1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 #define NFT_SET_MAX_ANONLEN 16
28
29 unsigned int nf_tables_net_id __read_mostly;
30
31 static LIST_HEAD(nf_tables_expressions);
32 static LIST_HEAD(nf_tables_objects);
33 static LIST_HEAD(nf_tables_flowtables);
34 static LIST_HEAD(nf_tables_destroy_list);
35 static LIST_HEAD(nf_tables_gc_list);
36 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
37 static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
38
39 enum {
40 NFT_VALIDATE_SKIP = 0,
41 NFT_VALIDATE_NEED,
42 NFT_VALIDATE_DO,
43 };
44
45 static struct rhltable nft_objname_ht;
46
47 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
52 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
53 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
54
55 static const struct rhashtable_params nft_chain_ht_params = {
56 .head_offset = offsetof(struct nft_chain, rhlhead),
57 .key_offset = offsetof(struct nft_chain, name),
58 .hashfn = nft_chain_hash,
59 .obj_hashfn = nft_chain_hash_obj,
60 .obj_cmpfn = nft_chain_hash_cmp,
61 .automatic_shrinking = true,
62 };
63
64 static const struct rhashtable_params nft_objname_ht_params = {
65 .head_offset = offsetof(struct nft_object, rhlhead),
66 .key_offset = offsetof(struct nft_object, key),
67 .hashfn = nft_objname_hash,
68 .obj_hashfn = nft_objname_hash_obj,
69 .obj_cmpfn = nft_objname_hash_cmp,
70 .automatic_shrinking = true,
71 };
72
73 struct nft_audit_data {
74 struct nft_table *table;
75 int entries;
76 int op;
77 struct list_head list;
78 };
79
80 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
81 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
82 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
83 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
84 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
85 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
87 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
88 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
90 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
91 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
93 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
94 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
96 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
97 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
99 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
100 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
102 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
103 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
104 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
105 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
106 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
107 };
108
nft_validate_state_update(struct nft_table * table,u8 new_validate_state)109 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
110 {
111 switch (table->validate_state) {
112 case NFT_VALIDATE_SKIP:
113 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
114 break;
115 case NFT_VALIDATE_NEED:
116 break;
117 case NFT_VALIDATE_DO:
118 if (new_validate_state == NFT_VALIDATE_NEED)
119 return;
120 }
121
122 table->validate_state = new_validate_state;
123 }
124 static void nf_tables_trans_destroy_work(struct work_struct *w);
125 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
126
127 static void nft_trans_gc_work(struct work_struct *work);
128 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
129
nft_ctx_init(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,u8 family,struct nft_table * table,struct nft_chain * chain,const struct nlattr * const * nla)130 static void nft_ctx_init(struct nft_ctx *ctx,
131 struct net *net,
132 const struct sk_buff *skb,
133 const struct nlmsghdr *nlh,
134 u8 family,
135 struct nft_table *table,
136 struct nft_chain *chain,
137 const struct nlattr * const *nla)
138 {
139 ctx->net = net;
140 ctx->family = family;
141 ctx->level = 0;
142 ctx->table = table;
143 ctx->chain = chain;
144 ctx->nla = nla;
145 ctx->portid = NETLINK_CB(skb).portid;
146 ctx->report = nlmsg_report(nlh);
147 ctx->flags = nlh->nlmsg_flags;
148 ctx->seq = nlh->nlmsg_seq;
149 }
150
nft_trans_alloc_gfp(const struct nft_ctx * ctx,int msg_type,u32 size,gfp_t gfp)151 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
152 int msg_type, u32 size, gfp_t gfp)
153 {
154 struct nft_trans *trans;
155
156 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
157 if (trans == NULL)
158 return NULL;
159
160 INIT_LIST_HEAD(&trans->list);
161 INIT_LIST_HEAD(&trans->binding_list);
162 trans->msg_type = msg_type;
163 trans->ctx = *ctx;
164
165 return trans;
166 }
167
nft_trans_alloc(const struct nft_ctx * ctx,int msg_type,u32 size)168 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
169 int msg_type, u32 size)
170 {
171 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
172 }
173
nft_trans_list_del(struct nft_trans * trans)174 static void nft_trans_list_del(struct nft_trans *trans)
175 {
176 list_del(&trans->list);
177 list_del(&trans->binding_list);
178 }
179
nft_trans_destroy(struct nft_trans * trans)180 static void nft_trans_destroy(struct nft_trans *trans)
181 {
182 nft_trans_list_del(trans);
183 kfree(trans);
184 }
185
__nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set,bool bind)186 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
187 bool bind)
188 {
189 struct nftables_pernet *nft_net;
190 struct net *net = ctx->net;
191 struct nft_trans *trans;
192
193 if (!nft_set_is_anonymous(set))
194 return;
195
196 nft_net = nft_pernet(net);
197 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
198 switch (trans->msg_type) {
199 case NFT_MSG_NEWSET:
200 if (nft_trans_set(trans) == set)
201 nft_trans_set_bound(trans) = bind;
202 break;
203 case NFT_MSG_NEWSETELEM:
204 if (nft_trans_elem_set(trans) == set)
205 nft_trans_elem_set_bound(trans) = bind;
206 break;
207 }
208 }
209 }
210
nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set)211 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
212 {
213 return __nft_set_trans_bind(ctx, set, true);
214 }
215
nft_set_trans_unbind(const struct nft_ctx * ctx,struct nft_set * set)216 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
217 {
218 return __nft_set_trans_bind(ctx, set, false);
219 }
220
__nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain,bool bind)221 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
222 struct nft_chain *chain, bool bind)
223 {
224 struct nftables_pernet *nft_net;
225 struct net *net = ctx->net;
226 struct nft_trans *trans;
227
228 if (!nft_chain_binding(chain))
229 return;
230
231 nft_net = nft_pernet(net);
232 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
233 switch (trans->msg_type) {
234 case NFT_MSG_NEWCHAIN:
235 if (nft_trans_chain(trans) == chain)
236 nft_trans_chain_bound(trans) = bind;
237 break;
238 case NFT_MSG_NEWRULE:
239 if (trans->ctx.chain == chain)
240 nft_trans_rule_bound(trans) = bind;
241 break;
242 }
243 }
244 }
245
nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain)246 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
247 struct nft_chain *chain)
248 {
249 __nft_chain_trans_bind(ctx, chain, true);
250 }
251
nf_tables_bind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)252 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
253 {
254 if (!nft_chain_binding(chain))
255 return 0;
256
257 if (nft_chain_binding(ctx->chain))
258 return -EOPNOTSUPP;
259
260 if (chain->bound)
261 return -EBUSY;
262
263 if (!nft_use_inc(&chain->use))
264 return -EMFILE;
265
266 chain->bound = true;
267 nft_chain_trans_bind(ctx, chain);
268
269 return 0;
270 }
271
nf_tables_unbind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)272 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
273 {
274 __nft_chain_trans_bind(ctx, chain, false);
275 }
276
nft_netdev_register_hooks(struct net * net,struct list_head * hook_list)277 static int nft_netdev_register_hooks(struct net *net,
278 struct list_head *hook_list)
279 {
280 struct nft_hook *hook;
281 int err, j;
282
283 j = 0;
284 list_for_each_entry(hook, hook_list, list) {
285 err = nf_register_net_hook(net, &hook->ops);
286 if (err < 0)
287 goto err_register;
288
289 j++;
290 }
291 return 0;
292
293 err_register:
294 list_for_each_entry(hook, hook_list, list) {
295 if (j-- <= 0)
296 break;
297
298 nf_unregister_net_hook(net, &hook->ops);
299 }
300 return err;
301 }
302
nft_netdev_unregister_hooks(struct net * net,struct list_head * hook_list,bool release_netdev)303 static void nft_netdev_unregister_hooks(struct net *net,
304 struct list_head *hook_list,
305 bool release_netdev)
306 {
307 struct nft_hook *hook, *next;
308
309 list_for_each_entry_safe(hook, next, hook_list, list) {
310 nf_unregister_net_hook(net, &hook->ops);
311 if (release_netdev) {
312 list_del(&hook->list);
313 kfree_rcu(hook, rcu);
314 }
315 }
316 }
317
nf_tables_register_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)318 static int nf_tables_register_hook(struct net *net,
319 const struct nft_table *table,
320 struct nft_chain *chain)
321 {
322 struct nft_base_chain *basechain;
323 const struct nf_hook_ops *ops;
324
325 if (table->flags & NFT_TABLE_F_DORMANT ||
326 !nft_is_base_chain(chain))
327 return 0;
328
329 basechain = nft_base_chain(chain);
330 ops = &basechain->ops;
331
332 if (basechain->type->ops_register)
333 return basechain->type->ops_register(net, ops);
334
335 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
336 return nft_netdev_register_hooks(net, &basechain->hook_list);
337
338 return nf_register_net_hook(net, &basechain->ops);
339 }
340
__nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain,bool release_netdev)341 static void __nf_tables_unregister_hook(struct net *net,
342 const struct nft_table *table,
343 struct nft_chain *chain,
344 bool release_netdev)
345 {
346 struct nft_base_chain *basechain;
347 const struct nf_hook_ops *ops;
348
349 if (table->flags & NFT_TABLE_F_DORMANT ||
350 !nft_is_base_chain(chain))
351 return;
352 basechain = nft_base_chain(chain);
353 ops = &basechain->ops;
354
355 if (basechain->type->ops_unregister)
356 return basechain->type->ops_unregister(net, ops);
357
358 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
359 nft_netdev_unregister_hooks(net, &basechain->hook_list,
360 release_netdev);
361 else
362 nf_unregister_net_hook(net, &basechain->ops);
363 }
364
nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)365 static void nf_tables_unregister_hook(struct net *net,
366 const struct nft_table *table,
367 struct nft_chain *chain)
368 {
369 return __nf_tables_unregister_hook(net, table, chain, false);
370 }
371
nft_trans_commit_list_add_tail(struct net * net,struct nft_trans * trans)372 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
373 {
374 struct nftables_pernet *nft_net = nft_pernet(net);
375
376 switch (trans->msg_type) {
377 case NFT_MSG_NEWSET:
378 if (!nft_trans_set_update(trans) &&
379 nft_set_is_anonymous(nft_trans_set(trans)))
380 list_add_tail(&trans->binding_list, &nft_net->binding_list);
381 break;
382 case NFT_MSG_NEWCHAIN:
383 if (!nft_trans_chain_update(trans) &&
384 nft_chain_binding(nft_trans_chain(trans)))
385 list_add_tail(&trans->binding_list, &nft_net->binding_list);
386 break;
387 }
388
389 list_add_tail(&trans->list, &nft_net->commit_list);
390 }
391
nft_trans_table_add(struct nft_ctx * ctx,int msg_type)392 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
393 {
394 struct nft_trans *trans;
395
396 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
397 if (trans == NULL)
398 return -ENOMEM;
399
400 if (msg_type == NFT_MSG_NEWTABLE)
401 nft_activate_next(ctx->net, ctx->table);
402
403 nft_trans_commit_list_add_tail(ctx->net, trans);
404 return 0;
405 }
406
nft_deltable(struct nft_ctx * ctx)407 static int nft_deltable(struct nft_ctx *ctx)
408 {
409 int err;
410
411 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
412 if (err < 0)
413 return err;
414
415 nft_deactivate_next(ctx->net, ctx->table);
416 return err;
417 }
418
nft_trans_chain_add(struct nft_ctx * ctx,int msg_type)419 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
420 {
421 struct nft_trans *trans;
422
423 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
424 if (trans == NULL)
425 return ERR_PTR(-ENOMEM);
426
427 if (msg_type == NFT_MSG_NEWCHAIN) {
428 nft_activate_next(ctx->net, ctx->chain);
429
430 if (ctx->nla[NFTA_CHAIN_ID]) {
431 nft_trans_chain_id(trans) =
432 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
433 }
434 }
435 nft_trans_chain(trans) = ctx->chain;
436 nft_trans_commit_list_add_tail(ctx->net, trans);
437
438 return trans;
439 }
440
nft_delchain(struct nft_ctx * ctx)441 static int nft_delchain(struct nft_ctx *ctx)
442 {
443 struct nft_trans *trans;
444
445 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
446 if (IS_ERR(trans))
447 return PTR_ERR(trans);
448
449 nft_use_dec(&ctx->table->use);
450 nft_deactivate_next(ctx->net, ctx->chain);
451
452 return 0;
453 }
454
nft_rule_expr_activate(const struct nft_ctx * ctx,struct nft_rule * rule)455 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
456 {
457 struct nft_expr *expr;
458
459 expr = nft_expr_first(rule);
460 while (nft_expr_more(rule, expr)) {
461 if (expr->ops->activate)
462 expr->ops->activate(ctx, expr);
463
464 expr = nft_expr_next(expr);
465 }
466 }
467
nft_rule_expr_deactivate(const struct nft_ctx * ctx,struct nft_rule * rule,enum nft_trans_phase phase)468 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
469 enum nft_trans_phase phase)
470 {
471 struct nft_expr *expr;
472
473 expr = nft_expr_first(rule);
474 while (nft_expr_more(rule, expr)) {
475 if (expr->ops->deactivate)
476 expr->ops->deactivate(ctx, expr, phase);
477
478 expr = nft_expr_next(expr);
479 }
480 }
481
482 static int
nf_tables_delrule_deactivate(struct nft_ctx * ctx,struct nft_rule * rule)483 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
484 {
485 /* You cannot delete the same rule twice */
486 if (nft_is_active_next(ctx->net, rule)) {
487 nft_deactivate_next(ctx->net, rule);
488 nft_use_dec(&ctx->chain->use);
489 return 0;
490 }
491 return -ENOENT;
492 }
493
nft_trans_rule_add(struct nft_ctx * ctx,int msg_type,struct nft_rule * rule)494 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
495 struct nft_rule *rule)
496 {
497 struct nft_trans *trans;
498
499 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
500 if (trans == NULL)
501 return NULL;
502
503 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
504 nft_trans_rule_id(trans) =
505 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
506 }
507 nft_trans_rule(trans) = rule;
508 nft_trans_commit_list_add_tail(ctx->net, trans);
509
510 return trans;
511 }
512
nft_delrule(struct nft_ctx * ctx,struct nft_rule * rule)513 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
514 {
515 struct nft_flow_rule *flow;
516 struct nft_trans *trans;
517 int err;
518
519 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
520 if (trans == NULL)
521 return -ENOMEM;
522
523 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
524 flow = nft_flow_rule_create(ctx->net, rule);
525 if (IS_ERR(flow)) {
526 nft_trans_destroy(trans);
527 return PTR_ERR(flow);
528 }
529
530 nft_trans_flow_rule(trans) = flow;
531 }
532
533 err = nf_tables_delrule_deactivate(ctx, rule);
534 if (err < 0) {
535 nft_trans_destroy(trans);
536 return err;
537 }
538 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
539
540 return 0;
541 }
542
nft_delrule_by_chain(struct nft_ctx * ctx)543 static int nft_delrule_by_chain(struct nft_ctx *ctx)
544 {
545 struct nft_rule *rule;
546 int err;
547
548 list_for_each_entry(rule, &ctx->chain->rules, list) {
549 if (!nft_is_active_next(ctx->net, rule))
550 continue;
551
552 err = nft_delrule(ctx, rule);
553 if (err < 0)
554 return err;
555 }
556 return 0;
557 }
558
__nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set,const struct nft_set_desc * desc)559 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
560 struct nft_set *set,
561 const struct nft_set_desc *desc)
562 {
563 struct nft_trans *trans;
564
565 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
566 if (trans == NULL)
567 return -ENOMEM;
568
569 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
570 nft_trans_set_id(trans) =
571 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
572 nft_activate_next(ctx->net, set);
573 }
574 nft_trans_set(trans) = set;
575 if (desc) {
576 nft_trans_set_update(trans) = true;
577 nft_trans_set_gc_int(trans) = desc->gc_int;
578 nft_trans_set_timeout(trans) = desc->timeout;
579 nft_trans_set_size(trans) = desc->size;
580 }
581 nft_trans_commit_list_add_tail(ctx->net, trans);
582
583 return 0;
584 }
585
nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)586 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
587 struct nft_set *set)
588 {
589 return __nft_trans_set_add(ctx, msg_type, set, NULL);
590 }
591
nft_mapelem_deactivate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)592 static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
593 struct nft_set *set,
594 const struct nft_set_iter *iter,
595 struct nft_elem_priv *elem_priv)
596 {
597 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
598
599 return 0;
600 }
601
602 struct nft_set_elem_catchall {
603 struct list_head list;
604 struct rcu_head rcu;
605 struct nft_elem_priv *elem;
606 };
607
nft_map_catchall_deactivate(const struct nft_ctx * ctx,struct nft_set * set)608 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
609 struct nft_set *set)
610 {
611 u8 genmask = nft_genmask_next(ctx->net);
612 struct nft_set_elem_catchall *catchall;
613 struct nft_set_ext *ext;
614
615 list_for_each_entry(catchall, &set->catchall_list, list) {
616 ext = nft_set_elem_ext(set, catchall->elem);
617 if (!nft_set_elem_active(ext, genmask))
618 continue;
619
620 nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
621 break;
622 }
623 }
624
nft_map_deactivate(const struct nft_ctx * ctx,struct nft_set * set)625 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
626 {
627 struct nft_set_iter iter = {
628 .genmask = nft_genmask_next(ctx->net),
629 .fn = nft_mapelem_deactivate,
630 };
631
632 set->ops->walk(ctx, set, &iter);
633 WARN_ON_ONCE(iter.err);
634
635 nft_map_catchall_deactivate(ctx, set);
636 }
637
nft_delset(const struct nft_ctx * ctx,struct nft_set * set)638 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
639 {
640 int err;
641
642 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
643 if (err < 0)
644 return err;
645
646 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
647 nft_map_deactivate(ctx, set);
648
649 nft_deactivate_next(ctx->net, set);
650 nft_use_dec(&ctx->table->use);
651
652 return err;
653 }
654
nft_trans_obj_add(struct nft_ctx * ctx,int msg_type,struct nft_object * obj)655 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
656 struct nft_object *obj)
657 {
658 struct nft_trans *trans;
659
660 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
661 if (trans == NULL)
662 return -ENOMEM;
663
664 if (msg_type == NFT_MSG_NEWOBJ)
665 nft_activate_next(ctx->net, obj);
666
667 nft_trans_obj(trans) = obj;
668 nft_trans_commit_list_add_tail(ctx->net, trans);
669
670 return 0;
671 }
672
nft_delobj(struct nft_ctx * ctx,struct nft_object * obj)673 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
674 {
675 int err;
676
677 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
678 if (err < 0)
679 return err;
680
681 nft_deactivate_next(ctx->net, obj);
682 nft_use_dec(&ctx->table->use);
683
684 return err;
685 }
686
687 static struct nft_trans *
nft_trans_flowtable_add(struct nft_ctx * ctx,int msg_type,struct nft_flowtable * flowtable)688 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
689 struct nft_flowtable *flowtable)
690 {
691 struct nft_trans *trans;
692
693 trans = nft_trans_alloc(ctx, msg_type,
694 sizeof(struct nft_trans_flowtable));
695 if (trans == NULL)
696 return ERR_PTR(-ENOMEM);
697
698 if (msg_type == NFT_MSG_NEWFLOWTABLE)
699 nft_activate_next(ctx->net, flowtable);
700
701 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
702 nft_trans_flowtable(trans) = flowtable;
703 nft_trans_commit_list_add_tail(ctx->net, trans);
704
705 return trans;
706 }
707
nft_delflowtable(struct nft_ctx * ctx,struct nft_flowtable * flowtable)708 static int nft_delflowtable(struct nft_ctx *ctx,
709 struct nft_flowtable *flowtable)
710 {
711 struct nft_trans *trans;
712
713 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
714 if (IS_ERR(trans))
715 return PTR_ERR(trans);
716
717 nft_deactivate_next(ctx->net, flowtable);
718 nft_use_dec(&ctx->table->use);
719
720 return 0;
721 }
722
__nft_reg_track_clobber(struct nft_regs_track * track,u8 dreg)723 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
724 {
725 int i;
726
727 for (i = track->regs[dreg].num_reg; i > 0; i--)
728 __nft_reg_track_cancel(track, dreg - i);
729 }
730
__nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 num_reg)731 static void __nft_reg_track_update(struct nft_regs_track *track,
732 const struct nft_expr *expr,
733 u8 dreg, u8 num_reg)
734 {
735 track->regs[dreg].selector = expr;
736 track->regs[dreg].bitwise = NULL;
737 track->regs[dreg].num_reg = num_reg;
738 }
739
nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 len)740 void nft_reg_track_update(struct nft_regs_track *track,
741 const struct nft_expr *expr, u8 dreg, u8 len)
742 {
743 unsigned int regcount;
744 int i;
745
746 __nft_reg_track_clobber(track, dreg);
747
748 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
749 for (i = 0; i < regcount; i++, dreg++)
750 __nft_reg_track_update(track, expr, dreg, i);
751 }
752 EXPORT_SYMBOL_GPL(nft_reg_track_update);
753
nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg,u8 len)754 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
755 {
756 unsigned int regcount;
757 int i;
758
759 __nft_reg_track_clobber(track, dreg);
760
761 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
762 for (i = 0; i < regcount; i++, dreg++)
763 __nft_reg_track_cancel(track, dreg);
764 }
765 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
766
__nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg)767 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
768 {
769 track->regs[dreg].selector = NULL;
770 track->regs[dreg].bitwise = NULL;
771 track->regs[dreg].num_reg = 0;
772 }
773 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
774
775 /*
776 * Tables
777 */
778
nft_table_lookup(const struct net * net,const struct nlattr * nla,u8 family,u8 genmask,u32 nlpid)779 static struct nft_table *nft_table_lookup(const struct net *net,
780 const struct nlattr *nla,
781 u8 family, u8 genmask, u32 nlpid)
782 {
783 struct nftables_pernet *nft_net;
784 struct nft_table *table;
785
786 if (nla == NULL)
787 return ERR_PTR(-EINVAL);
788
789 nft_net = nft_pernet(net);
790 list_for_each_entry_rcu(table, &nft_net->tables, list,
791 lockdep_is_held(&nft_net->commit_mutex)) {
792 if (!nla_strcmp(nla, table->name) &&
793 table->family == family &&
794 nft_active_genmask(table, genmask)) {
795 if (nft_table_has_owner(table) &&
796 nlpid && table->nlpid != nlpid)
797 return ERR_PTR(-EPERM);
798
799 return table;
800 }
801 }
802
803 return ERR_PTR(-ENOENT);
804 }
805
nft_table_lookup_byhandle(const struct net * net,const struct nlattr * nla,int family,u8 genmask,u32 nlpid)806 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
807 const struct nlattr *nla,
808 int family, u8 genmask, u32 nlpid)
809 {
810 struct nftables_pernet *nft_net;
811 struct nft_table *table;
812
813 nft_net = nft_pernet(net);
814 list_for_each_entry(table, &nft_net->tables, list) {
815 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
816 table->family == family &&
817 nft_active_genmask(table, genmask)) {
818 if (nft_table_has_owner(table) &&
819 nlpid && table->nlpid != nlpid)
820 return ERR_PTR(-EPERM);
821
822 return table;
823 }
824 }
825
826 return ERR_PTR(-ENOENT);
827 }
828
nf_tables_alloc_handle(struct nft_table * table)829 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
830 {
831 return ++table->hgenerator;
832 }
833
834 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
835
836 static const struct nft_chain_type *
__nft_chain_type_get(u8 family,enum nft_chain_types type)837 __nft_chain_type_get(u8 family, enum nft_chain_types type)
838 {
839 if (family >= NFPROTO_NUMPROTO ||
840 type >= NFT_CHAIN_T_MAX)
841 return NULL;
842
843 return chain_type[family][type];
844 }
845
846 static const struct nft_chain_type *
__nf_tables_chain_type_lookup(const struct nlattr * nla,u8 family)847 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
848 {
849 const struct nft_chain_type *type;
850 int i;
851
852 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
853 type = __nft_chain_type_get(family, i);
854 if (!type)
855 continue;
856 if (!nla_strcmp(nla, type->name))
857 return type;
858 }
859 return NULL;
860 }
861
862 struct nft_module_request {
863 struct list_head list;
864 char module[MODULE_NAME_LEN];
865 bool done;
866 };
867
868 #ifdef CONFIG_MODULES
nft_request_module(struct net * net,const char * fmt,...)869 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
870 ...)
871 {
872 char module_name[MODULE_NAME_LEN];
873 struct nftables_pernet *nft_net;
874 struct nft_module_request *req;
875 va_list args;
876 int ret;
877
878 va_start(args, fmt);
879 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
880 va_end(args);
881 if (ret >= MODULE_NAME_LEN)
882 return 0;
883
884 nft_net = nft_pernet(net);
885 list_for_each_entry(req, &nft_net->module_list, list) {
886 if (!strcmp(req->module, module_name)) {
887 if (req->done)
888 return 0;
889
890 /* A request to load this module already exists. */
891 return -EAGAIN;
892 }
893 }
894
895 req = kmalloc(sizeof(*req), GFP_KERNEL);
896 if (!req)
897 return -ENOMEM;
898
899 req->done = false;
900 strscpy(req->module, module_name, MODULE_NAME_LEN);
901 list_add_tail(&req->list, &nft_net->module_list);
902
903 return -EAGAIN;
904 }
905 EXPORT_SYMBOL_GPL(nft_request_module);
906 #endif
907
lockdep_nfnl_nft_mutex_not_held(void)908 static void lockdep_nfnl_nft_mutex_not_held(void)
909 {
910 #ifdef CONFIG_PROVE_LOCKING
911 if (debug_locks)
912 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
913 #endif
914 }
915
916 static const struct nft_chain_type *
nf_tables_chain_type_lookup(struct net * net,const struct nlattr * nla,u8 family,bool autoload)917 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
918 u8 family, bool autoload)
919 {
920 const struct nft_chain_type *type;
921
922 type = __nf_tables_chain_type_lookup(nla, family);
923 if (type != NULL)
924 return type;
925
926 lockdep_nfnl_nft_mutex_not_held();
927 #ifdef CONFIG_MODULES
928 if (autoload) {
929 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
930 nla_len(nla),
931 (const char *)nla_data(nla)) == -EAGAIN)
932 return ERR_PTR(-EAGAIN);
933 }
934 #endif
935 return ERR_PTR(-ENOENT);
936 }
937
nft_base_seq(const struct net * net)938 static __be16 nft_base_seq(const struct net *net)
939 {
940 struct nftables_pernet *nft_net = nft_pernet(net);
941
942 return htons(nft_net->base_seq & 0xffff);
943 }
944
945 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
946 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
947 .len = NFT_TABLE_MAXNAMELEN - 1 },
948 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
949 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
950 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
951 .len = NFT_USERDATA_MAXLEN }
952 };
953
nf_tables_fill_table_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table)954 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
955 u32 portid, u32 seq, int event, u32 flags,
956 int family, const struct nft_table *table)
957 {
958 struct nlmsghdr *nlh;
959
960 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
961 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
962 NFNETLINK_V0, nft_base_seq(net));
963 if (!nlh)
964 goto nla_put_failure;
965
966 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
967 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
968 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
969 NFTA_TABLE_PAD))
970 goto nla_put_failure;
971
972 if (event == NFT_MSG_DELTABLE) {
973 nlmsg_end(skb, nlh);
974 return 0;
975 }
976
977 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
978 htonl(table->flags & NFT_TABLE_F_MASK)))
979 goto nla_put_failure;
980
981 if (nft_table_has_owner(table) &&
982 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
983 goto nla_put_failure;
984
985 if (table->udata) {
986 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
987 goto nla_put_failure;
988 }
989
990 nlmsg_end(skb, nlh);
991 return 0;
992
993 nla_put_failure:
994 nlmsg_trim(skb, nlh);
995 return -1;
996 }
997
998 struct nftnl_skb_parms {
999 bool report;
1000 };
1001 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1002
nft_notify_enqueue(struct sk_buff * skb,bool report,struct list_head * notify_list)1003 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1004 struct list_head *notify_list)
1005 {
1006 NFT_CB(skb).report = report;
1007 list_add_tail(&skb->list, notify_list);
1008 }
1009
nf_tables_table_notify(const struct nft_ctx * ctx,int event)1010 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1011 {
1012 struct nftables_pernet *nft_net;
1013 struct sk_buff *skb;
1014 u16 flags = 0;
1015 int err;
1016
1017 if (!ctx->report &&
1018 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1019 return;
1020
1021 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1022 if (skb == NULL)
1023 goto err;
1024
1025 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1026 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1027
1028 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
1029 event, flags, ctx->family, ctx->table);
1030 if (err < 0) {
1031 kfree_skb(skb);
1032 goto err;
1033 }
1034
1035 nft_net = nft_pernet(ctx->net);
1036 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1037 return;
1038 err:
1039 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1040 }
1041
nf_tables_dump_tables(struct sk_buff * skb,struct netlink_callback * cb)1042 static int nf_tables_dump_tables(struct sk_buff *skb,
1043 struct netlink_callback *cb)
1044 {
1045 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1046 struct nftables_pernet *nft_net;
1047 const struct nft_table *table;
1048 unsigned int idx = 0, s_idx = cb->args[0];
1049 struct net *net = sock_net(skb->sk);
1050 int family = nfmsg->nfgen_family;
1051
1052 rcu_read_lock();
1053 nft_net = nft_pernet(net);
1054 cb->seq = READ_ONCE(nft_net->base_seq);
1055
1056 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1057 if (family != NFPROTO_UNSPEC && family != table->family)
1058 continue;
1059
1060 if (idx < s_idx)
1061 goto cont;
1062 if (idx > s_idx)
1063 memset(&cb->args[1], 0,
1064 sizeof(cb->args) - sizeof(cb->args[0]));
1065 if (!nft_is_active(net, table))
1066 continue;
1067 if (nf_tables_fill_table_info(skb, net,
1068 NETLINK_CB(cb->skb).portid,
1069 cb->nlh->nlmsg_seq,
1070 NFT_MSG_NEWTABLE, NLM_F_MULTI,
1071 table->family, table) < 0)
1072 goto done;
1073
1074 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1075 cont:
1076 idx++;
1077 }
1078 done:
1079 rcu_read_unlock();
1080 cb->args[0] = idx;
1081 return skb->len;
1082 }
1083
nft_netlink_dump_start_rcu(struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,struct netlink_dump_control * c)1084 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1085 const struct nlmsghdr *nlh,
1086 struct netlink_dump_control *c)
1087 {
1088 int err;
1089
1090 if (!try_module_get(THIS_MODULE))
1091 return -EINVAL;
1092
1093 rcu_read_unlock();
1094 err = netlink_dump_start(nlsk, skb, nlh, c);
1095 rcu_read_lock();
1096 module_put(THIS_MODULE);
1097
1098 return err;
1099 }
1100
1101 /* called with rcu_read_lock held */
nf_tables_gettable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1102 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1103 const struct nlattr * const nla[])
1104 {
1105 struct netlink_ext_ack *extack = info->extack;
1106 u8 genmask = nft_genmask_cur(info->net);
1107 u8 family = info->nfmsg->nfgen_family;
1108 const struct nft_table *table;
1109 struct net *net = info->net;
1110 struct sk_buff *skb2;
1111 int err;
1112
1113 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1114 struct netlink_dump_control c = {
1115 .dump = nf_tables_dump_tables,
1116 .module = THIS_MODULE,
1117 };
1118
1119 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1120 }
1121
1122 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1123 if (IS_ERR(table)) {
1124 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1125 return PTR_ERR(table);
1126 }
1127
1128 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1129 if (!skb2)
1130 return -ENOMEM;
1131
1132 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1133 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1134 0, family, table);
1135 if (err < 0)
1136 goto err_fill_table_info;
1137
1138 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1139
1140 err_fill_table_info:
1141 kfree_skb(skb2);
1142 return err;
1143 }
1144
nft_table_disable(struct net * net,struct nft_table * table,u32 cnt)1145 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1146 {
1147 struct nft_chain *chain;
1148 u32 i = 0;
1149
1150 list_for_each_entry(chain, &table->chains, list) {
1151 if (!nft_is_active_next(net, chain))
1152 continue;
1153 if (!nft_is_base_chain(chain))
1154 continue;
1155
1156 if (cnt && i++ == cnt)
1157 break;
1158
1159 nf_tables_unregister_hook(net, table, chain);
1160 }
1161 }
1162
nf_tables_table_enable(struct net * net,struct nft_table * table)1163 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1164 {
1165 struct nft_chain *chain;
1166 int err, i = 0;
1167
1168 list_for_each_entry(chain, &table->chains, list) {
1169 if (!nft_is_active_next(net, chain))
1170 continue;
1171 if (!nft_is_base_chain(chain))
1172 continue;
1173
1174 err = nf_tables_register_hook(net, table, chain);
1175 if (err < 0)
1176 goto err_register_hooks;
1177
1178 i++;
1179 }
1180 return 0;
1181
1182 err_register_hooks:
1183 if (i)
1184 nft_table_disable(net, table, i);
1185 return err;
1186 }
1187
nf_tables_table_disable(struct net * net,struct nft_table * table)1188 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1189 {
1190 table->flags &= ~NFT_TABLE_F_DORMANT;
1191 nft_table_disable(net, table, 0);
1192 table->flags |= NFT_TABLE_F_DORMANT;
1193 }
1194
1195 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1196 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1197 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1198 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1199 __NFT_TABLE_F_WAS_AWAKEN)
1200
nf_tables_updtable(struct nft_ctx * ctx)1201 static int nf_tables_updtable(struct nft_ctx *ctx)
1202 {
1203 struct nft_trans *trans;
1204 u32 flags;
1205 int ret;
1206
1207 if (!ctx->nla[NFTA_TABLE_FLAGS])
1208 return 0;
1209
1210 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1211 if (flags & ~NFT_TABLE_F_MASK)
1212 return -EOPNOTSUPP;
1213
1214 if (flags == ctx->table->flags)
1215 return 0;
1216
1217 if ((nft_table_has_owner(ctx->table) &&
1218 !(flags & NFT_TABLE_F_OWNER)) ||
1219 (!nft_table_has_owner(ctx->table) &&
1220 flags & NFT_TABLE_F_OWNER))
1221 return -EOPNOTSUPP;
1222
1223 /* No dormant off/on/off/on games in single transaction */
1224 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1225 return -EINVAL;
1226
1227 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1228 sizeof(struct nft_trans_table));
1229 if (trans == NULL)
1230 return -ENOMEM;
1231
1232 if ((flags & NFT_TABLE_F_DORMANT) &&
1233 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1234 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1235 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1236 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1237 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1238 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1239 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1240 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1241 ret = nf_tables_table_enable(ctx->net, ctx->table);
1242 if (ret < 0)
1243 goto err_register_hooks;
1244
1245 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1246 }
1247 }
1248
1249 nft_trans_table_update(trans) = true;
1250 nft_trans_commit_list_add_tail(ctx->net, trans);
1251
1252 return 0;
1253
1254 err_register_hooks:
1255 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1256 nft_trans_destroy(trans);
1257 return ret;
1258 }
1259
nft_chain_hash(const void * data,u32 len,u32 seed)1260 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1261 {
1262 const char *name = data;
1263
1264 return jhash(name, strlen(name), seed);
1265 }
1266
nft_chain_hash_obj(const void * data,u32 len,u32 seed)1267 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1268 {
1269 const struct nft_chain *chain = data;
1270
1271 return nft_chain_hash(chain->name, 0, seed);
1272 }
1273
nft_chain_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1274 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1275 const void *ptr)
1276 {
1277 const struct nft_chain *chain = ptr;
1278 const char *name = arg->key;
1279
1280 return strcmp(chain->name, name);
1281 }
1282
nft_objname_hash(const void * data,u32 len,u32 seed)1283 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1284 {
1285 const struct nft_object_hash_key *k = data;
1286
1287 seed ^= hash_ptr(k->table, 32);
1288
1289 return jhash(k->name, strlen(k->name), seed);
1290 }
1291
nft_objname_hash_obj(const void * data,u32 len,u32 seed)1292 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1293 {
1294 const struct nft_object *obj = data;
1295
1296 return nft_objname_hash(&obj->key, 0, seed);
1297 }
1298
nft_objname_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1299 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1300 const void *ptr)
1301 {
1302 const struct nft_object_hash_key *k = arg->key;
1303 const struct nft_object *obj = ptr;
1304
1305 if (obj->key.table != k->table)
1306 return -1;
1307
1308 return strcmp(obj->key.name, k->name);
1309 }
1310
nft_supported_family(u8 family)1311 static bool nft_supported_family(u8 family)
1312 {
1313 return false
1314 #ifdef CONFIG_NF_TABLES_INET
1315 || family == NFPROTO_INET
1316 #endif
1317 #ifdef CONFIG_NF_TABLES_IPV4
1318 || family == NFPROTO_IPV4
1319 #endif
1320 #ifdef CONFIG_NF_TABLES_ARP
1321 || family == NFPROTO_ARP
1322 #endif
1323 #ifdef CONFIG_NF_TABLES_NETDEV
1324 || family == NFPROTO_NETDEV
1325 #endif
1326 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1327 || family == NFPROTO_BRIDGE
1328 #endif
1329 #ifdef CONFIG_NF_TABLES_IPV6
1330 || family == NFPROTO_IPV6
1331 #endif
1332 ;
1333 }
1334
nf_tables_newtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1335 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1336 const struct nlattr * const nla[])
1337 {
1338 struct nftables_pernet *nft_net = nft_pernet(info->net);
1339 struct netlink_ext_ack *extack = info->extack;
1340 u8 genmask = nft_genmask_next(info->net);
1341 u8 family = info->nfmsg->nfgen_family;
1342 struct net *net = info->net;
1343 const struct nlattr *attr;
1344 struct nft_table *table;
1345 struct nft_ctx ctx;
1346 u32 flags = 0;
1347 int err;
1348
1349 if (!nft_supported_family(family))
1350 return -EOPNOTSUPP;
1351
1352 lockdep_assert_held(&nft_net->commit_mutex);
1353 attr = nla[NFTA_TABLE_NAME];
1354 table = nft_table_lookup(net, attr, family, genmask,
1355 NETLINK_CB(skb).portid);
1356 if (IS_ERR(table)) {
1357 if (PTR_ERR(table) != -ENOENT)
1358 return PTR_ERR(table);
1359 } else {
1360 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1361 NL_SET_BAD_ATTR(extack, attr);
1362 return -EEXIST;
1363 }
1364 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1365 return -EOPNOTSUPP;
1366
1367 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1368
1369 return nf_tables_updtable(&ctx);
1370 }
1371
1372 if (nla[NFTA_TABLE_FLAGS]) {
1373 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1374 if (flags & ~NFT_TABLE_F_MASK)
1375 return -EOPNOTSUPP;
1376 }
1377
1378 err = -ENOMEM;
1379 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1380 if (table == NULL)
1381 goto err_kzalloc;
1382
1383 table->validate_state = nft_net->validate_state;
1384 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1385 if (table->name == NULL)
1386 goto err_strdup;
1387
1388 if (nla[NFTA_TABLE_USERDATA]) {
1389 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1390 if (table->udata == NULL)
1391 goto err_table_udata;
1392
1393 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1394 }
1395
1396 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1397 if (err)
1398 goto err_chain_ht;
1399
1400 INIT_LIST_HEAD(&table->chains);
1401 INIT_LIST_HEAD(&table->sets);
1402 INIT_LIST_HEAD(&table->objects);
1403 INIT_LIST_HEAD(&table->flowtables);
1404 table->family = family;
1405 table->flags = flags;
1406 table->handle = ++nft_net->table_handle;
1407 if (table->flags & NFT_TABLE_F_OWNER)
1408 table->nlpid = NETLINK_CB(skb).portid;
1409
1410 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1411 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1412 if (err < 0)
1413 goto err_trans;
1414
1415 list_add_tail_rcu(&table->list, &nft_net->tables);
1416 return 0;
1417 err_trans:
1418 rhltable_destroy(&table->chains_ht);
1419 err_chain_ht:
1420 kfree(table->udata);
1421 err_table_udata:
1422 kfree(table->name);
1423 err_strdup:
1424 kfree(table);
1425 err_kzalloc:
1426 return err;
1427 }
1428
nft_flush_table(struct nft_ctx * ctx)1429 static int nft_flush_table(struct nft_ctx *ctx)
1430 {
1431 struct nft_flowtable *flowtable, *nft;
1432 struct nft_chain *chain, *nc;
1433 struct nft_object *obj, *ne;
1434 struct nft_set *set, *ns;
1435 int err;
1436
1437 list_for_each_entry(chain, &ctx->table->chains, list) {
1438 if (!nft_is_active_next(ctx->net, chain))
1439 continue;
1440
1441 if (nft_chain_binding(chain))
1442 continue;
1443
1444 ctx->chain = chain;
1445
1446 err = nft_delrule_by_chain(ctx);
1447 if (err < 0)
1448 goto out;
1449 }
1450
1451 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1452 if (!nft_is_active_next(ctx->net, set))
1453 continue;
1454
1455 if (nft_set_is_anonymous(set))
1456 continue;
1457
1458 err = nft_delset(ctx, set);
1459 if (err < 0)
1460 goto out;
1461 }
1462
1463 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1464 if (!nft_is_active_next(ctx->net, flowtable))
1465 continue;
1466
1467 err = nft_delflowtable(ctx, flowtable);
1468 if (err < 0)
1469 goto out;
1470 }
1471
1472 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1473 if (!nft_is_active_next(ctx->net, obj))
1474 continue;
1475
1476 err = nft_delobj(ctx, obj);
1477 if (err < 0)
1478 goto out;
1479 }
1480
1481 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1482 if (!nft_is_active_next(ctx->net, chain))
1483 continue;
1484
1485 if (nft_chain_binding(chain))
1486 continue;
1487
1488 ctx->chain = chain;
1489
1490 err = nft_delchain(ctx);
1491 if (err < 0)
1492 goto out;
1493 }
1494
1495 err = nft_deltable(ctx);
1496 out:
1497 return err;
1498 }
1499
nft_flush(struct nft_ctx * ctx,int family)1500 static int nft_flush(struct nft_ctx *ctx, int family)
1501 {
1502 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1503 const struct nlattr * const *nla = ctx->nla;
1504 struct nft_table *table, *nt;
1505 int err = 0;
1506
1507 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1508 if (family != AF_UNSPEC && table->family != family)
1509 continue;
1510
1511 ctx->family = table->family;
1512
1513 if (!nft_is_active_next(ctx->net, table))
1514 continue;
1515
1516 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1517 continue;
1518
1519 if (nla[NFTA_TABLE_NAME] &&
1520 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1521 continue;
1522
1523 ctx->table = table;
1524
1525 err = nft_flush_table(ctx);
1526 if (err < 0)
1527 goto out;
1528 }
1529 out:
1530 return err;
1531 }
1532
nf_tables_deltable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1533 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1534 const struct nlattr * const nla[])
1535 {
1536 struct netlink_ext_ack *extack = info->extack;
1537 u8 genmask = nft_genmask_next(info->net);
1538 u8 family = info->nfmsg->nfgen_family;
1539 struct net *net = info->net;
1540 const struct nlattr *attr;
1541 struct nft_table *table;
1542 struct nft_ctx ctx;
1543
1544 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1545 if (family == AF_UNSPEC ||
1546 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1547 return nft_flush(&ctx, family);
1548
1549 if (nla[NFTA_TABLE_HANDLE]) {
1550 attr = nla[NFTA_TABLE_HANDLE];
1551 table = nft_table_lookup_byhandle(net, attr, family, genmask,
1552 NETLINK_CB(skb).portid);
1553 } else {
1554 attr = nla[NFTA_TABLE_NAME];
1555 table = nft_table_lookup(net, attr, family, genmask,
1556 NETLINK_CB(skb).portid);
1557 }
1558
1559 if (IS_ERR(table)) {
1560 if (PTR_ERR(table) == -ENOENT &&
1561 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1562 return 0;
1563
1564 NL_SET_BAD_ATTR(extack, attr);
1565 return PTR_ERR(table);
1566 }
1567
1568 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1569 table->use > 0)
1570 return -EBUSY;
1571
1572 ctx.family = family;
1573 ctx.table = table;
1574
1575 return nft_flush_table(&ctx);
1576 }
1577
nf_tables_table_destroy(struct nft_ctx * ctx)1578 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1579 {
1580 if (WARN_ON(ctx->table->use > 0))
1581 return;
1582
1583 rhltable_destroy(&ctx->table->chains_ht);
1584 kfree(ctx->table->name);
1585 kfree(ctx->table->udata);
1586 kfree(ctx->table);
1587 }
1588
nft_register_chain_type(const struct nft_chain_type * ctype)1589 void nft_register_chain_type(const struct nft_chain_type *ctype)
1590 {
1591 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1592 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1593 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1594 return;
1595 }
1596 chain_type[ctype->family][ctype->type] = ctype;
1597 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1598 }
1599 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1600
nft_unregister_chain_type(const struct nft_chain_type * ctype)1601 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1602 {
1603 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1604 chain_type[ctype->family][ctype->type] = NULL;
1605 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1606 }
1607 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1608
1609 /*
1610 * Chains
1611 */
1612
1613 static struct nft_chain *
nft_chain_lookup_byhandle(const struct nft_table * table,u64 handle,u8 genmask)1614 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1615 {
1616 struct nft_chain *chain;
1617
1618 list_for_each_entry(chain, &table->chains, list) {
1619 if (chain->handle == handle &&
1620 nft_active_genmask(chain, genmask))
1621 return chain;
1622 }
1623
1624 return ERR_PTR(-ENOENT);
1625 }
1626
lockdep_commit_lock_is_held(const struct net * net)1627 static bool lockdep_commit_lock_is_held(const struct net *net)
1628 {
1629 #ifdef CONFIG_PROVE_LOCKING
1630 struct nftables_pernet *nft_net = nft_pernet(net);
1631
1632 return lockdep_is_held(&nft_net->commit_mutex);
1633 #else
1634 return true;
1635 #endif
1636 }
1637
nft_chain_lookup(struct net * net,struct nft_table * table,const struct nlattr * nla,u8 genmask)1638 static struct nft_chain *nft_chain_lookup(struct net *net,
1639 struct nft_table *table,
1640 const struct nlattr *nla, u8 genmask)
1641 {
1642 char search[NFT_CHAIN_MAXNAMELEN + 1];
1643 struct rhlist_head *tmp, *list;
1644 struct nft_chain *chain;
1645
1646 if (nla == NULL)
1647 return ERR_PTR(-EINVAL);
1648
1649 nla_strscpy(search, nla, sizeof(search));
1650
1651 WARN_ON(!rcu_read_lock_held() &&
1652 !lockdep_commit_lock_is_held(net));
1653
1654 chain = ERR_PTR(-ENOENT);
1655 rcu_read_lock();
1656 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1657 if (!list)
1658 goto out_unlock;
1659
1660 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1661 if (nft_active_genmask(chain, genmask))
1662 goto out_unlock;
1663 }
1664 chain = ERR_PTR(-ENOENT);
1665 out_unlock:
1666 rcu_read_unlock();
1667 return chain;
1668 }
1669
1670 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1671 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1672 .len = NFT_TABLE_MAXNAMELEN - 1 },
1673 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1674 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1675 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1676 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1677 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1678 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1679 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1680 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1681 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1682 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1683 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1684 .len = NFT_USERDATA_MAXLEN },
1685 };
1686
1687 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1688 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1689 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1690 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1691 .len = IFNAMSIZ - 1 },
1692 };
1693
nft_dump_stats(struct sk_buff * skb,struct nft_stats __percpu * stats)1694 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1695 {
1696 struct nft_stats *cpu_stats, total;
1697 struct nlattr *nest;
1698 unsigned int seq;
1699 u64 pkts, bytes;
1700 int cpu;
1701
1702 if (!stats)
1703 return 0;
1704
1705 memset(&total, 0, sizeof(total));
1706 for_each_possible_cpu(cpu) {
1707 cpu_stats = per_cpu_ptr(stats, cpu);
1708 do {
1709 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1710 pkts = cpu_stats->pkts;
1711 bytes = cpu_stats->bytes;
1712 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1713 total.pkts += pkts;
1714 total.bytes += bytes;
1715 }
1716 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1717 if (nest == NULL)
1718 goto nla_put_failure;
1719
1720 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1721 NFTA_COUNTER_PAD) ||
1722 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1723 NFTA_COUNTER_PAD))
1724 goto nla_put_failure;
1725
1726 nla_nest_end(skb, nest);
1727 return 0;
1728
1729 nla_put_failure:
1730 return -ENOSPC;
1731 }
1732
nft_dump_basechain_hook(struct sk_buff * skb,int family,const struct nft_base_chain * basechain,const struct list_head * hook_list)1733 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1734 const struct nft_base_chain *basechain,
1735 const struct list_head *hook_list)
1736 {
1737 const struct nf_hook_ops *ops = &basechain->ops;
1738 struct nft_hook *hook, *first = NULL;
1739 struct nlattr *nest, *nest_devs;
1740 int n = 0;
1741
1742 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1743 if (nest == NULL)
1744 goto nla_put_failure;
1745 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1746 goto nla_put_failure;
1747 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1748 goto nla_put_failure;
1749
1750 if (nft_base_chain_netdev(family, ops->hooknum)) {
1751 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1752 if (!nest_devs)
1753 goto nla_put_failure;
1754
1755 if (!hook_list)
1756 hook_list = &basechain->hook_list;
1757
1758 list_for_each_entry(hook, hook_list, list) {
1759 if (!first)
1760 first = hook;
1761
1762 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1763 hook->ops.dev->name))
1764 goto nla_put_failure;
1765 n++;
1766 }
1767 nla_nest_end(skb, nest_devs);
1768
1769 if (n == 1 &&
1770 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1771 goto nla_put_failure;
1772 }
1773 nla_nest_end(skb, nest);
1774
1775 return 0;
1776 nla_put_failure:
1777 return -1;
1778 }
1779
nf_tables_fill_chain_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct list_head * hook_list)1780 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1781 u32 portid, u32 seq, int event, u32 flags,
1782 int family, const struct nft_table *table,
1783 const struct nft_chain *chain,
1784 const struct list_head *hook_list)
1785 {
1786 struct nlmsghdr *nlh;
1787
1788 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1789 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1790 NFNETLINK_V0, nft_base_seq(net));
1791 if (!nlh)
1792 goto nla_put_failure;
1793
1794 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
1795 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
1796 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1797 NFTA_CHAIN_PAD))
1798 goto nla_put_failure;
1799
1800 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1801 nlmsg_end(skb, nlh);
1802 return 0;
1803 }
1804
1805 if (nft_is_base_chain(chain)) {
1806 const struct nft_base_chain *basechain = nft_base_chain(chain);
1807 struct nft_stats __percpu *stats;
1808
1809 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1810 goto nla_put_failure;
1811
1812 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1813 htonl(basechain->policy)))
1814 goto nla_put_failure;
1815
1816 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1817 goto nla_put_failure;
1818
1819 stats = rcu_dereference_check(basechain->stats,
1820 lockdep_commit_lock_is_held(net));
1821 if (nft_dump_stats(skb, stats))
1822 goto nla_put_failure;
1823 }
1824
1825 if (chain->flags &&
1826 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1827 goto nla_put_failure;
1828
1829 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1830 goto nla_put_failure;
1831
1832 if (chain->udata &&
1833 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1834 goto nla_put_failure;
1835
1836 nlmsg_end(skb, nlh);
1837 return 0;
1838
1839 nla_put_failure:
1840 nlmsg_trim(skb, nlh);
1841 return -1;
1842 }
1843
nf_tables_chain_notify(const struct nft_ctx * ctx,int event,const struct list_head * hook_list)1844 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1845 const struct list_head *hook_list)
1846 {
1847 struct nftables_pernet *nft_net;
1848 struct sk_buff *skb;
1849 u16 flags = 0;
1850 int err;
1851
1852 if (!ctx->report &&
1853 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1854 return;
1855
1856 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1857 if (skb == NULL)
1858 goto err;
1859
1860 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1861 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1862
1863 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1864 event, flags, ctx->family, ctx->table,
1865 ctx->chain, hook_list);
1866 if (err < 0) {
1867 kfree_skb(skb);
1868 goto err;
1869 }
1870
1871 nft_net = nft_pernet(ctx->net);
1872 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1873 return;
1874 err:
1875 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1876 }
1877
nf_tables_dump_chains(struct sk_buff * skb,struct netlink_callback * cb)1878 static int nf_tables_dump_chains(struct sk_buff *skb,
1879 struct netlink_callback *cb)
1880 {
1881 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1882 unsigned int idx = 0, s_idx = cb->args[0];
1883 struct net *net = sock_net(skb->sk);
1884 int family = nfmsg->nfgen_family;
1885 struct nftables_pernet *nft_net;
1886 const struct nft_table *table;
1887 const struct nft_chain *chain;
1888
1889 rcu_read_lock();
1890 nft_net = nft_pernet(net);
1891 cb->seq = READ_ONCE(nft_net->base_seq);
1892
1893 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1894 if (family != NFPROTO_UNSPEC && family != table->family)
1895 continue;
1896
1897 list_for_each_entry_rcu(chain, &table->chains, list) {
1898 if (idx < s_idx)
1899 goto cont;
1900 if (idx > s_idx)
1901 memset(&cb->args[1], 0,
1902 sizeof(cb->args) - sizeof(cb->args[0]));
1903 if (!nft_is_active(net, chain))
1904 continue;
1905 if (nf_tables_fill_chain_info(skb, net,
1906 NETLINK_CB(cb->skb).portid,
1907 cb->nlh->nlmsg_seq,
1908 NFT_MSG_NEWCHAIN,
1909 NLM_F_MULTI,
1910 table->family, table,
1911 chain, NULL) < 0)
1912 goto done;
1913
1914 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1915 cont:
1916 idx++;
1917 }
1918 }
1919 done:
1920 rcu_read_unlock();
1921 cb->args[0] = idx;
1922 return skb->len;
1923 }
1924
1925 /* called with rcu_read_lock held */
nf_tables_getchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1926 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1927 const struct nlattr * const nla[])
1928 {
1929 struct netlink_ext_ack *extack = info->extack;
1930 u8 genmask = nft_genmask_cur(info->net);
1931 u8 family = info->nfmsg->nfgen_family;
1932 const struct nft_chain *chain;
1933 struct net *net = info->net;
1934 struct nft_table *table;
1935 struct sk_buff *skb2;
1936 int err;
1937
1938 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1939 struct netlink_dump_control c = {
1940 .dump = nf_tables_dump_chains,
1941 .module = THIS_MODULE,
1942 };
1943
1944 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1945 }
1946
1947 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1948 if (IS_ERR(table)) {
1949 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1950 return PTR_ERR(table);
1951 }
1952
1953 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1954 if (IS_ERR(chain)) {
1955 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1956 return PTR_ERR(chain);
1957 }
1958
1959 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1960 if (!skb2)
1961 return -ENOMEM;
1962
1963 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1964 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
1965 0, family, table, chain, NULL);
1966 if (err < 0)
1967 goto err_fill_chain_info;
1968
1969 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1970
1971 err_fill_chain_info:
1972 kfree_skb(skb2);
1973 return err;
1974 }
1975
1976 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1977 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1978 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1979 };
1980
nft_stats_alloc(const struct nlattr * attr)1981 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1982 {
1983 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1984 struct nft_stats __percpu *newstats;
1985 struct nft_stats *stats;
1986 int err;
1987
1988 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1989 nft_counter_policy, NULL);
1990 if (err < 0)
1991 return ERR_PTR(err);
1992
1993 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1994 return ERR_PTR(-EINVAL);
1995
1996 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1997 if (newstats == NULL)
1998 return ERR_PTR(-ENOMEM);
1999
2000 /* Restore old counters on this cpu, no problem. Per-cpu statistics
2001 * are not exposed to userspace.
