1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 #define NFT_SET_MAX_ANONLEN 16
28
29 unsigned int nf_tables_net_id __read_mostly;
30
31 static LIST_HEAD(nf_tables_expressions);
32 static LIST_HEAD(nf_tables_objects);
33 static LIST_HEAD(nf_tables_flowtables);
34 static LIST_HEAD(nf_tables_destroy_list);
35 static LIST_HEAD(nf_tables_gc_list);
36 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
37 static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
38
39 enum {
40 NFT_VALIDATE_SKIP = 0,
41 NFT_VALIDATE_NEED,
42 NFT_VALIDATE_DO,
43 };
44
45 static struct rhltable nft_objname_ht;
46
47 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
52 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
53 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
54
55 static const struct rhashtable_params nft_chain_ht_params = {
56 .head_offset = offsetof(struct nft_chain, rhlhead),
57 .key_offset = offsetof(struct nft_chain, name),
58 .hashfn = nft_chain_hash,
59 .obj_hashfn = nft_chain_hash_obj,
60 .obj_cmpfn = nft_chain_hash_cmp,
61 .automatic_shrinking = true,
62 };
63
64 static const struct rhashtable_params nft_objname_ht_params = {
65 .head_offset = offsetof(struct nft_object, rhlhead),
66 .key_offset = offsetof(struct nft_object, key),
67 .hashfn = nft_objname_hash,
68 .obj_hashfn = nft_objname_hash_obj,
69 .obj_cmpfn = nft_objname_hash_cmp,
70 .automatic_shrinking = true,
71 };
72
73 struct nft_audit_data {
74 struct nft_table *table;
75 int entries;
76 int op;
77 struct list_head list;
78 };
79
80 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
81 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
82 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
83 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
84 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
85 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
87 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
88 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
90 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
91 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
93 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
94 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
96 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
97 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
99 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
100 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
102 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
103 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
104 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
105 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
106 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
107 };
108
nft_validate_state_update(struct nft_table * table,u8 new_validate_state)109 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
110 {
111 switch (table->validate_state) {
112 case NFT_VALIDATE_SKIP:
113 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
114 break;
115 case NFT_VALIDATE_NEED:
116 break;
117 case NFT_VALIDATE_DO:
118 if (new_validate_state == NFT_VALIDATE_NEED)
119 return;
120 }
121
122 table->validate_state = new_validate_state;
123 }
124 static void nf_tables_trans_destroy_work(struct work_struct *w);
125 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
126
127 static void nft_trans_gc_work(struct work_struct *work);
128 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
129
nft_ctx_init(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,u8 family,struct nft_table * table,struct nft_chain * chain,const struct nlattr * const * nla)130 static void nft_ctx_init(struct nft_ctx *ctx,
131 struct net *net,
132 const struct sk_buff *skb,
133 const struct nlmsghdr *nlh,
134 u8 family,
135 struct nft_table *table,
136 struct nft_chain *chain,
137 const struct nlattr * const *nla)
138 {
139 ctx->net = net;
140 ctx->family = family;
141 ctx->level = 0;
142 ctx->table = table;
143 ctx->chain = chain;
144 ctx->nla = nla;
145 ctx->portid = NETLINK_CB(skb).portid;
146 ctx->report = nlmsg_report(nlh);
147 ctx->flags = nlh->nlmsg_flags;
148 ctx->seq = nlh->nlmsg_seq;
149
150 bitmap_zero(ctx->reg_inited, NFT_REG32_NUM);
151 }
152
nft_trans_alloc_gfp(const struct nft_ctx * ctx,int msg_type,u32 size,gfp_t gfp)153 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
154 int msg_type, u32 size, gfp_t gfp)
155 {
156 struct nft_trans *trans;
157
158 trans = kzalloc(size, gfp);
159 if (trans == NULL)
160 return NULL;
161
162 INIT_LIST_HEAD(&trans->list);
163 trans->msg_type = msg_type;
164
165 trans->net = ctx->net;
166 trans->table = ctx->table;
167 trans->seq = ctx->seq;
168 trans->flags = ctx->flags;
169 trans->report = ctx->report;
170
171 return trans;
172 }
173
nft_trans_alloc(const struct nft_ctx * ctx,int msg_type,u32 size)174 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
175 int msg_type, u32 size)
176 {
177 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
178 }
179
nft_trans_get_binding(struct nft_trans * trans)180 static struct nft_trans_binding *nft_trans_get_binding(struct nft_trans *trans)
181 {
182 switch (trans->msg_type) {
183 case NFT_MSG_NEWCHAIN:
184 case NFT_MSG_NEWSET:
185 return container_of(trans, struct nft_trans_binding, nft_trans);
186 }
187
188 return NULL;
189 }
190
nft_trans_list_del(struct nft_trans * trans)191 static void nft_trans_list_del(struct nft_trans *trans)
192 {
193 struct nft_trans_binding *trans_binding;
194
195 list_del(&trans->list);
196
197 trans_binding = nft_trans_get_binding(trans);
198 if (trans_binding)
199 list_del(&trans_binding->binding_list);
200 }
201
nft_trans_destroy(struct nft_trans * trans)202 static void nft_trans_destroy(struct nft_trans *trans)
203 {
204 nft_trans_list_del(trans);
205 kfree(trans);
206 }
207
__nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set,bool bind)208 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
209 bool bind)
210 {
211 struct nftables_pernet *nft_net;
212 struct net *net = ctx->net;
213 struct nft_trans *trans;
214
215 if (!nft_set_is_anonymous(set))
216 return;
217
218 nft_net = nft_pernet(net);
219 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
220 switch (trans->msg_type) {
221 case NFT_MSG_NEWSET:
222 if (nft_trans_set(trans) == set)
223 nft_trans_set_bound(trans) = bind;
224 break;
225 case NFT_MSG_NEWSETELEM:
226 if (nft_trans_elem_set(trans) == set)
227 nft_trans_elem_set_bound(trans) = bind;
228 break;
229 }
230 }
231 }
232
nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set)233 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
234 {
235 return __nft_set_trans_bind(ctx, set, true);
236 }
237
nft_set_trans_unbind(const struct nft_ctx * ctx,struct nft_set * set)238 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
239 {
240 return __nft_set_trans_bind(ctx, set, false);
241 }
242
__nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain,bool bind)243 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
244 struct nft_chain *chain, bool bind)
245 {
246 struct nftables_pernet *nft_net;
247 struct net *net = ctx->net;
248 struct nft_trans *trans;
249
250 if (!nft_chain_binding(chain))
251 return;
252
253 nft_net = nft_pernet(net);
254 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
255 switch (trans->msg_type) {
256 case NFT_MSG_NEWCHAIN:
257 if (nft_trans_chain(trans) == chain)
258 nft_trans_chain_bound(trans) = bind;
259 break;
260 case NFT_MSG_NEWRULE:
261 if (nft_trans_rule_chain(trans) == chain)
262 nft_trans_rule_bound(trans) = bind;
263 break;
264 }
265 }
266 }
267
nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain)268 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
269 struct nft_chain *chain)
270 {
271 __nft_chain_trans_bind(ctx, chain, true);
272 }
273
nf_tables_bind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)274 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
275 {
276 if (!nft_chain_binding(chain))
277 return 0;
278
279 if (nft_chain_binding(ctx->chain))
280 return -EOPNOTSUPP;
281
282 if (chain->bound)
283 return -EBUSY;
284
285 if (!nft_use_inc(&chain->use))
286 return -EMFILE;
287
288 chain->bound = true;
289 nft_chain_trans_bind(ctx, chain);
290
291 return 0;
292 }
293
nf_tables_unbind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)294 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
295 {
296 __nft_chain_trans_bind(ctx, chain, false);
297 }
298
nft_netdev_register_hooks(struct net * net,struct list_head * hook_list)299 static int nft_netdev_register_hooks(struct net *net,
300 struct list_head *hook_list)
301 {
302 struct nft_hook *hook;
303 int err, j;
304
305 j = 0;
306 list_for_each_entry(hook, hook_list, list) {
307 err = nf_register_net_hook(net, &hook->ops);
308 if (err < 0)
309 goto err_register;
310
311 j++;
312 }
313 return 0;
314
315 err_register:
316 list_for_each_entry(hook, hook_list, list) {
317 if (j-- <= 0)
318 break;
319
320 nf_unregister_net_hook(net, &hook->ops);
321 }
322 return err;
323 }
324
nft_netdev_unregister_hooks(struct net * net,struct list_head * hook_list,bool release_netdev)325 static void nft_netdev_unregister_hooks(struct net *net,
326 struct list_head *hook_list,
327 bool release_netdev)
328 {
329 struct nft_hook *hook, *next;
330
331 list_for_each_entry_safe(hook, next, hook_list, list) {
332 nf_unregister_net_hook(net, &hook->ops);
333 if (release_netdev) {
334 list_del(&hook->list);
335 kfree_rcu(hook, rcu);
336 }
337 }
338 }
339
nf_tables_register_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)340 static int nf_tables_register_hook(struct net *net,
341 const struct nft_table *table,
342 struct nft_chain *chain)
343 {
344 struct nft_base_chain *basechain;
345 const struct nf_hook_ops *ops;
346
347 if (table->flags & NFT_TABLE_F_DORMANT ||
348 !nft_is_base_chain(chain))
349 return 0;
350
351 basechain = nft_base_chain(chain);
352 ops = &basechain->ops;
353
354 if (basechain->type->ops_register)
355 return basechain->type->ops_register(net, ops);
356
357 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
358 return nft_netdev_register_hooks(net, &basechain->hook_list);
359
360 return nf_register_net_hook(net, &basechain->ops);
361 }
362
__nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain,bool release_netdev)363 static void __nf_tables_unregister_hook(struct net *net,
364 const struct nft_table *table,
365 struct nft_chain *chain,
366 bool release_netdev)
367 {
368 struct nft_base_chain *basechain;
369 const struct nf_hook_ops *ops;
370
371 if (table->flags & NFT_TABLE_F_DORMANT ||
372 !nft_is_base_chain(chain))
373 return;
374 basechain = nft_base_chain(chain);
375 ops = &basechain->ops;
376
377 if (basechain->type->ops_unregister)
378 return basechain->type->ops_unregister(net, ops);
379
380 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
381 nft_netdev_unregister_hooks(net, &basechain->hook_list,
382 release_netdev);
383 else
384 nf_unregister_net_hook(net, &basechain->ops);
385 }
386
nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)387 static void nf_tables_unregister_hook(struct net *net,
388 const struct nft_table *table,
389 struct nft_chain *chain)
390 {
391 return __nf_tables_unregister_hook(net, table, chain, false);
392 }
393
nft_trans_commit_list_add_tail(struct net * net,struct nft_trans * trans)394 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
395 {
396 struct nftables_pernet *nft_net = nft_pernet(net);
397 struct nft_trans_binding *binding;
398 struct nft_trans_set *trans_set;
399
400 list_add_tail(&trans->list, &nft_net->commit_list);
401
402 binding = nft_trans_get_binding(trans);
403 if (!binding)
404 return;
405
406 switch (trans->msg_type) {
407 case NFT_MSG_NEWSET:
408 trans_set = nft_trans_container_set(trans);
409
410 if (!nft_trans_set_update(trans) &&
411 nft_set_is_anonymous(nft_trans_set(trans)))
412 list_add_tail(&binding->binding_list, &nft_net->binding_list);
413
414 list_add_tail(&trans_set->list_trans_newset, &nft_net->commit_set_list);
415 break;
416 case NFT_MSG_NEWCHAIN:
417 if (!nft_trans_chain_update(trans) &&
418 nft_chain_binding(nft_trans_chain(trans)))
419 list_add_tail(&binding->binding_list, &nft_net->binding_list);
420 break;
421 }
422 }
423
nft_trans_table_add(struct nft_ctx * ctx,int msg_type)424 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
425 {
426 struct nft_trans *trans;
427
428 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
429 if (trans == NULL)
430 return -ENOMEM;
431
432 if (msg_type == NFT_MSG_NEWTABLE)
433 nft_activate_next(ctx->net, ctx->table);
434
435 nft_trans_commit_list_add_tail(ctx->net, trans);
436 return 0;
437 }
438
nft_deltable(struct nft_ctx * ctx)439 static int nft_deltable(struct nft_ctx *ctx)
440 {
441 int err;
442
443 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
444 if (err < 0)
445 return err;
446
447 nft_deactivate_next(ctx->net, ctx->table);
448 return err;
449 }
450
451 static struct nft_trans *
nft_trans_alloc_chain(const struct nft_ctx * ctx,int msg_type)452 nft_trans_alloc_chain(const struct nft_ctx *ctx, int msg_type)
453 {
454 struct nft_trans_chain *trans_chain;
455 struct nft_trans *trans;
456
457 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
458 if (!trans)
459 return NULL;
460
461 trans_chain = nft_trans_container_chain(trans);
462 INIT_LIST_HEAD(&trans_chain->nft_trans_binding.binding_list);
463 trans_chain->chain = ctx->chain;
464
465 return trans;
466 }
467
nft_trans_chain_add(struct nft_ctx * ctx,int msg_type)468 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
469 {
470 struct nft_trans *trans;
471
472 trans = nft_trans_alloc_chain(ctx, msg_type);
473 if (trans == NULL)
474 return ERR_PTR(-ENOMEM);
475
476 if (msg_type == NFT_MSG_NEWCHAIN) {
477 nft_activate_next(ctx->net, ctx->chain);
478
479 if (ctx->nla[NFTA_CHAIN_ID]) {
480 nft_trans_chain_id(trans) =
481 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
482 }
483 }
484 nft_trans_commit_list_add_tail(ctx->net, trans);
485
486 return trans;
487 }
488
nft_delchain(struct nft_ctx * ctx)489 static int nft_delchain(struct nft_ctx *ctx)
490 {
491 struct nft_trans *trans;
492
493 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
494 if (IS_ERR(trans))
495 return PTR_ERR(trans);
496
497 nft_use_dec(&ctx->table->use);
498 nft_deactivate_next(ctx->net, ctx->chain);
499
500 return 0;
501 }
502
nft_rule_expr_activate(const struct nft_ctx * ctx,struct nft_rule * rule)503 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
504 {
505 struct nft_expr *expr;
506
507 expr = nft_expr_first(rule);
508 while (nft_expr_more(rule, expr)) {
509 if (expr->ops->activate)
510 expr->ops->activate(ctx, expr);
511
512 expr = nft_expr_next(expr);
513 }
514 }
515
nft_rule_expr_deactivate(const struct nft_ctx * ctx,struct nft_rule * rule,enum nft_trans_phase phase)516 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
517 enum nft_trans_phase phase)
518 {
519 struct nft_expr *expr;
520
521 expr = nft_expr_first(rule);
522 while (nft_expr_more(rule, expr)) {
523 if (expr->ops->deactivate)
524 expr->ops->deactivate(ctx, expr, phase);
525
526 expr = nft_expr_next(expr);
527 }
528 }
529
530 static int
nf_tables_delrule_deactivate(struct nft_ctx * ctx,struct nft_rule * rule)531 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
532 {
533 /* You cannot delete the same rule twice */
534 if (nft_is_active_next(ctx->net, rule)) {
535 nft_deactivate_next(ctx->net, rule);
536 nft_use_dec(&ctx->chain->use);
537 return 0;
538 }
539 return -ENOENT;
540 }
541
nft_trans_rule_add(struct nft_ctx * ctx,int msg_type,struct nft_rule * rule)542 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
543 struct nft_rule *rule)
544 {
545 struct nft_trans *trans;
546
547 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
548 if (trans == NULL)
549 return NULL;
550
551 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
552 nft_trans_rule_id(trans) =
553 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
554 }
555 nft_trans_rule(trans) = rule;
556 nft_trans_rule_chain(trans) = ctx->chain;
557 nft_trans_commit_list_add_tail(ctx->net, trans);
558
559 return trans;
560 }
561
nft_delrule(struct nft_ctx * ctx,struct nft_rule * rule)562 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
563 {
564 struct nft_flow_rule *flow;
565 struct nft_trans *trans;
566 int err;
567
568 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
569 if (trans == NULL)
570 return -ENOMEM;
571
572 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
573 flow = nft_flow_rule_create(ctx->net, rule);
574 if (IS_ERR(flow)) {
575 nft_trans_destroy(trans);
576 return PTR_ERR(flow);
577 }
578
579 nft_trans_flow_rule(trans) = flow;
580 }
581
582 err = nf_tables_delrule_deactivate(ctx, rule);
583 if (err < 0) {
584 nft_trans_destroy(trans);
585 return err;
586 }
587 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
588
589 return 0;
590 }
591
nft_delrule_by_chain(struct nft_ctx * ctx)592 static int nft_delrule_by_chain(struct nft_ctx *ctx)
593 {
594 struct nft_rule *rule;
595 int err;
596
597 list_for_each_entry(rule, &ctx->chain->rules, list) {
598 if (!nft_is_active_next(ctx->net, rule))
599 continue;
600
601 err = nft_delrule(ctx, rule);
602 if (err < 0)
603 return err;
604 }
605 return 0;
606 }
607
__nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set,const struct nft_set_desc * desc)608 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
609 struct nft_set *set,
610 const struct nft_set_desc *desc)
611 {
612 struct nft_trans_set *trans_set;
613 struct nft_trans *trans;
614
615 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
616 if (trans == NULL)
617 return -ENOMEM;
618
619 trans_set = nft_trans_container_set(trans);
620 INIT_LIST_HEAD(&trans_set->nft_trans_binding.binding_list);
621 INIT_LIST_HEAD(&trans_set->list_trans_newset);
622
623 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
624 nft_trans_set_id(trans) =
625 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
626 nft_activate_next(ctx->net, set);
627 }
628 nft_trans_set(trans) = set;
629 if (desc) {
630 nft_trans_set_update(trans) = true;
631 nft_trans_set_gc_int(trans) = desc->gc_int;
632 nft_trans_set_timeout(trans) = desc->timeout;
633 nft_trans_set_size(trans) = desc->size;
634 }
635 nft_trans_commit_list_add_tail(ctx->net, trans);
636
637 return 0;
638 }
639
nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)640 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
641 struct nft_set *set)
642 {
643 return __nft_trans_set_add(ctx, msg_type, set, NULL);
644 }
645
nft_mapelem_deactivate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)646 static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
647 struct nft_set *set,
648 const struct nft_set_iter *iter,
649 struct nft_elem_priv *elem_priv)
650 {
651 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
652
653 if (!nft_set_elem_active(ext, iter->genmask))
654 return 0;
655
656 nft_set_elem_change_active(ctx->net, set, ext);
657 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
658
659 return 0;
660 }
661
662 struct nft_set_elem_catchall {
663 struct list_head list;
664 struct rcu_head rcu;
665 struct nft_elem_priv *elem;
666 };
667
nft_map_catchall_deactivate(const struct nft_ctx * ctx,struct nft_set * set)668 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
669 struct nft_set *set)
670 {
671 u8 genmask = nft_genmask_next(ctx->net);
672 struct nft_set_elem_catchall *catchall;
673 struct nft_set_ext *ext;
674
675 list_for_each_entry(catchall, &set->catchall_list, list) {
676 ext = nft_set_elem_ext(set, catchall->elem);
677 if (!nft_set_elem_active(ext, genmask))
678 continue;
679
680 nft_set_elem_change_active(ctx->net, set, ext);
681 nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
682 break;
683 }
684 }
685
nft_map_deactivate(const struct nft_ctx * ctx,struct nft_set * set)686 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
687 {
688 struct nft_set_iter iter = {
689 .genmask = nft_genmask_next(ctx->net),
690 .type = NFT_ITER_UPDATE,
691 .fn = nft_mapelem_deactivate,
692 };
693
694 set->ops->walk(ctx, set, &iter);
695 WARN_ON_ONCE(iter.err);
696
697 nft_map_catchall_deactivate(ctx, set);
698 }
699
nft_delset(const struct nft_ctx * ctx,struct nft_set * set)700 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
701 {
702 int err;
703
704 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
705 if (err < 0)
706 return err;
707
708 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
709 nft_map_deactivate(ctx, set);
710
711 nft_deactivate_next(ctx->net, set);
712 nft_use_dec(&ctx->table->use);
713
714 return err;
715 }
716
nft_trans_obj_add(struct nft_ctx * ctx,int msg_type,struct nft_object * obj)717 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
718 struct nft_object *obj)
719 {
720 struct nft_trans *trans;
721
722 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
723 if (trans == NULL)
724 return -ENOMEM;
725
726 if (msg_type == NFT_MSG_NEWOBJ)
727 nft_activate_next(ctx->net, obj);
728
729 nft_trans_obj(trans) = obj;
730 nft_trans_commit_list_add_tail(ctx->net, trans);
731
732 return 0;
733 }
734
nft_delobj(struct nft_ctx * ctx,struct nft_object * obj)735 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
736 {
737 int err;
738
739 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
740 if (err < 0)
741 return err;
742
743 nft_deactivate_next(ctx->net, obj);
744 nft_use_dec(&ctx->table->use);
745
746 return err;
747 }
748
749 static struct nft_trans *
nft_trans_flowtable_add(struct nft_ctx * ctx,int msg_type,struct nft_flowtable * flowtable)750 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
751 struct nft_flowtable *flowtable)
752 {
753 struct nft_trans *trans;
754
755 trans = nft_trans_alloc(ctx, msg_type,
756 sizeof(struct nft_trans_flowtable));
757 if (trans == NULL)
758 return ERR_PTR(-ENOMEM);
759
760 if (msg_type == NFT_MSG_NEWFLOWTABLE)
761 nft_activate_next(ctx->net, flowtable);
762
763 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
764 nft_trans_flowtable(trans) = flowtable;
765 nft_trans_commit_list_add_tail(ctx->net, trans);
766
767 return trans;
768 }
769
nft_delflowtable(struct nft_ctx * ctx,struct nft_flowtable * flowtable)770 static int nft_delflowtable(struct nft_ctx *ctx,
771 struct nft_flowtable *flowtable)
772 {
773 struct nft_trans *trans;
774
775 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
776 if (IS_ERR(trans))
777 return PTR_ERR(trans);
778
779 nft_deactivate_next(ctx->net, flowtable);
780 nft_use_dec(&ctx->table->use);
781
782 return 0;
783 }
784
__nft_reg_track_clobber(struct nft_regs_track * track,u8 dreg)785 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
786 {
787 int i;
788
789 for (i = track->regs[dreg].num_reg; i > 0; i--)
790 __nft_reg_track_cancel(track, dreg - i);
791 }
792
__nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 num_reg)793 static void __nft_reg_track_update(struct nft_regs_track *track,
794 const struct nft_expr *expr,
795 u8 dreg, u8 num_reg)
796 {
797 track->regs[dreg].selector = expr;
798 track->regs[dreg].bitwise = NULL;
799 track->regs[dreg].num_reg = num_reg;
800 }
801
nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 len)802 void nft_reg_track_update(struct nft_regs_track *track,
803 const struct nft_expr *expr, u8 dreg, u8 len)
804 {
805 unsigned int regcount;
806 int i;
807
808 __nft_reg_track_clobber(track, dreg);
809
810 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
811 for (i = 0; i < regcount; i++, dreg++)
812 __nft_reg_track_update(track, expr, dreg, i);
813 }
814 EXPORT_SYMBOL_GPL(nft_reg_track_update);
815
nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg,u8 len)816 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
817 {
818 unsigned int regcount;
819 int i;
820
821 __nft_reg_track_clobber(track, dreg);
822
823 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
824 for (i = 0; i < regcount; i++, dreg++)
825 __nft_reg_track_cancel(track, dreg);
826 }
827 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
828
__nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg)829 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
830 {
831 track->regs[dreg].selector = NULL;
832 track->regs[dreg].bitwise = NULL;
833 track->regs[dreg].num_reg = 0;
834 }
835 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
836
837 /*
838 * Tables
839 */
840
nft_table_lookup(const struct net * net,const struct nlattr * nla,u8 family,u8 genmask,u32 nlpid)841 static struct nft_table *nft_table_lookup(const struct net *net,
842 const struct nlattr *nla,
843 u8 family, u8 genmask, u32 nlpid)
844 {
845 struct nftables_pernet *nft_net;
846 struct nft_table *table;
847
848 if (nla == NULL)
849 return ERR_PTR(-EINVAL);
850
851 nft_net = nft_pernet(net);
852 list_for_each_entry_rcu(table, &nft_net->tables, list,
853 lockdep_is_held(&nft_net->commit_mutex)) {
854 if (!nla_strcmp(nla, table->name) &&
855 table->family == family &&
856 nft_active_genmask(table, genmask)) {
857 if (nft_table_has_owner(table) &&
858 nlpid && table->nlpid != nlpid)
859 return ERR_PTR(-EPERM);
860
861 return table;
862 }
863 }
864
865 return ERR_PTR(-ENOENT);
866 }
867
nft_table_lookup_byhandle(const struct net * net,const struct nlattr * nla,int family,u8 genmask,u32 nlpid)868 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
869 const struct nlattr *nla,
870 int family, u8 genmask, u32 nlpid)
871 {
872 struct nftables_pernet *nft_net;
873 struct nft_table *table;
874
875 nft_net = nft_pernet(net);
876 list_for_each_entry(table, &nft_net->tables, list) {
877 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
878 table->family == family &&
879 nft_active_genmask(table, genmask)) {
880 if (nft_table_has_owner(table) &&
881 nlpid && table->nlpid != nlpid)
882 return ERR_PTR(-EPERM);
883
884 return table;
885 }
886 }
887
888 return ERR_PTR(-ENOENT);
889 }
890
nf_tables_alloc_handle(struct nft_table * table)891 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
892 {
893 return ++table->hgenerator;
894 }
895
896 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
897
898 static const struct nft_chain_type *
__nft_chain_type_get(u8 family,enum nft_chain_types type)899 __nft_chain_type_get(u8 family, enum nft_chain_types type)
900 {
901 if (family >= NFPROTO_NUMPROTO ||
902 type >= NFT_CHAIN_T_MAX)
903 return NULL;
904
905 return chain_type[family][type];
906 }
907
908 static const struct nft_chain_type *
__nf_tables_chain_type_lookup(const struct nlattr * nla,u8 family)909 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
910 {
911 const struct nft_chain_type *type;
912 int i;
913
914 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
915 type = __nft_chain_type_get(family, i);
916 if (!type)
917 continue;
918 if (!nla_strcmp(nla, type->name))
919 return type;
920 }
921 return NULL;
922 }
923
924 struct nft_module_request {
925 struct list_head list;
926 char module[MODULE_NAME_LEN];
927 bool done;
928 };
929
930 #ifdef CONFIG_MODULES
nft_request_module(struct net * net,const char * fmt,...)931 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
932 ...)
933 {
934 char module_name[MODULE_NAME_LEN];
935 struct nftables_pernet *nft_net;
936 struct nft_module_request *req;
937 va_list args;
938 int ret;
939
940 va_start(args, fmt);
941 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
942 va_end(args);
943 if (ret >= MODULE_NAME_LEN)
944 return 0;
945
946 nft_net = nft_pernet(net);
947 list_for_each_entry(req, &nft_net->module_list, list) {
948 if (!strcmp(req->module, module_name)) {
949 if (req->done)
950 return 0;
951
952 /* A request to load this module already exists. */
953 return -EAGAIN;
954 }
955 }
956
957 req = kmalloc(sizeof(*req), GFP_KERNEL);
958 if (!req)
959 return -ENOMEM;
960
961 req->done = false;
962 strscpy(req->module, module_name, MODULE_NAME_LEN);
963 list_add_tail(&req->list, &nft_net->module_list);
964
965 return -EAGAIN;
966 }
967 EXPORT_SYMBOL_GPL(nft_request_module);
968 #endif
969
lockdep_nfnl_nft_mutex_not_held(void)970 static void lockdep_nfnl_nft_mutex_not_held(void)
971 {
972 #ifdef CONFIG_PROVE_LOCKING
973 if (debug_locks)
974 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
975 #endif
976 }
977
978 static const struct nft_chain_type *
nf_tables_chain_type_lookup(struct net * net,const struct nlattr * nla,u8 family,bool autoload)979 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
980 u8 family, bool autoload)
981 {
982 const struct nft_chain_type *type;
983
984 type = __nf_tables_chain_type_lookup(nla, family);
985 if (type != NULL)
986 return type;
987
988 lockdep_nfnl_nft_mutex_not_held();
989 #ifdef CONFIG_MODULES
990 if (autoload) {
991 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
992 nla_len(nla),
993 (const char *)nla_data(nla)) == -EAGAIN)
994 return ERR_PTR(-EAGAIN);
995 }
996 #endif
997 return ERR_PTR(-ENOENT);
998 }
999
nft_base_seq(const struct net * net)1000 static __be16 nft_base_seq(const struct net *net)
1001 {
1002 struct nftables_pernet *nft_net = nft_pernet(net);
1003
1004 return htons(nft_net->base_seq & 0xffff);
1005 }
1006
1007 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
1008 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
1009 .len = NFT_TABLE_MAXNAMELEN - 1 },
1010 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
1011 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
1012 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
1013 .len = NFT_USERDATA_MAXLEN }
1014 };
1015
nf_tables_fill_table_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table)1016 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
1017 u32 portid, u32 seq, int event, u32 flags,
1018 int family, const struct nft_table *table)
1019 {
1020 struct nlmsghdr *nlh;
1021
1022 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1023 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1024 NFNETLINK_V0, nft_base_seq(net));
1025 if (!nlh)
1026 goto nla_put_failure;
1027
1028 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
1029 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
1030 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
1031 NFTA_TABLE_PAD))
1032 goto nla_put_failure;
1033
1034 if (event == NFT_MSG_DELTABLE) {
1035 nlmsg_end(skb, nlh);
1036 return 0;
1037 }
1038
1039 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
1040 htonl(table->flags & NFT_TABLE_F_MASK)))
1041 goto nla_put_failure;
1042
1043 if (nft_table_has_owner(table) &&
1044 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
1045 goto nla_put_failure;
1046
1047 if (table->udata) {
1048 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
1049 goto nla_put_failure;
1050 }
1051
1052 nlmsg_end(skb, nlh);
1053 return 0;
1054
1055 nla_put_failure:
1056 nlmsg_trim(skb, nlh);
1057 return -1;
1058 }
1059
1060 struct nftnl_skb_parms {
1061 bool report;
1062 };
1063 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1064
nft_notify_enqueue(struct sk_buff * skb,bool report,struct list_head * notify_list)1065 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1066 struct list_head *notify_list)
1067 {
1068 NFT_CB(skb).report = report;
1069 list_add_tail(&skb->list, notify_list);
1070 }
1071
nf_tables_table_notify(const struct nft_ctx * ctx,int event)1072 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1073 {
1074 struct nftables_pernet *nft_net;
1075 struct sk_buff *skb;
1076 u16 flags = 0;
1077 int err;
1078
1079 if (!ctx->report &&
1080 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1081 return;
1082
1083 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1084 if (skb == NULL)
1085 goto err;
1086
1087 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1088 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1089
1090 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
1091 event, flags, ctx->family, ctx->table);
1092 if (err < 0) {
1093 kfree_skb(skb);
1094 goto err;
1095 }
1096
1097 nft_net = nft_pernet(ctx->net);
1098 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1099 return;
1100 err:
1101 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1102 }
1103
nf_tables_dump_tables(struct sk_buff * skb,struct netlink_callback * cb)1104 static int nf_tables_dump_tables(struct sk_buff *skb,
1105 struct netlink_callback *cb)
1106 {
1107 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1108 struct nftables_pernet *nft_net;
1109 const struct nft_table *table;
1110 unsigned int idx = 0, s_idx = cb->args[0];
1111 struct net *net = sock_net(skb->sk);
1112 int family = nfmsg->nfgen_family;
1113
1114 rcu_read_lock();
1115 nft_net = nft_pernet(net);
1116 cb->seq = READ_ONCE(nft_net->base_seq);
1117
1118 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1119 if (family != NFPROTO_UNSPEC && family != table->family)
1120 continue;
1121
1122 if (idx < s_idx)
1123 goto cont;
1124 if (idx > s_idx)
1125 memset(&cb->args[1], 0,
1126 sizeof(cb->args) - sizeof(cb->args[0]));
1127 if (!nft_is_active(net, table))
1128 continue;
1129 if (nf_tables_fill_table_info(skb, net,
1130 NETLINK_CB(cb->skb).portid,
1131 cb->nlh->nlmsg_seq,
1132 NFT_MSG_NEWTABLE, NLM_F_MULTI,
1133 table->family, table) < 0)
1134 goto done;
1135
1136 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1137 cont:
1138 idx++;
1139 }
1140 done:
1141 rcu_read_unlock();
1142 cb->args[0] = idx;
1143 return skb->len;
1144 }
1145
nft_netlink_dump_start_rcu(struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,struct netlink_dump_control * c)1146 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1147 const struct nlmsghdr *nlh,
1148 struct netlink_dump_control *c)
1149 {
1150 int err;
1151
1152 if (!try_module_get(THIS_MODULE))
1153 return -EINVAL;
1154
1155 rcu_read_unlock();
1156 err = netlink_dump_start(nlsk, skb, nlh, c);
1157 rcu_read_lock();
1158 module_put(THIS_MODULE);
1159
1160 return err;
1161 }
1162
1163 /* called with rcu_read_lock held */
nf_tables_gettable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1164 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1165 const struct nlattr * const nla[])
1166 {
1167 struct netlink_ext_ack *extack = info->extack;
1168 u8 genmask = nft_genmask_cur(info->net);
1169 u8 family = info->nfmsg->nfgen_family;
1170 const struct nft_table *table;
1171 struct net *net = info->net;
1172 struct sk_buff *skb2;
1173 int err;
1174
1175 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1176 struct netlink_dump_control c = {
1177 .dump = nf_tables_dump_tables,
1178 .module = THIS_MODULE,
1179 };
1180
1181 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1182 }
1183
1184 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1185 if (IS_ERR(table)) {
1186 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1187 return PTR_ERR(table);
1188 }
1189
1190 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1191 if (!skb2)
1192 return -ENOMEM;
1193
1194 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1195 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1196 0, family, table);
1197 if (err < 0)
1198 goto err_fill_table_info;
1199
1200 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1201
1202 err_fill_table_info:
1203 kfree_skb(skb2);
1204 return err;
1205 }
1206
nft_table_disable(struct net * net,struct nft_table * table,u32 cnt)1207 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1208 {
1209 struct nft_chain *chain;
1210 u32 i = 0;
1211
1212 list_for_each_entry(chain, &table->chains, list) {
1213 if (!nft_is_active_next(net, chain))
1214 continue;
1215 if (!nft_is_base_chain(chain))
1216 continue;
1217
1218 if (cnt && i++ == cnt)
1219 break;
1220
1221 nf_tables_unregister_hook(net, table, chain);
1222 }
1223 }
1224
nf_tables_table_enable(struct net * net,struct nft_table * table)1225 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1226 {
1227 struct nft_chain *chain;
1228 int err, i = 0;
1229
1230 list_for_each_entry(chain, &table->chains, list) {
1231 if (!nft_is_active_next(net, chain))
1232 continue;
1233 if (!nft_is_base_chain(chain))
1234 continue;
1235
1236 err = nf_tables_register_hook(net, table, chain);
1237 if (err < 0)
1238 goto err_register_hooks;
1239
1240 i++;
1241 }
1242 return 0;
1243
1244 err_register_hooks:
1245 if (i)
1246 nft_table_disable(net, table, i);
1247 return err;
1248 }
1249
nf_tables_table_disable(struct net * net,struct nft_table * table)1250 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1251 {
1252 table->flags &= ~NFT_TABLE_F_DORMANT;
1253 nft_table_disable(net, table, 0);
1254 table->flags |= NFT_TABLE_F_DORMANT;
1255 }
1256
1257 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1258 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1259 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1260 #define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2)
1261 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1262 __NFT_TABLE_F_WAS_AWAKEN | \
1263 __NFT_TABLE_F_WAS_ORPHAN)
1264
nft_table_pending_update(const struct nft_ctx * ctx)1265 static bool nft_table_pending_update(const struct nft_ctx *ctx)
1266 {
1267 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1268 struct nft_trans *trans;
1269
1270 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1271 return true;
1272
1273 list_for_each_entry(trans, &nft_net->commit_list, list) {
1274 if (trans->table == ctx->table &&
1275 ((trans->msg_type == NFT_MSG_NEWCHAIN &&
1276 nft_trans_chain_update(trans)) ||
1277 (trans->msg_type == NFT_MSG_DELCHAIN &&
1278 nft_is_base_chain(nft_trans_chain(trans)))))
1279 return true;
1280 }
1281
1282 return false;
1283 }
1284
nf_tables_updtable(struct nft_ctx * ctx)1285 static int nf_tables_updtable(struct nft_ctx *ctx)
1286 {
1287 struct nft_trans *trans;
1288 u32 flags;
1289 int ret;
1290
1291 if (!ctx->nla[NFTA_TABLE_FLAGS])
1292 return 0;
1293
1294 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1295 if (flags & ~NFT_TABLE_F_MASK)
1296 return -EOPNOTSUPP;
1297
1298 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK))
1299 return 0;
1300
1301 if ((nft_table_has_owner(ctx->table) &&
1302 !(flags & NFT_TABLE_F_OWNER)) ||
1303 (flags & NFT_TABLE_F_OWNER &&
1304 !nft_table_is_orphan(ctx->table)))
1305 return -EOPNOTSUPP;
1306
1307 if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
1308 return -EOPNOTSUPP;
1309
1310 /* No dormant off/on/off/on games in single transaction */
1311 if (nft_table_pending_update(ctx))
1312 return -EINVAL;
1313
1314 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1315 sizeof(struct nft_trans_table));
1316 if (trans == NULL)
1317 return -ENOMEM;
1318
1319 if ((flags & NFT_TABLE_F_DORMANT) &&
1320 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1321 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1322 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1323 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1324 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1325 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1326 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1327 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1328 ret = nf_tables_table_enable(ctx->net, ctx->table);
1329 if (ret < 0)
1330 goto err_register_hooks;
1331
1332 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1333 }
1334 }
1335
1336 if ((flags & NFT_TABLE_F_OWNER) &&
1337 !nft_table_has_owner(ctx->table)) {
1338 ctx->table->nlpid = ctx->portid;
1339 ctx->table->flags |= NFT_TABLE_F_OWNER |
1340 __NFT_TABLE_F_WAS_ORPHAN;
1341 }
1342
1343 nft_trans_table_update(trans) = true;
1344 nft_trans_commit_list_add_tail(ctx->net, trans);
1345
1346 return 0;
1347
1348 err_register_hooks:
1349 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1350 nft_trans_destroy(trans);
1351 return ret;
1352 }
1353
nft_chain_hash(const void * data,u32 len,u32 seed)1354 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1355 {
1356 const char *name = data;
1357
1358 return jhash(name, strlen(name), seed);
1359 }
1360
nft_chain_hash_obj(const void * data,u32 len,u32 seed)1361 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1362 {
1363 const struct nft_chain *chain = data;
1364
1365 return nft_chain_hash(chain->name, 0, seed);
1366 }
1367
nft_chain_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1368 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1369 const void *ptr)
1370 {
1371 const struct nft_chain *chain = ptr;
1372 const char *name = arg->key;
1373
1374 return strcmp(chain->name, name);
1375 }
1376
nft_objname_hash(const void * data,u32 len,u32 seed)1377 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1378 {
1379 const struct nft_object_hash_key *k = data;
1380
1381 seed ^= hash_ptr(k->table, 32);
1382
1383 return jhash(k->name, strlen(k->name), seed);
1384 }
1385
nft_objname_hash_obj(const void * data,u32 len,u32 seed)1386 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1387 {
1388 const struct nft_object *obj = data;
1389
1390 return nft_objname_hash(&obj->key, 0, seed);
1391 }
1392
nft_objname_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1393 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1394 const void *ptr)
1395 {
1396 const struct nft_object_hash_key *k = arg->key;
1397 const struct nft_object *obj = ptr;
1398
1399 if (obj->key.table != k->table)
1400 return -1;
1401
1402 return strcmp(obj->key.name, k->name);
1403 }
1404
nft_supported_family(u8 family)1405 static bool nft_supported_family(u8 family)
1406 {
1407 return false
1408 #ifdef CONFIG_NF_TABLES_INET
1409 || family == NFPROTO_INET
1410 #endif
1411 #ifdef CONFIG_NF_TABLES_IPV4
1412 || family == NFPROTO_IPV4
1413 #endif
1414 #ifdef CONFIG_NF_TABLES_ARP
1415 || family == NFPROTO_ARP
1416 #endif
1417 #ifdef CONFIG_NF_TABLES_NETDEV
1418 || family == NFPROTO_NETDEV
1419 #endif
1420 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1421 || family == NFPROTO_BRIDGE
1422 #endif
1423 #ifdef CONFIG_NF_TABLES_IPV6
1424 || family == NFPROTO_IPV6
1425 #endif
1426 ;
1427 }
1428
nf_tables_newtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1429 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1430 const struct nlattr * const nla[])
1431 {
1432 struct nftables_pernet *nft_net = nft_pernet(info->net);
1433 struct netlink_ext_ack *extack = info->extack;
1434 u8 genmask = nft_genmask_next(info->net);
1435 u8 family = info->nfmsg->nfgen_family;
1436 struct net *net = info->net;
1437 const struct nlattr *attr;
1438 struct nft_table *table;
1439 struct nft_ctx ctx;
1440 u32 flags = 0;
1441 int err;
1442
1443 if (!nft_supported_family(family))
1444 return -EOPNOTSUPP;
1445
1446 lockdep_assert_held(&nft_net->commit_mutex);
1447 attr = nla[NFTA_TABLE_NAME];
1448 table = nft_table_lookup(net, attr, family, genmask,
1449 NETLINK_CB(skb).portid);
1450 if (IS_ERR(table)) {
1451 if (PTR_ERR(table) != -ENOENT)
1452 return PTR_ERR(table);
1453 } else {
1454 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1455 NL_SET_BAD_ATTR(extack, attr);
1456 return -EEXIST;
1457 }
1458 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1459 return -EOPNOTSUPP;
1460
1461 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1462
1463 return nf_tables_updtable(&ctx);
1464 }
1465
1466 if (nla[NFTA_TABLE_FLAGS]) {
1467 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1468 if (flags & ~NFT_TABLE_F_MASK)
1469 return -EOPNOTSUPP;
1470 }
1471
1472 err = -ENOMEM;
1473 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1474 if (table == NULL)
1475 goto err_kzalloc;
1476
1477 table->validate_state = nft_net->validate_state;
1478 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1479 if (table->name == NULL)
1480 goto err_strdup;
1481
1482 if (nla[NFTA_TABLE_USERDATA]) {
1483 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1484 if (table->udata == NULL)
1485 goto err_table_udata;
1486
1487 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1488 }
1489
1490 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1491 if (err)
1492 goto err_chain_ht;
1493
1494 INIT_LIST_HEAD(&table->chains);
1495 INIT_LIST_HEAD(&table->sets);
1496 INIT_LIST_HEAD(&table->objects);
1497 INIT_LIST_HEAD(&table->flowtables);
1498 write_pnet(&table->net, net);
1499 table->family = family;
1500 table->flags = flags;
1501 table->handle = ++nft_net->table_handle;
1502 if (table->flags & NFT_TABLE_F_OWNER)
1503 table->nlpid = NETLINK_CB(skb).portid;
1504
1505 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1506 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1507 if (err < 0)
1508 goto err_trans;
1509
1510 list_add_tail_rcu(&table->list, &nft_net->tables);
1511 return 0;
1512 err_trans:
1513 rhltable_destroy(&table->chains_ht);
1514 err_chain_ht:
1515 kfree(table->udata);
1516 err_table_udata:
1517 kfree(table->name);
1518 err_strdup:
1519 kfree(table);
1520 err_kzalloc:
1521 return err;
1522 }
1523
nft_flush_table(struct nft_ctx * ctx)1524 static int nft_flush_table(struct nft_ctx *ctx)
1525 {
1526 struct nft_flowtable *flowtable, *nft;
1527 struct nft_chain *chain, *nc;
1528 struct nft_object *obj, *ne;
1529 struct nft_set *set, *ns;
1530 int err;
1531
