1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 #define NFT_SET_MAX_ANONLEN 16
28
29 /* limit compaction to avoid huge kmalloc/krealloc sizes. */
30 #define NFT_MAX_SET_NELEMS ((2048 - sizeof(struct nft_trans_elem)) / sizeof(struct nft_trans_one_elem))
31
32 unsigned int nf_tables_net_id __read_mostly;
33
34 static LIST_HEAD(nf_tables_expressions);
35 static LIST_HEAD(nf_tables_objects);
36 static LIST_HEAD(nf_tables_flowtables);
37 static LIST_HEAD(nf_tables_gc_list);
38 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
39 static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
40
41 enum {
42 NFT_VALIDATE_SKIP = 0,
43 NFT_VALIDATE_NEED,
44 NFT_VALIDATE_DO,
45 };
46
47 static struct rhltable nft_objname_ht;
48
49 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
50 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
51 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
52
53 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
54 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
55 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
56
57 static const struct rhashtable_params nft_chain_ht_params = {
58 .head_offset = offsetof(struct nft_chain, rhlhead),
59 .key_offset = offsetof(struct nft_chain, name),
60 .hashfn = nft_chain_hash,
61 .obj_hashfn = nft_chain_hash_obj,
62 .obj_cmpfn = nft_chain_hash_cmp,
63 .automatic_shrinking = true,
64 };
65
66 static const struct rhashtable_params nft_objname_ht_params = {
67 .head_offset = offsetof(struct nft_object, rhlhead),
68 .key_offset = offsetof(struct nft_object, key),
69 .hashfn = nft_objname_hash,
70 .obj_hashfn = nft_objname_hash_obj,
71 .obj_cmpfn = nft_objname_hash_cmp,
72 .automatic_shrinking = true,
73 };
74
75 struct nft_audit_data {
76 struct nft_table *table;
77 int entries;
78 int op;
79 struct list_head list;
80 };
81
82 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
83 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
84 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
85 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
86 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
87 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
88 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
89 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
90 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
91 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
92 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
93 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
94 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
95 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
96 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
97 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
98 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
99 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
100 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
102 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
103 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
104 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
105 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
106 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
107 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
108 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
109 };
110
nft_validate_state_update(struct nft_table * table,u8 new_validate_state)111 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
112 {
113 switch (table->validate_state) {
114 case NFT_VALIDATE_SKIP:
115 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
116 break;
117 case NFT_VALIDATE_NEED:
118 break;
119 case NFT_VALIDATE_DO:
120 if (new_validate_state == NFT_VALIDATE_NEED)
121 return;
122 }
123
124 table->validate_state = new_validate_state;
125 }
126
nft_chain_vstate_valid(const struct nft_ctx * ctx,const struct nft_chain * chain)127 static bool nft_chain_vstate_valid(const struct nft_ctx *ctx,
128 const struct nft_chain *chain)
129 {
130 const struct nft_base_chain *base_chain;
131 enum nft_chain_types type;
132 u8 hooknum;
133
134 if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain)))
135 return false;
136
137 base_chain = nft_base_chain(ctx->chain);
138 hooknum = base_chain->ops.hooknum;
139 type = base_chain->type->type;
140
141 /* chain is already validated for this call depth */
142 if (chain->vstate.depth >= ctx->level &&
143 chain->vstate.hook_mask[type] & BIT(hooknum))
144 return true;
145
146 return false;
147 }
148
149 static void nf_tables_trans_destroy_work(struct work_struct *w);
150
151 static void nft_trans_gc_work(struct work_struct *work);
152 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
153
nft_ctx_init(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,u8 family,struct nft_table * table,struct nft_chain * chain,const struct nlattr * const * nla)154 static void nft_ctx_init(struct nft_ctx *ctx,
155 struct net *net,
156 const struct sk_buff *skb,
157 const struct nlmsghdr *nlh,
158 u8 family,
159 struct nft_table *table,
160 struct nft_chain *chain,
161 const struct nlattr * const *nla)
162 {
163 ctx->net = net;
164 ctx->family = family;
165 ctx->level = 0;
166 ctx->table = table;
167 ctx->chain = chain;
168 ctx->nla = nla;
169 ctx->portid = NETLINK_CB(skb).portid;
170 ctx->report = nlmsg_report(nlh);
171 ctx->flags = nlh->nlmsg_flags;
172 ctx->seq = nlh->nlmsg_seq;
173
174 bitmap_zero(ctx->reg_inited, NFT_REG32_NUM);
175 }
176
nft_trans_alloc(const struct nft_ctx * ctx,int msg_type,u32 size)177 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
178 int msg_type, u32 size)
179 {
180 struct nft_trans *trans;
181
182 trans = kzalloc(size, GFP_KERNEL);
183 if (trans == NULL)
184 return NULL;
185
186 INIT_LIST_HEAD(&trans->list);
187 trans->msg_type = msg_type;
188
189 trans->net = ctx->net;
190 trans->table = ctx->table;
191 trans->seq = ctx->seq;
192 trans->flags = ctx->flags;
193 trans->report = ctx->report;
194
195 return trans;
196 }
197
nft_trans_get_binding(struct nft_trans * trans)198 static struct nft_trans_binding *nft_trans_get_binding(struct nft_trans *trans)
199 {
200 switch (trans->msg_type) {
201 case NFT_MSG_NEWCHAIN:
202 case NFT_MSG_NEWSET:
203 return container_of(trans, struct nft_trans_binding, nft_trans);
204 }
205
206 return NULL;
207 }
208
nft_trans_list_del(struct nft_trans * trans)209 static void nft_trans_list_del(struct nft_trans *trans)
210 {
211 struct nft_trans_binding *trans_binding;
212
213 list_del(&trans->list);
214
215 trans_binding = nft_trans_get_binding(trans);
216 if (trans_binding)
217 list_del(&trans_binding->binding_list);
218 }
219
nft_trans_destroy(struct nft_trans * trans)220 static void nft_trans_destroy(struct nft_trans *trans)
221 {
222 nft_trans_list_del(trans);
223 kfree(trans);
224 }
225
__nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set,bool bind)226 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
227 bool bind)
228 {
229 struct nftables_pernet *nft_net;
230 struct net *net = ctx->net;
231 struct nft_trans *trans;
232
233 if (!nft_set_is_anonymous(set))
234 return;
235
236 nft_net = nft_pernet(net);
237 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
238 switch (trans->msg_type) {
239 case NFT_MSG_NEWSET:
240 if (nft_trans_set(trans) == set)
241 nft_trans_set_bound(trans) = bind;
242 break;
243 case NFT_MSG_NEWSETELEM:
244 if (nft_trans_elem_set(trans) == set)
245 nft_trans_elem_set_bound(trans) = bind;
246 break;
247 }
248 }
249 }
250
nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set)251 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
252 {
253 return __nft_set_trans_bind(ctx, set, true);
254 }
255
nft_set_trans_unbind(const struct nft_ctx * ctx,struct nft_set * set)256 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
257 {
258 return __nft_set_trans_bind(ctx, set, false);
259 }
260
__nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain,bool bind)261 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
262 struct nft_chain *chain, bool bind)
263 {
264 struct nftables_pernet *nft_net;
265 struct net *net = ctx->net;
266 struct nft_trans *trans;
267
268 if (!nft_chain_binding(chain))
269 return;
270
271 nft_net = nft_pernet(net);
272 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
273 switch (trans->msg_type) {
274 case NFT_MSG_NEWCHAIN:
275 if (nft_trans_chain(trans) == chain)
276 nft_trans_chain_bound(trans) = bind;
277 break;
278 case NFT_MSG_NEWRULE:
279 if (nft_trans_rule_chain(trans) == chain)
280 nft_trans_rule_bound(trans) = bind;
281 break;
282 }
283 }
284 }
285
nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain)286 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
287 struct nft_chain *chain)
288 {
289 __nft_chain_trans_bind(ctx, chain, true);
290 }
291
nf_tables_bind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)292 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
293 {
294 if (!nft_chain_binding(chain))
295 return 0;
296
297 if (nft_chain_binding(ctx->chain))
298 return -EOPNOTSUPP;
299
300 if (chain->bound)
301 return -EBUSY;
302
303 if (!nft_use_inc(&chain->use))
304 return -EMFILE;
305
306 chain->bound = true;
307 nft_chain_trans_bind(ctx, chain);
308
309 return 0;
310 }
311
nf_tables_unbind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)312 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
313 {
314 __nft_chain_trans_bind(ctx, chain, false);
315 }
316
nft_netdev_register_hooks(struct net * net,struct list_head * hook_list)317 static int nft_netdev_register_hooks(struct net *net,
318 struct list_head *hook_list)
319 {
320 struct nf_hook_ops *ops;
321 struct nft_hook *hook;
322 int err, j;
323
324 j = 0;
325 list_for_each_entry(hook, hook_list, list) {
326 list_for_each_entry(ops, &hook->ops_list, list) {
327 err = nf_register_net_hook(net, ops);
328 if (err < 0)
329 goto err_register;
330
331 j++;
332 }
333 }
334 return 0;
335
336 err_register:
337 list_for_each_entry(hook, hook_list, list) {
338 list_for_each_entry(ops, &hook->ops_list, list) {
339 if (j-- <= 0)
340 break;
341
342 nf_unregister_net_hook(net, ops);
343 }
344 }
345 return err;
346 }
347
nft_netdev_hook_free_ops(struct nft_hook * hook)348 static void nft_netdev_hook_free_ops(struct nft_hook *hook)
349 {
350 struct nf_hook_ops *ops, *next;
351
352 list_for_each_entry_safe(ops, next, &hook->ops_list, list) {
353 list_del(&ops->list);
354 kfree(ops);
355 }
356 }
357
nft_netdev_hook_free(struct nft_hook * hook)358 static void nft_netdev_hook_free(struct nft_hook *hook)
359 {
360 nft_netdev_hook_free_ops(hook);
361 kfree(hook);
362 }
363
__nft_netdev_hook_free_rcu(struct rcu_head * rcu)364 static void __nft_netdev_hook_free_rcu(struct rcu_head *rcu)
365 {
366 struct nft_hook *hook = container_of(rcu, struct nft_hook, rcu);
367
368 nft_netdev_hook_free(hook);
369 }
370
nft_netdev_hook_free_rcu(struct nft_hook * hook)371 static void nft_netdev_hook_free_rcu(struct nft_hook *hook)
372 {
373 call_rcu(&hook->rcu, __nft_netdev_hook_free_rcu);
374 }
375
nft_netdev_unregister_hooks(struct net * net,struct list_head * hook_list,bool release_netdev)376 static void nft_netdev_unregister_hooks(struct net *net,
377 struct list_head *hook_list,
378 bool release_netdev)
379 {
380 struct nft_hook *hook, *next;
381 struct nf_hook_ops *ops;
382
383 list_for_each_entry_safe(hook, next, hook_list, list) {
384 list_for_each_entry(ops, &hook->ops_list, list)
385 nf_unregister_net_hook(net, ops);
386 if (release_netdev) {
387 list_del(&hook->list);
388 nft_netdev_hook_free_rcu(hook);
389 }
390 }
391 }
392
nf_tables_register_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)393 static int nf_tables_register_hook(struct net *net,
394 const struct nft_table *table,
395 struct nft_chain *chain)
396 {
397 struct nft_base_chain *basechain;
398 const struct nf_hook_ops *ops;
399
400 if (table->flags & NFT_TABLE_F_DORMANT ||
401 !nft_is_base_chain(chain))
402 return 0;
403
404 basechain = nft_base_chain(chain);
405 ops = &basechain->ops;
406
407 if (basechain->type->ops_register)
408 return basechain->type->ops_register(net, ops);
409
410 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
411 return nft_netdev_register_hooks(net, &basechain->hook_list);
412
413 return nf_register_net_hook(net, &basechain->ops);
414 }
415
__nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain,bool release_netdev)416 static void __nf_tables_unregister_hook(struct net *net,
417 const struct nft_table *table,
418 struct nft_chain *chain,
419 bool release_netdev)
420 {
421 struct nft_base_chain *basechain;
422 const struct nf_hook_ops *ops;
423
424 if (table->flags & NFT_TABLE_F_DORMANT ||
425 !nft_is_base_chain(chain))
426 return;
427 basechain = nft_base_chain(chain);
428 ops = &basechain->ops;
429
430 if (basechain->type->ops_unregister)
431 return basechain->type->ops_unregister(net, ops);
432
433 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
434 nft_netdev_unregister_hooks(net, &basechain->hook_list,
435 release_netdev);
436 else
437 nf_unregister_net_hook(net, &basechain->ops);
438 }
439
nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)440 static void nf_tables_unregister_hook(struct net *net,
441 const struct nft_table *table,
442 struct nft_chain *chain)
443 {
444 return __nf_tables_unregister_hook(net, table, chain, false);
445 }
446
nft_trans_collapse_set_elem_allowed(const struct nft_trans_elem * a,const struct nft_trans_elem * b)447 static bool nft_trans_collapse_set_elem_allowed(const struct nft_trans_elem *a, const struct nft_trans_elem *b)
448 {
449 /* NB: the ->bound equality check is defensive, at this time we only merge
450 * a new nft_trans_elem transaction request with the transaction tail
451 * element, but a->bound != b->bound would imply a NEWRULE transaction
452 * is queued in-between.
453 *
454 * The set check is mandatory, the NFT_MAX_SET_NELEMS check prevents
455 * huge krealloc() requests.
456 */
457 return a->set == b->set && a->bound == b->bound && a->nelems < NFT_MAX_SET_NELEMS;
458 }
459
nft_trans_collapse_set_elem(struct nftables_pernet * nft_net,struct nft_trans_elem * tail,struct nft_trans_elem * trans)460 static bool nft_trans_collapse_set_elem(struct nftables_pernet *nft_net,
461 struct nft_trans_elem *tail,
462 struct nft_trans_elem *trans)
463 {
464 unsigned int nelems, old_nelems = tail->nelems;
465 struct nft_trans_elem *new_trans;
466
467 if (!nft_trans_collapse_set_elem_allowed(tail, trans))
468 return false;
469
470 /* "cannot happen", at this time userspace element add
471 * requests always allocate a new transaction element.
472 *
473 * This serves as a reminder to adjust the list_add_tail
474 * logic below in case this ever changes.
475 */
476 if (WARN_ON_ONCE(trans->nelems != 1))
477 return false;
478
479 if (check_add_overflow(old_nelems, trans->nelems, &nelems))
480 return false;
481
482 /* krealloc might free tail which invalidates list pointers */
483 list_del_init(&tail->nft_trans.list);
484
485 new_trans = krealloc(tail, struct_size(tail, elems, nelems),
486 GFP_KERNEL);
487 if (!new_trans) {
488 list_add_tail(&tail->nft_trans.list,
489 &nft_net->commit_list);
490 return false;
491 }
492
493 /*
494 * new_trans->nft_trans.list contains garbage, but
495 * list_add_tail() doesn't care.
496 */
497 new_trans->nelems = nelems;
498 new_trans->elems[old_nelems] = trans->elems[0];
499 list_add_tail(&new_trans->nft_trans.list, &nft_net->commit_list);
500
501 return true;
502 }
503
nft_trans_try_collapse(struct nftables_pernet * nft_net,struct nft_trans * trans)504 static bool nft_trans_try_collapse(struct nftables_pernet *nft_net,
505 struct nft_trans *trans)
506 {
507 struct nft_trans *tail;
508
509 if (list_empty(&nft_net->commit_list))
510 return false;
511
512 tail = list_last_entry(&nft_net->commit_list, struct nft_trans, list);
513
514 if (tail->msg_type != trans->msg_type)
515 return false;
516
517 switch (trans->msg_type) {
518 case NFT_MSG_NEWSETELEM:
519 case NFT_MSG_DELSETELEM:
520 return nft_trans_collapse_set_elem(nft_net,
521 nft_trans_container_elem(tail),
522 nft_trans_container_elem(trans));
523 }
524
525 return false;
526 }
527
nft_trans_commit_list_add_tail(struct net * net,struct nft_trans * trans)528 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
529 {
530 struct nftables_pernet *nft_net = nft_pernet(net);
531 struct nft_trans_binding *binding;
532 struct nft_trans_set *trans_set;
533
534 list_add_tail(&trans->list, &nft_net->commit_list);
535
536 binding = nft_trans_get_binding(trans);
537 if (!binding)
538 return;
539
540 switch (trans->msg_type) {
541 case NFT_MSG_NEWSET:
542 trans_set = nft_trans_container_set(trans);
543
544 if (!nft_trans_set_update(trans) &&
545 nft_set_is_anonymous(nft_trans_set(trans)))
546 list_add_tail(&binding->binding_list, &nft_net->binding_list);
547
548 list_add_tail(&trans_set->list_trans_newset, &nft_net->commit_set_list);
549 break;
550 case NFT_MSG_NEWCHAIN:
551 if (!nft_trans_chain_update(trans) &&
552 nft_chain_binding(nft_trans_chain(trans)))
553 list_add_tail(&binding->binding_list, &nft_net->binding_list);
554 break;
555 }
556 }
557
nft_trans_commit_list_add_elem(struct net * net,struct nft_trans * trans)558 static void nft_trans_commit_list_add_elem(struct net *net, struct nft_trans *trans)
559 {
560 struct nftables_pernet *nft_net = nft_pernet(net);
561
562 WARN_ON_ONCE(trans->msg_type != NFT_MSG_NEWSETELEM &&
563 trans->msg_type != NFT_MSG_DELSETELEM);
564
565 if (nft_trans_try_collapse(nft_net, trans)) {
566 kfree(trans);
567 return;
568 }
569
570 nft_trans_commit_list_add_tail(net, trans);
571 }
572
nft_trans_table_add(struct nft_ctx * ctx,int msg_type)573 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
574 {
575 struct nft_trans *trans;
576
577 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
578 if (trans == NULL)
579 return -ENOMEM;
580
581 if (msg_type == NFT_MSG_NEWTABLE)
582 nft_activate_next(ctx->net, ctx->table);
583
584 nft_trans_commit_list_add_tail(ctx->net, trans);
585 return 0;
586 }
587
nft_deltable(struct nft_ctx * ctx)588 static int nft_deltable(struct nft_ctx *ctx)
589 {
590 int err;
591
592 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
593 if (err < 0)
594 return err;
595
596 nft_deactivate_next(ctx->net, ctx->table);
597 return err;
598 }
599
600 static struct nft_trans *
nft_trans_alloc_chain(const struct nft_ctx * ctx,int msg_type)601 nft_trans_alloc_chain(const struct nft_ctx *ctx, int msg_type)
602 {
603 struct nft_trans_chain *trans_chain;
604 struct nft_trans *trans;
605
606 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
607 if (!trans)
608 return NULL;
609
610 trans_chain = nft_trans_container_chain(trans);
611 INIT_LIST_HEAD(&trans_chain->nft_trans_binding.binding_list);
612 trans_chain->chain = ctx->chain;
613
614 return trans;
615 }
616
nft_trans_chain_add(struct nft_ctx * ctx,int msg_type)617 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
618 {
619 struct nft_trans *trans;
620
621 trans = nft_trans_alloc_chain(ctx, msg_type);
622 if (trans == NULL)
623 return ERR_PTR(-ENOMEM);
624
625 if (msg_type == NFT_MSG_NEWCHAIN) {
626 nft_activate_next(ctx->net, ctx->chain);
627
628 if (ctx->nla[NFTA_CHAIN_ID]) {
629 nft_trans_chain_id(trans) =
630 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
631 }
632 }
633 nft_trans_commit_list_add_tail(ctx->net, trans);
634
635 return trans;
636 }
637
nft_delchain(struct nft_ctx * ctx)638 static int nft_delchain(struct nft_ctx *ctx)
639 {
640 struct nft_trans *trans;
641
642 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
643 if (IS_ERR(trans))
644 return PTR_ERR(trans);
645
646 nft_use_dec(&ctx->table->use);
647 nft_deactivate_next(ctx->net, ctx->chain);
648
649 return 0;
650 }
651
nft_rule_expr_activate(const struct nft_ctx * ctx,struct nft_rule * rule)652 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
653 {
654 struct nft_expr *expr;
655
656 expr = nft_expr_first(rule);
657 while (nft_expr_more(rule, expr)) {
658 if (expr->ops->activate)
659 expr->ops->activate(ctx, expr);
660
661 expr = nft_expr_next(expr);
662 }
663 }
664
nft_rule_expr_deactivate(const struct nft_ctx * ctx,struct nft_rule * rule,enum nft_trans_phase phase)665 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
666 enum nft_trans_phase phase)
667 {
668 struct nft_expr *expr;
669
670 expr = nft_expr_first(rule);
671 while (nft_expr_more(rule, expr)) {
672 if (expr->ops->deactivate)
673 expr->ops->deactivate(ctx, expr, phase);
674
675 expr = nft_expr_next(expr);
676 }
677 }
678
679 static int
nf_tables_delrule_deactivate(struct nft_ctx * ctx,struct nft_rule * rule)680 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
681 {
682 /* You cannot delete the same rule twice */
683 if (nft_is_active_next(ctx->net, rule)) {
684 nft_deactivate_next(ctx->net, rule);
685 nft_use_dec(&ctx->chain->use);
686 return 0;
687 }
688 return -ENOENT;
689 }
690
nft_trans_rule_add(struct nft_ctx * ctx,int msg_type,struct nft_rule * rule)691 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
692 struct nft_rule *rule)
693 {
694 struct nft_trans *trans;
695
696 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
697 if (trans == NULL)
698 return NULL;
699
700 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
701 nft_trans_rule_id(trans) =
702 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
703 }
704 nft_trans_rule(trans) = rule;
705 nft_trans_rule_chain(trans) = ctx->chain;
706 nft_trans_commit_list_add_tail(ctx->net, trans);
707
708 return trans;
709 }
710
nft_delrule(struct nft_ctx * ctx,struct nft_rule * rule)711 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
712 {
713 struct nft_flow_rule *flow;
714 struct nft_trans *trans;
715 int err;
716
717 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
718 if (trans == NULL)
719 return -ENOMEM;
720
721 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
722 flow = nft_flow_rule_create(ctx->net, rule);
723 if (IS_ERR(flow)) {
724 nft_trans_destroy(trans);
725 return PTR_ERR(flow);
726 }
727
728 nft_trans_flow_rule(trans) = flow;
729 }
730
731 err = nf_tables_delrule_deactivate(ctx, rule);
732 if (err < 0) {
733 nft_trans_destroy(trans);
734 return err;
735 }
736 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
737
738 return 0;
739 }
740
nft_delrule_by_chain(struct nft_ctx * ctx)741 static int nft_delrule_by_chain(struct nft_ctx *ctx)
742 {
743 struct nft_rule *rule;
744 int err;
745
746 list_for_each_entry(rule, &ctx->chain->rules, list) {
747 if (!nft_is_active_next(ctx->net, rule))
748 continue;
749
750 err = nft_delrule(ctx, rule);
751 if (err < 0)
752 return err;
753 }
754 return 0;
755 }
756
__nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set,const struct nft_set_desc * desc)757 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
758 struct nft_set *set,
759 const struct nft_set_desc *desc)
760 {
761 struct nft_trans_set *trans_set;
762 struct nft_trans *trans;
763
764 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
765 if (trans == NULL)
766 return -ENOMEM;
767
768 trans_set = nft_trans_container_set(trans);
769 INIT_LIST_HEAD(&trans_set->nft_trans_binding.binding_list);
770 INIT_LIST_HEAD(&trans_set->list_trans_newset);
771
772 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
773 nft_trans_set_id(trans) =
774 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
775 nft_activate_next(ctx->net, set);
776 }
777 nft_trans_set(trans) = set;
778 if (desc) {
779 nft_trans_set_update(trans) = true;
780 nft_trans_set_gc_int(trans) = desc->gc_int;
781 nft_trans_set_timeout(trans) = desc->timeout;
782 nft_trans_set_size(trans) = desc->size;
783 }
784 nft_trans_commit_list_add_tail(ctx->net, trans);
785
786 return 0;
787 }
788
nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)789 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
790 struct nft_set *set)
791 {
792 return __nft_trans_set_add(ctx, msg_type, set, NULL);
793 }
794
nft_mapelem_deactivate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)795 static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
796 struct nft_set *set,
797 const struct nft_set_iter *iter,
798 struct nft_elem_priv *elem_priv)
799 {
800 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
801
802 if (!nft_set_elem_active(ext, iter->genmask))
803 return 0;
804
805 nft_set_elem_change_active(ctx->net, set, ext);
806 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
807
808 return 0;
809 }
810
811 struct nft_set_elem_catchall {
812 struct list_head list;
813 struct rcu_head rcu;
814 struct nft_elem_priv *elem;
815 };
816
nft_map_catchall_deactivate(const struct nft_ctx * ctx,struct nft_set * set)817 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
818 struct nft_set *set)
819 {
820 u8 genmask = nft_genmask_next(ctx->net);
821 struct nft_set_elem_catchall *catchall;
822 struct nft_set_ext *ext;
823
824 list_for_each_entry(catchall, &set->catchall_list, list) {
825 ext = nft_set_elem_ext(set, catchall->elem);
826 if (!nft_set_elem_active(ext, genmask))
827 continue;
828
829 nft_set_elem_change_active(ctx->net, set, ext);
830 nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
831 break;
832 }
833 }
834
nft_map_deactivate(const struct nft_ctx * ctx,struct nft_set * set)835 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
836 {
837 struct nft_set_iter iter = {
838 .genmask = nft_genmask_next(ctx->net),
839 .type = NFT_ITER_UPDATE,
840 .fn = nft_mapelem_deactivate,
841 };
842
843 set->ops->walk(ctx, set, &iter);
844 WARN_ON_ONCE(iter.err);
845
846 nft_map_catchall_deactivate(ctx, set);
847 }
848
nft_delset(const struct nft_ctx * ctx,struct nft_set * set)849 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
850 {
851 int err;
852
853 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
854 if (err < 0)
855 return err;
856
857 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
858 nft_map_deactivate(ctx, set);
859
860 nft_deactivate_next(ctx->net, set);
861 nft_use_dec(&ctx->table->use);
862
863 return err;
864 }
865
nft_trans_obj_add(struct nft_ctx * ctx,int msg_type,struct nft_object * obj)866 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
867 struct nft_object *obj)
868 {
869 struct nft_trans *trans;
870
871 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
872 if (trans == NULL)
873 return -ENOMEM;
874
875 if (msg_type == NFT_MSG_NEWOBJ)
876 nft_activate_next(ctx->net, obj);
877
878 nft_trans_obj(trans) = obj;
879 nft_trans_commit_list_add_tail(ctx->net, trans);
880
881 return 0;
882 }
883
nft_delobj(struct nft_ctx * ctx,struct nft_object * obj)884 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
885 {
886 int err;
887
888 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
889 if (err < 0)
890 return err;
891
892 nft_deactivate_next(ctx->net, obj);
893 nft_use_dec(&ctx->table->use);
894
895 return err;
896 }
897
898 static struct nft_trans *
nft_trans_flowtable_add(struct nft_ctx * ctx,int msg_type,struct nft_flowtable * flowtable)899 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
900 struct nft_flowtable *flowtable)
901 {
902 struct nft_trans *trans;
903
904 trans = nft_trans_alloc(ctx, msg_type,
905 sizeof(struct nft_trans_flowtable));
906 if (trans == NULL)
907 return ERR_PTR(-ENOMEM);
908
909 if (msg_type == NFT_MSG_NEWFLOWTABLE)
910 nft_activate_next(ctx->net, flowtable);
911
912 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
913 nft_trans_flowtable(trans) = flowtable;
914 nft_trans_commit_list_add_tail(ctx->net, trans);
915
916 return trans;
917 }
918
nft_delflowtable(struct nft_ctx * ctx,struct nft_flowtable * flowtable)919 static int nft_delflowtable(struct nft_ctx *ctx,
920 struct nft_flowtable *flowtable)
921 {
922 struct nft_trans *trans;
923
924 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
925 if (IS_ERR(trans))
926 return PTR_ERR(trans);
927
928 nft_deactivate_next(ctx->net, flowtable);
929 nft_use_dec(&ctx->table->use);
930
931 return 0;
932 }
933
__nft_reg_track_clobber(struct nft_regs_track * track,u8 dreg)934 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
935 {
936 int i;
937
938 for (i = track->regs[dreg].num_reg; i > 0; i--)
939 __nft_reg_track_cancel(track, dreg - i);
940 }
941
__nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 num_reg)942 static void __nft_reg_track_update(struct nft_regs_track *track,
943 const struct nft_expr *expr,
944 u8 dreg, u8 num_reg)
945 {
946 track->regs[dreg].selector = expr;
947 track->regs[dreg].bitwise = NULL;
948 track->regs[dreg].num_reg = num_reg;
949 }
950
nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 len)951 void nft_reg_track_update(struct nft_regs_track *track,
952 const struct nft_expr *expr, u8 dreg, u8 len)
953 {
954 unsigned int regcount;
955 int i;
956
957 __nft_reg_track_clobber(track, dreg);
958
959 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
960 for (i = 0; i < regcount; i++, dreg++)
961 __nft_reg_track_update(track, expr, dreg, i);
962 }
963 EXPORT_SYMBOL_GPL(nft_reg_track_update);
964
nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg,u8 len)965 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
966 {
967 unsigned int regcount;
968 int i;
969
970 __nft_reg_track_clobber(track, dreg);
971
972 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
973 for (i = 0; i < regcount; i++, dreg++)
974 __nft_reg_track_cancel(track, dreg);
975 }
976 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
977
__nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg)978 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
979 {
980 track->regs[dreg].selector = NULL;
981 track->regs[dreg].bitwise = NULL;
982 track->regs[dreg].num_reg = 0;
983 }
984 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
985
986 /*
987 * Tables
988 */
989
nft_table_lookup(const struct net * net,const struct nlattr * nla,u8 family,u8 genmask,u32 nlpid)990 static struct nft_table *nft_table_lookup(const struct net *net,
991 const struct nlattr *nla,
992 u8 family, u8 genmask, u32 nlpid)
993 {
994 struct nftables_pernet *nft_net;
995 struct nft_table *table;
996
997 if (nla == NULL)
998 return ERR_PTR(-EINVAL);
999
1000 nft_net = nft_pernet(net);
1001 list_for_each_entry_rcu(table, &nft_net->tables, list,
1002 lockdep_is_held(&nft_net->commit_mutex)) {
1003 if (!nla_strcmp(nla, table->name) &&
1004 table->family == family &&
1005 nft_active_genmask(table, genmask)) {
1006 if (nft_table_has_owner(table) &&
1007 nlpid && table->nlpid != nlpid)
1008 return ERR_PTR(-EPERM);
1009
1010 return table;
1011 }
1012 }
1013
1014 return ERR_PTR(-ENOENT);
1015 }
1016
nft_table_lookup_byhandle(const struct net * net,const struct nlattr * nla,int family,u8 genmask,u32 nlpid)1017 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
1018 const struct nlattr *nla,
1019 int family, u8 genmask, u32 nlpid)
1020 {
1021 struct nftables_pernet *nft_net;
1022 struct nft_table *table;
1023
1024 nft_net = nft_pernet(net);
1025 list_for_each_entry(table, &nft_net->tables, list) {
1026 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
1027 table->family == family &&
1028 nft_active_genmask(table, genmask)) {
1029 if (nft_table_has_owner(table) &&
1030 nlpid && table->nlpid != nlpid)
1031 return ERR_PTR(-EPERM);
1032
1033 return table;
1034 }
1035 }
1036
1037 return ERR_PTR(-ENOENT);
1038 }
1039
nf_tables_alloc_handle(struct nft_table * table)1040 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
1041 {
1042 return ++table->hgenerator;
1043 }
1044
1045 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
1046
1047 static const struct nft_chain_type *
__nft_chain_type_get(u8 family,enum nft_chain_types type)1048 __nft_chain_type_get(u8 family, enum nft_chain_types type)
1049 {
1050 if (family >= NFPROTO_NUMPROTO ||
1051 type >= NFT_CHAIN_T_MAX)
1052 return NULL;
1053
1054 return chain_type[family][type];
1055 }
1056
1057 static const struct nft_chain_type *
__nf_tables_chain_type_lookup(const struct nlattr * nla,u8 family)1058 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
1059 {
1060 const struct nft_chain_type *type;
1061 int i;
1062
1063 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
1064 type = __nft_chain_type_get(family, i);
1065 if (!type)
1066 continue;
1067 if (!nla_strcmp(nla, type->name))
1068 return type;
1069 }
1070 return NULL;
1071 }
1072
1073 struct nft_module_request {
1074 struct list_head list;
1075 char module[MODULE_NAME_LEN];
1076 bool done;
1077 };
1078
1079 #ifdef CONFIG_MODULES
nft_request_module(struct net * net,const char * fmt,...)1080 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
1081 ...)
1082 {
1083 char module_name[MODULE_NAME_LEN];
1084 struct nftables_pernet *nft_net;
1085 struct nft_module_request *req;
1086 va_list args;
1087 int ret;
1088
1089 va_start(args, fmt);
1090 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
1091 va_end(args);
1092 if (ret >= MODULE_NAME_LEN)
1093 return 0;
1094
1095 nft_net = nft_pernet(net);
1096 list_for_each_entry(req, &nft_net->module_list, list) {
1097 if (!strcmp(req->module, module_name)) {
1098 if (req->done)
1099 return 0;
1100
1101 /* A request to load this module already exists. */
1102 return -EAGAIN;
1103 }
1104 }
1105
1106 req = kmalloc(sizeof(*req), GFP_KERNEL);
1107 if (!req)
1108 return -ENOMEM;
1109
1110 req->done = false;
1111 strscpy(req->module, module_name, MODULE_NAME_LEN);
1112 list_add_tail(&req->list, &nft_net->module_list);
1113
1114 return -EAGAIN;
1115 }
1116 EXPORT_SYMBOL_GPL(nft_request_module);
1117 #endif
1118
lockdep_nfnl_nft_mutex_not_held(void)1119 static void lockdep_nfnl_nft_mutex_not_held(void)
1120 {
1121 #ifdef CONFIG_PROVE_LOCKING
1122 if (debug_locks)
1123 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
1124 #endif
1125 }
1126
1127 static const struct nft_chain_type *
nf_tables_chain_type_lookup(struct net * net,const struct nlattr * nla,u8 family,bool autoload)1128 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
1129 u8 family, bool autoload)
1130 {
1131 const struct nft_chain_type *type;
1132
1133 type = __nf_tables_chain_type_lookup(nla, family);
1134 if (type != NULL)
1135 return type;
1136
1137 lockdep_nfnl_nft_mutex_not_held();
1138 #ifdef CONFIG_MODULES
1139 if (autoload) {
1140 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
1141 nla_len(nla),
1142 (const char *)nla_data(nla)) == -EAGAIN)
1143 return ERR_PTR(-EAGAIN);
1144 }
1145 #endif
1146 return ERR_PTR(-ENOENT);
1147 }
1148
nft_base_seq(const struct net * net)1149 static unsigned int nft_base_seq(const struct net *net)
1150 {
1151 return READ_ONCE(net->nft.base_seq);
1152 }
1153
nft_base_seq_be16(const struct net * net)1154 static __be16 nft_base_seq_be16(const struct net *net)
1155 {
1156 return htons(nft_base_seq(net) & 0xffff);
1157 }
1158
1159 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
1160 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
1161 .len = NFT_TABLE_MAXNAMELEN - 1 },
1162 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
1163 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
1164 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
1165 .len = NFT_USERDATA_MAXLEN }
1166 };
1167
nf_tables_fill_table_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table)1168 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
1169 u32 portid, u32 seq, int event, u32 flags,
1170 int family, const struct nft_table *table)
1171 {
1172 struct nlmsghdr *nlh;
1173
1174 nlh = nfnl_msg_put(skb, portid, seq,
1175 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
1176 flags, family, NFNETLINK_V0, nft_base_seq_be16(net));
1177 if (!nlh)
1178 goto nla_put_failure;
1179
1180 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
1181 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
1182 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
1183 NFTA_TABLE_PAD))
1184 goto nla_put_failure;
1185
1186 if (event == NFT_MSG_DELTABLE ||
1187 event == NFT_MSG_DESTROYTABLE) {
1188 nlmsg_end(skb, nlh);
1189 return 0;
1190 }
1191
1192 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
1193 htonl(table->flags & NFT_TABLE_F_MASK)))
1194 goto nla_put_failure;
1195
1196 if (nft_table_has_owner(table) &&
1197 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
1198 goto nla_put_failure;
1199
1200 if (table->udata) {
1201 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
1202 goto nla_put_failure;
1203 }
1204
1205 nlmsg_end(skb, nlh);
1206 return 0;
1207
1208 nla_put_failure:
1209 nlmsg_trim(skb, nlh);
1210 return -1;
1211 }
1212
1213 struct nftnl_skb_parms {
1214 bool report;
1215 };
1216 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1217
nft_notify_enqueue(struct sk_buff * skb,bool report,struct list_head * notify_list)1218 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1219 struct list_head *notify_list)
1220 {
1221 NFT_CB(skb).report = report;
1222 list_add_tail(&skb->list, notify_list);
1223 }
1224
nf_tables_table_notify(const struct nft_ctx * ctx,int event)1225 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1226 {
1227 struct nftables_pernet *nft_net;
1228 struct sk_buff *skb;
1229 u16 flags = 0;
1230 int err;
1231
1232 if (!ctx->report &&
1233 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1234 return;
1235
1236 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1237 if (skb == NULL)
1238 goto err;
1239
1240 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1241 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1242
1243 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
1244 event, flags, ctx->family, ctx->table);
1245 if (err < 0) {
1246 kfree_skb(skb);
1247 goto err;
1248 }
1249
1250 nft_net = nft_pernet(ctx->net);
1251 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1252 return;
1253 err:
1254 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1255 }
1256
nf_tables_dump_tables(struct sk_buff * skb,struct netlink_callback * cb)1257 static int nf_tables_dump_tables(struct sk_buff *skb,
1258 struct netlink_callback *cb)
1259 {
1260 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1261 struct nftables_pernet *nft_net;
1262 const struct nft_table *table;
1263 unsigned int idx = 0, s_idx = cb->args[0];
1264 struct net *net = sock_net(skb->sk);
1265 int family = nfmsg->nfgen_family;
1266
1267 rcu_read_lock();
1268 nft_net = nft_pernet(net);
1269 cb->seq = nft_base_seq(net);
1270
1271 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1272 if (family != NFPROTO_UNSPEC && family != table->family)
1273 continue;
1274
1275 if (idx < s_idx)
1276 goto cont;
1277 if (idx > s_idx)
1278 memset(&cb->args[1], 0,
1279 sizeof(cb->args) - sizeof(cb->args[0]));
1280 if (!nft_is_active(net, table))
1281 continue;
1282 if (nf_tables_fill_table_info(skb, net,
1283 NETLINK_CB(cb->skb).portid,
1284 cb->nlh->nlmsg_seq,
1285 NFT_MSG_NEWTABLE, NLM_F_MULTI,
1286 table->family, table) < 0)
1287 goto done;
1288
1289 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1290 cont:
1291 idx++;
1292 }
1293 done:
1294 rcu_read_unlock();
1295 cb->args[0] = idx;
1296 return skb->len;
1297 }
1298
nft_netlink_dump_start_rcu(struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,struct netlink_dump_control * c)1299 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1300 const struct nlmsghdr *nlh,
1301 struct netlink_dump_control *c)
1302 {
1303 int err;
1304
1305 if (!try_module_get(THIS_MODULE))
1306 return -EINVAL;
1307
1308 rcu_read_unlock();
1309 err = netlink_dump_start(nlsk, skb, nlh, c);
1310 rcu_read_lock();
1311 module_put(THIS_MODULE);
1312
1313 return err;
1314 }
1315
1316 /* called with rcu_read_lock held */
nf_tables_gettable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1317 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1318 const struct nlattr * const nla[])
1319 {
1320 struct netlink_ext_ack *extack = info->extack;
1321 u8 genmask = nft_genmask_cur(info->net);
1322 u8 family = info->nfmsg->nfgen_family;
1323 const struct nft_table *table;
1324 struct net *net = info->net;
1325 struct sk_buff *skb2;
1326 int err;
1327
1328 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1329 struct netlink_dump_control c = {
1330 .dump = nf_tables_dump_tables,
1331 .module = THIS_MODULE,
1332 };
1333
1334 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1335 }
1336
1337 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1338 if (IS_ERR(table)) {
1339 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1340 return PTR_ERR(table);
1341 }
1342
1343 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1344 if (!skb2)
1345 return -ENOMEM;
1346
1347 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1348 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1349 0, family, table);
1350 if (err < 0)
1351 goto err_fill_table_info;
1352
1353 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1354
1355 err_fill_table_info:
1356 kfree_skb(skb2);
1357 return err;
1358 }
1359
nft_table_disable(struct net * net,struct nft_table * table,u32 cnt)1360 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1361 {
1362 struct nft_chain *chain;
1363 u32 i = 0;
1364
1365 list_for_each_entry(chain, &table->chains, list) {
1366 if (!nft_is_active_next(net, chain))
1367 continue;
1368 if (!nft_is_base_chain(chain))
1369 continue;
1370
1371 if (cnt && i++ == cnt)
1372 break;
1373
1374 nf_tables_unregister_hook(net, table, chain);
1375 }
1376 }
1377
nf_tables_table_enable(struct net * net,struct nft_table * table)1378 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1379 {
1380 struct nft_chain *chain;
1381 int err, i = 0;
1382
1383 list_for_each_entry(chain, &table->chains, list) {
1384 if (!nft_is_active_next(net, chain))
1385 continue;
1386 if (!nft_is_base_chain(chain))
1387 continue;
1388
1389 err = nf_tables_register_hook(net, table, chain);
1390 if (err < 0)
1391 goto err_register_hooks;
1392
1393 i++;
1394 }
1395 return 0;
1396
1397 err_register_hooks:
1398 if (i)
1399 nft_table_disable(net, table, i);
1400 return err;
1401 }
1402
nf_tables_table_disable(struct net * net,struct nft_table * table)1403 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1404 {
1405 table->flags &= ~NFT_TABLE_F_DORMANT;
1406 nft_table_disable(net, table, 0);
1407 table->flags |= NFT_TABLE_F_DORMANT;
1408 }
1409
1410 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1411 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1412 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1413 #define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2)
1414 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1415 __NFT_TABLE_F_WAS_AWAKEN | \
1416 __NFT_TABLE_F_WAS_ORPHAN)
1417
nft_table_pending_update(const struct nft_ctx * ctx)1418 static bool nft_table_pending_update(const struct nft_ctx *ctx)
1419 {
1420 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1421 struct nft_trans *trans;
1422
1423 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1424 return true;
1425
1426 list_for_each_entry(trans, &nft_net->commit_list, list) {
1427 if (trans->table == ctx->table &&
1428 ((trans->msg_type == NFT_MSG_NEWCHAIN &&
1429 nft_trans_chain_update(trans)) ||
1430 (trans->msg_type == NFT_MSG_DELCHAIN &&
1431 nft_is_base_chain(nft_trans_chain(trans)))))
1432 return true;
1433 }
1434
1435 return false;
1436 }
1437
nf_tables_updtable(struct nft_ctx * ctx)1438 static int nf_tables_updtable(struct nft_ctx *ctx)
1439 {
1440 struct nft_trans *trans;
1441 u32 flags;
1442 int ret;
1443
1444 if (!ctx->nla[NFTA_TABLE_FLAGS])
1445 return 0;
1446
1447 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1448 if (flags & ~NFT_TABLE_F_MASK)
1449 return -EOPNOTSUPP;
1450
1451 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK))
1452 return 0;
1453
1454 if ((nft_table_has_owner(ctx->table) &&
1455 !(flags & NFT_TABLE_F_OWNER)) ||
1456 (flags & NFT_TABLE_F_OWNER &&
1457 !nft_table_is_orphan(ctx->table)))
1458 return -EOPNOTSUPP;
1459
1460 if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
1461 return -EOPNOTSUPP;
1462
1463 /* No dormant off/on/off/on games in single transaction */
1464 if (nft_table_pending_update(ctx))
1465 return -EINVAL;
1466
1467 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1468 sizeof(struct nft_trans_table));
1469 if (trans == NULL)
1470 return -ENOMEM;
1471
1472 if ((flags & NFT_TABLE_F_DORMANT) &&
1473 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1474 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1475 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1476 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1477 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1478 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1479 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1480 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1481 ret = nf_tables_table_enable(ctx->net, ctx->table);
1482 if (ret < 0)
1483 goto err_register_hooks;
1484
1485 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1486 }
1487 }
1488
1489 if ((flags & NFT_TABLE_F_OWNER) &&
1490 !nft_table_has_owner(ctx->table)) {
1491 ctx->table->nlpid = ctx->portid;
1492 ctx->table->flags |= NFT_TABLE_F_OWNER |
1493 __NFT_TABLE_F_WAS_ORPHAN;
1494 }
1495
1496 nft_trans_table_update(trans) = true;
1497 nft_trans_commit_list_add_tail(ctx->net, trans);
1498
1499 return 0;
1500
1501 err_register_hooks:
1502 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1503 nft_trans_destroy(trans);
1504 return ret;
1505 }
1506
nft_chain_hash(const void * data,u32 len,u32 seed)1507 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1508 {
1509 const char *name = data;
1510
1511 return jhash(name, strlen(name), seed);
1512 }
1513
nft_chain_hash_obj(const void * data,u32 len,u32 seed)1514 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1515 {
1516 const struct nft_chain *chain = data;
1517
1518 return nft_chain_hash(chain->name, 0, seed);
1519 }
1520
nft_chain_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1521 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1522 const void *ptr)
1523 {
1524 const struct nft_chain *chain = ptr;
1525 const char *name = arg->key;
1526
1527 return strcmp(chain->name, name);
1528 }
1529
nft_objname_hash(const void * data,u32 len,u32 seed)1530 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1531 {
1532 const struct nft_object_hash_key *k = data;
1533
1534 seed ^= hash_ptr(k->table, 32);
1535
1536 return jhash(k->name, strlen(k->name), seed);
1537 }
1538
nft_objname_hash_obj(const void * data,u32 len,u32 seed)1539 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1540 {
1541 const struct nft_object *obj = data;
1542
1543 return nft_objname_hash(&obj->key, 0, seed);
1544 }
1545
nft_objname_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1546 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1547 const void *ptr)
1548 {
1549 const struct nft_object_hash_key *k = arg->key;
1550 const struct nft_object *obj = ptr;
1551
1552 if (obj->key.table != k->table)
1553 return -1;
1554
1555 return strcmp(obj->key.name, k->name);
1556 }
1557
nft_supported_family(u8 family)1558 static bool nft_supported_family(u8 family)
1559 {
1560 return false
1561 #ifdef CONFIG_NF_TABLES_INET
1562 || family == NFPROTO_INET
1563 #endif
1564 #ifdef CONFIG_NF_TABLES_IPV4
1565 || family == NFPROTO_IPV4
1566 #endif
1567 #ifdef CONFIG_NF_TABLES_ARP
1568 || family == NFPROTO_ARP
1569 #endif
1570 #ifdef CONFIG_NF_TABLES_NETDEV
1571 || family == NFPROTO_NETDEV
1572 #endif
1573 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1574 || family == NFPROTO_BRIDGE
1575 #endif
1576 #ifdef CONFIG_NF_TABLES_IPV6
1577 || family == NFPROTO_IPV6
1578 #endif
1579 ;
1580 }
1581
nf_tables_newtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1582 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1583 const struct nlattr * const nla[])
1584 {
1585 struct nftables_pernet *nft_net = nft_pernet(info->net);
1586 struct netlink_ext_ack *extack = info->extack;
1587 u8 genmask = nft_genmask_next(info->net);
1588 u8 family = info->nfmsg->nfgen_family;
1589 struct net *net = info->net;
1590 const struct nlattr *attr;
1591 struct nft_table *table;
1592 struct nft_ctx ctx;
1593 u32 flags = 0;
1594 int err;
1595
1596 if (!nft_supported_family(family))
1597 return -EOPNOTSUPP;
1598
1599 lockdep_assert_held(&nft_net->commit_mutex);
1600 attr = nla[NFTA_TABLE_NAME];
1601 table = nft_table_lookup(net, attr, family, genmask,
1602 NETLINK_CB(skb).portid);
1603 if (IS_ERR(table)) {
1604 if (PTR_ERR(table) != -ENOENT)
1605 return PTR_ERR(table);
1606 } else {
1607 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1608 NL_SET_BAD_ATTR(extack, attr);
1609 return -EEXIST;
1610 }
1611 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1612 return -EOPNOTSUPP;
1613
1614 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1615
1616 return nf_tables_updtable(&ctx);
1617 }
1618
1619 if (nla[NFTA_TABLE_FLAGS]) {