2002 */
2003 preempt_disable();
2004 stats = this_cpu_ptr(newstats);
2005 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2006 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2007 preempt_enable();
2008
2009 return newstats;
2010 }
2011
nft_chain_stats_replace(struct nft_trans * trans)2012 static void nft_chain_stats_replace(struct nft_trans *trans)
2013 {
2014 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
2015
2016 if (!nft_trans_chain_stats(trans))
2017 return;
2018
2019 nft_trans_chain_stats(trans) =
2020 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
2021 lockdep_commit_lock_is_held(trans->ctx.net));
2022
2023 if (!nft_trans_chain_stats(trans))
2024 static_branch_inc(&nft_counters_enabled);
2025 }
2026
nf_tables_chain_free_chain_rules(struct nft_chain * chain)2027 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2028 {
2029 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2030 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2031
2032 if (g0 != g1)
2033 kvfree(g1);
2034 kvfree(g0);
2035
2036 /* should be NULL either via abort or via successful commit */
2037 WARN_ON_ONCE(chain->blob_next);
2038 kvfree(chain->blob_next);
2039 }
2040
nf_tables_chain_destroy(struct nft_ctx * ctx)2041 void nf_tables_chain_destroy(struct nft_ctx *ctx)
2042 {
2043 struct nft_chain *chain = ctx->chain;
2044 struct nft_hook *hook, *next;
2045
2046 if (WARN_ON(chain->use > 0))
2047 return;
2048
2049 /* no concurrent access possible anymore */
2050 nf_tables_chain_free_chain_rules(chain);
2051
2052 if (nft_is_base_chain(chain)) {
2053 struct nft_base_chain *basechain = nft_base_chain(chain);
2054
2055 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2056 list_for_each_entry_safe(hook, next,
2057 &basechain->hook_list, list) {
2058 list_del_rcu(&hook->list);
2059 kfree_rcu(hook, rcu);
2060 }
2061 }
2062 module_put(basechain->type->owner);
2063 if (rcu_access_pointer(basechain->stats)) {
2064 static_branch_dec(&nft_counters_enabled);
2065 free_percpu(rcu_dereference_raw(basechain->stats));
2066 }
2067 kfree(chain->name);
2068 kfree(chain->udata);
2069 kfree(basechain);
2070 } else {
2071 kfree(chain->name);
2072 kfree(chain->udata);
2073 kfree(chain);
2074 }
2075 }
2076
nft_netdev_hook_alloc(struct net * net,const struct nlattr * attr)2077 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2078 const struct nlattr *attr)
2079 {
2080 struct net_device *dev;
2081 char ifname[IFNAMSIZ];
2082 struct nft_hook *hook;
2083 int err;
2084
2085 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2086 if (!hook) {
2087 err = -ENOMEM;
2088 goto err_hook_alloc;
2089 }
2090
2091 nla_strscpy(ifname, attr, IFNAMSIZ);
2092 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2093 * indirectly serializing all the other holders of the commit_mutex with
2094 * the rtnl_mutex.
2095 */
2096 dev = __dev_get_by_name(net, ifname);
2097 if (!dev) {
2098 err = -ENOENT;
2099 goto err_hook_dev;
2100 }
2101 hook->ops.dev = dev;
2102
2103 return hook;
2104
2105 err_hook_dev:
2106 kfree(hook);
2107 err_hook_alloc:
2108 return ERR_PTR(err);
2109 }
2110
nft_hook_list_find(struct list_head * hook_list,const struct nft_hook * this)2111 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2112 const struct nft_hook *this)
2113 {
2114 struct nft_hook *hook;
2115
2116 list_for_each_entry(hook, hook_list, list) {
2117 if (this->ops.dev == hook->ops.dev)
2118 return hook;
2119 }
2120
2121 return NULL;
2122 }
2123
nf_tables_parse_netdev_hooks(struct net * net,const struct nlattr * attr,struct list_head * hook_list,struct netlink_ext_ack * extack)2124 static int nf_tables_parse_netdev_hooks(struct net *net,
2125 const struct nlattr *attr,
2126 struct list_head *hook_list,
2127 struct netlink_ext_ack *extack)
2128 {
2129 struct nft_hook *hook, *next;
2130 const struct nlattr *tmp;
2131 int rem, n = 0, err;
2132
2133 nla_for_each_nested(tmp, attr, rem) {
2134 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
2135 err = -EINVAL;
2136 goto err_hook;
2137 }
2138
2139 hook = nft_netdev_hook_alloc(net, tmp);
2140 if (IS_ERR(hook)) {
2141 NL_SET_BAD_ATTR(extack, tmp);
2142 err = PTR_ERR(hook);
2143 goto err_hook;
2144 }
2145 if (nft_hook_list_find(hook_list, hook)) {
2146 NL_SET_BAD_ATTR(extack, tmp);
2147 kfree(hook);
2148 err = -EEXIST;
2149 goto err_hook;
2150 }
2151 list_add_tail(&hook->list, hook_list);
2152 n++;
2153
2154 if (n == NFT_NETDEVICE_MAX) {
2155 err = -EFBIG;
2156 goto err_hook;
2157 }
2158 }
2159
2160 return 0;
2161
2162 err_hook:
2163 list_for_each_entry_safe(hook, next, hook_list, list) {
2164 list_del(&hook->list);
2165 kfree(hook);
2166 }
2167 return err;
2168 }
2169
2170 struct nft_chain_hook {
2171 u32 num;
2172 s32 priority;
2173 const struct nft_chain_type *type;
2174 struct list_head list;
2175 };
2176
nft_chain_parse_netdev(struct net * net,struct nlattr * tb[],struct list_head * hook_list,struct netlink_ext_ack * extack,u32 flags)2177 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2178 struct list_head *hook_list,
2179 struct netlink_ext_ack *extack, u32 flags)
2180 {
2181 struct nft_hook *hook;
2182 int err;
2183
2184 if (tb[NFTA_HOOK_DEV]) {
2185 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2186 if (IS_ERR(hook)) {
2187 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2188 return PTR_ERR(hook);
2189 }
2190
2191 list_add_tail(&hook->list, hook_list);
2192 } else if (tb[NFTA_HOOK_DEVS]) {
2193 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2194 hook_list, extack);
2195 if (err < 0)
2196 return err;
2197
2198 }
2199
2200 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2201 list_empty(hook_list))
2202 return -EINVAL;
2203
2204 return 0;
2205 }
2206
nft_chain_parse_hook(struct net * net,struct nft_base_chain * basechain,const struct nlattr * const nla[],struct nft_chain_hook * hook,u8 family,u32 flags,struct netlink_ext_ack * extack)2207 static int nft_chain_parse_hook(struct net *net,
2208 struct nft_base_chain *basechain,
2209 const struct nlattr * const nla[],
2210 struct nft_chain_hook *hook, u8 family,
2211 u32 flags, struct netlink_ext_ack *extack)
2212 {
2213 struct nftables_pernet *nft_net = nft_pernet(net);
2214 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2215 const struct nft_chain_type *type;
2216 int err;
2217
2218 lockdep_assert_held(&nft_net->commit_mutex);
2219 lockdep_nfnl_nft_mutex_not_held();
2220
2221 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2222 nla[NFTA_CHAIN_HOOK],
2223 nft_hook_policy, NULL);
2224 if (err < 0)
2225 return err;
2226
2227 if (!basechain) {
2228 if (!ha[NFTA_HOOK_HOOKNUM] ||
2229 !ha[NFTA_HOOK_PRIORITY]) {
2230 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2231 return -ENOENT;
2232 }
2233
2234 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2235 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2236
2237 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2238 if (!type)
2239 return -EOPNOTSUPP;
2240
2241 if (nla[NFTA_CHAIN_TYPE]) {
2242 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2243 family, true);
2244 if (IS_ERR(type)) {
2245 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2246 return PTR_ERR(type);
2247 }
2248 }
2249 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2250 return -EOPNOTSUPP;
2251
2252 if (type->type == NFT_CHAIN_T_NAT &&
2253 hook->priority <= NF_IP_PRI_CONNTRACK)
2254 return -EOPNOTSUPP;
2255 } else {
2256 if (ha[NFTA_HOOK_HOOKNUM]) {
2257 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2258 if (hook->num != basechain->ops.hooknum)
2259 return -EOPNOTSUPP;
2260 }
2261 if (ha[NFTA_HOOK_PRIORITY]) {
2262 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2263 if (hook->priority != basechain->ops.priority)
2264 return -EOPNOTSUPP;
2265 }
2266
2267 if (nla[NFTA_CHAIN_TYPE]) {
2268 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
2269 family);
2270 if (!type) {
2271 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2272 return -ENOENT;
2273 }
2274 } else {
2275 type = basechain->type;
2276 }
2277 }
2278
2279 if (!try_module_get(type->owner)) {
2280 if (nla[NFTA_CHAIN_TYPE])
2281 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2282 return -ENOENT;
2283 }
2284
2285 hook->type = type;
2286
2287 INIT_LIST_HEAD(&hook->list);
2288 if (nft_base_chain_netdev(family, hook->num)) {
2289 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2290 if (err < 0) {
2291 module_put(type->owner);
2292 return err;
2293 }
2294 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2295 module_put(type->owner);
2296 return -EOPNOTSUPP;
2297 }
2298
2299 return 0;
2300 }
2301
nft_chain_release_hook(struct nft_chain_hook * hook)2302 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2303 {
2304 struct nft_hook *h, *next;
2305
2306 list_for_each_entry_safe(h, next, &hook->list, list) {
2307 list_del(&h->list);
2308 kfree(h);
2309 }
2310 module_put(hook->type->owner);
2311 }
2312
nft_last_rule(const struct nft_chain * chain,const void * ptr)2313 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2314 {
2315 struct nft_rule_dp_last *lrule;
2316
2317 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2318
2319 lrule = (struct nft_rule_dp_last *)ptr;
2320 lrule->end.is_last = 1;
2321 lrule->chain = chain;
2322 /* blob size does not include the trailer rule */
2323 }
2324
nf_tables_chain_alloc_rules(const struct nft_chain * chain,unsigned int size)2325 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2326 unsigned int size)
2327 {
2328 struct nft_rule_blob *blob;
2329
2330 if (size > INT_MAX)
2331 return NULL;
2332
2333 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2334
2335 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2336 if (!blob)
2337 return NULL;
2338
2339 blob->size = 0;
2340 nft_last_rule(chain, blob->data);
2341
2342 return blob;
2343 }
2344
nft_basechain_hook_init(struct nf_hook_ops * ops,u8 family,const struct nft_chain_hook * hook,struct nft_chain * chain)2345 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2346 const struct nft_chain_hook *hook,
2347 struct nft_chain *chain)
2348 {
2349 ops->pf = family;
2350 ops->hooknum = hook->num;
2351 ops->priority = hook->priority;
2352 ops->priv = chain;
2353 ops->hook = hook->type->hooks[ops->hooknum];
2354 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2355 }
2356
nft_basechain_init(struct nft_base_chain * basechain,u8 family,struct nft_chain_hook * hook,u32 flags)2357 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2358 struct nft_chain_hook *hook, u32 flags)
2359 {
2360 struct nft_chain *chain;
2361 struct nft_hook *h;
2362
2363 basechain->type = hook->type;
2364 INIT_LIST_HEAD(&basechain->hook_list);
2365 chain = &basechain->chain;
2366
2367 if (nft_base_chain_netdev(family, hook->num)) {
2368 list_splice_init(&hook->list, &basechain->hook_list);
2369 list_for_each_entry(h, &basechain->hook_list, list)
2370 nft_basechain_hook_init(&h->ops, family, hook, chain);
2371 }
2372 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2373
2374 chain->flags |= NFT_CHAIN_BASE | flags;
2375 basechain->policy = NF_ACCEPT;
2376 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2377 !nft_chain_offload_support(basechain)) {
2378 list_splice_init(&basechain->hook_list, &hook->list);
2379 return -EOPNOTSUPP;
2380 }
2381
2382 flow_block_init(&basechain->flow_block);
2383
2384 return 0;
2385 }
2386
nft_chain_add(struct nft_table * table,struct nft_chain * chain)2387 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2388 {
2389 int err;
2390
2391 err = rhltable_insert_key(&table->chains_ht, chain->name,
2392 &chain->rhlhead, nft_chain_ht_params);
2393 if (err)
2394 return err;
2395
2396 list_add_tail_rcu(&chain->list, &table->chains);
2397
2398 return 0;
2399 }
2400
2401 static u64 chain_id;
2402
nf_tables_addchain(struct nft_ctx * ctx,u8 family,u8 genmask,u8 policy,u32 flags,struct netlink_ext_ack * extack)2403 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2404 u8 policy, u32 flags,
2405 struct netlink_ext_ack *extack)
2406 {
2407 const struct nlattr * const *nla = ctx->nla;
2408 struct nft_table *table = ctx->table;
2409 struct nft_base_chain *basechain;
2410 struct net *net = ctx->net;
2411 char name[NFT_NAME_MAXLEN];
2412 struct nft_rule_blob *blob;
2413 struct nft_trans *trans;
2414 struct nft_chain *chain;
2415 int err;
2416
2417 if (nla[NFTA_CHAIN_HOOK]) {
2418 struct nft_stats __percpu *stats = NULL;
2419 struct nft_chain_hook hook = {};
2420
2421 if (flags & NFT_CHAIN_BINDING)
2422 return -EOPNOTSUPP;
2423
2424 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2425 extack);
2426 if (err < 0)
2427 return err;
2428
2429 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2430 if (basechain == NULL) {
2431 nft_chain_release_hook(&hook);
2432 return -ENOMEM;
2433 }
2434 chain = &basechain->chain;
2435
2436 if (nla[NFTA_CHAIN_COUNTERS]) {
2437 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2438 if (IS_ERR(stats)) {
2439 nft_chain_release_hook(&hook);
2440 kfree(basechain);
2441 return PTR_ERR(stats);
2442 }
2443 rcu_assign_pointer(basechain->stats, stats);
2444 }
2445
2446 err = nft_basechain_init(basechain, family, &hook, flags);
2447 if (err < 0) {
2448 nft_chain_release_hook(&hook);
2449 kfree(basechain);
2450 free_percpu(stats);
2451 return err;
2452 }
2453 if (stats)
2454 static_branch_inc(&nft_counters_enabled);
2455 } else {
2456 if (flags & NFT_CHAIN_BASE)
2457 return -EINVAL;
2458 if (flags & NFT_CHAIN_HW_OFFLOAD)
2459 return -EOPNOTSUPP;
2460
2461 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2462 if (chain == NULL)
2463 return -ENOMEM;
2464
2465 chain->flags = flags;
2466 }
2467 ctx->chain = chain;
2468
2469 INIT_LIST_HEAD(&chain->rules);
2470 chain->handle = nf_tables_alloc_handle(table);
2471 chain->table = table;
2472
2473 if (nla[NFTA_CHAIN_NAME]) {
2474 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2475 } else {
2476 if (!(flags & NFT_CHAIN_BINDING)) {
2477 err = -EINVAL;
2478 goto err_destroy_chain;
2479 }
2480
2481 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2482 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2483 }
2484
2485 if (!chain->name) {
2486 err = -ENOMEM;
2487 goto err_destroy_chain;
2488 }
2489
2490 if (nla[NFTA_CHAIN_USERDATA]) {
2491 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2492 if (chain->udata == NULL) {
2493 err = -ENOMEM;
2494 goto err_destroy_chain;
2495 }
2496 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2497 }
2498
2499 blob = nf_tables_chain_alloc_rules(chain, 0);
2500 if (!blob) {
2501 err = -ENOMEM;
2502 goto err_destroy_chain;
2503 }
2504
2505 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2506 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2507
2508 if (!nft_use_inc(&table->use)) {
2509 err = -EMFILE;
2510 goto err_destroy_chain;
2511 }
2512
2513 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2514 if (IS_ERR(trans)) {
2515 err = PTR_ERR(trans);
2516 goto err_trans;
2517 }
2518
2519 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2520 if (nft_is_base_chain(chain))
2521 nft_trans_chain_policy(trans) = policy;
2522
2523 err = nft_chain_add(table, chain);
2524 if (err < 0)
2525 goto err_chain_add;
2526
2527 /* This must be LAST to ensure no packets are walking over this chain. */
2528 err = nf_tables_register_hook(net, table, chain);
2529 if (err < 0)
2530 goto err_register_hook;
2531
2532 return 0;
2533
2534 err_register_hook:
2535 nft_chain_del(chain);
2536 err_chain_add:
2537 nft_trans_destroy(trans);
2538 err_trans:
2539 nft_use_dec_restore(&table->use);
2540 err_destroy_chain:
2541 nf_tables_chain_destroy(ctx);
2542
2543 return err;
2544 }
2545
nf_tables_updchain(struct nft_ctx * ctx,u8 genmask,u8 policy,u32 flags,const struct nlattr * attr,struct netlink_ext_ack * extack)2546 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2547 u32 flags, const struct nlattr *attr,
2548 struct netlink_ext_ack *extack)
2549 {
2550 const struct nlattr * const *nla = ctx->nla;
2551 struct nft_base_chain *basechain = NULL;
2552 struct nft_table *table = ctx->table;
2553 struct nft_chain *chain = ctx->chain;
2554 struct nft_chain_hook hook = {};
2555 struct nft_stats *stats = NULL;
2556 struct nft_hook *h, *next;
2557 struct nf_hook_ops *ops;
2558 struct nft_trans *trans;
2559 bool unregister = false;
2560 int err;
2561
2562 if (chain->flags ^ flags)
2563 return -EOPNOTSUPP;
2564
2565 INIT_LIST_HEAD(&hook.list);
2566
2567 if (nla[NFTA_CHAIN_HOOK]) {
2568 if (!nft_is_base_chain(chain)) {
2569 NL_SET_BAD_ATTR(extack, attr);
2570 return -EEXIST;
2571 }
2572
2573 basechain = nft_base_chain(chain);
2574 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2575 ctx->family, flags, extack);
2576 if (err < 0)
2577 return err;
2578
2579 if (basechain->type != hook.type) {
2580 nft_chain_release_hook(&hook);
2581 NL_SET_BAD_ATTR(extack, attr);
2582 return -EEXIST;
2583 }
2584
2585 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2586 list_for_each_entry_safe(h, next, &hook.list, list) {
2587 h->ops.pf = basechain->ops.pf;
2588 h->ops.hooknum = basechain->ops.hooknum;
2589 h->ops.priority = basechain->ops.priority;
2590 h->ops.priv = basechain->ops.priv;
2591 h->ops.hook = basechain->ops.hook;
2592
2593 if (nft_hook_list_find(&basechain->hook_list, h)) {
2594 list_del(&h->list);
2595 kfree(h);
2596 }
2597 }
2598 } else {
2599 ops = &basechain->ops;
2600 if (ops->hooknum != hook.num ||
2601 ops->priority != hook.priority) {
2602 nft_chain_release_hook(&hook);
2603 NL_SET_BAD_ATTR(extack, attr);
2604 return -EEXIST;
2605 }
2606 }
2607 }
2608
2609 if (nla[NFTA_CHAIN_HANDLE] &&
2610 nla[NFTA_CHAIN_NAME]) {
2611 struct nft_chain *chain2;
2612
2613 chain2 = nft_chain_lookup(ctx->net, table,
2614 nla[NFTA_CHAIN_NAME], genmask);
2615 if (!IS_ERR(chain2)) {
2616 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2617 err = -EEXIST;
2618 goto err_hooks;
2619 }
2620 }
2621
2622 if (nla[NFTA_CHAIN_COUNTERS]) {
2623 if (!nft_is_base_chain(chain)) {
2624 err = -EOPNOTSUPP;
2625 goto err_hooks;
2626 }
2627
2628 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2629 if (IS_ERR(stats)) {
2630 err = PTR_ERR(stats);
2631 goto err_hooks;
2632 }
2633 }
2634
2635 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2636 nft_is_base_chain(chain) &&
2637 !list_empty(&hook.list)) {
2638 basechain = nft_base_chain(chain);
2639 ops = &basechain->ops;
2640
2641 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2642 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2643 if (err < 0)
2644 goto err_hooks;
2645 }
2646 }
2647
2648 unregister = true;
2649 err = -ENOMEM;
2650 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2651 sizeof(struct nft_trans_chain));
2652 if (trans == NULL)
2653 goto err_trans;
2654
2655 nft_trans_chain_stats(trans) = stats;
2656 nft_trans_chain_update(trans) = true;
2657
2658 if (nla[NFTA_CHAIN_POLICY])
2659 nft_trans_chain_policy(trans) = policy;
2660 else
2661 nft_trans_chain_policy(trans) = -1;
2662
2663 if (nla[NFTA_CHAIN_HANDLE] &&
2664 nla[NFTA_CHAIN_NAME]) {
2665 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2666 struct nft_trans *tmp;
2667 char *name;
2668
2669 err = -ENOMEM;
2670 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2671 if (!name)
2672 goto err_trans;
2673
2674 err = -EEXIST;
2675 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2676 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2677 tmp->ctx.table == table &&
2678 nft_trans_chain_update(tmp) &&
2679 nft_trans_chain_name(tmp) &&
2680 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2681 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2682 kfree(name);
2683 goto err_trans;
2684 }
2685 }
2686
2687 nft_trans_chain_name(trans) = name;
2688 }
2689
2690 nft_trans_basechain(trans) = basechain;
2691 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2692 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2693 if (nla[NFTA_CHAIN_HOOK])
2694 module_put(hook.type->owner);
2695
2696 nft_trans_commit_list_add_tail(ctx->net, trans);
2697
2698 return 0;
2699
2700 err_trans:
2701 free_percpu(stats);
2702 kfree(trans);
2703 err_hooks:
2704 if (nla[NFTA_CHAIN_HOOK]) {
2705 list_for_each_entry_safe(h, next, &hook.list, list) {
2706 if (unregister)
2707 nf_unregister_net_hook(ctx->net, &h->ops);
2708 list_del(&h->list);
2709 kfree_rcu(h, rcu);
2710 }
2711 module_put(hook.type->owner);
2712 }
2713
2714 return err;
2715 }
2716
nft_chain_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)2717 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2718 const struct nft_table *table,
2719 const struct nlattr *nla, u8 genmask)
2720 {
2721 struct nftables_pernet *nft_net = nft_pernet(net);
2722 u32 id = ntohl(nla_get_be32(nla));
2723 struct nft_trans *trans;
2724
2725 list_for_each_entry(trans, &nft_net->commit_list, list) {
2726 struct nft_chain *chain = trans->ctx.chain;
2727
2728 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2729 chain->table == table &&
2730 id == nft_trans_chain_id(trans) &&
2731 nft_active_genmask(chain, genmask))
2732 return chain;
2733 }
2734 return ERR_PTR(-ENOENT);
2735 }
2736
nf_tables_newchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2737 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2738 const struct nlattr * const nla[])
2739 {
2740 struct nftables_pernet *nft_net = nft_pernet(info->net);
2741 struct netlink_ext_ack *extack = info->extack;
2742 u8 genmask = nft_genmask_next(info->net);
2743 u8 family = info->nfmsg->nfgen_family;
2744 struct nft_chain *chain = NULL;
2745 struct net *net = info->net;
2746 const struct nlattr *attr;
2747 struct nft_table *table;
2748 u8 policy = NF_ACCEPT;
2749 struct nft_ctx ctx;
2750 u64 handle = 0;
2751 u32 flags = 0;
2752
2753 lockdep_assert_held(&nft_net->commit_mutex);
2754
2755 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2756 NETLINK_CB(skb).portid);
2757 if (IS_ERR(table)) {
2758 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2759 return PTR_ERR(table);
2760 }
2761
2762 chain = NULL;
2763 attr = nla[NFTA_CHAIN_NAME];
2764
2765 if (nla[NFTA_CHAIN_HANDLE]) {
2766 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2767 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2768 if (IS_ERR(chain)) {
2769 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2770 return PTR_ERR(chain);
2771 }
2772 attr = nla[NFTA_CHAIN_HANDLE];
2773 } else if (nla[NFTA_CHAIN_NAME]) {
2774 chain = nft_chain_lookup(net, table, attr, genmask);
2775 if (IS_ERR(chain)) {
2776 if (PTR_ERR(chain) != -ENOENT) {
2777 NL_SET_BAD_ATTR(extack, attr);
2778 return PTR_ERR(chain);
2779 }
2780 chain = NULL;
2781 }
2782 } else if (!nla[NFTA_CHAIN_ID]) {
2783 return -EINVAL;
2784 }
2785
2786 if (nla[NFTA_CHAIN_POLICY]) {
2787 if (chain != NULL &&
2788 !nft_is_base_chain(chain)) {
2789 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2790 return -EOPNOTSUPP;
2791 }
2792
2793 if (chain == NULL &&
2794 nla[NFTA_CHAIN_HOOK] == NULL) {
2795 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2796 return -EOPNOTSUPP;
2797 }
2798
2799 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2800 switch (policy) {
2801 case NF_DROP:
2802 case NF_ACCEPT:
2803 break;
2804 default:
2805 return -EINVAL;
2806 }
2807 }
2808
2809 if (nla[NFTA_CHAIN_FLAGS])
2810 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2811 else if (chain)
2812 flags = chain->flags;
2813
2814 if (flags & ~NFT_CHAIN_FLAGS)
2815 return -EOPNOTSUPP;
2816
2817 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2818
2819 if (chain != NULL) {
2820 if (chain->flags & NFT_CHAIN_BINDING)
2821 return -EINVAL;
2822
2823 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2824 NL_SET_BAD_ATTR(extack, attr);
2825 return -EEXIST;
2826 }
2827 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2828 return -EOPNOTSUPP;
2829
2830 flags |= chain->flags & NFT_CHAIN_BASE;
2831 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2832 extack);
2833 }
2834
2835 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2836 }
2837
nft_delchain_hook(struct nft_ctx * ctx,struct nft_base_chain * basechain,struct netlink_ext_ack * extack)2838 static int nft_delchain_hook(struct nft_ctx *ctx,
2839 struct nft_base_chain *basechain,
2840 struct netlink_ext_ack *extack)
2841 {
2842 const struct nft_chain *chain = &basechain->chain;
2843 const struct nlattr * const *nla = ctx->nla;
2844 struct nft_chain_hook chain_hook = {};
2845 struct nft_hook *this, *hook;
2846 LIST_HEAD(chain_del_list);
2847 struct nft_trans *trans;
2848 int err;
2849
2850 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
2851 ctx->family, chain->flags, extack);
2852 if (err < 0)
2853 return err;
2854
2855 list_for_each_entry(this, &chain_hook.list, list) {
2856 hook = nft_hook_list_find(&basechain->hook_list, this);
2857 if (!hook) {
2858 err = -ENOENT;
2859 goto err_chain_del_hook;
2860 }
2861 list_move(&hook->list, &chain_del_list);
2862 }
2863
2864 trans = nft_trans_alloc(ctx, NFT_MSG_DELCHAIN,
2865 sizeof(struct nft_trans_chain));
2866 if (!trans) {
2867 err = -ENOMEM;
2868 goto err_chain_del_hook;
2869 }
2870
2871 nft_trans_basechain(trans) = basechain;
2872 nft_trans_chain_update(trans) = true;
2873 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2874 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
2875 nft_chain_release_hook(&chain_hook);
2876
2877 nft_trans_commit_list_add_tail(ctx->net, trans);
2878
2879 return 0;
2880
2881 err_chain_del_hook:
2882 list_splice(&chain_del_list, &basechain->hook_list);
2883 nft_chain_release_hook(&chain_hook);
2884
2885 return err;
2886 }
2887
nf_tables_delchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2888 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2889 const struct nlattr * const nla[])
2890 {
2891 struct netlink_ext_ack *extack = info->extack;
2892 u8 genmask = nft_genmask_next(info->net);
2893 u8 family = info->nfmsg->nfgen_family;
2894 struct net *net = info->net;
2895 const struct nlattr *attr;
2896 struct nft_table *table;
2897 struct nft_chain *chain;
2898 struct nft_rule *rule;
2899 struct nft_ctx ctx;
2900 u64 handle;
2901 u32 use;
2902 int err;
2903
2904 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2905 NETLINK_CB(skb).portid);
2906 if (IS_ERR(table)) {
2907 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2908 return PTR_ERR(table);
2909 }
2910
2911 if (nla[NFTA_CHAIN_HANDLE]) {
2912 attr = nla[NFTA_CHAIN_HANDLE];
2913 handle = be64_to_cpu(nla_get_be64(attr));
2914 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2915 } else {
2916 attr = nla[NFTA_CHAIN_NAME];
2917 chain = nft_chain_lookup(net, table, attr, genmask);
2918 }
2919 if (IS_ERR(chain)) {
2920 if (PTR_ERR(chain) == -ENOENT &&
2921 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
2922 return 0;
2923
2924 NL_SET_BAD_ATTR(extack, attr);
2925 return PTR_ERR(chain);
2926 }
2927
2928 if (nft_chain_binding(chain))
2929 return -EOPNOTSUPP;
2930
2931 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2932
2933 if (nla[NFTA_CHAIN_HOOK]) {
2934 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
2935 return -EOPNOTSUPP;
2936
2937 if (nft_is_base_chain(chain)) {
2938 struct nft_base_chain *basechain = nft_base_chain(chain);
2939
2940 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
2941 return nft_delchain_hook(&ctx, basechain, extack);
2942 }
2943 }
2944
2945 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
2946 chain->use > 0)
2947 return -EBUSY;
2948
2949 use = chain->use;
2950 list_for_each_entry(rule, &chain->rules, list) {
2951 if (!nft_is_active_next(net, rule))
2952 continue;
2953 use--;
2954
2955 err = nft_delrule(&ctx, rule);
2956 if (err < 0)
2957 return err;
2958 }
2959
2960 /* There are rules and elements that are still holding references to us,
2961 * we cannot do a recursive removal in this case.
2962 */
2963 if (use > 0) {
2964 NL_SET_BAD_ATTR(extack, attr);
2965 return -EBUSY;
2966 }
2967
2968 return nft_delchain(&ctx);
2969 }
2970
2971 /*
2972 * Expressions
2973 */
2974
2975 /**
2976 * nft_register_expr - register nf_tables expr type
2977 * @type: expr type
2978 *
2979 * Registers the expr type for use with nf_tables. Returns zero on
2980 * success or a negative errno code otherwise.
2981 */
nft_register_expr(struct nft_expr_type * type)2982 int nft_register_expr(struct nft_expr_type *type)
2983 {
2984 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
2985 return -ENOMEM;
2986
2987 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2988 if (type->family == NFPROTO_UNSPEC)
2989 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2990 else
2991 list_add_rcu(&type->list, &nf_tables_expressions);
2992 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2993 return 0;
2994 }
2995 EXPORT_SYMBOL_GPL(nft_register_expr);
2996
2997 /**
2998 * nft_unregister_expr - unregister nf_tables expr type
2999 * @type: expr type
3000 *
3001 * Unregisters the expr typefor use with nf_tables.
