1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/skbuff.h> 12 #include <linux/netlink.h> 13 #include <linux/vmalloc.h> 14 #include <linux/rhashtable.h> 15 #include <linux/audit.h> 16 #include <linux/netfilter.h> 17 #include <linux/netfilter/nfnetlink.h> 18 #include <linux/netfilter/nf_tables.h> 19 #include <net/netfilter/nf_flow_table.h> 20 #include <net/netfilter/nf_tables_core.h> 21 #include <net/netfilter/nf_tables.h> 22 #include <net/netfilter/nf_tables_offload.h> 23 #include <net/net_namespace.h> 24 #include <net/sock.h> 25 26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 27 #define NFT_SET_MAX_ANONLEN 16 28 29 unsigned int nf_tables_net_id __read_mostly; 30 31 static LIST_HEAD(nf_tables_expressions); 32 static LIST_HEAD(nf_tables_objects); 33 static LIST_HEAD(nf_tables_flowtables); 34 static LIST_HEAD(nf_tables_destroy_list); 35 static LIST_HEAD(nf_tables_gc_list); 36 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 37 static DEFINE_SPINLOCK(nf_tables_gc_list_lock); 38 39 enum { 40 NFT_VALIDATE_SKIP = 0, 41 NFT_VALIDATE_NEED, 42 NFT_VALIDATE_DO, 43 }; 44 45 static struct rhltable nft_objname_ht; 46 47 static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 48 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 49 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 50 51 static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 52 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 53 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 54 55 static const struct rhashtable_params nft_chain_ht_params = { 56 .head_offset = offsetof(struct nft_chain, rhlhead), 57 .key_offset = offsetof(struct nft_chain, name), 58 .hashfn = nft_chain_hash, 59 .obj_hashfn = nft_chain_hash_obj, 60 .obj_cmpfn = nft_chain_hash_cmp, 61 .automatic_shrinking = true, 62 }; 63 64 static const struct rhashtable_params nft_objname_ht_params = { 65 .head_offset = offsetof(struct nft_object, rhlhead), 66 .key_offset = offsetof(struct nft_object, key), 67 .hashfn = nft_objname_hash, 68 .obj_hashfn = nft_objname_hash_obj, 69 .obj_cmpfn = nft_objname_hash_cmp, 70 .automatic_shrinking = true, 71 }; 72 73 struct nft_audit_data { 74 struct nft_table *table; 75 int entries; 76 int op; 77 struct list_head list; 78 }; 79 80 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types 81 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER, 82 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID, 83 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER, 84 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER, 85 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID, 86 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER, 87 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER, 88 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID, 89 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER, 90 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER, 91 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID, 92 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER, 93 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER, 94 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID, 95 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER, 96 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER, 97 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID, 98 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID, 99 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER, 100 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID, 101 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER, 102 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET, 103 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER, 104 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID, 105 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 106 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET, 107 }; 108 109 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state) 110 { 111 switch (table->validate_state) { 112 case NFT_VALIDATE_SKIP: 113 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 114 break; 115 case NFT_VALIDATE_NEED: 116 break; 117 case NFT_VALIDATE_DO: 118 if (new_validate_state == NFT_VALIDATE_NEED) 119 return; 120 } 121 122 table->validate_state = new_validate_state; 123 } 124 static void nf_tables_trans_destroy_work(struct work_struct *w); 125 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); 126 127 static void nft_trans_gc_work(struct work_struct *work); 128 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work); 129 130 static void nft_ctx_init(struct nft_ctx *ctx, 131 struct net *net, 132 const struct sk_buff *skb, 133 const struct nlmsghdr *nlh, 134 u8 family, 135 struct nft_table *table, 136 struct nft_chain *chain, 137 const struct nlattr * const *nla) 138 { 139 ctx->net = net; 140 ctx->family = family; 141 ctx->level = 0; 142 ctx->table = table; 143 ctx->chain = chain; 144 ctx->nla = nla; 145 ctx->portid = NETLINK_CB(skb).portid; 146 ctx->report = nlmsg_report(nlh); 147 ctx->flags = nlh->nlmsg_flags; 148 ctx->seq = nlh->nlmsg_seq; 149 } 150 151 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 152 int msg_type, u32 size, gfp_t gfp) 153 { 154 struct nft_trans *trans; 155 156 trans = kzalloc(size, gfp); 157 if (trans == NULL) 158 return NULL; 159 160 INIT_LIST_HEAD(&trans->list); 161 trans->msg_type = msg_type; 162 163 trans->net = ctx->net; 164 trans->table = ctx->table; 165 trans->seq = ctx->seq; 166 trans->flags = ctx->flags; 167 trans->report = ctx->report; 168 169 return trans; 170 } 171 172 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 173 int msg_type, u32 size) 174 { 175 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 176 } 177 178 static struct nft_trans_binding *nft_trans_get_binding(struct nft_trans *trans) 179 { 180 switch (trans->msg_type) { 181 case NFT_MSG_NEWCHAIN: 182 case NFT_MSG_NEWSET: 183 return container_of(trans, struct nft_trans_binding, nft_trans); 184 } 185 186 return NULL; 187 } 188 189 static void nft_trans_list_del(struct nft_trans *trans) 190 { 191 struct nft_trans_binding *trans_binding; 192 193 list_del(&trans->list); 194 195 trans_binding = nft_trans_get_binding(trans); 196 if (trans_binding) 197 list_del(&trans_binding->binding_list); 198 } 199 200 static void nft_trans_destroy(struct nft_trans *trans) 201 { 202 nft_trans_list_del(trans); 203 kfree(trans); 204 } 205 206 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set, 207 bool bind) 208 { 209 struct nftables_pernet *nft_net; 210 struct net *net = ctx->net; 211 struct nft_trans *trans; 212 213 if (!nft_set_is_anonymous(set)) 214 return; 215 216 nft_net = nft_pernet(net); 217 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 218 switch (trans->msg_type) { 219 case NFT_MSG_NEWSET: 220 if (nft_trans_set(trans) == set) 221 nft_trans_set_bound(trans) = bind; 222 break; 223 case NFT_MSG_NEWSETELEM: 224 if (nft_trans_elem_set(trans) == set) 225 nft_trans_elem_set_bound(trans) = bind; 226 break; 227 } 228 } 229 } 230 231 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 232 { 233 return __nft_set_trans_bind(ctx, set, true); 234 } 235 236 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set) 237 { 238 return __nft_set_trans_bind(ctx, set, false); 239 } 240 241 static void __nft_chain_trans_bind(const struct nft_ctx *ctx, 242 struct nft_chain *chain, bool bind) 243 { 244 struct nftables_pernet *nft_net; 245 struct net *net = ctx->net; 246 struct nft_trans *trans; 247 248 if (!nft_chain_binding(chain)) 249 return; 250 251 nft_net = nft_pernet(net); 252 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 253 switch (trans->msg_type) { 254 case NFT_MSG_NEWCHAIN: 255 if (nft_trans_chain(trans) == chain) 256 nft_trans_chain_bound(trans) = bind; 257 break; 258 case NFT_MSG_NEWRULE: 259 if (nft_trans_rule_chain(trans) == chain) 260 nft_trans_rule_bound(trans) = bind; 261 break; 262 } 263 } 264 } 265 266 static void nft_chain_trans_bind(const struct nft_ctx *ctx, 267 struct nft_chain *chain) 268 { 269 __nft_chain_trans_bind(ctx, chain, true); 270 } 271 272 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) 273 { 274 if (!nft_chain_binding(chain)) 275 return 0; 276 277 if (nft_chain_binding(ctx->chain)) 278 return -EOPNOTSUPP; 279 280 if (chain->bound) 281 return -EBUSY; 282 283 if (!nft_use_inc(&chain->use)) 284 return -EMFILE; 285 286 chain->bound = true; 287 nft_chain_trans_bind(ctx, chain); 288 289 return 0; 290 } 291 292 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) 293 { 294 __nft_chain_trans_bind(ctx, chain, false); 295 } 296 297 static int nft_netdev_register_hooks(struct net *net, 298 struct list_head *hook_list) 299 { 300 struct nft_hook *hook; 301 int err, j; 302 303 j = 0; 304 list_for_each_entry(hook, hook_list, list) { 305 err = nf_register_net_hook(net, &hook->ops); 306 if (err < 0) 307 goto err_register; 308 309 j++; 310 } 311 return 0; 312 313 err_register: 314 list_for_each_entry(hook, hook_list, list) { 315 if (j-- <= 0) 316 break; 317 318 nf_unregister_net_hook(net, &hook->ops); 319 } 320 return err; 321 } 322 323 static void nft_netdev_unregister_hooks(struct net *net, 324 struct list_head *hook_list, 325 bool release_netdev) 326 { 327 struct nft_hook *hook, *next; 328 329 list_for_each_entry_safe(hook, next, hook_list, list) { 330 nf_unregister_net_hook(net, &hook->ops); 331 if (release_netdev) { 332 list_del(&hook->list); 333 kfree_rcu(hook, rcu); 334 } 335 } 336 } 337 338 static int nf_tables_register_hook(struct net *net, 339 const struct nft_table *table, 340 struct nft_chain *chain) 341 { 342 struct nft_base_chain *basechain; 343 const struct nf_hook_ops *ops; 344 345 if (table->flags & NFT_TABLE_F_DORMANT || 346 !nft_is_base_chain(chain)) 347 return 0; 348 349 basechain = nft_base_chain(chain); 350 ops = &basechain->ops; 351 352 if (basechain->type->ops_register) 353 return basechain->type->ops_register(net, ops); 354 355 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 356 return nft_netdev_register_hooks(net, &basechain->hook_list); 357 358 return nf_register_net_hook(net, &basechain->ops); 359 } 360 361 static void __nf_tables_unregister_hook(struct net *net, 362 const struct nft_table *table, 363 struct nft_chain *chain, 364 bool release_netdev) 365 { 366 struct nft_base_chain *basechain; 367 const struct nf_hook_ops *ops; 368 369 if (table->flags & NFT_TABLE_F_DORMANT || 370 !nft_is_base_chain(chain)) 371 return; 372 basechain = nft_base_chain(chain); 373 ops = &basechain->ops; 374 375 if (basechain->type->ops_unregister) 376 return basechain->type->ops_unregister(net, ops); 377 378 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 379 nft_netdev_unregister_hooks(net, &basechain->hook_list, 380 release_netdev); 381 else 382 nf_unregister_net_hook(net, &basechain->ops); 383 } 384 385 static void nf_tables_unregister_hook(struct net *net, 386 const struct nft_table *table, 387 struct nft_chain *chain) 388 { 389 return __nf_tables_unregister_hook(net, table, chain, false); 390 } 391 392 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) 393 { 394 struct nftables_pernet *nft_net = nft_pernet(net); 395 struct nft_trans_binding *binding; 396 397 list_add_tail(&trans->list, &nft_net->commit_list); 398 399 binding = nft_trans_get_binding(trans); 400 if (!binding) 401 return; 402 403 switch (trans->msg_type) { 404 case NFT_MSG_NEWSET: 405 if (!nft_trans_set_update(trans) && 406 nft_set_is_anonymous(nft_trans_set(trans))) 407 list_add_tail(&binding->binding_list, &nft_net->binding_list); 408 break; 409 case NFT_MSG_NEWCHAIN: 410 if (!nft_trans_chain_update(trans) && 411 nft_chain_binding(nft_trans_chain(trans))) 412 list_add_tail(&binding->binding_list, &nft_net->binding_list); 413 break; 414 } 415 } 416 417 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 418 { 419 struct nft_trans *trans; 420 421 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 422 if (trans == NULL) 423 return -ENOMEM; 424 425 if (msg_type == NFT_MSG_NEWTABLE) 426 nft_activate_next(ctx->net, ctx->table); 427 428 nft_trans_commit_list_add_tail(ctx->net, trans); 429 return 0; 430 } 431 432 static int nft_deltable(struct nft_ctx *ctx) 433 { 434 int err; 435 436 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 437 if (err < 0) 438 return err; 439 440 nft_deactivate_next(ctx->net, ctx->table); 441 return err; 442 } 443 444 static struct nft_trans * 445 nft_trans_alloc_chain(const struct nft_ctx *ctx, int msg_type) 446 { 447 struct nft_trans_chain *trans_chain; 448 struct nft_trans *trans; 449 450 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 451 if (!trans) 452 return NULL; 453 454 trans_chain = nft_trans_container_chain(trans); 455 INIT_LIST_HEAD(&trans_chain->nft_trans_binding.binding_list); 456 trans_chain->chain = ctx->chain; 457 458 return trans; 459 } 460 461 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 462 { 463 struct nft_trans *trans; 464 465 trans = nft_trans_alloc_chain(ctx, msg_type); 466 if (trans == NULL) 467 return ERR_PTR(-ENOMEM); 468 469 if (msg_type == NFT_MSG_NEWCHAIN) { 470 nft_activate_next(ctx->net, ctx->chain); 471 472 if (ctx->nla[NFTA_CHAIN_ID]) { 473 nft_trans_chain_id(trans) = 474 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); 475 } 476 } 477 nft_trans_commit_list_add_tail(ctx->net, trans); 478 479 return trans; 480 } 481 482 static int nft_delchain(struct nft_ctx *ctx) 483 { 484 struct nft_trans *trans; 485 486 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 487 if (IS_ERR(trans)) 488 return PTR_ERR(trans); 489 490 nft_use_dec(&ctx->table->use); 491 nft_deactivate_next(ctx->net, ctx->chain); 492 493 return 0; 494 } 495 496 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule) 497 { 498 struct nft_expr *expr; 499 500 expr = nft_expr_first(rule); 501 while (nft_expr_more(rule, expr)) { 502 if (expr->ops->activate) 503 expr->ops->activate(ctx, expr); 504 505 expr = nft_expr_next(expr); 506 } 507 } 508 509 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule, 510 enum nft_trans_phase phase) 511 { 512 struct nft_expr *expr; 513 514 expr = nft_expr_first(rule); 515 while (nft_expr_more(rule, expr)) { 516 if (expr->ops->deactivate) 517 expr->ops->deactivate(ctx, expr, phase); 518 519 expr = nft_expr_next(expr); 520 } 521 } 522 523 static int 524 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 525 { 526 /* You cannot delete the same rule twice */ 527 if (nft_is_active_next(ctx->net, rule)) { 528 nft_deactivate_next(ctx->net, rule); 529 nft_use_dec(&ctx->chain->use); 530 return 0; 531 } 532 return -ENOENT; 533 } 534 535 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 536 struct nft_rule *rule) 537 { 538 struct nft_trans *trans; 539 540 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 541 if (trans == NULL) 542 return NULL; 543 544 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 545 nft_trans_rule_id(trans) = 546 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 547 } 548 nft_trans_rule(trans) = rule; 549 nft_trans_rule_chain(trans) = ctx->chain; 550 nft_trans_commit_list_add_tail(ctx->net, trans); 551 552 return trans; 553 } 554 555 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 556 { 557 struct nft_flow_rule *flow; 558 struct nft_trans *trans; 559 int err; 560 561 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 562 if (trans == NULL) 563 return -ENOMEM; 564 565 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 566 flow = nft_flow_rule_create(ctx->net, rule); 567 if (IS_ERR(flow)) { 568 nft_trans_destroy(trans); 569 return PTR_ERR(flow); 570 } 571 572 nft_trans_flow_rule(trans) = flow; 573 } 574 575 err = nf_tables_delrule_deactivate(ctx, rule); 576 if (err < 0) { 577 nft_trans_destroy(trans); 578 return err; 579 } 580 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 581 582 return 0; 583 } 584 585 static int nft_delrule_by_chain(struct nft_ctx *ctx) 586 { 587 struct nft_rule *rule; 588 int err; 589 590 list_for_each_entry(rule, &ctx->chain->rules, list) { 591 if (!nft_is_active_next(ctx->net, rule)) 592 continue; 593 594 err = nft_delrule(ctx, rule); 595 if (err < 0) 596 return err; 597 } 598 return 0; 599 } 600 601 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 602 struct nft_set *set, 603 const struct nft_set_desc *desc) 604 { 605 struct nft_trans_set *trans_set; 606 struct nft_trans *trans; 607 608 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 609 if (trans == NULL) 610 return -ENOMEM; 611 612 trans_set = nft_trans_container_set(trans); 613 INIT_LIST_HEAD(&trans_set->nft_trans_binding.binding_list); 614 615 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) { 616 nft_trans_set_id(trans) = 617 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 618 nft_activate_next(ctx->net, set); 619 } 620 nft_trans_set(trans) = set; 621 if (desc) { 622 nft_trans_set_update(trans) = true; 623 nft_trans_set_gc_int(trans) = desc->gc_int; 624 nft_trans_set_timeout(trans) = desc->timeout; 625 nft_trans_set_size(trans) = desc->size; 626 } 627 nft_trans_commit_list_add_tail(ctx->net, trans); 628 629 return 0; 630 } 631 632 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 633 struct nft_set *set) 634 { 635 return __nft_trans_set_add(ctx, msg_type, set, NULL); 636 } 637 638 static int nft_mapelem_deactivate(const struct nft_ctx *ctx, 639 struct nft_set *set, 640 const struct nft_set_iter *iter, 641 struct nft_elem_priv *elem_priv) 642 { 643 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 644 645 if (!nft_set_elem_active(ext, iter->genmask)) 646 return 0; 647 648 nft_set_elem_change_active(ctx->net, set, ext); 649 nft_setelem_data_deactivate(ctx->net, set, elem_priv); 650 651 return 0; 652 } 653 654 struct nft_set_elem_catchall { 655 struct list_head list; 656 struct rcu_head rcu; 657 struct nft_elem_priv *elem; 658 }; 659 660 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, 661 struct nft_set *set) 662 { 663 u8 genmask = nft_genmask_next(ctx->net); 664 struct nft_set_elem_catchall *catchall; 665 struct nft_set_ext *ext; 666 667 list_for_each_entry(catchall, &set->catchall_list, list) { 668 ext = nft_set_elem_ext(set, catchall->elem); 669 if (!nft_set_elem_active(ext, genmask)) 670 continue; 671 672 nft_set_elem_change_active(ctx->net, set, ext); 673 nft_setelem_data_deactivate(ctx->net, set, catchall->elem); 674 break; 675 } 676 } 677 678 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set) 679 { 680 struct nft_set_iter iter = { 681 .genmask = nft_genmask_next(ctx->net), 682 .type = NFT_ITER_UPDATE, 683 .fn = nft_mapelem_deactivate, 684 }; 685 686 set->ops->walk(ctx, set, &iter); 687 WARN_ON_ONCE(iter.err); 688 689 nft_map_catchall_deactivate(ctx, set); 690 } 691 692 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 693 { 694 int err; 695 696 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 697 if (err < 0) 698 return err; 699 700 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 701 nft_map_deactivate(ctx, set); 702 703 nft_deactivate_next(ctx->net, set); 704 nft_use_dec(&ctx->table->use); 705 706 return err; 707 } 708 709 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 710 struct nft_object *obj) 711 { 712 struct nft_trans *trans; 713 714 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 715 if (trans == NULL) 716 return -ENOMEM; 717 718 if (msg_type == NFT_MSG_NEWOBJ) 719 nft_activate_next(ctx->net, obj); 720 721 nft_trans_obj(trans) = obj; 722 nft_trans_commit_list_add_tail(ctx->net, trans); 723 724 return 0; 725 } 726 727 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 728 { 729 int err; 730 731 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 732 if (err < 0) 733 return err; 734 735 nft_deactivate_next(ctx->net, obj); 736 nft_use_dec(&ctx->table->use); 737 738 return err; 739 } 740 741 static struct nft_trans * 742 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 743 struct nft_flowtable *flowtable) 744 { 745 struct nft_trans *trans; 746 747 trans = nft_trans_alloc(ctx, msg_type, 748 sizeof(struct nft_trans_flowtable)); 749 if (trans == NULL) 750 return ERR_PTR(-ENOMEM); 751 752 if (msg_type == NFT_MSG_NEWFLOWTABLE) 753 nft_activate_next(ctx->net, flowtable); 754 755 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 756 nft_trans_flowtable(trans) = flowtable; 757 nft_trans_commit_list_add_tail(ctx->net, trans); 758 759 return trans; 760 } 761 762 static int nft_delflowtable(struct nft_ctx *ctx, 763 struct nft_flowtable *flowtable) 764 { 765 struct nft_trans *trans; 766 767 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 768 if (IS_ERR(trans)) 769 return PTR_ERR(trans); 770 771 nft_deactivate_next(ctx->net, flowtable); 772 nft_use_dec(&ctx->table->use); 773 774 return 0; 775 } 776 777 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg) 778 { 779 int i; 780 781 for (i = track->regs[dreg].num_reg; i > 0; i--) 782 __nft_reg_track_cancel(track, dreg - i); 783 } 784 785 static void __nft_reg_track_update(struct nft_regs_track *track, 786 const struct nft_expr *expr, 787 u8 dreg, u8 num_reg) 788 { 789 track->regs[dreg].selector = expr; 790 track->regs[dreg].bitwise = NULL; 791 track->regs[dreg].num_reg = num_reg; 792 } 793 794 void nft_reg_track_update(struct nft_regs_track *track, 795 const struct nft_expr *expr, u8 dreg, u8 len) 796 { 797 unsigned int regcount; 798 int i; 799 800 __nft_reg_track_clobber(track, dreg); 801 802 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 803 for (i = 0; i < regcount; i++, dreg++) 804 __nft_reg_track_update(track, expr, dreg, i); 805 } 806 EXPORT_SYMBOL_GPL(nft_reg_track_update); 807 808 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len) 809 { 810 unsigned int regcount; 811 int i; 812 813 __nft_reg_track_clobber(track, dreg); 814 815 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 816 for (i = 0; i < regcount; i++, dreg++) 817 __nft_reg_track_cancel(track, dreg); 818 } 819 EXPORT_SYMBOL_GPL(nft_reg_track_cancel); 820 821 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg) 822 { 823 track->regs[dreg].selector = NULL; 824 track->regs[dreg].bitwise = NULL; 825 track->regs[dreg].num_reg = 0; 826 } 827 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel); 828 829 /* 830 * Tables 831 */ 832 833 static struct nft_table *nft_table_lookup(const struct net *net, 834 const struct nlattr *nla, 835 u8 family, u8 genmask, u32 nlpid) 836 { 837 struct nftables_pernet *nft_net; 838 struct nft_table *table; 839 840 if (nla == NULL) 841 return ERR_PTR(-EINVAL); 842 843 nft_net = nft_pernet(net); 844 list_for_each_entry_rcu(table, &nft_net->tables, list, 845 lockdep_is_held(&nft_net->commit_mutex)) { 846 if (!nla_strcmp(nla, table->name) && 847 table->family == family && 848 nft_active_genmask(table, genmask)) { 849 if (nft_table_has_owner(table) && 850 nlpid && table->nlpid != nlpid) 851 return ERR_PTR(-EPERM); 852 853 return table; 854 } 855 } 856 857 return ERR_PTR(-ENOENT); 858 } 859 860 static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 861 const struct nlattr *nla, 862 int family, u8 genmask, u32 nlpid) 863 { 864 struct nftables_pernet *nft_net; 865 struct nft_table *table; 866 867 nft_net = nft_pernet(net); 868 list_for_each_entry(table, &nft_net->tables, list) { 869 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 870 table->family == family && 871 nft_active_genmask(table, genmask)) { 872 if (nft_table_has_owner(table) && 873 nlpid && table->nlpid != nlpid) 874 return ERR_PTR(-EPERM); 875 876 return table; 877 } 878 } 879 880 return ERR_PTR(-ENOENT); 881 } 882 883 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 884 { 885 return ++table->hgenerator; 886 } 887 888 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 889 890 static const struct nft_chain_type * 891 __nft_chain_type_get(u8 family, enum nft_chain_types type) 892 { 893 if (family >= NFPROTO_NUMPROTO || 894 type >= NFT_CHAIN_T_MAX) 895 return NULL; 896 897 return chain_type[family][type]; 898 } 899 900 static const struct nft_chain_type * 901 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 902 { 903 const struct nft_chain_type *type; 904 int i; 905 906 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 907 type = __nft_chain_type_get(family, i); 908 if (!type) 909 continue; 910 if (!nla_strcmp(nla, type->name)) 911 return type; 912 } 913 return NULL; 914 } 915 916 struct nft_module_request { 917 struct list_head list; 918 char module[MODULE_NAME_LEN]; 919 bool done; 920 }; 921 922 #ifdef CONFIG_MODULES 923 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, 924 ...) 925 { 926 char module_name[MODULE_NAME_LEN]; 927 struct nftables_pernet *nft_net; 928 struct nft_module_request *req; 929 va_list args; 930 int ret; 931 932 va_start(args, fmt); 933 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 934 va_end(args); 935 if (ret >= MODULE_NAME_LEN) 936 return 0; 937 938 nft_net = nft_pernet(net); 939 list_for_each_entry(req, &nft_net->module_list, list) { 940 if (!strcmp(req->module, module_name)) { 941 if (req->done) 942 return 0; 943 944 /* A request to load this module already exists. */ 945 return -EAGAIN; 946 } 947 } 948 949 req = kmalloc(sizeof(*req), GFP_KERNEL); 950 if (!req) 951 return -ENOMEM; 952 953 req->done = false; 954 strscpy(req->module, module_name, MODULE_NAME_LEN); 955 list_add_tail(&req->list, &nft_net->module_list); 956 957 return -EAGAIN; 958 } 959 EXPORT_SYMBOL_GPL(nft_request_module); 960 #endif 961 962 static void lockdep_nfnl_nft_mutex_not_held(void) 963 { 964 #ifdef CONFIG_PROVE_LOCKING 965 if (debug_locks) 966 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 967 #endif 968 } 969 970 static const struct nft_chain_type * 971 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 972 u8 family, bool autoload) 973 { 974 const struct nft_chain_type *type; 975 976 type = __nf_tables_chain_type_lookup(nla, family); 977 if (type != NULL) 978 return type; 979 980 lockdep_nfnl_nft_mutex_not_held(); 981 #ifdef CONFIG_MODULES 982 if (autoload) { 983 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 984 nla_len(nla), 985 (const char *)nla_data(nla)) == -EAGAIN) 986 return ERR_PTR(-EAGAIN); 987 } 988 #endif 989 return ERR_PTR(-ENOENT); 990 } 991 992 static __be16 nft_base_seq(const struct net *net) 993 { 994 struct nftables_pernet *nft_net = nft_pernet(net); 995 996 return htons(nft_net->base_seq & 0xffff); 997 } 998 999 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 1000 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 1001 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1002 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 1003 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 1004 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY, 1005 .len = NFT_USERDATA_MAXLEN } 1006 }; 1007 1008 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 1009 u32 portid, u32 seq, int event, u32 flags, 1010 int family, const struct nft_table *table) 1011 { 1012 struct nlmsghdr *nlh; 1013 1014 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1015 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 1016 NFNETLINK_V0, nft_base_seq(net)); 1017 if (!nlh) 1018 goto nla_put_failure; 1019 1020 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 1021 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 1022 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 1023 NFTA_TABLE_PAD)) 1024 goto nla_put_failure; 1025 1026 if (event == NFT_MSG_DELTABLE) { 1027 nlmsg_end(skb, nlh); 1028 return 0; 1029 } 1030 1031 if (nla_put_be32(skb, NFTA_TABLE_FLAGS, 1032 htonl(table->flags & NFT_TABLE_F_MASK))) 1033 goto nla_put_failure; 1034 1035 if (nft_table_has_owner(table) && 1036 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid))) 1037 goto nla_put_failure; 1038 1039 if (table->udata) { 1040 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata)) 1041 goto nla_put_failure; 1042 } 1043 1044 nlmsg_end(skb, nlh); 1045 return 0; 1046 1047 nla_put_failure: 1048 nlmsg_trim(skb, nlh); 1049 return -1; 1050 } 1051 1052 struct nftnl_skb_parms { 1053 bool report; 1054 }; 1055 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb)) 1056 1057 static void nft_notify_enqueue(struct sk_buff *skb, bool report, 1058 struct list_head *notify_list) 1059 { 1060 NFT_CB(skb).report = report; 1061 list_add_tail(&skb->list, notify_list); 1062 } 1063 1064 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 1065 { 1066 struct nftables_pernet *nft_net; 1067 struct sk_buff *skb; 1068 u16 flags = 0; 1069 int err; 1070 1071 if (!ctx->report && 1072 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1073 return; 1074 1075 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1076 if (skb == NULL) 1077 goto err; 1078 1079 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 1080 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 1081 1082 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 1083 event, flags, ctx->family, ctx->table); 1084 if (err < 0) { 1085 kfree_skb(skb); 1086 goto err; 1087 } 1088 1089 nft_net = nft_pernet(ctx->net); 1090 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1091 return; 1092 err: 1093 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1094 } 1095 1096 static int nf_tables_dump_tables(struct sk_buff *skb, 1097 struct netlink_callback *cb) 1098 { 1099 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1100 struct nftables_pernet *nft_net; 1101 const struct nft_table *table; 1102 unsigned int idx = 0, s_idx = cb->args[0]; 1103 struct net *net = sock_net(skb->sk); 1104 int family = nfmsg->nfgen_family; 1105 1106 rcu_read_lock(); 1107 nft_net = nft_pernet(net); 1108 cb->seq = READ_ONCE(nft_net->base_seq); 1109 1110 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1111 if (family != NFPROTO_UNSPEC && family != table->family) 1112 continue; 1113 1114 if (idx < s_idx) 1115 goto cont; 1116 if (idx > s_idx) 1117 memset(&cb->args[1], 0, 1118 sizeof(cb->args) - sizeof(cb->args[0])); 1119 if (!nft_is_active(net, table)) 1120 continue; 1121 if (nf_tables_fill_table_info(skb, net, 1122 NETLINK_CB(cb->skb).portid, 1123 cb->nlh->nlmsg_seq, 1124 NFT_MSG_NEWTABLE, NLM_F_MULTI, 1125 table->family, table) < 0) 1126 goto done; 1127 1128 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1129 cont: 1130 idx++; 1131 } 1132 done: 1133 rcu_read_unlock(); 1134 cb->args[0] = idx; 1135 return skb->len; 1136 } 1137 1138 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 1139 const struct nlmsghdr *nlh, 1140 struct netlink_dump_control *c) 1141 { 1142 int err; 1143 1144 if (!try_module_get(THIS_MODULE)) 1145 return -EINVAL; 1146 1147 rcu_read_unlock(); 1148 err = netlink_dump_start(nlsk, skb, nlh, c); 1149 rcu_read_lock(); 1150 module_put(THIS_MODULE); 1151 1152 return err; 1153 } 1154 1155 /* called with rcu_read_lock held */ 1156 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info, 1157 const struct nlattr * const nla[]) 1158 { 1159 struct netlink_ext_ack *extack = info->extack; 1160 u8 genmask = nft_genmask_cur(info->net); 1161 u8 family = info->nfmsg->nfgen_family; 1162 const struct nft_table *table; 1163 struct net *net = info->net; 1164 struct sk_buff *skb2; 1165 int err; 1166 1167 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1168 struct netlink_dump_control c = { 1169 .dump = nf_tables_dump_tables, 1170 .module = THIS_MODULE, 1171 }; 1172 1173 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 1174 } 1175 1176 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0); 1177 if (IS_ERR(table)) { 1178 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 1179 return PTR_ERR(table); 1180 } 1181 1182 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1183 if (!skb2) 1184 return -ENOMEM; 1185 1186 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 1187 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 1188 0, family, table); 1189 if (err < 0) 1190 goto err_fill_table_info; 1191 1192 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1193 1194 err_fill_table_info: 1195 kfree_skb(skb2); 1196 return err; 1197 } 1198 1199 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 1200 { 1201 struct nft_chain *chain; 1202 u32 i = 0; 1203 1204 list_for_each_entry(chain, &table->chains, list) { 1205 if (!nft_is_active_next(net, chain)) 1206 continue; 1207 if (!nft_is_base_chain(chain)) 1208 continue; 1209 1210 if (cnt && i++ == cnt) 1211 break; 1212 1213 nf_tables_unregister_hook(net, table, chain); 1214 } 1215 } 1216 1217 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 1218 { 1219 struct nft_chain *chain; 1220 int err, i = 0; 1221 1222 list_for_each_entry(chain, &table->chains, list) { 1223 if (!nft_is_active_next(net, chain)) 1224 continue; 1225 if (!nft_is_base_chain(chain)) 1226 continue; 1227 1228 err = nf_tables_register_hook(net, table, chain); 1229 if (err < 0) 1230 goto err_register_hooks; 1231 1232 i++; 1233 } 1234 return 0; 1235 1236 err_register_hooks: 1237 if (i) 1238 nft_table_disable(net, table, i); 1239 return err; 1240 } 1241 1242 static void nf_tables_table_disable(struct net *net, struct nft_table *table) 1243 { 1244 table->flags &= ~NFT_TABLE_F_DORMANT; 1245 nft_table_disable(net, table, 0); 1246 table->flags |= NFT_TABLE_F_DORMANT; 1247 } 1248 1249 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1) 1250 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0) 1251 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1) 1252 #define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2) 1253 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \ 1254 __NFT_TABLE_F_WAS_AWAKEN | \ 1255 __NFT_TABLE_F_WAS_ORPHAN) 1256 1257 static bool nft_table_pending_update(const struct nft_ctx *ctx) 1258 { 1259 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1260 struct nft_trans *trans; 1261 1262 if (ctx->table->flags & __NFT_TABLE_F_UPDATE) 1263 return true; 1264 1265 list_for_each_entry(trans, &nft_net->commit_list, list) { 1266 if (trans->table == ctx->table && 1267 ((trans->msg_type == NFT_MSG_NEWCHAIN && 1268 nft_trans_chain_update(trans)) || 1269 (trans->msg_type == NFT_MSG_DELCHAIN && 1270 nft_is_base_chain(nft_trans_chain(trans))))) 1271 return true; 1272 } 1273 1274 return false; 1275 } 1276 1277 static int nf_tables_updtable(struct nft_ctx *ctx) 1278 { 1279 struct nft_trans *trans; 1280 u32 flags; 1281 int ret; 1282 1283 if (!ctx->nla[NFTA_TABLE_FLAGS]) 1284 return 0; 1285 1286 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 1287 if (flags & ~NFT_TABLE_F_MASK) 1288 return -EOPNOTSUPP; 1289 1290 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK)) 1291 return 0; 1292 1293 if ((nft_table_has_owner(ctx->table) && 1294 !(flags & NFT_TABLE_F_OWNER)) || 1295 (flags & NFT_TABLE_F_OWNER && 1296 !nft_table_is_orphan(ctx->table))) 1297 return -EOPNOTSUPP; 1298 1299 if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST) 1300 return -EOPNOTSUPP; 1301 1302 /* No dormant off/on/off/on games in single transaction */ 1303 if (nft_table_pending_update(ctx)) 1304 return -EINVAL; 1305 1306 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 1307 sizeof(struct nft_trans_table)); 1308 if (trans == NULL) 1309 return -ENOMEM; 1310 1311 if ((flags & NFT_TABLE_F_DORMANT) && 1312 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 1313 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1314 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) 1315 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN; 1316 } else if (!