1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter_ipv4.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/netfilter/nf_tables_offload.h>
24 #include <net/net_namespace.h>
25 #include <net/sock.h>
26
27 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
28 #define NFT_SET_MAX_ANONLEN 16
29
30 /* limit compaction to avoid huge kmalloc/krealloc sizes. */
31 #define NFT_MAX_SET_NELEMS ((2048 - sizeof(struct nft_trans_elem)) / sizeof(struct nft_trans_one_elem))
32
33 unsigned int nf_tables_net_id __read_mostly;
34
35 static LIST_HEAD(nf_tables_expressions);
36 static LIST_HEAD(nf_tables_objects);
37 static LIST_HEAD(nf_tables_flowtables);
38 static LIST_HEAD(nf_tables_gc_list);
39 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
40 static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
41
42 enum {
43 NFT_VALIDATE_SKIP = 0,
44 NFT_VALIDATE_NEED,
45 NFT_VALIDATE_DO,
46 };
47
48 static struct rhltable nft_objname_ht;
49
50 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
51 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
52 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
53
54 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
55 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
56 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
57
58 static const struct rhashtable_params nft_chain_ht_params = {
59 .head_offset = offsetof(struct nft_chain, rhlhead),
60 .key_offset = offsetof(struct nft_chain, name),
61 .hashfn = nft_chain_hash,
62 .obj_hashfn = nft_chain_hash_obj,
63 .obj_cmpfn = nft_chain_hash_cmp,
64 .automatic_shrinking = true,
65 };
66
67 static const struct rhashtable_params nft_objname_ht_params = {
68 .head_offset = offsetof(struct nft_object, rhlhead),
69 .key_offset = offsetof(struct nft_object, key),
70 .hashfn = nft_objname_hash,
71 .obj_hashfn = nft_objname_hash_obj,
72 .obj_cmpfn = nft_objname_hash_cmp,
73 .automatic_shrinking = true,
74 };
75
76 struct nft_audit_data {
77 struct nft_table *table;
78 int entries;
79 int op;
80 struct list_head list;
81 };
82
83 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
84 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
85 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
87 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
88 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
90 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
91 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
93 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
94 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
96 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
97 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
99 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
100 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
102 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
103 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
104 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
105 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
106 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
107 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
108 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
109 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
110 };
111
nft_validate_state_update(struct nft_table * table,u8 new_validate_state)112 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
113 {
114 switch (table->validate_state) {
115 case NFT_VALIDATE_SKIP:
116 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
117 break;
118 case NFT_VALIDATE_NEED:
119 break;
120 case NFT_VALIDATE_DO:
121 if (new_validate_state == NFT_VALIDATE_NEED)
122 return;
123 }
124
125 table->validate_state = new_validate_state;
126 }
127
nft_chain_vstate_valid(const struct nft_ctx * ctx,const struct nft_chain * chain)128 static bool nft_chain_vstate_valid(const struct nft_ctx *ctx,
129 const struct nft_chain *chain)
130 {
131 const struct nft_base_chain *base_chain;
132 enum nft_chain_types type;
133 u8 hooknum;
134
135 if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain)))
136 return false;
137
138 base_chain = nft_base_chain(ctx->chain);
139 hooknum = base_chain->ops.hooknum;
140 type = base_chain->type->type;
141
142 /* chain is already validated for this call depth */
143 if (chain->vstate.depth >= ctx->level &&
144 chain->vstate.hook_mask[type] & BIT(hooknum))
145 return true;
146
147 return false;
148 }
149
150 static void nf_tables_trans_destroy_work(struct work_struct *w);
151
152 static void nft_trans_gc_work(struct work_struct *work);
153 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
154
nft_ctx_init(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,u8 family,struct nft_table * table,struct nft_chain * chain,const struct nlattr * const * nla)155 static void nft_ctx_init(struct nft_ctx *ctx,
156 struct net *net,
157 const struct sk_buff *skb,
158 const struct nlmsghdr *nlh,
159 u8 family,
160 struct nft_table *table,
161 struct nft_chain *chain,
162 const struct nlattr * const *nla)
163 {
164 ctx->net = net;
165 ctx->family = family;
166 ctx->level = 0;
167 ctx->table = table;
168 ctx->chain = chain;
169 ctx->nla = nla;
170 ctx->portid = NETLINK_CB(skb).portid;
171 ctx->report = nlmsg_report(nlh);
172 ctx->flags = nlh->nlmsg_flags;
173 ctx->seq = nlh->nlmsg_seq;
174
175 bitmap_zero(ctx->reg_inited, NFT_REG32_NUM);
176 }
177
nft_trans_alloc(const struct nft_ctx * ctx,int msg_type,u32 size)178 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
179 int msg_type, u32 size)
180 {
181 struct nft_trans *trans;
182
183 trans = kzalloc(size, GFP_KERNEL);
184 if (trans == NULL)
185 return NULL;
186
187 INIT_LIST_HEAD(&trans->list);
188 trans->msg_type = msg_type;
189
190 trans->net = ctx->net;
191 trans->table = ctx->table;
192 trans->seq = ctx->seq;
193 trans->flags = ctx->flags;
194 trans->report = ctx->report;
195
196 return trans;
197 }
198
nft_trans_get_binding(struct nft_trans * trans)199 static struct nft_trans_binding *nft_trans_get_binding(struct nft_trans *trans)
200 {
201 switch (trans->msg_type) {
202 case NFT_MSG_NEWCHAIN:
203 case NFT_MSG_NEWSET:
204 return container_of(trans, struct nft_trans_binding, nft_trans);
205 }
206
207 return NULL;
208 }
209
nft_trans_list_del(struct nft_trans * trans)210 static void nft_trans_list_del(struct nft_trans *trans)
211 {
212 struct nft_trans_binding *trans_binding;
213
214 list_del(&trans->list);
215
216 trans_binding = nft_trans_get_binding(trans);
217 if (trans_binding)
218 list_del(&trans_binding->binding_list);
219 }
220
nft_trans_destroy(struct nft_trans * trans)221 static void nft_trans_destroy(struct nft_trans *trans)
222 {
223 nft_trans_list_del(trans);
224 kfree(trans);
225 }
226
__nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set,bool bind)227 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
228 bool bind)
229 {
230 struct nftables_pernet *nft_net;
231 struct net *net = ctx->net;
232 struct nft_trans *trans;
233
234 if (!nft_set_is_anonymous(set))
235 return;
236
237 nft_net = nft_pernet(net);
238 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
239 switch (trans->msg_type) {
240 case NFT_MSG_NEWSET:
241 if (nft_trans_set(trans) == set)
242 nft_trans_set_bound(trans) = bind;
243 break;
244 case NFT_MSG_NEWSETELEM:
245 if (nft_trans_elem_set(trans) == set)
246 nft_trans_elem_set_bound(trans) = bind;
247 break;
248 }
249 }
250 }
251
nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set)252 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
253 {
254 return __nft_set_trans_bind(ctx, set, true);
255 }
256
nft_set_trans_unbind(const struct nft_ctx * ctx,struct nft_set * set)257 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
258 {
259 return __nft_set_trans_bind(ctx, set, false);
260 }
261
__nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain,bool bind)262 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
263 struct nft_chain *chain, bool bind)
264 {
265 struct nftables_pernet *nft_net;
266 struct net *net = ctx->net;
267 struct nft_trans *trans;
268
269 if (!nft_chain_binding(chain))
270 return;
271
272 nft_net = nft_pernet(net);
273 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
274 switch (trans->msg_type) {
275 case NFT_MSG_NEWCHAIN:
276 if (nft_trans_chain(trans) == chain)
277 nft_trans_chain_bound(trans) = bind;
278 break;
279 case NFT_MSG_NEWRULE:
280 if (nft_trans_rule_chain(trans) == chain)
281 nft_trans_rule_bound(trans) = bind;
282 break;
283 }
284 }
285 }
286
nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain)287 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
288 struct nft_chain *chain)
289 {
290 __nft_chain_trans_bind(ctx, chain, true);
291 }
292
nf_tables_bind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)293 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
294 {
295 if (!nft_chain_binding(chain))
296 return 0;
297
298 if (nft_chain_binding(ctx->chain))
299 return -EOPNOTSUPP;
300
301 if (chain->bound)
302 return -EBUSY;
303
304 if (!nft_use_inc(&chain->use))
305 return -EMFILE;
306
307 chain->bound = true;
308 nft_chain_trans_bind(ctx, chain);
309
310 return 0;
311 }
312
nf_tables_unbind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)313 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
314 {
315 __nft_chain_trans_bind(ctx, chain, false);
316 }
317
nft_netdev_register_hooks(struct net * net,struct list_head * hook_list)318 static int nft_netdev_register_hooks(struct net *net,
319 struct list_head *hook_list)
320 {
321 struct nf_hook_ops *ops;
322 struct nft_hook *hook;
323 int err, j;
324
325 j = 0;
326 list_for_each_entry(hook, hook_list, list) {
327 list_for_each_entry(ops, &hook->ops_list, list) {
328 err = nf_register_net_hook(net, ops);
329 if (err < 0)
330 goto err_register;
331
332 j++;
333 }
334 }
335 return 0;
336
337 err_register:
338 list_for_each_entry(hook, hook_list, list) {
339 list_for_each_entry(ops, &hook->ops_list, list) {
340 if (j-- <= 0)
341 break;
342
343 nf_unregister_net_hook(net, ops);
344 }
345 }
346 return err;
347 }
348
nft_netdev_hook_free_ops(struct nft_hook * hook)349 static void nft_netdev_hook_free_ops(struct nft_hook *hook)
350 {
351 struct nf_hook_ops *ops, *next;
352
353 list_for_each_entry_safe(ops, next, &hook->ops_list, list) {
354 list_del(&ops->list);
355 kfree(ops);
356 }
357 }
358
nft_netdev_hook_free(struct nft_hook * hook)359 static void nft_netdev_hook_free(struct nft_hook *hook)
360 {
361 nft_netdev_hook_free_ops(hook);
362 kfree(hook);
363 }
364
__nft_netdev_hook_free_rcu(struct rcu_head * rcu)365 static void __nft_netdev_hook_free_rcu(struct rcu_head *rcu)
366 {
367 struct nft_hook *hook = container_of(rcu, struct nft_hook, rcu);
368
369 nft_netdev_hook_free(hook);
370 }
371
nft_netdev_hook_free_rcu(struct nft_hook * hook)372 static void nft_netdev_hook_free_rcu(struct nft_hook *hook)
373 {
374 call_rcu(&hook->rcu, __nft_netdev_hook_free_rcu);
375 }
376
nft_netdev_unregister_hooks(struct net * net,struct list_head * hook_list,bool release_netdev)377 static void nft_netdev_unregister_hooks(struct net *net,
378 struct list_head *hook_list,
379 bool release_netdev)
380 {
381 struct nft_hook *hook, *next;
382 struct nf_hook_ops *ops;
383
384 list_for_each_entry_safe(hook, next, hook_list, list) {
385 list_for_each_entry(ops, &hook->ops_list, list)
386 nf_unregister_net_hook(net, ops);
387 if (release_netdev) {
388 list_del(&hook->list);
389 nft_netdev_hook_free_rcu(hook);
390 }
391 }
392 }
393
nf_tables_register_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)394 static int nf_tables_register_hook(struct net *net,
395 const struct nft_table *table,
396 struct nft_chain *chain)
397 {
398 struct nft_base_chain *basechain;
399 const struct nf_hook_ops *ops;
400
401 if (table->flags & NFT_TABLE_F_DORMANT ||
402 !nft_is_base_chain(chain))
403 return 0;
404
405 basechain = nft_base_chain(chain);
406 ops = &basechain->ops;
407
408 if (basechain->type->ops_register)
409 return basechain->type->ops_register(net, ops);
410
411 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
412 return nft_netdev_register_hooks(net, &basechain->hook_list);
413
414 return nf_register_net_hook(net, &basechain->ops);
415 }
416
__nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain,bool release_netdev)417 static void __nf_tables_unregister_hook(struct net *net,
418 const struct nft_table *table,
419 struct nft_chain *chain,
420 bool release_netdev)
421 {
422 struct nft_base_chain *basechain;
423 const struct nf_hook_ops *ops;
424
425 if (table->flags & NFT_TABLE_F_DORMANT ||
426 !nft_is_base_chain(chain))
427 return;
428 basechain = nft_base_chain(chain);
429 ops = &basechain->ops;
430
431 if (basechain->type->ops_unregister)
432 return basechain->type->ops_unregister(net, ops);
433
434 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
435 nft_netdev_unregister_hooks(net, &basechain->hook_list,
436 release_netdev);
437 else
438 nf_unregister_net_hook(net, &basechain->ops);
439 }
440
nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)441 static void nf_tables_unregister_hook(struct net *net,
442 const struct nft_table *table,
443 struct nft_chain *chain)
444 {
445 return __nf_tables_unregister_hook(net, table, chain, false);
446 }
447
nft_trans_collapse_set_elem_allowed(const struct nft_trans_elem * a,const struct nft_trans_elem * b)448 static bool nft_trans_collapse_set_elem_allowed(const struct nft_trans_elem *a, const struct nft_trans_elem *b)
449 {
450 /* NB: the ->bound equality check is defensive, at this time we only merge
451 * a new nft_trans_elem transaction request with the transaction tail
452 * element, but a->bound != b->bound would imply a NEWRULE transaction
453 * is queued in-between.
454 *
455 * The set check is mandatory, the NFT_MAX_SET_NELEMS check prevents
456 * huge krealloc() requests.
457 */
458 return a->set == b->set && a->bound == b->bound && a->nelems < NFT_MAX_SET_NELEMS;
459 }
460
nft_trans_collapse_set_elem(struct nftables_pernet * nft_net,struct nft_trans_elem * tail,struct nft_trans_elem * trans)461 static bool nft_trans_collapse_set_elem(struct nftables_pernet *nft_net,
462 struct nft_trans_elem *tail,
463 struct nft_trans_elem *trans)
464 {
465 unsigned int nelems, old_nelems = tail->nelems;
466 struct nft_trans_elem *new_trans;
467
468 if (!nft_trans_collapse_set_elem_allowed(tail, trans))
469 return false;
470
471 /* "cannot happen", at this time userspace element add
472 * requests always allocate a new transaction element.
473 *
474 * This serves as a reminder to adjust the list_add_tail
475 * logic below in case this ever changes.
476 */
477 if (WARN_ON_ONCE(trans->nelems != 1))
478 return false;
479
480 if (check_add_overflow(old_nelems, trans->nelems, &nelems))
481 return false;
482
483 /* krealloc might free tail which invalidates list pointers */
484 list_del_init(&tail->nft_trans.list);
485
486 new_trans = krealloc(tail, struct_size(tail, elems, nelems),
487 GFP_KERNEL);
488 if (!new_trans) {
489 list_add_tail(&tail->nft_trans.list,
490 &nft_net->commit_list);
491 return false;
492 }
493
494 /*
495 * new_trans->nft_trans.list contains garbage, but
496 * list_add_tail() doesn't care.
497 */
498 new_trans->nelems = nelems;
499 new_trans->elems[old_nelems] = trans->elems[0];
500 list_add_tail(&new_trans->nft_trans.list, &nft_net->commit_list);
501
502 return true;
503 }
504
nft_trans_try_collapse(struct nftables_pernet * nft_net,struct nft_trans * trans)505 static bool nft_trans_try_collapse(struct nftables_pernet *nft_net,
506 struct nft_trans *trans)
507 {
508 struct nft_trans *tail;
509
510 if (list_empty(&nft_net->commit_list))
511 return false;
512
513 tail = list_last_entry(&nft_net->commit_list, struct nft_trans, list);
514
515 if (tail->msg_type != trans->msg_type)
516 return false;
517
518 switch (trans->msg_type) {
519 case NFT_MSG_NEWSETELEM:
520 case NFT_MSG_DELSETELEM:
521 return nft_trans_collapse_set_elem(nft_net,
522 nft_trans_container_elem(tail),
523 nft_trans_container_elem(trans));
524 }
525
526 return false;
527 }
528
nft_trans_commit_list_add_tail(struct net * net,struct nft_trans * trans)529 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
530 {
531 struct nftables_pernet *nft_net = nft_pernet(net);
532 struct nft_trans_binding *binding;
533 struct nft_trans_set *trans_set;
534
535 list_add_tail(&trans->list, &nft_net->commit_list);
536
537 binding = nft_trans_get_binding(trans);
538 if (!binding)
539 return;
540
541 switch (trans->msg_type) {
542 case NFT_MSG_NEWSET:
543 trans_set = nft_trans_container_set(trans);
544
545 if (!nft_trans_set_update(trans) &&
546 nft_set_is_anonymous(nft_trans_set(trans)))
547 list_add_tail(&binding->binding_list, &nft_net->binding_list);
548
549 list_add_tail(&trans_set->list_trans_newset, &nft_net->commit_set_list);
550 break;
551 case NFT_MSG_NEWCHAIN:
552 if (!nft_trans_chain_update(trans) &&
553 nft_chain_binding(nft_trans_chain(trans)))
554 list_add_tail(&binding->binding_list, &nft_net->binding_list);
555 break;
556 }
557 }
558
nft_trans_commit_list_add_elem(struct net * net,struct nft_trans * trans)559 static void nft_trans_commit_list_add_elem(struct net *net, struct nft_trans *trans)
560 {
561 struct nftables_pernet *nft_net = nft_pernet(net);
562
563 WARN_ON_ONCE(trans->msg_type != NFT_MSG_NEWSETELEM &&
564 trans->msg_type != NFT_MSG_DELSETELEM);
565
566 if (nft_trans_try_collapse(nft_net, trans)) {
567 kfree(trans);
568 return;
569 }
570
571 nft_trans_commit_list_add_tail(net, trans);
572 }
573
nft_trans_table_add(struct nft_ctx * ctx,int msg_type)574 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
575 {
576 struct nft_trans *trans;
577
578 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
579 if (trans == NULL)
580 return -ENOMEM;
581
582 if (msg_type == NFT_MSG_NEWTABLE)
583 nft_activate_next(ctx->net, ctx->table);
584
585 nft_trans_commit_list_add_tail(ctx->net, trans);
586 return 0;
587 }
588
nft_deltable(struct nft_ctx * ctx)589 static int nft_deltable(struct nft_ctx *ctx)
590 {
591 int err;
592
593 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
594 if (err < 0)
595 return err;
596
597 nft_deactivate_next(ctx->net, ctx->table);
598 return err;
599 }
600
601 static struct nft_trans *
nft_trans_alloc_chain(const struct nft_ctx * ctx,int msg_type)602 nft_trans_alloc_chain(const struct nft_ctx *ctx, int msg_type)
603 {
604 struct nft_trans_chain *trans_chain;
605 struct nft_trans *trans;
606
607 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
608 if (!trans)
609 return NULL;
610
611 trans_chain = nft_trans_container_chain(trans);
612 INIT_LIST_HEAD(&trans_chain->nft_trans_binding.binding_list);
613 trans_chain->chain = ctx->chain;
614
615 return trans;
616 }
617
nft_trans_chain_add(struct nft_ctx * ctx,int msg_type)618 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
619 {
620 struct nft_trans *trans;
621
622 trans = nft_trans_alloc_chain(ctx, msg_type);
623 if (trans == NULL)
624 return ERR_PTR(-ENOMEM);
625
626 if (msg_type == NFT_MSG_NEWCHAIN) {
627 nft_activate_next(ctx->net, ctx->chain);
628
629 if (ctx->nla[NFTA_CHAIN_ID]) {
630 nft_trans_chain_id(trans) =
631 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
632 }
633 }
634 nft_trans_commit_list_add_tail(ctx->net, trans);
635
636 return trans;
637 }
638
nft_delchain(struct nft_ctx * ctx)639 static int nft_delchain(struct nft_ctx *ctx)
640 {
641 struct nft_trans *trans;
642
643 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
644 if (IS_ERR(trans))
645 return PTR_ERR(trans);
646
647 nft_use_dec(&ctx->table->use);
648 nft_deactivate_next(ctx->net, ctx->chain);
649
650 return 0;
651 }
652
nft_rule_expr_activate(const struct nft_ctx * ctx,struct nft_rule * rule)653 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
654 {
655 struct nft_expr *expr;
656
657 expr = nft_expr_first(rule);
658 while (nft_expr_more(rule, expr)) {
659 if (expr->ops->activate)
660 expr->ops->activate(ctx, expr);
661
662 expr = nft_expr_next(expr);
663 }
664 }
665
nft_rule_expr_deactivate(const struct nft_ctx * ctx,struct nft_rule * rule,enum nft_trans_phase phase)666 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
667 enum nft_trans_phase phase)
668 {
669 struct nft_expr *expr;
670
671 expr = nft_expr_first(rule);
672 while (nft_expr_more(rule, expr)) {
673 if (expr->ops->deactivate)
674 expr->ops->deactivate(ctx, expr, phase);
675
676 expr = nft_expr_next(expr);
677 }
678 }
679
680 static int
nf_tables_delrule_deactivate(struct nft_ctx * ctx,struct nft_rule * rule)681 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
682 {
683 /* You cannot delete the same rule twice */
684 if (nft_is_active_next(ctx->net, rule)) {
685 nft_deactivate_next(ctx->net, rule);
686 nft_use_dec(&ctx->chain->use);
687 return 0;
688 }
689 return -ENOENT;
690 }
691
nft_trans_rule_add(struct nft_ctx * ctx,int msg_type,struct nft_rule * rule)692 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
693 struct nft_rule *rule)
694 {
695 struct nft_trans *trans;
696
697 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
698 if (trans == NULL)
699 return NULL;
700
701 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
702 nft_trans_rule_id(trans) =
703 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
704 }
705 nft_trans_rule(trans) = rule;
706 nft_trans_rule_chain(trans) = ctx->chain;
707 nft_trans_commit_list_add_tail(ctx->net, trans);
708
709 return trans;
710 }
711
nft_delrule(struct nft_ctx * ctx,struct nft_rule * rule)712 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
713 {
714 struct nft_flow_rule *flow;
715 struct nft_trans *trans;
716 int err;
717
718 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
719 if (trans == NULL)
720 return -ENOMEM;
721
722 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
723 flow = nft_flow_rule_create(ctx->net, rule);
724 if (IS_ERR(flow)) {
725 nft_trans_destroy(trans);
726 return PTR_ERR(flow);
727 }
728
729 nft_trans_flow_rule(trans) = flow;
730 }
731
732 err = nf_tables_delrule_deactivate(ctx, rule);
733 if (err < 0) {
734 nft_trans_destroy(trans);
735 return err;
736 }
737 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
738
739 return 0;
740 }
741
nft_delrule_by_chain(struct nft_ctx * ctx)742 static int nft_delrule_by_chain(struct nft_ctx *ctx)
743 {
744 struct nft_rule *rule;
745 int err;
746
747 list_for_each_entry(rule, &ctx->chain->rules, list) {
748 if (!nft_is_active_next(ctx->net, rule))
749 continue;
750
751 err = nft_delrule(ctx, rule);
752 if (err < 0)
753 return err;
754 }
755 return 0;
756 }
757
__nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set,const struct nft_set_desc * desc)758 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
759 struct nft_set *set,
760 const struct nft_set_desc *desc)
761 {
762 struct nft_trans_set *trans_set;
763 struct nft_trans *trans;
764
765 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
766 if (trans == NULL)
767 return -ENOMEM;
768
769 trans_set = nft_trans_container_set(trans);
770 INIT_LIST_HEAD(&trans_set->nft_trans_binding.binding_list);
771 INIT_LIST_HEAD(&trans_set->list_trans_newset);
772
773 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
774 nft_trans_set_id(trans) =
775 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
776 nft_activate_next(ctx->net, set);
777 }
778 nft_trans_set(trans) = set;
779 if (desc) {
780 nft_trans_set_update(trans) = true;
781 nft_trans_set_gc_int(trans) = desc->gc_int;
782 nft_trans_set_timeout(trans) = desc->timeout;
783 nft_trans_set_size(trans) = desc->size;
784 }
785 nft_trans_commit_list_add_tail(ctx->net, trans);
786
787 return 0;
788 }
789
nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)790 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
791 struct nft_set *set)
792 {
793 return __nft_trans_set_add(ctx, msg_type, set, NULL);
794 }
795
nft_mapelem_deactivate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)796 static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
797 struct nft_set *set,
798 const struct nft_set_iter *iter,
799 struct nft_elem_priv *elem_priv)
800 {
801 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
802
803 if (!nft_set_elem_active(ext, iter->genmask))
804 return 0;
805
806 nft_set_elem_change_active(ctx->net, set, ext);
807 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
808
809 return 0;
810 }
811
812 struct nft_set_elem_catchall {
813 struct list_head list;
814 struct rcu_head rcu;
815 struct nft_elem_priv *elem;
816 };
817
nft_map_catchall_deactivate(const struct nft_ctx * ctx,struct nft_set * set)818 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
819 struct nft_set *set)
820 {
821 u8 genmask = nft_genmask_next(ctx->net);
822 struct nft_set_elem_catchall *catchall;
823 struct nft_set_ext *ext;
824
825 list_for_each_entry(catchall, &set->catchall_list, list) {
826 ext = nft_set_elem_ext(set, catchall->elem);
827 if (!nft_set_elem_active(ext, genmask))
828 continue;
829
830 nft_set_elem_change_active(ctx->net, set, ext);
831 nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
832 }
833 }
834
835 /* Use NFT_ITER_UPDATE iterator even if this may be called from the preparation
836 * phase, the set clone might already exist from a previous command, or it might
837 * be a set that is going away and does not require a clone. The netns and
838 * netlink release paths also need to work on the live set.
839 */
nft_map_deactivate(const struct nft_ctx * ctx,struct nft_set * set)840 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
841 {
842 struct nft_set_iter iter = {
843 .genmask = nft_genmask_next(ctx->net),
844 .type = NFT_ITER_UPDATE,
845 .fn = nft_mapelem_deactivate,
846 };
847
848 set->ops->walk(ctx, set, &iter);
849 WARN_ON_ONCE(iter.err);
850
851 nft_map_catchall_deactivate(ctx, set);
852 }
853
nft_delset(const struct nft_ctx * ctx,struct nft_set * set)854 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
855 {
856 int err;
857
858 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
859 if (err < 0)
860 return err;
861
862 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
863 nft_map_deactivate(ctx, set);
864
865 nft_deactivate_next(ctx->net, set);
866 nft_use_dec(&ctx->table->use);
867
868 return err;
869 }
870
nft_trans_obj_add(struct nft_ctx * ctx,int msg_type,struct nft_object * obj)871 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
872 struct nft_object *obj)
873 {
874 struct nft_trans *trans;
875
876 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
877 if (trans == NULL)
878 return -ENOMEM;
879
880 if (msg_type == NFT_MSG_NEWOBJ)
881 nft_activate_next(ctx->net, obj);
882
883 nft_trans_obj(trans) = obj;
884 nft_trans_commit_list_add_tail(ctx->net, trans);
885
886 return 0;
887 }
888
nft_delobj(struct nft_ctx * ctx,struct nft_object * obj)889 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
890 {
891 int err;
892
893 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
894 if (err < 0)
895 return err;
896
897 nft_deactivate_next(ctx->net, obj);
898 nft_use_dec(&ctx->table->use);
899
900 return err;
901 }
902
903 static struct nft_trans *
nft_trans_flowtable_add(struct nft_ctx * ctx,int msg_type,struct nft_flowtable * flowtable)904 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
905 struct nft_flowtable *flowtable)
906 {
907 struct nft_trans *trans;
908
909 trans = nft_trans_alloc(ctx, msg_type,
910 sizeof(struct nft_trans_flowtable));
911 if (trans == NULL)
912 return ERR_PTR(-ENOMEM);
913
914 if (msg_type == NFT_MSG_NEWFLOWTABLE)
915 nft_activate_next(ctx->net, flowtable);
916
917 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
918 nft_trans_flowtable(trans) = flowtable;
919 nft_trans_commit_list_add_tail(ctx->net, trans);
920
921 return trans;
922 }
923
nft_delflowtable(struct nft_ctx * ctx,struct nft_flowtable * flowtable)924 static int nft_delflowtable(struct nft_ctx *ctx,
925 struct nft_flowtable *flowtable)
926 {
927 struct nft_trans *trans;
928
929 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
930 if (IS_ERR(trans))
931 return PTR_ERR(trans);
932
933 nft_deactivate_next(ctx->net, flowtable);
934 nft_use_dec(&ctx->table->use);
935
936 return 0;
937 }
938
__nft_reg_track_clobber(struct nft_regs_track * track,u8 dreg)939 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
940 {
941 int i;
942
943 for (i = track->regs[dreg].num_reg; i > 0; i--)
944 __nft_reg_track_cancel(track, dreg - i);
945 }
946
__nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 num_reg)947 static void __nft_reg_track_update(struct nft_regs_track *track,
948 const struct nft_expr *expr,
949 u8 dreg, u8 num_reg)
950 {
951 track->regs[dreg].selector = expr;
952 track->regs[dreg].bitwise = NULL;
953 track->regs[dreg].num_reg = num_reg;
954 }
955
nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 len)956 void nft_reg_track_update(struct nft_regs_track *track,
957 const struct nft_expr *expr, u8 dreg, u8 len)
958 {
959 unsigned int regcount;
960 int i;
961
962 __nft_reg_track_clobber(track, dreg);
963
964 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
965 for (i = 0; i < regcount; i++, dreg++)
966 __nft_reg_track_update(track, expr, dreg, i);
967 }
968 EXPORT_SYMBOL_GPL(nft_reg_track_update);
969
nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg,u8 len)970 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
971 {
972 unsigned int regcount;
973 int i;
974
975 __nft_reg_track_clobber(track, dreg);
976
977 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
978 for (i = 0; i < regcount; i++, dreg++)
979 __nft_reg_track_cancel(track, dreg);
980 }
981 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
982
__nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg)983 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
984 {
985 track->regs[dreg].selector = NULL;
986 track->regs[dreg].bitwise = NULL;
987 track->regs[dreg].num_reg = 0;
988 }
989 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
990
991 /*
992 * Tables
993 */
994
nft_table_lookup(const struct net * net,const struct nlattr * nla,u8 family,u8 genmask,u32 nlpid)995 static struct nft_table *nft_table_lookup(const struct net *net,
996 const struct nlattr *nla,
997 u8 family, u8 genmask, u32 nlpid)
998 {
999 struct nftables_pernet *nft_net;
1000 struct nft_table *table;
1001
1002 if (nla == NULL)
1003 return ERR_PTR(-EINVAL);
1004
1005 nft_net = nft_pernet(net);
1006 list_for_each_entry_rcu(table, &nft_net->tables, list,
1007 lockdep_is_held(&nft_net->commit_mutex)) {
1008 if (!nla_strcmp(nla, table->name) &&
1009 table->family == family &&
1010 nft_active_genmask(table, genmask)) {
1011 if (nft_table_has_owner(table) &&
1012 nlpid && table->nlpid != nlpid)
1013 return ERR_PTR(-EPERM);
1014
1015 return table;
1016 }
1017 }
1018
1019 return ERR_PTR(-ENOENT);
1020 }
1021
nft_table_lookup_byhandle(const struct net * net,const struct nlattr * nla,int family,u8 genmask,u32 nlpid)1022 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
1023 const struct nlattr *nla,
1024 int family, u8 genmask, u32 nlpid)
1025 {
1026 struct nftables_pernet *nft_net;
1027 struct nft_table *table;
1028
1029 nft_net = nft_pernet(net);
1030 list_for_each_entry(table, &nft_net->tables, list) {
1031 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
1032 table->family == family &&
1033 nft_active_genmask(table, genmask)) {
1034 if (nft_table_has_owner(table) &&
1035 nlpid && table->nlpid != nlpid)
1036 return ERR_PTR(-EPERM);
1037
1038 return table;
1039 }
1040 }
1041
1042 return ERR_PTR(-ENOENT);
1043 }
1044
nf_tables_alloc_handle(struct nft_table * table)1045 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
1046 {
1047 return ++table->hgenerator;
1048 }
1049
1050 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
1051
1052 static const struct nft_chain_type *
__nft_chain_type_get(u8 family,enum nft_chain_types type)1053 __nft_chain_type_get(u8 family, enum nft_chain_types type)
1054 {
1055 if (family >= NFPROTO_NUMPROTO ||
1056 type >= NFT_CHAIN_T_MAX)
1057 return NULL;
1058
1059 return chain_type[family][type];
1060 }
1061
1062 static const struct nft_chain_type *
__nf_tables_chain_type_lookup(const struct nlattr * nla,u8 family)1063 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
1064 {
1065 const struct nft_chain_type *type;
1066 int i;
1067
1068 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
1069 type = __nft_chain_type_get(family, i);
1070 if (!type)
1071 continue;
1072 if (!nla_strcmp(nla, type->name))
1073 return type;
1074 }
1075 return NULL;
1076 }
1077
1078 struct nft_module_request {
1079 struct list_head list;
1080 char module[MODULE_NAME_LEN];
1081 bool done;
1082 };
1083
1084 #ifdef CONFIG_MODULES
nft_request_module(struct net * net,const char * fmt,...)1085 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
1086 ...)
1087 {
1088 char module_name[MODULE_NAME_LEN];
1089 struct nftables_pernet *nft_net;
1090 struct nft_module_request *req;
1091 va_list args;
1092 int ret;
1093
1094 va_start(args, fmt);
1095 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
1096 va_end(args);
1097 if (ret >= MODULE_NAME_LEN)
1098 return 0;
1099
1100 nft_net = nft_pernet(net);
1101 list_for_each_entry(req, &nft_net->module_list, list) {
1102 if (!strcmp(req->module, module_name)) {
1103 if (req->done)
1104 return 0;
1105
1106 /* A request to load this module already exists. */
1107 return -EAGAIN;
1108 }
1109 }
1110
1111 req = kmalloc_obj(*req);
1112 if (!req)
1113 return -ENOMEM;
1114
1115 req->done = false;
1116 strscpy(req->module, module_name, MODULE_NAME_LEN);
1117 list_add_tail(&req->list, &nft_net->module_list);
1118
1119 return -EAGAIN;
1120 }
1121 EXPORT_SYMBOL_GPL(nft_request_module);
1122 #endif
1123
lockdep_nfnl_nft_mutex_not_held(void)1124 static void lockdep_nfnl_nft_mutex_not_held(void)
1125 {
1126 #ifdef CONFIG_PROVE_LOCKING
1127 if (debug_locks)
1128 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
1129 #endif
1130 }
1131
1132 static const struct nft_chain_type *
nf_tables_chain_type_lookup(struct net * net,const struct nlattr * nla,u8 family,bool autoload)1133 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
1134 u8 family, bool autoload)
1135 {
1136 const struct nft_chain_type *type;
1137
1138 type = __nf_tables_chain_type_lookup(nla, family);
1139 if (type != NULL)
1140 return type;
1141
1142 lockdep_nfnl_nft_mutex_not_held();
1143 #ifdef CONFIG_MODULES
1144 if (autoload) {
1145 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
1146 nla_len(nla),
1147 (const char *)nla_data(nla)) == -EAGAIN)
1148 return ERR_PTR(-EAGAIN);
1149 }
1150 #endif
1151 return ERR_PTR(-ENOENT);
1152 }
1153
nft_base_seq(const struct net * net)1154 static unsigned int nft_base_seq(const struct net *net)
1155 {
1156 return READ_ONCE(net->nft.base_seq);
1157 }
1158
nft_base_seq_be16(const struct net * net)1159 static __be16 nft_base_seq_be16(const struct net *net)
1160 {
1161 return htons(nft_base_seq(net) & 0xffff);
1162 }
1163
1164 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
1165 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
1166 .len = NFT_TABLE_MAXNAMELEN - 1 },
1167 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
1168 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
1169 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
1170 .len = NFT_USERDATA_MAXLEN }
1171 };
1172
nf_tables_fill_table_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table)1173 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
1174 u32 portid, u32 seq, int event, u32 flags,
1175 int family, const struct nft_table *table)
1176 {
1177 struct nlmsghdr *nlh;
1178
1179 nlh = nfnl_msg_put(skb, portid, seq,
1180 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
1181 flags, family, NFNETLINK_V0, nft_base_seq_be16(net));
1182 if (!nlh)
1183 goto nla_put_failure;
1184
1185 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
1186 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
1187 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
1188 NFTA_TABLE_PAD))
1189 goto nla_put_failure;
1190
1191 if (event == NFT_MSG_DELTABLE ||
1192 event == NFT_MSG_DESTROYTABLE) {
1193 nlmsg_end(skb, nlh);
1194 return 0;
1195 }
1196
1197 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
1198 htonl(table->flags & NFT_TABLE_F_MASK)))
1199 goto nla_put_failure;
1200
1201 if (nft_table_has_owner(table) &&
1202 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
1203 goto nla_put_failure;
1204
1205 if (table->udata) {
1206 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
1207 goto nla_put_failure;
1208 }
1209
1210 nlmsg_end(skb, nlh);
1211 return 0;
1212
1213 nla_put_failure:
1214 nlmsg_trim(skb, nlh);
1215 return -1;
1216 }
1217
1218 struct nftnl_skb_parms {
1219 bool report;
1220 };
1221 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1222
nft_notify_enqueue(struct sk_buff * skb,bool report,struct list_head * notify_list)1223 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1224 struct list_head *notify_list)
1225 {
1226 NFT_CB(skb).report = report;
1227 list_add_tail(&skb->list, notify_list);
1228 }
1229
nf_tables_table_notify(const struct nft_ctx * ctx,int event)1230 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1231 {
1232 struct nftables_pernet *nft_net;
1233 struct sk_buff *skb;
1234 u16 flags = 0;
1235 int err;
1236
1237 if (!ctx->report &&
1238 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1239 return;
1240
1241 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1242 if (skb == NULL)
1243 goto err;
1244
1245 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1246 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1247
1248 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
1249 event, flags, ctx->family, ctx->table);
1250 if (err < 0) {
1251 kfree_skb(skb);
1252 goto err;
1253 }
1254
1255 nft_net = nft_pernet(ctx->net);
1256 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1257 return;
1258 err:
1259 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1260 }
1261
nf_tables_dump_tables(struct sk_buff * skb,struct netlink_callback * cb)1262 static int nf_tables_dump_tables(struct sk_buff *skb,
1263 struct netlink_callback *cb)
1264 {
1265 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1266 struct nftables_pernet *nft_net;
1267 const struct nft_table *table;
1268 unsigned int idx = 0, s_idx = cb->args[0];
1269 struct net *net = sock_net(skb->sk);
1270 int family = nfmsg->nfgen_family;
1271
1272 rcu_read_lock();
1273 nft_net = nft_pernet(net);
1274 cb->seq = nft_base_seq(net);
1275
1276 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1277 if (family != NFPROTO_UNSPEC && family != table->family)
1278 continue;
1279
1280 if (idx < s_idx)
1281 goto cont;
1282 if (idx > s_idx)
1283 memset(&cb->args[1], 0,
1284 sizeof(cb->args) - sizeof(cb->args[0]));
1285 if (!nft_is_active(net, table))
1286 continue;
1287 if (nf_tables_fill_table_info(skb, net,
1288 NETLINK_CB(cb->skb).portid,
1289 cb->nlh->nlmsg_seq,
1290 NFT_MSG_NEWTABLE, NLM_F_MULTI,
1291 table->family, table) < 0)
1292 goto done;
1293
1294 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1295 cont:
1296 idx++;
1297 }
1298 done:
1299 rcu_read_unlock();
1300 cb->args[0] = idx;
1301 return skb->len;
1302 }
1303
nft_netlink_dump_start_rcu(struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,struct netlink_dump_control * c)1304 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1305 const struct nlmsghdr *nlh,
1306 struct netlink_dump_control *c)
1307 {
1308 int err;
1309
1310 if (!try_module_get(THIS_MODULE))
1311 return -EINVAL;
1312
1313 rcu_read_unlock();
1314 err = netlink_dump_start(nlsk, skb, nlh, c);
1315 rcu_read_lock();
1316 module_put(THIS_MODULE);
1317
1318 return err;
1319 }
1320
1321 /* called with rcu_read_lock held */
nf_tables_gettable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1322 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1323 const struct nlattr * const nla[])
1324 {
1325 struct netlink_ext_ack *extack = info->extack;
1326 u8 genmask = nft_genmask_cur(info->net);
1327 u8 family = info->nfmsg->nfgen_family;
1328 const struct nft_table *table;
1329 struct net *net = info->net;
1330 struct sk_buff *skb2;
1331 int err;
1332
1333 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1334 struct netlink_dump_control c = {
1335 .dump = nf_tables_dump_tables,
1336 .module = THIS_MODULE,
1337 };
1338
1339 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1340 }
1341
1342 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1343 if (IS_ERR(table)) {
1344 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1345 return PTR_ERR(table);
1346 }
1347
1348 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1349 if (!skb2)
1350 return -ENOMEM;
1351
1352 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1353 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1354 0, family, table);
1355 if (err < 0)
1356 goto err_fill_table_info;
1357
1358 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1359
1360 err_fill_table_info:
1361 kfree_skb(skb2);
1362 return err;
1363 }
1364
nft_table_disable(struct net * net,struct nft_table * table,u32 cnt)1365 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1366 {
1367 struct nft_chain *chain;
1368 u32 i = 0;
1369
1370 list_for_each_entry(chain, &table->chains, list) {
1371 if (!nft_is_active_next(net, chain))
1372 continue;
1373 if (!nft_is_base_chain(chain))
1374 continue;
1375
1376 if (cnt && i++ == cnt)
1377 break;
1378
1379 nf_tables_unregister_hook(net, table, chain);
1380 }
1381 }
1382
nf_tables_table_enable(struct net * net,struct nft_table * table)1383 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1384 {
1385 struct nft_chain *chain;
1386 int err, i = 0;
1387
1388 list_for_each_entry(chain, &table->chains, list) {
1389 if (!nft_is_active_next(net, chain))
1390 continue;
1391 if (!nft_is_base_chain(chain))
1392 continue;
1393
1394 err = nf_tables_register_hook(net, table, chain);
1395 if (err < 0)
1396 goto err_register_hooks;
1397
1398 i++;
1399 }
1400 return 0;
1401
1402 err_register_hooks:
1403 if (i)
1404 nft_table_disable(net, table, i);
1405 return err;
1406 }
1407
nf_tables_table_disable(struct net * net,struct nft_table * table)1408 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1409 {
1410 table->flags &= ~NFT_TABLE_F_DORMANT;
1411 nft_table_disable(net, table, 0);
1412 table->flags |= NFT_TABLE_F_DORMANT;
1413 }
1414
1415 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1416 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1417 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1418 #define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2)
1419 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1420 __NFT_TABLE_F_WAS_AWAKEN | \
1421 __NFT_TABLE_F_WAS_ORPHAN)
1422
nft_table_pending_update(const struct nft_ctx * ctx)1423 static bool nft_table_pending_update(const struct nft_ctx *ctx)
1424 {
1425 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1426 struct nft_trans *trans;
1427
1428 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1429 return true;
1430
1431 list_for_each_entry(trans, &nft_net->commit_list, list) {
1432 if (trans->table == ctx->table &&
1433 ((trans->msg_type == NFT_MSG_NEWCHAIN &&
1434 nft_trans_chain_update(trans)) ||
1435 (trans->msg_type == NFT_MSG_DELCHAIN &&
1436 nft_is_base_chain(nft_trans_chain(trans)))))
1437 return true;
1438 }
1439
1440 return false;
1441 }
1442
nf_tables_updtable(struct nft_ctx * ctx)1443 static int nf_tables_updtable(struct nft_ctx *ctx)
1444 {
1445 struct nft_trans *trans;
1446 u32 flags;
1447 int ret;
1448
1449 if (!ctx->nla[NFTA_TABLE_FLAGS])
1450 return 0;
1451
1452 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1453 if (flags & ~NFT_TABLE_F_MASK)
1454 return -EOPNOTSUPP;
1455
1456 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK))
1457 return 0;
1458
1459 if ((nft_table_has_owner(ctx->table) &&
1460 !(flags & NFT_TABLE_F_OWNER)) ||
1461 (flags & NFT_TABLE_F_OWNER &&
1462 !nft_table_is_orphan(ctx->table)))
1463 return -EOPNOTSUPP;
1464
1465 if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
1466 return -EOPNOTSUPP;
1467
1468 /* No dormant off/on/off/on games in single transaction */
1469 if (nft_table_pending_update(ctx))
1470 return -EINVAL;
1471
1472 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1473 sizeof(struct nft_trans_table));
1474 if (trans == NULL)
1475 return -ENOMEM;
1476
1477 if ((flags & NFT_TABLE_F_DORMANT) &&
1478 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1479 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1480 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1481 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1482 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1483 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1484 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1485 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1486 ret = nf_tables_table_enable(ctx->net, ctx->table);
1487 if (ret < 0)
1488 goto err_register_hooks;
1489
1490 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1491 }
1492 }
1493
1494 if ((flags & NFT_TABLE_F_OWNER) &&
1495 !nft_table_has_owner(ctx->table)) {
1496 ctx->table->nlpid = ctx->portid;
1497 ctx->table->flags |= NFT_TABLE_F_OWNER |
1498 __NFT_TABLE_F_WAS_ORPHAN;
1499 }
1500
1501 nft_trans_table_update(trans) = true;
1502 nft_trans_commit_list_add_tail(ctx->net, trans);
1503
1504 return 0;
1505
1506 err_register_hooks:
1507 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1508 nft_trans_destroy(trans);
1509 return ret;
1510 }
1511
nft_chain_hash(const void * data,u32 len,u32 seed)1512 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1513 {
1514 const char *name = data;
1515
1516 return jhash(name, strlen(name), seed);
1517 }
1518
nft_chain_hash_obj(const void * data,u32 len,u32 seed)1519 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1520 {
1521 const struct nft_chain *chain = data;
1522
1523 return nft_chain_hash(chain->name, 0, seed);
1524 }
1525
nft_chain_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1526 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1527 const void *ptr)
1528 {
1529 const struct nft_chain *chain = ptr;
1530 const char *name = arg->key;
1531
1532 return strcmp(chain->name, name);
1533 }
1534
nft_objname_hash(const void * data,u32 len,u32 seed)1535 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1536 {
1537 const struct nft_object_hash_key *k = data;
1538
1539 seed ^= hash_ptr(k->table, 32);
1540
1541 return jhash(k->name, strlen(k->name), seed);
1542 }
1543
nft_objname_hash_obj(const void * data,u32 len,u32 seed)1544 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1545 {
1546 const struct nft_object *obj = data;
1547
1548 return nft_objname_hash(&obj->key, 0, seed);
1549 }
1550
nft_objname_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1551 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1552 const void *ptr)
1553 {
1554 const struct nft_object_hash_key *k = arg->key;
1555 const struct nft_object *obj = ptr;
1556
1557 if (obj->key.table != k->table)
1558 return -1;
1559
1560 return strcmp(obj->key.name, k->name);
1561 }
1562
nft_supported_family(u8 family)1563 static bool nft_supported_family(u8 family)
1564 {
1565 return false
1566 #ifdef CONFIG_NF_TABLES_INET
1567 || family == NFPROTO_INET
1568 #endif
1569 #ifdef CONFIG_NF_TABLES_IPV4
1570 || family == NFPROTO_IPV4
1571 #endif
1572 #ifdef CONFIG_NF_TABLES_ARP
1573 || family == NFPROTO_ARP
1574 #endif
1575 #ifdef CONFIG_NF_TABLES_NETDEV
1576 || family == NFPROTO_NETDEV
1577 #endif
1578 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1579 || family == NFPROTO_BRIDGE
1580 #endif
1581 #ifdef CONFIG_NF_TABLES_IPV6
1582 || family == NFPROTO_IPV6
1583 #endif
1584 ;
1585 }
1586
nf_tables_newtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1587 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1588 const struct nlattr * const nla[])
1589 {
1590 struct nftables_pernet *nft_net = nft_pernet(info->net);
1591 struct netlink_ext_ack *extack = info->extack;
1592 u8 genmask = nft_genmask_next(info->net);
1593 u8 family = info->nfmsg->nfgen_family;
1594 struct net *net = info->net;
1595 const struct nlattr *attr;
1596 struct nft_table *table;
1597 struct nft_ctx ctx;
1598 u32 flags = 0;
1599 int err;
1600
1601 if (!nft_supported_family(family))
1602 return -EOPNOTSUPP;
1603
1604 lockdep_assert_held(&nft_net->commit_mutex);
1605 attr = nla[NFTA_TABLE_NAME];
1606 table = nft_table_lookup(net, attr, family, genmask,
1607 NETLINK_CB(skb).portid);
1608 if (IS_ERR(table)) {
1609 if (PTR_ERR(table) != -ENOENT)
1610 return PTR_ERR(table);
1611 } else {
1612 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1613 NL_SET_BAD_ATTR(extack, attr);
1614 return -EEXIST;
1615 }
1616 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1617 return -EOPNOTSUPP;
1618
1619 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1620