3002 */
nft_unregister_expr(struct nft_expr_type * type)3003 void nft_unregister_expr(struct nft_expr_type *type)
3004 {
3005 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3006 list_del_rcu(&type->list);
3007 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3008 }
3009 EXPORT_SYMBOL_GPL(nft_unregister_expr);
3010
__nft_expr_type_get(u8 family,struct nlattr * nla)3011 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
3012 struct nlattr *nla)
3013 {
3014 const struct nft_expr_type *type, *candidate = NULL;
3015
3016 list_for_each_entry(type, &nf_tables_expressions, list) {
3017 if (!nla_strcmp(nla, type->name)) {
3018 if (!type->family && !candidate)
3019 candidate = type;
3020 else if (type->family == family)
3021 candidate = type;
3022 }
3023 }
3024 return candidate;
3025 }
3026
3027 #ifdef CONFIG_MODULES
nft_expr_type_request_module(struct net * net,u8 family,struct nlattr * nla)3028 static int nft_expr_type_request_module(struct net *net, u8 family,
3029 struct nlattr *nla)
3030 {
3031 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3032 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3033 return -EAGAIN;
3034
3035 return 0;
3036 }
3037 #endif
3038
nft_expr_type_get(struct net * net,u8 family,struct nlattr * nla)3039 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3040 u8 family,
3041 struct nlattr *nla)
3042 {
3043 const struct nft_expr_type *type;
3044
3045 if (nla == NULL)
3046 return ERR_PTR(-EINVAL);
3047
3048 type = __nft_expr_type_get(family, nla);
3049 if (type != NULL && try_module_get(type->owner))
3050 return type;
3051
3052 lockdep_nfnl_nft_mutex_not_held();
3053 #ifdef CONFIG_MODULES
3054 if (type == NULL) {
3055 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3056 return ERR_PTR(-EAGAIN);
3057
3058 if (nft_request_module(net, "nft-expr-%.*s",
3059 nla_len(nla),
3060 (char *)nla_data(nla)) == -EAGAIN)
3061 return ERR_PTR(-EAGAIN);
3062 }
3063 #endif
3064 return ERR_PTR(-ENOENT);
3065 }
3066
3067 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3068 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3069 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3070 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3071 };
3072
nf_tables_fill_expr_info(struct sk_buff * skb,const struct nft_expr * expr,bool reset)3073 static int nf_tables_fill_expr_info(struct sk_buff *skb,
3074 const struct nft_expr *expr, bool reset)
3075 {
3076 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
3077 goto nla_put_failure;
3078
3079 if (expr->ops->dump) {
3080 struct nlattr *data = nla_nest_start_noflag(skb,
3081 NFTA_EXPR_DATA);
3082 if (data == NULL)
3083 goto nla_put_failure;
3084 if (expr->ops->dump(skb, expr, reset) < 0)
3085 goto nla_put_failure;
3086 nla_nest_end(skb, data);
3087 }
3088
3089 return skb->len;
3090
3091 nla_put_failure:
3092 return -1;
3093 };
3094
nft_expr_dump(struct sk_buff * skb,unsigned int attr,const struct nft_expr * expr,bool reset)3095 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3096 const struct nft_expr *expr, bool reset)
3097 {
3098 struct nlattr *nest;
3099
3100 nest = nla_nest_start_noflag(skb, attr);
3101 if (!nest)
3102 goto nla_put_failure;
3103 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3104 goto nla_put_failure;
3105 nla_nest_end(skb, nest);
3106 return 0;
3107
3108 nla_put_failure:
3109 return -1;
3110 }
3111
3112 struct nft_expr_info {
3113 const struct nft_expr_ops *ops;
3114 const struct nlattr *attr;
3115 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3116 };
3117
nf_tables_expr_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3118 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3119 const struct nlattr *nla,
3120 struct nft_expr_info *info)
3121 {
3122 const struct nft_expr_type *type;
3123 const struct nft_expr_ops *ops;
3124 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3125 int err;
3126
3127 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3128 nft_expr_policy, NULL);
3129 if (err < 0)
3130 return err;
3131
3132 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3133 if (IS_ERR(type))
3134 return PTR_ERR(type);
3135
3136 if (tb[NFTA_EXPR_DATA]) {
3137 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3138 tb[NFTA_EXPR_DATA],
3139 type->policy, NULL);
3140 if (err < 0)
3141 goto err1;
3142 } else
3143 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3144
3145 if (type->select_ops != NULL) {
3146 ops = type->select_ops(ctx,
3147 (const struct nlattr * const *)info->tb);
3148 if (IS_ERR(ops)) {
3149 err = PTR_ERR(ops);
3150 #ifdef CONFIG_MODULES
3151 if (err == -EAGAIN)
3152 if (nft_expr_type_request_module(ctx->net,
3153 ctx->family,
3154 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3155 err = -ENOENT;
3156 #endif
3157 goto err1;
3158 }
3159 } else
3160 ops = type->ops;
3161
3162 info->attr = nla;
3163 info->ops = ops;
3164
3165 return 0;
3166
3167 err1:
3168 module_put(type->owner);
3169 return err;
3170 }
3171
nft_expr_inner_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3172 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3173 struct nft_expr_info *info)
3174 {
3175 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3176 const struct nft_expr_type *type;
3177 int err;
3178
3179 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3180 nft_expr_policy, NULL);
3181 if (err < 0)
3182 return err;
3183
3184 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3185 return -EINVAL;
3186
3187 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3188 if (!type)
3189 return -ENOENT;
3190
3191 if (!type->inner_ops)
3192 return -EOPNOTSUPP;
3193
3194 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3195 tb[NFTA_EXPR_DATA],
3196 type->policy, NULL);
3197 if (err < 0)
3198 goto err_nla_parse;
3199
3200 info->attr = nla;
3201 info->ops = type->inner_ops;
3202
3203 return 0;
3204
3205 err_nla_parse:
3206 return err;
3207 }
3208
nf_tables_newexpr(const struct nft_ctx * ctx,const struct nft_expr_info * expr_info,struct nft_expr * expr)3209 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3210 const struct nft_expr_info *expr_info,
3211 struct nft_expr *expr)
3212 {
3213 const struct nft_expr_ops *ops = expr_info->ops;
3214 int err;
3215
3216 expr->ops = ops;
3217 if (ops->init) {
3218 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3219 if (err < 0)
3220 goto err1;
3221 }
3222
3223 return 0;
3224 err1:
3225 expr->ops = NULL;
3226 return err;
3227 }
3228
nf_tables_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3229 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3230 struct nft_expr *expr)
3231 {
3232 const struct nft_expr_type *type = expr->ops->type;
3233
3234 if (expr->ops->destroy)
3235 expr->ops->destroy(ctx, expr);
3236 module_put(type->owner);
3237 }
3238
nft_expr_init(const struct nft_ctx * ctx,const struct nlattr * nla)3239 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3240 const struct nlattr *nla)
3241 {
3242 struct nft_expr_info expr_info;
3243 struct nft_expr *expr;
3244 struct module *owner;
3245 int err;
3246
3247 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3248 if (err < 0)
3249 goto err_expr_parse;
3250
3251 err = -EOPNOTSUPP;
3252 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3253 goto err_expr_stateful;
3254
3255 err = -ENOMEM;
3256 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3257 if (expr == NULL)
3258 goto err_expr_stateful;
3259
3260 err = nf_tables_newexpr(ctx, &expr_info, expr);
3261 if (err < 0)
3262 goto err_expr_new;
3263
3264 return expr;
3265 err_expr_new:
3266 kfree(expr);
3267 err_expr_stateful:
3268 owner = expr_info.ops->type->owner;
3269 if (expr_info.ops->type->release_ops)
3270 expr_info.ops->type->release_ops(expr_info.ops);
3271
3272 module_put(owner);
3273 err_expr_parse:
3274 return ERR_PTR(err);
3275 }
3276
nft_expr_clone(struct nft_expr * dst,struct nft_expr * src)3277 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
3278 {
3279 int err;
3280
3281 if (WARN_ON_ONCE(!src->ops->clone))
3282 return -EINVAL;
3283
3284 dst->ops = src->ops;
3285 err = src->ops->clone(dst, src);
3286 if (err < 0)
3287 return err;
3288
3289 __module_get(src->ops->type->owner);
3290
3291 return 0;
3292 }
3293
nft_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3294 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3295 {
3296 nf_tables_expr_destroy(ctx, expr);
3297 kfree(expr);
3298 }
3299
3300 /*
3301 * Rules
3302 */
3303
__nft_rule_lookup(const struct nft_chain * chain,u64 handle)3304 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
3305 u64 handle)
3306 {
3307 struct nft_rule *rule;
3308
3309 // FIXME: this sucks
3310 list_for_each_entry_rcu(rule, &chain->rules, list) {
3311 if (handle == rule->handle)
3312 return rule;
3313 }
3314
3315 return ERR_PTR(-ENOENT);
3316 }
3317
nft_rule_lookup(const struct nft_chain * chain,const struct nlattr * nla)3318 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
3319 const struct nlattr *nla)
3320 {
3321 if (nla == NULL)
3322 return ERR_PTR(-EINVAL);
3323
3324 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
3325 }
3326
3327 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3328 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3329 .len = NFT_TABLE_MAXNAMELEN - 1 },
3330 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3331 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3332 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3333 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
3334 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3335 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3336 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3337 .len = NFT_USERDATA_MAXLEN },
3338 [NFTA_RULE_ID] = { .type = NLA_U32 },
3339 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3340 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3341 };
3342
nf_tables_fill_rule_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct nft_rule * rule,u64 handle,bool reset)3343 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3344 u32 portid, u32 seq, int event,
3345 u32 flags, int family,
3346 const struct nft_table *table,
3347 const struct nft_chain *chain,
3348 const struct nft_rule *rule, u64 handle,
3349 bool reset)
3350 {
3351 struct nlmsghdr *nlh;
3352 const struct nft_expr *expr, *next;
3353 struct nlattr *list;
3354 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3355
3356 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3357 nft_base_seq(net));
3358 if (!nlh)
3359 goto nla_put_failure;
3360
3361 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3362 goto nla_put_failure;
3363 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3364 goto nla_put_failure;
3365 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3366 NFTA_RULE_PAD))
3367 goto nla_put_failure;
3368
3369 if (event != NFT_MSG_DELRULE && handle) {
3370 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3371 NFTA_RULE_PAD))
3372 goto nla_put_failure;
3373 }
3374
3375 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3376 nft_flow_rule_stats(chain, rule);
3377
3378 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3379 if (list == NULL)
3380 goto nla_put_failure;
3381 nft_rule_for_each_expr(expr, next, rule) {
3382 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3383 goto nla_put_failure;
3384 }
3385 nla_nest_end(skb, list);
3386
3387 if (rule->udata) {
3388 struct nft_userdata *udata = nft_userdata(rule);
3389 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3390 udata->data) < 0)
3391 goto nla_put_failure;
3392 }
3393
3394 nlmsg_end(skb, nlh);
3395 return 0;
3396
3397 nla_put_failure:
3398 nlmsg_trim(skb, nlh);
3399 return -1;
3400 }
3401
nf_tables_rule_notify(const struct nft_ctx * ctx,const struct nft_rule * rule,int event)3402 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3403 const struct nft_rule *rule, int event)
3404 {
3405 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3406 const struct nft_rule *prule;
3407 struct sk_buff *skb;
3408 u64 handle = 0;
3409 u16 flags = 0;
3410 int err;
3411
3412 if (!ctx->report &&
3413 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3414 return;
3415
3416 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3417 if (skb == NULL)
3418 goto err;
3419
3420 if (event == NFT_MSG_NEWRULE &&
3421 !list_is_first(&rule->list, &ctx->chain->rules) &&
3422 !list_is_last(&rule->list, &ctx->chain->rules)) {
3423 prule = list_prev_entry(rule, list);
3424 handle = prule->handle;
3425 }
3426 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3427 flags |= NLM_F_APPEND;
3428 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3429 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3430
3431 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3432 event, flags, ctx->family, ctx->table,
3433 ctx->chain, rule, handle, false);
3434 if (err < 0) {
3435 kfree_skb(skb);
3436 goto err;
3437 }
3438
3439 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3440 return;
3441 err:
3442 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3443 }
3444
audit_log_rule_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)3445 static void audit_log_rule_reset(const struct nft_table *table,
3446 unsigned int base_seq,
3447 unsigned int nentries)
3448 {
3449 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
3450 table->name, base_seq);
3451
3452 audit_log_nfcfg(buf, table->family, nentries,
3453 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3454 kfree(buf);
3455 }
3456
3457 struct nft_rule_dump_ctx {
3458 unsigned int s_idx;
3459 char *table;
3460 char *chain;
3461 bool reset;
3462 };
3463
__nf_tables_dump_rules(struct sk_buff * skb,unsigned int * idx,struct netlink_callback * cb,const struct nft_table * table,const struct nft_chain * chain)3464 static int __nf_tables_dump_rules(struct sk_buff *skb,
3465 unsigned int *idx,
3466 struct netlink_callback *cb,
3467 const struct nft_table *table,
3468 const struct nft_chain *chain)
3469 {
3470 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3471 struct net *net = sock_net(skb->sk);
3472 const struct nft_rule *rule, *prule;
3473 unsigned int entries = 0;
3474 int ret = 0;
3475 u64 handle;
3476
3477 prule = NULL;
3478 list_for_each_entry_rcu(rule, &chain->rules, list) {
3479 if (!nft_is_active(net, rule))
3480 goto cont_skip;
3481 if (*idx < ctx->s_idx)
3482 goto cont;
3483 if (prule)
3484 handle = prule->handle;
3485 else
3486 handle = 0;
3487
3488 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3489 cb->nlh->nlmsg_seq,
3490 NFT_MSG_NEWRULE,
3491 NLM_F_MULTI | NLM_F_APPEND,
3492 table->family,
3493 table, chain, rule, handle, ctx->reset) < 0) {
3494 ret = 1;
3495 break;
3496 }
3497 entries++;
3498 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3499 cont:
3500 prule = rule;
3501 cont_skip:
3502 (*idx)++;
3503 }
3504
3505 if (ctx->reset && entries)
3506 audit_log_rule_reset(table, cb->seq, entries);
3507
3508 return ret;
3509 }
3510
nf_tables_dump_rules(struct sk_buff * skb,struct netlink_callback * cb)3511 static int nf_tables_dump_rules(struct sk_buff *skb,
3512 struct netlink_callback *cb)
3513 {
3514 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3515 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3516 struct nft_table *table;
3517 const struct nft_chain *chain;
3518 unsigned int idx = 0;
3519 struct net *net = sock_net(skb->sk);
3520 int family = nfmsg->nfgen_family;
3521 struct nftables_pernet *nft_net;
3522
3523 rcu_read_lock();
3524 nft_net = nft_pernet(net);
3525 cb->seq = READ_ONCE(nft_net->base_seq);
3526
3527 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3528 if (family != NFPROTO_UNSPEC && family != table->family)
3529 continue;
3530
3531 if (ctx->table && strcmp(ctx->table, table->name) != 0)
3532 continue;
3533
3534 if (ctx->table && ctx->chain) {
3535 struct rhlist_head *list, *tmp;
3536
3537 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3538 nft_chain_ht_params);
3539 if (!list)
3540 goto done;
3541
3542 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3543 if (!nft_is_active(net, chain))
3544 continue;
3545 __nf_tables_dump_rules(skb, &idx,
3546 cb, table, chain);
3547 break;
3548 }
3549 goto done;
3550 }
3551
3552 list_for_each_entry_rcu(chain, &table->chains, list) {
3553 if (__nf_tables_dump_rules(skb, &idx,
3554 cb, table, chain))
3555 goto done;
3556 }
3557
3558 if (ctx->table)
3559 break;
3560 }
3561 done:
3562 rcu_read_unlock();
3563
3564 ctx->s_idx = idx;
3565 return skb->len;
3566 }
3567
nf_tables_dumpreset_rules(struct sk_buff * skb,struct netlink_callback * cb)3568 static int nf_tables_dumpreset_rules(struct sk_buff *skb,
3569 struct netlink_callback *cb)
3570 {
3571 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
3572 int ret;
3573
3574 /* Mutex is held is to prevent that two concurrent dump-and-reset calls
3575 * do not underrun counters and quotas. The commit_mutex is used for
3576 * the lack a better lock, this is not transaction path.
3577 */
3578 mutex_lock(&nft_net->commit_mutex);
3579 ret = nf_tables_dump_rules(skb, cb);
3580 mutex_unlock(&nft_net->commit_mutex);
3581
3582 return ret;
3583 }
3584
nf_tables_dump_rules_start(struct netlink_callback * cb)3585 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3586 {
3587 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3588 const struct nlattr * const *nla = cb->data;
3589
3590 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
3591
3592 if (nla[NFTA_RULE_TABLE]) {
3593 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC);
3594 if (!ctx->table)
3595 return -ENOMEM;
3596 }
3597 if (nla[NFTA_RULE_CHAIN]) {
3598 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC);
3599 if (!ctx->chain) {
3600 kfree(ctx->table);
3601 return -ENOMEM;
3602 }
3603 }
3604 return 0;
3605 }
3606
nf_tables_dumpreset_rules_start(struct netlink_callback * cb)3607 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb)
3608 {
3609 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3610
3611 ctx->reset = true;
3612
3613 return nf_tables_dump_rules_start(cb);
3614 }
3615
nf_tables_dump_rules_done(struct netlink_callback * cb)3616 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3617 {
3618 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3619
3620 kfree(ctx->table);
3621 kfree(ctx->chain);
3622 return 0;
3623 }
3624
3625 /* called with rcu_read_lock held */
3626 static struct sk_buff *
nf_tables_getrule_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)3627 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3628 const struct nlattr * const nla[], bool reset)
3629 {
3630 struct netlink_ext_ack *extack = info->extack;
3631 u8 genmask = nft_genmask_cur(info->net);
3632 u8 family = info->nfmsg->nfgen_family;
3633 const struct nft_chain *chain;
3634 const struct nft_rule *rule;
3635 struct net *net = info->net;
3636 struct nft_table *table;
3637 struct sk_buff *skb2;
3638 int err;
3639
3640 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3641 if (IS_ERR(table)) {
3642 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3643 return ERR_CAST(table);
3644 }
3645
3646 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3647 if (IS_ERR(chain)) {
3648 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3649 return ERR_CAST(chain);
3650 }
3651
3652 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3653 if (IS_ERR(rule)) {
3654 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3655 return ERR_CAST(rule);
3656 }
3657
3658 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3659 if (!skb2)
3660 return ERR_PTR(-ENOMEM);
3661
3662 err = nf_tables_fill_rule_info(skb2, net, portid,
3663 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3664 family, table, chain, rule, 0, reset);
3665 if (err < 0) {
3666 kfree_skb(skb2);
3667 return ERR_PTR(err);
3668 }
3669
3670 return skb2;
3671 }
3672
nf_tables_getrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3673 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3674 const struct nlattr * const nla[])
3675 {
3676 u32 portid = NETLINK_CB(skb).portid;
3677 struct net *net = info->net;
3678 struct sk_buff *skb2;
3679
3680 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3681 struct netlink_dump_control c = {
3682 .start= nf_tables_dump_rules_start,
3683 .dump = nf_tables_dump_rules,
3684 .done = nf_tables_dump_rules_done,
3685 .module = THIS_MODULE,
3686 .data = (void *)nla,
3687 };
3688
3689 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3690 }
3691
3692 skb2 = nf_tables_getrule_single(portid, info, nla, false);
3693 if (IS_ERR(skb2))
3694 return PTR_ERR(skb2);
3695
3696 return nfnetlink_unicast(skb2, net, portid);
3697 }
3698
nf_tables_getrule_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3699 static int nf_tables_getrule_reset(struct sk_buff *skb,
3700 const struct nfnl_info *info,
3701 const struct nlattr * const nla[])
3702 {
3703 struct nftables_pernet *nft_net = nft_pernet(info->net);
3704 u32 portid = NETLINK_CB(skb).portid;
3705 struct net *net = info->net;
3706 struct sk_buff *skb2;
3707 char *buf;
3708
3709 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3710 struct netlink_dump_control c = {
3711 .start= nf_tables_dumpreset_rules_start,
3712 .dump = nf_tables_dumpreset_rules,
3713 .done = nf_tables_dump_rules_done,
3714 .module = THIS_MODULE,
3715 .data = (void *)nla,
3716 };
3717
3718 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3719 }
3720
3721 if (!try_module_get(THIS_MODULE))
3722 return -EINVAL;
3723 rcu_read_unlock();
3724 mutex_lock(&nft_net->commit_mutex);
3725 skb2 = nf_tables_getrule_single(portid, info, nla, true);
3726 mutex_unlock(&nft_net->commit_mutex);
3727 rcu_read_lock();
3728 module_put(THIS_MODULE);
3729
3730 if (IS_ERR(skb2))
3731 return PTR_ERR(skb2);
3732
3733 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
3734 nla_len(nla[NFTA_RULE_TABLE]),
3735 (char *)nla_data(nla[NFTA_RULE_TABLE]),
3736 nft_net->base_seq);
3737 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
3738 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3739 kfree(buf);
3740
3741 return nfnetlink_unicast(skb2, net, portid);
3742 }
3743
nf_tables_rule_destroy(const struct nft_ctx * ctx,struct nft_rule * rule)3744 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
3745 {
3746 struct nft_expr *expr, *next;
3747
3748 /*
3749 * Careful: some expressions might not be initialized in case this
3750 * is called on error from nf_tables_newrule().
3751 */
3752 expr = nft_expr_first(rule);
3753 while (nft_expr_more(rule, expr)) {
3754 next = nft_expr_next(expr);
3755 nf_tables_expr_destroy(ctx, expr);
3756 expr = next;
3757 }
3758 kfree(rule);
3759 }
3760
nf_tables_rule_release(const struct nft_ctx * ctx,struct nft_rule * rule)3761 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3762 {
3763 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3764 nf_tables_rule_destroy(ctx, rule);
3765 }
3766
nft_chain_validate(const struct nft_ctx * ctx,const struct nft_chain * chain)3767 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3768 {
3769 struct nft_expr *expr, *last;
3770 const struct nft_data *data;
3771 struct nft_rule *rule;
3772 int err;
3773
3774 if (ctx->level == NFT_JUMP_STACK_SIZE)
3775 return -EMLINK;
3776
3777 list_for_each_entry(rule, &chain->rules, list) {
3778 if (fatal_signal_pending(current))
3779 return -EINTR;
3780
3781 if (!nft_is_active_next(ctx->net, rule))
3782 continue;
3783
3784 nft_rule_for_each_expr(expr, last, rule) {
3785 if (!expr->ops->validate)
3786 continue;
3787
3788 err = expr->ops->validate(ctx, expr, &data);
3789 if (err < 0)
3790 return err;
3791 }
3792 }
3793
3794 return 0;
3795 }
3796 EXPORT_SYMBOL_GPL(nft_chain_validate);
3797
nft_table_validate(struct net * net,const struct nft_table * table)3798 static int nft_table_validate(struct net *net, const struct nft_table *table)
3799 {
3800 struct nft_chain *chain;
3801 struct nft_ctx ctx = {
3802 .net = net,
3803 .family = table->family,
3804 };
3805 int err;
3806
3807 list_for_each_entry(chain, &table->chains, list) {
3808 if (!nft_is_base_chain(chain))
3809 continue;
3810
3811 ctx.chain = chain;
3812 err = nft_chain_validate(&ctx, chain);
3813 if (err < 0)
3814 return err;
3815
3816 cond_resched();
3817 }
3818
3819 return 0;
3820 }
3821
nft_setelem_validate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)3822 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3823 const struct nft_set_iter *iter,
3824 struct nft_elem_priv *elem_priv)
3825 {
3826 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
3827 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3828 const struct nft_data *data;
3829 int err;
3830
3831 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3832 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3833 return 0;
3834
3835 data = nft_set_ext_data(ext);
3836 switch (data->verdict.code) {
3837 case NFT_JUMP:
3838 case NFT_GOTO:
3839 pctx->level++;
3840 err = nft_chain_validate(ctx, data->verdict.chain);
3841 if (err < 0)
3842 return err;
3843 pctx->level--;
3844 break;
3845 default:
3846 break;
3847 }
3848
3849 return 0;
3850 }
3851
nft_set_catchall_validate(const struct nft_ctx * ctx,struct nft_set * set)3852 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3853 {
3854 u8 genmask = nft_genmask_next(ctx->net);
3855 struct nft_set_elem_catchall *catchall;
3856 struct nft_set_ext *ext;
3857 int ret = 0;
3858
3859 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3860 ext = nft_set_elem_ext(set, catchall->elem);
3861 if (!nft_set_elem_active(ext, genmask))
3862 continue;
3863
3864 ret = nft_setelem_validate(ctx, set, NULL, catchall->elem);
3865 if (ret < 0)
3866 return ret;
3867 }
3868
3869 return ret;
3870 }
3871
3872 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3873 const struct nft_chain *chain,
3874 const struct nlattr *nla);
3875
3876 #define NFT_RULE_MAXEXPRS 128
3877
nf_tables_newrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3878 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3879 const struct nlattr * const nla[])
3880 {
3881 struct nftables_pernet *nft_net = nft_pernet(info->net);
3882 struct netlink_ext_ack *extack = info->extack;
3883 unsigned int size, i, n, ulen = 0, usize = 0;
3884 u8 genmask = nft_genmask_next(info->net);
3885 struct nft_rule *rule, *old_rule = NULL;
3886 struct nft_expr_info *expr_info = NULL;
3887 u8 family = info->nfmsg->nfgen_family;
3888 struct nft_flow_rule *flow = NULL;
3889 struct net *net = info->net;
3890 struct nft_userdata *udata;
3891 struct nft_table *table;
3892 struct nft_chain *chain;
3893 struct nft_trans *trans;
3894 u64 handle, pos_handle;
3895 struct nft_expr *expr;
3896 struct nft_ctx ctx;
3897 struct nlattr *tmp;
3898 int err, rem;
3899
3900 lockdep_assert_held(&nft_net->commit_mutex);
3901
3902 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3903 NETLINK_CB(skb).portid);
3904 if (IS_ERR(table)) {
3905 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3906 return PTR_ERR(table);
3907 }
3908
3909 if (nla[NFTA_RULE_CHAIN]) {
3910 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3911 genmask);
3912 if (IS_ERR(chain)) {
3913 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3914 return PTR_ERR(chain);
3915 }
3916
3917 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3918 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
3919 genmask);
3920 if (IS_ERR(chain)) {
3921 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3922 return PTR_ERR(chain);
3923 }
3924 } else {
3925 return -EINVAL;
3926 }
3927
3928 if (nft_chain_is_bound(chain))
3929 return -EOPNOTSUPP;
3930
3931 if (nla[NFTA_RULE_HANDLE]) {
3932 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3933 rule = __nft_rule_lookup(chain, handle);
3934 if (IS_ERR(rule)) {
3935 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3936 return PTR_ERR(rule);
3937 }
3938
3939 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3940 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3941 return -EEXIST;
3942 }
3943 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3944 old_rule = rule;
3945 else
3946 return -EOPNOTSUPP;
3947 } else {
3948 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
3949 info->nlh->nlmsg_flags & NLM_F_REPLACE)
3950 return -EINVAL;
3951 handle = nf_tables_alloc_handle(table);
3952
3953 if (nla[NFTA_RULE_POSITION]) {
3954 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3955 old_rule = __nft_rule_lookup(chain, pos_handle);
3956 if (IS_ERR(old_rule)) {
3957 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3958 return PTR_ERR(old_rule);
3959 }
3960 } else if (nla[NFTA_RULE_POSITION_ID]) {
3961 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
3962 if (IS_ERR(old_rule)) {
3963 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3964 return PTR_ERR(old_rule);
3965 }
3966 }
3967 }
3968
3969 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3970
3971 n = 0;
3972 size = 0;
3973 if (nla[NFTA_RULE_EXPRESSIONS]) {
3974 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3975 sizeof(struct nft_expr_info),
3976 GFP_KERNEL);
3977 if (!expr_info)
3978 return -ENOMEM;
3979
3980 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3981 err = -EINVAL;
3982 if (nla_type(tmp) != NFTA_LIST_ELEM)
3983 goto err_release_expr;
3984 if (n == NFT_RULE_MAXEXPRS)
3985 goto err_release_expr;
3986 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
3987 if (err < 0) {
3988 NL_SET_BAD_ATTR(extack, tmp);
3989 goto err_release_expr;
3990 }
3991 size += expr_info[n].ops->size;
3992 n++;
3993 }
3994 }
3995 /* Check for overflow of dlen field */
3996 err = -EFBIG;
3997 if (size >= 1 << 12)
3998 goto err_release_expr;
3999
4000 if (nla[NFTA_RULE_USERDATA]) {
4001 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
4002 if (ulen > 0)
4003 usize = sizeof(struct nft_userdata) + ulen;
4004 }
4005
4006 err = -ENOMEM;
4007 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
4008 if (rule == NULL)
4009 goto err_release_expr;
4010
4011 nft_activate_next(net, rule);
4012
4013 rule->handle = handle;
4014 rule->dlen = size;
4015 rule->udata = ulen ? 1 : 0;
4016
4017 if (ulen) {
4018 udata = nft_userdata(rule);
4019 udata->len = ulen - 1;
4020 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
4021 }
4022
4023 expr = nft_expr_first(rule);
4024 for (i = 0; i < n; i++) {
4025 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
4026 if (err < 0) {
4027 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4028 goto err_release_rule;
4029 }
4030
4031 if (expr_info[i].ops->validate)
4032 nft_validate_state_update(table, NFT_VALIDATE_NEED);
4033
4034 expr_info[i].ops = NULL;
4035 expr = nft_expr_next(expr);
4036 }
4037
4038 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4039 flow = nft_flow_rule_create(net, rule);
4040 if (IS_ERR(flow)) {
4041 err = PTR_ERR(flow);
4042 goto err_release_rule;
4043 }
4044 }
4045
4046 if (!nft_use_inc(&chain->use)) {
4047 err = -EMFILE;
4048 goto err_release_rule;
4049 }
4050
4051 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4052 if (nft_chain_binding(chain)) {
4053 err = -EOPNOTSUPP;
4054 goto err_destroy_flow_rule;
4055 }
4056
4057 err = nft_delrule(&ctx, old_rule);
4058 if (err < 0)
4059 goto err_destroy_flow_rule;
4060
4061 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4062 if (trans == NULL) {
4063 err = -ENOMEM;
4064 goto err_destroy_flow_rule;
4065 }
4066 list_add_tail_rcu(&rule->list, &old_rule->list);
4067 } else {
4068 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4069 if (!trans) {
4070 err = -ENOMEM;
4071 goto err_destroy_flow_rule;
4072 }
4073
4074 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4075 if (old_rule)
4076 list_add_rcu(&rule->list, &old_rule->list);
4077 else
4078 list_add_tail_rcu(&rule->list, &chain->rules);
4079 } else {
4080 if (old_rule)
4081 list_add_tail_rcu(&rule->list, &old_rule->list);
4082 else
4083 list_add_rcu(&rule->list, &chain->rules);
4084 }
4085 }
4086 kvfree(expr_info);
4087
4088 if (flow)
4089 nft_trans_flow_rule(trans) = flow;
4090
4091 if (table->validate_state == NFT_VALIDATE_DO)
4092 return nft_table_validate(net, table);
4093
4094 return 0;
4095
4096 err_destroy_flow_rule:
4097 nft_use_dec_restore(&chain->use);
4098 if (flow)
4099 nft_flow_rule_destroy(flow);
4100 err_release_rule:
4101 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
4102 nf_tables_rule_destroy(&ctx, rule);
4103 err_release_expr:
4104 for (i = 0; i < n; i++) {
4105 if (expr_info[i].ops) {
4106 module_put(expr_info[i].ops->type->owner);
4107 if (expr_info[i].ops->type->release_ops)
4108 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4109 }
4110 }
4111 kvfree(expr_info);
4112
4113 return err;
4114 }
4115
nft_rule_lookup_byid(const struct net * net,const struct nft_chain * chain,const struct nlattr * nla)4116 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4117 const struct nft_chain *chain,
4118 const struct nlattr *nla)
4119 {
4120 struct nftables_pernet *nft_net = nft_pernet(net);
4121 u32 id = ntohl(nla_get_be32(nla));
4122 struct nft_trans *trans;
4123
4124 list_for_each_entry(trans, &nft_net->commit_list, list) {
4125 if (trans->msg_type == NFT_MSG_NEWRULE &&
4126 trans->ctx.chain == chain &&
4127 id == nft_trans_rule_id(trans))
4128 return nft_trans_rule(trans);
4129 }
4130 return ERR_PTR(-ENOENT);
4131 }
4132
nf_tables_delrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4133 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4134 const struct nlattr * const nla[])
4135 {
4136 struct netlink_ext_ack *extack = info->extack;
4137 u8 genmask = nft_genmask_next(info->net);
4138 u8 family = info->nfmsg->nfgen_family;
4139 struct nft_chain *chain = NULL;
4140 struct net *net = info->net;
4141 struct nft_table *table;
4142 struct nft_rule *rule;
4143 struct nft_ctx ctx;
4144 int err = 0;
4145
4146 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4147 NETLINK_CB(skb).portid);
4148 if (IS_ERR(table)) {
4149 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4150 return PTR_ERR(table);
4151 }
4152
4153 if (nla[NFTA_RULE_CHAIN]) {
4154 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4155 genmask);
4156 if (IS_ERR(chain)) {
4157 if (PTR_ERR(chain) == -ENOENT &&
4158 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4159 return 0;
4160
4161 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4162 return PTR_ERR(chain);
4163 }
4164 if (nft_chain_binding(chain))
4165 return -EOPNOTSUPP;
4166 }
4167
4168 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4169
4170 if (chain) {
4171 if (nla[NFTA_RULE_HANDLE]) {
4172 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
4173 if (IS_ERR(rule)) {
4174 if (PTR_ERR(rule) == -ENOENT &&
4175 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4176 return 0;
4177
4178 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4179 return PTR_ERR(rule);
4180 }
4181
4182 err = nft_delrule(&ctx, rule);
4183 } else if (nla[NFTA_RULE_ID]) {
4184 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
4185 if (IS_ERR(rule)) {
4186 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4187 return PTR_ERR(rule);
4188 }
4189
4190 err = nft_delrule(&ctx, rule);
4191 } else {
4192 err = nft_delrule_by_chain(&ctx);
4193 }
4194 } else {
4195 list_for_each_entry(chain, &table->chains, list) {
4196 if (!nft_is_active_next(net, chain))
4197 continue;
4198 if (nft_chain_binding(chain))
4199 continue;
4200
4201 ctx.chain = chain;
4202 err = nft_delrule_by_chain(&ctx);
4203 if (err < 0)
4204 break;
4205 }
4206 }
4207
4208 return err;
4209 }
4210
4211 /*
4212 * Sets
4213 */
4214 static const struct nft_set_type *nft_set_types[] = {
4215 &nft_set_hash_fast_type,
4216 &nft_set_hash_type,
4217 &nft_set_rhash_type,
4218 &nft_set_bitmap_type,
4219 &nft_set_rbtree_type,
4220 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4221 &nft_set_pipapo_avx2_type,
4222 #endif
4223 &nft_set_pipapo_type,
4224 };
4225
4226 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4227 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4228 NFT_SET_EVAL)
4229
nft_set_ops_candidate(const struct nft_set_type * type,u32 flags)4230 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4231 {
4232 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4233 }
4234
4235 /*
4236 * Select a set implementation based on the data characteristics and the
4237 * given policy. The total memory use might not be known if no size is
4238 * given, in that case the amount of memory per element is used.
