]> git.ipfire.org Git - thirdparty/linux.git/blob - net/netfilter/nf_tables_api.c
projects / thirdparty / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
fs: indicate request originates from old mount API
[thirdparty/linux.git] / net / netfilter / nf_tables_api.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27
28 unsigned int nf_tables_net_id __read_mostly;
29
30 static LIST_HEAD(nf_tables_expressions);
31 static LIST_HEAD(nf_tables_objects);
32 static LIST_HEAD(nf_tables_flowtables);
33 static LIST_HEAD(nf_tables_destroy_list);
34 static LIST_HEAD(nf_tables_gc_list);
35 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
36 static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
37
38 enum {
39 NFT_VALIDATE_SKIP = 0,
40 NFT_VALIDATE_NEED,
41 NFT_VALIDATE_DO,
42 };
43
44 static struct rhltable nft_objname_ht;
45
46 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
47 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
48 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
49
50 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
51 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
52 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
53
54 static const struct rhashtable_params nft_chain_ht_params = {
55 .head_offset = offsetof(struct nft_chain, rhlhead),
56 .key_offset = offsetof(struct nft_chain, name),
57 .hashfn = nft_chain_hash,
58 .obj_hashfn = nft_chain_hash_obj,
59 .obj_cmpfn = nft_chain_hash_cmp,
60 .automatic_shrinking = true,
61 };
62
63 static const struct rhashtable_params nft_objname_ht_params = {
64 .head_offset = offsetof(struct nft_object, rhlhead),
65 .key_offset = offsetof(struct nft_object, key),
66 .hashfn = nft_objname_hash,
67 .obj_hashfn = nft_objname_hash_obj,
68 .obj_cmpfn = nft_objname_hash_cmp,
69 .automatic_shrinking = true,
70 };
71
72 struct nft_audit_data {
73 struct nft_table *table;
74 int entries;
75 int op;
76 struct list_head list;
77 };
78
79 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
80 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
81 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
82 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
83 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
84 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
85 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
86 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
87 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
88 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
89 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
90 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
91 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
92 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
93 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
94 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
95 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
96 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
97 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
99 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
100 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
101 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
102 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
103 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
104 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
105 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
106 };
107
108 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
109 {
110 switch (table->validate_state) {
111 case NFT_VALIDATE_SKIP:
112 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
113 break;
114 case NFT_VALIDATE_NEED:
115 break;
116 case NFT_VALIDATE_DO:
117 if (new_validate_state == NFT_VALIDATE_NEED)
118 return;
119 }
120
121 table->validate_state = new_validate_state;
122 }
123 static void nf_tables_trans_destroy_work(struct work_struct *w);
124 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
125
126 static void nft_trans_gc_work(struct work_struct *work);
127 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
128
129 static void nft_ctx_init(struct nft_ctx *ctx,
130 struct net *net,
131 const struct sk_buff *skb,
132 const struct nlmsghdr *nlh,
133 u8 family,
134 struct nft_table *table,
135 struct nft_chain *chain,
136 const struct nlattr * const *nla)
137 {
138 ctx->net = net;
139 ctx->family = family;
140 ctx->level = 0;
141 ctx->table = table;
142 ctx->chain = chain;
143 ctx->nla = nla;
144 ctx->portid = NETLINK_CB(skb).portid;
145 ctx->report = nlmsg_report(nlh);
146 ctx->flags = nlh->nlmsg_flags;
147 ctx->seq = nlh->nlmsg_seq;
148 }
149
150 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
151 int msg_type, u32 size, gfp_t gfp)
152 {
153 struct nft_trans *trans;
154
155 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
156 if (trans == NULL)
157 return NULL;
158
159 INIT_LIST_HEAD(&trans->list);
160 INIT_LIST_HEAD(&trans->binding_list);
161 trans->msg_type = msg_type;
162 trans->ctx = *ctx;
163
164 return trans;
165 }
166
167 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
168 int msg_type, u32 size)
169 {
170 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
171 }
172
173 static void nft_trans_list_del(struct nft_trans *trans)
174 {
175 list_del(&trans->list);
176 list_del(&trans->binding_list);
177 }
178
179 static void nft_trans_destroy(struct nft_trans *trans)
180 {
181 nft_trans_list_del(trans);
182 kfree(trans);
183 }
184
185 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
186 bool bind)
187 {
188 struct nftables_pernet *nft_net;
189 struct net *net = ctx->net;
190 struct nft_trans *trans;
191
192 if (!nft_set_is_anonymous(set))
193 return;
194
195 nft_net = nft_pernet(net);
196 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
197 switch (trans->msg_type) {
198 case NFT_MSG_NEWSET:
199 if (nft_trans_set(trans) == set)
200 nft_trans_set_bound(trans) = bind;
201 break;
202 case NFT_MSG_NEWSETELEM:
203 if (nft_trans_elem_set(trans) == set)
204 nft_trans_elem_set_bound(trans) = bind;
205 break;
206 }
207 }
208 }
209
210 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
211 {
212 return __nft_set_trans_bind(ctx, set, true);
213 }
214
215 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
216 {
217 return __nft_set_trans_bind(ctx, set, false);
218 }
219
220 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
221 struct nft_chain *chain, bool bind)
222 {
223 struct nftables_pernet *nft_net;
224 struct net *net = ctx->net;
225 struct nft_trans *trans;
226
227 if (!nft_chain_binding(chain))
228 return;
229
230 nft_net = nft_pernet(net);
231 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
232 switch (trans->msg_type) {
233 case NFT_MSG_NEWCHAIN:
234 if (nft_trans_chain(trans) == chain)
235 nft_trans_chain_bound(trans) = bind;
236 break;
237 case NFT_MSG_NEWRULE:
238 if (trans->ctx.chain == chain)
239 nft_trans_rule_bound(trans) = bind;
240 break;
241 }
242 }
243 }
244
245 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
246 struct nft_chain *chain)
247 {
248 __nft_chain_trans_bind(ctx, chain, true);
249 }
250
251 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
252 {
253 if (!nft_chain_binding(chain))
254 return 0;
255
256 if (nft_chain_binding(ctx->chain))
257 return -EOPNOTSUPP;
258
259 if (chain->bound)
260 return -EBUSY;
261
262 if (!nft_use_inc(&chain->use))
263 return -EMFILE;
264
265 chain->bound = true;
266 nft_chain_trans_bind(ctx, chain);
267
268 return 0;
269 }
270
271 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
272 {
273 __nft_chain_trans_bind(ctx, chain, false);
274 }
275
276 static int nft_netdev_register_hooks(struct net *net,
277 struct list_head *hook_list)
278 {
279 struct nft_hook *hook;
280 int err, j;
281
282 j = 0;
283 list_for_each_entry(hook, hook_list, list) {
284 err = nf_register_net_hook(net, &hook->ops);
285 if (err < 0)
286 goto err_register;
287
288 j++;
289 }
290 return 0;
291
292 err_register:
293 list_for_each_entry(hook, hook_list, list) {
294 if (j-- <= 0)
295 break;
296
297 nf_unregister_net_hook(net, &hook->ops);
298 }
299 return err;
300 }
301
302 static void nft_netdev_unregister_hooks(struct net *net,
303 struct list_head *hook_list,
304 bool release_netdev)
305 {
306 struct nft_hook *hook, *next;
307
308 list_for_each_entry_safe(hook, next, hook_list, list) {
309 nf_unregister_net_hook(net, &hook->ops);
310 if (release_netdev) {
311 list_del(&hook->list);
312 kfree_rcu(hook, rcu);
313 }
314 }
315 }
316
317 static int nf_tables_register_hook(struct net *net,
318 const struct nft_table *table,
319 struct nft_chain *chain)
320 {
321 struct nft_base_chain *basechain;
322 const struct nf_hook_ops *ops;
323
324 if (table->flags & NFT_TABLE_F_DORMANT ||
325 !nft_is_base_chain(chain))
326 return 0;
327
328 basechain = nft_base_chain(chain);
329 ops = &basechain->ops;
330
331 if (basechain->type->ops_register)
332 return basechain->type->ops_register(net, ops);
333
334 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
335 return nft_netdev_register_hooks(net, &basechain->hook_list);
336
337 return nf_register_net_hook(net, &basechain->ops);
338 }
339
340 static void __nf_tables_unregister_hook(struct net *net,
341 const struct nft_table *table,
342 struct nft_chain *chain,
343 bool release_netdev)
344 {
345 struct nft_base_chain *basechain;
346 const struct nf_hook_ops *ops;
347
348 if (table->flags & NFT_TABLE_F_DORMANT ||
349 !nft_is_base_chain(chain))
350 return;
351 basechain = nft_base_chain(chain);
352 ops = &basechain->ops;
353
354 if (basechain->type->ops_unregister)
355 return basechain->type->ops_unregister(net, ops);
356
357 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
358 nft_netdev_unregister_hooks(net, &basechain->hook_list,
359 release_netdev);
360 else
361 nf_unregister_net_hook(net, &basechain->ops);
362 }
363
364 static void nf_tables_unregister_hook(struct net *net,
365 const struct nft_table *table,
366 struct nft_chain *chain)
367 {
368 return __nf_tables_unregister_hook(net, table, chain, false);
369 }
370
371 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
372 {
373 struct nftables_pernet *nft_net = nft_pernet(net);
374
375 switch (trans->msg_type) {
376 case NFT_MSG_NEWSET:
377 if (!nft_trans_set_update(trans) &&
378 nft_set_is_anonymous(nft_trans_set(trans)))
379 list_add_tail(&trans->binding_list, &nft_net->binding_list);
380 break;
381 case NFT_MSG_NEWCHAIN:
382 if (!nft_trans_chain_update(trans) &&
383 nft_chain_binding(nft_trans_chain(trans)))
384 list_add_tail(&trans->binding_list, &nft_net->binding_list);
385 break;
386 }
387
388 list_add_tail(&trans->list, &nft_net->commit_list);
389 }
390
391 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
392 {
393 struct nft_trans *trans;
394
395 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
396 if (trans == NULL)
397 return -ENOMEM;
398
399 if (msg_type == NFT_MSG_NEWTABLE)
400 nft_activate_next(ctx->net, ctx->table);
401
402 nft_trans_commit_list_add_tail(ctx->net, trans);
403 return 0;
404 }
405
406 static int nft_deltable(struct nft_ctx *ctx)
407 {
408 int err;
409
410 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
411 if (err < 0)
412 return err;
413
414 nft_deactivate_next(ctx->net, ctx->table);
415 return err;
416 }
417
418 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
419 {
420 struct nft_trans *trans;
421
422 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
423 if (trans == NULL)
424 return ERR_PTR(-ENOMEM);
425
426 if (msg_type == NFT_MSG_NEWCHAIN) {
427 nft_activate_next(ctx->net, ctx->chain);
428
429 if (ctx->nla[NFTA_CHAIN_ID]) {
430 nft_trans_chain_id(trans) =
431 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
432 }
433 }
434 nft_trans_chain(trans) = ctx->chain;
435 nft_trans_commit_list_add_tail(ctx->net, trans);
436
437 return trans;
438 }
439
440 static int nft_delchain(struct nft_ctx *ctx)
441 {
442 struct nft_trans *trans;
443
444 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
445 if (IS_ERR(trans))
446 return PTR_ERR(trans);
447
448 nft_use_dec(&ctx->table->use);
449 nft_deactivate_next(ctx->net, ctx->chain);
450
451 return 0;
452 }
453
454 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
455 {
456 struct nft_expr *expr;
457
458 expr = nft_expr_first(rule);
459 while (nft_expr_more(rule, expr)) {
460 if (expr->ops->activate)
461 expr->ops->activate(ctx, expr);
462
463 expr = nft_expr_next(expr);
464 }
465 }
466
467 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
468 enum nft_trans_phase phase)
469 {
470 struct nft_expr *expr;
471
472 expr = nft_expr_first(rule);
473 while (nft_expr_more(rule, expr)) {
474 if (expr->ops->deactivate)
475 expr->ops->deactivate(ctx, expr, phase);
476
477 expr = nft_expr_next(expr);
478 }
479 }
480
481 static int
482 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
483 {
484 /* You cannot delete the same rule twice */
485 if (nft_is_active_next(ctx->net, rule)) {
486 nft_deactivate_next(ctx->net, rule);
487 nft_use_dec(&ctx->chain->use);
488 return 0;
489 }
490 return -ENOENT;
491 }
492
493 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
494 struct nft_rule *rule)
495 {
496 struct nft_trans *trans;
497
498 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
499 if (trans == NULL)
500 return NULL;
501
502 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
503 nft_trans_rule_id(trans) =
504 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
505 }
506 nft_trans_rule(trans) = rule;
507 nft_trans_commit_list_add_tail(ctx->net, trans);
508
509 return trans;
510 }
511
512 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
513 {
514 struct nft_flow_rule *flow;
515 struct nft_trans *trans;
516 int err;
517
518 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
519 if (trans == NULL)
520 return -ENOMEM;
521
522 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
523 flow = nft_flow_rule_create(ctx->net, rule);
524 if (IS_ERR(flow)) {
525 nft_trans_destroy(trans);
526 return PTR_ERR(flow);
527 }
528
529 nft_trans_flow_rule(trans) = flow;
530 }
531
532 err = nf_tables_delrule_deactivate(ctx, rule);
533 if (err < 0) {
534 nft_trans_destroy(trans);
535 return err;
536 }
537 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
538
539 return 0;
540 }
541
542 static int nft_delrule_by_chain(struct nft_ctx *ctx)
543 {
544 struct nft_rule *rule;
545 int err;
546
547 list_for_each_entry(rule, &ctx->chain->rules, list) {
548 if (!nft_is_active_next(ctx->net, rule))
549 continue;
550
551 err = nft_delrule(ctx, rule);
552 if (err < 0)
553 return err;
554 }
555 return 0;
556 }
557
558 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
559 struct nft_set *set,
560 const struct nft_set_desc *desc)
561 {
562 struct nft_trans *trans;
563
564 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
565 if (trans == NULL)
566 return -ENOMEM;
567
568 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
569 nft_trans_set_id(trans) =
570 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
571 nft_activate_next(ctx->net, set);
572 }
573 nft_trans_set(trans) = set;
574 if (desc) {
575 nft_trans_set_update(trans) = true;
576 nft_trans_set_gc_int(trans) = desc->gc_int;
577 nft_trans_set_timeout(trans) = desc->timeout;
578 nft_trans_set_size(trans) = desc->size;
579 }
580 nft_trans_commit_list_add_tail(ctx->net, trans);
581
582 return 0;
583 }
584
585 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
586 struct nft_set *set)
587 {
588 return __nft_trans_set_add(ctx, msg_type, set, NULL);
589 }
590
591 static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
592 struct nft_set *set,
593 const struct nft_set_iter *iter,
594 struct nft_elem_priv *elem_priv)
595 {
596 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
597
598 return 0;
599 }
600
601 struct nft_set_elem_catchall {
602 struct list_head list;
603 struct rcu_head rcu;
604 struct nft_elem_priv *elem;
605 };
606
607 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
608 struct nft_set *set)
609 {
610 u8 genmask = nft_genmask_next(ctx->net);
611 struct nft_set_elem_catchall *catchall;
612 struct nft_set_ext *ext;
613
614 list_for_each_entry(catchall, &set->catchall_list, list) {
615 ext = nft_set_elem_ext(set, catchall->elem);
616 if (!nft_set_elem_active(ext, genmask))
617 continue;
618
619 nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
620 break;
621 }
622 }
623
624 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
625 {
626 struct nft_set_iter iter = {
627 .genmask = nft_genmask_next(ctx->net),
628 .fn = nft_mapelem_deactivate,
629 };
630
631 set->ops->walk(ctx, set, &iter);
632 WARN_ON_ONCE(iter.err);
633
634 nft_map_catchall_deactivate(ctx, set);
635 }
636
637 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
638 {
639 int err;
640
641 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
642 if (err < 0)
643 return err;
644
645 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
646 nft_map_deactivate(ctx, set);
647
648 nft_deactivate_next(ctx->net, set);
649 nft_use_dec(&ctx->table->use);
650
651 return err;
652 }
653
654 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
655 struct nft_object *obj)
656 {
657 struct nft_trans *trans;
658
659 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
660 if (trans == NULL)
661 return -ENOMEM;
662
663 if (msg_type == NFT_MSG_NEWOBJ)
664 nft_activate_next(ctx->net, obj);
665
666 nft_trans_obj(trans) = obj;
667 nft_trans_commit_list_add_tail(ctx->net, trans);
668
669 return 0;
670 }
671
672 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
673 {
674 int err;
675
676 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
677 if (err < 0)
678 return err;
679
680 nft_deactivate_next(ctx->net, obj);
681 nft_use_dec(&ctx->table->use);
682
683 return err;
684 }
685
686 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
687 struct nft_flowtable *flowtable)
688 {
689 struct nft_trans *trans;
690
691 trans = nft_trans_alloc(ctx, msg_type,
692 sizeof(struct nft_trans_flowtable));
693 if (trans == NULL)
694 return -ENOMEM;
695
696 if (msg_type == NFT_MSG_NEWFLOWTABLE)
697 nft_activate_next(ctx->net, flowtable);
698
699 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
700 nft_trans_flowtable(trans) = flowtable;
701 nft_trans_commit_list_add_tail(ctx->net, trans);
702
703 return 0;
704 }
705
706 static int nft_delflowtable(struct nft_ctx *ctx,
707 struct nft_flowtable *flowtable)
708 {
709 int err;
710
711 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
712 if (err < 0)
713 return err;
714
715 nft_deactivate_next(ctx->net, flowtable);
716 nft_use_dec(&ctx->table->use);
717
718 return err;
719 }
720
721 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
722 {
723 int i;
724
725 for (i = track->regs[dreg].num_reg; i > 0; i--)
726 __nft_reg_track_cancel(track, dreg - i);
727 }
728
729 static void __nft_reg_track_update(struct nft_regs_track *track,
730 const struct nft_expr *expr,
731 u8 dreg, u8 num_reg)
732 {
733 track->regs[dreg].selector = expr;
734 track->regs[dreg].bitwise = NULL;
735 track->regs[dreg].num_reg = num_reg;
736 }
737
738 void nft_reg_track_update(struct nft_regs_track *track,
739 const struct nft_expr *expr, u8 dreg, u8 len)
740 {
741 unsigned int regcount;
742 int i;
743
744 __nft_reg_track_clobber(track, dreg);
745
746 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
747 for (i = 0; i < regcount; i++, dreg++)
748 __nft_reg_track_update(track, expr, dreg, i);
749 }
750 EXPORT_SYMBOL_GPL(nft_reg_track_update);
751
752 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
753 {
754 unsigned int regcount;
755 int i;
756
757 __nft_reg_track_clobber(track, dreg);
758
759 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
760 for (i = 0; i < regcount; i++, dreg++)
761 __nft_reg_track_cancel(track, dreg);
762 }
763 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
764
765 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
766 {
767 track->regs[dreg].selector = NULL;
768 track->regs[dreg].bitwise = NULL;
769 track->regs[dreg].num_reg = 0;
770 }
771 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
772
773 /*
774 * Tables
775 */
776
777 static struct nft_table *nft_table_lookup(const struct net *net,
778 const struct nlattr *nla,
779 u8 family, u8 genmask, u32 nlpid)
780 {
781 struct nftables_pernet *nft_net;
782 struct nft_table *table;
783
784 if (nla == NULL)
785 return ERR_PTR(-EINVAL);
786
787 nft_net = nft_pernet(net);
788 list_for_each_entry_rcu(table, &nft_net->tables, list,
789 lockdep_is_held(&nft_net->commit_mutex)) {
790 if (!nla_strcmp(nla, table->name) &&
791 table->family == family &&
792 nft_active_genmask(table, genmask)) {
793 if (nft_table_has_owner(table) &&
794 nlpid && table->nlpid != nlpid)
795 return ERR_PTR(-EPERM);
796
797 return table;
798 }
799 }
800
801 return ERR_PTR(-ENOENT);
802 }
803
804 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
805 const struct nlattr *nla,
806 int family, u8 genmask, u32 nlpid)
807 {
808 struct nftables_pernet *nft_net;
809 struct nft_table *table;
810
811 nft_net = nft_pernet(net);
812 list_for_each_entry(table, &nft_net->tables, list) {
813 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
814 table->family == family &&
815 nft_active_genmask(table, genmask)) {
816 if (nft_table_has_owner(table) &&
817 nlpid && table->nlpid != nlpid)
818 return ERR_PTR(-EPERM);
819
820 return table;
821 }
822 }
823
824 return ERR_PTR(-ENOENT);
825 }
826
827 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
828 {
829 return ++table->hgenerator;
830 }
831
832 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
833
834 static const struct nft_chain_type *
835 __nft_chain_type_get(u8 family, enum nft_chain_types type)
836 {
837 if (family >= NFPROTO_NUMPROTO ||
838 type >= NFT_CHAIN_T_MAX)
839 return NULL;
840
841 return chain_type[family][type];
842 }
843
844 static const struct nft_chain_type *
845 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
846 {
847 const struct nft_chain_type *type;
848 int i;
849
850 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
851 type = __nft_chain_type_get(family, i);
852 if (!type)
853 continue;
854 if (!nla_strcmp(nla, type->name))
855 return type;
856 }
857 return NULL;
858 }
859
860 struct nft_module_request {
861 struct list_head list;
862 char module[MODULE_NAME_LEN];
863 bool done;
864 };
865
866 #ifdef CONFIG_MODULES
867 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
868 ...)
869 {
870 char module_name[MODULE_NAME_LEN];
871 struct nftables_pernet *nft_net;
872 struct nft_module_request *req;
873 va_list args;
874 int ret;
875
876 va_start(args, fmt);
877 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
878 va_end(args);
879 if (ret >= MODULE_NAME_LEN)
880 return 0;
881
882 nft_net = nft_pernet(net);
883 list_for_each_entry(req, &nft_net->module_list, list) {
884 if (!strcmp(req->module, module_name)) {
885 if (req->done)
886 return 0;
887
888 /* A request to load this module already exists. */
889 return -EAGAIN;
890 }
891 }
892
893 req = kmalloc(sizeof(*req), GFP_KERNEL);
894 if (!req)
895 return -ENOMEM;
896
897 req->done = false;
898 strscpy(req->module, module_name, MODULE_NAME_LEN);
899 list_add_tail(&req->list, &nft_net->module_list);
900
901 return -EAGAIN;
902 }
903 EXPORT_SYMBOL_GPL(nft_request_module);
904 #endif
905
906 static void lockdep_nfnl_nft_mutex_not_held(void)
907 {
908 #ifdef CONFIG_PROVE_LOCKING
909 if (debug_locks)
910 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
911 #endif
912 }
913
914 static const struct nft_chain_type *
915 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
916 u8 family, bool autoload)
917 {
918 const struct nft_chain_type *type;
919
920 type = __nf_tables_chain_type_lookup(nla, family);
921 if (type != NULL)
922 return type;
923
924 lockdep_nfnl_nft_mutex_not_held();
925 #ifdef CONFIG_MODULES
926 if (autoload) {
927 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
928 nla_len(nla),
929 (const char *)nla_data(nla)) == -EAGAIN)
930 return ERR_PTR(-EAGAIN);
931 }
932 #endif
933 return ERR_PTR(-ENOENT);
934 }
935
936 static __be16 nft_base_seq(const struct net *net)
937 {
938 struct nftables_pernet *nft_net = nft_pernet(net);
939
940 return htons(nft_net->base_seq & 0xffff);
941 }
942
943 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
944 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
945 .len = NFT_TABLE_MAXNAMELEN - 1 },
946 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
947 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
948 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
949 .len = NFT_USERDATA_MAXLEN }
950 };
951
952 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
953 u32 portid, u32 seq, int event, u32 flags,
954 int family, const struct nft_table *table)
955 {
956 struct nlmsghdr *nlh;
957
958 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
959 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
960 NFNETLINK_V0, nft_base_seq(net));
961 if (!nlh)
962 goto nla_put_failure;
963
964 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
965 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
966 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
967 NFTA_TABLE_PAD))
968 goto nla_put_failure;
969
970 if (event == NFT_MSG_DELTABLE) {
971 nlmsg_end(skb, nlh);
972 return 0;
973 }
974
975 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
976 htonl(table->flags & NFT_TABLE_F_MASK)))
977 goto nla_put_failure;
978
979 if (nft_table_has_owner(table) &&
980 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
981 goto nla_put_failure;
982
983 if (table->udata) {
984 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
985 goto nla_put_failure;
986 }
987
988 nlmsg_end(skb, nlh);
989 return 0;
990
991 nla_put_failure:
992 nlmsg_trim(skb, nlh);
993 return -1;
994 }
995
996 struct nftnl_skb_parms {
997 bool report;
998 };
999 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1000
1001 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1002 struct list_head *notify_list)
1003 {
1004 NFT_CB(skb).report = report;
1005 list_add_tail(&skb->list, notify_list);
1006 }
1007
1008 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1009 {
1010 struct nftables_pernet *nft_net;
1011 struct sk_buff *skb;
1012 u16 flags = 0;
1013 int err;
1014
1015 if (!ctx->report &&
1016 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1017 return;
1018
1019 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1020 if (skb == NULL)
1021 goto err;
1022
1023 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1024 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1025
1026 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
1027 event, flags, ctx->family, ctx->table);
1028 if (err < 0) {
1029 kfree_skb(skb);
1030 goto err;
1031 }
1032
1033 nft_net = nft_pernet(ctx->net);
1034 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1035 return;
1036 err:
1037 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1038 }
1039
1040 static int nf_tables_dump_tables(struct sk_buff *skb,
1041 struct netlink_callback *cb)
1042 {
1043 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1044 struct nftables_pernet *nft_net;
1045 const struct nft_table *table;
1046 unsigned int idx = 0, s_idx = cb->args[0];
1047 struct net *net = sock_net(skb->sk);
1048 int family = nfmsg->nfgen_family;
1049
1050 rcu_read_lock();
1051 nft_net = nft_pernet(net);
1052 cb->seq = READ_ONCE(nft_net->base_seq);
1053
1054 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1055 if (family != NFPROTO_UNSPEC && family != table->family)
1056 continue;
1057
1058 if (idx < s_idx)
1059 goto cont;
1060 if (idx > s_idx)
1061 memset(&cb->args[1], 0,
1062 sizeof(cb->args) - sizeof(cb->args[0]));
1063 if (!nft_is_active(net, table))
1064 continue;
1065 if (nf_tables_fill_table_info(skb, net,
1066 NETLINK_CB(cb->skb).portid,
1067 cb->nlh->nlmsg_seq,
1068 NFT_MSG_NEWTABLE, NLM_F_MULTI,
1069 table->family, table) < 0)
1070 goto done;
1071
1072 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1073 cont:
1074 idx++;
1075 }
1076 done:
1077 rcu_read_unlock();
1078 cb->args[0] = idx;
1079 return skb->len;
1080 }
1081
1082 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1083 const struct nlmsghdr *nlh,
1084 struct netlink_dump_control *c)
1085 {
1086 int err;
1087
1088 if (!try_module_get(THIS_MODULE))
1089 return -EINVAL;
1090
1091 rcu_read_unlock();
1092 err = netlink_dump_start(nlsk, skb, nlh, c);
1093 rcu_read_lock();
1094 module_put(THIS_MODULE);
1095
1096 return err;
1097 }
1098
1099 /* called with rcu_read_lock held */
1100 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1101 const struct nlattr * const nla[])
1102 {
1103 struct netlink_ext_ack *extack = info->extack;
1104 u8 genmask = nft_genmask_cur(info->net);
1105 u8 family = info->nfmsg->nfgen_family;
1106 const struct nft_table *table;
1107 struct net *net = info->net;
1108 struct sk_buff *skb2;
1109 int err;
1110
1111 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1112 struct netlink_dump_control c = {
1113 .dump = nf_tables_dump_tables,
1114 .module = THIS_MODULE,
1115 };
1116
1117 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1118 }
1119
1120 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1121 if (IS_ERR(table)) {
1122 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1123 return PTR_ERR(table);
1124 }
1125
1126 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1127 if (!skb2)
1128 return -ENOMEM;
1129
1130 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1131 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1132 0, family, table);
1133 if (err < 0)
1134 goto err_fill_table_info;
1135
1136 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1137
1138 err_fill_table_info:
1139 kfree_skb(skb2);
1140 return err;
1141 }
1142
1143 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1144 {
1145 struct nft_chain *chain;
1146 u32 i = 0;
1147
1148 list_for_each_entry(chain, &table->chains, list) {
1149 if (!nft_is_active_next(net, chain))
1150 continue;
1151 if (!nft_is_base_chain(chain))
1152 continue;
1153
1154 if (cnt && i++ == cnt)
1155 break;
1156
1157 nf_tables_unregister_hook(net, table, chain);
1158 }
1159 }
1160
1161 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1162 {
1163 struct nft_chain *chain;
1164 int err, i = 0;
1165
1166 list_for_each_entry(chain, &table->chains, list) {
1167 if (!nft_is_active_next(net, chain))
1168 continue;
1169 if (!nft_is_base_chain(chain))
1170 continue;
1171
1172 err = nf_tables_register_hook(net, table, chain);
1173 if (err < 0)
1174 goto err_register_hooks;
1175
1176 i++;
1177 }
1178 return 0;
1179
1180 err_register_hooks:
1181 if (i)
1182 nft_table_disable(net, table, i);
1183 return err;
1184 }
1185
1186 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1187 {
1188 table->flags &= ~NFT_TABLE_F_DORMANT;
1189 nft_table_disable(net, table, 0);
1190 table->flags |= NFT_TABLE_F_DORMANT;
1191 }
1192
1193 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1194 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1195 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1196 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1197 __NFT_TABLE_F_WAS_AWAKEN)
1198
1199 static int nf_tables_updtable(struct nft_ctx *ctx)
1200 {
1201 struct nft_trans *trans;
1202 u32 flags;
1203 int ret;
1204
1205 if (!ctx->nla[NFTA_TABLE_FLAGS])
1206 return 0;
1207
1208 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1209 if (flags & ~NFT_TABLE_F_MASK)
1210 return -EOPNOTSUPP;
1211
1212 if (flags == ctx->table->flags)
1213 return 0;
1214
1215 if ((nft_table_has_owner(ctx->table) &&
1216 !(flags & NFT_TABLE_F_OWNER)) ||
1217 (!nft_table_has_owner(ctx->table) &&
1218 flags & NFT_TABLE_F_OWNER))
1219 return -EOPNOTSUPP;
1220
1221 /* No dormant off/on/off/on games in single transaction */
1222 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1223 return -EINVAL;
1224
1225 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1226 sizeof(struct nft_trans_table));
1227 if (trans == NULL)
1228 return -ENOMEM;
1229
1230 if ((flags & NFT_TABLE_F_DORMANT) &&
1231 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1232 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1233 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1234 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1235 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1236 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1237 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1238 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1239 ret = nf_tables_table_enable(ctx->net, ctx->table);
1240 if (ret < 0)
1241 goto err_register_hooks;
1242
1243 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1244 }
1245 }
1246
1247 nft_trans_table_update(trans) = true;
1248 nft_trans_commit_list_add_tail(ctx->net, trans);
1249
1250 return 0;
1251
1252 err_register_hooks:
1253 nft_trans_destroy(trans);
1254 return ret;
1255 }
1256
1257 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1258 {
1259 const char *name = data;
1260
1261 return jhash(name, strlen(name), seed);
1262 }
1263
1264 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1265 {
1266 const struct nft_chain *chain = data;
1267
1268 return nft_chain_hash(chain->name, 0, seed);
1269 }
1270
1271 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1272 const void *ptr)
1273 {
1274 const struct nft_chain *chain = ptr;
1275 const char *name = arg->key;
1276
1277 return strcmp(chain->name, name);
1278 }
1279
1280 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1281 {
1282 const struct nft_object_hash_key *k = data;
1283
1284 seed ^= hash_ptr(k->table, 32);
1285
1286 return jhash(k->name, strlen(k->name), seed);
1287 }
1288
1289 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1290 {
1291 const struct nft_object *obj = data;
1292
1293 return nft_objname_hash(&obj->key, 0, seed);
1294 }
1295
1296 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1297 const void *ptr)
1298 {
1299 const struct nft_object_hash_key *k = arg->key;
1300 const struct nft_object *obj = ptr;
1301
1302 if (obj->key.table != k->table)
1303 return -1;
1304
1305 return strcmp(obj->key.name, k->name);
1306 }
1307
1308 static bool nft_supported_family(u8 family)
1309 {
1310 return false
1311 #ifdef CONFIG_NF_TABLES_INET
1312 || family == NFPROTO_INET
1313 #endif
1314 #ifdef CONFIG_NF_TABLES_IPV4
1315 || family == NFPROTO_IPV4
1316 #endif
1317 #ifdef CONFIG_NF_TABLES_ARP
1318 || family == NFPROTO_ARP
1319 #endif
1320 #ifdef CONFIG_NF_TABLES_NETDEV
1321 || family == NFPROTO_NETDEV
1322 #endif
1323 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1324 || family == NFPROTO_BRIDGE
1325 #endif
1326 #ifdef CONFIG_NF_TABLES_IPV6
1327 || family == NFPROTO_IPV6
1328 #endif
1329 ;
1330 }
1331
1332 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1333 const struct nlattr * const nla[])
1334 {
1335 struct nftables_pernet *nft_net = nft_pernet(info->net);
1336 struct netlink_ext_ack *extack = info->extack;
1337 u8 genmask = nft_genmask_next(info->net);
1338 u8 family = info->nfmsg->nfgen_family;
1339 struct net *net = info->net;
1340 const struct nlattr *attr;
1341 struct nft_table *table;
1342 struct nft_ctx ctx;
1343 u32 flags = 0;
1344 int err;
1345
1346 if (!nft_supported_family(family))
1347 return -EOPNOTSUPP;
1348
1349 lockdep_assert_held(&nft_net->commit_mutex);
1350 attr = nla[NFTA_TABLE_NAME];
1351 table = nft_table_lookup(net, attr, family, genmask,
1352 NETLINK_CB(skb).portid);
1353 if (IS_ERR(table)) {
1354 if (PTR_ERR(table) != -ENOENT)
1355 return PTR_ERR(table);
1356 } else {
1357 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1358 NL_SET_BAD_ATTR(extack, attr);
1359 return -EEXIST;
1360 }
1361 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1362 return -EOPNOTSUPP;
1363
1364 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1365
1366 return nf_tables_updtable(&ctx);
1367 }
1368
1369 if (nla[NFTA_TABLE_FLAGS]) {
1370 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1371 if (flags & ~NFT_TABLE_F_MASK)
1372 return -EOPNOTSUPP;
1373 }
1374
1375 err = -ENOMEM;
1376 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1377 if (table == NULL)
1378 goto err_kzalloc;
1379
1380 table->validate_state = nft_net->validate_state;
1381 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1382 if (table->name == NULL)
1383 goto err_strdup;
1384
1385 if (nla[NFTA_TABLE_USERDATA]) {
1386 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1387 if (table->udata == NULL)
1388 goto err_table_udata;
1389
1390 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1391 }
1392
1393 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1394 if (err)
1395 goto err_chain_ht;
1396
1397 INIT_LIST_HEAD(&table->chains);
1398 INIT_LIST_HEAD(&table->sets);
1399 INIT_LIST_HEAD(&table->objects);
1400 INIT_LIST_HEAD(&table->flowtables);
1401 table->family = family;
1402 table->flags = flags;
1403 table->handle = ++nft_net->table_handle;
1404 if (table->flags & NFT_TABLE_F_OWNER)
1405 table->nlpid = NETLINK_CB(skb).portid;
1406
1407 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1408 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1409 if (err < 0)
1410 goto err_trans;
1411
1412 list_add_tail_rcu(&table->list, &nft_net->tables);
1413 return 0;
1414 err_trans:
1415 rhltable_destroy(&table->chains_ht);
1416 err_chain_ht:
1417 kfree(table->udata);
1418 err_table_udata:
1419 kfree(table->name);
1420 err_strdup:
1421 kfree(table);
1422 err_kzalloc:
1423 return err;
1424 }
1425
1426 static int nft_flush_table(struct nft_ctx *ctx)
1427 {
1428 struct nft_flowtable *flowtable, *nft;
1429 struct nft_chain *chain, *nc;
1430 struct nft_object *obj, *ne;
1431 struct nft_set *set, *ns;
1432 int err;
1433
1434 list_for_each_entry(chain, &ctx->table->chains, list) {
1435 if (!nft_is_active_next(ctx->net, chain))
1436 continue;
1437
1438 if (nft_chain_binding(chain))
1439 continue;
1440
1441 ctx->chain = chain;
1442
1443 err = nft_delrule_by_chain(ctx);
1444 if (err < 0)
1445 goto out;
1446 }
1447
1448 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1449 if (!nft_is_active_next(ctx->net, set))
1450 continue;
1451
1452 if (nft_set_is_anonymous(set))
1453 continue;
1454
1455 err = nft_delset(ctx, set);
1456 if (err < 0)
1457 goto out;
1458 }
1459
1460 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1461 if (!nft_is_active_next(ctx->net, flowtable))
1462 continue;
1463
1464 err = nft_delflowtable(ctx, flowtable);
1465 if (err < 0)
1466 goto out;
1467 }
1468
1469 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1470 if (!nft_is_active_next(ctx->net, obj))
1471 continue;
1472
1473 err = nft_delobj(ctx, obj);
1474 if (err < 0)
1475 goto out;
1476 }
1477
1478 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1479 if (!nft_is_active_next(ctx->net, chain))
1480 continue;
1481
1482 if (nft_chain_binding(chain))
1483 continue;
1484
1485 ctx->chain = chain;
1486
1487 err = nft_delchain(ctx);
1488 if (err < 0)
1489 goto out;
1490 }
1491
1492 err = nft_deltable(ctx);
1493 out:
1494 return err;
1495 }
1496
1497 static int nft_flush(struct nft_ctx *ctx, int family)
1498 {
1499 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1500 const struct nlattr * const *nla = ctx->nla;
1501 struct nft_table *table, *nt;
1502 int err = 0;
1503
1504 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1505 if (family != AF_UNSPEC && table->family != family)
1506 continue;
1507
1508 ctx->family = table->family;
1509
1510 if (!nft_is_active_next(ctx->net, table))
1511 continue;
1512
1513 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1514 continue;
1515
1516 if (nla[NFTA_TABLE_NAME] &&
1517 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1518 continue;
1519
1520 ctx->table = table;
1521
1522 err = nft_flush_table(ctx);
1523 if (err < 0)
1524 goto out;
1525 }
1526 out:
1527 return err;
1528 }
1529
1530 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1531 const struct nlattr * const nla[])
1532 {
1533 struct netlink_ext_ack *extack = info->extack;
1534 u8 genmask = nft_genmask_next(info->net);
1535 u8 family = info->nfmsg->nfgen_family;
1536 struct net *net = info->net;
1537 const struct nlattr *attr;
1538 struct nft_table *table;
1539 struct nft_ctx ctx;
1540
1541 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1542 if (family == AF_UNSPEC ||
1543 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1544 return nft_flush(&ctx, family);
1545
1546 if (nla[NFTA_TABLE_HANDLE]) {
1547 attr = nla[NFTA_TABLE_HANDLE];
1548 table = nft_table_lookup_byhandle(net, attr, family, genmask,
1549 NETLINK_CB(skb).portid);
1550 } else {
1551 attr = nla[NFTA_TABLE_NAME];
1552 table = nft_table_lookup(net, attr, family, genmask,
1553 NETLINK_CB(skb).portid);
1554 }
1555
1556 if (IS_ERR(table)) {
1557 if (PTR_ERR(table) == -ENOENT &&
1558 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1559 return 0;
1560
1561 NL_SET_BAD_ATTR(extack, attr);
1562 return PTR_ERR(table);
1563 }
1564
1565 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1566 table->use > 0)
1567 return -EBUSY;
1568
1569 ctx.family = family;
1570 ctx.table = table;
1571
1572 return nft_flush_table(&ctx);
1573 }
1574
1575 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1576 {
1577 if (WARN_ON(ctx->table->use > 0))
1578 return;
1579
1580 rhltable_destroy(&ctx->table->chains_ht);
1581 kfree(ctx->table->name);
1582 kfree(ctx->table->udata);
1583 kfree(ctx->table);
1584 }
1585
1586 void nft_register_chain_type(const struct nft_chain_type *ctype)
1587 {
1588 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1589 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1590 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1591 return;
1592 }
1593 chain_type[ctype->family][ctype->type] = ctype;
1594 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1595 }
1596 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1597
1598 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1599 {
1600 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1601 chain_type[ctype->family][ctype->type] = NULL;
1602 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1603 }
1604 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1605
1606 /*
1607 * Chains
1608 */
1609
1610 static struct nft_chain *
1611 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1612 {
1613 struct nft_chain *chain;
1614
1615 list_for_each_entry(chain, &table->chains, list) {
1616 if (chain->handle == handle &&
1617 nft_active_genmask(chain, genmask))
1618 return chain;
1619 }
1620
1621 return ERR_PTR(-ENOENT);
1622 }
1623
1624 static bool lockdep_commit_lock_is_held(const struct net *net)
1625 {
1626 #ifdef CONFIG_PROVE_LOCKING
1627 struct nftables_pernet *nft_net = nft_pernet(net);
1628
1629 return lockdep_is_held(&nft_net->commit_mutex);
1630 #else
1631 return true;
1632 #endif
1633 }
1634
1635 static struct nft_chain *nft_chain_lookup(struct net *net,
1636 struct nft_table *table,
1637 const struct nlattr *nla, u8 genmask)
1638 {
1639 char search[NFT_CHAIN_MAXNAMELEN + 1];
1640 struct rhlist_head *tmp, *list;
1641 struct nft_chain *chain;
1642
1643 if (nla == NULL)
1644 return ERR_PTR(-EINVAL);
1645
1646 nla_strscpy(search, nla, sizeof(search));
1647
1648 WARN_ON(!rcu_read_lock_held() &&
1649 !lockdep_commit_lock_is_held(net));
1650
1651 chain = ERR_PTR(-ENOENT);
1652 rcu_read_lock();
1653 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1654 if (!list)
1655 goto out_unlock;
1656
1657 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1658 if (nft_active_genmask(chain, genmask))
1659 goto out_unlock;
1660 }
1661 chain = ERR_PTR(-ENOENT);
1662 out_unlock:
1663 rcu_read_unlock();
1664 return chain;
1665 }
1666
1667 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1668 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1669 .len = NFT_TABLE_MAXNAMELEN - 1 },
1670 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1671 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1672 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1673 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1674 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1675 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1676 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1677 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1678 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1679 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1680 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1681 .len = NFT_USERDATA_MAXLEN },
1682 };
1683
1684 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1685 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1686 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1687 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1688 .len = IFNAMSIZ - 1 },
1689 };
1690
1691 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1692 {
1693 struct nft_stats *cpu_stats, total;
1694 struct nlattr *nest;
1695 unsigned int seq;
1696 u64 pkts, bytes;
1697 int cpu;
1698
1699 if (!stats)
1700 return 0;
1701
1702 memset(&total, 0, sizeof(total));
1703 for_each_possible_cpu(cpu) {
1704 cpu_stats = per_cpu_ptr(stats, cpu);
1705 do {
1706 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1707 pkts = cpu_stats->pkts;
1708 bytes = cpu_stats->bytes;
1709 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1710 total.pkts += pkts;
1711 total.bytes += bytes;
1712 }
1713 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1714 if (nest == NULL)
1715 goto nla_put_failure;
1716
1717 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1718 NFTA_COUNTER_PAD) ||
1719 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1720 NFTA_COUNTER_PAD))
1721 goto nla_put_failure;
1722
1723 nla_nest_end(skb, nest);
1724 return 0;
1725
1726 nla_put_failure:
1727 return -ENOSPC;
1728 }
1729
1730 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1731 const struct nft_base_chain *basechain,
1732 const struct list_head *hook_list)
1733 {
1734 const struct nf_hook_ops *ops = &basechain->ops;
1735 struct nft_hook *hook, *first = NULL;
1736 struct nlattr *nest, *nest_devs;
1737 int n = 0;
1738
1739 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1740 if (nest == NULL)
1741 goto nla_put_failure;
1742 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1743 goto nla_put_failure;
1744 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1745 goto nla_put_failure;
1746
1747 if (nft_base_chain_netdev(family, ops->hooknum)) {
1748 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1749 if (!nest_devs)
1750 goto nla_put_failure;
1751
1752 if (!hook_list)
1753 hook_list = &basechain->hook_list;
1754
1755 list_for_each_entry(hook, hook_list, list) {
1756 if (!first)
1757 first = hook;
1758
1759 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1760 hook->ops.dev->name))
1761 goto nla_put_failure;
1762 n++;
1763 }
1764 nla_nest_end(skb, nest_devs);
1765
1766 if (n == 1 &&
1767 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1768 goto nla_put_failure;
1769 }
1770 nla_nest_end(skb, nest);
1771
1772 return 0;
1773 nla_put_failure:
1774 return -1;
1775 }
1776
1777 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1778 u32 portid, u32 seq, int event, u32 flags,
1779 int family, const struct nft_table *table,
1780 const struct nft_chain *chain,
1781 const struct list_head *hook_list)
1782 {
1783 struct nlmsghdr *nlh;
1784
1785 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1786 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1787 NFNETLINK_V0, nft_base_seq(net));
1788 if (!nlh)
1789 goto nla_put_failure;
1790
1791 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
1792 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
1793 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1794 NFTA_CHAIN_PAD))
1795 goto nla_put_failure;
1796
1797 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1798 nlmsg_end(skb, nlh);
1799 return 0;
1800 }
1801
1802 if (nft_is_base_chain(chain)) {
1803 const struct nft_base_chain *basechain = nft_base_chain(chain);
1804 struct nft_stats __percpu *stats;
1805
1806 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1807 goto nla_put_failure;
1808
1809 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1810 htonl(basechain->policy)))
1811 goto nla_put_failure;
1812
1813 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1814 goto nla_put_failure;
1815
1816 stats = rcu_dereference_check(basechain->stats,
1817 lockdep_commit_lock_is_held(net));
1818 if (nft_dump_stats(skb, stats))
1819 goto nla_put_failure;
1820 }
1821
1822 if (chain->flags &&
1823 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1824 goto nla_put_failure;
1825
1826 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1827 goto nla_put_failure;
1828
1829 if (chain->udata &&
1830 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1831 goto nla_put_failure;
1832
1833 nlmsg_end(skb, nlh);
1834 return 0;
1835
1836 nla_put_failure:
1837 nlmsg_trim(skb, nlh);
1838 return -1;
1839 }
1840
1841 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1842 const struct list_head *hook_list)
1843 {
1844 struct nftables_pernet *nft_net;
1845 struct sk_buff *skb;
1846 u16 flags = 0;
1847 int err;
1848
1849 if (!ctx->report &&
1850 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1851 return;
1852
1853 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1854 if (skb == NULL)
1855 goto err;
1856
1857 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1858 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1859
1860 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1861 event, flags, ctx->family, ctx->table,
1862 ctx->chain, hook_list);
1863 if (err < 0) {
1864 kfree_skb(skb);
1865 goto err;
1866 }
1867
1868 nft_net = nft_pernet(ctx->net);
1869 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1870 return;
1871 err:
1872 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1873 }
1874
1875 static int nf_tables_dump_chains(struct sk_buff *skb,
1876 struct netlink_callback *cb)
1877 {
1878 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1879 unsigned int idx = 0, s_idx = cb->args[0];
1880 struct net *net = sock_net(skb->sk);
1881 int family = nfmsg->nfgen_family;
1882 struct nftables_pernet *nft_net;
1883 const struct nft_table *table;
1884 const struct nft_chain *chain;
1885
1886 rcu_read_lock();
1887 nft_net = nft_pernet(net);
1888 cb->seq = READ_ONCE(nft_net->base_seq);
1889
1890 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1891 if (family != NFPROTO_UNSPEC && family != table->family)
1892 continue;
1893
1894 list_for_each_entry_rcu(chain, &table->chains, list) {
1895 if (idx < s_idx)
1896 goto cont;
1897 if (idx > s_idx)
1898 memset(&cb->args[1], 0,
1899 sizeof(cb->args) - sizeof(cb->args[0]));
1900 if (!nft_is_active(net, chain))
1901 continue;
1902 if (nf_tables_fill_chain_info(skb, net,
1903 NETLINK_CB(cb->skb).portid,
1904 cb->nlh->nlmsg_seq,
1905 NFT_MSG_NEWCHAIN,
1906 NLM_F_MULTI,
1907 table->family, table,
1908 chain, NULL) < 0)
1909 goto done;
1910
1911 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1912 cont:
1913 idx++;
1914 }
1915 }
1916 done:
1917 rcu_read_unlock();
1918 cb->args[0] = idx;
1919 return skb->len;
1920 }
1921
1922 /* called with rcu_read_lock held */
1923 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1924 const struct nlattr * const nla[])
1925 {
1926 struct netlink_ext_ack *extack = info->extack;
1927 u8 genmask = nft_genmask_cur(info->net);
1928 u8 family = info->nfmsg->nfgen_family;
1929 const struct nft_chain *chain;
1930 struct net *net = info->net;
1931 struct nft_table *table;
1932 struct sk_buff *skb2;
1933 int err;
1934
1935 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1936 struct netlink_dump_control c = {
1937 .dump = nf_tables_dump_chains,
1938 .module = THIS_MODULE,
1939 };
1940
1941 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1942 }
1943
1944 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1945 if (IS_ERR(table)) {
1946 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1947 return PTR_ERR(table);
1948 }
1949
1950 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1951 if (IS_ERR(chain)) {
1952 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1953 return PTR_ERR(chain);
1954 }
1955
1956 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1957 if (!skb2)
1958 return -ENOMEM;
1959
1960 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1961 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
1962 0, family, table, chain, NULL);
1963 if (err < 0)
1964 goto err_fill_chain_info;
1965
1966 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1967
1968 err_fill_chain_info:
1969 kfree_skb(skb2);
1970 return err;
1971 }
1972
1973 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1974 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1975 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1976 };
1977
1978 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1979 {
1980 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1981 struct nft_stats __percpu *newstats;
1982 struct nft_stats *stats;
1983 int err;
1984
1985 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1986 nft_counter_policy, NULL);
1987 if (err < 0)
1988 return ERR_PTR(err);
1989
1990 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1991 return ERR_PTR(-EINVAL);
1992
1993 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1994 if (newstats == NULL)
1995 return ERR_PTR(-ENOMEM);
1996
1997 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1998 * are not exposed to userspace.