1621 return nf_tables_updtable(&ctx);
1622 }
1623
1624 if (nla[NFTA_TABLE_FLAGS]) {
1625 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1626 if (flags & ~NFT_TABLE_F_MASK)
1627 return -EOPNOTSUPP;
1628 }
1629
1630 err = -ENOMEM;
1631 table = kzalloc_obj(*table, GFP_KERNEL_ACCOUNT);
1632 if (table == NULL)
1633 goto err_kzalloc;
1634
1635 table->validate_state = nft_net->validate_state;
1636 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1637 if (table->name == NULL)
1638 goto err_strdup;
1639
1640 if (nla[NFTA_TABLE_USERDATA]) {
1641 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1642 if (table->udata == NULL)
1643 goto err_table_udata;
1644
1645 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1646 }
1647
1648 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1649 if (err)
1650 goto err_chain_ht;
1651
1652 INIT_LIST_HEAD(&table->chains);
1653 INIT_LIST_HEAD(&table->sets);
1654 INIT_LIST_HEAD(&table->objects);
1655 INIT_LIST_HEAD(&table->flowtables);
1656 table->family = family;
1657 table->flags = flags;
1658 table->handle = ++nft_net->table_handle;
1659 if (table->flags & NFT_TABLE_F_OWNER)
1660 table->nlpid = NETLINK_CB(skb).portid;
1661
1662 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1663 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1664 if (err < 0)
1665 goto err_trans;
1666
1667 list_add_tail_rcu(&table->list, &nft_net->tables);
1668 return 0;
1669 err_trans:
1670 rhltable_destroy(&table->chains_ht);
1671 err_chain_ht:
1672 kfree(table->udata);
1673 err_table_udata:
1674 kfree(table->name);
1675 err_strdup:
1676 kfree(table);
1677 err_kzalloc:
1678 return err;
1679 }
1680
nft_flush_table(struct nft_ctx * ctx)1681 static int nft_flush_table(struct nft_ctx *ctx)
1682 {
1683 struct nft_flowtable *flowtable, *nft;
1684 struct nft_chain *chain, *nc;
1685 struct nft_object *obj, *ne;
1686 struct nft_set *set, *ns;
1687 int err;
1688
1689 list_for_each_entry(chain, &ctx->table->chains, list) {
1690 if (!nft_is_active_next(ctx->net, chain))
1691 continue;
1692
1693 if (nft_chain_binding(chain))
1694 continue;
1695
1696 ctx->chain = chain;
1697
1698 err = nft_delrule_by_chain(ctx);
1699 if (err < 0)
1700 goto out;
1701 }
1702
1703 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1704 if (!nft_is_active_next(ctx->net, set))
1705 continue;
1706
1707 if (nft_set_is_anonymous(set))
1708 continue;
1709
1710 err = nft_delset(ctx, set);
1711 if (err < 0)
1712 goto out;
1713 }
1714
1715 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1716 if (!nft_is_active_next(ctx->net, flowtable))
1717 continue;
1718
1719 err = nft_delflowtable(ctx, flowtable);
1720 if (err < 0)
1721 goto out;
1722 }
1723
1724 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1725 if (!nft_is_active_next(ctx->net, obj))
1726 continue;
1727
1728 err = nft_delobj(ctx, obj);
1729 if (err < 0)
1730 goto out;
1731 }
1732
1733 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1734 if (!nft_is_active_next(ctx->net, chain))
1735 continue;
1736
1737 if (nft_chain_binding(chain))
1738 continue;
1739
1740 ctx->chain = chain;
1741
1742 err = nft_delchain(ctx);
1743 if (err < 0)
1744 goto out;
1745 }
1746
1747 err = nft_deltable(ctx);
1748 out:
1749 return err;
1750 }
1751
nft_flush(struct nft_ctx * ctx,int family)1752 static int nft_flush(struct nft_ctx *ctx, int family)
1753 {
1754 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1755 const struct nlattr * const *nla = ctx->nla;
1756 struct nft_table *table, *nt;
1757 int err = 0;
1758
1759 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1760 if (family != AF_UNSPEC && table->family != family)
1761 continue;
1762
1763 ctx->family = table->family;
1764
1765 if (!nft_is_active_next(ctx->net, table))
1766 continue;
1767
1768 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1769 continue;
1770
1771 if (nla[NFTA_TABLE_NAME] &&
1772 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1773 continue;
1774
1775 ctx->table = table;
1776
1777 err = nft_flush_table(ctx);
1778 if (err < 0)
1779 goto out;
1780 }
1781 out:
1782 return err;
1783 }
1784
nf_tables_deltable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1785 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1786 const struct nlattr * const nla[])
1787 {
1788 struct netlink_ext_ack *extack = info->extack;
1789 u8 genmask = nft_genmask_next(info->net);
1790 u8 family = info->nfmsg->nfgen_family;
1791 struct net *net = info->net;
1792 const struct nlattr *attr;
1793 struct nft_table *table;
1794 struct nft_ctx ctx;
1795
1796 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1797 if (family == AF_UNSPEC ||
1798 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1799 return nft_flush(&ctx, family);
1800
1801 if (nla[NFTA_TABLE_HANDLE]) {
1802 attr = nla[NFTA_TABLE_HANDLE];
1803 table = nft_table_lookup_byhandle(net, attr, family, genmask,
1804 NETLINK_CB(skb).portid);
1805 } else {
1806 attr = nla[NFTA_TABLE_NAME];
1807 table = nft_table_lookup(net, attr, family, genmask,
1808 NETLINK_CB(skb).portid);
1809 }
1810
1811 if (IS_ERR(table)) {
1812 if (PTR_ERR(table) == -ENOENT &&
1813 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1814 return 0;
1815
1816 NL_SET_BAD_ATTR(extack, attr);
1817 return PTR_ERR(table);
1818 }
1819
1820 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1821 table->use > 0)
1822 return -EBUSY;
1823
1824 ctx.family = family;
1825 ctx.table = table;
1826
1827 return nft_flush_table(&ctx);
1828 }
1829
nf_tables_table_destroy(struct nft_table * table)1830 static void nf_tables_table_destroy(struct nft_table *table)
1831 {
1832 if (WARN_ON(table->use > 0))
1833 return;
1834
1835 rhltable_destroy(&table->chains_ht);
1836 kfree(table->name);
1837 kfree(table->udata);
1838 kfree(table);
1839 }
1840
nft_register_chain_type(const struct nft_chain_type * ctype)1841 void nft_register_chain_type(const struct nft_chain_type *ctype)
1842 {
1843 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1844 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1845 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1846 return;
1847 }
1848 chain_type[ctype->family][ctype->type] = ctype;
1849 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1850 }
1851 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1852
nft_unregister_chain_type(const struct nft_chain_type * ctype)1853 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1854 {
1855 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1856 chain_type[ctype->family][ctype->type] = NULL;
1857 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1858 }
1859 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1860
1861 /*
1862 * Chains
1863 */
1864
1865 static struct nft_chain *
nft_chain_lookup_byhandle(const struct nft_table * table,u64 handle,u8 genmask)1866 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1867 {
1868 struct nft_chain *chain;
1869
1870 list_for_each_entry(chain, &table->chains, list) {
1871 if (chain->handle == handle &&
1872 nft_active_genmask(chain, genmask))
1873 return chain;
1874 }
1875
1876 return ERR_PTR(-ENOENT);
1877 }
1878
lockdep_commit_lock_is_held(const struct net * net)1879 static bool lockdep_commit_lock_is_held(const struct net *net)
1880 {
1881 #ifdef CONFIG_PROVE_LOCKING
1882 struct nftables_pernet *nft_net = nft_pernet(net);
1883
1884 return lockdep_is_held(&nft_net->commit_mutex);
1885 #else
1886 return true;
1887 #endif
1888 }
1889
nft_chain_lookup(struct net * net,struct nft_table * table,const struct nlattr * nla,u8 genmask)1890 static struct nft_chain *nft_chain_lookup(struct net *net,
1891 struct nft_table *table,
1892 const struct nlattr *nla, u8 genmask)
1893 {
1894 char search[NFT_CHAIN_MAXNAMELEN + 1];
1895 struct rhlist_head *tmp, *list;
1896 struct nft_chain *chain;
1897
1898 if (nla == NULL)
1899 return ERR_PTR(-EINVAL);
1900
1901 nla_strscpy(search, nla, sizeof(search));
1902
1903 WARN_ON(!rcu_read_lock_held() &&
1904 !lockdep_commit_lock_is_held(net));
1905
1906 chain = ERR_PTR(-ENOENT);
1907 rcu_read_lock();
1908 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1909 if (!list)
1910 goto out_unlock;
1911
1912 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1913 if (nft_active_genmask(chain, genmask))
1914 goto out_unlock;
1915 }
1916 chain = ERR_PTR(-ENOENT);
1917 out_unlock:
1918 rcu_read_unlock();
1919 return chain;
1920 }
1921
1922 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1923 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1924 .len = NFT_TABLE_MAXNAMELEN - 1 },
1925 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1926 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1927 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1928 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1929 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1930 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1931 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1932 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1933 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1934 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1935 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1936 .len = NFT_USERDATA_MAXLEN },
1937 };
1938
1939 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1940 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1941 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1942 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1943 .len = IFNAMSIZ - 1 },
1944 };
1945
nft_dump_stats(struct sk_buff * skb,struct nft_stats __percpu * stats)1946 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1947 {
1948 struct nft_stats *cpu_stats, total;
1949 struct nlattr *nest;
1950 unsigned int seq;
1951 u64 pkts, bytes;
1952 int cpu;
1953
1954 if (!stats)
1955 return 0;
1956
1957 memset(&total, 0, sizeof(total));
1958 for_each_possible_cpu(cpu) {
1959 cpu_stats = per_cpu_ptr(stats, cpu);
1960 do {
1961 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1962 pkts = cpu_stats->pkts;
1963 bytes = cpu_stats->bytes;
1964 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1965 total.pkts += pkts;
1966 total.bytes += bytes;
1967 }
1968 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1969 if (nest == NULL)
1970 goto nla_put_failure;
1971
1972 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1973 NFTA_COUNTER_PAD) ||
1974 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1975 NFTA_COUNTER_PAD))
1976 goto nla_put_failure;
1977
1978 nla_nest_end(skb, nest);
1979 return 0;
1980
1981 nla_put_failure:
1982 return -ENOSPC;
1983 }
1984
hook_is_prefix(struct nft_hook * hook)1985 static bool hook_is_prefix(struct nft_hook *hook)
1986 {
1987 return strlen(hook->ifname) >= hook->ifnamelen;
1988 }
1989
nft_nla_put_hook_dev(struct sk_buff * skb,struct nft_hook * hook)1990 static int nft_nla_put_hook_dev(struct sk_buff *skb, struct nft_hook *hook)
1991 {
1992 int attr = hook_is_prefix(hook) ? NFTA_DEVICE_PREFIX : NFTA_DEVICE_NAME;
1993
1994 return nla_put_string(skb, attr, hook->ifname);
1995 }
1996
nft_dump_basechain_hook(struct sk_buff * skb,const struct net * net,int family,const struct nft_base_chain * basechain,const struct list_head * hook_list)1997 static int nft_dump_basechain_hook(struct sk_buff *skb,
1998 const struct net *net, int family,
1999 const struct nft_base_chain *basechain,
2000 const struct list_head *hook_list)
2001 {
2002 const struct nf_hook_ops *ops = &basechain->ops;
2003 struct nft_hook *hook, *first = NULL;
2004 struct nlattr *nest, *nest_devs;
2005 int n = 0;
2006
2007 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
2008 if (nest == NULL)
2009 goto nla_put_failure;
2010 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
2011 goto nla_put_failure;
2012 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
2013 goto nla_put_failure;
2014
2015 if (nft_base_chain_netdev(family, ops->hooknum)) {
2016 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
2017 if (!nest_devs)
2018 goto nla_put_failure;
2019
2020 if (!hook_list)
2021 hook_list = &basechain->hook_list;
2022
2023 list_for_each_entry_rcu(hook, hook_list, list,
2024 lockdep_commit_lock_is_held(net)) {
2025 if (!first)
2026 first = hook;
2027
2028 if (nft_nla_put_hook_dev(skb, hook))
2029 goto nla_put_failure;
2030 n++;
2031 }
2032 nla_nest_end(skb, nest_devs);
2033
2034 if (n == 1 &&
2035 !hook_is_prefix(first) &&
2036 nla_put_string(skb, NFTA_HOOK_DEV, first->ifname))
2037 goto nla_put_failure;
2038 }
2039 nla_nest_end(skb, nest);
2040
2041 return 0;
2042 nla_put_failure:
2043 return -1;
2044 }
2045
nf_tables_fill_chain_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct list_head * hook_list)2046 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
2047 u32 portid, u32 seq, int event, u32 flags,
2048 int family, const struct nft_table *table,
2049 const struct nft_chain *chain,
2050 const struct list_head *hook_list)
2051 {
2052 struct nlmsghdr *nlh;
2053
2054 nlh = nfnl_msg_put(skb, portid, seq,
2055 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
2056 flags, family, NFNETLINK_V0, nft_base_seq_be16(net));
2057 if (!nlh)
2058 goto nla_put_failure;
2059
2060 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
2061 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
2062 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
2063 NFTA_CHAIN_PAD))
2064 goto nla_put_failure;
2065
2066 if (!hook_list &&
2067 (event == NFT_MSG_DELCHAIN ||
2068 event == NFT_MSG_DESTROYCHAIN)) {
2069 nlmsg_end(skb, nlh);
2070 return 0;
2071 }
2072
2073 if (nft_is_base_chain(chain)) {
2074 const struct nft_base_chain *basechain = nft_base_chain(chain);
2075 struct nft_stats __percpu *stats;
2076
2077 if (nft_dump_basechain_hook(skb, net, family, basechain, hook_list))
2078 goto nla_put_failure;
2079
2080 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
2081 htonl(basechain->policy)))
2082 goto nla_put_failure;
2083
2084 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
2085 goto nla_put_failure;
2086
2087 stats = rcu_dereference_check(basechain->stats,
2088 lockdep_commit_lock_is_held(net));
2089 if (nft_dump_stats(skb, stats))
2090 goto nla_put_failure;
2091 }
2092
2093 if (chain->flags &&
2094 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
2095 goto nla_put_failure;
2096
2097 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
2098 goto nla_put_failure;
2099
2100 if (chain->udata &&
2101 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
2102 goto nla_put_failure;
2103
2104 nlmsg_end(skb, nlh);
2105 return 0;
2106
2107 nla_put_failure:
2108 nlmsg_trim(skb, nlh);
2109 return -1;
2110 }
2111
nf_tables_chain_notify(const struct nft_ctx * ctx,int event,const struct list_head * hook_list)2112 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
2113 const struct list_head *hook_list)
2114 {
2115 struct nftables_pernet *nft_net;
2116 struct sk_buff *skb;
2117 u16 flags = 0;
2118 int err;
2119
2120 if (!ctx->report &&
2121 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2122 return;
2123
2124 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2125 if (skb == NULL)
2126 goto err;
2127
2128 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
2129 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
2130
2131 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
2132 event, flags, ctx->family, ctx->table,
2133 ctx->chain, hook_list);
2134 if (err < 0) {
2135 kfree_skb(skb);
2136 goto err;
2137 }
2138
2139 nft_net = nft_pernet(ctx->net);
2140 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
2141 return;
2142 err:
2143 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2144 }
2145
nf_tables_dump_chains(struct sk_buff * skb,struct netlink_callback * cb)2146 static int nf_tables_dump_chains(struct sk_buff *skb,
2147 struct netlink_callback *cb)
2148 {
2149 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2150 unsigned int idx = 0, s_idx = cb->args[0];
2151 struct net *net = sock_net(skb->sk);
2152 int family = nfmsg->nfgen_family;
2153 struct nftables_pernet *nft_net;
2154 const struct nft_table *table;
2155 const struct nft_chain *chain;
2156
2157 rcu_read_lock();
2158 nft_net = nft_pernet(net);
2159 cb->seq = nft_base_seq(net);
2160
2161 list_for_each_entry_rcu(table, &nft_net->tables, list) {
2162 if (family != NFPROTO_UNSPEC && family != table->family)
2163 continue;
2164
2165 list_for_each_entry_rcu(chain, &table->chains, list) {
2166 if (idx < s_idx)
2167 goto cont;
2168 if (idx > s_idx)
2169 memset(&cb->args[1], 0,
2170 sizeof(cb->args) - sizeof(cb->args[0]));
2171 if (!nft_is_active(net, chain))
2172 continue;
2173 if (nf_tables_fill_chain_info(skb, net,
2174 NETLINK_CB(cb->skb).portid,
2175 cb->nlh->nlmsg_seq,
2176 NFT_MSG_NEWCHAIN,
2177 NLM_F_MULTI,
2178 table->family, table,
2179 chain, NULL) < 0)
2180 goto done;
2181
2182 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2183 cont:
2184 idx++;
2185 }
2186 }
2187 done:
2188 rcu_read_unlock();
2189 cb->args[0] = idx;
2190 return skb->len;
2191 }
2192
2193 /* called with rcu_read_lock held */
nf_tables_getchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2194 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
2195 const struct nlattr * const nla[])
2196 {
2197 struct netlink_ext_ack *extack = info->extack;
2198 u8 genmask = nft_genmask_cur(info->net);
2199 u8 family = info->nfmsg->nfgen_family;
2200 const struct nft_chain *chain;
2201 struct net *net = info->net;
2202 struct nft_table *table;
2203 struct sk_buff *skb2;
2204 int err;
2205
2206 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
2207 struct netlink_dump_control c = {
2208 .dump = nf_tables_dump_chains,
2209 .module = THIS_MODULE,
2210 };
2211
2212 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
2213 }
2214
2215 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
2216 if (IS_ERR(table)) {
2217 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2218 return PTR_ERR(table);
2219 }
2220
2221 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
2222 if (IS_ERR(chain)) {
2223 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2224 return PTR_ERR(chain);
2225 }
2226
2227 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2228 if (!skb2)
2229 return -ENOMEM;
2230
2231 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
2232 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
2233 0, family, table, chain, NULL);
2234 if (err < 0)
2235 goto err_fill_chain_info;
2236
2237 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
2238
2239 err_fill_chain_info:
2240 kfree_skb(skb2);
2241 return err;
2242 }
2243
2244 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
2245 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
2246 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
2247 };
2248
nft_stats_alloc(const struct nlattr * attr)2249 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
2250 {
2251 struct nlattr *tb[NFTA_COUNTER_MAX+1];
2252 struct nft_stats __percpu *newstats;
2253 struct nft_stats *stats;
2254 int err;
2255
2256 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
2257 nft_counter_policy, NULL);
2258 if (err < 0)
2259 return ERR_PTR_PCPU(err);
2260
2261 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
2262 return ERR_PTR_PCPU(-EINVAL);
2263
2264 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
2265 if (newstats == NULL)
2266 return ERR_PTR_PCPU(-ENOMEM);
2267
2268 /* Restore old counters on this cpu, no problem. Per-cpu statistics
2269 * are not exposed to userspace.
2270 */
2271 preempt_disable();
2272 stats = this_cpu_ptr(newstats);
2273 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2274 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2275 preempt_enable();
2276
2277 return newstats;
2278 }
2279
nft_chain_stats_replace(struct nft_trans_chain * trans)2280 static void nft_chain_stats_replace(struct nft_trans_chain *trans)
2281 {
2282 const struct nft_trans *t = &trans->nft_trans_binding.nft_trans;
2283 struct nft_base_chain *chain = nft_base_chain(trans->chain);
2284
2285 if (!trans->stats)
2286 return;
2287
2288 trans->stats =
2289 rcu_replace_pointer(chain->stats, trans->stats,
2290 lockdep_commit_lock_is_held(t->net));
2291
2292 if (!trans->stats)
2293 static_branch_inc(&nft_counters_enabled);
2294 }
2295
nf_tables_chain_free_chain_rules(struct nft_chain * chain)2296 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2297 {
2298 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2299 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2300
2301 if (g0 != g1)
2302 kvfree(g1);
2303 kvfree(g0);
2304
2305 /* should be NULL either via abort or via successful commit */
2306 WARN_ON_ONCE(chain->blob_next);
2307 kvfree(chain->blob_next);
2308 }
2309
nf_tables_chain_destroy(struct nft_chain * chain)2310 void nf_tables_chain_destroy(struct nft_chain *chain)
2311 {
2312 const struct nft_table *table = chain->table;
2313 struct nft_hook *hook, *next;
2314
2315 if (WARN_ON(chain->use > 0))
2316 return;
2317
2318 /* no concurrent access possible anymore */
2319 nf_tables_chain_free_chain_rules(chain);
2320
2321 if (nft_is_base_chain(chain)) {
2322 struct nft_base_chain *basechain = nft_base_chain(chain);
2323
2324 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2325 list_for_each_entry_safe(hook, next,
2326 &basechain->hook_list, list) {
2327 list_del_rcu(&hook->list);
2328 nft_netdev_hook_free_rcu(hook);
2329 }
2330 }
2331 module_put(basechain->type->owner);
2332 if (rcu_access_pointer(basechain->stats)) {
2333 static_branch_dec(&nft_counters_enabled);
2334 free_percpu(rcu_dereference_raw(basechain->stats));
2335 }
2336 kfree(chain->name);
2337 kfree(chain->udata);
2338 kfree(basechain);
2339 } else {
2340 kfree(chain->name);
2341 kfree(chain->udata);
2342 kfree(chain);
2343 }
2344 }
2345
nft_netdev_hook_alloc(struct net * net,const struct nlattr * attr,bool prefix)2346 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2347 const struct nlattr *attr,
2348 bool prefix)
2349 {
2350 struct nf_hook_ops *ops;
2351 struct net_device *dev;
2352 struct nft_hook *hook;
2353 int err;
2354
2355 hook = kzalloc_obj(struct nft_hook, GFP_KERNEL_ACCOUNT);
2356 if (!hook)
2357 return ERR_PTR(-ENOMEM);
2358
2359 INIT_LIST_HEAD(&hook->ops_list);
2360
2361 err = nla_strscpy(hook->ifname, attr, IFNAMSIZ);
2362 if (err < 0)
2363 goto err_hook_free;
2364
2365 /* include the terminating NUL-char when comparing non-prefixes */
2366 hook->ifnamelen = strlen(hook->ifname) + !prefix;
2367
2368 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2369 * indirectly serializing all the other holders of the commit_mutex with
2370 * the rtnl_mutex.
2371 */
2372 for_each_netdev(net, dev) {
2373 if (strncmp(dev->name, hook->ifname, hook->ifnamelen))
2374 continue;
2375
2376 ops = kzalloc_obj(struct nf_hook_ops, GFP_KERNEL_ACCOUNT);
2377 if (!ops) {
2378 err = -ENOMEM;
2379 goto err_hook_free;
2380 }
2381 ops->dev = dev;
2382 list_add_tail(&ops->list, &hook->ops_list);
2383 }
2384 return hook;
2385
2386 err_hook_free:
2387 nft_netdev_hook_free(hook);
2388 return ERR_PTR(err);
2389 }
2390
nft_hook_list_find(struct list_head * hook_list,const struct nft_hook * this)2391 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2392 const struct nft_hook *this)
2393 {
2394 struct nft_hook *hook;
2395
2396 list_for_each_entry(hook, hook_list, list) {
2397 if (!strncmp(hook->ifname, this->ifname,
2398 min(hook->ifnamelen, this->ifnamelen)))
2399 return hook;
2400 }
2401
2402 return NULL;
2403 }
2404
nf_tables_parse_netdev_hooks(struct net * net,const struct nlattr * attr,struct list_head * hook_list,struct netlink_ext_ack * extack)2405 static int nf_tables_parse_netdev_hooks(struct net *net,
2406 const struct nlattr *attr,
2407 struct list_head *hook_list,
2408 struct netlink_ext_ack *extack)
2409 {
2410 struct nft_hook *hook, *next;
2411 const struct nlattr *tmp;
2412 int rem, n = 0, err;
2413 bool prefix;
2414
2415 nla_for_each_nested(tmp, attr, rem) {
2416 switch (nla_type(tmp)) {
2417 case NFTA_DEVICE_NAME:
2418 prefix = false;
2419 break;
2420 case NFTA_DEVICE_PREFIX:
2421 prefix = true;
2422 break;
2423 default:
2424 err = -EINVAL;
2425 goto err_hook;
2426 }
2427
2428 hook = nft_netdev_hook_alloc(net, tmp, prefix);
2429 if (IS_ERR(hook)) {
2430 NL_SET_BAD_ATTR(extack, tmp);
2431 err = PTR_ERR(hook);
2432 goto err_hook;
2433 }
2434 if (nft_hook_list_find(hook_list, hook)) {
2435 NL_SET_BAD_ATTR(extack, tmp);
2436 nft_netdev_hook_free(hook);
2437 err = -EEXIST;
2438 goto err_hook;
2439 }
2440 list_add_tail(&hook->list, hook_list);
2441 n++;
2442
2443 if (n == NFT_NETDEVICE_MAX) {
2444 err = -EFBIG;
2445 goto err_hook;
2446 }
2447 }
2448
2449 return 0;
2450
2451 err_hook:
2452 list_for_each_entry_safe(hook, next, hook_list, list) {
2453 list_del(&hook->list);
2454 nft_netdev_hook_free(hook);
2455 }
2456 return err;
2457 }
2458
2459 struct nft_chain_hook {
2460 u32 num;
2461 s32 priority;
2462 const struct nft_chain_type *type;
2463 struct list_head list;
2464 };
2465
nft_chain_parse_netdev(struct net * net,struct nlattr * tb[],struct list_head * hook_list,struct netlink_ext_ack * extack,u32 flags)2466 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2467 struct list_head *hook_list,
2468 struct netlink_ext_ack *extack, u32 flags)
2469 {
2470 struct nft_hook *hook;
2471 int err;
2472
2473 if (tb[NFTA_HOOK_DEV]) {
2474 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV], false);
2475 if (IS_ERR(hook)) {
2476 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2477 return PTR_ERR(hook);
2478 }
2479
2480 list_add_tail(&hook->list, hook_list);
2481 } else if (tb[NFTA_HOOK_DEVS]) {
2482 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2483 hook_list, extack);
2484 if (err < 0)
2485 return err;
2486
2487 }
2488
2489 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2490 list_empty(hook_list))
2491 return -EINVAL;
2492
2493 return 0;
2494 }
2495
nft_chain_parse_hook(struct net * net,struct nft_base_chain * basechain,const struct nlattr * const nla[],struct nft_chain_hook * hook,u8 family,u32 flags,struct netlink_ext_ack * extack)2496 static int nft_chain_parse_hook(struct net *net,
2497 struct nft_base_chain *basechain,
2498 const struct nlattr * const nla[],
2499 struct nft_chain_hook *hook, u8 family,
2500 u32 flags, struct netlink_ext_ack *extack)
2501 {
2502 struct nftables_pernet *nft_net = nft_pernet(net);
2503 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2504 const struct nft_chain_type *type;
2505 int err;
2506
2507 lockdep_assert_held(&nft_net->commit_mutex);
2508 lockdep_nfnl_nft_mutex_not_held();
2509
2510 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2511 nla[NFTA_CHAIN_HOOK],
2512 nft_hook_policy, NULL);
2513 if (err < 0)
2514 return err;
2515
2516 if (!basechain) {
2517 if (!ha[NFTA_HOOK_HOOKNUM] ||
2518 !ha[NFTA_HOOK_PRIORITY]) {
2519 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2520 return -ENOENT;
2521 }
2522
2523 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2524 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2525
2526 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2527 if (!type)
2528 return -EOPNOTSUPP;
2529
2530 if (nla[NFTA_CHAIN_TYPE]) {
2531 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2532 family, true);
2533 if (IS_ERR(type)) {
2534 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2535 return PTR_ERR(type);
2536 }
2537 }
2538 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2539 return -EOPNOTSUPP;
2540
2541 if (type->type == NFT_CHAIN_T_NAT &&
2542 hook->priority <= NF_IP_PRI_CONNTRACK)
2543 return -EOPNOTSUPP;
2544 } else {
2545 if (ha[NFTA_HOOK_HOOKNUM]) {
2546 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2547 if (hook->num != basechain->ops.hooknum)
2548 return -EOPNOTSUPP;
2549 }
2550 if (ha[NFTA_HOOK_PRIORITY]) {
2551 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2552 if (hook->priority != basechain->ops.priority)
2553 return -EOPNOTSUPP;
2554 }
2555
2556 if (nla[NFTA_CHAIN_TYPE]) {
2557 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
2558 family);
2559 if (!type) {
2560 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2561 return -ENOENT;
2562 }
2563 } else {
2564 type = basechain->type;
2565 }
2566 }
2567
2568 if (!try_module_get(type->owner)) {
2569 if (nla[NFTA_CHAIN_TYPE])
2570 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2571 return -ENOENT;
2572 }
2573
2574 hook->type = type;
2575
2576 INIT_LIST_HEAD(&hook->list);
2577 if (nft_base_chain_netdev(family, hook->num)) {
2578 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2579 if (err < 0) {
2580 module_put(type->owner);
2581 return err;
2582 }
2583 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2584 module_put(type->owner);
2585 return -EOPNOTSUPP;
2586 }
2587
2588 return 0;
2589 }
2590
nft_chain_release_hook(struct nft_chain_hook * hook)2591 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2592 {
2593 struct nft_hook *h, *next;
2594
2595 list_for_each_entry_safe(h, next, &hook->list, list) {
2596 list_del(&h->list);
2597 nft_netdev_hook_free(h);
2598 }
2599 module_put(hook->type->owner);
2600 }
2601
nft_last_rule(const struct nft_chain * chain,const void * ptr)2602 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2603 {
2604 struct nft_rule_dp_last *lrule;
2605
2606 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2607
2608 lrule = (struct nft_rule_dp_last *)ptr;
2609 lrule->end.is_last = 1;
2610 lrule->chain = chain;
2611 /* blob size does not include the trailer rule */
2612 }
2613
nf_tables_chain_alloc_rules(const struct nft_chain * chain,unsigned int size)2614 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2615 unsigned int size)
2616 {
2617 struct nft_rule_blob *blob;
2618
2619 if (size > INT_MAX)
2620 return NULL;
2621
2622 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2623
2624 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2625 if (!blob)
2626 return NULL;
2627
2628 blob->size = 0;
2629 nft_last_rule(chain, blob->data);
2630
2631 return blob;
2632 }
2633
nft_basechain_hook_init(struct nf_hook_ops * ops,u8 family,const struct nft_chain_hook * hook,struct nft_chain * chain)2634 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2635 const struct nft_chain_hook *hook,
2636 struct nft_chain *chain)
2637 {
2638 ops->pf = family;
2639 ops->hooknum = hook->num;
2640 ops->priority = hook->priority;
2641 ops->priv = chain;
2642 ops->hook = hook->type->hooks[ops->hooknum];
2643 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2644 }
2645
nft_basechain_init(struct nft_base_chain * basechain,u8 family,struct nft_chain_hook * hook,u32 flags)2646 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2647 struct nft_chain_hook *hook, u32 flags)
2648 {
2649 struct nft_chain *chain;
2650 struct nf_hook_ops *ops;
2651 struct nft_hook *h;
2652
2653 basechain->type = hook->type;
2654 INIT_LIST_HEAD(&basechain->hook_list);
2655 chain = &basechain->chain;
2656
2657 if (nft_base_chain_netdev(family, hook->num)) {
2658 list_splice_init(&hook->list, &basechain->hook_list);
2659 list_for_each_entry(h, &basechain->hook_list, list) {
2660 list_for_each_entry(ops, &h->ops_list, list)
2661 nft_basechain_hook_init(ops, family, hook, chain);
2662 }
2663 }
2664 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2665
2666 chain->flags |= NFT_CHAIN_BASE | flags;
2667 basechain->policy = NF_ACCEPT;
2668 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2669 !nft_chain_offload_support(basechain)) {
2670 list_splice_init(&basechain->hook_list, &hook->list);
2671 return -EOPNOTSUPP;
2672 }
2673
2674 flow_block_init(&basechain->flow_block);
2675
2676 return 0;
2677 }
2678
nft_chain_add(struct nft_table * table,struct nft_chain * chain)2679 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2680 {
2681 int err;
2682
2683 err = rhltable_insert_key(&table->chains_ht, chain->name,
2684 &chain->rhlhead, nft_chain_ht_params);
2685 if (err)
2686 return err;
2687
2688 list_add_tail_rcu(&chain->list, &table->chains);
2689
2690 return 0;
2691 }
2692
2693 static u64 chain_id;
2694
nf_tables_addchain(struct nft_ctx * ctx,u8 family,u8 policy,u32 flags,struct netlink_ext_ack * extack)2695 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 policy,
2696 u32 flags, struct netlink_ext_ack *extack)
2697 {
2698 const struct nlattr * const *nla = ctx->nla;
2699 struct nft_table *table = ctx->table;
2700 struct nft_base_chain *basechain;
2701 struct net *net = ctx->net;
2702 char name[NFT_NAME_MAXLEN];
2703 struct nft_rule_blob *blob;
2704 struct nft_trans *trans;
2705 struct nft_chain *chain;
2706 int err;
2707
2708 if (nla[NFTA_CHAIN_HOOK]) {
2709 struct nft_stats __percpu *stats = NULL;
2710 struct nft_chain_hook hook = {};
2711
2712 if (table->flags & __NFT_TABLE_F_UPDATE)
2713 return -EINVAL;
2714
2715 if (flags & NFT_CHAIN_BINDING)
2716 return -EOPNOTSUPP;
2717
2718 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2719 extack);
2720 if (err < 0)
2721 return err;
2722
2723 basechain = kzalloc_obj(*basechain, GFP_KERNEL_ACCOUNT);
2724 if (basechain == NULL) {
2725 nft_chain_release_hook(&hook);
2726 return -ENOMEM;
2727 }
2728 chain = &basechain->chain;
2729
2730 if (nla[NFTA_CHAIN_COUNTERS]) {
2731 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2732 if (IS_ERR_PCPU(stats)) {
2733 nft_chain_release_hook(&hook);
2734 kfree(basechain);
2735 return PTR_ERR_PCPU(stats);
2736 }
2737 rcu_assign_pointer(basechain->stats, stats);
2738 }
2739
2740 err = nft_basechain_init(basechain, family, &hook, flags);
2741 if (err < 0) {
2742 nft_chain_release_hook(&hook);
2743 kfree(basechain);
2744 free_percpu(stats);
2745 return err;
2746 }
2747 if (stats)
2748 static_branch_inc(&nft_counters_enabled);
2749 } else {
2750 if (flags & NFT_CHAIN_BASE)
2751 return -EINVAL;
2752 if (flags & NFT_CHAIN_HW_OFFLOAD)
2753 return -EOPNOTSUPP;
2754
2755 chain = kzalloc_obj(*chain, GFP_KERNEL_ACCOUNT);
2756 if (chain == NULL)
2757 return -ENOMEM;
2758
2759 chain->flags = flags;
2760 }
2761 ctx->chain = chain;
2762
2763 INIT_LIST_HEAD(&chain->rules);
2764 chain->handle = nf_tables_alloc_handle(table);
2765 chain->table = table;
2766
2767 if (nla[NFTA_CHAIN_NAME]) {
2768 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2769 } else {
2770 if (!(flags & NFT_CHAIN_BINDING)) {
2771 err = -EINVAL;
2772 goto err_destroy_chain;
2773 }
2774
2775 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2776 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2777 }
2778
2779 if (!chain->name) {
2780 err = -ENOMEM;
2781 goto err_destroy_chain;
2782 }
2783
2784 if (nla[NFTA_CHAIN_USERDATA]) {
2785 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2786 if (chain->udata == NULL) {
2787 err = -ENOMEM;
2788 goto err_destroy_chain;
2789 }
2790 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2791 }
2792
2793 blob = nf_tables_chain_alloc_rules(chain, 0);
2794 if (!blob) {
2795 err = -ENOMEM;
2796 goto err_destroy_chain;
2797 }
2798
2799 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2800 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2801
2802 if (!nft_use_inc(&table->use)) {
2803 err = -EMFILE;
2804 goto err_destroy_chain;
2805 }
2806
2807 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2808 if (IS_ERR(trans)) {
2809 err = PTR_ERR(trans);
2810 goto err_trans;
2811 }
2812
2813 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2814 if (nft_is_base_chain(chain))
2815 nft_trans_chain_policy(trans) = policy;
2816
2817 err = nft_chain_add(table, chain);
2818 if (err < 0)
2819 goto err_chain_add;
2820
2821 /* This must be LAST to ensure no packets are walking over this chain. */
2822 err = nf_tables_register_hook(net, table, chain);
2823 if (err < 0)
2824 goto err_register_hook;
2825
2826 return 0;
2827
2828 err_register_hook:
2829 nft_chain_del(chain);
2830 synchronize_rcu();
2831 err_chain_add:
2832 nft_trans_destroy(trans);
2833 err_trans:
2834 nft_use_dec_restore(&table->use);
2835 err_destroy_chain:
2836 nf_tables_chain_destroy(chain);
2837
2838 return err;
2839 }
2840
nf_tables_updchain(struct nft_ctx * ctx,u8 genmask,u8 policy,u32 flags,const struct nlattr * attr,struct netlink_ext_ack * extack)2841 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2842 u32 flags, const struct nlattr *attr,
2843 struct netlink_ext_ack *extack)
2844 {
2845 const struct nlattr * const *nla = ctx->nla;
2846 struct nft_base_chain *basechain = NULL;
2847 struct nft_table *table = ctx->table;
2848 struct nft_chain *chain = ctx->chain;
2849 struct nft_chain_hook hook = {};
2850 struct nft_stats __percpu *stats = NULL;
2851 struct nftables_pernet *nft_net;
2852 struct nft_hook *h, *next;
2853 struct nf_hook_ops *ops;
2854 struct nft_trans *trans;
2855 bool unregister = false;
2856 int err;
2857
2858 if (chain->flags ^ flags)
2859 return -EOPNOTSUPP;
2860
2861 INIT_LIST_HEAD(&hook.list);
2862
2863 if (nla[NFTA_CHAIN_HOOK]) {
2864 if (!nft_is_base_chain(chain)) {
2865 NL_SET_BAD_ATTR(extack, attr);
2866 return -EEXIST;
2867 }
2868
2869 basechain = nft_base_chain(chain);
2870 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2871 ctx->family, flags, extack);
2872 if (err < 0)
2873 return err;
2874
2875 if (basechain->type != hook.type) {
2876 nft_chain_release_hook(&hook);
2877 NL_SET_BAD_ATTR(extack, attr);
2878 return -EEXIST;
2879 }
2880
2881 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2882 list_for_each_entry_safe(h, next, &hook.list, list) {
2883 list_for_each_entry(ops, &h->ops_list, list) {
2884 ops->pf = basechain->ops.pf;
2885 ops->hooknum = basechain->ops.hooknum;
2886 ops->priority = basechain->ops.priority;
2887 ops->priv = basechain->ops.priv;
2888 ops->hook = basechain->ops.hook;
2889 }
2890
2891 if (nft_hook_list_find(&basechain->hook_list, h)) {
2892 list_del(&h->list);
2893 nft_netdev_hook_free(h);
2894 continue;
2895 }
2896
2897 nft_net = nft_pernet(ctx->net);
2898 list_for_each_entry(trans, &nft_net->commit_list, list) {
2899 if (trans->msg_type != NFT_MSG_NEWCHAIN ||
2900 trans->table != ctx->table ||
2901 !nft_trans_chain_update(trans))
2902 continue;
2903
2904 if (nft_hook_list_find(&nft_trans_chain_hooks(trans), h)) {
2905 nft_chain_release_hook(&hook);
2906 return -EEXIST;
2907 }
2908 }
2909 }
2910 } else {
2911 ops = &basechain->ops;
2912 if (ops->hooknum != hook.num ||
2913 ops->priority != hook.priority) {
2914 nft_chain_release_hook(&hook);
2915 NL_SET_BAD_ATTR(extack, attr);
2916 return -EEXIST;
2917 }
2918 }
2919 }
2920
2921 if (nla[NFTA_CHAIN_HANDLE] &&
2922 nla[NFTA_CHAIN_NAME]) {
2923 struct nft_chain *chain2;
2924
2925 chain2 = nft_chain_lookup(ctx->net, table,
2926 nla[NFTA_CHAIN_NAME], genmask);
2927 if (!IS_ERR(chain2)) {
2928 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2929 err = -EEXIST;
2930 goto err_hooks;
2931 }
2932 }
2933
2934 if (table->flags & __NFT_TABLE_F_UPDATE &&
2935 !list_empty(&hook.list)) {
2936 NL_SET_BAD_ATTR(extack, attr);
2937 err = -EOPNOTSUPP;
2938 goto err_hooks;
2939 }
2940
2941 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2942 nft_is_base_chain(chain) &&
2943 !list_empty(&hook.list)) {
2944 basechain = nft_base_chain(chain);
2945 ops = &basechain->ops;
2946
2947 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2948 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2949 if (err < 0)
2950 goto err_hooks;
2951
2952 unregister = true;
2953 }
2954 }
2955
2956 if (nla[NFTA_CHAIN_COUNTERS]) {
2957 if (!nft_is_base_chain(chain)) {
2958 err = -EOPNOTSUPP;
2959 goto err_hooks;
2960 }
2961
2962 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2963 if (IS_ERR_PCPU(stats)) {
2964 err = PTR_ERR_PCPU(stats);
2965 goto err_hooks;
2966 }
2967 }
2968
2969 err = -ENOMEM;
2970 trans = nft_trans_alloc_chain(ctx, NFT_MSG_NEWCHAIN);
2971 if (trans == NULL)
2972 goto err_trans;
2973
2974 nft_trans_chain_stats(trans) = stats;
2975 nft_trans_chain_update(trans) = true;
2976
2977 if (nla[NFTA_CHAIN_POLICY])
2978 nft_trans_chain_policy(trans) = policy;
2979 else
2980 nft_trans_chain_policy(trans) = -1;
2981
2982 if (nla[NFTA_CHAIN_HANDLE] &&
2983 nla[NFTA_CHAIN_NAME]) {
2984 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2985 struct nft_trans *tmp;
2986 char *name;
2987
2988 err = -ENOMEM;
2989 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2990 if (!name)
2991 goto err_trans;
2992
2993 err = -EEXIST;
2994 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2995 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2996 tmp->table == table &&
2997 nft_trans_chain_update(tmp) &&
2998 nft_trans_chain_name(tmp) &&
2999 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
3000 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
3001 kfree(name);
3002 goto err_trans;
3003 }
3004 }
3005
3006 nft_trans_chain_name(trans) = name;
3007 }
3008
3009 nft_trans_basechain(trans) = basechain;
3010 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
3011 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
3012 if (nla[NFTA_CHAIN_HOOK])
3013 module_put(hook.type->owner);
3014
3015 nft_trans_commit_list_add_tail(ctx->net, trans);
3016
3017 return 0;
3018
3019 err_trans:
3020 free_percpu(stats);
3021 kfree(trans);
3022 err_hooks:
3023 if (nla[NFTA_CHAIN_HOOK]) {
3024 list_for_each_entry_safe(h, next, &hook.list, list) {
3025 if (unregister) {
3026 list_for_each_entry(ops, &h->ops_list, list)
3027 nf_unregister_net_hook(ctx->net, ops);
3028 }
3029 list_del(&h->list);
3030 nft_netdev_hook_free_rcu(h);
3031 }
3032 module_put(hook.type->owner);
3033 }
3034
3035 return err;
3036 }
3037
nft_chain_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)3038 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
3039 const struct nft_table *table,
3040 const struct nlattr *nla, u8 genmask)
3041 {
3042 struct nftables_pernet *nft_net = nft_pernet(net);
3043 u32 id = ntohl(nla_get_be32(nla));
3044 struct nft_trans *trans;
3045
3046 list_for_each_entry(trans, &nft_net->commit_list, list) {
3047 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
3048 nft_trans_chain(trans)->table == table &&
3049 id == nft_trans_chain_id(trans) &&
3050 nft_active_genmask(nft_trans_chain(trans), genmask))
3051 return nft_trans_chain(trans);
3052 }
3053 return ERR_PTR(-ENOENT);
3054 }
3055
nf_tables_newchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3056 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
3057 const struct nlattr * const nla[])
3058 {
3059 struct nftables_pernet *nft_net = nft_pernet(info->net);
3060 struct netlink_ext_ack *extack = info->extack;
3061 u8 genmask = nft_genmask_next(info->net);
3062 u8 family = info->nfmsg->nfgen_family;
3063 struct nft_chain *chain = NULL;
3064 struct net *net = info->net;
3065 const struct nlattr *attr;
3066 struct nft_table *table;
3067 u8 policy = NF_ACCEPT;
3068 struct nft_ctx ctx;
3069 u64 handle = 0;
3070 u32 flags = 0;
3071
3072 lockdep_assert_held(&nft_net->commit_mutex);
3073
3074 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
3075 NETLINK_CB(skb).portid);
3076 if (IS_ERR(table)) {
3077 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
3078 return PTR_ERR(table);
3079 }
3080
3081 chain = NULL;
3082 attr = nla[NFTA_CHAIN_NAME];
3083
3084 if (nla[NFTA_CHAIN_HANDLE]) {
3085 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
3086 chain = nft_chain_lookup_byhandle(table, handle, genmask);
3087 if (IS_ERR(chain)) {
3088 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
3089 return PTR_ERR(chain);
3090 }
3091 attr = nla[NFTA_CHAIN_HANDLE];
3092 } else if (nla[NFTA_CHAIN_NAME]) {
3093 chain = nft_chain_lookup(net, table, attr, genmask);
3094 if (IS_ERR(chain)) {
3095 if (PTR_ERR(chain) != -ENOENT) {
3096 NL_SET_BAD_ATTR(extack, attr);
3097 return PTR_ERR(chain);
3098 }
3099 chain = NULL;
3100 }
3101 } else if (!nla[NFTA_CHAIN_ID]) {
3102 return -EINVAL;
3103 }
3104
3105 if (nla[NFTA_CHAIN_POLICY]) {
3106 if (chain != NULL &&
3107 !nft_is_base_chain(chain)) {
3108 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
3109 return -EOPNOTSUPP;
3110 }
3111
3112 if (chain == NULL &&
3113 nla[NFTA_CHAIN_HOOK] == NULL) {
3114 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
3115 return -EOPNOTSUPP;
3116 }
3117
3118 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
3119 switch (policy) {
3120 case NF_DROP:
3121 case NF_ACCEPT:
3122 break;
3123 default:
3124 return -EINVAL;
3125 }
3126 }
3127
3128 if (nla[NFTA_CHAIN_FLAGS])
3129 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
3130 else if (chain)
3131 flags = chain->flags;
3132
3133 if (flags & ~NFT_CHAIN_FLAGS)
3134 return -EOPNOTSUPP;
3135
3136 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3137
3138 if (chain != NULL) {
3139 if (chain->flags & NFT_CHAIN_BINDING)
3140 return -EINVAL;
3141
3142 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3143 NL_SET_BAD_ATTR(extack, attr);
3144 return -EEXIST;
3145 }
3146 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3147 return -EOPNOTSUPP;
3148
3149 flags |= chain->flags & NFT_CHAIN_BASE;
3150 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
3151 extack);
3152 }
3153
3154 return nf_tables_addchain(&ctx, family, policy, flags, extack);
3155 }
3156
nft_delchain_hook(struct nft_ctx * ctx,struct nft_base_chain * basechain,struct netlink_ext_ack * extack)3157 static int nft_delchain_hook(struct nft_ctx *ctx,
3158 struct nft_base_chain *basechain,
3159 struct netlink_ext_ack *extack)
3160 {
3161 const struct nft_chain *chain = &basechain->chain;
3162 const struct nlattr * const *nla = ctx->nla;
3163 struct nft_chain_hook chain_hook = {};
3164 struct nft_hook *this, *hook;
3165 LIST_HEAD(chain_del_list);
3166 struct nft_trans *trans;
3167 int err;
3168
3169 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
3170 return -EOPNOTSUPP;
3171
3172 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
3173 ctx->family, chain->flags, extack);
3174 if (err < 0)
3175 return err;
3176
3177 list_for_each_entry(this, &chain_hook.list, list) {
3178 hook = nft_hook_list_find(&basechain->hook_list, this);
3179 if (!hook) {
3180 err = -ENOENT;
3181 goto err_chain_del_hook;
3182 }
3183 list_move(&hook->list, &chain_del_list);
3184 }
3185
3186 trans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN);
3187 if (!trans) {
3188 err = -ENOMEM;
3189 goto err_chain_del_hook;
3190 }
3191
3192 nft_trans_basechain(trans) = basechain;
3193 nft_trans_chain_update(trans) = true;
3194 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
3195 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
3196 nft_chain_release_hook(&chain_hook);
3197
3198 nft_trans_commit_list_add_tail(ctx->net, trans);
3199
3200 return 0;
3201
3202 err_chain_del_hook:
3203 list_splice(&chain_del_list, &basechain->hook_list);
3204 nft_chain_release_hook(&chain_hook);
3205
3206 return err;
3207 }
3208
nf_tables_delchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3209 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
3210 const struct nlattr * const nla[])
3211 {
3212 struct netlink_ext_ack *extack = info->extack;
3213 u8 genmask = nft_genmask_next(info->net);
3214 u8 family = info->nfmsg->nfgen_family;
3215 struct net *net = info->net;
3216 const struct nlattr *attr;
3217 struct nft_table *table;
3218 struct nft_chain *chain;
3219 struct nft_rule *rule;
3220 struct nft_ctx ctx;
3221 u64 handle;
3222 u32 use;
3223 int err;
3224
3225 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
3226 NETLINK_CB(skb).portid);
3227 if (IS_ERR(table)) {
3228 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
3229 return PTR_ERR(table);
3230 }
3231
3232 if (nla[NFTA_CHAIN_HANDLE]) {
3233 attr = nla[NFTA_CHAIN_HANDLE];
3234 handle = be64_to_cpu(nla_get_be64(attr));
3235 chain = nft_chain_lookup_byhandle(table, handle, genmask);
3236 } else {
3237 attr = nla[NFTA_CHAIN_NAME];
3238 chain = nft_chain_lookup(net, table, attr, genmask);
3239 }
3240 if (IS_ERR(chain)) {
3241 if (PTR_ERR(chain) == -ENOENT &&
3242 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
3243 return 0;
3244
3245 NL_SET_BAD_ATTR(extack, attr);
3246 return PTR_ERR(chain);
3247 }
3248
3249 if (nft_chain_binding(chain))
3250 return -EOPNOTSUPP;
3251
3252 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3253
3254 if (nla[NFTA_CHAIN_HOOK]) {
3255 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN ||
3256 chain->flags & NFT_CHAIN_HW_OFFLOAD)
3257 return -EOPNOTSUPP;
3258
3259 if (nft_is_base_chain(chain)) {
3260 struct nft_base_chain *basechain = nft_base_chain(chain);
3261
3262 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
3263 return nft_delchain_hook(&ctx, basechain, extack);
3264 }
3265 }
3266
3267 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
3268 chain->use > 0)
3269 return -EBUSY;
3270
3271 use = chain->use;
3272 list_for_each_entry(rule, &chain->rules, list) {
3273 if (!nft_is_active_next(net, rule))
3274 continue;
3275 use--;
3276
3277 err = nft_delrule(&ctx, rule);
3278 if (err < 0)
3279 return err;
3280 }
3281
3282 /* There are rules and elements that are still holding references to us,
3283 * we cannot do a recursive removal in this case.
