1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/skbuff.h> 12 #include <linux/netlink.h> 13 #include <linux/vmalloc.h> 14 #include <linux/rhashtable.h> 15 #include <linux/audit.h> 16 #include <linux/netfilter.h> 17 #include <linux/netfilter/nfnetlink.h> 18 #include <linux/netfilter/nf_tables.h> 19 #include <net/netfilter/nf_flow_table.h> 20 #include <net/netfilter/nf_tables_core.h> 21 #include <net/netfilter/nf_tables.h> 22 #include <net/netfilter/nf_tables_offload.h> 23 #include <net/net_namespace.h> 24 #include <net/sock.h> 25 26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 27 #define NFT_SET_MAX_ANONLEN 16 28 29 unsigned int nf_tables_net_id __read_mostly; 30 31 static LIST_HEAD(nf_tables_expressions); 32 static LIST_HEAD(nf_tables_objects); 33 static LIST_HEAD(nf_tables_flowtables); 34 static LIST_HEAD(nf_tables_destroy_list); 35 static LIST_HEAD(nf_tables_gc_list); 36 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 37 static DEFINE_SPINLOCK(nf_tables_gc_list_lock); 38 39 enum { 40 NFT_VALIDATE_SKIP = 0, 41 NFT_VALIDATE_NEED, 42 NFT_VALIDATE_DO, 43 }; 44 45 static struct rhltable nft_objname_ht; 46 47 static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 48 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 49 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 50 51 static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 52 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 53 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 54 55 static const struct rhashtable_params nft_chain_ht_params = { 56 .head_offset = offsetof(struct nft_chain, rhlhead), 57 .key_offset = offsetof(struct nft_chain, name), 58 .hashfn = nft_chain_hash, 59 .obj_hashfn = nft_chain_hash_obj, 60 .obj_cmpfn = nft_chain_hash_cmp, 61 .automatic_shrinking = true, 62 }; 63 64 static const struct rhashtable_params nft_objname_ht_params = { 65 .head_offset = offsetof(struct nft_object, rhlhead), 66 .key_offset = offsetof(struct nft_object, key), 67 .hashfn = nft_objname_hash, 68 .obj_hashfn = nft_objname_hash_obj, 69 .obj_cmpfn = nft_objname_hash_cmp, 70 .automatic_shrinking = true, 71 }; 72 73 struct nft_audit_data { 74 struct nft_table *table; 75 int entries; 76 int op; 77 struct list_head list; 78 }; 79 80 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types 81 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER, 82 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID, 83 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER, 84 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER, 85 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID, 86 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER, 87 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER, 88 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID, 89 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER, 90 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER, 91 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID, 92 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER, 93 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER, 94 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID, 95 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER, 96 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER, 97 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID, 98 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID, 99 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER, 100 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID, 101 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER, 102 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET, 103 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER, 104 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID, 105 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 106 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET, 107 }; 108 nft_validate_state_update(struct nft_table * table,u8 new_validate_state)109 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state) 110 { 111 switch (table->validate_state) { 112 case NFT_VALIDATE_SKIP: 113 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 114 break; 115 case NFT_VALIDATE_NEED: 116 break; 117 case NFT_VALIDATE_DO: 118 if (new_validate_state == NFT_VALIDATE_NEED) 119 return; 120 } 121 122 table->validate_state = new_validate_state; 123 } 124 static void nf_tables_trans_destroy_work(struct work_struct *w); 125 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); 126 127 static void nft_trans_gc_work(struct work_struct *work); 128 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work); 