1532 list_for_each_entry(chain, &ctx->table->chains, list) {
1533 if (!nft_is_active_next(ctx->net, chain))
1534 continue;
1535
1536 if (nft_chain_binding(chain))
1537 continue;
1538
1539 ctx->chain = chain;
1540
1541 err = nft_delrule_by_chain(ctx);
1542 if (err < 0)
1543 goto out;
1544 }
1545
1546 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1547 if (!nft_is_active_next(ctx->net, set))
1548 continue;
1549
1550 if (nft_set_is_anonymous(set))
1551 continue;
1552
1553 err = nft_delset(ctx, set);
1554 if (err < 0)
1555 goto out;
1556 }
1557
1558 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1559 if (!nft_is_active_next(ctx->net, flowtable))
1560 continue;
1561
1562 err = nft_delflowtable(ctx, flowtable);
1563 if (err < 0)
1564 goto out;
1565 }
1566
1567 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1568 if (!nft_is_active_next(ctx->net, obj))
1569 continue;
1570
1571 err = nft_delobj(ctx, obj);
1572 if (err < 0)
1573 goto out;
1574 }
1575
1576 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1577 if (!nft_is_active_next(ctx->net, chain))
1578 continue;
1579
1580 if (nft_chain_binding(chain))
1581 continue;
1582
1583 ctx->chain = chain;
1584
1585 err = nft_delchain(ctx);
1586 if (err < 0)
1587 goto out;
1588 }
1589
1590 err = nft_deltable(ctx);
1591 out:
1592 return err;
1593 }
1594
nft_flush(struct nft_ctx * ctx,int family)1595 static int nft_flush(struct nft_ctx *ctx, int family)
1596 {
1597 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1598 const struct nlattr * const *nla = ctx->nla;
1599 struct nft_table *table, *nt;
1600 int err = 0;
1601
1602 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1603 if (family != AF_UNSPEC && table->family != family)
1604 continue;
1605
1606 ctx->family = table->family;
1607
1608 if (!nft_is_active_next(ctx->net, table))
1609 continue;
1610
1611 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1612 continue;
1613
1614 if (nla[NFTA_TABLE_NAME] &&
1615 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1616 continue;
1617
1618 ctx->table = table;
1619
1620 err = nft_flush_table(ctx);
1621 if (err < 0)
1622 goto out;
1623 }
1624 out:
1625 return err;
1626 }
1627
nf_tables_deltable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1628 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1629 const struct nlattr * const nla[])
1630 {
1631 struct netlink_ext_ack *extack = info->extack;
1632 u8 genmask = nft_genmask_next(info->net);
1633 u8 family = info->nfmsg->nfgen_family;
1634 struct net *net = info->net;
1635 const struct nlattr *attr;
1636 struct nft_table *table;
1637 struct nft_ctx ctx;
1638
1639 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1640 if (family == AF_UNSPEC ||
1641 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1642 return nft_flush(&ctx, family);
1643
1644 if (nla[NFTA_TABLE_HANDLE]) {
1645 attr = nla[NFTA_TABLE_HANDLE];
1646 table = nft_table_lookup_byhandle(net, attr, family, genmask,
1647 NETLINK_CB(skb).portid);
1648 } else {
1649 attr = nla[NFTA_TABLE_NAME];
1650 table = nft_table_lookup(net, attr, family, genmask,
1651 NETLINK_CB(skb).portid);
1652 }
1653
1654 if (IS_ERR(table)) {
1655 if (PTR_ERR(table) == -ENOENT &&
1656 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1657 return 0;
1658
1659 NL_SET_BAD_ATTR(extack, attr);
1660 return PTR_ERR(table);
1661 }
1662
1663 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1664 table->use > 0)
1665 return -EBUSY;
1666
1667 ctx.family = family;
1668 ctx.table = table;
1669
1670 return nft_flush_table(&ctx);
1671 }
1672
nf_tables_table_destroy(struct nft_table * table)1673 static void nf_tables_table_destroy(struct nft_table *table)
1674 {
1675 if (WARN_ON(table->use > 0))
1676 return;
1677
1678 rhltable_destroy(&table->chains_ht);
1679 kfree(table->name);
1680 kfree(table->udata);
1681 kfree(table);
1682 }
1683
nft_register_chain_type(const struct nft_chain_type * ctype)1684 void nft_register_chain_type(const struct nft_chain_type *ctype)
1685 {
1686 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1687 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1688 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1689 return;
1690 }
1691 chain_type[ctype->family][ctype->type] = ctype;
1692 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1693 }
1694 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1695
nft_unregister_chain_type(const struct nft_chain_type * ctype)1696 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1697 {
1698 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1699 chain_type[ctype->family][ctype->type] = NULL;
1700 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1701 }
1702 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1703
1704 /*
1705 * Chains
1706 */
1707
1708 static struct nft_chain *
nft_chain_lookup_byhandle(const struct nft_table * table,u64 handle,u8 genmask)1709 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1710 {
1711 struct nft_chain *chain;
1712
1713 list_for_each_entry(chain, &table->chains, list) {
1714 if (chain->handle == handle &&
1715 nft_active_genmask(chain, genmask))
1716 return chain;
1717 }
1718
1719 return ERR_PTR(-ENOENT);
1720 }
1721
lockdep_commit_lock_is_held(const struct net * net)1722 static bool lockdep_commit_lock_is_held(const struct net *net)
1723 {
1724 #ifdef CONFIG_PROVE_LOCKING
1725 struct nftables_pernet *nft_net = nft_pernet(net);
1726
1727 return lockdep_is_held(&nft_net->commit_mutex);
1728 #else
1729 return true;
1730 #endif
1731 }
1732
nft_chain_lookup(struct net * net,struct nft_table * table,const struct nlattr * nla,u8 genmask)1733 static struct nft_chain *nft_chain_lookup(struct net *net,
1734 struct nft_table *table,
1735 const struct nlattr *nla, u8 genmask)
1736 {
1737 char search[NFT_CHAIN_MAXNAMELEN + 1];
1738 struct rhlist_head *tmp, *list;
1739 struct nft_chain *chain;
1740
1741 if (nla == NULL)
1742 return ERR_PTR(-EINVAL);
1743
1744 nla_strscpy(search, nla, sizeof(search));
1745
1746 WARN_ON(!rcu_read_lock_held() &&
1747 !lockdep_commit_lock_is_held(net));
1748
1749 chain = ERR_PTR(-ENOENT);
1750 rcu_read_lock();
1751 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1752 if (!list)
1753 goto out_unlock;
1754
1755 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1756 if (nft_active_genmask(chain, genmask))
1757 goto out_unlock;
1758 }
1759 chain = ERR_PTR(-ENOENT);
1760 out_unlock:
1761 rcu_read_unlock();
1762 return chain;
1763 }
1764
1765 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1766 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1767 .len = NFT_TABLE_MAXNAMELEN - 1 },
1768 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1769 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1770 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1771 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1772 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1773 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1774 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1775 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1776 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1777 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1778 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1779 .len = NFT_USERDATA_MAXLEN },
1780 };
1781
1782 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1783 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1784 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1785 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1786 .len = IFNAMSIZ - 1 },
1787 };
1788
nft_dump_stats(struct sk_buff * skb,struct nft_stats __percpu * stats)1789 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1790 {
1791 struct nft_stats *cpu_stats, total;
1792 struct nlattr *nest;
1793 unsigned int seq;
1794 u64 pkts, bytes;
1795 int cpu;
1796
1797 if (!stats)
1798 return 0;
1799
1800 memset(&total, 0, sizeof(total));
1801 for_each_possible_cpu(cpu) {
1802 cpu_stats = per_cpu_ptr(stats, cpu);
1803 do {
1804 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1805 pkts = cpu_stats->pkts;
1806 bytes = cpu_stats->bytes;
1807 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1808 total.pkts += pkts;
1809 total.bytes += bytes;
1810 }
1811 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1812 if (nest == NULL)
1813 goto nla_put_failure;
1814
1815 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1816 NFTA_COUNTER_PAD) ||
1817 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1818 NFTA_COUNTER_PAD))
1819 goto nla_put_failure;
1820
1821 nla_nest_end(skb, nest);
1822 return 0;
1823
1824 nla_put_failure:
1825 return -ENOSPC;
1826 }
1827
nft_dump_basechain_hook(struct sk_buff * skb,int family,const struct nft_base_chain * basechain,const struct list_head * hook_list)1828 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1829 const struct nft_base_chain *basechain,
1830 const struct list_head *hook_list)
1831 {
1832 const struct nf_hook_ops *ops = &basechain->ops;
1833 struct nft_hook *hook, *first = NULL;
1834 struct nlattr *nest, *nest_devs;
1835 int n = 0;
1836
1837 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1838 if (nest == NULL)
1839 goto nla_put_failure;
1840 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1841 goto nla_put_failure;
1842 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1843 goto nla_put_failure;
1844
1845 if (nft_base_chain_netdev(family, ops->hooknum)) {
1846 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1847 if (!nest_devs)
1848 goto nla_put_failure;
1849
1850 if (!hook_list)
1851 hook_list = &basechain->hook_list;
1852
1853 list_for_each_entry_rcu(hook, hook_list, list) {
1854 if (!first)
1855 first = hook;
1856
1857 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1858 hook->ops.dev->name))
1859 goto nla_put_failure;
1860 n++;
1861 }
1862 nla_nest_end(skb, nest_devs);
1863
1864 if (n == 1 &&
1865 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1866 goto nla_put_failure;
1867 }
1868 nla_nest_end(skb, nest);
1869
1870 return 0;
1871 nla_put_failure:
1872 return -1;
1873 }
1874
nf_tables_fill_chain_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct list_head * hook_list)1875 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1876 u32 portid, u32 seq, int event, u32 flags,
1877 int family, const struct nft_table *table,
1878 const struct nft_chain *chain,
1879 const struct list_head *hook_list)
1880 {
1881 struct nlmsghdr *nlh;
1882
1883 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1884 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1885 NFNETLINK_V0, nft_base_seq(net));
1886 if (!nlh)
1887 goto nla_put_failure;
1888
1889 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
1890 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
1891 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1892 NFTA_CHAIN_PAD))
1893 goto nla_put_failure;
1894
1895 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1896 nlmsg_end(skb, nlh);
1897 return 0;
1898 }
1899
1900 if (nft_is_base_chain(chain)) {
1901 const struct nft_base_chain *basechain = nft_base_chain(chain);
1902 struct nft_stats __percpu *stats;
1903
1904 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1905 goto nla_put_failure;
1906
1907 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1908 htonl(basechain->policy)))
1909 goto nla_put_failure;
1910
1911 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1912 goto nla_put_failure;
1913
1914 stats = rcu_dereference_check(basechain->stats,
1915 lockdep_commit_lock_is_held(net));
1916 if (nft_dump_stats(skb, stats))
1917 goto nla_put_failure;
1918 }
1919
1920 if (chain->flags &&
1921 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1922 goto nla_put_failure;
1923
1924 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1925 goto nla_put_failure;
1926
1927 if (chain->udata &&
1928 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1929 goto nla_put_failure;
1930
1931 nlmsg_end(skb, nlh);
1932 return 0;
1933
1934 nla_put_failure:
1935 nlmsg_trim(skb, nlh);
1936 return -1;
1937 }
1938
nf_tables_chain_notify(const struct nft_ctx * ctx,int event,const struct list_head * hook_list)1939 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1940 const struct list_head *hook_list)
1941 {
1942 struct nftables_pernet *nft_net;
1943 struct sk_buff *skb;
1944 u16 flags = 0;
1945 int err;
1946
1947 if (!ctx->report &&
1948 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1949 return;
1950
1951 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1952 if (skb == NULL)
1953 goto err;
1954
1955 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1956 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1957
1958 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1959 event, flags, ctx->family, ctx->table,
1960 ctx->chain, hook_list);
1961 if (err < 0) {
1962 kfree_skb(skb);
1963 goto err;
1964 }
1965
1966 nft_net = nft_pernet(ctx->net);
1967 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1968 return;
1969 err:
1970 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1971 }
1972
nf_tables_dump_chains(struct sk_buff * skb,struct netlink_callback * cb)1973 static int nf_tables_dump_chains(struct sk_buff *skb,
1974 struct netlink_callback *cb)
1975 {
1976 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1977 unsigned int idx = 0, s_idx = cb->args[0];
1978 struct net *net = sock_net(skb->sk);
1979 int family = nfmsg->nfgen_family;
1980 struct nftables_pernet *nft_net;
1981 const struct nft_table *table;
1982 const struct nft_chain *chain;
1983
1984 rcu_read_lock();
1985 nft_net = nft_pernet(net);
1986 cb->seq = READ_ONCE(nft_net->base_seq);
1987
1988 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1989 if (family != NFPROTO_UNSPEC && family != table->family)
1990 continue;
1991
1992 list_for_each_entry_rcu(chain, &table->chains, list) {
1993 if (idx < s_idx)
1994 goto cont;
1995 if (idx > s_idx)
1996 memset(&cb->args[1], 0,
1997 sizeof(cb->args) - sizeof(cb->args[0]));
1998 if (!nft_is_active(net, chain))
1999 continue;
2000 if (nf_tables_fill_chain_info(skb, net,
2001 NETLINK_CB(cb->skb).portid,
2002 cb->nlh->nlmsg_seq,
2003 NFT_MSG_NEWCHAIN,
2004 NLM_F_MULTI,
2005 table->family, table,
2006 chain, NULL) < 0)
2007 goto done;
2008
2009 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2010 cont:
2011 idx++;
2012 }
2013 }
2014 done:
2015 rcu_read_unlock();
2016 cb->args[0] = idx;
2017 return skb->len;
2018 }
2019
2020 /* called with rcu_read_lock held */
nf_tables_getchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2021 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
2022 const struct nlattr * const nla[])
2023 {
2024 struct netlink_ext_ack *extack = info->extack;
2025 u8 genmask = nft_genmask_cur(info->net);
2026 u8 family = info->nfmsg->nfgen_family;
2027 const struct nft_chain *chain;
2028 struct net *net = info->net;
2029 struct nft_table *table;
2030 struct sk_buff *skb2;
2031 int err;
2032
2033 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
2034 struct netlink_dump_control c = {
2035 .dump = nf_tables_dump_chains,
2036 .module = THIS_MODULE,
2037 };
2038
2039 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
2040 }
2041
2042 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
2043 if (IS_ERR(table)) {
2044 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2045 return PTR_ERR(table);
2046 }
2047
2048 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
2049 if (IS_ERR(chain)) {
2050 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2051 return PTR_ERR(chain);
2052 }
2053
2054 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2055 if (!skb2)
2056 return -ENOMEM;
2057
2058 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
2059 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
2060 0, family, table, chain, NULL);
2061 if (err < 0)
2062 goto err_fill_chain_info;
2063
2064 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
2065
2066 err_fill_chain_info:
2067 kfree_skb(skb2);
2068 return err;
2069 }
2070
2071 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
2072 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
2073 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
2074 };
2075
nft_stats_alloc(const struct nlattr * attr)2076 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
2077 {
2078 struct nlattr *tb[NFTA_COUNTER_MAX+1];
2079 struct nft_stats __percpu *newstats;
2080 struct nft_stats *stats;
2081 int err;
2082
2083 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
2084 nft_counter_policy, NULL);
2085 if (err < 0)
2086 return ERR_PTR(err);
2087
2088 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
2089 return ERR_PTR(-EINVAL);
2090
2091 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
2092 if (newstats == NULL)
2093 return ERR_PTR(-ENOMEM);
2094
2095 /* Restore old counters on this cpu, no problem. Per-cpu statistics
2096 * are not exposed to userspace.
2097 */
2098 preempt_disable();
2099 stats = this_cpu_ptr(newstats);
2100 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2101 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2102 preempt_enable();
2103
2104 return newstats;
2105 }
2106
nft_chain_stats_replace(struct nft_trans_chain * trans)2107 static void nft_chain_stats_replace(struct nft_trans_chain *trans)
2108 {
2109 const struct nft_trans *t = &trans->nft_trans_binding.nft_trans;
2110 struct nft_base_chain *chain = nft_base_chain(trans->chain);
2111
2112 if (!trans->stats)
2113 return;
2114
2115 trans->stats =
2116 rcu_replace_pointer(chain->stats, trans->stats,
2117 lockdep_commit_lock_is_held(t->net));
2118
2119 if (!trans->stats)
2120 static_branch_inc(&nft_counters_enabled);
2121 }
2122
nf_tables_chain_free_chain_rules(struct nft_chain * chain)2123 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2124 {
2125 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2126 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2127
2128 if (g0 != g1)
2129 kvfree(g1);
2130 kvfree(g0);
2131
2132 /* should be NULL either via abort or via successful commit */
2133 WARN_ON_ONCE(chain->blob_next);
2134 kvfree(chain->blob_next);
2135 }
2136
nf_tables_chain_destroy(struct nft_chain * chain)2137 void nf_tables_chain_destroy(struct nft_chain *chain)
2138 {
2139 const struct nft_table *table = chain->table;
2140 struct nft_hook *hook, *next;
2141
2142 if (WARN_ON(chain->use > 0))
2143 return;
2144
2145 /* no concurrent access possible anymore */
2146 nf_tables_chain_free_chain_rules(chain);
2147
2148 if (nft_is_base_chain(chain)) {
2149 struct nft_base_chain *basechain = nft_base_chain(chain);
2150
2151 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2152 list_for_each_entry_safe(hook, next,
2153 &basechain->hook_list, list) {
2154 list_del_rcu(&hook->list);
2155 kfree_rcu(hook, rcu);
2156 }
2157 }
2158 module_put(basechain->type->owner);
2159 if (rcu_access_pointer(basechain->stats)) {
2160 static_branch_dec(&nft_counters_enabled);
2161 free_percpu(rcu_dereference_raw(basechain->stats));
2162 }
2163 kfree(chain->name);
2164 kfree(chain->udata);
2165 kfree(basechain);
2166 } else {
2167 kfree(chain->name);
2168 kfree(chain->udata);
2169 kfree(chain);
2170 }
2171 }
2172
nft_netdev_hook_alloc(struct net * net,const struct nlattr * attr)2173 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2174 const struct nlattr *attr)
2175 {
2176 struct net_device *dev;
2177 char ifname[IFNAMSIZ];
2178 struct nft_hook *hook;
2179 int err;
2180
2181 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2182 if (!hook) {
2183 err = -ENOMEM;
2184 goto err_hook_alloc;
2185 }
2186
2187 nla_strscpy(ifname, attr, IFNAMSIZ);
2188 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2189 * indirectly serializing all the other holders of the commit_mutex with
2190 * the rtnl_mutex.
2191 */
2192 dev = __dev_get_by_name(net, ifname);
2193 if (!dev) {
2194 err = -ENOENT;
2195 goto err_hook_dev;
2196 }
2197 hook->ops.dev = dev;
2198
2199 return hook;
2200
2201 err_hook_dev:
2202 kfree(hook);
2203 err_hook_alloc:
2204 return ERR_PTR(err);
2205 }
2206
nft_hook_list_find(struct list_head * hook_list,const struct nft_hook * this)2207 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2208 const struct nft_hook *this)
2209 {
2210 struct nft_hook *hook;
2211
2212 list_for_each_entry(hook, hook_list, list) {
2213 if (this->ops.dev == hook->ops.dev)
2214 return hook;
2215 }
2216
2217 return NULL;
2218 }
2219
nf_tables_parse_netdev_hooks(struct net * net,const struct nlattr * attr,struct list_head * hook_list,struct netlink_ext_ack * extack)2220 static int nf_tables_parse_netdev_hooks(struct net *net,
2221 const struct nlattr *attr,
2222 struct list_head *hook_list,
2223 struct netlink_ext_ack *extack)
2224 {
2225 struct nft_hook *hook, *next;
2226 const struct nlattr *tmp;
2227 int rem, n = 0, err;
2228
2229 nla_for_each_nested(tmp, attr, rem) {
2230 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
2231 err = -EINVAL;
2232 goto err_hook;
2233 }
2234
2235 hook = nft_netdev_hook_alloc(net, tmp);
2236 if (IS_ERR(hook)) {
2237 NL_SET_BAD_ATTR(extack, tmp);
2238 err = PTR_ERR(hook);
2239 goto err_hook;
2240 }
2241 if (nft_hook_list_find(hook_list, hook)) {
2242 NL_SET_BAD_ATTR(extack, tmp);
2243 kfree(hook);
2244 err = -EEXIST;
2245 goto err_hook;
2246 }
2247 list_add_tail(&hook->list, hook_list);
2248 n++;
2249
2250 if (n == NFT_NETDEVICE_MAX) {
2251 err = -EFBIG;
2252 goto err_hook;
2253 }
2254 }
2255
2256 return 0;
2257
2258 err_hook:
2259 list_for_each_entry_safe(hook, next, hook_list, list) {
2260 list_del(&hook->list);
2261 kfree(hook);
2262 }
2263 return err;
2264 }
2265
2266 struct nft_chain_hook {
2267 u32 num;
2268 s32 priority;
2269 const struct nft_chain_type *type;
2270 struct list_head list;
2271 };
2272
nft_chain_parse_netdev(struct net * net,struct nlattr * tb[],struct list_head * hook_list,struct netlink_ext_ack * extack,u32 flags)2273 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2274 struct list_head *hook_list,
2275 struct netlink_ext_ack *extack, u32 flags)
2276 {
2277 struct nft_hook *hook;
2278 int err;
2279
2280 if (tb[NFTA_HOOK_DEV]) {
2281 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2282 if (IS_ERR(hook)) {
2283 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2284 return PTR_ERR(hook);
2285 }
2286
2287 list_add_tail(&hook->list, hook_list);
2288 } else if (tb[NFTA_HOOK_DEVS]) {
2289 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2290 hook_list, extack);
2291 if (err < 0)
2292 return err;
2293
2294 }
2295
2296 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2297 list_empty(hook_list))
2298 return -EINVAL;
2299
2300 return 0;
2301 }
2302
nft_chain_parse_hook(struct net * net,struct nft_base_chain * basechain,const struct nlattr * const nla[],struct nft_chain_hook * hook,u8 family,u32 flags,struct netlink_ext_ack * extack)2303 static int nft_chain_parse_hook(struct net *net,
2304 struct nft_base_chain *basechain,
2305 const struct nlattr * const nla[],
2306 struct nft_chain_hook *hook, u8 family,
2307 u32 flags, struct netlink_ext_ack *extack)
2308 {
2309 struct nftables_pernet *nft_net = nft_pernet(net);
2310 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2311 const struct nft_chain_type *type;
2312 int err;
2313
2314 lockdep_assert_held(&nft_net->commit_mutex);
2315 lockdep_nfnl_nft_mutex_not_held();
2316
2317 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2318 nla[NFTA_CHAIN_HOOK],
2319 nft_hook_policy, NULL);
2320 if (err < 0)
2321 return err;
2322
2323 if (!basechain) {
2324 if (!ha[NFTA_HOOK_HOOKNUM] ||
2325 !ha[NFTA_HOOK_PRIORITY]) {
2326 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2327 return -ENOENT;
2328 }
2329
2330 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2331 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2332
2333 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2334 if (!type)
2335 return -EOPNOTSUPP;
2336
2337 if (nla[NFTA_CHAIN_TYPE]) {
2338 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2339 family, true);
2340 if (IS_ERR(type)) {
2341 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2342 return PTR_ERR(type);
2343 }
2344 }
2345 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2346 return -EOPNOTSUPP;
2347
2348 if (type->type == NFT_CHAIN_T_NAT &&
2349 hook->priority <= NF_IP_PRI_CONNTRACK)
2350 return -EOPNOTSUPP;
2351 } else {
2352 if (ha[NFTA_HOOK_HOOKNUM]) {
2353 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2354 if (hook->num != basechain->ops.hooknum)
2355 return -EOPNOTSUPP;
2356 }
2357 if (ha[NFTA_HOOK_PRIORITY]) {
2358 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2359 if (hook->priority != basechain->ops.priority)
2360 return -EOPNOTSUPP;
2361 }
2362
2363 if (nla[NFTA_CHAIN_TYPE]) {
2364 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
2365 family);
2366 if (!type) {
2367 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2368 return -ENOENT;
2369 }
2370 } else {
2371 type = basechain->type;
2372 }
2373 }
2374
2375 if (!try_module_get(type->owner)) {
2376 if (nla[NFTA_CHAIN_TYPE])
2377 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2378 return -ENOENT;
2379 }
2380
2381 hook->type = type;
2382
2383 INIT_LIST_HEAD(&hook->list);
2384 if (nft_base_chain_netdev(family, hook->num)) {
2385 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2386 if (err < 0) {
2387 module_put(type->owner);
2388 return err;
2389 }
2390 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2391 module_put(type->owner);
2392 return -EOPNOTSUPP;
2393 }
2394
2395 return 0;
2396 }
2397
nft_chain_release_hook(struct nft_chain_hook * hook)2398 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2399 {
2400 struct nft_hook *h, *next;
2401
2402 list_for_each_entry_safe(h, next, &hook->list, list) {
2403 list_del(&h->list);
2404 kfree(h);
2405 }
2406 module_put(hook->type->owner);
2407 }
2408
nft_last_rule(const struct nft_chain * chain,const void * ptr)2409 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2410 {
2411 struct nft_rule_dp_last *lrule;
2412
2413 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2414
2415 lrule = (struct nft_rule_dp_last *)ptr;
2416 lrule->end.is_last = 1;
2417 lrule->chain = chain;
2418 /* blob size does not include the trailer rule */
2419 }
2420
nf_tables_chain_alloc_rules(const struct nft_chain * chain,unsigned int size)2421 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2422 unsigned int size)
2423 {
2424 struct nft_rule_blob *blob;
2425
2426 if (size > INT_MAX)
2427 return NULL;
2428
2429 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2430
2431 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2432 if (!blob)
2433 return NULL;
2434
2435 blob->size = 0;
2436 nft_last_rule(chain, blob->data);
2437
2438 return blob;
2439 }
2440
nft_basechain_hook_init(struct nf_hook_ops * ops,u8 family,const struct nft_chain_hook * hook,struct nft_chain * chain)2441 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2442 const struct nft_chain_hook *hook,
2443 struct nft_chain *chain)
2444 {
2445 ops->pf = family;
2446 ops->hooknum = hook->num;
2447 ops->priority = hook->priority;
2448 ops->priv = chain;
2449 ops->hook = hook->type->hooks[ops->hooknum];
2450 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2451 }
2452
nft_basechain_init(struct nft_base_chain * basechain,u8 family,struct nft_chain_hook * hook,u32 flags)2453 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2454 struct nft_chain_hook *hook, u32 flags)
2455 {
2456 struct nft_chain *chain;
2457 struct nft_hook *h;
2458
2459 basechain->type = hook->type;
2460 INIT_LIST_HEAD(&basechain->hook_list);
2461 chain = &basechain->chain;
2462
2463 if (nft_base_chain_netdev(family, hook->num)) {
2464 list_splice_init(&hook->list, &basechain->hook_list);
2465 list_for_each_entry(h, &basechain->hook_list, list)
2466 nft_basechain_hook_init(&h->ops, family, hook, chain);
2467 }
2468 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2469
2470 chain->flags |= NFT_CHAIN_BASE | flags;
2471 basechain->policy = NF_ACCEPT;
2472 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2473 !nft_chain_offload_support(basechain)) {
2474 list_splice_init(&basechain->hook_list, &hook->list);
2475 return -EOPNOTSUPP;
2476 }
2477
2478 flow_block_init(&basechain->flow_block);
2479
2480 return 0;
2481 }
2482
nft_chain_add(struct nft_table * table,struct nft_chain * chain)2483 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2484 {
2485 int err;
2486
2487 err = rhltable_insert_key(&table->chains_ht, chain->name,
2488 &chain->rhlhead, nft_chain_ht_params);
2489 if (err)
2490 return err;
2491
2492 list_add_tail_rcu(&chain->list, &table->chains);
2493
2494 return 0;
2495 }
2496
2497 static u64 chain_id;
2498
nf_tables_addchain(struct nft_ctx * ctx,u8 family,u8 genmask,u8 policy,u32 flags,struct netlink_ext_ack * extack)2499 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2500 u8 policy, u32 flags,
2501 struct netlink_ext_ack *extack)
2502 {
2503 const struct nlattr * const *nla = ctx->nla;
2504 struct nft_table *table = ctx->table;
2505 struct nft_base_chain *basechain;
2506 struct net *net = ctx->net;
2507 char name[NFT_NAME_MAXLEN];
2508 struct nft_rule_blob *blob;
2509 struct nft_trans *trans;
2510 struct nft_chain *chain;
2511 int err;
2512
2513 if (nla[NFTA_CHAIN_HOOK]) {
2514 struct nft_stats __percpu *stats = NULL;
2515 struct nft_chain_hook hook = {};
2516
2517 if (table->flags & __NFT_TABLE_F_UPDATE)
2518 return -EINVAL;
2519
2520 if (flags & NFT_CHAIN_BINDING)
2521 return -EOPNOTSUPP;
2522
2523 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2524 extack);
2525 if (err < 0)
2526 return err;
2527
2528 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2529 if (basechain == NULL) {
2530 nft_chain_release_hook(&hook);
2531 return -ENOMEM;
2532 }
2533 chain = &basechain->chain;
2534
2535 if (nla[NFTA_CHAIN_COUNTERS]) {
2536 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2537 if (IS_ERR(stats)) {
2538 nft_chain_release_hook(&hook);
2539 kfree(basechain);
2540 return PTR_ERR(stats);
2541 }
2542 rcu_assign_pointer(basechain->stats, stats);
2543 }
2544
2545 err = nft_basechain_init(basechain, family, &hook, flags);
2546 if (err < 0) {
2547 nft_chain_release_hook(&hook);
2548 kfree(basechain);
2549 free_percpu(stats);
2550 return err;
2551 }
2552 if (stats)
2553 static_branch_inc(&nft_counters_enabled);
2554 } else {
2555 if (flags & NFT_CHAIN_BASE)
2556 return -EINVAL;
2557 if (flags & NFT_CHAIN_HW_OFFLOAD)
2558 return -EOPNOTSUPP;
2559
2560 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2561 if (chain == NULL)
2562 return -ENOMEM;
2563
2564 chain->flags = flags;
2565 }
2566 ctx->chain = chain;
2567
2568 INIT_LIST_HEAD(&chain->rules);
2569 chain->handle = nf_tables_alloc_handle(table);
2570 chain->table = table;
2571
2572 if (nla[NFTA_CHAIN_NAME]) {
2573 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2574 } else {
2575 if (!(flags & NFT_CHAIN_BINDING)) {
2576 err = -EINVAL;
2577 goto err_destroy_chain;
2578 }
2579
2580 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2581 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2582 }
2583
2584 if (!chain->name) {
2585 err = -ENOMEM;
2586 goto err_destroy_chain;
2587 }
2588
2589 if (nla[NFTA_CHAIN_USERDATA]) {
2590 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2591 if (chain->udata == NULL) {
2592 err = -ENOMEM;
2593 goto err_destroy_chain;
2594 }
2595 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2596 }
2597
2598 blob = nf_tables_chain_alloc_rules(chain, 0);
2599 if (!blob) {
2600 err = -ENOMEM;
2601 goto err_destroy_chain;
2602 }
2603
2604 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2605 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2606
2607 if (!nft_use_inc(&table->use)) {
2608 err = -EMFILE;
2609 goto err_destroy_chain;
2610 }
2611
2612 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2613 if (IS_ERR(trans)) {
2614 err = PTR_ERR(trans);
2615 goto err_trans;
2616 }
2617
2618 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2619 if (nft_is_base_chain(chain))
2620 nft_trans_chain_policy(trans) = policy;
2621
2622 err = nft_chain_add(table, chain);
2623 if (err < 0)
2624 goto err_chain_add;
2625
2626 /* This must be LAST to ensure no packets are walking over this chain. */
2627 err = nf_tables_register_hook(net, table, chain);
2628 if (err < 0)
2629 goto err_register_hook;
2630
2631 return 0;
2632
2633 err_register_hook:
2634 nft_chain_del(chain);
2635 err_chain_add:
2636 nft_trans_destroy(trans);
2637 err_trans:
2638 nft_use_dec_restore(&table->use);
2639 err_destroy_chain:
2640 nf_tables_chain_destroy(chain);
2641
2642 return err;
2643 }
2644
nf_tables_updchain(struct nft_ctx * ctx,u8 genmask,u8 policy,u32 flags,const struct nlattr * attr,struct netlink_ext_ack * extack)2645 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2646 u32 flags, const struct nlattr *attr,
2647 struct netlink_ext_ack *extack)
2648 {
2649 const struct nlattr * const *nla = ctx->nla;
2650 struct nft_base_chain *basechain = NULL;
2651 struct nft_table *table = ctx->table;
2652 struct nft_chain *chain = ctx->chain;
2653 struct nft_chain_hook hook = {};
2654 struct nft_stats *stats = NULL;
2655 struct nft_hook *h, *next;
2656 struct nf_hook_ops *ops;
2657 struct nft_trans *trans;
2658 bool unregister = false;
2659 int err;
2660
2661 if (chain->flags ^ flags)
2662 return -EOPNOTSUPP;
2663
2664 INIT_LIST_HEAD(&hook.list);
2665
2666 if (nla[NFTA_CHAIN_HOOK]) {
2667 if (!nft_is_base_chain(chain)) {
2668 NL_SET_BAD_ATTR(extack, attr);
2669 return -EEXIST;
2670 }
2671
2672 basechain = nft_base_chain(chain);
2673 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2674 ctx->family, flags, extack);
2675 if (err < 0)
2676 return err;
2677
2678 if (basechain->type != hook.type) {
2679 nft_chain_release_hook(&hook);
2680 NL_SET_BAD_ATTR(extack, attr);
2681 return -EEXIST;
2682 }
2683
2684 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2685 list_for_each_entry_safe(h, next, &hook.list, list) {
2686 h->ops.pf = basechain->ops.pf;
2687 h->ops.hooknum = basechain->ops.hooknum;
2688 h->ops.priority = basechain->ops.priority;
2689 h->ops.priv = basechain->ops.priv;
2690 h->ops.hook = basechain->ops.hook;
2691
2692 if (nft_hook_list_find(&basechain->hook_list, h)) {
2693 list_del(&h->list);
2694 kfree(h);
2695 }
2696 }
2697 } else {
2698 ops = &basechain->ops;
2699 if (ops->hooknum != hook.num ||
2700 ops->priority != hook.priority) {
2701 nft_chain_release_hook(&hook);
2702 NL_SET_BAD_ATTR(extack, attr);
2703 return -EEXIST;
2704 }
2705 }
2706 }
2707
2708 if (nla[NFTA_CHAIN_HANDLE] &&
2709 nla[NFTA_CHAIN_NAME]) {
2710 struct nft_chain *chain2;
2711
2712 chain2 = nft_chain_lookup(ctx->net, table,
2713 nla[NFTA_CHAIN_NAME], genmask);
2714 if (!IS_ERR(chain2)) {
2715 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2716 err = -EEXIST;
2717 goto err_hooks;
2718 }
2719 }
2720
2721 if (table->flags & __NFT_TABLE_F_UPDATE &&
2722 !list_empty(&hook.list)) {
2723 NL_SET_BAD_ATTR(extack, attr);
2724 err = -EOPNOTSUPP;
2725 goto err_hooks;
2726 }
2727
2728 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2729 nft_is_base_chain(chain) &&
2730 !list_empty(&hook.list)) {
2731 basechain = nft_base_chain(chain);
2732 ops = &basechain->ops;
2733
2734 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2735 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2736 if (err < 0)
2737 goto err_hooks;
2738 }
2739 }
2740
2741 unregister = true;
2742
2743 if (nla[NFTA_CHAIN_COUNTERS]) {
2744 if (!nft_is_base_chain(chain)) {
2745 err = -EOPNOTSUPP;
2746 goto err_hooks;
2747 }
2748
2749 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2750 if (IS_ERR(stats)) {
2751 err = PTR_ERR(stats);
2752 goto err_hooks;
2753 }
2754 }
2755
2756 err = -ENOMEM;
2757 trans = nft_trans_alloc_chain(ctx, NFT_MSG_NEWCHAIN);
2758 if (trans == NULL)
2759 goto err_trans;
2760
2761 nft_trans_chain_stats(trans) = stats;
2762 nft_trans_chain_update(trans) = true;
2763
2764 if (nla[NFTA_CHAIN_POLICY])
2765 nft_trans_chain_policy(trans) = policy;
2766 else
2767 nft_trans_chain_policy(trans) = -1;
2768
2769 if (nla[NFTA_CHAIN_HANDLE] &&
2770 nla[NFTA_CHAIN_NAME]) {
2771 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2772 struct nft_trans *tmp;
2773 char *name;
2774
2775 err = -ENOMEM;
2776 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2777 if (!name)
2778 goto err_trans;
2779
2780 err = -EEXIST;
2781 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2782 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2783 tmp->table == table &&
2784 nft_trans_chain_update(tmp) &&
2785 nft_trans_chain_name(tmp) &&
2786 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2787 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2788 kfree(name);
2789 goto err_trans;
2790 }
2791 }
2792
2793 nft_trans_chain_name(trans) = name;
2794 }
2795
2796 nft_trans_basechain(trans) = basechain;
2797 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2798 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2799 if (nla[NFTA_CHAIN_HOOK])
2800 module_put(hook.type->owner);
2801
2802 nft_trans_commit_list_add_tail(ctx->net, trans);
2803
2804 return 0;
2805
2806 err_trans:
2807 free_percpu(stats);
2808 kfree(trans);
2809 err_hooks:
2810 if (nla[NFTA_CHAIN_HOOK]) {
2811 list_for_each_entry_safe(h, next, &hook.list, list) {
2812 if (unregister)
2813 nf_unregister_net_hook(ctx->net, &h->ops);
2814 list_del(&h->list);
2815 kfree_rcu(h, rcu);
2816 }
2817 module_put(hook.type->owner);
2818 }
2819
2820 return err;
2821 }
2822
nft_chain_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)2823 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2824 const struct nft_table *table,
2825 const struct nlattr *nla, u8 genmask)
2826 {
2827 struct nftables_pernet *nft_net = nft_pernet(net);
2828 u32 id = ntohl(nla_get_be32(nla));
2829 struct nft_trans *trans;
2830
2831 list_for_each_entry(trans, &nft_net->commit_list, list) {
2832 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2833 nft_trans_chain(trans)->table == table &&
2834 id == nft_trans_chain_id(trans) &&
2835 nft_active_genmask(nft_trans_chain(trans), genmask))
2836 return nft_trans_chain(trans);
2837 }
2838 return ERR_PTR(-ENOENT);
2839 }
2840
nf_tables_newchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2841 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2842 const struct nlattr * const nla[])
2843 {
2844 struct nftables_pernet *nft_net = nft_pernet(info->net);
2845 struct netlink_ext_ack *extack = info->extack;
2846 u8 genmask = nft_genmask_next(info->net);
2847 u8 family = info->nfmsg->nfgen_family;
2848 struct nft_chain *chain = NULL;
2849 struct net *net = info->net;
2850 const struct nlattr *attr;
2851 struct nft_table *table;
2852 u8 policy = NF_ACCEPT;
2853 struct nft_ctx ctx;
2854 u64 handle = 0;
2855 u32 flags = 0;
2856
2857 lockdep_assert_held(&nft_net->commit_mutex);
2858
2859 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2860 NETLINK_CB(skb).portid);
2861 if (IS_ERR(table)) {
2862 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2863 return PTR_ERR(table);
2864 }
2865
2866 chain = NULL;
2867 attr = nla[NFTA_CHAIN_NAME];
2868
2869 if (nla[NFTA_CHAIN_HANDLE]) {
2870 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2871 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2872 if (IS_ERR(chain)) {
2873 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2874 return PTR_ERR(chain);
2875 }
2876 attr = nla[NFTA_CHAIN_HANDLE];
2877 } else if (nla[NFTA_CHAIN_NAME]) {
2878 chain = nft_chain_lookup(net, table, attr, genmask);
2879 if (IS_ERR(chain)) {
2880 if (PTR_ERR(chain) != -ENOENT) {
2881 NL_SET_BAD_ATTR(extack, attr);
2882 return PTR_ERR(chain);
2883 }
2884 chain = NULL;
2885 }
2886 } else if (!nla[NFTA_CHAIN_ID]) {
2887 return -EINVAL;
2888 }
2889
2890 if (nla[NFTA_CHAIN_POLICY]) {
2891 if (chain != NULL &&
2892 !nft_is_base_chain(chain)) {
2893 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2894 return -EOPNOTSUPP;
2895 }
2896
2897 if (chain == NULL &&
2898 nla[NFTA_CHAIN_HOOK] == NULL) {
2899 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2900 return -EOPNOTSUPP;
2901 }
2902
2903 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2904 switch (policy) {
2905 case NF_DROP:
2906 case NF_ACCEPT:
2907 break;
2908 default:
2909 return -EINVAL;
2910 }
2911 }
2912
2913 if (nla[NFTA_CHAIN_FLAGS])
2914 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2915 else if (chain)
2916 flags = chain->flags;
2917
2918 if (flags & ~NFT_CHAIN_FLAGS)
2919 return -EOPNOTSUPP;
2920
2921 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2922
2923 if (chain != NULL) {
2924 if (chain->flags & NFT_CHAIN_BINDING)
2925 return -EINVAL;
2926
2927 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2928 NL_SET_BAD_ATTR(extack, attr);
2929 return -EEXIST;
2930 }
2931 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2932 return -EOPNOTSUPP;
2933
2934 flags |= chain->flags & NFT_CHAIN_BASE;
2935 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2936 extack);
2937 }
2938
2939 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2940 }
2941
nft_delchain_hook(struct nft_ctx * ctx,struct nft_base_chain * basechain,struct netlink_ext_ack * extack)2942 static int nft_delchain_hook(struct nft_ctx *ctx,
2943 struct nft_base_chain *basechain,
2944 struct netlink_ext_ack *extack)
2945 {
2946 const struct nft_chain *chain = &basechain->chain;
2947 const struct nlattr * const *nla = ctx->nla;
2948 struct nft_chain_hook chain_hook = {};
2949 struct nft_hook *this, *hook;
2950 LIST_HEAD(chain_del_list);
2951 struct nft_trans *trans;
2952 int err;
2953
2954 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
2955 return -EOPNOTSUPP;
2956
2957 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
2958 ctx->family, chain->flags, extack);
2959 if (err < 0)
2960 return err;
2961
2962 list_for_each_entry(this, &chain_hook.list, list) {
2963 hook = nft_hook_list_find(&basechain->hook_list, this);
2964 if (!hook) {
2965 err = -ENOENT;
2966 goto err_chain_del_hook;
2967 }
2968 list_move(&hook->list, &chain_del_list);
2969 }
2970
2971 trans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN);
2972 if (!trans) {
2973 err = -ENOMEM;
2974 goto err_chain_del_hook;
2975 }
2976
2977 nft_trans_basechain(trans) = basechain;
2978 nft_trans_chain_update(trans) = true;
2979 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2980 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
2981 nft_chain_release_hook(&chain_hook);
2982
2983 nft_trans_commit_list_add_tail(ctx->net, trans);
2984
2985 return 0;
2986
2987 err_chain_del_hook:
2988 list_splice(&chain_del_list, &basechain->hook_list);
2989 nft_chain_release_hook(&chain_hook);
2990
2991 return err;
2992 }
2993
nf_tables_delchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2994 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2995 const struct nlattr * const nla[])
2996 {
2997 struct netlink_ext_ack *extack = info->extack;
2998 u8 genmask = nft_genmask_next(info->net);
2999 u8 family = info->nfmsg->nfgen_family;
3000 struct net *net = info->net;
3001 const struct nlattr *attr;
3002 struct nft_table *table;
3003 struct nft_chain *chain;
3004 struct nft_rule *rule;
3005 struct nft_ctx ctx;
3006 u64 handle;
3007 u32 use;
3008 int err;
3009
3010 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
3011 NETLINK_CB(skb).portid);
3012 if (IS_ERR(table)) {
3013 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
3014 return PTR_ERR(table);
3015 }
3016
3017 if (nla[NFTA_CHAIN_HANDLE]) {
3018 attr = nla[NFTA_CHAIN_HANDLE];
3019 handle = be64_to_cpu(nla_get_be64(attr));
3020 chain = nft_chain_lookup_byhandle(table, handle, genmask);
3021 } else {
3022 attr = nla[NFTA_CHAIN_NAME];
3023 chain = nft_chain_lookup(net, table, attr, genmask);
3024 }
3025 if (IS_ERR(chain)) {
3026 if (PTR_ERR(chain) == -ENOENT &&
3027 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
3028 return 0;
3029
3030 NL_SET_BAD_ATTR(extack, attr);
3031 return PTR_ERR(chain);
3032 }
3033
3034 if (nft_chain_binding(chain))
3035 return -EOPNOTSUPP;
3036
3037 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3038
3039 if (nla[NFTA_CHAIN_HOOK]) {
3040 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN ||
3041 chain->flags & NFT_CHAIN_HW_OFFLOAD)
3042 return -EOPNOTSUPP;
3043
3044 if (nft_is_base_chain(chain)) {
3045 struct nft_base_chain *basechain = nft_base_chain(chain);
3046
3047 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
3048 return nft_delchain_hook(&ctx, basechain, extack);
3049 }
3050 }
3051
3052 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
3053 chain->use > 0)
3054 return -EBUSY;
3055
3056 use = chain->use;
3057 list_for_each_entry(rule, &chain->rules, list) {
3058 if (!nft_is_active_next(net, rule))
3059 continue;
3060 use--;
3061
3062 err = nft_delrule(&ctx, rule);
3063 if (err < 0)
3064 return err;
3065 }
3066
3067 /* There are rules and elements that are still holding references to us,
3068 * we cannot do a recursive removal in this case.