3284 */
3285 if (use > 0) {
3286 NL_SET_BAD_ATTR(extack, attr);
3287 return -EBUSY;
3288 }
3289
3290 return nft_delchain(&ctx);
3291 }
3292
3293 /*
3294 * Expressions
3295 */
3296
3297 /**
3298 * nft_register_expr - register nf_tables expr type
3299 * @type: expr type
3300 *
3301 * Registers the expr type for use with nf_tables. Returns zero on
3302 * success or a negative errno code otherwise.
3303 */
nft_register_expr(struct nft_expr_type * type)3304 int nft_register_expr(struct nft_expr_type *type)
3305 {
3306 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
3307 return -ENOMEM;
3308
3309 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3310 if (type->family == NFPROTO_UNSPEC)
3311 list_add_tail_rcu(&type->list, &nf_tables_expressions);
3312 else
3313 list_add_rcu(&type->list, &nf_tables_expressions);
3314 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3315 return 0;
3316 }
3317 EXPORT_SYMBOL_GPL(nft_register_expr);
3318
3319 /**
3320 * nft_unregister_expr - unregister nf_tables expr type
3321 * @type: expr type
3322 *
3323 * Unregisters the expr typefor use with nf_tables.
3324 */
nft_unregister_expr(struct nft_expr_type * type)3325 void nft_unregister_expr(struct nft_expr_type *type)
3326 {
3327 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3328 list_del_rcu(&type->list);
3329 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3330 }
3331 EXPORT_SYMBOL_GPL(nft_unregister_expr);
3332
__nft_expr_type_get(u8 family,struct nlattr * nla)3333 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
3334 struct nlattr *nla)
3335 {
3336 const struct nft_expr_type *type, *candidate = NULL;
3337
3338 list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
3339 if (!nla_strcmp(nla, type->name)) {
3340 if (!type->family && !candidate)
3341 candidate = type;
3342 else if (type->family == family)
3343 candidate = type;
3344 }
3345 }
3346 return candidate;
3347 }
3348
3349 #ifdef CONFIG_MODULES
nft_expr_type_request_module(struct net * net,u8 family,struct nlattr * nla)3350 static int nft_expr_type_request_module(struct net *net, u8 family,
3351 struct nlattr *nla)
3352 {
3353 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3354 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3355 return -EAGAIN;
3356
3357 return 0;
3358 }
3359 #endif
3360
nft_expr_type_get(struct net * net,u8 family,struct nlattr * nla)3361 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3362 u8 family,
3363 struct nlattr *nla)
3364 {
3365 const struct nft_expr_type *type;
3366
3367 if (nla == NULL)
3368 return ERR_PTR(-EINVAL);
3369
3370 rcu_read_lock();
3371 type = __nft_expr_type_get(family, nla);
3372 if (type != NULL && try_module_get(type->owner)) {
3373 rcu_read_unlock();
3374 return type;
3375 }
3376 rcu_read_unlock();
3377
3378 lockdep_nfnl_nft_mutex_not_held();
3379 #ifdef CONFIG_MODULES
3380 if (type == NULL) {
3381 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3382 return ERR_PTR(-EAGAIN);
3383
3384 if (nft_request_module(net, "nft-expr-%.*s",
3385 nla_len(nla),
3386 (char *)nla_data(nla)) == -EAGAIN)
3387 return ERR_PTR(-EAGAIN);
3388 }
3389 #endif
3390 return ERR_PTR(-ENOENT);
3391 }
3392
3393 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3394 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3395 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3396 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3397 };
3398
nf_tables_fill_expr_info(struct sk_buff * skb,const struct nft_expr * expr,bool reset)3399 static int nf_tables_fill_expr_info(struct sk_buff *skb,
3400 const struct nft_expr *expr, bool reset)
3401 {
3402 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
3403 goto nla_put_failure;
3404
3405 if (expr->ops->dump) {
3406 struct nlattr *data = nla_nest_start_noflag(skb,
3407 NFTA_EXPR_DATA);
3408 if (data == NULL)
3409 goto nla_put_failure;
3410 if (expr->ops->dump(skb, expr, reset) < 0)
3411 goto nla_put_failure;
3412 nla_nest_end(skb, data);
3413 }
3414
3415 return skb->len;
3416
3417 nla_put_failure:
3418 return -1;
3419 };
3420
nft_expr_dump(struct sk_buff * skb,unsigned int attr,const struct nft_expr * expr,bool reset)3421 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3422 const struct nft_expr *expr, bool reset)
3423 {
3424 struct nlattr *nest;
3425
3426 nest = nla_nest_start_noflag(skb, attr);
3427 if (!nest)
3428 goto nla_put_failure;
3429 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3430 goto nla_put_failure;
3431 nla_nest_end(skb, nest);
3432 return 0;
3433
3434 nla_put_failure:
3435 return -1;
3436 }
3437
3438 struct nft_expr_info {
3439 const struct nft_expr_ops *ops;
3440 const struct nlattr *attr;
3441 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3442 };
3443
nf_tables_expr_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3444 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3445 const struct nlattr *nla,
3446 struct nft_expr_info *info)
3447 {
3448 const struct nft_expr_type *type;
3449 const struct nft_expr_ops *ops;
3450 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3451 int err;
3452
3453 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3454 nft_expr_policy, NULL);
3455 if (err < 0)
3456 return err;
3457
3458 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3459 if (IS_ERR(type))
3460 return PTR_ERR(type);
3461
3462 if (tb[NFTA_EXPR_DATA]) {
3463 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3464 tb[NFTA_EXPR_DATA],
3465 type->policy, NULL);
3466 if (err < 0)
3467 goto err1;
3468 } else
3469 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3470
3471 if (type->select_ops != NULL) {
3472 ops = type->select_ops(ctx,
3473 (const struct nlattr * const *)info->tb);
3474 if (IS_ERR(ops)) {
3475 err = PTR_ERR(ops);
3476 #ifdef CONFIG_MODULES
3477 if (err == -EAGAIN)
3478 if (nft_expr_type_request_module(ctx->net,
3479 ctx->family,
3480 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3481 err = -ENOENT;
3482 #endif
3483 goto err1;
3484 }
3485 } else
3486 ops = type->ops;
3487
3488 info->attr = nla;
3489 info->ops = ops;
3490
3491 return 0;
3492
3493 err1:
3494 module_put(type->owner);
3495 return err;
3496 }
3497
nft_expr_inner_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3498 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3499 struct nft_expr_info *info)
3500 {
3501 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3502 const struct nft_expr_type *type;
3503 int err;
3504
3505 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3506 nft_expr_policy, NULL);
3507 if (err < 0)
3508 return err;
3509
3510 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3511 return -EINVAL;
3512
3513 rcu_read_lock();
3514
3515 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3516 if (!type) {
3517 err = -ENOENT;
3518 goto out_unlock;
3519 }
3520
3521 if (!type->inner_ops) {
3522 err = -EOPNOTSUPP;
3523 goto out_unlock;
3524 }
3525
3526 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3527 tb[NFTA_EXPR_DATA],
3528 type->policy, NULL);
3529 if (err < 0)
3530 goto out_unlock;
3531
3532 info->attr = nla;
3533 info->ops = type->inner_ops;
3534
3535 /* No module reference will be taken on type->owner.
3536 * Presence of type->inner_ops implies that the expression
3537 * is builtin, so it cannot go away.
3538 */
3539 rcu_read_unlock();
3540 return 0;
3541
3542 out_unlock:
3543 rcu_read_unlock();
3544 return err;
3545 }
3546
nf_tables_newexpr(const struct nft_ctx * ctx,const struct nft_expr_info * expr_info,struct nft_expr * expr)3547 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3548 const struct nft_expr_info *expr_info,
3549 struct nft_expr *expr)
3550 {
3551 const struct nft_expr_ops *ops = expr_info->ops;
3552 int err;
3553
3554 expr->ops = ops;
3555 if (ops->init) {
3556 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3557 if (err < 0)
3558 goto err1;
3559 }
3560
3561 return 0;
3562 err1:
3563 expr->ops = NULL;
3564 return err;
3565 }
3566
nf_tables_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3567 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3568 struct nft_expr *expr)
3569 {
3570 const struct nft_expr_type *type = expr->ops->type;
3571
3572 if (expr->ops->destroy)
3573 expr->ops->destroy(ctx, expr);
3574 module_put(type->owner);
3575 }
3576
nft_expr_init(const struct nft_ctx * ctx,const struct nlattr * nla)3577 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3578 const struct nlattr *nla)
3579 {
3580 struct nft_expr_info expr_info;
3581 struct nft_expr *expr;
3582 struct module *owner;
3583 int err;
3584
3585 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3586 if (err < 0)
3587 goto err_expr_parse;
3588
3589 err = -EOPNOTSUPP;
3590 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3591 goto err_expr_stateful;
3592
3593 err = -ENOMEM;
3594 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3595 if (expr == NULL)
3596 goto err_expr_stateful;
3597
3598 err = nf_tables_newexpr(ctx, &expr_info, expr);
3599 if (err < 0)
3600 goto err_expr_new;
3601
3602 return expr;
3603 err_expr_new:
3604 kfree(expr);
3605 err_expr_stateful:
3606 owner = expr_info.ops->type->owner;
3607 if (expr_info.ops->type->release_ops)
3608 expr_info.ops->type->release_ops(expr_info.ops);
3609
3610 module_put(owner);
3611 err_expr_parse:
3612 return ERR_PTR(err);
3613 }
3614
nft_expr_clone(struct nft_expr * dst,struct nft_expr * src,gfp_t gfp)3615 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp)
3616 {
3617 int err;
3618
3619 if (WARN_ON_ONCE(!src->ops->clone))
3620 return -EINVAL;
3621
3622 dst->ops = src->ops;
3623 err = src->ops->clone(dst, src, gfp);
3624 if (err < 0)
3625 return err;
3626
3627 __module_get(src->ops->type->owner);
3628
3629 return 0;
3630 }
3631
nft_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3632 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3633 {
3634 nf_tables_expr_destroy(ctx, expr);
3635 kfree(expr);
3636 }
3637
3638 /*
3639 * Rules
3640 */
3641
__nft_rule_lookup(const struct net * net,const struct nft_chain * chain,u64 handle)3642 static struct nft_rule *__nft_rule_lookup(const struct net *net,
3643 const struct nft_chain *chain,
3644 u64 handle)
3645 {
3646 struct nft_rule *rule;
3647
3648 // FIXME: this sucks
3649 list_for_each_entry_rcu(rule, &chain->rules, list,
3650 lockdep_commit_lock_is_held(net)) {
3651 if (handle == rule->handle)
3652 return rule;
3653 }
3654
3655 return ERR_PTR(-ENOENT);
3656 }
3657
nft_rule_lookup(const struct net * net,const struct nft_chain * chain,const struct nlattr * nla)3658 static struct nft_rule *nft_rule_lookup(const struct net *net,
3659 const struct nft_chain *chain,
3660 const struct nlattr *nla)
3661 {
3662 if (nla == NULL)
3663 return ERR_PTR(-EINVAL);
3664
3665 return __nft_rule_lookup(net, chain, be64_to_cpu(nla_get_be64(nla)));
3666 }
3667
3668 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3669 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3670 .len = NFT_TABLE_MAXNAMELEN - 1 },
3671 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3672 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3673 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3674 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
3675 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3676 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3677 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3678 .len = NFT_USERDATA_MAXLEN },
3679 [NFTA_RULE_ID] = { .type = NLA_U32 },
3680 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3681 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3682 };
3683
nf_tables_fill_rule_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct nft_rule * rule,u64 handle,bool reset)3684 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3685 u32 portid, u32 seq, int event,
3686 u32 flags, int family,
3687 const struct nft_table *table,
3688 const struct nft_chain *chain,
3689 const struct nft_rule *rule, u64 handle,
3690 bool reset)
3691 {
3692 struct nlmsghdr *nlh;
3693 const struct nft_expr *expr, *next;
3694 struct nlattr *list;
3695 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3696
3697 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3698 nft_base_seq_be16(net));
3699 if (!nlh)
3700 goto nla_put_failure;
3701
3702 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3703 goto nla_put_failure;
3704 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3705 goto nla_put_failure;
3706 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3707 NFTA_RULE_PAD))
3708 goto nla_put_failure;
3709
3710 if (event != NFT_MSG_DELRULE && handle) {
3711 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3712 NFTA_RULE_PAD))
3713 goto nla_put_failure;
3714 }
3715
3716 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3717 nft_flow_rule_stats(chain, rule);
3718
3719 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3720 if (list == NULL)
3721 goto nla_put_failure;
3722 nft_rule_for_each_expr(expr, next, rule) {
3723 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3724 goto nla_put_failure;
3725 }
3726 nla_nest_end(skb, list);
3727
3728 if (rule->udata) {
3729 struct nft_userdata *udata = nft_userdata(rule);
3730 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3731 udata->data) < 0)
3732 goto nla_put_failure;
3733 }
3734
3735 nlmsg_end(skb, nlh);
3736 return 0;
3737
3738 nla_put_failure:
3739 nlmsg_trim(skb, nlh);
3740 return -1;
3741 }
3742
nf_tables_rule_notify(const struct nft_ctx * ctx,const struct nft_rule * rule,int event)3743 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3744 const struct nft_rule *rule, int event)
3745 {
3746 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3747 const struct nft_rule *prule;
3748 struct sk_buff *skb;
3749 u64 handle = 0;
3750 u16 flags = 0;
3751 int err;
3752
3753 if (!ctx->report &&
3754 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3755 return;
3756
3757 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3758 if (skb == NULL)
3759 goto err;
3760
3761 if (event == NFT_MSG_NEWRULE &&
3762 !list_is_first(&rule->list, &ctx->chain->rules) &&
3763 !list_is_last(&rule->list, &ctx->chain->rules)) {
3764 prule = list_prev_entry(rule, list);
3765 handle = prule->handle;
3766 }
3767 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3768 flags |= NLM_F_APPEND;
3769 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3770 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3771
3772 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3773 event, flags, ctx->family, ctx->table,
3774 ctx->chain, rule, handle, false);
3775 if (err < 0) {
3776 kfree_skb(skb);
3777 goto err;
3778 }
3779
3780 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3781 return;
3782 err:
3783 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3784 }
3785
audit_log_rule_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)3786 static void audit_log_rule_reset(const struct nft_table *table,
3787 unsigned int base_seq,
3788 unsigned int nentries)
3789 {
3790 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
3791 table->name, base_seq);
3792
3793 audit_log_nfcfg(buf, table->family, nentries,
3794 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3795 kfree(buf);
3796 }
3797
3798 struct nft_rule_dump_ctx {
3799 unsigned int s_idx;
3800 char *table;
3801 char *chain;
3802 bool reset;
3803 };
3804
__nf_tables_dump_rules(struct sk_buff * skb,unsigned int * idx,struct netlink_callback * cb,const struct nft_table * table,const struct nft_chain * chain)3805 static int __nf_tables_dump_rules(struct sk_buff *skb,
3806 unsigned int *idx,
3807 struct netlink_callback *cb,
3808 const struct nft_table *table,
3809 const struct nft_chain *chain)
3810 {
3811 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3812 struct net *net = sock_net(skb->sk);
3813 const struct nft_rule *rule, *prule;
3814 unsigned int entries = 0;
3815 int ret = 0;
3816 u64 handle;
3817
3818 prule = NULL;
3819 list_for_each_entry_rcu(rule, &chain->rules, list) {
3820 if (!nft_is_active(net, rule))
3821 goto cont_skip;
3822 if (*idx < ctx->s_idx)
3823 goto cont;
3824 if (prule)
3825 handle = prule->handle;
3826 else
3827 handle = 0;
3828
3829 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3830 cb->nlh->nlmsg_seq,
3831 NFT_MSG_NEWRULE,
3832 NLM_F_MULTI | NLM_F_APPEND,
3833 table->family,
3834 table, chain, rule, handle, ctx->reset) < 0) {
3835 ret = 1;
3836 break;
3837 }
3838 entries++;
3839 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3840 cont:
3841 prule = rule;
3842 cont_skip:
3843 (*idx)++;
3844 }
3845
3846 if (ctx->reset && entries)
3847 audit_log_rule_reset(table, cb->seq, entries);
3848
3849 return ret;
3850 }
3851
nf_tables_dump_rules(struct sk_buff * skb,struct netlink_callback * cb)3852 static int nf_tables_dump_rules(struct sk_buff *skb,
3853 struct netlink_callback *cb)
3854 {
3855 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3856 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3857 struct nft_table *table;
3858 const struct nft_chain *chain;
3859 unsigned int idx = 0;
3860 struct net *net = sock_net(skb->sk);
3861 int family = nfmsg->nfgen_family;
3862 struct nftables_pernet *nft_net;
3863
3864 rcu_read_lock();
3865 nft_net = nft_pernet(net);
3866 cb->seq = nft_base_seq(net);
3867
3868 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3869 if (family != NFPROTO_UNSPEC && family != table->family)
3870 continue;
3871
3872 if (ctx->table && strcmp(ctx->table, table->name) != 0)
3873 continue;
3874
3875 if (ctx->table && ctx->chain) {
3876 struct rhlist_head *list, *tmp;
3877
3878 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3879 nft_chain_ht_params);
3880 if (!list)
3881 goto done;
3882
3883 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3884 if (!nft_is_active(net, chain))
3885 continue;
3886 __nf_tables_dump_rules(skb, &idx,
3887 cb, table, chain);
3888 break;
3889 }
3890 goto done;
3891 }
3892
3893 list_for_each_entry_rcu(chain, &table->chains, list) {
3894 if (__nf_tables_dump_rules(skb, &idx,
3895 cb, table, chain))
3896 goto done;
3897 }
3898
3899 if (ctx->table)
3900 break;
3901 }
3902 done:
3903 rcu_read_unlock();
3904
3905 ctx->s_idx = idx;
3906 return skb->len;
3907 }
3908
nf_tables_dump_rules_start(struct netlink_callback * cb)3909 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3910 {
3911 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3912 const struct nlattr * const *nla = cb->data;
3913
3914 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
3915
3916 if (nla[NFTA_RULE_TABLE]) {
3917 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC);
3918 if (!ctx->table)
3919 return -ENOMEM;
3920 }
3921 if (nla[NFTA_RULE_CHAIN]) {
3922 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC);
3923 if (!ctx->chain) {
3924 kfree(ctx->table);
3925 return -ENOMEM;
3926 }
3927 }
3928 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
3929 ctx->reset = true;
3930
3931 return 0;
3932 }
3933
nf_tables_dump_rules_done(struct netlink_callback * cb)3934 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3935 {
3936 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3937
3938 kfree(ctx->table);
3939 kfree(ctx->chain);
3940 return 0;
3941 }
3942
3943 /* Caller must hold rcu read lock or transaction mutex */
3944 static struct sk_buff *
nf_tables_getrule_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)3945 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3946 const struct nlattr * const nla[], bool reset)
3947 {
3948 struct netlink_ext_ack *extack = info->extack;
3949 u8 genmask = nft_genmask_cur(info->net);
3950 u8 family = info->nfmsg->nfgen_family;
3951 const struct nft_chain *chain;
3952 const struct nft_rule *rule;
3953 struct net *net = info->net;
3954 struct nft_table *table;
3955 struct sk_buff *skb2;
3956 int err;
3957
3958 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3959 if (IS_ERR(table)) {
3960 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3961 return ERR_CAST(table);
3962 }
3963
3964 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3965 if (IS_ERR(chain)) {
3966 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3967 return ERR_CAST(chain);
3968 }
3969
3970 rule = nft_rule_lookup(net, chain, nla[NFTA_RULE_HANDLE]);
3971 if (IS_ERR(rule)) {
3972 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3973 return ERR_CAST(rule);
3974 }
3975
3976 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3977 if (!skb2)
3978 return ERR_PTR(-ENOMEM);
3979
3980 err = nf_tables_fill_rule_info(skb2, net, portid,
3981 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3982 family, table, chain, rule, 0, reset);
3983 if (err < 0) {
3984 kfree_skb(skb2);
3985 return ERR_PTR(err);
3986 }
3987
3988 return skb2;
3989 }
3990
nf_tables_getrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3991 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3992 const struct nlattr * const nla[])
3993 {
3994 u32 portid = NETLINK_CB(skb).portid;
3995 struct net *net = info->net;
3996 struct sk_buff *skb2;
3997 bool reset = false;
3998 char *buf;
3999
4000 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4001 struct netlink_dump_control c = {
4002 .start= nf_tables_dump_rules_start,
4003 .dump = nf_tables_dump_rules,
4004 .done = nf_tables_dump_rules_done,
4005 .module = THIS_MODULE,
4006 .data = (void *)nla,
4007 };
4008
4009 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4010 }
4011
4012 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
4013 reset = true;
4014
4015 skb2 = nf_tables_getrule_single(portid, info, nla, reset);
4016 if (IS_ERR(skb2))
4017 return PTR_ERR(skb2);
4018
4019 if (!reset)
4020 return nfnetlink_unicast(skb2, net, portid);
4021
4022 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
4023 nla_len(nla[NFTA_RULE_TABLE]),
4024 (char *)nla_data(nla[NFTA_RULE_TABLE]),
4025 nft_base_seq(net));
4026 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
4027 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
4028 kfree(buf);
4029
4030 return nfnetlink_unicast(skb2, net, portid);
4031 }
4032
nf_tables_rule_destroy(const struct nft_ctx * ctx,struct nft_rule * rule)4033 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
4034 {
4035 struct nft_expr *expr, *next;
4036
4037 /*
4038 * Careful: some expressions might not be initialized in case this
4039 * is called on error from nf_tables_newrule().
4040 */
4041 expr = nft_expr_first(rule);
4042 while (nft_expr_more(rule, expr)) {
4043 next = nft_expr_next(expr);
4044 nf_tables_expr_destroy(ctx, expr);
4045 expr = next;
4046 }
4047 kfree(rule);
4048 }
4049
4050 /* can only be used if rule is no longer visible to dumps */
nf_tables_rule_release(const struct nft_ctx * ctx,struct nft_rule * rule)4051 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
4052 {
4053 WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
4054
4055 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
4056 nf_tables_rule_destroy(ctx, rule);
4057 }
4058
nft_chain_vstate_update(const struct nft_ctx * ctx,struct nft_chain * chain)4059 static void nft_chain_vstate_update(const struct nft_ctx *ctx, struct nft_chain *chain)
4060 {
4061 const struct nft_base_chain *base_chain;
4062 enum nft_chain_types type;
4063 u8 hooknum;
4064
4065 /* ctx->chain must hold the calling base chain. */
4066 if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain))) {
4067 memset(&chain->vstate, 0, sizeof(chain->vstate));
4068 return;
4069 }
4070
4071 base_chain = nft_base_chain(ctx->chain);
4072 hooknum = base_chain->ops.hooknum;
4073 type = base_chain->type->type;
4074
4075 BUILD_BUG_ON(BIT(NF_INET_NUMHOOKS) > U8_MAX);
4076
4077 chain->vstate.hook_mask[type] |= BIT(hooknum);
4078 if (chain->vstate.depth < ctx->level)
4079 chain->vstate.depth = ctx->level;
4080 }
4081
4082 /** nft_chain_validate - loop detection and hook validation
4083 *
4084 * @ctx: context containing call depth and base chain
4085 * @chain: chain to validate
4086 *
4087 * Walk through the rules of the given chain and chase all jumps/gotos
4088 * and set lookups until either the jump limit is hit or all reachable
4089 * chains have been validated.
4090 */
nft_chain_validate(const struct nft_ctx * ctx,struct nft_chain * chain)4091 int nft_chain_validate(const struct nft_ctx *ctx, struct nft_chain *chain)
4092 {
4093 struct nft_expr *expr, *last;
4094 struct nft_rule *rule;
4095 int err;
4096
4097 BUILD_BUG_ON(NFT_JUMP_STACK_SIZE > 255);
4098 if (ctx->level == NFT_JUMP_STACK_SIZE)
4099 return -EMLINK;
4100
4101 if (ctx->level > 0) {
4102 /* jumps to base chains are not allowed. */
4103 if (nft_is_base_chain(chain))
4104 return -ELOOP;
4105
4106 if (nft_chain_vstate_valid(ctx, chain))
4107 return 0;
4108 }
4109
4110 list_for_each_entry(rule, &chain->rules, list) {
4111 if (fatal_signal_pending(current))
4112 return -EINTR;
4113
4114 if (!nft_is_active_next(ctx->net, rule))
4115 continue;
4116
4117 nft_rule_for_each_expr(expr, last, rule) {
4118 if (!expr->ops->validate)
4119 continue;
4120
4121 /* This may call nft_chain_validate() recursively,
4122 * callers that do so must increment ctx->level.
4123 */
4124 err = expr->ops->validate(ctx, expr);
4125 if (err < 0)
4126 return err;
4127 }
4128
4129 cond_resched();
4130 }
4131
4132 nft_chain_vstate_update(ctx, chain);
4133 return 0;
4134 }
4135 EXPORT_SYMBOL_GPL(nft_chain_validate);
4136
nft_table_validate(struct net * net,const struct nft_table * table)4137 static int nft_table_validate(struct net *net, const struct nft_table *table)
4138 {
4139 struct nft_chain *chain;
4140 struct nft_ctx ctx = {
4141 .net = net,
4142 .family = table->family,
4143 };
4144 int err = 0;
4145
4146 list_for_each_entry(chain, &table->chains, list) {
4147 if (!nft_is_base_chain(chain))
4148 continue;
4149
4150 ctx.chain = chain;
4151 err = nft_chain_validate(&ctx, chain);
4152 if (err < 0)
4153 goto err;
4154 }
4155
4156 err:
4157 list_for_each_entry(chain, &table->chains, list)
4158 memset(&chain->vstate, 0, sizeof(chain->vstate));
4159
4160 return err;
4161 }
4162
nft_setelem_validate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)4163 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
4164 const struct nft_set_iter *iter,
4165 struct nft_elem_priv *elem_priv)
4166 {
4167 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
4168 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
4169 const struct nft_data *data;
4170 int err;
4171
4172 if (!nft_set_elem_active(ext, iter->genmask))
4173 return 0;
4174
4175 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4176 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4177 return 0;
4178
4179 data = nft_set_ext_data(ext);
4180 switch (data->verdict.code) {
4181 case NFT_JUMP:
4182 case NFT_GOTO:
4183 pctx->level++;
4184 err = nft_chain_validate(ctx, data->verdict.chain);
4185 if (err < 0)
4186 return err;
4187 pctx->level--;
4188 break;
4189 default:
4190 break;
4191 }
4192
4193 return 0;
4194 }
4195
nft_set_catchall_validate(const struct nft_ctx * ctx,struct nft_set * set)4196 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
4197 {
4198 struct nft_set_iter dummy_iter = {
4199 .genmask = nft_genmask_next(ctx->net),
4200 };
4201 struct nft_set_elem_catchall *catchall;
4202
4203 struct nft_set_ext *ext;
4204 int ret = 0;
4205
4206 list_for_each_entry_rcu(catchall, &set->catchall_list, list,
4207 lockdep_commit_lock_is_held(ctx->net)) {
4208 ext = nft_set_elem_ext(set, catchall->elem);
4209 if (!nft_set_elem_active(ext, dummy_iter.genmask))
4210 continue;
4211
4212 ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem);
4213 if (ret < 0)
4214 return ret;
4215 }
4216
4217 return ret;
4218 }
4219
4220 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4221 const struct nft_chain *chain,
4222 const struct nlattr *nla);
4223
4224 #define NFT_RULE_MAXEXPRS 128
4225
nf_tables_newrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4226 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
4227 const struct nlattr * const nla[])
4228 {
4229 struct nftables_pernet *nft_net = nft_pernet(info->net);
4230 struct netlink_ext_ack *extack = info->extack;
4231 unsigned int size, i, n, ulen = 0, usize = 0;
4232 u8 genmask = nft_genmask_next(info->net);
4233 struct nft_rule *rule, *old_rule = NULL;
4234 struct nft_expr_info *expr_info = NULL;
4235 u8 family = info->nfmsg->nfgen_family;
4236 struct nft_flow_rule *flow = NULL;
4237 struct net *net = info->net;
4238 struct nft_userdata *udata;
4239 struct nft_table *table;
4240 struct nft_chain *chain;
4241 struct nft_trans *trans;
4242 u64 handle, pos_handle;
4243 struct nft_expr *expr;
4244 struct nft_ctx ctx;
4245 struct nlattr *tmp;
4246 int err, rem;
4247
4248 lockdep_assert_held(&nft_net->commit_mutex);
4249
4250 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4251 NETLINK_CB(skb).portid);
4252 if (IS_ERR(table)) {
4253 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4254 return PTR_ERR(table);
4255 }
4256
4257 if (nla[NFTA_RULE_CHAIN]) {
4258 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4259 genmask);
4260 if (IS_ERR(chain)) {
4261 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4262 return PTR_ERR(chain);
4263 }
4264
4265 } else if (nla[NFTA_RULE_CHAIN_ID]) {
4266 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
4267 genmask);
4268 if (IS_ERR(chain)) {
4269 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
4270 return PTR_ERR(chain);
4271 }
4272 } else {
4273 return -EINVAL;
4274 }
4275
4276 if (nft_chain_is_bound(chain))
4277 return -EOPNOTSUPP;
4278
4279 if (nla[NFTA_RULE_HANDLE]) {
4280 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
4281 rule = __nft_rule_lookup(net, chain, handle);
4282 if (IS_ERR(rule)) {
4283 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4284 return PTR_ERR(rule);
4285 }
4286
4287 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4288 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4289 return -EEXIST;
4290 }
4291 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4292 old_rule = rule;
4293 else
4294 return -EOPNOTSUPP;
4295 } else {
4296 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
4297 info->nlh->nlmsg_flags & NLM_F_REPLACE)
4298 return -EINVAL;
4299 handle = nf_tables_alloc_handle(table);
4300
4301 if (nla[NFTA_RULE_POSITION]) {
4302 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
4303 old_rule = __nft_rule_lookup(net, chain, pos_handle);
4304 if (IS_ERR(old_rule)) {
4305 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
4306 return PTR_ERR(old_rule);
4307 }
4308 } else if (nla[NFTA_RULE_POSITION_ID]) {
4309 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
4310 if (IS_ERR(old_rule)) {
4311 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
4312 return PTR_ERR(old_rule);
4313 }
4314 }
4315 }
4316
4317 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4318
4319 n = 0;
4320 size = 0;
4321 if (nla[NFTA_RULE_EXPRESSIONS]) {
4322 expr_info = kvmalloc_objs(struct nft_expr_info,
4323 NFT_RULE_MAXEXPRS);
4324 if (!expr_info)
4325 return -ENOMEM;
4326
4327 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
4328 err = -EINVAL;
4329 if (nla_type(tmp) != NFTA_LIST_ELEM)
4330 goto err_release_expr;
4331 if (n == NFT_RULE_MAXEXPRS)
4332 goto err_release_expr;
4333 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
4334 if (err < 0) {
4335 NL_SET_BAD_ATTR(extack, tmp);
4336 goto err_release_expr;
4337 }
4338 size += expr_info[n].ops->size;
4339 n++;
4340 }
4341 }
4342 /* Check for overflow of dlen field */
4343 err = -EFBIG;
4344 if (size >= 1 << 12)
4345 goto err_release_expr;
4346
4347 if (nla[NFTA_RULE_USERDATA]) {
4348 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
4349 if (ulen > 0)
4350 usize = sizeof(struct nft_userdata) + ulen;
4351 }
4352
4353 err = -ENOMEM;
4354 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
4355 if (rule == NULL)
4356 goto err_release_expr;
4357
4358 nft_activate_next(net, rule);
4359
4360 rule->handle = handle;
4361 rule->dlen = size;
4362 rule->udata = ulen ? 1 : 0;
4363
4364 if (ulen) {
4365 udata = nft_userdata(rule);
4366 udata->len = ulen - 1;
4367 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
4368 }
4369
4370 expr = nft_expr_first(rule);
4371 for (i = 0; i < n; i++) {
4372 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
4373 if (err < 0) {
4374 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4375 goto err_release_rule;
4376 }
4377
4378 if (expr_info[i].ops->validate)
4379 nft_validate_state_update(table, NFT_VALIDATE_NEED);
4380
4381 expr_info[i].ops = NULL;
4382 expr = nft_expr_next(expr);
4383 }
4384
4385 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4386 flow = nft_flow_rule_create(net, rule);
4387 if (IS_ERR(flow)) {
4388 err = PTR_ERR(flow);
4389 goto err_release_rule;
4390 }
4391 }
4392
4393 if (!nft_use_inc(&chain->use)) {
4394 err = -EMFILE;
4395 goto err_destroy_flow;
4396 }
4397
4398 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4399 if (nft_chain_binding(chain)) {
4400 err = -EOPNOTSUPP;
4401 goto err_destroy_flow_rule;
4402 }
4403
4404 err = nft_delrule(&ctx, old_rule);
4405 if (err < 0)
4406 goto err_destroy_flow_rule;
4407
4408 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4409 if (trans == NULL) {
4410 err = -ENOMEM;
4411 goto err_destroy_flow_rule;
4412 }
4413 list_add_tail_rcu(&rule->list, &old_rule->list);
4414 } else {
4415 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4416 if (!trans) {
4417 err = -ENOMEM;
4418 goto err_destroy_flow_rule;
4419 }
4420
4421 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4422 if (old_rule)
4423 list_add_rcu(&rule->list, &old_rule->list);
4424 else
4425 list_add_tail_rcu(&rule->list, &chain->rules);
4426 } else {
4427 if (old_rule)
4428 list_add_tail_rcu(&rule->list, &old_rule->list);
4429 else
4430 list_add_rcu(&rule->list, &chain->rules);
4431 }
4432 }
4433 kvfree(expr_info);
4434
4435 if (flow)
4436 nft_trans_flow_rule(trans) = flow;
4437
4438 if (table->validate_state == NFT_VALIDATE_DO)
4439 return nft_table_validate(net, table);
4440
4441 return 0;
4442
4443 err_destroy_flow_rule:
4444 nft_use_dec_restore(&chain->use);
4445 err_destroy_flow:
4446 if (flow)
4447 nft_flow_rule_destroy(flow);
4448 err_release_rule:
4449 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
4450 nf_tables_rule_destroy(&ctx, rule);
4451 err_release_expr:
4452 for (i = 0; i < n; i++) {
4453 if (expr_info[i].ops) {
4454 module_put(expr_info[i].ops->type->owner);
4455 if (expr_info[i].ops->type->release_ops)
4456 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4457 }
4458 }
4459 kvfree(expr_info);
4460
4461 return err;
4462 }
4463
nft_rule_lookup_byid(const struct net * net,const struct nft_chain * chain,const struct nlattr * nla)4464 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4465 const struct nft_chain *chain,
4466 const struct nlattr *nla)
4467 {
4468 struct nftables_pernet *nft_net = nft_pernet(net);
4469 u32 id = ntohl(nla_get_be32(nla));
4470 struct nft_trans *trans;
4471
4472 list_for_each_entry(trans, &nft_net->commit_list, list) {
4473 if (trans->msg_type == NFT_MSG_NEWRULE &&
4474 nft_trans_rule_chain(trans) == chain &&
4475 id == nft_trans_rule_id(trans))
4476 return nft_trans_rule(trans);
4477 }
4478 return ERR_PTR(-ENOENT);
4479 }
4480
nf_tables_delrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4481 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4482 const struct nlattr * const nla[])
4483 {
4484 struct netlink_ext_ack *extack = info->extack;
4485 u8 genmask = nft_genmask_next(info->net);
4486 u8 family = info->nfmsg->nfgen_family;
4487 struct nft_chain *chain = NULL;
4488 struct net *net = info->net;
4489 struct nft_table *table;
4490 struct nft_rule *rule;
4491 struct nft_ctx ctx;
4492 int err = 0;
4493
4494 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4495 NETLINK_CB(skb).portid);
4496 if (IS_ERR(table)) {
4497 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4498 return PTR_ERR(table);
4499 }
4500
4501 if (nla[NFTA_RULE_CHAIN]) {
4502 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4503 genmask);
4504 if (IS_ERR(chain)) {
4505 if (PTR_ERR(chain) == -ENOENT &&
4506 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4507 return 0;
4508
4509 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4510 return PTR_ERR(chain);
4511 }
4512 if (nft_chain_binding(chain))
4513 return -EOPNOTSUPP;
4514 }
4515
4516 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4517
4518 if (chain) {
4519 if (nla[NFTA_RULE_HANDLE]) {
4520 rule = nft_rule_lookup(info->net, chain, nla[NFTA_RULE_HANDLE]);
4521 if (IS_ERR(rule)) {
4522 if (PTR_ERR(rule) == -ENOENT &&
4523 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4524 return 0;
4525
4526 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4527 return PTR_ERR(rule);
4528 }
4529
4530 err = nft_delrule(&ctx, rule);
4531 } else if (nla[NFTA_RULE_ID]) {
4532 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
4533 if (IS_ERR(rule)) {
4534 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4535 return PTR_ERR(rule);
4536 }
4537
4538 err = nft_delrule(&ctx, rule);
4539 } else {
4540 err = nft_delrule_by_chain(&ctx);
4541 }
4542 } else {
4543 list_for_each_entry(chain, &table->chains, list) {
4544 if (!nft_is_active_next(net, chain))
4545 continue;
4546 if (nft_chain_binding(chain))
4547 continue;
4548
4549 ctx.chain = chain;
4550 err = nft_delrule_by_chain(&ctx);
4551 if (err < 0)
4552 break;
4553 }
4554 }
4555
4556 return err;
4557 }
4558
4559 /*
4560 * Sets
4561 */
4562 static const struct nft_set_type *nft_set_types[] = {
4563 &nft_set_hash_fast_type,
4564 &nft_set_hash_type,
4565 &nft_set_rhash_type,
4566 &nft_set_bitmap_type,
4567 &nft_set_rbtree_type,
4568 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4569 &nft_set_pipapo_avx2_type,
4570 #endif
4571 &nft_set_pipapo_type,
4572 };
4573
4574 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4575 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4576 NFT_SET_EVAL)
4577
nft_set_ops_candidate(const struct nft_set_type * type,u32 flags)4578 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4579 {
4580 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4581 }
4582
4583 /*
4584 * Select a set implementation based on the data characteristics and the
4585 * given policy. The total memory use might not be known if no size is
4586 * given, in that case the amount of memory per element is used.
4587 */
4588 static const struct nft_set_ops *
nft_select_set_ops(const struct nft_ctx * ctx,u32 flags,const struct nft_set_desc * desc)4589 nft_select_set_ops(const struct nft_ctx *ctx, u32 flags,
4590 const struct nft_set_desc *desc)
4591 {
4592 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4593 const struct nft_set_ops *ops, *bops;
4594 struct nft_set_estimate est, best;
4595 const struct nft_set_type *type;
4596 int i;
4597
4598 lockdep_assert_held(&nft_net->commit_mutex);
4599 lockdep_nfnl_nft_mutex_not_held();
4600
4601 bops = NULL;
4602 best.size = ~0;
4603 best.lookup = ~0;
4604 best.space = ~0;
4605
4606 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4607 type = nft_set_types[i];
4608 ops = &type->ops;
4609
4610 if (!nft_set_ops_candidate(type, flags))
4611 continue;
4612 if (!ops->estimate(desc, flags, &est))
4613 continue;
4614
4615 switch (desc->policy) {
4616 case NFT_SET_POL_PERFORMANCE:
4617 if (est.lookup < best.lookup)
4618 break;
4619 if (est.lookup == best.lookup &&
4620 est.space < best.space)
4621 break;
4622 continue;
4623 case NFT_SET_POL_MEMORY:
4624 if (!desc->size) {
4625 if (est.space < best.space)
4626 break;
4627 if (est.space == best.space &&
4628 est.lookup < best.lookup)
4629 break;
4630 } else if (est.size < best.size || !bops) {
4631 break;
4632 }
4633 continue;
4634 default:
4635 break;
4636 }
4637
4638 bops = ops;
4639 best = est;
4640 }
4641
4642 if (bops != NULL)
4643 return bops;
4644
4645 return ERR_PTR(-EOPNOTSUPP);
4646 }
4647
4648 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4649 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4650 .len = NFT_TABLE_MAXNAMELEN - 1 },
4651 [NFTA_SET_NAME] = { .type = NLA_STRING,
4652 .len = NFT_SET_MAXNAMELEN - 1 },
4653 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4654 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4655 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4656 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4657 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4658 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4659 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4660 [NFTA_SET_ID] = { .type = NLA_U32 },
4661 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4662 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4663 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4664 .len = NFT_USERDATA_MAXLEN },
4665 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4666 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4667 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4668 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
4669 [NFTA_SET_TYPE] = { .type = NLA_REJECT },
4670 [NFTA_SET_COUNT] = { .type = NLA_REJECT },
4671 };
4672
4673 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4674 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4675 };
4676
4677 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4678 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4679 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
4680 };
4681
nft_set_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)4682 static struct nft_set *nft_set_lookup(const struct net *net,
4683 const struct nft_table *table,
4684 const struct nlattr *nla, u8 genmask)
4685 {
4686 struct nft_set *set;
4687
4688 if (nla == NULL)
4689 return ERR_PTR(-EINVAL);
4690
4691 list_for_each_entry_rcu(set, &table->sets, list,
4692 lockdep_commit_lock_is_held(net)) {
4693 if (!nla_strcmp(nla, set->name) &&
4694 nft_active_genmask(set, genmask))
4695 return set;
4696 }
4697 return ERR_PTR(-ENOENT);
4698 }
4699
nft_set_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4700 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4701 const struct nlattr *nla,
4702 u8 genmask)
4703 {
4704 struct nft_set *set;
4705
4706 list_for_each_entry(set, &table->sets, list) {
4707 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4708 nft_active_genmask(set, genmask))
4709 return set;
4710 }
4711 return ERR_PTR(-ENOENT);
4712 }
4713
nft_set_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)4714 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4715 const struct nft_table *table,
4716 const struct nlattr *nla, u8 genmask)
4717 {
4718 struct nftables_pernet *nft_net = nft_pernet(net);
4719 u32 id = ntohl(nla_get_be32(nla));
4720 struct nft_trans_set *trans;
4721
4722 /* its likely the id we need is at the tail, not at start */
4723 list_for_each_entry_reverse(trans, &nft_net->commit_set_list, list_trans_newset) {
4724 struct nft_set *set = trans->set;
4725
4726 if (id == trans->set_id &&
4727 set->table == table &&
4728 nft_active_genmask(set, genmask))
4729 return set;
4730 }
4731 return ERR_PTR(-ENOENT);
4732 }
4733
nft_set_lookup_global(const struct net * net,const struct nft_table * table,const struct nlattr * nla_set_name,const struct nlattr * nla_set_id,u8 genmask)4734 struct nft_set *nft_set_lookup_global(const struct net *net,
4735 const struct nft_table *table,
4736 const struct nlattr *nla_set_name,
4737 const struct nlattr *nla_set_id,
4738 u8 genmask)
4739 {
4740 struct nft_set *set;
4741
4742 set = nft_set_lookup(net, table, nla_set_name, genmask);
4743 if (IS_ERR(set)) {
4744 if (!nla_set_id)
4745 return set;
4746
4747 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4748 }
4749 return set;
4750 }
4751 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4752
nf_tables_set_alloc_name(struct nft_ctx * ctx,struct nft_set * set,const char * name)4753 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4754 const char *name)
4755 {
4756 const struct nft_set *i;
4757 const char *p;
4758 unsigned long *inuse;
4759 unsigned int n = 0, min = 0;
4760
4761 p = strchr(name, '%');
4762 if (p != NULL) {
4763 if (p[1] != 'd' || strchr(p + 2, '%'))
4764 return -EINVAL;
4765
4766 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)
4767 return -EINVAL;
4768
4769 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4770 if (inuse == NULL)
4771 return -ENOMEM;
4772 cont:
4773 list_for_each_entry(i, &ctx->table->sets, list) {
4774 int tmp;
4775
4776 if (!nft_is_active_next(ctx->net, i))
4777 continue;
4778 if (!sscanf(i->name, name, &tmp))
4779 continue;
4780 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4781 continue;
4782
4783 set_bit(tmp - min, inuse);
4784 }
4785
4786 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4787 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4788 min += BITS_PER_BYTE * PAGE_SIZE;
4789 memset(inuse, 0, PAGE_SIZE);
4790 goto cont;
4791 }
4792 free_page((unsigned long)inuse);
4793 }
4794
4795 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4796 if (!set->name)
4797 return -ENOMEM;
4798
4799 list_for_each_entry(i, &ctx->table->sets, list) {
4800 if (!nft_is_active_next(ctx->net, i))
4801 continue;
4802 if (!strcmp(set->name, i->name)) {
4803 kfree(set->name);
4804 set->name = NULL;
4805 return -ENFILE;
4806 }
4807 }
4808 return 0;
4809 }
4810
nf_msecs_to_jiffies64(const struct nlattr * nla,u64 * result)4811 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4812 {
4813 u64 ms = be64_to_cpu(nla_get_be64(nla));
4814 u64 max = (u64)(~((u64)0));
4815
4816 max = div_u64(max, NSEC_PER_MSEC);
4817 if (ms >= max)
4818 return -ERANGE;
4819
4820 ms *= NSEC_PER_MSEC;
4821 *result = nsecs_to_jiffies64(ms) ? : !!ms;
4822 return 0;
4823 }
4824
nf_jiffies64_to_msecs(u64 input)4825 __be64 nf_jiffies64_to_msecs(u64 input)
4826 {
4827 return cpu_to_be64(jiffies64_to_msecs(input));
4828 }
4829
nf_tables_fill_set_concat(struct sk_buff * skb,const struct nft_set * set)4830 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4831 const struct nft_set *set)
4832 {
4833 struct nlattr *concat, *field;
4834 int i;
4835
4836 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4837 if (!concat)
4838 return -ENOMEM;
4839
4840 for (i = 0; i < set->field_count; i++) {
4841 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4842 if (!field)
4843 return -ENOMEM;
4844
4845 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4846 htonl(set->field_len[i])))
4847 return -ENOMEM;
4848
4849 nla_nest_end(skb, field);
4850 }
4851
4852 nla_nest_end(skb, concat);
4853
4854 return 0;
4855 }
4856
nft_set_userspace_size(const struct nft_set_ops * ops,u32 size)4857 static u32 nft_set_userspace_size(const struct nft_set_ops *ops, u32 size)
4858 {
4859 if (ops->usize)
4860 return ops->usize(size);
4861
4862 return size;
4863 }
4864
4865 static noinline_for_stack int
nf_tables_fill_set_info(struct sk_buff * skb,const struct nft_set * set)4866 nf_tables_fill_set_info(struct sk_buff *skb, const struct nft_set *set)
4867 {
4868 unsigned int nelems;
4869 char str[40];
4870 int ret;
4871
4872 ret = snprintf(str, sizeof(str), "%ps", set->ops);
4873
4874 /* Not expected to happen and harmless: NFTA_SET_TYPE is dumped
4875 * to userspace purely for informational/debug purposes.