(flags & NFT_TABLE_F_DORMANT) && 1317 ctx->table->flags & NFT_TABLE_F_DORMANT) { 1318 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 1319 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) { 1320 ret = nf_tables_table_enable(ctx->net, ctx->table); 1321 if (ret < 0) 1322 goto err_register_hooks; 1323 1324 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT; 1325 } 1326 } 1327 1328 if ((flags & NFT_TABLE_F_OWNER) && 1329 !nft_table_has_owner(ctx->table)) { 1330 ctx->table->nlpid = ctx->portid; 1331 ctx->table->flags |= NFT_TABLE_F_OWNER | 1332 __NFT_TABLE_F_WAS_ORPHAN; 1333 } 1334 1335 nft_trans_table_update(trans) = true; 1336 nft_trans_commit_list_add_tail(ctx->net, trans); 1337 1338 return 0; 1339 1340 err_register_hooks: 1341 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1342 nft_trans_destroy(trans); 1343 return ret; 1344 } 1345 1346 static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 1347 { 1348 const char *name = data; 1349 1350 return jhash(name, strlen(name), seed); 1351 } 1352 1353 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 1354 { 1355 const struct nft_chain *chain = data; 1356 1357 return nft_chain_hash(chain->name, 0, seed); 1358 } 1359 1360 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 1361 const void *ptr) 1362 { 1363 const struct nft_chain *chain = ptr; 1364 const char *name = arg->key; 1365 1366 return strcmp(chain->name, name); 1367 } 1368 1369 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 1370 { 1371 const struct nft_object_hash_key *k = data; 1372 1373 seed ^= hash_ptr(k->table, 32); 1374 1375 return jhash(k->name, strlen(k->name), seed); 1376 } 1377 1378 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 1379 { 1380 const struct nft_object *obj = data; 1381 1382 return nft_objname_hash(&obj->key, 0, seed); 1383 } 1384 1385 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 1386 const void *ptr) 1387 { 1388 const struct nft_object_hash_key *k = arg->key; 1389 const struct nft_object *obj = ptr; 1390 1391 if (obj->key.table != k->table) 1392 return -1; 1393 1394 return strcmp(obj->key.name, k->name); 1395 } 1396 1397 static bool nft_supported_family(u8 family) 1398 { 1399 return false 1400 #ifdef CONFIG_NF_TABLES_INET 1401 || family == NFPROTO_INET 1402 #endif 1403 #ifdef CONFIG_NF_TABLES_IPV4 1404 || family == NFPROTO_IPV4 1405 #endif 1406 #ifdef CONFIG_NF_TABLES_ARP 1407 || family == NFPROTO_ARP 1408 #endif 1409 #ifdef CONFIG_NF_TABLES_NETDEV 1410 || family == NFPROTO_NETDEV 1411 #endif 1412 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) 1413 || family == NFPROTO_BRIDGE 1414 #endif 1415 #ifdef CONFIG_NF_TABLES_IPV6 1416 || family == NFPROTO_IPV6 1417 #endif 1418 ; 1419 } 1420 1421 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, 1422 const struct nlattr * const nla[]) 1423 { 1424 struct nftables_pernet *nft_net = nft_pernet(info->net); 1425 struct netlink_ext_ack *extack = info->extack; 1426 u8 genmask = nft_genmask_next(info->net); 1427 u8 family = info->nfmsg->nfgen_family; 1428 struct net *net = info->net; 1429 const struct nlattr *attr; 1430 struct nft_table *table; 1431 struct nft_ctx ctx; 1432 u32 flags = 0; 1433 int err; 1434 1435 if (!nft_supported_family(family)) 1436 return -EOPNOTSUPP; 1437 1438 lockdep_assert_held(&nft_net->commit_mutex); 1439 attr = nla[NFTA_TABLE_NAME]; 1440 table = nft_table_lookup(net, attr, family, genmask, 1441 NETLINK_CB(skb).portid); 1442 if (IS_ERR(table)) { 1443 if (PTR_ERR(table) != -ENOENT) 1444 return PTR_ERR(table); 1445 } else { 1446 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 1447 NL_SET_BAD_ATTR(extack, attr); 1448 return -EEXIST; 1449 } 1450 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 1451 return -EOPNOTSUPP; 1452 1453 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1454 1455 return nf_tables_updtable(&ctx); 1456 } 1457 1458 if (nla[NFTA_TABLE_FLAGS]) { 1459 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 1460 if (flags & ~NFT_TABLE_F_MASK) 1461 return -EOPNOTSUPP; 1462 } 1463 1464 err = -ENOMEM; 1465 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT); 1466 if (table == NULL) 1467 goto err_kzalloc; 1468 1469 table->validate_state = nft_net->validate_state; 1470 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT); 1471 if (table->name == NULL) 1472 goto err_strdup; 1473 1474 if (nla[NFTA_TABLE_USERDATA]) { 1475 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT); 1476 if (table->udata == NULL) 1477 goto err_table_udata; 1478 1479 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]); 1480 } 1481 1482 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1483 if (err) 1484 goto err_chain_ht; 1485 1486 INIT_LIST_HEAD(&table->chains); 1487 INIT_LIST_HEAD(&table->sets); 1488 INIT_LIST_HEAD(&table->objects); 1489 INIT_LIST_HEAD(&table->flowtables); 1490 table->family = family; 1491 table->flags = flags; 1492 table->handle = ++nft_net->table_handle; 1493 if (table->flags & NFT_TABLE_F_OWNER) 1494 table->nlpid = NETLINK_CB(skb).portid; 1495 1496 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1497 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1498 if (err < 0) 1499 goto err_trans; 1500 1501 list_add_tail_rcu(&table->list, &nft_net->tables); 1502 return 0; 1503 err_trans: 1504 rhltable_destroy(&table->chains_ht); 1505 err_chain_ht: 1506 kfree(table->udata); 1507 err_table_udata: 1508 kfree(table->name); 1509 err_strdup: 1510 kfree(table); 1511 err_kzalloc: 1512 return err; 1513 } 1514 1515 static int nft_flush_table(struct nft_ctx *ctx) 1516 { 1517 struct nft_flowtable *flowtable, *nft; 1518 struct nft_chain *chain, *nc; 1519 struct nft_object *obj, *ne; 1520 struct nft_set *set, *ns; 1521 int err; 1522 1523 list_for_each_entry(chain, &ctx->table->chains, list) { 1524 if (!nft_is_active_next(ctx->net, chain)) 1525 continue; 1526 1527 if (nft_chain_binding(chain)) 1528 continue; 1529 1530 ctx->chain = chain; 1531 1532 err = nft_delrule_by_chain(ctx); 1533 if (err < 0) 1534 goto out; 1535 } 1536 1537 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1538 if (!nft_is_active_next(ctx->net, set)) 1539 continue; 1540 1541 if (nft_set_is_anonymous(set)) 1542 continue; 1543 1544 err = nft_delset(ctx, set); 1545 if (err < 0) 1546 goto out; 1547 } 1548 1549 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1550 if (!nft_is_active_next(ctx->net, flowtable)) 1551 continue; 1552 1553 err = nft_delflowtable(ctx, flowtable); 1554 if (err < 0) 1555 goto out; 1556 } 1557 1558 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1559 if (!nft_is_active_next(ctx->net, obj)) 1560 continue; 1561 1562 err = nft_delobj(ctx, obj); 1563 if (err < 0) 1564 goto out; 1565 } 1566 1567 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1568 if (!nft_is_active_next(ctx->net, chain)) 1569 continue; 1570 1571 if (nft_chain_binding(chain)) 1572 continue; 1573 1574 ctx->chain = chain; 1575 1576 err = nft_delchain(ctx); 1577 if (err < 0) 1578 goto out; 1579 } 1580 1581 err = nft_deltable(ctx); 1582 out: 1583 return err; 1584 } 1585 1586 static int nft_flush(struct nft_ctx *ctx, int family) 1587 { 1588 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1589 const struct nlattr * const *nla = ctx->nla; 1590 struct nft_table *table, *nt; 1591 int err = 0; 1592 1593 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 1594 if (family != AF_UNSPEC && table->family != family) 1595 continue; 1596 1597 ctx->family = table->family; 1598 1599 if (!nft_is_active_next(ctx->net, table)) 1600 continue; 1601 1602 if (nft_table_has_owner(table) && table->nlpid != ctx->portid) 1603 continue; 1604 1605 if (nla[NFTA_TABLE_NAME] && 1606 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1607 continue; 1608 1609 ctx->table = table; 1610 1611 err = nft_flush_table(ctx); 1612 if (err < 0) 1613 goto out; 1614 } 1615 out: 1616 return err; 1617 } 1618 1619 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info, 1620 const struct nlattr * const nla[]) 1621 { 1622 struct netlink_ext_ack *extack = info->extack; 1623 u8 genmask = nft_genmask_next(info->net); 1624 u8 family = info->nfmsg->nfgen_family; 1625 struct net *net = info->net; 1626 const struct nlattr *attr; 1627 struct nft_table *table; 1628 struct nft_ctx ctx; 1629 1630 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla); 1631 if (family == AF_UNSPEC || 1632 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1633 return nft_flush(&ctx, family); 1634 1635 if (nla[NFTA_TABLE_HANDLE]) { 1636 attr = nla[NFTA_TABLE_HANDLE]; 1637 table = nft_table_lookup_byhandle(net, attr, family, genmask, 1638 NETLINK_CB(skb).portid); 1639 } else { 1640 attr = nla[NFTA_TABLE_NAME]; 1641 table = nft_table_lookup(net, attr, family, genmask, 1642 NETLINK_CB(skb).portid); 1643 } 1644 1645 if (IS_ERR(table)) { 1646 if (PTR_ERR(table) == -ENOENT && 1647 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE) 1648 return 0; 1649 1650 NL_SET_BAD_ATTR(extack, attr); 1651 return PTR_ERR(table); 1652 } 1653 1654 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 1655 table->use > 0) 1656 return -EBUSY; 1657 1658 ctx.family = family; 1659 ctx.table = table; 1660 1661 return nft_flush_table(&ctx); 1662 } 1663 1664 static void nf_tables_table_destroy(struct nft_table *table) 1665 { 1666 if (WARN_ON(table->use > 0)) 1667 return; 1668 1669 rhltable_destroy(&table->chains_ht); 1670 kfree(table->name); 1671 kfree(table->udata); 1672 kfree(table); 1673 } 1674 1675 void nft_register_chain_type(const struct nft_chain_type *ctype) 1676 { 1677 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1678 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1679 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1680 return; 1681 } 1682 chain_type[ctype->family][ctype->type] = ctype; 1683 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1684 } 1685 EXPORT_SYMBOL_GPL(nft_register_chain_type); 1686 1687 void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1688 { 1689 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1690 chain_type[ctype->family][ctype->type] = NULL; 1691 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1692 } 1693 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1694 1695 /* 1696 * Chains 1697 */ 1698 1699 static struct nft_chain * 1700 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1701 { 1702 struct nft_chain *chain; 1703 1704 list_for_each_entry(chain, &table->chains, list) { 1705 if (chain->handle == handle && 1706 nft_active_genmask(chain, genmask)) 1707 return chain; 1708 } 1709 1710 return ERR_PTR(-ENOENT); 1711 } 1712 1713 static bool lockdep_commit_lock_is_held(const struct net *net) 1714 { 1715 #ifdef CONFIG_PROVE_LOCKING 1716 struct nftables_pernet *nft_net = nft_pernet(net); 1717 1718 return lockdep_is_held(&nft_net->commit_mutex); 1719 #else 1720 return true; 1721 #endif 1722 } 1723 1724 static struct nft_chain *nft_chain_lookup(struct net *net, 1725 struct nft_table *table, 1726 const struct nlattr *nla, u8 genmask) 1727 { 1728 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1729 struct rhlist_head *tmp, *list; 1730 struct nft_chain *chain; 1731 1732 if (nla == NULL) 1733 return ERR_PTR(-EINVAL); 1734 1735 nla_strscpy(search, nla, sizeof(search)); 1736 1737 WARN_ON(!rcu_read_lock_held() && 1738 !lockdep_commit_lock_is_held(net)); 1739 1740 chain = ERR_PTR(-ENOENT); 1741 rcu_read_lock(); 1742 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1743 if (!list) 1744 goto out_unlock; 1745 1746 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1747 if (nft_active_genmask(chain, genmask)) 1748 goto out_unlock; 1749 } 1750 chain = ERR_PTR(-ENOENT); 1751 out_unlock: 1752 rcu_read_unlock(); 1753 return chain; 1754 } 1755 1756 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1757 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1758 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1759 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1760 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1761 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1762 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1763 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1764 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1765 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1766 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1767 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1768 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1769 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY, 1770 .len = NFT_USERDATA_MAXLEN }, 1771 }; 1772 1773 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1774 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1775 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1776 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1777 .len = IFNAMSIZ - 1 }, 1778 }; 1779 1780 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1781 { 1782 struct nft_stats *cpu_stats, total; 1783 struct nlattr *nest; 1784 unsigned int seq; 1785 u64 pkts, bytes; 1786 int cpu; 1787 1788 if (!stats) 1789 return 0; 1790 1791 memset(&total, 0, sizeof(total)); 1792 for_each_possible_cpu(cpu) { 1793 cpu_stats = per_cpu_ptr(stats, cpu); 1794 do { 1795 seq = u64_stats_fetch_begin(&cpu_stats->syncp); 1796 pkts = cpu_stats->pkts; 1797 bytes = cpu_stats->bytes; 1798 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq)); 1799 total.pkts += pkts; 1800 total.bytes += bytes; 1801 } 1802 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1803 if (nest == NULL) 1804 goto nla_put_failure; 1805 1806 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1807 NFTA_COUNTER_PAD) || 1808 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1809 NFTA_COUNTER_PAD)) 1810 goto nla_put_failure; 1811 1812 nla_nest_end(skb, nest); 1813 return 0; 1814 1815 nla_put_failure: 1816 return -ENOSPC; 1817 } 1818 1819 static int nft_dump_basechain_hook(struct sk_buff *skb, int family, 1820 const struct nft_base_chain *basechain, 1821 const struct list_head *hook_list) 1822 { 1823 const struct nf_hook_ops *ops = &basechain->ops; 1824 struct nft_hook *hook, *first = NULL; 1825 struct nlattr *nest, *nest_devs; 1826 int n = 0; 1827 1828 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1829 if (nest == NULL) 1830 goto nla_put_failure; 1831 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1832 goto nla_put_failure; 1833 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1834 goto nla_put_failure; 1835 1836 if (nft_base_chain_netdev(family, ops->hooknum)) { 1837 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1838 if (!nest_devs) 1839 goto nla_put_failure; 1840 1841 if (!hook_list) 1842 hook_list = &basechain->hook_list; 1843 1844 list_for_each_entry(hook, hook_list, list) { 1845 if (!first) 1846 first = hook; 1847 1848 if (nla_put_string(skb, NFTA_DEVICE_NAME, 1849 hook->ops.dev->name)) 1850 goto nla_put_failure; 1851 n++; 1852 } 1853 nla_nest_end(skb, nest_devs); 1854 1855 if (n == 1 && 1856 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) 1857 goto nla_put_failure; 1858 } 1859 nla_nest_end(skb, nest); 1860 1861 return 0; 1862 nla_put_failure: 1863 return -1; 1864 } 1865 1866 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 1867 u32 portid, u32 seq, int event, u32 flags, 1868 int family, const struct nft_table *table, 1869 const struct nft_chain *chain, 1870 const struct list_head *hook_list) 1871 { 1872 struct nlmsghdr *nlh; 1873 1874 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1875 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 1876 NFNETLINK_V0, nft_base_seq(net)); 1877 if (!nlh) 1878 goto nla_put_failure; 1879 1880 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) || 1881 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) || 1882 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 1883 NFTA_CHAIN_PAD)) 1884 goto nla_put_failure; 1885 1886 if (event == NFT_MSG_DELCHAIN && !hook_list) { 1887 nlmsg_end(skb, nlh); 1888 return 0; 1889 } 1890 1891 if (nft_is_base_chain(chain)) { 1892 const struct nft_base_chain *basechain = nft_base_chain(chain); 1893 struct nft_stats __percpu *stats; 1894 1895 if (nft_dump_basechain_hook(skb, family, basechain, hook_list)) 1896 goto nla_put_failure; 1897 1898 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1899 htonl(basechain->policy))) 1900 goto nla_put_failure; 1901 1902 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1903 goto nla_put_failure; 1904 1905 stats = rcu_dereference_check(basechain->stats, 1906 lockdep_commit_lock_is_held(net)); 1907 if (nft_dump_stats(skb, stats)) 1908 goto nla_put_failure; 1909 } 1910 1911 if (chain->flags && 1912 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags))) 1913 goto nla_put_failure; 1914 1915 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1916 goto nla_put_failure; 1917 1918 if (chain->udata && 1919 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata)) 1920 goto nla_put_failure; 1921 1922 nlmsg_end(skb, nlh); 1923 return 0; 1924 1925 nla_put_failure: 1926 nlmsg_trim(skb, nlh); 1927 return -1; 1928 } 1929 1930 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event, 1931 const struct list_head *hook_list) 1932 { 1933 struct nftables_pernet *nft_net; 1934 struct sk_buff *skb; 1935 u16 flags = 0; 1936 int err; 1937 1938 if (!ctx->report && 1939 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1940 return; 1941 1942 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1943 if (skb == NULL) 1944 goto err; 1945 1946 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 1947 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 1948 1949 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1950 event, flags, ctx->family, ctx->table, 1951 ctx->chain, hook_list); 1952 if (err < 0) { 1953 kfree_skb(skb); 1954 goto err; 1955 } 1956 1957 nft_net = nft_pernet(ctx->net); 1958 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1959 return; 1960 err: 1961 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1962 } 1963 1964 static int nf_tables_dump_chains(struct sk_buff *skb, 1965 struct netlink_callback *cb) 1966 { 1967 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1968 unsigned int idx = 0, s_idx = cb->args[0]; 1969 struct net *net = sock_net(skb->sk); 1970 int family = nfmsg->nfgen_family; 1971 struct nftables_pernet *nft_net; 1972 const struct nft_table *table; 1973 const struct nft_chain *chain; 1974 1975 rcu_read_lock(); 1976 nft_net = nft_pernet(net); 1977 cb->seq = READ_ONCE(nft_net->base_seq); 1978 1979 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1980 if (family != NFPROTO_UNSPEC && family != table->family) 1981 continue; 1982 1983 list_for_each_entry_rcu(chain, &table->chains, list) { 1984 if (idx < s_idx) 1985 goto cont; 1986 if (idx > s_idx) 1987 memset(&cb->args[1], 0, 1988 sizeof(cb->args) - sizeof(cb->args[0])); 1989 if (!nft_is_active(net, chain)) 1990 continue; 1991 if (nf_tables_fill_chain_info(skb, net, 1992 NETLINK_CB(cb->skb).portid, 1993 cb->nlh->nlmsg_seq, 1994 NFT_MSG_NEWCHAIN, 1995 NLM_F_MULTI, 1996 table->family, table, 1997 chain, NULL) < 0) 1998 goto done; 1999 2000 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 2001 cont: 2002 idx++; 2003 } 2004 } 2005 done: 2006 rcu_read_unlock(); 2007 cb->args[0] = idx; 2008 return skb->len; 2009 } 2010 2011 /* called with rcu_read_lock held */ 2012 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info, 2013 const struct nlattr * const nla[]) 2014 { 2015 struct netlink_ext_ack *extack = info->extack; 2016 u8 genmask = nft_genmask_cur(info->net); 2017 u8 family = info->nfmsg->nfgen_family; 2018 const struct nft_chain *chain; 2019 struct net *net = info->net; 2020 struct nft_table *table; 2021 struct sk_buff *skb2; 2022 int err; 2023 2024 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 2025 struct netlink_dump_control c = { 2026 .dump = nf_tables_dump_chains, 2027 .module = THIS_MODULE, 2028 }; 2029 2030 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 2031 } 2032 2033 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0); 2034 if (IS_ERR(table)) { 2035 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2036 return PTR_ERR(table); 2037 } 2038 2039 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 2040 if (IS_ERR(chain)) { 2041 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2042 return PTR_ERR(chain); 2043 } 2044 2045 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 2046 if (!skb2) 2047 return -ENOMEM; 2048 2049 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 2050 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 2051 0, family, table, chain, NULL); 2052 if (err < 0) 2053 goto err_fill_chain_info; 2054 2055 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 2056 2057 err_fill_chain_info: 2058 kfree_skb(skb2); 2059 return err; 2060 } 2061 2062 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 2063 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 2064 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 2065 }; 2066 2067 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 2068 { 2069 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 2070 struct nft_stats __percpu *newstats; 2071 struct nft_stats *stats; 2072 int err; 2073 2074 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 2075 nft_counter_policy, NULL); 2076 if (err < 0) 2077 return ERR_PTR(err); 2078 2079 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 2080 return ERR_PTR(-EINVAL); 2081 2082 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 2083 if (newstats == NULL) 2084 return ERR_PTR(-ENOMEM); 2085 2086 /* Restore old counters on this cpu, no problem. Per-cpu statistics 2087 * are not exposed to userspace. 2088 */ 2089 preempt_disable(); 2090 stats = this_cpu_ptr(newstats); 2091 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 2092 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 2093 preempt_enable(); 2094 2095 return newstats; 2096 } 2097 2098 static void nft_chain_stats_replace(struct nft_trans_chain *trans) 2099 { 2100 const struct nft_trans *t = &trans->nft_trans_binding.nft_trans; 2101 struct nft_base_chain *chain = nft_base_chain(trans->chain); 2102 2103 if (!trans->stats) 2104 return; 2105 2106 trans->stats = 2107 rcu_replace_pointer(chain->stats, trans->stats, 2108 lockdep_commit_lock_is_held(t->net)); 2109 2110 if (!trans->stats) 2111 static_branch_inc(&nft_counters_enabled); 2112 } 2113 2114 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 2115 { 2116 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0); 2117 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1); 2118 2119 if (g0 != g1) 2120 kvfree(g1); 2121 kvfree(g0); 2122 2123 /* should be NULL either via abort or via successful commit */ 2124 WARN_ON_ONCE(chain->blob_next); 2125 kvfree(chain->blob_next); 2126 } 2127 2128 void nf_tables_chain_destroy(struct nft_chain *chain) 2129 { 2130 const struct nft_table *table = chain->table; 2131 struct nft_hook *hook, *next; 2132 2133 if (WARN_ON(chain->use > 0)) 2134 return; 2135 2136 /* no concurrent access possible anymore */ 2137 nf_tables_chain_free_chain_rules(chain); 2138 2139 if (nft_is_base_chain(chain)) { 2140 struct nft_base_chain *basechain = nft_base_chain(chain); 2141 2142 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) { 2143 list_for_each_entry_safe(hook, next, 2144 &basechain->hook_list, list) { 2145 list_del_rcu(&hook->list); 2146 kfree_rcu(hook, rcu); 2147 } 2148 } 2149 module_put(basechain->type->owner); 2150 if (rcu_access_pointer(basechain->stats)) { 2151 static_branch_dec(&nft_counters_enabled); 2152 free_percpu(rcu_dereference_raw(basechain->stats)); 2153 } 2154 kfree(chain->name); 2155 kfree(chain->udata); 2156 kfree(basechain); 2157 } else { 2158 kfree(chain->name); 2159 kfree(chain->udata); 2160 kfree(chain); 2161 } 2162 } 2163 2164 static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 2165 const struct nlattr *attr) 2166 { 2167 struct net_device *dev; 2168 char ifname[IFNAMSIZ]; 2169 struct nft_hook *hook; 2170 int err; 2171 2172 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT); 2173 if (!hook) { 2174 err = -ENOMEM; 2175 goto err_hook_alloc; 2176 } 2177 2178 nla_strscpy(ifname, attr, IFNAMSIZ); 2179 /* nf_tables_netdev_event() is called under rtnl_mutex, this is 2180 * indirectly serializing all the other holders of the commit_mutex with 2181 * the rtnl_mutex. 2182 */ 2183 dev = __dev_get_by_name(net, ifname); 2184 if (!dev) { 2185 err = -ENOENT; 2186 goto err_hook_dev; 2187 } 2188 hook->ops.dev = dev; 2189 2190 return hook; 2191 2192 err_hook_dev: 2193 kfree(hook); 2194 err_hook_alloc: 2195 return ERR_PTR(err); 2196 } 2197 2198 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, 2199 const struct nft_hook *this) 2200 { 2201 struct nft_hook *hook; 2202 2203 list_for_each_entry(hook, hook_list, list) { 2204 if (this->ops.dev == hook->ops.dev) 2205 return hook; 2206 } 2207 2208 return NULL; 2209 } 2210 2211 static int nf_tables_parse_netdev_hooks(struct net *net, 2212 const struct nlattr *attr, 2213 struct list_head *hook_list, 2214 struct netlink_ext_ack *extack) 2215 { 2216 struct nft_hook *hook, *next; 2217 const struct nlattr *tmp; 2218 int rem, n = 0, err; 2219 2220 nla_for_each_nested(tmp, attr, rem) { 2221 if (nla_type(tmp) != NFTA_DEVICE_NAME) { 2222 err = -EINVAL; 2223 goto err_hook; 2224 } 2225 2226 hook = nft_netdev_hook_alloc(net, tmp); 2227 if (IS_ERR(hook)) { 2228 NL_SET_BAD_ATTR(extack, tmp); 2229 err = PTR_ERR(hook); 2230 goto err_hook; 2231 } 2232 if (nft_hook_list_find(hook_list, hook)) { 2233 NL_SET_BAD_ATTR(extack, tmp); 2234 kfree(hook); 2235 err = -EEXIST; 2236 goto err_hook; 2237 } 2238 list_add_tail(&hook->list, hook_list); 2239 n++; 2240 2241 if (n == NFT_NETDEVICE_MAX) { 2242 err = -EFBIG; 2243 goto err_hook; 2244 } 2245 } 2246 2247 return 0; 2248 2249 err_hook: 2250 list_for_each_entry_safe(hook, next, hook_list, list) { 2251 list_del(&hook->list); 2252 kfree(hook); 2253 } 2254 return err; 2255 } 2256 2257 struct nft_chain_hook { 2258 u32 num; 2259 s32 priority; 2260 const struct nft_chain_type *type; 2261 struct list_head list; 2262 }; 2263 2264 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[], 2265 struct list_head *hook_list, 2266 struct netlink_ext_ack *extack, u32 flags) 2267 { 2268 struct nft_hook *hook; 2269 int err; 2270 2271 if (tb[NFTA_HOOK_DEV]) { 2272 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); 2273 if (IS_ERR(hook)) { 2274 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]); 2275 return PTR_ERR(hook); 2276 } 2277 2278 list_add_tail(&hook->list, hook_list); 2279 } else if (tb[NFTA_HOOK_DEVS]) { 2280 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 2281 hook_list, extack); 2282 if (err < 0) 2283 return err; 2284 2285 } 2286 2287 if (flags & NFT_CHAIN_HW_OFFLOAD && 2288 list_empty(hook_list)) 2289 return -EINVAL; 2290 2291 return 0; 2292 } 2293 2294 static int nft_chain_parse_hook(struct net *net, 2295 struct nft_base_chain *basechain, 2296 const struct nlattr * const nla[], 2297 struct nft_chain_hook *hook, u8 family, 2298 u32 flags, struct netlink_ext_ack *extack) 2299 { 2300 struct nftables_pernet *nft_net = nft_pernet(net); 2301 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 2302 const struct nft_chain_type *type; 2303 int err; 2304 2305 lockdep_assert_held(&nft_net->commit_mutex); 2306 lockdep_nfnl_nft_mutex_not_held(); 2307 2308 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 2309 nla[NFTA_CHAIN_HOOK], 2310 nft_hook_policy, NULL); 2311 if (err < 0) 2312 return err; 2313 2314 if (!basechain) { 2315 if (!ha[NFTA_HOOK_HOOKNUM] || 2316 !ha[NFTA_HOOK_PRIORITY]) { 2317 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2318 return -ENOENT; 2319 } 2320 2321 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 2322 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 2323 2324 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 2325 if (!type) 2326 return -EOPNOTSUPP; 2327 2328 if (nla[NFTA_CHAIN_TYPE]) { 2329 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 2330 family, true); 2331 if (IS_ERR(type)) { 2332 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2333 return PTR_ERR(type); 2334 } 2335 } 2336 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 2337 return -EOPNOTSUPP; 2338 2339 if (type->type == NFT_CHAIN_T_NAT && 2340 hook->priority <= NF_IP_PRI_CONNTRACK) 2341 return -EOPNOTSUPP; 2342 } else { 2343 if (ha[NFTA_HOOK_HOOKNUM]) { 2344 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 2345 if (hook->num != basechain->ops.hooknum) 2346 return -EOPNOTSUPP; 2347 } 2348 if (ha[NFTA_HOOK_PRIORITY]) { 2349 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 2350 if (hook->priority != basechain->ops.priority) 2351 return -EOPNOTSUPP; 2352 } 2353 2354 if (nla[NFTA_CHAIN_TYPE]) { 2355 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE], 2356 family); 2357 if (!type) { 2358 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2359 return -ENOENT; 2360 } 2361 } else { 2362 type = basechain->type; 2363 } 2364 } 2365 2366 if (!try_module_get(type->owner)) { 2367 if (nla[NFTA_CHAIN_TYPE]) 2368 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2369 return -ENOENT; 2370 } 2371 2372 hook->type = type; 2373 2374 INIT_LIST_HEAD(&hook->list); 2375 if (nft_base_chain_netdev(family, hook->num)) { 2376 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags); 2377 if (err < 0) { 2378 module_put(type->owner); 2379 return err; 2380 } 2381 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 2382 module_put(type->owner); 2383 return -EOPNOTSUPP; 2384 } 2385 2386 return 0; 2387 } 2388 2389 static void nft_chain_release_hook(struct nft_chain_hook *hook) 2390 { 2391 struct nft_hook *h, *next; 2392 2393 list_for_each_entry_safe(h, next, &hook->list, list) { 2394 list_del(&h->list); 2395 kfree(h); 2396 } 2397 module_put(hook->type->owner); 2398 } 2399 2400 static void nft_last_rule(const struct nft_chain *chain, const void *ptr) 2401 { 2402 struct nft_rule_dp_last *lrule; 2403 2404 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0); 2405 2406 lrule = (struct nft_rule_dp_last *)ptr; 2407 lrule->end.is_last = 1; 2408 lrule->chain = chain; 2409 /* blob size does not include the trailer rule */ 2410 } 2411 2412 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain, 2413 unsigned int size) 2414 { 2415 struct nft_rule_blob *blob; 2416 2417 if (size > INT_MAX) 2418 return NULL; 2419 2420 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last); 2421 2422 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT); 2423 if (!blob) 2424 return NULL; 2425 2426 blob->size = 0; 2427 nft_last_rule(chain, blob->data); 2428 2429 return blob; 2430 } 2431 2432 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 2433 const struct nft_chain_hook *hook, 2434 struct nft_chain *chain) 2435 { 2436 ops->pf = family; 2437 ops->hooknum = hook->num; 2438 ops->priority = hook->priority; 2439 ops->priv = chain; 2440 ops->hook = hook->type->hooks[ops->hooknum]; 2441 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES; 2442 } 2443 2444 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 2445 struct nft_chain_hook *hook, u32 flags) 2446 { 2447 struct nft_chain *chain; 2448 struct nft_hook *h; 2449 2450 basechain->type = hook->type; 2451 INIT_LIST_HEAD(&basechain->hook_list); 2452 chain = &basechain->chain; 2453 2454 if (nft_base_chain_netdev(family, hook->num)) { 2455 list_splice_init(&hook->list, &basechain->hook_list); 2456 list_for_each_entry(h, &basechain->hook_list, list) 2457 nft_basechain_hook_init(&h->ops, family, hook, chain); 2458 } 2459 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 2460 2461 chain->flags |= NFT_CHAIN_BASE | flags; 2462 basechain->policy = NF_ACCEPT; 2463 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 2464 !nft_chain_offload_support(basechain)) { 2465 list_splice_init(&basechain->hook_list, &hook->list); 2466 return -EOPNOTSUPP; 2467 } 2468 2469 flow_block_init(&basechain->flow_block); 2470 2471 return 0; 2472 } 2473 2474 int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 2475 { 2476 int err; 2477 2478 err = rhltable_insert_key(&table->chains_ht, chain->name, 2479 &chain->rhlhead, nft_chain_ht_params); 2480 if (err) 2481 return err; 2482 2483 list_add_tail_rcu(&chain->list, &table->chains); 2484 2485 return 0; 2486 } 2487 2488 static u64 chain_id; 2489 2490 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 2491 u8 policy, u32 flags, 2492 struct netlink_ext_ack *extack) 2493 { 2494 const struct nlattr * const *nla = ctx->nla; 2495 struct nft_table *table = ctx->table; 2496 struct nft_base_chain *basechain; 2497 struct net *net = ctx->net; 2498 char name[NFT_NAME_MAXLEN]; 2499 struct nft_rule_blob *blob; 2500 struct nft_trans *trans; 2501 struct nft_chain *chain; 2502 int err; 2503 2504 if (nla[NFTA_CHAIN_HOOK]) { 2505 struct nft_stats __percpu *stats = NULL; 2506 struct nft_chain_hook hook = {}; 2507 2508 if (table->flags & __NFT_TABLE_F_UPDATE) 2509 return -EINVAL; 2510 2511 if (flags & NFT_CHAIN_BINDING) 2512 return -EOPNOTSUPP; 2513 2514 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags, 2515 extack); 2516 if (err < 0) 2517 return err; 2518 2519 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT); 2520 if (basechain == NULL) { 2521 nft_chain_release_hook(&hook); 2522 return -ENOMEM; 2523 } 2524 chain = &basechain->chain; 2525 2526 if (nla[NFTA_CHAIN_COUNTERS]) { 2527 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2528 if (IS_ERR(stats)) { 2529 nft_chain_release_hook(&hook); 2530 kfree(basechain); 2531 return PTR_ERR(stats); 2532 } 2533 rcu_assign_pointer(basechain->stats, stats); 2534 } 2535 2536 err = nft_basechain_init(basechain, family, &hook, flags); 2537 if (err < 0) { 2538 nft_chain_release_hook(&hook); 2539 kfree(basechain); 2540 free_percpu(stats); 2541 return err; 2542 } 2543 if (stats) 2544 static_branch_inc(&nft_counters_enabled); 2545 } else { 2546 if (flags & NFT_CHAIN_BASE) 2547 return -EINVAL; 2548 if (flags & NFT_CHAIN_HW_OFFLOAD) 2549 return -EOPNOTSUPP; 2550 2551 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT); 2552 if (chain == NULL) 2553 return -ENOMEM; 2554 2555 chain->flags = flags; 2556 } 2557 ctx->chain = chain; 2558 2559 INIT_LIST_HEAD(&chain->rules); 2560 chain->handle = nf_tables_alloc_handle(table); 2561 chain->table = table; 2562 2563 if (nla[NFTA_CHAIN_NAME]) { 2564 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2565 } else { 2566 if (!(flags & NFT_CHAIN_BINDING)) { 2567 err = -EINVAL; 2568 goto err_destroy_chain; 2569 } 2570 2571 snprintf(name, sizeof(name), "__chain%llu", ++chain_id); 2572 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT); 2573 } 2574 2575 if (!chain->name) { 2576 err = -ENOMEM; 2577 goto err_destroy_chain; 2578 } 2579 2580 if (nla[NFTA_CHAIN_USERDATA]) { 2581 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT); 2582 if (chain->udata == NULL) { 2583 err = -ENOMEM; 2584 goto err_destroy_chain; 2585 } 2586 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]); 2587 } 2588 2589 blob = nf_tables_chain_alloc_rules(chain, 0); 2590 if (!blob) { 2591 err = -ENOMEM; 2592 goto err_destroy_chain; 2593 } 2594 2595 RCU_INIT_POINTER(chain->blob_gen_0, blob); 2596 RCU_INIT_POINTER(chain->blob_gen_1, blob); 2597 2598 if (!nft_use_inc(&table->use)) { 2599 err = -EMFILE; 2600 goto err_destroy_chain; 2601 } 2602 2603 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 2604 if (IS_ERR(trans)) { 2605 err = PTR_ERR(trans); 2606 goto err_trans; 2607 } 2608 2609 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 2610 if (nft_is_base_chain(chain)) 2611 nft_trans_chain_policy(trans) = policy; 2612 2613 err = nft_chain_add(table, chain); 2614 if (err < 0) 2615 goto err_chain_add; 2616 2617 /* This must be LAST to ensure no packets are walking over this chain. */ 2618 err = nf_tables_register_hook(net, table, chain); 2619 if (err < 0) 2620 goto err_register_hook; 2621 2622 return 0; 2623 2624 err_register_hook: 2625 nft_chain_del(chain); 2626 err_chain_add: 2627 nft_trans_destroy(trans); 2628 err_trans: 2629 nft_use_dec_restore(&table->use); 2630 err_destroy_chain: 2631 nf_tables_chain_destroy(chain); 2632 2633 return err; 2634 } 2635 2636 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2637 u32 flags, const struct nlattr *attr, 2638 struct netlink_ext_ack *extack) 2639 { 2640 const struct nlattr * const *nla = ctx->nla; 2641 struct nft_base_chain *basechain = NULL; 2642 struct nft_table *table = ctx->table; 2643 struct nft_chain *chain = ctx->chain; 2644 struct nft_chain_hook hook = {}; 2645 struct nft_stats *stats = NULL; 2646 struct nft_hook *h, *next; 2647 struct nf_hook_ops *ops; 2648 struct nft_trans *trans; 2649 bool unregister = false; 2650 int err; 2651 2652 if (chain->flags ^ flags) 2653 return -EOPNOTSUPP; 2654 2655 INIT_LIST_HEAD(&hook.list); 2656 2657 if (nla[NFTA_CHAIN_HOOK]) { 2658 if (!nft_is_base_chain(chain)) { 2659 NL_SET_BAD_ATTR(extack, attr); 2660 return -EEXIST; 2661 } 2662 2663 basechain = nft_base_chain(chain); 2664 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook, 2665 ctx->family, flags, extack); 2666 if (err < 0) 2667 return err; 2668 2669 if (basechain->type != hook.type) { 2670 nft_chain_release_hook(&hook); 2671 NL_SET_BAD_ATTR(extack, attr); 2672 return -EEXIST; 2673 } 2674 2675 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) { 2676 list_for_each_entry_safe(h, next, &hook.list, list) { 2677 h->ops.pf = basechain->ops.pf; 2678 h->ops.hooknum = basechain->ops.hooknum; 2679 h->ops.priority = basechain->ops.priority; 2680 h->ops.priv = basechain->ops.priv; 2681 h->ops.hook = basechain->ops.hook; 2682 2683 if (nft_hook_list_find(&basechain->hook_list, h)) { 2684 list_del(&h->list); 2685 kfree(h); 2686 } 2687 } 2688 } else { 2689 ops = &basechain->ops; 2690 if (ops->hooknum != hook.num || 2691 ops->priority != hook.priority) { 2692 nft_chain_release_hook(&hook); 2693 NL_SET_BAD_ATTR(extack, attr); 2694 return -EEXIST; 2695 } 2696 } 2697 } 2698 2699 if (nla[NFTA_CHAIN_HANDLE] && 2700 nla[NFTA_CHAIN_NAME]) { 2701 struct nft_chain *chain2; 2702 2703 chain2 = nft_chain_lookup(ctx->net, table, 2704 nla[NFTA_CHAIN_NAME], genmask); 2705 if (!IS_ERR(chain2)) { 2706 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2707 err = -EEXIST; 2708 goto err_hooks; 2709 } 2710 } 2711 2712 if (table->flags & __NFT_TABLE_F_UPDATE && 2713 !list_empty(&hook.list)) { 2714 NL_SET_BAD_ATTR(extack, attr); 2715 err = -EOPNOTSUPP; 2716 goto err_hooks; 2717 } 2718 2719 if (!(table->flags & NFT_TABLE_F_DORMANT) && 2720 nft_is_base_chain(chain) && 2721 !list_empty(&hook.list)) { 2722 basechain = nft_base_chain(chain); 2723 ops = &basechain->ops; 2724 2725 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) { 2726 err = nft_netdev_register_hooks(ctx->net, &hook.list); 2727 if (err < 0) 2728 goto err_hooks; 2729 } 2730 } 2731 2732 unregister = true; 2733 2734 if (nla[NFTA_CHAIN_COUNTERS]) { 2735 if (!nft_is_base_chain(chain)) { 2736 err = -EOPNOTSUPP; 2737 goto err_hooks; 2738 } 2739 2740 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2741 if (IS_ERR(stats)) { 2742 err = PTR_ERR(stats); 2743 goto err_hooks; 2744 } 2745 } 2746 2747 err = -ENOMEM; 2748 trans = nft_trans_alloc_chain(ctx, NFT_MSG_NEWCHAIN); 2749 if (trans == NULL) 2750 goto err_trans; 2751 2752 nft_trans_chain_stats(trans) = stats; 2753 nft_trans_chain_update(trans) = true; 2754 2755 if (nla[NFTA_CHAIN_POLICY]) 2756 nft_trans_chain_policy(trans) = policy; 2757 else 2758 nft_trans_chain_policy(trans) = -1; 2759 2760 if (nla[NFTA_CHAIN_HANDLE] && 2761 nla[NFTA_CHAIN_NAME]) { 2762 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 2763 struct nft_trans *tmp; 2764 char *name; 2765 2766 err = -ENOMEM; 2767 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2768 if (!name) 2769 goto err_trans; 2770 2771 err = -EEXIST; 2772 list_for_each_entry(tmp, &nft_net->commit_list, list) { 2773 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2774 tmp->table == table && 2775 nft_trans_chain_update(tmp) && 2776 nft_trans_chain_name(tmp) && 2777 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2778 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2779 kfree(name); 2780 goto err_trans; 2781 } 2782 } 2783 2784 nft_trans_chain_name(trans) = name; 2785 } 2786 2787 nft_trans_basechain(trans) = basechain; 2788 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans)); 2789 list_splice(&hook.list, &nft_trans_chain_hooks(trans)); 2790 if (nla[NFTA_CHAIN_HOOK]) 2791 module_put(hook.type->owner); 2792 2793 nft_trans_commit_list_add_tail(ctx->net, trans); 2794 2795 return 0; 2796 2797 err_trans: 2798 free_percpu(stats); 2799 kfree(trans); 2800 err_hooks: 2801 if (nla[NFTA_CHAIN_HOOK]) { 2802 list_for_each_entry_safe(h, next, &hook.list, list) { 2803 if (unregister) 2804 nf_unregister_net_hook(ctx->net, &h->ops); 2805 list_del(&h->list); 2806 kfree_rcu(h, rcu); 2807 } 2808 module_put(hook.type->owner); 2809 } 2810 2811 return err; 2812 } 2813 2814 static struct nft_chain *nft_chain_lookup_byid(const struct net *net, 2815 const struct nft_table *table, 2816 const struct nlattr *nla, u8 genmask) 2817 { 2818 struct nftables_pernet *nft_net = nft_pernet(net); 2819 u32 id = ntohl(nla_get_be32(nla)); 2820 struct nft_trans *trans; 2821 2822 list_for_each_entry(trans, &nft_net->commit_list, list) { 2823 if (trans->msg_type == NFT_MSG_NEWCHAIN && 2824 nft_trans_chain(trans)->table == table && 2825 id == nft_trans_chain_id(trans) && 2826 nft_active_genmask(nft_trans_chain(trans), genmask)) 2827 return nft_trans_chain(trans); 2828 } 2829 return ERR_PTR(-ENOENT); 2830 } 2831 2832 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info, 2833 const struct nlattr * const nla[]) 2834 { 2835 struct nftables_pernet *nft_net = nft_pernet(info->net); 2836 struct netlink_ext_ack *extack = info->extack; 2837 u8 genmask = nft_genmask_next(info->net); 2838 u8 family = info->nfmsg->nfgen_family; 2839 struct nft_chain *chain = NULL; 2840 struct net *net = info->net; 2841 const struct nlattr *attr; 2842 struct nft_table *table; 2843 u8 policy = NF_ACCEPT; 2844 struct nft_ctx ctx; 2845 u64 handle = 0; 2846 u32 flags = 0; 2847 2848 lockdep_assert_held(&nft_net->commit_mutex); 2849 2850 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2851 NETLINK_CB(skb).portid); 2852 if (IS_ERR(table)) { 2853 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2854 return PTR_ERR(table); 2855 } 2856 2857 chain = NULL; 2858 attr = nla[NFTA_CHAIN_NAME]; 2859 2860 if (nla[NFTA_CHAIN_HANDLE]) { 2861 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 2862 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2863 if (IS_ERR(chain)) { 2864 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 2865 return PTR_ERR(chain); 2866 } 2867 attr = nla[NFTA_CHAIN_HANDLE]; 2868 } else if (nla[NFTA_CHAIN_NAME]) { 2869 chain = nft_chain_lookup(net, table, attr, genmask); 2870 if (IS_ERR(chain)) { 2871 if (PTR_ERR(chain) != -ENOENT) { 2872 NL_SET_BAD_ATTR(extack, attr); 2873 return PTR_ERR(chain); 2874 } 2875 chain = NULL; 2876 } 2877 } else if (!nla[NFTA_CHAIN_ID]) { 2878 return -EINVAL; 2879 } 2880 2881 if (nla[NFTA_CHAIN_POLICY]) { 2882 if (chain != NULL && 2883 !nft_is_base_chain(chain)) { 2884 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2885 return -EOPNOTSUPP; 2886 } 2887 2888 if (chain == NULL && 2889 nla[NFTA_CHAIN_HOOK] == NULL) { 2890 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2891 return -EOPNOTSUPP; 2892 } 2893 2894 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 2895 switch (policy) { 2896 case NF_DROP: 2897 case NF_ACCEPT: 2898 break; 2899 default: 2900 return -EINVAL; 2901 } 2902 } 2903 2904 if (nla[NFTA_CHAIN_FLAGS]) 2905 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 2906 else if (chain) 2907 flags = chain->flags; 2908 2909 if (flags & ~NFT_CHAIN_FLAGS) 2910 return -EOPNOTSUPP; 2911 2912 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2913 2914 if (chain != NULL) { 2915 if (chain->flags & NFT_CHAIN_BINDING) 2916 return -EINVAL; 2917 2918 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 2919 NL_SET_BAD_ATTR(extack, attr); 2920 return -EEXIST; 2921 } 2922 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 2923 return -EOPNOTSUPP; 2924 2925 flags |= chain->flags & NFT_CHAIN_BASE; 2926 return nf_tables_updchain(&ctx, genmask, policy, flags, attr, 2927 extack); 2928 } 2929 2930 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack); 2931 } 2932 2933 static int nft_delchain_hook(struct nft_ctx *ctx, 2934 struct nft_base_chain *basechain, 2935 struct netlink_ext_ack *extack) 2936 { 2937 const struct nft_chain *chain = &basechain->chain; 2938 const struct nlattr * const *nla = ctx->nla; 2939 struct nft_chain_hook chain_hook = {}; 2940 struct nft_hook *this, *hook; 2941 LIST_HEAD(chain_del_list); 2942 struct nft_trans *trans; 2943 int err; 2944 2945 if (ctx->table->flags & __NFT_TABLE_F_UPDATE) 2946 return -EOPNOTSUPP; 2947 2948 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook, 2949 ctx->family, chain->flags, extack); 2950 if (err < 0) 2951 return err; 2952 2953 list_for_each_entry(this, &chain_hook.list, list) { 2954 hook = nft_hook_list_find(&basechain->hook_list, this); 2955 if (!hook) { 2956 err = -ENOENT; 2957 goto err_chain_del_hook; 2958 } 2959 list_move(&hook->list, &chain_del_list); 2960 } 2961 2962 trans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN); 2963 if (!trans) { 2964 err = -ENOMEM; 2965 goto err_chain_del_hook; 2966 } 2967 2968 nft_trans_basechain(trans) = basechain; 2969 nft_trans_chain_update(trans) = true; 2970 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans)); 2971 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans)); 2972 nft_chain_release_hook(&chain_hook); 2973 2974 nft_trans_commit_list_add_tail(ctx->net, trans); 2975 2976 return 0; 2977 2978 err_chain_del_hook: 2979 list_splice(&chain_del_list, &basechain->hook_list); 2980 nft_chain_release_hook(&chain_hook); 2981 2982 return err; 2983 } 2984 2985 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info, 2986 const struct nlattr * const nla[]) 2987 { 2988 struct netlink_ext_ack *extack = info->extack; 2989 u8 genmask = nft_genmask_next(info->net); 2990 u8 family = info->nfmsg->nfgen_family; 2991 struct net *net = info->net; 2992 const struct nlattr *attr; 2993 struct nft_table *table; 2994 struct nft_chain *chain; 2995 struct nft_rule *rule; 2996 struct nft_ctx ctx; 2997 u64 handle; 2998 u32 use; 2999 int err; 3000 3001 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 3002 NETLINK_CB(skb).portid); 3003 if (IS_ERR(table)) { 3004 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 3005 return PTR_ERR(table); 3006 } 3007 3008 if (nla[NFTA_CHAIN_HANDLE]) { 3009 attr = nla[NFTA_CHAIN_HANDLE]; 3010 handle = be64_to_cpu(nla_get_be64(attr)); 3011 chain = nft_chain_lookup_byhandle(table, handle, genmask); 3012 } else { 3013 attr = nla[NFTA_CHAIN_NAME]; 3014 chain = nft_chain_lookup(net, table, attr, genmask); 3015 } 3016 if (IS_ERR(chain)) { 3017 if (PTR_ERR(chain) == -ENOENT && 3018 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN) 3019 return 0; 3020 3021 NL_SET_BAD_ATTR(extack, attr); 3022 return PTR_ERR(chain); 3023 } 3024 3025 if (nft_chain_binding(chain)) 3026 return -EOPNOTSUPP; 3027 3028 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3029 3030 if (nla[NFTA_CHAIN_HOOK]) { 3031 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN || 3032 chain->flags & NFT_CHAIN_HW_OFFLOAD) 3033 return -EOPNOTSUPP; 3034 3035 if (nft_is_base_chain(chain)) { 3036 struct nft_base_chain *basechain = nft_base_chain(chain); 3037 3038 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 3039 return nft_delchain_hook(&ctx, basechain, extack); 3040 } 3041 } 3042 3043 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 3044 chain->use > 0) 3045 return -EBUSY; 3046 3047 use = chain->use; 3048 list_for_each_entry(rule, &chain->rules, list) { 3049 if (!nft_is_active_next(net, rule)) 3050 continue; 3051 use--; 3052 3053 err = nft_delrule(&ctx, rule); 3054 if (err < 0) 3055 return err; 3056 } 3057 3058 /* There are rules and elements that are still holding references to us, 3059 * we cannot do a recursive removal in this case. 3060 */ 3061 if (use > 0) { 3062 NL_SET_BAD_ATTR(extack, attr); 3063 return -EBUSY; 3064 } 3065 3066 return nft_delchain(&ctx); 3067 } 3068 3069 /* 3070 * Expressions 3071 */ 3072 3073 /** 3074 * nft_register_expr - register nf_tables expr type 3075 * @type: expr type 3076 * 3077 * Registers the expr type for use with nf_tables. Returns zero on 3078 * success or a negative errno code otherwise. 