129 nft_ctx_init(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,u8 family,struct nft_table * table,struct nft_chain * chain,const struct nlattr * const * nla)130 static void nft_ctx_init(struct nft_ctx *ctx, 131 struct net *net, 132 const struct sk_buff *skb, 133 const struct nlmsghdr *nlh, 134 u8 family, 135 struct nft_table *table, 136 struct nft_chain *chain, 137 const struct nlattr * const *nla) 138 { 139 ctx->net = net; 140 ctx->family = family; 141 ctx->level = 0; 142 ctx->table = table; 143 ctx->chain = chain; 144 ctx->nla = nla; 145 ctx->portid = NETLINK_CB(skb).portid; 146 ctx->report = nlmsg_report(nlh); 147 ctx->flags = nlh->nlmsg_flags; 148 ctx->seq = nlh->nlmsg_seq; 149 150 bitmap_zero(ctx->reg_inited, NFT_REG32_NUM); 151 } 152 nft_trans_alloc_gfp(const struct nft_ctx * ctx,int msg_type,u32 size,gfp_t gfp)153 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 154 int msg_type, u32 size, gfp_t gfp) 155 { 156 struct nft_trans *trans; 157 158 trans = kzalloc(size, gfp); 159 if (trans == NULL) 160 return NULL; 161 162 INIT_LIST_HEAD(&trans->list); 163 trans->msg_type = msg_type; 164 165 trans->net = ctx->net; 166 trans->table = ctx->table; 167 trans->seq = ctx->seq; 168 trans->flags = ctx->flags; 169 trans->report = ctx->report; 170 171 return trans; 172 } 173 nft_trans_alloc(const struct nft_ctx * ctx,int msg_type,u32 size)174 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 175 int msg_type, u32 size) 176 { 177 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 178 } 179 nft_trans_get_binding(struct nft_trans * trans)180 static struct nft_trans_binding *nft_trans_get_binding(struct nft_trans *trans) 181 { 182 switch (trans->msg_type) { 183 case NFT_MSG_NEWCHAIN: 184 case NFT_MSG_NEWSET: 185 return container_of(trans, struct nft_trans_binding, nft_trans); 186 } 187 188 return NULL; 189 } 190 nft_trans_list_del(struct nft_trans * trans)191 static void nft_trans_list_del(struct nft_trans *trans) 192 { 193 struct nft_trans_binding *trans_binding; 194 195 list_del(&trans->list); 196 197 trans_binding = nft_trans_get_binding(trans); 198 if (trans_binding) 199 list_del(&trans_binding->binding_list); 200 } 201 nft_trans_destroy(struct nft_trans * trans)202 static void nft_trans_destroy(struct nft_trans *trans) 203 { 204 nft_trans_list_del(trans); 205 kfree(trans); 206 } 207 __nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set,bool bind)208 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set, 209 bool bind) 210 { 211 struct nftables_pernet *nft_net; 212 struct net *net = ctx->net; 213 struct nft_trans *trans; 214 215 if (!nft_set_is_anonymous(set)) 216 return; 217 218 nft_net = nft_pernet(net); 219 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 220 switch (trans->msg_type) { 221 case NFT_MSG_NEWSET: 222 if (nft_trans_set(trans) == set) 223 nft_trans_set_bound(trans) = bind; 224 break; 225 case NFT_MSG_NEWSETELEM: 226 if (nft_trans_elem_set(trans) == set) 227 nft_trans_elem_set_bound(trans) = bind; 228 break; 229 } 230 } 231 } 232 nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set)233 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 234 { 235 return __nft_set_trans_bind(ctx, set, true); 236 } 237 nft_set_trans_unbind(const struct nft_ctx * ctx,struct nft_set * set)238 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set) 239 { 240 return __nft_set_trans_bind(ctx, set, false); 241 } 242 __nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain,bool bind)243 static void __nft_chain_trans_bind(const struct nft_ctx *ctx, 244 struct nft_chain *chain, bool bind) 245 { 246 struct nftables_pernet *nft_net; 247 struct net *net = ctx->net; 248 struct nft_trans *trans; 249 250 if (!nft_chain_binding(chain)) 251 return; 252 253 nft_net = nft_pernet(net); 254 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 255 switch (trans->msg_type) { 256 case NFT_MSG_NEWCHAIN: 257 if (nft_trans_chain(trans) == chain) 258 nft_trans_chain_bound(trans) = bind; 259 break; 260 case NFT_MSG_NEWRULE: 261 if (nft_trans_rule_chain(trans) == chain) 262 nft_trans_rule_bound(trans) = bind; 263 break; 264 } 265 } 266 } 267 nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain)268 static void nft_chain_trans_bind(const struct nft_ctx *ctx, 269 struct nft_chain *chain) 270 { 271 __nft_chain_trans_bind(ctx, chain, true); 272 } 273 nf_tables_bind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)274 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) 275 { 276 if (!nft_chain_binding(chain)) 277 return 0; 278 279 if (nft_chain_binding(ctx->chain)) 280 return -EOPNOTSUPP; 281 