1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 #define NFT_SET_MAX_ANONLEN 16
28
29 unsigned int nf_tables_net_id __read_mostly;
30
31 static LIST_HEAD(nf_tables_expressions);
32 static LIST_HEAD(nf_tables_objects);
33 static LIST_HEAD(nf_tables_flowtables);
34 static LIST_HEAD(nf_tables_destroy_list);
35 static LIST_HEAD(nf_tables_gc_list);
36 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
37 static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
38
39 enum {
40 NFT_VALIDATE_SKIP = 0,
41 NFT_VALIDATE_NEED,
42 NFT_VALIDATE_DO,
43 };
44
45 static struct rhltable nft_objname_ht;
46
47 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
52 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
53 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
54
55 static const struct rhashtable_params nft_chain_ht_params = {
56 .head_offset = offsetof(struct nft_chain, rhlhead),
57 .key_offset = offsetof(struct nft_chain, name),
58 .hashfn = nft_chain_hash,
59 .obj_hashfn = nft_chain_hash_obj,
60 .obj_cmpfn = nft_chain_hash_cmp,
61 .automatic_shrinking = true,
62 };
63
64 static const struct rhashtable_params nft_objname_ht_params = {
65 .head_offset = offsetof(struct nft_object, rhlhead),
66 .key_offset = offsetof(struct nft_object, key),
67 .hashfn = nft_objname_hash,
68 .obj_hashfn = nft_objname_hash_obj,
69 .obj_cmpfn = nft_objname_hash_cmp,
70 .automatic_shrinking = true,
71 };
72
73 struct nft_audit_data {
74 struct nft_table *table;
75 int entries;
76 int op;
77 struct list_head list;
78 };
79
80 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
81 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
82 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
83 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
84 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
85 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
87 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
88 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
90 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
91 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
93 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
94 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
96 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
97 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
99 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
100 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
102 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
103 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
104 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
105 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
106 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
107 };
108
109 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
110 {
111 switch (table->validate_state) {
112 case NFT_VALIDATE_SKIP:
113 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
114 break;
115 case NFT_VALIDATE_NEED:
116 break;
117 case NFT_VALIDATE_DO:
118 if (new_validate_state == NFT_VALIDATE_NEED)
119 return;
120 }
121
122 table->validate_state = new_validate_state;
123 }
124 static void nf_tables_trans_destroy_work(struct work_struct *w);
125 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
126
127 static void nft_trans_gc_work(struct work_struct *work);
128 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
129
130 static void nft_ctx_init(struct nft_ctx *ctx,
131 struct net *net,
132 const struct sk_buff *skb,
133 const struct nlmsghdr *nlh,
134 u8 family,
135 struct nft_table *table,
136 struct nft_chain *chain,
137 const struct nlattr * const *nla)
138 {
139 ctx->net = net;
140 ctx->family = family;
141 ctx->level = 0;
142 ctx->table = table;
143 ctx->chain = chain;
144 ctx->nla = nla;
145 ctx->portid = NETLINK_CB(skb).portid;
146 ctx->report = nlmsg_report(nlh);
147 ctx->flags = nlh->nlmsg_flags;
148 ctx->seq = nlh->nlmsg_seq;
149 }
150
151 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
152 int msg_type, u32 size, gfp_t gfp)
153 {
154 struct nft_trans *trans;
155
156 trans = kzalloc(size, gfp);
157 if (trans == NULL)
158 return NULL;
159
160 INIT_LIST_HEAD(&trans->list);
161 trans->msg_type = msg_type;
162
163 trans->net = ctx->net;
164 trans->table = ctx->table;
165 trans->seq = ctx->seq;
166 trans->flags = ctx->flags;
167 trans->report = ctx->report;
168
169 return trans;
170 }
171
172 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
173 int msg_type, u32 size)
174 {
175 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
176 }
177
178 static struct nft_trans_binding *nft_trans_get_binding(struct nft_trans *trans)
179 {
180 switch (trans->msg_type) {
181 case NFT_MSG_NEWCHAIN:
182 case NFT_MSG_NEWSET:
183 return container_of(trans, struct nft_trans_binding, nft_trans);
184 }
185
186 return NULL;
187 }
188
189 static void nft_trans_list_del(struct nft_trans *trans)
190 {
191 struct nft_trans_binding *trans_binding;
192
193 list_del(&trans->list);
194
195 trans_binding = nft_trans_get_binding(trans);
196 if (trans_binding)
197 list_del(&trans_binding->binding_list);
198 }
199
200 static void nft_trans_destroy(struct nft_trans *trans)
201 {
202 nft_trans_list_del(trans);
203 kfree(trans);
204 }
205
206 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
207 bool bind)
208 {
209 struct nftables_pernet *nft_net;
210 struct net *net = ctx->net;
211 struct nft_trans *trans;
212
213 if (!nft_set_is_anonymous(set))
214 return;
215
216 nft_net = nft_pernet(net);
217 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
218 switch (trans->msg_type) {
219 case NFT_MSG_NEWSET:
220 if (nft_trans_set(trans) == set)
221 nft_trans_set_bound(trans) = bind;
222 break;
223 case NFT_MSG_NEWSETELEM:
224 if (nft_trans_elem_set(trans) == set)
225 nft_trans_elem_set_bound(trans) = bind;
226 break;
227 }
228 }
229 }
230
231 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
232 {
233 return __nft_set_trans_bind(ctx, set, true);
234 }
235
236 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
237 {
238 return __nft_set_trans_bind(ctx, set, false);
239 }
240
241 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
242 struct nft_chain *chain, bool bind)
243 {
244 struct nftables_pernet *nft_net;
245 struct net *net = ctx->net;
246 struct nft_trans *trans;
247
248 if (!nft_chain_binding(chain))
249 return;
250
251 nft_net = nft_pernet(net);
252 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
253 switch (trans->msg_type) {
254 case NFT_MSG_NEWCHAIN:
255 if (nft_trans_chain(trans) == chain)
256 nft_trans_chain_bound(trans) = bind;
257 break;
258 case NFT_MSG_NEWRULE:
259 if (nft_trans_rule_chain(trans) == chain)
260 nft_trans_rule_bound(trans) = bind;
261 break;
262 }
263 }
264 }
265
266 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
267 struct nft_chain *chain)
268 {
269 __nft_chain_trans_bind(ctx, chain, true);
270 }
271
272 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
273 {
274 if (!nft_chain_binding(chain))
275 return 0;
276
277 if (nft_chain_binding(ctx->chain))
278 return -EOPNOTSUPP;
279
280 if (chain->bound)
281 return -EBUSY;
282
283 if (!nft_use_inc(&chain->use))
284 return -EMFILE;
285
286 chain->bound = true;
287 nft_chain_trans_bind(ctx, chain);
288
289 return 0;
290 }
291
292 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
293 {
294 __nft_chain_trans_bind(ctx, chain, false);
295 }
296
297 static int nft_netdev_register_hooks(struct net *net,
298 struct list_head *hook_list)
299 {
300 struct nft_hook *hook;
301 int err, j;
302
303 j = 0;
304 list_for_each_entry(hook, hook_list, list) {
305 err = nf_register_net_hook(net, &hook->ops);
306 if (err < 0)
307 goto err_register;
308
309 j++;
310 }
311 return 0;
312
313 err_register:
314 list_for_each_entry(hook, hook_list, list) {
315 if (j-- <= 0)
316 break;
317
318 nf_unregister_net_hook(net, &hook->ops);
319 }
320 return err;
321 }
322
323 static void nft_netdev_unregister_hooks(struct net *net,
324 struct list_head *hook_list,
325 bool release_netdev)
326 {
327 struct nft_hook *hook, *next;
328
329 list_for_each_entry_safe(hook, next, hook_list, list) {
330 nf_unregister_net_hook(net, &hook->ops);
331 if (release_netdev) {
332 list_del(&hook->list);
333 kfree_rcu(hook, rcu);
334 }
335 }
336 }
337
338 static int nf_tables_register_hook(struct net *net,
339 const struct nft_table *table,
340 struct nft_chain *chain)
341 {
342 struct nft_base_chain *basechain;
343 const struct nf_hook_ops *ops;
344
345 if (table->flags & NFT_TABLE_F_DORMANT ||
346 !nft_is_base_chain(chain))
347 return 0;
348
349 basechain = nft_base_chain(chain);
350 ops = &basechain->ops;
351
352 if (basechain->type->ops_register)
353 return basechain->type->ops_register(net, ops);
354
355 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
356 return nft_netdev_register_hooks(net, &basechain->hook_list);
357
358 return nf_register_net_hook(net, &basechain->ops);
359 }
360
361 static void __nf_tables_unregister_hook(struct net *net,
362 const struct nft_table *table,
363 struct nft_chain *chain,
364 bool release_netdev)
365 {
366 struct nft_base_chain *basechain;
367 const struct nf_hook_ops *ops;
368
369 if (table->flags & NFT_TABLE_F_DORMANT ||
370 !nft_is_base_chain(chain))
371 return;
372 basechain = nft_base_chain(chain);
373 ops = &basechain->ops;
374
375 if (basechain->type->ops_unregister)
376 return basechain->type->ops_unregister(net, ops);
377
378 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
379 nft_netdev_unregister_hooks(net, &basechain->hook_list,
380 release_netdev);
381 else
382 nf_unregister_net_hook(net, &basechain->ops);
383 }
384
385 static void nf_tables_unregister_hook(struct net *net,
386 const struct nft_table *table,
387 struct nft_chain *chain)
388 {
389 return __nf_tables_unregister_hook(net, table, chain, false);
390 }
391
392 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
393 {
394 struct nftables_pernet *nft_net = nft_pernet(net);
395 struct nft_trans_binding *binding;
396
397 list_add_tail(&trans->list, &nft_net->commit_list);
398
399 binding = nft_trans_get_binding(trans);
400 if (!binding)
401 return;
402
403 switch (trans->msg_type) {
404 case NFT_MSG_NEWSET:
405 if (!nft_trans_set_update(trans) &&
406 nft_set_is_anonymous(nft_trans_set(trans)))
407 list_add_tail(&binding->binding_list, &nft_net->binding_list);
408 break;
409 case NFT_MSG_NEWCHAIN:
410 if (!nft_trans_chain_update(trans) &&
411 nft_chain_binding(nft_trans_chain(trans)))
412 list_add_tail(&binding->binding_list, &nft_net->binding_list);
413 break;
414 }
415 }
416
417 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
418 {
419 struct nft_trans *trans;
420
421 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
422 if (trans == NULL)
423 return -ENOMEM;
424
425 if (msg_type == NFT_MSG_NEWTABLE)
426 nft_activate_next(ctx->net, ctx->table);
427
428 nft_trans_commit_list_add_tail(ctx->net, trans);
429 return 0;
430 }
431
432 static int nft_deltable(struct nft_ctx *ctx)
433 {
434 int err;
435
436 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
437 if (err < 0)
438 return err;
439
440 nft_deactivate_next(ctx->net, ctx->table);
441 return err;
442 }
443
444 static struct nft_trans *
445 nft_trans_alloc_chain(const struct nft_ctx *ctx, int msg_type)
446 {
447 struct nft_trans_chain *trans_chain;
448 struct nft_trans *trans;
449
450 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
451 if (!trans)
452 return NULL;
453
454 trans_chain = nft_trans_container_chain(trans);
455 INIT_LIST_HEAD(&trans_chain->nft_trans_binding.binding_list);
456 trans_chain->chain = ctx->chain;
457
458 return trans;
459 }
460
461 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
462 {
463 struct nft_trans *trans;
464
465 trans = nft_trans_alloc_chain(ctx, msg_type);
466 if (trans == NULL)
467 return ERR_PTR(-ENOMEM);
468
469 if (msg_type == NFT_MSG_NEWCHAIN) {
470 nft_activate_next(ctx->net, ctx->chain);
471
472 if (ctx->nla[NFTA_CHAIN_ID]) {
473 nft_trans_chain_id(trans) =
474 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
475 }
476 }
477 nft_trans_commit_list_add_tail(ctx->net, trans);
478
479 return trans;
480 }
481
482 static int nft_delchain(struct nft_ctx *ctx)
483 {
484 struct nft_trans *trans;
485
486 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
487 if (IS_ERR(trans))
488 return PTR_ERR(trans);
489
490 nft_use_dec(&ctx->table->use);
491 nft_deactivate_next(ctx->net, ctx->chain);
492
493 return 0;
494 }
495
496 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
497 {
498 struct nft_expr *expr;
499
500 expr = nft_expr_first(rule);
501 while (nft_expr_more(rule, expr)) {
502 if (expr->ops->activate)
503 expr->ops->activate(ctx, expr);
504
505 expr = nft_expr_next(expr);
506 }
507 }
508
509 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
510 enum nft_trans_phase phase)
511 {
512 struct nft_expr *expr;
513
514 expr = nft_expr_first(rule);
515 while (nft_expr_more(rule, expr)) {
516 if (expr->ops->deactivate)
517 expr->ops->deactivate(ctx, expr, phase);
518
519 expr = nft_expr_next(expr);
520 }
521 }
522
523 static int
524 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
525 {
526 /* You cannot delete the same rule twice */
527 if (nft_is_active_next(ctx->net, rule)) {
528 nft_deactivate_next(ctx->net, rule);
529 nft_use_dec(&ctx->chain->use);
530 return 0;
531 }
532 return -ENOENT;
533 }
534
535 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
536 struct nft_rule *rule)
537 {
538 struct nft_trans *trans;
539
540 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
541 if (trans == NULL)
542 return NULL;
543
544 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
545 nft_trans_rule_id(trans) =
546 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
547 }
548 nft_trans_rule(trans) = rule;
549 nft_trans_rule_chain(trans) = ctx->chain;
550 nft_trans_commit_list_add_tail(ctx->net, trans);
551
552 return trans;
553 }
554
555 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
556 {
557 struct nft_flow_rule *flow;
558 struct nft_trans *trans;
559 int err;
560
561 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
562 if (trans == NULL)
563 return -ENOMEM;
564
565 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
566 flow = nft_flow_rule_create(ctx->net, rule);
567 if (IS_ERR(flow)) {
568 nft_trans_destroy(trans);
569 return PTR_ERR(flow);
570 }
571
572 nft_trans_flow_rule(trans) = flow;
573 }
574
575 err = nf_tables_delrule_deactivate(ctx, rule);
576 if (err < 0) {
577 nft_trans_destroy(trans);
578 return err;
579 }
580 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
581
582 return 0;
583 }
584
585 static int nft_delrule_by_chain(struct nft_ctx *ctx)
586 {
587 struct nft_rule *rule;
588 int err;
589
590 list_for_each_entry(rule, &ctx->chain->rules, list) {
591 if (!nft_is_active_next(ctx->net, rule))
592 continue;
593
594 err = nft_delrule(ctx, rule);
595 if (err < 0)
596 return err;
597 }
598 return 0;
599 }
600
601 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
602 struct nft_set *set,
603 const struct nft_set_desc *desc)
604 {
605 struct nft_trans_set *trans_set;
606 struct nft_trans *trans;
607
608 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
609 if (trans == NULL)
610 return -ENOMEM;
611
612 trans_set = nft_trans_container_set(trans);
613 INIT_LIST_HEAD(&trans_set->nft_trans_binding.binding_list);
614
615 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
616 nft_trans_set_id(trans) =
617 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
618 nft_activate_next(ctx->net, set);
619 }
620 nft_trans_set(trans) = set;
621 if (desc) {
622 nft_trans_set_update(trans) = true;
623 nft_trans_set_gc_int(trans) = desc->gc_int;
624 nft_trans_set_timeout(trans) = desc->timeout;
625 nft_trans_set_size(trans) = desc->size;
626 }
627 nft_trans_commit_list_add_tail(ctx->net, trans);
628
629 return 0;
630 }
631
632 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
633 struct nft_set *set)
634 {
635 return __nft_trans_set_add(ctx, msg_type, set, NULL);
636 }
637
638 static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
639 struct nft_set *set,
640 const struct nft_set_iter *iter,
641 struct nft_elem_priv *elem_priv)
642 {
643 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
644
645 if (!nft_set_elem_active(ext, iter->genmask))
646 return 0;
647
648 nft_set_elem_change_active(ctx->net, set, ext);
649 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
650
651 return 0;
652 }
653
654 struct nft_set_elem_catchall {
655 struct list_head list;
656 struct rcu_head rcu;
657 struct nft_elem_priv *elem;
658 };
659
660 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
661 struct nft_set *set)
662 {
663 u8 genmask = nft_genmask_next(ctx->net);
664 struct nft_set_elem_catchall *catchall;
665 struct nft_set_ext *ext;
666
667 list_for_each_entry(catchall, &set->catchall_list, list) {
668 ext = nft_set_elem_ext(set, catchall->elem);
669 if (!nft_set_elem_active(ext, genmask))
670 continue;
671
672 nft_set_elem_change_active(ctx->net, set, ext);
673 nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
674 break;
675 }
676 }
677
678 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
679 {
680 struct nft_set_iter iter = {
681 .genmask = nft_genmask_next(ctx->net),
682 .type = NFT_ITER_UPDATE,
683 .fn = nft_mapelem_deactivate,
684 };
685
686 set->ops->walk(ctx, set, &iter);
687 WARN_ON_ONCE(iter.err);
688
689 nft_map_catchall_deactivate(ctx, set);
690 }
691
692 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
693 {
694 int err;
695
696 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
697 if (err < 0)
698 return err;
699
700 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
701 nft_map_deactivate(ctx, set);
702
703 nft_deactivate_next(ctx->net, set);
704 nft_use_dec(&ctx->table->use);
705
706 return err;
707 }
708
709 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
710 struct nft_object *obj)
711 {
712 struct nft_trans *trans;
713
714 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
715 if (trans == NULL)
716 return -ENOMEM;
717
718 if (msg_type == NFT_MSG_NEWOBJ)
719 nft_activate_next(ctx->net, obj);
720
721 nft_trans_obj(trans) = obj;
722 nft_trans_commit_list_add_tail(ctx->net, trans);
723
724 return 0;
725 }
726
727 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
728 {
729 int err;
730
731 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
732 if (err < 0)
733 return err;
734
735 nft_deactivate_next(ctx->net, obj);
736 nft_use_dec(&ctx->table->use);
737
738 return err;
739 }
740
741 static struct nft_trans *
742 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
743 struct nft_flowtable *flowtable)
744 {
745 struct nft_trans *trans;
746
747 trans = nft_trans_alloc(ctx, msg_type,
748 sizeof(struct nft_trans_flowtable));
749 if (trans == NULL)
750 return ERR_PTR(-ENOMEM);
751
752 if (msg_type == NFT_MSG_NEWFLOWTABLE)
753 nft_activate_next(ctx->net, flowtable);
754
755 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
756 nft_trans_flowtable(trans) = flowtable;
757 nft_trans_commit_list_add_tail(ctx->net, trans);
758
759 return trans;
760 }
761
762 static int nft_delflowtable(struct nft_ctx *ctx,
763 struct nft_flowtable *flowtable)
764 {
765 struct nft_trans *trans;
766
767 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
768 if (IS_ERR(trans))
769 return PTR_ERR(trans);
770
771 nft_deactivate_next(ctx->net, flowtable);
772 nft_use_dec(&ctx->table->use);
773
774 return 0;
775 }
776
777 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
778 {
779 int i;
780
781 for (i = track->regs[dreg].num_reg; i > 0; i--)
782 __nft_reg_track_cancel(track, dreg - i);
783 }
784
785 static void __nft_reg_track_update(struct nft_regs_track *track,
786 const struct nft_expr *expr,
787 u8 dreg, u8 num_reg)
788 {
789 track->regs[dreg].selector = expr;
790 track->regs[dreg].bitwise = NULL;
791 track->regs[dreg].num_reg = num_reg;
792 }
793
794 void nft_reg_track_update(struct nft_regs_track *track,
795 const struct nft_expr *expr, u8 dreg, u8 len)
796 {
797 unsigned int regcount;
798 int i;
799
800 __nft_reg_track_clobber(track, dreg);
801
802 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
803 for (i = 0; i < regcount; i++, dreg++)
804 __nft_reg_track_update(track, expr, dreg, i);
805 }
806 EXPORT_SYMBOL_GPL(nft_reg_track_update);
807
808 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
809 {
810 unsigned int regcount;
811 int i;
812
813 __nft_reg_track_clobber(track, dreg);
814
815 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
816 for (i = 0; i < regcount; i++, dreg++)
817 __nft_reg_track_cancel(track, dreg);
818 }
819 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
820
821 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
822 {
823 track->regs[dreg].selector = NULL;
824 track->regs[dreg].bitwise = NULL;
825 track->regs[dreg].num_reg = 0;
826 }
827 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
828
829 /*
830 * Tables
831 */
832
833 static struct nft_table *nft_table_lookup(const struct net *net,
834 const struct nlattr *nla,
835 u8 family, u8 genmask, u32 nlpid)
836 {
837 struct nftables_pernet *nft_net;
838 struct nft_table *table;
839
840 if (nla == NULL)
841 return ERR_PTR(-EINVAL);
842
843 nft_net = nft_pernet(net);
844 list_for_each_entry_rcu(table, &nft_net->tables, list,
845 lockdep_is_held(&nft_net->commit_mutex)) {
846 if (!nla_strcmp(nla, table->name) &&
847 table->family == family &&
848 nft_active_genmask(table, genmask)) {
849 if (nft_table_has_owner(table) &&
850 nlpid && table->nlpid != nlpid)
851 return ERR_PTR(-EPERM);
852
853 return table;
854 }
855 }
856
857 return ERR_PTR(-ENOENT);
858 }
859
860 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
861 const struct nlattr *nla,
862 int family, u8 genmask, u32 nlpid)
863 {
864 struct nftables_pernet *nft_net;
865 struct nft_table *table;
866
867 nft_net = nft_pernet(net);
868 list_for_each_entry(table, &nft_net->tables, list) {
869 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
870 table->family == family &&
871 nft_active_genmask(table, genmask)) {
872 if (nft_table_has_owner(table) &&
873 nlpid && table->nlpid != nlpid)
874 return ERR_PTR(-EPERM);
875
876 return table;
877 }
878 }
879
880 return ERR_PTR(-ENOENT);
881 }
882
883 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
884 {
885 return ++table->hgenerator;
886 }
887
888 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
889
890 static const struct nft_chain_type *
891 __nft_chain_type_get(u8 family, enum nft_chain_types type)
892 {
893 if (family >= NFPROTO_NUMPROTO ||
894 type >= NFT_CHAIN_T_MAX)
895 return NULL;
896
897 return chain_type[family][type];
898 }
899
900 static const struct nft_chain_type *
901 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
902 {
903 const struct nft_chain_type *type;
904 int i;
905
906 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
907 type = __nft_chain_type_get(family, i);
908 if (!type)
909 continue;
910 if (!nla_strcmp(nla, type->name))
911 return type;
912 }
913 return NULL;
914 }
915
916 struct nft_module_request {
917 struct list_head list;
918 char module[MODULE_NAME_LEN];
919 bool done;
920 };
921
922 #ifdef CONFIG_MODULES
923 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
924 ...)
925 {
926 char module_name[MODULE_NAME_LEN];
927 struct nftables_pernet *nft_net;
928 struct nft_module_request *req;
929 va_list args;
930 int ret;
931
932 va_start(args, fmt);
933 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
934 va_end(args);
935 if (ret >= MODULE_NAME_LEN)
936 return 0;
937
938 nft_net = nft_pernet(net);
939 list_for_each_entry(req, &nft_net->module_list, list) {
940 if (!strcmp(req->module, module_name)) {
941 if (req->done)
942 return 0;
943
944 /* A request to load this module already exists. */
945 return -EAGAIN;
946 }
947 }
948
949 req = kmalloc(sizeof(*req), GFP_KERNEL);
950 if (!req)
951 return -ENOMEM;
952
953 req->done = false;
954 strscpy(req->module, module_name, MODULE_NAME_LEN);
955 list_add_tail(&req->list, &nft_net->module_list);
956
957 return -EAGAIN;
958 }
959 EXPORT_SYMBOL_GPL(nft_request_module);
960 #endif
961
962 static void lockdep_nfnl_nft_mutex_not_held(void)
963 {
964 #ifdef CONFIG_PROVE_LOCKING
965 if (debug_locks)
966 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
967 #endif
968 }
969
970 static const struct nft_chain_type *
971 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
972 u8 family, bool autoload)
973 {
974 const struct nft_chain_type *type;
975
976 type = __nf_tables_chain_type_lookup(nla, family);
977 if (type != NULL)
978 return type;
979
980 lockdep_nfnl_nft_mutex_not_held();
981 #ifdef CONFIG_MODULES
982 if (autoload) {
983 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
984 nla_len(nla),
985 (const char *)nla_data(nla)) == -EAGAIN)
986 return ERR_PTR(-EAGAIN);
987 }
988 #endif
989 return ERR_PTR(-ENOENT);
990 }
991
992 static __be16 nft_base_seq(const struct net *net)
993 {
994 struct nftables_pernet *nft_net = nft_pernet(net);
995
996 return htons(nft_net->base_seq & 0xffff);
997 }
998
999 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
1000 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
1001 .len = NFT_TABLE_MAXNAMELEN - 1 },
1002 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
1003 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
1004 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
1005 .len = NFT_USERDATA_MAXLEN }
1006 };
1007
1008 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
1009 u32 portid, u32 seq, int event, u32 flags,
1010 int family, const struct nft_table *table)
1011 {
1012 struct nlmsghdr *nlh;
1013
1014 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1015 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1016 NFNETLINK_V0, nft_base_seq(net));
1017 if (!nlh)
1018 goto nla_put_failure;
1019
1020 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
1021 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
1022 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
1023 NFTA_TABLE_PAD))
1024 goto nla_put_failure;
1025
1026 if (event == NFT_MSG_DELTABLE) {
1027 nlmsg_end(skb, nlh);
1028 return 0;
1029 }
1030
1031 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
1032 htonl(table->flags & NFT_TABLE_F_MASK)))
1033 goto nla_put_failure;
1034
1035 if (nft_table_has_owner(table) &&
1036 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
1037 goto nla_put_failure;
1038
1039 if (table->udata) {
1040 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
1041 goto nla_put_failure;
1042 }
1043
1044 nlmsg_end(skb, nlh);
1045 return 0;
1046
1047 nla_put_failure:
1048 nlmsg_trim(skb, nlh);
1049 return -1;
1050 }
1051
1052 struct nftnl_skb_parms {
1053 bool report;
1054 };
1055 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1056
1057 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1058 struct list_head *notify_list)
1059 {
1060 NFT_CB(skb).report = report;
1061 list_add_tail(&skb->list, notify_list);
1062 }
1063
1064 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1065 {
1066 struct nftables_pernet *nft_net;
1067 struct sk_buff *skb;
1068 u16 flags = 0;
1069 int err;
1070
1071 if (!ctx->report &&
1072 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1073 return;
1074
1075 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1076 if (skb == NULL)
1077 goto err;
1078
1079 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1080 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1081
1082 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
1083 event, flags, ctx->family, ctx->table);
1084 if (err < 0) {
1085 kfree_skb(skb);
1086 goto err;
1087 }
1088
1089 nft_net = nft_pernet(ctx->net);
1090 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1091 return;
1092 err:
1093 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1094 }
1095
1096 static int nf_tables_dump_tables(struct sk_buff *skb,
1097 struct netlink_callback *cb)
1098 {
1099 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1100 struct nftables_pernet *nft_net;
1101 const struct nft_table *table;
1102 unsigned int idx = 0, s_idx = cb->args[0];
1103 struct net *net = sock_net(skb->sk);
1104 int family = nfmsg->nfgen_family;
1105
1106 rcu_read_lock();
1107 nft_net = nft_pernet(net);
1108 cb->seq = READ_ONCE(nft_net->base_seq);
1109
1110 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1111 if (family != NFPROTO_UNSPEC && family != table->family)
1112 continue;
1113
1114 if (idx < s_idx)
1115 goto cont;
1116 if (idx > s_idx)
1117 memset(&cb->args[1], 0,
1118 sizeof(cb->args) - sizeof(cb->args[0]));
1119 if (!nft_is_active(net, table))
1120 continue;
1121 if (nf_tables_fill_table_info(skb, net,
1122 NETLINK_CB(cb->skb).portid,
1123 cb->nlh->nlmsg_seq,
1124 NFT_MSG_NEWTABLE, NLM_F_MULTI,
1125 table->family, table) < 0)
1126 goto done;
1127
1128 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1129 cont:
1130 idx++;
1131 }
1132 done:
1133 rcu_read_unlock();
1134 cb->args[0] = idx;
1135 return skb->len;
1136 }
1137
1138 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1139 const struct nlmsghdr *nlh,
1140 struct netlink_dump_control *c)
1141 {
1142 int err;
1143
1144 if (!try_module_get(THIS_MODULE))
1145 return -EINVAL;
1146
1147 rcu_read_unlock();
1148 err = netlink_dump_start(nlsk, skb, nlh, c);
1149 rcu_read_lock();
1150 module_put(THIS_MODULE);
1151
1152 return err;
1153 }
1154
1155 /* called with rcu_read_lock held */
1156 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1157 const struct nlattr * const nla[])
1158 {
1159 struct netlink_ext_ack *extack = info->extack;
1160 u8 genmask = nft_genmask_cur(info->net);
1161 u8 family = info->nfmsg->nfgen_family;
1162 const struct nft_table *table;
1163 struct net *net = info->net;
1164 struct sk_buff *skb2;
1165 int err;
1166
1167 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1168 struct netlink_dump_control c = {
1169 .dump = nf_tables_dump_tables,
1170 .module = THIS_MODULE,
1171 };
1172
1173 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1174 }
1175
1176 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1177 if (IS_ERR(table)) {
1178 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1179 return PTR_ERR(table);
1180 }
1181
1182 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1183 if (!skb2)
1184 return -ENOMEM;
1185
1186 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1187 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1188 0, family, table);
1189 if (err < 0)
1190 goto err_fill_table_info;
1191
1192 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1193
1194 err_fill_table_info:
1195 kfree_skb(skb2);
1196 return err;
1197 }
1198
1199 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1200 {
1201 struct nft_chain *chain;
1202 u32 i = 0;
1203
1204 list_for_each_entry(chain, &table->chains, list) {
1205 if (!nft_is_active_next(net, chain))
1206 continue;
1207 if (!nft_is_base_chain(chain))
1208 continue;
1209
1210 if (cnt && i++ == cnt)
1211 break;
1212
1213 nf_tables_unregister_hook(net, table, chain);
1214 }
1215 }
1216
1217 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1218 {
1219 struct nft_chain *chain;
1220 int err, i = 0;
1221
1222 list_for_each_entry(chain, &table->chains, list) {
1223 if (!nft_is_active_next(net, chain))
1224 continue;
1225 if (!nft_is_base_chain(chain))
1226 continue;
1227
1228 err = nf_tables_register_hook(net, table, chain);
1229 if (err < 0)
1230 goto err_register_hooks;
1231
1232 i++;
1233 }
1234 return 0;
1235
1236 err_register_hooks:
1237 if (i)
1238 nft_table_disable(net, table, i);
1239 return err;
1240 }
1241
1242 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1243 {
1244 table->flags &= ~NFT_TABLE_F_DORMANT;
1245 nft_table_disable(net, table, 0);
1246 table->flags |= NFT_TABLE_F_DORMANT;
1247 }
1248
1249 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1250 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1251 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1252 #define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2)
1253 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1254 __NFT_TABLE_F_WAS_AWAKEN | \
1255 __NFT_TABLE_F_WAS_ORPHAN)
1256
1257 static bool nft_table_pending_update(const struct nft_ctx *ctx)
1258 {
1259 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1260 struct nft_trans *trans;
1261
1262 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1263 return true;
1264
1265 list_for_each_entry(trans, &nft_net->commit_list, list) {
1266 if (trans->table == ctx->table &&
1267 ((trans->msg_type == NFT_MSG_NEWCHAIN &&
1268 nft_trans_chain_update(trans)) ||
1269 (trans->msg_type == NFT_MSG_DELCHAIN &&
1270 nft_is_base_chain(nft_trans_chain(trans)))))
1271 return true;
1272 }
1273
1274 return false;
1275 }
1276
1277 static int nf_tables_updtable(struct nft_ctx *ctx)
1278 {
1279 struct nft_trans *trans;
1280 u32 flags;
1281 int ret;
1282
1283 if (!ctx->nla[NFTA_TABLE_FLAGS])
1284 return 0;
1285
1286 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1287 if (flags & ~NFT_TABLE_F_MASK)
1288 return -EOPNOTSUPP;
1289
1290 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK))
1291 return 0;
1292
1293 if ((nft_table_has_owner(ctx->table) &&
1294 !(flags & NFT_TABLE_F_OWNER)) ||
1295 (flags & NFT_TABLE_F_OWNER &&
1296 !nft_table_is_orphan(ctx->table)))
1297 return -EOPNOTSUPP;
1298
1299 if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
1300 return -EOPNOTSUPP;
1301
1302 /* No dormant off/on/off/on games in single transaction */
1303 if (nft_table_pending_update(ctx))
1304 return -EINVAL;
1305
1306 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1307 sizeof(struct nft_trans_table));
1308 if (trans == NULL)
1309 return -ENOMEM;
1310
1311 if ((flags & NFT_TABLE_F_DORMANT) &&
1312 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1313 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1314 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1315 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1316 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1317 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1318 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1319 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1320 ret = nf_tables_table_enable(ctx->net, ctx->table);
1321 if (ret < 0)
1322 goto err_register_hooks;
1323
1324 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1325 }
1326 }
1327
1328 if ((flags & NFT_TABLE_F_OWNER) &&
1329 !nft_table_has_owner(ctx->table)) {
1330 ctx->table->nlpid = ctx->portid;
1331 ctx->table->flags |= NFT_TABLE_F_OWNER |
1332 __NFT_TABLE_F_WAS_ORPHAN;
1333 }
1334
1335 nft_trans_table_update(trans) = true;
1336 nft_trans_commit_list_add_tail(ctx->net, trans);
1337
1338 return 0;
1339
1340 err_register_hooks:
1341 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1342 nft_trans_destroy(trans);
1343 return ret;
1344 }
1345
1346 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1347 {
1348 const char *name = data;
1349
1350 return jhash(name, strlen(name), seed);
1351 }
1352
1353 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1354 {
1355 const struct nft_chain *chain = data;
1356
1357 return nft_chain_hash(chain->name, 0, seed);
1358 }
1359
1360 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1361 const void *ptr)
1362 {
1363 const struct nft_chain *chain = ptr;
1364 const char *name = arg->key;
1365
1366 return strcmp(chain->name, name);
1367 }
1368
1369 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1370 {
1371 const struct nft_object_hash_key *k = data;
1372
1373 seed ^= hash_ptr(k->table, 32);
1374
1375 return jhash(k->name, strlen(k->name), seed);
1376 }
1377
1378 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1379 {
1380 const struct nft_object *obj = data;
1381
1382 return nft_objname_hash(&obj->key, 0, seed);
1383 }
1384
1385 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1386 const void *ptr)
1387 {
1388 const struct nft_object_hash_key *k = arg->key;
1389 const struct nft_object *obj = ptr;
1390
1391 if (obj->key.table != k->table)
1392 return -1;
1393
1394 return strcmp(obj->key.name, k->name);
1395 }
1396
1397 static bool nft_supported_family(u8 family)
1398 {
1399 return false
1400 #ifdef CONFIG_NF_TABLES_INET
1401 || family == NFPROTO_INET
1402 #endif
1403 #ifdef CONFIG_NF_TABLES_IPV4
1404 || family == NFPROTO_IPV4
1405 #endif
1406 #ifdef CONFIG_NF_TABLES_ARP
1407 || family == NFPROTO_ARP
1408 #endif
1409 #ifdef CONFIG_NF_TABLES_NETDEV
1410 || family == NFPROTO_NETDEV
1411 #endif
1412 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1413 || family == NFPROTO_BRIDGE
1414 #endif
1415 #ifdef CONFIG_NF_TABLES_IPV6
1416 || family == NFPROTO_IPV6
1417 #endif
1418 ;
1419 }
1420
1421 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1422 const struct nlattr * const nla[])
1423 {
1424 struct nftables_pernet *nft_net = nft_pernet(info->net);
1425 struct netlink_ext_ack *extack = info->extack;
1426 u8 genmask = nft_genmask_next(info->net);
1427 u8 family = info->nfmsg->nfgen_family;
1428 struct net *net = info->net;
1429 const struct nlattr *attr;
1430 struct nft_table *table;
1431 struct nft_ctx ctx;
1432 u32 flags = 0;
1433 int err;
1434
1435 if (!nft_supported_family(family))
1436 return -EOPNOTSUPP;
1437
1438 lockdep_assert_held(&nft_net->commit_mutex);
1439 attr = nla[NFTA_TABLE_NAME];
1440 table = nft_table_lookup(net, attr, family, genmask,
1441 NETLINK_CB(skb).portid);
1442 if (IS_ERR(table)) {
1443 if (PTR_ERR(table) != -ENOENT)
1444 return PTR_ERR(table);
1445 } else {
1446 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1447 NL_SET_BAD_ATTR(extack, attr);
1448 return -EEXIST;
1449 }
1450 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1451 return -EOPNOTSUPP;
1452
1453 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1454
1455 return nf_tables_updtable(&ctx);
1456 }
1457
1458 if (nla[NFTA_TABLE_FLAGS]) {
1459 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1460 if (flags & ~NFT_TABLE_F_MASK)
1461 return -EOPNOTSUPP;
1462 }
1463
1464 err = -ENOMEM;
1465 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1466 if (table == NULL)
1467 goto err_kzalloc;
1468
1469 table->validate_state = nft_net->validate_state;
1470 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1471 if (table->name == NULL)
1472 goto err_strdup;
1473
1474 if (nla[NFTA_TABLE_USERDATA]) {
1475 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1476 if (table->udata == NULL)
1477 goto err_table_udata;
1478
1479 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1480 }
1481
1482 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1483 if (err)
1484 goto err_chain_ht;
1485
1486 INIT_LIST_HEAD(&table->chains);
1487 INIT_LIST_HEAD(&table->sets);
1488 INIT_LIST_HEAD(&table->objects);
1489 INIT_LIST_HEAD(&table->flowtables);
1490 table->family = family;
1491 table->flags = flags;
1492 table->handle = ++nft_net->table_handle;
1493 if (table->flags & NFT_TABLE_F_OWNER)
1494 table->nlpid = NETLINK_CB(skb).portid;
1495
1496 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1497 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1498 if (err < 0)
1499 goto err_trans;
1500
1501 list_add_tail_rcu(&table->list, &nft_net->tables);
1502 return 0;
1503 err_trans:
1504 rhltable_destroy(&table->chains_ht);
1505 err_chain_ht:
1506 kfree(table->udata);
1507 err_table_udata:
1508 kfree(table->name);
1509 err_strdup:
1510 kfree(table);
1511 err_kzalloc:
1512 return err;
1513 }
1514
1515 static int nft_flush_table(struct nft_ctx *ctx)
1516 {
1517 struct nft_flowtable *flowtable, *nft;
1518 struct nft_chain *chain, *nc;
1519 struct nft_object *obj, *ne;
1520 struct nft_set *set, *ns;
1521 int err;
1522
1523 list_for_each_entry(chain, &ctx->table->chains, list) {
1524 if (!nft_is_active_next(ctx->net, chain))
1525 continue;
1526
1527 if (nft_chain_binding(chain))
1528 continue;
1529
1530 ctx->chain = chain;
1531
1532 err = nft_delrule_by_chain(ctx);
1533 if (err < 0)
1534 goto out;
1535 }
1536
1537 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1538 if (!nft_is_active_next(ctx->net, set))
1539 continue;
1540
1541 if (nft_set_is_anonymous(set))
1542 continue;
1543
1544 err = nft_delset(ctx, set);
1545 if (err < 0)
1546 goto out;
1547 }
1548
1549 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1550 if (!nft_is_active_next(ctx->net, flowtable))
1551 continue;
1552
1553 err = nft_delflowtable(ctx, flowtable);
1554 if (err < 0)
1555 goto out;
1556 }
1557
1558 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1559 if (!nft_is_active_next(ctx->net, obj))
1560 continue;
1561
1562 err = nft_delobj(ctx, obj);
1563 if (err < 0)
1564 goto out;
1565 }
1566
1567 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1568 if (!nft_is_active_next(ctx->net, chain))
1569 continue;
1570
1571 if (nft_chain_binding(chain))
1572 continue;
1573
1574 ctx->chain = chain;
1575
1576 err = nft_delchain(ctx);