4876 */
4877 DEBUG_NET_WARN_ON_ONCE(ret >= sizeof(str));
4878
4879 if (nla_put_string(skb, NFTA_SET_TYPE, str))
4880 return -EMSGSIZE;
4881
4882 nelems = nft_set_userspace_size(set->ops, atomic_read(&set->nelems));
4883 return nla_put_be32(skb, NFTA_SET_COUNT, htonl(nelems));
4884 }
4885
nf_tables_fill_set(struct sk_buff * skb,const struct nft_ctx * ctx,const struct nft_set * set,u16 event,u16 flags)4886 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4887 const struct nft_set *set, u16 event, u16 flags)
4888 {
4889 u64 timeout = READ_ONCE(set->timeout);
4890 u32 gc_int = READ_ONCE(set->gc_int);
4891 u32 portid = ctx->portid;
4892 struct nlmsghdr *nlh;
4893 struct nlattr *nest;
4894 u32 seq = ctx->seq;
4895 int i;
4896
4897 nlh = nfnl_msg_put(skb, portid, seq,
4898 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
4899 flags, ctx->family, NFNETLINK_V0,
4900 nft_base_seq_be16(ctx->net));
4901 if (!nlh)
4902 goto nla_put_failure;
4903
4904 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4905 goto nla_put_failure;
4906 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4907 goto nla_put_failure;
4908 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4909 NFTA_SET_PAD))
4910 goto nla_put_failure;
4911
4912 if (event == NFT_MSG_DELSET ||
4913 event == NFT_MSG_DESTROYSET) {
4914 nlmsg_end(skb, nlh);
4915 return 0;
4916 }
4917
4918 if (set->flags != 0)
4919 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4920 goto nla_put_failure;
4921
4922 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4923 goto nla_put_failure;
4924 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4925 goto nla_put_failure;
4926 if (set->flags & NFT_SET_MAP) {
4927 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4928 goto nla_put_failure;
4929 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4930 goto nla_put_failure;
4931 }
4932 if (set->flags & NFT_SET_OBJECT &&
4933 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4934 goto nla_put_failure;
4935
4936 if (timeout &&
4937 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4938 nf_jiffies64_to_msecs(timeout),
4939 NFTA_SET_PAD))
4940 goto nla_put_failure;
4941 if (gc_int &&
4942 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4943 goto nla_put_failure;
4944
4945 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4946 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4947 goto nla_put_failure;
4948 }
4949
4950 if (set->udata &&
4951 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4952 goto nla_put_failure;
4953
4954 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4955 if (!nest)
4956 goto nla_put_failure;
4957 if (set->size &&
4958 nla_put_be32(skb, NFTA_SET_DESC_SIZE,
4959 htonl(nft_set_userspace_size(set->ops, set->size))))
4960 goto nla_put_failure;
4961
4962 if (set->field_count > 1 &&
4963 nf_tables_fill_set_concat(skb, set))
4964 goto nla_put_failure;
4965
4966 nla_nest_end(skb, nest);
4967
4968 if (nf_tables_fill_set_info(skb, set))
4969 goto nla_put_failure;
4970
4971 if (set->num_exprs == 1) {
4972 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4973 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4974 goto nla_put_failure;
4975
4976 nla_nest_end(skb, nest);
4977 } else if (set->num_exprs > 1) {
4978 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4979 if (nest == NULL)
4980 goto nla_put_failure;
4981
4982 for (i = 0; i < set->num_exprs; i++) {
4983 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4984 set->exprs[i], false) < 0)
4985 goto nla_put_failure;
4986 }
4987 nla_nest_end(skb, nest);
4988 }
4989
4990 nlmsg_end(skb, nlh);
4991 return 0;
4992
4993 nla_put_failure:
4994 nlmsg_trim(skb, nlh);
4995 return -1;
4996 }
4997
nf_tables_set_notify(const struct nft_ctx * ctx,const struct nft_set * set,int event,gfp_t gfp_flags)4998 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4999 const struct nft_set *set, int event,
5000 gfp_t gfp_flags)
5001 {
5002 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
5003 u32 portid = ctx->portid;
5004 struct sk_buff *skb;
5005 u16 flags = 0;
5006 int err;
5007
5008 if (!ctx->report &&
5009 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5010 return;
5011
5012 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
5013 if (skb == NULL)
5014 goto err;
5015
5016 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
5017 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
5018
5019 err = nf_tables_fill_set(skb, ctx, set, event, flags);
5020 if (err < 0) {
5021 kfree_skb(skb);
5022 goto err;
5023 }
5024
5025 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
5026 return;
5027 err:
5028 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5029 }
5030
nf_tables_dump_sets(struct sk_buff * skb,struct netlink_callback * cb)5031 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
5032 {
5033 const struct nft_set *set;
5034 unsigned int idx, s_idx = cb->args[0];
5035 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
5036 struct net *net = sock_net(skb->sk);
5037 struct nft_ctx *ctx = cb->data, ctx_set;
5038 struct nftables_pernet *nft_net;
5039
5040 if (cb->args[1])
5041 return skb->len;
5042
5043 rcu_read_lock();
5044 nft_net = nft_pernet(net);
5045 cb->seq = nft_base_seq(net);
5046
5047 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5048 if (ctx->family != NFPROTO_UNSPEC &&
5049 ctx->family != table->family)
5050 continue;
5051
5052 if (ctx->table && ctx->table != table)
5053 continue;
5054
5055 if (cur_table) {
5056 if (cur_table != table)
5057 continue;
5058
5059 cur_table = NULL;
5060 }
5061 idx = 0;
5062 list_for_each_entry_rcu(set, &table->sets, list) {
5063 if (idx < s_idx)
5064 goto cont;
5065 if (!nft_is_active(net, set))
5066 goto cont;
5067
5068 ctx_set = *ctx;
5069 ctx_set.table = table;
5070 ctx_set.family = table->family;
5071
5072 if (nf_tables_fill_set(skb, &ctx_set, set,
5073 NFT_MSG_NEWSET,
5074 NLM_F_MULTI) < 0) {
5075 cb->args[0] = idx;
5076 cb->args[2] = (unsigned long) table;
5077 goto done;
5078 }
5079 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5080 cont:
5081 idx++;
5082 }
5083 if (s_idx)
5084 s_idx = 0;
5085 }
5086 cb->args[1] = 1;
5087 done:
5088 rcu_read_unlock();
5089 return skb->len;
5090 }
5091
nf_tables_dump_sets_start(struct netlink_callback * cb)5092 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
5093 {
5094 struct nft_ctx *ctx_dump = NULL;
5095
5096 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
5097 if (ctx_dump == NULL)
5098 return -ENOMEM;
5099
5100 cb->data = ctx_dump;
5101 return 0;
5102 }
5103
nf_tables_dump_sets_done(struct netlink_callback * cb)5104 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
5105 {
5106 kfree(cb->data);
5107 return 0;
5108 }
5109
5110 /* called with rcu_read_lock held */
nf_tables_getset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5111 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
5112 const struct nlattr * const nla[])
5113 {
5114 struct netlink_ext_ack *extack = info->extack;
5115 u8 genmask = nft_genmask_cur(info->net);
5116 u8 family = info->nfmsg->nfgen_family;
5117 struct nft_table *table = NULL;
5118 struct net *net = info->net;
5119 const struct nft_set *set;
5120 struct sk_buff *skb2;
5121 struct nft_ctx ctx;
5122 int err;
5123
5124 if (nla[NFTA_SET_TABLE]) {
5125 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5126 genmask, 0);
5127 if (IS_ERR(table)) {
5128 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5129 return PTR_ERR(table);
5130 }
5131 }
5132
5133 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5134
5135 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
5136 struct netlink_dump_control c = {
5137 .start = nf_tables_dump_sets_start,
5138 .dump = nf_tables_dump_sets,
5139 .done = nf_tables_dump_sets_done,
5140 .data = &ctx,
5141 .module = THIS_MODULE,
5142 };
5143
5144 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
5145 }
5146
5147 /* Only accept unspec with dump */
5148 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5149 return -EAFNOSUPPORT;
5150 if (!nla[NFTA_SET_TABLE])
5151 return -EINVAL;
5152
5153 set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask);
5154 if (IS_ERR(set)) {
5155 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5156 return PTR_ERR(set);
5157 }
5158
5159 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5160 if (skb2 == NULL)
5161 return -ENOMEM;
5162
5163 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
5164 if (err < 0)
5165 goto err_fill_set_info;
5166
5167 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
5168
5169 err_fill_set_info:
5170 kfree_skb(skb2);
5171 return err;
5172 }
5173
nft_set_desc_concat_parse(const struct nlattr * attr,struct nft_set_desc * desc)5174 static int nft_set_desc_concat_parse(const struct nlattr *attr,
5175 struct nft_set_desc *desc)
5176 {
5177 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
5178 u32 len;
5179 int err;
5180
5181 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
5182 return -E2BIG;
5183
5184 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
5185 nft_concat_policy, NULL);
5186 if (err < 0)
5187 return err;
5188
5189 if (!tb[NFTA_SET_FIELD_LEN])
5190 return -EINVAL;
5191
5192 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
5193 if (!len || len > U8_MAX)
5194 return -EINVAL;
5195
5196 desc->field_len[desc->field_count++] = len;
5197
5198 return 0;
5199 }
5200
nft_set_desc_concat(struct nft_set_desc * desc,const struct nlattr * nla)5201 static int nft_set_desc_concat(struct nft_set_desc *desc,
5202 const struct nlattr *nla)
5203 {
5204 u32 len = 0, num_regs;
5205 struct nlattr *attr;
5206 int rem, err, i;
5207
5208 nla_for_each_nested(attr, nla, rem) {
5209 if (nla_type(attr) != NFTA_LIST_ELEM)
5210 return -EINVAL;
5211
5212 err = nft_set_desc_concat_parse(attr, desc);
5213 if (err < 0)
5214 return err;
5215 }
5216
5217 for (i = 0; i < desc->field_count; i++)
5218 len += round_up(desc->field_len[i], sizeof(u32));
5219
5220 if (len != desc->klen)
5221 return -EINVAL;
5222
5223 num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
5224 if (num_regs > NFT_REG32_COUNT)
5225 return -E2BIG;
5226
5227 return 0;
5228 }
5229
nf_tables_set_desc_parse(struct nft_set_desc * desc,const struct nlattr * nla)5230 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
5231 const struct nlattr *nla)
5232 {
5233 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
5234 int err;
5235
5236 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
5237 nft_set_desc_policy, NULL);
5238 if (err < 0)
5239 return err;
5240
5241 if (da[NFTA_SET_DESC_SIZE] != NULL)
5242 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
5243 if (da[NFTA_SET_DESC_CONCAT])
5244 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
5245
5246 return err;
5247 }
5248
nft_set_expr_alloc(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * const * nla,struct nft_expr ** exprs,int * num_exprs,u32 flags)5249 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
5250 const struct nlattr * const *nla,
5251 struct nft_expr **exprs, int *num_exprs,
5252 u32 flags)
5253 {
5254 struct nft_expr *expr;
5255 int err, i;
5256
5257 if (nla[NFTA_SET_EXPR]) {
5258 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
5259 if (IS_ERR(expr)) {
5260 err = PTR_ERR(expr);
5261 goto err_set_expr_alloc;
5262 }
5263 exprs[0] = expr;
5264 (*num_exprs)++;
5265 } else if (nla[NFTA_SET_EXPRESSIONS]) {
5266 struct nlattr *tmp;
5267 int left;
5268
5269 if (!(flags & NFT_SET_EXPR)) {
5270 err = -EINVAL;
5271 goto err_set_expr_alloc;
5272 }
5273 i = 0;
5274 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
5275 if (i == NFT_SET_EXPR_MAX) {
5276 err = -E2BIG;
5277 goto err_set_expr_alloc;
5278 }
5279 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5280 err = -EINVAL;
5281 goto err_set_expr_alloc;
5282 }
5283 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5284 if (IS_ERR(expr)) {
5285 err = PTR_ERR(expr);
5286 goto err_set_expr_alloc;
5287 }
5288 exprs[i++] = expr;
5289 (*num_exprs)++;
5290 }
5291 }
5292
5293 return 0;
5294
5295 err_set_expr_alloc:
5296 for (i = 0; i < *num_exprs; i++)
5297 nft_expr_destroy(ctx, exprs[i]);
5298
5299 return err;
5300 }
5301
nft_set_is_same(const struct nft_set * set,const struct nft_set_desc * desc,struct nft_expr * exprs[],u32 num_exprs,u32 flags)5302 static bool nft_set_is_same(const struct nft_set *set,
5303 const struct nft_set_desc *desc,
5304 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
5305 {
5306 int i;
5307
5308 if (set->ktype != desc->ktype ||
5309 set->dtype != desc->dtype ||
5310 set->flags != flags ||
5311 set->klen != desc->klen ||
5312 set->dlen != desc->dlen ||
5313 set->field_count != desc->field_count ||
5314 set->num_exprs != num_exprs)
5315 return false;
5316
5317 for (i = 0; i < desc->field_count; i++) {
5318 if (set->field_len[i] != desc->field_len[i])
5319 return false;
5320 }
5321
5322 for (i = 0; i < num_exprs; i++) {
5323 if (set->exprs[i]->ops != exprs[i]->ops)
5324 return false;
5325 }
5326
5327 return true;
5328 }
5329
nft_set_kernel_size(const struct nft_set_ops * ops,const struct nft_set_desc * desc)5330 static u32 nft_set_kernel_size(const struct nft_set_ops *ops,
5331 const struct nft_set_desc *desc)
5332 {
5333 if (ops->ksize)
5334 return ops->ksize(desc->size);
5335
5336 return desc->size;
5337 }
5338
nf_tables_newset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5339 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
5340 const struct nlattr * const nla[])
5341 {
5342 struct netlink_ext_ack *extack = info->extack;
5343 u8 genmask = nft_genmask_next(info->net);
5344 u8 family = info->nfmsg->nfgen_family;
5345 const struct nft_set_ops *ops;
5346 struct net *net = info->net;
5347 struct nft_set_desc desc;
5348 struct nft_table *table;
5349 unsigned char *udata;
5350 struct nft_set *set;
5351 struct nft_ctx ctx;
5352 size_t alloc_size;
5353 int num_exprs = 0;
5354 char *name;
5355 int err, i;
5356 u16 udlen;
5357 u32 flags;
5358 u64 size;
5359
5360 if (nla[NFTA_SET_TABLE] == NULL ||
5361 nla[NFTA_SET_NAME] == NULL ||
5362 nla[NFTA_SET_KEY_LEN] == NULL ||
5363 nla[NFTA_SET_ID] == NULL)
5364 return -EINVAL;
5365
5366 memset(&desc, 0, sizeof(desc));
5367
5368 desc.ktype = NFT_DATA_VALUE;
5369 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
5370 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
5371 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
5372 return -EINVAL;
5373 }
5374
5375 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
5376 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
5377 return -EINVAL;
5378
5379 flags = 0;
5380 if (nla[NFTA_SET_FLAGS] != NULL) {
5381 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
5382 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
5383 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
5384 NFT_SET_MAP | NFT_SET_EVAL |
5385 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
5386 return -EOPNOTSUPP;
5387 /* Only one of these operations is supported */
5388 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
5389 (NFT_SET_MAP | NFT_SET_OBJECT))
5390 return -EOPNOTSUPP;
5391 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
5392 (NFT_SET_EVAL | NFT_SET_OBJECT))
5393 return -EOPNOTSUPP;
5394 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
5395 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
5396 return -EOPNOTSUPP;
5397 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
5398 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
5399 return -EOPNOTSUPP;
5400 }
5401
5402 desc.dtype = 0;
5403 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
5404 if (!(flags & NFT_SET_MAP))
5405 return -EINVAL;
5406
5407 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
5408 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
5409 desc.dtype != NFT_DATA_VERDICT)
5410 return -EINVAL;
5411
5412 if (desc.dtype != NFT_DATA_VERDICT) {
5413 if (nla[NFTA_SET_DATA_LEN] == NULL)
5414 return -EINVAL;
5415 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
5416 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
5417 return -EINVAL;
5418 } else
5419 desc.dlen = sizeof(struct nft_verdict);
5420 } else if (flags & NFT_SET_MAP)
5421 return -EINVAL;
5422
5423 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5424 if (!(flags & NFT_SET_OBJECT))
5425 return -EINVAL;
5426
5427 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5428 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5429 desc.objtype > NFT_OBJECT_MAX)
5430 return -EOPNOTSUPP;
5431 } else if (flags & NFT_SET_OBJECT)
5432 return -EINVAL;
5433 else
5434 desc.objtype = NFT_OBJECT_UNSPEC;
5435
5436 desc.timeout = 0;
5437 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5438 if (!(flags & NFT_SET_TIMEOUT))
5439 return -EINVAL;
5440
5441 if (flags & NFT_SET_ANONYMOUS)
5442 return -EOPNOTSUPP;
5443
5444 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
5445 if (err)
5446 return err;
5447 }
5448 desc.gc_int = 0;
5449 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5450 if (!(flags & NFT_SET_TIMEOUT))
5451 return -EINVAL;
5452
5453 if (flags & NFT_SET_ANONYMOUS)
5454 return -EOPNOTSUPP;
5455
5456 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5457 }
5458
5459 desc.policy = NFT_SET_POL_PERFORMANCE;
5460 if (nla[NFTA_SET_POLICY] != NULL) {
5461 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5462 switch (desc.policy) {
5463 case NFT_SET_POL_PERFORMANCE:
5464 case NFT_SET_POL_MEMORY:
5465 break;
5466 default:
5467 return -EOPNOTSUPP;
5468 }
5469 }
5470
5471 if (nla[NFTA_SET_DESC] != NULL) {
5472 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
5473 if (err < 0)
5474 return err;
5475
5476 if (desc.field_count > 1) {
5477 if (!(flags & NFT_SET_CONCAT))
5478 return -EINVAL;
5479 } else if (flags & NFT_SET_CONCAT) {
5480 return -EINVAL;
5481 }
5482 } else if (flags & NFT_SET_CONCAT) {
5483 return -EINVAL;
5484 }
5485
5486 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5487 desc.expr = true;
5488
5489 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
5490 NETLINK_CB(skb).portid);
5491 if (IS_ERR(table)) {
5492 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5493 return PTR_ERR(table);
5494 }
5495
5496 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5497
5498 set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask);
5499 if (IS_ERR(set)) {
5500 if (PTR_ERR(set) != -ENOENT) {
5501 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5502 return PTR_ERR(set);
5503 }
5504 } else {
5505 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5506
5507 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5508 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5509 return -EEXIST;
5510 }
5511 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5512 return -EOPNOTSUPP;
5513
5514 if (nft_set_is_anonymous(set))
5515 return -EOPNOTSUPP;
5516
5517 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
5518 if (err < 0)
5519 return err;
5520
5521 if (desc.size)
5522 desc.size = nft_set_kernel_size(set->ops, &desc);
5523
5524 err = 0;
5525 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
5526 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5527 err = -EEXIST;
5528 }
5529
5530 for (i = 0; i < num_exprs; i++)
5531 nft_expr_destroy(&ctx, exprs[i]);
5532
5533 if (err < 0)
5534 return err;
5535
5536 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
5537 }
5538
5539 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5540 return -ENOENT;
5541
5542 ops = nft_select_set_ops(&ctx, flags, &desc);
5543 if (IS_ERR(ops))
5544 return PTR_ERR(ops);
5545
5546 if (desc.size)
5547 desc.size = nft_set_kernel_size(ops, &desc);
5548
5549 udlen = 0;
5550 if (nla[NFTA_SET_USERDATA])
5551 udlen = nla_len(nla[NFTA_SET_USERDATA]);
5552
5553 size = 0;
5554 if (ops->privsize != NULL)
5555 size = ops->privsize(nla, &desc);
5556 alloc_size = sizeof(*set) + size + udlen;
5557 if (alloc_size < size || alloc_size > INT_MAX)
5558 return -ENOMEM;
5559
5560 if (!nft_use_inc(&table->use))
5561 return -EMFILE;
5562
5563 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
5564 if (!set) {
5565 err = -ENOMEM;
5566 goto err_alloc;
5567 }
5568
5569 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5570 if (!name) {
5571 err = -ENOMEM;
5572 goto err_set_name;
5573 }
5574
5575 err = nf_tables_set_alloc_name(&ctx, set, name);
5576 kfree(name);
5577 if (err < 0)
5578 goto err_set_name;
5579
5580 udata = NULL;
5581 if (udlen) {
5582 udata = set->data + size;
5583 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
5584 }
5585
5586 INIT_LIST_HEAD(&set->bindings);
5587 INIT_LIST_HEAD(&set->catchall_list);
5588 refcount_set(&set->refs, 1);
5589 set->table = table;
5590 write_pnet(&set->net, net);
5591 set->ops = ops;
5592 set->ktype = desc.ktype;
5593 set->klen = desc.klen;
5594 set->dtype = desc.dtype;
5595 set->objtype = desc.objtype;
5596 set->dlen = desc.dlen;
5597 set->flags = flags;
5598 set->size = desc.size;
5599 set->policy = desc.policy;
5600 set->udlen = udlen;
5601 set->udata = udata;
5602 set->timeout = desc.timeout;
5603 set->gc_int = desc.gc_int;
5604
5605 set->field_count = desc.field_count;
5606 for (i = 0; i < desc.field_count; i++)
5607 set->field_len[i] = desc.field_len[i];
5608
5609 err = ops->init(set, &desc, nla);
5610 if (err < 0)
5611 goto err_set_init;
5612
5613 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
5614 if (err < 0)
5615 goto err_set_destroy;
5616
5617 set->num_exprs = num_exprs;
5618 set->handle = nf_tables_alloc_handle(table);
5619 INIT_LIST_HEAD(&set->pending_update);
5620
5621 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
5622 if (err < 0)
5623 goto err_set_expr_alloc;
5624
5625 list_add_tail_rcu(&set->list, &table->sets);
5626
5627 return 0;
5628
5629 err_set_expr_alloc:
5630 for (i = 0; i < set->num_exprs; i++)
5631 nft_expr_destroy(&ctx, set->exprs[i]);
5632 err_set_destroy:
5633 ops->destroy(&ctx, set);
5634 err_set_init:
5635 kfree(set->name);
5636 err_set_name:
5637 kvfree(set);
5638 err_alloc:
5639 nft_use_dec_restore(&table->use);
5640
5641 return err;
5642 }
5643
nft_set_catchall_destroy(const struct nft_ctx * ctx,struct nft_set * set)5644 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5645 struct nft_set *set)
5646 {
5647 struct nft_set_elem_catchall *next, *catchall;
5648
5649 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5650 list_del_rcu(&catchall->list);
5651 nf_tables_set_elem_destroy(ctx, set, catchall->elem);
5652 kfree_rcu(catchall, rcu);
5653 }
5654 }
5655
nft_set_put(struct nft_set * set)5656 static void nft_set_put(struct nft_set *set)
5657 {
5658 if (refcount_dec_and_test(&set->refs)) {
5659 kfree(set->name);
5660 kvfree(set);
5661 }
5662 }
5663
nft_set_destroy(const struct nft_ctx * ctx,struct nft_set * set)5664 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5665 {
5666 int i;
5667
5668 if (WARN_ON(set->use > 0))
5669 return;
5670
5671 for (i = 0; i < set->num_exprs; i++)
5672 nft_expr_destroy(ctx, set->exprs[i]);
5673
5674 set->ops->destroy(ctx, set);
5675 nft_set_catchall_destroy(ctx, set);
5676 nft_set_put(set);
5677 }
5678
nf_tables_delset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5679 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5680 const struct nlattr * const nla[])
5681 {
5682 struct netlink_ext_ack *extack = info->extack;
5683 u8 genmask = nft_genmask_next(info->net);
5684 u8 family = info->nfmsg->nfgen_family;
5685 struct net *net = info->net;
5686 const struct nlattr *attr;
5687 struct nft_table *table;
5688 struct nft_set *set;
5689 struct nft_ctx ctx;
5690
5691 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5692 return -EAFNOSUPPORT;
5693
5694 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5695 genmask, NETLINK_CB(skb).portid);
5696 if (IS_ERR(table)) {
5697 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5698 return PTR_ERR(table);
5699 }
5700
5701 if (nla[NFTA_SET_HANDLE]) {
5702 attr = nla[NFTA_SET_HANDLE];
5703 set = nft_set_lookup_byhandle(table, attr, genmask);
5704 } else {
5705 attr = nla[NFTA_SET_NAME];
5706 set = nft_set_lookup(net, table, attr, genmask);
5707 }
5708
5709 if (IS_ERR(set)) {
5710 if (PTR_ERR(set) == -ENOENT &&
5711 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5712 return 0;
5713
5714 NL_SET_BAD_ATTR(extack, attr);
5715 return PTR_ERR(set);
5716 }
5717 if (set->use ||
5718 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5719 atomic_read(&set->nelems) > 0)) {
5720 NL_SET_BAD_ATTR(extack, attr);
5721 return -EBUSY;
5722 }
5723
5724 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5725
5726 return nft_delset(&ctx, set);
5727 }
5728
5729 static int nft_validate_register_store(const struct nft_ctx *ctx,
5730 enum nft_registers reg,
5731 const struct nft_data *data,
5732 enum nft_data_types type,
5733 unsigned int len);
5734
nft_setelem_data_validate(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)5735 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5736 struct nft_set *set,
5737 struct nft_elem_priv *elem_priv)
5738 {
5739 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5740 enum nft_registers dreg;
5741
5742 dreg = nft_type_to_reg(set->dtype);
5743 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5744 set->dtype == NFT_DATA_VERDICT ?
5745 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5746 set->dlen);
5747 }
5748
nf_tables_bind_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5749 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5750 struct nft_set *set,
5751 const struct nft_set_iter *iter,
5752 struct nft_elem_priv *elem_priv)
5753 {
5754 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5755
5756 if (!nft_set_elem_active(ext, iter->genmask))
5757 return 0;
5758
5759 return nft_setelem_data_validate(ctx, set, elem_priv);
5760 }
5761
nft_set_catchall_bind_check(const struct nft_ctx * ctx,struct nft_set * set)5762 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5763 struct nft_set *set)
5764 {
5765 u8 genmask = nft_genmask_next(ctx->net);
5766 struct nft_set_elem_catchall *catchall;
5767 struct nft_set_ext *ext;
5768 int ret = 0;
5769
5770 list_for_each_entry_rcu(catchall, &set->catchall_list, list,
5771 lockdep_commit_lock_is_held(ctx->net)) {
5772 ext = nft_set_elem_ext(set, catchall->elem);
5773 if (!nft_set_elem_active(ext, genmask))
5774 continue;
5775
5776 ret = nft_setelem_data_validate(ctx, set, catchall->elem);
5777 if (ret < 0)
5778 break;
5779 }
5780
5781 return ret;
5782 }
5783
nf_tables_bind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding)5784 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5785 struct nft_set_binding *binding)
5786 {
5787 struct nft_set_binding *i;
5788 struct nft_set_iter iter = {
5789 .genmask = nft_genmask_next(ctx->net),
5790 .type = NFT_ITER_UPDATE,
5791 .fn = nf_tables_bind_check_setelem,
5792 };
5793
5794 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5795 return -EBUSY;
5796
5797 if (binding->flags & NFT_SET_MAP) {
5798 /* If the set is already bound to the same chain all
5799 * jumps are already validated for that chain.
5800 */
5801 list_for_each_entry(i, &set->bindings, list) {
5802 if (i->flags & NFT_SET_MAP &&
5803 i->chain == binding->chain)
5804 goto bind;
5805 }
5806
5807 set->ops->walk(ctx, set, &iter);
5808 if (!iter.err)
5809 iter.err = nft_set_catchall_bind_check(ctx, set);
5810
5811 if (iter.err < 0)
5812 return iter.err;
5813 }
5814 bind:
5815 if (!nft_use_inc(&set->use))
5816 return -EMFILE;
5817
5818 binding->chain = ctx->chain;
5819 list_add_tail_rcu(&binding->list, &set->bindings);
5820 nft_set_trans_bind(ctx, set);
5821
5822 return 0;
5823 }
5824 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5825
nf_tables_unbind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,bool event)5826 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5827 struct nft_set_binding *binding, bool event)
5828 {
5829 list_del_rcu(&binding->list);
5830
5831 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5832 list_del_rcu(&set->list);
5833 set->dead = 1;
5834 if (event)
5835 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5836 GFP_KERNEL);
5837 }
5838 }
5839
5840 static void nft_setelem_data_activate(const struct net *net,
5841 const struct nft_set *set,
5842 struct nft_elem_priv *elem_priv);
5843
nft_mapelem_activate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5844 static int nft_mapelem_activate(const struct nft_ctx *ctx,
5845 struct nft_set *set,
5846 const struct nft_set_iter *iter,
5847 struct nft_elem_priv *elem_priv)
5848 {
5849 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5850
5851 /* called from abort path, reverse check to undo changes. */
5852 if (nft_set_elem_active(ext, iter->genmask))
5853 return 0;
5854
5855 nft_clear(ctx->net, ext);
5856 nft_setelem_data_activate(ctx->net, set, elem_priv);
5857
5858 return 0;
5859 }
5860
nft_map_catchall_activate(const struct nft_ctx * ctx,struct nft_set * set)5861 static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5862 struct nft_set *set)
5863 {
5864 u8 genmask = nft_genmask_next(ctx->net);
5865 struct nft_set_elem_catchall *catchall;
5866 struct nft_set_ext *ext;
5867
5868 list_for_each_entry(catchall, &set->catchall_list, list) {
5869 ext = nft_set_elem_ext(set, catchall->elem);
5870 if (nft_set_elem_active(ext, genmask))
5871 continue;
5872
5873 nft_clear(ctx->net, ext);
5874 nft_setelem_data_activate(ctx->net, set, catchall->elem);
5875 }
5876 }
5877
nft_map_activate(const struct nft_ctx * ctx,struct nft_set * set)5878 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5879 {
5880 struct nft_set_iter iter = {
5881 .genmask = nft_genmask_next(ctx->net),
5882 .type = NFT_ITER_UPDATE,
5883 .fn = nft_mapelem_activate,
5884 };
5885
5886 set->ops->walk(ctx, set, &iter);
5887 WARN_ON_ONCE(iter.err);
5888
5889 nft_map_catchall_activate(ctx, set);
5890 }
5891
nf_tables_activate_set(const struct nft_ctx * ctx,struct nft_set * set)5892 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5893 {
5894 if (nft_set_is_anonymous(set)) {
5895 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5896 nft_map_activate(ctx, set);
5897
5898 nft_clear(ctx->net, set);
5899 }
5900
5901 nft_use_inc_restore(&set->use);
5902 }
5903 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5904
nf_tables_deactivate_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,enum nft_trans_phase phase)5905 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5906 struct nft_set_binding *binding,
5907 enum nft_trans_phase phase)
5908 {
5909 WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
5910
5911 switch (phase) {
5912 case NFT_TRANS_PREPARE_ERROR:
5913 nft_set_trans_unbind(ctx, set);
5914 if (nft_set_is_anonymous(set))
5915 nft_deactivate_next(ctx->net, set);
5916 else
5917 list_del_rcu(&binding->list);
5918
5919 nft_use_dec(&set->use);
5920 break;
5921 case NFT_TRANS_PREPARE:
5922 if (nft_set_is_anonymous(set)) {
5923 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5924 nft_map_deactivate(ctx, set);
5925
5926 nft_deactivate_next(ctx->net, set);
5927 }
5928 nft_use_dec(&set->use);
5929 return;
5930 case NFT_TRANS_ABORT:
5931 case NFT_TRANS_RELEASE:
5932 if (nft_set_is_anonymous(set) &&
5933 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5934 nft_map_deactivate(ctx, set);
5935
5936 nft_use_dec(&set->use);
5937 fallthrough;
5938 default:
5939 nf_tables_unbind_set(ctx, set, binding,
5940 phase == NFT_TRANS_COMMIT);
5941 }
5942 }
5943 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5944
nf_tables_destroy_set(const struct nft_ctx * ctx,struct nft_set * set)5945 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5946 {
5947 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5948 nft_set_destroy(ctx, set);
5949 }
5950 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5951
5952 const struct nft_set_ext_type nft_set_ext_types[] = {
5953 [NFT_SET_EXT_KEY] = {
5954 .align = __alignof__(u32),
5955 },
5956 [NFT_SET_EXT_DATA] = {
5957 .align = __alignof__(u32),
5958 },
5959 [NFT_SET_EXT_EXPRESSIONS] = {
5960 .align = __alignof__(struct nft_set_elem_expr),
5961 },
5962 [NFT_SET_EXT_OBJREF] = {
5963 .len = sizeof(struct nft_object *),
5964 .align = __alignof__(struct nft_object *),
5965 },
5966 [NFT_SET_EXT_FLAGS] = {
5967 .len = sizeof(u8),
5968 .align = __alignof__(u8),
5969 },
5970 [NFT_SET_EXT_TIMEOUT] = {
5971 .len = sizeof(struct nft_timeout),
5972 .align = __alignof__(struct nft_timeout),
5973 },
5974 [NFT_SET_EXT_USERDATA] = {
5975 .len = sizeof(struct nft_userdata),
5976 .align = __alignof__(struct nft_userdata),
5977 },
5978 [NFT_SET_EXT_KEY_END] = {
5979 .align = __alignof__(u32),
5980 },
5981 };
5982
5983 /*
5984 * Set elements
5985 */
5986
5987 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5988 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5989 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5990 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5991 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5992 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5993 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5994 .len = NFT_USERDATA_MAXLEN },
5995 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5996 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5997 .len = NFT_OBJ_MAXNAMELEN - 1 },
5998 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5999 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
6000 };
6001
6002 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
6003 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
6004 .len = NFT_TABLE_MAXNAMELEN - 1 },
6005 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
6006 .len = NFT_SET_MAXNAMELEN - 1 },
6007 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy),
6008 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
6009 };
6010
nft_set_elem_expr_dump(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_ext * ext,bool reset)6011 static int nft_set_elem_expr_dump(struct sk_buff *skb,
6012 const struct nft_set *set,
6013 const struct nft_set_ext *ext,
6014 bool reset)
6015 {
6016 struct nft_set_elem_expr *elem_expr;
6017 u32 size, num_exprs = 0;
6018 struct nft_expr *expr;
6019 struct nlattr *nest;
6020
6021 elem_expr = nft_set_ext_expr(ext);
6022 nft_setelem_expr_foreach(expr, elem_expr, size)
6023 num_exprs++;
6024
6025 if (num_exprs == 1) {
6026 expr = nft_setelem_expr_at(elem_expr, 0);
6027 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0)
6028 return -1;
6029
6030 return 0;
6031 } else if (num_exprs > 1) {
6032 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
6033 if (nest == NULL)
6034 goto nla_put_failure;
6035
6036 nft_setelem_expr_foreach(expr, elem_expr, size) {
6037 expr = nft_setelem_expr_at(elem_expr, size);
6038 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
6039 goto nla_put_failure;
6040 }
6041 nla_nest_end(skb, nest);
6042 }
6043 return 0;
6044
6045 nla_put_failure:
6046 return -1;
6047 }
6048
nf_tables_fill_setelem(struct sk_buff * skb,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)6049 static int nf_tables_fill_setelem(struct sk_buff *skb,
6050 const struct nft_set *set,
6051 const struct nft_elem_priv *elem_priv,
6052 bool reset)
6053 {
6054 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6055 unsigned char *b = skb_tail_pointer(skb);
6056 struct nlattr *nest;
6057
6058 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
6059 if (nest == NULL)
6060 goto nla_put_failure;
6061
6062 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6063 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
6064 NFT_DATA_VALUE, set->klen) < 0)
6065 goto nla_put_failure;
6066
6067 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6068 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
6069 NFT_DATA_VALUE, set->klen) < 0)
6070 goto nla_put_failure;
6071
6072 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6073 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
6074 nft_set_datatype(set), set->dlen) < 0)
6075 goto nla_put_failure;
6076
6077 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
6078 nft_set_elem_expr_dump(skb, set, ext, reset))
6079 goto nla_put_failure;
6080
6081 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
6082 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
6083 (*nft_set_ext_obj(ext))->key.name) < 0)
6084 goto nla_put_failure;
6085
6086 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6087 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
6088 htonl(*nft_set_ext_flags(ext))))
6089 goto nla_put_failure;
6090
6091 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
6092 u64 timeout = READ_ONCE(nft_set_ext_timeout(ext)->timeout);
6093 u64 set_timeout = READ_ONCE(set->timeout);
6094 __be64 msecs = 0;
6095
6096 if (set_timeout != timeout) {
6097 msecs = nf_jiffies64_to_msecs(timeout);
6098 if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, msecs,
6099 NFTA_SET_ELEM_PAD))
6100 goto nla_put_failure;
6101 }
6102
6103 if (timeout > 0) {
6104 u64 expires, now = get_jiffies_64();
6105
6106 expires = READ_ONCE(nft_set_ext_timeout(ext)->expiration);
6107 if (time_before64(now, expires))
6108 expires -= now;
6109 else
6110 expires = 0;
6111
6112 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
6113 nf_jiffies64_to_msecs(expires),
6114 NFTA_SET_ELEM_PAD))
6115 goto nla_put_failure;
6116 }
6117 }
6118
6119 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
6120 struct nft_userdata *udata;
6121
6122 udata = nft_set_ext_userdata(ext);
6123 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
6124 udata->len + 1, udata->data))
6125 goto nla_put_failure;
6126 }
6127
6128 nla_nest_end(skb, nest);
6129 return 0;
6130
6131 nla_put_failure:
6132 nlmsg_trim(skb, b);
6133 return -EMSGSIZE;
6134 }
6135
6136 struct nft_set_dump_args {
6137 const struct netlink_callback *cb;
6138 struct nft_set_iter iter;
6139 struct sk_buff *skb;
6140 bool reset;
6141 };
6142
nf_tables_dump_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)6143 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
6144 struct nft_set *set,
6145 const struct nft_set_iter *iter,
6146 struct nft_elem_priv *elem_priv)
6147 {
6148 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6149 struct nft_set_dump_args *args;
6150
6151 if (!nft_set_elem_active(ext, iter->genmask))
6152 return 0;
6153
6154 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
6155 return 0;
6156
6157 args = container_of(iter, struct nft_set_dump_args, iter);
6158 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset);
6159 }
6160
audit_log_nft_set_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)6161 static void audit_log_nft_set_reset(const struct nft_table *table,
6162 unsigned int base_seq,
6163 unsigned int nentries)
6164 {
6165 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
6166
6167 audit_log_nfcfg(buf, table->family, nentries,
6168 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
6169 kfree(buf);
6170 }
6171
6172 struct nft_set_dump_ctx {
6173 const struct nft_set *set;
6174 struct nft_ctx ctx;
6175 bool reset;
6176 };
6177
nft_set_catchall_dump(struct net * net,struct sk_buff * skb,const struct nft_set * set,bool reset,unsigned int base_seq)6178 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
6179 const struct nft_set *set, bool reset,
6180 unsigned int base_seq)
6181 {
6182 struct nft_set_elem_catchall *catchall;
6183 u8 genmask = nft_genmask_cur(net);
6184 struct nft_set_ext *ext;
6185 int ret = 0;
6186
6187 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6188 ext = nft_set_elem_ext(set, catchall->elem);
6189 if (!nft_set_elem_active(ext, genmask) ||
6190 nft_set_elem_expired(ext))
6191 continue;
6192
6193 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset);
6194 if (reset && !ret)
6195 audit_log_nft_set_reset(set->table, base_seq, 1);
6196 break;
6197 }
6198
6199 return ret;
6200 }
6201
nf_tables_dump_set(struct sk_buff * skb,struct netlink_callback * cb)6202 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
6203 {
6204 struct nft_set_dump_ctx *dump_ctx = cb->data;
6205 struct net *net = sock_net(skb->sk);
6206 struct nftables_pernet *nft_net;
6207 struct nft_table *table;
6208 struct nft_set *set;
6209 struct nft_set_dump_args args = {
6210 .cb = cb,
6211 .skb = skb,
6212 .reset = dump_ctx->reset,
6213 .iter = {
6214 .genmask = nft_genmask_cur(net),
6215 .type = NFT_ITER_READ,
6216 .skip = cb->args[0],
6217 .fn = nf_tables_dump_setelem,
6218 },
6219 };
6220 bool set_found = false;
6221 struct nlmsghdr *nlh;
6222 struct nlattr *nest;
6223 u32 portid, seq;
6224 int event;
6225
6226 rcu_read_lock();
6227 nft_net = nft_pernet(net);
6228 cb->seq = nft_base_seq(net);
6229
6230 list_for_each_entry_rcu(table, &nft_net->tables, list) {
6231 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
6232 dump_ctx->ctx.family != table->family)
6233 continue;
6234
6235 if (table != dump_ctx->ctx.table)
6236 continue;
6237
6238 list_for_each_entry_rcu(set, &table->sets, list) {
6239 if (set == dump_ctx->set) {
6240 set_found = true;
6241 break;
6242 }
6243 }
6244 break;
6245 }
6246
6247 if (!set_found) {
6248 rcu_read_unlock();
6249 return -ENOENT;
6250 }
6251
6252 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
6253 portid = NETLINK_CB(cb->skb).portid;
6254 seq = cb->nlh->nlmsg_seq;
6255
6256 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
6257 table->family, NFNETLINK_V0, nft_base_seq_be16(net));
6258 if (!nlh)
6259 goto nla_put_failure;
6260
6261 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
6262 goto nla_put_failure;
6263 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
6264 goto nla_put_failure;
6265
6266 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
6267 if (nest == NULL)
6268 goto nla_put_failure;
6269
6270 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
6271
6272 if (!args.iter.err && args.iter.count == cb->args[0])
6273 args.iter.err = nft_set_catchall_dump(net, skb, set,
6274 dump_ctx->reset, cb->seq);
6275 nla_nest_end(skb, nest);
6276 nlmsg_end(skb, nlh);
6277
6278 if (dump_ctx->reset && args.iter.count > args.iter.skip)
6279 audit_log_nft_set_reset(table, cb->seq,
6280 args.iter.count - args.iter.skip);
6281
6282 rcu_read_unlock();
6283
6284 if (args.iter.err && args.iter.err != -EMSGSIZE)
6285 return args.iter.err;
6286 if (args.iter.count == cb->args[0])
6287 return 0;
6288
6289 cb->args[0] = args.iter.count;
6290 return skb->len;
6291
6292 nla_put_failure:
6293 rcu_read_unlock();
6294 return -ENOSPC;
6295 }
6296
nf_tables_dump_set_start(struct netlink_callback * cb)6297 static int nf_tables_dump_set_start(struct netlink_callback *cb)
6298 {
6299 struct nft_set_dump_ctx *dump_ctx = cb->data;
6300
6301 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
6302
6303 return cb->data ? 0 : -ENOMEM;
6304 }
6305
nf_tables_dump_set_done(struct netlink_callback * cb)6306 static int nf_tables_dump_set_done(struct netlink_callback *cb)
6307 {
6308 kfree(cb->data);
6309 return 0;
6310 }
6311
nf_tables_fill_setelem_info(struct sk_buff * skb,const struct nft_ctx * ctx,u32 seq,u32 portid,int event,u16 flags,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)6312 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
6313 const struct nft_ctx *ctx, u32 seq,
6314 u32 portid, int event, u16 flags,
6315 const struct nft_set *set,
6316 const struct nft_elem_priv *elem_priv,
6317 bool reset)
6318 {
6319 struct nlmsghdr *nlh;
6320 struct nlattr *nest;
6321 int err;
6322
6323 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6324 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
6325 NFNETLINK_V0, nft_base_seq_be16(ctx->net));
6326 if (!nlh)
6327 goto nla_put_failure;
6328
6329 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
6330 goto nla_put_failure;
6331 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
6332 goto nla_put_failure;
6333
6334 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
6335 if (nest == NULL)
6336 goto nla_put_failure;
6337
6338 err = nf_tables_fill_setelem(skb, set, elem_priv, reset);
6339 if (err < 0)
6340 goto nla_put_failure;
6341
6342 nla_nest_end(skb, nest);
6343
6344 nlmsg_end(skb, nlh);
6345 return 0;
6346
6347 nla_put_failure:
6348 nlmsg_trim(skb, nlh);
6349 return -1;
6350 }
6351
nft_setelem_parse_flags(const struct nft_set * set,const struct nlattr * attr,u32 * flags)6352 static int nft_setelem_parse_flags(const struct nft_set *set,
6353 const struct nlattr *attr, u32 *flags)
6354 {
6355 if (attr == NULL)
6356 return 0;
6357
6358 *flags = ntohl(nla_get_be32(attr));
6359 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6360 return -EOPNOTSUPP;
6361 if (!(set->flags & NFT_SET_INTERVAL) &&
6362 *flags & NFT_SET_ELEM_INTERVAL_END)
6363 return -EINVAL;
6364 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
6365 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6366 return -EINVAL;
6367
6368 return 0;
6369 }
6370
nft_setelem_parse_key(struct nft_ctx * ctx,const struct nft_set * set,struct nft_data * key,struct nlattr * attr)6371 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set,
6372 struct nft_data *key, struct nlattr *attr)
6373 {
6374 struct nft_data_desc desc = {
6375 .type = NFT_DATA_VALUE,
6376 .size = NFT_DATA_VALUE_MAXLEN,
6377 .len = set->klen,
6378 };
6379
6380 return nft_data_init(ctx, key, &desc, attr);
6381 }
6382
nft_setelem_parse_data(struct nft_ctx * ctx,struct nft_set * set,struct nft_data_desc * desc,struct nft_data * data,struct nlattr * attr)6383 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
6384 struct nft_data_desc *desc,
6385 struct nft_data *data,
6386 struct nlattr *attr)
6387 {
6388 u32 dtype;
6389
6390 if (set->dtype == NFT_DATA_VERDICT)
6391 dtype = NFT_DATA_VERDICT;
6392 else
6393 dtype = NFT_DATA_VALUE;
6394
6395 desc->type = dtype;
6396 desc->size = NFT_DATA_VALUE_MAXLEN;
6397 desc->len = set->dlen;
6398 desc->flags = NFT_DATA_DESC_SETELEM;
6399
6400 return nft_data_init(ctx, data, desc, attr);
6401 }
6402