4239 */
4240 static const struct nft_set_ops *
nft_select_set_ops(const struct nft_ctx * ctx,const struct nlattr * const nla[],const struct nft_set_desc * desc)4241 nft_select_set_ops(const struct nft_ctx *ctx,
4242 const struct nlattr * const nla[],
4243 const struct nft_set_desc *desc)
4244 {
4245 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4246 const struct nft_set_ops *ops, *bops;
4247 struct nft_set_estimate est, best;
4248 const struct nft_set_type *type;
4249 u32 flags = 0;
4250 int i;
4251
4252 lockdep_assert_held(&nft_net->commit_mutex);
4253 lockdep_nfnl_nft_mutex_not_held();
4254
4255 if (nla[NFTA_SET_FLAGS] != NULL)
4256 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4257
4258 bops = NULL;
4259 best.size = ~0;
4260 best.lookup = ~0;
4261 best.space = ~0;
4262
4263 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4264 type = nft_set_types[i];
4265 ops = &type->ops;
4266
4267 if (!nft_set_ops_candidate(type, flags))
4268 continue;
4269 if (!ops->estimate(desc, flags, &est))
4270 continue;
4271
4272 switch (desc->policy) {
4273 case NFT_SET_POL_PERFORMANCE:
4274 if (est.lookup < best.lookup)
4275 break;
4276 if (est.lookup == best.lookup &&
4277 est.space < best.space)
4278 break;
4279 continue;
4280 case NFT_SET_POL_MEMORY:
4281 if (!desc->size) {
4282 if (est.space < best.space)
4283 break;
4284 if (est.space == best.space &&
4285 est.lookup < best.lookup)
4286 break;
4287 } else if (est.size < best.size || !bops) {
4288 break;
4289 }
4290 continue;
4291 default:
4292 break;
4293 }
4294
4295 bops = ops;
4296 best = est;
4297 }
4298
4299 if (bops != NULL)
4300 return bops;
4301
4302 return ERR_PTR(-EOPNOTSUPP);
4303 }
4304
4305 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4306 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4307 .len = NFT_TABLE_MAXNAMELEN - 1 },
4308 [NFTA_SET_NAME] = { .type = NLA_STRING,
4309 .len = NFT_SET_MAXNAMELEN - 1 },
4310 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4311 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4312 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4313 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4314 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4315 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4316 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4317 [NFTA_SET_ID] = { .type = NLA_U32 },
4318 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4319 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4320 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4321 .len = NFT_USERDATA_MAXLEN },
4322 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4323 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4324 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4325 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
4326 };
4327
4328 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4329 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4330 };
4331
4332 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4333 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4334 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
4335 };
4336
nft_set_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4337 static struct nft_set *nft_set_lookup(const struct nft_table *table,
4338 const struct nlattr *nla, u8 genmask)
4339 {
4340 struct nft_set *set;
4341
4342 if (nla == NULL)
4343 return ERR_PTR(-EINVAL);
4344
4345 list_for_each_entry_rcu(set, &table->sets, list) {
4346 if (!nla_strcmp(nla, set->name) &&
4347 nft_active_genmask(set, genmask))
4348 return set;
4349 }
4350 return ERR_PTR(-ENOENT);
4351 }
4352
nft_set_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4353 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4354 const struct nlattr *nla,
4355 u8 genmask)
4356 {
4357 struct nft_set *set;
4358
4359 list_for_each_entry(set, &table->sets, list) {
4360 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4361 nft_active_genmask(set, genmask))
4362 return set;
4363 }
4364 return ERR_PTR(-ENOENT);
4365 }
4366
nft_set_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)4367 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4368 const struct nft_table *table,
4369 const struct nlattr *nla, u8 genmask)
4370 {
4371 struct nftables_pernet *nft_net = nft_pernet(net);
4372 u32 id = ntohl(nla_get_be32(nla));
4373 struct nft_trans *trans;
4374
4375 list_for_each_entry(trans, &nft_net->commit_list, list) {
4376 if (trans->msg_type == NFT_MSG_NEWSET) {
4377 struct nft_set *set = nft_trans_set(trans);
4378
4379 if (id == nft_trans_set_id(trans) &&
4380 set->table == table &&
4381 nft_active_genmask(set, genmask))
4382 return set;
4383 }
4384 }
4385 return ERR_PTR(-ENOENT);
4386 }
4387
nft_set_lookup_global(const struct net * net,const struct nft_table * table,const struct nlattr * nla_set_name,const struct nlattr * nla_set_id,u8 genmask)4388 struct nft_set *nft_set_lookup_global(const struct net *net,
4389 const struct nft_table *table,
4390 const struct nlattr *nla_set_name,
4391 const struct nlattr *nla_set_id,
4392 u8 genmask)
4393 {
4394 struct nft_set *set;
4395
4396 set = nft_set_lookup(table, nla_set_name, genmask);
4397 if (IS_ERR(set)) {
4398 if (!nla_set_id)
4399 return set;
4400
4401 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4402 }
4403 return set;
4404 }
4405 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4406
nf_tables_set_alloc_name(struct nft_ctx * ctx,struct nft_set * set,const char * name)4407 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4408 const char *name)
4409 {
4410 const struct nft_set *i;
4411 const char *p;
4412 unsigned long *inuse;
4413 unsigned int n = 0, min = 0;
4414
4415 p = strchr(name, '%');
4416 if (p != NULL) {
4417 if (p[1] != 'd' || strchr(p + 2, '%'))
4418 return -EINVAL;
4419
4420 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)
4421 return -EINVAL;
4422
4423 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4424 if (inuse == NULL)
4425 return -ENOMEM;
4426 cont:
4427 list_for_each_entry(i, &ctx->table->sets, list) {
4428 int tmp;
4429
4430 if (!nft_is_active_next(ctx->net, i))
4431 continue;
4432 if (!sscanf(i->name, name, &tmp))
4433 continue;
4434 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4435 continue;
4436
4437 set_bit(tmp - min, inuse);
4438 }
4439
4440 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4441 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4442 min += BITS_PER_BYTE * PAGE_SIZE;
4443 memset(inuse, 0, PAGE_SIZE);
4444 goto cont;
4445 }
4446 free_page((unsigned long)inuse);
4447 }
4448
4449 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4450 if (!set->name)
4451 return -ENOMEM;
4452
4453 list_for_each_entry(i, &ctx->table->sets, list) {
4454 if (!nft_is_active_next(ctx->net, i))
4455 continue;
4456 if (!strcmp(set->name, i->name)) {
4457 kfree(set->name);
4458 set->name = NULL;
4459 return -ENFILE;
4460 }
4461 }
4462 return 0;
4463 }
4464
nf_msecs_to_jiffies64(const struct nlattr * nla,u64 * result)4465 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4466 {
4467 u64 ms = be64_to_cpu(nla_get_be64(nla));
4468 u64 max = (u64)(~((u64)0));
4469
4470 max = div_u64(max, NSEC_PER_MSEC);
4471 if (ms >= max)
4472 return -ERANGE;
4473
4474 ms *= NSEC_PER_MSEC;
4475 *result = nsecs_to_jiffies64(ms);
4476 return 0;
4477 }
4478
nf_jiffies64_to_msecs(u64 input)4479 __be64 nf_jiffies64_to_msecs(u64 input)
4480 {
4481 return cpu_to_be64(jiffies64_to_msecs(input));
4482 }
4483
nf_tables_fill_set_concat(struct sk_buff * skb,const struct nft_set * set)4484 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4485 const struct nft_set *set)
4486 {
4487 struct nlattr *concat, *field;
4488 int i;
4489
4490 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4491 if (!concat)
4492 return -ENOMEM;
4493
4494 for (i = 0; i < set->field_count; i++) {
4495 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4496 if (!field)
4497 return -ENOMEM;
4498
4499 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4500 htonl(set->field_len[i])))
4501 return -ENOMEM;
4502
4503 nla_nest_end(skb, field);
4504 }
4505
4506 nla_nest_end(skb, concat);
4507
4508 return 0;
4509 }
4510
nf_tables_fill_set(struct sk_buff * skb,const struct nft_ctx * ctx,const struct nft_set * set,u16 event,u16 flags)4511 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4512 const struct nft_set *set, u16 event, u16 flags)
4513 {
4514 u64 timeout = READ_ONCE(set->timeout);
4515 u32 gc_int = READ_ONCE(set->gc_int);
4516 u32 portid = ctx->portid;
4517 struct nlmsghdr *nlh;
4518 struct nlattr *nest;
4519 u32 seq = ctx->seq;
4520 int i;
4521
4522 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4523 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4524 NFNETLINK_V0, nft_base_seq(ctx->net));
4525 if (!nlh)
4526 goto nla_put_failure;
4527
4528 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4529 goto nla_put_failure;
4530 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4531 goto nla_put_failure;
4532 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4533 NFTA_SET_PAD))
4534 goto nla_put_failure;
4535
4536 if (event == NFT_MSG_DELSET) {
4537 nlmsg_end(skb, nlh);
4538 return 0;
4539 }
4540
4541 if (set->flags != 0)
4542 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4543 goto nla_put_failure;
4544
4545 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4546 goto nla_put_failure;
4547 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4548 goto nla_put_failure;
4549 if (set->flags & NFT_SET_MAP) {
4550 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4551 goto nla_put_failure;
4552 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4553 goto nla_put_failure;
4554 }
4555 if (set->flags & NFT_SET_OBJECT &&
4556 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4557 goto nla_put_failure;
4558
4559 if (timeout &&
4560 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4561 nf_jiffies64_to_msecs(timeout),
4562 NFTA_SET_PAD))
4563 goto nla_put_failure;
4564 if (gc_int &&
4565 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4566 goto nla_put_failure;
4567
4568 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4569 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4570 goto nla_put_failure;
4571 }
4572
4573 if (set->udata &&
4574 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4575 goto nla_put_failure;
4576
4577 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4578 if (!nest)
4579 goto nla_put_failure;
4580 if (set->size &&
4581 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4582 goto nla_put_failure;
4583
4584 if (set->field_count > 1 &&
4585 nf_tables_fill_set_concat(skb, set))
4586 goto nla_put_failure;
4587
4588 nla_nest_end(skb, nest);
4589
4590 if (set->num_exprs == 1) {
4591 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4592 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4593 goto nla_put_failure;
4594
4595 nla_nest_end(skb, nest);
4596 } else if (set->num_exprs > 1) {
4597 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4598 if (nest == NULL)
4599 goto nla_put_failure;
4600
4601 for (i = 0; i < set->num_exprs; i++) {
4602 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4603 set->exprs[i], false) < 0)
4604 goto nla_put_failure;
4605 }
4606 nla_nest_end(skb, nest);
4607 }
4608
4609 nlmsg_end(skb, nlh);
4610 return 0;
4611
4612 nla_put_failure:
4613 nlmsg_trim(skb, nlh);
4614 return -1;
4615 }
4616
nf_tables_set_notify(const struct nft_ctx * ctx,const struct nft_set * set,int event,gfp_t gfp_flags)4617 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4618 const struct nft_set *set, int event,
4619 gfp_t gfp_flags)
4620 {
4621 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4622 u32 portid = ctx->portid;
4623 struct sk_buff *skb;
4624 u16 flags = 0;
4625 int err;
4626
4627 if (!ctx->report &&
4628 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4629 return;
4630
4631 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4632 if (skb == NULL)
4633 goto err;
4634
4635 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4636 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4637
4638 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4639 if (err < 0) {
4640 kfree_skb(skb);
4641 goto err;
4642 }
4643
4644 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4645 return;
4646 err:
4647 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4648 }
4649
nf_tables_dump_sets(struct sk_buff * skb,struct netlink_callback * cb)4650 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4651 {
4652 const struct nft_set *set;
4653 unsigned int idx, s_idx = cb->args[0];
4654 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4655 struct net *net = sock_net(skb->sk);
4656 struct nft_ctx *ctx = cb->data, ctx_set;
4657 struct nftables_pernet *nft_net;
4658
4659 if (cb->args[1])
4660 return skb->len;
4661
4662 rcu_read_lock();
4663 nft_net = nft_pernet(net);
4664 cb->seq = READ_ONCE(nft_net->base_seq);
4665
4666 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4667 if (ctx->family != NFPROTO_UNSPEC &&
4668 ctx->family != table->family)
4669 continue;
4670
4671 if (ctx->table && ctx->table != table)
4672 continue;
4673
4674 if (cur_table) {
4675 if (cur_table != table)
4676 continue;
4677
4678 cur_table = NULL;
4679 }
4680 idx = 0;
4681 list_for_each_entry_rcu(set, &table->sets, list) {
4682 if (idx < s_idx)
4683 goto cont;
4684 if (!nft_is_active(net, set))
4685 goto cont;
4686
4687 ctx_set = *ctx;
4688 ctx_set.table = table;
4689 ctx_set.family = table->family;
4690
4691 if (nf_tables_fill_set(skb, &ctx_set, set,
4692 NFT_MSG_NEWSET,
4693 NLM_F_MULTI) < 0) {
4694 cb->args[0] = idx;
4695 cb->args[2] = (unsigned long) table;
4696 goto done;
4697 }
4698 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4699 cont:
4700 idx++;
4701 }
4702 if (s_idx)
4703 s_idx = 0;
4704 }
4705 cb->args[1] = 1;
4706 done:
4707 rcu_read_unlock();
4708 return skb->len;
4709 }
4710
nf_tables_dump_sets_start(struct netlink_callback * cb)4711 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4712 {
4713 struct nft_ctx *ctx_dump = NULL;
4714
4715 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4716 if (ctx_dump == NULL)
4717 return -ENOMEM;
4718
4719 cb->data = ctx_dump;
4720 return 0;
4721 }
4722
nf_tables_dump_sets_done(struct netlink_callback * cb)4723 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4724 {
4725 kfree(cb->data);
4726 return 0;
4727 }
4728
4729 /* called with rcu_read_lock held */
nf_tables_getset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4730 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4731 const struct nlattr * const nla[])
4732 {
4733 struct netlink_ext_ack *extack = info->extack;
4734 u8 genmask = nft_genmask_cur(info->net);
4735 u8 family = info->nfmsg->nfgen_family;
4736 struct nft_table *table = NULL;
4737 struct net *net = info->net;
4738 const struct nft_set *set;
4739 struct sk_buff *skb2;
4740 struct nft_ctx ctx;
4741 int err;
4742
4743 if (nla[NFTA_SET_TABLE]) {
4744 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4745 genmask, 0);
4746 if (IS_ERR(table)) {
4747 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4748 return PTR_ERR(table);
4749 }
4750 }
4751
4752 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4753
4754 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4755 struct netlink_dump_control c = {
4756 .start = nf_tables_dump_sets_start,
4757 .dump = nf_tables_dump_sets,
4758 .done = nf_tables_dump_sets_done,
4759 .data = &ctx,
4760 .module = THIS_MODULE,
4761 };
4762
4763 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4764 }
4765
4766 /* Only accept unspec with dump */
4767 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4768 return -EAFNOSUPPORT;
4769 if (!nla[NFTA_SET_TABLE])
4770 return -EINVAL;
4771
4772 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4773 if (IS_ERR(set)) {
4774 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4775 return PTR_ERR(set);
4776 }
4777
4778 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4779 if (skb2 == NULL)
4780 return -ENOMEM;
4781
4782 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4783 if (err < 0)
4784 goto err_fill_set_info;
4785
4786 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4787
4788 err_fill_set_info:
4789 kfree_skb(skb2);
4790 return err;
4791 }
4792
nft_set_desc_concat_parse(const struct nlattr * attr,struct nft_set_desc * desc)4793 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4794 struct nft_set_desc *desc)
4795 {
4796 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4797 u32 len;
4798 int err;
4799
4800 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4801 return -E2BIG;
4802
4803 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4804 nft_concat_policy, NULL);
4805 if (err < 0)
4806 return err;
4807
4808 if (!tb[NFTA_SET_FIELD_LEN])
4809 return -EINVAL;
4810
4811 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4812 if (!len || len > U8_MAX)
4813 return -EINVAL;
4814
4815 desc->field_len[desc->field_count++] = len;
4816
4817 return 0;
4818 }
4819
nft_set_desc_concat(struct nft_set_desc * desc,const struct nlattr * nla)4820 static int nft_set_desc_concat(struct nft_set_desc *desc,
4821 const struct nlattr *nla)
4822 {
4823 u32 num_regs = 0, key_num_regs = 0;
4824 struct nlattr *attr;
4825 int rem, err, i;
4826
4827 nla_for_each_nested(attr, nla, rem) {
4828 if (nla_type(attr) != NFTA_LIST_ELEM)
4829 return -EINVAL;
4830
4831 err = nft_set_desc_concat_parse(attr, desc);
4832 if (err < 0)
4833 return err;
4834 }
4835
4836 for (i = 0; i < desc->field_count; i++)
4837 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4838
4839 key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
4840 if (key_num_regs != num_regs)
4841 return -EINVAL;
4842
4843 if (num_regs > NFT_REG32_COUNT)
4844 return -E2BIG;
4845
4846 return 0;
4847 }
4848
nf_tables_set_desc_parse(struct nft_set_desc * desc,const struct nlattr * nla)4849 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4850 const struct nlattr *nla)
4851 {
4852 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4853 int err;
4854
4855 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4856 nft_set_desc_policy, NULL);
4857 if (err < 0)
4858 return err;
4859
4860 if (da[NFTA_SET_DESC_SIZE] != NULL)
4861 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4862 if (da[NFTA_SET_DESC_CONCAT])
4863 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4864
4865 return err;
4866 }
4867
nft_set_expr_alloc(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * const * nla,struct nft_expr ** exprs,int * num_exprs,u32 flags)4868 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4869 const struct nlattr * const *nla,
4870 struct nft_expr **exprs, int *num_exprs,
4871 u32 flags)
4872 {
4873 struct nft_expr *expr;
4874 int err, i;
4875
4876 if (nla[NFTA_SET_EXPR]) {
4877 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
4878 if (IS_ERR(expr)) {
4879 err = PTR_ERR(expr);
4880 goto err_set_expr_alloc;
4881 }
4882 exprs[0] = expr;
4883 (*num_exprs)++;
4884 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4885 struct nlattr *tmp;
4886 int left;
4887
4888 if (!(flags & NFT_SET_EXPR)) {
4889 err = -EINVAL;
4890 goto err_set_expr_alloc;
4891 }
4892 i = 0;
4893 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4894 if (i == NFT_SET_EXPR_MAX) {
4895 err = -E2BIG;
4896 goto err_set_expr_alloc;
4897 }
4898 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4899 err = -EINVAL;
4900 goto err_set_expr_alloc;
4901 }
4902 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
4903 if (IS_ERR(expr)) {
4904 err = PTR_ERR(expr);
4905 goto err_set_expr_alloc;
4906 }
4907 exprs[i++] = expr;
4908 (*num_exprs)++;
4909 }
4910 }
4911
4912 return 0;
4913
4914 err_set_expr_alloc:
4915 for (i = 0; i < *num_exprs; i++)
4916 nft_expr_destroy(ctx, exprs[i]);
4917
4918 return err;
4919 }
4920
nft_set_is_same(const struct nft_set * set,const struct nft_set_desc * desc,struct nft_expr * exprs[],u32 num_exprs,u32 flags)4921 static bool nft_set_is_same(const struct nft_set *set,
4922 const struct nft_set_desc *desc,
4923 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
4924 {
4925 int i;
4926
4927 if (set->ktype != desc->ktype ||
4928 set->dtype != desc->dtype ||
4929 set->flags != flags ||
4930 set->klen != desc->klen ||
4931 set->dlen != desc->dlen ||
4932 set->field_count != desc->field_count ||
4933 set->num_exprs != num_exprs)
4934 return false;
4935
4936 for (i = 0; i < desc->field_count; i++) {
4937 if (set->field_len[i] != desc->field_len[i])
4938 return false;
4939 }
4940
4941 for (i = 0; i < num_exprs; i++) {
4942 if (set->exprs[i]->ops != exprs[i]->ops)
4943 return false;
4944 }
4945
4946 return true;
4947 }
4948
nf_tables_newset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4949 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
4950 const struct nlattr * const nla[])
4951 {
4952 struct netlink_ext_ack *extack = info->extack;
4953 u8 genmask = nft_genmask_next(info->net);
4954 u8 family = info->nfmsg->nfgen_family;
4955 const struct nft_set_ops *ops;
4956 struct net *net = info->net;
4957 struct nft_set_desc desc;
4958 struct nft_table *table;
4959 unsigned char *udata;
4960 struct nft_set *set;
4961 struct nft_ctx ctx;
4962 size_t alloc_size;
4963 int num_exprs = 0;
4964 char *name;
4965 int err, i;
4966 u16 udlen;
4967 u32 flags;
4968 u64 size;
4969
4970 if (nla[NFTA_SET_TABLE] == NULL ||
4971 nla[NFTA_SET_NAME] == NULL ||
4972 nla[NFTA_SET_KEY_LEN] == NULL ||
4973 nla[NFTA_SET_ID] == NULL)
4974 return -EINVAL;
4975
4976 memset(&desc, 0, sizeof(desc));
4977
4978 desc.ktype = NFT_DATA_VALUE;
4979 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4980 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4981 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4982 return -EINVAL;
4983 }
4984
4985 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4986 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4987 return -EINVAL;
4988
4989 flags = 0;
4990 if (nla[NFTA_SET_FLAGS] != NULL) {
4991 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4992 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4993 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4994 NFT_SET_MAP | NFT_SET_EVAL |
4995 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4996 return -EOPNOTSUPP;
4997 /* Only one of these operations is supported */
4998 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4999 (NFT_SET_MAP | NFT_SET_OBJECT))
5000 return -EOPNOTSUPP;
5001 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
5002 (NFT_SET_EVAL | NFT_SET_OBJECT))
5003 return -EOPNOTSUPP;
5004 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
5005 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
5006 return -EOPNOTSUPP;
5007 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
5008 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
5009 return -EOPNOTSUPP;
5010 }
5011
5012 desc.dtype = 0;
5013 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
5014 if (!(flags & NFT_SET_MAP))
5015 return -EINVAL;
5016
5017 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
5018 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
5019 desc.dtype != NFT_DATA_VERDICT)
5020 return -EINVAL;
5021
5022 if (desc.dtype != NFT_DATA_VERDICT) {
5023 if (nla[NFTA_SET_DATA_LEN] == NULL)
5024 return -EINVAL;
5025 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
5026 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
5027 return -EINVAL;
5028 } else
5029 desc.dlen = sizeof(struct nft_verdict);
5030 } else if (flags & NFT_SET_MAP)
5031 return -EINVAL;
5032
5033 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5034 if (!(flags & NFT_SET_OBJECT))
5035 return -EINVAL;
5036
5037 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5038 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5039 desc.objtype > NFT_OBJECT_MAX)
5040 return -EOPNOTSUPP;
5041 } else if (flags & NFT_SET_OBJECT)
5042 return -EINVAL;
5043 else
5044 desc.objtype = NFT_OBJECT_UNSPEC;
5045
5046 desc.timeout = 0;
5047 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5048 if (!(flags & NFT_SET_TIMEOUT))
5049 return -EINVAL;
5050
5051 if (flags & NFT_SET_ANONYMOUS)
5052 return -EOPNOTSUPP;
5053
5054 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
5055 if (err)
5056 return err;
5057 }
5058 desc.gc_int = 0;
5059 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5060 if (!(flags & NFT_SET_TIMEOUT))
5061 return -EINVAL;
5062
5063 if (flags & NFT_SET_ANONYMOUS)
5064 return -EOPNOTSUPP;
5065
5066 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5067 }
5068
5069 desc.policy = NFT_SET_POL_PERFORMANCE;
5070 if (nla[NFTA_SET_POLICY] != NULL) {
5071 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5072 switch (desc.policy) {
5073 case NFT_SET_POL_PERFORMANCE:
5074 case NFT_SET_POL_MEMORY:
5075 break;
5076 default:
5077 return -EOPNOTSUPP;
5078 }
5079 }
5080
5081 if (nla[NFTA_SET_DESC] != NULL) {
5082 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
5083 if (err < 0)
5084 return err;
5085
5086 if (desc.field_count > 1) {
5087 if (!(flags & NFT_SET_CONCAT))
5088 return -EINVAL;
5089 } else if (flags & NFT_SET_CONCAT) {
5090 return -EINVAL;
5091 }
5092 } else if (flags & NFT_SET_CONCAT) {
5093 return -EINVAL;
5094 }
5095
5096 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5097 desc.expr = true;
5098
5099 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
5100 NETLINK_CB(skb).portid);
5101 if (IS_ERR(table)) {
5102 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5103 return PTR_ERR(table);
5104 }
5105
5106 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5107
5108 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
5109 if (IS_ERR(set)) {
5110 if (PTR_ERR(set) != -ENOENT) {
5111 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5112 return PTR_ERR(set);
5113 }
5114 } else {
5115 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5116
5117 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5118 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5119 return -EEXIST;
5120 }
5121 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5122 return -EOPNOTSUPP;
5123
5124 if (nft_set_is_anonymous(set))
5125 return -EOPNOTSUPP;
5126
5127 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
5128 if (err < 0)
5129 return err;
5130
5131 err = 0;
5132 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
5133 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5134 err = -EEXIST;
5135 }
5136
5137 for (i = 0; i < num_exprs; i++)
5138 nft_expr_destroy(&ctx, exprs[i]);
5139
5140 if (err < 0)
5141 return err;
5142
5143 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
5144 }
5145
5146 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5147 return -ENOENT;
5148
5149 ops = nft_select_set_ops(&ctx, nla, &desc);
5150 if (IS_ERR(ops))
5151 return PTR_ERR(ops);
5152
5153 udlen = 0;
5154 if (nla[NFTA_SET_USERDATA])
5155 udlen = nla_len(nla[NFTA_SET_USERDATA]);
5156
5157 size = 0;
5158 if (ops->privsize != NULL)
5159 size = ops->privsize(nla, &desc);
5160 alloc_size = sizeof(*set) + size + udlen;
5161 if (alloc_size < size || alloc_size > INT_MAX)
5162 return -ENOMEM;
5163
5164 if (!nft_use_inc(&table->use))
5165 return -EMFILE;
5166
5167 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
5168 if (!set) {
5169 err = -ENOMEM;
5170 goto err_alloc;
5171 }
5172
5173 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5174 if (!name) {
5175 err = -ENOMEM;
5176 goto err_set_name;
5177 }
5178
5179 err = nf_tables_set_alloc_name(&ctx, set, name);
5180 kfree(name);
5181 if (err < 0)
5182 goto err_set_name;
5183
5184 udata = NULL;
5185 if (udlen) {
5186 udata = set->data + size;
5187 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
5188 }
5189
5190 INIT_LIST_HEAD(&set->bindings);
5191 INIT_LIST_HEAD(&set->catchall_list);
5192 refcount_set(&set->refs, 1);
5193 set->table = table;
5194 write_pnet(&set->net, net);
5195 set->ops = ops;
5196 set->ktype = desc.ktype;
5197 set->klen = desc.klen;
5198 set->dtype = desc.dtype;
5199 set->objtype = desc.objtype;
5200 set->dlen = desc.dlen;
5201 set->flags = flags;
5202 set->size = desc.size;
5203 set->policy = desc.policy;
5204 set->udlen = udlen;
5205 set->udata = udata;
5206 set->timeout = desc.timeout;
5207 set->gc_int = desc.gc_int;
5208
5209 set->field_count = desc.field_count;
5210 for (i = 0; i < desc.field_count; i++)
5211 set->field_len[i] = desc.field_len[i];
5212
5213 err = ops->init(set, &desc, nla);
5214 if (err < 0)
5215 goto err_set_init;
5216
5217 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
5218 if (err < 0)
5219 goto err_set_destroy;
5220
5221 set->num_exprs = num_exprs;
5222 set->handle = nf_tables_alloc_handle(table);
5223 INIT_LIST_HEAD(&set->pending_update);
5224
5225 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
5226 if (err < 0)
5227 goto err_set_expr_alloc;
5228
5229 list_add_tail_rcu(&set->list, &table->sets);
5230
5231 return 0;
5232
5233 err_set_expr_alloc:
5234 for (i = 0; i < set->num_exprs; i++)
5235 nft_expr_destroy(&ctx, set->exprs[i]);
5236 err_set_destroy:
5237 ops->destroy(&ctx, set);
5238 err_set_init:
5239 kfree(set->name);
5240 err_set_name:
5241 kvfree(set);
5242 err_alloc:
5243 nft_use_dec_restore(&table->use);
5244
5245 return err;
5246 }
5247
nft_set_catchall_destroy(const struct nft_ctx * ctx,struct nft_set * set)5248 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5249 struct nft_set *set)
5250 {
5251 struct nft_set_elem_catchall *next, *catchall;
5252
5253 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5254 list_del_rcu(&catchall->list);
5255 nf_tables_set_elem_destroy(ctx, set, catchall->elem);
5256 kfree_rcu(catchall, rcu);
5257 }
5258 }
5259
nft_set_put(struct nft_set * set)5260 static void nft_set_put(struct nft_set *set)
5261 {
5262 if (refcount_dec_and_test(&set->refs)) {
5263 kfree(set->name);
5264 kvfree(set);
5265 }
5266 }
5267
nft_set_destroy(const struct nft_ctx * ctx,struct nft_set * set)5268 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5269 {
5270 int i;
5271
5272 if (WARN_ON(set->use > 0))
5273 return;
5274
5275 for (i = 0; i < set->num_exprs; i++)
5276 nft_expr_destroy(ctx, set->exprs[i]);
5277
5278 set->ops->destroy(ctx, set);
5279 nft_set_catchall_destroy(ctx, set);
5280 nft_set_put(set);
5281 }
5282
nf_tables_delset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5283 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5284 const struct nlattr * const nla[])
5285 {
5286 struct netlink_ext_ack *extack = info->extack;
5287 u8 genmask = nft_genmask_next(info->net);
5288 u8 family = info->nfmsg->nfgen_family;
5289 struct net *net = info->net;
5290 const struct nlattr *attr;
5291 struct nft_table *table;
5292 struct nft_set *set;
5293 struct nft_ctx ctx;
5294
5295 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5296 return -EAFNOSUPPORT;
5297
5298 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5299 genmask, NETLINK_CB(skb).portid);
5300 if (IS_ERR(table)) {
5301 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5302 return PTR_ERR(table);
5303 }
5304
5305 if (nla[NFTA_SET_HANDLE]) {
5306 attr = nla[NFTA_SET_HANDLE];
5307 set = nft_set_lookup_byhandle(table, attr, genmask);
5308 } else {
5309 attr = nla[NFTA_SET_NAME];
5310 set = nft_set_lookup(table, attr, genmask);
5311 }
5312
5313 if (IS_ERR(set)) {
5314 if (PTR_ERR(set) == -ENOENT &&
5315 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5316 return 0;
5317
5318 NL_SET_BAD_ATTR(extack, attr);
5319 return PTR_ERR(set);
5320 }
5321 if (set->use ||
5322 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5323 atomic_read(&set->nelems) > 0)) {
5324 NL_SET_BAD_ATTR(extack, attr);
5325 return -EBUSY;
5326 }
5327
5328 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5329
5330 return nft_delset(&ctx, set);
5331 }
5332
5333 static int nft_validate_register_store(const struct nft_ctx *ctx,
5334 enum nft_registers reg,
5335 const struct nft_data *data,
5336 enum nft_data_types type,
5337 unsigned int len);
5338
nft_setelem_data_validate(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)5339 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5340 struct nft_set *set,
5341 struct nft_elem_priv *elem_priv)
5342 {
5343 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5344 enum nft_registers dreg;
5345
5346 dreg = nft_type_to_reg(set->dtype);
5347 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5348 set->dtype == NFT_DATA_VERDICT ?
5349 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5350 set->dlen);
5351 }
5352
nf_tables_bind_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5353 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5354 struct nft_set *set,
5355 const struct nft_set_iter *iter,
5356 struct nft_elem_priv *elem_priv)
5357 {
5358 return nft_setelem_data_validate(ctx, set, elem_priv);
5359 }
5360
nft_set_catchall_bind_check(const struct nft_ctx * ctx,struct nft_set * set)5361 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5362 struct nft_set *set)
5363 {
5364 u8 genmask = nft_genmask_next(ctx->net);
5365 struct nft_set_elem_catchall *catchall;
5366 struct nft_set_ext *ext;
5367 int ret = 0;
5368
5369 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5370 ext = nft_set_elem_ext(set, catchall->elem);
5371 if (!nft_set_elem_active(ext, genmask))
5372 continue;
5373
5374 ret = nft_setelem_data_validate(ctx, set, catchall->elem);
5375 if (ret < 0)
5376 break;
5377 }
5378
5379 return ret;
5380 }
5381
nf_tables_bind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding)5382 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5383 struct nft_set_binding *binding)
5384 {
5385 struct nft_set_binding *i;
5386 struct nft_set_iter iter;
5387
5388 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5389 return -EBUSY;
5390
5391 if (binding->flags & NFT_SET_MAP) {
5392 /* If the set is already bound to the same chain all
5393 * jumps are already validated for that chain.
5394 */
5395 list_for_each_entry(i, &set->bindings, list) {
5396 if (i->flags & NFT_SET_MAP &&
5397 i->chain == binding->chain)
5398 goto bind;
5399 }
5400
5401 iter.genmask = nft_genmask_next(ctx->net);
5402 iter.skip = 0;
5403 iter.count = 0;
5404 iter.err = 0;
5405 iter.fn = nf_tables_bind_check_setelem;
5406
5407 set->ops->walk(ctx, set, &iter);
5408 if (!iter.err)
5409 iter.err = nft_set_catchall_bind_check(ctx, set);
5410
5411 if (iter.err < 0)
5412 return iter.err;
5413 }
5414 bind:
5415 if (!nft_use_inc(&set->use))
5416 return -EMFILE;
5417
5418 binding->chain = ctx->chain;
5419 list_add_tail_rcu(&binding->list, &set->bindings);
5420 nft_set_trans_bind(ctx, set);
5421
5422 return 0;
5423 }
5424 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5425
nf_tables_unbind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,bool event)5426 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5427 struct nft_set_binding *binding, bool event)
5428 {
5429 list_del_rcu(&binding->list);
5430
5431 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5432 list_del_rcu(&set->list);
5433 set->dead = 1;
5434 if (event)
5435 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5436 GFP_KERNEL);
5437 }
5438 }
5439
5440 static void nft_setelem_data_activate(const struct net *net,
5441 const struct nft_set *set,
5442 struct nft_elem_priv *elem_priv);
5443
nft_mapelem_activate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5444 static int nft_mapelem_activate(const struct nft_ctx *ctx,
5445 struct nft_set *set,
5446 const struct nft_set_iter *iter,
5447 struct nft_elem_priv *elem_priv)
5448 {
5449 nft_setelem_data_activate(ctx->net, set, elem_priv);
5450
5451 return 0;
5452 }
5453
nft_map_catchall_activate(const struct nft_ctx * ctx,struct nft_set * set)5454 static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5455 struct nft_set *set)
5456 {
5457 u8 genmask = nft_genmask_next(ctx->net);
5458 struct nft_set_elem_catchall *catchall;
5459 struct nft_set_ext *ext;
5460
5461 list_for_each_entry(catchall, &set->catchall_list, list) {
5462 ext = nft_set_elem_ext(set, catchall->elem);
5463 if (!nft_set_elem_active(ext, genmask))
5464 continue;
5465
5466 nft_setelem_data_activate(ctx->net, set, catchall->elem);
5467 break;
5468 }
5469 }
5470
nft_map_activate(const struct nft_ctx * ctx,struct nft_set * set)5471 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5472 {
5473 struct nft_set_iter iter = {
5474 .genmask = nft_genmask_next(ctx->net),
5475 .fn = nft_mapelem_activate,
5476 };
5477
5478 set->ops->walk(ctx, set, &iter);
5479 WARN_ON_ONCE(iter.err);
5480
5481 nft_map_catchall_activate(ctx, set);
5482 }
5483
nf_tables_activate_set(const struct nft_ctx * ctx,struct nft_set * set)5484 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5485 {
5486 if (nft_set_is_anonymous(set)) {
5487 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5488 nft_map_activate(ctx, set);
5489
5490 nft_clear(ctx->net, set);
5491 }
5492
5493 nft_use_inc_restore(&set->use);
5494 }
5495 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5496
nf_tables_deactivate_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,enum nft_trans_phase phase)5497 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5498 struct nft_set_binding *binding,
5499 enum nft_trans_phase phase)
5500 {
5501 switch (phase) {
5502 case NFT_TRANS_PREPARE_ERROR:
5503 nft_set_trans_unbind(ctx, set);
5504 if (nft_set_is_anonymous(set))
5505 nft_deactivate_next(ctx->net, set);
5506 else
5507 list_del_rcu(&binding->list);
5508
5509 nft_use_dec(&set->use);
5510 break;
5511 case NFT_TRANS_PREPARE:
5512 if (nft_set_is_anonymous(set)) {
5513 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5514 nft_map_deactivate(ctx, set);
5515
5516 nft_deactivate_next(ctx->net, set);
5517 }
5518 nft_use_dec(&set->use);
5519 return;
5520 case NFT_TRANS_ABORT:
5521 case NFT_TRANS_RELEASE:
5522 if (nft_set_is_anonymous(set) &&
5523 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5524 nft_map_deactivate(ctx, set);
5525
5526 nft_use_dec(&set->use);
5527 fallthrough;
5528 default:
5529 nf_tables_unbind_set(ctx, set, binding,
5530 phase == NFT_TRANS_COMMIT);
5531 }
5532 }
5533 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5534
nf_tables_destroy_set(const struct nft_ctx * ctx,struct nft_set * set)5535 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5536 {
5537 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5538 nft_set_destroy(ctx, set);
5539 }
5540 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5541
5542 const struct nft_set_ext_type nft_set_ext_types[] = {
5543 [NFT_SET_EXT_KEY] = {
5544 .align = __alignof__(u32),
5545 },
5546 [NFT_SET_EXT_DATA] = {
5547 .align = __alignof__(u32),
5548 },
5549 [NFT_SET_EXT_EXPRESSIONS] = {
5550 .align = __alignof__(struct nft_set_elem_expr),
5551 },
5552 [NFT_SET_EXT_OBJREF] = {
5553 .len = sizeof(struct nft_object *),
5554 .align = __alignof__(struct nft_object *),
5555 },
5556 [NFT_SET_EXT_FLAGS] = {
5557 .len = sizeof(u8),
5558 .align = __alignof__(u8),
5559 },
5560 [NFT_SET_EXT_TIMEOUT] = {
5561 .len = sizeof(u64),
5562 .align = __alignof__(u64),
5563 },
5564 [NFT_SET_EXT_EXPIRATION] = {
5565 .len = sizeof(u64),
5566 .align = __alignof__(u64),
5567 },
5568 [NFT_SET_EXT_USERDATA] = {
5569 .len = sizeof(struct nft_userdata),
5570 .align = __alignof__(struct nft_userdata),
5571 },
5572 [NFT_SET_EXT_KEY_END] = {
5573 .align = __alignof__(u32),
5574 },
5575 };
5576
5577 /*
5578 * Set elements
5579 */
5580
5581 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5582 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5583 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5584 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5585 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5586 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5587 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5588 .len = NFT_USERDATA_MAXLEN },
5589 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5590 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5591 .len = NFT_OBJ_MAXNAMELEN - 1 },
5592 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5593 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
5594 };
5595
5596 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5597 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5598 .len = NFT_TABLE_MAXNAMELEN - 1 },
5599 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5600 .len = NFT_SET_MAXNAMELEN - 1 },
5601 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy),
5602 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5603 };
5604
nft_set_elem_expr_dump(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_ext * ext,bool reset)5605 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5606 const struct nft_set *set,
5607 const struct nft_set_ext *ext,
5608 bool reset)
5609 {
5610 struct nft_set_elem_expr *elem_expr;
5611 u32 size, num_exprs = 0;
5612 struct nft_expr *expr;
5613 struct nlattr *nest;
5614
5615 elem_expr = nft_set_ext_expr(ext);
5616 nft_setelem_expr_foreach(expr, elem_expr, size)
5617 num_exprs++;
5618
5619 if (num_exprs == 1) {
5620 expr = nft_setelem_expr_at(elem_expr, 0);
5621 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0)
5622 return -1;
5623
5624 return 0;
5625 } else if (num_exprs > 1) {
5626 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5627 if (nest == NULL)
5628 goto nla_put_failure;
5629
5630 nft_setelem_expr_foreach(expr, elem_expr, size) {
5631 expr = nft_setelem_expr_at(elem_expr, size);
5632 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
5633 goto nla_put_failure;
5634 }
5635 nla_nest_end(skb, nest);
5636 }
5637 return 0;
5638
5639 nla_put_failure:
5640 return -1;
5641 }
5642
nf_tables_fill_setelem(struct sk_buff * skb,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)5643 static int nf_tables_fill_setelem(struct sk_buff *skb,
5644 const struct nft_set *set,
5645 const struct nft_elem_priv *elem_priv,
5646 bool reset)
5647 {
5648 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5649 unsigned char *b = skb_tail_pointer(skb);
5650 struct nlattr *nest;
5651
5652 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5653 if (nest == NULL)
5654 goto nla_put_failure;
5655
5656 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5657 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5658 NFT_DATA_VALUE, set->klen) < 0)
5659 goto nla_put_failure;
5660
5661 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5662 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5663 NFT_DATA_VALUE, set->klen) < 0)
5664 goto nla_put_failure;
5665
5666 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5667 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5668 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
5669 set->dlen) < 0)
5670 goto nla_put_failure;
5671
5672 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5673 nft_set_elem_expr_dump(skb, set, ext, reset))
5674 goto nla_put_failure;
5675
5676 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5677 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5678 (*nft_set_ext_obj(ext))->key.name) < 0)
5679 goto nla_put_failure;
5680
5681 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5682 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5683 htonl(*nft_set_ext_flags(ext))))
5684 goto nla_put_failure;
5685
5686 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
5687 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5688 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
5689 NFTA_SET_ELEM_PAD))
5690 goto nla_put_failure;
5691
5692 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5693 u64 expires, now = get_jiffies_64();
5694
5695 expires = *nft_set_ext_expiration(ext);
5696 if (time_before64(now, expires))
5697 expires -= now;
5698 else
5699 expires = 0;
5700
5701 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5702 nf_jiffies64_to_msecs(expires),
5703 NFTA_SET_ELEM_PAD))
5704 goto nla_put_failure;
5705 }
5706
5707 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5708 struct nft_userdata *udata;
5709
5710 udata = nft_set_ext_userdata(ext);
5711 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5712 udata->len + 1, udata->data))
5713 goto nla_put_failure;
5714 }
5715
5716 nla_nest_end(skb, nest);
5717 return 0;
5718
5719 nla_put_failure:
5720 nlmsg_trim(skb, b);
5721 return -EMSGSIZE;
5722 }
5723
5724 struct nft_set_dump_args {
5725 const struct netlink_callback *cb;
5726 struct nft_set_iter iter;
5727 struct sk_buff *skb;
5728 bool reset;
5729 };
5730
nf_tables_dump_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5731 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5732 struct nft_set *set,
5733 const struct nft_set_iter *iter,
5734 struct nft_elem_priv *elem_priv)
5735 {
5736 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5737 struct nft_set_dump_args *args;
5738
5739 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
5740 return 0;
5741
5742 args = container_of(iter, struct nft_set_dump_args, iter);
5743 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset);
5744 }
5745
audit_log_nft_set_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)5746 static void audit_log_nft_set_reset(const struct nft_table *table,
5747 unsigned int base_seq,
5748 unsigned int nentries)
5749 {
5750 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
5751
5752 audit_log_nfcfg(buf, table->family, nentries,
5753 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
5754 kfree(buf);
5755 }
5756
5757 struct nft_set_dump_ctx {
5758 const struct nft_set *set;
5759 struct nft_ctx ctx;
5760 bool reset;
5761 };
5762
nft_set_catchall_dump(struct net * net,struct sk_buff * skb,const struct nft_set * set,bool reset,unsigned int base_seq)5763 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5764 const struct nft_set *set, bool reset,
5765 unsigned int base_seq)
5766 {
5767 struct nft_set_elem_catchall *catchall;
5768 u8 genmask = nft_genmask_cur(net);
5769 struct nft_set_ext *ext;
5770 int ret = 0;
5771
5772 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5773 ext = nft_set_elem_ext(set, catchall->elem);
5774 if (!nft_set_elem_active(ext, genmask) ||
5775 nft_set_elem_expired(ext))
5776 continue;
5777
5778 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset);
5779 if (reset && !ret)
5780 audit_log_nft_set_reset(set->table, base_seq, 1);
5781 break;
5782 }
5783
5784 return ret;
5785 }
5786
nf_tables_dump_set(struct sk_buff * skb,struct netlink_callback * cb)5787 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5788 {
5789 struct nft_set_dump_ctx *dump_ctx = cb->data;
5790 struct net *net = sock_net(skb->sk);
5791 struct nftables_pernet *nft_net;
5792 struct nft_table *table;
5793 struct nft_set *set;
5794 struct nft_set_dump_args args;
5795 bool set_found = false;
5796 struct nlmsghdr *nlh;
5797 struct nlattr *nest;
5798 u32 portid, seq;
5799 int event;
5800
5801 rcu_read_lock();
5802 nft_net = nft_pernet(net);
5803 cb->seq = READ_ONCE(nft_net->base_seq);
5804
5805 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5806 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5807 dump_ctx->ctx.family != table->family)
5808 continue;
5809
5810 if (table != dump_ctx->ctx.table)
5811 continue;
5812
5813 list_for_each_entry_rcu(set, &table->sets, list) {
5814 if (set == dump_ctx->set) {
5815 set_found = true;
5816 break;
5817 }
5818 }
5819 break;
5820 }
5821
5822 if (!set_found) {
5823 rcu_read_unlock();
5824 return -ENOENT;
5825 }
5826
5827 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5828 portid = NETLINK_CB(cb->skb).portid;
5829 seq = cb->nlh->nlmsg_seq;
5830
5831 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5832 table->family, NFNETLINK_V0, nft_base_seq(net));
5833 if (!nlh)
5834 goto nla_put_failure;
5835
5836 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5837 goto nla_put_failure;
5838 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5839 goto nla_put_failure;
5840
5841 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5842 if (nest == NULL)
5843 goto nla_put_failure;
5844
5845 args.cb = cb;
5846 args.skb = skb;
5847 args.reset = dump_ctx->reset;
5848 args.iter.genmask = nft_genmask_cur(net);
5849 args.iter.skip = cb->args[0];
5850 args.iter.count = 0;
5851 args.iter.err = 0;
5852 args.iter.fn = nf_tables_dump_setelem;
5853 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5854
5855 if (!args.iter.err && args.iter.count == cb->args[0])
5856 args.iter.err = nft_set_catchall_dump(net, skb, set,
5857 dump_ctx->reset, cb->seq);
5858 nla_nest_end(skb, nest);
5859 nlmsg_end(skb, nlh);
5860
5861 rcu_read_unlock();
5862
5863 if (args.iter.err && args.iter.err != -EMSGSIZE)
5864 return args.iter.err;
5865 if (args.iter.count == cb->args[0])
5866 return 0;
5867
5868 cb->args[0] = args.iter.count;
5869 return skb->len;
5870
5871 nla_put_failure:
5872 rcu_read_unlock();
5873 return -ENOSPC;
5874 }
5875
nf_tables_dumpreset_set(struct sk_buff * skb,struct netlink_callback * cb)5876 static int nf_tables_dumpreset_set(struct sk_buff *skb,
5877 struct netlink_callback *cb)
5878 {
5879 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
5880 struct nft_set_dump_ctx *dump_ctx = cb->data;
5881 int ret, skip = cb->args[0];
5882
5883 mutex_lock(&nft_net->commit_mutex);
5884
5885 ret = nf_tables_dump_set(skb, cb);
5886
5887 if (cb->args[0] > skip)
5888 audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq,
5889 cb->args[0] - skip);
5890
5891 mutex_unlock(&nft_net->commit_mutex);
5892
5893 return ret;
5894 }
5895
nf_tables_dump_set_start(struct netlink_callback * cb)5896 static int nf_tables_dump_set_start(struct netlink_callback *cb)
5897 {
5898 struct nft_set_dump_ctx *dump_ctx = cb->data;
5899
5900 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5901
5902 return cb->data ? 0 : -ENOMEM;
5903 }
5904
nf_tables_dump_set_done(struct netlink_callback * cb)5905 static int nf_tables_dump_set_done(struct netlink_callback *cb)
5906 {
5907 kfree(cb->data);
5908 return 0;
5909 }
5910
nf_tables_fill_setelem_info(struct sk_buff * skb,const struct nft_ctx * ctx,u32 seq,u32 portid,int event,u16 flags,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)5911 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5912 const struct nft_ctx *ctx, u32 seq,
5913 u32 portid, int event, u16 flags,
5914 const struct nft_set *set,
5915 const struct nft_elem_priv *elem_priv,
5916 bool reset)
5917 {
5918 struct nlmsghdr *nlh;
5919 struct nlattr *nest;
5920 int err;
5921
5922 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5923 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
5924 NFNETLINK_V0, nft_base_seq(ctx->net));
5925 if (!nlh)
5926 goto nla_put_failure;
5927
5928 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
5929 goto nla_put_failure;
5930 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
5931 goto nla_put_failure;
5932
5933 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5934 if (nest == NULL)
5935 goto nla_put_failure;
5936
5937 err = nf_tables_fill_setelem(skb, set, elem_priv, reset);
5938 if (err < 0)
5939 goto nla_put_failure;
5940
5941 nla_nest_end(skb, nest);
5942
5943 nlmsg_end(skb, nlh);
5944 return 0;
5945
5946 nla_put_failure:
5947 nlmsg_trim(skb, nlh);
5948 return -1;
5949 }
5950
nft_setelem_parse_flags(const struct nft_set * set,const struct nlattr * attr,u32 * flags)5951 static int nft_setelem_parse_flags(const struct nft_set *set,
5952 const struct nlattr *attr, u32 *flags)
5953 {
5954 if (attr == NULL)
5955 return 0;
5956
5957 *flags = ntohl(nla_get_be32(attr));
5958 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5959 return -EOPNOTSUPP;
5960 if (!(set->flags & NFT_SET_INTERVAL) &&
5961 *flags & NFT_SET_ELEM_INTERVAL_END)
5962 return -EINVAL;
5963 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
5964 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5965 return -EINVAL;
5966
5967 return 0;
5968 }
5969
nft_setelem_parse_key(struct nft_ctx * ctx,const struct nft_set * set,struct nft_data * key,struct nlattr * attr)5970 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set,
5971 struct nft_data *key, struct nlattr *attr)
5972 {
5973 struct nft_data_desc desc = {
5974 .type = NFT_DATA_VALUE,
5975 .size = NFT_DATA_VALUE_MAXLEN,
5976 .len = set->klen,
5977 };
5978
5979 return nft_data_init(ctx, key, &desc, attr);
5980 }
5981
nft_setelem_parse_data(struct nft_ctx * ctx,struct nft_set * set,struct nft_data_desc * desc,struct nft_data * data,struct nlattr * attr)5982 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
5983 struct nft_data_desc *desc,
5984 struct nft_data *data,
5985 struct nlattr *attr)
5986 {
5987 u32 dtype;
5988
5989 if (set->dtype == NFT_DATA_VERDICT)
5990 dtype = NFT_DATA_VERDICT;
5991 else
5992 dtype = NFT_DATA_VALUE;
5993
5994 desc->type = dtype;
5995 desc->size = NFT_DATA_VALUE_MAXLEN;
5996 desc->len = set->dlen;
5997 desc->flags = NFT_DATA_DESC_SETELEM;
5998
5999 return nft_data_init(ctx, data, desc, attr);
6000 }
6001
nft_setelem_catchall_get(const struct net * net,const struct nft_set * set)6002 static void *nft_setelem_catchall_get(const struct net *net,
6003 const struct nft_set *set)
6004 {
6005 struct nft_set_elem_catchall *catchall;
6006 u8 genmask = nft_genmask_cur(net);
6007 struct nft_set_ext *ext;
6008 void *priv = NULL;
6009
6010 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6011 ext = nft_set_elem_ext(set, catchall->elem);
6012 if (!nft_set_elem_active(ext, genmask) ||
6013 nft_set_elem_expired(ext))
6014 continue;
6015
6016 priv = catchall->elem;
6017 break;
6018 }
6019
6020 return priv;
6021 }
6022
nft_setelem_get(struct nft_ctx * ctx,const struct nft_set * set,struct nft_set_elem * elem,u32 flags)6023 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set,
6024 struct nft_set_elem *elem, u32 flags)
6025 {
6026 void *priv;
6027
6028 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6029 priv = set->ops->get(ctx->net, set, elem, flags);
6030 if (IS_ERR(priv))
6031 return PTR_ERR(priv);
6032 } else {
6033 priv = nft_setelem_catchall_get(ctx->net, set);
6034 if (!priv)
6035 return -ENOENT;
6036 }
6037 elem->priv = priv;
6038
6039 return 0;
6040 }
6041
nft_get_set_elem(struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr,bool reset)6042 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
6043 const struct nlattr *attr, bool reset)
6044 {
6045 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6046 struct nft_set_elem elem;
6047 struct sk_buff *skb;
6048 uint32_t flags = 0;
6049 int err;
6050
6051 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6052 nft_set_elem_policy, NULL);
6053 if (err < 0)
6054 return err;
6055
6056 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6057 if (err < 0)
6058 return err;
6059
6060 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6061 return -EINVAL;
6062
6063 if (nla[NFTA_SET_ELEM_KEY]) {
6064 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6065 nla[NFTA_SET_ELEM_KEY]);
6066 if (err < 0)
6067 return err;
6068 }
6069
6070 if (nla[NFTA_SET_ELEM_KEY_END]) {
6071 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6072 nla[NFTA_SET_ELEM_KEY_END]);
6073 if (err < 0)
6074 return err;
6075 }
6076
6077 err = nft_setelem_get(ctx, set, &elem, flags);
6078 if (err < 0)
6079 return err;
6080
6081 err = -ENOMEM;
6082 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6083 if (skb == NULL)
6084 return err;
6085
6086 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
6087 NFT_MSG_NEWSETELEM, 0, set, elem.priv,
6088 reset);
6089 if (err < 0)
6090 goto err_fill_setelem;
6091
6092 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
6093
6094 err_fill_setelem:
6095 kfree_skb(skb);
6096 return err;
6097 }
6098
nft_set_dump_ctx_init(struct nft_set_dump_ctx * dump_ctx,const struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)6099 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx,
6100 const struct sk_buff *skb,
6101 const struct nfnl_info *info,
6102 const struct nlattr * const nla[],
6103 bool reset)
6104 {
6105 struct netlink_ext_ack *extack = info->extack;
6106 u8 genmask = nft_genmask_cur(info->net);
6107 u8 family = info->nfmsg->nfgen_family;
6108 struct net *net = info->net;
6109 struct nft_table *table;
6110 struct nft_set *set;
6111
6112 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6113 genmask, 0);
6114 if (IS_ERR(table)) {
6115 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6116 return PTR_ERR(table);
6117 }
6118
6119 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6120 if (IS_ERR(set)) {
6121 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6122 return PTR_ERR(set);
6123 }
6124
6125 nft_ctx_init(&dump_ctx->ctx, net, skb,
6126 info->nlh, family, table, NULL, nla);
6127 dump_ctx->set = set;
6128 dump_ctx->reset = reset;
6129 return 0;
6130 }
6131
6132 /* called with rcu_read_lock held */
nf_tables_getsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6133 static int nf_tables_getsetelem(struct sk_buff *skb,
6134 const struct nfnl_info *info,
6135 const struct nlattr * const nla[])
6136 {
6137 struct netlink_ext_ack *extack = info->extack;
6138 struct nft_set_dump_ctx dump_ctx;
6139 struct nlattr *attr;
6140 int rem, err = 0;
6141
6142 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6143 struct netlink_dump_control c = {
6144 .start = nf_tables_dump_set_start,
6145 .dump = nf_tables_dump_set,
6146 .done = nf_tables_dump_set_done,
6147 .module = THIS_MODULE,
6148 };
6149
6150 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6151 if (err)
6152 return err;
6153
6154 c.data = &dump_ctx;
6155 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6156 }
6157
6158 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6159 return -EINVAL;
6160
6161 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6162 if (err)
6163 return err;
6164
6165 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6166 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, false);
6167 if (err < 0) {
6168 NL_SET_BAD_ATTR(extack, attr);
6169 break;
6170 }
6171 }
6172
6173 return err;
6174 }
6175
nf_tables_getsetelem_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6176 static int nf_tables_getsetelem_reset(struct sk_buff *skb,
6177 const struct nfnl_info *info,
6178 const struct nlattr * const nla[])
6179 {
6180 struct nftables_pernet *nft_net = nft_pernet(info->net);
6181 struct netlink_ext_ack *extack = info->extack;
6182 struct nft_set_dump_ctx dump_ctx;
6183 int rem, err = 0, nelems = 0;
6184 struct nlattr *attr;
6185
6186 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6187 struct netlink_dump_control c = {
6188 .start = nf_tables_dump_set_start,
6189 .dump = nf_tables_dumpreset_set,
6190 .done = nf_tables_dump_set_done,
6191 .module = THIS_MODULE,
6192 };
6193
6194 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6195 if (err)
6196 return err;
6197
6198 c.data = &dump_ctx;
6199 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6200 }
6201
6202 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6203 return -EINVAL;
6204
6205 if (!try_module_get(THIS_MODULE))
6206 return -EINVAL;
6207 rcu_read_unlock();
6208 mutex_lock(&nft_net->commit_mutex);
6209 rcu_read_lock();
6210
6211 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6212 if (err)
6213 goto out_unlock;
6214
6215 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6216 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, true);
6217 if (err < 0) {
6218 NL_SET_BAD_ATTR(extack, attr);
6219 break;
6220 }
6221 nelems++;
6222 }
6223 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_net->base_seq, nelems);
6224
6225 out_unlock:
6226 rcu_read_unlock();
6227 mutex_unlock(&nft_net->commit_mutex);
6228 rcu_read_lock();
6229 module_put(THIS_MODULE);
6230
6231 return err;
6232 }
6233
nf_tables_setelem_notify(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv,int event)6234 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6235 const struct nft_set *set,
6236 const struct nft_elem_priv *elem_priv,
6237 int event)
6238 {
6239 struct nftables_pernet *nft_net;
6240 struct net *net = ctx->net;
6241 u32 portid = ctx->portid;
6242 struct sk_buff *skb;
6243 u16 flags = 0;
6244 int err;
6245
6246 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6247 return;
6248
6249 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6250 if (skb == NULL)
6251 goto err;
6252
6253 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6254 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6255
6256 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
6257 set, elem_priv, false);
6258 if (err < 0) {
6259 kfree_skb(skb);
6260 goto err;
6261 }
6262
6263 nft_net = nft_pernet(net);
6264 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
6265 return;
6266 err:
6267 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6268 }
6269
nft_trans_elem_alloc(struct nft_ctx * ctx,int msg_type,struct nft_set * set)6270 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
6271 int msg_type,
6272 struct nft_set *set)
6273 {
6274 struct nft_trans *trans;
6275
6276 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
6277 if (trans == NULL)
6278 return NULL;
6279
6280 nft_trans_elem_set(trans) = set;
6281 return trans;
6282 }
6283
nft_set_elem_expr_alloc(const struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr)6284 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6285 const struct nft_set *set,
6286 const struct nlattr *attr)
6287 {
6288 struct nft_expr *expr;
6289 int err;
6290
6291 expr = nft_expr_init(ctx, attr);
6292 if (IS_ERR(expr))
6293 return expr;
6294
6295 err = -EOPNOTSUPP;
6296 if (expr->ops->type->flags & NFT_EXPR_GC) {
6297 if (set->flags & NFT_SET_TIMEOUT)
6298 goto err_set_elem_expr;
6299 if (!set->ops->gc_init)
6300 goto err_set_elem_expr;
6301 set->ops->gc_init(set);
6302 }
6303
6304 return expr;
6305
6306 err_set_elem_expr:
6307 nft_expr_destroy(ctx, expr);
6308 return ERR_PTR(err);
6309 }
6310
nft_set_ext_check(const struct nft_set_ext_tmpl * tmpl,u8 id,u32 len)6311 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6312 {
6313 len += nft_set_ext_types[id].len;
6314 if (len > tmpl->ext_len[id] ||
6315 len > U8_MAX)
6316 return -1;
6317
6318 return 0;
6319 }
6320
nft_set_ext_memcpy(const struct nft_set_ext_tmpl * tmpl,u8 id,void * to,const void * from,u32 len)6321 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6322 void *to, const void *from, u32 len)
6323 {
6324 if (nft_set_ext_check(tmpl, id, len) < 0)
6325 return -1;
6326
6327 memcpy(to, from, len);
6328
6329 return 0;
6330 }
6331
nft_set_elem_init(const struct nft_set * set,const struct nft_set_ext_tmpl * tmpl,const u32 * key,const u32 * key_end,const u32 * data,u64 timeout,u64 expiration,gfp_t gfp)6332 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
6333 const struct nft_set_ext_tmpl *tmpl,
6334 const u32 *key, const u32 *key_end,
6335 const u32 *data,
6336 u64 timeout, u64 expiration, gfp_t gfp)
6337 {
6338 struct nft_set_ext *ext;
6339 void *elem;
6340
6341 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
6342 if (elem == NULL)
6343 return ERR_PTR(-ENOMEM);
6344
6345 ext = nft_set_elem_ext(set, elem);
6346 nft_set_ext_init(ext, tmpl);
6347
6348 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6349 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
6350 nft_set_ext_key(ext), key, set->klen) < 0)
6351 goto err_ext_check;
6352
6353 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6354 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
6355 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
6356 goto err_ext_check;
6357
6358 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6359 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
6360 nft_set_ext_data(ext), data, set->dlen) < 0)
6361 goto err_ext_check;
6362
6363 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
6364 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
6365 if (expiration == 0)
6366 *nft_set_ext_expiration(ext) += timeout;
6367 }
6368 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
6369 *nft_set_ext_timeout(ext) = timeout;
6370
6371 return elem;
6372
6373 err_ext_check:
6374 kfree(elem);
6375
6376 return ERR_PTR(-EINVAL);
6377 }
6378
__nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)6379 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6380 struct nft_expr *expr)
6381 {
6382 if (expr->ops->destroy_clone) {
6383 expr->ops->destroy_clone(ctx, expr);
6384 module_put(expr->ops->type->owner);
6385 } else {
6386 nf_tables_expr_destroy(ctx, expr);
6387 }
6388 }
6389
nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_set_elem_expr * elem_expr)6390 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6391 struct nft_set_elem_expr *elem_expr)
6392 {
6393 struct nft_expr *expr;
6394 u32 size;
6395
6396 nft_setelem_expr_foreach(expr, elem_expr, size)
6397 __nft_set_elem_expr_destroy(ctx, expr);
6398 }
6399
6400 /* Drop references and destroy. Called from gc, dynset and abort path. */
nft_set_elem_destroy(const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool destroy_expr)6401 void nft_set_elem_destroy(const struct nft_set *set,
6402 const struct nft_elem_priv *elem_priv,
6403 bool destroy_expr)
6404 {
6405 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6406 struct nft_ctx ctx = {
6407 .net = read_pnet(&set->net),
6408 .family = set->table->family,
6409 };
6410
6411 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
6412 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6413 nft_data_release(nft_set_ext_data(ext), set->dtype);
6414 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6415 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
6416 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6417 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
6418
6419 kfree(elem_priv);
6420 }
6421 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6422
6423 /* Destroy element. References have been already dropped in the preparation
6424 * path via nft_setelem_data_deactivate().