3079 */ 3080 int nft_register_expr(struct nft_expr_type *type) 3081 { 3082 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR)) 3083 return -ENOMEM; 3084 3085 nfnl_lock(NFNL_SUBSYS_NFTABLES); 3086 if (type->family == NFPROTO_UNSPEC) 3087 list_add_tail_rcu(&type->list, &nf_tables_expressions); 3088 else 3089 list_add_rcu(&type->list, &nf_tables_expressions); 3090 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3091 return 0; 3092 } 3093 EXPORT_SYMBOL_GPL(nft_register_expr); 3094 3095 /** 3096 * nft_unregister_expr - unregister nf_tables expr type 3097 * @type: expr type 3098 * 3099 * Unregisters the expr typefor use with nf_tables. 3100 */ 3101 void nft_unregister_expr(struct nft_expr_type *type) 3102 { 3103 nfnl_lock(NFNL_SUBSYS_NFTABLES); 3104 list_del_rcu(&type->list); 3105 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3106 } 3107 EXPORT_SYMBOL_GPL(nft_unregister_expr); 3108 3109 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 3110 struct nlattr *nla) 3111 { 3112 const struct nft_expr_type *type, *candidate = NULL; 3113 3114 list_for_each_entry_rcu(type, &nf_tables_expressions, list) { 3115 if (!nla_strcmp(nla, type->name)) { 3116 if (!type->family && !candidate) 3117 candidate = type; 3118 else if (type->family == family) 3119 candidate = type; 3120 } 3121 } 3122 return candidate; 3123 } 3124 3125 #ifdef CONFIG_MODULES 3126 static int nft_expr_type_request_module(struct net *net, u8 family, 3127 struct nlattr *nla) 3128 { 3129 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 3130 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 3131 return -EAGAIN; 3132 3133 return 0; 3134 } 3135 #endif 3136 3137 static const struct nft_expr_type *nft_expr_type_get(struct net *net, 3138 u8 family, 3139 struct nlattr *nla) 3140 { 3141 const struct nft_expr_type *type; 3142 3143 if (nla == NULL) 3144 return ERR_PTR(-EINVAL); 3145 3146 rcu_read_lock(); 3147 type = __nft_expr_type_get(family, nla); 3148 if (type != NULL && try_module_get(type->owner)) { 3149 rcu_read_unlock(); 3150 return type; 3151 } 3152 rcu_read_unlock(); 3153 3154 lockdep_nfnl_nft_mutex_not_held(); 3155 #ifdef CONFIG_MODULES 3156 if (type == NULL) { 3157 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 3158 return ERR_PTR(-EAGAIN); 3159 3160 if (nft_request_module(net, "nft-expr-%.*s", 3161 nla_len(nla), 3162 (char *)nla_data(nla)) == -EAGAIN) 3163 return ERR_PTR(-EAGAIN); 3164 } 3165 #endif 3166 return ERR_PTR(-ENOENT); 3167 } 3168 3169 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 3170 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 3171 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 3172 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 3173 }; 3174 3175 static int nf_tables_fill_expr_info(struct sk_buff *skb, 3176 const struct nft_expr *expr, bool reset) 3177 { 3178 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 3179 goto nla_put_failure; 3180 3181 if (expr->ops->dump) { 3182 struct nlattr *data = nla_nest_start_noflag(skb, 3183 NFTA_EXPR_DATA); 3184 if (data == NULL) 3185 goto nla_put_failure; 3186 if (expr->ops->dump(skb, expr, reset) < 0) 3187 goto nla_put_failure; 3188 nla_nest_end(skb, data); 3189 } 3190 3191 return skb->len; 3192 3193 nla_put_failure: 3194 return -1; 3195 }; 3196 3197 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 3198 const struct nft_expr *expr, bool reset) 3199 { 3200 struct nlattr *nest; 3201 3202 nest = nla_nest_start_noflag(skb, attr); 3203 if (!nest) 3204 goto nla_put_failure; 3205 if (nf_tables_fill_expr_info(skb, expr, reset) < 0) 3206 goto nla_put_failure; 3207 nla_nest_end(skb, nest); 3208 return 0; 3209 3210 nla_put_failure: 3211 return -1; 3212 } 3213 3214 struct nft_expr_info { 3215 const struct nft_expr_ops *ops; 3216 const struct nlattr *attr; 3217 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 3218 }; 3219 3220 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 3221 const struct nlattr *nla, 3222 struct nft_expr_info *info) 3223 { 3224 const struct nft_expr_type *type; 3225 const struct nft_expr_ops *ops; 3226 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 3227 int err; 3228 3229 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 3230 nft_expr_policy, NULL); 3231 if (err < 0) 3232 return err; 3233 3234 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 3235 if (IS_ERR(type)) 3236 return PTR_ERR(type); 3237 3238 if (tb[NFTA_EXPR_DATA]) { 3239 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 3240 tb[NFTA_EXPR_DATA], 3241 type->policy, NULL); 3242 if (err < 0) 3243 goto err1; 3244 } else 3245 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 3246 3247 if (type->select_ops != NULL) { 3248 ops = type->select_ops(ctx, 3249 (const struct nlattr * const *)info->tb); 3250 if (IS_ERR(ops)) { 3251 err = PTR_ERR(ops); 3252 #ifdef CONFIG_MODULES 3253 if (err == -EAGAIN) 3254 if (nft_expr_type_request_module(ctx->net, 3255 ctx->family, 3256 tb[NFTA_EXPR_NAME]) != -EAGAIN) 3257 err = -ENOENT; 3258 #endif 3259 goto err1; 3260 } 3261 } else 3262 ops = type->ops; 3263 3264 info->attr = nla; 3265 info->ops = ops; 3266 3267 return 0; 3268 3269 err1: 3270 module_put(type->owner); 3271 return err; 3272 } 3273 3274 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla, 3275 struct nft_expr_info *info) 3276 { 3277 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 3278 const struct nft_expr_type *type; 3279 int err; 3280 3281 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 3282 nft_expr_policy, NULL); 3283 if (err < 0) 3284 return err; 3285 3286 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME]) 3287 return -EINVAL; 3288 3289 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]); 3290 if (!type) 3291 return -ENOENT; 3292 3293 if (!type->inner_ops) 3294 return -EOPNOTSUPP; 3295 3296 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 3297 tb[NFTA_EXPR_DATA], 3298 type->policy, NULL); 3299 if (err < 0) 3300 goto err_nla_parse; 3301 3302 info->attr = nla; 3303 info->ops = type->inner_ops; 3304 3305 return 0; 3306 3307 err_nla_parse: 3308 return err; 3309 } 3310 3311 static int nf_tables_newexpr(const struct nft_ctx *ctx, 3312 const struct nft_expr_info *expr_info, 3313 struct nft_expr *expr) 3314 { 3315 const struct nft_expr_ops *ops = expr_info->ops; 3316 int err; 3317 3318 expr->ops = ops; 3319 if (ops->init) { 3320 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb); 3321 if (err < 0) 3322 goto err1; 3323 } 3324 3325 return 0; 3326 err1: 3327 expr->ops = NULL; 3328 return err; 3329 } 3330 3331 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 3332 struct nft_expr *expr) 3333 { 3334 const struct nft_expr_type *type = expr->ops->type; 3335 3336 if (expr->ops->destroy) 3337 expr->ops->destroy(ctx, expr); 3338 module_put(type->owner); 3339 } 3340 3341 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 3342 const struct nlattr *nla) 3343 { 3344 struct nft_expr_info expr_info; 3345 struct nft_expr *expr; 3346 struct module *owner; 3347 int err; 3348 3349 err = nf_tables_expr_parse(ctx, nla, &expr_info); 3350 if (err < 0) 3351 goto err_expr_parse; 3352 3353 err = -EOPNOTSUPP; 3354 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL)) 3355 goto err_expr_stateful; 3356 3357 err = -ENOMEM; 3358 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT); 3359 if (expr == NULL) 3360 goto err_expr_stateful; 3361 3362 err = nf_tables_newexpr(ctx, &expr_info, expr); 3363 if (err < 0) 3364 goto err_expr_new; 3365 3366 return expr; 3367 err_expr_new: 3368 kfree(expr); 3369 err_expr_stateful: 3370 owner = expr_info.ops->type->owner; 3371 if (expr_info.ops->type->release_ops) 3372 expr_info.ops->type->release_ops(expr_info.ops); 3373 3374 module_put(owner); 3375 err_expr_parse: 3376 return ERR_PTR(err); 3377 } 3378 3379 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp) 3380 { 3381 int err; 3382 3383 if (WARN_ON_ONCE(!src->ops->clone)) 3384 return -EINVAL; 3385 3386 dst->ops = src->ops; 3387 err = src->ops->clone(dst, src, gfp); 3388 if (err < 0) 3389 return err; 3390 3391 __module_get(src->ops->type->owner); 3392 3393 return 0; 3394 } 3395 3396 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 3397 { 3398 nf_tables_expr_destroy(ctx, expr); 3399 kfree(expr); 3400 } 3401 3402 /* 3403 * Rules 3404 */ 3405 3406 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain, 3407 u64 handle) 3408 { 3409 struct nft_rule *rule; 3410 3411 // FIXME: this sucks 3412 list_for_each_entry_rcu(rule, &chain->rules, list) { 3413 if (handle == rule->handle) 3414 return rule; 3415 } 3416 3417 return ERR_PTR(-ENOENT); 3418 } 3419 3420 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain, 3421 const struct nlattr *nla) 3422 { 3423 if (nla == NULL) 3424 return ERR_PTR(-EINVAL); 3425 3426 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 3427 } 3428 3429 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 3430 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 3431 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3432 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 3433 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 3434 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 3435 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy), 3436 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 3437 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 3438 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 3439 .len = NFT_USERDATA_MAXLEN }, 3440 [NFTA_RULE_ID] = { .type = NLA_U32 }, 3441 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 3442 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 }, 3443 }; 3444 3445 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 3446 u32 portid, u32 seq, int event, 3447 u32 flags, int family, 3448 const struct nft_table *table, 3449 const struct nft_chain *chain, 3450 const struct nft_rule *rule, u64 handle, 3451 bool reset) 3452 { 3453 struct nlmsghdr *nlh; 3454 const struct nft_expr *expr, *next; 3455 struct nlattr *list; 3456 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3457 3458 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, 3459 nft_base_seq(net)); 3460 if (!nlh) 3461 goto nla_put_failure; 3462 3463 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 3464 goto nla_put_failure; 3465 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 3466 goto nla_put_failure; 3467 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 3468 NFTA_RULE_PAD)) 3469 goto nla_put_failure; 3470 3471 if (event != NFT_MSG_DELRULE && handle) { 3472 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle), 3473 NFTA_RULE_PAD)) 3474 goto nla_put_failure; 3475 } 3476 3477 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) 3478 nft_flow_rule_stats(chain, rule); 3479 3480 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 3481 if (list == NULL) 3482 goto nla_put_failure; 3483 nft_rule_for_each_expr(expr, next, rule) { 3484 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0) 3485 goto nla_put_failure; 3486 } 3487 nla_nest_end(skb, list); 3488 3489 if (rule->udata) { 3490 struct nft_userdata *udata = nft_userdata(rule); 3491 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 3492 udata->data) < 0) 3493 goto nla_put_failure; 3494 } 3495 3496 nlmsg_end(skb, nlh); 3497 return 0; 3498 3499 nla_put_failure: 3500 nlmsg_trim(skb, nlh); 3501 return -1; 3502 } 3503 3504 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 3505 const struct nft_rule *rule, int event) 3506 { 3507 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3508 const struct nft_rule *prule; 3509 struct sk_buff *skb; 3510 u64 handle = 0; 3511 u16 flags = 0; 3512 int err; 3513 3514 if (!ctx->report && 3515 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3516 return; 3517 3518 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 3519 if (skb == NULL) 3520 goto err; 3521 3522 if (event == NFT_MSG_NEWRULE && 3523 !list_is_first(&rule->list, &ctx->chain->rules) && 3524 !list_is_last(&rule->list, &ctx->chain->rules)) { 3525 prule = list_prev_entry(rule, list); 3526 handle = prule->handle; 3527 } 3528 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE)) 3529 flags |= NLM_F_APPEND; 3530 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 3531 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 3532 3533 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 3534 event, flags, ctx->family, ctx->table, 3535 ctx->chain, rule, handle, false); 3536 if (err < 0) { 3537 kfree_skb(skb); 3538 goto err; 3539 } 3540 3541 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 3542 return; 3543 err: 3544 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 3545 } 3546 3547 static void audit_log_rule_reset(const struct nft_table *table, 3548 unsigned int base_seq, 3549 unsigned int nentries) 3550 { 3551 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", 3552 table->name, base_seq); 3553 3554 audit_log_nfcfg(buf, table->family, nentries, 3555 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC); 3556 kfree(buf); 3557 } 3558 3559 struct nft_rule_dump_ctx { 3560 unsigned int s_idx; 3561 char *table; 3562 char *chain; 3563 bool reset; 3564 }; 3565 3566 static int __nf_tables_dump_rules(struct sk_buff *skb, 3567 unsigned int *idx, 3568 struct netlink_callback *cb, 3569 const struct nft_table *table, 3570 const struct nft_chain *chain) 3571 { 3572 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3573 struct net *net = sock_net(skb->sk); 3574 const struct nft_rule *rule, *prule; 3575 unsigned int entries = 0; 3576 int ret = 0; 3577 u64 handle; 3578 3579 prule = NULL; 3580 list_for_each_entry_rcu(rule, &chain->rules, list) { 3581 if (!nft_is_active(net, rule)) 3582 goto cont_skip; 3583 if (*idx < ctx->s_idx) 3584 goto cont; 3585 if (prule) 3586 handle = prule->handle; 3587 else 3588 handle = 0; 3589 3590 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 3591 cb->nlh->nlmsg_seq, 3592 NFT_MSG_NEWRULE, 3593 NLM_F_MULTI | NLM_F_APPEND, 3594 table->family, 3595 table, chain, rule, handle, ctx->reset) < 0) { 3596 ret = 1; 3597 break; 3598 } 3599 entries++; 3600 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3601 cont: 3602 prule = rule; 3603 cont_skip: 3604 (*idx)++; 3605 } 3606 3607 if (ctx->reset && entries) 3608 audit_log_rule_reset(table, cb->seq, entries); 3609 3610 return ret; 3611 } 3612 3613 static int nf_tables_dump_rules(struct sk_buff *skb, 3614 struct netlink_callback *cb) 3615 { 3616 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3617 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3618 struct nft_table *table; 3619 const struct nft_chain *chain; 3620 unsigned int idx = 0; 3621 struct net *net = sock_net(skb->sk); 3622 int family = nfmsg->nfgen_family; 3623 struct nftables_pernet *nft_net; 3624 3625 rcu_read_lock(); 3626 nft_net = nft_pernet(net); 3627 cb->seq = READ_ONCE(nft_net->base_seq); 3628 3629 list_for_each_entry_rcu(table, &nft_net->tables, list) { 3630 if (family != NFPROTO_UNSPEC && family != table->family) 3631 continue; 3632 3633 if (ctx->table && strcmp(ctx->table, table->name) != 0) 3634 continue; 3635 3636 if (ctx->table && ctx->chain) { 3637 struct rhlist_head *list, *tmp; 3638 3639 list = rhltable_lookup(&table->chains_ht, ctx->chain, 3640 nft_chain_ht_params); 3641 if (!list) 3642 goto done; 3643 3644 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 3645 if (!nft_is_active(net, chain)) 3646 continue; 3647 __nf_tables_dump_rules(skb, &idx, 3648 cb, table, chain); 3649 break; 3650 } 3651 goto done; 3652 } 3653 3654 list_for_each_entry_rcu(chain, &table->chains, list) { 3655 if (__nf_tables_dump_rules(skb, &idx, 3656 cb, table, chain)) 3657 goto done; 3658 } 3659 3660 if (ctx->table) 3661 break; 3662 } 3663 done: 3664 rcu_read_unlock(); 3665 3666 ctx->s_idx = idx; 3667 return skb->len; 3668 } 3669 3670 static int nf_tables_dumpreset_rules(struct sk_buff *skb, 3671 struct netlink_callback *cb) 3672 { 3673 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk)); 3674 int ret; 3675 3676 /* Mutex is held is to prevent that two concurrent dump-and-reset calls 3677 * do not underrun counters and quotas. The commit_mutex is used for 3678 * the lack a better lock, this is not transaction path. 3679 */ 3680 mutex_lock(&nft_net->commit_mutex); 3681 ret = nf_tables_dump_rules(skb, cb); 3682 mutex_unlock(&nft_net->commit_mutex); 3683 3684 return ret; 3685 } 3686 3687 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 3688 { 3689 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3690 const struct nlattr * const *nla = cb->data; 3691 3692 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx)); 3693 3694 if (nla[NFTA_RULE_TABLE]) { 3695 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC); 3696 if (!ctx->table) 3697 return -ENOMEM; 3698 } 3699 if (nla[NFTA_RULE_CHAIN]) { 3700 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC); 3701 if (!ctx->chain) { 3702 kfree(ctx->table); 3703 return -ENOMEM; 3704 } 3705 } 3706 return 0; 3707 } 3708 3709 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb) 3710 { 3711 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3712 3713 ctx->reset = true; 3714 3715 return nf_tables_dump_rules_start(cb); 3716 } 3717 3718 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 3719 { 3720 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3721 3722 kfree(ctx->table); 3723 kfree(ctx->chain); 3724 return 0; 3725 } 3726 3727 /* called with rcu_read_lock held */ 3728 static struct sk_buff * 3729 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info, 3730 const struct nlattr * const nla[], bool reset) 3731 { 3732 struct netlink_ext_ack *extack = info->extack; 3733 u8 genmask = nft_genmask_cur(info->net); 3734 u8 family = info->nfmsg->nfgen_family; 3735 const struct nft_chain *chain; 3736 const struct nft_rule *rule; 3737 struct net *net = info->net; 3738 struct nft_table *table; 3739 struct sk_buff *skb2; 3740 int err; 3741 3742 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0); 3743 if (IS_ERR(table)) { 3744 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3745 return ERR_CAST(table); 3746 } 3747 3748 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 3749 if (IS_ERR(chain)) { 3750 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3751 return ERR_CAST(chain); 3752 } 3753 3754 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3755 if (IS_ERR(rule)) { 3756 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3757 return ERR_CAST(rule); 3758 } 3759 3760 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3761 if (!skb2) 3762 return ERR_PTR(-ENOMEM); 3763 3764 err = nf_tables_fill_rule_info(skb2, net, portid, 3765 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 3766 family, table, chain, rule, 0, reset); 3767 if (err < 0) { 3768 kfree_skb(skb2); 3769 return ERR_PTR(err); 3770 } 3771 3772 return skb2; 3773 } 3774 3775 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info, 3776 const struct nlattr * const nla[]) 3777 { 3778 u32 portid = NETLINK_CB(skb).portid; 3779 struct net *net = info->net; 3780 struct sk_buff *skb2; 3781 3782 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3783 struct netlink_dump_control c = { 3784 .start= nf_tables_dump_rules_start, 3785 .dump = nf_tables_dump_rules, 3786 .done = nf_tables_dump_rules_done, 3787 .module = THIS_MODULE, 3788 .data = (void *)nla, 3789 }; 3790 3791 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 3792 } 3793 3794 skb2 = nf_tables_getrule_single(portid, info, nla, false); 3795 if (IS_ERR(skb2)) 3796 return PTR_ERR(skb2); 3797 3798 return nfnetlink_unicast(skb2, net, portid); 3799 } 3800 3801 static int nf_tables_getrule_reset(struct sk_buff *skb, 3802 const struct nfnl_info *info, 3803 const struct nlattr * const nla[]) 3804 { 3805 struct nftables_pernet *nft_net = nft_pernet(info->net); 3806 u32 portid = NETLINK_CB(skb).portid; 3807 struct net *net = info->net; 3808 struct sk_buff *skb2; 3809 char *buf; 3810 3811 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3812 struct netlink_dump_control c = { 3813 .start= nf_tables_dumpreset_rules_start, 3814 .dump = nf_tables_dumpreset_rules, 3815 .done = nf_tables_dump_rules_done, 3816 .module = THIS_MODULE, 3817 .data = (void *)nla, 3818 }; 3819 3820 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 3821 } 3822 3823 if (!try_module_get(THIS_MODULE)) 3824 return -EINVAL; 3825 rcu_read_unlock(); 3826 mutex_lock(&nft_net->commit_mutex); 3827 skb2 = nf_tables_getrule_single(portid, info, nla, true); 3828 mutex_unlock(&nft_net->commit_mutex); 3829 rcu_read_lock(); 3830 module_put(THIS_MODULE); 3831 3832 if (IS_ERR(skb2)) 3833 return PTR_ERR(skb2); 3834 3835 buf = kasprintf(GFP_ATOMIC, "%.*s:%u", 3836 nla_len(nla[NFTA_RULE_TABLE]), 3837 (char *)nla_data(nla[NFTA_RULE_TABLE]), 3838 nft_net->base_seq); 3839 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1, 3840 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC); 3841 kfree(buf); 3842 3843 return nfnetlink_unicast(skb2, net, portid); 3844 } 3845 3846 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) 3847 { 3848 struct nft_expr *expr, *next; 3849 3850 /* 3851 * Careful: some expressions might not be initialized in case this 3852 * is called on error from nf_tables_newrule(). 3853 */ 3854 expr = nft_expr_first(rule); 3855 while (nft_expr_more(rule, expr)) { 3856 next = nft_expr_next(expr); 3857 nf_tables_expr_destroy(ctx, expr); 3858 expr = next; 3859 } 3860 kfree(rule); 3861 } 3862 3863 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 3864 { 3865 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 3866 nf_tables_rule_destroy(ctx, rule); 3867 } 3868 3869 /** nft_chain_validate - loop detection and hook validation 3870 * 3871 * @ctx: context containing call depth and base chain 3872 * @chain: chain to validate 3873 * 3874 * Walk through the rules of the given chain and chase all jumps/gotos 3875 * and set lookups until either the jump limit is hit or all reachable 3876 * chains have been validated. 3877 */ 3878 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 3879 { 3880 struct nft_expr *expr, *last; 3881 const struct nft_data *data; 3882 struct nft_rule *rule; 3883 int err; 3884 3885 if (ctx->level == NFT_JUMP_STACK_SIZE) 3886 return -EMLINK; 3887 3888 list_for_each_entry(rule, &chain->rules, list) { 3889 if (fatal_signal_pending(current)) 3890 return -EINTR; 3891 3892 if (!nft_is_active_next(ctx->net, rule)) 3893 continue; 3894 3895 nft_rule_for_each_expr(expr, last, rule) { 3896 if (!expr->ops->validate) 3897 continue; 3898 3899 /* This may call nft_chain_validate() recursively, 3900 * callers that do so must increment ctx->level. 3901 */ 3902 err = expr->ops->validate(ctx, expr, &data); 3903 if (err < 0) 3904 return err; 3905 } 3906 } 3907 3908 return 0; 3909 } 3910 EXPORT_SYMBOL_GPL(nft_chain_validate); 3911 3912 static int nft_table_validate(struct net *net, const struct nft_table *table) 3913 { 3914 struct nft_chain *chain; 3915 struct nft_ctx ctx = { 3916 .net = net, 3917 .family = table->family, 3918 }; 3919 int err; 3920 3921 list_for_each_entry(chain, &table->chains, list) { 3922 if (!nft_is_base_chain(chain)) 3923 continue; 3924 3925 ctx.chain = chain; 3926 err = nft_chain_validate(&ctx, chain); 3927 if (err < 0) 3928 return err; 3929 3930 cond_resched(); 3931 } 3932 3933 return 0; 3934 } 3935 3936 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, 3937 const struct nft_set_iter *iter, 3938 struct nft_elem_priv *elem_priv) 3939 { 3940 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 3941 struct nft_ctx *pctx = (struct nft_ctx *)ctx; 3942 const struct nft_data *data; 3943 int err; 3944 3945 if (!nft_set_elem_active(ext, iter->genmask)) 3946 return 0; 3947 3948 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 3949 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 3950 return 0; 3951 3952 data = nft_set_ext_data(ext); 3953 switch (data->verdict.code) { 3954 case NFT_JUMP: 3955 case NFT_GOTO: 3956 pctx->level++; 3957 err = nft_chain_validate(ctx, data->verdict.chain); 3958 if (err < 0) 3959 return err; 3960 pctx->level--; 3961 break; 3962 default: 3963 break; 3964 } 3965 3966 return 0; 3967 } 3968 3969 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) 3970 { 3971 struct nft_set_iter dummy_iter = { 3972 .genmask = nft_genmask_next(ctx->net), 3973 }; 3974 struct nft_set_elem_catchall *catchall; 3975 3976 struct nft_set_ext *ext; 3977 int ret = 0; 3978 3979 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 3980 ext = nft_set_elem_ext(set, catchall->elem); 3981 if (!nft_set_elem_active(ext, dummy_iter.genmask)) 3982 continue; 3983 3984 ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem); 3985 if (ret < 0) 3986 return ret; 3987 } 3988 3989 return ret; 3990 } 3991 3992 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3993 const struct nft_chain *chain, 3994 const struct nlattr *nla); 3995 3996 #define NFT_RULE_MAXEXPRS 128 3997 3998 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, 3999 const struct nlattr * const nla[]) 4000 { 4001 struct nftables_pernet *nft_net = nft_pernet(info->net); 4002 struct netlink_ext_ack *extack = info->extack; 4003 unsigned int size, i, n, ulen = 0, usize = 0; 4004 u8 genmask = nft_genmask_next(info->net); 4005 struct nft_rule *rule, *old_rule = NULL; 4006 struct nft_expr_info *expr_info = NULL; 4007 u8 family = info->nfmsg->nfgen_family; 4008 struct nft_flow_rule *flow = NULL; 4009 struct net *net = info->net; 4010 struct nft_userdata *udata; 4011 struct nft_table *table; 4012 struct nft_chain *chain; 4013 struct nft_trans *trans; 4014 u64 handle, pos_handle; 4015 struct nft_expr *expr; 4016 struct nft_ctx ctx; 4017 struct nlattr *tmp; 4018 int err, rem; 4019 4020 lockdep_assert_held(&nft_net->commit_mutex); 4021 4022 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 4023 NETLINK_CB(skb).portid); 4024 if (IS_ERR(table)) { 4025 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 4026 return PTR_ERR(table); 4027 } 4028 4029 if (nla[NFTA_RULE_CHAIN]) { 4030 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 4031 genmask); 4032 if (IS_ERR(chain)) { 4033 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 4034 return PTR_ERR(chain); 4035 } 4036 4037 } else if (nla[NFTA_RULE_CHAIN_ID]) { 4038 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID], 4039 genmask); 4040 if (IS_ERR(chain)) { 4041 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); 4042 return PTR_ERR(chain); 4043 } 4044 } else { 4045 return -EINVAL; 4046 } 4047 4048 if (nft_chain_is_bound(chain)) 4049 return -EOPNOTSUPP; 4050 4051 if (nla[NFTA_RULE_HANDLE]) { 4052 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 4053 rule = __nft_rule_lookup(chain, handle); 4054 if (IS_ERR(rule)) { 4055 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4056 return PTR_ERR(rule); 4057 } 4058 4059 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 4060 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4061 return -EEXIST; 4062 } 4063 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 4064 old_rule = rule; 4065 else 4066 return -EOPNOTSUPP; 4067 } else { 4068 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) || 4069 info->nlh->nlmsg_flags & NLM_F_REPLACE) 4070 return -EINVAL; 4071 handle = nf_tables_alloc_handle(table); 4072 4073 if (nla[NFTA_RULE_POSITION]) { 4074 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 4075 old_rule = __nft_rule_lookup(chain, pos_handle); 4076 if (IS_ERR(old_rule)) { 4077 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 4078 return PTR_ERR(old_rule); 4079 } 4080 } else if (nla[NFTA_RULE_POSITION_ID]) { 4081 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]); 4082 if (IS_ERR(old_rule)) { 4083 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 4084 return PTR_ERR(old_rule); 4085 } 4086 } 4087 } 4088 4089 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 4090 4091 n = 0; 4092 size = 0; 4093 if (nla[NFTA_RULE_EXPRESSIONS]) { 4094 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS, 4095 sizeof(struct nft_expr_info), 4096 GFP_KERNEL); 4097 if (!expr_info) 4098 return -ENOMEM; 4099 4100 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 4101 err = -EINVAL; 4102 if (nla_type(tmp) != NFTA_LIST_ELEM) 4103 goto err_release_expr; 4104 if (n == NFT_RULE_MAXEXPRS) 4105 goto err_release_expr; 4106 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]); 4107 if (err < 0) { 4108 NL_SET_BAD_ATTR(extack, tmp); 4109 goto err_release_expr; 4110 } 4111 size += expr_info[n].ops->size; 4112 n++; 4113 } 4114 } 4115 /* Check for overflow of dlen field */ 4116 err = -EFBIG; 4117 if (size >= 1 << 12) 4118 goto err_release_expr; 4119 4120 if (nla[NFTA_RULE_USERDATA]) { 4121 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 4122 if (ulen > 0) 4123 usize = sizeof(struct nft_userdata) + ulen; 4124 } 4125 4126 err = -ENOMEM; 4127 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT); 4128 if (rule == NULL) 4129 goto err_release_expr; 4130 4131 nft_activate_next(net, rule); 4132 4133 rule->handle = handle; 4134 rule->dlen = size; 4135 rule->udata = ulen ? 1 : 0; 4136 4137 if (ulen) { 4138 udata = nft_userdata(rule); 4139 udata->len = ulen - 1; 4140 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 4141 } 4142 4143 expr = nft_expr_first(rule); 4144 for (i = 0; i < n; i++) { 4145 err = nf_tables_newexpr(&ctx, &expr_info[i], expr); 4146 if (err < 0) { 4147 NL_SET_BAD_ATTR(extack, expr_info[i].attr); 4148 goto err_release_rule; 4149 } 4150 4151 if (expr_info[i].ops->validate) 4152 nft_validate_state_update(table, NFT_VALIDATE_NEED); 4153 4154 expr_info[i].ops = NULL; 4155 expr = nft_expr_next(expr); 4156 } 4157 4158 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 4159 flow = nft_flow_rule_create(net, rule); 4160 if (IS_ERR(flow)) { 4161 err = PTR_ERR(flow); 4162 goto err_release_rule; 4163 } 4164 } 4165 4166 if (!nft_use_inc(&chain->use)) { 4167 err = -EMFILE; 4168 goto err_release_rule; 4169 } 4170 4171 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { 4172 if (nft_chain_binding(chain)) { 4173 err = -EOPNOTSUPP; 4174 goto err_destroy_flow_rule; 4175 } 4176 4177 err = nft_delrule(&ctx, old_rule); 4178 if (err < 0) 4179 goto err_destroy_flow_rule; 4180 4181 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 4182 if (trans == NULL) { 4183 err = -ENOMEM; 4184 goto err_destroy_flow_rule; 4185 } 4186 list_add_tail_rcu(&rule->list, &old_rule->list); 4187 } else { 4188 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 4189 if (!trans) { 4190 err = -ENOMEM; 4191 goto err_destroy_flow_rule; 4192 } 4193 4194 if (info->nlh->nlmsg_flags & NLM_F_APPEND) { 4195 if (old_rule) 4196 list_add_rcu(&rule->list, &old_rule->list); 4197 else 4198 list_add_tail_rcu(&rule->list, &chain->rules); 4199 } else { 4200 if (old_rule) 4201 list_add_tail_rcu(&rule->list, &old_rule->list); 4202 else 4203 list_add_rcu(&rule->list, &chain->rules); 4204 } 4205 } 4206 kvfree(expr_info); 4207 4208 if (flow) 4209 nft_trans_flow_rule(trans) = flow; 4210 4211 if (table->validate_state == NFT_VALIDATE_DO) 4212 return nft_table_validate(net, table); 4213 4214 return 0; 4215 4216 err_destroy_flow_rule: 4217 nft_use_dec_restore(&chain->use); 4218 if (flow) 4219 nft_flow_rule_destroy(flow); 4220 err_release_rule: 4221 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR); 4222 nf_tables_rule_destroy(&ctx, rule); 4223 err_release_expr: 4224 for (i = 0; i < n; i++) { 4225 if (expr_info[i].ops) { 4226 module_put(expr_info[i].ops->type->owner); 4227 if (expr_info[i].ops->type->release_ops) 4228 expr_info[i].ops->type->release_ops(expr_info[i].ops); 4229 } 4230 } 4231 kvfree(expr_info); 4232 4233 return err; 4234 } 4235 4236 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 4237 const struct nft_chain *chain, 4238 const struct nlattr *nla) 4239 { 4240 struct nftables_pernet *nft_net = nft_pernet(net); 4241 u32 id = ntohl(nla_get_be32(nla)); 4242 struct nft_trans *trans; 4243 4244 list_for_each_entry(trans, &nft_net->commit_list, list) { 4245 if (trans->msg_type == NFT_MSG_NEWRULE && 4246 nft_trans_rule_chain(trans) == chain && 4247 id == nft_trans_rule_id(trans)) 4248 return nft_trans_rule(trans); 4249 } 4250 return ERR_PTR(-ENOENT); 4251 } 4252 4253 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, 4254 const struct nlattr * const nla[]) 4255 { 4256 struct netlink_ext_ack *extack = info->extack; 4257 u8 genmask = nft_genmask_next(info->net); 4258 u8 family = info->nfmsg->nfgen_family; 4259 struct nft_chain *chain = NULL; 4260 struct net *net = info->net; 4261 struct nft_table *table; 4262 struct nft_rule *rule; 4263 struct nft_ctx ctx; 4264 int err = 0; 4265 4266 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 4267 NETLINK_CB(skb).portid); 4268 if (IS_ERR(table)) { 4269 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 4270 return PTR_ERR(table); 4271 } 4272 4273 if (nla[NFTA_RULE_CHAIN]) { 4274 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 4275 genmask); 4276 if (IS_ERR(chain)) { 4277 if (PTR_ERR(chain) == -ENOENT && 4278 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE) 4279 return 0; 4280 4281 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 4282 return PTR_ERR(chain); 4283 } 4284 if (nft_chain_binding(chain)) 4285 return -EOPNOTSUPP; 4286 } 4287 4288 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 4289 4290 if (chain) { 4291 if (nla[NFTA_RULE_HANDLE]) { 4292 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 4293 if (IS_ERR(rule)) { 4294 if (PTR_ERR(rule) == -ENOENT && 4295 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE) 4296 return 0; 4297 4298 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4299 return PTR_ERR(rule); 4300 } 4301 4302 err = nft_delrule(&ctx, rule); 4303 } else if (nla[NFTA_RULE_ID]) { 4304 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]); 4305 if (IS_ERR(rule)) { 4306 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 4307 return PTR_ERR(rule); 4308 } 4309 4310 err = nft_delrule(&ctx, rule); 4311 } else { 4312 err = nft_delrule_by_chain(&ctx); 4313 } 4314 } else { 4315 list_for_each_entry(chain, &table->chains, list) { 4316 if (!nft_is_active_next(net, chain)) 4317 continue; 4318 if (nft_chain_binding(chain)) 4319 continue; 4320 4321 ctx.chain = chain; 4322 err = nft_delrule_by_chain(&ctx); 4323 if (err < 0) 4324 break; 4325 } 4326 } 4327 4328 return err; 4329 } 4330 4331 /* 4332 * Sets 4333 */ 4334 static const struct nft_set_type *nft_set_types[] = { 4335 &nft_set_hash_fast_type, 4336 &nft_set_hash_type, 4337 &nft_set_rhash_type, 4338 &nft_set_bitmap_type, 4339 &nft_set_rbtree_type, 4340 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 4341 &nft_set_pipapo_avx2_type, 4342 #endif 4343 &nft_set_pipapo_type, 4344 }; 4345 4346 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 4347 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 4348 NFT_SET_EVAL) 4349 4350 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 4351 { 4352 return (flags & type->features) == (flags & NFT_SET_FEATURES); 4353 } 4354 4355 /* 4356 * Select a set implementation based on the data characteristics and the 4357 * given policy. The total memory use might not be known if no size is 4358 * given, in that case the amount of memory per element is used. 4359 */ 4360 static const struct nft_set_ops * 4361 nft_select_set_ops(const struct nft_ctx *ctx, u32 flags, 4362 const struct nft_set_desc *desc) 4363 { 4364 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 4365 const struct nft_set_ops *ops, *bops; 4366 struct nft_set_estimate est, best; 4367 const struct nft_set_type *type; 4368 int i; 4369 4370 lockdep_assert_held(&nft_net->commit_mutex); 4371 lockdep_nfnl_nft_mutex_not_held(); 4372 4373 bops = NULL; 4374 best.size = ~0; 4375 best.lookup = ~0; 4376 best.space = ~0; 4377 4378 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 4379 type = nft_set_types[i]; 4380 ops = &type->ops; 4381 4382 if (!nft_set_ops_candidate(type, flags)) 4383 continue; 4384 if (!ops->estimate(desc, flags, &est)) 4385 continue; 4386 4387 switch (desc->policy) { 4388 case NFT_SET_POL_PERFORMANCE: 4389 if (est.lookup < best.lookup) 4390 break; 4391 if (est.lookup == best.lookup && 4392 est.space < best.space) 4393 break; 4394 continue; 4395 case NFT_SET_POL_MEMORY: 4396 if (!desc->size) { 4397 if (est.space < best.space) 4398 break; 4399 if (est.space == best.space && 4400 est.lookup < best.lookup) 4401 break; 4402 } else if (est.size < best.size || !bops) { 4403 break; 4404 } 4405 continue; 4406 default: 4407 break; 4408 } 4409 4410 bops = ops; 4411 best = est; 4412 } 4413 4414 if (bops != NULL) 4415 return bops; 4416 4417 return ERR_PTR(-EOPNOTSUPP); 4418 } 4419 4420 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 4421 [NFTA_SET_TABLE] = { .type = NLA_STRING, 4422 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4423 [NFTA_SET_NAME] = { .type = NLA_STRING, 4424 .len = NFT_SET_MAXNAMELEN - 1 }, 4425 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 4426 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 4427 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 4428 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 4429 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 4430 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 4431 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 4432 [NFTA_SET_ID] = { .type = NLA_U32 }, 4433 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 4434 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 4435 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 4436 .len = NFT_USERDATA_MAXLEN }, 4437 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 4438 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 4439 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 4440 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy), 4441 }; 4442 4443 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 4444 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 4445 }; 4446 4447 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 4448 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 4449 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy), 4450 }; 4451 4452 static struct nft_set *nft_set_lookup(const struct nft_table *table, 4453 const struct nlattr *nla, u8 genmask) 4454 { 4455 struct nft_set *set; 4456 4457 if (nla == NULL) 4458 return ERR_PTR(-EINVAL); 4459 4460 list_for_each_entry_rcu(set, &table->sets, list) { 