nft_setelem_catchall_get(const struct net * net,const struct nft_set * set)6403 static void *nft_setelem_catchall_get(const struct net *net,
6404 const struct nft_set *set)
6405 {
6406 struct nft_set_elem_catchall *catchall;
6407 u8 genmask = nft_genmask_cur(net);
6408 struct nft_set_ext *ext;
6409 void *priv = NULL;
6410
6411 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6412 ext = nft_set_elem_ext(set, catchall->elem);
6413 if (!nft_set_elem_active(ext, genmask) ||
6414 nft_set_elem_expired(ext))
6415 continue;
6416
6417 priv = catchall->elem;
6418 break;
6419 }
6420
6421 return priv;
6422 }
6423
nft_setelem_get(struct nft_ctx * ctx,const struct nft_set * set,struct nft_set_elem * elem,u32 flags)6424 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set,
6425 struct nft_set_elem *elem, u32 flags)
6426 {
6427 void *priv;
6428
6429 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6430 priv = set->ops->get(ctx->net, set, elem, flags);
6431 if (IS_ERR(priv))
6432 return PTR_ERR(priv);
6433 } else {
6434 priv = nft_setelem_catchall_get(ctx->net, set);
6435 if (!priv)
6436 return -ENOENT;
6437 }
6438 elem->priv = priv;
6439
6440 return 0;
6441 }
6442
nft_get_set_elem(struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr,bool reset)6443 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
6444 const struct nlattr *attr, bool reset)
6445 {
6446 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6447 struct nft_set_elem elem;
6448 struct sk_buff *skb;
6449 uint32_t flags = 0;
6450 int err;
6451
6452 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6453 nft_set_elem_policy, NULL);
6454 if (err < 0)
6455 return err;
6456
6457 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6458 if (err < 0)
6459 return err;
6460
6461 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6462 return -EINVAL;
6463
6464 if (nla[NFTA_SET_ELEM_KEY]) {
6465 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6466 nla[NFTA_SET_ELEM_KEY]);
6467 if (err < 0)
6468 return err;
6469 }
6470
6471 if (nla[NFTA_SET_ELEM_KEY_END]) {
6472 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6473 nla[NFTA_SET_ELEM_KEY_END]);
6474 if (err < 0)
6475 return err;
6476 }
6477
6478 err = nft_setelem_get(ctx, set, &elem, flags);
6479 if (err < 0)
6480 return err;
6481
6482 err = -ENOMEM;
6483 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6484 if (skb == NULL)
6485 return err;
6486
6487 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
6488 NFT_MSG_NEWSETELEM, 0, set, elem.priv,
6489 reset);
6490 if (err < 0)
6491 goto err_fill_setelem;
6492
6493 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
6494
6495 err_fill_setelem:
6496 kfree_skb(skb);
6497 return err;
6498 }
6499
nft_set_dump_ctx_init(struct nft_set_dump_ctx * dump_ctx,const struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)6500 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx,
6501 const struct sk_buff *skb,
6502 const struct nfnl_info *info,
6503 const struct nlattr * const nla[],
6504 bool reset)
6505 {
6506 struct netlink_ext_ack *extack = info->extack;
6507 u8 genmask = nft_genmask_cur(info->net);
6508 u8 family = info->nfmsg->nfgen_family;
6509 struct net *net = info->net;
6510 struct nft_table *table;
6511 struct nft_set *set;
6512
6513 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6514 genmask, 0);
6515 if (IS_ERR(table)) {
6516 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6517 return PTR_ERR(table);
6518 }
6519
6520 set = nft_set_lookup(net, table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6521 if (IS_ERR(set)) {
6522 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6523 return PTR_ERR(set);
6524 }
6525
6526 nft_ctx_init(&dump_ctx->ctx, net, skb,
6527 info->nlh, family, table, NULL, nla);
6528 dump_ctx->set = set;
6529 dump_ctx->reset = reset;
6530 return 0;
6531 }
6532
6533 /* called with rcu_read_lock held */
nf_tables_getsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6534 static int nf_tables_getsetelem(struct sk_buff *skb,
6535 const struct nfnl_info *info,
6536 const struct nlattr * const nla[])
6537 {
6538 struct netlink_ext_ack *extack = info->extack;
6539 struct nft_set_dump_ctx dump_ctx;
6540 int rem, err = 0, nelems = 0;
6541 struct net *net = info->net;
6542 struct nlattr *attr;
6543 bool reset = false;
6544
6545 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETSETELEM_RESET)
6546 reset = true;
6547
6548 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6549 struct netlink_dump_control c = {
6550 .start = nf_tables_dump_set_start,
6551 .dump = nf_tables_dump_set,
6552 .done = nf_tables_dump_set_done,
6553 .module = THIS_MODULE,
6554 };
6555
6556 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, reset);
6557 if (err)
6558 return err;
6559
6560 c.data = &dump_ctx;
6561 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6562 }
6563
6564 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6565 return -EINVAL;
6566
6567 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, reset);
6568 if (err)
6569 return err;
6570
6571 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6572 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, reset);
6573 if (err < 0) {
6574 NL_SET_BAD_ATTR(extack, attr);
6575 break;
6576 }
6577 nelems++;
6578 }
6579 if (reset)
6580 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_base_seq(net),
6581 nelems);
6582
6583 return err;
6584 }
6585
nf_tables_setelem_notify(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv,int event)6586 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6587 const struct nft_set *set,
6588 const struct nft_elem_priv *elem_priv,
6589 int event)
6590 {
6591 struct nftables_pernet *nft_net;
6592 struct net *net = ctx->net;
6593 u32 portid = ctx->portid;
6594 struct sk_buff *skb;
6595 u16 flags = 0;
6596 int err;
6597
6598 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6599 return;
6600
6601 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6602 if (skb == NULL)
6603 goto err;
6604
6605 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6606 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6607
6608 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
6609 set, elem_priv, false);
6610 if (err < 0) {
6611 kfree_skb(skb);
6612 goto err;
6613 }
6614
6615 nft_net = nft_pernet(net);
6616 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
6617 return;
6618 err:
6619 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6620 }
6621
nft_trans_elem_alloc(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)6622 static struct nft_trans *nft_trans_elem_alloc(const struct nft_ctx *ctx,
6623 int msg_type,
6624 struct nft_set *set)
6625 {
6626 struct nft_trans_elem *te;
6627 struct nft_trans *trans;
6628
6629 trans = nft_trans_alloc(ctx, msg_type, struct_size(te, elems, 1));
6630 if (trans == NULL)
6631 return NULL;
6632
6633 te = nft_trans_container_elem(trans);
6634 te->nelems = 1;
6635 te->set = set;
6636
6637 return trans;
6638 }
6639
nft_set_elem_expr_alloc(const struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr)6640 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6641 const struct nft_set *set,
6642 const struct nlattr *attr)
6643 {
6644 struct nft_expr *expr;
6645 int err;
6646
6647 expr = nft_expr_init(ctx, attr);
6648 if (IS_ERR(expr))
6649 return expr;
6650
6651 err = -EOPNOTSUPP;
6652 if (expr->ops->type->flags & NFT_EXPR_GC) {
6653 if (set->flags & NFT_SET_TIMEOUT)
6654 goto err_set_elem_expr;
6655 if (!set->ops->gc_init)
6656 goto err_set_elem_expr;
6657 set->ops->gc_init(set);
6658 }
6659
6660 return expr;
6661
6662 err_set_elem_expr:
6663 nft_expr_destroy(ctx, expr);
6664 return ERR_PTR(err);
6665 }
6666
nft_set_ext_check(const struct nft_set_ext_tmpl * tmpl,u8 id,u32 len)6667 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6668 {
6669 len += nft_set_ext_types[id].len;
6670 if (len > tmpl->ext_len[id] ||
6671 len > U8_MAX)
6672 return -1;
6673
6674 return 0;
6675 }
6676
nft_set_ext_memcpy(const struct nft_set_ext_tmpl * tmpl,u8 id,void * to,const void * from,u32 len)6677 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6678 void *to, const void *from, u32 len)
6679 {
6680 if (nft_set_ext_check(tmpl, id, len) < 0)
6681 return -1;
6682
6683 memcpy(to, from, len);
6684
6685 return 0;
6686 }
6687
nft_set_elem_init(const struct nft_set * set,const struct nft_set_ext_tmpl * tmpl,const u32 * key,const u32 * key_end,const u32 * data,u64 timeout,u64 expiration,gfp_t gfp)6688 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
6689 const struct nft_set_ext_tmpl *tmpl,
6690 const u32 *key, const u32 *key_end,
6691 const u32 *data,
6692 u64 timeout, u64 expiration, gfp_t gfp)
6693 {
6694 struct nft_set_ext *ext;
6695 void *elem;
6696
6697 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
6698 if (elem == NULL)
6699 return ERR_PTR(-ENOMEM);
6700
6701 ext = nft_set_elem_ext(set, elem);
6702 nft_set_ext_init(ext, tmpl);
6703
6704 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6705 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
6706 nft_set_ext_key(ext), key, set->klen) < 0)
6707 goto err_ext_check;
6708
6709 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6710 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
6711 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
6712 goto err_ext_check;
6713
6714 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6715 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
6716 nft_set_ext_data(ext), data, set->dlen) < 0)
6717 goto err_ext_check;
6718
6719 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
6720 nft_set_ext_timeout(ext)->timeout = timeout;
6721
6722 if (expiration == 0)
6723 expiration = timeout;
6724
6725 nft_set_ext_timeout(ext)->expiration = get_jiffies_64() + expiration;
6726 }
6727
6728 return elem;
6729
6730 err_ext_check:
6731 kfree(elem);
6732
6733 return ERR_PTR(-EINVAL);
6734 }
6735
__nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)6736 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6737 struct nft_expr *expr)
6738 {
6739 if (expr->ops->destroy_clone) {
6740 expr->ops->destroy_clone(ctx, expr);
6741 module_put(expr->ops->type->owner);
6742 } else {
6743 nf_tables_expr_destroy(ctx, expr);
6744 }
6745 }
6746
nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_set_elem_expr * elem_expr)6747 void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6748 struct nft_set_elem_expr *elem_expr)
6749 {
6750 struct nft_expr *expr;
6751 u32 size;
6752
6753 nft_setelem_expr_foreach(expr, elem_expr, size)
6754 __nft_set_elem_expr_destroy(ctx, expr);
6755 }
6756
6757 /* Drop references and destroy. Called from gc, dynset and abort path. */
__nft_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool destroy_expr)6758 static void __nft_set_elem_destroy(const struct nft_ctx *ctx,
6759 const struct nft_set *set,
6760 const struct nft_elem_priv *elem_priv,
6761 bool destroy_expr)
6762 {
6763 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6764
6765 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
6766 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6767 nft_data_release(nft_set_ext_data(ext), set->dtype);
6768 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6769 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6770 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6771 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
6772
6773 kfree(elem_priv);
6774 }
6775
6776 /* Drop references and destroy. Called from gc and dynset. */
nft_set_elem_destroy(const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool destroy_expr)6777 void nft_set_elem_destroy(const struct nft_set *set,
6778 const struct nft_elem_priv *elem_priv,
6779 bool destroy_expr)
6780 {
6781 struct nft_ctx ctx = {
6782 .net = read_pnet(&set->net),
6783 .family = set->table->family,
6784 };
6785
6786 __nft_set_elem_destroy(&ctx, set, elem_priv, destroy_expr);
6787 }
6788 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6789
6790 /* Drop references and destroy. Called from abort path. */
nft_trans_set_elem_destroy(const struct nft_ctx * ctx,struct nft_trans_elem * te)6791 static void nft_trans_set_elem_destroy(const struct nft_ctx *ctx, struct nft_trans_elem *te)
6792 {
6793 int i;
6794
6795 for (i = 0; i < te->nelems; i++) {
6796 /* skip update request, see nft_trans_elems_new_abort() */
6797 if (!te->elems[i].priv)
6798 continue;
6799
6800 __nft_set_elem_destroy(ctx, te->set, te->elems[i].priv, true);
6801 }
6802 }
6803
6804 /* Destroy element. References have been already dropped in the preparation
6805 * path via nft_setelem_data_deactivate().
6806 */
nf_tables_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv)6807 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6808 const struct nft_set *set,
6809 const struct nft_elem_priv *elem_priv)
6810 {
6811 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6812
6813 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6814 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6815
6816 kfree(elem_priv);
6817 }
6818
nft_trans_elems_destroy(const struct nft_ctx * ctx,const struct nft_trans_elem * te)6819 static void nft_trans_elems_destroy(const struct nft_ctx *ctx,
6820 const struct nft_trans_elem *te)
6821 {
6822 int i;
6823
6824 for (i = 0; i < te->nelems; i++)
6825 nf_tables_set_elem_destroy(ctx, te->set, te->elems[i].priv);
6826 }
6827
nft_set_elem_expr_clone(const struct nft_ctx * ctx,struct nft_set * set,struct nft_expr * expr_array[])6828 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6829 struct nft_expr *expr_array[])
6830 {
6831 struct nft_expr *expr;
6832 int err, i, k;
6833
6834 for (i = 0; i < set->num_exprs; i++) {
6835 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6836 if (!expr)
6837 goto err_expr;
6838
6839 err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT);
6840 if (err < 0) {
6841 kfree(expr);
6842 goto err_expr;
6843 }
6844 expr_array[i] = expr;
6845 }
6846
6847 return 0;
6848
6849 err_expr:
6850 for (k = i - 1; k >= 0; k--)
6851 nft_expr_destroy(ctx, expr_array[k]);
6852
6853 return -ENOMEM;
6854 }
6855
nft_set_elem_expr_setup(struct nft_ctx * ctx,const struct nft_set_ext_tmpl * tmpl,const struct nft_set_ext * ext,struct nft_expr * expr_array[],u32 num_exprs)6856 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6857 const struct nft_set_ext_tmpl *tmpl,
6858 const struct nft_set_ext *ext,
6859 struct nft_expr *expr_array[],
6860 u32 num_exprs)
6861 {
6862 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6863 u32 len = sizeof(struct nft_set_elem_expr);
6864 struct nft_expr *expr;
6865 int i, err;
6866
6867 if (num_exprs == 0)
6868 return 0;
6869
6870 for (i = 0; i < num_exprs; i++)
6871 len += expr_array[i]->ops->size;
6872
6873 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6874 return -EINVAL;
6875
6876 for (i = 0; i < num_exprs; i++) {
6877 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6878 err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT);
6879 if (err < 0)
6880 goto err_elem_expr_setup;
6881
6882 elem_expr->size += expr_array[i]->ops->size;
6883 nft_expr_destroy(ctx, expr_array[i]);
6884 expr_array[i] = NULL;
6885 }
6886
6887 return 0;
6888
6889 err_elem_expr_setup:
6890 for (; i < num_exprs; i++) {
6891 nft_expr_destroy(ctx, expr_array[i]);
6892 expr_array[i] = NULL;
6893 }
6894
6895 return -ENOMEM;
6896 }
6897
nft_set_catchall_lookup(const struct net * net,const struct nft_set * set)6898 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6899 const struct nft_set *set)
6900 {
6901 struct nft_set_elem_catchall *catchall;
6902 u8 genmask = nft_genmask_cur(net);
6903 struct nft_set_ext *ext;
6904
6905 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6906 ext = nft_set_elem_ext(set, catchall->elem);
6907 if (nft_set_elem_active(ext, genmask) &&
6908 !nft_set_elem_expired(ext) &&
6909 !nft_set_elem_is_dead(ext))
6910 return ext;
6911 }
6912
6913 return NULL;
6914 }
6915 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6916
nft_setelem_catchall_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** priv)6917 static int nft_setelem_catchall_insert(const struct net *net,
6918 struct nft_set *set,
6919 const struct nft_set_elem *elem,
6920 struct nft_elem_priv **priv)
6921 {
6922 struct nft_set_elem_catchall *catchall;
6923 u8 genmask = nft_genmask_next(net);
6924 struct nft_set_ext *ext;
6925
6926 list_for_each_entry(catchall, &set->catchall_list, list) {
6927 ext = nft_set_elem_ext(set, catchall->elem);
6928 if (nft_set_elem_active(ext, genmask)) {
6929 *priv = catchall->elem;
6930 return -EEXIST;
6931 }
6932 }
6933
6934 catchall = kmalloc_obj(*catchall, GFP_KERNEL_ACCOUNT);
6935 if (!catchall)
6936 return -ENOMEM;
6937
6938 catchall->elem = elem->priv;
6939 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6940
6941 return 0;
6942 }
6943
nft_setelem_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** elem_priv,unsigned int flags)6944 static int nft_setelem_insert(const struct net *net,
6945 struct nft_set *set,
6946 const struct nft_set_elem *elem,
6947 struct nft_elem_priv **elem_priv,
6948 unsigned int flags)
6949 {
6950 int ret;
6951
6952 if (flags & NFT_SET_ELEM_CATCHALL)
6953 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv);
6954 else
6955 ret = set->ops->insert(net, set, elem, elem_priv);
6956
6957 return ret;
6958 }
6959
nft_setelem_is_catchall(const struct nft_set * set,const struct nft_elem_priv * elem_priv)6960 static bool nft_setelem_is_catchall(const struct nft_set *set,
6961 const struct nft_elem_priv *elem_priv)
6962 {
6963 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6964
6965 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6966 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6967 return true;
6968
6969 return false;
6970 }
6971
nft_setelem_activate(struct net * net,struct nft_set * set,struct nft_elem_priv * elem_priv)6972 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6973 struct nft_elem_priv *elem_priv)
6974 {
6975 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6976
6977 if (nft_setelem_is_catchall(set, elem_priv)) {
6978 nft_clear(net, ext);
6979 } else {
6980 set->ops->activate(net, set, elem_priv);
6981 }
6982 }
6983
nft_trans_elem_update(const struct nft_set * set,const struct nft_trans_one_elem * elem)6984 static void nft_trans_elem_update(const struct nft_set *set,
6985 const struct nft_trans_one_elem *elem)
6986 {
6987 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6988 const struct nft_elem_update *update = elem->update;
6989
6990 if (update->flags & NFT_TRANS_UPD_TIMEOUT)
6991 WRITE_ONCE(nft_set_ext_timeout(ext)->timeout, update->timeout);
6992
6993 if (update->flags & NFT_TRANS_UPD_EXPIRATION)
6994 WRITE_ONCE(nft_set_ext_timeout(ext)->expiration, get_jiffies_64() + update->expiration);
6995 }
6996
nft_trans_elems_add(const struct nft_ctx * ctx,struct nft_trans_elem * te)6997 static void nft_trans_elems_add(const struct nft_ctx *ctx,
6998 struct nft_trans_elem *te)
6999 {
7000 int i;
7001
7002 for (i = 0; i < te->nelems; i++) {
7003 struct nft_trans_one_elem *elem = &te->elems[i];
7004
7005 if (elem->update)
7006 nft_trans_elem_update(te->set, elem);
7007 else
7008 nft_setelem_activate(ctx->net, te->set, elem->priv);
7009
7010 nf_tables_setelem_notify(ctx, te->set, elem->priv,
7011 NFT_MSG_NEWSETELEM);
7012 kfree(elem->update);
7013 }
7014 }
7015
nft_setelem_catchall_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)7016 static int nft_setelem_catchall_deactivate(const struct net *net,
7017 struct nft_set *set,
7018 struct nft_set_elem *elem)
7019 {
7020 struct nft_set_elem_catchall *catchall;
7021 struct nft_set_ext *ext;
7022
7023 list_for_each_entry(catchall, &set->catchall_list, list) {
7024 ext = nft_set_elem_ext(set, catchall->elem);
7025 if (!nft_is_active_next(net, ext))
7026 continue;
7027
7028 kfree(elem->priv);
7029 elem->priv = catchall->elem;
7030 nft_set_elem_change_active(net, set, ext);
7031 return 0;
7032 }
7033
7034 return -ENOENT;
7035 }
7036
__nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)7037 static int __nft_setelem_deactivate(const struct net *net,
7038 struct nft_set *set,
7039 struct nft_set_elem *elem)
7040 {
7041 void *priv;
7042
7043 priv = set->ops->deactivate(net, set, elem);
7044 if (!priv)
7045 return -ENOENT;
7046
7047 kfree(elem->priv);
7048 elem->priv = priv;
7049 set->ndeact++;
7050
7051 return 0;
7052 }
7053
nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem,u32 flags)7054 static int nft_setelem_deactivate(const struct net *net,
7055 struct nft_set *set,
7056 struct nft_set_elem *elem, u32 flags)
7057 {
7058 int ret;
7059
7060 if (flags & NFT_SET_ELEM_CATCHALL)
7061 ret = nft_setelem_catchall_deactivate(net, set, elem);
7062 else
7063 ret = __nft_setelem_deactivate(net, set, elem);
7064
7065 return ret;
7066 }
7067
nft_setelem_catchall_destroy(struct nft_set_elem_catchall * catchall)7068 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
7069 {
7070 list_del_rcu(&catchall->list);
7071 kfree_rcu(catchall, rcu);
7072 }
7073
nft_setelem_catchall_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7074 static void nft_setelem_catchall_remove(const struct net *net,
7075 const struct nft_set *set,
7076 struct nft_elem_priv *elem_priv)
7077 {
7078 struct nft_set_elem_catchall *catchall, *next;
7079
7080 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
7081 if (catchall->elem == elem_priv) {
7082 nft_setelem_catchall_destroy(catchall);
7083 break;
7084 }
7085 }
7086 }
7087
nft_setelem_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7088 static void nft_setelem_remove(const struct net *net,
7089 const struct nft_set *set,
7090 struct nft_elem_priv *elem_priv)
7091 {
7092 if (nft_setelem_is_catchall(set, elem_priv))
7093 nft_setelem_catchall_remove(net, set, elem_priv);
7094 else
7095 set->ops->remove(net, set, elem_priv);
7096 }
7097
nft_trans_elems_remove(const struct nft_ctx * ctx,const struct nft_trans_elem * te)7098 static void nft_trans_elems_remove(const struct nft_ctx *ctx,
7099 const struct nft_trans_elem *te)
7100 {
7101 int i;
7102
7103 for (i = 0; i < te->nelems; i++) {
7104 WARN_ON_ONCE(te->elems[i].update);
7105
7106 nf_tables_setelem_notify(ctx, te->set,
7107 te->elems[i].priv,
7108 te->nft_trans.msg_type);
7109
7110 nft_setelem_remove(ctx->net, te->set, te->elems[i].priv);
7111 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv)) {
7112 atomic_dec(&te->set->nelems);
7113 te->set->ndeact--;
7114 }
7115 }
7116 }
7117
nft_setelem_valid_key_end(const struct nft_set * set,struct nlattr ** nla,u32 flags)7118 static bool nft_setelem_valid_key_end(const struct nft_set *set,
7119 struct nlattr **nla, u32 flags)
7120 {
7121 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
7122 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
7123 if (flags & NFT_SET_ELEM_INTERVAL_END)
7124 return false;
7125
7126 if (nla[NFTA_SET_ELEM_KEY_END] &&
7127 flags & NFT_SET_ELEM_CATCHALL)
7128 return false;
7129 } else {
7130 if (nla[NFTA_SET_ELEM_KEY_END])
7131 return false;
7132 }
7133
7134 return true;
7135 }
7136
nft_set_maxsize(const struct nft_set * set)7137 static u32 nft_set_maxsize(const struct nft_set *set)
7138 {
7139 u32 maxsize, delta;
7140
7141 if (!set->size)
7142 return UINT_MAX;
7143
7144 if (set->ops->adjust_maxsize)
7145 delta = set->ops->adjust_maxsize(set);
7146 else
7147 delta = 0;
7148
7149 if (check_add_overflow(set->size, set->ndeact, &maxsize))
7150 return UINT_MAX;
7151
7152 if (check_add_overflow(maxsize, delta, &maxsize))
7153 return UINT_MAX;
7154
7155 return maxsize;
7156 }
7157
nft_add_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,u32 nlmsg_flags)7158 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
7159 const struct nlattr *attr, u32 nlmsg_flags)
7160 {
7161 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
7162 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7163 u8 genmask = nft_genmask_next(ctx->net);
7164 u32 flags = 0, size = 0, num_exprs = 0;
7165 struct nft_set_ext_tmpl tmpl;
7166 struct nft_set_ext *ext, *ext2;
7167 struct nft_set_elem elem;
7168 struct nft_set_binding *binding;
7169 struct nft_elem_priv *elem_priv;
7170 struct nft_object *obj = NULL;
7171 struct nft_userdata *udata;
7172 struct nft_data_desc desc;
7173 enum nft_registers dreg;
7174 struct nft_trans *trans;
7175 bool set_full = false;
7176 u64 expiration;
7177 u64 timeout;
7178 int err, i;
7179 u8 ulen;
7180
7181 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7182 nft_set_elem_policy, NULL);
7183 if (err < 0)
7184 return err;
7185
7186 nft_set_ext_prepare(&tmpl);
7187
7188 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7189 if (err < 0)
7190 return err;
7191
7192 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
7193 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
7194 return -EINVAL;
7195
7196 if (flags != 0) {
7197 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7198 if (err < 0)
7199 return err;
7200 }
7201
7202 if (set->flags & NFT_SET_MAP) {
7203 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
7204 !(flags & NFT_SET_ELEM_INTERVAL_END))
7205 return -EINVAL;
7206 } else {
7207 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7208 return -EINVAL;
7209 }
7210
7211 if (set->flags & NFT_SET_OBJECT) {
7212 if (!nla[NFTA_SET_ELEM_OBJREF] &&
7213 !(flags & NFT_SET_ELEM_INTERVAL_END))
7214 return -EINVAL;
7215 } else {
7216 if (nla[NFTA_SET_ELEM_OBJREF])
7217 return -EINVAL;
7218 }
7219
7220 if (!nft_setelem_valid_key_end(set, nla, flags))
7221 return -EINVAL;
7222
7223 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
7224 (nla[NFTA_SET_ELEM_DATA] ||
7225 nla[NFTA_SET_ELEM_OBJREF] ||
7226 nla[NFTA_SET_ELEM_TIMEOUT] ||
7227 nla[NFTA_SET_ELEM_EXPIRATION] ||
7228 nla[NFTA_SET_ELEM_USERDATA] ||
7229 nla[NFTA_SET_ELEM_EXPR] ||
7230 nla[NFTA_SET_ELEM_KEY_END] ||
7231 nla[NFTA_SET_ELEM_EXPRESSIONS]))
7232 return -EINVAL;
7233
7234 timeout = 0;
7235 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
7236 if (!(set->flags & NFT_SET_TIMEOUT))
7237 return -EINVAL;
7238 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
7239 &timeout);
7240 if (err)
7241 return err;
7242 } else if (set->flags & NFT_SET_TIMEOUT &&
7243 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
7244 timeout = set->timeout;
7245 }
7246
7247 expiration = 0;
7248 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
7249 if (!(set->flags & NFT_SET_TIMEOUT))
7250 return -EINVAL;
7251 if (timeout == 0)
7252 return -EOPNOTSUPP;
7253
7254 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
7255 &expiration);
7256 if (err)
7257 return err;
7258
7259 if (expiration > timeout)
7260 return -ERANGE;
7261 }
7262
7263 if (nla[NFTA_SET_ELEM_EXPR]) {
7264 struct nft_expr *expr;
7265
7266 if (set->num_exprs && set->num_exprs != 1)
7267 return -EOPNOTSUPP;
7268
7269 expr = nft_set_elem_expr_alloc(ctx, set,
7270 nla[NFTA_SET_ELEM_EXPR]);
7271 if (IS_ERR(expr))
7272 return PTR_ERR(expr);
7273
7274 expr_array[0] = expr;
7275 num_exprs = 1;
7276
7277 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
7278 err = -EOPNOTSUPP;
7279 goto err_set_elem_expr;
7280 }
7281 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
7282 struct nft_expr *expr;
7283 struct nlattr *tmp;
7284 int left;
7285
7286 i = 0;
7287 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
7288 if (i == NFT_SET_EXPR_MAX ||
7289 (set->num_exprs && set->num_exprs == i)) {
7290 err = -E2BIG;
7291 goto err_set_elem_expr;
7292 }
7293 if (nla_type(tmp) != NFTA_LIST_ELEM) {
7294 err = -EINVAL;
7295 goto err_set_elem_expr;
7296 }
7297 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
7298 if (IS_ERR(expr)) {
7299 err = PTR_ERR(expr);
7300 goto err_set_elem_expr;
7301 }
7302 expr_array[i] = expr;
7303 num_exprs++;
7304
7305 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
7306 err = -EOPNOTSUPP;
7307 goto err_set_elem_expr;
7308 }
7309 i++;
7310 }
7311 if (set->num_exprs && set->num_exprs != i) {
7312 err = -EOPNOTSUPP;
7313 goto err_set_elem_expr;
7314 }
7315 } else if (set->num_exprs > 0 &&
7316 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
7317 err = nft_set_elem_expr_clone(ctx, set, expr_array);
7318 if (err < 0)
7319 goto err_set_elem_expr_clone;
7320
7321 num_exprs = set->num_exprs;
7322 }
7323
7324 if (nla[NFTA_SET_ELEM_KEY]) {
7325 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7326 nla[NFTA_SET_ELEM_KEY]);
7327 if (err < 0)
7328 goto err_set_elem_expr;
7329
7330 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7331 if (err < 0)
7332 goto err_parse_key;
7333 }
7334
7335 if (nla[NFTA_SET_ELEM_KEY_END]) {
7336 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7337 nla[NFTA_SET_ELEM_KEY_END]);
7338 if (err < 0)
7339 goto err_parse_key;
7340
7341 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7342 if (err < 0)
7343 goto err_parse_key_end;
7344 }
7345
7346 if (set->flags & NFT_SET_TIMEOUT) {
7347 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
7348 if (err < 0)
7349 goto err_parse_key_end;
7350 }
7351
7352 if (num_exprs) {
7353 for (i = 0; i < num_exprs; i++)
7354 size += expr_array[i]->ops->size;
7355
7356 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
7357 sizeof(struct nft_set_elem_expr) + size);
7358 if (err < 0)
7359 goto err_parse_key_end;
7360 }
7361
7362 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
7363 obj = nft_obj_lookup(ctx->net, ctx->table,
7364 nla[NFTA_SET_ELEM_OBJREF],
7365 set->objtype, genmask);
7366 if (IS_ERR(obj)) {
7367 err = PTR_ERR(obj);
7368 obj = NULL;
7369 goto err_parse_key_end;
7370 }
7371
7372 if (!nft_use_inc(&obj->use)) {
7373 err = -EMFILE;
7374 obj = NULL;
7375 goto err_parse_key_end;
7376 }
7377
7378 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
7379 if (err < 0)
7380 goto err_parse_key_end;
7381 }
7382
7383 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
7384 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
7385 nla[NFTA_SET_ELEM_DATA]);
7386 if (err < 0)
7387 goto err_parse_key_end;
7388
7389 dreg = nft_type_to_reg(set->dtype);
7390 list_for_each_entry(binding, &set->bindings, list) {
7391 struct nft_ctx bind_ctx = {
7392 .net = ctx->net,
7393 .family = ctx->family,
7394 .table = ctx->table,
7395 .chain = (struct nft_chain *)binding->chain,
7396 };
7397
7398 if (!(binding->flags & NFT_SET_MAP))
7399 continue;
7400
7401 err = nft_validate_register_store(&bind_ctx, dreg,
7402 &elem.data.val,
7403 desc.type, desc.len);
7404 if (err < 0)
7405 goto err_parse_data;
7406
7407 if (desc.type == NFT_DATA_VERDICT &&
7408 (elem.data.val.verdict.code == NFT_GOTO ||
7409 elem.data.val.verdict.code == NFT_JUMP))
7410 nft_validate_state_update(ctx->table,
7411 NFT_VALIDATE_NEED);
7412 }
7413
7414 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
7415 if (err < 0)
7416 goto err_parse_data;
7417 }
7418
7419 /* The full maximum length of userdata can exceed the maximum
7420 * offset value (U8_MAX) for following extensions, therefor it
7421 * must be the last extension added.
7422 */
7423 ulen = 0;
7424 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
7425 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
7426 if (ulen > 0) {
7427 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
7428 ulen);
7429 if (err < 0)
7430 goto err_parse_data;
7431 }
7432 }
7433
7434 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7435 elem.key_end.val.data, elem.data.val.data,
7436 timeout, expiration, GFP_KERNEL_ACCOUNT);
7437 if (IS_ERR(elem.priv)) {
7438 err = PTR_ERR(elem.priv);
7439 goto err_parse_data;
7440 }
7441
7442 ext = nft_set_elem_ext(set, elem.priv);
7443 if (flags)
7444 *nft_set_ext_flags(ext) = flags;
7445
7446 if (obj)
7447 *nft_set_ext_obj(ext) = obj;
7448
7449 if (ulen > 0) {
7450 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
7451 err = -EINVAL;
7452 goto err_elem_free;
7453 }
7454 udata = nft_set_ext_userdata(ext);
7455 udata->len = ulen - 1;
7456 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
7457 }
7458 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
7459 if (err < 0)
7460 goto err_elem_free;
7461
7462 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
7463 unsigned int max = nft_set_maxsize(set), nelems;
7464
7465 nelems = atomic_inc_return(&set->nelems);
7466 if (nelems > max)
7467 set_full = true;
7468 }
7469
7470 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
7471 if (trans == NULL) {
7472 err = -ENOMEM;
7473 goto err_set_size;
7474 }
7475
7476 ext->genmask = nft_genmask_cur(ctx->net);
7477
7478 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags);
7479 if (err) {
7480 if (err == -EEXIST) {
7481 ext2 = nft_set_elem_ext(set, elem_priv);
7482 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
7483 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
7484 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
7485 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
7486 goto err_element_clash;
7487 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
7488 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
7489 memcmp(nft_set_ext_data(ext),
7490 nft_set_ext_data(ext2), set->dlen) != 0) ||
7491 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
7492 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
7493 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
7494 goto err_element_clash;
7495 else if (!(nlmsg_flags & NLM_F_EXCL)) {
7496 err = 0;
7497 if (nft_set_ext_exists(ext2, NFT_SET_EXT_TIMEOUT)) {
7498 struct nft_elem_update update = { };
7499
7500 if (timeout != nft_set_ext_timeout(ext2)->timeout) {
7501 update.timeout = timeout;
7502 if (expiration == 0)
7503 expiration = timeout;
7504
7505 update.flags |= NFT_TRANS_UPD_TIMEOUT;
7506 }
7507 if (expiration) {
7508 update.expiration = expiration;
7509 update.flags |= NFT_TRANS_UPD_EXPIRATION;
7510 }
7511
7512 if (update.flags) {
7513 struct nft_trans_one_elem *ue;
7514
7515 ue = &nft_trans_container_elem(trans)->elems[0];
7516
7517 ue->update = kmemdup(&update, sizeof(update), GFP_KERNEL);
7518 if (!ue->update) {
7519 err = -ENOMEM;
7520 goto err_element_clash;
7521 }
7522
7523 ue->priv = elem_priv;
7524 nft_trans_commit_list_add_elem(ctx->net, trans);
7525 goto err_set_size;
7526 }
7527 }
7528 }
7529 } else if (err == -ENOTEMPTY) {
7530 /* ENOTEMPTY reports overlapping between this element
7531 * and an existing one.
7532 */
7533 err = -EEXIST;
7534 } else if (err == -ECANCELED) {
7535 /* ECANCELED reports an existing nul-element in
7536 * interval sets.
7537 */
7538 err = 0;
7539 }
7540 goto err_element_clash;
7541 }
7542
7543 nft_trans_container_elem(trans)->elems[0].priv = elem.priv;
7544 nft_trans_commit_list_add_elem(ctx->net, trans);
7545
7546 return set_full ? -ENFILE : 0;
7547
7548 err_element_clash:
7549 kfree(trans);
7550 err_set_size:
7551 if (!(flags & NFT_SET_ELEM_CATCHALL))
7552 atomic_dec(&set->nelems);
7553 err_elem_free:
7554 nf_tables_set_elem_destroy(ctx, set, elem.priv);
7555 err_parse_data:
7556 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7557 nft_data_release(&elem.data.val, desc.type);
7558 err_parse_key_end:
7559 if (obj)
7560 nft_use_dec_restore(&obj->use);
7561
7562 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7563 err_parse_key:
7564 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7565 err_set_elem_expr:
7566 for (i = 0; i < num_exprs && expr_array[i]; i++)
7567 nft_expr_destroy(ctx, expr_array[i]);
7568 err_set_elem_expr_clone:
7569 return err;
7570 }
7571
nf_tables_newsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7572 static int nf_tables_newsetelem(struct sk_buff *skb,
7573 const struct nfnl_info *info,
7574 const struct nlattr * const nla[])
7575 {
7576 struct netlink_ext_ack *extack = info->extack;
7577 u8 genmask = nft_genmask_next(info->net);
7578 u8 family = info->nfmsg->nfgen_family;
7579 struct net *net = info->net;
7580 const struct nlattr *attr;
7581 struct nft_table *table;
7582 struct nft_set *set;
7583 struct nft_ctx ctx;
7584 int rem, err;
7585
7586 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
7587 return -EINVAL;
7588
7589 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7590 genmask, NETLINK_CB(skb).portid);
7591 if (IS_ERR(table)) {
7592 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7593 return PTR_ERR(table);
7594 }
7595
7596 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
7597 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
7598 if (IS_ERR(set)) {
7599 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7600 return PTR_ERR(set);
7601 }
7602
7603 if (!list_empty(&set->bindings) &&
7604 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
7605 return -EBUSY;
7606
7607 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7608
7609 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7610 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
7611 if (err < 0) {
7612 NL_SET_BAD_ATTR(extack, attr);
7613 return err;
7614 }
7615 }
7616
7617 if (table->validate_state == NFT_VALIDATE_DO)
7618 return nft_table_validate(net, table);
7619
7620 return 0;
7621 }
7622
7623 /**
7624 * nft_data_hold - hold a nft_data item
7625 *
7626 * @data: struct nft_data to release
7627 * @type: type of data
7628 *
7629 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7630 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7631 * NFT_GOTO verdicts. This function must be called on active data objects
7632 * from the second phase of the commit protocol.
7633 */
nft_data_hold(const struct nft_data * data,enum nft_data_types type)7634 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7635 {
7636 struct nft_chain *chain;
7637
7638 if (type == NFT_DATA_VERDICT) {
7639 switch (data->verdict.code) {
7640 case NFT_JUMP:
7641 case NFT_GOTO:
7642 chain = data->verdict.chain;
7643 nft_use_inc_restore(&chain->use);
7644 break;
7645 }
7646 }
7647 }
7648
nft_setelem_active_next(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7649 static int nft_setelem_active_next(const struct net *net,
7650 const struct nft_set *set,
7651 struct nft_elem_priv *elem_priv)
7652 {
7653 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7654 u8 genmask = nft_genmask_next(net);
7655
7656 return nft_set_elem_active(ext, genmask);
7657 }
7658
nft_setelem_data_activate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7659 static void nft_setelem_data_activate(const struct net *net,
7660 const struct nft_set *set,
7661 struct nft_elem_priv *elem_priv)
7662 {
7663 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7664
7665 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7666 nft_data_hold(nft_set_ext_data(ext), set->dtype);
7667 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7668 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
7669 }
7670
nft_setelem_data_deactivate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7671 void nft_setelem_data_deactivate(const struct net *net,
7672 const struct nft_set *set,
7673 struct nft_elem_priv *elem_priv)
7674 {
7675 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7676
7677 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7678 nft_data_release(nft_set_ext_data(ext), set->dtype);
7679 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7680 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
7681 }
7682
7683 /* similar to nft_trans_elems_remove, but called from abort path to undo newsetelem.
7684 * No notifications and no ndeact changes.
7685 *
7686 * Returns true if set had been added to (i.e., elements need to be removed again).
7687 */
nft_trans_elems_new_abort(const struct nft_ctx * ctx,struct nft_trans_elem * te)7688 static bool nft_trans_elems_new_abort(const struct nft_ctx *ctx,
7689 struct nft_trans_elem *te)
7690 {
7691 bool removed = false;
7692 int i;
7693
7694 for (i = 0; i < te->nelems; i++) {
7695 if (te->elems[i].update) {
7696 kfree(te->elems[i].update);
7697 te->elems[i].update = NULL;
7698 /* Update request, so do not release this element */
7699 te->elems[i].priv = NULL;
7700 continue;
7701 }
7702
7703 if (!te->set->ops->abort_skip_removal ||
7704 nft_setelem_is_catchall(te->set, te->elems[i].priv))
7705 nft_setelem_remove(ctx->net, te->set, te->elems[i].priv);
7706
7707 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv))
7708 atomic_dec(&te->set->nelems);
7709
7710 removed = true;
7711 }
7712
7713 return removed;
7714 }
7715
7716 /* Called from abort path to undo DELSETELEM/DESTROYSETELEM. */
nft_trans_elems_destroy_abort(const struct nft_ctx * ctx,const struct nft_trans_elem * te)7717 static void nft_trans_elems_destroy_abort(const struct nft_ctx *ctx,
7718 const struct nft_trans_elem *te)
7719 {
7720 int i;
7721
7722 for (i = 0; i < te->nelems; i++) {
7723 if (!nft_setelem_active_next(ctx->net, te->set, te->elems[i].priv)) {
7724 nft_setelem_data_activate(ctx->net, te->set, te->elems[i].priv);
7725 nft_setelem_activate(ctx->net, te->set, te->elems[i].priv);
7726 }
7727
7728 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv))
7729 te->set->ndeact--;
7730 }
7731 }
7732
nft_del_setelem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)7733 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7734 const struct nlattr *attr)
7735 {
7736 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7737 struct nft_set_ext_tmpl tmpl;
7738 struct nft_set_elem elem;
7739 struct nft_set_ext *ext;
7740 struct nft_trans *trans;
7741 u32 flags = 0;
7742 int err;
7743
7744 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7745 nft_set_elem_policy, NULL);
7746 if (err < 0)
7747 return err;
7748
7749 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7750 if (err < 0)
7751 return err;
7752
7753 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7754 return -EINVAL;
7755
7756 if (!nft_setelem_valid_key_end(set, nla, flags))
7757 return -EINVAL;
7758
7759 nft_set_ext_prepare(&tmpl);
7760
7761 if (flags != 0) {
7762 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7763 if (err < 0)
7764 return err;
7765 }
7766
7767 if (nla[NFTA_SET_ELEM_KEY]) {
7768 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7769 nla[NFTA_SET_ELEM_KEY]);
7770 if (err < 0)
7771 return err;
7772
7773 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7774 if (err < 0)
7775 goto fail_elem;
7776 }
7777
7778 if (nla[NFTA_SET_ELEM_KEY_END]) {
7779 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7780 nla[NFTA_SET_ELEM_KEY_END]);
7781 if (err < 0)
7782 goto fail_elem;
7783
7784 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7785 if (err < 0)
7786 goto fail_elem_key_end;
7787 }
7788
7789 err = -ENOMEM;
7790 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7791 elem.key_end.val.data, NULL, 0, 0,
7792 GFP_KERNEL_ACCOUNT);
7793 if (IS_ERR(elem.priv)) {
7794 err = PTR_ERR(elem.priv);
7795 goto fail_elem_key_end;
7796 }
7797
7798 ext = nft_set_elem_ext(set, elem.priv);
7799 if (flags)
7800 *nft_set_ext_flags(ext) = flags;
7801
7802 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7803 if (trans == NULL)
7804 goto fail_trans;
7805
7806 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
7807 if (err < 0)
7808 goto fail_ops;
7809
7810 nft_setelem_data_deactivate(ctx->net, set, elem.priv);
7811
7812 nft_trans_container_elem(trans)->elems[0].priv = elem.priv;
7813 nft_trans_commit_list_add_elem(ctx->net, trans);
7814 return 0;
7815
7816 fail_ops:
7817 kfree(trans);
7818 fail_trans:
7819 kfree(elem.priv);
7820 fail_elem_key_end:
7821 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7822 fail_elem:
7823 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7824 return err;
7825 }
7826
nft_setelem_flush(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)7827 static int nft_setelem_flush(const struct nft_ctx *ctx,
7828 struct nft_set *set,
7829 const struct nft_set_iter *iter,
7830 struct nft_elem_priv *elem_priv)
7831 {
7832 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7833 struct nft_trans *trans;
7834
7835 if (!nft_set_elem_active(ext, iter->genmask))
7836 return 0;
7837
7838 trans = nft_trans_alloc(ctx, NFT_MSG_DELSETELEM,
7839 struct_size_t(struct nft_trans_elem, elems, 1));
7840 if (!trans)
7841 return -ENOMEM;
7842
7843 set->ops->flush(ctx->net, set, elem_priv);
7844 set->ndeact++;
7845
7846 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7847 nft_trans_elem_set(trans) = set;
7848 nft_trans_container_elem(trans)->nelems = 1;
7849 nft_trans_container_elem(trans)->elems[0].priv = elem_priv;
7850 nft_trans_commit_list_add_elem(ctx->net, trans);
7851
7852 return 0;
7853 }
7854
__nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)7855 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7856 struct nft_set *set,
7857 struct nft_elem_priv *elem_priv)
7858 {
7859 struct nft_trans *trans;
7860
7861 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7862 if (!trans)
7863 return -ENOMEM;
7864
7865 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7866 nft_trans_container_elem(trans)->elems[0].priv = elem_priv;
7867 nft_trans_commit_list_add_elem(ctx->net, trans);
7868
7869 return 0;
7870 }
7871
nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set)7872 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7873 struct nft_set *set)
7874 {
7875 u8 genmask = nft_genmask_next(ctx->net);
7876 struct nft_set_elem_catchall *catchall;
7877 struct nft_set_ext *ext;
7878 int ret = 0;
7879
7880 list_for_each_entry_rcu(catchall, &set->catchall_list, list,
7881 lockdep_commit_lock_is_held(ctx->net)) {
7882 ext = nft_set_elem_ext(set, catchall->elem);
7883 if (!nft_set_elem_active(ext, genmask))
7884 continue;
7885
7886 ret = __nft_set_catchall_flush(ctx, set, catchall->elem);
7887 if (ret < 0)
7888 break;
7889 nft_set_elem_change_active(ctx->net, set, ext);
7890 }
7891
7892 return ret;
7893 }
7894
nft_set_flush(struct nft_ctx * ctx,struct nft_set * set,u8 genmask)7895 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
7896 {
7897 /* The set backend might need to clone the set, do it now from the
7898 * preparation phase, use NFT_ITER_UPDATE_CLONE iterator type.
