1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/skbuff.h> 12 #include <linux/netlink.h> 13 #include <linux/vmalloc.h> 14 #include <linux/rhashtable.h> 15 #include <linux/audit.h> 16 #include <linux/netfilter.h> 17 #include <linux/netfilter/nfnetlink.h> 18 #include <linux/netfilter/nf_tables.h> 19 #include <net/netfilter/nf_flow_table.h> 20 #include <net/netfilter/nf_tables_core.h> 21 #include <net/netfilter/nf_tables.h> 22 #include <net/netfilter/nf_tables_offload.h> 23 #include <net/net_namespace.h> 24 #include <net/sock.h> 25 26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 27 #define NFT_SET_MAX_ANONLEN 16 28 29 /* limit compaction to avoid huge kmalloc/krealloc sizes. */ 30 #define NFT_MAX_SET_NELEMS ((2048 - sizeof(struct nft_trans_elem)) / sizeof(struct nft_trans_one_elem)) 31 32 unsigned int nf_tables_net_id __read_mostly; 33 34 static LIST_HEAD(nf_tables_expressions); 35 static LIST_HEAD(nf_tables_objects); 36 static LIST_HEAD(nf_tables_flowtables); 37 static LIST_HEAD(nf_tables_gc_list); 38 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 39 static DEFINE_SPINLOCK(nf_tables_gc_list_lock); 40 41 enum { 42 NFT_VALIDATE_SKIP = 0, 43 NFT_VALIDATE_NEED, 44 NFT_VALIDATE_DO, 45 }; 46 47 static struct rhltable nft_objname_ht; 48 49 static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 50 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 51 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 52 53 static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 54 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 55 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 56 57 static const struct rhashtable_params nft_chain_ht_params = { 58 .head_offset = offsetof(struct nft_chain, rhlhead), 59 .key_offset = offsetof(struct nft_chain, name), 60 .hashfn = nft_chain_hash, 61 .obj_hashfn = nft_chain_hash_obj, 62 .obj_cmpfn = nft_chain_hash_cmp, 63 .automatic_shrinking = true, 64 }; 65 66 static const struct rhashtable_params nft_objname_ht_params = { 67 .head_offset = offsetof(struct nft_object, rhlhead), 68 .key_offset = offsetof(struct nft_object, key), 69 .hashfn = nft_objname_hash, 70 .obj_hashfn = nft_objname_hash_obj, 71 .obj_cmpfn = nft_objname_hash_cmp, 72 .automatic_shrinking = true, 73 }; 74 75 struct nft_audit_data { 76 struct nft_table *table; 77 int entries; 78 int op; 79 struct list_head list; 80 }; 81 82 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types 83 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER, 84 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID, 85 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER, 86 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER, 87 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID, 88 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER, 89 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER, 90 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID, 91 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER, 92 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER, 93 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID, 94 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER, 95 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER, 96 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID, 97 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER, 98 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER, 99 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID, 100 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID, 101 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER, 102 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID, 103 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER, 104 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET, 105 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER, 106 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID, 107 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 108 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET, 109 }; 110 111 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state) 112 { 113 switch (table->validate_state) { 114 case NFT_VALIDATE_SKIP: 115 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 116 break; 117 case NFT_VALIDATE_NEED: 118 break; 119 case NFT_VALIDATE_DO: 120 if (new_validate_state == NFT_VALIDATE_NEED) 121 return; 122 } 123 124 table->validate_state = new_validate_state; 125 } 126 static void nf_tables_trans_destroy_work(struct work_struct *w); 127 128 static void nft_trans_gc_work(struct work_struct *work); 129 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work); 130 131 static void nft_ctx_init(struct nft_ctx *ctx, 132 struct net *net, 133 const struct sk_buff *skb, 134 const struct nlmsghdr *nlh, 135 u8 family, 136 struct nft_table *table, 137 struct nft_chain *chain, 138 const struct nlattr * const *nla) 139 { 140 ctx->net = net; 141 ctx->family = family; 142 ctx->level = 0; 143 ctx->table = table; 144 ctx->chain = chain; 145 ctx->nla = nla; 146 ctx->portid = NETLINK_CB(skb).portid; 147 ctx->report = nlmsg_report(nlh); 148 ctx->flags = nlh->nlmsg_flags; 149 ctx->seq = nlh->nlmsg_seq; 150 151 bitmap_zero(ctx->reg_inited, NFT_REG32_NUM); 152 } 153 154 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 155 int msg_type, u32 size, gfp_t gfp) 156 { 157 struct nft_trans *trans; 158 159 trans = kzalloc(size, gfp); 160 if (trans == NULL) 161 return NULL; 162 163 INIT_LIST_HEAD(&trans->list); 164 trans->msg_type = msg_type; 165 166 trans->net = ctx->net; 167 trans->table = ctx->table; 168 trans->seq = ctx->seq; 169 trans->flags = ctx->flags; 170 trans->report = ctx->report; 171 172 return trans; 173 } 174 175 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 176 int msg_type, u32 size) 177 { 178 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 179 } 180 181 static struct nft_trans_binding *nft_trans_get_binding(struct nft_trans *trans) 182 { 183 switch (trans->msg_type) { 184 case NFT_MSG_NEWCHAIN: 185 case NFT_MSG_NEWSET: 186 return container_of(trans, struct nft_trans_binding, nft_trans); 187 } 188 189 return NULL; 190 } 191 192 static void nft_trans_list_del(struct nft_trans *trans) 193 { 194 struct nft_trans_binding *trans_binding; 195 196 list_del(&trans->list); 197 198 trans_binding = nft_trans_get_binding(trans); 199 if (trans_binding) 200 list_del(&trans_binding->binding_list); 201 } 202 203 static void nft_trans_destroy(struct nft_trans *trans) 204 { 205 nft_trans_list_del(trans); 206 kfree(trans); 207 } 208 209 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set, 210 bool bind) 211 { 212 struct nftables_pernet *nft_net; 213 struct net *net = ctx->net; 214 struct nft_trans *trans; 215 216 if (!nft_set_is_anonymous(set)) 217 return; 218 219 nft_net = nft_pernet(net); 220 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 221 switch (trans->msg_type) { 222 case NFT_MSG_NEWSET: 223 if (nft_trans_set(trans) == set) 224 nft_trans_set_bound(trans) = bind; 225 break; 226 case NFT_MSG_NEWSETELEM: 227 if (nft_trans_elem_set(trans) == set) 228 nft_trans_elem_set_bound(trans) = bind; 229 break; 230 } 231 } 232 } 233 234 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 235 { 236 return __nft_set_trans_bind(ctx, set, true); 237 } 238 239 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set) 240 { 241 return __nft_set_trans_bind(ctx, set, false); 242 } 243 244 static void __nft_chain_trans_bind(const struct nft_ctx *ctx, 245 struct nft_chain *chain, bool bind) 246 { 247 struct nftables_pernet *nft_net; 248 struct net *net = ctx->net; 249 struct nft_trans *trans; 250 251 if (!nft_chain_binding(chain)) 252 return; 253 254 nft_net = nft_pernet(net); 255 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 256 switch (trans->msg_type) { 257 case NFT_MSG_NEWCHAIN: 258 if (nft_trans_chain(trans) == chain) 259 nft_trans_chain_bound(trans) = bind; 260 break; 261 case NFT_MSG_NEWRULE: 262 if (nft_trans_rule_chain(trans) == chain) 263 nft_trans_rule_bound(trans) = bind; 264 break; 265 } 266 } 267 } 268 269 static void nft_chain_trans_bind(const struct nft_ctx *ctx, 270 struct nft_chain *chain) 271 { 272 __nft_chain_trans_bind(ctx, chain, true); 273 } 274 275 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) 276 { 277 if (!nft_chain_binding(chain)) 278 return 0; 279 280 if (nft_chain_binding(ctx->chain)) 281 return -EOPNOTSUPP; 282 283 if (chain->bound) 284 return -EBUSY; 285 286 if (!nft_use_inc(&chain->use)) 287 return -EMFILE; 288 289 chain->bound = true; 290 nft_chain_trans_bind(ctx, chain); 291 292 return 0; 293 } 294 295 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) 296 { 297 __nft_chain_trans_bind(ctx, chain, false); 298 } 299 300 static int nft_netdev_register_hooks(struct net *net, 301 struct list_head *hook_list) 302 { 303 struct nf_hook_ops *ops; 304 struct nft_hook *hook; 305 int err, j; 306 307 j = 0; 308 list_for_each_entry(hook, hook_list, list) { 309 list_for_each_entry(ops, &hook->ops_list, list) { 310 err = nf_register_net_hook(net, ops); 311 if (err < 0) 312 goto err_register; 313 314 j++; 315 } 316 } 317 return 0; 318 319 err_register: 320 list_for_each_entry(hook, hook_list, list) { 321 list_for_each_entry(ops, &hook->ops_list, list) { 322 if (j-- <= 0) 323 break; 324 325 nf_unregister_net_hook(net, ops); 326 } 327 } 328 return err; 329 } 330 331 static void nft_netdev_hook_free_ops(struct nft_hook *hook) 332 { 333 struct nf_hook_ops *ops, *next; 334 335 list_for_each_entry_safe(ops, next, &hook->ops_list, list) { 336 list_del(&ops->list); 337 kfree(ops); 338 } 339 } 340 341 static void nft_netdev_hook_free(struct nft_hook *hook) 342 { 343 nft_netdev_hook_free_ops(hook); 344 kfree(hook); 345 } 346 347 static void __nft_netdev_hook_free_rcu(struct rcu_head *rcu) 348 { 349 struct nft_hook *hook = container_of(rcu, struct nft_hook, rcu); 350 351 nft_netdev_hook_free(hook); 352 } 353 354 static void nft_netdev_hook_free_rcu(struct nft_hook *hook) 355 { 356 call_rcu(&hook->rcu, __nft_netdev_hook_free_rcu); 357 } 358 359 static void nft_netdev_unregister_hooks(struct net *net, 360 struct list_head *hook_list, 361 bool release_netdev) 362 { 363 struct nft_hook *hook, *next; 364 struct nf_hook_ops *ops; 365 366 list_for_each_entry_safe(hook, next, hook_list, list) { 367 list_for_each_entry(ops, &hook->ops_list, list) 368 nf_unregister_net_hook(net, ops); 369 if (release_netdev) { 370 list_del(&hook->list); 371 nft_netdev_hook_free_rcu(hook); 372 } 373 } 374 } 375 376 static int nf_tables_register_hook(struct net *net, 377 const struct nft_table *table, 378 struct nft_chain *chain) 379 { 380 struct nft_base_chain *basechain; 381 const struct nf_hook_ops *ops; 382 383 if (table->flags & NFT_TABLE_F_DORMANT || 384 !nft_is_base_chain(chain)) 385 return 0; 386 387 basechain = nft_base_chain(chain); 388 ops = &basechain->ops; 389 390 if (basechain->type->ops_register) 391 return basechain->type->ops_register(net, ops); 392 393 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 394 return nft_netdev_register_hooks(net, &basechain->hook_list); 395 396 return nf_register_net_hook(net, &basechain->ops); 397 } 398 399 static void __nf_tables_unregister_hook(struct net *net, 400 const struct nft_table *table, 401 struct nft_chain *chain, 402 bool release_netdev) 403 { 404 struct nft_base_chain *basechain; 405 const struct nf_hook_ops *ops; 406 407 if (table->flags & NFT_TABLE_F_DORMANT || 408 !nft_is_base_chain(chain)) 409 return; 410 basechain = nft_base_chain(chain); 411 ops = &basechain->ops; 412 413 if (basechain->type->ops_unregister) 414 return basechain->type->ops_unregister(net, ops); 415 416 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 417 nft_netdev_unregister_hooks(net, &basechain->hook_list, 418 release_netdev); 419 else 420 nf_unregister_net_hook(net, &basechain->ops); 421 } 422 423 static void nf_tables_unregister_hook(struct net *net, 424 const struct nft_table *table, 425 struct nft_chain *chain) 426 { 427 return __nf_tables_unregister_hook(net, table, chain, false); 428 } 429 430 static bool nft_trans_collapse_set_elem_allowed(const struct nft_trans_elem *a, const struct nft_trans_elem *b) 431 { 432 /* NB: the ->bound equality check is defensive, at this time we only merge 433 * a new nft_trans_elem transaction request with the transaction tail 434 * element, but a->bound != b->bound would imply a NEWRULE transaction 435 * is queued in-between. 436 * 437 * The set check is mandatory, the NFT_MAX_SET_NELEMS check prevents 438 * huge krealloc() requests. 439 */ 440 return a->set == b->set && a->bound == b->bound && a->nelems < NFT_MAX_SET_NELEMS; 441 } 442 443 static bool nft_trans_collapse_set_elem(struct nftables_pernet *nft_net, 444 struct nft_trans_elem *tail, 445 struct nft_trans_elem *trans, 446 gfp_t gfp) 447 { 448 unsigned int nelems, old_nelems = tail->nelems; 449 struct nft_trans_elem *new_trans; 450 451 if (!nft_trans_collapse_set_elem_allowed(tail, trans)) 452 return false; 453 454 /* "cannot happen", at this time userspace element add 455 * requests always allocate a new transaction element. 456 * 457 * This serves as a reminder to adjust the list_add_tail 458 * logic below in case this ever changes. 459 */ 460 if (WARN_ON_ONCE(trans->nelems != 1)) 461 return false; 462 463 if (check_add_overflow(old_nelems, trans->nelems, &nelems)) 464 return false; 465 466 /* krealloc might free tail which invalidates list pointers */ 467 list_del_init(&tail->nft_trans.list); 468 469 new_trans = krealloc(tail, struct_size(tail, elems, nelems), gfp); 470 if (!new_trans) { 471 list_add_tail(&tail->nft_trans.list, &nft_net->commit_list); 472 return false; 473 } 474 475 /* 476 * new_trans->nft_trans.list contains garbage, but 477 * list_add_tail() doesn't care. 478 */ 479 new_trans->nelems = nelems; 480 new_trans->elems[old_nelems] = trans->elems[0]; 481 list_add_tail(&new_trans->nft_trans.list, &nft_net->commit_list); 482 483 return true; 484 } 485 486 static bool nft_trans_try_collapse(struct nftables_pernet *nft_net, 487 struct nft_trans *trans, gfp_t gfp) 488 { 489 struct nft_trans *tail; 490 491 if (list_empty(&nft_net->commit_list)) 492 return false; 493 494 tail = list_last_entry(&nft_net->commit_list, struct nft_trans, list); 495 496 if (tail->msg_type != trans->msg_type) 497 return false; 498 499 switch (trans->msg_type) { 500 case NFT_MSG_NEWSETELEM: 501 case NFT_MSG_DELSETELEM: 502 return nft_trans_collapse_set_elem(nft_net, 503 nft_trans_container_elem(tail), 504 nft_trans_container_elem(trans), gfp); 505 } 506 507 return false; 508 } 509 510 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) 511 { 512 struct nftables_pernet *nft_net = nft_pernet(net); 513 struct nft_trans_binding *binding; 514 struct nft_trans_set *trans_set; 515 516 list_add_tail(&trans->list, &nft_net->commit_list); 517 518 binding = nft_trans_get_binding(trans); 519 if (!binding) 520 return; 521 522 switch (trans->msg_type) { 523 case NFT_MSG_NEWSET: 524 trans_set = nft_trans_container_set(trans); 525 526 if (!nft_trans_set_update(trans) && 527 nft_set_is_anonymous(nft_trans_set(trans))) 528 list_add_tail(&binding->binding_list, &nft_net->binding_list); 529 530 list_add_tail(&trans_set->list_trans_newset, &nft_net->commit_set_list); 531 break; 532 case NFT_MSG_NEWCHAIN: 533 if (!nft_trans_chain_update(trans) && 534 nft_chain_binding(nft_trans_chain(trans))) 535 list_add_tail(&binding->binding_list, &nft_net->binding_list); 536 break; 537 } 538 } 539 540 static void nft_trans_commit_list_add_elem(struct net *net, struct nft_trans *trans, 541 gfp_t gfp) 542 { 543 struct nftables_pernet *nft_net = nft_pernet(net); 544 545 WARN_ON_ONCE(trans->msg_type != NFT_MSG_NEWSETELEM && 546 trans->msg_type != NFT_MSG_DELSETELEM); 547 548 might_alloc(gfp); 549 550 if (nft_trans_try_collapse(nft_net, trans, gfp)) { 551 kfree(trans); 552 return; 553 } 554 555 nft_trans_commit_list_add_tail(net, trans); 556 } 557 558 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 559 { 560 struct nft_trans *trans; 561 562 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 563 if (trans == NULL) 564 return -ENOMEM; 565 566 if (msg_type == NFT_MSG_NEWTABLE) 567 nft_activate_next(ctx->net, ctx->table); 568 569 nft_trans_commit_list_add_tail(ctx->net, trans); 570 return 0; 571 } 572 573 static int nft_deltable(struct nft_ctx *ctx) 574 { 575 int err; 576 577 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 578 if (err < 0) 579 return err; 580 581 nft_deactivate_next(ctx->net, ctx->table); 582 return err; 583 } 584 585 static struct nft_trans * 586 nft_trans_alloc_chain(const struct nft_ctx *ctx, int msg_type) 587 { 588 struct nft_trans_chain *trans_chain; 589 struct nft_trans *trans; 590 591 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 592 if (!trans) 593 return NULL; 594 595 trans_chain = nft_trans_container_chain(trans); 596 INIT_LIST_HEAD(&trans_chain->nft_trans_binding.binding_list); 597 trans_chain->chain = ctx->chain; 598 599 return trans; 600 } 601 602 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 603 { 604 struct nft_trans *trans; 605 606 trans = nft_trans_alloc_chain(ctx, msg_type); 607 if (trans == NULL) 608 return ERR_PTR(-ENOMEM); 609 610 if (msg_type == NFT_MSG_NEWCHAIN) { 611 nft_activate_next(ctx->net, ctx->chain); 612 613 if (ctx->nla[NFTA_CHAIN_ID]) { 614 nft_trans_chain_id(trans) = 615 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); 616 } 617 } 618 nft_trans_commit_list_add_tail(ctx->net, trans); 619 620 return trans; 621 } 622 623 static int nft_delchain(struct nft_ctx *ctx) 624 { 625 struct nft_trans *trans; 626 627 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 628 if (IS_ERR(trans)) 629 return PTR_ERR(trans); 630 631 nft_use_dec(&ctx->table->use); 632 nft_deactivate_next(ctx->net, ctx->chain); 633 634 return 0; 635 } 636 637 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule) 638 { 639 struct nft_expr *expr; 640 641 expr = nft_expr_first(rule); 642 while (nft_expr_more(rule, expr)) { 643 if (expr->ops->activate) 644 expr->ops->activate(ctx, expr); 645 646 expr = nft_expr_next(expr); 647 } 648 } 649 650 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule, 651 enum nft_trans_phase phase) 652 { 653 struct nft_expr *expr; 654 655 expr = nft_expr_first(rule); 656 while (nft_expr_more(rule, expr)) { 657 if (expr->ops->deactivate) 658 expr->ops->deactivate(ctx, expr, phase); 659 660 expr = nft_expr_next(expr); 661 } 662 } 663 664 static int 665 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 666 { 667 /* You cannot delete the same rule twice */ 668 if (nft_is_active_next(ctx->net, rule)) { 669 nft_deactivate_next(ctx->net, rule); 670 nft_use_dec(&ctx->chain->use); 671 return 0; 672 } 673 return -ENOENT; 674 } 675 676 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 677 struct nft_rule *rule) 678 { 679 struct nft_trans *trans; 680 681 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 682 if (trans == NULL) 683 return NULL; 684 685 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 686 nft_trans_rule_id(trans) = 687 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 688 } 689 nft_trans_rule(trans) = rule; 690 nft_trans_rule_chain(trans) = ctx->chain; 691 nft_trans_commit_list_add_tail(ctx->net, trans); 692 693 return trans; 694 } 695 696 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 697 { 698 struct nft_flow_rule *flow; 699 struct nft_trans *trans; 700 int err; 701 702 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 703 if (trans == NULL) 704 return -ENOMEM; 705 706 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 707 flow = nft_flow_rule_create(ctx->net, rule); 708 if (IS_ERR(flow)) { 709 nft_trans_destroy(trans); 710 return PTR_ERR(flow); 711 } 712 713 nft_trans_flow_rule(trans) = flow; 714 } 715 716 err = nf_tables_delrule_deactivate(ctx, rule); 717 if (err < 0) { 718 nft_trans_destroy(trans); 719 return err; 720 } 721 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 722 723 return 0; 724 } 725 726 static int nft_delrule_by_chain(struct nft_ctx *ctx) 727 { 728 struct nft_rule *rule; 729 int err; 730 731 list_for_each_entry(rule, &ctx->chain->rules, list) { 732 if (!nft_is_active_next(ctx->net, rule)) 733 continue; 734 735 err = nft_delrule(ctx, rule); 736 if (err < 0) 737 return err; 738 } 739 return 0; 740 } 741 742 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 743 struct nft_set *set, 744 const struct nft_set_desc *desc) 745 { 746 struct nft_trans_set *trans_set; 747 struct nft_trans *trans; 748 749 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 750 if (trans == NULL) 751 return -ENOMEM; 752 753 trans_set = nft_trans_container_set(trans); 754 INIT_LIST_HEAD(&trans_set->nft_trans_binding.binding_list); 755 INIT_LIST_HEAD(&trans_set->list_trans_newset); 756 757 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) { 758 nft_trans_set_id(trans) = 759 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 760 nft_activate_next(ctx->net, set); 761 } 762 nft_trans_set(trans) = set; 763 if (desc) { 764 nft_trans_set_update(trans) = true; 765 nft_trans_set_gc_int(trans) = desc->gc_int; 766 nft_trans_set_timeout(trans) = desc->timeout; 767 nft_trans_set_size(trans) = desc->size; 768 } 769 nft_trans_commit_list_add_tail(ctx->net, trans); 770 771 return 0; 772 } 773 774 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 775 struct nft_set *set) 776 { 777 return __nft_trans_set_add(ctx, msg_type, set, NULL); 778 } 779 780 static int nft_mapelem_deactivate(const struct nft_ctx *ctx, 781 struct nft_set *set, 782 const struct nft_set_iter *iter, 783 struct nft_elem_priv *elem_priv) 784 { 785 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 786 787 if (!nft_set_elem_active(ext, iter->genmask)) 788 return 0; 789 790 nft_set_elem_change_active(ctx->net, set, ext); 791 nft_setelem_data_deactivate(ctx->net, set, elem_priv); 792 793 return 0; 794 } 795 796 struct nft_set_elem_catchall { 797 struct list_head list; 798 struct rcu_head rcu; 799 struct nft_elem_priv *elem; 800 }; 801 802 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, 803 struct nft_set *set) 804 { 805 u8 genmask = nft_genmask_next(ctx->net); 806 struct nft_set_elem_catchall *catchall; 807 struct nft_set_ext *ext; 808 809 list_for_each_entry(catchall, &set->catchall_list, list) { 810 ext = nft_set_elem_ext(set, catchall->elem); 811 if (!nft_set_elem_active(ext, genmask)) 812 continue; 813 814 nft_set_elem_change_active(ctx->net, set, ext); 815 nft_setelem_data_deactivate(ctx->net, set, catchall->elem); 816 break; 817 } 818 } 819 820 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set) 821 { 822 struct nft_set_iter iter = { 823 .genmask = nft_genmask_next(ctx->net), 824 .type = NFT_ITER_UPDATE, 825 .fn = nft_mapelem_deactivate, 826 }; 827 828 set->ops->walk(ctx, set, &iter); 829 WARN_ON_ONCE(iter.err); 830 831 nft_map_catchall_deactivate(ctx, set); 832 } 833 834 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 835 { 836 int err; 837 838 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 839 if (err < 0) 840 return err; 841 842 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 843 nft_map_deactivate(ctx, set); 844 845 nft_deactivate_next(ctx->net, set); 846 nft_use_dec(&ctx->table->use); 847 848 return err; 849 } 850 851 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 852 struct nft_object *obj) 853 { 854 struct nft_trans *trans; 855 856 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 857 if (trans == NULL) 858 return -ENOMEM; 859 860 if (msg_type == NFT_MSG_NEWOBJ) 861 nft_activate_next(ctx->net, obj); 862 863 nft_trans_obj(trans) = obj; 864 nft_trans_commit_list_add_tail(ctx->net, trans); 865 866 return 0; 867 } 868 869 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 870 { 871 int err; 872 873 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 874 if (err < 0) 875 return err; 876 877 nft_deactivate_next(ctx->net, obj); 878 nft_use_dec(&ctx->table->use); 879 880 return err; 881 } 882 883 static struct nft_trans * 884 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 885 struct nft_flowtable *flowtable) 886 { 887 struct nft_trans *trans; 888 889 trans = nft_trans_alloc(ctx, msg_type, 890 sizeof(struct nft_trans_flowtable)); 891 if (trans == NULL) 892 return ERR_PTR(-ENOMEM); 893 894 if (msg_type == NFT_MSG_NEWFLOWTABLE) 895 nft_activate_next(ctx->net, flowtable); 896 897 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 898 nft_trans_flowtable(trans) = flowtable; 899 nft_trans_commit_list_add_tail(ctx->net, trans); 900 901 return trans; 902 } 903 904 static int nft_delflowtable(struct nft_ctx *ctx, 905 struct nft_flowtable *flowtable) 906 { 907 struct nft_trans *trans; 908 909 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 910 if (IS_ERR(trans)) 911 return PTR_ERR(trans); 912 913 nft_deactivate_next(ctx->net, flowtable); 914 nft_use_dec(&ctx->table->use); 915 916 return 0; 917 } 918 919 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg) 920 { 921 int i; 922 923 for (i = track->regs[dreg].num_reg; i > 0; i--) 924 __nft_reg_track_cancel(track, dreg - i); 925 } 926 927 static void __nft_reg_track_update(struct nft_regs_track *track, 928 const struct nft_expr *expr, 929 u8 dreg, u8 num_reg) 930 { 931 track->regs[dreg].selector = expr; 932 track->regs[dreg].bitwise = NULL; 933 track->regs[dreg].num_reg = num_reg; 934 } 935 936 void nft_reg_track_update(struct nft_regs_track *track, 937 const struct nft_expr *expr, u8 dreg, u8 len) 938 { 939 unsigned int regcount; 940 int i; 941 942 __nft_reg_track_clobber(track, dreg); 943 944 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 945 for (i = 0; i < regcount; i++, dreg++) 946 __nft_reg_track_update(track, expr, dreg, i); 947 } 948 EXPORT_SYMBOL_GPL(nft_reg_track_update); 949 950 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len) 951 { 952 unsigned int regcount; 953 int i; 954 955 __nft_reg_track_clobber(track, dreg); 956 957 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 958 for (i = 0; i < regcount; i++, dreg++) 959 __nft_reg_track_cancel(track, dreg); 960 } 961 EXPORT_SYMBOL_GPL(nft_reg_track_cancel); 962 963 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg) 964 { 965 track->regs[dreg].selector = NULL; 966 track->regs[dreg].bitwise = NULL; 967 track->regs[dreg].num_reg = 0; 968 } 969 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel); 970 971 /* 972 * Tables 973 */ 974 975 static struct nft_table *nft_table_lookup(const struct net *net, 976 const struct nlattr *nla, 977 u8 family, u8 genmask, u32 nlpid) 978 { 979 struct nftables_pernet *nft_net; 980 struct nft_table *table; 981 982 if (nla == NULL) 983 return ERR_PTR(-EINVAL); 984 985 nft_net = nft_pernet(net); 986 list_for_each_entry_rcu(table, &nft_net->tables, list, 987 lockdep_is_held(&nft_net->commit_mutex)) { 988 if (!nla_strcmp(nla, table->name) && 989 table->family == family && 990 nft_active_genmask(table, genmask)) { 991 if (nft_table_has_owner(table) && 992 nlpid && table->nlpid != nlpid) 993 return ERR_PTR(-EPERM); 994 995 return table; 996 } 997 } 998 999 return ERR_PTR(-ENOENT); 1000 } 1001 1002 static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 1003 const struct nlattr *nla, 1004 int family, u8 genmask, u32 nlpid) 1005 { 1006 struct nftables_pernet *nft_net; 1007 struct nft_table *table; 1008 1009 nft_net = nft_pernet(net); 1010 list_for_each_entry(table, &nft_net->tables, list) { 1011 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 1012 table->family == family && 1013 nft_active_genmask(table, genmask)) { 1014 if (nft_table_has_owner(table) && 1015 nlpid && table->nlpid != nlpid) 1016 return ERR_PTR(-EPERM); 1017 1018 return table; 1019 } 1020 } 1021 1022 return ERR_PTR(-ENOENT); 1023 } 1024 1025 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 1026 { 1027 return ++table->hgenerator; 1028 } 1029 1030 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 1031 1032 static const struct nft_chain_type * 1033 __nft_chain_type_get(u8 family, enum nft_chain_types type) 1034 { 1035 if (family >= NFPROTO_NUMPROTO || 1036 type >= NFT_CHAIN_T_MAX) 1037 return NULL; 1038 1039 return chain_type[family][type]; 1040 } 1041 1042 static const struct nft_chain_type * 1043 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 1044 { 1045 const struct nft_chain_type *type; 1046 int i; 1047 1048 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 1049 type = __nft_chain_type_get(family, i); 1050 if (!type) 1051 continue; 1052 if (!nla_strcmp(nla, type->name)) 1053 return type; 1054 } 1055 return NULL; 1056 } 1057 1058 struct nft_module_request { 1059 struct list_head list; 1060 char module[MODULE_NAME_LEN]; 1061 bool done; 1062 }; 1063 1064 #ifdef CONFIG_MODULES 1065 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, 1066 ...) 1067 { 1068 char module_name[MODULE_NAME_LEN]; 1069 struct nftables_pernet *nft_net; 1070 struct nft_module_request *req; 1071 va_list args; 1072 int ret; 1073 1074 va_start(args, fmt); 1075 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 1076 va_end(args); 1077 if (ret >= MODULE_NAME_LEN) 1078 return 0; 1079 1080 nft_net = nft_pernet(net); 1081 list_for_each_entry(req, &nft_net->module_list, list) { 1082 if (!strcmp(req->module, module_name)) { 1083 if (req->done) 1084 return 0; 1085 1086 /* A request to load this module already exists. */ 1087 return -EAGAIN; 1088 } 1089 } 1090 1091 req = kmalloc(sizeof(*req), GFP_KERNEL); 1092 if (!req) 1093 return -ENOMEM; 1094 1095 req->done = false; 1096 strscpy(req->module, module_name, MODULE_NAME_LEN); 1097 list_add_tail(&req->list, &nft_net->module_list); 1098 1099 return -EAGAIN; 1100 } 1101 EXPORT_SYMBOL_GPL(nft_request_module); 1102 #endif 1103 1104 static void lockdep_nfnl_nft_mutex_not_held(void) 1105 { 1106 #ifdef CONFIG_PROVE_LOCKING 1107 if (debug_locks) 1108 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 1109 #endif 1110 } 1111 1112 static const struct nft_chain_type * 1113 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 1114 u8 family, bool autoload) 1115 { 1116 const struct nft_chain_type *type; 1117 1118 type = __nf_tables_chain_type_lookup(nla, family); 1119 if (type != NULL) 1120 return type; 1121 1122 lockdep_nfnl_nft_mutex_not_held(); 1123 #ifdef CONFIG_MODULES 1124 if (autoload) { 1125 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 1126 nla_len(nla), 1127 (const char *)nla_data(nla)) == -EAGAIN) 1128 return ERR_PTR(-EAGAIN); 1129 } 1130 #endif 1131 return ERR_PTR(-ENOENT); 1132 } 1133 1134 static unsigned int nft_base_seq(const struct net *net) 1135 { 1136 return READ_ONCE(net->nft.base_seq); 1137 } 1138 1139 static __be16 nft_base_seq_be16(const struct net *net) 1140 { 1141 return htons(nft_base_seq(net) & 0xffff); 1142 } 1143 1144 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 1145 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 1146 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1147 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 1148 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 1149 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY, 1150 .len = NFT_USERDATA_MAXLEN } 1151 }; 1152 1153 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 1154 u32 portid, u32 seq, int event, u32 flags, 1155 int family, const struct nft_table *table) 1156 { 1157 struct nlmsghdr *nlh; 1158 1159 nlh = nfnl_msg_put(skb, portid, seq, 1160 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event), 1161 flags, family, NFNETLINK_V0, nft_base_seq_be16(net)); 1162 if (!nlh) 1163 goto nla_put_failure; 1164 1165 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 1166 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 1167 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 1168 NFTA_TABLE_PAD)) 1169 goto nla_put_failure; 1170 1171 if (event == NFT_MSG_DELTABLE || 1172 event == NFT_MSG_DESTROYTABLE) { 1173 nlmsg_end(skb, nlh); 1174 return 0; 1175 } 1176 1177 if (nla_put_be32(skb, NFTA_TABLE_FLAGS, 1178 htonl(table->flags & NFT_TABLE_F_MASK))) 1179 goto nla_put_failure; 1180 1181 if (nft_table_has_owner(table) && 1182 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid))) 1183 goto nla_put_failure; 1184 1185 if (table->udata) { 1186 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata)) 1187 goto nla_put_failure; 1188 } 1189 1190 nlmsg_end(skb, nlh); 1191 return 0; 1192 1193 nla_put_failure: 1194 nlmsg_trim(skb, nlh); 1195 return -1; 1196 } 1197 1198 struct nftnl_skb_parms { 1199 bool report; 1200 }; 1201 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb)) 1202 1203 static void nft_notify_enqueue(struct sk_buff *skb, bool report, 1204 struct list_head *notify_list) 1205 { 1206 NFT_CB(skb).report = report; 1207 list_add_tail(&skb->list, notify_list); 1208 } 1209 1210 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 1211 { 1212 struct nftables_pernet *nft_net; 1213 struct sk_buff *skb; 1214 u16 flags = 0; 1215 int err; 1216 1217 if (!ctx->report && 1218 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1219 return; 1220 1221 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1222 if (skb == NULL) 1223 goto err; 1224 1225 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 1226 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 1227 1228 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 1229 event, flags, ctx->family, ctx->table); 1230 if (err < 0) { 1231 kfree_skb(skb); 1232 goto err; 1233 } 1234 1235 nft_net = nft_pernet(ctx->net); 1236 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1237 return; 1238 err: 1239 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1240 } 1241 1242 static int nf_tables_dump_tables(struct sk_buff *skb, 1243 struct netlink_callback *cb) 1244 { 1245 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1246 struct nftables_pernet *nft_net; 1247 const struct nft_table *table; 1248 unsigned int idx = 0, s_idx = cb->args[0]; 1249 struct net *net = sock_net(skb->sk); 1250 int family = nfmsg->nfgen_family; 1251 1252 rcu_read_lock(); 1253 nft_net = nft_pernet(net); 1254 cb->seq = nft_base_seq(net); 1255 1256 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1257 if (family != NFPROTO_UNSPEC && family != table->family) 1258 continue; 1259 1260 if (idx < s_idx) 1261 goto cont; 1262 if (idx > s_idx) 1263 memset(&cb->args[1], 0, 1264 sizeof(cb->args) - sizeof(cb->args[0])); 1265 if (!nft_is_active(net, table)) 1266 continue; 1267 if (nf_tables_fill_table_info(skb, net, 1268 NETLINK_CB(cb->skb).portid, 1269 cb->nlh->nlmsg_seq, 1270 NFT_MSG_NEWTABLE, NLM_F_MULTI, 1271 table->family, table) < 0) 1272 goto done; 1273 1274 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1275 cont: 1276 idx++; 1277 } 1278 done: 1279 rcu_read_unlock(); 1280 cb->args[0] = idx; 1281 return skb->len; 1282 } 1283 1284 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 1285 const struct nlmsghdr *nlh, 1286 struct netlink_dump_control *c) 1287 { 1288 int err; 1289 1290 if (!try_module_get(THIS_MODULE)) 1291 return -EINVAL; 1292 1293 rcu_read_unlock(); 1294 err = netlink_dump_start(nlsk, skb, nlh, c); 1295 rcu_read_lock(); 1296 module_put(THIS_MODULE); 1297 1298 return err; 1299 } 1300 1301 /* called with rcu_read_lock held */ 1302 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info, 1303 const struct nlattr * const nla[]) 1304 { 1305 struct netlink_ext_ack *extack = info->extack; 1306 u8 genmask = nft_genmask_cur(info->net); 1307 u8 family = info->nfmsg->nfgen_family; 1308 const struct nft_table *table; 1309 struct net *net = info->net; 1310 struct sk_buff *skb2; 1311 int err; 1312 1313 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1314 struct netlink_dump_control c = { 1315 .dump = nf_tables_dump_tables, 1316 .module = THIS_MODULE, 1317 }; 1318 1319 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 1320 } 1321 1322 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0); 1323 if (IS_ERR(table)) { 1324 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 1325 return PTR_ERR(table); 1326 } 1327 1328 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1329 if (!skb2) 1330 return -ENOMEM; 1331 1332 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 1333 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 1334 0, family, table); 1335 if (err < 0) 1336 goto err_fill_table_info; 1337 1338 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1339 1340 err_fill_table_info: 1341 kfree_skb(skb2); 1342 return err; 1343 } 1344 1345 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 1346 { 1347 struct nft_chain *chain; 1348 u32 i = 0; 1349 1350 list_for_each_entry(chain, &table->chains, list) { 1351 if (!nft_is_active_next(net, chain)) 1352 continue; 1353 if (!nft_is_base_chain(chain)) 1354 continue; 1355 1356 if (cnt && i++ == cnt) 1357 break; 1358 1359 nf_tables_unregister_hook(net, table, chain); 1360 } 1361 } 1362 1363 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 1364 { 1365 struct nft_chain *chain; 1366 int err, i = 0; 1367 1368 list_for_each_entry(chain, &table->chains, list) { 1369 if (!nft_is_active_next(net, chain)) 1370 continue; 1371 if (!nft_is_base_chain(chain)) 1372 continue; 1373 1374 err = nf_tables_register_hook(net, table, chain); 1375 if (err < 0) 1376 goto err_register_hooks; 1377 1378 i++; 1379 } 1380 return 0; 1381 1382 err_register_hooks: 1383 if (i) 1384 nft_table_disable(net, table, i); 1385 return err; 1386 } 1387 1388 static void nf_tables_table_disable(struct net *net, struct nft_table *table) 1389 { 1390 table->flags &= ~NFT_TABLE_F_DORMANT; 1391 nft_table_disable(net, table, 0); 1392 table->flags |= NFT_TABLE_F_DORMANT; 1393 } 1394 1395 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1) 1396 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0) 1397 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1) 1398 #define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2) 1399 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \ 1400 __NFT_TABLE_F_WAS_AWAKEN | \ 1401 __NFT_TABLE_F_WAS_ORPHAN) 1402 1403 static bool nft_table_pending_update(const struct nft_ctx *ctx) 1404 { 1405 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1406 struct nft_trans *trans; 1407 1408 if (ctx->table->flags & __NFT_TABLE_F_UPDATE) 1409 return true; 1410 1411 list_for_each_entry(trans, &nft_net->commit_list, list) { 1412 if (trans->table == ctx->table && 1413 ((trans->msg_type == NFT_MSG_NEWCHAIN && 1414 nft_trans_chain_update(trans)) || 1415 (trans->msg_type == NFT_MSG_DELCHAIN && 1416 nft_is_base_chain(nft_trans_chain(trans))))) 1417 return true; 1418 } 1419 1420 return false; 1421 } 1422 1423 static int nf_tables_updtable(struct nft_ctx *ctx) 1424 { 1425 struct nft_trans *trans; 1426 u32 flags; 1427 int ret; 1428 1429 if (!ctx->nla[NFTA_TABLE_FLAGS]) 1430 return 0; 1431 1432 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 1433 if (flags & ~NFT_TABLE_F_MASK) 1434 return -EOPNOTSUPP; 1435 1436 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK)) 1437 return 0; 1438 1439 if ((nft_table_has_owner(ctx->table) && 1440 !(flags & NFT_TABLE_F_OWNER)) || 1441 (flags & NFT_TABLE_F_OWNER && 1442 !nft_table_is_orphan(ctx->table))) 1443 return -EOPNOTSUPP; 1444 1445 if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST) 1446 return -EOPNOTSUPP; 1447 1448 /* No dormant off/on/off/on games in single transaction */ 1449 if (nft_table_pending_update(ctx)) 1450 return -EINVAL; 1451 1452 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 1453 sizeof(struct nft_trans_table)); 1454 if (trans == NULL) 1455 return -ENOMEM; 1456 1457 if ((flags & NFT_TABLE_F_DORMANT) && 1458 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 1459 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1460 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) 1461 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN; 1462 } else if (!