4461 if (!nla_strcmp(nla, set->name) && 4462 nft_active_genmask(set, genmask)) 4463 return set; 4464 } 4465 return ERR_PTR(-ENOENT); 4466 } 4467 4468 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 4469 const struct nlattr *nla, 4470 u8 genmask) 4471 { 4472 struct nft_set *set; 4473 4474 list_for_each_entry(set, &table->sets, list) { 4475 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 4476 nft_active_genmask(set, genmask)) 4477 return set; 4478 } 4479 return ERR_PTR(-ENOENT); 4480 } 4481 4482 static struct nft_set *nft_set_lookup_byid(const struct net *net, 4483 const struct nft_table *table, 4484 const struct nlattr *nla, u8 genmask) 4485 { 4486 struct nftables_pernet *nft_net = nft_pernet(net); 4487 u32 id = ntohl(nla_get_be32(nla)); 4488 struct nft_trans *trans; 4489 4490 list_for_each_entry(trans, &nft_net->commit_list, list) { 4491 if (trans->msg_type == NFT_MSG_NEWSET) { 4492 struct nft_set *set = nft_trans_set(trans); 4493 4494 if (id == nft_trans_set_id(trans) && 4495 set->table == table && 4496 nft_active_genmask(set, genmask)) 4497 return set; 4498 } 4499 } 4500 return ERR_PTR(-ENOENT); 4501 } 4502 4503 struct nft_set *nft_set_lookup_global(const struct net *net, 4504 const struct nft_table *table, 4505 const struct nlattr *nla_set_name, 4506 const struct nlattr *nla_set_id, 4507 u8 genmask) 4508 { 4509 struct nft_set *set; 4510 4511 set = nft_set_lookup(table, nla_set_name, genmask); 4512 if (IS_ERR(set)) { 4513 if (!nla_set_id) 4514 return set; 4515 4516 set = nft_set_lookup_byid(net, table, nla_set_id, genmask); 4517 } 4518 return set; 4519 } 4520 EXPORT_SYMBOL_GPL(nft_set_lookup_global); 4521 4522 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 4523 const char *name) 4524 { 4525 const struct nft_set *i; 4526 const char *p; 4527 unsigned long *inuse; 4528 unsigned int n = 0, min = 0; 4529 4530 p = strchr(name, '%'); 4531 if (p != NULL) { 4532 if (p[1] != 'd' || strchr(p + 2, '%')) 4533 return -EINVAL; 4534 4535 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN) 4536 return -EINVAL; 4537 4538 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 4539 if (inuse == NULL) 4540 return -ENOMEM; 4541 cont: 4542 list_for_each_entry(i, &ctx->table->sets, list) { 4543 int tmp; 4544 4545 if (!nft_is_active_next(ctx->net, i)) 4546 continue; 4547 if (!sscanf(i->name, name, &tmp)) 4548 continue; 4549 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 4550 continue; 4551 4552 set_bit(tmp - min, inuse); 4553 } 4554 4555 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 4556 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 4557 min += BITS_PER_BYTE * PAGE_SIZE; 4558 memset(inuse, 0, PAGE_SIZE); 4559 goto cont; 4560 } 4561 free_page((unsigned long)inuse); 4562 } 4563 4564 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n); 4565 if (!set->name) 4566 return -ENOMEM; 4567 4568 list_for_each_entry(i, &ctx->table->sets, list) { 4569 if (!nft_is_active_next(ctx->net, i)) 4570 continue; 4571 if (!strcmp(set->name, i->name)) { 4572 kfree(set->name); 4573 set->name = NULL; 4574 return -ENFILE; 4575 } 4576 } 4577 return 0; 4578 } 4579 4580 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 4581 { 4582 u64 ms = be64_to_cpu(nla_get_be64(nla)); 4583 u64 max = (u64)(~((u64)0)); 4584 4585 max = div_u64(max, NSEC_PER_MSEC); 4586 if (ms >= max) 4587 return -ERANGE; 4588 4589 ms *= NSEC_PER_MSEC; 4590 *result = nsecs_to_jiffies64(ms); 4591 return 0; 4592 } 4593 4594 __be64 nf_jiffies64_to_msecs(u64 input) 4595 { 4596 return cpu_to_be64(jiffies64_to_msecs(input)); 4597 } 4598 4599 static int nf_tables_fill_set_concat(struct sk_buff *skb, 4600 const struct nft_set *set) 4601 { 4602 struct nlattr *concat, *field; 4603 int i; 4604 4605 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 4606 if (!concat) 4607 return -ENOMEM; 4608 4609 for (i = 0; i < set->field_count; i++) { 4610 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4611 if (!field) 4612 return -ENOMEM; 4613 4614 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 4615 htonl(set->field_len[i]))) 4616 return -ENOMEM; 4617 4618 nla_nest_end(skb, field); 4619 } 4620 4621 nla_nest_end(skb, concat); 4622 4623 return 0; 4624 } 4625 4626 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 4627 const struct nft_set *set, u16 event, u16 flags) 4628 { 4629 u64 timeout = READ_ONCE(set->timeout); 4630 u32 gc_int = READ_ONCE(set->gc_int); 4631 u32 portid = ctx->portid; 4632 struct nlmsghdr *nlh; 4633 struct nlattr *nest; 4634 u32 seq = ctx->seq; 4635 int i; 4636 4637 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 4638 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 4639 NFNETLINK_V0, nft_base_seq(ctx->net)); 4640 if (!nlh) 4641 goto nla_put_failure; 4642 4643 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 4644 goto nla_put_failure; 4645 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 4646 goto nla_put_failure; 4647 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 4648 NFTA_SET_PAD)) 4649 goto nla_put_failure; 4650 4651 if (event == NFT_MSG_DELSET) { 4652 nlmsg_end(skb, nlh); 4653 return 0; 4654 } 4655 4656 if (set->flags != 0) 4657 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 4658 goto nla_put_failure; 4659 4660 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 4661 goto nla_put_failure; 4662 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 4663 goto nla_put_failure; 4664 if (set->flags & NFT_SET_MAP) { 4665 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 4666 goto nla_put_failure; 4667 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 4668 goto nla_put_failure; 4669 } 4670 if (set->flags & NFT_SET_OBJECT && 4671 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 4672 goto nla_put_failure; 4673 4674 if (timeout && 4675 nla_put_be64(skb, NFTA_SET_TIMEOUT, 4676 nf_jiffies64_to_msecs(timeout), 4677 NFTA_SET_PAD)) 4678 goto nla_put_failure; 4679 if (gc_int && 4680 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int))) 4681 goto nla_put_failure; 4682 4683 if (set->policy != NFT_SET_POL_PERFORMANCE) { 4684 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 4685 goto nla_put_failure; 4686 } 4687 4688 if (set->udata && 4689 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 4690 goto nla_put_failure; 4691 4692 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 4693 if (!nest) 4694 goto nla_put_failure; 4695 if (set->size && 4696 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 4697 goto nla_put_failure; 4698 4699 if (set->field_count > 1 && 4700 nf_tables_fill_set_concat(skb, set)) 4701 goto nla_put_failure; 4702 4703 nla_nest_end(skb, nest); 4704 4705 if (set->num_exprs == 1) { 4706 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 4707 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0) 4708 goto nla_put_failure; 4709 4710 nla_nest_end(skb, nest); 4711 } else if (set->num_exprs > 1) { 4712 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS); 4713 if (nest == NULL) 4714 goto nla_put_failure; 4715 4716 for (i = 0; i < set->num_exprs; i++) { 4717 if (nft_expr_dump(skb, NFTA_LIST_ELEM, 4718 set->exprs[i], false) < 0) 4719 goto nla_put_failure; 4720 } 4721 nla_nest_end(skb, nest); 4722 } 4723 4724 nlmsg_end(skb, nlh); 4725 return 0; 4726 4727 nla_put_failure: 4728 nlmsg_trim(skb, nlh); 4729 return -1; 4730 } 4731 4732 static void nf_tables_set_notify(const struct nft_ctx *ctx, 4733 const struct nft_set *set, int event, 4734 gfp_t gfp_flags) 4735 { 4736 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 4737 u32 portid = ctx->portid; 4738 struct sk_buff *skb; 4739 u16 flags = 0; 4740 int err; 4741 4742 if (!ctx->report && 4743 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 4744 return; 4745 4746 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 4747 if (skb == NULL) 4748 goto err; 4749 4750 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 4751 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 4752 4753 err = nf_tables_fill_set(skb, ctx, set, event, flags); 4754 if (err < 0) { 4755 kfree_skb(skb); 4756 goto err; 4757 } 4758 4759 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 4760 return; 4761 err: 4762 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 4763 } 4764 4765 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 4766 { 4767 const struct nft_set *set; 4768 unsigned int idx, s_idx = cb->args[0]; 4769 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 4770 struct net *net = sock_net(skb->sk); 4771 struct nft_ctx *ctx = cb->data, ctx_set; 4772 struct nftables_pernet *nft_net; 4773 4774 if (cb->args[1]) 4775 return skb->len; 4776 4777 rcu_read_lock(); 4778 nft_net = nft_pernet(net); 4779 cb->seq = READ_ONCE(nft_net->base_seq); 4780 4781 list_for_each_entry_rcu(table, &nft_net->tables, list) { 4782 if (ctx->family != NFPROTO_UNSPEC && 4783 ctx->family != table->family) 4784 continue; 4785 4786 if (ctx->table && ctx->table != table) 4787 continue; 4788 4789 if (cur_table) { 4790 if (cur_table != table) 4791 continue; 4792 4793 cur_table = NULL; 4794 } 4795 idx = 0; 4796 list_for_each_entry_rcu(set, &table->sets, list) { 4797 if (idx < s_idx) 4798 goto cont; 4799 if (!nft_is_active(net, set)) 4800 goto cont; 4801 4802 ctx_set = *ctx; 4803 ctx_set.table = table; 4804 ctx_set.family = table->family; 4805 4806 if (nf_tables_fill_set(skb, &ctx_set, set, 4807 NFT_MSG_NEWSET, 4808 NLM_F_MULTI) < 0) { 4809 cb->args[0] = idx; 4810 cb->args[2] = (unsigned long) table; 4811 goto done; 4812 } 4813 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 4814 cont: 4815 idx++; 4816 } 4817 if (s_idx) 4818 s_idx = 0; 4819 } 4820 cb->args[1] = 1; 4821 done: 4822 rcu_read_unlock(); 4823 return skb->len; 4824 } 4825 4826 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 4827 { 4828 struct nft_ctx *ctx_dump = NULL; 4829 4830 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 4831 if (ctx_dump == NULL) 4832 return -ENOMEM; 4833 4834 cb->data = ctx_dump; 4835 return 0; 4836 } 4837 4838 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 4839 { 4840 kfree(cb->data); 4841 return 0; 4842 } 4843 4844 /* called with rcu_read_lock held */ 4845 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info, 4846 const struct nlattr * const nla[]) 4847 { 4848 struct netlink_ext_ack *extack = info->extack; 4849 u8 genmask = nft_genmask_cur(info->net); 4850 u8 family = info->nfmsg->nfgen_family; 4851 struct nft_table *table = NULL; 4852 struct net *net = info->net; 4853 const struct nft_set *set; 4854 struct sk_buff *skb2; 4855 struct nft_ctx ctx; 4856 int err; 4857 4858 if (nla[NFTA_SET_TABLE]) { 4859 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 4860 genmask, 0); 4861 if (IS_ERR(table)) { 4862 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4863 return PTR_ERR(table); 4864 } 4865 } 4866 4867 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4868 4869 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 4870 struct netlink_dump_control c = { 4871 .start = nf_tables_dump_sets_start, 4872 .dump = nf_tables_dump_sets, 4873 .done = nf_tables_dump_sets_done, 4874 .data = &ctx, 4875 .module = THIS_MODULE, 4876 }; 4877 4878 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 4879 } 4880 4881 /* Only accept unspec with dump */ 4882 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 4883 return -EAFNOSUPPORT; 4884 if (!nla[NFTA_SET_TABLE]) 4885 return -EINVAL; 4886 4887 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4888 if (IS_ERR(set)) { 4889 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4890 return PTR_ERR(set); 4891 } 4892 4893 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 4894 if (skb2 == NULL) 4895 return -ENOMEM; 4896 4897 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 4898 if (err < 0) 4899 goto err_fill_set_info; 4900 4901 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 4902 4903 err_fill_set_info: 4904 kfree_skb(skb2); 4905 return err; 4906 } 4907 4908 static int nft_set_desc_concat_parse(const struct nlattr *attr, 4909 struct nft_set_desc *desc) 4910 { 4911 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 4912 u32 len; 4913 int err; 4914 4915 if (desc->field_count >= ARRAY_SIZE(desc->field_len)) 4916 return -E2BIG; 4917 4918 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 4919 nft_concat_policy, NULL); 4920 if (err < 0) 4921 return err; 4922 4923 if (!tb[NFTA_SET_FIELD_LEN]) 4924 return -EINVAL; 4925 4926 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 4927 if (!len || len > U8_MAX) 4928 return -EINVAL; 4929 4930 desc->field_len[desc->field_count++] = len; 4931 4932 return 0; 4933 } 4934 4935 static int nft_set_desc_concat(struct nft_set_desc *desc, 4936 const struct nlattr *nla) 4937 { 4938 u32 num_regs = 0, key_num_regs = 0; 4939 struct nlattr *attr; 4940 int rem, err, i; 4941 4942 nla_for_each_nested(attr, nla, rem) { 4943 if (nla_type(attr) != NFTA_LIST_ELEM) 4944 return -EINVAL; 4945 4946 err = nft_set_desc_concat_parse(attr, desc); 4947 if (err < 0) 4948 return err; 4949 } 4950 4951 for (i = 0; i < desc->field_count; i++) 4952 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32)); 4953 4954 key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32)); 4955 if (key_num_regs != num_regs) 4956 return -EINVAL; 4957 4958 if (num_regs > NFT_REG32_COUNT) 4959 return -E2BIG; 4960 4961 return 0; 4962 } 4963 4964 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 4965 const struct nlattr *nla) 4966 { 4967 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 4968 int err; 4969 4970 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 4971 nft_set_desc_policy, NULL); 4972 if (err < 0) 4973 return err; 4974 4975 if (da[NFTA_SET_DESC_SIZE] != NULL) 4976 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 4977 if (da[NFTA_SET_DESC_CONCAT]) 4978 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 4979 4980 return err; 4981 } 4982 4983 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set, 4984 const struct nlattr * const *nla, 4985 struct nft_expr **exprs, int *num_exprs, 4986 u32 flags) 4987 { 4988 struct nft_expr *expr; 4989 int err, i; 4990 4991 if (nla[NFTA_SET_EXPR]) { 4992 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]); 4993 if (IS_ERR(expr)) { 4994 err = PTR_ERR(expr); 4995 goto err_set_expr_alloc; 4996 } 4997 exprs[0] = expr; 4998 (*num_exprs)++; 4999 } else if (nla[NFTA_SET_EXPRESSIONS]) { 5000 struct nlattr *tmp; 5001 int left; 5002 5003 if (!(flags & NFT_SET_EXPR)) { 5004 err = -EINVAL; 5005 goto err_set_expr_alloc; 5006 } 5007 i = 0; 5008 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) { 5009 if (i == NFT_SET_EXPR_MAX) { 5010 err = -E2BIG; 5011 goto err_set_expr_alloc; 5012 } 5013 if (nla_type(tmp) != NFTA_LIST_ELEM) { 5014 err = -EINVAL; 5015 goto err_set_expr_alloc; 5016 } 5017 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 5018 if (IS_ERR(expr)) { 5019 err = PTR_ERR(expr); 5020 goto err_set_expr_alloc; 5021 } 5022 exprs[i++] = expr; 5023 (*num_exprs)++; 5024 } 5025 } 5026 5027 return 0; 5028 5029 err_set_expr_alloc: 5030 for (i = 0; i < *num_exprs; i++) 5031 nft_expr_destroy(ctx, exprs[i]); 5032 5033 return err; 5034 } 5035 5036 static bool nft_set_is_same(const struct nft_set *set, 5037 const struct nft_set_desc *desc, 5038 struct nft_expr *exprs[], u32 num_exprs, u32 flags) 5039 { 5040 int i; 5041 5042 if (set->ktype != desc->ktype || 5043 set->dtype != desc->dtype || 5044 set->flags != flags || 5045 set->klen != desc->klen || 5046 set->dlen != desc->dlen || 5047 set->field_count != desc->field_count || 5048 set->num_exprs != num_exprs) 5049 return false; 5050 5051 for (i = 0; i < desc->field_count; i++) { 5052 if (set->field_len[i] != desc->field_len[i]) 5053 return false; 5054 } 5055 5056 for (i = 0; i < num_exprs; i++) { 5057 if (set->exprs[i]->ops != exprs[i]->ops) 5058 return false; 5059 } 5060 5061 return true; 5062 } 5063 5064 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 5065 const struct nlattr * const nla[]) 5066 { 5067 struct netlink_ext_ack *extack = info->extack; 5068 u8 genmask = nft_genmask_next(info->net); 5069 u8 family = info->nfmsg->nfgen_family; 5070 const struct nft_set_ops *ops; 5071 struct net *net = info->net; 5072 struct nft_set_desc desc; 5073 struct nft_table *table; 5074 unsigned char *udata; 5075 struct nft_set *set; 5076 struct nft_ctx ctx; 5077 size_t alloc_size; 5078 int num_exprs = 0; 5079 char *name; 5080 int err, i; 5081 u16 udlen; 5082 u32 flags; 5083 u64 size; 5084 5085 if (nla[NFTA_SET_TABLE] == NULL || 5086 nla[NFTA_SET_NAME] == NULL || 5087 nla[NFTA_SET_KEY_LEN] == NULL || 5088 nla[NFTA_SET_ID] == NULL) 5089 return -EINVAL; 5090 5091 memset(&desc, 0, sizeof(desc)); 5092 5093 desc.ktype = NFT_DATA_VALUE; 5094 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 5095 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 5096 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 5097 return -EINVAL; 5098 } 5099 5100 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 5101 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 5102 return -EINVAL; 5103 5104 flags = 0; 5105 if (nla[NFTA_SET_FLAGS] != NULL) { 5106 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 5107 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 5108 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 5109 NFT_SET_MAP | NFT_SET_EVAL | 5110 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR)) 5111 return -EOPNOTSUPP; 5112 /* Only one of these operations is supported */ 5113 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 5114 (NFT_SET_MAP | NFT_SET_OBJECT)) 5115 return -EOPNOTSUPP; 5116 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 5117 (NFT_SET_EVAL | NFT_SET_OBJECT)) 5118 return -EOPNOTSUPP; 5119 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) == 5120 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT)) 5121 return -EOPNOTSUPP; 5122 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) == 5123 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) 5124 return -EOPNOTSUPP; 5125 } 5126 5127 desc.dtype = 0; 5128 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 5129 if (!(flags & NFT_SET_MAP)) 5130 return -EINVAL; 5131 5132 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 5133 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 5134 desc.dtype != NFT_DATA_VERDICT) 5135 return -EINVAL; 5136 5137 if (desc.dtype != NFT_DATA_VERDICT) { 5138 if (nla[NFTA_SET_DATA_LEN] == NULL) 5139 return -EINVAL; 5140 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 5141 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 5142 return -EINVAL; 5143 } else 5144 desc.dlen = sizeof(struct nft_verdict); 5145 } else if (flags & NFT_SET_MAP) 5146 return -EINVAL; 5147 5148 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 5149 if (!(flags & NFT_SET_OBJECT)) 5150 return -EINVAL; 5151 5152 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 5153 if (desc.objtype == NFT_OBJECT_UNSPEC || 5154 desc.objtype > NFT_OBJECT_MAX) 5155 return -EOPNOTSUPP; 5156 } else if (flags & NFT_SET_OBJECT) 5157 return -EINVAL; 5158 else 5159 desc.objtype = NFT_OBJECT_UNSPEC; 5160 5161 desc.timeout = 0; 5162 if (nla[NFTA_SET_TIMEOUT] != NULL) { 5163 if (!(flags & NFT_SET_TIMEOUT)) 5164 return -EINVAL; 5165 5166 if (flags & NFT_SET_ANONYMOUS) 5167 return -EOPNOTSUPP; 5168 5169 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout); 5170 if (err) 5171 return err; 5172 } 5173 desc.gc_int = 0; 5174 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 5175 if (!(flags & NFT_SET_TIMEOUT)) 5176 return -EINVAL; 5177 5178 if (flags & NFT_SET_ANONYMOUS) 5179 return -EOPNOTSUPP; 5180 5181 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 5182 } 5183 5184 desc.policy = NFT_SET_POL_PERFORMANCE; 5185 if (nla[NFTA_SET_POLICY] != NULL) { 5186 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 5187 switch (desc.policy) { 5188 case NFT_SET_POL_PERFORMANCE: 5189 case NFT_SET_POL_MEMORY: 5190 break; 5191 default: 5192 return -EOPNOTSUPP; 5193 } 5194 } 5195 5196 if (nla[NFTA_SET_DESC] != NULL) { 5197 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 5198 if (err < 0) 5199 return err; 5200 5201 if (desc.field_count > 1) { 5202 if (!(flags & NFT_SET_CONCAT)) 5203 return -EINVAL; 5204 } else if (flags & NFT_SET_CONCAT) { 5205 return -EINVAL; 5206 } 5207 } else if (flags & NFT_SET_CONCAT) { 5208 return -EINVAL; 5209 } 5210 5211 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS]) 5212 desc.expr = true; 5213 5214 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask, 5215 NETLINK_CB(skb).portid); 5216 if (IS_ERR(table)) { 5217 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5218 return PTR_ERR(table); 5219 } 5220 5221 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5222 5223 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 5224 if (IS_ERR(set)) { 5225 if (PTR_ERR(set) != -ENOENT) { 5226 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5227 return PTR_ERR(set); 5228 } 5229 } else { 5230 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {}; 5231 5232 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 5233 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5234 return -EEXIST; 5235 } 5236 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 5237 return -EOPNOTSUPP; 5238 5239 if (nft_set_is_anonymous(set)) 5240 return -EOPNOTSUPP; 5241 5242 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags); 5243 if (err < 0) 5244 return err; 5245 5246 err = 0; 5247 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) { 5248 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5249 err = -EEXIST; 5250 } 5251 5252 for (i = 0; i < num_exprs; i++) 5253 nft_expr_destroy(&ctx, exprs[i]); 5254 5255 if (err < 0) 5256 return err; 5257 5258 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc); 5259 } 5260 5261 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) 5262 return -ENOENT; 5263 5264 ops = nft_select_set_ops(&ctx, flags, &desc); 5265 if (IS_ERR(ops)) 5266 return PTR_ERR(ops); 5267 5268 udlen = 0; 5269 if (nla[NFTA_SET_USERDATA]) 5270 udlen = nla_len(nla[NFTA_SET_USERDATA]); 5271 5272 size = 0; 5273 if (ops->privsize != NULL) 5274 size = ops->privsize(nla, &desc); 5275 alloc_size = sizeof(*set) + size + udlen; 5276 if (alloc_size < size || alloc_size > INT_MAX) 5277 return -ENOMEM; 5278 5279 if (!nft_use_inc(&table->use)) 5280 return -EMFILE; 5281 5282 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT); 5283 if (!set) { 5284 err = -ENOMEM; 5285 goto err_alloc; 5286 } 5287 5288 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT); 5289 if (!name) { 5290 err = -ENOMEM; 5291 goto err_set_name; 5292 } 5293 5294 err = nf_tables_set_alloc_name(&ctx, set, name); 5295 kfree(name); 5296 if (err < 0) 5297 goto err_set_name; 5298 5299 udata = NULL; 5300 if (udlen) { 5301 udata = set->data + size; 5302 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 5303 } 5304 5305 INIT_LIST_HEAD(&set->bindings); 5306 INIT_LIST_HEAD(&set->catchall_list); 5307 refcount_set(&set->refs, 1); 5308 set->table = table; 5309 write_pnet(&set->net, net); 5310 set->ops = ops; 5311 set->ktype = desc.ktype; 5312 set->klen = desc.klen; 5313 set->dtype = desc.dtype; 5314 set->objtype = desc.objtype; 5315 set->dlen = desc.dlen; 5316 set->flags = flags; 5317 set->size = desc.size; 5318 set->policy = desc.policy; 5319 set->udlen = udlen; 5320 set->udata = udata; 5321 set->timeout = desc.timeout; 5322 set->gc_int = desc.gc_int; 5323 5324 set->field_count = desc.field_count; 5325 for (i = 0; i < desc.field_count; i++) 5326 set->field_len[i] = desc.field_len[i]; 5327 5328 err = ops->init(set, &desc, nla); 5329 if (err < 0) 5330 goto err_set_init; 5331 5332 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags); 5333 if (err < 0) 5334 goto err_set_destroy; 5335 5336 set->num_exprs = num_exprs; 5337 set->handle = nf_tables_alloc_handle(table); 5338 INIT_LIST_HEAD(&set->pending_update); 5339 5340 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 5341 if (err < 0) 5342 goto err_set_expr_alloc; 5343 5344 list_add_tail_rcu(&set->list, &table->sets); 5345 5346 return 0; 5347 5348 err_set_expr_alloc: 5349 for (i = 0; i < set->num_exprs; i++) 5350 nft_expr_destroy(&ctx, set->exprs[i]); 5351 err_set_destroy: 5352 ops->destroy(&ctx, set); 5353 err_set_init: 5354 kfree(set->name); 5355 err_set_name: 5356 kvfree(set); 5357 err_alloc: 5358 nft_use_dec_restore(&table->use); 5359 5360 return err; 5361 } 5362 5363 static void nft_set_catchall_destroy(const struct nft_ctx *ctx, 5364 struct nft_set *set) 5365 { 5366 struct nft_set_elem_catchall *next, *catchall; 5367 5368 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5369 list_del_rcu(&catchall->list); 5370 nf_tables_set_elem_destroy(ctx, set, catchall->elem); 5371 kfree_rcu(catchall, rcu); 5372 } 5373 } 5374 5375 static void nft_set_put(struct nft_set *set) 5376 { 5377 if (refcount_dec_and_test(&set->refs)) { 5378 kfree(set->name); 5379 kvfree(set); 5380 } 5381 } 5382 5383 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 5384 { 5385 int i; 5386 5387 if (WARN_ON(set->use > 0)) 5388 return; 5389 5390 for (i = 0; i < set->num_exprs; i++) 5391 nft_expr_destroy(ctx, set->exprs[i]); 5392 5393 set->ops->destroy(ctx, set); 5394 nft_set_catchall_destroy(ctx, set); 5395 nft_set_put(set); 5396 } 5397 5398 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info, 5399 const struct nlattr * const nla[]) 5400 { 5401 struct netlink_ext_ack *extack = info->extack; 5402 u8 genmask = nft_genmask_next(info->net); 5403 u8 family = info->nfmsg->nfgen_family; 5404 struct net *net = info->net; 5405 const struct nlattr *attr; 5406 struct nft_table *table; 5407 struct nft_set *set; 5408 struct nft_ctx ctx; 5409 5410 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 5411 return -EAFNOSUPPORT; 5412 5413 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 5414 genmask, NETLINK_CB(skb).portid); 5415 if (IS_ERR(table)) { 5416 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5417 return PTR_ERR(table); 5418 } 5419 5420 if (nla[NFTA_SET_HANDLE]) { 5421 attr = nla[NFTA_SET_HANDLE]; 5422 set = nft_set_lookup_byhandle(table, attr, genmask); 5423 } else { 5424 attr = nla[NFTA_SET_NAME]; 5425 set = nft_set_lookup(table, attr, genmask); 5426 } 5427 5428 if (IS_ERR(set)) { 5429 if (PTR_ERR(set) == -ENOENT && 5430 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET) 5431 return 0; 5432 5433 NL_SET_BAD_ATTR(extack, attr); 5434 return PTR_ERR(set); 5435 } 5436 if (set->use || 5437 (info->nlh->nlmsg_flags & NLM_F_NONREC && 5438 atomic_read(&set->nelems) > 0)) { 5439 NL_SET_BAD_ATTR(extack, attr); 5440 return -EBUSY; 5441 } 5442 5443 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5444 5445 return nft_delset(&ctx, set); 5446 } 5447 5448 static int nft_validate_register_store(const struct nft_ctx *ctx, 5449 enum nft_registers reg, 5450 const struct nft_data *data, 5451 enum nft_data_types type, 5452 unsigned int len); 5453 5454 static int nft_setelem_data_validate(const struct nft_ctx *ctx, 5455 struct nft_set *set, 5456 struct nft_elem_priv *elem_priv) 5457 { 5458 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5459 enum nft_registers dreg; 5460 5461 dreg = nft_type_to_reg(set->dtype); 5462 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 5463 set->dtype == NFT_DATA_VERDICT ? 5464 NFT_DATA_VERDICT : NFT_DATA_VALUE, 5465 set->dlen); 5466 } 5467 5468 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 5469 struct nft_set *set, 5470 const struct nft_set_iter *iter, 5471 struct nft_elem_priv *elem_priv) 5472 { 5473 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5474 5475 if (!nft_set_elem_active(ext, iter->genmask)) 5476 return 0; 5477 5478 return nft_setelem_data_validate(ctx, set, elem_priv); 5479 } 5480 5481 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx, 5482 struct nft_set *set) 5483 { 5484 u8 genmask = nft_genmask_next(ctx->net); 5485 struct nft_set_elem_catchall *catchall; 5486 struct nft_set_ext *ext; 5487 int ret = 0; 5488 5489 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5490 ext = nft_set_elem_ext(set, catchall->elem); 5491 if (!nft_set_elem_active(ext, genmask)) 5492 continue; 5493 5494 ret = nft_setelem_data_validate(ctx, set, catchall->elem); 5495 if (ret < 0) 5496 break; 5497 } 5498 5499 return ret; 5500 } 5501 5502 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 5503 struct nft_set_binding *binding) 5504 { 5505 struct nft_set_binding *i; 5506 struct nft_set_iter iter; 5507 5508 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 5509 return -EBUSY; 5510 5511 if (binding->flags & NFT_SET_MAP) { 5512 /* If the set is already bound to the same chain all 5513 * jumps are already validated for that chain. 5514 */ 5515 list_for_each_entry(i, &set->bindings, list) { 5516 if (i->flags & NFT_SET_MAP && 5517 i->chain == binding->chain) 5518 goto bind; 5519 } 5520 5521 iter.genmask = nft_genmask_next(ctx->net); 5522 iter.type = NFT_ITER_UPDATE; 5523 iter.skip = 0; 5524 iter.count = 0; 5525 iter.err = 0; 5526 iter.fn = nf_tables_bind_check_setelem; 5527 5528 set->ops->walk(ctx, set, &iter); 5529 if (!iter.err) 5530 iter.err = nft_set_catchall_bind_check(ctx, set); 5531 5532 if (iter.err < 0) 5533 return iter.err; 5534 } 5535 bind: 5536 if (!nft_use_inc(&set->use)) 5537 return -EMFILE; 5538 5539 binding->chain = ctx->chain; 5540 list_add_tail_rcu(&binding->list, &set->bindings); 5541 nft_set_trans_bind(ctx, set); 5542 5543 return 0; 5544 } 5545 EXPORT_SYMBOL_GPL(nf_tables_bind_set); 5546 5547 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 5548 struct nft_set_binding *binding, bool event) 5549 { 5550 list_del_rcu(&binding->list); 5551 5552 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 5553 list_del_rcu(&set->list); 5554 set->dead = 1; 5555 if (event) 5556 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 5557 GFP_KERNEL); 5558 } 5559 } 5560 5561 static void nft_setelem_data_activate(const struct net *net, 5562 const struct nft_set *set, 5563 struct nft_elem_priv *elem_priv); 5564 5565 static int nft_mapelem_activate(const struct nft_ctx *ctx, 5566 struct nft_set *set, 5567 const struct nft_set_iter *iter, 5568 struct nft_elem_priv *elem_priv) 5569 { 5570 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5571 5572 /* called from abort path, reverse check to undo changes. */ 5573 if (nft_set_elem_active(ext, iter->genmask)) 5574 return 0; 5575 5576 nft_clear(ctx->net, ext); 5577 nft_setelem_data_activate(ctx->net, set, elem_priv); 5578 5579 return 0; 5580 } 5581 5582 static void nft_map_catchall_activate(const struct nft_ctx *ctx, 5583 struct nft_set *set) 5584 { 5585 u8 genmask = nft_genmask_next(ctx->net); 5586 struct nft_set_elem_catchall *catchall; 5587 struct nft_set_ext *ext; 5588 5589 list_for_each_entry(catchall, &set->catchall_list, list) { 5590 ext = nft_set_elem_ext(set, catchall->elem); 5591 if (!nft_set_elem_active(ext, genmask)) 5592 continue; 5593 5594 nft_clear(ctx->net, ext); 5595 nft_setelem_data_activate(ctx->net, set, catchall->elem); 5596 break; 5597 } 5598 } 5599 5600 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set) 5601 { 5602 struct nft_set_iter iter = { 5603 .genmask = nft_genmask_next(ctx->net), 5604 .type = NFT_ITER_UPDATE, 5605 .fn = nft_mapelem_activate, 5606 }; 5607 5608 set->ops->walk(ctx, set, &iter); 5609 WARN_ON_ONCE(iter.err); 5610 5611 nft_map_catchall_activate(ctx, set); 5612 } 5613 5614 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) 5615 { 5616 if (nft_set_is_anonymous(set)) { 5617 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5618 nft_map_activate(ctx, set); 5619 5620 nft_clear(ctx->net, set); 5621 } 5622 5623 nft_use_inc_restore(&set->use); 5624 } 5625 EXPORT_SYMBOL_GPL(nf_tables_activate_set); 5626 5627 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 5628 struct nft_set_binding *binding, 5629 enum nft_trans_phase phase) 5630 { 5631 switch (phase) { 5632 case NFT_TRANS_PREPARE_ERROR: 5633 nft_set_trans_unbind(ctx, set); 5634 if (nft_set_is_anonymous(set)) 5635 nft_deactivate_next(ctx->net, set); 5636 else 5637 list_del_rcu(&binding->list); 5638 5639 nft_use_dec(&set->use); 5640 break; 5641 case NFT_TRANS_PREPARE: 5642 if (nft_set_is_anonymous(set)) { 5643 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5644 nft_map_deactivate(ctx, set); 5645 5646 nft_deactivate_next(ctx->net, set); 5647 } 5648 nft_use_dec(&set->use); 5649 return; 5650 case NFT_TRANS_ABORT: 5651 case NFT_TRANS_RELEASE: 5652 if (nft_set_is_anonymous(set) && 5653 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5654 nft_map_deactivate(ctx, set); 5655 5656 nft_use_dec(&set->use); 5657 fallthrough; 5658 default: 5659 nf_tables_unbind_set(ctx, set, binding, 5660 phase == NFT_TRANS_COMMIT); 5661 } 5662 } 5663 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 5664 5665 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 5666 { 5667 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 5668 nft_set_destroy(ctx, set); 5669 } 5670 EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 5671 5672 const struct nft_set_ext_type nft_set_ext_types[] = { 5673 [NFT_SET_EXT_KEY] = { 5674 .align = __alignof__(u32), 5675 }, 5676 [NFT_SET_EXT_DATA] = { 5677 .align = __alignof__(u32), 5678 }, 5679 [NFT_SET_EXT_EXPRESSIONS] = { 5680 .align = __alignof__(struct nft_set_elem_expr), 5681 }, 5682 [NFT_SET_EXT_OBJREF] = { 5683 .len = sizeof(struct nft_object *), 5684 .align = __alignof__(struct nft_object *), 5685 }, 5686 [NFT_SET_EXT_FLAGS] = { 5687 .len = sizeof(u8), 5688 .align = __alignof__(u8), 5689 }, 5690 [NFT_SET_EXT_TIMEOUT] = { 5691 .len = sizeof(u64), 5692 .align = __alignof__(u64), 5693 }, 5694 [NFT_SET_EXT_EXPIRATION] = { 5695 .len = sizeof(u64), 5696 .align = __alignof__(u64), 5697 }, 5698 [NFT_SET_EXT_USERDATA] = { 5699 .len = sizeof(struct nft_userdata), 5700 .align = __alignof__(struct nft_userdata), 5701 }, 5702 [NFT_SET_EXT_KEY_END] = { 5703 .align = __alignof__(u32), 5704 }, 5705 }; 5706 5707 /* 5708 * Set elements 5709 */ 5710 5711 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 5712 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 5713 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 5714 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 5715 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 5716 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 5717 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 5718 .len = NFT_USERDATA_MAXLEN }, 5719 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 5720 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 5721 .len = NFT_OBJ_MAXNAMELEN - 1 }, 5722 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 5723 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy), 5724 }; 5725 5726 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 5727 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 5728 .len = NFT_TABLE_MAXNAMELEN - 1 }, 5729 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 5730 .len = NFT_SET_MAXNAMELEN - 1 }, 5731 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy), 5732 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 5733 }; 5734 5735 static int nft_set_elem_expr_dump(struct sk_buff *skb, 5736 const struct nft_set *set, 5737 const struct nft_set_ext *ext, 5738 bool reset) 5739 { 5740 struct nft_set_elem_expr *elem_expr; 5741 u32 size, num_exprs = 0; 5742 struct nft_expr *expr; 5743 struct nlattr *nest; 5744 5745 elem_expr = nft_set_ext_expr(ext); 5746 nft_setelem_expr_foreach(expr, elem_expr, size) 5747 num_exprs++; 5748 5749 if (num_exprs == 1) { 5750 expr = nft_setelem_expr_at(elem_expr, 0); 5751 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0) 5752 return -1; 5753 5754 return 0; 5755 } else if (num_exprs > 1) { 5756 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS); 5757 if (nest == NULL) 5758 goto nla_put_failure; 5759 5760 nft_setelem_expr_foreach(expr, elem_expr, size) { 5761 expr = nft_setelem_expr_at(elem_expr, size); 5762 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0) 5763 goto nla_put_failure; 5764 } 5765 nla_nest_end(skb, nest); 5766 } 5767 return 0; 5768 5769 nla_put_failure: 5770 return -1; 5771 } 5772 5773 static int nf_tables_fill_setelem(struct sk_buff *skb, 5774 const struct nft_set *set, 5775 const struct nft_elem_priv *elem_priv, 5776 bool reset) 5777 { 5778 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5779 unsigned char *b = skb_tail_pointer(skb); 5780 struct nlattr *nest; 5781 5782 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 5783 if (nest == NULL) 5784 goto nla_put_failure; 5785 5786 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 5787 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 5788 NFT_DATA_VALUE, set->klen) < 0) 5789 goto nla_put_failure; 5790 5791 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 5792 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 5793 NFT_DATA_VALUE, set->klen) < 0) 5794 goto nla_put_failure; 5795 5796 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 5797 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 5798 nft_set_datatype(set), set->dlen) < 0) 5799 goto nla_put_failure; 5800 5801 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) && 5802 nft_set_elem_expr_dump(skb, set, ext, reset)) 5803 goto nla_put_failure; 5804 5805 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 5806 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 5807 (*nft_set_ext_obj(ext))->key.name) < 0) 5808 goto nla_put_failure; 5809 5810 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 5811 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 5812 htonl(*nft_set_ext_flags(ext)))) 5813 goto nla_put_failure; 5814 5815 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 5816 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 5817 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)), 5818 NFTA_SET_ELEM_PAD)) 5819 goto nla_put_failure; 5820 5821 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 5822 u64 expires, now = get_jiffies_64(); 5823 5824 expires = *nft_set_ext_expiration(ext); 5825 if (time_before64(now, expires)) 5826 expires -= now; 5827 else 5828 expires = 0; 5829 5830 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 5831 nf_jiffies64_to_msecs(expires), 5832 NFTA_SET_ELEM_PAD)) 5833 goto nla_put_failure; 5834 } 5835 5836 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 5837 struct nft_userdata *udata; 5838 5839 udata = nft_set_ext_userdata(ext); 5840 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 5841 udata->len + 1, udata->data)) 5842 goto nla_put_failure; 5843 } 5844 5845 nla_nest_end(skb, nest); 5846 return 0; 5847 5848 nla_put_failure: 5849 nlmsg_trim(skb, b); 5850 return -EMSGSIZE; 5851 } 5852 5853 struct nft_set_dump_args { 5854 const struct netlink_callback *cb; 5855 struct nft_set_iter iter; 5856 struct sk_buff *skb; 5857 bool reset; 5858 }; 5859 5860 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 5861 struct nft_set *set, 5862 const struct nft_set_iter *iter, 5863 struct nft_elem_priv *elem_priv) 5864 { 5865 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5866 struct nft_set_dump_args *args; 5867 5868 if (!nft_set_elem_active(ext, iter->genmask)) 5869 return 0; 5870 5871 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) 5872 return 0; 5873 5874 args = container_of(iter, struct nft_set_dump_args, iter); 5875 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset); 5876 } 5877 5878 static void audit_log_nft_set_reset(const struct nft_table *table, 5879 unsigned int base_seq, 5880 unsigned int nentries) 5881 { 5882 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq); 5883 5884 audit_log_nfcfg(buf, table->family, nentries, 5885 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC); 5886 kfree(buf); 5887 } 5888 5889 struct nft_set_dump_ctx { 5890 const struct nft_set *set; 5891 struct nft_ctx ctx; 5892 bool reset; 5893 }; 5894 5895 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb, 5896 const struct nft_set *set, bool reset, 5897 unsigned int base_seq) 5898 { 5899 struct nft_set_elem_catchall *catchall; 5900 u8 genmask = nft_genmask_cur(net); 5901 struct nft_set_ext *ext; 5902 int ret = 0; 5903 5904 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5905 ext = nft_set_elem_ext(set, catchall->elem); 5906 if (!nft_set_elem_active(ext, genmask) || 5907 nft_set_elem_expired(ext)) 5908 continue; 5909 5910 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset); 5911 if (reset && !ret) 5912 audit_log_nft_set_reset(set->table, base_seq, 1); 5913 break; 5914 } 5915 5916 return ret; 5917 } 5918 5919 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 5920 { 5921 struct nft_set_dump_ctx *dump_ctx = cb->data; 5922 struct net *net = sock_net(skb->sk); 5923 struct nftables_pernet *nft_net; 5924 struct nft_table *table; 5925 struct nft_set *set; 5926 struct nft_set_dump_args args; 5927 bool set_found = false; 5928 struct nlmsghdr *nlh; 5929 struct nlattr *nest; 5930 u32 portid, seq; 5931 int event; 5932 5933 rcu_read_lock(); 5934 nft_net = nft_pernet(net); 5935 cb->seq = READ_ONCE(nft_net->base_seq); 5936 5937 list_for_each_entry_rcu(table, &nft_net->tables, list) { 5938 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 5939 dump_ctx->ctx.family != table->family) 5940 continue; 5941 5942 if (table != dump_ctx->ctx.table) 5943 continue; 5944 5945 list_for_each_entry_rcu(set, &table->sets, list) { 5946 if (set == dump_ctx->set) { 5947 set_found = true; 5948 break; 5949 } 5950 } 5951 break; 5952 } 5953 5954 if (!set_found) { 5955 rcu_read_unlock(); 5956 return -ENOENT; 5957 } 5958 5959 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 5960 portid = NETLINK_CB(cb->skb).portid; 5961 seq = cb->nlh->nlmsg_seq; 5962 5963 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, 5964 table->family, NFNETLINK_V0, nft_base_seq(net)); 5965 if (!nlh) 5966 goto nla_put_failure; 5967 5968 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 5969 goto nla_put_failure; 5970 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 5971 goto nla_put_failure; 5972 5973 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 5974 if (nest == NULL) 5975 goto nla_put_failure; 5976 5977 args.cb = cb; 5978 args.skb = skb; 5979 args.reset = dump_ctx->reset; 5980 args.iter.genmask = nft_genmask_cur(net); 5981 args.iter.type = NFT_ITER_READ; 5982 args.iter.skip = cb->args[0]; 5983 args.iter.count = 0; 5984 args.iter.err = 0; 5985 args.iter.fn = nf_tables_dump_setelem; 5986 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 5987 5988 if (!args.iter.err && args.iter.count == cb->args[0]) 5989 args.iter.err = nft_set_catchall_dump(net, skb, set, 5990 dump_ctx->reset, cb->seq); 5991 nla_nest_end(skb, nest); 5992 nlmsg_end(skb, nlh); 5993 5994 rcu_read_unlock(); 5995 5996 if (args.iter.err && args.iter.err != -EMSGSIZE) 5997 return args.iter.err; 5998 if (args.iter.count == cb->args[0]) 5999 return 0; 6000 6001 cb->args[0] = args.iter.count; 6002 return skb->len; 6003 6004 nla_put_failure: 6005 rcu_read_unlock(); 6006 return -ENOSPC; 6007 } 6008 6009 static int nf_tables_dumpreset_set(struct sk_buff *skb, 6010 struct netlink_callback *cb) 6011 { 6012 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk)); 6013 struct nft_set_dump_ctx *dump_ctx = cb->data; 6014 int ret, skip = cb->args[0]; 6015 6016 mutex_lock(&nft_net->commit_mutex); 6017 6018 ret = nf_tables_dump_set(skb, cb); 6019 6020 if (cb->args[0] > skip) 6021 audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq, 6022 cb->args[0] - skip); 6023 6024 mutex_unlock(&nft_net->commit_mutex); 6025 6026 return ret; 6027 } 6028 6029 static int nf_tables_dump_set_start(struct netlink_callback *cb) 6030 { 6031 struct nft_set_dump_ctx *dump_ctx = cb->data; 6032 6033 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 6034 6035 return cb->data ? 