7899 */
7900 struct nft_set_iter iter = {
7901 .genmask = genmask,
7902 .type = NFT_ITER_UPDATE_CLONE,
7903 .fn = nft_setelem_flush,
7904 };
7905
7906 set->ops->walk(ctx, set, &iter);
7907 if (!iter.err)
7908 iter.err = nft_set_catchall_flush(ctx, set);
7909
7910 return iter.err;
7911 }
7912
nf_tables_delsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7913 static int nf_tables_delsetelem(struct sk_buff *skb,
7914 const struct nfnl_info *info,
7915 const struct nlattr * const nla[])
7916 {
7917 struct netlink_ext_ack *extack = info->extack;
7918 u8 genmask = nft_genmask_next(info->net);
7919 u8 family = info->nfmsg->nfgen_family;
7920 struct net *net = info->net;
7921 const struct nlattr *attr;
7922 struct nft_table *table;
7923 struct nft_set *set;
7924 struct nft_ctx ctx;
7925 int rem, err = 0;
7926
7927 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7928 genmask, NETLINK_CB(skb).portid);
7929 if (IS_ERR(table)) {
7930 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7931 return PTR_ERR(table);
7932 }
7933
7934 set = nft_set_lookup(net, table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
7935 if (IS_ERR(set)) {
7936 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7937 return PTR_ERR(set);
7938 }
7939
7940 if (nft_set_is_anonymous(set))
7941 return -EOPNOTSUPP;
7942
7943 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
7944 return -EBUSY;
7945
7946 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7947
7948 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
7949 return nft_set_flush(&ctx, set, genmask);
7950
7951 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7952 err = nft_del_setelem(&ctx, set, attr);
7953 if (err == -ENOENT &&
7954 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
7955 continue;
7956
7957 if (err < 0) {
7958 NL_SET_BAD_ATTR(extack, attr);
7959 return err;
7960 }
7961 }
7962
7963 return 0;
7964 }
7965
7966 /*
7967 * Stateful objects
7968 */
7969
7970 /**
7971 * nft_register_obj- register nf_tables stateful object type
7972 * @obj_type: object type
7973 *
7974 * Registers the object type for use with nf_tables. Returns zero on
7975 * success or a negative errno code otherwise.
7976 */
nft_register_obj(struct nft_object_type * obj_type)7977 int nft_register_obj(struct nft_object_type *obj_type)
7978 {
7979 if (obj_type->type == NFT_OBJECT_UNSPEC)
7980 return -EINVAL;
7981
7982 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7983 list_add_rcu(&obj_type->list, &nf_tables_objects);
7984 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7985 return 0;
7986 }
7987 EXPORT_SYMBOL_GPL(nft_register_obj);
7988
7989 /**
7990 * nft_unregister_obj - unregister nf_tables object type
7991 * @obj_type: object type
7992 *
7993 * Unregisters the object type for use with nf_tables.
7994 */
nft_unregister_obj(struct nft_object_type * obj_type)7995 void nft_unregister_obj(struct nft_object_type *obj_type)
7996 {
7997 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7998 list_del_rcu(&obj_type->list);
7999 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8000 }
8001 EXPORT_SYMBOL_GPL(nft_unregister_obj);
8002
nft_obj_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)8003 struct nft_object *nft_obj_lookup(const struct net *net,
8004 const struct nft_table *table,
8005 const struct nlattr *nla, u32 objtype,
8006 u8 genmask)
8007 {
8008 struct nft_object_hash_key k = { .table = table };
8009 char search[NFT_OBJ_MAXNAMELEN];
8010 struct rhlist_head *tmp, *list;
8011 struct nft_object *obj;
8012
8013 nla_strscpy(search, nla, sizeof(search));
8014 k.name = search;
8015
8016 WARN_ON_ONCE(!rcu_read_lock_held() &&
8017 !lockdep_commit_lock_is_held(net));
8018
8019 rcu_read_lock();
8020 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
8021 if (!list)
8022 goto out;
8023
8024 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
8025 if (objtype == obj->ops->type->type &&
8026 nft_active_genmask(obj, genmask)) {
8027 rcu_read_unlock();
8028 return obj;
8029 }
8030 }
8031 out:
8032 rcu_read_unlock();
8033 return ERR_PTR(-ENOENT);
8034 }
8035 EXPORT_SYMBOL_GPL(nft_obj_lookup);
8036
nft_obj_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)8037 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
8038 const struct nlattr *nla,
8039 u32 objtype, u8 genmask)
8040 {
8041 struct nft_object *obj;
8042
8043 list_for_each_entry(obj, &table->objects, list) {
8044 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
8045 objtype == obj->ops->type->type &&
8046 nft_active_genmask(obj, genmask))
8047 return obj;
8048 }
8049 return ERR_PTR(-ENOENT);
8050 }
8051
8052 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
8053 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
8054 .len = NFT_TABLE_MAXNAMELEN - 1 },
8055 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
8056 .len = NFT_OBJ_MAXNAMELEN - 1 },
8057 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
8058 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
8059 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
8060 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
8061 .len = NFT_USERDATA_MAXLEN },
8062 };
8063
nft_obj_init(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr)8064 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
8065 const struct nft_object_type *type,
8066 const struct nlattr *attr)
8067 {
8068 struct nlattr **tb;
8069 const struct nft_object_ops *ops;
8070 struct nft_object *obj;
8071 int err = -ENOMEM;
8072
8073 tb = kmalloc_objs(*tb, type->maxattr + 1);
8074 if (!tb)
8075 goto err1;
8076
8077 if (attr) {
8078 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
8079 type->policy, NULL);
8080 if (err < 0)
8081 goto err2;
8082 } else {
8083 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
8084 }
8085
8086 if (type->select_ops) {
8087 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
8088 if (IS_ERR(ops)) {
8089 err = PTR_ERR(ops);
8090 goto err2;
8091 }
8092 } else {
8093 ops = type->ops;
8094 }
8095
8096 err = -ENOMEM;
8097 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
8098 if (!obj)
8099 goto err2;
8100
8101 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
8102 if (err < 0)
8103 goto err3;
8104
8105 obj->ops = ops;
8106
8107 kfree(tb);
8108 return obj;
8109 err3:
8110 kfree(obj);
8111 err2:
8112 kfree(tb);
8113 err1:
8114 return ERR_PTR(err);
8115 }
8116
nft_object_dump(struct sk_buff * skb,unsigned int attr,struct nft_object * obj,bool reset)8117 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
8118 struct nft_object *obj, bool reset)
8119 {
8120 struct nlattr *nest;
8121
8122 nest = nla_nest_start_noflag(skb, attr);
8123 if (!nest)
8124 goto nla_put_failure;
8125 if (obj->ops->dump(skb, obj, reset) < 0)
8126 goto nla_put_failure;
8127 nla_nest_end(skb, nest);
8128 return 0;
8129
8130 nla_put_failure:
8131 return -1;
8132 }
8133
__nft_obj_type_get(u32 objtype,u8 family)8134 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
8135 {
8136 const struct nft_object_type *type;
8137
8138 list_for_each_entry_rcu(type, &nf_tables_objects, list) {
8139 if (type->family != NFPROTO_UNSPEC &&
8140 type->family != family)
8141 continue;
8142
8143 if (objtype == type->type)
8144 return type;
8145 }
8146 return NULL;
8147 }
8148
8149 static const struct nft_object_type *
nft_obj_type_get(struct net * net,u32 objtype,u8 family)8150 nft_obj_type_get(struct net *net, u32 objtype, u8 family)
8151 {
8152 const struct nft_object_type *type;
8153
8154 rcu_read_lock();
8155 type = __nft_obj_type_get(objtype, family);
8156 if (type != NULL && try_module_get(type->owner)) {
8157 rcu_read_unlock();
8158 return type;
8159 }
8160 rcu_read_unlock();
8161
8162 lockdep_nfnl_nft_mutex_not_held();
8163 #ifdef CONFIG_MODULES
8164 if (type == NULL) {
8165 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
8166 return ERR_PTR(-EAGAIN);
8167 }
8168 #endif
8169 return ERR_PTR(-ENOENT);
8170 }
8171
nf_tables_updobj(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr,struct nft_object * obj)8172 static int nf_tables_updobj(const struct nft_ctx *ctx,
8173 const struct nft_object_type *type,
8174 const struct nlattr *attr,
8175 struct nft_object *obj)
8176 {
8177 struct nft_object *newobj;
8178 struct nft_trans *trans;
8179 int err = -ENOMEM;
8180
8181 /* caller must have obtained type->owner reference. */
8182 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
8183 sizeof(struct nft_trans_obj));
8184 if (!trans)
8185 goto err_trans;
8186
8187 newobj = nft_obj_init(ctx, type, attr);
8188 if (IS_ERR(newobj)) {
8189 err = PTR_ERR(newobj);
8190 goto err_free_trans;
8191 }
8192
8193 nft_trans_obj(trans) = obj;
8194 nft_trans_obj_update(trans) = true;
8195 nft_trans_obj_newobj(trans) = newobj;
8196 nft_trans_commit_list_add_tail(ctx->net, trans);
8197
8198 return 0;
8199
8200 err_free_trans:
8201 kfree(trans);
8202 err_trans:
8203 module_put(type->owner);
8204 return err;
8205 }
8206
nf_tables_newobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8207 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
8208 const struct nlattr * const nla[])
8209 {
8210 struct netlink_ext_ack *extack = info->extack;
8211 u8 genmask = nft_genmask_next(info->net);
8212 u8 family = info->nfmsg->nfgen_family;
8213 const struct nft_object_type *type;
8214 struct net *net = info->net;
8215 struct nft_table *table;
8216 struct nft_object *obj;
8217 struct nft_ctx ctx;
8218 u32 objtype;
8219 int err;
8220
8221 if (!nla[NFTA_OBJ_TYPE] ||
8222 !nla[NFTA_OBJ_NAME] ||
8223 !nla[NFTA_OBJ_DATA])
8224 return -EINVAL;
8225
8226 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8227 NETLINK_CB(skb).portid);
8228 if (IS_ERR(table)) {
8229 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8230 return PTR_ERR(table);
8231 }
8232
8233 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8234 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8235 if (IS_ERR(obj)) {
8236 err = PTR_ERR(obj);
8237 if (err != -ENOENT) {
8238 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8239 return err;
8240 }
8241 } else {
8242 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8243 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8244 return -EEXIST;
8245 }
8246 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
8247 return -EOPNOTSUPP;
8248
8249 if (!obj->ops->update)
8250 return 0;
8251
8252 type = nft_obj_type_get(net, objtype, family);
8253 if (WARN_ON_ONCE(IS_ERR(type)))
8254 return PTR_ERR(type);
8255
8256 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8257
8258 /* type->owner reference is put when transaction object is released. */
8259 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
8260 }
8261
8262 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8263
8264 if (!nft_use_inc(&table->use))
8265 return -EMFILE;
8266
8267 type = nft_obj_type_get(net, objtype, family);
8268 if (IS_ERR(type)) {
8269 err = PTR_ERR(type);
8270 goto err_type;
8271 }
8272
8273 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
8274 if (IS_ERR(obj)) {
8275 err = PTR_ERR(obj);
8276 goto err_init;
8277 }
8278 obj->key.table = table;
8279 obj->handle = nf_tables_alloc_handle(table);
8280
8281 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
8282 if (!obj->key.name) {
8283 err = -ENOMEM;
8284 goto err_strdup;
8285 }
8286
8287 if (nla[NFTA_OBJ_USERDATA]) {
8288 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
8289 if (obj->udata == NULL)
8290 goto err_userdata;
8291
8292 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
8293 }
8294
8295 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
8296 if (err < 0)
8297 goto err_trans;
8298
8299 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
8300 nft_objname_ht_params);
8301 if (err < 0)
8302 goto err_obj_ht;
8303
8304 list_add_tail_rcu(&obj->list, &table->objects);
8305
8306 return 0;
8307 err_obj_ht:
8308 /* queued in transaction log */
8309 INIT_LIST_HEAD(&obj->list);
8310 return err;
8311 err_trans:
8312 kfree(obj->udata);
8313 err_userdata:
8314 kfree(obj->key.name);
8315 err_strdup:
8316 if (obj->ops->destroy)
8317 obj->ops->destroy(&ctx, obj);
8318 kfree(obj);
8319 err_init:
8320 module_put(type->owner);
8321 err_type:
8322 nft_use_dec_restore(&table->use);
8323
8324 return err;
8325 }
8326
nf_tables_fill_obj_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,struct nft_object * obj,bool reset)8327 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
8328 u32 portid, u32 seq, int event, u32 flags,
8329 int family, const struct nft_table *table,
8330 struct nft_object *obj, bool reset)
8331 {
8332 struct nlmsghdr *nlh;
8333
8334 nlh = nfnl_msg_put(skb, portid, seq,
8335 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
8336 flags, family, NFNETLINK_V0, nft_base_seq_be16(net));
8337 if (!nlh)
8338 goto nla_put_failure;
8339
8340 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
8341 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
8342 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
8343 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
8344 NFTA_OBJ_PAD))
8345 goto nla_put_failure;
8346
8347 if (event == NFT_MSG_DELOBJ ||
8348 event == NFT_MSG_DESTROYOBJ) {
8349 nlmsg_end(skb, nlh);
8350 return 0;
8351 }
8352
8353 if (nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
8354 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
8355 goto nla_put_failure;
8356
8357 if (obj->udata &&
8358 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
8359 goto nla_put_failure;
8360
8361 nlmsg_end(skb, nlh);
8362 return 0;
8363
8364 nla_put_failure:
8365 nlmsg_trim(skb, nlh);
8366 return -1;
8367 }
8368
audit_log_obj_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)8369 static void audit_log_obj_reset(const struct nft_table *table,
8370 unsigned int base_seq, unsigned int nentries)
8371 {
8372 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
8373
8374 audit_log_nfcfg(buf, table->family, nentries,
8375 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
8376 kfree(buf);
8377 }
8378
8379 struct nft_obj_dump_ctx {
8380 unsigned int s_idx;
8381 char *table;
8382 u32 type;
8383 bool reset;
8384 };
8385
nf_tables_dump_obj(struct sk_buff * skb,struct netlink_callback * cb)8386 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
8387 {
8388 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8389 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8390 struct net *net = sock_net(skb->sk);
8391 int family = nfmsg->nfgen_family;
8392 struct nftables_pernet *nft_net;
8393 const struct nft_table *table;
8394 unsigned int entries = 0;
8395 struct nft_object *obj;
8396 unsigned int idx = 0;
8397 int rc = 0;
8398
8399 rcu_read_lock();
8400 nft_net = nft_pernet(net);
8401 cb->seq = nft_base_seq(net);
8402
8403 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8404 if (family != NFPROTO_UNSPEC && family != table->family)
8405 continue;
8406
8407 entries = 0;
8408 list_for_each_entry_rcu(obj, &table->objects, list) {
8409 if (!nft_is_active(net, obj))
8410 goto cont;
8411 if (idx < ctx->s_idx)
8412 goto cont;
8413 if (ctx->table && strcmp(ctx->table, table->name))
8414 goto cont;
8415 if (ctx->type != NFT_OBJECT_UNSPEC &&
8416 obj->ops->type->type != ctx->type)
8417 goto cont;
8418
8419 rc = nf_tables_fill_obj_info(skb, net,
8420 NETLINK_CB(cb->skb).portid,
8421 cb->nlh->nlmsg_seq,
8422 NFT_MSG_NEWOBJ,
8423 NLM_F_MULTI | NLM_F_APPEND,
8424 table->family, table,
8425 obj, ctx->reset);
8426 if (rc < 0)
8427 break;
8428
8429 entries++;
8430 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8431 cont:
8432 idx++;
8433 }
8434 if (ctx->reset && entries)
8435 audit_log_obj_reset(table, nft_base_seq(net), entries);
8436 if (rc < 0)
8437 break;
8438 }
8439 rcu_read_unlock();
8440
8441 ctx->s_idx = idx;
8442 return skb->len;
8443 }
8444
nf_tables_dump_obj_start(struct netlink_callback * cb)8445 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
8446 {
8447 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8448 const struct nlattr * const *nla = cb->data;
8449
8450 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
8451
8452 if (nla[NFTA_OBJ_TABLE]) {
8453 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
8454 if (!ctx->table)
8455 return -ENOMEM;
8456 }
8457
8458 if (nla[NFTA_OBJ_TYPE])
8459 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8460
8461 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
8462 ctx->reset = true;
8463
8464 return 0;
8465 }
8466
nf_tables_dump_obj_done(struct netlink_callback * cb)8467 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
8468 {
8469 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8470
8471 kfree(ctx->table);
8472
8473 return 0;
8474 }
8475
8476 /* Caller must hold rcu read lock or transaction mutex */
8477 static struct sk_buff *
nf_tables_getobj_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)8478 nf_tables_getobj_single(u32 portid, const struct nfnl_info *info,
8479 const struct nlattr * const nla[], bool reset)
8480 {
8481 struct netlink_ext_ack *extack = info->extack;
8482 u8 genmask = nft_genmask_cur(info->net);
8483 u8 family = info->nfmsg->nfgen_family;
8484 const struct nft_table *table;
8485 struct net *net = info->net;
8486 struct nft_object *obj;
8487 struct sk_buff *skb2;
8488 u32 objtype;
8489 int err;
8490
8491 if (!nla[NFTA_OBJ_NAME] ||
8492 !nla[NFTA_OBJ_TYPE])
8493 return ERR_PTR(-EINVAL);
8494
8495 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
8496 if (IS_ERR(table)) {
8497 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8498 return ERR_CAST(table);
8499 }
8500
8501 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8502 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8503 if (IS_ERR(obj)) {
8504 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8505 return ERR_CAST(obj);
8506 }
8507
8508 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8509 if (!skb2)
8510 return ERR_PTR(-ENOMEM);
8511
8512 err = nf_tables_fill_obj_info(skb2, net, portid,
8513 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
8514 family, table, obj, reset);
8515 if (err < 0) {
8516 kfree_skb(skb2);
8517 return ERR_PTR(err);
8518 }
8519
8520 return skb2;
8521 }
8522
nf_tables_getobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8523 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
8524 const struct nlattr * const nla[])
8525 {
8526 u32 portid = NETLINK_CB(skb).portid;
8527 struct net *net = info->net;
8528 struct sk_buff *skb2;
8529 bool reset = false;
8530 char *buf;
8531
8532 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8533 struct netlink_dump_control c = {
8534 .start = nf_tables_dump_obj_start,
8535 .dump = nf_tables_dump_obj,
8536 .done = nf_tables_dump_obj_done,
8537 .module = THIS_MODULE,
8538 .data = (void *)nla,
8539 };
8540
8541 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8542 }
8543
8544 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
8545 reset = true;
8546
8547 skb2 = nf_tables_getobj_single(portid, info, nla, reset);
8548 if (IS_ERR(skb2))
8549 return PTR_ERR(skb2);
8550
8551 if (!reset)
8552 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
8553
8554 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
8555 nla_len(nla[NFTA_OBJ_TABLE]),
8556 (char *)nla_data(nla[NFTA_OBJ_TABLE]),
8557 nft_base_seq(net));
8558 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
8559 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
8560 kfree(buf);
8561
8562 return nfnetlink_unicast(skb2, net, portid);
8563 }
8564
nft_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)8565 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
8566 {
8567 if (obj->ops->destroy)
8568 obj->ops->destroy(ctx, obj);
8569
8570 module_put(obj->ops->type->owner);
8571 kfree(obj->key.name);
8572 kfree(obj->udata);
8573 kfree(obj);
8574 }
8575
nf_tables_delobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8576 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
8577 const struct nlattr * const nla[])
8578 {
8579 struct netlink_ext_ack *extack = info->extack;
8580 u8 genmask = nft_genmask_next(info->net);
8581 u8 family = info->nfmsg->nfgen_family;
8582 struct net *net = info->net;
8583 const struct nlattr *attr;
8584 struct nft_table *table;
8585 struct nft_object *obj;
8586 struct nft_ctx ctx;
8587 u32 objtype;
8588
8589 if (!nla[NFTA_OBJ_TYPE] ||
8590 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
8591 return -EINVAL;
8592
8593 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8594 NETLINK_CB(skb).portid);
8595 if (IS_ERR(table)) {
8596 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8597 return PTR_ERR(table);
8598 }
8599
8600 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8601 if (nla[NFTA_OBJ_HANDLE]) {
8602 attr = nla[NFTA_OBJ_HANDLE];
8603 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
8604 } else {
8605 attr = nla[NFTA_OBJ_NAME];
8606 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
8607 }
8608
8609 if (IS_ERR(obj)) {
8610 if (PTR_ERR(obj) == -ENOENT &&
8611 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
8612 return 0;
8613
8614 NL_SET_BAD_ATTR(extack, attr);
8615 return PTR_ERR(obj);
8616 }
8617 if (obj->use > 0) {
8618 NL_SET_BAD_ATTR(extack, attr);
8619 return -EBUSY;
8620 }
8621
8622 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8623
8624 return nft_delobj(&ctx, obj);
8625 }
8626
8627 static void
__nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8628 __nft_obj_notify(struct net *net, const struct nft_table *table,
8629 struct nft_object *obj, u32 portid, u32 seq, int event,
8630 u16 flags, int family, int report, gfp_t gfp)
8631 {
8632 struct nftables_pernet *nft_net = nft_pernet(net);
8633 struct sk_buff *skb;
8634 int err;
8635
8636 if (!report &&
8637 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8638 return;
8639
8640 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
8641 if (skb == NULL)
8642 goto err;
8643
8644 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
8645 flags & (NLM_F_CREATE | NLM_F_EXCL),
8646 family, table, obj, false);
8647 if (err < 0) {
8648 kfree_skb(skb);
8649 goto err;
8650 }
8651
8652 nft_notify_enqueue(skb, report, &nft_net->notify_list);
8653 return;
8654 err:
8655 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
8656 }
8657
nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8658 void nft_obj_notify(struct net *net, const struct nft_table *table,
8659 struct nft_object *obj, u32 portid, u32 seq, int event,
8660 u16 flags, int family, int report, gfp_t gfp)
8661 {
8662 char *buf = kasprintf(gfp, "%s:%u",
8663 table->name, nft_base_seq(net));
8664
8665 audit_log_nfcfg(buf,
8666 family,
8667 obj->handle,
8668 event == NFT_MSG_NEWOBJ ?
8669 AUDIT_NFT_OP_OBJ_REGISTER :
8670 AUDIT_NFT_OP_OBJ_UNREGISTER,
8671 gfp);
8672 kfree(buf);
8673
8674 __nft_obj_notify(net, table, obj, portid, seq, event,
8675 flags, family, report, gfp);
8676 }
8677 EXPORT_SYMBOL_GPL(nft_obj_notify);
8678
nf_tables_obj_notify(const struct nft_ctx * ctx,struct nft_object * obj,int event)8679 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
8680 struct nft_object *obj, int event)
8681 {
8682 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
8683 ctx->seq, event, ctx->flags, ctx->family,
8684 ctx->report, GFP_KERNEL);
8685 }
8686
8687 /*
8688 * Flow tables
8689 */
nft_register_flowtable_type(struct nf_flowtable_type * type)8690 void nft_register_flowtable_type(struct nf_flowtable_type *type)
8691 {
8692 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8693 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
8694 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8695 }
8696 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
8697
nft_unregister_flowtable_type(struct nf_flowtable_type * type)8698 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
8699 {
8700 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8701 list_del_rcu(&type->list);
8702 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8703 }
8704 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
8705
8706 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
8707 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
8708 .len = NFT_NAME_MAXLEN - 1 },
8709 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
8710 .len = NFT_NAME_MAXLEN - 1 },
8711 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8712 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8713 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8714 };
8715
nft_flowtable_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)8716 struct nft_flowtable *nft_flowtable_lookup(const struct net *net,
8717 const struct nft_table *table,
8718 const struct nlattr *nla, u8 genmask)
8719 {
8720 struct nft_flowtable *flowtable;
8721
8722 list_for_each_entry_rcu(flowtable, &table->flowtables, list,
8723 lockdep_commit_lock_is_held(net)) {
8724 if (!nla_strcmp(nla, flowtable->name) &&
8725 nft_active_genmask(flowtable, genmask))
8726 return flowtable;
8727 }
8728 return ERR_PTR(-ENOENT);
8729 }
8730 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8731
nf_tables_deactivate_flowtable(const struct nft_ctx * ctx,struct nft_flowtable * flowtable,enum nft_trans_phase phase)8732 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8733 struct nft_flowtable *flowtable,
8734 enum nft_trans_phase phase)
8735 {
8736 switch (phase) {
8737 case NFT_TRANS_PREPARE_ERROR:
8738 case NFT_TRANS_PREPARE:
8739 case NFT_TRANS_ABORT:
8740 case NFT_TRANS_RELEASE:
8741 nft_use_dec(&flowtable->use);
8742 fallthrough;
8743 default:
8744 return;
8745 }
8746 }
8747 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8748
8749 static struct nft_flowtable *
nft_flowtable_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8750 nft_flowtable_lookup_byhandle(const struct nft_table *table,
8751 const struct nlattr *nla, u8 genmask)
8752 {
8753 struct nft_flowtable *flowtable;
8754
8755 list_for_each_entry(flowtable, &table->flowtables, list) {
8756 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8757 nft_active_genmask(flowtable, genmask))
8758 return flowtable;
8759 }
8760 return ERR_PTR(-ENOENT);
8761 }
8762
8763 struct nft_flowtable_hook {
8764 u32 num;
8765 int priority;
8766 struct list_head list;
8767 };
8768
8769 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8770 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8771 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8772 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8773 };
8774
nft_flowtable_parse_hook(const struct nft_ctx * ctx,const struct nlattr * const nla[],struct nft_flowtable_hook * flowtable_hook,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack,bool add)8775 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8776 const struct nlattr * const nla[],
8777 struct nft_flowtable_hook *flowtable_hook,
8778 struct nft_flowtable *flowtable,
8779 struct netlink_ext_ack *extack, bool add)
8780 {
8781 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8782 struct nf_hook_ops *ops;
8783 struct nft_hook *hook;
8784 int hooknum, priority;
8785 int err;
8786
8787 INIT_LIST_HEAD(&flowtable_hook->list);
8788
8789 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8790 nla[NFTA_FLOWTABLE_HOOK],
8791 nft_flowtable_hook_policy, NULL);
8792 if (err < 0)
8793 return err;
8794
8795 if (add) {
8796 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8797 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8798 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8799 return -ENOENT;
8800 }
8801
8802 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8803 if (hooknum != NF_NETDEV_INGRESS)
8804 return -EOPNOTSUPP;
8805
8806 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8807
8808 flowtable_hook->priority = priority;
8809 flowtable_hook->num = hooknum;
8810 } else {
8811 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8812 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8813 if (hooknum != flowtable->hooknum)
8814 return -EOPNOTSUPP;
8815 }
8816
8817 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8818 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8819 if (priority != flowtable->data.priority)
8820 return -EOPNOTSUPP;
8821 }
8822
8823 flowtable_hook->priority = flowtable->data.priority;
8824 flowtable_hook->num = flowtable->hooknum;
8825 }
8826
8827 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8828 err = nf_tables_parse_netdev_hooks(ctx->net,
8829 tb[NFTA_FLOWTABLE_HOOK_DEVS],
8830 &flowtable_hook->list,
8831 extack);
8832 if (err < 0)
8833 return err;
8834 }
8835
8836 list_for_each_entry(hook, &flowtable_hook->list, list) {
8837 list_for_each_entry(ops, &hook->ops_list, list) {
8838 ops->pf = NFPROTO_NETDEV;
8839 ops->hooknum = flowtable_hook->num;
8840 ops->priority = flowtable_hook->priority;
8841 ops->priv = &flowtable->data;
8842 ops->hook = flowtable->data.type->hook;
8843 ops->hook_ops_type = NF_HOOK_OP_NFT_FT;
8844 }
8845 }
8846
8847 return err;
8848 }
8849
8850 /* call under rcu_read_lock */
__nft_flowtable_type_get(u8 family)8851 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
8852 {
8853 const struct nf_flowtable_type *type;
8854
8855 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
8856 if (family == type->family)
8857 return type;
8858 }
8859 return NULL;
8860 }
8861
8862 static const struct nf_flowtable_type *
nft_flowtable_type_get(struct net * net,u8 family)8863 nft_flowtable_type_get(struct net *net, u8 family)
8864 {
8865 const struct nf_flowtable_type *type;
8866
8867 rcu_read_lock();
8868 type = __nft_flowtable_type_get(family);
8869 if (type != NULL && try_module_get(type->owner)) {
8870 rcu_read_unlock();
8871 return type;
8872 }
8873 rcu_read_unlock();
8874
8875 lockdep_nfnl_nft_mutex_not_held();
8876 #ifdef CONFIG_MODULES
8877 if (type == NULL) {
8878 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
8879 return ERR_PTR(-EAGAIN);
8880 }
8881 #endif
8882 return ERR_PTR(-ENOENT);
8883 }
8884
8885 /* Only called from error and netdev event paths. */
nft_unregister_flowtable_ops(struct net * net,struct nft_flowtable * flowtable,struct nf_hook_ops * ops)8886 static void nft_unregister_flowtable_ops(struct net *net,
8887 struct nft_flowtable *flowtable,
8888 struct nf_hook_ops *ops)
8889 {
8890 nf_unregister_net_hook(net, ops);
8891 flowtable->data.type->setup(&flowtable->data, ops->dev,
8892 FLOW_BLOCK_UNBIND);
8893 }
8894
__nft_unregister_flowtable_net_hooks(struct net * net,struct nft_flowtable * flowtable,struct list_head * hook_list,bool release_netdev)8895 static void __nft_unregister_flowtable_net_hooks(struct net *net,
8896 struct nft_flowtable *flowtable,
8897 struct list_head *hook_list,
8898 bool release_netdev)
8899 {
8900 struct nft_hook *hook, *next;
8901 struct nf_hook_ops *ops;
8902
8903 list_for_each_entry_safe(hook, next, hook_list, list) {
8904 list_for_each_entry(ops, &hook->ops_list, list)
8905 nft_unregister_flowtable_ops(net, flowtable, ops);
8906 if (release_netdev) {
8907 list_del(&hook->list);
8908 nft_netdev_hook_free_rcu(hook);
8909 }
8910 }
8911 }
8912
nft_unregister_flowtable_net_hooks(struct net * net,struct nft_flowtable * flowtable,struct list_head * hook_list)8913 static void nft_unregister_flowtable_net_hooks(struct net *net,
8914 struct nft_flowtable *flowtable,
8915 struct list_head *hook_list)
8916 {
8917 __nft_unregister_flowtable_net_hooks(net, flowtable, hook_list, false);
8918 }
8919
nft_register_flowtable_ops(struct net * net,struct nft_flowtable * flowtable,struct nf_hook_ops * ops)8920 static int nft_register_flowtable_ops(struct net *net,
8921 struct nft_flowtable *flowtable,
8922 struct nf_hook_ops *ops)
8923 {
8924 int err;
8925
8926 err = flowtable->data.type->setup(&flowtable->data,
8927 ops->dev, FLOW_BLOCK_BIND);
8928 if (err < 0)
8929 return err;
8930
8931 err = nf_register_net_hook(net, ops);
8932 if (!err)
8933 return 0;
8934
8935 flowtable->data.type->setup(&flowtable->data,
8936 ops->dev, FLOW_BLOCK_UNBIND);
8937 return err;
8938 }
8939
nft_register_flowtable_net_hooks(struct net * net,struct nft_table * table,struct list_head * hook_list,struct nft_flowtable * flowtable)8940 static int nft_register_flowtable_net_hooks(struct net *net,
8941 struct nft_table *table,
8942 struct list_head *hook_list,
8943 struct nft_flowtable *flowtable)
8944 {
8945 struct nft_hook *hook, *next;
8946 struct nft_flowtable *ft;
8947 struct nf_hook_ops *ops;
8948 int err, i = 0;
8949
8950 list_for_each_entry(hook, hook_list, list) {
8951 list_for_each_entry(ft, &table->flowtables, list) {
8952 if (!nft_is_active_next(net, ft))
8953 continue;
8954
8955 if (nft_hook_list_find(&ft->hook_list, hook)) {
8956 err = -EEXIST;
8957 goto err_unregister_net_hooks;
8958 }
8959 }
8960
8961 list_for_each_entry(ops, &hook->ops_list, list) {
8962 err = nft_register_flowtable_ops(net, flowtable, ops);
8963 if (err < 0)
8964 goto err_unregister_net_hooks;
8965
8966 i++;
8967 }
8968 }
8969
8970 return 0;
8971
8972 err_unregister_net_hooks:
8973 list_for_each_entry_safe(hook, next, hook_list, list) {
8974 list_for_each_entry(ops, &hook->ops_list, list) {
8975 if (i-- <= 0)
8976 break;
8977
8978 nft_unregister_flowtable_ops(net, flowtable, ops);
8979 }
8980 list_del_rcu(&hook->list);
8981 nft_netdev_hook_free_rcu(hook);
8982 }
8983
8984 return err;
8985 }
8986
nft_hooks_destroy(struct list_head * hook_list)8987 static void nft_hooks_destroy(struct list_head *hook_list)
8988 {
8989 struct nft_hook *hook, *next;
8990
8991 list_for_each_entry_safe(hook, next, hook_list, list) {
8992 list_del_rcu(&hook->list);
8993 nft_netdev_hook_free_rcu(hook);
8994 }
8995 }
8996
nft_flowtable_update(struct nft_ctx * ctx,const struct nlmsghdr * nlh,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)8997 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
8998 struct nft_flowtable *flowtable,
8999 struct netlink_ext_ack *extack)
9000 {
9001 const struct nlattr * const *nla = ctx->nla;
9002 struct nft_flowtable_hook flowtable_hook;
9003 struct nftables_pernet *nft_net;
9004 struct nft_hook *hook, *next;
9005 struct nf_hook_ops *ops;
9006 struct nft_trans *trans;
9007 bool unregister = false;
9008 u32 flags;
9009 int err;
9010
9011 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
9012 extack, false);
9013 if (err < 0)
9014 return err;
9015
9016 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
9017 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
9018 list_del(&hook->list);
9019 nft_netdev_hook_free(hook);
9020 continue;
9021 }
9022
9023 nft_net = nft_pernet(ctx->net);
9024 list_for_each_entry(trans, &nft_net->commit_list, list) {
9025 if (trans->msg_type != NFT_MSG_NEWFLOWTABLE ||
9026 trans->table != ctx->table ||
9027 !nft_trans_flowtable_update(trans))
9028 continue;
9029
9030 if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) {
9031 err = -EEXIST;
9032 goto err_flowtable_update_hook;
9033 }
9034 }
9035 }
9036
9037 if (nla[NFTA_FLOWTABLE_FLAGS]) {
9038 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
9039 if (flags & ~NFT_FLOWTABLE_MASK) {
9040 err = -EOPNOTSUPP;
9041 goto err_flowtable_update_hook;
9042 }
9043 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
9044 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
9045 err = -EOPNOTSUPP;
9046 goto err_flowtable_update_hook;
9047 }
9048 } else {
9049 flags = flowtable->data.flags;
9050 }
9051
9052 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
9053 &flowtable_hook.list, flowtable);
9054 if (err < 0)
9055 goto err_flowtable_update_hook;
9056
9057 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
9058 sizeof(struct nft_trans_flowtable));
9059 if (!trans) {
9060 unregister = true;
9061 err = -ENOMEM;
9062 goto err_flowtable_update_hook;
9063 }
9064
9065 nft_trans_flowtable_flags(trans) = flags;
9066 nft_trans_flowtable(trans) = flowtable;
9067 nft_trans_flowtable_update(trans) = true;
9068 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
9069 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
9070
9071 nft_trans_commit_list_add_tail(ctx->net, trans);
9072
9073 return 0;
9074
9075 err_flowtable_update_hook:
9076 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
9077 if (unregister) {
9078 list_for_each_entry(ops, &hook->ops_list, list)
9079 nft_unregister_flowtable_ops(ctx->net,
9080 flowtable, ops);
9081 }
9082 list_del_rcu(&hook->list);
9083 nft_netdev_hook_free_rcu(hook);
9084 }
9085
9086 return err;
9087
9088 }
9089
nf_tables_newflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9090 static int nf_tables_newflowtable(struct sk_buff *skb,
9091 const struct nfnl_info *info,
9092 const struct nlattr * const nla[])
9093 {
9094 struct netlink_ext_ack *extack = info->extack;
9095 struct nft_flowtable_hook flowtable_hook;
9096 u8 genmask = nft_genmask_next(info->net);
9097 u8 family = info->nfmsg->nfgen_family;
9098 const struct nf_flowtable_type *type;
9099 struct nft_flowtable *flowtable;
9100 struct net *net = info->net;
9101 struct nft_table *table;
9102 struct nft_trans *trans;
9103 struct nft_ctx ctx;
9104 int err;
9105
9106 if (!nla[NFTA_FLOWTABLE_TABLE] ||
9107 !nla[NFTA_FLOWTABLE_NAME] ||
9108 !nla[NFTA_FLOWTABLE_HOOK])
9109 return -EINVAL;
9110
9111 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9112 genmask, NETLINK_CB(skb).portid);
9113 if (IS_ERR(table)) {
9114 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9115 return PTR_ERR(table);
9116 }
9117
9118 flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME],
9119 genmask);
9120 if (IS_ERR(flowtable)) {
9121 err = PTR_ERR(flowtable);
9122 if (err != -ENOENT) {
9123 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9124 return err;
9125 }
9126 } else {
9127 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
9128 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9129 return -EEXIST;
9130 }
9131
9132 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
9133
9134 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
9135 }
9136
9137 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
9138
9139 if (!nft_use_inc(&table->use))
9140 return -EMFILE;
9141
9142 flowtable = kzalloc_obj(*flowtable, GFP_KERNEL_ACCOUNT);
9143 if (!flowtable) {
9144 err = -ENOMEM;
9145 goto flowtable_alloc;
9146 }
9147
9148 flowtable->table = table;
9149 flowtable->handle = nf_tables_alloc_handle(table);
9150 INIT_LIST_HEAD(&flowtable->hook_list);
9151
9152 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
9153 if (!flowtable->name) {
9154 err = -ENOMEM;
9155 goto err1;
9156 }
9157
9158 type = nft_flowtable_type_get(net, family);
9159 if (IS_ERR(type)) {
9160 err = PTR_ERR(type);
9161 goto err2;
9162 }
9163
9164 if (nla[NFTA_FLOWTABLE_FLAGS]) {
9165 flowtable->data.flags =
9166 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
9167 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
9168 err = -EOPNOTSUPP;
9169 goto err3;
9170 }
9171 }
9172
9173 write_pnet(&flowtable->data.net, net);
9174 flowtable->data.type = type;
9175 err = type->init(&flowtable->data);
9176 if (err < 0)
9177 goto err3;
9178
9179 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
9180 extack, true);
9181 if (err < 0)
9182 goto err_flowtable_parse_hooks;
9183
9184 list_splice(&flowtable_hook.list, &flowtable->hook_list);
9185 flowtable->data.priority = flowtable_hook.priority;
9186 flowtable->hooknum = flowtable_hook.num;
9187
9188 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
9189 if (IS_ERR(trans)) {
9190 err = PTR_ERR(trans);
9191 goto err_flowtable_trans;
9192 }
9193
9194 /* This must be LAST to ensure no packets are walking over this flowtable. */
9195 err = nft_register_flowtable_net_hooks(ctx.net, table,
9196 &flowtable->hook_list,
9197 flowtable);
9198 if (err < 0)
9199 goto err_flowtable_hooks;
9200
9201 list_add_tail_rcu(&flowtable->list, &table->flowtables);
9202
9203 return 0;
9204
9205 err_flowtable_hooks:
9206 synchronize_rcu();
9207 nft_trans_destroy(trans);
9208 err_flowtable_trans:
9209 nft_hooks_destroy(&flowtable->hook_list);
9210 err_flowtable_parse_hooks:
9211 flowtable->data.type->free(&flowtable->data);
9212 err3:
9213 module_put(type->owner);
9214 err2:
9215 kfree(flowtable->name);
9216 err1:
9217 kfree(flowtable);
9218 flowtable_alloc:
9219 nft_use_dec_restore(&table->use);
9220
9221 return err;
9222 }
9223
nft_flowtable_hook_release(struct nft_flowtable_hook * flowtable_hook)9224 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
9225 {
9226 struct nft_hook *this, *next;
9227
9228 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
9229 list_del(&this->list);
9230 nft_netdev_hook_free(this);
9231 }
9232 }
9233
nft_delflowtable_hook(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)9234 static int nft_delflowtable_hook(struct nft_ctx *ctx,
9235 struct nft_flowtable *flowtable,
9236 struct netlink_ext_ack *extack)
9237 {
9238 const struct nlattr * const *nla = ctx->nla;
9239 struct nft_flowtable_hook flowtable_hook;
9240 LIST_HEAD(flowtable_del_list);
9241 struct nft_hook *this, *hook;
9242 struct nft_trans *trans;
9243 int err;
9244
9245 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
9246 extack, false);
9247 if (err < 0)
9248 return err;
9249
9250 list_for_each_entry(this, &flowtable_hook.list, list) {
9251 hook = nft_hook_list_find(&flowtable->hook_list, this);
9252 if (!hook) {
9253 err = -ENOENT;
9254 goto err_flowtable_del_hook;
9255 }
9256 list_move(&hook->list, &flowtable_del_list);
9257 }
9258
9259 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
9260 sizeof(struct nft_trans_flowtable));
9261 if (!trans) {
9262 err = -ENOMEM;
9263 goto err_flowtable_del_hook;
9264 }
9265
9266 nft_trans_flowtable(trans) = flowtable;
9267 nft_trans_flowtable_update(trans) = true;
9268 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
9269 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
9270 nft_flowtable_hook_release(&flowtable_hook);
9271
9272 nft_trans_commit_list_add_tail(ctx->net, trans);
9273
9274 return 0;
9275
9276 err_flowtable_del_hook:
9277 list_splice(&flowtable_del_list, &flowtable->hook_list);
9278 nft_flowtable_hook_release(&flowtable_hook);
9279
9280 return err;
9281 }
9282
nf_tables_delflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9283 static int nf_tables_delflowtable(struct sk_buff *skb,
9284 const struct nfnl_info *info,
9285 const struct nlattr * const nla[])
9286 {
9287 struct netlink_ext_ack *extack = info->extack;
9288 u8 genmask = nft_genmask_next(info->net);
9289 u8 family = info->nfmsg->nfgen_family;
9290 struct nft_flowtable *flowtable;
9291 struct net *net = info->net;
9292 const struct nlattr *attr;
9293 struct nft_table *table;
9294 struct nft_ctx ctx;
9295
9296 if (!nla[NFTA_FLOWTABLE_TABLE] ||
9297 (!nla[NFTA_FLOWTABLE_NAME] &&
9298 !nla[NFTA_FLOWTABLE_HANDLE]))
9299 return -EINVAL;
9300
9301 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9302 genmask, NETLINK_CB(skb).portid);
9303 if (IS_ERR(table)) {
9304 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9305 return PTR_ERR(table);
9306 }
9307
9308 if (nla[NFTA_FLOWTABLE_HANDLE]) {
9309 attr = nla[NFTA_FLOWTABLE_HANDLE];
9310 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
9311 } else {
9312 attr = nla[NFTA_FLOWTABLE_NAME];
9313 flowtable = nft_flowtable_lookup(net, table, attr, genmask);
9314 }
9315
9316 if (IS_ERR(flowtable)) {
9317 if (PTR_ERR(flowtable) == -ENOENT &&
9318 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
9319 return 0;
9320
9321 NL_SET_BAD_ATTR(extack, attr);
9322 return PTR_ERR(flowtable);
9323 }
9324
9325 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
9326
9327 if (nla[NFTA_FLOWTABLE_HOOK])
9328 return nft_delflowtable_hook(&ctx, flowtable, extack);
9329
9330 if (flowtable->use > 0) {
9331 NL_SET_BAD_ATTR(extack, attr);
9332 return -EBUSY;
9333 }
9334
9335 return nft_delflowtable(&ctx, flowtable);
9336 }
9337
nf_tables_fill_flowtable_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,struct nft_flowtable * flowtable,struct list_head * hook_list)9338 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
9339 u32 portid, u32 seq, int event,
9340 u32 flags, int family,
9341 struct nft_flowtable *flowtable,
9342 struct list_head *hook_list)
9343 {
9344 struct nlattr *nest, *nest_devs;
9345 struct nft_hook *hook;
9346 struct nlmsghdr *nlh;
9347
9348 nlh = nfnl_msg_put(skb, portid, seq,
9349 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
9350 flags, family, NFNETLINK_V0, nft_base_seq_be16(net));
9351 if (!nlh)
9352 goto nla_put_failure;
9353
9354 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
9355 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
9356 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
9357 NFTA_FLOWTABLE_PAD))
9358 goto nla_put_failure;
9359
9360 if (!hook_list &&
9361 (event == NFT_MSG_DELFLOWTABLE ||
9362 event == NFT_MSG_DESTROYFLOWTABLE)) {
9363 nlmsg_end(skb, nlh);
9364 return 0;
9365 }
9366
9367 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
9368 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
9369 goto nla_put_failure;
9370
9371 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
9372 if (!nest)
9373 goto nla_put_failure;
9374 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
9375 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
9376 goto nla_put_failure;
9377