1620 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1621 if (flags & ~NFT_TABLE_F_MASK)
1622 return -EOPNOTSUPP;
1623 }
1624
1625 err = -ENOMEM;
1626 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1627 if (table == NULL)
1628 goto err_kzalloc;
1629
1630 table->validate_state = nft_net->validate_state;
1631 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1632 if (table->name == NULL)
1633 goto err_strdup;
1634
1635 if (nla[NFTA_TABLE_USERDATA]) {
1636 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1637 if (table->udata == NULL)
1638 goto err_table_udata;
1639
1640 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1641 }
1642
1643 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1644 if (err)
1645 goto err_chain_ht;
1646
1647 INIT_LIST_HEAD(&table->chains);
1648 INIT_LIST_HEAD(&table->sets);
1649 INIT_LIST_HEAD(&table->objects);
1650 INIT_LIST_HEAD(&table->flowtables);
1651 table->family = family;
1652 table->flags = flags;
1653 table->handle = ++nft_net->table_handle;
1654 if (table->flags & NFT_TABLE_F_OWNER)
1655 table->nlpid = NETLINK_CB(skb).portid;
1656
1657 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1658 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1659 if (err < 0)
1660 goto err_trans;
1661
1662 list_add_tail_rcu(&table->list, &nft_net->tables);
1663 return 0;
1664 err_trans:
1665 rhltable_destroy(&table->chains_ht);
1666 err_chain_ht:
1667 kfree(table->udata);
1668 err_table_udata:
1669 kfree(table->name);
1670 err_strdup:
1671 kfree(table);
1672 err_kzalloc:
1673 return err;
1674 }
1675
nft_flush_table(struct nft_ctx * ctx)1676 static int nft_flush_table(struct nft_ctx *ctx)
1677 {
1678 struct nft_flowtable *flowtable, *nft;
1679 struct nft_chain *chain, *nc;
1680 struct nft_object *obj, *ne;
1681 struct nft_set *set, *ns;
1682 int err;
1683
1684 list_for_each_entry(chain, &ctx->table->chains, list) {
1685 if (!nft_is_active_next(ctx->net, chain))
1686 continue;
1687
1688 if (nft_chain_binding(chain))
1689 continue;
1690
1691 ctx->chain = chain;
1692
1693 err = nft_delrule_by_chain(ctx);
1694 if (err < 0)
1695 goto out;
1696 }
1697
1698 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1699 if (!nft_is_active_next(ctx->net, set))
1700 continue;
1701
1702 if (nft_set_is_anonymous(set))
1703 continue;
1704
1705 err = nft_delset(ctx, set);
1706 if (err < 0)
1707 goto out;
1708 }
1709
1710 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1711 if (!nft_is_active_next(ctx->net, flowtable))
1712 continue;
1713
1714 err = nft_delflowtable(ctx, flowtable);
1715 if (err < 0)
1716 goto out;
1717 }
1718
1719 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1720 if (!nft_is_active_next(ctx->net, obj))
1721 continue;
1722
1723 err = nft_delobj(ctx, obj);
1724 if (err < 0)
1725 goto out;
1726 }
1727
1728 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1729 if (!nft_is_active_next(ctx->net, chain))
1730 continue;
1731
1732 if (nft_chain_binding(chain))
1733 continue;
1734
1735 ctx->chain = chain;
1736
1737 err = nft_delchain(ctx);
1738 if (err < 0)
1739 goto out;
1740 }
1741
1742 err = nft_deltable(ctx);
1743 out:
1744 return err;
1745 }
1746
nft_flush(struct nft_ctx * ctx,int family)1747 static int nft_flush(struct nft_ctx *ctx, int family)
1748 {
1749 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1750 const struct nlattr * const *nla = ctx->nla;
1751 struct nft_table *table, *nt;
1752 int err = 0;
1753
1754 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1755 if (family != AF_UNSPEC && table->family != family)
1756 continue;
1757
1758 ctx->family = table->family;
1759
1760 if (!nft_is_active_next(ctx->net, table))
1761 continue;
1762
1763 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1764 continue;
1765
1766 if (nla[NFTA_TABLE_NAME] &&
1767 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1768 continue;
1769
1770 ctx->table = table;
1771
1772 err = nft_flush_table(ctx);
1773 if (err < 0)
1774 goto out;
1775 }
1776 out:
1777 return err;
1778 }
1779
nf_tables_deltable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1780 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1781 const struct nlattr * const nla[])
1782 {
1783 struct netlink_ext_ack *extack = info->extack;
1784 u8 genmask = nft_genmask_next(info->net);
1785 u8 family = info->nfmsg->nfgen_family;
1786 struct net *net = info->net;
1787 const struct nlattr *attr;
1788 struct nft_table *table;
1789 struct nft_ctx ctx;
1790
1791 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1792 if (family == AF_UNSPEC ||
1793 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1794 return nft_flush(&ctx, family);
1795
1796 if (nla[NFTA_TABLE_HANDLE]) {
1797 attr = nla[NFTA_TABLE_HANDLE];
1798 table = nft_table_lookup_byhandle(net, attr, family, genmask,
1799 NETLINK_CB(skb).portid);
1800 } else {
1801 attr = nla[NFTA_TABLE_NAME];
1802 table = nft_table_lookup(net, attr, family, genmask,
1803 NETLINK_CB(skb).portid);
1804 }
1805
1806 if (IS_ERR(table)) {
1807 if (PTR_ERR(table) == -ENOENT &&
1808 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1809 return 0;
1810
1811 NL_SET_BAD_ATTR(extack, attr);
1812 return PTR_ERR(table);
1813 }
1814
1815 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1816 table->use > 0)
1817 return -EBUSY;
1818
1819 ctx.family = family;
1820 ctx.table = table;
1821
1822 return nft_flush_table(&ctx);
1823 }
1824
nf_tables_table_destroy(struct nft_table * table)1825 static void nf_tables_table_destroy(struct nft_table *table)
1826 {
1827 if (WARN_ON(table->use > 0))
1828 return;
1829
1830 rhltable_destroy(&table->chains_ht);
1831 kfree(table->name);
1832 kfree(table->udata);
1833 kfree(table);
1834 }
1835
nft_register_chain_type(const struct nft_chain_type * ctype)1836 void nft_register_chain_type(const struct nft_chain_type *ctype)
1837 {
1838 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1839 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1840 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1841 return;
1842 }
1843 chain_type[ctype->family][ctype->type] = ctype;
1844 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1845 }
1846 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1847
nft_unregister_chain_type(const struct nft_chain_type * ctype)1848 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1849 {
1850 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1851 chain_type[ctype->family][ctype->type] = NULL;
1852 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1853 }
1854 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1855
1856 /*
1857 * Chains
1858 */
1859
1860 static struct nft_chain *
nft_chain_lookup_byhandle(const struct nft_table * table,u64 handle,u8 genmask)1861 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1862 {
1863 struct nft_chain *chain;
1864
1865 list_for_each_entry(chain, &table->chains, list) {
1866 if (chain->handle == handle &&
1867 nft_active_genmask(chain, genmask))
1868 return chain;
1869 }
1870
1871 return ERR_PTR(-ENOENT);
1872 }
1873
lockdep_commit_lock_is_held(const struct net * net)1874 static bool lockdep_commit_lock_is_held(const struct net *net)
1875 {
1876 #ifdef CONFIG_PROVE_LOCKING
1877 struct nftables_pernet *nft_net = nft_pernet(net);
1878
1879 return lockdep_is_held(&nft_net->commit_mutex);
1880 #else
1881 return true;
1882 #endif
1883 }
1884
nft_chain_lookup(struct net * net,struct nft_table * table,const struct nlattr * nla,u8 genmask)1885 static struct nft_chain *nft_chain_lookup(struct net *net,
1886 struct nft_table *table,
1887 const struct nlattr *nla, u8 genmask)
1888 {
1889 char search[NFT_CHAIN_MAXNAMELEN + 1];
1890 struct rhlist_head *tmp, *list;
1891 struct nft_chain *chain;
1892
1893 if (nla == NULL)
1894 return ERR_PTR(-EINVAL);
1895
1896 nla_strscpy(search, nla, sizeof(search));
1897
1898 WARN_ON(!rcu_read_lock_held() &&
1899 !lockdep_commit_lock_is_held(net));
1900
1901 chain = ERR_PTR(-ENOENT);
1902 rcu_read_lock();
1903 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1904 if (!list)
1905 goto out_unlock;
1906
1907 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1908 if (nft_active_genmask(chain, genmask))
1909 goto out_unlock;
1910 }
1911 chain = ERR_PTR(-ENOENT);
1912 out_unlock:
1913 rcu_read_unlock();
1914 return chain;
1915 }
1916
1917 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1918 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1919 .len = NFT_TABLE_MAXNAMELEN - 1 },
1920 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1921 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1922 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1923 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1924 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1925 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1926 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1927 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1928 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1929 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1930 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1931 .len = NFT_USERDATA_MAXLEN },
1932 };
1933
1934 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1935 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1936 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1937 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1938 .len = IFNAMSIZ - 1 },
1939 };
1940
nft_dump_stats(struct sk_buff * skb,struct nft_stats __percpu * stats)1941 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1942 {
1943 struct nft_stats *cpu_stats, total;
1944 struct nlattr *nest;
1945 unsigned int seq;
1946 u64 pkts, bytes;
1947 int cpu;
1948
1949 if (!stats)
1950 return 0;
1951
1952 memset(&total, 0, sizeof(total));
1953 for_each_possible_cpu(cpu) {
1954 cpu_stats = per_cpu_ptr(stats, cpu);
1955 do {
1956 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1957 pkts = cpu_stats->pkts;
1958 bytes = cpu_stats->bytes;
1959 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1960 total.pkts += pkts;
1961 total.bytes += bytes;
1962 }
1963 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1964 if (nest == NULL)
1965 goto nla_put_failure;
1966
1967 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1968 NFTA_COUNTER_PAD) ||
1969 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1970 NFTA_COUNTER_PAD))
1971 goto nla_put_failure;
1972
1973 nla_nest_end(skb, nest);
1974 return 0;
1975
1976 nla_put_failure:
1977 return -ENOSPC;
1978 }
1979
hook_is_prefix(struct nft_hook * hook)1980 static bool hook_is_prefix(struct nft_hook *hook)
1981 {
1982 return strlen(hook->ifname) >= hook->ifnamelen;
1983 }
1984
nft_nla_put_hook_dev(struct sk_buff * skb,struct nft_hook * hook)1985 static int nft_nla_put_hook_dev(struct sk_buff *skb, struct nft_hook *hook)
1986 {
1987 int attr = hook_is_prefix(hook) ? NFTA_DEVICE_PREFIX : NFTA_DEVICE_NAME;
1988
1989 return nla_put_string(skb, attr, hook->ifname);
1990 }
1991
nft_dump_basechain_hook(struct sk_buff * skb,const struct net * net,int family,const struct nft_base_chain * basechain,const struct list_head * hook_list)1992 static int nft_dump_basechain_hook(struct sk_buff *skb,
1993 const struct net *net, int family,
1994 const struct nft_base_chain *basechain,
1995 const struct list_head *hook_list)
1996 {
1997 const struct nf_hook_ops *ops = &basechain->ops;
1998 struct nft_hook *hook, *first = NULL;
1999 struct nlattr *nest, *nest_devs;
2000 int n = 0;
2001
2002 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
2003 if (nest == NULL)
2004 goto nla_put_failure;
2005 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
2006 goto nla_put_failure;
2007 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
2008 goto nla_put_failure;
2009
2010 if (nft_base_chain_netdev(family, ops->hooknum)) {
2011 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
2012 if (!nest_devs)
2013 goto nla_put_failure;
2014
2015 if (!hook_list)
2016 hook_list = &basechain->hook_list;
2017
2018 list_for_each_entry_rcu(hook, hook_list, list,
2019 lockdep_commit_lock_is_held(net)) {
2020 if (!first)
2021 first = hook;
2022
2023 if (nft_nla_put_hook_dev(skb, hook))
2024 goto nla_put_failure;
2025 n++;
2026 }
2027 nla_nest_end(skb, nest_devs);
2028
2029 if (n == 1 &&
2030 !hook_is_prefix(first) &&
2031 nla_put_string(skb, NFTA_HOOK_DEV, first->ifname))
2032 goto nla_put_failure;
2033 }
2034 nla_nest_end(skb, nest);
2035
2036 return 0;
2037 nla_put_failure:
2038 return -1;
2039 }
2040
nf_tables_fill_chain_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct list_head * hook_list)2041 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
2042 u32 portid, u32 seq, int event, u32 flags,
2043 int family, const struct nft_table *table,
2044 const struct nft_chain *chain,
2045 const struct list_head *hook_list)
2046 {
2047 struct nlmsghdr *nlh;
2048
2049 nlh = nfnl_msg_put(skb, portid, seq,
2050 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
2051 flags, family, NFNETLINK_V0, nft_base_seq_be16(net));
2052 if (!nlh)
2053 goto nla_put_failure;
2054
2055 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
2056 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
2057 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
2058 NFTA_CHAIN_PAD))
2059 goto nla_put_failure;
2060
2061 if (!hook_list &&
2062 (event == NFT_MSG_DELCHAIN ||
2063 event == NFT_MSG_DESTROYCHAIN)) {
2064 nlmsg_end(skb, nlh);
2065 return 0;
2066 }
2067
2068 if (nft_is_base_chain(chain)) {
2069 const struct nft_base_chain *basechain = nft_base_chain(chain);
2070 struct nft_stats __percpu *stats;
2071
2072 if (nft_dump_basechain_hook(skb, net, family, basechain, hook_list))
2073 goto nla_put_failure;
2074
2075 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
2076 htonl(basechain->policy)))
2077 goto nla_put_failure;
2078
2079 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
2080 goto nla_put_failure;
2081
2082 stats = rcu_dereference_check(basechain->stats,
2083 lockdep_commit_lock_is_held(net));
2084 if (nft_dump_stats(skb, stats))
2085 goto nla_put_failure;
2086 }
2087
2088 if (chain->flags &&
2089 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
2090 goto nla_put_failure;
2091
2092 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
2093 goto nla_put_failure;
2094
2095 if (chain->udata &&
2096 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
2097 goto nla_put_failure;
2098
2099 nlmsg_end(skb, nlh);
2100 return 0;
2101
2102 nla_put_failure:
2103 nlmsg_trim(skb, nlh);
2104 return -1;
2105 }
2106
nf_tables_chain_notify(const struct nft_ctx * ctx,int event,const struct list_head * hook_list)2107 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
2108 const struct list_head *hook_list)
2109 {
2110 struct nftables_pernet *nft_net;
2111 struct sk_buff *skb;
2112 u16 flags = 0;
2113 int err;
2114
2115 if (!ctx->report &&
2116 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2117 return;
2118
2119 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2120 if (skb == NULL)
2121 goto err;
2122
2123 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
2124 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
2125
2126 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
2127 event, flags, ctx->family, ctx->table,
2128 ctx->chain, hook_list);
2129 if (err < 0) {
2130 kfree_skb(skb);
2131 goto err;
2132 }
2133
2134 nft_net = nft_pernet(ctx->net);
2135 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
2136 return;
2137 err:
2138 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2139 }
2140
nf_tables_dump_chains(struct sk_buff * skb,struct netlink_callback * cb)2141 static int nf_tables_dump_chains(struct sk_buff *skb,
2142 struct netlink_callback *cb)
2143 {
2144 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2145 unsigned int idx = 0, s_idx = cb->args[0];
2146 struct net *net = sock_net(skb->sk);
2147 int family = nfmsg->nfgen_family;
2148 struct nftables_pernet *nft_net;
2149 const struct nft_table *table;
2150 const struct nft_chain *chain;
2151
2152 rcu_read_lock();
2153 nft_net = nft_pernet(net);
2154 cb->seq = nft_base_seq(net);
2155
2156 list_for_each_entry_rcu(table, &nft_net->tables, list) {
2157 if (family != NFPROTO_UNSPEC && family != table->family)
2158 continue;
2159
2160 list_for_each_entry_rcu(chain, &table->chains, list) {
2161 if (idx < s_idx)
2162 goto cont;
2163 if (idx > s_idx)
2164 memset(&cb->args[1], 0,
2165 sizeof(cb->args) - sizeof(cb->args[0]));
2166 if (!nft_is_active(net, chain))
2167 continue;
2168 if (nf_tables_fill_chain_info(skb, net,
2169 NETLINK_CB(cb->skb).portid,
2170 cb->nlh->nlmsg_seq,
2171 NFT_MSG_NEWCHAIN,
2172 NLM_F_MULTI,
2173 table->family, table,
2174 chain, NULL) < 0)
2175 goto done;
2176
2177 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2178 cont:
2179 idx++;
2180 }
2181 }
2182 done:
2183 rcu_read_unlock();
2184 cb->args[0] = idx;
2185 return skb->len;
2186 }
2187
2188 /* called with rcu_read_lock held */
nf_tables_getchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2189 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
2190 const struct nlattr * const nla[])
2191 {
2192 struct netlink_ext_ack *extack = info->extack;
2193 u8 genmask = nft_genmask_cur(info->net);
2194 u8 family = info->nfmsg->nfgen_family;
2195 const struct nft_chain *chain;
2196 struct net *net = info->net;
2197 struct nft_table *table;
2198 struct sk_buff *skb2;
2199 int err;
2200
2201 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
2202 struct netlink_dump_control c = {
2203 .dump = nf_tables_dump_chains,
2204 .module = THIS_MODULE,
2205 };
2206
2207 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
2208 }
2209
2210 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
2211 if (IS_ERR(table)) {
2212 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2213 return PTR_ERR(table);
2214 }
2215
2216 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
2217 if (IS_ERR(chain)) {
2218 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2219 return PTR_ERR(chain);
2220 }
2221
2222 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2223 if (!skb2)
2224 return -ENOMEM;
2225
2226 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
2227 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
2228 0, family, table, chain, NULL);
2229 if (err < 0)
2230 goto err_fill_chain_info;
2231
2232 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
2233
2234 err_fill_chain_info:
2235 kfree_skb(skb2);
2236 return err;
2237 }
2238
2239 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
2240 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
2241 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
2242 };
2243
nft_stats_alloc(const struct nlattr * attr)2244 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
2245 {
2246 struct nlattr *tb[NFTA_COUNTER_MAX+1];
2247 struct nft_stats __percpu *newstats;
2248 struct nft_stats *stats;
2249 int err;
2250
2251 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
2252 nft_counter_policy, NULL);
2253 if (err < 0)
2254 return ERR_PTR_PCPU(err);
2255
2256 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
2257 return ERR_PTR_PCPU(-EINVAL);
2258
2259 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
2260 if (newstats == NULL)
2261 return ERR_PTR_PCPU(-ENOMEM);
2262
2263 /* Restore old counters on this cpu, no problem. Per-cpu statistics
2264 * are not exposed to userspace.
2265 */
2266 preempt_disable();
2267 stats = this_cpu_ptr(newstats);
2268 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2269 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2270 preempt_enable();
2271
2272 return newstats;
2273 }
2274
nft_chain_stats_replace(struct nft_trans_chain * trans)2275 static void nft_chain_stats_replace(struct nft_trans_chain *trans)
2276 {
2277 const struct nft_trans *t = &trans->nft_trans_binding.nft_trans;
2278 struct nft_base_chain *chain = nft_base_chain(trans->chain);
2279
2280 if (!trans->stats)
2281 return;
2282
2283 trans->stats =
2284 rcu_replace_pointer(chain->stats, trans->stats,
2285 lockdep_commit_lock_is_held(t->net));
2286
2287 if (!trans->stats)
2288 static_branch_inc(&nft_counters_enabled);
2289 }
2290
nf_tables_chain_free_chain_rules(struct nft_chain * chain)2291 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2292 {
2293 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2294 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2295
2296 if (g0 != g1)
2297 kvfree(g1);
2298 kvfree(g0);
2299
2300 /* should be NULL either via abort or via successful commit */
2301 WARN_ON_ONCE(chain->blob_next);
2302 kvfree(chain->blob_next);
2303 }
2304
nf_tables_chain_destroy(struct nft_chain * chain)2305 void nf_tables_chain_destroy(struct nft_chain *chain)
2306 {
2307 const struct nft_table *table = chain->table;
2308 struct nft_hook *hook, *next;
2309
2310 if (WARN_ON(chain->use > 0))
2311 return;
2312
2313 /* no concurrent access possible anymore */
2314 nf_tables_chain_free_chain_rules(chain);
2315
2316 if (nft_is_base_chain(chain)) {
2317 struct nft_base_chain *basechain = nft_base_chain(chain);
2318
2319 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2320 list_for_each_entry_safe(hook, next,
2321 &basechain->hook_list, list) {
2322 list_del_rcu(&hook->list);
2323 nft_netdev_hook_free_rcu(hook);
2324 }
2325 }
2326 module_put(basechain->type->owner);
2327 if (rcu_access_pointer(basechain->stats)) {
2328 static_branch_dec(&nft_counters_enabled);
2329 free_percpu(rcu_dereference_raw(basechain->stats));
2330 }
2331 kfree(chain->name);
2332 kfree(chain->udata);
2333 kfree(basechain);
2334 } else {
2335 kfree(chain->name);
2336 kfree(chain->udata);
2337 kfree(chain);
2338 }
2339 }
2340
nft_netdev_hook_alloc(struct net * net,const struct nlattr * attr,bool prefix)2341 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2342 const struct nlattr *attr,
2343 bool prefix)
2344 {
2345 struct nf_hook_ops *ops;
2346 struct net_device *dev;
2347 struct nft_hook *hook;
2348 int err;
2349
2350 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2351 if (!hook)
2352 return ERR_PTR(-ENOMEM);
2353
2354 INIT_LIST_HEAD(&hook->ops_list);
2355
2356 err = nla_strscpy(hook->ifname, attr, IFNAMSIZ);
2357 if (err < 0)
2358 goto err_hook_free;
2359
2360 /* include the terminating NUL-char when comparing non-prefixes */
2361 hook->ifnamelen = strlen(hook->ifname) + !prefix;
2362
2363 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2364 * indirectly serializing all the other holders of the commit_mutex with
2365 * the rtnl_mutex.
2366 */
2367 for_each_netdev(net, dev) {
2368 if (strncmp(dev->name, hook->ifname, hook->ifnamelen))
2369 continue;
2370
2371 ops = kzalloc(sizeof(struct nf_hook_ops), GFP_KERNEL_ACCOUNT);
2372 if (!ops) {
2373 err = -ENOMEM;
2374 goto err_hook_free;
2375 }
2376 ops->dev = dev;
2377 list_add_tail(&ops->list, &hook->ops_list);
2378 }
2379 return hook;
2380
2381 err_hook_free:
2382 nft_netdev_hook_free(hook);
2383 return ERR_PTR(err);
2384 }
2385
nft_hook_list_find(struct list_head * hook_list,const struct nft_hook * this)2386 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2387 const struct nft_hook *this)
2388 {
2389 struct nft_hook *hook;
2390
2391 list_for_each_entry(hook, hook_list, list) {
2392 if (!strncmp(hook->ifname, this->ifname,
2393 min(hook->ifnamelen, this->ifnamelen)))
2394 return hook;
2395 }
2396
2397 return NULL;
2398 }
2399
nf_tables_parse_netdev_hooks(struct net * net,const struct nlattr * attr,struct list_head * hook_list,struct netlink_ext_ack * extack)2400 static int nf_tables_parse_netdev_hooks(struct net *net,
2401 const struct nlattr *attr,
2402 struct list_head *hook_list,
2403 struct netlink_ext_ack *extack)
2404 {
2405 struct nft_hook *hook, *next;
2406 const struct nlattr *tmp;
2407 int rem, n = 0, err;
2408 bool prefix;
2409
2410 nla_for_each_nested(tmp, attr, rem) {
2411 switch (nla_type(tmp)) {
2412 case NFTA_DEVICE_NAME:
2413 prefix = false;
2414 break;
2415 case NFTA_DEVICE_PREFIX:
2416 prefix = true;
2417 break;
2418 default:
2419 err = -EINVAL;
2420 goto err_hook;
2421 }
2422
2423 hook = nft_netdev_hook_alloc(net, tmp, prefix);
2424 if (IS_ERR(hook)) {
2425 NL_SET_BAD_ATTR(extack, tmp);
2426 err = PTR_ERR(hook);
2427 goto err_hook;
2428 }
2429 if (nft_hook_list_find(hook_list, hook)) {
2430 NL_SET_BAD_ATTR(extack, tmp);
2431 nft_netdev_hook_free(hook);
2432 err = -EEXIST;
2433 goto err_hook;
2434 }
2435 list_add_tail(&hook->list, hook_list);
2436 n++;
2437
2438 if (n == NFT_NETDEVICE_MAX) {
2439 err = -EFBIG;
2440 goto err_hook;
2441 }
2442 }
2443
2444 return 0;
2445
2446 err_hook:
2447 list_for_each_entry_safe(hook, next, hook_list, list) {
2448 list_del(&hook->list);
2449 nft_netdev_hook_free(hook);
2450 }
2451 return err;
2452 }
2453
2454 struct nft_chain_hook {
2455 u32 num;
2456 s32 priority;
2457 const struct nft_chain_type *type;
2458 struct list_head list;
2459 };
2460
nft_chain_parse_netdev(struct net * net,struct nlattr * tb[],struct list_head * hook_list,struct netlink_ext_ack * extack,u32 flags)2461 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2462 struct list_head *hook_list,
2463 struct netlink_ext_ack *extack, u32 flags)
2464 {
2465 struct nft_hook *hook;
2466 int err;
2467
2468 if (tb[NFTA_HOOK_DEV]) {
2469 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV], false);
2470 if (IS_ERR(hook)) {
2471 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2472 return PTR_ERR(hook);
2473 }
2474
2475 list_add_tail(&hook->list, hook_list);
2476 } else if (tb[NFTA_HOOK_DEVS]) {
2477 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2478 hook_list, extack);
2479 if (err < 0)
2480 return err;
2481
2482 }
2483
2484 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2485 list_empty(hook_list))
2486 return -EINVAL;
2487
2488 return 0;
2489 }
2490
nft_chain_parse_hook(struct net * net,struct nft_base_chain * basechain,const struct nlattr * const nla[],struct nft_chain_hook * hook,u8 family,u32 flags,struct netlink_ext_ack * extack)2491 static int nft_chain_parse_hook(struct net *net,
2492 struct nft_base_chain *basechain,
2493 const struct nlattr * const nla[],
2494 struct nft_chain_hook *hook, u8 family,
2495 u32 flags, struct netlink_ext_ack *extack)
2496 {
2497 struct nftables_pernet *nft_net = nft_pernet(net);
2498 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2499 const struct nft_chain_type *type;
2500 int err;
2501
2502 lockdep_assert_held(&nft_net->commit_mutex);
2503 lockdep_nfnl_nft_mutex_not_held();
2504
2505 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2506 nla[NFTA_CHAIN_HOOK],
2507 nft_hook_policy, NULL);
2508 if (err < 0)
2509 return err;
2510
2511 if (!basechain) {
2512 if (!ha[NFTA_HOOK_HOOKNUM] ||
2513 !ha[NFTA_HOOK_PRIORITY]) {
2514 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2515 return -ENOENT;
2516 }
2517
2518 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2519 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2520
2521 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2522 if (!type)
2523 return -EOPNOTSUPP;
2524
2525 if (nla[NFTA_CHAIN_TYPE]) {
2526 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2527 family, true);
2528 if (IS_ERR(type)) {
2529 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2530 return PTR_ERR(type);
2531 }
2532 }
2533 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2534 return -EOPNOTSUPP;
2535
2536 if (type->type == NFT_CHAIN_T_NAT &&
2537 hook->priority <= NF_IP_PRI_CONNTRACK)
2538 return -EOPNOTSUPP;
2539 } else {
2540 if (ha[NFTA_HOOK_HOOKNUM]) {
2541 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2542 if (hook->num != basechain->ops.hooknum)
2543 return -EOPNOTSUPP;
2544 }
2545 if (ha[NFTA_HOOK_PRIORITY]) {
2546 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2547 if (hook->priority != basechain->ops.priority)
2548 return -EOPNOTSUPP;
2549 }
2550
2551 if (nla[NFTA_CHAIN_TYPE]) {
2552 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
2553 family);
2554 if (!type) {
2555 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2556 return -ENOENT;
2557 }
2558 } else {
2559 type = basechain->type;
2560 }
2561 }
2562
2563 if (!try_module_get(type->owner)) {
2564 if (nla[NFTA_CHAIN_TYPE])
2565 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2566 return -ENOENT;
2567 }
2568
2569 hook->type = type;
2570
2571 INIT_LIST_HEAD(&hook->list);
2572 if (nft_base_chain_netdev(family, hook->num)) {
2573 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2574 if (err < 0) {
2575 module_put(type->owner);
2576 return err;
2577 }
2578 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2579 module_put(type->owner);
2580 return -EOPNOTSUPP;
2581 }
2582
2583 return 0;
2584 }
2585
nft_chain_release_hook(struct nft_chain_hook * hook)2586 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2587 {
2588 struct nft_hook *h, *next;
2589
2590 list_for_each_entry_safe(h, next, &hook->list, list) {
2591 list_del(&h->list);
2592 nft_netdev_hook_free(h);
2593 }
2594 module_put(hook->type->owner);
2595 }
2596
nft_last_rule(const struct nft_chain * chain,const void * ptr)2597 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2598 {
2599 struct nft_rule_dp_last *lrule;
2600
2601 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2602
2603 lrule = (struct nft_rule_dp_last *)ptr;
2604 lrule->end.is_last = 1;
2605 lrule->chain = chain;
2606 /* blob size does not include the trailer rule */
2607 }
2608
nf_tables_chain_alloc_rules(const struct nft_chain * chain,unsigned int size)2609 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2610 unsigned int size)
2611 {
2612 struct nft_rule_blob *blob;
2613
2614 if (size > INT_MAX)
2615 return NULL;
2616
2617 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2618
2619 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2620 if (!blob)
2621 return NULL;
2622
2623 blob->size = 0;
2624 nft_last_rule(chain, blob->data);
2625
2626 return blob;
2627 }
2628
nft_basechain_hook_init(struct nf_hook_ops * ops,u8 family,const struct nft_chain_hook * hook,struct nft_chain * chain)2629 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2630 const struct nft_chain_hook *hook,
2631 struct nft_chain *chain)
2632 {
2633 ops->pf = family;
2634 ops->hooknum = hook->num;
2635 ops->priority = hook->priority;
2636 ops->priv = chain;
2637 ops->hook = hook->type->hooks[ops->hooknum];
2638 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2639 }
2640
nft_basechain_init(struct nft_base_chain * basechain,u8 family,struct nft_chain_hook * hook,u32 flags)2641 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2642 struct nft_chain_hook *hook, u32 flags)
2643 {
2644 struct nft_chain *chain;
2645 struct nf_hook_ops *ops;
2646 struct nft_hook *h;
2647
2648 basechain->type = hook->type;
2649 INIT_LIST_HEAD(&basechain->hook_list);
2650 chain = &basechain->chain;
2651
2652 if (nft_base_chain_netdev(family, hook->num)) {
2653 list_splice_init(&hook->list, &basechain->hook_list);
2654 list_for_each_entry(h, &basechain->hook_list, list) {
2655 list_for_each_entry(ops, &h->ops_list, list)
2656 nft_basechain_hook_init(ops, family, hook, chain);
2657 }
2658 }
2659 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2660
2661 chain->flags |= NFT_CHAIN_BASE | flags;
2662 basechain->policy = NF_ACCEPT;
2663 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2664 !nft_chain_offload_support(basechain)) {
2665 list_splice_init(&basechain->hook_list, &hook->list);
2666 return -EOPNOTSUPP;
2667 }
2668
2669 flow_block_init(&basechain->flow_block);
2670
2671 return 0;
2672 }
2673
nft_chain_add(struct nft_table * table,struct nft_chain * chain)2674 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2675 {
2676 int err;
2677
2678 err = rhltable_insert_key(&table->chains_ht, chain->name,
2679 &chain->rhlhead, nft_chain_ht_params);
2680 if (err)
2681 return err;
2682
2683 list_add_tail_rcu(&chain->list, &table->chains);
2684
2685 return 0;
2686 }
2687
2688 static u64 chain_id;
2689
nf_tables_addchain(struct nft_ctx * ctx,u8 family,u8 policy,u32 flags,struct netlink_ext_ack * extack)2690 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 policy,
2691 u32 flags, struct netlink_ext_ack *extack)
2692 {
2693 const struct nlattr * const *nla = ctx->nla;
2694 struct nft_table *table = ctx->table;
2695 struct nft_base_chain *basechain;
2696 struct net *net = ctx->net;
2697 char name[NFT_NAME_MAXLEN];
2698 struct nft_rule_blob *blob;
2699 struct nft_trans *trans;
2700 struct nft_chain *chain;
2701 int err;
2702
2703 if (nla[NFTA_CHAIN_HOOK]) {
2704 struct nft_stats __percpu *stats = NULL;
2705 struct nft_chain_hook hook = {};
2706
2707 if (table->flags & __NFT_TABLE_F_UPDATE)
2708 return -EINVAL;
2709
2710 if (flags & NFT_CHAIN_BINDING)
2711 return -EOPNOTSUPP;
2712
2713 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2714 extack);
2715 if (err < 0)
2716 return err;
2717
2718 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2719 if (basechain == NULL) {
2720 nft_chain_release_hook(&hook);
2721 return -ENOMEM;
2722 }
2723 chain = &basechain->chain;
2724
2725 if (nla[NFTA_CHAIN_COUNTERS]) {
2726 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2727 if (IS_ERR_PCPU(stats)) {
2728 nft_chain_release_hook(&hook);
2729 kfree(basechain);
2730 return PTR_ERR_PCPU(stats);
2731 }
2732 rcu_assign_pointer(basechain->stats, stats);
2733 }
2734
2735 err = nft_basechain_init(basechain, family, &hook, flags);
2736 if (err < 0) {
2737 nft_chain_release_hook(&hook);
2738 kfree(basechain);
2739 free_percpu(stats);
2740 return err;
2741 }
2742 if (stats)
2743 static_branch_inc(&nft_counters_enabled);
2744 } else {
2745 if (flags & NFT_CHAIN_BASE)
2746 return -EINVAL;
2747 if (flags & NFT_CHAIN_HW_OFFLOAD)
2748 return -EOPNOTSUPP;
2749
2750 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2751 if (chain == NULL)
2752 return -ENOMEM;
2753
2754 chain->flags = flags;
2755 }
2756 ctx->chain = chain;
2757
2758 INIT_LIST_HEAD(&chain->rules);
2759 chain->handle = nf_tables_alloc_handle(table);
2760 chain->table = table;
2761
2762 if (nla[NFTA_CHAIN_NAME]) {
2763 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2764 } else {
2765 if (!(flags & NFT_CHAIN_BINDING)) {
2766 err = -EINVAL;
2767 goto err_destroy_chain;
2768 }
2769
2770 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2771 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2772 }
2773
2774 if (!chain->name) {
2775 err = -ENOMEM;
2776 goto err_destroy_chain;
2777 }
2778
2779 if (nla[NFTA_CHAIN_USERDATA]) {
2780 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2781 if (chain->udata == NULL) {
2782 err = -ENOMEM;
2783 goto err_destroy_chain;
2784 }
2785 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2786 }
2787
2788 blob = nf_tables_chain_alloc_rules(chain, 0);
2789 if (!blob) {
2790 err = -ENOMEM;
2791 goto err_destroy_chain;
2792 }
2793
2794 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2795 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2796
2797 if (!nft_use_inc(&table->use)) {
2798 err = -EMFILE;
2799 goto err_destroy_chain;
2800 }
2801
2802 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2803 if (IS_ERR(trans)) {
2804 err = PTR_ERR(trans);
2805 goto err_trans;
2806 }
2807
2808 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2809 if (nft_is_base_chain(chain))
2810 nft_trans_chain_policy(trans) = policy;
2811
2812 err = nft_chain_add(table, chain);
2813 if (err < 0)
2814 goto err_chain_add;
2815
2816 /* This must be LAST to ensure no packets are walking over this chain. */
2817 err = nf_tables_register_hook(net, table, chain);
2818 if (err < 0)
2819 goto err_register_hook;
2820
2821 return 0;
2822
2823 err_register_hook:
2824 nft_chain_del(chain);
2825 err_chain_add:
2826 nft_trans_destroy(trans);
2827 err_trans:
2828 nft_use_dec_restore(&table->use);
2829 err_destroy_chain:
2830 nf_tables_chain_destroy(chain);
2831
2832 return err;
2833 }
2834
nf_tables_updchain(struct nft_ctx * ctx,u8 genmask,u8 policy,u32 flags,const struct nlattr * attr,struct netlink_ext_ack * extack)2835 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2836 u32 flags, const struct nlattr *attr,
2837 struct netlink_ext_ack *extack)
2838 {
2839 const struct nlattr * const *nla = ctx->nla;
2840 struct nft_base_chain *basechain = NULL;
2841 struct nft_table *table = ctx->table;
2842 struct nft_chain *chain = ctx->chain;
2843 struct nft_chain_hook hook = {};
2844 struct nft_stats __percpu *stats = NULL;
2845 struct nftables_pernet *nft_net;
2846 struct nft_hook *h, *next;
2847 struct nf_hook_ops *ops;
2848 struct nft_trans *trans;
2849 bool unregister = false;
2850 int err;
2851
2852 if (chain->flags ^ flags)
2853 return -EOPNOTSUPP;
2854
2855 INIT_LIST_HEAD(&hook.list);
2856
2857 if (nla[NFTA_CHAIN_HOOK]) {
2858 if (!nft_is_base_chain(chain)) {
2859 NL_SET_BAD_ATTR(extack, attr);
2860 return -EEXIST;
2861 }
2862
2863 basechain = nft_base_chain(chain);
2864 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2865 ctx->family, flags, extack);
2866 if (err < 0)
2867 return err;
2868
2869 if (basechain->type != hook.type) {
2870 nft_chain_release_hook(&hook);
2871 NL_SET_BAD_ATTR(extack, attr);
2872 return -EEXIST;
2873 }
2874
2875 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2876 list_for_each_entry_safe(h, next, &hook.list, list) {
2877 list_for_each_entry(ops, &h->ops_list, list) {
2878 ops->pf = basechain->ops.pf;
2879 ops->hooknum = basechain->ops.hooknum;
2880 ops->priority = basechain->ops.priority;
2881 ops->priv = basechain->ops.priv;
2882 ops->hook = basechain->ops.hook;
2883 }
2884
2885 if (nft_hook_list_find(&basechain->hook_list, h)) {
2886 list_del(&h->list);
2887 nft_netdev_hook_free(h);
2888 continue;
2889 }
2890
2891 nft_net = nft_pernet(ctx->net);
2892 list_for_each_entry(trans, &nft_net->commit_list, list) {
2893 if (trans->msg_type != NFT_MSG_NEWCHAIN ||
2894 trans->table != ctx->table ||
2895 !nft_trans_chain_update(trans))
2896 continue;
2897
2898 if (nft_hook_list_find(&nft_trans_chain_hooks(trans), h)) {
2899 nft_chain_release_hook(&hook);
2900 return -EEXIST;
2901 }
2902 }
2903 }
2904 } else {
2905 ops = &basechain->ops;
2906 if (ops->hooknum != hook.num ||
2907 ops->priority != hook.priority) {
2908 nft_chain_release_hook(&hook);
2909 NL_SET_BAD_ATTR(extack, attr);
2910 return -EEXIST;
2911 }
2912 }
2913 }
2914
2915 if (nla[NFTA_CHAIN_HANDLE] &&
2916 nla[NFTA_CHAIN_NAME]) {
2917 struct nft_chain *chain2;
2918
2919 chain2 = nft_chain_lookup(ctx->net, table,
2920 nla[NFTA_CHAIN_NAME], genmask);
2921 if (!IS_ERR(chain2)) {
2922 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2923 err = -EEXIST;
2924 goto err_hooks;
2925 }
2926 }
2927
2928 if (table->flags & __NFT_TABLE_F_UPDATE &&
2929 !list_empty(&hook.list)) {
2930 NL_SET_BAD_ATTR(extack, attr);
2931 err = -EOPNOTSUPP;
2932 goto err_hooks;
2933 }
2934
2935 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2936 nft_is_base_chain(chain) &&
2937 !list_empty(&hook.list)) {
2938 basechain = nft_base_chain(chain);
2939 ops = &basechain->ops;
2940
2941 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2942 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2943 if (err < 0)
2944 goto err_hooks;
2945
2946 unregister = true;
2947 }
2948 }
2949
2950 if (nla[NFTA_CHAIN_COUNTERS]) {
2951 if (!nft_is_base_chain(chain)) {
2952 err = -EOPNOTSUPP;
2953 goto err_hooks;
2954 }
2955
2956 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2957 if (IS_ERR_PCPU(stats)) {
2958 err = PTR_ERR_PCPU(stats);
2959 goto err_hooks;
2960 }
2961 }
2962
2963 err = -ENOMEM;
2964 trans = nft_trans_alloc_chain(ctx, NFT_MSG_NEWCHAIN);
2965 if (trans == NULL)
2966 goto err_trans;
2967
2968 nft_trans_chain_stats(trans) = stats;
2969 nft_trans_chain_update(trans) = true;
2970
2971 if (nla[NFTA_CHAIN_POLICY])
2972 nft_trans_chain_policy(trans) = policy;
2973 else
2974 nft_trans_chain_policy(trans) = -1;
2975
2976 if (nla[NFTA_CHAIN_HANDLE] &&
2977 nla[NFTA_CHAIN_NAME]) {
2978 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2979 struct nft_trans *tmp;
2980 char *name;
2981
2982 err = -ENOMEM;
2983 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2984 if (!name)
2985 goto err_trans;
2986
2987 err = -EEXIST;
2988 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2989 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2990 tmp->table == table &&
2991 nft_trans_chain_update(tmp) &&
2992 nft_trans_chain_name(tmp) &&
2993 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2994 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2995 kfree(name);
2996 goto err_trans;
2997 }
2998 }
2999
3000 nft_trans_chain_name(trans) = name;
3001 }
3002
3003 nft_trans_basechain(trans) = basechain;
3004 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
3005 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
3006 if (nla[NFTA_CHAIN_HOOK])
3007 module_put(hook.type->owner);
3008
3009 nft_trans_commit_list_add_tail(ctx->net, trans);
3010
3011 return 0;
3012
3013 err_trans:
3014 free_percpu(stats);
3015 kfree(trans);
3016 err_hooks:
3017 if (nla[NFTA_CHAIN_HOOK]) {
3018 list_for_each_entry_safe(h, next, &hook.list, list) {
3019 if (unregister) {
3020 list_for_each_entry(ops, &h->ops_list, list)
3021 nf_unregister_net_hook(ctx->net, ops);
3022 }
3023 list_del(&h->list);
3024 nft_netdev_hook_free_rcu(h);
3025 }
3026 module_put(hook.type->owner);
3027 }
3028
3029 return err;
3030 }
3031
nft_chain_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)3032 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
3033 const struct nft_table *table,
3034 const struct nlattr *nla, u8 genmask)
3035 {
3036 struct nftables_pernet *nft_net = nft_pernet(net);
3037 u32 id = ntohl(nla_get_be32(nla));
3038 struct nft_trans *trans;
3039
3040 list_for_each_entry(trans, &nft_net->commit_list, list) {
3041 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
3042 nft_trans_chain(trans)->table == table &&
3043 id == nft_trans_chain_id(trans) &&
3044 nft_active_genmask(nft_trans_chain(trans), genmask))
3045 return nft_trans_chain(trans);
3046 }
3047 return ERR_PTR(-ENOENT);
3048 }
3049
nf_tables_newchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3050 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
3051 const struct nlattr * const nla[])
3052 {
3053 struct nftables_pernet *nft_net = nft_pernet(info->net);
3054 struct netlink_ext_ack *extack = info->extack;
3055 u8 genmask = nft_genmask_next(info->net);
3056 u8 family = info->nfmsg->nfgen_family;
3057 struct nft_chain *chain = NULL;
3058 struct net *net = info->net;
3059 const struct nlattr *attr;
3060 struct nft_table *table;
3061 u8 policy = NF_ACCEPT;
3062 struct nft_ctx ctx;
3063 u64 handle = 0;
3064 u32 flags = 0;
3065
3066 lockdep_assert_held(&nft_net->commit_mutex);
3067
3068 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
3069 NETLINK_CB(skb).portid);
3070 if (IS_ERR(table)) {
3071 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
3072 return PTR_ERR(table);
3073 }
3074
3075 chain = NULL;
3076 attr = nla[NFTA_CHAIN_NAME];
3077
3078 if (nla[NFTA_CHAIN_HANDLE]) {
3079 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
3080 chain = nft_chain_lookup_byhandle(table, handle, genmask);
3081 if (IS_ERR(chain)) {
3082 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
3083 return PTR_ERR(chain);
3084 }
3085 attr = nla[NFTA_CHAIN_HANDLE];
3086 } else if (nla[NFTA_CHAIN_NAME]) {
3087 chain = nft_chain_lookup(net, table, attr, genmask);
3088 if (IS_ERR(chain)) {
3089 if (PTR_ERR(chain) != -ENOENT) {
3090 NL_SET_BAD_ATTR(extack, attr);
3091 return PTR_ERR(chain);
3092 }
3093 chain = NULL;
3094 }
3095 } else if (!nla[NFTA_CHAIN_ID]) {
3096 return -EINVAL;
3097 }
3098
3099 if (nla[NFTA_CHAIN_POLICY]) {
3100 if (chain != NULL &&
3101 !nft_is_base_chain(chain)) {
3102 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
3103 return -EOPNOTSUPP;
3104 }
3105
3106 if (chain == NULL &&
3107 nla[NFTA_CHAIN_HOOK] == NULL) {
3108 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
3109 return -EOPNOTSUPP;
3110 }
3111
3112 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
3113 switch (policy) {
3114 case NF_DROP:
3115 case NF_ACCEPT:
3116 break;
3117 default:
3118 return -EINVAL;
3119 }
3120 }
3121
3122 if (nla[NFTA_CHAIN_FLAGS])
3123 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
3124 else if (chain)
3125 flags = chain->flags;
3126
3127 if (flags & ~NFT_CHAIN_FLAGS)
3128 return -EOPNOTSUPP;
3129
3130 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3131
3132 if (chain != NULL) {
3133 if (chain->flags & NFT_CHAIN_BINDING)
3134 return -EINVAL;
3135
3136 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3137 NL_SET_BAD_ATTR(extack, attr);
3138 return -EEXIST;
3139 }
3140 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3141 return -EOPNOTSUPP;
3142
3143 flags |= chain->flags & NFT_CHAIN_BASE;
3144 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
3145 extack);
3146 }
3147
3148 return nf_tables_addchain(&ctx, family, policy, flags, extack);
3149 }
3150
nft_delchain_hook(struct nft_ctx * ctx,struct nft_base_chain * basechain,struct netlink_ext_ack * extack)3151 static int nft_delchain_hook(struct nft_ctx *ctx,
3152 struct nft_base_chain *basechain,
3153 struct netlink_ext_ack *extack)
3154 {
3155 const struct nft_chain *chain = &basechain->chain;
3156 const struct nlattr * const *nla = ctx->nla;
3157 struct nft_chain_hook chain_hook = {};
3158 struct nft_hook *this, *hook;
3159 LIST_HEAD(chain_del_list);
3160 struct nft_trans *trans;
3161 int err;
3162
3163 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
3164 return -EOPNOTSUPP;
3165
3166 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
3167 ctx->family, chain->flags, extack);
3168 if (err < 0)
3169 return err;
3170
3171 list_for_each_entry(this, &chain_hook.list, list) {
3172 hook = nft_hook_list_find(&basechain->hook_list, this);
3173 if (!hook) {
3174 err = -ENOENT;
3175 goto err_chain_del_hook;
3176 }
3177 list_move(&hook->list, &chain_del_list);
3178 }
3179
3180 trans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN);
3181 if (!trans) {
3182 err = -ENOMEM;
3183 goto err_chain_del_hook;
3184 }
3185
3186 nft_trans_basechain(trans) = basechain;
3187 nft_trans_chain_update(trans) = true;
3188 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
3189 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
3190 nft_chain_release_hook(&chain_hook);
3191
3192 nft_trans_commit_list_add_tail(ctx->net, trans);
3193
3194 return 0;
3195
3196 err_chain_del_hook:
3197 list_splice(&chain_del_list, &basechain->hook_list);
3198 nft_chain_release_hook(&chain_hook);
3199
3200 return err;
3201 }
3202
nf_tables_delchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3203 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
3204 const struct nlattr * const nla[])
3205 {
3206 struct netlink_ext_ack *extack = info->extack;
3207 u8 genmask = nft_genmask_next(info->net);
3208 u8 family = info->nfmsg->nfgen_family;
3209 struct net *net = info->net;
3210 const struct nlattr *attr;
3211 struct nft_table *table;
3212 struct nft_chain *chain;
3213 struct nft_rule *rule;
3214 struct nft_ctx ctx;
3215 u64 handle;
3216 u32 use;
3217 int err;
3218
3219 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
3220 NETLINK_CB(skb).portid);
3221 if (IS_ERR(table)) {
3222 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
3223 return PTR_ERR(table);
3224 }
3225
3226 if (nla[NFTA_CHAIN_HANDLE]) {
3227 attr = nla[NFTA_CHAIN_HANDLE];
3228 handle = be64_to_cpu(nla_get_be64(attr));
3229 chain = nft_chain_lookup_byhandle(table, handle, genmask);
3230 } else {
3231 attr = nla[NFTA_CHAIN_NAME];
3232 chain = nft_chain_lookup(net, table, attr, genmask);
3233 }
3234 if (IS_ERR(chain)) {
3235 if (PTR_ERR(chain) == -ENOENT &&
3236 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
3237 return 0;
3238
3239 NL_SET_BAD_ATTR(extack, attr);
3240 return PTR_ERR(chain);
3241 }
3242
3243 if (nft_chain_binding(chain))
3244 return -EOPNOTSUPP;
3245
3246 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3247
3248 if (nla[NFTA_CHAIN_HOOK]) {
3249 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN ||
3250 chain->flags & NFT_CHAIN_HW_OFFLOAD)
3251 return -EOPNOTSUPP;
3252
3253 if (nft_is_base_chain(chain)) {
3254 struct nft_base_chain *basechain = nft_base_chain(chain);
3255
3256 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
3257 return nft_delchain_hook(&ctx, basechain, extack);
3258 }
3259 }
3260
3261 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
3262 chain->use > 0)
3263 return -EBUSY;
3264
3265 use = chain->use;
3266 list_for_each_entry(rule, &chain->rules, list) {
3267 if (!nft_is_active_next(net, rule))
3268 continue;
3269 use--;
3270
3271 err = nft_delrule(&ctx, rule);
3272 if (err < 0)
3273 return err;
3274 }
3275
3276 /* There are rules and elements that are still holding references to us,
3277 * we cannot do a recursive removal in this case.