1999 */
2000 preempt_disable();
2001 stats = this_cpu_ptr(newstats);
2002 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2003 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2004 preempt_enable();
2005
2006 return newstats;
2007 }
2008
2009 static void nft_chain_stats_replace(struct nft_trans *trans)
2010 {
2011 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
2012
2013 if (!nft_trans_chain_stats(trans))
2014 return;
2015
2016 nft_trans_chain_stats(trans) =
2017 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
2018 lockdep_commit_lock_is_held(trans->ctx.net));
2019
2020 if (!nft_trans_chain_stats(trans))
2021 static_branch_inc(&nft_counters_enabled);
2022 }
2023
2024 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2025 {
2026 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2027 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2028
2029 if (g0 != g1)
2030 kvfree(g1);
2031 kvfree(g0);
2032
2033 /* should be NULL either via abort or via successful commit */
2034 WARN_ON_ONCE(chain->blob_next);
2035 kvfree(chain->blob_next);
2036 }
2037
2038 void nf_tables_chain_destroy(struct nft_ctx *ctx)
2039 {
2040 struct nft_chain *chain = ctx->chain;
2041 struct nft_hook *hook, *next;
2042
2043 if (WARN_ON(chain->use > 0))
2044 return;
2045
2046 /* no concurrent access possible anymore */
2047 nf_tables_chain_free_chain_rules(chain);
2048
2049 if (nft_is_base_chain(chain)) {
2050 struct nft_base_chain *basechain = nft_base_chain(chain);
2051
2052 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2053 list_for_each_entry_safe(hook, next,
2054 &basechain->hook_list, list) {
2055 list_del_rcu(&hook->list);
2056 kfree_rcu(hook, rcu);
2057 }
2058 }
2059 module_put(basechain->type->owner);
2060 if (rcu_access_pointer(basechain->stats)) {
2061 static_branch_dec(&nft_counters_enabled);
2062 free_percpu(rcu_dereference_raw(basechain->stats));
2063 }
2064 kfree(chain->name);
2065 kfree(chain->udata);
2066 kfree(basechain);
2067 } else {
2068 kfree(chain->name);
2069 kfree(chain->udata);
2070 kfree(chain);
2071 }
2072 }
2073
2074 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2075 const struct nlattr *attr)
2076 {
2077 struct net_device *dev;
2078 char ifname[IFNAMSIZ];
2079 struct nft_hook *hook;
2080 int err;
2081
2082 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2083 if (!hook) {
2084 err = -ENOMEM;
2085 goto err_hook_alloc;
2086 }
2087
2088 nla_strscpy(ifname, attr, IFNAMSIZ);
2089 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2090 * indirectly serializing all the other holders of the commit_mutex with
2091 * the rtnl_mutex.
2092 */
2093 dev = __dev_get_by_name(net, ifname);
2094 if (!dev) {
2095 err = -ENOENT;
2096 goto err_hook_dev;
2097 }
2098 hook->ops.dev = dev;
2099
2100 return hook;
2101
2102 err_hook_dev:
2103 kfree(hook);
2104 err_hook_alloc:
2105 return ERR_PTR(err);
2106 }
2107
2108 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2109 const struct nft_hook *this)
2110 {
2111 struct nft_hook *hook;
2112
2113 list_for_each_entry(hook, hook_list, list) {
2114 if (this->ops.dev == hook->ops.dev)
2115 return hook;
2116 }
2117
2118 return NULL;
2119 }
2120
2121 static int nf_tables_parse_netdev_hooks(struct net *net,
2122 const struct nlattr *attr,
2123 struct list_head *hook_list,
2124 struct netlink_ext_ack *extack)
2125 {
2126 struct nft_hook *hook, *next;
2127 const struct nlattr *tmp;
2128 int rem, n = 0, err;
2129
2130 nla_for_each_nested(tmp, attr, rem) {
2131 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
2132 err = -EINVAL;
2133 goto err_hook;
2134 }
2135
2136 hook = nft_netdev_hook_alloc(net, tmp);
2137 if (IS_ERR(hook)) {
2138 NL_SET_BAD_ATTR(extack, tmp);
2139 err = PTR_ERR(hook);
2140 goto err_hook;
2141 }
2142 if (nft_hook_list_find(hook_list, hook)) {
2143 NL_SET_BAD_ATTR(extack, tmp);
2144 kfree(hook);
2145 err = -EEXIST;
2146 goto err_hook;
2147 }
2148 list_add_tail(&hook->list, hook_list);
2149 n++;
2150
2151 if (n == NFT_NETDEVICE_MAX) {
2152 err = -EFBIG;
2153 goto err_hook;
2154 }
2155 }
2156
2157 return 0;
2158
2159 err_hook:
2160 list_for_each_entry_safe(hook, next, hook_list, list) {
2161 list_del(&hook->list);
2162 kfree(hook);
2163 }
2164 return err;
2165 }
2166
2167 struct nft_chain_hook {
2168 u32 num;
2169 s32 priority;
2170 const struct nft_chain_type *type;
2171 struct list_head list;
2172 };
2173
2174 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2175 struct list_head *hook_list,
2176 struct netlink_ext_ack *extack, u32 flags)
2177 {
2178 struct nft_hook *hook;
2179 int err;
2180
2181 if (tb[NFTA_HOOK_DEV]) {
2182 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2183 if (IS_ERR(hook)) {
2184 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2185 return PTR_ERR(hook);
2186 }
2187
2188 list_add_tail(&hook->list, hook_list);
2189 } else if (tb[NFTA_HOOK_DEVS]) {
2190 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2191 hook_list, extack);
2192 if (err < 0)
2193 return err;
2194
2195 }
2196
2197 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2198 list_empty(hook_list))
2199 return -EINVAL;
2200
2201 return 0;
2202 }
2203
2204 static int nft_chain_parse_hook(struct net *net,
2205 struct nft_base_chain *basechain,
2206 const struct nlattr * const nla[],
2207 struct nft_chain_hook *hook, u8 family,
2208 u32 flags, struct netlink_ext_ack *extack)
2209 {
2210 struct nftables_pernet *nft_net = nft_pernet(net);
2211 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2212 const struct nft_chain_type *type;
2213 int err;
2214
2215 lockdep_assert_held(&nft_net->commit_mutex);
2216 lockdep_nfnl_nft_mutex_not_held();
2217
2218 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2219 nla[NFTA_CHAIN_HOOK],
2220 nft_hook_policy, NULL);
2221 if (err < 0)
2222 return err;
2223
2224 if (!basechain) {
2225 if (!ha[NFTA_HOOK_HOOKNUM] ||
2226 !ha[NFTA_HOOK_PRIORITY]) {
2227 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2228 return -ENOENT;
2229 }
2230
2231 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2232 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2233
2234 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2235 if (!type)
2236 return -EOPNOTSUPP;
2237
2238 if (nla[NFTA_CHAIN_TYPE]) {
2239 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2240 family, true);
2241 if (IS_ERR(type)) {
2242 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2243 return PTR_ERR(type);
2244 }
2245 }
2246 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2247 return -EOPNOTSUPP;
2248
2249 if (type->type == NFT_CHAIN_T_NAT &&
2250 hook->priority <= NF_IP_PRI_CONNTRACK)
2251 return -EOPNOTSUPP;
2252 } else {
2253 if (ha[NFTA_HOOK_HOOKNUM]) {
2254 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2255 if (hook->num != basechain->ops.hooknum)
2256 return -EOPNOTSUPP;
2257 }
2258 if (ha[NFTA_HOOK_PRIORITY]) {
2259 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2260 if (hook->priority != basechain->ops.priority)
2261 return -EOPNOTSUPP;
2262 }
2263
2264 type = basechain->type;
2265 }
2266
2267 if (!try_module_get(type->owner)) {
2268 if (nla[NFTA_CHAIN_TYPE])
2269 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2270 return -ENOENT;
2271 }
2272
2273 hook->type = type;
2274
2275 INIT_LIST_HEAD(&hook->list);
2276 if (nft_base_chain_netdev(family, hook->num)) {
2277 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2278 if (err < 0) {
2279 module_put(type->owner);
2280 return err;
2281 }
2282 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2283 module_put(type->owner);
2284 return -EOPNOTSUPP;
2285 }
2286
2287 return 0;
2288 }
2289
2290 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2291 {
2292 struct nft_hook *h, *next;
2293
2294 list_for_each_entry_safe(h, next, &hook->list, list) {
2295 list_del(&h->list);
2296 kfree(h);
2297 }
2298 module_put(hook->type->owner);
2299 }
2300
2301 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2302 {
2303 struct nft_rule_dp_last *lrule;
2304
2305 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2306
2307 lrule = (struct nft_rule_dp_last *)ptr;
2308 lrule->end.is_last = 1;
2309 lrule->chain = chain;
2310 /* blob size does not include the trailer rule */
2311 }
2312
2313 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2314 unsigned int size)
2315 {
2316 struct nft_rule_blob *blob;
2317
2318 if (size > INT_MAX)
2319 return NULL;
2320
2321 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2322
2323 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2324 if (!blob)
2325 return NULL;
2326
2327 blob->size = 0;
2328 nft_last_rule(chain, blob->data);
2329
2330 return blob;
2331 }
2332
2333 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2334 const struct nft_chain_hook *hook,
2335 struct nft_chain *chain)
2336 {
2337 ops->pf = family;
2338 ops->hooknum = hook->num;
2339 ops->priority = hook->priority;
2340 ops->priv = chain;
2341 ops->hook = hook->type->hooks[ops->hooknum];
2342 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2343 }
2344
2345 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2346 struct nft_chain_hook *hook, u32 flags)
2347 {
2348 struct nft_chain *chain;
2349 struct nft_hook *h;
2350
2351 basechain->type = hook->type;
2352 INIT_LIST_HEAD(&basechain->hook_list);
2353 chain = &basechain->chain;
2354
2355 if (nft_base_chain_netdev(family, hook->num)) {
2356 list_splice_init(&hook->list, &basechain->hook_list);
2357 list_for_each_entry(h, &basechain->hook_list, list)
2358 nft_basechain_hook_init(&h->ops, family, hook, chain);
2359 }
2360 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2361
2362 chain->flags |= NFT_CHAIN_BASE | flags;
2363 basechain->policy = NF_ACCEPT;
2364 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2365 !nft_chain_offload_support(basechain)) {
2366 list_splice_init(&basechain->hook_list, &hook->list);
2367 return -EOPNOTSUPP;
2368 }
2369
2370 flow_block_init(&basechain->flow_block);
2371
2372 return 0;
2373 }
2374
2375 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2376 {
2377 int err;
2378
2379 err = rhltable_insert_key(&table->chains_ht, chain->name,
2380 &chain->rhlhead, nft_chain_ht_params);
2381 if (err)
2382 return err;
2383
2384 list_add_tail_rcu(&chain->list, &table->chains);
2385
2386 return 0;
2387 }
2388
2389 static u64 chain_id;
2390
2391 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2392 u8 policy, u32 flags,
2393 struct netlink_ext_ack *extack)
2394 {
2395 const struct nlattr * const *nla = ctx->nla;
2396 struct nft_table *table = ctx->table;
2397 struct nft_base_chain *basechain;
2398 struct net *net = ctx->net;
2399 char name[NFT_NAME_MAXLEN];
2400 struct nft_rule_blob *blob;
2401 struct nft_trans *trans;
2402 struct nft_chain *chain;
2403 int err;
2404
2405 if (nla[NFTA_CHAIN_HOOK]) {
2406 struct nft_stats __percpu *stats = NULL;
2407 struct nft_chain_hook hook = {};
2408
2409 if (flags & NFT_CHAIN_BINDING)
2410 return -EOPNOTSUPP;
2411
2412 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2413 extack);
2414 if (err < 0)
2415 return err;
2416
2417 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2418 if (basechain == NULL) {
2419 nft_chain_release_hook(&hook);
2420 return -ENOMEM;
2421 }
2422 chain = &basechain->chain;
2423
2424 if (nla[NFTA_CHAIN_COUNTERS]) {
2425 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2426 if (IS_ERR(stats)) {
2427 nft_chain_release_hook(&hook);
2428 kfree(basechain);
2429 return PTR_ERR(stats);
2430 }
2431 rcu_assign_pointer(basechain->stats, stats);
2432 }
2433
2434 err = nft_basechain_init(basechain, family, &hook, flags);
2435 if (err < 0) {
2436 nft_chain_release_hook(&hook);
2437 kfree(basechain);
2438 free_percpu(stats);
2439 return err;
2440 }
2441 if (stats)
2442 static_branch_inc(&nft_counters_enabled);
2443 } else {
2444 if (flags & NFT_CHAIN_BASE)
2445 return -EINVAL;
2446 if (flags & NFT_CHAIN_HW_OFFLOAD)
2447 return -EOPNOTSUPP;
2448
2449 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2450 if (chain == NULL)
2451 return -ENOMEM;
2452
2453 chain->flags = flags;
2454 }
2455 ctx->chain = chain;
2456
2457 INIT_LIST_HEAD(&chain->rules);
2458 chain->handle = nf_tables_alloc_handle(table);
2459 chain->table = table;
2460
2461 if (nla[NFTA_CHAIN_NAME]) {
2462 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2463 } else {
2464 if (!(flags & NFT_CHAIN_BINDING)) {
2465 err = -EINVAL;
2466 goto err_destroy_chain;
2467 }
2468
2469 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2470 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2471 }
2472
2473 if (!chain->name) {
2474 err = -ENOMEM;
2475 goto err_destroy_chain;
2476 }
2477
2478 if (nla[NFTA_CHAIN_USERDATA]) {
2479 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2480 if (chain->udata == NULL) {
2481 err = -ENOMEM;
2482 goto err_destroy_chain;
2483 }
2484 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2485 }
2486
2487 blob = nf_tables_chain_alloc_rules(chain, 0);
2488 if (!blob) {
2489 err = -ENOMEM;
2490 goto err_destroy_chain;
2491 }
2492
2493 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2494 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2495
2496 err = nf_tables_register_hook(net, table, chain);
2497 if (err < 0)
2498 goto err_destroy_chain;
2499
2500 if (!nft_use_inc(&table->use)) {
2501 err = -EMFILE;
2502 goto err_use;
2503 }
2504
2505 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2506 if (IS_ERR(trans)) {
2507 err = PTR_ERR(trans);
2508 goto err_unregister_hook;
2509 }
2510
2511 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2512 if (nft_is_base_chain(chain))
2513 nft_trans_chain_policy(trans) = policy;
2514
2515 err = nft_chain_add(table, chain);
2516 if (err < 0) {
2517 nft_trans_destroy(trans);
2518 goto err_unregister_hook;
2519 }
2520
2521 return 0;
2522
2523 err_unregister_hook:
2524 nft_use_dec_restore(&table->use);
2525 err_use:
2526 nf_tables_unregister_hook(net, table, chain);
2527 err_destroy_chain:
2528 nf_tables_chain_destroy(ctx);
2529
2530 return err;
2531 }
2532
2533 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2534 u32 flags, const struct nlattr *attr,
2535 struct netlink_ext_ack *extack)
2536 {
2537 const struct nlattr * const *nla = ctx->nla;
2538 struct nft_base_chain *basechain = NULL;
2539 struct nft_table *table = ctx->table;
2540 struct nft_chain *chain = ctx->chain;
2541 struct nft_chain_hook hook = {};
2542 struct nft_stats *stats = NULL;
2543 struct nft_hook *h, *next;
2544 struct nf_hook_ops *ops;
2545 struct nft_trans *trans;
2546 bool unregister = false;
2547 int err;
2548
2549 if (chain->flags ^ flags)
2550 return -EOPNOTSUPP;
2551
2552 INIT_LIST_HEAD(&hook.list);
2553
2554 if (nla[NFTA_CHAIN_HOOK]) {
2555 if (!nft_is_base_chain(chain)) {
2556 NL_SET_BAD_ATTR(extack, attr);
2557 return -EEXIST;
2558 }
2559
2560 basechain = nft_base_chain(chain);
2561 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2562 ctx->family, flags, extack);
2563 if (err < 0)
2564 return err;
2565
2566 if (basechain->type != hook.type) {
2567 nft_chain_release_hook(&hook);
2568 NL_SET_BAD_ATTR(extack, attr);
2569 return -EEXIST;
2570 }
2571
2572 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2573 list_for_each_entry_safe(h, next, &hook.list, list) {
2574 h->ops.pf = basechain->ops.pf;
2575 h->ops.hooknum = basechain->ops.hooknum;
2576 h->ops.priority = basechain->ops.priority;
2577 h->ops.priv = basechain->ops.priv;
2578 h->ops.hook = basechain->ops.hook;
2579
2580 if (nft_hook_list_find(&basechain->hook_list, h)) {
2581 list_del(&h->list);
2582 kfree(h);
2583 }
2584 }
2585 } else {
2586 ops = &basechain->ops;
2587 if (ops->hooknum != hook.num ||
2588 ops->priority != hook.priority) {
2589 nft_chain_release_hook(&hook);
2590 NL_SET_BAD_ATTR(extack, attr);
2591 return -EEXIST;
2592 }
2593 }
2594 }
2595
2596 if (nla[NFTA_CHAIN_HANDLE] &&
2597 nla[NFTA_CHAIN_NAME]) {
2598 struct nft_chain *chain2;
2599
2600 chain2 = nft_chain_lookup(ctx->net, table,
2601 nla[NFTA_CHAIN_NAME], genmask);
2602 if (!IS_ERR(chain2)) {
2603 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2604 err = -EEXIST;
2605 goto err_hooks;
2606 }
2607 }
2608
2609 if (nla[NFTA_CHAIN_COUNTERS]) {
2610 if (!nft_is_base_chain(chain)) {
2611 err = -EOPNOTSUPP;
2612 goto err_hooks;
2613 }
2614
2615 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2616 if (IS_ERR(stats)) {
2617 err = PTR_ERR(stats);
2618 goto err_hooks;
2619 }
2620 }
2621
2622 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2623 nft_is_base_chain(chain) &&
2624 !list_empty(&hook.list)) {
2625 basechain = nft_base_chain(chain);
2626 ops = &basechain->ops;
2627
2628 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2629 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2630 if (err < 0)
2631 goto err_hooks;
2632 }
2633 }
2634
2635 unregister = true;
2636 err = -ENOMEM;
2637 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2638 sizeof(struct nft_trans_chain));
2639 if (trans == NULL)
2640 goto err_trans;
2641
2642 nft_trans_chain_stats(trans) = stats;
2643 nft_trans_chain_update(trans) = true;
2644
2645 if (nla[NFTA_CHAIN_POLICY])
2646 nft_trans_chain_policy(trans) = policy;
2647 else
2648 nft_trans_chain_policy(trans) = -1;
2649
2650 if (nla[NFTA_CHAIN_HANDLE] &&
2651 nla[NFTA_CHAIN_NAME]) {
2652 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2653 struct nft_trans *tmp;
2654 char *name;
2655
2656 err = -ENOMEM;
2657 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2658 if (!name)
2659 goto err_trans;
2660
2661 err = -EEXIST;
2662 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2663 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2664 tmp->ctx.table == table &&
2665 nft_trans_chain_update(tmp) &&
2666 nft_trans_chain_name(tmp) &&
2667 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2668 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2669 kfree(name);
2670 goto err_trans;
2671 }
2672 }
2673
2674 nft_trans_chain_name(trans) = name;
2675 }
2676
2677 nft_trans_basechain(trans) = basechain;
2678 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2679 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2680 if (nla[NFTA_CHAIN_HOOK])
2681 module_put(hook.type->owner);
2682
2683 nft_trans_commit_list_add_tail(ctx->net, trans);
2684
2685 return 0;
2686
2687 err_trans:
2688 free_percpu(stats);
2689 kfree(trans);
2690 err_hooks:
2691 if (nla[NFTA_CHAIN_HOOK]) {
2692 list_for_each_entry_safe(h, next, &hook.list, list) {
2693 if (unregister)
2694 nf_unregister_net_hook(ctx->net, &h->ops);
2695 list_del(&h->list);
2696 kfree_rcu(h, rcu);
2697 }
2698 module_put(hook.type->owner);
2699 }
2700
2701 return err;
2702 }
2703
2704 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2705 const struct nft_table *table,
2706 const struct nlattr *nla, u8 genmask)
2707 {
2708 struct nftables_pernet *nft_net = nft_pernet(net);
2709 u32 id = ntohl(nla_get_be32(nla));
2710 struct nft_trans *trans;
2711
2712 list_for_each_entry(trans, &nft_net->commit_list, list) {
2713 struct nft_chain *chain = trans->ctx.chain;
2714
2715 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2716 chain->table == table &&
2717 id == nft_trans_chain_id(trans) &&
2718 nft_active_genmask(chain, genmask))
2719 return chain;
2720 }
2721 return ERR_PTR(-ENOENT);
2722 }
2723
2724 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2725 const struct nlattr * const nla[])
2726 {
2727 struct nftables_pernet *nft_net = nft_pernet(info->net);
2728 struct netlink_ext_ack *extack = info->extack;
2729 u8 genmask = nft_genmask_next(info->net);
2730 u8 family = info->nfmsg->nfgen_family;
2731 struct nft_chain *chain = NULL;
2732 struct net *net = info->net;
2733 const struct nlattr *attr;
2734 struct nft_table *table;
2735 u8 policy = NF_ACCEPT;
2736 struct nft_ctx ctx;
2737 u64 handle = 0;
2738 u32 flags = 0;
2739
2740 lockdep_assert_held(&nft_net->commit_mutex);
2741
2742 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2743 NETLINK_CB(skb).portid);
2744 if (IS_ERR(table)) {
2745 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2746 return PTR_ERR(table);
2747 }
2748
2749 chain = NULL;
2750 attr = nla[NFTA_CHAIN_NAME];
2751
2752 if (nla[NFTA_CHAIN_HANDLE]) {
2753 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2754 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2755 if (IS_ERR(chain)) {
2756 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2757 return PTR_ERR(chain);
2758 }
2759 attr = nla[NFTA_CHAIN_HANDLE];
2760 } else if (nla[NFTA_CHAIN_NAME]) {
2761 chain = nft_chain_lookup(net, table, attr, genmask);
2762 if (IS_ERR(chain)) {
2763 if (PTR_ERR(chain) != -ENOENT) {
2764 NL_SET_BAD_ATTR(extack, attr);
2765 return PTR_ERR(chain);
2766 }
2767 chain = NULL;
2768 }
2769 } else if (!nla[NFTA_CHAIN_ID]) {
2770 return -EINVAL;
2771 }
2772
2773 if (nla[NFTA_CHAIN_POLICY]) {
2774 if (chain != NULL &&
2775 !nft_is_base_chain(chain)) {
2776 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2777 return -EOPNOTSUPP;
2778 }
2779
2780 if (chain == NULL &&
2781 nla[NFTA_CHAIN_HOOK] == NULL) {
2782 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2783 return -EOPNOTSUPP;
2784 }
2785
2786 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2787 switch (policy) {
2788 case NF_DROP:
2789 case NF_ACCEPT:
2790 break;
2791 default:
2792 return -EINVAL;
2793 }
2794 }
2795
2796 if (nla[NFTA_CHAIN_FLAGS])
2797 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2798 else if (chain)
2799 flags = chain->flags;
2800
2801 if (flags & ~NFT_CHAIN_FLAGS)
2802 return -EOPNOTSUPP;
2803
2804 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2805
2806 if (chain != NULL) {
2807 if (chain->flags & NFT_CHAIN_BINDING)
2808 return -EINVAL;
2809
2810 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2811 NL_SET_BAD_ATTR(extack, attr);
2812 return -EEXIST;
2813 }
2814 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2815 return -EOPNOTSUPP;
2816
2817 flags |= chain->flags & NFT_CHAIN_BASE;
2818 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2819 extack);
2820 }
2821
2822 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2823 }
2824
2825 static int nft_delchain_hook(struct nft_ctx *ctx,
2826 struct nft_base_chain *basechain,
2827 struct netlink_ext_ack *extack)
2828 {
2829 const struct nft_chain *chain = &basechain->chain;
2830 const struct nlattr * const *nla = ctx->nla;
2831 struct nft_chain_hook chain_hook = {};
2832 struct nft_hook *this, *hook;
2833 LIST_HEAD(chain_del_list);
2834 struct nft_trans *trans;
2835 int err;
2836
2837 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
2838 ctx->family, chain->flags, extack);
2839 if (err < 0)
2840 return err;
2841
2842 list_for_each_entry(this, &chain_hook.list, list) {
2843 hook = nft_hook_list_find(&basechain->hook_list, this);
2844 if (!hook) {
2845 err = -ENOENT;
2846 goto err_chain_del_hook;
2847 }
2848 list_move(&hook->list, &chain_del_list);
2849 }
2850
2851 trans = nft_trans_alloc(ctx, NFT_MSG_DELCHAIN,
2852 sizeof(struct nft_trans_chain));
2853 if (!trans) {
2854 err = -ENOMEM;
2855 goto err_chain_del_hook;
2856 }
2857
2858 nft_trans_basechain(trans) = basechain;
2859 nft_trans_chain_update(trans) = true;
2860 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2861 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
2862 nft_chain_release_hook(&chain_hook);
2863
2864 nft_trans_commit_list_add_tail(ctx->net, trans);
2865
2866 return 0;
2867
2868 err_chain_del_hook:
2869 list_splice(&chain_del_list, &basechain->hook_list);
2870 nft_chain_release_hook(&chain_hook);
2871
2872 return err;
2873 }
2874
2875 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2876 const struct nlattr * const nla[])
2877 {
2878 struct netlink_ext_ack *extack = info->extack;
2879 u8 genmask = nft_genmask_next(info->net);
2880 u8 family = info->nfmsg->nfgen_family;
2881 struct net *net = info->net;
2882 const struct nlattr *attr;
2883 struct nft_table *table;
2884 struct nft_chain *chain;
2885 struct nft_rule *rule;
2886 struct nft_ctx ctx;
2887 u64 handle;
2888 u32 use;
2889 int err;
2890
2891 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2892 NETLINK_CB(skb).portid);
2893 if (IS_ERR(table)) {
2894 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2895 return PTR_ERR(table);
2896 }
2897
2898 if (nla[NFTA_CHAIN_HANDLE]) {
2899 attr = nla[NFTA_CHAIN_HANDLE];
2900 handle = be64_to_cpu(nla_get_be64(attr));
2901 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2902 } else {
2903 attr = nla[NFTA_CHAIN_NAME];
2904 chain = nft_chain_lookup(net, table, attr, genmask);
2905 }
2906 if (IS_ERR(chain)) {
2907 if (PTR_ERR(chain) == -ENOENT &&
2908 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
2909 return 0;
2910
2911 NL_SET_BAD_ATTR(extack, attr);
2912 return PTR_ERR(chain);
2913 }
2914
2915 if (nft_chain_binding(chain))
2916 return -EOPNOTSUPP;
2917
2918 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2919
2920 if (nla[NFTA_CHAIN_HOOK]) {
2921 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
2922 return -EOPNOTSUPP;
2923
2924 if (nft_is_base_chain(chain)) {
2925 struct nft_base_chain *basechain = nft_base_chain(chain);
2926
2927 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
2928 return nft_delchain_hook(&ctx, basechain, extack);
2929 }
2930 }
2931
2932 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
2933 chain->use > 0)
2934 return -EBUSY;
2935
2936 use = chain->use;
2937 list_for_each_entry(rule, &chain->rules, list) {
2938 if (!nft_is_active_next(net, rule))
2939 continue;
2940 use--;
2941
2942 err = nft_delrule(&ctx, rule);
2943 if (err < 0)
2944 return err;
2945 }
2946
2947 /* There are rules and elements that are still holding references to us,
2948 * we cannot do a recursive removal in this case.
2949 */
2950 if (use > 0) {
2951 NL_SET_BAD_ATTR(extack, attr);
2952 return -EBUSY;
2953 }
2954
2955 return nft_delchain(&ctx);
2956 }
2957
2958 /*
2959 * Expressions
2960 */
2961
2962 /**
2963 * nft_register_expr - register nf_tables expr type
2964 * @type: expr type
2965 *
2966 * Registers the expr type for use with nf_tables. Returns zero on
2967 * success or a negative errno code otherwise.
2968 */
2969 int nft_register_expr(struct nft_expr_type *type)
2970 {
2971 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2972 if (type->family == NFPROTO_UNSPEC)
2973 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2974 else
2975 list_add_rcu(&type->list, &nf_tables_expressions);
2976 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2977 return 0;
2978 }
2979 EXPORT_SYMBOL_GPL(nft_register_expr);
2980
2981 /**
2982 * nft_unregister_expr - unregister nf_tables expr type
2983 * @type: expr type
2984 *
2985 * Unregisters the expr typefor use with nf_tables.