(flags & NFT_TABLE_F_DORMANT) && 1463 ctx->table->flags & NFT_TABLE_F_DORMANT) { 1464 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 1465 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) { 1466 ret = nf_tables_table_enable(ctx->net, ctx->table); 1467 if (ret < 0) 1468 goto err_register_hooks; 1469 1470 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT; 1471 } 1472 } 1473 1474 if ((flags & NFT_TABLE_F_OWNER) && 1475 !nft_table_has_owner(ctx->table)) { 1476 ctx->table->nlpid = ctx->portid; 1477 ctx->table->flags |= NFT_TABLE_F_OWNER | 1478 __NFT_TABLE_F_WAS_ORPHAN; 1479 } 1480 1481 nft_trans_table_update(trans) = true; 1482 nft_trans_commit_list_add_tail(ctx->net, trans); 1483 1484 return 0; 1485 1486 err_register_hooks: 1487 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1488 nft_trans_destroy(trans); 1489 return ret; 1490 } 1491 1492 static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 1493 { 1494 const char *name = data; 1495 1496 return jhash(name, strlen(name), seed); 1497 } 1498 1499 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 1500 { 1501 const struct nft_chain *chain = data; 1502 1503 return nft_chain_hash(chain->name, 0, seed); 1504 } 1505 1506 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 1507 const void *ptr) 1508 { 1509 const struct nft_chain *chain = ptr; 1510 const char *name = arg->key; 1511 1512 return strcmp(chain->name, name); 1513 } 1514 1515 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 1516 { 1517 const struct nft_object_hash_key *k = data; 1518 1519 seed ^= hash_ptr(k->table, 32); 1520 1521 return jhash(k->name, strlen(k->name), seed); 1522 } 1523 1524 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 1525 { 1526 const struct nft_object *obj = data; 1527 1528 return nft_objname_hash(&obj->key, 0, seed); 1529 } 1530 1531 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 1532 const void *ptr) 1533 { 1534 const struct nft_object_hash_key *k = arg->key; 1535 const struct nft_object *obj = ptr; 1536 1537 if (obj->key.table != k->table) 1538 return -1; 1539 1540 return strcmp(obj->key.name, k->name); 1541 } 1542 1543 static bool nft_supported_family(u8 family) 1544 { 1545 return false 1546 #ifdef CONFIG_NF_TABLES_INET 1547 || family == NFPROTO_INET 1548 #endif 1549 #ifdef CONFIG_NF_TABLES_IPV4 1550 || family == NFPROTO_IPV4 1551 #endif 1552 #ifdef CONFIG_NF_TABLES_ARP 1553 || family == NFPROTO_ARP 1554 #endif 1555 #ifdef CONFIG_NF_TABLES_NETDEV 1556 || family == NFPROTO_NETDEV 1557 #endif 1558 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) 1559 || family == NFPROTO_BRIDGE 1560 #endif 1561 #ifdef CONFIG_NF_TABLES_IPV6 1562 || family == NFPROTO_IPV6 1563 #endif 1564 ; 1565 } 1566 1567 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, 1568 const struct nlattr * const nla[]) 1569 { 1570 struct nftables_pernet *nft_net = nft_pernet(info->net); 1571 struct netlink_ext_ack *extack = info->extack; 1572 u8 genmask = nft_genmask_next(info->net); 1573 u8 family = info->nfmsg->nfgen_family; 1574 struct net *net = info->net; 1575 const struct nlattr *attr; 1576 struct nft_table *table; 1577 struct nft_ctx ctx; 1578 u32 flags = 0; 1579 int err; 1580 1581 if (!nft_supported_family(family)) 1582 return -EOPNOTSUPP; 1583 1584 lockdep_assert_held(&nft_net->commit_mutex); 1585 attr = nla[NFTA_TABLE_NAME]; 1586 table = nft_table_lookup(net, attr, family, genmask, 1587 NETLINK_CB(skb).portid); 1588 if (IS_ERR(table)) { 1589 if (PTR_ERR(table) != -ENOENT) 1590 return PTR_ERR(table); 1591 } else { 1592 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 1593 NL_SET_BAD_ATTR(extack, attr); 1594 return -EEXIST; 1595 } 1596 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 1597 return -EOPNOTSUPP; 1598 1599 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1600 1601 return nf_tables_updtable(&ctx); 1602 } 1603 1604 if (nla[NFTA_TABLE_FLAGS]) { 1605 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 1606 if (flags & ~NFT_TABLE_F_MASK) 1607 return -EOPNOTSUPP; 1608 } 1609 1610 err = -ENOMEM; 1611 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT); 1612 if (table == NULL) 1613 goto err_kzalloc; 1614 1615 table->validate_state = nft_net->validate_state; 1616 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT); 1617 if (table->name == NULL) 1618 goto err_strdup; 1619 1620 if (nla[NFTA_TABLE_USERDATA]) { 1621 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT); 1622 if (table->udata == NULL) 1623 goto err_table_udata; 1624 1625 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]); 1626 } 1627 1628 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1629 if (err) 1630 goto err_chain_ht; 1631 1632 INIT_LIST_HEAD(&table->chains); 1633 INIT_LIST_HEAD(&table->sets); 1634 INIT_LIST_HEAD(&table->objects); 1635 INIT_LIST_HEAD(&table->flowtables); 1636 table->family = family; 1637 table->flags = flags; 1638 table->handle = ++nft_net->table_handle; 1639 if (table->flags & NFT_TABLE_F_OWNER) 1640 table->nlpid = NETLINK_CB(skb).portid; 1641 1642 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1643 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1644 if (err < 0) 1645 goto err_trans; 1646 1647 list_add_tail_rcu(&table->list, &nft_net->tables); 1648 return 0; 1649 err_trans: 1650 rhltable_destroy(&table->chains_ht); 1651 err_chain_ht: 1652 kfree(table->udata); 1653 err_table_udata: 1654 kfree(table->name); 1655 err_strdup: 1656 kfree(table); 1657 err_kzalloc: 1658 return err; 1659 } 1660 1661 static int nft_flush_table(struct nft_ctx *ctx) 1662 { 1663 struct nft_flowtable *flowtable, *nft; 1664 struct nft_chain *chain, *nc; 1665 struct nft_object *obj, *ne; 1666 struct nft_set *set, *ns; 1667 int err; 1668 1669 list_for_each_entry(chain, &ctx->table->chains, list) { 1670 if (!nft_is_active_next(ctx->net, chain)) 1671 continue; 1672 1673 if (nft_chain_binding(chain)) 1674 continue; 1675 1676 ctx->chain = chain; 1677 1678 err = nft_delrule_by_chain(ctx); 1679 if (err < 0) 1680 goto out; 1681 } 1682 1683 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1684 if (!nft_is_active_next(ctx->net, set)) 1685 continue; 1686 1687 if (nft_set_is_anonymous(set)) 1688 continue; 1689 1690 err = nft_delset(ctx, set); 1691 if (err < 0) 1692 goto out; 1693 } 1694 1695 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1696 if (!nft_is_active_next(ctx->net, flowtable)) 1697 continue; 1698 1699 err = nft_delflowtable(ctx, flowtable); 1700 if (err < 0) 1701 goto out; 1702 } 1703 1704 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1705 if (!nft_is_active_next(ctx->net, obj)) 1706 continue; 1707 1708 err = nft_delobj(ctx, obj); 1709 if (err < 0) 1710 goto out; 1711 } 1712 1713 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1714 if (!nft_is_active_next(ctx->net, chain)) 1715 continue; 1716 1717 if (nft_chain_binding(chain)) 1718 continue; 1719 1720 ctx->chain = chain; 1721 1722 err = nft_delchain(ctx); 1723 if (err < 0) 1724 goto out; 1725 } 1726 1727 err = nft_deltable(ctx); 1728 out: 1729 return err; 1730 } 1731 1732 static int nft_flush(struct nft_ctx *ctx, int family) 1733 { 1734 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1735 const struct nlattr * const *nla = ctx->nla; 1736 struct nft_table *table, *nt; 1737 int err = 0; 1738 1739 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 1740 if (family != AF_UNSPEC && table->family != family) 1741 continue; 1742 1743 ctx->family = table->family; 1744 1745 if (!nft_is_active_next(ctx->net, table)) 1746 continue; 1747 1748 if (nft_table_has_owner(table) && table->nlpid != ctx->portid) 1749 continue; 1750 1751 if (nla[NFTA_TABLE_NAME] && 1752 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1753 continue; 1754 1755 ctx->table = table; 1756 1757 err = nft_flush_table(ctx); 1758 if (err < 0) 1759 goto out; 1760 } 1761 out: 1762 return err; 1763 } 1764 1765 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info, 1766 const struct nlattr * const nla[]) 1767 { 1768 struct netlink_ext_ack *extack = info->extack; 1769 u8 genmask = nft_genmask_next(info->net); 1770 u8 family = info->nfmsg->nfgen_family; 1771 struct net *net = info->net; 1772 const struct nlattr *attr; 1773 struct nft_table *table; 1774 struct nft_ctx ctx; 1775 1776 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla); 1777 if (family == AF_UNSPEC || 1778 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1779 return nft_flush(&ctx, family); 1780 1781 if (nla[NFTA_TABLE_HANDLE]) { 1782 attr = nla[NFTA_TABLE_HANDLE]; 1783 table = nft_table_lookup_byhandle(net, attr, family, genmask, 1784 NETLINK_CB(skb).portid); 1785 } else { 1786 attr = nla[NFTA_TABLE_NAME]; 1787 table = nft_table_lookup(net, attr, family, genmask, 1788 NETLINK_CB(skb).portid); 1789 } 1790 1791 if (IS_ERR(table)) { 1792 if (PTR_ERR(table) == -ENOENT && 1793 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE) 1794 return 0; 1795 1796 NL_SET_BAD_ATTR(extack, attr); 1797 return PTR_ERR(table); 1798 } 1799 1800 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 1801 table->use > 0) 1802 return -EBUSY; 1803 1804 ctx.family = family; 1805 ctx.table = table; 1806 1807 return nft_flush_table(&ctx); 1808 } 1809 1810 static void nf_tables_table_destroy(struct nft_table *table) 1811 { 1812 if (WARN_ON(table->use > 0)) 1813 return; 1814 1815 rhltable_destroy(&table->chains_ht); 1816 kfree(table->name); 1817 kfree(table->udata); 1818 kfree(table); 1819 } 1820 1821 void nft_register_chain_type(const struct nft_chain_type *ctype) 1822 { 1823 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1824 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1825 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1826 return; 1827 } 1828 chain_type[ctype->family][ctype->type] = ctype; 1829 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1830 } 1831 EXPORT_SYMBOL_GPL(nft_register_chain_type); 1832 1833 void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1834 { 1835 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1836 chain_type[ctype->family][ctype->type] = NULL; 1837 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1838 } 1839 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1840 1841 /* 1842 * Chains 1843 */ 1844 1845 static struct nft_chain * 1846 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1847 { 1848 struct nft_chain *chain; 1849 1850 list_for_each_entry(chain, &table->chains, list) { 1851 if (chain->handle == handle && 1852 nft_active_genmask(chain, genmask)) 1853 return chain; 1854 } 1855 1856 return ERR_PTR(-ENOENT); 1857 } 1858 1859 static bool lockdep_commit_lock_is_held(const struct net *net) 1860 { 1861 #ifdef CONFIG_PROVE_LOCKING 1862 struct nftables_pernet *nft_net = nft_pernet(net); 1863 1864 return lockdep_is_held(&nft_net->commit_mutex); 1865 #else 1866 return true; 1867 #endif 1868 } 1869 1870 static struct nft_chain *nft_chain_lookup(struct net *net, 1871 struct nft_table *table, 1872 const struct nlattr *nla, u8 genmask) 1873 { 1874 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1875 struct rhlist_head *tmp, *list; 1876 struct nft_chain *chain; 1877 1878 if (nla == NULL) 1879 return ERR_PTR(-EINVAL); 1880 1881 nla_strscpy(search, nla, sizeof(search)); 1882 1883 WARN_ON(!rcu_read_lock_held() && 1884 !lockdep_commit_lock_is_held(net)); 1885 1886 chain = ERR_PTR(-ENOENT); 1887 rcu_read_lock(); 1888 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1889 if (!list) 1890 goto out_unlock; 1891 1892 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1893 if (nft_active_genmask(chain, genmask)) 1894 goto out_unlock; 1895 } 1896 chain = ERR_PTR(-ENOENT); 1897 out_unlock: 1898 rcu_read_unlock(); 1899 return chain; 1900 } 1901 1902 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1903 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1904 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1905 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1906 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1907 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1908 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1909 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1910 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1911 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1912 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1913 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1914 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1915 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY, 1916 .len = NFT_USERDATA_MAXLEN }, 1917 }; 1918 1919 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1920 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1921 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1922 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1923 .len = IFNAMSIZ - 1 }, 1924 }; 1925 1926 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1927 { 1928 struct nft_stats *cpu_stats, total; 1929 struct nlattr *nest; 1930 unsigned int seq; 1931 u64 pkts, bytes; 1932 int cpu; 1933 1934 if (!stats) 1935 return 0; 1936 1937 memset(&total, 0, sizeof(total)); 1938 for_each_possible_cpu(cpu) { 1939 cpu_stats = per_cpu_ptr(stats, cpu); 1940 do { 1941 seq = u64_stats_fetch_begin(&cpu_stats->syncp); 1942 pkts = cpu_stats->pkts; 1943 bytes = cpu_stats->bytes; 1944 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq)); 1945 total.pkts += pkts; 1946 total.bytes += bytes; 1947 } 1948 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1949 if (nest == NULL) 1950 goto nla_put_failure; 1951 1952 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1953 NFTA_COUNTER_PAD) || 1954 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1955 NFTA_COUNTER_PAD)) 1956 goto nla_put_failure; 1957 1958 nla_nest_end(skb, nest); 1959 return 0; 1960 1961 nla_put_failure: 1962 return -ENOSPC; 1963 } 1964 1965 static bool hook_is_prefix(struct nft_hook *hook) 1966 { 1967 return strlen(hook->ifname) >= hook->ifnamelen; 1968 } 1969 1970 static int nft_nla_put_hook_dev(struct sk_buff *skb, struct nft_hook *hook) 1971 { 1972 int attr = hook_is_prefix(hook) ? NFTA_DEVICE_PREFIX : NFTA_DEVICE_NAME; 1973 1974 return nla_put_string(skb, attr, hook->ifname); 1975 } 1976 1977 static int nft_dump_basechain_hook(struct sk_buff *skb, 1978 const struct net *net, int family, 1979 const struct nft_base_chain *basechain, 1980 const struct list_head *hook_list) 1981 { 1982 const struct nf_hook_ops *ops = &basechain->ops; 1983 struct nft_hook *hook, *first = NULL; 1984 struct nlattr *nest, *nest_devs; 1985 int n = 0; 1986 1987 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1988 if (nest == NULL) 1989 goto nla_put_failure; 1990 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1991 goto nla_put_failure; 1992 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1993 goto nla_put_failure; 1994 1995 if (nft_base_chain_netdev(family, ops->hooknum)) { 1996 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1997 if (!nest_devs) 1998 goto nla_put_failure; 1999 2000 if (!hook_list) 2001 hook_list = &basechain->hook_list; 2002 2003 list_for_each_entry_rcu(hook, hook_list, list, 2004 lockdep_commit_lock_is_held(net)) { 2005 if (!first) 2006 first = hook; 2007 2008 if (nft_nla_put_hook_dev(skb, hook)) 2009 goto nla_put_failure; 2010 n++; 2011 } 2012 nla_nest_end(skb, nest_devs); 2013 2014 if (n == 1 && 2015 !hook_is_prefix(first) && 2016 nla_put_string(skb, NFTA_HOOK_DEV, first->ifname)) 2017 goto nla_put_failure; 2018 } 2019 nla_nest_end(skb, nest); 2020 2021 return 0; 2022 nla_put_failure: 2023 return -1; 2024 } 2025 2026 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 2027 u32 portid, u32 seq, int event, u32 flags, 2028 int family, const struct nft_table *table, 2029 const struct nft_chain *chain, 2030 const struct list_head *hook_list) 2031 { 2032 struct nlmsghdr *nlh; 2033 2034 nlh = nfnl_msg_put(skb, portid, seq, 2035 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event), 2036 flags, family, NFNETLINK_V0, nft_base_seq_be16(net)); 2037 if (!nlh) 2038 goto nla_put_failure; 2039 2040 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) || 2041 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) || 2042 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 2043 NFTA_CHAIN_PAD)) 2044 goto nla_put_failure; 2045 2046 if (!hook_list && 2047 (event == NFT_MSG_DELCHAIN || 2048 event == NFT_MSG_DESTROYCHAIN)) { 2049 nlmsg_end(skb, nlh); 2050 return 0; 2051 } 2052 2053 if (nft_is_base_chain(chain)) { 2054 const struct nft_base_chain *basechain = nft_base_chain(chain); 2055 struct nft_stats __percpu *stats; 2056 2057 if (nft_dump_basechain_hook(skb, net, family, basechain, hook_list)) 2058 goto nla_put_failure; 2059 2060 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 2061 htonl(basechain->policy))) 2062 goto nla_put_failure; 2063 2064 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 2065 goto nla_put_failure; 2066 2067 stats = rcu_dereference_check(basechain->stats, 2068 lockdep_commit_lock_is_held(net)); 2069 if (nft_dump_stats(skb, stats)) 2070 goto nla_put_failure; 2071 } 2072 2073 if (chain->flags && 2074 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags))) 2075 goto nla_put_failure; 2076 2077 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 2078 goto nla_put_failure; 2079 2080 if (chain->udata && 2081 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata)) 2082 goto nla_put_failure; 2083 2084 nlmsg_end(skb, nlh); 2085 return 0; 2086 2087 nla_put_failure: 2088 nlmsg_trim(skb, nlh); 2089 return -1; 2090 } 2091 2092 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event, 2093 const struct list_head *hook_list) 2094 { 2095 struct nftables_pernet *nft_net; 2096 struct sk_buff *skb; 2097 u16 flags = 0; 2098 int err; 2099 2100 if (!ctx->report && 2101 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 2102 return; 2103 2104 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 2105 if (skb == NULL) 2106 goto err; 2107 2108 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 2109 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 2110 2111 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 2112 event, flags, ctx->family, ctx->table, 2113 ctx->chain, hook_list); 2114 if (err < 0) { 2115 kfree_skb(skb); 2116 goto err; 2117 } 2118 2119 nft_net = nft_pernet(ctx->net); 2120 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 2121 return; 2122 err: 2123 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 2124 } 2125 2126 static int nf_tables_dump_chains(struct sk_buff *skb, 2127 struct netlink_callback *cb) 2128 { 2129 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2130 unsigned int idx = 0, s_idx = cb->args[0]; 2131 struct net *net = sock_net(skb->sk); 2132 int family = nfmsg->nfgen_family; 2133 struct nftables_pernet *nft_net; 2134 const struct nft_table *table; 2135 const struct nft_chain *chain; 2136 2137 rcu_read_lock(); 2138 nft_net = nft_pernet(net); 2139 cb->seq = nft_base_seq(net); 2140 2141 list_for_each_entry_rcu(table, &nft_net->tables, list) { 2142 if (family != NFPROTO_UNSPEC && family != table->family) 2143 continue; 2144 2145 list_for_each_entry_rcu(chain, &table->chains, list) { 2146 if (idx < s_idx) 2147 goto cont; 2148 if (idx > s_idx) 2149 memset(&cb->args[1], 0, 2150 sizeof(cb->args) - sizeof(cb->args[0])); 2151 if (!nft_is_active(net, chain)) 2152 continue; 2153 if (nf_tables_fill_chain_info(skb, net, 2154 NETLINK_CB(cb->skb).portid, 2155 cb->nlh->nlmsg_seq, 2156 NFT_MSG_NEWCHAIN, 2157 NLM_F_MULTI, 2158 table->family, table, 2159 chain, NULL) < 0) 2160 goto done; 2161 2162 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 2163 cont: 2164 idx++; 2165 } 2166 } 2167 done: 2168 rcu_read_unlock(); 2169 cb->args[0] = idx; 2170 return skb->len; 2171 } 2172 2173 /* called with rcu_read_lock held */ 2174 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info, 2175 const struct nlattr * const nla[]) 2176 { 2177 struct netlink_ext_ack *extack = info->extack; 2178 u8 genmask = nft_genmask_cur(info->net); 2179 u8 family = info->nfmsg->nfgen_family; 2180 const struct nft_chain *chain; 2181 struct net *net = info->net; 2182 struct nft_table *table; 2183 struct sk_buff *skb2; 2184 int err; 2185 2186 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 2187 struct netlink_dump_control c = { 2188 .dump = nf_tables_dump_chains, 2189 .module = THIS_MODULE, 2190 }; 2191 2192 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 2193 } 2194 2195 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0); 2196 if (IS_ERR(table)) { 2197 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2198 return PTR_ERR(table); 2199 } 2200 2201 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 2202 if (IS_ERR(chain)) { 2203 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2204 return PTR_ERR(chain); 2205 } 2206 2207 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 2208 if (!skb2) 2209 return -ENOMEM; 2210 2211 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 2212 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 2213 0, family, table, chain, NULL); 2214 if (err < 0) 2215 goto err_fill_chain_info; 2216 2217 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 2218 2219 err_fill_chain_info: 2220 kfree_skb(skb2); 2221 return err; 2222 } 2223 2224 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 2225 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 2226 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 2227 }; 2228 2229 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 2230 { 2231 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 2232 struct nft_stats __percpu *newstats; 2233 struct nft_stats *stats; 2234 int err; 2235 2236 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 2237 nft_counter_policy, NULL); 2238 if (err < 0) 2239 return ERR_PTR_PCPU(err); 2240 2241 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 2242 return ERR_PTR_PCPU(-EINVAL); 2243 2244 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 2245 if (newstats == NULL) 2246 return ERR_PTR_PCPU(-ENOMEM); 2247 2248 /* Restore old counters on this cpu, no problem. Per-cpu statistics 2249 * are not exposed to userspace. 2250 */ 2251 preempt_disable(); 2252 stats = this_cpu_ptr(newstats); 2253 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 2254 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 2255 preempt_enable(); 2256 2257 return newstats; 2258 } 2259 2260 static void nft_chain_stats_replace(struct nft_trans_chain *trans) 2261 { 2262 const struct nft_trans *t = &trans->nft_trans_binding.nft_trans; 2263 struct nft_base_chain *chain = nft_base_chain(trans->chain); 2264 2265 if (!trans->stats) 2266 return; 2267 2268 trans->stats = 2269 rcu_replace_pointer(chain->stats, trans->stats, 2270 lockdep_commit_lock_is_held(t->net)); 2271 2272 if (!trans->stats) 2273 static_branch_inc(&nft_counters_enabled); 2274 } 2275 2276 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 2277 { 2278 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0); 2279 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1); 2280 2281 if (g0 != g1) 2282 kvfree(g1); 2283 kvfree(g0); 2284 2285 /* should be NULL either via abort or via successful commit */ 2286 WARN_ON_ONCE(chain->blob_next); 2287 kvfree(chain->blob_next); 2288 } 2289 2290 void nf_tables_chain_destroy(struct nft_chain *chain) 2291 { 2292 const struct nft_table *table = chain->table; 2293 struct nft_hook *hook, *next; 2294 2295 if (WARN_ON(chain->use > 0)) 2296 return; 2297 2298 /* no concurrent access possible anymore */ 2299 nf_tables_chain_free_chain_rules(chain); 2300 2301 if (nft_is_base_chain(chain)) { 2302 struct nft_base_chain *basechain = nft_base_chain(chain); 2303 2304 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) { 2305 list_for_each_entry_safe(hook, next, 2306 &basechain->hook_list, list) { 2307 list_del_rcu(&hook->list); 2308 nft_netdev_hook_free_rcu(hook); 2309 } 2310 } 2311 module_put(basechain->type->owner); 2312 if (rcu_access_pointer(basechain->stats)) { 2313 static_branch_dec(&nft_counters_enabled); 2314 free_percpu(rcu_dereference_raw(basechain->stats)); 2315 } 2316 kfree(chain->name); 2317 kfree(chain->udata); 2318 kfree(basechain); 2319 } else { 2320 kfree(chain->name); 2321 kfree(chain->udata); 2322 kfree(chain); 2323 } 2324 } 2325 2326 static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 2327 const struct nlattr *attr, 2328 bool prefix) 2329 { 2330 struct nf_hook_ops *ops; 2331 struct net_device *dev; 2332 struct nft_hook *hook; 2333 int err; 2334 2335 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT); 2336 if (!hook) 2337 return ERR_PTR(-ENOMEM); 2338 2339 INIT_LIST_HEAD(&hook->ops_list); 2340 2341 err = nla_strscpy(hook->ifname, attr, IFNAMSIZ); 2342 if (err < 0) 2343 goto err_hook_free; 2344 2345 /* include the terminating NUL-char when comparing non-prefixes */ 2346 hook->ifnamelen = strlen(hook->ifname) + !prefix; 2347 2348 /* nf_tables_netdev_event() is called under rtnl_mutex, this is 2349 * indirectly serializing all the other holders of the commit_mutex with 2350 * the rtnl_mutex. 2351 */ 2352 for_each_netdev(net, dev) { 2353 if (strncmp(dev->name, hook->ifname, hook->ifnamelen)) 2354 continue; 2355 2356 ops = kzalloc(sizeof(struct nf_hook_ops), GFP_KERNEL_ACCOUNT); 2357 if (!ops) { 2358 err = -ENOMEM; 2359 goto err_hook_free; 2360 } 2361 ops->dev = dev; 2362 list_add_tail(&ops->list, &hook->ops_list); 2363 } 2364 return hook; 2365 2366 err_hook_free: 2367 nft_netdev_hook_free(hook); 2368 return ERR_PTR(err); 2369 } 2370 2371 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, 2372 const struct nft_hook *this) 2373 { 2374 struct nft_hook *hook; 2375 2376 list_for_each_entry(hook, hook_list, list) { 2377 if (!strncmp(hook->ifname, this->ifname, 2378 min(hook->ifnamelen, this->ifnamelen))) 2379 return hook; 2380 } 2381 2382 return NULL; 2383 } 2384 2385 static int nf_tables_parse_netdev_hooks(struct net *net, 2386 const struct nlattr *attr, 2387 struct list_head *hook_list, 2388 struct netlink_ext_ack *extack) 2389 { 2390 struct nft_hook *hook, *next; 2391 const struct nlattr *tmp; 2392 int rem, n = 0, err; 2393 bool prefix; 2394 2395 nla_for_each_nested(tmp, attr, rem) { 2396 switch (nla_type(tmp)) { 2397 case NFTA_DEVICE_NAME: 2398 prefix = false; 2399 break; 2400 case NFTA_DEVICE_PREFIX: 2401 prefix = true; 2402 break; 2403 default: 2404 err = -EINVAL; 2405 goto err_hook; 2406 } 2407 2408 hook = nft_netdev_hook_alloc(net, tmp, prefix); 2409 if (IS_ERR(hook)) { 2410 NL_SET_BAD_ATTR(extack, tmp); 2411 err = PTR_ERR(hook); 2412 goto err_hook; 2413 } 2414 if (nft_hook_list_find(hook_list, hook)) { 2415 NL_SET_BAD_ATTR(extack, tmp); 2416 nft_netdev_hook_free(hook); 2417 err = -EEXIST; 2418 goto err_hook; 2419 } 2420 list_add_tail(&hook->list, hook_list); 2421 n++; 2422 2423 if (n == NFT_NETDEVICE_MAX) { 2424 err = -EFBIG; 2425 goto err_hook; 2426 } 2427 } 2428 2429 return 0; 2430 2431 err_hook: 2432 list_for_each_entry_safe(hook, next, hook_list, list) { 2433 list_del(&hook->list); 2434 nft_netdev_hook_free(hook); 2435 } 2436 return err; 2437 } 2438 2439 struct nft_chain_hook { 2440 u32 num; 2441 s32 priority; 2442 const struct nft_chain_type *type; 2443 struct list_head list; 2444 }; 2445 2446 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[], 2447 struct list_head *hook_list, 2448 struct netlink_ext_ack *extack, u32 flags) 2449 { 2450 struct nft_hook *hook; 2451 int err; 2452 2453 if (tb[NFTA_HOOK_DEV]) { 2454 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV], false); 2455 if (IS_ERR(hook)) { 2456 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]); 2457 return PTR_ERR(hook); 2458 } 2459 2460 list_add_tail(&hook->list, hook_list); 2461 } else if (tb[NFTA_HOOK_DEVS]) { 2462 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 2463 hook_list, extack); 2464 if (err < 0) 2465 return err; 2466 2467 } 2468 2469 if (flags & NFT_CHAIN_HW_OFFLOAD && 2470 list_empty(hook_list)) 2471 return -EINVAL; 2472 2473 return 0; 2474 } 2475 2476 static int nft_chain_parse_hook(struct net *net, 2477 struct nft_base_chain *basechain, 2478 const struct nlattr * const nla[], 2479 struct nft_chain_hook *hook, u8 family, 2480 u32 flags, struct netlink_ext_ack *extack) 2481 { 2482 struct nftables_pernet *nft_net = nft_pernet(net); 2483 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 2484 const struct nft_chain_type *type; 2485 int err; 2486 2487 lockdep_assert_held(&nft_net->commit_mutex); 2488 lockdep_nfnl_nft_mutex_not_held(); 2489 2490 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 2491 nla[NFTA_CHAIN_HOOK], 2492 nft_hook_policy, NULL); 2493 if (err < 0) 2494 return err; 2495 2496 if (!basechain) { 2497 if (!ha[NFTA_HOOK_HOOKNUM] || 2498 !ha[NFTA_HOOK_PRIORITY]) { 2499 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2500 return -ENOENT; 2501 } 2502 2503 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 2504 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 2505 2506 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 2507 if (!type) 2508 return -EOPNOTSUPP; 2509 2510 if (nla[NFTA_CHAIN_TYPE]) { 2511 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 2512 family, true); 2513 if (IS_ERR(type)) { 2514 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2515 return PTR_ERR(type); 2516 } 2517 } 2518 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 2519 return -EOPNOTSUPP; 2520 2521 if (type->type == NFT_CHAIN_T_NAT && 2522 hook->priority <= NF_IP_PRI_CONNTRACK) 2523 return -EOPNOTSUPP; 2524 } else { 2525 if (ha[NFTA_HOOK_HOOKNUM]) { 2526 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 2527 if (hook->num != basechain->ops.hooknum) 2528 return -EOPNOTSUPP; 2529 } 2530 if (ha[NFTA_HOOK_PRIORITY]) { 2531 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 2532 if (hook->priority != basechain->ops.priority) 2533 return -EOPNOTSUPP; 2534 } 2535 2536 if (nla[NFTA_CHAIN_TYPE]) { 2537 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE], 2538 family); 2539 if (!type) { 2540 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2541 return -ENOENT; 2542 } 2543 } else { 2544 type = basechain->type; 2545 } 2546 } 2547 2548 if (!try_module_get(type->owner)) { 2549 if (nla[NFTA_CHAIN_TYPE]) 2550 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2551 return -ENOENT; 2552 } 2553 2554 hook->type = type; 2555 2556 INIT_LIST_HEAD(&hook->list); 2557 if (nft_base_chain_netdev(family, hook->num)) { 2558 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags); 2559 if (err < 0) { 2560 module_put(type->owner); 2561 return err; 2562 } 2563 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 2564 module_put(type->owner); 2565 return -EOPNOTSUPP; 2566 } 2567 2568 return 0; 2569 } 2570 2571 static void nft_chain_release_hook(struct nft_chain_hook *hook) 2572 { 2573 struct nft_hook *h, *next; 2574 2575 list_for_each_entry_safe(h, next, &hook->list, list) { 2576 list_del(&h->list); 2577 nft_netdev_hook_free(h); 2578 } 2579 module_put(hook->type->owner); 2580 } 2581 2582 static void nft_last_rule(const struct nft_chain *chain, const void *ptr) 2583 { 2584 struct nft_rule_dp_last *lrule; 2585 2586 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0); 2587 2588 lrule = (struct nft_rule_dp_last *)ptr; 2589 lrule->end.is_last = 1; 2590 lrule->chain = chain; 2591 /* blob size does not include the trailer rule */ 2592 } 2593 2594 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain, 2595 unsigned int size) 2596 { 2597 struct nft_rule_blob *blob; 2598 2599 if (size > INT_MAX) 2600 return NULL; 2601 2602 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last); 2603 2604 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT); 2605 if (!blob) 2606 return NULL; 2607 2608 blob->size = 0; 2609 nft_last_rule(chain, blob->data); 2610 2611 return blob; 2612 } 2613 2614 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 2615 const struct nft_chain_hook *hook, 2616 struct nft_chain *chain) 2617 { 2618 ops->pf = family; 2619 ops->hooknum = hook->num; 2620 ops->priority = hook->priority; 2621 ops->priv = chain; 2622 ops->hook = hook->type->hooks[ops->hooknum]; 2623 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES; 2624 } 2625 2626 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 2627 struct nft_chain_hook *hook, u32 flags) 2628 { 2629 struct nft_chain *chain; 2630 struct nf_hook_ops *ops; 2631 struct nft_hook *h; 2632 2633 basechain->type = hook->type; 2634 INIT_LIST_HEAD(&basechain->hook_list); 2635 chain = &basechain->chain; 2636 2637 if (nft_base_chain_netdev(family, hook->num)) { 2638 list_splice_init(&hook->list, &basechain->hook_list); 2639 list_for_each_entry(h, &basechain->hook_list, list) { 2640 list_for_each_entry(ops, &h->ops_list, list) 2641 nft_basechain_hook_init(ops, family, hook, chain); 2642 } 2643 } 2644 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 2645 2646 chain->flags |= NFT_CHAIN_BASE | flags; 2647 basechain->policy = NF_ACCEPT; 2648 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 2649 !nft_chain_offload_support(basechain)) { 2650 list_splice_init(&basechain->hook_list, &hook->list); 2651 return -EOPNOTSUPP; 2652 } 2653 2654 flow_block_init(&basechain->flow_block); 2655 2656 return 0; 2657 } 2658 2659 int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 2660 { 2661 int err; 2662 2663 err = rhltable_insert_key(&table->chains_ht, chain->name, 2664 &chain->rhlhead, nft_chain_ht_params); 2665 if (err) 2666 return err; 2667 2668 list_add_tail_rcu(&chain->list, &table->chains); 2669 2670 return 0; 2671 } 2672 2673 static u64 chain_id; 2674 2675 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 policy, 2676 u32 flags, struct netlink_ext_ack *extack) 2677 { 2678 const struct nlattr * const *nla = ctx->nla; 2679 struct nft_table *table = ctx->table; 2680 struct nft_base_chain *basechain; 2681 struct net *net = ctx->net; 2682 char name[NFT_NAME_MAXLEN]; 2683 struct nft_rule_blob *blob; 2684 struct nft_trans *trans; 2685 struct nft_chain *chain; 2686 int err; 2687 2688 if (nla[NFTA_CHAIN_HOOK]) { 2689 struct nft_stats __percpu *stats = NULL; 2690 struct nft_chain_hook hook = {}; 2691 2692 if (table->flags & __NFT_TABLE_F_UPDATE) 2693 return -EINVAL; 2694 2695 if (flags & NFT_CHAIN_BINDING) 2696 return -EOPNOTSUPP; 2697 2698 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags, 2699 extack); 2700 if (err < 0) 2701 return err; 2702 2703 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT); 2704 if (basechain == NULL) { 2705 nft_chain_release_hook(&hook); 2706 return -ENOMEM; 2707 } 2708 chain = &basechain->chain; 2709 2710 if (nla[NFTA_CHAIN_COUNTERS]) { 2711 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2712 if (IS_ERR_PCPU(stats)) { 2713 nft_chain_release_hook(&hook); 2714 kfree(basechain); 2715 return PTR_ERR_PCPU(stats); 2716 } 2717 rcu_assign_pointer(basechain->stats, stats); 2718 } 2719 2720 err = nft_basechain_init(basechain, family, &hook, flags); 2721 if (err < 0) { 2722 nft_chain_release_hook(&hook); 2723 kfree(basechain); 2724 free_percpu(stats); 2725 return err; 2726 } 2727 if (stats) 2728 static_branch_inc(&nft_counters_enabled); 2729 } else { 2730 if (flags & NFT_CHAIN_BASE) 2731 return -EINVAL; 2732 if (flags & NFT_CHAIN_HW_OFFLOAD) 2733 return -EOPNOTSUPP; 2734 2735 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT); 2736 if (chain == NULL) 2737 return -ENOMEM; 2738 2739 chain->flags = flags; 2740 } 2741 ctx->chain = chain; 2742 2743 INIT_LIST_HEAD(&chain->rules); 2744 chain->handle = nf_tables_alloc_handle(table); 2745 chain->table = table; 2746 2747 if (nla[NFTA_CHAIN_NAME]) { 2748 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2749 } else { 2750 if (!(flags & NFT_CHAIN_BINDING)) { 2751 err = -EINVAL; 2752 goto err_destroy_chain; 2753 } 2754 2755 snprintf(name, sizeof(name), "__chain%llu", ++chain_id); 2756 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT); 2757 } 2758 2759 if (!chain->name) { 2760 err = -ENOMEM; 2761 goto err_destroy_chain; 2762 } 2763 2764 if (nla[NFTA_CHAIN_USERDATA]) { 2765 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT); 2766 if (chain->udata == NULL) { 2767 err = -ENOMEM; 2768 goto err_destroy_chain; 2769 } 2770 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]); 2771 } 2772 2773 blob = nf_tables_chain_alloc_rules(chain, 0); 2774 if (!blob) { 2775 err = -ENOMEM; 2776 goto err_destroy_chain; 2777 } 2778 2779 RCU_INIT_POINTER(chain->blob_gen_0, blob); 2780 RCU_INIT_POINTER(chain->blob_gen_1, blob); 2781 2782 if (!nft_use_inc(&table->use)) { 2783 err = -EMFILE; 2784 goto err_destroy_chain; 2785 } 2786 2787 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 2788 if (IS_ERR(trans)) { 2789 err = PTR_ERR(trans); 2790 goto err_trans; 2791 } 2792 2793 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 2794 if (nft_is_base_chain(chain)) 2795 nft_trans_chain_policy(trans) = policy; 2796 2797 err = nft_chain_add(table, chain); 2798 if (err < 0) 2799 goto err_chain_add; 2800 2801 /* This must be LAST to ensure no packets are walking over this chain. */ 2802 err = nf_tables_register_hook(net, table, chain); 2803 if (err < 0) 2804 goto err_register_hook; 2805 2806 return 0; 2807 2808 err_register_hook: 2809 nft_chain_del(chain); 2810 err_chain_add: 2811 nft_trans_destroy(trans); 2812 err_trans: 2813 nft_use_dec_restore(&table->use); 2814 err_destroy_chain: 2815 nf_tables_chain_destroy(chain); 2816 2817 return err; 2818 } 2819 2820 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2821 u32 flags, const struct nlattr *attr, 2822 struct netlink_ext_ack *extack) 2823 { 2824 const struct nlattr * const *nla = ctx->nla; 2825 struct nft_base_chain *basechain = NULL; 2826 struct nft_table *table = ctx->table; 2827 struct nft_chain *chain = ctx->chain; 2828 struct nft_chain_hook hook = {}; 2829 struct nft_stats __percpu *stats = NULL; 2830 struct nftables_pernet *nft_net; 2831 struct nft_hook *h, *next; 2832 struct nf_hook_ops *ops; 2833 struct nft_trans *trans; 2834 bool unregister = false; 2835 int err; 2836 2837 if (chain->flags ^ flags) 2838 return -EOPNOTSUPP; 2839 2840 INIT_LIST_HEAD(&hook.list); 2841 2842 if (nla[NFTA_CHAIN_HOOK]) { 2843 if (!nft_is_base_chain(chain)) { 2844 NL_SET_BAD_ATTR(extack, attr); 2845 return -EEXIST; 2846 } 2847 2848 basechain = nft_base_chain(chain); 2849 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook, 2850 ctx->family, flags, extack); 2851 if (err < 0) 2852 return err; 2853 2854 if (basechain->type != hook.type) { 2855 nft_chain_release_hook(&hook); 2856 NL_SET_BAD_ATTR(extack, attr); 2857 return -EEXIST; 2858 } 2859 2860 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) { 2861 list_for_each_entry_safe(h, next, &hook.list, list) { 2862 list_for_each_entry(ops, &h->ops_list, list) { 2863 ops->pf = basechain->ops.pf; 2864 ops->hooknum = basechain->ops.hooknum; 2865 ops->priority = basechain->ops.priority; 2866 ops->priv = basechain->ops.priv; 2867 ops->hook = basechain->ops.hook; 2868 } 2869 2870 if (nft_hook_list_find(&basechain->hook_list, h)) { 2871 list_del(&h->list); 2872 nft_netdev_hook_free(h); 2873 continue; 2874 } 2875 2876 nft_net = nft_pernet(ctx->net); 2877 list_for_each_entry(trans, &nft_net->commit_list, list) { 2878 if (trans->msg_type != NFT_MSG_NEWCHAIN || 2879 trans->table != ctx->table || 2880 !nft_trans_chain_update(trans)) 2881 continue; 2882 2883 if (nft_hook_list_find(&nft_trans_chain_hooks(trans), h)) { 2884 nft_chain_release_hook(&hook); 2885 return -EEXIST; 2886 } 2887 } 2888 } 2889 } else { 2890 ops = &basechain->ops; 2891 if (ops->hooknum != hook.num || 2892 ops->priority != hook.priority) { 2893 nft_chain_release_hook(&hook); 2894 NL_SET_BAD_ATTR(extack, attr); 2895 return -EEXIST; 2896 } 2897 } 2898 } 2899 2900 if (nla[NFTA_CHAIN_HANDLE] && 2901 nla[NFTA_CHAIN_NAME]) { 2902 struct nft_chain *chain2; 2903 2904 chain2 = nft_chain_lookup(ctx->net, table, 2905 nla[NFTA_CHAIN_NAME], genmask); 2906 if (!IS_ERR(chain2)) { 2907 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2908 err = -EEXIST; 2909 goto err_hooks; 2910 } 2911 } 2912 2913 if (table->flags & __NFT_TABLE_F_UPDATE && 2914 !list_empty(&hook.list)) { 2915 NL_SET_BAD_ATTR(extack, attr); 2916 err = -EOPNOTSUPP; 2917 goto err_hooks; 2918 } 2919 2920 if (!(table->flags & NFT_TABLE_F_DORMANT) && 2921 nft_is_base_chain(chain) && 2922 !list_empty(&hook.list)) { 2923 basechain = nft_base_chain(chain); 2924 ops = &basechain->ops; 2925 2926 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) { 2927 err = nft_netdev_register_hooks(ctx->net, &hook.list); 2928 if (err < 0) 2929 goto err_hooks; 2930 2931 unregister = true; 2932 } 2933 } 2934 2935 if (nla[NFTA_CHAIN_COUNTERS]) { 2936 if (!nft_is_base_chain(chain)) { 2937 err = -EOPNOTSUPP; 2938 goto err_hooks; 2939 } 2940 2941 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2942 if (IS_ERR_PCPU(stats)) { 2943 err = PTR_ERR_PCPU(stats); 2944 goto err_hooks; 2945 } 2946 } 2947 2948 err = -ENOMEM; 2949 trans = nft_trans_alloc_chain(ctx, NFT_MSG_NEWCHAIN); 2950 if (trans == NULL) 2951 goto err_trans; 2952 2953 nft_trans_chain_stats(trans) = stats; 2954 nft_trans_chain_update(trans) = true; 2955 2956 if (nla[NFTA_CHAIN_POLICY]) 2957 nft_trans_chain_policy(trans) = policy; 2958 else 2959 nft_trans_chain_policy(trans) = -1; 2960 2961 if (nla[NFTA_CHAIN_HANDLE] && 2962 nla[NFTA_CHAIN_NAME]) { 2963 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 2964 struct nft_trans *tmp; 2965 char *name; 2966 2967 err = -ENOMEM; 2968 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2969 if (!name) 2970 goto err_trans; 2971 2972 err = -EEXIST; 2973 list_for_each_entry(tmp, &nft_net->commit_list, list) { 2974 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2975 tmp->table == table && 2976 nft_trans_chain_update(tmp) && 2977 nft_trans_chain_name(tmp) && 2978 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2979 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2980 kfree(name); 2981 goto err_trans; 2982 } 2983 } 2984 2985 nft_trans_chain_name(trans) = name; 2986 } 2987 2988 nft_trans_basechain(trans) = basechain; 2989 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans)); 2990 list_splice(&hook.list, &nft_trans_chain_hooks(trans)); 2991 if (nla[NFTA_CHAIN_HOOK]) 2992 module_put(hook.type->owner); 2993 2994 nft_trans_commit_list_add_tail(ctx->net, trans); 2995 2996 return 0; 2997 2998 err_trans: 2999 free_percpu(stats); 3000 kfree(trans); 3001 err_hooks: 3002 if (nla[NFTA_CHAIN_HOOK]) { 3003 list_for_each_entry_safe(h, next, &hook.list, list) { 3004 if (unregister) { 3005 list_for_each_entry(ops, &h->ops_list, list) 3006 nf_unregister_net_hook(ctx->net, ops); 3007 } 3008 list_del(&h->list); 3009 nft_netdev_hook_free_rcu(h); 3010 } 3011 module_put(hook.type->owner); 3012 } 3013 3014 return err; 3015 } 3016 3017 static struct nft_chain *nft_chain_lookup_byid(const struct net *net, 3018 const struct nft_table *table, 3019 const struct nlattr *nla, u8 genmask) 3020 { 3021 struct nftables_pernet *nft_net = nft_pernet(net); 3022 u32 id = ntohl(nla_get_be32(nla)); 3023 struct nft_trans *trans; 3024 3025 list_for_each_entry(trans, &nft_net->commit_list, list) { 3026 if (trans->msg_type == NFT_MSG_NEWCHAIN && 3027 nft_trans_chain(trans)->table == table && 3028 id == nft_trans_chain_id(trans) && 3029 nft_active_genmask(nft_trans_chain(trans), genmask)) 3030 return nft_trans_chain(trans); 3031 } 3032 return ERR_PTR(-ENOENT); 3033 } 3034 3035 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info, 3036 const struct nlattr * const nla[]) 3037 { 3038 struct nftables_pernet *nft_net = nft_pernet(info->net); 3039 struct netlink_ext_ack *extack = info->extack; 3040 u8 genmask = nft_genmask_next(info->net); 3041 u8 family = info->nfmsg->nfgen_family; 3042 struct nft_chain *chain = NULL; 3043 struct net *net = info->net; 3044 const struct nlattr *attr; 3045 struct nft_table *table; 3046 u8 policy = NF_ACCEPT; 3047 struct nft_ctx ctx; 3048 u64 handle = 0; 3049 u32 flags = 0; 3050 3051 lockdep_assert_held(&nft_net->commit_mutex); 3052 3053 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 3054 NETLINK_CB(skb).portid); 3055 if (IS_ERR(table)) { 3056 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 3057 return PTR_ERR(table); 3058 } 3059 3060 chain = NULL; 3061 attr = nla[NFTA_CHAIN_NAME]; 3062 3063 if (nla[NFTA_CHAIN_HANDLE]) { 3064 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 3065 chain = nft_chain_lookup_byhandle(table, handle, genmask); 3066 if (IS_ERR(chain)) { 3067 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 3068 return PTR_ERR(chain); 3069 } 3070 attr = nla[NFTA_CHAIN_HANDLE]; 3071 } else if (nla[NFTA_CHAIN_NAME]) { 3072 chain = nft_chain_lookup(net, table, attr, genmask); 3073 if (IS_ERR(chain)) { 3074 if (PTR_ERR(chain) != -ENOENT) { 3075 NL_SET_BAD_ATTR(extack, attr); 3076 return PTR_ERR(chain); 3077 } 3078 chain = NULL; 3079 } 3080 } else if (!nla[NFTA_CHAIN_ID]) { 3081 return -EINVAL; 3082 } 3083 3084 if (nla[NFTA_CHAIN_POLICY]) { 3085 if (chain != NULL && 3086 !nft_is_base_chain(chain)) { 3087 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 3088 return -EOPNOTSUPP; 3089 } 3090 3091 if (chain == NULL && 3092 nla[NFTA_CHAIN_HOOK] == NULL) { 3093 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 3094 return -EOPNOTSUPP; 3095 } 3096 3097 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 3098 switch (policy) { 3099 case NF_DROP: 3100 case NF_ACCEPT: 3101 break; 3102 default: 3103 return -EINVAL; 3104 } 3105 } 3106 3107 if (nla[NFTA_CHAIN_FLAGS]) 3108 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 3109 else if (chain) 3110 flags = chain->flags; 3111 3112 if (flags & ~NFT_CHAIN_FLAGS) 3113 return -EOPNOTSUPP; 3114 3115 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3116 3117 if (chain != NULL) { 3118 if (chain->flags & NFT_CHAIN_BINDING) 3119 return -EINVAL; 3120 3121 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 3122 NL_SET_BAD_ATTR(extack, attr); 3123 return -EEXIST; 3124 } 3125 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 3126 return -EOPNOTSUPP; 3127 3128 flags |= chain->flags & NFT_CHAIN_BASE; 3129 return nf_tables_updchain(&ctx, genmask, policy, flags, attr, 3130 extack); 3131 } 3132 3133 return nf_tables_addchain(&ctx, family, policy, flags, extack); 3134 } 3135 3136 static int nft_delchain_hook(struct nft_ctx *ctx, 3137 struct nft_base_chain *basechain, 3138 struct netlink_ext_ack *extack) 3139 { 3140 const struct nft_chain *chain = &basechain->chain; 3141 const struct nlattr * const *nla = ctx->nla; 3142 struct nft_chain_hook chain_hook = {}; 3143 struct nft_hook *this, *hook; 3144 LIST_HEAD(chain_del_list); 3145 struct nft_trans *trans; 3146 int err; 3147 3148 if (ctx->table->flags & __NFT_TABLE_F_UPDATE) 3149 return -EOPNOTSUPP; 3150 3151 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook, 3152 ctx->family, chain->flags, extack); 3153 if (err < 0) 3154 return err; 3155 3156 list_for_each_entry(this, &chain_hook.list, list) { 3157 hook = nft_hook_list_find(&basechain->hook_list, this); 3158 if (!hook) { 3159 err = -ENOENT; 3160 goto err_chain_del_hook; 3161 } 3162 list_move(&hook->list, &chain_del_list); 3163 } 3164 3165 trans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN); 3166 if (!trans) { 3167 err = -ENOMEM; 3168 goto err_chain_del_hook; 3169 } 3170 3171 nft_trans_basechain(trans) = basechain; 3172 nft_trans_chain_update(trans) = true; 3173 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans)); 3174 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans)); 3175 nft_chain_release_hook(&chain_hook); 3176 3177 nft_trans_commit_list_add_tail(ctx->net, trans); 3178 3179 return 0; 3180 3181 err_chain_del_hook: 3182 list_splice(&chain_del_list, &basechain->hook_list); 3183 nft_chain_release_hook(&chain_hook); 3184 3185 return err; 3186 } 3187 3188 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info, 3189 const struct nlattr * const nla[]) 3190 { 3191 struct netlink_ext_ack *extack = info->extack; 3192 u8 genmask = nft_genmask_next(info->net); 3193 u8 family = info->nfmsg->nfgen_family; 3194 struct net *net = info->net; 3195 const struct nlattr *attr; 3196 struct nft_table *table; 3197 struct nft_chain *chain; 3198 struct nft_rule *rule; 3199 struct nft_ctx ctx; 3200 u64 handle; 3201 u32 use; 3202 int err; 3203 3204 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 3205 NETLINK_CB(skb).portid); 3206 if (IS_ERR(table)) { 3207 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 3208 return PTR_ERR(table); 3209 } 3210 3211 if (nla[NFTA_CHAIN_HANDLE]) { 3212 attr = nla[NFTA_CHAIN_HANDLE]; 3213 handle = be64_to_cpu(nla_get_be64(attr)); 3214 chain = nft_chain_lookup_byhandle(table, handle, genmask); 3215 } else { 3216 attr = nla[NFTA_CHAIN_NAME]; 3217 chain = nft_chain_lookup(net, table, attr, genmask); 3218 } 3219 if (IS_ERR(chain)) { 3220 if (PTR_ERR(chain) == -ENOENT && 3221 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN) 3222 return 0; 3223 3224 NL_SET_BAD_ATTR(extack, attr); 3225 return PTR_ERR(chain); 3226 } 3227 3228 if (nft_chain_binding(chain)) 3229 return -EOPNOTSUPP; 3230 3231 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3232 3233 if (nla[NFTA_CHAIN_HOOK]) { 3234 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN || 3235 chain->flags & NFT_CHAIN_HW_OFFLOAD) 3236 return -EOPNOTSUPP; 3237 3238 if (nft_is_base_chain(chain)) { 3239 struct nft_base_chain *basechain = nft_base_chain(chain); 3240 3241 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 3242 return nft_delchain_hook(&ctx, basechain, extack); 3243 } 3244 } 3245 3246 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 3247 chain->use > 0) 3248 return -EBUSY; 3249 3250 use = chain->use; 3251 list_for_each_entry(rule, &chain->rules, list) { 3252 if (!nft_is_active_next(net, rule)) 3253 continue; 3254 use--; 3255 3256 err = nft_delrule(&ctx, rule); 3257 if (err < 0) 3258 return err; 3259 } 3260 3261 /* There are rules and elements that are still holding references to us, 3262 * we cannot do a recursive removal in this case. 3263 */ 3264 if (use > 0) { 3265 NL_SET_BAD_ATTR(extack, attr); 3266 return -EBUSY; 3267 } 3268 3269 return nft_delchain(&ctx); 3270 } 3271 3272 /* 3273 * Expressions 3274 */ 3275 3276 /** 3277 * nft_register_expr - register nf_tables expr type 3278 * @type: expr type 3279 * 3280 * Registers the expr type for use with nf_tables. Returns zero on 3281 * success or a negative errno code otherwise. 