3278 */
3279 if (use > 0) {
3280 NL_SET_BAD_ATTR(extack, attr);
3281 return -EBUSY;
3282 }
3283
3284 return nft_delchain(&ctx);
3285 }
3286
3287 /*
3288 * Expressions
3289 */
3290
3291 /**
3292 * nft_register_expr - register nf_tables expr type
3293 * @type: expr type
3294 *
3295 * Registers the expr type for use with nf_tables. Returns zero on
3296 * success or a negative errno code otherwise.
3297 */
nft_register_expr(struct nft_expr_type * type)3298 int nft_register_expr(struct nft_expr_type *type)
3299 {
3300 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
3301 return -ENOMEM;
3302
3303 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3304 if (type->family == NFPROTO_UNSPEC)
3305 list_add_tail_rcu(&type->list, &nf_tables_expressions);
3306 else
3307 list_add_rcu(&type->list, &nf_tables_expressions);
3308 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3309 return 0;
3310 }
3311 EXPORT_SYMBOL_GPL(nft_register_expr);
3312
3313 /**
3314 * nft_unregister_expr - unregister nf_tables expr type
3315 * @type: expr type
3316 *
3317 * Unregisters the expr typefor use with nf_tables.
3318 */
nft_unregister_expr(struct nft_expr_type * type)3319 void nft_unregister_expr(struct nft_expr_type *type)
3320 {
3321 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3322 list_del_rcu(&type->list);
3323 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3324 }
3325 EXPORT_SYMBOL_GPL(nft_unregister_expr);
3326
__nft_expr_type_get(u8 family,struct nlattr * nla)3327 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
3328 struct nlattr *nla)
3329 {
3330 const struct nft_expr_type *type, *candidate = NULL;
3331
3332 list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
3333 if (!nla_strcmp(nla, type->name)) {
3334 if (!type->family && !candidate)
3335 candidate = type;
3336 else if (type->family == family)
3337 candidate = type;
3338 }
3339 }
3340 return candidate;
3341 }
3342
3343 #ifdef CONFIG_MODULES
nft_expr_type_request_module(struct net * net,u8 family,struct nlattr * nla)3344 static int nft_expr_type_request_module(struct net *net, u8 family,
3345 struct nlattr *nla)
3346 {
3347 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3348 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3349 return -EAGAIN;
3350
3351 return 0;
3352 }
3353 #endif
3354
nft_expr_type_get(struct net * net,u8 family,struct nlattr * nla)3355 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3356 u8 family,
3357 struct nlattr *nla)
3358 {
3359 const struct nft_expr_type *type;
3360
3361 if (nla == NULL)
3362 return ERR_PTR(-EINVAL);
3363
3364 rcu_read_lock();
3365 type = __nft_expr_type_get(family, nla);
3366 if (type != NULL && try_module_get(type->owner)) {
3367 rcu_read_unlock();
3368 return type;
3369 }
3370 rcu_read_unlock();
3371
3372 lockdep_nfnl_nft_mutex_not_held();
3373 #ifdef CONFIG_MODULES
3374 if (type == NULL) {
3375 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3376 return ERR_PTR(-EAGAIN);
3377
3378 if (nft_request_module(net, "nft-expr-%.*s",
3379 nla_len(nla),
3380 (char *)nla_data(nla)) == -EAGAIN)
3381 return ERR_PTR(-EAGAIN);
3382 }
3383 #endif
3384 return ERR_PTR(-ENOENT);
3385 }
3386
3387 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3388 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3389 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3390 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3391 };
3392
nf_tables_fill_expr_info(struct sk_buff * skb,const struct nft_expr * expr,bool reset)3393 static int nf_tables_fill_expr_info(struct sk_buff *skb,
3394 const struct nft_expr *expr, bool reset)
3395 {
3396 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
3397 goto nla_put_failure;
3398
3399 if (expr->ops->dump) {
3400 struct nlattr *data = nla_nest_start_noflag(skb,
3401 NFTA_EXPR_DATA);
3402 if (data == NULL)
3403 goto nla_put_failure;
3404 if (expr->ops->dump(skb, expr, reset) < 0)
3405 goto nla_put_failure;
3406 nla_nest_end(skb, data);
3407 }
3408
3409 return skb->len;
3410
3411 nla_put_failure:
3412 return -1;
3413 };
3414
nft_expr_dump(struct sk_buff * skb,unsigned int attr,const struct nft_expr * expr,bool reset)3415 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3416 const struct nft_expr *expr, bool reset)
3417 {
3418 struct nlattr *nest;
3419
3420 nest = nla_nest_start_noflag(skb, attr);
3421 if (!nest)
3422 goto nla_put_failure;
3423 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3424 goto nla_put_failure;
3425 nla_nest_end(skb, nest);
3426 return 0;
3427
3428 nla_put_failure:
3429 return -1;
3430 }
3431
3432 struct nft_expr_info {
3433 const struct nft_expr_ops *ops;
3434 const struct nlattr *attr;
3435 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3436 };
3437
nf_tables_expr_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3438 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3439 const struct nlattr *nla,
3440 struct nft_expr_info *info)
3441 {
3442 const struct nft_expr_type *type;
3443 const struct nft_expr_ops *ops;
3444 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3445 int err;
3446
3447 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3448 nft_expr_policy, NULL);
3449 if (err < 0)
3450 return err;
3451
3452 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3453 if (IS_ERR(type))
3454 return PTR_ERR(type);
3455
3456 if (tb[NFTA_EXPR_DATA]) {
3457 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3458 tb[NFTA_EXPR_DATA],
3459 type->policy, NULL);
3460 if (err < 0)
3461 goto err1;
3462 } else
3463 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3464
3465 if (type->select_ops != NULL) {
3466 ops = type->select_ops(ctx,
3467 (const struct nlattr * const *)info->tb);
3468 if (IS_ERR(ops)) {
3469 err = PTR_ERR(ops);
3470 #ifdef CONFIG_MODULES
3471 if (err == -EAGAIN)
3472 if (nft_expr_type_request_module(ctx->net,
3473 ctx->family,
3474 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3475 err = -ENOENT;
3476 #endif
3477 goto err1;
3478 }
3479 } else
3480 ops = type->ops;
3481
3482 info->attr = nla;
3483 info->ops = ops;
3484
3485 return 0;
3486
3487 err1:
3488 module_put(type->owner);
3489 return err;
3490 }
3491
nft_expr_inner_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3492 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3493 struct nft_expr_info *info)
3494 {
3495 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3496 const struct nft_expr_type *type;
3497 int err;
3498
3499 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3500 nft_expr_policy, NULL);
3501 if (err < 0)
3502 return err;
3503
3504 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3505 return -EINVAL;
3506
3507 rcu_read_lock();
3508
3509 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3510 if (!type) {
3511 err = -ENOENT;
3512 goto out_unlock;
3513 }
3514
3515 if (!type->inner_ops) {
3516 err = -EOPNOTSUPP;
3517 goto out_unlock;
3518 }
3519
3520 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3521 tb[NFTA_EXPR_DATA],
3522 type->policy, NULL);
3523 if (err < 0)
3524 goto out_unlock;
3525
3526 info->attr = nla;
3527 info->ops = type->inner_ops;
3528
3529 /* No module reference will be taken on type->owner.
3530 * Presence of type->inner_ops implies that the expression
3531 * is builtin, so it cannot go away.
3532 */
3533 rcu_read_unlock();
3534 return 0;
3535
3536 out_unlock:
3537 rcu_read_unlock();
3538 return err;
3539 }
3540
nf_tables_newexpr(const struct nft_ctx * ctx,const struct nft_expr_info * expr_info,struct nft_expr * expr)3541 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3542 const struct nft_expr_info *expr_info,
3543 struct nft_expr *expr)
3544 {
3545 const struct nft_expr_ops *ops = expr_info->ops;
3546 int err;
3547
3548 expr->ops = ops;
3549 if (ops->init) {
3550 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3551 if (err < 0)
3552 goto err1;
3553 }
3554
3555 return 0;
3556 err1:
3557 expr->ops = NULL;
3558 return err;
3559 }
3560
nf_tables_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3561 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3562 struct nft_expr *expr)
3563 {
3564 const struct nft_expr_type *type = expr->ops->type;
3565
3566 if (expr->ops->destroy)
3567 expr->ops->destroy(ctx, expr);
3568 module_put(type->owner);
3569 }
3570
nft_expr_init(const struct nft_ctx * ctx,const struct nlattr * nla)3571 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3572 const struct nlattr *nla)
3573 {
3574 struct nft_expr_info expr_info;
3575 struct nft_expr *expr;
3576 struct module *owner;
3577 int err;
3578
3579 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3580 if (err < 0)
3581 goto err_expr_parse;
3582
3583 err = -EOPNOTSUPP;
3584 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3585 goto err_expr_stateful;
3586
3587 err = -ENOMEM;
3588 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3589 if (expr == NULL)
3590 goto err_expr_stateful;
3591
3592 err = nf_tables_newexpr(ctx, &expr_info, expr);
3593 if (err < 0)
3594 goto err_expr_new;
3595
3596 return expr;
3597 err_expr_new:
3598 kfree(expr);
3599 err_expr_stateful:
3600 owner = expr_info.ops->type->owner;
3601 if (expr_info.ops->type->release_ops)
3602 expr_info.ops->type->release_ops(expr_info.ops);
3603
3604 module_put(owner);
3605 err_expr_parse:
3606 return ERR_PTR(err);
3607 }
3608
nft_expr_clone(struct nft_expr * dst,struct nft_expr * src,gfp_t gfp)3609 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp)
3610 {
3611 int err;
3612
3613 if (WARN_ON_ONCE(!src->ops->clone))
3614 return -EINVAL;
3615
3616 dst->ops = src->ops;
3617 err = src->ops->clone(dst, src, gfp);
3618 if (err < 0)
3619 return err;
3620
3621 __module_get(src->ops->type->owner);
3622
3623 return 0;
3624 }
3625
nft_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3626 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3627 {
3628 nf_tables_expr_destroy(ctx, expr);
3629 kfree(expr);
3630 }
3631
3632 /*
3633 * Rules
3634 */
3635
__nft_rule_lookup(const struct net * net,const struct nft_chain * chain,u64 handle)3636 static struct nft_rule *__nft_rule_lookup(const struct net *net,
3637 const struct nft_chain *chain,
3638 u64 handle)
3639 {
3640 struct nft_rule *rule;
3641
3642 // FIXME: this sucks
3643 list_for_each_entry_rcu(rule, &chain->rules, list,
3644 lockdep_commit_lock_is_held(net)) {
3645 if (handle == rule->handle)
3646 return rule;
3647 }
3648
3649 return ERR_PTR(-ENOENT);
3650 }
3651
nft_rule_lookup(const struct net * net,const struct nft_chain * chain,const struct nlattr * nla)3652 static struct nft_rule *nft_rule_lookup(const struct net *net,
3653 const struct nft_chain *chain,
3654 const struct nlattr *nla)
3655 {
3656 if (nla == NULL)
3657 return ERR_PTR(-EINVAL);
3658
3659 return __nft_rule_lookup(net, chain, be64_to_cpu(nla_get_be64(nla)));
3660 }
3661
3662 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3663 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3664 .len = NFT_TABLE_MAXNAMELEN - 1 },
3665 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3666 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3667 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3668 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
3669 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3670 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3671 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3672 .len = NFT_USERDATA_MAXLEN },
3673 [NFTA_RULE_ID] = { .type = NLA_U32 },
3674 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3675 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3676 };
3677
nf_tables_fill_rule_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct nft_rule * rule,u64 handle,bool reset)3678 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3679 u32 portid, u32 seq, int event,
3680 u32 flags, int family,
3681 const struct nft_table *table,
3682 const struct nft_chain *chain,
3683 const struct nft_rule *rule, u64 handle,
3684 bool reset)
3685 {
3686 struct nlmsghdr *nlh;
3687 const struct nft_expr *expr, *next;
3688 struct nlattr *list;
3689 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3690
3691 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3692 nft_base_seq_be16(net));
3693 if (!nlh)
3694 goto nla_put_failure;
3695
3696 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3697 goto nla_put_failure;
3698 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3699 goto nla_put_failure;
3700 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3701 NFTA_RULE_PAD))
3702 goto nla_put_failure;
3703
3704 if (event != NFT_MSG_DELRULE && handle) {
3705 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3706 NFTA_RULE_PAD))
3707 goto nla_put_failure;
3708 }
3709
3710 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3711 nft_flow_rule_stats(chain, rule);
3712
3713 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3714 if (list == NULL)
3715 goto nla_put_failure;
3716 nft_rule_for_each_expr(expr, next, rule) {
3717 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3718 goto nla_put_failure;
3719 }
3720 nla_nest_end(skb, list);
3721
3722 if (rule->udata) {
3723 struct nft_userdata *udata = nft_userdata(rule);
3724 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3725 udata->data) < 0)
3726 goto nla_put_failure;
3727 }
3728
3729 nlmsg_end(skb, nlh);
3730 return 0;
3731
3732 nla_put_failure:
3733 nlmsg_trim(skb, nlh);
3734 return -1;
3735 }
3736
nf_tables_rule_notify(const struct nft_ctx * ctx,const struct nft_rule * rule,int event)3737 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3738 const struct nft_rule *rule, int event)
3739 {
3740 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3741 const struct nft_rule *prule;
3742 struct sk_buff *skb;
3743 u64 handle = 0;
3744 u16 flags = 0;
3745 int err;
3746
3747 if (!ctx->report &&
3748 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3749 return;
3750
3751 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3752 if (skb == NULL)
3753 goto err;
3754
3755 if (event == NFT_MSG_NEWRULE &&
3756 !list_is_first(&rule->list, &ctx->chain->rules) &&
3757 !list_is_last(&rule->list, &ctx->chain->rules)) {
3758 prule = list_prev_entry(rule, list);
3759 handle = prule->handle;
3760 }
3761 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3762 flags |= NLM_F_APPEND;
3763 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3764 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3765
3766 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3767 event, flags, ctx->family, ctx->table,
3768 ctx->chain, rule, handle, false);
3769 if (err < 0) {
3770 kfree_skb(skb);
3771 goto err;
3772 }
3773
3774 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3775 return;
3776 err:
3777 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3778 }
3779
audit_log_rule_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)3780 static void audit_log_rule_reset(const struct nft_table *table,
3781 unsigned int base_seq,
3782 unsigned int nentries)
3783 {
3784 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
3785 table->name, base_seq);
3786
3787 audit_log_nfcfg(buf, table->family, nentries,
3788 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3789 kfree(buf);
3790 }
3791
3792 struct nft_rule_dump_ctx {
3793 unsigned int s_idx;
3794 char *table;
3795 char *chain;
3796 bool reset;
3797 };
3798
__nf_tables_dump_rules(struct sk_buff * skb,unsigned int * idx,struct netlink_callback * cb,const struct nft_table * table,const struct nft_chain * chain)3799 static int __nf_tables_dump_rules(struct sk_buff *skb,
3800 unsigned int *idx,
3801 struct netlink_callback *cb,
3802 const struct nft_table *table,
3803 const struct nft_chain *chain)
3804 {
3805 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3806 struct net *net = sock_net(skb->sk);
3807 const struct nft_rule *rule, *prule;
3808 unsigned int entries = 0;
3809 int ret = 0;
3810 u64 handle;
3811
3812 prule = NULL;
3813 list_for_each_entry_rcu(rule, &chain->rules, list) {
3814 if (!nft_is_active(net, rule))
3815 goto cont_skip;
3816 if (*idx < ctx->s_idx)
3817 goto cont;
3818 if (prule)
3819 handle = prule->handle;
3820 else
3821 handle = 0;
3822
3823 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3824 cb->nlh->nlmsg_seq,
3825 NFT_MSG_NEWRULE,
3826 NLM_F_MULTI | NLM_F_APPEND,
3827 table->family,
3828 table, chain, rule, handle, ctx->reset) < 0) {
3829 ret = 1;
3830 break;
3831 }
3832 entries++;
3833 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3834 cont:
3835 prule = rule;
3836 cont_skip:
3837 (*idx)++;
3838 }
3839
3840 if (ctx->reset && entries)
3841 audit_log_rule_reset(table, cb->seq, entries);
3842
3843 return ret;
3844 }
3845
nf_tables_dump_rules(struct sk_buff * skb,struct netlink_callback * cb)3846 static int nf_tables_dump_rules(struct sk_buff *skb,
3847 struct netlink_callback *cb)
3848 {
3849 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3850 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3851 struct nft_table *table;
3852 const struct nft_chain *chain;
3853 unsigned int idx = 0;
3854 struct net *net = sock_net(skb->sk);
3855 int family = nfmsg->nfgen_family;
3856 struct nftables_pernet *nft_net;
3857
3858 rcu_read_lock();
3859 nft_net = nft_pernet(net);
3860 cb->seq = nft_base_seq(net);
3861
3862 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3863 if (family != NFPROTO_UNSPEC && family != table->family)
3864 continue;
3865
3866 if (ctx->table && strcmp(ctx->table, table->name) != 0)
3867 continue;
3868
3869 if (ctx->table && ctx->chain) {
3870 struct rhlist_head *list, *tmp;
3871
3872 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3873 nft_chain_ht_params);
3874 if (!list)
3875 goto done;
3876
3877 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3878 if (!nft_is_active(net, chain))
3879 continue;
3880 __nf_tables_dump_rules(skb, &idx,
3881 cb, table, chain);
3882 break;
3883 }
3884 goto done;
3885 }
3886
3887 list_for_each_entry_rcu(chain, &table->chains, list) {
3888 if (__nf_tables_dump_rules(skb, &idx,
3889 cb, table, chain))
3890 goto done;
3891 }
3892
3893 if (ctx->table)
3894 break;
3895 }
3896 done:
3897 rcu_read_unlock();
3898
3899 ctx->s_idx = idx;
3900 return skb->len;
3901 }
3902
nf_tables_dumpreset_rules(struct sk_buff * skb,struct netlink_callback * cb)3903 static int nf_tables_dumpreset_rules(struct sk_buff *skb,
3904 struct netlink_callback *cb)
3905 {
3906 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
3907 int ret;
3908
3909 /* Mutex is held is to prevent that two concurrent dump-and-reset calls
3910 * do not underrun counters and quotas. The commit_mutex is used for
3911 * the lack a better lock, this is not transaction path.
3912 */
3913 mutex_lock(&nft_net->commit_mutex);
3914 ret = nf_tables_dump_rules(skb, cb);
3915 mutex_unlock(&nft_net->commit_mutex);
3916
3917 return ret;
3918 }
3919
nf_tables_dump_rules_start(struct netlink_callback * cb)3920 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3921 {
3922 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3923 const struct nlattr * const *nla = cb->data;
3924
3925 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
3926
3927 if (nla[NFTA_RULE_TABLE]) {
3928 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC);
3929 if (!ctx->table)
3930 return -ENOMEM;
3931 }
3932 if (nla[NFTA_RULE_CHAIN]) {
3933 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC);
3934 if (!ctx->chain) {
3935 kfree(ctx->table);
3936 return -ENOMEM;
3937 }
3938 }
3939 return 0;
3940 }
3941
nf_tables_dumpreset_rules_start(struct netlink_callback * cb)3942 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb)
3943 {
3944 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3945
3946 ctx->reset = true;
3947
3948 return nf_tables_dump_rules_start(cb);
3949 }
3950
nf_tables_dump_rules_done(struct netlink_callback * cb)3951 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3952 {
3953 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3954
3955 kfree(ctx->table);
3956 kfree(ctx->chain);
3957 return 0;
3958 }
3959
3960 /* Caller must hold rcu read lock or transaction mutex */
3961 static struct sk_buff *
nf_tables_getrule_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)3962 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3963 const struct nlattr * const nla[], bool reset)
3964 {
3965 struct netlink_ext_ack *extack = info->extack;
3966 u8 genmask = nft_genmask_cur(info->net);
3967 u8 family = info->nfmsg->nfgen_family;
3968 const struct nft_chain *chain;
3969 const struct nft_rule *rule;
3970 struct net *net = info->net;
3971 struct nft_table *table;
3972 struct sk_buff *skb2;
3973 int err;
3974
3975 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3976 if (IS_ERR(table)) {
3977 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3978 return ERR_CAST(table);
3979 }
3980
3981 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3982 if (IS_ERR(chain)) {
3983 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3984 return ERR_CAST(chain);
3985 }
3986
3987 rule = nft_rule_lookup(net, chain, nla[NFTA_RULE_HANDLE]);
3988 if (IS_ERR(rule)) {
3989 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3990 return ERR_CAST(rule);
3991 }
3992
3993 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3994 if (!skb2)
3995 return ERR_PTR(-ENOMEM);
3996
3997 err = nf_tables_fill_rule_info(skb2, net, portid,
3998 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3999 family, table, chain, rule, 0, reset);
4000 if (err < 0) {
4001 kfree_skb(skb2);
4002 return ERR_PTR(err);
4003 }
4004
4005 return skb2;
4006 }
4007
nf_tables_getrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4008 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
4009 const struct nlattr * const nla[])
4010 {
4011 u32 portid = NETLINK_CB(skb).portid;
4012 struct net *net = info->net;
4013 struct sk_buff *skb2;
4014
4015 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4016 struct netlink_dump_control c = {
4017 .start= nf_tables_dump_rules_start,
4018 .dump = nf_tables_dump_rules,
4019 .done = nf_tables_dump_rules_done,
4020 .module = THIS_MODULE,
4021 .data = (void *)nla,
4022 };
4023
4024 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4025 }
4026
4027 skb2 = nf_tables_getrule_single(portid, info, nla, false);
4028 if (IS_ERR(skb2))
4029 return PTR_ERR(skb2);
4030
4031 return nfnetlink_unicast(skb2, net, portid);
4032 }
4033
nf_tables_getrule_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4034 static int nf_tables_getrule_reset(struct sk_buff *skb,
4035 const struct nfnl_info *info,
4036 const struct nlattr * const nla[])
4037 {
4038 struct nftables_pernet *nft_net = nft_pernet(info->net);
4039 u32 portid = NETLINK_CB(skb).portid;
4040 struct net *net = info->net;
4041 struct sk_buff *skb2;
4042 char *buf;
4043
4044 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4045 struct netlink_dump_control c = {
4046 .start= nf_tables_dumpreset_rules_start,
4047 .dump = nf_tables_dumpreset_rules,
4048 .done = nf_tables_dump_rules_done,
4049 .module = THIS_MODULE,
4050 .data = (void *)nla,
4051 };
4052
4053 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4054 }
4055
4056 if (!try_module_get(THIS_MODULE))
4057 return -EINVAL;
4058 rcu_read_unlock();
4059 mutex_lock(&nft_net->commit_mutex);
4060 skb2 = nf_tables_getrule_single(portid, info, nla, true);
4061 mutex_unlock(&nft_net->commit_mutex);
4062 rcu_read_lock();
4063 module_put(THIS_MODULE);
4064
4065 if (IS_ERR(skb2))
4066 return PTR_ERR(skb2);
4067
4068 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
4069 nla_len(nla[NFTA_RULE_TABLE]),
4070 (char *)nla_data(nla[NFTA_RULE_TABLE]),
4071 nft_base_seq(net));
4072 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
4073 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
4074 kfree(buf);
4075
4076 return nfnetlink_unicast(skb2, net, portid);
4077 }
4078
nf_tables_rule_destroy(const struct nft_ctx * ctx,struct nft_rule * rule)4079 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
4080 {
4081 struct nft_expr *expr, *next;
4082
4083 /*
4084 * Careful: some expressions might not be initialized in case this
4085 * is called on error from nf_tables_newrule().
4086 */
4087 expr = nft_expr_first(rule);
4088 while (nft_expr_more(rule, expr)) {
4089 next = nft_expr_next(expr);
4090 nf_tables_expr_destroy(ctx, expr);
4091 expr = next;
4092 }
4093 kfree(rule);
4094 }
4095
4096 /* can only be used if rule is no longer visible to dumps */
nf_tables_rule_release(const struct nft_ctx * ctx,struct nft_rule * rule)4097 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
4098 {
4099 WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
4100
4101 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
4102 nf_tables_rule_destroy(ctx, rule);
4103 }
4104
nft_chain_vstate_update(const struct nft_ctx * ctx,struct nft_chain * chain)4105 static void nft_chain_vstate_update(const struct nft_ctx *ctx, struct nft_chain *chain)
4106 {
4107 const struct nft_base_chain *base_chain;
4108 enum nft_chain_types type;
4109 u8 hooknum;
4110
4111 /* ctx->chain must hold the calling base chain. */
4112 if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain))) {
4113 memset(&chain->vstate, 0, sizeof(chain->vstate));
4114 return;
4115 }
4116
4117 base_chain = nft_base_chain(ctx->chain);
4118 hooknum = base_chain->ops.hooknum;
4119 type = base_chain->type->type;
4120
4121 BUILD_BUG_ON(BIT(NF_INET_NUMHOOKS) > U8_MAX);
4122
4123 chain->vstate.hook_mask[type] |= BIT(hooknum);
4124 if (chain->vstate.depth < ctx->level)
4125 chain->vstate.depth = ctx->level;
4126 }
4127
4128 /** nft_chain_validate - loop detection and hook validation
4129 *
4130 * @ctx: context containing call depth and base chain
4131 * @chain: chain to validate
4132 *
4133 * Walk through the rules of the given chain and chase all jumps/gotos
4134 * and set lookups until either the jump limit is hit or all reachable
4135 * chains have been validated.
4136 */
nft_chain_validate(const struct nft_ctx * ctx,struct nft_chain * chain)4137 int nft_chain_validate(const struct nft_ctx *ctx, struct nft_chain *chain)
4138 {
4139 struct nft_expr *expr, *last;
4140 struct nft_rule *rule;
4141 int err;
4142
4143 BUILD_BUG_ON(NFT_JUMP_STACK_SIZE > 255);
4144 if (ctx->level == NFT_JUMP_STACK_SIZE)
4145 return -EMLINK;
4146
4147 if (ctx->level > 0) {
4148 /* jumps to base chains are not allowed. */
4149 if (nft_is_base_chain(chain))
4150 return -ELOOP;
4151
4152 if (nft_chain_vstate_valid(ctx, chain))
4153 return 0;
4154 }
4155
4156 list_for_each_entry(rule, &chain->rules, list) {
4157 if (fatal_signal_pending(current))
4158 return -EINTR;
4159
4160 if (!nft_is_active_next(ctx->net, rule))
4161 continue;
4162
4163 nft_rule_for_each_expr(expr, last, rule) {
4164 if (!expr->ops->validate)
4165 continue;
4166
4167 /* This may call nft_chain_validate() recursively,
4168 * callers that do so must increment ctx->level.
4169 */
4170 err = expr->ops->validate(ctx, expr);
4171 if (err < 0)
4172 return err;
4173 }
4174
4175 cond_resched();
4176 }
4177
4178 nft_chain_vstate_update(ctx, chain);
4179 return 0;
4180 }
4181 EXPORT_SYMBOL_GPL(nft_chain_validate);
4182
nft_table_validate(struct net * net,const struct nft_table * table)4183 static int nft_table_validate(struct net *net, const struct nft_table *table)
4184 {
4185 struct nft_chain *chain;
4186 struct nft_ctx ctx = {
4187 .net = net,
4188 .family = table->family,
4189 };
4190 int err = 0;
4191
4192 list_for_each_entry(chain, &table->chains, list) {
4193 if (!nft_is_base_chain(chain))
4194 continue;
4195
4196 ctx.chain = chain;
4197 err = nft_chain_validate(&ctx, chain);
4198 if (err < 0)
4199 goto err;
4200 }
4201
4202 err:
4203 list_for_each_entry(chain, &table->chains, list)
4204 memset(&chain->vstate, 0, sizeof(chain->vstate));
4205
4206 return err;
4207 }
4208
nft_setelem_validate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)4209 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
4210 const struct nft_set_iter *iter,
4211 struct nft_elem_priv *elem_priv)
4212 {
4213 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
4214 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
4215 const struct nft_data *data;
4216 int err;
4217
4218 if (!nft_set_elem_active(ext, iter->genmask))
4219 return 0;
4220
4221 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4222 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4223 return 0;
4224
4225 data = nft_set_ext_data(ext);
4226 switch (data->verdict.code) {
4227 case NFT_JUMP:
4228 case NFT_GOTO:
4229 pctx->level++;
4230 err = nft_chain_validate(ctx, data->verdict.chain);
4231 if (err < 0)
4232 return err;
4233 pctx->level--;
4234 break;
4235 default:
4236 break;
4237 }
4238
4239 return 0;
4240 }
4241
nft_set_catchall_validate(const struct nft_ctx * ctx,struct nft_set * set)4242 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
4243 {
4244 struct nft_set_iter dummy_iter = {
4245 .genmask = nft_genmask_next(ctx->net),
4246 };
4247 struct nft_set_elem_catchall *catchall;
4248
4249 struct nft_set_ext *ext;
4250 int ret = 0;
4251
4252 list_for_each_entry_rcu(catchall, &set->catchall_list, list,
4253 lockdep_commit_lock_is_held(ctx->net)) {
4254 ext = nft_set_elem_ext(set, catchall->elem);
4255 if (!nft_set_elem_active(ext, dummy_iter.genmask))
4256 continue;
4257
4258 ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem);
4259 if (ret < 0)
4260 return ret;
4261 }
4262
4263 return ret;
4264 }
4265
4266 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4267 const struct nft_chain *chain,
4268 const struct nlattr *nla);
4269
4270 #define NFT_RULE_MAXEXPRS 128
4271
nf_tables_newrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4272 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
4273 const struct nlattr * const nla[])
4274 {
4275 struct nftables_pernet *nft_net = nft_pernet(info->net);
4276 struct netlink_ext_ack *extack = info->extack;
4277 unsigned int size, i, n, ulen = 0, usize = 0;
4278 u8 genmask = nft_genmask_next(info->net);
4279 struct nft_rule *rule, *old_rule = NULL;
4280 struct nft_expr_info *expr_info = NULL;
4281 u8 family = info->nfmsg->nfgen_family;
4282 struct nft_flow_rule *flow = NULL;
4283 struct net *net = info->net;
4284 struct nft_userdata *udata;
4285 struct nft_table *table;
4286 struct nft_chain *chain;
4287 struct nft_trans *trans;
4288 u64 handle, pos_handle;
4289 struct nft_expr *expr;
4290 struct nft_ctx ctx;
4291 struct nlattr *tmp;
4292 int err, rem;
4293
4294 lockdep_assert_held(&nft_net->commit_mutex);
4295
4296 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4297 NETLINK_CB(skb).portid);
4298 if (IS_ERR(table)) {
4299 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4300 return PTR_ERR(table);
4301 }
4302
4303 if (nla[NFTA_RULE_CHAIN]) {
4304 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4305 genmask);
4306 if (IS_ERR(chain)) {
4307 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4308 return PTR_ERR(chain);
4309 }
4310
4311 } else if (nla[NFTA_RULE_CHAIN_ID]) {
4312 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
4313 genmask);
4314 if (IS_ERR(chain)) {
4315 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
4316 return PTR_ERR(chain);
4317 }
4318 } else {
4319 return -EINVAL;
4320 }
4321
4322 if (nft_chain_is_bound(chain))
4323 return -EOPNOTSUPP;
4324
4325 if (nla[NFTA_RULE_HANDLE]) {
4326 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
4327 rule = __nft_rule_lookup(net, chain, handle);
4328 if (IS_ERR(rule)) {
4329 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4330 return PTR_ERR(rule);
4331 }
4332
4333 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4334 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4335 return -EEXIST;
4336 }
4337 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4338 old_rule = rule;
4339 else
4340 return -EOPNOTSUPP;
4341 } else {
4342 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
4343 info->nlh->nlmsg_flags & NLM_F_REPLACE)
4344 return -EINVAL;
4345 handle = nf_tables_alloc_handle(table);
4346
4347 if (nla[NFTA_RULE_POSITION]) {
4348 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
4349 old_rule = __nft_rule_lookup(net, chain, pos_handle);
4350 if (IS_ERR(old_rule)) {
4351 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
4352 return PTR_ERR(old_rule);
4353 }
4354 } else if (nla[NFTA_RULE_POSITION_ID]) {
4355 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
4356 if (IS_ERR(old_rule)) {
4357 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
4358 return PTR_ERR(old_rule);
4359 }
4360 }
4361 }
4362
4363 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4364
4365 n = 0;
4366 size = 0;
4367 if (nla[NFTA_RULE_EXPRESSIONS]) {
4368 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
4369 sizeof(struct nft_expr_info),
4370 GFP_KERNEL);
4371 if (!expr_info)
4372 return -ENOMEM;
4373
4374 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
4375 err = -EINVAL;
4376 if (nla_type(tmp) != NFTA_LIST_ELEM)
4377 goto err_release_expr;
4378 if (n == NFT_RULE_MAXEXPRS)
4379 goto err_release_expr;
4380 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
4381 if (err < 0) {
4382 NL_SET_BAD_ATTR(extack, tmp);
4383 goto err_release_expr;
4384 }
4385 size += expr_info[n].ops->size;
4386 n++;
4387 }
4388 }
4389 /* Check for overflow of dlen field */
4390 err = -EFBIG;
4391 if (size >= 1 << 12)
4392 goto err_release_expr;
4393
4394 if (nla[NFTA_RULE_USERDATA]) {
4395 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
4396 if (ulen > 0)
4397 usize = sizeof(struct nft_userdata) + ulen;
4398 }
4399
4400 err = -ENOMEM;
4401 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
4402 if (rule == NULL)
4403 goto err_release_expr;
4404
4405 nft_activate_next(net, rule);
4406
4407 rule->handle = handle;
4408 rule->dlen = size;
4409 rule->udata = ulen ? 1 : 0;
4410
4411 if (ulen) {
4412 udata = nft_userdata(rule);
4413 udata->len = ulen - 1;
4414 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
4415 }
4416
4417 expr = nft_expr_first(rule);
4418 for (i = 0; i < n; i++) {
4419 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
4420 if (err < 0) {
4421 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4422 goto err_release_rule;
4423 }
4424
4425 if (expr_info[i].ops->validate)
4426 nft_validate_state_update(table, NFT_VALIDATE_NEED);
4427
4428 expr_info[i].ops = NULL;
4429 expr = nft_expr_next(expr);
4430 }
4431
4432 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4433 flow = nft_flow_rule_create(net, rule);
4434 if (IS_ERR(flow)) {
4435 err = PTR_ERR(flow);
4436 goto err_release_rule;
4437 }
4438 }
4439
4440 if (!nft_use_inc(&chain->use)) {
4441 err = -EMFILE;
4442 goto err_destroy_flow;
4443 }
4444
4445 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4446 if (nft_chain_binding(chain)) {
4447 err = -EOPNOTSUPP;
4448 goto err_destroy_flow_rule;
4449 }
4450
4451 err = nft_delrule(&ctx, old_rule);
4452 if (err < 0)
4453 goto err_destroy_flow_rule;
4454
4455 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4456 if (trans == NULL) {
4457 err = -ENOMEM;
4458 goto err_destroy_flow_rule;
4459 }
4460 list_add_tail_rcu(&rule->list, &old_rule->list);
4461 } else {
4462 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4463 if (!trans) {
4464 err = -ENOMEM;
4465 goto err_destroy_flow_rule;
4466 }
4467
4468 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4469 if (old_rule)
4470 list_add_rcu(&rule->list, &old_rule->list);
4471 else
4472 list_add_tail_rcu(&rule->list, &chain->rules);
4473 } else {
4474 if (old_rule)
4475 list_add_tail_rcu(&rule->list, &old_rule->list);
4476 else
4477 list_add_rcu(&rule->list, &chain->rules);
4478 }
4479 }
4480 kvfree(expr_info);
4481
4482 if (flow)
4483 nft_trans_flow_rule(trans) = flow;
4484
4485 if (table->validate_state == NFT_VALIDATE_DO)
4486 return nft_table_validate(net, table);
4487
4488 return 0;
4489
4490 err_destroy_flow_rule:
4491 nft_use_dec_restore(&chain->use);
4492 err_destroy_flow:
4493 if (flow)
4494 nft_flow_rule_destroy(flow);
4495 err_release_rule:
4496 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
4497 nf_tables_rule_destroy(&ctx, rule);
4498 err_release_expr:
4499 for (i = 0; i < n; i++) {
4500 if (expr_info[i].ops) {
4501 module_put(expr_info[i].ops->type->owner);
4502 if (expr_info[i].ops->type->release_ops)
4503 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4504 }
4505 }
4506 kvfree(expr_info);
4507
4508 return err;
4509 }
4510
nft_rule_lookup_byid(const struct net * net,const struct nft_chain * chain,const struct nlattr * nla)4511 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4512 const struct nft_chain *chain,
4513 const struct nlattr *nla)
4514 {
4515 struct nftables_pernet *nft_net = nft_pernet(net);
4516 u32 id = ntohl(nla_get_be32(nla));
4517 struct nft_trans *trans;
4518
4519 list_for_each_entry(trans, &nft_net->commit_list, list) {
4520 if (trans->msg_type == NFT_MSG_NEWRULE &&
4521 nft_trans_rule_chain(trans) == chain &&
4522 id == nft_trans_rule_id(trans))
4523 return nft_trans_rule(trans);
4524 }
4525 return ERR_PTR(-ENOENT);
4526 }
4527
nf_tables_delrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4528 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4529 const struct nlattr * const nla[])
4530 {
4531 struct netlink_ext_ack *extack = info->extack;
4532 u8 genmask = nft_genmask_next(info->net);
4533 u8 family = info->nfmsg->nfgen_family;
4534 struct nft_chain *chain = NULL;
4535 struct net *net = info->net;
4536 struct nft_table *table;
4537 struct nft_rule *rule;
4538 struct nft_ctx ctx;
4539 int err = 0;
4540
4541 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4542 NETLINK_CB(skb).portid);
4543 if (IS_ERR(table)) {
4544 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4545 return PTR_ERR(table);
4546 }
4547
4548 if (nla[NFTA_RULE_CHAIN]) {
4549 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4550 genmask);
4551 if (IS_ERR(chain)) {
4552 if (PTR_ERR(chain) == -ENOENT &&
4553 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4554 return 0;
4555
4556 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4557 return PTR_ERR(chain);
4558 }
4559 if (nft_chain_binding(chain))
4560 return -EOPNOTSUPP;
4561 }
4562
4563 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4564
4565 if (chain) {
4566 if (nla[NFTA_RULE_HANDLE]) {
4567 rule = nft_rule_lookup(info->net, chain, nla[NFTA_RULE_HANDLE]);
4568 if (IS_ERR(rule)) {
4569 if (PTR_ERR(rule) == -ENOENT &&
4570 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4571 return 0;
4572
4573 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4574 return PTR_ERR(rule);
4575 }
4576
4577 err = nft_delrule(&ctx, rule);
4578 } else if (nla[NFTA_RULE_ID]) {
4579 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
4580 if (IS_ERR(rule)) {
4581 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4582 return PTR_ERR(rule);
4583 }
4584
4585 err = nft_delrule(&ctx, rule);
4586 } else {
4587 err = nft_delrule_by_chain(&ctx);
4588 }
4589 } else {
4590 list_for_each_entry(chain, &table->chains, list) {
4591 if (!nft_is_active_next(net, chain))
4592 continue;
4593 if (nft_chain_binding(chain))
4594 continue;
4595
4596 ctx.chain = chain;
4597 err = nft_delrule_by_chain(&ctx);
4598 if (err < 0)
4599 break;
4600 }
4601 }
4602
4603 return err;
4604 }
4605
4606 /*
4607 * Sets
4608 */
4609 static const struct nft_set_type *nft_set_types[] = {
4610 &nft_set_hash_fast_type,
4611 &nft_set_hash_type,
4612 &nft_set_rhash_type,
4613 &nft_set_bitmap_type,
4614 &nft_set_rbtree_type,
4615 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4616 &nft_set_pipapo_avx2_type,
4617 #endif
4618 &nft_set_pipapo_type,
4619 };
4620
4621 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4622 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4623 NFT_SET_EVAL)
4624
nft_set_ops_candidate(const struct nft_set_type * type,u32 flags)4625 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4626 {
4627 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4628 }
4629
4630 /*
4631 * Select a set implementation based on the data characteristics and the
4632 * given policy. The total memory use might not be known if no size is
4633 * given, in that case the amount of memory per element is used.
4634 */
4635 static const struct nft_set_ops *
nft_select_set_ops(const struct nft_ctx * ctx,u32 flags,const struct nft_set_desc * desc)4636 nft_select_set_ops(const struct nft_ctx *ctx, u32 flags,
4637 const struct nft_set_desc *desc)
4638 {
4639 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4640 const struct nft_set_ops *ops, *bops;
4641 struct nft_set_estimate est, best;
4642 const struct nft_set_type *type;
4643 int i;
4644
4645 lockdep_assert_held(&nft_net->commit_mutex);
4646 lockdep_nfnl_nft_mutex_not_held();
4647
4648 bops = NULL;
4649 best.size = ~0;
4650 best.lookup = ~0;
4651 best.space = ~0;
4652
4653 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4654 type = nft_set_types[i];
4655 ops = &type->ops;
4656
4657 if (!nft_set_ops_candidate(type, flags))
4658 continue;
4659 if (!ops->estimate(desc, flags, &est))
4660 continue;
4661
4662 switch (desc->policy) {
4663 case NFT_SET_POL_PERFORMANCE:
4664 if (est.lookup < best.lookup)
4665 break;
4666 if (est.lookup == best.lookup &&
4667 est.space < best.space)
4668 break;
4669 continue;
4670 case NFT_SET_POL_MEMORY:
4671 if (!desc->size) {
4672 if (est.space < best.space)
4673 break;
4674 if (est.space == best.space &&
4675 est.lookup < best.lookup)
4676 break;
4677 } else if (est.size < best.size || !bops) {
4678 break;
4679 }
4680 continue;
4681 default:
4682 break;
4683 }
4684
4685 bops = ops;
4686 best = est;
4687 }
4688
4689 if (bops != NULL)
4690 return bops;
4691
4692 return ERR_PTR(-EOPNOTSUPP);
4693 }
4694
4695 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4696 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4697 .len = NFT_TABLE_MAXNAMELEN - 1 },
4698 [NFTA_SET_NAME] = { .type = NLA_STRING,
4699 .len = NFT_SET_MAXNAMELEN - 1 },
4700 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4701 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4702 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4703 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4704 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4705 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4706 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4707 [NFTA_SET_ID] = { .type = NLA_U32 },
4708 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4709 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4710 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4711 .len = NFT_USERDATA_MAXLEN },
4712 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4713 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4714 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4715 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
4716 [NFTA_SET_TYPE] = { .type = NLA_REJECT },
4717 [NFTA_SET_COUNT] = { .type = NLA_REJECT },
4718 };
4719
4720 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4721 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4722 };
4723
4724 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4725 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4726 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
4727 };
4728
nft_set_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)4729 static struct nft_set *nft_set_lookup(const struct net *net,
4730 const struct nft_table *table,
4731 const struct nlattr *nla, u8 genmask)
4732 {
4733 struct nft_set *set;
4734
4735 if (nla == NULL)
4736 return ERR_PTR(-EINVAL);
4737
4738 list_for_each_entry_rcu(set, &table->sets, list,
4739 lockdep_commit_lock_is_held(net)) {
4740 if (!nla_strcmp(nla, set->name) &&
4741 nft_active_genmask(set, genmask))
4742 return set;
4743 }
4744 return ERR_PTR(-ENOENT);
4745 }
4746
nft_set_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4747 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4748 const struct nlattr *nla,
4749 u8 genmask)
4750 {
4751 struct nft_set *set;
4752
4753 list_for_each_entry(set, &table->sets, list) {
4754 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4755 nft_active_genmask(set, genmask))
4756 return set;
4757 }
4758 return ERR_PTR(-ENOENT);
4759 }
4760
nft_set_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)4761 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4762 const struct nft_table *table,
4763 const struct nlattr *nla, u8 genmask)
4764 {
4765 struct nftables_pernet *nft_net = nft_pernet(net);
4766 u32 id = ntohl(nla_get_be32(nla));
4767 struct nft_trans_set *trans;
4768
4769 /* its likely the id we need is at the tail, not at start */
4770 list_for_each_entry_reverse(trans, &nft_net->commit_set_list, list_trans_newset) {
4771 struct nft_set *set = trans->set;
4772
4773 if (id == trans->set_id &&
4774 set->table == table &&
4775 nft_active_genmask(set, genmask))
4776 return set;
4777 }
4778 return ERR_PTR(-ENOENT);
4779 }
4780
nft_set_lookup_global(const struct net * net,const struct nft_table * table,const struct nlattr * nla_set_name,const struct nlattr * nla_set_id,u8 genmask)4781 struct nft_set *nft_set_lookup_global(const struct net *net,
4782 const struct nft_table *table,
4783 const struct nlattr *nla_set_name,
4784 const struct nlattr *nla_set_id,
4785 u8 genmask)
4786 {
4787 struct nft_set *set;
4788
4789 set = nft_set_lookup(net, table, nla_set_name, genmask);
4790 if (IS_ERR(set)) {
4791 if (!nla_set_id)
4792 return set;
4793
4794 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4795 }
4796 return set;
4797 }
4798 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4799
nf_tables_set_alloc_name(struct nft_ctx * ctx,struct nft_set * set,const char * name)4800 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4801 const char *name)
4802 {
4803 const struct nft_set *i;
4804 const char *p;
4805 unsigned long *inuse;
4806 unsigned int n = 0, min = 0;
4807
4808 p = strchr(name, '%');
4809 if (p != NULL) {
4810 if (p[1] != 'd' || strchr(p + 2, '%'))
4811 return -EINVAL;
4812
4813 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)
4814 return -EINVAL;
4815
4816 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4817 if (inuse == NULL)
4818 return -ENOMEM;
4819 cont:
4820 list_for_each_entry(i, &ctx->table->sets, list) {
4821 int tmp;
4822
4823 if (!nft_is_active_next(ctx->net, i))
4824 continue;
4825 if (!sscanf(i->name, name, &tmp))
4826 continue;
4827 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4828 continue;
4829
4830 set_bit(tmp - min, inuse);
4831 }
4832
4833 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4834 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4835 min += BITS_PER_BYTE * PAGE_SIZE;
4836 memset(inuse, 0, PAGE_SIZE);
4837 goto cont;
4838 }
4839 free_page((unsigned long)inuse);
4840 }
4841
4842 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4843 if (!set->name)
4844 return -ENOMEM;
4845
4846 list_for_each_entry(i, &ctx->table->sets, list) {
4847 if (!nft_is_active_next(ctx->net, i))
4848 continue;
4849 if (!strcmp(set->name, i->name)) {
4850 kfree(set->name);
4851 set->name = NULL;
4852 return -ENFILE;
4853 }
4854 }
4855 return 0;
4856 }
4857
nf_msecs_to_jiffies64(const struct nlattr * nla,u64 * result)4858 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4859 {
4860 u64 ms = be64_to_cpu(nla_get_be64(nla));
4861 u64 max = (u64)(~((u64)0));
4862
4863 max = div_u64(max, NSEC_PER_MSEC);
4864 if (ms >= max)
4865 return -ERANGE;
4866
4867 ms *= NSEC_PER_MSEC;
4868 *result = nsecs_to_jiffies64(ms) ? : !!ms;
4869 return 0;
4870 }
4871
nf_jiffies64_to_msecs(u64 input)4872 __be64 nf_jiffies64_to_msecs(u64 input)
4873 {
4874 return cpu_to_be64(jiffies64_to_msecs(input));
4875 }
4876
nf_tables_fill_set_concat(struct sk_buff * skb,const struct nft_set * set)4877 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4878 const struct nft_set *set)
4879 {
4880 struct nlattr *concat, *field;
4881 int i;
4882
4883 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4884 if (!concat)
4885 return -ENOMEM;
4886
4887 for (i = 0; i < set->field_count; i++) {
4888 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4889 if (!field)
4890 return -ENOMEM;
4891
4892 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4893 htonl(set->field_len[i])))
4894 return -ENOMEM;
4895
4896 nla_nest_end(skb, field);
4897 }
4898
4899 nla_nest_end(skb, concat);
4900
4901 return 0;
4902 }
4903
nft_set_userspace_size(const struct nft_set_ops * ops,u32 size)4904 static u32 nft_set_userspace_size(const struct nft_set_ops *ops, u32 size)
4905 {
4906 if (ops->usize)
4907 return ops->usize(size);
4908
4909 return size;
4910 }
4911
4912 static noinline_for_stack int
nf_tables_fill_set_info(struct sk_buff * skb,const struct nft_set * set)4913 nf_tables_fill_set_info(struct sk_buff *skb, const struct nft_set *set)
4914 {
4915 unsigned int nelems;
4916 char str[40];
4917 int ret;
4918
4919 ret = snprintf(str, sizeof(str), "%ps", set->ops);
4920
4921 /* Not expected to happen and harmless: NFTA_SET_TYPE is dumped
4922 * to userspace purely for informational/debug purposes.