2986 */
2987 void nft_unregister_expr(struct nft_expr_type *type)
2988 {
2989 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2990 list_del_rcu(&type->list);
2991 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2992 }
2993 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2994
2995 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2996 struct nlattr *nla)
2997 {
2998 const struct nft_expr_type *type, *candidate = NULL;
2999
3000 list_for_each_entry(type, &nf_tables_expressions, list) {
3001 if (!nla_strcmp(nla, type->name)) {
3002 if (!type->family && !candidate)
3003 candidate = type;
3004 else if (type->family == family)
3005 candidate = type;
3006 }
3007 }
3008 return candidate;
3009 }
3010
3011 #ifdef CONFIG_MODULES
3012 static int nft_expr_type_request_module(struct net *net, u8 family,
3013 struct nlattr *nla)
3014 {
3015 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3016 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3017 return -EAGAIN;
3018
3019 return 0;
3020 }
3021 #endif
3022
3023 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3024 u8 family,
3025 struct nlattr *nla)
3026 {
3027 const struct nft_expr_type *type;
3028
3029 if (nla == NULL)
3030 return ERR_PTR(-EINVAL);
3031
3032 type = __nft_expr_type_get(family, nla);
3033 if (type != NULL && try_module_get(type->owner))
3034 return type;
3035
3036 lockdep_nfnl_nft_mutex_not_held();
3037 #ifdef CONFIG_MODULES
3038 if (type == NULL) {
3039 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3040 return ERR_PTR(-EAGAIN);
3041
3042 if (nft_request_module(net, "nft-expr-%.*s",
3043 nla_len(nla),
3044 (char *)nla_data(nla)) == -EAGAIN)
3045 return ERR_PTR(-EAGAIN);
3046 }
3047 #endif
3048 return ERR_PTR(-ENOENT);
3049 }
3050
3051 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3052 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3053 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3054 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3055 };
3056
3057 static int nf_tables_fill_expr_info(struct sk_buff *skb,
3058 const struct nft_expr *expr, bool reset)
3059 {
3060 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
3061 goto nla_put_failure;
3062
3063 if (expr->ops->dump) {
3064 struct nlattr *data = nla_nest_start_noflag(skb,
3065 NFTA_EXPR_DATA);
3066 if (data == NULL)
3067 goto nla_put_failure;
3068 if (expr->ops->dump(skb, expr, reset) < 0)
3069 goto nla_put_failure;
3070 nla_nest_end(skb, data);
3071 }
3072
3073 return skb->len;
3074
3075 nla_put_failure:
3076 return -1;
3077 };
3078
3079 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3080 const struct nft_expr *expr, bool reset)
3081 {
3082 struct nlattr *nest;
3083
3084 nest = nla_nest_start_noflag(skb, attr);
3085 if (!nest)
3086 goto nla_put_failure;
3087 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3088 goto nla_put_failure;
3089 nla_nest_end(skb, nest);
3090 return 0;
3091
3092 nla_put_failure:
3093 return -1;
3094 }
3095
3096 struct nft_expr_info {
3097 const struct nft_expr_ops *ops;
3098 const struct nlattr *attr;
3099 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3100 };
3101
3102 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3103 const struct nlattr *nla,
3104 struct nft_expr_info *info)
3105 {
3106 const struct nft_expr_type *type;
3107 const struct nft_expr_ops *ops;
3108 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3109 int err;
3110
3111 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3112 nft_expr_policy, NULL);
3113 if (err < 0)
3114 return err;
3115
3116 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3117 if (IS_ERR(type))
3118 return PTR_ERR(type);
3119
3120 if (tb[NFTA_EXPR_DATA]) {
3121 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3122 tb[NFTA_EXPR_DATA],
3123 type->policy, NULL);
3124 if (err < 0)
3125 goto err1;
3126 } else
3127 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3128
3129 if (type->select_ops != NULL) {
3130 ops = type->select_ops(ctx,
3131 (const struct nlattr * const *)info->tb);
3132 if (IS_ERR(ops)) {
3133 err = PTR_ERR(ops);
3134 #ifdef CONFIG_MODULES
3135 if (err == -EAGAIN)
3136 if (nft_expr_type_request_module(ctx->net,
3137 ctx->family,
3138 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3139 err = -ENOENT;
3140 #endif
3141 goto err1;
3142 }
3143 } else
3144 ops = type->ops;
3145
3146 info->attr = nla;
3147 info->ops = ops;
3148
3149 return 0;
3150
3151 err1:
3152 module_put(type->owner);
3153 return err;
3154 }
3155
3156 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3157 struct nft_expr_info *info)
3158 {
3159 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3160 const struct nft_expr_type *type;
3161 int err;
3162
3163 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3164 nft_expr_policy, NULL);
3165 if (err < 0)
3166 return err;
3167
3168 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3169 return -EINVAL;
3170
3171 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3172 if (!type)
3173 return -ENOENT;
3174
3175 if (!type->inner_ops)
3176 return -EOPNOTSUPP;
3177
3178 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3179 tb[NFTA_EXPR_DATA],
3180 type->policy, NULL);
3181 if (err < 0)
3182 goto err_nla_parse;
3183
3184 info->attr = nla;
3185 info->ops = type->inner_ops;
3186
3187 return 0;
3188
3189 err_nla_parse:
3190 return err;
3191 }
3192
3193 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3194 const struct nft_expr_info *expr_info,
3195 struct nft_expr *expr)
3196 {
3197 const struct nft_expr_ops *ops = expr_info->ops;
3198 int err;
3199
3200 expr->ops = ops;
3201 if (ops->init) {
3202 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3203 if (err < 0)
3204 goto err1;
3205 }
3206
3207 return 0;
3208 err1:
3209 expr->ops = NULL;
3210 return err;
3211 }
3212
3213 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3214 struct nft_expr *expr)
3215 {
3216 const struct nft_expr_type *type = expr->ops->type;
3217
3218 if (expr->ops->destroy)
3219 expr->ops->destroy(ctx, expr);
3220 module_put(type->owner);
3221 }
3222
3223 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3224 const struct nlattr *nla)
3225 {
3226 struct nft_expr_info expr_info;
3227 struct nft_expr *expr;
3228 struct module *owner;
3229 int err;
3230
3231 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3232 if (err < 0)
3233 goto err_expr_parse;
3234
3235 err = -EOPNOTSUPP;
3236 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3237 goto err_expr_stateful;
3238
3239 err = -ENOMEM;
3240 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3241 if (expr == NULL)
3242 goto err_expr_stateful;
3243
3244 err = nf_tables_newexpr(ctx, &expr_info, expr);
3245 if (err < 0)
3246 goto err_expr_new;
3247
3248 return expr;
3249 err_expr_new:
3250 kfree(expr);
3251 err_expr_stateful:
3252 owner = expr_info.ops->type->owner;
3253 if (expr_info.ops->type->release_ops)
3254 expr_info.ops->type->release_ops(expr_info.ops);
3255
3256 module_put(owner);
3257 err_expr_parse:
3258 return ERR_PTR(err);
3259 }
3260
3261 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
3262 {
3263 int err;
3264
3265 if (src->ops->clone) {
3266 dst->ops = src->ops;
3267 err = src->ops->clone(dst, src);
3268 if (err < 0)
3269 return err;
3270 } else {
3271 memcpy(dst, src, src->ops->size);
3272 }
3273
3274 __module_get(src->ops->type->owner);
3275
3276 return 0;
3277 }
3278
3279 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3280 {
3281 nf_tables_expr_destroy(ctx, expr);
3282 kfree(expr);
3283 }
3284
3285 /*
3286 * Rules
3287 */
3288
3289 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
3290 u64 handle)
3291 {
3292 struct nft_rule *rule;
3293
3294 // FIXME: this sucks
3295 list_for_each_entry_rcu(rule, &chain->rules, list) {
3296 if (handle == rule->handle)
3297 return rule;
3298 }
3299
3300 return ERR_PTR(-ENOENT);
3301 }
3302
3303 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
3304 const struct nlattr *nla)
3305 {
3306 if (nla == NULL)
3307 return ERR_PTR(-EINVAL);
3308
3309 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
3310 }
3311
3312 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3313 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3314 .len = NFT_TABLE_MAXNAMELEN - 1 },
3315 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3316 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3317 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3318 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
3319 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3320 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3321 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3322 .len = NFT_USERDATA_MAXLEN },
3323 [NFTA_RULE_ID] = { .type = NLA_U32 },
3324 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3325 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3326 };
3327
3328 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3329 u32 portid, u32 seq, int event,
3330 u32 flags, int family,
3331 const struct nft_table *table,
3332 const struct nft_chain *chain,
3333 const struct nft_rule *rule, u64 handle,
3334 bool reset)
3335 {
3336 struct nlmsghdr *nlh;
3337 const struct nft_expr *expr, *next;
3338 struct nlattr *list;
3339 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3340
3341 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3342 nft_base_seq(net));
3343 if (!nlh)
3344 goto nla_put_failure;
3345
3346 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3347 goto nla_put_failure;
3348 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3349 goto nla_put_failure;
3350 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3351 NFTA_RULE_PAD))
3352 goto nla_put_failure;
3353
3354 if (event != NFT_MSG_DELRULE && handle) {
3355 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3356 NFTA_RULE_PAD))
3357 goto nla_put_failure;
3358 }
3359
3360 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3361 nft_flow_rule_stats(chain, rule);
3362
3363 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3364 if (list == NULL)
3365 goto nla_put_failure;
3366 nft_rule_for_each_expr(expr, next, rule) {
3367 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3368 goto nla_put_failure;
3369 }
3370 nla_nest_end(skb, list);
3371
3372 if (rule->udata) {
3373 struct nft_userdata *udata = nft_userdata(rule);
3374 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3375 udata->data) < 0)
3376 goto nla_put_failure;
3377 }
3378
3379 nlmsg_end(skb, nlh);
3380 return 0;
3381
3382 nla_put_failure:
3383 nlmsg_trim(skb, nlh);
3384 return -1;
3385 }
3386
3387 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3388 const struct nft_rule *rule, int event)
3389 {
3390 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3391 const struct nft_rule *prule;
3392 struct sk_buff *skb;
3393 u64 handle = 0;
3394 u16 flags = 0;
3395 int err;
3396
3397 if (!ctx->report &&
3398 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3399 return;
3400
3401 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3402 if (skb == NULL)
3403 goto err;
3404
3405 if (event == NFT_MSG_NEWRULE &&
3406 !list_is_first(&rule->list, &ctx->chain->rules) &&
3407 !list_is_last(&rule->list, &ctx->chain->rules)) {
3408 prule = list_prev_entry(rule, list);
3409 handle = prule->handle;
3410 }
3411 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3412 flags |= NLM_F_APPEND;
3413 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3414 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3415
3416 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3417 event, flags, ctx->family, ctx->table,
3418 ctx->chain, rule, handle, false);
3419 if (err < 0) {
3420 kfree_skb(skb);
3421 goto err;
3422 }
3423
3424 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3425 return;
3426 err:
3427 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3428 }
3429
3430 static void audit_log_rule_reset(const struct nft_table *table,
3431 unsigned int base_seq,
3432 unsigned int nentries)
3433 {
3434 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
3435 table->name, base_seq);
3436
3437 audit_log_nfcfg(buf, table->family, nentries,
3438 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3439 kfree(buf);
3440 }
3441
3442 struct nft_rule_dump_ctx {
3443 unsigned int s_idx;
3444 char *table;
3445 char *chain;
3446 bool reset;
3447 };
3448
3449 static int __nf_tables_dump_rules(struct sk_buff *skb,
3450 unsigned int *idx,
3451 struct netlink_callback *cb,
3452 const struct nft_table *table,
3453 const struct nft_chain *chain)
3454 {
3455 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3456 struct net *net = sock_net(skb->sk);
3457 const struct nft_rule *rule, *prule;
3458 unsigned int entries = 0;
3459 int ret = 0;
3460 u64 handle;
3461
3462 prule = NULL;
3463 list_for_each_entry_rcu(rule, &chain->rules, list) {
3464 if (!nft_is_active(net, rule))
3465 goto cont_skip;
3466 if (*idx < ctx->s_idx)
3467 goto cont;
3468 if (prule)
3469 handle = prule->handle;
3470 else
3471 handle = 0;
3472
3473 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3474 cb->nlh->nlmsg_seq,
3475 NFT_MSG_NEWRULE,
3476 NLM_F_MULTI | NLM_F_APPEND,
3477 table->family,
3478 table, chain, rule, handle, ctx->reset) < 0) {
3479 ret = 1;
3480 break;
3481 }
3482 entries++;
3483 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3484 cont:
3485 prule = rule;
3486 cont_skip:
3487 (*idx)++;
3488 }
3489
3490 if (ctx->reset && entries)
3491 audit_log_rule_reset(table, cb->seq, entries);
3492
3493 return ret;
3494 }
3495
3496 static int nf_tables_dump_rules(struct sk_buff *skb,
3497 struct netlink_callback *cb)
3498 {
3499 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3500 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3501 struct nft_table *table;
3502 const struct nft_chain *chain;
3503 unsigned int idx = 0;
3504 struct net *net = sock_net(skb->sk);
3505 int family = nfmsg->nfgen_family;
3506 struct nftables_pernet *nft_net;
3507
3508 rcu_read_lock();
3509 nft_net = nft_pernet(net);
3510 cb->seq = READ_ONCE(nft_net->base_seq);
3511
3512 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3513 if (family != NFPROTO_UNSPEC && family != table->family)
3514 continue;
3515
3516 if (ctx->table && strcmp(ctx->table, table->name) != 0)
3517 continue;
3518
3519 if (ctx->table && ctx->chain) {
3520 struct rhlist_head *list, *tmp;
3521
3522 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3523 nft_chain_ht_params);
3524 if (!list)
3525 goto done;
3526
3527 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3528 if (!nft_is_active(net, chain))
3529 continue;
3530 __nf_tables_dump_rules(skb, &idx,
3531 cb, table, chain);
3532 break;
3533 }
3534 goto done;
3535 }
3536
3537 list_for_each_entry_rcu(chain, &table->chains, list) {
3538 if (__nf_tables_dump_rules(skb, &idx,
3539 cb, table, chain))
3540 goto done;
3541 }
3542
3543 if (ctx->table)
3544 break;
3545 }
3546 done:
3547 rcu_read_unlock();
3548
3549 ctx->s_idx = idx;
3550 return skb->len;
3551 }
3552
3553 static int nf_tables_dumpreset_rules(struct sk_buff *skb,
3554 struct netlink_callback *cb)
3555 {
3556 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
3557 int ret;
3558
3559 /* Mutex is held is to prevent that two concurrent dump-and-reset calls
3560 * do not underrun counters and quotas. The commit_mutex is used for
3561 * the lack a better lock, this is not transaction path.
3562 */
3563 mutex_lock(&nft_net->commit_mutex);
3564 ret = nf_tables_dump_rules(skb, cb);
3565 mutex_unlock(&nft_net->commit_mutex);
3566
3567 return ret;
3568 }
3569
3570 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3571 {
3572 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3573 const struct nlattr * const *nla = cb->data;
3574
3575 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
3576
3577 if (nla[NFTA_RULE_TABLE]) {
3578 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC);
3579 if (!ctx->table)
3580 return -ENOMEM;
3581 }
3582 if (nla[NFTA_RULE_CHAIN]) {
3583 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC);
3584 if (!ctx->chain) {
3585 kfree(ctx->table);
3586 return -ENOMEM;
3587 }
3588 }
3589 return 0;
3590 }
3591
3592 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb)
3593 {
3594 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3595
3596 ctx->reset = true;
3597
3598 return nf_tables_dump_rules_start(cb);
3599 }
3600
3601 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3602 {
3603 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3604
3605 kfree(ctx->table);
3606 kfree(ctx->chain);
3607 return 0;
3608 }
3609
3610 /* called with rcu_read_lock held */
3611 static struct sk_buff *
3612 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3613 const struct nlattr * const nla[], bool reset)
3614 {
3615 struct netlink_ext_ack *extack = info->extack;
3616 u8 genmask = nft_genmask_cur(info->net);
3617 u8 family = info->nfmsg->nfgen_family;
3618 const struct nft_chain *chain;
3619 const struct nft_rule *rule;
3620 struct net *net = info->net;
3621 struct nft_table *table;
3622 struct sk_buff *skb2;
3623 int err;
3624
3625 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3626 if (IS_ERR(table)) {
3627 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3628 return ERR_CAST(table);
3629 }
3630
3631 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3632 if (IS_ERR(chain)) {
3633 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3634 return ERR_CAST(chain);
3635 }
3636
3637 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3638 if (IS_ERR(rule)) {
3639 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3640 return ERR_CAST(rule);
3641 }
3642
3643 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3644 if (!skb2)
3645 return ERR_PTR(-ENOMEM);
3646
3647 err = nf_tables_fill_rule_info(skb2, net, portid,
3648 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3649 family, table, chain, rule, 0, reset);
3650 if (err < 0) {
3651 kfree_skb(skb2);
3652 return ERR_PTR(err);
3653 }
3654
3655 return skb2;
3656 }
3657
3658 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3659 const struct nlattr * const nla[])
3660 {
3661 u32 portid = NETLINK_CB(skb).portid;
3662 struct net *net = info->net;
3663 struct sk_buff *skb2;
3664
3665 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3666 struct netlink_dump_control c = {
3667 .start= nf_tables_dump_rules_start,
3668 .dump = nf_tables_dump_rules,
3669 .done = nf_tables_dump_rules_done,
3670 .module = THIS_MODULE,
3671 .data = (void *)nla,
3672 };
3673
3674 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3675 }
3676
3677 skb2 = nf_tables_getrule_single(portid, info, nla, false);
3678 if (IS_ERR(skb2))
3679 return PTR_ERR(skb2);
3680
3681 return nfnetlink_unicast(skb2, net, portid);
3682 }
3683
3684 static int nf_tables_getrule_reset(struct sk_buff *skb,
3685 const struct nfnl_info *info,
3686 const struct nlattr * const nla[])
3687 {
3688 struct nftables_pernet *nft_net = nft_pernet(info->net);
3689 u32 portid = NETLINK_CB(skb).portid;
3690 struct net *net = info->net;
3691 struct sk_buff *skb2;
3692 char *buf;
3693
3694 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3695 struct netlink_dump_control c = {
3696 .start= nf_tables_dumpreset_rules_start,
3697 .dump = nf_tables_dumpreset_rules,
3698 .done = nf_tables_dump_rules_done,
3699 .module = THIS_MODULE,
3700 .data = (void *)nla,
3701 };
3702
3703 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3704 }
3705
3706 if (!try_module_get(THIS_MODULE))
3707 return -EINVAL;
3708 rcu_read_unlock();
3709 mutex_lock(&nft_net->commit_mutex);
3710 skb2 = nf_tables_getrule_single(portid, info, nla, true);
3711 mutex_unlock(&nft_net->commit_mutex);
3712 rcu_read_lock();
3713 module_put(THIS_MODULE);
3714
3715 if (IS_ERR(skb2))
3716 return PTR_ERR(skb2);
3717
3718 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
3719 nla_len(nla[NFTA_RULE_TABLE]),
3720 (char *)nla_data(nla[NFTA_RULE_TABLE]),
3721 nft_net->base_seq);
3722 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
3723 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3724 kfree(buf);
3725
3726 return nfnetlink_unicast(skb2, net, portid);
3727 }
3728
3729 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
3730 {
3731 struct nft_expr *expr, *next;
3732
3733 /*
3734 * Careful: some expressions might not be initialized in case this
3735 * is called on error from nf_tables_newrule().
3736 */
3737 expr = nft_expr_first(rule);
3738 while (nft_expr_more(rule, expr)) {
3739 next = nft_expr_next(expr);
3740 nf_tables_expr_destroy(ctx, expr);
3741 expr = next;
3742 }
3743 kfree(rule);
3744 }
3745
3746 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3747 {
3748 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3749 nf_tables_rule_destroy(ctx, rule);
3750 }
3751
3752 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3753 {
3754 struct nft_expr *expr, *last;
3755 const struct nft_data *data;
3756 struct nft_rule *rule;
3757 int err;
3758
3759 if (ctx->level == NFT_JUMP_STACK_SIZE)
3760 return -EMLINK;
3761
3762 list_for_each_entry(rule, &chain->rules, list) {
3763 if (fatal_signal_pending(current))
3764 return -EINTR;
3765
3766 if (!nft_is_active_next(ctx->net, rule))
3767 continue;
3768
3769 nft_rule_for_each_expr(expr, last, rule) {
3770 if (!expr->ops->validate)
3771 continue;
3772
3773 err = expr->ops->validate(ctx, expr, &data);
3774 if (err < 0)
3775 return err;
3776 }
3777 }
3778
3779 return 0;
3780 }
3781 EXPORT_SYMBOL_GPL(nft_chain_validate);
3782
3783 static int nft_table_validate(struct net *net, const struct nft_table *table)
3784 {
3785 struct nft_chain *chain;
3786 struct nft_ctx ctx = {
3787 .net = net,
3788 .family = table->family,
3789 };
3790 int err;
3791
3792 list_for_each_entry(chain, &table->chains, list) {
3793 if (!nft_is_base_chain(chain))
3794 continue;
3795
3796 ctx.chain = chain;
3797 err = nft_chain_validate(&ctx, chain);
3798 if (err < 0)
3799 return err;
3800
3801 cond_resched();
3802 }
3803
3804 return 0;
3805 }
3806
3807 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3808 const struct nft_set_iter *iter,
3809 struct nft_elem_priv *elem_priv)
3810 {
3811 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
3812 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3813 const struct nft_data *data;
3814 int err;
3815
3816 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3817 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3818 return 0;
3819
3820 data = nft_set_ext_data(ext);
3821 switch (data->verdict.code) {
3822 case NFT_JUMP:
3823 case NFT_GOTO:
3824 pctx->level++;
3825 err = nft_chain_validate(ctx, data->verdict.chain);
3826 if (err < 0)
3827 return err;
3828 pctx->level--;
3829 break;
3830 default:
3831 break;
3832 }
3833
3834 return 0;
3835 }
3836
3837 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3838 {
3839 u8 genmask = nft_genmask_next(ctx->net);
3840 struct nft_set_elem_catchall *catchall;
3841 struct nft_set_ext *ext;
3842 int ret = 0;
3843
3844 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3845 ext = nft_set_elem_ext(set, catchall->elem);
3846 if (!nft_set_elem_active(ext, genmask))
3847 continue;
3848
3849 ret = nft_setelem_validate(ctx, set, NULL, catchall->elem);
3850 if (ret < 0)
3851 return ret;
3852 }
3853
3854 return ret;
3855 }
3856
3857 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3858 const struct nft_chain *chain,
3859 const struct nlattr *nla);
3860
3861 #define NFT_RULE_MAXEXPRS 128
3862
3863 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3864 const struct nlattr * const nla[])
3865 {
3866 struct nftables_pernet *nft_net = nft_pernet(info->net);
3867 struct netlink_ext_ack *extack = info->extack;
3868 unsigned int size, i, n, ulen = 0, usize = 0;
3869 u8 genmask = nft_genmask_next(info->net);
3870 struct nft_rule *rule, *old_rule = NULL;
3871 struct nft_expr_info *expr_info = NULL;
3872 u8 family = info->nfmsg->nfgen_family;
3873 struct nft_flow_rule *flow = NULL;
3874 struct net *net = info->net;
3875 struct nft_userdata *udata;
3876 struct nft_table *table;
3877 struct nft_chain *chain;
3878 struct nft_trans *trans;
3879 u64 handle, pos_handle;
3880 struct nft_expr *expr;
3881 struct nft_ctx ctx;
3882 struct nlattr *tmp;
3883 int err, rem;
3884
3885 lockdep_assert_held(&nft_net->commit_mutex);
3886
3887 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3888 NETLINK_CB(skb).portid);
3889 if (IS_ERR(table)) {
3890 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3891 return PTR_ERR(table);
3892 }
3893
3894 if (nla[NFTA_RULE_CHAIN]) {
3895 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3896 genmask);
3897 if (IS_ERR(chain)) {
3898 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3899 return PTR_ERR(chain);
3900 }
3901
3902 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3903 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
3904 genmask);
3905 if (IS_ERR(chain)) {
3906 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3907 return PTR_ERR(chain);
3908 }
3909 } else {
3910 return -EINVAL;
3911 }
3912
3913 if (nft_chain_is_bound(chain))
3914 return -EOPNOTSUPP;
3915
3916 if (nla[NFTA_RULE_HANDLE]) {
3917 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3918 rule = __nft_rule_lookup(chain, handle);
3919 if (IS_ERR(rule)) {
3920 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3921 return PTR_ERR(rule);
3922 }
3923
3924 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3925 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3926 return -EEXIST;
3927 }
3928 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3929 old_rule = rule;
3930 else
3931 return -EOPNOTSUPP;
3932 } else {
3933 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
3934 info->nlh->nlmsg_flags & NLM_F_REPLACE)
3935 return -EINVAL;
3936 handle = nf_tables_alloc_handle(table);
3937
3938 if (nla[NFTA_RULE_POSITION]) {
3939 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3940 old_rule = __nft_rule_lookup(chain, pos_handle);
3941 if (IS_ERR(old_rule)) {
3942 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3943 return PTR_ERR(old_rule);
3944 }
3945 } else if (nla[NFTA_RULE_POSITION_ID]) {
3946 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
3947 if (IS_ERR(old_rule)) {
3948 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3949 return PTR_ERR(old_rule);
3950 }
3951 }
3952 }
3953
3954 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3955
3956 n = 0;
3957 size = 0;
3958 if (nla[NFTA_RULE_EXPRESSIONS]) {
3959 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3960 sizeof(struct nft_expr_info),
3961 GFP_KERNEL);
3962 if (!expr_info)
3963 return -ENOMEM;
3964
3965 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3966 err = -EINVAL;
3967 if (nla_type(tmp) != NFTA_LIST_ELEM)
3968 goto err_release_expr;
3969 if (n == NFT_RULE_MAXEXPRS)
3970 goto err_release_expr;
3971 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
3972 if (err < 0) {
3973 NL_SET_BAD_ATTR(extack, tmp);
3974 goto err_release_expr;
3975 }
3976 size += expr_info[n].ops->size;
3977 n++;
3978 }
3979 }
3980 /* Check for overflow of dlen field */
3981 err = -EFBIG;
3982 if (size >= 1 << 12)
3983 goto err_release_expr;
3984
3985 if (nla[NFTA_RULE_USERDATA]) {
3986 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3987 if (ulen > 0)
3988 usize = sizeof(struct nft_userdata) + ulen;
3989 }
3990
3991 err = -ENOMEM;
3992 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
3993 if (rule == NULL)
3994 goto err_release_expr;
3995
3996 nft_activate_next(net, rule);
3997
3998 rule->handle = handle;
3999 rule->dlen = size;
4000 rule->udata = ulen ? 1 : 0;
4001
4002 if (ulen) {
4003 udata = nft_userdata(rule);
4004 udata->len = ulen - 1;
4005 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
4006 }
4007
4008 expr = nft_expr_first(rule);
4009 for (i = 0; i < n; i++) {
4010 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
4011 if (err < 0) {
4012 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4013 goto err_release_rule;
4014 }
4015
4016 if (expr_info[i].ops->validate)
4017 nft_validate_state_update(table, NFT_VALIDATE_NEED);
4018
4019 expr_info[i].ops = NULL;
4020 expr = nft_expr_next(expr);
4021 }
4022
4023 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4024 flow = nft_flow_rule_create(net, rule);
4025 if (IS_ERR(flow)) {
4026 err = PTR_ERR(flow);
4027 goto err_release_rule;
4028 }
4029 }
4030
4031 if (!nft_use_inc(&chain->use)) {
4032 err = -EMFILE;
4033 goto err_release_rule;
4034 }
4035
4036 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4037 if (nft_chain_binding(chain)) {
4038 err = -EOPNOTSUPP;
4039 goto err_destroy_flow_rule;
4040 }
4041
4042 err = nft_delrule(&ctx, old_rule);
4043 if (err < 0)
4044 goto err_destroy_flow_rule;
4045
4046 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4047 if (trans == NULL) {
4048 err = -ENOMEM;
4049 goto err_destroy_flow_rule;
4050 }
4051 list_add_tail_rcu(&rule->list, &old_rule->list);
4052 } else {
4053 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4054 if (!trans) {
4055 err = -ENOMEM;
4056 goto err_destroy_flow_rule;
4057 }
4058
4059 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4060 if (old_rule)
4061 list_add_rcu(&rule->list, &old_rule->list);
4062 else
4063 list_add_tail_rcu(&rule->list, &chain->rules);
4064 } else {
4065 if (old_rule)
4066 list_add_tail_rcu(&rule->list, &old_rule->list);
4067 else
4068 list_add_rcu(&rule->list, &chain->rules);
4069 }
4070 }
4071 kvfree(expr_info);
4072
4073 if (flow)
4074 nft_trans_flow_rule(trans) = flow;
4075
4076 if (table->validate_state == NFT_VALIDATE_DO)
4077 return nft_table_validate(net, table);
4078
4079 return 0;
4080
4081 err_destroy_flow_rule:
4082 nft_use_dec_restore(&chain->use);
4083 if (flow)
4084 nft_flow_rule_destroy(flow);
4085 err_release_rule:
4086 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
4087 nf_tables_rule_destroy(&ctx, rule);
4088 err_release_expr:
4089 for (i = 0; i < n; i++) {
4090 if (expr_info[i].ops) {
4091 module_put(expr_info[i].ops->type->owner);
4092 if (expr_info[i].ops->type->release_ops)
4093 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4094 }
4095 }
4096 kvfree(expr_info);
4097
4098 return err;
4099 }
4100
4101 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4102 const struct nft_chain *chain,
4103 const struct nlattr *nla)
4104 {
4105 struct nftables_pernet *nft_net = nft_pernet(net);
4106 u32 id = ntohl(nla_get_be32(nla));
4107 struct nft_trans *trans;
4108
4109 list_for_each_entry(trans, &nft_net->commit_list, list) {
4110 if (trans->msg_type == NFT_MSG_NEWRULE &&
4111 trans->ctx.chain == chain &&
4112 id == nft_trans_rule_id(trans))
4113 return nft_trans_rule(trans);
4114 }
4115 return ERR_PTR(-ENOENT);
4116 }
4117
4118 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4119 const struct nlattr * const nla[])
4120 {
4121 struct netlink_ext_ack *extack = info->extack;
4122 u8 genmask = nft_genmask_next(info->net);
4123 u8 family = info->nfmsg->nfgen_family;
4124 struct nft_chain *chain = NULL;
4125 struct net *net = info->net;
4126 struct nft_table *table;
4127 struct nft_rule *rule;
4128 struct nft_ctx ctx;
4129 int err = 0;
4130
4131 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4132 NETLINK_CB(skb).portid);
4133 if (IS_ERR(table)) {
4134 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4135 return PTR_ERR(table);
4136 }
4137
4138 if (nla[NFTA_RULE_CHAIN]) {
4139 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4140 genmask);
4141 if (IS_ERR(chain)) {
4142 if (PTR_ERR(chain) == -ENOENT &&
4143 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4144 return 0;
4145
4146 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4147 return PTR_ERR(chain);
4148 }
4149 if (nft_chain_binding(chain))
4150 return -EOPNOTSUPP;
4151 }
4152
4153 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4154
4155 if (chain) {
4156 if (nla[NFTA_RULE_HANDLE]) {
4157 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
4158 if (IS_ERR(rule)) {
4159 if (PTR_ERR(rule) == -ENOENT &&
4160 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4161 return 0;
4162
4163 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4164 return PTR_ERR(rule);
4165 }
4166
4167 err = nft_delrule(&ctx, rule);
4168 } else if (nla[NFTA_RULE_ID]) {
4169 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
4170 if (IS_ERR(rule)) {
4171 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4172 return PTR_ERR(rule);
4173 }
4174
4175 err = nft_delrule(&ctx, rule);
4176 } else {
4177 err = nft_delrule_by_chain(&ctx);
4178 }
4179 } else {
4180 list_for_each_entry(chain, &table->chains, list) {
4181 if (!nft_is_active_next(net, chain))
4182 continue;
4183 if (nft_chain_binding(chain))
4184 continue;
4185
4186 ctx.chain = chain;
4187 err = nft_delrule_by_chain(&ctx);
4188 if (err < 0)
4189 break;
4190 }
4191 }
4192
4193 return err;
4194 }
4195
4196 /*
4197 * Sets
4198 */
4199 static const struct nft_set_type *nft_set_types[] = {
4200 &nft_set_hash_fast_type,
4201 &nft_set_hash_type,
4202 &nft_set_rhash_type,
4203 &nft_set_bitmap_type,
4204 &nft_set_rbtree_type,
4205 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4206 &nft_set_pipapo_avx2_type,
4207 #endif
4208 &nft_set_pipapo_type,
4209 };
4210
4211 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4212 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4213 NFT_SET_EVAL)
4214
4215 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4216 {
4217 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4218 }
4219
4220 /*
4221 * Select a set implementation based on the data characteristics and the
4222 * given policy. The total memory use might not be known if no size is
4223 * given, in that case the amount of memory per element is used.