3069 */
3070 if (use > 0) {
3071 NL_SET_BAD_ATTR(extack, attr);
3072 return -EBUSY;
3073 }
3074
3075 return nft_delchain(&ctx);
3076 }
3077
3078 /*
3079 * Expressions
3080 */
3081
3082 /**
3083 * nft_register_expr - register nf_tables expr type
3084 * @type: expr type
3085 *
3086 * Registers the expr type for use with nf_tables. Returns zero on
3087 * success or a negative errno code otherwise.
3088 */
nft_register_expr(struct nft_expr_type * type)3089 int nft_register_expr(struct nft_expr_type *type)
3090 {
3091 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
3092 return -ENOMEM;
3093
3094 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3095 if (type->family == NFPROTO_UNSPEC)
3096 list_add_tail_rcu(&type->list, &nf_tables_expressions);
3097 else
3098 list_add_rcu(&type->list, &nf_tables_expressions);
3099 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3100 return 0;
3101 }
3102 EXPORT_SYMBOL_GPL(nft_register_expr);
3103
3104 /**
3105 * nft_unregister_expr - unregister nf_tables expr type
3106 * @type: expr type
3107 *
3108 * Unregisters the expr typefor use with nf_tables.
3109 */
nft_unregister_expr(struct nft_expr_type * type)3110 void nft_unregister_expr(struct nft_expr_type *type)
3111 {
3112 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3113 list_del_rcu(&type->list);
3114 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3115 }
3116 EXPORT_SYMBOL_GPL(nft_unregister_expr);
3117
__nft_expr_type_get(u8 family,struct nlattr * nla)3118 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
3119 struct nlattr *nla)
3120 {
3121 const struct nft_expr_type *type, *candidate = NULL;
3122
3123 list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
3124 if (!nla_strcmp(nla, type->name)) {
3125 if (!type->family && !candidate)
3126 candidate = type;
3127 else if (type->family == family)
3128 candidate = type;
3129 }
3130 }
3131 return candidate;
3132 }
3133
3134 #ifdef CONFIG_MODULES
nft_expr_type_request_module(struct net * net,u8 family,struct nlattr * nla)3135 static int nft_expr_type_request_module(struct net *net, u8 family,
3136 struct nlattr *nla)
3137 {
3138 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3139 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3140 return -EAGAIN;
3141
3142 return 0;
3143 }
3144 #endif
3145
nft_expr_type_get(struct net * net,u8 family,struct nlattr * nla)3146 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3147 u8 family,
3148 struct nlattr *nla)
3149 {
3150 const struct nft_expr_type *type;
3151
3152 if (nla == NULL)
3153 return ERR_PTR(-EINVAL);
3154
3155 rcu_read_lock();
3156 type = __nft_expr_type_get(family, nla);
3157 if (type != NULL && try_module_get(type->owner)) {
3158 rcu_read_unlock();
3159 return type;
3160 }
3161 rcu_read_unlock();
3162
3163 lockdep_nfnl_nft_mutex_not_held();
3164 #ifdef CONFIG_MODULES
3165 if (type == NULL) {
3166 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3167 return ERR_PTR(-EAGAIN);
3168
3169 if (nft_request_module(net, "nft-expr-%.*s",
3170 nla_len(nla),
3171 (char *)nla_data(nla)) == -EAGAIN)
3172 return ERR_PTR(-EAGAIN);
3173 }
3174 #endif
3175 return ERR_PTR(-ENOENT);
3176 }
3177
3178 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3179 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3180 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3181 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3182 };
3183
nf_tables_fill_expr_info(struct sk_buff * skb,const struct nft_expr * expr,bool reset)3184 static int nf_tables_fill_expr_info(struct sk_buff *skb,
3185 const struct nft_expr *expr, bool reset)
3186 {
3187 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
3188 goto nla_put_failure;
3189
3190 if (expr->ops->dump) {
3191 struct nlattr *data = nla_nest_start_noflag(skb,
3192 NFTA_EXPR_DATA);
3193 if (data == NULL)
3194 goto nla_put_failure;
3195 if (expr->ops->dump(skb, expr, reset) < 0)
3196 goto nla_put_failure;
3197 nla_nest_end(skb, data);
3198 }
3199
3200 return skb->len;
3201
3202 nla_put_failure:
3203 return -1;
3204 };
3205
nft_expr_dump(struct sk_buff * skb,unsigned int attr,const struct nft_expr * expr,bool reset)3206 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3207 const struct nft_expr *expr, bool reset)
3208 {
3209 struct nlattr *nest;
3210
3211 nest = nla_nest_start_noflag(skb, attr);
3212 if (!nest)
3213 goto nla_put_failure;
3214 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3215 goto nla_put_failure;
3216 nla_nest_end(skb, nest);
3217 return 0;
3218
3219 nla_put_failure:
3220 return -1;
3221 }
3222
3223 struct nft_expr_info {
3224 const struct nft_expr_ops *ops;
3225 const struct nlattr *attr;
3226 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3227 };
3228
nf_tables_expr_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3229 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3230 const struct nlattr *nla,
3231 struct nft_expr_info *info)
3232 {
3233 const struct nft_expr_type *type;
3234 const struct nft_expr_ops *ops;
3235 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3236 int err;
3237
3238 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3239 nft_expr_policy, NULL);
3240 if (err < 0)
3241 return err;
3242
3243 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3244 if (IS_ERR(type))
3245 return PTR_ERR(type);
3246
3247 if (tb[NFTA_EXPR_DATA]) {
3248 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3249 tb[NFTA_EXPR_DATA],
3250 type->policy, NULL);
3251 if (err < 0)
3252 goto err1;
3253 } else
3254 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3255
3256 if (type->select_ops != NULL) {
3257 ops = type->select_ops(ctx,
3258 (const struct nlattr * const *)info->tb);
3259 if (IS_ERR(ops)) {
3260 err = PTR_ERR(ops);
3261 #ifdef CONFIG_MODULES
3262 if (err == -EAGAIN)
3263 if (nft_expr_type_request_module(ctx->net,
3264 ctx->family,
3265 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3266 err = -ENOENT;
3267 #endif
3268 goto err1;
3269 }
3270 } else
3271 ops = type->ops;
3272
3273 info->attr = nla;
3274 info->ops = ops;
3275
3276 return 0;
3277
3278 err1:
3279 module_put(type->owner);
3280 return err;
3281 }
3282
nft_expr_inner_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3283 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3284 struct nft_expr_info *info)
3285 {
3286 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3287 const struct nft_expr_type *type;
3288 int err;
3289
3290 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3291 nft_expr_policy, NULL);
3292 if (err < 0)
3293 return err;
3294
3295 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3296 return -EINVAL;
3297
3298 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3299 if (!type)
3300 return -ENOENT;
3301
3302 if (!type->inner_ops)
3303 return -EOPNOTSUPP;
3304
3305 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3306 tb[NFTA_EXPR_DATA],
3307 type->policy, NULL);
3308 if (err < 0)
3309 goto err_nla_parse;
3310
3311 info->attr = nla;
3312 info->ops = type->inner_ops;
3313
3314 return 0;
3315
3316 err_nla_parse:
3317 return err;
3318 }
3319
nf_tables_newexpr(const struct nft_ctx * ctx,const struct nft_expr_info * expr_info,struct nft_expr * expr)3320 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3321 const struct nft_expr_info *expr_info,
3322 struct nft_expr *expr)
3323 {
3324 const struct nft_expr_ops *ops = expr_info->ops;
3325 int err;
3326
3327 expr->ops = ops;
3328 if (ops->init) {
3329 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3330 if (err < 0)
3331 goto err1;
3332 }
3333
3334 return 0;
3335 err1:
3336 expr->ops = NULL;
3337 return err;
3338 }
3339
nf_tables_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3340 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3341 struct nft_expr *expr)
3342 {
3343 const struct nft_expr_type *type = expr->ops->type;
3344
3345 if (expr->ops->destroy)
3346 expr->ops->destroy(ctx, expr);
3347 module_put(type->owner);
3348 }
3349
nft_expr_init(const struct nft_ctx * ctx,const struct nlattr * nla)3350 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3351 const struct nlattr *nla)
3352 {
3353 struct nft_expr_info expr_info;
3354 struct nft_expr *expr;
3355 struct module *owner;
3356 int err;
3357
3358 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3359 if (err < 0)
3360 goto err_expr_parse;
3361
3362 err = -EOPNOTSUPP;
3363 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3364 goto err_expr_stateful;
3365
3366 err = -ENOMEM;
3367 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3368 if (expr == NULL)
3369 goto err_expr_stateful;
3370
3371 err = nf_tables_newexpr(ctx, &expr_info, expr);
3372 if (err < 0)
3373 goto err_expr_new;
3374
3375 return expr;
3376 err_expr_new:
3377 kfree(expr);
3378 err_expr_stateful:
3379 owner = expr_info.ops->type->owner;
3380 if (expr_info.ops->type->release_ops)
3381 expr_info.ops->type->release_ops(expr_info.ops);
3382
3383 module_put(owner);
3384 err_expr_parse:
3385 return ERR_PTR(err);
3386 }
3387
nft_expr_clone(struct nft_expr * dst,struct nft_expr * src,gfp_t gfp)3388 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp)
3389 {
3390 int err;
3391
3392 if (WARN_ON_ONCE(!src->ops->clone))
3393 return -EINVAL;
3394
3395 dst->ops = src->ops;
3396 err = src->ops->clone(dst, src, gfp);
3397 if (err < 0)
3398 return err;
3399
3400 __module_get(src->ops->type->owner);
3401
3402 return 0;
3403 }
3404
nft_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3405 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3406 {
3407 nf_tables_expr_destroy(ctx, expr);
3408 kfree(expr);
3409 }
3410
3411 /*
3412 * Rules
3413 */
3414
__nft_rule_lookup(const struct nft_chain * chain,u64 handle)3415 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
3416 u64 handle)
3417 {
3418 struct nft_rule *rule;
3419
3420 // FIXME: this sucks
3421 list_for_each_entry_rcu(rule, &chain->rules, list) {
3422 if (handle == rule->handle)
3423 return rule;
3424 }
3425
3426 return ERR_PTR(-ENOENT);
3427 }
3428
nft_rule_lookup(const struct nft_chain * chain,const struct nlattr * nla)3429 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
3430 const struct nlattr *nla)
3431 {
3432 if (nla == NULL)
3433 return ERR_PTR(-EINVAL);
3434
3435 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
3436 }
3437
3438 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3439 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3440 .len = NFT_TABLE_MAXNAMELEN - 1 },
3441 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3442 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3443 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3444 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
3445 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3446 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3447 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3448 .len = NFT_USERDATA_MAXLEN },
3449 [NFTA_RULE_ID] = { .type = NLA_U32 },
3450 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3451 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3452 };
3453
nf_tables_fill_rule_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct nft_rule * rule,u64 handle,bool reset)3454 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3455 u32 portid, u32 seq, int event,
3456 u32 flags, int family,
3457 const struct nft_table *table,
3458 const struct nft_chain *chain,
3459 const struct nft_rule *rule, u64 handle,
3460 bool reset)
3461 {
3462 struct nlmsghdr *nlh;
3463 const struct nft_expr *expr, *next;
3464 struct nlattr *list;
3465 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3466
3467 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3468 nft_base_seq(net));
3469 if (!nlh)
3470 goto nla_put_failure;
3471
3472 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3473 goto nla_put_failure;
3474 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3475 goto nla_put_failure;
3476 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3477 NFTA_RULE_PAD))
3478 goto nla_put_failure;
3479
3480 if (event != NFT_MSG_DELRULE && handle) {
3481 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3482 NFTA_RULE_PAD))
3483 goto nla_put_failure;
3484 }
3485
3486 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3487 nft_flow_rule_stats(chain, rule);
3488
3489 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3490 if (list == NULL)
3491 goto nla_put_failure;
3492 nft_rule_for_each_expr(expr, next, rule) {
3493 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3494 goto nla_put_failure;
3495 }
3496 nla_nest_end(skb, list);
3497
3498 if (rule->udata) {
3499 struct nft_userdata *udata = nft_userdata(rule);
3500 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3501 udata->data) < 0)
3502 goto nla_put_failure;
3503 }
3504
3505 nlmsg_end(skb, nlh);
3506 return 0;
3507
3508 nla_put_failure:
3509 nlmsg_trim(skb, nlh);
3510 return -1;
3511 }
3512
nf_tables_rule_notify(const struct nft_ctx * ctx,const struct nft_rule * rule,int event)3513 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3514 const struct nft_rule *rule, int event)
3515 {
3516 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3517 const struct nft_rule *prule;
3518 struct sk_buff *skb;
3519 u64 handle = 0;
3520 u16 flags = 0;
3521 int err;
3522
3523 if (!ctx->report &&
3524 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3525 return;
3526
3527 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3528 if (skb == NULL)
3529 goto err;
3530
3531 if (event == NFT_MSG_NEWRULE &&
3532 !list_is_first(&rule->list, &ctx->chain->rules) &&
3533 !list_is_last(&rule->list, &ctx->chain->rules)) {
3534 prule = list_prev_entry(rule, list);
3535 handle = prule->handle;
3536 }
3537 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3538 flags |= NLM_F_APPEND;
3539 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3540 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3541
3542 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3543 event, flags, ctx->family, ctx->table,
3544 ctx->chain, rule, handle, false);
3545 if (err < 0) {
3546 kfree_skb(skb);
3547 goto err;
3548 }
3549
3550 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3551 return;
3552 err:
3553 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3554 }
3555
audit_log_rule_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)3556 static void audit_log_rule_reset(const struct nft_table *table,
3557 unsigned int base_seq,
3558 unsigned int nentries)
3559 {
3560 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
3561 table->name, base_seq);
3562
3563 audit_log_nfcfg(buf, table->family, nentries,
3564 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3565 kfree(buf);
3566 }
3567
3568 struct nft_rule_dump_ctx {
3569 unsigned int s_idx;
3570 char *table;
3571 char *chain;
3572 bool reset;
3573 };
3574
__nf_tables_dump_rules(struct sk_buff * skb,unsigned int * idx,struct netlink_callback * cb,const struct nft_table * table,const struct nft_chain * chain)3575 static int __nf_tables_dump_rules(struct sk_buff *skb,
3576 unsigned int *idx,
3577 struct netlink_callback *cb,
3578 const struct nft_table *table,
3579 const struct nft_chain *chain)
3580 {
3581 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3582 struct net *net = sock_net(skb->sk);
3583 const struct nft_rule *rule, *prule;
3584 unsigned int entries = 0;
3585 int ret = 0;
3586 u64 handle;
3587
3588 prule = NULL;
3589 list_for_each_entry_rcu(rule, &chain->rules, list) {
3590 if (!nft_is_active(net, rule))
3591 goto cont_skip;
3592 if (*idx < ctx->s_idx)
3593 goto cont;
3594 if (prule)
3595 handle = prule->handle;
3596 else
3597 handle = 0;
3598
3599 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3600 cb->nlh->nlmsg_seq,
3601 NFT_MSG_NEWRULE,
3602 NLM_F_MULTI | NLM_F_APPEND,
3603 table->family,
3604 table, chain, rule, handle, ctx->reset) < 0) {
3605 ret = 1;
3606 break;
3607 }
3608 entries++;
3609 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3610 cont:
3611 prule = rule;
3612 cont_skip:
3613 (*idx)++;
3614 }
3615
3616 if (ctx->reset && entries)
3617 audit_log_rule_reset(table, cb->seq, entries);
3618
3619 return ret;
3620 }
3621
nf_tables_dump_rules(struct sk_buff * skb,struct netlink_callback * cb)3622 static int nf_tables_dump_rules(struct sk_buff *skb,
3623 struct netlink_callback *cb)
3624 {
3625 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3626 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3627 struct nft_table *table;
3628 const struct nft_chain *chain;
3629 unsigned int idx = 0;
3630 struct net *net = sock_net(skb->sk);
3631 int family = nfmsg->nfgen_family;
3632 struct nftables_pernet *nft_net;
3633
3634 rcu_read_lock();
3635 nft_net = nft_pernet(net);
3636 cb->seq = READ_ONCE(nft_net->base_seq);
3637
3638 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3639 if (family != NFPROTO_UNSPEC && family != table->family)
3640 continue;
3641
3642 if (ctx->table && strcmp(ctx->table, table->name) != 0)
3643 continue;
3644
3645 if (ctx->table && ctx->chain) {
3646 struct rhlist_head *list, *tmp;
3647
3648 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3649 nft_chain_ht_params);
3650 if (!list)
3651 goto done;
3652
3653 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3654 if (!nft_is_active(net, chain))
3655 continue;
3656 __nf_tables_dump_rules(skb, &idx,
3657 cb, table, chain);
3658 break;
3659 }
3660 goto done;
3661 }
3662
3663 list_for_each_entry_rcu(chain, &table->chains, list) {
3664 if (__nf_tables_dump_rules(skb, &idx,
3665 cb, table, chain))
3666 goto done;
3667 }
3668
3669 if (ctx->table)
3670 break;
3671 }
3672 done:
3673 rcu_read_unlock();
3674
3675 ctx->s_idx = idx;
3676 return skb->len;
3677 }
3678
nf_tables_dumpreset_rules(struct sk_buff * skb,struct netlink_callback * cb)3679 static int nf_tables_dumpreset_rules(struct sk_buff *skb,
3680 struct netlink_callback *cb)
3681 {
3682 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
3683 int ret;
3684
3685 /* Mutex is held is to prevent that two concurrent dump-and-reset calls
3686 * do not underrun counters and quotas. The commit_mutex is used for
3687 * the lack a better lock, this is not transaction path.
3688 */
3689 mutex_lock(&nft_net->commit_mutex);
3690 ret = nf_tables_dump_rules(skb, cb);
3691 mutex_unlock(&nft_net->commit_mutex);
3692
3693 return ret;
3694 }
3695
nf_tables_dump_rules_start(struct netlink_callback * cb)3696 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3697 {
3698 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3699 const struct nlattr * const *nla = cb->data;
3700
3701 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
3702
3703 if (nla[NFTA_RULE_TABLE]) {
3704 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC);
3705 if (!ctx->table)
3706 return -ENOMEM;
3707 }
3708 if (nla[NFTA_RULE_CHAIN]) {
3709 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC);
3710 if (!ctx->chain) {
3711 kfree(ctx->table);
3712 return -ENOMEM;
3713 }
3714 }
3715 return 0;
3716 }
3717
nf_tables_dumpreset_rules_start(struct netlink_callback * cb)3718 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb)
3719 {
3720 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3721
3722 ctx->reset = true;
3723
3724 return nf_tables_dump_rules_start(cb);
3725 }
3726
nf_tables_dump_rules_done(struct netlink_callback * cb)3727 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3728 {
3729 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3730
3731 kfree(ctx->table);
3732 kfree(ctx->chain);
3733 return 0;
3734 }
3735
3736 /* called with rcu_read_lock held */
3737 static struct sk_buff *
nf_tables_getrule_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)3738 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3739 const struct nlattr * const nla[], bool reset)
3740 {
3741 struct netlink_ext_ack *extack = info->extack;
3742 u8 genmask = nft_genmask_cur(info->net);
3743 u8 family = info->nfmsg->nfgen_family;
3744 const struct nft_chain *chain;
3745 const struct nft_rule *rule;
3746 struct net *net = info->net;
3747 struct nft_table *table;
3748 struct sk_buff *skb2;
3749 int err;
3750
3751 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3752 if (IS_ERR(table)) {
3753 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3754 return ERR_CAST(table);
3755 }
3756
3757 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3758 if (IS_ERR(chain)) {
3759 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3760 return ERR_CAST(chain);
3761 }
3762
3763 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3764 if (IS_ERR(rule)) {
3765 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3766 return ERR_CAST(rule);
3767 }
3768
3769 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3770 if (!skb2)
3771 return ERR_PTR(-ENOMEM);
3772
3773 err = nf_tables_fill_rule_info(skb2, net, portid,
3774 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3775 family, table, chain, rule, 0, reset);
3776 if (err < 0) {
3777 kfree_skb(skb2);
3778 return ERR_PTR(err);
3779 }
3780
3781 return skb2;
3782 }
3783
nf_tables_getrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3784 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3785 const struct nlattr * const nla[])
3786 {
3787 u32 portid = NETLINK_CB(skb).portid;
3788 struct net *net = info->net;
3789 struct sk_buff *skb2;
3790
3791 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3792 struct netlink_dump_control c = {
3793 .start= nf_tables_dump_rules_start,
3794 .dump = nf_tables_dump_rules,
3795 .done = nf_tables_dump_rules_done,
3796 .module = THIS_MODULE,
3797 .data = (void *)nla,
3798 };
3799
3800 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3801 }
3802
3803 skb2 = nf_tables_getrule_single(portid, info, nla, false);
3804 if (IS_ERR(skb2))
3805 return PTR_ERR(skb2);
3806
3807 return nfnetlink_unicast(skb2, net, portid);
3808 }
3809
nf_tables_getrule_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3810 static int nf_tables_getrule_reset(struct sk_buff *skb,
3811 const struct nfnl_info *info,
3812 const struct nlattr * const nla[])
3813 {
3814 struct nftables_pernet *nft_net = nft_pernet(info->net);
3815 u32 portid = NETLINK_CB(skb).portid;
3816 struct net *net = info->net;
3817 struct sk_buff *skb2;
3818 char *buf;
3819
3820 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3821 struct netlink_dump_control c = {
3822 .start= nf_tables_dumpreset_rules_start,
3823 .dump = nf_tables_dumpreset_rules,
3824 .done = nf_tables_dump_rules_done,
3825 .module = THIS_MODULE,
3826 .data = (void *)nla,
3827 };
3828
3829 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3830 }
3831
3832 if (!try_module_get(THIS_MODULE))
3833 return -EINVAL;
3834 rcu_read_unlock();
3835 mutex_lock(&nft_net->commit_mutex);
3836 skb2 = nf_tables_getrule_single(portid, info, nla, true);
3837 mutex_unlock(&nft_net->commit_mutex);
3838 rcu_read_lock();
3839 module_put(THIS_MODULE);
3840
3841 if (IS_ERR(skb2))
3842 return PTR_ERR(skb2);
3843
3844 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
3845 nla_len(nla[NFTA_RULE_TABLE]),
3846 (char *)nla_data(nla[NFTA_RULE_TABLE]),
3847 nft_net->base_seq);
3848 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
3849 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3850 kfree(buf);
3851
3852 return nfnetlink_unicast(skb2, net, portid);
3853 }
3854
nf_tables_rule_destroy(const struct nft_ctx * ctx,struct nft_rule * rule)3855 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
3856 {
3857 struct nft_expr *expr, *next;
3858
3859 /*
3860 * Careful: some expressions might not be initialized in case this
3861 * is called on error from nf_tables_newrule().
3862 */
3863 expr = nft_expr_first(rule);
3864 while (nft_expr_more(rule, expr)) {
3865 next = nft_expr_next(expr);
3866 nf_tables_expr_destroy(ctx, expr);
3867 expr = next;
3868 }
3869 kfree(rule);
3870 }
3871
nf_tables_rule_release(const struct nft_ctx * ctx,struct nft_rule * rule)3872 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3873 {
3874 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3875 nf_tables_rule_destroy(ctx, rule);
3876 }
3877
3878 /** nft_chain_validate - loop detection and hook validation
3879 *
3880 * @ctx: context containing call depth and base chain
3881 * @chain: chain to validate
3882 *
3883 * Walk through the rules of the given chain and chase all jumps/gotos
3884 * and set lookups until either the jump limit is hit or all reachable
3885 * chains have been validated.
3886 */
nft_chain_validate(const struct nft_ctx * ctx,const struct nft_chain * chain)3887 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3888 {
3889 struct nft_expr *expr, *last;
3890 struct nft_rule *rule;
3891 int err;
3892
3893 if (ctx->level == NFT_JUMP_STACK_SIZE)
3894 return -EMLINK;
3895
3896 list_for_each_entry(rule, &chain->rules, list) {
3897 if (fatal_signal_pending(current))
3898 return -EINTR;
3899
3900 if (!nft_is_active_next(ctx->net, rule))
3901 continue;
3902
3903 nft_rule_for_each_expr(expr, last, rule) {
3904 if (!expr->ops->validate)
3905 continue;
3906
3907 /* This may call nft_chain_validate() recursively,
3908 * callers that do so must increment ctx->level.
3909 */
3910 err = expr->ops->validate(ctx, expr);
3911 if (err < 0)
3912 return err;
3913 }
3914 }
3915
3916 return 0;
3917 }
3918 EXPORT_SYMBOL_GPL(nft_chain_validate);
3919
nft_table_validate(struct net * net,const struct nft_table * table)3920 static int nft_table_validate(struct net *net, const struct nft_table *table)
3921 {
3922 struct nft_chain *chain;
3923 struct nft_ctx ctx = {
3924 .net = net,
3925 .family = table->family,
3926 };
3927 int err;
3928
3929 list_for_each_entry(chain, &table->chains, list) {
3930 if (!nft_is_base_chain(chain))
3931 continue;
3932
3933 ctx.chain = chain;
3934 err = nft_chain_validate(&ctx, chain);
3935 if (err < 0)
3936 return err;
3937
3938 cond_resched();
3939 }
3940
3941 return 0;
3942 }
3943
nft_setelem_validate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)3944 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3945 const struct nft_set_iter *iter,
3946 struct nft_elem_priv *elem_priv)
3947 {
3948 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
3949 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3950 const struct nft_data *data;
3951 int err;
3952
3953 if (!nft_set_elem_active(ext, iter->genmask))
3954 return 0;
3955
3956 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3957 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3958 return 0;
3959
3960 data = nft_set_ext_data(ext);
3961 switch (data->verdict.code) {
3962 case NFT_JUMP:
3963 case NFT_GOTO:
3964 pctx->level++;
3965 err = nft_chain_validate(ctx, data->verdict.chain);
3966 if (err < 0)
3967 return err;
3968 pctx->level--;
3969 break;
3970 default:
3971 break;
3972 }
3973
3974 return 0;
3975 }
3976
nft_set_catchall_validate(const struct nft_ctx * ctx,struct nft_set * set)3977 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3978 {
3979 struct nft_set_iter dummy_iter = {
3980 .genmask = nft_genmask_next(ctx->net),
3981 };
3982 struct nft_set_elem_catchall *catchall;
3983
3984 struct nft_set_ext *ext;
3985 int ret = 0;
3986
3987 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3988 ext = nft_set_elem_ext(set, catchall->elem);
3989 if (!nft_set_elem_active(ext, dummy_iter.genmask))
3990 continue;
3991
3992 ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem);
3993 if (ret < 0)
3994 return ret;
3995 }
3996
3997 return ret;
3998 }
3999
4000 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4001 const struct nft_chain *chain,
4002 const struct nlattr *nla);
4003
4004 #define NFT_RULE_MAXEXPRS 128
4005
nf_tables_newrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4006 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
4007 const struct nlattr * const nla[])
4008 {
4009 struct nftables_pernet *nft_net = nft_pernet(info->net);
4010 struct netlink_ext_ack *extack = info->extack;
4011 unsigned int size, i, n, ulen = 0, usize = 0;
4012 u8 genmask = nft_genmask_next(info->net);
4013 struct nft_rule *rule, *old_rule = NULL;
4014 struct nft_expr_info *expr_info = NULL;
4015 u8 family = info->nfmsg->nfgen_family;
4016 struct nft_flow_rule *flow = NULL;
4017 struct net *net = info->net;
4018 struct nft_userdata *udata;
4019 struct nft_table *table;
4020 struct nft_chain *chain;
4021 struct nft_trans *trans;
4022 u64 handle, pos_handle;
4023 struct nft_expr *expr;
4024 struct nft_ctx ctx;
4025 struct nlattr *tmp;
4026 int err, rem;
4027
4028 lockdep_assert_held(&nft_net->commit_mutex);
4029
4030 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4031 NETLINK_CB(skb).portid);
4032 if (IS_ERR(table)) {
4033 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4034 return PTR_ERR(table);
4035 }
4036
4037 if (nla[NFTA_RULE_CHAIN]) {
4038 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4039 genmask);
4040 if (IS_ERR(chain)) {
4041 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4042 return PTR_ERR(chain);
4043 }
4044
4045 } else if (nla[NFTA_RULE_CHAIN_ID]) {
4046 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
4047 genmask);
4048 if (IS_ERR(chain)) {
4049 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
4050 return PTR_ERR(chain);
4051 }
4052 } else {
4053 return -EINVAL;
4054 }
4055
4056 if (nft_chain_is_bound(chain))
4057 return -EOPNOTSUPP;
4058
4059 if (nla[NFTA_RULE_HANDLE]) {
4060 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
4061 rule = __nft_rule_lookup(chain, handle);
4062 if (IS_ERR(rule)) {
4063 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4064 return PTR_ERR(rule);
4065 }
4066
4067 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4068 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4069 return -EEXIST;
4070 }
4071 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4072 old_rule = rule;
4073 else
4074 return -EOPNOTSUPP;
4075 } else {
4076 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
4077 info->nlh->nlmsg_flags & NLM_F_REPLACE)
4078 return -EINVAL;
4079 handle = nf_tables_alloc_handle(table);
4080
4081 if (nla[NFTA_RULE_POSITION]) {
4082 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
4083 old_rule = __nft_rule_lookup(chain, pos_handle);
4084 if (IS_ERR(old_rule)) {
4085 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
4086 return PTR_ERR(old_rule);
4087 }
4088 } else if (nla[NFTA_RULE_POSITION_ID]) {
4089 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
4090 if (IS_ERR(old_rule)) {
4091 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
4092 return PTR_ERR(old_rule);
4093 }
4094 }
4095 }
4096
4097 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4098
4099 n = 0;
4100 size = 0;
4101 if (nla[NFTA_RULE_EXPRESSIONS]) {
4102 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
4103 sizeof(struct nft_expr_info),
4104 GFP_KERNEL);
4105 if (!expr_info)
4106 return -ENOMEM;
4107
4108 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
4109 err = -EINVAL;
4110 if (nla_type(tmp) != NFTA_LIST_ELEM)
4111 goto err_release_expr;
4112 if (n == NFT_RULE_MAXEXPRS)
4113 goto err_release_expr;
4114 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
4115 if (err < 0) {
4116 NL_SET_BAD_ATTR(extack, tmp);
4117 goto err_release_expr;
4118 }
4119 size += expr_info[n].ops->size;
4120 n++;
4121 }
4122 }
4123 /* Check for overflow of dlen field */
4124 err = -EFBIG;
4125 if (size >= 1 << 12)
4126 goto err_release_expr;
4127
4128 if (nla[NFTA_RULE_USERDATA]) {
4129 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
4130 if (ulen > 0)
4131 usize = sizeof(struct nft_userdata) + ulen;
4132 }
4133
4134 err = -ENOMEM;
4135 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
4136 if (rule == NULL)
4137 goto err_release_expr;
4138
4139 nft_activate_next(net, rule);
4140
4141 rule->handle = handle;
4142 rule->dlen = size;
4143 rule->udata = ulen ? 1 : 0;
4144
4145 if (ulen) {
4146 udata = nft_userdata(rule);
4147 udata->len = ulen - 1;
4148 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
4149 }
4150
4151 expr = nft_expr_first(rule);
4152 for (i = 0; i < n; i++) {
4153 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
4154 if (err < 0) {
4155 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4156 goto err_release_rule;
4157 }
4158
4159 if (expr_info[i].ops->validate)
4160 nft_validate_state_update(table, NFT_VALIDATE_NEED);
4161
4162 expr_info[i].ops = NULL;
4163 expr = nft_expr_next(expr);
4164 }
4165
4166 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4167 flow = nft_flow_rule_create(net, rule);
4168 if (IS_ERR(flow)) {
4169 err = PTR_ERR(flow);
4170 goto err_release_rule;
4171 }
4172 }
4173
4174 if (!nft_use_inc(&chain->use)) {
4175 err = -EMFILE;
4176 goto err_release_rule;
4177 }
4178
4179 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4180 if (nft_chain_binding(chain)) {
4181 err = -EOPNOTSUPP;
4182 goto err_destroy_flow_rule;
4183 }
4184
4185 err = nft_delrule(&ctx, old_rule);
4186 if (err < 0)
4187 goto err_destroy_flow_rule;
4188
4189 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4190 if (trans == NULL) {
4191 err = -ENOMEM;
4192 goto err_destroy_flow_rule;
4193 }
4194 list_add_tail_rcu(&rule->list, &old_rule->list);
4195 } else {
4196 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4197 if (!trans) {
4198 err = -ENOMEM;
4199 goto err_destroy_flow_rule;
4200 }
4201
4202 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4203 if (old_rule)
4204 list_add_rcu(&rule->list, &old_rule->list);
4205 else
4206 list_add_tail_rcu(&rule->list, &chain->rules);
4207 } else {
4208 if (old_rule)
4209 list_add_tail_rcu(&rule->list, &old_rule->list);
4210 else
4211 list_add_rcu(&rule->list, &chain->rules);
4212 }
4213 }
4214 kvfree(expr_info);
4215
4216 if (flow)
4217 nft_trans_flow_rule(trans) = flow;
4218
4219 if (table->validate_state == NFT_VALIDATE_DO)
4220 return nft_table_validate(net, table);
4221
4222 return 0;
4223
4224 err_destroy_flow_rule:
4225 nft_use_dec_restore(&chain->use);
4226 if (flow)
4227 nft_flow_rule_destroy(flow);
4228 err_release_rule:
4229 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
4230 nf_tables_rule_destroy(&ctx, rule);
4231 err_release_expr:
4232 for (i = 0; i < n; i++) {
4233 if (expr_info[i].ops) {
4234 module_put(expr_info[i].ops->type->owner);
4235 if (expr_info[i].ops->type->release_ops)
4236 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4237 }
4238 }
4239 kvfree(expr_info);
4240
4241 return err;
4242 }
4243
nft_rule_lookup_byid(const struct net * net,const struct nft_chain * chain,const struct nlattr * nla)4244 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4245 const struct nft_chain *chain,
4246 const struct nlattr *nla)
4247 {
4248 struct nftables_pernet *nft_net = nft_pernet(net);
4249 u32 id = ntohl(nla_get_be32(nla));
4250 struct nft_trans *trans;
4251
4252 list_for_each_entry(trans, &nft_net->commit_list, list) {
4253 if (trans->msg_type == NFT_MSG_NEWRULE &&
4254 nft_trans_rule_chain(trans) == chain &&
4255 id == nft_trans_rule_id(trans))
4256 return nft_trans_rule(trans);
4257 }
4258 return ERR_PTR(-ENOENT);
4259 }
4260
nf_tables_delrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4261 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4262 const struct nlattr * const nla[])
4263 {
4264 struct netlink_ext_ack *extack = info->extack;
4265 u8 genmask = nft_genmask_next(info->net);
4266 u8 family = info->nfmsg->nfgen_family;
4267 struct nft_chain *chain = NULL;
4268 struct net *net = info->net;
4269 struct nft_table *table;
4270 struct nft_rule *rule;
4271 struct nft_ctx ctx;
4272 int err = 0;
4273
4274 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4275 NETLINK_CB(skb).portid);
4276 if (IS_ERR(table)) {
4277 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4278 return PTR_ERR(table);
4279 }
4280
4281 if (nla[NFTA_RULE_CHAIN]) {
4282 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4283 genmask);
4284 if (IS_ERR(chain)) {
4285 if (PTR_ERR(chain) == -ENOENT &&
4286 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4287 return 0;
4288
4289 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4290 return PTR_ERR(chain);
4291 }
4292 if (nft_chain_binding(chain))
4293 return -EOPNOTSUPP;
4294 }
4295
4296 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4297
4298 if (chain) {
4299 if (nla[NFTA_RULE_HANDLE]) {
4300 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
4301 if (IS_ERR(rule)) {
4302 if (PTR_ERR(rule) == -ENOENT &&
4303 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4304 return 0;
4305
4306 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4307 return PTR_ERR(rule);
4308 }
4309
4310 err = nft_delrule(&ctx, rule);
4311 } else if (nla[NFTA_RULE_ID]) {
4312 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
4313 if (IS_ERR(rule)) {
4314 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4315 return PTR_ERR(rule);
4316 }
4317
4318 err = nft_delrule(&ctx, rule);
4319 } else {
4320 err = nft_delrule_by_chain(&ctx);
4321 }
4322 } else {
4323 list_for_each_entry(chain, &table->chains, list) {
4324 if (!nft_is_active_next(net, chain))
4325 continue;
4326 if (nft_chain_binding(chain))
4327 continue;
4328
4329 ctx.chain = chain;
4330 err = nft_delrule_by_chain(&ctx);
4331 if (err < 0)
4332 break;
4333 }
4334 }
4335
4336 return err;
4337 }
4338
4339 /*
4340 * Sets
4341 */
4342 static const struct nft_set_type *nft_set_types[] = {
4343 &nft_set_hash_fast_type,
4344 &nft_set_hash_type,
4345 &nft_set_rhash_type,
4346 &nft_set_bitmap_type,
4347 &nft_set_rbtree_type,
4348 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4349 &nft_set_pipapo_avx2_type,
4350 #endif
4351 &nft_set_pipapo_type,
4352 };
4353
4354 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4355 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4356 NFT_SET_EVAL)
4357
nft_set_ops_candidate(const struct nft_set_type * type,u32 flags)4358 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4359 {
4360 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4361 }
4362
4363 /*
4364 * Select a set implementation based on the data characteristics and the
4365 * given policy. The total memory use might not be known if no size is
4366 * given, in that case the amount of memory per element is used.