1577 if (err < 0)
1578 goto out;
1579 }
1580
1581 err = nft_deltable(ctx);
1582 out:
1583 return err;
1584 }
1585
1586 static int nft_flush(struct nft_ctx *ctx, int family)
1587 {
1588 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1589 const struct nlattr * const *nla = ctx->nla;
1590 struct nft_table *table, *nt;
1591 int err = 0;
1592
1593 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1594 if (family != AF_UNSPEC && table->family != family)
1595 continue;
1596
1597 ctx->family = table->family;
1598
1599 if (!nft_is_active_next(ctx->net, table))
1600 continue;
1601
1602 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1603 continue;
1604
1605 if (nla[NFTA_TABLE_NAME] &&
1606 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1607 continue;
1608
1609 ctx->table = table;
1610
1611 err = nft_flush_table(ctx);
1612 if (err < 0)
1613 goto out;
1614 }
1615 out:
1616 return err;
1617 }
1618
1619 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1620 const struct nlattr * const nla[])
1621 {
1622 struct netlink_ext_ack *extack = info->extack;
1623 u8 genmask = nft_genmask_next(info->net);
1624 u8 family = info->nfmsg->nfgen_family;
1625 struct net *net = info->net;
1626 const struct nlattr *attr;
1627 struct nft_table *table;
1628 struct nft_ctx ctx;
1629
1630 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1631 if (family == AF_UNSPEC ||
1632 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1633 return nft_flush(&ctx, family);
1634
1635 if (nla[NFTA_TABLE_HANDLE]) {
1636 attr = nla[NFTA_TABLE_HANDLE];
1637 table = nft_table_lookup_byhandle(net, attr, family, genmask,
1638 NETLINK_CB(skb).portid);
1639 } else {
1640 attr = nla[NFTA_TABLE_NAME];
1641 table = nft_table_lookup(net, attr, family, genmask,
1642 NETLINK_CB(skb).portid);
1643 }
1644
1645 if (IS_ERR(table)) {
1646 if (PTR_ERR(table) == -ENOENT &&
1647 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1648 return 0;
1649
1650 NL_SET_BAD_ATTR(extack, attr);
1651 return PTR_ERR(table);
1652 }
1653
1654 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1655 table->use > 0)
1656 return -EBUSY;
1657
1658 ctx.family = family;
1659 ctx.table = table;
1660
1661 return nft_flush_table(&ctx);
1662 }
1663
1664 static void nf_tables_table_destroy(struct nft_table *table)
1665 {
1666 if (WARN_ON(table->use > 0))
1667 return;
1668
1669 rhltable_destroy(&table->chains_ht);
1670 kfree(table->name);
1671 kfree(table->udata);
1672 kfree(table);
1673 }
1674
1675 void nft_register_chain_type(const struct nft_chain_type *ctype)
1676 {
1677 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1678 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1679 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1680 return;
1681 }
1682 chain_type[ctype->family][ctype->type] = ctype;
1683 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1684 }
1685 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1686
1687 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1688 {
1689 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1690 chain_type[ctype->family][ctype->type] = NULL;
1691 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1692 }
1693 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1694
1695 /*
1696 * Chains
1697 */
1698
1699 static struct nft_chain *
1700 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1701 {
1702 struct nft_chain *chain;
1703
1704 list_for_each_entry(chain, &table->chains, list) {
1705 if (chain->handle == handle &&
1706 nft_active_genmask(chain, genmask))
1707 return chain;
1708 }
1709
1710 return ERR_PTR(-ENOENT);
1711 }
1712
1713 static bool lockdep_commit_lock_is_held(const struct net *net)
1714 {
1715 #ifdef CONFIG_PROVE_LOCKING
1716 struct nftables_pernet *nft_net = nft_pernet(net);
1717
1718 return lockdep_is_held(&nft_net->commit_mutex);
1719 #else
1720 return true;
1721 #endif
1722 }
1723
1724 static struct nft_chain *nft_chain_lookup(struct net *net,
1725 struct nft_table *table,
1726 const struct nlattr *nla, u8 genmask)
1727 {
1728 char search[NFT_CHAIN_MAXNAMELEN + 1];
1729 struct rhlist_head *tmp, *list;
1730 struct nft_chain *chain;
1731
1732 if (nla == NULL)
1733 return ERR_PTR(-EINVAL);
1734
1735 nla_strscpy(search, nla, sizeof(search));
1736
1737 WARN_ON(!rcu_read_lock_held() &&
1738 !lockdep_commit_lock_is_held(net));
1739
1740 chain = ERR_PTR(-ENOENT);
1741 rcu_read_lock();
1742 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1743 if (!list)
1744 goto out_unlock;
1745
1746 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1747 if (nft_active_genmask(chain, genmask))
1748 goto out_unlock;
1749 }
1750 chain = ERR_PTR(-ENOENT);
1751 out_unlock:
1752 rcu_read_unlock();
1753 return chain;
1754 }
1755
1756 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1757 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1758 .len = NFT_TABLE_MAXNAMELEN - 1 },
1759 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1760 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1761 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1762 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1763 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1764 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1765 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1766 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1767 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1768 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1769 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1770 .len = NFT_USERDATA_MAXLEN },
1771 };
1772
1773 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1774 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1775 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1776 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1777 .len = IFNAMSIZ - 1 },
1778 };
1779
1780 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1781 {
1782 struct nft_stats *cpu_stats, total;
1783 struct nlattr *nest;
1784 unsigned int seq;
1785 u64 pkts, bytes;
1786 int cpu;
1787
1788 if (!stats)
1789 return 0;
1790
1791 memset(&total, 0, sizeof(total));
1792 for_each_possible_cpu(cpu) {
1793 cpu_stats = per_cpu_ptr(stats, cpu);
1794 do {
1795 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1796 pkts = cpu_stats->pkts;
1797 bytes = cpu_stats->bytes;
1798 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1799 total.pkts += pkts;
1800 total.bytes += bytes;
1801 }
1802 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1803 if (nest == NULL)
1804 goto nla_put_failure;
1805
1806 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1807 NFTA_COUNTER_PAD) ||
1808 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1809 NFTA_COUNTER_PAD))
1810 goto nla_put_failure;
1811
1812 nla_nest_end(skb, nest);
1813 return 0;
1814
1815 nla_put_failure:
1816 return -ENOSPC;
1817 }
1818
1819 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1820 const struct nft_base_chain *basechain,
1821 const struct list_head *hook_list)
1822 {
1823 const struct nf_hook_ops *ops = &basechain->ops;
1824 struct nft_hook *hook, *first = NULL;
1825 struct nlattr *nest, *nest_devs;
1826 int n = 0;
1827
1828 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1829 if (nest == NULL)
1830 goto nla_put_failure;
1831 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1832 goto nla_put_failure;
1833 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1834 goto nla_put_failure;
1835
1836 if (nft_base_chain_netdev(family, ops->hooknum)) {
1837 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1838 if (!nest_devs)
1839 goto nla_put_failure;
1840
1841 if (!hook_list)
1842 hook_list = &basechain->hook_list;
1843
1844 list_for_each_entry(hook, hook_list, list) {
1845 if (!first)
1846 first = hook;
1847
1848 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1849 hook->ops.dev->name))
1850 goto nla_put_failure;
1851 n++;
1852 }
1853 nla_nest_end(skb, nest_devs);
1854
1855 if (n == 1 &&
1856 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1857 goto nla_put_failure;
1858 }
1859 nla_nest_end(skb, nest);
1860
1861 return 0;
1862 nla_put_failure:
1863 return -1;
1864 }
1865
1866 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1867 u32 portid, u32 seq, int event, u32 flags,
1868 int family, const struct nft_table *table,
1869 const struct nft_chain *chain,
1870 const struct list_head *hook_list)
1871 {
1872 struct nlmsghdr *nlh;
1873
1874 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1875 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1876 NFNETLINK_V0, nft_base_seq(net));
1877 if (!nlh)
1878 goto nla_put_failure;
1879
1880 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
1881 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
1882 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1883 NFTA_CHAIN_PAD))
1884 goto nla_put_failure;
1885
1886 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1887 nlmsg_end(skb, nlh);
1888 return 0;
1889 }
1890
1891 if (nft_is_base_chain(chain)) {
1892 const struct nft_base_chain *basechain = nft_base_chain(chain);
1893 struct nft_stats __percpu *stats;
1894
1895 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1896 goto nla_put_failure;
1897
1898 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1899 htonl(basechain->policy)))
1900 goto nla_put_failure;
1901
1902 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1903 goto nla_put_failure;
1904
1905 stats = rcu_dereference_check(basechain->stats,
1906 lockdep_commit_lock_is_held(net));
1907 if (nft_dump_stats(skb, stats))
1908 goto nla_put_failure;
1909 }
1910
1911 if (chain->flags &&
1912 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1913 goto nla_put_failure;
1914
1915 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1916 goto nla_put_failure;
1917
1918 if (chain->udata &&
1919 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1920 goto nla_put_failure;
1921
1922 nlmsg_end(skb, nlh);
1923 return 0;
1924
1925 nla_put_failure:
1926 nlmsg_trim(skb, nlh);
1927 return -1;
1928 }
1929
1930 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1931 const struct list_head *hook_list)
1932 {
1933 struct nftables_pernet *nft_net;
1934 struct sk_buff *skb;
1935 u16 flags = 0;
1936 int err;
1937
1938 if (!ctx->report &&
1939 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1940 return;
1941
1942 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1943 if (skb == NULL)
1944 goto err;
1945
1946 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1947 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1948
1949 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1950 event, flags, ctx->family, ctx->table,
1951 ctx->chain, hook_list);
1952 if (err < 0) {
1953 kfree_skb(skb);
1954 goto err;
1955 }
1956
1957 nft_net = nft_pernet(ctx->net);
1958 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1959 return;
1960 err:
1961 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1962 }
1963
1964 static int nf_tables_dump_chains(struct sk_buff *skb,
1965 struct netlink_callback *cb)
1966 {
1967 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1968 unsigned int idx = 0, s_idx = cb->args[0];
1969 struct net *net = sock_net(skb->sk);
1970 int family = nfmsg->nfgen_family;
1971 struct nftables_pernet *nft_net;
1972 const struct nft_table *table;
1973 const struct nft_chain *chain;
1974
1975 rcu_read_lock();
1976 nft_net = nft_pernet(net);
1977 cb->seq = READ_ONCE(nft_net->base_seq);
1978
1979 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1980 if (family != NFPROTO_UNSPEC && family != table->family)
1981 continue;
1982
1983 list_for_each_entry_rcu(chain, &table->chains, list) {
1984 if (idx < s_idx)
1985 goto cont;
1986 if (idx > s_idx)
1987 memset(&cb->args[1], 0,
1988 sizeof(cb->args) - sizeof(cb->args[0]));
1989 if (!nft_is_active(net, chain))
1990 continue;
1991 if (nf_tables_fill_chain_info(skb, net,
1992 NETLINK_CB(cb->skb).portid,
1993 cb->nlh->nlmsg_seq,
1994 NFT_MSG_NEWCHAIN,
1995 NLM_F_MULTI,
1996 table->family, table,
1997 chain, NULL) < 0)
1998 goto done;
1999
2000 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2001 cont:
2002 idx++;
2003 }
2004 }
2005 done:
2006 rcu_read_unlock();
2007 cb->args[0] = idx;
2008 return skb->len;
2009 }
2010
2011 /* called with rcu_read_lock held */
2012 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
2013 const struct nlattr * const nla[])
2014 {
2015 struct netlink_ext_ack *extack = info->extack;
2016 u8 genmask = nft_genmask_cur(info->net);
2017 u8 family = info->nfmsg->nfgen_family;
2018 const struct nft_chain *chain;
2019 struct net *net = info->net;
2020 struct nft_table *table;
2021 struct sk_buff *skb2;
2022 int err;
2023
2024 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
2025 struct netlink_dump_control c = {
2026 .dump = nf_tables_dump_chains,
2027 .module = THIS_MODULE,
2028 };
2029
2030 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
2031 }
2032
2033 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
2034 if (IS_ERR(table)) {
2035 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2036 return PTR_ERR(table);
2037 }
2038
2039 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
2040 if (IS_ERR(chain)) {
2041 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2042 return PTR_ERR(chain);
2043 }
2044
2045 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2046 if (!skb2)
2047 return -ENOMEM;
2048
2049 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
2050 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
2051 0, family, table, chain, NULL);
2052 if (err < 0)
2053 goto err_fill_chain_info;
2054
2055 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
2056
2057 err_fill_chain_info:
2058 kfree_skb(skb2);
2059 return err;
2060 }
2061
2062 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
2063 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
2064 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
2065 };
2066
2067 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
2068 {
2069 struct nlattr *tb[NFTA_COUNTER_MAX+1];
2070 struct nft_stats __percpu *newstats;
2071 struct nft_stats *stats;
2072 int err;
2073
2074 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
2075 nft_counter_policy, NULL);
2076 if (err < 0)
2077 return ERR_PTR(err);
2078
2079 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
2080 return ERR_PTR(-EINVAL);
2081
2082 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
2083 if (newstats == NULL)
2084 return ERR_PTR(-ENOMEM);
2085
2086 /* Restore old counters on this cpu, no problem. Per-cpu statistics
2087 * are not exposed to userspace.
2088 */
2089 preempt_disable();
2090 stats = this_cpu_ptr(newstats);
2091 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2092 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2093 preempt_enable();
2094
2095 return newstats;
2096 }
2097
2098 static void nft_chain_stats_replace(struct nft_trans_chain *trans)
2099 {
2100 const struct nft_trans *t = &trans->nft_trans_binding.nft_trans;
2101 struct nft_base_chain *chain = nft_base_chain(trans->chain);
2102
2103 if (!trans->stats)
2104 return;
2105
2106 trans->stats =
2107 rcu_replace_pointer(chain->stats, trans->stats,
2108 lockdep_commit_lock_is_held(t->net));
2109
2110 if (!trans->stats)
2111 static_branch_inc(&nft_counters_enabled);
2112 }
2113
2114 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2115 {
2116 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2117 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2118
2119 if (g0 != g1)
2120 kvfree(g1);
2121 kvfree(g0);
2122
2123 /* should be NULL either via abort or via successful commit */
2124 WARN_ON_ONCE(chain->blob_next);
2125 kvfree(chain->blob_next);
2126 }
2127
2128 void nf_tables_chain_destroy(struct nft_chain *chain)
2129 {
2130 const struct nft_table *table = chain->table;
2131 struct nft_hook *hook, *next;
2132
2133 if (WARN_ON(chain->use > 0))
2134 return;
2135
2136 /* no concurrent access possible anymore */
2137 nf_tables_chain_free_chain_rules(chain);
2138
2139 if (nft_is_base_chain(chain)) {
2140 struct nft_base_chain *basechain = nft_base_chain(chain);
2141
2142 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2143 list_for_each_entry_safe(hook, next,
2144 &basechain->hook_list, list) {
2145 list_del_rcu(&hook->list);
2146 kfree_rcu(hook, rcu);
2147 }
2148 }
2149 module_put(basechain->type->owner);
2150 if (rcu_access_pointer(basechain->stats)) {
2151 static_branch_dec(&nft_counters_enabled);
2152 free_percpu(rcu_dereference_raw(basechain->stats));
2153 }
2154 kfree(chain->name);
2155 kfree(chain->udata);
2156 kfree(basechain);
2157 } else {
2158 kfree(chain->name);
2159 kfree(chain->udata);
2160 kfree(chain);
2161 }
2162 }
2163
2164 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2165 const struct nlattr *attr)
2166 {
2167 struct net_device *dev;
2168 char ifname[IFNAMSIZ];
2169 struct nft_hook *hook;
2170 int err;
2171
2172 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2173 if (!hook) {
2174 err = -ENOMEM;
2175 goto err_hook_alloc;
2176 }
2177
2178 nla_strscpy(ifname, attr, IFNAMSIZ);
2179 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2180 * indirectly serializing all the other holders of the commit_mutex with
2181 * the rtnl_mutex.
2182 */
2183 dev = __dev_get_by_name(net, ifname);
2184 if (!dev) {
2185 err = -ENOENT;
2186 goto err_hook_dev;
2187 }
2188 hook->ops.dev = dev;
2189
2190 return hook;
2191
2192 err_hook_dev:
2193 kfree(hook);
2194 err_hook_alloc:
2195 return ERR_PTR(err);
2196 }
2197
2198 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2199 const struct nft_hook *this)
2200 {
2201 struct nft_hook *hook;
2202
2203 list_for_each_entry(hook, hook_list, list) {
2204 if (this->ops.dev == hook->ops.dev)
2205 return hook;
2206 }
2207
2208 return NULL;
2209 }
2210
2211 static int nf_tables_parse_netdev_hooks(struct net *net,
2212 const struct nlattr *attr,
2213 struct list_head *hook_list,
2214 struct netlink_ext_ack *extack)
2215 {
2216 struct nft_hook *hook, *next;
2217 const struct nlattr *tmp;
2218 int rem, n = 0, err;
2219
2220 nla_for_each_nested(tmp, attr, rem) {
2221 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
2222 err = -EINVAL;
2223 goto err_hook;
2224 }
2225
2226 hook = nft_netdev_hook_alloc(net, tmp);
2227 if (IS_ERR(hook)) {
2228 NL_SET_BAD_ATTR(extack, tmp);
2229 err = PTR_ERR(hook);
2230 goto err_hook;
2231 }
2232 if (nft_hook_list_find(hook_list, hook)) {
2233 NL_SET_BAD_ATTR(extack, tmp);
2234 kfree(hook);
2235 err = -EEXIST;
2236 goto err_hook;
2237 }
2238 list_add_tail(&hook->list, hook_list);
2239 n++;
2240
2241 if (n == NFT_NETDEVICE_MAX) {
2242 err = -EFBIG;
2243 goto err_hook;
2244 }
2245 }
2246
2247 return 0;
2248
2249 err_hook:
2250 list_for_each_entry_safe(hook, next, hook_list, list) {
2251 list_del(&hook->list);
2252 kfree(hook);
2253 }
2254 return err;
2255 }
2256
2257 struct nft_chain_hook {
2258 u32 num;
2259 s32 priority;
2260 const struct nft_chain_type *type;
2261 struct list_head list;
2262 };
2263
2264 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2265 struct list_head *hook_list,
2266 struct netlink_ext_ack *extack, u32 flags)
2267 {
2268 struct nft_hook *hook;
2269 int err;
2270
2271 if (tb[NFTA_HOOK_DEV]) {
2272 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2273 if (IS_ERR(hook)) {
2274 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2275 return PTR_ERR(hook);
2276 }
2277
2278 list_add_tail(&hook->list, hook_list);
2279 } else if (tb[NFTA_HOOK_DEVS]) {
2280 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2281 hook_list, extack);
2282 if (err < 0)
2283 return err;
2284
2285 }
2286
2287 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2288 list_empty(hook_list))
2289 return -EINVAL;
2290
2291 return 0;
2292 }
2293
2294 static int nft_chain_parse_hook(struct net *net,
2295 struct nft_base_chain *basechain,
2296 const struct nlattr * const nla[],
2297 struct nft_chain_hook *hook, u8 family,
2298 u32 flags, struct netlink_ext_ack *extack)
2299 {
2300 struct nftables_pernet *nft_net = nft_pernet(net);
2301 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2302 const struct nft_chain_type *type;
2303 int err;
2304
2305 lockdep_assert_held(&nft_net->commit_mutex);
2306 lockdep_nfnl_nft_mutex_not_held();
2307
2308 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2309 nla[NFTA_CHAIN_HOOK],
2310 nft_hook_policy, NULL);
2311 if (err < 0)
2312 return err;
2313
2314 if (!basechain) {
2315 if (!ha[NFTA_HOOK_HOOKNUM] ||
2316 !ha[NFTA_HOOK_PRIORITY]) {
2317 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2318 return -ENOENT;
2319 }
2320
2321 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2322 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2323
2324 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2325 if (!type)
2326 return -EOPNOTSUPP;
2327
2328 if (nla[NFTA_CHAIN_TYPE]) {
2329 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2330 family, true);
2331 if (IS_ERR(type)) {
2332 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2333 return PTR_ERR(type);
2334 }
2335 }
2336 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2337 return -EOPNOTSUPP;
2338
2339 if (type->type == NFT_CHAIN_T_NAT &&
2340 hook->priority <= NF_IP_PRI_CONNTRACK)
2341 return -EOPNOTSUPP;
2342 } else {
2343 if (ha[NFTA_HOOK_HOOKNUM]) {
2344 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2345 if (hook->num != basechain->ops.hooknum)
2346 return -EOPNOTSUPP;
2347 }
2348 if (ha[NFTA_HOOK_PRIORITY]) {
2349 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2350 if (hook->priority != basechain->ops.priority)
2351 return -EOPNOTSUPP;
2352 }
2353
2354 if (nla[NFTA_CHAIN_TYPE]) {
2355 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
2356 family);
2357 if (!type) {
2358 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2359 return -ENOENT;
2360 }
2361 } else {
2362 type = basechain->type;
2363 }
2364 }
2365
2366 if (!try_module_get(type->owner)) {
2367 if (nla[NFTA_CHAIN_TYPE])
2368 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2369 return -ENOENT;
2370 }
2371
2372 hook->type = type;
2373
2374 INIT_LIST_HEAD(&hook->list);
2375 if (nft_base_chain_netdev(family, hook->num)) {
2376 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2377 if (err < 0) {
2378 module_put(type->owner);
2379 return err;
2380 }
2381 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2382 module_put(type->owner);
2383 return -EOPNOTSUPP;
2384 }
2385
2386 return 0;
2387 }
2388
2389 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2390 {
2391 struct nft_hook *h, *next;
2392
2393 list_for_each_entry_safe(h, next, &hook->list, list) {
2394 list_del(&h->list);
2395 kfree(h);
2396 }
2397 module_put(hook->type->owner);
2398 }
2399
2400 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2401 {
2402 struct nft_rule_dp_last *lrule;
2403
2404 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2405
2406 lrule = (struct nft_rule_dp_last *)ptr;
2407 lrule->end.is_last = 1;
2408 lrule->chain = chain;
2409 /* blob size does not include the trailer rule */
2410 }
2411
2412 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2413 unsigned int size)
2414 {
2415 struct nft_rule_blob *blob;
2416
2417 if (size > INT_MAX)
2418 return NULL;
2419
2420 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2421
2422 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2423 if (!blob)
2424 return NULL;
2425
2426 blob->size = 0;
2427 nft_last_rule(chain, blob->data);
2428
2429 return blob;
2430 }
2431
2432 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2433 const struct nft_chain_hook *hook,
2434 struct nft_chain *chain)
2435 {
2436 ops->pf = family;
2437 ops->hooknum = hook->num;
2438 ops->priority = hook->priority;
2439 ops->priv = chain;
2440 ops->hook = hook->type->hooks[ops->hooknum];
2441 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2442 }
2443
2444 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2445 struct nft_chain_hook *hook, u32 flags)
2446 {
2447 struct nft_chain *chain;
2448 struct nft_hook *h;
2449
2450 basechain->type = hook->type;
2451 INIT_LIST_HEAD(&basechain->hook_list);
2452 chain = &basechain->chain;
2453
2454 if (nft_base_chain_netdev(family, hook->num)) {
2455 list_splice_init(&hook->list, &basechain->hook_list);
2456 list_for_each_entry(h, &basechain->hook_list, list)
2457 nft_basechain_hook_init(&h->ops, family, hook, chain);
2458 }
2459 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2460
2461 chain->flags |= NFT_CHAIN_BASE | flags;
2462 basechain->policy = NF_ACCEPT;
2463 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2464 !nft_chain_offload_support(basechain)) {
2465 list_splice_init(&basechain->hook_list, &hook->list);
2466 return -EOPNOTSUPP;
2467 }
2468
2469 flow_block_init(&basechain->flow_block);
2470
2471 return 0;
2472 }
2473
2474 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2475 {
2476 int err;
2477
2478 err = rhltable_insert_key(&table->chains_ht, chain->name,
2479 &chain->rhlhead, nft_chain_ht_params);
2480 if (err)
2481 return err;
2482
2483 list_add_tail_rcu(&chain->list, &table->chains);
2484
2485 return 0;
2486 }
2487
2488 static u64 chain_id;
2489
2490 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2491 u8 policy, u32 flags,
2492 struct netlink_ext_ack *extack)
2493 {
2494 const struct nlattr * const *nla = ctx->nla;
2495 struct nft_table *table = ctx->table;
2496 struct nft_base_chain *basechain;
2497 struct net *net = ctx->net;
2498 char name[NFT_NAME_MAXLEN];
2499 struct nft_rule_blob *blob;
2500 struct nft_trans *trans;
2501 struct nft_chain *chain;
2502 int err;
2503
2504 if (nla[NFTA_CHAIN_HOOK]) {
2505 struct nft_stats __percpu *stats = NULL;
2506 struct nft_chain_hook hook = {};
2507
2508 if (table->flags & __NFT_TABLE_F_UPDATE)
2509 return -EINVAL;
2510
2511 if (flags & NFT_CHAIN_BINDING)
2512 return -EOPNOTSUPP;
2513
2514 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2515 extack);
2516 if (err < 0)
2517 return err;
2518
2519 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2520 if (basechain == NULL) {
2521 nft_chain_release_hook(&hook);
2522 return -ENOMEM;
2523 }
2524 chain = &basechain->chain;
2525
2526 if (nla[NFTA_CHAIN_COUNTERS]) {
2527 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2528 if (IS_ERR(stats)) {
2529 nft_chain_release_hook(&hook);
2530 kfree(basechain);
2531 return PTR_ERR(stats);
2532 }
2533 rcu_assign_pointer(basechain->stats, stats);
2534 }
2535
2536 err = nft_basechain_init(basechain, family, &hook, flags);
2537 if (err < 0) {
2538 nft_chain_release_hook(&hook);
2539 kfree(basechain);
2540 free_percpu(stats);
2541 return err;
2542 }
2543 if (stats)
2544 static_branch_inc(&nft_counters_enabled);
2545 } else {
2546 if (flags & NFT_CHAIN_BASE)
2547 return -EINVAL;
2548 if (flags & NFT_CHAIN_HW_OFFLOAD)
2549 return -EOPNOTSUPP;
2550
2551 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2552 if (chain == NULL)
2553 return -ENOMEM;
2554
2555 chain->flags = flags;
2556 }
2557 ctx->chain = chain;
2558
2559 INIT_LIST_HEAD(&chain->rules);
2560 chain->handle = nf_tables_alloc_handle(table);
2561 chain->table = table;
2562
2563 if (nla[NFTA_CHAIN_NAME]) {
2564 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2565 } else {
2566 if (!(flags & NFT_CHAIN_BINDING)) {
2567 err = -EINVAL;
2568 goto err_destroy_chain;
2569 }
2570
2571 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2572 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2573 }
2574
2575 if (!chain->name) {
2576 err = -ENOMEM;
2577 goto err_destroy_chain;
2578 }
2579
2580 if (nla[NFTA_CHAIN_USERDATA]) {
2581 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2582 if (chain->udata == NULL) {
2583 err = -ENOMEM;
2584 goto err_destroy_chain;
2585 }
2586 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2587 }
2588
2589 blob = nf_tables_chain_alloc_rules(chain, 0);
2590 if (!blob) {
2591 err = -ENOMEM;
2592 goto err_destroy_chain;
2593 }
2594
2595 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2596 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2597
2598 if (!nft_use_inc(&table->use)) {
2599 err = -EMFILE;
2600 goto err_destroy_chain;
2601 }
2602
2603 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2604 if (IS_ERR(trans)) {
2605 err = PTR_ERR(trans);
2606 goto err_trans;
2607 }
2608
2609 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2610 if (nft_is_base_chain(chain))
2611 nft_trans_chain_policy(trans) = policy;
2612
2613 err = nft_chain_add(table, chain);
2614 if (err < 0)
2615 goto err_chain_add;
2616
2617 /* This must be LAST to ensure no packets are walking over this chain. */
2618 err = nf_tables_register_hook(net, table, chain);
2619 if (err < 0)
2620 goto err_register_hook;
2621
2622 return 0;
2623
2624 err_register_hook:
2625 nft_chain_del(chain);
2626 err_chain_add:
2627 nft_trans_destroy(trans);
2628 err_trans:
2629 nft_use_dec_restore(&table->use);
2630 err_destroy_chain:
2631 nf_tables_chain_destroy(chain);
2632
2633 return err;
2634 }
2635
2636 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2637 u32 flags, const struct nlattr *attr,
2638 struct netlink_ext_ack *extack)
2639 {
2640 const struct nlattr * const *nla = ctx->nla;
2641 struct nft_base_chain *basechain = NULL;
2642 struct nft_table *table = ctx->table;
2643 struct nft_chain *chain = ctx->chain;
2644 struct nft_chain_hook hook = {};
2645 struct nft_stats *stats = NULL;
2646 struct nft_hook *h, *next;
2647 struct nf_hook_ops *ops;
2648 struct nft_trans *trans;
2649 bool unregister = false;
2650 int err;
2651
2652 if (chain->flags ^ flags)
2653 return -EOPNOTSUPP;
2654
2655 INIT_LIST_HEAD(&hook.list);
2656
2657 if (nla[NFTA_CHAIN_HOOK]) {
2658 if (!nft_is_base_chain(chain)) {
2659 NL_SET_BAD_ATTR(extack, attr);
2660 return -EEXIST;
2661 }
2662
2663 basechain = nft_base_chain(chain);
2664 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2665 ctx->family, flags, extack);
2666 if (err < 0)
2667 return err;
2668
2669 if (basechain->type != hook.type) {
2670 nft_chain_release_hook(&hook);
2671 NL_SET_BAD_ATTR(extack, attr);
2672 return -EEXIST;
2673 }
2674
2675 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2676 list_for_each_entry_safe(h, next, &hook.list, list) {
2677 h->ops.pf = basechain->ops.pf;
2678 h->ops.hooknum = basechain->ops.hooknum;
2679 h->ops.priority = basechain->ops.priority;
2680 h->ops.priv = basechain->ops.priv;
2681 h->ops.hook = basechain->ops.hook;
2682
2683 if (nft_hook_list_find(&basechain->hook_list, h)) {
2684 list_del(&h->list);
2685 kfree(h);
2686 }
2687 }
2688 } else {
2689 ops = &basechain->ops;
2690 if (ops->hooknum != hook.num ||
2691 ops->priority != hook.priority) {
2692 nft_chain_release_hook(&hook);
2693 NL_SET_BAD_ATTR(extack, attr);
2694 return -EEXIST;
2695 }
2696 }
2697 }
2698
2699 if (nla[NFTA_CHAIN_HANDLE] &&
2700 nla[NFTA_CHAIN_NAME]) {
2701 struct nft_chain *chain2;
2702
2703 chain2 = nft_chain_lookup(ctx->net, table,
2704 nla[NFTA_CHAIN_NAME], genmask);
2705 if (!IS_ERR(chain2)) {
2706 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2707 err = -EEXIST;
2708 goto err_hooks;
2709 }
2710 }
2711
2712 if (table->flags & __NFT_TABLE_F_UPDATE &&
2713 !list_empty(&hook.list)) {
2714 NL_SET_BAD_ATTR(extack, attr);
2715 err = -EOPNOTSUPP;
2716 goto err_hooks;
2717 }
2718
2719 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2720 nft_is_base_chain(chain) &&
2721 !list_empty(&hook.list)) {
2722 basechain = nft_base_chain(chain);
2723 ops = &basechain->ops;
2724
2725 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2726 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2727 if (err < 0)
2728 goto err_hooks;
2729 }
2730 }
2731
2732 unregister = true;
2733
2734 if (nla[NFTA_CHAIN_COUNTERS]) {
2735 if (!nft_is_base_chain(chain)) {
2736 err = -EOPNOTSUPP;
2737 goto err_hooks;
2738 }
2739
2740 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2741 if (IS_ERR(stats)) {
2742 err = PTR_ERR(stats);
2743 goto err_hooks;
2744 }
2745 }
2746
2747 err = -ENOMEM;
2748 trans = nft_trans_alloc_chain(ctx, NFT_MSG_NEWCHAIN);
2749 if (trans == NULL)
2750 goto err_trans;
2751
2752 nft_trans_chain_stats(trans) = stats;
2753 nft_trans_chain_update(trans) = true;
2754
2755 if (nla[NFTA_CHAIN_POLICY])
2756 nft_trans_chain_policy(trans) = policy;
2757 else
2758 nft_trans_chain_policy(trans) = -1;
2759
2760 if (nla[NFTA_CHAIN_HANDLE] &&
2761 nla[NFTA_CHAIN_NAME]) {
2762 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2763 struct nft_trans *tmp;
2764 char *name;
2765
2766 err = -ENOMEM;
2767 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2768 if (!name)
2769 goto err_trans;
2770
2771 err = -EEXIST;
2772 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2773 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2774 tmp->table == table &&
2775 nft_trans_chain_update(tmp) &&
2776 nft_trans_chain_name(tmp) &&
2777 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2778 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2779 kfree(name);
2780 goto err_trans;
2781 }
2782 }
2783
2784 nft_trans_chain_name(trans) = name;
2785 }
2786
2787 nft_trans_basechain(trans) = basechain;
2788 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2789 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2790 if (nla[NFTA_CHAIN_HOOK])
2791 module_put(hook.type->owner);
2792
2793 nft_trans_commit_list_add_tail(ctx->net, trans);
2794
2795 return 0;
2796
2797 err_trans:
2798 free_percpu(stats);
2799 kfree(trans);
2800 err_hooks:
2801 if (nla[NFTA_CHAIN_HOOK]) {
2802 list_for_each_entry_safe(h, next, &hook.list, list) {
2803 if (unregister)
2804 nf_unregister_net_hook(ctx->net, &h->ops);
2805 list_del(&h->list);
2806 kfree_rcu(h, rcu);
2807 }
2808 module_put(hook.type->owner);
2809 }
2810
2811 return err;
2812 }
2813
2814 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2815 const struct nft_table *table,
2816 const struct nlattr *nla, u8 genmask)
2817 {
2818 struct nftables_pernet *nft_net = nft_pernet(net);
2819 u32 id = ntohl(nla_get_be32(nla));
2820 struct nft_trans *trans;
2821
2822 list_for_each_entry(trans, &nft_net->commit_list, list) {
2823 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2824 nft_trans_chain(trans)->table == table &&
2825 id == nft_trans_chain_id(trans) &&
2826 nft_active_genmask(nft_trans_chain(trans), genmask))
2827 return nft_trans_chain(trans);
2828 }
2829 return ERR_PTR(-ENOENT);
2830 }
2831
2832 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2833 const struct nlattr * const nla[])
2834 {
2835 struct nftables_pernet *nft_net = nft_pernet(info->net);
2836 struct netlink_ext_ack *extack = info->extack;
2837 u8 genmask = nft_genmask_next(info->net);
2838 u8 family = info->nfmsg->nfgen_family;
2839 struct nft_chain *chain = NULL;
2840 struct net *net = info->net;
2841 const struct nlattr *attr;
2842 struct nft_table *table;
2843 u8 policy = NF_ACCEPT;
2844 struct nft_ctx ctx;
2845 u64 handle = 0;
2846 u32 flags = 0;
2847
2848 lockdep_assert_held(&nft_net->commit_mutex);
2849
2850 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2851 NETLINK_CB(skb).portid);
2852 if (IS_ERR(table)) {
2853 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2854 return PTR_ERR(table);
2855 }
2856
2857 chain = NULL;
2858 attr = nla[NFTA_CHAIN_NAME];
2859
2860 if (nla[NFTA_CHAIN_HANDLE]) {
2861 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2862 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2863 if (IS_ERR(chain)) {
2864 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2865 return PTR_ERR(chain);
2866 }
2867 attr = nla[NFTA_CHAIN_HANDLE];
2868 } else if (nla[NFTA_CHAIN_NAME]) {
2869 chain = nft_chain_lookup(net, table, attr, genmask);
2870 if (IS_ERR(chain)) {
2871 if (PTR_ERR(chain) != -ENOENT) {
2872 NL_SET_BAD_ATTR(extack, attr);
2873 return PTR_ERR(chain);
2874 }
2875 chain = NULL;
2876 }
2877 } else if (!nla[NFTA_CHAIN_ID]) {
2878 return -EINVAL;
2879 }
2880
2881 if (nla[NFTA_CHAIN_POLICY]) {
2882 if (chain != NULL &&
2883 !nft_is_base_chain(chain)) {
2884 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2885 return -EOPNOTSUPP;
2886 }
2887
2888 if (chain == NULL &&
2889 nla[NFTA_CHAIN_HOOK] == NULL) {
2890 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2891 return -EOPNOTSUPP;
2892 }
2893
2894 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2895 switch (policy) {
2896 case NF_DROP:
2897 case NF_ACCEPT:
2898 break;
2899 default:
2900 return -EINVAL;
2901 }
2902 }
2903
2904 if (nla[NFTA_CHAIN_FLAGS])
2905 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2906 else if (chain)
2907 flags = chain->flags;
2908
2909 if (flags & ~NFT_CHAIN_FLAGS)
2910 return -EOPNOTSUPP;
2911
2912 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2913
2914 if (chain != NULL) {
2915 if (chain->flags & NFT_CHAIN_BINDING)
2916 return -EINVAL;
2917
2918 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2919 NL_SET_BAD_ATTR(extack, attr);
2920 return -EEXIST;
2921 }
2922 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2923 return -EOPNOTSUPP;
2924
2925 flags |= chain->flags & NFT_CHAIN_BASE;
2926 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2927 extack);
2928 }
2929
2930 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2931 }
2932
2933 static int nft_delchain_hook(struct nft_ctx *ctx,
2934 struct nft_base_chain *basechain,
2935 struct netlink_ext_ack *extack)
2936 {
2937 const struct nft_chain *chain = &basechain->chain;
2938 const struct nlattr * const *nla = ctx->nla;
2939 struct nft_chain_hook chain_hook = {};
2940 struct nft_hook *this, *hook;
2941 LIST_HEAD(chain_del_list);
2942 struct nft_trans *trans;
2943 int err;
2944
2945 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
2946 return -EOPNOTSUPP;
2947
2948 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
2949 ctx->family, chain->flags, extack);
2950 if (err < 0)
2951 return err;
2952
2953 list_for_each_entry(this, &chain_hook.list, list) {
2954 hook = nft_hook_list_find(&basechain->hook_list, this);
2955 if (!hook) {
2956 err = -ENOENT;
2957 goto err_chain_del_hook;
2958 }
2959 list_move(&hook->list, &chain_del_list);
2960 }
2961
2962 trans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN);
2963 if (!trans) {
2964 err = -ENOMEM;
2965 goto err_chain_del_hook;
2966 }
2967
2968 nft_trans_basechain(trans) = basechain;
2969 nft_trans_chain_update(trans) = true;
2970 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2971 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
2972 nft_chain_release_hook(&chain_hook);
2973
2974 nft_trans_commit_list_add_tail(ctx->net, trans);
2975
2976 return 0;
2977
2978 err_chain_del_hook:
2979 list_splice(&chain_del_list, &basechain->hook_list);
2980 nft_chain_release_hook(&chain_hook);
2981
2982 return err;
2983 }
2984
2985 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2986 const struct nlattr * const nla[])
2987 {
2988 struct netlink_ext_ack *extack = info->extack;
2989 u8 genmask = nft_genmask_next(info->net);
2990 u8 family = info->nfmsg->nfgen_family;
2991 struct net *net = info->net;
2992 const struct nlattr *attr;
2993 struct nft_table *table;
2994 struct nft_chain *chain;
2995 struct nft_rule *rule;
2996 struct nft_ctx ctx;
2997 u64 handle;
2998 u32 use;
2999 int err;
3000
3001 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
3002 NETLINK_CB(skb).portid);
3003 if (IS_ERR(table)) {
3004 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
3005 return PTR_ERR(table);
3006 }
3007
3008 if (nla[NFTA_CHAIN_HANDLE]) {
3009 attr = nla[NFTA_CHAIN_HANDLE];
3010 handle = be64_to_cpu(nla_get_be64(attr));
3011 chain = nft_chain_lookup_byhandle(table, handle, genmask);
3012 } else {
3013 attr = nla[NFTA_CHAIN_NAME];
3014 chain = nft_chain_lookup(net, table, attr, genmask);
3015 }
3016 if (IS_ERR(chain)) {
3017 if (PTR_ERR(chain) == -ENOENT &&
3018 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
3019 return 0;
3020
3021 NL_SET_BAD_ATTR(extack, attr);
3022 return PTR_ERR(chain);
3023 }
3024
3025 if (nft_chain_binding(chain))
3026 return -EOPNOTSUPP;
3027
3028 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3029
3030 if (nla[NFTA_CHAIN_HOOK]) {
3031 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN ||
3032 chain->flags & NFT_CHAIN_HW_OFFLOAD)
3033 return -EOPNOTSUPP;
3034
3035 if (nft_is_base_chain(chain)) {
3036 struct nft_base_chain *basechain = nft_base_chain(chain);
3037
3038 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
3039 return nft_delchain_hook(&ctx, basechain, extack);
3040 }
3041 }
3042
3043 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
3044 chain->use > 0)
3045 return -EBUSY;
3046
3047 use = chain->use;
3048 list_for_each_entry(rule, &chain->rules, list) {
3049 if (!nft_is_active_next(net, rule))
3050 continue;
3051 use--;
3052
3053 err = nft_delrule(&ctx, rule);
3054 if (err < 0)
3055 return err;
3056 }
3057
3058 /* There are rules and elements that are still holding references to us,
3059 * we cannot do a recursive removal in this case.