4224 */
4225 static const struct nft_set_ops *
4226 nft_select_set_ops(const struct nft_ctx *ctx,
4227 const struct nlattr * const nla[],
4228 const struct nft_set_desc *desc)
4229 {
4230 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4231 const struct nft_set_ops *ops, *bops;
4232 struct nft_set_estimate est, best;
4233 const struct nft_set_type *type;
4234 u32 flags = 0;
4235 int i;
4236
4237 lockdep_assert_held(&nft_net->commit_mutex);
4238 lockdep_nfnl_nft_mutex_not_held();
4239
4240 if (nla[NFTA_SET_FLAGS] != NULL)
4241 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4242
4243 bops = NULL;
4244 best.size = ~0;
4245 best.lookup = ~0;
4246 best.space = ~0;
4247
4248 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4249 type = nft_set_types[i];
4250 ops = &type->ops;
4251
4252 if (!nft_set_ops_candidate(type, flags))
4253 continue;
4254 if (!ops->estimate(desc, flags, &est))
4255 continue;
4256
4257 switch (desc->policy) {
4258 case NFT_SET_POL_PERFORMANCE:
4259 if (est.lookup < best.lookup)
4260 break;
4261 if (est.lookup == best.lookup &&
4262 est.space < best.space)
4263 break;
4264 continue;
4265 case NFT_SET_POL_MEMORY:
4266 if (!desc->size) {
4267 if (est.space < best.space)
4268 break;
4269 if (est.space == best.space &&
4270 est.lookup < best.lookup)
4271 break;
4272 } else if (est.size < best.size || !bops) {
4273 break;
4274 }
4275 continue;
4276 default:
4277 break;
4278 }
4279
4280 bops = ops;
4281 best = est;
4282 }
4283
4284 if (bops != NULL)
4285 return bops;
4286
4287 return ERR_PTR(-EOPNOTSUPP);
4288 }
4289
4290 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4291 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4292 .len = NFT_TABLE_MAXNAMELEN - 1 },
4293 [NFTA_SET_NAME] = { .type = NLA_STRING,
4294 .len = NFT_SET_MAXNAMELEN - 1 },
4295 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4296 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4297 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4298 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4299 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4300 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4301 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4302 [NFTA_SET_ID] = { .type = NLA_U32 },
4303 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4304 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4305 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4306 .len = NFT_USERDATA_MAXLEN },
4307 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4308 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4309 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4310 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
4311 };
4312
4313 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4314 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4315 };
4316
4317 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4318 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4319 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
4320 };
4321
4322 static struct nft_set *nft_set_lookup(const struct nft_table *table,
4323 const struct nlattr *nla, u8 genmask)
4324 {
4325 struct nft_set *set;
4326
4327 if (nla == NULL)
4328 return ERR_PTR(-EINVAL);
4329
4330 list_for_each_entry_rcu(set, &table->sets, list) {
4331 if (!nla_strcmp(nla, set->name) &&
4332 nft_active_genmask(set, genmask))
4333 return set;
4334 }
4335 return ERR_PTR(-ENOENT);
4336 }
4337
4338 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4339 const struct nlattr *nla,
4340 u8 genmask)
4341 {
4342 struct nft_set *set;
4343
4344 list_for_each_entry(set, &table->sets, list) {
4345 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4346 nft_active_genmask(set, genmask))
4347 return set;
4348 }
4349 return ERR_PTR(-ENOENT);
4350 }
4351
4352 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4353 const struct nft_table *table,
4354 const struct nlattr *nla, u8 genmask)
4355 {
4356 struct nftables_pernet *nft_net = nft_pernet(net);
4357 u32 id = ntohl(nla_get_be32(nla));
4358 struct nft_trans *trans;
4359
4360 list_for_each_entry(trans, &nft_net->commit_list, list) {
4361 if (trans->msg_type == NFT_MSG_NEWSET) {
4362 struct nft_set *set = nft_trans_set(trans);
4363
4364 if (id == nft_trans_set_id(trans) &&
4365 set->table == table &&
4366 nft_active_genmask(set, genmask))
4367 return set;
4368 }
4369 }
4370 return ERR_PTR(-ENOENT);
4371 }
4372
4373 struct nft_set *nft_set_lookup_global(const struct net *net,
4374 const struct nft_table *table,
4375 const struct nlattr *nla_set_name,
4376 const struct nlattr *nla_set_id,
4377 u8 genmask)
4378 {
4379 struct nft_set *set;
4380
4381 set = nft_set_lookup(table, nla_set_name, genmask);
4382 if (IS_ERR(set)) {
4383 if (!nla_set_id)
4384 return set;
4385
4386 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4387 }
4388 return set;
4389 }
4390 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4391
4392 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4393 const char *name)
4394 {
4395 const struct nft_set *i;
4396 const char *p;
4397 unsigned long *inuse;
4398 unsigned int n = 0, min = 0;
4399
4400 p = strchr(name, '%');
4401 if (p != NULL) {
4402 if (p[1] != 'd' || strchr(p + 2, '%'))
4403 return -EINVAL;
4404
4405 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4406 if (inuse == NULL)
4407 return -ENOMEM;
4408 cont:
4409 list_for_each_entry(i, &ctx->table->sets, list) {
4410 int tmp;
4411
4412 if (!nft_is_active_next(ctx->net, i))
4413 continue;
4414 if (!sscanf(i->name, name, &tmp))
4415 continue;
4416 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4417 continue;
4418
4419 set_bit(tmp - min, inuse);
4420 }
4421
4422 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4423 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4424 min += BITS_PER_BYTE * PAGE_SIZE;
4425 memset(inuse, 0, PAGE_SIZE);
4426 goto cont;
4427 }
4428 free_page((unsigned long)inuse);
4429 }
4430
4431 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4432 if (!set->name)
4433 return -ENOMEM;
4434
4435 list_for_each_entry(i, &ctx->table->sets, list) {
4436 if (!nft_is_active_next(ctx->net, i))
4437 continue;
4438 if (!strcmp(set->name, i->name)) {
4439 kfree(set->name);
4440 set->name = NULL;
4441 return -ENFILE;
4442 }
4443 }
4444 return 0;
4445 }
4446
4447 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4448 {
4449 u64 ms = be64_to_cpu(nla_get_be64(nla));
4450 u64 max = (u64)(~((u64)0));
4451
4452 max = div_u64(max, NSEC_PER_MSEC);
4453 if (ms >= max)
4454 return -ERANGE;
4455
4456 ms *= NSEC_PER_MSEC;
4457 *result = nsecs_to_jiffies64(ms);
4458 return 0;
4459 }
4460
4461 __be64 nf_jiffies64_to_msecs(u64 input)
4462 {
4463 return cpu_to_be64(jiffies64_to_msecs(input));
4464 }
4465
4466 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4467 const struct nft_set *set)
4468 {
4469 struct nlattr *concat, *field;
4470 int i;
4471
4472 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4473 if (!concat)
4474 return -ENOMEM;
4475
4476 for (i = 0; i < set->field_count; i++) {
4477 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4478 if (!field)
4479 return -ENOMEM;
4480
4481 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4482 htonl(set->field_len[i])))
4483 return -ENOMEM;
4484
4485 nla_nest_end(skb, field);
4486 }
4487
4488 nla_nest_end(skb, concat);
4489
4490 return 0;
4491 }
4492
4493 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4494 const struct nft_set *set, u16 event, u16 flags)
4495 {
4496 u64 timeout = READ_ONCE(set->timeout);
4497 u32 gc_int = READ_ONCE(set->gc_int);
4498 u32 portid = ctx->portid;
4499 struct nlmsghdr *nlh;
4500 struct nlattr *nest;
4501 u32 seq = ctx->seq;
4502 int i;
4503
4504 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4505 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4506 NFNETLINK_V0, nft_base_seq(ctx->net));
4507 if (!nlh)
4508 goto nla_put_failure;
4509
4510 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4511 goto nla_put_failure;
4512 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4513 goto nla_put_failure;
4514 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4515 NFTA_SET_PAD))
4516 goto nla_put_failure;
4517
4518 if (event == NFT_MSG_DELSET) {
4519 nlmsg_end(skb, nlh);
4520 return 0;
4521 }
4522
4523 if (set->flags != 0)
4524 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4525 goto nla_put_failure;
4526
4527 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4528 goto nla_put_failure;
4529 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4530 goto nla_put_failure;
4531 if (set->flags & NFT_SET_MAP) {
4532 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4533 goto nla_put_failure;
4534 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4535 goto nla_put_failure;
4536 }
4537 if (set->flags & NFT_SET_OBJECT &&
4538 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4539 goto nla_put_failure;
4540
4541 if (timeout &&
4542 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4543 nf_jiffies64_to_msecs(timeout),
4544 NFTA_SET_PAD))
4545 goto nla_put_failure;
4546 if (gc_int &&
4547 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4548 goto nla_put_failure;
4549
4550 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4551 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4552 goto nla_put_failure;
4553 }
4554
4555 if (set->udata &&
4556 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4557 goto nla_put_failure;
4558
4559 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4560 if (!nest)
4561 goto nla_put_failure;
4562 if (set->size &&
4563 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4564 goto nla_put_failure;
4565
4566 if (set->field_count > 1 &&
4567 nf_tables_fill_set_concat(skb, set))
4568 goto nla_put_failure;
4569
4570 nla_nest_end(skb, nest);
4571
4572 if (set->num_exprs == 1) {
4573 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4574 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4575 goto nla_put_failure;
4576
4577 nla_nest_end(skb, nest);
4578 } else if (set->num_exprs > 1) {
4579 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4580 if (nest == NULL)
4581 goto nla_put_failure;
4582
4583 for (i = 0; i < set->num_exprs; i++) {
4584 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4585 set->exprs[i], false) < 0)
4586 goto nla_put_failure;
4587 }
4588 nla_nest_end(skb, nest);
4589 }
4590
4591 nlmsg_end(skb, nlh);
4592 return 0;
4593
4594 nla_put_failure:
4595 nlmsg_trim(skb, nlh);
4596 return -1;
4597 }
4598
4599 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4600 const struct nft_set *set, int event,
4601 gfp_t gfp_flags)
4602 {
4603 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4604 u32 portid = ctx->portid;
4605 struct sk_buff *skb;
4606 u16 flags = 0;
4607 int err;
4608
4609 if (!ctx->report &&
4610 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4611 return;
4612
4613 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4614 if (skb == NULL)
4615 goto err;
4616
4617 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4618 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4619
4620 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4621 if (err < 0) {
4622 kfree_skb(skb);
4623 goto err;
4624 }
4625
4626 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4627 return;
4628 err:
4629 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4630 }
4631
4632 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4633 {
4634 const struct nft_set *set;
4635 unsigned int idx, s_idx = cb->args[0];
4636 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4637 struct net *net = sock_net(skb->sk);
4638 struct nft_ctx *ctx = cb->data, ctx_set;
4639 struct nftables_pernet *nft_net;
4640
4641 if (cb->args[1])
4642 return skb->len;
4643
4644 rcu_read_lock();
4645 nft_net = nft_pernet(net);
4646 cb->seq = READ_ONCE(nft_net->base_seq);
4647
4648 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4649 if (ctx->family != NFPROTO_UNSPEC &&
4650 ctx->family != table->family)
4651 continue;
4652
4653 if (ctx->table && ctx->table != table)
4654 continue;
4655
4656 if (cur_table) {
4657 if (cur_table != table)
4658 continue;
4659
4660 cur_table = NULL;
4661 }
4662 idx = 0;
4663 list_for_each_entry_rcu(set, &table->sets, list) {
4664 if (idx < s_idx)
4665 goto cont;
4666 if (!nft_is_active(net, set))
4667 goto cont;
4668
4669 ctx_set = *ctx;
4670 ctx_set.table = table;
4671 ctx_set.family = table->family;
4672
4673 if (nf_tables_fill_set(skb, &ctx_set, set,
4674 NFT_MSG_NEWSET,
4675 NLM_F_MULTI) < 0) {
4676 cb->args[0] = idx;
4677 cb->args[2] = (unsigned long) table;
4678 goto done;
4679 }
4680 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4681 cont:
4682 idx++;
4683 }
4684 if (s_idx)
4685 s_idx = 0;
4686 }
4687 cb->args[1] = 1;
4688 done:
4689 rcu_read_unlock();
4690 return skb->len;
4691 }
4692
4693 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4694 {
4695 struct nft_ctx *ctx_dump = NULL;
4696
4697 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4698 if (ctx_dump == NULL)
4699 return -ENOMEM;
4700
4701 cb->data = ctx_dump;
4702 return 0;
4703 }
4704
4705 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4706 {
4707 kfree(cb->data);
4708 return 0;
4709 }
4710
4711 /* called with rcu_read_lock held */
4712 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4713 const struct nlattr * const nla[])
4714 {
4715 struct netlink_ext_ack *extack = info->extack;
4716 u8 genmask = nft_genmask_cur(info->net);
4717 u8 family = info->nfmsg->nfgen_family;
4718 struct nft_table *table = NULL;
4719 struct net *net = info->net;
4720 const struct nft_set *set;
4721 struct sk_buff *skb2;
4722 struct nft_ctx ctx;
4723 int err;
4724
4725 if (nla[NFTA_SET_TABLE]) {
4726 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4727 genmask, 0);
4728 if (IS_ERR(table)) {
4729 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4730 return PTR_ERR(table);
4731 }
4732 }
4733
4734 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4735
4736 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4737 struct netlink_dump_control c = {
4738 .start = nf_tables_dump_sets_start,
4739 .dump = nf_tables_dump_sets,
4740 .done = nf_tables_dump_sets_done,
4741 .data = &ctx,
4742 .module = THIS_MODULE,
4743 };
4744
4745 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4746 }
4747
4748 /* Only accept unspec with dump */
4749 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4750 return -EAFNOSUPPORT;
4751 if (!nla[NFTA_SET_TABLE])
4752 return -EINVAL;
4753
4754 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4755 if (IS_ERR(set)) {
4756 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4757 return PTR_ERR(set);
4758 }
4759
4760 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4761 if (skb2 == NULL)
4762 return -ENOMEM;
4763
4764 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4765 if (err < 0)
4766 goto err_fill_set_info;
4767
4768 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4769
4770 err_fill_set_info:
4771 kfree_skb(skb2);
4772 return err;
4773 }
4774
4775 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4776 struct nft_set_desc *desc)
4777 {
4778 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4779 u32 len;
4780 int err;
4781
4782 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4783 return -E2BIG;
4784
4785 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4786 nft_concat_policy, NULL);
4787 if (err < 0)
4788 return err;
4789
4790 if (!tb[NFTA_SET_FIELD_LEN])
4791 return -EINVAL;
4792
4793 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4794 if (!len || len > U8_MAX)
4795 return -EINVAL;
4796
4797 desc->field_len[desc->field_count++] = len;
4798
4799 return 0;
4800 }
4801
4802 static int nft_set_desc_concat(struct nft_set_desc *desc,
4803 const struct nlattr *nla)
4804 {
4805 struct nlattr *attr;
4806 u32 num_regs = 0;
4807 int rem, err, i;
4808
4809 nla_for_each_nested(attr, nla, rem) {
4810 if (nla_type(attr) != NFTA_LIST_ELEM)
4811 return -EINVAL;
4812
4813 err = nft_set_desc_concat_parse(attr, desc);
4814 if (err < 0)
4815 return err;
4816 }
4817
4818 for (i = 0; i < desc->field_count; i++)
4819 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4820
4821 if (num_regs > NFT_REG32_COUNT)
4822 return -E2BIG;
4823
4824 return 0;
4825 }
4826
4827 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4828 const struct nlattr *nla)
4829 {
4830 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4831 int err;
4832
4833 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4834 nft_set_desc_policy, NULL);
4835 if (err < 0)
4836 return err;
4837
4838 if (da[NFTA_SET_DESC_SIZE] != NULL)
4839 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4840 if (da[NFTA_SET_DESC_CONCAT])
4841 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4842
4843 return err;
4844 }
4845
4846 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4847 const struct nlattr * const *nla,
4848 struct nft_expr **exprs, int *num_exprs,
4849 u32 flags)
4850 {
4851 struct nft_expr *expr;
4852 int err, i;
4853
4854 if (nla[NFTA_SET_EXPR]) {
4855 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
4856 if (IS_ERR(expr)) {
4857 err = PTR_ERR(expr);
4858 goto err_set_expr_alloc;
4859 }
4860 exprs[0] = expr;
4861 (*num_exprs)++;
4862 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4863 struct nlattr *tmp;
4864 int left;
4865
4866 if (!(flags & NFT_SET_EXPR)) {
4867 err = -EINVAL;
4868 goto err_set_expr_alloc;
4869 }
4870 i = 0;
4871 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4872 if (i == NFT_SET_EXPR_MAX) {
4873 err = -E2BIG;
4874 goto err_set_expr_alloc;
4875 }
4876 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4877 err = -EINVAL;
4878 goto err_set_expr_alloc;
4879 }
4880 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
4881 if (IS_ERR(expr)) {
4882 err = PTR_ERR(expr);
4883 goto err_set_expr_alloc;
4884 }
4885 exprs[i++] = expr;
4886 (*num_exprs)++;
4887 }
4888 }
4889
4890 return 0;
4891
4892 err_set_expr_alloc:
4893 for (i = 0; i < *num_exprs; i++)
4894 nft_expr_destroy(ctx, exprs[i]);
4895
4896 return err;
4897 }
4898
4899 static bool nft_set_is_same(const struct nft_set *set,
4900 const struct nft_set_desc *desc,
4901 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
4902 {
4903 int i;
4904
4905 if (set->ktype != desc->ktype ||
4906 set->dtype != desc->dtype ||
4907 set->flags != flags ||
4908 set->klen != desc->klen ||
4909 set->dlen != desc->dlen ||
4910 set->field_count != desc->field_count ||
4911 set->num_exprs != num_exprs)
4912 return false;
4913
4914 for (i = 0; i < desc->field_count; i++) {
4915 if (set->field_len[i] != desc->field_len[i])
4916 return false;
4917 }
4918
4919 for (i = 0; i < num_exprs; i++) {
4920 if (set->exprs[i]->ops != exprs[i]->ops)
4921 return false;
4922 }
4923
4924 return true;
4925 }
4926
4927 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
4928 const struct nlattr * const nla[])
4929 {
4930 struct netlink_ext_ack *extack = info->extack;
4931 u8 genmask = nft_genmask_next(info->net);
4932 u8 family = info->nfmsg->nfgen_family;
4933 const struct nft_set_ops *ops;
4934 struct net *net = info->net;
4935 struct nft_set_desc desc;
4936 struct nft_table *table;
4937 unsigned char *udata;
4938 struct nft_set *set;
4939 struct nft_ctx ctx;
4940 size_t alloc_size;
4941 int num_exprs = 0;
4942 char *name;
4943 int err, i;
4944 u16 udlen;
4945 u32 flags;
4946 u64 size;
4947
4948 if (nla[NFTA_SET_TABLE] == NULL ||
4949 nla[NFTA_SET_NAME] == NULL ||
4950 nla[NFTA_SET_KEY_LEN] == NULL ||
4951 nla[NFTA_SET_ID] == NULL)
4952 return -EINVAL;
4953
4954 memset(&desc, 0, sizeof(desc));
4955
4956 desc.ktype = NFT_DATA_VALUE;
4957 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4958 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4959 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4960 return -EINVAL;
4961 }
4962
4963 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4964 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4965 return -EINVAL;
4966
4967 flags = 0;
4968 if (nla[NFTA_SET_FLAGS] != NULL) {
4969 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4970 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4971 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4972 NFT_SET_MAP | NFT_SET_EVAL |
4973 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4974 return -EOPNOTSUPP;
4975 /* Only one of these operations is supported */
4976 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4977 (NFT_SET_MAP | NFT_SET_OBJECT))
4978 return -EOPNOTSUPP;
4979 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4980 (NFT_SET_EVAL | NFT_SET_OBJECT))
4981 return -EOPNOTSUPP;
4982 }
4983
4984 desc.dtype = 0;
4985 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4986 if (!(flags & NFT_SET_MAP))
4987 return -EINVAL;
4988
4989 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4990 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4991 desc.dtype != NFT_DATA_VERDICT)
4992 return -EINVAL;
4993
4994 if (desc.dtype != NFT_DATA_VERDICT) {
4995 if (nla[NFTA_SET_DATA_LEN] == NULL)
4996 return -EINVAL;
4997 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4998 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4999 return -EINVAL;
5000 } else
5001 desc.dlen = sizeof(struct nft_verdict);
5002 } else if (flags & NFT_SET_MAP)
5003 return -EINVAL;
5004
5005 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5006 if (!(flags & NFT_SET_OBJECT))
5007 return -EINVAL;
5008
5009 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5010 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5011 desc.objtype > NFT_OBJECT_MAX)
5012 return -EOPNOTSUPP;
5013 } else if (flags & NFT_SET_OBJECT)
5014 return -EINVAL;
5015 else
5016 desc.objtype = NFT_OBJECT_UNSPEC;
5017
5018 desc.timeout = 0;
5019 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5020 if (!(flags & NFT_SET_TIMEOUT))
5021 return -EINVAL;
5022
5023 if (flags & NFT_SET_ANONYMOUS)
5024 return -EOPNOTSUPP;
5025
5026 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
5027 if (err)
5028 return err;
5029 }
5030 desc.gc_int = 0;
5031 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5032 if (!(flags & NFT_SET_TIMEOUT))
5033 return -EINVAL;
5034
5035 if (flags & NFT_SET_ANONYMOUS)
5036 return -EOPNOTSUPP;
5037
5038 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5039 }
5040
5041 desc.policy = NFT_SET_POL_PERFORMANCE;
5042 if (nla[NFTA_SET_POLICY] != NULL)
5043 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5044
5045 if (nla[NFTA_SET_DESC] != NULL) {
5046 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
5047 if (err < 0)
5048 return err;
5049
5050 if (desc.field_count > 1 && !(flags & NFT_SET_CONCAT))
5051 return -EINVAL;
5052 } else if (flags & NFT_SET_CONCAT) {
5053 return -EINVAL;
5054 }
5055
5056 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5057 desc.expr = true;
5058
5059 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
5060 NETLINK_CB(skb).portid);
5061 if (IS_ERR(table)) {
5062 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5063 return PTR_ERR(table);
5064 }
5065
5066 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5067
5068 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
5069 if (IS_ERR(set)) {
5070 if (PTR_ERR(set) != -ENOENT) {
5071 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5072 return PTR_ERR(set);
5073 }
5074 } else {
5075 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5076
5077 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5078 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5079 return -EEXIST;
5080 }
5081 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5082 return -EOPNOTSUPP;
5083
5084 if (nft_set_is_anonymous(set))
5085 return -EOPNOTSUPP;
5086
5087 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
5088 if (err < 0)
5089 return err;
5090
5091 err = 0;
5092 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
5093 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5094 err = -EEXIST;
5095 }
5096
5097 for (i = 0; i < num_exprs; i++)
5098 nft_expr_destroy(&ctx, exprs[i]);
5099
5100 if (err < 0)
5101 return err;
5102
5103 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
5104 }
5105
5106 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5107 return -ENOENT;
5108
5109 ops = nft_select_set_ops(&ctx, nla, &desc);
5110 if (IS_ERR(ops))
5111 return PTR_ERR(ops);
5112
5113 udlen = 0;
5114 if (nla[NFTA_SET_USERDATA])
5115 udlen = nla_len(nla[NFTA_SET_USERDATA]);
5116
5117 size = 0;
5118 if (ops->privsize != NULL)
5119 size = ops->privsize(nla, &desc);
5120 alloc_size = sizeof(*set) + size + udlen;
5121 if (alloc_size < size || alloc_size > INT_MAX)
5122 return -ENOMEM;
5123
5124 if (!nft_use_inc(&table->use))
5125 return -EMFILE;
5126
5127 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
5128 if (!set) {
5129 err = -ENOMEM;
5130 goto err_alloc;
5131 }
5132
5133 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5134 if (!name) {
5135 err = -ENOMEM;
5136 goto err_set_name;
5137 }
5138
5139 err = nf_tables_set_alloc_name(&ctx, set, name);
5140 kfree(name);
5141 if (err < 0)
5142 goto err_set_name;
5143
5144 udata = NULL;
5145 if (udlen) {
5146 udata = set->data + size;
5147 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
5148 }
5149
5150 INIT_LIST_HEAD(&set->bindings);
5151 INIT_LIST_HEAD(&set->catchall_list);
5152 refcount_set(&set->refs, 1);
5153 set->table = table;
5154 write_pnet(&set->net, net);
5155 set->ops = ops;
5156 set->ktype = desc.ktype;
5157 set->klen = desc.klen;
5158 set->dtype = desc.dtype;
5159 set->objtype = desc.objtype;
5160 set->dlen = desc.dlen;
5161 set->flags = flags;
5162 set->size = desc.size;
5163 set->policy = desc.policy;
5164 set->udlen = udlen;
5165 set->udata = udata;
5166 set->timeout = desc.timeout;
5167 set->gc_int = desc.gc_int;
5168
5169 set->field_count = desc.field_count;
5170 for (i = 0; i < desc.field_count; i++)
5171 set->field_len[i] = desc.field_len[i];
5172
5173 err = ops->init(set, &desc, nla);
5174 if (err < 0)
5175 goto err_set_init;
5176
5177 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
5178 if (err < 0)
5179 goto err_set_destroy;
5180
5181 set->num_exprs = num_exprs;
5182 set->handle = nf_tables_alloc_handle(table);
5183 INIT_LIST_HEAD(&set->pending_update);
5184
5185 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
5186 if (err < 0)
5187 goto err_set_expr_alloc;
5188
5189 list_add_tail_rcu(&set->list, &table->sets);
5190
5191 return 0;
5192
5193 err_set_expr_alloc:
5194 for (i = 0; i < set->num_exprs; i++)
5195 nft_expr_destroy(&ctx, set->exprs[i]);
5196 err_set_destroy:
5197 ops->destroy(&ctx, set);
5198 err_set_init:
5199 kfree(set->name);
5200 err_set_name:
5201 kvfree(set);
5202 err_alloc:
5203 nft_use_dec_restore(&table->use);
5204
5205 return err;
5206 }
5207
5208 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5209 struct nft_set *set)
5210 {
5211 struct nft_set_elem_catchall *next, *catchall;
5212
5213 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5214 list_del_rcu(&catchall->list);
5215 nf_tables_set_elem_destroy(ctx, set, catchall->elem);
5216 kfree_rcu(catchall, rcu);
5217 }
5218 }
5219
5220 static void nft_set_put(struct nft_set *set)
5221 {
5222 if (refcount_dec_and_test(&set->refs)) {
5223 kfree(set->name);
5224 kvfree(set);
5225 }
5226 }
5227
5228 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5229 {
5230 int i;
5231
5232 if (WARN_ON(set->use > 0))
5233 return;
5234
5235 for (i = 0; i < set->num_exprs; i++)
5236 nft_expr_destroy(ctx, set->exprs[i]);
5237
5238 set->ops->destroy(ctx, set);
5239 nft_set_catchall_destroy(ctx, set);
5240 nft_set_put(set);
5241 }
5242
5243 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5244 const struct nlattr * const nla[])
5245 {
5246 struct netlink_ext_ack *extack = info->extack;
5247 u8 genmask = nft_genmask_next(info->net);
5248 u8 family = info->nfmsg->nfgen_family;
5249 struct net *net = info->net;
5250 const struct nlattr *attr;
5251 struct nft_table *table;
5252 struct nft_set *set;
5253 struct nft_ctx ctx;
5254
5255 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5256 return -EAFNOSUPPORT;
5257
5258 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5259 genmask, NETLINK_CB(skb).portid);
5260 if (IS_ERR(table)) {
5261 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5262 return PTR_ERR(table);
5263 }
5264
5265 if (nla[NFTA_SET_HANDLE]) {
5266 attr = nla[NFTA_SET_HANDLE];
5267 set = nft_set_lookup_byhandle(table, attr, genmask);
5268 } else {
5269 attr = nla[NFTA_SET_NAME];
5270 set = nft_set_lookup(table, attr, genmask);
5271 }
5272
5273 if (IS_ERR(set)) {
5274 if (PTR_ERR(set) == -ENOENT &&
5275 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5276 return 0;
5277
5278 NL_SET_BAD_ATTR(extack, attr);
5279 return PTR_ERR(set);
5280 }
5281 if (set->use ||
5282 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5283 atomic_read(&set->nelems) > 0)) {
5284 NL_SET_BAD_ATTR(extack, attr);
5285 return -EBUSY;
5286 }
5287
5288 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5289
5290 return nft_delset(&ctx, set);
5291 }
5292
5293 static int nft_validate_register_store(const struct nft_ctx *ctx,
5294 enum nft_registers reg,
5295 const struct nft_data *data,
5296 enum nft_data_types type,
5297 unsigned int len);
5298
5299 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5300 struct nft_set *set,
5301 struct nft_elem_priv *elem_priv)
5302 {
5303 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5304 enum nft_registers dreg;
5305
5306 dreg = nft_type_to_reg(set->dtype);
5307 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5308 set->dtype == NFT_DATA_VERDICT ?
5309 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5310 set->dlen);
5311 }
5312
5313 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5314 struct nft_set *set,
5315 const struct nft_set_iter *iter,
5316 struct nft_elem_priv *elem_priv)
5317 {
5318 return nft_setelem_data_validate(ctx, set, elem_priv);
5319 }
5320
5321 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5322 struct nft_set *set)
5323 {
5324 u8 genmask = nft_genmask_next(ctx->net);
5325 struct nft_set_elem_catchall *catchall;
5326 struct nft_set_ext *ext;
5327 int ret = 0;
5328
5329 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5330 ext = nft_set_elem_ext(set, catchall->elem);
5331 if (!nft_set_elem_active(ext, genmask))
5332 continue;
5333
5334 ret = nft_setelem_data_validate(ctx, set, catchall->elem);
5335 if (ret < 0)
5336 break;
5337 }
5338
5339 return ret;
5340 }
5341
5342 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5343 struct nft_set_binding *binding)
5344 {
5345 struct nft_set_binding *i;
5346 struct nft_set_iter iter;
5347
5348 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5349 return -EBUSY;
5350
5351 if (binding->flags & NFT_SET_MAP) {
5352 /* If the set is already bound to the same chain all
5353 * jumps are already validated for that chain.
5354 */
5355 list_for_each_entry(i, &set->bindings, list) {
5356 if (i->flags & NFT_SET_MAP &&
5357 i->chain == binding->chain)
5358 goto bind;
5359 }
5360
5361 iter.genmask = nft_genmask_next(ctx->net);
5362 iter.skip = 0;
5363 iter.count = 0;
5364 iter.err = 0;
5365 iter.fn = nf_tables_bind_check_setelem;
5366
5367 set->ops->walk(ctx, set, &iter);
5368 if (!iter.err)
5369 iter.err = nft_set_catchall_bind_check(ctx, set);
5370
5371 if (iter.err < 0)
5372 return iter.err;
5373 }
5374 bind:
5375 if (!nft_use_inc(&set->use))
5376 return -EMFILE;
5377
5378 binding->chain = ctx->chain;
5379 list_add_tail_rcu(&binding->list, &set->bindings);
5380 nft_set_trans_bind(ctx, set);
5381
5382 return 0;
5383 }
5384 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5385
5386 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5387 struct nft_set_binding *binding, bool event)
5388 {
5389 list_del_rcu(&binding->list);
5390
5391 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5392 list_del_rcu(&set->list);
5393 if (event)
5394 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5395 GFP_KERNEL);
5396 }
5397 }
5398
5399 static void nft_setelem_data_activate(const struct net *net,
5400 const struct nft_set *set,
5401 struct nft_elem_priv *elem_priv);
5402
5403 static int nft_mapelem_activate(const struct nft_ctx *ctx,
5404 struct nft_set *set,
5405 const struct nft_set_iter *iter,
5406 struct nft_elem_priv *elem_priv)
5407 {
5408 nft_setelem_data_activate(ctx->net, set, elem_priv);
5409
5410 return 0;
5411 }
5412
5413 static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5414 struct nft_set *set)
5415 {
5416 u8 genmask = nft_genmask_next(ctx->net);
5417 struct nft_set_elem_catchall *catchall;
5418 struct nft_set_ext *ext;
5419
5420 list_for_each_entry(catchall, &set->catchall_list, list) {
5421 ext = nft_set_elem_ext(set, catchall->elem);
5422 if (!nft_set_elem_active(ext, genmask))
5423 continue;
5424
5425 nft_setelem_data_activate(ctx->net, set, catchall->elem);
5426 break;
5427 }
5428 }
5429
5430 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5431 {
5432 struct nft_set_iter iter = {
5433 .genmask = nft_genmask_next(ctx->net),
5434 .fn = nft_mapelem_activate,
5435 };
5436
5437 set->ops->walk(ctx, set, &iter);
5438 WARN_ON_ONCE(iter.err);
5439
5440 nft_map_catchall_activate(ctx, set);
5441 }
5442
5443 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5444 {
5445 if (nft_set_is_anonymous(set)) {
5446 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5447 nft_map_activate(ctx, set);
5448
5449 nft_clear(ctx->net, set);
5450 }
5451
5452 nft_use_inc_restore(&set->use);
5453 }
5454 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5455
5456 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5457 struct nft_set_binding *binding,
5458 enum nft_trans_phase phase)
5459 {
5460 switch (phase) {
5461 case NFT_TRANS_PREPARE_ERROR:
5462 nft_set_trans_unbind(ctx, set);
5463 if (nft_set_is_anonymous(set))
5464 nft_deactivate_next(ctx->net, set);
5465 else
5466 list_del_rcu(&binding->list);
5467
5468 nft_use_dec(&set->use);
5469 break;
5470 case NFT_TRANS_PREPARE:
5471 if (nft_set_is_anonymous(set)) {
5472 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5473 nft_map_deactivate(ctx, set);
5474
5475 nft_deactivate_next(ctx->net, set);
5476 }
5477 nft_use_dec(&set->use);
5478 return;
5479 case NFT_TRANS_ABORT:
5480 case NFT_TRANS_RELEASE:
5481 if (nft_set_is_anonymous(set) &&
5482 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5483 nft_map_deactivate(ctx, set);
5484
5485 nft_use_dec(&set->use);
5486 fallthrough;
5487 default:
5488 nf_tables_unbind_set(ctx, set, binding,
5489 phase == NFT_TRANS_COMMIT);
5490 }
5491 }
5492 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5493
5494 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5495 {
5496 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5497 nft_set_destroy(ctx, set);
5498 }
5499 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5500
5501 const struct nft_set_ext_type nft_set_ext_types[] = {
5502 [NFT_SET_EXT_KEY] = {
5503 .align = __alignof__(u32),
5504 },
5505 [NFT_SET_EXT_DATA] = {
5506 .align = __alignof__(u32),
5507 },
5508 [NFT_SET_EXT_EXPRESSIONS] = {
5509 .align = __alignof__(struct nft_set_elem_expr),
5510 },
5511 [NFT_SET_EXT_OBJREF] = {
5512 .len = sizeof(struct nft_object *),
5513 .align = __alignof__(struct nft_object *),
5514 },
5515 [NFT_SET_EXT_FLAGS] = {
5516 .len = sizeof(u8),
5517 .align = __alignof__(u8),
5518 },
5519 [NFT_SET_EXT_TIMEOUT] = {
5520 .len = sizeof(u64),
5521 .align = __alignof__(u64),
5522 },
5523 [NFT_SET_EXT_EXPIRATION] = {
5524 .len = sizeof(u64),
5525 .align = __alignof__(u64),
5526 },
5527 [NFT_SET_EXT_USERDATA] = {
5528 .len = sizeof(struct nft_userdata),
5529 .align = __alignof__(struct nft_userdata),
5530 },
5531 [NFT_SET_EXT_KEY_END] = {
5532 .align = __alignof__(u32),
5533 },
5534 };
5535
5536 /*
5537 * Set elements
5538 */
5539
5540 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5541 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5542 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5543 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5544 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5545 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5546 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5547 .len = NFT_USERDATA_MAXLEN },
5548 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5549 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5550 .len = NFT_OBJ_MAXNAMELEN - 1 },
5551 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5552 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
5553 };
5554
5555 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5556 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5557 .len = NFT_TABLE_MAXNAMELEN - 1 },
5558 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5559 .len = NFT_SET_MAXNAMELEN - 1 },
5560 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy),
5561 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5562 };
5563
5564 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5565 const struct nft_set *set,
5566 const struct nft_set_ext *ext,
5567 bool reset)
5568 {
5569 struct nft_set_elem_expr *elem_expr;
5570 u32 size, num_exprs = 0;
5571 struct nft_expr *expr;
5572 struct nlattr *nest;
5573
5574 elem_expr = nft_set_ext_expr(ext);
5575 nft_setelem_expr_foreach(expr, elem_expr, size)
5576 num_exprs++;
5577
5578 if (num_exprs == 1) {
5579 expr = nft_setelem_expr_at(elem_expr, 0);
5580 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0)
5581 return -1;
5582
5583 return 0;
5584 } else if (num_exprs > 1) {
5585 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5586 if (nest == NULL)
5587 goto nla_put_failure;
5588
5589 nft_setelem_expr_foreach(expr, elem_expr, size) {
5590 expr = nft_setelem_expr_at(elem_expr, size);
5591 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
5592 goto nla_put_failure;
5593 }
5594 nla_nest_end(skb, nest);
5595 }
5596 return 0;
5597
5598 nla_put_failure:
5599 return -1;
5600 }
5601
5602 static int nf_tables_fill_setelem(struct sk_buff *skb,
5603 const struct nft_set *set,
5604 const struct nft_elem_priv *elem_priv,
5605 bool reset)
5606 {
5607 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5608 unsigned char *b = skb_tail_pointer(skb);
5609 struct nlattr *nest;
5610
5611 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5612 if (nest == NULL)
5613 goto nla_put_failure;
5614
5615 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5616 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5617 NFT_DATA_VALUE, set->klen) < 0)
5618 goto nla_put_failure;
5619
5620 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5621 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5622 NFT_DATA_VALUE, set->klen) < 0)
5623 goto nla_put_failure;
5624
5625 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5626 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5627 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
5628 set->dlen) < 0)
5629 goto nla_put_failure;
5630
5631 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5632 nft_set_elem_expr_dump(skb, set, ext, reset))
5633 goto nla_put_failure;
5634
5635 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5636 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5637 (*nft_set_ext_obj(ext))->key.name) < 0)
5638 goto nla_put_failure;
5639
5640 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5641 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5642 htonl(*nft_set_ext_flags(ext))))
5643 goto nla_put_failure;
5644
5645 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
5646 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5647 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
5648 NFTA_SET_ELEM_PAD))
5649 goto nla_put_failure;
5650
5651 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5652 u64 expires, now = get_jiffies_64();
5653
5654 expires = *nft_set_ext_expiration(ext);
5655 if (time_before64(now, expires))
5656 expires -= now;
5657 else
5658 expires = 0;
5659
5660 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5661 nf_jiffies64_to_msecs(expires),
5662 NFTA_SET_ELEM_PAD))
5663 goto nla_put_failure;
5664 }
5665
5666 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5667 struct nft_userdata *udata;
5668
5669 udata = nft_set_ext_userdata(ext);
5670 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5671 udata->len + 1, udata->data))
5672 goto nla_put_failure;
5673 }
5674
5675 nla_nest_end(skb, nest);
5676 return 0;
5677
5678 nla_put_failure:
5679 nlmsg_trim(skb, b);
5680 return -EMSGSIZE;
5681 }
5682
5683 struct nft_set_dump_args {
5684 const struct netlink_callback *cb;
5685 struct nft_set_iter iter;
5686 struct sk_buff *skb;
5687 bool reset;
5688 };
5689
5690 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5691 struct nft_set *set,
5692 const struct nft_set_iter *iter,
5693 struct nft_elem_priv *elem_priv)
5694 {
5695 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5696 struct nft_set_dump_args *args;
5697
5698 if (nft_set_elem_expired(ext))
5699 return 0;
5700
5701 args = container_of(iter, struct nft_set_dump_args, iter);
5702 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset);
5703 }
5704
5705 static void audit_log_nft_set_reset(const struct nft_table *table,
5706 unsigned int base_seq,
5707 unsigned int nentries)
5708 {
5709 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
5710
5711 audit_log_nfcfg(buf, table->family, nentries,
5712 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
5713 kfree(buf);
5714 }
5715
5716 struct nft_set_dump_ctx {
5717 const struct nft_set *set;
5718 struct nft_ctx ctx;
5719 bool reset;
5720 };
5721
5722 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5723 const struct nft_set *set, bool reset,
5724 unsigned int base_seq)
5725 {
5726 struct nft_set_elem_catchall *catchall;
5727 u8 genmask = nft_genmask_cur(net);
5728 struct nft_set_ext *ext;
5729 int ret = 0;
5730
5731 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5732 ext = nft_set_elem_ext(set, catchall->elem);
5733 if (!nft_set_elem_active(ext, genmask) ||
5734 nft_set_elem_expired(ext))
5735 continue;
5736
5737 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset);
5738 if (reset && !ret)
5739 audit_log_nft_set_reset(set->table, base_seq, 1);
5740 break;
5741 }
5742
5743 return ret;
5744 }
5745
5746 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5747 {
5748 struct nft_set_dump_ctx *dump_ctx = cb->data;
5749 struct net *net = sock_net(skb->sk);
5750 struct nftables_pernet *nft_net;
5751 struct nft_table *table;
5752 struct nft_set *set;
5753 struct nft_set_dump_args args;
5754 bool set_found = false;
5755 struct nlmsghdr *nlh;
5756 struct nlattr *nest;
5757 u32 portid, seq;
5758 int event;
5759
5760 rcu_read_lock();
5761 nft_net = nft_pernet(net);
5762 cb->seq = READ_ONCE(nft_net->base_seq);
5763
5764 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5765 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5766 dump_ctx->ctx.family != table->family)
5767 continue;
5768
5769 if (table != dump_ctx->ctx.table)
5770 continue;
5771
5772 list_for_each_entry_rcu(set, &table->sets, list) {
5773 if (set == dump_ctx->set) {
5774 set_found = true;
5775 break;
5776 }
5777 }
5778 break;
5779 }
5780
5781 if (!set_found) {
5782 rcu_read_unlock();
5783 return -ENOENT;
5784 }
5785
5786 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5787 portid = NETLINK_CB(cb->skb).portid;
5788 seq = cb->nlh->nlmsg_seq;
5789
5790 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5791 table->family, NFNETLINK_V0, nft_base_seq(net));
5792 if (!nlh)
5793 goto nla_put_failure;
5794
5795 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5796 goto nla_put_failure;
5797 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5798 goto nla_put_failure;
5799
5800 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5801 if (nest == NULL)
5802 goto nla_put_failure;
5803
5804 args.cb = cb;
5805 args.skb = skb;
5806 args.reset = dump_ctx->reset;
5807 args.iter.genmask = nft_genmask_cur(net);
5808 args.iter.skip = cb->args[0];
5809 args.iter.count = 0;
5810 args.iter.err = 0;
5811 args.iter.fn = nf_tables_dump_setelem;
5812 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5813
5814 if (!args.iter.err && args.iter.count == cb->args[0])
5815 args.iter.err = nft_set_catchall_dump(net, skb, set,
5816 dump_ctx->reset, cb->seq);
5817 nla_nest_end(skb, nest);
5818 nlmsg_end(skb, nlh);
5819
5820 if (dump_ctx->reset && args.iter.count > args.iter.skip)
5821 audit_log_nft_set_reset(table, cb->seq,
5822 args.iter.count - args.iter.skip);
5823
5824 rcu_read_unlock();
5825
5826 if (args.iter.err && args.iter.err != -EMSGSIZE)
5827 return args.iter.err;
5828 if (args.iter.count == cb->args[0])
5829 return 0;
5830
5831 cb->args[0] = args.iter.count;
5832 return skb->len;
5833
5834 nla_put_failure:
5835 rcu_read_unlock();
5836 return -ENOSPC;
5837 }
5838
5839 static int nf_tables_dump_set_start(struct netlink_callback *cb)
5840 {
5841 struct nft_set_dump_ctx *dump_ctx = cb->data;
5842
5843 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5844
5845 return cb->data ? 0 : -ENOMEM;
5846 }
5847
5848 static int nf_tables_dump_set_done(struct netlink_callback *cb)
5849 {
5850 kfree(cb->data);
5851 return 0;
5852 }
5853
5854 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5855 const struct nft_ctx *ctx, u32 seq,
5856 u32 portid, int event, u16 flags,
5857 const struct nft_set *set,
5858 const struct nft_elem_priv *elem_priv,
5859 bool reset)
5860 {
5861 struct nlmsghdr *nlh;
5862 struct nlattr *nest;
5863 int err;
5864
5865 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5866 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
5867 NFNETLINK_V0, nft_base_seq(ctx->net));
5868 if (!nlh)
5869 goto nla_put_failure;
5870
5871 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
5872 goto nla_put_failure;
5873 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
5874 goto nla_put_failure;
5875
5876 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5877 if (nest == NULL)
5878 goto nla_put_failure;
5879
5880 err = nf_tables_fill_setelem(skb, set, elem_priv, reset);
5881 if (err < 0)
5882 goto nla_put_failure;
5883
5884 nla_nest_end(skb, nest);
5885
5886 nlmsg_end(skb, nlh);
5887 return 0;
5888
5889 nla_put_failure:
5890 nlmsg_trim(skb, nlh);
5891 return -1;
5892 }
5893
5894 static int nft_setelem_parse_flags(const struct nft_set *set,
5895 const struct nlattr *attr, u32 *flags)
5896 {
5897 if (attr == NULL)
5898 return 0;
5899
5900 *flags = ntohl(nla_get_be32(attr));
5901 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5902 return -EOPNOTSUPP;
5903 if (!(set->flags & NFT_SET_INTERVAL) &&
5904 *flags & NFT_SET_ELEM_INTERVAL_END)
5905 return -EINVAL;
5906 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
5907 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5908 return -EINVAL;
5909
5910 return 0;
5911 }
5912
5913 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
5914 struct nft_data *key, struct nlattr *attr)
5915 {
5916 struct nft_data_desc desc = {
5917 .type = NFT_DATA_VALUE,
5918 .size = NFT_DATA_VALUE_MAXLEN,
5919 .len = set->klen,
5920 };
5921
5922 return nft_data_init(ctx, key, &desc, attr);
5923 }
5924
5925 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
5926 struct nft_data_desc *desc,
5927 struct nft_data *data,
5928 struct nlattr *attr)
5929 {
5930 u32 dtype;
5931
5932 if (set->dtype == NFT_DATA_VERDICT)
5933 dtype = NFT_DATA_VERDICT;
5934 else
5935 dtype = NFT_DATA_VALUE;
5936
5937 desc->type = dtype;
5938 desc->size = NFT_DATA_VALUE_MAXLEN;
5939 desc->len = set->dlen;
5940 desc->flags = NFT_DATA_DESC_SETELEM;
5941
5942 return nft_data_init(ctx, data, desc, attr);
5943 }
5944
5945 static void *nft_setelem_catchall_get(const struct net *net,
5946 const struct nft_set *set)
5947 {
5948 struct nft_set_elem_catchall *catchall;
5949 u8 genmask = nft_genmask_cur(net);
5950 struct nft_set_ext *ext;
5951 void *priv = NULL;
5952
5953 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5954 ext = nft_set_elem_ext(set, catchall->elem);
5955 if (!nft_set_elem_active(ext, genmask) ||
5956 nft_set_elem_expired(ext))
5957 continue;
5958
5959 priv = catchall->elem;
5960 break;
5961 }
5962
5963 return priv;
5964 }
5965
5966 static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set,
5967 struct nft_set_elem *elem, u32 flags)
5968 {
5969 void *priv;
5970
5971 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
5972 priv = set->ops->get(ctx->net, set, elem, flags);
5973 if (IS_ERR(priv))
5974 return PTR_ERR(priv);
5975 } else {
5976 priv = nft_setelem_catchall_get(ctx->net, set);
5977 if (!priv)
5978 return -ENOENT;
5979 }
5980 elem->priv = priv;
5981
5982 return 0;
5983 }
5984
5985 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5986 const struct nlattr *attr, bool reset)
5987 {
5988 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5989 struct nft_set_elem elem;
5990 struct sk_buff *skb;
5991 uint32_t flags = 0;
5992 int err;
5993
5994 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5995 nft_set_elem_policy, NULL);
5996 if (err < 0)
5997 return err;
5998
5999 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6000 if (err < 0)
6001 return err;
6002
6003 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6004 return -EINVAL;
6005
6006 if (nla[NFTA_SET_ELEM_KEY]) {
6007 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6008 nla[NFTA_SET_ELEM_KEY]);
6009 if (err < 0)
6010 return err;
6011 }
6012
6013 if (nla[NFTA_SET_ELEM_KEY_END]) {
6014 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6015 nla[NFTA_SET_ELEM_KEY_END]);
6016 if (err < 0)
6017 return err;
6018 }
6019
6020 err = nft_setelem_get(ctx, set, &elem, flags);
6021 if (err < 0)
6022 return err;
6023
6024 err = -ENOMEM;
6025 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6026 if (skb == NULL)
6027 return err;
6028
6029 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
6030 NFT_MSG_NEWSETELEM, 0, set, elem.priv,
6031 reset);
6032 if (err < 0)
6033 goto err_fill_setelem;
6034
6035 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
6036
6037 err_fill_setelem:
6038 kfree_skb(skb);
6039 return err;
6040 }
6041
6042 /* called with rcu_read_lock held */
6043 static int nf_tables_getsetelem(struct sk_buff *skb,
6044 const struct nfnl_info *info,
6045 const struct nlattr * const nla[])
6046 {
6047 struct netlink_ext_ack *extack = info->extack;
6048 u8 genmask = nft_genmask_cur(info->net);
6049 u8 family = info->nfmsg->nfgen_family;
6050 int rem, err = 0, nelems = 0;
6051 struct net *net = info->net;
6052 struct nft_table *table;
6053 struct nft_set *set;
6054 struct nlattr *attr;
6055 struct nft_ctx ctx;
6056 bool reset = false;
6057
6058 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6059 genmask, 0);
6060 if (IS_ERR(table)) {
6061 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6062 return PTR_ERR(table);
6063 }
6064
6065 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6066 if (IS_ERR(set)) {
6067 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6068 return PTR_ERR(set);
6069 }
6070
6071 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6072
6073 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETSETELEM_RESET)
6074 reset = true;
6075
6076 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6077 struct netlink_dump_control c = {
6078 .start = nf_tables_dump_set_start,
6079 .dump = nf_tables_dump_set,
6080 .done = nf_tables_dump_set_done,
6081 .module = THIS_MODULE,
6082 };
6083 struct nft_set_dump_ctx dump_ctx = {
6084 .set = set,
6085 .ctx = ctx,
6086 .reset = reset,
6087 };
6088
6089 c.data = &dump_ctx;
6090 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6091 }
6092
6093 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6094 return -EINVAL;
6095
6096 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6097 err = nft_get_set_elem(&ctx, set, attr, reset);
6098 if (err < 0) {
6099 NL_SET_BAD_ATTR(extack, attr);
6100 break;
6101 }
6102 nelems++;
6103 }
6104
6105 if (reset)
6106 audit_log_nft_set_reset(table, nft_pernet(net)->base_seq,
6107 nelems);
6108
6109 return err;
6110 }
6111
6112 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6113 const struct nft_set *set,
6114 const struct nft_elem_priv *elem_priv,
6115 int event)
6116 {
6117 struct nftables_pernet *nft_net;
6118 struct net *net = ctx->net;
6119 u32 portid = ctx->portid;
6120 struct sk_buff *skb;
6121 u16 flags = 0;
6122 int err;
6123
6124 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6125 return;
6126
6127 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6128 if (skb == NULL)
6129 goto err;
6130
6131 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6132 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6133
6134 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
6135 set, elem_priv, false);
6136 if (err < 0) {
6137 kfree_skb(skb);
6138 goto err;
6139 }
6140
6141 nft_net = nft_pernet(net);
6142 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
6143 return;
6144 err:
6145 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6146 }
6147
6148 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
6149 int msg_type,
6150 struct nft_set *set)
6151 {
6152 struct nft_trans *trans;
6153
6154 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
6155 if (trans == NULL)
6156 return NULL;
6157
6158 nft_trans_elem_set(trans) = set;
6159 return trans;
6160 }
6161
6162 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6163 const struct nft_set *set,
6164 const struct nlattr *attr)
6165 {
6166 struct nft_expr *expr;
6167 int err;
6168
6169 expr = nft_expr_init(ctx, attr);
6170 if (IS_ERR(expr))
6171 return expr;
6172
6173 err = -EOPNOTSUPP;
6174 if (expr->ops->type->flags & NFT_EXPR_GC) {
6175 if (set->flags & NFT_SET_TIMEOUT)
6176 goto err_set_elem_expr;
6177 if (!set->ops->gc_init)
6178 goto err_set_elem_expr;
6179 set->ops->gc_init(set);
6180 }
6181
6182 return expr;
6183
6184 err_set_elem_expr:
6185 nft_expr_destroy(ctx, expr);
6186 return ERR_PTR(err);
6187 }
6188
6189 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6190 {
6191 len += nft_set_ext_types[id].len;
6192 if (len > tmpl->ext_len[id] ||
6193 len > U8_MAX)
6194 return -1;
6195
6196 return 0;
6197 }
6198
6199 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6200 void *to, const void *from, u32 len)
6201 {
6202 if (nft_set_ext_check(tmpl, id, len) < 0)
6203 return -1;
6204
6205 memcpy(to, from, len);
6206
6207 return 0;
6208 }
6209
6210 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
6211 const struct nft_set_ext_tmpl *tmpl,
6212 const u32 *key, const u32 *key_end,
6213 const u32 *data,
6214 u64 timeout, u64 expiration, gfp_t gfp)
6215 {
6216 struct nft_set_ext *ext;
6217 void *elem;
6218
6219 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
6220 if (elem == NULL)
6221 return ERR_PTR(-ENOMEM);
6222
6223 ext = nft_set_elem_ext(set, elem);
6224 nft_set_ext_init(ext, tmpl);
6225
6226 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6227 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
6228 nft_set_ext_key(ext), key, set->klen) < 0)
6229 goto err_ext_check;
6230
6231 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6232 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
6233 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
6234 goto err_ext_check;
6235
6236 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6237 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
6238 nft_set_ext_data(ext), data, set->dlen) < 0)
6239 goto err_ext_check;
6240
6241 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
6242 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
6243 if (expiration == 0)
6244 *nft_set_ext_expiration(ext) += timeout;
6245 }
6246 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
6247 *nft_set_ext_timeout(ext) = timeout;
6248
6249 return elem;
6250
6251 err_ext_check:
6252 kfree(elem);
6253
6254 return ERR_PTR(-EINVAL);
6255 }
6256
6257 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6258 struct nft_expr *expr)
6259 {
6260 if (expr->ops->destroy_clone) {
6261 expr->ops->destroy_clone(ctx, expr);
6262 module_put(expr->ops->type->owner);
6263 } else {
6264 nf_tables_expr_destroy(ctx, expr);
6265 }
6266 }
6267
6268 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6269 struct nft_set_elem_expr *elem_expr)
6270 {
6271 struct nft_expr *expr;
6272 u32 size;
6273
6274 nft_setelem_expr_foreach(expr, elem_expr, size)
6275 __nft_set_elem_expr_destroy(ctx, expr);
6276 }
6277
6278 /* Drop references and destroy. Called from gc, dynset and abort path. */
6279 void nft_set_elem_destroy(const struct nft_set *set,
6280 const struct nft_elem_priv *elem_priv,
6281 bool destroy_expr)
6282 {
6283 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6284 struct nft_ctx ctx = {
6285 .net = read_pnet(&set->net),
6286 .family = set->table->family,
6287 };
6288
6289 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
6290 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6291 nft_data_release(nft_set_ext_data(ext), set->dtype);
6292 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6293 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
6294 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6295 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
6296
6297 kfree(elem_priv);
6298 }
6299 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6300
6301 /* Destroy element. References have been already dropped in the preparation
6302 * path via nft_setelem_data_deactivate().