6425 */
nf_tables_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv)6426 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6427 const struct nft_set *set,
6428 const struct nft_elem_priv *elem_priv)
6429 {
6430 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6431
6432 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6433 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6434
6435 kfree(elem_priv);
6436 }
6437
nft_set_elem_expr_clone(const struct nft_ctx * ctx,struct nft_set * set,struct nft_expr * expr_array[])6438 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6439 struct nft_expr *expr_array[])
6440 {
6441 struct nft_expr *expr;
6442 int err, i, k;
6443
6444 for (i = 0; i < set->num_exprs; i++) {
6445 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6446 if (!expr)
6447 goto err_expr;
6448
6449 err = nft_expr_clone(expr, set->exprs[i]);
6450 if (err < 0) {
6451 kfree(expr);
6452 goto err_expr;
6453 }
6454 expr_array[i] = expr;
6455 }
6456
6457 return 0;
6458
6459 err_expr:
6460 for (k = i - 1; k >= 0; k--)
6461 nft_expr_destroy(ctx, expr_array[k]);
6462
6463 return -ENOMEM;
6464 }
6465
nft_set_elem_expr_setup(struct nft_ctx * ctx,const struct nft_set_ext_tmpl * tmpl,const struct nft_set_ext * ext,struct nft_expr * expr_array[],u32 num_exprs)6466 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6467 const struct nft_set_ext_tmpl *tmpl,
6468 const struct nft_set_ext *ext,
6469 struct nft_expr *expr_array[],
6470 u32 num_exprs)
6471 {
6472 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6473 u32 len = sizeof(struct nft_set_elem_expr);
6474 struct nft_expr *expr;
6475 int i, err;
6476
6477 if (num_exprs == 0)
6478 return 0;
6479
6480 for (i = 0; i < num_exprs; i++)
6481 len += expr_array[i]->ops->size;
6482
6483 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6484 return -EINVAL;
6485
6486 for (i = 0; i < num_exprs; i++) {
6487 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6488 err = nft_expr_clone(expr, expr_array[i]);
6489 if (err < 0)
6490 goto err_elem_expr_setup;
6491
6492 elem_expr->size += expr_array[i]->ops->size;
6493 nft_expr_destroy(ctx, expr_array[i]);
6494 expr_array[i] = NULL;
6495 }
6496
6497 return 0;
6498
6499 err_elem_expr_setup:
6500 for (; i < num_exprs; i++) {
6501 nft_expr_destroy(ctx, expr_array[i]);
6502 expr_array[i] = NULL;
6503 }
6504
6505 return -ENOMEM;
6506 }
6507
nft_set_catchall_lookup(const struct net * net,const struct nft_set * set)6508 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6509 const struct nft_set *set)
6510 {
6511 struct nft_set_elem_catchall *catchall;
6512 u8 genmask = nft_genmask_cur(net);
6513 struct nft_set_ext *ext;
6514
6515 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6516 ext = nft_set_elem_ext(set, catchall->elem);
6517 if (nft_set_elem_active(ext, genmask) &&
6518 !nft_set_elem_expired(ext) &&
6519 !nft_set_elem_is_dead(ext))
6520 return ext;
6521 }
6522
6523 return NULL;
6524 }
6525 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6526
nft_setelem_catchall_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** priv)6527 static int nft_setelem_catchall_insert(const struct net *net,
6528 struct nft_set *set,
6529 const struct nft_set_elem *elem,
6530 struct nft_elem_priv **priv)
6531 {
6532 struct nft_set_elem_catchall *catchall;
6533 u8 genmask = nft_genmask_next(net);
6534 struct nft_set_ext *ext;
6535
6536 list_for_each_entry(catchall, &set->catchall_list, list) {
6537 ext = nft_set_elem_ext(set, catchall->elem);
6538 if (nft_set_elem_active(ext, genmask)) {
6539 *priv = catchall->elem;
6540 return -EEXIST;
6541 }
6542 }
6543
6544 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
6545 if (!catchall)
6546 return -ENOMEM;
6547
6548 catchall->elem = elem->priv;
6549 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6550
6551 return 0;
6552 }
6553
nft_setelem_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** elem_priv,unsigned int flags)6554 static int nft_setelem_insert(const struct net *net,
6555 struct nft_set *set,
6556 const struct nft_set_elem *elem,
6557 struct nft_elem_priv **elem_priv,
6558 unsigned int flags)
6559 {
6560 int ret;
6561
6562 if (flags & NFT_SET_ELEM_CATCHALL)
6563 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv);
6564 else
6565 ret = set->ops->insert(net, set, elem, elem_priv);
6566
6567 return ret;
6568 }
6569
nft_setelem_is_catchall(const struct nft_set * set,const struct nft_elem_priv * elem_priv)6570 static bool nft_setelem_is_catchall(const struct nft_set *set,
6571 const struct nft_elem_priv *elem_priv)
6572 {
6573 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6574
6575 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6576 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6577 return true;
6578
6579 return false;
6580 }
6581
nft_setelem_activate(struct net * net,struct nft_set * set,struct nft_elem_priv * elem_priv)6582 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6583 struct nft_elem_priv *elem_priv)
6584 {
6585 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6586
6587 if (nft_setelem_is_catchall(set, elem_priv)) {
6588 nft_set_elem_change_active(net, set, ext);
6589 } else {
6590 set->ops->activate(net, set, elem_priv);
6591 }
6592 }
6593
nft_setelem_catchall_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)6594 static int nft_setelem_catchall_deactivate(const struct net *net,
6595 struct nft_set *set,
6596 struct nft_set_elem *elem)
6597 {
6598 struct nft_set_elem_catchall *catchall;
6599 struct nft_set_ext *ext;
6600
6601 list_for_each_entry(catchall, &set->catchall_list, list) {
6602 ext = nft_set_elem_ext(set, catchall->elem);
6603 if (!nft_is_active_next(net, ext))
6604 continue;
6605
6606 kfree(elem->priv);
6607 elem->priv = catchall->elem;
6608 nft_set_elem_change_active(net, set, ext);
6609 return 0;
6610 }
6611
6612 return -ENOENT;
6613 }
6614
__nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)6615 static int __nft_setelem_deactivate(const struct net *net,
6616 struct nft_set *set,
6617 struct nft_set_elem *elem)
6618 {
6619 void *priv;
6620
6621 priv = set->ops->deactivate(net, set, elem);
6622 if (!priv)
6623 return -ENOENT;
6624
6625 kfree(elem->priv);
6626 elem->priv = priv;
6627 set->ndeact++;
6628
6629 return 0;
6630 }
6631
nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem,u32 flags)6632 static int nft_setelem_deactivate(const struct net *net,
6633 struct nft_set *set,
6634 struct nft_set_elem *elem, u32 flags)
6635 {
6636 int ret;
6637
6638 if (flags & NFT_SET_ELEM_CATCHALL)
6639 ret = nft_setelem_catchall_deactivate(net, set, elem);
6640 else
6641 ret = __nft_setelem_deactivate(net, set, elem);
6642
6643 return ret;
6644 }
6645
nft_setelem_catchall_destroy(struct nft_set_elem_catchall * catchall)6646 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
6647 {
6648 list_del_rcu(&catchall->list);
6649 kfree_rcu(catchall, rcu);
6650 }
6651
nft_setelem_catchall_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)6652 static void nft_setelem_catchall_remove(const struct net *net,
6653 const struct nft_set *set,
6654 struct nft_elem_priv *elem_priv)
6655 {
6656 struct nft_set_elem_catchall *catchall, *next;
6657
6658 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6659 if (catchall->elem == elem_priv) {
6660 nft_setelem_catchall_destroy(catchall);
6661 break;
6662 }
6663 }
6664 }
6665
nft_setelem_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)6666 static void nft_setelem_remove(const struct net *net,
6667 const struct nft_set *set,
6668 struct nft_elem_priv *elem_priv)
6669 {
6670 if (nft_setelem_is_catchall(set, elem_priv))
6671 nft_setelem_catchall_remove(net, set, elem_priv);
6672 else
6673 set->ops->remove(net, set, elem_priv);
6674 }
6675
nft_setelem_valid_key_end(const struct nft_set * set,struct nlattr ** nla,u32 flags)6676 static bool nft_setelem_valid_key_end(const struct nft_set *set,
6677 struct nlattr **nla, u32 flags)
6678 {
6679 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6680 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6681 if (flags & NFT_SET_ELEM_INTERVAL_END)
6682 return false;
6683
6684 if (nla[NFTA_SET_ELEM_KEY_END] &&
6685 flags & NFT_SET_ELEM_CATCHALL)
6686 return false;
6687 } else {
6688 if (nla[NFTA_SET_ELEM_KEY_END])
6689 return false;
6690 }
6691
6692 return true;
6693 }
6694
nft_add_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,u32 nlmsg_flags)6695 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6696 const struct nlattr *attr, u32 nlmsg_flags)
6697 {
6698 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6699 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6700 u8 genmask = nft_genmask_next(ctx->net);
6701 u32 flags = 0, size = 0, num_exprs = 0;
6702 struct nft_set_ext_tmpl tmpl;
6703 struct nft_set_ext *ext, *ext2;
6704 struct nft_set_elem elem;
6705 struct nft_set_binding *binding;
6706 struct nft_elem_priv *elem_priv;
6707 struct nft_object *obj = NULL;
6708 struct nft_userdata *udata;
6709 struct nft_data_desc desc;
6710 enum nft_registers dreg;
6711 struct nft_trans *trans;
6712 u64 expiration;
6713 u64 timeout;
6714 int err, i;
6715 u8 ulen;
6716
6717 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6718 nft_set_elem_policy, NULL);
6719 if (err < 0)
6720 return err;
6721
6722 nft_set_ext_prepare(&tmpl);
6723
6724 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6725 if (err < 0)
6726 return err;
6727
6728 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6729 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6730 return -EINVAL;
6731
6732 if (flags != 0) {
6733 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6734 if (err < 0)
6735 return err;
6736 }
6737
6738 if (set->flags & NFT_SET_MAP) {
6739 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6740 !(flags & NFT_SET_ELEM_INTERVAL_END))
6741 return -EINVAL;
6742 } else {
6743 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6744 return -EINVAL;
6745 }
6746
6747 if (set->flags & NFT_SET_OBJECT) {
6748 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6749 !(flags & NFT_SET_ELEM_INTERVAL_END))
6750 return -EINVAL;
6751 } else {
6752 if (nla[NFTA_SET_ELEM_OBJREF])
6753 return -EINVAL;
6754 }
6755
6756 if (!nft_setelem_valid_key_end(set, nla, flags))
6757 return -EINVAL;
6758
6759 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6760 (nla[NFTA_SET_ELEM_DATA] ||
6761 nla[NFTA_SET_ELEM_OBJREF] ||
6762 nla[NFTA_SET_ELEM_TIMEOUT] ||
6763 nla[NFTA_SET_ELEM_EXPIRATION] ||
6764 nla[NFTA_SET_ELEM_USERDATA] ||
6765 nla[NFTA_SET_ELEM_EXPR] ||
6766 nla[NFTA_SET_ELEM_KEY_END] ||
6767 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6768 return -EINVAL;
6769
6770 timeout = 0;
6771 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6772 if (!(set->flags & NFT_SET_TIMEOUT))
6773 return -EINVAL;
6774 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6775 &timeout);
6776 if (err)
6777 return err;
6778 } else if (set->flags & NFT_SET_TIMEOUT &&
6779 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6780 timeout = READ_ONCE(set->timeout);
6781 }
6782
6783 expiration = 0;
6784 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6785 if (!(set->flags & NFT_SET_TIMEOUT))
6786 return -EINVAL;
6787 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6788 &expiration);
6789 if (err)
6790 return err;
6791 }
6792
6793 if (nla[NFTA_SET_ELEM_EXPR]) {
6794 struct nft_expr *expr;
6795
6796 if (set->num_exprs && set->num_exprs != 1)
6797 return -EOPNOTSUPP;
6798
6799 expr = nft_set_elem_expr_alloc(ctx, set,
6800 nla[NFTA_SET_ELEM_EXPR]);
6801 if (IS_ERR(expr))
6802 return PTR_ERR(expr);
6803
6804 expr_array[0] = expr;
6805 num_exprs = 1;
6806
6807 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6808 err = -EOPNOTSUPP;
6809 goto err_set_elem_expr;
6810 }
6811 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6812 struct nft_expr *expr;
6813 struct nlattr *tmp;
6814 int left;
6815
6816 i = 0;
6817 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6818 if (i == NFT_SET_EXPR_MAX ||
6819 (set->num_exprs && set->num_exprs == i)) {
6820 err = -E2BIG;
6821 goto err_set_elem_expr;
6822 }
6823 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6824 err = -EINVAL;
6825 goto err_set_elem_expr;
6826 }
6827 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6828 if (IS_ERR(expr)) {
6829 err = PTR_ERR(expr);
6830 goto err_set_elem_expr;
6831 }
6832 expr_array[i] = expr;
6833 num_exprs++;
6834
6835 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6836 err = -EOPNOTSUPP;
6837 goto err_set_elem_expr;
6838 }
6839 i++;
6840 }
6841 if (set->num_exprs && set->num_exprs != i) {
6842 err = -EOPNOTSUPP;
6843 goto err_set_elem_expr;
6844 }
6845 } else if (set->num_exprs > 0 &&
6846 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6847 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6848 if (err < 0)
6849 goto err_set_elem_expr_clone;
6850
6851 num_exprs = set->num_exprs;
6852 }
6853
6854 if (nla[NFTA_SET_ELEM_KEY]) {
6855 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6856 nla[NFTA_SET_ELEM_KEY]);
6857 if (err < 0)
6858 goto err_set_elem_expr;
6859
6860 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6861 if (err < 0)
6862 goto err_parse_key;
6863 }
6864
6865 if (nla[NFTA_SET_ELEM_KEY_END]) {
6866 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6867 nla[NFTA_SET_ELEM_KEY_END]);
6868 if (err < 0)
6869 goto err_parse_key;
6870
6871 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6872 if (err < 0)
6873 goto err_parse_key_end;
6874 }
6875
6876 if (timeout > 0) {
6877 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
6878 if (err < 0)
6879 goto err_parse_key_end;
6880
6881 if (timeout != READ_ONCE(set->timeout)) {
6882 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
6883 if (err < 0)
6884 goto err_parse_key_end;
6885 }
6886 }
6887
6888 if (num_exprs) {
6889 for (i = 0; i < num_exprs; i++)
6890 size += expr_array[i]->ops->size;
6891
6892 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
6893 sizeof(struct nft_set_elem_expr) + size);
6894 if (err < 0)
6895 goto err_parse_key_end;
6896 }
6897
6898 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
6899 obj = nft_obj_lookup(ctx->net, ctx->table,
6900 nla[NFTA_SET_ELEM_OBJREF],
6901 set->objtype, genmask);
6902 if (IS_ERR(obj)) {
6903 err = PTR_ERR(obj);
6904 obj = NULL;
6905 goto err_parse_key_end;
6906 }
6907
6908 if (!nft_use_inc(&obj->use)) {
6909 err = -EMFILE;
6910 obj = NULL;
6911 goto err_parse_key_end;
6912 }
6913
6914 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
6915 if (err < 0)
6916 goto err_parse_key_end;
6917 }
6918
6919 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
6920 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
6921 nla[NFTA_SET_ELEM_DATA]);
6922 if (err < 0)
6923 goto err_parse_key_end;
6924
6925 dreg = nft_type_to_reg(set->dtype);
6926 list_for_each_entry(binding, &set->bindings, list) {
6927 struct nft_ctx bind_ctx = {
6928 .net = ctx->net,
6929 .family = ctx->family,
6930 .table = ctx->table,
6931 .chain = (struct nft_chain *)binding->chain,
6932 };
6933
6934 if (!(binding->flags & NFT_SET_MAP))
6935 continue;
6936
6937 err = nft_validate_register_store(&bind_ctx, dreg,
6938 &elem.data.val,
6939 desc.type, desc.len);
6940 if (err < 0)
6941 goto err_parse_data;
6942
6943 if (desc.type == NFT_DATA_VERDICT &&
6944 (elem.data.val.verdict.code == NFT_GOTO ||
6945 elem.data.val.verdict.code == NFT_JUMP))
6946 nft_validate_state_update(ctx->table,
6947 NFT_VALIDATE_NEED);
6948 }
6949
6950 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
6951 if (err < 0)
6952 goto err_parse_data;
6953 }
6954
6955 /* The full maximum length of userdata can exceed the maximum
6956 * offset value (U8_MAX) for following extensions, therefor it
6957 * must be the last extension added.
6958 */
6959 ulen = 0;
6960 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
6961 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
6962 if (ulen > 0) {
6963 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
6964 ulen);
6965 if (err < 0)
6966 goto err_parse_data;
6967 }
6968 }
6969
6970 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6971 elem.key_end.val.data, elem.data.val.data,
6972 timeout, expiration, GFP_KERNEL_ACCOUNT);
6973 if (IS_ERR(elem.priv)) {
6974 err = PTR_ERR(elem.priv);
6975 goto err_parse_data;
6976 }
6977
6978 ext = nft_set_elem_ext(set, elem.priv);
6979 if (flags)
6980 *nft_set_ext_flags(ext) = flags;
6981
6982 if (obj)
6983 *nft_set_ext_obj(ext) = obj;
6984
6985 if (ulen > 0) {
6986 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
6987 err = -EINVAL;
6988 goto err_elem_free;
6989 }
6990 udata = nft_set_ext_userdata(ext);
6991 udata->len = ulen - 1;
6992 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
6993 }
6994 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
6995 if (err < 0)
6996 goto err_elem_free;
6997
6998 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
6999 if (trans == NULL) {
7000 err = -ENOMEM;
7001 goto err_elem_free;
7002 }
7003
7004 ext->genmask = nft_genmask_cur(ctx->net);
7005
7006 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags);
7007 if (err) {
7008 if (err == -EEXIST) {
7009 ext2 = nft_set_elem_ext(set, elem_priv);
7010 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
7011 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
7012 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
7013 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
7014 goto err_element_clash;
7015 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
7016 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
7017 memcmp(nft_set_ext_data(ext),
7018 nft_set_ext_data(ext2), set->dlen) != 0) ||
7019 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
7020 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
7021 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
7022 goto err_element_clash;
7023 else if (!(nlmsg_flags & NLM_F_EXCL))
7024 err = 0;
7025 } else if (err == -ENOTEMPTY) {
7026 /* ENOTEMPTY reports overlapping between this element
7027 * and an existing one.
7028 */
7029 err = -EEXIST;
7030 }
7031 goto err_element_clash;
7032 }
7033
7034 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
7035 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX;
7036
7037 if (!atomic_add_unless(&set->nelems, 1, max)) {
7038 err = -ENFILE;
7039 goto err_set_full;
7040 }
7041 }
7042
7043 nft_trans_elem_priv(trans) = elem.priv;
7044 nft_trans_commit_list_add_tail(ctx->net, trans);
7045 return 0;
7046
7047 err_set_full:
7048 nft_setelem_remove(ctx->net, set, elem.priv);
7049 err_element_clash:
7050 kfree(trans);
7051 err_elem_free:
7052 nf_tables_set_elem_destroy(ctx, set, elem.priv);
7053 err_parse_data:
7054 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7055 nft_data_release(&elem.data.val, desc.type);
7056 err_parse_key_end:
7057 if (obj)
7058 nft_use_dec_restore(&obj->use);
7059
7060 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7061 err_parse_key:
7062 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7063 err_set_elem_expr:
7064 for (i = 0; i < num_exprs && expr_array[i]; i++)
7065 nft_expr_destroy(ctx, expr_array[i]);
7066 err_set_elem_expr_clone:
7067 return err;
7068 }
7069
nf_tables_newsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7070 static int nf_tables_newsetelem(struct sk_buff *skb,
7071 const struct nfnl_info *info,
7072 const struct nlattr * const nla[])
7073 {
7074 struct netlink_ext_ack *extack = info->extack;
7075 u8 genmask = nft_genmask_next(info->net);
7076 u8 family = info->nfmsg->nfgen_family;
7077 struct net *net = info->net;
7078 const struct nlattr *attr;
7079 struct nft_table *table;
7080 struct nft_set *set;
7081 struct nft_ctx ctx;
7082 int rem, err;
7083
7084 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
7085 return -EINVAL;
7086
7087 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7088 genmask, NETLINK_CB(skb).portid);
7089 if (IS_ERR(table)) {
7090 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7091 return PTR_ERR(table);
7092 }
7093
7094 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
7095 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
7096 if (IS_ERR(set)) {
7097 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7098 return PTR_ERR(set);
7099 }
7100
7101 if (!list_empty(&set->bindings) &&
7102 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
7103 return -EBUSY;
7104
7105 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7106
7107 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7108 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
7109 if (err < 0) {
7110 NL_SET_BAD_ATTR(extack, attr);
7111 return err;
7112 }
7113 }
7114
7115 if (table->validate_state == NFT_VALIDATE_DO)
7116 return nft_table_validate(net, table);
7117
7118 return 0;
7119 }
7120
7121 /**
7122 * nft_data_hold - hold a nft_data item
7123 *
7124 * @data: struct nft_data to release
7125 * @type: type of data
7126 *
7127 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7128 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7129 * NFT_GOTO verdicts. This function must be called on active data objects
7130 * from the second phase of the commit protocol.
7131 */
nft_data_hold(const struct nft_data * data,enum nft_data_types type)7132 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7133 {
7134 struct nft_chain *chain;
7135
7136 if (type == NFT_DATA_VERDICT) {
7137 switch (data->verdict.code) {
7138 case NFT_JUMP:
7139 case NFT_GOTO:
7140 chain = data->verdict.chain;
7141 nft_use_inc_restore(&chain->use);
7142 break;
7143 }
7144 }
7145 }
7146
nft_setelem_data_activate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7147 static void nft_setelem_data_activate(const struct net *net,
7148 const struct nft_set *set,
7149 struct nft_elem_priv *elem_priv)
7150 {
7151 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7152
7153 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7154 nft_data_hold(nft_set_ext_data(ext), set->dtype);
7155 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7156 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
7157 }
7158
nft_setelem_data_deactivate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7159 void nft_setelem_data_deactivate(const struct net *net,
7160 const struct nft_set *set,
7161 struct nft_elem_priv *elem_priv)
7162 {
7163 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7164
7165 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7166 nft_data_release(nft_set_ext_data(ext), set->dtype);
7167 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7168 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
7169 }
7170
nft_del_setelem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)7171 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7172 const struct nlattr *attr)
7173 {
7174 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7175 struct nft_set_ext_tmpl tmpl;
7176 struct nft_set_elem elem;
7177 struct nft_set_ext *ext;
7178 struct nft_trans *trans;
7179 u32 flags = 0;
7180 int err;
7181
7182 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7183 nft_set_elem_policy, NULL);
7184 if (err < 0)
7185 return err;
7186
7187 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7188 if (err < 0)
7189 return err;
7190
7191 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7192 return -EINVAL;
7193
7194 if (!nft_setelem_valid_key_end(set, nla, flags))
7195 return -EINVAL;
7196
7197 nft_set_ext_prepare(&tmpl);
7198
7199 if (flags != 0) {
7200 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7201 if (err < 0)
7202 return err;
7203 }
7204
7205 if (nla[NFTA_SET_ELEM_KEY]) {
7206 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7207 nla[NFTA_SET_ELEM_KEY]);
7208 if (err < 0)
7209 return err;
7210
7211 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7212 if (err < 0)
7213 goto fail_elem;
7214 }
7215
7216 if (nla[NFTA_SET_ELEM_KEY_END]) {
7217 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7218 nla[NFTA_SET_ELEM_KEY_END]);
7219 if (err < 0)
7220 goto fail_elem;
7221
7222 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7223 if (err < 0)
7224 goto fail_elem_key_end;
7225 }
7226
7227 err = -ENOMEM;
7228 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7229 elem.key_end.val.data, NULL, 0, 0,
7230 GFP_KERNEL_ACCOUNT);
7231 if (IS_ERR(elem.priv)) {
7232 err = PTR_ERR(elem.priv);
7233 goto fail_elem_key_end;
7234 }
7235
7236 ext = nft_set_elem_ext(set, elem.priv);
7237 if (flags)
7238 *nft_set_ext_flags(ext) = flags;
7239
7240 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7241 if (trans == NULL)
7242 goto fail_trans;
7243
7244 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
7245 if (err < 0)
7246 goto fail_ops;
7247
7248 nft_setelem_data_deactivate(ctx->net, set, elem.priv);
7249
7250 nft_trans_elem_priv(trans) = elem.priv;
7251 nft_trans_commit_list_add_tail(ctx->net, trans);
7252 return 0;
7253
7254 fail_ops:
7255 kfree(trans);
7256 fail_trans:
7257 kfree(elem.priv);
7258 fail_elem_key_end:
7259 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7260 fail_elem:
7261 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7262 return err;
7263 }
7264
nft_setelem_flush(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)7265 static int nft_setelem_flush(const struct nft_ctx *ctx,
7266 struct nft_set *set,
7267 const struct nft_set_iter *iter,
7268 struct nft_elem_priv *elem_priv)
7269 {
7270 struct nft_trans *trans;
7271
7272 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7273 sizeof(struct nft_trans_elem), GFP_ATOMIC);
7274 if (!trans)
7275 return -ENOMEM;
7276
7277 set->ops->flush(ctx->net, set, elem_priv);
7278 set->ndeact++;
7279
7280 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7281 nft_trans_elem_set(trans) = set;
7282 nft_trans_elem_priv(trans) = elem_priv;
7283 nft_trans_commit_list_add_tail(ctx->net, trans);
7284
7285 return 0;
7286 }
7287
__nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)7288 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7289 struct nft_set *set,
7290 struct nft_elem_priv *elem_priv)
7291 {
7292 struct nft_trans *trans;
7293
7294 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7295 sizeof(struct nft_trans_elem), GFP_KERNEL);
7296 if (!trans)
7297 return -ENOMEM;
7298
7299 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7300 nft_trans_elem_set(trans) = set;
7301 nft_trans_elem_priv(trans) = elem_priv;
7302 nft_trans_commit_list_add_tail(ctx->net, trans);
7303
7304 return 0;
7305 }
7306
nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set)7307 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7308 struct nft_set *set)
7309 {
7310 u8 genmask = nft_genmask_next(ctx->net);
7311 struct nft_set_elem_catchall *catchall;
7312 struct nft_set_ext *ext;
7313 int ret = 0;
7314
7315 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
7316 ext = nft_set_elem_ext(set, catchall->elem);
7317 if (!nft_set_elem_active(ext, genmask))
7318 continue;
7319
7320 ret = __nft_set_catchall_flush(ctx, set, catchall->elem);
7321 if (ret < 0)
7322 break;
7323 nft_set_elem_change_active(ctx->net, set, ext);
7324 }
7325
7326 return ret;
7327 }
7328
nft_set_flush(struct nft_ctx * ctx,struct nft_set * set,u8 genmask)7329 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
7330 {
7331 struct nft_set_iter iter = {
7332 .genmask = genmask,
7333 .fn = nft_setelem_flush,
7334 };
7335
7336 set->ops->walk(ctx, set, &iter);
7337 if (!iter.err)
7338 iter.err = nft_set_catchall_flush(ctx, set);
7339
7340 return iter.err;
7341 }
7342
nf_tables_delsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7343 static int nf_tables_delsetelem(struct sk_buff *skb,
7344 const struct nfnl_info *info,
7345 const struct nlattr * const nla[])
7346 {
7347 struct netlink_ext_ack *extack = info->extack;
7348 u8 genmask = nft_genmask_next(info->net);
7349 u8 family = info->nfmsg->nfgen_family;
7350 struct net *net = info->net;
7351 const struct nlattr *attr;
7352 struct nft_table *table;
7353 struct nft_set *set;
7354 struct nft_ctx ctx;
7355 int rem, err = 0;
7356
7357 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7358 genmask, NETLINK_CB(skb).portid);
7359 if (IS_ERR(table)) {
7360 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7361 return PTR_ERR(table);
7362 }
7363
7364 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
7365 if (IS_ERR(set)) {
7366 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7367 return PTR_ERR(set);
7368 }
7369
7370 if (nft_set_is_anonymous(set))
7371 return -EOPNOTSUPP;
7372
7373 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
7374 return -EBUSY;
7375
7376 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7377
7378 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
7379 return nft_set_flush(&ctx, set, genmask);
7380
7381 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7382 err = nft_del_setelem(&ctx, set, attr);
7383 if (err == -ENOENT &&
7384 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
7385 continue;
7386
7387 if (err < 0) {
7388 NL_SET_BAD_ATTR(extack, attr);
7389 return err;
7390 }
7391 }
7392
7393 return 0;
7394 }
7395
7396 /*
7397 * Stateful objects
7398 */
7399
7400 /**
7401 * nft_register_obj- register nf_tables stateful object type
7402 * @obj_type: object type
7403 *
7404 * Registers the object type for use with nf_tables. Returns zero on
7405 * success or a negative errno code otherwise.
7406 */
nft_register_obj(struct nft_object_type * obj_type)7407 int nft_register_obj(struct nft_object_type *obj_type)
7408 {
7409 if (obj_type->type == NFT_OBJECT_UNSPEC)
7410 return -EINVAL;
7411
7412 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7413 list_add_rcu(&obj_type->list, &nf_tables_objects);
7414 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7415 return 0;
7416 }
7417 EXPORT_SYMBOL_GPL(nft_register_obj);
7418
7419 /**
7420 * nft_unregister_obj - unregister nf_tables object type
7421 * @obj_type: object type
7422 *
7423 * Unregisters the object type for use with nf_tables.