3060 */
3061 if (use > 0) {
3062 NL_SET_BAD_ATTR(extack, attr);
3063 return -EBUSY;
3064 }
3065
3066 return nft_delchain(&ctx);
3067 }
3068
3069 /*
3070 * Expressions
3071 */
3072
3073 /**
3074 * nft_register_expr - register nf_tables expr type
3075 * @type: expr type
3076 *
3077 * Registers the expr type for use with nf_tables. Returns zero on
3078 * success or a negative errno code otherwise.
3079 */
3080 int nft_register_expr(struct nft_expr_type *type)
3081 {
3082 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
3083 return -ENOMEM;
3084
3085 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3086 if (type->family == NFPROTO_UNSPEC)
3087 list_add_tail_rcu(&type->list, &nf_tables_expressions);
3088 else
3089 list_add_rcu(&type->list, &nf_tables_expressions);
3090 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3091 return 0;
3092 }
3093 EXPORT_SYMBOL_GPL(nft_register_expr);
3094
3095 /**
3096 * nft_unregister_expr - unregister nf_tables expr type
3097 * @type: expr type
3098 *
3099 * Unregisters the expr typefor use with nf_tables.
3100 */
3101 void nft_unregister_expr(struct nft_expr_type *type)
3102 {
3103 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3104 list_del_rcu(&type->list);
3105 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3106 }
3107 EXPORT_SYMBOL_GPL(nft_unregister_expr);
3108
3109 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
3110 struct nlattr *nla)
3111 {
3112 const struct nft_expr_type *type, *candidate = NULL;
3113
3114 list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
3115 if (!nla_strcmp(nla, type->name)) {
3116 if (!type->family && !candidate)
3117 candidate = type;
3118 else if (type->family == family)
3119 candidate = type;
3120 }
3121 }
3122 return candidate;
3123 }
3124
3125 #ifdef CONFIG_MODULES
3126 static int nft_expr_type_request_module(struct net *net, u8 family,
3127 struct nlattr *nla)
3128 {
3129 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3130 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3131 return -EAGAIN;
3132
3133 return 0;
3134 }
3135 #endif
3136
3137 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3138 u8 family,
3139 struct nlattr *nla)
3140 {
3141 const struct nft_expr_type *type;
3142
3143 if (nla == NULL)
3144 return ERR_PTR(-EINVAL);
3145
3146 rcu_read_lock();
3147 type = __nft_expr_type_get(family, nla);
3148 if (type != NULL && try_module_get(type->owner)) {
3149 rcu_read_unlock();
3150 return type;
3151 }
3152 rcu_read_unlock();
3153
3154 lockdep_nfnl_nft_mutex_not_held();
3155 #ifdef CONFIG_MODULES
3156 if (type == NULL) {
3157 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3158 return ERR_PTR(-EAGAIN);
3159
3160 if (nft_request_module(net, "nft-expr-%.*s",
3161 nla_len(nla),
3162 (char *)nla_data(nla)) == -EAGAIN)
3163 return ERR_PTR(-EAGAIN);
3164 }
3165 #endif
3166 return ERR_PTR(-ENOENT);
3167 }
3168
3169 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3170 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3171 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3172 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3173 };
3174
3175 static int nf_tables_fill_expr_info(struct sk_buff *skb,
3176 const struct nft_expr *expr, bool reset)
3177 {
3178 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
3179 goto nla_put_failure;
3180
3181 if (expr->ops->dump) {
3182 struct nlattr *data = nla_nest_start_noflag(skb,
3183 NFTA_EXPR_DATA);
3184 if (data == NULL)
3185 goto nla_put_failure;
3186 if (expr->ops->dump(skb, expr, reset) < 0)
3187 goto nla_put_failure;
3188 nla_nest_end(skb, data);
3189 }
3190
3191 return skb->len;
3192
3193 nla_put_failure:
3194 return -1;
3195 };
3196
3197 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3198 const struct nft_expr *expr, bool reset)
3199 {
3200 struct nlattr *nest;
3201
3202 nest = nla_nest_start_noflag(skb, attr);
3203 if (!nest)
3204 goto nla_put_failure;
3205 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3206 goto nla_put_failure;
3207 nla_nest_end(skb, nest);
3208 return 0;
3209
3210 nla_put_failure:
3211 return -1;
3212 }
3213
3214 struct nft_expr_info {
3215 const struct nft_expr_ops *ops;
3216 const struct nlattr *attr;
3217 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3218 };
3219
3220 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3221 const struct nlattr *nla,
3222 struct nft_expr_info *info)
3223 {
3224 const struct nft_expr_type *type;
3225 const struct nft_expr_ops *ops;
3226 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3227 int err;
3228
3229 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3230 nft_expr_policy, NULL);
3231 if (err < 0)
3232 return err;
3233
3234 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3235 if (IS_ERR(type))
3236 return PTR_ERR(type);
3237
3238 if (tb[NFTA_EXPR_DATA]) {
3239 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3240 tb[NFTA_EXPR_DATA],
3241 type->policy, NULL);
3242 if (err < 0)
3243 goto err1;
3244 } else
3245 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3246
3247 if (type->select_ops != NULL) {
3248 ops = type->select_ops(ctx,
3249 (const struct nlattr * const *)info->tb);
3250 if (IS_ERR(ops)) {
3251 err = PTR_ERR(ops);
3252 #ifdef CONFIG_MODULES
3253 if (err == -EAGAIN)
3254 if (nft_expr_type_request_module(ctx->net,
3255 ctx->family,
3256 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3257 err = -ENOENT;
3258 #endif
3259 goto err1;
3260 }
3261 } else
3262 ops = type->ops;
3263
3264 info->attr = nla;
3265 info->ops = ops;
3266
3267 return 0;
3268
3269 err1:
3270 module_put(type->owner);
3271 return err;
3272 }
3273
3274 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3275 struct nft_expr_info *info)
3276 {
3277 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3278 const struct nft_expr_type *type;
3279 int err;
3280
3281 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3282 nft_expr_policy, NULL);
3283 if (err < 0)
3284 return err;
3285
3286 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3287 return -EINVAL;
3288
3289 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3290 if (!type)
3291 return -ENOENT;
3292
3293 if (!type->inner_ops)
3294 return -EOPNOTSUPP;
3295
3296 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3297 tb[NFTA_EXPR_DATA],
3298 type->policy, NULL);
3299 if (err < 0)
3300 goto err_nla_parse;
3301
3302 info->attr = nla;
3303 info->ops = type->inner_ops;
3304
3305 return 0;
3306
3307 err_nla_parse:
3308 return err;
3309 }
3310
3311 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3312 const struct nft_expr_info *expr_info,
3313 struct nft_expr *expr)
3314 {
3315 const struct nft_expr_ops *ops = expr_info->ops;
3316 int err;
3317
3318 expr->ops = ops;
3319 if (ops->init) {
3320 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3321 if (err < 0)
3322 goto err1;
3323 }
3324
3325 return 0;
3326 err1:
3327 expr->ops = NULL;
3328 return err;
3329 }
3330
3331 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3332 struct nft_expr *expr)
3333 {
3334 const struct nft_expr_type *type = expr->ops->type;
3335
3336 if (expr->ops->destroy)
3337 expr->ops->destroy(ctx, expr);
3338 module_put(type->owner);
3339 }
3340
3341 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3342 const struct nlattr *nla)
3343 {
3344 struct nft_expr_info expr_info;
3345 struct nft_expr *expr;
3346 struct module *owner;
3347 int err;
3348
3349 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3350 if (err < 0)
3351 goto err_expr_parse;
3352
3353 err = -EOPNOTSUPP;
3354 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3355 goto err_expr_stateful;
3356
3357 err = -ENOMEM;
3358 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3359 if (expr == NULL)
3360 goto err_expr_stateful;
3361
3362 err = nf_tables_newexpr(ctx, &expr_info, expr);
3363 if (err < 0)
3364 goto err_expr_new;
3365
3366 return expr;
3367 err_expr_new:
3368 kfree(expr);
3369 err_expr_stateful:
3370 owner = expr_info.ops->type->owner;
3371 if (expr_info.ops->type->release_ops)
3372 expr_info.ops->type->release_ops(expr_info.ops);
3373
3374 module_put(owner);
3375 err_expr_parse:
3376 return ERR_PTR(err);
3377 }
3378
3379 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp)
3380 {
3381 int err;
3382
3383 if (WARN_ON_ONCE(!src->ops->clone))
3384 return -EINVAL;
3385
3386 dst->ops = src->ops;
3387 err = src->ops->clone(dst, src, gfp);
3388 if (err < 0)
3389 return err;
3390
3391 __module_get(src->ops->type->owner);
3392
3393 return 0;
3394 }
3395
3396 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3397 {
3398 nf_tables_expr_destroy(ctx, expr);
3399 kfree(expr);
3400 }
3401
3402 /*
3403 * Rules
3404 */
3405
3406 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
3407 u64 handle)
3408 {
3409 struct nft_rule *rule;
3410
3411 // FIXME: this sucks
3412 list_for_each_entry_rcu(rule, &chain->rules, list) {
3413 if (handle == rule->handle)
3414 return rule;
3415 }
3416
3417 return ERR_PTR(-ENOENT);
3418 }
3419
3420 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
3421 const struct nlattr *nla)
3422 {
3423 if (nla == NULL)
3424 return ERR_PTR(-EINVAL);
3425
3426 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
3427 }
3428
3429 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3430 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3431 .len = NFT_TABLE_MAXNAMELEN - 1 },
3432 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3433 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3434 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3435 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
3436 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3437 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3438 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3439 .len = NFT_USERDATA_MAXLEN },
3440 [NFTA_RULE_ID] = { .type = NLA_U32 },
3441 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3442 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3443 };
3444
3445 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3446 u32 portid, u32 seq, int event,
3447 u32 flags, int family,
3448 const struct nft_table *table,
3449 const struct nft_chain *chain,
3450 const struct nft_rule *rule, u64 handle,
3451 bool reset)
3452 {
3453 struct nlmsghdr *nlh;
3454 const struct nft_expr *expr, *next;
3455 struct nlattr *list;
3456 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3457
3458 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3459 nft_base_seq(net));
3460 if (!nlh)
3461 goto nla_put_failure;
3462
3463 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3464 goto nla_put_failure;
3465 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3466 goto nla_put_failure;
3467 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3468 NFTA_RULE_PAD))
3469 goto nla_put_failure;
3470
3471 if (event != NFT_MSG_DELRULE && handle) {
3472 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3473 NFTA_RULE_PAD))
3474 goto nla_put_failure;
3475 }
3476
3477 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3478 nft_flow_rule_stats(chain, rule);
3479
3480 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3481 if (list == NULL)
3482 goto nla_put_failure;
3483 nft_rule_for_each_expr(expr, next, rule) {
3484 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3485 goto nla_put_failure;
3486 }
3487 nla_nest_end(skb, list);
3488
3489 if (rule->udata) {
3490 struct nft_userdata *udata = nft_userdata(rule);
3491 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3492 udata->data) < 0)
3493 goto nla_put_failure;
3494 }
3495
3496 nlmsg_end(skb, nlh);
3497 return 0;
3498
3499 nla_put_failure:
3500 nlmsg_trim(skb, nlh);
3501 return -1;
3502 }
3503
3504 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3505 const struct nft_rule *rule, int event)
3506 {
3507 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3508 const struct nft_rule *prule;
3509 struct sk_buff *skb;
3510 u64 handle = 0;
3511 u16 flags = 0;
3512 int err;
3513
3514 if (!ctx->report &&
3515 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3516 return;
3517
3518 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3519 if (skb == NULL)
3520 goto err;
3521
3522 if (event == NFT_MSG_NEWRULE &&
3523 !list_is_first(&rule->list, &ctx->chain->rules) &&
3524 !list_is_last(&rule->list, &ctx->chain->rules)) {
3525 prule = list_prev_entry(rule, list);
3526 handle = prule->handle;
3527 }
3528 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3529 flags |= NLM_F_APPEND;
3530 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3531 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3532
3533 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3534 event, flags, ctx->family, ctx->table,
3535 ctx->chain, rule, handle, false);
3536 if (err < 0) {
3537 kfree_skb(skb);
3538 goto err;
3539 }
3540
3541 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3542 return;
3543 err:
3544 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3545 }
3546
3547 static void audit_log_rule_reset(const struct nft_table *table,
3548 unsigned int base_seq,
3549 unsigned int nentries)
3550 {
3551 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
3552 table->name, base_seq);
3553
3554 audit_log_nfcfg(buf, table->family, nentries,
3555 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3556 kfree(buf);
3557 }
3558
3559 struct nft_rule_dump_ctx {
3560 unsigned int s_idx;
3561 char *table;
3562 char *chain;
3563 bool reset;
3564 };
3565
3566 static int __nf_tables_dump_rules(struct sk_buff *skb,
3567 unsigned int *idx,
3568 struct netlink_callback *cb,
3569 const struct nft_table *table,
3570 const struct nft_chain *chain)
3571 {
3572 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3573 struct net *net = sock_net(skb->sk);
3574 const struct nft_rule *rule, *prule;
3575 unsigned int entries = 0;
3576 int ret = 0;
3577 u64 handle;
3578
3579 prule = NULL;
3580 list_for_each_entry_rcu(rule, &chain->rules, list) {
3581 if (!nft_is_active(net, rule))
3582 goto cont_skip;
3583 if (*idx < ctx->s_idx)
3584 goto cont;
3585 if (prule)
3586 handle = prule->handle;
3587 else
3588 handle = 0;
3589
3590 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3591 cb->nlh->nlmsg_seq,
3592 NFT_MSG_NEWRULE,
3593 NLM_F_MULTI | NLM_F_APPEND,
3594 table->family,
3595 table, chain, rule, handle, ctx->reset) < 0) {
3596 ret = 1;
3597 break;
3598 }
3599 entries++;
3600 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3601 cont:
3602 prule = rule;
3603 cont_skip:
3604 (*idx)++;
3605 }
3606
3607 if (ctx->reset && entries)
3608 audit_log_rule_reset(table, cb->seq, entries);
3609
3610 return ret;
3611 }
3612
3613 static int nf_tables_dump_rules(struct sk_buff *skb,
3614 struct netlink_callback *cb)
3615 {
3616 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3617 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3618 struct nft_table *table;
3619 const struct nft_chain *chain;
3620 unsigned int idx = 0;
3621 struct net *net = sock_net(skb->sk);
3622 int family = nfmsg->nfgen_family;
3623 struct nftables_pernet *nft_net;
3624
3625 rcu_read_lock();
3626 nft_net = nft_pernet(net);
3627 cb->seq = READ_ONCE(nft_net->base_seq);
3628
3629 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3630 if (family != NFPROTO_UNSPEC && family != table->family)
3631 continue;
3632
3633 if (ctx->table && strcmp(ctx->table, table->name) != 0)
3634 continue;
3635
3636 if (ctx->table && ctx->chain) {
3637 struct rhlist_head *list, *tmp;
3638
3639 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3640 nft_chain_ht_params);
3641 if (!list)
3642 goto done;
3643
3644 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3645 if (!nft_is_active(net, chain))
3646 continue;
3647 __nf_tables_dump_rules(skb, &idx,
3648 cb, table, chain);
3649 break;
3650 }
3651 goto done;
3652 }
3653
3654 list_for_each_entry_rcu(chain, &table->chains, list) {
3655 if (__nf_tables_dump_rules(skb, &idx,
3656 cb, table, chain))
3657 goto done;
3658 }
3659
3660 if (ctx->table)
3661 break;
3662 }
3663 done:
3664 rcu_read_unlock();
3665
3666 ctx->s_idx = idx;
3667 return skb->len;
3668 }
3669
3670 static int nf_tables_dumpreset_rules(struct sk_buff *skb,
3671 struct netlink_callback *cb)
3672 {
3673 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
3674 int ret;
3675
3676 /* Mutex is held is to prevent that two concurrent dump-and-reset calls
3677 * do not underrun counters and quotas. The commit_mutex is used for
3678 * the lack a better lock, this is not transaction path.
3679 */
3680 mutex_lock(&nft_net->commit_mutex);
3681 ret = nf_tables_dump_rules(skb, cb);
3682 mutex_unlock(&nft_net->commit_mutex);
3683
3684 return ret;
3685 }
3686
3687 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3688 {
3689 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3690 const struct nlattr * const *nla = cb->data;
3691
3692 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
3693
3694 if (nla[NFTA_RULE_TABLE]) {
3695 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC);
3696 if (!ctx->table)
3697 return -ENOMEM;
3698 }
3699 if (nla[NFTA_RULE_CHAIN]) {
3700 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC);
3701 if (!ctx->chain) {
3702 kfree(ctx->table);
3703 return -ENOMEM;
3704 }
3705 }
3706 return 0;
3707 }
3708
3709 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb)
3710 {
3711 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3712
3713 ctx->reset = true;
3714
3715 return nf_tables_dump_rules_start(cb);
3716 }
3717
3718 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3719 {
3720 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3721
3722 kfree(ctx->table);
3723 kfree(ctx->chain);
3724 return 0;
3725 }
3726
3727 /* called with rcu_read_lock held */
3728 static struct sk_buff *
3729 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3730 const struct nlattr * const nla[], bool reset)
3731 {
3732 struct netlink_ext_ack *extack = info->extack;
3733 u8 genmask = nft_genmask_cur(info->net);
3734 u8 family = info->nfmsg->nfgen_family;
3735 const struct nft_chain *chain;
3736 const struct nft_rule *rule;
3737 struct net *net = info->net;
3738 struct nft_table *table;
3739 struct sk_buff *skb2;
3740 int err;
3741
3742 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3743 if (IS_ERR(table)) {
3744 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3745 return ERR_CAST(table);
3746 }
3747
3748 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3749 if (IS_ERR(chain)) {
3750 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3751 return ERR_CAST(chain);
3752 }
3753
3754 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3755 if (IS_ERR(rule)) {
3756 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3757 return ERR_CAST(rule);
3758 }
3759
3760 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3761 if (!skb2)
3762 return ERR_PTR(-ENOMEM);
3763
3764 err = nf_tables_fill_rule_info(skb2, net, portid,
3765 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3766 family, table, chain, rule, 0, reset);
3767 if (err < 0) {
3768 kfree_skb(skb2);
3769 return ERR_PTR(err);
3770 }
3771
3772 return skb2;
3773 }
3774
3775 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3776 const struct nlattr * const nla[])
3777 {
3778 u32 portid = NETLINK_CB(skb).portid;
3779 struct net *net = info->net;
3780 struct sk_buff *skb2;
3781
3782 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3783 struct netlink_dump_control c = {
3784 .start= nf_tables_dump_rules_start,
3785 .dump = nf_tables_dump_rules,
3786 .done = nf_tables_dump_rules_done,
3787 .module = THIS_MODULE,
3788 .data = (void *)nla,
3789 };
3790
3791 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3792 }
3793
3794 skb2 = nf_tables_getrule_single(portid, info, nla, false);
3795 if (IS_ERR(skb2))
3796 return PTR_ERR(skb2);
3797
3798 return nfnetlink_unicast(skb2, net, portid);
3799 }
3800
3801 static int nf_tables_getrule_reset(struct sk_buff *skb,
3802 const struct nfnl_info *info,
3803 const struct nlattr * const nla[])
3804 {
3805 struct nftables_pernet *nft_net = nft_pernet(info->net);
3806 u32 portid = NETLINK_CB(skb).portid;
3807 struct net *net = info->net;
3808 struct sk_buff *skb2;
3809 char *buf;
3810
3811 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3812 struct netlink_dump_control c = {
3813 .start= nf_tables_dumpreset_rules_start,
3814 .dump = nf_tables_dumpreset_rules,
3815 .done = nf_tables_dump_rules_done,
3816 .module = THIS_MODULE,
3817 .data = (void *)nla,
3818 };
3819
3820 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3821 }
3822
3823 if (!try_module_get(THIS_MODULE))
3824 return -EINVAL;
3825 rcu_read_unlock();
3826 mutex_lock(&nft_net->commit_mutex);
3827 skb2 = nf_tables_getrule_single(portid, info, nla, true);
3828 mutex_unlock(&nft_net->commit_mutex);
3829 rcu_read_lock();
3830 module_put(THIS_MODULE);
3831
3832 if (IS_ERR(skb2))
3833 return PTR_ERR(skb2);
3834
3835 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
3836 nla_len(nla[NFTA_RULE_TABLE]),
3837 (char *)nla_data(nla[NFTA_RULE_TABLE]),
3838 nft_net->base_seq);
3839 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
3840 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3841 kfree(buf);
3842
3843 return nfnetlink_unicast(skb2, net, portid);
3844 }
3845
3846 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
3847 {
3848 struct nft_expr *expr, *next;
3849
3850 /*
3851 * Careful: some expressions might not be initialized in case this
3852 * is called on error from nf_tables_newrule().
3853 */
3854 expr = nft_expr_first(rule);
3855 while (nft_expr_more(rule, expr)) {
3856 next = nft_expr_next(expr);
3857 nf_tables_expr_destroy(ctx, expr);
3858 expr = next;
3859 }
3860 kfree(rule);
3861 }
3862
3863 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3864 {
3865 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3866 nf_tables_rule_destroy(ctx, rule);
3867 }
3868
3869 /** nft_chain_validate - loop detection and hook validation
3870 *
3871 * @ctx: context containing call depth and base chain
3872 * @chain: chain to validate
3873 *
3874 * Walk through the rules of the given chain and chase all jumps/gotos
3875 * and set lookups until either the jump limit is hit or all reachable
3876 * chains have been validated.
3877 */
3878 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3879 {
3880 struct nft_expr *expr, *last;
3881 const struct nft_data *data;
3882 struct nft_rule *rule;
3883 int err;
3884
3885 if (ctx->level == NFT_JUMP_STACK_SIZE)
3886 return -EMLINK;
3887
3888 list_for_each_entry(rule, &chain->rules, list) {
3889 if (fatal_signal_pending(current))
3890 return -EINTR;
3891
3892 if (!nft_is_active_next(ctx->net, rule))
3893 continue;
3894
3895 nft_rule_for_each_expr(expr, last, rule) {
3896 if (!expr->ops->validate)
3897 continue;
3898
3899 /* This may call nft_chain_validate() recursively,
3900 * callers that do so must increment ctx->level.
3901 */
3902 err = expr->ops->validate(ctx, expr, &data);
3903 if (err < 0)
3904 return err;
3905 }
3906 }
3907
3908 return 0;
3909 }
3910 EXPORT_SYMBOL_GPL(nft_chain_validate);
3911
3912 static int nft_table_validate(struct net *net, const struct nft_table *table)
3913 {
3914 struct nft_chain *chain;
3915 struct nft_ctx ctx = {
3916 .net = net,
3917 .family = table->family,
3918 };
3919 int err;
3920
3921 list_for_each_entry(chain, &table->chains, list) {
3922 if (!nft_is_base_chain(chain))
3923 continue;
3924
3925 ctx.chain = chain;
3926 err = nft_chain_validate(&ctx, chain);
3927 if (err < 0)
3928 return err;
3929
3930 cond_resched();
3931 }
3932
3933 return 0;
3934 }
3935
3936 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3937 const struct nft_set_iter *iter,
3938 struct nft_elem_priv *elem_priv)
3939 {
3940 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
3941 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3942 const struct nft_data *data;
3943 int err;
3944
3945 if (!nft_set_elem_active(ext, iter->genmask))
3946 return 0;
3947
3948 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3949 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3950 return 0;
3951
3952 data = nft_set_ext_data(ext);
3953 switch (data->verdict.code) {
3954 case NFT_JUMP:
3955 case NFT_GOTO:
3956 pctx->level++;
3957 err = nft_chain_validate(ctx, data->verdict.chain);
3958 if (err < 0)
3959 return err;
3960 pctx->level--;
3961 break;
3962 default:
3963 break;
3964 }
3965
3966 return 0;
3967 }
3968
3969 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3970 {
3971 struct nft_set_iter dummy_iter = {
3972 .genmask = nft_genmask_next(ctx->net),
3973 };
3974 struct nft_set_elem_catchall *catchall;
3975
3976 struct nft_set_ext *ext;
3977 int ret = 0;
3978
3979 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3980 ext = nft_set_elem_ext(set, catchall->elem);
3981 if (!nft_set_elem_active(ext, dummy_iter.genmask))
3982 continue;
3983
3984 ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem);
3985 if (ret < 0)
3986 return ret;
3987 }
3988
3989 return ret;
3990 }
3991
3992 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3993 const struct nft_chain *chain,
3994 const struct nlattr *nla);
3995
3996 #define NFT_RULE_MAXEXPRS 128
3997
3998 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3999 const struct nlattr * const nla[])
4000 {
4001 struct nftables_pernet *nft_net = nft_pernet(info->net);
4002 struct netlink_ext_ack *extack = info->extack;
4003 unsigned int size, i, n, ulen = 0, usize = 0;
4004 u8 genmask = nft_genmask_next(info->net);
4005 struct nft_rule *rule, *old_rule = NULL;
4006 struct nft_expr_info *expr_info = NULL;
4007 u8 family = info->nfmsg->nfgen_family;
4008 struct nft_flow_rule *flow = NULL;
4009 struct net *net = info->net;
4010 struct nft_userdata *udata;
4011 struct nft_table *table;
4012 struct nft_chain *chain;
4013 struct nft_trans *trans;
4014 u64 handle, pos_handle;
4015 struct nft_expr *expr;
4016 struct nft_ctx ctx;
4017 struct nlattr *tmp;
4018 int err, rem;
4019
4020 lockdep_assert_held(&nft_net->commit_mutex);
4021
4022 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4023 NETLINK_CB(skb).portid);
4024 if (IS_ERR(table)) {
4025 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4026 return PTR_ERR(table);
4027 }
4028
4029 if (nla[NFTA_RULE_CHAIN]) {
4030 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4031 genmask);
4032 if (IS_ERR(chain)) {
4033 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4034 return PTR_ERR(chain);
4035 }
4036
4037 } else if (nla[NFTA_RULE_CHAIN_ID]) {
4038 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
4039 genmask);
4040 if (IS_ERR(chain)) {
4041 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
4042 return PTR_ERR(chain);
4043 }
4044 } else {
4045 return -EINVAL;
4046 }
4047
4048 if (nft_chain_is_bound(chain))
4049 return -EOPNOTSUPP;
4050
4051 if (nla[NFTA_RULE_HANDLE]) {
4052 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
4053 rule = __nft_rule_lookup(chain, handle);
4054 if (IS_ERR(rule)) {
4055 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4056 return PTR_ERR(rule);
4057 }
4058
4059 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4060 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4061 return -EEXIST;
4062 }
4063 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4064 old_rule = rule;
4065 else
4066 return -EOPNOTSUPP;
4067 } else {
4068 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
4069 info->nlh->nlmsg_flags & NLM_F_REPLACE)
4070 return -EINVAL;
4071 handle = nf_tables_alloc_handle(table);
4072
4073 if (nla[NFTA_RULE_POSITION]) {
4074 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
4075 old_rule = __nft_rule_lookup(chain, pos_handle);
4076 if (IS_ERR(old_rule)) {
4077 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
4078 return PTR_ERR(old_rule);
4079 }
4080 } else if (nla[NFTA_RULE_POSITION_ID]) {
4081 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
4082 if (IS_ERR(old_rule)) {
4083 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
4084 return PTR_ERR(old_rule);
4085 }
4086 }
4087 }
4088
4089 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4090
4091 n = 0;
4092 size = 0;
4093 if (nla[NFTA_RULE_EXPRESSIONS]) {
4094 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
4095 sizeof(struct nft_expr_info),
4096 GFP_KERNEL);
4097 if (!expr_info)
4098 return -ENOMEM;
4099
4100 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
4101 err = -EINVAL;
4102 if (nla_type(tmp) != NFTA_LIST_ELEM)
4103 goto err_release_expr;
4104 if (n == NFT_RULE_MAXEXPRS)
4105 goto err_release_expr;
4106 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
4107 if (err < 0) {
4108 NL_SET_BAD_ATTR(extack, tmp);
4109 goto err_release_expr;
4110 }
4111 size += expr_info[n].ops->size;
4112 n++;
4113 }
4114 }
4115 /* Check for overflow of dlen field */
4116 err = -EFBIG;
4117 if (size >= 1 << 12)
4118 goto err_release_expr;
4119
4120 if (nla[NFTA_RULE_USERDATA]) {
4121 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
4122 if (ulen > 0)
4123 usize = sizeof(struct nft_userdata) + ulen;
4124 }
4125
4126 err = -ENOMEM;
4127 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
4128 if (rule == NULL)
4129 goto err_release_expr;
4130
4131 nft_activate_next(net, rule);
4132
4133 rule->handle = handle;
4134 rule->dlen = size;
4135 rule->udata = ulen ? 1 : 0;
4136
4137 if (ulen) {
4138 udata = nft_userdata(rule);
4139 udata->len = ulen - 1;
4140 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
4141 }
4142
4143 expr = nft_expr_first(rule);
4144 for (i = 0; i < n; i++) {
4145 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
4146 if (err < 0) {
4147 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4148 goto err_release_rule;
4149 }
4150
4151 if (expr_info[i].ops->validate)
4152 nft_validate_state_update(table, NFT_VALIDATE_NEED);
4153
4154 expr_info[i].ops = NULL;
4155 expr = nft_expr_next(expr);
4156 }
4157
4158 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4159 flow = nft_flow_rule_create(net, rule);
4160 if (IS_ERR(flow)) {
4161 err = PTR_ERR(flow);
4162 goto err_release_rule;
4163 }
4164 }
4165
4166 if (!nft_use_inc(&chain->use)) {
4167 err = -EMFILE;
4168 goto err_release_rule;
4169 }
4170
4171 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4172 if (nft_chain_binding(chain)) {
4173 err = -EOPNOTSUPP;
4174 goto err_destroy_flow_rule;
4175 }
4176
4177 err = nft_delrule(&ctx, old_rule);
4178 if (err < 0)
4179 goto err_destroy_flow_rule;
4180
4181 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4182 if (trans == NULL) {
4183 err = -ENOMEM;
4184 goto err_destroy_flow_rule;
4185 }
4186 list_add_tail_rcu(&rule->list, &old_rule->list);
4187 } else {
4188 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4189 if (!trans) {
4190 err = -ENOMEM;
4191 goto err_destroy_flow_rule;
4192 }
4193
4194 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4195 if (old_rule)
4196 list_add_rcu(&rule->list, &old_rule->list);
4197 else
4198 list_add_tail_rcu(&rule->list, &chain->rules);
4199 } else {
4200 if (old_rule)
4201 list_add_tail_rcu(&rule->list, &old_rule->list);
4202 else
4203 list_add_rcu(&rule->list, &chain->rules);
4204 }
4205 }
4206 kvfree(expr_info);
4207
4208 if (flow)
4209 nft_trans_flow_rule(trans) = flow;
4210
4211 if (table->validate_state == NFT_VALIDATE_DO)
4212 return nft_table_validate(net, table);
4213
4214 return 0;
4215
4216 err_destroy_flow_rule:
4217 nft_use_dec_restore(&chain->use);
4218 if (flow)
4219 nft_flow_rule_destroy(flow);
4220 err_release_rule:
4221 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
4222 nf_tables_rule_destroy(&ctx, rule);
4223 err_release_expr:
4224 for (i = 0; i < n; i++) {
4225 if (expr_info[i].ops) {
4226 module_put(expr_info[i].ops->type->owner);
4227 if (expr_info[i].ops->type->release_ops)
4228 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4229 }
4230 }
4231 kvfree(expr_info);
4232
4233 return err;
4234 }
4235
4236 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4237 const struct nft_chain *chain,
4238 const struct nlattr *nla)
4239 {
4240 struct nftables_pernet *nft_net = nft_pernet(net);
4241 u32 id = ntohl(nla_get_be32(nla));
4242 struct nft_trans *trans;
4243
4244 list_for_each_entry(trans, &nft_net->commit_list, list) {
4245 if (trans->msg_type == NFT_MSG_NEWRULE &&
4246 nft_trans_rule_chain(trans) == chain &&
4247 id == nft_trans_rule_id(trans))
4248 return nft_trans_rule(trans);
4249 }
4250 return ERR_PTR(-ENOENT);
4251 }
4252
4253 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4254 const struct nlattr * const nla[])
4255 {
4256 struct netlink_ext_ack *extack = info->extack;
4257 u8 genmask = nft_genmask_next(info->net);
4258 u8 family = info->nfmsg->nfgen_family;
4259 struct nft_chain *chain = NULL;
4260 struct net *net = info->net;
4261 struct nft_table *table;
4262 struct nft_rule *rule;
4263 struct nft_ctx ctx;
4264 int err = 0;
4265
4266 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4267 NETLINK_CB(skb).portid);
4268 if (IS_ERR(table)) {
4269 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4270 return PTR_ERR(table);
4271 }
4272
4273 if (nla[NFTA_RULE_CHAIN]) {
4274 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4275 genmask);
4276 if (IS_ERR(chain)) {
4277 if (PTR_ERR(chain) == -ENOENT &&
4278 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4279 return 0;
4280
4281 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4282 return PTR_ERR(chain);
4283 }
4284 if (nft_chain_binding(chain))
4285 return -EOPNOTSUPP;
4286 }
4287
4288 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4289
4290 if (chain) {
4291 if (nla[NFTA_RULE_HANDLE]) {
4292 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
4293 if (IS_ERR(rule)) {
4294 if (PTR_ERR(rule) == -ENOENT &&
4295 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4296 return 0;
4297
4298 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4299 return PTR_ERR(rule);
4300 }
4301
4302 err = nft_delrule(&ctx, rule);
4303 } else if (nla[NFTA_RULE_ID]) {
4304 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
4305 if (IS_ERR(rule)) {
4306 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4307 return PTR_ERR(rule);
4308 }
4309
4310 err = nft_delrule(&ctx, rule);
4311 } else {
4312 err = nft_delrule_by_chain(&ctx);
4313 }
4314 } else {
4315 list_for_each_entry(chain, &table->chains, list) {
4316 if (!nft_is_active_next(net, chain))
4317 continue;
4318 if (nft_chain_binding(chain))
4319 continue;
4320
4321 ctx.chain = chain;
4322 err = nft_delrule_by_chain(&ctx);
4323 if (err < 0)
4324 break;
4325 }
4326 }
4327
4328 return err;
4329 }
4330
4331 /*
4332 * Sets
4333 */
4334 static const struct nft_set_type *nft_set_types[] = {
4335 &nft_set_hash_fast_type,
4336 &nft_set_hash_type,
4337 &nft_set_rhash_type,
4338 &nft_set_bitmap_type,
4339 &nft_set_rbtree_type,
4340 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4341 &nft_set_pipapo_avx2_type,
4342 #endif
4343 &nft_set_pipapo_type,
4344 };
4345
4346 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4347 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4348 NFT_SET_EVAL)
4349
4350 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4351 {
4352 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4353 }
4354
4355 /*
4356 * Select a set implementation based on the data characteristics and the
4357 * given policy. The total memory use might not be known if no size is
4358 * given, in that case the amount of memory per element is used.