6303 */
6304 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6305 const struct nft_set *set,
6306 const struct nft_elem_priv *elem_priv)
6307 {
6308 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6309
6310 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6311 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6312
6313 kfree(elem_priv);
6314 }
6315
6316 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6317 struct nft_expr *expr_array[])
6318 {
6319 struct nft_expr *expr;
6320 int err, i, k;
6321
6322 for (i = 0; i < set->num_exprs; i++) {
6323 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6324 if (!expr)
6325 goto err_expr;
6326
6327 err = nft_expr_clone(expr, set->exprs[i]);
6328 if (err < 0) {
6329 kfree(expr);
6330 goto err_expr;
6331 }
6332 expr_array[i] = expr;
6333 }
6334
6335 return 0;
6336
6337 err_expr:
6338 for (k = i - 1; k >= 0; k--)
6339 nft_expr_destroy(ctx, expr_array[k]);
6340
6341 return -ENOMEM;
6342 }
6343
6344 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6345 const struct nft_set_ext_tmpl *tmpl,
6346 const struct nft_set_ext *ext,
6347 struct nft_expr *expr_array[],
6348 u32 num_exprs)
6349 {
6350 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6351 u32 len = sizeof(struct nft_set_elem_expr);
6352 struct nft_expr *expr;
6353 int i, err;
6354
6355 if (num_exprs == 0)
6356 return 0;
6357
6358 for (i = 0; i < num_exprs; i++)
6359 len += expr_array[i]->ops->size;
6360
6361 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6362 return -EINVAL;
6363
6364 for (i = 0; i < num_exprs; i++) {
6365 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6366 err = nft_expr_clone(expr, expr_array[i]);
6367 if (err < 0)
6368 goto err_elem_expr_setup;
6369
6370 elem_expr->size += expr_array[i]->ops->size;
6371 nft_expr_destroy(ctx, expr_array[i]);
6372 expr_array[i] = NULL;
6373 }
6374
6375 return 0;
6376
6377 err_elem_expr_setup:
6378 for (; i < num_exprs; i++) {
6379 nft_expr_destroy(ctx, expr_array[i]);
6380 expr_array[i] = NULL;
6381 }
6382
6383 return -ENOMEM;
6384 }
6385
6386 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6387 const struct nft_set *set)
6388 {
6389 struct nft_set_elem_catchall *catchall;
6390 u8 genmask = nft_genmask_cur(net);
6391 struct nft_set_ext *ext;
6392
6393 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6394 ext = nft_set_elem_ext(set, catchall->elem);
6395 if (nft_set_elem_active(ext, genmask) &&
6396 !nft_set_elem_expired(ext) &&
6397 !nft_set_elem_is_dead(ext))
6398 return ext;
6399 }
6400
6401 return NULL;
6402 }
6403 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6404
6405 static int nft_setelem_catchall_insert(const struct net *net,
6406 struct nft_set *set,
6407 const struct nft_set_elem *elem,
6408 struct nft_elem_priv **priv)
6409 {
6410 struct nft_set_elem_catchall *catchall;
6411 u8 genmask = nft_genmask_next(net);
6412 struct nft_set_ext *ext;
6413
6414 list_for_each_entry(catchall, &set->catchall_list, list) {
6415 ext = nft_set_elem_ext(set, catchall->elem);
6416 if (nft_set_elem_active(ext, genmask)) {
6417 *priv = catchall->elem;
6418 return -EEXIST;
6419 }
6420 }
6421
6422 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
6423 if (!catchall)
6424 return -ENOMEM;
6425
6426 catchall->elem = elem->priv;
6427 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6428
6429 return 0;
6430 }
6431
6432 static int nft_setelem_insert(const struct net *net,
6433 struct nft_set *set,
6434 const struct nft_set_elem *elem,
6435 struct nft_elem_priv **elem_priv,
6436 unsigned int flags)
6437 {
6438 int ret;
6439
6440 if (flags & NFT_SET_ELEM_CATCHALL)
6441 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv);
6442 else
6443 ret = set->ops->insert(net, set, elem, elem_priv);
6444
6445 return ret;
6446 }
6447
6448 static bool nft_setelem_is_catchall(const struct nft_set *set,
6449 const struct nft_elem_priv *elem_priv)
6450 {
6451 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6452
6453 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6454 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6455 return true;
6456
6457 return false;
6458 }
6459
6460 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6461 struct nft_elem_priv *elem_priv)
6462 {
6463 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6464
6465 if (nft_setelem_is_catchall(set, elem_priv)) {
6466 nft_set_elem_change_active(net, set, ext);
6467 } else {
6468 set->ops->activate(net, set, elem_priv);
6469 }
6470 }
6471
6472 static int nft_setelem_catchall_deactivate(const struct net *net,
6473 struct nft_set *set,
6474 struct nft_set_elem *elem)
6475 {
6476 struct nft_set_elem_catchall *catchall;
6477 struct nft_set_ext *ext;
6478
6479 list_for_each_entry(catchall, &set->catchall_list, list) {
6480 ext = nft_set_elem_ext(set, catchall->elem);
6481 if (!nft_is_active(net, ext))
6482 continue;
6483
6484 kfree(elem->priv);
6485 elem->priv = catchall->elem;
6486 nft_set_elem_change_active(net, set, ext);
6487 return 0;
6488 }
6489
6490 return -ENOENT;
6491 }
6492
6493 static int __nft_setelem_deactivate(const struct net *net,
6494 struct nft_set *set,
6495 struct nft_set_elem *elem)
6496 {
6497 void *priv;
6498
6499 priv = set->ops->deactivate(net, set, elem);
6500 if (!priv)
6501 return -ENOENT;
6502
6503 kfree(elem->priv);
6504 elem->priv = priv;
6505 set->ndeact++;
6506
6507 return 0;
6508 }
6509
6510 static int nft_setelem_deactivate(const struct net *net,
6511 struct nft_set *set,
6512 struct nft_set_elem *elem, u32 flags)
6513 {
6514 int ret;
6515
6516 if (flags & NFT_SET_ELEM_CATCHALL)
6517 ret = nft_setelem_catchall_deactivate(net, set, elem);
6518 else
6519 ret = __nft_setelem_deactivate(net, set, elem);
6520
6521 return ret;
6522 }
6523
6524 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
6525 {
6526 list_del_rcu(&catchall->list);
6527 kfree_rcu(catchall, rcu);
6528 }
6529
6530 static void nft_setelem_catchall_remove(const struct net *net,
6531 const struct nft_set *set,
6532 struct nft_elem_priv *elem_priv)
6533 {
6534 struct nft_set_elem_catchall *catchall, *next;
6535
6536 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6537 if (catchall->elem == elem_priv) {
6538 nft_setelem_catchall_destroy(catchall);
6539 break;
6540 }
6541 }
6542 }
6543
6544 static void nft_setelem_remove(const struct net *net,
6545 const struct nft_set *set,
6546 struct nft_elem_priv *elem_priv)
6547 {
6548 if (nft_setelem_is_catchall(set, elem_priv))
6549 nft_setelem_catchall_remove(net, set, elem_priv);
6550 else
6551 set->ops->remove(net, set, elem_priv);
6552 }
6553
6554 static bool nft_setelem_valid_key_end(const struct nft_set *set,
6555 struct nlattr **nla, u32 flags)
6556 {
6557 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6558 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6559 if (flags & NFT_SET_ELEM_INTERVAL_END)
6560 return false;
6561
6562 if (nla[NFTA_SET_ELEM_KEY_END] &&
6563 flags & NFT_SET_ELEM_CATCHALL)
6564 return false;
6565 } else {
6566 if (nla[NFTA_SET_ELEM_KEY_END])
6567 return false;
6568 }
6569
6570 return true;
6571 }
6572
6573 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6574 const struct nlattr *attr, u32 nlmsg_flags)
6575 {
6576 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6577 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6578 u8 genmask = nft_genmask_next(ctx->net);
6579 u32 flags = 0, size = 0, num_exprs = 0;
6580 struct nft_set_ext_tmpl tmpl;
6581 struct nft_set_ext *ext, *ext2;
6582 struct nft_set_elem elem;
6583 struct nft_set_binding *binding;
6584 struct nft_elem_priv *elem_priv;
6585 struct nft_object *obj = NULL;
6586 struct nft_userdata *udata;
6587 struct nft_data_desc desc;
6588 enum nft_registers dreg;
6589 struct nft_trans *trans;
6590 u64 expiration;
6591 u64 timeout;
6592 int err, i;
6593 u8 ulen;
6594
6595 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6596 nft_set_elem_policy, NULL);
6597 if (err < 0)
6598 return err;
6599
6600 nft_set_ext_prepare(&tmpl);
6601
6602 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6603 if (err < 0)
6604 return err;
6605
6606 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6607 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6608 return -EINVAL;
6609
6610 if (flags != 0) {
6611 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6612 if (err < 0)
6613 return err;
6614 }
6615
6616 if (set->flags & NFT_SET_MAP) {
6617 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6618 !(flags & NFT_SET_ELEM_INTERVAL_END))
6619 return -EINVAL;
6620 } else {
6621 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6622 return -EINVAL;
6623 }
6624
6625 if (set->flags & NFT_SET_OBJECT) {
6626 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6627 !(flags & NFT_SET_ELEM_INTERVAL_END))
6628 return -EINVAL;
6629 } else {
6630 if (nla[NFTA_SET_ELEM_OBJREF])
6631 return -EINVAL;
6632 }
6633
6634 if (!nft_setelem_valid_key_end(set, nla, flags))
6635 return -EINVAL;
6636
6637 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6638 (nla[NFTA_SET_ELEM_DATA] ||
6639 nla[NFTA_SET_ELEM_OBJREF] ||
6640 nla[NFTA_SET_ELEM_TIMEOUT] ||
6641 nla[NFTA_SET_ELEM_EXPIRATION] ||
6642 nla[NFTA_SET_ELEM_USERDATA] ||
6643 nla[NFTA_SET_ELEM_EXPR] ||
6644 nla[NFTA_SET_ELEM_KEY_END] ||
6645 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6646 return -EINVAL;
6647
6648 timeout = 0;
6649 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6650 if (!(set->flags & NFT_SET_TIMEOUT))
6651 return -EINVAL;
6652 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6653 &timeout);
6654 if (err)
6655 return err;
6656 } else if (set->flags & NFT_SET_TIMEOUT &&
6657 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6658 timeout = READ_ONCE(set->timeout);
6659 }
6660
6661 expiration = 0;
6662 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6663 if (!(set->flags & NFT_SET_TIMEOUT))
6664 return -EINVAL;
6665 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6666 &expiration);
6667 if (err)
6668 return err;
6669 }
6670
6671 if (nla[NFTA_SET_ELEM_EXPR]) {
6672 struct nft_expr *expr;
6673
6674 if (set->num_exprs && set->num_exprs != 1)
6675 return -EOPNOTSUPP;
6676
6677 expr = nft_set_elem_expr_alloc(ctx, set,
6678 nla[NFTA_SET_ELEM_EXPR]);
6679 if (IS_ERR(expr))
6680 return PTR_ERR(expr);
6681
6682 expr_array[0] = expr;
6683 num_exprs = 1;
6684
6685 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6686 err = -EOPNOTSUPP;
6687 goto err_set_elem_expr;
6688 }
6689 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6690 struct nft_expr *expr;
6691 struct nlattr *tmp;
6692 int left;
6693
6694 i = 0;
6695 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6696 if (i == NFT_SET_EXPR_MAX ||
6697 (set->num_exprs && set->num_exprs == i)) {
6698 err = -E2BIG;
6699 goto err_set_elem_expr;
6700 }
6701 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6702 err = -EINVAL;
6703 goto err_set_elem_expr;
6704 }
6705 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6706 if (IS_ERR(expr)) {
6707 err = PTR_ERR(expr);
6708 goto err_set_elem_expr;
6709 }
6710 expr_array[i] = expr;
6711 num_exprs++;
6712
6713 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6714 err = -EOPNOTSUPP;
6715 goto err_set_elem_expr;
6716 }
6717 i++;
6718 }
6719 if (set->num_exprs && set->num_exprs != i) {
6720 err = -EOPNOTSUPP;
6721 goto err_set_elem_expr;
6722 }
6723 } else if (set->num_exprs > 0 &&
6724 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6725 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6726 if (err < 0)
6727 goto err_set_elem_expr_clone;
6728
6729 num_exprs = set->num_exprs;
6730 }
6731
6732 if (nla[NFTA_SET_ELEM_KEY]) {
6733 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6734 nla[NFTA_SET_ELEM_KEY]);
6735 if (err < 0)
6736 goto err_set_elem_expr;
6737
6738 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6739 if (err < 0)
6740 goto err_parse_key;
6741 }
6742
6743 if (nla[NFTA_SET_ELEM_KEY_END]) {
6744 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6745 nla[NFTA_SET_ELEM_KEY_END]);
6746 if (err < 0)
6747 goto err_parse_key;
6748
6749 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6750 if (err < 0)
6751 goto err_parse_key_end;
6752 }
6753
6754 if (timeout > 0) {
6755 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
6756 if (err < 0)
6757 goto err_parse_key_end;
6758
6759 if (timeout != READ_ONCE(set->timeout)) {
6760 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
6761 if (err < 0)
6762 goto err_parse_key_end;
6763 }
6764 }
6765
6766 if (num_exprs) {
6767 for (i = 0; i < num_exprs; i++)
6768 size += expr_array[i]->ops->size;
6769
6770 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
6771 sizeof(struct nft_set_elem_expr) + size);
6772 if (err < 0)
6773 goto err_parse_key_end;
6774 }
6775
6776 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
6777 obj = nft_obj_lookup(ctx->net, ctx->table,
6778 nla[NFTA_SET_ELEM_OBJREF],
6779 set->objtype, genmask);
6780 if (IS_ERR(obj)) {
6781 err = PTR_ERR(obj);
6782 obj = NULL;
6783 goto err_parse_key_end;
6784 }
6785
6786 if (!nft_use_inc(&obj->use)) {
6787 err = -EMFILE;
6788 obj = NULL;
6789 goto err_parse_key_end;
6790 }
6791
6792 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
6793 if (err < 0)
6794 goto err_parse_key_end;
6795 }
6796
6797 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
6798 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
6799 nla[NFTA_SET_ELEM_DATA]);
6800 if (err < 0)
6801 goto err_parse_key_end;
6802
6803 dreg = nft_type_to_reg(set->dtype);
6804 list_for_each_entry(binding, &set->bindings, list) {
6805 struct nft_ctx bind_ctx = {
6806 .net = ctx->net,
6807 .family = ctx->family,
6808 .table = ctx->table,
6809 .chain = (struct nft_chain *)binding->chain,
6810 };
6811
6812 if (!(binding->flags & NFT_SET_MAP))
6813 continue;
6814
6815 err = nft_validate_register_store(&bind_ctx, dreg,
6816 &elem.data.val,
6817 desc.type, desc.len);
6818 if (err < 0)
6819 goto err_parse_data;
6820
6821 if (desc.type == NFT_DATA_VERDICT &&
6822 (elem.data.val.verdict.code == NFT_GOTO ||
6823 elem.data.val.verdict.code == NFT_JUMP))
6824 nft_validate_state_update(ctx->table,
6825 NFT_VALIDATE_NEED);
6826 }
6827
6828 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
6829 if (err < 0)
6830 goto err_parse_data;
6831 }
6832
6833 /* The full maximum length of userdata can exceed the maximum
6834 * offset value (U8_MAX) for following extensions, therefor it
6835 * must be the last extension added.
6836 */
6837 ulen = 0;
6838 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
6839 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
6840 if (ulen > 0) {
6841 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
6842 ulen);
6843 if (err < 0)
6844 goto err_parse_data;
6845 }
6846 }
6847
6848 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6849 elem.key_end.val.data, elem.data.val.data,
6850 timeout, expiration, GFP_KERNEL_ACCOUNT);
6851 if (IS_ERR(elem.priv)) {
6852 err = PTR_ERR(elem.priv);
6853 goto err_parse_data;
6854 }
6855
6856 ext = nft_set_elem_ext(set, elem.priv);
6857 if (flags)
6858 *nft_set_ext_flags(ext) = flags;
6859
6860 if (obj)
6861 *nft_set_ext_obj(ext) = obj;
6862
6863 if (ulen > 0) {
6864 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
6865 err = -EINVAL;
6866 goto err_elem_free;
6867 }
6868 udata = nft_set_ext_userdata(ext);
6869 udata->len = ulen - 1;
6870 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
6871 }
6872 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
6873 if (err < 0)
6874 goto err_elem_free;
6875
6876 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
6877 if (trans == NULL) {
6878 err = -ENOMEM;
6879 goto err_elem_free;
6880 }
6881
6882 ext->genmask = nft_genmask_cur(ctx->net);
6883
6884 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags);
6885 if (err) {
6886 if (err == -EEXIST) {
6887 ext2 = nft_set_elem_ext(set, elem_priv);
6888 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
6889 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
6890 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
6891 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
6892 goto err_element_clash;
6893 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6894 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
6895 memcmp(nft_set_ext_data(ext),
6896 nft_set_ext_data(ext2), set->dlen) != 0) ||
6897 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
6898 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
6899 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
6900 goto err_element_clash;
6901 else if (!(nlmsg_flags & NLM_F_EXCL))
6902 err = 0;
6903 } else if (err == -ENOTEMPTY) {
6904 /* ENOTEMPTY reports overlapping between this element
6905 * and an existing one.
6906 */
6907 err = -EEXIST;
6908 }
6909 goto err_element_clash;
6910 }
6911
6912 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6913 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX;
6914
6915 if (!atomic_add_unless(&set->nelems, 1, max)) {
6916 err = -ENFILE;
6917 goto err_set_full;
6918 }
6919 }
6920
6921 nft_trans_elem_priv(trans) = elem.priv;
6922 nft_trans_commit_list_add_tail(ctx->net, trans);
6923 return 0;
6924
6925 err_set_full:
6926 nft_setelem_remove(ctx->net, set, elem.priv);
6927 err_element_clash:
6928 kfree(trans);
6929 err_elem_free:
6930 nf_tables_set_elem_destroy(ctx, set, elem.priv);
6931 err_parse_data:
6932 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6933 nft_data_release(&elem.data.val, desc.type);
6934 err_parse_key_end:
6935 if (obj)
6936 nft_use_dec_restore(&obj->use);
6937
6938 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
6939 err_parse_key:
6940 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6941 err_set_elem_expr:
6942 for (i = 0; i < num_exprs && expr_array[i]; i++)
6943 nft_expr_destroy(ctx, expr_array[i]);
6944 err_set_elem_expr_clone:
6945 return err;
6946 }
6947
6948 static int nf_tables_newsetelem(struct sk_buff *skb,
6949 const struct nfnl_info *info,
6950 const struct nlattr * const nla[])
6951 {
6952 struct netlink_ext_ack *extack = info->extack;
6953 u8 genmask = nft_genmask_next(info->net);
6954 u8 family = info->nfmsg->nfgen_family;
6955 struct net *net = info->net;
6956 const struct nlattr *attr;
6957 struct nft_table *table;
6958 struct nft_set *set;
6959 struct nft_ctx ctx;
6960 int rem, err;
6961
6962 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
6963 return -EINVAL;
6964
6965 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6966 genmask, NETLINK_CB(skb).portid);
6967 if (IS_ERR(table)) {
6968 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6969 return PTR_ERR(table);
6970 }
6971
6972 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
6973 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
6974 if (IS_ERR(set)) {
6975 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6976 return PTR_ERR(set);
6977 }
6978
6979 if (!list_empty(&set->bindings) &&
6980 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
6981 return -EBUSY;
6982
6983 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6984
6985 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6986 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
6987 if (err < 0) {
6988 NL_SET_BAD_ATTR(extack, attr);
6989 return err;
6990 }
6991 }
6992
6993 if (table->validate_state == NFT_VALIDATE_DO)
6994 return nft_table_validate(net, table);
6995
6996 return 0;
6997 }
6998
6999 /**
7000 * nft_data_hold - hold a nft_data item
7001 *
7002 * @data: struct nft_data to release
7003 * @type: type of data
7004 *
7005 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7006 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7007 * NFT_GOTO verdicts. This function must be called on active data objects
7008 * from the second phase of the commit protocol.
7009 */
7010 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7011 {
7012 struct nft_chain *chain;
7013
7014 if (type == NFT_DATA_VERDICT) {
7015 switch (data->verdict.code) {
7016 case NFT_JUMP:
7017 case NFT_GOTO:
7018 chain = data->verdict.chain;
7019 nft_use_inc_restore(&chain->use);
7020 break;
7021 }
7022 }
7023 }
7024
7025 static void nft_setelem_data_activate(const struct net *net,
7026 const struct nft_set *set,
7027 struct nft_elem_priv *elem_priv)
7028 {
7029 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7030
7031 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7032 nft_data_hold(nft_set_ext_data(ext), set->dtype);
7033 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7034 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
7035 }
7036
7037 void nft_setelem_data_deactivate(const struct net *net,
7038 const struct nft_set *set,
7039 struct nft_elem_priv *elem_priv)
7040 {
7041 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7042
7043 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7044 nft_data_release(nft_set_ext_data(ext), set->dtype);
7045 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7046 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
7047 }
7048
7049 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7050 const struct nlattr *attr)
7051 {
7052 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7053 struct nft_set_ext_tmpl tmpl;
7054 struct nft_set_elem elem;
7055 struct nft_set_ext *ext;
7056 struct nft_trans *trans;
7057 u32 flags = 0;
7058 int err;
7059
7060 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7061 nft_set_elem_policy, NULL);
7062 if (err < 0)
7063 return err;
7064
7065 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7066 if (err < 0)
7067 return err;
7068
7069 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7070 return -EINVAL;
7071
7072 if (!nft_setelem_valid_key_end(set, nla, flags))
7073 return -EINVAL;
7074
7075 nft_set_ext_prepare(&tmpl);
7076
7077 if (flags != 0) {
7078 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7079 if (err < 0)
7080 return err;
7081 }
7082
7083 if (nla[NFTA_SET_ELEM_KEY]) {
7084 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7085 nla[NFTA_SET_ELEM_KEY]);
7086 if (err < 0)
7087 return err;
7088
7089 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7090 if (err < 0)
7091 goto fail_elem;
7092 }
7093
7094 if (nla[NFTA_SET_ELEM_KEY_END]) {
7095 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7096 nla[NFTA_SET_ELEM_KEY_END]);
7097 if (err < 0)
7098 goto fail_elem;
7099
7100 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7101 if (err < 0)
7102 goto fail_elem_key_end;
7103 }
7104
7105 err = -ENOMEM;
7106 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7107 elem.key_end.val.data, NULL, 0, 0,
7108 GFP_KERNEL_ACCOUNT);
7109 if (IS_ERR(elem.priv)) {
7110 err = PTR_ERR(elem.priv);
7111 goto fail_elem_key_end;
7112 }
7113
7114 ext = nft_set_elem_ext(set, elem.priv);
7115 if (flags)
7116 *nft_set_ext_flags(ext) = flags;
7117
7118 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7119 if (trans == NULL)
7120 goto fail_trans;
7121
7122 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
7123 if (err < 0)
7124 goto fail_ops;
7125
7126 nft_setelem_data_deactivate(ctx->net, set, elem.priv);
7127
7128 nft_trans_elem_priv(trans) = elem.priv;
7129 nft_trans_commit_list_add_tail(ctx->net, trans);
7130 return 0;
7131
7132 fail_ops:
7133 kfree(trans);
7134 fail_trans:
7135 kfree(elem.priv);
7136 fail_elem_key_end:
7137 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7138 fail_elem:
7139 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7140 return err;
7141 }
7142
7143 static int nft_setelem_flush(const struct nft_ctx *ctx,
7144 struct nft_set *set,
7145 const struct nft_set_iter *iter,
7146 struct nft_elem_priv *elem_priv)
7147 {
7148 struct nft_trans *trans;
7149
7150 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7151 sizeof(struct nft_trans_elem), GFP_ATOMIC);
7152 if (!trans)
7153 return -ENOMEM;
7154
7155 set->ops->flush(ctx->net, set, elem_priv);
7156 set->ndeact++;
7157
7158 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7159 nft_trans_elem_set(trans) = set;
7160 nft_trans_elem_priv(trans) = elem_priv;
7161 nft_trans_commit_list_add_tail(ctx->net, trans);
7162
7163 return 0;
7164 }
7165
7166 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7167 struct nft_set *set,
7168 struct nft_elem_priv *elem_priv)
7169 {
7170 struct nft_trans *trans;
7171
7172 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7173 sizeof(struct nft_trans_elem), GFP_KERNEL);
7174 if (!trans)
7175 return -ENOMEM;
7176
7177 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7178 nft_trans_elem_set(trans) = set;
7179 nft_trans_elem_priv(trans) = elem_priv;
7180 nft_trans_commit_list_add_tail(ctx->net, trans);
7181
7182 return 0;
7183 }
7184
7185 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7186 struct nft_set *set)
7187 {
7188 u8 genmask = nft_genmask_next(ctx->net);
7189 struct nft_set_elem_catchall *catchall;
7190 struct nft_set_ext *ext;
7191 int ret = 0;
7192
7193 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
7194 ext = nft_set_elem_ext(set, catchall->elem);
7195 if (!nft_set_elem_active(ext, genmask))
7196 continue;
7197
7198 ret = __nft_set_catchall_flush(ctx, set, catchall->elem);
7199 if (ret < 0)
7200 break;
7201 nft_set_elem_change_active(ctx->net, set, ext);
7202 }
7203
7204 return ret;
7205 }
7206
7207 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
7208 {
7209 struct nft_set_iter iter = {
7210 .genmask = genmask,
7211 .fn = nft_setelem_flush,
7212 };
7213
7214 set->ops->walk(ctx, set, &iter);
7215 if (!iter.err)
7216 iter.err = nft_set_catchall_flush(ctx, set);
7217
7218 return iter.err;
7219 }
7220
7221 static int nf_tables_delsetelem(struct sk_buff *skb,
7222 const struct nfnl_info *info,
7223 const struct nlattr * const nla[])
7224 {
7225 struct netlink_ext_ack *extack = info->extack;
7226 u8 genmask = nft_genmask_next(info->net);
7227 u8 family = info->nfmsg->nfgen_family;
7228 struct net *net = info->net;
7229 const struct nlattr *attr;
7230 struct nft_table *table;
7231 struct nft_set *set;
7232 struct nft_ctx ctx;
7233 int rem, err = 0;
7234
7235 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7236 genmask, NETLINK_CB(skb).portid);
7237 if (IS_ERR(table)) {
7238 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7239 return PTR_ERR(table);
7240 }
7241
7242 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
7243 if (IS_ERR(set)) {
7244 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7245 return PTR_ERR(set);
7246 }
7247
7248 if (nft_set_is_anonymous(set))
7249 return -EOPNOTSUPP;
7250
7251 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
7252 return -EBUSY;
7253
7254 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7255
7256 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
7257 return nft_set_flush(&ctx, set, genmask);
7258
7259 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7260 err = nft_del_setelem(&ctx, set, attr);
7261 if (err == -ENOENT &&
7262 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
7263 continue;
7264
7265 if (err < 0) {
7266 NL_SET_BAD_ATTR(extack, attr);
7267 return err;
7268 }
7269 }
7270
7271 return 0;
7272 }
7273
7274 /*
7275 * Stateful objects
7276 */
7277
7278 /**
7279 * nft_register_obj- register nf_tables stateful object type
7280 * @obj_type: object type
7281 *
7282 * Registers the object type for use with nf_tables. Returns zero on
7283 * success or a negative errno code otherwise.
7284 */
7285 int nft_register_obj(struct nft_object_type *obj_type)
7286 {
7287 if (obj_type->type == NFT_OBJECT_UNSPEC)
7288 return -EINVAL;
7289
7290 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7291 list_add_rcu(&obj_type->list, &nf_tables_objects);
7292 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7293 return 0;
7294 }
7295 EXPORT_SYMBOL_GPL(nft_register_obj);
7296
7297 /**
7298 * nft_unregister_obj - unregister nf_tables object type
7299 * @obj_type: object type
7300 *
7301 * Unregisters the object type for use with nf_tables.