0 : -ENOMEM; 6036 } 6037 6038 static int nf_tables_dump_set_done(struct netlink_callback *cb) 6039 { 6040 kfree(cb->data); 6041 return 0; 6042 } 6043 6044 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 6045 const struct nft_ctx *ctx, u32 seq, 6046 u32 portid, int event, u16 flags, 6047 const struct nft_set *set, 6048 const struct nft_elem_priv *elem_priv, 6049 bool reset) 6050 { 6051 struct nlmsghdr *nlh; 6052 struct nlattr *nest; 6053 int err; 6054 6055 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6056 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 6057 NFNETLINK_V0, nft_base_seq(ctx->net)); 6058 if (!nlh) 6059 goto nla_put_failure; 6060 6061 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 6062 goto nla_put_failure; 6063 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 6064 goto nla_put_failure; 6065 6066 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 6067 if (nest == NULL) 6068 goto nla_put_failure; 6069 6070 err = nf_tables_fill_setelem(skb, set, elem_priv, reset); 6071 if (err < 0) 6072 goto nla_put_failure; 6073 6074 nla_nest_end(skb, nest); 6075 6076 nlmsg_end(skb, nlh); 6077 return 0; 6078 6079 nla_put_failure: 6080 nlmsg_trim(skb, nlh); 6081 return -1; 6082 } 6083 6084 static int nft_setelem_parse_flags(const struct nft_set *set, 6085 const struct nlattr *attr, u32 *flags) 6086 { 6087 if (attr == NULL) 6088 return 0; 6089 6090 *flags = ntohl(nla_get_be32(attr)); 6091 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 6092 return -EOPNOTSUPP; 6093 if (!(set->flags & NFT_SET_INTERVAL) && 6094 *flags & NFT_SET_ELEM_INTERVAL_END) 6095 return -EINVAL; 6096 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) == 6097 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 6098 return -EINVAL; 6099 6100 return 0; 6101 } 6102 6103 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set, 6104 struct nft_data *key, struct nlattr *attr) 6105 { 6106 struct nft_data_desc desc = { 6107 .type = NFT_DATA_VALUE, 6108 .size = NFT_DATA_VALUE_MAXLEN, 6109 .len = set->klen, 6110 }; 6111 6112 return nft_data_init(ctx, key, &desc, attr); 6113 } 6114 6115 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 6116 struct nft_data_desc *desc, 6117 struct nft_data *data, 6118 struct nlattr *attr) 6119 { 6120 u32 dtype; 6121 6122 if (set->dtype == NFT_DATA_VERDICT) 6123 dtype = NFT_DATA_VERDICT; 6124 else 6125 dtype = NFT_DATA_VALUE; 6126 6127 desc->type = dtype; 6128 desc->size = NFT_DATA_VALUE_MAXLEN; 6129 desc->len = set->dlen; 6130 desc->flags = NFT_DATA_DESC_SETELEM; 6131 6132 return nft_data_init(ctx, data, desc, attr); 6133 } 6134 6135 static void *nft_setelem_catchall_get(const struct net *net, 6136 const struct nft_set *set) 6137 { 6138 struct nft_set_elem_catchall *catchall; 6139 u8 genmask = nft_genmask_cur(net); 6140 struct nft_set_ext *ext; 6141 void *priv = NULL; 6142 6143 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6144 ext = nft_set_elem_ext(set, catchall->elem); 6145 if (!nft_set_elem_active(ext, genmask) || 6146 nft_set_elem_expired(ext)) 6147 continue; 6148 6149 priv = catchall->elem; 6150 break; 6151 } 6152 6153 return priv; 6154 } 6155 6156 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set, 6157 struct nft_set_elem *elem, u32 flags) 6158 { 6159 void *priv; 6160 6161 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 6162 priv = set->ops->get(ctx->net, set, elem, flags); 6163 if (IS_ERR(priv)) 6164 return PTR_ERR(priv); 6165 } else { 6166 priv = nft_setelem_catchall_get(ctx->net, set); 6167 if (!priv) 6168 return -ENOENT; 6169 } 6170 elem->priv = priv; 6171 6172 return 0; 6173 } 6174 6175 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set, 6176 const struct nlattr *attr, bool reset) 6177 { 6178 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 6179 struct nft_set_elem elem; 6180 struct sk_buff *skb; 6181 uint32_t flags = 0; 6182 int err; 6183 6184 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 6185 nft_set_elem_policy, NULL); 6186 if (err < 0) 6187 return err; 6188 6189 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 6190 if (err < 0) 6191 return err; 6192 6193 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 6194 return -EINVAL; 6195 6196 if (nla[NFTA_SET_ELEM_KEY]) { 6197 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 6198 nla[NFTA_SET_ELEM_KEY]); 6199 if (err < 0) 6200 return err; 6201 } 6202 6203 if (nla[NFTA_SET_ELEM_KEY_END]) { 6204 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 6205 nla[NFTA_SET_ELEM_KEY_END]); 6206 if (err < 0) 6207 return err; 6208 } 6209 6210 err = nft_setelem_get(ctx, set, &elem, flags); 6211 if (err < 0) 6212 return err; 6213 6214 err = -ENOMEM; 6215 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 6216 if (skb == NULL) 6217 return err; 6218 6219 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 6220 NFT_MSG_NEWSETELEM, 0, set, elem.priv, 6221 reset); 6222 if (err < 0) 6223 goto err_fill_setelem; 6224 6225 return nfnetlink_unicast(skb, ctx->net, ctx->portid); 6226 6227 err_fill_setelem: 6228 kfree_skb(skb); 6229 return err; 6230 } 6231 6232 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx, 6233 const struct sk_buff *skb, 6234 const struct nfnl_info *info, 6235 const struct nlattr * const nla[], 6236 bool reset) 6237 { 6238 struct netlink_ext_ack *extack = info->extack; 6239 u8 genmask = nft_genmask_cur(info->net); 6240 u8 family = info->nfmsg->nfgen_family; 6241 struct net *net = info->net; 6242 struct nft_table *table; 6243 struct nft_set *set; 6244 6245 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6246 genmask, 0); 6247 if (IS_ERR(table)) { 6248 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6249 return PTR_ERR(table); 6250 } 6251 6252 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 6253 if (IS_ERR(set)) { 6254 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); 6255 return PTR_ERR(set); 6256 } 6257 6258 nft_ctx_init(&dump_ctx->ctx, net, skb, 6259 info->nlh, family, table, NULL, nla); 6260 dump_ctx->set = set; 6261 dump_ctx->reset = reset; 6262 return 0; 6263 } 6264 6265 /* called with rcu_read_lock held */ 6266 static int nf_tables_getsetelem(struct sk_buff *skb, 6267 const struct nfnl_info *info, 6268 const struct nlattr * const nla[]) 6269 { 6270 struct netlink_ext_ack *extack = info->extack; 6271 struct nft_set_dump_ctx dump_ctx; 6272 struct nlattr *attr; 6273 int rem, err = 0; 6274 6275 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 6276 struct netlink_dump_control c = { 6277 .start = nf_tables_dump_set_start, 6278 .dump = nf_tables_dump_set, 6279 .done = nf_tables_dump_set_done, 6280 .module = THIS_MODULE, 6281 }; 6282 6283 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false); 6284 if (err) 6285 return err; 6286 6287 c.data = &dump_ctx; 6288 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 6289 } 6290 6291 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 6292 return -EINVAL; 6293 6294 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false); 6295 if (err) 6296 return err; 6297 6298 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6299 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, false); 6300 if (err < 0) { 6301 NL_SET_BAD_ATTR(extack, attr); 6302 break; 6303 } 6304 } 6305 6306 return err; 6307 } 6308 6309 static int nf_tables_getsetelem_reset(struct sk_buff *skb, 6310 const struct nfnl_info *info, 6311 const struct nlattr * const nla[]) 6312 { 6313 struct nftables_pernet *nft_net = nft_pernet(info->net); 6314 struct netlink_ext_ack *extack = info->extack; 6315 struct nft_set_dump_ctx dump_ctx; 6316 int rem, err = 0, nelems = 0; 6317 struct nlattr *attr; 6318 6319 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 6320 struct netlink_dump_control c = { 6321 .start = nf_tables_dump_set_start, 6322 .dump = nf_tables_dumpreset_set, 6323 .done = nf_tables_dump_set_done, 6324 .module = THIS_MODULE, 6325 }; 6326 6327 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true); 6328 if (err) 6329 return err; 6330 6331 c.data = &dump_ctx; 6332 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 6333 } 6334 6335 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 6336 return -EINVAL; 6337 6338 if (!try_module_get(THIS_MODULE)) 6339 return -EINVAL; 6340 rcu_read_unlock(); 6341 mutex_lock(&nft_net->commit_mutex); 6342 rcu_read_lock(); 6343 6344 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true); 6345 if (err) 6346 goto out_unlock; 6347 6348 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6349 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, true); 6350 if (err < 0) { 6351 NL_SET_BAD_ATTR(extack, attr); 6352 break; 6353 } 6354 nelems++; 6355 } 6356 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_net->base_seq, nelems); 6357 6358 out_unlock: 6359 rcu_read_unlock(); 6360 mutex_unlock(&nft_net->commit_mutex); 6361 rcu_read_lock(); 6362 module_put(THIS_MODULE); 6363 6364 return err; 6365 } 6366 6367 static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 6368 const struct nft_set *set, 6369 const struct nft_elem_priv *elem_priv, 6370 int event) 6371 { 6372 struct nftables_pernet *nft_net; 6373 struct net *net = ctx->net; 6374 u32 portid = ctx->portid; 6375 struct sk_buff *skb; 6376 u16 flags = 0; 6377 int err; 6378 6379 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 6380 return; 6381 6382 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 6383 if (skb == NULL) 6384 goto err; 6385 6386 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 6387 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 6388 6389 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 6390 set, elem_priv, false); 6391 if (err < 0) { 6392 kfree_skb(skb); 6393 goto err; 6394 } 6395 6396 nft_net = nft_pernet(net); 6397 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 6398 return; 6399 err: 6400 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 6401 } 6402 6403 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 6404 int msg_type, 6405 struct nft_set *set) 6406 { 6407 struct nft_trans *trans; 6408 6409 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 6410 if (trans == NULL) 6411 return NULL; 6412 6413 nft_trans_elem_set(trans) = set; 6414 return trans; 6415 } 6416 6417 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 6418 const struct nft_set *set, 6419 const struct nlattr *attr) 6420 { 6421 struct nft_expr *expr; 6422 int err; 6423 6424 expr = nft_expr_init(ctx, attr); 6425 if (IS_ERR(expr)) 6426 return expr; 6427 6428 err = -EOPNOTSUPP; 6429 if (expr->ops->type->flags & NFT_EXPR_GC) { 6430 if (set->flags & NFT_SET_TIMEOUT) 6431 goto err_set_elem_expr; 6432 if (!set->ops->gc_init) 6433 goto err_set_elem_expr; 6434 set->ops->gc_init(set); 6435 } 6436 6437 return expr; 6438 6439 err_set_elem_expr: 6440 nft_expr_destroy(ctx, expr); 6441 return ERR_PTR(err); 6442 } 6443 6444 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len) 6445 { 6446 len += nft_set_ext_types[id].len; 6447 if (len > tmpl->ext_len[id] || 6448 len > U8_MAX) 6449 return -1; 6450 6451 return 0; 6452 } 6453 6454 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id, 6455 void *to, const void *from, u32 len) 6456 { 6457 if (nft_set_ext_check(tmpl, id, len) < 0) 6458 return -1; 6459 6460 memcpy(to, from, len); 6461 6462 return 0; 6463 } 6464 6465 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set, 6466 const struct nft_set_ext_tmpl *tmpl, 6467 const u32 *key, const u32 *key_end, 6468 const u32 *data, 6469 u64 timeout, u64 expiration, gfp_t gfp) 6470 { 6471 struct nft_set_ext *ext; 6472 void *elem; 6473 6474 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 6475 if (elem == NULL) 6476 return ERR_PTR(-ENOMEM); 6477 6478 ext = nft_set_elem_ext(set, elem); 6479 nft_set_ext_init(ext, tmpl); 6480 6481 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 6482 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY, 6483 nft_set_ext_key(ext), key, set->klen) < 0) 6484 goto err_ext_check; 6485 6486 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 6487 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END, 6488 nft_set_ext_key_end(ext), key_end, set->klen) < 0) 6489 goto err_ext_check; 6490 6491 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 6492 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA, 6493 nft_set_ext_data(ext), data, set->dlen) < 0) 6494 goto err_ext_check; 6495 6496 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 6497 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration; 6498 if (expiration == 0) 6499 *nft_set_ext_expiration(ext) += timeout; 6500 } 6501 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 6502 *nft_set_ext_timeout(ext) = timeout; 6503 6504 return elem; 6505 6506 err_ext_check: 6507 kfree(elem); 6508 6509 return ERR_PTR(-EINVAL); 6510 } 6511 6512 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 6513 struct nft_expr *expr) 6514 { 6515 if (expr->ops->destroy_clone) { 6516 expr->ops->destroy_clone(ctx, expr); 6517 module_put(expr->ops->type->owner); 6518 } else { 6519 nf_tables_expr_destroy(ctx, expr); 6520 } 6521 } 6522 6523 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 6524 struct nft_set_elem_expr *elem_expr) 6525 { 6526 struct nft_expr *expr; 6527 u32 size; 6528 6529 nft_setelem_expr_foreach(expr, elem_expr, size) 6530 __nft_set_elem_expr_destroy(ctx, expr); 6531 } 6532 6533 /* Drop references and destroy. Called from gc, dynset and abort path. */ 6534 void nft_set_elem_destroy(const struct nft_set *set, 6535 const struct nft_elem_priv *elem_priv, 6536 bool destroy_expr) 6537 { 6538 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6539 struct nft_ctx ctx = { 6540 .net = read_pnet(&set->net), 6541 .family = set->table->family, 6542 }; 6543 6544 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 6545 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6546 nft_data_release(nft_set_ext_data(ext), set->dtype); 6547 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 6548 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext)); 6549 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6550 nft_use_dec(&(*nft_set_ext_obj(ext))->use); 6551 6552 kfree(elem_priv); 6553 } 6554 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 6555 6556 /* Destroy element. References have been already dropped in the preparation 6557 * path via nft_setelem_data_deactivate(). 6558 */ 6559 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 6560 const struct nft_set *set, 6561 const struct nft_elem_priv *elem_priv) 6562 { 6563 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6564 6565 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 6566 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 6567 6568 kfree(elem_priv); 6569 } 6570 6571 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, 6572 struct nft_expr *expr_array[]) 6573 { 6574 struct nft_expr *expr; 6575 int err, i, k; 6576 6577 for (i = 0; i < set->num_exprs; i++) { 6578 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT); 6579 if (!expr) 6580 goto err_expr; 6581 6582 err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT); 6583 if (err < 0) { 6584 kfree(expr); 6585 goto err_expr; 6586 } 6587 expr_array[i] = expr; 6588 } 6589 6590 return 0; 6591 6592 err_expr: 6593 for (k = i - 1; k >= 0; k--) 6594 nft_expr_destroy(ctx, expr_array[k]); 6595 6596 return -ENOMEM; 6597 } 6598 6599 static int nft_set_elem_expr_setup(struct nft_ctx *ctx, 6600 const struct nft_set_ext_tmpl *tmpl, 6601 const struct nft_set_ext *ext, 6602 struct nft_expr *expr_array[], 6603 u32 num_exprs) 6604 { 6605 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); 6606 u32 len = sizeof(struct nft_set_elem_expr); 6607 struct nft_expr *expr; 6608 int i, err; 6609 6610 if (num_exprs == 0) 6611 return 0; 6612 6613 for (i = 0; i < num_exprs; i++) 6614 len += expr_array[i]->ops->size; 6615 6616 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0) 6617 return -EINVAL; 6618 6619 for (i = 0; i < num_exprs; i++) { 6620 expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 6621 err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT); 6622 if (err < 0) 6623 goto err_elem_expr_setup; 6624 6625 elem_expr->size += expr_array[i]->ops->size; 6626 nft_expr_destroy(ctx, expr_array[i]); 6627 expr_array[i] = NULL; 6628 } 6629 6630 return 0; 6631 6632 err_elem_expr_setup: 6633 for (; i < num_exprs; i++) { 6634 nft_expr_destroy(ctx, expr_array[i]); 6635 expr_array[i] = NULL; 6636 } 6637 6638 return -ENOMEM; 6639 } 6640 6641 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net, 6642 const struct nft_set *set) 6643 { 6644 struct nft_set_elem_catchall *catchall; 6645 u8 genmask = nft_genmask_cur(net); 6646 struct nft_set_ext *ext; 6647 6648 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6649 ext = nft_set_elem_ext(set, catchall->elem); 6650 if (nft_set_elem_active(ext, genmask) && 6651 !nft_set_elem_expired(ext) && 6652 !nft_set_elem_is_dead(ext)) 6653 return ext; 6654 } 6655 6656 return NULL; 6657 } 6658 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup); 6659 6660 static int nft_setelem_catchall_insert(const struct net *net, 6661 struct nft_set *set, 6662 const struct nft_set_elem *elem, 6663 struct nft_elem_priv **priv) 6664 { 6665 struct nft_set_elem_catchall *catchall; 6666 u8 genmask = nft_genmask_next(net); 6667 struct nft_set_ext *ext; 6668 6669 list_for_each_entry(catchall, &set->catchall_list, list) { 6670 ext = nft_set_elem_ext(set, catchall->elem); 6671 if (nft_set_elem_active(ext, genmask)) { 6672 *priv = catchall->elem; 6673 return -EEXIST; 6674 } 6675 } 6676 6677 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL); 6678 if (!catchall) 6679 return -ENOMEM; 6680 6681 catchall->elem = elem->priv; 6682 list_add_tail_rcu(&catchall->list, &set->catchall_list); 6683 6684 return 0; 6685 } 6686 6687 static int nft_setelem_insert(const struct net *net, 6688 struct nft_set *set, 6689 const struct nft_set_elem *elem, 6690 struct nft_elem_priv **elem_priv, 6691 unsigned int flags) 6692 { 6693 int ret; 6694 6695 if (flags & NFT_SET_ELEM_CATCHALL) 6696 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv); 6697 else 6698 ret = set->ops->insert(net, set, elem, elem_priv); 6699 6700 return ret; 6701 } 6702 6703 static bool nft_setelem_is_catchall(const struct nft_set *set, 6704 const struct nft_elem_priv *elem_priv) 6705 { 6706 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6707 6708 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 6709 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL) 6710 return true; 6711 6712 return false; 6713 } 6714 6715 static void nft_setelem_activate(struct net *net, struct nft_set *set, 6716 struct nft_elem_priv *elem_priv) 6717 { 6718 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6719 6720 if (nft_setelem_is_catchall(set, elem_priv)) { 6721 nft_clear(net, ext); 6722 } else { 6723 set->ops->activate(net, set, elem_priv); 6724 } 6725 } 6726 6727 static int nft_setelem_catchall_deactivate(const struct net *net, 6728 struct nft_set *set, 6729 struct nft_set_elem *elem) 6730 { 6731 struct nft_set_elem_catchall *catchall; 6732 struct nft_set_ext *ext; 6733 6734 list_for_each_entry(catchall, &set->catchall_list, list) { 6735 ext = nft_set_elem_ext(set, catchall->elem); 6736 if (!nft_is_active_next(net, ext)) 6737 continue; 6738 6739 kfree(elem->priv); 6740 elem->priv = catchall->elem; 6741 nft_set_elem_change_active(net, set, ext); 6742 return 0; 6743 } 6744 6745 return -ENOENT; 6746 } 6747 6748 static int __nft_setelem_deactivate(const struct net *net, 6749 struct nft_set *set, 6750 struct nft_set_elem *elem) 6751 { 6752 void *priv; 6753 6754 priv = set->ops->deactivate(net, set, elem); 6755 if (!priv) 6756 return -ENOENT; 6757 6758 kfree(elem->priv); 6759 elem->priv = priv; 6760 set->ndeact++; 6761 6762 return 0; 6763 } 6764 6765 static int nft_setelem_deactivate(const struct net *net, 6766 struct nft_set *set, 6767 struct nft_set_elem *elem, u32 flags) 6768 { 6769 int ret; 6770 6771 if (flags & NFT_SET_ELEM_CATCHALL) 6772 ret = nft_setelem_catchall_deactivate(net, set, elem); 6773 else 6774 ret = __nft_setelem_deactivate(net, set, elem); 6775 6776 return ret; 6777 } 6778 6779 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall) 6780 { 6781 list_del_rcu(&catchall->list); 6782 kfree_rcu(catchall, rcu); 6783 } 6784 6785 static void nft_setelem_catchall_remove(const struct net *net, 6786 const struct nft_set *set, 6787 struct nft_elem_priv *elem_priv) 6788 { 6789 struct nft_set_elem_catchall *catchall, *next; 6790 6791 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 6792 if (catchall->elem == elem_priv) { 6793 nft_setelem_catchall_destroy(catchall); 6794 break; 6795 } 6796 } 6797 } 6798 6799 static void nft_setelem_remove(const struct net *net, 6800 const struct nft_set *set, 6801 struct nft_elem_priv *elem_priv) 6802 { 6803 if (nft_setelem_is_catchall(set, elem_priv)) 6804 nft_setelem_catchall_remove(net, set, elem_priv); 6805 else 6806 set->ops->remove(net, set, elem_priv); 6807 } 6808 6809 static bool nft_setelem_valid_key_end(const struct nft_set *set, 6810 struct nlattr **nla, u32 flags) 6811 { 6812 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) == 6813 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) { 6814 if (flags & NFT_SET_ELEM_INTERVAL_END) 6815 return false; 6816 6817 if (nla[NFTA_SET_ELEM_KEY_END] && 6818 flags & NFT_SET_ELEM_CATCHALL) 6819 return false; 6820 } else { 6821 if (nla[NFTA_SET_ELEM_KEY_END]) 6822 return false; 6823 } 6824 6825 return true; 6826 } 6827 6828 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 6829 const struct nlattr *attr, u32 nlmsg_flags) 6830 { 6831 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {}; 6832 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 6833 u8 genmask = nft_genmask_next(ctx->net); 6834 u32 flags = 0, size = 0, num_exprs = 0; 6835 struct nft_set_ext_tmpl tmpl; 6836 struct nft_set_ext *ext, *ext2; 6837 struct nft_set_elem elem; 6838 struct nft_set_binding *binding; 6839 struct nft_elem_priv *elem_priv; 6840 struct nft_object *obj = NULL; 6841 struct nft_userdata *udata; 6842 struct nft_data_desc desc; 6843 enum nft_registers dreg; 6844 struct nft_trans *trans; 6845 u64 expiration; 6846 u64 timeout; 6847 int err, i; 6848 u8 ulen; 6849 6850 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 6851 nft_set_elem_policy, NULL); 6852 if (err < 0) 6853 return err; 6854 6855 nft_set_ext_prepare(&tmpl); 6856 6857 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 6858 if (err < 0) 6859 return err; 6860 6861 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) || 6862 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY])) 6863 return -EINVAL; 6864 6865 if (flags != 0) { 6866 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 6867 if (err < 0) 6868 return err; 6869 } 6870 6871 if (set->flags & NFT_SET_MAP) { 6872 if (nla[NFTA_SET_ELEM_DATA] == NULL && 6873 !(flags & NFT_SET_ELEM_INTERVAL_END)) 6874 return -EINVAL; 6875 } else { 6876 if (nla[NFTA_SET_ELEM_DATA] != NULL) 6877 return -EINVAL; 6878 } 6879 6880 if (set->flags & NFT_SET_OBJECT) { 6881 if (!nla[NFTA_SET_ELEM_OBJREF] && 6882 !(flags & NFT_SET_ELEM_INTERVAL_END)) 6883 return -EINVAL; 6884 } else { 6885 if (nla[NFTA_SET_ELEM_OBJREF]) 6886 return -EINVAL; 6887 } 6888 6889 if (!nft_setelem_valid_key_end(set, nla, flags)) 6890 return -EINVAL; 6891 6892 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 6893 (nla[NFTA_SET_ELEM_DATA] || 6894 nla[NFTA_SET_ELEM_OBJREF] || 6895 nla[NFTA_SET_ELEM_TIMEOUT] || 6896 nla[NFTA_SET_ELEM_EXPIRATION] || 6897 nla[NFTA_SET_ELEM_USERDATA] || 6898 nla[NFTA_SET_ELEM_EXPR] || 6899 nla[NFTA_SET_ELEM_KEY_END] || 6900 nla[NFTA_SET_ELEM_EXPRESSIONS])) 6901 return -EINVAL; 6902 6903 timeout = 0; 6904 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 6905 if (!(set->flags & NFT_SET_TIMEOUT)) 6906 return -EINVAL; 6907 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 6908 &timeout); 6909 if (err) 6910 return err; 6911 } else if (set->flags & NFT_SET_TIMEOUT && 6912 !(flags & NFT_SET_ELEM_INTERVAL_END)) { 6913 timeout = READ_ONCE(set->timeout); 6914 } 6915 6916 expiration = 0; 6917 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 6918 if (!(set->flags & NFT_SET_TIMEOUT)) 6919 return -EINVAL; 6920 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 6921 &expiration); 6922 if (err) 6923 return err; 6924 } 6925 6926 if (nla[NFTA_SET_ELEM_EXPR]) { 6927 struct nft_expr *expr; 6928 6929 if (set->num_exprs && set->num_exprs != 1) 6930 return -EOPNOTSUPP; 6931 6932 expr = nft_set_elem_expr_alloc(ctx, set, 6933 nla[NFTA_SET_ELEM_EXPR]); 6934 if (IS_ERR(expr)) 6935 return PTR_ERR(expr); 6936 6937 expr_array[0] = expr; 6938 num_exprs = 1; 6939 6940 if (set->num_exprs && set->exprs[0]->ops != expr->ops) { 6941 err = -EOPNOTSUPP; 6942 goto err_set_elem_expr; 6943 } 6944 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) { 6945 struct nft_expr *expr; 6946 struct nlattr *tmp; 6947 int left; 6948 6949 i = 0; 6950 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) { 6951 if (i == NFT_SET_EXPR_MAX || 6952 (set->num_exprs && set->num_exprs == i)) { 6953 err = -E2BIG; 6954 goto err_set_elem_expr; 6955 } 6956 if (nla_type(tmp) != NFTA_LIST_ELEM) { 6957 err = -EINVAL; 6958 goto err_set_elem_expr; 6959 } 6960 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 6961 if (IS_ERR(expr)) { 6962 err = PTR_ERR(expr); 6963 goto err_set_elem_expr; 6964 } 6965 expr_array[i] = expr; 6966 num_exprs++; 6967 6968 if (set->num_exprs && expr->ops != set->exprs[i]->ops) { 6969 err = -EOPNOTSUPP; 6970 goto err_set_elem_expr; 6971 } 6972 i++; 6973 } 6974 if (set->num_exprs && set->num_exprs != i) { 6975 err = -EOPNOTSUPP; 6976 goto err_set_elem_expr; 6977 } 6978 } else if (set->num_exprs > 0 && 6979 !(flags & NFT_SET_ELEM_INTERVAL_END)) { 6980 err = nft_set_elem_expr_clone(ctx, set, expr_array); 6981 if (err < 0) 6982 goto err_set_elem_expr_clone; 6983 6984 num_exprs = set->num_exprs; 6985 } 6986 6987 if (nla[NFTA_SET_ELEM_KEY]) { 6988 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 6989 nla[NFTA_SET_ELEM_KEY]); 6990 if (err < 0) 6991 goto err_set_elem_expr; 6992 6993 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 6994 if (err < 0) 6995 goto err_parse_key; 6996 } 6997 6998 if (nla[NFTA_SET_ELEM_KEY_END]) { 6999 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 7000 nla[NFTA_SET_ELEM_KEY_END]); 7001 if (err < 0) 7002 goto err_parse_key; 7003 7004 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 7005 if (err < 0) 7006 goto err_parse_key_end; 7007 } 7008 7009 if (timeout > 0) { 7010 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION); 7011 if (err < 0) 7012 goto err_parse_key_end; 7013 7014 if (timeout != READ_ONCE(set->timeout)) { 7015 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 7016 if (err < 0) 7017 goto err_parse_key_end; 7018 } 7019 } 7020 7021 if (num_exprs) { 7022 for (i = 0; i < num_exprs; i++) 7023 size += expr_array[i]->ops->size; 7024 7025 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS, 7026 sizeof(struct nft_set_elem_expr) + size); 7027 if (err < 0) 7028 goto err_parse_key_end; 7029 } 7030 7031 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 7032 obj = nft_obj_lookup(ctx->net, ctx->table, 7033 nla[NFTA_SET_ELEM_OBJREF], 7034 set->objtype, genmask); 7035 if (IS_ERR(obj)) { 7036 err = PTR_ERR(obj); 7037 obj = NULL; 7038 goto err_parse_key_end; 7039 } 7040 7041 if (!nft_use_inc(&obj->use)) { 7042 err = -EMFILE; 7043 obj = NULL; 7044 goto err_parse_key_end; 7045 } 7046 7047 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 7048 if (err < 0) 7049 goto err_parse_key_end; 7050 } 7051 7052 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 7053 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 7054 nla[NFTA_SET_ELEM_DATA]); 7055 if (err < 0) 7056 goto err_parse_key_end; 7057 7058 dreg = nft_type_to_reg(set->dtype); 7059 list_for_each_entry(binding, &set->bindings, list) { 7060 struct nft_ctx bind_ctx = { 7061 .net = ctx->net, 7062 .family = ctx->family, 7063 .table = ctx->table, 7064 .chain = (struct nft_chain *)binding->chain, 7065 }; 7066 7067 if (!(binding->flags & NFT_SET_MAP)) 7068 continue; 7069 7070 err = nft_validate_register_store(&bind_ctx, dreg, 7071 &elem.data.val, 7072 desc.type, desc.len); 7073 if (err < 0) 7074 goto err_parse_data; 7075 7076 if (desc.type == NFT_DATA_VERDICT && 7077 (elem.data.val.verdict.code == NFT_GOTO || 7078 elem.data.val.verdict.code == NFT_JUMP)) 7079 nft_validate_state_update(ctx->table, 7080 NFT_VALIDATE_NEED); 7081 } 7082 7083 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 7084 if (err < 0) 7085 goto err_parse_data; 7086 } 7087 7088 /* The full maximum length of userdata can exceed the maximum 7089 * offset value (U8_MAX) for following extensions, therefor it 7090 * must be the last extension added. 7091 */ 7092 ulen = 0; 7093 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 7094 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 7095 if (ulen > 0) { 7096 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 7097 ulen); 7098 if (err < 0) 7099 goto err_parse_data; 7100 } 7101 } 7102 7103 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 7104 elem.key_end.val.data, elem.data.val.data, 7105 timeout, expiration, GFP_KERNEL_ACCOUNT); 7106 if (IS_ERR(elem.priv)) { 7107 err = PTR_ERR(elem.priv); 7108 goto err_parse_data; 7109 } 7110 7111 ext = nft_set_elem_ext(set, elem.priv); 7112 if (flags) 7113 *nft_set_ext_flags(ext) = flags; 7114 7115 if (obj) 7116 *nft_set_ext_obj(ext) = obj; 7117 7118 if (ulen > 0) { 7119 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) { 7120 err = -EINVAL; 7121 goto err_elem_free; 7122 } 7123 udata = nft_set_ext_userdata(ext); 7124 udata->len = ulen - 1; 7125 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 7126 } 7127 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs); 7128 if (err < 0) 7129 goto err_elem_free; 7130 7131 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 7132 if (trans == NULL) { 7133 err = -ENOMEM; 7134 goto err_elem_free; 7135 } 7136 7137 ext->genmask = nft_genmask_cur(ctx->net); 7138 7139 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags); 7140 if (err) { 7141 if (err == -EEXIST) { 7142 ext2 = nft_set_elem_ext(set, elem_priv); 7143 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 7144 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 7145 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 7146 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) 7147 goto err_element_clash; 7148 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 7149 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 7150 memcmp(nft_set_ext_data(ext), 7151 nft_set_ext_data(ext2), set->dlen) != 0) || 7152 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 7153 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 7154 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 7155 goto err_element_clash; 7156 else if (!(nlmsg_flags & NLM_F_EXCL)) 7157 err = 0; 7158 } else if (err == -ENOTEMPTY) { 7159 /* ENOTEMPTY reports overlapping between this element 7160 * and an existing one. 7161 */ 7162 err = -EEXIST; 7163 } 7164 goto err_element_clash; 7165 } 7166 7167 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 7168 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX; 7169 7170 if (!atomic_add_unless(&set->nelems, 1, max)) { 7171 err = -ENFILE; 7172 goto err_set_full; 7173 } 7174 } 7175 7176 nft_trans_elem_priv(trans) = elem.priv; 7177 nft_trans_commit_list_add_tail(ctx->net, trans); 7178 return 0; 7179 7180 err_set_full: 7181 nft_setelem_remove(ctx->net, set, elem.priv); 7182 err_element_clash: 7183 kfree(trans); 7184 err_elem_free: 7185 nf_tables_set_elem_destroy(ctx, set, elem.priv); 7186 err_parse_data: 7187 if (nla[NFTA_SET_ELEM_DATA] != NULL) 7188 nft_data_release(&elem.data.val, desc.type); 7189 err_parse_key_end: 7190 if (obj) 7191 nft_use_dec_restore(&obj->use); 7192 7193 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 7194 err_parse_key: 7195 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 7196 err_set_elem_expr: 7197 for (i = 0; i < num_exprs && expr_array[i]; i++) 7198 nft_expr_destroy(ctx, expr_array[i]); 7199 err_set_elem_expr_clone: 7200 return err; 7201 } 7202 7203 static int nf_tables_newsetelem(struct sk_buff *skb, 7204 const struct nfnl_info *info, 7205 const struct nlattr * const nla[]) 7206 { 7207 struct netlink_ext_ack *extack = info->extack; 7208 u8 genmask = nft_genmask_next(info->net); 7209 u8 family = info->nfmsg->nfgen_family; 7210 struct net *net = info->net; 7211 const struct nlattr *attr; 7212 struct nft_table *table; 7213 struct nft_set *set; 7214 struct nft_ctx ctx; 7215 int rem, err; 7216 7217 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 7218 return -EINVAL; 7219 7220 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 7221 genmask, NETLINK_CB(skb).portid); 7222 if (IS_ERR(table)) { 7223 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 7224 return PTR_ERR(table); 7225 } 7226 7227 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET], 7228 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 7229 if (IS_ERR(set)) { 7230 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); 7231 return PTR_ERR(set); 7232 } 7233 7234 if (!list_empty(&set->bindings) && 7235 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) 7236 return -EBUSY; 7237 7238 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7239 7240 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 7241 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags); 7242 if (err < 0) { 7243 NL_SET_BAD_ATTR(extack, attr); 7244 return err; 7245 } 7246 } 7247 7248 if (table->validate_state == NFT_VALIDATE_DO) 7249 return nft_table_validate(net, table); 7250 7251 return 0; 7252 } 7253 7254 /** 7255 * nft_data_hold - hold a nft_data item 7256 * 7257 * @data: struct nft_data to release 7258 * @type: type of data 7259 * 7260 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 7261 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 7262 * NFT_GOTO verdicts. This function must be called on active data objects 7263 * from the second phase of the commit protocol. 