9378 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
9379 if (!nest_devs)
9380 goto nla_put_failure;
9381
9382 if (!hook_list)
9383 hook_list = &flowtable->hook_list;
9384
9385 list_for_each_entry_rcu(hook, hook_list, list,
9386 lockdep_commit_lock_is_held(net)) {
9387 if (nft_nla_put_hook_dev(skb, hook))
9388 goto nla_put_failure;
9389 }
9390 nla_nest_end(skb, nest_devs);
9391 nla_nest_end(skb, nest);
9392
9393 nlmsg_end(skb, nlh);
9394 return 0;
9395
9396 nla_put_failure:
9397 nlmsg_trim(skb, nlh);
9398 return -1;
9399 }
9400
9401 struct nft_flowtable_filter {
9402 char *table;
9403 };
9404
nf_tables_dump_flowtable(struct sk_buff * skb,struct netlink_callback * cb)9405 static int nf_tables_dump_flowtable(struct sk_buff *skb,
9406 struct netlink_callback *cb)
9407 {
9408 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
9409 struct nft_flowtable_filter *filter = cb->data;
9410 unsigned int idx = 0, s_idx = cb->args[0];
9411 struct net *net = sock_net(skb->sk);
9412 int family = nfmsg->nfgen_family;
9413 struct nft_flowtable *flowtable;
9414 struct nftables_pernet *nft_net;
9415 const struct nft_table *table;
9416
9417 rcu_read_lock();
9418 nft_net = nft_pernet(net);
9419 cb->seq = nft_base_seq(net);
9420
9421 list_for_each_entry_rcu(table, &nft_net->tables, list) {
9422 if (family != NFPROTO_UNSPEC && family != table->family)
9423 continue;
9424
9425 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
9426 if (!nft_is_active(net, flowtable))
9427 goto cont;
9428 if (idx < s_idx)
9429 goto cont;
9430 if (idx > s_idx)
9431 memset(&cb->args[1], 0,
9432 sizeof(cb->args) - sizeof(cb->args[0]));
9433 if (filter && filter->table &&
9434 strcmp(filter->table, table->name))
9435 goto cont;
9436
9437 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
9438 cb->nlh->nlmsg_seq,
9439 NFT_MSG_NEWFLOWTABLE,
9440 NLM_F_MULTI | NLM_F_APPEND,
9441 table->family,
9442 flowtable, NULL) < 0)
9443 goto done;
9444
9445 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
9446 cont:
9447 idx++;
9448 }
9449 }
9450 done:
9451 rcu_read_unlock();
9452
9453 cb->args[0] = idx;
9454 return skb->len;
9455 }
9456
nf_tables_dump_flowtable_start(struct netlink_callback * cb)9457 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
9458 {
9459 const struct nlattr * const *nla = cb->data;
9460 struct nft_flowtable_filter *filter = NULL;
9461
9462 if (nla[NFTA_FLOWTABLE_TABLE]) {
9463 filter = kzalloc_obj(*filter, GFP_ATOMIC);
9464 if (!filter)
9465 return -ENOMEM;
9466
9467 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
9468 GFP_ATOMIC);
9469 if (!filter->table) {
9470 kfree(filter);
9471 return -ENOMEM;
9472 }
9473 }
9474
9475 cb->data = filter;
9476 return 0;
9477 }
9478
nf_tables_dump_flowtable_done(struct netlink_callback * cb)9479 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
9480 {
9481 struct nft_flowtable_filter *filter = cb->data;
9482
9483 if (!filter)
9484 return 0;
9485
9486 kfree(filter->table);
9487 kfree(filter);
9488
9489 return 0;
9490 }
9491
9492 /* called with rcu_read_lock held */
nf_tables_getflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9493 static int nf_tables_getflowtable(struct sk_buff *skb,
9494 const struct nfnl_info *info,
9495 const struct nlattr * const nla[])
9496 {
9497 struct netlink_ext_ack *extack = info->extack;
9498 u8 genmask = nft_genmask_cur(info->net);
9499 u8 family = info->nfmsg->nfgen_family;
9500 struct nft_flowtable *flowtable;
9501 const struct nft_table *table;
9502 struct net *net = info->net;
9503 struct sk_buff *skb2;
9504 int err;
9505
9506 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
9507 struct netlink_dump_control c = {
9508 .start = nf_tables_dump_flowtable_start,
9509 .dump = nf_tables_dump_flowtable,
9510 .done = nf_tables_dump_flowtable_done,
9511 .module = THIS_MODULE,
9512 .data = (void *)nla,
9513 };
9514
9515 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
9516 }
9517
9518 if (!nla[NFTA_FLOWTABLE_NAME])
9519 return -EINVAL;
9520
9521 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9522 genmask, 0);
9523 if (IS_ERR(table)) {
9524 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9525 return PTR_ERR(table);
9526 }
9527
9528 flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME],
9529 genmask);
9530 if (IS_ERR(flowtable)) {
9531 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9532 return PTR_ERR(flowtable);
9533 }
9534
9535 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9536 if (!skb2)
9537 return -ENOMEM;
9538
9539 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
9540 info->nlh->nlmsg_seq,
9541 NFT_MSG_NEWFLOWTABLE, 0, family,
9542 flowtable, NULL);
9543 if (err < 0)
9544 goto err_fill_flowtable_info;
9545
9546 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
9547
9548 err_fill_flowtable_info:
9549 kfree_skb(skb2);
9550 return err;
9551 }
9552
nf_tables_flowtable_notify(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct list_head * hook_list,int event)9553 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
9554 struct nft_flowtable *flowtable,
9555 struct list_head *hook_list, int event)
9556 {
9557 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
9558 struct sk_buff *skb;
9559 u16 flags = 0;
9560 int err;
9561
9562 if (!ctx->report &&
9563 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
9564 return;
9565
9566 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9567 if (skb == NULL)
9568 goto err;
9569
9570 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
9571 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
9572
9573 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
9574 ctx->seq, event, flags,
9575 ctx->family, flowtable, hook_list);
9576 if (err < 0) {
9577 kfree_skb(skb);
9578 goto err;
9579 }
9580
9581 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
9582 return;
9583 err:
9584 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
9585 }
9586
nf_tables_flowtable_destroy(struct nft_flowtable * flowtable)9587 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
9588 {
9589 struct nft_hook *hook, *next;
9590
9591 flowtable->data.type->free(&flowtable->data);
9592 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
9593 list_del_rcu(&hook->list);
9594 nft_netdev_hook_free_rcu(hook);
9595 }
9596 kfree(flowtable->name);
9597 module_put(flowtable->data.type->owner);
9598 kfree(flowtable);
9599 }
9600
nf_tables_fill_gen_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq)9601 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
9602 u32 portid, u32 seq)
9603 {
9604 struct nlmsghdr *nlh;
9605 char buf[TASK_COMM_LEN];
9606 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
9607
9608 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
9609 NFNETLINK_V0, nft_base_seq_be16(net));
9610 if (!nlh)
9611 goto nla_put_failure;
9612
9613 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_base_seq(net))) ||
9614 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
9615 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
9616 goto nla_put_failure;
9617
9618 nlmsg_end(skb, nlh);
9619 return 0;
9620
9621 nla_put_failure:
9622 nlmsg_trim(skb, nlh);
9623 return -EMSGSIZE;
9624 }
9625
nft_hook_find_ops(const struct nft_hook * hook,const struct net_device * dev)9626 struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook,
9627 const struct net_device *dev)
9628 {
9629 struct nf_hook_ops *ops;
9630
9631 list_for_each_entry(ops, &hook->ops_list, list) {
9632 if (ops->dev == dev)
9633 return ops;
9634 }
9635 return NULL;
9636 }
9637 EXPORT_SYMBOL_GPL(nft_hook_find_ops);
9638
nft_hook_find_ops_rcu(const struct nft_hook * hook,const struct net_device * dev)9639 struct nf_hook_ops *nft_hook_find_ops_rcu(const struct nft_hook *hook,
9640 const struct net_device *dev)
9641 {
9642 struct nf_hook_ops *ops;
9643
9644 list_for_each_entry_rcu(ops, &hook->ops_list, list) {
9645 if (ops->dev == dev)
9646 return ops;
9647 }
9648 return NULL;
9649 }
9650 EXPORT_SYMBOL_GPL(nft_hook_find_ops_rcu);
9651
nft_flowtable_event(unsigned long event,struct net_device * dev,struct nft_flowtable * flowtable,bool changename)9652 static int nft_flowtable_event(unsigned long event, struct net_device *dev,
9653 struct nft_flowtable *flowtable, bool changename)
9654 {
9655 struct nf_hook_ops *ops;
9656 struct nft_hook *hook;
9657 bool match;
9658
9659 list_for_each_entry(hook, &flowtable->hook_list, list) {
9660 ops = nft_hook_find_ops(hook, dev);
9661 match = !strncmp(hook->ifname, dev->name, hook->ifnamelen);
9662
9663 switch (event) {
9664 case NETDEV_UNREGISTER:
9665 /* NOP if not found or new name still matching */
9666 if (!ops || (changename && match))
9667 continue;
9668
9669 /* flow_offload_netdev_event() cleans up entries for us. */
9670 nft_unregister_flowtable_ops(dev_net(dev),
9671 flowtable, ops);
9672 list_del_rcu(&ops->list);
9673 kfree_rcu(ops, rcu);
9674 break;
9675 case NETDEV_REGISTER:
9676 /* NOP if not matching or already registered */
9677 if (!match || ops)
9678 continue;
9679
9680 ops = kzalloc_obj(struct nf_hook_ops,
9681 GFP_KERNEL_ACCOUNT);
9682 if (!ops)
9683 return 1;
9684
9685 ops->pf = NFPROTO_NETDEV;
9686 ops->hooknum = flowtable->hooknum;
9687 ops->priority = flowtable->data.priority;
9688 ops->priv = &flowtable->data;
9689 ops->hook = flowtable->data.type->hook;
9690 ops->hook_ops_type = NF_HOOK_OP_NFT_FT;
9691 ops->dev = dev;
9692 if (nft_register_flowtable_ops(dev_net(dev),
9693 flowtable, ops)) {
9694 kfree(ops);
9695 return 1;
9696 }
9697 list_add_tail_rcu(&ops->list, &hook->ops_list);
9698 break;
9699 }
9700 break;
9701 }
9702 return 0;
9703 }
9704
__nf_tables_flowtable_event(unsigned long event,struct net_device * dev,bool changename)9705 static int __nf_tables_flowtable_event(unsigned long event,
9706 struct net_device *dev,
9707 bool changename)
9708 {
9709 struct nftables_pernet *nft_net = nft_pernet(dev_net(dev));
9710 struct nft_flowtable *flowtable;
9711 struct nft_table *table;
9712
9713 list_for_each_entry(table, &nft_net->tables, list) {
9714 list_for_each_entry(flowtable, &table->flowtables, list) {
9715 if (nft_flowtable_event(event, dev,
9716 flowtable, changename))
9717 return 1;
9718 }
9719 }
9720 return 0;
9721 }
9722
nf_tables_flowtable_event(struct notifier_block * this,unsigned long event,void * ptr)9723 static int nf_tables_flowtable_event(struct notifier_block *this,
9724 unsigned long event, void *ptr)
9725 {
9726 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
9727 struct nftables_pernet *nft_net;
9728 int ret = NOTIFY_DONE;
9729 struct net *net;
9730
9731 if (event != NETDEV_REGISTER &&
9732 event != NETDEV_UNREGISTER &&
9733 event != NETDEV_CHANGENAME)
9734 return NOTIFY_DONE;
9735
9736 net = dev_net(dev);
9737 nft_net = nft_pernet(net);
9738 mutex_lock(&nft_net->commit_mutex);
9739
9740 if (event == NETDEV_CHANGENAME) {
9741 if (__nf_tables_flowtable_event(NETDEV_REGISTER, dev, true)) {
9742 ret = NOTIFY_BAD;
9743 goto out_unlock;
9744 }
9745 __nf_tables_flowtable_event(NETDEV_UNREGISTER, dev, true);
9746 } else if (__nf_tables_flowtable_event(event, dev, false)) {
9747 ret = NOTIFY_BAD;
9748 }
9749 out_unlock:
9750 mutex_unlock(&nft_net->commit_mutex);
9751 return ret;
9752 }
9753
9754 static struct notifier_block nf_tables_flowtable_notifier = {
9755 .notifier_call = nf_tables_flowtable_event,
9756 };
9757
nf_tables_gen_notify(struct net * net,struct sk_buff * skb,int event)9758 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
9759 int event)
9760 {
9761 struct nlmsghdr *nlh = nlmsg_hdr(skb);
9762 struct sk_buff *skb2;
9763 int err;
9764
9765 if (!nlmsg_report(nlh) &&
9766 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
9767 return;
9768
9769 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9770 if (skb2 == NULL)
9771 goto err;
9772
9773 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
9774 nlh->nlmsg_seq);
9775 if (err < 0) {
9776 kfree_skb(skb2);
9777 goto err;
9778 }
9779
9780 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9781 nlmsg_report(nlh), GFP_KERNEL);
9782 return;
9783 err:
9784 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9785 -ENOBUFS);
9786 }
9787
nf_tables_getgen(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9788 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
9789 const struct nlattr * const nla[])
9790 {
9791 struct sk_buff *skb2;
9792 int err;
9793
9794 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9795 if (skb2 == NULL)
9796 return -ENOMEM;
9797
9798 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
9799 info->nlh->nlmsg_seq);
9800 if (err < 0)
9801 goto err_fill_gen_info;
9802
9803 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
9804
9805 err_fill_gen_info:
9806 kfree_skb(skb2);
9807 return err;
9808 }
9809
9810 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
9811 [NFT_MSG_NEWTABLE] = {
9812 .call = nf_tables_newtable,
9813 .type = NFNL_CB_BATCH,
9814 .attr_count = NFTA_TABLE_MAX,
9815 .policy = nft_table_policy,
9816 },
9817 [NFT_MSG_GETTABLE] = {
9818 .call = nf_tables_gettable,
9819 .type = NFNL_CB_RCU,
9820 .attr_count = NFTA_TABLE_MAX,
9821 .policy = nft_table_policy,
9822 },
9823 [NFT_MSG_DELTABLE] = {
9824 .call = nf_tables_deltable,
9825 .type = NFNL_CB_BATCH,
9826 .attr_count = NFTA_TABLE_MAX,
9827 .policy = nft_table_policy,
9828 },
9829 [NFT_MSG_DESTROYTABLE] = {
9830 .call = nf_tables_deltable,
9831 .type = NFNL_CB_BATCH,
9832 .attr_count = NFTA_TABLE_MAX,
9833 .policy = nft_table_policy,
9834 },
9835 [NFT_MSG_NEWCHAIN] = {
9836 .call = nf_tables_newchain,
9837 .type = NFNL_CB_BATCH,
9838 .attr_count = NFTA_CHAIN_MAX,
9839 .policy = nft_chain_policy,
9840 },
9841 [NFT_MSG_GETCHAIN] = {
9842 .call = nf_tables_getchain,
9843 .type = NFNL_CB_RCU,
9844 .attr_count = NFTA_CHAIN_MAX,
9845 .policy = nft_chain_policy,
9846 },
9847 [NFT_MSG_DELCHAIN] = {
9848 .call = nf_tables_delchain,
9849 .type = NFNL_CB_BATCH,
9850 .attr_count = NFTA_CHAIN_MAX,
9851 .policy = nft_chain_policy,
9852 },
9853 [NFT_MSG_DESTROYCHAIN] = {
9854 .call = nf_tables_delchain,
9855 .type = NFNL_CB_BATCH,
9856 .attr_count = NFTA_CHAIN_MAX,
9857 .policy = nft_chain_policy,
9858 },
9859 [NFT_MSG_NEWRULE] = {
9860 .call = nf_tables_newrule,
9861 .type = NFNL_CB_BATCH,
9862 .attr_count = NFTA_RULE_MAX,
9863 .policy = nft_rule_policy,
9864 },
9865 [NFT_MSG_GETRULE] = {
9866 .call = nf_tables_getrule,
9867 .type = NFNL_CB_RCU,
9868 .attr_count = NFTA_RULE_MAX,
9869 .policy = nft_rule_policy,
9870 },
9871 [NFT_MSG_GETRULE_RESET] = {
9872 .call = nf_tables_getrule,
9873 .type = NFNL_CB_RCU,
9874 .attr_count = NFTA_RULE_MAX,
9875 .policy = nft_rule_policy,
9876 },
9877 [NFT_MSG_DELRULE] = {
9878 .call = nf_tables_delrule,
9879 .type = NFNL_CB_BATCH,
9880 .attr_count = NFTA_RULE_MAX,
9881 .policy = nft_rule_policy,
9882 },
9883 [NFT_MSG_DESTROYRULE] = {
9884 .call = nf_tables_delrule,
9885 .type = NFNL_CB_BATCH,
9886 .attr_count = NFTA_RULE_MAX,
9887 .policy = nft_rule_policy,
9888 },
9889 [NFT_MSG_NEWSET] = {
9890 .call = nf_tables_newset,
9891 .type = NFNL_CB_BATCH,
9892 .attr_count = NFTA_SET_MAX,
9893 .policy = nft_set_policy,
9894 },
9895 [NFT_MSG_GETSET] = {
9896 .call = nf_tables_getset,
9897 .type = NFNL_CB_RCU,
9898 .attr_count = NFTA_SET_MAX,
9899 .policy = nft_set_policy,
9900 },
9901 [NFT_MSG_DELSET] = {
9902 .call = nf_tables_delset,
9903 .type = NFNL_CB_BATCH,
9904 .attr_count = NFTA_SET_MAX,
9905 .policy = nft_set_policy,
9906 },
9907 [NFT_MSG_DESTROYSET] = {
9908 .call = nf_tables_delset,
9909 .type = NFNL_CB_BATCH,
9910 .attr_count = NFTA_SET_MAX,
9911 .policy = nft_set_policy,
9912 },
9913 [NFT_MSG_NEWSETELEM] = {
9914 .call = nf_tables_newsetelem,
9915 .type = NFNL_CB_BATCH,
9916 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9917 .policy = nft_set_elem_list_policy,
9918 },
9919 [NFT_MSG_GETSETELEM] = {
9920 .call = nf_tables_getsetelem,
9921 .type = NFNL_CB_RCU,
9922 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9923 .policy = nft_set_elem_list_policy,
9924 },
9925 [NFT_MSG_GETSETELEM_RESET] = {
9926 .call = nf_tables_getsetelem,
9927 .type = NFNL_CB_RCU,
9928 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9929 .policy = nft_set_elem_list_policy,
9930 },
9931 [NFT_MSG_DELSETELEM] = {
9932 .call = nf_tables_delsetelem,
9933 .type = NFNL_CB_BATCH,
9934 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9935 .policy = nft_set_elem_list_policy,
9936 },
9937 [NFT_MSG_DESTROYSETELEM] = {
9938 .call = nf_tables_delsetelem,
9939 .type = NFNL_CB_BATCH,
9940 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9941 .policy = nft_set_elem_list_policy,
9942 },
9943 [NFT_MSG_GETGEN] = {
9944 .call = nf_tables_getgen,
9945 .type = NFNL_CB_RCU,
9946 },
9947 [NFT_MSG_NEWOBJ] = {
9948 .call = nf_tables_newobj,
9949 .type = NFNL_CB_BATCH,
9950 .attr_count = NFTA_OBJ_MAX,
9951 .policy = nft_obj_policy,
9952 },
9953 [NFT_MSG_GETOBJ] = {
9954 .call = nf_tables_getobj,
9955 .type = NFNL_CB_RCU,
9956 .attr_count = NFTA_OBJ_MAX,
9957 .policy = nft_obj_policy,
9958 },
9959 [NFT_MSG_DELOBJ] = {
9960 .call = nf_tables_delobj,
9961 .type = NFNL_CB_BATCH,
9962 .attr_count = NFTA_OBJ_MAX,
9963 .policy = nft_obj_policy,
9964 },
9965 [NFT_MSG_DESTROYOBJ] = {
9966 .call = nf_tables_delobj,
9967 .type = NFNL_CB_BATCH,
9968 .attr_count = NFTA_OBJ_MAX,
9969 .policy = nft_obj_policy,
9970 },
9971 [NFT_MSG_GETOBJ_RESET] = {
9972 .call = nf_tables_getobj,
9973 .type = NFNL_CB_RCU,
9974 .attr_count = NFTA_OBJ_MAX,
9975 .policy = nft_obj_policy,
9976 },
9977 [NFT_MSG_NEWFLOWTABLE] = {
9978 .call = nf_tables_newflowtable,
9979 .type = NFNL_CB_BATCH,
9980 .attr_count = NFTA_FLOWTABLE_MAX,
9981 .policy = nft_flowtable_policy,
9982 },
9983 [NFT_MSG_GETFLOWTABLE] = {
9984 .call = nf_tables_getflowtable,
9985 .type = NFNL_CB_RCU,
9986 .attr_count = NFTA_FLOWTABLE_MAX,
9987 .policy = nft_flowtable_policy,
9988 },
9989 [NFT_MSG_DELFLOWTABLE] = {
9990 .call = nf_tables_delflowtable,
9991 .type = NFNL_CB_BATCH,
9992 .attr_count = NFTA_FLOWTABLE_MAX,
9993 .policy = nft_flowtable_policy,
9994 },
9995 [NFT_MSG_DESTROYFLOWTABLE] = {
9996 .call = nf_tables_delflowtable,
9997 .type = NFNL_CB_BATCH,
9998 .attr_count = NFTA_FLOWTABLE_MAX,
9999 .policy = nft_flowtable_policy,
10000 },
10001 };
10002
nf_tables_validate(struct net * net)10003 static int nf_tables_validate(struct net *net)
10004 {
10005 struct nftables_pernet *nft_net = nft_pernet(net);
10006 struct nft_table *table;
10007
10008 list_for_each_entry(table, &nft_net->tables, list) {
10009 switch (table->validate_state) {
10010 case NFT_VALIDATE_SKIP:
10011 continue;
10012 case NFT_VALIDATE_NEED:
10013 nft_validate_state_update(table, NFT_VALIDATE_DO);
10014 fallthrough;
10015 case NFT_VALIDATE_DO:
10016 if (nft_table_validate(net, table) < 0)
10017 return -EAGAIN;
10018
10019 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
10020 break;
10021 }
10022 }
10023
10024 return 0;
10025 }
10026
10027 /* a drop policy has to be deferred until all rules have been activated,
10028 * otherwise a large ruleset that contains a drop-policy base chain will
10029 * cause all packets to get dropped until the full transaction has been
10030 * processed.
10031 *
10032 * We defer the drop policy until the transaction has been finalized.
10033 */
nft_chain_commit_drop_policy(struct nft_trans_chain * trans)10034 static void nft_chain_commit_drop_policy(struct nft_trans_chain *trans)
10035 {
10036 struct nft_base_chain *basechain;
10037
10038 if (trans->policy != NF_DROP)
10039 return;
10040
10041 if (!nft_is_base_chain(trans->chain))
10042 return;
10043
10044 basechain = nft_base_chain(trans->chain);
10045 basechain->policy = NF_DROP;
10046 }
10047
nft_chain_commit_update(struct nft_trans_chain * trans)10048 static void nft_chain_commit_update(struct nft_trans_chain *trans)
10049 {
10050 struct nft_table *table = trans->nft_trans_binding.nft_trans.table;
10051 struct nft_base_chain *basechain;
10052
10053 if (trans->name) {
10054 rhltable_remove(&table->chains_ht,
10055 &trans->chain->rhlhead,
10056 nft_chain_ht_params);
10057 swap(trans->chain->name, trans->name);
10058 rhltable_insert_key(&table->chains_ht,
10059 trans->chain->name,
10060 &trans->chain->rhlhead,
10061 nft_chain_ht_params);
10062 }
10063
10064 if (!nft_is_base_chain(trans->chain))
10065 return;
10066
10067 nft_chain_stats_replace(trans);
10068
10069 basechain = nft_base_chain(trans->chain);
10070
10071 switch (trans->policy) {
10072 case NF_DROP:
10073 case NF_ACCEPT:
10074 basechain->policy = trans->policy;
10075 break;
10076 }
10077 }
10078
nft_obj_commit_update(const struct nft_ctx * ctx,struct nft_trans * trans)10079 static void nft_obj_commit_update(const struct nft_ctx *ctx,
10080 struct nft_trans *trans)
10081 {
10082 struct nft_object *newobj;
10083 struct nft_object *obj;
10084
10085 obj = nft_trans_obj(trans);
10086 newobj = nft_trans_obj_newobj(trans);
10087
10088 if (WARN_ON_ONCE(!obj->ops->update))
10089 return;
10090
10091 obj->ops->update(obj, newobj);
10092 nft_obj_destroy(ctx, newobj);
10093 }
10094
nft_commit_release(struct nft_trans * trans)10095 static void nft_commit_release(struct nft_trans *trans)
10096 {
10097 struct nft_ctx ctx = {
10098 .net = trans->net,
10099 };
10100
10101 nft_ctx_update(&ctx, trans);
10102
10103 switch (trans->msg_type) {
10104 case NFT_MSG_DELTABLE:
10105 case NFT_MSG_DESTROYTABLE:
10106 nf_tables_table_destroy(trans->table);
10107 break;
10108 case NFT_MSG_NEWCHAIN:
10109 free_percpu(nft_trans_chain_stats(trans));
10110 kfree(nft_trans_chain_name(trans));
10111 break;
10112 case NFT_MSG_DELCHAIN:
10113 case NFT_MSG_DESTROYCHAIN:
10114 if (nft_trans_chain_update(trans))
10115 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
10116 else
10117 nf_tables_chain_destroy(nft_trans_chain(trans));
10118 break;
10119 case NFT_MSG_DELRULE:
10120 case NFT_MSG_DESTROYRULE:
10121 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
10122 break;
10123 case NFT_MSG_DELSET:
10124 case NFT_MSG_DESTROYSET:
10125 nft_set_destroy(&ctx, nft_trans_set(trans));
10126 break;
10127 case NFT_MSG_DELSETELEM:
10128 case NFT_MSG_DESTROYSETELEM:
10129 nft_trans_elems_destroy(&ctx, nft_trans_container_elem(trans));
10130 break;
10131 case NFT_MSG_DELOBJ:
10132 case NFT_MSG_DESTROYOBJ:
10133 nft_obj_destroy(&ctx, nft_trans_obj(trans));
10134 break;
10135 case NFT_MSG_DELFLOWTABLE:
10136 case NFT_MSG_DESTROYFLOWTABLE:
10137 if (nft_trans_flowtable_update(trans))
10138 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
10139 else
10140 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10141 break;
10142 }
10143
10144 if (trans->put_net)
10145 put_net(trans->net);
10146
10147 kfree(trans);
10148 }
10149
nf_tables_trans_destroy_work(struct work_struct * w)10150 static void nf_tables_trans_destroy_work(struct work_struct *w)
10151 {
10152 struct nftables_pernet *nft_net = container_of(w, struct nftables_pernet, destroy_work);
10153 struct nft_trans *trans, *next;
10154 LIST_HEAD(head);
10155
10156 spin_lock(&nf_tables_destroy_list_lock);
10157 list_splice_init(&nft_net->destroy_list, &head);
10158 spin_unlock(&nf_tables_destroy_list_lock);
10159
10160 if (list_empty(&head))
10161 return;
10162
10163 synchronize_rcu();
10164
10165 list_for_each_entry_safe(trans, next, &head, list) {
10166 nft_trans_list_del(trans);
10167 nft_commit_release(trans);
10168 }
10169 }
10170
nf_tables_trans_destroy_flush_work(struct net * net)10171 void nf_tables_trans_destroy_flush_work(struct net *net)
10172 {
10173 struct nftables_pernet *nft_net = nft_pernet(net);
10174
10175 flush_work(&nft_net->destroy_work);
10176 }
10177 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
10178
nft_expr_reduce(struct nft_regs_track * track,const struct nft_expr * expr)10179 static bool nft_expr_reduce(struct nft_regs_track *track,
10180 const struct nft_expr *expr)
10181 {
10182 return false;
10183 }
10184
nf_tables_commit_chain_prepare(struct net * net,struct nft_chain * chain)10185 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
10186 {
10187 const struct nft_expr *expr, *last;
10188 struct nft_regs_track track = {};
10189 unsigned int size, data_size;
10190 void *data, *data_boundary;
10191 struct nft_rule_dp *prule;
10192 struct nft_rule *rule;
10193
10194 /* already handled or inactive chain? */
10195 if (chain->blob_next || !nft_is_active_next(net, chain))
10196 return 0;
10197
10198 data_size = 0;
10199 list_for_each_entry(rule, &chain->rules, list) {
10200 if (nft_is_active_next(net, rule)) {
10201 data_size += sizeof(*prule) + rule->dlen;
10202 if (data_size > INT_MAX)
10203 return -ENOMEM;
10204 }
10205 }
10206
10207 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
10208 if (!chain->blob_next)
10209 return -ENOMEM;
10210
10211 data = (void *)chain->blob_next->data;
10212 data_boundary = data + data_size;
10213 size = 0;
10214
10215 list_for_each_entry(rule, &chain->rules, list) {
10216 if (!nft_is_active_next(net, rule))
10217 continue;
10218
10219 prule = (struct nft_rule_dp *)data;
10220 data += offsetof(struct nft_rule_dp, data);
10221 if (WARN_ON_ONCE(data > data_boundary))
10222 return -ENOMEM;
10223
10224 size = 0;
10225 track.last = nft_expr_last(rule);
10226 nft_rule_for_each_expr(expr, last, rule) {
10227 track.cur = expr;
10228
10229 if (nft_expr_reduce(&track, expr)) {
10230 expr = track.cur;
10231 continue;
10232 }
10233
10234 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
10235 return -ENOMEM;
10236
10237 memcpy(data + size, expr, expr->ops->size);
10238 size += expr->ops->size;
10239 }
10240 if (WARN_ON_ONCE(size >= 1 << 12))
10241 return -ENOMEM;
10242
10243 prule->handle = rule->handle;
10244 prule->dlen = size;
10245 prule->is_last = 0;
10246
10247 data += size;
10248 size = 0;
10249 chain->blob_next->size += (unsigned long)(data - (void *)prule);
10250 }
10251
10252 if (WARN_ON_ONCE(data > data_boundary))
10253 return -ENOMEM;
10254
10255 prule = (struct nft_rule_dp *)data;
10256 nft_last_rule(chain, prule);
10257
10258 return 0;
10259 }
10260
nf_tables_commit_chain_prepare_cancel(struct net * net)10261 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
10262 {
10263 struct nftables_pernet *nft_net = nft_pernet(net);
10264 struct nft_trans *trans, *next;
10265
10266 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10267 if (trans->msg_type == NFT_MSG_NEWRULE ||
10268 trans->msg_type == NFT_MSG_DELRULE) {
10269 struct nft_chain *chain = nft_trans_rule_chain(trans);
10270
10271 kvfree(chain->blob_next);
10272 chain->blob_next = NULL;
10273 }
10274 }
10275 }
10276
__nf_tables_commit_chain_free_rules(struct rcu_head * h)10277 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
10278 {
10279 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
10280
10281 kvfree(l->blob);
10282 }
10283
nf_tables_commit_chain_free_rules_old(struct nft_rule_blob * blob)10284 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
10285 {
10286 struct nft_rule_dp_last *last;
10287
10288 /* last rule trailer is after end marker */
10289 last = (void *)blob + sizeof(*blob) + blob->size;
10290 last->blob = blob;
10291
10292 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
10293 }
10294
nf_tables_commit_chain(struct net * net,struct nft_chain * chain)10295 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
10296 {
10297 struct nft_rule_blob *g0, *g1;
10298 bool next_genbit;
10299
10300 next_genbit = nft_gencursor_next(net);
10301
10302 g0 = rcu_dereference_protected(chain->blob_gen_0,
10303 lockdep_commit_lock_is_held(net));
10304 g1 = rcu_dereference_protected(chain->blob_gen_1,
10305 lockdep_commit_lock_is_held(net));
10306
10307 /* No changes to this chain? */
10308 if (chain->blob_next == NULL) {
10309 /* chain had no change in last or next generation */
10310 if (g0 == g1)
10311 return;
10312 /*
10313 * chain had no change in this generation; make sure next
10314 * one uses same rules as current generation.
10315 */
10316 if (next_genbit) {
10317 rcu_assign_pointer(chain->blob_gen_1, g0);
10318 nf_tables_commit_chain_free_rules_old(g1);
10319 } else {
10320 rcu_assign_pointer(chain->blob_gen_0, g1);
10321 nf_tables_commit_chain_free_rules_old(g0);
10322 }
10323
10324 return;
10325 }
10326
10327 if (next_genbit)
10328 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
10329 else
10330 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
10331
10332 chain->blob_next = NULL;
10333
10334 if (g0 == g1)
10335 return;
10336
10337 if (next_genbit)
10338 nf_tables_commit_chain_free_rules_old(g1);
10339 else
10340 nf_tables_commit_chain_free_rules_old(g0);
10341 }
10342
nft_obj_del(struct nft_object * obj)10343 static void nft_obj_del(struct nft_object *obj)
10344 {
10345 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
10346 list_del_rcu(&obj->list);
10347 }
10348
nft_chain_del(struct nft_chain * chain)10349 void nft_chain_del(struct nft_chain *chain)
10350 {
10351 struct nft_table *table = chain->table;
10352
10353 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
10354 nft_chain_ht_params));
10355 list_del_rcu(&chain->list);
10356 }
10357
nft_trans_gc_setelem_remove(struct nft_ctx * ctx,struct nft_trans_gc * trans)10358 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
10359 struct nft_trans_gc *trans)
10360 {
10361 struct nft_elem_priv **priv = trans->priv;
10362 unsigned int i;
10363
10364 for (i = 0; i < trans->count; i++) {
10365 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]);
10366 nft_setelem_remove(ctx->net, trans->set, priv[i]);
10367 }
10368 }
10369
nft_trans_gc_destroy(struct nft_trans_gc * trans)10370 void nft_trans_gc_destroy(struct nft_trans_gc *trans)
10371 {
10372 nft_set_put(trans->set);
10373 put_net(trans->net);
10374 kfree(trans);
10375 }
10376
nft_trans_gc_trans_free(struct rcu_head * rcu)10377 static void nft_trans_gc_trans_free(struct rcu_head *rcu)
10378 {
10379 struct nft_elem_priv *elem_priv;
10380 struct nft_trans_gc *trans;
10381 struct nft_ctx ctx = {};
10382 unsigned int i;
10383
10384 trans = container_of(rcu, struct nft_trans_gc, rcu);
10385 ctx.net = read_pnet(&trans->set->net);
10386
10387 for (i = 0; i < trans->count; i++) {
10388 elem_priv = trans->priv[i];
10389 if (!nft_setelem_is_catchall(trans->set, elem_priv))
10390 atomic_dec(&trans->set->nelems);
10391
10392 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv);
10393 }
10394
10395 nft_trans_gc_destroy(trans);
10396 }
10397
nft_trans_gc_work_done(struct nft_trans_gc * trans)10398 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
10399 {
10400 struct nftables_pernet *nft_net;
10401 struct nft_ctx ctx = {};
10402
10403 nft_net = nft_pernet(trans->net);
10404
10405 mutex_lock(&nft_net->commit_mutex);
10406
10407 /* Check for race with transaction, otherwise this batch refers to
10408 * stale objects that might not be there anymore. Skip transaction if
10409 * set has been destroyed from control plane transaction in case gc
10410 * worker loses race.
10411 */
10412 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
10413 mutex_unlock(&nft_net->commit_mutex);
10414 return false;
10415 }
10416
10417 ctx.net = trans->net;
10418 ctx.table = trans->set->table;
10419
10420 nft_trans_gc_setelem_remove(&ctx, trans);
10421 mutex_unlock(&nft_net->commit_mutex);
10422
10423 return true;
10424 }
10425
nft_trans_gc_work(struct work_struct * work)10426 static void nft_trans_gc_work(struct work_struct *work)
10427 {
10428 struct nft_trans_gc *trans, *next;
10429 LIST_HEAD(trans_gc_list);
10430
10431 spin_lock(&nf_tables_gc_list_lock);
10432 list_splice_init(&nf_tables_gc_list, &trans_gc_list);
10433 spin_unlock(&nf_tables_gc_list_lock);
10434
10435 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
10436 list_del(&trans->list);
10437 if (!nft_trans_gc_work_done(trans)) {
10438 nft_trans_gc_destroy(trans);
10439 continue;
10440 }
10441 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
10442 }
10443 }
10444
nft_trans_gc_alloc(struct nft_set * set,unsigned int gc_seq,gfp_t gfp)10445 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
10446 unsigned int gc_seq, gfp_t gfp)
10447 {
10448 struct net *net = read_pnet(&set->net);
10449 struct nft_trans_gc *trans;
10450
10451 trans = kzalloc_obj(*trans, gfp);
10452 if (!trans)
10453 return NULL;
10454
10455 trans->net = maybe_get_net(net);
10456 if (!trans->net) {
10457 kfree(trans);
10458 return NULL;
10459 }
10460
10461 refcount_inc(&set->refs);
10462 trans->set = set;
10463 trans->seq = gc_seq;
10464
10465 return trans;
10466 }
10467
nft_trans_gc_elem_add(struct nft_trans_gc * trans,void * priv)10468 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
10469 {
10470 trans->priv[trans->count++] = priv;
10471 }
10472
nft_trans_gc_queue_work(struct nft_trans_gc * trans)10473 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
10474 {
10475 spin_lock(&nf_tables_gc_list_lock);
10476 list_add_tail(&trans->list, &nf_tables_gc_list);
10477 spin_unlock(&nf_tables_gc_list_lock);
10478
10479 schedule_work(&trans_gc_work);
10480 }
10481
nft_trans_gc_queue_async(struct nft_trans_gc * gc,unsigned int gc_seq,gfp_t gfp)10482 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
10483 unsigned int gc_seq, gfp_t gfp)
10484 {
10485 struct nft_set *set;
10486
10487 if (nft_trans_gc_space(gc))
10488 return gc;
10489
10490 set = gc->set;
10491 nft_trans_gc_queue_work(gc);
10492
10493 return nft_trans_gc_alloc(set, gc_seq, gfp);
10494 }
10495
nft_trans_gc_queue_async_done(struct nft_trans_gc * trans)10496 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
10497 {
10498 if (trans->count == 0) {
10499 nft_trans_gc_destroy(trans);
10500 return;
10501 }
10502
10503 nft_trans_gc_queue_work(trans);
10504 }
10505
nft_trans_gc_queue_sync(struct nft_trans_gc * gc,gfp_t gfp)10506 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
10507 {
10508 struct nft_set *set;
10509
10510 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
10511 return NULL;
10512
10513 if (nft_trans_gc_space(gc))
10514 return gc;
10515
10516 set = gc->set;
10517 call_rcu(&gc->rcu, nft_trans_gc_trans_free);
10518
10519 return nft_trans_gc_alloc(set, 0, gfp);
10520 }
10521
nft_trans_gc_queue_sync_done(struct nft_trans_gc * trans)10522 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
10523 {
10524 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
10525
10526 if (trans->count == 0) {
10527 nft_trans_gc_destroy(trans);
10528 return;
10529 }
10530
10531 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
10532 }
10533
nft_trans_gc_catchall_async(struct nft_trans_gc * gc,unsigned int gc_seq)10534 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
10535 unsigned int gc_seq)
10536 {
10537 struct nft_set_elem_catchall *catchall;
10538 const struct nft_set *set = gc->set;
10539 struct nft_set_ext *ext;
10540
10541 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
10542 ext = nft_set_elem_ext(set, catchall->elem);
10543
10544 if (!nft_set_elem_expired(ext))
10545 continue;
10546 if (nft_set_elem_is_dead(ext))
10547 goto dead_elem;
10548
10549 nft_set_elem_dead(ext);
10550 dead_elem:
10551 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
10552 if (!gc)
10553 return NULL;
10554
10555 nft_trans_gc_elem_add(gc, catchall->elem);
10556 }
10557
10558 return gc;
10559 }
10560
nft_trans_gc_catchall_sync(struct nft_trans_gc * gc)10561 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
10562 {
10563 struct nft_set_elem_catchall *catchall, *next;
10564 u64 tstamp = nft_net_tstamp(gc->net);
10565 const struct nft_set *set = gc->set;
10566 struct nft_elem_priv *elem_priv;
10567 struct nft_set_ext *ext;
10568
10569 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
10570
10571 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
10572 ext = nft_set_elem_ext(set, catchall->elem);
10573
10574 if (!__nft_set_elem_expired(ext, tstamp))
10575 continue;
10576
10577 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
10578 if (!gc)
10579 return NULL;
10580
10581 elem_priv = catchall->elem;
10582 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
10583 nft_setelem_catchall_destroy(catchall);
10584 nft_trans_gc_elem_add(gc, elem_priv);
10585 }
10586
10587 return gc;
10588 }
10589
nf_tables_module_autoload_cleanup(struct net * net)10590 static void nf_tables_module_autoload_cleanup(struct net *net)
10591 {
10592 struct nftables_pernet *nft_net = nft_pernet(net);
10593 struct nft_module_request *req, *next;
10594
10595 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10596 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
10597 WARN_ON_ONCE(!req->done);
10598 list_del(&req->list);
10599 kfree(req);
10600 }
10601 }
10602
nf_tables_commit_release(struct net * net)10603 static void nf_tables_commit_release(struct net *net)
10604 {
10605 struct nftables_pernet *nft_net = nft_pernet(net);
10606 struct nft_trans *trans;
10607
10608 /* all side effects have to be made visible.
10609 * For example, if a chain named 'foo' has been deleted, a
10610 * new transaction must not find it anymore.
10611 *
10612 * Memory reclaim happens asynchronously from work queue
10613 * to prevent expensive synchronize_rcu() in commit phase.
10614 */
10615 if (list_empty(&nft_net->commit_list)) {
10616 nf_tables_module_autoload_cleanup(net);
10617 mutex_unlock(&nft_net->commit_mutex);
10618 return;
10619 }
10620
10621 trans = list_last_entry(&nft_net->commit_list,
10622 struct nft_trans, list);
10623 get_net(trans->net);
10624 WARN_ON_ONCE(trans->put_net);
10625
10626 trans->put_net = true;
10627 spin_lock(&nf_tables_destroy_list_lock);
10628 list_splice_tail_init(&nft_net->commit_list, &nft_net->destroy_list);
10629 spin_unlock(&nf_tables_destroy_list_lock);
10630
10631 nf_tables_module_autoload_cleanup(net);
10632 schedule_work(&nft_net->destroy_work);
10633
10634 mutex_unlock(&nft_net->commit_mutex);
10635 }
10636
nft_commit_notify(struct net * net,u32 portid)10637 static void nft_commit_notify(struct net *net, u32 portid)
10638 {
10639 struct nftables_pernet *nft_net = nft_pernet(net);
10640 struct sk_buff *batch_skb = NULL, *nskb, *skb;
10641 unsigned char *data;
10642 int len;
10643
10644 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
10645 if (!batch_skb) {
10646 new_batch:
10647 batch_skb = skb;
10648 len = NLMSG_GOODSIZE - skb->len;
10649 list_del(&skb->list);
10650 continue;
10651 }
10652 len -= skb->len;
10653 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
10654 data = skb_put(batch_skb, skb->len);
10655 memcpy(data, skb->data, skb->len);
10656 list_del(&skb->list);
10657 kfree_skb(skb);
10658 continue;
10659 }
10660 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10661 NFT_CB(batch_skb).report, GFP_KERNEL);
10662 goto new_batch;
10663 }
10664
10665 if (batch_skb) {
10666 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10667 NFT_CB(batch_skb).report, GFP_KERNEL);
10668 }
10669
10670 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10671 }
10672
nf_tables_commit_audit_alloc(struct list_head * adl,struct nft_table * table)10673 static int nf_tables_commit_audit_alloc(struct list_head *adl,
10674 struct nft_table *table)
10675 {
10676 struct nft_audit_data *adp;
10677
10678 list_for_each_entry(adp, adl, list) {
10679 if (adp->table == table)
10680 return 0;
10681 }
10682 adp = kzalloc_obj(*adp);
10683 if (!adp)
10684 return -ENOMEM;
10685 adp->table = table;
10686 list_add(&adp->list, adl);
10687 return 0;
10688 }
10689
nf_tables_commit_audit_free(struct list_head * adl)10690 static void nf_tables_commit_audit_free(struct list_head *adl)
10691 {
10692 struct nft_audit_data *adp, *adn;
10693
10694 list_for_each_entry_safe(adp, adn, adl, list) {
10695 list_del(&adp->list);
10696 kfree(adp);
10697 }
10698 }
10699
10700 /* nft audit emits the number of elements that get added/removed/updated,
10701 * so NEW/DELSETELEM needs to increment based on the total elem count.
10702 */
nf_tables_commit_audit_entrycount(const struct nft_trans * trans)10703 static unsigned int nf_tables_commit_audit_entrycount(const struct nft_trans *trans)
10704 {
10705 switch (trans->msg_type) {
10706 case NFT_MSG_NEWSETELEM:
10707 case NFT_MSG_DELSETELEM:
10708 return nft_trans_container_elem(trans)->nelems;
10709 }
10710
10711 return 1;
10712 }
10713
nf_tables_commit_audit_collect(struct list_head * adl,const struct nft_trans * trans,u32 op)10714 static void nf_tables_commit_audit_collect(struct list_head *adl,
10715 const struct nft_trans *trans, u32 op)
10716 {
10717 const struct nft_table *table = trans->table;
10718 struct nft_audit_data *adp;
10719
10720 list_for_each_entry(adp, adl, list) {
10721 if (adp->table == table)
10722 goto found;
10723 }
10724 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
10725 return;
10726 found:
10727 adp->entries += nf_tables_commit_audit_entrycount(trans);
10728 if (!adp->op || adp->op > op)
10729 adp->op = op;
10730 }
10731
10732 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
10733
nf_tables_commit_audit_log(struct list_head * adl,u32 generation)10734 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
10735 {
10736 struct nft_audit_data *adp, *adn;
10737 char aubuf[AUNFTABLENAMELEN];
10738
10739 list_for_each_entry_safe(adp, adn, adl, list) {
10740 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
10741 generation);
10742 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
10743 nft2audit_op[adp->op], GFP_KERNEL);
10744 list_del(&adp->list);
10745 kfree(adp);
10746 }
10747 }
10748
nft_set_commit_update(struct list_head * set_update_list)10749 static void nft_set_commit_update(struct list_head *set_update_list)
10750 {
10751 struct nft_set *set, *next;
10752
10753 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10754 list_del_init(&set->pending_update);
10755
10756 if (!set->ops->commit || set->dead)
10757 continue;
10758
10759 set->ops->commit(set);
10760 }
10761 }
10762
nft_gc_seq_begin(struct nftables_pernet * nft_net)10763 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
10764 {
10765 unsigned int gc_seq;
10766
10767 /* Bump gc counter, it becomes odd, this is the busy mark. */
10768 gc_seq = READ_ONCE(nft_net->gc_seq);
10769 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10770
10771 return gc_seq;
10772 }
10773
nft_gc_seq_end(struct nftables_pernet * nft_net,unsigned int gc_seq)10774 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
10775 {
10776 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10777 }
10778
nf_tables_commit(struct net * net,struct sk_buff * skb)10779 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
10780 {
10781 struct nftables_pernet *nft_net = nft_pernet(net);
10782 const struct nlmsghdr *nlh = nlmsg_hdr(skb);
10783 struct nft_trans_binding *trans_binding;
10784 struct nft_trans *trans, *next;
10785 unsigned int base_seq, gc_seq;
10786 LIST_HEAD(set_update_list);
10787 struct nft_trans_elem *te;
10788 struct nft_chain *chain;
10789 struct nft_table *table;
10790 struct nft_ctx ctx;
10791 LIST_HEAD(adl);
10792 int err;
10793
10794 if (list_empty(&nft_net->commit_list)) {
10795 mutex_unlock(&nft_net->commit_mutex);
10796 return 0;
10797 }
10798
10799 nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL);
10800
10801 list_for_each_entry(trans_binding, &nft_net->binding_list, binding_list) {
10802 trans = &trans_binding->nft_trans;
10803 switch (trans->msg_type) {
10804 case NFT_MSG_NEWSET:
10805 if (!nft_trans_set_update(trans) &&
10806 nft_set_is_anonymous(nft_trans_set(trans)) &&
10807 !nft_trans_set_bound(trans)) {
10808 pr_warn_once("nftables ruleset with unbound set\n");
10809 return -EINVAL;
10810 }
10811 break;
10812 case NFT_MSG_NEWCHAIN:
10813 if (!nft_trans_chain_update(trans) &&
10814 nft_chain_binding(nft_trans_chain(trans)) &&
10815 !nft_trans_chain_bound(trans)) {
10816 pr_warn_once("nftables ruleset with unbound chain\n");
10817 return -EINVAL;
10818 }
10819 break;
10820 default:
10821 WARN_ONCE(1, "Unhandled bind type %d", trans->msg_type);
10822 break;
10823 }
10824 }
10825
10826 /* 0. Validate ruleset, otherwise roll back for error reporting. */
10827 if (nf_tables_validate(net) < 0) {
10828 nft_net->validate_state = NFT_VALIDATE_DO;
10829 return -EAGAIN;
10830 }
10831
10832 err = nft_flow_rule_offload_commit(net);
10833 if (err < 0)
10834 return err;
10835
10836 /* 1. Allocate space for next generation rules_gen_X[] */
10837 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10838 struct nft_table *table = trans->table;
10839 int ret;
10840
10841 ret = nf_tables_commit_audit_alloc(&adl, table);
10842 if (ret) {
10843 nf_tables_commit_chain_prepare_cancel(net);
10844 nf_tables_commit_audit_free(&adl);
10845 return ret;
10846 }
10847 if (trans->msg_type == NFT_MSG_NEWRULE ||
10848 trans->msg_type == NFT_MSG_DELRULE) {
10849 chain = nft_trans_rule_chain(trans);
10850
10851 ret = nf_tables_commit_chain_prepare(net, chain);
10852 if (ret < 0) {
10853 nf_tables_commit_chain_prepare_cancel(net);
10854 nf_tables_commit_audit_free(&adl);
10855 return ret;
10856 }
10857 }
10858 }
10859
10860 /* step 2. Make rules_gen_X visible to packet path */
10861 list_for_each_entry(table, &nft_net->tables, list) {
10862 list_for_each_entry(chain, &table->chains, list)
10863 nf_tables_commit_chain(net, chain);
10864 }
10865
10866 /*
10867 * Bump generation counter, invalidate any dump in progress.