7302 */
7303 void nft_unregister_obj(struct nft_object_type *obj_type)
7304 {
7305 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7306 list_del_rcu(&obj_type->list);
7307 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7308 }
7309 EXPORT_SYMBOL_GPL(nft_unregister_obj);
7310
7311 struct nft_object *nft_obj_lookup(const struct net *net,
7312 const struct nft_table *table,
7313 const struct nlattr *nla, u32 objtype,
7314 u8 genmask)
7315 {
7316 struct nft_object_hash_key k = { .table = table };
7317 char search[NFT_OBJ_MAXNAMELEN];
7318 struct rhlist_head *tmp, *list;
7319 struct nft_object *obj;
7320
7321 nla_strscpy(search, nla, sizeof(search));
7322 k.name = search;
7323
7324 WARN_ON_ONCE(!rcu_read_lock_held() &&
7325 !lockdep_commit_lock_is_held(net));
7326
7327 rcu_read_lock();
7328 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
7329 if (!list)
7330 goto out;
7331
7332 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
7333 if (objtype == obj->ops->type->type &&
7334 nft_active_genmask(obj, genmask)) {
7335 rcu_read_unlock();
7336 return obj;
7337 }
7338 }
7339 out:
7340 rcu_read_unlock();
7341 return ERR_PTR(-ENOENT);
7342 }
7343 EXPORT_SYMBOL_GPL(nft_obj_lookup);
7344
7345 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7346 const struct nlattr *nla,
7347 u32 objtype, u8 genmask)
7348 {
7349 struct nft_object *obj;
7350
7351 list_for_each_entry(obj, &table->objects, list) {
7352 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7353 objtype == obj->ops->type->type &&
7354 nft_active_genmask(obj, genmask))
7355 return obj;
7356 }
7357 return ERR_PTR(-ENOENT);
7358 }
7359
7360 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7361 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7362 .len = NFT_TABLE_MAXNAMELEN - 1 },
7363 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7364 .len = NFT_OBJ_MAXNAMELEN - 1 },
7365 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7366 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7367 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7368 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7369 .len = NFT_USERDATA_MAXLEN },
7370 };
7371
7372 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7373 const struct nft_object_type *type,
7374 const struct nlattr *attr)
7375 {
7376 struct nlattr **tb;
7377 const struct nft_object_ops *ops;
7378 struct nft_object *obj;
7379 int err = -ENOMEM;
7380
7381 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
7382 if (!tb)
7383 goto err1;
7384
7385 if (attr) {
7386 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
7387 type->policy, NULL);
7388 if (err < 0)
7389 goto err2;
7390 } else {
7391 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7392 }
7393
7394 if (type->select_ops) {
7395 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7396 if (IS_ERR(ops)) {
7397 err = PTR_ERR(ops);
7398 goto err2;
7399 }
7400 } else {
7401 ops = type->ops;
7402 }
7403
7404 err = -ENOMEM;
7405 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7406 if (!obj)
7407 goto err2;
7408
7409 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7410 if (err < 0)
7411 goto err3;
7412
7413 obj->ops = ops;
7414
7415 kfree(tb);
7416 return obj;
7417 err3:
7418 kfree(obj);
7419 err2:
7420 kfree(tb);
7421 err1:
7422 return ERR_PTR(err);
7423 }
7424
7425 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7426 struct nft_object *obj, bool reset)
7427 {
7428 struct nlattr *nest;
7429
7430 nest = nla_nest_start_noflag(skb, attr);
7431 if (!nest)
7432 goto nla_put_failure;
7433 if (obj->ops->dump(skb, obj, reset) < 0)
7434 goto nla_put_failure;
7435 nla_nest_end(skb, nest);
7436 return 0;
7437
7438 nla_put_failure:
7439 return -1;
7440 }
7441
7442 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
7443 {
7444 const struct nft_object_type *type;
7445
7446 list_for_each_entry(type, &nf_tables_objects, list) {
7447 if (objtype == type->type)
7448 return type;
7449 }
7450 return NULL;
7451 }
7452
7453 static const struct nft_object_type *
7454 nft_obj_type_get(struct net *net, u32 objtype)
7455 {
7456 const struct nft_object_type *type;
7457
7458 type = __nft_obj_type_get(objtype);
7459 if (type != NULL && try_module_get(type->owner))
7460 return type;
7461
7462 lockdep_nfnl_nft_mutex_not_held();
7463 #ifdef CONFIG_MODULES
7464 if (type == NULL) {
7465 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7466 return ERR_PTR(-EAGAIN);
7467 }
7468 #endif
7469 return ERR_PTR(-ENOENT);
7470 }
7471
7472 static int nf_tables_updobj(const struct nft_ctx *ctx,
7473 const struct nft_object_type *type,
7474 const struct nlattr *attr,
7475 struct nft_object *obj)
7476 {
7477 struct nft_object *newobj;
7478 struct nft_trans *trans;
7479 int err = -ENOMEM;
7480
7481 if (!try_module_get(type->owner))
7482 return -ENOENT;
7483
7484 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
7485 sizeof(struct nft_trans_obj));
7486 if (!trans)
7487 goto err_trans;
7488
7489 newobj = nft_obj_init(ctx, type, attr);
7490 if (IS_ERR(newobj)) {
7491 err = PTR_ERR(newobj);
7492 goto err_free_trans;
7493 }
7494
7495 nft_trans_obj(trans) = obj;
7496 nft_trans_obj_update(trans) = true;
7497 nft_trans_obj_newobj(trans) = newobj;
7498 nft_trans_commit_list_add_tail(ctx->net, trans);
7499
7500 return 0;
7501
7502 err_free_trans:
7503 kfree(trans);
7504 err_trans:
7505 module_put(type->owner);
7506 return err;
7507 }
7508
7509 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7510 const struct nlattr * const nla[])
7511 {
7512 struct netlink_ext_ack *extack = info->extack;
7513 u8 genmask = nft_genmask_next(info->net);
7514 u8 family = info->nfmsg->nfgen_family;
7515 const struct nft_object_type *type;
7516 struct net *net = info->net;
7517 struct nft_table *table;
7518 struct nft_object *obj;
7519 struct nft_ctx ctx;
7520 u32 objtype;
7521 int err;
7522
7523 if (!nla[NFTA_OBJ_TYPE] ||
7524 !nla[NFTA_OBJ_NAME] ||
7525 !nla[NFTA_OBJ_DATA])
7526 return -EINVAL;
7527
7528 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7529 NETLINK_CB(skb).portid);
7530 if (IS_ERR(table)) {
7531 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7532 return PTR_ERR(table);
7533 }
7534
7535 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7536 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7537 if (IS_ERR(obj)) {
7538 err = PTR_ERR(obj);
7539 if (err != -ENOENT) {
7540 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7541 return err;
7542 }
7543 } else {
7544 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7545 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7546 return -EEXIST;
7547 }
7548 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7549 return -EOPNOTSUPP;
7550
7551 type = __nft_obj_type_get(objtype);
7552 if (WARN_ON_ONCE(!type))
7553 return -ENOENT;
7554
7555 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7556
7557 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
7558 }
7559
7560 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7561
7562 if (!nft_use_inc(&table->use))
7563 return -EMFILE;
7564
7565 type = nft_obj_type_get(net, objtype);
7566 if (IS_ERR(type)) {
7567 err = PTR_ERR(type);
7568 goto err_type;
7569 }
7570
7571 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
7572 if (IS_ERR(obj)) {
7573 err = PTR_ERR(obj);
7574 goto err_init;
7575 }
7576 obj->key.table = table;
7577 obj->handle = nf_tables_alloc_handle(table);
7578
7579 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7580 if (!obj->key.name) {
7581 err = -ENOMEM;
7582 goto err_strdup;
7583 }
7584
7585 if (nla[NFTA_OBJ_USERDATA]) {
7586 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7587 if (obj->udata == NULL)
7588 goto err_userdata;
7589
7590 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
7591 }
7592
7593 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
7594 if (err < 0)
7595 goto err_trans;
7596
7597 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
7598 nft_objname_ht_params);
7599 if (err < 0)
7600 goto err_obj_ht;
7601
7602 list_add_tail_rcu(&obj->list, &table->objects);
7603
7604 return 0;
7605 err_obj_ht:
7606 /* queued in transaction log */
7607 INIT_LIST_HEAD(&obj->list);
7608 return err;
7609 err_trans:
7610 kfree(obj->udata);
7611 err_userdata:
7612 kfree(obj->key.name);
7613 err_strdup:
7614 if (obj->ops->destroy)
7615 obj->ops->destroy(&ctx, obj);
7616 kfree(obj);
7617 err_init:
7618 module_put(type->owner);
7619 err_type:
7620 nft_use_dec_restore(&table->use);
7621
7622 return err;
7623 }
7624
7625 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7626 u32 portid, u32 seq, int event, u32 flags,
7627 int family, const struct nft_table *table,
7628 struct nft_object *obj, bool reset)
7629 {
7630 struct nlmsghdr *nlh;
7631
7632 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7633 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7634 NFNETLINK_V0, nft_base_seq(net));
7635 if (!nlh)
7636 goto nla_put_failure;
7637
7638 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7639 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7640 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7641 NFTA_OBJ_PAD))
7642 goto nla_put_failure;
7643
7644 if (event == NFT_MSG_DELOBJ) {
7645 nlmsg_end(skb, nlh);
7646 return 0;
7647 }
7648
7649 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7650 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7651 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
7652 goto nla_put_failure;
7653
7654 if (obj->udata &&
7655 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7656 goto nla_put_failure;
7657
7658 nlmsg_end(skb, nlh);
7659 return 0;
7660
7661 nla_put_failure:
7662 nlmsg_trim(skb, nlh);
7663 return -1;
7664 }
7665
7666 static void audit_log_obj_reset(const struct nft_table *table,
7667 unsigned int base_seq, unsigned int nentries)
7668 {
7669 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
7670
7671 audit_log_nfcfg(buf, table->family, nentries,
7672 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
7673 kfree(buf);
7674 }
7675
7676 struct nft_obj_dump_ctx {
7677 unsigned int s_idx;
7678 char *table;
7679 u32 type;
7680 bool reset;
7681 };
7682
7683 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7684 {
7685 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7686 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7687 struct net *net = sock_net(skb->sk);
7688 int family = nfmsg->nfgen_family;
7689 struct nftables_pernet *nft_net;
7690 const struct nft_table *table;
7691 unsigned int entries = 0;
7692 struct nft_object *obj;
7693 unsigned int idx = 0;
7694 int rc = 0;
7695
7696 rcu_read_lock();
7697 nft_net = nft_pernet(net);
7698 cb->seq = READ_ONCE(nft_net->base_seq);
7699
7700 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7701 if (family != NFPROTO_UNSPEC && family != table->family)
7702 continue;
7703
7704 entries = 0;
7705 list_for_each_entry_rcu(obj, &table->objects, list) {
7706 if (!nft_is_active(net, obj))
7707 goto cont;
7708 if (idx < ctx->s_idx)
7709 goto cont;
7710 if (ctx->table && strcmp(ctx->table, table->name))
7711 goto cont;
7712 if (ctx->type != NFT_OBJECT_UNSPEC &&
7713 obj->ops->type->type != ctx->type)
7714 goto cont;
7715
7716 rc = nf_tables_fill_obj_info(skb, net,
7717 NETLINK_CB(cb->skb).portid,
7718 cb->nlh->nlmsg_seq,
7719 NFT_MSG_NEWOBJ,
7720 NLM_F_MULTI | NLM_F_APPEND,
7721 table->family, table,
7722 obj, ctx->reset);
7723 if (rc < 0)
7724 break;
7725
7726 entries++;
7727 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7728 cont:
7729 idx++;
7730 }
7731 if (ctx->reset && entries)
7732 audit_log_obj_reset(table, nft_net->base_seq, entries);
7733 if (rc < 0)
7734 break;
7735 }
7736 rcu_read_unlock();
7737
7738 ctx->s_idx = idx;
7739 return skb->len;
7740 }
7741
7742 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
7743 {
7744 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7745 const struct nlattr * const *nla = cb->data;
7746
7747 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
7748
7749 if (nla[NFTA_OBJ_TABLE]) {
7750 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
7751 if (!ctx->table)
7752 return -ENOMEM;
7753 }
7754
7755 if (nla[NFTA_OBJ_TYPE])
7756 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7757
7758 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7759 ctx->reset = true;
7760
7761 return 0;
7762 }
7763
7764 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
7765 {
7766 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7767
7768 kfree(ctx->table);
7769
7770 return 0;
7771 }
7772
7773 /* called with rcu_read_lock held */
7774 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
7775 const struct nlattr * const nla[])
7776 {
7777 struct netlink_ext_ack *extack = info->extack;
7778 u8 genmask = nft_genmask_cur(info->net);
7779 u8 family = info->nfmsg->nfgen_family;
7780 const struct nft_table *table;
7781 struct net *net = info->net;
7782 struct nft_object *obj;
7783 struct sk_buff *skb2;
7784 bool reset = false;
7785 u32 objtype;
7786 int err;
7787
7788 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
7789 struct netlink_dump_control c = {
7790 .start = nf_tables_dump_obj_start,
7791 .dump = nf_tables_dump_obj,
7792 .done = nf_tables_dump_obj_done,
7793 .module = THIS_MODULE,
7794 .data = (void *)nla,
7795 };
7796
7797 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
7798 }
7799
7800 if (!nla[NFTA_OBJ_NAME] ||
7801 !nla[NFTA_OBJ_TYPE])
7802 return -EINVAL;
7803
7804 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
7805 if (IS_ERR(table)) {
7806 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7807 return PTR_ERR(table);
7808 }
7809
7810 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7811 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7812 if (IS_ERR(obj)) {
7813 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7814 return PTR_ERR(obj);
7815 }
7816
7817 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7818 if (!skb2)
7819 return -ENOMEM;
7820
7821 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7822 reset = true;
7823
7824 if (reset) {
7825 const struct nftables_pernet *nft_net;
7826 char *buf;
7827
7828 nft_net = nft_pernet(net);
7829 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
7830
7831 audit_log_nfcfg(buf,
7832 family,
7833 1,
7834 AUDIT_NFT_OP_OBJ_RESET,
7835 GFP_ATOMIC);
7836 kfree(buf);
7837 }
7838
7839 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
7840 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
7841 family, table, obj, reset);
7842 if (err < 0)
7843 goto err_fill_obj_info;
7844
7845 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7846
7847 err_fill_obj_info:
7848 kfree_skb(skb2);
7849 return err;
7850 }
7851
7852 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
7853 {
7854 if (obj->ops->destroy)
7855 obj->ops->destroy(ctx, obj);
7856
7857 module_put(obj->ops->type->owner);
7858 kfree(obj->key.name);
7859 kfree(obj->udata);
7860 kfree(obj);
7861 }
7862
7863 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
7864 const struct nlattr * const nla[])
7865 {
7866 struct netlink_ext_ack *extack = info->extack;
7867 u8 genmask = nft_genmask_next(info->net);
7868 u8 family = info->nfmsg->nfgen_family;
7869 struct net *net = info->net;
7870 const struct nlattr *attr;
7871 struct nft_table *table;
7872 struct nft_object *obj;
7873 struct nft_ctx ctx;
7874 u32 objtype;
7875
7876 if (!nla[NFTA_OBJ_TYPE] ||
7877 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
7878 return -EINVAL;
7879
7880 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7881 NETLINK_CB(skb).portid);
7882 if (IS_ERR(table)) {
7883 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7884 return PTR_ERR(table);
7885 }
7886
7887 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7888 if (nla[NFTA_OBJ_HANDLE]) {
7889 attr = nla[NFTA_OBJ_HANDLE];
7890 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
7891 } else {
7892 attr = nla[NFTA_OBJ_NAME];
7893 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
7894 }
7895
7896 if (IS_ERR(obj)) {
7897 if (PTR_ERR(obj) == -ENOENT &&
7898 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
7899 return 0;
7900
7901 NL_SET_BAD_ATTR(extack, attr);
7902 return PTR_ERR(obj);
7903 }
7904 if (obj->use > 0) {
7905 NL_SET_BAD_ATTR(extack, attr);
7906 return -EBUSY;
7907 }
7908
7909 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7910
7911 return nft_delobj(&ctx, obj);
7912 }
7913
7914 static void
7915 __nft_obj_notify(struct net *net, const struct nft_table *table,
7916 struct nft_object *obj, u32 portid, u32 seq, int event,
7917 u16 flags, int family, int report, gfp_t gfp)
7918 {
7919 struct nftables_pernet *nft_net = nft_pernet(net);
7920 struct sk_buff *skb;
7921 int err;
7922
7923 if (!report &&
7924 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7925 return;
7926
7927 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
7928 if (skb == NULL)
7929 goto err;
7930
7931 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
7932 flags & (NLM_F_CREATE | NLM_F_EXCL),
7933 family, table, obj, false);
7934 if (err < 0) {
7935 kfree_skb(skb);
7936 goto err;
7937 }
7938
7939 nft_notify_enqueue(skb, report, &nft_net->notify_list);
7940 return;
7941 err:
7942 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
7943 }
7944
7945 void nft_obj_notify(struct net *net, const struct nft_table *table,
7946 struct nft_object *obj, u32 portid, u32 seq, int event,
7947 u16 flags, int family, int report, gfp_t gfp)
7948 {
7949 struct nftables_pernet *nft_net = nft_pernet(net);
7950 char *buf = kasprintf(gfp, "%s:%u",
7951 table->name, nft_net->base_seq);
7952
7953 audit_log_nfcfg(buf,
7954 family,
7955 obj->handle,
7956 event == NFT_MSG_NEWOBJ ?
7957 AUDIT_NFT_OP_OBJ_REGISTER :
7958 AUDIT_NFT_OP_OBJ_UNREGISTER,
7959 gfp);
7960 kfree(buf);
7961
7962 __nft_obj_notify(net, table, obj, portid, seq, event,
7963 flags, family, report, gfp);
7964 }
7965 EXPORT_SYMBOL_GPL(nft_obj_notify);
7966
7967 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
7968 struct nft_object *obj, int event)
7969 {
7970 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
7971 ctx->seq, event, ctx->flags, ctx->family,
7972 ctx->report, GFP_KERNEL);
7973 }
7974
7975 /*
7976 * Flow tables
7977 */
7978 void nft_register_flowtable_type(struct nf_flowtable_type *type)
7979 {
7980 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7981 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
7982 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7983 }
7984 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
7985
7986 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
7987 {
7988 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7989 list_del_rcu(&type->list);
7990 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7991 }
7992 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
7993
7994 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
7995 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
7996 .len = NFT_NAME_MAXLEN - 1 },
7997 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
7998 .len = NFT_NAME_MAXLEN - 1 },
7999 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8000 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8001 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8002 };
8003
8004 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
8005 const struct nlattr *nla, u8 genmask)
8006 {
8007 struct nft_flowtable *flowtable;
8008
8009 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8010 if (!nla_strcmp(nla, flowtable->name) &&
8011 nft_active_genmask(flowtable, genmask))
8012 return flowtable;
8013 }
8014 return ERR_PTR(-ENOENT);
8015 }
8016 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8017
8018 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8019 struct nft_flowtable *flowtable,
8020 enum nft_trans_phase phase)
8021 {
8022 switch (phase) {
8023 case NFT_TRANS_PREPARE_ERROR:
8024 case NFT_TRANS_PREPARE:
8025 case NFT_TRANS_ABORT:
8026 case NFT_TRANS_RELEASE:
8027 nft_use_dec(&flowtable->use);
8028 fallthrough;
8029 default:
8030 return;
8031 }
8032 }
8033 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8034
8035 static struct nft_flowtable *
8036 nft_flowtable_lookup_byhandle(const struct nft_table *table,
8037 const struct nlattr *nla, u8 genmask)
8038 {
8039 struct nft_flowtable *flowtable;
8040
8041 list_for_each_entry(flowtable, &table->flowtables, list) {
8042 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8043 nft_active_genmask(flowtable, genmask))
8044 return flowtable;
8045 }
8046 return ERR_PTR(-ENOENT);
8047 }
8048
8049 struct nft_flowtable_hook {
8050 u32 num;
8051 int priority;
8052 struct list_head list;
8053 };
8054
8055 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8056 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8057 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8058 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8059 };
8060
8061 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8062 const struct nlattr * const nla[],
8063 struct nft_flowtable_hook *flowtable_hook,
8064 struct nft_flowtable *flowtable,
8065 struct netlink_ext_ack *extack, bool add)
8066 {
8067 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8068 struct nft_hook *hook;
8069 int hooknum, priority;
8070 int err;
8071
8072 INIT_LIST_HEAD(&flowtable_hook->list);
8073
8074 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8075 nla[NFTA_FLOWTABLE_HOOK],
8076 nft_flowtable_hook_policy, NULL);
8077 if (err < 0)
8078 return err;
8079
8080 if (add) {
8081 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8082 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8083 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8084 return -ENOENT;
8085 }
8086
8087 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8088 if (hooknum != NF_NETDEV_INGRESS)
8089 return -EOPNOTSUPP;
8090
8091 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8092
8093 flowtable_hook->priority = priority;
8094 flowtable_hook->num = hooknum;
8095 } else {
8096 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8097 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8098 if (hooknum != flowtable->hooknum)
8099 return -EOPNOTSUPP;
8100 }
8101
8102 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8103 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8104 if (priority != flowtable->data.priority)
8105 return -EOPNOTSUPP;
8106 }
8107
8108 flowtable_hook->priority = flowtable->data.priority;
8109 flowtable_hook->num = flowtable->hooknum;
8110 }
8111
8112 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8113 err = nf_tables_parse_netdev_hooks(ctx->net,
8114 tb[NFTA_FLOWTABLE_HOOK_DEVS],
8115 &flowtable_hook->list,
8116 extack);
8117 if (err < 0)
8118 return err;
8119 }
8120
8121 list_for_each_entry(hook, &flowtable_hook->list, list) {
8122 hook->ops.pf = NFPROTO_NETDEV;
8123 hook->ops.hooknum = flowtable_hook->num;
8124 hook->ops.priority = flowtable_hook->priority;
8125 hook->ops.priv = &flowtable->data;
8126 hook->ops.hook = flowtable->data.type->hook;
8127 }
8128
8129 return err;
8130 }
8131
8132 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
8133 {
8134 const struct nf_flowtable_type *type;
8135
8136 list_for_each_entry(type, &nf_tables_flowtables, list) {
8137 if (family == type->family)
8138 return type;
8139 }
8140 return NULL;
8141 }
8142
8143 static const struct nf_flowtable_type *
8144 nft_flowtable_type_get(struct net *net, u8 family)
8145 {
8146 const struct nf_flowtable_type *type;
8147
8148 type = __nft_flowtable_type_get(family);
8149 if (type != NULL && try_module_get(type->owner))
8150 return type;
8151
8152 lockdep_nfnl_nft_mutex_not_held();
8153 #ifdef CONFIG_MODULES
8154 if (type == NULL) {
8155 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
8156 return ERR_PTR(-EAGAIN);
8157 }
8158 #endif
8159 return ERR_PTR(-ENOENT);
8160 }
8161
8162 /* Only called from error and netdev event paths. */
8163 static void nft_unregister_flowtable_hook(struct net *net,
8164 struct nft_flowtable *flowtable,
8165 struct nft_hook *hook)
8166 {
8167 nf_unregister_net_hook(net, &hook->ops);
8168 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8169 FLOW_BLOCK_UNBIND);
8170 }
8171
8172 static void __nft_unregister_flowtable_net_hooks(struct net *net,
8173 struct list_head *hook_list,
8174 bool release_netdev)
8175 {
8176 struct nft_hook *hook, *next;
8177
8178 list_for_each_entry_safe(hook, next, hook_list, list) {
8179 nf_unregister_net_hook(net, &hook->ops);
8180 if (release_netdev) {
8181 list_del(&hook->list);
8182 kfree_rcu(hook, rcu);
8183 }
8184 }
8185 }
8186
8187 static void nft_unregister_flowtable_net_hooks(struct net *net,
8188 struct list_head *hook_list)
8189 {
8190 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
8191 }
8192
8193 static int nft_register_flowtable_net_hooks(struct net *net,
8194 struct nft_table *table,
8195 struct list_head *hook_list,
8196 struct nft_flowtable *flowtable)
8197 {
8198 struct nft_hook *hook, *hook2, *next;
8199 struct nft_flowtable *ft;
8200 int err, i = 0;
8201
8202 list_for_each_entry(hook, hook_list, list) {
8203 list_for_each_entry(ft, &table->flowtables, list) {
8204 if (!nft_is_active_next(net, ft))
8205 continue;
8206
8207 list_for_each_entry(hook2, &ft->hook_list, list) {
8208 if (hook->ops.dev == hook2->ops.dev &&
8209 hook->ops.pf == hook2->ops.pf) {
8210 err = -EEXIST;
8211 goto err_unregister_net_hooks;
8212 }
8213 }
8214 }
8215
8216 err = flowtable->data.type->setup(&flowtable->data,
8217 hook->ops.dev,
8218 FLOW_BLOCK_BIND);
8219 if (err < 0)
8220 goto err_unregister_net_hooks;
8221
8222 err = nf_register_net_hook(net, &hook->ops);
8223 if (err < 0) {
8224 flowtable->data.type->setup(&flowtable->data,
8225 hook->ops.dev,
8226 FLOW_BLOCK_UNBIND);
8227 goto err_unregister_net_hooks;
8228 }
8229
8230 i++;
8231 }
8232
8233 return 0;
8234
8235 err_unregister_net_hooks:
8236 list_for_each_entry_safe(hook, next, hook_list, list) {
8237 if (i-- <= 0)
8238 break;
8239
8240 nft_unregister_flowtable_hook(net, flowtable, hook);
8241 list_del_rcu(&hook->list);
8242 kfree_rcu(hook, rcu);
8243 }
8244
8245 return err;
8246 }
8247
8248 static void nft_hooks_destroy(struct list_head *hook_list)
8249 {
8250 struct nft_hook *hook, *next;
8251
8252 list_for_each_entry_safe(hook, next, hook_list, list) {
8253 list_del_rcu(&hook->list);
8254 kfree_rcu(hook, rcu);
8255 }
8256 }
8257
8258 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
8259 struct nft_flowtable *flowtable,
8260 struct netlink_ext_ack *extack)
8261 {
8262 const struct nlattr * const *nla = ctx->nla;
8263 struct nft_flowtable_hook flowtable_hook;
8264 struct nft_hook *hook, *next;
8265 struct nft_trans *trans;
8266 bool unregister = false;
8267 u32 flags;
8268 int err;
8269
8270 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8271 extack, false);
8272 if (err < 0)
8273 return err;
8274
8275 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8276 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
8277 list_del(&hook->list);
8278 kfree(hook);
8279 }
8280 }
8281
8282 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8283 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8284 if (flags & ~NFT_FLOWTABLE_MASK) {
8285 err = -EOPNOTSUPP;
8286 goto err_flowtable_update_hook;
8287 }
8288 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
8289 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
8290 err = -EOPNOTSUPP;
8291 goto err_flowtable_update_hook;
8292 }
8293 } else {
8294 flags = flowtable->data.flags;
8295 }
8296
8297 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
8298 &flowtable_hook.list, flowtable);
8299 if (err < 0)
8300 goto err_flowtable_update_hook;
8301
8302 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
8303 sizeof(struct nft_trans_flowtable));
8304 if (!trans) {
8305 unregister = true;
8306 err = -ENOMEM;
8307 goto err_flowtable_update_hook;
8308 }
8309
8310 nft_trans_flowtable_flags(trans) = flags;
8311 nft_trans_flowtable(trans) = flowtable;
8312 nft_trans_flowtable_update(trans) = true;
8313 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8314 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
8315
8316 nft_trans_commit_list_add_tail(ctx->net, trans);
8317
8318 return 0;
8319
8320 err_flowtable_update_hook:
8321 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8322 if (unregister)
8323 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
8324 list_del_rcu(&hook->list);
8325 kfree_rcu(hook, rcu);
8326 }
8327
8328 return err;
8329
8330 }
8331
8332 static int nf_tables_newflowtable(struct sk_buff *skb,
8333 const struct nfnl_info *info,
8334 const struct nlattr * const nla[])
8335 {
8336 struct netlink_ext_ack *extack = info->extack;
8337 struct nft_flowtable_hook flowtable_hook;
8338 u8 genmask = nft_genmask_next(info->net);
8339 u8 family = info->nfmsg->nfgen_family;
8340 const struct nf_flowtable_type *type;
8341 struct nft_flowtable *flowtable;
8342 struct nft_hook *hook, *next;
8343 struct net *net = info->net;
8344 struct nft_table *table;
8345 struct nft_ctx ctx;
8346 int err;
8347
8348 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8349 !nla[NFTA_FLOWTABLE_NAME] ||
8350 !nla[NFTA_FLOWTABLE_HOOK])
8351 return -EINVAL;
8352
8353 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8354 genmask, NETLINK_CB(skb).portid);
8355 if (IS_ERR(table)) {
8356 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8357 return PTR_ERR(table);
8358 }
8359
8360 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8361 genmask);
8362 if (IS_ERR(flowtable)) {
8363 err = PTR_ERR(flowtable);
8364 if (err != -ENOENT) {
8365 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8366 return err;
8367 }
8368 } else {
8369 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8370 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8371 return -EEXIST;
8372 }
8373
8374 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8375
8376 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
8377 }
8378
8379 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8380
8381 if (!nft_use_inc(&table->use))
8382 return -EMFILE;
8383
8384 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
8385 if (!flowtable) {
8386 err = -ENOMEM;
8387 goto flowtable_alloc;
8388 }
8389
8390 flowtable->table = table;
8391 flowtable->handle = nf_tables_alloc_handle(table);
8392 INIT_LIST_HEAD(&flowtable->hook_list);
8393
8394 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
8395 if (!flowtable->name) {
8396 err = -ENOMEM;
8397 goto err1;
8398 }
8399
8400 type = nft_flowtable_type_get(net, family);
8401 if (IS_ERR(type)) {
8402 err = PTR_ERR(type);
8403 goto err2;
8404 }
8405
8406 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8407 flowtable->data.flags =
8408 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8409 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
8410 err = -EOPNOTSUPP;
8411 goto err3;
8412 }
8413 }
8414
8415 write_pnet(&flowtable->data.net, net);
8416 flowtable->data.type = type;
8417 err = type->init(&flowtable->data);
8418 if (err < 0)
8419 goto err3;
8420
8421 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
8422 extack, true);
8423 if (err < 0)
8424 goto err4;
8425
8426 list_splice(&flowtable_hook.list, &flowtable->hook_list);
8427 flowtable->data.priority = flowtable_hook.priority;
8428 flowtable->hooknum = flowtable_hook.num;
8429
8430 err = nft_register_flowtable_net_hooks(ctx.net, table,
8431 &flowtable->hook_list,
8432 flowtable);
8433 if (err < 0) {
8434 nft_hooks_destroy(&flowtable->hook_list);
8435 goto err4;
8436 }
8437
8438 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
8439 if (err < 0)
8440 goto err5;
8441
8442 list_add_tail_rcu(&flowtable->list, &table->flowtables);
8443
8444 return 0;
8445 err5:
8446 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8447 nft_unregister_flowtable_hook(net, flowtable, hook);
8448 list_del_rcu(&hook->list);
8449 kfree_rcu(hook, rcu);
8450 }
8451 err4:
8452 flowtable->data.type->free(&flowtable->data);
8453 err3:
8454 module_put(type->owner);
8455 err2:
8456 kfree(flowtable->name);
8457 err1:
8458 kfree(flowtable);
8459 flowtable_alloc:
8460 nft_use_dec_restore(&table->use);
8461
8462 return err;
8463 }
8464
8465 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8466 {
8467 struct nft_hook *this, *next;
8468
8469 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8470 list_del(&this->list);
8471 kfree(this);
8472 }
8473 }
8474
8475 static int nft_delflowtable_hook(struct nft_ctx *ctx,
8476 struct nft_flowtable *flowtable,
8477 struct netlink_ext_ack *extack)
8478 {
8479 const struct nlattr * const *nla = ctx->nla;
8480 struct nft_flowtable_hook flowtable_hook;
8481 LIST_HEAD(flowtable_del_list);
8482 struct nft_hook *this, *hook;
8483 struct nft_trans *trans;
8484 int err;
8485
8486 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8487 extack, false);
8488 if (err < 0)
8489 return err;
8490
8491 list_for_each_entry(this, &flowtable_hook.list, list) {
8492 hook = nft_hook_list_find(&flowtable->hook_list, this);
8493 if (!hook) {
8494 err = -ENOENT;
8495 goto err_flowtable_del_hook;
8496 }
8497 list_move(&hook->list, &flowtable_del_list);
8498 }
8499
8500 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
8501 sizeof(struct nft_trans_flowtable));
8502 if (!trans) {
8503 err = -ENOMEM;
8504 goto err_flowtable_del_hook;
8505 }
8506
8507 nft_trans_flowtable(trans) = flowtable;
8508 nft_trans_flowtable_update(trans) = true;
8509 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8510 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
8511 nft_flowtable_hook_release(&flowtable_hook);
8512
8513 nft_trans_commit_list_add_tail(ctx->net, trans);
8514
8515 return 0;
8516
8517 err_flowtable_del_hook:
8518 list_splice(&flowtable_del_list, &flowtable->hook_list);
8519 nft_flowtable_hook_release(&flowtable_hook);
8520
8521 return err;
8522 }
8523
8524 static int nf_tables_delflowtable(struct sk_buff *skb,
8525 const struct nfnl_info *info,
8526 const struct nlattr * const nla[])
8527 {
8528 struct netlink_ext_ack *extack = info->extack;
8529 u8 genmask = nft_genmask_next(info->net);
8530 u8 family = info->nfmsg->nfgen_family;
8531 struct nft_flowtable *flowtable;
8532 struct net *net = info->net;
8533 const struct nlattr *attr;
8534 struct nft_table *table;
8535 struct nft_ctx ctx;
8536
8537 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8538 (!nla[NFTA_FLOWTABLE_NAME] &&
8539 !nla[NFTA_FLOWTABLE_HANDLE]))
8540 return -EINVAL;
8541
8542 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8543 genmask, NETLINK_CB(skb).portid);
8544 if (IS_ERR(table)) {
8545 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8546 return PTR_ERR(table);
8547 }
8548
8549 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8550 attr = nla[NFTA_FLOWTABLE_HANDLE];
8551 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
8552 } else {
8553 attr = nla[NFTA_FLOWTABLE_NAME];
8554 flowtable = nft_flowtable_lookup(table, attr, genmask);
8555 }
8556
8557 if (IS_ERR(flowtable)) {
8558 if (PTR_ERR(flowtable) == -ENOENT &&
8559 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8560 return 0;
8561
8562 NL_SET_BAD_ATTR(extack, attr);
8563 return PTR_ERR(flowtable);
8564 }
8565
8566 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8567
8568 if (nla[NFTA_FLOWTABLE_HOOK])
8569 return nft_delflowtable_hook(&ctx, flowtable, extack);
8570
8571 if (flowtable->use > 0) {
8572 NL_SET_BAD_ATTR(extack, attr);
8573 return -EBUSY;
8574 }
8575
8576 return nft_delflowtable(&ctx, flowtable);
8577 }
8578
8579 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8580 u32 portid, u32 seq, int event,
8581 u32 flags, int family,
8582 struct nft_flowtable *flowtable,
8583 struct list_head *hook_list)
8584 {
8585 struct nlattr *nest, *nest_devs;
8586 struct nft_hook *hook;
8587 struct nlmsghdr *nlh;
8588
8589 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8590 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8591 NFNETLINK_V0, nft_base_seq(net));
8592 if (!nlh)
8593 goto nla_put_failure;
8594
8595 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
8596 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
8597 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8598 NFTA_FLOWTABLE_PAD))
8599 goto nla_put_failure;
8600
8601 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
8602 nlmsg_end(skb, nlh);
8603 return 0;
8604 }
8605
8606 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8607 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8608 goto nla_put_failure;
8609
8610 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
8611 if (!nest)
8612 goto nla_put_failure;
8613 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8614 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8615 goto nla_put_failure;
8616
8617 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
8618 if (!nest_devs)
8619 goto nla_put_failure;
8620
8621 if (!hook_list)
8622 hook_list = &flowtable->hook_list;
8623
8624 list_for_each_entry_rcu(hook, hook_list, list) {
8625 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
8626 goto nla_put_failure;
8627 }
8628 nla_nest_end(skb, nest_devs);
8629 nla_nest_end(skb, nest);
8630
8631 nlmsg_end(skb, nlh);
8632 return 0;
8633
8634 nla_put_failure:
8635 nlmsg_trim(skb, nlh);
8636 return -1;
8637 }
8638
8639 struct nft_flowtable_filter {
8640 char *table;
8641 };
8642
8643 static int nf_tables_dump_flowtable(struct sk_buff *skb,
8644 struct netlink_callback *cb)
8645 {
8646 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8647 struct nft_flowtable_filter *filter = cb->data;
8648 unsigned int idx = 0, s_idx = cb->args[0];
8649 struct net *net = sock_net(skb->sk);
8650 int family = nfmsg->nfgen_family;
8651 struct nft_flowtable *flowtable;
8652 struct nftables_pernet *nft_net;
8653 const struct nft_table *table;
8654
8655 rcu_read_lock();
8656 nft_net = nft_pernet(net);
8657 cb->seq = READ_ONCE(nft_net->base_seq);
8658
8659 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8660 if (family != NFPROTO_UNSPEC && family != table->family)
8661 continue;
8662
8663 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8664 if (!nft_is_active(net, flowtable))
8665 goto cont;
8666 if (idx < s_idx)
8667 goto cont;
8668 if (idx > s_idx)
8669 memset(&cb->args[1], 0,
8670 sizeof(cb->args) - sizeof(cb->args[0]));
8671 if (filter && filter->table &&
8672 strcmp(filter->table, table->name))
8673 goto cont;
8674
8675 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
8676 cb->nlh->nlmsg_seq,
8677 NFT_MSG_NEWFLOWTABLE,
8678 NLM_F_MULTI | NLM_F_APPEND,
8679 table->family,
8680 flowtable, NULL) < 0)
8681 goto done;
8682
8683 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8684 cont:
8685 idx++;
8686 }
8687 }
8688 done:
8689 rcu_read_unlock();
8690
8691 cb->args[0] = idx;
8692 return skb->len;
8693 }
8694
8695 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
8696 {
8697 const struct nlattr * const *nla = cb->data;
8698 struct nft_flowtable_filter *filter = NULL;
8699
8700 if (nla[NFTA_FLOWTABLE_TABLE]) {
8701 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
8702 if (!filter)
8703 return -ENOMEM;
8704
8705 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
8706 GFP_ATOMIC);
8707 if (!filter->table) {
8708 kfree(filter);
8709 return -ENOMEM;
8710 }
8711 }
8712
8713 cb->data = filter;
8714 return 0;
8715 }
8716
8717 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
8718 {
8719 struct nft_flowtable_filter *filter = cb->data;
8720
8721 if (!filter)
8722 return 0;
8723
8724 kfree(filter->table);
8725 kfree(filter);
8726
8727 return 0;
8728 }
8729
8730 /* called with rcu_read_lock held */
8731 static int nf_tables_getflowtable(struct sk_buff *skb,
8732 const struct nfnl_info *info,
8733 const struct nlattr * const nla[])
8734 {
8735 struct netlink_ext_ack *extack = info->extack;
8736 u8 genmask = nft_genmask_cur(info->net);
8737 u8 family = info->nfmsg->nfgen_family;
8738 struct nft_flowtable *flowtable;
8739 const struct nft_table *table;
8740 struct net *net = info->net;
8741 struct sk_buff *skb2;
8742 int err;
8743
8744 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8745 struct netlink_dump_control c = {
8746 .start = nf_tables_dump_flowtable_start,
8747 .dump = nf_tables_dump_flowtable,
8748 .done = nf_tables_dump_flowtable_done,
8749 .module = THIS_MODULE,
8750 .data = (void *)nla,
8751 };
8752
8753 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8754 }
8755
8756 if (!nla[NFTA_FLOWTABLE_NAME])
8757 return -EINVAL;
8758
8759 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8760 genmask, 0);
8761 if (IS_ERR(table)) {
8762 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8763 return PTR_ERR(table);
8764 }
8765
8766 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8767 genmask);
8768 if (IS_ERR(flowtable)) {
8769 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8770 return PTR_ERR(flowtable);
8771 }
8772
8773 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8774 if (!skb2)
8775 return -ENOMEM;
8776
8777 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
8778 info->nlh->nlmsg_seq,
8779 NFT_MSG_NEWFLOWTABLE, 0, family,
8780 flowtable, NULL);
8781 if (err < 0)
8782 goto err_fill_flowtable_info;
8783
8784 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
8785
8786 err_fill_flowtable_info:
8787 kfree_skb(skb2);
8788 return err;
8789 }
8790
8791 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
8792 struct nft_flowtable *flowtable,
8793 struct list_head *hook_list, int event)
8794 {
8795 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
8796 struct sk_buff *skb;
8797 u16 flags = 0;
8798 int err;
8799
8800 if (!ctx->report &&
8801 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
8802 return;
8803
8804 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8805 if (skb == NULL)
8806 goto err;
8807
8808 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
8809 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
8810
8811 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
8812 ctx->seq, event, flags,
8813 ctx->family, flowtable, hook_list);
8814 if (err < 0) {
8815 kfree_skb(skb);
8816 goto err;
8817 }
8818
8819 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
8820 return;
8821 err:
8822 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
8823 }
8824
8825 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
8826 {
8827 struct nft_hook *hook, *next;
8828
8829 flowtable->data.type->free(&flowtable->data);
8830 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8831 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8832 FLOW_BLOCK_UNBIND);
8833 list_del_rcu(&hook->list);
8834 kfree(hook);
8835 }
8836 kfree(flowtable->name);
8837 module_put(flowtable->data.type->owner);
8838 kfree(flowtable);
8839 }
8840
8841 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
8842 u32 portid, u32 seq)
8843 {
8844 struct nftables_pernet *nft_net = nft_pernet(net);
8845 struct nlmsghdr *nlh;
8846 char buf[TASK_COMM_LEN];
8847 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
8848
8849 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
8850 NFNETLINK_V0, nft_base_seq(net));
8851 if (!nlh)
8852 goto nla_put_failure;
8853
8854 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
8855 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
8856 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
8857 goto nla_put_failure;
8858
8859 nlmsg_end(skb, nlh);
8860 return 0;
8861
8862 nla_put_failure:
8863 nlmsg_trim(skb, nlh);
8864 return -EMSGSIZE;
8865 }
8866
8867 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
8868 struct nft_flowtable *flowtable)
8869 {
8870 struct nft_hook *hook;
8871
8872 list_for_each_entry(hook, &flowtable->hook_list, list) {
8873 if (hook->ops.dev != dev)
8874 continue;
8875
8876 /* flow_offload_netdev_event() cleans up entries for us. */
8877 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
8878 list_del_rcu(&hook->list);
8879 kfree_rcu(hook, rcu);
8880 break;
8881 }
8882 }
8883
8884 static int nf_tables_flowtable_event(struct notifier_block *this,
8885 unsigned long event, void *ptr)
8886 {
8887 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
8888 struct nft_flowtable *flowtable;
8889 struct nftables_pernet *nft_net;
8890 struct nft_table *table;
8891 struct net *net;
8892
8893 if (event != NETDEV_UNREGISTER)
8894 return 0;
8895
8896 net = dev_net(dev);
8897 nft_net = nft_pernet(net);
8898 mutex_lock(&nft_net->commit_mutex);
8899 list_for_each_entry(table, &nft_net->tables, list) {
8900 list_for_each_entry(flowtable, &table->flowtables, list) {
8901 nft_flowtable_event(event, dev, flowtable);
8902 }
8903 }
8904 mutex_unlock(&nft_net->commit_mutex);
8905
8906 return NOTIFY_DONE;
8907 }
8908
8909 static struct notifier_block nf_tables_flowtable_notifier = {
8910 .notifier_call = nf_tables_flowtable_event,
8911 };
8912
8913 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
8914 int event)
8915 {
8916 struct nlmsghdr *nlh = nlmsg_hdr(skb);
8917 struct sk_buff *skb2;
8918 int err;
8919
8920 if (!nlmsg_report(nlh) &&
8921 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8922 return;
8923
8924 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8925 if (skb2 == NULL)
8926 goto err;
8927
8928 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
8929 nlh->nlmsg_seq);
8930 if (err < 0) {
8931 kfree_skb(skb2);
8932 goto err;
8933 }
8934
8935 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8936 nlmsg_report(nlh), GFP_KERNEL);
8937 return;
8938 err:
8939 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8940 -ENOBUFS);
8941 }
8942
8943 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
8944 const struct nlattr * const nla[])
8945 {
8946 struct sk_buff *skb2;
8947 int err;
8948
8949 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8950 if (skb2 == NULL)
8951 return -ENOMEM;
8952
8953 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
8954 info->nlh->nlmsg_seq);
8955 if (err < 0)
8956 goto err_fill_gen_info;
8957
8958 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
8959
8960 err_fill_gen_info:
8961 kfree_skb(skb2);
8962 return err;
8963 }
8964
8965 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
8966 [NFT_MSG_NEWTABLE] = {
8967 .call = nf_tables_newtable,
8968 .type = NFNL_CB_BATCH,
8969 .attr_count = NFTA_TABLE_MAX,
8970 .policy = nft_table_policy,
8971 },
8972 [NFT_MSG_GETTABLE] = {
8973 .call = nf_tables_gettable,
8974 .type = NFNL_CB_RCU,
8975 .attr_count = NFTA_TABLE_MAX,
8976 .policy = nft_table_policy,
8977 },
8978 [NFT_MSG_DELTABLE] = {
8979 .call = nf_tables_deltable,
8980 .type = NFNL_CB_BATCH,
8981 .attr_count = NFTA_TABLE_MAX,
8982 .policy = nft_table_policy,
8983 },
8984 [NFT_MSG_DESTROYTABLE] = {
8985 .call = nf_tables_deltable,
8986 .type = NFNL_CB_BATCH,
8987 .attr_count = NFTA_TABLE_MAX,
8988 .policy = nft_table_policy,
8989 },
8990 [NFT_MSG_NEWCHAIN] = {
8991 .call = nf_tables_newchain,
8992 .type = NFNL_CB_BATCH,
8993 .attr_count = NFTA_CHAIN_MAX,
8994 .policy = nft_chain_policy,
8995 },
8996 [NFT_MSG_GETCHAIN] = {
8997 .call = nf_tables_getchain,
8998 .type = NFNL_CB_RCU,
8999 .attr_count = NFTA_CHAIN_MAX,
9000 .policy = nft_chain_policy,
9001 },
9002 [NFT_MSG_DELCHAIN] = {
9003 .call = nf_tables_delchain,
9004 .type = NFNL_CB_BATCH,
9005 .attr_count = NFTA_CHAIN_MAX,
9006 .policy = nft_chain_policy,
9007 },
9008 [NFT_MSG_DESTROYCHAIN] = {
9009 .call = nf_tables_delchain,
9010 .type = NFNL_CB_BATCH,
9011 .attr_count = NFTA_CHAIN_MAX,
9012 .policy = nft_chain_policy,
9013 },
9014 [NFT_MSG_NEWRULE] = {
9015 .call = nf_tables_newrule,
9016 .type = NFNL_CB_BATCH,
9017 .attr_count = NFTA_RULE_MAX,
9018 .policy = nft_rule_policy,
9019 },
9020 [NFT_MSG_GETRULE] = {
9021 .call = nf_tables_getrule,
9022 .type = NFNL_CB_RCU,
9023 .attr_count = NFTA_RULE_MAX,
9024 .policy = nft_rule_policy,
9025 },
9026 [NFT_MSG_GETRULE_RESET] = {
9027 .call = nf_tables_getrule_reset,
9028 .type = NFNL_CB_RCU,
9029 .attr_count = NFTA_RULE_MAX,
9030 .policy = nft_rule_policy,
9031 },
9032 [NFT_MSG_DELRULE] = {
9033 .call = nf_tables_delrule,
9034 .type = NFNL_CB_BATCH,
9035 .attr_count = NFTA_RULE_MAX,
9036 .policy = nft_rule_policy,
9037 },
9038 [NFT_MSG_DESTROYRULE] = {
9039 .call = nf_tables_delrule,
9040 .type = NFNL_CB_BATCH,
9041 .attr_count = NFTA_RULE_MAX,
9042 .policy = nft_rule_policy,
9043 },
9044 [NFT_MSG_NEWSET] = {
9045 .call = nf_tables_newset,
9046 .type = NFNL_CB_BATCH,
9047 .attr_count = NFTA_SET_MAX,
9048 .policy = nft_set_policy,
9049 },
9050 [NFT_MSG_GETSET] = {
9051 .call = nf_tables_getset,
9052 .type = NFNL_CB_RCU,
9053 .attr_count = NFTA_SET_MAX,
9054 .policy = nft_set_policy,
9055 },
9056 [NFT_MSG_DELSET] = {
9057 .call = nf_tables_delset,
9058 .type = NFNL_CB_BATCH,
9059 .attr_count = NFTA_SET_MAX,
9060 .policy = nft_set_policy,
9061 },
9062 [NFT_MSG_DESTROYSET] = {
9063 .call = nf_tables_delset,
9064 .type = NFNL_CB_BATCH,
9065 .attr_count = NFTA_SET_MAX,
9066 .policy = nft_set_policy,
9067 },
9068 [NFT_MSG_NEWSETELEM] = {
9069 .call = nf_tables_newsetelem,
9070 .type = NFNL_CB_BATCH,
9071 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9072 .policy = nft_set_elem_list_policy,
9073 },
9074 [NFT_MSG_GETSETELEM] = {
9075 .call = nf_tables_getsetelem,
9076 .type = NFNL_CB_RCU,
9077 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9078 .policy = nft_set_elem_list_policy,
9079 },
9080 [NFT_MSG_GETSETELEM_RESET] = {
9081 .call = nf_tables_getsetelem,
9082 .type = NFNL_CB_RCU,
9083 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9084 .policy = nft_set_elem_list_policy,
9085 },
9086 [NFT_MSG_DELSETELEM] = {
9087 .call = nf_tables_delsetelem,
9088 .type = NFNL_CB_BATCH,
9089 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9090 .policy = nft_set_elem_list_policy,
9091 },
9092 [NFT_MSG_DESTROYSETELEM] = {
9093 .call = nf_tables_delsetelem,
9094 .type = NFNL_CB_BATCH,
9095 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9096 .policy = nft_set_elem_list_policy,
9097 },
9098 [NFT_MSG_GETGEN] = {
9099 .call = nf_tables_getgen,
9100 .type = NFNL_CB_RCU,
9101 },
9102 [NFT_MSG_NEWOBJ] = {
9103 .call = nf_tables_newobj,
9104 .type = NFNL_CB_BATCH,
9105 .attr_count = NFTA_OBJ_MAX,
9106 .policy = nft_obj_policy,
9107 },
9108 [NFT_MSG_GETOBJ] = {
9109 .call = nf_tables_getobj,
9110 .type = NFNL_CB_RCU,
9111 .attr_count = NFTA_OBJ_MAX,
9112 .policy = nft_obj_policy,
9113 },
9114 [NFT_MSG_DELOBJ] = {
9115 .call = nf_tables_delobj,
9116 .type = NFNL_CB_BATCH,
9117 .attr_count = NFTA_OBJ_MAX,
9118 .policy = nft_obj_policy,
9119 },
9120 [NFT_MSG_DESTROYOBJ] = {
9121 .call = nf_tables_delobj,
9122 .type = NFNL_CB_BATCH,
9123 .attr_count = NFTA_OBJ_MAX,
9124 .policy = nft_obj_policy,
9125 },
9126 [NFT_MSG_GETOBJ_RESET] = {
9127 .call = nf_tables_getobj,
9128 .type = NFNL_CB_RCU,
9129 .attr_count = NFTA_OBJ_MAX,
9130 .policy = nft_obj_policy,
9131 },
9132 [NFT_MSG_NEWFLOWTABLE] = {
9133 .call = nf_tables_newflowtable,
9134 .type = NFNL_CB_BATCH,
9135 .attr_count = NFTA_FLOWTABLE_MAX,
9136 .policy = nft_flowtable_policy,
9137 },
9138 [NFT_MSG_GETFLOWTABLE] = {
9139 .call = nf_tables_getflowtable,
9140 .type = NFNL_CB_RCU,
9141 .attr_count = NFTA_FLOWTABLE_MAX,
9142 .policy = nft_flowtable_policy,
9143 },
9144 [NFT_MSG_DELFLOWTABLE] = {
9145 .call = nf_tables_delflowtable,
9146 .type = NFNL_CB_BATCH,
9147 .attr_count = NFTA_FLOWTABLE_MAX,
9148 .policy = nft_flowtable_policy,
9149 },
9150 [NFT_MSG_DESTROYFLOWTABLE] = {
9151 .call = nf_tables_delflowtable,
9152 .type = NFNL_CB_BATCH,
9153 .attr_count = NFTA_FLOWTABLE_MAX,
9154 .policy = nft_flowtable_policy,
9155 },
9156 };
9157
9158 static int nf_tables_validate(struct net *net)
9159 {
9160 struct nftables_pernet *nft_net = nft_pernet(net);
9161 struct nft_table *table;
9162
9163 list_for_each_entry(table, &nft_net->tables, list) {
9164 switch (table->validate_state) {
9165 case NFT_VALIDATE_SKIP:
9166 continue;
9167 case NFT_VALIDATE_NEED:
9168 nft_validate_state_update(table, NFT_VALIDATE_DO);
9169 fallthrough;
9170 case NFT_VALIDATE_DO:
9171 if (nft_table_validate(net, table) < 0)
9172 return -EAGAIN;
9173
9174 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
9175 break;
9176 }
9177 }
9178
9179 return 0;
9180 }
9181
9182 /* a drop policy has to be deferred until all rules have been activated,
9183 * otherwise a large ruleset that contains a drop-policy base chain will
9184 * cause all packets to get dropped until the full transaction has been
9185 * processed.