7264 */ 7265 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 7266 { 7267 struct nft_chain *chain; 7268 7269 if (type == NFT_DATA_VERDICT) { 7270 switch (data->verdict.code) { 7271 case NFT_JUMP: 7272 case NFT_GOTO: 7273 chain = data->verdict.chain; 7274 nft_use_inc_restore(&chain->use); 7275 break; 7276 } 7277 } 7278 } 7279 7280 static int nft_setelem_active_next(const struct net *net, 7281 const struct nft_set *set, 7282 struct nft_elem_priv *elem_priv) 7283 { 7284 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7285 u8 genmask = nft_genmask_next(net); 7286 7287 return nft_set_elem_active(ext, genmask); 7288 } 7289 7290 static void nft_setelem_data_activate(const struct net *net, 7291 const struct nft_set *set, 7292 struct nft_elem_priv *elem_priv) 7293 { 7294 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7295 7296 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 7297 nft_data_hold(nft_set_ext_data(ext), set->dtype); 7298 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 7299 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use); 7300 } 7301 7302 void nft_setelem_data_deactivate(const struct net *net, 7303 const struct nft_set *set, 7304 struct nft_elem_priv *elem_priv) 7305 { 7306 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7307 7308 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 7309 nft_data_release(nft_set_ext_data(ext), set->dtype); 7310 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 7311 nft_use_dec(&(*nft_set_ext_obj(ext))->use); 7312 } 7313 7314 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 7315 const struct nlattr *attr) 7316 { 7317 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 7318 struct nft_set_ext_tmpl tmpl; 7319 struct nft_set_elem elem; 7320 struct nft_set_ext *ext; 7321 struct nft_trans *trans; 7322 u32 flags = 0; 7323 int err; 7324 7325 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 7326 nft_set_elem_policy, NULL); 7327 if (err < 0) 7328 return err; 7329 7330 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 7331 if (err < 0) 7332 return err; 7333 7334 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 7335 return -EINVAL; 7336 7337 if (!nft_setelem_valid_key_end(set, nla, flags)) 7338 return -EINVAL; 7339 7340 nft_set_ext_prepare(&tmpl); 7341 7342 if (flags != 0) { 7343 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 7344 if (err < 0) 7345 return err; 7346 } 7347 7348 if (nla[NFTA_SET_ELEM_KEY]) { 7349 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 7350 nla[NFTA_SET_ELEM_KEY]); 7351 if (err < 0) 7352 return err; 7353 7354 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 7355 if (err < 0) 7356 goto fail_elem; 7357 } 7358 7359 if (nla[NFTA_SET_ELEM_KEY_END]) { 7360 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 7361 nla[NFTA_SET_ELEM_KEY_END]); 7362 if (err < 0) 7363 goto fail_elem; 7364 7365 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 7366 if (err < 0) 7367 goto fail_elem_key_end; 7368 } 7369 7370 err = -ENOMEM; 7371 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 7372 elem.key_end.val.data, NULL, 0, 0, 7373 GFP_KERNEL_ACCOUNT); 7374 if (IS_ERR(elem.priv)) { 7375 err = PTR_ERR(elem.priv); 7376 goto fail_elem_key_end; 7377 } 7378 7379 ext = nft_set_elem_ext(set, elem.priv); 7380 if (flags) 7381 *nft_set_ext_flags(ext) = flags; 7382 7383 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 7384 if (trans == NULL) 7385 goto fail_trans; 7386 7387 err = nft_setelem_deactivate(ctx->net, set, &elem, flags); 7388 if (err < 0) 7389 goto fail_ops; 7390 7391 nft_setelem_data_deactivate(ctx->net, set, elem.priv); 7392 7393 nft_trans_elem_priv(trans) = elem.priv; 7394 nft_trans_commit_list_add_tail(ctx->net, trans); 7395 return 0; 7396 7397 fail_ops: 7398 kfree(trans); 7399 fail_trans: 7400 kfree(elem.priv); 7401 fail_elem_key_end: 7402 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 7403 fail_elem: 7404 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 7405 return err; 7406 } 7407 7408 static int nft_setelem_flush(const struct nft_ctx *ctx, 7409 struct nft_set *set, 7410 const struct nft_set_iter *iter, 7411 struct nft_elem_priv *elem_priv) 7412 { 7413 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7414 struct nft_trans *trans; 7415 7416 if (!nft_set_elem_active(ext, iter->genmask)) 7417 return 0; 7418 7419 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 7420 sizeof(struct nft_trans_elem), GFP_ATOMIC); 7421 if (!trans) 7422 return -ENOMEM; 7423 7424 set->ops->flush(ctx->net, set, elem_priv); 7425 set->ndeact++; 7426 7427 nft_setelem_data_deactivate(ctx->net, set, elem_priv); 7428 nft_trans_elem_set(trans) = set; 7429 nft_trans_elem_priv(trans) = elem_priv; 7430 nft_trans_commit_list_add_tail(ctx->net, trans); 7431 7432 return 0; 7433 } 7434 7435 static int __nft_set_catchall_flush(const struct nft_ctx *ctx, 7436 struct nft_set *set, 7437 struct nft_elem_priv *elem_priv) 7438 { 7439 struct nft_trans *trans; 7440 7441 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 7442 sizeof(struct nft_trans_elem), GFP_KERNEL); 7443 if (!trans) 7444 return -ENOMEM; 7445 7446 nft_setelem_data_deactivate(ctx->net, set, elem_priv); 7447 nft_trans_elem_set(trans) = set; 7448 nft_trans_elem_priv(trans) = elem_priv; 7449 nft_trans_commit_list_add_tail(ctx->net, trans); 7450 7451 return 0; 7452 } 7453 7454 static int nft_set_catchall_flush(const struct nft_ctx *ctx, 7455 struct nft_set *set) 7456 { 7457 u8 genmask = nft_genmask_next(ctx->net); 7458 struct nft_set_elem_catchall *catchall; 7459 struct nft_set_ext *ext; 7460 int ret = 0; 7461 7462 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 7463 ext = nft_set_elem_ext(set, catchall->elem); 7464 if (!nft_set_elem_active(ext, genmask)) 7465 continue; 7466 7467 ret = __nft_set_catchall_flush(ctx, set, catchall->elem); 7468 if (ret < 0) 7469 break; 7470 nft_set_elem_change_active(ctx->net, set, ext); 7471 } 7472 7473 return ret; 7474 } 7475 7476 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask) 7477 { 7478 struct nft_set_iter iter = { 7479 .genmask = genmask, 7480 .type = NFT_ITER_UPDATE, 7481 .fn = nft_setelem_flush, 7482 }; 7483 7484 set->ops->walk(ctx, set, &iter); 7485 if (!iter.err) 7486 iter.err = nft_set_catchall_flush(ctx, set); 7487 7488 return iter.err; 7489 } 7490 7491 static int nf_tables_delsetelem(struct sk_buff *skb, 7492 const struct nfnl_info *info, 7493 const struct nlattr * const nla[]) 7494 { 7495 struct netlink_ext_ack *extack = info->extack; 7496 u8 genmask = nft_genmask_next(info->net); 7497 u8 family = info->nfmsg->nfgen_family; 7498 struct net *net = info->net; 7499 const struct nlattr *attr; 7500 struct nft_table *table; 7501 struct nft_set *set; 7502 struct nft_ctx ctx; 7503 int rem, err = 0; 7504 7505 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 7506 genmask, NETLINK_CB(skb).portid); 7507 if (IS_ERR(table)) { 7508 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 7509 return PTR_ERR(table); 7510 } 7511 7512 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 7513 if (IS_ERR(set)) { 7514 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); 7515 return PTR_ERR(set); 7516 } 7517 7518 if (nft_set_is_anonymous(set)) 7519 return -EOPNOTSUPP; 7520 7521 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT)) 7522 return -EBUSY; 7523 7524 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7525 7526 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 7527 return nft_set_flush(&ctx, set, genmask); 7528 7529 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 7530 err = nft_del_setelem(&ctx, set, attr); 7531 if (err == -ENOENT && 7532 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM) 7533 continue; 7534 7535 if (err < 0) { 7536 NL_SET_BAD_ATTR(extack, attr); 7537 return err; 7538 } 7539 } 7540 7541 return 0; 7542 } 7543 7544 /* 7545 * Stateful objects 7546 */ 7547 7548 /** 7549 * nft_register_obj- register nf_tables stateful object type 7550 * @obj_type: object type 7551 * 7552 * Registers the object type for use with nf_tables. Returns zero on 7553 * success or a negative errno code otherwise. 7554 */ 7555 int nft_register_obj(struct nft_object_type *obj_type) 7556 { 7557 if (obj_type->type == NFT_OBJECT_UNSPEC) 7558 return -EINVAL; 7559 7560 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7561 list_add_rcu(&obj_type->list, &nf_tables_objects); 7562 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7563 return 0; 7564 } 7565 EXPORT_SYMBOL_GPL(nft_register_obj); 7566 7567 /** 7568 * nft_unregister_obj - unregister nf_tables object type 7569 * @obj_type: object type 7570 * 7571 * Unregisters the object type for use with nf_tables. 7572 */ 7573 void nft_unregister_obj(struct nft_object_type *obj_type) 7574 { 7575 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7576 list_del_rcu(&obj_type->list); 7577 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7578 } 7579 EXPORT_SYMBOL_GPL(nft_unregister_obj); 7580 7581 struct nft_object *nft_obj_lookup(const struct net *net, 7582 const struct nft_table *table, 7583 const struct nlattr *nla, u32 objtype, 7584 u8 genmask) 7585 { 7586 struct nft_object_hash_key k = { .table = table }; 7587 char search[NFT_OBJ_MAXNAMELEN]; 7588 struct rhlist_head *tmp, *list; 7589 struct nft_object *obj; 7590 7591 nla_strscpy(search, nla, sizeof(search)); 7592 k.name = search; 7593 7594 WARN_ON_ONCE(!rcu_read_lock_held() && 7595 !lockdep_commit_lock_is_held(net)); 7596 7597 rcu_read_lock(); 7598 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 7599 if (!list) 7600 goto out; 7601 7602 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 7603 if (objtype == obj->ops->type->type && 7604 nft_active_genmask(obj, genmask)) { 7605 rcu_read_unlock(); 7606 return obj; 7607 } 7608 } 7609 out: 7610 rcu_read_unlock(); 7611 return ERR_PTR(-ENOENT); 7612 } 7613 EXPORT_SYMBOL_GPL(nft_obj_lookup); 7614 7615 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 7616 const struct nlattr *nla, 7617 u32 objtype, u8 genmask) 7618 { 7619 struct nft_object *obj; 7620 7621 list_for_each_entry(obj, &table->objects, list) { 7622 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 7623 objtype == obj->ops->type->type && 7624 nft_active_genmask(obj, genmask)) 7625 return obj; 7626 } 7627 return ERR_PTR(-ENOENT); 7628 } 7629 7630 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 7631 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 7632 .len = NFT_TABLE_MAXNAMELEN - 1 }, 7633 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 7634 .len = NFT_OBJ_MAXNAMELEN - 1 }, 7635 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 7636 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 7637 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 7638 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY, 7639 .len = NFT_USERDATA_MAXLEN }, 7640 }; 7641 7642 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 7643 const struct nft_object_type *type, 7644 const struct nlattr *attr) 7645 { 7646 struct nlattr **tb; 7647 const struct nft_object_ops *ops; 7648 struct nft_object *obj; 7649 int err = -ENOMEM; 7650 7651 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 7652 if (!tb) 7653 goto err1; 7654 7655 if (attr) { 7656 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 7657 type->policy, NULL); 7658 if (err < 0) 7659 goto err2; 7660 } else { 7661 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 7662 } 7663 7664 if (type->select_ops) { 7665 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 7666 if (IS_ERR(ops)) { 7667 err = PTR_ERR(ops); 7668 goto err2; 7669 } 7670 } else { 7671 ops = type->ops; 7672 } 7673 7674 err = -ENOMEM; 7675 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT); 7676 if (!obj) 7677 goto err2; 7678 7679 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 7680 if (err < 0) 7681 goto err3; 7682 7683 obj->ops = ops; 7684 7685 kfree(tb); 7686 return obj; 7687 err3: 7688 kfree(obj); 7689 err2: 7690 kfree(tb); 7691 err1: 7692 return ERR_PTR(err); 7693 } 7694 7695 static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 7696 struct nft_object *obj, bool reset) 7697 { 7698 struct nlattr *nest; 7699 7700 nest = nla_nest_start_noflag(skb, attr); 7701 if (!nest) 7702 goto nla_put_failure; 7703 if (obj->ops->dump(skb, obj, reset) < 0) 7704 goto nla_put_failure; 7705 nla_nest_end(skb, nest); 7706 return 0; 7707 7708 nla_put_failure: 7709 return -1; 7710 } 7711 7712 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family) 7713 { 7714 const struct nft_object_type *type; 7715 7716 list_for_each_entry_rcu(type, &nf_tables_objects, list) { 7717 if (type->family != NFPROTO_UNSPEC && 7718 type->family != family) 7719 continue; 7720 7721 if (objtype == type->type) 7722 return type; 7723 } 7724 return NULL; 7725 } 7726 7727 static const struct nft_object_type * 7728 nft_obj_type_get(struct net *net, u32 objtype, u8 family) 7729 { 7730 const struct nft_object_type *type; 7731 7732 rcu_read_lock(); 7733 type = __nft_obj_type_get(objtype, family); 7734 if (type != NULL && try_module_get(type->owner)) { 7735 rcu_read_unlock(); 7736 return type; 7737 } 7738 rcu_read_unlock(); 7739 7740 lockdep_nfnl_nft_mutex_not_held(); 7741 #ifdef CONFIG_MODULES 7742 if (type == NULL) { 7743 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 7744 return ERR_PTR(-EAGAIN); 7745 } 7746 #endif 7747 return ERR_PTR(-ENOENT); 7748 } 7749 7750 static int nf_tables_updobj(const struct nft_ctx *ctx, 7751 const struct nft_object_type *type, 7752 const struct nlattr *attr, 7753 struct nft_object *obj) 7754 { 7755 struct nft_object *newobj; 7756 struct nft_trans *trans; 7757 int err = -ENOMEM; 7758 7759 if (!try_module_get(type->owner)) 7760 return -ENOENT; 7761 7762 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 7763 sizeof(struct nft_trans_obj)); 7764 if (!trans) 7765 goto err_trans; 7766 7767 newobj = nft_obj_init(ctx, type, attr); 7768 if (IS_ERR(newobj)) { 7769 err = PTR_ERR(newobj); 7770 goto err_free_trans; 7771 } 7772 7773 nft_trans_obj(trans) = obj; 7774 nft_trans_obj_update(trans) = true; 7775 nft_trans_obj_newobj(trans) = newobj; 7776 nft_trans_commit_list_add_tail(ctx->net, trans); 7777 7778 return 0; 7779 7780 err_free_trans: 7781 kfree(trans); 7782 err_trans: 7783 module_put(type->owner); 7784 return err; 7785 } 7786 7787 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, 7788 const struct nlattr * const nla[]) 7789 { 7790 struct netlink_ext_ack *extack = info->extack; 7791 u8 genmask = nft_genmask_next(info->net); 7792 u8 family = info->nfmsg->nfgen_family; 7793 const struct nft_object_type *type; 7794 struct net *net = info->net; 7795 struct nft_table *table; 7796 struct nft_object *obj; 7797 struct nft_ctx ctx; 7798 u32 objtype; 7799 int err; 7800 7801 if (!nla[NFTA_OBJ_TYPE] || 7802 !nla[NFTA_OBJ_NAME] || 7803 !nla[NFTA_OBJ_DATA]) 7804 return -EINVAL; 7805 7806 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 7807 NETLINK_CB(skb).portid); 7808 if (IS_ERR(table)) { 7809 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 7810 return PTR_ERR(table); 7811 } 7812 7813 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 7814 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 7815 if (IS_ERR(obj)) { 7816 err = PTR_ERR(obj); 7817 if (err != -ENOENT) { 7818 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 7819 return err; 7820 } 7821 } else { 7822 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 7823 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 7824 return -EEXIST; 7825 } 7826 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 7827 return -EOPNOTSUPP; 7828 7829 type = __nft_obj_type_get(objtype, family); 7830 if (WARN_ON_ONCE(!type)) 7831 return -ENOENT; 7832 7833 if (!obj->ops->update) 7834 return 0; 7835 7836 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7837 7838 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 7839 } 7840 7841 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7842 7843 if (!nft_use_inc(&table->use)) 7844 return -EMFILE; 7845 7846 type = nft_obj_type_get(net, objtype, family); 7847 if (IS_ERR(type)) { 7848 err = PTR_ERR(type); 7849 goto err_type; 7850 } 7851 7852 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 7853 if (IS_ERR(obj)) { 7854 err = PTR_ERR(obj); 7855 goto err_init; 7856 } 7857 obj->key.table = table; 7858 obj->handle = nf_tables_alloc_handle(table); 7859 7860 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT); 7861 if (!obj->key.name) { 7862 err = -ENOMEM; 7863 goto err_strdup; 7864 } 7865 7866 if (nla[NFTA_OBJ_USERDATA]) { 7867 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT); 7868 if (obj->udata == NULL) 7869 goto err_userdata; 7870 7871 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]); 7872 } 7873 7874 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 7875 if (err < 0) 7876 goto err_trans; 7877 7878 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 7879 nft_objname_ht_params); 7880 if (err < 0) 7881 goto err_obj_ht; 7882 7883 list_add_tail_rcu(&obj->list, &table->objects); 7884 7885 return 0; 7886 err_obj_ht: 7887 /* queued in transaction log */ 7888 INIT_LIST_HEAD(&obj->list); 7889 return err; 7890 err_trans: 7891 kfree(obj->udata); 7892 err_userdata: 7893 kfree(obj->key.name); 7894 err_strdup: 7895 if (obj->ops->destroy) 7896 obj->ops->destroy(&ctx, obj); 7897 kfree(obj); 7898 err_init: 7899 module_put(type->owner); 7900 err_type: 7901 nft_use_dec_restore(&table->use); 7902 7903 return err; 7904 } 7905 7906 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 7907 u32 portid, u32 seq, int event, u32 flags, 7908 int family, const struct nft_table *table, 7909 struct nft_object *obj, bool reset) 7910 { 7911 struct nlmsghdr *nlh; 7912 7913 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 7914 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 7915 NFNETLINK_V0, nft_base_seq(net)); 7916 if (!nlh) 7917 goto nla_put_failure; 7918 7919 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 7920 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 7921 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 7922 NFTA_OBJ_PAD)) 7923 goto nla_put_failure; 7924 7925 if (event == NFT_MSG_DELOBJ) { 7926 nlmsg_end(skb, nlh); 7927 return 0; 7928 } 7929 7930 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 7931 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 7932 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset)) 7933 goto nla_put_failure; 7934 7935 if (obj->udata && 7936 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata)) 7937 goto nla_put_failure; 7938 7939 nlmsg_end(skb, nlh); 7940 return 0; 7941 7942 nla_put_failure: 7943 nlmsg_trim(skb, nlh); 7944 return -1; 7945 } 7946 7947 static void audit_log_obj_reset(const struct nft_table *table, 7948 unsigned int base_seq, unsigned int nentries) 7949 { 7950 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq); 7951 7952 audit_log_nfcfg(buf, table->family, nentries, 7953 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC); 7954 kfree(buf); 7955 } 7956 7957 struct nft_obj_dump_ctx { 7958 unsigned int s_idx; 7959 char *table; 7960 u32 type; 7961 bool reset; 7962 }; 7963 7964 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 7965 { 7966 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 7967 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 7968 struct net *net = sock_net(skb->sk); 7969 int family = nfmsg->nfgen_family; 7970 struct nftables_pernet *nft_net; 7971 const struct nft_table *table; 7972 unsigned int entries = 0; 7973 struct nft_object *obj; 7974 unsigned int idx = 0; 7975 int rc = 0; 7976 7977 rcu_read_lock(); 7978 nft_net = nft_pernet(net); 7979 cb->seq = READ_ONCE(nft_net->base_seq); 7980 7981 list_for_each_entry_rcu(table, &nft_net->tables, list) { 7982 if (family != NFPROTO_UNSPEC && family != table->family) 7983 continue; 7984 7985 entries = 0; 7986 list_for_each_entry_rcu(obj, &table->objects, list) { 7987 if (!nft_is_active(net, obj)) 7988 goto cont; 7989 if (idx < ctx->s_idx) 7990 goto cont; 7991 if (ctx->table && strcmp(ctx->table, table->name)) 7992 goto cont; 7993 if (ctx->type != NFT_OBJECT_UNSPEC && 7994 obj->ops->type->type != ctx->type) 7995 goto cont; 7996 7997 rc = nf_tables_fill_obj_info(skb, net, 7998 NETLINK_CB(cb->skb).portid, 7999 cb->nlh->nlmsg_seq, 8000 NFT_MSG_NEWOBJ, 8001 NLM_F_MULTI | NLM_F_APPEND, 8002 table->family, table, 8003 obj, ctx->reset); 8004 if (rc < 0) 8005 break; 8006 8007 entries++; 8008 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 8009 cont: 8010 idx++; 8011 } 8012 if (ctx->reset && entries) 8013 audit_log_obj_reset(table, nft_net->base_seq, entries); 8014 if (rc < 0) 8015 break; 8016 } 8017 rcu_read_unlock(); 8018 8019 ctx->s_idx = idx; 8020 return skb->len; 8021 } 8022 8023 static int nf_tables_dumpreset_obj(struct sk_buff *skb, 8024 struct netlink_callback *cb) 8025 { 8026 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk)); 8027 int ret; 8028 8029 mutex_lock(&nft_net->commit_mutex); 8030 ret = nf_tables_dump_obj(skb, cb); 8031 mutex_unlock(&nft_net->commit_mutex); 8032 8033 return ret; 8034 } 8035 8036 static int nf_tables_dump_obj_start(struct netlink_callback *cb) 8037 { 8038 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 8039 const struct nlattr * const *nla = cb->data; 8040 8041 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx)); 8042 8043 if (nla[NFTA_OBJ_TABLE]) { 8044 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 8045 if (!ctx->table) 8046 return -ENOMEM; 8047 } 8048 8049 if (nla[NFTA_OBJ_TYPE]) 8050 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 8051 8052 return 0; 8053 } 8054 8055 static int nf_tables_dumpreset_obj_start(struct netlink_callback *cb) 8056 { 8057 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 8058 8059 ctx->reset = true; 8060 8061 return nf_tables_dump_obj_start(cb); 8062 } 8063 8064 static int nf_tables_dump_obj_done(struct netlink_callback *cb) 8065 { 8066 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 8067 8068 kfree(ctx->table); 8069 8070 return 0; 8071 } 8072 8073 /* called with rcu_read_lock held */ 8074 static struct sk_buff * 8075 nf_tables_getobj_single(u32 portid, const struct nfnl_info *info, 8076 const struct nlattr * const nla[], bool reset) 8077 { 8078 struct netlink_ext_ack *extack = info->extack; 8079 u8 genmask = nft_genmask_cur(info->net); 8080 u8 family = info->nfmsg->nfgen_family; 8081 const struct nft_table *table; 8082 struct net *net = info->net; 8083 struct nft_object *obj; 8084 struct sk_buff *skb2; 8085 u32 objtype; 8086 int err; 8087 8088 if (!nla[NFTA_OBJ_NAME] || 8089 !nla[NFTA_OBJ_TYPE]) 8090 return ERR_PTR(-EINVAL); 8091 8092 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0); 8093 if (IS_ERR(table)) { 8094 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 8095 return ERR_CAST(table); 8096 } 8097 8098 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 8099 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 8100 if (IS_ERR(obj)) { 8101 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 8102 return ERR_CAST(obj); 8103 } 8104 8105 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 8106 if (!skb2) 8107 return ERR_PTR(-ENOMEM); 8108 8109 err = nf_tables_fill_obj_info(skb2, net, portid, 8110 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 8111 family, table, obj, reset); 8112 if (err < 0) { 8113 kfree_skb(skb2); 8114 return ERR_PTR(err); 8115 } 8116 8117 return skb2; 8118 } 8119 8120 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info, 8121 const struct nlattr * const nla[]) 8122 { 8123 u32 portid = NETLINK_CB(skb).portid; 8124 struct sk_buff *skb2; 8125 8126 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 8127 struct netlink_dump_control c = { 8128 .start = nf_tables_dump_obj_start, 8129 .dump = nf_tables_dump_obj, 8130 .done = nf_tables_dump_obj_done, 8131 .module = THIS_MODULE, 8132 .data = (void *)nla, 8133 }; 8134 8135 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 8136 } 8137 8138 skb2 = nf_tables_getobj_single(portid, info, nla, false); 8139 if (IS_ERR(skb2)) 8140 return PTR_ERR(skb2); 8141 8142 return nfnetlink_unicast(skb2, info->net, portid); 8143 } 8144 8145 static int nf_tables_getobj_reset(struct sk_buff *skb, 8146 const struct nfnl_info *info, 8147 const struct nlattr * const nla[]) 8148 { 8149 struct nftables_pernet *nft_net = nft_pernet(info->net); 8150 u32 portid = NETLINK_CB(skb).portid; 8151 struct net *net = info->net; 8152 struct sk_buff *skb2; 8153 char *buf; 8154 8155 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 8156 struct netlink_dump_control c = { 8157 .start = nf_tables_dumpreset_obj_start, 8158 .dump = nf_tables_dumpreset_obj, 8159 .done = nf_tables_dump_obj_done, 8160 .module = THIS_MODULE, 8161 .data = (void *)nla, 8162 }; 8163 8164 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 8165 } 8166 8167 if (!try_module_get(THIS_MODULE)) 8168 return -EINVAL; 8169 rcu_read_unlock(); 8170 mutex_lock(&nft_net->commit_mutex); 8171 skb2 = nf_tables_getobj_single(portid, info, nla, true); 8172 mutex_unlock(&nft_net->commit_mutex); 8173 rcu_read_lock(); 8174 module_put(THIS_MODULE); 8175 8176 if (IS_ERR(skb2)) 8177 return PTR_ERR(skb2); 8178 8179 buf = kasprintf(GFP_ATOMIC, "%.*s:%u", 8180 nla_len(nla[NFTA_OBJ_TABLE]), 8181 (char *)nla_data(nla[NFTA_OBJ_TABLE]), 8182 nft_net->base_seq); 8183 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1, 8184 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC); 8185 kfree(buf); 8186 8187 return nfnetlink_unicast(skb2, net, portid); 8188 } 8189 8190 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 8191 { 8192 if (obj->ops->destroy) 8193 obj->ops->destroy(ctx, obj); 8194 8195 module_put(obj->ops->type->owner); 8196 kfree(obj->key.name); 8197 kfree(obj->udata); 8198 kfree(obj); 8199 } 8200 8201 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info, 8202 const struct nlattr * const nla[]) 8203 { 8204 struct netlink_ext_ack *extack = info->extack; 8205 u8 genmask = nft_genmask_next(info->net); 8206 u8 family = info->nfmsg->nfgen_family; 8207 struct net *net = info->net; 8208 const struct nlattr *attr; 8209 struct nft_table *table; 8210 struct nft_object *obj; 8211 struct nft_ctx ctx; 8212 u32 objtype; 8213 8214 if (!nla[NFTA_OBJ_TYPE] || 8215 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 8216 return -EINVAL; 8217 8218 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 8219 NETLINK_CB(skb).portid); 8220 if (IS_ERR(table)) { 8221 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 8222 return PTR_ERR(table); 8223 } 8224 8225 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 8226 if (nla[NFTA_OBJ_HANDLE]) { 8227 attr = nla[NFTA_OBJ_HANDLE]; 8228 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 8229 } else { 8230 attr = nla[NFTA_OBJ_NAME]; 8231 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 8232 } 8233 8234 if (IS_ERR(obj)) { 8235 if (PTR_ERR(obj) == -ENOENT && 8236 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ) 8237 return 0; 8238 8239 NL_SET_BAD_ATTR(extack, attr); 8240 return PTR_ERR(obj); 8241 } 8242 if (obj->use > 0) { 8243 NL_SET_BAD_ATTR(extack, attr); 8244 return -EBUSY; 8245 } 8246 8247 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8248 8249 return nft_delobj(&ctx, obj); 8250 } 8251 8252 static void 8253 __nft_obj_notify(struct net *net, const struct nft_table *table, 8254 struct nft_object *obj, u32 portid, u32 seq, int event, 8255 u16 flags, int family, int report, gfp_t gfp) 8256 { 8257 struct nftables_pernet *nft_net = nft_pernet(net); 8258 struct sk_buff *skb; 8259 int err; 8260 8261 if (!report && 8262 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 8263 return; 8264 8265 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 8266 if (skb == NULL) 8267 goto err; 8268 8269 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 8270 flags & (NLM_F_CREATE | NLM_F_EXCL), 8271 family, table, obj, false); 8272 if (err < 0) { 8273 kfree_skb(skb); 8274 goto err; 8275 } 8276 8277 nft_notify_enqueue(skb, report, &nft_net->notify_list); 8278 return; 8279 err: 8280 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 8281 } 8282 8283 void nft_obj_notify(struct net *net, const struct nft_table *table, 8284 struct nft_object *obj, u32 portid, u32 seq, int event, 8285 u16 flags, int family, int report, gfp_t gfp) 8286 { 8287 struct nftables_pernet *nft_net = nft_pernet(net); 8288 char *buf = kasprintf(gfp, "%s:%u", 8289 table->name, nft_net->base_seq); 8290 8291 audit_log_nfcfg(buf, 8292 family, 8293 obj->handle, 8294 event == NFT_MSG_NEWOBJ ? 8295 AUDIT_NFT_OP_OBJ_REGISTER : 8296 AUDIT_NFT_OP_OBJ_UNREGISTER, 8297 gfp); 8298 kfree(buf); 8299 8300 __nft_obj_notify(net, table, obj, portid, seq, event, 8301 flags, family, report, gfp); 8302 } 8303 EXPORT_SYMBOL_GPL(nft_obj_notify); 8304 8305 static void nf_tables_obj_notify(const struct nft_ctx *ctx, 8306 struct nft_object *obj, int event) 8307 { 8308 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, 8309 ctx->seq, event, ctx->flags, ctx->family, 8310 ctx->report, GFP_KERNEL); 8311 } 8312 8313 /* 8314 * Flow tables 8315 */ 8316 void nft_register_flowtable_type(struct nf_flowtable_type *type) 8317 { 8318 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8319 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 8320 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8321 } 8322 EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 8323 8324 void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 8325 { 8326 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8327 list_del_rcu(&type->list); 8328 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8329 } 8330 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 8331 8332 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 8333 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 8334 .len = NFT_NAME_MAXLEN - 1 }, 8335 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 8336 .len = NFT_NAME_MAXLEN - 1 }, 8337 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 8338 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 8339 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 8340 }; 8341 8342 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 8343 const struct nlattr *nla, u8 genmask) 8344 { 8345 struct nft_flowtable *flowtable; 8346 8347 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 8348 if (!nla_strcmp(nla, flowtable->name) && 8349 nft_active_genmask(flowtable, genmask)) 8350 return flowtable; 8351 } 8352 return ERR_PTR(-ENOENT); 8353 } 8354 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 8355 8356 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 8357 struct nft_flowtable *flowtable, 8358 enum nft_trans_phase phase) 8359 { 8360 switch (phase) { 8361 case NFT_TRANS_PREPARE_ERROR: 8362 case NFT_TRANS_PREPARE: 8363 case NFT_TRANS_ABORT: 8364 case NFT_TRANS_RELEASE: 8365 nft_use_dec(&flowtable->use); 8366 fallthrough; 8367 default: 8368 return; 8369 } 8370 } 8371 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 8372 8373 static struct nft_flowtable * 8374 nft_flowtable_lookup_byhandle(const struct nft_table *table, 8375 const struct nlattr *nla, u8 genmask) 8376 { 8377 struct nft_flowtable *flowtable; 8378 8379 list_for_each_entry(flowtable, &table->flowtables, list) { 8380 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 8381 nft_active_genmask(flowtable, genmask)) 8382 return flowtable; 8383 } 8384 return ERR_PTR(-ENOENT); 8385 } 8386 8387 struct nft_flowtable_hook { 8388 u32 num; 8389 int priority; 8390 struct list_head list; 8391 }; 8392 8393 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 8394 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 8395 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 8396 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 8397 }; 8398 8399 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 8400 const struct nlattr * const nla[], 8401 struct nft_flowtable_hook *flowtable_hook, 8402 struct nft_flowtable *flowtable, 8403 struct netlink_ext_ack *extack, bool add) 8404 { 8405 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 8406 struct nft_hook *hook; 8407 int hooknum, priority; 8408 int err; 8409 8410 INIT_LIST_HEAD(&flowtable_hook->list); 8411 8412 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, 8413 nla[NFTA_FLOWTABLE_HOOK], 8414 nft_flowtable_hook_policy, NULL); 8415 if (err < 0) 8416 return err; 8417 8418 if (add) { 8419 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 8420 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 8421 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 8422 return -ENOENT; 8423 } 8424 8425 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 8426 if (hooknum != NF_NETDEV_INGRESS) 8427 return -EOPNOTSUPP; 8428 8429 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 8430 8431 flowtable_hook->priority = priority; 8432 flowtable_hook->num = hooknum; 8433 } else { 8434 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 8435 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 8436 if (hooknum != flowtable->hooknum) 8437 return -EOPNOTSUPP; 8438 } 8439 8440 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 8441 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 8442 if (priority != flowtable->data.priority) 8443 return -EOPNOTSUPP; 8444 } 8445 8446 flowtable_hook->priority = flowtable->data.priority; 8447 flowtable_hook->num = flowtable->hooknum; 8448 } 8449 8450 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 8451 err = nf_tables_parse_netdev_hooks(ctx->net, 8452 tb[NFTA_FLOWTABLE_HOOK_DEVS], 8453 &flowtable_hook->list, 8454 extack); 8455 if (err < 0) 8456 return err; 8457 } 8458 8459 list_for_each_entry(hook, &flowtable_hook->list, list) { 8460 hook->ops.pf = NFPROTO_NETDEV; 8461 hook->ops.hooknum = flowtable_hook->num; 8462 hook->ops.priority = flowtable_hook->priority; 8463 hook->ops.priv = &flowtable->data; 8464 hook->ops.hook = flowtable->data.type->hook; 8465 } 8466 8467 return err; 8468 } 8469 8470 /* call under rcu_read_lock */ 8471 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 8472 { 8473 const struct nf_flowtable_type *type; 8474 8475 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) { 8476 if (family == type->family) 8477 return type; 8478 } 8479 return NULL; 8480 } 8481 8482 static const struct nf_flowtable_type * 8483 nft_flowtable_type_get(struct net *net, u8 family) 8484 { 8485 const struct nf_flowtable_type *type; 8486 8487 rcu_read_lock(); 8488 type = __nft_flowtable_type_get(family); 8489 if (type != NULL && try_module_get(type->owner)) { 8490 rcu_read_unlock(); 8491 return type; 8492 } 8493 rcu_read_unlock(); 8494 8495 lockdep_nfnl_nft_mutex_not_held(); 8496 #ifdef CONFIG_MODULES 8497 if (type == NULL) { 8498 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 8499 return ERR_PTR(-EAGAIN); 8500 } 8501 #endif 8502 return ERR_PTR(-ENOENT); 8503 } 8504 8505 /* Only called from error and netdev event paths. */ 8506 static void nft_unregister_flowtable_hook(struct net *net, 8507 struct nft_flowtable *flowtable, 8508 struct nft_hook *hook) 8509 { 8510 nf_unregister_net_hook(net, &hook->ops); 8511 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 8512 FLOW_BLOCK_UNBIND); 8513 } 8514 8515 static void __nft_unregister_flowtable_net_hooks(struct net *net, 8516 struct list_head *hook_list, 8517 bool release_netdev) 8518 { 8519 struct nft_hook *hook, *next; 8520 8521 list_for_each_entry_safe(hook, next, hook_list, list) { 8522 nf_unregister_net_hook(net, &hook->ops); 8523 if (release_netdev) { 8524 list_del(&hook->list); 8525 kfree_rcu(hook, rcu); 8526 } 8527 } 8528 } 8529 8530 static void nft_unregister_flowtable_net_hooks(struct net *net, 8531 struct list_head *hook_list) 8532 { 8533 __nft_unregister_flowtable_net_hooks(net, hook_list, false); 8534 } 8535 8536 static int nft_register_flowtable_net_hooks(struct net *net, 8537 struct nft_table *table, 8538 struct list_head *hook_list, 8539 struct nft_flowtable *flowtable) 8540 { 8541 struct nft_hook *hook, *hook2, *next; 8542 struct nft_flowtable *ft; 8543 int err, i = 0; 8544 8545 list_for_each_entry(hook, hook_list, list) { 8546 list_for_each_entry(ft, &table->flowtables, list) { 8547 if (!nft_is_active_next(net, ft)) 8548 continue; 8549 8550 list_for_each_entry(hook2, &ft->hook_list, list) { 8551 if (hook->ops.dev == hook2->ops.dev && 8552 hook->ops.pf == hook2->ops.pf) { 8553 err = -EEXIST; 8554 goto err_unregister_net_hooks; 8555 } 8556 } 8557 } 8558 8559 err = flowtable->data.type->setup(&flowtable->data, 8560 hook->ops.dev, 8561 FLOW_BLOCK_BIND); 8562 if (err < 0) 8563 goto err_unregister_net_hooks; 8564 8565 err = nf_register_net_hook(net, &hook->ops); 8566 if (err < 0) { 8567 flowtable->data.type->setup(&flowtable->data, 8568 hook->ops.dev, 8569 FLOW_BLOCK_UNBIND); 8570 goto err_unregister_net_hooks; 8571 } 8572 8573 i++; 8574 } 8575 8576 return 0; 8577 8578 err_unregister_net_hooks: 8579 list_for_each_entry_safe(hook, next, hook_list, list) { 8580 if (i-- <= 0) 8581 break; 8582 8583 nft_unregister_flowtable_hook(net, flowtable, hook); 8584 list_del_rcu(&hook->list); 8585 kfree_rcu(hook, rcu); 8586 } 8587 8588 return err; 8589 } 8590 8591 static void nft_hooks_destroy(struct list_head *hook_list) 8592 { 8593 struct nft_hook *hook, *next; 8594 8595 list_for_each_entry_safe(hook, next, hook_list, list) { 8596 list_del_rcu(&hook->list); 8597 kfree_rcu(hook, rcu); 8598 } 8599 } 8600 8601 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 8602 struct nft_flowtable *flowtable, 8603 struct netlink_ext_ack *extack) 8604 { 8605 const struct nlattr * const *nla = ctx->nla; 8606 struct nft_flowtable_hook flowtable_hook; 8607 struct nft_hook *hook, *next; 8608 struct nft_trans *trans; 8609 bool unregister = false; 8610 u32 flags; 8611 int err; 8612 8613 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable, 8614 extack, false); 8615 if (err < 0) 8616 return err; 8617 8618 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 8619 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 8620 list_del(&hook->list); 8621 kfree(hook); 8622 } 8623 } 8624 8625 if (nla[NFTA_FLOWTABLE_FLAGS]) { 8626 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 8627 if (flags & ~NFT_FLOWTABLE_MASK) { 8628 err = -EOPNOTSUPP; 8629 goto err_flowtable_update_hook; 8630 } 8631 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ 8632 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) { 8633 err = -EOPNOTSUPP; 8634 goto err_flowtable_update_hook; 8635 } 8636 } else { 8637 flags = flowtable->data.flags; 8638 } 8639 8640 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 8641 &flowtable_hook.list, flowtable); 8642 if (err < 0) 8643 goto err_flowtable_update_hook; 8644 8645 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 8646 sizeof(struct nft_trans_flowtable)); 8647 if (!trans) { 8648 unregister = true; 8649 err = -ENOMEM; 8650 goto err_flowtable_update_hook; 8651 } 8652 8653 nft_trans_flowtable_flags(trans) = flags; 8654 nft_trans_flowtable(trans) = flowtable; 8655 nft_trans_flowtable_update(trans) = true; 8656 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 8657 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 8658 8659 nft_trans_commit_list_add_tail(ctx->net, trans); 8660 8661 return 0; 8662 8663 err_flowtable_update_hook: 8664 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 8665 if (unregister) 8666 nft_unregister_flowtable_hook(ctx->net, flowtable, hook); 8667 list_del_rcu(&hook->list); 8668 kfree_rcu(hook, rcu); 8669 } 8670 8671 return err; 8672 8673 } 8674 8675 static int nf_tables_newflowtable(struct sk_buff *skb, 8676 const struct nfnl_info *info, 8677 const struct nlattr * const nla[]) 8678 { 8679 struct netlink_ext_ack *extack = info->extack; 8680 struct nft_flowtable_hook flowtable_hook; 8681 u8 genmask = nft_genmask_next(info->net); 8682 u8 family = info->nfmsg->nfgen_family; 8683 const struct nf_flowtable_type *type; 8684 struct nft_flowtable *flowtable; 8685 struct net *net = info->net; 8686 struct nft_table *table; 8687 struct nft_trans *trans; 8688 struct nft_ctx ctx; 8689 int err; 8690 8691 if (!nla[NFTA_FLOWTABLE_TABLE] || 8692 !nla[NFTA_FLOWTABLE_NAME] || 8693 !nla[NFTA_FLOWTABLE_HOOK]) 8694 return -EINVAL; 8695 8696 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 8697 genmask, NETLINK_CB(skb).portid); 8698 if (IS_ERR(table)) { 8699 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 8700 return PTR_ERR(table); 8701 } 8702 8703 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 8704 genmask); 8705 if (IS_ERR(flowtable)) { 8706 err = PTR_ERR(flowtable); 8707 if (err != -ENOENT) { 8708 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 8709 return err; 8710 } 8711 } else { 8712 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 8713 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 8714 return -EEXIST; 8715 } 8716 8717 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8718 8719 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack); 8720 } 8721 8722 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8723 8724 if (!nft_use_inc(&table->use)) 8725 return -EMFILE; 8726 8727 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT); 8728 if (!flowtable) { 8729 err = -ENOMEM; 8730 goto flowtable_alloc; 8731 } 8732 8733 flowtable->table = table; 8734 flowtable->handle = nf_tables_alloc_handle(table); 8735 INIT_LIST_HEAD(&flowtable->hook_list); 8736 8737 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT); 8738 if (!flowtable->name) { 8739 err = -ENOMEM; 8740 goto err1; 8741 } 8742 8743 type = nft_flowtable_type_get(net, family); 8744 if (IS_ERR(type)) { 8745 err = PTR_ERR(type); 8746 goto err2; 8747 } 8748 8749 if (nla[NFTA_FLOWTABLE_FLAGS]) { 8750 flowtable->data.flags = 8751 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 8752 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) { 8753 err = -EOPNOTSUPP; 8754 goto err3; 8755 } 8756 } 8757 8758 write_pnet(&flowtable->data.net, net); 8759 flowtable->data.type = type; 8760 err = type->init(&flowtable->data); 8761 if (err < 0) 8762 goto err3; 8763 8764 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable, 8765 extack, true); 8766 if (err < 0) 8767 goto err_flowtable_parse_hooks; 8768 8769 list_splice(&flowtable_hook.list, &flowtable->hook_list); 8770 flowtable->data.priority = flowtable_hook.priority; 8771 flowtable->hooknum = flowtable_hook.num; 8772 8773 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 8774 if (IS_ERR(trans)) { 8775 err = PTR_ERR(trans); 8776 goto err_flowtable_trans; 8777 } 8778 8779 /* This must be LAST to ensure no packets are walking over this flowtable. */ 8780 err = nft_register_flowtable_net_hooks(ctx.net, table, 8781 &flowtable->hook_list, 8782 flowtable); 8783 if (err < 0) 8784 goto err_flowtable_hooks; 8785 8786 list_add_tail_rcu(&flowtable->list, &table->flowtables); 8787 8788 return 0; 8789 8790 err_flowtable_hooks: 8791 nft_trans_destroy(trans); 8792 err_flowtable_trans: 8793 nft_hooks_destroy(&flowtable->hook_list); 8794 err_flowtable_parse_hooks: 8795 flowtable->data.type->free(&flowtable->data); 8796 err3: 8797 module_put(type->owner); 8798 err2: 8799 kfree(flowtable->name); 8800 err1: 8801 kfree(flowtable); 8802 flowtable_alloc: 8803 nft_use_dec_restore(&table->use); 8804 8805 return err; 8806 } 8807 8808 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook) 8809 { 8810 struct nft_hook *this, *next; 8811 8812 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { 8813 list_del(&this->list); 8814 kfree(this); 8815 } 8816 } 8817 8818 static int nft_delflowtable_hook(struct nft_ctx *ctx, 8819 struct nft_flowtable *flowtable, 8820 struct netlink_ext_ack *extack) 8821 { 8822 const struct nlattr * const *nla = ctx->nla; 8823 struct nft_flowtable_hook flowtable_hook; 8824 LIST_HEAD(flowtable_del_list); 8825 struct nft_hook *this, *hook; 8826 struct nft_trans *trans; 8827 int err; 8828 8829 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable, 8830 extack, false); 8831 if (err < 0) 8832 return err; 8833 8834 list_for_each_entry(this, &flowtable_hook.list, list) { 8835 hook = nft_hook_list_find(&flowtable->hook_list, this); 8836 if (!hook) { 8837 err = -ENOENT; 8838 goto err_flowtable_del_hook; 8839 } 8840 list_move(&hook->list, &flowtable_del_list); 8841 } 8842 8843 