3282 */ 3283 int nft_register_expr(struct nft_expr_type *type) 3284 { 3285 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR)) 3286 return -ENOMEM; 3287 3288 nfnl_lock(NFNL_SUBSYS_NFTABLES); 3289 if (type->family == NFPROTO_UNSPEC) 3290 list_add_tail_rcu(&type->list, &nf_tables_expressions); 3291 else 3292 list_add_rcu(&type->list, &nf_tables_expressions); 3293 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3294 return 0; 3295 } 3296 EXPORT_SYMBOL_GPL(nft_register_expr); 3297 3298 /** 3299 * nft_unregister_expr - unregister nf_tables expr type 3300 * @type: expr type 3301 * 3302 * Unregisters the expr typefor use with nf_tables. 3303 */ 3304 void nft_unregister_expr(struct nft_expr_type *type) 3305 { 3306 nfnl_lock(NFNL_SUBSYS_NFTABLES); 3307 list_del_rcu(&type->list); 3308 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3309 } 3310 EXPORT_SYMBOL_GPL(nft_unregister_expr); 3311 3312 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 3313 struct nlattr *nla) 3314 { 3315 const struct nft_expr_type *type, *candidate = NULL; 3316 3317 list_for_each_entry_rcu(type, &nf_tables_expressions, list) { 3318 if (!nla_strcmp(nla, type->name)) { 3319 if (!type->family && !candidate) 3320 candidate = type; 3321 else if (type->family == family) 3322 candidate = type; 3323 } 3324 } 3325 return candidate; 3326 } 3327 3328 #ifdef CONFIG_MODULES 3329 static int nft_expr_type_request_module(struct net *net, u8 family, 3330 struct nlattr *nla) 3331 { 3332 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 3333 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 3334 return -EAGAIN; 3335 3336 return 0; 3337 } 3338 #endif 3339 3340 static const struct nft_expr_type *nft_expr_type_get(struct net *net, 3341 u8 family, 3342 struct nlattr *nla) 3343 { 3344 const struct nft_expr_type *type; 3345 3346 if (nla == NULL) 3347 return ERR_PTR(-EINVAL); 3348 3349 rcu_read_lock(); 3350 type = __nft_expr_type_get(family, nla); 3351 if (type != NULL && try_module_get(type->owner)) { 3352 rcu_read_unlock(); 3353 return type; 3354 } 3355 rcu_read_unlock(); 3356 3357 lockdep_nfnl_nft_mutex_not_held(); 3358 #ifdef CONFIG_MODULES 3359 if (type == NULL) { 3360 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 3361 return ERR_PTR(-EAGAIN); 3362 3363 if (nft_request_module(net, "nft-expr-%.*s", 3364 nla_len(nla), 3365 (char *)nla_data(nla)) == -EAGAIN) 3366 return ERR_PTR(-EAGAIN); 3367 } 3368 #endif 3369 return ERR_PTR(-ENOENT); 3370 } 3371 3372 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 3373 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 3374 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 3375 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 3376 }; 3377 3378 static int nf_tables_fill_expr_info(struct sk_buff *skb, 3379 const struct nft_expr *expr, bool reset) 3380 { 3381 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 3382 goto nla_put_failure; 3383 3384 if (expr->ops->dump) { 3385 struct nlattr *data = nla_nest_start_noflag(skb, 3386 NFTA_EXPR_DATA); 3387 if (data == NULL) 3388 goto nla_put_failure; 3389 if (expr->ops->dump(skb, expr, reset) < 0) 3390 goto nla_put_failure; 3391 nla_nest_end(skb, data); 3392 } 3393 3394 return skb->len; 3395 3396 nla_put_failure: 3397 return -1; 3398 }; 3399 3400 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 3401 const struct nft_expr *expr, bool reset) 3402 { 3403 struct nlattr *nest; 3404 3405 nest = nla_nest_start_noflag(skb, attr); 3406 if (!nest) 3407 goto nla_put_failure; 3408 if (nf_tables_fill_expr_info(skb, expr, reset) < 0) 3409 goto nla_put_failure; 3410 nla_nest_end(skb, nest); 3411 return 0; 3412 3413 nla_put_failure: 3414 return -1; 3415 } 3416 3417 struct nft_expr_info { 3418 const struct nft_expr_ops *ops; 3419 const struct nlattr *attr; 3420 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 3421 }; 3422 3423 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 3424 const struct nlattr *nla, 3425 struct nft_expr_info *info) 3426 { 3427 const struct nft_expr_type *type; 3428 const struct nft_expr_ops *ops; 3429 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 3430 int err; 3431 3432 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 3433 nft_expr_policy, NULL); 3434 if (err < 0) 3435 return err; 3436 3437 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 3438 if (IS_ERR(type)) 3439 return PTR_ERR(type); 3440 3441 if (tb[NFTA_EXPR_DATA]) { 3442 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 3443 tb[NFTA_EXPR_DATA], 3444 type->policy, NULL); 3445 if (err < 0) 3446 goto err1; 3447 } else 3448 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 3449 3450 if (type->select_ops != NULL) { 3451 ops = type->select_ops(ctx, 3452 (const struct nlattr * const *)info->tb); 3453 if (IS_ERR(ops)) { 3454 err = PTR_ERR(ops); 3455 #ifdef CONFIG_MODULES 3456 if (err == -EAGAIN) 3457 if (nft_expr_type_request_module(ctx->net, 3458 ctx->family, 3459 tb[NFTA_EXPR_NAME]) != -EAGAIN) 3460 err = -ENOENT; 3461 #endif 3462 goto err1; 3463 } 3464 } else 3465 ops = type->ops; 3466 3467 info->attr = nla; 3468 info->ops = ops; 3469 3470 return 0; 3471 3472 err1: 3473 module_put(type->owner); 3474 return err; 3475 } 3476 3477 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla, 3478 struct nft_expr_info *info) 3479 { 3480 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 3481 const struct nft_expr_type *type; 3482 int err; 3483 3484 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 3485 nft_expr_policy, NULL); 3486 if (err < 0) 3487 return err; 3488 3489 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME]) 3490 return -EINVAL; 3491 3492 rcu_read_lock(); 3493 3494 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]); 3495 if (!type) { 3496 err = -ENOENT; 3497 goto out_unlock; 3498 } 3499 3500 if (!type->inner_ops) { 3501 err = -EOPNOTSUPP; 3502 goto out_unlock; 3503 } 3504 3505 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 3506 tb[NFTA_EXPR_DATA], 3507 type->policy, NULL); 3508 if (err < 0) 3509 goto out_unlock; 3510 3511 info->attr = nla; 3512 info->ops = type->inner_ops; 3513 3514 /* No module reference will be taken on type->owner. 3515 * Presence of type->inner_ops implies that the expression 3516 * is builtin, so it cannot go away. 3517 */ 3518 rcu_read_unlock(); 3519 return 0; 3520 3521 out_unlock: 3522 rcu_read_unlock(); 3523 return err; 3524 } 3525 3526 static int nf_tables_newexpr(const struct nft_ctx *ctx, 3527 const struct nft_expr_info *expr_info, 3528 struct nft_expr *expr) 3529 { 3530 const struct nft_expr_ops *ops = expr_info->ops; 3531 int err; 3532 3533 expr->ops = ops; 3534 if (ops->init) { 3535 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb); 3536 if (err < 0) 3537 goto err1; 3538 } 3539 3540 return 0; 3541 err1: 3542 expr->ops = NULL; 3543 return err; 3544 } 3545 3546 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 3547 struct nft_expr *expr) 3548 { 3549 const struct nft_expr_type *type = expr->ops->type; 3550 3551 if (expr->ops->destroy) 3552 expr->ops->destroy(ctx, expr); 3553 module_put(type->owner); 3554 } 3555 3556 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 3557 const struct nlattr *nla) 3558 { 3559 struct nft_expr_info expr_info; 3560 struct nft_expr *expr; 3561 struct module *owner; 3562 int err; 3563 3564 err = nf_tables_expr_parse(ctx, nla, &expr_info); 3565 if (err < 0) 3566 goto err_expr_parse; 3567 3568 err = -EOPNOTSUPP; 3569 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL)) 3570 goto err_expr_stateful; 3571 3572 err = -ENOMEM; 3573 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT); 3574 if (expr == NULL) 3575 goto err_expr_stateful; 3576 3577 err = nf_tables_newexpr(ctx, &expr_info, expr); 3578 if (err < 0) 3579 goto err_expr_new; 3580 3581 return expr; 3582 err_expr_new: 3583 kfree(expr); 3584 err_expr_stateful: 3585 owner = expr_info.ops->type->owner; 3586 if (expr_info.ops->type->release_ops) 3587 expr_info.ops->type->release_ops(expr_info.ops); 3588 3589 module_put(owner); 3590 err_expr_parse: 3591 return ERR_PTR(err); 3592 } 3593 3594 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp) 3595 { 3596 int err; 3597 3598 if (WARN_ON_ONCE(!src->ops->clone)) 3599 return -EINVAL; 3600 3601 dst->ops = src->ops; 3602 err = src->ops->clone(dst, src, gfp); 3603 if (err < 0) 3604 return err; 3605 3606 __module_get(src->ops->type->owner); 3607 3608 return 0; 3609 } 3610 3611 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 3612 { 3613 nf_tables_expr_destroy(ctx, expr); 3614 kfree(expr); 3615 } 3616 3617 /* 3618 * Rules 3619 */ 3620 3621 static struct nft_rule *__nft_rule_lookup(const struct net *net, 3622 const struct nft_chain *chain, 3623 u64 handle) 3624 { 3625 struct nft_rule *rule; 3626 3627 // FIXME: this sucks 3628 list_for_each_entry_rcu(rule, &chain->rules, list, 3629 lockdep_commit_lock_is_held(net)) { 3630 if (handle == rule->handle) 3631 return rule; 3632 } 3633 3634 return ERR_PTR(-ENOENT); 3635 } 3636 3637 static struct nft_rule *nft_rule_lookup(const struct net *net, 3638 const struct nft_chain *chain, 3639 const struct nlattr *nla) 3640 { 3641 if (nla == NULL) 3642 return ERR_PTR(-EINVAL); 3643 3644 return __nft_rule_lookup(net, chain, be64_to_cpu(nla_get_be64(nla))); 3645 } 3646 3647 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 3648 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 3649 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3650 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 3651 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 3652 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 3653 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy), 3654 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 3655 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 3656 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 3657 .len = NFT_USERDATA_MAXLEN }, 3658 [NFTA_RULE_ID] = { .type = NLA_U32 }, 3659 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 3660 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 }, 3661 }; 3662 3663 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 3664 u32 portid, u32 seq, int event, 3665 u32 flags, int family, 3666 const struct nft_table *table, 3667 const struct nft_chain *chain, 3668 const struct nft_rule *rule, u64 handle, 3669 bool reset) 3670 { 3671 struct nlmsghdr *nlh; 3672 const struct nft_expr *expr, *next; 3673 struct nlattr *list; 3674 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3675 3676 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, 3677 nft_base_seq_be16(net)); 3678 if (!nlh) 3679 goto nla_put_failure; 3680 3681 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 3682 goto nla_put_failure; 3683 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 3684 goto nla_put_failure; 3685 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 3686 NFTA_RULE_PAD)) 3687 goto nla_put_failure; 3688 3689 if (event != NFT_MSG_DELRULE && handle) { 3690 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle), 3691 NFTA_RULE_PAD)) 3692 goto nla_put_failure; 3693 } 3694 3695 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) 3696 nft_flow_rule_stats(chain, rule); 3697 3698 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 3699 if (list == NULL) 3700 goto nla_put_failure; 3701 nft_rule_for_each_expr(expr, next, rule) { 3702 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0) 3703 goto nla_put_failure; 3704 } 3705 nla_nest_end(skb, list); 3706 3707 if (rule->udata) { 3708 struct nft_userdata *udata = nft_userdata(rule); 3709 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 3710 udata->data) < 0) 3711 goto nla_put_failure; 3712 } 3713 3714 nlmsg_end(skb, nlh); 3715 return 0; 3716 3717 nla_put_failure: 3718 nlmsg_trim(skb, nlh); 3719 return -1; 3720 } 3721 3722 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 3723 const struct nft_rule *rule, int event) 3724 { 3725 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3726 const struct nft_rule *prule; 3727 struct sk_buff *skb; 3728 u64 handle = 0; 3729 u16 flags = 0; 3730 int err; 3731 3732 if (!ctx->report && 3733 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3734 return; 3735 3736 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 3737 if (skb == NULL) 3738 goto err; 3739 3740 if (event == NFT_MSG_NEWRULE && 3741 !list_is_first(&rule->list, &ctx->chain->rules) && 3742 !list_is_last(&rule->list, &ctx->chain->rules)) { 3743 prule = list_prev_entry(rule, list); 3744 handle = prule->handle; 3745 } 3746 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE)) 3747 flags |= NLM_F_APPEND; 3748 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 3749 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 3750 3751 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 3752 event, flags, ctx->family, ctx->table, 3753 ctx->chain, rule, handle, false); 3754 if (err < 0) { 3755 kfree_skb(skb); 3756 goto err; 3757 } 3758 3759 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 3760 return; 3761 err: 3762 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 3763 } 3764 3765 static void audit_log_rule_reset(const struct nft_table *table, 3766 unsigned int base_seq, 3767 unsigned int nentries) 3768 { 3769 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", 3770 table->name, base_seq); 3771 3772 audit_log_nfcfg(buf, table->family, nentries, 3773 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC); 3774 kfree(buf); 3775 } 3776 3777 struct nft_rule_dump_ctx { 3778 unsigned int s_idx; 3779 char *table; 3780 char *chain; 3781 bool reset; 3782 }; 3783 3784 static int __nf_tables_dump_rules(struct sk_buff *skb, 3785 unsigned int *idx, 3786 struct netlink_callback *cb, 3787 const struct nft_table *table, 3788 const struct nft_chain *chain) 3789 { 3790 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3791 struct net *net = sock_net(skb->sk); 3792 const struct nft_rule *rule, *prule; 3793 unsigned int entries = 0; 3794 int ret = 0; 3795 u64 handle; 3796 3797 prule = NULL; 3798 list_for_each_entry_rcu(rule, &chain->rules, list) { 3799 if (!nft_is_active(net, rule)) 3800 goto cont_skip; 3801 if (*idx < ctx->s_idx) 3802 goto cont; 3803 if (prule) 3804 handle = prule->handle; 3805 else 3806 handle = 0; 3807 3808 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 3809 cb->nlh->nlmsg_seq, 3810 NFT_MSG_NEWRULE, 3811 NLM_F_MULTI | NLM_F_APPEND, 3812 table->family, 3813 table, chain, rule, handle, ctx->reset) < 0) { 3814 ret = 1; 3815 break; 3816 } 3817 entries++; 3818 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3819 cont: 3820 prule = rule; 3821 cont_skip: 3822 (*idx)++; 3823 } 3824 3825 if (ctx->reset && entries) 3826 audit_log_rule_reset(table, cb->seq, entries); 3827 3828 return ret; 3829 } 3830 3831 static int nf_tables_dump_rules(struct sk_buff *skb, 3832 struct netlink_callback *cb) 3833 { 3834 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3835 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3836 struct nft_table *table; 3837 const struct nft_chain *chain; 3838 unsigned int idx = 0; 3839 struct net *net = sock_net(skb->sk); 3840 int family = nfmsg->nfgen_family; 3841 struct nftables_pernet *nft_net; 3842 3843 rcu_read_lock(); 3844 nft_net = nft_pernet(net); 3845 cb->seq = nft_base_seq(net); 3846 3847 list_for_each_entry_rcu(table, &nft_net->tables, list) { 3848 if (family != NFPROTO_UNSPEC && family != table->family) 3849 continue; 3850 3851 if (ctx->table && strcmp(ctx->table, table->name) != 0) 3852 continue; 3853 3854 if (ctx->table && ctx->chain) { 3855 struct rhlist_head *list, *tmp; 3856 3857 list = rhltable_lookup(&table->chains_ht, ctx->chain, 3858 nft_chain_ht_params); 3859 if (!list) 3860 goto done; 3861 3862 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 3863 if (!nft_is_active(net, chain)) 3864 continue; 3865 __nf_tables_dump_rules(skb, &idx, 3866 cb, table, chain); 3867 break; 3868 } 3869 goto done; 3870 } 3871 3872 list_for_each_entry_rcu(chain, &table->chains, list) { 3873 if (__nf_tables_dump_rules(skb, &idx, 3874 cb, table, chain)) 3875 goto done; 3876 } 3877 3878 if (ctx->table) 3879 break; 3880 } 3881 done: 3882 rcu_read_unlock(); 3883 3884 ctx->s_idx = idx; 3885 return skb->len; 3886 } 3887 3888 static int nf_tables_dumpreset_rules(struct sk_buff *skb, 3889 struct netlink_callback *cb) 3890 { 3891 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk)); 3892 int ret; 3893 3894 /* Mutex is held is to prevent that two concurrent dump-and-reset calls 3895 * do not underrun counters and quotas. The commit_mutex is used for 3896 * the lack a better lock, this is not transaction path. 3897 */ 3898 mutex_lock(&nft_net->commit_mutex); 3899 ret = nf_tables_dump_rules(skb, cb); 3900 mutex_unlock(&nft_net->commit_mutex); 3901 3902 return ret; 3903 } 3904 3905 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 3906 { 3907 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3908 const struct nlattr * const *nla = cb->data; 3909 3910 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx)); 3911 3912 if (nla[NFTA_RULE_TABLE]) { 3913 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC); 3914 if (!ctx->table) 3915 return -ENOMEM; 3916 } 3917 if (nla[NFTA_RULE_CHAIN]) { 3918 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC); 3919 if (!ctx->chain) { 3920 kfree(ctx->table); 3921 return -ENOMEM; 3922 } 3923 } 3924 return 0; 3925 } 3926 3927 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb) 3928 { 3929 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3930 3931 ctx->reset = true; 3932 3933 return nf_tables_dump_rules_start(cb); 3934 } 3935 3936 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 3937 { 3938 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3939 3940 kfree(ctx->table); 3941 kfree(ctx->chain); 3942 return 0; 3943 } 3944 3945 /* Caller must hold rcu read lock or transaction mutex */ 3946 static struct sk_buff * 3947 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info, 3948 const struct nlattr * const nla[], bool reset) 3949 { 3950 struct netlink_ext_ack *extack = info->extack; 3951 u8 genmask = nft_genmask_cur(info->net); 3952 u8 family = info->nfmsg->nfgen_family; 3953 const struct nft_chain *chain; 3954 const struct nft_rule *rule; 3955 struct net *net = info->net; 3956 struct nft_table *table; 3957 struct sk_buff *skb2; 3958 int err; 3959 3960 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0); 3961 if (IS_ERR(table)) { 3962 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3963 return ERR_CAST(table); 3964 } 3965 3966 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 3967 if (IS_ERR(chain)) { 3968 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3969 return ERR_CAST(chain); 3970 } 3971 3972 rule = nft_rule_lookup(net, chain, nla[NFTA_RULE_HANDLE]); 3973 if (IS_ERR(rule)) { 3974 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3975 return ERR_CAST(rule); 3976 } 3977 3978 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3979 if (!skb2) 3980 return ERR_PTR(-ENOMEM); 3981 3982 err = nf_tables_fill_rule_info(skb2, net, portid, 3983 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 3984 family, table, chain, rule, 0, reset); 3985 if (err < 0) { 3986 kfree_skb(skb2); 3987 return ERR_PTR(err); 3988 } 3989 3990 return skb2; 3991 } 3992 3993 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info, 3994 const struct nlattr * const nla[]) 3995 { 3996 u32 portid = NETLINK_CB(skb).portid; 3997 struct net *net = info->net; 3998 struct sk_buff *skb2; 3999 4000 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 4001 struct netlink_dump_control c = { 4002 .start= nf_tables_dump_rules_start, 4003 .dump = nf_tables_dump_rules, 4004 .done = nf_tables_dump_rules_done, 4005 .module = THIS_MODULE, 4006 .data = (void *)nla, 4007 }; 4008 4009 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 4010 } 4011 4012 skb2 = nf_tables_getrule_single(portid, info, nla, false); 4013 if (IS_ERR(skb2)) 4014 return PTR_ERR(skb2); 4015 4016 return nfnetlink_unicast(skb2, net, portid); 4017 } 4018 4019 static int nf_tables_getrule_reset(struct sk_buff *skb, 4020 const struct nfnl_info *info, 4021 const struct nlattr * const nla[]) 4022 { 4023 struct nftables_pernet *nft_net = nft_pernet(info->net); 4024 u32 portid = NETLINK_CB(skb).portid; 4025 struct net *net = info->net; 4026 struct sk_buff *skb2; 4027 char *buf; 4028 4029 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 4030 struct netlink_dump_control c = { 4031 .start= nf_tables_dumpreset_rules_start, 4032 .dump = nf_tables_dumpreset_rules, 4033 .done = nf_tables_dump_rules_done, 4034 .module = THIS_MODULE, 4035 .data = (void *)nla, 4036 }; 4037 4038 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 4039 } 4040 4041 if (!try_module_get(THIS_MODULE)) 4042 return -EINVAL; 4043 rcu_read_unlock(); 4044 mutex_lock(&nft_net->commit_mutex); 4045 skb2 = nf_tables_getrule_single(portid, info, nla, true); 4046 mutex_unlock(&nft_net->commit_mutex); 4047 rcu_read_lock(); 4048 module_put(THIS_MODULE); 4049 4050 if (IS_ERR(skb2)) 4051 return PTR_ERR(skb2); 4052 4053 buf = kasprintf(GFP_ATOMIC, "%.*s:%u", 4054 nla_len(nla[NFTA_RULE_TABLE]), 4055 (char *)nla_data(nla[NFTA_RULE_TABLE]), 4056 nft_base_seq(net)); 4057 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1, 4058 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC); 4059 kfree(buf); 4060 4061 return nfnetlink_unicast(skb2, net, portid); 4062 } 4063 4064 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) 4065 { 4066 struct nft_expr *expr, *next; 4067 4068 /* 4069 * Careful: some expressions might not be initialized in case this 4070 * is called on error from nf_tables_newrule(). 4071 */ 4072 expr = nft_expr_first(rule); 4073 while (nft_expr_more(rule, expr)) { 4074 next = nft_expr_next(expr); 4075 nf_tables_expr_destroy(ctx, expr); 4076 expr = next; 4077 } 4078 kfree(rule); 4079 } 4080 4081 /* can only be used if rule is no longer visible to dumps */ 4082 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 4083 { 4084 WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net)); 4085 4086 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 4087 nf_tables_rule_destroy(ctx, rule); 4088 } 4089 4090 /** nft_chain_validate - loop detection and hook validation 4091 * 4092 * @ctx: context containing call depth and base chain 4093 * @chain: chain to validate 4094 * 4095 * Walk through the rules of the given chain and chase all jumps/gotos 4096 * and set lookups until either the jump limit is hit or all reachable 4097 * chains have been validated. 4098 */ 4099 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 4100 { 4101 struct nft_expr *expr, *last; 4102 struct nft_rule *rule; 4103 int err; 4104 4105 if (ctx->level == NFT_JUMP_STACK_SIZE) 4106 return -EMLINK; 4107 4108 list_for_each_entry(rule, &chain->rules, list) { 4109 if (fatal_signal_pending(current)) 4110 return -EINTR; 4111 4112 if (!nft_is_active_next(ctx->net, rule)) 4113 continue; 4114 4115 nft_rule_for_each_expr(expr, last, rule) { 4116 if (!expr->ops->validate) 4117 continue; 4118 4119 /* This may call nft_chain_validate() recursively, 4120 * callers that do so must increment ctx->level. 4121 */ 4122 err = expr->ops->validate(ctx, expr); 4123 if (err < 0) 4124 return err; 4125 } 4126 } 4127 4128 return 0; 4129 } 4130 EXPORT_SYMBOL_GPL(nft_chain_validate); 4131 4132 static int nft_table_validate(struct net *net, const struct nft_table *table) 4133 { 4134 struct nft_chain *chain; 4135 struct nft_ctx ctx = { 4136 .net = net, 4137 .family = table->family, 4138 }; 4139 int err; 4140 4141 list_for_each_entry(chain, &table->chains, list) { 4142 if (!nft_is_base_chain(chain)) 4143 continue; 4144 4145 ctx.chain = chain; 4146 err = nft_chain_validate(&ctx, chain); 4147 if (err < 0) 4148 return err; 4149 4150 cond_resched(); 4151 } 4152 4153 return 0; 4154 } 4155 4156 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, 4157 const struct nft_set_iter *iter, 4158 struct nft_elem_priv *elem_priv) 4159 { 4160 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 4161 struct nft_ctx *pctx = (struct nft_ctx *)ctx; 4162 const struct nft_data *data; 4163 int err; 4164 4165 if (!nft_set_elem_active(ext, iter->genmask)) 4166 return 0; 4167 4168 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 4169 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 4170 return 0; 4171 4172 data = nft_set_ext_data(ext); 4173 switch (data->verdict.code) { 4174 case NFT_JUMP: 4175 case NFT_GOTO: 4176 pctx->level++; 4177 err = nft_chain_validate(ctx, data->verdict.chain); 4178 if (err < 0) 4179 return err; 4180 pctx->level--; 4181 break; 4182 default: 4183 break; 4184 } 4185 4186 return 0; 4187 } 4188 4189 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) 4190 { 4191 struct nft_set_iter dummy_iter = { 4192 .genmask = nft_genmask_next(ctx->net), 4193 }; 4194 struct nft_set_elem_catchall *catchall; 4195 4196 struct nft_set_ext *ext; 4197 int ret = 0; 4198 4199 list_for_each_entry_rcu(catchall, &set->catchall_list, list, 4200 lockdep_commit_lock_is_held(ctx->net)) { 4201 ext = nft_set_elem_ext(set, catchall->elem); 4202 if (!nft_set_elem_active(ext, dummy_iter.genmask)) 4203 continue; 4204 4205 ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem); 4206 if (ret < 0) 4207 return ret; 4208 } 4209 4210 return ret; 4211 } 4212 4213 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 4214 const struct nft_chain *chain, 4215 const struct nlattr *nla); 4216 4217 #define NFT_RULE_MAXEXPRS 128 4218 4219 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, 4220 const struct nlattr * const nla[]) 4221 { 4222 struct nftables_pernet *nft_net = nft_pernet(info->net); 4223 struct netlink_ext_ack *extack = info->extack; 4224 unsigned int size, i, n, ulen = 0, usize = 0; 4225 u8 genmask = nft_genmask_next(info->net); 4226 struct nft_rule *rule, *old_rule = NULL; 4227 struct nft_expr_info *expr_info = NULL; 4228 u8 family = info->nfmsg->nfgen_family; 4229 struct nft_flow_rule *flow = NULL; 4230 struct net *net = info->net; 4231 struct nft_userdata *udata; 4232 struct nft_table *table; 4233 struct nft_chain *chain; 4234 struct nft_trans *trans; 4235 u64 handle, pos_handle; 4236 struct nft_expr *expr; 4237 struct nft_ctx ctx; 4238 struct nlattr *tmp; 4239 int err, rem; 4240 4241 lockdep_assert_held(&nft_net->commit_mutex); 4242 4243 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 4244 NETLINK_CB(skb).portid); 4245 if (IS_ERR(table)) { 4246 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 4247 return PTR_ERR(table); 4248 } 4249 4250 if (nla[NFTA_RULE_CHAIN]) { 4251 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 4252 genmask); 4253 if (IS_ERR(chain)) { 4254 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 4255 return PTR_ERR(chain); 4256 } 4257 4258 } else if (nla[NFTA_RULE_CHAIN_ID]) { 4259 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID], 4260 genmask); 4261 if (IS_ERR(chain)) { 4262 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); 4263 return PTR_ERR(chain); 4264 } 4265 } else { 4266 return -EINVAL; 4267 } 4268 4269 if (nft_chain_is_bound(chain)) 4270 return -EOPNOTSUPP; 4271 4272 if (nla[NFTA_RULE_HANDLE]) { 4273 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 4274 rule = __nft_rule_lookup(net, chain, handle); 4275 if (IS_ERR(rule)) { 4276 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4277 return PTR_ERR(rule); 4278 } 4279 4280 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 4281 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4282 return -EEXIST; 4283 } 4284 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 4285 old_rule = rule; 4286 else 4287 return -EOPNOTSUPP; 4288 } else { 4289 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) || 4290 info->nlh->nlmsg_flags & NLM_F_REPLACE) 4291 return -EINVAL; 4292 handle = nf_tables_alloc_handle(table); 4293 4294 if (nla[NFTA_RULE_POSITION]) { 4295 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 4296 old_rule = __nft_rule_lookup(net, chain, pos_handle); 4297 if (IS_ERR(old_rule)) { 4298 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 4299 return PTR_ERR(old_rule); 4300 } 4301 } else if (nla[NFTA_RULE_POSITION_ID]) { 4302 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]); 4303 if (IS_ERR(old_rule)) { 4304 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 4305 return PTR_ERR(old_rule); 4306 } 4307 } 4308 } 4309 4310 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 4311 4312 n = 0; 4313 size = 0; 4314 if (nla[NFTA_RULE_EXPRESSIONS]) { 4315 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS, 4316 sizeof(struct nft_expr_info), 4317 GFP_KERNEL); 4318 if (!expr_info) 4319 return -ENOMEM; 4320 4321 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 4322 err = -EINVAL; 4323 if (nla_type(tmp) != NFTA_LIST_ELEM) 4324 goto err_release_expr; 4325 if (n == NFT_RULE_MAXEXPRS) 4326 goto err_release_expr; 4327 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]); 4328 if (err < 0) { 4329 NL_SET_BAD_ATTR(extack, tmp); 4330 goto err_release_expr; 4331 } 4332 size += expr_info[n].ops->size; 4333 n++; 4334 } 4335 } 4336 /* Check for overflow of dlen field */ 4337 err = -EFBIG; 4338 if (size >= 1 << 12) 4339 goto err_release_expr; 4340 4341 if (nla[NFTA_RULE_USERDATA]) { 4342 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 4343 if (ulen > 0) 4344 usize = sizeof(struct nft_userdata) + ulen; 4345 } 4346 4347 err = -ENOMEM; 4348 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT); 4349 if (rule == NULL) 4350 goto err_release_expr; 4351 4352 nft_activate_next(net, rule); 4353 4354 rule->handle = handle; 4355 rule->dlen = size; 4356 rule->udata = ulen ? 1 : 0; 4357 4358 if (ulen) { 4359 udata = nft_userdata(rule); 4360 udata->len = ulen - 1; 4361 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 4362 } 4363 4364 expr = nft_expr_first(rule); 4365 for (i = 0; i < n; i++) { 4366 err = nf_tables_newexpr(&ctx, &expr_info[i], expr); 4367 if (err < 0) { 4368 NL_SET_BAD_ATTR(extack, expr_info[i].attr); 4369 goto err_release_rule; 4370 } 4371 4372 if (expr_info[i].ops->validate) 4373 nft_validate_state_update(table, NFT_VALIDATE_NEED); 4374 4375 expr_info[i].ops = NULL; 4376 expr = nft_expr_next(expr); 4377 } 4378 4379 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 4380 flow = nft_flow_rule_create(net, rule); 4381 if (IS_ERR(flow)) { 4382 err = PTR_ERR(flow); 4383 goto err_release_rule; 4384 } 4385 } 4386 4387 if (!nft_use_inc(&chain->use)) { 4388 err = -EMFILE; 4389 goto err_release_rule; 4390 } 4391 4392 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { 4393 if (nft_chain_binding(chain)) { 4394 err = -EOPNOTSUPP; 4395 goto err_destroy_flow_rule; 4396 } 4397 4398 err = nft_delrule(&ctx, old_rule); 4399 if (err < 0) 4400 goto err_destroy_flow_rule; 4401 4402 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 4403 if (trans == NULL) { 4404 err = -ENOMEM; 4405 goto err_destroy_flow_rule; 4406 } 4407 list_add_tail_rcu(&rule->list, &old_rule->list); 4408 } else { 4409 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 4410 if (!trans) { 4411 err = -ENOMEM; 4412 goto err_destroy_flow_rule; 4413 } 4414 4415 if (info->nlh->nlmsg_flags & NLM_F_APPEND) { 4416 if (old_rule) 4417 list_add_rcu(&rule->list, &old_rule->list); 4418 else 4419 list_add_tail_rcu(&rule->list, &chain->rules); 4420 } else { 4421 if (old_rule) 4422 list_add_tail_rcu(&rule->list, &old_rule->list); 4423 else 4424 list_add_rcu(&rule->list, &chain->rules); 4425 } 4426 } 4427 kvfree(expr_info); 4428 4429 if (flow) 4430 nft_trans_flow_rule(trans) = flow; 4431 4432 if (table->validate_state == NFT_VALIDATE_DO) 4433 return nft_table_validate(net, table); 4434 4435 return 0; 4436 4437 err_destroy_flow_rule: 4438 nft_use_dec_restore(&chain->use); 4439 if (flow) 4440 nft_flow_rule_destroy(flow); 4441 err_release_rule: 4442 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR); 4443 nf_tables_rule_destroy(&ctx, rule); 4444 err_release_expr: 4445 for (i = 0; i < n; i++) { 4446 if (expr_info[i].ops) { 4447 module_put(expr_info[i].ops->type->owner); 4448 if (expr_info[i].ops->type->release_ops) 4449 expr_info[i].ops->type->release_ops(expr_info[i].ops); 4450 } 4451 } 4452 kvfree(expr_info); 4453 4454 return err; 4455 } 4456 4457 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 4458 const struct nft_chain *chain, 4459 const struct nlattr *nla) 4460 { 4461 struct nftables_pernet *nft_net = nft_pernet(net); 4462 u32 id = ntohl(nla_get_be32(nla)); 4463 struct nft_trans *trans; 4464 4465 list_for_each_entry(trans, &nft_net->commit_list, list) { 4466 if (trans->msg_type == NFT_MSG_NEWRULE && 4467 nft_trans_rule_chain(trans) == chain && 4468 id == nft_trans_rule_id(trans)) 4469 return nft_trans_rule(trans); 4470 } 4471 return ERR_PTR(-ENOENT); 4472 } 4473 4474 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, 4475 const struct nlattr * const nla[]) 4476 { 4477 struct netlink_ext_ack *extack = info->extack; 4478 u8 genmask = nft_genmask_next(info->net); 4479 u8 family = info->nfmsg->nfgen_family; 4480 struct nft_chain *chain = NULL; 4481 struct net *net = info->net; 4482 struct nft_table *table; 4483 struct nft_rule *rule; 4484 struct nft_ctx ctx; 4485 int err = 0; 4486 4487 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 4488 NETLINK_CB(skb).portid); 4489 if (IS_ERR(table)) { 4490 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 4491 return PTR_ERR(table); 4492 } 4493 4494 if (nla[NFTA_RULE_CHAIN]) { 4495 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 4496 genmask); 4497 if (IS_ERR(chain)) { 4498 if (PTR_ERR(chain) == -ENOENT && 4499 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE) 4500 return 0; 4501 4502 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 4503 return PTR_ERR(chain); 4504 } 4505 if (nft_chain_binding(chain)) 4506 return -EOPNOTSUPP; 4507 } 4508 4509 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 4510 4511 if (chain) { 4512 if (nla[NFTA_RULE_HANDLE]) { 4513 rule = nft_rule_lookup(info->net, chain, nla[NFTA_RULE_HANDLE]); 4514 if (IS_ERR(rule)) { 4515 if (PTR_ERR(rule) == -ENOENT && 4516 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE) 4517 return 0; 4518 4519 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4520 return PTR_ERR(rule); 4521 } 4522 4523 err = nft_delrule(&ctx, rule); 4524 } else if (nla[NFTA_RULE_ID]) { 4525 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]); 4526 if (IS_ERR(rule)) { 4527 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 4528 return PTR_ERR(rule); 4529 } 4530 4531 err = nft_delrule(&ctx, rule); 4532 } else { 4533 err = nft_delrule_by_chain(&ctx); 4534 } 4535 } else { 4536 list_for_each_entry(chain, &table->chains, list) { 4537 if (!nft_is_active_next(net, chain)) 4538 continue; 4539 if (nft_chain_binding(chain)) 4540 continue; 4541 4542 ctx.chain = chain; 4543 err = nft_delrule_by_chain(&ctx); 4544 if (err < 0) 4545 break; 4546 } 4547 } 4548 4549 return err; 4550 } 4551 4552 /* 4553 * Sets 4554 */ 4555 static const struct nft_set_type *nft_set_types[] = { 4556 &nft_set_hash_fast_type, 4557 &nft_set_hash_type, 4558 &nft_set_rhash_type, 4559 &nft_set_bitmap_type, 4560 &nft_set_rbtree_type, 4561 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 4562 &nft_set_pipapo_avx2_type, 4563 #endif 4564 &nft_set_pipapo_type, 4565 }; 4566 4567 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 4568 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 4569 NFT_SET_EVAL) 4570 4571 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 4572 { 4573 return (flags & type->features) == (flags & NFT_SET_FEATURES); 4574 } 4575 4576 /* 4577 * Select a set implementation based on the data characteristics and the 4578 * given policy. The total memory use might not be known if no size is 4579 * given, in that case the amount of memory per element is used. 4580 */ 4581 static const struct nft_set_ops * 4582 nft_select_set_ops(const struct nft_ctx *ctx, u32 flags, 4583 const struct nft_set_desc *desc) 4584 { 4585 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 4586 const struct nft_set_ops *ops, *bops; 4587 struct nft_set_estimate est, best; 4588 const struct nft_set_type *type; 4589 int i; 4590 4591 lockdep_assert_held(&nft_net->commit_mutex); 4592 lockdep_nfnl_nft_mutex_not_held(); 4593 4594 bops = NULL; 4595 best.size = ~0; 4596 best.lookup = ~0; 4597 best.space = ~0; 4598 4599 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 4600 type = nft_set_types[i]; 4601 ops = &type->ops; 4602 4603 if (!nft_set_ops_candidate(type, flags)) 4604 continue; 4605 if (!ops->estimate(desc, flags, &est)) 4606 continue; 4607 4608 switch (desc->policy) { 4609 case NFT_SET_POL_PERFORMANCE: 4610 if (est.lookup < best.lookup) 4611 break; 4612 if (est.lookup == best.lookup && 4613 est.space < best.space) 4614 break; 4615 continue; 4616 case NFT_SET_POL_MEMORY: 4617 if (!desc->size) { 4618 if (est.space < best.space) 4619 break; 4620 if (est.space == best.space && 4621 est.lookup < best.lookup) 4622 break; 4623 } else if (est.size < best.size || !bops) { 4624 break; 4625 } 4626 continue; 4627 default: 4628 break; 4629 } 4630 4631 bops = ops; 4632 best = est; 4633 } 4634 4635 if (bops != NULL) 4636 return bops; 4637 4638 return ERR_PTR(-EOPNOTSUPP); 4639 } 4640 4641 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 4642 [NFTA_SET_TABLE] = { .type = NLA_STRING, 4643 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4644 [NFTA_SET_NAME] = { .type = NLA_STRING, 4645 .len = NFT_SET_MAXNAMELEN - 1 }, 4646 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 4647 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 4648 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 4649 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 4650 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 4651 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 4652 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 4653 [NFTA_SET_ID] = { .type = NLA_U32 }, 4654 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 4655 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 4656 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 4657 .len = NFT_USERDATA_MAXLEN }, 4658 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 4659 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 4660 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 4661 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy), 4662 [NFTA_SET_TYPE] = { .type = NLA_REJECT }, 4663 [NFTA_SET_COUNT] = { .type = NLA_REJECT }, 4664 }; 4665 4666 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 4667 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 4668 }; 4669 4670 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 4671 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 4672 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy), 4673 }; 4674 4675 static struct nft_set *nft_set_lookup(const struct net *net, 4676 const struct nft_table *table, 4677 const struct nlattr *nla, u8 genmask) 4678 { 4679 struct nft_set *set; 4680 4681 if (nla == NULL) 4682 return ERR_PTR(-EINVAL); 4683 4684 list_for_each_entry_rcu(set, &table->sets, list, 4685 lockdep_commit_lock_is_held(net)) { 4686 if (!nla_strcmp(nla, set->name) && 4687 nft_active_genmask(set, genmask)) 4688 return set; 4689 } 4690 return ERR_PTR(-ENOENT); 4691 } 4692 4693 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 4694 const struct nlattr *nla, 4695 u8 genmask) 4696 { 4697 struct nft_set *set; 4698 4699 list_for_each_entry(set, &table->sets, list) { 4700 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 4701 nft_active_genmask(set, genmask)) 4702 return set; 4703 } 4704 return ERR_PTR(-ENOENT); 4705 } 4706 4707 static struct nft_set *nft_set_lookup_byid(const struct net *net, 4708 const struct nft_table *table, 4709 const struct nlattr *nla, u8 genmask) 4710 { 4711 struct nftables_pernet *nft_net = nft_pernet(net); 4712 u32 id = ntohl(nla_get_be32(nla)); 4713 struct nft_trans_set *trans; 4714 4715 /* its likely the id we need is at the tail, not at start */ 4716 list_for_each_entry_reverse(trans, &nft_net->commit_set_list, list_trans_newset) { 4717 struct nft_set *set = trans->set; 4718 4719 if (id == trans->set_id && 4720 set->table == table && 4721 nft_active_genmask(set, genmask)) 4722 return set; 4723 } 4724 return ERR_PTR(-ENOENT); 4725 } 4726 4727 struct nft_set *nft_set_lookup_global(const struct net *net, 4728 const struct nft_table *table, 4729 const struct nlattr *nla_set_name, 4730 const struct nlattr *nla_set_id, 4731 u8 genmask) 4732 { 4733 struct nft_set *set; 4734 4735 set = nft_set_lookup(net, table, nla_set_name, genmask); 4736 if (IS_ERR(set)) { 4737 if (!nla_set_id) 4738 return set; 4739 4740 set = nft_set_lookup_byid(net, table, nla_set_id, genmask); 4741 } 4742 return set; 4743 } 4744 EXPORT_SYMBOL_GPL(nft_set_lookup_global); 4745 4746 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 4747 const char *name) 4748 { 4749 const struct nft_set *i; 4750 const char *p; 4751 unsigned long *inuse; 4752 unsigned int n = 0, min = 0; 4753 4754 p = strchr(name, '%'); 4755 if (p != NULL) { 4756 if (p[1] != 'd' || strchr(p + 2, '%')) 4757 return -EINVAL; 4758 4759 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN) 4760 return -EINVAL; 4761 4762 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 4763 if (inuse == NULL) 4764 return -ENOMEM; 4765 cont: 4766 list_for_each_entry(i, &ctx->table->sets, list) { 4767 int tmp; 4768 4769 if (!nft_is_active_next(ctx->net, i)) 4770 continue; 4771 if (!sscanf(i->name, name, &tmp)) 4772 continue; 4773 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 4774 continue; 4775 4776 set_bit(tmp - min, inuse); 4777 } 4778 4779 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 4780 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 4781 min += BITS_PER_BYTE * PAGE_SIZE; 4782 memset(inuse, 0, PAGE_SIZE); 4783 goto cont; 4784 } 4785 free_page((unsigned long)inuse); 4786 } 4787 4788 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n); 4789 if (!set->name) 4790 return -ENOMEM; 4791 4792 list_for_each_entry(i, &ctx->table->sets, list) { 4793 if (!nft_is_active_next(ctx->net, i)) 4794 continue; 4795 if (!strcmp(set->name, i->name)) { 4796 kfree(set->name); 4797 set->name = NULL; 4798 return -ENFILE; 4799 } 4800 } 4801 return 0; 4802 } 4803 4804 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 4805 { 4806 u64 ms = be64_to_cpu(nla_get_be64(nla)); 4807 u64 max = (u64)(~((u64)0)); 4808 4809 max = div_u64(max, NSEC_PER_MSEC); 4810 if (ms >= max) 4811 return -ERANGE; 4812 4813 ms *= NSEC_PER_MSEC; 4814 *result = nsecs_to_jiffies64(ms) ? : !!ms; 4815 return 0; 4816 } 4817 4818 __be64 nf_jiffies64_to_msecs(u64 input) 4819 { 4820 return cpu_to_be64(jiffies64_to_msecs(input)); 4821 } 4822 4823 static int nf_tables_fill_set_concat(struct sk_buff *skb, 4824 const struct nft_set *set) 4825 { 4826 struct nlattr *concat, *field; 4827 int i; 4828 4829 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 4830 if (!concat) 4831 return -ENOMEM; 4832 4833 for (i = 0; i < set->field_count; i++) { 4834 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4835 if (!field) 4836 return -ENOMEM; 4837 4838 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 4839 htonl(set->field_len[i]))) 4840 return -ENOMEM; 4841 4842 nla_nest_end(skb, field); 4843 } 4844 4845 nla_nest_end(skb, concat); 4846 4847 return 0; 4848 } 4849 4850 static u32 nft_set_userspace_size(const struct nft_set_ops *ops, u32 size) 4851 { 4852 if (ops->usize) 4853 return ops->usize(size); 4854 4855 return size; 4856 } 4857 4858 static noinline_for_stack int 4859 nf_tables_fill_set_info(struct sk_buff *skb, const struct nft_set *set) 4860 { 4861 unsigned int nelems; 4862 char str[40]; 4863 int ret; 4864 4865 ret = snprintf(str, sizeof(str), "%ps", set->ops); 4866 4867 /* Not expected to happen and harmless: NFTA_SET_TYPE is dumped 4868 * to userspace purely for informational/debug purposes. 