4923 */
4924 DEBUG_NET_WARN_ON_ONCE(ret >= sizeof(str));
4925
4926 if (nla_put_string(skb, NFTA_SET_TYPE, str))
4927 return -EMSGSIZE;
4928
4929 nelems = nft_set_userspace_size(set->ops, atomic_read(&set->nelems));
4930 return nla_put_be32(skb, NFTA_SET_COUNT, htonl(nelems));
4931 }
4932
nf_tables_fill_set(struct sk_buff * skb,const struct nft_ctx * ctx,const struct nft_set * set,u16 event,u16 flags)4933 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4934 const struct nft_set *set, u16 event, u16 flags)
4935 {
4936 u64 timeout = READ_ONCE(set->timeout);
4937 u32 gc_int = READ_ONCE(set->gc_int);
4938 u32 portid = ctx->portid;
4939 struct nlmsghdr *nlh;
4940 struct nlattr *nest;
4941 u32 seq = ctx->seq;
4942 int i;
4943
4944 nlh = nfnl_msg_put(skb, portid, seq,
4945 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
4946 flags, ctx->family, NFNETLINK_V0,
4947 nft_base_seq_be16(ctx->net));
4948 if (!nlh)
4949 goto nla_put_failure;
4950
4951 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4952 goto nla_put_failure;
4953 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4954 goto nla_put_failure;
4955 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4956 NFTA_SET_PAD))
4957 goto nla_put_failure;
4958
4959 if (event == NFT_MSG_DELSET ||
4960 event == NFT_MSG_DESTROYSET) {
4961 nlmsg_end(skb, nlh);
4962 return 0;
4963 }
4964
4965 if (set->flags != 0)
4966 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4967 goto nla_put_failure;
4968
4969 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4970 goto nla_put_failure;
4971 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4972 goto nla_put_failure;
4973 if (set->flags & NFT_SET_MAP) {
4974 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4975 goto nla_put_failure;
4976 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4977 goto nla_put_failure;
4978 }
4979 if (set->flags & NFT_SET_OBJECT &&
4980 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4981 goto nla_put_failure;
4982
4983 if (timeout &&
4984 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4985 nf_jiffies64_to_msecs(timeout),
4986 NFTA_SET_PAD))
4987 goto nla_put_failure;
4988 if (gc_int &&
4989 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4990 goto nla_put_failure;
4991
4992 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4993 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4994 goto nla_put_failure;
4995 }
4996
4997 if (set->udata &&
4998 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4999 goto nla_put_failure;
5000
5001 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
5002 if (!nest)
5003 goto nla_put_failure;
5004 if (set->size &&
5005 nla_put_be32(skb, NFTA_SET_DESC_SIZE,
5006 htonl(nft_set_userspace_size(set->ops, set->size))))
5007 goto nla_put_failure;
5008
5009 if (set->field_count > 1 &&
5010 nf_tables_fill_set_concat(skb, set))
5011 goto nla_put_failure;
5012
5013 nla_nest_end(skb, nest);
5014
5015 if (nf_tables_fill_set_info(skb, set))
5016 goto nla_put_failure;
5017
5018 if (set->num_exprs == 1) {
5019 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
5020 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
5021 goto nla_put_failure;
5022
5023 nla_nest_end(skb, nest);
5024 } else if (set->num_exprs > 1) {
5025 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
5026 if (nest == NULL)
5027 goto nla_put_failure;
5028
5029 for (i = 0; i < set->num_exprs; i++) {
5030 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
5031 set->exprs[i], false) < 0)
5032 goto nla_put_failure;
5033 }
5034 nla_nest_end(skb, nest);
5035 }
5036
5037 nlmsg_end(skb, nlh);
5038 return 0;
5039
5040 nla_put_failure:
5041 nlmsg_trim(skb, nlh);
5042 return -1;
5043 }
5044
nf_tables_set_notify(const struct nft_ctx * ctx,const struct nft_set * set,int event,gfp_t gfp_flags)5045 static void nf_tables_set_notify(const struct nft_ctx *ctx,
5046 const struct nft_set *set, int event,
5047 gfp_t gfp_flags)
5048 {
5049 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
5050 u32 portid = ctx->portid;
5051 struct sk_buff *skb;
5052 u16 flags = 0;
5053 int err;
5054
5055 if (!ctx->report &&
5056 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5057 return;
5058
5059 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
5060 if (skb == NULL)
5061 goto err;
5062
5063 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
5064 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
5065
5066 err = nf_tables_fill_set(skb, ctx, set, event, flags);
5067 if (err < 0) {
5068 kfree_skb(skb);
5069 goto err;
5070 }
5071
5072 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
5073 return;
5074 err:
5075 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5076 }
5077
nf_tables_dump_sets(struct sk_buff * skb,struct netlink_callback * cb)5078 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
5079 {
5080 const struct nft_set *set;
5081 unsigned int idx, s_idx = cb->args[0];
5082 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
5083 struct net *net = sock_net(skb->sk);
5084 struct nft_ctx *ctx = cb->data, ctx_set;
5085 struct nftables_pernet *nft_net;
5086
5087 if (cb->args[1])
5088 return skb->len;
5089
5090 rcu_read_lock();
5091 nft_net = nft_pernet(net);
5092 cb->seq = nft_base_seq(net);
5093
5094 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5095 if (ctx->family != NFPROTO_UNSPEC &&
5096 ctx->family != table->family)
5097 continue;
5098
5099 if (ctx->table && ctx->table != table)
5100 continue;
5101
5102 if (cur_table) {
5103 if (cur_table != table)
5104 continue;
5105
5106 cur_table = NULL;
5107 }
5108 idx = 0;
5109 list_for_each_entry_rcu(set, &table->sets, list) {
5110 if (idx < s_idx)
5111 goto cont;
5112 if (!nft_is_active(net, set))
5113 goto cont;
5114
5115 ctx_set = *ctx;
5116 ctx_set.table = table;
5117 ctx_set.family = table->family;
5118
5119 if (nf_tables_fill_set(skb, &ctx_set, set,
5120 NFT_MSG_NEWSET,
5121 NLM_F_MULTI) < 0) {
5122 cb->args[0] = idx;
5123 cb->args[2] = (unsigned long) table;
5124 goto done;
5125 }
5126 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5127 cont:
5128 idx++;
5129 }
5130 if (s_idx)
5131 s_idx = 0;
5132 }
5133 cb->args[1] = 1;
5134 done:
5135 rcu_read_unlock();
5136 return skb->len;
5137 }
5138
nf_tables_dump_sets_start(struct netlink_callback * cb)5139 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
5140 {
5141 struct nft_ctx *ctx_dump = NULL;
5142
5143 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
5144 if (ctx_dump == NULL)
5145 return -ENOMEM;
5146
5147 cb->data = ctx_dump;
5148 return 0;
5149 }
5150
nf_tables_dump_sets_done(struct netlink_callback * cb)5151 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
5152 {
5153 kfree(cb->data);
5154 return 0;
5155 }
5156
5157 /* called with rcu_read_lock held */
nf_tables_getset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5158 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
5159 const struct nlattr * const nla[])
5160 {
5161 struct netlink_ext_ack *extack = info->extack;
5162 u8 genmask = nft_genmask_cur(info->net);
5163 u8 family = info->nfmsg->nfgen_family;
5164 struct nft_table *table = NULL;
5165 struct net *net = info->net;
5166 const struct nft_set *set;
5167 struct sk_buff *skb2;
5168 struct nft_ctx ctx;
5169 int err;
5170
5171 if (nla[NFTA_SET_TABLE]) {
5172 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5173 genmask, 0);
5174 if (IS_ERR(table)) {
5175 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5176 return PTR_ERR(table);
5177 }
5178 }
5179
5180 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5181
5182 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
5183 struct netlink_dump_control c = {
5184 .start = nf_tables_dump_sets_start,
5185 .dump = nf_tables_dump_sets,
5186 .done = nf_tables_dump_sets_done,
5187 .data = &ctx,
5188 .module = THIS_MODULE,
5189 };
5190
5191 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
5192 }
5193
5194 /* Only accept unspec with dump */
5195 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5196 return -EAFNOSUPPORT;
5197 if (!nla[NFTA_SET_TABLE])
5198 return -EINVAL;
5199
5200 set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask);
5201 if (IS_ERR(set)) {
5202 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5203 return PTR_ERR(set);
5204 }
5205
5206 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5207 if (skb2 == NULL)
5208 return -ENOMEM;
5209
5210 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
5211 if (err < 0)
5212 goto err_fill_set_info;
5213
5214 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
5215
5216 err_fill_set_info:
5217 kfree_skb(skb2);
5218 return err;
5219 }
5220
nft_set_desc_concat_parse(const struct nlattr * attr,struct nft_set_desc * desc)5221 static int nft_set_desc_concat_parse(const struct nlattr *attr,
5222 struct nft_set_desc *desc)
5223 {
5224 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
5225 u32 len;
5226 int err;
5227
5228 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
5229 return -E2BIG;
5230
5231 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
5232 nft_concat_policy, NULL);
5233 if (err < 0)
5234 return err;
5235
5236 if (!tb[NFTA_SET_FIELD_LEN])
5237 return -EINVAL;
5238
5239 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
5240 if (!len || len > U8_MAX)
5241 return -EINVAL;
5242
5243 desc->field_len[desc->field_count++] = len;
5244
5245 return 0;
5246 }
5247
nft_set_desc_concat(struct nft_set_desc * desc,const struct nlattr * nla)5248 static int nft_set_desc_concat(struct nft_set_desc *desc,
5249 const struct nlattr *nla)
5250 {
5251 u32 len = 0, num_regs;
5252 struct nlattr *attr;
5253 int rem, err, i;
5254
5255 nla_for_each_nested(attr, nla, rem) {
5256 if (nla_type(attr) != NFTA_LIST_ELEM)
5257 return -EINVAL;
5258
5259 err = nft_set_desc_concat_parse(attr, desc);
5260 if (err < 0)
5261 return err;
5262 }
5263
5264 for (i = 0; i < desc->field_count; i++)
5265 len += round_up(desc->field_len[i], sizeof(u32));
5266
5267 if (len != desc->klen)
5268 return -EINVAL;
5269
5270 num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
5271 if (num_regs > NFT_REG32_COUNT)
5272 return -E2BIG;
5273
5274 return 0;
5275 }
5276
nf_tables_set_desc_parse(struct nft_set_desc * desc,const struct nlattr * nla)5277 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
5278 const struct nlattr *nla)
5279 {
5280 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
5281 int err;
5282
5283 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
5284 nft_set_desc_policy, NULL);
5285 if (err < 0)
5286 return err;
5287
5288 if (da[NFTA_SET_DESC_SIZE] != NULL)
5289 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
5290 if (da[NFTA_SET_DESC_CONCAT])
5291 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
5292
5293 return err;
5294 }
5295
nft_set_expr_alloc(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * const * nla,struct nft_expr ** exprs,int * num_exprs,u32 flags)5296 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
5297 const struct nlattr * const *nla,
5298 struct nft_expr **exprs, int *num_exprs,
5299 u32 flags)
5300 {
5301 struct nft_expr *expr;
5302 int err, i;
5303
5304 if (nla[NFTA_SET_EXPR]) {
5305 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
5306 if (IS_ERR(expr)) {
5307 err = PTR_ERR(expr);
5308 goto err_set_expr_alloc;
5309 }
5310 exprs[0] = expr;
5311 (*num_exprs)++;
5312 } else if (nla[NFTA_SET_EXPRESSIONS]) {
5313 struct nlattr *tmp;
5314 int left;
5315
5316 if (!(flags & NFT_SET_EXPR)) {
5317 err = -EINVAL;
5318 goto err_set_expr_alloc;
5319 }
5320 i = 0;
5321 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
5322 if (i == NFT_SET_EXPR_MAX) {
5323 err = -E2BIG;
5324 goto err_set_expr_alloc;
5325 }
5326 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5327 err = -EINVAL;
5328 goto err_set_expr_alloc;
5329 }
5330 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5331 if (IS_ERR(expr)) {
5332 err = PTR_ERR(expr);
5333 goto err_set_expr_alloc;
5334 }
5335 exprs[i++] = expr;
5336 (*num_exprs)++;
5337 }
5338 }
5339
5340 return 0;
5341
5342 err_set_expr_alloc:
5343 for (i = 0; i < *num_exprs; i++)
5344 nft_expr_destroy(ctx, exprs[i]);
5345
5346 return err;
5347 }
5348
nft_set_is_same(const struct nft_set * set,const struct nft_set_desc * desc,struct nft_expr * exprs[],u32 num_exprs,u32 flags)5349 static bool nft_set_is_same(const struct nft_set *set,
5350 const struct nft_set_desc *desc,
5351 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
5352 {
5353 int i;
5354
5355 if (set->ktype != desc->ktype ||
5356 set->dtype != desc->dtype ||
5357 set->flags != flags ||
5358 set->klen != desc->klen ||
5359 set->dlen != desc->dlen ||
5360 set->field_count != desc->field_count ||
5361 set->num_exprs != num_exprs)
5362 return false;
5363
5364 for (i = 0; i < desc->field_count; i++) {
5365 if (set->field_len[i] != desc->field_len[i])
5366 return false;
5367 }
5368
5369 for (i = 0; i < num_exprs; i++) {
5370 if (set->exprs[i]->ops != exprs[i]->ops)
5371 return false;
5372 }
5373
5374 return true;
5375 }
5376
nft_set_kernel_size(const struct nft_set_ops * ops,const struct nft_set_desc * desc)5377 static u32 nft_set_kernel_size(const struct nft_set_ops *ops,
5378 const struct nft_set_desc *desc)
5379 {
5380 if (ops->ksize)
5381 return ops->ksize(desc->size);
5382
5383 return desc->size;
5384 }
5385
nf_tables_newset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5386 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
5387 const struct nlattr * const nla[])
5388 {
5389 struct netlink_ext_ack *extack = info->extack;
5390 u8 genmask = nft_genmask_next(info->net);
5391 u8 family = info->nfmsg->nfgen_family;
5392 const struct nft_set_ops *ops;
5393 struct net *net = info->net;
5394 struct nft_set_desc desc;
5395 struct nft_table *table;
5396 unsigned char *udata;
5397 struct nft_set *set;
5398 struct nft_ctx ctx;
5399 size_t alloc_size;
5400 int num_exprs = 0;
5401 char *name;
5402 int err, i;
5403 u16 udlen;
5404 u32 flags;
5405 u64 size;
5406
5407 if (nla[NFTA_SET_TABLE] == NULL ||
5408 nla[NFTA_SET_NAME] == NULL ||
5409 nla[NFTA_SET_KEY_LEN] == NULL ||
5410 nla[NFTA_SET_ID] == NULL)
5411 return -EINVAL;
5412
5413 memset(&desc, 0, sizeof(desc));
5414
5415 desc.ktype = NFT_DATA_VALUE;
5416 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
5417 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
5418 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
5419 return -EINVAL;
5420 }
5421
5422 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
5423 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
5424 return -EINVAL;
5425
5426 flags = 0;
5427 if (nla[NFTA_SET_FLAGS] != NULL) {
5428 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
5429 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
5430 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
5431 NFT_SET_MAP | NFT_SET_EVAL |
5432 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
5433 return -EOPNOTSUPP;
5434 /* Only one of these operations is supported */
5435 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
5436 (NFT_SET_MAP | NFT_SET_OBJECT))
5437 return -EOPNOTSUPP;
5438 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
5439 (NFT_SET_EVAL | NFT_SET_OBJECT))
5440 return -EOPNOTSUPP;
5441 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
5442 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
5443 return -EOPNOTSUPP;
5444 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
5445 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
5446 return -EOPNOTSUPP;
5447 }
5448
5449 desc.dtype = 0;
5450 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
5451 if (!(flags & NFT_SET_MAP))
5452 return -EINVAL;
5453
5454 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
5455 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
5456 desc.dtype != NFT_DATA_VERDICT)
5457 return -EINVAL;
5458
5459 if (desc.dtype != NFT_DATA_VERDICT) {
5460 if (nla[NFTA_SET_DATA_LEN] == NULL)
5461 return -EINVAL;
5462 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
5463 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
5464 return -EINVAL;
5465 } else
5466 desc.dlen = sizeof(struct nft_verdict);
5467 } else if (flags & NFT_SET_MAP)
5468 return -EINVAL;
5469
5470 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5471 if (!(flags & NFT_SET_OBJECT))
5472 return -EINVAL;
5473
5474 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5475 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5476 desc.objtype > NFT_OBJECT_MAX)
5477 return -EOPNOTSUPP;
5478 } else if (flags & NFT_SET_OBJECT)
5479 return -EINVAL;
5480 else
5481 desc.objtype = NFT_OBJECT_UNSPEC;
5482
5483 desc.timeout = 0;
5484 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5485 if (!(flags & NFT_SET_TIMEOUT))
5486 return -EINVAL;
5487
5488 if (flags & NFT_SET_ANONYMOUS)
5489 return -EOPNOTSUPP;
5490
5491 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
5492 if (err)
5493 return err;
5494 }
5495 desc.gc_int = 0;
5496 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5497 if (!(flags & NFT_SET_TIMEOUT))
5498 return -EINVAL;
5499
5500 if (flags & NFT_SET_ANONYMOUS)
5501 return -EOPNOTSUPP;
5502
5503 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5504 }
5505
5506 desc.policy = NFT_SET_POL_PERFORMANCE;
5507 if (nla[NFTA_SET_POLICY] != NULL) {
5508 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5509 switch (desc.policy) {
5510 case NFT_SET_POL_PERFORMANCE:
5511 case NFT_SET_POL_MEMORY:
5512 break;
5513 default:
5514 return -EOPNOTSUPP;
5515 }
5516 }
5517
5518 if (nla[NFTA_SET_DESC] != NULL) {
5519 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
5520 if (err < 0)
5521 return err;
5522
5523 if (desc.field_count > 1) {
5524 if (!(flags & NFT_SET_CONCAT))
5525 return -EINVAL;
5526 } else if (flags & NFT_SET_CONCAT) {
5527 return -EINVAL;
5528 }
5529 } else if (flags & NFT_SET_CONCAT) {
5530 return -EINVAL;
5531 }
5532
5533 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5534 desc.expr = true;
5535
5536 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
5537 NETLINK_CB(skb).portid);
5538 if (IS_ERR(table)) {
5539 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5540 return PTR_ERR(table);
5541 }
5542
5543 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5544
5545 set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask);
5546 if (IS_ERR(set)) {
5547 if (PTR_ERR(set) != -ENOENT) {
5548 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5549 return PTR_ERR(set);
5550 }
5551 } else {
5552 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5553
5554 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5555 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5556 return -EEXIST;
5557 }
5558 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5559 return -EOPNOTSUPP;
5560
5561 if (nft_set_is_anonymous(set))
5562 return -EOPNOTSUPP;
5563
5564 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
5565 if (err < 0)
5566 return err;
5567
5568 if (desc.size)
5569 desc.size = nft_set_kernel_size(set->ops, &desc);
5570
5571 err = 0;
5572 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
5573 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5574 err = -EEXIST;
5575 }
5576
5577 for (i = 0; i < num_exprs; i++)
5578 nft_expr_destroy(&ctx, exprs[i]);
5579
5580 if (err < 0)
5581 return err;
5582
5583 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
5584 }
5585
5586 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5587 return -ENOENT;
5588
5589 ops = nft_select_set_ops(&ctx, flags, &desc);
5590 if (IS_ERR(ops))
5591 return PTR_ERR(ops);
5592
5593 if (desc.size)
5594 desc.size = nft_set_kernel_size(ops, &desc);
5595
5596 udlen = 0;
5597 if (nla[NFTA_SET_USERDATA])
5598 udlen = nla_len(nla[NFTA_SET_USERDATA]);
5599
5600 size = 0;
5601 if (ops->privsize != NULL)
5602 size = ops->privsize(nla, &desc);
5603 alloc_size = sizeof(*set) + size + udlen;
5604 if (alloc_size < size || alloc_size > INT_MAX)
5605 return -ENOMEM;
5606
5607 if (!nft_use_inc(&table->use))
5608 return -EMFILE;
5609
5610 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
5611 if (!set) {
5612 err = -ENOMEM;
5613 goto err_alloc;
5614 }
5615
5616 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5617 if (!name) {
5618 err = -ENOMEM;
5619 goto err_set_name;
5620 }
5621
5622 err = nf_tables_set_alloc_name(&ctx, set, name);
5623 kfree(name);
5624 if (err < 0)
5625 goto err_set_name;
5626
5627 udata = NULL;
5628 if (udlen) {
5629 udata = set->data + size;
5630 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
5631 }
5632
5633 INIT_LIST_HEAD(&set->bindings);
5634 INIT_LIST_HEAD(&set->catchall_list);
5635 refcount_set(&set->refs, 1);
5636 set->table = table;
5637 write_pnet(&set->net, net);
5638 set->ops = ops;
5639 set->ktype = desc.ktype;
5640 set->klen = desc.klen;
5641 set->dtype = desc.dtype;
5642 set->objtype = desc.objtype;
5643 set->dlen = desc.dlen;
5644 set->flags = flags;
5645 set->size = desc.size;
5646 set->policy = desc.policy;
5647 set->udlen = udlen;
5648 set->udata = udata;
5649 set->timeout = desc.timeout;
5650 set->gc_int = desc.gc_int;
5651
5652 set->field_count = desc.field_count;
5653 for (i = 0; i < desc.field_count; i++)
5654 set->field_len[i] = desc.field_len[i];
5655
5656 err = ops->init(set, &desc, nla);
5657 if (err < 0)
5658 goto err_set_init;
5659
5660 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
5661 if (err < 0)
5662 goto err_set_destroy;
5663
5664 set->num_exprs = num_exprs;
5665 set->handle = nf_tables_alloc_handle(table);
5666 INIT_LIST_HEAD(&set->pending_update);
5667
5668 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
5669 if (err < 0)
5670 goto err_set_expr_alloc;
5671
5672 list_add_tail_rcu(&set->list, &table->sets);
5673
5674 return 0;
5675
5676 err_set_expr_alloc:
5677 for (i = 0; i < set->num_exprs; i++)
5678 nft_expr_destroy(&ctx, set->exprs[i]);
5679 err_set_destroy:
5680 ops->destroy(&ctx, set);
5681 err_set_init:
5682 kfree(set->name);
5683 err_set_name:
5684 kvfree(set);
5685 err_alloc:
5686 nft_use_dec_restore(&table->use);
5687
5688 return err;
5689 }
5690
nft_set_catchall_destroy(const struct nft_ctx * ctx,struct nft_set * set)5691 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5692 struct nft_set *set)
5693 {
5694 struct nft_set_elem_catchall *next, *catchall;
5695
5696 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5697 list_del_rcu(&catchall->list);
5698 nf_tables_set_elem_destroy(ctx, set, catchall->elem);
5699 kfree_rcu(catchall, rcu);
5700 }
5701 }
5702
nft_set_put(struct nft_set * set)5703 static void nft_set_put(struct nft_set *set)
5704 {
5705 if (refcount_dec_and_test(&set->refs)) {
5706 kfree(set->name);
5707 kvfree(set);
5708 }
5709 }
5710
nft_set_destroy(const struct nft_ctx * ctx,struct nft_set * set)5711 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5712 {
5713 int i;
5714
5715 if (WARN_ON(set->use > 0))
5716 return;
5717
5718 for (i = 0; i < set->num_exprs; i++)
5719 nft_expr_destroy(ctx, set->exprs[i]);
5720
5721 set->ops->destroy(ctx, set);
5722 nft_set_catchall_destroy(ctx, set);
5723 nft_set_put(set);
5724 }
5725
nf_tables_delset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5726 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5727 const struct nlattr * const nla[])
5728 {
5729 struct netlink_ext_ack *extack = info->extack;
5730 u8 genmask = nft_genmask_next(info->net);
5731 u8 family = info->nfmsg->nfgen_family;
5732 struct net *net = info->net;
5733 const struct nlattr *attr;
5734 struct nft_table *table;
5735 struct nft_set *set;
5736 struct nft_ctx ctx;
5737
5738 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5739 return -EAFNOSUPPORT;
5740
5741 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5742 genmask, NETLINK_CB(skb).portid);
5743 if (IS_ERR(table)) {
5744 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5745 return PTR_ERR(table);
5746 }
5747
5748 if (nla[NFTA_SET_HANDLE]) {
5749 attr = nla[NFTA_SET_HANDLE];
5750 set = nft_set_lookup_byhandle(table, attr, genmask);
5751 } else {
5752 attr = nla[NFTA_SET_NAME];
5753 set = nft_set_lookup(net, table, attr, genmask);
5754 }
5755
5756 if (IS_ERR(set)) {
5757 if (PTR_ERR(set) == -ENOENT &&
5758 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5759 return 0;
5760
5761 NL_SET_BAD_ATTR(extack, attr);
5762 return PTR_ERR(set);
5763 }
5764 if (set->use ||
5765 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5766 atomic_read(&set->nelems) > 0)) {
5767 NL_SET_BAD_ATTR(extack, attr);
5768 return -EBUSY;
5769 }
5770
5771 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5772
5773 return nft_delset(&ctx, set);
5774 }
5775
5776 static int nft_validate_register_store(const struct nft_ctx *ctx,
5777 enum nft_registers reg,
5778 const struct nft_data *data,
5779 enum nft_data_types type,
5780 unsigned int len);
5781
nft_setelem_data_validate(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)5782 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5783 struct nft_set *set,
5784 struct nft_elem_priv *elem_priv)
5785 {
5786 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5787 enum nft_registers dreg;
5788
5789 dreg = nft_type_to_reg(set->dtype);
5790 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5791 set->dtype == NFT_DATA_VERDICT ?
5792 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5793 set->dlen);
5794 }
5795
nf_tables_bind_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5796 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5797 struct nft_set *set,
5798 const struct nft_set_iter *iter,
5799 struct nft_elem_priv *elem_priv)
5800 {
5801 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5802
5803 if (!nft_set_elem_active(ext, iter->genmask))
5804 return 0;
5805
5806 return nft_setelem_data_validate(ctx, set, elem_priv);
5807 }
5808
nft_set_catchall_bind_check(const struct nft_ctx * ctx,struct nft_set * set)5809 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5810 struct nft_set *set)
5811 {
5812 u8 genmask = nft_genmask_next(ctx->net);
5813 struct nft_set_elem_catchall *catchall;
5814 struct nft_set_ext *ext;
5815 int ret = 0;
5816
5817 list_for_each_entry_rcu(catchall, &set->catchall_list, list,
5818 lockdep_commit_lock_is_held(ctx->net)) {
5819 ext = nft_set_elem_ext(set, catchall->elem);
5820 if (!nft_set_elem_active(ext, genmask))
5821 continue;
5822
5823 ret = nft_setelem_data_validate(ctx, set, catchall->elem);
5824 if (ret < 0)
5825 break;
5826 }
5827
5828 return ret;
5829 }
5830
nf_tables_bind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding)5831 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5832 struct nft_set_binding *binding)
5833 {
5834 struct nft_set_binding *i;
5835 struct nft_set_iter iter = {
5836 .genmask = nft_genmask_next(ctx->net),
5837 .type = NFT_ITER_UPDATE,
5838 .fn = nf_tables_bind_check_setelem,
5839 };
5840
5841 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5842 return -EBUSY;
5843
5844 if (binding->flags & NFT_SET_MAP) {
5845 /* If the set is already bound to the same chain all
5846 * jumps are already validated for that chain.
5847 */
5848 list_for_each_entry(i, &set->bindings, list) {
5849 if (i->flags & NFT_SET_MAP &&
5850 i->chain == binding->chain)
5851 goto bind;
5852 }
5853
5854 set->ops->walk(ctx, set, &iter);
5855 if (!iter.err)
5856 iter.err = nft_set_catchall_bind_check(ctx, set);
5857
5858 if (iter.err < 0)
5859 return iter.err;
5860 }
5861 bind:
5862 if (!nft_use_inc(&set->use))
5863 return -EMFILE;
5864
5865 binding->chain = ctx->chain;
5866 list_add_tail_rcu(&binding->list, &set->bindings);
5867 nft_set_trans_bind(ctx, set);
5868
5869 return 0;
5870 }
5871 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5872
nf_tables_unbind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,bool event)5873 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5874 struct nft_set_binding *binding, bool event)
5875 {
5876 list_del_rcu(&binding->list);
5877
5878 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5879 list_del_rcu(&set->list);
5880 set->dead = 1;
5881 if (event)
5882 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5883 GFP_KERNEL);
5884 }
5885 }
5886
5887 static void nft_setelem_data_activate(const struct net *net,
5888 const struct nft_set *set,
5889 struct nft_elem_priv *elem_priv);
5890
nft_mapelem_activate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5891 static int nft_mapelem_activate(const struct nft_ctx *ctx,
5892 struct nft_set *set,
5893 const struct nft_set_iter *iter,
5894 struct nft_elem_priv *elem_priv)
5895 {
5896 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5897
5898 /* called from abort path, reverse check to undo changes. */
5899 if (nft_set_elem_active(ext, iter->genmask))
5900 return 0;
5901
5902 nft_clear(ctx->net, ext);
5903 nft_setelem_data_activate(ctx->net, set, elem_priv);
5904
5905 return 0;
5906 }
5907
nft_map_catchall_activate(const struct nft_ctx * ctx,struct nft_set * set)5908 static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5909 struct nft_set *set)
5910 {
5911 u8 genmask = nft_genmask_next(ctx->net);
5912 struct nft_set_elem_catchall *catchall;
5913 struct nft_set_ext *ext;
5914
5915 list_for_each_entry(catchall, &set->catchall_list, list) {
5916 ext = nft_set_elem_ext(set, catchall->elem);
5917 if (!nft_set_elem_active(ext, genmask))
5918 continue;
5919
5920 nft_clear(ctx->net, ext);
5921 nft_setelem_data_activate(ctx->net, set, catchall->elem);
5922 break;
5923 }
5924 }
5925
nft_map_activate(const struct nft_ctx * ctx,struct nft_set * set)5926 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5927 {
5928 struct nft_set_iter iter = {
5929 .genmask = nft_genmask_next(ctx->net),
5930 .type = NFT_ITER_UPDATE,
5931 .fn = nft_mapelem_activate,
5932 };
5933
5934 set->ops->walk(ctx, set, &iter);
5935 WARN_ON_ONCE(iter.err);
5936
5937 nft_map_catchall_activate(ctx, set);
5938 }
5939
nf_tables_activate_set(const struct nft_ctx * ctx,struct nft_set * set)5940 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5941 {
5942 if (nft_set_is_anonymous(set)) {
5943 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5944 nft_map_activate(ctx, set);
5945
5946 nft_clear(ctx->net, set);
5947 }
5948
5949 nft_use_inc_restore(&set->use);
5950 }
5951 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5952
nf_tables_deactivate_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,enum nft_trans_phase phase)5953 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5954 struct nft_set_binding *binding,
5955 enum nft_trans_phase phase)
5956 {
5957 WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
5958
5959 switch (phase) {
5960 case NFT_TRANS_PREPARE_ERROR:
5961 nft_set_trans_unbind(ctx, set);
5962 if (nft_set_is_anonymous(set))
5963 nft_deactivate_next(ctx->net, set);
5964 else
5965 list_del_rcu(&binding->list);
5966
5967 nft_use_dec(&set->use);
5968 break;
5969 case NFT_TRANS_PREPARE:
5970 if (nft_set_is_anonymous(set)) {
5971 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5972 nft_map_deactivate(ctx, set);
5973
5974 nft_deactivate_next(ctx->net, set);
5975 }
5976 nft_use_dec(&set->use);
5977 return;
5978 case NFT_TRANS_ABORT:
5979 case NFT_TRANS_RELEASE:
5980 if (nft_set_is_anonymous(set) &&
5981 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5982 nft_map_deactivate(ctx, set);
5983
5984 nft_use_dec(&set->use);
5985 fallthrough;
5986 default:
5987 nf_tables_unbind_set(ctx, set, binding,
5988 phase == NFT_TRANS_COMMIT);
5989 }
5990 }
5991 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5992
nf_tables_destroy_set(const struct nft_ctx * ctx,struct nft_set * set)5993 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5994 {
5995 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5996 nft_set_destroy(ctx, set);
5997 }
5998 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5999
6000 const struct nft_set_ext_type nft_set_ext_types[] = {
6001 [NFT_SET_EXT_KEY] = {
6002 .align = __alignof__(u32),
6003 },
6004 [NFT_SET_EXT_DATA] = {
6005 .align = __alignof__(u32),
6006 },
6007 [NFT_SET_EXT_EXPRESSIONS] = {
6008 .align = __alignof__(struct nft_set_elem_expr),
6009 },
6010 [NFT_SET_EXT_OBJREF] = {
6011 .len = sizeof(struct nft_object *),
6012 .align = __alignof__(struct nft_object *),
6013 },
6014 [NFT_SET_EXT_FLAGS] = {
6015 .len = sizeof(u8),
6016 .align = __alignof__(u8),
6017 },
6018 [NFT_SET_EXT_TIMEOUT] = {
6019 .len = sizeof(struct nft_timeout),
6020 .align = __alignof__(struct nft_timeout),
6021 },
6022 [NFT_SET_EXT_USERDATA] = {
6023 .len = sizeof(struct nft_userdata),
6024 .align = __alignof__(struct nft_userdata),
6025 },
6026 [NFT_SET_EXT_KEY_END] = {
6027 .align = __alignof__(u32),
6028 },
6029 };
6030
6031 /*
6032 * Set elements
6033 */
6034
6035 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
6036 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
6037 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
6038 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
6039 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
6040 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
6041 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
6042 .len = NFT_USERDATA_MAXLEN },
6043 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
6044 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
6045 .len = NFT_OBJ_MAXNAMELEN - 1 },
6046 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
6047 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
6048 };
6049
6050 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
6051 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
6052 .len = NFT_TABLE_MAXNAMELEN - 1 },
6053 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
6054 .len = NFT_SET_MAXNAMELEN - 1 },
6055 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy),
6056 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
6057 };
6058
nft_set_elem_expr_dump(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_ext * ext,bool reset)6059 static int nft_set_elem_expr_dump(struct sk_buff *skb,
6060 const struct nft_set *set,
6061 const struct nft_set_ext *ext,
6062 bool reset)
6063 {
6064 struct nft_set_elem_expr *elem_expr;
6065 u32 size, num_exprs = 0;
6066 struct nft_expr *expr;
6067 struct nlattr *nest;
6068
6069 elem_expr = nft_set_ext_expr(ext);
6070 nft_setelem_expr_foreach(expr, elem_expr, size)
6071 num_exprs++;
6072
6073 if (num_exprs == 1) {
6074 expr = nft_setelem_expr_at(elem_expr, 0);
6075 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0)
6076 return -1;
6077
6078 return 0;
6079 } else if (num_exprs > 1) {
6080 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
6081 if (nest == NULL)
6082 goto nla_put_failure;
6083
6084 nft_setelem_expr_foreach(expr, elem_expr, size) {
6085 expr = nft_setelem_expr_at(elem_expr, size);
6086 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
6087 goto nla_put_failure;
6088 }
6089 nla_nest_end(skb, nest);
6090 }
6091 return 0;
6092
6093 nla_put_failure:
6094 return -1;
6095 }
6096
nf_tables_fill_setelem(struct sk_buff * skb,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)6097 static int nf_tables_fill_setelem(struct sk_buff *skb,
6098 const struct nft_set *set,
6099 const struct nft_elem_priv *elem_priv,
6100 bool reset)
6101 {
6102 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6103 unsigned char *b = skb_tail_pointer(skb);
6104 struct nlattr *nest;
6105
6106 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
6107 if (nest == NULL)
6108 goto nla_put_failure;
6109
6110 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6111 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
6112 NFT_DATA_VALUE, set->klen) < 0)
6113 goto nla_put_failure;
6114
6115 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6116 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
6117 NFT_DATA_VALUE, set->klen) < 0)
6118 goto nla_put_failure;
6119
6120 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6121 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
6122 nft_set_datatype(set), set->dlen) < 0)
6123 goto nla_put_failure;
6124
6125 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
6126 nft_set_elem_expr_dump(skb, set, ext, reset))
6127 goto nla_put_failure;
6128
6129 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
6130 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
6131 (*nft_set_ext_obj(ext))->key.name) < 0)
6132 goto nla_put_failure;
6133
6134 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6135 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
6136 htonl(*nft_set_ext_flags(ext))))
6137 goto nla_put_failure;
6138
6139 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
6140 u64 timeout = READ_ONCE(nft_set_ext_timeout(ext)->timeout);
6141 u64 set_timeout = READ_ONCE(set->timeout);
6142 __be64 msecs = 0;
6143
6144 if (set_timeout != timeout) {
6145 msecs = nf_jiffies64_to_msecs(timeout);
6146 if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, msecs,
6147 NFTA_SET_ELEM_PAD))
6148 goto nla_put_failure;
6149 }
6150
6151 if (timeout > 0) {
6152 u64 expires, now = get_jiffies_64();
6153
6154 expires = READ_ONCE(nft_set_ext_timeout(ext)->expiration);
6155 if (time_before64(now, expires))
6156 expires -= now;
6157 else
6158 expires = 0;
6159
6160 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
6161 nf_jiffies64_to_msecs(expires),
6162 NFTA_SET_ELEM_PAD))
6163 goto nla_put_failure;
6164 }
6165 }
6166
6167 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
6168 struct nft_userdata *udata;
6169
6170 udata = nft_set_ext_userdata(ext);
6171 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
6172 udata->len + 1, udata->data))
6173 goto nla_put_failure;
6174 }
6175
6176 nla_nest_end(skb, nest);
6177 return 0;
6178
6179 nla_put_failure:
6180 nlmsg_trim(skb, b);
6181 return -EMSGSIZE;
6182 }
6183
6184 struct nft_set_dump_args {
6185 const struct netlink_callback *cb;
6186 struct nft_set_iter iter;
6187 struct sk_buff *skb;
6188 bool reset;
6189 };
6190
nf_tables_dump_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)6191 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
6192 struct nft_set *set,
6193 const struct nft_set_iter *iter,
6194 struct nft_elem_priv *elem_priv)
6195 {
6196 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6197 struct nft_set_dump_args *args;
6198
6199 if (!nft_set_elem_active(ext, iter->genmask))
6200 return 0;
6201
6202 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
6203 return 0;
6204
6205 args = container_of(iter, struct nft_set_dump_args, iter);
6206 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset);
6207 }
6208
audit_log_nft_set_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)6209 static void audit_log_nft_set_reset(const struct nft_table *table,
6210 unsigned int base_seq,
6211 unsigned int nentries)
6212 {
6213 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
6214
6215 audit_log_nfcfg(buf, table->family, nentries,
6216 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
6217 kfree(buf);
6218 }
6219
6220 struct nft_set_dump_ctx {
6221 const struct nft_set *set;
6222 struct nft_ctx ctx;
6223 bool reset;
6224 };
6225
nft_set_catchall_dump(struct net * net,struct sk_buff * skb,const struct nft_set * set,bool reset,unsigned int base_seq)6226 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
6227 const struct nft_set *set, bool reset,
6228 unsigned int base_seq)
6229 {
6230 struct nft_set_elem_catchall *catchall;
6231 u8 genmask = nft_genmask_cur(net);
6232 struct nft_set_ext *ext;
6233 int ret = 0;
6234
6235 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6236 ext = nft_set_elem_ext(set, catchall->elem);
6237 if (!nft_set_elem_active(ext, genmask) ||
6238 nft_set_elem_expired(ext))
6239 continue;
6240
6241 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset);
6242 if (reset && !ret)
6243 audit_log_nft_set_reset(set->table, base_seq, 1);
6244 break;
6245 }
6246
6247 return ret;
6248 }
6249
nf_tables_dump_set(struct sk_buff * skb,struct netlink_callback * cb)6250 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
6251 {
6252 struct nft_set_dump_ctx *dump_ctx = cb->data;
6253 struct net *net = sock_net(skb->sk);
6254 struct nftables_pernet *nft_net;
6255 struct nft_table *table;
6256 struct nft_set *set;
6257 struct nft_set_dump_args args = {
6258 .cb = cb,
6259 .skb = skb,
6260 .reset = dump_ctx->reset,
6261 .iter = {
6262 .genmask = nft_genmask_cur(net),
6263 .type = NFT_ITER_READ,
6264 .skip = cb->args[0],
6265 .fn = nf_tables_dump_setelem,
6266 },
6267 };
6268 bool set_found = false;
6269 struct nlmsghdr *nlh;
6270 struct nlattr *nest;
6271 u32 portid, seq;
6272 int event;
6273
6274 rcu_read_lock();
6275 nft_net = nft_pernet(net);
6276 cb->seq = nft_base_seq(net);
6277
6278 list_for_each_entry_rcu(table, &nft_net->tables, list) {
6279 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
6280 dump_ctx->ctx.family != table->family)
6281 continue;
6282
6283 if (table != dump_ctx->ctx.table)
6284 continue;
6285
6286 list_for_each_entry_rcu(set, &table->sets, list) {
6287 if (set == dump_ctx->set) {
6288 set_found = true;
6289 break;
6290 }
6291 }
6292 break;
6293 }
6294
6295 if (!set_found) {
6296 rcu_read_unlock();
6297 return -ENOENT;
6298 }
6299
6300 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
6301 portid = NETLINK_CB(cb->skb).portid;
6302 seq = cb->nlh->nlmsg_seq;
6303
6304 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
6305 table->family, NFNETLINK_V0, nft_base_seq_be16(net));
6306 if (!nlh)
6307 goto nla_put_failure;
6308
6309 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
6310 goto nla_put_failure;
6311 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
6312 goto nla_put_failure;
6313
6314 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
6315 if (nest == NULL)
6316 goto nla_put_failure;
6317
6318 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
6319
6320 if (!args.iter.err && args.iter.count == cb->args[0])
6321 args.iter.err = nft_set_catchall_dump(net, skb, set,
6322 dump_ctx->reset, cb->seq);
6323 nla_nest_end(skb, nest);
6324 nlmsg_end(skb, nlh);
6325
6326 rcu_read_unlock();
6327
6328 if (args.iter.err && args.iter.err != -EMSGSIZE)
6329 return args.iter.err;
6330 if (args.iter.count == cb->args[0])
6331 return 0;
6332
6333 cb->args[0] = args.iter.count;
6334 return skb->len;
6335
6336 nla_put_failure:
6337 rcu_read_unlock();
6338 return -ENOSPC;
6339 }
6340
nf_tables_dumpreset_set(struct sk_buff * skb,struct netlink_callback * cb)6341 static int nf_tables_dumpreset_set(struct sk_buff *skb,
6342 struct netlink_callback *cb)
6343 {
6344 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
6345 struct nft_set_dump_ctx *dump_ctx = cb->data;
6346 int ret, skip = cb->args[0];
6347
6348 mutex_lock(&nft_net->commit_mutex);
6349
6350 ret = nf_tables_dump_set(skb, cb);
6351
6352 if (cb->args[0] > skip)
6353 audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq,
6354 cb->args[0] - skip);
6355
6356 mutex_unlock(&nft_net->commit_mutex);
6357
6358 return ret;
6359 }
6360
nf_tables_dump_set_start(struct netlink_callback * cb)6361 static int nf_tables_dump_set_start(struct netlink_callback *cb)
6362 {
6363 struct nft_set_dump_ctx *dump_ctx = cb->data;
6364
6365 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
6366
6367 return cb->data ? 0 : -ENOMEM;
6368 }
6369
nf_tables_dump_set_done(struct netlink_callback * cb)6370 static int nf_tables_dump_set_done(struct netlink_callback *cb)
6371 {
6372 kfree(cb->data);
6373 return 0;
6374 }
6375
nf_tables_fill_setelem_info(struct sk_buff * skb,const struct nft_ctx * ctx,u32 seq,u32 portid,int event,u16 flags,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)6376 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
6377 const struct nft_ctx *ctx, u32 seq,
6378 u32 portid, int event, u16 flags,
6379 const struct nft_set *set,
6380 const struct nft_elem_priv *elem_priv,
6381 bool reset)
6382 {
6383 struct nlmsghdr *nlh;
6384 struct nlattr *nest;
6385 int err;
6386
6387 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6388 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
6389 NFNETLINK_V0, nft_base_seq_be16(ctx->net));
6390 if (!nlh)
6391 goto nla_put_failure;
6392
6393 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
6394 goto nla_put_failure;
6395 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
6396 goto nla_put_failure;
6397
6398 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
6399 if (nest == NULL)
6400 goto nla_put_failure;
6401
6402 err = nf_tables_fill_setelem(skb, set, elem_priv, reset);
6403 if (err < 0)
6404 goto nla_put_failure;
6405
6406 nla_nest_end(skb, nest);
6407
6408 nlmsg_end(skb, nlh);
6409 return 0;
6410
6411 nla_put_failure:
6412 nlmsg_trim(skb, nlh);
6413 return -1;
6414 }
6415
nft_setelem_parse_flags(const struct nft_set * set,const struct nlattr * attr,u32 * flags)6416 static int nft_setelem_parse_flags(const struct nft_set *set,
6417 const struct nlattr *attr, u32 *flags)
6418 {
6419 if (attr == NULL)
6420 return 0;
6421
6422 *flags = ntohl(nla_get_be32(attr));
6423 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6424 return -EOPNOTSUPP;
6425 if (!(set->flags & NFT_SET_INTERVAL) &&
6426 *flags & NFT_SET_ELEM_INTERVAL_END)
6427 return -EINVAL;
6428 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
6429 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6430 return -EINVAL;
6431
6432 return 0;
6433 }
6434
nft_setelem_parse_key(struct nft_ctx * ctx,const struct nft_set * set,struct nft_data * key,struct nlattr * attr)6435 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set,
6436 struct nft_data *key, struct nlattr *attr)
6437 {
6438 struct nft_data_desc desc = {
6439 .type = NFT_DATA_VALUE,
6440 .size = NFT_DATA_VALUE_MAXLEN,
6441 .len = set->klen,
6442 };
6443
6444 return nft_data_init(ctx, key, &desc, attr);
6445 }
6446
nft_setelem_parse_data(struct nft_ctx * ctx,struct nft_set * set,struct nft_data_desc * desc,struct nft_data * data,struct nlattr * attr)6447 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
6448 struct nft_data_desc *desc,
6449 struct nft_data *data,
6450 struct nlattr *attr)
6451 {
6452 u32 dtype;
6453
6454 if (set->dtype == NFT_DATA_VERDICT)
6455 dtype = NFT_DATA_VERDICT;
6456 else
6457 dtype = NFT_DATA_VALUE;
6458
6459 desc->type = dtype;
6460 desc->size = NFT_DATA_VALUE_MAXLEN;
6461 desc->len = set->dlen;
6462 desc->flags = NFT_DATA_DESC_SETELEM;
6463
6464 return nft_data_init(ctx, data, desc, attr);
6465 }
6466
nft_setelem_catchall_get(const struct net * net,const struct nft_set * set)6467 static void *nft_setelem_catchall_get(const struct net *net,
6468 const struct nft_set *set)
6469 {
6470 struct nft_set_elem_catchall *catchall;
6471 u8 genmask = nft_genmask_cur(net);
6472 struct nft_set_ext *ext;
6473 void *priv = NULL;
6474
6475 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6476 ext = nft_set_elem_ext(set, catchall->elem);
6477 if (!nft_set_elem_active(ext, genmask) ||
6478 nft_set_elem_expired(ext))
6479 continue;
6480
6481 priv = catchall->elem;
6482 break;
6483 }
6484
6485 return priv;
6486 }
6487
nft_setelem_get(struct nft_ctx * ctx,const struct nft_set * set,struct nft_set_elem * elem,u32 flags)6488 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set,
6489 struct nft_set_elem *elem, u32 flags)
6490 {
6491 void *priv;
6492
6493 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6494 priv = set->ops->get(ctx->net, set, elem, flags);
6495 if (IS_ERR(priv))
6496 return PTR_ERR(priv);
6497 } else {
6498 priv = nft_setelem_catchall_get(ctx->net, set);
6499 if (!priv)
6500 return -ENOENT;
6501 }
6502 elem->priv = priv;
6503
6504 return 0;
6505 }
6506
nft_get_set_elem(struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr,bool reset)6507 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
6508 const struct nlattr *attr, bool reset)
6509 {