4367 */
4368 static const struct nft_set_ops *
nft_select_set_ops(const struct nft_ctx * ctx,u32 flags,const struct nft_set_desc * desc)4369 nft_select_set_ops(const struct nft_ctx *ctx, u32 flags,
4370 const struct nft_set_desc *desc)
4371 {
4372 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4373 const struct nft_set_ops *ops, *bops;
4374 struct nft_set_estimate est, best;
4375 const struct nft_set_type *type;
4376 int i;
4377
4378 lockdep_assert_held(&nft_net->commit_mutex);
4379 lockdep_nfnl_nft_mutex_not_held();
4380
4381 bops = NULL;
4382 best.size = ~0;
4383 best.lookup = ~0;
4384 best.space = ~0;
4385
4386 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4387 type = nft_set_types[i];
4388 ops = &type->ops;
4389
4390 if (!nft_set_ops_candidate(type, flags))
4391 continue;
4392 if (!ops->estimate(desc, flags, &est))
4393 continue;
4394
4395 switch (desc->policy) {
4396 case NFT_SET_POL_PERFORMANCE:
4397 if (est.lookup < best.lookup)
4398 break;
4399 if (est.lookup == best.lookup &&
4400 est.space < best.space)
4401 break;
4402 continue;
4403 case NFT_SET_POL_MEMORY:
4404 if (!desc->size) {
4405 if (est.space < best.space)
4406 break;
4407 if (est.space == best.space &&
4408 est.lookup < best.lookup)
4409 break;
4410 } else if (est.size < best.size || !bops) {
4411 break;
4412 }
4413 continue;
4414 default:
4415 break;
4416 }
4417
4418 bops = ops;
4419 best = est;
4420 }
4421
4422 if (bops != NULL)
4423 return bops;
4424
4425 return ERR_PTR(-EOPNOTSUPP);
4426 }
4427
4428 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4429 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4430 .len = NFT_TABLE_MAXNAMELEN - 1 },
4431 [NFTA_SET_NAME] = { .type = NLA_STRING,
4432 .len = NFT_SET_MAXNAMELEN - 1 },
4433 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4434 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4435 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4436 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4437 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4438 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4439 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4440 [NFTA_SET_ID] = { .type = NLA_U32 },
4441 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4442 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4443 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4444 .len = NFT_USERDATA_MAXLEN },
4445 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4446 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4447 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4448 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
4449 };
4450
4451 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4452 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4453 };
4454
4455 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4456 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4457 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
4458 };
4459
nft_set_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4460 static struct nft_set *nft_set_lookup(const struct nft_table *table,
4461 const struct nlattr *nla, u8 genmask)
4462 {
4463 struct nft_set *set;
4464
4465 if (nla == NULL)
4466 return ERR_PTR(-EINVAL);
4467
4468 list_for_each_entry_rcu(set, &table->sets, list) {
4469 if (!nla_strcmp(nla, set->name) &&
4470 nft_active_genmask(set, genmask))
4471 return set;
4472 }
4473 return ERR_PTR(-ENOENT);
4474 }
4475
nft_set_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4476 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4477 const struct nlattr *nla,
4478 u8 genmask)
4479 {
4480 struct nft_set *set;
4481
4482 list_for_each_entry(set, &table->sets, list) {
4483 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4484 nft_active_genmask(set, genmask))
4485 return set;
4486 }
4487 return ERR_PTR(-ENOENT);
4488 }
4489
nft_set_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)4490 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4491 const struct nft_table *table,
4492 const struct nlattr *nla, u8 genmask)
4493 {
4494 struct nftables_pernet *nft_net = nft_pernet(net);
4495 u32 id = ntohl(nla_get_be32(nla));
4496 struct nft_trans_set *trans;
4497
4498 /* its likely the id we need is at the tail, not at start */
4499 list_for_each_entry_reverse(trans, &nft_net->commit_set_list, list_trans_newset) {
4500 struct nft_set *set = trans->set;
4501
4502 if (id == trans->set_id &&
4503 set->table == table &&
4504 nft_active_genmask(set, genmask))
4505 return set;
4506 }
4507 return ERR_PTR(-ENOENT);
4508 }
4509
nft_set_lookup_global(const struct net * net,const struct nft_table * table,const struct nlattr * nla_set_name,const struct nlattr * nla_set_id,u8 genmask)4510 struct nft_set *nft_set_lookup_global(const struct net *net,
4511 const struct nft_table *table,
4512 const struct nlattr *nla_set_name,
4513 const struct nlattr *nla_set_id,
4514 u8 genmask)
4515 {
4516 struct nft_set *set;
4517
4518 set = nft_set_lookup(table, nla_set_name, genmask);
4519 if (IS_ERR(set)) {
4520 if (!nla_set_id)
4521 return set;
4522
4523 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4524 }
4525 return set;
4526 }
4527 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4528
nf_tables_set_alloc_name(struct nft_ctx * ctx,struct nft_set * set,const char * name)4529 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4530 const char *name)
4531 {
4532 const struct nft_set *i;
4533 const char *p;
4534 unsigned long *inuse;
4535 unsigned int n = 0, min = 0;
4536
4537 p = strchr(name, '%');
4538 if (p != NULL) {
4539 if (p[1] != 'd' || strchr(p + 2, '%'))
4540 return -EINVAL;
4541
4542 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)
4543 return -EINVAL;
4544
4545 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4546 if (inuse == NULL)
4547 return -ENOMEM;
4548 cont:
4549 list_for_each_entry(i, &ctx->table->sets, list) {
4550 int tmp;
4551
4552 if (!nft_is_active_next(ctx->net, i))
4553 continue;
4554 if (!sscanf(i->name, name, &tmp))
4555 continue;
4556 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4557 continue;
4558
4559 set_bit(tmp - min, inuse);
4560 }
4561
4562 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4563 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4564 min += BITS_PER_BYTE * PAGE_SIZE;
4565 memset(inuse, 0, PAGE_SIZE);
4566 goto cont;
4567 }
4568 free_page((unsigned long)inuse);
4569 }
4570
4571 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4572 if (!set->name)
4573 return -ENOMEM;
4574
4575 list_for_each_entry(i, &ctx->table->sets, list) {
4576 if (!nft_is_active_next(ctx->net, i))
4577 continue;
4578 if (!strcmp(set->name, i->name)) {
4579 kfree(set->name);
4580 set->name = NULL;
4581 return -ENFILE;
4582 }
4583 }
4584 return 0;
4585 }
4586
nf_msecs_to_jiffies64(const struct nlattr * nla,u64 * result)4587 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4588 {
4589 u64 ms = be64_to_cpu(nla_get_be64(nla));
4590 u64 max = (u64)(~((u64)0));
4591
4592 max = div_u64(max, NSEC_PER_MSEC);
4593 if (ms >= max)
4594 return -ERANGE;
4595
4596 ms *= NSEC_PER_MSEC;
4597 *result = nsecs_to_jiffies64(ms) ? : !!ms;
4598 return 0;
4599 }
4600
nf_jiffies64_to_msecs(u64 input)4601 __be64 nf_jiffies64_to_msecs(u64 input)
4602 {
4603 return cpu_to_be64(jiffies64_to_msecs(input));
4604 }
4605
nf_tables_fill_set_concat(struct sk_buff * skb,const struct nft_set * set)4606 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4607 const struct nft_set *set)
4608 {
4609 struct nlattr *concat, *field;
4610 int i;
4611
4612 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4613 if (!concat)
4614 return -ENOMEM;
4615
4616 for (i = 0; i < set->field_count; i++) {
4617 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4618 if (!field)
4619 return -ENOMEM;
4620
4621 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4622 htonl(set->field_len[i])))
4623 return -ENOMEM;
4624
4625 nla_nest_end(skb, field);
4626 }
4627
4628 nla_nest_end(skb, concat);
4629
4630 return 0;
4631 }
4632
nf_tables_fill_set(struct sk_buff * skb,const struct nft_ctx * ctx,const struct nft_set * set,u16 event,u16 flags)4633 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4634 const struct nft_set *set, u16 event, u16 flags)
4635 {
4636 u64 timeout = READ_ONCE(set->timeout);
4637 u32 gc_int = READ_ONCE(set->gc_int);
4638 u32 portid = ctx->portid;
4639 struct nlmsghdr *nlh;
4640 struct nlattr *nest;
4641 u32 seq = ctx->seq;
4642 int i;
4643
4644 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4645 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4646 NFNETLINK_V0, nft_base_seq(ctx->net));
4647 if (!nlh)
4648 goto nla_put_failure;
4649
4650 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4651 goto nla_put_failure;
4652 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4653 goto nla_put_failure;
4654 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4655 NFTA_SET_PAD))
4656 goto nla_put_failure;
4657
4658 if (event == NFT_MSG_DELSET) {
4659 nlmsg_end(skb, nlh);
4660 return 0;
4661 }
4662
4663 if (set->flags != 0)
4664 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4665 goto nla_put_failure;
4666
4667 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4668 goto nla_put_failure;
4669 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4670 goto nla_put_failure;
4671 if (set->flags & NFT_SET_MAP) {
4672 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4673 goto nla_put_failure;
4674 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4675 goto nla_put_failure;
4676 }
4677 if (set->flags & NFT_SET_OBJECT &&
4678 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4679 goto nla_put_failure;
4680
4681 if (timeout &&
4682 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4683 nf_jiffies64_to_msecs(timeout),
4684 NFTA_SET_PAD))
4685 goto nla_put_failure;
4686 if (gc_int &&
4687 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4688 goto nla_put_failure;
4689
4690 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4691 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4692 goto nla_put_failure;
4693 }
4694
4695 if (set->udata &&
4696 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4697 goto nla_put_failure;
4698
4699 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4700 if (!nest)
4701 goto nla_put_failure;
4702 if (set->size &&
4703 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4704 goto nla_put_failure;
4705
4706 if (set->field_count > 1 &&
4707 nf_tables_fill_set_concat(skb, set))
4708 goto nla_put_failure;
4709
4710 nla_nest_end(skb, nest);
4711
4712 if (set->num_exprs == 1) {
4713 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4714 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4715 goto nla_put_failure;
4716
4717 nla_nest_end(skb, nest);
4718 } else if (set->num_exprs > 1) {
4719 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4720 if (nest == NULL)
4721 goto nla_put_failure;
4722
4723 for (i = 0; i < set->num_exprs; i++) {
4724 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4725 set->exprs[i], false) < 0)
4726 goto nla_put_failure;
4727 }
4728 nla_nest_end(skb, nest);
4729 }
4730
4731 nlmsg_end(skb, nlh);
4732 return 0;
4733
4734 nla_put_failure:
4735 nlmsg_trim(skb, nlh);
4736 return -1;
4737 }
4738
nf_tables_set_notify(const struct nft_ctx * ctx,const struct nft_set * set,int event,gfp_t gfp_flags)4739 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4740 const struct nft_set *set, int event,
4741 gfp_t gfp_flags)
4742 {
4743 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4744 u32 portid = ctx->portid;
4745 struct sk_buff *skb;
4746 u16 flags = 0;
4747 int err;
4748
4749 if (!ctx->report &&
4750 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4751 return;
4752
4753 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4754 if (skb == NULL)
4755 goto err;
4756
4757 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4758 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4759
4760 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4761 if (err < 0) {
4762 kfree_skb(skb);
4763 goto err;
4764 }
4765
4766 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4767 return;
4768 err:
4769 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4770 }
4771
nf_tables_dump_sets(struct sk_buff * skb,struct netlink_callback * cb)4772 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4773 {
4774 const struct nft_set *set;
4775 unsigned int idx, s_idx = cb->args[0];
4776 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4777 struct net *net = sock_net(skb->sk);
4778 struct nft_ctx *ctx = cb->data, ctx_set;
4779 struct nftables_pernet *nft_net;
4780
4781 if (cb->args[1])
4782 return skb->len;
4783
4784 rcu_read_lock();
4785 nft_net = nft_pernet(net);
4786 cb->seq = READ_ONCE(nft_net->base_seq);
4787
4788 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4789 if (ctx->family != NFPROTO_UNSPEC &&
4790 ctx->family != table->family)
4791 continue;
4792
4793 if (ctx->table && ctx->table != table)
4794 continue;
4795
4796 if (cur_table) {
4797 if (cur_table != table)
4798 continue;
4799
4800 cur_table = NULL;
4801 }
4802 idx = 0;
4803 list_for_each_entry_rcu(set, &table->sets, list) {
4804 if (idx < s_idx)
4805 goto cont;
4806 if (!nft_is_active(net, set))
4807 goto cont;
4808
4809 ctx_set = *ctx;
4810 ctx_set.table = table;
4811 ctx_set.family = table->family;
4812
4813 if (nf_tables_fill_set(skb, &ctx_set, set,
4814 NFT_MSG_NEWSET,
4815 NLM_F_MULTI) < 0) {
4816 cb->args[0] = idx;
4817 cb->args[2] = (unsigned long) table;
4818 goto done;
4819 }
4820 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4821 cont:
4822 idx++;
4823 }
4824 if (s_idx)
4825 s_idx = 0;
4826 }
4827 cb->args[1] = 1;
4828 done:
4829 rcu_read_unlock();
4830 return skb->len;
4831 }
4832
nf_tables_dump_sets_start(struct netlink_callback * cb)4833 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4834 {
4835 struct nft_ctx *ctx_dump = NULL;
4836
4837 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4838 if (ctx_dump == NULL)
4839 return -ENOMEM;
4840
4841 cb->data = ctx_dump;
4842 return 0;
4843 }
4844
nf_tables_dump_sets_done(struct netlink_callback * cb)4845 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4846 {
4847 kfree(cb->data);
4848 return 0;
4849 }
4850
4851 /* called with rcu_read_lock held */
nf_tables_getset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4852 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4853 const struct nlattr * const nla[])
4854 {
4855 struct netlink_ext_ack *extack = info->extack;
4856 u8 genmask = nft_genmask_cur(info->net);
4857 u8 family = info->nfmsg->nfgen_family;
4858 struct nft_table *table = NULL;
4859 struct net *net = info->net;
4860 const struct nft_set *set;
4861 struct sk_buff *skb2;
4862 struct nft_ctx ctx;
4863 int err;
4864
4865 if (nla[NFTA_SET_TABLE]) {
4866 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4867 genmask, 0);
4868 if (IS_ERR(table)) {
4869 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4870 return PTR_ERR(table);
4871 }
4872 }
4873
4874 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4875
4876 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4877 struct netlink_dump_control c = {
4878 .start = nf_tables_dump_sets_start,
4879 .dump = nf_tables_dump_sets,
4880 .done = nf_tables_dump_sets_done,
4881 .data = &ctx,
4882 .module = THIS_MODULE,
4883 };
4884
4885 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4886 }
4887
4888 /* Only accept unspec with dump */
4889 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4890 return -EAFNOSUPPORT;
4891 if (!nla[NFTA_SET_TABLE])
4892 return -EINVAL;
4893
4894 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4895 if (IS_ERR(set)) {
4896 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4897 return PTR_ERR(set);
4898 }
4899
4900 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4901 if (skb2 == NULL)
4902 return -ENOMEM;
4903
4904 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4905 if (err < 0)
4906 goto err_fill_set_info;
4907
4908 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4909
4910 err_fill_set_info:
4911 kfree_skb(skb2);
4912 return err;
4913 }
4914
nft_set_desc_concat_parse(const struct nlattr * attr,struct nft_set_desc * desc)4915 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4916 struct nft_set_desc *desc)
4917 {
4918 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4919 u32 len;
4920 int err;
4921
4922 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4923 return -E2BIG;
4924
4925 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4926 nft_concat_policy, NULL);
4927 if (err < 0)
4928 return err;
4929
4930 if (!tb[NFTA_SET_FIELD_LEN])
4931 return -EINVAL;
4932
4933 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4934 if (!len || len > U8_MAX)
4935 return -EINVAL;
4936
4937 desc->field_len[desc->field_count++] = len;
4938
4939 return 0;
4940 }
4941
nft_set_desc_concat(struct nft_set_desc * desc,const struct nlattr * nla)4942 static int nft_set_desc_concat(struct nft_set_desc *desc,
4943 const struct nlattr *nla)
4944 {
4945 u32 num_regs = 0, key_num_regs = 0;
4946 struct nlattr *attr;
4947 int rem, err, i;
4948
4949 nla_for_each_nested(attr, nla, rem) {
4950 if (nla_type(attr) != NFTA_LIST_ELEM)
4951 return -EINVAL;
4952
4953 err = nft_set_desc_concat_parse(attr, desc);
4954 if (err < 0)
4955 return err;
4956 }
4957
4958 for (i = 0; i < desc->field_count; i++)
4959 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4960
4961 key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
4962 if (key_num_regs != num_regs)
4963 return -EINVAL;
4964
4965 if (num_regs > NFT_REG32_COUNT)
4966 return -E2BIG;
4967
4968 return 0;
4969 }
4970
nf_tables_set_desc_parse(struct nft_set_desc * desc,const struct nlattr * nla)4971 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4972 const struct nlattr *nla)
4973 {
4974 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4975 int err;
4976
4977 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4978 nft_set_desc_policy, NULL);
4979 if (err < 0)
4980 return err;
4981
4982 if (da[NFTA_SET_DESC_SIZE] != NULL)
4983 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4984 if (da[NFTA_SET_DESC_CONCAT])
4985 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4986
4987 return err;
4988 }
4989
nft_set_expr_alloc(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * const * nla,struct nft_expr ** exprs,int * num_exprs,u32 flags)4990 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4991 const struct nlattr * const *nla,
4992 struct nft_expr **exprs, int *num_exprs,
4993 u32 flags)
4994 {
4995 struct nft_expr *expr;
4996 int err, i;
4997
4998 if (nla[NFTA_SET_EXPR]) {
4999 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
5000 if (IS_ERR(expr)) {
5001 err = PTR_ERR(expr);
5002 goto err_set_expr_alloc;
5003 }
5004 exprs[0] = expr;
5005 (*num_exprs)++;
5006 } else if (nla[NFTA_SET_EXPRESSIONS]) {
5007 struct nlattr *tmp;
5008 int left;
5009
5010 if (!(flags & NFT_SET_EXPR)) {
5011 err = -EINVAL;
5012 goto err_set_expr_alloc;
5013 }
5014 i = 0;
5015 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
5016 if (i == NFT_SET_EXPR_MAX) {
5017 err = -E2BIG;
5018 goto err_set_expr_alloc;
5019 }
5020 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5021 err = -EINVAL;
5022 goto err_set_expr_alloc;
5023 }
5024 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5025 if (IS_ERR(expr)) {
5026 err = PTR_ERR(expr);
5027 goto err_set_expr_alloc;
5028 }
5029 exprs[i++] = expr;
5030 (*num_exprs)++;
5031 }
5032 }
5033
5034 return 0;
5035
5036 err_set_expr_alloc:
5037 for (i = 0; i < *num_exprs; i++)
5038 nft_expr_destroy(ctx, exprs[i]);
5039
5040 return err;
5041 }
5042
nft_set_is_same(const struct nft_set * set,const struct nft_set_desc * desc,struct nft_expr * exprs[],u32 num_exprs,u32 flags)5043 static bool nft_set_is_same(const struct nft_set *set,
5044 const struct nft_set_desc *desc,
5045 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
5046 {
5047 int i;
5048
5049 if (set->ktype != desc->ktype ||
5050 set->dtype != desc->dtype ||
5051 set->flags != flags ||
5052 set->klen != desc->klen ||
5053 set->dlen != desc->dlen ||
5054 set->field_count != desc->field_count ||
5055 set->num_exprs != num_exprs)
5056 return false;
5057
5058 for (i = 0; i < desc->field_count; i++) {
5059 if (set->field_len[i] != desc->field_len[i])
5060 return false;
5061 }
5062
5063 for (i = 0; i < num_exprs; i++) {
5064 if (set->exprs[i]->ops != exprs[i]->ops)
5065 return false;
5066 }
5067
5068 return true;
5069 }
5070
nf_tables_newset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5071 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
5072 const struct nlattr * const nla[])
5073 {
5074 struct netlink_ext_ack *extack = info->extack;
5075 u8 genmask = nft_genmask_next(info->net);
5076 u8 family = info->nfmsg->nfgen_family;
5077 const struct nft_set_ops *ops;
5078 struct net *net = info->net;
5079 struct nft_set_desc desc;
5080 struct nft_table *table;
5081 unsigned char *udata;
5082 struct nft_set *set;
5083 struct nft_ctx ctx;
5084 size_t alloc_size;
5085 int num_exprs = 0;
5086 char *name;
5087 int err, i;
5088 u16 udlen;
5089 u32 flags;
5090 u64 size;
5091
5092 if (nla[NFTA_SET_TABLE] == NULL ||
5093 nla[NFTA_SET_NAME] == NULL ||
5094 nla[NFTA_SET_KEY_LEN] == NULL ||
5095 nla[NFTA_SET_ID] == NULL)
5096 return -EINVAL;
5097
5098 memset(&desc, 0, sizeof(desc));
5099
5100 desc.ktype = NFT_DATA_VALUE;
5101 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
5102 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
5103 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
5104 return -EINVAL;
5105 }
5106
5107 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
5108 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
5109 return -EINVAL;
5110
5111 flags = 0;
5112 if (nla[NFTA_SET_FLAGS] != NULL) {
5113 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
5114 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
5115 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
5116 NFT_SET_MAP | NFT_SET_EVAL |
5117 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
5118 return -EOPNOTSUPP;
5119 /* Only one of these operations is supported */
5120 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
5121 (NFT_SET_MAP | NFT_SET_OBJECT))
5122 return -EOPNOTSUPP;
5123 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
5124 (NFT_SET_EVAL | NFT_SET_OBJECT))
5125 return -EOPNOTSUPP;
5126 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
5127 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
5128 return -EOPNOTSUPP;
5129 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
5130 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
5131 return -EOPNOTSUPP;
5132 }
5133
5134 desc.dtype = 0;
5135 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
5136 if (!(flags & NFT_SET_MAP))
5137 return -EINVAL;
5138
5139 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
5140 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
5141 desc.dtype != NFT_DATA_VERDICT)
5142 return -EINVAL;
5143
5144 if (desc.dtype != NFT_DATA_VERDICT) {
5145 if (nla[NFTA_SET_DATA_LEN] == NULL)
5146 return -EINVAL;
5147 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
5148 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
5149 return -EINVAL;
5150 } else
5151 desc.dlen = sizeof(struct nft_verdict);
5152 } else if (flags & NFT_SET_MAP)
5153 return -EINVAL;
5154
5155 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5156 if (!(flags & NFT_SET_OBJECT))
5157 return -EINVAL;
5158
5159 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5160 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5161 desc.objtype > NFT_OBJECT_MAX)
5162 return -EOPNOTSUPP;
5163 } else if (flags & NFT_SET_OBJECT)
5164 return -EINVAL;
5165 else
5166 desc.objtype = NFT_OBJECT_UNSPEC;
5167
5168 desc.timeout = 0;
5169 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5170 if (!(flags & NFT_SET_TIMEOUT))
5171 return -EINVAL;
5172
5173 if (flags & NFT_SET_ANONYMOUS)
5174 return -EOPNOTSUPP;
5175
5176 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
5177 if (err)
5178 return err;
5179 }
5180 desc.gc_int = 0;
5181 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5182 if (!(flags & NFT_SET_TIMEOUT))
5183 return -EINVAL;
5184
5185 if (flags & NFT_SET_ANONYMOUS)
5186 return -EOPNOTSUPP;
5187
5188 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5189 }
5190
5191 desc.policy = NFT_SET_POL_PERFORMANCE;
5192 if (nla[NFTA_SET_POLICY] != NULL) {
5193 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5194 switch (desc.policy) {
5195 case NFT_SET_POL_PERFORMANCE:
5196 case NFT_SET_POL_MEMORY:
5197 break;
5198 default:
5199 return -EOPNOTSUPP;
5200 }
5201 }
5202
5203 if (nla[NFTA_SET_DESC] != NULL) {
5204 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
5205 if (err < 0)
5206 return err;
5207
5208 if (desc.field_count > 1) {
5209 if (!(flags & NFT_SET_CONCAT))
5210 return -EINVAL;
5211 } else if (flags & NFT_SET_CONCAT) {
5212 return -EINVAL;
5213 }
5214 } else if (flags & NFT_SET_CONCAT) {
5215 return -EINVAL;
5216 }
5217
5218 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5219 desc.expr = true;
5220
5221 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
5222 NETLINK_CB(skb).portid);
5223 if (IS_ERR(table)) {
5224 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5225 return PTR_ERR(table);
5226 }
5227
5228 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5229
5230 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
5231 if (IS_ERR(set)) {
5232 if (PTR_ERR(set) != -ENOENT) {
5233 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5234 return PTR_ERR(set);
5235 }
5236 } else {
5237 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5238
5239 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5240 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5241 return -EEXIST;
5242 }
5243 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5244 return -EOPNOTSUPP;
5245
5246 if (nft_set_is_anonymous(set))
5247 return -EOPNOTSUPP;
5248
5249 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
5250 if (err < 0)
5251 return err;
5252
5253 err = 0;
5254 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
5255 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5256 err = -EEXIST;
5257 }
5258
5259 for (i = 0; i < num_exprs; i++)
5260 nft_expr_destroy(&ctx, exprs[i]);
5261
5262 if (err < 0)
5263 return err;
5264
5265 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
5266 }
5267
5268 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5269 return -ENOENT;
5270
5271 ops = nft_select_set_ops(&ctx, flags, &desc);
5272 if (IS_ERR(ops))
5273 return PTR_ERR(ops);
5274
5275 udlen = 0;
5276 if (nla[NFTA_SET_USERDATA])
5277 udlen = nla_len(nla[NFTA_SET_USERDATA]);
5278
5279 size = 0;
5280 if (ops->privsize != NULL)
5281 size = ops->privsize(nla, &desc);
5282 alloc_size = sizeof(*set) + size + udlen;
5283 if (alloc_size < size || alloc_size > INT_MAX)
5284 return -ENOMEM;
5285
5286 if (!nft_use_inc(&table->use))
5287 return -EMFILE;
5288
5289 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
5290 if (!set) {
5291 err = -ENOMEM;
5292 goto err_alloc;
5293 }
5294
5295 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5296 if (!name) {
5297 err = -ENOMEM;
5298 goto err_set_name;
5299 }
5300
5301 err = nf_tables_set_alloc_name(&ctx, set, name);
5302 kfree(name);
5303 if (err < 0)
5304 goto err_set_name;
5305
5306 udata = NULL;
5307 if (udlen) {
5308 udata = set->data + size;
5309 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
5310 }
5311
5312 INIT_LIST_HEAD(&set->bindings);
5313 INIT_LIST_HEAD(&set->catchall_list);
5314 refcount_set(&set->refs, 1);
5315 set->table = table;
5316 write_pnet(&set->net, net);
5317 set->ops = ops;
5318 set->ktype = desc.ktype;
5319 set->klen = desc.klen;
5320 set->dtype = desc.dtype;
5321 set->objtype = desc.objtype;
5322 set->dlen = desc.dlen;
5323 set->flags = flags;
5324 set->size = desc.size;
5325 set->policy = desc.policy;
5326 set->udlen = udlen;
5327 set->udata = udata;
5328 set->timeout = desc.timeout;
5329 set->gc_int = desc.gc_int;
5330
5331 set->field_count = desc.field_count;
5332 for (i = 0; i < desc.field_count; i++)
5333 set->field_len[i] = desc.field_len[i];
5334
5335 err = ops->init(set, &desc, nla);
5336 if (err < 0)
5337 goto err_set_init;
5338
5339 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
5340 if (err < 0)
5341 goto err_set_destroy;
5342
5343 set->num_exprs = num_exprs;
5344 set->handle = nf_tables_alloc_handle(table);
5345 INIT_LIST_HEAD(&set->pending_update);
5346
5347 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
5348 if (err < 0)
5349 goto err_set_expr_alloc;
5350
5351 list_add_tail_rcu(&set->list, &table->sets);
5352
5353 return 0;
5354
5355 err_set_expr_alloc:
5356 for (i = 0; i < set->num_exprs; i++)
5357 nft_expr_destroy(&ctx, set->exprs[i]);
5358 err_set_destroy:
5359 ops->destroy(&ctx, set);
5360 err_set_init:
5361 kfree(set->name);
5362 err_set_name:
5363 kvfree(set);
5364 err_alloc:
5365 nft_use_dec_restore(&table->use);
5366
5367 return err;
5368 }
5369
nft_set_catchall_destroy(const struct nft_ctx * ctx,struct nft_set * set)5370 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5371 struct nft_set *set)
5372 {
5373 struct nft_set_elem_catchall *next, *catchall;
5374
5375 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5376 list_del_rcu(&catchall->list);
5377 nf_tables_set_elem_destroy(ctx, set, catchall->elem);
5378 kfree_rcu(catchall, rcu);
5379 }
5380 }
5381
nft_set_put(struct nft_set * set)5382 static void nft_set_put(struct nft_set *set)
5383 {
5384 if (refcount_dec_and_test(&set->refs)) {
5385 kfree(set->name);
5386 kvfree(set);
5387 }
5388 }
5389
nft_set_destroy(const struct nft_ctx * ctx,struct nft_set * set)5390 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5391 {
5392 int i;
5393
5394 if (WARN_ON(set->use > 0))
5395 return;
5396
5397 for (i = 0; i < set->num_exprs; i++)
5398 nft_expr_destroy(ctx, set->exprs[i]);
5399
5400 set->ops->destroy(ctx, set);
5401 nft_set_catchall_destroy(ctx, set);
5402 nft_set_put(set);
5403 }
5404
nf_tables_delset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5405 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5406 const struct nlattr * const nla[])
5407 {
5408 struct netlink_ext_ack *extack = info->extack;
5409 u8 genmask = nft_genmask_next(info->net);
5410 u8 family = info->nfmsg->nfgen_family;
5411 struct net *net = info->net;
5412 const struct nlattr *attr;
5413 struct nft_table *table;
5414 struct nft_set *set;
5415 struct nft_ctx ctx;
5416
5417 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5418 return -EAFNOSUPPORT;
5419
5420 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5421 genmask, NETLINK_CB(skb).portid);
5422 if (IS_ERR(table)) {
5423 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5424 return PTR_ERR(table);
5425 }
5426
5427 if (nla[NFTA_SET_HANDLE]) {
5428 attr = nla[NFTA_SET_HANDLE];
5429 set = nft_set_lookup_byhandle(table, attr, genmask);
5430 } else {
5431 attr = nla[NFTA_SET_NAME];
5432 set = nft_set_lookup(table, attr, genmask);
5433 }
5434
5435 if (IS_ERR(set)) {
5436 if (PTR_ERR(set) == -ENOENT &&
5437 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5438 return 0;
5439
5440 NL_SET_BAD_ATTR(extack, attr);
5441 return PTR_ERR(set);
5442 }
5443 if (set->use ||
5444 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5445 atomic_read(&set->nelems) > 0)) {
5446 NL_SET_BAD_ATTR(extack, attr);
5447 return -EBUSY;
5448 }
5449
5450 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5451
5452 return nft_delset(&ctx, set);
5453 }
5454
5455 static int nft_validate_register_store(const struct nft_ctx *ctx,
5456 enum nft_registers reg,
5457 const struct nft_data *data,
5458 enum nft_data_types type,
5459 unsigned int len);
5460
nft_setelem_data_validate(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)5461 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5462 struct nft_set *set,
5463 struct nft_elem_priv *elem_priv)
5464 {
5465 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5466 enum nft_registers dreg;
5467
5468 dreg = nft_type_to_reg(set->dtype);
5469 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5470 set->dtype == NFT_DATA_VERDICT ?
5471 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5472 set->dlen);
5473 }
5474
nf_tables_bind_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5475 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5476 struct nft_set *set,
5477 const struct nft_set_iter *iter,
5478 struct nft_elem_priv *elem_priv)
5479 {
5480 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5481
5482 if (!nft_set_elem_active(ext, iter->genmask))
5483 return 0;
5484
5485 return nft_setelem_data_validate(ctx, set, elem_priv);
5486 }
5487
nft_set_catchall_bind_check(const struct nft_ctx * ctx,struct nft_set * set)5488 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5489 struct nft_set *set)
5490 {
5491 u8 genmask = nft_genmask_next(ctx->net);
5492 struct nft_set_elem_catchall *catchall;
5493 struct nft_set_ext *ext;
5494 int ret = 0;
5495
5496 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5497 ext = nft_set_elem_ext(set, catchall->elem);
5498 if (!nft_set_elem_active(ext, genmask))
5499 continue;
5500
5501 ret = nft_setelem_data_validate(ctx, set, catchall->elem);
5502 if (ret < 0)
5503 break;
5504 }
5505
5506 return ret;
5507 }
5508
nf_tables_bind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding)5509 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5510 struct nft_set_binding *binding)
5511 {
5512 struct nft_set_binding *i;
5513 struct nft_set_iter iter;
5514
5515 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5516 return -EBUSY;
5517
5518 if (binding->flags & NFT_SET_MAP) {
5519 /* If the set is already bound to the same chain all
5520 * jumps are already validated for that chain.
5521 */
5522 list_for_each_entry(i, &set->bindings, list) {
5523 if (i->flags & NFT_SET_MAP &&
5524 i->chain == binding->chain)
5525 goto bind;
5526 }
5527
5528 iter.genmask = nft_genmask_next(ctx->net);
5529 iter.type = NFT_ITER_UPDATE;
5530 iter.skip = 0;
5531 iter.count = 0;
5532 iter.err = 0;
5533 iter.fn = nf_tables_bind_check_setelem;
5534
5535 set->ops->walk(ctx, set, &iter);
5536 if (!iter.err)
5537 iter.err = nft_set_catchall_bind_check(ctx, set);
5538
5539 if (iter.err < 0)
5540 return iter.err;
5541 }
5542 bind:
5543 if (!nft_use_inc(&set->use))
5544 return -EMFILE;
5545
5546 binding->chain = ctx->chain;
5547 list_add_tail_rcu(&binding->list, &set->bindings);
5548 nft_set_trans_bind(ctx, set);
5549
5550 return 0;
5551 }
5552 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5553
nf_tables_unbind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,bool event)5554 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5555 struct nft_set_binding *binding, bool event)
5556 {
5557 list_del_rcu(&binding->list);
5558
5559 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5560 list_del_rcu(&set->list);
5561 set->dead = 1;
5562 if (event)
5563 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5564 GFP_KERNEL);
5565 }
5566 }
5567
5568 static void nft_setelem_data_activate(const struct net *net,
5569 const struct nft_set *set,
5570 struct nft_elem_priv *elem_priv);
5571
nft_mapelem_activate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5572 static int nft_mapelem_activate(const struct nft_ctx *ctx,
5573 struct nft_set *set,
5574 const struct nft_set_iter *iter,
5575 struct nft_elem_priv *elem_priv)
5576 {
5577 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5578
5579 /* called from abort path, reverse check to undo changes. */
5580 if (nft_set_elem_active(ext, iter->genmask))
5581 return 0;
5582
5583 nft_clear(ctx->net, ext);
5584 nft_setelem_data_activate(ctx->net, set, elem_priv);
5585
5586 return 0;
5587 }
5588
nft_map_catchall_activate(const struct nft_ctx * ctx,struct nft_set * set)5589 static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5590 struct nft_set *set)
5591 {
5592 u8 genmask = nft_genmask_next(ctx->net);
5593 struct nft_set_elem_catchall *catchall;
5594 struct nft_set_ext *ext;
5595
5596 list_for_each_entry(catchall, &set->catchall_list, list) {
5597 ext = nft_set_elem_ext(set, catchall->elem);
5598 if (!nft_set_elem_active(ext, genmask))
5599 continue;
5600
5601 nft_clear(ctx->net, ext);
5602 nft_setelem_data_activate(ctx->net, set, catchall->elem);
5603 break;
5604 }
5605 }
5606
nft_map_activate(const struct nft_ctx * ctx,struct nft_set * set)5607 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5608 {
5609 struct nft_set_iter iter = {
5610 .genmask = nft_genmask_next(ctx->net),
5611 .type = NFT_ITER_UPDATE,
5612 .fn = nft_mapelem_activate,
5613 };
5614
5615 set->ops->walk(ctx, set, &iter);
5616 WARN_ON_ONCE(iter.err);
5617
5618 nft_map_catchall_activate(ctx, set);
5619 }
5620
nf_tables_activate_set(const struct nft_ctx * ctx,struct nft_set * set)5621 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5622 {
5623 if (nft_set_is_anonymous(set)) {
5624 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5625 nft_map_activate(ctx, set);
5626
5627 nft_clear(ctx->net, set);
5628 }
5629
5630 nft_use_inc_restore(&set->use);
5631 }
5632 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5633
nf_tables_deactivate_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,enum nft_trans_phase phase)5634 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5635 struct nft_set_binding *binding,
5636 enum nft_trans_phase phase)
5637 {
5638 switch (phase) {
5639 case NFT_TRANS_PREPARE_ERROR:
5640 nft_set_trans_unbind(ctx, set);
5641 if (nft_set_is_anonymous(set))
5642 nft_deactivate_next(ctx->net, set);
5643 else
5644 list_del_rcu(&binding->list);
5645
5646 nft_use_dec(&set->use);
5647 break;
5648 case NFT_TRANS_PREPARE:
5649 if (nft_set_is_anonymous(set)) {
5650 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5651 nft_map_deactivate(ctx, set);
5652
5653 nft_deactivate_next(ctx->net, set);
5654 }
5655 nft_use_dec(&set->use);
5656 return;
5657 case NFT_TRANS_ABORT:
5658 case NFT_TRANS_RELEASE:
5659 if (nft_set_is_anonymous(set) &&
5660 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5661 nft_map_deactivate(ctx, set);
5662
5663 nft_use_dec(&set->use);
5664 fallthrough;
5665 default:
5666 nf_tables_unbind_set(ctx, set, binding,
5667 phase == NFT_TRANS_COMMIT);
5668 }
5669 }
5670 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5671
nf_tables_destroy_set(const struct nft_ctx * ctx,struct nft_set * set)5672 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5673 {
5674 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5675 nft_set_destroy(ctx, set);
5676 }
5677 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5678
5679 const struct nft_set_ext_type nft_set_ext_types[] = {
5680 [NFT_SET_EXT_KEY] = {
5681 .align = __alignof__(u32),
5682 },
5683 [NFT_SET_EXT_DATA] = {
5684 .align = __alignof__(u32),
5685 },
5686 [NFT_SET_EXT_EXPRESSIONS] = {
5687 .align = __alignof__(struct nft_set_elem_expr),
5688 },
5689 [NFT_SET_EXT_OBJREF] = {
5690 .len = sizeof(struct nft_object *),
5691 .align = __alignof__(struct nft_object *),
5692 },
5693 [NFT_SET_EXT_FLAGS] = {
5694 .len = sizeof(u8),
5695 .align = __alignof__(u8),
5696 },
5697 [NFT_SET_EXT_TIMEOUT] = {
5698 .len = sizeof(struct nft_timeout),
5699 .align = __alignof__(struct nft_timeout),
5700 },
5701 [NFT_SET_EXT_USERDATA] = {
5702 .len = sizeof(struct nft_userdata),
5703 .align = __alignof__(struct nft_userdata),
5704 },
5705 [NFT_SET_EXT_KEY_END] = {
5706 .align = __alignof__(u32),
5707 },
5708 };
5709
5710 /*
5711 * Set elements
5712 */
5713
5714 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5715 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5716 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5717 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5718 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5719 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5720 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5721 .len = NFT_USERDATA_MAXLEN },
5722 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5723 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5724 .len = NFT_OBJ_MAXNAMELEN - 1 },
5725 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5726 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
5727 };
5728
5729 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5730 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5731 .len = NFT_TABLE_MAXNAMELEN - 1 },
5732 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5733 .len = NFT_SET_MAXNAMELEN - 1 },
5734 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy),
5735 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5736 };
5737
nft_set_elem_expr_dump(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_ext * ext,bool reset)5738 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5739 const struct nft_set *set,
5740 const struct nft_set_ext *ext,
5741 bool reset)
5742 {
5743 struct nft_set_elem_expr *elem_expr;
5744 u32 size, num_exprs = 0;
5745 struct nft_expr *expr;
5746 struct nlattr *nest;
5747
5748 elem_expr = nft_set_ext_expr(ext);
5749 nft_setelem_expr_foreach(expr, elem_expr, size)
5750 num_exprs++;
5751
5752 if (num_exprs == 1) {
5753 expr = nft_setelem_expr_at(elem_expr, 0);
5754 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0)
5755 return -1;
5756
5757 return 0;
5758 } else if (num_exprs > 1) {
5759 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5760 if (nest == NULL)
5761 goto nla_put_failure;
5762
5763 nft_setelem_expr_foreach(expr, elem_expr, size) {
5764 expr = nft_setelem_expr_at(elem_expr, size);
5765 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
5766 goto nla_put_failure;
5767 }
5768 nla_nest_end(skb, nest);
5769 }
5770 return 0;
5771
5772 nla_put_failure:
5773 return -1;
5774 }
5775
nf_tables_fill_setelem(struct sk_buff * skb,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)5776 static int nf_tables_fill_setelem(struct sk_buff *skb,
5777 const struct nft_set *set,
5778 const struct nft_elem_priv *elem_priv,
5779 bool reset)
5780 {
5781 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5782 unsigned char *b = skb_tail_pointer(skb);
5783 struct nlattr *nest;
5784
5785 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5786 if (nest == NULL)
5787 goto nla_put_failure;
5788
5789 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5790 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5791 NFT_DATA_VALUE, set->klen) < 0)
5792 goto nla_put_failure;
5793
5794 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5795 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5796 NFT_DATA_VALUE, set->klen) < 0)
5797 goto nla_put_failure;
5798
5799 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5800 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5801 nft_set_datatype(set), set->dlen) < 0)
5802 goto nla_put_failure;
5803
5804 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5805 nft_set_elem_expr_dump(skb, set, ext, reset))
5806 goto nla_put_failure;
5807
5808 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5809 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5810 (*nft_set_ext_obj(ext))->key.name) < 0)
5811 goto nla_put_failure;
5812
5813 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5814 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5815 htonl(*nft_set_ext_flags(ext))))
5816 goto nla_put_failure;
5817
5818 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
5819 u64 timeout = READ_ONCE(nft_set_ext_timeout(ext)->timeout);
5820 u64 set_timeout = READ_ONCE(set->timeout);
5821 __be64 msecs = 0;
5822
5823 if (set_timeout != timeout) {
5824 msecs = nf_jiffies64_to_msecs(timeout);
5825 if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, msecs,
5826 NFTA_SET_ELEM_PAD))
5827 goto nla_put_failure;
5828 }
5829
5830 if (timeout > 0) {
5831 u64 expires, now = get_jiffies_64();
5832
5833 expires = READ_ONCE(nft_set_ext_timeout(ext)->expiration);
5834 if (time_before64(now, expires))
5835 expires -= now;
5836 else
5837 expires = 0;
5838
5839 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5840 nf_jiffies64_to_msecs(expires),
5841 NFTA_SET_ELEM_PAD))
5842 goto nla_put_failure;
5843 }
5844 }
5845
5846 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5847 struct nft_userdata *udata;
5848
5849 udata = nft_set_ext_userdata(ext);
5850 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5851 udata->len + 1, udata->data))
5852 goto nla_put_failure;
5853 }
5854
5855 nla_nest_end(skb, nest);
5856 return 0;
5857
5858 nla_put_failure:
5859 nlmsg_trim(skb, b);
5860 return -EMSGSIZE;
5861 }
5862
5863 struct nft_set_dump_args {
5864 const struct netlink_callback *cb;
5865 struct nft_set_iter iter;
5866 struct sk_buff *skb;
5867 bool reset;
5868 };
5869
nf_tables_dump_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5870 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5871 struct nft_set *set,
5872 const struct nft_set_iter *iter,
5873 struct nft_elem_priv *elem_priv)
5874 {
5875 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5876 struct nft_set_dump_args *args;
5877
5878 if (!nft_set_elem_active(ext, iter->genmask))
5879 return 0;
5880
5881 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
5882 return 0;
5883
5884 args = container_of(iter, struct nft_set_dump_args, iter);
5885 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset);
5886 }
5887
audit_log_nft_set_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)5888 static void audit_log_nft_set_reset(const struct nft_table *table,
5889 unsigned int base_seq,
5890 unsigned int nentries)
5891 {
5892 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
5893
5894 audit_log_nfcfg(buf, table->family, nentries,
5895 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
5896 kfree(buf);
5897 }
5898
5899 struct nft_set_dump_ctx {
5900 const struct nft_set *set;
5901 struct nft_ctx ctx;
5902 bool reset;
5903 };
5904
nft_set_catchall_dump(struct net * net,struct sk_buff * skb,const struct nft_set * set,bool reset,unsigned int base_seq)5905 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5906 const struct nft_set *set, bool reset,
5907 unsigned int base_seq)
5908 {
5909 struct nft_set_elem_catchall *catchall;
5910 u8 genmask = nft_genmask_cur(net);
5911 struct nft_set_ext *ext;
5912 int ret = 0;
5913
5914 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5915 ext = nft_set_elem_ext(set, catchall->elem);
5916 if (!nft_set_elem_active(ext, genmask) ||
5917 nft_set_elem_expired(ext))
5918 continue;
5919
5920 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset);
5921 if (reset && !ret)
5922 audit_log_nft_set_reset(set->table, base_seq, 1);
5923 break;
5924 }
5925
5926 return ret;
5927 }
5928
nf_tables_dump_set(struct sk_buff * skb,struct netlink_callback * cb)5929 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5930 {
5931 struct nft_set_dump_ctx *dump_ctx = cb->data;
5932 struct net *net = sock_net(skb->sk);
5933 struct nftables_pernet *nft_net;
5934 struct nft_table *table;
5935 struct nft_set *set;
5936 struct nft_set_dump_args args;
5937 bool set_found = false;
5938 struct nlmsghdr *nlh;
5939 struct nlattr *nest;
5940 u32 portid, seq;
5941 int event;
5942
5943 rcu_read_lock();
5944 nft_net = nft_pernet(net);
5945 cb->seq = READ_ONCE(nft_net->base_seq);
5946
5947 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5948 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5949 dump_ctx->ctx.family != table->family)
5950 continue;
5951
5952 if (table != dump_ctx->ctx.table)
5953 continue;
5954
5955 list_for_each_entry_rcu(set, &table->sets, list) {
5956 if (set == dump_ctx->set) {
5957 set_found = true;
5958 break;
5959 }
5960 }
5961 break;
5962 }
5963
5964 if (!set_found) {
5965 rcu_read_unlock();
5966 return -ENOENT;
5967 }
5968
5969 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5970 portid = NETLINK_CB(cb->skb).portid;
5971 seq = cb->nlh->nlmsg_seq;
5972
5973 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5974 table->family, NFNETLINK_V0, nft_base_seq(net));
5975 if (!nlh)
5976 goto nla_put_failure;
5977
5978 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5979 goto nla_put_failure;
5980 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5981 goto nla_put_failure;
5982
5983 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5984 if (nest == NULL)
5985 goto nla_put_failure;
5986
5987 args.cb = cb;
5988 args.skb = skb;
5989 args.reset = dump_ctx->reset;
5990 args.iter.genmask = nft_genmask_cur(net);
5991 args.iter.type = NFT_ITER_READ;
5992 args.iter.skip = cb->args[0];
5993 args.iter.count = 0;
5994 args.iter.err = 0;
5995 args.iter.fn = nf_tables_dump_setelem;
5996 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5997
5998 if (!args.iter.err && args.iter.count == cb->args[0])
5999 args.iter.err = nft_set_catchall_dump(net, skb, set,
6000 dump_ctx->reset, cb->seq);
6001 nla_nest_end(skb, nest);
6002 nlmsg_end(skb, nlh);
6003
6004 rcu_read_unlock();
6005
6006 if (args.iter.err && args.iter.err != -EMSGSIZE)
6007 return args.iter.err;
6008 if (args.iter.count == cb->args[0])
6009 return 0;
6010
6011 cb->args[0] = args.iter.count;
6012 return skb->len;
6013
6014 nla_put_failure:
6015 rcu_read_unlock();
6016 return -ENOSPC;
6017 }
6018
nf_tables_dumpreset_set(struct sk_buff * skb,struct netlink_callback * cb)6019 static int nf_tables_dumpreset_set(struct sk_buff *skb,
6020 struct netlink_callback *cb)
6021 {
6022 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
6023 struct nft_set_dump_ctx *dump_ctx = cb->data;
6024 int ret, skip = cb->args[0];
6025
6026 mutex_lock(&nft_net->commit_mutex);
6027
6028 ret = nf_tables_dump_set(skb, cb);
6029
6030 if (cb->args[0] > skip)
6031 audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq,
6032 cb->args[0] - skip);
6033
6034 mutex_unlock(&nft_net->commit_mutex);
6035
6036 return ret;
6037 }
6038
nf_tables_dump_set_start(struct netlink_callback * cb)6039 static int nf_tables_dump_set_start(struct netlink_callback *cb)
6040 {
6041 struct nft_set_dump_ctx *dump_ctx = cb->data;
6042
6043 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
6044
6045 return cb->data ? 0 : -ENOMEM;
6046 }
6047
nf_tables_dump_set_done(struct netlink_callback * cb)6048 static int nf_tables_dump_set_done(struct netlink_callback *cb)
6049 {
6050 kfree(cb->data);
6051 return 0;
6052 }
6053
nf_tables_fill_setelem_info(struct sk_buff * skb,const struct nft_ctx * ctx,u32 seq,u32 portid,int event,u16 flags,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)6054 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
6055 const struct nft_ctx *ctx, u32 seq,
6056 u32 portid, int event, u16 flags,
6057 const struct nft_set *set,
6058 const struct nft_elem_priv *elem_priv,
6059 bool reset)
6060 {
6061 struct nlmsghdr *nlh;
6062 struct nlattr *nest;
6063 int err;
6064
6065 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6066 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
6067 NFNETLINK_V0, nft_base_seq(ctx->net));
6068 if (!nlh)
6069 goto nla_put_failure;
6070
6071 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
6072 goto nla_put_failure;
6073 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
6074 goto nla_put_failure;
6075
6076 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
6077 if (nest == NULL)
6078 goto nla_put_failure;
6079
6080 err = nf_tables_fill_setelem(skb, set, elem_priv, reset);
6081 if (err < 0)
6082 goto nla_put_failure;
6083
6084 nla_nest_end(skb, nest);
6085
6086 nlmsg_end(skb, nlh);
6087 return 0;
6088
6089 nla_put_failure:
6090 nlmsg_trim(skb, nlh);
6091 return -1;
6092 }
6093
nft_setelem_parse_flags(const struct nft_set * set,const struct nlattr * attr,u32 * flags)6094 static int nft_setelem_parse_flags(const struct nft_set *set,
6095 const struct nlattr *attr, u32 *flags)
6096 {
6097 if (attr == NULL)
6098 return 0;
6099
6100 *flags = ntohl(nla_get_be32(attr));
6101 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6102 return -EOPNOTSUPP;
6103 if (!(set->flags & NFT_SET_INTERVAL) &&
6104 *flags & NFT_SET_ELEM_INTERVAL_END)
6105 return -EINVAL;
6106 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
6107 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6108 return -EINVAL;
6109
6110 return 0;
6111 }
6112
nft_setelem_parse_key(struct nft_ctx * ctx,const struct nft_set * set,struct nft_data * key,struct nlattr * attr)6113 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set,
6114 struct nft_data *key, struct nlattr *attr)
6115 {
6116 struct nft_data_desc desc = {
6117 .type = NFT_DATA_VALUE,
6118 .size = NFT_DATA_VALUE_MAXLEN,
6119 .len = set->klen,
6120 };
6121
6122 return nft_data_init(ctx, key, &desc, attr);
6123 }
6124
nft_setelem_parse_data(struct nft_ctx * ctx,struct nft_set * set,struct nft_data_desc * desc,struct nft_data * data,struct nlattr * attr)6125 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
6126 struct nft_data_desc *desc,
6127 struct nft_data *data,
6128 struct nlattr *attr)
6129 {
6130 u32 dtype;
6131
6132 if (set->dtype == NFT_DATA_VERDICT)
6133 dtype = NFT_DATA_VERDICT;
6134 else
6135 dtype = NFT_DATA_VALUE;
6136
6137 desc->type = dtype;
6138 desc->size = NFT_DATA_VALUE_MAXLEN;
6139 desc->len = set->dlen;
6140 desc->flags = NFT_DATA_DESC_SETELEM;
6141
6142 return nft_data_init(ctx, data, desc, attr);
6143 }
6144
nft_setelem_catchall_get(const struct net * net,const struct nft_set * set)6145 static void *nft_setelem_catchall_get(const struct net *net,
6146 const struct nft_set *set)
6147 {
6148 struct nft_set_elem_catchall *catchall;
6149 u8 genmask = nft_genmask_cur(net);
6150 struct nft_set_ext *ext;
6151 void *priv = NULL;
6152
6153 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6154 ext = nft_set_elem_ext(set, catchall->elem);
6155 if (!nft_set_elem_active(ext, genmask) ||
6156 nft_set_elem_expired(ext))
6157 continue;
6158
6159 priv = catchall->elem;
6160 break;
6161 }
6162
6163 return priv;
6164 }
6165
nft_setelem_get(struct nft_ctx * ctx,const struct nft_set * set,struct nft_set_elem * elem,u32 flags)6166 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set,
6167 struct nft_set_elem *elem, u32 flags)
6168 {
6169 void *priv;
6170
6171 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6172 priv = set->ops->get(ctx->net, set, elem, flags);
6173 if (IS_ERR(priv))
6174 return PTR_ERR(priv);
6175 } else {
6176 priv = nft_setelem_catchall_get(ctx->net, set);
6177 if (!priv)
6178 return -ENOENT;
6179 }
6180 elem->priv = priv;
6181
6182 return 0;
6183 }
6184
nft_get_set_elem(struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr,bool reset)6185 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
6186 const struct nlattr *attr, bool reset)
6187 {
6188 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6189 struct nft_set_elem elem;
6190 struct sk_buff *skb;
6191 uint32_t flags = 0;
6192 int err;
6193
6194 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6195 nft_set_elem_policy, NULL);
6196 if (err < 0)
6197 return err;
6198
6199 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6200 if (err < 0)
6201 return err;
6202
6203 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6204 return -EINVAL;
6205
6206 if (nla[NFTA_SET_ELEM_KEY]) {
6207 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6208 nla[NFTA_SET_ELEM_KEY]);
6209 if (err < 0)
6210 return err;
6211 }
6212
6213 if (nla[NFTA_SET_ELEM_KEY_END]) {
6214 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6215 nla[NFTA_SET_ELEM_KEY_END]);
6216 if (err < 0)
6217 return err;
6218 }
6219
6220 err = nft_setelem_get(ctx, set, &elem, flags);
6221 if (err < 0)
6222 return err;
6223
6224 err = -ENOMEM;
6225 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6226 if (skb == NULL)
6227 return err;
6228
6229 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
6230 NFT_MSG_NEWSETELEM, 0, set, elem.priv,
6231 reset);
6232 if (err < 0)
6233 goto err_fill_setelem;
6234
6235 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
6236
6237 err_fill_setelem:
6238 kfree_skb(skb);
6239 return err;
6240 }
6241
nft_set_dump_ctx_init(struct nft_set_dump_ctx * dump_ctx,const struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)6242 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx,
6243 const struct sk_buff *skb,
6244 const struct nfnl_info *info,
6245 const struct nlattr * const nla[],
6246 bool reset)
6247 {
6248 struct netlink_ext_ack *extack = info->extack;
6249 u8 genmask = nft_genmask_cur(info->net);
6250 u8 family = info->nfmsg->nfgen_family;
6251 struct net *net = info->net;
6252 struct nft_table *table;
6253 struct nft_set *set;
6254
6255 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6256 genmask, 0);
6257 if (IS_ERR(table)) {
6258 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6259 return PTR_ERR(table);
6260 }
6261
6262 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6263 if (IS_ERR(set)) {
6264 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6265 return PTR_ERR(set);
6266 }
6267
6268 nft_ctx_init(&dump_ctx->ctx, net, skb,
6269 info->nlh, family, table, NULL, nla);
6270 dump_ctx->set = set;
6271 dump_ctx->reset = reset;
6272 return 0;
6273 }
6274
6275 /* called with rcu_read_lock held */
nf_tables_getsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6276 static int nf_tables_getsetelem(struct sk_buff *skb,
6277 const struct nfnl_info *info,
6278 const struct nlattr * const nla[])
6279 {
6280 struct netlink_ext_ack *extack = info->extack;
6281 struct nft_set_dump_ctx dump_ctx;
6282 struct nlattr *attr;
6283 int rem, err = 0;
6284
6285 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6286 struct netlink_dump_control c = {
6287 .start = nf_tables_dump_set_start,
6288 .dump = nf_tables_dump_set,
6289 .done = nf_tables_dump_set_done,
6290 .module = THIS_MODULE,
6291 };
6292
6293 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6294 if (err)
6295 return err;
6296
6297 c.data = &dump_ctx;
6298 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6299 }
6300
6301 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6302 return -EINVAL;
6303
6304 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6305 if (err)
6306 return err;
6307
6308 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6309 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, false);
6310 if (err < 0) {
6311 NL_SET_BAD_ATTR(extack, attr);
6312 break;
6313 }
6314 }
6315
6316 return err;
6317 }
6318
nf_tables_getsetelem_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6319 static int nf_tables_getsetelem_reset(struct sk_buff *skb,
6320 const struct nfnl_info *info,
6321 const struct nlattr * const nla[])
6322 {
6323 struct nftables_pernet *nft_net = nft_pernet(info->net);
6324 struct netlink_ext_ack *extack = info->extack;
6325 struct nft_set_dump_ctx dump_ctx;
6326 int rem, err = 0, nelems = 0;
6327 struct nlattr *attr;
6328
6329 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6330 struct netlink_dump_control c = {
6331 .start = nf_tables_dump_set_start,
6332 .dump = nf_tables_dumpreset_set,
6333 .done = nf_tables_dump_set_done,
6334 .module = THIS_MODULE,
6335 };
6336
6337 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6338 if (err)
6339 return err;
6340
6341 c.data = &dump_ctx;
6342 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6343 }
6344
6345 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6346 return -EINVAL;
6347
6348 if (!try_module_get(THIS_MODULE))
6349 return -EINVAL;
6350 rcu_read_unlock();
6351 mutex_lock(&nft_net->commit_mutex);
6352 rcu_read_lock();
6353
6354 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6355 if (err)
6356 goto out_unlock;
6357
6358 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6359 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, true);
6360 if (err < 0) {
6361 NL_SET_BAD_ATTR(extack, attr);
6362 break;
6363 }
6364 nelems++;
6365 }
6366 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_net->base_seq, nelems);
6367
6368 out_unlock:
6369 rcu_read_unlock();
6370 mutex_unlock(&nft_net->commit_mutex);
6371 rcu_read_lock();
6372 module_put(THIS_MODULE);
6373
6374 return err;
6375 }
6376
nf_tables_setelem_notify(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv,int event)6377 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6378 const struct nft_set *set,
6379 const struct nft_elem_priv *elem_priv,
6380 int event)
6381 {
6382 struct nftables_pernet *nft_net;
6383 struct net *net = ctx->net;
6384 u32 portid = ctx->portid;
6385 struct sk_buff *skb;
6386 u16 flags = 0;
6387 int err;
6388
6389 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6390 return;
6391
6392 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6393 if (skb == NULL)
6394 goto err;
6395
6396 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6397 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6398
6399 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
6400 set, elem_priv, false);
6401 if (err < 0) {
6402 kfree_skb(skb);
6403 goto err;
6404 }
6405
6406 nft_net = nft_pernet(net);
6407 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
6408 return;
6409 err:
6410 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6411 }
6412
nft_trans_elem_alloc(struct nft_ctx * ctx,int msg_type,struct nft_set * set)6413 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
6414 int msg_type,
6415 struct nft_set *set)
6416 {
6417 struct nft_trans *trans;
6418
6419 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
6420 if (trans == NULL)
6421 return NULL;
6422
6423 nft_trans_elem_set(trans) = set;
6424 return trans;
6425 }
6426
nft_set_elem_expr_alloc(const struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr)6427 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6428 const struct nft_set *set,
6429 const struct nlattr *attr)
6430 {
6431 struct nft_expr *expr;
6432 int err;
6433
6434 expr = nft_expr_init(ctx, attr);
6435 if (IS_ERR(expr))
6436 return expr;
6437
6438 err = -EOPNOTSUPP;
6439 if (expr->ops->type->flags & NFT_EXPR_GC) {
6440 if (set->flags & NFT_SET_TIMEOUT)
6441 goto err_set_elem_expr;
6442 if (!set->ops->gc_init)
6443 goto err_set_elem_expr;
6444 set->ops->gc_init(set);
6445 }
6446
6447 return expr;
6448
6449 err_set_elem_expr:
6450 nft_expr_destroy(ctx, expr);
6451 return ERR_PTR(err);
6452 }
6453
nft_set_ext_check(const struct nft_set_ext_tmpl * tmpl,u8 id,u32 len)6454 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6455 {
6456 len += nft_set_ext_types[id].len;
6457 if (len > tmpl->ext_len[id] ||
6458 len > U8_MAX)
6459 return -1;
6460
6461 return 0;
6462 }
6463
nft_set_ext_memcpy(const struct nft_set_ext_tmpl * tmpl,u8 id,void * to,const void * from,u32 len)6464 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6465 void *to, const void *from, u32 len)
6466 {
6467 if (nft_set_ext_check(tmpl, id, len) < 0)
6468 return -1;
6469
6470 memcpy(to, from, len);
6471
6472 return 0;
6473 }
6474
nft_set_elem_init(const struct nft_set * set,const struct nft_set_ext_tmpl * tmpl,const u32 * key,const u32 * key_end,const u32 * data,u64 timeout,u64 expiration,gfp_t gfp)6475 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
6476 const struct nft_set_ext_tmpl *tmpl,
6477 const u32 *key, const u32 *key_end,
6478 const u32 *data,
6479 u64 timeout, u64 expiration, gfp_t gfp)
6480 {
6481 struct nft_set_ext *ext;
6482 void *elem;
6483
6484 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
6485 if (elem == NULL)
6486 return ERR_PTR(-ENOMEM);
6487
6488 ext = nft_set_elem_ext(set, elem);
6489 nft_set_ext_init(ext, tmpl);
6490
6491 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6492 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
6493 nft_set_ext_key(ext), key, set->klen) < 0)
6494 goto err_ext_check;
6495
6496 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6497 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
6498 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
6499 goto err_ext_check;
6500
6501 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6502 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
6503 nft_set_ext_data(ext), data, set->dlen) < 0)
6504 goto err_ext_check;
6505
6506 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
6507 nft_set_ext_timeout(ext)->timeout = timeout;
6508
6509 if (expiration == 0)
6510 expiration = timeout;
6511
6512 nft_set_ext_timeout(ext)->expiration = get_jiffies_64() + expiration;
6513 }
6514
6515 return elem;
6516
6517 err_ext_check:
6518 kfree(elem);
6519
6520 return ERR_PTR(-EINVAL);
6521 }
6522
__nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)6523 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6524 struct nft_expr *expr)
6525 {
6526 if (expr->ops->destroy_clone) {
6527 expr->ops->destroy_clone(ctx, expr);
6528 module_put(expr->ops->type->owner);
6529 } else {
6530 nf_tables_expr_destroy(ctx, expr);
6531 }
6532 }
6533
nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_set_elem_expr * elem_expr)6534 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6535 struct nft_set_elem_expr *elem_expr)
6536 {
6537 struct nft_expr *expr;
6538 u32 size;
6539
6540 nft_setelem_expr_foreach(expr, elem_expr, size)
6541 __nft_set_elem_expr_destroy(ctx, expr);
6542 }
6543
6544 /* Drop references and destroy. Called from gc, dynset and abort path. */
nft_set_elem_destroy(const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool destroy_expr)6545 void nft_set_elem_destroy(const struct nft_set *set,
6546 const struct nft_elem_priv *elem_priv,
6547 bool destroy_expr)
6548 {
6549 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6550 struct nft_ctx ctx = {
6551 .net = read_pnet(&set->net),
6552 .family = set->table->family,
6553 };
6554
6555 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
6556 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6557 nft_data_release(nft_set_ext_data(ext), set->dtype);
6558 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6559 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
6560 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6561 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
6562
6563 kfree(elem_priv);
6564 }
6565 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6566
6567 /* Destroy element. References have been already dropped in the preparation
6568 * path via nft_setelem_data_deactivate().