4869 */ 4870 DEBUG_NET_WARN_ON_ONCE(ret >= sizeof(str)); 4871 4872 if (nla_put_string(skb, NFTA_SET_TYPE, str)) 4873 return -EMSGSIZE; 4874 4875 nelems = nft_set_userspace_size(set->ops, atomic_read(&set->nelems)); 4876 return nla_put_be32(skb, NFTA_SET_COUNT, htonl(nelems)); 4877 } 4878 4879 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 4880 const struct nft_set *set, u16 event, u16 flags) 4881 { 4882 u64 timeout = READ_ONCE(set->timeout); 4883 u32 gc_int = READ_ONCE(set->gc_int); 4884 u32 portid = ctx->portid; 4885 struct nlmsghdr *nlh; 4886 struct nlattr *nest; 4887 u32 seq = ctx->seq; 4888 int i; 4889 4890 nlh = nfnl_msg_put(skb, portid, seq, 4891 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event), 4892 flags, ctx->family, NFNETLINK_V0, 4893 nft_base_seq_be16(ctx->net)); 4894 if (!nlh) 4895 goto nla_put_failure; 4896 4897 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 4898 goto nla_put_failure; 4899 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 4900 goto nla_put_failure; 4901 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 4902 NFTA_SET_PAD)) 4903 goto nla_put_failure; 4904 4905 if (event == NFT_MSG_DELSET || 4906 event == NFT_MSG_DESTROYSET) { 4907 nlmsg_end(skb, nlh); 4908 return 0; 4909 } 4910 4911 if (set->flags != 0) 4912 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 4913 goto nla_put_failure; 4914 4915 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 4916 goto nla_put_failure; 4917 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 4918 goto nla_put_failure; 4919 if (set->flags & NFT_SET_MAP) { 4920 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 4921 goto nla_put_failure; 4922 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 4923 goto nla_put_failure; 4924 } 4925 if (set->flags & NFT_SET_OBJECT && 4926 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 4927 goto nla_put_failure; 4928 4929 if (timeout && 4930 nla_put_be64(skb, NFTA_SET_TIMEOUT, 4931 nf_jiffies64_to_msecs(timeout), 4932 NFTA_SET_PAD)) 4933 goto nla_put_failure; 4934 if (gc_int && 4935 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int))) 4936 goto nla_put_failure; 4937 4938 if (set->policy != NFT_SET_POL_PERFORMANCE) { 4939 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 4940 goto nla_put_failure; 4941 } 4942 4943 if (set->udata && 4944 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 4945 goto nla_put_failure; 4946 4947 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 4948 if (!nest) 4949 goto nla_put_failure; 4950 if (set->size && 4951 nla_put_be32(skb, NFTA_SET_DESC_SIZE, 4952 htonl(nft_set_userspace_size(set->ops, set->size)))) 4953 goto nla_put_failure; 4954 4955 if (set->field_count > 1 && 4956 nf_tables_fill_set_concat(skb, set)) 4957 goto nla_put_failure; 4958 4959 nla_nest_end(skb, nest); 4960 4961 if (nf_tables_fill_set_info(skb, set)) 4962 goto nla_put_failure; 4963 4964 if (set->num_exprs == 1) { 4965 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 4966 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0) 4967 goto nla_put_failure; 4968 4969 nla_nest_end(skb, nest); 4970 } else if (set->num_exprs > 1) { 4971 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS); 4972 if (nest == NULL) 4973 goto nla_put_failure; 4974 4975 for (i = 0; i < set->num_exprs; i++) { 4976 if (nft_expr_dump(skb, NFTA_LIST_ELEM, 4977 set->exprs[i], false) < 0) 4978 goto nla_put_failure; 4979 } 4980 nla_nest_end(skb, nest); 4981 } 4982 4983 nlmsg_end(skb, nlh); 4984 return 0; 4985 4986 nla_put_failure: 4987 nlmsg_trim(skb, nlh); 4988 return -1; 4989 } 4990 4991 static void nf_tables_set_notify(const struct nft_ctx *ctx, 4992 const struct nft_set *set, int event, 4993 gfp_t gfp_flags) 4994 { 4995 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 4996 u32 portid = ctx->portid; 4997 struct sk_buff *skb; 4998 u16 flags = 0; 4999 int err; 5000 5001 if (!ctx->report && 5002 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 5003 return; 5004 5005 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 5006 if (skb == NULL) 5007 goto err; 5008 5009 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 5010 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 5011 5012 err = nf_tables_fill_set(skb, ctx, set, event, flags); 5013 if (err < 0) { 5014 kfree_skb(skb); 5015 goto err; 5016 } 5017 5018 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 5019 return; 5020 err: 5021 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 5022 } 5023 5024 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 5025 { 5026 const struct nft_set *set; 5027 unsigned int idx, s_idx = cb->args[0]; 5028 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 5029 struct net *net = sock_net(skb->sk); 5030 struct nft_ctx *ctx = cb->data, ctx_set; 5031 struct nftables_pernet *nft_net; 5032 5033 if (cb->args[1]) 5034 return skb->len; 5035 5036 rcu_read_lock(); 5037 nft_net = nft_pernet(net); 5038 cb->seq = nft_base_seq(net); 5039 5040 list_for_each_entry_rcu(table, &nft_net->tables, list) { 5041 if (ctx->family != NFPROTO_UNSPEC && 5042 ctx->family != table->family) 5043 continue; 5044 5045 if (ctx->table && ctx->table != table) 5046 continue; 5047 5048 if (cur_table) { 5049 if (cur_table != table) 5050 continue; 5051 5052 cur_table = NULL; 5053 } 5054 idx = 0; 5055 list_for_each_entry_rcu(set, &table->sets, list) { 5056 if (idx < s_idx) 5057 goto cont; 5058 if (!nft_is_active(net, set)) 5059 goto cont; 5060 5061 ctx_set = *ctx; 5062 ctx_set.table = table; 5063 ctx_set.family = table->family; 5064 5065 if (nf_tables_fill_set(skb, &ctx_set, set, 5066 NFT_MSG_NEWSET, 5067 NLM_F_MULTI) < 0) { 5068 cb->args[0] = idx; 5069 cb->args[2] = (unsigned long) table; 5070 goto done; 5071 } 5072 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 5073 cont: 5074 idx++; 5075 } 5076 if (s_idx) 5077 s_idx = 0; 5078 } 5079 cb->args[1] = 1; 5080 done: 5081 rcu_read_unlock(); 5082 return skb->len; 5083 } 5084 5085 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 5086 { 5087 struct nft_ctx *ctx_dump = NULL; 5088 5089 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 5090 if (ctx_dump == NULL) 5091 return -ENOMEM; 5092 5093 cb->data = ctx_dump; 5094 return 0; 5095 } 5096 5097 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 5098 { 5099 kfree(cb->data); 5100 return 0; 5101 } 5102 5103 /* called with rcu_read_lock held */ 5104 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info, 5105 const struct nlattr * const nla[]) 5106 { 5107 struct netlink_ext_ack *extack = info->extack; 5108 u8 genmask = nft_genmask_cur(info->net); 5109 u8 family = info->nfmsg->nfgen_family; 5110 struct nft_table *table = NULL; 5111 struct net *net = info->net; 5112 const struct nft_set *set; 5113 struct sk_buff *skb2; 5114 struct nft_ctx ctx; 5115 int err; 5116 5117 if (nla[NFTA_SET_TABLE]) { 5118 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 5119 genmask, 0); 5120 if (IS_ERR(table)) { 5121 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5122 return PTR_ERR(table); 5123 } 5124 } 5125 5126 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5127 5128 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 5129 struct netlink_dump_control c = { 5130 .start = nf_tables_dump_sets_start, 5131 .dump = nf_tables_dump_sets, 5132 .done = nf_tables_dump_sets_done, 5133 .data = &ctx, 5134 .module = THIS_MODULE, 5135 }; 5136 5137 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 5138 } 5139 5140 /* Only accept unspec with dump */ 5141 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 5142 return -EAFNOSUPPORT; 5143 if (!nla[NFTA_SET_TABLE]) 5144 return -EINVAL; 5145 5146 set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask); 5147 if (IS_ERR(set)) { 5148 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5149 return PTR_ERR(set); 5150 } 5151 5152 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 5153 if (skb2 == NULL) 5154 return -ENOMEM; 5155 5156 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 5157 if (err < 0) 5158 goto err_fill_set_info; 5159 5160 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 5161 5162 err_fill_set_info: 5163 kfree_skb(skb2); 5164 return err; 5165 } 5166 5167 static int nft_set_desc_concat_parse(const struct nlattr *attr, 5168 struct nft_set_desc *desc) 5169 { 5170 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 5171 u32 len; 5172 int err; 5173 5174 if (desc->field_count >= ARRAY_SIZE(desc->field_len)) 5175 return -E2BIG; 5176 5177 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 5178 nft_concat_policy, NULL); 5179 if (err < 0) 5180 return err; 5181 5182 if (!tb[NFTA_SET_FIELD_LEN]) 5183 return -EINVAL; 5184 5185 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 5186 if (!len || len > U8_MAX) 5187 return -EINVAL; 5188 5189 desc->field_len[desc->field_count++] = len; 5190 5191 return 0; 5192 } 5193 5194 static int nft_set_desc_concat(struct nft_set_desc *desc, 5195 const struct nlattr *nla) 5196 { 5197 u32 len = 0, num_regs; 5198 struct nlattr *attr; 5199 int rem, err, i; 5200 5201 nla_for_each_nested(attr, nla, rem) { 5202 if (nla_type(attr) != NFTA_LIST_ELEM) 5203 return -EINVAL; 5204 5205 err = nft_set_desc_concat_parse(attr, desc); 5206 if (err < 0) 5207 return err; 5208 } 5209 5210 for (i = 0; i < desc->field_count; i++) 5211 len += round_up(desc->field_len[i], sizeof(u32)); 5212 5213 if (len != desc->klen) 5214 return -EINVAL; 5215 5216 num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32)); 5217 if (num_regs > NFT_REG32_COUNT) 5218 return -E2BIG; 5219 5220 return 0; 5221 } 5222 5223 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 5224 const struct nlattr *nla) 5225 { 5226 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 5227 int err; 5228 5229 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 5230 nft_set_desc_policy, NULL); 5231 if (err < 0) 5232 return err; 5233 5234 if (da[NFTA_SET_DESC_SIZE] != NULL) 5235 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 5236 if (da[NFTA_SET_DESC_CONCAT]) 5237 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 5238 5239 return err; 5240 } 5241 5242 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set, 5243 const struct nlattr * const *nla, 5244 struct nft_expr **exprs, int *num_exprs, 5245 u32 flags) 5246 { 5247 struct nft_expr *expr; 5248 int err, i; 5249 5250 if (nla[NFTA_SET_EXPR]) { 5251 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]); 5252 if (IS_ERR(expr)) { 5253 err = PTR_ERR(expr); 5254 goto err_set_expr_alloc; 5255 } 5256 exprs[0] = expr; 5257 (*num_exprs)++; 5258 } else if (nla[NFTA_SET_EXPRESSIONS]) { 5259 struct nlattr *tmp; 5260 int left; 5261 5262 if (!(flags & NFT_SET_EXPR)) { 5263 err = -EINVAL; 5264 goto err_set_expr_alloc; 5265 } 5266 i = 0; 5267 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) { 5268 if (i == NFT_SET_EXPR_MAX) { 5269 err = -E2BIG; 5270 goto err_set_expr_alloc; 5271 } 5272 if (nla_type(tmp) != NFTA_LIST_ELEM) { 5273 err = -EINVAL; 5274 goto err_set_expr_alloc; 5275 } 5276 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 5277 if (IS_ERR(expr)) { 5278 err = PTR_ERR(expr); 5279 goto err_set_expr_alloc; 5280 } 5281 exprs[i++] = expr; 5282 (*num_exprs)++; 5283 } 5284 } 5285 5286 return 0; 5287 5288 err_set_expr_alloc: 5289 for (i = 0; i < *num_exprs; i++) 5290 nft_expr_destroy(ctx, exprs[i]); 5291 5292 return err; 5293 } 5294 5295 static bool nft_set_is_same(const struct nft_set *set, 5296 const struct nft_set_desc *desc, 5297 struct nft_expr *exprs[], u32 num_exprs, u32 flags) 5298 { 5299 int i; 5300 5301 if (set->ktype != desc->ktype || 5302 set->dtype != desc->dtype || 5303 set->flags != flags || 5304 set->klen != desc->klen || 5305 set->dlen != desc->dlen || 5306 set->field_count != desc->field_count || 5307 set->num_exprs != num_exprs) 5308 return false; 5309 5310 for (i = 0; i < desc->field_count; i++) { 5311 if (set->field_len[i] != desc->field_len[i]) 5312 return false; 5313 } 5314 5315 for (i = 0; i < num_exprs; i++) { 5316 if (set->exprs[i]->ops != exprs[i]->ops) 5317 return false; 5318 } 5319 5320 return true; 5321 } 5322 5323 static u32 nft_set_kernel_size(const struct nft_set_ops *ops, 5324 const struct nft_set_desc *desc) 5325 { 5326 if (ops->ksize) 5327 return ops->ksize(desc->size); 5328 5329 return desc->size; 5330 } 5331 5332 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 5333 const struct nlattr * const nla[]) 5334 { 5335 struct netlink_ext_ack *extack = info->extack; 5336 u8 genmask = nft_genmask_next(info->net); 5337 u8 family = info->nfmsg->nfgen_family; 5338 const struct nft_set_ops *ops; 5339 struct net *net = info->net; 5340 struct nft_set_desc desc; 5341 struct nft_table *table; 5342 unsigned char *udata; 5343 struct nft_set *set; 5344 struct nft_ctx ctx; 5345 size_t alloc_size; 5346 int num_exprs = 0; 5347 char *name; 5348 int err, i; 5349 u16 udlen; 5350 u32 flags; 5351 u64 size; 5352 5353 if (nla[NFTA_SET_TABLE] == NULL || 5354 nla[NFTA_SET_NAME] == NULL || 5355 nla[NFTA_SET_KEY_LEN] == NULL || 5356 nla[NFTA_SET_ID] == NULL) 5357 return -EINVAL; 5358 5359 memset(&desc, 0, sizeof(desc)); 5360 5361 desc.ktype = NFT_DATA_VALUE; 5362 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 5363 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 5364 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 5365 return -EINVAL; 5366 } 5367 5368 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 5369 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 5370 return -EINVAL; 5371 5372 flags = 0; 5373 if (nla[NFTA_SET_FLAGS] != NULL) { 5374 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 5375 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 5376 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 5377 NFT_SET_MAP | NFT_SET_EVAL | 5378 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR)) 5379 return -EOPNOTSUPP; 5380 /* Only one of these operations is supported */ 5381 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 5382 (NFT_SET_MAP | NFT_SET_OBJECT)) 5383 return -EOPNOTSUPP; 5384 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 5385 (NFT_SET_EVAL | NFT_SET_OBJECT)) 5386 return -EOPNOTSUPP; 5387 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) == 5388 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT)) 5389 return -EOPNOTSUPP; 5390 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) == 5391 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) 5392 return -EOPNOTSUPP; 5393 } 5394 5395 desc.dtype = 0; 5396 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 5397 if (!(flags & NFT_SET_MAP)) 5398 return -EINVAL; 5399 5400 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 5401 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 5402 desc.dtype != NFT_DATA_VERDICT) 5403 return -EINVAL; 5404 5405 if (desc.dtype != NFT_DATA_VERDICT) { 5406 if (nla[NFTA_SET_DATA_LEN] == NULL) 5407 return -EINVAL; 5408 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 5409 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 5410 return -EINVAL; 5411 } else 5412 desc.dlen = sizeof(struct nft_verdict); 5413 } else if (flags & NFT_SET_MAP) 5414 return -EINVAL; 5415 5416 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 5417 if (!(flags & NFT_SET_OBJECT)) 5418 return -EINVAL; 5419 5420 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 5421 if (desc.objtype == NFT_OBJECT_UNSPEC || 5422 desc.objtype > NFT_OBJECT_MAX) 5423 return -EOPNOTSUPP; 5424 } else if (flags & NFT_SET_OBJECT) 5425 return -EINVAL; 5426 else 5427 desc.objtype = NFT_OBJECT_UNSPEC; 5428 5429 desc.timeout = 0; 5430 if (nla[NFTA_SET_TIMEOUT] != NULL) { 5431 if (!(flags & NFT_SET_TIMEOUT)) 5432 return -EINVAL; 5433 5434 if (flags & NFT_SET_ANONYMOUS) 5435 return -EOPNOTSUPP; 5436 5437 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout); 5438 if (err) 5439 return err; 5440 } 5441 desc.gc_int = 0; 5442 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 5443 if (!(flags & NFT_SET_TIMEOUT)) 5444 return -EINVAL; 5445 5446 if (flags & NFT_SET_ANONYMOUS) 5447 return -EOPNOTSUPP; 5448 5449 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 5450 } 5451 5452 desc.policy = NFT_SET_POL_PERFORMANCE; 5453 if (nla[NFTA_SET_POLICY] != NULL) { 5454 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 5455 switch (desc.policy) { 5456 case NFT_SET_POL_PERFORMANCE: 5457 case NFT_SET_POL_MEMORY: 5458 break; 5459 default: 5460 return -EOPNOTSUPP; 5461 } 5462 } 5463 5464 if (nla[NFTA_SET_DESC] != NULL) { 5465 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 5466 if (err < 0) 5467 return err; 5468 5469 if (desc.field_count > 1) { 5470 if (!(flags & NFT_SET_CONCAT)) 5471 return -EINVAL; 5472 } else if (flags & NFT_SET_CONCAT) { 5473 return -EINVAL; 5474 } 5475 } else if (flags & NFT_SET_CONCAT) { 5476 return -EINVAL; 5477 } 5478 5479 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS]) 5480 desc.expr = true; 5481 5482 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask, 5483 NETLINK_CB(skb).portid); 5484 if (IS_ERR(table)) { 5485 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5486 return PTR_ERR(table); 5487 } 5488 5489 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5490 5491 set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask); 5492 if (IS_ERR(set)) { 5493 if (PTR_ERR(set) != -ENOENT) { 5494 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5495 return PTR_ERR(set); 5496 } 5497 } else { 5498 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {}; 5499 5500 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 5501 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5502 return -EEXIST; 5503 } 5504 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 5505 return -EOPNOTSUPP; 5506 5507 if (nft_set_is_anonymous(set)) 5508 return -EOPNOTSUPP; 5509 5510 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags); 5511 if (err < 0) 5512 return err; 5513 5514 if (desc.size) 5515 desc.size = nft_set_kernel_size(set->ops, &desc); 5516 5517 err = 0; 5518 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) { 5519 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5520 err = -EEXIST; 5521 } 5522 5523 for (i = 0; i < num_exprs; i++) 5524 nft_expr_destroy(&ctx, exprs[i]); 5525 5526 if (err < 0) 5527 return err; 5528 5529 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc); 5530 } 5531 5532 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) 5533 return -ENOENT; 5534 5535 ops = nft_select_set_ops(&ctx, flags, &desc); 5536 if (IS_ERR(ops)) 5537 return PTR_ERR(ops); 5538 5539 if (desc.size) 5540 desc.size = nft_set_kernel_size(ops, &desc); 5541 5542 udlen = 0; 5543 if (nla[NFTA_SET_USERDATA]) 5544 udlen = nla_len(nla[NFTA_SET_USERDATA]); 5545 5546 size = 0; 5547 if (ops->privsize != NULL) 5548 size = ops->privsize(nla, &desc); 5549 alloc_size = sizeof(*set) + size + udlen; 5550 if (alloc_size < size || alloc_size > INT_MAX) 5551 return -ENOMEM; 5552 5553 if (!nft_use_inc(&table->use)) 5554 return -EMFILE; 5555 5556 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT); 5557 if (!set) { 5558 err = -ENOMEM; 5559 goto err_alloc; 5560 } 5561 5562 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT); 5563 if (!name) { 5564 err = -ENOMEM; 5565 goto err_set_name; 5566 } 5567 5568 err = nf_tables_set_alloc_name(&ctx, set, name); 5569 kfree(name); 5570 if (err < 0) 5571 goto err_set_name; 5572 5573 udata = NULL; 5574 if (udlen) { 5575 udata = set->data + size; 5576 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 5577 } 5578 5579 INIT_LIST_HEAD(&set->bindings); 5580 INIT_LIST_HEAD(&set->catchall_list); 5581 refcount_set(&set->refs, 1); 5582 set->table = table; 5583 write_pnet(&set->net, net); 5584 set->ops = ops; 5585 set->ktype = desc.ktype; 5586 set->klen = desc.klen; 5587 set->dtype = desc.dtype; 5588 set->objtype = desc.objtype; 5589 set->dlen = desc.dlen; 5590 set->flags = flags; 5591 set->size = desc.size; 5592 set->policy = desc.policy; 5593 set->udlen = udlen; 5594 set->udata = udata; 5595 set->timeout = desc.timeout; 5596 set->gc_int = desc.gc_int; 5597 5598 set->field_count = desc.field_count; 5599 for (i = 0; i < desc.field_count; i++) 5600 set->field_len[i] = desc.field_len[i]; 5601 5602 err = ops->init(set, &desc, nla); 5603 if (err < 0) 5604 goto err_set_init; 5605 5606 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags); 5607 if (err < 0) 5608 goto err_set_destroy; 5609 5610 set->num_exprs = num_exprs; 5611 set->handle = nf_tables_alloc_handle(table); 5612 INIT_LIST_HEAD(&set->pending_update); 5613 5614 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 5615 if (err < 0) 5616 goto err_set_expr_alloc; 5617 5618 list_add_tail_rcu(&set->list, &table->sets); 5619 5620 return 0; 5621 5622 err_set_expr_alloc: 5623 for (i = 0; i < set->num_exprs; i++) 5624 nft_expr_destroy(&ctx, set->exprs[i]); 5625 err_set_destroy: 5626 ops->destroy(&ctx, set); 5627 err_set_init: 5628 kfree(set->name); 5629 err_set_name: 5630 kvfree(set); 5631 err_alloc: 5632 nft_use_dec_restore(&table->use); 5633 5634 return err; 5635 } 5636 5637 static void nft_set_catchall_destroy(const struct nft_ctx *ctx, 5638 struct nft_set *set) 5639 { 5640 struct nft_set_elem_catchall *next, *catchall; 5641 5642 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5643 list_del_rcu(&catchall->list); 5644 nf_tables_set_elem_destroy(ctx, set, catchall->elem); 5645 kfree_rcu(catchall, rcu); 5646 } 5647 } 5648 5649 static void nft_set_put(struct nft_set *set) 5650 { 5651 if (refcount_dec_and_test(&set->refs)) { 5652 kfree(set->name); 5653 kvfree(set); 5654 } 5655 } 5656 5657 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 5658 { 5659 int i; 5660 5661 if (WARN_ON(set->use > 0)) 5662 return; 5663 5664 for (i = 0; i < set->num_exprs; i++) 5665 nft_expr_destroy(ctx, set->exprs[i]); 5666 5667 set->ops->destroy(ctx, set); 5668 nft_set_catchall_destroy(ctx, set); 5669 nft_set_put(set); 5670 } 5671 5672 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info, 5673 const struct nlattr * const nla[]) 5674 { 5675 struct netlink_ext_ack *extack = info->extack; 5676 u8 genmask = nft_genmask_next(info->net); 5677 u8 family = info->nfmsg->nfgen_family; 5678 struct net *net = info->net; 5679 const struct nlattr *attr; 5680 struct nft_table *table; 5681 struct nft_set *set; 5682 struct nft_ctx ctx; 5683 5684 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 5685 return -EAFNOSUPPORT; 5686 5687 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 5688 genmask, NETLINK_CB(skb).portid); 5689 if (IS_ERR(table)) { 5690 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5691 return PTR_ERR(table); 5692 } 5693 5694 if (nla[NFTA_SET_HANDLE]) { 5695 attr = nla[NFTA_SET_HANDLE]; 5696 set = nft_set_lookup_byhandle(table, attr, genmask); 5697 } else { 5698 attr = nla[NFTA_SET_NAME]; 5699 set = nft_set_lookup(net, table, attr, genmask); 5700 } 5701 5702 if (IS_ERR(set)) { 5703 if (PTR_ERR(set) == -ENOENT && 5704 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET) 5705 return 0; 5706 5707 NL_SET_BAD_ATTR(extack, attr); 5708 return PTR_ERR(set); 5709 } 5710 if (set->use || 5711 (info->nlh->nlmsg_flags & NLM_F_NONREC && 5712 atomic_read(&set->nelems) > 0)) { 5713 NL_SET_BAD_ATTR(extack, attr); 5714 return -EBUSY; 5715 } 5716 5717 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5718 5719 return nft_delset(&ctx, set); 5720 } 5721 5722 static int nft_validate_register_store(const struct nft_ctx *ctx, 5723 enum nft_registers reg, 5724 const struct nft_data *data, 5725 enum nft_data_types type, 5726 unsigned int len); 5727 5728 static int nft_setelem_data_validate(const struct nft_ctx *ctx, 5729 struct nft_set *set, 5730 struct nft_elem_priv *elem_priv) 5731 { 5732 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5733 enum nft_registers dreg; 5734 5735 dreg = nft_type_to_reg(set->dtype); 5736 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 5737 set->dtype == NFT_DATA_VERDICT ? 5738 NFT_DATA_VERDICT : NFT_DATA_VALUE, 5739 set->dlen); 5740 } 5741 5742 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 5743 struct nft_set *set, 5744 const struct nft_set_iter *iter, 5745 struct nft_elem_priv *elem_priv) 5746 { 5747 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5748 5749 if (!nft_set_elem_active(ext, iter->genmask)) 5750 return 0; 5751 5752 return nft_setelem_data_validate(ctx, set, elem_priv); 5753 } 5754 5755 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx, 5756 struct nft_set *set) 5757 { 5758 u8 genmask = nft_genmask_next(ctx->net); 5759 struct nft_set_elem_catchall *catchall; 5760 struct nft_set_ext *ext; 5761 int ret = 0; 5762 5763 list_for_each_entry_rcu(catchall, &set->catchall_list, list, 5764 lockdep_commit_lock_is_held(ctx->net)) { 5765 ext = nft_set_elem_ext(set, catchall->elem); 5766 if (!nft_set_elem_active(ext, genmask)) 5767 continue; 5768 5769 ret = nft_setelem_data_validate(ctx, set, catchall->elem); 5770 if (ret < 0) 5771 break; 5772 } 5773 5774 return ret; 5775 } 5776 5777 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 5778 struct nft_set_binding *binding) 5779 { 5780 struct nft_set_binding *i; 5781 struct nft_set_iter iter; 5782 5783 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 5784 return -EBUSY; 5785 5786 if (binding->flags & NFT_SET_MAP) { 5787 /* If the set is already bound to the same chain all 5788 * jumps are already validated for that chain. 5789 */ 5790 list_for_each_entry(i, &set->bindings, list) { 5791 if (i->flags & NFT_SET_MAP && 5792 i->chain == binding->chain) 5793 goto bind; 5794 } 5795 5796 iter.genmask = nft_genmask_next(ctx->net); 5797 iter.type = NFT_ITER_UPDATE; 5798 iter.skip = 0; 5799 iter.count = 0; 5800 iter.err = 0; 5801 iter.fn = nf_tables_bind_check_setelem; 5802 5803 set->ops->walk(ctx, set, &iter); 5804 if (!iter.err) 5805 iter.err = nft_set_catchall_bind_check(ctx, set); 5806 5807 if (iter.err < 0) 5808 return iter.err; 5809 } 5810 bind: 5811 if (!nft_use_inc(&set->use)) 5812 return -EMFILE; 5813 5814 binding->chain = ctx->chain; 5815 list_add_tail_rcu(&binding->list, &set->bindings); 5816 nft_set_trans_bind(ctx, set); 5817 5818 return 0; 5819 } 5820 EXPORT_SYMBOL_GPL(nf_tables_bind_set); 5821 5822 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 5823 struct nft_set_binding *binding, bool event) 5824 { 5825 list_del_rcu(&binding->list); 5826 5827 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 5828 list_del_rcu(&set->list); 5829 set->dead = 1; 5830 if (event) 5831 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 5832 GFP_KERNEL); 5833 } 5834 } 5835 5836 static void nft_setelem_data_activate(const struct net *net, 5837 const struct nft_set *set, 5838 struct nft_elem_priv *elem_priv); 5839 5840 static int nft_mapelem_activate(const struct nft_ctx *ctx, 5841 struct nft_set *set, 5842 const struct nft_set_iter *iter, 5843 struct nft_elem_priv *elem_priv) 5844 { 5845 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5846 5847 /* called from abort path, reverse check to undo changes. */ 5848 if (nft_set_elem_active(ext, iter->genmask)) 5849 return 0; 5850 5851 nft_clear(ctx->net, ext); 5852 nft_setelem_data_activate(ctx->net, set, elem_priv); 5853 5854 return 0; 5855 } 5856 5857 static void nft_map_catchall_activate(const struct nft_ctx *ctx, 5858 struct nft_set *set) 5859 { 5860 u8 genmask = nft_genmask_next(ctx->net); 5861 struct nft_set_elem_catchall *catchall; 5862 struct nft_set_ext *ext; 5863 5864 list_for_each_entry(catchall, &set->catchall_list, list) { 5865 ext = nft_set_elem_ext(set, catchall->elem); 5866 if (!nft_set_elem_active(ext, genmask)) 5867 continue; 5868 5869 nft_clear(ctx->net, ext); 5870 nft_setelem_data_activate(ctx->net, set, catchall->elem); 5871 break; 5872 } 5873 } 5874 5875 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set) 5876 { 5877 struct nft_set_iter iter = { 5878 .genmask = nft_genmask_next(ctx->net), 5879 .type = NFT_ITER_UPDATE, 5880 .fn = nft_mapelem_activate, 5881 }; 5882 5883 set->ops->walk(ctx, set, &iter); 5884 WARN_ON_ONCE(iter.err); 5885 5886 nft_map_catchall_activate(ctx, set); 5887 } 5888 5889 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) 5890 { 5891 if (nft_set_is_anonymous(set)) { 5892 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5893 nft_map_activate(ctx, set); 5894 5895 nft_clear(ctx->net, set); 5896 } 5897 5898 nft_use_inc_restore(&set->use); 5899 } 5900 EXPORT_SYMBOL_GPL(nf_tables_activate_set); 5901 5902 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 5903 struct nft_set_binding *binding, 5904 enum nft_trans_phase phase) 5905 { 5906 WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net)); 5907 5908 switch (phase) { 5909 case NFT_TRANS_PREPARE_ERROR: 5910 nft_set_trans_unbind(ctx, set); 5911 if (nft_set_is_anonymous(set)) 5912 nft_deactivate_next(ctx->net, set); 5913 else 5914 list_del_rcu(&binding->list); 5915 5916 nft_use_dec(&set->use); 5917 break; 5918 case NFT_TRANS_PREPARE: 5919 if (nft_set_is_anonymous(set)) { 5920 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5921 nft_map_deactivate(ctx, set); 5922 5923 nft_deactivate_next(ctx->net, set); 5924 } 5925 nft_use_dec(&set->use); 5926 return; 5927 case NFT_TRANS_ABORT: 5928 case NFT_TRANS_RELEASE: 5929 if (nft_set_is_anonymous(set) && 5930 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5931 nft_map_deactivate(ctx, set); 5932 5933 nft_use_dec(&set->use); 5934 fallthrough; 5935 default: 5936 nf_tables_unbind_set(ctx, set, binding, 5937 phase == NFT_TRANS_COMMIT); 5938 } 5939 } 5940 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 5941 5942 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 5943 { 5944 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 5945 nft_set_destroy(ctx, set); 5946 } 5947 EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 5948 5949 const struct nft_set_ext_type nft_set_ext_types[] = { 5950 [NFT_SET_EXT_KEY] = { 5951 .align = __alignof__(u32), 5952 }, 5953 [NFT_SET_EXT_DATA] = { 5954 .align = __alignof__(u32), 5955 }, 5956 [NFT_SET_EXT_EXPRESSIONS] = { 5957 .align = __alignof__(struct nft_set_elem_expr), 5958 }, 5959 [NFT_SET_EXT_OBJREF] = { 5960 .len = sizeof(struct nft_object *), 5961 .align = __alignof__(struct nft_object *), 5962 }, 5963 [NFT_SET_EXT_FLAGS] = { 5964 .len = sizeof(u8), 5965 .align = __alignof__(u8), 5966 }, 5967 [NFT_SET_EXT_TIMEOUT] = { 5968 .len = sizeof(struct nft_timeout), 5969 .align = __alignof__(struct nft_timeout), 5970 }, 5971 [NFT_SET_EXT_USERDATA] = { 5972 .len = sizeof(struct nft_userdata), 5973 .align = __alignof__(struct nft_userdata), 5974 }, 5975 [NFT_SET_EXT_KEY_END] = { 5976 .align = __alignof__(u32), 5977 }, 5978 }; 5979 5980 /* 5981 * Set elements 5982 */ 5983 5984 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 5985 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 5986 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 5987 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 5988 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 5989 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 5990 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 5991 .len = NFT_USERDATA_MAXLEN }, 5992 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 5993 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 5994 .len = NFT_OBJ_MAXNAMELEN - 1 }, 5995 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 5996 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy), 5997 }; 5998 5999 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 6000 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 6001 .len = NFT_TABLE_MAXNAMELEN - 1 }, 6002 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 6003 .len = NFT_SET_MAXNAMELEN - 1 }, 6004 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy), 6005 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 6006 }; 6007 6008 static int nft_set_elem_expr_dump(struct sk_buff *skb, 6009 const struct nft_set *set, 6010 const struct nft_set_ext *ext, 6011 bool reset) 6012 { 6013 struct nft_set_elem_expr *elem_expr; 6014 u32 size, num_exprs = 0; 6015 struct nft_expr *expr; 6016 struct nlattr *nest; 6017 6018 elem_expr = nft_set_ext_expr(ext); 6019 nft_setelem_expr_foreach(expr, elem_expr, size) 6020 num_exprs++; 6021 6022 if (num_exprs == 1) { 6023 expr = nft_setelem_expr_at(elem_expr, 0); 6024 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0) 6025 return -1; 6026 6027 return 0; 6028 } else if (num_exprs > 1) { 6029 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS); 6030 if (nest == NULL) 6031 goto nla_put_failure; 6032 6033 nft_setelem_expr_foreach(expr, elem_expr, size) { 6034 expr = nft_setelem_expr_at(elem_expr, size); 6035 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0) 6036 goto nla_put_failure; 6037 } 6038 nla_nest_end(skb, nest); 6039 } 6040 return 0; 6041 6042 nla_put_failure: 6043 return -1; 6044 } 6045 6046 static int nf_tables_fill_setelem(struct sk_buff *skb, 6047 const struct nft_set *set, 6048 const struct nft_elem_priv *elem_priv, 6049 bool reset) 6050 { 6051 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6052 unsigned char *b = skb_tail_pointer(skb); 6053 struct nlattr *nest; 6054 6055 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 6056 if (nest == NULL) 6057 goto nla_put_failure; 6058 6059 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 6060 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 6061 NFT_DATA_VALUE, set->klen) < 0) 6062 goto nla_put_failure; 6063 6064 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 6065 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 6066 NFT_DATA_VALUE, set->klen) < 0) 6067 goto nla_put_failure; 6068 6069 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 6070 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 6071 nft_set_datatype(set), set->dlen) < 0) 6072 goto nla_put_failure; 6073 6074 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) && 6075 nft_set_elem_expr_dump(skb, set, ext, reset)) 6076 goto nla_put_failure; 6077 6078 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 6079 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 6080 (*nft_set_ext_obj(ext))->key.name) < 0) 6081 goto nla_put_failure; 6082 6083 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 6084 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 6085 htonl(*nft_set_ext_flags(ext)))) 6086 goto nla_put_failure; 6087 6088 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) { 6089 u64 timeout = READ_ONCE(nft_set_ext_timeout(ext)->timeout); 6090 u64 set_timeout = READ_ONCE(set->timeout); 6091 __be64 msecs = 0; 6092 6093 if (set_timeout != timeout) { 6094 msecs = nf_jiffies64_to_msecs(timeout); 6095 if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, msecs, 6096 NFTA_SET_ELEM_PAD)) 6097 goto nla_put_failure; 6098 } 6099 6100 if (timeout > 0) { 6101 u64 expires, now = get_jiffies_64(); 6102 6103 expires = READ_ONCE(nft_set_ext_timeout(ext)->expiration); 6104 if (time_before64(now, expires)) 6105 expires -= now; 6106 else 6107 expires = 0; 6108 6109 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 6110 nf_jiffies64_to_msecs(expires), 6111 NFTA_SET_ELEM_PAD)) 6112 goto nla_put_failure; 6113 } 6114 } 6115 6116 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 6117 struct nft_userdata *udata; 6118 6119 udata = nft_set_ext_userdata(ext); 6120 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 6121 udata->len + 1, udata->data)) 6122 goto nla_put_failure; 6123 } 6124 6125 nla_nest_end(skb, nest); 6126 return 0; 6127 6128 nla_put_failure: 6129 nlmsg_trim(skb, b); 6130 return -EMSGSIZE; 6131 } 6132 6133 struct nft_set_dump_args { 6134 const struct netlink_callback *cb; 6135 struct nft_set_iter iter; 6136 struct sk_buff *skb; 6137 bool reset; 6138 }; 6139 6140 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 6141 struct nft_set *set, 6142 const struct nft_set_iter *iter, 6143 struct nft_elem_priv *elem_priv) 6144 { 6145 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6146 struct nft_set_dump_args *args; 6147 6148 if (!nft_set_elem_active(ext, iter->genmask)) 6149 return 0; 6150 6151 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) 6152 return 0; 6153 6154 args = container_of(iter, struct nft_set_dump_args, iter); 6155 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset); 6156 } 6157 6158 static void audit_log_nft_set_reset(const struct nft_table *table, 6159 unsigned int base_seq, 6160 unsigned int nentries) 6161 { 6162 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq); 6163 6164 audit_log_nfcfg(buf, table->family, nentries, 6165 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC); 6166 kfree(buf); 6167 } 6168 6169 struct nft_set_dump_ctx { 6170 const struct nft_set *set; 6171 struct nft_ctx ctx; 6172 bool reset; 6173 }; 6174 6175 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb, 6176 const struct nft_set *set, bool reset, 6177 unsigned int base_seq) 6178 { 6179 struct nft_set_elem_catchall *catchall; 6180 u8 genmask = nft_genmask_cur(net); 6181 struct nft_set_ext *ext; 6182 int ret = 0; 6183 6184 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6185 ext = nft_set_elem_ext(set, catchall->elem); 6186 if (!nft_set_elem_active(ext, genmask) || 6187 nft_set_elem_expired(ext)) 6188 continue; 6189 6190 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset); 6191 if (reset && !ret) 6192 audit_log_nft_set_reset(set->table, base_seq, 1); 6193 break; 6194 } 6195 6196 return ret; 6197 } 6198 6199 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 6200 { 6201 struct nft_set_dump_ctx *dump_ctx = cb->data; 6202 struct net *net = sock_net(skb->sk); 6203 struct nftables_pernet *nft_net; 6204 struct nft_table *table; 6205 struct nft_set *set; 6206 struct nft_set_dump_args args; 6207 bool set_found = false; 6208 struct nlmsghdr *nlh; 6209 struct nlattr *nest; 6210 u32 portid, seq; 6211 int event; 6212 6213 rcu_read_lock(); 6214 nft_net = nft_pernet(net); 6215 cb->seq = nft_base_seq(net); 6216 6217 list_for_each_entry_rcu(table, &nft_net->tables, list) { 6218 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 6219 dump_ctx->ctx.family != table->family) 6220 continue; 6221 6222 if (table != dump_ctx->ctx.table) 6223 continue; 6224 6225 list_for_each_entry_rcu(set, &table->sets, list) { 6226 if (set == dump_ctx->set) { 6227 set_found = true; 6228 break; 6229 } 6230 } 6231 break; 6232 } 6233 6234 if (!set_found) { 6235 rcu_read_unlock(); 6236 return -ENOENT; 6237 } 6238 6239 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 6240 portid = NETLINK_CB(cb->skb).portid; 6241 seq = cb->nlh->nlmsg_seq; 6242 6243 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, 6244 table->family, NFNETLINK_V0, nft_base_seq_be16(net)); 6245 if (!nlh) 6246 goto nla_put_failure; 6247 6248 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 6249 goto nla_put_failure; 6250 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 6251 goto nla_put_failure; 6252 6253 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 6254 if (nest == NULL) 6255 goto nla_put_failure; 6256 6257 args.cb = cb; 6258 args.skb = skb; 6259 args.reset = dump_ctx->reset; 6260 args.iter.genmask = nft_genmask_cur(net); 6261 args.iter.type = NFT_ITER_READ; 6262 args.iter.skip = cb->args[0]; 6263 args.iter.count = 0; 6264 args.iter.err = 0; 6265 args.iter.fn = nf_tables_dump_setelem; 6266 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 6267 6268 if (!args.iter.err && args.iter.count == cb->args[0]) 6269 args.iter.err = nft_set_catchall_dump(net, skb, set, 6270 dump_ctx->reset, cb->seq); 6271 nla_nest_end(skb, nest); 6272 nlmsg_end(skb, nlh); 6273 6274 rcu_read_unlock(); 6275 6276 if (args.iter.err && args.iter.err != -EMSGSIZE) 6277 return args.iter.err; 6278 if (args.iter.count == cb->args[0]) 6279 return 0; 6280 6281 cb->args[0] = args.iter.count; 6282 return skb->len; 6283 6284 nla_put_failure: 6285 rcu_read_unlock(); 6286 return -ENOSPC; 6287 } 6288 6289 static int nf_tables_dumpreset_set(struct sk_buff *skb, 6290 struct netlink_callback *cb) 6291 { 6292 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk)); 6293 struct nft_set_dump_ctx *dump_ctx = cb->data; 6294 int ret, skip = cb->args[0]; 6295 6296 mutex_lock(&nft_net->commit_mutex); 6297 6298 ret = nf_tables_dump_set(skb, cb); 6299 6300 if (cb->args[0] > skip) 6301 audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq, 6302 cb->args[0] - skip); 6303 6304 mutex_unlock(&nft_net->commit_mutex); 6305 6306 return ret; 6307 } 6308 6309 static int nf_tables_dump_set_start(struct netlink_callback *cb) 6310 { 6311 struct nft_set_dump_ctx *dump_ctx = cb->data; 6312 6313 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 6314 6315 return cb->data ? 