6510 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6511 struct nft_set_elem elem;
6512 struct sk_buff *skb;
6513 uint32_t flags = 0;
6514 int err;
6515
6516 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6517 nft_set_elem_policy, NULL);
6518 if (err < 0)
6519 return err;
6520
6521 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6522 if (err < 0)
6523 return err;
6524
6525 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6526 return -EINVAL;
6527
6528 if (nla[NFTA_SET_ELEM_KEY]) {
6529 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6530 nla[NFTA_SET_ELEM_KEY]);
6531 if (err < 0)
6532 return err;
6533 }
6534
6535 if (nla[NFTA_SET_ELEM_KEY_END]) {
6536 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6537 nla[NFTA_SET_ELEM_KEY_END]);
6538 if (err < 0)
6539 return err;
6540 }
6541
6542 err = nft_setelem_get(ctx, set, &elem, flags);
6543 if (err < 0)
6544 return err;
6545
6546 err = -ENOMEM;
6547 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6548 if (skb == NULL)
6549 return err;
6550
6551 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
6552 NFT_MSG_NEWSETELEM, 0, set, elem.priv,
6553 reset);
6554 if (err < 0)
6555 goto err_fill_setelem;
6556
6557 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
6558
6559 err_fill_setelem:
6560 kfree_skb(skb);
6561 return err;
6562 }
6563
nft_set_dump_ctx_init(struct nft_set_dump_ctx * dump_ctx,const struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)6564 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx,
6565 const struct sk_buff *skb,
6566 const struct nfnl_info *info,
6567 const struct nlattr * const nla[],
6568 bool reset)
6569 {
6570 struct netlink_ext_ack *extack = info->extack;
6571 u8 genmask = nft_genmask_cur(info->net);
6572 u8 family = info->nfmsg->nfgen_family;
6573 struct net *net = info->net;
6574 struct nft_table *table;
6575 struct nft_set *set;
6576
6577 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6578 genmask, 0);
6579 if (IS_ERR(table)) {
6580 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6581 return PTR_ERR(table);
6582 }
6583
6584 set = nft_set_lookup(net, table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6585 if (IS_ERR(set)) {
6586 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6587 return PTR_ERR(set);
6588 }
6589
6590 nft_ctx_init(&dump_ctx->ctx, net, skb,
6591 info->nlh, family, table, NULL, nla);
6592 dump_ctx->set = set;
6593 dump_ctx->reset = reset;
6594 return 0;
6595 }
6596
6597 /* called with rcu_read_lock held */
nf_tables_getsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6598 static int nf_tables_getsetelem(struct sk_buff *skb,
6599 const struct nfnl_info *info,
6600 const struct nlattr * const nla[])
6601 {
6602 struct netlink_ext_ack *extack = info->extack;
6603 struct nft_set_dump_ctx dump_ctx;
6604 struct nlattr *attr;
6605 int rem, err = 0;
6606
6607 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6608 struct netlink_dump_control c = {
6609 .start = nf_tables_dump_set_start,
6610 .dump = nf_tables_dump_set,
6611 .done = nf_tables_dump_set_done,
6612 .module = THIS_MODULE,
6613 };
6614
6615 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6616 if (err)
6617 return err;
6618
6619 c.data = &dump_ctx;
6620 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6621 }
6622
6623 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6624 return -EINVAL;
6625
6626 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6627 if (err)
6628 return err;
6629
6630 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6631 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, false);
6632 if (err < 0) {
6633 NL_SET_BAD_ATTR(extack, attr);
6634 break;
6635 }
6636 }
6637
6638 return err;
6639 }
6640
nf_tables_getsetelem_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6641 static int nf_tables_getsetelem_reset(struct sk_buff *skb,
6642 const struct nfnl_info *info,
6643 const struct nlattr * const nla[])
6644 {
6645 struct nftables_pernet *nft_net = nft_pernet(info->net);
6646 struct netlink_ext_ack *extack = info->extack;
6647 struct nft_set_dump_ctx dump_ctx;
6648 int rem, err = 0, nelems = 0;
6649 struct nlattr *attr;
6650
6651 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6652 struct netlink_dump_control c = {
6653 .start = nf_tables_dump_set_start,
6654 .dump = nf_tables_dumpreset_set,
6655 .done = nf_tables_dump_set_done,
6656 .module = THIS_MODULE,
6657 };
6658
6659 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6660 if (err)
6661 return err;
6662
6663 c.data = &dump_ctx;
6664 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6665 }
6666
6667 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6668 return -EINVAL;
6669
6670 if (!try_module_get(THIS_MODULE))
6671 return -EINVAL;
6672 rcu_read_unlock();
6673 mutex_lock(&nft_net->commit_mutex);
6674 rcu_read_lock();
6675
6676 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6677 if (err)
6678 goto out_unlock;
6679
6680 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6681 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, true);
6682 if (err < 0) {
6683 NL_SET_BAD_ATTR(extack, attr);
6684 break;
6685 }
6686 nelems++;
6687 }
6688 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_base_seq(info->net), nelems);
6689
6690 out_unlock:
6691 rcu_read_unlock();
6692 mutex_unlock(&nft_net->commit_mutex);
6693 rcu_read_lock();
6694 module_put(THIS_MODULE);
6695
6696 return err;
6697 }
6698
nf_tables_setelem_notify(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv,int event)6699 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6700 const struct nft_set *set,
6701 const struct nft_elem_priv *elem_priv,
6702 int event)
6703 {
6704 struct nftables_pernet *nft_net;
6705 struct net *net = ctx->net;
6706 u32 portid = ctx->portid;
6707 struct sk_buff *skb;
6708 u16 flags = 0;
6709 int err;
6710
6711 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6712 return;
6713
6714 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6715 if (skb == NULL)
6716 goto err;
6717
6718 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6719 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6720
6721 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
6722 set, elem_priv, false);
6723 if (err < 0) {
6724 kfree_skb(skb);
6725 goto err;
6726 }
6727
6728 nft_net = nft_pernet(net);
6729 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
6730 return;
6731 err:
6732 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6733 }
6734
nft_trans_elem_alloc(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)6735 static struct nft_trans *nft_trans_elem_alloc(const struct nft_ctx *ctx,
6736 int msg_type,
6737 struct nft_set *set)
6738 {
6739 struct nft_trans_elem *te;
6740 struct nft_trans *trans;
6741
6742 trans = nft_trans_alloc(ctx, msg_type, struct_size(te, elems, 1));
6743 if (trans == NULL)
6744 return NULL;
6745
6746 te = nft_trans_container_elem(trans);
6747 te->nelems = 1;
6748 te->set = set;
6749
6750 return trans;
6751 }
6752
nft_set_elem_expr_alloc(const struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr)6753 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6754 const struct nft_set *set,
6755 const struct nlattr *attr)
6756 {
6757 struct nft_expr *expr;
6758 int err;
6759
6760 expr = nft_expr_init(ctx, attr);
6761 if (IS_ERR(expr))
6762 return expr;
6763
6764 err = -EOPNOTSUPP;
6765 if (expr->ops->type->flags & NFT_EXPR_GC) {
6766 if (set->flags & NFT_SET_TIMEOUT)
6767 goto err_set_elem_expr;
6768 if (!set->ops->gc_init)
6769 goto err_set_elem_expr;
6770 set->ops->gc_init(set);
6771 }
6772
6773 return expr;
6774
6775 err_set_elem_expr:
6776 nft_expr_destroy(ctx, expr);
6777 return ERR_PTR(err);
6778 }
6779
nft_set_ext_check(const struct nft_set_ext_tmpl * tmpl,u8 id,u32 len)6780 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6781 {
6782 len += nft_set_ext_types[id].len;
6783 if (len > tmpl->ext_len[id] ||
6784 len > U8_MAX)
6785 return -1;
6786
6787 return 0;
6788 }
6789
nft_set_ext_memcpy(const struct nft_set_ext_tmpl * tmpl,u8 id,void * to,const void * from,u32 len)6790 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6791 void *to, const void *from, u32 len)
6792 {
6793 if (nft_set_ext_check(tmpl, id, len) < 0)
6794 return -1;
6795
6796 memcpy(to, from, len);
6797
6798 return 0;
6799 }
6800
nft_set_elem_init(const struct nft_set * set,const struct nft_set_ext_tmpl * tmpl,const u32 * key,const u32 * key_end,const u32 * data,u64 timeout,u64 expiration,gfp_t gfp)6801 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
6802 const struct nft_set_ext_tmpl *tmpl,
6803 const u32 *key, const u32 *key_end,
6804 const u32 *data,
6805 u64 timeout, u64 expiration, gfp_t gfp)
6806 {
6807 struct nft_set_ext *ext;
6808 void *elem;
6809
6810 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
6811 if (elem == NULL)
6812 return ERR_PTR(-ENOMEM);
6813
6814 ext = nft_set_elem_ext(set, elem);
6815 nft_set_ext_init(ext, tmpl);
6816
6817 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6818 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
6819 nft_set_ext_key(ext), key, set->klen) < 0)
6820 goto err_ext_check;
6821
6822 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6823 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
6824 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
6825 goto err_ext_check;
6826
6827 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6828 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
6829 nft_set_ext_data(ext), data, set->dlen) < 0)
6830 goto err_ext_check;
6831
6832 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
6833 nft_set_ext_timeout(ext)->timeout = timeout;
6834
6835 if (expiration == 0)
6836 expiration = timeout;
6837
6838 nft_set_ext_timeout(ext)->expiration = get_jiffies_64() + expiration;
6839 }
6840
6841 return elem;
6842
6843 err_ext_check:
6844 kfree(elem);
6845
6846 return ERR_PTR(-EINVAL);
6847 }
6848
__nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)6849 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6850 struct nft_expr *expr)
6851 {
6852 if (expr->ops->destroy_clone) {
6853 expr->ops->destroy_clone(ctx, expr);
6854 module_put(expr->ops->type->owner);
6855 } else {
6856 nf_tables_expr_destroy(ctx, expr);
6857 }
6858 }
6859
nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_set_elem_expr * elem_expr)6860 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6861 struct nft_set_elem_expr *elem_expr)
6862 {
6863 struct nft_expr *expr;
6864 u32 size;
6865
6866 nft_setelem_expr_foreach(expr, elem_expr, size)
6867 __nft_set_elem_expr_destroy(ctx, expr);
6868 }
6869
6870 /* Drop references and destroy. Called from gc, dynset and abort path. */
__nft_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool destroy_expr)6871 static void __nft_set_elem_destroy(const struct nft_ctx *ctx,
6872 const struct nft_set *set,
6873 const struct nft_elem_priv *elem_priv,
6874 bool destroy_expr)
6875 {
6876 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6877
6878 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
6879 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6880 nft_data_release(nft_set_ext_data(ext), set->dtype);
6881 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6882 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6883 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6884 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
6885
6886 kfree(elem_priv);
6887 }
6888
6889 /* Drop references and destroy. Called from gc and dynset. */
nft_set_elem_destroy(const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool destroy_expr)6890 void nft_set_elem_destroy(const struct nft_set *set,
6891 const struct nft_elem_priv *elem_priv,
6892 bool destroy_expr)
6893 {
6894 struct nft_ctx ctx = {
6895 .net = read_pnet(&set->net),
6896 .family = set->table->family,
6897 };
6898
6899 __nft_set_elem_destroy(&ctx, set, elem_priv, destroy_expr);
6900 }
6901 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6902
6903 /* Drop references and destroy. Called from abort path. */
nft_trans_set_elem_destroy(const struct nft_ctx * ctx,struct nft_trans_elem * te)6904 static void nft_trans_set_elem_destroy(const struct nft_ctx *ctx, struct nft_trans_elem *te)
6905 {
6906 int i;
6907
6908 for (i = 0; i < te->nelems; i++) {
6909 /* skip update request, see nft_trans_elems_new_abort() */
6910 if (!te->elems[i].priv)
6911 continue;
6912
6913 __nft_set_elem_destroy(ctx, te->set, te->elems[i].priv, true);
6914 }
6915 }
6916
6917 /* Destroy element. References have been already dropped in the preparation
6918 * path via nft_setelem_data_deactivate().
6919 */
nf_tables_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv)6920 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6921 const struct nft_set *set,
6922 const struct nft_elem_priv *elem_priv)
6923 {
6924 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6925
6926 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6927 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6928
6929 kfree(elem_priv);
6930 }
6931
nft_trans_elems_destroy(const struct nft_ctx * ctx,const struct nft_trans_elem * te)6932 static void nft_trans_elems_destroy(const struct nft_ctx *ctx,
6933 const struct nft_trans_elem *te)
6934 {
6935 int i;
6936
6937 for (i = 0; i < te->nelems; i++)
6938 nf_tables_set_elem_destroy(ctx, te->set, te->elems[i].priv);
6939 }
6940
nft_set_elem_expr_clone(const struct nft_ctx * ctx,struct nft_set * set,struct nft_expr * expr_array[])6941 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6942 struct nft_expr *expr_array[])
6943 {
6944 struct nft_expr *expr;
6945 int err, i, k;
6946
6947 for (i = 0; i < set->num_exprs; i++) {
6948 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6949 if (!expr)
6950 goto err_expr;
6951
6952 err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT);
6953 if (err < 0) {
6954 kfree(expr);
6955 goto err_expr;
6956 }
6957 expr_array[i] = expr;
6958 }
6959
6960 return 0;
6961
6962 err_expr:
6963 for (k = i - 1; k >= 0; k--)
6964 nft_expr_destroy(ctx, expr_array[k]);
6965
6966 return -ENOMEM;
6967 }
6968
nft_set_elem_expr_setup(struct nft_ctx * ctx,const struct nft_set_ext_tmpl * tmpl,const struct nft_set_ext * ext,struct nft_expr * expr_array[],u32 num_exprs)6969 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6970 const struct nft_set_ext_tmpl *tmpl,
6971 const struct nft_set_ext *ext,
6972 struct nft_expr *expr_array[],
6973 u32 num_exprs)
6974 {
6975 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6976 u32 len = sizeof(struct nft_set_elem_expr);
6977 struct nft_expr *expr;
6978 int i, err;
6979
6980 if (num_exprs == 0)
6981 return 0;
6982
6983 for (i = 0; i < num_exprs; i++)
6984 len += expr_array[i]->ops->size;
6985
6986 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6987 return -EINVAL;
6988
6989 for (i = 0; i < num_exprs; i++) {
6990 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6991 err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT);
6992 if (err < 0)
6993 goto err_elem_expr_setup;
6994
6995 elem_expr->size += expr_array[i]->ops->size;
6996 nft_expr_destroy(ctx, expr_array[i]);
6997 expr_array[i] = NULL;
6998 }
6999
7000 return 0;
7001
7002 err_elem_expr_setup:
7003 for (; i < num_exprs; i++) {
7004 nft_expr_destroy(ctx, expr_array[i]);
7005 expr_array[i] = NULL;
7006 }
7007
7008 return -ENOMEM;
7009 }
7010
nft_set_catchall_lookup(const struct net * net,const struct nft_set * set)7011 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
7012 const struct nft_set *set)
7013 {
7014 struct nft_set_elem_catchall *catchall;
7015 u8 genmask = nft_genmask_cur(net);
7016 struct nft_set_ext *ext;
7017
7018 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
7019 ext = nft_set_elem_ext(set, catchall->elem);
7020 if (nft_set_elem_active(ext, genmask) &&
7021 !nft_set_elem_expired(ext) &&
7022 !nft_set_elem_is_dead(ext))
7023 return ext;
7024 }
7025
7026 return NULL;
7027 }
7028 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
7029
nft_setelem_catchall_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** priv)7030 static int nft_setelem_catchall_insert(const struct net *net,
7031 struct nft_set *set,
7032 const struct nft_set_elem *elem,
7033 struct nft_elem_priv **priv)
7034 {
7035 struct nft_set_elem_catchall *catchall;
7036 u8 genmask = nft_genmask_next(net);
7037 struct nft_set_ext *ext;
7038
7039 list_for_each_entry(catchall, &set->catchall_list, list) {
7040 ext = nft_set_elem_ext(set, catchall->elem);
7041 if (nft_set_elem_active(ext, genmask)) {
7042 *priv = catchall->elem;
7043 return -EEXIST;
7044 }
7045 }
7046
7047 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL_ACCOUNT);
7048 if (!catchall)
7049 return -ENOMEM;
7050
7051 catchall->elem = elem->priv;
7052 list_add_tail_rcu(&catchall->list, &set->catchall_list);
7053
7054 return 0;
7055 }
7056
nft_setelem_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** elem_priv,unsigned int flags)7057 static int nft_setelem_insert(const struct net *net,
7058 struct nft_set *set,
7059 const struct nft_set_elem *elem,
7060 struct nft_elem_priv **elem_priv,
7061 unsigned int flags)
7062 {
7063 int ret;
7064
7065 if (flags & NFT_SET_ELEM_CATCHALL)
7066 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv);
7067 else
7068 ret = set->ops->insert(net, set, elem, elem_priv);
7069
7070 return ret;
7071 }
7072
nft_setelem_is_catchall(const struct nft_set * set,const struct nft_elem_priv * elem_priv)7073 static bool nft_setelem_is_catchall(const struct nft_set *set,
7074 const struct nft_elem_priv *elem_priv)
7075 {
7076 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7077
7078 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7079 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
7080 return true;
7081
7082 return false;
7083 }
7084
nft_setelem_activate(struct net * net,struct nft_set * set,struct nft_elem_priv * elem_priv)7085 static void nft_setelem_activate(struct net *net, struct nft_set *set,
7086 struct nft_elem_priv *elem_priv)
7087 {
7088 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7089
7090 if (nft_setelem_is_catchall(set, elem_priv)) {
7091 nft_clear(net, ext);
7092 } else {
7093 set->ops->activate(net, set, elem_priv);
7094 }
7095 }
7096
nft_trans_elem_update(const struct nft_set * set,const struct nft_trans_one_elem * elem)7097 static void nft_trans_elem_update(const struct nft_set *set,
7098 const struct nft_trans_one_elem *elem)
7099 {
7100 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7101 const struct nft_elem_update *update = elem->update;
7102
7103 if (update->flags & NFT_TRANS_UPD_TIMEOUT)
7104 WRITE_ONCE(nft_set_ext_timeout(ext)->timeout, update->timeout);
7105
7106 if (update->flags & NFT_TRANS_UPD_EXPIRATION)
7107 WRITE_ONCE(nft_set_ext_timeout(ext)->expiration, get_jiffies_64() + update->expiration);
7108 }
7109
nft_trans_elems_add(const struct nft_ctx * ctx,struct nft_trans_elem * te)7110 static void nft_trans_elems_add(const struct nft_ctx *ctx,
7111 struct nft_trans_elem *te)
7112 {
7113 int i;
7114
7115 for (i = 0; i < te->nelems; i++) {
7116 struct nft_trans_one_elem *elem = &te->elems[i];
7117
7118 if (elem->update)
7119 nft_trans_elem_update(te->set, elem);
7120 else
7121 nft_setelem_activate(ctx->net, te->set, elem->priv);
7122
7123 nf_tables_setelem_notify(ctx, te->set, elem->priv,
7124 NFT_MSG_NEWSETELEM);
7125 kfree(elem->update);
7126 }
7127 }
7128
nft_setelem_catchall_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)7129 static int nft_setelem_catchall_deactivate(const struct net *net,
7130 struct nft_set *set,
7131 struct nft_set_elem *elem)
7132 {
7133 struct nft_set_elem_catchall *catchall;
7134 struct nft_set_ext *ext;
7135
7136 list_for_each_entry(catchall, &set->catchall_list, list) {
7137 ext = nft_set_elem_ext(set, catchall->elem);
7138 if (!nft_is_active_next(net, ext))
7139 continue;
7140
7141 kfree(elem->priv);
7142 elem->priv = catchall->elem;
7143 nft_set_elem_change_active(net, set, ext);
7144 return 0;
7145 }
7146
7147 return -ENOENT;
7148 }
7149
__nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)7150 static int __nft_setelem_deactivate(const struct net *net,
7151 struct nft_set *set,
7152 struct nft_set_elem *elem)
7153 {
7154 void *priv;
7155
7156 priv = set->ops->deactivate(net, set, elem);
7157 if (!priv)
7158 return -ENOENT;
7159
7160 kfree(elem->priv);
7161 elem->priv = priv;
7162 set->ndeact++;
7163
7164 return 0;
7165 }
7166
nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem,u32 flags)7167 static int nft_setelem_deactivate(const struct net *net,
7168 struct nft_set *set,
7169 struct nft_set_elem *elem, u32 flags)
7170 {
7171 int ret;
7172
7173 if (flags & NFT_SET_ELEM_CATCHALL)
7174 ret = nft_setelem_catchall_deactivate(net, set, elem);
7175 else
7176 ret = __nft_setelem_deactivate(net, set, elem);
7177
7178 return ret;
7179 }
7180
nft_setelem_catchall_destroy(struct nft_set_elem_catchall * catchall)7181 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
7182 {
7183 list_del_rcu(&catchall->list);
7184 kfree_rcu(catchall, rcu);
7185 }
7186
nft_setelem_catchall_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7187 static void nft_setelem_catchall_remove(const struct net *net,
7188 const struct nft_set *set,
7189 struct nft_elem_priv *elem_priv)
7190 {
7191 struct nft_set_elem_catchall *catchall, *next;
7192
7193 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
7194 if (catchall->elem == elem_priv) {
7195 nft_setelem_catchall_destroy(catchall);
7196 break;
7197 }
7198 }
7199 }
7200
nft_setelem_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7201 static void nft_setelem_remove(const struct net *net,
7202 const struct nft_set *set,
7203 struct nft_elem_priv *elem_priv)
7204 {
7205 if (nft_setelem_is_catchall(set, elem_priv))
7206 nft_setelem_catchall_remove(net, set, elem_priv);
7207 else
7208 set->ops->remove(net, set, elem_priv);
7209 }
7210
nft_trans_elems_remove(const struct nft_ctx * ctx,const struct nft_trans_elem * te)7211 static void nft_trans_elems_remove(const struct nft_ctx *ctx,
7212 const struct nft_trans_elem *te)
7213 {
7214 int i;
7215
7216 for (i = 0; i < te->nelems; i++) {
7217 WARN_ON_ONCE(te->elems[i].update);
7218
7219 nf_tables_setelem_notify(ctx, te->set,
7220 te->elems[i].priv,
7221 te->nft_trans.msg_type);
7222
7223 nft_setelem_remove(ctx->net, te->set, te->elems[i].priv);
7224 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv)) {
7225 atomic_dec(&te->set->nelems);
7226 te->set->ndeact--;
7227 }
7228 }
7229 }
7230
nft_setelem_valid_key_end(const struct nft_set * set,struct nlattr ** nla,u32 flags)7231 static bool nft_setelem_valid_key_end(const struct nft_set *set,
7232 struct nlattr **nla, u32 flags)
7233 {
7234 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
7235 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
7236 if (flags & NFT_SET_ELEM_INTERVAL_END)
7237 return false;
7238
7239 if (nla[NFTA_SET_ELEM_KEY_END] &&
7240 flags & NFT_SET_ELEM_CATCHALL)
7241 return false;
7242 } else {
7243 if (nla[NFTA_SET_ELEM_KEY_END])
7244 return false;
7245 }
7246
7247 return true;
7248 }
7249
nft_set_maxsize(const struct nft_set * set)7250 static u32 nft_set_maxsize(const struct nft_set *set)
7251 {
7252 u32 maxsize, delta;
7253
7254 if (!set->size)
7255 return UINT_MAX;
7256
7257 if (set->ops->adjust_maxsize)
7258 delta = set->ops->adjust_maxsize(set);
7259 else
7260 delta = 0;
7261
7262 if (check_add_overflow(set->size, set->ndeact, &maxsize))
7263 return UINT_MAX;
7264
7265 if (check_add_overflow(maxsize, delta, &maxsize))
7266 return UINT_MAX;
7267
7268 return maxsize;
7269 }
7270
nft_add_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,u32 nlmsg_flags)7271 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
7272 const struct nlattr *attr, u32 nlmsg_flags)
7273 {
7274 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
7275 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7276 u8 genmask = nft_genmask_next(ctx->net);
7277 u32 flags = 0, size = 0, num_exprs = 0;
7278 struct nft_set_ext_tmpl tmpl;
7279 struct nft_set_ext *ext, *ext2;
7280 struct nft_set_elem elem;
7281 struct nft_set_binding *binding;
7282 struct nft_elem_priv *elem_priv;
7283 struct nft_object *obj = NULL;
7284 struct nft_userdata *udata;
7285 struct nft_data_desc desc;
7286 enum nft_registers dreg;
7287 struct nft_trans *trans;
7288 u64 expiration;
7289 u64 timeout;
7290 int err, i;
7291 u8 ulen;
7292
7293 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7294 nft_set_elem_policy, NULL);
7295 if (err < 0)
7296 return err;
7297
7298 nft_set_ext_prepare(&tmpl);
7299
7300 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7301 if (err < 0)
7302 return err;
7303
7304 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
7305 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
7306 return -EINVAL;
7307
7308 if (flags != 0) {
7309 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7310 if (err < 0)
7311 return err;
7312 }
7313
7314 if (set->flags & NFT_SET_MAP) {
7315 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
7316 !(flags & NFT_SET_ELEM_INTERVAL_END))
7317 return -EINVAL;
7318 } else {
7319 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7320 return -EINVAL;
7321 }
7322
7323 if (set->flags & NFT_SET_OBJECT) {
7324 if (!nla[NFTA_SET_ELEM_OBJREF] &&
7325 !(flags & NFT_SET_ELEM_INTERVAL_END))
7326 return -EINVAL;
7327 } else {
7328 if (nla[NFTA_SET_ELEM_OBJREF])
7329 return -EINVAL;
7330 }
7331
7332 if (!nft_setelem_valid_key_end(set, nla, flags))
7333 return -EINVAL;
7334
7335 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
7336 (nla[NFTA_SET_ELEM_DATA] ||
7337 nla[NFTA_SET_ELEM_OBJREF] ||
7338 nla[NFTA_SET_ELEM_TIMEOUT] ||
7339 nla[NFTA_SET_ELEM_EXPIRATION] ||
7340 nla[NFTA_SET_ELEM_USERDATA] ||
7341 nla[NFTA_SET_ELEM_EXPR] ||
7342 nla[NFTA_SET_ELEM_KEY_END] ||
7343 nla[NFTA_SET_ELEM_EXPRESSIONS]))
7344 return -EINVAL;
7345
7346 timeout = 0;
7347 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
7348 if (!(set->flags & NFT_SET_TIMEOUT))
7349 return -EINVAL;
7350 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
7351 &timeout);
7352 if (err)
7353 return err;
7354 } else if (set->flags & NFT_SET_TIMEOUT &&
7355 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
7356 timeout = set->timeout;
7357 }
7358
7359 expiration = 0;
7360 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
7361 if (!(set->flags & NFT_SET_TIMEOUT))
7362 return -EINVAL;
7363 if (timeout == 0)
7364 return -EOPNOTSUPP;
7365
7366 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
7367 &expiration);
7368 if (err)
7369 return err;
7370
7371 if (expiration > timeout)
7372 return -ERANGE;
7373 }
7374
7375 if (nla[NFTA_SET_ELEM_EXPR]) {
7376 struct nft_expr *expr;
7377
7378 if (set->num_exprs && set->num_exprs != 1)
7379 return -EOPNOTSUPP;
7380
7381 expr = nft_set_elem_expr_alloc(ctx, set,
7382 nla[NFTA_SET_ELEM_EXPR]);
7383 if (IS_ERR(expr))
7384 return PTR_ERR(expr);
7385
7386 expr_array[0] = expr;
7387 num_exprs = 1;
7388
7389 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
7390 err = -EOPNOTSUPP;
7391 goto err_set_elem_expr;
7392 }
7393 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
7394 struct nft_expr *expr;
7395 struct nlattr *tmp;
7396 int left;
7397
7398 i = 0;
7399 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
7400 if (i == NFT_SET_EXPR_MAX ||
7401 (set->num_exprs && set->num_exprs == i)) {
7402 err = -E2BIG;
7403 goto err_set_elem_expr;
7404 }
7405 if (nla_type(tmp) != NFTA_LIST_ELEM) {
7406 err = -EINVAL;
7407 goto err_set_elem_expr;
7408 }
7409 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
7410 if (IS_ERR(expr)) {
7411 err = PTR_ERR(expr);
7412 goto err_set_elem_expr;
7413 }
7414 expr_array[i] = expr;
7415 num_exprs++;
7416
7417 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
7418 err = -EOPNOTSUPP;
7419 goto err_set_elem_expr;
7420 }
7421 i++;
7422 }
7423 if (set->num_exprs && set->num_exprs != i) {
7424 err = -EOPNOTSUPP;
7425 goto err_set_elem_expr;
7426 }
7427 } else if (set->num_exprs > 0 &&
7428 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
7429 err = nft_set_elem_expr_clone(ctx, set, expr_array);
7430 if (err < 0)
7431 goto err_set_elem_expr_clone;
7432
7433 num_exprs = set->num_exprs;
7434 }
7435
7436 if (nla[NFTA_SET_ELEM_KEY]) {
7437 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7438 nla[NFTA_SET_ELEM_KEY]);
7439 if (err < 0)
7440 goto err_set_elem_expr;
7441
7442 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7443 if (err < 0)
7444 goto err_parse_key;
7445 }
7446
7447 if (nla[NFTA_SET_ELEM_KEY_END]) {
7448 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7449 nla[NFTA_SET_ELEM_KEY_END]);
7450 if (err < 0)
7451 goto err_parse_key;
7452
7453 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7454 if (err < 0)
7455 goto err_parse_key_end;
7456 }
7457
7458 if (set->flags & NFT_SET_TIMEOUT) {
7459 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
7460 if (err < 0)
7461 goto err_parse_key_end;
7462 }
7463
7464 if (num_exprs) {
7465 for (i = 0; i < num_exprs; i++)
7466 size += expr_array[i]->ops->size;
7467
7468 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
7469 sizeof(struct nft_set_elem_expr) + size);
7470 if (err < 0)
7471 goto err_parse_key_end;
7472 }
7473
7474 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
7475 obj = nft_obj_lookup(ctx->net, ctx->table,
7476 nla[NFTA_SET_ELEM_OBJREF],
7477 set->objtype, genmask);
7478 if (IS_ERR(obj)) {
7479 err = PTR_ERR(obj);
7480 obj = NULL;
7481 goto err_parse_key_end;
7482 }
7483
7484 if (!nft_use_inc(&obj->use)) {
7485 err = -EMFILE;
7486 obj = NULL;
7487 goto err_parse_key_end;
7488 }
7489
7490 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
7491 if (err < 0)
7492 goto err_parse_key_end;
7493 }
7494
7495 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
7496 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
7497 nla[NFTA_SET_ELEM_DATA]);
7498 if (err < 0)
7499 goto err_parse_key_end;
7500
7501 dreg = nft_type_to_reg(set->dtype);
7502 list_for_each_entry(binding, &set->bindings, list) {
7503 struct nft_ctx bind_ctx = {
7504 .net = ctx->net,
7505 .family = ctx->family,
7506 .table = ctx->table,
7507 .chain = (struct nft_chain *)binding->chain,
7508 };
7509
7510 if (!(binding->flags & NFT_SET_MAP))
7511 continue;
7512
7513 err = nft_validate_register_store(&bind_ctx, dreg,
7514 &elem.data.val,
7515 desc.type, desc.len);
7516 if (err < 0)
7517 goto err_parse_data;
7518
7519 if (desc.type == NFT_DATA_VERDICT &&
7520 (elem.data.val.verdict.code == NFT_GOTO ||
7521 elem.data.val.verdict.code == NFT_JUMP))
7522 nft_validate_state_update(ctx->table,
7523 NFT_VALIDATE_NEED);
7524 }
7525
7526 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
7527 if (err < 0)
7528 goto err_parse_data;
7529 }
7530
7531 /* The full maximum length of userdata can exceed the maximum
7532 * offset value (U8_MAX) for following extensions, therefor it
7533 * must be the last extension added.
7534 */
7535 ulen = 0;
7536 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
7537 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
7538 if (ulen > 0) {
7539 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
7540 ulen);
7541 if (err < 0)
7542 goto err_parse_data;
7543 }
7544 }
7545
7546 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7547 elem.key_end.val.data, elem.data.val.data,
7548 timeout, expiration, GFP_KERNEL_ACCOUNT);
7549 if (IS_ERR(elem.priv)) {
7550 err = PTR_ERR(elem.priv);
7551 goto err_parse_data;
7552 }
7553
7554 ext = nft_set_elem_ext(set, elem.priv);
7555 if (flags)
7556 *nft_set_ext_flags(ext) = flags;
7557
7558 if (obj)
7559 *nft_set_ext_obj(ext) = obj;
7560
7561 if (ulen > 0) {
7562 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
7563 err = -EINVAL;
7564 goto err_elem_free;
7565 }
7566 udata = nft_set_ext_userdata(ext);
7567 udata->len = ulen - 1;
7568 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
7569 }
7570 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
7571 if (err < 0)
7572 goto err_elem_free;
7573
7574 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
7575 if (trans == NULL) {
7576 err = -ENOMEM;
7577 goto err_elem_free;
7578 }
7579
7580 ext->genmask = nft_genmask_cur(ctx->net);
7581
7582 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags);
7583 if (err) {
7584 if (err == -EEXIST) {
7585 ext2 = nft_set_elem_ext(set, elem_priv);
7586 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
7587 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
7588 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
7589 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
7590 goto err_element_clash;
7591 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
7592 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
7593 memcmp(nft_set_ext_data(ext),
7594 nft_set_ext_data(ext2), set->dlen) != 0) ||
7595 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
7596 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
7597 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
7598 goto err_element_clash;
7599 else if (!(nlmsg_flags & NLM_F_EXCL)) {
7600 err = 0;
7601 if (nft_set_ext_exists(ext2, NFT_SET_EXT_TIMEOUT)) {
7602 struct nft_elem_update update = { };
7603
7604 if (timeout != nft_set_ext_timeout(ext2)->timeout) {
7605 update.timeout = timeout;
7606 if (expiration == 0)
7607 expiration = timeout;
7608
7609 update.flags |= NFT_TRANS_UPD_TIMEOUT;
7610 }
7611 if (expiration) {
7612 update.expiration = expiration;
7613 update.flags |= NFT_TRANS_UPD_EXPIRATION;
7614 }
7615
7616 if (update.flags) {
7617 struct nft_trans_one_elem *ue;
7618
7619 ue = &nft_trans_container_elem(trans)->elems[0];
7620
7621 ue->update = kmemdup(&update, sizeof(update), GFP_KERNEL);
7622 if (!ue->update) {
7623 err = -ENOMEM;
7624 goto err_element_clash;
7625 }
7626
7627 ue->priv = elem_priv;
7628 nft_trans_commit_list_add_elem(ctx->net, trans);
7629 goto err_elem_free;
7630 }
7631 }
7632 }
7633 } else if (err == -ENOTEMPTY) {
7634 /* ENOTEMPTY reports overlapping between this element
7635 * and an existing one.
7636 */
7637 err = -EEXIST;
7638 }
7639 goto err_element_clash;
7640 }
7641
7642 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
7643 unsigned int max = nft_set_maxsize(set);
7644
7645 if (!atomic_add_unless(&set->nelems, 1, max)) {
7646 err = -ENFILE;
7647 goto err_set_full;
7648 }
7649 }
7650
7651 nft_trans_container_elem(trans)->elems[0].priv = elem.priv;
7652 nft_trans_commit_list_add_elem(ctx->net, trans);
7653 return 0;
7654
7655 err_set_full:
7656 nft_setelem_remove(ctx->net, set, elem.priv);
7657 err_element_clash:
7658 kfree(trans);
7659 err_elem_free:
7660 nf_tables_set_elem_destroy(ctx, set, elem.priv);
7661 err_parse_data:
7662 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7663 nft_data_release(&elem.data.val, desc.type);
7664 err_parse_key_end:
7665 if (obj)
7666 nft_use_dec_restore(&obj->use);
7667
7668 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7669 err_parse_key:
7670 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7671 err_set_elem_expr:
7672 for (i = 0; i < num_exprs && expr_array[i]; i++)
7673 nft_expr_destroy(ctx, expr_array[i]);
7674 err_set_elem_expr_clone:
7675 return err;
7676 }
7677
nf_tables_newsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7678 static int nf_tables_newsetelem(struct sk_buff *skb,
7679 const struct nfnl_info *info,
7680 const struct nlattr * const nla[])
7681 {
7682 struct netlink_ext_ack *extack = info->extack;
7683 u8 genmask = nft_genmask_next(info->net);
7684 u8 family = info->nfmsg->nfgen_family;
7685 struct net *net = info->net;
7686 const struct nlattr *attr;
7687 struct nft_table *table;
7688 struct nft_set *set;
7689 struct nft_ctx ctx;
7690 int rem, err;
7691
7692 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
7693 return -EINVAL;
7694
7695 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7696 genmask, NETLINK_CB(skb).portid);
7697 if (IS_ERR(table)) {
7698 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7699 return PTR_ERR(table);
7700 }
7701
7702 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
7703 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
7704 if (IS_ERR(set)) {
7705 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7706 return PTR_ERR(set);
7707 }
7708
7709 if (!list_empty(&set->bindings) &&
7710 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
7711 return -EBUSY;
7712
7713 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7714
7715 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7716 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
7717 if (err < 0) {
7718 NL_SET_BAD_ATTR(extack, attr);
7719 return err;
7720 }
7721 }
7722
7723 if (table->validate_state == NFT_VALIDATE_DO)
7724 return nft_table_validate(net, table);
7725
7726 return 0;
7727 }
7728
7729 /**
7730 * nft_data_hold - hold a nft_data item
7731 *
7732 * @data: struct nft_data to release
7733 * @type: type of data
7734 *
7735 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7736 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7737 * NFT_GOTO verdicts. This function must be called on active data objects
7738 * from the second phase of the commit protocol.
7739 */
nft_data_hold(const struct nft_data * data,enum nft_data_types type)7740 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7741 {
7742 struct nft_chain *chain;
7743
7744 if (type == NFT_DATA_VERDICT) {
7745 switch (data->verdict.code) {
7746 case NFT_JUMP:
7747 case NFT_GOTO:
7748 chain = data->verdict.chain;
7749 nft_use_inc_restore(&chain->use);
7750 break;
7751 }
7752 }
7753 }
7754
nft_setelem_active_next(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7755 static int nft_setelem_active_next(const struct net *net,
7756 const struct nft_set *set,
7757 struct nft_elem_priv *elem_priv)
7758 {
7759 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7760 u8 genmask = nft_genmask_next(net);
7761
7762 return nft_set_elem_active(ext, genmask);
7763 }
7764
nft_setelem_data_activate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7765 static void nft_setelem_data_activate(const struct net *net,
7766 const struct nft_set *set,
7767 struct nft_elem_priv *elem_priv)
7768 {
7769 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7770
7771 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7772 nft_data_hold(nft_set_ext_data(ext), set->dtype);
7773 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7774 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
7775 }
7776
nft_setelem_data_deactivate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7777 void nft_setelem_data_deactivate(const struct net *net,
7778 const struct nft_set *set,
7779 struct nft_elem_priv *elem_priv)
7780 {
7781 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7782
7783 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7784 nft_data_release(nft_set_ext_data(ext), set->dtype);
7785 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7786 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
7787 }
7788
7789 /* similar to nft_trans_elems_remove, but called from abort path to undo newsetelem.
7790 * No notifications and no ndeact changes.
7791 *
7792 * Returns true if set had been added to (i.e., elements need to be removed again).
7793 */
nft_trans_elems_new_abort(const struct nft_ctx * ctx,struct nft_trans_elem * te)7794 static bool nft_trans_elems_new_abort(const struct nft_ctx *ctx,
7795 struct nft_trans_elem *te)
7796 {
7797 bool removed = false;
7798 int i;
7799
7800 for (i = 0; i < te->nelems; i++) {
7801 if (te->elems[i].update) {
7802 kfree(te->elems[i].update);
7803 te->elems[i].update = NULL;
7804 /* Update request, so do not release this element */
7805 te->elems[i].priv = NULL;
7806 continue;
7807 }
7808
7809 if (!te->set->ops->abort || nft_setelem_is_catchall(te->set, te->elems[i].priv))
7810 nft_setelem_remove(ctx->net, te->set, te->elems[i].priv);
7811
7812 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv))
7813 atomic_dec(&te->set->nelems);
7814
7815 removed = true;
7816 }
7817
7818 return removed;
7819 }
7820
7821 /* Called from abort path to undo DELSETELEM/DESTROYSETELEM. */
nft_trans_elems_destroy_abort(const struct nft_ctx * ctx,const struct nft_trans_elem * te)7822 static void nft_trans_elems_destroy_abort(const struct nft_ctx *ctx,
7823 const struct nft_trans_elem *te)
7824 {
7825 int i;
7826
7827 for (i = 0; i < te->nelems; i++) {
7828 if (!nft_setelem_active_next(ctx->net, te->set, te->elems[i].priv)) {
7829 nft_setelem_data_activate(ctx->net, te->set, te->elems[i].priv);
7830 nft_setelem_activate(ctx->net, te->set, te->elems[i].priv);
7831 }
7832
7833 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv))
7834 te->set->ndeact--;
7835 }
7836 }
7837
nft_del_setelem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)7838 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7839 const struct nlattr *attr)
7840 {
7841 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7842 struct nft_set_ext_tmpl tmpl;
7843 struct nft_set_elem elem;
7844 struct nft_set_ext *ext;
7845 struct nft_trans *trans;
7846 u32 flags = 0;
7847 int err;
7848
7849 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7850 nft_set_elem_policy, NULL);
7851 if (err < 0)
7852 return err;
7853
7854 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7855 if (err < 0)
7856 return err;
7857
7858 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7859 return -EINVAL;
7860
7861 if (!nft_setelem_valid_key_end(set, nla, flags))
7862 return -EINVAL;
7863
7864 nft_set_ext_prepare(&tmpl);
7865
7866 if (flags != 0) {
7867 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7868 if (err < 0)
7869 return err;
7870 }
7871
7872 if (nla[NFTA_SET_ELEM_KEY]) {
7873 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7874 nla[NFTA_SET_ELEM_KEY]);
7875 if (err < 0)
7876 return err;
7877
7878 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7879 if (err < 0)
7880 goto fail_elem;
7881 }
7882
7883 if (nla[NFTA_SET_ELEM_KEY_END]) {
7884 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7885 nla[NFTA_SET_ELEM_KEY_END]);
7886 if (err < 0)
7887 goto fail_elem;
7888
7889 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7890 if (err < 0)
7891 goto fail_elem_key_end;
7892 }
7893
7894 err = -ENOMEM;
7895 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7896 elem.key_end.val.data, NULL, 0, 0,
7897 GFP_KERNEL_ACCOUNT);
7898 if (IS_ERR(elem.priv)) {
7899 err = PTR_ERR(elem.priv);
7900 goto fail_elem_key_end;
7901 }
7902
7903 ext = nft_set_elem_ext(set, elem.priv);
7904 if (flags)
7905 *nft_set_ext_flags(ext) = flags;
7906
7907 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7908 if (trans == NULL)
7909 goto fail_trans;
7910
7911 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
7912 if (err < 0)
7913 goto fail_ops;
7914
7915 nft_setelem_data_deactivate(ctx->net, set, elem.priv);
7916
7917 nft_trans_container_elem(trans)->elems[0].priv = elem.priv;
7918 nft_trans_commit_list_add_elem(ctx->net, trans);
7919 return 0;
7920
7921 fail_ops:
7922 kfree(trans);
7923 fail_trans:
7924 kfree(elem.priv);
7925 fail_elem_key_end:
7926 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7927 fail_elem:
7928 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7929 return err;
7930 }
7931
nft_setelem_flush(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)7932 static int nft_setelem_flush(const struct nft_ctx *ctx,
7933 struct nft_set *set,
7934 const struct nft_set_iter *iter,
7935 struct nft_elem_priv *elem_priv)
7936 {
7937 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7938 struct nft_trans *trans;
7939
7940 if (!nft_set_elem_active(ext, iter->genmask))
7941 return 0;
7942
7943 trans = nft_trans_alloc(ctx, NFT_MSG_DELSETELEM,
7944 struct_size_t(struct nft_trans_elem, elems, 1));
7945 if (!trans)
7946 return -ENOMEM;
7947
7948 set->ops->flush(ctx->net, set, elem_priv);
7949 set->ndeact++;
7950
7951 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7952 nft_trans_elem_set(trans) = set;
7953 nft_trans_container_elem(trans)->nelems = 1;
7954 nft_trans_container_elem(trans)->elems[0].priv = elem_priv;
7955 nft_trans_commit_list_add_elem(ctx->net, trans);
7956
7957 return 0;
7958 }
7959
__nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)7960 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7961 struct nft_set *set,
7962 struct nft_elem_priv *elem_priv)
7963 {
7964 struct nft_trans *trans;
7965
7966 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7967 if (!trans)
7968 return -ENOMEM;
7969
7970 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7971 nft_trans_container_elem(trans)->elems[0].priv = elem_priv;
7972 nft_trans_commit_list_add_elem(ctx->net, trans);
7973
7974 return 0;
7975 }
7976
nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set)7977 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7978 struct nft_set *set)
7979 {
7980 u8 genmask = nft_genmask_next(ctx->net);
7981 struct nft_set_elem_catchall *catchall;
7982 struct nft_set_ext *ext;
7983 int ret = 0;
7984
7985 list_for_each_entry_rcu(catchall, &set->catchall_list, list,
7986 lockdep_commit_lock_is_held(ctx->net)) {
7987 ext = nft_set_elem_ext(set, catchall->elem);
7988 if (!nft_set_elem_active(ext, genmask))
7989 continue;
7990
7991 ret = __nft_set_catchall_flush(ctx, set, catchall->elem);
7992 if (ret < 0)
7993 break;
7994 nft_set_elem_change_active(ctx->net, set, ext);
7995 }
7996
7997 return ret;
7998 }
7999
nft_set_flush(struct nft_ctx * ctx,struct nft_set * set,u8 genmask)8000 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
8001 {
8002 struct nft_set_iter iter = {
8003 .genmask = genmask,
8004 .type = NFT_ITER_UPDATE,
8005 .fn = nft_setelem_flush,
8006 };
8007
8008 set->ops->walk(ctx, set, &iter);
8009 if (!iter.err)
8010 iter.err = nft_set_catchall_flush(ctx, set);
8011
8012 return iter.err;
8013 }
8014
nf_tables_delsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8015 static int nf_tables_delsetelem(struct sk_buff *skb,
8016 const struct nfnl_info *info,
8017 const struct nlattr * const nla[])
8018 {
8019 struct netlink_ext_ack *extack = info->extack;
8020 u8 genmask = nft_genmask_next(info->net);
8021 u8 family = info->nfmsg->nfgen_family;
8022 struct net *net = info->net;
8023 const struct nlattr *attr;
8024 struct nft_table *table;
8025 struct nft_set *set;
8026 struct nft_ctx ctx;
8027 int rem, err = 0;
8028
8029 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
8030 genmask, NETLINK_CB(skb).portid);
8031 if (IS_ERR(table)) {
8032 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
8033 return PTR_ERR(table);
8034 }
8035
8036 set = nft_set_lookup(net, table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
8037 if (IS_ERR(set)) {
8038 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
8039 return PTR_ERR(set);
8040 }
8041
8042 if (nft_set_is_anonymous(set))
8043 return -EOPNOTSUPP;
8044
8045 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
8046 return -EBUSY;
8047
8048 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8049
8050 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
8051 return nft_set_flush(&ctx, set, genmask);
8052
8053 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
8054 err = nft_del_setelem(&ctx, set, attr);
8055 if (err == -ENOENT &&
8056 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
8057 continue;
8058
8059 if (err < 0) {
8060 NL_SET_BAD_ATTR(extack, attr);
8061 return err;
8062 }
8063 }
8064
8065 return 0;
8066 }
8067
8068 /*
8069 * Stateful objects
8070 */
8071
8072 /**
8073 * nft_register_obj- register nf_tables stateful object type
8074 * @obj_type: object type
8075 *
8076 * Registers the object type for use with nf_tables. Returns zero on
8077 * success or a negative errno code otherwise.