4359 */
4360 static const struct nft_set_ops *
4361 nft_select_set_ops(const struct nft_ctx *ctx, u32 flags,
4362 const struct nft_set_desc *desc)
4363 {
4364 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4365 const struct nft_set_ops *ops, *bops;
4366 struct nft_set_estimate est, best;
4367 const struct nft_set_type *type;
4368 int i;
4369
4370 lockdep_assert_held(&nft_net->commit_mutex);
4371 lockdep_nfnl_nft_mutex_not_held();
4372
4373 bops = NULL;
4374 best.size = ~0;
4375 best.lookup = ~0;
4376 best.space = ~0;
4377
4378 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4379 type = nft_set_types[i];
4380 ops = &type->ops;
4381
4382 if (!nft_set_ops_candidate(type, flags))
4383 continue;
4384 if (!ops->estimate(desc, flags, &est))
4385 continue;
4386
4387 switch (desc->policy) {
4388 case NFT_SET_POL_PERFORMANCE:
4389 if (est.lookup < best.lookup)
4390 break;
4391 if (est.lookup == best.lookup &&
4392 est.space < best.space)
4393 break;
4394 continue;
4395 case NFT_SET_POL_MEMORY:
4396 if (!desc->size) {
4397 if (est.space < best.space)
4398 break;
4399 if (est.space == best.space &&
4400 est.lookup < best.lookup)
4401 break;
4402 } else if (est.size < best.size || !bops) {
4403 break;
4404 }
4405 continue;
4406 default:
4407 break;
4408 }
4409
4410 bops = ops;
4411 best = est;
4412 }
4413
4414 if (bops != NULL)
4415 return bops;
4416
4417 return ERR_PTR(-EOPNOTSUPP);
4418 }
4419
4420 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4421 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4422 .len = NFT_TABLE_MAXNAMELEN - 1 },
4423 [NFTA_SET_NAME] = { .type = NLA_STRING,
4424 .len = NFT_SET_MAXNAMELEN - 1 },
4425 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4426 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4427 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4428 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4429 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4430 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4431 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4432 [NFTA_SET_ID] = { .type = NLA_U32 },
4433 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4434 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4435 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4436 .len = NFT_USERDATA_MAXLEN },
4437 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4438 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4439 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4440 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
4441 };
4442
4443 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4444 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4445 };
4446
4447 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4448 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4449 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
4450 };
4451
4452 static struct nft_set *nft_set_lookup(const struct nft_table *table,
4453 const struct nlattr *nla, u8 genmask)
4454 {
4455 struct nft_set *set;
4456
4457 if (nla == NULL)
4458 return ERR_PTR(-EINVAL);
4459
4460 list_for_each_entry_rcu(set, &table->sets, list) {
4461 if (!nla_strcmp(nla, set->name) &&
4462 nft_active_genmask(set, genmask))
4463 return set;
4464 }
4465 return ERR_PTR(-ENOENT);
4466 }
4467
4468 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4469 const struct nlattr *nla,
4470 u8 genmask)
4471 {
4472 struct nft_set *set;
4473
4474 list_for_each_entry(set, &table->sets, list) {
4475 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4476 nft_active_genmask(set, genmask))
4477 return set;
4478 }
4479 return ERR_PTR(-ENOENT);
4480 }
4481
4482 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4483 const struct nft_table *table,
4484 const struct nlattr *nla, u8 genmask)
4485 {
4486 struct nftables_pernet *nft_net = nft_pernet(net);
4487 u32 id = ntohl(nla_get_be32(nla));
4488 struct nft_trans *trans;
4489
4490 list_for_each_entry(trans, &nft_net->commit_list, list) {
4491 if (trans->msg_type == NFT_MSG_NEWSET) {
4492 struct nft_set *set = nft_trans_set(trans);
4493
4494 if (id == nft_trans_set_id(trans) &&
4495 set->table == table &&
4496 nft_active_genmask(set, genmask))
4497 return set;
4498 }
4499 }
4500 return ERR_PTR(-ENOENT);
4501 }
4502
4503 struct nft_set *nft_set_lookup_global(const struct net *net,
4504 const struct nft_table *table,
4505 const struct nlattr *nla_set_name,
4506 const struct nlattr *nla_set_id,
4507 u8 genmask)
4508 {
4509 struct nft_set *set;
4510
4511 set = nft_set_lookup(table, nla_set_name, genmask);
4512 if (IS_ERR(set)) {
4513 if (!nla_set_id)
4514 return set;
4515
4516 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4517 }
4518 return set;
4519 }
4520 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4521
4522 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4523 const char *name)
4524 {
4525 const struct nft_set *i;
4526 const char *p;
4527 unsigned long *inuse;
4528 unsigned int n = 0, min = 0;
4529
4530 p = strchr(name, '%');
4531 if (p != NULL) {
4532 if (p[1] != 'd' || strchr(p + 2, '%'))
4533 return -EINVAL;
4534
4535 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)
4536 return -EINVAL;
4537
4538 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4539 if (inuse == NULL)
4540 return -ENOMEM;
4541 cont:
4542 list_for_each_entry(i, &ctx->table->sets, list) {
4543 int tmp;
4544
4545 if (!nft_is_active_next(ctx->net, i))
4546 continue;
4547 if (!sscanf(i->name, name, &tmp))
4548 continue;
4549 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4550 continue;
4551
4552 set_bit(tmp - min, inuse);
4553 }
4554
4555 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4556 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4557 min += BITS_PER_BYTE * PAGE_SIZE;
4558 memset(inuse, 0, PAGE_SIZE);
4559 goto cont;
4560 }
4561 free_page((unsigned long)inuse);
4562 }
4563
4564 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4565 if (!set->name)
4566 return -ENOMEM;
4567
4568 list_for_each_entry(i, &ctx->table->sets, list) {
4569 if (!nft_is_active_next(ctx->net, i))
4570 continue;
4571 if (!strcmp(set->name, i->name)) {
4572 kfree(set->name);
4573 set->name = NULL;
4574 return -ENFILE;
4575 }
4576 }
4577 return 0;
4578 }
4579
4580 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4581 {
4582 u64 ms = be64_to_cpu(nla_get_be64(nla));
4583 u64 max = (u64)(~((u64)0));
4584
4585 max = div_u64(max, NSEC_PER_MSEC);
4586 if (ms >= max)
4587 return -ERANGE;
4588
4589 ms *= NSEC_PER_MSEC;
4590 *result = nsecs_to_jiffies64(ms);
4591 return 0;
4592 }
4593
4594 __be64 nf_jiffies64_to_msecs(u64 input)
4595 {
4596 return cpu_to_be64(jiffies64_to_msecs(input));
4597 }
4598
4599 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4600 const struct nft_set *set)
4601 {
4602 struct nlattr *concat, *field;
4603 int i;
4604
4605 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4606 if (!concat)
4607 return -ENOMEM;
4608
4609 for (i = 0; i < set->field_count; i++) {
4610 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4611 if (!field)
4612 return -ENOMEM;
4613
4614 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4615 htonl(set->field_len[i])))
4616 return -ENOMEM;
4617
4618 nla_nest_end(skb, field);
4619 }
4620
4621 nla_nest_end(skb, concat);
4622
4623 return 0;
4624 }
4625
4626 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4627 const struct nft_set *set, u16 event, u16 flags)
4628 {
4629 u64 timeout = READ_ONCE(set->timeout);
4630 u32 gc_int = READ_ONCE(set->gc_int);
4631 u32 portid = ctx->portid;
4632 struct nlmsghdr *nlh;
4633 struct nlattr *nest;
4634 u32 seq = ctx->seq;
4635 int i;
4636
4637 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4638 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4639 NFNETLINK_V0, nft_base_seq(ctx->net));
4640 if (!nlh)
4641 goto nla_put_failure;
4642
4643 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4644 goto nla_put_failure;
4645 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4646 goto nla_put_failure;
4647 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4648 NFTA_SET_PAD))
4649 goto nla_put_failure;
4650
4651 if (event == NFT_MSG_DELSET) {
4652 nlmsg_end(skb, nlh);
4653 return 0;
4654 }
4655
4656 if (set->flags != 0)
4657 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4658 goto nla_put_failure;
4659
4660 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4661 goto nla_put_failure;
4662 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4663 goto nla_put_failure;
4664 if (set->flags & NFT_SET_MAP) {
4665 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4666 goto nla_put_failure;
4667 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4668 goto nla_put_failure;
4669 }
4670 if (set->flags & NFT_SET_OBJECT &&
4671 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4672 goto nla_put_failure;
4673
4674 if (timeout &&
4675 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4676 nf_jiffies64_to_msecs(timeout),
4677 NFTA_SET_PAD))
4678 goto nla_put_failure;
4679 if (gc_int &&
4680 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4681 goto nla_put_failure;
4682
4683 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4684 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4685 goto nla_put_failure;
4686 }
4687
4688 if (set->udata &&
4689 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4690 goto nla_put_failure;
4691
4692 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4693 if (!nest)
4694 goto nla_put_failure;
4695 if (set->size &&
4696 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4697 goto nla_put_failure;
4698
4699 if (set->field_count > 1 &&
4700 nf_tables_fill_set_concat(skb, set))
4701 goto nla_put_failure;
4702
4703 nla_nest_end(skb, nest);
4704
4705 if (set->num_exprs == 1) {
4706 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4707 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4708 goto nla_put_failure;
4709
4710 nla_nest_end(skb, nest);
4711 } else if (set->num_exprs > 1) {
4712 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4713 if (nest == NULL)
4714 goto nla_put_failure;
4715
4716 for (i = 0; i < set->num_exprs; i++) {
4717 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4718 set->exprs[i], false) < 0)
4719 goto nla_put_failure;
4720 }
4721 nla_nest_end(skb, nest);
4722 }
4723
4724 nlmsg_end(skb, nlh);
4725 return 0;
4726
4727 nla_put_failure:
4728 nlmsg_trim(skb, nlh);
4729 return -1;
4730 }
4731
4732 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4733 const struct nft_set *set, int event,
4734 gfp_t gfp_flags)
4735 {
4736 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4737 u32 portid = ctx->portid;
4738 struct sk_buff *skb;
4739 u16 flags = 0;
4740 int err;
4741
4742 if (!ctx->report &&
4743 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4744 return;
4745
4746 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4747 if (skb == NULL)
4748 goto err;
4749
4750 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4751 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4752
4753 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4754 if (err < 0) {
4755 kfree_skb(skb);
4756 goto err;
4757 }
4758
4759 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4760 return;
4761 err:
4762 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4763 }
4764
4765 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4766 {
4767 const struct nft_set *set;
4768 unsigned int idx, s_idx = cb->args[0];
4769 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4770 struct net *net = sock_net(skb->sk);
4771 struct nft_ctx *ctx = cb->data, ctx_set;
4772 struct nftables_pernet *nft_net;
4773
4774 if (cb->args[1])
4775 return skb->len;
4776
4777 rcu_read_lock();
4778 nft_net = nft_pernet(net);
4779 cb->seq = READ_ONCE(nft_net->base_seq);
4780
4781 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4782 if (ctx->family != NFPROTO_UNSPEC &&
4783 ctx->family != table->family)
4784 continue;
4785
4786 if (ctx->table && ctx->table != table)
4787 continue;
4788
4789 if (cur_table) {
4790 if (cur_table != table)
4791 continue;
4792
4793 cur_table = NULL;
4794 }
4795 idx = 0;
4796 list_for_each_entry_rcu(set, &table->sets, list) {
4797 if (idx < s_idx)
4798 goto cont;
4799 if (!nft_is_active(net, set))
4800 goto cont;
4801
4802 ctx_set = *ctx;
4803 ctx_set.table = table;
4804 ctx_set.family = table->family;
4805
4806 if (nf_tables_fill_set(skb, &ctx_set, set,
4807 NFT_MSG_NEWSET,
4808 NLM_F_MULTI) < 0) {
4809 cb->args[0] = idx;
4810 cb->args[2] = (unsigned long) table;
4811 goto done;
4812 }
4813 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4814 cont:
4815 idx++;
4816 }
4817 if (s_idx)
4818 s_idx = 0;
4819 }
4820 cb->args[1] = 1;
4821 done:
4822 rcu_read_unlock();
4823 return skb->len;
4824 }
4825
4826 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4827 {
4828 struct nft_ctx *ctx_dump = NULL;
4829
4830 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4831 if (ctx_dump == NULL)
4832 return -ENOMEM;
4833
4834 cb->data = ctx_dump;
4835 return 0;
4836 }
4837
4838 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4839 {
4840 kfree(cb->data);
4841 return 0;
4842 }
4843
4844 /* called with rcu_read_lock held */
4845 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4846 const struct nlattr * const nla[])
4847 {
4848 struct netlink_ext_ack *extack = info->extack;
4849 u8 genmask = nft_genmask_cur(info->net);
4850 u8 family = info->nfmsg->nfgen_family;
4851 struct nft_table *table = NULL;
4852 struct net *net = info->net;
4853 const struct nft_set *set;
4854 struct sk_buff *skb2;
4855 struct nft_ctx ctx;
4856 int err;
4857
4858 if (nla[NFTA_SET_TABLE]) {
4859 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4860 genmask, 0);
4861 if (IS_ERR(table)) {
4862 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4863 return PTR_ERR(table);
4864 }
4865 }
4866
4867 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4868
4869 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4870 struct netlink_dump_control c = {
4871 .start = nf_tables_dump_sets_start,
4872 .dump = nf_tables_dump_sets,
4873 .done = nf_tables_dump_sets_done,
4874 .data = &ctx,
4875 .module = THIS_MODULE,
4876 };
4877
4878 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4879 }
4880
4881 /* Only accept unspec with dump */
4882 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4883 return -EAFNOSUPPORT;
4884 if (!nla[NFTA_SET_TABLE])
4885 return -EINVAL;
4886
4887 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4888 if (IS_ERR(set)) {
4889 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4890 return PTR_ERR(set);
4891 }
4892
4893 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4894 if (skb2 == NULL)
4895 return -ENOMEM;
4896
4897 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4898 if (err < 0)
4899 goto err_fill_set_info;
4900
4901 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4902
4903 err_fill_set_info:
4904 kfree_skb(skb2);
4905 return err;
4906 }
4907
4908 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4909 struct nft_set_desc *desc)
4910 {
4911 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4912 u32 len;
4913 int err;
4914
4915 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4916 return -E2BIG;
4917
4918 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4919 nft_concat_policy, NULL);
4920 if (err < 0)
4921 return err;
4922
4923 if (!tb[NFTA_SET_FIELD_LEN])
4924 return -EINVAL;
4925
4926 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4927 if (!len || len > U8_MAX)
4928 return -EINVAL;
4929
4930 desc->field_len[desc->field_count++] = len;
4931
4932 return 0;
4933 }
4934
4935 static int nft_set_desc_concat(struct nft_set_desc *desc,
4936 const struct nlattr *nla)
4937 {
4938 u32 num_regs = 0, key_num_regs = 0;
4939 struct nlattr *attr;
4940 int rem, err, i;
4941
4942 nla_for_each_nested(attr, nla, rem) {
4943 if (nla_type(attr) != NFTA_LIST_ELEM)
4944 return -EINVAL;
4945
4946 err = nft_set_desc_concat_parse(attr, desc);
4947 if (err < 0)
4948 return err;
4949 }
4950
4951 for (i = 0; i < desc->field_count; i++)
4952 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4953
4954 key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
4955 if (key_num_regs != num_regs)
4956 return -EINVAL;
4957
4958 if (num_regs > NFT_REG32_COUNT)
4959 return -E2BIG;
4960
4961 return 0;
4962 }
4963
4964 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4965 const struct nlattr *nla)
4966 {
4967 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4968 int err;
4969
4970 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4971 nft_set_desc_policy, NULL);
4972 if (err < 0)
4973 return err;
4974
4975 if (da[NFTA_SET_DESC_SIZE] != NULL)
4976 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4977 if (da[NFTA_SET_DESC_CONCAT])
4978 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4979
4980 return err;
4981 }
4982
4983 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4984 const struct nlattr * const *nla,
4985 struct nft_expr **exprs, int *num_exprs,
4986 u32 flags)
4987 {
4988 struct nft_expr *expr;
4989 int err, i;
4990
4991 if (nla[NFTA_SET_EXPR]) {
4992 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
4993 if (IS_ERR(expr)) {
4994 err = PTR_ERR(expr);
4995 goto err_set_expr_alloc;
4996 }
4997 exprs[0] = expr;
4998 (*num_exprs)++;
4999 } else if (nla[NFTA_SET_EXPRESSIONS]) {
5000 struct nlattr *tmp;
5001 int left;
5002
5003 if (!(flags & NFT_SET_EXPR)) {
5004 err = -EINVAL;
5005 goto err_set_expr_alloc;
5006 }
5007 i = 0;
5008 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
5009 if (i == NFT_SET_EXPR_MAX) {
5010 err = -E2BIG;
5011 goto err_set_expr_alloc;
5012 }
5013 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5014 err = -EINVAL;
5015 goto err_set_expr_alloc;
5016 }
5017 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5018 if (IS_ERR(expr)) {
5019 err = PTR_ERR(expr);
5020 goto err_set_expr_alloc;
5021 }
5022 exprs[i++] = expr;
5023 (*num_exprs)++;
5024 }
5025 }
5026
5027 return 0;
5028
5029 err_set_expr_alloc:
5030 for (i = 0; i < *num_exprs; i++)
5031 nft_expr_destroy(ctx, exprs[i]);
5032
5033 return err;
5034 }
5035
5036 static bool nft_set_is_same(const struct nft_set *set,
5037 const struct nft_set_desc *desc,
5038 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
5039 {
5040 int i;
5041
5042 if (set->ktype != desc->ktype ||
5043 set->dtype != desc->dtype ||
5044 set->flags != flags ||
5045 set->klen != desc->klen ||
5046 set->dlen != desc->dlen ||
5047 set->field_count != desc->field_count ||
5048 set->num_exprs != num_exprs)
5049 return false;
5050
5051 for (i = 0; i < desc->field_count; i++) {
5052 if (set->field_len[i] != desc->field_len[i])
5053 return false;
5054 }
5055
5056 for (i = 0; i < num_exprs; i++) {
5057 if (set->exprs[i]->ops != exprs[i]->ops)
5058 return false;
5059 }
5060
5061 return true;
5062 }
5063
5064 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
5065 const struct nlattr * const nla[])
5066 {
5067 struct netlink_ext_ack *extack = info->extack;
5068 u8 genmask = nft_genmask_next(info->net);
5069 u8 family = info->nfmsg->nfgen_family;
5070 const struct nft_set_ops *ops;
5071 struct net *net = info->net;
5072 struct nft_set_desc desc;
5073 struct nft_table *table;
5074 unsigned char *udata;
5075 struct nft_set *set;
5076 struct nft_ctx ctx;
5077 size_t alloc_size;
5078 int num_exprs = 0;
5079 char *name;
5080 int err, i;
5081 u16 udlen;
5082 u32 flags;
5083 u64 size;
5084
5085 if (nla[NFTA_SET_TABLE] == NULL ||
5086 nla[NFTA_SET_NAME] == NULL ||
5087 nla[NFTA_SET_KEY_LEN] == NULL ||
5088 nla[NFTA_SET_ID] == NULL)
5089 return -EINVAL;
5090
5091 memset(&desc, 0, sizeof(desc));
5092
5093 desc.ktype = NFT_DATA_VALUE;
5094 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
5095 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
5096 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
5097 return -EINVAL;
5098 }
5099
5100 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
5101 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
5102 return -EINVAL;
5103
5104 flags = 0;
5105 if (nla[NFTA_SET_FLAGS] != NULL) {
5106 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
5107 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
5108 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
5109 NFT_SET_MAP | NFT_SET_EVAL |
5110 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
5111 return -EOPNOTSUPP;
5112 /* Only one of these operations is supported */
5113 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
5114 (NFT_SET_MAP | NFT_SET_OBJECT))
5115 return -EOPNOTSUPP;
5116 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
5117 (NFT_SET_EVAL | NFT_SET_OBJECT))
5118 return -EOPNOTSUPP;
5119 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
5120 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
5121 return -EOPNOTSUPP;
5122 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
5123 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
5124 return -EOPNOTSUPP;
5125 }
5126
5127 desc.dtype = 0;
5128 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
5129 if (!(flags & NFT_SET_MAP))
5130 return -EINVAL;
5131
5132 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
5133 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
5134 desc.dtype != NFT_DATA_VERDICT)
5135 return -EINVAL;
5136
5137 if (desc.dtype != NFT_DATA_VERDICT) {
5138 if (nla[NFTA_SET_DATA_LEN] == NULL)
5139 return -EINVAL;
5140 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
5141 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
5142 return -EINVAL;
5143 } else
5144 desc.dlen = sizeof(struct nft_verdict);
5145 } else if (flags & NFT_SET_MAP)
5146 return -EINVAL;
5147
5148 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5149 if (!(flags & NFT_SET_OBJECT))
5150 return -EINVAL;
5151
5152 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5153 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5154 desc.objtype > NFT_OBJECT_MAX)
5155 return -EOPNOTSUPP;
5156 } else if (flags & NFT_SET_OBJECT)
5157 return -EINVAL;
5158 else
5159 desc.objtype = NFT_OBJECT_UNSPEC;
5160
5161 desc.timeout = 0;
5162 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5163 if (!(flags & NFT_SET_TIMEOUT))
5164 return -EINVAL;
5165
5166 if (flags & NFT_SET_ANONYMOUS)
5167 return -EOPNOTSUPP;
5168
5169 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
5170 if (err)
5171 return err;
5172 }
5173 desc.gc_int = 0;
5174 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5175 if (!(flags & NFT_SET_TIMEOUT))
5176 return -EINVAL;
5177
5178 if (flags & NFT_SET_ANONYMOUS)
5179 return -EOPNOTSUPP;
5180
5181 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5182 }
5183
5184 desc.policy = NFT_SET_POL_PERFORMANCE;
5185 if (nla[NFTA_SET_POLICY] != NULL) {
5186 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5187 switch (desc.policy) {
5188 case NFT_SET_POL_PERFORMANCE:
5189 case NFT_SET_POL_MEMORY:
5190 break;
5191 default:
5192 return -EOPNOTSUPP;
5193 }
5194 }
5195
5196 if (nla[NFTA_SET_DESC] != NULL) {
5197 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
5198 if (err < 0)
5199 return err;
5200
5201 if (desc.field_count > 1) {
5202 if (!(flags & NFT_SET_CONCAT))
5203 return -EINVAL;
5204 } else if (flags & NFT_SET_CONCAT) {
5205 return -EINVAL;
5206 }
5207 } else if (flags & NFT_SET_CONCAT) {
5208 return -EINVAL;
5209 }
5210
5211 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5212 desc.expr = true;
5213
5214 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
5215 NETLINK_CB(skb).portid);
5216 if (IS_ERR(table)) {
5217 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5218 return PTR_ERR(table);
5219 }
5220
5221 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5222
5223 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
5224 if (IS_ERR(set)) {
5225 if (PTR_ERR(set) != -ENOENT) {
5226 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5227 return PTR_ERR(set);
5228 }
5229 } else {
5230 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5231
5232 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5233 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5234 return -EEXIST;
5235 }
5236 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5237 return -EOPNOTSUPP;
5238
5239 if (nft_set_is_anonymous(set))
5240 return -EOPNOTSUPP;
5241
5242 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
5243 if (err < 0)
5244 return err;
5245
5246 err = 0;
5247 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
5248 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5249 err = -EEXIST;
5250 }
5251
5252 for (i = 0; i < num_exprs; i++)
5253 nft_expr_destroy(&ctx, exprs[i]);
5254
5255 if (err < 0)
5256 return err;
5257
5258 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
5259 }
5260
5261 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5262 return -ENOENT;
5263
5264 ops = nft_select_set_ops(&ctx, flags, &desc);
5265 if (IS_ERR(ops))
5266 return PTR_ERR(ops);
5267
5268 udlen = 0;
5269 if (nla[NFTA_SET_USERDATA])
5270 udlen = nla_len(nla[NFTA_SET_USERDATA]);
5271
5272 size = 0;
5273 if (ops->privsize != NULL)
5274 size = ops->privsize(nla, &desc);
5275 alloc_size = sizeof(*set) + size + udlen;
5276 if (alloc_size < size || alloc_size > INT_MAX)
5277 return -ENOMEM;
5278
5279 if (!nft_use_inc(&table->use))
5280 return -EMFILE;
5281
5282 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
5283 if (!set) {
5284 err = -ENOMEM;
5285 goto err_alloc;
5286 }
5287
5288 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5289 if (!name) {
5290 err = -ENOMEM;
5291 goto err_set_name;
5292 }
5293
5294 err = nf_tables_set_alloc_name(&ctx, set, name);
5295 kfree(name);
5296 if (err < 0)
5297 goto err_set_name;
5298
5299 udata = NULL;
5300 if (udlen) {
5301 udata = set->data + size;
5302 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
5303 }
5304
5305 INIT_LIST_HEAD(&set->bindings);
5306 INIT_LIST_HEAD(&set->catchall_list);
5307 refcount_set(&set->refs, 1);
5308 set->table = table;
5309 write_pnet(&set->net, net);
5310 set->ops = ops;
5311 set->ktype = desc.ktype;
5312 set->klen = desc.klen;
5313 set->dtype = desc.dtype;
5314 set->objtype = desc.objtype;
5315 set->dlen = desc.dlen;
5316 set->flags = flags;
5317 set->size = desc.size;
5318 set->policy = desc.policy;
5319 set->udlen = udlen;
5320 set->udata = udata;
5321 set->timeout = desc.timeout;
5322 set->gc_int = desc.gc_int;
5323
5324 set->field_count = desc.field_count;
5325 for (i = 0; i < desc.field_count; i++)
5326 set->field_len[i] = desc.field_len[i];
5327
5328 err = ops->init(set, &desc, nla);
5329 if (err < 0)
5330 goto err_set_init;
5331
5332 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
5333 if (err < 0)
5334 goto err_set_destroy;
5335
5336 set->num_exprs = num_exprs;
5337 set->handle = nf_tables_alloc_handle(table);
5338 INIT_LIST_HEAD(&set->pending_update);
5339
5340 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
5341 if (err < 0)
5342 goto err_set_expr_alloc;
5343
5344 list_add_tail_rcu(&set->list, &table->sets);
5345
5346 return 0;
5347
5348 err_set_expr_alloc:
5349 for (i = 0; i < set->num_exprs; i++)
5350 nft_expr_destroy(&ctx, set->exprs[i]);
5351 err_set_destroy:
5352 ops->destroy(&ctx, set);
5353 err_set_init:
5354 kfree(set->name);
5355 err_set_name:
5356 kvfree(set);
5357 err_alloc:
5358 nft_use_dec_restore(&table->use);
5359
5360 return err;
5361 }
5362
5363 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5364 struct nft_set *set)
5365 {
5366 struct nft_set_elem_catchall *next, *catchall;
5367
5368 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5369 list_del_rcu(&catchall->list);
5370 nf_tables_set_elem_destroy(ctx, set, catchall->elem);
5371 kfree_rcu(catchall, rcu);
5372 }
5373 }
5374
5375 static void nft_set_put(struct nft_set *set)
5376 {
5377 if (refcount_dec_and_test(&set->refs)) {
5378 kfree(set->name);
5379 kvfree(set);
5380 }
5381 }
5382
5383 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5384 {
5385 int i;
5386
5387 if (WARN_ON(set->use > 0))
5388 return;
5389
5390 for (i = 0; i < set->num_exprs; i++)
5391 nft_expr_destroy(ctx, set->exprs[i]);
5392
5393 set->ops->destroy(ctx, set);
5394 nft_set_catchall_destroy(ctx, set);
5395 nft_set_put(set);
5396 }
5397
5398 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5399 const struct nlattr * const nla[])
5400 {
5401 struct netlink_ext_ack *extack = info->extack;
5402 u8 genmask = nft_genmask_next(info->net);
5403 u8 family = info->nfmsg->nfgen_family;
5404 struct net *net = info->net;
5405 const struct nlattr *attr;
5406 struct nft_table *table;
5407 struct nft_set *set;
5408 struct nft_ctx ctx;
5409
5410 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5411 return -EAFNOSUPPORT;
5412
5413 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5414 genmask, NETLINK_CB(skb).portid);
5415 if (IS_ERR(table)) {
5416 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5417 return PTR_ERR(table);
5418 }
5419
5420 if (nla[NFTA_SET_HANDLE]) {
5421 attr = nla[NFTA_SET_HANDLE];
5422 set = nft_set_lookup_byhandle(table, attr, genmask);
5423 } else {
5424 attr = nla[NFTA_SET_NAME];
5425 set = nft_set_lookup(table, attr, genmask);
5426 }
5427
5428 if (IS_ERR(set)) {
5429 if (PTR_ERR(set) == -ENOENT &&
5430 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5431 return 0;
5432
5433 NL_SET_BAD_ATTR(extack, attr);
5434 return PTR_ERR(set);
5435 }
5436 if (set->use ||
5437 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5438 atomic_read(&set->nelems) > 0)) {
5439 NL_SET_BAD_ATTR(extack, attr);
5440 return -EBUSY;
5441 }
5442
5443 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5444
5445 return nft_delset(&ctx, set);
5446 }
5447
5448 static int nft_validate_register_store(const struct nft_ctx *ctx,
5449 enum nft_registers reg,
5450 const struct nft_data *data,
5451 enum nft_data_types type,
5452 unsigned int len);
5453
5454 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5455 struct nft_set *set,
5456 struct nft_elem_priv *elem_priv)
5457 {
5458 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5459 enum nft_registers dreg;
5460
5461 dreg = nft_type_to_reg(set->dtype);
5462 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5463 set->dtype == NFT_DATA_VERDICT ?
5464 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5465 set->dlen);
5466 }
5467
5468 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5469 struct nft_set *set,
5470 const struct nft_set_iter *iter,
5471 struct nft_elem_priv *elem_priv)
5472 {
5473 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5474
5475 if (!nft_set_elem_active(ext, iter->genmask))
5476 return 0;
5477
5478 return nft_setelem_data_validate(ctx, set, elem_priv);
5479 }
5480
5481 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5482 struct nft_set *set)
5483 {
5484 u8 genmask = nft_genmask_next(ctx->net);
5485 struct nft_set_elem_catchall *catchall;
5486 struct nft_set_ext *ext;
5487 int ret = 0;
5488
5489 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5490 ext = nft_set_elem_ext(set, catchall->elem);
5491 if (!nft_set_elem_active(ext, genmask))
5492 continue;
5493
5494 ret = nft_setelem_data_validate(ctx, set, catchall->elem);
5495 if (ret < 0)
5496 break;
5497 }
5498
5499 return ret;
5500 }
5501
5502 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5503 struct nft_set_binding *binding)
5504 {
5505 struct nft_set_binding *i;
5506 struct nft_set_iter iter;
5507
5508 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5509 return -EBUSY;
5510
5511 if (binding->flags & NFT_SET_MAP) {
5512 /* If the set is already bound to the same chain all
5513 * jumps are already validated for that chain.
5514 */
5515 list_for_each_entry(i, &set->bindings, list) {
5516 if (i->flags & NFT_SET_MAP &&
5517 i->chain == binding->chain)
5518 goto bind;
5519 }
5520
5521 iter.genmask = nft_genmask_next(ctx->net);
5522 iter.type = NFT_ITER_UPDATE;
5523 iter.skip = 0;
5524 iter.count = 0;
5525 iter.err = 0;
5526 iter.fn = nf_tables_bind_check_setelem;
5527
5528 set->ops->walk(ctx, set, &iter);
5529 if (!iter.err)
5530 iter.err = nft_set_catchall_bind_check(ctx, set);
5531
5532 if (iter.err < 0)
5533 return iter.err;
5534 }
5535 bind:
5536 if (!nft_use_inc(&set->use))
5537 return -EMFILE;
5538
5539 binding->chain = ctx->chain;
5540 list_add_tail_rcu(&binding->list, &set->bindings);
5541 nft_set_trans_bind(ctx, set);
5542
5543 return 0;
5544 }
5545 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5546
5547 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5548 struct nft_set_binding *binding, bool event)
5549 {
5550 list_del_rcu(&binding->list);
5551
5552 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5553 list_del_rcu(&set->list);
5554 set->dead = 1;
5555 if (event)
5556 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5557 GFP_KERNEL);
5558 }
5559 }
5560
5561 static void nft_setelem_data_activate(const struct net *net,
5562 const struct nft_set *set,
5563 struct nft_elem_priv *elem_priv);
5564
5565 static int nft_mapelem_activate(const struct nft_ctx *ctx,
5566 struct nft_set *set,
5567 const struct nft_set_iter *iter,
5568 struct nft_elem_priv *elem_priv)
5569 {
5570 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5571
5572 /* called from abort path, reverse check to undo changes. */
5573 if (nft_set_elem_active(ext, iter->genmask))
5574 return 0;
5575
5576 nft_clear(ctx->net, ext);
5577 nft_setelem_data_activate(ctx->net, set, elem_priv);
5578
5579 return 0;
5580 }
5581
5582 static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5583 struct nft_set *set)
5584 {
5585 u8 genmask = nft_genmask_next(ctx->net);
5586 struct nft_set_elem_catchall *catchall;
5587 struct nft_set_ext *ext;
5588
5589 list_for_each_entry(catchall, &set->catchall_list, list) {
5590 ext = nft_set_elem_ext(set, catchall->elem);
5591 if (!nft_set_elem_active(ext, genmask))
5592 continue;
5593
5594 nft_clear(ctx->net, ext);
5595 nft_setelem_data_activate(ctx->net, set, catchall->elem);
5596 break;
5597 }
5598 }
5599
5600 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5601 {
5602 struct nft_set_iter iter = {
5603 .genmask = nft_genmask_next(ctx->net),
5604 .type = NFT_ITER_UPDATE,
5605 .fn = nft_mapelem_activate,
5606 };
5607
5608 set->ops->walk(ctx, set, &iter);
5609 WARN_ON_ONCE(iter.err);
5610
5611 nft_map_catchall_activate(ctx, set);
5612 }
5613
5614 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5615 {
5616 if (nft_set_is_anonymous(set)) {
5617 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5618 nft_map_activate(ctx, set);
5619
5620 nft_clear(ctx->net, set);
5621 }
5622
5623 nft_use_inc_restore(&set->use);
5624 }
5625 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5626
5627 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5628 struct nft_set_binding *binding,
5629 enum nft_trans_phase phase)
5630 {
5631 switch (phase) {
5632 case NFT_TRANS_PREPARE_ERROR:
5633 nft_set_trans_unbind(ctx, set);
5634 if (nft_set_is_anonymous(set))
5635 nft_deactivate_next(ctx->net, set);
5636 else
5637 list_del_rcu(&binding->list);
5638
5639 nft_use_dec(&set->use);
5640 break;
5641 case NFT_TRANS_PREPARE:
5642 if (nft_set_is_anonymous(set)) {
5643 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5644 nft_map_deactivate(ctx, set);
5645
5646 nft_deactivate_next(ctx->net, set);
5647 }
5648 nft_use_dec(&set->use);
5649 return;
5650 case NFT_TRANS_ABORT:
5651 case NFT_TRANS_RELEASE:
5652 if (nft_set_is_anonymous(set) &&
5653 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5654 nft_map_deactivate(ctx, set);
5655
5656 nft_use_dec(&set->use);
5657 fallthrough;
5658 default:
5659 nf_tables_unbind_set(ctx, set, binding,
5660 phase == NFT_TRANS_COMMIT);
5661 }
5662 }
5663 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5664
5665 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5666 {
5667 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5668 nft_set_destroy(ctx, set);
5669 }
5670 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5671
5672 const struct nft_set_ext_type nft_set_ext_types[] = {
5673 [NFT_SET_EXT_KEY] = {
5674 .align = __alignof__(u32),
5675 },
5676 [NFT_SET_EXT_DATA] = {
5677 .align = __alignof__(u32),
5678 },
5679 [NFT_SET_EXT_EXPRESSIONS] = {
5680 .align = __alignof__(struct nft_set_elem_expr),
5681 },
5682 [NFT_SET_EXT_OBJREF] = {
5683 .len = sizeof(struct nft_object *),
5684 .align = __alignof__(struct nft_object *),
5685 },
5686 [NFT_SET_EXT_FLAGS] = {
5687 .len = sizeof(u8),
5688 .align = __alignof__(u8),
5689 },
5690 [NFT_SET_EXT_TIMEOUT] = {
5691 .len = sizeof(u64),
5692 .align = __alignof__(u64),
5693 },
5694 [NFT_SET_EXT_EXPIRATION] = {
5695 .len = sizeof(u64),
5696 .align = __alignof__(u64),
5697 },
5698 [NFT_SET_EXT_USERDATA] = {
5699 .len = sizeof(struct nft_userdata),
5700 .align = __alignof__(struct nft_userdata),
5701 },
5702 [NFT_SET_EXT_KEY_END] = {
5703 .align = __alignof__(u32),
5704 },
5705 };
5706
5707 /*
5708 * Set elements
5709 */
5710
5711 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5712 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5713 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5714 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5715 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5716 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5717 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5718 .len = NFT_USERDATA_MAXLEN },
5719 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5720 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5721 .len = NFT_OBJ_MAXNAMELEN - 1 },
5722 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5723 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
5724 };
5725
5726 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5727 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5728 .len = NFT_TABLE_MAXNAMELEN - 1 },
5729 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5730 .len = NFT_SET_MAXNAMELEN - 1 },
5731 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy),
5732 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5733 };
5734
5735 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5736 const struct nft_set *set,
5737 const struct nft_set_ext *ext,
5738 bool reset)
5739 {
5740 struct nft_set_elem_expr *elem_expr;
5741 u32 size, num_exprs = 0;
5742 struct nft_expr *expr;
5743 struct nlattr *nest;
5744
5745 elem_expr = nft_set_ext_expr(ext);
5746 nft_setelem_expr_foreach(expr, elem_expr, size)
5747 num_exprs++;
5748
5749 if (num_exprs == 1) {
5750 expr = nft_setelem_expr_at(elem_expr, 0);
5751 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0)
5752 return -1;
5753
5754 return 0;
5755 } else if (num_exprs > 1) {
5756 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5757 if (nest == NULL)
5758 goto nla_put_failure;
5759
5760 nft_setelem_expr_foreach(expr, elem_expr, size) {
5761 expr = nft_setelem_expr_at(elem_expr, size);
5762 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
5763 goto nla_put_failure;
5764 }
5765 nla_nest_end(skb, nest);
5766 }
5767 return 0;
5768
5769 nla_put_failure:
5770 return -1;
5771 }
5772
5773 static int nf_tables_fill_setelem(struct sk_buff *skb,
5774 const struct nft_set *set,
5775 const struct nft_elem_priv *elem_priv,
5776 bool reset)
5777 {
5778 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5779 unsigned char *b = skb_tail_pointer(skb);
5780 struct nlattr *nest;
5781
5782 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5783 if (nest == NULL)
5784 goto nla_put_failure;
5785
5786 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5787 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5788 NFT_DATA_VALUE, set->klen) < 0)
5789 goto nla_put_failure;
5790
5791 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5792 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5793 NFT_DATA_VALUE, set->klen) < 0)
5794 goto nla_put_failure;
5795
5796 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5797 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5798 nft_set_datatype(set), set->dlen) < 0)
5799 goto nla_put_failure;
5800
5801 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5802 nft_set_elem_expr_dump(skb, set, ext, reset))
5803 goto nla_put_failure;
5804
5805 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5806 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5807 (*nft_set_ext_obj(ext))->key.name) < 0)
5808 goto nla_put_failure;
5809
5810 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5811 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5812 htonl(*nft_set_ext_flags(ext))))
5813 goto nla_put_failure;
5814
5815 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
5816 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5817 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
5818 NFTA_SET_ELEM_PAD))
5819 goto nla_put_failure;
5820
5821 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5822 u64 expires, now = get_jiffies_64();
5823
5824 expires = *nft_set_ext_expiration(ext);
5825 if (time_before64(now, expires))
5826 expires -= now;
5827 else
5828 expires = 0;
5829
5830 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5831 nf_jiffies64_to_msecs(expires),
5832 NFTA_SET_ELEM_PAD))
5833 goto nla_put_failure;
5834 }
5835
5836 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5837 struct nft_userdata *udata;
5838
5839 udata = nft_set_ext_userdata(ext);
5840 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5841 udata->len + 1, udata->data))
5842 goto nla_put_failure;
5843 }
5844
5845 nla_nest_end(skb, nest);
5846 return 0;
5847
5848 nla_put_failure:
5849 nlmsg_trim(skb, b);
5850 return -EMSGSIZE;
5851 }
5852
5853 struct nft_set_dump_args {
5854 const struct netlink_callback *cb;
5855 struct nft_set_iter iter;
5856 struct sk_buff *skb;
5857 bool reset;
5858 };
5859
5860 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5861 struct nft_set *set,
5862 const struct nft_set_iter *iter,
5863 struct nft_elem_priv *elem_priv)
5864 {
5865 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5866 struct nft_set_dump_args *args;
5867
5868 if (!nft_set_elem_active(ext, iter->genmask))
5869 return 0;
5870
5871 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
5872 return 0;
5873
5874 args = container_of(iter, struct nft_set_dump_args, iter);
5875 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset);
5876 }
5877
5878 static void audit_log_nft_set_reset(const struct nft_table *table,
5879 unsigned int base_seq,
5880 unsigned int nentries)
5881 {
5882 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
5883
5884 audit_log_nfcfg(buf, table->family, nentries,
5885 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
5886 kfree(buf);
5887 }
5888
5889 struct nft_set_dump_ctx {
5890 const struct nft_set *set;
5891 struct nft_ctx ctx;
5892 bool reset;
5893 };
5894
5895 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5896 const struct nft_set *set, bool reset,
5897 unsigned int base_seq)
5898 {
5899 struct nft_set_elem_catchall *catchall;
5900 u8 genmask = nft_genmask_cur(net);
5901 struct nft_set_ext *ext;
5902 int ret = 0;
5903
5904 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5905 ext = nft_set_elem_ext(set, catchall->elem);
5906 if (!nft_set_elem_active(ext, genmask) ||
5907 nft_set_elem_expired(ext))
5908 continue;
5909
5910 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset);
5911 if (reset && !ret)
5912 audit_log_nft_set_reset(set->table, base_seq, 1);
5913 break;
5914 }
5915
5916 return ret;
5917 }
5918
5919 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5920 {
5921 struct nft_set_dump_ctx *dump_ctx = cb->data;
5922 struct net *net = sock_net(skb->sk);
5923 struct nftables_pernet *nft_net;
5924 struct nft_table *table;
5925 struct nft_set *set;
5926 struct nft_set_dump_args args;
5927 bool set_found = false;
5928 struct nlmsghdr *nlh;
5929 struct nlattr *nest;
5930 u32 portid, seq;
5931 int event;
5932
5933 rcu_read_lock();
5934 nft_net = nft_pernet(net);
5935 cb->seq = READ_ONCE(nft_net->base_seq);
5936
5937 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5938 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5939 dump_ctx->ctx.family != table->family)
5940 continue;
5941
5942 if (table != dump_ctx->ctx.table)
5943 continue;
5944
5945 list_for_each_entry_rcu(set, &table->sets, list) {
5946 if (set == dump_ctx->set) {
5947 set_found = true;
5948 break;
5949 }
5950 }
5951 break;
5952 }
5953
5954 if (!set_found) {
5955 rcu_read_unlock();
5956 return -ENOENT;
5957 }
5958
5959 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5960 portid = NETLINK_CB(cb->skb).portid;
5961 seq = cb->nlh->nlmsg_seq;
5962
5963 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5964 table->family, NFNETLINK_V0, nft_base_seq(net));
