static void nf_tables_module_autoload(struct net *net) 7685 { 7686 struct nft_module_request *req, *next; 7687 LIST_HEAD(module_list); 7688 7689 list_splice_init(&net->nft.module_list, &module_list); 7690 mutex_unlock(&net->nft.commit_mutex); 7691 list_for_each_entry_safe(req, next, &module_list, list) { 7692 request_module("%s", req->module); 7693 req->done = true; 7694 } 7695 mutex_lock(&net->nft.commit_mutex); 7696 list_splice(&module_list, &net->nft.module_list); 7697 } 7698 7699 static void nf_tables_abort_release(struct nft_trans *trans) 7700 { 7701 switch (trans->msg_type) { 7702 case NFT_MSG_NEWTABLE: 7703 nf_tables_table_destroy(&trans->ctx); 7704 break; 7705 case NFT_MSG_NEWCHAIN: 7706 nf_tables_chain_destroy(&trans->ctx); 7707 break; 7708 case NFT_MSG_NEWRULE: 7709 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 7710 break; 7711 case NFT_MSG_NEWSET: 7712 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 7713 break; 7714 case NFT_MSG_NEWSETELEM: 7715 nft_set_elem_destroy(nft_trans_elem_set(trans), 7716 nft_trans_elem(trans).priv, true); 7717 break; 7718 case NFT_MSG_NEWOBJ: 7719 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 7720 break; 7721 case NFT_MSG_NEWFLOWTABLE: 7722 if (nft_trans_flowtable_update(trans)) 7723 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 7724 else 7725 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 7726 break; 7727 } 7728 kfree(trans); 7729 } 7730 7731 static int __nf_tables_abort(struct net *net, bool autoload) 7732 { 7733 struct nft_trans *trans, *next; 7734 struct nft_trans_elem *te; 7735 struct nft_hook *hook; 7736 7737 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list, 7738 list) { 7739 switch (trans->msg_type) { 7740 case NFT_MSG_NEWTABLE: 7741 if (nft_trans_table_update(trans)) { 7742 if (nft_trans_table_enable(trans)) { 7743 nf_tables_table_disable(net, 7744 trans->ctx.table); 7745 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 7746 } 7747 nft_trans_destroy(trans); 7748 } else { 7749 list_del_rcu(&trans->ctx.table->list); 7750 } 7751 break; 7752 case NFT_MSG_DELTABLE: 7753 nft_clear(trans->ctx.net, trans->ctx.table); 7754 nft_trans_destroy(trans); 7755 break; 7756 case NFT_MSG_NEWCHAIN: 7757 if (nft_trans_chain_update(trans)) { 7758 free_percpu(nft_trans_chain_stats(trans)); 7759 kfree(nft_trans_chain_name(trans)); 7760 nft_trans_destroy(trans); 7761 } else { 7762 trans->ctx.table->use--; 7763 nft_chain_del(trans->ctx.chain); 7764 nf_tables_unregister_hook(trans->ctx.net, 7765 trans->ctx.table, 7766 trans->ctx.chain); 7767 } 7768 break; 7769 case NFT_MSG_DELCHAIN: 7770 trans->ctx.table->use++; 7771 nft_clear(trans->ctx.net, trans->ctx.chain); 7772 nft_trans_destroy(trans); 7773 break; 7774 case NFT_MSG_NEWRULE: 7775 trans->ctx.chain->use--; 7776 list_del_rcu(&nft_trans_rule(trans)->list); 7777 nft_rule_expr_deactivate(&trans->ctx, 7778 nft_trans_rule(trans), 7779 NFT_TRANS_ABORT); 7780 break; 7781 case NFT_MSG_DELRULE: 7782 trans->ctx.chain->use++; 7783 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 7784 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans)); 7785 nft_trans_destroy(trans); 7786 break; 7787 case NFT_MSG_NEWSET: 7788 trans->ctx.table->use--; 7789 if (nft_trans_set_bound(trans)) { 7790 nft_trans_destroy(trans); 7791 break; 7792 } 7793 list_del_rcu(&nft_trans_set(trans)->list); 7794 break; 7795 case NFT_MSG_DELSET: 7796 trans->ctx.table->use++; 7797 nft_clear(trans->ctx.net, nft_trans_set(trans)); 7798 nft_trans_destroy(trans); 7799 break; 7800 case NFT_MSG_NEWSETELEM: 7801 if (nft_trans_elem_set_bound(trans)) { 7802 nft_trans_destroy(trans); 7803 break; 7804 } 7805 te = (struct nft_trans_elem *)trans->data; 7806 te->set->ops->remove(net, te->set, &te->elem); 7807 atomic_dec(&te->set->nelems); 7808 break; 7809 case NFT_MSG_DELSETELEM: 7810 te = (struct nft_trans_elem *)trans->data; 7811 7812 nft_set_elem_activate(net, te->set, &te->elem); 7813 te->set->ops->activate(net, te->set, &te->elem); 7814 te->set->ndeact--; 7815 7816 nft_trans_destroy(trans); 7817 break; 7818 case NFT_MSG_NEWOBJ: 7819 if (nft_trans_obj_update(trans)) { 7820 kfree(nft_trans_obj_newobj(trans)); 7821 nft_trans_destroy(trans); 7822 } else { 7823 trans->ctx.table->use--; 7824 nft_obj_del(nft_trans_obj(trans)); 7825 } 7826 break; 7827 case NFT_MSG_DELOBJ: 7828 trans->ctx.table->use++; 7829 nft_clear(trans->ctx.net, nft_trans_obj(trans)); 7830 nft_trans_destroy(trans); 7831 break; 7832 case NFT_MSG_NEWFLOWTABLE: 7833 if (nft_trans_flowtable_update(trans)) { 7834 nft_unregister_flowtable_net_hooks(net, 7835 &nft_trans_flowtable_hooks(trans)); 7836 } else { 7837 trans->ctx.table->use--; 7838 list_del_rcu(&nft_trans_flowtable(trans)->list); 7839 nft_unregister_flowtable_net_hooks(net, 7840 &nft_trans_flowtable(trans)->hook_list); 7841 } 7842 break; 7843 case NFT_MSG_DELFLOWTABLE: 7844 if (nft_trans_flowtable_update(trans)) { 7845 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list) 7846 hook->inactive = false; 7847 } else { 7848 trans->ctx.table->use++; 7849 nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); 7850 } 7851 nft_trans_destroy(trans); 7852 break; 7853 } 7854 } 7855 7856 synchronize_rcu(); 7857 7858 list_for_each_entry_safe_reverse(trans, next, 7859 &net->nft.commit_list, list) { 7860 list_del(&trans->list); 7861 nf_tables_abort_release(trans); 7862 } 7863 7864 if (autoload) 7865 nf_tables_module_autoload(net); 7866 else 7867 nf_tables_module_autoload_cleanup(net); 7868 7869 return 0; 7870 } 7871 7872 static void nf_tables_cleanup(struct net *net) 7873 { 7874 nft_validate_state_update(net, NFT_VALIDATE_SKIP); 7875 } 7876 7877 static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload) 7878 { 7879 int ret = __nf_tables_abort(net, autoload); 7880 7881 mutex_unlock(&net->nft.commit_mutex); 7882 7883 return ret; 7884 } 7885 7886 static bool nf_tables_valid_genid(struct net *net, u32 genid) 7887 { 7888 bool genid_ok; 7889 7890 mutex_lock(&net->nft.commit_mutex); 7891 7892 genid_ok = genid == 0 || net->nft.base_seq == genid; 7893 if (!genid_ok) 7894 mutex_unlock(&net->nft.commit_mutex); 7895 7896 /* else, commit mutex has to be released by commit or abort function */ 7897 return genid_ok; 7898 } 7899 7900 static const struct nfnetlink_subsystem nf_tables_subsys = { 7901 .name = "nf_tables", 7902 .subsys_id = NFNL_SUBSYS_NFTABLES, 7903 .cb_count = NFT_MSG_MAX, 7904 .cb = nf_tables_cb, 7905 .commit = nf_tables_commit, 7906 .abort = nf_tables_abort, 7907 .cleanup = nf_tables_cleanup, 7908 .valid_genid = nf_tables_valid_genid, 7909 .owner = THIS_MODULE, 7910 }; 7911 7912 int nft_chain_validate_dependency(const struct nft_chain *chain, 7913 enum nft_chain_types type) 7914 { 7915 const struct nft_base_chain *basechain; 7916 7917 if (nft_is_base_chain(chain)) { 7918 basechain = nft_base_chain(chain); 7919 if (basechain->type->type != type) 7920 return -EOPNOTSUPP; 7921 } 7922 return 0; 7923 } 7924 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 7925 7926 int nft_chain_validate_hooks(const struct nft_chain *chain, 7927 unsigned int hook_flags) 7928 { 7929 struct nft_base_chain *basechain; 7930 7931 if (nft_is_base_chain(chain)) { 7932 basechain = nft_base_chain(chain); 7933 7934 if ((1 << basechain->ops.hooknum) & hook_flags) 7935 return 0; 7936 7937 return -EOPNOTSUPP; 7938 } 7939 7940 return 0; 7941 } 7942 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 7943 7944 /* 7945 * Loop detection - walk through the ruleset beginning at the destination chain 7946 * of a new jump until either the source chain is reached (loop) or all 7947 * reachable chains have been traversed. 