0 : -ENOMEM; 6316 } 6317 6318 static int nf_tables_dump_set_done(struct netlink_callback *cb) 6319 { 6320 kfree(cb->data); 6321 return 0; 6322 } 6323 6324 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 6325 const struct nft_ctx *ctx, u32 seq, 6326 u32 portid, int event, u16 flags, 6327 const struct nft_set *set, 6328 const struct nft_elem_priv *elem_priv, 6329 bool reset) 6330 { 6331 struct nlmsghdr *nlh; 6332 struct nlattr *nest; 6333 int err; 6334 6335 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6336 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 6337 NFNETLINK_V0, nft_base_seq_be16(ctx->net)); 6338 if (!nlh) 6339 goto nla_put_failure; 6340 6341 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 6342 goto nla_put_failure; 6343 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 6344 goto nla_put_failure; 6345 6346 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 6347 if (nest == NULL) 6348 goto nla_put_failure; 6349 6350 err = nf_tables_fill_setelem(skb, set, elem_priv, reset); 6351 if (err < 0) 6352 goto nla_put_failure; 6353 6354 nla_nest_end(skb, nest); 6355 6356 nlmsg_end(skb, nlh); 6357 return 0; 6358 6359 nla_put_failure: 6360 nlmsg_trim(skb, nlh); 6361 return -1; 6362 } 6363 6364 static int nft_setelem_parse_flags(const struct nft_set *set, 6365 const struct nlattr *attr, u32 *flags) 6366 { 6367 if (attr == NULL) 6368 return 0; 6369 6370 *flags = ntohl(nla_get_be32(attr)); 6371 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 6372 return -EOPNOTSUPP; 6373 if (!(set->flags & NFT_SET_INTERVAL) && 6374 *flags & NFT_SET_ELEM_INTERVAL_END) 6375 return -EINVAL; 6376 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) == 6377 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 6378 return -EINVAL; 6379 6380 return 0; 6381 } 6382 6383 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set, 6384 struct nft_data *key, struct nlattr *attr) 6385 { 6386 struct nft_data_desc desc = { 6387 .type = NFT_DATA_VALUE, 6388 .size = NFT_DATA_VALUE_MAXLEN, 6389 .len = set->klen, 6390 }; 6391 6392 return nft_data_init(ctx, key, &desc, attr); 6393 } 6394 6395 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 6396 struct nft_data_desc *desc, 6397 struct nft_data *data, 6398 struct nlattr *attr) 6399 { 6400 u32 dtype; 6401 6402 if (set->dtype == NFT_DATA_VERDICT) 6403 dtype = NFT_DATA_VERDICT; 6404 else 6405 dtype = NFT_DATA_VALUE; 6406 6407 desc->type = dtype; 6408 desc->size = NFT_DATA_VALUE_MAXLEN; 6409 desc->len = set->dlen; 6410 desc->flags = NFT_DATA_DESC_SETELEM; 6411 6412 return nft_data_init(ctx, data, desc, attr); 6413 } 6414 6415 static void *nft_setelem_catchall_get(const struct net *net, 6416 const struct nft_set *set) 6417 { 6418 struct nft_set_elem_catchall *catchall; 6419 u8 genmask = nft_genmask_cur(net); 6420 struct nft_set_ext *ext; 6421 void *priv = NULL; 6422 6423 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6424 ext = nft_set_elem_ext(set, catchall->elem); 6425 if (!nft_set_elem_active(ext, genmask) || 6426 nft_set_elem_expired(ext)) 6427 continue; 6428 6429 priv = catchall->elem; 6430 break; 6431 } 6432 6433 return priv; 6434 } 6435 6436 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set, 6437 struct nft_set_elem *elem, u32 flags) 6438 { 6439 void *priv; 6440 6441 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 6442 priv = set->ops->get(ctx->net, set, elem, flags); 6443 if (IS_ERR(priv)) 6444 return PTR_ERR(priv); 6445 } else { 6446 priv = nft_setelem_catchall_get(ctx->net, set); 6447 if (!priv) 6448 return -ENOENT; 6449 } 6450 elem->priv = priv; 6451 6452 return 0; 6453 } 6454 6455 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set, 6456 const struct nlattr *attr, bool reset) 6457 { 6458 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 6459 struct nft_set_elem elem; 6460 struct sk_buff *skb; 6461 uint32_t flags = 0; 6462 int err; 6463 6464 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 6465 nft_set_elem_policy, NULL); 6466 if (err < 0) 6467 return err; 6468 6469 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 6470 if (err < 0) 6471 return err; 6472 6473 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 6474 return -EINVAL; 6475 6476 if (nla[NFTA_SET_ELEM_KEY]) { 6477 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 6478 nla[NFTA_SET_ELEM_KEY]); 6479 if (err < 0) 6480 return err; 6481 } 6482 6483 if (nla[NFTA_SET_ELEM_KEY_END]) { 6484 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 6485 nla[NFTA_SET_ELEM_KEY_END]); 6486 if (err < 0) 6487 return err; 6488 } 6489 6490 err = nft_setelem_get(ctx, set, &elem, flags); 6491 if (err < 0) 6492 return err; 6493 6494 err = -ENOMEM; 6495 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 6496 if (skb == NULL) 6497 return err; 6498 6499 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 6500 NFT_MSG_NEWSETELEM, 0, set, elem.priv, 6501 reset); 6502 if (err < 0) 6503 goto err_fill_setelem; 6504 6505 return nfnetlink_unicast(skb, ctx->net, ctx->portid); 6506 6507 err_fill_setelem: 6508 kfree_skb(skb); 6509 return err; 6510 } 6511 6512 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx, 6513 const struct sk_buff *skb, 6514 const struct nfnl_info *info, 6515 const struct nlattr * const nla[], 6516 bool reset) 6517 { 6518 struct netlink_ext_ack *extack = info->extack; 6519 u8 genmask = nft_genmask_cur(info->net); 6520 u8 family = info->nfmsg->nfgen_family; 6521 struct net *net = info->net; 6522 struct nft_table *table; 6523 struct nft_set *set; 6524 6525 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6526 genmask, 0); 6527 if (IS_ERR(table)) { 6528 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6529 return PTR_ERR(table); 6530 } 6531 6532 set = nft_set_lookup(net, table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 6533 if (IS_ERR(set)) { 6534 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); 6535 return PTR_ERR(set); 6536 } 6537 6538 nft_ctx_init(&dump_ctx->ctx, net, skb, 6539 info->nlh, family, table, NULL, nla); 6540 dump_ctx->set = set; 6541 dump_ctx->reset = reset; 6542 return 0; 6543 } 6544 6545 /* called with rcu_read_lock held */ 6546 static int nf_tables_getsetelem(struct sk_buff *skb, 6547 const struct nfnl_info *info, 6548 const struct nlattr * const nla[]) 6549 { 6550 struct netlink_ext_ack *extack = info->extack; 6551 struct nft_set_dump_ctx dump_ctx; 6552 struct nlattr *attr; 6553 int rem, err = 0; 6554 6555 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 6556 struct netlink_dump_control c = { 6557 .start = nf_tables_dump_set_start, 6558 .dump = nf_tables_dump_set, 6559 .done = nf_tables_dump_set_done, 6560 .module = THIS_MODULE, 6561 }; 6562 6563 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false); 6564 if (err) 6565 return err; 6566 6567 c.data = &dump_ctx; 6568 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 6569 } 6570 6571 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 6572 return -EINVAL; 6573 6574 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false); 6575 if (err) 6576 return err; 6577 6578 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6579 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, false); 6580 if (err < 0) { 6581 NL_SET_BAD_ATTR(extack, attr); 6582 break; 6583 } 6584 } 6585 6586 return err; 6587 } 6588 6589 static int nf_tables_getsetelem_reset(struct sk_buff *skb, 6590 const struct nfnl_info *info, 6591 const struct nlattr * const nla[]) 6592 { 6593 struct nftables_pernet *nft_net = nft_pernet(info->net); 6594 struct netlink_ext_ack *extack = info->extack; 6595 struct nft_set_dump_ctx dump_ctx; 6596 int rem, err = 0, nelems = 0; 6597 struct nlattr *attr; 6598 6599 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 6600 struct netlink_dump_control c = { 6601 .start = nf_tables_dump_set_start, 6602 .dump = nf_tables_dumpreset_set, 6603 .done = nf_tables_dump_set_done, 6604 .module = THIS_MODULE, 6605 }; 6606 6607 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true); 6608 if (err) 6609 return err; 6610 6611 c.data = &dump_ctx; 6612 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 6613 } 6614 6615 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 6616 return -EINVAL; 6617 6618 if (!try_module_get(THIS_MODULE)) 6619 return -EINVAL; 6620 rcu_read_unlock(); 6621 mutex_lock(&nft_net->commit_mutex); 6622 rcu_read_lock(); 6623 6624 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true); 6625 if (err) 6626 goto out_unlock; 6627 6628 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6629 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, true); 6630 if (err < 0) { 6631 NL_SET_BAD_ATTR(extack, attr); 6632 break; 6633 } 6634 nelems++; 6635 } 6636 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_base_seq(info->net), nelems); 6637 6638 out_unlock: 6639 rcu_read_unlock(); 6640 mutex_unlock(&nft_net->commit_mutex); 6641 rcu_read_lock(); 6642 module_put(THIS_MODULE); 6643 6644 return err; 6645 } 6646 6647 static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 6648 const struct nft_set *set, 6649 const struct nft_elem_priv *elem_priv, 6650 int event) 6651 { 6652 struct nftables_pernet *nft_net; 6653 struct net *net = ctx->net; 6654 u32 portid = ctx->portid; 6655 struct sk_buff *skb; 6656 u16 flags = 0; 6657 int err; 6658 6659 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 6660 return; 6661 6662 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 6663 if (skb == NULL) 6664 goto err; 6665 6666 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 6667 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 6668 6669 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 6670 set, elem_priv, false); 6671 if (err < 0) { 6672 kfree_skb(skb); 6673 goto err; 6674 } 6675 6676 nft_net = nft_pernet(net); 6677 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 6678 return; 6679 err: 6680 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 6681 } 6682 6683 static struct nft_trans *nft_trans_elem_alloc(const struct nft_ctx *ctx, 6684 int msg_type, 6685 struct nft_set *set) 6686 { 6687 struct nft_trans_elem *te; 6688 struct nft_trans *trans; 6689 6690 trans = nft_trans_alloc(ctx, msg_type, struct_size(te, elems, 1)); 6691 if (trans == NULL) 6692 return NULL; 6693 6694 te = nft_trans_container_elem(trans); 6695 te->nelems = 1; 6696 te->set = set; 6697 6698 return trans; 6699 } 6700 6701 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 6702 const struct nft_set *set, 6703 const struct nlattr *attr) 6704 { 6705 struct nft_expr *expr; 6706 int err; 6707 6708 expr = nft_expr_init(ctx, attr); 6709 if (IS_ERR(expr)) 6710 return expr; 6711 6712 err = -EOPNOTSUPP; 6713 if (expr->ops->type->flags & NFT_EXPR_GC) { 6714 if (set->flags & NFT_SET_TIMEOUT) 6715 goto err_set_elem_expr; 6716 if (!set->ops->gc_init) 6717 goto err_set_elem_expr; 6718 set->ops->gc_init(set); 6719 } 6720 6721 return expr; 6722 6723 err_set_elem_expr: 6724 nft_expr_destroy(ctx, expr); 6725 return ERR_PTR(err); 6726 } 6727 6728 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len) 6729 { 6730 len += nft_set_ext_types[id].len; 6731 if (len > tmpl->ext_len[id] || 6732 len > U8_MAX) 6733 return -1; 6734 6735 return 0; 6736 } 6737 6738 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id, 6739 void *to, const void *from, u32 len) 6740 { 6741 if (nft_set_ext_check(tmpl, id, len) < 0) 6742 return -1; 6743 6744 memcpy(to, from, len); 6745 6746 return 0; 6747 } 6748 6749 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set, 6750 const struct nft_set_ext_tmpl *tmpl, 6751 const u32 *key, const u32 *key_end, 6752 const u32 *data, 6753 u64 timeout, u64 expiration, gfp_t gfp) 6754 { 6755 struct nft_set_ext *ext; 6756 void *elem; 6757 6758 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 6759 if (elem == NULL) 6760 return ERR_PTR(-ENOMEM); 6761 6762 ext = nft_set_elem_ext(set, elem); 6763 nft_set_ext_init(ext, tmpl); 6764 6765 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 6766 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY, 6767 nft_set_ext_key(ext), key, set->klen) < 0) 6768 goto err_ext_check; 6769 6770 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 6771 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END, 6772 nft_set_ext_key_end(ext), key_end, set->klen) < 0) 6773 goto err_ext_check; 6774 6775 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 6776 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA, 6777 nft_set_ext_data(ext), data, set->dlen) < 0) 6778 goto err_ext_check; 6779 6780 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) { 6781 nft_set_ext_timeout(ext)->timeout = timeout; 6782 6783 if (expiration == 0) 6784 expiration = timeout; 6785 6786 nft_set_ext_timeout(ext)->expiration = get_jiffies_64() + expiration; 6787 } 6788 6789 return elem; 6790 6791 err_ext_check: 6792 kfree(elem); 6793 6794 return ERR_PTR(-EINVAL); 6795 } 6796 6797 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 6798 struct nft_expr *expr) 6799 { 6800 if (expr->ops->destroy_clone) { 6801 expr->ops->destroy_clone(ctx, expr); 6802 module_put(expr->ops->type->owner); 6803 } else { 6804 nf_tables_expr_destroy(ctx, expr); 6805 } 6806 } 6807 6808 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 6809 struct nft_set_elem_expr *elem_expr) 6810 { 6811 struct nft_expr *expr; 6812 u32 size; 6813 6814 nft_setelem_expr_foreach(expr, elem_expr, size) 6815 __nft_set_elem_expr_destroy(ctx, expr); 6816 } 6817 6818 /* Drop references and destroy. Called from gc, dynset and abort path. */ 6819 static void __nft_set_elem_destroy(const struct nft_ctx *ctx, 6820 const struct nft_set *set, 6821 const struct nft_elem_priv *elem_priv, 6822 bool destroy_expr) 6823 { 6824 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6825 6826 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 6827 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6828 nft_data_release(nft_set_ext_data(ext), set->dtype); 6829 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 6830 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 6831 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6832 nft_use_dec(&(*nft_set_ext_obj(ext))->use); 6833 6834 kfree(elem_priv); 6835 } 6836 6837 /* Drop references and destroy. Called from gc and dynset. */ 6838 void nft_set_elem_destroy(const struct nft_set *set, 6839 const struct nft_elem_priv *elem_priv, 6840 bool destroy_expr) 6841 { 6842 struct nft_ctx ctx = { 6843 .net = read_pnet(&set->net), 6844 .family = set->table->family, 6845 }; 6846 6847 __nft_set_elem_destroy(&ctx, set, elem_priv, destroy_expr); 6848 } 6849 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 6850 6851 /* Drop references and destroy. Called from abort path. */ 6852 static void nft_trans_set_elem_destroy(const struct nft_ctx *ctx, struct nft_trans_elem *te) 6853 { 6854 int i; 6855 6856 for (i = 0; i < te->nelems; i++) { 6857 /* skip update request, see nft_trans_elems_new_abort() */ 6858 if (!te->elems[i].priv) 6859 continue; 6860 6861 __nft_set_elem_destroy(ctx, te->set, te->elems[i].priv, true); 6862 } 6863 } 6864 6865 /* Destroy element. References have been already dropped in the preparation 6866 * path via nft_setelem_data_deactivate(). 6867 */ 6868 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 6869 const struct nft_set *set, 6870 const struct nft_elem_priv *elem_priv) 6871 { 6872 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6873 6874 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 6875 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 6876 6877 kfree(elem_priv); 6878 } 6879 6880 static void nft_trans_elems_destroy(const struct nft_ctx *ctx, 6881 const struct nft_trans_elem *te) 6882 { 6883 int i; 6884 6885 for (i = 0; i < te->nelems; i++) 6886 nf_tables_set_elem_destroy(ctx, te->set, te->elems[i].priv); 6887 } 6888 6889 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, 6890 struct nft_expr *expr_array[]) 6891 { 6892 struct nft_expr *expr; 6893 int err, i, k; 6894 6895 for (i = 0; i < set->num_exprs; i++) { 6896 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT); 6897 if (!expr) 6898 goto err_expr; 6899 6900 err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT); 6901 if (err < 0) { 6902 kfree(expr); 6903 goto err_expr; 6904 } 6905 expr_array[i] = expr; 6906 } 6907 6908 return 0; 6909 6910 err_expr: 6911 for (k = i - 1; k >= 0; k--) 6912 nft_expr_destroy(ctx, expr_array[k]); 6913 6914 return -ENOMEM; 6915 } 6916 6917 static int nft_set_elem_expr_setup(struct nft_ctx *ctx, 6918 const struct nft_set_ext_tmpl *tmpl, 6919 const struct nft_set_ext *ext, 6920 struct nft_expr *expr_array[], 6921 u32 num_exprs) 6922 { 6923 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); 6924 u32 len = sizeof(struct nft_set_elem_expr); 6925 struct nft_expr *expr; 6926 int i, err; 6927 6928 if (num_exprs == 0) 6929 return 0; 6930 6931 for (i = 0; i < num_exprs; i++) 6932 len += expr_array[i]->ops->size; 6933 6934 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0) 6935 return -EINVAL; 6936 6937 for (i = 0; i < num_exprs; i++) { 6938 expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 6939 err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT); 6940 if (err < 0) 6941 goto err_elem_expr_setup; 6942 6943 elem_expr->size += expr_array[i]->ops->size; 6944 nft_expr_destroy(ctx, expr_array[i]); 6945 expr_array[i] = NULL; 6946 } 6947 6948 return 0; 6949 6950 err_elem_expr_setup: 6951 for (; i < num_exprs; i++) { 6952 nft_expr_destroy(ctx, expr_array[i]); 6953 expr_array[i] = NULL; 6954 } 6955 6956 return -ENOMEM; 6957 } 6958 6959 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net, 6960 const struct nft_set *set) 6961 { 6962 struct nft_set_elem_catchall *catchall; 6963 u8 genmask = nft_genmask_cur(net); 6964 struct nft_set_ext *ext; 6965 6966 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6967 ext = nft_set_elem_ext(set, catchall->elem); 6968 if (nft_set_elem_active(ext, genmask) && 6969 !nft_set_elem_expired(ext) && 6970 !nft_set_elem_is_dead(ext)) 6971 return ext; 6972 } 6973 6974 return NULL; 6975 } 6976 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup); 6977 6978 static int nft_setelem_catchall_insert(const struct net *net, 6979 struct nft_set *set, 6980 const struct nft_set_elem *elem, 6981 struct nft_elem_priv **priv) 6982 { 6983 struct nft_set_elem_catchall *catchall; 6984 u8 genmask = nft_genmask_next(net); 6985 struct nft_set_ext *ext; 6986 6987 list_for_each_entry(catchall, &set->catchall_list, list) { 6988 ext = nft_set_elem_ext(set, catchall->elem); 6989 if (nft_set_elem_active(ext, genmask)) { 6990 *priv = catchall->elem; 6991 return -EEXIST; 6992 } 6993 } 6994 6995 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL_ACCOUNT); 6996 if (!catchall) 6997 return -ENOMEM; 6998 6999 catchall->elem = elem->priv; 7000 list_add_tail_rcu(&catchall->list, &set->catchall_list); 7001 7002 return 0; 7003 } 7004 7005 static int nft_setelem_insert(const struct net *net, 7006 struct nft_set *set, 7007 const struct nft_set_elem *elem, 7008 struct nft_elem_priv **elem_priv, 7009 unsigned int flags) 7010 { 7011 int ret; 7012 7013 if (flags & NFT_SET_ELEM_CATCHALL) 7014 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv); 7015 else 7016 ret = set->ops->insert(net, set, elem, elem_priv); 7017 7018 return ret; 7019 } 7020 7021 static bool nft_setelem_is_catchall(const struct nft_set *set, 7022 const struct nft_elem_priv *elem_priv) 7023 { 7024 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7025 7026 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 7027 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL) 7028 return true; 7029 7030 return false; 7031 } 7032 7033 static void nft_setelem_activate(struct net *net, struct nft_set *set, 7034 struct nft_elem_priv *elem_priv) 7035 { 7036 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7037 7038 if (nft_setelem_is_catchall(set, elem_priv)) { 7039 nft_clear(net, ext); 7040 } else { 7041 set->ops->activate(net, set, elem_priv); 7042 } 7043 } 7044 7045 static void nft_trans_elem_update(const struct nft_set *set, 7046 const struct nft_trans_one_elem *elem) 7047 { 7048 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 7049 const struct nft_elem_update *update = elem->update; 7050 7051 if (update->flags & NFT_TRANS_UPD_TIMEOUT) 7052 WRITE_ONCE(nft_set_ext_timeout(ext)->timeout, update->timeout); 7053 7054 if (update->flags & NFT_TRANS_UPD_EXPIRATION) 7055 WRITE_ONCE(nft_set_ext_timeout(ext)->expiration, get_jiffies_64() + update->expiration); 7056 } 7057 7058 static void nft_trans_elems_add(const struct nft_ctx *ctx, 7059 struct nft_trans_elem *te) 7060 { 7061 int i; 7062 7063 for (i = 0; i < te->nelems; i++) { 7064 struct nft_trans_one_elem *elem = &te->elems[i]; 7065 7066 if (elem->update) 7067 nft_trans_elem_update(te->set, elem); 7068 else 7069 nft_setelem_activate(ctx->net, te->set, elem->priv); 7070 7071 nf_tables_setelem_notify(ctx, te->set, elem->priv, 7072 NFT_MSG_NEWSETELEM); 7073 kfree(elem->update); 7074 } 7075 } 7076 7077 static int nft_setelem_catchall_deactivate(const struct net *net, 7078 struct nft_set *set, 7079 struct nft_set_elem *elem) 7080 { 7081 struct nft_set_elem_catchall *catchall; 7082 struct nft_set_ext *ext; 7083 7084 list_for_each_entry(catchall, &set->catchall_list, list) { 7085 ext = nft_set_elem_ext(set, catchall->elem); 7086 if (!nft_is_active_next(net, ext)) 7087 continue; 7088 7089 kfree(elem->priv); 7090 elem->priv = catchall->elem; 7091 nft_set_elem_change_active(net, set, ext); 7092 return 0; 7093 } 7094 7095 return -ENOENT; 7096 } 7097 7098 static int __nft_setelem_deactivate(const struct net *net, 7099 struct nft_set *set, 7100 struct nft_set_elem *elem) 7101 { 7102 void *priv; 7103 7104 priv = set->ops->deactivate(net, set, elem); 7105 if (!priv) 7106 return -ENOENT; 7107 7108 kfree(elem->priv); 7109 elem->priv = priv; 7110 set->ndeact++; 7111 7112 return 0; 7113 } 7114 7115 static int nft_setelem_deactivate(const struct net *net, 7116 struct nft_set *set, 7117 struct nft_set_elem *elem, u32 flags) 7118 { 7119 int ret; 7120 7121 if (flags & NFT_SET_ELEM_CATCHALL) 7122 ret = nft_setelem_catchall_deactivate(net, set, elem); 7123 else 7124 ret = __nft_setelem_deactivate(net, set, elem); 7125 7126 return ret; 7127 } 7128 7129 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall) 7130 { 7131 list_del_rcu(&catchall->list); 7132 kfree_rcu(catchall, rcu); 7133 } 7134 7135 static void nft_setelem_catchall_remove(const struct net *net, 7136 const struct nft_set *set, 7137 struct nft_elem_priv *elem_priv) 7138 { 7139 struct nft_set_elem_catchall *catchall, *next; 7140 7141 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 7142 if (catchall->elem == elem_priv) { 7143 nft_setelem_catchall_destroy(catchall); 7144 break; 7145 } 7146 } 7147 } 7148 7149 static void nft_setelem_remove(const struct net *net, 7150 const struct nft_set *set, 7151 struct nft_elem_priv *elem_priv) 7152 { 7153 if (nft_setelem_is_catchall(set, elem_priv)) 7154 nft_setelem_catchall_remove(net, set, elem_priv); 7155 else 7156 set->ops->remove(net, set, elem_priv); 7157 } 7158 7159 static void nft_trans_elems_remove(const struct nft_ctx *ctx, 7160 const struct nft_trans_elem *te) 7161 { 7162 int i; 7163 7164 for (i = 0; i < te->nelems; i++) { 7165 WARN_ON_ONCE(te->elems[i].update); 7166 7167 nf_tables_setelem_notify(ctx, te->set, 7168 te->elems[i].priv, 7169 te->nft_trans.msg_type); 7170 7171 nft_setelem_remove(ctx->net, te->set, te->elems[i].priv); 7172 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv)) { 7173 atomic_dec(&te->set->nelems); 7174 te->set->ndeact--; 7175 } 7176 } 7177 } 7178 7179 static bool nft_setelem_valid_key_end(const struct nft_set *set, 7180 struct nlattr **nla, u32 flags) 7181 { 7182 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) == 7183 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) { 7184 if (flags & NFT_SET_ELEM_INTERVAL_END) 7185 return false; 7186 7187 if (nla[NFTA_SET_ELEM_KEY_END] && 7188 flags & NFT_SET_ELEM_CATCHALL) 7189 return false; 7190 } else { 7191 if (nla[NFTA_SET_ELEM_KEY_END]) 7192 return false; 7193 } 7194 7195 return true; 7196 } 7197 7198 static u32 nft_set_maxsize(const struct nft_set *set) 7199 { 7200 u32 maxsize, delta; 7201 7202 if (!set->size) 7203 return UINT_MAX; 7204 7205 if (set->ops->adjust_maxsize) 7206 delta = set->ops->adjust_maxsize(set); 7207 else 7208 delta = 0; 7209 7210 if (check_add_overflow(set->size, set->ndeact, &maxsize)) 7211 return UINT_MAX; 7212 7213 if (check_add_overflow(maxsize, delta, &maxsize)) 7214 return UINT_MAX; 7215 7216 return maxsize; 7217 } 7218 7219 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 7220 const struct nlattr *attr, u32 nlmsg_flags) 7221 { 7222 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {}; 7223 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 7224 u8 genmask = nft_genmask_next(ctx->net); 7225 u32 flags = 0, size = 0, num_exprs = 0; 7226 struct nft_set_ext_tmpl tmpl; 7227 struct nft_set_ext *ext, *ext2; 7228 struct nft_set_elem elem; 7229 struct nft_set_binding *binding; 7230 struct nft_elem_priv *elem_priv; 7231 struct nft_object *obj = NULL; 7232 struct nft_userdata *udata; 7233 struct nft_data_desc desc; 7234 enum nft_registers dreg; 7235 struct nft_trans *trans; 7236 u64 expiration; 7237 u64 timeout; 7238 int err, i; 7239 u8 ulen; 7240 7241 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 7242 nft_set_elem_policy, NULL); 7243 if (err < 0) 7244 return err; 7245 7246 nft_set_ext_prepare(&tmpl); 7247 7248 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 7249 if (err < 0) 7250 return err; 7251 7252 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) || 7253 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY])) 7254 return -EINVAL; 7255 7256 if (flags != 0) { 7257 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 7258 if (err < 0) 7259 return err; 7260 } 7261 7262 if (set->flags & NFT_SET_MAP) { 7263 if (nla[NFTA_SET_ELEM_DATA] == NULL && 7264 !(flags & NFT_SET_ELEM_INTERVAL_END)) 7265 return -EINVAL; 7266 } else { 7267 if (nla[NFTA_SET_ELEM_DATA] != NULL) 7268 return -EINVAL; 7269 } 7270 7271 if (set->flags & NFT_SET_OBJECT) { 7272 if (!nla[NFTA_SET_ELEM_OBJREF] && 7273 !(flags & NFT_SET_ELEM_INTERVAL_END)) 7274 return -EINVAL; 7275 } else { 7276 if (nla[NFTA_SET_ELEM_OBJREF]) 7277 return -EINVAL; 7278 } 7279 7280 if (!nft_setelem_valid_key_end(set, nla, flags)) 7281 return -EINVAL; 7282 7283 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 7284 (nla[NFTA_SET_ELEM_DATA] || 7285 nla[NFTA_SET_ELEM_OBJREF] || 7286 nla[NFTA_SET_ELEM_TIMEOUT] || 7287 nla[NFTA_SET_ELEM_EXPIRATION] || 7288 nla[NFTA_SET_ELEM_USERDATA] || 7289 nla[NFTA_SET_ELEM_EXPR] || 7290 nla[NFTA_SET_ELEM_KEY_END] || 7291 nla[NFTA_SET_ELEM_EXPRESSIONS])) 7292 return -EINVAL; 7293 7294 timeout = 0; 7295 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 7296 if (!(set->flags & NFT_SET_TIMEOUT)) 7297 return -EINVAL; 7298 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 7299 &timeout); 7300 if (err) 7301 return err; 7302 } else if (set->flags & NFT_SET_TIMEOUT && 7303 !(flags & NFT_SET_ELEM_INTERVAL_END)) { 7304 timeout = set->timeout; 7305 } 7306 7307 expiration = 0; 7308 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 7309 if (!(set->flags & NFT_SET_TIMEOUT)) 7310 return -EINVAL; 7311 if (timeout == 0) 7312 return -EOPNOTSUPP; 7313 7314 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 7315 &expiration); 7316 if (err) 7317 return err; 7318 7319 if (expiration > timeout) 7320 return -ERANGE; 7321 } 7322 7323 if (nla[NFTA_SET_ELEM_EXPR]) { 7324 struct nft_expr *expr; 7325 7326 if (set->num_exprs && set->num_exprs != 1) 7327 return -EOPNOTSUPP; 7328 7329 expr = nft_set_elem_expr_alloc(ctx, set, 7330 nla[NFTA_SET_ELEM_EXPR]); 7331 if (IS_ERR(expr)) 7332 return PTR_ERR(expr); 7333 7334 expr_array[0] = expr; 7335 num_exprs = 1; 7336 7337 if (set->num_exprs && set->exprs[0]->ops != expr->ops) { 7338 err = -EOPNOTSUPP; 7339 goto err_set_elem_expr; 7340 } 7341 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) { 7342 struct nft_expr *expr; 7343 struct nlattr *tmp; 7344 int left; 7345 7346 i = 0; 7347 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) { 7348 if (i == NFT_SET_EXPR_MAX || 7349 (set->num_exprs && set->num_exprs == i)) { 7350 err = -E2BIG; 7351 goto err_set_elem_expr; 7352 } 7353 if (nla_type(tmp) != NFTA_LIST_ELEM) { 7354 err = -EINVAL; 7355 goto err_set_elem_expr; 7356 } 7357 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 7358 if (IS_ERR(expr)) { 7359 err = PTR_ERR(expr); 7360 goto err_set_elem_expr; 7361 } 7362 expr_array[i] = expr; 7363 num_exprs++; 7364 7365 if (set->num_exprs && expr->ops != set->exprs[i]->ops) { 7366 err = -EOPNOTSUPP; 7367 goto err_set_elem_expr; 7368 } 7369 i++; 7370 } 7371 if (set->num_exprs && set->num_exprs != i) { 7372 err = -EOPNOTSUPP; 7373 goto err_set_elem_expr; 7374 } 7375 } else if (set->num_exprs > 0 && 7376 !(flags & NFT_SET_ELEM_INTERVAL_END)) { 7377 err = nft_set_elem_expr_clone(ctx, set, expr_array); 7378 if (err < 0) 7379 goto err_set_elem_expr_clone; 7380 7381 num_exprs = set->num_exprs; 7382 } 7383 7384 if (nla[NFTA_SET_ELEM_KEY]) { 7385 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 7386 nla[NFTA_SET_ELEM_KEY]); 7387 if (err < 0) 7388 goto err_set_elem_expr; 7389 7390 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 7391 if (err < 0) 7392 goto err_parse_key; 7393 } 7394 7395 if (nla[NFTA_SET_ELEM_KEY_END]) { 7396 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 7397 nla[NFTA_SET_ELEM_KEY_END]); 7398 if (err < 0) 7399 goto err_parse_key; 7400 7401 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 7402 if (err < 0) 7403 goto err_parse_key_end; 7404 } 7405 7406 if (set->flags & NFT_SET_TIMEOUT) { 7407 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 7408 if (err < 0) 7409 goto err_parse_key_end; 7410 } 7411 7412 if (num_exprs) { 7413 for (i = 0; i < num_exprs; i++) 7414 size += expr_array[i]->ops->size; 7415 7416 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS, 7417 sizeof(struct nft_set_elem_expr) + size); 7418 if (err < 0) 7419 goto err_parse_key_end; 7420 } 7421 7422 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 7423 obj = nft_obj_lookup(ctx->net, ctx->table, 7424 nla[NFTA_SET_ELEM_OBJREF], 7425 set->objtype, genmask); 7426 if (IS_ERR(obj)) { 7427 err = PTR_ERR(obj); 7428 obj = NULL; 7429 goto err_parse_key_end; 7430 } 7431 7432 if (!nft_use_inc(&obj->use)) { 7433 err = -EMFILE; 7434 obj = NULL; 7435 goto err_parse_key_end; 7436 } 7437 7438 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 7439 if (err < 0) 7440 goto err_parse_key_end; 7441 } 7442 7443 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 7444 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 7445 nla[NFTA_SET_ELEM_DATA]); 7446 if (err < 0) 7447 goto err_parse_key_end; 7448 7449 dreg = nft_type_to_reg(set->dtype); 7450 list_for_each_entry(binding, &set->bindings, list) { 7451 struct nft_ctx bind_ctx = { 7452 .net = ctx->net, 7453 .family = ctx->family, 7454 .table = ctx->table, 7455 .chain = (struct nft_chain *)binding->chain, 7456 }; 7457 7458 if (!(binding->flags & NFT_SET_MAP)) 7459 continue; 7460 7461 err = nft_validate_register_store(&bind_ctx, dreg, 7462 &elem.data.val, 7463 desc.type, desc.len); 7464 if (err < 0) 7465 goto err_parse_data; 7466 7467 if (desc.type == NFT_DATA_VERDICT && 7468 (elem.data.val.verdict.code == NFT_GOTO || 7469 elem.data.val.verdict.code == NFT_JUMP)) 7470 nft_validate_state_update(ctx->table, 7471 NFT_VALIDATE_NEED); 7472 } 7473 7474 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 7475 if (err < 0) 7476 goto err_parse_data; 7477 } 7478 7479 /* The full maximum length of userdata can exceed the maximum 7480 * offset value (U8_MAX) for following extensions, therefor it 7481 * must be the last extension added. 7482 */ 7483 ulen = 0; 7484 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 7485 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 7486 if (ulen > 0) { 7487 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 7488 ulen); 7489 if (err < 0) 7490 goto err_parse_data; 7491 } 7492 } 7493 7494 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 7495 elem.key_end.val.data, elem.data.val.data, 7496 timeout, expiration, GFP_KERNEL_ACCOUNT); 7497 if (IS_ERR(elem.priv)) { 7498 err = PTR_ERR(elem.priv); 7499 goto err_parse_data; 7500 } 7501 7502 ext = nft_set_elem_ext(set, elem.priv); 7503 if (flags) 7504 *nft_set_ext_flags(ext) = flags; 7505 7506 if (obj) 7507 *nft_set_ext_obj(ext) = obj; 7508 7509 if (ulen > 0) { 7510 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) { 7511 err = -EINVAL; 7512 goto err_elem_free; 7513 } 7514 udata = nft_set_ext_userdata(ext); 7515 udata->len = ulen - 1; 7516 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 7517 } 7518 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs); 7519 if (err < 0) 7520 goto err_elem_free; 7521 7522 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 7523 if (trans == NULL) { 7524 err = -ENOMEM; 7525 goto err_elem_free; 7526 } 7527 7528 ext->genmask = nft_genmask_cur(ctx->net); 7529 7530 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags); 7531 if (err) { 7532 if (err == -EEXIST) { 7533 ext2 = nft_set_elem_ext(set, elem_priv); 7534 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 7535 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 7536 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 7537 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) 7538 goto err_element_clash; 7539 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 7540 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 7541 memcmp(nft_set_ext_data(ext), 7542 nft_set_ext_data(ext2), set->dlen) != 0) || 7543 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 7544 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 7545 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 7546 goto err_element_clash; 7547 else if (!(nlmsg_flags & NLM_F_EXCL)) { 7548 err = 0; 7549 if (nft_set_ext_exists(ext2, NFT_SET_EXT_TIMEOUT)) { 7550 struct nft_elem_update update = { }; 7551 7552 if (timeout != nft_set_ext_timeout(ext2)->timeout) { 7553 update.timeout = timeout; 7554 if (expiration == 0) 7555 expiration = timeout; 7556 7557 update.flags |= NFT_TRANS_UPD_TIMEOUT; 7558 } 7559 if (expiration) { 7560 update.expiration = expiration; 7561 update.flags |= NFT_TRANS_UPD_EXPIRATION; 7562 } 7563 7564 if (update.flags) { 7565 struct nft_trans_one_elem *ue; 7566 7567 ue = &nft_trans_container_elem(trans)->elems[0]; 7568 7569 ue->update = kmemdup(&update, sizeof(update), GFP_KERNEL); 7570 if (!ue->update) { 7571 err = -ENOMEM; 7572 goto err_element_clash; 7573 } 7574 7575 ue->priv = elem_priv; 7576 nft_trans_commit_list_add_elem(ctx->net, trans, GFP_KERNEL); 7577 goto err_elem_free; 7578 } 7579 } 7580 } 7581 } else if (err == -ENOTEMPTY) { 7582 /* ENOTEMPTY reports overlapping between this element 7583 * and an existing one. 7584 */ 7585 err = -EEXIST; 7586 } 7587 goto err_element_clash; 7588 } 7589 7590 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 7591 unsigned int max = nft_set_maxsize(set); 7592 7593 if (!atomic_add_unless(&set->nelems, 1, max)) { 7594 err = -ENFILE; 7595 goto err_set_full; 7596 } 7597 } 7598 7599 nft_trans_container_elem(trans)->elems[0].priv = elem.priv; 7600 nft_trans_commit_list_add_elem(ctx->net, trans, GFP_KERNEL); 7601 return 0; 7602 7603 err_set_full: 7604 nft_setelem_remove(ctx->net, set, elem.priv); 7605 err_element_clash: 7606 kfree(trans); 7607 err_elem_free: 7608 nf_tables_set_elem_destroy(ctx, set, elem.priv); 7609 err_parse_data: 7610 if (nla[NFTA_SET_ELEM_DATA] != NULL) 7611 nft_data_release(&elem.data.val, desc.type); 7612 err_parse_key_end: 7613 if (obj) 7614 nft_use_dec_restore(&obj->use); 7615 7616 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 7617 err_parse_key: 7618 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 7619 err_set_elem_expr: 7620 for (i = 0; i < num_exprs && expr_array[i]; i++) 7621 nft_expr_destroy(ctx, expr_array[i]); 7622 err_set_elem_expr_clone: 7623 return err; 7624 } 7625 7626 static int nf_tables_newsetelem(struct sk_buff *skb, 7627 const struct nfnl_info *info, 7628 const struct nlattr * const nla[]) 7629 { 7630 struct netlink_ext_ack *extack = info->extack; 7631 u8 genmask = nft_genmask_next(info->net); 7632 u8 family = info->nfmsg->nfgen_family; 7633 struct net *net = info->net; 7634 const struct nlattr *attr; 7635 struct nft_table *table; 7636 struct nft_set *set; 7637 struct nft_ctx ctx; 7638 int rem, err; 7639 7640 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 7641 return -EINVAL; 7642 7643 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 7644 genmask, NETLINK_CB(skb).portid); 7645 if (IS_ERR(table)) { 7646 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 7647 return PTR_ERR(table); 7648 } 7649 7650 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET], 7651 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 7652 if (IS_ERR(set)) { 7653 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); 7654 return PTR_ERR(set); 7655 } 7656 7657 if (!list_empty(&set->bindings) && 7658 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) 7659 return -EBUSY; 7660 7661 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7662 7663 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 7664 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags); 7665 if (err < 0) { 7666 NL_SET_BAD_ATTR(extack, attr); 7667 return err; 7668 } 7669 } 7670 7671 if (table->validate_state == NFT_VALIDATE_DO) 7672 return nft_table_validate(net, table); 7673 7674 return 0; 7675 } 7676 7677 /** 7678 * nft_data_hold - hold a nft_data item 7679 * 7680 * @data: struct nft_data to release 7681 * @type: type of data 7682 * 7683 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 7684 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 7685 * NFT_GOTO verdicts. This function must be called on active data objects 7686 * from the second phase of the commit protocol. 7687 */ 7688 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 7689 { 7690 struct nft_chain *chain; 7691 7692 if (type == NFT_DATA_VERDICT) { 7693 switch (data->verdict.code) { 7694 case NFT_JUMP: 7695 case NFT_GOTO: 7696 chain = data->verdict.chain; 7697 nft_use_inc_restore(&chain->use); 7698 break; 7699 } 7700 } 7701 } 7702 7703 static int nft_setelem_active_next(const struct net *net, 7704 const struct nft_set *set, 7705 struct nft_elem_priv *elem_priv) 7706 { 7707 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7708 u8 genmask = nft_genmask_next(net); 7709 7710 return nft_set_elem_active(ext, genmask); 7711 } 7712 7713 static void nft_setelem_data_activate(const struct net *net, 7714 const struct nft_set *set, 7715 struct nft_elem_priv *elem_priv) 7716 { 7717 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7718 7719 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 7720 nft_data_hold(nft_set_ext_data(ext), set->dtype); 7721 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 7722 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use); 7723 } 7724 7725 void nft_setelem_data_deactivate(const struct net *net, 7726 const struct nft_set *set, 7727 struct nft_elem_priv *elem_priv) 7728 { 7729 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7730 7731 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 7732 nft_data_release(nft_set_ext_data(ext), set->dtype); 7733 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 7734 nft_use_dec(&(*nft_set_ext_obj(ext))->use); 7735 } 7736 7737 /* similar to nft_trans_elems_remove, but called from abort path to undo newsetelem. 7738 * No notifications and no ndeact changes. 7739 * 7740 * Returns true if set had been added to (i.e., elements need to be removed again). 