7424 */
nft_unregister_obj(struct nft_object_type * obj_type)7425 void nft_unregister_obj(struct nft_object_type *obj_type)
7426 {
7427 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7428 list_del_rcu(&obj_type->list);
7429 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7430 }
7431 EXPORT_SYMBOL_GPL(nft_unregister_obj);
7432
nft_obj_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)7433 struct nft_object *nft_obj_lookup(const struct net *net,
7434 const struct nft_table *table,
7435 const struct nlattr *nla, u32 objtype,
7436 u8 genmask)
7437 {
7438 struct nft_object_hash_key k = { .table = table };
7439 char search[NFT_OBJ_MAXNAMELEN];
7440 struct rhlist_head *tmp, *list;
7441 struct nft_object *obj;
7442
7443 nla_strscpy(search, nla, sizeof(search));
7444 k.name = search;
7445
7446 WARN_ON_ONCE(!rcu_read_lock_held() &&
7447 !lockdep_commit_lock_is_held(net));
7448
7449 rcu_read_lock();
7450 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
7451 if (!list)
7452 goto out;
7453
7454 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
7455 if (objtype == obj->ops->type->type &&
7456 nft_active_genmask(obj, genmask)) {
7457 rcu_read_unlock();
7458 return obj;
7459 }
7460 }
7461 out:
7462 rcu_read_unlock();
7463 return ERR_PTR(-ENOENT);
7464 }
7465 EXPORT_SYMBOL_GPL(nft_obj_lookup);
7466
nft_obj_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)7467 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7468 const struct nlattr *nla,
7469 u32 objtype, u8 genmask)
7470 {
7471 struct nft_object *obj;
7472
7473 list_for_each_entry(obj, &table->objects, list) {
7474 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7475 objtype == obj->ops->type->type &&
7476 nft_active_genmask(obj, genmask))
7477 return obj;
7478 }
7479 return ERR_PTR(-ENOENT);
7480 }
7481
7482 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7483 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7484 .len = NFT_TABLE_MAXNAMELEN - 1 },
7485 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7486 .len = NFT_OBJ_MAXNAMELEN - 1 },
7487 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7488 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7489 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7490 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7491 .len = NFT_USERDATA_MAXLEN },
7492 };
7493
nft_obj_init(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr)7494 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7495 const struct nft_object_type *type,
7496 const struct nlattr *attr)
7497 {
7498 struct nlattr **tb;
7499 const struct nft_object_ops *ops;
7500 struct nft_object *obj;
7501 int err = -ENOMEM;
7502
7503 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
7504 if (!tb)
7505 goto err1;
7506
7507 if (attr) {
7508 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
7509 type->policy, NULL);
7510 if (err < 0)
7511 goto err2;
7512 } else {
7513 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7514 }
7515
7516 if (type->select_ops) {
7517 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7518 if (IS_ERR(ops)) {
7519 err = PTR_ERR(ops);
7520 goto err2;
7521 }
7522 } else {
7523 ops = type->ops;
7524 }
7525
7526 err = -ENOMEM;
7527 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7528 if (!obj)
7529 goto err2;
7530
7531 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7532 if (err < 0)
7533 goto err3;
7534
7535 obj->ops = ops;
7536
7537 kfree(tb);
7538 return obj;
7539 err3:
7540 kfree(obj);
7541 err2:
7542 kfree(tb);
7543 err1:
7544 return ERR_PTR(err);
7545 }
7546
nft_object_dump(struct sk_buff * skb,unsigned int attr,struct nft_object * obj,bool reset)7547 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7548 struct nft_object *obj, bool reset)
7549 {
7550 struct nlattr *nest;
7551
7552 nest = nla_nest_start_noflag(skb, attr);
7553 if (!nest)
7554 goto nla_put_failure;
7555 if (obj->ops->dump(skb, obj, reset) < 0)
7556 goto nla_put_failure;
7557 nla_nest_end(skb, nest);
7558 return 0;
7559
7560 nla_put_failure:
7561 return -1;
7562 }
7563
__nft_obj_type_get(u32 objtype,u8 family)7564 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
7565 {
7566 const struct nft_object_type *type;
7567
7568 list_for_each_entry(type, &nf_tables_objects, list) {
7569 if (type->family != NFPROTO_UNSPEC &&
7570 type->family != family)
7571 continue;
7572
7573 if (objtype == type->type)
7574 return type;
7575 }
7576 return NULL;
7577 }
7578
7579 static const struct nft_object_type *
nft_obj_type_get(struct net * net,u32 objtype,u8 family)7580 nft_obj_type_get(struct net *net, u32 objtype, u8 family)
7581 {
7582 const struct nft_object_type *type;
7583
7584 type = __nft_obj_type_get(objtype, family);
7585 if (type != NULL && try_module_get(type->owner))
7586 return type;
7587
7588 lockdep_nfnl_nft_mutex_not_held();
7589 #ifdef CONFIG_MODULES
7590 if (type == NULL) {
7591 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7592 return ERR_PTR(-EAGAIN);
7593 }
7594 #endif
7595 return ERR_PTR(-ENOENT);
7596 }
7597
nf_tables_updobj(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr,struct nft_object * obj)7598 static int nf_tables_updobj(const struct nft_ctx *ctx,
7599 const struct nft_object_type *type,
7600 const struct nlattr *attr,
7601 struct nft_object *obj)
7602 {
7603 struct nft_object *newobj;
7604 struct nft_trans *trans;
7605 int err = -ENOMEM;
7606
7607 if (!try_module_get(type->owner))
7608 return -ENOENT;
7609
7610 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
7611 sizeof(struct nft_trans_obj));
7612 if (!trans)
7613 goto err_trans;
7614
7615 newobj = nft_obj_init(ctx, type, attr);
7616 if (IS_ERR(newobj)) {
7617 err = PTR_ERR(newobj);
7618 goto err_free_trans;
7619 }
7620
7621 nft_trans_obj(trans) = obj;
7622 nft_trans_obj_update(trans) = true;
7623 nft_trans_obj_newobj(trans) = newobj;
7624 nft_trans_commit_list_add_tail(ctx->net, trans);
7625
7626 return 0;
7627
7628 err_free_trans:
7629 kfree(trans);
7630 err_trans:
7631 module_put(type->owner);
7632 return err;
7633 }
7634
nf_tables_newobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7635 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7636 const struct nlattr * const nla[])
7637 {
7638 struct netlink_ext_ack *extack = info->extack;
7639 u8 genmask = nft_genmask_next(info->net);
7640 u8 family = info->nfmsg->nfgen_family;
7641 const struct nft_object_type *type;
7642 struct net *net = info->net;
7643 struct nft_table *table;
7644 struct nft_object *obj;
7645 struct nft_ctx ctx;
7646 u32 objtype;
7647 int err;
7648
7649 if (!nla[NFTA_OBJ_TYPE] ||
7650 !nla[NFTA_OBJ_NAME] ||
7651 !nla[NFTA_OBJ_DATA])
7652 return -EINVAL;
7653
7654 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7655 NETLINK_CB(skb).portid);
7656 if (IS_ERR(table)) {
7657 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7658 return PTR_ERR(table);
7659 }
7660
7661 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7662 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7663 if (IS_ERR(obj)) {
7664 err = PTR_ERR(obj);
7665 if (err != -ENOENT) {
7666 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7667 return err;
7668 }
7669 } else {
7670 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7671 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7672 return -EEXIST;
7673 }
7674 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7675 return -EOPNOTSUPP;
7676
7677 type = __nft_obj_type_get(objtype, family);
7678 if (WARN_ON_ONCE(!type))
7679 return -ENOENT;
7680
7681 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7682
7683 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
7684 }
7685
7686 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7687
7688 if (!nft_use_inc(&table->use))
7689 return -EMFILE;
7690
7691 type = nft_obj_type_get(net, objtype, family);
7692 if (IS_ERR(type)) {
7693 err = PTR_ERR(type);
7694 goto err_type;
7695 }
7696
7697 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
7698 if (IS_ERR(obj)) {
7699 err = PTR_ERR(obj);
7700 goto err_init;
7701 }
7702 obj->key.table = table;
7703 obj->handle = nf_tables_alloc_handle(table);
7704
7705 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7706 if (!obj->key.name) {
7707 err = -ENOMEM;
7708 goto err_strdup;
7709 }
7710
7711 if (nla[NFTA_OBJ_USERDATA]) {
7712 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7713 if (obj->udata == NULL)
7714 goto err_userdata;
7715
7716 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
7717 }
7718
7719 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
7720 if (err < 0)
7721 goto err_trans;
7722
7723 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
7724 nft_objname_ht_params);
7725 if (err < 0)
7726 goto err_obj_ht;
7727
7728 list_add_tail_rcu(&obj->list, &table->objects);
7729
7730 return 0;
7731 err_obj_ht:
7732 /* queued in transaction log */
7733 INIT_LIST_HEAD(&obj->list);
7734 return err;
7735 err_trans:
7736 kfree(obj->udata);
7737 err_userdata:
7738 kfree(obj->key.name);
7739 err_strdup:
7740 if (obj->ops->destroy)
7741 obj->ops->destroy(&ctx, obj);
7742 kfree(obj);
7743 err_init:
7744 module_put(type->owner);
7745 err_type:
7746 nft_use_dec_restore(&table->use);
7747
7748 return err;
7749 }
7750
nf_tables_fill_obj_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,struct nft_object * obj,bool reset)7751 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7752 u32 portid, u32 seq, int event, u32 flags,
7753 int family, const struct nft_table *table,
7754 struct nft_object *obj, bool reset)
7755 {
7756 struct nlmsghdr *nlh;
7757
7758 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7759 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7760 NFNETLINK_V0, nft_base_seq(net));
7761 if (!nlh)
7762 goto nla_put_failure;
7763
7764 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7765 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7766 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7767 NFTA_OBJ_PAD))
7768 goto nla_put_failure;
7769
7770 if (event == NFT_MSG_DELOBJ) {
7771 nlmsg_end(skb, nlh);
7772 return 0;
7773 }
7774
7775 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7776 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7777 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
7778 goto nla_put_failure;
7779
7780 if (obj->udata &&
7781 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7782 goto nla_put_failure;
7783
7784 nlmsg_end(skb, nlh);
7785 return 0;
7786
7787 nla_put_failure:
7788 nlmsg_trim(skb, nlh);
7789 return -1;
7790 }
7791
audit_log_obj_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)7792 static void audit_log_obj_reset(const struct nft_table *table,
7793 unsigned int base_seq, unsigned int nentries)
7794 {
7795 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
7796
7797 audit_log_nfcfg(buf, table->family, nentries,
7798 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
7799 kfree(buf);
7800 }
7801
7802 struct nft_obj_dump_ctx {
7803 unsigned int s_idx;
7804 char *table;
7805 u32 type;
7806 bool reset;
7807 };
7808
nf_tables_dump_obj(struct sk_buff * skb,struct netlink_callback * cb)7809 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7810 {
7811 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7812 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7813 struct net *net = sock_net(skb->sk);
7814 int family = nfmsg->nfgen_family;
7815 struct nftables_pernet *nft_net;
7816 const struct nft_table *table;
7817 unsigned int entries = 0;
7818 struct nft_object *obj;
7819 unsigned int idx = 0;
7820 int rc = 0;
7821
7822 rcu_read_lock();
7823 nft_net = nft_pernet(net);
7824 cb->seq = READ_ONCE(nft_net->base_seq);
7825
7826 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7827 if (family != NFPROTO_UNSPEC && family != table->family)
7828 continue;
7829
7830 entries = 0;
7831 list_for_each_entry_rcu(obj, &table->objects, list) {
7832 if (!nft_is_active(net, obj))
7833 goto cont;
7834 if (idx < ctx->s_idx)
7835 goto cont;
7836 if (ctx->table && strcmp(ctx->table, table->name))
7837 goto cont;
7838 if (ctx->type != NFT_OBJECT_UNSPEC &&
7839 obj->ops->type->type != ctx->type)
7840 goto cont;
7841
7842 rc = nf_tables_fill_obj_info(skb, net,
7843 NETLINK_CB(cb->skb).portid,
7844 cb->nlh->nlmsg_seq,
7845 NFT_MSG_NEWOBJ,
7846 NLM_F_MULTI | NLM_F_APPEND,
7847 table->family, table,
7848 obj, ctx->reset);
7849 if (rc < 0)
7850 break;
7851
7852 entries++;
7853 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7854 cont:
7855 idx++;
7856 }
7857 if (ctx->reset && entries)
7858 audit_log_obj_reset(table, nft_net->base_seq, entries);
7859 if (rc < 0)
7860 break;
7861 }
7862 rcu_read_unlock();
7863
7864 ctx->s_idx = idx;
7865 return skb->len;
7866 }
7867
nf_tables_dump_obj_start(struct netlink_callback * cb)7868 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
7869 {
7870 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7871 const struct nlattr * const *nla = cb->data;
7872
7873 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
7874
7875 if (nla[NFTA_OBJ_TABLE]) {
7876 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
7877 if (!ctx->table)
7878 return -ENOMEM;
7879 }
7880
7881 if (nla[NFTA_OBJ_TYPE])
7882 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7883
7884 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7885 ctx->reset = true;
7886
7887 return 0;
7888 }
7889
nf_tables_dump_obj_done(struct netlink_callback * cb)7890 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
7891 {
7892 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7893
7894 kfree(ctx->table);
7895
7896 return 0;
7897 }
7898
7899 /* called with rcu_read_lock held */
nf_tables_getobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7900 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
7901 const struct nlattr * const nla[])
7902 {
7903 struct netlink_ext_ack *extack = info->extack;
7904 u8 genmask = nft_genmask_cur(info->net);
7905 u8 family = info->nfmsg->nfgen_family;
7906 const struct nft_table *table;
7907 struct net *net = info->net;
7908 struct nft_object *obj;
7909 struct sk_buff *skb2;
7910 bool reset = false;
7911 u32 objtype;
7912 int err;
7913
7914 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
7915 struct netlink_dump_control c = {
7916 .start = nf_tables_dump_obj_start,
7917 .dump = nf_tables_dump_obj,
7918 .done = nf_tables_dump_obj_done,
7919 .module = THIS_MODULE,
7920 .data = (void *)nla,
7921 };
7922
7923 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
7924 }
7925
7926 if (!nla[NFTA_OBJ_NAME] ||
7927 !nla[NFTA_OBJ_TYPE])
7928 return -EINVAL;
7929
7930 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
7931 if (IS_ERR(table)) {
7932 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7933 return PTR_ERR(table);
7934 }
7935
7936 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7937 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7938 if (IS_ERR(obj)) {
7939 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7940 return PTR_ERR(obj);
7941 }
7942
7943 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7944 if (!skb2)
7945 return -ENOMEM;
7946
7947 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7948 reset = true;
7949
7950 if (reset) {
7951 const struct nftables_pernet *nft_net;
7952 char *buf;
7953
7954 nft_net = nft_pernet(net);
7955 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
7956
7957 audit_log_nfcfg(buf,
7958 family,
7959 1,
7960 AUDIT_NFT_OP_OBJ_RESET,
7961 GFP_ATOMIC);
7962 kfree(buf);
7963 }
7964
7965 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
7966 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
7967 family, table, obj, reset);
7968 if (err < 0)
7969 goto err_fill_obj_info;
7970
7971 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7972
7973 err_fill_obj_info:
7974 kfree_skb(skb2);
7975 return err;
7976 }
7977
nft_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)7978 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
7979 {
7980 if (obj->ops->destroy)
7981 obj->ops->destroy(ctx, obj);
7982
7983 module_put(obj->ops->type->owner);
7984 kfree(obj->key.name);
7985 kfree(obj->udata);
7986 kfree(obj);
7987 }
7988
nf_tables_delobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7989 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
7990 const struct nlattr * const nla[])
7991 {
7992 struct netlink_ext_ack *extack = info->extack;
7993 u8 genmask = nft_genmask_next(info->net);
7994 u8 family = info->nfmsg->nfgen_family;
7995 struct net *net = info->net;
7996 const struct nlattr *attr;
7997 struct nft_table *table;
7998 struct nft_object *obj;
7999 struct nft_ctx ctx;
8000 u32 objtype;
8001
8002 if (!nla[NFTA_OBJ_TYPE] ||
8003 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
8004 return -EINVAL;
8005
8006 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8007 NETLINK_CB(skb).portid);
8008 if (IS_ERR(table)) {
8009 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8010 return PTR_ERR(table);
8011 }
8012
8013 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8014 if (nla[NFTA_OBJ_HANDLE]) {
8015 attr = nla[NFTA_OBJ_HANDLE];
8016 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
8017 } else {
8018 attr = nla[NFTA_OBJ_NAME];
8019 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
8020 }
8021
8022 if (IS_ERR(obj)) {
8023 if (PTR_ERR(obj) == -ENOENT &&
8024 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
8025 return 0;
8026
8027 NL_SET_BAD_ATTR(extack, attr);
8028 return PTR_ERR(obj);
8029 }
8030 if (obj->use > 0) {
8031 NL_SET_BAD_ATTR(extack, attr);
8032 return -EBUSY;
8033 }
8034
8035 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8036
8037 return nft_delobj(&ctx, obj);
8038 }
8039
8040 static void
__nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8041 __nft_obj_notify(struct net *net, const struct nft_table *table,
8042 struct nft_object *obj, u32 portid, u32 seq, int event,
8043 u16 flags, int family, int report, gfp_t gfp)
8044 {
8045 struct nftables_pernet *nft_net = nft_pernet(net);
8046 struct sk_buff *skb;
8047 int err;
8048
8049 if (!report &&
8050 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8051 return;
8052
8053 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
8054 if (skb == NULL)
8055 goto err;
8056
8057 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
8058 flags & (NLM_F_CREATE | NLM_F_EXCL),
8059 family, table, obj, false);
8060 if (err < 0) {
8061 kfree_skb(skb);
8062 goto err;
8063 }
8064
8065 nft_notify_enqueue(skb, report, &nft_net->notify_list);
8066 return;
8067 err:
8068 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
8069 }
8070
nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8071 void nft_obj_notify(struct net *net, const struct nft_table *table,
8072 struct nft_object *obj, u32 portid, u32 seq, int event,
8073 u16 flags, int family, int report, gfp_t gfp)
8074 {
8075 struct nftables_pernet *nft_net = nft_pernet(net);
8076 char *buf = kasprintf(gfp, "%s:%u",
8077 table->name, nft_net->base_seq);
8078
8079 audit_log_nfcfg(buf,
8080 family,
8081 obj->handle,
8082 event == NFT_MSG_NEWOBJ ?
8083 AUDIT_NFT_OP_OBJ_REGISTER :
8084 AUDIT_NFT_OP_OBJ_UNREGISTER,
8085 gfp);
8086 kfree(buf);
8087
8088 __nft_obj_notify(net, table, obj, portid, seq, event,
8089 flags, family, report, gfp);
8090 }
8091 EXPORT_SYMBOL_GPL(nft_obj_notify);
8092
nf_tables_obj_notify(const struct nft_ctx * ctx,struct nft_object * obj,int event)8093 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
8094 struct nft_object *obj, int event)
8095 {
8096 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
8097 ctx->seq, event, ctx->flags, ctx->family,
8098 ctx->report, GFP_KERNEL);
8099 }
8100
8101 /*
8102 * Flow tables
8103 */
nft_register_flowtable_type(struct nf_flowtable_type * type)8104 void nft_register_flowtable_type(struct nf_flowtable_type *type)
8105 {
8106 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8107 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
8108 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8109 }
8110 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
8111
nft_unregister_flowtable_type(struct nf_flowtable_type * type)8112 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
8113 {
8114 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8115 list_del_rcu(&type->list);
8116 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8117 }
8118 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
8119
8120 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
8121 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
8122 .len = NFT_NAME_MAXLEN - 1 },
8123 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
8124 .len = NFT_NAME_MAXLEN - 1 },
8125 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8126 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8127 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8128 };
8129
nft_flowtable_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8130 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
8131 const struct nlattr *nla, u8 genmask)
8132 {
8133 struct nft_flowtable *flowtable;
8134
8135 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8136 if (!nla_strcmp(nla, flowtable->name) &&
8137 nft_active_genmask(flowtable, genmask))
8138 return flowtable;
8139 }
8140 return ERR_PTR(-ENOENT);
8141 }
8142 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8143
nf_tables_deactivate_flowtable(const struct nft_ctx * ctx,struct nft_flowtable * flowtable,enum nft_trans_phase phase)8144 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8145 struct nft_flowtable *flowtable,
8146 enum nft_trans_phase phase)
8147 {
8148 switch (phase) {
8149 case NFT_TRANS_PREPARE_ERROR:
8150 case NFT_TRANS_PREPARE:
8151 case NFT_TRANS_ABORT:
8152 case NFT_TRANS_RELEASE:
8153 nft_use_dec(&flowtable->use);
8154 fallthrough;
8155 default:
8156 return;
8157 }
8158 }
8159 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8160
8161 static struct nft_flowtable *
nft_flowtable_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8162 nft_flowtable_lookup_byhandle(const struct nft_table *table,
8163 const struct nlattr *nla, u8 genmask)
8164 {
8165 struct nft_flowtable *flowtable;
8166
8167 list_for_each_entry(flowtable, &table->flowtables, list) {
8168 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8169 nft_active_genmask(flowtable, genmask))
8170 return flowtable;
8171 }
8172 return ERR_PTR(-ENOENT);
8173 }
8174
8175 struct nft_flowtable_hook {
8176 u32 num;
8177 int priority;
8178 struct list_head list;
8179 };
8180
8181 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8182 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8183 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8184 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8185 };
8186
nft_flowtable_parse_hook(const struct nft_ctx * ctx,const struct nlattr * const nla[],struct nft_flowtable_hook * flowtable_hook,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack,bool add)8187 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8188 const struct nlattr * const nla[],
8189 struct nft_flowtable_hook *flowtable_hook,
8190 struct nft_flowtable *flowtable,
8191 struct netlink_ext_ack *extack, bool add)
8192 {
8193 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8194 struct nft_hook *hook;
8195 int hooknum, priority;
8196 int err;
8197
8198 INIT_LIST_HEAD(&flowtable_hook->list);
8199
8200 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8201 nla[NFTA_FLOWTABLE_HOOK],
8202 nft_flowtable_hook_policy, NULL);
8203 if (err < 0)
8204 return err;
8205
8206 if (add) {
8207 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8208 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8209 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8210 return -ENOENT;
8211 }
8212
8213 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8214 if (hooknum != NF_NETDEV_INGRESS)
8215 return -EOPNOTSUPP;
8216
8217 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8218
8219 flowtable_hook->priority = priority;
8220 flowtable_hook->num = hooknum;
8221 } else {
8222 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8223 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8224 if (hooknum != flowtable->hooknum)
8225 return -EOPNOTSUPP;
8226 }
8227
8228 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8229 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8230 if (priority != flowtable->data.priority)
8231 return -EOPNOTSUPP;
8232 }
8233
8234 flowtable_hook->priority = flowtable->data.priority;
8235 flowtable_hook->num = flowtable->hooknum;
8236 }
8237
8238 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8239 err = nf_tables_parse_netdev_hooks(ctx->net,
8240 tb[NFTA_FLOWTABLE_HOOK_DEVS],
8241 &flowtable_hook->list,
8242 extack);
8243 if (err < 0)
8244 return err;
8245 }
8246
8247 list_for_each_entry(hook, &flowtable_hook->list, list) {
8248 hook->ops.pf = NFPROTO_NETDEV;
8249 hook->ops.hooknum = flowtable_hook->num;
8250 hook->ops.priority = flowtable_hook->priority;
8251 hook->ops.priv = &flowtable->data;
8252 hook->ops.hook = flowtable->data.type->hook;
8253 }
8254
8255 return err;
8256 }
8257
__nft_flowtable_type_get(u8 family)8258 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
8259 {
8260 const struct nf_flowtable_type *type;
8261
8262 list_for_each_entry(type, &nf_tables_flowtables, list) {
8263 if (family == type->family)
8264 return type;
8265 }
8266 return NULL;
8267 }
8268
8269 static const struct nf_flowtable_type *
nft_flowtable_type_get(struct net * net,u8 family)8270 nft_flowtable_type_get(struct net *net, u8 family)
8271 {
8272 const struct nf_flowtable_type *type;
8273
8274 type = __nft_flowtable_type_get(family);
8275 if (type != NULL && try_module_get(type->owner))
8276 return type;
8277
8278 lockdep_nfnl_nft_mutex_not_held();
8279 #ifdef CONFIG_MODULES
8280 if (type == NULL) {
8281 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
8282 return ERR_PTR(-EAGAIN);
8283 }
8284 #endif
8285 return ERR_PTR(-ENOENT);
8286 }
8287
8288 /* Only called from error and netdev event paths. */
nft_unregister_flowtable_hook(struct net * net,struct nft_flowtable * flowtable,struct nft_hook * hook)8289 static void nft_unregister_flowtable_hook(struct net *net,
8290 struct nft_flowtable *flowtable,
8291 struct nft_hook *hook)
8292 {
8293 nf_unregister_net_hook(net, &hook->ops);
8294 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8295 FLOW_BLOCK_UNBIND);
8296 }
8297
__nft_unregister_flowtable_net_hooks(struct net * net,struct list_head * hook_list,bool release_netdev)8298 static void __nft_unregister_flowtable_net_hooks(struct net *net,
8299 struct list_head *hook_list,
8300 bool release_netdev)
8301 {
8302 struct nft_hook *hook, *next;
8303
8304 list_for_each_entry_safe(hook, next, hook_list, list) {
8305 nf_unregister_net_hook(net, &hook->ops);
8306 if (release_netdev) {
8307 list_del(&hook->list);
8308 kfree_rcu(hook, rcu);
8309 }
8310 }
8311 }
8312
nft_unregister_flowtable_net_hooks(struct net * net,struct list_head * hook_list)8313 static void nft_unregister_flowtable_net_hooks(struct net *net,
8314 struct list_head *hook_list)
8315 {
8316 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
8317 }
8318
nft_register_flowtable_net_hooks(struct net * net,struct nft_table * table,struct list_head * hook_list,struct nft_flowtable * flowtable)8319 static int nft_register_flowtable_net_hooks(struct net *net,
8320 struct nft_table *table,
8321 struct list_head *hook_list,
8322 struct nft_flowtable *flowtable)
8323 {
8324 struct nft_hook *hook, *hook2, *next;
8325 struct nft_flowtable *ft;
8326 int err, i = 0;
8327
8328 list_for_each_entry(hook, hook_list, list) {
8329 list_for_each_entry(ft, &table->flowtables, list) {
8330 if (!nft_is_active_next(net, ft))
8331 continue;
8332
8333 list_for_each_entry(hook2, &ft->hook_list, list) {
8334 if (hook->ops.dev == hook2->ops.dev &&
8335 hook->ops.pf == hook2->ops.pf) {
8336 err = -EEXIST;
8337 goto err_unregister_net_hooks;
8338 }
8339 }
8340 }
8341
8342 err = flowtable->data.type->setup(&flowtable->data,
8343 hook->ops.dev,
8344 FLOW_BLOCK_BIND);
8345 if (err < 0)
8346 goto err_unregister_net_hooks;
8347
8348 err = nf_register_net_hook(net, &hook->ops);
8349 if (err < 0) {
8350 flowtable->data.type->setup(&flowtable->data,
8351 hook->ops.dev,
8352 FLOW_BLOCK_UNBIND);
8353 goto err_unregister_net_hooks;
8354 }
8355
8356 i++;
8357 }
8358
8359 return 0;
8360
8361 err_unregister_net_hooks:
8362 list_for_each_entry_safe(hook, next, hook_list, list) {
8363 if (i-- <= 0)
8364 break;
8365
8366 nft_unregister_flowtable_hook(net, flowtable, hook);
8367 list_del_rcu(&hook->list);
8368 kfree_rcu(hook, rcu);
8369 }
8370
8371 return err;
8372 }
8373
nft_hooks_destroy(struct list_head * hook_list)8374 static void nft_hooks_destroy(struct list_head *hook_list)
8375 {
8376 struct nft_hook *hook, *next;
8377
8378 list_for_each_entry_safe(hook, next, hook_list, list) {
8379 list_del_rcu(&hook->list);
8380 kfree_rcu(hook, rcu);
8381 }
8382 }
8383
nft_flowtable_update(struct nft_ctx * ctx,const struct nlmsghdr * nlh,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)8384 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
8385 struct nft_flowtable *flowtable,
8386 struct netlink_ext_ack *extack)
8387 {
8388 const struct nlattr * const *nla = ctx->nla;
8389 struct nft_flowtable_hook flowtable_hook;
8390 struct nft_hook *hook, *next;
8391 struct nft_trans *trans;
8392 bool unregister = false;
8393 u32 flags;
8394 int err;
8395
8396 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8397 extack, false);
8398 if (err < 0)
8399 return err;
8400
8401 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8402 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
8403 list_del(&hook->list);
8404 kfree(hook);
8405 }
8406 }
8407
8408 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8409 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8410 if (flags & ~NFT_FLOWTABLE_MASK) {
8411 err = -EOPNOTSUPP;
8412 goto err_flowtable_update_hook;
8413 }
8414 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
8415 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
8416 err = -EOPNOTSUPP;
8417 goto err_flowtable_update_hook;
8418 }
8419 } else {
8420 flags = flowtable->data.flags;
8421 }
8422
8423 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
8424 &flowtable_hook.list, flowtable);
8425 if (err < 0)
8426 goto err_flowtable_update_hook;
8427
8428 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
8429 sizeof(struct nft_trans_flowtable));
8430 if (!trans) {
8431 unregister = true;
8432 err = -ENOMEM;
8433 goto err_flowtable_update_hook;
8434 }
8435
8436 nft_trans_flowtable_flags(trans) = flags;
8437 nft_trans_flowtable(trans) = flowtable;
8438 nft_trans_flowtable_update(trans) = true;
8439 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8440 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
8441
8442 nft_trans_commit_list_add_tail(ctx->net, trans);
8443
8444 return 0;
8445
8446 err_flowtable_update_hook:
8447 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8448 if (unregister)
8449 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
8450 list_del_rcu(&hook->list);
8451 kfree_rcu(hook, rcu);
8452 }
8453
8454 return err;
8455
8456 }
8457
nf_tables_newflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8458 static int nf_tables_newflowtable(struct sk_buff *skb,
8459 const struct nfnl_info *info,
8460 const struct nlattr * const nla[])
8461 {
8462 struct netlink_ext_ack *extack = info->extack;
8463 struct nft_flowtable_hook flowtable_hook;
8464 u8 genmask = nft_genmask_next(info->net);
8465 u8 family = info->nfmsg->nfgen_family;
8466 const struct nf_flowtable_type *type;
8467 struct nft_flowtable *flowtable;
8468 struct net *net = info->net;
8469 struct nft_table *table;
8470 struct nft_trans *trans;
8471 struct nft_ctx ctx;
8472 int err;
8473
8474 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8475 !nla[NFTA_FLOWTABLE_NAME] ||
8476 !nla[NFTA_FLOWTABLE_HOOK])
8477 return -EINVAL;
8478
8479 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8480 genmask, NETLINK_CB(skb).portid);
8481 if (IS_ERR(table)) {
8482 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8483 return PTR_ERR(table);
8484 }
8485
8486 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8487 genmask);
8488 if (IS_ERR(flowtable)) {
8489 err = PTR_ERR(flowtable);
8490 if (err != -ENOENT) {
8491 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8492 return err;
8493 }
8494 } else {
8495 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8496 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8497 return -EEXIST;
8498 }
8499
8500 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8501
8502 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
8503 }
8504
8505 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8506
8507 if (!nft_use_inc(&table->use))
8508 return -EMFILE;
8509
8510 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
8511 if (!flowtable) {
8512 err = -ENOMEM;
8513 goto flowtable_alloc;
8514 }
8515
8516 flowtable->table = table;
8517 flowtable->handle = nf_tables_alloc_handle(table);
8518 INIT_LIST_HEAD(&flowtable->hook_list);
8519
8520 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
8521 if (!flowtable->name) {
8522 err = -ENOMEM;
8523 goto err1;
8524 }
8525
8526 type = nft_flowtable_type_get(net, family);
8527 if (IS_ERR(type)) {
8528 err = PTR_ERR(type);
8529 goto err2;
8530 }
8531
8532 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8533 flowtable->data.flags =
8534 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8535 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
8536 err = -EOPNOTSUPP;
8537 goto err3;
8538 }
8539 }
8540
8541 write_pnet(&flowtable->data.net, net);
8542 flowtable->data.type = type;
8543 err = type->init(&flowtable->data);
8544 if (err < 0)
8545 goto err3;
8546
8547 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
8548 extack, true);
8549 if (err < 0)
8550 goto err_flowtable_parse_hooks;
8551
8552 list_splice(&flowtable_hook.list, &flowtable->hook_list);
8553 flowtable->data.priority = flowtable_hook.priority;
8554 flowtable->hooknum = flowtable_hook.num;
8555
8556 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
8557 if (IS_ERR(trans)) {
8558 err = PTR_ERR(trans);
8559 goto err_flowtable_trans;
8560 }
8561
8562 /* This must be LAST to ensure no packets are walking over this flowtable. */
8563 err = nft_register_flowtable_net_hooks(ctx.net, table,
8564 &flowtable->hook_list,
8565 flowtable);
8566 if (err < 0)
8567 goto err_flowtable_hooks;
8568
8569 list_add_tail_rcu(&flowtable->list, &table->flowtables);
8570
8571 return 0;
8572
8573 err_flowtable_hooks:
8574 nft_trans_destroy(trans);
8575 err_flowtable_trans:
8576 nft_hooks_destroy(&flowtable->hook_list);
8577 err_flowtable_parse_hooks:
8578 flowtable->data.type->free(&flowtable->data);
8579 err3:
8580 module_put(type->owner);
8581 err2:
8582 kfree(flowtable->name);
8583 err1:
8584 kfree(flowtable);
8585 flowtable_alloc:
8586 nft_use_dec_restore(&table->use);
8587
8588 return err;
8589 }
8590
nft_flowtable_hook_release(struct nft_flowtable_hook * flowtable_hook)8591 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8592 {
8593 struct nft_hook *this, *next;
8594
8595 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8596 list_del(&this->list);
8597 kfree(this);
8598 }
8599 }
8600
nft_delflowtable_hook(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)8601 static int nft_delflowtable_hook(struct nft_ctx *ctx,
8602 struct nft_flowtable *flowtable,
8603 struct netlink_ext_ack *extack)
8604 {
8605 const struct nlattr * const *nla = ctx->nla;
8606 struct nft_flowtable_hook flowtable_hook;
8607 LIST_HEAD(flowtable_del_list);
8608 struct nft_hook *this, *hook;
8609 struct nft_trans *trans;
8610 int err;
8611
8612 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8613 extack, false);
8614 if (err < 0)
8615 return err;
8616
8617 list_for_each_entry(this, &flowtable_hook.list, list) {
8618 hook = nft_hook_list_find(&flowtable->hook_list, this);
8619 if (!hook) {
8620 err = -ENOENT;
8621 goto err_flowtable_del_hook;
8622 }
8623 list_move(&hook->list, &flowtable_del_list);
8624 }
8625
8626 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
8627 sizeof(struct nft_trans_flowtable));
8628 if (!trans) {
8629 err = -ENOMEM;
8630 goto err_flowtable_del_hook;
8631 }
8632
8633 nft_trans_flowtable(trans) = flowtable;
8634 nft_trans_flowtable_update(trans) = true;
8635 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8636 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
8637 nft_flowtable_hook_release(&flowtable_hook);
8638
8639 nft_trans_commit_list_add_tail(ctx->net, trans);
8640
8641 return 0;
8642
8643 err_flowtable_del_hook:
8644 list_splice(&flowtable_del_list, &flowtable->hook_list);
8645 nft_flowtable_hook_release(&flowtable_hook);
8646
8647 return err;
8648 }
8649
nf_tables_delflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8650 static int nf_tables_delflowtable(struct sk_buff *skb,
8651 const struct nfnl_info *info,
8652 const struct nlattr * const nla[])
8653 {
8654 struct netlink_ext_ack *extack = info->extack;
8655 u8 genmask = nft_genmask_next(info->net);
8656 u8 family = info->nfmsg->nfgen_family;
8657 struct nft_flowtable *flowtable;
8658 struct net *net = info->net;
8659 const struct nlattr *attr;
8660 struct nft_table *table;
8661 struct nft_ctx ctx;
8662
8663 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8664 (!nla[NFTA_FLOWTABLE_NAME] &&
8665 !nla[NFTA_FLOWTABLE_HANDLE]))
8666 return -EINVAL;
8667
8668 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8669 genmask, NETLINK_CB(skb).portid);
8670 if (IS_ERR(table)) {
8671 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8672 return PTR_ERR(table);
8673 }
8674
8675 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8676 attr = nla[NFTA_FLOWTABLE_HANDLE];
8677 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
8678 } else {
8679 attr = nla[NFTA_FLOWTABLE_NAME];
8680 flowtable = nft_flowtable_lookup(table, attr, genmask);
8681 }
8682
8683 if (IS_ERR(flowtable)) {
8684 if (PTR_ERR(flowtable) == -ENOENT &&
8685 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8686 return 0;
8687
8688 NL_SET_BAD_ATTR(extack, attr);
8689 return PTR_ERR(flowtable);
8690 }
8691
8692 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8693
8694 if (nla[NFTA_FLOWTABLE_HOOK])
8695 return nft_delflowtable_hook(&ctx, flowtable, extack);
8696
8697 if (flowtable->use > 0) {
8698 NL_SET_BAD_ATTR(extack, attr);
8699 return -EBUSY;
8700 }
8701
8702 return nft_delflowtable(&ctx, flowtable);
8703 }
8704
nf_tables_fill_flowtable_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,struct nft_flowtable * flowtable,struct list_head * hook_list)8705 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8706 u32 portid, u32 seq, int event,
8707 u32 flags, int family,
8708 struct nft_flowtable *flowtable,
8709 struct list_head *hook_list)
8710 {
8711 struct nlattr *nest, *nest_devs;
8712 struct nft_hook *hook;
8713 struct nlmsghdr *nlh;
8714
8715 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8716 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8717 NFNETLINK_V0, nft_base_seq(net));
8718 if (!nlh)
8719 goto nla_put_failure;
8720
8721 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
8722 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
8723 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8724 NFTA_FLOWTABLE_PAD))
8725 goto nla_put_failure;
8726
8727 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
8728 nlmsg_end(skb, nlh);
8729 return 0;
8730 }
8731
8732 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8733 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8734 goto nla_put_failure;
8735
8736 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
8737 if (!nest)
8738 goto nla_put_failure;
8739 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8740 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8741 goto nla_put_failure;
8742
8743 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
8744 if (!nest_devs)
8745 goto nla_put_failure;
8746
8747 if (!hook_list)
8748 hook_list = &flowtable->hook_list;
8749
8750 list_for_each_entry_rcu(hook, hook_list, list) {
8751 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
8752 goto nla_put_failure;
8753 }
8754 nla_nest_end(skb, nest_devs);
8755 nla_nest_end(skb, nest);
8756
8757 nlmsg_end(skb, nlh);
8758 return 0;
8759
8760 nla_put_failure:
8761 nlmsg_trim(skb, nlh);
8762 return -1;
8763 }
8764
8765 struct nft_flowtable_filter {
8766 char *table;
8767 };
8768
nf_tables_dump_flowtable(struct sk_buff * skb,struct netlink_callback * cb)8769 static int nf_tables_dump_flowtable(struct sk_buff *skb,
8770 struct netlink_callback *cb)
8771 {
8772 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8773 struct nft_flowtable_filter *filter = cb->data;
8774 unsigned int idx = 0, s_idx = cb->args[0];
8775 struct net *net = sock_net(skb->sk);
8776 int family = nfmsg->nfgen_family;
8777 struct nft_flowtable *flowtable;
8778 struct nftables_pernet *nft_net;
8779 const struct nft_table *table;
8780
8781 rcu_read_lock();
8782 nft_net = nft_pernet(net);
8783 cb->seq = READ_ONCE(nft_net->base_seq);
8784
8785 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8786 if (family != NFPROTO_UNSPEC && family != table->family)
8787 continue;
8788
8789 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8790 if (!nft_is_active(net, flowtable))
8791 goto cont;
8792 if (idx < s_idx)
8793 goto cont;
8794 if (idx > s_idx)
8795 memset(&cb->args[1], 0,
8796 sizeof(cb->args) - sizeof(cb->args[0]));
8797 if (filter && filter->table &&
8798 strcmp(filter->table, table->name))
8799 goto cont;
8800
8801 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
8802 cb->nlh->nlmsg_seq,
8803 NFT_MSG_NEWFLOWTABLE,
8804 NLM_F_MULTI | NLM_F_APPEND,
8805 table->family,
8806 flowtable, NULL) < 0)
8807 goto done;
8808
8809 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8810 cont:
8811 idx++;
8812 }
8813 }
8814 done:
8815 rcu_read_unlock();
8816
8817 cb->args[0] = idx;
8818 return skb->len;
8819 }
8820
nf_tables_dump_flowtable_start(struct netlink_callback * cb)8821 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
8822 {
8823 const struct nlattr * const *nla = cb->data;
8824 struct nft_flowtable_filter *filter = NULL;
8825
8826 if (nla[NFTA_FLOWTABLE_TABLE]) {
8827 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
8828 if (!filter)
8829 return -ENOMEM;
8830
8831 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
8832 GFP_ATOMIC);
8833 if (!filter->table) {
8834 kfree(filter);
8835 return -ENOMEM;
8836 }
8837 }
8838
8839 cb->data = filter;
8840 return 0;
8841 }
8842
nf_tables_dump_flowtable_done(struct netlink_callback * cb)8843 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
8844 {
8845 struct nft_flowtable_filter *filter = cb->data;
8846
8847 if (!filter)
8848 return 0;
8849
8850 kfree(filter->table);
8851 kfree(filter);
8852
8853 return 0;
8854 }
8855
8856 /* called with rcu_read_lock held */
nf_tables_getflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8857 static int nf_tables_getflowtable(struct sk_buff *skb,
8858 const struct nfnl_info *info,
8859 const struct nlattr * const nla[])
8860 {
8861 struct netlink_ext_ack *extack = info->extack;
8862 u8 genmask = nft_genmask_cur(info->net);
8863 u8 family = info->nfmsg->nfgen_family;
8864 struct nft_flowtable *flowtable;
8865 const struct nft_table *table;
8866 struct net *net = info->net;
8867 struct sk_buff *skb2;
8868 int err;
8869
8870 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8871 struct netlink_dump_control c = {
8872 .start = nf_tables_dump_flowtable_start,
8873 .dump = nf_tables_dump_flowtable,
8874 .done = nf_tables_dump_flowtable_done,
8875 .module = THIS_MODULE,
8876 .data = (void *)nla,
8877 };
8878
8879 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8880 }
8881
8882 if (!nla[NFTA_FLOWTABLE_NAME])
8883 return -EINVAL;
8884
8885 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8886 genmask, 0);
8887 if (IS_ERR(table)) {
8888 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8889 return PTR_ERR(table);
8890 }
8891
8892 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8893 genmask);
8894 if (IS_ERR(flowtable)) {
8895 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8896 return PTR_ERR(flowtable);
8897 }
8898
8899 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8900 if (!skb2)
8901 return -ENOMEM;
8902
8903 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
8904 info->nlh->nlmsg_seq,
8905 NFT_MSG_NEWFLOWTABLE, 0, family,
8906 flowtable, NULL);
8907 if (err < 0)
8908 goto err_fill_flowtable_info;
8909
8910 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
8911
8912 err_fill_flowtable_info:
8913 kfree_skb(skb2);
8914 return err;
8915 }
8916
nf_tables_flowtable_notify(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct list_head * hook_list,int event)8917 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
8918 struct nft_flowtable *flowtable,
8919 struct list_head *hook_list, int event)
8920 {
8921 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
8922 struct sk_buff *skb;
8923 u16 flags = 0;
8924 int err;
8925
8926 if (!ctx->report &&
8927 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
8928 return;
8929
8930 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8931 if (skb == NULL)
8932 goto err;
8933
8934 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
8935 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
8936
8937 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
8938 ctx->seq, event, flags,
8939 ctx->family, flowtable, hook_list);
8940 if (err < 0) {
8941 kfree_skb(skb);
8942 goto err;
8943 }
8944
8945 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
8946 return;
8947 err:
8948 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
8949 }
8950
nf_tables_flowtable_destroy(struct nft_flowtable * flowtable)8951 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
8952 {
8953 struct nft_hook *hook, *next;
8954
8955 flowtable->data.type->free(&flowtable->data);
8956 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8957 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8958 FLOW_BLOCK_UNBIND);
8959 list_del_rcu(&hook->list);
8960 kfree(hook);
8961 }
8962 kfree(flowtable->name);
8963 module_put(flowtable->data.type->owner);
8964 kfree(flowtable);
8965 }
8966
nf_tables_fill_gen_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq)8967 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
8968 u32 portid, u32 seq)
8969 {
8970 struct nftables_pernet *nft_net = nft_pernet(net);
8971 struct nlmsghdr *nlh;
8972 char buf[TASK_COMM_LEN];
8973 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
8974
8975 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
8976 NFNETLINK_V0, nft_base_seq(net));
8977 if (!nlh)
8978 goto nla_put_failure;
8979
8980 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
8981 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
8982 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
8983 goto nla_put_failure;
8984
8985 nlmsg_end(skb, nlh);
8986 return 0;
8987
8988 nla_put_failure:
8989 nlmsg_trim(skb, nlh);
8990 return -EMSGSIZE;
8991 }
8992
nft_flowtable_event(unsigned long event,struct net_device * dev,struct nft_flowtable * flowtable)8993 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
8994 struct nft_flowtable *flowtable)
8995 {
8996 struct nft_hook *hook;
8997
8998 list_for_each_entry(hook, &flowtable->hook_list, list) {
8999 if (hook->ops.dev != dev)
9000 continue;
9001
9002 /* flow_offload_netdev_event() cleans up entries for us. */
9003 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
9004 list_del_rcu(&hook->list);
9005 kfree_rcu(hook, rcu);
9006 break;
9007 }
9008 }
9009
nf_tables_flowtable_event(struct notifier_block * this,unsigned long event,void * ptr)9010 static int nf_tables_flowtable_event(struct notifier_block *this,
9011 unsigned long event, void *ptr)
9012 {
9013 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
9014 struct nft_flowtable *flowtable;
9015 struct nftables_pernet *nft_net;
9016 struct nft_table *table;
9017 struct net *net;
9018
9019 if (event != NETDEV_UNREGISTER)
9020 return 0;
9021
9022 net = dev_net(dev);
9023 nft_net = nft_pernet(net);
9024 mutex_lock(&nft_net->commit_mutex);
9025 list_for_each_entry(table, &nft_net->tables, list) {
9026 list_for_each_entry(flowtable, &table->flowtables, list) {
9027 nft_flowtable_event(event, dev, flowtable);
9028 }
9029 }
9030 mutex_unlock(&nft_net->commit_mutex);
9031
9032 return NOTIFY_DONE;
9033 }
9034
9035 static struct notifier_block nf_tables_flowtable_notifier = {
9036 .notifier_call = nf_tables_flowtable_event,
9037 };
9038
nf_tables_gen_notify(struct net * net,struct sk_buff * skb,int event)9039 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
9040 int event)
9041 {
9042 struct nlmsghdr *nlh = nlmsg_hdr(skb);
9043 struct sk_buff *skb2;
9044 int err;
9045
9046 if (!nlmsg_report(nlh) &&
9047 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
9048 return;
9049
9050 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9051 if (skb2 == NULL)
9052 goto err;
9053
9054 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
9055 nlh->nlmsg_seq);
9056 if (err < 0) {
9057 kfree_skb(skb2);
9058 goto err;
9059 }
9060
9061 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9062 nlmsg_report(nlh), GFP_KERNEL);
9063 return;
9064 err:
9065 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9066 -ENOBUFS);
9067 }
9068
nf_tables_getgen(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9069 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
9070 const struct nlattr * const nla[])
9071 {
9072 struct sk_buff *skb2;
9073 int err;
9074
9075 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9076 if (skb2 == NULL)
9077 return -ENOMEM;
9078
9079 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
9080 info->nlh->nlmsg_seq);
9081 if (err < 0)
9082 goto err_fill_gen_info;
9083
9084 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
9085
9086 err_fill_gen_info:
9087 kfree_skb(skb2);
9088 return err;
9089 }
9090
9091 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
9092 [NFT_MSG_NEWTABLE] = {
9093 .call = nf_tables_newtable,
9094 .type = NFNL_CB_BATCH,
9095 .attr_count = NFTA_TABLE_MAX,
9096 .policy = nft_table_policy,
9097 },
9098 [NFT_MSG_GETTABLE] = {
9099 .call = nf_tables_gettable,
9100 .type = NFNL_CB_RCU,
9101 .attr_count = NFTA_TABLE_MAX,
9102 .policy = nft_table_policy,
9103 },
9104 [NFT_MSG_DELTABLE] = {
9105 .call = nf_tables_deltable,
9106 .type = NFNL_CB_BATCH,
9107 .attr_count = NFTA_TABLE_MAX,
9108 .policy = nft_table_policy,
9109 },
9110 [NFT_MSG_DESTROYTABLE] = {
9111 .call = nf_tables_deltable,
9112 .type = NFNL_CB_BATCH,
9113 .attr_count = NFTA_TABLE_MAX,
9114 .policy = nft_table_policy,
9115 },
9116 [NFT_MSG_NEWCHAIN] = {
9117 .call = nf_tables_newchain,
9118 .type = NFNL_CB_BATCH,
9119 .attr_count = NFTA_CHAIN_MAX,
9120 .policy = nft_chain_policy,
9121 },
9122 [NFT_MSG_GETCHAIN] = {
9123 .call = nf_tables_getchain,
9124 .type = NFNL_CB_RCU,
9125 .attr_count = NFTA_CHAIN_MAX,
9126 .policy = nft_chain_policy,
9127 },
9128 [NFT_MSG_DELCHAIN] = {
9129 .call = nf_tables_delchain,
9130 .type = NFNL_CB_BATCH,
9131 .attr_count = NFTA_CHAIN_MAX,
9132 .policy = nft_chain_policy,
9133 },
9134 [NFT_MSG_DESTROYCHAIN] = {
9135 .call = nf_tables_delchain,
9136 .type = NFNL_CB_BATCH,
9137 .attr_count = NFTA_CHAIN_MAX,
9138 .policy = nft_chain_policy,
9139 },
9140 [NFT_MSG_NEWRULE] = {
9141 .call = nf_tables_newrule,
9142 .type = NFNL_CB_BATCH,
9143 .attr_count = NFTA_RULE_MAX,
9144 .policy = nft_rule_policy,
9145 },
9146 [NFT_MSG_GETRULE] = {
9147 .call = nf_tables_getrule,
9148 .type = NFNL_CB_RCU,
9149 .attr_count = NFTA_RULE_MAX,
9150 .policy = nft_rule_policy,
9151 },
9152 [NFT_MSG_GETRULE_RESET] = {
9153 .call = nf_tables_getrule_reset,
9154 .type = NFNL_CB_RCU,
9155 .attr_count = NFTA_RULE_MAX,
9156 .policy = nft_rule_policy,
9157 },
9158 [NFT_MSG_DELRULE] = {
9159 .call = nf_tables_delrule,
9160 .type = NFNL_CB_BATCH,
9161 .attr_count = NFTA_RULE_MAX,
9162 .policy = nft_rule_policy,
9163 },
9164 [NFT_MSG_DESTROYRULE] = {
9165 .call = nf_tables_delrule,
9166 .type = NFNL_CB_BATCH,
9167 .attr_count = NFTA_RULE_MAX,
9168 .policy = nft_rule_policy,
9169 },
9170 [NFT_MSG_NEWSET] = {
9171 .call = nf_tables_newset,
9172 .type = NFNL_CB_BATCH,
9173 .attr_count = NFTA_SET_MAX,
9174 .policy = nft_set_policy,
9175 },
9176 [NFT_MSG_GETSET] = {
9177 .call = nf_tables_getset,
9178 .type = NFNL_CB_RCU,
9179 .attr_count = NFTA_SET_MAX,
9180 .policy = nft_set_policy,
9181 },
9182 [NFT_MSG_DELSET] = {
9183 .call = nf_tables_delset,
9184 .type = NFNL_CB_BATCH,
9185 .attr_count = NFTA_SET_MAX,
9186 .policy = nft_set_policy,
9187 },
9188 [NFT_MSG_DESTROYSET] = {
9189 .call = nf_tables_delset,
9190 .type = NFNL_CB_BATCH,
9191 .attr_count = NFTA_SET_MAX,
9192 .policy = nft_set_policy,
9193 },
9194 [NFT_MSG_NEWSETELEM] = {
9195 .call = nf_tables_newsetelem,
9196 .type = NFNL_CB_BATCH,
9197 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9198 .policy = nft_set_elem_list_policy,
9199 },
9200 [NFT_MSG_GETSETELEM] = {
9201 .call = nf_tables_getsetelem,
9202 .type = NFNL_CB_RCU,
9203 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9204 .policy = nft_set_elem_list_policy,
9205 },
9206 [NFT_MSG_GETSETELEM_RESET] = {
9207 .call = nf_tables_getsetelem_reset,
9208 .type = NFNL_CB_RCU,
9209 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9210 .policy = nft_set_elem_list_policy,
9211 },
9212 [NFT_MSG_DELSETELEM] = {
9213 .call = nf_tables_delsetelem,
9214 .type = NFNL_CB_BATCH,
9215 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9216 .policy = nft_set_elem_list_policy,
9217 },
9218 [NFT_MSG_DESTROYSETELEM] = {
9219 .call = nf_tables_delsetelem,
9220 .type = NFNL_CB_BATCH,
9221 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9222 .policy = nft_set_elem_list_policy,
9223 },
9224 [NFT_MSG_GETGEN] = {
9225 .call = nf_tables_getgen,
9226 .type = NFNL_CB_RCU,
9227 },
9228 [NFT_MSG_NEWOBJ] = {
9229 .call = nf_tables_newobj,
9230 .type = NFNL_CB_BATCH,
9231 .attr_count = NFTA_OBJ_MAX,
9232 .policy = nft_obj_policy,
9233 },
9234 [NFT_MSG_GETOBJ] = {
9235 .call = nf_tables_getobj,
9236 .type = NFNL_CB_RCU,
9237 .attr_count = NFTA_OBJ_MAX,
9238 .policy = nft_obj_policy,
9239 },
9240 [NFT_MSG_DELOBJ] = {
9241 .call = nf_tables_delobj,
9242 .type = NFNL_CB_BATCH,
9243 .attr_count = NFTA_OBJ_MAX,
9244 .policy = nft_obj_policy,
9245 },
9246 [NFT_MSG_DESTROYOBJ] = {
9247 .call = nf_tables_delobj,
9248 .type = NFNL_CB_BATCH,
9249 .attr_count = NFTA_OBJ_MAX,
9250 .policy = nft_obj_policy,
9251 },
9252 [NFT_MSG_GETOBJ_RESET] = {
9253 .call = nf_tables_getobj,
9254 .type = NFNL_CB_RCU,
9255 .attr_count = NFTA_OBJ_MAX,
9256 .policy = nft_obj_policy,
9257 },
9258 [NFT_MSG_NEWFLOWTABLE] = {
9259 .call = nf_tables_newflowtable,
9260 .type = NFNL_CB_BATCH,
9261 .attr_count = NFTA_FLOWTABLE_MAX,
9262 .policy = nft_flowtable_policy,
9263 },
9264 [NFT_MSG_GETFLOWTABLE] = {
9265 .call = nf_tables_getflowtable,
9266 .type = NFNL_CB_RCU,
9267 .attr_count = NFTA_FLOWTABLE_MAX,
9268 .policy = nft_flowtable_policy,
9269 },
9270 [NFT_MSG_DELFLOWTABLE] = {
9271 .call = nf_tables_delflowtable,
9272 .type = NFNL_CB_BATCH,
9273 .attr_count = NFTA_FLOWTABLE_MAX,
9274 .policy = nft_flowtable_policy,
9275 },
9276 [NFT_MSG_DESTROYFLOWTABLE] = {
9277 .call = nf_tables_delflowtable,
9278 .type = NFNL_CB_BATCH,
9279 .attr_count = NFTA_FLOWTABLE_MAX,
9280 .policy = nft_flowtable_policy,
9281 },
9282 };
9283
nf_tables_validate(struct net * net)9284 static int nf_tables_validate(struct net *net)
9285 {
9286 struct nftables_pernet *nft_net = nft_pernet(net);
9287 struct nft_table *table;
9288
9289 list_for_each_entry(table, &nft_net->tables, list) {
9290 switch (table->validate_state) {
9291 case NFT_VALIDATE_SKIP:
9292 continue;
9293 case NFT_VALIDATE_NEED:
9294 nft_validate_state_update(table, NFT_VALIDATE_DO);
9295 fallthrough;
9296 case NFT_VALIDATE_DO:
9297 if (nft_table_validate(net, table) < 0)
9298 return -EAGAIN;
9299
9300 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
9301 break;
9302 }
9303 }
9304
9305 return 0;
9306 }
9307
9308 /* a drop policy has to be deferred until all rules have been activated,
9309 * otherwise a large ruleset that contains a drop-policy base chain will
9310 * cause all packets to get dropped until the full transaction has been
9311 * processed.