7948 * 7949 * The loop check is performed whenever a new jump verdict is added to an 7950 * expression or verdict map or a verdict map is bound to a new chain. 7951 */ 7952 7953 static int nf_tables_check_loops(const struct nft_ctx *ctx, 7954 const struct nft_chain *chain); 7955 7956 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, 7957 struct nft_set *set, 7958 const struct nft_set_iter *iter, 7959 struct nft_set_elem *elem) 7960 { 7961 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 7962 const struct nft_data *data; 7963 7964 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 7965 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 7966 return 0; 7967 7968 data = nft_set_ext_data(ext); 7969 switch (data->verdict.code) { 7970 case NFT_JUMP: 7971 case NFT_GOTO: 7972 return nf_tables_check_loops(ctx, data->verdict.chain); 7973 default: 7974 return 0; 7975 } 7976 } 7977 7978 static int nf_tables_check_loops(const struct nft_ctx *ctx, 7979 const struct nft_chain *chain) 7980 { 7981 const struct nft_rule *rule; 7982 const struct nft_expr *expr, *last; 7983 struct nft_set *set; 7984 struct nft_set_binding *binding; 7985 struct nft_set_iter iter; 7986 7987 if (ctx->chain == chain) 7988 return -ELOOP; 7989 7990 list_for_each_entry(rule, &chain->rules, list) { 7991 nft_rule_for_each_expr(expr, last, rule) { 7992 struct nft_immediate_expr *priv; 7993 const struct nft_data *data; 7994 int err; 7995 7996 if (strcmp(expr->ops->type->name, "immediate")) 7997 continue; 7998 7999 priv = nft_expr_priv(expr); 8000 if (priv->dreg != NFT_REG_VERDICT) 8001 continue; 8002 8003 data = &priv->data; 8004 switch (data->verdict.code) { 8005 case NFT_JUMP: 8006 case NFT_GOTO: 8007 err = nf_tables_check_loops(ctx, 8008 data->verdict.chain); 8009 if (err < 0) 8010 return err; 8011 default: 8012 break; 8013 } 8014 } 8015 } 8016 8017 list_for_each_entry(set, &ctx->table->sets, list) { 8018 if (!nft_is_active_next(ctx->net, set)) 8019 continue; 8020 if (!(set->flags & NFT_SET_MAP) || 8021 set->dtype != NFT_DATA_VERDICT) 8022 continue; 8023 8024 list_for_each_entry(binding, &set->bindings, list) { 8025 if (!(binding->flags & NFT_SET_MAP) || 8026 binding->chain != chain) 8027 continue; 8028 8029 iter.genmask = nft_genmask_next(ctx->net); 8030 iter.skip = 0; 8031 iter.count = 0; 8032 iter.err = 0; 8033 iter.fn = nf_tables_loop_check_setelem; 8034 8035 set->ops->walk(ctx, set, &iter); 8036 if (iter.err < 0) 8037 return iter.err; 8038 } 8039 } 8040 8041 return 0; 8042 } 8043 8044 /** 8045 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 8046 * 8047 * @attr: netlink attribute to fetch value from 8048 * @max: maximum value to be stored in dest 8049 * @dest: pointer to the variable 8050 * 8051 * Parse, check and store a given u32 netlink attribute into variable. 8052 * This function returns -ERANGE if the value goes over maximum value. 8053 * Otherwise a 0 is returned and the attribute value is stored in the 8054 * destination variable. 