5965 if (!nlh)
5966 goto nla_put_failure;
5967
5968 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5969 goto nla_put_failure;
5970 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5971 goto nla_put_failure;
5972
5973 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5974 if (nest == NULL)
5975 goto nla_put_failure;
5976
5977 args.cb = cb;
5978 args.skb = skb;
5979 args.reset = dump_ctx->reset;
5980 args.iter.genmask = nft_genmask_cur(net);
5981 args.iter.type = NFT_ITER_READ;
5982 args.iter.skip = cb->args[0];
5983 args.iter.count = 0;
5984 args.iter.err = 0;
5985 args.iter.fn = nf_tables_dump_setelem;
5986 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5987
5988 if (!args.iter.err && args.iter.count == cb->args[0])
5989 args.iter.err = nft_set_catchall_dump(net, skb, set,
5990 dump_ctx->reset, cb->seq);
5991 nla_nest_end(skb, nest);
5992 nlmsg_end(skb, nlh);
5993
5994 rcu_read_unlock();
5995
5996 if (args.iter.err && args.iter.err != -EMSGSIZE)
5997 return args.iter.err;
5998 if (args.iter.count == cb->args[0])
5999 return 0;
6000
6001 cb->args[0] = args.iter.count;
6002 return skb->len;
6003
6004 nla_put_failure:
6005 rcu_read_unlock();
6006 return -ENOSPC;
6007 }
6008
6009 static int nf_tables_dumpreset_set(struct sk_buff *skb,
6010 struct netlink_callback *cb)
6011 {
6012 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
6013 struct nft_set_dump_ctx *dump_ctx = cb->data;
6014 int ret, skip = cb->args[0];
6015
6016 mutex_lock(&nft_net->commit_mutex);
6017
6018 ret = nf_tables_dump_set(skb, cb);
6019
6020 if (cb->args[0] > skip)
6021 audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq,
6022 cb->args[0] - skip);
6023
6024 mutex_unlock(&nft_net->commit_mutex);
6025
6026 return ret;
6027 }
6028
6029 static int nf_tables_dump_set_start(struct netlink_callback *cb)
6030 {
6031 struct nft_set_dump_ctx *dump_ctx = cb->data;
6032
6033 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
6034
6035 return cb->data ? 0 : -ENOMEM;
6036 }
6037
6038 static int nf_tables_dump_set_done(struct netlink_callback *cb)
6039 {
6040 kfree(cb->data);
6041 return 0;
6042 }
6043
6044 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
6045 const struct nft_ctx *ctx, u32 seq,
6046 u32 portid, int event, u16 flags,
6047 const struct nft_set *set,
6048 const struct nft_elem_priv *elem_priv,
6049 bool reset)
6050 {
6051 struct nlmsghdr *nlh;
6052 struct nlattr *nest;
6053 int err;
6054
6055 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6056 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
6057 NFNETLINK_V0, nft_base_seq(ctx->net));
6058 if (!nlh)
6059 goto nla_put_failure;
6060
6061 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
6062 goto nla_put_failure;
6063 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
6064 goto nla_put_failure;
6065
6066 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
6067 if (nest == NULL)
6068 goto nla_put_failure;
6069
6070 err = nf_tables_fill_setelem(skb, set, elem_priv, reset);
6071 if (err < 0)
6072 goto nla_put_failure;
6073
6074 nla_nest_end(skb, nest);
6075
6076 nlmsg_end(skb, nlh);
6077 return 0;
6078
6079 nla_put_failure:
6080 nlmsg_trim(skb, nlh);
6081 return -1;
6082 }
6083
6084 static int nft_setelem_parse_flags(const struct nft_set *set,
6085 const struct nlattr *attr, u32 *flags)
6086 {
6087 if (attr == NULL)
6088 return 0;
6089
6090 *flags = ntohl(nla_get_be32(attr));
6091 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6092 return -EOPNOTSUPP;
6093 if (!(set->flags & NFT_SET_INTERVAL) &&
6094 *flags & NFT_SET_ELEM_INTERVAL_END)
6095 return -EINVAL;
6096 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
6097 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6098 return -EINVAL;
6099
6100 return 0;
6101 }
6102
6103 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set,
6104 struct nft_data *key, struct nlattr *attr)
6105 {
6106 struct nft_data_desc desc = {
6107 .type = NFT_DATA_VALUE,
6108 .size = NFT_DATA_VALUE_MAXLEN,
6109 .len = set->klen,
6110 };
6111
6112 return nft_data_init(ctx, key, &desc, attr);
6113 }
6114
6115 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
6116 struct nft_data_desc *desc,
6117 struct nft_data *data,
6118 struct nlattr *attr)
6119 {
6120 u32 dtype;
6121
6122 if (set->dtype == NFT_DATA_VERDICT)
6123 dtype = NFT_DATA_VERDICT;
6124 else
6125 dtype = NFT_DATA_VALUE;
6126
6127 desc->type = dtype;
6128 desc->size = NFT_DATA_VALUE_MAXLEN;
6129 desc->len = set->dlen;
6130 desc->flags = NFT_DATA_DESC_SETELEM;
6131
6132 return nft_data_init(ctx, data, desc, attr);
6133 }
6134
6135 static void *nft_setelem_catchall_get(const struct net *net,
6136 const struct nft_set *set)
6137 {
6138 struct nft_set_elem_catchall *catchall;
6139 u8 genmask = nft_genmask_cur(net);
6140 struct nft_set_ext *ext;
6141 void *priv = NULL;
6142
6143 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6144 ext = nft_set_elem_ext(set, catchall->elem);
6145 if (!nft_set_elem_active(ext, genmask) ||
6146 nft_set_elem_expired(ext))
6147 continue;
6148
6149 priv = catchall->elem;
6150 break;
6151 }
6152
6153 return priv;
6154 }
6155
6156 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set,
6157 struct nft_set_elem *elem, u32 flags)
6158 {
6159 void *priv;
6160
6161 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6162 priv = set->ops->get(ctx->net, set, elem, flags);
6163 if (IS_ERR(priv))
6164 return PTR_ERR(priv);
6165 } else {
6166 priv = nft_setelem_catchall_get(ctx->net, set);
6167 if (!priv)
6168 return -ENOENT;
6169 }
6170 elem->priv = priv;
6171
6172 return 0;
6173 }
6174
6175 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
6176 const struct nlattr *attr, bool reset)
6177 {
6178 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6179 struct nft_set_elem elem;
6180 struct sk_buff *skb;
6181 uint32_t flags = 0;
6182 int err;
6183
6184 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6185 nft_set_elem_policy, NULL);
6186 if (err < 0)
6187 return err;
6188
6189 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6190 if (err < 0)
6191 return err;
6192
6193 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6194 return -EINVAL;
6195
6196 if (nla[NFTA_SET_ELEM_KEY]) {
6197 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6198 nla[NFTA_SET_ELEM_KEY]);
6199 if (err < 0)
6200 return err;
6201 }
6202
6203 if (nla[NFTA_SET_ELEM_KEY_END]) {
6204 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6205 nla[NFTA_SET_ELEM_KEY_END]);
6206 if (err < 0)
6207 return err;
6208 }
6209
6210 err = nft_setelem_get(ctx, set, &elem, flags);
6211 if (err < 0)
6212 return err;
6213
6214 err = -ENOMEM;
6215 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6216 if (skb == NULL)
6217 return err;
6218
6219 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
6220 NFT_MSG_NEWSETELEM, 0, set, elem.priv,
6221 reset);
6222 if (err < 0)
6223 goto err_fill_setelem;
6224
6225 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
6226
6227 err_fill_setelem:
6228 kfree_skb(skb);
6229 return err;
6230 }
6231
6232 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx,
6233 const struct sk_buff *skb,
6234 const struct nfnl_info *info,
6235 const struct nlattr * const nla[],
6236 bool reset)
6237 {
6238 struct netlink_ext_ack *extack = info->extack;
6239 u8 genmask = nft_genmask_cur(info->net);
6240 u8 family = info->nfmsg->nfgen_family;
6241 struct net *net = info->net;
6242 struct nft_table *table;
6243 struct nft_set *set;
6244
6245 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6246 genmask, 0);
6247 if (IS_ERR(table)) {
6248 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6249 return PTR_ERR(table);
6250 }
6251
6252 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6253 if (IS_ERR(set)) {
6254 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6255 return PTR_ERR(set);
6256 }
6257
6258 nft_ctx_init(&dump_ctx->ctx, net, skb,
6259 info->nlh, family, table, NULL, nla);
6260 dump_ctx->set = set;
6261 dump_ctx->reset = reset;
6262 return 0;
6263 }
6264
6265 /* called with rcu_read_lock held */
6266 static int nf_tables_getsetelem(struct sk_buff *skb,
6267 const struct nfnl_info *info,
6268 const struct nlattr * const nla[])
6269 {
6270 struct netlink_ext_ack *extack = info->extack;
6271 struct nft_set_dump_ctx dump_ctx;
6272 struct nlattr *attr;
6273 int rem, err = 0;
6274
6275 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6276 struct netlink_dump_control c = {
6277 .start = nf_tables_dump_set_start,
6278 .dump = nf_tables_dump_set,
6279 .done = nf_tables_dump_set_done,
6280 .module = THIS_MODULE,
6281 };
6282
6283 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6284 if (err)
6285 return err;
6286
6287 c.data = &dump_ctx;
6288 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6289 }
6290
6291 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6292 return -EINVAL;
6293
6294 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6295 if (err)
6296 return err;
6297
6298 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6299 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, false);
6300 if (err < 0) {
6301 NL_SET_BAD_ATTR(extack, attr);
6302 break;
6303 }
6304 }
6305
6306 return err;
6307 }
6308
6309 static int nf_tables_getsetelem_reset(struct sk_buff *skb,
6310 const struct nfnl_info *info,
6311 const struct nlattr * const nla[])
6312 {
6313 struct nftables_pernet *nft_net = nft_pernet(info->net);
6314 struct netlink_ext_ack *extack = info->extack;
6315 struct nft_set_dump_ctx dump_ctx;
6316 int rem, err = 0, nelems = 0;
6317 struct nlattr *attr;
6318
6319 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6320 struct netlink_dump_control c = {
6321 .start = nf_tables_dump_set_start,
6322 .dump = nf_tables_dumpreset_set,
6323 .done = nf_tables_dump_set_done,
6324 .module = THIS_MODULE,
6325 };
6326
6327 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6328 if (err)
6329 return err;
6330
6331 c.data = &dump_ctx;
6332 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6333 }
6334
6335 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6336 return -EINVAL;
6337
6338 if (!try_module_get(THIS_MODULE))
6339 return -EINVAL;
6340 rcu_read_unlock();
6341 mutex_lock(&nft_net->commit_mutex);
6342 rcu_read_lock();
6343
6344 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6345 if (err)
6346 goto out_unlock;
6347
6348 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6349 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, true);
6350 if (err < 0) {
6351 NL_SET_BAD_ATTR(extack, attr);
6352 break;
6353 }
6354 nelems++;
6355 }
6356 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_net->base_seq, nelems);
6357
6358 out_unlock:
6359 rcu_read_unlock();
6360 mutex_unlock(&nft_net->commit_mutex);
6361 rcu_read_lock();
6362 module_put(THIS_MODULE);
6363
6364 return err;
6365 }
6366
6367 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6368 const struct nft_set *set,
6369 const struct nft_elem_priv *elem_priv,
6370 int event)
6371 {
6372 struct nftables_pernet *nft_net;
6373 struct net *net = ctx->net;
6374 u32 portid = ctx->portid;
6375 struct sk_buff *skb;
6376 u16 flags = 0;
6377 int err;
6378
6379 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6380 return;
6381
6382 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6383 if (skb == NULL)
6384 goto err;
6385
6386 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6387 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6388
6389 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
6390 set, elem_priv, false);
6391 if (err < 0) {
6392 kfree_skb(skb);
6393 goto err;
6394 }
6395
6396 nft_net = nft_pernet(net);
6397 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
6398 return;
6399 err:
6400 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6401 }
6402
6403 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
6404 int msg_type,
6405 struct nft_set *set)
6406 {
6407 struct nft_trans *trans;
6408
6409 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
6410 if (trans == NULL)
6411 return NULL;
6412
6413 nft_trans_elem_set(trans) = set;
6414 return trans;
6415 }
6416
6417 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6418 const struct nft_set *set,
6419 const struct nlattr *attr)
6420 {
6421 struct nft_expr *expr;
6422 int err;
6423
6424 expr = nft_expr_init(ctx, attr);
6425 if (IS_ERR(expr))
6426 return expr;
6427
6428 err = -EOPNOTSUPP;
6429 if (expr->ops->type->flags & NFT_EXPR_GC) {
6430 if (set->flags & NFT_SET_TIMEOUT)
6431 goto err_set_elem_expr;
6432 if (!set->ops->gc_init)
6433 goto err_set_elem_expr;
6434 set->ops->gc_init(set);
6435 }
6436
6437 return expr;
6438
6439 err_set_elem_expr:
6440 nft_expr_destroy(ctx, expr);
6441 return ERR_PTR(err);
6442 }
6443
6444 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6445 {
6446 len += nft_set_ext_types[id].len;
6447 if (len > tmpl->ext_len[id] ||
6448 len > U8_MAX)
6449 return -1;
6450
6451 return 0;
6452 }
6453
6454 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6455 void *to, const void *from, u32 len)
6456 {
6457 if (nft_set_ext_check(tmpl, id, len) < 0)
6458 return -1;
6459
6460 memcpy(to, from, len);
6461
6462 return 0;
6463 }
6464
6465 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
6466 const struct nft_set_ext_tmpl *tmpl,
6467 const u32 *key, const u32 *key_end,
6468 const u32 *data,
6469 u64 timeout, u64 expiration, gfp_t gfp)
6470 {
6471 struct nft_set_ext *ext;
6472 void *elem;
6473
6474 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
6475 if (elem == NULL)
6476 return ERR_PTR(-ENOMEM);
6477
6478 ext = nft_set_elem_ext(set, elem);
6479 nft_set_ext_init(ext, tmpl);
6480
6481 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6482 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
6483 nft_set_ext_key(ext), key, set->klen) < 0)
6484 goto err_ext_check;
6485
6486 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6487 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
6488 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
6489 goto err_ext_check;
6490
6491 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6492 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
6493 nft_set_ext_data(ext), data, set->dlen) < 0)
6494 goto err_ext_check;
6495
6496 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
6497 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
6498 if (expiration == 0)
6499 *nft_set_ext_expiration(ext) += timeout;
6500 }
6501 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
6502 *nft_set_ext_timeout(ext) = timeout;
6503
6504 return elem;
6505
6506 err_ext_check:
6507 kfree(elem);
6508
6509 return ERR_PTR(-EINVAL);
6510 }
6511
6512 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6513 struct nft_expr *expr)
6514 {
6515 if (expr->ops->destroy_clone) {
6516 expr->ops->destroy_clone(ctx, expr);
6517 module_put(expr->ops->type->owner);
6518 } else {
6519 nf_tables_expr_destroy(ctx, expr);
6520 }
6521 }
6522
6523 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6524 struct nft_set_elem_expr *elem_expr)
6525 {
6526 struct nft_expr *expr;
6527 u32 size;
6528
6529 nft_setelem_expr_foreach(expr, elem_expr, size)
6530 __nft_set_elem_expr_destroy(ctx, expr);
6531 }
6532
6533 /* Drop references and destroy. Called from gc, dynset and abort path. */
6534 void nft_set_elem_destroy(const struct nft_set *set,
6535 const struct nft_elem_priv *elem_priv,
6536 bool destroy_expr)
6537 {
6538 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6539 struct nft_ctx ctx = {
6540 .net = read_pnet(&set->net),
6541 .family = set->table->family,
6542 };
6543
6544 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
6545 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6546 nft_data_release(nft_set_ext_data(ext), set->dtype);
6547 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6548 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
6549 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6550 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
6551
6552 kfree(elem_priv);
6553 }
6554 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6555
6556 /* Destroy element. References have been already dropped in the preparation
6557 * path via nft_setelem_data_deactivate().
6558 */
6559 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6560 const struct nft_set *set,
6561 const struct nft_elem_priv *elem_priv)
6562 {
6563 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6564
6565 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6566 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6567
6568 kfree(elem_priv);
6569 }
6570
6571 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6572 struct nft_expr *expr_array[])
6573 {
6574 struct nft_expr *expr;
6575 int err, i, k;
6576
6577 for (i = 0; i < set->num_exprs; i++) {
6578 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6579 if (!expr)
6580 goto err_expr;
6581
6582 err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT);
6583 if (err < 0) {
6584 kfree(expr);
6585 goto err_expr;
6586 }
6587 expr_array[i] = expr;
6588 }
6589
6590 return 0;
6591
6592 err_expr:
6593 for (k = i - 1; k >= 0; k--)
6594 nft_expr_destroy(ctx, expr_array[k]);
6595
6596 return -ENOMEM;
6597 }
6598
6599 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6600 const struct nft_set_ext_tmpl *tmpl,
6601 const struct nft_set_ext *ext,
6602 struct nft_expr *expr_array[],
6603 u32 num_exprs)
6604 {
6605 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6606 u32 len = sizeof(struct nft_set_elem_expr);
6607 struct nft_expr *expr;
6608 int i, err;
6609
6610 if (num_exprs == 0)
6611 return 0;
6612
6613 for (i = 0; i < num_exprs; i++)
6614 len += expr_array[i]->ops->size;
6615
6616 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6617 return -EINVAL;
6618
6619 for (i = 0; i < num_exprs; i++) {
6620 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6621 err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT);
6622 if (err < 0)
6623 goto err_elem_expr_setup;
6624
6625 elem_expr->size += expr_array[i]->ops->size;
6626 nft_expr_destroy(ctx, expr_array[i]);
6627 expr_array[i] = NULL;
6628 }
6629
6630 return 0;
6631
6632 err_elem_expr_setup:
6633 for (; i < num_exprs; i++) {
6634 nft_expr_destroy(ctx, expr_array[i]);
6635 expr_array[i] = NULL;
6636 }
6637
6638 return -ENOMEM;
6639 }
6640
6641 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6642 const struct nft_set *set)
6643 {
6644 struct nft_set_elem_catchall *catchall;
6645 u8 genmask = nft_genmask_cur(net);
6646 struct nft_set_ext *ext;
6647
6648 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6649 ext = nft_set_elem_ext(set, catchall->elem);
6650 if (nft_set_elem_active(ext, genmask) &&
6651 !nft_set_elem_expired(ext) &&
6652 !nft_set_elem_is_dead(ext))
6653 return ext;
6654 }
6655
6656 return NULL;
6657 }
6658 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6659
6660 static int nft_setelem_catchall_insert(const struct net *net,
6661 struct nft_set *set,
6662 const struct nft_set_elem *elem,
6663 struct nft_elem_priv **priv)
6664 {
6665 struct nft_set_elem_catchall *catchall;
6666 u8 genmask = nft_genmask_next(net);
6667 struct nft_set_ext *ext;
6668
6669 list_for_each_entry(catchall, &set->catchall_list, list) {
6670 ext = nft_set_elem_ext(set, catchall->elem);
6671 if (nft_set_elem_active(ext, genmask)) {
6672 *priv = catchall->elem;
6673 return -EEXIST;
6674 }
6675 }
6676
6677 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
6678 if (!catchall)
6679 return -ENOMEM;
6680
6681 catchall->elem = elem->priv;
6682 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6683
6684 return 0;
6685 }
6686
6687 static int nft_setelem_insert(const struct net *net,
6688 struct nft_set *set,
6689 const struct nft_set_elem *elem,
6690 struct nft_elem_priv **elem_priv,
6691 unsigned int flags)
6692 {
6693 int ret;
6694
6695 if (flags & NFT_SET_ELEM_CATCHALL)
6696 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv);
6697 else
6698 ret = set->ops->insert(net, set, elem, elem_priv);
6699
6700 return ret;
6701 }
6702
6703 static bool nft_setelem_is_catchall(const struct nft_set *set,
6704 const struct nft_elem_priv *elem_priv)
6705 {
6706 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6707
6708 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6709 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6710 return true;
6711
6712 return false;
6713 }
6714
6715 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6716 struct nft_elem_priv *elem_priv)
6717 {
6718 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6719
6720 if (nft_setelem_is_catchall(set, elem_priv)) {
6721 nft_clear(net, ext);
6722 } else {
6723 set->ops->activate(net, set, elem_priv);
6724 }
6725 }
6726
6727 static int nft_setelem_catchall_deactivate(const struct net *net,
6728 struct nft_set *set,
6729 struct nft_set_elem *elem)
6730 {
6731 struct nft_set_elem_catchall *catchall;
6732 struct nft_set_ext *ext;
6733
6734 list_for_each_entry(catchall, &set->catchall_list, list) {
6735 ext = nft_set_elem_ext(set, catchall->elem);
6736 if (!nft_is_active_next(net, ext))
6737 continue;
6738
6739 kfree(elem->priv);
6740 elem->priv = catchall->elem;
6741 nft_set_elem_change_active(net, set, ext);
6742 return 0;
6743 }
6744
6745 return -ENOENT;
6746 }
6747
6748 static int __nft_setelem_deactivate(const struct net *net,
6749 struct nft_set *set,
6750 struct nft_set_elem *elem)
6751 {
6752 void *priv;
6753
6754 priv = set->ops->deactivate(net, set, elem);
6755 if (!priv)
6756 return -ENOENT;
6757
6758 kfree(elem->priv);
6759 elem->priv = priv;
6760 set->ndeact++;
6761
6762 return 0;
6763 }
6764
6765 static int nft_setelem_deactivate(const struct net *net,
6766 struct nft_set *set,
6767 struct nft_set_elem *elem, u32 flags)
6768 {
6769 int ret;
6770
6771 if (flags & NFT_SET_ELEM_CATCHALL)
6772 ret = nft_setelem_catchall_deactivate(net, set, elem);
6773 else
6774 ret = __nft_setelem_deactivate(net, set, elem);
6775
6776 return ret;
6777 }
6778
6779 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
6780 {
6781 list_del_rcu(&catchall->list);
6782 kfree_rcu(catchall, rcu);
6783 }
6784
6785 static void nft_setelem_catchall_remove(const struct net *net,
6786 const struct nft_set *set,
6787 struct nft_elem_priv *elem_priv)
6788 {
6789 struct nft_set_elem_catchall *catchall, *next;
6790
6791 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6792 if (catchall->elem == elem_priv) {
6793 nft_setelem_catchall_destroy(catchall);
6794 break;
6795 }
6796 }
6797 }
6798
6799 static void nft_setelem_remove(const struct net *net,
6800 const struct nft_set *set,
6801 struct nft_elem_priv *elem_priv)
6802 {
6803 if (nft_setelem_is_catchall(set, elem_priv))
6804 nft_setelem_catchall_remove(net, set, elem_priv);
6805 else
6806 set->ops->remove(net, set, elem_priv);
6807 }
6808
6809 static bool nft_setelem_valid_key_end(const struct nft_set *set,
6810 struct nlattr **nla, u32 flags)
6811 {
6812 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6813 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6814 if (flags & NFT_SET_ELEM_INTERVAL_END)
6815 return false;
6816
6817 if (nla[NFTA_SET_ELEM_KEY_END] &&
6818 flags & NFT_SET_ELEM_CATCHALL)
6819 return false;
6820 } else {
6821 if (nla[NFTA_SET_ELEM_KEY_END])
6822 return false;
6823 }
6824
6825 return true;
6826 }
6827
6828 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6829 const struct nlattr *attr, u32 nlmsg_flags)
6830 {
6831 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6832 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6833 u8 genmask = nft_genmask_next(ctx->net);
6834 u32 flags = 0, size = 0, num_exprs = 0;
6835 struct nft_set_ext_tmpl tmpl;
6836 struct nft_set_ext *ext, *ext2;
6837 struct nft_set_elem elem;
6838 struct nft_set_binding *binding;
6839 struct nft_elem_priv *elem_priv;
6840 struct nft_object *obj = NULL;
6841 struct nft_userdata *udata;
6842 struct nft_data_desc desc;
6843 enum nft_registers dreg;
6844 struct nft_trans *trans;
6845 u64 expiration;
6846 u64 timeout;
6847 int err, i;
6848 u8 ulen;
6849
6850 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6851 nft_set_elem_policy, NULL);
6852 if (err < 0)
6853 return err;
6854
6855 nft_set_ext_prepare(&tmpl);
6856
6857 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6858 if (err < 0)
6859 return err;
6860
6861 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6862 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6863 return -EINVAL;
6864
6865 if (flags != 0) {
6866 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6867 if (err < 0)
6868 return err;
6869 }
6870
6871 if (set->flags & NFT_SET_MAP) {
6872 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6873 !(flags & NFT_SET_ELEM_INTERVAL_END))
6874 return -EINVAL;
6875 } else {
6876 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6877 return -EINVAL;
6878 }
6879
6880 if (set->flags & NFT_SET_OBJECT) {
6881 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6882 !(flags & NFT_SET_ELEM_INTERVAL_END))
6883 return -EINVAL;
6884 } else {
6885 if (nla[NFTA_SET_ELEM_OBJREF])
6886 return -EINVAL;
6887 }
6888
6889 if (!nft_setelem_valid_key_end(set, nla, flags))
6890 return -EINVAL;
6891
6892 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6893 (nla[NFTA_SET_ELEM_DATA] ||
6894 nla[NFTA_SET_ELEM_OBJREF] ||
6895 nla[NFTA_SET_ELEM_TIMEOUT] ||
6896 nla[NFTA_SET_ELEM_EXPIRATION] ||
6897 nla[NFTA_SET_ELEM_USERDATA] ||
6898 nla[NFTA_SET_ELEM_EXPR] ||
6899 nla[NFTA_SET_ELEM_KEY_END] ||
6900 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6901 return -EINVAL;
6902
6903 timeout = 0;
6904 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6905 if (!(set->flags & NFT_SET_TIMEOUT))
6906 return -EINVAL;
6907 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6908 &timeout);
6909 if (err)
6910 return err;
6911 } else if (set->flags & NFT_SET_TIMEOUT &&
6912 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6913 timeout = READ_ONCE(set->timeout);
6914 }
6915
6916 expiration = 0;
6917 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6918 if (!(set->flags & NFT_SET_TIMEOUT))
6919 return -EINVAL;
6920 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6921 &expiration);
6922 if (err)
6923 return err;
6924 }
6925
6926 if (nla[NFTA_SET_ELEM_EXPR]) {
6927 struct nft_expr *expr;
6928
6929 if (set->num_exprs && set->num_exprs != 1)
6930 return -EOPNOTSUPP;
6931
6932 expr = nft_set_elem_expr_alloc(ctx, set,
6933 nla[NFTA_SET_ELEM_EXPR]);
6934 if (IS_ERR(expr))
6935 return PTR_ERR(expr);
6936
6937 expr_array[0] = expr;
6938 num_exprs = 1;
6939
6940 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6941 err = -EOPNOTSUPP;
6942 goto err_set_elem_expr;
6943 }
6944 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6945 struct nft_expr *expr;
6946 struct nlattr *tmp;
6947 int left;
6948
6949 i = 0;
6950 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6951 if (i == NFT_SET_EXPR_MAX ||
6952 (set->num_exprs && set->num_exprs == i)) {
6953 err = -E2BIG;
6954 goto err_set_elem_expr;
6955 }
6956 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6957 err = -EINVAL;
6958 goto err_set_elem_expr;
6959 }
6960 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6961 if (IS_ERR(expr)) {
6962 err = PTR_ERR(expr);
6963 goto err_set_elem_expr;
6964 }
6965 expr_array[i] = expr;
6966 num_exprs++;
6967
6968 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6969 err = -EOPNOTSUPP;
6970 goto err_set_elem_expr;
6971 }
6972 i++;
6973 }
6974 if (set->num_exprs && set->num_exprs != i) {
6975 err = -EOPNOTSUPP;
6976 goto err_set_elem_expr;
6977 }
6978 } else if (set->num_exprs > 0 &&
6979 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6980 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6981 if (err < 0)
6982 goto err_set_elem_expr_clone;
6983
6984 num_exprs = set->num_exprs;
6985 }
6986
6987 if (nla[NFTA_SET_ELEM_KEY]) {
6988 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6989 nla[NFTA_SET_ELEM_KEY]);
6990 if (err < 0)
6991 goto err_set_elem_expr;
6992
6993 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6994 if (err < 0)
6995 goto err_parse_key;
6996 }
6997
6998 if (nla[NFTA_SET_ELEM_KEY_END]) {
6999 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7000 nla[NFTA_SET_ELEM_KEY_END]);
7001 if (err < 0)
7002 goto err_parse_key;
7003
7004 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7005 if (err < 0)
7006 goto err_parse_key_end;
7007 }
7008
7009 if (timeout > 0) {
7010 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
7011 if (err < 0)
7012 goto err_parse_key_end;
7013
7014 if (timeout != READ_ONCE(set->timeout)) {
7015 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
7016 if (err < 0)
7017 goto err_parse_key_end;
7018 }
7019 }
7020
7021 if (num_exprs) {
7022 for (i = 0; i < num_exprs; i++)
7023 size += expr_array[i]->ops->size;
7024
7025 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
7026 sizeof(struct nft_set_elem_expr) + size);
7027 if (err < 0)
7028 goto err_parse_key_end;
7029 }
7030
7031 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
7032 obj = nft_obj_lookup(ctx->net, ctx->table,
7033 nla[NFTA_SET_ELEM_OBJREF],
7034 set->objtype, genmask);
7035 if (IS_ERR(obj)) {
7036 err = PTR_ERR(obj);
7037 obj = NULL;
7038 goto err_parse_key_end;
7039 }
7040
7041 if (!nft_use_inc(&obj->use)) {
7042 err = -EMFILE;
7043 obj = NULL;
7044 goto err_parse_key_end;
7045 }
7046
7047 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
7048 if (err < 0)
7049 goto err_parse_key_end;
7050 }
7051
7052 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
7053 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
7054 nla[NFTA_SET_ELEM_DATA]);
7055 if (err < 0)
7056 goto err_parse_key_end;
7057
7058 dreg = nft_type_to_reg(set->dtype);
7059 list_for_each_entry(binding, &set->bindings, list) {
7060 struct nft_ctx bind_ctx = {
7061 .net = ctx->net,
7062 .family = ctx->family,
7063 .table = ctx->table,
7064 .chain = (struct nft_chain *)binding->chain,
7065 };
7066
7067 if (!(binding->flags & NFT_SET_MAP))
7068 continue;
7069
7070 err = nft_validate_register_store(&bind_ctx, dreg,
7071 &elem.data.val,
7072 desc.type, desc.len);
7073 if (err < 0)
7074 goto err_parse_data;
7075
7076 if (desc.type == NFT_DATA_VERDICT &&
7077 (elem.data.val.verdict.code == NFT_GOTO ||
7078 elem.data.val.verdict.code == NFT_JUMP))
7079 nft_validate_state_update(ctx->table,
7080 NFT_VALIDATE_NEED);
7081 }
7082
7083 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
7084 if (err < 0)
7085 goto err_parse_data;
7086 }
7087
7088 /* The full maximum length of userdata can exceed the maximum
7089 * offset value (U8_MAX) for following extensions, therefor it
7090 * must be the last extension added.
7091 */
7092 ulen = 0;
7093 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
7094 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
7095 if (ulen > 0) {
7096 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
7097 ulen);
7098 if (err < 0)
7099 goto err_parse_data;
7100 }
7101 }
7102
7103 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7104 elem.key_end.val.data, elem.data.val.data,
7105 timeout, expiration, GFP_KERNEL_ACCOUNT);
7106 if (IS_ERR(elem.priv)) {
7107 err = PTR_ERR(elem.priv);
7108 goto err_parse_data;
7109 }
7110
7111 ext = nft_set_elem_ext(set, elem.priv);
7112 if (flags)
7113 *nft_set_ext_flags(ext) = flags;
7114
7115 if (obj)
7116 *nft_set_ext_obj(ext) = obj;
7117
7118 if (ulen > 0) {
7119 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
7120 err = -EINVAL;
7121 goto err_elem_free;
7122 }
7123 udata = nft_set_ext_userdata(ext);
7124 udata->len = ulen - 1;
7125 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
7126 }
7127 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
7128 if (err < 0)
7129 goto err_elem_free;
7130
7131 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
7132 if (trans == NULL) {
7133 err = -ENOMEM;
7134 goto err_elem_free;
7135 }
7136
7137 ext->genmask = nft_genmask_cur(ctx->net);
7138
7139 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags);
7140 if (err) {
7141 if (err == -EEXIST) {
7142 ext2 = nft_set_elem_ext(set, elem_priv);
7143 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
7144 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
7145 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
7146 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
7147 goto err_element_clash;
7148 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
7149 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
7150 memcmp(nft_set_ext_data(ext),
7151 nft_set_ext_data(ext2), set->dlen) != 0) ||
7152 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
7153 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
7154 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
7155 goto err_element_clash;
7156 else if (!(nlmsg_flags & NLM_F_EXCL))
7157 err = 0;
7158 } else if (err == -ENOTEMPTY) {
7159 /* ENOTEMPTY reports overlapping between this element
7160 * and an existing one.
7161 */
7162 err = -EEXIST;
7163 }
7164 goto err_element_clash;
7165 }
7166
7167 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
7168 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX;
7169
7170 if (!atomic_add_unless(&set->nelems, 1, max)) {
7171 err = -ENFILE;
7172 goto err_set_full;
7173 }
7174 }
7175
7176 nft_trans_elem_priv(trans) = elem.priv;
7177 nft_trans_commit_list_add_tail(ctx->net, trans);
7178 return 0;
7179
7180 err_set_full:
7181 nft_setelem_remove(ctx->net, set, elem.priv);
7182 err_element_clash:
7183 kfree(trans);
7184 err_elem_free:
7185 nf_tables_set_elem_destroy(ctx, set, elem.priv);
7186 err_parse_data:
7187 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7188 nft_data_release(&elem.data.val, desc.type);
7189 err_parse_key_end:
7190 if (obj)
7191 nft_use_dec_restore(&obj->use);
7192
7193 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7194 err_parse_key:
7195 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7196 err_set_elem_expr:
7197 for (i = 0; i < num_exprs && expr_array[i]; i++)
7198 nft_expr_destroy(ctx, expr_array[i]);
7199 err_set_elem_expr_clone:
7200 return err;
7201 }
7202
7203 static int nf_tables_newsetelem(struct sk_buff *skb,
7204 const struct nfnl_info *info,
7205 const struct nlattr * const nla[])
7206 {
7207 struct netlink_ext_ack *extack = info->extack;
7208 u8 genmask = nft_genmask_next(info->net);
7209 u8 family = info->nfmsg->nfgen_family;
7210 struct net *net = info->net;
7211 const struct nlattr *attr;
7212 struct nft_table *table;
7213 struct nft_set *set;
7214 struct nft_ctx ctx;
7215 int rem, err;
7216
7217 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
7218 return -EINVAL;
7219
7220 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7221 genmask, NETLINK_CB(skb).portid);
7222 if (IS_ERR(table)) {
7223 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7224 return PTR_ERR(table);
7225 }
7226
7227 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
7228 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
7229 if (IS_ERR(set)) {
7230 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7231 return PTR_ERR(set);
7232 }
7233
7234 if (!list_empty(&set->bindings) &&
7235 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
7236 return -EBUSY;
7237
7238 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7239
7240 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7241 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
7242 if (err < 0) {
7243 NL_SET_BAD_ATTR(extack, attr);
7244 return err;
7245 }
7246 }
7247
7248 if (table->validate_state == NFT_VALIDATE_DO)
7249 return nft_table_validate(net, table);
7250
7251 return 0;
7252 }
7253
7254 /**
7255 * nft_data_hold - hold a nft_data item
7256 *
7257 * @data: struct nft_data to release
7258 * @type: type of data
7259 *
7260 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7261 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7262 * NFT_GOTO verdicts. This function must be called on active data objects
7263 * from the second phase of the commit protocol.
7264 */
7265 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7266 {
7267 struct nft_chain *chain;
7268
7269 if (type == NFT_DATA_VERDICT) {
7270 switch (data->verdict.code) {
7271 case NFT_JUMP:
7272 case NFT_GOTO:
7273 chain = data->verdict.chain;
7274 nft_use_inc_restore(&chain->use);
7275 break;
7276 }
7277 }
7278 }
7279
7280 static int nft_setelem_active_next(const struct net *net,
7281 const struct nft_set *set,
7282 struct nft_elem_priv *elem_priv)
7283 {
7284 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7285 u8 genmask = nft_genmask_next(net);
7286
7287 return nft_set_elem_active(ext, genmask);
7288 }
7289
7290 static void nft_setelem_data_activate(const struct net *net,
7291 const struct nft_set *set,
7292 struct nft_elem_priv *elem_priv)
7293 {
7294 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7295
7296 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7297 nft_data_hold(nft_set_ext_data(ext), set->dtype);
7298 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7299 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
7300 }
7301
7302 void nft_setelem_data_deactivate(const struct net *net,
7303 const struct nft_set *set,
7304 struct nft_elem_priv *elem_priv)
7305 {
7306 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7307
7308 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7309 nft_data_release(nft_set_ext_data(ext), set->dtype);
7310 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7311 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
7312 }
7313
7314 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7315 const struct nlattr *attr)
7316 {
7317 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7318 struct nft_set_ext_tmpl tmpl;
7319 struct nft_set_elem elem;
7320 struct nft_set_ext *ext;
7321 struct nft_trans *trans;
7322 u32 flags = 0;
7323 int err;
7324
7325 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7326 nft_set_elem_policy, NULL);
7327 if (err < 0)
7328 return err;
7329
7330 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7331 if (err < 0)
7332 return err;
7333
7334 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7335 return -EINVAL;
7336
7337 if (!nft_setelem_valid_key_end(set, nla, flags))
7338 return -EINVAL;
7339
7340 nft_set_ext_prepare(&tmpl);
7341
7342 if (flags != 0) {
7343 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7344 if (err < 0)
7345 return err;
7346 }
7347
7348 if (nla[NFTA_SET_ELEM_KEY]) {
7349 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7350 nla[NFTA_SET_ELEM_KEY]);
7351 if (err < 0)
7352 return err;
7353
7354 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7355 if (err < 0)
7356 goto fail_elem;
7357 }
7358
7359 if (nla[NFTA_SET_ELEM_KEY_END]) {
7360 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7361 nla[NFTA_SET_ELEM_KEY_END]);
7362 if (err < 0)
7363 goto fail_elem;
7364
7365 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7366 if (err < 0)
7367 goto fail_elem_key_end;
7368 }
7369
7370 err = -ENOMEM;
7371 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7372 elem.key_end.val.data, NULL, 0, 0,
7373 GFP_KERNEL_ACCOUNT);
7374 if (IS_ERR(elem.priv)) {
7375 err = PTR_ERR(elem.priv);
7376 goto fail_elem_key_end;
7377 }
7378
7379 ext = nft_set_elem_ext(set, elem.priv);
7380 if (flags)
7381 *nft_set_ext_flags(ext) = flags;
7382
7383 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7384 if (trans == NULL)
7385 goto fail_trans;
7386
7387 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
7388 if (err < 0)
7389 goto fail_ops;
7390
7391 nft_setelem_data_deactivate(ctx->net, set, elem.priv);
7392
7393 nft_trans_elem_priv(trans) = elem.priv;
7394 nft_trans_commit_list_add_tail(ctx->net, trans);
7395 return 0;
7396
7397 fail_ops:
7398 kfree(trans);
7399 fail_trans:
7400 kfree(elem.priv);
7401 fail_elem_key_end:
7402 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7403 fail_elem:
7404 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7405 return err;
7406 }
7407
7408 static int nft_setelem_flush(const struct nft_ctx *ctx,
7409 struct nft_set *set,
7410 const struct nft_set_iter *iter,
7411 struct nft_elem_priv *elem_priv)
7412 {
7413 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7414 struct nft_trans *trans;
7415
7416 if (!nft_set_elem_active(ext, iter->genmask))
7417 return 0;
7418
7419 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7420 sizeof(struct nft_trans_elem), GFP_ATOMIC);
7421 if (!trans)
7422 return -ENOMEM;
7423
7424 set->ops->flush(ctx->net, set, elem_priv);
7425 set->ndeact++;
7426
7427 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7428 nft_trans_elem_set(trans) = set;
7429 nft_trans_elem_priv(trans) = elem_priv;
7430 nft_trans_commit_list_add_tail(ctx->net, trans);
7431
7432 return 0;
7433 }
7434
7435 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7436 struct nft_set *set,
7437 struct nft_elem_priv *elem_priv)
7438 {
7439 struct nft_trans *trans;
7440
7441 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7442 sizeof(struct nft_trans_elem), GFP_KERNEL);
7443 if (!trans)
7444 return -ENOMEM;
7445
7446 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7447 nft_trans_elem_set(trans) = set;
7448 nft_trans_elem_priv(trans) = elem_priv;
7449 nft_trans_commit_list_add_tail(ctx->net, trans);
7450
7451 return 0;
7452 }
7453
7454 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7455 struct nft_set *set)
7456 {
7457 u8 genmask = nft_genmask_next(ctx->net);
7458 struct nft_set_elem_catchall *catchall;
7459 struct nft_set_ext *ext;
7460 int ret = 0;
7461
7462 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
7463 ext = nft_set_elem_ext(set, catchall->elem);
7464 if (!nft_set_elem_active(ext, genmask))
7465 continue;
7466
7467 ret = __nft_set_catchall_flush(ctx, set, catchall->elem);
7468 if (ret < 0)
7469 break;
7470 nft_set_elem_change_active(ctx->net, set, ext);
7471 }
7472
7473 return ret;
7474 }
7475
7476 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
7477 {
7478 struct nft_set_iter iter = {
7479 .genmask = genmask,
7480 .type = NFT_ITER_UPDATE,
7481 .fn = nft_setelem_flush,
7482 };
7483
7484 set->ops->walk(ctx, set, &iter);
7485 if (!iter.err)
7486 iter.err = nft_set_catchall_flush(ctx, set);
7487
7488 return iter.err;
7489 }
7490
7491 static int nf_tables_delsetelem(struct sk_buff *skb,
7492 const struct nfnl_info *info,
7493 const struct nlattr * const nla[])
7494 {
7495 struct netlink_ext_ack *extack = info->extack;
7496 u8 genmask = nft_genmask_next(info->net);
7497 u8 family = info->nfmsg->nfgen_family;
7498 struct net *net = info->net;
7499 const struct nlattr *attr;
7500 struct nft_table *table;
7501 struct nft_set *set;
7502 struct nft_ctx ctx;
7503 int rem, err = 0;
7504
7505 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7506 genmask, NETLINK_CB(skb).portid);
7507 if (IS_ERR(table)) {
7508 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7509 return PTR_ERR(table);
7510 }
7511
7512 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
7513 if (IS_ERR(set)) {
7514 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7515 return PTR_ERR(set);
7516 }
7517
7518 if (nft_set_is_anonymous(set))
7519 return -EOPNOTSUPP;
7520
7521 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
7522 return -EBUSY;
7523
7524 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7525
7526 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
7527 return nft_set_flush(&ctx, set, genmask);
7528
7529 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7530 err = nft_del_setelem(&ctx, set, attr);
7531 if (err == -ENOENT &&
7532 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
7533 continue;
7534
7535 if (err < 0) {
7536 NL_SET_BAD_ATTR(extack, attr);
7537 return err;
7538 }
7539 }
7540
7541 return 0;
7542 }
7543
7544 /*
7545 * Stateful objects
7546 */
7547
7548 /**
7549 * nft_register_obj- register nf_tables stateful object type
7550 * @obj_type: object type
7551 *
7552 * Registers the object type for use with nf_tables. Returns zero on
7553 * success or a negative errno code otherwise.
7554 */
7555 int nft_register_obj(struct nft_object_type *obj_type)
7556 {
7557 if (obj_type->type == NFT_OBJECT_UNSPEC)
7558 return -EINVAL;
7559
7560 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7561 list_add_rcu(&obj_type->list, &nf_tables_objects);
7562 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7563 return 0;
7564 }
7565 EXPORT_SYMBOL_GPL(nft_register_obj);
7566
7567 /**
7568 * nft_unregister_obj - unregister nf_tables object type
7569 * @obj_type: object type
7570 *
7571 * Unregisters the object type for use with nf_tables.