8078 */
nft_register_obj(struct nft_object_type * obj_type)8079 int nft_register_obj(struct nft_object_type *obj_type)
8080 {
8081 if (obj_type->type == NFT_OBJECT_UNSPEC)
8082 return -EINVAL;
8083
8084 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8085 list_add_rcu(&obj_type->list, &nf_tables_objects);
8086 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8087 return 0;
8088 }
8089 EXPORT_SYMBOL_GPL(nft_register_obj);
8090
8091 /**
8092 * nft_unregister_obj - unregister nf_tables object type
8093 * @obj_type: object type
8094 *
8095 * Unregisters the object type for use with nf_tables.
8096 */
nft_unregister_obj(struct nft_object_type * obj_type)8097 void nft_unregister_obj(struct nft_object_type *obj_type)
8098 {
8099 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8100 list_del_rcu(&obj_type->list);
8101 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8102 }
8103 EXPORT_SYMBOL_GPL(nft_unregister_obj);
8104
nft_obj_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)8105 struct nft_object *nft_obj_lookup(const struct net *net,
8106 const struct nft_table *table,
8107 const struct nlattr *nla, u32 objtype,
8108 u8 genmask)
8109 {
8110 struct nft_object_hash_key k = { .table = table };
8111 char search[NFT_OBJ_MAXNAMELEN];
8112 struct rhlist_head *tmp, *list;
8113 struct nft_object *obj;
8114
8115 nla_strscpy(search, nla, sizeof(search));
8116 k.name = search;
8117
8118 WARN_ON_ONCE(!rcu_read_lock_held() &&
8119 !lockdep_commit_lock_is_held(net));
8120
8121 rcu_read_lock();
8122 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
8123 if (!list)
8124 goto out;
8125
8126 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
8127 if (objtype == obj->ops->type->type &&
8128 nft_active_genmask(obj, genmask)) {
8129 rcu_read_unlock();
8130 return obj;
8131 }
8132 }
8133 out:
8134 rcu_read_unlock();
8135 return ERR_PTR(-ENOENT);
8136 }
8137 EXPORT_SYMBOL_GPL(nft_obj_lookup);
8138
nft_obj_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)8139 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
8140 const struct nlattr *nla,
8141 u32 objtype, u8 genmask)
8142 {
8143 struct nft_object *obj;
8144
8145 list_for_each_entry(obj, &table->objects, list) {
8146 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
8147 objtype == obj->ops->type->type &&
8148 nft_active_genmask(obj, genmask))
8149 return obj;
8150 }
8151 return ERR_PTR(-ENOENT);
8152 }
8153
8154 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
8155 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
8156 .len = NFT_TABLE_MAXNAMELEN - 1 },
8157 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
8158 .len = NFT_OBJ_MAXNAMELEN - 1 },
8159 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
8160 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
8161 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
8162 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
8163 .len = NFT_USERDATA_MAXLEN },
8164 };
8165
nft_obj_init(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr)8166 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
8167 const struct nft_object_type *type,
8168 const struct nlattr *attr)
8169 {
8170 struct nlattr **tb;
8171 const struct nft_object_ops *ops;
8172 struct nft_object *obj;
8173 int err = -ENOMEM;
8174
8175 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
8176 if (!tb)
8177 goto err1;
8178
8179 if (attr) {
8180 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
8181 type->policy, NULL);
8182 if (err < 0)
8183 goto err2;
8184 } else {
8185 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
8186 }
8187
8188 if (type->select_ops) {
8189 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
8190 if (IS_ERR(ops)) {
8191 err = PTR_ERR(ops);
8192 goto err2;
8193 }
8194 } else {
8195 ops = type->ops;
8196 }
8197
8198 err = -ENOMEM;
8199 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
8200 if (!obj)
8201 goto err2;
8202
8203 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
8204 if (err < 0)
8205 goto err3;
8206
8207 obj->ops = ops;
8208
8209 kfree(tb);
8210 return obj;
8211 err3:
8212 kfree(obj);
8213 err2:
8214 kfree(tb);
8215 err1:
8216 return ERR_PTR(err);
8217 }
8218
nft_object_dump(struct sk_buff * skb,unsigned int attr,struct nft_object * obj,bool reset)8219 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
8220 struct nft_object *obj, bool reset)
8221 {
8222 struct nlattr *nest;
8223
8224 nest = nla_nest_start_noflag(skb, attr);
8225 if (!nest)
8226 goto nla_put_failure;
8227 if (obj->ops->dump(skb, obj, reset) < 0)
8228 goto nla_put_failure;
8229 nla_nest_end(skb, nest);
8230 return 0;
8231
8232 nla_put_failure:
8233 return -1;
8234 }
8235
__nft_obj_type_get(u32 objtype,u8 family)8236 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
8237 {
8238 const struct nft_object_type *type;
8239
8240 list_for_each_entry_rcu(type, &nf_tables_objects, list) {
8241 if (type->family != NFPROTO_UNSPEC &&
8242 type->family != family)
8243 continue;
8244
8245 if (objtype == type->type)
8246 return type;
8247 }
8248 return NULL;
8249 }
8250
8251 static const struct nft_object_type *
nft_obj_type_get(struct net * net,u32 objtype,u8 family)8252 nft_obj_type_get(struct net *net, u32 objtype, u8 family)
8253 {
8254 const struct nft_object_type *type;
8255
8256 rcu_read_lock();
8257 type = __nft_obj_type_get(objtype, family);
8258 if (type != NULL && try_module_get(type->owner)) {
8259 rcu_read_unlock();
8260 return type;
8261 }
8262 rcu_read_unlock();
8263
8264 lockdep_nfnl_nft_mutex_not_held();
8265 #ifdef CONFIG_MODULES
8266 if (type == NULL) {
8267 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
8268 return ERR_PTR(-EAGAIN);
8269 }
8270 #endif
8271 return ERR_PTR(-ENOENT);
8272 }
8273
nf_tables_updobj(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr,struct nft_object * obj)8274 static int nf_tables_updobj(const struct nft_ctx *ctx,
8275 const struct nft_object_type *type,
8276 const struct nlattr *attr,
8277 struct nft_object *obj)
8278 {
8279 struct nft_object *newobj;
8280 struct nft_trans *trans;
8281 int err = -ENOMEM;
8282
8283 /* caller must have obtained type->owner reference. */
8284 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
8285 sizeof(struct nft_trans_obj));
8286 if (!trans)
8287 goto err_trans;
8288
8289 newobj = nft_obj_init(ctx, type, attr);
8290 if (IS_ERR(newobj)) {
8291 err = PTR_ERR(newobj);
8292 goto err_free_trans;
8293 }
8294
8295 nft_trans_obj(trans) = obj;
8296 nft_trans_obj_update(trans) = true;
8297 nft_trans_obj_newobj(trans) = newobj;
8298 nft_trans_commit_list_add_tail(ctx->net, trans);
8299
8300 return 0;
8301
8302 err_free_trans:
8303 kfree(trans);
8304 err_trans:
8305 module_put(type->owner);
8306 return err;
8307 }
8308
nf_tables_newobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8309 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
8310 const struct nlattr * const nla[])
8311 {
8312 struct netlink_ext_ack *extack = info->extack;
8313 u8 genmask = nft_genmask_next(info->net);
8314 u8 family = info->nfmsg->nfgen_family;
8315 const struct nft_object_type *type;
8316 struct net *net = info->net;
8317 struct nft_table *table;
8318 struct nft_object *obj;
8319 struct nft_ctx ctx;
8320 u32 objtype;
8321 int err;
8322
8323 if (!nla[NFTA_OBJ_TYPE] ||
8324 !nla[NFTA_OBJ_NAME] ||
8325 !nla[NFTA_OBJ_DATA])
8326 return -EINVAL;
8327
8328 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8329 NETLINK_CB(skb).portid);
8330 if (IS_ERR(table)) {
8331 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8332 return PTR_ERR(table);
8333 }
8334
8335 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8336 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8337 if (IS_ERR(obj)) {
8338 err = PTR_ERR(obj);
8339 if (err != -ENOENT) {
8340 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8341 return err;
8342 }
8343 } else {
8344 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8345 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8346 return -EEXIST;
8347 }
8348 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
8349 return -EOPNOTSUPP;
8350
8351 if (!obj->ops->update)
8352 return 0;
8353
8354 type = nft_obj_type_get(net, objtype, family);
8355 if (WARN_ON_ONCE(IS_ERR(type)))
8356 return PTR_ERR(type);
8357
8358 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8359
8360 /* type->owner reference is put when transaction object is released. */
8361 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
8362 }
8363
8364 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8365
8366 if (!nft_use_inc(&table->use))
8367 return -EMFILE;
8368
8369 type = nft_obj_type_get(net, objtype, family);
8370 if (IS_ERR(type)) {
8371 err = PTR_ERR(type);
8372 goto err_type;
8373 }
8374
8375 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
8376 if (IS_ERR(obj)) {
8377 err = PTR_ERR(obj);
8378 goto err_init;
8379 }
8380 obj->key.table = table;
8381 obj->handle = nf_tables_alloc_handle(table);
8382
8383 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
8384 if (!obj->key.name) {
8385 err = -ENOMEM;
8386 goto err_strdup;
8387 }
8388
8389 if (nla[NFTA_OBJ_USERDATA]) {
8390 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
8391 if (obj->udata == NULL)
8392 goto err_userdata;
8393
8394 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
8395 }
8396
8397 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
8398 if (err < 0)
8399 goto err_trans;
8400
8401 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
8402 nft_objname_ht_params);
8403 if (err < 0)
8404 goto err_obj_ht;
8405
8406 list_add_tail_rcu(&obj->list, &table->objects);
8407
8408 return 0;
8409 err_obj_ht:
8410 /* queued in transaction log */
8411 INIT_LIST_HEAD(&obj->list);
8412 return err;
8413 err_trans:
8414 kfree(obj->udata);
8415 err_userdata:
8416 kfree(obj->key.name);
8417 err_strdup:
8418 if (obj->ops->destroy)
8419 obj->ops->destroy(&ctx, obj);
8420 kfree(obj);
8421 err_init:
8422 module_put(type->owner);
8423 err_type:
8424 nft_use_dec_restore(&table->use);
8425
8426 return err;
8427 }
8428
nf_tables_fill_obj_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,struct nft_object * obj,bool reset)8429 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
8430 u32 portid, u32 seq, int event, u32 flags,
8431 int family, const struct nft_table *table,
8432 struct nft_object *obj, bool reset)
8433 {
8434 struct nlmsghdr *nlh;
8435
8436 nlh = nfnl_msg_put(skb, portid, seq,
8437 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
8438 flags, family, NFNETLINK_V0, nft_base_seq_be16(net));
8439 if (!nlh)
8440 goto nla_put_failure;
8441
8442 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
8443 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
8444 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
8445 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
8446 NFTA_OBJ_PAD))
8447 goto nla_put_failure;
8448
8449 if (event == NFT_MSG_DELOBJ ||
8450 event == NFT_MSG_DESTROYOBJ) {
8451 nlmsg_end(skb, nlh);
8452 return 0;
8453 }
8454
8455 if (nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
8456 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
8457 goto nla_put_failure;
8458
8459 if (obj->udata &&
8460 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
8461 goto nla_put_failure;
8462
8463 nlmsg_end(skb, nlh);
8464 return 0;
8465
8466 nla_put_failure:
8467 nlmsg_trim(skb, nlh);
8468 return -1;
8469 }
8470
audit_log_obj_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)8471 static void audit_log_obj_reset(const struct nft_table *table,
8472 unsigned int base_seq, unsigned int nentries)
8473 {
8474 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
8475
8476 audit_log_nfcfg(buf, table->family, nentries,
8477 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
8478 kfree(buf);
8479 }
8480
8481 struct nft_obj_dump_ctx {
8482 unsigned int s_idx;
8483 char *table;
8484 u32 type;
8485 bool reset;
8486 };
8487
nf_tables_dump_obj(struct sk_buff * skb,struct netlink_callback * cb)8488 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
8489 {
8490 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8491 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8492 struct net *net = sock_net(skb->sk);
8493 int family = nfmsg->nfgen_family;
8494 struct nftables_pernet *nft_net;
8495 const struct nft_table *table;
8496 unsigned int entries = 0;
8497 struct nft_object *obj;
8498 unsigned int idx = 0;
8499 int rc = 0;
8500
8501 rcu_read_lock();
8502 nft_net = nft_pernet(net);
8503 cb->seq = nft_base_seq(net);
8504
8505 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8506 if (family != NFPROTO_UNSPEC && family != table->family)
8507 continue;
8508
8509 entries = 0;
8510 list_for_each_entry_rcu(obj, &table->objects, list) {
8511 if (!nft_is_active(net, obj))
8512 goto cont;
8513 if (idx < ctx->s_idx)
8514 goto cont;
8515 if (ctx->table && strcmp(ctx->table, table->name))
8516 goto cont;
8517 if (ctx->type != NFT_OBJECT_UNSPEC &&
8518 obj->ops->type->type != ctx->type)
8519 goto cont;
8520
8521 rc = nf_tables_fill_obj_info(skb, net,
8522 NETLINK_CB(cb->skb).portid,
8523 cb->nlh->nlmsg_seq,
8524 NFT_MSG_NEWOBJ,
8525 NLM_F_MULTI | NLM_F_APPEND,
8526 table->family, table,
8527 obj, ctx->reset);
8528 if (rc < 0)
8529 break;
8530
8531 entries++;
8532 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8533 cont:
8534 idx++;
8535 }
8536 if (ctx->reset && entries)
8537 audit_log_obj_reset(table, nft_base_seq(net), entries);
8538 if (rc < 0)
8539 break;
8540 }
8541 rcu_read_unlock();
8542
8543 ctx->s_idx = idx;
8544 return skb->len;
8545 }
8546
nf_tables_dumpreset_obj(struct sk_buff * skb,struct netlink_callback * cb)8547 static int nf_tables_dumpreset_obj(struct sk_buff *skb,
8548 struct netlink_callback *cb)
8549 {
8550 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
8551 int ret;
8552
8553 mutex_lock(&nft_net->commit_mutex);
8554 ret = nf_tables_dump_obj(skb, cb);
8555 mutex_unlock(&nft_net->commit_mutex);
8556
8557 return ret;
8558 }
8559
nf_tables_dump_obj_start(struct netlink_callback * cb)8560 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
8561 {
8562 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8563 const struct nlattr * const *nla = cb->data;
8564
8565 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
8566
8567 if (nla[NFTA_OBJ_TABLE]) {
8568 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
8569 if (!ctx->table)
8570 return -ENOMEM;
8571 }
8572
8573 if (nla[NFTA_OBJ_TYPE])
8574 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8575
8576 return 0;
8577 }
8578
nf_tables_dumpreset_obj_start(struct netlink_callback * cb)8579 static int nf_tables_dumpreset_obj_start(struct netlink_callback *cb)
8580 {
8581 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8582
8583 ctx->reset = true;
8584
8585 return nf_tables_dump_obj_start(cb);
8586 }
8587
nf_tables_dump_obj_done(struct netlink_callback * cb)8588 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
8589 {
8590 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8591
8592 kfree(ctx->table);
8593
8594 return 0;
8595 }
8596
8597 /* Caller must hold rcu read lock or transaction mutex */
8598 static struct sk_buff *
nf_tables_getobj_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)8599 nf_tables_getobj_single(u32 portid, const struct nfnl_info *info,
8600 const struct nlattr * const nla[], bool reset)
8601 {
8602 struct netlink_ext_ack *extack = info->extack;
8603 u8 genmask = nft_genmask_cur(info->net);
8604 u8 family = info->nfmsg->nfgen_family;
8605 const struct nft_table *table;
8606 struct net *net = info->net;
8607 struct nft_object *obj;
8608 struct sk_buff *skb2;
8609 u32 objtype;
8610 int err;
8611
8612 if (!nla[NFTA_OBJ_NAME] ||
8613 !nla[NFTA_OBJ_TYPE])
8614 return ERR_PTR(-EINVAL);
8615
8616 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
8617 if (IS_ERR(table)) {
8618 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8619 return ERR_CAST(table);
8620 }
8621
8622 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8623 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8624 if (IS_ERR(obj)) {
8625 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8626 return ERR_CAST(obj);
8627 }
8628
8629 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8630 if (!skb2)
8631 return ERR_PTR(-ENOMEM);
8632
8633 err = nf_tables_fill_obj_info(skb2, net, portid,
8634 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
8635 family, table, obj, reset);
8636 if (err < 0) {
8637 kfree_skb(skb2);
8638 return ERR_PTR(err);
8639 }
8640
8641 return skb2;
8642 }
8643
nf_tables_getobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8644 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
8645 const struct nlattr * const nla[])
8646 {
8647 u32 portid = NETLINK_CB(skb).portid;
8648 struct sk_buff *skb2;
8649
8650 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8651 struct netlink_dump_control c = {
8652 .start = nf_tables_dump_obj_start,
8653 .dump = nf_tables_dump_obj,
8654 .done = nf_tables_dump_obj_done,
8655 .module = THIS_MODULE,
8656 .data = (void *)nla,
8657 };
8658
8659 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8660 }
8661
8662 skb2 = nf_tables_getobj_single(portid, info, nla, false);
8663 if (IS_ERR(skb2))
8664 return PTR_ERR(skb2);
8665
8666 return nfnetlink_unicast(skb2, info->net, portid);
8667 }
8668
nf_tables_getobj_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8669 static int nf_tables_getobj_reset(struct sk_buff *skb,
8670 const struct nfnl_info *info,
8671 const struct nlattr * const nla[])
8672 {
8673 struct nftables_pernet *nft_net = nft_pernet(info->net);
8674 u32 portid = NETLINK_CB(skb).portid;
8675 struct net *net = info->net;
8676 struct sk_buff *skb2;
8677 char *buf;
8678
8679 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8680 struct netlink_dump_control c = {
8681 .start = nf_tables_dumpreset_obj_start,
8682 .dump = nf_tables_dumpreset_obj,
8683 .done = nf_tables_dump_obj_done,
8684 .module = THIS_MODULE,
8685 .data = (void *)nla,
8686 };
8687
8688 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8689 }
8690
8691 if (!try_module_get(THIS_MODULE))
8692 return -EINVAL;
8693 rcu_read_unlock();
8694 mutex_lock(&nft_net->commit_mutex);
8695 skb2 = nf_tables_getobj_single(portid, info, nla, true);
8696 mutex_unlock(&nft_net->commit_mutex);
8697 rcu_read_lock();
8698 module_put(THIS_MODULE);
8699
8700 if (IS_ERR(skb2))
8701 return PTR_ERR(skb2);
8702
8703 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
8704 nla_len(nla[NFTA_OBJ_TABLE]),
8705 (char *)nla_data(nla[NFTA_OBJ_TABLE]),
8706 nft_base_seq(net));
8707 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
8708 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
8709 kfree(buf);
8710
8711 return nfnetlink_unicast(skb2, net, portid);
8712 }
8713
nft_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)8714 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
8715 {
8716 if (obj->ops->destroy)
8717 obj->ops->destroy(ctx, obj);
8718
8719 module_put(obj->ops->type->owner);
8720 kfree(obj->key.name);
8721 kfree(obj->udata);
8722 kfree(obj);
8723 }
8724
nf_tables_delobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8725 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
8726 const struct nlattr * const nla[])
8727 {
8728 struct netlink_ext_ack *extack = info->extack;
8729 u8 genmask = nft_genmask_next(info->net);
8730 u8 family = info->nfmsg->nfgen_family;
8731 struct net *net = info->net;
8732 const struct nlattr *attr;
8733 struct nft_table *table;
8734 struct nft_object *obj;
8735 struct nft_ctx ctx;
8736 u32 objtype;
8737
8738 if (!nla[NFTA_OBJ_TYPE] ||
8739 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
8740 return -EINVAL;
8741
8742 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8743 NETLINK_CB(skb).portid);
8744 if (IS_ERR(table)) {
8745 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8746 return PTR_ERR(table);
8747 }
8748
8749 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8750 if (nla[NFTA_OBJ_HANDLE]) {
8751 attr = nla[NFTA_OBJ_HANDLE];
8752 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
8753 } else {
8754 attr = nla[NFTA_OBJ_NAME];
8755 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
8756 }
8757
8758 if (IS_ERR(obj)) {
8759 if (PTR_ERR(obj) == -ENOENT &&
8760 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
8761 return 0;
8762
8763 NL_SET_BAD_ATTR(extack, attr);
8764 return PTR_ERR(obj);
8765 }
8766 if (obj->use > 0) {
8767 NL_SET_BAD_ATTR(extack, attr);
8768 return -EBUSY;
8769 }
8770
8771 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8772
8773 return nft_delobj(&ctx, obj);
8774 }
8775
8776 static void
__nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8777 __nft_obj_notify(struct net *net, const struct nft_table *table,
8778 struct nft_object *obj, u32 portid, u32 seq, int event,
8779 u16 flags, int family, int report, gfp_t gfp)
8780 {
8781 struct nftables_pernet *nft_net = nft_pernet(net);
8782 struct sk_buff *skb;
8783 int err;
8784
8785 if (!report &&
8786 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8787 return;
8788
8789 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
8790 if (skb == NULL)
8791 goto err;
8792
8793 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
8794 flags & (NLM_F_CREATE | NLM_F_EXCL),
8795 family, table, obj, false);
8796 if (err < 0) {
8797 kfree_skb(skb);
8798 goto err;
8799 }
8800
8801 nft_notify_enqueue(skb, report, &nft_net->notify_list);
8802 return;
8803 err:
8804 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
8805 }
8806
nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8807 void nft_obj_notify(struct net *net, const struct nft_table *table,
8808 struct nft_object *obj, u32 portid, u32 seq, int event,
8809 u16 flags, int family, int report, gfp_t gfp)
8810 {
8811 char *buf = kasprintf(gfp, "%s:%u",
8812 table->name, nft_base_seq(net));
8813
8814 audit_log_nfcfg(buf,
8815 family,
8816 obj->handle,
8817 event == NFT_MSG_NEWOBJ ?
8818 AUDIT_NFT_OP_OBJ_REGISTER :
8819 AUDIT_NFT_OP_OBJ_UNREGISTER,
8820 gfp);
8821 kfree(buf);
8822
8823 __nft_obj_notify(net, table, obj, portid, seq, event,
8824 flags, family, report, gfp);
8825 }
8826 EXPORT_SYMBOL_GPL(nft_obj_notify);
8827
nf_tables_obj_notify(const struct nft_ctx * ctx,struct nft_object * obj,int event)8828 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
8829 struct nft_object *obj, int event)
8830 {
8831 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
8832 ctx->seq, event, ctx->flags, ctx->family,
8833 ctx->report, GFP_KERNEL);
8834 }
8835
8836 /*
8837 * Flow tables
8838 */
nft_register_flowtable_type(struct nf_flowtable_type * type)8839 void nft_register_flowtable_type(struct nf_flowtable_type *type)
8840 {
8841 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8842 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
8843 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8844 }
8845 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
8846
nft_unregister_flowtable_type(struct nf_flowtable_type * type)8847 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
8848 {
8849 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8850 list_del_rcu(&type->list);
8851 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8852 }
8853 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
8854
8855 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
8856 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
8857 .len = NFT_NAME_MAXLEN - 1 },
8858 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
8859 .len = NFT_NAME_MAXLEN - 1 },
8860 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8861 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8862 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8863 };
8864
nft_flowtable_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)8865 struct nft_flowtable *nft_flowtable_lookup(const struct net *net,
8866 const struct nft_table *table,
8867 const struct nlattr *nla, u8 genmask)
8868 {
8869 struct nft_flowtable *flowtable;
8870
8871 list_for_each_entry_rcu(flowtable, &table->flowtables, list,
8872 lockdep_commit_lock_is_held(net)) {
8873 if (!nla_strcmp(nla, flowtable->name) &&
8874 nft_active_genmask(flowtable, genmask))
8875 return flowtable;
8876 }
8877 return ERR_PTR(-ENOENT);
8878 }
8879 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8880
nf_tables_deactivate_flowtable(const struct nft_ctx * ctx,struct nft_flowtable * flowtable,enum nft_trans_phase phase)8881 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8882 struct nft_flowtable *flowtable,
8883 enum nft_trans_phase phase)
8884 {
8885 switch (phase) {
8886 case NFT_TRANS_PREPARE_ERROR:
8887 case NFT_TRANS_PREPARE:
8888 case NFT_TRANS_ABORT:
8889 case NFT_TRANS_RELEASE:
8890 nft_use_dec(&flowtable->use);
8891 fallthrough;
8892 default:
8893 return;
8894 }
8895 }
8896 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8897
8898 static struct nft_flowtable *
nft_flowtable_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8899 nft_flowtable_lookup_byhandle(const struct nft_table *table,
8900 const struct nlattr *nla, u8 genmask)
8901 {
8902 struct nft_flowtable *flowtable;
8903
8904 list_for_each_entry(flowtable, &table->flowtables, list) {
8905 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8906 nft_active_genmask(flowtable, genmask))
8907 return flowtable;
8908 }
8909 return ERR_PTR(-ENOENT);
8910 }
8911
8912 struct nft_flowtable_hook {
8913 u32 num;
8914 int priority;
8915 struct list_head list;
8916 };
8917
8918 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8919 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8920 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8921 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8922 };
8923
nft_flowtable_parse_hook(const struct nft_ctx * ctx,const struct nlattr * const nla[],struct nft_flowtable_hook * flowtable_hook,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack,bool add)8924 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8925 const struct nlattr * const nla[],
8926 struct nft_flowtable_hook *flowtable_hook,
8927 struct nft_flowtable *flowtable,
8928 struct netlink_ext_ack *extack, bool add)
8929 {
8930 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8931 struct nf_hook_ops *ops;
8932 struct nft_hook *hook;
8933 int hooknum, priority;
8934 int err;
8935
8936 INIT_LIST_HEAD(&flowtable_hook->list);
8937
8938 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8939 nla[NFTA_FLOWTABLE_HOOK],
8940 nft_flowtable_hook_policy, NULL);
8941 if (err < 0)
8942 return err;
8943
8944 if (add) {
8945 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8946 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8947 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8948 return -ENOENT;
8949 }
8950
8951 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8952 if (hooknum != NF_NETDEV_INGRESS)
8953 return -EOPNOTSUPP;
8954
8955 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8956
8957 flowtable_hook->priority = priority;
8958 flowtable_hook->num = hooknum;
8959 } else {
8960 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8961 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8962 if (hooknum != flowtable->hooknum)
8963 return -EOPNOTSUPP;
8964 }
8965
8966 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8967 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8968 if (priority != flowtable->data.priority)
8969 return -EOPNOTSUPP;
8970 }
8971
8972 flowtable_hook->priority = flowtable->data.priority;
8973 flowtable_hook->num = flowtable->hooknum;
8974 }
8975
8976 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8977 err = nf_tables_parse_netdev_hooks(ctx->net,
8978 tb[NFTA_FLOWTABLE_HOOK_DEVS],
8979 &flowtable_hook->list,
8980 extack);
8981 if (err < 0)
8982 return err;
8983 }
8984
8985 list_for_each_entry(hook, &flowtable_hook->list, list) {
8986 list_for_each_entry(ops, &hook->ops_list, list) {
8987 ops->pf = NFPROTO_NETDEV;
8988 ops->hooknum = flowtable_hook->num;
8989 ops->priority = flowtable_hook->priority;
8990 ops->priv = &flowtable->data;
8991 ops->hook = flowtable->data.type->hook;
8992 ops->hook_ops_type = NF_HOOK_OP_NFT_FT;
8993 }
8994 }
8995
8996 return err;
8997 }
8998
8999 /* call under rcu_read_lock */
__nft_flowtable_type_get(u8 family)9000 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
9001 {
9002 const struct nf_flowtable_type *type;
9003
9004 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
9005 if (family == type->family)
9006 return type;
9007 }
9008 return NULL;
9009 }
9010
9011 static const struct nf_flowtable_type *
nft_flowtable_type_get(struct net * net,u8 family)9012 nft_flowtable_type_get(struct net *net, u8 family)
9013 {
9014 const struct nf_flowtable_type *type;
9015
9016 rcu_read_lock();
9017 type = __nft_flowtable_type_get(family);
9018 if (type != NULL && try_module_get(type->owner)) {
9019 rcu_read_unlock();
9020 return type;
9021 }
9022 rcu_read_unlock();
9023
9024 lockdep_nfnl_nft_mutex_not_held();
9025 #ifdef CONFIG_MODULES
9026 if (type == NULL) {
9027 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
9028 return ERR_PTR(-EAGAIN);
9029 }
9030 #endif
9031 return ERR_PTR(-ENOENT);
9032 }
9033
9034 /* Only called from error and netdev event paths. */
nft_unregister_flowtable_ops(struct net * net,struct nft_flowtable * flowtable,struct nf_hook_ops * ops)9035 static void nft_unregister_flowtable_ops(struct net *net,
9036 struct nft_flowtable *flowtable,
9037 struct nf_hook_ops *ops)
9038 {
9039 nf_unregister_net_hook(net, ops);
9040 flowtable->data.type->setup(&flowtable->data, ops->dev,
9041 FLOW_BLOCK_UNBIND);
9042 }
9043
__nft_unregister_flowtable_net_hooks(struct net * net,struct nft_flowtable * flowtable,struct list_head * hook_list,bool release_netdev)9044 static void __nft_unregister_flowtable_net_hooks(struct net *net,
9045 struct nft_flowtable *flowtable,
9046 struct list_head *hook_list,
9047 bool release_netdev)
9048 {
9049 struct nft_hook *hook, *next;
9050 struct nf_hook_ops *ops;
9051
9052 list_for_each_entry_safe(hook, next, hook_list, list) {
9053 list_for_each_entry(ops, &hook->ops_list, list)
9054 nft_unregister_flowtable_ops(net, flowtable, ops);
9055 if (release_netdev) {
9056 list_del(&hook->list);
9057 nft_netdev_hook_free_rcu(hook);
9058 }
9059 }
9060 }
9061
nft_unregister_flowtable_net_hooks(struct net * net,struct nft_flowtable * flowtable,struct list_head * hook_list)9062 static void nft_unregister_flowtable_net_hooks(struct net *net,
9063 struct nft_flowtable *flowtable,
9064 struct list_head *hook_list)
9065 {
9066 __nft_unregister_flowtable_net_hooks(net, flowtable, hook_list, false);
9067 }
9068
nft_register_flowtable_ops(struct net * net,struct nft_flowtable * flowtable,struct nf_hook_ops * ops)9069 static int nft_register_flowtable_ops(struct net *net,
9070 struct nft_flowtable *flowtable,
9071 struct nf_hook_ops *ops)
9072 {
9073 int err;
9074
9075 err = flowtable->data.type->setup(&flowtable->data,
9076 ops->dev, FLOW_BLOCK_BIND);
9077 if (err < 0)
9078 return err;
9079
9080 err = nf_register_net_hook(net, ops);
9081 if (!err)
9082 return 0;
9083
9084 flowtable->data.type->setup(&flowtable->data,
9085 ops->dev, FLOW_BLOCK_UNBIND);
9086 return err;
9087 }
9088
nft_register_flowtable_net_hooks(struct net * net,struct nft_table * table,struct list_head * hook_list,struct nft_flowtable * flowtable)9089 static int nft_register_flowtable_net_hooks(struct net *net,
9090 struct nft_table *table,
9091 struct list_head *hook_list,
9092 struct nft_flowtable *flowtable)
9093 {
9094 struct nft_hook *hook, *next;
9095 struct nft_flowtable *ft;
9096 struct nf_hook_ops *ops;
9097 int err, i = 0;
9098
9099 list_for_each_entry(hook, hook_list, list) {
9100 list_for_each_entry(ft, &table->flowtables, list) {
9101 if (!nft_is_active_next(net, ft))
9102 continue;
9103
9104 if (nft_hook_list_find(&ft->hook_list, hook)) {
9105 err = -EEXIST;
9106 goto err_unregister_net_hooks;
9107 }
9108 }
9109
9110 list_for_each_entry(ops, &hook->ops_list, list) {
9111 err = nft_register_flowtable_ops(net, flowtable, ops);
9112 if (err < 0)
9113 goto err_unregister_net_hooks;
9114
9115 i++;
9116 }
9117 }
9118
9119 return 0;
9120
9121 err_unregister_net_hooks:
9122 list_for_each_entry_safe(hook, next, hook_list, list) {
9123 list_for_each_entry(ops, &hook->ops_list, list) {
9124 if (i-- <= 0)
9125 break;
9126
9127 nft_unregister_flowtable_ops(net, flowtable, ops);
9128 }
9129 list_del_rcu(&hook->list);
9130 nft_netdev_hook_free_rcu(hook);
9131 }
9132
9133 return err;
9134 }
9135
nft_hooks_destroy(struct list_head * hook_list)9136 static void nft_hooks_destroy(struct list_head *hook_list)
9137 {
9138 struct nft_hook *hook, *next;
9139
9140 list_for_each_entry_safe(hook, next, hook_list, list) {
9141 list_del_rcu(&hook->list);
9142 nft_netdev_hook_free_rcu(hook);
9143 }
9144 }
9145
nft_flowtable_update(struct nft_ctx * ctx,const struct nlmsghdr * nlh,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)9146 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
9147 struct nft_flowtable *flowtable,
9148 struct netlink_ext_ack *extack)
9149 {
9150 const struct nlattr * const *nla = ctx->nla;
9151 struct nft_flowtable_hook flowtable_hook;
9152 struct nftables_pernet *nft_net;
9153 struct nft_hook *hook, *next;
9154 struct nf_hook_ops *ops;
9155 struct nft_trans *trans;
9156 bool unregister = false;
9157 u32 flags;
9158 int err;
9159
9160 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
9161 extack, false);
9162 if (err < 0)
9163 return err;
9164
9165 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
9166 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
9167 list_del(&hook->list);
9168 nft_netdev_hook_free(hook);
9169 continue;
9170 }
9171
9172 nft_net = nft_pernet(ctx->net);
9173 list_for_each_entry(trans, &nft_net->commit_list, list) {
9174 if (trans->msg_type != NFT_MSG_NEWFLOWTABLE ||
9175 trans->table != ctx->table ||
9176 !nft_trans_flowtable_update(trans))
9177 continue;
9178
9179 if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) {
9180 err = -EEXIST;
9181 goto err_flowtable_update_hook;
9182 }
9183 }
9184 }
9185
9186 if (nla[NFTA_FLOWTABLE_FLAGS]) {
9187 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
9188 if (flags & ~NFT_FLOWTABLE_MASK) {
9189 err = -EOPNOTSUPP;
9190 goto err_flowtable_update_hook;
9191 }
9192 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
9193 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
9194 err = -EOPNOTSUPP;
9195 goto err_flowtable_update_hook;
9196 }
9197 } else {
9198 flags = flowtable->data.flags;
9199 }
9200
9201 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
9202 &flowtable_hook.list, flowtable);
9203 if (err < 0)
9204 goto err_flowtable_update_hook;
9205
9206 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
9207 sizeof(struct nft_trans_flowtable));
9208 if (!trans) {
9209 unregister = true;
9210 err = -ENOMEM;
9211 goto err_flowtable_update_hook;
9212 }
9213
9214 nft_trans_flowtable_flags(trans) = flags;
9215 nft_trans_flowtable(trans) = flowtable;
9216 nft_trans_flowtable_update(trans) = true;
9217 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
9218 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
9219
9220 nft_trans_commit_list_add_tail(ctx->net, trans);
9221
9222 return 0;
9223
9224 err_flowtable_update_hook:
9225 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
9226 if (unregister) {
9227 list_for_each_entry(ops, &hook->ops_list, list)
9228 nft_unregister_flowtable_ops(ctx->net,
9229 flowtable, ops);
9230 }
9231 list_del_rcu(&hook->list);
9232 nft_netdev_hook_free_rcu(hook);
9233 }
9234
9235 return err;
9236
9237 }
9238
nf_tables_newflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9239 static int nf_tables_newflowtable(struct sk_buff *skb,
9240 const struct nfnl_info *info,
9241 const struct nlattr * const nla[])
9242 {
9243 struct netlink_ext_ack *extack = info->extack;
9244 struct nft_flowtable_hook flowtable_hook;
9245 u8 genmask = nft_genmask_next(info->net);
9246 u8 family = info->nfmsg->nfgen_family;
9247 const struct nf_flowtable_type *type;
9248 struct nft_flowtable *flowtable;
9249 struct net *net = info->net;
9250 struct nft_table *table;
9251 struct nft_trans *trans;
9252 struct nft_ctx ctx;
9253 int err;
9254
9255 if (!nla[NFTA_FLOWTABLE_TABLE] ||
9256 !nla[NFTA_FLOWTABLE_NAME] ||
9257 !nla[NFTA_FLOWTABLE_HOOK])
9258 return -EINVAL;
9259
9260 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9261 genmask, NETLINK_CB(skb).portid);
9262 if (IS_ERR(table)) {
9263 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9264 return PTR_ERR(table);
9265 }
9266
9267 flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME],
9268 genmask);
9269 if (IS_ERR(flowtable)) {
9270 err = PTR_ERR(flowtable);
9271 if (err != -ENOENT) {
9272 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9273 return err;
9274 }
9275 } else {
9276 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
9277 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9278 return -EEXIST;
9279 }
9280
9281 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
9282
9283 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
9284 }
9285
9286 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
9287
9288 if (!nft_use_inc(&table->use))
9289 return -EMFILE;
9290
9291 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
9292 if (!flowtable) {
9293 err = -ENOMEM;
9294 goto flowtable_alloc;
9295 }
9296
9297 flowtable->table = table;
9298 flowtable->handle = nf_tables_alloc_handle(table);
9299 INIT_LIST_HEAD(&flowtable->hook_list);
9300
9301 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
9302 if (!flowtable->name) {
9303 err = -ENOMEM;
9304 goto err1;
9305 }
9306
9307 type = nft_flowtable_type_get(net, family);
9308 if (IS_ERR(type)) {
9309 err = PTR_ERR(type);
9310 goto err2;
9311 }
9312
9313 if (nla[NFTA_FLOWTABLE_FLAGS]) {
9314 flowtable->data.flags =
9315 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
9316 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
9317 err = -EOPNOTSUPP;
9318 goto err3;
9319 }
9320 }
9321
9322 write_pnet(&flowtable->data.net, net);
9323 flowtable->data.type = type;
9324 err = type->init(&flowtable->data);
9325 if (err < 0)
9326 goto err3;
9327
9328 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
9329 extack, true);
9330 if (err < 0)
9331 goto err_flowtable_parse_hooks;
9332
9333 list_splice(&flowtable_hook.list, &flowtable->hook_list);
9334 flowtable->data.priority = flowtable_hook.priority;
9335 flowtable->hooknum = flowtable_hook.num;
9336
9337 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
9338 if (IS_ERR(trans)) {
9339 err = PTR_ERR(trans);
9340 goto err_flowtable_trans;
9341 }
9342
9343 /* This must be LAST to ensure no packets are walking over this flowtable. */
9344 err = nft_register_flowtable_net_hooks(ctx.net, table,
9345 &flowtable->hook_list,
9346 flowtable);
9347 if (err < 0)
9348 goto err_flowtable_hooks;
9349
9350 list_add_tail_rcu(&flowtable->list, &table->flowtables);
9351
9352 return 0;
9353
9354 err_flowtable_hooks:
9355 nft_trans_destroy(trans);
9356 err_flowtable_trans:
9357 nft_hooks_destroy(&flowtable->hook_list);
9358 err_flowtable_parse_hooks:
9359 flowtable->data.type->free(&flowtable->data);
9360 err3:
9361 module_put(type->owner);
9362 err2:
9363 kfree(flowtable->name);
9364 err1:
9365 kfree(flowtable);
9366 flowtable_alloc:
9367 nft_use_dec_restore(&table->use);
9368
9369 return err;
9370 }
9371
nft_flowtable_hook_release(struct nft_flowtable_hook * flowtable_hook)9372 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
9373 {
9374 struct nft_hook *this, *next;
9375
9376 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
9377 list_del(&this->list);
9378 nft_netdev_hook_free(this);
9379 }
9380 }
9381
nft_delflowtable_hook(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)9382 static int nft_delflowtable_hook(struct nft_ctx *ctx,
9383 struct nft_flowtable *flowtable,
9384 struct netlink_ext_ack *extack)
9385 {
9386 const struct nlattr * const *nla = ctx->nla;
9387 struct nft_flowtable_hook flowtable_hook;
9388 LIST_HEAD(flowtable_del_list);
9389 struct nft_hook *this, *hook;
9390 struct nft_trans *trans;
9391 int err;
9392
9393 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
9394 extack, false);
9395 if (err < 0)
9396 return err;
9397
9398 list_for_each_entry(this, &flowtable_hook.list, list) {
9399 hook = nft_hook_list_find(&flowtable->hook_list, this);
9400 if (!hook) {
9401 err = -ENOENT;
9402 goto err_flowtable_del_hook;
9403 }
9404 list_move(&hook->list, &flowtable_del_list);
9405 }
9406
9407 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
9408 sizeof(struct nft_trans_flowtable));
9409 if (!trans) {
9410 err = -ENOMEM;
9411 goto err_flowtable_del_hook;
9412 }
9413
9414 nft_trans_flowtable(trans) = flowtable;
9415 nft_trans_flowtable_update(trans) = true;
9416 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
9417 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
9418 nft_flowtable_hook_release(&flowtable_hook);
9419
9420 nft_trans_commit_list_add_tail(ctx->net, trans);
9421
9422 return 0;
9423
9424 err_flowtable_del_hook:
9425 list_splice(&flowtable_del_list, &flowtable->hook_list);
9426 nft_flowtable_hook_release(&flowtable_hook);
9427
9428 return err;
9429 }
9430
nf_tables_delflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9431 static int nf_tables_delflowtable(struct sk_buff *skb,
9432 const struct nfnl_info *info,
9433 const struct nlattr * const nla[])
9434 {
9435 struct netlink_ext_ack *extack = info->extack;
9436 u8 genmask = nft_genmask_next(info->net);
9437 u8 family = info->nfmsg->nfgen_family;
9438 struct nft_flowtable *flowtable;
9439 struct net *net = info->net;
9440 const struct nlattr *attr;
9441 struct nft_table *table;
9442 struct nft_ctx ctx;
9443
9444 if (!nla[NFTA_FLOWTABLE_TABLE] ||
9445 (!nla[NFTA_FLOWTABLE_NAME] &&
9446 !nla[NFTA_FLOWTABLE_HANDLE]))
9447 return -EINVAL;
9448
9449 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9450 genmask, NETLINK_CB(skb).portid);
9451 if (IS_ERR(table)) {
9452 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9453 return PTR_ERR(table);
9454 }
9455
9456 if (nla[NFTA_FLOWTABLE_HANDLE]) {
9457 attr = nla[NFTA_FLOWTABLE_HANDLE];
9458 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
9459 } else {
9460 attr = nla[NFTA_FLOWTABLE_NAME];
9461 flowtable = nft_flowtable_lookup(net, table, attr, genmask);
9462 }
9463
9464 if (IS_ERR(flowtable)) {
9465 if (PTR_ERR(flowtable) == -ENOENT &&
9466 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
9467 return 0;
9468
9469 NL_SET_BAD_ATTR(extack, attr);
9470 return PTR_ERR(flowtable);
9471 }
9472
9473 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
9474
9475 if (nla[NFTA_FLOWTABLE_HOOK])
9476 return nft_delflowtable_hook(&ctx, flowtable, extack);
9477
9478 if (flowtable->use > 0) {
9479 NL_SET_BAD_ATTR(extack, attr);
9480 return -EBUSY;
9481 }
9482
9483 return nft_delflowtable(&ctx, flowtable);
9484 }
9485
nf_tables_fill_flowtable_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,struct nft_flowtable * flowtable,struct list_head * hook_list)9486 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
9487 u32 portid, u32 seq, int event,
9488 u32 flags, int family,
9489 struct nft_flowtable *flowtable,
9490 struct list_head *hook_list)
9491 {
9492 struct nlattr *nest, *nest_devs;
9493 struct nft_hook *hook;
9494 struct nlmsghdr *nlh;
9495
9496 nlh = nfnl_msg_put(skb, portid, seq,
9497 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
9498 flags, family, NFNETLINK_V0, nft_base_seq_be16(net));
9499 if (!nlh)
9500 goto nla_put_failure;
9501
9502 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
9503 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
9504 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
9505 NFTA_FLOWTABLE_PAD))
9506 goto nla_put_failure;
9507
9508 if (!hook_list &&
9509 (event == NFT_MSG_DELFLOWTABLE ||
9510 event == NFT_MSG_DESTROYFLOWTABLE)) {
9511 nlmsg_end(skb, nlh);
9512 return 0;
9513 }
9514
9515 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
9516 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
9517 goto nla_put_failure;
9518
9519 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
9520 if (!nest)
9521 goto nla_put_failure;
9522 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
9523 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
9524 goto nla_put_failure;
9525
9526 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
9527 if (!nest_devs)
9528 goto nla_put_failure;
9529
9530 if (!hook_list)
9531 hook_list = &flowtable->hook_list;
9532
9533 list_for_each_entry_rcu(hook, hook_list, list,
9534 lockdep_commit_lock_is_held(net)) {
9535 if (nft_nla_put_hook_dev(skb, hook))
9536 goto nla_put_failure;
9537 }
9538 nla_nest_end(skb, nest_devs);
9539 nla_nest_end(skb, nest);
9540
9541 nlmsg_end(skb, nlh);
9542 return 0;
9543
9544 nla_put_failure:
9545 nlmsg_trim(skb, nlh);
9546 return -1;