8055 */ 8056 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 8057 { 8058 u32 val; 8059 8060 val = ntohl(nla_get_be32(attr)); 8061 if (val > max) 8062 return -ERANGE; 8063 8064 *dest = val; 8065 return 0; 8066 } 8067 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 8068 8069 /** 8070 * nft_parse_register - parse a register value from a netlink attribute 8071 * 8072 * @attr: netlink attribute 8073 * 8074 * Parse and translate a register value from a netlink attribute. 8075 * Registers used to be 128 bit wide, these register numbers will be 8076 * mapped to the corresponding 32 bit register numbers. 8077 */ 8078 unsigned int nft_parse_register(const struct nlattr *attr) 8079 { 8080 unsigned int reg; 8081 8082 reg = ntohl(nla_get_be32(attr)); 8083 switch (reg) { 8084 case NFT_REG_VERDICT...NFT_REG_4: 8085 return reg * NFT_REG_SIZE / NFT_REG32_SIZE; 8086 default: 8087 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 8088 } 8089 } 8090 EXPORT_SYMBOL_GPL(nft_parse_register); 8091 8092 /** 8093 * nft_dump_register - dump a register value to a netlink attribute 8094 * 8095 * @skb: socket buffer 8096 * @attr: attribute number 8097 * @reg: register number 8098 * 8099 * Construct a netlink attribute containing the register number. For 8100 * compatibility reasons, register numbers being a multiple of 4 are 8101 * translated to the corresponding 128 bit register numbers. 8102 */ 8103 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 8104 { 8105 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 8106 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 8107 else 8108 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 8109 8110 return nla_put_be32(skb, attr, htonl(reg)); 8111 } 8112 EXPORT_SYMBOL_GPL(nft_dump_register); 8113 8114 /** 8115 * nft_validate_register_load - validate a load from a register 8116 * 8117 * @reg: the register number 8118 * @len: the length of the data 8119 * 8120 * Validate that the input register is one of the general purpose 8121 * registers and that the length of the load is within the bounds. 8122 */ 8123 int nft_validate_register_load(enum nft_registers reg, unsigned int len) 8124 { 8125 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 8126 return -EINVAL; 8127 if (len == 0) 8128 return -EINVAL; 8129 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 8130 return -ERANGE; 8131 8132 return 0; 8133 } 8134 EXPORT_SYMBOL_GPL(nft_validate_register_load); 8135 8136 /** 8137 * nft_validate_register_store - validate an expressions' register store 8138 * 8139 * @ctx: context of the expression performing the load 8140 * @reg: the destination register number 8141 * @data: the data to load 8142 * @type: the data type 8143 * @len: the length of the data 8144 * 8145 * Validate that a data load uses the appropriate data type for 8146 * the destination register and the length is within the bounds. 8147 * A value of NULL for the data means that its runtime gathered 8148 * data. 8149 */ 8150 int nft_validate_register_store(const struct nft_ctx *ctx, 8151 enum nft_registers reg, 8152 const struct nft_data *data, 8153 enum nft_data_types type, unsigned int len) 8154 { 8155 int err; 8156 8157 switch (reg) { 8158 case NFT_REG_VERDICT: 8159 if (type != NFT_DATA_VERDICT) 8160 return -EINVAL; 8161 8162 if (data != NULL && 8163 (data->verdict.code == NFT_GOTO || 8164 data->verdict.code == NFT_JUMP)) { 8165 err = nf_tables_check_loops(ctx, data->verdict.chain); 8166 if (err < 0) 8167 return err; 8168 } 8169 8170 return 0; 8171 default: 8172 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 8173 return -EINVAL; 8174 if (len == 0) 8175 return -EINVAL; 8176 if (reg * NFT_REG32_SIZE + len > 8177 sizeof_field(struct nft_regs, data)) 8178 return -ERANGE; 8179 8180 if (data != NULL && type != NFT_DATA_VALUE) 8181 return -EINVAL; 8182 return 0; 8183 } 8184 } 8185 EXPORT_SYMBOL_GPL(nft_validate_register_store); 8186 8187 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 8188 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 8189 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 8190 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 8191 }; 8192 8193 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 8194 struct nft_data_desc *desc, const struct nlattr *nla) 8195 { 8196 u8 genmask = nft_genmask_next(ctx->net); 8197 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 8198 struct nft_chain *chain; 8199 int err; 8200 8201 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 8202 nft_verdict_policy, NULL); 8203 if (err < 0) 8204 return err; 8205 8206 if (!tb[NFTA_VERDICT_CODE]) 8207 return -EINVAL; 8208 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 8209 8210 switch (data->verdict.code) { 8211 default: 8212 switch (data->verdict.code & NF_VERDICT_MASK) { 8213 case NF_ACCEPT: 8214 case NF_DROP: 8215 case NF_QUEUE: 8216 break; 8217 default: 8218 return -EINVAL; 8219 } 8220 /* fall through */ 8221 case NFT_CONTINUE: 8222 case NFT_BREAK: 8223 case NFT_RETURN: 8224 break; 8225 case NFT_JUMP: 8226 case NFT_GOTO: 8227 if (!tb[NFTA_VERDICT_CHAIN]) 8228 return -EINVAL; 8229 chain = nft_chain_lookup(ctx->net, ctx->table, 8230 tb[NFTA_VERDICT_CHAIN], genmask); 8231 if (IS_ERR(chain)) 8232 return PTR_ERR(chain); 8233 if (nft_is_base_chain(chain)) 8234 return -EOPNOTSUPP; 8235 8236 chain->use++; 8237 data->verdict.chain = chain; 8238 break; 8239 } 8240 8241 desc->len = sizeof(data->verdict); 8242 desc->type = NFT_DATA_VERDICT; 8243 return 0; 8244 } 8245 8246 static void nft_verdict_uninit(const struct nft_data *data) 8247 { 8248 switch (data->verdict.code) { 8249 case NFT_JUMP: 8250 case NFT_GOTO: 8251 data->verdict.chain->use--; 8252 break; 8253 } 8254 } 8255 8256 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 8257 { 8258 struct nlattr *nest; 8259 8260 nest = nla_nest_start_noflag(skb, type); 8261 if (!nest) 8262 goto nla_put_failure; 8263 8264 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 8265 goto nla_put_failure; 8266 8267 switch (v->code) { 8268 case NFT_JUMP: 8269 case NFT_GOTO: 8270 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 8271 v->chain->name)) 8272 goto nla_put_failure; 8273 } 8274 nla_nest_end(skb, nest); 8275 return 0; 8276 8277 nla_put_failure: 8278 return -1; 8279 } 8280 8281 static int nft_value_init(const struct nft_ctx *ctx, 8282 struct nft_data *data, unsigned int size, 8283 struct nft_data_desc *desc, const struct nlattr *nla) 8284 { 8285 unsigned int len; 8286 8287 len = nla_len(nla); 8288 if (len == 0) 8289 return -EINVAL; 8290 if (len > size) 8291 return -EOVERFLOW; 8292 8293 nla_memcpy(data->data, nla, len); 8294 desc->type = NFT_DATA_VALUE; 8295 desc->len = len; 8296 return 0; 8297 } 8298 8299 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 8300 unsigned int len) 8301 { 8302 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 8303 } 8304 8305 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 8306 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 8307 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 8308 }; 8309 8310 /** 8311 * nft_data_init - parse nf_tables data netlink attributes 8312 * 8313 * @ctx: context of the expression using the data 8314 * @data: destination struct nft_data 8315 * @size: maximum data length 8316 * @desc: data description 8317 * @nla: netlink attribute containing data 8318 * 8319 * Parse the netlink data attributes and initialize a struct nft_data. 8320 * The type and length of data are returned in the data description. 