10868 * Cannot fail after this point.
10869 */
10870 base_seq = nft_base_seq(net);
10871 while (++base_seq == 0)
10872 ;
10873
10874 /* pairs with smp_load_acquire in nft_lookup_eval */
10875 smp_store_release(&net->nft.base_seq, base_seq);
10876
10877 gc_seq = nft_gc_seq_begin(nft_net);
10878
10879 /* step 3. Start new generation, rules_gen_X now in use. */
10880 net->nft.gencursor = nft_gencursor_next(net);
10881
10882 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10883 struct nft_table *table = trans->table;
10884
10885 nft_ctx_update(&ctx, trans);
10886
10887 nf_tables_commit_audit_collect(&adl, trans, trans->msg_type);
10888 switch (trans->msg_type) {
10889 case NFT_MSG_NEWTABLE:
10890 if (nft_trans_table_update(trans)) {
10891 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
10892 nft_trans_destroy(trans);
10893 break;
10894 }
10895 if (table->flags & NFT_TABLE_F_DORMANT)
10896 nf_tables_table_disable(net, table);
10897
10898 table->flags &= ~__NFT_TABLE_F_UPDATE;
10899 } else {
10900 nft_clear(net, table);
10901 }
10902 nf_tables_table_notify(&ctx, NFT_MSG_NEWTABLE);
10903 nft_trans_destroy(trans);
10904 break;
10905 case NFT_MSG_DELTABLE:
10906 case NFT_MSG_DESTROYTABLE:
10907 list_del_rcu(&table->list);
10908 nf_tables_table_notify(&ctx, trans->msg_type);
10909 break;
10910 case NFT_MSG_NEWCHAIN:
10911 if (nft_trans_chain_update(trans)) {
10912 nft_chain_commit_update(nft_trans_container_chain(trans));
10913 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN,
10914 &nft_trans_chain_hooks(trans));
10915 list_splice(&nft_trans_chain_hooks(trans),
10916 &nft_trans_basechain(trans)->hook_list);
10917 /* trans destroyed after rcu grace period */
10918 } else {
10919 nft_chain_commit_drop_policy(nft_trans_container_chain(trans));
10920 nft_clear(net, nft_trans_chain(trans));
10921 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL);
10922 nft_trans_destroy(trans);
10923 }
10924 break;
10925 case NFT_MSG_DELCHAIN:
10926 case NFT_MSG_DESTROYCHAIN:
10927 if (nft_trans_chain_update(trans)) {
10928 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
10929 &nft_trans_chain_hooks(trans));
10930 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
10931 nft_netdev_unregister_hooks(net,
10932 &nft_trans_chain_hooks(trans),
10933 true);
10934 }
10935 } else {
10936 nft_chain_del(nft_trans_chain(trans));
10937 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
10938 NULL);
10939 nf_tables_unregister_hook(ctx.net, ctx.table,
10940 nft_trans_chain(trans));
10941 }
10942 break;
10943 case NFT_MSG_NEWRULE:
10944 nft_clear(net, nft_trans_rule(trans));
10945 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
10946 NFT_MSG_NEWRULE);
10947 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10948 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10949
10950 nft_trans_destroy(trans);
10951 break;
10952 case NFT_MSG_DELRULE:
10953 case NFT_MSG_DESTROYRULE:
10954 list_del_rcu(&nft_trans_rule(trans)->list);
10955 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
10956 trans->msg_type);
10957 nft_rule_expr_deactivate(&ctx, nft_trans_rule(trans),
10958 NFT_TRANS_COMMIT);
10959
10960 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10961 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10962 break;
10963 case NFT_MSG_NEWSET:
10964 list_del(&nft_trans_container_set(trans)->list_trans_newset);
10965 if (nft_trans_set_update(trans)) {
10966 struct nft_set *set = nft_trans_set(trans);
10967
10968 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
10969 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
10970
10971 if (nft_trans_set_size(trans))
10972 WRITE_ONCE(set->size, nft_trans_set_size(trans));
10973 } else {
10974 nft_clear(net, nft_trans_set(trans));
10975 /* This avoids hitting -EBUSY when deleting the table
10976 * from the transaction.
10977 */
10978 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
10979 !list_empty(&nft_trans_set(trans)->bindings))
10980 nft_use_dec(&table->use);
10981 }
10982 nf_tables_set_notify(&ctx, nft_trans_set(trans),
10983 NFT_MSG_NEWSET, GFP_KERNEL);
10984 nft_trans_destroy(trans);
10985 break;
10986 case NFT_MSG_DELSET:
10987 case NFT_MSG_DESTROYSET:
10988 nft_trans_set(trans)->dead = 1;
10989 list_del_rcu(&nft_trans_set(trans)->list);
10990 nf_tables_set_notify(&ctx, nft_trans_set(trans),
10991 trans->msg_type, GFP_KERNEL);
10992 break;
10993 case NFT_MSG_NEWSETELEM:
10994 te = nft_trans_container_elem(trans);
10995
10996 nft_trans_elems_add(&ctx, te);
10997
10998 if (te->set->ops->commit &&
10999 list_empty(&te->set->pending_update)) {
11000 list_add_tail(&te->set->pending_update,
11001 &set_update_list);
11002 }
11003 nft_trans_destroy(trans);
11004 break;
11005 case NFT_MSG_DELSETELEM:
11006 case NFT_MSG_DESTROYSETELEM:
11007 te = nft_trans_container_elem(trans);
11008
11009 nft_trans_elems_remove(&ctx, te);
11010
11011 if (te->set->ops->commit &&
11012 list_empty(&te->set->pending_update)) {
11013 list_add_tail(&te->set->pending_update,
11014 &set_update_list);
11015 }
11016 break;
11017 case NFT_MSG_NEWOBJ:
11018 if (nft_trans_obj_update(trans)) {
11019 nft_obj_commit_update(&ctx, trans);
11020 nf_tables_obj_notify(&ctx,
11021 nft_trans_obj(trans),
11022 NFT_MSG_NEWOBJ);
11023 } else {
11024 nft_clear(net, nft_trans_obj(trans));
11025 nf_tables_obj_notify(&ctx,
11026 nft_trans_obj(trans),
11027 NFT_MSG_NEWOBJ);
11028 nft_trans_destroy(trans);
11029 }
11030 break;
11031 case NFT_MSG_DELOBJ:
11032 case NFT_MSG_DESTROYOBJ:
11033 nft_obj_del(nft_trans_obj(trans));
11034 nf_tables_obj_notify(&ctx, nft_trans_obj(trans),
11035 trans->msg_type);
11036 break;
11037 case NFT_MSG_NEWFLOWTABLE:
11038 if (nft_trans_flowtable_update(trans)) {
11039 nft_trans_flowtable(trans)->data.flags =
11040 nft_trans_flowtable_flags(trans);
11041 nf_tables_flowtable_notify(&ctx,
11042 nft_trans_flowtable(trans),
11043 &nft_trans_flowtable_hooks(trans),
11044 NFT_MSG_NEWFLOWTABLE);
11045 list_splice(&nft_trans_flowtable_hooks(trans),
11046 &nft_trans_flowtable(trans)->hook_list);
11047 } else {
11048 nft_clear(net, nft_trans_flowtable(trans));
11049 nf_tables_flowtable_notify(&ctx,
11050 nft_trans_flowtable(trans),
11051 NULL,
11052 NFT_MSG_NEWFLOWTABLE);
11053 }
11054 nft_trans_destroy(trans);
11055 break;
11056 case NFT_MSG_DELFLOWTABLE:
11057 case NFT_MSG_DESTROYFLOWTABLE:
11058 if (nft_trans_flowtable_update(trans)) {
11059 nf_tables_flowtable_notify(&ctx,
11060 nft_trans_flowtable(trans),
11061 &nft_trans_flowtable_hooks(trans),
11062 trans->msg_type);
11063 nft_unregister_flowtable_net_hooks(net,
11064 nft_trans_flowtable(trans),
11065 &nft_trans_flowtable_hooks(trans));
11066 } else {
11067 list_del_rcu(&nft_trans_flowtable(trans)->list);
11068 nf_tables_flowtable_notify(&ctx,
11069 nft_trans_flowtable(trans),
11070 NULL,
11071 trans->msg_type);
11072 nft_unregister_flowtable_net_hooks(net,
11073 nft_trans_flowtable(trans),
11074 &nft_trans_flowtable(trans)->hook_list);
11075 }
11076 break;
11077 }
11078 }
11079
11080 nft_set_commit_update(&set_update_list);
11081
11082 nft_commit_notify(net, NETLINK_CB(skb).portid);
11083 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
11084 nf_tables_commit_audit_log(&adl, nft_base_seq(net));
11085
11086 nft_gc_seq_end(nft_net, gc_seq);
11087 nft_net->validate_state = NFT_VALIDATE_SKIP;
11088 nf_tables_commit_release(net);
11089
11090 return 0;
11091 }
11092
nf_tables_module_autoload(struct net * net)11093 static void nf_tables_module_autoload(struct net *net)
11094 {
11095 struct nftables_pernet *nft_net = nft_pernet(net);
11096 struct nft_module_request *req, *next;
11097 LIST_HEAD(module_list);
11098
11099 list_splice_init(&nft_net->module_list, &module_list);
11100 mutex_unlock(&nft_net->commit_mutex);
11101 list_for_each_entry_safe(req, next, &module_list, list) {
11102 request_module("%s", req->module);
11103 req->done = true;
11104 }
11105 mutex_lock(&nft_net->commit_mutex);
11106 list_splice(&module_list, &nft_net->module_list);
11107 }
11108
nf_tables_abort_release(struct nft_trans * trans)11109 static void nf_tables_abort_release(struct nft_trans *trans)
11110 {
11111 struct nft_ctx ctx = { };
11112
11113 nft_ctx_update(&ctx, trans);
11114
11115 switch (trans->msg_type) {
11116 case NFT_MSG_NEWTABLE:
11117 nf_tables_table_destroy(trans->table);
11118 break;
11119 case NFT_MSG_NEWCHAIN:
11120 if (nft_trans_chain_update(trans))
11121 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
11122 else
11123 nf_tables_chain_destroy(nft_trans_chain(trans));
11124 break;
11125 case NFT_MSG_NEWRULE:
11126 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
11127 break;
11128 case NFT_MSG_NEWSET:
11129 nft_set_destroy(&ctx, nft_trans_set(trans));
11130 break;
11131 case NFT_MSG_NEWSETELEM:
11132 nft_trans_set_elem_destroy(&ctx, nft_trans_container_elem(trans));
11133 break;
11134 case NFT_MSG_NEWOBJ:
11135 nft_obj_destroy(&ctx, nft_trans_obj(trans));
11136 break;
11137 case NFT_MSG_NEWFLOWTABLE:
11138 if (nft_trans_flowtable_update(trans))
11139 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
11140 else
11141 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
11142 break;
11143 }
11144 kfree(trans);
11145 }
11146
nft_set_abort_update(struct list_head * set_update_list)11147 static void nft_set_abort_update(struct list_head *set_update_list)
11148 {
11149 struct nft_set *set, *next;
11150
11151 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
11152 list_del_init(&set->pending_update);
11153
11154 if (!set->ops->abort)
11155 continue;
11156
11157 set->ops->abort(set);
11158 }
11159 }
11160
__nf_tables_abort(struct net * net,enum nfnl_abort_action action)11161 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
11162 {
11163 struct nftables_pernet *nft_net = nft_pernet(net);
11164 struct nft_trans *trans, *next;
11165 LIST_HEAD(set_update_list);
11166 struct nft_trans_elem *te;
11167 struct nft_ctx ctx = {
11168 .net = net,
11169 };
11170 int err = 0;
11171
11172 if (action == NFNL_ABORT_VALIDATE &&
11173 nf_tables_validate(net) < 0)
11174 err = -EAGAIN;
11175
11176 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
11177 list) {
11178 struct nft_table *table = trans->table;
11179
11180 nft_ctx_update(&ctx, trans);
11181
11182 switch (trans->msg_type) {
11183 case NFT_MSG_NEWTABLE:
11184 if (nft_trans_table_update(trans)) {
11185 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
11186 nft_trans_destroy(trans);
11187 break;
11188 }
11189 if (table->flags & __NFT_TABLE_F_WAS_DORMANT) {
11190 nf_tables_table_disable(net, table);
11191 table->flags |= NFT_TABLE_F_DORMANT;
11192 } else if (table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
11193 table->flags &= ~NFT_TABLE_F_DORMANT;
11194 }
11195 if (table->flags & __NFT_TABLE_F_WAS_ORPHAN) {
11196 table->flags &= ~NFT_TABLE_F_OWNER;
11197 table->nlpid = 0;
11198 }
11199 table->flags &= ~__NFT_TABLE_F_UPDATE;
11200 nft_trans_destroy(trans);
11201 } else {
11202 list_del_rcu(&table->list);
11203 }
11204 break;
11205 case NFT_MSG_DELTABLE:
11206 case NFT_MSG_DESTROYTABLE:
11207 nft_clear(trans->net, table);
11208 nft_trans_destroy(trans);
11209 break;
11210 case NFT_MSG_NEWCHAIN:
11211 if (nft_trans_chain_update(trans)) {
11212 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
11213 nft_netdev_unregister_hooks(net,
11214 &nft_trans_chain_hooks(trans),
11215 true);
11216 }
11217 free_percpu(nft_trans_chain_stats(trans));
11218 kfree(nft_trans_chain_name(trans));
11219 nft_trans_destroy(trans);
11220 } else {
11221 if (nft_trans_chain_bound(trans)) {
11222 nft_trans_destroy(trans);
11223 break;
11224 }
11225 nft_use_dec_restore(&table->use);
11226 nft_chain_del(nft_trans_chain(trans));
11227 nf_tables_unregister_hook(trans->net, table,
11228 nft_trans_chain(trans));
11229 }
11230 break;
11231 case NFT_MSG_DELCHAIN:
11232 case NFT_MSG_DESTROYCHAIN:
11233 if (nft_trans_chain_update(trans)) {
11234 list_splice(&nft_trans_chain_hooks(trans),
11235 &nft_trans_basechain(trans)->hook_list);
11236 } else {
11237 nft_use_inc_restore(&table->use);
11238 nft_clear(trans->net, nft_trans_chain(trans));
11239 }
11240 nft_trans_destroy(trans);
11241 break;
11242 case NFT_MSG_NEWRULE:
11243 if (nft_trans_rule_bound(trans)) {
11244 nft_trans_destroy(trans);
11245 break;
11246 }
11247 nft_use_dec_restore(&nft_trans_rule_chain(trans)->use);
11248 list_del_rcu(&nft_trans_rule(trans)->list);
11249 nft_rule_expr_deactivate(&ctx,
11250 nft_trans_rule(trans),
11251 NFT_TRANS_ABORT);
11252 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
11253 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
11254 break;
11255 case NFT_MSG_DELRULE:
11256 case NFT_MSG_DESTROYRULE:
11257 nft_use_inc_restore(&nft_trans_rule_chain(trans)->use);
11258 nft_clear(trans->net, nft_trans_rule(trans));
11259 nft_rule_expr_activate(&ctx, nft_trans_rule(trans));
11260 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
11261 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
11262
11263 nft_trans_destroy(trans);
11264 break;
11265 case NFT_MSG_NEWSET:
11266 list_del(&nft_trans_container_set(trans)->list_trans_newset);
11267 if (nft_trans_set_update(trans)) {
11268 nft_trans_destroy(trans);
11269 break;
11270 }
11271 nft_use_dec_restore(&table->use);
11272 if (nft_trans_set_bound(trans)) {
11273 nft_trans_destroy(trans);
11274 break;
11275 }
11276 nft_trans_set(trans)->dead = 1;
11277 list_del_rcu(&nft_trans_set(trans)->list);
11278 break;
11279 case NFT_MSG_DELSET:
11280 case NFT_MSG_DESTROYSET:
11281 nft_use_inc_restore(&table->use);
11282 nft_clear(trans->net, nft_trans_set(trans));
11283 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11284 nft_map_activate(&ctx, nft_trans_set(trans));
11285
11286 nft_trans_destroy(trans);
11287 break;
11288 case NFT_MSG_NEWSETELEM:
11289 if (nft_trans_elem_set_bound(trans)) {
11290 nft_trans_destroy(trans);
11291 break;
11292 }
11293 te = nft_trans_container_elem(trans);
11294 if (!nft_trans_elems_new_abort(&ctx, te)) {
11295 nft_trans_destroy(trans);
11296 break;
11297 }
11298
11299 if (te->set->ops->abort &&
11300 list_empty(&te->set->pending_update)) {
11301 list_add_tail(&te->set->pending_update,
11302 &set_update_list);
11303 }
11304 break;
11305 case NFT_MSG_DELSETELEM:
11306 case NFT_MSG_DESTROYSETELEM:
11307 te = nft_trans_container_elem(trans);
11308
11309 nft_trans_elems_destroy_abort(&ctx, te);
11310
11311 if (te->set->ops->abort &&
11312 list_empty(&te->set->pending_update)) {
11313 list_add_tail(&te->set->pending_update,
11314 &set_update_list);
11315 }
11316 nft_trans_destroy(trans);
11317 break;
11318 case NFT_MSG_NEWOBJ:
11319 if (nft_trans_obj_update(trans)) {
11320 nft_obj_destroy(&ctx, nft_trans_obj_newobj(trans));
11321 nft_trans_destroy(trans);
11322 } else {
11323 nft_use_dec_restore(&table->use);
11324 nft_obj_del(nft_trans_obj(trans));
11325 }
11326 break;
11327 case NFT_MSG_DELOBJ:
11328 case NFT_MSG_DESTROYOBJ:
11329 nft_use_inc_restore(&table->use);
11330 nft_clear(trans->net, nft_trans_obj(trans));
11331 nft_trans_destroy(trans);
11332 break;
11333 case NFT_MSG_NEWFLOWTABLE:
11334 if (nft_trans_flowtable_update(trans)) {
11335 nft_unregister_flowtable_net_hooks(net,
11336 nft_trans_flowtable(trans),
11337 &nft_trans_flowtable_hooks(trans));
11338 } else {
11339 nft_use_dec_restore(&table->use);
11340 list_del_rcu(&nft_trans_flowtable(trans)->list);
11341 nft_unregister_flowtable_net_hooks(net,
11342 nft_trans_flowtable(trans),
11343 &nft_trans_flowtable(trans)->hook_list);
11344 }
11345 break;
11346 case NFT_MSG_DELFLOWTABLE:
11347 case NFT_MSG_DESTROYFLOWTABLE:
11348 if (nft_trans_flowtable_update(trans)) {
11349 list_splice(&nft_trans_flowtable_hooks(trans),
11350 &nft_trans_flowtable(trans)->hook_list);
11351 } else {
11352 nft_use_inc_restore(&table->use);
11353 nft_clear(trans->net, nft_trans_flowtable(trans));
11354 }
11355 nft_trans_destroy(trans);
11356 break;
11357 }
11358 }
11359
11360 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
11361
11362 nft_set_abort_update(&set_update_list);
11363
11364 synchronize_rcu();
11365
11366 list_for_each_entry_safe_reverse(trans, next,
11367 &nft_net->commit_list, list) {
11368 nft_trans_list_del(trans);
11369 nf_tables_abort_release(trans);
11370 }
11371
11372 return err;
11373 }
11374
nf_tables_abort(struct net * net,struct sk_buff * skb,enum nfnl_abort_action action)11375 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
11376 enum nfnl_abort_action action)
11377 {
11378 struct nftables_pernet *nft_net = nft_pernet(net);
11379 unsigned int gc_seq;
11380 int ret;
11381
11382 gc_seq = nft_gc_seq_begin(nft_net);
11383 ret = __nf_tables_abort(net, action);
11384 nft_gc_seq_end(nft_net, gc_seq);
11385
11386 if (action == NFNL_ABORT_NONE) {
11387 struct nft_table *table;
11388
11389 list_for_each_entry(table, &nft_net->tables, list)
11390 table->validate_state = NFT_VALIDATE_SKIP;
11391 }
11392
11393 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
11394
11395 /* module autoload needs to happen after GC sequence update because it
11396 * temporarily releases and grabs mutex again.
11397 */
11398 if (action == NFNL_ABORT_AUTOLOAD)
11399 nf_tables_module_autoload(net);
11400 else
11401 nf_tables_module_autoload_cleanup(net);
11402
11403 mutex_unlock(&nft_net->commit_mutex);
11404
11405 return ret;
11406 }
11407
nf_tables_valid_genid(struct net * net,u32 genid)11408 static bool nf_tables_valid_genid(struct net *net, u32 genid)
11409 {
11410 struct nftables_pernet *nft_net = nft_pernet(net);
11411 bool genid_ok;
11412
11413 mutex_lock(&nft_net->commit_mutex);
11414 nft_net->tstamp = get_jiffies_64();
11415
11416 genid_ok = genid == 0 || nft_base_seq(net) == genid;
11417 if (!genid_ok)
11418 mutex_unlock(&nft_net->commit_mutex);
11419
11420 /* else, commit mutex has to be released by commit or abort function */
11421 return genid_ok;
11422 }
11423
11424 static const struct nfnetlink_subsystem nf_tables_subsys = {
11425 .name = "nf_tables",
11426 .subsys_id = NFNL_SUBSYS_NFTABLES,
11427 .cb_count = NFT_MSG_MAX,
11428 .cb = nf_tables_cb,
11429 .commit = nf_tables_commit,
11430 .abort = nf_tables_abort,
11431 .valid_genid = nf_tables_valid_genid,
11432 .owner = THIS_MODULE,
11433 };
11434
nft_chain_validate_dependency(const struct nft_chain * chain,enum nft_chain_types type)11435 int nft_chain_validate_dependency(const struct nft_chain *chain,
11436 enum nft_chain_types type)
11437 {
11438 const struct nft_base_chain *basechain;
11439
11440 if (nft_is_base_chain(chain)) {
11441 basechain = nft_base_chain(chain);
11442 if (basechain->type->type != type)
11443 return -EOPNOTSUPP;
11444 }
11445 return 0;
11446 }
11447 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
11448
nft_chain_validate_hooks(const struct nft_chain * chain,unsigned int hook_flags)11449 int nft_chain_validate_hooks(const struct nft_chain *chain,
11450 unsigned int hook_flags)
11451 {
11452 struct nft_base_chain *basechain;
11453
11454 if (nft_is_base_chain(chain)) {
11455 basechain = nft_base_chain(chain);
11456
11457 if ((1 << basechain->ops.hooknum) & hook_flags)
11458 return 0;
11459
11460 return -EOPNOTSUPP;
11461 }
11462
11463 return 0;
11464 }
11465 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
11466
11467 /**
11468 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
11469 *
11470 * @attr: netlink attribute to fetch value from
11471 * @max: maximum value to be stored in dest
11472 * @dest: pointer to the variable
11473 *
11474 * Parse, check and store a given u32 netlink attribute into variable.
11475 * This function returns -ERANGE if the value goes over maximum value.
11476 * Otherwise a 0 is returned and the attribute value is stored in the
11477 * destination variable.
11478 */
nft_parse_u32_check(const struct nlattr * attr,int max,u32 * dest)11479 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
11480 {
11481 u32 val;
11482
11483 val = ntohl(nla_get_be32(attr));
11484 if (val > max)
11485 return -ERANGE;
11486
11487 *dest = val;
11488 return 0;
11489 }
11490 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
11491
nft_parse_register(const struct nlattr * attr,u32 * preg)11492 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
11493 {
11494 unsigned int reg;
11495
11496 reg = ntohl(nla_get_be32(attr));
11497 switch (reg) {
11498 case NFT_REG_VERDICT...NFT_REG_4:
11499 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
11500 break;
11501 case NFT_REG32_00...NFT_REG32_15:
11502 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
11503 break;
11504 default:
11505 return -ERANGE;
11506 }
11507
11508 return 0;
11509 }
11510
11511 /**
11512 * nft_dump_register - dump a register value to a netlink attribute
11513 *
11514 * @skb: socket buffer
11515 * @attr: attribute number
11516 * @reg: register number
11517 *
11518 * Construct a netlink attribute containing the register number. For
11519 * compatibility reasons, register numbers being a multiple of 4 are
11520 * translated to the corresponding 128 bit register numbers.
11521 */
nft_dump_register(struct sk_buff * skb,unsigned int attr,unsigned int reg)11522 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
11523 {
11524 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
11525 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
11526 else
11527 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
11528
11529 return nla_put_be32(skb, attr, htonl(reg));
11530 }
11531 EXPORT_SYMBOL_GPL(nft_dump_register);
11532
nft_validate_register_load(enum nft_registers reg,unsigned int len)11533 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
11534 {
11535 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11536 return -EINVAL;
11537 if (len == 0)
11538 return -EINVAL;
11539 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
11540 return -ERANGE;
11541
11542 return 0;
11543 }
11544
nft_parse_register_load(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * sreg,u32 len)11545 int nft_parse_register_load(const struct nft_ctx *ctx,
11546 const struct nlattr *attr, u8 *sreg, u32 len)
11547 {
11548 int err, invalid_reg;
11549 u32 reg, next_register;
11550
11551 err = nft_parse_register(attr, ®);
11552 if (err < 0)
11553 return err;
11554
11555 err = nft_validate_register_load(reg, len);
11556 if (err < 0)
11557 return err;
11558
11559 next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg;
11560
11561 /* Can't happen: nft_validate_register_load() should have failed */
11562 if (WARN_ON_ONCE(next_register > NFT_REG32_NUM))
11563 return -EINVAL;
11564
11565 /* find first register that did not see an earlier store. */
11566 invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg);
11567
11568 /* invalid register within the range that we're loading from? */
11569 if (invalid_reg < next_register)
11570 return -ENODATA;
11571
11572 *sreg = reg;
11573 return 0;
11574 }
11575 EXPORT_SYMBOL_GPL(nft_parse_register_load);
11576
nft_saw_register_store(const struct nft_ctx * __ctx,int reg,unsigned int len)11577 static void nft_saw_register_store(const struct nft_ctx *__ctx,
11578 int reg, unsigned int len)
11579 {
11580 unsigned int registers = DIV_ROUND_UP(len, NFT_REG32_SIZE);
11581 struct nft_ctx *ctx = (struct nft_ctx *)__ctx;
11582
11583 if (WARN_ON_ONCE(len == 0 || reg < 0))
11584 return;
11585
11586 bitmap_set(ctx->reg_inited, reg, registers);
11587 }
11588
nft_validate_register_store(const struct nft_ctx * ctx,enum nft_registers reg,const struct nft_data * data,enum nft_data_types type,unsigned int len)11589 static int nft_validate_register_store(const struct nft_ctx *ctx,
11590 enum nft_registers reg,
11591 const struct nft_data *data,
11592 enum nft_data_types type,
11593 unsigned int len)
11594 {
11595 switch (reg) {
11596 case NFT_REG_VERDICT:
11597 if (type != NFT_DATA_VERDICT)
11598 return -EINVAL;
11599 break;
11600 default:
11601 if (type != NFT_DATA_VALUE)
11602 return -EINVAL;
11603
11604 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11605 return -EINVAL;
11606 if (len == 0)
11607 return -EINVAL;
11608 if (reg * NFT_REG32_SIZE + len >
11609 sizeof_field(struct nft_regs, data))
11610 return -ERANGE;
11611
11612 break;
11613 }
11614
11615 nft_saw_register_store(ctx, reg, len);
11616 return 0;
11617 }
11618
nft_parse_register_store(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * dreg,const struct nft_data * data,enum nft_data_types type,unsigned int len)11619 int nft_parse_register_store(const struct nft_ctx *ctx,
11620 const struct nlattr *attr, u8 *dreg,
11621 const struct nft_data *data,
11622 enum nft_data_types type, unsigned int len)
11623 {
11624 int err;
11625 u32 reg;
11626
11627 err = nft_parse_register(attr, ®);
11628 if (err < 0)
11629 return err;
11630
11631 err = nft_validate_register_store(ctx, reg, data, type, len);
11632 if (err < 0)
11633 return err;
11634
11635 *dreg = reg;
11636 return 0;
11637 }
11638 EXPORT_SYMBOL_GPL(nft_parse_register_store);
11639
11640 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
11641 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
11642 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
11643 .len = NFT_CHAIN_MAXNAMELEN - 1 },
11644 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
11645 };
11646
nft_verdict_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11647 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
11648 struct nft_data_desc *desc, const struct nlattr *nla)
11649 {
11650 u8 genmask = nft_genmask_next(ctx->net);
11651 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
11652 struct nft_chain *chain;
11653 int err;
11654
11655 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
11656 nft_verdict_policy, NULL);
11657 if (err < 0)
11658 return err;
11659
11660 if (!tb[NFTA_VERDICT_CODE])
11661 return -EINVAL;
11662
11663 /* zero padding hole for memcmp */
11664 memset(data, 0, sizeof(*data));
11665 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
11666
11667 switch (data->verdict.code) {
11668 case NF_ACCEPT:
11669 case NF_DROP:
11670 case NF_QUEUE:
11671 break;
11672 case NFT_CONTINUE:
11673 case NFT_BREAK:
11674 case NFT_RETURN:
11675 break;
11676 case NFT_JUMP:
11677 case NFT_GOTO:
11678 if (tb[NFTA_VERDICT_CHAIN]) {
11679 chain = nft_chain_lookup(ctx->net, ctx->table,
11680 tb[NFTA_VERDICT_CHAIN],
11681 genmask);
11682 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
11683 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
11684 tb[NFTA_VERDICT_CHAIN_ID],
11685 genmask);
11686 if (IS_ERR(chain))
11687 return PTR_ERR(chain);
11688 } else {
11689 return -EINVAL;
11690 }
11691
11692 if (IS_ERR(chain))
11693 return PTR_ERR(chain);
11694 if (nft_is_base_chain(chain))
11695 return -EOPNOTSUPP;
11696 if (nft_chain_is_bound(chain))
11697 return -EINVAL;
11698 if (desc->flags & NFT_DATA_DESC_SETELEM &&
11699 chain->flags & NFT_CHAIN_BINDING)
11700 return -EINVAL;
11701 if (!nft_use_inc(&chain->use))
11702 return -EMFILE;
11703
11704 data->verdict.chain = chain;
11705 break;
11706 default:
11707 return -EINVAL;
11708 }
11709
11710 desc->len = sizeof(data->verdict);
11711
11712 return 0;
11713 }
11714
nft_verdict_uninit(const struct nft_data * data)11715 static void nft_verdict_uninit(const struct nft_data *data)
11716 {
11717 struct nft_chain *chain;
11718
11719 switch (data->verdict.code) {
11720 case NFT_JUMP:
11721 case NFT_GOTO:
11722 chain = data->verdict.chain;
11723 nft_use_dec(&chain->use);
11724 break;
11725 }
11726 }
11727
nft_verdict_dump(struct sk_buff * skb,int type,const struct nft_verdict * v)11728 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
11729 {
11730 struct nlattr *nest;
11731
11732 nest = nla_nest_start_noflag(skb, type);
11733 if (!nest)
11734 goto nla_put_failure;
11735
11736 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
11737 goto nla_put_failure;
11738
11739 switch (v->code) {
11740 case NFT_JUMP:
11741 case NFT_GOTO:
11742 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
11743 v->chain->name))
11744 goto nla_put_failure;
11745 }
11746 nla_nest_end(skb, nest);
11747 return 0;
11748
11749 nla_put_failure:
11750 return -1;
11751 }
11752
nft_value_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11753 static int nft_value_init(const struct nft_ctx *ctx,
11754 struct nft_data *data, struct nft_data_desc *desc,
11755 const struct nlattr *nla)
11756 {
11757 unsigned int len;
11758
11759 len = nla_len(nla);
11760 if (len == 0)
11761 return -EINVAL;
11762 if (len > desc->size)
11763 return -EOVERFLOW;
11764 if (desc->len) {
11765 if (len != desc->len)
11766 return -EINVAL;
11767 } else {
11768 desc->len = len;
11769 }
11770
11771 nla_memcpy(data->data, nla, len);
11772
11773 return 0;
11774 }
11775
nft_value_dump(struct sk_buff * skb,const struct nft_data * data,unsigned int len)11776 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
11777 unsigned int len)
11778 {
11779 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
11780 }
11781
11782 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11783 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11784 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11785 };
11786
11787 /**
11788 * nft_data_init - parse nf_tables data netlink attributes
11789 *
11790 * @ctx: context of the expression using the data
11791 * @data: destination struct nft_data
11792 * @desc: data description
11793 * @nla: netlink attribute containing data
11794 *
11795 * Parse the netlink data attributes and initialize a struct nft_data.
11796 * The type and length of data are returned in the data description.
11797 *
11798 * The caller can indicate that it only wants to accept data of type
11799 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11800 */
nft_data_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11801 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11802 struct nft_data_desc *desc, const struct nlattr *nla)
11803 {
11804 struct nlattr *tb[NFTA_DATA_MAX + 1];
11805 int err;
11806
11807 if (WARN_ON_ONCE(!desc->size))
11808 return -EINVAL;
11809
11810 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11811 nft_data_policy, NULL);
11812 if (err < 0)
11813 return err;
11814
11815 if (tb[NFTA_DATA_VALUE]) {
11816 if (desc->type != NFT_DATA_VALUE)
11817 return -EINVAL;
11818
11819 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
11820 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11821 if (desc->type != NFT_DATA_VERDICT)
11822 return -EINVAL;
11823
11824 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
11825 } else {
11826 err = -EINVAL;
11827 }
11828
11829 return err;
11830 }
11831 EXPORT_SYMBOL_GPL(nft_data_init);
11832
11833 /**
11834 * nft_data_release - release a nft_data item
11835 *
11836 * @data: struct nft_data to release
11837 * @type: type of data
11838 *
11839 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11840 * all others need to be released by calling this function.
11841 */
nft_data_release(const struct nft_data * data,enum nft_data_types type)11842 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11843 {
11844 if (type < NFT_DATA_VERDICT)
11845 return;
11846 switch (type) {
11847 case NFT_DATA_VERDICT:
11848 return nft_verdict_uninit(data);
11849 default:
11850 WARN_ON(1);
11851 }
11852 }
11853 EXPORT_SYMBOL_GPL(nft_data_release);
11854
nft_data_dump(struct sk_buff * skb,int attr,const struct nft_data * data,enum nft_data_types type,unsigned int len)11855 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
11856 enum nft_data_types type, unsigned int len)
11857 {
11858 struct nlattr *nest;
11859 int err;
11860
11861 nest = nla_nest_start_noflag(skb, attr);
11862 if (nest == NULL)
11863 return -1;
11864
11865 switch (type) {
11866 case NFT_DATA_VALUE:
11867 err = nft_value_dump(skb, data, len);
11868 break;
11869 case NFT_DATA_VERDICT:
11870 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
11871 break;
11872 default:
11873 err = -EINVAL;
11874 WARN_ON(1);
11875 }
11876
11877 nla_nest_end(skb, nest);
11878 return err;
11879 }
11880 EXPORT_SYMBOL_GPL(nft_data_dump);
11881
__nft_release_hook(struct net * net,struct nft_table * table)11882 static void __nft_release_hook(struct net *net, struct nft_table *table)
11883 {
11884 struct nft_flowtable *flowtable;
11885 struct nft_chain *chain;
11886
11887 list_for_each_entry(chain, &table->chains, list)
11888 __nf_tables_unregister_hook(net, table, chain, true);
11889 list_for_each_entry(flowtable, &table->flowtables, list)
11890 __nft_unregister_flowtable_net_hooks(net, flowtable,
11891 &flowtable->hook_list,
11892 true);
11893 }
11894
__nft_release_hooks(struct net * net)11895 static void __nft_release_hooks(struct net *net)
11896 {
11897 struct nftables_pernet *nft_net = nft_pernet(net);
11898 struct nft_table *table;
11899
11900 list_for_each_entry(table, &nft_net->tables, list) {
11901 if (nft_table_has_owner(table))
11902 continue;
11903
11904 __nft_release_hook(net, table);
11905 }
11906 }
11907
__nft_release_table(struct net * net,struct nft_table * table)11908 static void __nft_release_table(struct net *net, struct nft_table *table)
11909 {
11910 struct nft_flowtable *flowtable, *nf;
11911 struct nft_chain *chain, *nc;
11912 struct nft_object *obj, *ne;
11913 struct nft_rule *rule, *nr;
11914 struct nft_set *set, *ns;
11915 struct nft_ctx ctx = {
11916 .net = net,
11917 .family = NFPROTO_NETDEV,
11918 };
11919
11920 ctx.family = table->family;
11921 ctx.table = table;
11922 list_for_each_entry(chain, &table->chains, list) {
11923 if (nft_chain_binding(chain))
11924 continue;
11925
11926 ctx.chain = chain;
11927 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
11928 list_del(&rule->list);
11929 nft_use_dec(&chain->use);
11930 nf_tables_rule_release(&ctx, rule);
11931 }
11932 }
11933 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11934 list_del(&flowtable->list);
11935 nft_use_dec(&table->use);
11936 nf_tables_flowtable_destroy(flowtable);
11937 }
11938 list_for_each_entry_safe(set, ns, &table->sets, list) {
11939 list_del(&set->list);
11940 nft_use_dec(&table->use);
11941 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11942 nft_map_deactivate(&ctx, set);
11943
11944 nft_set_destroy(&ctx, set);
11945 }
11946 list_for_each_entry_safe(obj, ne, &table->objects, list) {
11947 nft_obj_del(obj);
11948 nft_use_dec(&table->use);
11949 nft_obj_destroy(&ctx, obj);
11950 }
11951 list_for_each_entry_safe(chain, nc, &table->chains, list) {
11952 nft_chain_del(chain);
11953 nft_use_dec(&table->use);
11954 nf_tables_chain_destroy(chain);
11955 }
11956 nf_tables_table_destroy(table);
11957 }
11958
__nft_release_tables(struct net * net)11959 static void __nft_release_tables(struct net *net)
11960 {
11961 struct nftables_pernet *nft_net = nft_pernet(net);
11962 struct nft_table *table, *nt;
11963
11964 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
11965 if (nft_table_has_owner(table))
11966 continue;
11967
11968 list_del(&table->list);
11969
11970 __nft_release_table(net, table);
11971 }
11972 }
11973
nft_rcv_nl_event(struct notifier_block * this,unsigned long event,void * ptr)11974 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
11975 void *ptr)
11976 {
11977 struct nft_table *table, *to_delete[8];
11978 struct nftables_pernet *nft_net;
11979 struct netlink_notify *n = ptr;
11980 struct net *net = n->net;
11981 unsigned int deleted;
11982 bool restart = false;
11983 unsigned int gc_seq;
11984
11985 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
11986 return NOTIFY_DONE;
11987
11988 nft_net = nft_pernet(net);
11989 deleted = 0;
11990 mutex_lock(&nft_net->commit_mutex);
11991
11992 gc_seq = nft_gc_seq_begin(nft_net);
11993
11994 nf_tables_trans_destroy_flush_work(net);
11995 again:
11996 list_for_each_entry(table, &nft_net->tables, list) {
11997 if (nft_table_has_owner(table) &&
11998 n->portid == table->nlpid) {
11999 if (table->flags & NFT_TABLE_F_PERSIST) {
12000 table->flags &= ~NFT_TABLE_F_OWNER;
12001 continue;
12002 }
12003 __nft_release_hook(net, table);
12004 list_del_rcu(&table->list);
12005 to_delete[deleted++] = table;
12006 if (deleted >= ARRAY_SIZE(to_delete))
12007 break;
12008 }
12009 }
12010 if (deleted) {
12011 restart = deleted >= ARRAY_SIZE(to_delete);
12012 synchronize_rcu();
12013 while (deleted)
12014 __nft_release_table(net, to_delete[--deleted]);
12015
12016 if (restart)
12017 goto again;
12018 }
12019 nft_gc_seq_end(nft_net, gc_seq);
12020
12021 mutex_unlock(&nft_net->commit_mutex);
12022
12023 return NOTIFY_DONE;
12024 }
12025
12026 static struct notifier_block nft_nl_notifier = {
12027 .notifier_call = nft_rcv_nl_event,
12028 };
12029
nf_tables_init_net(struct net * net)12030 static int __net_init nf_tables_init_net(struct net *net)
12031 {
12032 struct nftables_pernet *nft_net = nft_pernet(net);
12033
12034 INIT_LIST_HEAD(&nft_net->tables);
12035 INIT_LIST_HEAD(&nft_net->commit_list);
12036 INIT_LIST_HEAD(&nft_net->destroy_list);
12037 INIT_LIST_HEAD(&nft_net->commit_set_list);
12038 INIT_LIST_HEAD(&nft_net->binding_list);
12039 INIT_LIST_HEAD(&nft_net->module_list);
12040 INIT_LIST_HEAD(&nft_net->notify_list);
12041 mutex_init(&nft_net->commit_mutex);
12042 net->nft.base_seq = 1;
12043 nft_net->gc_seq = 0;
12044 nft_net->validate_state = NFT_VALIDATE_SKIP;
12045 INIT_WORK(&nft_net->destroy_work, nf_tables_trans_destroy_work);
12046
12047 return 0;
12048 }
12049
nf_tables_pre_exit_net(struct net * net)12050 static void __net_exit nf_tables_pre_exit_net(struct net *net)
12051 {
12052 struct nftables_pernet *nft_net = nft_pernet(net);
12053
12054 mutex_lock(&nft_net->commit_mutex);
12055 __nft_release_hooks(net);
12056 mutex_unlock(&nft_net->commit_mutex);
12057 }
12058
nf_tables_exit_net(struct net * net)12059 static void __net_exit nf_tables_exit_net(struct net *net)
12060 {
12061 struct nftables_pernet *nft_net = nft_pernet(net);
12062 unsigned int gc_seq;
12063
12064 mutex_lock(&nft_net->commit_mutex);
12065
12066 gc_seq = nft_gc_seq_begin(nft_net);
12067
12068 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
12069 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
12070
12071 if (!list_empty(&nft_net->module_list))
12072 nf_tables_module_autoload_cleanup(net);
12073
12074 cancel_work_sync(&nft_net->destroy_work);
12075 __nft_release_tables(net);
12076
12077 nft_gc_seq_end(nft_net, gc_seq);
12078
12079 mutex_unlock(&nft_net->commit_mutex);
12080
12081 WARN_ON_ONCE(!list_empty(&nft_net->tables));
12082 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
12083 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
12084 WARN_ON_ONCE(!list_empty(&nft_net->destroy_list));
12085 }
12086
nf_tables_exit_batch(struct list_head * net_exit_list)12087 static void nf_tables_exit_batch(struct list_head *net_exit_list)
12088 {
12089 flush_work(&trans_gc_work);
12090 }
12091
12092 static struct pernet_operations nf_tables_net_ops = {
12093 .init = nf_tables_init_net,
12094 .pre_exit = nf_tables_pre_exit_net,
12095 .exit = nf_tables_exit_net,
12096 .exit_batch = nf_tables_exit_batch,
12097 .id = &nf_tables_net_id,
12098 .size = sizeof(struct nftables_pernet),
12099 };
12100
nf_tables_module_init(void)12101 static int __init nf_tables_module_init(void)
12102 {
12103 int err;
12104
12105 BUILD_BUG_ON(offsetof(struct nft_trans_table, nft_trans) != 0);
12106 BUILD_BUG_ON(offsetof(struct nft_trans_chain, nft_trans_binding.nft_trans) != 0);
12107 BUILD_BUG_ON(offsetof(struct nft_trans_rule, nft_trans) != 0);
12108 BUILD_BUG_ON(offsetof(struct nft_trans_set, nft_trans_binding.nft_trans) != 0);
12109 BUILD_BUG_ON(offsetof(struct nft_trans_elem, nft_trans) != 0);
12110 BUILD_BUG_ON(offsetof(struct nft_trans_obj, nft_trans) != 0);
12111 BUILD_BUG_ON(offsetof(struct nft_trans_flowtable, nft_trans) != 0);
12112
12113 err = register_pernet_subsys(&nf_tables_net_ops);
12114 if (err < 0)
12115 return err;
12116
12117 err = nft_chain_filter_init();
12118 if (err < 0)
12119 goto err_chain_filter;
12120
12121 err = nf_tables_core_module_init();
12122 if (err < 0)
12123 goto err_core_module;
12124
12125 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
12126 if (err < 0)
12127 goto err_netdev_notifier;
12128
12129 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
12130 if (err < 0)
12131 goto err_rht_objname;
12132
12133 err = nft_offload_init();
12134 if (err < 0)
12135 goto err_offload;
12136
12137 err = netlink_register_notifier(&nft_nl_notifier);
12138 if (err < 0)
12139 goto err_netlink_notifier;
12140
12141 /* must be last */
12142 err = nfnetlink_subsys_register(&nf_tables_subsys);
12143 if (err < 0)
12144 goto err_nfnl_subsys;
12145
12146 nft_chain_route_init();
12147
12148 return err;
12149
12150 err_nfnl_subsys:
12151 netlink_unregister_notifier(&nft_nl_notifier);
12152 err_netlink_notifier:
12153 nft_offload_exit();
12154 err_offload:
12155 rhltable_destroy(&nft_objname_ht);
12156 err_rht_objname:
12157 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
12158 err_netdev_notifier:
12159 nf_tables_core_module_exit();
12160 err_core_module:
12161 nft_chain_filter_fini();
12162 err_chain_filter:
12163 unregister_pernet_subsys(&nf_tables_net_ops);
12164 return err;
12165 }
12166
nf_tables_module_exit(void)12167 static void __exit nf_tables_module_exit(void)
12168 {
12169 nfnetlink_subsys_unregister(&nf_tables_subsys);
12170 netlink_unregister_notifier(&nft_nl_notifier);
12171 nft_offload_exit();
12172 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
12173 nft_chain_filter_fini();
12174 nft_chain_route_fini();
12175 unregister_pernet_subsys(&nf_tables_net_ops);
12176 cancel_work_sync(&trans_gc_work);
12177 rcu_barrier();
12178 rhltable_destroy(&nft_objname_ht);
12179 nf_tables_core_module_exit();
12180 }
12181
12182 module_init(nf_tables_module_init);
12183 module_exit(nf_tables_module_exit);
12184
12185 MODULE_LICENSE("GPL");
12186 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
12187 MODULE_DESCRIPTION("Framework for packet filtering and classification");
12188 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
12189