9547 }
9548
9549 struct nft_flowtable_filter {
9550 char *table;
9551 };
9552
nf_tables_dump_flowtable(struct sk_buff * skb,struct netlink_callback * cb)9553 static int nf_tables_dump_flowtable(struct sk_buff *skb,
9554 struct netlink_callback *cb)
9555 {
9556 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
9557 struct nft_flowtable_filter *filter = cb->data;
9558 unsigned int idx = 0, s_idx = cb->args[0];
9559 struct net *net = sock_net(skb->sk);
9560 int family = nfmsg->nfgen_family;
9561 struct nft_flowtable *flowtable;
9562 struct nftables_pernet *nft_net;
9563 const struct nft_table *table;
9564
9565 rcu_read_lock();
9566 nft_net = nft_pernet(net);
9567 cb->seq = nft_base_seq(net);
9568
9569 list_for_each_entry_rcu(table, &nft_net->tables, list) {
9570 if (family != NFPROTO_UNSPEC && family != table->family)
9571 continue;
9572
9573 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
9574 if (!nft_is_active(net, flowtable))
9575 goto cont;
9576 if (idx < s_idx)
9577 goto cont;
9578 if (idx > s_idx)
9579 memset(&cb->args[1], 0,
9580 sizeof(cb->args) - sizeof(cb->args[0]));
9581 if (filter && filter->table &&
9582 strcmp(filter->table, table->name))
9583 goto cont;
9584
9585 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
9586 cb->nlh->nlmsg_seq,
9587 NFT_MSG_NEWFLOWTABLE,
9588 NLM_F_MULTI | NLM_F_APPEND,
9589 table->family,
9590 flowtable, NULL) < 0)
9591 goto done;
9592
9593 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
9594 cont:
9595 idx++;
9596 }
9597 }
9598 done:
9599 rcu_read_unlock();
9600
9601 cb->args[0] = idx;
9602 return skb->len;
9603 }
9604
nf_tables_dump_flowtable_start(struct netlink_callback * cb)9605 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
9606 {
9607 const struct nlattr * const *nla = cb->data;
9608 struct nft_flowtable_filter *filter = NULL;
9609
9610 if (nla[NFTA_FLOWTABLE_TABLE]) {
9611 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
9612 if (!filter)
9613 return -ENOMEM;
9614
9615 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
9616 GFP_ATOMIC);
9617 if (!filter->table) {
9618 kfree(filter);
9619 return -ENOMEM;
9620 }
9621 }
9622
9623 cb->data = filter;
9624 return 0;
9625 }
9626
nf_tables_dump_flowtable_done(struct netlink_callback * cb)9627 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
9628 {
9629 struct nft_flowtable_filter *filter = cb->data;
9630
9631 if (!filter)
9632 return 0;
9633
9634 kfree(filter->table);
9635 kfree(filter);
9636
9637 return 0;
9638 }
9639
9640 /* called with rcu_read_lock held */
nf_tables_getflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9641 static int nf_tables_getflowtable(struct sk_buff *skb,
9642 const struct nfnl_info *info,
9643 const struct nlattr * const nla[])
9644 {
9645 struct netlink_ext_ack *extack = info->extack;
9646 u8 genmask = nft_genmask_cur(info->net);
9647 u8 family = info->nfmsg->nfgen_family;
9648 struct nft_flowtable *flowtable;
9649 const struct nft_table *table;
9650 struct net *net = info->net;
9651 struct sk_buff *skb2;
9652 int err;
9653
9654 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
9655 struct netlink_dump_control c = {
9656 .start = nf_tables_dump_flowtable_start,
9657 .dump = nf_tables_dump_flowtable,
9658 .done = nf_tables_dump_flowtable_done,
9659 .module = THIS_MODULE,
9660 .data = (void *)nla,
9661 };
9662
9663 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
9664 }
9665
9666 if (!nla[NFTA_FLOWTABLE_NAME])
9667 return -EINVAL;
9668
9669 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9670 genmask, 0);
9671 if (IS_ERR(table)) {
9672 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9673 return PTR_ERR(table);
9674 }
9675
9676 flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME],
9677 genmask);
9678 if (IS_ERR(flowtable)) {
9679 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9680 return PTR_ERR(flowtable);
9681 }
9682
9683 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9684 if (!skb2)
9685 return -ENOMEM;
9686
9687 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
9688 info->nlh->nlmsg_seq,
9689 NFT_MSG_NEWFLOWTABLE, 0, family,
9690 flowtable, NULL);
9691 if (err < 0)
9692 goto err_fill_flowtable_info;
9693
9694 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
9695
9696 err_fill_flowtable_info:
9697 kfree_skb(skb2);
9698 return err;
9699 }
9700
nf_tables_flowtable_notify(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct list_head * hook_list,int event)9701 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
9702 struct nft_flowtable *flowtable,
9703 struct list_head *hook_list, int event)
9704 {
9705 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
9706 struct sk_buff *skb;
9707 u16 flags = 0;
9708 int err;
9709
9710 if (!ctx->report &&
9711 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
9712 return;
9713
9714 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9715 if (skb == NULL)
9716 goto err;
9717
9718 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
9719 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
9720
9721 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
9722 ctx->seq, event, flags,
9723 ctx->family, flowtable, hook_list);
9724 if (err < 0) {
9725 kfree_skb(skb);
9726 goto err;
9727 }
9728
9729 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
9730 return;
9731 err:
9732 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
9733 }
9734
nf_tables_flowtable_destroy(struct nft_flowtable * flowtable)9735 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
9736 {
9737 struct nft_hook *hook, *next;
9738
9739 flowtable->data.type->free(&flowtable->data);
9740 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
9741 list_del_rcu(&hook->list);
9742 nft_netdev_hook_free_rcu(hook);
9743 }
9744 kfree(flowtable->name);
9745 module_put(flowtable->data.type->owner);
9746 kfree(flowtable);
9747 }
9748
nf_tables_fill_gen_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq)9749 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
9750 u32 portid, u32 seq)
9751 {
9752 struct nlmsghdr *nlh;
9753 char buf[TASK_COMM_LEN];
9754 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
9755
9756 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
9757 NFNETLINK_V0, nft_base_seq_be16(net));
9758 if (!nlh)
9759 goto nla_put_failure;
9760
9761 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_base_seq(net))) ||
9762 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
9763 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
9764 goto nla_put_failure;
9765
9766 nlmsg_end(skb, nlh);
9767 return 0;
9768
9769 nla_put_failure:
9770 nlmsg_trim(skb, nlh);
9771 return -EMSGSIZE;
9772 }
9773
nft_hook_find_ops(const struct nft_hook * hook,const struct net_device * dev)9774 struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook,
9775 const struct net_device *dev)
9776 {
9777 struct nf_hook_ops *ops;
9778
9779 list_for_each_entry(ops, &hook->ops_list, list) {
9780 if (ops->dev == dev)
9781 return ops;
9782 }
9783 return NULL;
9784 }
9785 EXPORT_SYMBOL_GPL(nft_hook_find_ops);
9786
nft_hook_find_ops_rcu(const struct nft_hook * hook,const struct net_device * dev)9787 struct nf_hook_ops *nft_hook_find_ops_rcu(const struct nft_hook *hook,
9788 const struct net_device *dev)
9789 {
9790 struct nf_hook_ops *ops;
9791
9792 list_for_each_entry_rcu(ops, &hook->ops_list, list) {
9793 if (ops->dev == dev)
9794 return ops;
9795 }
9796 return NULL;
9797 }
9798 EXPORT_SYMBOL_GPL(nft_hook_find_ops_rcu);
9799
nft_flowtable_event(unsigned long event,struct net_device * dev,struct nft_flowtable * flowtable,bool changename)9800 static int nft_flowtable_event(unsigned long event, struct net_device *dev,
9801 struct nft_flowtable *flowtable, bool changename)
9802 {
9803 struct nf_hook_ops *ops;
9804 struct nft_hook *hook;
9805 bool match;
9806
9807 list_for_each_entry(hook, &flowtable->hook_list, list) {
9808 ops = nft_hook_find_ops(hook, dev);
9809 match = !strncmp(hook->ifname, dev->name, hook->ifnamelen);
9810
9811 switch (event) {
9812 case NETDEV_UNREGISTER:
9813 /* NOP if not found or new name still matching */
9814 if (!ops || (changename && match))
9815 continue;
9816
9817 /* flow_offload_netdev_event() cleans up entries for us. */
9818 nft_unregister_flowtable_ops(dev_net(dev),
9819 flowtable, ops);
9820 list_del_rcu(&ops->list);
9821 kfree_rcu(ops, rcu);
9822 break;
9823 case NETDEV_REGISTER:
9824 /* NOP if not matching or already registered */
9825 if (!match || (changename && ops))
9826 continue;
9827
9828 ops = kzalloc(sizeof(struct nf_hook_ops),
9829 GFP_KERNEL_ACCOUNT);
9830 if (!ops)
9831 return 1;
9832
9833 ops->pf = NFPROTO_NETDEV;
9834 ops->hooknum = flowtable->hooknum;
9835 ops->priority = flowtable->data.priority;
9836 ops->priv = &flowtable->data;
9837 ops->hook = flowtable->data.type->hook;
9838 ops->hook_ops_type = NF_HOOK_OP_NFT_FT;
9839 ops->dev = dev;
9840 if (nft_register_flowtable_ops(dev_net(dev),
9841 flowtable, ops)) {
9842 kfree(ops);
9843 return 1;
9844 }
9845 list_add_tail_rcu(&ops->list, &hook->ops_list);
9846 break;
9847 }
9848 break;
9849 }
9850 return 0;
9851 }
9852
__nf_tables_flowtable_event(unsigned long event,struct net_device * dev,bool changename)9853 static int __nf_tables_flowtable_event(unsigned long event,
9854 struct net_device *dev,
9855 bool changename)
9856 {
9857 struct nftables_pernet *nft_net = nft_pernet(dev_net(dev));
9858 struct nft_flowtable *flowtable;
9859 struct nft_table *table;
9860
9861 list_for_each_entry(table, &nft_net->tables, list) {
9862 list_for_each_entry(flowtable, &table->flowtables, list) {
9863 if (nft_flowtable_event(event, dev,
9864 flowtable, changename))
9865 return 1;
9866 }
9867 }
9868 return 0;
9869 }
9870
nf_tables_flowtable_event(struct notifier_block * this,unsigned long event,void * ptr)9871 static int nf_tables_flowtable_event(struct notifier_block *this,
9872 unsigned long event, void *ptr)
9873 {
9874 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
9875 struct nftables_pernet *nft_net;
9876 int ret = NOTIFY_DONE;
9877 struct net *net;
9878
9879 if (event != NETDEV_REGISTER &&
9880 event != NETDEV_UNREGISTER &&
9881 event != NETDEV_CHANGENAME)
9882 return NOTIFY_DONE;
9883
9884 net = dev_net(dev);
9885 nft_net = nft_pernet(net);
9886 mutex_lock(&nft_net->commit_mutex);
9887
9888 if (event == NETDEV_CHANGENAME) {
9889 if (__nf_tables_flowtable_event(NETDEV_REGISTER, dev, true)) {
9890 ret = NOTIFY_BAD;
9891 goto out_unlock;
9892 }
9893 __nf_tables_flowtable_event(NETDEV_UNREGISTER, dev, true);
9894 } else if (__nf_tables_flowtable_event(event, dev, false)) {
9895 ret = NOTIFY_BAD;
9896 }
9897 out_unlock:
9898 mutex_unlock(&nft_net->commit_mutex);
9899 return ret;
9900 }
9901
9902 static struct notifier_block nf_tables_flowtable_notifier = {
9903 .notifier_call = nf_tables_flowtable_event,
9904 };
9905
nf_tables_gen_notify(struct net * net,struct sk_buff * skb,int event)9906 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
9907 int event)
9908 {
9909 struct nlmsghdr *nlh = nlmsg_hdr(skb);
9910 struct sk_buff *skb2;
9911 int err;
9912
9913 if (!nlmsg_report(nlh) &&
9914 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
9915 return;
9916
9917 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9918 if (skb2 == NULL)
9919 goto err;
9920
9921 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
9922 nlh->nlmsg_seq);
9923 if (err < 0) {
9924 kfree_skb(skb2);
9925 goto err;
9926 }
9927
9928 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9929 nlmsg_report(nlh), GFP_KERNEL);
9930 return;
9931 err:
9932 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9933 -ENOBUFS);
9934 }
9935
nf_tables_getgen(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9936 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
9937 const struct nlattr * const nla[])
9938 {
9939 struct sk_buff *skb2;
9940 int err;
9941
9942 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9943 if (skb2 == NULL)
9944 return -ENOMEM;
9945
9946 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
9947 info->nlh->nlmsg_seq);
9948 if (err < 0)
9949 goto err_fill_gen_info;
9950
9951 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
9952
9953 err_fill_gen_info:
9954 kfree_skb(skb2);
9955 return err;
9956 }
9957
9958 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
9959 [NFT_MSG_NEWTABLE] = {
9960 .call = nf_tables_newtable,
9961 .type = NFNL_CB_BATCH,
9962 .attr_count = NFTA_TABLE_MAX,
9963 .policy = nft_table_policy,
9964 },
9965 [NFT_MSG_GETTABLE] = {
9966 .call = nf_tables_gettable,
9967 .type = NFNL_CB_RCU,
9968 .attr_count = NFTA_TABLE_MAX,
9969 .policy = nft_table_policy,
9970 },
9971 [NFT_MSG_DELTABLE] = {
9972 .call = nf_tables_deltable,
9973 .type = NFNL_CB_BATCH,
9974 .attr_count = NFTA_TABLE_MAX,
9975 .policy = nft_table_policy,
9976 },
9977 [NFT_MSG_DESTROYTABLE] = {
9978 .call = nf_tables_deltable,
9979 .type = NFNL_CB_BATCH,
9980 .attr_count = NFTA_TABLE_MAX,
9981 .policy = nft_table_policy,
9982 },
9983 [NFT_MSG_NEWCHAIN] = {
9984 .call = nf_tables_newchain,
9985 .type = NFNL_CB_BATCH,
9986 .attr_count = NFTA_CHAIN_MAX,
9987 .policy = nft_chain_policy,
9988 },
9989 [NFT_MSG_GETCHAIN] = {
9990 .call = nf_tables_getchain,
9991 .type = NFNL_CB_RCU,
9992 .attr_count = NFTA_CHAIN_MAX,
9993 .policy = nft_chain_policy,
9994 },
9995 [NFT_MSG_DELCHAIN] = {
9996 .call = nf_tables_delchain,
9997 .type = NFNL_CB_BATCH,
9998 .attr_count = NFTA_CHAIN_MAX,
9999 .policy = nft_chain_policy,
10000 },
10001 [NFT_MSG_DESTROYCHAIN] = {
10002 .call = nf_tables_delchain,
10003 .type = NFNL_CB_BATCH,
10004 .attr_count = NFTA_CHAIN_MAX,
10005 .policy = nft_chain_policy,
10006 },
10007 [NFT_MSG_NEWRULE] = {
10008 .call = nf_tables_newrule,
10009 .type = NFNL_CB_BATCH,
10010 .attr_count = NFTA_RULE_MAX,
10011 .policy = nft_rule_policy,
10012 },
10013 [NFT_MSG_GETRULE] = {
10014 .call = nf_tables_getrule,
10015 .type = NFNL_CB_RCU,
10016 .attr_count = NFTA_RULE_MAX,
10017 .policy = nft_rule_policy,
10018 },
10019 [NFT_MSG_GETRULE_RESET] = {
10020 .call = nf_tables_getrule_reset,
10021 .type = NFNL_CB_RCU,
10022 .attr_count = NFTA_RULE_MAX,
10023 .policy = nft_rule_policy,
10024 },
10025 [NFT_MSG_DELRULE] = {
10026 .call = nf_tables_delrule,
10027 .type = NFNL_CB_BATCH,
10028 .attr_count = NFTA_RULE_MAX,
10029 .policy = nft_rule_policy,
10030 },
10031 [NFT_MSG_DESTROYRULE] = {
10032 .call = nf_tables_delrule,
10033 .type = NFNL_CB_BATCH,
10034 .attr_count = NFTA_RULE_MAX,
10035 .policy = nft_rule_policy,
10036 },
10037 [NFT_MSG_NEWSET] = {
10038 .call = nf_tables_newset,
10039 .type = NFNL_CB_BATCH,
10040 .attr_count = NFTA_SET_MAX,
10041 .policy = nft_set_policy,
10042 },
10043 [NFT_MSG_GETSET] = {
10044 .call = nf_tables_getset,
10045 .type = NFNL_CB_RCU,
10046 .attr_count = NFTA_SET_MAX,
10047 .policy = nft_set_policy,
10048 },
10049 [NFT_MSG_DELSET] = {
10050 .call = nf_tables_delset,
10051 .type = NFNL_CB_BATCH,
10052 .attr_count = NFTA_SET_MAX,
10053 .policy = nft_set_policy,
10054 },
10055 [NFT_MSG_DESTROYSET] = {
10056 .call = nf_tables_delset,
10057 .type = NFNL_CB_BATCH,
10058 .attr_count = NFTA_SET_MAX,
10059 .policy = nft_set_policy,
10060 },
10061 [NFT_MSG_NEWSETELEM] = {
10062 .call = nf_tables_newsetelem,
10063 .type = NFNL_CB_BATCH,
10064 .attr_count = NFTA_SET_ELEM_LIST_MAX,
10065 .policy = nft_set_elem_list_policy,
10066 },
10067 [NFT_MSG_GETSETELEM] = {
10068 .call = nf_tables_getsetelem,
10069 .type = NFNL_CB_RCU,
10070 .attr_count = NFTA_SET_ELEM_LIST_MAX,
10071 .policy = nft_set_elem_list_policy,
10072 },
10073 [NFT_MSG_GETSETELEM_RESET] = {
10074 .call = nf_tables_getsetelem_reset,
10075 .type = NFNL_CB_RCU,
10076 .attr_count = NFTA_SET_ELEM_LIST_MAX,
10077 .policy = nft_set_elem_list_policy,
10078 },
10079 [NFT_MSG_DELSETELEM] = {
10080 .call = nf_tables_delsetelem,
10081 .type = NFNL_CB_BATCH,
10082 .attr_count = NFTA_SET_ELEM_LIST_MAX,
10083 .policy = nft_set_elem_list_policy,
10084 },
10085 [NFT_MSG_DESTROYSETELEM] = {
10086 .call = nf_tables_delsetelem,
10087 .type = NFNL_CB_BATCH,
10088 .attr_count = NFTA_SET_ELEM_LIST_MAX,
10089 .policy = nft_set_elem_list_policy,
10090 },
10091 [NFT_MSG_GETGEN] = {
10092 .call = nf_tables_getgen,
10093 .type = NFNL_CB_RCU,
10094 },
10095 [NFT_MSG_NEWOBJ] = {
10096 .call = nf_tables_newobj,
10097 .type = NFNL_CB_BATCH,
10098 .attr_count = NFTA_OBJ_MAX,
10099 .policy = nft_obj_policy,
10100 },
10101 [NFT_MSG_GETOBJ] = {
10102 .call = nf_tables_getobj,
10103 .type = NFNL_CB_RCU,
10104 .attr_count = NFTA_OBJ_MAX,
10105 .policy = nft_obj_policy,
10106 },
10107 [NFT_MSG_DELOBJ] = {
10108 .call = nf_tables_delobj,
10109 .type = NFNL_CB_BATCH,
10110 .attr_count = NFTA_OBJ_MAX,
10111 .policy = nft_obj_policy,
10112 },
10113 [NFT_MSG_DESTROYOBJ] = {
10114 .call = nf_tables_delobj,
10115 .type = NFNL_CB_BATCH,
10116 .attr_count = NFTA_OBJ_MAX,
10117 .policy = nft_obj_policy,
10118 },
10119 [NFT_MSG_GETOBJ_RESET] = {
10120 .call = nf_tables_getobj_reset,
10121 .type = NFNL_CB_RCU,
10122 .attr_count = NFTA_OBJ_MAX,
10123 .policy = nft_obj_policy,
10124 },
10125 [NFT_MSG_NEWFLOWTABLE] = {
10126 .call = nf_tables_newflowtable,
10127 .type = NFNL_CB_BATCH,
10128 .attr_count = NFTA_FLOWTABLE_MAX,
10129 .policy = nft_flowtable_policy,
10130 },
10131 [NFT_MSG_GETFLOWTABLE] = {
10132 .call = nf_tables_getflowtable,
10133 .type = NFNL_CB_RCU,
10134 .attr_count = NFTA_FLOWTABLE_MAX,
10135 .policy = nft_flowtable_policy,
10136 },
10137 [NFT_MSG_DELFLOWTABLE] = {
10138 .call = nf_tables_delflowtable,
10139 .type = NFNL_CB_BATCH,
10140 .attr_count = NFTA_FLOWTABLE_MAX,
10141 .policy = nft_flowtable_policy,
10142 },
10143 [NFT_MSG_DESTROYFLOWTABLE] = {
10144 .call = nf_tables_delflowtable,
10145 .type = NFNL_CB_BATCH,
10146 .attr_count = NFTA_FLOWTABLE_MAX,
10147 .policy = nft_flowtable_policy,
10148 },
10149 };
10150
nf_tables_validate(struct net * net)10151 static int nf_tables_validate(struct net *net)
10152 {
10153 struct nftables_pernet *nft_net = nft_pernet(net);
10154 struct nft_table *table;
10155
10156 list_for_each_entry(table, &nft_net->tables, list) {
10157 switch (table->validate_state) {
10158 case NFT_VALIDATE_SKIP:
10159 continue;
10160 case NFT_VALIDATE_NEED:
10161 nft_validate_state_update(table, NFT_VALIDATE_DO);
10162 fallthrough;
10163 case NFT_VALIDATE_DO:
10164 if (nft_table_validate(net, table) < 0)
10165 return -EAGAIN;
10166
10167 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
10168 break;
10169 }
10170 }
10171
10172 return 0;
10173 }
10174
10175 /* a drop policy has to be deferred until all rules have been activated,
10176 * otherwise a large ruleset that contains a drop-policy base chain will
10177 * cause all packets to get dropped until the full transaction has been
10178 * processed.
10179 *
10180 * We defer the drop policy until the transaction has been finalized.
10181 */
nft_chain_commit_drop_policy(struct nft_trans_chain * trans)10182 static void nft_chain_commit_drop_policy(struct nft_trans_chain *trans)
10183 {
10184 struct nft_base_chain *basechain;
10185
10186 if (trans->policy != NF_DROP)
10187 return;
10188
10189 if (!nft_is_base_chain(trans->chain))
10190 return;
10191
10192 basechain = nft_base_chain(trans->chain);
10193 basechain->policy = NF_DROP;
10194 }
10195
nft_chain_commit_update(struct nft_trans_chain * trans)10196 static void nft_chain_commit_update(struct nft_trans_chain *trans)
10197 {
10198 struct nft_table *table = trans->nft_trans_binding.nft_trans.table;
10199 struct nft_base_chain *basechain;
10200
10201 if (trans->name) {
10202 rhltable_remove(&table->chains_ht,
10203 &trans->chain->rhlhead,
10204 nft_chain_ht_params);
10205 swap(trans->chain->name, trans->name);
10206 rhltable_insert_key(&table->chains_ht,
10207 trans->chain->name,
10208 &trans->chain->rhlhead,
10209 nft_chain_ht_params);
10210 }
10211
10212 if (!nft_is_base_chain(trans->chain))
10213 return;
10214
10215 nft_chain_stats_replace(trans);
10216
10217 basechain = nft_base_chain(trans->chain);
10218
10219 switch (trans->policy) {
10220 case NF_DROP:
10221 case NF_ACCEPT:
10222 basechain->policy = trans->policy;
10223 break;
10224 }
10225 }
10226
nft_obj_commit_update(const struct nft_ctx * ctx,struct nft_trans * trans)10227 static void nft_obj_commit_update(const struct nft_ctx *ctx,
10228 struct nft_trans *trans)
10229 {
10230 struct nft_object *newobj;
10231 struct nft_object *obj;
10232
10233 obj = nft_trans_obj(trans);
10234 newobj = nft_trans_obj_newobj(trans);
10235
10236 if (WARN_ON_ONCE(!obj->ops->update))
10237 return;
10238
10239 obj->ops->update(obj, newobj);
10240 nft_obj_destroy(ctx, newobj);
10241 }
10242
nft_commit_release(struct nft_trans * trans)10243 static void nft_commit_release(struct nft_trans *trans)
10244 {
10245 struct nft_ctx ctx = {
10246 .net = trans->net,
10247 };
10248
10249 nft_ctx_update(&ctx, trans);
10250
10251 switch (trans->msg_type) {
10252 case NFT_MSG_DELTABLE:
10253 case NFT_MSG_DESTROYTABLE:
10254 nf_tables_table_destroy(trans->table);
10255 break;
10256 case NFT_MSG_NEWCHAIN:
10257 free_percpu(nft_trans_chain_stats(trans));
10258 kfree(nft_trans_chain_name(trans));
10259 break;
10260 case NFT_MSG_DELCHAIN:
10261 case NFT_MSG_DESTROYCHAIN:
10262 if (nft_trans_chain_update(trans))
10263 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
10264 else
10265 nf_tables_chain_destroy(nft_trans_chain(trans));
10266 break;
10267 case NFT_MSG_DELRULE:
10268 case NFT_MSG_DESTROYRULE:
10269 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
10270 break;
10271 case NFT_MSG_DELSET:
10272 case NFT_MSG_DESTROYSET:
10273 nft_set_destroy(&ctx, nft_trans_set(trans));
10274 break;
10275 case NFT_MSG_DELSETELEM:
10276 case NFT_MSG_DESTROYSETELEM:
10277 nft_trans_elems_destroy(&ctx, nft_trans_container_elem(trans));
10278 break;
10279 case NFT_MSG_DELOBJ:
10280 case NFT_MSG_DESTROYOBJ:
10281 nft_obj_destroy(&ctx, nft_trans_obj(trans));
10282 break;
10283 case NFT_MSG_DELFLOWTABLE:
10284 case NFT_MSG_DESTROYFLOWTABLE:
10285 if (nft_trans_flowtable_update(trans))
10286 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
10287 else
10288 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10289 break;
10290 }
10291
10292 if (trans->put_net)
10293 put_net(trans->net);
10294
10295 kfree(trans);
10296 }
10297
nf_tables_trans_destroy_work(struct work_struct * w)10298 static void nf_tables_trans_destroy_work(struct work_struct *w)
10299 {
10300 struct nftables_pernet *nft_net = container_of(w, struct nftables_pernet, destroy_work);
10301 struct nft_trans *trans, *next;
10302 LIST_HEAD(head);
10303
10304 spin_lock(&nf_tables_destroy_list_lock);
10305 list_splice_init(&nft_net->destroy_list, &head);
10306 spin_unlock(&nf_tables_destroy_list_lock);
10307
10308 if (list_empty(&head))
10309 return;
10310
10311 synchronize_rcu();
10312
10313 list_for_each_entry_safe(trans, next, &head, list) {
10314 nft_trans_list_del(trans);
10315 nft_commit_release(trans);
10316 }
10317 }
10318
nf_tables_trans_destroy_flush_work(struct net * net)10319 void nf_tables_trans_destroy_flush_work(struct net *net)
10320 {
10321 struct nftables_pernet *nft_net = nft_pernet(net);
10322
10323 flush_work(&nft_net->destroy_work);
10324 }
10325 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
10326
nft_expr_reduce(struct nft_regs_track * track,const struct nft_expr * expr)10327 static bool nft_expr_reduce(struct nft_regs_track *track,
10328 const struct nft_expr *expr)
10329 {
10330 return false;
10331 }
10332
nf_tables_commit_chain_prepare(struct net * net,struct nft_chain * chain)10333 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
10334 {
10335 const struct nft_expr *expr, *last;
10336 struct nft_regs_track track = {};
10337 unsigned int size, data_size;
10338 void *data, *data_boundary;
10339 struct nft_rule_dp *prule;
10340 struct nft_rule *rule;
10341
10342 /* already handled or inactive chain? */
10343 if (chain->blob_next || !nft_is_active_next(net, chain))
10344 return 0;
10345
10346 data_size = 0;
10347 list_for_each_entry(rule, &chain->rules, list) {
10348 if (nft_is_active_next(net, rule)) {
10349 data_size += sizeof(*prule) + rule->dlen;
10350 if (data_size > INT_MAX)
10351 return -ENOMEM;
10352 }
10353 }
10354
10355 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
10356 if (!chain->blob_next)
10357 return -ENOMEM;
10358
10359 data = (void *)chain->blob_next->data;
10360 data_boundary = data + data_size;
10361 size = 0;
10362
10363 list_for_each_entry(rule, &chain->rules, list) {
10364 if (!nft_is_active_next(net, rule))
10365 continue;
10366
10367 prule = (struct nft_rule_dp *)data;
10368 data += offsetof(struct nft_rule_dp, data);
10369 if (WARN_ON_ONCE(data > data_boundary))
10370 return -ENOMEM;
10371
10372 size = 0;
10373 track.last = nft_expr_last(rule);
10374 nft_rule_for_each_expr(expr, last, rule) {
10375 track.cur = expr;
10376
10377 if (nft_expr_reduce(&track, expr)) {
10378 expr = track.cur;
10379 continue;
10380 }
10381
10382 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
10383 return -ENOMEM;
10384
10385 memcpy(data + size, expr, expr->ops->size);
10386 size += expr->ops->size;
10387 }
10388 if (WARN_ON_ONCE(size >= 1 << 12))
10389 return -ENOMEM;
10390
10391 prule->handle = rule->handle;
10392 prule->dlen = size;
10393 prule->is_last = 0;
10394
10395 data += size;
10396 size = 0;
10397 chain->blob_next->size += (unsigned long)(data - (void *)prule);
10398 }
10399
10400 if (WARN_ON_ONCE(data > data_boundary))
10401 return -ENOMEM;
10402
10403 prule = (struct nft_rule_dp *)data;
10404 nft_last_rule(chain, prule);
10405
10406 return 0;
10407 }
10408
nf_tables_commit_chain_prepare_cancel(struct net * net)10409 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
10410 {
10411 struct nftables_pernet *nft_net = nft_pernet(net);
10412 struct nft_trans *trans, *next;
10413
10414 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10415 if (trans->msg_type == NFT_MSG_NEWRULE ||
10416 trans->msg_type == NFT_MSG_DELRULE) {
10417 struct nft_chain *chain = nft_trans_rule_chain(trans);
10418
10419 kvfree(chain->blob_next);
10420 chain->blob_next = NULL;
10421 }
10422 }
10423 }
10424
__nf_tables_commit_chain_free_rules(struct rcu_head * h)10425 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
10426 {
10427 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
10428
10429 kvfree(l->blob);
10430 }
10431
nf_tables_commit_chain_free_rules_old(struct nft_rule_blob * blob)10432 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
10433 {
10434 struct nft_rule_dp_last *last;
10435
10436 /* last rule trailer is after end marker */
10437 last = (void *)blob + sizeof(*blob) + blob->size;
10438 last->blob = blob;
10439
10440 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
10441 }
10442
nf_tables_commit_chain(struct net * net,struct nft_chain * chain)10443 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
10444 {
10445 struct nft_rule_blob *g0, *g1;
10446 bool next_genbit;
10447
10448 next_genbit = nft_gencursor_next(net);
10449
10450 g0 = rcu_dereference_protected(chain->blob_gen_0,
10451 lockdep_commit_lock_is_held(net));
10452 g1 = rcu_dereference_protected(chain->blob_gen_1,
10453 lockdep_commit_lock_is_held(net));
10454
10455 /* No changes to this chain? */
10456 if (chain->blob_next == NULL) {
10457 /* chain had no change in last or next generation */
10458 if (g0 == g1)
10459 return;
10460 /*
10461 * chain had no change in this generation; make sure next
10462 * one uses same rules as current generation.
10463 */
10464 if (next_genbit) {
10465 rcu_assign_pointer(chain->blob_gen_1, g0);
10466 nf_tables_commit_chain_free_rules_old(g1);
10467 } else {
10468 rcu_assign_pointer(chain->blob_gen_0, g1);
10469 nf_tables_commit_chain_free_rules_old(g0);
10470 }
10471
10472 return;
10473 }
10474
10475 if (next_genbit)
10476 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
10477 else
10478 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
10479
10480 chain->blob_next = NULL;
10481
10482 if (g0 == g1)
10483 return;
10484
10485 if (next_genbit)
10486 nf_tables_commit_chain_free_rules_old(g1);
10487 else
10488 nf_tables_commit_chain_free_rules_old(g0);
10489 }
10490
nft_obj_del(struct nft_object * obj)10491 static void nft_obj_del(struct nft_object *obj)
10492 {
10493 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
10494 list_del_rcu(&obj->list);
10495 }
10496
nft_chain_del(struct nft_chain * chain)10497 void nft_chain_del(struct nft_chain *chain)
10498 {
10499 struct nft_table *table = chain->table;
10500
10501 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
10502 nft_chain_ht_params));
10503 list_del_rcu(&chain->list);
10504 }
10505
nft_trans_gc_setelem_remove(struct nft_ctx * ctx,struct nft_trans_gc * trans)10506 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
10507 struct nft_trans_gc *trans)
10508 {
10509 struct nft_elem_priv **priv = trans->priv;
10510 unsigned int i;
10511
10512 for (i = 0; i < trans->count; i++) {
10513 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]);
10514 nft_setelem_remove(ctx->net, trans->set, priv[i]);
10515 }
10516 }
10517
nft_trans_gc_destroy(struct nft_trans_gc * trans)10518 void nft_trans_gc_destroy(struct nft_trans_gc *trans)
10519 {
10520 nft_set_put(trans->set);
10521 put_net(trans->net);
10522 kfree(trans);
10523 }
10524
nft_trans_gc_trans_free(struct rcu_head * rcu)10525 static void nft_trans_gc_trans_free(struct rcu_head *rcu)
10526 {
10527 struct nft_elem_priv *elem_priv;
10528 struct nft_trans_gc *trans;
10529 struct nft_ctx ctx = {};
10530 unsigned int i;
10531
10532 trans = container_of(rcu, struct nft_trans_gc, rcu);
10533 ctx.net = read_pnet(&trans->set->net);
10534
10535 for (i = 0; i < trans->count; i++) {
10536 elem_priv = trans->priv[i];
10537 if (!nft_setelem_is_catchall(trans->set, elem_priv))
10538 atomic_dec(&trans->set->nelems);
10539
10540 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv);
10541 }
10542
10543 nft_trans_gc_destroy(trans);
10544 }
10545
nft_trans_gc_work_done(struct nft_trans_gc * trans)10546 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
10547 {
10548 struct nftables_pernet *nft_net;
10549 struct nft_ctx ctx = {};
10550
10551 nft_net = nft_pernet(trans->net);
10552
10553 mutex_lock(&nft_net->commit_mutex);
10554
10555 /* Check for race with transaction, otherwise this batch refers to
10556 * stale objects that might not be there anymore. Skip transaction if
10557 * set has been destroyed from control plane transaction in case gc
10558 * worker loses race.
10559 */
10560 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
10561 mutex_unlock(&nft_net->commit_mutex);
10562 return false;
10563 }
10564
10565 ctx.net = trans->net;
10566 ctx.table = trans->set->table;
10567
10568 nft_trans_gc_setelem_remove(&ctx, trans);
10569 mutex_unlock(&nft_net->commit_mutex);
10570
10571 return true;
10572 }
10573
nft_trans_gc_work(struct work_struct * work)10574 static void nft_trans_gc_work(struct work_struct *work)
10575 {
10576 struct nft_trans_gc *trans, *next;
10577 LIST_HEAD(trans_gc_list);
10578
10579 spin_lock(&nf_tables_gc_list_lock);
10580 list_splice_init(&nf_tables_gc_list, &trans_gc_list);
10581 spin_unlock(&nf_tables_gc_list_lock);
10582
10583 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
10584 list_del(&trans->list);
10585 if (!nft_trans_gc_work_done(trans)) {
10586 nft_trans_gc_destroy(trans);
10587 continue;
10588 }
10589 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
10590 }
10591 }
10592
nft_trans_gc_alloc(struct nft_set * set,unsigned int gc_seq,gfp_t gfp)10593 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
10594 unsigned int gc_seq, gfp_t gfp)
10595 {
10596 struct net *net = read_pnet(&set->net);
10597 struct nft_trans_gc *trans;
10598
10599 trans = kzalloc(sizeof(*trans), gfp);
10600 if (!trans)
10601 return NULL;
10602
10603 trans->net = maybe_get_net(net);
10604 if (!trans->net) {
10605 kfree(trans);
10606 return NULL;
10607 }
10608
10609 refcount_inc(&set->refs);
10610 trans->set = set;
10611 trans->seq = gc_seq;
10612
10613 return trans;
10614 }
10615
nft_trans_gc_elem_add(struct nft_trans_gc * trans,void * priv)10616 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
10617 {
10618 trans->priv[trans->count++] = priv;
10619 }
10620
nft_trans_gc_queue_work(struct nft_trans_gc * trans)10621 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
10622 {
10623 spin_lock(&nf_tables_gc_list_lock);
10624 list_add_tail(&trans->list, &nf_tables_gc_list);
10625 spin_unlock(&nf_tables_gc_list_lock);
10626
10627 schedule_work(&trans_gc_work);
10628 }
10629
nft_trans_gc_space(struct nft_trans_gc * trans)10630 static int nft_trans_gc_space(struct nft_trans_gc *trans)
10631 {
10632 return NFT_TRANS_GC_BATCHCOUNT - trans->count;
10633 }
10634
nft_trans_gc_queue_async(struct nft_trans_gc * gc,unsigned int gc_seq,gfp_t gfp)10635 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
10636 unsigned int gc_seq, gfp_t gfp)
10637 {
10638 struct nft_set *set;
10639
10640 if (nft_trans_gc_space(gc))
10641 return gc;
10642
10643 set = gc->set;
10644 nft_trans_gc_queue_work(gc);
10645
10646 return nft_trans_gc_alloc(set, gc_seq, gfp);
10647 }
10648
nft_trans_gc_queue_async_done(struct nft_trans_gc * trans)10649 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
10650 {
10651 if (trans->count == 0) {
10652 nft_trans_gc_destroy(trans);
10653 return;
10654 }
10655
10656 nft_trans_gc_queue_work(trans);
10657 }
10658
nft_trans_gc_queue_sync(struct nft_trans_gc * gc,gfp_t gfp)10659 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
10660 {
10661 struct nft_set *set;
10662
10663 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
10664 return NULL;
10665
10666 if (nft_trans_gc_space(gc))
10667 return gc;
10668
10669 set = gc->set;
10670 call_rcu(&gc->rcu, nft_trans_gc_trans_free);
10671
10672 return nft_trans_gc_alloc(set, 0, gfp);
10673 }
10674
nft_trans_gc_queue_sync_done(struct nft_trans_gc * trans)10675 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
10676 {
10677 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
10678
10679 if (trans->count == 0) {
10680 nft_trans_gc_destroy(trans);
10681 return;
10682 }
10683
10684 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
10685 }
10686
nft_trans_gc_catchall_async(struct nft_trans_gc * gc,unsigned int gc_seq)10687 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
10688 unsigned int gc_seq)
10689 {
10690 struct nft_set_elem_catchall *catchall;
10691 const struct nft_set *set = gc->set;
10692 struct nft_set_ext *ext;
10693
10694 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
10695 ext = nft_set_elem_ext(set, catchall->elem);
10696
10697 if (!nft_set_elem_expired(ext))
10698 continue;
10699 if (nft_set_elem_is_dead(ext))
10700 goto dead_elem;
10701
10702 nft_set_elem_dead(ext);
10703 dead_elem:
10704 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
10705 if (!gc)
10706 return NULL;
10707
10708 nft_trans_gc_elem_add(gc, catchall->elem);
10709 }
10710
10711 return gc;
10712 }
10713
nft_trans_gc_catchall_sync(struct nft_trans_gc * gc)10714 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
10715 {
10716 struct nft_set_elem_catchall *catchall, *next;
10717 u64 tstamp = nft_net_tstamp(gc->net);
10718 const struct nft_set *set = gc->set;
10719 struct nft_elem_priv *elem_priv;
10720 struct nft_set_ext *ext;
10721
10722 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
10723
10724 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
10725 ext = nft_set_elem_ext(set, catchall->elem);
10726
10727 if (!__nft_set_elem_expired(ext, tstamp))
10728 continue;
10729
10730 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
10731 if (!gc)
10732 return NULL;
10733
10734 elem_priv = catchall->elem;
10735 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
10736 nft_setelem_catchall_destroy(catchall);
10737 nft_trans_gc_elem_add(gc, elem_priv);
10738 }
10739
10740 return gc;
10741 }
10742
nf_tables_module_autoload_cleanup(struct net * net)10743 static void nf_tables_module_autoload_cleanup(struct net *net)
10744 {
10745 struct nftables_pernet *nft_net = nft_pernet(net);
10746 struct nft_module_request *req, *next;
10747
10748 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10749 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
10750 WARN_ON_ONCE(!req->done);
10751 list_del(&req->list);
10752 kfree(req);
10753 }
10754 }
10755
nf_tables_commit_release(struct net * net)10756 static void nf_tables_commit_release(struct net *net)
10757 {
10758 struct nftables_pernet *nft_net = nft_pernet(net);
10759 struct nft_trans *trans;
10760
10761 /* all side effects have to be made visible.
10762 * For example, if a chain named 'foo' has been deleted, a
10763 * new transaction must not find it anymore.
10764 *
10765 * Memory reclaim happens asynchronously from work queue
10766 * to prevent expensive synchronize_rcu() in commit phase.
10767 */
10768 if (list_empty(&nft_net->commit_list)) {
10769 nf_tables_module_autoload_cleanup(net);
10770 mutex_unlock(&nft_net->commit_mutex);
10771 return;
10772 }
10773
10774 trans = list_last_entry(&nft_net->commit_list,
10775 struct nft_trans, list);
10776 get_net(trans->net);
10777 WARN_ON_ONCE(trans->put_net);
10778
10779 trans->put_net = true;
10780 spin_lock(&nf_tables_destroy_list_lock);
10781 list_splice_tail_init(&nft_net->commit_list, &nft_net->destroy_list);
10782 spin_unlock(&nf_tables_destroy_list_lock);
10783
10784 nf_tables_module_autoload_cleanup(net);
10785 schedule_work(&nft_net->destroy_work);
10786
10787 mutex_unlock(&nft_net->commit_mutex);
10788 }
10789
nft_commit_notify(struct net * net,u32 portid)10790 static void nft_commit_notify(struct net *net, u32 portid)
10791 {
10792 struct nftables_pernet *nft_net = nft_pernet(net);
10793 struct sk_buff *batch_skb = NULL, *nskb, *skb;
10794 unsigned char *data;
10795 int len;
10796
10797 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
10798 if (!batch_skb) {
10799 new_batch:
10800 batch_skb = skb;
10801 len = NLMSG_GOODSIZE - skb->len;
10802 list_del(&skb->list);
10803 continue;
10804 }
10805 len -= skb->len;
10806 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
10807 data = skb_put(batch_skb, skb->len);
10808 memcpy(data, skb->data, skb->len);
10809 list_del(&skb->list);
10810 kfree_skb(skb);
10811 continue;
10812 }
10813 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10814 NFT_CB(batch_skb).report, GFP_KERNEL);
10815 goto new_batch;
10816 }
10817
10818 if (batch_skb) {
10819 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10820 NFT_CB(batch_skb).report, GFP_KERNEL);
10821 }
10822
10823 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10824 }
10825
nf_tables_commit_audit_alloc(struct list_head * adl,struct nft_table * table)10826 static int nf_tables_commit_audit_alloc(struct list_head *adl,
10827 struct nft_table *table)
10828 {
10829 struct nft_audit_data *adp;
10830
10831 list_for_each_entry(adp, adl, list) {
10832 if (adp->table == table)
10833 return 0;
10834 }
10835 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
10836 if (!adp)
10837 return -ENOMEM;
10838 adp->table = table;
10839 list_add(&adp->list, adl);
10840 return 0;
10841 }
10842
nf_tables_commit_audit_free(struct list_head * adl)10843 static void nf_tables_commit_audit_free(struct list_head *adl)
10844 {
10845 struct nft_audit_data *adp, *adn;
10846
10847 list_for_each_entry_safe(adp, adn, adl, list) {
10848 list_del(&adp->list);
10849 kfree(adp);
10850 }
10851 }
10852
10853 /* nft audit emits the number of elements that get added/removed/updated,
10854 * so NEW/DELSETELEM needs to increment based on the total elem count.
10855 */
nf_tables_commit_audit_entrycount(const struct nft_trans * trans)10856 static unsigned int nf_tables_commit_audit_entrycount(const struct nft_trans *trans)
10857 {
10858 switch (trans->msg_type) {
10859 case NFT_MSG_NEWSETELEM:
10860 case NFT_MSG_DELSETELEM:
10861 return nft_trans_container_elem(trans)->nelems;
10862 }
10863
10864 return 1;
10865 }
10866
nf_tables_commit_audit_collect(struct list_head * adl,const struct nft_trans * trans,u32 op)10867 static void nf_tables_commit_audit_collect(struct list_head *adl,
10868 const struct nft_trans *trans, u32 op)
10869 {
10870 const struct nft_table *table = trans->table;
10871 struct nft_audit_data *adp;
10872
10873 list_for_each_entry(adp, adl, list) {
10874 if (adp->table == table)
10875 goto found;
10876 }
10877 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
10878 return;
10879 found:
10880 adp->entries += nf_tables_commit_audit_entrycount(trans);
10881 if (!adp->op || adp->op > op)
10882 adp->op = op;
10883 }
10884
10885 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
10886
nf_tables_commit_audit_log(struct list_head * adl,u32 generation)10887 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
10888 {
10889 struct nft_audit_data *adp, *adn;
10890 char aubuf[AUNFTABLENAMELEN];
10891
10892 list_for_each_entry_safe(adp, adn, adl, list) {
10893 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
10894 generation);
10895 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
10896 nft2audit_op[adp->op], GFP_KERNEL);
10897 list_del(&adp->list);
10898 kfree(adp);
10899 }
10900 }
10901
nft_set_commit_update(struct list_head * set_update_list)10902 static void nft_set_commit_update(struct list_head *set_update_list)
10903 {
10904 struct nft_set *set, *next;
10905
10906 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10907 list_del_init(&set->pending_update);
10908
10909 if (!set->ops->commit || set->dead)
10910 continue;
10911
10912 set->ops->commit(set);
10913 }
10914 }
10915
nft_gc_seq_begin(struct nftables_pernet * nft_net)10916 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
10917 {
10918 unsigned int gc_seq;
10919
10920 /* Bump gc counter, it becomes odd, this is the busy mark. */
10921 gc_seq = READ_ONCE(nft_net->gc_seq);
10922 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10923
10924 return gc_seq;
10925 }
10926
nft_gc_seq_end(struct nftables_pernet * nft_net,unsigned int gc_seq)10927 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
10928 {
10929 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10930 }
10931
nf_tables_commit(struct net * net,struct sk_buff * skb)10932 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
10933 {
10934 struct nftables_pernet *nft_net = nft_pernet(net);
10935 const struct nlmsghdr *nlh = nlmsg_hdr(skb);
10936 struct nft_trans_binding *trans_binding;
10937 struct nft_trans *trans, *next;
10938 unsigned int base_seq, gc_seq;
10939 LIST_HEAD(set_update_list);
10940 struct nft_trans_elem *te;
10941 struct nft_chain *chain;
10942 struct nft_table *table;
10943 struct nft_ctx ctx;
10944 LIST_HEAD(adl);
10945 int err;
10946
10947 if (list_empty(&nft_net->commit_list)) {
10948 mutex_unlock(&nft_net->commit_mutex);
10949 return 0;
10950 }
10951
10952 nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL);
10953
10954 list_for_each_entry(trans_binding, &nft_net->binding_list, binding_list) {
10955 trans = &trans_binding->nft_trans;
10956 switch (trans->msg_type) {
10957 case NFT_MSG_NEWSET:
10958 if (!nft_trans_set_update(trans) &&
10959 nft_set_is_anonymous(nft_trans_set(trans)) &&
10960 !nft_trans_set_bound(trans)) {
10961 pr_warn_once("nftables ruleset with unbound set\n");
10962 return -EINVAL;
10963 }
10964 break;
10965 case NFT_MSG_NEWCHAIN:
10966 if (!nft_trans_chain_update(trans) &&
10967 nft_chain_binding(nft_trans_chain(trans)) &&
10968 !nft_trans_chain_bound(trans)) {
10969 pr_warn_once("nftables ruleset with unbound chain\n");
10970 return -EINVAL;
10971 }
10972 break;
10973 default:
10974 WARN_ONCE(1, "Unhandled bind type %d", trans->msg_type);
10975 break;
10976 }
10977 }
10978
10979 /* 0. Validate ruleset, otherwise roll back for error reporting. */
10980 if (nf_tables_validate(net) < 0) {
10981 nft_net->validate_state = NFT_VALIDATE_DO;
10982 return -EAGAIN;
10983 }
10984
10985 err = nft_flow_rule_offload_commit(net);
10986 if (err < 0)
10987 return err;
10988
10989 /* 1. Allocate space for next generation rules_gen_X[] */
10990 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10991 struct nft_table *table = trans->table;
10992 int ret;
10993
10994 ret = nf_tables_commit_audit_alloc(&adl, table);
10995 if (ret) {
10996 nf_tables_commit_chain_prepare_cancel(net);
10997 nf_tables_commit_audit_free(&adl);
10998 return ret;
10999 }
11000 if (trans->msg_type == NFT_MSG_NEWRULE ||
11001 trans->msg_type == NFT_MSG_DELRULE) {
11002 chain = nft_trans_rule_chain(trans);
11003
11004 ret = nf_tables_commit_chain_prepare(net, chain);
11005 if (ret < 0) {
11006 nf_tables_commit_chain_prepare_cancel(net);
11007 nf_tables_commit_audit_free(&adl);
11008 return ret;
11009 }
11010 }
11011 }
11012
11013 /* step 2. Make rules_gen_X visible to packet path */
11014 list_for_each_entry(table, &nft_net->tables, list) {
11015 list_for_each_entry(chain, &table->chains, list)
11016 nf_tables_commit_chain(net, chain);
11017 }
11018
11019 /*
11020 * Bump generation counter, invalidate any dump in progress.