8321 * 8322 * The caller can indicate that it only wants to accept data of type 8323 * NFT_DATA_VALUE by passing NULL for the ctx argument. 8324 */ 8325 int nft_data_init(const struct nft_ctx *ctx, 8326 struct nft_data *data, unsigned int size, 8327 struct nft_data_desc *desc, const struct nlattr *nla) 8328 { 8329 struct nlattr *tb[NFTA_DATA_MAX + 1]; 8330 int err; 8331 8332 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 8333 nft_data_policy, NULL); 8334 if (err < 0) 8335 return err; 8336 8337 if (tb[NFTA_DATA_VALUE]) 8338 return nft_value_init(ctx, data, size, desc, 8339 tb[NFTA_DATA_VALUE]); 8340 if (tb[NFTA_DATA_VERDICT] && ctx != NULL) 8341 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 8342 return -EINVAL; 8343 } 8344 EXPORT_SYMBOL_GPL(nft_data_init); 8345 8346 /** 8347 * nft_data_release - release a nft_data item 8348 * 8349 * @data: struct nft_data to release 8350 * @type: type of data 8351 * 8352 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 8353 * all others need to be released by calling this function. 8354 */ 8355 void nft_data_release(const struct nft_data *data, enum nft_data_types type) 8356 { 8357 if (type < NFT_DATA_VERDICT) 8358 return; 8359 switch (type) { 8360 case NFT_DATA_VERDICT: 8361 return nft_verdict_uninit(data); 8362 default: 8363 WARN_ON(1); 8364 } 8365 } 8366 EXPORT_SYMBOL_GPL(nft_data_release); 8367 8368 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 8369 enum nft_data_types type, unsigned int len) 8370 { 8371 struct nlattr *nest; 8372 int err; 8373 8374 nest = nla_nest_start_noflag(skb, attr); 8375 if (nest == NULL) 8376 return -1; 8377 8378 switch (type) { 8379 case NFT_DATA_VALUE: 8380 err = nft_value_dump(skb, data, len); 8381 break; 8382 case NFT_DATA_VERDICT: 8383 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 8384 break; 8385 default: 8386 err = -EINVAL; 8387 WARN_ON(1); 8388 } 8389 8390 nla_nest_end(skb, nest); 8391 return err; 8392 } 8393 EXPORT_SYMBOL_GPL(nft_data_dump); 8394 8395 int __nft_release_basechain(struct nft_ctx *ctx) 8396 { 8397 struct nft_rule *rule, *nr; 8398 8399 if (WARN_ON(!nft_is_base_chain(ctx->chain))) 8400 return 0; 8401 8402 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); 8403 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { 8404 list_del(&rule->list); 8405 ctx->chain->use--; 8406 nf_tables_rule_release(ctx, rule); 8407 } 8408 nft_chain_del(ctx->chain); 8409 ctx->table->use--; 8410 nf_tables_chain_destroy(ctx); 8411 8412 return 0; 8413 } 8414 EXPORT_SYMBOL_GPL(__nft_release_basechain); 8415 8416 static void __nft_release_tables(struct net *net) 8417 { 8418 struct nft_flowtable *flowtable, *nf; 8419 struct nft_table *table, *nt; 8420 struct nft_chain *chain, *nc; 8421 struct nft_object *obj, *ne; 8422 struct nft_rule *rule, *nr; 8423 struct nft_set *set, *ns; 8424 struct nft_ctx ctx = { 8425 .net = net, 8426 .family = NFPROTO_NETDEV, 8427 }; 8428 8429 list_for_each_entry_safe(table, nt, &net->nft.tables, list) { 8430 ctx.family = table->family; 8431 8432 list_for_each_entry(chain, &table->chains, list) 8433 nf_tables_unregister_hook(net, table, chain); 8434 /* No packets are walking on these chains anymore. */ 8435 ctx.table = table; 8436 list_for_each_entry(chain, &table->chains, list) { 8437 ctx.chain = chain; 8438 