9312 *
9313 * We defer the drop policy until the transaction has been finalized.
9314 */
nft_chain_commit_drop_policy(struct nft_trans * trans)9315 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
9316 {
9317 struct nft_base_chain *basechain;
9318
9319 if (nft_trans_chain_policy(trans) != NF_DROP)
9320 return;
9321
9322 if (!nft_is_base_chain(trans->ctx.chain))
9323 return;
9324
9325 basechain = nft_base_chain(trans->ctx.chain);
9326 basechain->policy = NF_DROP;
9327 }
9328
nft_chain_commit_update(struct nft_trans * trans)9329 static void nft_chain_commit_update(struct nft_trans *trans)
9330 {
9331 struct nft_base_chain *basechain;
9332
9333 if (nft_trans_chain_name(trans)) {
9334 rhltable_remove(&trans->ctx.table->chains_ht,
9335 &trans->ctx.chain->rhlhead,
9336 nft_chain_ht_params);
9337 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
9338 rhltable_insert_key(&trans->ctx.table->chains_ht,
9339 trans->ctx.chain->name,
9340 &trans->ctx.chain->rhlhead,
9341 nft_chain_ht_params);
9342 }
9343
9344 if (!nft_is_base_chain(trans->ctx.chain))
9345 return;
9346
9347 nft_chain_stats_replace(trans);
9348
9349 basechain = nft_base_chain(trans->ctx.chain);
9350
9351 switch (nft_trans_chain_policy(trans)) {
9352 case NF_DROP:
9353 case NF_ACCEPT:
9354 basechain->policy = nft_trans_chain_policy(trans);
9355 break;
9356 }
9357 }
9358
nft_obj_commit_update(struct nft_trans * trans)9359 static void nft_obj_commit_update(struct nft_trans *trans)
9360 {
9361 struct nft_object *newobj;
9362 struct nft_object *obj;
9363
9364 obj = nft_trans_obj(trans);
9365 newobj = nft_trans_obj_newobj(trans);
9366
9367 if (obj->ops->update)
9368 obj->ops->update(obj, newobj);
9369
9370 nft_obj_destroy(&trans->ctx, newobj);
9371 }
9372
nft_commit_release(struct nft_trans * trans)9373 static void nft_commit_release(struct nft_trans *trans)
9374 {
9375 switch (trans->msg_type) {
9376 case NFT_MSG_DELTABLE:
9377 case NFT_MSG_DESTROYTABLE:
9378 nf_tables_table_destroy(&trans->ctx);
9379 break;
9380 case NFT_MSG_NEWCHAIN:
9381 free_percpu(nft_trans_chain_stats(trans));
9382 kfree(nft_trans_chain_name(trans));
9383 break;
9384 case NFT_MSG_DELCHAIN:
9385 case NFT_MSG_DESTROYCHAIN:
9386 if (nft_trans_chain_update(trans))
9387 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9388 else
9389 nf_tables_chain_destroy(&trans->ctx);
9390 break;
9391 case NFT_MSG_DELRULE:
9392 case NFT_MSG_DESTROYRULE:
9393 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
9394 break;
9395 case NFT_MSG_DELSET:
9396 case NFT_MSG_DESTROYSET:
9397 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
9398 break;
9399 case NFT_MSG_DELSETELEM:
9400 case NFT_MSG_DESTROYSETELEM:
9401 nf_tables_set_elem_destroy(&trans->ctx,
9402 nft_trans_elem_set(trans),
9403 nft_trans_elem_priv(trans));
9404 break;
9405 case NFT_MSG_DELOBJ:
9406 case NFT_MSG_DESTROYOBJ:
9407 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
9408 break;
9409 case NFT_MSG_DELFLOWTABLE:
9410 case NFT_MSG_DESTROYFLOWTABLE:
9411 if (nft_trans_flowtable_update(trans))
9412 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9413 else
9414 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9415 break;
9416 }
9417
9418 if (trans->put_net)
9419 put_net(trans->ctx.net);
9420
9421 kfree(trans);
9422 }
9423
nf_tables_trans_destroy_work(struct work_struct * w)9424 static void nf_tables_trans_destroy_work(struct work_struct *w)
9425 {
9426 struct nft_trans *trans, *next;
9427 LIST_HEAD(head);
9428
9429 spin_lock(&nf_tables_destroy_list_lock);
9430 list_splice_init(&nf_tables_destroy_list, &head);
9431 spin_unlock(&nf_tables_destroy_list_lock);
9432
9433 if (list_empty(&head))
9434 return;
9435
9436 synchronize_rcu();
9437
9438 list_for_each_entry_safe(trans, next, &head, list) {
9439 nft_trans_list_del(trans);
9440 nft_commit_release(trans);
9441 }
9442 }
9443
nf_tables_trans_destroy_flush_work(void)9444 void nf_tables_trans_destroy_flush_work(void)
9445 {
9446 flush_work(&trans_destroy_work);
9447 }
9448 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
9449
nft_expr_reduce(struct nft_regs_track * track,const struct nft_expr * expr)9450 static bool nft_expr_reduce(struct nft_regs_track *track,
9451 const struct nft_expr *expr)
9452 {
9453 return false;
9454 }
9455
nf_tables_commit_chain_prepare(struct net * net,struct nft_chain * chain)9456 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
9457 {
9458 const struct nft_expr *expr, *last;
9459 struct nft_regs_track track = {};
9460 unsigned int size, data_size;
9461 void *data, *data_boundary;
9462 struct nft_rule_dp *prule;
9463 struct nft_rule *rule;
9464
9465 /* already handled or inactive chain? */
9466 if (chain->blob_next || !nft_is_active_next(net, chain))
9467 return 0;
9468
9469 data_size = 0;
9470 list_for_each_entry(rule, &chain->rules, list) {
9471 if (nft_is_active_next(net, rule)) {
9472 data_size += sizeof(*prule) + rule->dlen;
9473 if (data_size > INT_MAX)
9474 return -ENOMEM;
9475 }
9476 }
9477
9478 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
9479 if (!chain->blob_next)
9480 return -ENOMEM;
9481
9482 data = (void *)chain->blob_next->data;
9483 data_boundary = data + data_size;
9484 size = 0;
9485
9486 list_for_each_entry(rule, &chain->rules, list) {
9487 if (!nft_is_active_next(net, rule))
9488 continue;
9489
9490 prule = (struct nft_rule_dp *)data;
9491 data += offsetof(struct nft_rule_dp, data);
9492 if (WARN_ON_ONCE(data > data_boundary))
9493 return -ENOMEM;
9494
9495 size = 0;
9496 track.last = nft_expr_last(rule);
9497 nft_rule_for_each_expr(expr, last, rule) {
9498 track.cur = expr;
9499
9500 if (nft_expr_reduce(&track, expr)) {
9501 expr = track.cur;
9502 continue;
9503 }
9504
9505 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
9506 return -ENOMEM;
9507
9508 memcpy(data + size, expr, expr->ops->size);
9509 size += expr->ops->size;
9510 }
9511 if (WARN_ON_ONCE(size >= 1 << 12))
9512 return -ENOMEM;
9513
9514 prule->handle = rule->handle;
9515 prule->dlen = size;
9516 prule->is_last = 0;
9517
9518 data += size;
9519 size = 0;
9520 chain->blob_next->size += (unsigned long)(data - (void *)prule);
9521 }
9522
9523 if (WARN_ON_ONCE(data > data_boundary))
9524 return -ENOMEM;
9525
9526 prule = (struct nft_rule_dp *)data;
9527 nft_last_rule(chain, prule);
9528
9529 return 0;
9530 }
9531
nf_tables_commit_chain_prepare_cancel(struct net * net)9532 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
9533 {
9534 struct nftables_pernet *nft_net = nft_pernet(net);
9535 struct nft_trans *trans, *next;
9536
9537 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9538 struct nft_chain *chain = trans->ctx.chain;
9539
9540 if (trans->msg_type == NFT_MSG_NEWRULE ||
9541 trans->msg_type == NFT_MSG_DELRULE) {
9542 kvfree(chain->blob_next);
9543 chain->blob_next = NULL;
9544 }
9545 }
9546 }
9547
__nf_tables_commit_chain_free_rules(struct rcu_head * h)9548 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
9549 {
9550 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
9551
9552 kvfree(l->blob);
9553 }
9554
nf_tables_commit_chain_free_rules_old(struct nft_rule_blob * blob)9555 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
9556 {
9557 struct nft_rule_dp_last *last;
9558
9559 /* last rule trailer is after end marker */
9560 last = (void *)blob + sizeof(*blob) + blob->size;
9561 last->blob = blob;
9562
9563 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
9564 }
9565
nf_tables_commit_chain(struct net * net,struct nft_chain * chain)9566 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
9567 {
9568 struct nft_rule_blob *g0, *g1;
9569 bool next_genbit;
9570
9571 next_genbit = nft_gencursor_next(net);
9572
9573 g0 = rcu_dereference_protected(chain->blob_gen_0,
9574 lockdep_commit_lock_is_held(net));
9575 g1 = rcu_dereference_protected(chain->blob_gen_1,
9576 lockdep_commit_lock_is_held(net));
9577
9578 /* No changes to this chain? */
9579 if (chain->blob_next == NULL) {
9580 /* chain had no change in last or next generation */
9581 if (g0 == g1)
9582 return;
9583 /*
9584 * chain had no change in this generation; make sure next
9585 * one uses same rules as current generation.
9586 */
9587 if (next_genbit) {
9588 rcu_assign_pointer(chain->blob_gen_1, g0);
9589 nf_tables_commit_chain_free_rules_old(g1);
9590 } else {
9591 rcu_assign_pointer(chain->blob_gen_0, g1);
9592 nf_tables_commit_chain_free_rules_old(g0);
9593 }
9594
9595 return;
9596 }
9597
9598 if (next_genbit)
9599 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9600 else
9601 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9602
9603 chain->blob_next = NULL;
9604
9605 if (g0 == g1)
9606 return;
9607
9608 if (next_genbit)
9609 nf_tables_commit_chain_free_rules_old(g1);
9610 else
9611 nf_tables_commit_chain_free_rules_old(g0);
9612 }
9613
nft_obj_del(struct nft_object * obj)9614 static void nft_obj_del(struct nft_object *obj)
9615 {
9616 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
9617 list_del_rcu(&obj->list);
9618 }
9619
nft_chain_del(struct nft_chain * chain)9620 void nft_chain_del(struct nft_chain *chain)
9621 {
9622 struct nft_table *table = chain->table;
9623
9624 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9625 nft_chain_ht_params));
9626 list_del_rcu(&chain->list);
9627 }
9628
nft_trans_gc_setelem_remove(struct nft_ctx * ctx,struct nft_trans_gc * trans)9629 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
9630 struct nft_trans_gc *trans)
9631 {
9632 struct nft_elem_priv **priv = trans->priv;
9633 unsigned int i;
9634
9635 for (i = 0; i < trans->count; i++) {
9636 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]);
9637 nft_setelem_remove(ctx->net, trans->set, priv[i]);
9638 }
9639 }
9640
nft_trans_gc_destroy(struct nft_trans_gc * trans)9641 void nft_trans_gc_destroy(struct nft_trans_gc *trans)
9642 {
9643 nft_set_put(trans->set);
9644 put_net(trans->net);
9645 kfree(trans);
9646 }
9647
nft_trans_gc_trans_free(struct rcu_head * rcu)9648 static void nft_trans_gc_trans_free(struct rcu_head *rcu)
9649 {
9650 struct nft_elem_priv *elem_priv;
9651 struct nft_trans_gc *trans;
9652 struct nft_ctx ctx = {};
9653 unsigned int i;
9654
9655 trans = container_of(rcu, struct nft_trans_gc, rcu);
9656 ctx.net = read_pnet(&trans->set->net);
9657
9658 for (i = 0; i < trans->count; i++) {
9659 elem_priv = trans->priv[i];
9660 if (!nft_setelem_is_catchall(trans->set, elem_priv))
9661 atomic_dec(&trans->set->nelems);
9662
9663 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv);
9664 }
9665
9666 nft_trans_gc_destroy(trans);
9667 }
9668
nft_trans_gc_work_done(struct nft_trans_gc * trans)9669 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
9670 {
9671 struct nftables_pernet *nft_net;
9672 struct nft_ctx ctx = {};
9673
9674 nft_net = nft_pernet(trans->net);
9675
9676 mutex_lock(&nft_net->commit_mutex);
9677
9678 /* Check for race with transaction, otherwise this batch refers to
9679 * stale objects that might not be there anymore. Skip transaction if
9680 * set has been destroyed from control plane transaction in case gc
9681 * worker loses race.
9682 */
9683 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
9684 mutex_unlock(&nft_net->commit_mutex);
9685 return false;
9686 }
9687
9688 ctx.net = trans->net;
9689 ctx.table = trans->set->table;
9690
9691 nft_trans_gc_setelem_remove(&ctx, trans);
9692 mutex_unlock(&nft_net->commit_mutex);
9693
9694 return true;
9695 }
9696
nft_trans_gc_work(struct work_struct * work)9697 static void nft_trans_gc_work(struct work_struct *work)
9698 {
9699 struct nft_trans_gc *trans, *next;
9700 LIST_HEAD(trans_gc_list);
9701
9702 spin_lock(&nf_tables_gc_list_lock);
9703 list_splice_init(&nf_tables_gc_list, &trans_gc_list);
9704 spin_unlock(&nf_tables_gc_list_lock);
9705
9706 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
9707 list_del(&trans->list);
9708 if (!nft_trans_gc_work_done(trans)) {
9709 nft_trans_gc_destroy(trans);
9710 continue;
9711 }
9712 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9713 }
9714 }
9715
nft_trans_gc_alloc(struct nft_set * set,unsigned int gc_seq,gfp_t gfp)9716 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
9717 unsigned int gc_seq, gfp_t gfp)
9718 {
9719 struct net *net = read_pnet(&set->net);
9720 struct nft_trans_gc *trans;
9721
9722 trans = kzalloc(sizeof(*trans), gfp);
9723 if (!trans)
9724 return NULL;
9725
9726 trans->net = maybe_get_net(net);
9727 if (!trans->net) {
9728 kfree(trans);
9729 return NULL;
9730 }
9731
9732 refcount_inc(&set->refs);
9733 trans->set = set;
9734 trans->seq = gc_seq;
9735
9736 return trans;
9737 }
9738
nft_trans_gc_elem_add(struct nft_trans_gc * trans,void * priv)9739 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
9740 {
9741 trans->priv[trans->count++] = priv;
9742 }
9743
nft_trans_gc_queue_work(struct nft_trans_gc * trans)9744 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
9745 {
9746 spin_lock(&nf_tables_gc_list_lock);
9747 list_add_tail(&trans->list, &nf_tables_gc_list);
9748 spin_unlock(&nf_tables_gc_list_lock);
9749
9750 schedule_work(&trans_gc_work);
9751 }
9752
nft_trans_gc_space(struct nft_trans_gc * trans)9753 static int nft_trans_gc_space(struct nft_trans_gc *trans)
9754 {
9755 return NFT_TRANS_GC_BATCHCOUNT - trans->count;
9756 }
9757
nft_trans_gc_queue_async(struct nft_trans_gc * gc,unsigned int gc_seq,gfp_t gfp)9758 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
9759 unsigned int gc_seq, gfp_t gfp)
9760 {
9761 struct nft_set *set;
9762
9763 if (nft_trans_gc_space(gc))
9764 return gc;
9765
9766 set = gc->set;
9767 nft_trans_gc_queue_work(gc);
9768
9769 return nft_trans_gc_alloc(set, gc_seq, gfp);
9770 }
9771
nft_trans_gc_queue_async_done(struct nft_trans_gc * trans)9772 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
9773 {
9774 if (trans->count == 0) {
9775 nft_trans_gc_destroy(trans);
9776 return;
9777 }
9778
9779 nft_trans_gc_queue_work(trans);
9780 }
9781
nft_trans_gc_queue_sync(struct nft_trans_gc * gc,gfp_t gfp)9782 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
9783 {
9784 struct nft_set *set;
9785
9786 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
9787 return NULL;
9788
9789 if (nft_trans_gc_space(gc))
9790 return gc;
9791
9792 set = gc->set;
9793 call_rcu(&gc->rcu, nft_trans_gc_trans_free);
9794
9795 return nft_trans_gc_alloc(set, 0, gfp);
9796 }
9797
nft_trans_gc_queue_sync_done(struct nft_trans_gc * trans)9798 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
9799 {
9800 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
9801
9802 if (trans->count == 0) {
9803 nft_trans_gc_destroy(trans);
9804 return;
9805 }
9806
9807 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9808 }
9809
nft_trans_gc_catchall_async(struct nft_trans_gc * gc,unsigned int gc_seq)9810 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
9811 unsigned int gc_seq)
9812 {
9813 struct nft_set_elem_catchall *catchall;
9814 const struct nft_set *set = gc->set;
9815 struct nft_set_ext *ext;
9816
9817 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9818 ext = nft_set_elem_ext(set, catchall->elem);
9819
9820 if (!nft_set_elem_expired(ext))
9821 continue;
9822 if (nft_set_elem_is_dead(ext))
9823 goto dead_elem;
9824
9825 nft_set_elem_dead(ext);
9826 dead_elem:
9827 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
9828 if (!gc)
9829 return NULL;
9830
9831 nft_trans_gc_elem_add(gc, catchall->elem);
9832 }
9833
9834 return gc;
9835 }
9836
nft_trans_gc_catchall_sync(struct nft_trans_gc * gc)9837 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
9838 {
9839 struct nft_set_elem_catchall *catchall, *next;
9840 u64 tstamp = nft_net_tstamp(gc->net);
9841 const struct nft_set *set = gc->set;
9842 struct nft_elem_priv *elem_priv;
9843 struct nft_set_ext *ext;
9844
9845 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
9846
9847 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
9848 ext = nft_set_elem_ext(set, catchall->elem);
9849
9850 if (!__nft_set_elem_expired(ext, tstamp))
9851 continue;
9852
9853 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
9854 if (!gc)
9855 return NULL;
9856
9857 elem_priv = catchall->elem;
9858 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
9859 nft_setelem_catchall_destroy(catchall);
9860 nft_trans_gc_elem_add(gc, elem_priv);
9861 }
9862
9863 return gc;
9864 }
9865
nf_tables_module_autoload_cleanup(struct net * net)9866 static void nf_tables_module_autoload_cleanup(struct net *net)
9867 {
9868 struct nftables_pernet *nft_net = nft_pernet(net);
9869 struct nft_module_request *req, *next;
9870
9871 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
9872 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
9873 WARN_ON_ONCE(!req->done);
9874 list_del(&req->list);
9875 kfree(req);
9876 }
9877 }
9878
nf_tables_commit_release(struct net * net)9879 static void nf_tables_commit_release(struct net *net)
9880 {
9881 struct nftables_pernet *nft_net = nft_pernet(net);
9882 struct nft_trans *trans;
9883
9884 /* all side effects have to be made visible.
9885 * For example, if a chain named 'foo' has been deleted, a
9886 * new transaction must not find it anymore.
9887 *
9888 * Memory reclaim happens asynchronously from work queue
9889 * to prevent expensive synchronize_rcu() in commit phase.
9890 */
9891 if (list_empty(&nft_net->commit_list)) {
9892 nf_tables_module_autoload_cleanup(net);
9893 mutex_unlock(&nft_net->commit_mutex);
9894 return;
9895 }
9896
9897 trans = list_last_entry(&nft_net->commit_list,
9898 struct nft_trans, list);
9899 get_net(trans->ctx.net);
9900 WARN_ON_ONCE(trans->put_net);
9901
9902 trans->put_net = true;
9903 spin_lock(&nf_tables_destroy_list_lock);
9904 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
9905 spin_unlock(&nf_tables_destroy_list_lock);
9906
9907 nf_tables_module_autoload_cleanup(net);
9908 schedule_work(&trans_destroy_work);
9909
9910 mutex_unlock(&nft_net->commit_mutex);
9911 }
9912
nft_commit_notify(struct net * net,u32 portid)9913 static void nft_commit_notify(struct net *net, u32 portid)
9914 {
9915 struct nftables_pernet *nft_net = nft_pernet(net);
9916 struct sk_buff *batch_skb = NULL, *nskb, *skb;
9917 unsigned char *data;
9918 int len;
9919
9920 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
9921 if (!batch_skb) {
9922 new_batch:
9923 batch_skb = skb;
9924 len = NLMSG_GOODSIZE - skb->len;
9925 list_del(&skb->list);
9926 continue;
9927 }
9928 len -= skb->len;
9929 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
9930 data = skb_put(batch_skb, skb->len);
9931 memcpy(data, skb->data, skb->len);
9932 list_del(&skb->list);
9933 kfree_skb(skb);
9934 continue;
9935 }
9936 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9937 NFT_CB(batch_skb).report, GFP_KERNEL);
9938 goto new_batch;
9939 }
9940
9941 if (batch_skb) {
9942 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9943 NFT_CB(batch_skb).report, GFP_KERNEL);
9944 }
9945
9946 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
9947 }
9948
nf_tables_commit_audit_alloc(struct list_head * adl,struct nft_table * table)9949 static int nf_tables_commit_audit_alloc(struct list_head *adl,
9950 struct nft_table *table)
9951 {
9952 struct nft_audit_data *adp;
9953
9954 list_for_each_entry(adp, adl, list) {
9955 if (adp->table == table)
9956 return 0;
9957 }
9958 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
9959 if (!adp)
9960 return -ENOMEM;
9961 adp->table = table;
9962 list_add(&adp->list, adl);
9963 return 0;
9964 }
9965
nf_tables_commit_audit_free(struct list_head * adl)9966 static void nf_tables_commit_audit_free(struct list_head *adl)
9967 {
9968 struct nft_audit_data *adp, *adn;
9969
9970 list_for_each_entry_safe(adp, adn, adl, list) {
9971 list_del(&adp->list);
9972 kfree(adp);
9973 }
9974 }
9975
nf_tables_commit_audit_collect(struct list_head * adl,struct nft_table * table,u32 op)9976 static void nf_tables_commit_audit_collect(struct list_head *adl,
9977 struct nft_table *table, u32 op)
9978 {
9979 struct nft_audit_data *adp;
9980
9981 list_for_each_entry(adp, adl, list) {
9982 if (adp->table == table)
9983 goto found;
9984 }
9985 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
9986 return;
9987 found:
9988 adp->entries++;
9989 if (!adp->op || adp->op > op)
9990 adp->op = op;
9991 }
9992
9993 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
9994
nf_tables_commit_audit_log(struct list_head * adl,u32 generation)9995 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
9996 {
9997 struct nft_audit_data *adp, *adn;
9998 char aubuf[AUNFTABLENAMELEN];
9999
10000 list_for_each_entry_safe(adp, adn, adl, list) {
10001 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
10002 generation);
10003 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
10004 nft2audit_op[adp->op], GFP_KERNEL);
10005 list_del(&adp->list);
10006 kfree(adp);
10007 }
10008 }
10009
nft_set_commit_update(struct list_head * set_update_list)10010 static void nft_set_commit_update(struct list_head *set_update_list)
10011 {
10012 struct nft_set *set, *next;
10013
10014 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10015 list_del_init(&set->pending_update);
10016
10017 if (!set->ops->commit || set->dead)
10018 continue;
10019
10020 set->ops->commit(set);
10021 }
10022 }
10023
nft_gc_seq_begin(struct nftables_pernet * nft_net)10024 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
10025 {
10026 unsigned int gc_seq;
10027
10028 /* Bump gc counter, it becomes odd, this is the busy mark. */
10029 gc_seq = READ_ONCE(nft_net->gc_seq);
10030 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10031
10032 return gc_seq;
10033 }
10034
nft_gc_seq_end(struct nftables_pernet * nft_net,unsigned int gc_seq)10035 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
10036 {
10037 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10038 }
10039
nf_tables_commit(struct net * net,struct sk_buff * skb)10040 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
10041 {
10042 struct nftables_pernet *nft_net = nft_pernet(net);
10043 struct nft_trans *trans, *next;
10044 unsigned int base_seq, gc_seq;
10045 LIST_HEAD(set_update_list);
10046 struct nft_trans_elem *te;
10047 struct nft_chain *chain;
10048 struct nft_table *table;
10049 LIST_HEAD(adl);
10050 int err;
10051
10052 if (list_empty(&nft_net->commit_list)) {
10053 mutex_unlock(&nft_net->commit_mutex);
10054 return 0;
10055 }
10056
10057 list_for_each_entry(trans, &nft_net->binding_list, binding_list) {
10058 switch (trans->msg_type) {
10059 case NFT_MSG_NEWSET:
10060 if (!nft_trans_set_update(trans) &&
10061 nft_set_is_anonymous(nft_trans_set(trans)) &&
10062 !nft_trans_set_bound(trans)) {
10063 pr_warn_once("nftables ruleset with unbound set\n");
10064 return -EINVAL;
10065 }
10066 break;
10067 case NFT_MSG_NEWCHAIN:
10068 if (!nft_trans_chain_update(trans) &&
10069 nft_chain_binding(nft_trans_chain(trans)) &&
10070 !nft_trans_chain_bound(trans)) {
10071 pr_warn_once("nftables ruleset with unbound chain\n");
10072 return -EINVAL;
10073 }
10074 break;
10075 }
10076 }
10077
10078 /* 0. Validate ruleset, otherwise roll back for error reporting. */
10079 if (nf_tables_validate(net) < 0) {
10080 nft_net->validate_state = NFT_VALIDATE_DO;
10081 return -EAGAIN;
10082 }
10083
10084 err = nft_flow_rule_offload_commit(net);
10085 if (err < 0)
10086 return err;
10087
10088 /* 1. Allocate space for next generation rules_gen_X[] */
10089 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10090 int ret;
10091
10092 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
10093 if (ret) {
10094 nf_tables_commit_chain_prepare_cancel(net);
10095 nf_tables_commit_audit_free(&adl);
10096 return ret;
10097 }
10098 if (trans->msg_type == NFT_MSG_NEWRULE ||
10099 trans->msg_type == NFT_MSG_DELRULE) {
10100 chain = trans->ctx.chain;
10101
10102 ret = nf_tables_commit_chain_prepare(net, chain);
10103 if (ret < 0) {
10104 nf_tables_commit_chain_prepare_cancel(net);
10105 nf_tables_commit_audit_free(&adl);
10106 return ret;
10107 }
10108 }
10109 }
10110
10111 /* step 2. Make rules_gen_X visible to packet path */
10112 list_for_each_entry(table, &nft_net->tables, list) {
10113 list_for_each_entry(chain, &table->chains, list)
10114 nf_tables_commit_chain(net, chain);
10115 }
10116
10117 /*
10118 * Bump generation counter, invalidate any dump in progress.
10119 * Cannot fail after this point.
10120 */
10121 base_seq = READ_ONCE(nft_net->base_seq);
10122 while (++base_seq == 0)
10123 ;
10124
10125 WRITE_ONCE(nft_net->base_seq, base_seq);
10126
10127 gc_seq = nft_gc_seq_begin(nft_net);
10128
10129 /* step 3. Start new generation, rules_gen_X now in use. */
10130 net->nft.gencursor = nft_gencursor_next(net);
10131
10132 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10133 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
10134 trans->msg_type);
10135 switch (trans->msg_type) {
10136 case NFT_MSG_NEWTABLE:
10137 if (nft_trans_table_update(trans)) {
10138 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10139 nft_trans_destroy(trans);
10140 break;
10141 }
10142 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
10143 nf_tables_table_disable(net, trans->ctx.table);
10144
10145 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10146 } else {
10147 nft_clear(net, trans->ctx.table);
10148 }
10149 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
10150 nft_trans_destroy(trans);
10151 break;
10152 case NFT_MSG_DELTABLE:
10153 case NFT_MSG_DESTROYTABLE:
10154 list_del_rcu(&trans->ctx.table->list);
10155 nf_tables_table_notify(&trans->ctx, trans->msg_type);
10156 break;
10157 case NFT_MSG_NEWCHAIN:
10158 if (nft_trans_chain_update(trans)) {
10159 nft_chain_commit_update(trans);
10160 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN,
10161 &nft_trans_chain_hooks(trans));
10162 list_splice(&nft_trans_chain_hooks(trans),
10163 &nft_trans_basechain(trans)->hook_list);
10164 /* trans destroyed after rcu grace period */
10165 } else {
10166 nft_chain_commit_drop_policy(trans);
10167 nft_clear(net, trans->ctx.chain);
10168 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN, NULL);
10169 nft_trans_destroy(trans);
10170 }
10171 break;
10172 case NFT_MSG_DELCHAIN:
10173 case NFT_MSG_DESTROYCHAIN:
10174 if (nft_trans_chain_update(trans)) {
10175 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
10176 &nft_trans_chain_hooks(trans));
10177 nft_netdev_unregister_hooks(net,
10178 &nft_trans_chain_hooks(trans),
10179 true);
10180 } else {
10181 nft_chain_del(trans->ctx.chain);
10182 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
10183 NULL);
10184 nf_tables_unregister_hook(trans->ctx.net,
10185 trans->ctx.table,
10186 trans->ctx.chain);
10187 }
10188 break;
10189 case NFT_MSG_NEWRULE:
10190 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10191 nf_tables_rule_notify(&trans->ctx,
10192 nft_trans_rule(trans),
10193 NFT_MSG_NEWRULE);
10194 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10195 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10196
10197 nft_trans_destroy(trans);
10198 break;
10199 case NFT_MSG_DELRULE:
10200 case NFT_MSG_DESTROYRULE:
10201 list_del_rcu(&nft_trans_rule(trans)->list);
10202 nf_tables_rule_notify(&trans->ctx,
10203 nft_trans_rule(trans),
10204 trans->msg_type);
10205 nft_rule_expr_deactivate(&trans->ctx,
10206 nft_trans_rule(trans),
10207 NFT_TRANS_COMMIT);
10208
10209 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10210 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10211 break;
10212 case NFT_MSG_NEWSET:
10213 if (nft_trans_set_update(trans)) {
10214 struct nft_set *set = nft_trans_set(trans);
10215
10216 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
10217 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
10218
10219 if (nft_trans_set_size(trans))
10220 WRITE_ONCE(set->size, nft_trans_set_size(trans));
10221 } else {
10222 nft_clear(net, nft_trans_set(trans));
10223 /* This avoids hitting -EBUSY when deleting the table
10224 * from the transaction.