7572 */
7573 void nft_unregister_obj(struct nft_object_type *obj_type)
7574 {
7575 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7576 list_del_rcu(&obj_type->list);
7577 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7578 }
7579 EXPORT_SYMBOL_GPL(nft_unregister_obj);
7580
7581 struct nft_object *nft_obj_lookup(const struct net *net,
7582 const struct nft_table *table,
7583 const struct nlattr *nla, u32 objtype,
7584 u8 genmask)
7585 {
7586 struct nft_object_hash_key k = { .table = table };
7587 char search[NFT_OBJ_MAXNAMELEN];
7588 struct rhlist_head *tmp, *list;
7589 struct nft_object *obj;
7590
7591 nla_strscpy(search, nla, sizeof(search));
7592 k.name = search;
7593
7594 WARN_ON_ONCE(!rcu_read_lock_held() &&
7595 !lockdep_commit_lock_is_held(net));
7596
7597 rcu_read_lock();
7598 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
7599 if (!list)
7600 goto out;
7601
7602 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
7603 if (objtype == obj->ops->type->type &&
7604 nft_active_genmask(obj, genmask)) {
7605 rcu_read_unlock();
7606 return obj;
7607 }
7608 }
7609 out:
7610 rcu_read_unlock();
7611 return ERR_PTR(-ENOENT);
7612 }
7613 EXPORT_SYMBOL_GPL(nft_obj_lookup);
7614
7615 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7616 const struct nlattr *nla,
7617 u32 objtype, u8 genmask)
7618 {
7619 struct nft_object *obj;
7620
7621 list_for_each_entry(obj, &table->objects, list) {
7622 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7623 objtype == obj->ops->type->type &&
7624 nft_active_genmask(obj, genmask))
7625 return obj;
7626 }
7627 return ERR_PTR(-ENOENT);
7628 }
7629
7630 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7631 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7632 .len = NFT_TABLE_MAXNAMELEN - 1 },
7633 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7634 .len = NFT_OBJ_MAXNAMELEN - 1 },
7635 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7636 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7637 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7638 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7639 .len = NFT_USERDATA_MAXLEN },
7640 };
7641
7642 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7643 const struct nft_object_type *type,
7644 const struct nlattr *attr)
7645 {
7646 struct nlattr **tb;
7647 const struct nft_object_ops *ops;
7648 struct nft_object *obj;
7649 int err = -ENOMEM;
7650
7651 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
7652 if (!tb)
7653 goto err1;
7654
7655 if (attr) {
7656 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
7657 type->policy, NULL);
7658 if (err < 0)
7659 goto err2;
7660 } else {
7661 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7662 }
7663
7664 if (type->select_ops) {
7665 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7666 if (IS_ERR(ops)) {
7667 err = PTR_ERR(ops);
7668 goto err2;
7669 }
7670 } else {
7671 ops = type->ops;
7672 }
7673
7674 err = -ENOMEM;
7675 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7676 if (!obj)
7677 goto err2;
7678
7679 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7680 if (err < 0)
7681 goto err3;
7682
7683 obj->ops = ops;
7684
7685 kfree(tb);
7686 return obj;
7687 err3:
7688 kfree(obj);
7689 err2:
7690 kfree(tb);
7691 err1:
7692 return ERR_PTR(err);
7693 }
7694
7695 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7696 struct nft_object *obj, bool reset)
7697 {
7698 struct nlattr *nest;
7699
7700 nest = nla_nest_start_noflag(skb, attr);
7701 if (!nest)
7702 goto nla_put_failure;
7703 if (obj->ops->dump(skb, obj, reset) < 0)
7704 goto nla_put_failure;
7705 nla_nest_end(skb, nest);
7706 return 0;
7707
7708 nla_put_failure:
7709 return -1;
7710 }
7711
7712 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
7713 {
7714 const struct nft_object_type *type;
7715
7716 list_for_each_entry_rcu(type, &nf_tables_objects, list) {
7717 if (type->family != NFPROTO_UNSPEC &&
7718 type->family != family)
7719 continue;
7720
7721 if (objtype == type->type)
7722 return type;
7723 }
7724 return NULL;
7725 }
7726
7727 static const struct nft_object_type *
7728 nft_obj_type_get(struct net *net, u32 objtype, u8 family)
7729 {
7730 const struct nft_object_type *type;
7731
7732 rcu_read_lock();
7733 type = __nft_obj_type_get(objtype, family);
7734 if (type != NULL && try_module_get(type->owner)) {
7735 rcu_read_unlock();
7736 return type;
7737 }
7738 rcu_read_unlock();
7739
7740 lockdep_nfnl_nft_mutex_not_held();
7741 #ifdef CONFIG_MODULES
7742 if (type == NULL) {
7743 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7744 return ERR_PTR(-EAGAIN);
7745 }
7746 #endif
7747 return ERR_PTR(-ENOENT);
7748 }
7749
7750 static int nf_tables_updobj(const struct nft_ctx *ctx,
7751 const struct nft_object_type *type,
7752 const struct nlattr *attr,
7753 struct nft_object *obj)
7754 {
7755 struct nft_object *newobj;
7756 struct nft_trans *trans;
7757 int err = -ENOMEM;
7758
7759 if (!try_module_get(type->owner))
7760 return -ENOENT;
7761
7762 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
7763 sizeof(struct nft_trans_obj));
7764 if (!trans)
7765 goto err_trans;
7766
7767 newobj = nft_obj_init(ctx, type, attr);
7768 if (IS_ERR(newobj)) {
7769 err = PTR_ERR(newobj);
7770 goto err_free_trans;
7771 }
7772
7773 nft_trans_obj(trans) = obj;
7774 nft_trans_obj_update(trans) = true;
7775 nft_trans_obj_newobj(trans) = newobj;
7776 nft_trans_commit_list_add_tail(ctx->net, trans);
7777
7778 return 0;
7779
7780 err_free_trans:
7781 kfree(trans);
7782 err_trans:
7783 module_put(type->owner);
7784 return err;
7785 }
7786
7787 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7788 const struct nlattr * const nla[])
7789 {
7790 struct netlink_ext_ack *extack = info->extack;
7791 u8 genmask = nft_genmask_next(info->net);
7792 u8 family = info->nfmsg->nfgen_family;
7793 const struct nft_object_type *type;
7794 struct net *net = info->net;
7795 struct nft_table *table;
7796 struct nft_object *obj;
7797 struct nft_ctx ctx;
7798 u32 objtype;
7799 int err;
7800
7801 if (!nla[NFTA_OBJ_TYPE] ||
7802 !nla[NFTA_OBJ_NAME] ||
7803 !nla[NFTA_OBJ_DATA])
7804 return -EINVAL;
7805
7806 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7807 NETLINK_CB(skb).portid);
7808 if (IS_ERR(table)) {
7809 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7810 return PTR_ERR(table);
7811 }
7812
7813 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7814 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7815 if (IS_ERR(obj)) {
7816 err = PTR_ERR(obj);
7817 if (err != -ENOENT) {
7818 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7819 return err;
7820 }
7821 } else {
7822 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7823 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7824 return -EEXIST;
7825 }
7826 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7827 return -EOPNOTSUPP;
7828
7829 type = __nft_obj_type_get(objtype, family);
7830 if (WARN_ON_ONCE(!type))
7831 return -ENOENT;
7832
7833 if (!obj->ops->update)
7834 return 0;
7835
7836 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7837
7838 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
7839 }
7840
7841 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7842
7843 if (!nft_use_inc(&table->use))
7844 return -EMFILE;
7845
7846 type = nft_obj_type_get(net, objtype, family);
7847 if (IS_ERR(type)) {
7848 err = PTR_ERR(type);
7849 goto err_type;
7850 }
7851
7852 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
7853 if (IS_ERR(obj)) {
7854 err = PTR_ERR(obj);
7855 goto err_init;
7856 }
7857 obj->key.table = table;
7858 obj->handle = nf_tables_alloc_handle(table);
7859
7860 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7861 if (!obj->key.name) {
7862 err = -ENOMEM;
7863 goto err_strdup;
7864 }
7865
7866 if (nla[NFTA_OBJ_USERDATA]) {
7867 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7868 if (obj->udata == NULL)
7869 goto err_userdata;
7870
7871 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
7872 }
7873
7874 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
7875 if (err < 0)
7876 goto err_trans;
7877
7878 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
7879 nft_objname_ht_params);
7880 if (err < 0)
7881 goto err_obj_ht;
7882
7883 list_add_tail_rcu(&obj->list, &table->objects);
7884
7885 return 0;
7886 err_obj_ht:
7887 /* queued in transaction log */
7888 INIT_LIST_HEAD(&obj->list);
7889 return err;
7890 err_trans:
7891 kfree(obj->udata);
7892 err_userdata:
7893 kfree(obj->key.name);
7894 err_strdup:
7895 if (obj->ops->destroy)
7896 obj->ops->destroy(&ctx, obj);
7897 kfree(obj);
7898 err_init:
7899 module_put(type->owner);
7900 err_type:
7901 nft_use_dec_restore(&table->use);
7902
7903 return err;
7904 }
7905
7906 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7907 u32 portid, u32 seq, int event, u32 flags,
7908 int family, const struct nft_table *table,
7909 struct nft_object *obj, bool reset)
7910 {
7911 struct nlmsghdr *nlh;
7912
7913 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7914 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7915 NFNETLINK_V0, nft_base_seq(net));
7916 if (!nlh)
7917 goto nla_put_failure;
7918
7919 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7920 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7921 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7922 NFTA_OBJ_PAD))
7923 goto nla_put_failure;
7924
7925 if (event == NFT_MSG_DELOBJ) {
7926 nlmsg_end(skb, nlh);
7927 return 0;
7928 }
7929
7930 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7931 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7932 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
7933 goto nla_put_failure;
7934
7935 if (obj->udata &&
7936 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7937 goto nla_put_failure;
7938
7939 nlmsg_end(skb, nlh);
7940 return 0;
7941
7942 nla_put_failure:
7943 nlmsg_trim(skb, nlh);
7944 return -1;
7945 }
7946
7947 static void audit_log_obj_reset(const struct nft_table *table,
7948 unsigned int base_seq, unsigned int nentries)
7949 {
7950 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
7951
7952 audit_log_nfcfg(buf, table->family, nentries,
7953 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
7954 kfree(buf);
7955 }
7956
7957 struct nft_obj_dump_ctx {
7958 unsigned int s_idx;
7959 char *table;
7960 u32 type;
7961 bool reset;
7962 };
7963
7964 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7965 {
7966 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7967 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7968 struct net *net = sock_net(skb->sk);
7969 int family = nfmsg->nfgen_family;
7970 struct nftables_pernet *nft_net;
7971 const struct nft_table *table;
7972 unsigned int entries = 0;
7973 struct nft_object *obj;
7974 unsigned int idx = 0;
7975 int rc = 0;
7976
7977 rcu_read_lock();
7978 nft_net = nft_pernet(net);
7979 cb->seq = READ_ONCE(nft_net->base_seq);
7980
7981 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7982 if (family != NFPROTO_UNSPEC && family != table->family)
7983 continue;
7984
7985 entries = 0;
7986 list_for_each_entry_rcu(obj, &table->objects, list) {
7987 if (!nft_is_active(net, obj))
7988 goto cont;
7989 if (idx < ctx->s_idx)
7990 goto cont;
7991 if (ctx->table && strcmp(ctx->table, table->name))
7992 goto cont;
7993 if (ctx->type != NFT_OBJECT_UNSPEC &&
7994 obj->ops->type->type != ctx->type)
7995 goto cont;
7996
7997 rc = nf_tables_fill_obj_info(skb, net,
7998 NETLINK_CB(cb->skb).portid,
7999 cb->nlh->nlmsg_seq,
8000 NFT_MSG_NEWOBJ,
8001 NLM_F_MULTI | NLM_F_APPEND,
8002 table->family, table,
8003 obj, ctx->reset);
8004 if (rc < 0)
8005 break;
8006
8007 entries++;
8008 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8009 cont:
8010 idx++;
8011 }
8012 if (ctx->reset && entries)
8013 audit_log_obj_reset(table, nft_net->base_seq, entries);
8014 if (rc < 0)
8015 break;
8016 }
8017 rcu_read_unlock();
8018
8019 ctx->s_idx = idx;
8020 return skb->len;
8021 }
8022
8023 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
8024 {
8025 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8026 const struct nlattr * const *nla = cb->data;
8027
8028 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
8029
8030 if (nla[NFTA_OBJ_TABLE]) {
8031 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
8032 if (!ctx->table)
8033 return -ENOMEM;
8034 }
8035
8036 if (nla[NFTA_OBJ_TYPE])
8037 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8038
8039 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
8040 ctx->reset = true;
8041
8042 return 0;
8043 }
8044
8045 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
8046 {
8047 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8048
8049 kfree(ctx->table);
8050
8051 return 0;
8052 }
8053
8054 /* called with rcu_read_lock held */
8055 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
8056 const struct nlattr * const nla[])
8057 {
8058 struct netlink_ext_ack *extack = info->extack;
8059 u8 genmask = nft_genmask_cur(info->net);
8060 u8 family = info->nfmsg->nfgen_family;
8061 const struct nft_table *table;
8062 struct net *net = info->net;
8063 struct nft_object *obj;
8064 struct sk_buff *skb2;
8065 bool reset = false;
8066 u32 objtype;
8067 int err;
8068
8069 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8070 struct netlink_dump_control c = {
8071 .start = nf_tables_dump_obj_start,
8072 .dump = nf_tables_dump_obj,
8073 .done = nf_tables_dump_obj_done,
8074 .module = THIS_MODULE,
8075 .data = (void *)nla,
8076 };
8077
8078 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8079 }
8080
8081 if (!nla[NFTA_OBJ_NAME] ||
8082 !nla[NFTA_OBJ_TYPE])
8083 return -EINVAL;
8084
8085 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
8086 if (IS_ERR(table)) {
8087 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8088 return PTR_ERR(table);
8089 }
8090
8091 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8092 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8093 if (IS_ERR(obj)) {
8094 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8095 return PTR_ERR(obj);
8096 }
8097
8098 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8099 if (!skb2)
8100 return -ENOMEM;
8101
8102 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
8103 reset = true;
8104
8105 if (reset) {
8106 const struct nftables_pernet *nft_net;
8107 char *buf;
8108
8109 nft_net = nft_pernet(net);
8110 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
8111
8112 audit_log_nfcfg(buf,
8113 family,
8114 1,
8115 AUDIT_NFT_OP_OBJ_RESET,
8116 GFP_ATOMIC);
8117 kfree(buf);
8118 }
8119
8120 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
8121 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
8122 family, table, obj, reset);
8123 if (err < 0)
8124 goto err_fill_obj_info;
8125
8126 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
8127
8128 err_fill_obj_info:
8129 kfree_skb(skb2);
8130 return err;
8131 }
8132
8133 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
8134 {
8135 if (obj->ops->destroy)
8136 obj->ops->destroy(ctx, obj);
8137
8138 module_put(obj->ops->type->owner);
8139 kfree(obj->key.name);
8140 kfree(obj->udata);
8141 kfree(obj);
8142 }
8143
8144 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
8145 const struct nlattr * const nla[])
8146 {
8147 struct netlink_ext_ack *extack = info->extack;
8148 u8 genmask = nft_genmask_next(info->net);
8149 u8 family = info->nfmsg->nfgen_family;
8150 struct net *net = info->net;
8151 const struct nlattr *attr;
8152 struct nft_table *table;
8153 struct nft_object *obj;
8154 struct nft_ctx ctx;
8155 u32 objtype;
8156
8157 if (!nla[NFTA_OBJ_TYPE] ||
8158 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
8159 return -EINVAL;
8160
8161 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8162 NETLINK_CB(skb).portid);
8163 if (IS_ERR(table)) {
8164 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8165 return PTR_ERR(table);
8166 }
8167
8168 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8169 if (nla[NFTA_OBJ_HANDLE]) {
8170 attr = nla[NFTA_OBJ_HANDLE];
8171 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
8172 } else {
8173 attr = nla[NFTA_OBJ_NAME];
8174 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
8175 }
8176
8177 if (IS_ERR(obj)) {
8178 if (PTR_ERR(obj) == -ENOENT &&
8179 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
8180 return 0;
8181
8182 NL_SET_BAD_ATTR(extack, attr);
8183 return PTR_ERR(obj);
8184 }
8185 if (obj->use > 0) {
8186 NL_SET_BAD_ATTR(extack, attr);
8187 return -EBUSY;
8188 }
8189
8190 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8191
8192 return nft_delobj(&ctx, obj);
8193 }
8194
8195 static void
8196 __nft_obj_notify(struct net *net, const struct nft_table *table,
8197 struct nft_object *obj, u32 portid, u32 seq, int event,
8198 u16 flags, int family, int report, gfp_t gfp)
8199 {
8200 struct nftables_pernet *nft_net = nft_pernet(net);
8201 struct sk_buff *skb;
8202 int err;
8203
8204 if (!report &&
8205 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8206 return;
8207
8208 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
8209 if (skb == NULL)
8210 goto err;
8211
8212 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
8213 flags & (NLM_F_CREATE | NLM_F_EXCL),
8214 family, table, obj, false);
8215 if (err < 0) {
8216 kfree_skb(skb);
8217 goto err;
8218 }
8219
8220 nft_notify_enqueue(skb, report, &nft_net->notify_list);
8221 return;
8222 err:
8223 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
8224 }
8225
8226 void nft_obj_notify(struct net *net, const struct nft_table *table,
8227 struct nft_object *obj, u32 portid, u32 seq, int event,
8228 u16 flags, int family, int report, gfp_t gfp)
8229 {
8230 struct nftables_pernet *nft_net = nft_pernet(net);
8231 char *buf = kasprintf(gfp, "%s:%u",
8232 table->name, nft_net->base_seq);
8233
8234 audit_log_nfcfg(buf,
8235 family,
8236 obj->handle,
8237 event == NFT_MSG_NEWOBJ ?
8238 AUDIT_NFT_OP_OBJ_REGISTER :
8239 AUDIT_NFT_OP_OBJ_UNREGISTER,
8240 gfp);
8241 kfree(buf);
8242
8243 __nft_obj_notify(net, table, obj, portid, seq, event,
8244 flags, family, report, gfp);
8245 }
8246 EXPORT_SYMBOL_GPL(nft_obj_notify);
8247
8248 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
8249 struct nft_object *obj, int event)
8250 {
8251 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
8252 ctx->seq, event, ctx->flags, ctx->family,
8253 ctx->report, GFP_KERNEL);
8254 }
8255
8256 /*
8257 * Flow tables
8258 */
8259 void nft_register_flowtable_type(struct nf_flowtable_type *type)
8260 {
8261 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8262 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
8263 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8264 }
8265 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
8266
8267 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
8268 {
8269 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8270 list_del_rcu(&type->list);
8271 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8272 }
8273 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
8274
8275 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
8276 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
8277 .len = NFT_NAME_MAXLEN - 1 },
8278 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
8279 .len = NFT_NAME_MAXLEN - 1 },
8280 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8281 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8282 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8283 };
8284
8285 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
8286 const struct nlattr *nla, u8 genmask)
8287 {
8288 struct nft_flowtable *flowtable;
8289
8290 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8291 if (!nla_strcmp(nla, flowtable->name) &&
8292 nft_active_genmask(flowtable, genmask))
8293 return flowtable;
8294 }
8295 return ERR_PTR(-ENOENT);
8296 }
8297 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8298
8299 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8300 struct nft_flowtable *flowtable,
8301 enum nft_trans_phase phase)
8302 {
8303 switch (phase) {
8304 case NFT_TRANS_PREPARE_ERROR:
8305 case NFT_TRANS_PREPARE:
8306 case NFT_TRANS_ABORT:
8307 case NFT_TRANS_RELEASE:
8308 nft_use_dec(&flowtable->use);
8309 fallthrough;
8310 default:
8311 return;
8312 }
8313 }
8314 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8315
8316 static struct nft_flowtable *
8317 nft_flowtable_lookup_byhandle(const struct nft_table *table,
8318 const struct nlattr *nla, u8 genmask)
8319 {
8320 struct nft_flowtable *flowtable;
8321
8322 list_for_each_entry(flowtable, &table->flowtables, list) {
8323 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8324 nft_active_genmask(flowtable, genmask))
8325 return flowtable;
8326 }
8327 return ERR_PTR(-ENOENT);
8328 }
8329
8330 struct nft_flowtable_hook {
8331 u32 num;
8332 int priority;
8333 struct list_head list;
8334 };
8335
8336 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8337 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8338 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8339 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8340 };
8341
8342 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8343 const struct nlattr * const nla[],
8344 struct nft_flowtable_hook *flowtable_hook,
8345 struct nft_flowtable *flowtable,
8346 struct netlink_ext_ack *extack, bool add)
8347 {
8348 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8349 struct nft_hook *hook;
8350 int hooknum, priority;
8351 int err;
8352
8353 INIT_LIST_HEAD(&flowtable_hook->list);
8354
8355 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8356 nla[NFTA_FLOWTABLE_HOOK],
8357 nft_flowtable_hook_policy, NULL);
8358 if (err < 0)
8359 return err;
8360
8361 if (add) {
8362 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8363 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8364 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8365 return -ENOENT;
8366 }
8367
8368 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8369 if (hooknum != NF_NETDEV_INGRESS)
8370 return -EOPNOTSUPP;
8371
8372 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8373
8374 flowtable_hook->priority = priority;
8375 flowtable_hook->num = hooknum;
8376 } else {
8377 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8378 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8379 if (hooknum != flowtable->hooknum)
8380 return -EOPNOTSUPP;
8381 }
8382
8383 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8384 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8385 if (priority != flowtable->data.priority)
8386 return -EOPNOTSUPP;
8387 }
8388
8389 flowtable_hook->priority = flowtable->data.priority;
8390 flowtable_hook->num = flowtable->hooknum;
8391 }
8392
8393 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8394 err = nf_tables_parse_netdev_hooks(ctx->net,
8395 tb[NFTA_FLOWTABLE_HOOK_DEVS],
8396 &flowtable_hook->list,
8397 extack);
8398 if (err < 0)
8399 return err;
8400 }
8401
8402 list_for_each_entry(hook, &flowtable_hook->list, list) {
8403 hook->ops.pf = NFPROTO_NETDEV;
8404 hook->ops.hooknum = flowtable_hook->num;
8405 hook->ops.priority = flowtable_hook->priority;
8406 hook->ops.priv = &flowtable->data;
8407 hook->ops.hook = flowtable->data.type->hook;
8408 }
8409
8410 return err;
8411 }
8412
8413 /* call under rcu_read_lock */
8414 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
8415 {
8416 const struct nf_flowtable_type *type;
8417
8418 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
8419 if (family == type->family)
8420 return type;
8421 }
8422 return NULL;
8423 }
8424
8425 static const struct nf_flowtable_type *
8426 nft_flowtable_type_get(struct net *net, u8 family)
8427 {
8428 const struct nf_flowtable_type *type;
8429
8430 rcu_read_lock();
8431 type = __nft_flowtable_type_get(family);
8432 if (type != NULL && try_module_get(type->owner)) {
8433 rcu_read_unlock();
8434 return type;
8435 }
8436 rcu_read_unlock();
8437
8438 lockdep_nfnl_nft_mutex_not_held();
8439 #ifdef CONFIG_MODULES
8440 if (type == NULL) {
8441 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
8442 return ERR_PTR(-EAGAIN);
8443 }
8444 #endif
8445 return ERR_PTR(-ENOENT);
8446 }
8447
8448 /* Only called from error and netdev event paths. */
8449 static void nft_unregister_flowtable_hook(struct net *net,
8450 struct nft_flowtable *flowtable,
8451 struct nft_hook *hook)
8452 {
8453 nf_unregister_net_hook(net, &hook->ops);
8454 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8455 FLOW_BLOCK_UNBIND);
8456 }
8457
8458 static void __nft_unregister_flowtable_net_hooks(struct net *net,
8459 struct list_head *hook_list,
8460 bool release_netdev)
8461 {
8462 struct nft_hook *hook, *next;
8463
8464 list_for_each_entry_safe(hook, next, hook_list, list) {
8465 nf_unregister_net_hook(net, &hook->ops);
8466 if (release_netdev) {
8467 list_del(&hook->list);
8468 kfree_rcu(hook, rcu);
8469 }
8470 }
8471 }
8472
8473 static void nft_unregister_flowtable_net_hooks(struct net *net,
8474 struct list_head *hook_list)
8475 {
8476 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
8477 }
8478
8479 static int nft_register_flowtable_net_hooks(struct net *net,
8480 struct nft_table *table,
8481 struct list_head *hook_list,
8482 struct nft_flowtable *flowtable)
8483 {
8484 struct nft_hook *hook, *hook2, *next;
8485 struct nft_flowtable *ft;
8486 int err, i = 0;
8487
8488 list_for_each_entry(hook, hook_list, list) {
8489 list_for_each_entry(ft, &table->flowtables, list) {
8490 if (!nft_is_active_next(net, ft))
8491 continue;
8492
8493 list_for_each_entry(hook2, &ft->hook_list, list) {
8494 if (hook->ops.dev == hook2->ops.dev &&
8495 hook->ops.pf == hook2->ops.pf) {
8496 err = -EEXIST;
8497 goto err_unregister_net_hooks;
8498 }
8499 }
8500 }
8501
8502 err = flowtable->data.type->setup(&flowtable->data,
8503 hook->ops.dev,
8504 FLOW_BLOCK_BIND);
8505 if (err < 0)
8506 goto err_unregister_net_hooks;
8507
8508 err = nf_register_net_hook(net, &hook->ops);
8509 if (err < 0) {
8510 flowtable->data.type->setup(&flowtable->data,
8511 hook->ops.dev,
8512 FLOW_BLOCK_UNBIND);
8513 goto err_unregister_net_hooks;
8514 }
8515
8516 i++;
8517 }
8518
8519 return 0;
8520
8521 err_unregister_net_hooks:
8522 list_for_each_entry_safe(hook, next, hook_list, list) {
8523 if (i-- <= 0)
8524 break;
8525
8526 nft_unregister_flowtable_hook(net, flowtable, hook);
8527 list_del_rcu(&hook->list);
8528 kfree_rcu(hook, rcu);
8529 }
8530
8531 return err;
8532 }
8533
8534 static void nft_hooks_destroy(struct list_head *hook_list)
8535 {
8536 struct nft_hook *hook, *next;
8537
8538 list_for_each_entry_safe(hook, next, hook_list, list) {
8539 list_del_rcu(&hook->list);
8540 kfree_rcu(hook, rcu);
8541 }
8542 }
8543
8544 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
8545 struct nft_flowtable *flowtable,
8546 struct netlink_ext_ack *extack)
8547 {
8548 const struct nlattr * const *nla = ctx->nla;
8549 struct nft_flowtable_hook flowtable_hook;
8550 struct nft_hook *hook, *next;
8551 struct nft_trans *trans;
8552 bool unregister = false;
8553 u32 flags;
8554 int err;
8555
8556 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8557 extack, false);
8558 if (err < 0)
8559 return err;
8560
8561 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8562 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
8563 list_del(&hook->list);
8564 kfree(hook);
8565 }
8566 }
8567
8568 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8569 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8570 if (flags & ~NFT_FLOWTABLE_MASK) {
8571 err = -EOPNOTSUPP;
8572 goto err_flowtable_update_hook;
8573 }
8574 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
8575 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
8576 err = -EOPNOTSUPP;
8577 goto err_flowtable_update_hook;
8578 }
8579 } else {
8580 flags = flowtable->data.flags;
8581 }
8582
8583 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
8584 &flowtable_hook.list, flowtable);
8585 if (err < 0)
8586 goto err_flowtable_update_hook;
8587
8588 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
8589 sizeof(struct nft_trans_flowtable));
8590 if (!trans) {
8591 unregister = true;
8592 err = -ENOMEM;
8593 goto err_flowtable_update_hook;
8594 }
8595
8596 nft_trans_flowtable_flags(trans) = flags;
8597 nft_trans_flowtable(trans) = flowtable;
8598 nft_trans_flowtable_update(trans) = true;
8599 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8600 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
8601
8602 nft_trans_commit_list_add_tail(ctx->net, trans);
8603
8604 return 0;
8605
8606 err_flowtable_update_hook:
8607 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8608 if (unregister)
8609 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
8610 list_del_rcu(&hook->list);
8611 kfree_rcu(hook, rcu);
8612 }
8613
8614 return err;
8615
8616 }
8617
8618 static int nf_tables_newflowtable(struct sk_buff *skb,
8619 const struct nfnl_info *info,
8620 const struct nlattr * const nla[])
8621 {
8622 struct netlink_ext_ack *extack = info->extack;
8623 struct nft_flowtable_hook flowtable_hook;
8624 u8 genmask = nft_genmask_next(info->net);
8625 u8 family = info->nfmsg->nfgen_family;
8626 const struct nf_flowtable_type *type;
8627 struct nft_flowtable *flowtable;
8628 struct net *net = info->net;
8629 struct nft_table *table;
8630 struct nft_trans *trans;
8631 struct nft_ctx ctx;
8632 int err;
8633
8634 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8635 !nla[NFTA_FLOWTABLE_NAME] ||
8636 !nla[NFTA_FLOWTABLE_HOOK])
8637 return -EINVAL;
8638
8639 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8640 genmask, NETLINK_CB(skb).portid);
8641 if (IS_ERR(table)) {
8642 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8643 return PTR_ERR(table);
8644 }
8645
8646 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8647 genmask);
8648 if (IS_ERR(flowtable)) {
8649 err = PTR_ERR(flowtable);
8650 if (err != -ENOENT) {
8651 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8652 return err;
8653 }
8654 } else {
8655 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8656 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8657 return -EEXIST;
8658 }
8659
8660 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8661
8662 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
8663 }
8664
8665 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8666
8667 if (!nft_use_inc(&table->use))
8668 return -EMFILE;
8669
8670 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
8671 if (!flowtable) {
8672 err = -ENOMEM;
8673 goto flowtable_alloc;
8674 }
8675
8676 flowtable->table = table;
8677 flowtable->handle = nf_tables_alloc_handle(table);
8678 INIT_LIST_HEAD(&flowtable->hook_list);
8679
8680 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
8681 if (!flowtable->name) {
8682 err = -ENOMEM;
8683 goto err1;
8684 }
8685
8686 type = nft_flowtable_type_get(net, family);
8687 if (IS_ERR(type)) {
8688 err = PTR_ERR(type);
8689 goto err2;
8690 }
8691
8692 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8693 flowtable->data.flags =
8694 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8695 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
8696 err = -EOPNOTSUPP;
8697 goto err3;
8698 }
8699 }
8700
8701 write_pnet(&flowtable->data.net, net);
8702 flowtable->data.type = type;
8703 err = type->init(&flowtable->data);
8704 if (err < 0)
8705 goto err3;
8706
8707 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
8708 extack, true);
8709 if (err < 0)
8710 goto err_flowtable_parse_hooks;
8711
8712 list_splice(&flowtable_hook.list, &flowtable->hook_list);
8713 flowtable->data.priority = flowtable_hook.priority;
8714 flowtable->hooknum = flowtable_hook.num;
8715
8716 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
8717 if (IS_ERR(trans)) {
8718 err = PTR_ERR(trans);
8719 goto err_flowtable_trans;
8720 }
8721
8722 /* This must be LAST to ensure no packets are walking over this flowtable. */
8723 err = nft_register_flowtable_net_hooks(ctx.net, table,
8724 &flowtable->hook_list,
8725 flowtable);
8726 if (err < 0)
8727 goto err_flowtable_hooks;
8728
8729 list_add_tail_rcu(&flowtable->list, &table->flowtables);
8730
8731 return 0;
8732
8733 err_flowtable_hooks:
8734 nft_trans_destroy(trans);
8735 err_flowtable_trans:
8736 nft_hooks_destroy(&flowtable->hook_list);
8737 err_flowtable_parse_hooks:
8738 flowtable->data.type->free(&flowtable->data);
8739 err3:
8740 module_put(type->owner);
8741 err2:
8742 kfree(flowtable->name);
8743 err1:
8744 kfree(flowtable);
8745 flowtable_alloc:
8746 nft_use_dec_restore(&table->use);
8747
8748 return err;
8749 }
8750
8751 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8752 {
8753 struct nft_hook *this, *next;
8754
8755 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8756 list_del(&this->list);
8757 kfree(this);
8758 }
8759 }
8760
8761 static int nft_delflowtable_hook(struct nft_ctx *ctx,
8762 struct nft_flowtable *flowtable,
8763 struct netlink_ext_ack *extack)
8764 {
8765 const struct nlattr * const *nla = ctx->nla;
8766 struct nft_flowtable_hook flowtable_hook;
8767 LIST_HEAD(flowtable_del_list);
8768 struct nft_hook *this, *hook;
8769 struct nft_trans *trans;
8770 int err;
8771
8772 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8773 extack, false);
8774 if (err < 0)
8775 return err;
8776
8777 list_for_each_entry(this, &flowtable_hook.list, list) {
8778 hook = nft_hook_list_find(&flowtable->hook_list, this);
8779 if (!hook) {
8780 err = -ENOENT;
8781 goto err_flowtable_del_hook;
8782 }
8783 list_move(&hook->list, &flowtable_del_list);
8784 }
8785
8786 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
8787 sizeof(struct nft_trans_flowtable));
8788 if (!trans) {
8789 err = -ENOMEM;
8790 goto err_flowtable_del_hook;
8791 }
8792
8793 nft_trans_flowtable(trans) = flowtable;
8794 nft_trans_flowtable_update(trans) = true;
8795 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8796 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
8797 nft_flowtable_hook_release(&flowtable_hook);
8798
8799 nft_trans_commit_list_add_tail(ctx->net, trans);
8800
8801 return 0;
8802
8803 err_flowtable_del_hook:
8804 list_splice(&flowtable_del_list, &flowtable->hook_list);
8805 nft_flowtable_hook_release(&flowtable_hook);
8806
8807 return err;
8808 }
8809
8810 static int nf_tables_delflowtable(struct sk_buff *skb,
8811 const struct nfnl_info *info,
8812 const struct nlattr * const nla[])
8813 {
8814 struct netlink_ext_ack *extack = info->extack;
8815 u8 genmask = nft_genmask_next(info->net);
8816 u8 family = info->nfmsg->nfgen_family;
8817 struct nft_flowtable *flowtable;
8818 struct net *net = info->net;
8819 const struct nlattr *attr;
8820 struct nft_table *table;
8821 struct nft_ctx ctx;
8822
8823 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8824 (!nla[NFTA_FLOWTABLE_NAME] &&
8825 !nla[NFTA_FLOWTABLE_HANDLE]))
8826 return -EINVAL;
8827
8828 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8829 genmask, NETLINK_CB(skb).portid);
8830 if (IS_ERR(table)) {
8831 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8832 return PTR_ERR(table);
8833 }
8834
8835 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8836 attr = nla[NFTA_FLOWTABLE_HANDLE];
8837 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
8838 } else {
8839 attr = nla[NFTA_FLOWTABLE_NAME];
8840 flowtable = nft_flowtable_lookup(table, attr, genmask);
8841 }
8842
8843 if (IS_ERR(flowtable)) {
8844 if (PTR_ERR(flowtable) == -ENOENT &&
8845 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8846 return 0;
8847
8848 NL_SET_BAD_ATTR(extack, attr);
8849 return PTR_ERR(flowtable);
8850 }
8851
8852 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8853
8854 if (nla[NFTA_FLOWTABLE_HOOK])
8855 return nft_delflowtable_hook(&ctx, flowtable, extack);
8856
8857 if (flowtable->use > 0) {
8858 NL_SET_BAD_ATTR(extack, attr);
8859 return -EBUSY;
8860 }
8861
8862 return nft_delflowtable(&ctx, flowtable);
8863 }
8864
8865 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8866 u32 portid, u32 seq, int event,
8867 u32 flags, int family,
8868 struct nft_flowtable *flowtable,
8869 struct list_head *hook_list)
8870 {
8871 struct nlattr *nest, *nest_devs;
8872 struct nft_hook *hook;
8873 struct nlmsghdr *nlh;
8874
8875 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8876 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8877 NFNETLINK_V0, nft_base_seq(net));
8878 if (!nlh)
8879 goto nla_put_failure;
8880
8881 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
8882 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
8883 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8884 NFTA_FLOWTABLE_PAD))
8885 goto nla_put_failure;
8886
8887 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
8888 nlmsg_end(skb, nlh);
8889 return 0;
8890 }
8891
8892 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8893 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8894 goto nla_put_failure;
8895
8896 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
8897 if (!nest)
8898 goto nla_put_failure;
8899 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8900 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8901 goto nla_put_failure;
8902
8903 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
8904 if (!nest_devs)
8905 goto nla_put_failure;
8906
8907 if (!hook_list)
8908 hook_list = &flowtable->hook_list;
8909
8910 list_for_each_entry_rcu(hook, hook_list, list) {
8911 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
8912 goto nla_put_failure;
8913 }
8914 nla_nest_end(skb, nest_devs);
8915 nla_nest_end(skb, nest);
8916
8917 nlmsg_end(skb, nlh);
8918 return 0;
8919
8920 nla_put_failure:
8921 nlmsg_trim(skb, nlh);
8922 return -1;
8923 }
8924
8925 struct nft_flowtable_filter {
8926 char *table;
8927 };
8928
8929 static int nf_tables_dump_flowtable(struct sk_buff *skb,
8930 struct netlink_callback *cb)
8931 {
8932 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8933 struct nft_flowtable_filter *filter = cb->data;
8934 unsigned int idx = 0, s_idx = cb->args[0];
8935 struct net *net = sock_net(skb->sk);
8936 int family = nfmsg->nfgen_family;
8937 struct nft_flowtable *flowtable;
8938 struct nftables_pernet *nft_net;
8939 const struct nft_table *table;
8940
8941 rcu_read_lock();
8942 nft_net = nft_pernet(net);
8943 cb->seq = READ_ONCE(nft_net->base_seq);
8944
8945 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8946 if (family != NFPROTO_UNSPEC && family != table->family)
8947 continue;
8948
8949 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8950 if (!nft_is_active(net, flowtable))
8951 goto cont;
8952 if (idx < s_idx)
8953 goto cont;
8954 if (idx > s_idx)
8955 memset(&cb->args[1], 0,
8956 sizeof(cb->args) - sizeof(cb->args[0]));
8957 if (filter && filter->table &&
8958 strcmp(filter->table, table->name))
8959 goto cont;
8960
8961 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
8962 cb->nlh->nlmsg_seq,
8963 NFT_MSG_NEWFLOWTABLE,
8964 NLM_F_MULTI | NLM_F_APPEND,
8965 table->family,
8966 flowtable, NULL) < 0)
8967 goto done;
8968
8969 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8970 cont:
8971 idx++;
8972 }
8973 }
8974 done:
8975 rcu_read_unlock();
8976
8977 cb->args[0] = idx;
8978 return skb->len;
8979 }
8980
8981 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
8982 {
8983 const struct nlattr * const *nla = cb->data;
8984 struct nft_flowtable_filter *filter = NULL;
8985
8986 if (nla[NFTA_FLOWTABLE_TABLE]) {
8987 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
8988 if (!filter)
8989 return -ENOMEM;
8990
8991 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