6569 */
nf_tables_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv)6570 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6571 const struct nft_set *set,
6572 const struct nft_elem_priv *elem_priv)
6573 {
6574 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6575
6576 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6577 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6578
6579 kfree(elem_priv);
6580 }
6581
nft_set_elem_expr_clone(const struct nft_ctx * ctx,struct nft_set * set,struct nft_expr * expr_array[])6582 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6583 struct nft_expr *expr_array[])
6584 {
6585 struct nft_expr *expr;
6586 int err, i, k;
6587
6588 for (i = 0; i < set->num_exprs; i++) {
6589 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6590 if (!expr)
6591 goto err_expr;
6592
6593 err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT);
6594 if (err < 0) {
6595 kfree(expr);
6596 goto err_expr;
6597 }
6598 expr_array[i] = expr;
6599 }
6600
6601 return 0;
6602
6603 err_expr:
6604 for (k = i - 1; k >= 0; k--)
6605 nft_expr_destroy(ctx, expr_array[k]);
6606
6607 return -ENOMEM;
6608 }
6609
nft_set_elem_expr_setup(struct nft_ctx * ctx,const struct nft_set_ext_tmpl * tmpl,const struct nft_set_ext * ext,struct nft_expr * expr_array[],u32 num_exprs)6610 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6611 const struct nft_set_ext_tmpl *tmpl,
6612 const struct nft_set_ext *ext,
6613 struct nft_expr *expr_array[],
6614 u32 num_exprs)
6615 {
6616 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6617 u32 len = sizeof(struct nft_set_elem_expr);
6618 struct nft_expr *expr;
6619 int i, err;
6620
6621 if (num_exprs == 0)
6622 return 0;
6623
6624 for (i = 0; i < num_exprs; i++)
6625 len += expr_array[i]->ops->size;
6626
6627 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6628 return -EINVAL;
6629
6630 for (i = 0; i < num_exprs; i++) {
6631 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6632 err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT);
6633 if (err < 0)
6634 goto err_elem_expr_setup;
6635
6636 elem_expr->size += expr_array[i]->ops->size;
6637 nft_expr_destroy(ctx, expr_array[i]);
6638 expr_array[i] = NULL;
6639 }
6640
6641 return 0;
6642
6643 err_elem_expr_setup:
6644 for (; i < num_exprs; i++) {
6645 nft_expr_destroy(ctx, expr_array[i]);
6646 expr_array[i] = NULL;
6647 }
6648
6649 return -ENOMEM;
6650 }
6651
nft_set_catchall_lookup(const struct net * net,const struct nft_set * set)6652 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6653 const struct nft_set *set)
6654 {
6655 struct nft_set_elem_catchall *catchall;
6656 u8 genmask = nft_genmask_cur(net);
6657 struct nft_set_ext *ext;
6658
6659 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6660 ext = nft_set_elem_ext(set, catchall->elem);
6661 if (nft_set_elem_active(ext, genmask) &&
6662 !nft_set_elem_expired(ext) &&
6663 !nft_set_elem_is_dead(ext))
6664 return ext;
6665 }
6666
6667 return NULL;
6668 }
6669 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6670
nft_setelem_catchall_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** priv)6671 static int nft_setelem_catchall_insert(const struct net *net,
6672 struct nft_set *set,
6673 const struct nft_set_elem *elem,
6674 struct nft_elem_priv **priv)
6675 {
6676 struct nft_set_elem_catchall *catchall;
6677 u8 genmask = nft_genmask_next(net);
6678 struct nft_set_ext *ext;
6679
6680 list_for_each_entry(catchall, &set->catchall_list, list) {
6681 ext = nft_set_elem_ext(set, catchall->elem);
6682 if (nft_set_elem_active(ext, genmask)) {
6683 *priv = catchall->elem;
6684 return -EEXIST;
6685 }
6686 }
6687
6688 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL_ACCOUNT);
6689 if (!catchall)
6690 return -ENOMEM;
6691
6692 catchall->elem = elem->priv;
6693 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6694
6695 return 0;
6696 }
6697
nft_setelem_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** elem_priv,unsigned int flags)6698 static int nft_setelem_insert(const struct net *net,
6699 struct nft_set *set,
6700 const struct nft_set_elem *elem,
6701 struct nft_elem_priv **elem_priv,
6702 unsigned int flags)
6703 {
6704 int ret;
6705
6706 if (flags & NFT_SET_ELEM_CATCHALL)
6707 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv);
6708 else
6709 ret = set->ops->insert(net, set, elem, elem_priv);
6710
6711 return ret;
6712 }
6713
nft_setelem_is_catchall(const struct nft_set * set,const struct nft_elem_priv * elem_priv)6714 static bool nft_setelem_is_catchall(const struct nft_set *set,
6715 const struct nft_elem_priv *elem_priv)
6716 {
6717 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6718
6719 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6720 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6721 return true;
6722
6723 return false;
6724 }
6725
nft_setelem_activate(struct net * net,struct nft_set * set,struct nft_elem_priv * elem_priv)6726 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6727 struct nft_elem_priv *elem_priv)
6728 {
6729 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6730
6731 if (nft_setelem_is_catchall(set, elem_priv)) {
6732 nft_clear(net, ext);
6733 } else {
6734 set->ops->activate(net, set, elem_priv);
6735 }
6736 }
6737
nft_setelem_catchall_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)6738 static int nft_setelem_catchall_deactivate(const struct net *net,
6739 struct nft_set *set,
6740 struct nft_set_elem *elem)
6741 {
6742 struct nft_set_elem_catchall *catchall;
6743 struct nft_set_ext *ext;
6744
6745 list_for_each_entry(catchall, &set->catchall_list, list) {
6746 ext = nft_set_elem_ext(set, catchall->elem);
6747 if (!nft_is_active_next(net, ext))
6748 continue;
6749
6750 kfree(elem->priv);
6751 elem->priv = catchall->elem;
6752 nft_set_elem_change_active(net, set, ext);
6753 return 0;
6754 }
6755
6756 return -ENOENT;
6757 }
6758
__nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)6759 static int __nft_setelem_deactivate(const struct net *net,
6760 struct nft_set *set,
6761 struct nft_set_elem *elem)
6762 {
6763 void *priv;
6764
6765 priv = set->ops->deactivate(net, set, elem);
6766 if (!priv)
6767 return -ENOENT;
6768
6769 kfree(elem->priv);
6770 elem->priv = priv;
6771 set->ndeact++;
6772
6773 return 0;
6774 }
6775
nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem,u32 flags)6776 static int nft_setelem_deactivate(const struct net *net,
6777 struct nft_set *set,
6778 struct nft_set_elem *elem, u32 flags)
6779 {
6780 int ret;
6781
6782 if (flags & NFT_SET_ELEM_CATCHALL)
6783 ret = nft_setelem_catchall_deactivate(net, set, elem);
6784 else
6785 ret = __nft_setelem_deactivate(net, set, elem);
6786
6787 return ret;
6788 }
6789
nft_setelem_catchall_destroy(struct nft_set_elem_catchall * catchall)6790 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
6791 {
6792 list_del_rcu(&catchall->list);
6793 kfree_rcu(catchall, rcu);
6794 }
6795
nft_setelem_catchall_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)6796 static void nft_setelem_catchall_remove(const struct net *net,
6797 const struct nft_set *set,
6798 struct nft_elem_priv *elem_priv)
6799 {
6800 struct nft_set_elem_catchall *catchall, *next;
6801
6802 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6803 if (catchall->elem == elem_priv) {
6804 nft_setelem_catchall_destroy(catchall);
6805 break;
6806 }
6807 }
6808 }
6809
nft_setelem_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)6810 static void nft_setelem_remove(const struct net *net,
6811 const struct nft_set *set,
6812 struct nft_elem_priv *elem_priv)
6813 {
6814 if (nft_setelem_is_catchall(set, elem_priv))
6815 nft_setelem_catchall_remove(net, set, elem_priv);
6816 else
6817 set->ops->remove(net, set, elem_priv);
6818 }
6819
nft_setelem_valid_key_end(const struct nft_set * set,struct nlattr ** nla,u32 flags)6820 static bool nft_setelem_valid_key_end(const struct nft_set *set,
6821 struct nlattr **nla, u32 flags)
6822 {
6823 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6824 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6825 if (flags & NFT_SET_ELEM_INTERVAL_END)
6826 return false;
6827
6828 if (nla[NFTA_SET_ELEM_KEY_END] &&
6829 flags & NFT_SET_ELEM_CATCHALL)
6830 return false;
6831 } else {
6832 if (nla[NFTA_SET_ELEM_KEY_END])
6833 return false;
6834 }
6835
6836 return true;
6837 }
6838
nft_add_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,u32 nlmsg_flags)6839 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6840 const struct nlattr *attr, u32 nlmsg_flags)
6841 {
6842 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6843 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6844 u8 genmask = nft_genmask_next(ctx->net);
6845 u32 flags = 0, size = 0, num_exprs = 0;
6846 struct nft_set_ext_tmpl tmpl;
6847 struct nft_set_ext *ext, *ext2;
6848 struct nft_set_elem elem;
6849 struct nft_set_binding *binding;
6850 struct nft_elem_priv *elem_priv;
6851 struct nft_object *obj = NULL;
6852 struct nft_userdata *udata;
6853 struct nft_data_desc desc;
6854 enum nft_registers dreg;
6855 struct nft_trans *trans;
6856 u8 update_flags;
6857 u64 expiration;
6858 u64 timeout;
6859 int err, i;
6860 u8 ulen;
6861
6862 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6863 nft_set_elem_policy, NULL);
6864 if (err < 0)
6865 return err;
6866
6867 nft_set_ext_prepare(&tmpl);
6868
6869 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6870 if (err < 0)
6871 return err;
6872
6873 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6874 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6875 return -EINVAL;
6876
6877 if (flags != 0) {
6878 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6879 if (err < 0)
6880 return err;
6881 }
6882
6883 if (set->flags & NFT_SET_MAP) {
6884 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6885 !(flags & NFT_SET_ELEM_INTERVAL_END))
6886 return -EINVAL;
6887 } else {
6888 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6889 return -EINVAL;
6890 }
6891
6892 if (set->flags & NFT_SET_OBJECT) {
6893 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6894 !(flags & NFT_SET_ELEM_INTERVAL_END))
6895 return -EINVAL;
6896 } else {
6897 if (nla[NFTA_SET_ELEM_OBJREF])
6898 return -EINVAL;
6899 }
6900
6901 if (!nft_setelem_valid_key_end(set, nla, flags))
6902 return -EINVAL;
6903
6904 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6905 (nla[NFTA_SET_ELEM_DATA] ||
6906 nla[NFTA_SET_ELEM_OBJREF] ||
6907 nla[NFTA_SET_ELEM_TIMEOUT] ||
6908 nla[NFTA_SET_ELEM_EXPIRATION] ||
6909 nla[NFTA_SET_ELEM_USERDATA] ||
6910 nla[NFTA_SET_ELEM_EXPR] ||
6911 nla[NFTA_SET_ELEM_KEY_END] ||
6912 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6913 return -EINVAL;
6914
6915 timeout = 0;
6916 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6917 if (!(set->flags & NFT_SET_TIMEOUT))
6918 return -EINVAL;
6919 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6920 &timeout);
6921 if (err)
6922 return err;
6923 } else if (set->flags & NFT_SET_TIMEOUT &&
6924 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6925 timeout = set->timeout;
6926 }
6927
6928 expiration = 0;
6929 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6930 if (!(set->flags & NFT_SET_TIMEOUT))
6931 return -EINVAL;
6932 if (timeout == 0)
6933 return -EOPNOTSUPP;
6934
6935 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6936 &expiration);
6937 if (err)
6938 return err;
6939
6940 if (expiration > timeout)
6941 return -ERANGE;
6942 }
6943
6944 if (nla[NFTA_SET_ELEM_EXPR]) {
6945 struct nft_expr *expr;
6946
6947 if (set->num_exprs && set->num_exprs != 1)
6948 return -EOPNOTSUPP;
6949
6950 expr = nft_set_elem_expr_alloc(ctx, set,
6951 nla[NFTA_SET_ELEM_EXPR]);
6952 if (IS_ERR(expr))
6953 return PTR_ERR(expr);
6954
6955 expr_array[0] = expr;
6956 num_exprs = 1;
6957
6958 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6959 err = -EOPNOTSUPP;
6960 goto err_set_elem_expr;
6961 }
6962 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6963 struct nft_expr *expr;
6964 struct nlattr *tmp;
6965 int left;
6966
6967 i = 0;
6968 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6969 if (i == NFT_SET_EXPR_MAX ||
6970 (set->num_exprs && set->num_exprs == i)) {
6971 err = -E2BIG;
6972 goto err_set_elem_expr;
6973 }
6974 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6975 err = -EINVAL;
6976 goto err_set_elem_expr;
6977 }
6978 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6979 if (IS_ERR(expr)) {
6980 err = PTR_ERR(expr);
6981 goto err_set_elem_expr;
6982 }
6983 expr_array[i] = expr;
6984 num_exprs++;
6985
6986 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6987 err = -EOPNOTSUPP;
6988 goto err_set_elem_expr;
6989 }
6990 i++;
6991 }
6992 if (set->num_exprs && set->num_exprs != i) {
6993 err = -EOPNOTSUPP;
6994 goto err_set_elem_expr;
6995 }
6996 } else if (set->num_exprs > 0 &&
6997 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6998 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6999 if (err < 0)
7000 goto err_set_elem_expr_clone;
7001
7002 num_exprs = set->num_exprs;
7003 }
7004
7005 if (nla[NFTA_SET_ELEM_KEY]) {
7006 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7007 nla[NFTA_SET_ELEM_KEY]);
7008 if (err < 0)
7009 goto err_set_elem_expr;
7010
7011 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7012 if (err < 0)
7013 goto err_parse_key;
7014 }
7015
7016 if (nla[NFTA_SET_ELEM_KEY_END]) {
7017 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7018 nla[NFTA_SET_ELEM_KEY_END]);
7019 if (err < 0)
7020 goto err_parse_key;
7021
7022 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7023 if (err < 0)
7024 goto err_parse_key_end;
7025 }
7026
7027 if (set->flags & NFT_SET_TIMEOUT) {
7028 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
7029 if (err < 0)
7030 goto err_parse_key_end;
7031 }
7032
7033 if (num_exprs) {
7034 for (i = 0; i < num_exprs; i++)
7035 size += expr_array[i]->ops->size;
7036
7037 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
7038 sizeof(struct nft_set_elem_expr) + size);
7039 if (err < 0)
7040 goto err_parse_key_end;
7041 }
7042
7043 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
7044 obj = nft_obj_lookup(ctx->net, ctx->table,
7045 nla[NFTA_SET_ELEM_OBJREF],
7046 set->objtype, genmask);
7047 if (IS_ERR(obj)) {
7048 err = PTR_ERR(obj);
7049 obj = NULL;
7050 goto err_parse_key_end;
7051 }
7052
7053 if (!nft_use_inc(&obj->use)) {
7054 err = -EMFILE;
7055 obj = NULL;
7056 goto err_parse_key_end;
7057 }
7058
7059 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
7060 if (err < 0)
7061 goto err_parse_key_end;
7062 }
7063
7064 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
7065 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
7066 nla[NFTA_SET_ELEM_DATA]);
7067 if (err < 0)
7068 goto err_parse_key_end;
7069
7070 dreg = nft_type_to_reg(set->dtype);
7071 list_for_each_entry(binding, &set->bindings, list) {
7072 struct nft_ctx bind_ctx = {
7073 .net = ctx->net,
7074 .family = ctx->family,
7075 .table = ctx->table,
7076 .chain = (struct nft_chain *)binding->chain,
7077 };
7078
7079 if (!(binding->flags & NFT_SET_MAP))
7080 continue;
7081
7082 err = nft_validate_register_store(&bind_ctx, dreg,
7083 &elem.data.val,
7084 desc.type, desc.len);
7085 if (err < 0)
7086 goto err_parse_data;
7087
7088 if (desc.type == NFT_DATA_VERDICT &&
7089 (elem.data.val.verdict.code == NFT_GOTO ||
7090 elem.data.val.verdict.code == NFT_JUMP))
7091 nft_validate_state_update(ctx->table,
7092 NFT_VALIDATE_NEED);
7093 }
7094
7095 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
7096 if (err < 0)
7097 goto err_parse_data;
7098 }
7099
7100 /* The full maximum length of userdata can exceed the maximum
7101 * offset value (U8_MAX) for following extensions, therefor it
7102 * must be the last extension added.
7103 */
7104 ulen = 0;
7105 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
7106 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
7107 if (ulen > 0) {
7108 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
7109 ulen);
7110 if (err < 0)
7111 goto err_parse_data;
7112 }
7113 }
7114
7115 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7116 elem.key_end.val.data, elem.data.val.data,
7117 timeout, expiration, GFP_KERNEL_ACCOUNT);
7118 if (IS_ERR(elem.priv)) {
7119 err = PTR_ERR(elem.priv);
7120 goto err_parse_data;
7121 }
7122
7123 ext = nft_set_elem_ext(set, elem.priv);
7124 if (flags)
7125 *nft_set_ext_flags(ext) = flags;
7126
7127 if (obj)
7128 *nft_set_ext_obj(ext) = obj;
7129
7130 if (ulen > 0) {
7131 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
7132 err = -EINVAL;
7133 goto err_elem_free;
7134 }
7135 udata = nft_set_ext_userdata(ext);
7136 udata->len = ulen - 1;
7137 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
7138 }
7139 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
7140 if (err < 0)
7141 goto err_elem_free;
7142
7143 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
7144 if (trans == NULL) {
7145 err = -ENOMEM;
7146 goto err_elem_free;
7147 }
7148
7149 ext->genmask = nft_genmask_cur(ctx->net);
7150
7151 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags);
7152 if (err) {
7153 if (err == -EEXIST) {
7154 ext2 = nft_set_elem_ext(set, elem_priv);
7155 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
7156 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
7157 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
7158 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
7159 goto err_element_clash;
7160 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
7161 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
7162 memcmp(nft_set_ext_data(ext),
7163 nft_set_ext_data(ext2), set->dlen) != 0) ||
7164 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
7165 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
7166 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
7167 goto err_element_clash;
7168 else if (!(nlmsg_flags & NLM_F_EXCL)) {
7169 err = 0;
7170 if (nft_set_ext_exists(ext2, NFT_SET_EXT_TIMEOUT)) {
7171 update_flags = 0;
7172 if (timeout != nft_set_ext_timeout(ext2)->timeout) {
7173 nft_trans_elem_timeout(trans) = timeout;
7174 if (expiration == 0)
7175 expiration = timeout;
7176
7177 update_flags |= NFT_TRANS_UPD_TIMEOUT;
7178 }
7179 if (expiration) {
7180 nft_trans_elem_expiration(trans) = expiration;
7181 update_flags |= NFT_TRANS_UPD_EXPIRATION;
7182 }
7183
7184 if (update_flags) {
7185 nft_trans_elem_priv(trans) = elem_priv;
7186 nft_trans_elem_update_flags(trans) = update_flags;
7187 nft_trans_commit_list_add_tail(ctx->net, trans);
7188 goto err_elem_free;
7189 }
7190 }
7191 }
7192 } else if (err == -ENOTEMPTY) {
7193 /* ENOTEMPTY reports overlapping between this element
7194 * and an existing one.
7195 */
7196 err = -EEXIST;
7197 }
7198 goto err_element_clash;
7199 }
7200
7201 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
7202 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX;
7203
7204 if (!atomic_add_unless(&set->nelems, 1, max)) {
7205 err = -ENFILE;
7206 goto err_set_full;
7207 }
7208 }
7209
7210 nft_trans_elem_priv(trans) = elem.priv;
7211 nft_trans_commit_list_add_tail(ctx->net, trans);
7212 return 0;
7213
7214 err_set_full:
7215 nft_setelem_remove(ctx->net, set, elem.priv);
7216 err_element_clash:
7217 kfree(trans);
7218 err_elem_free:
7219 nf_tables_set_elem_destroy(ctx, set, elem.priv);
7220 err_parse_data:
7221 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7222 nft_data_release(&elem.data.val, desc.type);
7223 err_parse_key_end:
7224 if (obj)
7225 nft_use_dec_restore(&obj->use);
7226
7227 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7228 err_parse_key:
7229 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7230 err_set_elem_expr:
7231 for (i = 0; i < num_exprs && expr_array[i]; i++)
7232 nft_expr_destroy(ctx, expr_array[i]);
7233 err_set_elem_expr_clone:
7234 return err;
7235 }
7236
nf_tables_newsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7237 static int nf_tables_newsetelem(struct sk_buff *skb,
7238 const struct nfnl_info *info,
7239 const struct nlattr * const nla[])
7240 {
7241 struct netlink_ext_ack *extack = info->extack;
7242 u8 genmask = nft_genmask_next(info->net);
7243 u8 family = info->nfmsg->nfgen_family;
7244 struct net *net = info->net;
7245 const struct nlattr *attr;
7246 struct nft_table *table;
7247 struct nft_set *set;
7248 struct nft_ctx ctx;
7249 int rem, err;
7250
7251 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
7252 return -EINVAL;
7253
7254 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7255 genmask, NETLINK_CB(skb).portid);
7256 if (IS_ERR(table)) {
7257 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7258 return PTR_ERR(table);
7259 }
7260
7261 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
7262 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
7263 if (IS_ERR(set)) {
7264 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7265 return PTR_ERR(set);
7266 }
7267
7268 if (!list_empty(&set->bindings) &&
7269 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
7270 return -EBUSY;
7271
7272 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7273
7274 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7275 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
7276 if (err < 0) {
7277 NL_SET_BAD_ATTR(extack, attr);
7278 return err;
7279 }
7280 }
7281
7282 if (table->validate_state == NFT_VALIDATE_DO)
7283 return nft_table_validate(net, table);
7284
7285 return 0;
7286 }
7287
7288 /**
7289 * nft_data_hold - hold a nft_data item
7290 *
7291 * @data: struct nft_data to release
7292 * @type: type of data
7293 *
7294 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7295 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7296 * NFT_GOTO verdicts. This function must be called on active data objects
7297 * from the second phase of the commit protocol.
7298 */
nft_data_hold(const struct nft_data * data,enum nft_data_types type)7299 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7300 {
7301 struct nft_chain *chain;
7302
7303 if (type == NFT_DATA_VERDICT) {
7304 switch (data->verdict.code) {
7305 case NFT_JUMP:
7306 case NFT_GOTO:
7307 chain = data->verdict.chain;
7308 nft_use_inc_restore(&chain->use);
7309 break;
7310 }
7311 }
7312 }
7313
nft_setelem_active_next(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7314 static int nft_setelem_active_next(const struct net *net,
7315 const struct nft_set *set,
7316 struct nft_elem_priv *elem_priv)
7317 {
7318 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7319 u8 genmask = nft_genmask_next(net);
7320
7321 return nft_set_elem_active(ext, genmask);
7322 }
7323
nft_setelem_data_activate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7324 static void nft_setelem_data_activate(const struct net *net,
7325 const struct nft_set *set,
7326 struct nft_elem_priv *elem_priv)
7327 {
7328 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7329
7330 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7331 nft_data_hold(nft_set_ext_data(ext), set->dtype);
7332 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7333 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
7334 }
7335
nft_setelem_data_deactivate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7336 void nft_setelem_data_deactivate(const struct net *net,
7337 const struct nft_set *set,
7338 struct nft_elem_priv *elem_priv)
7339 {
7340 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7341
7342 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7343 nft_data_release(nft_set_ext_data(ext), set->dtype);
7344 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7345 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
7346 }
7347
nft_del_setelem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)7348 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7349 const struct nlattr *attr)
7350 {
7351 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7352 struct nft_set_ext_tmpl tmpl;
7353 struct nft_set_elem elem;
7354 struct nft_set_ext *ext;
7355 struct nft_trans *trans;
7356 u32 flags = 0;
7357 int err;
7358
7359 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7360 nft_set_elem_policy, NULL);
7361 if (err < 0)
7362 return err;
7363
7364 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7365 if (err < 0)
7366 return err;
7367
7368 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7369 return -EINVAL;
7370
7371 if (!nft_setelem_valid_key_end(set, nla, flags))
7372 return -EINVAL;
7373
7374 nft_set_ext_prepare(&tmpl);
7375
7376 if (flags != 0) {
7377 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7378 if (err < 0)
7379 return err;
7380 }
7381
7382 if (nla[NFTA_SET_ELEM_KEY]) {
7383 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7384 nla[NFTA_SET_ELEM_KEY]);
7385 if (err < 0)
7386 return err;
7387
7388 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7389 if (err < 0)
7390 goto fail_elem;
7391 }
7392
7393 if (nla[NFTA_SET_ELEM_KEY_END]) {
7394 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7395 nla[NFTA_SET_ELEM_KEY_END]);
7396 if (err < 0)
7397 goto fail_elem;
7398
7399 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7400 if (err < 0)
7401 goto fail_elem_key_end;
7402 }
7403
7404 err = -ENOMEM;
7405 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7406 elem.key_end.val.data, NULL, 0, 0,
7407 GFP_KERNEL_ACCOUNT);
7408 if (IS_ERR(elem.priv)) {
7409 err = PTR_ERR(elem.priv);
7410 goto fail_elem_key_end;
7411 }
7412
7413 ext = nft_set_elem_ext(set, elem.priv);
7414 if (flags)
7415 *nft_set_ext_flags(ext) = flags;
7416
7417 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7418 if (trans == NULL)
7419 goto fail_trans;
7420
7421 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
7422 if (err < 0)
7423 goto fail_ops;
7424
7425 nft_setelem_data_deactivate(ctx->net, set, elem.priv);
7426
7427 nft_trans_elem_priv(trans) = elem.priv;
7428 nft_trans_commit_list_add_tail(ctx->net, trans);
7429 return 0;
7430
7431 fail_ops:
7432 kfree(trans);
7433 fail_trans:
7434 kfree(elem.priv);
7435 fail_elem_key_end:
7436 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7437 fail_elem:
7438 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7439 return err;
7440 }
7441
nft_setelem_flush(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)7442 static int nft_setelem_flush(const struct nft_ctx *ctx,
7443 struct nft_set *set,
7444 const struct nft_set_iter *iter,
7445 struct nft_elem_priv *elem_priv)
7446 {
7447 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7448 struct nft_trans *trans;
7449
7450 if (!nft_set_elem_active(ext, iter->genmask))
7451 return 0;
7452
7453 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7454 sizeof(struct nft_trans_elem), GFP_ATOMIC);
7455 if (!trans)
7456 return -ENOMEM;
7457
7458 set->ops->flush(ctx->net, set, elem_priv);
7459 set->ndeact++;
7460
7461 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7462 nft_trans_elem_set(trans) = set;
7463 nft_trans_elem_priv(trans) = elem_priv;
7464 nft_trans_commit_list_add_tail(ctx->net, trans);
7465
7466 return 0;
7467 }
7468
__nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)7469 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7470 struct nft_set *set,
7471 struct nft_elem_priv *elem_priv)
7472 {
7473 struct nft_trans *trans;
7474
7475 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7476 sizeof(struct nft_trans_elem), GFP_KERNEL);
7477 if (!trans)
7478 return -ENOMEM;
7479
7480 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7481 nft_trans_elem_set(trans) = set;
7482 nft_trans_elem_priv(trans) = elem_priv;
7483 nft_trans_commit_list_add_tail(ctx->net, trans);
7484
7485 return 0;
7486 }
7487
nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set)7488 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7489 struct nft_set *set)
7490 {
7491 u8 genmask = nft_genmask_next(ctx->net);
7492 struct nft_set_elem_catchall *catchall;
7493 struct nft_set_ext *ext;
7494 int ret = 0;
7495
7496 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
7497 ext = nft_set_elem_ext(set, catchall->elem);
7498 if (!nft_set_elem_active(ext, genmask))
7499 continue;
7500
7501 ret = __nft_set_catchall_flush(ctx, set, catchall->elem);
7502 if (ret < 0)
7503 break;
7504 nft_set_elem_change_active(ctx->net, set, ext);
7505 }
7506
7507 return ret;
7508 }
7509
nft_set_flush(struct nft_ctx * ctx,struct nft_set * set,u8 genmask)7510 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
7511 {
7512 struct nft_set_iter iter = {
7513 .genmask = genmask,
7514 .type = NFT_ITER_UPDATE,
7515 .fn = nft_setelem_flush,
7516 };
7517
7518 set->ops->walk(ctx, set, &iter);
7519 if (!iter.err)
7520 iter.err = nft_set_catchall_flush(ctx, set);
7521
7522 return iter.err;
7523 }
7524
nf_tables_delsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7525 static int nf_tables_delsetelem(struct sk_buff *skb,
7526 const struct nfnl_info *info,
7527 const struct nlattr * const nla[])
7528 {
7529 struct netlink_ext_ack *extack = info->extack;
7530 u8 genmask = nft_genmask_next(info->net);
7531 u8 family = info->nfmsg->nfgen_family;
7532 struct net *net = info->net;
7533 const struct nlattr *attr;
7534 struct nft_table *table;
7535 struct nft_set *set;
7536 struct nft_ctx ctx;
7537 int rem, err = 0;
7538
7539 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7540 genmask, NETLINK_CB(skb).portid);
7541 if (IS_ERR(table)) {
7542 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7543 return PTR_ERR(table);
7544 }
7545
7546 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
7547 if (IS_ERR(set)) {
7548 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7549 return PTR_ERR(set);
7550 }
7551
7552 if (nft_set_is_anonymous(set))
7553 return -EOPNOTSUPP;
7554
7555 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
7556 return -EBUSY;
7557
7558 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7559
7560 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
7561 return nft_set_flush(&ctx, set, genmask);
7562
7563 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7564 err = nft_del_setelem(&ctx, set, attr);
7565 if (err == -ENOENT &&
7566 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
7567 continue;
7568
7569 if (err < 0) {
7570 NL_SET_BAD_ATTR(extack, attr);
7571 return err;
7572 }
7573 }
7574
7575 return 0;
7576 }
7577
7578 /*
7579 * Stateful objects
7580 */
7581
7582 /**
7583 * nft_register_obj- register nf_tables stateful object type
7584 * @obj_type: object type
7585 *
7586 * Registers the object type for use with nf_tables. Returns zero on
7587 * success or a negative errno code otherwise.
7588 */
nft_register_obj(struct nft_object_type * obj_type)7589 int nft_register_obj(struct nft_object_type *obj_type)
7590 {
7591 if (obj_type->type == NFT_OBJECT_UNSPEC)
7592 return -EINVAL;
7593
7594 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7595 list_add_rcu(&obj_type->list, &nf_tables_objects);
7596 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7597 return 0;
7598 }
7599 EXPORT_SYMBOL_GPL(nft_register_obj);
7600
7601 /**
7602 * nft_unregister_obj - unregister nf_tables object type
7603 * @obj_type: object type
7604 *
7605 * Unregisters the object type for use with nf_tables.