282 if (chain->bound) 283 return -EBUSY; 284 285 if (!nft_use_inc(&chain->use)) 286 return -EMFILE; 287 288 chain->bound = true; 289 nft_chain_trans_bind(ctx, chain); 290 291 return 0; 292 } 293 nf_tables_unbind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)294 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) 295 { 296 __nft_chain_trans_bind(ctx, chain, false); 297 } 298 nft_netdev_register_hooks(struct net * net,struct list_head * hook_list)299 static int nft_netdev_register_hooks(struct net *net, 300 struct list_head *hook_list) 301 { 302 struct nft_hook *hook; 303 int err, j; 304 305 j = 0; 306 list_for_each_entry(hook, hook_list, list) { 307 err = nf_register_net_hook(net, &hook->ops); 308 if (err < 0) 309 goto err_register; 310 311 j++; 312 } 313 return 0; 314 315 err_register: 316 list_for_each_entry(hook, hook_list, list) { 317 if (j-- <= 0) 318 break; 319 320 nf_unregister_net_hook(net, &hook->ops); 321 } 322 return err; 323 } 324 nft_netdev_unregister_hooks(struct net * net,struct list_head * hook_list,bool release_netdev)325 static void nft_netdev_unregister_hooks(struct net *net, 326 struct list_head *hook_list, 327 bool release_netdev) 328 { 329 struct nft_hook *hook, *next; 330 331 list_for_each_entry_safe(hook, next, hook_list, list) { 332 nf_unregister_net_hook(net, &hook->ops); 333 if (release_netdev) { 334 list_del(&hook->list); 335 kfree_rcu(hook, rcu); 336 } 337 } 338 } 339 nf_tables_register_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)340 static int nf_tables_register_hook(struct net *net, 341 const struct nft_table *table, 342 struct nft_chain *chain) 343 { 344 struct nft_base_chain *basechain; 345 const struct nf_hook_ops *ops; 346 347 if (table->flags & NFT_TABLE_F_DORMANT || 348 !nft_is_base_chain(chain)) 349 return 0; 350 351 basechain = nft_base_chain(chain); 352 ops = &basechain->ops; 353 354 if (basechain->type->ops_register) 355 return basechain->type->ops_register(net, ops); 356 357 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 358 return nft_netdev_register_hooks(net, &basechain->hook_list); 359 360 return nf_register_net_hook(net, &basechain->ops); 361 } 362 __nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain,bool release_netdev)363 static void __nf_tables_unregister_hook(struct net *net, 364 const struct nft_table *table, 365 struct nft_chain *chain, 366 bool release_netdev) 367 { 368 struct nft_base_chain *basechain; 369 const struct nf_hook_ops *ops; 370 371 if (table->flags & NFT_TABLE_F_DORMANT || 372 !nft_is_base_chain(chain)) 373 return; 374 basechain = nft_base_chain(chain); 375 ops = &basechain->ops; 376 377 if (basechain->type->ops_unregister) 378 return basechain->type->ops_unregister(net, ops); 379 380 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 381 nft_netdev_unregister_hooks(net, &basechain->hook_list, 382 release_netdev); 383 else 384 nf_unregister_net_hook(net, &basechain->ops); 385 } 386 nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)387 static void nf_tables_unregister_hook(struct net *net, 388 const struct nft_table *table, 389 struct nft_chain *chain) 390 { 391 return __nf_tables_unregister_hook(net, table, chain, false); 392 } 393 nft_trans_commit_list_add_tail(struct net * net,struct nft_trans * trans)394 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) 395 { 396 struct nftables_pernet *nft_net = nft_pernet(net); 397 struct nft_trans_binding *binding; 398 struct nft_trans_set *trans_set; 399 400 list_add_tail(&trans->list, &nft_net->commit_list); 401 402 binding = nft_trans_get_binding(trans); 403 if (!binding) 404 return; 405 406 switch (trans->msg_type) { 407 case NFT_MSG_NEWSET: 408 trans_set = nft_trans_container_set(trans); 409 410 if (!nft_trans_set_update(trans) && 411 nft_set_is_anonymous(nft_trans_set(trans))) 412 list_add_tail(&binding->binding_list, &nft_net->binding_list); 413 414 list_add_tail(&trans_set->list_trans_newset, &nft_net->commit_set_list); 415 break; 416 case NFT_MSG_NEWCHAIN: 417 if (!nft_trans_chain_update(trans) && 418 nft_chain_binding(nft_trans_chain(trans))) 419 list_add_tail(&binding->binding_list, &nft_net->binding_list); 420 break; 421 } 422 } 423 nft_trans_table_add(struct nft_ctx * ctx,int msg_type)424 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 425 { 426 struct nft_trans *trans; 427 428 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 429 if (trans == NULL) 430 return -ENOMEM; 431 432 if (msg_type == NFT_MSG_NEWTABLE) 433 nft_activate_next(ctx->net, ctx->table); 434 435 nft_trans_commit_list_add_tail(ctx->net, trans); 436 return 0; 437 } 438 