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 8844 sizeof(struct nft_trans_flowtable)); 8845 if (!trans) { 8846 err = -ENOMEM; 8847 goto err_flowtable_del_hook; 8848 } 8849 8850 nft_trans_flowtable(trans) = flowtable; 8851 nft_trans_flowtable_update(trans) = true; 8852 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 8853 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans)); 8854 nft_flowtable_hook_release(&flowtable_hook); 8855 8856 nft_trans_commit_list_add_tail(ctx->net, trans); 8857 8858 return 0; 8859 8860 err_flowtable_del_hook: 8861 list_splice(&flowtable_del_list, &flowtable->hook_list); 8862 nft_flowtable_hook_release(&flowtable_hook); 8863 8864 return err; 8865 } 8866 8867 static int nf_tables_delflowtable(struct sk_buff *skb, 8868 const struct nfnl_info *info, 8869 const struct nlattr * const nla[]) 8870 { 8871 struct netlink_ext_ack *extack = info->extack; 8872 u8 genmask = nft_genmask_next(info->net); 8873 u8 family = info->nfmsg->nfgen_family; 8874 struct nft_flowtable *flowtable; 8875 struct net *net = info->net; 8876 const struct nlattr *attr; 8877 struct nft_table *table; 8878 struct nft_ctx ctx; 8879 8880 if (!nla[NFTA_FLOWTABLE_TABLE] || 8881 (!nla[NFTA_FLOWTABLE_NAME] && 8882 !nla[NFTA_FLOWTABLE_HANDLE])) 8883 return -EINVAL; 8884 8885 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 8886 genmask, NETLINK_CB(skb).portid); 8887 if (IS_ERR(table)) { 8888 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 8889 return PTR_ERR(table); 8890 } 8891 8892 if (nla[NFTA_FLOWTABLE_HANDLE]) { 8893 attr = nla[NFTA_FLOWTABLE_HANDLE]; 8894 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 8895 } else { 8896 attr = nla[NFTA_FLOWTABLE_NAME]; 8897 flowtable = nft_flowtable_lookup(table, attr, genmask); 8898 } 8899 8900 if (IS_ERR(flowtable)) { 8901 if (PTR_ERR(flowtable) == -ENOENT && 8902 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE) 8903 return 0; 8904 8905 NL_SET_BAD_ATTR(extack, attr); 8906 return PTR_ERR(flowtable); 8907 } 8908 8909 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8910 8911 if (nla[NFTA_FLOWTABLE_HOOK]) 8912 return nft_delflowtable_hook(&ctx, flowtable, extack); 8913 8914 if (flowtable->use > 0) { 8915 NL_SET_BAD_ATTR(extack, attr); 8916 return -EBUSY; 8917 } 8918 8919 return nft_delflowtable(&ctx, flowtable); 8920 } 8921 8922 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 8923 u32 portid, u32 seq, int event, 8924 u32 flags, int family, 8925 struct nft_flowtable *flowtable, 8926 struct list_head *hook_list) 8927 { 8928 struct nlattr *nest, *nest_devs; 8929 struct nft_hook *hook; 8930 struct nlmsghdr *nlh; 8931 8932 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 8933 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 8934 NFNETLINK_V0, nft_base_seq(net)); 8935 if (!nlh) 8936 goto nla_put_failure; 8937 8938 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 8939 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 8940 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 8941 NFTA_FLOWTABLE_PAD)) 8942 goto nla_put_failure; 8943 8944 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) { 8945 nlmsg_end(skb, nlh); 8946 return 0; 8947 } 8948 8949 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 8950 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 8951 goto nla_put_failure; 8952 8953 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 8954 if (!nest) 8955 goto nla_put_failure; 8956 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 8957 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 8958 goto nla_put_failure; 8959 8960 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 8961 if (!nest_devs) 8962 goto nla_put_failure; 8963 8964 if (!hook_list) 8965 hook_list = &flowtable->hook_list; 8966 8967 list_for_each_entry_rcu(hook, hook_list, list) { 8968 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) 8969 goto nla_put_failure; 8970 } 8971 nla_nest_end(skb, nest_devs); 8972 nla_nest_end(skb, nest); 8973 8974 nlmsg_end(skb, nlh); 8975 return 0; 8976 8977 nla_put_failure: 8978 nlmsg_trim(skb, nlh); 8979 return -1; 8980 } 8981 8982 struct nft_flowtable_filter { 8983 char *table; 8984 }; 8985 8986 static int nf_tables_dump_flowtable(struct sk_buff *skb, 8987 struct netlink_callback *cb) 8988 { 8989 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 8990 struct nft_flowtable_filter *filter = cb->data; 8991 unsigned int idx = 0, s_idx = cb->args[0]; 8992 struct net *net = sock_net(skb->sk); 8993 int family = nfmsg->nfgen_family; 8994 struct nft_flowtable *flowtable; 8995 struct nftables_pernet *nft_net; 8996 const struct nft_table *table; 8997 8998 rcu_read_lock(); 8999 nft_net = nft_pernet(net); 9000 cb->seq = READ_ONCE(nft_net->base_seq); 9001 9002 list_for_each_entry_rcu(table, &nft_net->tables, list) { 9003 if (family != NFPROTO_UNSPEC && family != table->family) 9004 continue; 9005 9006 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 9007 if (!nft_is_active(net, flowtable)) 9008 goto cont; 9009 if (idx < s_idx) 9010 goto cont; 9011 if (idx > s_idx) 9012 memset(&cb->args[1], 0, 9013 sizeof(cb->args) - sizeof(cb->args[0])); 9014 if (filter && filter->table && 9015 strcmp(filter->table, table->name)) 9016 goto cont; 9017 9018 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 9019 cb->nlh->nlmsg_seq, 9020 NFT_MSG_NEWFLOWTABLE, 9021 NLM_F_MULTI | NLM_F_APPEND, 9022 table->family, 9023 flowtable, NULL) < 0) 9024 goto done; 9025 9026 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 9027 cont: 9028 idx++; 9029 } 9030 } 9031 done: 9032 rcu_read_unlock(); 9033 9034 cb->args[0] = idx; 9035 return skb->len; 9036 } 9037 9038 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 9039 { 9040 const struct nlattr * const *nla = cb->data; 9041 struct nft_flowtable_filter *filter = NULL; 9042 9043 if (nla[NFTA_FLOWTABLE_TABLE]) { 9044 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 9045 if (!filter) 9046 return -ENOMEM; 9047 9048 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 9049 GFP_ATOMIC); 9050 if (!filter->table) { 9051 kfree(filter); 9052 return -ENOMEM; 9053 } 9054 } 9055 9056 cb->data = filter; 9057 return 0; 9058 } 9059 9060 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 9061 { 9062 struct nft_flowtable_filter *filter = cb->data; 9063 9064 if (!filter) 9065 return 0; 9066 9067 kfree(filter->table); 9068 kfree(filter); 9069 9070 return 0; 9071 } 9072 9073 /* called with rcu_read_lock held */ 9074 static int nf_tables_getflowtable(struct sk_buff *skb, 9075 const struct nfnl_info *info, 9076 const struct nlattr * const nla[]) 9077 { 9078 struct netlink_ext_ack *extack = info->extack; 9079 u8 genmask = nft_genmask_cur(info->net); 9080 u8 family = info->nfmsg->nfgen_family; 9081 struct nft_flowtable *flowtable; 9082 const struct nft_table *table; 9083 struct net *net = info->net; 9084 struct sk_buff *skb2; 9085 int err; 9086 9087 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 9088 struct netlink_dump_control c = { 9089 .start = nf_tables_dump_flowtable_start, 9090 .dump = nf_tables_dump_flowtable, 9091 .done = nf_tables_dump_flowtable_done, 9092 .module = THIS_MODULE, 9093 .data = (void *)nla, 9094 }; 9095 9096 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 9097 } 9098 9099 if (!nla[NFTA_FLOWTABLE_NAME]) 9100 return -EINVAL; 9101 9102 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 9103 genmask, 0); 9104 if (IS_ERR(table)) { 9105 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 9106 return PTR_ERR(table); 9107 } 9108 9109 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 9110 genmask); 9111 if (IS_ERR(flowtable)) { 9112 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 9113 return PTR_ERR(flowtable); 9114 } 9115 9116 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 9117 if (!skb2) 9118 return -ENOMEM; 9119 9120 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 9121 info->nlh->nlmsg_seq, 9122 NFT_MSG_NEWFLOWTABLE, 0, family, 9123 flowtable, NULL); 9124 if (err < 0) 9125 goto err_fill_flowtable_info; 9126 9127 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 9128 9129 err_fill_flowtable_info: 9130 kfree_skb(skb2); 9131 return err; 9132 } 9133 9134 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 9135 struct nft_flowtable *flowtable, 9136 struct list_head *hook_list, int event) 9137 { 9138 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 9139 struct sk_buff *skb; 9140 u16 flags = 0; 9141 int err; 9142 9143 if (!ctx->report && 9144 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 9145 return; 9146 9147 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 9148 if (skb == NULL) 9149 goto err; 9150 9151 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 9152 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 9153 9154 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 9155 ctx->seq, event, flags, 9156 ctx->family, flowtable, hook_list); 9157 if (err < 0) { 9158 kfree_skb(skb); 9159 goto err; 9160 } 9161 9162 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 9163 return; 9164 err: 9165 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 9166 } 9167 9168 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 9169 { 9170 struct nft_hook *hook, *next; 9171 9172 flowtable->data.type->free(&flowtable->data); 9173 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 9174 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 9175 FLOW_BLOCK_UNBIND); 9176 list_del_rcu(&hook->list); 9177 kfree(hook); 9178 } 9179 kfree(flowtable->name); 9180 module_put(flowtable->data.type->owner); 9181 kfree(flowtable); 9182 } 9183 9184 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 9185 u32 portid, u32 seq) 9186 { 9187 struct nftables_pernet *nft_net = nft_pernet(net); 9188 struct nlmsghdr *nlh; 9189 char buf[TASK_COMM_LEN]; 9190 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 9191 9192 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, 9193 NFNETLINK_V0, nft_base_seq(net)); 9194 if (!nlh) 9195 goto nla_put_failure; 9196 9197 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || 9198 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 9199 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 9200 goto nla_put_failure; 9201 9202 nlmsg_end(skb, nlh); 9203 return 0; 9204 9205 nla_put_failure: 9206 nlmsg_trim(skb, nlh); 9207 return -EMSGSIZE; 9208 } 9209 9210 static void nft_flowtable_event(unsigned long event, struct net_device *dev, 9211 struct nft_flowtable *flowtable) 9212 { 9213 struct nft_hook *hook; 9214 9215 list_for_each_entry(hook, &flowtable->hook_list, list) { 9216 if (hook->ops.dev != dev) 9217 continue; 9218 9219 /* flow_offload_netdev_event() cleans up entries for us. */ 9220 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); 9221 list_del_rcu(&hook->list); 9222 kfree_rcu(hook, rcu); 9223 break; 9224 } 9225 } 9226 9227 static int nf_tables_flowtable_event(struct notifier_block *this, 9228 unsigned long event, void *ptr) 9229 { 9230 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 9231 struct nft_flowtable *flowtable; 9232 struct nftables_pernet *nft_net; 9233 struct nft_table *table; 9234 struct net *net; 9235 9236 if (event != NETDEV_UNREGISTER) 9237 return 0; 9238 9239 net = dev_net(dev); 9240 nft_net = nft_pernet(net); 9241 mutex_lock(&nft_net->commit_mutex); 9242 list_for_each_entry(table, &nft_net->tables, list) { 9243 list_for_each_entry(flowtable, &table->flowtables, list) { 9244 nft_flowtable_event(event, dev, flowtable); 9245 } 9246 } 9247 mutex_unlock(&nft_net->commit_mutex); 9248 9249 return NOTIFY_DONE; 9250 } 9251 9252 static struct notifier_block nf_tables_flowtable_notifier = { 9253 .notifier_call = nf_tables_flowtable_event, 9254 }; 9255 9256 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 9257 int event) 9258 { 9259 struct nlmsghdr *nlh = nlmsg_hdr(skb); 9260 struct sk_buff *skb2; 9261 int err; 9262 9263 if (!nlmsg_report(nlh) && 9264 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 9265 return; 9266 9267 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 9268 if (skb2 == NULL) 9269 goto err; 9270 9271 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 9272 nlh->nlmsg_seq); 9273 if (err < 0) { 9274 kfree_skb(skb2); 9275 goto err; 9276 } 9277 9278 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 9279 nlmsg_report(nlh), GFP_KERNEL); 9280 return; 9281 err: 9282 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 9283 -ENOBUFS); 9284 } 9285 9286 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info, 9287 const struct nlattr * const nla[]) 9288 { 9289 struct sk_buff *skb2; 9290 int err; 9291 9292 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 9293 if (skb2 == NULL) 9294 return -ENOMEM; 9295 9296 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid, 9297 info->nlh->nlmsg_seq); 9298 if (err < 0) 9299 goto err_fill_gen_info; 9300 9301 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 9302 9303 err_fill_gen_info: 9304 kfree_skb(skb2); 9305 return err; 9306 } 9307 9308 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 9309 [NFT_MSG_NEWTABLE] = { 9310 .call = nf_tables_newtable, 9311 .type = NFNL_CB_BATCH, 9312 .attr_count = NFTA_TABLE_MAX, 9313 .policy = nft_table_policy, 9314 }, 9315 [NFT_MSG_GETTABLE] = { 9316 .call = nf_tables_gettable, 9317 .type = NFNL_CB_RCU, 9318 .attr_count = NFTA_TABLE_MAX, 9319 .policy = nft_table_policy, 9320 }, 9321 [NFT_MSG_DELTABLE] = { 9322 .call = nf_tables_deltable, 9323 .type = NFNL_CB_BATCH, 9324 .attr_count = NFTA_TABLE_MAX, 9325 .policy = nft_table_policy, 9326 }, 9327 [NFT_MSG_DESTROYTABLE] = { 9328 .call = nf_tables_deltable, 9329 .type = NFNL_CB_BATCH, 9330 .attr_count = NFTA_TABLE_MAX, 9331 .policy = nft_table_policy, 9332 }, 9333 [NFT_MSG_NEWCHAIN] = { 9334 .call = nf_tables_newchain, 9335 .type = NFNL_CB_BATCH, 9336 .attr_count = NFTA_CHAIN_MAX, 9337 .policy = nft_chain_policy, 9338 }, 9339 [NFT_MSG_GETCHAIN] = { 9340 .call = nf_tables_getchain, 9341 .type = NFNL_CB_RCU, 9342 .attr_count = NFTA_CHAIN_MAX, 9343 .policy = nft_chain_policy, 9344 }, 9345 [NFT_MSG_DELCHAIN] = { 9346 .call = nf_tables_delchain, 9347 .type = NFNL_CB_BATCH, 9348 .attr_count = NFTA_CHAIN_MAX, 9349 .policy = nft_chain_policy, 9350 }, 9351 [NFT_MSG_DESTROYCHAIN] = { 9352 .call = nf_tables_delchain, 9353 .type = NFNL_CB_BATCH, 9354 .attr_count = NFTA_CHAIN_MAX, 9355 .policy = nft_chain_policy, 9356 }, 9357 [NFT_MSG_NEWRULE] = { 9358 .call = nf_tables_newrule, 9359 .type = NFNL_CB_BATCH, 9360 .attr_count = NFTA_RULE_MAX, 9361 .policy = nft_rule_policy, 9362 }, 9363 [NFT_MSG_GETRULE] = { 9364 .call = nf_tables_getrule, 9365 .type = NFNL_CB_RCU, 9366 .attr_count = NFTA_RULE_MAX, 9367 .policy = nft_rule_policy, 9368 }, 9369 [NFT_MSG_GETRULE_RESET] = { 9370 .call = nf_tables_getrule_reset, 9371 .type = NFNL_CB_RCU, 9372 .attr_count = NFTA_RULE_MAX, 9373 .policy = nft_rule_policy, 9374 }, 9375 [NFT_MSG_DELRULE] = { 9376 .call = nf_tables_delrule, 9377 .type = NFNL_CB_BATCH, 9378 .attr_count = NFTA_RULE_MAX, 9379 .policy = nft_rule_policy, 9380 }, 9381 [NFT_MSG_DESTROYRULE] = { 9382 .call = nf_tables_delrule, 9383 .type = NFNL_CB_BATCH, 9384 .attr_count = NFTA_RULE_MAX, 9385 .policy = nft_rule_policy, 9386 }, 9387 [NFT_MSG_NEWSET] = { 9388 .call = nf_tables_newset, 9389 .type = NFNL_CB_BATCH, 9390 .attr_count = NFTA_SET_MAX, 9391 .policy = nft_set_policy, 9392 }, 9393 [NFT_MSG_GETSET] = { 9394 .call = nf_tables_getset, 9395 .type = NFNL_CB_RCU, 9396 .attr_count = NFTA_SET_MAX, 9397 .policy = nft_set_policy, 9398 }, 9399 [NFT_MSG_DELSET] = { 9400 .call = nf_tables_delset, 9401 .type = NFNL_CB_BATCH, 9402 .attr_count = NFTA_SET_MAX, 9403 .policy = nft_set_policy, 9404 }, 9405 [NFT_MSG_DESTROYSET] = { 9406 .call = nf_tables_delset, 9407 .type = NFNL_CB_BATCH, 9408 .attr_count = NFTA_SET_MAX, 9409 .policy = nft_set_policy, 9410 }, 9411 [NFT_MSG_NEWSETELEM] = { 9412 .call = nf_tables_newsetelem, 9413 .type = NFNL_CB_BATCH, 9414 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9415 .policy = nft_set_elem_list_policy, 9416 }, 9417 [NFT_MSG_GETSETELEM] = { 9418 .call = nf_tables_getsetelem, 9419 .type = NFNL_CB_RCU, 9420 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9421 .policy = nft_set_elem_list_policy, 9422 }, 9423 [NFT_MSG_GETSETELEM_RESET] = { 9424 .call = nf_tables_getsetelem_reset, 9425 .type = NFNL_CB_RCU, 9426 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9427 .policy = nft_set_elem_list_policy, 9428 }, 9429 [NFT_MSG_DELSETELEM] = { 9430 .call = nf_tables_delsetelem, 9431 .type = NFNL_CB_BATCH, 9432 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9433 .policy = nft_set_elem_list_policy, 9434 }, 9435 [NFT_MSG_DESTROYSETELEM] = { 9436 .call = nf_tables_delsetelem, 9437 .type = NFNL_CB_BATCH, 9438 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9439 .policy = nft_set_elem_list_policy, 9440 }, 9441 [NFT_MSG_GETGEN] = { 9442 .call = nf_tables_getgen, 9443 .type = NFNL_CB_RCU, 9444 }, 9445 [NFT_MSG_NEWOBJ] = { 9446 .call = nf_tables_newobj, 9447 .type = NFNL_CB_BATCH, 9448 .attr_count = NFTA_OBJ_MAX, 9449 .policy = nft_obj_policy, 9450 }, 9451 [NFT_MSG_GETOBJ] = { 9452 .call = nf_tables_getobj, 9453 .type = NFNL_CB_RCU, 9454 .attr_count = NFTA_OBJ_MAX, 9455 .policy = nft_obj_policy, 9456 }, 9457 [NFT_MSG_DELOBJ] = { 9458 .call = nf_tables_delobj, 9459 .type = NFNL_CB_BATCH, 9460 .attr_count = NFTA_OBJ_MAX, 9461 .policy = nft_obj_policy, 9462 }, 9463 [NFT_MSG_DESTROYOBJ] = { 9464 .call = nf_tables_delobj, 9465 .type = NFNL_CB_BATCH, 9466 .attr_count = NFTA_OBJ_MAX, 9467 .policy = nft_obj_policy, 9468 }, 9469 [NFT_MSG_GETOBJ_RESET] = { 9470 .call = nf_tables_getobj_reset, 9471 .type = NFNL_CB_RCU, 9472 .attr_count = NFTA_OBJ_MAX, 9473 .policy = nft_obj_policy, 9474 }, 9475 [NFT_MSG_NEWFLOWTABLE] = { 9476 .call = nf_tables_newflowtable, 9477 .type = NFNL_CB_BATCH, 9478 .attr_count = NFTA_FLOWTABLE_MAX, 9479 .policy = nft_flowtable_policy, 9480 }, 9481 [NFT_MSG_GETFLOWTABLE] = { 9482 .call = nf_tables_getflowtable, 9483 .type = NFNL_CB_RCU, 9484 .attr_count = NFTA_FLOWTABLE_MAX, 9485 .policy = nft_flowtable_policy, 9486 }, 9487 [NFT_MSG_DELFLOWTABLE] = { 9488 .call = nf_tables_delflowtable, 9489 .type = NFNL_CB_BATCH, 9490 .attr_count = NFTA_FLOWTABLE_MAX, 9491 .policy = nft_flowtable_policy, 9492 }, 9493 [NFT_MSG_DESTROYFLOWTABLE] = { 9494 .call = nf_tables_delflowtable, 9495 .type = NFNL_CB_BATCH, 9496 .attr_count = NFTA_FLOWTABLE_MAX, 9497 .policy = nft_flowtable_policy, 9498 }, 9499 }; 9500 9501 static int nf_tables_validate(struct net *net) 9502 { 9503 struct nftables_pernet *nft_net = nft_pernet(net); 9504 struct nft_table *table; 9505 9506 list_for_each_entry(table, &nft_net->tables, list) { 9507 switch (table->validate_state) { 9508 case NFT_VALIDATE_SKIP: 9509 continue; 9510 case NFT_VALIDATE_NEED: 9511 nft_validate_state_update(table, NFT_VALIDATE_DO); 9512 fallthrough; 9513 case NFT_VALIDATE_DO: 9514 if (nft_table_validate(net, table) < 0) 9515 return -EAGAIN; 9516 9517 nft_validate_state_update(table, NFT_VALIDATE_SKIP); 9518 break; 9519 } 9520 } 9521 9522 return 0; 9523 } 9524 9525 /* a drop policy has to be deferred until all rules have been activated, 9526 * otherwise a large ruleset that contains a drop-policy base chain will 9527 * cause all packets to get dropped until the full transaction has been 9528 * processed. 9529 * 9530 * We defer the drop policy until the transaction has been finalized. 9531 */ 9532 static void nft_chain_commit_drop_policy(struct nft_trans_chain *trans) 9533 { 9534 struct nft_base_chain *basechain; 9535 9536 if (trans->policy != NF_DROP) 9537 return; 9538 9539 if (!nft_is_base_chain(trans->chain)) 9540 return; 9541 9542 basechain = nft_base_chain(trans->chain); 9543 basechain->policy = NF_DROP; 9544 } 9545 9546 static void nft_chain_commit_update(struct nft_trans_chain *trans) 9547 { 9548 struct nft_table *table = trans->nft_trans_binding.nft_trans.table; 9549 struct nft_base_chain *basechain; 9550 9551 if (trans->name) { 9552 rhltable_remove(&table->chains_ht, 9553 &trans->chain->rhlhead, 9554 nft_chain_ht_params); 9555 swap(trans->chain->name, trans->name); 9556 rhltable_insert_key(&table->chains_ht, 9557 trans->chain->name, 9558 &trans->chain->rhlhead, 9559 nft_chain_ht_params); 9560 } 9561 9562 if (!nft_is_base_chain(trans->chain)) 9563 return; 9564 9565 nft_chain_stats_replace(trans); 9566 9567 basechain = nft_base_chain(trans->chain); 9568 9569 switch (trans->policy) { 9570 case NF_DROP: 9571 case NF_ACCEPT: 9572 basechain->policy = trans->policy; 9573 break; 9574 } 9575 } 9576 9577 static void nft_obj_commit_update(const struct nft_ctx *ctx, 9578 struct nft_trans *trans) 9579 { 9580 struct nft_object *newobj; 9581 struct nft_object *obj; 9582 9583 obj = nft_trans_obj(trans); 9584 newobj = nft_trans_obj_newobj(trans); 9585 9586 if (WARN_ON_ONCE(!obj->ops->update)) 9587 return; 9588 9589 obj->ops->update(obj, newobj); 9590 nft_obj_destroy(ctx, newobj); 9591 } 9592 9593 static void nft_commit_release(struct nft_trans *trans) 9594 { 9595 struct nft_ctx ctx = { 9596 .net = trans->net, 9597 }; 9598 9599 nft_ctx_update(&ctx, trans); 9600 9601 switch (trans->msg_type) { 9602 case NFT_MSG_DELTABLE: 9603 case NFT_MSG_DESTROYTABLE: 9604 nf_tables_table_destroy(trans->table); 9605 break; 9606 case NFT_MSG_NEWCHAIN: 9607 free_percpu(nft_trans_chain_stats(trans)); 9608 kfree(nft_trans_chain_name(trans)); 9609 break; 9610 case NFT_MSG_DELCHAIN: 9611 case NFT_MSG_DESTROYCHAIN: 9612 if (nft_trans_chain_update(trans)) 9613 nft_hooks_destroy(&nft_trans_chain_hooks(trans)); 9614 else 9615 nf_tables_chain_destroy(nft_trans_chain(trans)); 9616 break; 9617 case NFT_MSG_DELRULE: 9618 case NFT_MSG_DESTROYRULE: 9619 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans)); 9620 break; 9621 case NFT_MSG_DELSET: 9622 case NFT_MSG_DESTROYSET: 9623 nft_set_destroy(&ctx, nft_trans_set(trans)); 9624 break; 9625 case NFT_MSG_DELSETELEM: 9626 case NFT_MSG_DESTROYSETELEM: 9627 nf_tables_set_elem_destroy(&ctx, 9628 nft_trans_elem_set(trans), 9629 nft_trans_elem_priv(trans)); 9630 break; 9631 case NFT_MSG_DELOBJ: 9632 case NFT_MSG_DESTROYOBJ: 9633 nft_obj_destroy(&ctx, nft_trans_obj(trans)); 9634 break; 9635 case NFT_MSG_DELFLOWTABLE: 9636 case NFT_MSG_DESTROYFLOWTABLE: 9637 if (nft_trans_flowtable_update(trans)) 9638 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 9639 else 9640 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 9641 break; 9642 } 9643 9644 if (trans->put_net) 9645 put_net(trans->net); 9646 9647 kfree(trans); 9648 } 9649 9650 static void nf_tables_trans_destroy_work(struct work_struct *w) 9651 { 9652 struct nft_trans *trans, *next; 9653 LIST_HEAD(head); 9654 9655 spin_lock(&nf_tables_destroy_list_lock); 9656 list_splice_init(&nf_tables_destroy_list, &head); 9657 spin_unlock(&nf_tables_destroy_list_lock); 9658 9659 if (list_empty(&head)) 9660 return; 9661 9662 synchronize_rcu(); 9663 9664 list_for_each_entry_safe(trans, next, &head, list) { 9665 nft_trans_list_del(trans); 9666 nft_commit_release(trans); 9667 } 9668 } 9669 9670 void nf_tables_trans_destroy_flush_work(void) 9671 { 9672 flush_work(&trans_destroy_work); 9673 } 9674 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work); 9675 9676 static bool nft_expr_reduce(struct nft_regs_track *track, 9677 const struct nft_expr *expr) 9678 { 9679 return false; 9680 } 9681 9682 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 9683 { 9684 const struct nft_expr *expr, *last; 9685 struct nft_regs_track track = {}; 9686 unsigned int size, data_size; 9687 void *data, *data_boundary; 9688 struct nft_rule_dp *prule; 9689 struct nft_rule *rule; 9690 9691 /* already handled or inactive chain? */ 9692 if (chain->blob_next || !nft_is_active_next(net, chain)) 9693 return 0; 9694 9695 data_size = 0; 9696 list_for_each_entry(rule, &chain->rules, list) { 9697 if (nft_is_active_next(net, rule)) { 9698 data_size += sizeof(*prule) + rule->dlen; 9699 if (data_size > INT_MAX) 9700 return -ENOMEM; 9701 } 9702 } 9703 9704 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size); 9705 if (!chain->blob_next) 9706 return -ENOMEM; 9707 9708 data = (void *)chain->blob_next->data; 9709 data_boundary = data + data_size; 9710 size = 0; 9711 9712 list_for_each_entry(rule, &chain->rules, list) { 9713 if (!nft_is_active_next(net, rule)) 9714 continue; 9715 9716 prule = (struct nft_rule_dp *)data; 9717 data += offsetof(struct nft_rule_dp, data); 9718 if (WARN_ON_ONCE(data > data_boundary)) 9719 return -ENOMEM; 9720 9721 size = 0; 9722 track.last = nft_expr_last(rule); 9723 nft_rule_for_each_expr(expr, last, rule) { 9724 track.cur = expr; 9725 9726 if (nft_expr_reduce(&track, expr)) { 9727 expr = track.cur; 9728 continue; 9729 } 9730 9731 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary)) 9732 return -ENOMEM; 9733 9734 memcpy(data + size, expr, expr->ops->size); 9735 size += expr->ops->size; 9736 } 9737 if (WARN_ON_ONCE(size >= 1 << 12)) 9738 return -ENOMEM; 9739 9740 prule->handle = rule->handle; 9741 prule->dlen = size; 9742 prule->is_last = 0; 9743 9744 data += size; 9745 size = 0; 9746 chain->blob_next->size += (unsigned long)(data - (void *)prule); 9747 } 9748 9749 if (WARN_ON_ONCE(data > data_boundary)) 9750 return -ENOMEM; 9751 9752 prule = (struct nft_rule_dp *)data; 9753 nft_last_rule(chain, prule); 9754 9755 return 0; 9756 } 9757 9758 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 9759 { 9760 struct nftables_pernet *nft_net = nft_pernet(net); 9761 struct nft_trans *trans, *next; 9762 9763 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 9764 if (trans->msg_type == NFT_MSG_NEWRULE || 9765 trans->msg_type == NFT_MSG_DELRULE) { 9766 struct nft_chain *chain = nft_trans_rule_chain(trans); 9767 9768 kvfree(chain->blob_next); 9769 chain->blob_next = NULL; 9770 } 9771 } 9772 } 9773 9774 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h) 9775 { 9776 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h); 9777 9778 kvfree(l->blob); 9779 } 9780 9781 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob) 9782 { 9783 struct nft_rule_dp_last *last; 9784 9785 /* last rule trailer is after end marker */ 9786 last = (void *)blob + sizeof(*blob) + blob->size; 9787 last->blob = blob; 9788 9789 call_rcu(&last->h, __nf_tables_commit_chain_free_rules); 9790 } 9791 9792 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 9793 { 9794 struct nft_rule_blob *g0, *g1; 9795 bool next_genbit; 9796 9797 next_genbit = nft_gencursor_next(net); 9798 9799 g0 = rcu_dereference_protected(chain->blob_gen_0, 9800 lockdep_commit_lock_is_held(net)); 9801 g1 = rcu_dereference_protected(chain->blob_gen_1, 9802 lockdep_commit_lock_is_held(net)); 9803 9804 /* No changes to this chain? */ 9805 if (chain->blob_next == NULL) { 9806 /* chain had no change in last or next generation */ 9807 if (g0 == g1) 9808 return; 9809 /* 9810 * chain had no change in this generation; make sure next 9811 * one uses same rules as current generation. 9812 */ 9813 if (next_genbit) { 9814 rcu_assign_pointer(chain->blob_gen_1, g0); 9815 nf_tables_commit_chain_free_rules_old(g1); 9816 } else { 9817 rcu_assign_pointer(chain->blob_gen_0, g1); 9818 nf_tables_commit_chain_free_rules_old(g0); 9819 } 9820 9821 return; 9822 } 9823 9824 if (next_genbit) 9825 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next); 9826 else 9827 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next); 9828 9829 chain->blob_next = NULL; 9830 9831 if (g0 == g1) 9832 return; 9833 9834 if (next_genbit) 9835 nf_tables_commit_chain_free_rules_old(g1); 9836 else 9837 nf_tables_commit_chain_free_rules_old(g0); 9838 } 9839 9840 static void nft_obj_del(struct nft_object *obj) 9841 { 9842 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 9843 list_del_rcu(&obj->list); 9844 } 9845 9846 void nft_chain_del(struct nft_chain *chain) 9847 { 9848 struct nft_table *table = chain->table; 9849 9850 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 9851 nft_chain_ht_params)); 9852 list_del_rcu(&chain->list); 9853 } 9854 9855 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx, 9856 struct nft_trans_gc *trans) 9857 { 9858 struct nft_elem_priv **priv = trans->priv; 9859 unsigned int i; 9860 9861 for (i = 0; i < trans->count; i++) { 9862 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]); 9863 nft_setelem_remove(ctx->net, trans->set, priv[i]); 9864 } 9865 } 9866 9867 void nft_trans_gc_destroy(struct nft_trans_gc *trans) 9868 { 9869 nft_set_put(trans->set); 9870 put_net(trans->net); 9871 kfree(trans); 9872 } 9873 9874 static void nft_trans_gc_trans_free(struct rcu_head *rcu) 9875 { 9876 struct nft_elem_priv *elem_priv; 9877 struct nft_trans_gc *trans; 9878 struct nft_ctx ctx = {}; 9879 unsigned int i; 9880 9881 trans = container_of(rcu, struct nft_trans_gc, rcu); 9882 ctx.net = read_pnet(&trans->set->net); 9883 9884 for (i = 0; i < trans->count; i++) { 9885 elem_priv = trans->priv[i]; 9886 if (!nft_setelem_is_catchall(trans->set, elem_priv)) 9887 atomic_dec(&trans->set->nelems); 9888 9889 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv); 9890 } 9891 9892 nft_trans_gc_destroy(trans); 9893 } 9894 9895 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans) 9896 { 9897 struct nftables_pernet *nft_net; 9898 struct nft_ctx ctx = {}; 9899 9900 nft_net = nft_pernet(trans->net); 9901 9902 mutex_lock(&nft_net->commit_mutex); 9903 9904 /* Check for race with transaction, otherwise this batch refers to 9905 * stale objects that might not be there anymore. Skip transaction if 9906 * set has been destroyed from control plane transaction in case gc 9907 * worker loses race. 9908 */ 9909 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) { 9910 mutex_unlock(&nft_net->commit_mutex); 9911 return false; 9912 } 9913 9914 ctx.net = trans->net; 9915 ctx.table = trans->set->table; 9916 9917 nft_trans_gc_setelem_remove(&ctx, trans); 9918 mutex_unlock(&nft_net->commit_mutex); 9919 9920 return true; 9921 } 9922 9923 static void nft_trans_gc_work(struct work_struct *work) 9924 { 9925 struct nft_trans_gc *trans, *next; 9926 LIST_HEAD(trans_gc_list); 9927 9928 spin_lock(&nf_tables_gc_list_lock); 9929 list_splice_init(&nf_tables_gc_list, &trans_gc_list); 9930 spin_unlock(&nf_tables_gc_list_lock); 9931 9932 list_for_each_entry_safe(trans, next, &trans_gc_list, list) { 9933 list_del(&trans->list); 9934 if (!nft_trans_gc_work_done(trans)) { 9935 nft_trans_gc_destroy(trans); 9936 continue; 9937 } 9938 call_rcu(&trans->rcu, nft_trans_gc_trans_free); 9939 } 9940 } 9941 9942 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set, 9943 unsigned int gc_seq, gfp_t gfp) 9944 { 9945 struct net *net = read_pnet(&set->net); 9946 struct nft_trans_gc *trans; 9947 9948 trans = kzalloc(sizeof(*trans), gfp); 9949 if (!trans) 9950 return NULL; 9951 9952 trans->net = maybe_get_net(net); 9953 if (!trans->net) { 9954 kfree(trans); 9955 return NULL; 9956 } 9957 9958 refcount_inc(&set->refs); 9959 trans->set = set; 9960 trans->seq = gc_seq; 9961 9962 return trans; 9963 } 9964 9965 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv) 9966 { 9967 trans->priv[trans->count++] = priv; 9968 } 9969 9970 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans) 9971 { 9972 spin_lock(&nf_tables_gc_list_lock); 9973 list_add_tail(&trans->list, &nf_tables_gc_list); 9974 spin_unlock(&nf_tables_gc_list_lock); 9975 9976 schedule_work(&trans_gc_work); 9977 } 9978 9979 static int nft_trans_gc_space(struct nft_trans_gc *trans) 9980 { 9981 return NFT_TRANS_GC_BATCHCOUNT - trans->count; 9982 } 9983 9984 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc, 9985 unsigned int gc_seq, gfp_t gfp) 9986 { 9987 struct nft_set *set; 9988 9989 if (nft_trans_gc_space(gc)) 9990 return gc; 9991 9992 set = gc->set; 9993 nft_trans_gc_queue_work(gc); 9994 9995 return nft_trans_gc_alloc(set, gc_seq, gfp); 9996 } 9997 9998 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans) 9999 { 10000 if (trans->count == 0) { 10001 nft_trans_gc_destroy(trans); 10002 return; 10003 } 10004 10005 nft_trans_gc_queue_work(trans); 10006 } 10007 10008 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp) 10009 { 10010 struct nft_set *set; 10011 10012 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net))) 10013 return NULL; 10014 10015 if (nft_trans_gc_space(gc)) 10016 return gc; 10017 10018 set = gc->set; 10019 call_rcu(&gc->rcu, nft_trans_gc_trans_free); 10020 10021 return nft_trans_gc_alloc(set, 0, gfp); 10022 } 10023 10024 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans) 10025 { 10026 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net)); 10027 10028 if (trans->count == 0) { 10029 nft_trans_gc_destroy(trans); 10030 return; 10031 } 10032 10033 call_rcu(&trans->rcu, nft_trans_gc_trans_free); 10034 } 10035 10036 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc, 10037 unsigned int gc_seq) 10038 { 10039 struct nft_set_elem_catchall *catchall; 10040 const struct nft_set *set = gc->set; 10041 struct nft_set_ext *ext; 10042 10043 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 10044 ext = nft_set_elem_ext(set, catchall->elem); 10045 10046 if (!nft_set_elem_expired(ext)) 10047 continue; 10048 if (nft_set_elem_is_dead(ext)) 10049 goto dead_elem; 10050 10051 nft_set_elem_dead(ext); 10052 dead_elem: 10053 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC); 10054 if (!gc) 10055 return NULL; 10056 10057 nft_trans_gc_elem_add(gc, catchall->elem); 10058 } 10059 10060 return gc; 10061 } 10062 10063 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc) 10064 { 10065 struct nft_set_elem_catchall *catchall, *next; 10066 u64 tstamp = nft_net_tstamp(gc->net); 10067 const struct nft_set *set = gc->set; 10068 struct nft_elem_priv *elem_priv; 10069 struct nft_set_ext *ext; 10070 10071 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)); 10072 10073 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 10074 ext = nft_set_elem_ext(set, catchall->elem); 10075 10076 if (!__nft_set_elem_expired(ext, tstamp)) 10077 continue; 10078 10079 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL); 10080 if (!gc) 10081 return NULL; 10082 10083 elem_priv = catchall->elem; 10084 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv); 10085 nft_setelem_catchall_destroy(catchall); 10086 nft_trans_gc_elem_add(gc, elem_priv); 10087 } 10088 10089 return gc; 10090 } 10091 10092 static void nf_tables_module_autoload_cleanup(struct net *net) 10093 { 10094 struct nftables_pernet *nft_net = nft_pernet(net); 10095 struct nft_module_request *req, *next; 10096 10097 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 10098 list_for_each_entry_safe(req, next, &nft_net->module_list, list) { 10099 WARN_ON_ONCE(!req->done); 10100 list_del(&req->list); 10101 kfree(req); 10102 } 10103 } 10104 10105 static void nf_tables_commit_release(struct net *net) 10106 { 10107 struct nftables_pernet *nft_net = nft_pernet(net); 10108 struct nft_trans *trans; 10109 10110 /* all side effects have to be made visible. 10111 * For example, if a chain named 'foo' has been deleted, a 10112 * new transaction must not find it anymore. 10113 * 10114 * Memory reclaim happens asynchronously from work queue 10115 * to prevent expensive synchronize_rcu() in commit phase. 10116 */ 10117 if (list_empty(&nft_net->commit_list)) { 10118 nf_tables_module_autoload_cleanup(net); 10119 mutex_unlock(&nft_net->commit_mutex); 10120 return; 10121 } 10122 10123 trans = list_last_entry(&nft_net->commit_list, 10124 struct nft_trans, list); 10125 get_net(trans->net); 10126 WARN_ON_ONCE(trans->put_net); 10127 10128 trans->put_net = true; 10129 spin_lock(&nf_tables_destroy_list_lock); 10130 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list); 10131 spin_unlock(&nf_tables_destroy_list_lock); 10132 10133 nf_tables_module_autoload_cleanup(net); 10134 schedule_work(&trans_destroy_work); 10135 10136 mutex_unlock(&nft_net->commit_mutex); 10137 } 10138 10139 static void nft_commit_notify(struct net *net, u32 portid) 10140 { 10141 struct nftables_pernet *nft_net = nft_pernet(net); 10142 struct sk_buff *batch_skb = NULL, *nskb, *skb; 10143 unsigned char *data; 10144 int len; 10145 10146 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) { 10147 if (!batch_skb) { 10148 new_batch: 10149 batch_skb = skb; 10150 len = NLMSG_GOODSIZE - skb->len; 10151 list_del(&skb->list); 10152 continue; 10153 } 10154 len -= skb->len; 10155 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) { 10156 data = skb_put(batch_skb, skb->len); 10157 memcpy(data, skb->data, skb->len); 10158 list_del(&skb->list); 10159 kfree_skb(skb); 10160 continue; 10161 } 10162 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 10163 NFT_CB(batch_skb).report, GFP_KERNEL); 10164 goto new_batch; 10165 } 10166 10167 if (batch_skb) { 10168 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 10169 NFT_CB(batch_skb).report, GFP_KERNEL); 10170 } 10171 10172 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 10173 } 10174 10175 static int nf_tables_commit_audit_alloc(struct list_head *adl, 10176 struct nft_table *table) 10177 { 10178 struct nft_audit_data *adp; 10179 10180 list_for_each_entry(adp, adl, list) { 10181 if (adp->table == table) 10182 return 0; 10183 } 10184 adp = kzalloc(sizeof(*adp), GFP_KERNEL); 10185 if (!adp) 10186 return -ENOMEM; 10187 adp->table = table; 10188 list_add(&adp->list, adl); 10189 return 0; 10190 } 10191 10192 static void nf_tables_commit_audit_free(struct list_head *adl) 10193 { 10194 struct nft_audit_data *adp, *adn; 10195 10196 list_for_each_entry_safe(adp, adn, adl, list) { 10197 list_del(&adp->list); 10198 kfree(adp); 10199 } 10200 } 10201 10202 static void nf_tables_commit_audit_collect(struct list_head *adl, 10203 struct nft_table *table, u32 op) 10204 { 10205 struct nft_audit_data *adp; 10206 10207 list_for_each_entry(adp, adl, list) { 10208 if (adp->table == table) 10209 goto found; 10210 } 10211 WARN_ONCE(1, "table=%s not expected in commit list", table->name); 10212 return; 10213 found: 10214 adp->entries++; 10215 if (!adp->op || adp->op > op) 10216 adp->op = op; 10217 } 10218 10219 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) 10220 10221 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) 10222 { 10223 struct nft_audit_data *adp, *adn; 10224 char aubuf[AUNFTABLENAMELEN]; 10225 10226 list_for_each_entry_safe(adp, adn, adl, list) { 10227 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, 10228 generation); 10229 audit_log_nfcfg(aubuf, adp->table->family, adp->entries, 10230 nft2audit_op[adp->op], GFP_KERNEL); 10231 list_del(&adp->list); 10232 kfree(adp); 10233 } 10234 } 10235 10236 static void nft_set_commit_update(struct list_head *set_update_list) 10237 { 10238 struct nft_set *set, *next; 10239 10240 list_for_each_entry_safe(set, next, set_update_list, pending_update) { 10241 list_del_init(&set->pending_update); 10242 10243 if (!set->ops->commit || set->dead) 10244 continue; 10245 10246 set->ops->commit(set); 10247 } 10248 } 10249 10250 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net) 10251 { 10252 unsigned int gc_seq; 10253 10254 /* Bump gc counter, it becomes odd, this is the busy mark. */ 10255 gc_seq = READ_ONCE(nft_net->gc_seq); 10256 WRITE_ONCE(nft_net->gc_seq, ++gc_seq); 10257 10258 return gc_seq; 10259 } 10260 10261 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq) 10262 { 10263 WRITE_ONCE(nft_net->gc_seq, ++gc_seq); 10264 } 10265 10266 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 10267 { 10268 struct nftables_pernet *nft_net = nft_pernet(net); 10269 const struct nlmsghdr *nlh = nlmsg_hdr(skb); 10270 struct nft_trans_binding *trans_binding; 10271 struct nft_trans *trans, *next; 10272 unsigned int base_seq, gc_seq; 10273 LIST_HEAD(set_update_list); 10274 struct nft_trans_elem *te; 10275 struct nft_chain *chain; 10276 struct nft_table *table; 10277 struct nft_ctx ctx; 10278 LIST_HEAD(adl); 10279 int err; 10280 10281 if (list_empty(&nft_net->commit_list)) { 10282 mutex_unlock(&nft_net->commit_mutex); 10283 return 0; 10284 } 10285 10286 nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL); 10287 10288 list_for_each_entry(trans_binding, &nft_net->binding_list, binding_list) { 10289 trans = &trans_binding->nft_trans; 10290 switch (trans->msg_type) { 10291 case NFT_MSG_NEWSET: 10292 if (!nft_trans_set_update(trans) && 10293 nft_set_is_anonymous(nft_trans_set(trans)) && 10294 !nft_trans_set_bound(trans)) { 10295 pr_warn_once("nftables ruleset with unbound set\n"); 10296 return -EINVAL; 10297 } 10298 break; 10299 case NFT_MSG_NEWCHAIN: 10300 if (!nft_trans_chain_update(trans) && 10301 nft_chain_binding(nft_trans_chain(trans)) && 10302 !nft_trans_chain_bound(trans)) { 10303 pr_warn_once("nftables ruleset with unbound chain\n"); 10304 return -EINVAL; 10305 } 10306 break; 10307 default: 10308 WARN_ONCE(1, "Unhandled bind type %d", trans->msg_type); 10309 break; 10310 } 10311 } 10312 10313 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 10314 if (nf_tables_validate(net) < 0) { 10315 nft_net->validate_state = NFT_VALIDATE_DO; 10316 return -EAGAIN; 10317 } 10318 10319 err = nft_flow_rule_offload_commit(net); 10320 if (err < 0) 10321 return err; 10322 10323 /* 1. Allocate space for next generation rules_gen_X[] */ 10324 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 10325 struct nft_table *table = trans->table; 10326 int ret; 10327 10328 ret = nf_tables_commit_audit_alloc(&adl, table); 10329 if (ret) { 10330 nf_tables_commit_chain_prepare_cancel(net); 10331 nf_tables_commit_audit_free(&adl); 10332 return ret; 10333 } 10334 if (trans->msg_type == NFT_MSG_NEWRULE || 10335 trans->msg_type == NFT_MSG_DELRULE) { 10336 chain = nft_trans_rule_chain(trans); 10337 10338 ret = nf_tables_commit_chain_prepare(net, chain); 10339 if (ret < 0) { 10340 nf_tables_commit_chain_prepare_cancel(net); 10341 nf_tables_commit_audit_free(&adl); 10342 return ret; 10343 } 10344 } 10345 } 10346 10347 /* step 2. Make rules_gen_X visible to packet path */ 10348 list_for_each_entry(table, &nft_net->tables, list) { 10349 list_for_each_entry(chain, &table->chains, list) 10350 nf_tables_commit_chain(net, chain); 10351 } 10352 10353 /* 10354 * Bump generation counter, invalidate any dump in progress. 