9186 *
9187 * We defer the drop policy until the transaction has been finalized.
9188 */
9189 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
9190 {
9191 struct nft_base_chain *basechain;
9192
9193 if (nft_trans_chain_policy(trans) != NF_DROP)
9194 return;
9195
9196 if (!nft_is_base_chain(trans->ctx.chain))
9197 return;
9198
9199 basechain = nft_base_chain(trans->ctx.chain);
9200 basechain->policy = NF_DROP;
9201 }
9202
9203 static void nft_chain_commit_update(struct nft_trans *trans)
9204 {
9205 struct nft_base_chain *basechain;
9206
9207 if (nft_trans_chain_name(trans)) {
9208 rhltable_remove(&trans->ctx.table->chains_ht,
9209 &trans->ctx.chain->rhlhead,
9210 nft_chain_ht_params);
9211 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
9212 rhltable_insert_key(&trans->ctx.table->chains_ht,
9213 trans->ctx.chain->name,
9214 &trans->ctx.chain->rhlhead,
9215 nft_chain_ht_params);
9216 }
9217
9218 if (!nft_is_base_chain(trans->ctx.chain))
9219 return;
9220
9221 nft_chain_stats_replace(trans);
9222
9223 basechain = nft_base_chain(trans->ctx.chain);
9224
9225 switch (nft_trans_chain_policy(trans)) {
9226 case NF_DROP:
9227 case NF_ACCEPT:
9228 basechain->policy = nft_trans_chain_policy(trans);
9229 break;
9230 }
9231 }
9232
9233 static void nft_obj_commit_update(struct nft_trans *trans)
9234 {
9235 struct nft_object *newobj;
9236 struct nft_object *obj;
9237
9238 obj = nft_trans_obj(trans);
9239 newobj = nft_trans_obj_newobj(trans);
9240
9241 if (obj->ops->update)
9242 obj->ops->update(obj, newobj);
9243
9244 nft_obj_destroy(&trans->ctx, newobj);
9245 }
9246
9247 static void nft_commit_release(struct nft_trans *trans)
9248 {
9249 switch (trans->msg_type) {
9250 case NFT_MSG_DELTABLE:
9251 case NFT_MSG_DESTROYTABLE:
9252 nf_tables_table_destroy(&trans->ctx);
9253 break;
9254 case NFT_MSG_NEWCHAIN:
9255 free_percpu(nft_trans_chain_stats(trans));
9256 kfree(nft_trans_chain_name(trans));
9257 break;
9258 case NFT_MSG_DELCHAIN:
9259 case NFT_MSG_DESTROYCHAIN:
9260 if (nft_trans_chain_update(trans))
9261 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9262 else
9263 nf_tables_chain_destroy(&trans->ctx);
9264 break;
9265 case NFT_MSG_DELRULE:
9266 case NFT_MSG_DESTROYRULE:
9267 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
9268 break;
9269 case NFT_MSG_DELSET:
9270 case NFT_MSG_DESTROYSET:
9271 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
9272 break;
9273 case NFT_MSG_DELSETELEM:
9274 case NFT_MSG_DESTROYSETELEM:
9275 nf_tables_set_elem_destroy(&trans->ctx,
9276 nft_trans_elem_set(trans),
9277 nft_trans_elem_priv(trans));
9278 break;
9279 case NFT_MSG_DELOBJ:
9280 case NFT_MSG_DESTROYOBJ:
9281 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
9282 break;
9283 case NFT_MSG_DELFLOWTABLE:
9284 case NFT_MSG_DESTROYFLOWTABLE:
9285 if (nft_trans_flowtable_update(trans))
9286 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9287 else
9288 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9289 break;
9290 }
9291
9292 if (trans->put_net)
9293 put_net(trans->ctx.net);
9294
9295 kfree(trans);
9296 }
9297
9298 static void nf_tables_trans_destroy_work(struct work_struct *w)
9299 {
9300 struct nft_trans *trans, *next;
9301 LIST_HEAD(head);
9302
9303 spin_lock(&nf_tables_destroy_list_lock);
9304 list_splice_init(&nf_tables_destroy_list, &head);
9305 spin_unlock(&nf_tables_destroy_list_lock);
9306
9307 if (list_empty(&head))
9308 return;
9309
9310 synchronize_rcu();
9311
9312 list_for_each_entry_safe(trans, next, &head, list) {
9313 nft_trans_list_del(trans);
9314 nft_commit_release(trans);
9315 }
9316 }
9317
9318 void nf_tables_trans_destroy_flush_work(void)
9319 {
9320 flush_work(&trans_destroy_work);
9321 }
9322 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
9323
9324 static bool nft_expr_reduce(struct nft_regs_track *track,
9325 const struct nft_expr *expr)
9326 {
9327 return false;
9328 }
9329
9330 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
9331 {
9332 const struct nft_expr *expr, *last;
9333 struct nft_regs_track track = {};
9334 unsigned int size, data_size;
9335 void *data, *data_boundary;
9336 struct nft_rule_dp *prule;
9337 struct nft_rule *rule;
9338
9339 /* already handled or inactive chain? */
9340 if (chain->blob_next || !nft_is_active_next(net, chain))
9341 return 0;
9342
9343 data_size = 0;
9344 list_for_each_entry(rule, &chain->rules, list) {
9345 if (nft_is_active_next(net, rule)) {
9346 data_size += sizeof(*prule) + rule->dlen;
9347 if (data_size > INT_MAX)
9348 return -ENOMEM;
9349 }
9350 }
9351
9352 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
9353 if (!chain->blob_next)
9354 return -ENOMEM;
9355
9356 data = (void *)chain->blob_next->data;
9357 data_boundary = data + data_size;
9358 size = 0;
9359
9360 list_for_each_entry(rule, &chain->rules, list) {
9361 if (!nft_is_active_next(net, rule))
9362 continue;
9363
9364 prule = (struct nft_rule_dp *)data;
9365 data += offsetof(struct nft_rule_dp, data);
9366 if (WARN_ON_ONCE(data > data_boundary))
9367 return -ENOMEM;
9368
9369 size = 0;
9370 track.last = nft_expr_last(rule);
9371 nft_rule_for_each_expr(expr, last, rule) {
9372 track.cur = expr;
9373
9374 if (nft_expr_reduce(&track, expr)) {
9375 expr = track.cur;
9376 continue;
9377 }
9378
9379 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
9380 return -ENOMEM;
9381
9382 memcpy(data + size, expr, expr->ops->size);
9383 size += expr->ops->size;
9384 }
9385 if (WARN_ON_ONCE(size >= 1 << 12))
9386 return -ENOMEM;
9387
9388 prule->handle = rule->handle;
9389 prule->dlen = size;
9390 prule->is_last = 0;
9391
9392 data += size;
9393 size = 0;
9394 chain->blob_next->size += (unsigned long)(data - (void *)prule);
9395 }
9396
9397 if (WARN_ON_ONCE(data > data_boundary))
9398 return -ENOMEM;
9399
9400 prule = (struct nft_rule_dp *)data;
9401 nft_last_rule(chain, prule);
9402
9403 return 0;
9404 }
9405
9406 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
9407 {
9408 struct nftables_pernet *nft_net = nft_pernet(net);
9409 struct nft_trans *trans, *next;
9410
9411 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9412 struct nft_chain *chain = trans->ctx.chain;
9413
9414 if (trans->msg_type == NFT_MSG_NEWRULE ||
9415 trans->msg_type == NFT_MSG_DELRULE) {
9416 kvfree(chain->blob_next);
9417 chain->blob_next = NULL;
9418 }
9419 }
9420 }
9421
9422 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
9423 {
9424 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
9425
9426 kvfree(l->blob);
9427 }
9428
9429 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
9430 {
9431 struct nft_rule_dp_last *last;
9432
9433 /* last rule trailer is after end marker */
9434 last = (void *)blob + sizeof(*blob) + blob->size;
9435 last->blob = blob;
9436
9437 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
9438 }
9439
9440 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
9441 {
9442 struct nft_rule_blob *g0, *g1;
9443 bool next_genbit;
9444
9445 next_genbit = nft_gencursor_next(net);
9446
9447 g0 = rcu_dereference_protected(chain->blob_gen_0,
9448 lockdep_commit_lock_is_held(net));
9449 g1 = rcu_dereference_protected(chain->blob_gen_1,
9450 lockdep_commit_lock_is_held(net));
9451
9452 /* No changes to this chain? */
9453 if (chain->blob_next == NULL) {
9454 /* chain had no change in last or next generation */
9455 if (g0 == g1)
9456 return;
9457 /*
9458 * chain had no change in this generation; make sure next
9459 * one uses same rules as current generation.
9460 */
9461 if (next_genbit) {
9462 rcu_assign_pointer(chain->blob_gen_1, g0);
9463 nf_tables_commit_chain_free_rules_old(g1);
9464 } else {
9465 rcu_assign_pointer(chain->blob_gen_0, g1);
9466 nf_tables_commit_chain_free_rules_old(g0);
9467 }
9468
9469 return;
9470 }
9471
9472 if (next_genbit)
9473 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9474 else
9475 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9476
9477 chain->blob_next = NULL;
9478
9479 if (g0 == g1)
9480 return;
9481
9482 if (next_genbit)
9483 nf_tables_commit_chain_free_rules_old(g1);
9484 else
9485 nf_tables_commit_chain_free_rules_old(g0);
9486 }
9487
9488 static void nft_obj_del(struct nft_object *obj)
9489 {
9490 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
9491 list_del_rcu(&obj->list);
9492 }
9493
9494 void nft_chain_del(struct nft_chain *chain)
9495 {
9496 struct nft_table *table = chain->table;
9497
9498 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9499 nft_chain_ht_params));
9500 list_del_rcu(&chain->list);
9501 }
9502
9503 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
9504 struct nft_trans_gc *trans)
9505 {
9506 struct nft_elem_priv **priv = trans->priv;
9507 unsigned int i;
9508
9509 for (i = 0; i < trans->count; i++) {
9510 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]);
9511 nft_setelem_remove(ctx->net, trans->set, priv[i]);
9512 }
9513 }
9514
9515 void nft_trans_gc_destroy(struct nft_trans_gc *trans)
9516 {
9517 nft_set_put(trans->set);
9518 put_net(trans->net);
9519 kfree(trans);
9520 }
9521
9522 static void nft_trans_gc_trans_free(struct rcu_head *rcu)
9523 {
9524 struct nft_elem_priv *elem_priv;
9525 struct nft_trans_gc *trans;
9526 struct nft_ctx ctx = {};
9527 unsigned int i;
9528
9529 trans = container_of(rcu, struct nft_trans_gc, rcu);
9530 ctx.net = read_pnet(&trans->set->net);
9531
9532 for (i = 0; i < trans->count; i++) {
9533 elem_priv = trans->priv[i];
9534 if (!nft_setelem_is_catchall(trans->set, elem_priv))
9535 atomic_dec(&trans->set->nelems);
9536
9537 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv);
9538 }
9539
9540 nft_trans_gc_destroy(trans);
9541 }
9542
9543 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
9544 {
9545 struct nftables_pernet *nft_net;
9546 struct nft_ctx ctx = {};
9547
9548 nft_net = nft_pernet(trans->net);
9549
9550 mutex_lock(&nft_net->commit_mutex);
9551
9552 /* Check for race with transaction, otherwise this batch refers to
9553 * stale objects that might not be there anymore. Skip transaction if
9554 * set has been destroyed from control plane transaction in case gc
9555 * worker loses race.
9556 */
9557 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
9558 mutex_unlock(&nft_net->commit_mutex);
9559 return false;
9560 }
9561
9562 ctx.net = trans->net;
9563 ctx.table = trans->set->table;
9564
9565 nft_trans_gc_setelem_remove(&ctx, trans);
9566 mutex_unlock(&nft_net->commit_mutex);
9567
9568 return true;
9569 }
9570
9571 static void nft_trans_gc_work(struct work_struct *work)
9572 {
9573 struct nft_trans_gc *trans, *next;
9574 LIST_HEAD(trans_gc_list);
9575
9576 spin_lock(&nf_tables_gc_list_lock);
9577 list_splice_init(&nf_tables_gc_list, &trans_gc_list);
9578 spin_unlock(&nf_tables_gc_list_lock);
9579
9580 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
9581 list_del(&trans->list);
9582 if (!nft_trans_gc_work_done(trans)) {
9583 nft_trans_gc_destroy(trans);
9584 continue;
9585 }
9586 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9587 }
9588 }
9589
9590 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
9591 unsigned int gc_seq, gfp_t gfp)
9592 {
9593 struct net *net = read_pnet(&set->net);
9594 struct nft_trans_gc *trans;
9595
9596 trans = kzalloc(sizeof(*trans), gfp);
9597 if (!trans)
9598 return NULL;
9599
9600 trans->net = maybe_get_net(net);
9601 if (!trans->net) {
9602 kfree(trans);
9603 return NULL;
9604 }
9605
9606 refcount_inc(&set->refs);
9607 trans->set = set;
9608 trans->seq = gc_seq;
9609
9610 return trans;
9611 }
9612
9613 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
9614 {
9615 trans->priv[trans->count++] = priv;
9616 }
9617
9618 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
9619 {
9620 spin_lock(&nf_tables_gc_list_lock);
9621 list_add_tail(&trans->list, &nf_tables_gc_list);
9622 spin_unlock(&nf_tables_gc_list_lock);
9623
9624 schedule_work(&trans_gc_work);
9625 }
9626
9627 static int nft_trans_gc_space(struct nft_trans_gc *trans)
9628 {
9629 return NFT_TRANS_GC_BATCHCOUNT - trans->count;
9630 }
9631
9632 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
9633 unsigned int gc_seq, gfp_t gfp)
9634 {
9635 struct nft_set *set;
9636
9637 if (nft_trans_gc_space(gc))
9638 return gc;
9639
9640 set = gc->set;
9641 nft_trans_gc_queue_work(gc);
9642
9643 return nft_trans_gc_alloc(set, gc_seq, gfp);
9644 }
9645
9646 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
9647 {
9648 if (trans->count == 0) {
9649 nft_trans_gc_destroy(trans);
9650 return;
9651 }
9652
9653 nft_trans_gc_queue_work(trans);
9654 }
9655
9656 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
9657 {
9658 struct nft_set *set;
9659
9660 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
9661 return NULL;
9662
9663 if (nft_trans_gc_space(gc))
9664 return gc;
9665
9666 set = gc->set;
9667 call_rcu(&gc->rcu, nft_trans_gc_trans_free);
9668
9669 return nft_trans_gc_alloc(set, 0, gfp);
9670 }
9671
9672 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
9673 {
9674 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
9675
9676 if (trans->count == 0) {
9677 nft_trans_gc_destroy(trans);
9678 return;
9679 }
9680
9681 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9682 }
9683
9684 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
9685 unsigned int gc_seq)
9686 {
9687 struct nft_set_elem_catchall *catchall;
9688 const struct nft_set *set = gc->set;
9689 struct nft_set_ext *ext;
9690
9691 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9692 ext = nft_set_elem_ext(set, catchall->elem);
9693
9694 if (!nft_set_elem_expired(ext))
9695 continue;
9696 if (nft_set_elem_is_dead(ext))
9697 goto dead_elem;
9698
9699 nft_set_elem_dead(ext);
9700 dead_elem:
9701 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
9702 if (!gc)
9703 return NULL;
9704
9705 nft_trans_gc_elem_add(gc, catchall->elem);
9706 }
9707
9708 return gc;
9709 }
9710
9711 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
9712 {
9713 struct nft_set_elem_catchall *catchall, *next;
9714 const struct nft_set *set = gc->set;
9715 struct nft_elem_priv *elem_priv;
9716 struct nft_set_ext *ext;
9717
9718 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
9719
9720 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
9721 ext = nft_set_elem_ext(set, catchall->elem);
9722
9723 if (!nft_set_elem_expired(ext))
9724 continue;
9725
9726 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
9727 if (!gc)
9728 return NULL;
9729
9730 elem_priv = catchall->elem;
9731 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
9732 nft_setelem_catchall_destroy(catchall);
9733 nft_trans_gc_elem_add(gc, elem_priv);
9734 }
9735
9736 return gc;
9737 }
9738
9739 static void nf_tables_module_autoload_cleanup(struct net *net)
9740 {
9741 struct nftables_pernet *nft_net = nft_pernet(net);
9742 struct nft_module_request *req, *next;
9743
9744 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
9745 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
9746 WARN_ON_ONCE(!req->done);
9747 list_del(&req->list);
9748 kfree(req);
9749 }
9750 }
9751
9752 static void nf_tables_commit_release(struct net *net)
9753 {
9754 struct nftables_pernet *nft_net = nft_pernet(net);
9755 struct nft_trans *trans;
9756
9757 /* all side effects have to be made visible.
9758 * For example, if a chain named 'foo' has been deleted, a
9759 * new transaction must not find it anymore.
9760 *
9761 * Memory reclaim happens asynchronously from work queue
9762 * to prevent expensive synchronize_rcu() in commit phase.
9763 */
9764 if (list_empty(&nft_net->commit_list)) {
9765 nf_tables_module_autoload_cleanup(net);
9766 mutex_unlock(&nft_net->commit_mutex);
9767 return;
9768 }
9769
9770 trans = list_last_entry(&nft_net->commit_list,
9771 struct nft_trans, list);
9772 get_net(trans->ctx.net);
9773 WARN_ON_ONCE(trans->put_net);
9774
9775 trans->put_net = true;
9776 spin_lock(&nf_tables_destroy_list_lock);
9777 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
9778 spin_unlock(&nf_tables_destroy_list_lock);
9779
9780 nf_tables_module_autoload_cleanup(net);
9781 schedule_work(&trans_destroy_work);
9782
9783 mutex_unlock(&nft_net->commit_mutex);
9784 }
9785
9786 static void nft_commit_notify(struct net *net, u32 portid)
9787 {
9788 struct nftables_pernet *nft_net = nft_pernet(net);
9789 struct sk_buff *batch_skb = NULL, *nskb, *skb;
9790 unsigned char *data;
9791 int len;
9792
9793 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
9794 if (!batch_skb) {
9795 new_batch:
9796 batch_skb = skb;
9797 len = NLMSG_GOODSIZE - skb->len;
9798 list_del(&skb->list);
9799 continue;
9800 }
9801 len -= skb->len;
9802 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
9803 data = skb_put(batch_skb, skb->len);
9804 memcpy(data, skb->data, skb->len);
9805 list_del(&skb->list);
9806 kfree_skb(skb);
9807 continue;
9808 }
9809 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9810 NFT_CB(batch_skb).report, GFP_KERNEL);
9811 goto new_batch;
9812 }
9813
9814 if (batch_skb) {
9815 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9816 NFT_CB(batch_skb).report, GFP_KERNEL);
9817 }
9818
9819 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
9820 }
9821
9822 static int nf_tables_commit_audit_alloc(struct list_head *adl,
9823 struct nft_table *table)
9824 {
9825 struct nft_audit_data *adp;
9826
9827 list_for_each_entry(adp, adl, list) {
9828 if (adp->table == table)
9829 return 0;
9830 }
9831 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
9832 if (!adp)
9833 return -ENOMEM;
9834 adp->table = table;
9835 list_add(&adp->list, adl);
9836 return 0;
9837 }
9838
9839 static void nf_tables_commit_audit_free(struct list_head *adl)
9840 {
9841 struct nft_audit_data *adp, *adn;
9842
9843 list_for_each_entry_safe(adp, adn, adl, list) {
9844 list_del(&adp->list);
9845 kfree(adp);
9846 }
9847 }
9848
9849 static void nf_tables_commit_audit_collect(struct list_head *adl,
9850 struct nft_table *table, u32 op)
9851 {
9852 struct nft_audit_data *adp;
9853
9854 list_for_each_entry(adp, adl, list) {
9855 if (adp->table == table)
9856 goto found;
9857 }
9858 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
9859 return;
9860 found:
9861 adp->entries++;
9862 if (!adp->op || adp->op > op)
9863 adp->op = op;
9864 }
9865
9866 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
9867
9868 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
9869 {
9870 struct nft_audit_data *adp, *adn;
9871 char aubuf[AUNFTABLENAMELEN];
9872
9873 list_for_each_entry_safe(adp, adn, adl, list) {
9874 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
9875 generation);
9876 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
9877 nft2audit_op[adp->op], GFP_KERNEL);
9878 list_del(&adp->list);
9879 kfree(adp);
9880 }
9881 }
9882
9883 static void nft_set_commit_update(struct list_head *set_update_list)
9884 {
9885 struct nft_set *set, *next;
9886
9887 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
9888 list_del_init(&set->pending_update);
9889
9890 if (!set->ops->commit)
9891 continue;
9892
9893 set->ops->commit(set);
9894 }
9895 }
9896
9897 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
9898 {
9899 unsigned int gc_seq;
9900
9901 /* Bump gc counter, it becomes odd, this is the busy mark. */
9902 gc_seq = READ_ONCE(nft_net->gc_seq);
9903 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
9904
9905 return gc_seq;
9906 }
9907
9908 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
9909 {
9910 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
9911 }
9912
9913 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
9914 {
9915 struct nftables_pernet *nft_net = nft_pernet(net);
9916 struct nft_trans *trans, *next;
9917 unsigned int base_seq, gc_seq;
9918 LIST_HEAD(set_update_list);
9919 struct nft_trans_elem *te;
9920 struct nft_chain *chain;
9921 struct nft_table *table;
9922 LIST_HEAD(adl);
9923 int err;
9924
9925 if (list_empty(&nft_net->commit_list)) {
9926 mutex_unlock(&nft_net->commit_mutex);
9927 return 0;
9928 }
9929
9930 list_for_each_entry(trans, &nft_net->binding_list, binding_list) {
9931 switch (trans->msg_type) {
9932 case NFT_MSG_NEWSET:
9933 if (!nft_trans_set_update(trans) &&
9934 nft_set_is_anonymous(nft_trans_set(trans)) &&
9935 !nft_trans_set_bound(trans)) {
9936 pr_warn_once("nftables ruleset with unbound set\n");
9937 return -EINVAL;
9938 }
9939 break;
9940 case NFT_MSG_NEWCHAIN:
9941 if (!nft_trans_chain_update(trans) &&
9942 nft_chain_binding(nft_trans_chain(trans)) &&
9943 !nft_trans_chain_bound(trans)) {
9944 pr_warn_once("nftables ruleset with unbound chain\n");
9945 return -EINVAL;
9946 }
9947 break;
9948 }
9949 }
9950
9951 /* 0. Validate ruleset, otherwise roll back for error reporting. */
9952 if (nf_tables_validate(net) < 0) {
9953 nft_net->validate_state = NFT_VALIDATE_DO;
9954 return -EAGAIN;
9955 }
9956
9957 err = nft_flow_rule_offload_commit(net);
9958 if (err < 0)
9959 return err;
9960
9961 /* 1. Allocate space for next generation rules_gen_X[] */
9962 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9963 int ret;
9964
9965 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
9966 if (ret) {
9967 nf_tables_commit_chain_prepare_cancel(net);
9968 nf_tables_commit_audit_free(&adl);
9969 return ret;
9970 }
9971 if (trans->msg_type == NFT_MSG_NEWRULE ||
9972 trans->msg_type == NFT_MSG_DELRULE) {
9973 chain = trans->ctx.chain;
9974
9975 ret = nf_tables_commit_chain_prepare(net, chain);
9976 if (ret < 0) {
9977 nf_tables_commit_chain_prepare_cancel(net);
9978 nf_tables_commit_audit_free(&adl);
9979 return ret;
9980 }
9981 }
9982 }
9983
9984 /* step 2. Make rules_gen_X visible to packet path */
9985 list_for_each_entry(table, &nft_net->tables, list) {
9986 list_for_each_entry(chain, &table->chains, list)
9987 nf_tables_commit_chain(net, chain);
9988 }
9989
9990 /*
9991 * Bump generation counter, invalidate any dump in progress.
9992 * Cannot fail after this point.
9993 */
9994 base_seq = READ_ONCE(nft_net->base_seq);
9995 while (++base_seq == 0)
9996 ;
9997
9998 WRITE_ONCE(nft_net->base_seq, base_seq);
9999
10000 gc_seq = nft_gc_seq_begin(nft_net);
10001
10002 /* step 3. Start new generation, rules_gen_X now in use. */
10003 net->nft.gencursor = nft_gencursor_next(net);
10004
10005 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10006 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
10007 trans->msg_type);
10008 switch (trans->msg_type) {
10009 case NFT_MSG_NEWTABLE:
10010 if (nft_trans_table_update(trans)) {
10011 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10012 nft_trans_destroy(trans);
10013 break;
10014 }
10015 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
10016 nf_tables_table_disable(net, trans->ctx.table);
10017
10018 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10019 } else {
10020 nft_clear(net, trans->ctx.table);
10021 }
10022 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
10023 nft_trans_destroy(trans);
10024 break;
10025 case NFT_MSG_DELTABLE:
10026 case NFT_MSG_DESTROYTABLE:
10027 list_del_rcu(&trans->ctx.table->list);
10028 nf_tables_table_notify(&trans->ctx, trans->msg_type);
10029 break;
10030 case NFT_MSG_NEWCHAIN:
10031 if (nft_trans_chain_update(trans)) {
10032 nft_chain_commit_update(trans);
10033 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN,
10034 &nft_trans_chain_hooks(trans));
10035 list_splice(&nft_trans_chain_hooks(trans),
10036 &nft_trans_basechain(trans)->hook_list);
10037 /* trans destroyed after rcu grace period */
10038 } else {
10039 nft_chain_commit_drop_policy(trans);
10040 nft_clear(net, trans->ctx.chain);
10041 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN, NULL);
10042 nft_trans_destroy(trans);
10043 }
10044 break;
10045 case NFT_MSG_DELCHAIN:
10046 case NFT_MSG_DESTROYCHAIN:
10047 if (nft_trans_chain_update(trans)) {
10048 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
10049 &nft_trans_chain_hooks(trans));
10050 nft_netdev_unregister_hooks(net,
10051 &nft_trans_chain_hooks(trans),
10052 true);
10053 } else {
10054 nft_chain_del(trans->ctx.chain);
10055 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
10056 NULL);
10057 nf_tables_unregister_hook(trans->ctx.net,
10058 trans->ctx.table,
10059 trans->ctx.chain);
10060 }
10061 break;
10062 case NFT_MSG_NEWRULE:
10063 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10064 nf_tables_rule_notify(&trans->ctx,
10065 nft_trans_rule(trans),
10066 NFT_MSG_NEWRULE);
10067 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10068 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10069
10070 nft_trans_destroy(trans);
10071 break;
10072 case NFT_MSG_DELRULE:
10073 case NFT_MSG_DESTROYRULE:
10074 list_del_rcu(&nft_trans_rule(trans)->list);
10075 nf_tables_rule_notify(&trans->ctx,
10076 nft_trans_rule(trans),
10077 trans->msg_type);
10078 nft_rule_expr_deactivate(&trans->ctx,
10079 nft_trans_rule(trans),
10080 NFT_TRANS_COMMIT);
10081
10082 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10083 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10084 break;
10085 case NFT_MSG_NEWSET:
10086 if (nft_trans_set_update(trans)) {
10087 struct nft_set *set = nft_trans_set(trans);
10088
10089 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
10090 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
10091
10092 if (nft_trans_set_size(trans))
10093 WRITE_ONCE(set->size, nft_trans_set_size(trans));
10094 } else {
10095 nft_clear(net, nft_trans_set(trans));
10096 /* This avoids hitting -EBUSY when deleting the table
10097 * from the transaction.