nft_deltable(struct nft_ctx * ctx)439 static int nft_deltable(struct nft_ctx *ctx) 440 { 441 int err; 442 443 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 444 if (err < 0) 445 return err; 446 447 nft_deactivate_next(ctx->net, ctx->table); 448 return err; 449 } 450 451 static struct nft_trans * nft_trans_alloc_chain(const struct nft_ctx * ctx,int msg_type)452 nft_trans_alloc_chain(const struct nft_ctx *ctx, int msg_type) 453 { 454 struct nft_trans_chain *trans_chain; 455 struct nft_trans *trans; 456 457 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 458 if (!trans) 459 return NULL; 460 461 trans_chain = nft_trans_container_chain(trans); 462 INIT_LIST_HEAD(&trans_chain->nft_trans_binding.binding_list); 463 trans_chain->chain = ctx->chain; 464 465 return trans; 466 } 467 nft_trans_chain_add(struct nft_ctx * ctx,int msg_type)468 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 469 { 470 struct nft_trans *trans; 471 472 trans = nft_trans_alloc_chain(ctx, msg_type); 473 if (trans == NULL) 474 return ERR_PTR(-ENOMEM); 475 476 if (msg_type == NFT_MSG_NEWCHAIN) { 477 nft_activate_next(ctx->net, ctx->chain); 478 479 if (ctx->nla[NFTA_CHAIN_ID]) { 480 nft_trans_chain_id(trans) = 481 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); 482 } 483 } 484 nft_trans_commit_list_add_tail(ctx->net, trans); 485 486 return trans; 487 } 488 nft_delchain(struct nft_ctx * ctx)489 static int nft_delchain(struct nft_ctx *ctx) 490 { 491 struct nft_trans *trans; 492 493 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 494 if (IS_ERR(trans)) 495 return PTR_ERR(trans); 496 497 nft_use_dec(&ctx->table->use); 498 nft_deactivate_next(ctx->net, ctx->chain); 499 500 return 0; 501 } 502 nft_rule_expr_activate(const struct nft_ctx * ctx,struct nft_rule * rule)503 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule) 504 { 505 struct nft_expr *expr; 506 507 expr = nft_expr_first(rule); 508 while (nft_expr_more(rule, expr)) { 509 if (expr->ops->activate) 510 expr->ops->activate(ctx, expr); 511 512 expr = nft_expr_next(expr); 513 } 514 } 515 nft_rule_expr_deactivate(const struct nft_ctx * ctx,struct nft_rule * rule,enum nft_trans_phase phase)516 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule, 517 enum nft_trans_phase phase) 518 { 519 struct nft_expr *expr; 520 521 expr = nft_expr_first(rule); 522 while (nft_expr_more(rule, expr)) { 523 if (expr->ops->deactivate) 524 expr->ops->deactivate(ctx, expr, phase); 525 526 expr = nft_expr_next(expr); 527 } 528 } 529 530 static int nf_tables_delrule_deactivate(struct nft_ctx * ctx,struct nft_rule * rule)531 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 532 { 533 /* You cannot delete the same rule twice */ 534 if (nft_is_active_next(ctx->net, rule)) { 535 nft_deactivate_next(ctx->net, rule); 536 nft_use_dec(&ctx->chain->use); 537 return 0; 538 } 539 return -ENOENT; 540 } 541 nft_trans_rule_add(struct nft_ctx * ctx,int msg_type,struct nft_rule * rule)542 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 543 struct nft_rule *rule) 544 { 545 struct nft_trans *trans; 546 547 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 548 if (trans == NULL) 549 return NULL; 550 551 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 552 nft_trans_rule_id(trans) = 553 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 554 } 555 nft_trans_rule(trans) = rule; 556 nft_trans_rule_chain(trans) = ctx->chain; 557 nft_trans_commit_list_add_tail(ctx->net, trans); 558 559 return trans; 560 } 561 nft_delrule(struct nft_ctx * ctx,struct nft_rule * rule)562 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 563 { 564 struct nft_flow_rule *flow; 565 struct nft_trans *trans; 566 int err; 567 568 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 569 if (trans == NULL) 570 return -ENOMEM; 571 572 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 573 flow = nft_flow_rule_create(ctx->net, rule); 574 if (IS_ERR(flow)) { 575 nft_trans_destroy(trans); 576 return PTR_ERR(flow); 577 } 578 579 nft_trans_flow_rule(trans) = flow; 580 } 581 582 err = nf_tables_delrule_deactivate(ctx, rule); 583 if (err < 0) { 584 nft_trans_destroy(trans); 585 return err; 586 } 587 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 588 589 return 0; 590 } 591 nft_delrule_by_chain(struct nft_ctx * ctx)592 static int nft_delrule_by_chain(struct nft_ctx *ctx) 593 { 594 struct nft_rule *rule; 595 int err; 596 597 list_for_each_entry(rule, &ctx->chain->rules, list) { 598 if (!nft_is_active_next(ctx->net, rule)) 599 continue; 600 601 err = nft_delrule(ctx, rule); 602 if (err < 0) 603 return err; 604 } 605 return 0; 