8992 GFP_ATOMIC);
8993 if (!filter->table) {
8994 kfree(filter);
8995 return -ENOMEM;
8996 }
8997 }
8998
8999 cb->data = filter;
9000 return 0;
9001 }
9002
9003 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
9004 {
9005 struct nft_flowtable_filter *filter = cb->data;
9006
9007 if (!filter)
9008 return 0;
9009
9010 kfree(filter->table);
9011 kfree(filter);
9012
9013 return 0;
9014 }
9015
9016 /* called with rcu_read_lock held */
9017 static int nf_tables_getflowtable(struct sk_buff *skb,
9018 const struct nfnl_info *info,
9019 const struct nlattr * const nla[])
9020 {
9021 struct netlink_ext_ack *extack = info->extack;
9022 u8 genmask = nft_genmask_cur(info->net);
9023 u8 family = info->nfmsg->nfgen_family;
9024 struct nft_flowtable *flowtable;
9025 const struct nft_table *table;
9026 struct net *net = info->net;
9027 struct sk_buff *skb2;
9028 int err;
9029
9030 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
9031 struct netlink_dump_control c = {
9032 .start = nf_tables_dump_flowtable_start,
9033 .dump = nf_tables_dump_flowtable,
9034 .done = nf_tables_dump_flowtable_done,
9035 .module = THIS_MODULE,
9036 .data = (void *)nla,
9037 };
9038
9039 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
9040 }
9041
9042 if (!nla[NFTA_FLOWTABLE_NAME])
9043 return -EINVAL;
9044
9045 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9046 genmask, 0);
9047 if (IS_ERR(table)) {
9048 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9049 return PTR_ERR(table);
9050 }
9051
9052 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
9053 genmask);
9054 if (IS_ERR(flowtable)) {
9055 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9056 return PTR_ERR(flowtable);
9057 }
9058
9059 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9060 if (!skb2)
9061 return -ENOMEM;
9062
9063 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
9064 info->nlh->nlmsg_seq,
9065 NFT_MSG_NEWFLOWTABLE, 0, family,
9066 flowtable, NULL);
9067 if (err < 0)
9068 goto err_fill_flowtable_info;
9069
9070 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
9071
9072 err_fill_flowtable_info:
9073 kfree_skb(skb2);
9074 return err;
9075 }
9076
9077 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
9078 struct nft_flowtable *flowtable,
9079 struct list_head *hook_list, int event)
9080 {
9081 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
9082 struct sk_buff *skb;
9083 u16 flags = 0;
9084 int err;
9085
9086 if (!ctx->report &&
9087 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
9088 return;
9089
9090 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9091 if (skb == NULL)
9092 goto err;
9093
9094 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
9095 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
9096
9097 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
9098 ctx->seq, event, flags,
9099 ctx->family, flowtable, hook_list);
9100 if (err < 0) {
9101 kfree_skb(skb);
9102 goto err;
9103 }
9104
9105 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
9106 return;
9107 err:
9108 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
9109 }
9110
9111 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
9112 {
9113 struct nft_hook *hook, *next;
9114
9115 flowtable->data.type->free(&flowtable->data);
9116 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
9117 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
9118 FLOW_BLOCK_UNBIND);
9119 list_del_rcu(&hook->list);
9120 kfree(hook);
9121 }
9122 kfree(flowtable->name);
9123 module_put(flowtable->data.type->owner);
9124 kfree(flowtable);
9125 }
9126
9127 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
9128 u32 portid, u32 seq)
9129 {
9130 struct nftables_pernet *nft_net = nft_pernet(net);
9131 struct nlmsghdr *nlh;
9132 char buf[TASK_COMM_LEN];
9133 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
9134
9135 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
9136 NFNETLINK_V0, nft_base_seq(net));
9137 if (!nlh)
9138 goto nla_put_failure;
9139
9140 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
9141 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
9142 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
9143 goto nla_put_failure;
9144
9145 nlmsg_end(skb, nlh);
9146 return 0;
9147
9148 nla_put_failure:
9149 nlmsg_trim(skb, nlh);
9150 return -EMSGSIZE;
9151 }
9152
9153 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
9154 struct nft_flowtable *flowtable)
9155 {
9156 struct nft_hook *hook;
9157
9158 list_for_each_entry(hook, &flowtable->hook_list, list) {
9159 if (hook->ops.dev != dev)
9160 continue;
9161
9162 /* flow_offload_netdev_event() cleans up entries for us. */
9163 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
9164 list_del_rcu(&hook->list);
9165 kfree_rcu(hook, rcu);
9166 break;
9167 }
9168 }
9169
9170 static int nf_tables_flowtable_event(struct notifier_block *this,
9171 unsigned long event, void *ptr)
9172 {
9173 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
9174 struct nft_flowtable *flowtable;
9175 struct nftables_pernet *nft_net;
9176 struct nft_table *table;
9177 struct net *net;
9178
9179 if (event != NETDEV_UNREGISTER)
9180 return 0;
9181
9182 net = dev_net(dev);
9183 nft_net = nft_pernet(net);
9184 mutex_lock(&nft_net->commit_mutex);
9185 list_for_each_entry(table, &nft_net->tables, list) {
9186 list_for_each_entry(flowtable, &table->flowtables, list) {
9187 nft_flowtable_event(event, dev, flowtable);
9188 }
9189 }
9190 mutex_unlock(&nft_net->commit_mutex);
9191
9192 return NOTIFY_DONE;
9193 }
9194
9195 static struct notifier_block nf_tables_flowtable_notifier = {
9196 .notifier_call = nf_tables_flowtable_event,
9197 };
9198
9199 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
9200 int event)
9201 {
9202 struct nlmsghdr *nlh = nlmsg_hdr(skb);
9203 struct sk_buff *skb2;
9204 int err;
9205
9206 if (!nlmsg_report(nlh) &&
9207 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
9208 return;
9209
9210 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9211 if (skb2 == NULL)
9212 goto err;
9213
9214 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
9215 nlh->nlmsg_seq);
9216 if (err < 0) {
9217 kfree_skb(skb2);
9218 goto err;
9219 }
9220
9221 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9222 nlmsg_report(nlh), GFP_KERNEL);
9223 return;
9224 err:
9225 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9226 -ENOBUFS);
9227 }
9228
9229 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
9230 const struct nlattr * const nla[])
9231 {
9232 struct sk_buff *skb2;
9233 int err;
9234
9235 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9236 if (skb2 == NULL)
9237 return -ENOMEM;
9238
9239 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
9240 info->nlh->nlmsg_seq);
9241 if (err < 0)
9242 goto err_fill_gen_info;
9243
9244 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
9245
9246 err_fill_gen_info:
9247 kfree_skb(skb2);
9248 return err;
9249 }
9250
9251 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
9252 [NFT_MSG_NEWTABLE] = {
9253 .call = nf_tables_newtable,
9254 .type = NFNL_CB_BATCH,
9255 .attr_count = NFTA_TABLE_MAX,
9256 .policy = nft_table_policy,
9257 },
9258 [NFT_MSG_GETTABLE] = {
9259 .call = nf_tables_gettable,
9260 .type = NFNL_CB_RCU,
9261 .attr_count = NFTA_TABLE_MAX,
9262 .policy = nft_table_policy,
9263 },
9264 [NFT_MSG_DELTABLE] = {
9265 .call = nf_tables_deltable,
9266 .type = NFNL_CB_BATCH,
9267 .attr_count = NFTA_TABLE_MAX,
9268 .policy = nft_table_policy,
9269 },
9270 [NFT_MSG_DESTROYTABLE] = {
9271 .call = nf_tables_deltable,
9272 .type = NFNL_CB_BATCH,
9273 .attr_count = NFTA_TABLE_MAX,
9274 .policy = nft_table_policy,
9275 },
9276 [NFT_MSG_NEWCHAIN] = {
9277 .call = nf_tables_newchain,
9278 .type = NFNL_CB_BATCH,
9279 .attr_count = NFTA_CHAIN_MAX,
9280 .policy = nft_chain_policy,
9281 },
9282 [NFT_MSG_GETCHAIN] = {
9283 .call = nf_tables_getchain,
9284 .type = NFNL_CB_RCU,
9285 .attr_count = NFTA_CHAIN_MAX,
9286 .policy = nft_chain_policy,
9287 },
9288 [NFT_MSG_DELCHAIN] = {
9289 .call = nf_tables_delchain,
9290 .type = NFNL_CB_BATCH,
9291 .attr_count = NFTA_CHAIN_MAX,
9292 .policy = nft_chain_policy,
9293 },
9294 [NFT_MSG_DESTROYCHAIN] = {
9295 .call = nf_tables_delchain,
9296 .type = NFNL_CB_BATCH,
9297 .attr_count = NFTA_CHAIN_MAX,
9298 .policy = nft_chain_policy,
9299 },
9300 [NFT_MSG_NEWRULE] = {
9301 .call = nf_tables_newrule,
9302 .type = NFNL_CB_BATCH,
9303 .attr_count = NFTA_RULE_MAX,
9304 .policy = nft_rule_policy,
9305 },
9306 [NFT_MSG_GETRULE] = {
9307 .call = nf_tables_getrule,
9308 .type = NFNL_CB_RCU,
9309 .attr_count = NFTA_RULE_MAX,
9310 .policy = nft_rule_policy,
9311 },
9312 [NFT_MSG_GETRULE_RESET] = {
9313 .call = nf_tables_getrule_reset,
9314 .type = NFNL_CB_RCU,
9315 .attr_count = NFTA_RULE_MAX,
9316 .policy = nft_rule_policy,
9317 },
9318 [NFT_MSG_DELRULE] = {
9319 .call = nf_tables_delrule,
9320 .type = NFNL_CB_BATCH,
9321 .attr_count = NFTA_RULE_MAX,
9322 .policy = nft_rule_policy,
9323 },
9324 [NFT_MSG_DESTROYRULE] = {
9325 .call = nf_tables_delrule,
9326 .type = NFNL_CB_BATCH,
9327 .attr_count = NFTA_RULE_MAX,
9328 .policy = nft_rule_policy,
9329 },
9330 [NFT_MSG_NEWSET] = {
9331 .call = nf_tables_newset,
9332 .type = NFNL_CB_BATCH,
9333 .attr_count = NFTA_SET_MAX,
9334 .policy = nft_set_policy,
9335 },
9336 [NFT_MSG_GETSET] = {
9337 .call = nf_tables_getset,
9338 .type = NFNL_CB_RCU,
9339 .attr_count = NFTA_SET_MAX,
9340 .policy = nft_set_policy,
9341 },
9342 [NFT_MSG_DELSET] = {
9343 .call = nf_tables_delset,
9344 .type = NFNL_CB_BATCH,
9345 .attr_count = NFTA_SET_MAX,
9346 .policy = nft_set_policy,
9347 },
9348 [NFT_MSG_DESTROYSET] = {
9349 .call = nf_tables_delset,
9350 .type = NFNL_CB_BATCH,
9351 .attr_count = NFTA_SET_MAX,
9352 .policy = nft_set_policy,
9353 },
9354 [NFT_MSG_NEWSETELEM] = {
9355 .call = nf_tables_newsetelem,
9356 .type = NFNL_CB_BATCH,
9357 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9358 .policy = nft_set_elem_list_policy,
9359 },
9360 [NFT_MSG_GETSETELEM] = {
9361 .call = nf_tables_getsetelem,
9362 .type = NFNL_CB_RCU,
9363 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9364 .policy = nft_set_elem_list_policy,
9365 },
9366 [NFT_MSG_GETSETELEM_RESET] = {
9367 .call = nf_tables_getsetelem_reset,
9368 .type = NFNL_CB_RCU,
9369 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9370 .policy = nft_set_elem_list_policy,
9371 },
9372 [NFT_MSG_DELSETELEM] = {
9373 .call = nf_tables_delsetelem,
9374 .type = NFNL_CB_BATCH,
9375 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9376 .policy = nft_set_elem_list_policy,
9377 },
9378 [NFT_MSG_DESTROYSETELEM] = {
9379 .call = nf_tables_delsetelem,
9380 .type = NFNL_CB_BATCH,
9381 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9382 .policy = nft_set_elem_list_policy,
9383 },
9384 [NFT_MSG_GETGEN] = {
9385 .call = nf_tables_getgen,
9386 .type = NFNL_CB_RCU,
9387 },
9388 [NFT_MSG_NEWOBJ] = {
9389 .call = nf_tables_newobj,
9390 .type = NFNL_CB_BATCH,
9391 .attr_count = NFTA_OBJ_MAX,
9392 .policy = nft_obj_policy,
9393 },
9394 [NFT_MSG_GETOBJ] = {
9395 .call = nf_tables_getobj,
9396 .type = NFNL_CB_RCU,
9397 .attr_count = NFTA_OBJ_MAX,
9398 .policy = nft_obj_policy,
9399 },
9400 [NFT_MSG_DELOBJ] = {
9401 .call = nf_tables_delobj,
9402 .type = NFNL_CB_BATCH,
9403 .attr_count = NFTA_OBJ_MAX,
9404 .policy = nft_obj_policy,
9405 },
9406 [NFT_MSG_DESTROYOBJ] = {
9407 .call = nf_tables_delobj,
9408 .type = NFNL_CB_BATCH,
9409 .attr_count = NFTA_OBJ_MAX,
9410 .policy = nft_obj_policy,
9411 },
9412 [NFT_MSG_GETOBJ_RESET] = {
9413 .call = nf_tables_getobj,
9414 .type = NFNL_CB_RCU,
9415 .attr_count = NFTA_OBJ_MAX,
9416 .policy = nft_obj_policy,
9417 },
9418 [NFT_MSG_NEWFLOWTABLE] = {
9419 .call = nf_tables_newflowtable,
9420 .type = NFNL_CB_BATCH,
9421 .attr_count = NFTA_FLOWTABLE_MAX,
9422 .policy = nft_flowtable_policy,
9423 },
9424 [NFT_MSG_GETFLOWTABLE] = {
9425 .call = nf_tables_getflowtable,
9426 .type = NFNL_CB_RCU,
9427 .attr_count = NFTA_FLOWTABLE_MAX,
9428 .policy = nft_flowtable_policy,
9429 },
9430 [NFT_MSG_DELFLOWTABLE] = {
9431 .call = nf_tables_delflowtable,
9432 .type = NFNL_CB_BATCH,
9433 .attr_count = NFTA_FLOWTABLE_MAX,
9434 .policy = nft_flowtable_policy,
9435 },
9436 [NFT_MSG_DESTROYFLOWTABLE] = {
9437 .call = nf_tables_delflowtable,
9438 .type = NFNL_CB_BATCH,
9439 .attr_count = NFTA_FLOWTABLE_MAX,
9440 .policy = nft_flowtable_policy,
9441 },
9442 };
9443
9444 static int nf_tables_validate(struct net *net)
9445 {
9446 struct nftables_pernet *nft_net = nft_pernet(net);
9447 struct nft_table *table;
9448
9449 list_for_each_entry(table, &nft_net->tables, list) {
9450 switch (table->validate_state) {
9451 case NFT_VALIDATE_SKIP:
9452 continue;
9453 case NFT_VALIDATE_NEED:
9454 nft_validate_state_update(table, NFT_VALIDATE_DO);
9455 fallthrough;
9456 case NFT_VALIDATE_DO:
9457 if (nft_table_validate(net, table) < 0)
9458 return -EAGAIN;
9459
9460 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
9461 break;
9462 }
9463 }
9464
9465 return 0;
9466 }
9467
9468 /* a drop policy has to be deferred until all rules have been activated,
9469 * otherwise a large ruleset that contains a drop-policy base chain will
9470 * cause all packets to get dropped until the full transaction has been
9471 * processed.
9472 *
9473 * We defer the drop policy until the transaction has been finalized.
9474 */
9475 static void nft_chain_commit_drop_policy(struct nft_trans_chain *trans)
9476 {
9477 struct nft_base_chain *basechain;
9478
9479 if (trans->policy != NF_DROP)
9480 return;
9481
9482 if (!nft_is_base_chain(trans->chain))
9483 return;
9484
9485 basechain = nft_base_chain(trans->chain);
9486 basechain->policy = NF_DROP;
9487 }
9488
9489 static void nft_chain_commit_update(struct nft_trans_chain *trans)
9490 {
9491 struct nft_table *table = trans->nft_trans_binding.nft_trans.table;
9492 struct nft_base_chain *basechain;
9493
9494 if (trans->name) {
9495 rhltable_remove(&table->chains_ht,
9496 &trans->chain->rhlhead,
9497 nft_chain_ht_params);
9498 swap(trans->chain->name, trans->name);
9499 rhltable_insert_key(&table->chains_ht,
9500 trans->chain->name,
9501 &trans->chain->rhlhead,
9502 nft_chain_ht_params);
9503 }
9504
9505 if (!nft_is_base_chain(trans->chain))
9506 return;
9507
9508 nft_chain_stats_replace(trans);
9509
9510 basechain = nft_base_chain(trans->chain);
9511
9512 switch (trans->policy) {
9513 case NF_DROP:
9514 case NF_ACCEPT:
9515 basechain->policy = trans->policy;
9516 break;
9517 }
9518 }
9519
9520 static void nft_obj_commit_update(const struct nft_ctx *ctx,
9521 struct nft_trans *trans)
9522 {
9523 struct nft_object *newobj;
9524 struct nft_object *obj;
9525
9526 obj = nft_trans_obj(trans);
9527 newobj = nft_trans_obj_newobj(trans);
9528
9529 if (WARN_ON_ONCE(!obj->ops->update))
9530 return;
9531
9532 obj->ops->update(obj, newobj);
9533 nft_obj_destroy(ctx, newobj);
9534 }
9535
9536 static void nft_commit_release(struct nft_trans *trans)
9537 {
9538 struct nft_ctx ctx = {
9539 .net = trans->net,
9540 };
9541
9542 nft_ctx_update(&ctx, trans);
9543
9544 switch (trans->msg_type) {
9545 case NFT_MSG_DELTABLE:
9546 case NFT_MSG_DESTROYTABLE:
9547 nf_tables_table_destroy(trans->table);
9548 break;
9549 case NFT_MSG_NEWCHAIN:
9550 free_percpu(nft_trans_chain_stats(trans));
9551 kfree(nft_trans_chain_name(trans));
9552 break;
9553 case NFT_MSG_DELCHAIN:
9554 case NFT_MSG_DESTROYCHAIN:
9555 if (nft_trans_chain_update(trans))
9556 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9557 else
9558 nf_tables_chain_destroy(nft_trans_chain(trans));
9559 break;
9560 case NFT_MSG_DELRULE:
9561 case NFT_MSG_DESTROYRULE:
9562 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
9563 break;
9564 case NFT_MSG_DELSET:
9565 case NFT_MSG_DESTROYSET:
9566 nft_set_destroy(&ctx, nft_trans_set(trans));
9567 break;
9568 case NFT_MSG_DELSETELEM:
9569 case NFT_MSG_DESTROYSETELEM:
9570 nf_tables_set_elem_destroy(&ctx,
9571 nft_trans_elem_set(trans),
9572 nft_trans_elem_priv(trans));
9573 break;
9574 case NFT_MSG_DELOBJ:
9575 case NFT_MSG_DESTROYOBJ:
9576 nft_obj_destroy(&ctx, nft_trans_obj(trans));
9577 break;
9578 case NFT_MSG_DELFLOWTABLE:
9579 case NFT_MSG_DESTROYFLOWTABLE:
9580 if (nft_trans_flowtable_update(trans))
9581 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9582 else
9583 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9584 break;
9585 }
9586
9587 if (trans->put_net)
9588 put_net(trans->net);
9589
9590 kfree(trans);
9591 }
9592
9593 static void nf_tables_trans_destroy_work(struct work_struct *w)
9594 {
9595 struct nft_trans *trans, *next;
9596 LIST_HEAD(head);
9597
9598 spin_lock(&nf_tables_destroy_list_lock);
9599 list_splice_init(&nf_tables_destroy_list, &head);
9600 spin_unlock(&nf_tables_destroy_list_lock);
9601
9602 if (list_empty(&head))
9603 return;
9604
9605 synchronize_rcu();
9606
9607 list_for_each_entry_safe(trans, next, &head, list) {
9608 nft_trans_list_del(trans);
9609 nft_commit_release(trans);
9610 }
9611 }
9612
9613 void nf_tables_trans_destroy_flush_work(void)
9614 {
9615 flush_work(&trans_destroy_work);
9616 }
9617 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
9618
9619 static bool nft_expr_reduce(struct nft_regs_track *track,
9620 const struct nft_expr *expr)
9621 {
9622 return false;
9623 }
9624
9625 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
9626 {
9627 const struct nft_expr *expr, *last;
9628 struct nft_regs_track track = {};
9629 unsigned int size, data_size;
9630 void *data, *data_boundary;
9631 struct nft_rule_dp *prule;
9632 struct nft_rule *rule;
9633
9634 /* already handled or inactive chain? */
9635 if (chain->blob_next || !nft_is_active_next(net, chain))
9636 return 0;
9637
9638 data_size = 0;
9639 list_for_each_entry(rule, &chain->rules, list) {
9640 if (nft_is_active_next(net, rule)) {
9641 data_size += sizeof(*prule) + rule->dlen;
9642 if (data_size > INT_MAX)
9643 return -ENOMEM;
9644 }
9645 }
9646
9647 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
9648 if (!chain->blob_next)
9649 return -ENOMEM;
9650
9651 data = (void *)chain->blob_next->data;
9652 data_boundary = data + data_size;
9653 size = 0;
9654
9655 list_for_each_entry(rule, &chain->rules, list) {
9656 if (!nft_is_active_next(net, rule))
9657 continue;
9658
9659 prule = (struct nft_rule_dp *)data;
9660 data += offsetof(struct nft_rule_dp, data);
9661 if (WARN_ON_ONCE(data > data_boundary))
9662 return -ENOMEM;
9663
9664 size = 0;
9665 track.last = nft_expr_last(rule);
9666 nft_rule_for_each_expr(expr, last, rule) {
9667 track.cur = expr;
9668
9669 if (nft_expr_reduce(&track, expr)) {
9670 expr = track.cur;
9671 continue;
9672 }
9673
9674 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
9675 return -ENOMEM;
9676
9677 memcpy(data + size, expr, expr->ops->size);
9678 size += expr->ops->size;
9679 }
9680 if (WARN_ON_ONCE(size >= 1 << 12))
9681 return -ENOMEM;
9682
9683 prule->handle = rule->handle;
9684 prule->dlen = size;
9685 prule->is_last = 0;
9686
9687 data += size;
9688 size = 0;
9689 chain->blob_next->size += (unsigned long)(data - (void *)prule);
9690 }
9691
9692 if (WARN_ON_ONCE(data > data_boundary))
9693 return -ENOMEM;
9694
9695 prule = (struct nft_rule_dp *)data;
9696 nft_last_rule(chain, prule);
9697
9698 return 0;
9699 }
9700
9701 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
9702 {
9703 struct nftables_pernet *nft_net = nft_pernet(net);
9704 struct nft_trans *trans, *next;
9705
9706 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9707 if (trans->msg_type == NFT_MSG_NEWRULE ||
9708 trans->msg_type == NFT_MSG_DELRULE) {
9709 struct nft_chain *chain = nft_trans_rule_chain(trans);
9710
9711 kvfree(chain->blob_next);
9712 chain->blob_next = NULL;
9713 }
9714 }
9715 }
9716
9717 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
9718 {
9719 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
9720
9721 kvfree(l->blob);
9722 }
9723
9724 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
9725 {
9726 struct nft_rule_dp_last *last;
9727
9728 /* last rule trailer is after end marker */
9729 last = (void *)blob + sizeof(*blob) + blob->size;
9730 last->blob = blob;
9731
9732 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
9733 }
9734
9735 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
9736 {
9737 struct nft_rule_blob *g0, *g1;
9738 bool next_genbit;
9739
9740 next_genbit = nft_gencursor_next(net);
9741
9742 g0 = rcu_dereference_protected(chain->blob_gen_0,
9743 lockdep_commit_lock_is_held(net));
9744 g1 = rcu_dereference_protected(chain->blob_gen_1,
9745 lockdep_commit_lock_is_held(net));
9746
9747 /* No changes to this chain? */
9748 if (chain->blob_next == NULL) {
9749 /* chain had no change in last or next generation */
9750 if (g0 == g1)
9751 return;
9752 /*
9753 * chain had no change in this generation; make sure next
9754 * one uses same rules as current generation.
9755 */
9756 if (next_genbit) {
9757 rcu_assign_pointer(chain->blob_gen_1, g0);
9758 nf_tables_commit_chain_free_rules_old(g1);
9759 } else {
9760 rcu_assign_pointer(chain->blob_gen_0, g1);
9761 nf_tables_commit_chain_free_rules_old(g0);
9762 }
9763
9764 return;
9765 }
9766
9767 if (next_genbit)
9768 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9769 else
9770 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9771
9772 chain->blob_next = NULL;
9773
9774 if (g0 == g1)
9775 return;
9776
9777 if (next_genbit)
9778 nf_tables_commit_chain_free_rules_old(g1);
9779 else
9780 nf_tables_commit_chain_free_rules_old(g0);
9781 }
9782
9783 static void nft_obj_del(struct nft_object *obj)
9784 {
9785 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
9786 list_del_rcu(&obj->list);
9787 }
9788
9789 void nft_chain_del(struct nft_chain *chain)
9790 {
9791 struct nft_table *table = chain->table;
9792
9793 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9794 nft_chain_ht_params));
9795 list_del_rcu(&chain->list);
9796 }
9797
9798 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
9799 struct nft_trans_gc *trans)
9800 {
9801 struct nft_elem_priv **priv = trans->priv;
9802 unsigned int i;
9803
9804 for (i = 0; i < trans->count; i++) {
9805 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]);
9806 nft_setelem_remove(ctx->net, trans->set, priv[i]);
9807 }
9808 }
9809
9810 void nft_trans_gc_destroy(struct nft_trans_gc *trans)
9811 {
9812 nft_set_put(trans->set);
9813 put_net(trans->net);
9814 kfree(trans);
9815 }
9816
9817 static void nft_trans_gc_trans_free(struct rcu_head *rcu)
9818 {
9819 struct nft_elem_priv *elem_priv;
9820 struct nft_trans_gc *trans;
9821 struct nft_ctx ctx = {};
9822 unsigned int i;
9823
9824 trans = container_of(rcu, struct nft_trans_gc, rcu);
9825 ctx.net = read_pnet(&trans->set->net);
9826
9827 for (i = 0; i < trans->count; i++) {
9828 elem_priv = trans->priv[i];
9829 if (!nft_setelem_is_catchall(trans->set, elem_priv))
9830 atomic_dec(&trans->set->nelems);
9831
9832 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv);
9833 }
9834
9835 nft_trans_gc_destroy(trans);
9836 }
9837
9838 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
9839 {
9840 struct nftables_pernet *nft_net;
9841 struct nft_ctx ctx = {};
9842
9843 nft_net = nft_pernet(trans->net);
9844
9845 mutex_lock(&nft_net->commit_mutex);
9846
9847 /* Check for race with transaction, otherwise this batch refers to
9848 * stale objects that might not be there anymore. Skip transaction if
9849 * set has been destroyed from control plane transaction in case gc
9850 * worker loses race.
9851 */
9852 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
9853 mutex_unlock(&nft_net->commit_mutex);
9854 return false;
9855 }
9856
9857 ctx.net = trans->net;
9858 ctx.table = trans->set->table;
9859
9860 nft_trans_gc_setelem_remove(&ctx, trans);
9861 mutex_unlock(&nft_net->commit_mutex);
9862
9863 return true;
9864 }
9865
9866 static void nft_trans_gc_work(struct work_struct *work)
9867 {
9868 struct nft_trans_gc *trans, *next;
9869 LIST_HEAD(trans_gc_list);
9870
9871 spin_lock(&nf_tables_gc_list_lock);
9872 list_splice_init(&nf_tables_gc_list, &trans_gc_list);
9873 spin_unlock(&nf_tables_gc_list_lock);
9874
9875 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
9876 list_del(&trans->list);
9877 if (!nft_trans_gc_work_done(trans)) {
9878 nft_trans_gc_destroy(trans);
9879 continue;
9880 }
9881 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9882 }
9883 }
9884
9885 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
9886 unsigned int gc_seq, gfp_t gfp)
9887 {
9888 struct net *net = read_pnet(&set->net);
9889 struct nft_trans_gc *trans;
9890
9891 trans = kzalloc(sizeof(*trans), gfp);
9892 if (!trans)
9893 return NULL;
9894
9895 trans->net = maybe_get_net(net);
9896 if (!trans->net) {
9897 kfree(trans);
9898 return NULL;
9899 }
9900
9901 refcount_inc(&set->refs);
9902 trans->set = set;
9903 trans->seq = gc_seq;
9904
9905 return trans;
9906 }
9907
9908 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
9909 {
9910 trans->priv[trans->count++] = priv;
9911 }
9912
9913 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
9914 {
9915 spin_lock(&nf_tables_gc_list_lock);
9916 list_add_tail(&trans->list, &nf_tables_gc_list);
9917 spin_unlock(&nf_tables_gc_list_lock);
9918
9919 schedule_work(&trans_gc_work);
9920 }
9921
9922 static int nft_trans_gc_space(struct nft_trans_gc *trans)
9923 {
9924 return NFT_TRANS_GC_BATCHCOUNT - trans->count;
9925 }
9926
9927 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
9928 unsigned int gc_seq, gfp_t gfp)
9929 {
9930 struct nft_set *set;
9931
9932 if (nft_trans_gc_space(gc))
9933 return gc;
9934
9935 set = gc->set;
9936 nft_trans_gc_queue_work(gc);
9937
9938 return nft_trans_gc_alloc(set, gc_seq, gfp);
9939 }
9940
9941 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
9942 {
9943 if (trans->count == 0) {
9944 nft_trans_gc_destroy(trans);
9945 return;
9946 }
9947
9948 nft_trans_gc_queue_work(trans);
9949 }
9950
9951 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
9952 {
9953 struct nft_set *set;
9954
9955 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
9956 return NULL;
9957
9958 if (nft_trans_gc_space(gc))
9959 return gc;
9960
9961 set = gc->set;
9962 call_rcu(&gc->rcu, nft_trans_gc_trans_free);
9963
9964 return nft_trans_gc_alloc(set, 0, gfp);
9965 }
9966
9967 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
9968 {
9969 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
9970
9971 if (trans->count == 0) {
9972 nft_trans_gc_destroy(trans);
9973 return;
9974 }
9975
9976 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9977 }
9978
9979 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
9980 unsigned int gc_seq)
9981 {
9982 struct nft_set_elem_catchall *catchall;
9983 const struct nft_set *set = gc->set;
9984 struct nft_set_ext *ext;
9985
9986 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9987 ext = nft_set_elem_ext(set, catchall->elem);
9988
9989 if (!nft_set_elem_expired(ext))
9990 continue;
9991 if (nft_set_elem_is_dead(ext))
9992 goto dead_elem;
9993
9994 nft_set_elem_dead(ext);
9995 dead_elem:
9996 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
9997 if (!gc)
9998 return NULL;
9999
10000 nft_trans_gc_elem_add(gc, catchall->elem);
10001 }
10002
10003 return gc;
10004 }
10005
10006 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
10007 {
10008 struct nft_set_elem_catchall *catchall, *next;
10009 u64 tstamp = nft_net_tstamp(gc->net);
10010 const struct nft_set *set = gc->set;
10011 struct nft_elem_priv *elem_priv;
10012 struct nft_set_ext *ext;
10013
10014 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
10015
10016 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
10017 ext = nft_set_elem_ext(set, catchall->elem);
10018
10019 if (!__nft_set_elem_expired(ext, tstamp))
10020 continue;
10021
10022 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
10023 if (!gc)
10024 return NULL;
10025
10026 elem_priv = catchall->elem;
10027 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
10028 nft_setelem_catchall_destroy(catchall);
10029 nft_trans_gc_elem_add(gc, elem_priv);
10030 }
10031
10032 return gc;
10033 }
10034
10035 static void nf_tables_module_autoload_cleanup(struct net *net)
10036 {
10037 struct nftables_pernet *nft_net = nft_pernet(net);
10038 struct nft_module_request *req, *next;
10039
10040 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10041 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
10042 WARN_ON_ONCE(!req->done);
10043 list_del(&req->list);
10044 kfree(req);
10045 }
10046 }
10047
10048 static void nf_tables_commit_release(struct net *net)
10049 {
10050 struct nftables_pernet *nft_net = nft_pernet(net);
10051 struct nft_trans *trans;
10052
10053 /* all side effects have to be made visible.
10054 * For example, if a chain named 'foo' has been deleted, a
10055 * new transaction must not find it anymore.
10056 *
10057 * Memory reclaim happens asynchronously from work queue
10058 * to prevent expensive synchronize_rcu() in commit phase.
10059 */
10060 if (list_empty(&nft_net->commit_list)) {
10061 nf_tables_module_autoload_cleanup(net);
10062 mutex_unlock(&nft_net->commit_mutex);
10063 return;
10064 }
10065
10066 trans = list_last_entry(&nft_net->commit_list,
10067 struct nft_trans, list);
10068 get_net(trans->net);
10069 WARN_ON_ONCE(trans->put_net);
10070
10071 trans->put_net = true;
10072 spin_lock(&nf_tables_destroy_list_lock);
10073 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
10074 spin_unlock(&nf_tables_destroy_list_lock);
10075
10076 nf_tables_module_autoload_cleanup(net);
10077 schedule_work(&trans_destroy_work);
10078
10079 mutex_unlock(&nft_net->commit_mutex);
10080 }
10081
10082 static void nft_commit_notify(struct net *net, u32 portid)
10083 {
10084 struct nftables_pernet *nft_net = nft_pernet(net);
10085 struct sk_buff *batch_skb = NULL, *nskb, *skb;
10086 unsigned char *data;
10087 int len;
10088
10089 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
10090 if (!batch_skb) {
10091 new_batch:
10092 batch_skb = skb;
10093 len = NLMSG_GOODSIZE - skb->len;
10094 list_del(&skb->list);
10095 continue;
10096 }
10097 len -= skb->len;
10098 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
10099 data = skb_put(batch_skb, skb->len);
10100 memcpy(data, skb->data, skb->len);
10101 list_del(&skb->list);
10102 kfree_skb(skb);
10103 continue;
10104 }
10105 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10106 NFT_CB(batch_skb).report, GFP_KERNEL);
10107 goto new_batch;
10108 }
10109
10110 if (batch_skb) {
10111 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10112 NFT_CB(batch_skb).report, GFP_KERNEL);
10113 }
10114
10115 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10116 }
10117
10118 static int nf_tables_commit_audit_alloc(struct list_head *adl,
10119 struct nft_table *table)
10120 {
10121 struct nft_audit_data *adp;
10122
10123 list_for_each_entry(adp, adl, list) {
10124 if (adp->table == table)
10125 return 0;
10126 }
10127 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
10128 if (!adp)
10129 return -ENOMEM;
10130 adp->table = table;
10131 list_add(&adp->list, adl);
10132 return 0;
10133 }
10134
10135 static void nf_tables_commit_audit_free(struct list_head *adl)
10136 {
10137 struct nft_audit_data *adp, *adn;
10138
10139 list_for_each_entry_safe(adp, adn, adl, list) {
10140 list_del(&adp->list);
10141 kfree(adp);
10142 }
10143 }
10144
10145 static void nf_tables_commit_audit_collect(struct list_head *adl,
10146 struct nft_table *table, u32 op)
10147 {
10148 struct nft_audit_data *adp;
10149
10150 list_for_each_entry(adp, adl, list) {
10151 if (adp->table == table)
10152 goto found;
10153 }
10154 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
10155 return;
10156 found:
10157 adp->entries++;
10158 if (!adp->op || adp->op > op)
10159 adp->op = op;
10160 }
10161
10162 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
10163
10164 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
10165 {
10166 struct nft_audit_data *adp, *adn;
10167 char aubuf[AUNFTABLENAMELEN];
10168
10169 list_for_each_entry_safe(adp, adn, adl, list) {
10170 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
10171 generation);
10172 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
10173 nft2audit_op[adp->op], GFP_KERNEL);
10174 list_del(&adp->list);
10175 kfree(adp);
10176 }
10177 }
10178
10179 static void nft_set_commit_update(struct list_head *set_update_list)
10180 {
10181 struct nft_set *set, *next;
10182
10183 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10184 list_del_init(&set->pending_update);
10185
10186 if (!set->ops->commit || set->dead)
10187 continue;
10188
10189 set->ops->commit(set);
10190 }
10191 }
10192
10193 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
10194 {
10195 unsigned int gc_seq;
10196
10197 /* Bump gc counter, it becomes odd, this is the busy mark. */
10198 gc_seq = READ_ONCE(nft_net->gc_seq);
10199 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10200
10201 return gc_seq;
10202 }
10203
10204 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
10205 {
10206 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10207 }
10208
10209 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
10210 {
10211 struct nftables_pernet *nft_net = nft_pernet(net);
10212 const struct nlmsghdr *nlh = nlmsg_hdr(skb);
10213 struct nft_trans_binding *trans_binding;
10214 struct nft_trans *trans, *next;
10215 unsigned int base_seq, gc_seq;
10216 LIST_HEAD(set_update_list);
10217 struct nft_trans_elem *te;
10218 struct nft_chain *chain;
10219 struct nft_table *table;
10220 struct nft_ctx ctx;
10221 LIST_HEAD(adl);
10222 int err;
10223
10224 if (list_empty(&nft_net->commit_list)) {
10225 mutex_unlock(&nft_net->commit_mutex);
10226 return 0;
10227 }
10228
10229 nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL);
10230
10231 list_for_each_entry(trans_binding, &nft_net->binding_list, binding_list) {
10232 trans = &trans_binding->nft_trans;
10233 switch (trans->msg_type) {
10234 case NFT_MSG_NEWSET:
10235 if (!nft_trans_set_update(trans) &&
10236 nft_set_is_anonymous(nft_trans_set(trans)) &&
10237 !nft_trans_set_bound(trans)) {
10238 pr_warn_once("nftables ruleset with unbound set\n");
10239 return -EINVAL;
10240 }
10241 break;
10242 case NFT_MSG_NEWCHAIN:
10243 if (!nft_trans_chain_update(trans) &&
10244 nft_chain_binding(nft_trans_chain(trans)) &&
10245 !nft_trans_chain_bound(trans)) {
10246 pr_warn_once("nftables ruleset with unbound chain\n");
10247 return -EINVAL;
10248 }
10249 break;
10250 default:
10251 WARN_ONCE(1, "Unhandled bind type %d", trans->msg_type);
10252 break;
10253 }
10254 }
10255
10256 /* 0. Validate ruleset, otherwise roll back for error reporting. */
10257 if (nf_tables_validate(net) < 0) {
10258 nft_net->validate_state = NFT_VALIDATE_DO;
10259 return -EAGAIN;
10260 }
10261
10262 err = nft_flow_rule_offload_commit(net);
10263 if (err < 0)
10264 return err;
10265
10266 /* 1. Allocate space for next generation rules_gen_X[] */
10267 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10268 struct nft_table *table = trans->table;
10269 int ret;
10270
10271 ret = nf_tables_commit_audit_alloc(&adl, table);
10272 if (ret) {
10273 nf_tables_commit_chain_prepare_cancel(net);
10274 nf_tables_commit_audit_free(&adl);
10275 return ret;
10276 }
10277 if (trans->msg_type == NFT_MSG_NEWRULE ||
10278 trans->msg_type == NFT_MSG_DELRULE) {
10279 chain = nft_trans_rule_chain(trans);
10280
10281 ret = nf_tables_commit_chain_prepare(net, chain);
10282 if (ret < 0) {
10283 nf_tables_commit_chain_prepare_cancel(net);
10284 nf_tables_commit_audit_free(&adl);
10285 return ret;
10286 }
10287 }
10288 }
10289
10290 /* step 2. Make rules_gen_X visible to packet path */
10291 list_for_each_entry(table, &nft_net->tables, list) {
10292 list_for_each_entry(chain, &table->chains, list)
10293 nf_tables_commit_chain(net, chain);
10294 }
10295
10296 /*
10297 * Bump generation counter, invalidate any dump in progress.
10298 * Cannot fail after this point.
10299 */
10300 base_seq = READ_ONCE(nft_net->base_seq);
10301 while (++base_seq == 0)
10302 ;
10303
10304 WRITE_ONCE(nft_net->base_seq, base_seq);
10305
10306 gc_seq = nft_gc_seq_begin(nft_net);
10307
10308 /* step 3. Start new generation, rules_gen_X now in use. */
10309 net->nft.gencursor = nft_gencursor_next(net);
10310
10311 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10312 struct nft_table *table = trans->table;
10313
10314 nft_ctx_update(&ctx, trans);
10315
10316 nf_tables_commit_audit_collect(&adl, table, trans->msg_type);
10317 switch (trans->msg_type) {
10318 case NFT_MSG_NEWTABLE:
10319 if (nft_trans_table_update(trans)) {
10320 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
10321 nft_trans_destroy(trans);
10322 break;
10323 }
10324 if (table->flags & NFT_TABLE_F_DORMANT)
10325 nf_tables_table_disable(net, table);
10326
10327 table->flags &= ~__NFT_TABLE_F_UPDATE;
10328 } else {
10329 nft_clear(net, table);
10330 }
10331 nf_tables_table_notify(&ctx, NFT_MSG_NEWTABLE);
10332 nft_trans_destroy(trans);
10333 break;
10334 case NFT_MSG_DELTABLE:
10335 case NFT_MSG_DESTROYTABLE:
10336 list_del_rcu(&table->list);
10337 nf_tables_table_notify(&ctx, trans->msg_type);
10338 break;
10339 case NFT_MSG_NEWCHAIN:
10340 if (nft_trans_chain_update(trans)) {
10341 nft_chain_commit_update(nft_trans_container_chain(trans));
10342 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN,
10343 &nft_trans_chain_hooks(trans));
10344 list_splice(&nft_trans_chain_hooks(trans),
10345 &nft_trans_basechain(trans)->hook_list);
10346 /* trans destroyed after rcu grace period */
10347 } else {
10348 nft_chain_commit_drop_policy(nft_trans_container_chain(trans));
10349 nft_clear(net, nft_trans_chain(trans));
10350 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL);
10351 nft_trans_destroy(trans);
10352 }
10353 break;
10354 case NFT_MSG_DELCHAIN:
10355 case NFT_MSG_DESTROYCHAIN:
10356 if (nft_trans_chain_update(trans)) {
10357 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
10358 &nft_trans_chain_hooks(trans));
10359 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
10360 nft_netdev_unregister_hooks(net,
10361 &nft_trans_chain_hooks(trans),
10362 true);
10363 }
10364 } else {
10365 nft_chain_del(nft_trans_chain(trans));
10366 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
10367 NULL);
10368 nf_tables_unregister_hook(ctx.net, ctx.table,
10369 nft_trans_chain(trans));
10370 }
10371 break;
10372 case NFT_MSG_NEWRULE:
10373 nft_clear(net, nft_trans_rule(trans));
10374 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
10375 NFT_MSG_NEWRULE);
10376 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10377 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10378
10379 nft_trans_destroy(trans);
10380 break;
10381 case NFT_MSG_DELRULE:
10382 case NFT_MSG_DESTROYRULE:
10383 list_del_rcu(&nft_trans_rule(trans)->list);
10384 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
10385 trans->msg_type);
10386 nft_rule_expr_deactivate(&ctx, nft_trans_rule(trans),
10387 NFT_TRANS_COMMIT);
10388
10389 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10390 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10391 break;
10392 case NFT_MSG_NEWSET:
10393 if (nft_trans_set_update(trans)) {
10394 struct nft_set *set = nft_trans_set(trans);
10395
10396 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
10397 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
10398
10399 if (nft_trans_set_size(trans))
10400 WRITE_ONCE(set->size, nft_trans_set_size(trans));
10401 } else {
10402 nft_clear(net, nft_trans_set(trans));
10403 /* This avoids hitting -EBUSY when deleting the table
10404 * from the transaction.