10098 */
10099 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
10100 !list_empty(&nft_trans_set(trans)->bindings))
10101 nft_use_dec(&trans->ctx.table->use);
10102 }
10103 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
10104 NFT_MSG_NEWSET, GFP_KERNEL);
10105 nft_trans_destroy(trans);
10106 break;
10107 case NFT_MSG_DELSET:
10108 case NFT_MSG_DESTROYSET:
10109 nft_trans_set(trans)->dead = 1;
10110 list_del_rcu(&nft_trans_set(trans)->list);
10111 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
10112 trans->msg_type, GFP_KERNEL);
10113 break;
10114 case NFT_MSG_NEWSETELEM:
10115 te = (struct nft_trans_elem *)trans->data;
10116
10117 nft_setelem_activate(net, te->set, te->elem_priv);
10118 nf_tables_setelem_notify(&trans->ctx, te->set,
10119 te->elem_priv,
10120 NFT_MSG_NEWSETELEM);
10121 if (te->set->ops->commit &&
10122 list_empty(&te->set->pending_update)) {
10123 list_add_tail(&te->set->pending_update,
10124 &set_update_list);
10125 }
10126 nft_trans_destroy(trans);
10127 break;
10128 case NFT_MSG_DELSETELEM:
10129 case NFT_MSG_DESTROYSETELEM:
10130 te = (struct nft_trans_elem *)trans->data;
10131
10132 nf_tables_setelem_notify(&trans->ctx, te->set,
10133 te->elem_priv,
10134 trans->msg_type);
10135 nft_setelem_remove(net, te->set, te->elem_priv);
10136 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) {
10137 atomic_dec(&te->set->nelems);
10138 te->set->ndeact--;
10139 }
10140 if (te->set->ops->commit &&
10141 list_empty(&te->set->pending_update)) {
10142 list_add_tail(&te->set->pending_update,
10143 &set_update_list);
10144 }
10145 break;
10146 case NFT_MSG_NEWOBJ:
10147 if (nft_trans_obj_update(trans)) {
10148 nft_obj_commit_update(trans);
10149 nf_tables_obj_notify(&trans->ctx,
10150 nft_trans_obj(trans),
10151 NFT_MSG_NEWOBJ);
10152 } else {
10153 nft_clear(net, nft_trans_obj(trans));
10154 nf_tables_obj_notify(&trans->ctx,
10155 nft_trans_obj(trans),
10156 NFT_MSG_NEWOBJ);
10157 nft_trans_destroy(trans);
10158 }
10159 break;
10160 case NFT_MSG_DELOBJ:
10161 case NFT_MSG_DESTROYOBJ:
10162 nft_obj_del(nft_trans_obj(trans));
10163 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
10164 trans->msg_type);
10165 break;
10166 case NFT_MSG_NEWFLOWTABLE:
10167 if (nft_trans_flowtable_update(trans)) {
10168 nft_trans_flowtable(trans)->data.flags =
10169 nft_trans_flowtable_flags(trans);
10170 nf_tables_flowtable_notify(&trans->ctx,
10171 nft_trans_flowtable(trans),
10172 &nft_trans_flowtable_hooks(trans),
10173 NFT_MSG_NEWFLOWTABLE);
10174 list_splice(&nft_trans_flowtable_hooks(trans),
10175 &nft_trans_flowtable(trans)->hook_list);
10176 } else {
10177 nft_clear(net, nft_trans_flowtable(trans));
10178 nf_tables_flowtable_notify(&trans->ctx,
10179 nft_trans_flowtable(trans),
10180 NULL,
10181 NFT_MSG_NEWFLOWTABLE);
10182 }
10183 nft_trans_destroy(trans);
10184 break;
10185 case NFT_MSG_DELFLOWTABLE:
10186 case NFT_MSG_DESTROYFLOWTABLE:
10187 if (nft_trans_flowtable_update(trans)) {
10188 nf_tables_flowtable_notify(&trans->ctx,
10189 nft_trans_flowtable(trans),
10190 &nft_trans_flowtable_hooks(trans),
10191 trans->msg_type);
10192 nft_unregister_flowtable_net_hooks(net,
10193 &nft_trans_flowtable_hooks(trans));
10194 } else {
10195 list_del_rcu(&nft_trans_flowtable(trans)->list);
10196 nf_tables_flowtable_notify(&trans->ctx,
10197 nft_trans_flowtable(trans),
10198 NULL,
10199 trans->msg_type);
10200 nft_unregister_flowtable_net_hooks(net,
10201 &nft_trans_flowtable(trans)->hook_list);
10202 }
10203 break;
10204 }
10205 }
10206
10207 nft_set_commit_update(&set_update_list);
10208
10209 nft_commit_notify(net, NETLINK_CB(skb).portid);
10210 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
10211 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
10212
10213 nft_gc_seq_end(nft_net, gc_seq);
10214 nft_net->validate_state = NFT_VALIDATE_SKIP;
10215 nf_tables_commit_release(net);
10216
10217 return 0;
10218 }
10219
10220 static void nf_tables_module_autoload(struct net *net)
10221 {
10222 struct nftables_pernet *nft_net = nft_pernet(net);
10223 struct nft_module_request *req, *next;
10224 LIST_HEAD(module_list);
10225
10226 list_splice_init(&nft_net->module_list, &module_list);
10227 mutex_unlock(&nft_net->commit_mutex);
10228 list_for_each_entry_safe(req, next, &module_list, list) {
10229 request_module("%s", req->module);
10230 req->done = true;
10231 }
10232 mutex_lock(&nft_net->commit_mutex);
10233 list_splice(&module_list, &nft_net->module_list);
10234 }
10235
10236 static void nf_tables_abort_release(struct nft_trans *trans)
10237 {
10238 switch (trans->msg_type) {
10239 case NFT_MSG_NEWTABLE:
10240 nf_tables_table_destroy(&trans->ctx);
10241 break;
10242 case NFT_MSG_NEWCHAIN:
10243 if (nft_trans_chain_update(trans))
10244 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
10245 else
10246 nf_tables_chain_destroy(&trans->ctx);
10247 break;
10248 case NFT_MSG_NEWRULE:
10249 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
10250 break;
10251 case NFT_MSG_NEWSET:
10252 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
10253 break;
10254 case NFT_MSG_NEWSETELEM:
10255 nft_set_elem_destroy(nft_trans_elem_set(trans),
10256 nft_trans_elem_priv(trans), true);
10257 break;
10258 case NFT_MSG_NEWOBJ:
10259 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
10260 break;
10261 case NFT_MSG_NEWFLOWTABLE:
10262 if (nft_trans_flowtable_update(trans))
10263 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
10264 else
10265 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10266 break;
10267 }
10268 kfree(trans);
10269 }
10270
10271 static void nft_set_abort_update(struct list_head *set_update_list)
10272 {
10273 struct nft_set *set, *next;
10274
10275 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10276 list_del_init(&set->pending_update);
10277
10278 if (!set->ops->abort)
10279 continue;
10280
10281 set->ops->abort(set);
10282 }
10283 }
10284
10285 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
10286 {
10287 struct nftables_pernet *nft_net = nft_pernet(net);
10288 struct nft_trans *trans, *next;
10289 LIST_HEAD(set_update_list);
10290 struct nft_trans_elem *te;
10291
10292 if (action == NFNL_ABORT_VALIDATE &&
10293 nf_tables_validate(net) < 0)
10294 return -EAGAIN;
10295
10296 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
10297 list) {
10298 switch (trans->msg_type) {
10299 case NFT_MSG_NEWTABLE:
10300 if (nft_trans_table_update(trans)) {
10301 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10302 nft_trans_destroy(trans);
10303 break;
10304 }
10305 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
10306 nf_tables_table_disable(net, trans->ctx.table);
10307 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
10308 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
10309 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
10310 }
10311 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10312 nft_trans_destroy(trans);
10313 } else {
10314 list_del_rcu(&trans->ctx.table->list);
10315 }
10316 break;
10317 case NFT_MSG_DELTABLE:
10318 case NFT_MSG_DESTROYTABLE:
10319 nft_clear(trans->ctx.net, trans->ctx.table);
10320 nft_trans_destroy(trans);
10321 break;
10322 case NFT_MSG_NEWCHAIN:
10323 if (nft_trans_chain_update(trans)) {
10324 nft_netdev_unregister_hooks(net,
10325 &nft_trans_chain_hooks(trans),
10326 true);
10327 free_percpu(nft_trans_chain_stats(trans));
10328 kfree(nft_trans_chain_name(trans));
10329 nft_trans_destroy(trans);
10330 } else {
10331 if (nft_trans_chain_bound(trans)) {
10332 nft_trans_destroy(trans);
10333 break;
10334 }
10335 nft_use_dec_restore(&trans->ctx.table->use);
10336 nft_chain_del(trans->ctx.chain);
10337 nf_tables_unregister_hook(trans->ctx.net,
10338 trans->ctx.table,
10339 trans->ctx.chain);
10340 }
10341 break;
10342 case NFT_MSG_DELCHAIN:
10343 case NFT_MSG_DESTROYCHAIN:
10344 if (nft_trans_chain_update(trans)) {
10345 list_splice(&nft_trans_chain_hooks(trans),
10346 &nft_trans_basechain(trans)->hook_list);
10347 } else {
10348 nft_use_inc_restore(&trans->ctx.table->use);
10349 nft_clear(trans->ctx.net, trans->ctx.chain);
10350 }
10351 nft_trans_destroy(trans);
10352 break;
10353 case NFT_MSG_NEWRULE:
10354 if (nft_trans_rule_bound(trans)) {
10355 nft_trans_destroy(trans);
10356 break;
10357 }
10358 nft_use_dec_restore(&trans->ctx.chain->use);
10359 list_del_rcu(&nft_trans_rule(trans)->list);
10360 nft_rule_expr_deactivate(&trans->ctx,
10361 nft_trans_rule(trans),
10362 NFT_TRANS_ABORT);
10363 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10364 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10365 break;
10366 case NFT_MSG_DELRULE:
10367 case NFT_MSG_DESTROYRULE:
10368 nft_use_inc_restore(&trans->ctx.chain->use);
10369 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10370 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
10371 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10372 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10373
10374 nft_trans_destroy(trans);
10375 break;
10376 case NFT_MSG_NEWSET:
10377 if (nft_trans_set_update(trans)) {
10378 nft_trans_destroy(trans);
10379 break;
10380 }
10381 nft_use_dec_restore(&trans->ctx.table->use);
10382 if (nft_trans_set_bound(trans)) {
10383 nft_trans_destroy(trans);
10384 break;
10385 }
10386 list_del_rcu(&nft_trans_set(trans)->list);
10387 break;
10388 case NFT_MSG_DELSET:
10389 case NFT_MSG_DESTROYSET:
10390 nft_use_inc_restore(&trans->ctx.table->use);
10391 nft_clear(trans->ctx.net, nft_trans_set(trans));
10392 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
10393 nft_map_activate(&trans->ctx, nft_trans_set(trans));
10394
10395 nft_trans_destroy(trans);
10396 break;
10397 case NFT_MSG_NEWSETELEM:
10398 if (nft_trans_elem_set_bound(trans)) {
10399 nft_trans_destroy(trans);
10400 break;
10401 }
10402 te = (struct nft_trans_elem *)trans->data;
10403 nft_setelem_remove(net, te->set, te->elem_priv);
10404 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10405 atomic_dec(&te->set->nelems);
10406
10407 if (te->set->ops->abort &&
10408 list_empty(&te->set->pending_update)) {
10409 list_add_tail(&te->set->pending_update,
10410 &set_update_list);
10411 }
10412 break;
10413 case NFT_MSG_DELSETELEM:
10414 case NFT_MSG_DESTROYSETELEM:
10415 te = (struct nft_trans_elem *)trans->data;
10416
10417 nft_setelem_data_activate(net, te->set, te->elem_priv);
10418 nft_setelem_activate(net, te->set, te->elem_priv);
10419 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10420 te->set->ndeact--;
10421
10422 if (te->set->ops->abort &&
10423 list_empty(&te->set->pending_update)) {
10424 list_add_tail(&te->set->pending_update,
10425 &set_update_list);
10426 }
10427 nft_trans_destroy(trans);
10428 break;
10429 case NFT_MSG_NEWOBJ:
10430 if (nft_trans_obj_update(trans)) {
10431 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
10432 nft_trans_destroy(trans);
10433 } else {
10434 nft_use_dec_restore(&trans->ctx.table->use);
10435 nft_obj_del(nft_trans_obj(trans));
10436 }
10437 break;
10438 case NFT_MSG_DELOBJ:
10439 case NFT_MSG_DESTROYOBJ:
10440 nft_use_inc_restore(&trans->ctx.table->use);
10441 nft_clear(trans->ctx.net, nft_trans_obj(trans));
10442 nft_trans_destroy(trans);
10443 break;
10444 case NFT_MSG_NEWFLOWTABLE:
10445 if (nft_trans_flowtable_update(trans)) {
10446 nft_unregister_flowtable_net_hooks(net,
10447 &nft_trans_flowtable_hooks(trans));
10448 } else {
10449 nft_use_dec_restore(&trans->ctx.table->use);
10450 list_del_rcu(&nft_trans_flowtable(trans)->list);
10451 nft_unregister_flowtable_net_hooks(net,
10452 &nft_trans_flowtable(trans)->hook_list);
10453 }
10454 break;
10455 case NFT_MSG_DELFLOWTABLE:
10456 case NFT_MSG_DESTROYFLOWTABLE:
10457 if (nft_trans_flowtable_update(trans)) {
10458 list_splice(&nft_trans_flowtable_hooks(trans),
10459 &nft_trans_flowtable(trans)->hook_list);
10460 } else {
10461 nft_use_inc_restore(&trans->ctx.table->use);
10462 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
10463 }
10464 nft_trans_destroy(trans);
10465 break;
10466 }
10467 }
10468
10469 nft_set_abort_update(&set_update_list);
10470
10471 synchronize_rcu();
10472
10473 list_for_each_entry_safe_reverse(trans, next,
10474 &nft_net->commit_list, list) {
10475 nft_trans_list_del(trans);
10476 nf_tables_abort_release(trans);
10477 }
10478
10479 if (action == NFNL_ABORT_AUTOLOAD)
10480 nf_tables_module_autoload(net);
10481 else
10482 nf_tables_module_autoload_cleanup(net);
10483
10484 return 0;
10485 }
10486
10487 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
10488 enum nfnl_abort_action action)
10489 {
10490 struct nftables_pernet *nft_net = nft_pernet(net);
10491 unsigned int gc_seq;
10492 int ret;
10493
10494 gc_seq = nft_gc_seq_begin(nft_net);
10495 ret = __nf_tables_abort(net, action);
10496 nft_gc_seq_end(nft_net, gc_seq);
10497 mutex_unlock(&nft_net->commit_mutex);
10498
10499 return ret;
10500 }
10501
10502 static bool nf_tables_valid_genid(struct net *net, u32 genid)
10503 {
10504 struct nftables_pernet *nft_net = nft_pernet(net);
10505 bool genid_ok;
10506
10507 mutex_lock(&nft_net->commit_mutex);
10508
10509 genid_ok = genid == 0 || nft_net->base_seq == genid;
10510 if (!genid_ok)
10511 mutex_unlock(&nft_net->commit_mutex);
10512
10513 /* else, commit mutex has to be released by commit or abort function */
10514 return genid_ok;
10515 }
10516
10517 static const struct nfnetlink_subsystem nf_tables_subsys = {
10518 .name = "nf_tables",
10519 .subsys_id = NFNL_SUBSYS_NFTABLES,
10520 .cb_count = NFT_MSG_MAX,
10521 .cb = nf_tables_cb,
10522 .commit = nf_tables_commit,
10523 .abort = nf_tables_abort,
10524 .valid_genid = nf_tables_valid_genid,
10525 .owner = THIS_MODULE,
10526 };
10527
10528 int nft_chain_validate_dependency(const struct nft_chain *chain,
10529 enum nft_chain_types type)
10530 {
10531 const struct nft_base_chain *basechain;
10532
10533 if (nft_is_base_chain(chain)) {
10534 basechain = nft_base_chain(chain);
10535 if (basechain->type->type != type)
10536 return -EOPNOTSUPP;
10537 }
10538 return 0;
10539 }
10540 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
10541
10542 int nft_chain_validate_hooks(const struct nft_chain *chain,
10543 unsigned int hook_flags)
10544 {
10545 struct nft_base_chain *basechain;
10546
10547 if (nft_is_base_chain(chain)) {
10548 basechain = nft_base_chain(chain);
10549
10550 if ((1 << basechain->ops.hooknum) & hook_flags)
10551 return 0;
10552
10553 return -EOPNOTSUPP;
10554 }
10555
10556 return 0;
10557 }
10558 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
10559
10560 /*
10561 * Loop detection - walk through the ruleset beginning at the destination chain
10562 * of a new jump until either the source chain is reached (loop) or all
10563 * reachable chains have been traversed.
10564 *
10565 * The loop check is performed whenever a new jump verdict is added to an
10566 * expression or verdict map or a verdict map is bound to a new chain.
10567 */
10568
10569 static int nf_tables_check_loops(const struct nft_ctx *ctx,
10570 const struct nft_chain *chain);
10571
10572 static int nft_check_loops(const struct nft_ctx *ctx,
10573 const struct nft_set_ext *ext)
10574 {
10575 const struct nft_data *data;
10576 int ret;
10577
10578 data = nft_set_ext_data(ext);
10579 switch (data->verdict.code) {
10580 case NFT_JUMP:
10581 case NFT_GOTO:
10582 ret = nf_tables_check_loops(ctx, data->verdict.chain);
10583 break;
10584 default:
10585 ret = 0;
10586 break;
10587 }
10588
10589 return ret;
10590 }
10591
10592 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
10593 struct nft_set *set,
10594 const struct nft_set_iter *iter,
10595 struct nft_elem_priv *elem_priv)
10596 {
10597 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
10598
10599 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
10600 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
10601 return 0;
10602
10603 return nft_check_loops(ctx, ext);
10604 }
10605
10606 static int nft_set_catchall_loops(const struct nft_ctx *ctx,
10607 struct nft_set *set)
10608 {
10609 u8 genmask = nft_genmask_next(ctx->net);
10610 struct nft_set_elem_catchall *catchall;
10611 struct nft_set_ext *ext;
10612 int ret = 0;
10613
10614 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
10615 ext = nft_set_elem_ext(set, catchall->elem);
10616 if (!nft_set_elem_active(ext, genmask))
10617 continue;
10618
10619 ret = nft_check_loops(ctx, ext);
10620 if (ret < 0)
10621 return ret;
10622 }
10623
10624 return ret;
10625 }
10626
10627 static int nf_tables_check_loops(const struct nft_ctx *ctx,
10628 const struct nft_chain *chain)
10629 {
10630 const struct nft_rule *rule;
10631 const struct nft_expr *expr, *last;
10632 struct nft_set *set;
10633 struct nft_set_binding *binding;
10634 struct nft_set_iter iter;
10635
10636 if (ctx->chain == chain)
10637 return -ELOOP;
10638
10639 if (fatal_signal_pending(current))
10640 return -EINTR;
10641
10642 list_for_each_entry(rule, &chain->rules, list) {
10643 nft_rule_for_each_expr(expr, last, rule) {
10644 struct nft_immediate_expr *priv;
10645 const struct nft_data *data;
10646 int err;
10647
10648 if (strcmp(expr->ops->type->name, "immediate"))
10649 continue;
10650
10651 priv = nft_expr_priv(expr);
10652 if (priv->dreg != NFT_REG_VERDICT)
10653 continue;
10654
10655 data = &priv->data;
10656 switch (data->verdict.code) {
10657 case NFT_JUMP:
10658 case NFT_GOTO:
10659 err = nf_tables_check_loops(ctx,
10660 data->verdict.chain);
10661 if (err < 0)
10662 return err;
10663 break;
10664 default:
10665 break;
10666 }
10667 }
10668 }
10669
10670 list_for_each_entry(set, &ctx->table->sets, list) {
10671 if (!nft_is_active_next(ctx->net, set))
10672 continue;
10673 if (!(set->flags & NFT_SET_MAP) ||
10674 set->dtype != NFT_DATA_VERDICT)
10675 continue;
10676
10677 list_for_each_entry(binding, &set->bindings, list) {
10678 if (!(binding->flags & NFT_SET_MAP) ||
10679 binding->chain != chain)
10680 continue;
10681
10682 iter.genmask = nft_genmask_next(ctx->net);
10683 iter.skip = 0;
10684 iter.count = 0;
10685 iter.err = 0;
10686 iter.fn = nf_tables_loop_check_setelem;
10687
10688 set->ops->walk(ctx, set, &iter);
10689 if (!iter.err)
10690 iter.err = nft_set_catchall_loops(ctx, set);
10691
10692 if (iter.err < 0)
10693 return iter.err;
10694 }
10695 }
10696
10697 return 0;
10698 }
10699
10700 /**
10701 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
10702 *
10703 * @attr: netlink attribute to fetch value from
10704 * @max: maximum value to be stored in dest
10705 * @dest: pointer to the variable
10706 *
10707 * Parse, check and store a given u32 netlink attribute into variable.
10708 * This function returns -ERANGE if the value goes over maximum value.
10709 * Otherwise a 0 is returned and the attribute value is stored in the
10710 * destination variable.
10711 */
10712 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
10713 {
10714 u32 val;
10715
10716 val = ntohl(nla_get_be32(attr));
10717 if (val > max)
10718 return -ERANGE;
10719
10720 *dest = val;
10721 return 0;
10722 }
10723 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
10724
10725 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
10726 {
10727 unsigned int reg;
10728
10729 reg = ntohl(nla_get_be32(attr));
10730 switch (reg) {
10731 case NFT_REG_VERDICT...NFT_REG_4:
10732 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
10733 break;
10734 case NFT_REG32_00...NFT_REG32_15:
10735 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
10736 break;
10737 default:
10738 return -ERANGE;
10739 }
10740
10741 return 0;
10742 }
10743
10744 /**
10745 * nft_dump_register - dump a register value to a netlink attribute
10746 *
10747 * @skb: socket buffer
10748 * @attr: attribute number
10749 * @reg: register number
10750 *
10751 * Construct a netlink attribute containing the register number. For
10752 * compatibility reasons, register numbers being a multiple of 4 are
10753 * translated to the corresponding 128 bit register numbers.
10754 */
10755 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
10756 {
10757 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
10758 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
10759 else
10760 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
10761
10762 return nla_put_be32(skb, attr, htonl(reg));
10763 }
10764 EXPORT_SYMBOL_GPL(nft_dump_register);
10765
10766 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
10767 {
10768 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10769 return -EINVAL;
10770 if (len == 0)
10771 return -EINVAL;
10772 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
10773 return -ERANGE;
10774
10775 return 0;
10776 }
10777
10778 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
10779 {
10780 u32 reg;
10781 int err;
10782
10783 err = nft_parse_register(attr, &reg);
10784 if (err < 0)
10785 return err;
10786
10787 err = nft_validate_register_load(reg, len);
10788 if (err < 0)
10789 return err;
10790
10791 *sreg = reg;
10792 return 0;
10793 }
10794 EXPORT_SYMBOL_GPL(nft_parse_register_load);
10795
10796 static int nft_validate_register_store(const struct nft_ctx *ctx,
10797 enum nft_registers reg,
10798 const struct nft_data *data,
10799 enum nft_data_types type,
10800 unsigned int len)
10801 {
10802 int err;
10803
10804 switch (reg) {
10805 case NFT_REG_VERDICT:
10806 if (type != NFT_DATA_VERDICT)
10807 return -EINVAL;
10808
10809 if (data != NULL &&
10810 (data->verdict.code == NFT_GOTO ||
10811 data->verdict.code == NFT_JUMP)) {
10812 err = nf_tables_check_loops(ctx, data->verdict.chain);
10813 if (err < 0)
10814 return err;
10815 }
10816
10817 return 0;
10818 default:
10819 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10820 return -EINVAL;
10821 if (len == 0)
10822 return -EINVAL;
10823 if (reg * NFT_REG32_SIZE + len >
10824 sizeof_field(struct nft_regs, data))
10825 return -ERANGE;
10826
10827 if (data != NULL && type != NFT_DATA_VALUE)
10828 return -EINVAL;
10829 return 0;
10830 }
10831 }
10832
10833 int nft_parse_register_store(const struct nft_ctx *ctx,
10834 const struct nlattr *attr, u8 *dreg,
10835 const struct nft_data *data,
10836 enum nft_data_types type, unsigned int len)
10837 {
10838 int err;
10839 u32 reg;
10840
10841 err = nft_parse_register(attr, &reg);
10842 if (err < 0)
10843 return err;
10844
10845 err = nft_validate_register_store(ctx, reg, data, type, len);
10846 if (err < 0)
10847 return err;
10848
10849 *dreg = reg;
10850 return 0;
10851 }
10852 EXPORT_SYMBOL_GPL(nft_parse_register_store);
10853
10854 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
10855 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
10856 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
10857 .len = NFT_CHAIN_MAXNAMELEN - 1 },
10858 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
10859 };
10860
10861 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
10862 struct nft_data_desc *desc, const struct nlattr *nla)
10863 {
10864 u8 genmask = nft_genmask_next(ctx->net);
10865 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
10866 struct nft_chain *chain;
10867 int err;
10868
10869 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
10870 nft_verdict_policy, NULL);
10871 if (err < 0)
10872 return err;
10873
10874 if (!tb[NFTA_VERDICT_CODE])
10875 return -EINVAL;
10876
10877 /* zero padding hole for memcmp */
10878 memset(data, 0, sizeof(*data));
10879 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
10880
10881 switch (data->verdict.code) {
10882 default:
10883 switch (data->verdict.code & NF_VERDICT_MASK) {
10884 case NF_ACCEPT:
10885 case NF_DROP:
10886 case NF_QUEUE:
10887 break;
10888 default:
10889 return -EINVAL;
10890 }
10891 fallthrough;
10892 case NFT_CONTINUE:
10893 case NFT_BREAK:
10894 case NFT_RETURN:
10895 break;
10896 case NFT_JUMP:
10897 case NFT_GOTO:
10898 if (tb[NFTA_VERDICT_CHAIN]) {
10899 chain = nft_chain_lookup(ctx->net, ctx->table,
10900 tb[NFTA_VERDICT_CHAIN],
10901 genmask);
10902 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
10903 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
10904 tb[NFTA_VERDICT_CHAIN_ID],
10905 genmask);
10906 if (IS_ERR(chain))
10907 return PTR_ERR(chain);
10908 } else {
10909 return -EINVAL;
10910 }
10911
10912 if (IS_ERR(chain))
10913 return PTR_ERR(chain);
10914 if (nft_is_base_chain(chain))
10915 return -EOPNOTSUPP;
10916 if (nft_chain_is_bound(chain))
10917 return -EINVAL;
10918 if (desc->flags & NFT_DATA_DESC_SETELEM &&
10919 chain->flags & NFT_CHAIN_BINDING)
10920 return -EINVAL;
10921 if (!nft_use_inc(&chain->use))
10922 return -EMFILE;
10923
10924 data->verdict.chain = chain;
10925 break;
10926 }
10927
10928 desc->len = sizeof(data->verdict);
10929
10930 return 0;
10931 }
10932
10933 static void nft_verdict_uninit(const struct nft_data *data)
10934 {
10935 struct nft_chain *chain;
10936
10937 switch (data->verdict.code) {
10938 case NFT_JUMP:
10939 case NFT_GOTO:
10940 chain = data->verdict.chain;
10941 nft_use_dec(&chain->use);
10942 break;
10943 }
10944 }
10945
10946 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
10947 {
10948 struct nlattr *nest;
10949
10950 nest = nla_nest_start_noflag(skb, type);
10951 if (!nest)
10952 goto nla_put_failure;
10953
10954 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
10955 goto nla_put_failure;
10956
10957 switch (v->code) {
10958 case NFT_JUMP:
10959 case NFT_GOTO:
10960 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
10961 v->chain->name))
10962 goto nla_put_failure;
10963 }
10964 nla_nest_end(skb, nest);
10965 return 0;
10966
10967 nla_put_failure:
10968 return -1;
10969 }
10970
10971 static int nft_value_init(const struct nft_ctx *ctx,
10972 struct nft_data *data, struct nft_data_desc *desc,
10973 const struct nlattr *nla)
10974 {
10975 unsigned int len;
10976
10977 len = nla_len(nla);
10978 if (len == 0)
10979 return -EINVAL;
10980 if (len > desc->size)
10981 return -EOVERFLOW;
10982 if (desc->len) {
10983 if (len != desc->len)
10984 return -EINVAL;
10985 } else {
10986 desc->len = len;
10987 }
10988
10989 nla_memcpy(data->data, nla, len);
10990
10991 return 0;
10992 }
10993
10994 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
10995 unsigned int len)
10996 {
10997 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
10998 }
10999
11000 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11001 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11002 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11003 };
11004
11005 /**
11006 * nft_data_init - parse nf_tables data netlink attributes
11007 *
11008 * @ctx: context of the expression using the data
11009 * @data: destination struct nft_data
11010 * @desc: data description
11011 * @nla: netlink attribute containing data
11012 *
11013 * Parse the netlink data attributes and initialize a struct nft_data.
11014 * The type and length of data are returned in the data description.
11015 *
11016 * The caller can indicate that it only wants to accept data of type
11017 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11018 */
11019 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11020 struct nft_data_desc *desc, const struct nlattr *nla)
11021 {
11022 struct nlattr *tb[NFTA_DATA_MAX + 1];
11023 int err;
11024
11025 if (WARN_ON_ONCE(!desc->size))
11026 return -EINVAL;
11027
11028 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11029 nft_data_policy, NULL);
11030 if (err < 0)
11031 return err;
11032
11033 if (tb[NFTA_DATA_VALUE]) {
11034 if (desc->type != NFT_DATA_VALUE)
11035 return -EINVAL;
11036
11037 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
11038 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11039 if (desc->type != NFT_DATA_VERDICT)
11040 return -EINVAL;
11041
11042 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
11043 } else {
11044 err = -EINVAL;
11045 }
11046
11047 return err;
11048 }
11049 EXPORT_SYMBOL_GPL(nft_data_init);
11050
11051 /**
11052 * nft_data_release - release a nft_data item
11053 *
11054 * @data: struct nft_data to release
11055 * @type: type of data
11056 *
11057 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11058 * all others need to be released by calling this function.
11059 */
11060 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11061 {
11062 if (type < NFT_DATA_VERDICT)
11063 return;
11064 switch (type) {
11065 case NFT_DATA_VERDICT:
11066 return nft_verdict_uninit(data);
11067 default:
11068 WARN_ON(1);
11069 }
11070 }
11071 EXPORT_SYMBOL_GPL(nft_data_release);
11072
11073 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
11074 enum nft_data_types type, unsigned int len)
11075 {
11076 struct nlattr *nest;
11077 int err;
11078
11079 nest = nla_nest_start_noflag(skb, attr);
11080 if (nest == NULL)
11081 return -1;
11082
11083 switch (type) {
11084 case NFT_DATA_VALUE:
11085 err = nft_value_dump(skb, data, len);
11086 break;
11087 case NFT_DATA_VERDICT:
11088 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
11089 break;
11090 default:
11091 err = -EINVAL;
11092 WARN_ON(1);
11093 }
11094
11095 nla_nest_end(skb, nest);
11096 return err;
11097 }
11098 EXPORT_SYMBOL_GPL(nft_data_dump);
11099
11100 int __nft_release_basechain(struct nft_ctx *ctx)
11101 {
11102 struct nft_rule *rule, *nr;
11103
11104 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
11105 return 0;
11106
11107 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
11108 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
11109 list_del(&rule->list);
11110 nft_use_dec(&ctx->chain->use);
11111 nf_tables_rule_release(ctx, rule);
11112 }
11113 nft_chain_del(ctx->chain);
11114 nft_use_dec(&ctx->table->use);
11115 nf_tables_chain_destroy(ctx);
11116
11117 return 0;
11118 }
11119 EXPORT_SYMBOL_GPL(__nft_release_basechain);
11120
11121 static void __nft_release_hook(struct net *net, struct nft_table *table)
11122 {
11123 struct nft_flowtable *flowtable;
11124 struct nft_chain *chain;
11125
11126 list_for_each_entry(chain, &table->chains, list)
11127 __nf_tables_unregister_hook(net, table, chain, true);
11128 list_for_each_entry(flowtable, &table->flowtables, list)
11129 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
11130 true);
11131 }
11132
11133 static void __nft_release_hooks(struct net *net)
11134 {
11135 struct nftables_pernet *nft_net = nft_pernet(net);
11136 struct nft_table *table;
11137
11138 list_for_each_entry(table, &nft_net->tables, list) {
11139 if (nft_table_has_owner(table))
11140 continue;
11141
11142 __nft_release_hook(net, table);
11143 }
11144 }
11145
11146 static void __nft_release_table(struct net *net, struct nft_table *table)
11147 {
11148 struct nft_flowtable *flowtable, *nf;
11149 struct nft_chain *chain, *nc;
11150 struct nft_object *obj, *ne;
11151 struct nft_rule *rule, *nr;
11152 struct nft_set *set, *ns;
11153 struct nft_ctx ctx = {
11154 .net = net,
11155 .family = NFPROTO_NETDEV,
11156 };
11157
11158 ctx.family = table->family;
11159 ctx.table = table;
11160 list_for_each_entry(chain, &table->chains, list) {
11161 if (nft_chain_binding(chain))
11162 continue;
11163
11164 ctx.chain = chain;
11165 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
11166 list_del(&rule->list);
11167 nft_use_dec(&chain->use);
11168 nf_tables_rule_release(&ctx, rule);
11169 }
11170 }
11171 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11172 list_del(&flowtable->list);
11173 nft_use_dec(&table->use);
11174 nf_tables_flowtable_destroy(flowtable);
11175 }
11176 list_for_each_entry_safe(set, ns, &table->sets, list) {
11177 list_del(&set->list);
11178 nft_use_dec(&table->use);
11179 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11180 nft_map_deactivate(&ctx, set);
11181
11182 nft_set_destroy(&ctx, set);
11183 }
11184 list_for_each_entry_safe(obj, ne, &table->objects, list) {
11185 nft_obj_del(obj);
11186 nft_use_dec(&table->use);
11187 nft_obj_destroy(&ctx, obj);
11188 }
11189 list_for_each_entry_safe(chain, nc, &table->chains, list) {
11190 ctx.chain = chain;
11191 nft_chain_del(chain);
11192 nft_use_dec(&table->use);
11193 nf_tables_chain_destroy(&ctx);
11194 }
11195 nf_tables_table_destroy(&ctx);
11196 }
11197
11198 static void __nft_release_tables(struct net *net)
11199 {
11200 struct nftables_pernet *nft_net = nft_pernet(net);
11201 struct nft_table *table, *nt;
11202
11203 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
11204 if (nft_table_has_owner(table))
11205 continue;
11206
11207 list_del(&table->list);
11208
11209 __nft_release_table(net, table);
11210 }
11211 }
11212
11213 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
11214 void *ptr)
11215 {
11216 struct nft_table *table, *to_delete[8];
11217 struct nftables_pernet *nft_net;
11218 struct netlink_notify *n = ptr;
11219 struct net *net = n->net;
11220 unsigned int deleted;
11221 bool restart = false;
11222 unsigned int gc_seq;
11223
11224 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
11225 return NOTIFY_DONE;
11226
11227 nft_net = nft_pernet(net);
11228 deleted = 0;
11229 mutex_lock(&nft_net->commit_mutex);
11230
11231 gc_seq = nft_gc_seq_begin(nft_net);
11232
11233 if (!list_empty(&nf_tables_destroy_list))
11234 nf_tables_trans_destroy_flush_work();
11235 again:
11236 list_for_each_entry(table, &nft_net->tables, list) {
11237 if (nft_table_has_owner(table) &&
11238 n->portid == table->nlpid) {
11239 __nft_release_hook(net, table);
11240 list_del_rcu(&table->list);
11241 to_delete[deleted++] = table;
11242 if (deleted >= ARRAY_SIZE(to_delete))
11243 break;
11244 }
11245 }
11246 if (deleted) {
11247 restart = deleted >= ARRAY_SIZE(to_delete);
11248 synchronize_rcu();
11249 while (deleted)
11250 __nft_release_table(net, to_delete[--deleted]);
11251
11252 if (restart)
11253 goto again;
11254 }
11255 nft_gc_seq_end(nft_net, gc_seq);
11256
11257 mutex_unlock(&nft_net->commit_mutex);
11258
11259 return NOTIFY_DONE;
11260 }
11261
11262 static struct notifier_block nft_nl_notifier = {
11263 .notifier_call = nft_rcv_nl_event,
11264 };
11265
11266 static int __net_init nf_tables_init_net(struct net *net)
11267 {
11268 struct nftables_pernet *nft_net = nft_pernet(net);
11269
11270 INIT_LIST_HEAD(&nft_net->tables);
11271 INIT_LIST_HEAD(&nft_net->commit_list);
11272 INIT_LIST_HEAD(&nft_net->binding_list);
11273 INIT_LIST_HEAD(&nft_net->module_list);
11274 INIT_LIST_HEAD(&nft_net->notify_list);
11275 mutex_init(&nft_net->commit_mutex);
11276 nft_net->base_seq = 1;
11277 nft_net->gc_seq = 0;
11278 nft_net->validate_state = NFT_VALIDATE_SKIP;
11279
11280 return 0;
11281 }
11282
11283 static void __net_exit nf_tables_pre_exit_net(struct net *net)
11284 {
11285 struct nftables_pernet *nft_net = nft_pernet(net);
11286
11287 mutex_lock(&nft_net->commit_mutex);
11288 __nft_release_hooks(net);
11289 mutex_unlock(&nft_net->commit_mutex);
11290 }
11291
11292 static void __net_exit nf_tables_exit_net(struct net *net)
11293 {
11294 struct nftables_pernet *nft_net = nft_pernet(net);
11295 unsigned int gc_seq;
11296
11297 mutex_lock(&nft_net->commit_mutex);
11298
11299 gc_seq = nft_gc_seq_begin(nft_net);
11300
11301 if (!list_empty(&nft_net->commit_list) ||
11302 !list_empty(&nft_net->module_list))
11303 __nf_tables_abort(net, NFNL_ABORT_NONE);
11304
11305 __nft_release_tables(net);
11306
11307 nft_gc_seq_end(nft_net, gc_seq);
11308
11309 mutex_unlock(&nft_net->commit_mutex);
11310 WARN_ON_ONCE(!list_empty(&nft_net->tables));
11311 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
11312 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
11313 }
11314
11315 static void nf_tables_exit_batch(struct list_head *net_exit_list)
11316 {
11317 flush_work(&trans_gc_work);
11318 }
11319
11320 static struct pernet_operations nf_tables_net_ops = {
11321 .init = nf_tables_init_net,
11322 .pre_exit = nf_tables_pre_exit_net,
11323 .exit = nf_tables_exit_net,
11324 .exit_batch = nf_tables_exit_batch,
11325 .id = &nf_tables_net_id,
11326 .size = sizeof(struct nftables_pernet),
11327 };
11328
11329 static int __init nf_tables_module_init(void)
11330 {
11331 int err;
11332
11333 err = register_pernet_subsys(&nf_tables_net_ops);
11334 if (err < 0)
11335 return err;
11336
11337 err = nft_chain_filter_init();
11338 if (err < 0)
11339 goto err_chain_filter;
11340
11341 err = nf_tables_core_module_init();
11342 if (err < 0)
11343 goto err_core_module;
11344
11345 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
11346 if (err < 0)
11347 goto err_netdev_notifier;
11348
11349 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
11350 if (err < 0)
11351 goto err_rht_objname;
11352
11353 err = nft_offload_init();
11354 if (err < 0)
11355 goto err_offload;
11356
11357 err = netlink_register_notifier(&nft_nl_notifier);
11358 if (err < 0)
11359 goto err_netlink_notifier;
11360
11361 /* must be last */
11362 err = nfnetlink_subsys_register(&nf_tables_subsys);
11363 if (err < 0)
11364 goto err_nfnl_subsys;
11365
11366 nft_chain_route_init();
11367
11368 return err;
11369
11370 err_nfnl_subsys:
11371 netlink_unregister_notifier(&nft_nl_notifier);
11372 err_netlink_notifier:
11373 nft_offload_exit();
11374 err_offload:
11375 rhltable_destroy(&nft_objname_ht);
11376 err_rht_objname:
11377 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11378 err_netdev_notifier:
11379 nf_tables_core_module_exit();
11380 err_core_module:
11381 nft_chain_filter_fini();
11382 err_chain_filter:
11383 unregister_pernet_subsys(&nf_tables_net_ops);
11384 return err;
11385 }
11386
11387 static void __exit nf_tables_module_exit(void)
11388 {
11389 nfnetlink_subsys_unregister(&nf_tables_subsys);
11390 netlink_unregister_notifier(&nft_nl_notifier);
11391 nft_offload_exit();
11392 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11393 nft_chain_filter_fini();
11394 nft_chain_route_fini();
11395 unregister_pernet_subsys(&nf_tables_net_ops);
11396 cancel_work_sync(&trans_gc_work);
11397 cancel_work_sync(&trans_destroy_work);
11398 rcu_barrier();
11399 rhltable_destroy(&nft_objname_ht);
11400 nf_tables_core_module_exit();
11401 }
11402
11403 module_init(nf_tables_module_init);
11404 module_exit(nf_tables_module_exit);
11405
11406 MODULE_LICENSE("GPL");
11407 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
11408 MODULE_DESCRIPTION("Framework for packet filtering and classification");
11409 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
A mirror of Linus' kernel repository