606 } 607 __nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set,const struct nft_set_desc * desc)608 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 609 struct nft_set *set, 610 const struct nft_set_desc *desc) 611 { 612 struct nft_trans_set *trans_set; 613 struct nft_trans *trans; 614 615 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 616 if (trans == NULL) 617 return -ENOMEM; 618 619 trans_set = nft_trans_container_set(trans); 620 INIT_LIST_HEAD(&trans_set->nft_trans_binding.binding_list); 621 INIT_LIST_HEAD(&trans_set->list_trans_newset); 622 623 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) { 624 nft_trans_set_id(trans) = 625 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 626 nft_activate_next(ctx->net, set); 627 } 628 nft_trans_set(trans) = set; 629 if (desc) { 630 nft_trans_set_update(trans) = true; 631 nft_trans_set_gc_int(trans) = desc->gc_int; 632 nft_trans_set_timeout(trans) = desc->timeout; 633 nft_trans_set_size(trans) = desc->size; 634 } 635 nft_trans_commit_list_add_tail(ctx->net, trans); 636 637 return 0; 638 } 639 nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)640 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 641 struct nft_set *set) 642 { 643 return __nft_trans_set_add(ctx, msg_type, set, NULL); 644 } 645 nft_mapelem_deactivate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)646 static int nft_mapelem_deactivate(const struct nft_ctx *ctx, 647 struct nft_set *set, 648 const struct nft_set_iter *iter, 649 struct nft_elem_priv *elem_priv) 650 { 651 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 652 653 if (!nft_set_elem_active(ext, iter->genmask)) 654 return 0; 655 656 nft_set_elem_change_active(ctx->net, set, ext); 657 nft_setelem_data_deactivate(ctx->net, set, elem_priv); 658 659 return 0; 660 } 661 662 struct nft_set_elem_catchall { 663 struct list_head list; 664 struct rcu_head rcu; 665 struct nft_elem_priv *elem; 666 }; 667 nft_map_catchall_deactivate(const struct nft_ctx * ctx,struct nft_set * set)668 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, 669 struct nft_set *set) 670 { 671 u8 genmask = nft_genmask_next(ctx->net); 672 struct nft_set_elem_catchall *catchall; 673 struct nft_set_ext *ext; 674 675 list_for_each_entry(catchall, &set->catchall_list, list) { 676 ext = nft_set_elem_ext(set, catchall->elem); 677 if (!nft_set_elem_active(ext, genmask)) 678 continue; 679 680 nft_set_elem_change_active(ctx->net, set, ext); 681 nft_setelem_data_deactivate(ctx->net, set, catchall->elem); 682 break; 683 } 684 } 685 nft_map_deactivate(const struct nft_ctx * ctx,struct nft_set * set)686 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set) 687 { 688 struct nft_set_iter iter = { 689 .genmask = nft_genmask_next(ctx->net), 690 .type = NFT_ITER_UPDATE, 691 .fn = nft_mapelem_deactivate, 692 }; 693 694 set->ops->walk(ctx, set, &iter); 695 WARN_ON_ONCE(iter.err); 696 697 nft_map_catchall_deactivate(ctx, set); 698 } 699 nft_delset(const struct nft_ctx * ctx,struct nft_set * set)700 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 701 { 702 int err; 703 704 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 705 if (err < 0) 706 return err; 707 708 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 709 nft_map_deactivate(ctx, set); 710 711 nft_deactivate_next(ctx->net, set); 712 nft_use_dec(&ctx->table->use); 713 714 return err; 715 } 716 nft_trans_obj_add(struct nft_ctx * ctx,int msg_type,struct nft_object * obj)717 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 718 struct nft_object *obj) 719 { 720 struct nft_trans *trans; 721 722 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 723 if (trans == NULL) 724 return -ENOMEM; 725 726 if (msg_type == NFT_MSG_NEWOBJ) 727 nft_activate_next(ctx->net, obj); 728 729 nft_trans_obj(trans) = obj; 730 nft_trans_commit_list_add_tail(ctx->net, trans); 731 732 return 0; 733 } 734 nft_delobj(struct nft_ctx * ctx,struct nft_object * obj)735 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 736 { 737 int err; 738 739 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 740 if (err < 0) 741 return err; 742 743 nft_deactivate_next(ctx->net, obj); 744 nft_use_dec(&ctx->table->use); 745 746 return err; 747 } 748 749 static struct nft_trans * nft_trans_flowtable_add(struct nft_ctx * ctx,int msg_type,struct nft_flowtable * flowtable)750 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 751 struct nft_flowtable *flowtable) 752 { 753 struct nft_trans *trans; 754 755 trans = nft_trans_alloc(ctx, msg_type, 756 sizeof(struct nft_trans_flowtable)); 757 if (trans == NULL) 758 return ERR_PTR(-ENOMEM); 