10405 */
10406 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
10407 !list_empty(&nft_trans_set(trans)->bindings))
10408 nft_use_dec(&table->use);
10409 }
10410 nf_tables_set_notify(&ctx, nft_trans_set(trans),
10411 NFT_MSG_NEWSET, GFP_KERNEL);
10412 nft_trans_destroy(trans);
10413 break;
10414 case NFT_MSG_DELSET:
10415 case NFT_MSG_DESTROYSET:
10416 nft_trans_set(trans)->dead = 1;
10417 list_del_rcu(&nft_trans_set(trans)->list);
10418 nf_tables_set_notify(&ctx, nft_trans_set(trans),
10419 trans->msg_type, GFP_KERNEL);
10420 break;
10421 case NFT_MSG_NEWSETELEM:
10422 te = nft_trans_container_elem(trans);
10423
10424 nft_setelem_activate(net, te->set, te->elem_priv);
10425 nf_tables_setelem_notify(&ctx, te->set,
10426 te->elem_priv,
10427 NFT_MSG_NEWSETELEM);
10428 if (te->set->ops->commit &&
10429 list_empty(&te->set->pending_update)) {
10430 list_add_tail(&te->set->pending_update,
10431 &set_update_list);
10432 }
10433 nft_trans_destroy(trans);
10434 break;
10435 case NFT_MSG_DELSETELEM:
10436 case NFT_MSG_DESTROYSETELEM:
10437 te = nft_trans_container_elem(trans);
10438
10439 nf_tables_setelem_notify(&ctx, te->set,
10440 te->elem_priv,
10441 trans->msg_type);
10442 nft_setelem_remove(net, te->set, te->elem_priv);
10443 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) {
10444 atomic_dec(&te->set->nelems);
10445 te->set->ndeact--;
10446 }
10447 if (te->set->ops->commit &&
10448 list_empty(&te->set->pending_update)) {
10449 list_add_tail(&te->set->pending_update,
10450 &set_update_list);
10451 }
10452 break;
10453 case NFT_MSG_NEWOBJ:
10454 if (nft_trans_obj_update(trans)) {
10455 nft_obj_commit_update(&ctx, trans);
10456 nf_tables_obj_notify(&ctx,
10457 nft_trans_obj(trans),
10458 NFT_MSG_NEWOBJ);
10459 } else {
10460 nft_clear(net, nft_trans_obj(trans));
10461 nf_tables_obj_notify(&ctx,
10462 nft_trans_obj(trans),
10463 NFT_MSG_NEWOBJ);
10464 nft_trans_destroy(trans);
10465 }
10466 break;
10467 case NFT_MSG_DELOBJ:
10468 case NFT_MSG_DESTROYOBJ:
10469 nft_obj_del(nft_trans_obj(trans));
10470 nf_tables_obj_notify(&ctx, nft_trans_obj(trans),
10471 trans->msg_type);
10472 break;
10473 case NFT_MSG_NEWFLOWTABLE:
10474 if (nft_trans_flowtable_update(trans)) {
10475 nft_trans_flowtable(trans)->data.flags =
10476 nft_trans_flowtable_flags(trans);
10477 nf_tables_flowtable_notify(&ctx,
10478 nft_trans_flowtable(trans),
10479 &nft_trans_flowtable_hooks(trans),
10480 NFT_MSG_NEWFLOWTABLE);
10481 list_splice(&nft_trans_flowtable_hooks(trans),
10482 &nft_trans_flowtable(trans)->hook_list);
10483 } else {
10484 nft_clear(net, nft_trans_flowtable(trans));
10485 nf_tables_flowtable_notify(&ctx,
10486 nft_trans_flowtable(trans),
10487 NULL,
10488 NFT_MSG_NEWFLOWTABLE);
10489 }
10490 nft_trans_destroy(trans);
10491 break;
10492 case NFT_MSG_DELFLOWTABLE:
10493 case NFT_MSG_DESTROYFLOWTABLE:
10494 if (nft_trans_flowtable_update(trans)) {
10495 nf_tables_flowtable_notify(&ctx,
10496 nft_trans_flowtable(trans),
10497 &nft_trans_flowtable_hooks(trans),
10498 trans->msg_type);
10499 nft_unregister_flowtable_net_hooks(net,
10500 &nft_trans_flowtable_hooks(trans));
10501 } else {
10502 list_del_rcu(&nft_trans_flowtable(trans)->list);
10503 nf_tables_flowtable_notify(&ctx,
10504 nft_trans_flowtable(trans),
10505 NULL,
10506 trans->msg_type);
10507 nft_unregister_flowtable_net_hooks(net,
10508 &nft_trans_flowtable(trans)->hook_list);
10509 }
10510 break;
10511 }
10512 }
10513
10514 nft_set_commit_update(&set_update_list);
10515
10516 nft_commit_notify(net, NETLINK_CB(skb).portid);
10517 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
10518 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
10519
10520 nft_gc_seq_end(nft_net, gc_seq);
10521 nft_net->validate_state = NFT_VALIDATE_SKIP;
10522 nf_tables_commit_release(net);
10523
10524 return 0;
10525 }
10526
10527 static void nf_tables_module_autoload(struct net *net)
10528 {
10529 struct nftables_pernet *nft_net = nft_pernet(net);
10530 struct nft_module_request *req, *next;
10531 LIST_HEAD(module_list);
10532
10533 list_splice_init(&nft_net->module_list, &module_list);
10534 mutex_unlock(&nft_net->commit_mutex);
10535 list_for_each_entry_safe(req, next, &module_list, list) {
10536 request_module("%s", req->module);
10537 req->done = true;
10538 }
10539 mutex_lock(&nft_net->commit_mutex);
10540 list_splice(&module_list, &nft_net->module_list);
10541 }
10542
10543 static void nf_tables_abort_release(struct nft_trans *trans)
10544 {
10545 struct nft_ctx ctx = { };
10546
10547 nft_ctx_update(&ctx, trans);
10548
10549 switch (trans->msg_type) {
10550 case NFT_MSG_NEWTABLE:
10551 nf_tables_table_destroy(trans->table);
10552 break;
10553 case NFT_MSG_NEWCHAIN:
10554 if (nft_trans_chain_update(trans))
10555 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
10556 else
10557 nf_tables_chain_destroy(nft_trans_chain(trans));
10558 break;
10559 case NFT_MSG_NEWRULE:
10560 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
10561 break;
10562 case NFT_MSG_NEWSET:
10563 nft_set_destroy(&ctx, nft_trans_set(trans));
10564 break;
10565 case NFT_MSG_NEWSETELEM:
10566 nft_set_elem_destroy(nft_trans_elem_set(trans),
10567 nft_trans_elem_priv(trans), true);
10568 break;
10569 case NFT_MSG_NEWOBJ:
10570 nft_obj_destroy(&ctx, nft_trans_obj(trans));
10571 break;
10572 case NFT_MSG_NEWFLOWTABLE:
10573 if (nft_trans_flowtable_update(trans))
10574 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
10575 else
10576 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10577 break;
10578 }
10579 kfree(trans);
10580 }
10581
10582 static void nft_set_abort_update(struct list_head *set_update_list)
10583 {
10584 struct nft_set *set, *next;
10585
10586 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10587 list_del_init(&set->pending_update);
10588
10589 if (!set->ops->abort)
10590 continue;
10591
10592 set->ops->abort(set);
10593 }
10594 }
10595
10596 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
10597 {
10598 struct nftables_pernet *nft_net = nft_pernet(net);
10599 struct nft_trans *trans, *next;
10600 LIST_HEAD(set_update_list);
10601 struct nft_trans_elem *te;
10602 struct nft_ctx ctx = {
10603 .net = net,
10604 };
10605 int err = 0;
10606
10607 if (action == NFNL_ABORT_VALIDATE &&
10608 nf_tables_validate(net) < 0)
10609 err = -EAGAIN;
10610
10611 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
10612 list) {
10613 struct nft_table *table = trans->table;
10614
10615 nft_ctx_update(&ctx, trans);
10616
10617 switch (trans->msg_type) {
10618 case NFT_MSG_NEWTABLE:
10619 if (nft_trans_table_update(trans)) {
10620 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
10621 nft_trans_destroy(trans);
10622 break;
10623 }
10624 if (table->flags & __NFT_TABLE_F_WAS_DORMANT) {
10625 nf_tables_table_disable(net, table);
10626 table->flags |= NFT_TABLE_F_DORMANT;
10627 } else if (table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
10628 table->flags &= ~NFT_TABLE_F_DORMANT;
10629 }
10630 if (table->flags & __NFT_TABLE_F_WAS_ORPHAN) {
10631 table->flags &= ~NFT_TABLE_F_OWNER;
10632 table->nlpid = 0;
10633 }
10634 table->flags &= ~__NFT_TABLE_F_UPDATE;
10635 nft_trans_destroy(trans);
10636 } else {
10637 list_del_rcu(&table->list);
10638 }
10639 break;
10640 case NFT_MSG_DELTABLE:
10641 case NFT_MSG_DESTROYTABLE:
10642 nft_clear(trans->net, table);
10643 nft_trans_destroy(trans);
10644 break;
10645 case NFT_MSG_NEWCHAIN:
10646 if (nft_trans_chain_update(trans)) {
10647 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
10648 nft_netdev_unregister_hooks(net,
10649 &nft_trans_chain_hooks(trans),
10650 true);
10651 }
10652 free_percpu(nft_trans_chain_stats(trans));
10653 kfree(nft_trans_chain_name(trans));
10654 nft_trans_destroy(trans);
10655 } else {
10656 if (nft_trans_chain_bound(trans)) {
10657 nft_trans_destroy(trans);
10658 break;
10659 }
10660 nft_use_dec_restore(&table->use);
10661 nft_chain_del(nft_trans_chain(trans));
10662 nf_tables_unregister_hook(trans->net, table,
10663 nft_trans_chain(trans));
10664 }
10665 break;
10666 case NFT_MSG_DELCHAIN:
10667 case NFT_MSG_DESTROYCHAIN:
10668 if (nft_trans_chain_update(trans)) {
10669 list_splice(&nft_trans_chain_hooks(trans),
10670 &nft_trans_basechain(trans)->hook_list);
10671 } else {
10672 nft_use_inc_restore(&table->use);
10673 nft_clear(trans->net, nft_trans_chain(trans));
10674 }
10675 nft_trans_destroy(trans);
10676 break;
10677 case NFT_MSG_NEWRULE:
10678 if (nft_trans_rule_bound(trans)) {
10679 nft_trans_destroy(trans);
10680 break;
10681 }
10682 nft_use_dec_restore(&nft_trans_rule_chain(trans)->use);
10683 list_del_rcu(&nft_trans_rule(trans)->list);
10684 nft_rule_expr_deactivate(&ctx,
10685 nft_trans_rule(trans),
10686 NFT_TRANS_ABORT);
10687 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10688 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10689 break;
10690 case NFT_MSG_DELRULE:
10691 case NFT_MSG_DESTROYRULE:
10692 nft_use_inc_restore(&nft_trans_rule_chain(trans)->use);
10693 nft_clear(trans->net, nft_trans_rule(trans));
10694 nft_rule_expr_activate(&ctx, nft_trans_rule(trans));
10695 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10696 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10697
10698 nft_trans_destroy(trans);
10699 break;
10700 case NFT_MSG_NEWSET:
10701 if (nft_trans_set_update(trans)) {
10702 nft_trans_destroy(trans);
10703 break;
10704 }
10705 nft_use_dec_restore(&table->use);
10706 if (nft_trans_set_bound(trans)) {
10707 nft_trans_destroy(trans);
10708 break;
10709 }
10710 nft_trans_set(trans)->dead = 1;
10711 list_del_rcu(&nft_trans_set(trans)->list);
10712 break;
10713 case NFT_MSG_DELSET:
10714 case NFT_MSG_DESTROYSET:
10715 nft_use_inc_restore(&table->use);
10716 nft_clear(trans->net, nft_trans_set(trans));
10717 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
10718 nft_map_activate(&ctx, nft_trans_set(trans));
10719
10720 nft_trans_destroy(trans);
10721 break;
10722 case NFT_MSG_NEWSETELEM:
10723 if (nft_trans_elem_set_bound(trans)) {
10724 nft_trans_destroy(trans);
10725 break;
10726 }
10727 te = nft_trans_container_elem(trans);
10728 nft_setelem_remove(net, te->set, te->elem_priv);
10729 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10730 atomic_dec(&te->set->nelems);
10731
10732 if (te->set->ops->abort &&
10733 list_empty(&te->set->pending_update)) {
10734 list_add_tail(&te->set->pending_update,
10735 &set_update_list);
10736 }
10737 break;
10738 case NFT_MSG_DELSETELEM:
10739 case NFT_MSG_DESTROYSETELEM:
10740 te = nft_trans_container_elem(trans);
10741
10742 if (!nft_setelem_active_next(net, te->set, te->elem_priv)) {
10743 nft_setelem_data_activate(net, te->set, te->elem_priv);
10744 nft_setelem_activate(net, te->set, te->elem_priv);
10745 }
10746 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10747 te->set->ndeact--;
10748
10749 if (te->set->ops->abort &&
10750 list_empty(&te->set->pending_update)) {
10751 list_add_tail(&te->set->pending_update,
10752 &set_update_list);
10753 }
10754 nft_trans_destroy(trans);
10755 break;
10756 case NFT_MSG_NEWOBJ:
10757 if (nft_trans_obj_update(trans)) {
10758 nft_obj_destroy(&ctx, nft_trans_obj_newobj(trans));
10759 nft_trans_destroy(trans);
10760 } else {
10761 nft_use_dec_restore(&table->use);
10762 nft_obj_del(nft_trans_obj(trans));
10763 }
10764 break;
10765 case NFT_MSG_DELOBJ:
10766 case NFT_MSG_DESTROYOBJ:
10767 nft_use_inc_restore(&table->use);
10768 nft_clear(trans->net, nft_trans_obj(trans));
10769 nft_trans_destroy(trans);
10770 break;
10771 case NFT_MSG_NEWFLOWTABLE:
10772 if (nft_trans_flowtable_update(trans)) {
10773 nft_unregister_flowtable_net_hooks(net,
10774 &nft_trans_flowtable_hooks(trans));
10775 } else {
10776 nft_use_dec_restore(&table->use);
10777 list_del_rcu(&nft_trans_flowtable(trans)->list);
10778 nft_unregister_flowtable_net_hooks(net,
10779 &nft_trans_flowtable(trans)->hook_list);
10780 }
10781 break;
10782 case NFT_MSG_DELFLOWTABLE:
10783 case NFT_MSG_DESTROYFLOWTABLE:
10784 if (nft_trans_flowtable_update(trans)) {
10785 list_splice(&nft_trans_flowtable_hooks(trans),
10786 &nft_trans_flowtable(trans)->hook_list);
10787 } else {
10788 nft_use_inc_restore(&table->use);
10789 nft_clear(trans->net, nft_trans_flowtable(trans));
10790 }
10791 nft_trans_destroy(trans);
10792 break;
10793 }
10794 }
10795
10796 nft_set_abort_update(&set_update_list);
10797
10798 synchronize_rcu();
10799
10800 list_for_each_entry_safe_reverse(trans, next,
10801 &nft_net->commit_list, list) {
10802 nft_trans_list_del(trans);
10803 nf_tables_abort_release(trans);
10804 }
10805
10806 return err;
10807 }
10808
10809 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
10810 enum nfnl_abort_action action)
10811 {
10812 struct nftables_pernet *nft_net = nft_pernet(net);
10813 unsigned int gc_seq;
10814 int ret;
10815
10816 gc_seq = nft_gc_seq_begin(nft_net);
10817 ret = __nf_tables_abort(net, action);
10818 nft_gc_seq_end(nft_net, gc_seq);
10819
10820 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10821
10822 /* module autoload needs to happen after GC sequence update because it
10823 * temporarily releases and grabs mutex again.
10824 */
10825 if (action == NFNL_ABORT_AUTOLOAD)
10826 nf_tables_module_autoload(net);
10827 else
10828 nf_tables_module_autoload_cleanup(net);
10829
10830 mutex_unlock(&nft_net->commit_mutex);
10831
10832 return ret;
10833 }
10834
10835 static bool nf_tables_valid_genid(struct net *net, u32 genid)
10836 {
10837 struct nftables_pernet *nft_net = nft_pernet(net);
10838 bool genid_ok;
10839
10840 mutex_lock(&nft_net->commit_mutex);
10841 nft_net->tstamp = get_jiffies_64();
10842
10843 genid_ok = genid == 0 || nft_net->base_seq == genid;
10844 if (!genid_ok)
10845 mutex_unlock(&nft_net->commit_mutex);
10846
10847 /* else, commit mutex has to be released by commit or abort function */
10848 return genid_ok;
10849 }
10850
10851 static const struct nfnetlink_subsystem nf_tables_subsys = {
10852 .name = "nf_tables",
10853 .subsys_id = NFNL_SUBSYS_NFTABLES,
10854 .cb_count = NFT_MSG_MAX,
10855 .cb = nf_tables_cb,
10856 .commit = nf_tables_commit,
10857 .abort = nf_tables_abort,
10858 .valid_genid = nf_tables_valid_genid,
10859 .owner = THIS_MODULE,
10860 };
10861
10862 int nft_chain_validate_dependency(const struct nft_chain *chain,
10863 enum nft_chain_types type)
10864 {
10865 const struct nft_base_chain *basechain;
10866
10867 if (nft_is_base_chain(chain)) {
10868 basechain = nft_base_chain(chain);
10869 if (basechain->type->type != type)
10870 return -EOPNOTSUPP;
10871 }
10872 return 0;
10873 }
10874 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
10875
10876 int nft_chain_validate_hooks(const struct nft_chain *chain,
10877 unsigned int hook_flags)
10878 {
10879 struct nft_base_chain *basechain;
10880
10881 if (nft_is_base_chain(chain)) {
10882 basechain = nft_base_chain(chain);
10883
10884 if ((1 << basechain->ops.hooknum) & hook_flags)
10885 return 0;
10886
10887 return -EOPNOTSUPP;
10888 }
10889
10890 return 0;
10891 }
10892 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
10893
10894 /**
10895 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
10896 *
10897 * @attr: netlink attribute to fetch value from
10898 * @max: maximum value to be stored in dest
10899 * @dest: pointer to the variable
10900 *
10901 * Parse, check and store a given u32 netlink attribute into variable.
10902 * This function returns -ERANGE if the value goes over maximum value.
10903 * Otherwise a 0 is returned and the attribute value is stored in the
10904 * destination variable.
10905 */
10906 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
10907 {
10908 u32 val;
10909
10910 val = ntohl(nla_get_be32(attr));
10911 if (val > max)
10912 return -ERANGE;
10913
10914 *dest = val;
10915 return 0;
10916 }
10917 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
10918
10919 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
10920 {
10921 unsigned int reg;
10922
10923 reg = ntohl(nla_get_be32(attr));
10924 switch (reg) {
10925 case NFT_REG_VERDICT...NFT_REG_4:
10926 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
10927 break;
10928 case NFT_REG32_00...NFT_REG32_15:
10929 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
10930 break;
10931 default:
10932 return -ERANGE;
10933 }
10934
10935 return 0;
10936 }
10937
10938 /**
10939 * nft_dump_register - dump a register value to a netlink attribute
10940 *
10941 * @skb: socket buffer
10942 * @attr: attribute number
10943 * @reg: register number
10944 *
10945 * Construct a netlink attribute containing the register number. For
10946 * compatibility reasons, register numbers being a multiple of 4 are
10947 * translated to the corresponding 128 bit register numbers.
10948 */
10949 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
10950 {
10951 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
10952 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
10953 else
10954 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
10955
10956 return nla_put_be32(skb, attr, htonl(reg));
10957 }
10958 EXPORT_SYMBOL_GPL(nft_dump_register);
10959
10960 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
10961 {
10962 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10963 return -EINVAL;
10964 if (len == 0)
10965 return -EINVAL;
10966 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
10967 return -ERANGE;
10968
10969 return 0;
10970 }
10971
10972 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
10973 {
10974 u32 reg;
10975 int err;
10976
10977 err = nft_parse_register(attr, ®);
10978 if (err < 0)
10979 return err;
10980
10981 err = nft_validate_register_load(reg, len);
10982 if (err < 0)
10983 return err;
10984
10985 *sreg = reg;
10986 return 0;
10987 }
10988 EXPORT_SYMBOL_GPL(nft_parse_register_load);
10989
10990 static int nft_validate_register_store(const struct nft_ctx *ctx,
10991 enum nft_registers reg,
10992 const struct nft_data *data,
10993 enum nft_data_types type,
10994 unsigned int len)
10995 {
10996 int err;
10997
10998 switch (reg) {
10999 case NFT_REG_VERDICT:
11000 if (type != NFT_DATA_VERDICT)
11001 return -EINVAL;
11002
11003 if (data != NULL &&
11004 (data->verdict.code == NFT_GOTO ||
11005 data->verdict.code == NFT_JUMP)) {
11006 err = nft_chain_validate(ctx, data->verdict.chain);
11007 if (err < 0)
11008 return err;
11009 }
11010
11011 return 0;
11012 default:
11013 if (type != NFT_DATA_VALUE)
11014 return -EINVAL;
11015
11016 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11017 return -EINVAL;
11018 if (len == 0)
11019 return -EINVAL;
11020 if (reg * NFT_REG32_SIZE + len >
11021 sizeof_field(struct nft_regs, data))
11022 return -ERANGE;
11023
11024 return 0;
11025 }
11026 }
11027
11028 int nft_parse_register_store(const struct nft_ctx *ctx,
11029 const struct nlattr *attr, u8 *dreg,
11030 const struct nft_data *data,
11031 enum nft_data_types type, unsigned int len)
11032 {
11033 int err;
11034 u32 reg;
11035
11036 err = nft_parse_register(attr, ®);
11037 if (err < 0)
11038 return err;
11039
11040 err = nft_validate_register_store(ctx, reg, data, type, len);
11041 if (err < 0)
11042 return err;
11043
11044 *dreg = reg;
11045 return 0;
11046 }
11047 EXPORT_SYMBOL_GPL(nft_parse_register_store);
11048
11049 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
11050 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
11051 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
11052 .len = NFT_CHAIN_MAXNAMELEN - 1 },
11053 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
11054 };
11055
11056 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
11057 struct nft_data_desc *desc, const struct nlattr *nla)
11058 {
11059 u8 genmask = nft_genmask_next(ctx->net);
11060 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
11061 struct nft_chain *chain;
11062 int err;
11063
11064 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
11065 nft_verdict_policy, NULL);
11066 if (err < 0)
11067 return err;
11068
11069 if (!tb[NFTA_VERDICT_CODE])
11070 return -EINVAL;
11071
11072 /* zero padding hole for memcmp */
11073 memset(data, 0, sizeof(*data));
11074 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
11075
11076 switch (data->verdict.code) {
11077 case NF_ACCEPT:
11078 case NF_DROP:
11079 case NF_QUEUE:
11080 break;
11081 case NFT_CONTINUE:
11082 case NFT_BREAK:
11083 case NFT_RETURN:
11084 break;
11085 case NFT_JUMP:
11086 case NFT_GOTO:
11087 if (tb[NFTA_VERDICT_CHAIN]) {
11088 chain = nft_chain_lookup(ctx->net, ctx->table,
11089 tb[NFTA_VERDICT_CHAIN],
11090 genmask);
11091 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
11092 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
11093 tb[NFTA_VERDICT_CHAIN_ID],
11094 genmask);
11095 if (IS_ERR(chain))
11096 return PTR_ERR(chain);
11097 } else {
11098 return -EINVAL;
11099 }
11100
11101 if (IS_ERR(chain))
11102 return PTR_ERR(chain);
11103 if (nft_is_base_chain(chain))
11104 return -EOPNOTSUPP;
11105 if (nft_chain_is_bound(chain))
11106 return -EINVAL;
11107 if (desc->flags & NFT_DATA_DESC_SETELEM &&
11108 chain->flags & NFT_CHAIN_BINDING)
11109 return -EINVAL;
11110 if (!nft_use_inc(&chain->use))
11111 return -EMFILE;
11112
11113 data->verdict.chain = chain;
11114 break;
11115 default:
11116 return -EINVAL;
11117 }
11118
11119 desc->len = sizeof(data->verdict);
11120
11121 return 0;
11122 }
11123
11124 static void nft_verdict_uninit(const struct nft_data *data)
11125 {
11126 struct nft_chain *chain;
11127
11128 switch (data->verdict.code) {
11129 case NFT_JUMP:
11130 case NFT_GOTO:
11131 chain = data->verdict.chain;
11132 nft_use_dec(&chain->use);
11133 break;
11134 }
11135 }
11136
11137 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
11138 {
11139 struct nlattr *nest;
11140
11141 nest = nla_nest_start_noflag(skb, type);
11142 if (!nest)
11143 goto nla_put_failure;
11144
11145 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
11146 goto nla_put_failure;
11147
11148 switch (v->code) {
11149 case NFT_JUMP:
11150 case NFT_GOTO:
11151 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
11152 v->chain->name))
11153 goto nla_put_failure;
11154 }
11155 nla_nest_end(skb, nest);
11156 return 0;
11157
11158 nla_put_failure:
11159 return -1;
11160 }
11161
11162 static int nft_value_init(const struct nft_ctx *ctx,
11163 struct nft_data *data, struct nft_data_desc *desc,
11164 const struct nlattr *nla)
11165 {
11166 unsigned int len;
11167
11168 len = nla_len(nla);
11169 if (len == 0)
11170 return -EINVAL;
11171 if (len > desc->size)
11172 return -EOVERFLOW;
11173 if (desc->len) {
11174 if (len != desc->len)
11175 return -EINVAL;
11176 } else {
11177 desc->len = len;
11178 }
11179
11180 nla_memcpy(data->data, nla, len);
11181
11182 return 0;
11183 }
11184
11185 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
11186 unsigned int len)
11187 {
11188 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
11189 }
11190
11191 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11192 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11193 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11194 };
11195
11196 /**
11197 * nft_data_init - parse nf_tables data netlink attributes
11198 *
11199 * @ctx: context of the expression using the data
11200 * @data: destination struct nft_data
11201 * @desc: data description
11202 * @nla: netlink attribute containing data
11203 *
11204 * Parse the netlink data attributes and initialize a struct nft_data.
11205 * The type and length of data are returned in the data description.
11206 *
11207 * The caller can indicate that it only wants to accept data of type
11208 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11209 */
11210 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11211 struct nft_data_desc *desc, const struct nlattr *nla)
11212 {
11213 struct nlattr *tb[NFTA_DATA_MAX + 1];
11214 int err;
11215
11216 if (WARN_ON_ONCE(!desc->size))
11217 return -EINVAL;
11218
11219 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11220 nft_data_policy, NULL);
11221 if (err < 0)
11222 return err;
11223
11224 if (tb[NFTA_DATA_VALUE]) {
11225 if (desc->type != NFT_DATA_VALUE)
11226 return -EINVAL;
11227
11228 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
11229 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11230 if (desc->type != NFT_DATA_VERDICT)
11231 return -EINVAL;
11232
11233 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
11234 } else {
11235 err = -EINVAL;
11236 }
11237
11238 return err;
11239 }
11240 EXPORT_SYMBOL_GPL(nft_data_init);
11241
11242 /**
11243 * nft_data_release - release a nft_data item
11244 *
11245 * @data: struct nft_data to release
11246 * @type: type of data
11247 *
11248 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11249 * all others need to be released by calling this function.
11250 */
11251 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11252 {
11253 if (type < NFT_DATA_VERDICT)
11254 return;
11255 switch (type) {
11256 case NFT_DATA_VERDICT:
11257 return nft_verdict_uninit(data);
11258 default:
11259 WARN_ON(1);
11260 }
11261 }
11262 EXPORT_SYMBOL_GPL(nft_data_release);
11263
11264 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
11265 enum nft_data_types type, unsigned int len)
11266 {
11267 struct nlattr *nest;
11268 int err;
11269
11270 nest = nla_nest_start_noflag(skb, attr);
11271 if (nest == NULL)
11272 return -1;
11273
11274 switch (type) {
11275 case NFT_DATA_VALUE:
11276 err = nft_value_dump(skb, data, len);
11277 break;
11278 case NFT_DATA_VERDICT:
11279 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
11280 break;
11281 default:
11282 err = -EINVAL;
11283 WARN_ON(1);
11284 }
11285
11286 nla_nest_end(skb, nest);
11287 return err;
11288 }
11289 EXPORT_SYMBOL_GPL(nft_data_dump);
11290
11291 int __nft_release_basechain(struct nft_ctx *ctx)
11292 {
11293 struct nft_rule *rule, *nr;
11294
11295 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
11296 return 0;
11297
11298 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
11299 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
11300 list_del(&rule->list);
11301 nft_use_dec(&ctx->chain->use);
11302 nf_tables_rule_release(ctx, rule);
11303 }
11304 nft_chain_del(ctx->chain);
11305 nft_use_dec(&ctx->table->use);
11306 nf_tables_chain_destroy(ctx->chain);
11307
11308 return 0;
11309 }
11310 EXPORT_SYMBOL_GPL(__nft_release_basechain);
11311
11312 static void __nft_release_hook(struct net *net, struct nft_table *table)
11313 {
11314 struct nft_flowtable *flowtable;
11315 struct nft_chain *chain;
11316
11317 list_for_each_entry(chain, &table->chains, list)
11318 __nf_tables_unregister_hook(net, table, chain, true);
11319 list_for_each_entry(flowtable, &table->flowtables, list)
11320 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
11321 true);
11322 }
11323
11324 static void __nft_release_hooks(struct net *net)
11325 {
11326 struct nftables_pernet *nft_net = nft_pernet(net);
11327 struct nft_table *table;
11328
11329 list_for_each_entry(table, &nft_net->tables, list) {
11330 if (nft_table_has_owner(table))
11331 continue;
11332
11333 __nft_release_hook(net, table);
11334 }
11335 }
11336
11337 static void __nft_release_table(struct net *net, struct nft_table *table)
11338 {
11339 struct nft_flowtable *flowtable, *nf;
11340 struct nft_chain *chain, *nc;
11341 struct nft_object *obj, *ne;
11342 struct nft_rule *rule, *nr;
11343 struct nft_set *set, *ns;
11344 struct nft_ctx ctx = {
11345 .net = net,
11346 .family = NFPROTO_NETDEV,
11347 };
11348
11349 ctx.family = table->family;
11350 ctx.table = table;
11351 list_for_each_entry(chain, &table->chains, list) {
11352 if (nft_chain_binding(chain))
11353 continue;
11354
11355 ctx.chain = chain;
11356 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
11357 list_del(&rule->list);
11358 nft_use_dec(&chain->use);
11359 nf_tables_rule_release(&ctx, rule);
11360 }
11361 }
11362 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11363 list_del(&flowtable->list);
11364 nft_use_dec(&table->use);
11365 nf_tables_flowtable_destroy(flowtable);
11366 }
11367 list_for_each_entry_safe(set, ns, &table->sets, list) {
11368 list_del(&set->list);
11369 nft_use_dec(&table->use);
11370 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11371 nft_map_deactivate(&ctx, set);
11372
11373 nft_set_destroy(&ctx, set);
11374 }
11375 list_for_each_entry_safe(obj, ne, &table->objects, list) {
11376 nft_obj_del(obj);
11377 nft_use_dec(&table->use);
11378 nft_obj_destroy(&ctx, obj);
11379 }
11380 list_for_each_entry_safe(chain, nc, &table->chains, list) {
11381 nft_chain_del(chain);
11382 nft_use_dec(&table->use);
11383 nf_tables_chain_destroy(chain);
11384 }
11385 nf_tables_table_destroy(table);
11386 }
11387
11388 static void __nft_release_tables(struct net *net)
11389 {
11390 struct nftables_pernet *nft_net = nft_pernet(net);
11391 struct nft_table *table, *nt;
11392
11393 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
11394 if (nft_table_has_owner(table))
11395 continue;
11396
11397 list_del(&table->list);
11398
11399 __nft_release_table(net, table);
11400 }
11401 }
11402
11403 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
11404 void *ptr)
11405 {
11406 struct nft_table *table, *to_delete[8];
11407 struct nftables_pernet *nft_net;
11408 struct netlink_notify *n = ptr;
11409 struct net *net = n->net;
11410 unsigned int deleted;
11411 bool restart = false;
11412 unsigned int gc_seq;
11413
11414 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
11415 return NOTIFY_DONE;
11416
11417 nft_net = nft_pernet(net);
11418 deleted = 0;
11419 mutex_lock(&nft_net->commit_mutex);
11420
11421 gc_seq = nft_gc_seq_begin(nft_net);
11422
11423 nf_tables_trans_destroy_flush_work();
11424 again:
11425 list_for_each_entry(table, &nft_net->tables, list) {
11426 if (nft_table_has_owner(table) &&
11427 n->portid == table->nlpid) {
11428 if (table->flags & NFT_TABLE_F_PERSIST) {
11429 table->flags &= ~NFT_TABLE_F_OWNER;
11430 continue;
11431 }
11432 __nft_release_hook(net, table);
11433 list_del_rcu(&table->list);
11434 to_delete[deleted++] = table;
11435 if (deleted >= ARRAY_SIZE(to_delete))
11436 break;
11437 }
11438 }
11439 if (deleted) {
11440 restart = deleted >= ARRAY_SIZE(to_delete);
11441 synchronize_rcu();
11442 while (deleted)
11443 __nft_release_table(net, to_delete[--deleted]);
11444
11445 if (restart)
11446 goto again;
11447 }
11448 nft_gc_seq_end(nft_net, gc_seq);
11449
11450 mutex_unlock(&nft_net->commit_mutex);
11451
11452 return NOTIFY_DONE;
11453 }
11454
11455 static struct notifier_block nft_nl_notifier = {
11456 .notifier_call = nft_rcv_nl_event,
11457 };
11458
11459 static int __net_init nf_tables_init_net(struct net *net)
11460 {
11461 struct nftables_pernet *nft_net = nft_pernet(net);
11462
11463 INIT_LIST_HEAD(&nft_net->tables);
11464 INIT_LIST_HEAD(&nft_net->commit_list);
11465 INIT_LIST_HEAD(&nft_net->binding_list);
11466 INIT_LIST_HEAD(&nft_net->module_list);
11467 INIT_LIST_HEAD(&nft_net->notify_list);
11468 mutex_init(&nft_net->commit_mutex);
11469 nft_net->base_seq = 1;
11470 nft_net->gc_seq = 0;
11471 nft_net->validate_state = NFT_VALIDATE_SKIP;
11472
11473 return 0;
11474 }
11475
11476 static void __net_exit nf_tables_pre_exit_net(struct net *net)
11477 {
11478 struct nftables_pernet *nft_net = nft_pernet(net);
11479
11480 mutex_lock(&nft_net->commit_mutex);
11481 __nft_release_hooks(net);
11482 mutex_unlock(&nft_net->commit_mutex);
11483 }
11484
11485 static void __net_exit nf_tables_exit_net(struct net *net)
11486 {
11487 struct nftables_pernet *nft_net = nft_pernet(net);
11488 unsigned int gc_seq;
11489
11490 mutex_lock(&nft_net->commit_mutex);
11491
11492 gc_seq = nft_gc_seq_begin(nft_net);
11493
11494 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
11495
11496 if (!list_empty(&nft_net->module_list))
11497 nf_tables_module_autoload_cleanup(net);
11498
11499 __nft_release_tables(net);
11500
11501 nft_gc_seq_end(nft_net, gc_seq);
11502
11503 mutex_unlock(&nft_net->commit_mutex);
11504 WARN_ON_ONCE(!list_empty(&nft_net->tables));
11505 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
11506 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
11507 }
11508
11509 static void nf_tables_exit_batch(struct list_head *net_exit_list)
11510 {
11511 flush_work(&trans_gc_work);
11512 }
11513
11514 static struct pernet_operations nf_tables_net_ops = {
11515 .init = nf_tables_init_net,
11516 .pre_exit = nf_tables_pre_exit_net,
11517 .exit = nf_tables_exit_net,
11518 .exit_batch = nf_tables_exit_batch,
11519 .id = &nf_tables_net_id,
11520 .size = sizeof(struct nftables_pernet),
11521 };
11522
11523 static int __init nf_tables_module_init(void)
11524 {
11525 int err;
11526
11527 BUILD_BUG_ON(offsetof(struct nft_trans_table, nft_trans) != 0);
11528 BUILD_BUG_ON(offsetof(struct nft_trans_chain, nft_trans_binding.nft_trans) != 0);
11529 BUILD_BUG_ON(offsetof(struct nft_trans_rule, nft_trans) != 0);
11530 BUILD_BUG_ON(offsetof(struct nft_trans_set, nft_trans_binding.nft_trans) != 0);
11531 BUILD_BUG_ON(offsetof(struct nft_trans_elem, nft_trans) != 0);
11532 BUILD_BUG_ON(offsetof(struct nft_trans_obj, nft_trans) != 0);
11533 BUILD_BUG_ON(offsetof(struct nft_trans_flowtable, nft_trans) != 0);
11534
11535 err = register_pernet_subsys(&nf_tables_net_ops);
11536 if (err < 0)
11537 return err;
11538
11539 err = nft_chain_filter_init();
11540 if (err < 0)
11541 goto err_chain_filter;
11542
11543 err = nf_tables_core_module_init();
11544 if (err < 0)
11545 goto err_core_module;
11546
11547 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
11548 if (err < 0)
11549 goto err_netdev_notifier;
11550
11551 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
11552 if (err < 0)
11553 goto err_rht_objname;
11554
11555 err = nft_offload_init();
11556 if (err < 0)
11557 goto err_offload;
11558
11559 err = netlink_register_notifier(&nft_nl_notifier);
11560 if (err < 0)
11561 goto err_netlink_notifier;
11562
11563 /* must be last */
11564 err = nfnetlink_subsys_register(&nf_tables_subsys);
11565 if (err < 0)
11566 goto err_nfnl_subsys;
11567
11568 nft_chain_route_init();
11569
11570 return err;
11571
11572 err_nfnl_subsys:
11573 netlink_unregister_notifier(&nft_nl_notifier);
11574 err_netlink_notifier:
11575 nft_offload_exit();
11576 err_offload:
11577 rhltable_destroy(&nft_objname_ht);
11578 err_rht_objname:
11579 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11580 err_netdev_notifier:
11581 nf_tables_core_module_exit();
11582 err_core_module:
11583 nft_chain_filter_fini();
11584 err_chain_filter:
11585 unregister_pernet_subsys(&nf_tables_net_ops);
11586 return err;
11587 }
11588
11589 static void __exit nf_tables_module_exit(void)
11590 {
11591 nfnetlink_subsys_unregister(&nf_tables_subsys);
11592 netlink_unregister_notifier(&nft_nl_notifier);
11593 nft_offload_exit();
11594 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11595 nft_chain_filter_fini();
11596 nft_chain_route_fini();
11597 nf_tables_trans_destroy_flush_work();
11598 unregister_pernet_subsys(&nf_tables_net_ops);
11599 cancel_work_sync(&trans_gc_work);
11600 cancel_work_sync(&trans_destroy_work);
11601 rcu_barrier();
11602 rhltable_destroy(&nft_objname_ht);
11603 nf_tables_core_module_exit();
11604 }
11605
11606 module_init(nf_tables_module_init);
11607 module_exit(nf_tables_module_exit);
11608
11609 MODULE_LICENSE("GPL");
11610 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
11611 MODULE_DESCRIPTION("Framework for packet filtering and classification");
11612 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
11613
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.