7741 */ 7742 static bool nft_trans_elems_new_abort(const struct nft_ctx *ctx, 7743 struct nft_trans_elem *te) 7744 { 7745 bool removed = false; 7746 int i; 7747 7748 for (i = 0; i < te->nelems; i++) { 7749 if (te->elems[i].update) { 7750 kfree(te->elems[i].update); 7751 te->elems[i].update = NULL; 7752 /* Update request, so do not release this element */ 7753 te->elems[i].priv = NULL; 7754 continue; 7755 } 7756 7757 if (!te->set->ops->abort || nft_setelem_is_catchall(te->set, te->elems[i].priv)) 7758 nft_setelem_remove(ctx->net, te->set, te->elems[i].priv); 7759 7760 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv)) 7761 atomic_dec(&te->set->nelems); 7762 7763 removed = true; 7764 } 7765 7766 return removed; 7767 } 7768 7769 /* Called from abort path to undo DELSETELEM/DESTROYSETELEM. */ 7770 static void nft_trans_elems_destroy_abort(const struct nft_ctx *ctx, 7771 const struct nft_trans_elem *te) 7772 { 7773 int i; 7774 7775 for (i = 0; i < te->nelems; i++) { 7776 if (!nft_setelem_active_next(ctx->net, te->set, te->elems[i].priv)) { 7777 nft_setelem_data_activate(ctx->net, te->set, te->elems[i].priv); 7778 nft_setelem_activate(ctx->net, te->set, te->elems[i].priv); 7779 } 7780 7781 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv)) 7782 te->set->ndeact--; 7783 } 7784 } 7785 7786 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 7787 const struct nlattr *attr) 7788 { 7789 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 7790 struct nft_set_ext_tmpl tmpl; 7791 struct nft_set_elem elem; 7792 struct nft_set_ext *ext; 7793 struct nft_trans *trans; 7794 u32 flags = 0; 7795 int err; 7796 7797 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 7798 nft_set_elem_policy, NULL); 7799 if (err < 0) 7800 return err; 7801 7802 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 7803 if (err < 0) 7804 return err; 7805 7806 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 7807 return -EINVAL; 7808 7809 if (!nft_setelem_valid_key_end(set, nla, flags)) 7810 return -EINVAL; 7811 7812 nft_set_ext_prepare(&tmpl); 7813 7814 if (flags != 0) { 7815 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 7816 if (err < 0) 7817 return err; 7818 } 7819 7820 if (nla[NFTA_SET_ELEM_KEY]) { 7821 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 7822 nla[NFTA_SET_ELEM_KEY]); 7823 if (err < 0) 7824 return err; 7825 7826 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 7827 if (err < 0) 7828 goto fail_elem; 7829 } 7830 7831 if (nla[NFTA_SET_ELEM_KEY_END]) { 7832 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 7833 nla[NFTA_SET_ELEM_KEY_END]); 7834 if (err < 0) 7835 goto fail_elem; 7836 7837 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 7838 if (err < 0) 7839 goto fail_elem_key_end; 7840 } 7841 7842 err = -ENOMEM; 7843 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 7844 elem.key_end.val.data, NULL, 0, 0, 7845 GFP_KERNEL_ACCOUNT); 7846 if (IS_ERR(elem.priv)) { 7847 err = PTR_ERR(elem.priv); 7848 goto fail_elem_key_end; 7849 } 7850 7851 ext = nft_set_elem_ext(set, elem.priv); 7852 if (flags) 7853 *nft_set_ext_flags(ext) = flags; 7854 7855 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 7856 if (trans == NULL) 7857 goto fail_trans; 7858 7859 err = nft_setelem_deactivate(ctx->net, set, &elem, flags); 7860 if (err < 0) 7861 goto fail_ops; 7862 7863 nft_setelem_data_deactivate(ctx->net, set, elem.priv); 7864 7865 nft_trans_container_elem(trans)->elems[0].priv = elem.priv; 7866 nft_trans_commit_list_add_elem(ctx->net, trans, GFP_KERNEL); 7867 return 0; 7868 7869 fail_ops: 7870 kfree(trans); 7871 fail_trans: 7872 kfree(elem.priv); 7873 fail_elem_key_end: 7874 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 7875 fail_elem: 7876 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 7877 return err; 7878 } 7879 7880 static int nft_setelem_flush(const struct nft_ctx *ctx, 7881 struct nft_set *set, 7882 const struct nft_set_iter *iter, 7883 struct nft_elem_priv *elem_priv) 7884 { 7885 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7886 struct nft_trans *trans; 7887 7888 if (!nft_set_elem_active(ext, iter->genmask)) 7889 return 0; 7890 7891 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 7892 struct_size_t(struct nft_trans_elem, elems, 1), 7893 GFP_ATOMIC); 7894 if (!trans) 7895 return -ENOMEM; 7896 7897 set->ops->flush(ctx->net, set, elem_priv); 7898 set->ndeact++; 7899 7900 nft_setelem_data_deactivate(ctx->net, set, elem_priv); 7901 nft_trans_elem_set(trans) = set; 7902 nft_trans_container_elem(trans)->nelems = 1; 7903 nft_trans_container_elem(trans)->elems[0].priv = elem_priv; 7904 nft_trans_commit_list_add_elem(ctx->net, trans, GFP_ATOMIC); 7905 7906 return 0; 7907 } 7908 7909 static int __nft_set_catchall_flush(const struct nft_ctx *ctx, 7910 struct nft_set *set, 7911 struct nft_elem_priv *elem_priv) 7912 { 7913 struct nft_trans *trans; 7914 7915 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 7916 if (!trans) 7917 return -ENOMEM; 7918 7919 nft_setelem_data_deactivate(ctx->net, set, elem_priv); 7920 nft_trans_container_elem(trans)->elems[0].priv = elem_priv; 7921 nft_trans_commit_list_add_elem(ctx->net, trans, GFP_KERNEL); 7922 7923 return 0; 7924 } 7925 7926 static int nft_set_catchall_flush(const struct nft_ctx *ctx, 7927 struct nft_set *set) 7928 { 7929 u8 genmask = nft_genmask_next(ctx->net); 7930 struct nft_set_elem_catchall *catchall; 7931 struct nft_set_ext *ext; 7932 int ret = 0; 7933 7934 list_for_each_entry_rcu(catchall, &set->catchall_list, list, 7935 lockdep_commit_lock_is_held(ctx->net)) { 7936 ext = nft_set_elem_ext(set, catchall->elem); 7937 if (!nft_set_elem_active(ext, genmask)) 7938 continue; 7939 7940 ret = __nft_set_catchall_flush(ctx, set, catchall->elem); 7941 if (ret < 0) 7942 break; 7943 nft_set_elem_change_active(ctx->net, set, ext); 7944 } 7945 7946 return ret; 7947 } 7948 7949 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask) 7950 { 7951 struct nft_set_iter iter = { 7952 .genmask = genmask, 7953 .type = NFT_ITER_UPDATE, 7954 .fn = nft_setelem_flush, 7955 }; 7956 7957 set->ops->walk(ctx, set, &iter); 7958 if (!iter.err) 7959 iter.err = nft_set_catchall_flush(ctx, set); 7960 7961 return iter.err; 7962 } 7963 7964 static int nf_tables_delsetelem(struct sk_buff *skb, 7965 const struct nfnl_info *info, 7966 const struct nlattr * const nla[]) 7967 { 7968 struct netlink_ext_ack *extack = info->extack; 7969 u8 genmask = nft_genmask_next(info->net); 7970 u8 family = info->nfmsg->nfgen_family; 7971 struct net *net = info->net; 7972 const struct nlattr *attr; 7973 struct nft_table *table; 7974 struct nft_set *set; 7975 struct nft_ctx ctx; 7976 int rem, err = 0; 7977 7978 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 7979 genmask, NETLINK_CB(skb).portid); 7980 if (IS_ERR(table)) { 7981 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 7982 return PTR_ERR(table); 7983 } 7984 7985 set = nft_set_lookup(net, table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 7986 if (IS_ERR(set)) { 7987 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); 7988 return PTR_ERR(set); 7989 } 7990 7991 if (nft_set_is_anonymous(set)) 7992 return -EOPNOTSUPP; 7993 7994 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT)) 7995 return -EBUSY; 7996 7997 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7998 7999 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 8000 return nft_set_flush(&ctx, set, genmask); 8001 8002 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 8003 err = nft_del_setelem(&ctx, set, attr); 8004 if (err == -ENOENT && 8005 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM) 8006 continue; 8007 8008 if (err < 0) { 8009 NL_SET_BAD_ATTR(extack, attr); 8010 return err; 8011 } 8012 } 8013 8014 return 0; 8015 } 8016 8017 /* 8018 * Stateful objects 8019 */ 8020 8021 /** 8022 * nft_register_obj- register nf_tables stateful object type 8023 * @obj_type: object type 8024 * 8025 * Registers the object type for use with nf_tables. Returns zero on 8026 * success or a negative errno code otherwise. 8027 */ 8028 int nft_register_obj(struct nft_object_type *obj_type) 8029 { 8030 if (obj_type->type == NFT_OBJECT_UNSPEC) 8031 return -EINVAL; 8032 8033 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8034 list_add_rcu(&obj_type->list, &nf_tables_objects); 8035 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8036 return 0; 8037 } 8038 EXPORT_SYMBOL_GPL(nft_register_obj); 8039 8040 /** 8041 * nft_unregister_obj - unregister nf_tables object type 8042 * @obj_type: object type 8043 * 8044 * Unregisters the object type for use with nf_tables. 8045 */ 8046 void nft_unregister_obj(struct nft_object_type *obj_type) 8047 { 8048 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8049 list_del_rcu(&obj_type->list); 8050 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8051 } 8052 EXPORT_SYMBOL_GPL(nft_unregister_obj); 8053 8054 struct nft_object *nft_obj_lookup(const struct net *net, 8055 const struct nft_table *table, 8056 const struct nlattr *nla, u32 objtype, 8057 u8 genmask) 8058 { 8059 struct nft_object_hash_key k = { .table = table }; 8060 char search[NFT_OBJ_MAXNAMELEN]; 8061 struct rhlist_head *tmp, *list; 8062 struct nft_object *obj; 8063 8064 nla_strscpy(search, nla, sizeof(search)); 8065 k.name = search; 8066 8067 WARN_ON_ONCE(!rcu_read_lock_held() && 8068 !lockdep_commit_lock_is_held(net)); 8069 8070 rcu_read_lock(); 8071 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 8072 if (!list) 8073 goto out; 8074 8075 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 8076 if (objtype == obj->ops->type->type && 8077 nft_active_genmask(obj, genmask)) { 8078 rcu_read_unlock(); 8079 return obj; 8080 } 8081 } 8082 out: 8083 rcu_read_unlock(); 8084 return ERR_PTR(-ENOENT); 8085 } 8086 EXPORT_SYMBOL_GPL(nft_obj_lookup); 8087 8088 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 8089 const struct nlattr *nla, 8090 u32 objtype, u8 genmask) 8091 { 8092 struct nft_object *obj; 8093 8094 list_for_each_entry(obj, &table->objects, list) { 8095 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 8096 objtype == obj->ops->type->type && 8097 nft_active_genmask(obj, genmask)) 8098 return obj; 8099 } 8100 return ERR_PTR(-ENOENT); 8101 } 8102 8103 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 8104 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 8105 .len = NFT_TABLE_MAXNAMELEN - 1 }, 8106 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 8107 .len = NFT_OBJ_MAXNAMELEN - 1 }, 8108 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 8109 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 8110 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 8111 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY, 8112 .len = NFT_USERDATA_MAXLEN }, 8113 }; 8114 8115 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 8116 const struct nft_object_type *type, 8117 const struct nlattr *attr) 8118 { 8119 struct nlattr **tb; 8120 const struct nft_object_ops *ops; 8121 struct nft_object *obj; 8122 int err = -ENOMEM; 8123 8124 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 8125 if (!tb) 8126 goto err1; 8127 8128 if (attr) { 8129 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 8130 type->policy, NULL); 8131 if (err < 0) 8132 goto err2; 8133 } else { 8134 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 8135 } 8136 8137 if (type->select_ops) { 8138 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 8139 if (IS_ERR(ops)) { 8140 err = PTR_ERR(ops); 8141 goto err2; 8142 } 8143 } else { 8144 ops = type->ops; 8145 } 8146 8147 err = -ENOMEM; 8148 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT); 8149 if (!obj) 8150 goto err2; 8151 8152 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 8153 if (err < 0) 8154 goto err3; 8155 8156 obj->ops = ops; 8157 8158 kfree(tb); 8159 return obj; 8160 err3: 8161 kfree(obj); 8162 err2: 8163 kfree(tb); 8164 err1: 8165 return ERR_PTR(err); 8166 } 8167 8168 static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 8169 struct nft_object *obj, bool reset) 8170 { 8171 struct nlattr *nest; 8172 8173 nest = nla_nest_start_noflag(skb, attr); 8174 if (!nest) 8175 goto nla_put_failure; 8176 if (obj->ops->dump(skb, obj, reset) < 0) 8177 goto nla_put_failure; 8178 nla_nest_end(skb, nest); 8179 return 0; 8180 8181 nla_put_failure: 8182 return -1; 8183 } 8184 8185 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family) 8186 { 8187 const struct nft_object_type *type; 8188 8189 list_for_each_entry_rcu(type, &nf_tables_objects, list) { 8190 if (type->family != NFPROTO_UNSPEC && 8191 type->family != family) 8192 continue; 8193 8194 if (objtype == type->type) 8195 return type; 8196 } 8197 return NULL; 8198 } 8199 8200 static const struct nft_object_type * 8201 nft_obj_type_get(struct net *net, u32 objtype, u8 family) 8202 { 8203 const struct nft_object_type *type; 8204 8205 rcu_read_lock(); 8206 type = __nft_obj_type_get(objtype, family); 8207 if (type != NULL && try_module_get(type->owner)) { 8208 rcu_read_unlock(); 8209 return type; 8210 } 8211 rcu_read_unlock(); 8212 8213 lockdep_nfnl_nft_mutex_not_held(); 8214 #ifdef CONFIG_MODULES 8215 if (type == NULL) { 8216 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 8217 return ERR_PTR(-EAGAIN); 8218 } 8219 #endif 8220 return ERR_PTR(-ENOENT); 8221 } 8222 8223 static int nf_tables_updobj(const struct nft_ctx *ctx, 8224 const struct nft_object_type *type, 8225 const struct nlattr *attr, 8226 struct nft_object *obj) 8227 { 8228 struct nft_object *newobj; 8229 struct nft_trans *trans; 8230 int err = -ENOMEM; 8231 8232 /* caller must have obtained type->owner reference. */ 8233 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 8234 sizeof(struct nft_trans_obj)); 8235 if (!trans) 8236 goto err_trans; 8237 8238 newobj = nft_obj_init(ctx, type, attr); 8239 if (IS_ERR(newobj)) { 8240 err = PTR_ERR(newobj); 8241 goto err_free_trans; 8242 } 8243 8244 nft_trans_obj(trans) = obj; 8245 nft_trans_obj_update(trans) = true; 8246 nft_trans_obj_newobj(trans) = newobj; 8247 nft_trans_commit_list_add_tail(ctx->net, trans); 8248 8249 return 0; 8250 8251 err_free_trans: 8252 kfree(trans); 8253 err_trans: 8254 module_put(type->owner); 8255 return err; 8256 } 8257 8258 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, 8259 const struct nlattr * const nla[]) 8260 { 8261 struct netlink_ext_ack *extack = info->extack; 8262 u8 genmask = nft_genmask_next(info->net); 8263 u8 family = info->nfmsg->nfgen_family; 8264 const struct nft_object_type *type; 8265 struct net *net = info->net; 8266 struct nft_table *table; 8267 struct nft_object *obj; 8268 struct nft_ctx ctx; 8269 u32 objtype; 8270 int err; 8271 8272 if (!nla[NFTA_OBJ_TYPE] || 8273 !nla[NFTA_OBJ_NAME] || 8274 !nla[NFTA_OBJ_DATA]) 8275 return -EINVAL; 8276 8277 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 8278 NETLINK_CB(skb).portid); 8279 if (IS_ERR(table)) { 8280 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 8281 return PTR_ERR(table); 8282 } 8283 8284 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 8285 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 8286 if (IS_ERR(obj)) { 8287 err = PTR_ERR(obj); 8288 if (err != -ENOENT) { 8289 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 8290 return err; 8291 } 8292 } else { 8293 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 8294 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 8295 return -EEXIST; 8296 } 8297 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 8298 return -EOPNOTSUPP; 8299 8300 if (!obj->ops->update) 8301 return 0; 8302 8303 type = nft_obj_type_get(net, objtype, family); 8304 if (WARN_ON_ONCE(IS_ERR(type))) 8305 return PTR_ERR(type); 8306 8307 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8308 8309 /* type->owner reference is put when transaction object is released. */ 8310 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 8311 } 8312 8313 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8314 8315 if (!nft_use_inc(&table->use)) 8316 return -EMFILE; 8317 8318 type = nft_obj_type_get(net, objtype, family); 8319 if (IS_ERR(type)) { 8320 err = PTR_ERR(type); 8321 goto err_type; 8322 } 8323 8324 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 8325 if (IS_ERR(obj)) { 8326 err = PTR_ERR(obj); 8327 goto err_init; 8328 } 8329 obj->key.table = table; 8330 obj->handle = nf_tables_alloc_handle(table); 8331 8332 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT); 8333 if (!obj->key.name) { 8334 err = -ENOMEM; 8335 goto err_strdup; 8336 } 8337 8338 if (nla[NFTA_OBJ_USERDATA]) { 8339 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT); 8340 if (obj->udata == NULL) 8341 goto err_userdata; 8342 8343 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]); 8344 } 8345 8346 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 8347 if (err < 0) 8348 goto err_trans; 8349 8350 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 8351 nft_objname_ht_params); 8352 if (err < 0) 8353 goto err_obj_ht; 8354 8355 list_add_tail_rcu(&obj->list, &table->objects); 8356 8357 return 0; 8358 err_obj_ht: 8359 /* queued in transaction log */ 8360 INIT_LIST_HEAD(&obj->list); 8361 return err; 8362 err_trans: 8363 kfree(obj->udata); 8364 err_userdata: 8365 kfree(obj->key.name); 8366 err_strdup: 8367 if (obj->ops->destroy) 8368 obj->ops->destroy(&ctx, obj); 8369 kfree(obj); 8370 err_init: 8371 module_put(type->owner); 8372 err_type: 8373 nft_use_dec_restore(&table->use); 8374 8375 return err; 8376 } 8377 8378 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 8379 u32 portid, u32 seq, int event, u32 flags, 8380 int family, const struct nft_table *table, 8381 struct nft_object *obj, bool reset) 8382 { 8383 struct nlmsghdr *nlh; 8384 8385 nlh = nfnl_msg_put(skb, portid, seq, 8386 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event), 8387 flags, family, NFNETLINK_V0, nft_base_seq_be16(net)); 8388 if (!nlh) 8389 goto nla_put_failure; 8390 8391 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 8392 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 8393 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 8394 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 8395 NFTA_OBJ_PAD)) 8396 goto nla_put_failure; 8397 8398 if (event == NFT_MSG_DELOBJ || 8399 event == NFT_MSG_DESTROYOBJ) { 8400 nlmsg_end(skb, nlh); 8401 return 0; 8402 } 8403 8404 if (nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 8405 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset)) 8406 goto nla_put_failure; 8407 8408 if (obj->udata && 8409 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata)) 8410 goto nla_put_failure; 8411 8412 nlmsg_end(skb, nlh); 8413 return 0; 8414 8415 nla_put_failure: 8416 nlmsg_trim(skb, nlh); 8417 return -1; 8418 } 8419 8420 static void audit_log_obj_reset(const struct nft_table *table, 8421 unsigned int base_seq, unsigned int nentries) 8422 { 8423 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq); 8424 8425 audit_log_nfcfg(buf, table->family, nentries, 8426 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC); 8427 kfree(buf); 8428 } 8429 8430 struct nft_obj_dump_ctx { 8431 unsigned int s_idx; 8432 char *table; 8433 u32 type; 8434 bool reset; 8435 }; 8436 8437 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 8438 { 8439 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 8440 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 8441 struct net *net = sock_net(skb->sk); 8442 int family = nfmsg->nfgen_family; 8443 struct nftables_pernet *nft_net; 8444 const struct nft_table *table; 8445 unsigned int entries = 0; 8446 struct nft_object *obj; 8447 unsigned int idx = 0; 8448 int rc = 0; 8449 8450 rcu_read_lock(); 8451 nft_net = nft_pernet(net); 8452 cb->seq = nft_base_seq(net); 8453 8454 list_for_each_entry_rcu(table, &nft_net->tables, list) { 8455 if (family != NFPROTO_UNSPEC && family != table->family) 8456 continue; 8457 8458 entries = 0; 8459 list_for_each_entry_rcu(obj, &table->objects, list) { 8460 if (!nft_is_active(net, obj)) 8461 goto cont; 8462 if (idx < ctx->s_idx) 8463 goto cont; 8464 if (ctx->table && strcmp(ctx->table, table->name)) 8465 goto cont; 8466 if (ctx->type != NFT_OBJECT_UNSPEC && 8467 obj->ops->type->type != ctx->type) 8468 goto cont; 8469 8470 rc = nf_tables_fill_obj_info(skb, net, 8471 NETLINK_CB(cb->skb).portid, 8472 cb->nlh->nlmsg_seq, 8473 NFT_MSG_NEWOBJ, 8474 NLM_F_MULTI | NLM_F_APPEND, 8475 table->family, table, 8476 obj, ctx->reset); 8477 if (rc < 0) 8478 break; 8479 8480 entries++; 8481 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 8482 cont: 8483 idx++; 8484 } 8485 if (ctx->reset && entries) 8486 audit_log_obj_reset(table, nft_base_seq(net), entries); 8487 if (rc < 0) 8488 break; 8489 } 8490 rcu_read_unlock(); 8491 8492 ctx->s_idx = idx; 8493 return skb->len; 8494 } 8495 8496 static int nf_tables_dumpreset_obj(struct sk_buff *skb, 8497 struct netlink_callback *cb) 8498 { 8499 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk)); 8500 int ret; 8501 8502 mutex_lock(&nft_net->commit_mutex); 8503 ret = nf_tables_dump_obj(skb, cb); 8504 mutex_unlock(&nft_net->commit_mutex); 8505 8506 return ret; 8507 } 8508 8509 static int nf_tables_dump_obj_start(struct netlink_callback *cb) 8510 { 8511 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 8512 const struct nlattr * const *nla = cb->data; 8513 8514 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx)); 8515 8516 if (nla[NFTA_OBJ_TABLE]) { 8517 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 8518 if (!ctx->table) 8519 return -ENOMEM; 8520 } 8521 8522 if (nla[NFTA_OBJ_TYPE]) 8523 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 8524 8525 return 0; 8526 } 8527 8528 static int nf_tables_dumpreset_obj_start(struct netlink_callback *cb) 8529 { 8530 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 8531 8532 ctx->reset = true; 8533 8534 return nf_tables_dump_obj_start(cb); 8535 } 8536 8537 static int nf_tables_dump_obj_done(struct netlink_callback *cb) 8538 { 8539 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 8540 8541 kfree(ctx->table); 8542 8543 return 0; 8544 } 8545 8546 /* Caller must hold rcu read lock or transaction mutex */ 8547 static struct sk_buff * 8548 nf_tables_getobj_single(u32 portid, const struct nfnl_info *info, 8549 const struct nlattr * const nla[], bool reset) 8550 { 8551 struct netlink_ext_ack *extack = info->extack; 8552 u8 genmask = nft_genmask_cur(info->net); 8553 u8 family = info->nfmsg->nfgen_family; 8554 const struct nft_table *table; 8555 struct net *net = info->net; 8556 struct nft_object *obj; 8557 struct sk_buff *skb2; 8558 u32 objtype; 8559 int err; 8560 8561 if (!nla[NFTA_OBJ_NAME] || 8562 !nla[NFTA_OBJ_TYPE]) 8563 return ERR_PTR(-EINVAL); 8564 8565 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0); 8566 if (IS_ERR(table)) { 8567 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 8568 return ERR_CAST(table); 8569 } 8570 8571 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 8572 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 8573 if (IS_ERR(obj)) { 8574 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 8575 return ERR_CAST(obj); 8576 } 8577 8578 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 8579 if (!skb2) 8580 return ERR_PTR(-ENOMEM); 8581 8582 err = nf_tables_fill_obj_info(skb2, net, portid, 8583 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 8584 family, table, obj, reset); 8585 if (err < 0) { 8586 kfree_skb(skb2); 8587 return ERR_PTR(err); 8588 } 8589 8590 return skb2; 8591 } 8592 8593 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info, 8594 const struct nlattr * const nla[]) 8595 { 8596 u32 portid = NETLINK_CB(skb).portid; 8597 struct sk_buff *skb2; 8598 8599 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 8600 struct netlink_dump_control c = { 8601 .start = nf_tables_dump_obj_start, 8602 .dump = nf_tables_dump_obj, 8603 .done = nf_tables_dump_obj_done, 8604 .module = THIS_MODULE, 8605 .data = (void *)nla, 8606 }; 8607 8608 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 8609 } 8610 8611 skb2 = nf_tables_getobj_single(portid, info, nla, false); 8612 if (IS_ERR(skb2)) 8613 return PTR_ERR(skb2); 8614 8615 return nfnetlink_unicast(skb2, info->net, portid); 8616 } 8617 8618 static int nf_tables_getobj_reset(struct sk_buff *skb, 8619 const struct nfnl_info *info, 8620 const struct nlattr * const nla[]) 8621 { 8622 struct nftables_pernet *nft_net = nft_pernet(info->net); 8623 u32 portid = NETLINK_CB(skb).portid; 8624 struct net *net = info->net; 8625 struct sk_buff *skb2; 8626 char *buf; 8627 8628 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 8629 struct netlink_dump_control c = { 8630 .start = nf_tables_dumpreset_obj_start, 8631 .dump = nf_tables_dumpreset_obj, 8632 .done = nf_tables_dump_obj_done, 8633 .module = THIS_MODULE, 8634 .data = (void *)nla, 8635 }; 8636 8637 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 8638 } 8639 8640 if (!try_module_get(THIS_MODULE)) 8641 return -EINVAL; 8642 rcu_read_unlock(); 8643 mutex_lock(&nft_net->commit_mutex); 8644 skb2 = nf_tables_getobj_single(portid, info, nla, true); 8645 mutex_unlock(&nft_net->commit_mutex); 8646 rcu_read_lock(); 8647 module_put(THIS_MODULE); 8648 8649 if (IS_ERR(skb2)) 8650 return PTR_ERR(skb2); 8651 8652 buf = kasprintf(GFP_ATOMIC, "%.*s:%u", 8653 nla_len(nla[NFTA_OBJ_TABLE]), 8654 (char *)nla_data(nla[NFTA_OBJ_TABLE]), 8655 nft_base_seq(net)); 8656 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1, 8657 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC); 8658 kfree(buf); 8659 8660 return nfnetlink_unicast(skb2, net, portid); 8661 } 8662 8663 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 8664 { 8665 if (obj->ops->destroy) 8666 obj->ops->destroy(ctx, obj); 8667 8668 module_put(obj->ops->type->owner); 8669 kfree(obj->key.name); 8670 kfree(obj->udata); 8671 kfree(obj); 8672 } 8673 8674 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info, 8675 const struct nlattr * const nla[]) 8676 { 8677 struct netlink_ext_ack *extack = info->extack; 8678 u8 genmask = nft_genmask_next(info->net); 8679 u8 family = info->nfmsg->nfgen_family; 8680 struct net *net = info->net; 8681 const struct nlattr *attr; 8682 struct nft_table *table; 8683 struct nft_object *obj; 8684 struct nft_ctx ctx; 8685 u32 objtype; 8686 8687 if (!nla[NFTA_OBJ_TYPE] || 8688 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 8689 return -EINVAL; 8690 8691 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 8692 NETLINK_CB(skb).portid); 8693 if (IS_ERR(table)) { 8694 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 8695 return PTR_ERR(table); 8696 } 8697 8698 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 8699 if (nla[NFTA_OBJ_HANDLE]) { 8700 attr = nla[NFTA_OBJ_HANDLE]; 8701 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 8702 } else { 8703 attr = nla[NFTA_OBJ_NAME]; 8704 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 8705 } 8706 8707 if (IS_ERR(obj)) { 8708 if (PTR_ERR(obj) == -ENOENT && 8709 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ) 8710 return 0; 8711 8712 NL_SET_BAD_ATTR(extack, attr); 8713 return PTR_ERR(obj); 8714 } 8715 if (obj->use > 0) { 8716 NL_SET_BAD_ATTR(extack, attr); 8717 return -EBUSY; 8718 } 8719 8720 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8721 8722 return nft_delobj(&ctx, obj); 8723 } 8724 8725 static void 8726 __nft_obj_notify(struct net *net, const struct nft_table *table, 8727 struct nft_object *obj, u32 portid, u32 seq, int event, 8728 u16 flags, int family, int report, gfp_t gfp) 8729 { 8730 struct nftables_pernet *nft_net = nft_pernet(net); 8731 struct sk_buff *skb; 8732 int err; 8733 8734 if (!report && 8735 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 8736 return; 8737 8738 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 8739 if (skb == NULL) 8740 goto err; 8741 8742 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 8743 flags & (NLM_F_CREATE | NLM_F_EXCL), 8744 family, table, obj, false); 8745 if (err < 0) { 8746 kfree_skb(skb); 8747 goto err; 8748 } 8749 8750 nft_notify_enqueue(skb, report, &nft_net->notify_list); 8751 return; 8752 err: 8753 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 8754 } 8755 8756 void nft_obj_notify(struct net *net, const struct nft_table *table, 8757 struct nft_object *obj, u32 portid, u32 seq, int event, 8758 u16 flags, int family, int report, gfp_t gfp) 8759 { 8760 char *buf = kasprintf(gfp, "%s:%u", 8761 table->name, nft_base_seq(net)); 8762 8763 audit_log_nfcfg(buf, 8764 family, 8765 obj->handle, 8766 event == NFT_MSG_NEWOBJ ? 8767 AUDIT_NFT_OP_OBJ_REGISTER : 8768 AUDIT_NFT_OP_OBJ_UNREGISTER, 8769 gfp); 8770 kfree(buf); 8771 8772 __nft_obj_notify(net, table, obj, portid, seq, event, 8773 flags, family, report, gfp); 8774 } 8775 EXPORT_SYMBOL_GPL(nft_obj_notify); 8776 8777 static void nf_tables_obj_notify(const struct nft_ctx *ctx, 8778 struct nft_object *obj, int event) 8779 { 8780 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, 8781 ctx->seq, event, ctx->flags, ctx->family, 8782 ctx->report, GFP_KERNEL); 8783 } 8784 8785 /* 8786 * Flow tables 8787 */ 8788 void nft_register_flowtable_type(struct nf_flowtable_type *type) 8789 { 8790 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8791 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 8792 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8793 } 8794 EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 8795 8796 void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 8797 { 8798 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8799 list_del_rcu(&type->list); 8800 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8801 } 8802 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 8803 8804 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 8805 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 8806 .len = NFT_NAME_MAXLEN - 1 }, 8807 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 8808 .len = NFT_NAME_MAXLEN - 1 }, 8809 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 8810 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 8811 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 8812 }; 8813 8814 struct nft_flowtable *nft_flowtable_lookup(const struct net *net, 8815 const struct nft_table *table, 8816 const struct nlattr *nla, u8 genmask) 8817 { 8818 struct nft_flowtable *flowtable; 8819 8820 list_for_each_entry_rcu(flowtable, &table->flowtables, list, 8821 lockdep_commit_lock_is_held(net)) { 8822 if (!nla_strcmp(nla, flowtable->name) && 8823 nft_active_genmask(flowtable, genmask)) 8824 return flowtable; 8825 } 8826 return ERR_PTR(-ENOENT); 8827 } 8828 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 8829 8830 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 8831 struct nft_flowtable *flowtable, 8832 enum nft_trans_phase phase) 8833 { 8834 switch (phase) { 8835 case NFT_TRANS_PREPARE_ERROR: 8836 case NFT_TRANS_PREPARE: 8837 case NFT_TRANS_ABORT: 8838 case NFT_TRANS_RELEASE: 8839 nft_use_dec(&flowtable->use); 8840 fallthrough; 8841 default: 8842 return; 8843 } 8844 } 8845 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 8846 8847 static struct nft_flowtable * 8848 nft_flowtable_lookup_byhandle(const struct nft_table *table, 8849 const struct nlattr *nla, u8 genmask) 8850 { 8851 struct nft_flowtable *flowtable; 8852 8853 list_for_each_entry(flowtable, &table->flowtables, list) { 8854 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 8855 nft_active_genmask(flowtable, genmask)) 8856 return flowtable; 8857 } 8858 return ERR_PTR(-ENOENT); 8859 } 8860 8861 struct nft_flowtable_hook { 8862 u32 num; 8863 int priority; 8864 struct list_head list; 8865 }; 8866 8867 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 8868 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 8869 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 8870 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 8871 }; 8872 8873 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 8874 const struct nlattr * const nla[], 8875 struct nft_flowtable_hook *flowtable_hook, 8876 struct nft_flowtable *flowtable, 8877 struct netlink_ext_ack *extack, bool add) 8878 { 8879 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 8880 struct nf_hook_ops *ops; 8881 struct nft_hook *hook; 8882 int hooknum, priority; 8883 int err; 8884 8885 INIT_LIST_HEAD(&flowtable_hook->list); 8886 8887 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, 8888 nla[NFTA_FLOWTABLE_HOOK], 8889 nft_flowtable_hook_policy, NULL); 8890 if (err < 0) 8891 return err; 8892 8893 if (add) { 8894 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 8895 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 8896 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 8897 return -ENOENT; 8898 } 8899 8900 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 8901 if (hooknum != NF_NETDEV_INGRESS) 8902 return -EOPNOTSUPP; 8903 8904 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 8905 8906 flowtable_hook->priority = priority; 8907 flowtable_hook->num = hooknum; 8908 } else { 8909 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 8910 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 8911 if (hooknum != flowtable->hooknum) 8912 return -EOPNOTSUPP; 8913 } 8914 8915 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 8916 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 8917 if (priority != flowtable->data.priority) 8918 return -EOPNOTSUPP; 8919 } 8920 8921 flowtable_hook->priority = flowtable->data.priority; 8922 flowtable_hook->num = flowtable->hooknum; 8923 } 8924 8925 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 8926 err = nf_tables_parse_netdev_hooks(ctx->net, 8927 tb[NFTA_FLOWTABLE_HOOK_DEVS], 8928 &flowtable_hook->list, 8929 extack); 8930 if (err < 0) 8931 return err; 8932 } 8933 8934 list_for_each_entry(hook, &flowtable_hook->list, list) { 8935 list_for_each_entry(ops, &hook->ops_list, list) { 8936 ops->pf = NFPROTO_NETDEV; 8937 ops->hooknum = flowtable_hook->num; 8938 ops->priority = flowtable_hook->priority; 8939 ops->priv = &flowtable->data; 8940 ops->hook = flowtable->data.type->hook; 8941 ops->hook_ops_type = NF_HOOK_OP_NFT_FT; 8942 } 8943 } 8944 8945 return err; 8946 } 8947 8948 /* call under rcu_read_lock */ 8949 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 8950 { 8951 const struct nf_flowtable_type *type; 8952 8953 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) { 8954 if (family == type->family) 8955 return type; 8956 } 8957 return NULL; 8958 } 8959 8960 static const struct nf_flowtable_type * 8961 nft_flowtable_type_get(struct net *net, u8 family) 8962 { 8963 const struct nf_flowtable_type *type; 8964 8965 rcu_read_lock(); 8966 type = __nft_flowtable_type_get(family); 8967 if (type != NULL && try_module_get(type->owner)) { 8968 rcu_read_unlock(); 8969 return type; 8970 } 8971 rcu_read_unlock(); 8972 8973 lockdep_nfnl_nft_mutex_not_held(); 8974 #ifdef CONFIG_MODULES 8975 if (type == NULL) { 8976 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 8977 return ERR_PTR(-EAGAIN); 8978 } 8979 #endif 8980 return ERR_PTR(-ENOENT); 8981 } 8982 8983 /* Only called from error and netdev event paths. */ 8984 static void nft_unregister_flowtable_ops(struct net *net, 8985 struct nft_flowtable *flowtable, 8986 struct nf_hook_ops *ops) 8987 { 8988 nf_unregister_net_hook(net, ops); 8989 flowtable->data.type->setup(&flowtable->data, ops->dev, 8990 FLOW_BLOCK_UNBIND); 8991 } 8992 8993 static void __nft_unregister_flowtable_net_hooks(struct net *net, 8994 struct nft_flowtable *flowtable, 8995 struct list_head *hook_list, 8996 bool release_netdev) 8997 { 8998 struct nft_hook *hook, *next; 8999 struct nf_hook_ops *ops; 9000 9001 list_for_each_entry_safe(hook, next, hook_list, list) { 9002 list_for_each_entry(ops, &hook->ops_list, list) 9003 nft_unregister_flowtable_ops(net, flowtable, ops); 9004 if (release_netdev) { 9005 list_del(&hook->list); 9006 nft_netdev_hook_free_rcu(hook); 9007 } 9008 } 9009 } 9010 9011 static void nft_unregister_flowtable_net_hooks(struct net *net, 9012 struct nft_flowtable *flowtable, 9013 struct list_head *hook_list) 9014 { 9015 __nft_unregister_flowtable_net_hooks(net, flowtable, hook_list, false); 9016 } 9017 9018 static int nft_register_flowtable_ops(struct net *net, 9019 struct nft_flowtable *flowtable, 9020 struct nf_hook_ops *ops) 9021 { 9022 int err; 9023 9024 err = flowtable->data.type->setup(&flowtable->data, 9025 ops->dev, FLOW_BLOCK_BIND); 9026 if (err < 0) 9027 return err; 9028 9029 err = nf_register_net_hook(net, ops); 9030 if (!err) 9031 return 0; 9032 9033 flowtable->data.type->setup(&flowtable->data, 9034 ops->dev, FLOW_BLOCK_UNBIND); 9035 return err; 9036 } 9037 9038 static int nft_register_flowtable_net_hooks(struct net *net, 9039 struct nft_table *table, 9040 struct list_head *hook_list, 9041 struct nft_flowtable *flowtable) 9042 { 9043 struct nft_hook *hook, *next; 9044 struct nft_flowtable *ft; 9045 struct nf_hook_ops *ops; 9046 int err, i = 0; 9047 9048 list_for_each_entry(hook, hook_list, list) { 9049 list_for_each_entry(ft, &table->flowtables, list) { 9050 if (!nft_is_active_next(net, ft)) 9051 continue; 9052 9053 if (nft_hook_list_find(&ft->hook_list, hook)) { 9054 err = -EEXIST; 9055 goto err_unregister_net_hooks; 9056 } 9057 } 9058 9059 list_for_each_entry(ops, &hook->ops_list, list) { 9060 err = nft_register_flowtable_ops(net, flowtable, ops); 9061 if (err < 0) 9062 goto err_unregister_net_hooks; 9063 9064 i++; 9065 } 9066 } 9067 9068 return 0; 9069 9070 err_unregister_net_hooks: 9071 list_for_each_entry_safe(hook, next, hook_list, list) { 9072 list_for_each_entry(ops, &hook->ops_list, list) { 9073 if (i-- <= 0) 9074 break; 9075 9076 nft_unregister_flowtable_ops(net, flowtable, ops); 9077 } 9078 list_del_rcu(&hook->list); 9079 nft_netdev_hook_free_rcu(hook); 9080 } 9081 9082 return err; 9083 } 9084 9085 static void nft_hooks_destroy(struct list_head *hook_list) 9086 { 9087 struct nft_hook *hook, *next; 9088 9089 list_for_each_entry_safe(hook, next, hook_list, list) { 9090 list_del_rcu(&hook->list); 9091 nft_netdev_hook_free_rcu(hook); 9092 } 9093 } 9094 9095 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 9096 struct nft_flowtable *flowtable, 9097 struct netlink_ext_ack *extack) 9098 { 9099 const struct nlattr * const *nla = ctx->nla; 9100 struct nft_flowtable_hook flowtable_hook; 9101 struct nftables_pernet *nft_net; 9102 struct nft_hook *hook, *next; 9103 struct nf_hook_ops *ops; 9104 struct nft_trans *trans; 9105 bool unregister = false; 9106 u32 flags; 9107 int err; 9108 9109 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable, 9110 extack, false); 9111 if (err < 0) 9112 return err; 9113 9114 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 9115 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 9116 list_del(&hook->list); 9117 nft_netdev_hook_free(hook); 9118 continue; 9119 } 9120 9121 nft_net = nft_pernet(ctx->net); 9122 list_for_each_entry(trans, &nft_net->commit_list, list) { 9123 if (trans->msg_type != NFT_MSG_NEWFLOWTABLE || 9124 trans->table != ctx->table || 9125 !nft_trans_flowtable_update(trans)) 9126 continue; 9127 9128 if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) { 9129 err = -EEXIST; 9130 goto err_flowtable_update_hook; 9131 } 9132 } 9133 } 9134 9135 if (nla[NFTA_FLOWTABLE_FLAGS]) { 9136 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 9137 if (flags & ~NFT_FLOWTABLE_MASK) { 9138 err = -EOPNOTSUPP; 9139 goto err_flowtable_update_hook; 9140 } 9141 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ 9142 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) { 9143 err = -EOPNOTSUPP; 9144 goto err_flowtable_update_hook; 9145 } 9146 } else { 9147 flags = flowtable->data.flags; 9148 } 9149 9150 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 9151 &flowtable_hook.list, flowtable); 9152 if (err < 0) 9153 goto err_flowtable_update_hook; 9154 9155 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 9156 sizeof(struct nft_trans_flowtable)); 9157 if (!trans) { 9158 unregister = true; 9159 err = -ENOMEM; 9160 goto err_flowtable_update_hook; 9161 } 9162 9163 nft_trans_flowtable_flags(trans) = flags; 9164 nft_trans_flowtable(trans) = flowtable; 9165 nft_trans_flowtable_update(trans) = true; 9166 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 9167 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 9168 9169 nft_trans_commit_list_add_tail(ctx->net, trans); 9170 9171 return 0; 9172 9173 err_flowtable_update_hook: 9174 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 9175 if (unregister) { 9176 list_for_each_entry(ops, &hook->ops_list, list) 9177 nft_unregister_flowtable_ops(ctx->net, 9178 flowtable, ops); 9179 } 9180 list_del_rcu(&hook->list); 9181 nft_netdev_hook_free_rcu(hook); 9182 } 9183 9184 return err; 9185 9186 } 9187 9188 static int nf_tables_newflowtable(struct sk_buff *skb, 9189 const struct nfnl_info *info, 9190 const struct nlattr * const nla[]) 9191 { 9192 struct netlink_ext_ack *extack = info->extack; 9193 struct nft_flowtable_hook flowtable_hook; 9194 u8 genmask = nft_genmask_next(info->net); 9195 u8 family = info->nfmsg->nfgen_family; 9196 const struct nf_flowtable_type *type; 9197 struct nft_flowtable *flowtable; 9198 struct net *net = info->net; 9199 struct nft_table *table; 9200 struct nft_trans *trans; 9201 struct nft_ctx ctx; 9202 int err; 9203 9204 if (!nla[NFTA_FLOWTABLE_TABLE] || 9205 !nla[NFTA_FLOWTABLE_NAME] || 9206 !nla[NFTA_FLOWTABLE_HOOK]) 9207 return -EINVAL; 9208 9209 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 9210 genmask, NETLINK_CB(skb).portid); 9211 if (IS_ERR(table)) { 9212 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 9213 return PTR_ERR(table); 9214 } 9215 9216 flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME], 9217 genmask); 9218 if (IS_ERR(flowtable)) { 9219 err = PTR_ERR(flowtable); 9220 if (err != -ENOENT) { 9221 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 9222 return err; 9223 } 9224 } else { 9225 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 9226 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 9227 return -EEXIST; 9228 } 9229 9230 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 9231 9232 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack); 9233 } 9234 9235 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 9236 9237 if (!nft_use_inc(&table->use)) 9238 return -EMFILE; 9239 9240 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT); 9241 if (!flowtable) { 9242 err = -ENOMEM; 9243 goto flowtable_alloc; 9244 } 9245 9246 flowtable->table = table; 9247 flowtable->handle = nf_tables_alloc_handle(table); 9248 INIT_LIST_HEAD(&flowtable->hook_list); 9249 9250 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT); 9251 if (!flowtable->name) { 9252 err = -ENOMEM; 9253 goto err1; 9254 } 9255 9256 type = nft_flowtable_type_get(net, family); 9257 if (IS_ERR(type)) { 9258 err = PTR_ERR(type); 9259 goto err2; 9260 } 9261 9262 if (nla[NFTA_FLOWTABLE_FLAGS]) { 9263 flowtable->data.flags = 9264 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 9265 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) { 9266 err = -EOPNOTSUPP; 9267 goto err3; 9268 } 9269 } 9270 9271 write_pnet(&flowtable->data.net, net); 9272 flowtable->data.type = type; 9273 err = type->init(&flowtable->data); 9274 if (err < 0) 9275 goto err3; 9276 9277 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable, 9278 extack, true); 9279 if (err < 0) 9280 goto err_flowtable_parse_hooks; 9281 9282 list_splice(&flowtable_hook.list, &flowtable->hook_list); 9283 flowtable->data.priority = flowtable_hook.priority; 9284 flowtable->hooknum = flowtable_hook.num; 9285 9286 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 9287 if (IS_ERR(trans)) { 9288 err = PTR_ERR(trans); 9289 goto err_flowtable_trans; 9290 } 9291 9292 /* This must be LAST to ensure no packets are walking over this flowtable. */ 9293 err = nft_register_flowtable_net_hooks(ctx.net, table, 9294 &flowtable->hook_list, 9295 flowtable); 9296 if (err < 0) 9297 goto err_flowtable_hooks; 9298 9299 list_add_tail_rcu(&flowtable->list, &table->flowtables); 9300 9301 return 0; 9302 9303 err_flowtable_hooks: 9304 nft_trans_destroy(trans); 9305 err_flowtable_trans: 9306 nft_hooks_destroy(&flowtable->hook_list); 9307 err_flowtable_parse_hooks: 9308 flowtable->data.type->free(&flowtable->data); 9309 err3: 9310 module_put(type->owner); 9311 err2: 9312 kfree(flowtable->name); 9313 err1: 9314 kfree(flowtable); 9315 flowtable_alloc: 9316 nft_use_dec_restore(&table->use); 9317 9318 return err; 9319 } 9320 9321 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook) 9322 { 9323 struct nft_hook *this, *next; 9324 9325 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { 9326 list_del(&this->list); 9327 nft_netdev_hook_free(this); 9328 } 9329 } 9330 9331 static int nft_delflowtable_hook(struct nft_ctx *ctx, 9332 struct nft_flowtable *flowtable, 9333 struct netlink_ext_ack *extack) 9334 { 9335 const struct nlattr * const *nla = ctx->nla; 9336 struct nft_flowtable_hook flowtable_hook; 9337 LIST_HEAD(flowtable_del_list); 9338 struct nft_hook *this, *hook; 9339 struct nft_trans *trans; 9340 int err; 9341 9342 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable, 9343 extack, false); 9344 if (err < 0) 9345 return err; 9346 9347 list_for_each_entry(this, &flowtable_hook.list, list) { 9348 hook = nft_hook_list_find(&flowtable->hook_list, this); 9349 if (!hook) { 9350 err = -ENOENT; 9351 goto err_flowtable_del_hook; 9352 } 9353 list_move(&hook->list, &flowtable_del_list); 9354 } 9355 9356 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 9357 sizeof(struct nft_trans_flowtable)); 9358 if (!trans) { 9359 err = -ENOMEM; 9360 goto err_flowtable_del_hook; 9361 } 9362 9363 nft_trans_flowtable(trans) = flowtable; 9364 nft_trans_flowtable_update(trans) = true; 9365 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 9366 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans)); 9367 nft_flowtable_hook_release(&flowtable_hook); 9368 9369 nft_trans_commit_list_add_tail(ctx->net, trans); 9370 9371 return 0; 9372 9373 err_flowtable_del_hook: 9374 list_splice(&flowtable_del_list, &flowtable->hook_list); 9375 nft_flowtable_hook_release(&flowtable_hook); 9376 9377 return err; 9378 } 9379 9380 static int nf_tables_delflowtable(struct sk_buff *skb, 9381 const struct nfnl_info *info, 9382 const struct nlattr * const nla[]) 9383 { 9384 struct netlink_ext_ack *extack = info->extack; 9385 u8 genmask = nft_genmask_next(info->net); 9386 u8 family = info->nfmsg->nfgen_family; 9387 struct nft_flowtable *flowtable; 9388 struct net *net = info->net; 9389 const struct nlattr *attr; 9390 struct nft_table *table; 9391 struct nft_ctx ctx; 9392 9393 if (!nla[NFTA_FLOWTABLE_TABLE] || 9394 (!nla[NFTA_FLOWTABLE_NAME] && 9395 !nla[NFTA_FLOWTABLE_HANDLE])) 9396 return -EINVAL; 9397 9398 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 9399 genmask, NETLINK_CB(skb).portid); 9400 if (IS_ERR(table)) { 9401 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 9402 return PTR_ERR(table); 9403 } 9404 9405 if (nla[NFTA_FLOWTABLE_HANDLE]) { 9406 attr = nla[NFTA_FLOWTABLE_HANDLE]; 9407 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 9408 } else { 9409 attr = nla[NFTA_FLOWTABLE_NAME]; 9410 flowtable = nft_flowtable_lookup(net, table, attr, genmask); 9411 } 9412 9413 if (IS_ERR(flowtable)) { 9414 if (PTR_ERR(flowtable) == -ENOENT && 9415 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE) 9416 return 0; 9417 9418 NL_SET_BAD_ATTR(extack, attr); 9419 return PTR_ERR(flowtable); 9420 } 9421 9422 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 9423 9424 if (nla[NFTA_FLOWTABLE_HOOK]) 9425 return nft_delflowtable_hook(&ctx, flowtable, extack); 9426 9427 if (flowtable->use > 0) { 9428 NL_SET_BAD_ATTR(extack, attr); 9429 return -EBUSY; 9430 } 9431 9432 return nft_delflowtable(&ctx, flowtable); 9433 } 9434 9435 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 9436 u32 portid, u32 seq, int event, 9437 u32 flags, int family, 9438 struct nft_flowtable *flowtable, 9439 struct list_head *hook_list) 9440 { 9441 struct nlattr *nest, *nest_devs; 9442 struct nft_hook *hook; 9443 struct nlmsghdr *nlh; 9444 9445 nlh = nfnl_msg_put(skb, portid, seq, 9446 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event), 9447 flags, family, NFNETLINK_V0, nft_base_seq_be16(net)); 9448 if (!nlh) 9449 goto nla_put_failure; 9450 9451 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 9452 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 9453 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 9454 NFTA_FLOWTABLE_PAD)) 9455 goto nla_put_failure; 9456 9457 if (!hook_list && 9458 (event == NFT_MSG_DELFLOWTABLE || 9459 event == NFT_MSG_DESTROYFLOWTABLE)) { 9460 nlmsg_end(skb, nlh); 9461 return 0; 9462 } 9463 9464 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 9465 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 9466 goto nla_put_failure; 9467 9468 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 9469 if (!nest) 9470 goto nla_put_failure; 9471 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 9472 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 9473 goto nla_put_failure; 9474 9475 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 9476 if (!nest_devs) 9477 goto nla_put_failure; 9478 9479 if (!hook_list) 9480 hook_list = &flowtable->hook_list; 9481 9482 list_for_each_entry_rcu(hook, hook_list, list, 9483 lockdep_commit_lock_is_held(net)) { 9484 if (nft_nla_put_hook_dev(skb, hook)) 9485 goto nla_put_failure; 9486 } 9487 nla_nest_end(skb, nest_devs); 9488 nla_nest_end(skb, nest); 9489 9490 nlmsg_end(skb, nlh); 9491 return 0; 9492 9493 nla_put_failure: 9494 nlmsg_trim(skb, nlh); 9495 return -1; 9496 } 9497 9498 struct nft_flowtable_filter { 9499 char *table; 9500 }; 9501 9502 static int nf_tables_dump_flowtable(struct sk_buff *skb, 9503 struct netlink_callback *cb) 9504 { 9505 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 9506 struct nft_flowtable_filter *filter = cb->data; 9507 unsigned int idx = 0, s_idx = cb->args[0]; 9508 struct net *net = sock_net(skb->sk); 9509 int family = nfmsg->nfgen_family; 9510 struct nft_flowtable *flowtable; 9511 struct nftables_pernet *nft_net; 9512 const struct nft_table *table; 9513 9514 rcu_read_lock(); 9515 nft_net = nft_pernet(net); 9516 cb->seq = nft_base_seq(net); 9517 9518 list_for_each_entry_rcu(table, &nft_net->tables, list) { 9519 if (family != NFPROTO_UNSPEC && family != table->family) 9520 continue; 9521 9522 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 9523 if (!nft_is_active(net, flowtable)) 9524 goto cont; 9525 if (idx < s_idx) 9526 goto cont; 9527 if (idx > s_idx) 9528 memset(&cb->args[1], 0, 9529 sizeof(cb->args) - sizeof(cb->args[0])); 9530 if (filter && filter->table && 9531 strcmp(filter->table, table->name)) 9532 goto cont; 9533 9534 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 9535 cb->nlh->nlmsg_seq, 9536 NFT_MSG_NEWFLOWTABLE, 9537 NLM_F_MULTI | NLM_F_APPEND, 9538 table->family, 9539 flowtable, NULL) < 0) 9540 goto done; 9541 9542 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 9543 cont: 9544 idx++; 9545 } 9546 } 9547 done: 9548 rcu_read_unlock(); 9549 9550 cb->args[0] = idx; 9551 return skb->len; 9552 } 9553 9554 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 9555 { 9556 const struct nlattr * const *nla = cb->data; 9557 struct nft_flowtable_filter *filter = NULL; 9558 9559 if (nla[NFTA_FLOWTABLE_TABLE]) { 9560 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 9561 if (!filter) 9562 return -ENOMEM; 9563 9564 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 9565 GFP_ATOMIC); 9566 if (!filter->table) { 9567 kfree(filter); 9568 return -ENOMEM; 9569 } 9570 } 9571 9572 cb->data = filter; 9573 return 0; 9574 } 9575 9576 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 9577 { 9578 struct nft_flowtable_filter *filter = cb->data; 9579 9580 if (!filter) 9581 return 0; 9582 9583 kfree(filter->table); 9584 kfree(filter); 9585 9586 return 0; 9587 } 9588 9589 /* called with rcu_read_lock held */ 9590 static int nf_tables_getflowtable(struct sk_buff *skb, 9591 const struct nfnl_info *info, 9592 const struct nlattr * const nla[]) 9593 { 9594 struct netlink_ext_ack *extack = info->extack; 9595 u8 genmask = nft_genmask_cur(info->net); 9596 u8 family = info->nfmsg->nfgen_family; 9597 struct nft_flowtable *flowtable; 9598 const struct nft_table *table; 9599 struct net *net = info->net; 9600 struct sk_buff *skb2; 9601 int err; 9602 9603 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 9604 struct netlink_dump_control c = { 9605 .start = nf_tables_dump_flowtable_start, 9606 .dump = nf_tables_dump_flowtable, 9607 .done = nf_tables_dump_flowtable_done, 9608 .module = THIS_MODULE, 9609 .data = (void *)nla, 9610 }; 9611 9612 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 9613 } 9614 9615 if (!nla[NFTA_FLOWTABLE_NAME]) 9616 return -EINVAL; 9617 9618 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 9619 genmask, 0); 9620 if (IS_ERR(table)) { 9621 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 9622 return PTR_ERR(table); 9623 } 9624 9625 flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME], 9626 genmask); 9627 if (IS_ERR(flowtable)) { 9628 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 9629 return PTR_ERR(flowtable); 9630 } 9631 9632 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 9633 if (!skb2) 9634 return -ENOMEM; 9635 9636 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 9637 info->nlh->nlmsg_seq, 9638 NFT_MSG_NEWFLOWTABLE, 0, family, 9639 flowtable, NULL); 9640 if (err < 0) 9641 goto err_fill_flowtable_info; 9642 9643 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 9644 9645 err_fill_flowtable_info: 9646 kfree_skb(skb2); 9647 return err; 9648 } 9649 9650 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 9651 struct nft_flowtable *flowtable, 9652 struct list_head *hook_list, int event) 9653 { 9654 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 9655 struct sk_buff *skb; 9656 u16 flags = 0; 9657 int err; 9658 9659 if (!ctx->report && 9660 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 9661 return; 9662 9663 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 9664 if (skb == NULL) 9665 goto err; 9666 9667 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 9668 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 9669 9670 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 9671 ctx->seq, event, flags, 9672 ctx->family, flowtable, hook_list); 9673 if (err < 0) { 9674 kfree_skb(skb); 9675 goto err; 9676 } 9677 9678 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 9679 return; 9680 err: 9681 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 9682 } 9683 9684 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 9685 { 9686 struct nft_hook *hook, *next; 9687 9688 flowtable->data.type->free(&flowtable->data); 9689 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 9690 list_del_rcu(&hook->list); 9691 nft_netdev_hook_free_rcu(hook); 9692 } 9693 kfree(flowtable->name); 9694 module_put(flowtable->data.type->owner); 9695 kfree(flowtable); 9696 } 9697 9698 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 9699 u32 portid, u32 seq) 9700 { 9701 struct nlmsghdr *nlh; 9702 char buf[TASK_COMM_LEN]; 9703 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 9704 9705 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, 9706 NFNETLINK_V0, nft_base_seq_be16(net)); 9707 if (!nlh) 9708 goto nla_put_failure; 9709 9710 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_base_seq(net))) || 9711 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 9712 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 9713 goto nla_put_failure; 9714 9715 nlmsg_end(skb, nlh); 9716 return 0; 9717 9718 nla_put_failure: 9719 nlmsg_trim(skb, nlh); 9720 return -EMSGSIZE; 9721 } 9722 9723 struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook, 9724 const struct net_device *dev) 9725 { 9726 struct nf_hook_ops *ops; 9727 9728 list_for_each_entry(ops, &hook->ops_list, list) { 9729 if (ops->dev == dev) 9730 return ops; 9731 } 9732 return NULL; 9733 } 9734 EXPORT_SYMBOL_GPL(nft_hook_find_ops); 9735 9736 struct nf_hook_ops *nft_hook_find_ops_rcu(const struct nft_hook *hook, 9737 const struct net_device *dev) 9738 { 9739 struct nf_hook_ops *ops; 9740 9741 list_for_each_entry_rcu(ops, &hook->ops_list, list) { 9742 if (ops->dev == dev) 9743 return ops; 9744 } 9745 return NULL; 9746 } 9747 EXPORT_SYMBOL_GPL(nft_hook_find_ops_rcu); 9748 9749 static int nft_flowtable_event(unsigned long event, struct net_device *dev, 9750 struct nft_flowtable *flowtable, bool changename) 9751 { 9752 struct nf_hook_ops *ops; 9753 struct nft_hook *hook; 9754 bool match; 9755 9756 list_for_each_entry(hook, &flowtable->hook_list, list) { 9757 ops = nft_hook_find_ops(hook, dev); 9758 match = !strncmp(hook->ifname, dev->name, hook->ifnamelen); 9759 9760 switch (event) { 9761 case NETDEV_UNREGISTER: 9762 /* NOP if not found or new name still matching */ 9763 if (!ops || (changename && match)) 9764 continue; 9765 9766 /* flow_offload_netdev_event() cleans up entries for us. */ 9767 nft_unregister_flowtable_ops(dev_net(dev), 9768 flowtable, ops); 9769 list_del_rcu(&ops->list); 9770 kfree_rcu(ops, rcu); 9771 break; 9772 case NETDEV_REGISTER: 9773 /* NOP if not matching or already registered */ 9774 if (!match || (changename && ops)) 9775 continue; 9776 9777 ops = kzalloc(sizeof(struct nf_hook_ops), 9778 GFP_KERNEL_ACCOUNT); 9779 if (!ops) 9780 return 1; 9781 9782 ops->pf = NFPROTO_NETDEV; 9783 ops->hooknum = flowtable->hooknum; 9784 ops->priority = flowtable->data.priority; 9785 ops->priv = &flowtable->data; 9786 ops->hook = flowtable->data.type->hook; 9787 ops->hook_ops_type = NF_HOOK_OP_NFT_FT; 9788 ops->dev = dev; 9789 if (nft_register_flowtable_ops(dev_net(dev), 9790 flowtable, ops)) { 9791 kfree(ops); 9792 return 1; 9793 } 9794 list_add_tail_rcu(&ops->list, &hook->ops_list); 9795 break; 9796 } 9797 break; 9798 } 9799 return 0; 9800 } 9801 9802 static int __nf_tables_flowtable_event(unsigned long event, 9803 struct net_device *dev, 9804 bool changename) 9805 { 9806 struct nftables_pernet *nft_net = nft_pernet(dev_net(dev)); 9807 struct nft_flowtable *flowtable; 9808 struct nft_table *table; 9809 9810 list_for_each_entry(table, &nft_net->tables, list) { 9811 list_for_each_entry(flowtable, &table->flowtables, list) { 9812 if (nft_flowtable_event(event, dev, 9813 flowtable, changename)) 9814 return 1; 9815 } 9816 } 9817 return 0; 9818 } 9819 9820 static int nf_tables_flowtable_event(struct notifier_block *this, 9821 unsigned long event, void *ptr) 9822 { 9823 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 9824 struct nftables_pernet *nft_net; 9825 int ret = NOTIFY_DONE; 9826 struct net *net; 9827 9828 if (event != NETDEV_REGISTER && 9829 event != NETDEV_UNREGISTER && 9830 event != NETDEV_CHANGENAME) 9831 return NOTIFY_DONE; 9832 9833 net = dev_net(dev); 9834 nft_net = nft_pernet(net); 9835 mutex_lock(&nft_net->commit_mutex); 9836 9837 if (event == NETDEV_CHANGENAME) { 9838 if (__nf_tables_flowtable_event(NETDEV_REGISTER, dev, true)) { 9839 ret = NOTIFY_BAD; 9840 goto out_unlock; 9841 } 9842 __nf_tables_flowtable_event(NETDEV_UNREGISTER, dev, true); 9843 } else if (__nf_tables_flowtable_event(event, dev, false)) { 9844 ret = NOTIFY_BAD; 9845 } 9846 out_unlock: 9847 mutex_unlock(&nft_net->commit_mutex); 9848 return ret; 9849 } 9850 9851 static struct notifier_block nf_tables_flowtable_notifier = { 9852 .notifier_call = nf_tables_flowtable_event, 9853 }; 9854 9855 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 9856 int event) 9857 { 9858 struct nlmsghdr *nlh = nlmsg_hdr(skb); 9859 struct sk_buff *skb2; 9860 int err; 9861 9862 if (!nlmsg_report(nlh) && 9863 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 9864 return; 9865 9866 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 9867 if (skb2 == NULL) 9868 goto err; 9869 9870 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 9871 nlh->nlmsg_seq); 9872 if (err < 0) { 9873 kfree_skb(skb2); 9874 goto err; 9875 } 9876 9877 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 9878 nlmsg_report(nlh), GFP_KERNEL); 9879 return; 9880 err: 9881 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 9882 -ENOBUFS); 9883 } 9884 9885 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info, 9886 const struct nlattr * const nla[]) 9887 { 9888 struct sk_buff *skb2; 9889 int err; 9890 9891 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 9892 if (skb2 == NULL) 9893 return -ENOMEM; 9894 9895 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid, 9896 info->nlh->nlmsg_seq); 9897 if (err < 0) 9898 goto err_fill_gen_info; 9899 9900 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 9901 9902 err_fill_gen_info: 9903 kfree_skb(skb2); 9904 return err; 9905 } 9906 9907 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 9908 [NFT_MSG_NEWTABLE] = { 9909 .call = nf_tables_newtable, 9910 .type = NFNL_CB_BATCH, 9911 .attr_count = NFTA_TABLE_MAX, 9912 .policy = nft_table_policy, 9913 }, 9914 [NFT_MSG_GETTABLE] = { 9915 .call = nf_tables_gettable, 9916 .type = NFNL_CB_RCU, 9917 .attr_count = NFTA_TABLE_MAX, 9918 .policy = nft_table_policy, 9919 }, 9920 [NFT_MSG_DELTABLE] = { 9921 .call = nf_tables_deltable, 9922 .type = NFNL_CB_BATCH, 9923 .attr_count = NFTA_TABLE_MAX, 9924 .policy = nft_table_policy, 9925 }, 9926 [NFT_MSG_DESTROYTABLE] = { 9927 .call = nf_tables_deltable, 9928 .type = NFNL_CB_BATCH, 9929 .attr_count = NFTA_TABLE_MAX, 9930 .policy = nft_table_policy, 9931 }, 9932 [NFT_MSG_NEWCHAIN] = { 9933 .call = nf_tables_newchain, 9934 .type = NFNL_CB_BATCH, 9935 .attr_count = NFTA_CHAIN_MAX, 9936 .policy = nft_chain_policy, 9937 }, 9938 [NFT_MSG_GETCHAIN] = { 9939 .call = nf_tables_getchain, 9940 .type = NFNL_CB_RCU, 9941 .attr_count = NFTA_CHAIN_MAX, 9942 .policy = nft_chain_policy, 9943 }, 9944 [NFT_MSG_DELCHAIN] = { 9945 .call = nf_tables_delchain, 9946 .type = NFNL_CB_BATCH, 9947 .attr_count = NFTA_CHAIN_MAX, 9948 .policy = nft_chain_policy, 9949 }, 9950 [NFT_MSG_DESTROYCHAIN] = { 9951 .call = nf_tables_delchain, 9952 .type = NFNL_CB_BATCH, 9953 .attr_count = NFTA_CHAIN_MAX, 9954 .policy = nft_chain_policy, 9955 }, 9956 [NFT_MSG_NEWRULE] = { 9957 .call = nf_tables_newrule, 9958 .type = NFNL_CB_BATCH, 9959 .attr_count = NFTA_RULE_MAX, 9960 .policy = nft_rule_policy, 9961 }, 9962 [NFT_MSG_GETRULE] = { 9963 .call = nf_tables_getrule, 9964 .type = NFNL_CB_RCU, 9965 .attr_count = NFTA_RULE_MAX, 9966 .policy = nft_rule_policy, 9967 }, 9968 [NFT_MSG_GETRULE_RESET] = { 9969 .call = nf_tables_getrule_reset, 9970 .type = NFNL_CB_RCU, 9971 .attr_count = NFTA_RULE_MAX, 9972 .policy = nft_rule_policy, 9973 }, 9974 [NFT_MSG_DELRULE] = { 9975 .call = nf_tables_delrule, 9976 .type = NFNL_CB_BATCH, 9977 .attr_count = NFTA_RULE_MAX, 9978 .policy = nft_rule_policy, 9979 }, 9980 [NFT_MSG_DESTROYRULE] = { 9981 .call = nf_tables_delrule, 9982 .type = NFNL_CB_BATCH, 9983 .attr_count = NFTA_RULE_MAX, 9984 .policy = nft_rule_policy, 9985 }, 9986 [NFT_MSG_NEWSET] = { 9987 .call = nf_tables_newset, 9988 .type = NFNL_CB_BATCH, 9989 .attr_count = NFTA_SET_MAX, 9990 .policy = nft_set_policy, 9991 }, 9992 [NFT_MSG_GETSET] = { 9993 .call = nf_tables_getset, 9994 .type = NFNL_CB_RCU, 9995 .attr_count = NFTA_SET_MAX, 9996 .policy = nft_set_policy, 9997 }, 9998 [NFT_MSG_DELSET] = { 9999 .call = nf_tables_delset, 10000 .type = NFNL_CB_BATCH, 10001 .attr_count = NFTA_SET_MAX, 10002 .policy = nft_set_policy, 10003 }, 10004 [NFT_MSG_DESTROYSET] = { 10005 .call = nf_tables_delset, 10006 .type = NFNL_CB_BATCH, 10007 .attr_count = NFTA_SET_MAX, 10008 .policy = nft_set_policy, 10009 }, 10010 [NFT_MSG_NEWSETELEM] = { 10011 .call = nf_tables_newsetelem, 10012 .type = NFNL_CB_BATCH, 10013 .attr_count = NFTA_SET_ELEM_LIST_MAX, 10014 .policy = nft_set_elem_list_policy, 10015 }, 10016 [NFT_MSG_GETSETELEM] = { 10017 .call = nf_tables_getsetelem, 10018 .type = NFNL_CB_RCU, 10019 .attr_count = NFTA_SET_ELEM_LIST_MAX, 10020 .policy = nft_set_elem_list_policy, 10021 }, 10022 [NFT_MSG_GETSETELEM_RESET] = { 10023 .call = nf_tables_getsetelem_reset, 10024 .type = NFNL_CB_RCU, 10025 .attr_count = NFTA_SET_ELEM_LIST_MAX, 10026 .policy = nft_set_elem_list_policy, 10027 }, 10028 [NFT_MSG_DELSETELEM] = { 10029 .call = nf_tables_delsetelem, 10030 .type = NFNL_CB_BATCH, 10031 .attr_count = NFTA_SET_ELEM_LIST_MAX, 10032 .policy = nft_set_elem_list_policy, 10033 }, 10034 [NFT_MSG_DESTROYSETELEM] = { 10035 .call = nf_tables_delsetelem, 10036 .type = NFNL_CB_BATCH, 10037 .attr_count = NFTA_SET_ELEM_LIST_MAX, 10038 .policy = nft_set_elem_list_policy, 10039 }, 10040 [NFT_MSG_GETGEN] = { 10041 .call = nf_tables_getgen, 10042 .type = NFNL_CB_RCU, 10043 }, 10044 [NFT_MSG_NEWOBJ] = { 10045 .call = nf_tables_newobj, 10046 .type = NFNL_CB_BATCH, 10047 .attr_count = NFTA_OBJ_MAX, 10048 .policy = nft_obj_policy, 10049 }, 10050 [NFT_MSG_GETOBJ] = { 10051 .call = nf_tables_getobj, 10052 .type = NFNL_CB_RCU, 10053 .attr_count = NFTA_OBJ_MAX, 10054 .policy = nft_obj_policy, 10055 }, 10056 [NFT_MSG_DELOBJ] = { 10057 .call = nf_tables_delobj, 10058 .type = NFNL_CB_BATCH, 10059 .attr_count = NFTA_OBJ_MAX, 10060 .policy = nft_obj_policy, 10061 }, 10062 [NFT_MSG_DESTROYOBJ] = { 10063 .call = nf_tables_delobj, 10064 .type = NFNL_CB_BATCH, 10065 .attr_count = NFTA_OBJ_MAX, 10066 .policy = nft_obj_policy, 10067 }, 10068 [NFT_MSG_GETOBJ_RESET] = { 10069 .call = nf_tables_getobj_reset, 10070 .type = NFNL_CB_RCU, 10071 .attr_count = NFTA_OBJ_MAX, 10072 .policy = nft_obj_policy, 10073 }, 10074 [NFT_MSG_NEWFLOWTABLE] = { 10075 .call = nf_tables_newflowtable, 10076 .type = NFNL_CB_BATCH, 10077 .attr_count = NFTA_FLOWTABLE_MAX, 10078 .policy = nft_flowtable_policy, 10079 }, 10080 [NFT_MSG_GETFLOWTABLE] = { 10081 .call = nf_tables_getflowtable, 10082 .type = NFNL_CB_RCU, 10083 .attr_count = NFTA_FLOWTABLE_MAX, 10084 .policy = nft_flowtable_policy, 10085 }, 10086 [NFT_MSG_DELFLOWTABLE] = { 10087 .call = nf_tables_delflowtable, 10088 .type = NFNL_CB_BATCH, 10089 .attr_count = NFTA_FLOWTABLE_MAX, 10090 .policy = nft_flowtable_policy, 10091 }, 10092 [NFT_MSG_DESTROYFLOWTABLE] = { 10093 .call = nf_tables_delflowtable, 10094 .type = NFNL_CB_BATCH, 10095 .attr_count = NFTA_FLOWTABLE_MAX, 10096 .policy = nft_flowtable_policy, 10097 }, 10098 }; 10099 10100 static int nf_tables_validate(struct net *net) 10101 { 10102 struct nftables_pernet *nft_net = nft_pernet(net); 10103 struct nft_table *table; 10104 10105 list_for_each_entry(table, &nft_net->tables, list) { 10106 switch (table->validate_state) { 10107 case NFT_VALIDATE_SKIP: 10108 continue; 10109 case NFT_VALIDATE_NEED: 10110 nft_validate_state_update(table, NFT_VALIDATE_DO); 10111 fallthrough; 10112 case NFT_VALIDATE_DO: 10113 if (nft_table_validate(net, table) < 0) 10114 return -EAGAIN; 10115 10116 nft_validate_state_update(table, NFT_VALIDATE_SKIP); 10117 break; 10118 } 10119 } 10120 10121 return 0; 10122 } 10123 10124 /* a drop policy has to be deferred until all rules have been activated, 10125 * otherwise a large ruleset that contains a drop-policy base chain will 10126 * cause all packets to get dropped until the full transaction has been 10127 * processed. 10128 * 10129 * We defer the drop policy until the transaction has been finalized. 10130 */ 10131 static void nft_chain_commit_drop_policy(struct nft_trans_chain *trans) 10132 { 10133 struct nft_base_chain *basechain; 10134 10135 if (trans->policy != NF_DROP) 10136 return; 10137 10138 if (!nft_is_base_chain(trans->chain)) 10139 return; 10140 10141 basechain = nft_base_chain(trans->chain); 10142 basechain->policy = NF_DROP; 10143 } 10144 10145 static void nft_chain_commit_update(struct nft_trans_chain *trans) 10146 { 10147 struct nft_table *table = trans->nft_trans_binding.nft_trans.table; 10148 struct nft_base_chain *basechain; 10149 10150 if (trans->name) { 10151 rhltable_remove(&table->chains_ht, 10152 &trans->chain->rhlhead, 10153 nft_chain_ht_params); 10154 swap(trans->chain->name, trans->name); 10155 rhltable_insert_key(&table->chains_ht, 10156 trans->chain->name, 10157 &trans->chain->rhlhead, 10158 nft_chain_ht_params); 10159 } 10160 10161 if (!nft_is_base_chain(trans->chain)) 10162 return; 10163 10164 nft_chain_stats_replace(trans); 10165 10166 basechain = nft_base_chain(trans->chain); 10167 10168 switch (trans->policy) { 10169 case NF_DROP: 10170 case NF_ACCEPT: 10171 basechain->policy = trans->policy; 10172 break; 10173 } 10174 } 10175 10176 static void nft_obj_commit_update(const struct nft_ctx *ctx, 10177 struct nft_trans *trans) 10178 { 10179 struct nft_object *newobj; 10180 struct nft_object *obj; 10181 10182 obj = nft_trans_obj(trans); 10183 newobj = nft_trans_obj_newobj(trans); 10184 10185 if (WARN_ON_ONCE(!obj->ops->update)) 10186 return; 10187 10188 obj->ops->update(obj, newobj); 10189 nft_obj_destroy(ctx, newobj); 10190 } 10191 10192 static void nft_commit_release(struct nft_trans *trans) 10193 { 10194 struct nft_ctx ctx = { 10195 .net = trans->net, 10196 }; 10197 10198 nft_ctx_update(&ctx, trans); 10199 10200 switch (trans->msg_type) { 10201 case NFT_MSG_DELTABLE: 10202 case NFT_MSG_DESTROYTABLE: 10203 nf_tables_table_destroy(trans->table); 10204 break; 10205 case NFT_MSG_NEWCHAIN: 10206 free_percpu(nft_trans_chain_stats(trans)); 10207 kfree(nft_trans_chain_name(trans)); 10208 break; 10209 case NFT_MSG_DELCHAIN: 10210 case NFT_MSG_DESTROYCHAIN: 10211 if (nft_trans_chain_update(trans)) 10212 nft_hooks_destroy(&nft_trans_chain_hooks(trans)); 10213 else 10214 nf_tables_chain_destroy(nft_trans_chain(trans)); 10215 break; 10216 case NFT_MSG_DELRULE: 10217 case NFT_MSG_DESTROYRULE: 10218 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans)); 10219 break; 10220 case NFT_MSG_DELSET: 10221 case NFT_MSG_DESTROYSET: 10222 nft_set_destroy(&ctx, nft_trans_set(trans)); 10223 break; 10224 case NFT_MSG_DELSETELEM: 10225 case NFT_MSG_DESTROYSETELEM: 10226 nft_trans_elems_destroy(&ctx, nft_trans_container_elem(trans)); 10227 break; 10228 case NFT_MSG_DELOBJ: 10229 case NFT_MSG_DESTROYOBJ: 10230 nft_obj_destroy(&ctx, nft_trans_obj(trans)); 10231 break; 10232 case NFT_MSG_DELFLOWTABLE: 10233 case NFT_MSG_DESTROYFLOWTABLE: 10234 if (nft_trans_flowtable_update(trans)) 10235 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 10236 else 10237 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 10238 break; 10239 } 10240 10241 if (trans->put_net) 10242 put_net(trans->net); 10243 10244 kfree(trans); 10245 } 10246 10247 static void nf_tables_trans_destroy_work(struct work_struct *w) 10248 { 10249 struct nftables_pernet *nft_net = container_of(w, struct nftables_pernet, destroy_work); 10250 struct nft_trans *trans, *next; 10251 LIST_HEAD(head); 10252 10253 spin_lock(&nf_tables_destroy_list_lock); 10254 list_splice_init(&nft_net->destroy_list, &head); 10255 spin_unlock(&nf_tables_destroy_list_lock); 10256 10257 if (list_empty(&head)) 10258 return; 10259 10260 synchronize_rcu(); 10261 10262 list_for_each_entry_safe(trans, next, &head, list) { 10263 nft_trans_list_del(trans); 10264 nft_commit_release(trans); 10265 } 10266 } 10267 10268 void nf_tables_trans_destroy_flush_work(struct net *net) 10269 { 10270 struct nftables_pernet *nft_net = nft_pernet(net); 10271 10272 flush_work(&nft_net->destroy_work); 10273 } 10274 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work); 10275 10276 static bool nft_expr_reduce(struct nft_regs_track *track, 10277 const struct nft_expr *expr) 10278 { 10279 return false; 10280 } 10281 10282 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 10283 { 10284 const struct nft_expr *expr, *last; 10285 struct nft_regs_track track = {}; 10286 unsigned int size, data_size; 10287 void *data, *data_boundary; 10288 struct nft_rule_dp *prule; 10289 struct nft_rule *rule; 10290 10291 /* already handled or inactive chain? */ 10292 if (chain->blob_next || !nft_is_active_next(net, chain)) 10293 return 0; 10294 10295 data_size = 0; 10296 list_for_each_entry(rule, &chain->rules, list) { 10297 if (nft_is_active_next(net, rule)) { 10298 data_size += sizeof(*prule) + rule->dlen; 10299 if (data_size > INT_MAX) 10300 return -ENOMEM; 10301 } 10302 } 10303 10304 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size); 10305 if (!chain->blob_next) 10306 return -ENOMEM; 10307 10308 data = (void *)chain->blob_next->data; 10309 data_boundary = data + data_size; 10310 size = 0; 10311 10312 list_for_each_entry(rule, &chain->rules, list) { 10313 if (!nft_is_active_next(net, rule)) 10314 continue; 10315 10316 prule = (struct nft_rule_dp *)data; 10317 data += offsetof(struct nft_rule_dp, data); 10318 if (WARN_ON_ONCE(data > data_boundary)) 10319 return -ENOMEM; 10320 10321 size = 0; 10322 track.last = nft_expr_last(rule); 10323 nft_rule_for_each_expr(expr, last, rule) { 10324 track.cur = expr; 10325 10326 if (nft_expr_reduce(&track, expr)) { 10327 expr = track.cur; 10328 continue; 10329 } 10330 10331 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary)) 10332 return -ENOMEM; 10333 10334 memcpy(data + size, expr, expr->ops->size); 10335 size += expr->ops->size; 10336 } 10337 if (WARN_ON_ONCE(size >= 1 << 12)) 10338 return -ENOMEM; 10339 10340 prule->handle = rule->handle; 10341 prule->dlen = size; 10342 prule->is_last = 0; 10343 10344 data += size; 10345 size = 0; 10346 chain->blob_next->size += (unsigned long)(data - (void *)prule); 10347 } 10348 10349 if (WARN_ON_ONCE(data > data_boundary)) 10350 return -ENOMEM; 10351 10352 prule = (struct nft_rule_dp *)data; 10353 nft_last_rule(chain, prule); 10354 10355 return 0; 10356 } 10357 10358 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 10359 { 10360 struct nftables_pernet *nft_net = nft_pernet(net); 10361 struct nft_trans *trans, *next; 10362 10363 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 10364 if (trans->msg_type == NFT_MSG_NEWRULE || 10365 trans->msg_type == NFT_MSG_DELRULE) { 10366 struct nft_chain *chain = nft_trans_rule_chain(trans); 10367 10368 kvfree(chain->blob_next); 10369 chain->blob_next = NULL; 10370 } 10371 } 10372 } 10373 10374 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h) 10375 { 10376 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h); 10377 10378 kvfree(l->blob); 10379 } 10380 10381 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob) 10382 { 10383 struct nft_rule_dp_last *last; 10384 10385 /* last rule trailer is after end marker */ 10386 last = (void *)blob + sizeof(*blob) + blob->size; 10387 last->blob = blob; 10388 10389 call_rcu(&last->h, __nf_tables_commit_chain_free_rules); 10390 } 10391 10392 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 10393 { 10394 struct nft_rule_blob *g0, *g1; 10395 bool next_genbit; 10396 10397 next_genbit = nft_gencursor_next(net); 10398 10399 g0 = rcu_dereference_protected(chain->blob_gen_0, 10400 lockdep_commit_lock_is_held(net)); 10401 g1 = rcu_dereference_protected(chain->blob_gen_1, 10402 lockdep_commit_lock_is_held(net)); 10403 10404 /* No changes to this chain? */ 10405 if (chain->blob_next == NULL) { 10406 /* chain had no change in last or next generation */ 10407 if (g0 == g1) 10408 return; 10409 /* 10410 * chain had no change in this generation; make sure next 10411 * one uses same rules as current generation. 10412 */ 10413 if (next_genbit) { 10414 rcu_assign_pointer(chain->blob_gen_1, g0); 10415 nf_tables_commit_chain_free_rules_old(g1); 10416 } else { 10417 rcu_assign_pointer(chain->blob_gen_0, g1); 10418 nf_tables_commit_chain_free_rules_old(g0); 10419 } 10420 10421 return; 10422 } 10423 10424 if (next_genbit) 10425 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next); 10426 else 10427 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next); 10428 10429 chain->blob_next = NULL; 10430 10431 if (g0 == g1) 10432 return; 10433 10434 if (next_genbit) 10435 nf_tables_commit_chain_free_rules_old(g1); 10436 else 10437 nf_tables_commit_chain_free_rules_old(g0); 10438 } 10439 10440 static void nft_obj_del(struct nft_object *obj) 10441 { 10442 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 10443 list_del_rcu(&obj->list); 10444 } 10445 10446 void nft_chain_del(struct nft_chain *chain) 10447 { 10448 struct nft_table *table = chain->table; 10449 10450 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 10451 nft_chain_ht_params)); 10452 list_del_rcu(&chain->list); 10453 } 10454 10455 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx, 10456 struct nft_trans_gc *trans) 10457 { 10458 struct nft_elem_priv **priv = trans->priv; 10459 unsigned int i; 10460 10461 for (i = 0; i < trans->count; i++) { 10462 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]); 10463 nft_setelem_remove(ctx->net, trans->set, priv[i]); 10464 } 10465 } 10466 10467 void nft_trans_gc_destroy(struct nft_trans_gc *trans) 10468 { 10469 nft_set_put(trans->set); 10470 put_net(trans->net); 10471 kfree(trans); 10472 } 10473 10474 static void nft_trans_gc_trans_free(struct rcu_head *rcu) 10475 { 10476 struct nft_elem_priv *elem_priv; 10477 struct nft_trans_gc *trans; 10478 struct nft_ctx ctx = {}; 10479 unsigned int i; 10480 10481 trans = container_of(rcu, struct nft_trans_gc, rcu); 10482 ctx.net = read_pnet(&trans->set->net); 10483 10484 for (i = 0; i < trans->count; i++) { 10485 elem_priv = trans->priv[i]; 10486 if (!nft_setelem_is_catchall(trans->set, elem_priv)) 10487 atomic_dec(&trans->set->nelems); 10488 10489 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv); 10490 } 10491 10492 nft_trans_gc_destroy(trans); 10493 } 10494 10495 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans) 10496 { 10497 struct nftables_pernet *nft_net; 10498 struct nft_ctx ctx = {}; 10499 10500 nft_net = nft_pernet(trans->net); 10501 10502 mutex_lock(&nft_net->commit_mutex); 10503 10504 /* Check for race with transaction, otherwise this batch refers to 10505 * stale objects that might not be there anymore. Skip transaction if 10506 * set has been destroyed from control plane transaction in case gc 10507 * worker loses race. 10508 */ 10509 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) { 10510 mutex_unlock(&nft_net->commit_mutex); 10511 return false; 10512 } 10513 10514 ctx.net = trans->net; 10515 ctx.table = trans->set->table; 10516 10517 nft_trans_gc_setelem_remove(&ctx, trans); 10518 mutex_unlock(&nft_net->commit_mutex); 10519 10520 return true; 10521 } 10522 10523 static void nft_trans_gc_work(struct work_struct *work) 10524 { 10525 struct nft_trans_gc *trans, *next; 10526 LIST_HEAD(trans_gc_list); 10527 10528 spin_lock(&nf_tables_gc_list_lock); 10529 list_splice_init(&nf_tables_gc_list, &trans_gc_list); 10530 spin_unlock(&nf_tables_gc_list_lock); 10531 10532 list_for_each_entry_safe(trans, next, &trans_gc_list, list) { 10533 list_del(&trans->list); 10534 if (!nft_trans_gc_work_done(trans)) { 10535 nft_trans_gc_destroy(trans); 10536 continue; 10537 } 10538 call_rcu(&trans->rcu, nft_trans_gc_trans_free); 10539 } 10540 } 10541 10542 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set, 10543 unsigned int gc_seq, gfp_t gfp) 10544 { 10545 struct net *net = read_pnet(&set->net); 10546 struct nft_trans_gc *trans; 10547 10548 trans = kzalloc(sizeof(*trans), gfp); 10549 if (!trans) 10550 return NULL; 10551 10552 trans->net = maybe_get_net(net); 10553 if (!trans->net) { 10554 kfree(trans); 10555 return NULL; 10556 } 10557 10558 refcount_inc(&set->refs); 10559 trans->set = set; 10560 trans->seq = gc_seq; 10561 10562 return trans; 10563 } 10564 10565 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv) 10566 { 10567 trans->priv[trans->count++] = priv; 10568 } 10569 10570 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans) 10571 { 10572 spin_lock(&nf_tables_gc_list_lock); 10573 list_add_tail(&trans->list, &nf_tables_gc_list); 10574 spin_unlock(&nf_tables_gc_list_lock); 10575 10576 schedule_work(&trans_gc_work); 10577 } 10578 10579 static int nft_trans_gc_space(struct nft_trans_gc *trans) 10580 { 10581 return NFT_TRANS_GC_BATCHCOUNT - trans->count; 10582 } 10583 10584 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc, 10585 unsigned int gc_seq, gfp_t gfp) 10586 { 10587 struct nft_set *set; 10588 10589 if (nft_trans_gc_space(gc)) 10590 return gc; 10591 10592 set = gc->set; 10593 nft_trans_gc_queue_work(gc); 10594 10595 return nft_trans_gc_alloc(set, gc_seq, gfp); 10596 } 10597 10598 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans) 10599 { 10600 if (trans->count == 0) { 10601 nft_trans_gc_destroy(trans); 10602 return; 10603 } 10604 10605 nft_trans_gc_queue_work(trans); 10606 } 10607 10608 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp) 10609 { 10610 struct nft_set *set; 10611 10612 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net))) 10613 return NULL; 10614 10615 if (nft_trans_gc_space(gc)) 10616 return gc; 10617 10618 set = gc->set; 10619 call_rcu(&gc->rcu, nft_trans_gc_trans_free); 10620 10621 return nft_trans_gc_alloc(set, 0, gfp); 10622 } 10623 10624 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans) 10625 { 10626 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net)); 10627 10628 if (trans->count == 0) { 10629 nft_trans_gc_destroy(trans); 10630 return; 10631 } 10632 10633 call_rcu(&trans->rcu, nft_trans_gc_trans_free); 10634 } 10635 10636 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc, 10637 unsigned int gc_seq) 10638 { 10639 struct nft_set_elem_catchall *catchall; 10640 const struct nft_set *set = gc->set; 10641 struct nft_set_ext *ext; 10642 10643 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 10644 ext = nft_set_elem_ext(set, catchall->elem); 10645 10646 if (!nft_set_elem_expired(ext)) 10647 continue; 10648 if (nft_set_elem_is_dead(ext)) 10649 goto dead_elem; 10650 10651 nft_set_elem_dead(ext); 10652 dead_elem: 10653 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC); 10654 if (!gc) 10655 return NULL; 10656 10657 nft_trans_gc_elem_add(gc, catchall->elem); 10658 } 10659 10660 return gc; 10661 } 10662 10663 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc) 10664 { 10665 struct nft_set_elem_catchall *catchall, *next; 10666 u64 tstamp = nft_net_tstamp(gc->net); 10667 const struct nft_set *set = gc->set; 10668 struct nft_elem_priv *elem_priv; 10669 struct nft_set_ext *ext; 10670 10671 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)); 10672 10673 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 10674 ext = nft_set_elem_ext(set, catchall->elem); 10675 10676 if (!__nft_set_elem_expired(ext, tstamp)) 10677 continue; 10678 10679 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL); 10680 if (!gc) 10681 return NULL; 10682 10683 elem_priv = catchall->elem; 10684 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv); 10685 nft_setelem_catchall_destroy(catchall); 10686 nft_trans_gc_elem_add(gc, elem_priv); 10687 } 10688 10689 return gc; 10690 } 10691 10692 static void nf_tables_module_autoload_cleanup(struct net *net) 10693 { 10694 struct nftables_pernet *nft_net = nft_pernet(net); 10695 struct nft_module_request *req, *next; 10696 10697 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 10698 list_for_each_entry_safe(req, next, &nft_net->module_list, list) { 10699 WARN_ON_ONCE(!req->done); 10700 list_del(&req->list); 10701 kfree(req); 10702 } 10703 } 10704 10705 static void nf_tables_commit_release(struct net *net) 10706 { 10707 struct nftables_pernet *nft_net = nft_pernet(net); 10708 struct nft_trans *trans; 10709 10710 /* all side effects have to be made visible. 10711 * For example, if a chain named 'foo' has been deleted, a 10712 * new transaction must not find it anymore. 10713 * 10714 * Memory reclaim happens asynchronously from work queue 10715 * to prevent expensive synchronize_rcu() in commit phase. 10716 */ 10717 if (list_empty(&nft_net->commit_list)) { 10718 nf_tables_module_autoload_cleanup(net); 10719 mutex_unlock(&nft_net->commit_mutex); 10720 return; 10721 } 10722 10723 trans = list_last_entry(&nft_net->commit_list, 10724 struct nft_trans, list); 10725 get_net(trans->net); 10726 WARN_ON_ONCE(trans->put_net); 10727 10728 trans->put_net = true; 10729 spin_lock(&nf_tables_destroy_list_lock); 10730 list_splice_tail_init(&nft_net->commit_list, &nft_net->destroy_list); 10731 spin_unlock(&nf_tables_destroy_list_lock); 10732 10733 nf_tables_module_autoload_cleanup(net); 10734 schedule_work(&nft_net->destroy_work); 10735 10736 mutex_unlock(&nft_net->commit_mutex); 10737 } 10738 10739 static void nft_commit_notify(struct net *net, u32 portid) 10740 { 10741 struct nftables_pernet *nft_net = nft_pernet(net); 10742 struct sk_buff *batch_skb = NULL, *nskb, *skb; 10743 unsigned char *data; 10744 int len; 10745 10746 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) { 10747 if (!batch_skb) { 10748 new_batch: 10749 batch_skb = skb; 10750 len = NLMSG_GOODSIZE - skb->len; 10751 list_del(&skb->list); 10752 continue; 10753 } 10754 len -= skb->len; 10755 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) { 10756 data = skb_put(batch_skb, skb->len); 10757 memcpy(data, skb->data, skb->len); 10758 list_del(&skb->list); 10759 kfree_skb(skb); 10760 continue; 10761 } 10762 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 10763 NFT_CB(batch_skb).report, GFP_KERNEL); 10764 goto new_batch; 10765 } 10766 10767 if (batch_skb) { 10768 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 10769 NFT_CB(batch_skb).report, GFP_KERNEL); 10770 } 10771 10772 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 10773 } 10774 10775 static int nf_tables_commit_audit_alloc(struct list_head *adl, 10776 struct nft_table *table) 10777 { 10778 struct nft_audit_data *adp; 10779 10780 list_for_each_entry(adp, adl, list) { 10781 if (adp->table == table) 10782 return 0; 10783 } 10784 adp = kzalloc(sizeof(*adp), GFP_KERNEL); 10785 if (!adp) 10786 return -ENOMEM; 10787 adp->table = table; 10788 list_add(&adp->list, adl); 10789 return 0; 10790 } 10791 10792 static void nf_tables_commit_audit_free(struct list_head *adl) 10793 { 10794 struct nft_audit_data *adp, *adn; 10795 10796 list_for_each_entry_safe(adp, adn, adl, list) { 10797 list_del(&adp->list); 10798 kfree(adp); 10799 } 10800 } 10801 10802 /* nft audit emits the number of elements that get added/removed/updated, 10803 * so NEW/DELSETELEM needs to increment based on the total elem count. 