11021 * Cannot fail after this point.
11022 */
11023 base_seq = nft_base_seq(net);
11024 while (++base_seq == 0)
11025 ;
11026
11027 /* pairs with smp_load_acquire in nft_lookup_eval */
11028 smp_store_release(&net->nft.base_seq, base_seq);
11029
11030 gc_seq = nft_gc_seq_begin(nft_net);
11031
11032 /* step 3. Start new generation, rules_gen_X now in use. */
11033 net->nft.gencursor = nft_gencursor_next(net);
11034
11035 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
11036 struct nft_table *table = trans->table;
11037
11038 nft_ctx_update(&ctx, trans);
11039
11040 nf_tables_commit_audit_collect(&adl, trans, trans->msg_type);
11041 switch (trans->msg_type) {
11042 case NFT_MSG_NEWTABLE:
11043 if (nft_trans_table_update(trans)) {
11044 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
11045 nft_trans_destroy(trans);
11046 break;
11047 }
11048 if (table->flags & NFT_TABLE_F_DORMANT)
11049 nf_tables_table_disable(net, table);
11050
11051 table->flags &= ~__NFT_TABLE_F_UPDATE;
11052 } else {
11053 nft_clear(net, table);
11054 }
11055 nf_tables_table_notify(&ctx, NFT_MSG_NEWTABLE);
11056 nft_trans_destroy(trans);
11057 break;
11058 case NFT_MSG_DELTABLE:
11059 case NFT_MSG_DESTROYTABLE:
11060 list_del_rcu(&table->list);
11061 nf_tables_table_notify(&ctx, trans->msg_type);
11062 break;
11063 case NFT_MSG_NEWCHAIN:
11064 if (nft_trans_chain_update(trans)) {
11065 nft_chain_commit_update(nft_trans_container_chain(trans));
11066 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN,
11067 &nft_trans_chain_hooks(trans));
11068 list_splice(&nft_trans_chain_hooks(trans),
11069 &nft_trans_basechain(trans)->hook_list);
11070 /* trans destroyed after rcu grace period */
11071 } else {
11072 nft_chain_commit_drop_policy(nft_trans_container_chain(trans));
11073 nft_clear(net, nft_trans_chain(trans));
11074 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL);
11075 nft_trans_destroy(trans);
11076 }
11077 break;
11078 case NFT_MSG_DELCHAIN:
11079 case NFT_MSG_DESTROYCHAIN:
11080 if (nft_trans_chain_update(trans)) {
11081 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
11082 &nft_trans_chain_hooks(trans));
11083 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
11084 nft_netdev_unregister_hooks(net,
11085 &nft_trans_chain_hooks(trans),
11086 true);
11087 }
11088 } else {
11089 nft_chain_del(nft_trans_chain(trans));
11090 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
11091 NULL);
11092 nf_tables_unregister_hook(ctx.net, ctx.table,
11093 nft_trans_chain(trans));
11094 }
11095 break;
11096 case NFT_MSG_NEWRULE:
11097 nft_clear(net, nft_trans_rule(trans));
11098 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
11099 NFT_MSG_NEWRULE);
11100 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
11101 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
11102
11103 nft_trans_destroy(trans);
11104 break;
11105 case NFT_MSG_DELRULE:
11106 case NFT_MSG_DESTROYRULE:
11107 list_del_rcu(&nft_trans_rule(trans)->list);
11108 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
11109 trans->msg_type);
11110 nft_rule_expr_deactivate(&ctx, nft_trans_rule(trans),
11111 NFT_TRANS_COMMIT);
11112
11113 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
11114 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
11115 break;
11116 case NFT_MSG_NEWSET:
11117 list_del(&nft_trans_container_set(trans)->list_trans_newset);
11118 if (nft_trans_set_update(trans)) {
11119 struct nft_set *set = nft_trans_set(trans);
11120
11121 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
11122 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
11123
11124 if (nft_trans_set_size(trans))
11125 WRITE_ONCE(set->size, nft_trans_set_size(trans));
11126 } else {
11127 nft_clear(net, nft_trans_set(trans));
11128 /* This avoids hitting -EBUSY when deleting the table
11129 * from the transaction.
11130 */
11131 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
11132 !list_empty(&nft_trans_set(trans)->bindings))
11133 nft_use_dec(&table->use);
11134 }
11135 nf_tables_set_notify(&ctx, nft_trans_set(trans),
11136 NFT_MSG_NEWSET, GFP_KERNEL);
11137 nft_trans_destroy(trans);
11138 break;
11139 case NFT_MSG_DELSET:
11140 case NFT_MSG_DESTROYSET:
11141 nft_trans_set(trans)->dead = 1;
11142 list_del_rcu(&nft_trans_set(trans)->list);
11143 nf_tables_set_notify(&ctx, nft_trans_set(trans),
11144 trans->msg_type, GFP_KERNEL);
11145 break;
11146 case NFT_MSG_NEWSETELEM:
11147 te = nft_trans_container_elem(trans);
11148
11149 nft_trans_elems_add(&ctx, te);
11150
11151 if (te->set->ops->commit &&
11152 list_empty(&te->set->pending_update)) {
11153 list_add_tail(&te->set->pending_update,
11154 &set_update_list);
11155 }
11156 nft_trans_destroy(trans);
11157 break;
11158 case NFT_MSG_DELSETELEM:
11159 case NFT_MSG_DESTROYSETELEM:
11160 te = nft_trans_container_elem(trans);
11161
11162 nft_trans_elems_remove(&ctx, te);
11163
11164 if (te->set->ops->commit &&
11165 list_empty(&te->set->pending_update)) {
11166 list_add_tail(&te->set->pending_update,
11167 &set_update_list);
11168 }
11169 break;
11170 case NFT_MSG_NEWOBJ:
11171 if (nft_trans_obj_update(trans)) {
11172 nft_obj_commit_update(&ctx, trans);
11173 nf_tables_obj_notify(&ctx,
11174 nft_trans_obj(trans),
11175 NFT_MSG_NEWOBJ);
11176 } else {
11177 nft_clear(net, nft_trans_obj(trans));
11178 nf_tables_obj_notify(&ctx,
11179 nft_trans_obj(trans),
11180 NFT_MSG_NEWOBJ);
11181 nft_trans_destroy(trans);
11182 }
11183 break;
11184 case NFT_MSG_DELOBJ:
11185 case NFT_MSG_DESTROYOBJ:
11186 nft_obj_del(nft_trans_obj(trans));
11187 nf_tables_obj_notify(&ctx, nft_trans_obj(trans),
11188 trans->msg_type);
11189 break;
11190 case NFT_MSG_NEWFLOWTABLE:
11191 if (nft_trans_flowtable_update(trans)) {
11192 nft_trans_flowtable(trans)->data.flags =
11193 nft_trans_flowtable_flags(trans);
11194 nf_tables_flowtable_notify(&ctx,
11195 nft_trans_flowtable(trans),
11196 &nft_trans_flowtable_hooks(trans),
11197 NFT_MSG_NEWFLOWTABLE);
11198 list_splice(&nft_trans_flowtable_hooks(trans),
11199 &nft_trans_flowtable(trans)->hook_list);
11200 } else {
11201 nft_clear(net, nft_trans_flowtable(trans));
11202 nf_tables_flowtable_notify(&ctx,
11203 nft_trans_flowtable(trans),
11204 NULL,
11205 NFT_MSG_NEWFLOWTABLE);
11206 }
11207 nft_trans_destroy(trans);
11208 break;
11209 case NFT_MSG_DELFLOWTABLE:
11210 case NFT_MSG_DESTROYFLOWTABLE:
11211 if (nft_trans_flowtable_update(trans)) {
11212 nf_tables_flowtable_notify(&ctx,
11213 nft_trans_flowtable(trans),
11214 &nft_trans_flowtable_hooks(trans),
11215 trans->msg_type);
11216 nft_unregister_flowtable_net_hooks(net,
11217 nft_trans_flowtable(trans),
11218 &nft_trans_flowtable_hooks(trans));
11219 } else {
11220 list_del_rcu(&nft_trans_flowtable(trans)->list);
11221 nf_tables_flowtable_notify(&ctx,
11222 nft_trans_flowtable(trans),
11223 NULL,
11224 trans->msg_type);
11225 nft_unregister_flowtable_net_hooks(net,
11226 nft_trans_flowtable(trans),
11227 &nft_trans_flowtable(trans)->hook_list);
11228 }
11229 break;
11230 }
11231 }
11232
11233 nft_set_commit_update(&set_update_list);
11234
11235 nft_commit_notify(net, NETLINK_CB(skb).portid);
11236 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
11237 nf_tables_commit_audit_log(&adl, nft_base_seq(net));
11238
11239 nft_gc_seq_end(nft_net, gc_seq);
11240 nft_net->validate_state = NFT_VALIDATE_SKIP;
11241 nf_tables_commit_release(net);
11242
11243 return 0;
11244 }
11245
nf_tables_module_autoload(struct net * net)11246 static void nf_tables_module_autoload(struct net *net)
11247 {
11248 struct nftables_pernet *nft_net = nft_pernet(net);
11249 struct nft_module_request *req, *next;
11250 LIST_HEAD(module_list);
11251
11252 list_splice_init(&nft_net->module_list, &module_list);
11253 mutex_unlock(&nft_net->commit_mutex);
11254 list_for_each_entry_safe(req, next, &module_list, list) {
11255 request_module("%s", req->module);
11256 req->done = true;
11257 }
11258 mutex_lock(&nft_net->commit_mutex);
11259 list_splice(&module_list, &nft_net->module_list);
11260 }
11261
nf_tables_abort_release(struct nft_trans * trans)11262 static void nf_tables_abort_release(struct nft_trans *trans)
11263 {
11264 struct nft_ctx ctx = { };
11265
11266 nft_ctx_update(&ctx, trans);
11267
11268 switch (trans->msg_type) {
11269 case NFT_MSG_NEWTABLE:
11270 nf_tables_table_destroy(trans->table);
11271 break;
11272 case NFT_MSG_NEWCHAIN:
11273 if (nft_trans_chain_update(trans))
11274 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
11275 else
11276 nf_tables_chain_destroy(nft_trans_chain(trans));
11277 break;
11278 case NFT_MSG_NEWRULE:
11279 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
11280 break;
11281 case NFT_MSG_NEWSET:
11282 nft_set_destroy(&ctx, nft_trans_set(trans));
11283 break;
11284 case NFT_MSG_NEWSETELEM:
11285 nft_trans_set_elem_destroy(&ctx, nft_trans_container_elem(trans));
11286 break;
11287 case NFT_MSG_NEWOBJ:
11288 nft_obj_destroy(&ctx, nft_trans_obj(trans));
11289 break;
11290 case NFT_MSG_NEWFLOWTABLE:
11291 if (nft_trans_flowtable_update(trans))
11292 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
11293 else
11294 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
11295 break;
11296 }
11297 kfree(trans);
11298 }
11299
nft_set_abort_update(struct list_head * set_update_list)11300 static void nft_set_abort_update(struct list_head *set_update_list)
11301 {
11302 struct nft_set *set, *next;
11303
11304 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
11305 list_del_init(&set->pending_update);
11306
11307 if (!set->ops->abort)
11308 continue;
11309
11310 set->ops->abort(set);
11311 }
11312 }
11313
__nf_tables_abort(struct net * net,enum nfnl_abort_action action)11314 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
11315 {
11316 struct nftables_pernet *nft_net = nft_pernet(net);
11317 struct nft_trans *trans, *next;
11318 LIST_HEAD(set_update_list);
11319 struct nft_trans_elem *te;
11320 struct nft_ctx ctx = {
11321 .net = net,
11322 };
11323 int err = 0;
11324
11325 if (action == NFNL_ABORT_VALIDATE &&
11326 nf_tables_validate(net) < 0)
11327 err = -EAGAIN;
11328
11329 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
11330 list) {
11331 struct nft_table *table = trans->table;
11332
11333 nft_ctx_update(&ctx, trans);
11334
11335 switch (trans->msg_type) {
11336 case NFT_MSG_NEWTABLE:
11337 if (nft_trans_table_update(trans)) {
11338 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
11339 nft_trans_destroy(trans);
11340 break;
11341 }
11342 if (table->flags & __NFT_TABLE_F_WAS_DORMANT) {
11343 nf_tables_table_disable(net, table);
11344 table->flags |= NFT_TABLE_F_DORMANT;
11345 } else if (table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
11346 table->flags &= ~NFT_TABLE_F_DORMANT;
11347 }
11348 if (table->flags & __NFT_TABLE_F_WAS_ORPHAN) {
11349 table->flags &= ~NFT_TABLE_F_OWNER;
11350 table->nlpid = 0;
11351 }
11352 table->flags &= ~__NFT_TABLE_F_UPDATE;
11353 nft_trans_destroy(trans);
11354 } else {
11355 list_del_rcu(&table->list);
11356 }
11357 break;
11358 case NFT_MSG_DELTABLE:
11359 case NFT_MSG_DESTROYTABLE:
11360 nft_clear(trans->net, table);
11361 nft_trans_destroy(trans);
11362 break;
11363 case NFT_MSG_NEWCHAIN:
11364 if (nft_trans_chain_update(trans)) {
11365 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
11366 nft_netdev_unregister_hooks(net,
11367 &nft_trans_chain_hooks(trans),
11368 true);
11369 }
11370 free_percpu(nft_trans_chain_stats(trans));
11371 kfree(nft_trans_chain_name(trans));
11372 nft_trans_destroy(trans);
11373 } else {
11374 if (nft_trans_chain_bound(trans)) {
11375 nft_trans_destroy(trans);
11376 break;
11377 }
11378 nft_use_dec_restore(&table->use);
11379 nft_chain_del(nft_trans_chain(trans));
11380 nf_tables_unregister_hook(trans->net, table,
11381 nft_trans_chain(trans));
11382 }
11383 break;
11384 case NFT_MSG_DELCHAIN:
11385 case NFT_MSG_DESTROYCHAIN:
11386 if (nft_trans_chain_update(trans)) {
11387 list_splice(&nft_trans_chain_hooks(trans),
11388 &nft_trans_basechain(trans)->hook_list);
11389 } else {
11390 nft_use_inc_restore(&table->use);
11391 nft_clear(trans->net, nft_trans_chain(trans));
11392 }
11393 nft_trans_destroy(trans);
11394 break;
11395 case NFT_MSG_NEWRULE:
11396 if (nft_trans_rule_bound(trans)) {
11397 nft_trans_destroy(trans);
11398 break;
11399 }
11400 nft_use_dec_restore(&nft_trans_rule_chain(trans)->use);
11401 list_del_rcu(&nft_trans_rule(trans)->list);
11402 nft_rule_expr_deactivate(&ctx,
11403 nft_trans_rule(trans),
11404 NFT_TRANS_ABORT);
11405 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
11406 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
11407 break;
11408 case NFT_MSG_DELRULE:
11409 case NFT_MSG_DESTROYRULE:
11410 nft_use_inc_restore(&nft_trans_rule_chain(trans)->use);
11411 nft_clear(trans->net, nft_trans_rule(trans));
11412 nft_rule_expr_activate(&ctx, nft_trans_rule(trans));
11413 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
11414 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
11415
11416 nft_trans_destroy(trans);
11417 break;
11418 case NFT_MSG_NEWSET:
11419 list_del(&nft_trans_container_set(trans)->list_trans_newset);
11420 if (nft_trans_set_update(trans)) {
11421 nft_trans_destroy(trans);
11422 break;
11423 }
11424 nft_use_dec_restore(&table->use);
11425 if (nft_trans_set_bound(trans)) {
11426 nft_trans_destroy(trans);
11427 break;
11428 }
11429 nft_trans_set(trans)->dead = 1;
11430 list_del_rcu(&nft_trans_set(trans)->list);
11431 break;
11432 case NFT_MSG_DELSET:
11433 case NFT_MSG_DESTROYSET:
11434 nft_use_inc_restore(&table->use);
11435 nft_clear(trans->net, nft_trans_set(trans));
11436 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11437 nft_map_activate(&ctx, nft_trans_set(trans));
11438
11439 nft_trans_destroy(trans);
11440 break;
11441 case NFT_MSG_NEWSETELEM:
11442 if (nft_trans_elem_set_bound(trans)) {
11443 nft_trans_destroy(trans);
11444 break;
11445 }
11446 te = nft_trans_container_elem(trans);
11447 if (!nft_trans_elems_new_abort(&ctx, te)) {
11448 nft_trans_destroy(trans);
11449 break;
11450 }
11451
11452 if (te->set->ops->abort &&
11453 list_empty(&te->set->pending_update)) {
11454 list_add_tail(&te->set->pending_update,
11455 &set_update_list);
11456 }
11457 break;
11458 case NFT_MSG_DELSETELEM:
11459 case NFT_MSG_DESTROYSETELEM:
11460 te = nft_trans_container_elem(trans);
11461
11462 nft_trans_elems_destroy_abort(&ctx, te);
11463
11464 if (te->set->ops->abort &&
11465 list_empty(&te->set->pending_update)) {
11466 list_add_tail(&te->set->pending_update,
11467 &set_update_list);
11468 }
11469 nft_trans_destroy(trans);
11470 break;
11471 case NFT_MSG_NEWOBJ:
11472 if (nft_trans_obj_update(trans)) {
11473 nft_obj_destroy(&ctx, nft_trans_obj_newobj(trans));
11474 nft_trans_destroy(trans);
11475 } else {
11476 nft_use_dec_restore(&table->use);
11477 nft_obj_del(nft_trans_obj(trans));
11478 }
11479 break;
11480 case NFT_MSG_DELOBJ:
11481 case NFT_MSG_DESTROYOBJ:
11482 nft_use_inc_restore(&table->use);
11483 nft_clear(trans->net, nft_trans_obj(trans));
11484 nft_trans_destroy(trans);
11485 break;
11486 case NFT_MSG_NEWFLOWTABLE:
11487 if (nft_trans_flowtable_update(trans)) {
11488 nft_unregister_flowtable_net_hooks(net,
11489 nft_trans_flowtable(trans),
11490 &nft_trans_flowtable_hooks(trans));
11491 } else {
11492 nft_use_dec_restore(&table->use);
11493 list_del_rcu(&nft_trans_flowtable(trans)->list);
11494 nft_unregister_flowtable_net_hooks(net,
11495 nft_trans_flowtable(trans),
11496 &nft_trans_flowtable(trans)->hook_list);
11497 }
11498 break;
11499 case NFT_MSG_DELFLOWTABLE:
11500 case NFT_MSG_DESTROYFLOWTABLE:
11501 if (nft_trans_flowtable_update(trans)) {
11502 list_splice(&nft_trans_flowtable_hooks(trans),
11503 &nft_trans_flowtable(trans)->hook_list);
11504 } else {
11505 nft_use_inc_restore(&table->use);
11506 nft_clear(trans->net, nft_trans_flowtable(trans));
11507 }
11508 nft_trans_destroy(trans);
11509 break;
11510 }
11511 }
11512
11513 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
11514
11515 nft_set_abort_update(&set_update_list);
11516
11517 synchronize_rcu();
11518
11519 list_for_each_entry_safe_reverse(trans, next,
11520 &nft_net->commit_list, list) {
11521 nft_trans_list_del(trans);
11522 nf_tables_abort_release(trans);
11523 }
11524
11525 return err;
11526 }
11527
nf_tables_abort(struct net * net,struct sk_buff * skb,enum nfnl_abort_action action)11528 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
11529 enum nfnl_abort_action action)
11530 {
11531 struct nftables_pernet *nft_net = nft_pernet(net);
11532 unsigned int gc_seq;
11533 int ret;
11534
11535 gc_seq = nft_gc_seq_begin(nft_net);
11536 ret = __nf_tables_abort(net, action);
11537 nft_gc_seq_end(nft_net, gc_seq);
11538
11539 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
11540
11541 /* module autoload needs to happen after GC sequence update because it
11542 * temporarily releases and grabs mutex again.
11543 */
11544 if (action == NFNL_ABORT_AUTOLOAD)
11545 nf_tables_module_autoload(net);
11546 else
11547 nf_tables_module_autoload_cleanup(net);
11548
11549 mutex_unlock(&nft_net->commit_mutex);
11550
11551 return ret;
11552 }
11553
nf_tables_valid_genid(struct net * net,u32 genid)11554 static bool nf_tables_valid_genid(struct net *net, u32 genid)
11555 {
11556 struct nftables_pernet *nft_net = nft_pernet(net);
11557 bool genid_ok;
11558
11559 mutex_lock(&nft_net->commit_mutex);
11560 nft_net->tstamp = get_jiffies_64();
11561
11562 genid_ok = genid == 0 || nft_base_seq(net) == genid;
11563 if (!genid_ok)
11564 mutex_unlock(&nft_net->commit_mutex);
11565
11566 /* else, commit mutex has to be released by commit or abort function */
11567 return genid_ok;
11568 }
11569
11570 static const struct nfnetlink_subsystem nf_tables_subsys = {
11571 .name = "nf_tables",
11572 .subsys_id = NFNL_SUBSYS_NFTABLES,
11573 .cb_count = NFT_MSG_MAX,
11574 .cb = nf_tables_cb,
11575 .commit = nf_tables_commit,
11576 .abort = nf_tables_abort,
11577 .valid_genid = nf_tables_valid_genid,
11578 .owner = THIS_MODULE,
11579 };
11580
nft_chain_validate_dependency(const struct nft_chain * chain,enum nft_chain_types type)11581 int nft_chain_validate_dependency(const struct nft_chain *chain,
11582 enum nft_chain_types type)
11583 {
11584 const struct nft_base_chain *basechain;
11585
11586 if (nft_is_base_chain(chain)) {
11587 basechain = nft_base_chain(chain);
11588 if (basechain->type->type != type)
11589 return -EOPNOTSUPP;
11590 }
11591 return 0;
11592 }
11593 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
11594
nft_chain_validate_hooks(const struct nft_chain * chain,unsigned int hook_flags)11595 int nft_chain_validate_hooks(const struct nft_chain *chain,
11596 unsigned int hook_flags)
11597 {
11598 struct nft_base_chain *basechain;
11599
11600 if (nft_is_base_chain(chain)) {
11601 basechain = nft_base_chain(chain);
11602
11603 if ((1 << basechain->ops.hooknum) & hook_flags)
11604 return 0;
11605
11606 return -EOPNOTSUPP;
11607 }
11608
11609 return 0;
11610 }
11611 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
11612
11613 /**
11614 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
11615 *
11616 * @attr: netlink attribute to fetch value from
11617 * @max: maximum value to be stored in dest
11618 * @dest: pointer to the variable
11619 *
11620 * Parse, check and store a given u32 netlink attribute into variable.
11621 * This function returns -ERANGE if the value goes over maximum value.
11622 * Otherwise a 0 is returned and the attribute value is stored in the
11623 * destination variable.
11624 */
nft_parse_u32_check(const struct nlattr * attr,int max,u32 * dest)11625 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
11626 {
11627 u32 val;
11628
11629 val = ntohl(nla_get_be32(attr));
11630 if (val > max)
11631 return -ERANGE;
11632
11633 *dest = val;
11634 return 0;
11635 }
11636 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
11637
nft_parse_register(const struct nlattr * attr,u32 * preg)11638 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
11639 {
11640 unsigned int reg;
11641
11642 reg = ntohl(nla_get_be32(attr));
11643 switch (reg) {
11644 case NFT_REG_VERDICT...NFT_REG_4:
11645 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
11646 break;
11647 case NFT_REG32_00...NFT_REG32_15:
11648 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
11649 break;
11650 default:
11651 return -ERANGE;
11652 }
11653
11654 return 0;
11655 }
11656
11657 /**
11658 * nft_dump_register - dump a register value to a netlink attribute
11659 *
11660 * @skb: socket buffer
11661 * @attr: attribute number
11662 * @reg: register number
11663 *
11664 * Construct a netlink attribute containing the register number. For
11665 * compatibility reasons, register numbers being a multiple of 4 are
11666 * translated to the corresponding 128 bit register numbers.
11667 */
nft_dump_register(struct sk_buff * skb,unsigned int attr,unsigned int reg)11668 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
11669 {
11670 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
11671 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
11672 else
11673 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
11674
11675 return nla_put_be32(skb, attr, htonl(reg));
11676 }
11677 EXPORT_SYMBOL_GPL(nft_dump_register);
11678
nft_validate_register_load(enum nft_registers reg,unsigned int len)11679 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
11680 {
11681 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11682 return -EINVAL;
11683 if (len == 0)
11684 return -EINVAL;
11685 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
11686 return -ERANGE;
11687
11688 return 0;
11689 }
11690
nft_parse_register_load(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * sreg,u32 len)11691 int nft_parse_register_load(const struct nft_ctx *ctx,
11692 const struct nlattr *attr, u8 *sreg, u32 len)
11693 {
11694 int err, invalid_reg;
11695 u32 reg, next_register;
11696
11697 err = nft_parse_register(attr, ®);
11698 if (err < 0)
11699 return err;
11700
11701 err = nft_validate_register_load(reg, len);
11702 if (err < 0)
11703 return err;
11704
11705 next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg;
11706
11707 /* Can't happen: nft_validate_register_load() should have failed */
11708 if (WARN_ON_ONCE(next_register > NFT_REG32_NUM))
11709 return -EINVAL;
11710
11711 /* find first register that did not see an earlier store. */
11712 invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg);
11713
11714 /* invalid register within the range that we're loading from? */
11715 if (invalid_reg < next_register)
11716 return -ENODATA;
11717
11718 *sreg = reg;
11719 return 0;
11720 }
11721 EXPORT_SYMBOL_GPL(nft_parse_register_load);
11722
nft_saw_register_store(const struct nft_ctx * __ctx,int reg,unsigned int len)11723 static void nft_saw_register_store(const struct nft_ctx *__ctx,
11724 int reg, unsigned int len)
11725 {
11726 unsigned int registers = DIV_ROUND_UP(len, NFT_REG32_SIZE);
11727 struct nft_ctx *ctx = (struct nft_ctx *)__ctx;
11728
11729 if (WARN_ON_ONCE(len == 0 || reg < 0))
11730 return;
11731
11732 bitmap_set(ctx->reg_inited, reg, registers);
11733 }
11734
nft_validate_register_store(const struct nft_ctx * ctx,enum nft_registers reg,const struct nft_data * data,enum nft_data_types type,unsigned int len)11735 static int nft_validate_register_store(const struct nft_ctx *ctx,
11736 enum nft_registers reg,
11737 const struct nft_data *data,
11738 enum nft_data_types type,
11739 unsigned int len)
11740 {
11741 switch (reg) {
11742 case NFT_REG_VERDICT:
11743 if (type != NFT_DATA_VERDICT)
11744 return -EINVAL;
11745 break;
11746 default:
11747 if (type != NFT_DATA_VALUE)
11748 return -EINVAL;
11749
11750 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11751 return -EINVAL;
11752 if (len == 0)
11753 return -EINVAL;
11754 if (reg * NFT_REG32_SIZE + len >
11755 sizeof_field(struct nft_regs, data))
11756 return -ERANGE;
11757
11758 break;
11759 }
11760
11761 nft_saw_register_store(ctx, reg, len);
11762 return 0;
11763 }
11764
nft_parse_register_store(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * dreg,const struct nft_data * data,enum nft_data_types type,unsigned int len)11765 int nft_parse_register_store(const struct nft_ctx *ctx,
11766 const struct nlattr *attr, u8 *dreg,
11767 const struct nft_data *data,
11768 enum nft_data_types type, unsigned int len)
11769 {
11770 int err;
11771 u32 reg;
11772
11773 err = nft_parse_register(attr, ®);
11774 if (err < 0)
11775 return err;
11776
11777 err = nft_validate_register_store(ctx, reg, data, type, len);
11778 if (err < 0)
11779 return err;
11780
11781 *dreg = reg;
11782 return 0;
11783 }
11784 EXPORT_SYMBOL_GPL(nft_parse_register_store);
11785
11786 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
11787 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
11788 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
11789 .len = NFT_CHAIN_MAXNAMELEN - 1 },
11790 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
11791 };
11792
nft_verdict_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11793 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
11794 struct nft_data_desc *desc, const struct nlattr *nla)
11795 {
11796 u8 genmask = nft_genmask_next(ctx->net);
11797 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
11798 struct nft_chain *chain;
11799 int err;
11800
11801 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
11802 nft_verdict_policy, NULL);
11803 if (err < 0)
11804 return err;
11805
11806 if (!tb[NFTA_VERDICT_CODE])
11807 return -EINVAL;
11808
11809 /* zero padding hole for memcmp */
11810 memset(data, 0, sizeof(*data));
11811 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
11812
11813 switch (data->verdict.code) {
11814 case NF_ACCEPT:
11815 case NF_DROP:
11816 case NF_QUEUE:
11817 break;
11818 case NFT_CONTINUE:
11819 case NFT_BREAK:
11820 case NFT_RETURN:
11821 break;
11822 case NFT_JUMP:
11823 case NFT_GOTO:
11824 if (tb[NFTA_VERDICT_CHAIN]) {
11825 chain = nft_chain_lookup(ctx->net, ctx->table,
11826 tb[NFTA_VERDICT_CHAIN],
11827 genmask);
11828 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
11829 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
11830 tb[NFTA_VERDICT_CHAIN_ID],
11831 genmask);
11832 if (IS_ERR(chain))
11833 return PTR_ERR(chain);
11834 } else {
11835 return -EINVAL;
11836 }
11837
11838 if (IS_ERR(chain))
11839 return PTR_ERR(chain);
11840 if (nft_is_base_chain(chain))
11841 return -EOPNOTSUPP;
11842 if (nft_chain_is_bound(chain))
11843 return -EINVAL;
11844 if (desc->flags & NFT_DATA_DESC_SETELEM &&
11845 chain->flags & NFT_CHAIN_BINDING)
11846 return -EINVAL;
11847 if (!nft_use_inc(&chain->use))
11848 return -EMFILE;
11849
11850 data->verdict.chain = chain;
11851 break;
11852 default:
11853 return -EINVAL;
11854 }
11855
11856 desc->len = sizeof(data->verdict);
11857
11858 return 0;
11859 }
11860
nft_verdict_uninit(const struct nft_data * data)11861 static void nft_verdict_uninit(const struct nft_data *data)
11862 {
11863 struct nft_chain *chain;
11864
11865 switch (data->verdict.code) {
11866 case NFT_JUMP:
11867 case NFT_GOTO:
11868 chain = data->verdict.chain;
11869 nft_use_dec(&chain->use);
11870 break;
11871 }
11872 }
11873
nft_verdict_dump(struct sk_buff * skb,int type,const struct nft_verdict * v)11874 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
11875 {
11876 struct nlattr *nest;
11877
11878 nest = nla_nest_start_noflag(skb, type);
11879 if (!nest)
11880 goto nla_put_failure;
11881
11882 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
11883 goto nla_put_failure;
11884
11885 switch (v->code) {
11886 case NFT_JUMP:
11887 case NFT_GOTO:
11888 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
11889 v->chain->name))
11890 goto nla_put_failure;
11891 }
11892 nla_nest_end(skb, nest);
11893 return 0;
11894
11895 nla_put_failure:
11896 return -1;
11897 }
11898
nft_value_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11899 static int nft_value_init(const struct nft_ctx *ctx,
11900 struct nft_data *data, struct nft_data_desc *desc,
11901 const struct nlattr *nla)
11902 {
11903 unsigned int len;
11904
11905 len = nla_len(nla);
11906 if (len == 0)
11907 return -EINVAL;
11908 if (len > desc->size)
11909 return -EOVERFLOW;
11910 if (desc->len) {
11911 if (len != desc->len)
11912 return -EINVAL;
11913 } else {
11914 desc->len = len;
11915 }
11916
11917 nla_memcpy(data->data, nla, len);
11918
11919 return 0;
11920 }
11921
nft_value_dump(struct sk_buff * skb,const struct nft_data * data,unsigned int len)11922 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
11923 unsigned int len)
11924 {
11925 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
11926 }
11927
11928 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11929 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11930 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11931 };
11932
11933 /**
11934 * nft_data_init - parse nf_tables data netlink attributes
11935 *
11936 * @ctx: context of the expression using the data
11937 * @data: destination struct nft_data
11938 * @desc: data description
11939 * @nla: netlink attribute containing data
11940 *
11941 * Parse the netlink data attributes and initialize a struct nft_data.
11942 * The type and length of data are returned in the data description.
11943 *
11944 * The caller can indicate that it only wants to accept data of type
11945 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11946 */
nft_data_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11947 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11948 struct nft_data_desc *desc, const struct nlattr *nla)
11949 {
11950 struct nlattr *tb[NFTA_DATA_MAX + 1];
11951 int err;
11952
11953 if (WARN_ON_ONCE(!desc->size))
11954 return -EINVAL;
11955
11956 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11957 nft_data_policy, NULL);
11958 if (err < 0)
11959 return err;
11960
11961 if (tb[NFTA_DATA_VALUE]) {
11962 if (desc->type != NFT_DATA_VALUE)
11963 return -EINVAL;
11964
11965 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
11966 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11967 if (desc->type != NFT_DATA_VERDICT)
11968 return -EINVAL;
11969
11970 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
11971 } else {
11972 err = -EINVAL;
11973 }
11974
11975 return err;
11976 }
11977 EXPORT_SYMBOL_GPL(nft_data_init);
11978
11979 /**
11980 * nft_data_release - release a nft_data item
11981 *
11982 * @data: struct nft_data to release
11983 * @type: type of data
11984 *
11985 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11986 * all others need to be released by calling this function.
11987 */
nft_data_release(const struct nft_data * data,enum nft_data_types type)11988 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11989 {
11990 if (type < NFT_DATA_VERDICT)
11991 return;
11992 switch (type) {
11993 case NFT_DATA_VERDICT:
11994 return nft_verdict_uninit(data);
11995 default:
11996 WARN_ON(1);
11997 }
11998 }
11999 EXPORT_SYMBOL_GPL(nft_data_release);
12000
nft_data_dump(struct sk_buff * skb,int attr,const struct nft_data * data,enum nft_data_types type,unsigned int len)12001 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
12002 enum nft_data_types type, unsigned int len)
12003 {
12004 struct nlattr *nest;
12005 int err;
12006
12007 nest = nla_nest_start_noflag(skb, attr);
12008 if (nest == NULL)
12009 return -1;
12010
12011 switch (type) {
12012 case NFT_DATA_VALUE:
12013 err = nft_value_dump(skb, data, len);
12014 break;
12015 case NFT_DATA_VERDICT:
12016 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
12017 break;
12018 default:
12019 err = -EINVAL;
12020 WARN_ON(1);
12021 }
12022
12023 nla_nest_end(skb, nest);
12024 return err;
12025 }
12026 EXPORT_SYMBOL_GPL(nft_data_dump);
12027
__nft_release_hook(struct net * net,struct nft_table * table)12028 static void __nft_release_hook(struct net *net, struct nft_table *table)
12029 {
12030 struct nft_flowtable *flowtable;
12031 struct nft_chain *chain;
12032
12033 list_for_each_entry(chain, &table->chains, list)
12034 __nf_tables_unregister_hook(net, table, chain, true);
12035 list_for_each_entry(flowtable, &table->flowtables, list)
12036 __nft_unregister_flowtable_net_hooks(net, flowtable,
12037 &flowtable->hook_list,
12038 true);
12039 }
12040
__nft_release_hooks(struct net * net)12041 static void __nft_release_hooks(struct net *net)
12042 {
12043 struct nftables_pernet *nft_net = nft_pernet(net);
12044 struct nft_table *table;
12045
12046 list_for_each_entry(table, &nft_net->tables, list) {
12047 if (nft_table_has_owner(table))
12048 continue;
12049
12050 __nft_release_hook(net, table);
12051 }
12052 }
12053
__nft_release_table(struct net * net,struct nft_table * table)12054 static void __nft_release_table(struct net *net, struct nft_table *table)
12055 {
12056 struct nft_flowtable *flowtable, *nf;
12057 struct nft_chain *chain, *nc;
12058 struct nft_object *obj, *ne;
12059 struct nft_rule *rule, *nr;
12060 struct nft_set *set, *ns;
12061 struct nft_ctx ctx = {
12062 .net = net,
12063 .family = NFPROTO_NETDEV,
12064 };
12065
12066 ctx.family = table->family;
12067 ctx.table = table;
12068 list_for_each_entry(chain, &table->chains, list) {
12069 if (nft_chain_binding(chain))
12070 continue;
12071
12072 ctx.chain = chain;
12073 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
12074 list_del(&rule->list);
12075 nft_use_dec(&chain->use);
12076 nf_tables_rule_release(&ctx, rule);
12077 }
12078 }
12079 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
12080 list_del(&flowtable->list);
12081 nft_use_dec(&table->use);
12082 nf_tables_flowtable_destroy(flowtable);
12083 }
12084 list_for_each_entry_safe(set, ns, &table->sets, list) {
12085 list_del(&set->list);
12086 nft_use_dec(&table->use);
12087 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
12088 nft_map_deactivate(&ctx, set);
12089
12090 nft_set_destroy(&ctx, set);
12091 }
12092 list_for_each_entry_safe(obj, ne, &table->objects, list) {
12093 nft_obj_del(obj);
12094 nft_use_dec(&table->use);
12095 nft_obj_destroy(&ctx, obj);
12096 }
12097 list_for_each_entry_safe(chain, nc, &table->chains, list) {
12098 nft_chain_del(chain);
12099 nft_use_dec(&table->use);
12100 nf_tables_chain_destroy(chain);
12101 }
12102 nf_tables_table_destroy(table);
12103 }
12104
__nft_release_tables(struct net * net)12105 static void __nft_release_tables(struct net *net)
12106 {
12107 struct nftables_pernet *nft_net = nft_pernet(net);
12108 struct nft_table *table, *nt;
12109
12110 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
12111 if (nft_table_has_owner(table))
12112 continue;
12113
12114 list_del(&table->list);
12115
12116 __nft_release_table(net, table);
12117 }
12118 }
12119
nft_rcv_nl_event(struct notifier_block * this,unsigned long event,void * ptr)12120 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
12121 void *ptr)
12122 {
12123 struct nft_table *table, *to_delete[8];
12124 struct nftables_pernet *nft_net;
12125 struct netlink_notify *n = ptr;
12126 struct net *net = n->net;
12127 unsigned int deleted;
12128 bool restart = false;
12129 unsigned int gc_seq;
12130
12131 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
12132 return NOTIFY_DONE;
12133
12134 nft_net = nft_pernet(net);
12135 deleted = 0;
12136 mutex_lock(&nft_net->commit_mutex);
12137
12138 gc_seq = nft_gc_seq_begin(nft_net);
12139
12140 nf_tables_trans_destroy_flush_work(net);
12141 again:
12142 list_for_each_entry(table, &nft_net->tables, list) {
12143 if (nft_table_has_owner(table) &&
12144 n->portid == table->nlpid) {
12145 if (table->flags & NFT_TABLE_F_PERSIST) {
12146 table->flags &= ~NFT_TABLE_F_OWNER;
12147 continue;
12148 }
12149 __nft_release_hook(net, table);
12150 list_del_rcu(&table->list);
12151 to_delete[deleted++] = table;
12152 if (deleted >= ARRAY_SIZE(to_delete))
12153 break;
12154 }
12155 }
12156 if (deleted) {
12157 restart = deleted >= ARRAY_SIZE(to_delete);
12158 synchronize_rcu();
12159 while (deleted)
12160 __nft_release_table(net, to_delete[--deleted]);
12161
12162 if (restart)
12163 goto again;
12164 }
12165 nft_gc_seq_end(nft_net, gc_seq);
12166
12167 mutex_unlock(&nft_net->commit_mutex);
12168
12169 return NOTIFY_DONE;
12170 }
12171
12172 static struct notifier_block nft_nl_notifier = {
12173 .notifier_call = nft_rcv_nl_event,
12174 };
12175
nf_tables_init_net(struct net * net)12176 static int __net_init nf_tables_init_net(struct net *net)
12177 {
12178 struct nftables_pernet *nft_net = nft_pernet(net);
12179
12180 INIT_LIST_HEAD(&nft_net->tables);
12181 INIT_LIST_HEAD(&nft_net->commit_list);
12182 INIT_LIST_HEAD(&nft_net->destroy_list);
12183 INIT_LIST_HEAD(&nft_net->commit_set_list);
12184 INIT_LIST_HEAD(&nft_net->binding_list);
12185 INIT_LIST_HEAD(&nft_net->module_list);
12186 INIT_LIST_HEAD(&nft_net->notify_list);
12187 mutex_init(&nft_net->commit_mutex);
12188 net->nft.base_seq = 1;
12189 nft_net->gc_seq = 0;
12190 nft_net->validate_state = NFT_VALIDATE_SKIP;
12191 INIT_WORK(&nft_net->destroy_work, nf_tables_trans_destroy_work);
12192
12193 return 0;
12194 }
12195
nf_tables_pre_exit_net(struct net * net)12196 static void __net_exit nf_tables_pre_exit_net(struct net *net)
12197 {
12198 struct nftables_pernet *nft_net = nft_pernet(net);
12199
12200 mutex_lock(&nft_net->commit_mutex);
12201 __nft_release_hooks(net);
12202 mutex_unlock(&nft_net->commit_mutex);
12203 }
12204
nf_tables_exit_net(struct net * net)12205 static void __net_exit nf_tables_exit_net(struct net *net)
12206 {
12207 struct nftables_pernet *nft_net = nft_pernet(net);
12208 unsigned int gc_seq;
12209
12210 mutex_lock(&nft_net->commit_mutex);
12211
12212 gc_seq = nft_gc_seq_begin(nft_net);
12213
12214 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
12215 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
12216
12217 if (!list_empty(&nft_net->module_list))
12218 nf_tables_module_autoload_cleanup(net);
12219
12220 cancel_work_sync(&nft_net->destroy_work);
12221 __nft_release_tables(net);
12222
12223 nft_gc_seq_end(nft_net, gc_seq);
12224
12225 mutex_unlock(&nft_net->commit_mutex);
12226
12227 WARN_ON_ONCE(!list_empty(&nft_net->tables));
12228 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
12229 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
12230 WARN_ON_ONCE(!list_empty(&nft_net->destroy_list));
12231 }
12232
nf_tables_exit_batch(struct list_head * net_exit_list)12233 static void nf_tables_exit_batch(struct list_head *net_exit_list)
12234 {
12235 flush_work(&trans_gc_work);
12236 }
12237
12238 static struct pernet_operations nf_tables_net_ops = {
12239 .init = nf_tables_init_net,
12240 .pre_exit = nf_tables_pre_exit_net,
12241 .exit = nf_tables_exit_net,
12242 .exit_batch = nf_tables_exit_batch,
12243 .id = &nf_tables_net_id,
12244 .size = sizeof(struct nftables_pernet),
12245 };
12246
nf_tables_module_init(void)12247 static int __init nf_tables_module_init(void)
12248 {
12249 int err;
12250
12251 BUILD_BUG_ON(offsetof(struct nft_trans_table, nft_trans) != 0);
12252 BUILD_BUG_ON(offsetof(struct nft_trans_chain, nft_trans_binding.nft_trans) != 0);
12253 BUILD_BUG_ON(offsetof(struct nft_trans_rule, nft_trans) != 0);
12254 BUILD_BUG_ON(offsetof(struct nft_trans_set, nft_trans_binding.nft_trans) != 0);
12255 BUILD_BUG_ON(offsetof(struct nft_trans_elem, nft_trans) != 0);
12256 BUILD_BUG_ON(offsetof(struct nft_trans_obj, nft_trans) != 0);
12257 BUILD_BUG_ON(offsetof(struct nft_trans_flowtable, nft_trans) != 0);
12258
12259 err = register_pernet_subsys(&nf_tables_net_ops);
12260 if (err < 0)
12261 return err;
12262
12263 err = nft_chain_filter_init();
12264 if (err < 0)
12265 goto err_chain_filter;
12266
12267 err = nf_tables_core_module_init();
12268 if (err < 0)
12269 goto err_core_module;
12270
12271 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
12272 if (err < 0)
12273 goto err_netdev_notifier;
12274
12275 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
12276 if (err < 0)
12277 goto err_rht_objname;
12278
12279 err = nft_offload_init();
12280 if (err < 0)
12281 goto err_offload;
12282
12283 err = netlink_register_notifier(&nft_nl_notifier);
12284 if (err < 0)
12285 goto err_netlink_notifier;
12286
12287 /* must be last */
12288 err = nfnetlink_subsys_register(&nf_tables_subsys);
12289 if (err < 0)
12290 goto err_nfnl_subsys;
12291
12292 nft_chain_route_init();
12293
12294 return err;
12295
12296 err_nfnl_subsys:
12297 netlink_unregister_notifier(&nft_nl_notifier);
12298 err_netlink_notifier:
12299 nft_offload_exit();
12300 err_offload:
12301 rhltable_destroy(&nft_objname_ht);
12302 err_rht_objname:
12303 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
12304 err_netdev_notifier:
12305 nf_tables_core_module_exit();
12306 err_core_module:
12307 nft_chain_filter_fini();
12308 err_chain_filter:
12309 unregister_pernet_subsys(&nf_tables_net_ops);
12310 return err;
12311 }
12312
nf_tables_module_exit(void)12313 static void __exit nf_tables_module_exit(void)
12314 {
12315 nfnetlink_subsys_unregister(&nf_tables_subsys);
12316 netlink_unregister_notifier(&nft_nl_notifier);
12317 nft_offload_exit();
12318 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
12319 nft_chain_filter_fini();
12320 nft_chain_route_fini();
12321 unregister_pernet_subsys(&nf_tables_net_ops);
12322 cancel_work_sync(&trans_gc_work);
12323 rcu_barrier();
12324 rhltable_destroy(&nft_objname_ht);
12325 nf_tables_core_module_exit();
12326 }
12327
12328 module_init(nf_tables_module_init);
12329 module_exit(nf_tables_module_exit);
12330
12331 MODULE_LICENSE("GPL");
12332 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
12333 MODULE_DESCRIPTION("Framework for packet filtering and classification");
12334 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
12335