7606 */
nft_unregister_obj(struct nft_object_type * obj_type)7607 void nft_unregister_obj(struct nft_object_type *obj_type)
7608 {
7609 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7610 list_del_rcu(&obj_type->list);
7611 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7612 }
7613 EXPORT_SYMBOL_GPL(nft_unregister_obj);
7614
nft_obj_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)7615 struct nft_object *nft_obj_lookup(const struct net *net,
7616 const struct nft_table *table,
7617 const struct nlattr *nla, u32 objtype,
7618 u8 genmask)
7619 {
7620 struct nft_object_hash_key k = { .table = table };
7621 char search[NFT_OBJ_MAXNAMELEN];
7622 struct rhlist_head *tmp, *list;
7623 struct nft_object *obj;
7624
7625 nla_strscpy(search, nla, sizeof(search));
7626 k.name = search;
7627
7628 WARN_ON_ONCE(!rcu_read_lock_held() &&
7629 !lockdep_commit_lock_is_held(net));
7630
7631 rcu_read_lock();
7632 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
7633 if (!list)
7634 goto out;
7635
7636 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
7637 if (objtype == obj->ops->type->type &&
7638 nft_active_genmask(obj, genmask)) {
7639 rcu_read_unlock();
7640 return obj;
7641 }
7642 }
7643 out:
7644 rcu_read_unlock();
7645 return ERR_PTR(-ENOENT);
7646 }
7647 EXPORT_SYMBOL_GPL(nft_obj_lookup);
7648
nft_obj_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)7649 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7650 const struct nlattr *nla,
7651 u32 objtype, u8 genmask)
7652 {
7653 struct nft_object *obj;
7654
7655 list_for_each_entry(obj, &table->objects, list) {
7656 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7657 objtype == obj->ops->type->type &&
7658 nft_active_genmask(obj, genmask))
7659 return obj;
7660 }
7661 return ERR_PTR(-ENOENT);
7662 }
7663
7664 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7665 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7666 .len = NFT_TABLE_MAXNAMELEN - 1 },
7667 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7668 .len = NFT_OBJ_MAXNAMELEN - 1 },
7669 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7670 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7671 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7672 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7673 .len = NFT_USERDATA_MAXLEN },
7674 };
7675
nft_obj_init(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr)7676 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7677 const struct nft_object_type *type,
7678 const struct nlattr *attr)
7679 {
7680 struct nlattr **tb;
7681 const struct nft_object_ops *ops;
7682 struct nft_object *obj;
7683 int err = -ENOMEM;
7684
7685 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
7686 if (!tb)
7687 goto err1;
7688
7689 if (attr) {
7690 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
7691 type->policy, NULL);
7692 if (err < 0)
7693 goto err2;
7694 } else {
7695 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7696 }
7697
7698 if (type->select_ops) {
7699 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7700 if (IS_ERR(ops)) {
7701 err = PTR_ERR(ops);
7702 goto err2;
7703 }
7704 } else {
7705 ops = type->ops;
7706 }
7707
7708 err = -ENOMEM;
7709 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7710 if (!obj)
7711 goto err2;
7712
7713 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7714 if (err < 0)
7715 goto err3;
7716
7717 obj->ops = ops;
7718
7719 kfree(tb);
7720 return obj;
7721 err3:
7722 kfree(obj);
7723 err2:
7724 kfree(tb);
7725 err1:
7726 return ERR_PTR(err);
7727 }
7728
nft_object_dump(struct sk_buff * skb,unsigned int attr,struct nft_object * obj,bool reset)7729 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7730 struct nft_object *obj, bool reset)
7731 {
7732 struct nlattr *nest;
7733
7734 nest = nla_nest_start_noflag(skb, attr);
7735 if (!nest)
7736 goto nla_put_failure;
7737 if (obj->ops->dump(skb, obj, reset) < 0)
7738 goto nla_put_failure;
7739 nla_nest_end(skb, nest);
7740 return 0;
7741
7742 nla_put_failure:
7743 return -1;
7744 }
7745
__nft_obj_type_get(u32 objtype,u8 family)7746 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
7747 {
7748 const struct nft_object_type *type;
7749
7750 list_for_each_entry_rcu(type, &nf_tables_objects, list) {
7751 if (type->family != NFPROTO_UNSPEC &&
7752 type->family != family)
7753 continue;
7754
7755 if (objtype == type->type)
7756 return type;
7757 }
7758 return NULL;
7759 }
7760
7761 static const struct nft_object_type *
nft_obj_type_get(struct net * net,u32 objtype,u8 family)7762 nft_obj_type_get(struct net *net, u32 objtype, u8 family)
7763 {
7764 const struct nft_object_type *type;
7765
7766 rcu_read_lock();
7767 type = __nft_obj_type_get(objtype, family);
7768 if (type != NULL && try_module_get(type->owner)) {
7769 rcu_read_unlock();
7770 return type;
7771 }
7772 rcu_read_unlock();
7773
7774 lockdep_nfnl_nft_mutex_not_held();
7775 #ifdef CONFIG_MODULES
7776 if (type == NULL) {
7777 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7778 return ERR_PTR(-EAGAIN);
7779 }
7780 #endif
7781 return ERR_PTR(-ENOENT);
7782 }
7783
nf_tables_updobj(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr,struct nft_object * obj)7784 static int nf_tables_updobj(const struct nft_ctx *ctx,
7785 const struct nft_object_type *type,
7786 const struct nlattr *attr,
7787 struct nft_object *obj)
7788 {
7789 struct nft_object *newobj;
7790 struct nft_trans *trans;
7791 int err = -ENOMEM;
7792
7793 if (!try_module_get(type->owner))
7794 return -ENOENT;
7795
7796 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
7797 sizeof(struct nft_trans_obj));
7798 if (!trans)
7799 goto err_trans;
7800
7801 newobj = nft_obj_init(ctx, type, attr);
7802 if (IS_ERR(newobj)) {
7803 err = PTR_ERR(newobj);
7804 goto err_free_trans;
7805 }
7806
7807 nft_trans_obj(trans) = obj;
7808 nft_trans_obj_update(trans) = true;
7809 nft_trans_obj_newobj(trans) = newobj;
7810 nft_trans_commit_list_add_tail(ctx->net, trans);
7811
7812 return 0;
7813
7814 err_free_trans:
7815 kfree(trans);
7816 err_trans:
7817 module_put(type->owner);
7818 return err;
7819 }
7820
nf_tables_newobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7821 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7822 const struct nlattr * const nla[])
7823 {
7824 struct netlink_ext_ack *extack = info->extack;
7825 u8 genmask = nft_genmask_next(info->net);
7826 u8 family = info->nfmsg->nfgen_family;
7827 const struct nft_object_type *type;
7828 struct net *net = info->net;
7829 struct nft_table *table;
7830 struct nft_object *obj;
7831 struct nft_ctx ctx;
7832 u32 objtype;
7833 int err;
7834
7835 if (!nla[NFTA_OBJ_TYPE] ||
7836 !nla[NFTA_OBJ_NAME] ||
7837 !nla[NFTA_OBJ_DATA])
7838 return -EINVAL;
7839
7840 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7841 NETLINK_CB(skb).portid);
7842 if (IS_ERR(table)) {
7843 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7844 return PTR_ERR(table);
7845 }
7846
7847 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7848 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7849 if (IS_ERR(obj)) {
7850 err = PTR_ERR(obj);
7851 if (err != -ENOENT) {
7852 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7853 return err;
7854 }
7855 } else {
7856 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7857 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7858 return -EEXIST;
7859 }
7860 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7861 return -EOPNOTSUPP;
7862
7863 type = __nft_obj_type_get(objtype, family);
7864 if (WARN_ON_ONCE(!type))
7865 return -ENOENT;
7866
7867 if (!obj->ops->update)
7868 return 0;
7869
7870 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7871
7872 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
7873 }
7874
7875 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7876
7877 if (!nft_use_inc(&table->use))
7878 return -EMFILE;
7879
7880 type = nft_obj_type_get(net, objtype, family);
7881 if (IS_ERR(type)) {
7882 err = PTR_ERR(type);
7883 goto err_type;
7884 }
7885
7886 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
7887 if (IS_ERR(obj)) {
7888 err = PTR_ERR(obj);
7889 goto err_init;
7890 }
7891 obj->key.table = table;
7892 obj->handle = nf_tables_alloc_handle(table);
7893
7894 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7895 if (!obj->key.name) {
7896 err = -ENOMEM;
7897 goto err_strdup;
7898 }
7899
7900 if (nla[NFTA_OBJ_USERDATA]) {
7901 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7902 if (obj->udata == NULL)
7903 goto err_userdata;
7904
7905 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
7906 }
7907
7908 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
7909 if (err < 0)
7910 goto err_trans;
7911
7912 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
7913 nft_objname_ht_params);
7914 if (err < 0)
7915 goto err_obj_ht;
7916
7917 list_add_tail_rcu(&obj->list, &table->objects);
7918
7919 return 0;
7920 err_obj_ht:
7921 /* queued in transaction log */
7922 INIT_LIST_HEAD(&obj->list);
7923 return err;
7924 err_trans:
7925 kfree(obj->udata);
7926 err_userdata:
7927 kfree(obj->key.name);
7928 err_strdup:
7929 if (obj->ops->destroy)
7930 obj->ops->destroy(&ctx, obj);
7931 kfree(obj);
7932 err_init:
7933 module_put(type->owner);
7934 err_type:
7935 nft_use_dec_restore(&table->use);
7936
7937 return err;
7938 }
7939
nf_tables_fill_obj_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,struct nft_object * obj,bool reset)7940 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7941 u32 portid, u32 seq, int event, u32 flags,
7942 int family, const struct nft_table *table,
7943 struct nft_object *obj, bool reset)
7944 {
7945 struct nlmsghdr *nlh;
7946
7947 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7948 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7949 NFNETLINK_V0, nft_base_seq(net));
7950 if (!nlh)
7951 goto nla_put_failure;
7952
7953 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7954 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7955 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7956 NFTA_OBJ_PAD))
7957 goto nla_put_failure;
7958
7959 if (event == NFT_MSG_DELOBJ) {
7960 nlmsg_end(skb, nlh);
7961 return 0;
7962 }
7963
7964 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7965 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7966 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
7967 goto nla_put_failure;
7968
7969 if (obj->udata &&
7970 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7971 goto nla_put_failure;
7972
7973 nlmsg_end(skb, nlh);
7974 return 0;
7975
7976 nla_put_failure:
7977 nlmsg_trim(skb, nlh);
7978 return -1;
7979 }
7980
audit_log_obj_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)7981 static void audit_log_obj_reset(const struct nft_table *table,
7982 unsigned int base_seq, unsigned int nentries)
7983 {
7984 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
7985
7986 audit_log_nfcfg(buf, table->family, nentries,
7987 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
7988 kfree(buf);
7989 }
7990
7991 struct nft_obj_dump_ctx {
7992 unsigned int s_idx;
7993 char *table;
7994 u32 type;
7995 bool reset;
7996 };
7997
nf_tables_dump_obj(struct sk_buff * skb,struct netlink_callback * cb)7998 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7999 {
8000 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8001 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8002 struct net *net = sock_net(skb->sk);
8003 int family = nfmsg->nfgen_family;
8004 struct nftables_pernet *nft_net;
8005 const struct nft_table *table;
8006 unsigned int entries = 0;
8007 struct nft_object *obj;
8008 unsigned int idx = 0;
8009 int rc = 0;
8010
8011 rcu_read_lock();
8012 nft_net = nft_pernet(net);
8013 cb->seq = READ_ONCE(nft_net->base_seq);
8014
8015 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8016 if (family != NFPROTO_UNSPEC && family != table->family)
8017 continue;
8018
8019 entries = 0;
8020 list_for_each_entry_rcu(obj, &table->objects, list) {
8021 if (!nft_is_active(net, obj))
8022 goto cont;
8023 if (idx < ctx->s_idx)
8024 goto cont;
8025 if (ctx->table && strcmp(ctx->table, table->name))
8026 goto cont;
8027 if (ctx->type != NFT_OBJECT_UNSPEC &&
8028 obj->ops->type->type != ctx->type)
8029 goto cont;
8030
8031 rc = nf_tables_fill_obj_info(skb, net,
8032 NETLINK_CB(cb->skb).portid,
8033 cb->nlh->nlmsg_seq,
8034 NFT_MSG_NEWOBJ,
8035 NLM_F_MULTI | NLM_F_APPEND,
8036 table->family, table,
8037 obj, ctx->reset);
8038 if (rc < 0)
8039 break;
8040
8041 entries++;
8042 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8043 cont:
8044 idx++;
8045 }
8046 if (ctx->reset && entries)
8047 audit_log_obj_reset(table, nft_net->base_seq, entries);
8048 if (rc < 0)
8049 break;
8050 }
8051 rcu_read_unlock();
8052
8053 ctx->s_idx = idx;
8054 return skb->len;
8055 }
8056
nf_tables_dumpreset_obj(struct sk_buff * skb,struct netlink_callback * cb)8057 static int nf_tables_dumpreset_obj(struct sk_buff *skb,
8058 struct netlink_callback *cb)
8059 {
8060 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
8061 int ret;
8062
8063 mutex_lock(&nft_net->commit_mutex);
8064 ret = nf_tables_dump_obj(skb, cb);
8065 mutex_unlock(&nft_net->commit_mutex);
8066
8067 return ret;
8068 }
8069
nf_tables_dump_obj_start(struct netlink_callback * cb)8070 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
8071 {
8072 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8073 const struct nlattr * const *nla = cb->data;
8074
8075 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
8076
8077 if (nla[NFTA_OBJ_TABLE]) {
8078 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
8079 if (!ctx->table)
8080 return -ENOMEM;
8081 }
8082
8083 if (nla[NFTA_OBJ_TYPE])
8084 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8085
8086 return 0;
8087 }
8088
nf_tables_dumpreset_obj_start(struct netlink_callback * cb)8089 static int nf_tables_dumpreset_obj_start(struct netlink_callback *cb)
8090 {
8091 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8092
8093 ctx->reset = true;
8094
8095 return nf_tables_dump_obj_start(cb);
8096 }
8097
nf_tables_dump_obj_done(struct netlink_callback * cb)8098 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
8099 {
8100 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8101
8102 kfree(ctx->table);
8103
8104 return 0;
8105 }
8106
8107 /* called with rcu_read_lock held */
8108 static struct sk_buff *
nf_tables_getobj_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)8109 nf_tables_getobj_single(u32 portid, const struct nfnl_info *info,
8110 const struct nlattr * const nla[], bool reset)
8111 {
8112 struct netlink_ext_ack *extack = info->extack;
8113 u8 genmask = nft_genmask_cur(info->net);
8114 u8 family = info->nfmsg->nfgen_family;
8115 const struct nft_table *table;
8116 struct net *net = info->net;
8117 struct nft_object *obj;
8118 struct sk_buff *skb2;
8119 u32 objtype;
8120 int err;
8121
8122 if (!nla[NFTA_OBJ_NAME] ||
8123 !nla[NFTA_OBJ_TYPE])
8124 return ERR_PTR(-EINVAL);
8125
8126 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
8127 if (IS_ERR(table)) {
8128 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8129 return ERR_CAST(table);
8130 }
8131
8132 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8133 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8134 if (IS_ERR(obj)) {
8135 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8136 return ERR_CAST(obj);
8137 }
8138
8139 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8140 if (!skb2)
8141 return ERR_PTR(-ENOMEM);
8142
8143 err = nf_tables_fill_obj_info(skb2, net, portid,
8144 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
8145 family, table, obj, reset);
8146 if (err < 0) {
8147 kfree_skb(skb2);
8148 return ERR_PTR(err);
8149 }
8150
8151 return skb2;
8152 }
8153
nf_tables_getobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8154 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
8155 const struct nlattr * const nla[])
8156 {
8157 u32 portid = NETLINK_CB(skb).portid;
8158 struct sk_buff *skb2;
8159
8160 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8161 struct netlink_dump_control c = {
8162 .start = nf_tables_dump_obj_start,
8163 .dump = nf_tables_dump_obj,
8164 .done = nf_tables_dump_obj_done,
8165 .module = THIS_MODULE,
8166 .data = (void *)nla,
8167 };
8168
8169 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8170 }
8171
8172 skb2 = nf_tables_getobj_single(portid, info, nla, false);
8173 if (IS_ERR(skb2))
8174 return PTR_ERR(skb2);
8175
8176 return nfnetlink_unicast(skb2, info->net, portid);
8177 }
8178
nf_tables_getobj_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8179 static int nf_tables_getobj_reset(struct sk_buff *skb,
8180 const struct nfnl_info *info,
8181 const struct nlattr * const nla[])
8182 {
8183 struct nftables_pernet *nft_net = nft_pernet(info->net);
8184 u32 portid = NETLINK_CB(skb).portid;
8185 struct net *net = info->net;
8186 struct sk_buff *skb2;
8187 char *buf;
8188
8189 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8190 struct netlink_dump_control c = {
8191 .start = nf_tables_dumpreset_obj_start,
8192 .dump = nf_tables_dumpreset_obj,
8193 .done = nf_tables_dump_obj_done,
8194 .module = THIS_MODULE,
8195 .data = (void *)nla,
8196 };
8197
8198 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8199 }
8200
8201 if (!try_module_get(THIS_MODULE))
8202 return -EINVAL;
8203 rcu_read_unlock();
8204 mutex_lock(&nft_net->commit_mutex);
8205 skb2 = nf_tables_getobj_single(portid, info, nla, true);
8206 mutex_unlock(&nft_net->commit_mutex);
8207 rcu_read_lock();
8208 module_put(THIS_MODULE);
8209
8210 if (IS_ERR(skb2))
8211 return PTR_ERR(skb2);
8212
8213 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
8214 nla_len(nla[NFTA_OBJ_TABLE]),
8215 (char *)nla_data(nla[NFTA_OBJ_TABLE]),
8216 nft_net->base_seq);
8217 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
8218 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
8219 kfree(buf);
8220
8221 return nfnetlink_unicast(skb2, net, portid);
8222 }
8223
nft_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)8224 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
8225 {
8226 if (obj->ops->destroy)
8227 obj->ops->destroy(ctx, obj);
8228
8229 module_put(obj->ops->type->owner);
8230 kfree(obj->key.name);
8231 kfree(obj->udata);
8232 kfree(obj);
8233 }
8234
nf_tables_delobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8235 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
8236 const struct nlattr * const nla[])
8237 {
8238 struct netlink_ext_ack *extack = info->extack;
8239 u8 genmask = nft_genmask_next(info->net);
8240 u8 family = info->nfmsg->nfgen_family;
8241 struct net *net = info->net;
8242 const struct nlattr *attr;
8243 struct nft_table *table;
8244 struct nft_object *obj;
8245 struct nft_ctx ctx;
8246 u32 objtype;
8247
8248 if (!nla[NFTA_OBJ_TYPE] ||
8249 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
8250 return -EINVAL;
8251
8252 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8253 NETLINK_CB(skb).portid);
8254 if (IS_ERR(table)) {
8255 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8256 return PTR_ERR(table);
8257 }
8258
8259 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8260 if (nla[NFTA_OBJ_HANDLE]) {
8261 attr = nla[NFTA_OBJ_HANDLE];
8262 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
8263 } else {
8264 attr = nla[NFTA_OBJ_NAME];
8265 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
8266 }
8267
8268 if (IS_ERR(obj)) {
8269 if (PTR_ERR(obj) == -ENOENT &&
8270 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
8271 return 0;
8272
8273 NL_SET_BAD_ATTR(extack, attr);
8274 return PTR_ERR(obj);
8275 }
8276 if (obj->use > 0) {
8277 NL_SET_BAD_ATTR(extack, attr);
8278 return -EBUSY;
8279 }
8280
8281 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8282
8283 return nft_delobj(&ctx, obj);
8284 }
8285
8286 static void
__nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8287 __nft_obj_notify(struct net *net, const struct nft_table *table,
8288 struct nft_object *obj, u32 portid, u32 seq, int event,
8289 u16 flags, int family, int report, gfp_t gfp)
8290 {
8291 struct nftables_pernet *nft_net = nft_pernet(net);
8292 struct sk_buff *skb;
8293 int err;
8294
8295 if (!report &&
8296 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8297 return;
8298
8299 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
8300 if (skb == NULL)
8301 goto err;
8302
8303 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
8304 flags & (NLM_F_CREATE | NLM_F_EXCL),
8305 family, table, obj, false);
8306 if (err < 0) {
8307 kfree_skb(skb);
8308 goto err;
8309 }
8310
8311 nft_notify_enqueue(skb, report, &nft_net->notify_list);
8312 return;
8313 err:
8314 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
8315 }
8316
nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8317 void nft_obj_notify(struct net *net, const struct nft_table *table,
8318 struct nft_object *obj, u32 portid, u32 seq, int event,
8319 u16 flags, int family, int report, gfp_t gfp)
8320 {
8321 struct nftables_pernet *nft_net = nft_pernet(net);
8322 char *buf = kasprintf(gfp, "%s:%u",
8323 table->name, nft_net->base_seq);
8324
8325 audit_log_nfcfg(buf,
8326 family,
8327 obj->handle,
8328 event == NFT_MSG_NEWOBJ ?
8329 AUDIT_NFT_OP_OBJ_REGISTER :
8330 AUDIT_NFT_OP_OBJ_UNREGISTER,
8331 gfp);
8332 kfree(buf);
8333
8334 __nft_obj_notify(net, table, obj, portid, seq, event,
8335 flags, family, report, gfp);
8336 }
8337 EXPORT_SYMBOL_GPL(nft_obj_notify);
8338
nf_tables_obj_notify(const struct nft_ctx * ctx,struct nft_object * obj,int event)8339 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
8340 struct nft_object *obj, int event)
8341 {
8342 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
8343 ctx->seq, event, ctx->flags, ctx->family,
8344 ctx->report, GFP_KERNEL);
8345 }
8346
8347 /*
8348 * Flow tables
8349 */
nft_register_flowtable_type(struct nf_flowtable_type * type)8350 void nft_register_flowtable_type(struct nf_flowtable_type *type)
8351 {
8352 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8353 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
8354 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8355 }
8356 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
8357
nft_unregister_flowtable_type(struct nf_flowtable_type * type)8358 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
8359 {
8360 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8361 list_del_rcu(&type->list);
8362 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8363 }
8364 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
8365
8366 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
8367 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
8368 .len = NFT_NAME_MAXLEN - 1 },
8369 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
8370 .len = NFT_NAME_MAXLEN - 1 },
8371 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8372 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8373 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8374 };
8375
nft_flowtable_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8376 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
8377 const struct nlattr *nla, u8 genmask)
8378 {
8379 struct nft_flowtable *flowtable;
8380
8381 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8382 if (!nla_strcmp(nla, flowtable->name) &&
8383 nft_active_genmask(flowtable, genmask))
8384 return flowtable;
8385 }
8386 return ERR_PTR(-ENOENT);
8387 }
8388 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8389
nf_tables_deactivate_flowtable(const struct nft_ctx * ctx,struct nft_flowtable * flowtable,enum nft_trans_phase phase)8390 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8391 struct nft_flowtable *flowtable,
8392 enum nft_trans_phase phase)
8393 {
8394 switch (phase) {
8395 case NFT_TRANS_PREPARE_ERROR:
8396 case NFT_TRANS_PREPARE:
8397 case NFT_TRANS_ABORT:
8398 case NFT_TRANS_RELEASE:
8399 nft_use_dec(&flowtable->use);
8400 fallthrough;
8401 default:
8402 return;
8403 }
8404 }
8405 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8406
8407 static struct nft_flowtable *
nft_flowtable_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8408 nft_flowtable_lookup_byhandle(const struct nft_table *table,
8409 const struct nlattr *nla, u8 genmask)
8410 {
8411 struct nft_flowtable *flowtable;
8412
8413 list_for_each_entry(flowtable, &table->flowtables, list) {
8414 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8415 nft_active_genmask(flowtable, genmask))
8416 return flowtable;
8417 }
8418 return ERR_PTR(-ENOENT);
8419 }
8420
8421 struct nft_flowtable_hook {
8422 u32 num;
8423 int priority;
8424 struct list_head list;
8425 };
8426
8427 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8428 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8429 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8430 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8431 };
8432
nft_flowtable_parse_hook(const struct nft_ctx * ctx,const struct nlattr * const nla[],struct nft_flowtable_hook * flowtable_hook,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack,bool add)8433 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8434 const struct nlattr * const nla[],
8435 struct nft_flowtable_hook *flowtable_hook,
8436 struct nft_flowtable *flowtable,
8437 struct netlink_ext_ack *extack, bool add)
8438 {
8439 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8440 struct nft_hook *hook;
8441 int hooknum, priority;
8442 int err;
8443
8444 INIT_LIST_HEAD(&flowtable_hook->list);
8445
8446 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8447 nla[NFTA_FLOWTABLE_HOOK],
8448 nft_flowtable_hook_policy, NULL);
8449 if (err < 0)
8450 return err;
8451
8452 if (add) {
8453 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8454 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8455 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8456 return -ENOENT;
8457 }
8458
8459 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8460 if (hooknum != NF_NETDEV_INGRESS)
8461 return -EOPNOTSUPP;
8462
8463 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8464
8465 flowtable_hook->priority = priority;
8466 flowtable_hook->num = hooknum;
8467 } else {
8468 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8469 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8470 if (hooknum != flowtable->hooknum)
8471 return -EOPNOTSUPP;
8472 }
8473
8474 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8475 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8476 if (priority != flowtable->data.priority)
8477 return -EOPNOTSUPP;
8478 }
8479
8480 flowtable_hook->priority = flowtable->data.priority;
8481 flowtable_hook->num = flowtable->hooknum;
8482 }
8483
8484 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8485 err = nf_tables_parse_netdev_hooks(ctx->net,
8486 tb[NFTA_FLOWTABLE_HOOK_DEVS],
8487 &flowtable_hook->list,
8488 extack);
8489 if (err < 0)
8490 return err;
8491 }
8492
8493 list_for_each_entry(hook, &flowtable_hook->list, list) {
8494 hook->ops.pf = NFPROTO_NETDEV;
8495 hook->ops.hooknum = flowtable_hook->num;
8496 hook->ops.priority = flowtable_hook->priority;
8497 hook->ops.priv = &flowtable->data;
8498 hook->ops.hook = flowtable->data.type->hook;
8499 }
8500
8501 return err;
8502 }
8503
8504 /* call under rcu_read_lock */
__nft_flowtable_type_get(u8 family)8505 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
8506 {
8507 const struct nf_flowtable_type *type;
8508
8509 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
8510 if (family == type->family)
8511 return type;
8512 }
8513 return NULL;
8514 }
8515
8516 static const struct nf_flowtable_type *
nft_flowtable_type_get(struct net * net,u8 family)8517 nft_flowtable_type_get(struct net *net, u8 family)
8518 {
8519 const struct nf_flowtable_type *type;
8520
8521 rcu_read_lock();
8522 type = __nft_flowtable_type_get(family);
8523 if (type != NULL && try_module_get(type->owner)) {
8524 rcu_read_unlock();
8525 return type;
8526 }
8527 rcu_read_unlock();
8528
8529 lockdep_nfnl_nft_mutex_not_held();
8530 #ifdef CONFIG_MODULES
8531 if (type == NULL) {
8532 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
8533 return ERR_PTR(-EAGAIN);
8534 }
8535 #endif
8536 return ERR_PTR(-ENOENT);
8537 }
8538
8539 /* Only called from error and netdev event paths. */
nft_unregister_flowtable_hook(struct net * net,struct nft_flowtable * flowtable,struct nft_hook * hook)8540 static void nft_unregister_flowtable_hook(struct net *net,
8541 struct nft_flowtable *flowtable,
8542 struct nft_hook *hook)
8543 {
8544 nf_unregister_net_hook(net, &hook->ops);
8545 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8546 FLOW_BLOCK_UNBIND);
8547 }
8548
__nft_unregister_flowtable_net_hooks(struct net * net,struct list_head * hook_list,bool release_netdev)8549 static void __nft_unregister_flowtable_net_hooks(struct net *net,
8550 struct list_head *hook_list,
8551 bool release_netdev)
8552 {
8553 struct nft_hook *hook, *next;
8554
8555 list_for_each_entry_safe(hook, next, hook_list, list) {
8556 nf_unregister_net_hook(net, &hook->ops);
8557 if (release_netdev) {
8558 list_del(&hook->list);
8559 kfree_rcu(hook, rcu);
8560 }
8561 }
8562 }
8563
nft_unregister_flowtable_net_hooks(struct net * net,struct list_head * hook_list)8564 static void nft_unregister_flowtable_net_hooks(struct net *net,
8565 struct list_head *hook_list)
8566 {
8567 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
8568 }
8569
nft_register_flowtable_net_hooks(struct net * net,struct nft_table * table,struct list_head * hook_list,struct nft_flowtable * flowtable)8570 static int nft_register_flowtable_net_hooks(struct net *net,
8571 struct nft_table *table,
8572 struct list_head *hook_list,
8573 struct nft_flowtable *flowtable)
8574 {
8575 struct nft_hook *hook, *hook2, *next;
8576 struct nft_flowtable *ft;
8577 int err, i = 0;
8578
8579 list_for_each_entry(hook, hook_list, list) {
8580 list_for_each_entry(ft, &table->flowtables, list) {
8581 if (!nft_is_active_next(net, ft))
8582 continue;
8583
8584 list_for_each_entry(hook2, &ft->hook_list, list) {
8585 if (hook->ops.dev == hook2->ops.dev &&
8586 hook->ops.pf == hook2->ops.pf) {
8587 err = -EEXIST;
8588 goto err_unregister_net_hooks;
8589 }
8590 }
8591 }
8592
8593 err = flowtable->data.type->setup(&flowtable->data,
8594 hook->ops.dev,
8595 FLOW_BLOCK_BIND);
8596 if (err < 0)
8597 goto err_unregister_net_hooks;
8598
8599 err = nf_register_net_hook(net, &hook->ops);
8600 if (err < 0) {
8601 flowtable->data.type->setup(&flowtable->data,
8602 hook->ops.dev,
8603 FLOW_BLOCK_UNBIND);
8604 goto err_unregister_net_hooks;
8605 }
8606
8607 i++;
8608 }
8609
8610 return 0;
8611
8612 err_unregister_net_hooks:
8613 list_for_each_entry_safe(hook, next, hook_list, list) {
8614 if (i-- <= 0)
8615 break;
8616
8617 nft_unregister_flowtable_hook(net, flowtable, hook);
8618 list_del_rcu(&hook->list);
8619 kfree_rcu(hook, rcu);
8620 }
8621
8622 return err;
8623 }
8624
nft_hooks_destroy(struct list_head * hook_list)8625 static void nft_hooks_destroy(struct list_head *hook_list)
8626 {
8627 struct nft_hook *hook, *next;
8628
8629 list_for_each_entry_safe(hook, next, hook_list, list) {
8630 list_del_rcu(&hook->list);
8631 kfree_rcu(hook, rcu);
8632 }
8633 }
8634
nft_flowtable_update(struct nft_ctx * ctx,const struct nlmsghdr * nlh,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)8635 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
8636 struct nft_flowtable *flowtable,
8637 struct netlink_ext_ack *extack)
8638 {
8639 const struct nlattr * const *nla = ctx->nla;
8640 struct nft_flowtable_hook flowtable_hook;
8641 struct nft_hook *hook, *next;
8642 struct nft_trans *trans;
8643 bool unregister = false;
8644 u32 flags;
8645 int err;
8646
8647 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8648 extack, false);
8649 if (err < 0)
8650 return err;
8651
8652 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8653 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
8654 list_del(&hook->list);
8655 kfree(hook);
8656 }
8657 }
8658
8659 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8660 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8661 if (flags & ~NFT_FLOWTABLE_MASK) {
8662 err = -EOPNOTSUPP;
8663 goto err_flowtable_update_hook;
8664 }
8665 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
8666 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
8667 err = -EOPNOTSUPP;
8668 goto err_flowtable_update_hook;
8669 }
8670 } else {
8671 flags = flowtable->data.flags;
8672 }
8673
8674 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
8675 &flowtable_hook.list, flowtable);
8676 if (err < 0)
8677 goto err_flowtable_update_hook;
8678
8679 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
8680 sizeof(struct nft_trans_flowtable));
8681 if (!trans) {
8682 unregister = true;
8683 err = -ENOMEM;
8684 goto err_flowtable_update_hook;
8685 }
8686
8687 nft_trans_flowtable_flags(trans) = flags;
8688 nft_trans_flowtable(trans) = flowtable;
8689 nft_trans_flowtable_update(trans) = true;
8690 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8691 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
8692
8693 nft_trans_commit_list_add_tail(ctx->net, trans);
8694
8695 return 0;
8696
8697 err_flowtable_update_hook:
8698 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8699 if (unregister)
8700 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
8701 list_del_rcu(&hook->list);
8702 kfree_rcu(hook, rcu);
8703 }
8704
8705 return err;
8706
8707 }
8708
nf_tables_newflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8709 static int nf_tables_newflowtable(struct sk_buff *skb,
8710 const struct nfnl_info *info,
8711 const struct nlattr * const nla[])
8712 {
8713 struct netlink_ext_ack *extack = info->extack;
8714 struct nft_flowtable_hook flowtable_hook;
8715 u8 genmask = nft_genmask_next(info->net);
8716 u8 family = info->nfmsg->nfgen_family;
8717 const struct nf_flowtable_type *type;
8718 struct nft_flowtable *flowtable;
8719 struct net *net = info->net;
8720 struct nft_table *table;
8721 struct nft_trans *trans;
8722 struct nft_ctx ctx;
8723 int err;
8724
8725 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8726 !nla[NFTA_FLOWTABLE_NAME] ||
8727 !nla[NFTA_FLOWTABLE_HOOK])
8728 return -EINVAL;
8729
8730 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8731 genmask, NETLINK_CB(skb).portid);
8732 if (IS_ERR(table)) {
8733 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8734 return PTR_ERR(table);
8735 }
8736
8737 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8738 genmask);
8739 if (IS_ERR(flowtable)) {
8740 err = PTR_ERR(flowtable);
8741 if (err != -ENOENT) {
8742 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8743 return err;
8744 }
8745 } else {
8746 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8747 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8748 return -EEXIST;
8749 }
8750
8751 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8752
8753 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
8754 }
8755
8756 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8757
8758 if (!nft_use_inc(&table->use))
8759 return -EMFILE;
8760
8761 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
8762 if (!flowtable) {
8763 err = -ENOMEM;
8764 goto flowtable_alloc;
8765 }
8766
8767 flowtable->table = table;
8768 flowtable->handle = nf_tables_alloc_handle(table);
8769 INIT_LIST_HEAD(&flowtable->hook_list);
8770
8771 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
8772 if (!flowtable->name) {
8773 err = -ENOMEM;
8774 goto err1;
8775 }
8776
8777 type = nft_flowtable_type_get(net, family);
8778 if (IS_ERR(type)) {
8779 err = PTR_ERR(type);
8780 goto err2;
8781 }
8782
8783 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8784 flowtable->data.flags =
8785 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8786 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
8787 err = -EOPNOTSUPP;
8788 goto err3;
8789 }
8790 }
8791
8792 write_pnet(&flowtable->data.net, net);
8793 flowtable->data.type = type;
8794 err = type->init(&flowtable->data);
8795 if (err < 0)
8796 goto err3;
8797
8798 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
8799 extack, true);
8800 if (err < 0)
8801 goto err_flowtable_parse_hooks;
8802
8803 list_splice(&flowtable_hook.list, &flowtable->hook_list);
8804 flowtable->data.priority = flowtable_hook.priority;
8805 flowtable->hooknum = flowtable_hook.num;
8806
8807 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
8808 if (IS_ERR(trans)) {
8809 err = PTR_ERR(trans);
8810 goto err_flowtable_trans;
8811 }
8812
8813 /* This must be LAST to ensure no packets are walking over this flowtable. */
8814 err = nft_register_flowtable_net_hooks(ctx.net, table,
8815 &flowtable->hook_list,
8816 flowtable);
8817 if (err < 0)
8818 goto err_flowtable_hooks;
8819
8820 list_add_tail_rcu(&flowtable->list, &table->flowtables);
8821
8822 return 0;
8823
8824 err_flowtable_hooks:
8825 nft_trans_destroy(trans);
8826 err_flowtable_trans:
8827 nft_hooks_destroy(&flowtable->hook_list);
8828 err_flowtable_parse_hooks:
8829 flowtable->data.type->free(&flowtable->data);
8830 err3:
8831 module_put(type->owner);
8832 err2:
8833 kfree(flowtable->name);
8834 err1:
8835 kfree(flowtable);
8836 flowtable_alloc:
8837 nft_use_dec_restore(&table->use);
8838
8839 return err;
8840 }
8841
nft_flowtable_hook_release(struct nft_flowtable_hook * flowtable_hook)8842 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8843 {
8844 struct nft_hook *this, *next;
8845
8846 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8847 list_del(&this->list);
8848 kfree(this);
8849 }
8850 }
8851
nft_delflowtable_hook(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)8852 static int nft_delflowtable_hook(struct nft_ctx *ctx,
8853 struct nft_flowtable *flowtable,
8854 struct netlink_ext_ack *extack)
8855 {
8856 const struct nlattr * const *nla = ctx->nla;
8857 struct nft_flowtable_hook flowtable_hook;
8858 LIST_HEAD(flowtable_del_list);
8859 struct nft_hook *this, *hook;
8860 struct nft_trans *trans;
8861 int err;
8862
8863 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8864 extack, false);
8865 if (err < 0)
8866 return err;
8867
8868 list_for_each_entry(this, &flowtable_hook.list, list) {
8869 hook = nft_hook_list_find(&flowtable->hook_list, this);
8870 if (!hook) {
8871 err = -ENOENT;
8872 goto err_flowtable_del_hook;
8873 }
8874 list_move(&hook->list, &flowtable_del_list);
8875 }
8876
8877 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
8878 sizeof(struct nft_trans_flowtable));
8879 if (!trans) {
8880 err = -ENOMEM;
8881 goto err_flowtable_del_hook;
8882 }
8883
8884 nft_trans_flowtable(trans) = flowtable;
8885 nft_trans_flowtable_update(trans) = true;
8886 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8887 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
8888 nft_flowtable_hook_release(&flowtable_hook);
8889
8890 nft_trans_commit_list_add_tail(ctx->net, trans);
8891
8892 return 0;
8893
8894 err_flowtable_del_hook:
8895 list_splice(&flowtable_del_list, &flowtable->hook_list);
8896 nft_flowtable_hook_release(&flowtable_hook);
8897
8898 return err;
8899 }
8900
nf_tables_delflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8901 static int nf_tables_delflowtable(struct sk_buff *skb,
8902 const struct nfnl_info *info,
8903 const struct nlattr * const nla[])
8904 {
8905 struct netlink_ext_ack *extack = info->extack;
8906 u8 genmask = nft_genmask_next(info->net);
8907 u8 family = info->nfmsg->nfgen_family;
8908 struct nft_flowtable *flowtable;
8909 struct net *net = info->net;
8910 const struct nlattr *attr;
8911 struct nft_table *table;
8912 struct nft_ctx ctx;
8913
8914 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8915 (!nla[NFTA_FLOWTABLE_NAME] &&
8916 !nla[NFTA_FLOWTABLE_HANDLE]))
8917 return -EINVAL;
8918
8919 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8920 genmask, NETLINK_CB(skb).portid);
8921 if (IS_ERR(table)) {
8922 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8923 return PTR_ERR(table);
8924 }
8925
8926 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8927 attr = nla[NFTA_FLOWTABLE_HANDLE];
8928 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
8929 } else {
8930 attr = nla[NFTA_FLOWTABLE_NAME];
8931 flowtable = nft_flowtable_lookup(table, attr, genmask);
8932 }
8933
8934 if (IS_ERR(flowtable)) {
8935 if (PTR_ERR(flowtable) == -ENOENT &&
8936 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8937 return 0;
8938
8939 NL_SET_BAD_ATTR(extack, attr);
8940 return PTR_ERR(flowtable);
8941 }
8942
8943 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8944
8945 if (nla[NFTA_FLOWTABLE_HOOK])
8946 return nft_delflowtable_hook(&ctx, flowtable, extack);
8947
8948 if (flowtable->use > 0) {
8949 NL_SET_BAD_ATTR(extack, attr);
8950 return -EBUSY;
8951 }
8952
8953 return nft_delflowtable(&ctx, flowtable);
8954 }
8955
nf_tables_fill_flowtable_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,struct nft_flowtable * flowtable,struct list_head * hook_list)8956 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8957 u32 portid, u32 seq, int event,
8958 u32 flags, int family,
8959 struct nft_flowtable *flowtable,
8960 struct list_head *hook_list)
8961 {
8962 struct nlattr *nest, *nest_devs;
8963 struct nft_hook *hook;
8964 struct nlmsghdr *nlh;
8965
8966 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8967 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8968 NFNETLINK_V0, nft_base_seq(net));
8969 if (!nlh)
8970 goto nla_put_failure;
8971
8972 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
8973 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
8974 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8975 NFTA_FLOWTABLE_PAD))
8976 goto nla_put_failure;
8977
8978 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
8979 nlmsg_end(skb, nlh);
8980 return 0;
8981 }
8982
8983 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8984 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8985 goto nla_put_failure;
8986
8987 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
8988 if (!nest)
8989 goto nla_put_failure;
8990 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8991 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8992 goto nla_put_failure;
8993
8994 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
8995 if (!nest_devs)
8996 goto nla_put_failure;
8997
8998 if (!hook_list)
8999 hook_list = &flowtable->hook_list;
9000
9001 list_for_each_entry_rcu(hook, hook_list, list) {
9002 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
9003 goto nla_put_failure;
9004 }
9005 nla_nest_end(skb, nest_devs);
9006 nla_nest_end(skb, nest);
9007
9008 nlmsg_end(skb, nlh);
9009 return 0;
9010
9011 nla_put_failure:
9012 nlmsg_trim(skb, nlh);
9013 return -1;
9014 }
9015
9016 struct nft_flowtable_filter {
9017 char *table;
9018 };
9019
nf_tables_dump_flowtable(struct sk_buff * skb,struct netlink_callback * cb)9020 static int nf_tables_dump_flowtable(struct sk_buff *skb,
9021 struct netlink_callback *cb)
9022 {
9023 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
9024 struct nft_flowtable_filter *filter = cb->data;
9025 unsigned int idx = 0, s_idx = cb->args[0];
9026 struct net *net = sock_net(skb->sk);
9027 int family = nfmsg->nfgen_family;
9028 struct nft_flowtable *flowtable;
9029 struct nftables_pernet *nft_net;
9030 const struct nft_table *table;
9031
9032 rcu_read_lock();
9033 nft_net = nft_pernet(net);
9034 cb->seq = READ_ONCE(nft_net->base_seq);
9035
9036 list_for_each_entry_rcu(table, &nft_net->tables, list) {
9037 if (family != NFPROTO_UNSPEC && family != table->family)
9038 continue;
9039
9040 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
9041 if (!nft_is_active(net, flowtable))
9042 goto cont;
9043 if (idx < s_idx)
9044 goto cont;
9045 if (idx > s_idx)