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 8439 list_del(&rule->list); 8440 chain->use--; 8441 nf_tables_rule_release(&ctx, rule); 8442 } 8443 } 8444 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 8445 list_del(&flowtable->list); 8446 table->use--; 8447 nf_tables_flowtable_destroy(flowtable); 8448 } 8449 list_for_each_entry_safe(set, ns, &table->sets, list) { 8450 list_del(&set->list); 8451 table->use--; 8452 nft_set_destroy(&ctx, set); 8453 } 8454 list_for_each_entry_safe(obj, ne, &table->objects, list) { 8455 nft_obj_del(obj); 8456 table->use--; 8457 nft_obj_destroy(&ctx, obj); 8458 } 8459 list_for_each_entry_safe(chain, nc, &table->chains, list) { 8460 ctx.chain = chain; 8461 nft_chain_del(chain); 8462 table->use--; 8463 nf_tables_chain_destroy(&ctx); 8464 } 8465 list_del(&table->list); 8466 nf_tables_table_destroy(&ctx); 8467 } 8468 } 8469 8470 static int __net_init nf_tables_init_net(struct net *net) 8471 { 8472 INIT_LIST_HEAD(&net->nft.tables); 8473 INIT_LIST_HEAD(&net->nft.commit_list); 8474 INIT_LIST_HEAD(&net->nft.module_list); 8475 mutex_init(&net->nft.commit_mutex); 8476 net->nft.base_seq = 1; 8477 net->nft.validate_state = NFT_VALIDATE_SKIP; 8478 8479 return 0; 8480 } 8481 8482 static void __net_exit nf_tables_exit_net(struct net *net) 8483 { 8484 mutex_lock(&net->nft.commit_mutex); 8485 if (!list_empty(&net->nft.commit_list)) 8486 __nf_tables_abort(net, false); 8487 __nft_release_tables(net); 8488 mutex_unlock(&net->nft.commit_mutex); 8489 WARN_ON_ONCE(!list_empty(&net->nft.tables)); 8490 WARN_ON_ONCE(!list_empty(&net->nft.module_list)); 8491 } 8492 8493 static struct pernet_operations nf_tables_net_ops = { 8494 .init = nf_tables_init_net, 8495 .exit = nf_tables_exit_net, 8496 }; 8497 8498 static int __init nf_tables_module_init(void) 8499 { 8500 int err; 8501 8502 spin_lock_init(&nf_tables_destroy_list_lock); 8503 err = register_pernet_subsys(&nf_tables_net_ops); 8504 if (err < 0) 8505 return err; 8506 8507 err = nft_chain_filter_init(); 8508 if (err < 0) 8509 goto err1; 8510 8511 err = nf_tables_core_module_init(); 8512 if (err < 0) 8513 goto err2; 8514 8515 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 8516 if (err < 0) 8517 goto err3; 8518 8519 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 8520 if (err < 0) 8521 goto err4; 8522 8523 err = nft_offload_init(); 8524 if (err < 0) 8525 goto err5; 8526 8527 /* must be last */ 8528 err = nfnetlink_subsys_register(&nf_tables_subsys); 8529 if (err < 0) 8530 goto err6; 8531 8532 nft_chain_route_init(); 8533 8534 return err; 8535 err6: 8536 nft_offload_exit(); 8537 err5: 8538 rhltable_destroy(&nft_objname_ht); 8539 err4: 8540 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 8541 err3: 8542 nf_tables_core_module_exit(); 8543 err2: 8544 nft_chain_filter_fini(); 8545 err1: 8546 unregister_pernet_subsys(&nf_tables_net_ops); 8547 return err; 8548 } 8549 8550 static void __exit nf_tables_module_exit(void) 8551 { 8552 nfnetlink_subsys_unregister(&nf_tables_subsys); 8553 nft_offload_exit(); 8554 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 8555 nft_chain_filter_fini(); 8556 nft_chain_route_fini(); 8557 unregister_pernet_subsys(&nf_tables_net_ops); 8558 cancel_work_sync(&trans_destroy_work); 8559 rcu_barrier(); 8560 rhltable_destroy(&nft_objname_ht); 8561 nf_tables_core_module_exit(); 8562 } 8563 8564 module_init(nf_tables_module_init); 8565 module_exit(nf_tables_module_exit); 8566 8567 MODULE_LICENSE("GPL"); 8568 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 8569 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 8570