10355 * Cannot fail after this point. 10356 */ 10357 base_seq = READ_ONCE(nft_net->base_seq); 10358 while (++base_seq == 0) 10359 ; 10360 10361 WRITE_ONCE(nft_net->base_seq, base_seq); 10362 10363 gc_seq = nft_gc_seq_begin(nft_net); 10364 10365 /* step 3. Start new generation, rules_gen_X now in use. */ 10366 net->nft.gencursor = nft_gencursor_next(net); 10367 10368 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 10369 struct nft_table *table = trans->table; 10370 10371 nft_ctx_update(&ctx, trans); 10372 10373 nf_tables_commit_audit_collect(&adl, table, trans->msg_type); 10374 switch (trans->msg_type) { 10375 case NFT_MSG_NEWTABLE: 10376 if (nft_trans_table_update(trans)) { 10377 if (!(table->flags & __NFT_TABLE_F_UPDATE)) { 10378 nft_trans_destroy(trans); 10379 break; 10380 } 10381 if (table->flags & NFT_TABLE_F_DORMANT) 10382 nf_tables_table_disable(net, table); 10383 10384 table->flags &= ~__NFT_TABLE_F_UPDATE; 10385 } else { 10386 nft_clear(net, table); 10387 } 10388 nf_tables_table_notify(&ctx, NFT_MSG_NEWTABLE); 10389 nft_trans_destroy(trans); 10390 break; 10391 case NFT_MSG_DELTABLE: 10392 case NFT_MSG_DESTROYTABLE: 10393 list_del_rcu(&table->list); 10394 nf_tables_table_notify(&ctx, trans->msg_type); 10395 break; 10396 case NFT_MSG_NEWCHAIN: 10397 if (nft_trans_chain_update(trans)) { 10398 nft_chain_commit_update(nft_trans_container_chain(trans)); 10399 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, 10400 &nft_trans_chain_hooks(trans)); 10401 list_splice(&nft_trans_chain_hooks(trans), 10402 &nft_trans_basechain(trans)->hook_list); 10403 /* trans destroyed after rcu grace period */ 10404 } else { 10405 nft_chain_commit_drop_policy(nft_trans_container_chain(trans)); 10406 nft_clear(net, nft_trans_chain(trans)); 10407 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL); 10408 nft_trans_destroy(trans); 10409 } 10410 break; 10411 case NFT_MSG_DELCHAIN: 10412 case NFT_MSG_DESTROYCHAIN: 10413 if (nft_trans_chain_update(trans)) { 10414 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN, 10415 &nft_trans_chain_hooks(trans)); 10416 if (!(table->flags & NFT_TABLE_F_DORMANT)) { 10417 nft_netdev_unregister_hooks(net, 10418 &nft_trans_chain_hooks(trans), 10419 true); 10420 } 10421 } else { 10422 nft_chain_del(nft_trans_chain(trans)); 10423 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN, 10424 NULL); 10425 nf_tables_unregister_hook(ctx.net, ctx.table, 10426 nft_trans_chain(trans)); 10427 } 10428 break; 10429 case NFT_MSG_NEWRULE: 10430 nft_clear(net, nft_trans_rule(trans)); 10431 nf_tables_rule_notify(&ctx, nft_trans_rule(trans), 10432 NFT_MSG_NEWRULE); 10433 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 10434 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10435 10436 nft_trans_destroy(trans); 10437 break; 10438 case NFT_MSG_DELRULE: 10439 case NFT_MSG_DESTROYRULE: 10440 list_del_rcu(&nft_trans_rule(trans)->list); 10441 nf_tables_rule_notify(&ctx, nft_trans_rule(trans), 10442 trans->msg_type); 10443 nft_rule_expr_deactivate(&ctx, nft_trans_rule(trans), 10444 NFT_TRANS_COMMIT); 10445 10446 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 10447 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10448 break; 10449 case NFT_MSG_NEWSET: 10450 if (nft_trans_set_update(trans)) { 10451 struct nft_set *set = nft_trans_set(trans); 10452 10453 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans)); 10454 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans)); 10455 10456 if (nft_trans_set_size(trans)) 10457 WRITE_ONCE(set->size, nft_trans_set_size(trans)); 10458 } else { 10459 nft_clear(net, nft_trans_set(trans)); 10460 /* This avoids hitting -EBUSY when deleting the table 10461 * from the transaction. 10462 */ 10463 if (nft_set_is_anonymous(nft_trans_set(trans)) && 10464 !list_empty(&nft_trans_set(trans)->bindings)) 10465 nft_use_dec(&table->use); 10466 } 10467 nf_tables_set_notify(&ctx, nft_trans_set(trans), 10468 NFT_MSG_NEWSET, GFP_KERNEL); 10469 nft_trans_destroy(trans); 10470 break; 10471 case NFT_MSG_DELSET: 10472 case NFT_MSG_DESTROYSET: 10473 nft_trans_set(trans)->dead = 1; 10474 list_del_rcu(&nft_trans_set(trans)->list); 10475 nf_tables_set_notify(&ctx, nft_trans_set(trans), 10476 trans->msg_type, GFP_KERNEL); 10477 break; 10478 case NFT_MSG_NEWSETELEM: 10479 te = nft_trans_container_elem(trans); 10480 10481 nft_setelem_activate(net, te->set, te->elem_priv); 10482 nf_tables_setelem_notify(&ctx, te->set, 10483 te->elem_priv, 10484 NFT_MSG_NEWSETELEM); 10485 if (te->set->ops->commit && 10486 list_empty(&te->set->pending_update)) { 10487 list_add_tail(&te->set->pending_update, 10488 &set_update_list); 10489 } 10490 nft_trans_destroy(trans); 10491 break; 10492 case NFT_MSG_DELSETELEM: 10493 case NFT_MSG_DESTROYSETELEM: 10494 te = nft_trans_container_elem(trans); 10495 10496 nf_tables_setelem_notify(&ctx, te->set, 10497 te->elem_priv, 10498 trans->msg_type); 10499 nft_setelem_remove(net, te->set, te->elem_priv); 10500 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) { 10501 atomic_dec(&te->set->nelems); 10502 te->set->ndeact--; 10503 } 10504 if (te->set->ops->commit && 10505 list_empty(&te->set->pending_update)) { 10506 list_add_tail(&te->set->pending_update, 10507 &set_update_list); 10508 } 10509 break; 10510 case NFT_MSG_NEWOBJ: 10511 if (nft_trans_obj_update(trans)) { 10512 nft_obj_commit_update(&ctx, trans); 10513 nf_tables_obj_notify(&ctx, 10514 nft_trans_obj(trans), 10515 NFT_MSG_NEWOBJ); 10516 } else { 10517 nft_clear(net, nft_trans_obj(trans)); 10518 nf_tables_obj_notify(&ctx, 10519 nft_trans_obj(trans), 10520 NFT_MSG_NEWOBJ); 10521 nft_trans_destroy(trans); 10522 } 10523 break; 10524 case NFT_MSG_DELOBJ: 10525 case NFT_MSG_DESTROYOBJ: 10526 nft_obj_del(nft_trans_obj(trans)); 10527 nf_tables_obj_notify(&ctx, nft_trans_obj(trans), 10528 trans->msg_type); 10529 break; 10530 case NFT_MSG_NEWFLOWTABLE: 10531 if (nft_trans_flowtable_update(trans)) { 10532 nft_trans_flowtable(trans)->data.flags = 10533 nft_trans_flowtable_flags(trans); 10534 nf_tables_flowtable_notify(&ctx, 10535 nft_trans_flowtable(trans), 10536 &nft_trans_flowtable_hooks(trans), 10537 NFT_MSG_NEWFLOWTABLE); 10538 list_splice(&nft_trans_flowtable_hooks(trans), 10539 &nft_trans_flowtable(trans)->hook_list); 10540 } else { 10541 nft_clear(net, nft_trans_flowtable(trans)); 10542 nf_tables_flowtable_notify(&ctx, 10543 nft_trans_flowtable(trans), 10544 NULL, 10545 NFT_MSG_NEWFLOWTABLE); 10546 } 10547 nft_trans_destroy(trans); 10548 break; 10549 case NFT_MSG_DELFLOWTABLE: 10550 case NFT_MSG_DESTROYFLOWTABLE: 10551 if (nft_trans_flowtable_update(trans)) { 10552 nf_tables_flowtable_notify(&ctx, 10553 nft_trans_flowtable(trans), 10554 &nft_trans_flowtable_hooks(trans), 10555 trans->msg_type); 10556 nft_unregister_flowtable_net_hooks(net, 10557 &nft_trans_flowtable_hooks(trans)); 10558 } else { 10559 list_del_rcu(&nft_trans_flowtable(trans)->list); 10560 nf_tables_flowtable_notify(&ctx, 10561 nft_trans_flowtable(trans), 10562 NULL, 10563 trans->msg_type); 10564 nft_unregister_flowtable_net_hooks(net, 10565 &nft_trans_flowtable(trans)->hook_list); 10566 } 10567 break; 10568 } 10569 } 10570 10571 nft_set_commit_update(&set_update_list); 10572 10573 nft_commit_notify(net, NETLINK_CB(skb).portid); 10574 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 10575 nf_tables_commit_audit_log(&adl, nft_net->base_seq); 10576 10577 nft_gc_seq_end(nft_net, gc_seq); 10578 nft_net->validate_state = NFT_VALIDATE_SKIP; 10579 nf_tables_commit_release(net); 10580 10581 return 0; 10582 } 10583 10584 static void nf_tables_module_autoload(struct net *net) 10585 { 10586 struct nftables_pernet *nft_net = nft_pernet(net); 10587 struct nft_module_request *req, *next; 10588 LIST_HEAD(module_list); 10589 10590 list_splice_init(&nft_net->module_list, &module_list); 10591 mutex_unlock(&nft_net->commit_mutex); 10592 list_for_each_entry_safe(req, next, &module_list, list) { 10593 request_module("%s", req->module); 10594 req->done = true; 10595 } 10596 mutex_lock(&nft_net->commit_mutex); 10597 list_splice(&module_list, &nft_net->module_list); 10598 } 10599 10600 static void nf_tables_abort_release(struct nft_trans *trans) 10601 { 10602 struct nft_ctx ctx = { }; 10603 10604 nft_ctx_update(&ctx, trans); 10605 10606 switch (trans->msg_type) { 10607 case NFT_MSG_NEWTABLE: 10608 nf_tables_table_destroy(trans->table); 10609 break; 10610 case NFT_MSG_NEWCHAIN: 10611 if (nft_trans_chain_update(trans)) 10612 nft_hooks_destroy(&nft_trans_chain_hooks(trans)); 10613 else 10614 nf_tables_chain_destroy(nft_trans_chain(trans)); 10615 break; 10616 case NFT_MSG_NEWRULE: 10617 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans)); 10618 break; 10619 case NFT_MSG_NEWSET: 10620 nft_set_destroy(&ctx, nft_trans_set(trans)); 10621 break; 10622 case NFT_MSG_NEWSETELEM: 10623 nft_set_elem_destroy(nft_trans_elem_set(trans), 10624 nft_trans_elem_priv(trans), true); 10625 break; 10626 case NFT_MSG_NEWOBJ: 10627 nft_obj_destroy(&ctx, nft_trans_obj(trans)); 10628 break; 10629 case NFT_MSG_NEWFLOWTABLE: 10630 if (nft_trans_flowtable_update(trans)) 10631 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 10632 else 10633 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 10634 break; 10635 } 10636 kfree(trans); 10637 } 10638 10639 static void nft_set_abort_update(struct list_head *set_update_list) 10640 { 10641 struct nft_set *set, *next; 10642 10643 list_for_each_entry_safe(set, next, set_update_list, pending_update) { 10644 list_del_init(&set->pending_update); 10645 10646 if (!set->ops->abort) 10647 continue; 10648 10649 set->ops->abort(set); 10650 } 10651 } 10652 10653 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) 10654 { 10655 struct nftables_pernet *nft_net = nft_pernet(net); 10656 struct nft_trans *trans, *next; 10657 LIST_HEAD(set_update_list); 10658 struct nft_trans_elem *te; 10659 struct nft_ctx ctx = { 10660 .net = net, 10661 }; 10662 int err = 0; 10663 10664 if (action == NFNL_ABORT_VALIDATE && 10665 nf_tables_validate(net) < 0) 10666 err = -EAGAIN; 10667 10668 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, 10669 list) { 10670 struct nft_table *table = trans->table; 10671 10672 nft_ctx_update(&ctx, trans); 10673 10674 switch (trans->msg_type) { 10675 case NFT_MSG_NEWTABLE: 10676 if (nft_trans_table_update(trans)) { 10677 if (!(table->flags & __NFT_TABLE_F_UPDATE)) { 10678 nft_trans_destroy(trans); 10679 break; 10680 } 10681 if (table->flags & __NFT_TABLE_F_WAS_DORMANT) { 10682 nf_tables_table_disable(net, table); 10683 table->flags |= NFT_TABLE_F_DORMANT; 10684 } else if (table->flags & __NFT_TABLE_F_WAS_AWAKEN) { 10685 table->flags &= ~NFT_TABLE_F_DORMANT; 10686 } 10687 if (table->flags & __NFT_TABLE_F_WAS_ORPHAN) { 10688 table->flags &= ~NFT_TABLE_F_OWNER; 10689 table->nlpid = 0; 10690 } 10691 table->flags &= ~__NFT_TABLE_F_UPDATE; 10692 nft_trans_destroy(trans); 10693 } else { 10694 list_del_rcu(&table->list); 10695 } 10696 break; 10697 case NFT_MSG_DELTABLE: 10698 case NFT_MSG_DESTROYTABLE: 10699 nft_clear(trans->net, table); 10700 nft_trans_destroy(trans); 10701 break; 10702 case NFT_MSG_NEWCHAIN: 10703 if (nft_trans_chain_update(trans)) { 10704 if (!(table->flags & NFT_TABLE_F_DORMANT)) { 10705 nft_netdev_unregister_hooks(net, 10706 &nft_trans_chain_hooks(trans), 10707 true); 10708 } 10709 free_percpu(nft_trans_chain_stats(trans)); 10710 kfree(nft_trans_chain_name(trans)); 10711 nft_trans_destroy(trans); 10712 } else { 10713 if (nft_trans_chain_bound(trans)) { 10714 nft_trans_destroy(trans); 10715 break; 10716 } 10717 nft_use_dec_restore(&table->use); 10718 nft_chain_del(nft_trans_chain(trans)); 10719 nf_tables_unregister_hook(trans->net, table, 10720 nft_trans_chain(trans)); 10721 } 10722 break; 10723 case NFT_MSG_DELCHAIN: 10724 case NFT_MSG_DESTROYCHAIN: 10725 if (nft_trans_chain_update(trans)) { 10726 list_splice(&nft_trans_chain_hooks(trans), 10727 &nft_trans_basechain(trans)->hook_list); 10728 } else { 10729 nft_use_inc_restore(&table->use); 10730 nft_clear(trans->net, nft_trans_chain(trans)); 10731 } 10732 nft_trans_destroy(trans); 10733 break; 10734 case NFT_MSG_NEWRULE: 10735 if (nft_trans_rule_bound(trans)) { 10736 nft_trans_destroy(trans); 10737 break; 10738 } 10739 nft_use_dec_restore(&nft_trans_rule_chain(trans)->use); 10740 list_del_rcu(&nft_trans_rule(trans)->list); 10741 nft_rule_expr_deactivate(&ctx, 10742 nft_trans_rule(trans), 10743 NFT_TRANS_ABORT); 10744 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 10745 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10746 break; 10747 case NFT_MSG_DELRULE: 10748 case NFT_MSG_DESTROYRULE: 10749 nft_use_inc_restore(&nft_trans_rule_chain(trans)->use); 10750 nft_clear(trans->net, nft_trans_rule(trans)); 10751 nft_rule_expr_activate(&ctx, nft_trans_rule(trans)); 10752 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 10753 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10754 10755 nft_trans_destroy(trans); 10756 break; 10757 case NFT_MSG_NEWSET: 10758 if (nft_trans_set_update(trans)) { 10759 nft_trans_destroy(trans); 10760 break; 10761 } 10762 nft_use_dec_restore(&table->use); 10763 if (nft_trans_set_bound(trans)) { 10764 nft_trans_destroy(trans); 10765 break; 10766 } 10767 nft_trans_set(trans)->dead = 1; 10768 list_del_rcu(&nft_trans_set(trans)->list); 10769 break; 10770 case NFT_MSG_DELSET: 10771 case NFT_MSG_DESTROYSET: 10772 nft_use_inc_restore(&table->use); 10773 nft_clear(trans->net, nft_trans_set(trans)); 10774 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 10775 nft_map_activate(&ctx, nft_trans_set(trans)); 10776 10777 nft_trans_destroy(trans); 10778 break; 10779 case NFT_MSG_NEWSETELEM: 10780 if (nft_trans_elem_set_bound(trans)) { 10781 nft_trans_destroy(trans); 10782 break; 10783 } 10784 te = nft_trans_container_elem(trans); 10785 nft_setelem_remove(net, te->set, te->elem_priv); 10786 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) 10787 atomic_dec(&te->set->nelems); 10788 10789 if (te->set->ops->abort && 10790 list_empty(&te->set->pending_update)) { 10791 list_add_tail(&te->set->pending_update, 10792 &set_update_list); 10793 } 10794 break; 10795 case NFT_MSG_DELSETELEM: 10796 case NFT_MSG_DESTROYSETELEM: 10797 te = nft_trans_container_elem(trans); 10798 10799 if (!nft_setelem_active_next(net, te->set, te->elem_priv)) { 10800 nft_setelem_data_activate(net, te->set, te->elem_priv); 10801 nft_setelem_activate(net, te->set, te->elem_priv); 10802 } 10803 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) 10804 te->set->ndeact--; 10805 10806 if (te->set->ops->abort && 10807 list_empty(&te->set->pending_update)) { 10808 list_add_tail(&te->set->pending_update, 10809 &set_update_list); 10810 } 10811 nft_trans_destroy(trans); 10812 break; 10813 case NFT_MSG_NEWOBJ: 10814 if (nft_trans_obj_update(trans)) { 10815 nft_obj_destroy(&ctx, nft_trans_obj_newobj(trans)); 10816 nft_trans_destroy(trans); 10817 } else { 10818 nft_use_dec_restore(&table->use); 10819 nft_obj_del(nft_trans_obj(trans)); 10820 } 10821 break; 10822 case NFT_MSG_DELOBJ: 10823 case NFT_MSG_DESTROYOBJ: 10824 nft_use_inc_restore(&table->use); 10825 nft_clear(trans->net, nft_trans_obj(trans)); 10826 nft_trans_destroy(trans); 10827 break; 10828 case NFT_MSG_NEWFLOWTABLE: 10829 if (nft_trans_flowtable_update(trans)) { 10830 nft_unregister_flowtable_net_hooks(net, 10831 &nft_trans_flowtable_hooks(trans)); 10832 } else { 10833 nft_use_dec_restore(&table->use); 10834 list_del_rcu(&nft_trans_flowtable(trans)->list); 10835 nft_unregister_flowtable_net_hooks(net, 10836 &nft_trans_flowtable(trans)->hook_list); 10837 } 10838 break; 10839 case NFT_MSG_DELFLOWTABLE: 10840 case NFT_MSG_DESTROYFLOWTABLE: 10841 if (nft_trans_flowtable_update(trans)) { 10842 list_splice(&nft_trans_flowtable_hooks(trans), 10843 &nft_trans_flowtable(trans)->hook_list); 10844 } else { 10845 nft_use_inc_restore(&table->use); 10846 nft_clear(trans->net, nft_trans_flowtable(trans)); 10847 } 10848 nft_trans_destroy(trans); 10849 break; 10850 } 10851 } 10852 10853 nft_set_abort_update(&set_update_list); 10854 10855 synchronize_rcu(); 10856 10857 list_for_each_entry_safe_reverse(trans, next, 10858 &nft_net->commit_list, list) { 10859 nft_trans_list_del(trans); 10860 nf_tables_abort_release(trans); 10861 } 10862 10863 return err; 10864 } 10865 10866 static int nf_tables_abort(struct net *net, struct sk_buff *skb, 10867 enum nfnl_abort_action action) 10868 { 10869 struct nftables_pernet *nft_net = nft_pernet(net); 10870 unsigned int gc_seq; 10871 int ret; 10872 10873 gc_seq = nft_gc_seq_begin(nft_net); 10874 ret = __nf_tables_abort(net, action); 10875 nft_gc_seq_end(nft_net, gc_seq); 10876 10877 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 10878 10879 /* module autoload needs to happen after GC sequence update because it 10880 * temporarily releases and grabs mutex again. 10881 */ 10882 if (action == NFNL_ABORT_AUTOLOAD) 10883 nf_tables_module_autoload(net); 10884 else 10885 nf_tables_module_autoload_cleanup(net); 10886 10887 mutex_unlock(&nft_net->commit_mutex); 10888 10889 return ret; 10890 } 10891 10892 static bool nf_tables_valid_genid(struct net *net, u32 genid) 10893 { 10894 struct nftables_pernet *nft_net = nft_pernet(net); 10895 bool genid_ok; 10896 10897 mutex_lock(&nft_net->commit_mutex); 10898 nft_net->tstamp = get_jiffies_64(); 10899 10900 genid_ok = genid == 0 || nft_net->base_seq == genid; 10901 if (!genid_ok) 10902 mutex_unlock(&nft_net->commit_mutex); 10903 10904 /* else, commit mutex has to be released by commit or abort function */ 10905 return genid_ok; 10906 } 10907 10908 static const struct nfnetlink_subsystem nf_tables_subsys = { 10909 .name = "nf_tables", 10910 .subsys_id = NFNL_SUBSYS_NFTABLES, 10911 .cb_count = NFT_MSG_MAX, 10912 .cb = nf_tables_cb, 10913 .commit = nf_tables_commit, 10914 .abort = nf_tables_abort, 10915 .valid_genid = nf_tables_valid_genid, 10916 .owner = THIS_MODULE, 10917 }; 10918 10919 int nft_chain_validate_dependency(const struct nft_chain *chain, 10920 enum nft_chain_types type) 10921 { 10922 const struct nft_base_chain *basechain; 10923 10924 if (nft_is_base_chain(chain)) { 10925 basechain = nft_base_chain(chain); 10926 if (basechain->type->type != type) 10927 return -EOPNOTSUPP; 10928 } 10929 return 0; 10930 } 10931 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 10932 10933 int nft_chain_validate_hooks(const struct nft_chain *chain, 10934 unsigned int hook_flags) 10935 { 10936 struct nft_base_chain *basechain; 10937 10938 if (nft_is_base_chain(chain)) { 10939 basechain = nft_base_chain(chain); 10940 10941 if ((1 << basechain->ops.hooknum) & hook_flags) 10942 return 0; 10943 10944 return -EOPNOTSUPP; 10945 } 10946 10947 return 0; 10948 } 10949 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 10950 10951 /** 10952 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 10953 * 10954 * @attr: netlink attribute to fetch value from 10955 * @max: maximum value to be stored in dest 10956 * @dest: pointer to the variable 10957 * 10958 * Parse, check and store a given u32 netlink attribute into variable. 10959 * This function returns -ERANGE if the value goes over maximum value. 10960 * Otherwise a 0 is returned and the attribute value is stored in the 10961 * destination variable. 10962 */ 10963 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 10964 { 10965 u32 val; 10966 10967 val = ntohl(nla_get_be32(attr)); 10968 if (val > max) 10969 return -ERANGE; 10970 10971 *dest = val; 10972 return 0; 10973 } 10974 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 10975 10976 static int nft_parse_register(const struct nlattr *attr, u32 *preg) 10977 { 10978 unsigned int reg; 10979 10980 reg = ntohl(nla_get_be32(attr)); 10981 switch (reg) { 10982 case NFT_REG_VERDICT...NFT_REG_4: 10983 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE; 10984 break; 10985 case NFT_REG32_00...NFT_REG32_15: 10986 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 10987 break; 10988 default: 10989 return -ERANGE; 10990 } 10991 10992 return 0; 10993 } 10994 10995 /** 10996 * nft_dump_register - dump a register value to a netlink attribute 10997 * 10998 * @skb: socket buffer 10999 * @attr: attribute number 11000 * @reg: register number 11001 * 11002 * Construct a netlink attribute containing the register number. For 11003 * compatibility reasons, register numbers being a multiple of 4 are 11004 * translated to the corresponding 128 bit register numbers. 11005 */ 11006 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 11007 { 11008 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 11009 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 11010 else 11011 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 11012 11013 return nla_put_be32(skb, attr, htonl(reg)); 11014 } 11015 EXPORT_SYMBOL_GPL(nft_dump_register); 11016 11017 static int nft_validate_register_load(enum nft_registers reg, unsigned int len) 11018 { 11019 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 11020 return -EINVAL; 11021 if (len == 0) 11022 return -EINVAL; 11023 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 11024 return -ERANGE; 11025 11026 return 0; 11027 } 11028 11029 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len) 11030 { 11031 u32 reg; 11032 int err; 11033 11034 err = nft_parse_register(attr, ®); 11035 if (err < 0) 11036 return err; 11037 11038 err = nft_validate_register_load(reg, len); 11039 if (err < 0) 11040 return err; 11041 11042 *sreg = reg; 11043 return 0; 11044 } 11045 EXPORT_SYMBOL_GPL(nft_parse_register_load); 11046 11047 static int nft_validate_register_store(const struct nft_ctx *ctx, 11048 enum nft_registers reg, 11049 const struct nft_data *data, 11050 enum nft_data_types type, 11051 unsigned int len) 11052 { 11053 int err; 11054 11055 switch (reg) { 11056 case NFT_REG_VERDICT: 11057 if (type != NFT_DATA_VERDICT) 11058 return -EINVAL; 11059 11060 if (data != NULL && 11061 (data->verdict.code == NFT_GOTO || 11062 data->verdict.code == NFT_JUMP)) { 11063 err = nft_chain_validate(ctx, data->verdict.chain); 11064 if (err < 0) 11065 return err; 11066 } 11067 11068 return 0; 11069 default: 11070 if (type != NFT_DATA_VALUE) 11071 return -EINVAL; 11072 11073 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 11074 return -EINVAL; 11075 if (len == 0) 11076 return -EINVAL; 11077 if (reg * NFT_REG32_SIZE + len > 11078 sizeof_field(struct nft_regs, data)) 11079 return -ERANGE; 11080 11081 return 0; 11082 } 11083 } 11084 11085 int nft_parse_register_store(const struct nft_ctx *ctx, 11086 const struct nlattr *attr, u8 *dreg, 11087 const struct nft_data *data, 11088 enum nft_data_types type, unsigned int len) 11089 { 11090 int err; 11091 u32 reg; 11092 11093 err = nft_parse_register(attr, ®); 11094 if (err < 0) 11095 return err; 11096 11097 err = nft_validate_register_store(ctx, reg, data, type, len); 11098 if (err < 0) 11099 return err; 11100 11101 *dreg = reg; 11102 return 0; 11103 } 11104 EXPORT_SYMBOL_GPL(nft_parse_register_store); 11105 11106 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 11107 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 11108 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 11109 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 11110 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 }, 11111 }; 11112 11113 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 11114 struct nft_data_desc *desc, const struct nlattr *nla) 11115 { 11116 u8 genmask = nft_genmask_next(ctx->net); 11117 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 11118 struct nft_chain *chain; 11119 int err; 11120 11121 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 11122 nft_verdict_policy, NULL); 11123 if (err < 0) 11124 return err; 11125 11126 if (!tb[NFTA_VERDICT_CODE]) 11127 return -EINVAL; 11128 11129 /* zero padding hole for memcmp */ 11130 memset(data, 0, sizeof(*data)); 11131 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 11132 11133 switch (data->verdict.code) { 11134 case NF_ACCEPT: 11135 case NF_DROP: 11136 case NF_QUEUE: 11137 break; 11138 case NFT_CONTINUE: 11139 case NFT_BREAK: 11140 case NFT_RETURN: 11141 break; 11142 case NFT_JUMP: 11143 case NFT_GOTO: 11144 if (tb[NFTA_VERDICT_CHAIN]) { 11145 chain = nft_chain_lookup(ctx->net, ctx->table, 11146 tb[NFTA_VERDICT_CHAIN], 11147 genmask); 11148 } else if (tb[NFTA_VERDICT_CHAIN_ID]) { 11149 chain = nft_chain_lookup_byid(ctx->net, ctx->table, 11150 tb[NFTA_VERDICT_CHAIN_ID], 11151 genmask); 11152 if (IS_ERR(chain)) 11153 return PTR_ERR(chain); 11154 } else { 11155 return -EINVAL; 11156 } 11157 11158 if (IS_ERR(chain)) 11159 return PTR_ERR(chain); 11160 if (nft_is_base_chain(chain)) 11161 return -EOPNOTSUPP; 11162 if (nft_chain_is_bound(chain)) 11163 return -EINVAL; 11164 if (desc->flags & NFT_DATA_DESC_SETELEM && 11165 chain->flags & NFT_CHAIN_BINDING) 11166 return -EINVAL; 11167 if (!nft_use_inc(&chain->use)) 11168 return -EMFILE; 11169 11170 data->verdict.chain = chain; 11171 break; 11172 default: 11173 return -EINVAL; 11174 } 11175 11176 desc->len = sizeof(data->verdict); 11177 11178 return 0; 11179 } 11180 11181 static void nft_verdict_uninit(const struct nft_data *data) 11182 { 11183 struct nft_chain *chain; 11184 11185 switch (data->verdict.code) { 11186 case NFT_JUMP: 11187 case NFT_GOTO: 11188 chain = data->verdict.chain; 11189 nft_use_dec(&chain->use); 11190 break; 11191 } 11192 } 11193 11194 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 11195 { 11196 struct nlattr *nest; 11197 11198 nest = nla_nest_start_noflag(skb, type); 11199 if (!nest) 11200 goto nla_put_failure; 11201 11202 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 11203 goto nla_put_failure; 11204 11205 switch (v->code) { 11206 case NFT_JUMP: 11207 case NFT_GOTO: 11208 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 11209 v->chain->name)) 11210 goto nla_put_failure; 11211 } 11212 nla_nest_end(skb, nest); 11213 return 0; 11214 11215 nla_put_failure: 11216 return -1; 11217 } 11218 11219 static int nft_value_init(const struct nft_ctx *ctx, 11220 struct nft_data *data, struct nft_data_desc *desc, 11221 const struct nlattr *nla) 11222 { 11223 unsigned int len; 11224 11225 len = nla_len(nla); 11226 if (len == 0) 11227 return -EINVAL; 11228 if (len > desc->size) 11229 return -EOVERFLOW; 11230 if (desc->len) { 11231 if (len != desc->len) 11232 return -EINVAL; 11233 } else { 11234 desc->len = len; 11235 } 11236 11237 nla_memcpy(data->data, nla, len); 11238 11239 return 0; 11240 } 11241 11242 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 11243 unsigned int len) 11244 { 11245 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 11246 } 11247 11248 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 11249 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 11250 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 11251 }; 11252 11253 /** 11254 * nft_data_init - parse nf_tables data netlink attributes 11255 * 11256 * @ctx: context of the expression using the data 11257 * @data: destination struct nft_data 11258 * @desc: data description 11259 * @nla: netlink attribute containing data 11260 * 11261 * Parse the netlink data attributes and initialize a struct nft_data. 11262 * The type and length of data are returned in the data description. 11263 * 11264 * The caller can indicate that it only wants to accept data of type 11265 * NFT_DATA_VALUE by passing NULL for the ctx argument. 11266 */ 11267 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, 11268 struct nft_data_desc *desc, const struct nlattr *nla) 11269 { 11270 struct nlattr *tb[NFTA_DATA_MAX + 1]; 11271 int err; 11272 11273 if (WARN_ON_ONCE(!desc->size)) 11274 return -EINVAL; 11275 11276 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 11277 nft_data_policy, NULL); 11278 if (err < 0) 11279 return err; 11280 11281 if (tb[NFTA_DATA_VALUE]) { 11282 if (desc->type != NFT_DATA_VALUE) 11283 return -EINVAL; 11284 11285 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]); 11286 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) { 11287 if (desc->type != NFT_DATA_VERDICT) 11288 return -EINVAL; 11289 11290 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 11291 } else { 11292 err = -EINVAL; 11293 } 11294 11295 return err; 11296 } 11297 EXPORT_SYMBOL_GPL(nft_data_init); 11298 11299 /** 11300 * nft_data_release - release a nft_data item 11301 * 11302 * @data: struct nft_data to release 11303 * @type: type of data 11304 * 11305 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 11306 * all others need to be released by calling this function. 11307 */ 11308 void nft_data_release(const struct nft_data *data, enum nft_data_types type) 11309 { 11310 if (type < NFT_DATA_VERDICT) 11311 return; 11312 switch (type) { 11313 case NFT_DATA_VERDICT: 11314 return nft_verdict_uninit(data); 11315 default: 11316 WARN_ON(1); 11317 } 11318 } 11319 EXPORT_SYMBOL_GPL(nft_data_release); 11320 11321 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 11322 enum nft_data_types type, unsigned int len) 11323 { 11324 struct nlattr *nest; 11325 int err; 11326 11327 nest = nla_nest_start_noflag(skb, attr); 11328 if (nest == NULL) 11329 return -1; 11330 11331 switch (type) { 11332 case NFT_DATA_VALUE: 11333 err = nft_value_dump(skb, data, len); 11334 break; 11335 case NFT_DATA_VERDICT: 11336 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 11337 break; 11338 default: 11339 err = -EINVAL; 11340 WARN_ON(1); 11341 } 11342 11343 nla_nest_end(skb, nest); 11344 return err; 11345 } 11346 EXPORT_SYMBOL_GPL(nft_data_dump); 11347 11348 int __nft_release_basechain(struct nft_ctx *ctx) 11349 { 11350 struct nft_rule *rule, *nr; 11351 11352 if (WARN_ON(!nft_is_base_chain(ctx->chain))) 11353 return 0; 11354 11355 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); 11356 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { 11357 list_del(&rule->list); 11358 nft_use_dec(&ctx->chain->use); 11359 nf_tables_rule_release(ctx, rule); 11360 } 11361 nft_chain_del(ctx->chain); 11362 nft_use_dec(&ctx->table->use); 11363 nf_tables_chain_destroy(ctx->chain); 11364 11365 return 0; 11366 } 11367 EXPORT_SYMBOL_GPL(__nft_release_basechain); 11368 11369 static void __nft_release_hook(struct net *net, struct nft_table *table) 11370 { 11371 struct nft_flowtable *flowtable; 11372 struct nft_chain *chain; 11373 11374 list_for_each_entry(chain, &table->chains, list) 11375 __nf_tables_unregister_hook(net, table, chain, true); 11376 list_for_each_entry(flowtable, &table->flowtables, list) 11377 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list, 11378 true); 11379 } 11380 11381 static void __nft_release_hooks(struct net *net) 11382 { 11383 struct nftables_pernet *nft_net = nft_pernet(net); 11384 struct nft_table *table; 11385 11386 list_for_each_entry(table, &nft_net->tables, list) { 11387 if (nft_table_has_owner(table)) 11388 continue; 11389 11390 __nft_release_hook(net, table); 11391 } 11392 } 11393 11394 static void __nft_release_table(struct net *net, struct nft_table *table) 11395 { 11396 struct nft_flowtable *flowtable, *nf; 11397 struct nft_chain *chain, *nc; 11398 struct nft_object *obj, *ne; 11399 struct nft_rule *rule, *nr; 11400 struct nft_set *set, *ns; 11401 struct nft_ctx ctx = { 11402 .net = net, 11403 .family = NFPROTO_NETDEV, 11404 }; 11405 11406 ctx.family = table->family; 11407 ctx.table = table; 11408 list_for_each_entry(chain, &table->chains, list) { 11409 if (nft_chain_binding(chain)) 11410 continue; 11411 11412 ctx.chain = chain; 11413 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 11414 list_del(&rule->list); 11415 nft_use_dec(&chain->use); 11416 nf_tables_rule_release(&ctx, rule); 11417 } 11418 } 11419 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 11420 list_del(&flowtable->list); 11421 nft_use_dec(&table->use); 11422 nf_tables_flowtable_destroy(flowtable); 11423 } 11424 list_for_each_entry_safe(set, ns, &table->sets, list) { 11425 list_del(&set->list); 11426 nft_use_dec(&table->use); 11427 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 11428 nft_map_deactivate(&ctx, set); 11429 11430 nft_set_destroy(&ctx, set); 11431 } 11432 list_for_each_entry_safe(obj, ne, &table->objects, list) { 11433 nft_obj_del(obj); 11434 nft_use_dec(&table->use); 11435 nft_obj_destroy(&ctx, obj); 11436 } 11437 list_for_each_entry_safe(chain, nc, &table->chains, list) { 11438 nft_chain_del(chain); 11439 nft_use_dec(&table->use); 11440 nf_tables_chain_destroy(chain); 11441 } 11442 nf_tables_table_destroy(table); 11443 } 11444 11445 static void __nft_release_tables(struct net *net) 11446 { 11447 struct nftables_pernet *nft_net = nft_pernet(net); 11448 struct nft_table *table, *nt; 11449 11450 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 11451 if (nft_table_has_owner(table)) 11452 continue; 11453 11454 list_del(&table->list); 11455 11456 __nft_release_table(net, table); 11457 } 11458 } 11459 11460 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, 11461 void *ptr) 11462 { 11463 struct nft_table *table, *to_delete[8]; 11464 struct nftables_pernet *nft_net; 11465 struct netlink_notify *n = ptr; 11466 struct net *net = n->net; 11467 unsigned int deleted; 11468 bool restart = false; 11469 unsigned int gc_seq; 11470 11471 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER) 11472 return NOTIFY_DONE; 11473 11474 nft_net = nft_pernet(net); 11475 deleted = 0; 11476 mutex_lock(&nft_net->commit_mutex); 11477 11478 gc_seq = nft_gc_seq_begin(nft_net); 11479 11480 nf_tables_trans_destroy_flush_work(); 11481 again: 11482 list_for_each_entry(table, &nft_net->tables, list) { 11483 if (nft_table_has_owner(table) && 11484 n->portid == table->nlpid) { 11485 if (table->flags & NFT_TABLE_F_PERSIST) { 11486 table->flags &= ~NFT_TABLE_F_OWNER; 11487 continue; 11488 } 11489 __nft_release_hook(net, table); 11490 list_del_rcu(&table->list); 11491 to_delete[deleted++] = table; 11492 if (deleted >= ARRAY_SIZE(to_delete)) 11493 break; 11494 } 11495 } 11496 if (deleted) { 11497 restart = deleted >= ARRAY_SIZE(to_delete); 11498 synchronize_rcu(); 11499 while (deleted) 11500 __nft_release_table(net, to_delete[--deleted]); 11501 11502 if (restart) 11503 goto again; 11504 } 11505 nft_gc_seq_end(nft_net, gc_seq); 11506 11507 mutex_unlock(&nft_net->commit_mutex); 11508 11509 return NOTIFY_DONE; 11510 } 11511 11512 static struct notifier_block nft_nl_notifier = { 11513 .notifier_call = nft_rcv_nl_event, 11514 }; 11515 11516 static int __net_init nf_tables_init_net(struct net *net) 11517 { 11518 struct nftables_pernet *nft_net = nft_pernet(net); 11519 11520 INIT_LIST_HEAD(&nft_net->tables); 11521 INIT_LIST_HEAD(&nft_net->commit_list); 11522 INIT_LIST_HEAD(&nft_net->binding_list); 11523 INIT_LIST_HEAD(&nft_net->module_list); 11524 INIT_LIST_HEAD(&nft_net->notify_list); 11525 mutex_init(&nft_net->commit_mutex); 11526 nft_net->base_seq = 1; 11527 nft_net->gc_seq = 0; 11528 nft_net->validate_state = NFT_VALIDATE_SKIP; 11529 11530 return 0; 11531 } 11532 11533 static void __net_exit nf_tables_pre_exit_net(struct net *net) 11534 { 11535 struct nftables_pernet *nft_net = nft_pernet(net); 11536 11537 mutex_lock(&nft_net->commit_mutex); 11538 __nft_release_hooks(net); 11539 mutex_unlock(&nft_net->commit_mutex); 11540 } 11541 11542 static void __net_exit nf_tables_exit_net(struct net *net) 11543 { 11544 struct nftables_pernet *nft_net = nft_pernet(net); 11545 unsigned int gc_seq; 11546 11547 mutex_lock(&nft_net->commit_mutex); 11548 11549 gc_seq = nft_gc_seq_begin(nft_net); 11550 11551 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 11552 11553 if (!list_empty(&nft_net->module_list)) 11554 nf_tables_module_autoload_cleanup(net); 11555 11556 __nft_release_tables(net); 11557 11558 nft_gc_seq_end(nft_net, gc_seq); 11559 11560 mutex_unlock(&nft_net->commit_mutex); 11561 WARN_ON_ONCE(!list_empty(&nft_net->tables)); 11562 WARN_ON_ONCE(!list_empty(&nft_net->module_list)); 11563 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 11564 } 11565 11566 static void nf_tables_exit_batch(struct list_head *net_exit_list) 11567 { 11568 flush_work(&trans_gc_work); 11569 } 11570 11571 static struct pernet_operations nf_tables_net_ops = { 11572 .init = nf_tables_init_net, 11573 .pre_exit = nf_tables_pre_exit_net, 11574 .exit = nf_tables_exit_net, 11575 .exit_batch = nf_tables_exit_batch, 11576 .id = &nf_tables_net_id, 11577 .size = sizeof(struct nftables_pernet), 11578 }; 11579 11580 static int __init nf_tables_module_init(void) 11581 { 11582 int err; 11583 11584 BUILD_BUG_ON(offsetof(struct nft_trans_table, nft_trans) != 0); 11585 BUILD_BUG_ON(offsetof(struct nft_trans_chain, nft_trans_binding.nft_trans) != 0); 11586 BUILD_BUG_ON(offsetof(struct nft_trans_rule, nft_trans) != 0); 11587 BUILD_BUG_ON(offsetof(struct nft_trans_set, nft_trans_binding.nft_trans) != 0); 11588 BUILD_BUG_ON(offsetof(struct nft_trans_elem, nft_trans) != 0); 11589 BUILD_BUG_ON(offsetof(struct nft_trans_obj, nft_trans) != 0); 11590 BUILD_BUG_ON(offsetof(struct nft_trans_flowtable, nft_trans) != 0); 11591 11592 err = register_pernet_subsys(&nf_tables_net_ops); 11593 if (err < 0) 11594 return err; 11595 11596 err = nft_chain_filter_init(); 11597 if (err < 0) 11598 goto err_chain_filter; 11599 11600 err = nf_tables_core_module_init(); 11601 if (err < 0) 11602 goto err_core_module; 11603 11604 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 11605 if (err < 0) 11606 goto err_netdev_notifier; 11607 11608 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 11609 if (err < 0) 11610 goto err_rht_objname; 11611 11612 err = nft_offload_init(); 11613 if (err < 0) 11614 goto err_offload; 11615 11616 err = netlink_register_notifier(&nft_nl_notifier); 11617 if (err < 0) 11618 goto err_netlink_notifier; 11619 11620 /* must be last */ 11621 err = nfnetlink_subsys_register(&nf_tables_subsys); 11622 if (err < 0) 11623 goto err_nfnl_subsys; 11624 11625 nft_chain_route_init(); 11626 11627 return err; 11628 11629 err_nfnl_subsys: 11630 netlink_unregister_notifier(&nft_nl_notifier); 11631 err_netlink_notifier: 11632 nft_offload_exit(); 11633 err_offload: 11634 rhltable_destroy(&nft_objname_ht); 11635 err_rht_objname: 11636 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 11637 err_netdev_notifier: 11638 nf_tables_core_module_exit(); 11639 err_core_module: 11640 nft_chain_filter_fini(); 11641 err_chain_filter: 11642 unregister_pernet_subsys(&nf_tables_net_ops); 11643 return err; 11644 } 11645 11646 static void __exit nf_tables_module_exit(void) 11647 { 11648 nfnetlink_subsys_unregister(&nf_tables_subsys); 11649 netlink_unregister_notifier(&nft_nl_notifier); 11650 nft_offload_exit(); 11651 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 11652 nft_chain_filter_fini(); 11653 nft_chain_route_fini(); 11654 nf_tables_trans_destroy_flush_work(); 11655 unregister_pernet_subsys(&nf_tables_net_ops); 11656 cancel_work_sync(&trans_gc_work); 11657 cancel_work_sync(&trans_destroy_work); 11658 rcu_barrier(); 11659 rhltable_destroy(&nft_objname_ht); 11660 nf_tables_core_module_exit(); 11661 } 11662 11663 module_init(nf_tables_module_init); 11664 module_exit(nf_tables_module_exit); 11665 11666 MODULE_LICENSE("GPL"); 11667 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 11668 MODULE_DESCRIPTION("Framework for packet filtering and classification"); 11669 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 11670