9046 memset(&cb->args[1], 0,
9047 sizeof(cb->args) - sizeof(cb->args[0]));
9048 if (filter && filter->table &&
9049 strcmp(filter->table, table->name))
9050 goto cont;
9051
9052 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
9053 cb->nlh->nlmsg_seq,
9054 NFT_MSG_NEWFLOWTABLE,
9055 NLM_F_MULTI | NLM_F_APPEND,
9056 table->family,
9057 flowtable, NULL) < 0)
9058 goto done;
9059
9060 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
9061 cont:
9062 idx++;
9063 }
9064 }
9065 done:
9066 rcu_read_unlock();
9067
9068 cb->args[0] = idx;
9069 return skb->len;
9070 }
9071
nf_tables_dump_flowtable_start(struct netlink_callback * cb)9072 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
9073 {
9074 const struct nlattr * const *nla = cb->data;
9075 struct nft_flowtable_filter *filter = NULL;
9076
9077 if (nla[NFTA_FLOWTABLE_TABLE]) {
9078 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
9079 if (!filter)
9080 return -ENOMEM;
9081
9082 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
9083 GFP_ATOMIC);
9084 if (!filter->table) {
9085 kfree(filter);
9086 return -ENOMEM;
9087 }
9088 }
9089
9090 cb->data = filter;
9091 return 0;
9092 }
9093
nf_tables_dump_flowtable_done(struct netlink_callback * cb)9094 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
9095 {
9096 struct nft_flowtable_filter *filter = cb->data;
9097
9098 if (!filter)
9099 return 0;
9100
9101 kfree(filter->table);
9102 kfree(filter);
9103
9104 return 0;
9105 }
9106
9107 /* called with rcu_read_lock held */
nf_tables_getflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9108 static int nf_tables_getflowtable(struct sk_buff *skb,
9109 const struct nfnl_info *info,
9110 const struct nlattr * const nla[])
9111 {
9112 struct netlink_ext_ack *extack = info->extack;
9113 u8 genmask = nft_genmask_cur(info->net);
9114 u8 family = info->nfmsg->nfgen_family;
9115 struct nft_flowtable *flowtable;
9116 const struct nft_table *table;
9117 struct net *net = info->net;
9118 struct sk_buff *skb2;
9119 int err;
9120
9121 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
9122 struct netlink_dump_control c = {
9123 .start = nf_tables_dump_flowtable_start,
9124 .dump = nf_tables_dump_flowtable,
9125 .done = nf_tables_dump_flowtable_done,
9126 .module = THIS_MODULE,
9127 .data = (void *)nla,
9128 };
9129
9130 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
9131 }
9132
9133 if (!nla[NFTA_FLOWTABLE_NAME])
9134 return -EINVAL;
9135
9136 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9137 genmask, 0);
9138 if (IS_ERR(table)) {
9139 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9140 return PTR_ERR(table);
9141 }
9142
9143 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
9144 genmask);
9145 if (IS_ERR(flowtable)) {
9146 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9147 return PTR_ERR(flowtable);
9148 }
9149
9150 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9151 if (!skb2)
9152 return -ENOMEM;
9153
9154 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
9155 info->nlh->nlmsg_seq,
9156 NFT_MSG_NEWFLOWTABLE, 0, family,
9157 flowtable, NULL);
9158 if (err < 0)
9159 goto err_fill_flowtable_info;
9160
9161 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
9162
9163 err_fill_flowtable_info:
9164 kfree_skb(skb2);
9165 return err;
9166 }
9167
nf_tables_flowtable_notify(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct list_head * hook_list,int event)9168 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
9169 struct nft_flowtable *flowtable,
9170 struct list_head *hook_list, int event)
9171 {
9172 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
9173 struct sk_buff *skb;
9174 u16 flags = 0;
9175 int err;
9176
9177 if (!ctx->report &&
9178 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
9179 return;
9180
9181 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9182 if (skb == NULL)
9183 goto err;
9184
9185 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
9186 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
9187
9188 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
9189 ctx->seq, event, flags,
9190 ctx->family, flowtable, hook_list);
9191 if (err < 0) {
9192 kfree_skb(skb);
9193 goto err;
9194 }
9195
9196 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
9197 return;
9198 err:
9199 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
9200 }
9201
nf_tables_flowtable_destroy(struct nft_flowtable * flowtable)9202 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
9203 {
9204 struct nft_hook *hook, *next;
9205
9206 flowtable->data.type->free(&flowtable->data);
9207 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
9208 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
9209 FLOW_BLOCK_UNBIND);
9210 list_del_rcu(&hook->list);
9211 kfree_rcu(hook, rcu);
9212 }
9213 kfree(flowtable->name);
9214 module_put(flowtable->data.type->owner);
9215 kfree(flowtable);
9216 }
9217
nf_tables_fill_gen_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq)9218 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
9219 u32 portid, u32 seq)
9220 {
9221 struct nftables_pernet *nft_net = nft_pernet(net);
9222 struct nlmsghdr *nlh;
9223 char buf[TASK_COMM_LEN];
9224 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
9225
9226 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
9227 NFNETLINK_V0, nft_base_seq(net));
9228 if (!nlh)
9229 goto nla_put_failure;
9230
9231 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
9232 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
9233 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
9234 goto nla_put_failure;
9235
9236 nlmsg_end(skb, nlh);
9237 return 0;
9238
9239 nla_put_failure:
9240 nlmsg_trim(skb, nlh);
9241 return -EMSGSIZE;
9242 }
9243
nft_flowtable_event(unsigned long event,struct net_device * dev,struct nft_flowtable * flowtable)9244 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
9245 struct nft_flowtable *flowtable)
9246 {
9247 struct nft_hook *hook;
9248
9249 list_for_each_entry(hook, &flowtable->hook_list, list) {
9250 if (hook->ops.dev != dev)
9251 continue;
9252
9253 /* flow_offload_netdev_event() cleans up entries for us. */
9254 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
9255 list_del_rcu(&hook->list);
9256 kfree_rcu(hook, rcu);
9257 break;
9258 }
9259 }
9260
nf_tables_flowtable_event(struct notifier_block * this,unsigned long event,void * ptr)9261 static int nf_tables_flowtable_event(struct notifier_block *this,
9262 unsigned long event, void *ptr)
9263 {
9264 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
9265 struct nft_flowtable *flowtable;
9266 struct nftables_pernet *nft_net;
9267 struct nft_table *table;
9268 struct net *net;
9269
9270 if (event != NETDEV_UNREGISTER)
9271 return 0;
9272
9273 net = dev_net(dev);
9274 nft_net = nft_pernet(net);
9275 mutex_lock(&nft_net->commit_mutex);
9276 list_for_each_entry(table, &nft_net->tables, list) {
9277 list_for_each_entry(flowtable, &table->flowtables, list) {
9278 nft_flowtable_event(event, dev, flowtable);
9279 }
9280 }
9281 mutex_unlock(&nft_net->commit_mutex);
9282
9283 return NOTIFY_DONE;
9284 }
9285
9286 static struct notifier_block nf_tables_flowtable_notifier = {
9287 .notifier_call = nf_tables_flowtable_event,
9288 };
9289
nf_tables_gen_notify(struct net * net,struct sk_buff * skb,int event)9290 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
9291 int event)
9292 {
9293 struct nlmsghdr *nlh = nlmsg_hdr(skb);
9294 struct sk_buff *skb2;
9295 int err;
9296
9297 if (!nlmsg_report(nlh) &&
9298 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
9299 return;
9300
9301 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9302 if (skb2 == NULL)
9303 goto err;
9304
9305 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
9306 nlh->nlmsg_seq);
9307 if (err < 0) {
9308 kfree_skb(skb2);
9309 goto err;
9310 }
9311
9312 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9313 nlmsg_report(nlh), GFP_KERNEL);
9314 return;
9315 err:
9316 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9317 -ENOBUFS);
9318 }
9319
nf_tables_getgen(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9320 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
9321 const struct nlattr * const nla[])
9322 {
9323 struct sk_buff *skb2;
9324 int err;
9325
9326 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9327 if (skb2 == NULL)
9328 return -ENOMEM;
9329
9330 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
9331 info->nlh->nlmsg_seq);
9332 if (err < 0)
9333 goto err_fill_gen_info;
9334
9335 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
9336
9337 err_fill_gen_info:
9338 kfree_skb(skb2);
9339 return err;
9340 }
9341
9342 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
9343 [NFT_MSG_NEWTABLE] = {
9344 .call = nf_tables_newtable,
9345 .type = NFNL_CB_BATCH,
9346 .attr_count = NFTA_TABLE_MAX,
9347 .policy = nft_table_policy,
9348 },
9349 [NFT_MSG_GETTABLE] = {
9350 .call = nf_tables_gettable,
9351 .type = NFNL_CB_RCU,
9352 .attr_count = NFTA_TABLE_MAX,
9353 .policy = nft_table_policy,
9354 },
9355 [NFT_MSG_DELTABLE] = {
9356 .call = nf_tables_deltable,
9357 .type = NFNL_CB_BATCH,
9358 .attr_count = NFTA_TABLE_MAX,
9359 .policy = nft_table_policy,
9360 },
9361 [NFT_MSG_DESTROYTABLE] = {
9362 .call = nf_tables_deltable,
9363 .type = NFNL_CB_BATCH,
9364 .attr_count = NFTA_TABLE_MAX,
9365 .policy = nft_table_policy,
9366 },
9367 [NFT_MSG_NEWCHAIN] = {
9368 .call = nf_tables_newchain,
9369 .type = NFNL_CB_BATCH,
9370 .attr_count = NFTA_CHAIN_MAX,
9371 .policy = nft_chain_policy,
9372 },
9373 [NFT_MSG_GETCHAIN] = {
9374 .call = nf_tables_getchain,
9375 .type = NFNL_CB_RCU,
9376 .attr_count = NFTA_CHAIN_MAX,
9377 .policy = nft_chain_policy,
9378 },
9379 [NFT_MSG_DELCHAIN] = {
9380 .call = nf_tables_delchain,
9381 .type = NFNL_CB_BATCH,
9382 .attr_count = NFTA_CHAIN_MAX,
9383 .policy = nft_chain_policy,
9384 },
9385 [NFT_MSG_DESTROYCHAIN] = {
9386 .call = nf_tables_delchain,
9387 .type = NFNL_CB_BATCH,
9388 .attr_count = NFTA_CHAIN_MAX,
9389 .policy = nft_chain_policy,
9390 },
9391 [NFT_MSG_NEWRULE] = {
9392 .call = nf_tables_newrule,
9393 .type = NFNL_CB_BATCH,
9394 .attr_count = NFTA_RULE_MAX,
9395 .policy = nft_rule_policy,
9396 },
9397 [NFT_MSG_GETRULE] = {
9398 .call = nf_tables_getrule,
9399 .type = NFNL_CB_RCU,
9400 .attr_count = NFTA_RULE_MAX,
9401 .policy = nft_rule_policy,
9402 },
9403 [NFT_MSG_GETRULE_RESET] = {
9404 .call = nf_tables_getrule_reset,
9405 .type = NFNL_CB_RCU,
9406 .attr_count = NFTA_RULE_MAX,
9407 .policy = nft_rule_policy,
9408 },
9409 [NFT_MSG_DELRULE] = {
9410 .call = nf_tables_delrule,
9411 .type = NFNL_CB_BATCH,
9412 .attr_count = NFTA_RULE_MAX,
9413 .policy = nft_rule_policy,
9414 },
9415 [NFT_MSG_DESTROYRULE] = {
9416 .call = nf_tables_delrule,
9417 .type = NFNL_CB_BATCH,
9418 .attr_count = NFTA_RULE_MAX,
9419 .policy = nft_rule_policy,
9420 },
9421 [NFT_MSG_NEWSET] = {
9422 .call = nf_tables_newset,
9423 .type = NFNL_CB_BATCH,
9424 .attr_count = NFTA_SET_MAX,
9425 .policy = nft_set_policy,
9426 },
9427 [NFT_MSG_GETSET] = {
9428 .call = nf_tables_getset,
9429 .type = NFNL_CB_RCU,
9430 .attr_count = NFTA_SET_MAX,
9431 .policy = nft_set_policy,
9432 },
9433 [NFT_MSG_DELSET] = {
9434 .call = nf_tables_delset,
9435 .type = NFNL_CB_BATCH,
9436 .attr_count = NFTA_SET_MAX,
9437 .policy = nft_set_policy,
9438 },
9439 [NFT_MSG_DESTROYSET] = {
9440 .call = nf_tables_delset,
9441 .type = NFNL_CB_BATCH,
9442 .attr_count = NFTA_SET_MAX,
9443 .policy = nft_set_policy,
9444 },
9445 [NFT_MSG_NEWSETELEM] = {
9446 .call = nf_tables_newsetelem,
9447 .type = NFNL_CB_BATCH,
9448 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9449 .policy = nft_set_elem_list_policy,
9450 },
9451 [NFT_MSG_GETSETELEM] = {
9452 .call = nf_tables_getsetelem,
9453 .type = NFNL_CB_RCU,
9454 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9455 .policy = nft_set_elem_list_policy,
9456 },
9457 [NFT_MSG_GETSETELEM_RESET] = {
9458 .call = nf_tables_getsetelem_reset,
9459 .type = NFNL_CB_RCU,
9460 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9461 .policy = nft_set_elem_list_policy,
9462 },
9463 [NFT_MSG_DELSETELEM] = {
9464 .call = nf_tables_delsetelem,
9465 .type = NFNL_CB_BATCH,
9466 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9467 .policy = nft_set_elem_list_policy,
9468 },
9469 [NFT_MSG_DESTROYSETELEM] = {
9470 .call = nf_tables_delsetelem,
9471 .type = NFNL_CB_BATCH,
9472 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9473 .policy = nft_set_elem_list_policy,
9474 },
9475 [NFT_MSG_GETGEN] = {
9476 .call = nf_tables_getgen,
9477 .type = NFNL_CB_RCU,
9478 },
9479 [NFT_MSG_NEWOBJ] = {
9480 .call = nf_tables_newobj,
9481 .type = NFNL_CB_BATCH,
9482 .attr_count = NFTA_OBJ_MAX,
9483 .policy = nft_obj_policy,
9484 },
9485 [NFT_MSG_GETOBJ] = {
9486 .call = nf_tables_getobj,
9487 .type = NFNL_CB_RCU,
9488 .attr_count = NFTA_OBJ_MAX,
9489 .policy = nft_obj_policy,
9490 },
9491 [NFT_MSG_DELOBJ] = {
9492 .call = nf_tables_delobj,
9493 .type = NFNL_CB_BATCH,
9494 .attr_count = NFTA_OBJ_MAX,
9495 .policy = nft_obj_policy,
9496 },
9497 [NFT_MSG_DESTROYOBJ] = {
9498 .call = nf_tables_delobj,
9499 .type = NFNL_CB_BATCH,
9500 .attr_count = NFTA_OBJ_MAX,
9501 .policy = nft_obj_policy,
9502 },
9503 [NFT_MSG_GETOBJ_RESET] = {
9504 .call = nf_tables_getobj_reset,
9505 .type = NFNL_CB_RCU,
9506 .attr_count = NFTA_OBJ_MAX,
9507 .policy = nft_obj_policy,
9508 },
9509 [NFT_MSG_NEWFLOWTABLE] = {
9510 .call = nf_tables_newflowtable,
9511 .type = NFNL_CB_BATCH,
9512 .attr_count = NFTA_FLOWTABLE_MAX,
9513 .policy = nft_flowtable_policy,
9514 },
9515 [NFT_MSG_GETFLOWTABLE] = {
9516 .call = nf_tables_getflowtable,
9517 .type = NFNL_CB_RCU,
9518 .attr_count = NFTA_FLOWTABLE_MAX,
9519 .policy = nft_flowtable_policy,
9520 },
9521 [NFT_MSG_DELFLOWTABLE] = {
9522 .call = nf_tables_delflowtable,
9523 .type = NFNL_CB_BATCH,
9524 .attr_count = NFTA_FLOWTABLE_MAX,
9525 .policy = nft_flowtable_policy,
9526 },
9527 [NFT_MSG_DESTROYFLOWTABLE] = {
9528 .call = nf_tables_delflowtable,
9529 .type = NFNL_CB_BATCH,
9530 .attr_count = NFTA_FLOWTABLE_MAX,
9531 .policy = nft_flowtable_policy,
9532 },
9533 };
9534
nf_tables_validate(struct net * net)9535 static int nf_tables_validate(struct net *net)
9536 {
9537 struct nftables_pernet *nft_net = nft_pernet(net);
9538 struct nft_table *table;
9539
9540 list_for_each_entry(table, &nft_net->tables, list) {
9541 switch (table->validate_state) {
9542 case NFT_VALIDATE_SKIP:
9543 continue;
9544 case NFT_VALIDATE_NEED:
9545 nft_validate_state_update(table, NFT_VALIDATE_DO);
9546 fallthrough;
9547 case NFT_VALIDATE_DO:
9548 if (nft_table_validate(net, table) < 0)
9549 return -EAGAIN;
9550
9551 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
9552 break;
9553 }
9554 }
9555
9556 return 0;
9557 }
9558
9559 /* a drop policy has to be deferred until all rules have been activated,
9560 * otherwise a large ruleset that contains a drop-policy base chain will
9561 * cause all packets to get dropped until the full transaction has been
9562 * processed.
9563 *
9564 * We defer the drop policy until the transaction has been finalized.
9565 */
nft_chain_commit_drop_policy(struct nft_trans_chain * trans)9566 static void nft_chain_commit_drop_policy(struct nft_trans_chain *trans)
9567 {
9568 struct nft_base_chain *basechain;
9569
9570 if (trans->policy != NF_DROP)
9571 return;
9572
9573 if (!nft_is_base_chain(trans->chain))
9574 return;
9575
9576 basechain = nft_base_chain(trans->chain);
9577 basechain->policy = NF_DROP;
9578 }
9579
nft_chain_commit_update(struct nft_trans_chain * trans)9580 static void nft_chain_commit_update(struct nft_trans_chain *trans)
9581 {
9582 struct nft_table *table = trans->nft_trans_binding.nft_trans.table;
9583 struct nft_base_chain *basechain;
9584
9585 if (trans->name) {
9586 rhltable_remove(&table->chains_ht,
9587 &trans->chain->rhlhead,
9588 nft_chain_ht_params);
9589 swap(trans->chain->name, trans->name);
9590 rhltable_insert_key(&table->chains_ht,
9591 trans->chain->name,
9592 &trans->chain->rhlhead,
9593 nft_chain_ht_params);
9594 }
9595
9596 if (!nft_is_base_chain(trans->chain))
9597 return;
9598
9599 nft_chain_stats_replace(trans);
9600
9601 basechain = nft_base_chain(trans->chain);
9602
9603 switch (trans->policy) {
9604 case NF_DROP:
9605 case NF_ACCEPT:
9606 basechain->policy = trans->policy;
9607 break;
9608 }
9609 }
9610
nft_obj_commit_update(const struct nft_ctx * ctx,struct nft_trans * trans)9611 static void nft_obj_commit_update(const struct nft_ctx *ctx,
9612 struct nft_trans *trans)
9613 {
9614 struct nft_object *newobj;
9615 struct nft_object *obj;
9616
9617 obj = nft_trans_obj(trans);
9618 newobj = nft_trans_obj_newobj(trans);
9619
9620 if (WARN_ON_ONCE(!obj->ops->update))
9621 return;
9622
9623 obj->ops->update(obj, newobj);
9624 nft_obj_destroy(ctx, newobj);
9625 }
9626
nft_commit_release(struct nft_trans * trans)9627 static void nft_commit_release(struct nft_trans *trans)
9628 {
9629 struct nft_ctx ctx = {
9630 .net = trans->net,
9631 };
9632
9633 nft_ctx_update(&ctx, trans);
9634
9635 switch (trans->msg_type) {
9636 case NFT_MSG_DELTABLE:
9637 case NFT_MSG_DESTROYTABLE:
9638 nf_tables_table_destroy(trans->table);
9639 break;
9640 case NFT_MSG_NEWCHAIN:
9641 free_percpu(nft_trans_chain_stats(trans));
9642 kfree(nft_trans_chain_name(trans));
9643 break;
9644 case NFT_MSG_DELCHAIN:
9645 case NFT_MSG_DESTROYCHAIN:
9646 if (nft_trans_chain_update(trans))
9647 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9648 else
9649 nf_tables_chain_destroy(nft_trans_chain(trans));
9650 break;
9651 case NFT_MSG_DELRULE:
9652 case NFT_MSG_DESTROYRULE:
9653 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
9654 break;
9655 case NFT_MSG_DELSET:
9656 case NFT_MSG_DESTROYSET:
9657 nft_set_destroy(&ctx, nft_trans_set(trans));
9658 break;
9659 case NFT_MSG_DELSETELEM:
9660 case NFT_MSG_DESTROYSETELEM:
9661 nf_tables_set_elem_destroy(&ctx,
9662 nft_trans_elem_set(trans),
9663 nft_trans_elem_priv(trans));
9664 break;
9665 case NFT_MSG_DELOBJ:
9666 case NFT_MSG_DESTROYOBJ:
9667 nft_obj_destroy(&ctx, nft_trans_obj(trans));
9668 break;
9669 case NFT_MSG_DELFLOWTABLE:
9670 case NFT_MSG_DESTROYFLOWTABLE:
9671 if (nft_trans_flowtable_update(trans))
9672 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9673 else
9674 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9675 break;
9676 }
9677
9678 if (trans->put_net)
9679 put_net(trans->net);
9680
9681 kfree(trans);
9682 }
9683
nf_tables_trans_destroy_work(struct work_struct * w)9684 static void nf_tables_trans_destroy_work(struct work_struct *w)
9685 {
9686 struct nft_trans *trans, *next;
9687 LIST_HEAD(head);
9688
9689 spin_lock(&nf_tables_destroy_list_lock);
9690 list_splice_init(&nf_tables_destroy_list, &head);
9691 spin_unlock(&nf_tables_destroy_list_lock);
9692
9693 if (list_empty(&head))
9694 return;
9695
9696 synchronize_rcu();
9697
9698 list_for_each_entry_safe(trans, next, &head, list) {
9699 nft_trans_list_del(trans);
9700 nft_commit_release(trans);
9701 }
9702 }
9703
nf_tables_trans_destroy_flush_work(void)9704 void nf_tables_trans_destroy_flush_work(void)
9705 {
9706 flush_work(&trans_destroy_work);
9707 }
9708 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
9709
nft_expr_reduce(struct nft_regs_track * track,const struct nft_expr * expr)9710 static bool nft_expr_reduce(struct nft_regs_track *track,
9711 const struct nft_expr *expr)
9712 {
9713 return false;
9714 }
9715
nf_tables_commit_chain_prepare(struct net * net,struct nft_chain * chain)9716 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
9717 {
9718 const struct nft_expr *expr, *last;
9719 struct nft_regs_track track = {};
9720 unsigned int size, data_size;
9721 void *data, *data_boundary;
9722 struct nft_rule_dp *prule;
9723 struct nft_rule *rule;
9724
9725 /* already handled or inactive chain? */
9726 if (chain->blob_next || !nft_is_active_next(net, chain))
9727 return 0;
9728
9729 data_size = 0;
9730 list_for_each_entry(rule, &chain->rules, list) {
9731 if (nft_is_active_next(net, rule)) {
9732 data_size += sizeof(*prule) + rule->dlen;
9733 if (data_size > INT_MAX)
9734 return -ENOMEM;
9735 }
9736 }
9737
9738 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
9739 if (!chain->blob_next)
9740 return -ENOMEM;
9741
9742 data = (void *)chain->blob_next->data;
9743 data_boundary = data + data_size;
9744 size = 0;
9745
9746 list_for_each_entry(rule, &chain->rules, list) {
9747 if (!nft_is_active_next(net, rule))
9748 continue;
9749
9750 prule = (struct nft_rule_dp *)data;
9751 data += offsetof(struct nft_rule_dp, data);
9752 if (WARN_ON_ONCE(data > data_boundary))
9753 return -ENOMEM;
9754
9755 size = 0;
9756 track.last = nft_expr_last(rule);
9757 nft_rule_for_each_expr(expr, last, rule) {
9758 track.cur = expr;
9759
9760 if (nft_expr_reduce(&track, expr)) {
9761 expr = track.cur;
9762 continue;
9763 }
9764
9765 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
9766 return -ENOMEM;
9767
9768 memcpy(data + size, expr, expr->ops->size);
9769 size += expr->ops->size;
9770 }
9771 if (WARN_ON_ONCE(size >= 1 << 12))
9772 return -ENOMEM;
9773
9774 prule->handle = rule->handle;
9775 prule->dlen = size;
9776 prule->is_last = 0;
9777
9778 data += size;
9779 size = 0;
9780 chain->blob_next->size += (unsigned long)(data - (void *)prule);
9781 }
9782
9783 if (WARN_ON_ONCE(data > data_boundary))
9784 return -ENOMEM;
9785
9786 prule = (struct nft_rule_dp *)data;
9787 nft_last_rule(chain, prule);
9788
9789 return 0;
9790 }
9791
nf_tables_commit_chain_prepare_cancel(struct net * net)9792 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
9793 {
9794 struct nftables_pernet *nft_net = nft_pernet(net);
9795 struct nft_trans *trans, *next;
9796
9797 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9798 if (trans->msg_type == NFT_MSG_NEWRULE ||
9799 trans->msg_type == NFT_MSG_DELRULE) {
9800 struct nft_chain *chain = nft_trans_rule_chain(trans);
9801
9802 kvfree(chain->blob_next);
9803 chain->blob_next = NULL;
9804 }
9805 }
9806 }
9807
__nf_tables_commit_chain_free_rules(struct rcu_head * h)9808 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
9809 {
9810 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
9811
9812 kvfree(l->blob);
9813 }
9814
nf_tables_commit_chain_free_rules_old(struct nft_rule_blob * blob)9815 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
9816 {
9817 struct nft_rule_dp_last *last;
9818
9819 /* last rule trailer is after end marker */
9820 last = (void *)blob + sizeof(*blob) + blob->size;
9821 last->blob = blob;
9822
9823 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
9824 }
9825
nf_tables_commit_chain(struct net * net,struct nft_chain * chain)9826 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
9827 {
9828 struct nft_rule_blob *g0, *g1;
9829 bool next_genbit;
9830
9831 next_genbit = nft_gencursor_next(net);
9832
9833 g0 = rcu_dereference_protected(chain->blob_gen_0,
9834 lockdep_commit_lock_is_held(net));
9835 g1 = rcu_dereference_protected(chain->blob_gen_1,
9836 lockdep_commit_lock_is_held(net));
9837
9838 /* No changes to this chain? */
9839 if (chain->blob_next == NULL) {
9840 /* chain had no change in last or next generation */
9841 if (g0 == g1)
9842 return;
9843 /*
9844 * chain had no change in this generation; make sure next
9845 * one uses same rules as current generation.
9846 */
9847 if (next_genbit) {
9848 rcu_assign_pointer(chain->blob_gen_1, g0);
9849 nf_tables_commit_chain_free_rules_old(g1);
9850 } else {
9851 rcu_assign_pointer(chain->blob_gen_0, g1);
9852 nf_tables_commit_chain_free_rules_old(g0);
9853 }
9854
9855 return;
9856 }
9857
9858 if (next_genbit)
9859 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9860 else
9861 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9862
9863 chain->blob_next = NULL;
9864
9865 if (g0 == g1)
9866 return;
9867
9868 if (next_genbit)
9869 nf_tables_commit_chain_free_rules_old(g1);
9870 else
9871 nf_tables_commit_chain_free_rules_old(g0);
9872 }
9873
nft_obj_del(struct nft_object * obj)9874 static void nft_obj_del(struct nft_object *obj)
9875 {
9876 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
9877 list_del_rcu(&obj->list);
9878 }
9879
nft_chain_del(struct nft_chain * chain)9880 void nft_chain_del(struct nft_chain *chain)
9881 {
9882 struct nft_table *table = chain->table;
9883
9884 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9885 nft_chain_ht_params));
9886 list_del_rcu(&chain->list);
9887 }
9888
nft_trans_gc_setelem_remove(struct nft_ctx * ctx,struct nft_trans_gc * trans)9889 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
9890 struct nft_trans_gc *trans)
9891 {
9892 struct nft_elem_priv **priv = trans->priv;
9893 unsigned int i;
9894
9895 for (i = 0; i < trans->count; i++) {
9896 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]);
9897 nft_setelem_remove(ctx->net, trans->set, priv[i]);
9898 }
9899 }
9900
nft_trans_gc_destroy(struct nft_trans_gc * trans)9901 void nft_trans_gc_destroy(struct nft_trans_gc *trans)
9902 {
9903 nft_set_put(trans->set);
9904 put_net(trans->net);
9905 kfree(trans);
9906 }
9907
nft_trans_gc_trans_free(struct rcu_head * rcu)9908 static void nft_trans_gc_trans_free(struct rcu_head *rcu)
9909 {
9910 struct nft_elem_priv *elem_priv;
9911 struct nft_trans_gc *trans;
9912 struct nft_ctx ctx = {};
9913 unsigned int i;
9914
9915 trans = container_of(rcu, struct nft_trans_gc, rcu);
9916 ctx.net = read_pnet(&trans->set->net);
9917
9918 for (i = 0; i < trans->count; i++) {
9919 elem_priv = trans->priv[i];
9920 if (!nft_setelem_is_catchall(trans->set, elem_priv))
9921 atomic_dec(&trans->set->nelems);
9922
9923 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv);
9924 }
9925
9926 nft_trans_gc_destroy(trans);
9927 }
9928
nft_trans_gc_work_done(struct nft_trans_gc * trans)9929 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
9930 {
9931 struct nftables_pernet *nft_net;
9932 struct nft_ctx ctx = {};
9933
9934 nft_net = nft_pernet(trans->net);
9935
9936 mutex_lock(&nft_net->commit_mutex);
9937
9938 /* Check for race with transaction, otherwise this batch refers to
9939 * stale objects that might not be there anymore. Skip transaction if
9940 * set has been destroyed from control plane transaction in case gc
9941 * worker loses race.
9942 */
9943 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
9944 mutex_unlock(&nft_net->commit_mutex);
9945 return false;
9946 }
9947
9948 ctx.net = trans->net;
9949 ctx.table = trans->set->table;
9950
9951 nft_trans_gc_setelem_remove(&ctx, trans);
9952 mutex_unlock(&nft_net->commit_mutex);
9953
9954 return true;
9955 }
9956
nft_trans_gc_work(struct work_struct * work)9957 static void nft_trans_gc_work(struct work_struct *work)
9958 {
9959 struct nft_trans_gc *trans, *next;
9960 LIST_HEAD(trans_gc_list);
9961
9962 spin_lock(&nf_tables_gc_list_lock);
9963 list_splice_init(&nf_tables_gc_list, &trans_gc_list);
9964 spin_unlock(&nf_tables_gc_list_lock);
9965
9966 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
9967 list_del(&trans->list);
9968 if (!nft_trans_gc_work_done(trans)) {
9969 nft_trans_gc_destroy(trans);
9970 continue;
9971 }
9972 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9973 }
9974 }
9975
nft_trans_gc_alloc(struct nft_set * set,unsigned int gc_seq,gfp_t gfp)9976 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
9977 unsigned int gc_seq, gfp_t gfp)
9978 {
9979 struct net *net = read_pnet(&set->net);
9980 struct nft_trans_gc *trans;
9981
9982 trans = kzalloc(sizeof(*trans), gfp);
9983 if (!trans)
9984 return NULL;
9985
9986 trans->net = maybe_get_net(net);
9987 if (!trans->net) {
9988 kfree(trans);
9989 return NULL;
9990 }
9991
9992 refcount_inc(&set->refs);
9993 trans->set = set;
9994 trans->seq = gc_seq;
9995
9996 return trans;
9997 }
9998
nft_trans_gc_elem_add(struct nft_trans_gc * trans,void * priv)9999 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
10000 {
10001 trans->priv[trans->count++] = priv;
10002 }
10003
nft_trans_gc_queue_work(struct nft_trans_gc * trans)10004 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
10005 {
10006 spin_lock(&nf_tables_gc_list_lock);
10007 list_add_tail(&trans->list, &nf_tables_gc_list);
10008 spin_unlock(&nf_tables_gc_list_lock);
10009
10010 schedule_work(&trans_gc_work);
10011 }
10012
nft_trans_gc_space(struct nft_trans_gc * trans)10013 static int nft_trans_gc_space(struct nft_trans_gc *trans)
10014 {
10015 return NFT_TRANS_GC_BATCHCOUNT - trans->count;
10016 }
10017
nft_trans_gc_queue_async(struct nft_trans_gc * gc,unsigned int gc_seq,gfp_t gfp)10018 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
10019 unsigned int gc_seq, gfp_t gfp)
10020 {
10021 struct nft_set *set;
10022
10023 if (nft_trans_gc_space(gc))
10024 return gc;
10025
10026 set = gc->set;
10027 nft_trans_gc_queue_work(gc);
10028
10029 return nft_trans_gc_alloc(set, gc_seq, gfp);
10030 }
10031
nft_trans_gc_queue_async_done(struct nft_trans_gc * trans)10032 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
10033 {
10034 if (trans->count == 0) {
10035 nft_trans_gc_destroy(trans);
10036 return;
10037 }
10038
10039 nft_trans_gc_queue_work(trans);
10040 }
10041
nft_trans_gc_queue_sync(struct nft_trans_gc * gc,gfp_t gfp)10042 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
10043 {
10044 struct nft_set *set;
10045
10046 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
10047 return NULL;
10048
10049 if (nft_trans_gc_space(gc))
10050 return gc;
10051
10052 set = gc->set;
10053 call_rcu(&gc->rcu, nft_trans_gc_trans_free);
10054
10055 return nft_trans_gc_alloc(set, 0, gfp);
10056 }
10057
nft_trans_gc_queue_sync_done(struct nft_trans_gc * trans)10058 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
10059 {
10060 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
10061
10062 if (trans->count == 0) {
10063 nft_trans_gc_destroy(trans);
10064 return;
10065 }
10066
10067 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
10068 }
10069
nft_trans_gc_catchall_async(struct nft_trans_gc * gc,unsigned int gc_seq)10070 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
10071 unsigned int gc_seq)
10072 {
10073 struct nft_set_elem_catchall *catchall;
10074 const struct nft_set *set = gc->set;
10075 struct nft_set_ext *ext;
10076
10077 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
10078 ext = nft_set_elem_ext(set, catchall->elem);
10079
10080 if (!nft_set_elem_expired(ext))
10081 continue;
10082 if (nft_set_elem_is_dead(ext))
10083 goto dead_elem;
10084
10085 nft_set_elem_dead(ext);
10086 dead_elem:
10087 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
10088 if (!gc)
10089 return NULL;
10090
10091 nft_trans_gc_elem_add(gc, catchall->elem);
10092 }
10093
10094 return gc;
10095 }
10096
nft_trans_gc_catchall_sync(struct nft_trans_gc * gc)10097 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
10098 {
10099 struct nft_set_elem_catchall *catchall, *next;
10100 u64 tstamp = nft_net_tstamp(gc->net);
10101 const struct nft_set *set = gc->set;
10102 struct nft_elem_priv *elem_priv;
10103 struct nft_set_ext *ext;
10104
10105 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
10106
10107 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
10108 ext = nft_set_elem_ext(set, catchall->elem);
10109
10110 if (!__nft_set_elem_expired(ext, tstamp))
10111 continue;
10112
10113 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
10114 if (!gc)
10115 return NULL;
10116
10117 elem_priv = catchall->elem;
10118 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
10119 nft_setelem_catchall_destroy(catchall);
10120 nft_trans_gc_elem_add(gc, elem_priv);
10121 }
10122
10123 return gc;
10124 }
10125
nf_tables_module_autoload_cleanup(struct net * net)10126 static void nf_tables_module_autoload_cleanup(struct net *net)
10127 {
10128 struct nftables_pernet *nft_net = nft_pernet(net);
10129 struct nft_module_request *req, *next;
10130
10131 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10132 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
10133 WARN_ON_ONCE(!req->done);
10134 list_del(&req->list);
10135 kfree(req);
10136 }
10137 }
10138
nf_tables_commit_release(struct net * net)10139 static void nf_tables_commit_release(struct net *net)
10140 {
10141 struct nftables_pernet *nft_net = nft_pernet(net);
10142 struct nft_trans *trans;
10143
10144 /* all side effects have to be made visible.
10145 * For example, if a chain named 'foo' has been deleted, a
10146 * new transaction must not find it anymore.
10147 *
10148 * Memory reclaim happens asynchronously from work queue
10149 * to prevent expensive synchronize_rcu() in commit phase.
10150 */
10151 if (list_empty(&nft_net->commit_list)) {
10152 nf_tables_module_autoload_cleanup(net);
10153 mutex_unlock(&nft_net->commit_mutex);
10154 return;
10155 }
10156
10157 trans = list_last_entry(&nft_net->commit_list,
10158 struct nft_trans, list);
10159 get_net(trans->net);
10160 WARN_ON_ONCE(trans->put_net);
10161
10162 trans->put_net = true;
10163 spin_lock(&nf_tables_destroy_list_lock);
10164 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
10165 spin_unlock(&nf_tables_destroy_list_lock);
10166
10167 nf_tables_module_autoload_cleanup(net);
10168 schedule_work(&trans_destroy_work);
10169
10170 mutex_unlock(&nft_net->commit_mutex);
10171 }
10172
nft_commit_notify(struct net * net,u32 portid)10173 static void nft_commit_notify(struct net *net, u32 portid)
10174 {
10175 struct nftables_pernet *nft_net = nft_pernet(net);
10176 struct sk_buff *batch_skb = NULL, *nskb, *skb;
10177 unsigned char *data;
10178 int len;
10179
10180 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
10181 if (!batch_skb) {
10182 new_batch:
10183 batch_skb = skb;
10184 len = NLMSG_GOODSIZE - skb->len;
10185 list_del(&skb->list);
10186 continue;
10187 }
10188 len -= skb->len;
10189 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
10190 data = skb_put(batch_skb, skb->len);
10191 memcpy(data, skb->data, skb->len);
10192 list_del(&skb->list);
10193 kfree_skb(skb);
10194 continue;
10195 }
10196 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10197 NFT_CB(batch_skb).report, GFP_KERNEL);
10198 goto new_batch;
10199 }
10200
10201 if (batch_skb) {
10202 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10203 NFT_CB(batch_skb).report, GFP_KERNEL);
10204 }
10205
10206 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10207 }
10208
nf_tables_commit_audit_alloc(struct list_head * adl,struct nft_table * table)10209 static int nf_tables_commit_audit_alloc(struct list_head *adl,
10210 struct nft_table *table)
10211 {
10212 struct nft_audit_data *adp;
10213
10214 list_for_each_entry(adp, adl, list) {
10215 if (adp->table == table)
10216 return 0;
10217 }
10218 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
10219 if (!adp)
10220 return -ENOMEM;
10221 adp->table = table;
10222 list_add(&adp->list, adl);
10223 return 0;
10224 }
10225
nf_tables_commit_audit_free(struct list_head * adl)10226 static void nf_tables_commit_audit_free(struct list_head *adl)
10227 {
10228 struct nft_audit_data *adp, *adn;
10229
10230 list_for_each_entry_safe(adp, adn, adl, list) {
10231 list_del(&adp->list);
10232 kfree(adp);
10233 }
10234 }
10235
nf_tables_commit_audit_collect(struct list_head * adl,struct nft_table * table,u32 op)10236 static void nf_tables_commit_audit_collect(struct list_head *adl,
10237 struct nft_table *table, u32 op)
10238 {
10239 struct nft_audit_data *adp;
10240
10241 list_for_each_entry(adp, adl, list) {
10242 if (adp->table == table)
10243 goto found;
10244 }
10245 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
10246 return;
10247 found:
10248 adp->entries++;
10249 if (!adp->op || adp->op > op)
10250 adp->op = op;
10251 }
10252
10253 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
10254
nf_tables_commit_audit_log(struct list_head * adl,u32 generation)10255 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
10256 {
10257 struct nft_audit_data *adp, *adn;
10258 char aubuf[AUNFTABLENAMELEN];
10259
10260 list_for_each_entry_safe(adp, adn, adl, list) {
10261 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
10262 generation);
10263 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
10264 nft2audit_op[adp->op], GFP_KERNEL);
10265 list_del(&adp->list);
10266 kfree(adp);
10267 }
10268 }
10269
nft_set_commit_update(struct list_head * set_update_list)10270 static void nft_set_commit_update(struct list_head *set_update_list)
10271 {
10272 struct nft_set *set, *next;
10273
10274 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10275 list_del_init(&set->pending_update);
10276
10277 if (!set->ops->commit || set->dead)
10278 continue;
10279
10280 set->ops->commit(set);
10281 }
10282 }
10283
nft_gc_seq_begin(struct nftables_pernet * nft_net)10284 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
10285 {
10286 unsigned int gc_seq;
10287
10288 /* Bump gc counter, it becomes odd, this is the busy mark. */
10289 gc_seq = READ_ONCE(nft_net->gc_seq);
10290 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10291
10292 return gc_seq;
10293 }
10294
nft_gc_seq_end(struct nftables_pernet * nft_net,unsigned int gc_seq)10295 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
10296 {
10297 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10298 }
10299
nf_tables_commit(struct net * net,struct sk_buff * skb)10300 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
10301 {
10302 struct nftables_pernet *nft_net = nft_pernet(net);
10303 const struct nlmsghdr *nlh = nlmsg_hdr(skb);
10304 struct nft_trans_binding *trans_binding;
10305 struct nft_trans *trans, *next;
10306 unsigned int base_seq, gc_seq;
10307 LIST_HEAD(set_update_list);
10308 struct nft_trans_elem *te;
10309 struct nft_chain *chain;
10310 struct nft_table *table;
10311 struct nft_ctx ctx;
10312 LIST_HEAD(adl);
10313 int err;
10314
10315 if (list_empty(&nft_net->commit_list)) {
10316 mutex_unlock(&nft_net->commit_mutex);
10317 return 0;
10318 }
10319
10320 nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL);
10321
10322 list_for_each_entry(trans_binding, &nft_net->binding_list, binding_list) {
10323 trans = &trans_binding->nft_trans;
10324 switch (trans->msg_type) {
10325 case NFT_MSG_NEWSET:
10326 if (!nft_trans_set_update(trans) &&
10327 nft_set_is_anonymous(nft_trans_set(trans)) &&
10328 !nft_trans_set_bound(trans)) {
10329 pr_warn_once("nftables ruleset with unbound set\n");
10330 return -EINVAL;
10331 }
10332 break;
10333 case NFT_MSG_NEWCHAIN:
10334 if (!nft_trans_chain_update(trans) &&
10335 nft_chain_binding(nft_trans_chain(trans)) &&
10336 !nft_trans_chain_bound(trans)) {
10337 pr_warn_once("nftables ruleset with unbound chain\n");
10338 return -EINVAL;
10339 }
10340 break;
10341 default:
10342 WARN_ONCE(1, "Unhandled bind type %d", trans->msg_type);
10343 break;
10344 }
10345 }
10346
10347 /* 0. Validate ruleset, otherwise roll back for error reporting. */
10348 if (nf_tables_validate(net) < 0) {
10349 nft_net->validate_state = NFT_VALIDATE_DO;
10350 return -EAGAIN;
10351 }
10352
10353 err = nft_flow_rule_offload_commit(net);
10354 if (err < 0)
10355 return err;
10356
10357 /* 1. Allocate space for next generation rules_gen_X[] */
10358 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10359 struct nft_table *table = trans->table;
10360 int ret;
10361
10362 ret = nf_tables_commit_audit_alloc(&adl, table);
10363 if (ret) {
10364 nf_tables_commit_chain_prepare_cancel(net);
10365 nf_tables_commit_audit_free(&adl);
10366 return ret;
10367 }
10368 if (trans->msg_type == NFT_MSG_NEWRULE ||
10369 trans->msg_type == NFT_MSG_DELRULE) {
10370 chain = nft_trans_rule_chain(trans);
10371
10372 ret = nf_tables_commit_chain_prepare(net, chain);
10373 if (ret < 0) {
10374 nf_tables_commit_chain_prepare_cancel(net);
10375 nf_tables_commit_audit_free(&adl);
10376 return ret;
10377 }
10378 }
10379 }
10380
10381 /* step 2. Make rules_gen_X visible to packet path */
10382 list_for_each_entry(table, &nft_net->tables, list) {
10383 list_for_each_entry(chain, &table->chains, list)
10384 nf_tables_commit_chain(net, chain);
10385 }
10386
10387 /*
10388 * Bump generation counter, invalidate any dump in progress.
10389 * Cannot fail after this point.
10390 */
10391 base_seq = READ_ONCE(nft_net->base_seq);
10392 while (++base_seq == 0)
10393 ;
10394
10395 WRITE_ONCE(nft_net->base_seq, base_seq);
10396
10397 gc_seq = nft_gc_seq_begin(nft_net);
10398
10399 /* step 3. Start new generation, rules_gen_X now in use. */
10400 net->nft.gencursor = nft_gencursor_next(net);
10401
10402 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10403 struct nft_table *table = trans->table;
10404
10405 nft_ctx_update(&ctx, trans);
10406
10407 nf_tables_commit_audit_collect(&adl, table, trans->msg_type);
10408 switch (trans->msg_type) {
10409 case NFT_MSG_NEWTABLE:
10410 if (nft_trans_table_update(trans)) {
10411 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
10412 nft_trans_destroy(trans);
10413 break;
10414 }
10415 if (table->flags & NFT_TABLE_F_DORMANT)
10416 nf_tables_table_disable(net, table);
10417
10418 table->flags &= ~__NFT_TABLE_F_UPDATE;
10419 } else {
10420 nft_clear(net, table);
10421 }
10422 nf_tables_table_notify(&ctx, NFT_MSG_NEWTABLE);
10423 nft_trans_destroy(trans);
10424 break;
10425 case NFT_MSG_DELTABLE:
10426 case NFT_MSG_DESTROYTABLE:
10427 list_del_rcu(&table->list);
10428 nf_tables_table_notify(&ctx, trans->msg_type);
10429 break;
10430 case NFT_MSG_NEWCHAIN:
10431 if (nft_trans_chain_update(trans)) {
10432 nft_chain_commit_update(nft_trans_container_chain(trans));
10433 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN,
10434 &nft_trans_chain_hooks(trans));
10435 list_splice(&nft_trans_chain_hooks(trans),
10436 &nft_trans_basechain(trans)->hook_list);
10437 /* trans destroyed after rcu grace period */
10438 } else {
10439 nft_chain_commit_drop_policy(nft_trans_container_chain(trans));
10440 nft_clear(net, nft_trans_chain(trans));
10441 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL);
10442 nft_trans_destroy(trans);
10443 }
10444 break;
10445 case NFT_MSG_DELCHAIN:
10446 case NFT_MSG_DESTROYCHAIN:
10447 if (nft_trans_chain_update(trans)) {
10448 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
10449 &nft_trans_chain_hooks(trans));
10450 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
10451 nft_netdev_unregister_hooks(net,
10452 &nft_trans_chain_hooks(trans),
10453 true);
10454 }
10455 } else {
10456 nft_chain_del(nft_trans_chain(trans));
10457 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
10458 NULL);
10459 nf_tables_unregister_hook(ctx.net, ctx.table,
10460 nft_trans_chain(trans));
10461 }
10462 break;
10463 case NFT_MSG_NEWRULE:
10464 nft_clear(net, nft_trans_rule(trans));
10465 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
10466 NFT_MSG_NEWRULE);
10467 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10468 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10469
10470 nft_trans_destroy(trans);
10471 break;
10472 case NFT_MSG_DELRULE:
10473 case NFT_MSG_DESTROYRULE:
10474 list_del_rcu(&nft_trans_rule(trans)->list);
10475 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
10476 trans->msg_type);
10477 nft_rule_expr_deactivate(&ctx, nft_trans_rule(trans),
10478 NFT_TRANS_COMMIT);
10479
10480 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10481 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10482 break;
10483 case NFT_MSG_NEWSET:
10484 list_del(&nft_trans_container_set(trans)->list_trans_newset);
10485 if (nft_trans_set_update(trans)) {
10486 struct nft_set *set = nft_trans_set(trans);
10487
10488 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
10489 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
10490
10491 if (nft_trans_set_size(trans))
10492 WRITE_ONCE(set->size, nft_trans_set_size(trans));
10493 } else {
10494 nft_clear(net, nft_trans_set(trans));
10495 /* This avoids hitting -EBUSY when deleting the table
10496 * from the transaction.