759 760 if (msg_type == NFT_MSG_NEWFLOWTABLE) 761 nft_activate_next(ctx->net, flowtable); 762 763 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 764 nft_trans_flowtable(trans) = flowtable; 765 nft_trans_commit_list_add_tail(ctx->net, trans); 766 767 return trans; 768 } 769 nft_delflowtable(struct nft_ctx * ctx,struct nft_flowtable * flowtable)770 static int nft_delflowtable(struct nft_ctx *ctx, 771 struct nft_flowtable *flowtable) 772 { 773 struct nft_trans *trans; 774 775 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 776 if (IS_ERR(trans)) 777 return PTR_ERR(trans); 778 779 nft_deactivate_next(ctx->net, flowtable); 780 nft_use_dec(&ctx->table->use); 781 782 return 0; 783 } 784 __nft_reg_track_clobber(struct nft_regs_track * track,u8 dreg)785 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg) 786 { 787 int i; 788 789 for (i = track->regs[dreg].num_reg; i > 0; i--) 790 __nft_reg_track_cancel(track, dreg - i); 791 } 792 __nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 num_reg)793 static void __nft_reg_track_update(struct nft_regs_track *track, 794 const struct nft_expr *expr, 795 u8 dreg, u8 num_reg) 796 { 797 track->regs[dreg].selector = expr; 798 track->regs[dreg].bitwise = NULL; 799 track->regs[dreg].num_reg = num_reg; 800 } 801 nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 len)802 void nft_reg_track_update(struct nft_regs_track *track, 803 const struct nft_expr *expr, u8 dreg, u8 len) 804 { 805 unsigned int regcount; 806 int i; 807 808 __nft_reg_track_clobber(track, dreg); 809 810 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 811 for (i = 0; i < regcount; i++, dreg++) 812 __nft_reg_track_update(track, expr, dreg, i); 813 } 814 EXPORT_SYMBOL_GPL(nft_reg_track_update); 815 nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg,u8 len)816 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len) 817 { 818 unsigned int regcount; 819 int i; 820 821 __nft_reg_track_clobber(track, dreg); 822 823 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 824 for (i = 0; i < regcount; i++, dreg++) 825 __nft_reg_track_cancel(track, dreg); 826 } 827 EXPORT_SYMBOL_GPL(nft_reg_track_cancel); 828 __nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg)829 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg) 830 { 831 track->regs[dreg].selector = NULL; 832 track->regs[dreg].bitwise = NULL; 833 track->regs[dreg].num_reg = 0; 834 } 835 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel); 836 837 /* 838 * Tables 839 */ 840 nft_table_lookup(const struct net * net,const struct nlattr * nla,u8 family,u8 genmask,u32 nlpid)841 static struct nft_table *nft_table_lookup(const struct net *net, 842 const struct nlattr *nla, 843 u8 family, u8 genmask, u32 nlpid) 844 { 845 struct nftables_pernet *nft_net; 846 struct nft_table *table; 847 848 if (nla == NULL) 849 return ERR_PTR(-EINVAL); 850 851 nft_net = nft_pernet(net); 852 list_for_each_entry_rcu(table, &nft_net->tables, list, 853 lockdep_is_held(&nft_net->commit_mutex)) { 854 if (!nla_strcmp(nla, table->name) && 855 table->family == family && 856 nft_active_genmask(table, genmask)) { 857 if (nft_table_has_owner(table) && 858 nlpid && table->nlpid != nlpid) 859 return ERR_PTR(-EPERM); 860 861 return table; 862 } 863 } 864 865 return ERR_PTR(-ENOENT); 866 } 867 nft_table_lookup_byhandle(const struct net * net,const struct nlattr * nla,int family,u8 genmask,u32 nlpid)868 static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 869 const struct nlattr *nla, 870 int family, u8 genmask, u32 nlpid) 871 { 872 struct nftables_pernet *nft_net; 873 struct nft_table *table; 874 875 nft_net = nft_pernet(net); 876 list_for_each_entry(table, &nft_net->tables, list) { 877 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 878 table->family == family && 879 nft_active_genmask(table, genmask)) { 880 if (nft_table_has_owner(table) && 881 nlpid && table->nlpid != nlpid) 882 return ERR_PTR(-EPERM); 883 884 return table; 885 } 886 } 887 888 return ERR_PTR(-ENOENT); 889 } 890 nf_tables_alloc_handle(struct nft_table * table)891 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 892 { 893 return ++table->hgenerator; 894 } 895 896 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 897 898 static const struct nft_chain_type * __nft_chain_type_get(u8 family,enum nft_chain_types type)899 __nft_chain_type_get(u8 family, enum nft_chain_types type) 900 { 901 if (family >= NFPROTO_NUMPROTO || 902 type >= NFT_CHAIN_T_MAX) 903 return NULL; 904 905 return chain_type[family][type]; 906 } 907 908 static const struct nft_chain_type * __nf_tables_chain_type_lookup(const struct nlattr * nla,u8 family)909 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 910 { 911 const struct nft_chain_type *type; 912 int i; 913 914 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 915 type = __nft_chain_type_get(family, i); 916 if (!type) 917 continue; 918 if (!nla_strcmp(nla, type->name)) 919 return type; 920 } 921 return NULL; 922 } 923 924 struct nft_module_request { 925 struct list_head list; 926 char module[MODULE_NAME_LEN]; 927 bool done; 928 }; 929 930 #ifdef CONFIG_MODULES nft_request_module(struct net * net,const char * fmt,...)931 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, 932 ...) 