10225 */
10226 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
10227 !list_empty(&nft_trans_set(trans)->bindings))
10228 nft_use_dec(&trans->ctx.table->use);
10229 }
10230 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
10231 NFT_MSG_NEWSET, GFP_KERNEL);
10232 nft_trans_destroy(trans);
10233 break;
10234 case NFT_MSG_DELSET:
10235 case NFT_MSG_DESTROYSET:
10236 nft_trans_set(trans)->dead = 1;
10237 list_del_rcu(&nft_trans_set(trans)->list);
10238 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
10239 trans->msg_type, GFP_KERNEL);
10240 break;
10241 case NFT_MSG_NEWSETELEM:
10242 te = (struct nft_trans_elem *)trans->data;
10243
10244 nft_setelem_activate(net, te->set, te->elem_priv);
10245 nf_tables_setelem_notify(&trans->ctx, te->set,
10246 te->elem_priv,
10247 NFT_MSG_NEWSETELEM);
10248 if (te->set->ops->commit &&
10249 list_empty(&te->set->pending_update)) {
10250 list_add_tail(&te->set->pending_update,
10251 &set_update_list);
10252 }
10253 nft_trans_destroy(trans);
10254 break;
10255 case NFT_MSG_DELSETELEM:
10256 case NFT_MSG_DESTROYSETELEM:
10257 te = (struct nft_trans_elem *)trans->data;
10258
10259 nf_tables_setelem_notify(&trans->ctx, te->set,
10260 te->elem_priv,
10261 trans->msg_type);
10262 nft_setelem_remove(net, te->set, te->elem_priv);
10263 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) {
10264 atomic_dec(&te->set->nelems);
10265 te->set->ndeact--;
10266 }
10267 if (te->set->ops->commit &&
10268 list_empty(&te->set->pending_update)) {
10269 list_add_tail(&te->set->pending_update,
10270 &set_update_list);
10271 }
10272 break;
10273 case NFT_MSG_NEWOBJ:
10274 if (nft_trans_obj_update(trans)) {
10275 nft_obj_commit_update(trans);
10276 nf_tables_obj_notify(&trans->ctx,
10277 nft_trans_obj(trans),
10278 NFT_MSG_NEWOBJ);
10279 } else {
10280 nft_clear(net, nft_trans_obj(trans));
10281 nf_tables_obj_notify(&trans->ctx,
10282 nft_trans_obj(trans),
10283 NFT_MSG_NEWOBJ);
10284 nft_trans_destroy(trans);
10285 }
10286 break;
10287 case NFT_MSG_DELOBJ:
10288 case NFT_MSG_DESTROYOBJ:
10289 nft_obj_del(nft_trans_obj(trans));
10290 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
10291 trans->msg_type);
10292 break;
10293 case NFT_MSG_NEWFLOWTABLE:
10294 if (nft_trans_flowtable_update(trans)) {
10295 nft_trans_flowtable(trans)->data.flags =
10296 nft_trans_flowtable_flags(trans);
10297 nf_tables_flowtable_notify(&trans->ctx,
10298 nft_trans_flowtable(trans),
10299 &nft_trans_flowtable_hooks(trans),
10300 NFT_MSG_NEWFLOWTABLE);
10301 list_splice(&nft_trans_flowtable_hooks(trans),
10302 &nft_trans_flowtable(trans)->hook_list);
10303 } else {
10304 nft_clear(net, nft_trans_flowtable(trans));
10305 nf_tables_flowtable_notify(&trans->ctx,
10306 nft_trans_flowtable(trans),
10307 NULL,
10308 NFT_MSG_NEWFLOWTABLE);
10309 }
10310 nft_trans_destroy(trans);
10311 break;
10312 case NFT_MSG_DELFLOWTABLE:
10313 case NFT_MSG_DESTROYFLOWTABLE:
10314 if (nft_trans_flowtable_update(trans)) {
10315 nf_tables_flowtable_notify(&trans->ctx,
10316 nft_trans_flowtable(trans),
10317 &nft_trans_flowtable_hooks(trans),
10318 trans->msg_type);
10319 nft_unregister_flowtable_net_hooks(net,
10320 &nft_trans_flowtable_hooks(trans));
10321 } else {
10322 list_del_rcu(&nft_trans_flowtable(trans)->list);
10323 nf_tables_flowtable_notify(&trans->ctx,
10324 nft_trans_flowtable(trans),
10325 NULL,
10326 trans->msg_type);
10327 nft_unregister_flowtable_net_hooks(net,
10328 &nft_trans_flowtable(trans)->hook_list);
10329 }
10330 break;
10331 }
10332 }
10333
10334 nft_set_commit_update(&set_update_list);
10335
10336 nft_commit_notify(net, NETLINK_CB(skb).portid);
10337 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
10338 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
10339
10340 nft_gc_seq_end(nft_net, gc_seq);
10341 nft_net->validate_state = NFT_VALIDATE_SKIP;
10342 nf_tables_commit_release(net);
10343
10344 return 0;
10345 }
10346
nf_tables_module_autoload(struct net * net)10347 static void nf_tables_module_autoload(struct net *net)
10348 {
10349 struct nftables_pernet *nft_net = nft_pernet(net);
10350 struct nft_module_request *req, *next;
10351 LIST_HEAD(module_list);
10352
10353 list_splice_init(&nft_net->module_list, &module_list);
10354 mutex_unlock(&nft_net->commit_mutex);
10355 list_for_each_entry_safe(req, next, &module_list, list) {
10356 request_module("%s", req->module);
10357 req->done = true;
10358 }
10359 mutex_lock(&nft_net->commit_mutex);
10360 list_splice(&module_list, &nft_net->module_list);
10361 }
10362
nf_tables_abort_release(struct nft_trans * trans)10363 static void nf_tables_abort_release(struct nft_trans *trans)
10364 {
10365 switch (trans->msg_type) {
10366 case NFT_MSG_NEWTABLE:
10367 nf_tables_table_destroy(&trans->ctx);
10368 break;
10369 case NFT_MSG_NEWCHAIN:
10370 if (nft_trans_chain_update(trans))
10371 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
10372 else
10373 nf_tables_chain_destroy(&trans->ctx);
10374 break;
10375 case NFT_MSG_NEWRULE:
10376 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
10377 break;
10378 case NFT_MSG_NEWSET:
10379 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
10380 break;
10381 case NFT_MSG_NEWSETELEM:
10382 nft_set_elem_destroy(nft_trans_elem_set(trans),
10383 nft_trans_elem_priv(trans), true);
10384 break;
10385 case NFT_MSG_NEWOBJ:
10386 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
10387 break;
10388 case NFT_MSG_NEWFLOWTABLE:
10389 if (nft_trans_flowtable_update(trans))
10390 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
10391 else
10392 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10393 break;
10394 }
10395 kfree(trans);
10396 }
10397
nft_set_abort_update(struct list_head * set_update_list)10398 static void nft_set_abort_update(struct list_head *set_update_list)
10399 {
10400 struct nft_set *set, *next;
10401
10402 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10403 list_del_init(&set->pending_update);
10404
10405 if (!set->ops->abort)
10406 continue;
10407
10408 set->ops->abort(set);
10409 }
10410 }
10411
__nf_tables_abort(struct net * net,enum nfnl_abort_action action)10412 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
10413 {
10414 struct nftables_pernet *nft_net = nft_pernet(net);
10415 struct nft_trans *trans, *next;
10416 LIST_HEAD(set_update_list);
10417 struct nft_trans_elem *te;
10418
10419 if (action == NFNL_ABORT_VALIDATE &&
10420 nf_tables_validate(net) < 0)
10421 return -EAGAIN;
10422
10423 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
10424 list) {
10425 switch (trans->msg_type) {
10426 case NFT_MSG_NEWTABLE:
10427 if (nft_trans_table_update(trans)) {
10428 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10429 nft_trans_destroy(trans);
10430 break;
10431 }
10432 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
10433 nf_tables_table_disable(net, trans->ctx.table);
10434 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
10435 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
10436 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
10437 }
10438 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10439 nft_trans_destroy(trans);
10440 } else {
10441 list_del_rcu(&trans->ctx.table->list);
10442 }
10443 break;
10444 case NFT_MSG_DELTABLE:
10445 case NFT_MSG_DESTROYTABLE:
10446 nft_clear(trans->ctx.net, trans->ctx.table);
10447 nft_trans_destroy(trans);
10448 break;
10449 case NFT_MSG_NEWCHAIN:
10450 if (nft_trans_chain_update(trans)) {
10451 nft_netdev_unregister_hooks(net,
10452 &nft_trans_chain_hooks(trans),
10453 true);
10454 free_percpu(nft_trans_chain_stats(trans));
10455 kfree(nft_trans_chain_name(trans));
10456 nft_trans_destroy(trans);
10457 } else {
10458 if (nft_trans_chain_bound(trans)) {
10459 nft_trans_destroy(trans);
10460 break;
10461 }
10462 nft_use_dec_restore(&trans->ctx.table->use);
10463 nft_chain_del(trans->ctx.chain);
10464 nf_tables_unregister_hook(trans->ctx.net,
10465 trans->ctx.table,
10466 trans->ctx.chain);
10467 }
10468 break;
10469 case NFT_MSG_DELCHAIN:
10470 case NFT_MSG_DESTROYCHAIN:
10471 if (nft_trans_chain_update(trans)) {
10472 list_splice(&nft_trans_chain_hooks(trans),
10473 &nft_trans_basechain(trans)->hook_list);
10474 } else {
10475 nft_use_inc_restore(&trans->ctx.table->use);
10476 nft_clear(trans->ctx.net, trans->ctx.chain);
10477 }
10478 nft_trans_destroy(trans);
10479 break;
10480 case NFT_MSG_NEWRULE:
10481 if (nft_trans_rule_bound(trans)) {
10482 nft_trans_destroy(trans);
10483 break;
10484 }
10485 nft_use_dec_restore(&trans->ctx.chain->use);
10486 list_del_rcu(&nft_trans_rule(trans)->list);
10487 nft_rule_expr_deactivate(&trans->ctx,
10488 nft_trans_rule(trans),
10489 NFT_TRANS_ABORT);
10490 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10491 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10492 break;
10493 case NFT_MSG_DELRULE:
10494 case NFT_MSG_DESTROYRULE:
10495 nft_use_inc_restore(&trans->ctx.chain->use);
10496 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10497 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
10498 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10499 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10500
10501 nft_trans_destroy(trans);
10502 break;
10503 case NFT_MSG_NEWSET:
10504 if (nft_trans_set_update(trans)) {
10505 nft_trans_destroy(trans);
10506 break;
10507 }
10508 nft_use_dec_restore(&trans->ctx.table->use);
10509 if (nft_trans_set_bound(trans)) {
10510 nft_trans_destroy(trans);
10511 break;
10512 }
10513 nft_trans_set(trans)->dead = 1;
10514 list_del_rcu(&nft_trans_set(trans)->list);
10515 break;
10516 case NFT_MSG_DELSET:
10517 case NFT_MSG_DESTROYSET:
10518 nft_use_inc_restore(&trans->ctx.table->use);
10519 nft_clear(trans->ctx.net, nft_trans_set(trans));
10520 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
10521 nft_map_activate(&trans->ctx, nft_trans_set(trans));
10522
10523 nft_trans_destroy(trans);
10524 break;
10525 case NFT_MSG_NEWSETELEM:
10526 if (nft_trans_elem_set_bound(trans)) {
10527 nft_trans_destroy(trans);
10528 break;
10529 }
10530 te = (struct nft_trans_elem *)trans->data;
10531 nft_setelem_remove(net, te->set, te->elem_priv);
10532 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10533 atomic_dec(&te->set->nelems);
10534
10535 if (te->set->ops->abort &&
10536 list_empty(&te->set->pending_update)) {
10537 list_add_tail(&te->set->pending_update,
10538 &set_update_list);
10539 }
10540 break;
10541 case NFT_MSG_DELSETELEM:
10542 case NFT_MSG_DESTROYSETELEM:
10543 te = (struct nft_trans_elem *)trans->data;
10544
10545 nft_setelem_data_activate(net, te->set, te->elem_priv);
10546 nft_setelem_activate(net, te->set, te->elem_priv);
10547 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10548 te->set->ndeact--;
10549
10550 if (te->set->ops->abort &&
10551 list_empty(&te->set->pending_update)) {
10552 list_add_tail(&te->set->pending_update,
10553 &set_update_list);
10554 }
10555 nft_trans_destroy(trans);
10556 break;
10557 case NFT_MSG_NEWOBJ:
10558 if (nft_trans_obj_update(trans)) {
10559 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
10560 nft_trans_destroy(trans);
10561 } else {
10562 nft_use_dec_restore(&trans->ctx.table->use);
10563 nft_obj_del(nft_trans_obj(trans));
10564 }
10565 break;
10566 case NFT_MSG_DELOBJ:
10567 case NFT_MSG_DESTROYOBJ:
10568 nft_use_inc_restore(&trans->ctx.table->use);
10569 nft_clear(trans->ctx.net, nft_trans_obj(trans));
10570 nft_trans_destroy(trans);
10571 break;
10572 case NFT_MSG_NEWFLOWTABLE:
10573 if (nft_trans_flowtable_update(trans)) {
10574 nft_unregister_flowtable_net_hooks(net,
10575 &nft_trans_flowtable_hooks(trans));
10576 } else {
10577 nft_use_dec_restore(&trans->ctx.table->use);
10578 list_del_rcu(&nft_trans_flowtable(trans)->list);
10579 nft_unregister_flowtable_net_hooks(net,
10580 &nft_trans_flowtable(trans)->hook_list);
10581 }
10582 break;
10583 case NFT_MSG_DELFLOWTABLE:
10584 case NFT_MSG_DESTROYFLOWTABLE:
10585 if (nft_trans_flowtable_update(trans)) {
10586 list_splice(&nft_trans_flowtable_hooks(trans),
10587 &nft_trans_flowtable(trans)->hook_list);
10588 } else {
10589 nft_use_inc_restore(&trans->ctx.table->use);
10590 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
10591 }
10592 nft_trans_destroy(trans);
10593 break;
10594 }
10595 }
10596
10597 nft_set_abort_update(&set_update_list);
10598
10599 synchronize_rcu();
10600
10601 list_for_each_entry_safe_reverse(trans, next,
10602 &nft_net->commit_list, list) {
10603 nft_trans_list_del(trans);
10604 nf_tables_abort_release(trans);
10605 }
10606
10607 if (action == NFNL_ABORT_AUTOLOAD)
10608 nf_tables_module_autoload(net);
10609 else
10610 nf_tables_module_autoload_cleanup(net);
10611
10612 return 0;
10613 }
10614
nf_tables_abort(struct net * net,struct sk_buff * skb,enum nfnl_abort_action action)10615 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
10616 enum nfnl_abort_action action)
10617 {
10618 struct nftables_pernet *nft_net = nft_pernet(net);
10619 unsigned int gc_seq;
10620 int ret;
10621
10622 gc_seq = nft_gc_seq_begin(nft_net);
10623 ret = __nf_tables_abort(net, action);
10624 nft_gc_seq_end(nft_net, gc_seq);
10625 mutex_unlock(&nft_net->commit_mutex);
10626
10627 return ret;
10628 }
10629
nf_tables_valid_genid(struct net * net,u32 genid)10630 static bool nf_tables_valid_genid(struct net *net, u32 genid)
10631 {
10632 struct nftables_pernet *nft_net = nft_pernet(net);
10633 bool genid_ok;
10634
10635 mutex_lock(&nft_net->commit_mutex);
10636 nft_net->tstamp = get_jiffies_64();
10637
10638 genid_ok = genid == 0 || nft_net->base_seq == genid;
10639 if (!genid_ok)
10640 mutex_unlock(&nft_net->commit_mutex);
10641
10642 /* else, commit mutex has to be released by commit or abort function */
10643 return genid_ok;
10644 }
10645
10646 static const struct nfnetlink_subsystem nf_tables_subsys = {
10647 .name = "nf_tables",
10648 .subsys_id = NFNL_SUBSYS_NFTABLES,
10649 .cb_count = NFT_MSG_MAX,
10650 .cb = nf_tables_cb,
10651 .commit = nf_tables_commit,
10652 .abort = nf_tables_abort,
10653 .valid_genid = nf_tables_valid_genid,
10654 .owner = THIS_MODULE,
10655 };
10656
nft_chain_validate_dependency(const struct nft_chain * chain,enum nft_chain_types type)10657 int nft_chain_validate_dependency(const struct nft_chain *chain,
10658 enum nft_chain_types type)
10659 {
10660 const struct nft_base_chain *basechain;
10661
10662 if (nft_is_base_chain(chain)) {
10663 basechain = nft_base_chain(chain);
10664 if (basechain->type->type != type)
10665 return -EOPNOTSUPP;
10666 }
10667 return 0;
10668 }
10669 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
10670
nft_chain_validate_hooks(const struct nft_chain * chain,unsigned int hook_flags)10671 int nft_chain_validate_hooks(const struct nft_chain *chain,
10672 unsigned int hook_flags)
10673 {
10674 struct nft_base_chain *basechain;
10675
10676 if (nft_is_base_chain(chain)) {
10677 basechain = nft_base_chain(chain);
10678
10679 if ((1 << basechain->ops.hooknum) & hook_flags)
10680 return 0;
10681
10682 return -EOPNOTSUPP;
10683 }
10684
10685 return 0;
10686 }
10687 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
10688
10689 /*
10690 * Loop detection - walk through the ruleset beginning at the destination chain
10691 * of a new jump until either the source chain is reached (loop) or all
10692 * reachable chains have been traversed.
10693 *
10694 * The loop check is performed whenever a new jump verdict is added to an
10695 * expression or verdict map or a verdict map is bound to a new chain.
10696 */
10697
10698 static int nf_tables_check_loops(const struct nft_ctx *ctx,
10699 const struct nft_chain *chain);
10700
nft_check_loops(const struct nft_ctx * ctx,const struct nft_set_ext * ext)10701 static int nft_check_loops(const struct nft_ctx *ctx,
10702 const struct nft_set_ext *ext)
10703 {
10704 const struct nft_data *data;
10705 int ret;
10706
10707 data = nft_set_ext_data(ext);
10708 switch (data->verdict.code) {
10709 case NFT_JUMP:
10710 case NFT_GOTO:
10711 ret = nf_tables_check_loops(ctx, data->verdict.chain);
10712 break;
10713 default:
10714 ret = 0;
10715 break;
10716 }
10717
10718 return ret;
10719 }
10720
nf_tables_loop_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)10721 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
10722 struct nft_set *set,
10723 const struct nft_set_iter *iter,
10724 struct nft_elem_priv *elem_priv)
10725 {
10726 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
10727
10728 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
10729 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
10730 return 0;
10731
10732 return nft_check_loops(ctx, ext);
10733 }
10734
nft_set_catchall_loops(const struct nft_ctx * ctx,struct nft_set * set)10735 static int nft_set_catchall_loops(const struct nft_ctx *ctx,
10736 struct nft_set *set)
10737 {
10738 u8 genmask = nft_genmask_next(ctx->net);
10739 struct nft_set_elem_catchall *catchall;
10740 struct nft_set_ext *ext;
10741 int ret = 0;
10742
10743 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
10744 ext = nft_set_elem_ext(set, catchall->elem);
10745 if (!nft_set_elem_active(ext, genmask))
10746 continue;
10747
10748 ret = nft_check_loops(ctx, ext);
10749 if (ret < 0)
10750 return ret;
10751 }
10752
10753 return ret;
10754 }
10755
nf_tables_check_loops(const struct nft_ctx * ctx,const struct nft_chain * chain)10756 static int nf_tables_check_loops(const struct nft_ctx *ctx,
10757 const struct nft_chain *chain)
10758 {
10759 const struct nft_rule *rule;
10760 const struct nft_expr *expr, *last;
10761 struct nft_set *set;
10762 struct nft_set_binding *binding;
10763 struct nft_set_iter iter;
10764
10765 if (ctx->chain == chain)
10766 return -ELOOP;
10767
10768 if (fatal_signal_pending(current))
10769 return -EINTR;
10770
10771 list_for_each_entry(rule, &chain->rules, list) {
10772 nft_rule_for_each_expr(expr, last, rule) {
10773 struct nft_immediate_expr *priv;
10774 const struct nft_data *data;
10775 int err;
10776
10777 if (strcmp(expr->ops->type->name, "immediate"))
10778 continue;
10779
10780 priv = nft_expr_priv(expr);
10781 if (priv->dreg != NFT_REG_VERDICT)
10782 continue;
10783
10784 data = &priv->data;
10785 switch (data->verdict.code) {
10786 case NFT_JUMP:
10787 case NFT_GOTO:
10788 err = nf_tables_check_loops(ctx,
10789 data->verdict.chain);
10790 if (err < 0)
10791 return err;
10792 break;
10793 default:
10794 break;
10795 }
10796 }
10797 }
10798
10799 list_for_each_entry(set, &ctx->table->sets, list) {
10800 if (!nft_is_active_next(ctx->net, set))
10801 continue;
10802 if (!(set->flags & NFT_SET_MAP) ||
10803 set->dtype != NFT_DATA_VERDICT)
10804 continue;
10805
10806 list_for_each_entry(binding, &set->bindings, list) {
10807 if (!(binding->flags & NFT_SET_MAP) ||
10808 binding->chain != chain)
10809 continue;
10810
10811 iter.genmask = nft_genmask_next(ctx->net);
10812 iter.skip = 0;
10813 iter.count = 0;
10814 iter.err = 0;
10815 iter.fn = nf_tables_loop_check_setelem;
10816
10817 set->ops->walk(ctx, set, &iter);
10818 if (!iter.err)
10819 iter.err = nft_set_catchall_loops(ctx, set);
10820
10821 if (iter.err < 0)
10822 return iter.err;
10823 }
10824 }
10825
10826 return 0;
10827 }
10828
10829 /**
10830 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
10831 *
10832 * @attr: netlink attribute to fetch value from
10833 * @max: maximum value to be stored in dest
10834 * @dest: pointer to the variable
10835 *
10836 * Parse, check and store a given u32 netlink attribute into variable.
10837 * This function returns -ERANGE if the value goes over maximum value.
10838 * Otherwise a 0 is returned and the attribute value is stored in the
10839 * destination variable.
10840 */
nft_parse_u32_check(const struct nlattr * attr,int max,u32 * dest)10841 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
10842 {
10843 u32 val;
10844
10845 val = ntohl(nla_get_be32(attr));
10846 if (val > max)
10847 return -ERANGE;
10848
10849 *dest = val;
10850 return 0;
10851 }
10852 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
10853
nft_parse_register(const struct nlattr * attr,u32 * preg)10854 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
10855 {
10856 unsigned int reg;
10857
10858 reg = ntohl(nla_get_be32(attr));
10859 switch (reg) {
10860 case NFT_REG_VERDICT...NFT_REG_4:
10861 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
10862 break;
10863 case NFT_REG32_00...NFT_REG32_15:
10864 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
10865 break;
10866 default:
10867 return -ERANGE;
10868 }
10869
10870 return 0;
10871 }
10872
10873 /**
10874 * nft_dump_register - dump a register value to a netlink attribute
10875 *
10876 * @skb: socket buffer
10877 * @attr: attribute number
10878 * @reg: register number
10879 *
10880 * Construct a netlink attribute containing the register number. For
10881 * compatibility reasons, register numbers being a multiple of 4 are
10882 * translated to the corresponding 128 bit register numbers.
10883 */
nft_dump_register(struct sk_buff * skb,unsigned int attr,unsigned int reg)10884 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
10885 {
10886 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
10887 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
10888 else
10889 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
10890
10891 return nla_put_be32(skb, attr, htonl(reg));
10892 }
10893 EXPORT_SYMBOL_GPL(nft_dump_register);
10894
nft_validate_register_load(enum nft_registers reg,unsigned int len)10895 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
10896 {
10897 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10898 return -EINVAL;
10899 if (len == 0)
10900 return -EINVAL;
10901 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
10902 return -ERANGE;
10903
10904 return 0;
10905 }
10906
nft_parse_register_load(const struct nlattr * attr,u8 * sreg,u32 len)10907 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
10908 {
10909 u32 reg;
10910 int err;
10911
10912 err = nft_parse_register(attr, ®);
10913 if (err < 0)
10914 return err;
10915
10916 err = nft_validate_register_load(reg, len);
10917 if (err < 0)
10918 return err;
10919
10920 *sreg = reg;
10921 return 0;
10922 }
10923 EXPORT_SYMBOL_GPL(nft_parse_register_load);
10924
nft_validate_register_store(const struct nft_ctx * ctx,enum nft_registers reg,const struct nft_data * data,enum nft_data_types type,unsigned int len)10925 static int nft_validate_register_store(const struct nft_ctx *ctx,
10926 enum nft_registers reg,
10927 const struct nft_data *data,
10928 enum nft_data_types type,
10929 unsigned int len)
10930 {
10931 int err;
10932
10933 switch (reg) {
10934 case NFT_REG_VERDICT:
10935 if (type != NFT_DATA_VERDICT)
10936 return -EINVAL;
10937
10938 if (data != NULL &&
10939 (data->verdict.code == NFT_GOTO ||
10940 data->verdict.code == NFT_JUMP)) {
10941 err = nf_tables_check_loops(ctx, data->verdict.chain);
10942 if (err < 0)
10943 return err;
10944 }
10945
10946 return 0;
10947 default:
10948 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10949 return -EINVAL;
10950 if (len == 0)
10951 return -EINVAL;
10952 if (reg * NFT_REG32_SIZE + len >
10953 sizeof_field(struct nft_regs, data))
10954 return -ERANGE;
10955
10956 if (data != NULL && type != NFT_DATA_VALUE)
10957 return -EINVAL;
10958 return 0;
10959 }
10960 }
10961
nft_parse_register_store(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * dreg,const struct nft_data * data,enum nft_data_types type,unsigned int len)10962 int nft_parse_register_store(const struct nft_ctx *ctx,
10963 const struct nlattr *attr, u8 *dreg,
10964 const struct nft_data *data,
10965 enum nft_data_types type, unsigned int len)
10966 {
10967 int err;
10968 u32 reg;
10969
10970 err = nft_parse_register(attr, ®);
10971 if (err < 0)
10972 return err;
10973
10974 err = nft_validate_register_store(ctx, reg, data, type, len);
10975 if (err < 0)
10976 return err;
10977
10978 *dreg = reg;
10979 return 0;
10980 }
10981 EXPORT_SYMBOL_GPL(nft_parse_register_store);
10982
10983 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
10984 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
10985 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
10986 .len = NFT_CHAIN_MAXNAMELEN - 1 },
10987 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
10988 };
10989
nft_verdict_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)10990 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
10991 struct nft_data_desc *desc, const struct nlattr *nla)
10992 {
10993 u8 genmask = nft_genmask_next(ctx->net);
10994 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
10995 struct nft_chain *chain;
10996 int err;
10997
10998 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
10999 nft_verdict_policy, NULL);
11000 if (err < 0)
11001 return err;
11002
11003 if (!tb[NFTA_VERDICT_CODE])
11004 return -EINVAL;
11005
11006 /* zero padding hole for memcmp */
11007 memset(data, 0, sizeof(*data));
11008 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
11009
11010 switch (data->verdict.code) {
11011 case NF_ACCEPT:
11012 case NF_DROP:
11013 case NF_QUEUE:
11014 break;
11015 case NFT_CONTINUE:
11016 case NFT_BREAK:
11017 case NFT_RETURN:
11018 break;
11019 case NFT_JUMP:
11020 case NFT_GOTO:
11021 if (tb[NFTA_VERDICT_CHAIN]) {
11022 chain = nft_chain_lookup(ctx->net, ctx->table,
11023 tb[NFTA_VERDICT_CHAIN],
11024 genmask);
11025 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
11026 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
11027 tb[NFTA_VERDICT_CHAIN_ID],
11028 genmask);
11029 if (IS_ERR(chain))
11030 return PTR_ERR(chain);
11031 } else {
11032 return -EINVAL;
11033 }
11034
11035 if (IS_ERR(chain))
11036 return PTR_ERR(chain);
11037 if (nft_is_base_chain(chain))
11038 return -EOPNOTSUPP;
11039 if (nft_chain_is_bound(chain))
11040 return -EINVAL;
11041 if (desc->flags & NFT_DATA_DESC_SETELEM &&
11042 chain->flags & NFT_CHAIN_BINDING)
11043 return -EINVAL;
11044 if (!nft_use_inc(&chain->use))
11045 return -EMFILE;
11046
11047 data->verdict.chain = chain;
11048 break;
11049 default:
11050 return -EINVAL;
11051 }
11052
11053 desc->len = sizeof(data->verdict);
11054
11055 return 0;
11056 }
11057
nft_verdict_uninit(const struct nft_data * data)11058 static void nft_verdict_uninit(const struct nft_data *data)
11059 {
11060 struct nft_chain *chain;
11061
11062 switch (data->verdict.code) {
11063 case NFT_JUMP:
11064 case NFT_GOTO:
11065 chain = data->verdict.chain;
11066 nft_use_dec(&chain->use);
11067 break;
11068 }
11069 }
11070
nft_verdict_dump(struct sk_buff * skb,int type,const struct nft_verdict * v)11071 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
11072 {
11073 struct nlattr *nest;
11074
11075 nest = nla_nest_start_noflag(skb, type);
11076 if (!nest)
11077 goto nla_put_failure;
11078
11079 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
11080 goto nla_put_failure;
11081
11082 switch (v->code) {
11083 case NFT_JUMP:
11084 case NFT_GOTO:
11085 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
11086 v->chain->name))
11087 goto nla_put_failure;
11088 }
11089 nla_nest_end(skb, nest);
11090 return 0;
11091
11092 nla_put_failure:
11093 return -1;
11094 }
11095
nft_value_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11096 static int nft_value_init(const struct nft_ctx *ctx,
11097 struct nft_data *data, struct nft_data_desc *desc,
11098 const struct nlattr *nla)
11099 {
11100 unsigned int len;
11101
11102 len = nla_len(nla);
11103 if (len == 0)
11104 return -EINVAL;
11105 if (len > desc->size)
11106 return -EOVERFLOW;
11107 if (desc->len) {
11108 if (len != desc->len)
11109 return -EINVAL;
11110 } else {
11111 desc->len = len;
11112 }
11113
11114 nla_memcpy(data->data, nla, len);
11115
11116 return 0;
11117 }
11118
nft_value_dump(struct sk_buff * skb,const struct nft_data * data,unsigned int len)11119 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
11120 unsigned int len)
11121 {
11122 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
11123 }
11124
11125 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11126 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11127 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11128 };
11129
11130 /**
11131 * nft_data_init - parse nf_tables data netlink attributes
11132 *
11133 * @ctx: context of the expression using the data
11134 * @data: destination struct nft_data
11135 * @desc: data description
11136 * @nla: netlink attribute containing data
11137 *
11138 * Parse the netlink data attributes and initialize a struct nft_data.
11139 * The type and length of data are returned in the data description.
11140 *
11141 * The caller can indicate that it only wants to accept data of type
11142 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11143 */
nft_data_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11144 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11145 struct nft_data_desc *desc, const struct nlattr *nla)
11146 {
11147 struct nlattr *tb[NFTA_DATA_MAX + 1];
11148 int err;
11149
11150 if (WARN_ON_ONCE(!desc->size))
11151 return -EINVAL;
11152
11153 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11154 nft_data_policy, NULL);
11155 if (err < 0)
11156 return err;
11157
11158 if (tb[NFTA_DATA_VALUE]) {
11159 if (desc->type != NFT_DATA_VALUE)
11160 return -EINVAL;
11161
11162 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
11163 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11164 if (desc->type != NFT_DATA_VERDICT)
11165 return -EINVAL;
11166
11167 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
11168 } else {
11169 err = -EINVAL;
11170 }
11171
11172 return err;
11173 }
11174 EXPORT_SYMBOL_GPL(nft_data_init);
11175
11176 /**
11177 * nft_data_release - release a nft_data item
11178 *
11179 * @data: struct nft_data to release
11180 * @type: type of data
11181 *
11182 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11183 * all others need to be released by calling this function.
11184 */
nft_data_release(const struct nft_data * data,enum nft_data_types type)11185 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11186 {
11187 if (type < NFT_DATA_VERDICT)
11188 return;
11189 switch (type) {
11190 case NFT_DATA_VERDICT:
11191 return nft_verdict_uninit(data);
11192 default:
11193 WARN_ON(1);
11194 }
11195 }
11196 EXPORT_SYMBOL_GPL(nft_data_release);
11197
nft_data_dump(struct sk_buff * skb,int attr,const struct nft_data * data,enum nft_data_types type,unsigned int len)11198 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
11199 enum nft_data_types type, unsigned int len)
11200 {
11201 struct nlattr *nest;
11202 int err;
11203
11204 nest = nla_nest_start_noflag(skb, attr);
11205 if (nest == NULL)
11206 return -1;
11207
11208 switch (type) {
11209 case NFT_DATA_VALUE:
11210 err = nft_value_dump(skb, data, len);
11211 break;
11212 case NFT_DATA_VERDICT:
11213 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
11214 break;
11215 default:
11216 err = -EINVAL;
11217 WARN_ON(1);
11218 }
11219
11220 nla_nest_end(skb, nest);
11221 return err;
11222 }
11223 EXPORT_SYMBOL_GPL(nft_data_dump);
11224
__nft_release_basechain(struct nft_ctx * ctx)11225 int __nft_release_basechain(struct nft_ctx *ctx)
11226 {
11227 struct nft_rule *rule, *nr;
11228
11229 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
11230 return 0;
11231
11232 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
11233 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
11234 list_del(&rule->list);
11235 nft_use_dec(&ctx->chain->use);
11236 nf_tables_rule_release(ctx, rule);
11237 }
11238 nft_chain_del(ctx->chain);
11239 nft_use_dec(&ctx->table->use);
11240 nf_tables_chain_destroy(ctx);
11241
11242 return 0;
11243 }
11244 EXPORT_SYMBOL_GPL(__nft_release_basechain);
11245
__nft_release_hook(struct net * net,struct nft_table * table)11246 static void __nft_release_hook(struct net *net, struct nft_table *table)
11247 {
11248 struct nft_flowtable *flowtable;
11249 struct nft_chain *chain;
11250
11251 list_for_each_entry(chain, &table->chains, list)
11252 __nf_tables_unregister_hook(net, table, chain, true);
11253 list_for_each_entry(flowtable, &table->flowtables, list)
11254 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
11255 true);
11256 }
11257
__nft_release_hooks(struct net * net)11258 static void __nft_release_hooks(struct net *net)
11259 {
11260 struct nftables_pernet *nft_net = nft_pernet(net);
11261 struct nft_table *table;
11262
11263 list_for_each_entry(table, &nft_net->tables, list) {
11264 if (nft_table_has_owner(table))
11265 continue;
11266
11267 __nft_release_hook(net, table);
11268 }
11269 }
11270
__nft_release_table(struct net * net,struct nft_table * table)11271 static void __nft_release_table(struct net *net, struct nft_table *table)
11272 {
11273 struct nft_flowtable *flowtable, *nf;
11274 struct nft_chain *chain, *nc;
11275 struct nft_object *obj, *ne;
11276 struct nft_rule *rule, *nr;
11277 struct nft_set *set, *ns;
11278 struct nft_ctx ctx = {
11279 .net = net,
11280 .family = NFPROTO_NETDEV,
11281 };
11282
11283 ctx.family = table->family;
11284 ctx.table = table;
11285 list_for_each_entry(chain, &table->chains, list) {
11286 if (nft_chain_binding(chain))
11287 continue;
11288
11289 ctx.chain = chain;
11290 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
11291 list_del(&rule->list);
11292 nft_use_dec(&chain->use);
11293 nf_tables_rule_release(&ctx, rule);
11294 }
11295 }
11296 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11297 list_del(&flowtable->list);
11298 nft_use_dec(&table->use);
11299 nf_tables_flowtable_destroy(flowtable);
11300 }
11301 list_for_each_entry_safe(set, ns, &table->sets, list) {
11302 list_del(&set->list);
11303 nft_use_dec(&table->use);
11304 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11305 nft_map_deactivate(&ctx, set);
11306
11307 nft_set_destroy(&ctx, set);
11308 }
11309 list_for_each_entry_safe(obj, ne, &table->objects, list) {
11310 nft_obj_del(obj);
11311 nft_use_dec(&table->use);
11312 nft_obj_destroy(&ctx, obj);
11313 }
11314 list_for_each_entry_safe(chain, nc, &table->chains, list) {
11315 ctx.chain = chain;
11316 nft_chain_del(chain);
11317 nft_use_dec(&table->use);
11318 nf_tables_chain_destroy(&ctx);
11319 }
11320 nf_tables_table_destroy(&ctx);
11321 }
11322
__nft_release_tables(struct net * net)11323 static void __nft_release_tables(struct net *net)
11324 {
11325 struct nftables_pernet *nft_net = nft_pernet(net);
11326 struct nft_table *table, *nt;
11327
11328 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
11329 if (nft_table_has_owner(table))
11330 continue;
11331
11332 list_del(&table->list);
11333
11334 __nft_release_table(net, table);
11335 }
11336 }
11337
nft_rcv_nl_event(struct notifier_block * this,unsigned long event,void * ptr)11338 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
11339 void *ptr)
11340 {
11341 struct nft_table *table, *to_delete[8];
11342 struct nftables_pernet *nft_net;
11343 struct netlink_notify *n = ptr;
11344 struct net *net = n->net;
11345 unsigned int deleted;
11346 bool restart = false;
11347 unsigned int gc_seq;
11348
11349 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
11350 return NOTIFY_DONE;
11351
11352 nft_net = nft_pernet(net);
11353 deleted = 0;
11354 mutex_lock(&nft_net->commit_mutex);
11355
11356 gc_seq = nft_gc_seq_begin(nft_net);
11357
11358 if (!list_empty(&nf_tables_destroy_list))
11359 nf_tables_trans_destroy_flush_work();
11360 again:
11361 list_for_each_entry(table, &nft_net->tables, list) {
11362 if (nft_table_has_owner(table) &&
11363 n->portid == table->nlpid) {
11364 __nft_release_hook(net, table);
11365 list_del_rcu(&table->list);
11366 to_delete[deleted++] = table;
11367 if (deleted >= ARRAY_SIZE(to_delete))
11368 break;
11369 }
11370 }
11371 if (deleted) {
11372 restart = deleted >= ARRAY_SIZE(to_delete);
11373 synchronize_rcu();
11374 while (deleted)
11375 __nft_release_table(net, to_delete[--deleted]);
11376
11377 if (restart)
11378 goto again;
11379 }
11380 nft_gc_seq_end(nft_net, gc_seq);
11381
11382 mutex_unlock(&nft_net->commit_mutex);
11383
11384 return NOTIFY_DONE;
11385 }
11386
11387 static struct notifier_block nft_nl_notifier = {
11388 .notifier_call = nft_rcv_nl_event,
11389 };
11390
nf_tables_init_net(struct net * net)11391 static int __net_init nf_tables_init_net(struct net *net)
11392 {
11393 struct nftables_pernet *nft_net = nft_pernet(net);
11394
11395 INIT_LIST_HEAD(&nft_net->tables);
11396 INIT_LIST_HEAD(&nft_net->commit_list);
11397 INIT_LIST_HEAD(&nft_net->binding_list);
11398 INIT_LIST_HEAD(&nft_net->module_list);
11399 INIT_LIST_HEAD(&nft_net->notify_list);
11400 mutex_init(&nft_net->commit_mutex);
11401 nft_net->base_seq = 1;
11402 nft_net->gc_seq = 0;
11403 nft_net->validate_state = NFT_VALIDATE_SKIP;
11404
11405 return 0;
11406 }
11407
nf_tables_pre_exit_net(struct net * net)11408 static void __net_exit nf_tables_pre_exit_net(struct net *net)
11409 {
11410 struct nftables_pernet *nft_net = nft_pernet(net);
11411
11412 mutex_lock(&nft_net->commit_mutex);
11413 __nft_release_hooks(net);
11414 mutex_unlock(&nft_net->commit_mutex);
11415 }
11416
nf_tables_exit_net(struct net * net)11417 static void __net_exit nf_tables_exit_net(struct net *net)
11418 {
11419 struct nftables_pernet *nft_net = nft_pernet(net);
11420 unsigned int gc_seq;
11421
11422 mutex_lock(&nft_net->commit_mutex);
11423
11424 gc_seq = nft_gc_seq_begin(nft_net);
11425
11426 if (!list_empty(&nft_net->commit_list) ||
11427 !list_empty(&nft_net->module_list))
11428 __nf_tables_abort(net, NFNL_ABORT_NONE);
11429
11430 __nft_release_tables(net);
11431
11432 nft_gc_seq_end(nft_net, gc_seq);
11433
11434 mutex_unlock(&nft_net->commit_mutex);
11435 WARN_ON_ONCE(!list_empty(&nft_net->tables));
11436 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
11437 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
11438 }
11439
nf_tables_exit_batch(struct list_head * net_exit_list)11440 static void nf_tables_exit_batch(struct list_head *net_exit_list)
11441 {
11442 flush_work(&trans_gc_work);
11443 }
11444
11445 static struct pernet_operations nf_tables_net_ops = {
11446 .init = nf_tables_init_net,
11447 .pre_exit = nf_tables_pre_exit_net,
11448 .exit = nf_tables_exit_net,
11449 .exit_batch = nf_tables_exit_batch,
11450 .id = &nf_tables_net_id,
11451 .size = sizeof(struct nftables_pernet),
11452 };
11453
nf_tables_module_init(void)11454 static int __init nf_tables_module_init(void)
11455 {
11456 int err;
11457
11458 err = register_pernet_subsys(&nf_tables_net_ops);
11459 if (err < 0)
11460 return err;
11461
11462 err = nft_chain_filter_init();
11463 if (err < 0)
11464 goto err_chain_filter;
11465
11466 err = nf_tables_core_module_init();
11467 if (err < 0)
11468 goto err_core_module;
11469
11470 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
11471 if (err < 0)
11472 goto err_netdev_notifier;
11473
11474 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
11475 if (err < 0)
11476 goto err_rht_objname;
11477
11478 err = nft_offload_init();
11479 if (err < 0)
11480 goto err_offload;
11481
11482 err = netlink_register_notifier(&nft_nl_notifier);
11483 if (err < 0)
11484 goto err_netlink_notifier;
11485
11486 /* must be last */
11487 err = nfnetlink_subsys_register(&nf_tables_subsys);
11488 if (err < 0)
11489 goto err_nfnl_subsys;
11490
11491 nft_chain_route_init();
11492
11493 return err;
11494
11495 err_nfnl_subsys:
11496 netlink_unregister_notifier(&nft_nl_notifier);
11497 err_netlink_notifier:
11498 nft_offload_exit();
11499 err_offload:
11500 rhltable_destroy(&nft_objname_ht);
11501 err_rht_objname:
11502 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11503 err_netdev_notifier:
11504 nf_tables_core_module_exit();
11505 err_core_module:
11506 nft_chain_filter_fini();
11507 err_chain_filter:
11508 unregister_pernet_subsys(&nf_tables_net_ops);
11509 return err;
11510 }
11511
nf_tables_module_exit(void)11512 static void __exit nf_tables_module_exit(void)
11513 {
11514 nfnetlink_subsys_unregister(&nf_tables_subsys);
11515 netlink_unregister_notifier(&nft_nl_notifier);
11516 nft_offload_exit();
11517 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11518 nft_chain_filter_fini();
11519 nft_chain_route_fini();
11520 unregister_pernet_subsys(&nf_tables_net_ops);
11521 cancel_work_sync(&trans_gc_work);
11522 cancel_work_sync(&trans_destroy_work);
11523 rcu_barrier();
11524 rhltable_destroy(&nft_objname_ht);
11525 nf_tables_core_module_exit();
11526 }
11527
11528 module_init(nf_tables_module_init);
11529 module_exit(nf_tables_module_exit);
11530
11531 MODULE_LICENSE("GPL");
11532 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
11533 MODULE_DESCRIPTION("Framework for packet filtering and classification");
11534 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
11535