10497 */
10498 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
10499 !list_empty(&nft_trans_set(trans)->bindings))
10500 nft_use_dec(&table->use);
10501 }
10502 nf_tables_set_notify(&ctx, nft_trans_set(trans),
10503 NFT_MSG_NEWSET, GFP_KERNEL);
10504 nft_trans_destroy(trans);
10505 break;
10506 case NFT_MSG_DELSET:
10507 case NFT_MSG_DESTROYSET:
10508 nft_trans_set(trans)->dead = 1;
10509 list_del_rcu(&nft_trans_set(trans)->list);
10510 nf_tables_set_notify(&ctx, nft_trans_set(trans),
10511 trans->msg_type, GFP_KERNEL);
10512 break;
10513 case NFT_MSG_NEWSETELEM:
10514 te = nft_trans_container_elem(trans);
10515
10516 if (te->update_flags) {
10517 const struct nft_set_ext *ext =
10518 nft_set_elem_ext(te->set, te->elem_priv);
10519
10520 if (te->update_flags & NFT_TRANS_UPD_TIMEOUT) {
10521 WRITE_ONCE(nft_set_ext_timeout(ext)->timeout,
10522 te->timeout);
10523 }
10524 if (te->update_flags & NFT_TRANS_UPD_EXPIRATION) {
10525 WRITE_ONCE(nft_set_ext_timeout(ext)->expiration,
10526 get_jiffies_64() + te->expiration);
10527 }
10528 } else {
10529 nft_setelem_activate(net, te->set, te->elem_priv);
10530 }
10531
10532 nf_tables_setelem_notify(&ctx, te->set,
10533 te->elem_priv,
10534 NFT_MSG_NEWSETELEM);
10535 if (te->set->ops->commit &&
10536 list_empty(&te->set->pending_update)) {
10537 list_add_tail(&te->set->pending_update,
10538 &set_update_list);
10539 }
10540 nft_trans_destroy(trans);
10541 break;
10542 case NFT_MSG_DELSETELEM:
10543 case NFT_MSG_DESTROYSETELEM:
10544 te = nft_trans_container_elem(trans);
10545
10546 nf_tables_setelem_notify(&ctx, te->set,
10547 te->elem_priv,
10548 trans->msg_type);
10549 nft_setelem_remove(net, te->set, te->elem_priv);
10550 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) {
10551 atomic_dec(&te->set->nelems);
10552 te->set->ndeact--;
10553 }
10554 if (te->set->ops->commit &&
10555 list_empty(&te->set->pending_update)) {
10556 list_add_tail(&te->set->pending_update,
10557 &set_update_list);
10558 }
10559 break;
10560 case NFT_MSG_NEWOBJ:
10561 if (nft_trans_obj_update(trans)) {
10562 nft_obj_commit_update(&ctx, trans);
10563 nf_tables_obj_notify(&ctx,
10564 nft_trans_obj(trans),
10565 NFT_MSG_NEWOBJ);
10566 } else {
10567 nft_clear(net, nft_trans_obj(trans));
10568 nf_tables_obj_notify(&ctx,
10569 nft_trans_obj(trans),
10570 NFT_MSG_NEWOBJ);
10571 nft_trans_destroy(trans);
10572 }
10573 break;
10574 case NFT_MSG_DELOBJ:
10575 case NFT_MSG_DESTROYOBJ:
10576 nft_obj_del(nft_trans_obj(trans));
10577 nf_tables_obj_notify(&ctx, nft_trans_obj(trans),
10578 trans->msg_type);
10579 break;
10580 case NFT_MSG_NEWFLOWTABLE:
10581 if (nft_trans_flowtable_update(trans)) {
10582 nft_trans_flowtable(trans)->data.flags =
10583 nft_trans_flowtable_flags(trans);
10584 nf_tables_flowtable_notify(&ctx,
10585 nft_trans_flowtable(trans),
10586 &nft_trans_flowtable_hooks(trans),
10587 NFT_MSG_NEWFLOWTABLE);
10588 list_splice(&nft_trans_flowtable_hooks(trans),
10589 &nft_trans_flowtable(trans)->hook_list);
10590 } else {
10591 nft_clear(net, nft_trans_flowtable(trans));
10592 nf_tables_flowtable_notify(&ctx,
10593 nft_trans_flowtable(trans),
10594 NULL,
10595 NFT_MSG_NEWFLOWTABLE);
10596 }
10597 nft_trans_destroy(trans);
10598 break;
10599 case NFT_MSG_DELFLOWTABLE:
10600 case NFT_MSG_DESTROYFLOWTABLE:
10601 if (nft_trans_flowtable_update(trans)) {
10602 nf_tables_flowtable_notify(&ctx,
10603 nft_trans_flowtable(trans),
10604 &nft_trans_flowtable_hooks(trans),
10605 trans->msg_type);
10606 nft_unregister_flowtable_net_hooks(net,
10607 &nft_trans_flowtable_hooks(trans));
10608 } else {
10609 list_del_rcu(&nft_trans_flowtable(trans)->list);
10610 nf_tables_flowtable_notify(&ctx,
10611 nft_trans_flowtable(trans),
10612 NULL,
10613 trans->msg_type);
10614 nft_unregister_flowtable_net_hooks(net,
10615 &nft_trans_flowtable(trans)->hook_list);
10616 }
10617 break;
10618 }
10619 }
10620
10621 nft_set_commit_update(&set_update_list);
10622
10623 nft_commit_notify(net, NETLINK_CB(skb).portid);
10624 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
10625 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
10626
10627 nft_gc_seq_end(nft_net, gc_seq);
10628 nft_net->validate_state = NFT_VALIDATE_SKIP;
10629 nf_tables_commit_release(net);
10630
10631 return 0;
10632 }
10633
nf_tables_module_autoload(struct net * net)10634 static void nf_tables_module_autoload(struct net *net)
10635 {
10636 struct nftables_pernet *nft_net = nft_pernet(net);
10637 struct nft_module_request *req, *next;
10638 LIST_HEAD(module_list);
10639
10640 list_splice_init(&nft_net->module_list, &module_list);
10641 mutex_unlock(&nft_net->commit_mutex);
10642 list_for_each_entry_safe(req, next, &module_list, list) {
10643 request_module("%s", req->module);
10644 req->done = true;
10645 }
10646 mutex_lock(&nft_net->commit_mutex);
10647 list_splice(&module_list, &nft_net->module_list);
10648 }
10649
nf_tables_abort_release(struct nft_trans * trans)10650 static void nf_tables_abort_release(struct nft_trans *trans)
10651 {
10652 struct nft_ctx ctx = { };
10653
10654 nft_ctx_update(&ctx, trans);
10655
10656 switch (trans->msg_type) {
10657 case NFT_MSG_NEWTABLE:
10658 nf_tables_table_destroy(trans->table);
10659 break;
10660 case NFT_MSG_NEWCHAIN:
10661 if (nft_trans_chain_update(trans))
10662 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
10663 else
10664 nf_tables_chain_destroy(nft_trans_chain(trans));
10665 break;
10666 case NFT_MSG_NEWRULE:
10667 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
10668 break;
10669 case NFT_MSG_NEWSET:
10670 nft_set_destroy(&ctx, nft_trans_set(trans));
10671 break;
10672 case NFT_MSG_NEWSETELEM:
10673 nft_set_elem_destroy(nft_trans_elem_set(trans),
10674 nft_trans_elem_priv(trans), true);
10675 break;
10676 case NFT_MSG_NEWOBJ:
10677 nft_obj_destroy(&ctx, nft_trans_obj(trans));
10678 break;
10679 case NFT_MSG_NEWFLOWTABLE:
10680 if (nft_trans_flowtable_update(trans))
10681 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
10682 else
10683 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10684 break;
10685 }
10686 kfree(trans);
10687 }
10688
nft_set_abort_update(struct list_head * set_update_list)10689 static void nft_set_abort_update(struct list_head *set_update_list)
10690 {
10691 struct nft_set *set, *next;
10692
10693 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10694 list_del_init(&set->pending_update);
10695
10696 if (!set->ops->abort)
10697 continue;
10698
10699 set->ops->abort(set);
10700 }
10701 }
10702
__nf_tables_abort(struct net * net,enum nfnl_abort_action action)10703 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
10704 {
10705 struct nftables_pernet *nft_net = nft_pernet(net);
10706 struct nft_trans *trans, *next;
10707 LIST_HEAD(set_update_list);
10708 struct nft_trans_elem *te;
10709 struct nft_ctx ctx = {
10710 .net = net,
10711 };
10712 int err = 0;
10713
10714 if (action == NFNL_ABORT_VALIDATE &&
10715 nf_tables_validate(net) < 0)
10716 err = -EAGAIN;
10717
10718 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
10719 list) {
10720 struct nft_table *table = trans->table;
10721
10722 nft_ctx_update(&ctx, trans);
10723
10724 switch (trans->msg_type) {
10725 case NFT_MSG_NEWTABLE:
10726 if (nft_trans_table_update(trans)) {
10727 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
10728 nft_trans_destroy(trans);
10729 break;
10730 }
10731 if (table->flags & __NFT_TABLE_F_WAS_DORMANT) {
10732 nf_tables_table_disable(net, table);
10733 table->flags |= NFT_TABLE_F_DORMANT;
10734 } else if (table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
10735 table->flags &= ~NFT_TABLE_F_DORMANT;
10736 }
10737 if (table->flags & __NFT_TABLE_F_WAS_ORPHAN) {
10738 table->flags &= ~NFT_TABLE_F_OWNER;
10739 table->nlpid = 0;
10740 }
10741 table->flags &= ~__NFT_TABLE_F_UPDATE;
10742 nft_trans_destroy(trans);
10743 } else {
10744 list_del_rcu(&table->list);
10745 }
10746 break;
10747 case NFT_MSG_DELTABLE:
10748 case NFT_MSG_DESTROYTABLE:
10749 nft_clear(trans->net, table);
10750 nft_trans_destroy(trans);
10751 break;
10752 case NFT_MSG_NEWCHAIN:
10753 if (nft_trans_chain_update(trans)) {
10754 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
10755 nft_netdev_unregister_hooks(net,
10756 &nft_trans_chain_hooks(trans),
10757 true);
10758 }
10759 free_percpu(nft_trans_chain_stats(trans));
10760 kfree(nft_trans_chain_name(trans));
10761 nft_trans_destroy(trans);
10762 } else {
10763 if (nft_trans_chain_bound(trans)) {
10764 nft_trans_destroy(trans);
10765 break;
10766 }
10767 nft_use_dec_restore(&table->use);
10768 nft_chain_del(nft_trans_chain(trans));
10769 nf_tables_unregister_hook(trans->net, table,
10770 nft_trans_chain(trans));
10771 }
10772 break;
10773 case NFT_MSG_DELCHAIN:
10774 case NFT_MSG_DESTROYCHAIN:
10775 if (nft_trans_chain_update(trans)) {
10776 list_splice(&nft_trans_chain_hooks(trans),
10777 &nft_trans_basechain(trans)->hook_list);
10778 } else {
10779 nft_use_inc_restore(&table->use);
10780 nft_clear(trans->net, nft_trans_chain(trans));
10781 }
10782 nft_trans_destroy(trans);
10783 break;
10784 case NFT_MSG_NEWRULE:
10785 if (nft_trans_rule_bound(trans)) {
10786 nft_trans_destroy(trans);
10787 break;
10788 }
10789 nft_use_dec_restore(&nft_trans_rule_chain(trans)->use);
10790 list_del_rcu(&nft_trans_rule(trans)->list);
10791 nft_rule_expr_deactivate(&ctx,
10792 nft_trans_rule(trans),
10793 NFT_TRANS_ABORT);
10794 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10795 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10796 break;
10797 case NFT_MSG_DELRULE:
10798 case NFT_MSG_DESTROYRULE:
10799 nft_use_inc_restore(&nft_trans_rule_chain(trans)->use);
10800 nft_clear(trans->net, nft_trans_rule(trans));
10801 nft_rule_expr_activate(&ctx, nft_trans_rule(trans));
10802 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10803 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10804
10805 nft_trans_destroy(trans);
10806 break;
10807 case NFT_MSG_NEWSET:
10808 list_del(&nft_trans_container_set(trans)->list_trans_newset);
10809 if (nft_trans_set_update(trans)) {
10810 nft_trans_destroy(trans);
10811 break;
10812 }
10813 nft_use_dec_restore(&table->use);
10814 if (nft_trans_set_bound(trans)) {
10815 nft_trans_destroy(trans);
10816 break;
10817 }
10818 nft_trans_set(trans)->dead = 1;
10819 list_del_rcu(&nft_trans_set(trans)->list);
10820 break;
10821 case NFT_MSG_DELSET:
10822 case NFT_MSG_DESTROYSET:
10823 nft_use_inc_restore(&table->use);
10824 nft_clear(trans->net, nft_trans_set(trans));
10825 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
10826 nft_map_activate(&ctx, nft_trans_set(trans));
10827
10828 nft_trans_destroy(trans);
10829 break;
10830 case NFT_MSG_NEWSETELEM:
10831 if (nft_trans_elem_update_flags(trans) ||
10832 nft_trans_elem_set_bound(trans)) {
10833 nft_trans_destroy(trans);
10834 break;
10835 }
10836 te = nft_trans_container_elem(trans);
10837 if (!te->set->ops->abort ||
10838 nft_setelem_is_catchall(te->set, te->elem_priv))
10839 nft_setelem_remove(net, te->set, te->elem_priv);
10840
10841 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10842 atomic_dec(&te->set->nelems);
10843
10844 if (te->set->ops->abort &&
10845 list_empty(&te->set->pending_update)) {
10846 list_add_tail(&te->set->pending_update,
10847 &set_update_list);
10848 }
10849 break;
10850 case NFT_MSG_DELSETELEM:
10851 case NFT_MSG_DESTROYSETELEM:
10852 te = nft_trans_container_elem(trans);
10853
10854 if (!nft_setelem_active_next(net, te->set, te->elem_priv)) {
10855 nft_setelem_data_activate(net, te->set, te->elem_priv);
10856 nft_setelem_activate(net, te->set, te->elem_priv);
10857 }
10858 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10859 te->set->ndeact--;
10860
10861 if (te->set->ops->abort &&
10862 list_empty(&te->set->pending_update)) {
10863 list_add_tail(&te->set->pending_update,
10864 &set_update_list);
10865 }
10866 nft_trans_destroy(trans);
10867 break;
10868 case NFT_MSG_NEWOBJ:
10869 if (nft_trans_obj_update(trans)) {
10870 nft_obj_destroy(&ctx, nft_trans_obj_newobj(trans));
10871 nft_trans_destroy(trans);
10872 } else {
10873 nft_use_dec_restore(&table->use);
10874 nft_obj_del(nft_trans_obj(trans));
10875 }
10876 break;
10877 case NFT_MSG_DELOBJ:
10878 case NFT_MSG_DESTROYOBJ:
10879 nft_use_inc_restore(&table->use);
10880 nft_clear(trans->net, nft_trans_obj(trans));
10881 nft_trans_destroy(trans);
10882 break;
10883 case NFT_MSG_NEWFLOWTABLE:
10884 if (nft_trans_flowtable_update(trans)) {
10885 nft_unregister_flowtable_net_hooks(net,
10886 &nft_trans_flowtable_hooks(trans));
10887 } else {
10888 nft_use_dec_restore(&table->use);
10889 list_del_rcu(&nft_trans_flowtable(trans)->list);
10890 nft_unregister_flowtable_net_hooks(net,
10891 &nft_trans_flowtable(trans)->hook_list);
10892 }
10893 break;
10894 case NFT_MSG_DELFLOWTABLE:
10895 case NFT_MSG_DESTROYFLOWTABLE:
10896 if (nft_trans_flowtable_update(trans)) {
10897 list_splice(&nft_trans_flowtable_hooks(trans),
10898 &nft_trans_flowtable(trans)->hook_list);
10899 } else {
10900 nft_use_inc_restore(&table->use);
10901 nft_clear(trans->net, nft_trans_flowtable(trans));
10902 }
10903 nft_trans_destroy(trans);
10904 break;
10905 }
10906 }
10907
10908 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
10909
10910 nft_set_abort_update(&set_update_list);
10911
10912 synchronize_rcu();
10913
10914 list_for_each_entry_safe_reverse(trans, next,
10915 &nft_net->commit_list, list) {
10916 nft_trans_list_del(trans);
10917 nf_tables_abort_release(trans);
10918 }
10919
10920 return err;
10921 }
10922
nf_tables_abort(struct net * net,struct sk_buff * skb,enum nfnl_abort_action action)10923 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
10924 enum nfnl_abort_action action)
10925 {
10926 struct nftables_pernet *nft_net = nft_pernet(net);
10927 unsigned int gc_seq;
10928 int ret;
10929
10930 gc_seq = nft_gc_seq_begin(nft_net);
10931 ret = __nf_tables_abort(net, action);
10932 nft_gc_seq_end(nft_net, gc_seq);
10933
10934 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10935
10936 /* module autoload needs to happen after GC sequence update because it
10937 * temporarily releases and grabs mutex again.
10938 */
10939 if (action == NFNL_ABORT_AUTOLOAD)
10940 nf_tables_module_autoload(net);
10941 else
10942 nf_tables_module_autoload_cleanup(net);
10943
10944 mutex_unlock(&nft_net->commit_mutex);
10945
10946 return ret;
10947 }
10948
nf_tables_valid_genid(struct net * net,u32 genid)10949 static bool nf_tables_valid_genid(struct net *net, u32 genid)
10950 {
10951 struct nftables_pernet *nft_net = nft_pernet(net);
10952 bool genid_ok;
10953
10954 mutex_lock(&nft_net->commit_mutex);
10955 nft_net->tstamp = get_jiffies_64();
10956
10957 genid_ok = genid == 0 || nft_net->base_seq == genid;
10958 if (!genid_ok)
10959 mutex_unlock(&nft_net->commit_mutex);
10960
10961 /* else, commit mutex has to be released by commit or abort function */
10962 return genid_ok;
10963 }
10964
10965 static const struct nfnetlink_subsystem nf_tables_subsys = {
10966 .name = "nf_tables",
10967 .subsys_id = NFNL_SUBSYS_NFTABLES,
10968 .cb_count = NFT_MSG_MAX,
10969 .cb = nf_tables_cb,
10970 .commit = nf_tables_commit,
10971 .abort = nf_tables_abort,
10972 .valid_genid = nf_tables_valid_genid,
10973 .owner = THIS_MODULE,
10974 };
10975
nft_chain_validate_dependency(const struct nft_chain * chain,enum nft_chain_types type)10976 int nft_chain_validate_dependency(const struct nft_chain *chain,
10977 enum nft_chain_types type)
10978 {
10979 const struct nft_base_chain *basechain;
10980
10981 if (nft_is_base_chain(chain)) {
10982 basechain = nft_base_chain(chain);
10983 if (basechain->type->type != type)
10984 return -EOPNOTSUPP;
10985 }
10986 return 0;
10987 }
10988 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
10989
nft_chain_validate_hooks(const struct nft_chain * chain,unsigned int hook_flags)10990 int nft_chain_validate_hooks(const struct nft_chain *chain,
10991 unsigned int hook_flags)
10992 {
10993 struct nft_base_chain *basechain;
10994
10995 if (nft_is_base_chain(chain)) {
10996 basechain = nft_base_chain(chain);
10997
10998 if ((1 << basechain->ops.hooknum) & hook_flags)
10999 return 0;
11000
11001 return -EOPNOTSUPP;
11002 }
11003
11004 return 0;
11005 }
11006 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
11007
11008 /**
11009 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
11010 *
11011 * @attr: netlink attribute to fetch value from
11012 * @max: maximum value to be stored in dest
11013 * @dest: pointer to the variable
11014 *
11015 * Parse, check and store a given u32 netlink attribute into variable.
11016 * This function returns -ERANGE if the value goes over maximum value.
11017 * Otherwise a 0 is returned and the attribute value is stored in the
11018 * destination variable.
11019 */
nft_parse_u32_check(const struct nlattr * attr,int max,u32 * dest)11020 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
11021 {
11022 u32 val;
11023
11024 val = ntohl(nla_get_be32(attr));
11025 if (val > max)
11026 return -ERANGE;
11027
11028 *dest = val;
11029 return 0;
11030 }
11031 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
11032
nft_parse_register(const struct nlattr * attr,u32 * preg)11033 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
11034 {
11035 unsigned int reg;
11036
11037 reg = ntohl(nla_get_be32(attr));
11038 switch (reg) {
11039 case NFT_REG_VERDICT...NFT_REG_4:
11040 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
11041 break;
11042 case NFT_REG32_00...NFT_REG32_15:
11043 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
11044 break;
11045 default:
11046 return -ERANGE;
11047 }
11048
11049 return 0;
11050 }
11051
11052 /**
11053 * nft_dump_register - dump a register value to a netlink attribute
11054 *
11055 * @skb: socket buffer
11056 * @attr: attribute number
11057 * @reg: register number
11058 *
11059 * Construct a netlink attribute containing the register number. For
11060 * compatibility reasons, register numbers being a multiple of 4 are
11061 * translated to the corresponding 128 bit register numbers.
11062 */
nft_dump_register(struct sk_buff * skb,unsigned int attr,unsigned int reg)11063 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
11064 {
11065 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
11066 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
11067 else
11068 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
11069
11070 return nla_put_be32(skb, attr, htonl(reg));
11071 }
11072 EXPORT_SYMBOL_GPL(nft_dump_register);
11073
nft_validate_register_load(enum nft_registers reg,unsigned int len)11074 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
11075 {
11076 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11077 return -EINVAL;
11078 if (len == 0)
11079 return -EINVAL;
11080 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
11081 return -ERANGE;
11082
11083 return 0;
11084 }
11085
nft_parse_register_load(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * sreg,u32 len)11086 int nft_parse_register_load(const struct nft_ctx *ctx,
11087 const struct nlattr *attr, u8 *sreg, u32 len)
11088 {
11089 int err, invalid_reg;
11090 u32 reg, next_register;
11091
11092 err = nft_parse_register(attr, ®);
11093 if (err < 0)
11094 return err;
11095
11096 err = nft_validate_register_load(reg, len);
11097 if (err < 0)
11098 return err;
11099
11100 next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg;
11101
11102 /* Can't happen: nft_validate_register_load() should have failed */
11103 if (WARN_ON_ONCE(next_register > NFT_REG32_NUM))
11104 return -EINVAL;
11105
11106 /* find first register that did not see an earlier store. */
11107 invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg);
11108
11109 /* invalid register within the range that we're loading from? */
11110 if (invalid_reg < next_register)
11111 return -ENODATA;
11112
11113 *sreg = reg;
11114 return 0;
11115 }
11116 EXPORT_SYMBOL_GPL(nft_parse_register_load);
11117
nft_saw_register_store(const struct nft_ctx * __ctx,int reg,unsigned int len)11118 static void nft_saw_register_store(const struct nft_ctx *__ctx,
11119 int reg, unsigned int len)
11120 {
11121 unsigned int registers = DIV_ROUND_UP(len, NFT_REG32_SIZE);
11122 struct nft_ctx *ctx = (struct nft_ctx *)__ctx;
11123
11124 if (WARN_ON_ONCE(len == 0 || reg < 0))
11125 return;
11126
11127 bitmap_set(ctx->reg_inited, reg, registers);
11128 }
11129
nft_validate_register_store(const struct nft_ctx * ctx,enum nft_registers reg,const struct nft_data * data,enum nft_data_types type,unsigned int len)11130 static int nft_validate_register_store(const struct nft_ctx *ctx,
11131 enum nft_registers reg,
11132 const struct nft_data *data,
11133 enum nft_data_types type,
11134 unsigned int len)
11135 {
11136 int err;
11137
11138 switch (reg) {
11139 case NFT_REG_VERDICT:
11140 if (type != NFT_DATA_VERDICT)
11141 return -EINVAL;
11142
11143 if (data != NULL &&
11144 (data->verdict.code == NFT_GOTO ||
11145 data->verdict.code == NFT_JUMP)) {
11146 err = nft_chain_validate(ctx, data->verdict.chain);
11147 if (err < 0)
11148 return err;
11149 }
11150
11151 break;
11152 default:
11153 if (type != NFT_DATA_VALUE)
11154 return -EINVAL;
11155
11156 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11157 return -EINVAL;
11158 if (len == 0)
11159 return -EINVAL;
11160 if (reg * NFT_REG32_SIZE + len >
11161 sizeof_field(struct nft_regs, data))
11162 return -ERANGE;
11163
11164 break;
11165 }
11166
11167 nft_saw_register_store(ctx, reg, len);
11168 return 0;
11169 }
11170
nft_parse_register_store(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * dreg,const struct nft_data * data,enum nft_data_types type,unsigned int len)11171 int nft_parse_register_store(const struct nft_ctx *ctx,
11172 const struct nlattr *attr, u8 *dreg,
11173 const struct nft_data *data,
11174 enum nft_data_types type, unsigned int len)
11175 {
11176 int err;
11177 u32 reg;
11178
11179 err = nft_parse_register(attr, ®);
11180 if (err < 0)
11181 return err;
11182
11183 err = nft_validate_register_store(ctx, reg, data, type, len);
11184 if (err < 0)
11185 return err;
11186
11187 *dreg = reg;
11188 return 0;
11189 }
11190 EXPORT_SYMBOL_GPL(nft_parse_register_store);
11191
11192 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
11193 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
11194 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
11195 .len = NFT_CHAIN_MAXNAMELEN - 1 },
11196 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
11197 };
11198
nft_verdict_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11199 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
11200 struct nft_data_desc *desc, const struct nlattr *nla)
11201 {
11202 u8 genmask = nft_genmask_next(ctx->net);
11203 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
11204 struct nft_chain *chain;
11205 int err;
11206
11207 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
11208 nft_verdict_policy, NULL);
11209 if (err < 0)
11210 return err;
11211
11212 if (!tb[NFTA_VERDICT_CODE])
11213 return -EINVAL;
11214
11215 /* zero padding hole for memcmp */
11216 memset(data, 0, sizeof(*data));
11217 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
11218
11219 switch (data->verdict.code) {
11220 case NF_ACCEPT:
11221 case NF_DROP:
11222 case NF_QUEUE:
11223 break;
11224 case NFT_CONTINUE:
11225 case NFT_BREAK:
11226 case NFT_RETURN:
11227 break;
11228 case NFT_JUMP:
11229 case NFT_GOTO:
11230 if (tb[NFTA_VERDICT_CHAIN]) {
11231 chain = nft_chain_lookup(ctx->net, ctx->table,
11232 tb[NFTA_VERDICT_CHAIN],
11233 genmask);
11234 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
11235 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
11236 tb[NFTA_VERDICT_CHAIN_ID],
11237 genmask);
11238 if (IS_ERR(chain))
11239 return PTR_ERR(chain);
11240 } else {
11241 return -EINVAL;
11242 }
11243
11244 if (IS_ERR(chain))
11245 return PTR_ERR(chain);
11246 if (nft_is_base_chain(chain))
11247 return -EOPNOTSUPP;
11248 if (nft_chain_is_bound(chain))
11249 return -EINVAL;
11250 if (desc->flags & NFT_DATA_DESC_SETELEM &&
11251 chain->flags & NFT_CHAIN_BINDING)
11252 return -EINVAL;
11253 if (!nft_use_inc(&chain->use))
11254 return -EMFILE;
11255
11256 data->verdict.chain = chain;
11257 break;
11258 default:
11259 return -EINVAL;
11260 }
11261
11262 desc->len = sizeof(data->verdict);
11263
11264 return 0;
11265 }
11266
nft_verdict_uninit(const struct nft_data * data)11267 static void nft_verdict_uninit(const struct nft_data *data)
11268 {
11269 struct nft_chain *chain;
11270
11271 switch (data->verdict.code) {
11272 case NFT_JUMP:
11273 case NFT_GOTO:
11274 chain = data->verdict.chain;
11275 nft_use_dec(&chain->use);
11276 break;
11277 }
11278 }
11279
nft_verdict_dump(struct sk_buff * skb,int type,const struct nft_verdict * v)11280 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
11281 {
11282 struct nlattr *nest;
11283
11284 nest = nla_nest_start_noflag(skb, type);
11285 if (!nest)
11286 goto nla_put_failure;
11287
11288 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
11289 goto nla_put_failure;
11290
11291 switch (v->code) {
11292 case NFT_JUMP:
11293 case NFT_GOTO:
11294 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
11295 v->chain->name))
11296 goto nla_put_failure;
11297 }
11298 nla_nest_end(skb, nest);
11299 return 0;
11300
11301 nla_put_failure:
11302 return -1;
11303 }
11304
nft_value_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11305 static int nft_value_init(const struct nft_ctx *ctx,
11306 struct nft_data *data, struct nft_data_desc *desc,
11307 const struct nlattr *nla)
11308 {
11309 unsigned int len;
11310
11311 len = nla_len(nla);
11312 if (len == 0)
11313 return -EINVAL;
11314 if (len > desc->size)
11315 return -EOVERFLOW;
11316 if (desc->len) {
11317 if (len != desc->len)
11318 return -EINVAL;
11319 } else {
11320 desc->len = len;
11321 }
11322
11323 nla_memcpy(data->data, nla, len);
11324
11325 return 0;
11326 }
11327
nft_value_dump(struct sk_buff * skb,const struct nft_data * data,unsigned int len)11328 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
11329 unsigned int len)
11330 {
11331 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
11332 }
11333
11334 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11335 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11336 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11337 };
11338
11339 /**
11340 * nft_data_init - parse nf_tables data netlink attributes
11341 *
11342 * @ctx: context of the expression using the data
11343 * @data: destination struct nft_data
11344 * @desc: data description
11345 * @nla: netlink attribute containing data
11346 *
11347 * Parse the netlink data attributes and initialize a struct nft_data.
11348 * The type and length of data are returned in the data description.
11349 *
11350 * The caller can indicate that it only wants to accept data of type
11351 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11352 */
nft_data_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11353 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11354 struct nft_data_desc *desc, const struct nlattr *nla)
11355 {
11356 struct nlattr *tb[NFTA_DATA_MAX + 1];
11357 int err;
11358
11359 if (WARN_ON_ONCE(!desc->size))
11360 return -EINVAL;
11361
11362 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11363 nft_data_policy, NULL);
11364 if (err < 0)
11365 return err;
11366
11367 if (tb[NFTA_DATA_VALUE]) {
11368 if (desc->type != NFT_DATA_VALUE)
11369 return -EINVAL;
11370
11371 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
11372 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11373 if (desc->type != NFT_DATA_VERDICT)
11374 return -EINVAL;
11375
11376 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
11377 } else {
11378 err = -EINVAL;
11379 }
11380
11381 return err;
11382 }
11383 EXPORT_SYMBOL_GPL(nft_data_init);
11384
11385 /**
11386 * nft_data_release - release a nft_data item
11387 *
11388 * @data: struct nft_data to release
11389 * @type: type of data
11390 *
11391 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11392 * all others need to be released by calling this function.
11393 */
nft_data_release(const struct nft_data * data,enum nft_data_types type)11394 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11395 {
11396 if (type < NFT_DATA_VERDICT)
11397 return;
11398 switch (type) {
11399 case NFT_DATA_VERDICT:
11400 return nft_verdict_uninit(data);
11401 default:
11402 WARN_ON(1);
11403 }
11404 }
11405 EXPORT_SYMBOL_GPL(nft_data_release);
11406
nft_data_dump(struct sk_buff * skb,int attr,const struct nft_data * data,enum nft_data_types type,unsigned int len)11407 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
11408 enum nft_data_types type, unsigned int len)
11409 {
11410 struct nlattr *nest;
11411 int err;
11412
11413 nest = nla_nest_start_noflag(skb, attr);
11414 if (nest == NULL)
11415 return -1;
11416
11417 switch (type) {
11418 case NFT_DATA_VALUE:
11419 err = nft_value_dump(skb, data, len);
11420 break;
11421 case NFT_DATA_VERDICT:
11422 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
11423 break;
11424 default:
11425 err = -EINVAL;
11426 WARN_ON(1);
11427 }
11428
11429 nla_nest_end(skb, nest);
11430 return err;
11431 }
11432 EXPORT_SYMBOL_GPL(nft_data_dump);
11433
__nft_release_basechain_now(struct nft_ctx * ctx)11434 static void __nft_release_basechain_now(struct nft_ctx *ctx)
11435 {
11436 struct nft_rule *rule, *nr;
11437
11438 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
11439 list_del(&rule->list);
11440 nf_tables_rule_release(ctx, rule);
11441 }
11442 nf_tables_chain_destroy(ctx->chain);
11443 }
11444
nft_release_basechain_rcu(struct rcu_head * head)11445 static void nft_release_basechain_rcu(struct rcu_head *head)
11446 {
11447 struct nft_chain *chain = container_of(head, struct nft_chain, rcu_head);
11448 struct nft_ctx ctx = {
11449 .family = chain->table->family,
11450 .chain = chain,
11451 .net = read_pnet(&chain->table->net),
11452 };
11453
11454 __nft_release_basechain_now(&ctx);
11455 put_net(ctx.net);
11456 }
11457
__nft_release_basechain(struct nft_ctx * ctx)11458 int __nft_release_basechain(struct nft_ctx *ctx)
11459 {
11460 struct nft_rule *rule;
11461
11462 if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain)))
11463 return 0;
11464
11465 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
11466 list_for_each_entry(rule, &ctx->chain->rules, list)
11467 nft_use_dec(&ctx->chain->use);
11468
11469 nft_chain_del(ctx->chain);
11470 nft_use_dec(&ctx->table->use);
11471
11472 if (maybe_get_net(ctx->net))
11473 call_rcu(&ctx->chain->rcu_head, nft_release_basechain_rcu);
11474 else
11475 __nft_release_basechain_now(ctx);
11476
11477 return 0;
11478 }
11479 EXPORT_SYMBOL_GPL(__nft_release_basechain);
11480
__nft_release_hook(struct net * net,struct nft_table * table)11481 static void __nft_release_hook(struct net *net, struct nft_table *table)
11482 {
11483 struct nft_flowtable *flowtable;
11484 struct nft_chain *chain;
11485
11486 list_for_each_entry(chain, &table->chains, list)
11487 __nf_tables_unregister_hook(net, table, chain, true);
11488 list_for_each_entry(flowtable, &table->flowtables, list)
11489 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
11490 true);
11491 }
11492
__nft_release_hooks(struct net * net)11493 static void __nft_release_hooks(struct net *net)
11494 {
11495 struct nftables_pernet *nft_net = nft_pernet(net);
11496 struct nft_table *table;
11497
11498 list_for_each_entry(table, &nft_net->tables, list) {
11499 if (nft_table_has_owner(table))
11500 continue;
11501
11502 __nft_release_hook(net, table);
11503 }
11504 }
11505
__nft_release_table(struct net * net,struct nft_table * table)11506 static void __nft_release_table(struct net *net, struct nft_table *table)
11507 {
11508 struct nft_flowtable *flowtable, *nf;
11509 struct nft_chain *chain, *nc;
11510 struct nft_object *obj, *ne;
11511 struct nft_rule *rule, *nr;
11512 struct nft_set *set, *ns;
11513 struct nft_ctx ctx = {
11514 .net = net,
11515 .family = NFPROTO_NETDEV,
11516 };
11517
11518 ctx.family = table->family;
11519 ctx.table = table;
11520 list_for_each_entry(chain, &table->chains, list) {
11521 if (nft_chain_binding(chain))
11522 continue;
11523
11524 ctx.chain = chain;
11525 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
11526 list_del(&rule->list);
11527 nft_use_dec(&chain->use);
11528 nf_tables_rule_release(&ctx, rule);
11529 }
11530 }
11531 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11532 list_del(&flowtable->list);
11533 nft_use_dec(&table->use);
11534 nf_tables_flowtable_destroy(flowtable);
11535 }
11536 list_for_each_entry_safe(set, ns, &table->sets, list) {
11537 list_del(&set->list);
11538 nft_use_dec(&table->use);
11539 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11540 nft_map_deactivate(&ctx, set);
11541
11542 nft_set_destroy(&ctx, set);
11543 }
11544 list_for_each_entry_safe(obj, ne, &table->objects, list) {
11545 nft_obj_del(obj);
11546 nft_use_dec(&table->use);
11547 nft_obj_destroy(&ctx, obj);
11548 }
11549 list_for_each_entry_safe(chain, nc, &table->chains, list) {
11550 nft_chain_del(chain);
11551 nft_use_dec(&table->use);
11552 nf_tables_chain_destroy(chain);
11553 }
11554 nf_tables_table_destroy(table);
11555 }
11556
__nft_release_tables(struct net * net)11557 static void __nft_release_tables(struct net *net)
11558 {
11559 struct nftables_pernet *nft_net = nft_pernet(net);
11560 struct nft_table *table, *nt;
11561
11562 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
11563 if (nft_table_has_owner(table))
11564 continue;
11565
11566 list_del(&table->list);
11567
11568 __nft_release_table(net, table);
11569 }
11570 }
11571
nft_rcv_nl_event(struct notifier_block * this,unsigned long event,void * ptr)11572 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
11573 void *ptr)
11574 {
11575 struct nft_table *table, *to_delete[8];
11576 struct nftables_pernet *nft_net;
11577 struct netlink_notify *n = ptr;
11578 struct net *net = n->net;
11579 unsigned int deleted;
11580 bool restart = false;
11581 unsigned int gc_seq;
11582
11583 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
11584 return NOTIFY_DONE;
11585
11586 nft_net = nft_pernet(net);
11587 deleted = 0;
11588 mutex_lock(&nft_net->commit_mutex);
11589
11590 gc_seq = nft_gc_seq_begin(nft_net);
11591
11592 nf_tables_trans_destroy_flush_work();
11593 again:
11594 list_for_each_entry(table, &nft_net->tables, list) {
11595 if (nft_table_has_owner(table) &&
11596 n->portid == table->nlpid) {
11597 if (table->flags & NFT_TABLE_F_PERSIST) {
11598 table->flags &= ~NFT_TABLE_F_OWNER;
11599 continue;
11600 }
11601 __nft_release_hook(net, table);
11602 list_del_rcu(&table->list);
11603 to_delete[deleted++] = table;
11604 if (deleted >= ARRAY_SIZE(to_delete))
11605 break;
11606 }
11607 }
11608 if (deleted) {
11609 restart = deleted >= ARRAY_SIZE(to_delete);
11610 synchronize_rcu();
11611 while (deleted)
11612 __nft_release_table(net, to_delete[--deleted]);
11613
11614 if (restart)
11615 goto again;
11616 }
11617 nft_gc_seq_end(nft_net, gc_seq);
11618
11619 mutex_unlock(&nft_net->commit_mutex);
11620
11621 return NOTIFY_DONE;
11622 }
11623
11624 static struct notifier_block nft_nl_notifier = {
11625 .notifier_call = nft_rcv_nl_event,
11626 };
11627
nf_tables_init_net(struct net * net)11628 static int __net_init nf_tables_init_net(struct net *net)
11629 {
11630 struct nftables_pernet *nft_net = nft_pernet(net);
11631
11632 INIT_LIST_HEAD(&nft_net->tables);
11633 INIT_LIST_HEAD(&nft_net->commit_list);
11634 INIT_LIST_HEAD(&nft_net->commit_set_list);
11635 INIT_LIST_HEAD(&nft_net->binding_list);
11636 INIT_LIST_HEAD(&nft_net->module_list);
11637 INIT_LIST_HEAD(&nft_net->notify_list);
11638 mutex_init(&nft_net->commit_mutex);
11639 nft_net->base_seq = 1;
11640 nft_net->gc_seq = 0;
11641 nft_net->validate_state = NFT_VALIDATE_SKIP;
11642
11643 return 0;
11644 }
11645
nf_tables_pre_exit_net(struct net * net)11646 static void __net_exit nf_tables_pre_exit_net(struct net *net)
11647 {
11648 struct nftables_pernet *nft_net = nft_pernet(net);
11649
11650 mutex_lock(&nft_net->commit_mutex);
11651 __nft_release_hooks(net);
11652 mutex_unlock(&nft_net->commit_mutex);
11653 }
11654
nf_tables_exit_net(struct net * net)11655 static void __net_exit nf_tables_exit_net(struct net *net)
11656 {
11657 struct nftables_pernet *nft_net = nft_pernet(net);
11658 unsigned int gc_seq;
11659
11660 mutex_lock(&nft_net->commit_mutex);
11661
11662 gc_seq = nft_gc_seq_begin(nft_net);
11663
11664 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
11665 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
11666
11667 if (!list_empty(&nft_net->module_list))
11668 nf_tables_module_autoload_cleanup(net);
11669
11670 __nft_release_tables(net);
11671
11672 nft_gc_seq_end(nft_net, gc_seq);
11673
11674 mutex_unlock(&nft_net->commit_mutex);
11675 WARN_ON_ONCE(!list_empty(&nft_net->tables));
11676 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
11677 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
11678 }
11679
nf_tables_exit_batch(struct list_head * net_exit_list)11680 static void nf_tables_exit_batch(struct list_head *net_exit_list)
11681 {
11682 flush_work(&trans_gc_work);
11683 }
11684
11685 static struct pernet_operations nf_tables_net_ops = {
11686 .init = nf_tables_init_net,
11687 .pre_exit = nf_tables_pre_exit_net,
11688 .exit = nf_tables_exit_net,
11689 .exit_batch = nf_tables_exit_batch,
11690 .id = &nf_tables_net_id,
11691 .size = sizeof(struct nftables_pernet),
11692 };
11693
nf_tables_module_init(void)11694 static int __init nf_tables_module_init(void)
11695 {
11696 int err;
11697
11698 BUILD_BUG_ON(offsetof(struct nft_trans_table, nft_trans) != 0);
11699 BUILD_BUG_ON(offsetof(struct nft_trans_chain, nft_trans_binding.nft_trans) != 0);
11700 BUILD_BUG_ON(offsetof(struct nft_trans_rule, nft_trans) != 0);
11701 BUILD_BUG_ON(offsetof(struct nft_trans_set, nft_trans_binding.nft_trans) != 0);
11702 BUILD_BUG_ON(offsetof(struct nft_trans_elem, nft_trans) != 0);
11703 BUILD_BUG_ON(offsetof(struct nft_trans_obj, nft_trans) != 0);
11704 BUILD_BUG_ON(offsetof(struct nft_trans_flowtable, nft_trans) != 0);
11705
11706 err = register_pernet_subsys(&nf_tables_net_ops);
11707 if (err < 0)
11708 return err;
11709
11710 err = nft_chain_filter_init();
11711 if (err < 0)
11712 goto err_chain_filter;
11713
11714 err = nf_tables_core_module_init();
11715 if (err < 0)
11716 goto err_core_module;
11717
11718 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
11719 if (err < 0)
11720 goto err_netdev_notifier;
11721
11722 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
11723 if (err < 0)
11724 goto err_rht_objname;
11725
11726 err = nft_offload_init();
11727 if (err < 0)
11728 goto err_offload;
11729
11730 err = netlink_register_notifier(&nft_nl_notifier);
11731 if (err < 0)
11732 goto err_netlink_notifier;
11733
11734 /* must be last */
11735 err = nfnetlink_subsys_register(&nf_tables_subsys);
11736 if (err < 0)
11737 goto err_nfnl_subsys;
11738
11739 nft_chain_route_init();
11740
11741 return err;
11742
11743 err_nfnl_subsys:
11744 netlink_unregister_notifier(&nft_nl_notifier);
11745 err_netlink_notifier:
11746 nft_offload_exit();
11747 err_offload:
11748 rhltable_destroy(&nft_objname_ht);
11749 err_rht_objname:
11750 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11751 err_netdev_notifier:
11752 nf_tables_core_module_exit();
11753 err_core_module:
11754 nft_chain_filter_fini();
11755 err_chain_filter:
11756 unregister_pernet_subsys(&nf_tables_net_ops);
11757 return err;
11758 }
11759
nf_tables_module_exit(void)11760 static void __exit nf_tables_module_exit(void)
11761 {
11762 nfnetlink_subsys_unregister(&nf_tables_subsys);
11763 netlink_unregister_notifier(&nft_nl_notifier);
11764 nft_offload_exit();
11765 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11766 nft_chain_filter_fini();
11767 nft_chain_route_fini();
11768 nf_tables_trans_destroy_flush_work();
11769 unregister_pernet_subsys(&nf_tables_net_ops);
11770 cancel_work_sync(&trans_gc_work);
11771 cancel_work_sync(&trans_destroy_work);
11772 rcu_barrier();
11773 rhltable_destroy(&nft_objname_ht);
11774 nf_tables_core_module_exit();
11775 }
11776
11777 module_init(nf_tables_module_init);
11778 module_exit(nf_tables_module_exit);
11779
11780 MODULE_LICENSE("GPL");
11781 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
11782 MODULE_DESCRIPTION("Framework for packet filtering and classification");
11783 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
11784