10804 */ 10805 static unsigned int nf_tables_commit_audit_entrycount(const struct nft_trans *trans) 10806 { 10807 switch (trans->msg_type) { 10808 case NFT_MSG_NEWSETELEM: 10809 case NFT_MSG_DELSETELEM: 10810 return nft_trans_container_elem(trans)->nelems; 10811 } 10812 10813 return 1; 10814 } 10815 10816 static void nf_tables_commit_audit_collect(struct list_head *adl, 10817 const struct nft_trans *trans, u32 op) 10818 { 10819 const struct nft_table *table = trans->table; 10820 struct nft_audit_data *adp; 10821 10822 list_for_each_entry(adp, adl, list) { 10823 if (adp->table == table) 10824 goto found; 10825 } 10826 WARN_ONCE(1, "table=%s not expected in commit list", table->name); 10827 return; 10828 found: 10829 adp->entries += nf_tables_commit_audit_entrycount(trans); 10830 if (!adp->op || adp->op > op) 10831 adp->op = op; 10832 } 10833 10834 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) 10835 10836 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) 10837 { 10838 struct nft_audit_data *adp, *adn; 10839 char aubuf[AUNFTABLENAMELEN]; 10840 10841 list_for_each_entry_safe(adp, adn, adl, list) { 10842 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, 10843 generation); 10844 audit_log_nfcfg(aubuf, adp->table->family, adp->entries, 10845 nft2audit_op[adp->op], GFP_KERNEL); 10846 list_del(&adp->list); 10847 kfree(adp); 10848 } 10849 } 10850 10851 static void nft_set_commit_update(struct list_head *set_update_list) 10852 { 10853 struct nft_set *set, *next; 10854 10855 list_for_each_entry_safe(set, next, set_update_list, pending_update) { 10856 list_del_init(&set->pending_update); 10857 10858 if (!set->ops->commit || set->dead) 10859 continue; 10860 10861 set->ops->commit(set); 10862 } 10863 } 10864 10865 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net) 10866 { 10867 unsigned int gc_seq; 10868 10869 /* Bump gc counter, it becomes odd, this is the busy mark. */ 10870 gc_seq = READ_ONCE(nft_net->gc_seq); 10871 WRITE_ONCE(nft_net->gc_seq, ++gc_seq); 10872 10873 return gc_seq; 10874 } 10875 10876 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq) 10877 { 10878 WRITE_ONCE(nft_net->gc_seq, ++gc_seq); 10879 } 10880 10881 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 10882 { 10883 struct nftables_pernet *nft_net = nft_pernet(net); 10884 const struct nlmsghdr *nlh = nlmsg_hdr(skb); 10885 struct nft_trans_binding *trans_binding; 10886 struct nft_trans *trans, *next; 10887 unsigned int base_seq, gc_seq; 10888 LIST_HEAD(set_update_list); 10889 struct nft_trans_elem *te; 10890 struct nft_chain *chain; 10891 struct nft_table *table; 10892 struct nft_ctx ctx; 10893 LIST_HEAD(adl); 10894 int err; 10895 10896 if (list_empty(&nft_net->commit_list)) { 10897 mutex_unlock(&nft_net->commit_mutex); 10898 return 0; 10899 } 10900 10901 nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL); 10902 10903 list_for_each_entry(trans_binding, &nft_net->binding_list, binding_list) { 10904 trans = &trans_binding->nft_trans; 10905 switch (trans->msg_type) { 10906 case NFT_MSG_NEWSET: 10907 if (!nft_trans_set_update(trans) && 10908 nft_set_is_anonymous(nft_trans_set(trans)) && 10909 !nft_trans_set_bound(trans)) { 10910 pr_warn_once("nftables ruleset with unbound set\n"); 10911 return -EINVAL; 10912 } 10913 break; 10914 case NFT_MSG_NEWCHAIN: 10915 if (!nft_trans_chain_update(trans) && 10916 nft_chain_binding(nft_trans_chain(trans)) && 10917 !nft_trans_chain_bound(trans)) { 10918 pr_warn_once("nftables ruleset with unbound chain\n"); 10919 return -EINVAL; 10920 } 10921 break; 10922 default: 10923 WARN_ONCE(1, "Unhandled bind type %d", trans->msg_type); 10924 break; 10925 } 10926 } 10927 10928 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 10929 if (nf_tables_validate(net) < 0) { 10930 nft_net->validate_state = NFT_VALIDATE_DO; 10931 return -EAGAIN; 10932 } 10933 10934 err = nft_flow_rule_offload_commit(net); 10935 if (err < 0) 10936 return err; 10937 10938 /* 1. Allocate space for next generation rules_gen_X[] */ 10939 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 10940 struct nft_table *table = trans->table; 10941 int ret; 10942 10943 ret = nf_tables_commit_audit_alloc(&adl, table); 10944 if (ret) { 10945 nf_tables_commit_chain_prepare_cancel(net); 10946 nf_tables_commit_audit_free(&adl); 10947 return ret; 10948 } 10949 if (trans->msg_type == NFT_MSG_NEWRULE || 10950 trans->msg_type == NFT_MSG_DELRULE) { 10951 chain = nft_trans_rule_chain(trans); 10952 10953 ret = nf_tables_commit_chain_prepare(net, chain); 10954 if (ret < 0) { 10955 nf_tables_commit_chain_prepare_cancel(net); 10956 nf_tables_commit_audit_free(&adl); 10957 return ret; 10958 } 10959 } 10960 } 10961 10962 /* step 2. Make rules_gen_X visible to packet path */ 10963 list_for_each_entry(table, &nft_net->tables, list) { 10964 list_for_each_entry(chain, &table->chains, list) 10965 nf_tables_commit_chain(net, chain); 10966 } 10967 10968 /* 10969 * Bump generation counter, invalidate any dump in progress. 10970 * Cannot fail after this point. 10971 */ 10972 base_seq = nft_base_seq(net); 10973 while (++base_seq == 0) 10974 ; 10975 10976 /* pairs with smp_load_acquire in nft_lookup_eval */ 10977 smp_store_release(&net->nft.base_seq, base_seq); 10978 10979 gc_seq = nft_gc_seq_begin(nft_net); 10980 10981 /* step 3. Start new generation, rules_gen_X now in use. */ 10982 net->nft.gencursor = nft_gencursor_next(net); 10983 10984 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 10985 struct nft_table *table = trans->table; 10986 10987 nft_ctx_update(&ctx, trans); 10988 10989 nf_tables_commit_audit_collect(&adl, trans, trans->msg_type); 10990 switch (trans->msg_type) { 10991 case NFT_MSG_NEWTABLE: 10992 if (nft_trans_table_update(trans)) { 10993 if (!(table->flags & __NFT_TABLE_F_UPDATE)) { 10994 nft_trans_destroy(trans); 10995 break; 10996 } 10997 if (table->flags & NFT_TABLE_F_DORMANT) 10998 nf_tables_table_disable(net, table); 10999 11000 table->flags &= ~__NFT_TABLE_F_UPDATE; 11001 } else { 11002 nft_clear(net, table); 11003 } 11004 nf_tables_table_notify(&ctx, NFT_MSG_NEWTABLE); 11005 nft_trans_destroy(trans); 11006 break; 11007 case NFT_MSG_DELTABLE: 11008 case NFT_MSG_DESTROYTABLE: 11009 list_del_rcu(&table->list); 11010 nf_tables_table_notify(&ctx, trans->msg_type); 11011 break; 11012 case NFT_MSG_NEWCHAIN: 11013 if (nft_trans_chain_update(trans)) { 11014 nft_chain_commit_update(nft_trans_container_chain(trans)); 11015 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, 11016 &nft_trans_chain_hooks(trans)); 11017 list_splice(&nft_trans_chain_hooks(trans), 11018 &nft_trans_basechain(trans)->hook_list); 11019 /* trans destroyed after rcu grace period */ 11020 } else { 11021 nft_chain_commit_drop_policy(nft_trans_container_chain(trans)); 11022 nft_clear(net, nft_trans_chain(trans)); 11023 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL); 11024 nft_trans_destroy(trans); 11025 } 11026 break; 11027 case NFT_MSG_DELCHAIN: 11028 case NFT_MSG_DESTROYCHAIN: 11029 if (nft_trans_chain_update(trans)) { 11030 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN, 11031 &nft_trans_chain_hooks(trans)); 11032 if (!(table->flags & NFT_TABLE_F_DORMANT)) { 11033 nft_netdev_unregister_hooks(net, 11034 &nft_trans_chain_hooks(trans), 11035 true); 11036 } 11037 } else { 11038 nft_chain_del(nft_trans_chain(trans)); 11039 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN, 11040 NULL); 11041 nf_tables_unregister_hook(ctx.net, ctx.table, 11042 nft_trans_chain(trans)); 11043 } 11044 break; 11045 case NFT_MSG_NEWRULE: 11046 nft_clear(net, nft_trans_rule(trans)); 11047 nf_tables_rule_notify(&ctx, nft_trans_rule(trans), 11048 NFT_MSG_NEWRULE); 11049 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 11050 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 11051 11052 nft_trans_destroy(trans); 11053 break; 11054 case NFT_MSG_DELRULE: 11055 case NFT_MSG_DESTROYRULE: 11056 list_del_rcu(&nft_trans_rule(trans)->list); 11057 nf_tables_rule_notify(&ctx, nft_trans_rule(trans), 11058 trans->msg_type); 11059 nft_rule_expr_deactivate(&ctx, nft_trans_rule(trans), 11060 NFT_TRANS_COMMIT); 11061 11062 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 11063 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 11064 break; 11065 case NFT_MSG_NEWSET: 11066 list_del(&nft_trans_container_set(trans)->list_trans_newset); 11067 if (nft_trans_set_update(trans)) { 11068 struct nft_set *set = nft_trans_set(trans); 11069 11070 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans)); 11071 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans)); 11072 11073 if (nft_trans_set_size(trans)) 11074 WRITE_ONCE(set->size, nft_trans_set_size(trans)); 11075 } else { 11076 nft_clear(net, nft_trans_set(trans)); 11077 /* This avoids hitting -EBUSY when deleting the table 11078 * from the transaction. 11079 */ 11080 if (nft_set_is_anonymous(nft_trans_set(trans)) && 11081 !list_empty(&nft_trans_set(trans)->bindings)) 11082 nft_use_dec(&table->use); 11083 } 11084 nf_tables_set_notify(&ctx, nft_trans_set(trans), 11085 NFT_MSG_NEWSET, GFP_KERNEL); 11086 nft_trans_destroy(trans); 11087 break; 11088 case NFT_MSG_DELSET: 11089 case NFT_MSG_DESTROYSET: 11090 nft_trans_set(trans)->dead = 1; 11091 list_del_rcu(&nft_trans_set(trans)->list); 11092 nf_tables_set_notify(&ctx, nft_trans_set(trans), 11093 trans->msg_type, GFP_KERNEL); 11094 break; 11095 case NFT_MSG_NEWSETELEM: 11096 te = nft_trans_container_elem(trans); 11097 11098 nft_trans_elems_add(&ctx, te); 11099 11100 if (te->set->ops->commit && 11101 list_empty(&te->set->pending_update)) { 11102 list_add_tail(&te->set->pending_update, 11103 &set_update_list); 11104 } 11105 nft_trans_destroy(trans); 11106 break; 11107 case NFT_MSG_DELSETELEM: 11108 case NFT_MSG_DESTROYSETELEM: 11109 te = nft_trans_container_elem(trans); 11110 11111 nft_trans_elems_remove(&ctx, te); 11112 11113 if (te->set->ops->commit && 11114 list_empty(&te->set->pending_update)) { 11115 list_add_tail(&te->set->pending_update, 11116 &set_update_list); 11117 } 11118 break; 11119 case NFT_MSG_NEWOBJ: 11120 if (nft_trans_obj_update(trans)) { 11121 nft_obj_commit_update(&ctx, trans); 11122 nf_tables_obj_notify(&ctx, 11123 nft_trans_obj(trans), 11124 NFT_MSG_NEWOBJ); 11125 } else { 11126 nft_clear(net, nft_trans_obj(trans)); 11127 nf_tables_obj_notify(&ctx, 11128 nft_trans_obj(trans), 11129 NFT_MSG_NEWOBJ); 11130 nft_trans_destroy(trans); 11131 } 11132 break; 11133 case NFT_MSG_DELOBJ: 11134 case NFT_MSG_DESTROYOBJ: 11135 nft_obj_del(nft_trans_obj(trans)); 11136 nf_tables_obj_notify(&ctx, nft_trans_obj(trans), 11137 trans->msg_type); 11138 break; 11139 case NFT_MSG_NEWFLOWTABLE: 11140 if (nft_trans_flowtable_update(trans)) { 11141 nft_trans_flowtable(trans)->data.flags = 11142 nft_trans_flowtable_flags(trans); 11143 nf_tables_flowtable_notify(&ctx, 11144 nft_trans_flowtable(trans), 11145 &nft_trans_flowtable_hooks(trans), 11146 NFT_MSG_NEWFLOWTABLE); 11147 list_splice(&nft_trans_flowtable_hooks(trans), 11148 &nft_trans_flowtable(trans)->hook_list); 11149 } else { 11150 nft_clear(net, nft_trans_flowtable(trans)); 11151 nf_tables_flowtable_notify(&ctx, 11152 nft_trans_flowtable(trans), 11153 NULL, 11154 NFT_MSG_NEWFLOWTABLE); 11155 } 11156 nft_trans_destroy(trans); 11157 break; 11158 case NFT_MSG_DELFLOWTABLE: 11159 case NFT_MSG_DESTROYFLOWTABLE: 11160 if (nft_trans_flowtable_update(trans)) { 11161 nf_tables_flowtable_notify(&ctx, 11162 nft_trans_flowtable(trans), 11163 &nft_trans_flowtable_hooks(trans), 11164 trans->msg_type); 11165 nft_unregister_flowtable_net_hooks(net, 11166 nft_trans_flowtable(trans), 11167 &nft_trans_flowtable_hooks(trans)); 11168 } else { 11169 list_del_rcu(&nft_trans_flowtable(trans)->list); 11170 nf_tables_flowtable_notify(&ctx, 11171 nft_trans_flowtable(trans), 11172 NULL, 11173 trans->msg_type); 11174 nft_unregister_flowtable_net_hooks(net, 11175 nft_trans_flowtable(trans), 11176 &nft_trans_flowtable(trans)->hook_list); 11177 } 11178 break; 11179 } 11180 } 11181 11182 nft_set_commit_update(&set_update_list); 11183 11184 nft_commit_notify(net, NETLINK_CB(skb).portid); 11185 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 11186 nf_tables_commit_audit_log(&adl, nft_base_seq(net)); 11187 11188 nft_gc_seq_end(nft_net, gc_seq); 11189 nft_net->validate_state = NFT_VALIDATE_SKIP; 11190 nf_tables_commit_release(net); 11191 11192 return 0; 11193 } 11194 11195 static void nf_tables_module_autoload(struct net *net) 11196 { 11197 struct nftables_pernet *nft_net = nft_pernet(net); 11198 struct nft_module_request *req, *next; 11199 LIST_HEAD(module_list); 11200 11201 list_splice_init(&nft_net->module_list, &module_list); 11202 mutex_unlock(&nft_net->commit_mutex); 11203 list_for_each_entry_safe(req, next, &module_list, list) { 11204 request_module("%s", req->module); 11205 req->done = true; 11206 } 11207 mutex_lock(&nft_net->commit_mutex); 11208 list_splice(&module_list, &nft_net->module_list); 11209 } 11210 11211 static void nf_tables_abort_release(struct nft_trans *trans) 11212 { 11213 struct nft_ctx ctx = { }; 11214 11215 nft_ctx_update(&ctx, trans); 11216 11217 switch (trans->msg_type) { 11218 case NFT_MSG_NEWTABLE: 11219 nf_tables_table_destroy(trans->table); 11220 break; 11221 case NFT_MSG_NEWCHAIN: 11222 if (nft_trans_chain_update(trans)) 11223 nft_hooks_destroy(&nft_trans_chain_hooks(trans)); 11224 else 11225 nf_tables_chain_destroy(nft_trans_chain(trans)); 11226 break; 11227 case NFT_MSG_NEWRULE: 11228 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans)); 11229 break; 11230 case NFT_MSG_NEWSET: 11231 nft_set_destroy(&ctx, nft_trans_set(trans)); 11232 break; 11233 case NFT_MSG_NEWSETELEM: 11234 nft_trans_set_elem_destroy(&ctx, nft_trans_container_elem(trans)); 11235 break; 11236 case NFT_MSG_NEWOBJ: 11237 nft_obj_destroy(&ctx, nft_trans_obj(trans)); 11238 break; 11239 case NFT_MSG_NEWFLOWTABLE: 11240 if (nft_trans_flowtable_update(trans)) 11241 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 11242 else 11243 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 11244 break; 11245 } 11246 kfree(trans); 11247 } 11248 11249 static void nft_set_abort_update(struct list_head *set_update_list) 11250 { 11251 struct nft_set *set, *next; 11252 11253 list_for_each_entry_safe(set, next, set_update_list, pending_update) { 11254 list_del_init(&set->pending_update); 11255 11256 if (!set->ops->abort) 11257 continue; 11258 11259 set->ops->abort(set); 11260 } 11261 } 11262 11263 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) 11264 { 11265 struct nftables_pernet *nft_net = nft_pernet(net); 11266 struct nft_trans *trans, *next; 11267 LIST_HEAD(set_update_list); 11268 struct nft_trans_elem *te; 11269 struct nft_ctx ctx = { 11270 .net = net, 11271 }; 11272 int err = 0; 11273 11274 if (action == NFNL_ABORT_VALIDATE && 11275 nf_tables_validate(net) < 0) 11276 err = -EAGAIN; 11277 11278 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, 11279 list) { 11280 struct nft_table *table = trans->table; 11281 11282 nft_ctx_update(&ctx, trans); 11283 11284 switch (trans->msg_type) { 11285 case NFT_MSG_NEWTABLE: 11286 if (nft_trans_table_update(trans)) { 11287 if (!(table->flags & __NFT_TABLE_F_UPDATE)) { 11288 nft_trans_destroy(trans); 11289 break; 11290 } 11291 if (table->flags & __NFT_TABLE_F_WAS_DORMANT) { 11292 nf_tables_table_disable(net, table); 11293 table->flags |= NFT_TABLE_F_DORMANT; 11294 } else if (table->flags & __NFT_TABLE_F_WAS_AWAKEN) { 11295 table->flags &= ~NFT_TABLE_F_DORMANT; 11296 } 11297 if (table->flags & __NFT_TABLE_F_WAS_ORPHAN) { 11298 table->flags &= ~NFT_TABLE_F_OWNER; 11299 table->nlpid = 0; 11300 } 11301 table->flags &= ~__NFT_TABLE_F_UPDATE; 11302 nft_trans_destroy(trans); 11303 } else { 11304 list_del_rcu(&table->list); 11305 } 11306 break; 11307 case NFT_MSG_DELTABLE: 11308 case NFT_MSG_DESTROYTABLE: 11309 nft_clear(trans->net, table); 11310 nft_trans_destroy(trans); 11311 break; 11312 case NFT_MSG_NEWCHAIN: 11313 if (nft_trans_chain_update(trans)) { 11314 if (!(table->flags & NFT_TABLE_F_DORMANT)) { 11315 nft_netdev_unregister_hooks(net, 11316 &nft_trans_chain_hooks(trans), 11317 true); 11318 } 11319 free_percpu(nft_trans_chain_stats(trans)); 11320 kfree(nft_trans_chain_name(trans)); 11321 nft_trans_destroy(trans); 11322 } else { 11323 if (nft_trans_chain_bound(trans)) { 11324 nft_trans_destroy(trans); 11325 break; 11326 } 11327 nft_use_dec_restore(&table->use); 11328 nft_chain_del(nft_trans_chain(trans)); 11329 nf_tables_unregister_hook(trans->net, table, 11330 nft_trans_chain(trans)); 11331 } 11332 break; 11333 case NFT_MSG_DELCHAIN: 11334 case NFT_MSG_DESTROYCHAIN: 11335 if (nft_trans_chain_update(trans)) { 11336 list_splice(&nft_trans_chain_hooks(trans), 11337 &nft_trans_basechain(trans)->hook_list); 11338 } else { 11339 nft_use_inc_restore(&table->use); 11340 nft_clear(trans->net, nft_trans_chain(trans)); 11341 } 11342 nft_trans_destroy(trans); 11343 break; 11344 case NFT_MSG_NEWRULE: 11345 if (nft_trans_rule_bound(trans)) { 11346 nft_trans_destroy(trans); 11347 break; 11348 } 11349 nft_use_dec_restore(&nft_trans_rule_chain(trans)->use); 11350 list_del_rcu(&nft_trans_rule(trans)->list); 11351 nft_rule_expr_deactivate(&ctx, 11352 nft_trans_rule(trans), 11353 NFT_TRANS_ABORT); 11354 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 11355 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 11356 break; 11357 case NFT_MSG_DELRULE: 11358 case NFT_MSG_DESTROYRULE: 11359 nft_use_inc_restore(&nft_trans_rule_chain(trans)->use); 11360 nft_clear(trans->net, nft_trans_rule(trans)); 11361 nft_rule_expr_activate(&ctx, nft_trans_rule(trans)); 11362 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 11363 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 11364 11365 nft_trans_destroy(trans); 11366 break; 11367 case NFT_MSG_NEWSET: 11368 list_del(&nft_trans_container_set(trans)->list_trans_newset); 11369 if (nft_trans_set_update(trans)) { 11370 nft_trans_destroy(trans); 11371 break; 11372 } 11373 nft_use_dec_restore(&table->use); 11374 if (nft_trans_set_bound(trans)) { 11375 nft_trans_destroy(trans); 11376 break; 11377 } 11378 nft_trans_set(trans)->dead = 1; 11379 list_del_rcu(&nft_trans_set(trans)->list); 11380 break; 11381 case NFT_MSG_DELSET: 11382 case NFT_MSG_DESTROYSET: 11383 nft_use_inc_restore(&table->use); 11384 nft_clear(trans->net, nft_trans_set(trans)); 11385 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 11386 nft_map_activate(&ctx, nft_trans_set(trans)); 11387 11388 nft_trans_destroy(trans); 11389 break; 11390 case NFT_MSG_NEWSETELEM: 11391 if (nft_trans_elem_set_bound(trans)) { 11392 nft_trans_destroy(trans); 11393 break; 11394 } 11395 te = nft_trans_container_elem(trans); 11396 if (!nft_trans_elems_new_abort(&ctx, te)) { 11397 nft_trans_destroy(trans); 11398 break; 11399 } 11400 11401 if (te->set->ops->abort && 11402 list_empty(&te->set->pending_update)) { 11403 list_add_tail(&te->set->pending_update, 11404 &set_update_list); 11405 } 11406 break; 11407 case NFT_MSG_DELSETELEM: 11408 case NFT_MSG_DESTROYSETELEM: 11409 te = nft_trans_container_elem(trans); 11410 11411 nft_trans_elems_destroy_abort(&ctx, te); 11412 11413 if (te->set->ops->abort && 11414 list_empty(&te->set->pending_update)) { 11415 list_add_tail(&te->set->pending_update, 11416 &set_update_list); 11417 } 11418 nft_trans_destroy(trans); 11419 break; 11420 case NFT_MSG_NEWOBJ: 11421 if (nft_trans_obj_update(trans)) { 11422 nft_obj_destroy(&ctx, nft_trans_obj_newobj(trans)); 11423 nft_trans_destroy(trans); 11424 } else { 11425 nft_use_dec_restore(&table->use); 11426 nft_obj_del(nft_trans_obj(trans)); 11427 } 11428 break; 11429 case NFT_MSG_DELOBJ: 11430 case NFT_MSG_DESTROYOBJ: 11431 nft_use_inc_restore(&table->use); 11432 nft_clear(trans->net, nft_trans_obj(trans)); 11433 nft_trans_destroy(trans); 11434 break; 11435 case NFT_MSG_NEWFLOWTABLE: 11436 if (nft_trans_flowtable_update(trans)) { 11437 nft_unregister_flowtable_net_hooks(net, 11438 nft_trans_flowtable(trans), 11439 &nft_trans_flowtable_hooks(trans)); 11440 } else { 11441 nft_use_dec_restore(&table->use); 11442 list_del_rcu(&nft_trans_flowtable(trans)->list); 11443 nft_unregister_flowtable_net_hooks(net, 11444 nft_trans_flowtable(trans), 11445 &nft_trans_flowtable(trans)->hook_list); 11446 } 11447 break; 11448 case NFT_MSG_DELFLOWTABLE: 11449 case NFT_MSG_DESTROYFLOWTABLE: 11450 if (nft_trans_flowtable_update(trans)) { 11451 list_splice(&nft_trans_flowtable_hooks(trans), 11452 &nft_trans_flowtable(trans)->hook_list); 11453 } else { 11454 nft_use_inc_restore(&table->use); 11455 nft_clear(trans->net, nft_trans_flowtable(trans)); 11456 } 11457 nft_trans_destroy(trans); 11458 break; 11459 } 11460 } 11461 11462 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list)); 11463 11464 nft_set_abort_update(&set_update_list); 11465 11466 synchronize_rcu(); 11467 11468 list_for_each_entry_safe_reverse(trans, next, 11469 &nft_net->commit_list, list) { 11470 nft_trans_list_del(trans); 11471 nf_tables_abort_release(trans); 11472 } 11473 11474 return err; 11475 } 11476 11477 static int nf_tables_abort(struct net *net, struct sk_buff *skb, 11478 enum nfnl_abort_action action) 11479 { 11480 struct nftables_pernet *nft_net = nft_pernet(net); 11481 unsigned int gc_seq; 11482 int ret; 11483 11484 gc_seq = nft_gc_seq_begin(nft_net); 11485 ret = __nf_tables_abort(net, action); 11486 nft_gc_seq_end(nft_net, gc_seq); 11487 11488 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 11489 11490 /* module autoload needs to happen after GC sequence update because it 11491 * temporarily releases and grabs mutex again. 11492 */ 11493 if (action == NFNL_ABORT_AUTOLOAD) 11494 nf_tables_module_autoload(net); 11495 else 11496 nf_tables_module_autoload_cleanup(net); 11497 11498 mutex_unlock(&nft_net->commit_mutex); 11499 11500 return ret; 11501 } 11502 11503 static bool nf_tables_valid_genid(struct net *net, u32 genid) 11504 { 11505 struct nftables_pernet *nft_net = nft_pernet(net); 11506 bool genid_ok; 11507 11508 mutex_lock(&nft_net->commit_mutex); 11509 nft_net->tstamp = get_jiffies_64(); 11510 11511 genid_ok = genid == 0 || nft_base_seq(net) == genid; 11512 if (!genid_ok) 11513 mutex_unlock(&nft_net->commit_mutex); 11514 11515 /* else, commit mutex has to be released by commit or abort function */ 11516 return genid_ok; 11517 } 11518 11519 static const struct nfnetlink_subsystem nf_tables_subsys = { 11520 .name = "nf_tables", 11521 .subsys_id = NFNL_SUBSYS_NFTABLES, 11522 .cb_count = NFT_MSG_MAX, 11523 .cb = nf_tables_cb, 11524 .commit = nf_tables_commit, 11525 .abort = nf_tables_abort, 11526 .valid_genid = nf_tables_valid_genid, 11527 .owner = THIS_MODULE, 11528 }; 11529 11530 int nft_chain_validate_dependency(const struct nft_chain *chain, 11531 enum nft_chain_types type) 11532 { 11533 const struct nft_base_chain *basechain; 11534 11535 if (nft_is_base_chain(chain)) { 11536 basechain = nft_base_chain(chain); 11537 if (basechain->type->type != type) 11538 return -EOPNOTSUPP; 11539 } 11540 return 0; 11541 } 11542 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 11543 11544 int nft_chain_validate_hooks(const struct nft_chain *chain, 11545 unsigned int hook_flags) 11546 { 11547 struct nft_base_chain *basechain; 11548 11549 if (nft_is_base_chain(chain)) { 11550 basechain = nft_base_chain(chain); 11551 11552 if ((1 << basechain->ops.hooknum) & hook_flags) 11553 return 0; 11554 11555 return -EOPNOTSUPP; 11556 } 11557 11558 return 0; 11559 } 11560 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 11561 11562 /** 11563 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 11564 * 11565 * @attr: netlink attribute to fetch value from 11566 * @max: maximum value to be stored in dest 11567 * @dest: pointer to the variable 11568 * 11569 * Parse, check and store a given u32 netlink attribute into variable. 11570 * This function returns -ERANGE if the value goes over maximum value. 11571 * Otherwise a 0 is returned and the attribute value is stored in the 11572 * destination variable. 11573 */ 11574 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 11575 { 11576 u32 val; 11577 11578 val = ntohl(nla_get_be32(attr)); 11579 if (val > max) 11580 return -ERANGE; 11581 11582 *dest = val; 11583 return 0; 11584 } 11585 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 11586 11587 static int nft_parse_register(const struct nlattr *attr, u32 *preg) 11588 { 11589 unsigned int reg; 11590 11591 reg = ntohl(nla_get_be32(attr)); 11592 switch (reg) { 11593 case NFT_REG_VERDICT...NFT_REG_4: 11594 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE; 11595 break; 11596 case NFT_REG32_00...NFT_REG32_15: 11597 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 11598 break; 11599 default: 11600 return -ERANGE; 11601 } 11602 11603 return 0; 11604 } 11605 11606 /** 11607 * nft_dump_register - dump a register value to a netlink attribute 11608 * 11609 * @skb: socket buffer 11610 * @attr: attribute number 11611 * @reg: register number 11612 * 11613 * Construct a netlink attribute containing the register number. For 11614 * compatibility reasons, register numbers being a multiple of 4 are 11615 * translated to the corresponding 128 bit register numbers. 11616 */ 11617 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 11618 { 11619 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 11620 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 11621 else 11622 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 11623 11624 return nla_put_be32(skb, attr, htonl(reg)); 11625 } 11626 EXPORT_SYMBOL_GPL(nft_dump_register); 11627 11628 static int nft_validate_register_load(enum nft_registers reg, unsigned int len) 11629 { 11630 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 11631 return -EINVAL; 11632 if (len == 0) 11633 return -EINVAL; 11634 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 11635 return -ERANGE; 11636 11637 return 0; 11638 } 11639 11640 int nft_parse_register_load(const struct nft_ctx *ctx, 11641 const struct nlattr *attr, u8 *sreg, u32 len) 11642 { 11643 int err, invalid_reg; 11644 u32 reg, next_register; 11645 11646 err = nft_parse_register(attr, ®); 11647 if (err < 0) 11648 return err; 11649 11650 err = nft_validate_register_load(reg, len); 11651 if (err < 0) 11652 return err; 11653 11654 next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg; 11655 11656 /* Can't happen: nft_validate_register_load() should have failed */ 11657 if (WARN_ON_ONCE(next_register > NFT_REG32_NUM)) 11658 return -EINVAL; 11659 11660 /* find first register that did not see an earlier store. */ 11661 invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg); 11662 11663 /* invalid register within the range that we're loading from? */ 11664 if (invalid_reg < next_register) 11665 return -ENODATA; 11666 11667 *sreg = reg; 11668 return 0; 11669 } 11670 EXPORT_SYMBOL_GPL(nft_parse_register_load); 11671 11672 static void nft_saw_register_store(const struct nft_ctx *__ctx, 11673 int reg, unsigned int len) 11674 { 11675 unsigned int registers = DIV_ROUND_UP(len, NFT_REG32_SIZE); 11676 struct nft_ctx *ctx = (struct nft_ctx *)__ctx; 11677 11678 if (WARN_ON_ONCE(len == 0 || reg < 0)) 11679 return; 11680 11681 bitmap_set(ctx->reg_inited, reg, registers); 11682 } 11683 11684 static int nft_validate_register_store(const struct nft_ctx *ctx, 11685 enum nft_registers reg, 11686 const struct nft_data *data, 11687 enum nft_data_types type, 11688 unsigned int len) 11689 { 11690 int err; 11691 11692 switch (reg) { 11693 case NFT_REG_VERDICT: 11694 if (type != NFT_DATA_VERDICT) 11695 return -EINVAL; 11696 11697 if (data != NULL && 11698 (data->verdict.code == NFT_GOTO || 11699 data->verdict.code == NFT_JUMP)) { 11700 err = nft_chain_validate(ctx, data->verdict.chain); 11701 if (err < 0) 11702 return err; 11703 } 11704 11705 break; 11706 default: 11707 if (type != NFT_DATA_VALUE) 11708 return -EINVAL; 11709 11710 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 11711 return -EINVAL; 11712 if (len == 0) 11713 return -EINVAL; 11714 if (reg * NFT_REG32_SIZE + len > 11715 sizeof_field(struct nft_regs, data)) 11716 return -ERANGE; 11717 11718 break; 11719 } 11720 11721 nft_saw_register_store(ctx, reg, len); 11722 return 0; 11723 } 11724 11725 int nft_parse_register_store(const struct nft_ctx *ctx, 11726 const struct nlattr *attr, u8 *dreg, 11727 const struct nft_data *data, 11728 enum nft_data_types type, unsigned int len) 11729 { 11730 int err; 11731 u32 reg; 11732 11733 err = nft_parse_register(attr, ®); 11734 if (err < 0) 11735 return err; 11736 11737 err = nft_validate_register_store(ctx, reg, data, type, len); 11738 if (err < 0) 11739 return err; 11740 11741 *dreg = reg; 11742 return 0; 11743 } 11744 EXPORT_SYMBOL_GPL(nft_parse_register_store); 11745 11746 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 11747 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 11748 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 11749 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 11750 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 }, 11751 }; 11752 11753 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 11754 struct nft_data_desc *desc, const struct nlattr *nla) 11755 { 11756 u8 genmask = nft_genmask_next(ctx->net); 11757 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 11758 struct nft_chain *chain; 11759 int err; 11760 11761 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 11762 nft_verdict_policy, NULL); 11763 if (err < 0) 11764 return err; 11765 11766 if (!tb[NFTA_VERDICT_CODE]) 11767 return -EINVAL; 11768 11769 /* zero padding hole for memcmp */ 11770 memset(data, 0, sizeof(*data)); 11771 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 11772 11773 switch (data->verdict.code) { 11774 case NF_ACCEPT: 11775 case NF_DROP: 11776 case NF_QUEUE: 11777 break; 11778 case NFT_CONTINUE: 11779 case NFT_BREAK: 11780 case NFT_RETURN: 11781 break; 11782 case NFT_JUMP: 11783 case NFT_GOTO: 11784 if (tb[NFTA_VERDICT_CHAIN]) { 11785 chain = nft_chain_lookup(ctx->net, ctx->table, 11786 tb[NFTA_VERDICT_CHAIN], 11787 genmask); 11788 } else if (tb[NFTA_VERDICT_CHAIN_ID]) { 11789 chain = nft_chain_lookup_byid(ctx->net, ctx->table, 11790 tb[NFTA_VERDICT_CHAIN_ID], 11791 genmask); 11792 if (IS_ERR(chain)) 11793 return PTR_ERR(chain); 11794 } else { 11795 return -EINVAL; 11796 } 11797 11798 if (IS_ERR(chain)) 11799 return PTR_ERR(chain); 11800 if (nft_is_base_chain(chain)) 11801 return -EOPNOTSUPP; 11802 if (nft_chain_is_bound(chain)) 11803 return -EINVAL; 11804 if (desc->flags & NFT_DATA_DESC_SETELEM && 11805 chain->flags & NFT_CHAIN_BINDING) 11806 return -EINVAL; 11807 if (!nft_use_inc(&chain->use)) 11808 return -EMFILE; 11809 11810 data->verdict.chain = chain; 11811 break; 11812 default: 11813 return -EINVAL; 11814 } 11815 11816 desc->len = sizeof(data->verdict); 11817 11818 return 0; 11819 } 11820 11821 static void nft_verdict_uninit(const struct nft_data *data) 11822 { 11823 struct nft_chain *chain; 11824 11825 switch (data->verdict.code) { 11826 case NFT_JUMP: 11827 case NFT_GOTO: 11828 chain = data->verdict.chain; 11829 nft_use_dec(&chain->use); 11830 break; 11831 } 11832 } 11833 11834 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 11835 { 11836 struct nlattr *nest; 11837 11838 nest = nla_nest_start_noflag(skb, type); 11839 if (!nest) 11840 goto nla_put_failure; 11841 11842 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 11843 goto nla_put_failure; 11844 11845 switch (v->code) { 11846 case NFT_JUMP: 11847 case NFT_GOTO: 11848 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 11849 v->chain->name)) 11850 goto nla_put_failure; 11851 } 11852 nla_nest_end(skb, nest); 11853 return 0; 11854 11855 nla_put_failure: 11856 return -1; 11857 } 11858 11859 static int nft_value_init(const struct nft_ctx *ctx, 11860 struct nft_data *data, struct nft_data_desc *desc, 11861 const struct nlattr *nla) 11862 { 11863 unsigned int len; 11864 11865 len = nla_len(nla); 11866 if (len == 0) 11867 return -EINVAL; 11868 if (len > desc->size) 11869 return -EOVERFLOW; 11870 if (desc->len) { 11871 if (len != desc->len) 11872 return -EINVAL; 11873 } else { 11874 desc->len = len; 11875 } 11876 11877 nla_memcpy(data->data, nla, len); 11878 11879 return 0; 11880 } 11881 11882 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 11883 unsigned int len) 11884 { 11885 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 11886 } 11887 11888 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 11889 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 11890 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 11891 }; 11892 11893 /** 11894 * nft_data_init - parse nf_tables data netlink attributes 11895 * 11896 * @ctx: context of the expression using the data 11897 * @data: destination struct nft_data 11898 * @desc: data description 11899 * @nla: netlink attribute containing data 11900 * 11901 * Parse the netlink data attributes and initialize a struct nft_data. 11902 * The type and length of data are returned in the data description. 11903 * 11904 * The caller can indicate that it only wants to accept data of type 11905 * NFT_DATA_VALUE by passing NULL for the ctx argument. 11906 */ 11907 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, 11908 struct nft_data_desc *desc, const struct nlattr *nla) 11909 { 11910 struct nlattr *tb[NFTA_DATA_MAX + 1]; 11911 int err; 11912 11913 if (WARN_ON_ONCE(!desc->size)) 11914 return -EINVAL; 11915 11916 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 11917 nft_data_policy, NULL); 11918 if (err < 0) 11919 return err; 11920 11921 if (tb[NFTA_DATA_VALUE]) { 11922 if (desc->type != NFT_DATA_VALUE) 11923 return -EINVAL; 11924 11925 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]); 11926 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) { 11927 if (desc->type != NFT_DATA_VERDICT) 11928 return -EINVAL; 11929 11930 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 11931 } else { 11932 err = -EINVAL; 11933 } 11934 11935 return err; 11936 } 11937 EXPORT_SYMBOL_GPL(nft_data_init); 11938 11939 /** 11940 * nft_data_release - release a nft_data item 11941 * 11942 * @data: struct nft_data to release 11943 * @type: type of data 11944 * 11945 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 11946 * all others need to be released by calling this function. 11947 */ 11948 void nft_data_release(const struct nft_data *data, enum nft_data_types type) 11949 { 11950 if (type < NFT_DATA_VERDICT) 11951 return; 11952 switch (type) { 11953 case NFT_DATA_VERDICT: 11954 return nft_verdict_uninit(data); 11955 default: 11956 WARN_ON(1); 11957 } 11958 } 11959 EXPORT_SYMBOL_GPL(nft_data_release); 11960 11961 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 11962 enum nft_data_types type, unsigned int len) 11963 { 11964 struct nlattr *nest; 11965 int err; 11966 11967 nest = nla_nest_start_noflag(skb, attr); 11968 if (nest == NULL) 11969 return -1; 11970 11971 switch (type) { 11972 case NFT_DATA_VALUE: 11973 err = nft_value_dump(skb, data, len); 11974 break; 11975 case NFT_DATA_VERDICT: 11976 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 11977 break; 11978 default: 11979 err = -EINVAL; 11980 WARN_ON(1); 11981 } 11982 11983 nla_nest_end(skb, nest); 11984 return err; 11985 } 11986 EXPORT_SYMBOL_GPL(nft_data_dump); 11987 11988 static void __nft_release_hook(struct net *net, struct nft_table *table) 11989 { 11990 struct nft_flowtable *flowtable; 11991 struct nft_chain *chain; 11992 11993 list_for_each_entry(chain, &table->chains, list) 11994 __nf_tables_unregister_hook(net, table, chain, true); 11995 list_for_each_entry(flowtable, &table->flowtables, list) 11996 __nft_unregister_flowtable_net_hooks(net, flowtable, 11997 &flowtable->hook_list, 11998 true); 11999 } 12000 12001 static void __nft_release_hooks(struct net *net) 12002 { 12003 struct nftables_pernet *nft_net = nft_pernet(net); 12004 struct nft_table *table; 12005 12006 list_for_each_entry(table, &nft_net->tables, list) { 12007 if (nft_table_has_owner(table)) 12008 continue; 12009 12010 __nft_release_hook(net, table); 12011 } 12012 } 12013 12014 static void __nft_release_table(struct net *net, struct nft_table *table) 12015 { 12016 struct nft_flowtable *flowtable, *nf; 12017 struct nft_chain *chain, *nc; 12018 struct nft_object *obj, *ne; 12019 struct nft_rule *rule, *nr; 12020 struct nft_set *set, *ns; 12021 struct nft_ctx ctx = { 12022 .net = net, 12023 .family = NFPROTO_NETDEV, 12024 }; 12025 12026 ctx.family = table->family; 12027 ctx.table = table; 12028 list_for_each_entry(chain, &table->chains, list) { 12029 if (nft_chain_binding(chain)) 12030 continue; 12031 12032 ctx.chain = chain; 12033 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 12034 list_del(&rule->list); 12035 nft_use_dec(&chain->use); 12036 nf_tables_rule_release(&ctx, rule); 12037 } 12038 } 12039 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 12040 list_del(&flowtable->list); 12041 nft_use_dec(&table->use); 12042 nf_tables_flowtable_destroy(flowtable); 12043 } 12044 list_for_each_entry_safe(set, ns, &table->sets, list) { 12045 list_del(&set->list); 12046 nft_use_dec(&table->use); 12047 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 12048 nft_map_deactivate(&ctx, set); 12049 12050 nft_set_destroy(&ctx, set); 12051 } 12052 list_for_each_entry_safe(obj, ne, &table->objects, list) { 12053 nft_obj_del(obj); 12054 nft_use_dec(&table->use); 12055 nft_obj_destroy(&ctx, obj); 12056 } 12057 list_for_each_entry_safe(chain, nc, &table->chains, list) { 12058 nft_chain_del(chain); 12059 nft_use_dec(&table->use); 12060 nf_tables_chain_destroy(chain); 12061 } 12062 nf_tables_table_destroy(table); 12063 } 12064 12065 static void __nft_release_tables(struct net *net) 12066 { 12067 struct nftables_pernet *nft_net = nft_pernet(net); 12068 struct nft_table *table, *nt; 12069 12070 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 12071 if (nft_table_has_owner(table)) 12072 continue; 12073 12074 list_del(&table->list); 12075 12076 __nft_release_table(net, table); 12077 } 12078 } 12079 12080 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, 12081 void *ptr) 12082 { 12083 struct nft_table *table, *to_delete[8]; 12084 struct nftables_pernet *nft_net; 12085 struct netlink_notify *n = ptr; 12086 struct net *net = n->net; 12087 unsigned int deleted; 12088 bool restart = false; 12089 unsigned int gc_seq; 12090 12091 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER) 12092 return NOTIFY_DONE; 12093 12094 nft_net = nft_pernet(net); 12095 deleted = 0; 12096 mutex_lock(&nft_net->commit_mutex); 12097 12098 gc_seq = nft_gc_seq_begin(nft_net); 12099 12100 nf_tables_trans_destroy_flush_work(net); 12101 again: 12102 list_for_each_entry(table, &nft_net->tables, list) { 12103 if (nft_table_has_owner(table) && 12104 n->portid == table->nlpid) { 12105 if (table->flags & NFT_TABLE_F_PERSIST) { 12106 table->flags &= ~NFT_TABLE_F_OWNER; 12107 continue; 12108 } 12109 __nft_release_hook(net, table); 12110 list_del_rcu(&table->list); 12111 to_delete[deleted++] = table; 12112 if (deleted >= ARRAY_SIZE(to_delete)) 12113 break; 12114 } 12115 } 12116 if (deleted) { 12117 restart = deleted >= ARRAY_SIZE(to_delete); 12118 synchronize_rcu(); 12119 while (deleted) 12120 __nft_release_table(net, to_delete[--deleted]); 12121 12122 if (restart) 12123 goto again; 12124 } 12125 nft_gc_seq_end(nft_net, gc_seq); 12126 12127 mutex_unlock(&nft_net->commit_mutex); 12128 12129 return NOTIFY_DONE; 12130 } 12131 12132 static struct notifier_block nft_nl_notifier = { 12133 .notifier_call = nft_rcv_nl_event, 12134 }; 12135 12136 static int __net_init nf_tables_init_net(struct net *net) 12137 { 12138 struct nftables_pernet *nft_net = nft_pernet(net); 12139 12140 INIT_LIST_HEAD(&nft_net->tables); 12141 INIT_LIST_HEAD(&nft_net->commit_list); 12142 INIT_LIST_HEAD(&nft_net->destroy_list); 12143 INIT_LIST_HEAD(&nft_net->commit_set_list); 12144 INIT_LIST_HEAD(&nft_net->binding_list); 12145 INIT_LIST_HEAD(&nft_net->module_list); 12146 INIT_LIST_HEAD(&nft_net->notify_list); 12147 mutex_init(&nft_net->commit_mutex); 12148 net->nft.base_seq = 1; 12149 nft_net->gc_seq = 0; 12150 nft_net->validate_state = NFT_VALIDATE_SKIP; 12151 INIT_WORK(&nft_net->destroy_work, nf_tables_trans_destroy_work); 12152 12153 return 0; 12154 } 12155 12156 static void __net_exit nf_tables_pre_exit_net(struct net *net) 12157 { 12158 struct nftables_pernet *nft_net = nft_pernet(net); 12159 12160 mutex_lock(&nft_net->commit_mutex); 12161 __nft_release_hooks(net); 12162 mutex_unlock(&nft_net->commit_mutex); 12163 } 12164 12165 static void __net_exit nf_tables_exit_net(struct net *net) 12166 { 12167 struct nftables_pernet *nft_net = nft_pernet(net); 12168 unsigned int gc_seq; 12169 12170 mutex_lock(&nft_net->commit_mutex); 12171 12172 gc_seq = nft_gc_seq_begin(nft_net); 12173 12174 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 12175 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list)); 12176 12177 if (!list_empty(&nft_net->module_list)) 12178 nf_tables_module_autoload_cleanup(net); 12179 12180 cancel_work_sync(&nft_net->destroy_work); 12181 __nft_release_tables(net); 12182 12183 nft_gc_seq_end(nft_net, gc_seq); 12184 12185 mutex_unlock(&nft_net->commit_mutex); 12186 12187 WARN_ON_ONCE(!list_empty(&nft_net->tables)); 12188 WARN_ON_ONCE(!list_empty(&nft_net->module_list)); 12189 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 12190 WARN_ON_ONCE(!list_empty(&nft_net->destroy_list)); 12191 } 12192 12193 static void nf_tables_exit_batch(struct list_head *net_exit_list) 12194 { 12195 flush_work(&trans_gc_work); 12196 } 12197 12198 static struct pernet_operations nf_tables_net_ops = { 12199 .init = nf_tables_init_net, 12200 .pre_exit = nf_tables_pre_exit_net, 12201 .exit = nf_tables_exit_net, 12202 .exit_batch = nf_tables_exit_batch, 12203 .id = &nf_tables_net_id, 12204 .size = sizeof(struct nftables_pernet), 12205 }; 12206 12207 static int __init nf_tables_module_init(void) 12208 { 12209 int err; 12210 12211 BUILD_BUG_ON(offsetof(struct nft_trans_table, nft_trans) != 0); 12212 BUILD_BUG_ON(offsetof(struct nft_trans_chain, nft_trans_binding.nft_trans) != 0); 12213 BUILD_BUG_ON(offsetof(struct nft_trans_rule, nft_trans) != 0); 12214 BUILD_BUG_ON(offsetof(struct nft_trans_set, nft_trans_binding.nft_trans) != 0); 12215 BUILD_BUG_ON(offsetof(struct nft_trans_elem, nft_trans) != 0); 12216 BUILD_BUG_ON(offsetof(struct nft_trans_obj, nft_trans) != 0); 12217 BUILD_BUG_ON(offsetof(struct nft_trans_flowtable, nft_trans) != 0); 12218 12219 err = register_pernet_subsys(&nf_tables_net_ops); 12220 if (err < 0) 12221 return err; 12222 12223 err = nft_chain_filter_init(); 12224 if (err < 0) 12225 goto err_chain_filter; 12226 12227 err = nf_tables_core_module_init(); 12228 if (err < 0) 12229 goto err_core_module; 12230 12231 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 12232 if (err < 0) 12233 goto err_netdev_notifier; 12234 12235 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 12236 if (err < 0) 12237 goto err_rht_objname; 12238 12239 err = nft_offload_init(); 12240 if (err < 0) 12241 goto err_offload; 12242 12243 err = netlink_register_notifier(&nft_nl_notifier); 12244 if (err < 0) 12245 goto err_netlink_notifier; 12246 12247 /* must be last */ 12248 err = nfnetlink_subsys_register(&nf_tables_subsys); 12249 if (err < 0) 12250 goto err_nfnl_subsys; 12251 12252 nft_chain_route_init(); 12253 12254 return err; 12255 12256 err_nfnl_subsys: 12257 netlink_unregister_notifier(&nft_nl_notifier); 12258 err_netlink_notifier: 12259 nft_offload_exit(); 12260 err_offload: 12261 rhltable_destroy(&nft_objname_ht); 12262 err_rht_objname: 12263 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 12264 err_netdev_notifier: 12265 nf_tables_core_module_exit(); 12266 err_core_module: 12267 nft_chain_filter_fini(); 12268 err_chain_filter: 12269 unregister_pernet_subsys(&nf_tables_net_ops); 12270 return err; 12271 } 12272 12273 static void __exit nf_tables_module_exit(void) 12274 { 12275 nfnetlink_subsys_unregister(&nf_tables_subsys); 12276 netlink_unregister_notifier(&nft_nl_notifier); 12277 nft_offload_exit(); 12278 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 12279 nft_chain_filter_fini(); 12280 nft_chain_route_fini(); 12281 unregister_pernet_subsys(&nf_tables_net_ops); 12282 cancel_work_sync(&trans_gc_work); 12283 rcu_barrier(); 12284 rhltable_destroy(&nft_objname_ht); 12285 nf_tables_core_module_exit(); 12286 } 12287 12288 module_init(nf_tables_module_init); 12289 module_exit(nf_tables_module_exit); 12290 12291 MODULE_LICENSE("GPL"); 12292 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 12293 MODULE_DESCRIPTION("Framework for packet filtering and classification"); 12294 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 12295