933 { 934 char module_name[MODULE_NAME_LEN]; 935 struct nftables_pernet *nft_net; 936 struct nft_module_request *req; 937 va_list args; 938 int ret; 939 940 va_start(args, fmt); 941 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 942 va_end(args); 943 if (ret >= MODULE_NAME_LEN) 944 return 0; 945 946 nft_net = nft_pernet(net); 947 list_for_each_entry(req, &nft_net->module_list, list) { 948 if (!strcmp(req->module, module_name)) { 949 if (req->done) 950 return 0; 951 952 /* A request to load this module already exists. */ 953 return -EAGAIN; 954 } 955 } 956 957 req = kmalloc(sizeof(*req), GFP_KERNEL); 958 if (!req) 959 return -ENOMEM; 960 961 req->done = false; 962 strscpy(req->module, module_name, MODULE_NAME_LEN); 963 list_add_tail(&req->list, &nft_net->module_list); 964 965 return -EAGAIN; 966 } 967 EXPORT_SYMBOL_GPL(nft_request_module); 968 #endif 969 lockdep_nfnl_nft_mutex_not_held(void)970 static void lockdep_nfnl_nft_mutex_not_held(void) 971 { 972 #ifdef CONFIG_PROVE_LOCKING 973 if (debug_locks) 974 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 975 #endif 976 } 977 978 static const struct nft_chain_type * nf_tables_chain_type_lookup(struct net * net,const struct nlattr * nla,u8 family,bool autoload)979 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 980 u8 family, bool autoload) 981 { 982 const struct nft_chain_type *type; 983 984 type = __nf_tables_chain_type_lookup(nla, family); 985 if (type != NULL) 986 return type; 987 988 lockdep_nfnl_nft_mutex_not_held(); 989 #ifdef CONFIG_MODULES 990 if (autoload) { 991 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 992 nla_len(nla), 993 (const char *)nla_data(nla)) == -EAGAIN) 994 return ERR_PTR(-EAGAIN); 995 } 996 #endif 997 return ERR_PTR(-ENOENT); 998 } 999 nft_base_seq(const struct net * net)1000 static __be16 nft_base_seq(const struct net *net) 1001 { 1002 struct nftables_pernet *nft_net = nft_pernet(net); 1003 1004 return htons(nft_net->base_seq & 0xffff); 1005 } 1006 1007 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 1008 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 1009 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1010 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 1011 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 1012 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY, 1013 .len = NFT_USERDATA_MAXLEN } 1014 }; 1015 nf_tables_fill_table_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table)1016 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 1017 u32 portid, u32 seq, int event, u32 flags, 1018 int family, const struct nft_table *table) 1019 { 1020 struct nlmsghdr *nlh; 1021 1022 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1023 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 1024 NFNETLINK_V0, nft_base_seq(net)); 1025 if (!nlh) 1026 goto nla_put_failure; 1027 1028 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 1029 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 1030 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 1031 NFTA_TABLE_PAD)) 1032 goto nla_put_failure; 1033 1034 if (event == NFT_MSG_DELTABLE) { 1035 nlmsg_end(skb, nlh); 1036 return 0; 1037 } 1038 1039 if (nla_put_be32(skb, NFTA_TABLE_FLAGS, 1040 htonl(table->flags & NFT_TABLE_F_MASK))) 1041 goto nla_put_failure; 1042 1043 if (nft_table_has_owner(table) && 1044 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid))) 1045 goto nla_put_failure; 1046 1047 if (table->udata) { 1048 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata)) 1049 goto nla_put_failure; 1050 } 1051 1052 nlmsg_end(skb, nlh); 1053 return 0; 1054 1055 nla_put_failure: 1056 nlmsg_trim(skb, nlh); 1057 return -1; 1058 } 1059 1060 struct nftnl_skb_parms { 1061 bool report; 1062 }; 1063 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb)) 1064 nft_notify_enqueue(struct sk_buff * skb,bool report,struct list_head * notify_list)1065 static void nft_notify_enqueue(struct sk_buff *skb, bool report, 1066 struct list_head *notify_list) 1067 { 1068 NFT_CB(skb).report = report; 1069 list_add_tail(&skb->list, notify_list); 1070 } 1071 nf_tables_table_notify(const struct nft_ctx * ctx,int event)1072 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 1073 { 1074 struct nftables_pernet *nft_net; 1075 struct sk_buff *skb; 1076 u16 flags = 0; 1077 int err; 1078 1079 if (!ctx->report && 1080 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1081 return; 1082 1083 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1084 if (skb == NULL) 1085 goto err; 1086 1087 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 1088 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 1089 1090 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 1091 event, flags, ctx->family, ctx->table); 1092 if (err < 0) { 1093 kfree_skb(skb); 1094 goto err; 1095 } 1096 1097 nft_net = nft_pernet(ctx->net); 1098 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1099 return; 1100 err: 1101 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1102 } 1103 nf_tables_dump_tables(struct sk_buff * skb,struct netlink_callback * cb)1104 static int nf_tables_dump_tables(struct sk_buff *skb, 1105 struct netlink_callback *cb) 1106 { 1107 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1108 struct nftables_pernet *nft_net; 1109 const struct nft_table *table; 1110 unsigned int idx = 0, s_idx = cb->args[0]; 1111 struct net *net = sock_net(skb->sk); 1112 int family = nfmsg->nfgen_family; 1113 1114 rcu_read_lock(); 1115 nft_net = nft_pernet(net); 1116 cb->seq = READ_ONCE(nft_net->base_seq); 1117 1118 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1119 if (family != NFPROTO_UNSPEC && family != table->family) 1120 continue; 1121 1122 if (idx < s_idx) 1123 goto cont; 1124 if (idx > s_idx) 1125 memset(&cb->args[1], 0, 1126 sizeof(cb->args) - sizeof(cb->args[0])); 1127 if (!nft_is_active(net, table)) 1128 continue; 1129 if (nf_tables_fill_table_info(skb, net, 1130 NETLINK_CB(cb->skb).portid, 1131 cb->nlh->nlmsg_seq, 1132 NFT_MSG_NEWTABLE, NLM_F_MULTI, 1133 table->family, table) < 0) 1134 goto done; 1135 1136 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1137 cont: 1138 idx++; 1139 } 1140 done: 1141 rcu_read_unlock(); 1142 cb->args[0] = idx; 1143 return skb->len; 1144 } 1145 nft_netlink_dump_start_rcu(struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,struct netlink_dump_control * c)1146 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 1147 const struct nlmsghdr *nlh, 1148 struct netlink_dump_control *c) 1149 { 1150 int err; 1151 1152 if (!try_module_get(THIS_MODULE)) 1153 return -EINVAL; 1154 1155 rcu_read_unlock(); 1156 err = netlink_dump_start(nlsk, skb, nlh, c); 1157 rcu_read_lock(); 1158 module_put(THIS_MODULE); 1159 1160 return err; 1161 } 1162 1163 /* called with rcu_read_lock held */ nf_tables_gettable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1164 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info, 1165 const struct nlattr * const nla[]) 1166 { 1167 struct netlink_ext_ack *extack = info->extack; 1168 u8 genmask = nft_genmask_cur(info->net); 1169 u8 family = info->nfmsg->nfgen_family; 1170 const struct nft_table *table; 1171 struct net *net = info->net; 1172 struct sk_buff *skb2; 1173 int err; 1174 1175 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1176 struct netlink_dump_control c = { 1177 .dump = nf_tables_dump_tables, 1178 .module = THIS_MODULE, 1179 }; 1180 1181 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 1182 } 1183 1184 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0); 1185 if (IS_ERR(table)) { 1186 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 1187 return PTR_ERR(table); 1188 } 1189 1190 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1191 if (!skb2) 1192 return -ENOMEM; 1193 1194 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 1195 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 1196 0, family, table); 1197 if (err < 0) 1198 goto err_fill_table_info; 1199 1200 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1201 1202 err_fill_table_info: 1203 kfree_skb(skb2); 1204 return err; 1205 } 1206 nft_table_disable(struct net * net,struct nft_table * table,u32 cnt)1207 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 1208 { 1209 struct nft_chain *chain; 1210 u32 i = 0; 1211 1212 list_for_each_entry(chain, &table->chains, list) { 1213 if (!nft_is_active_next(net, chain)) 1214 continue; 1215 if (!nft_is_base_chain(chain)) 1216 continue; 1217 1218 if (cnt && i++ == cnt) 1219 break; 1220 1221 nf_tables_unregister_hook(net, table, chain); 1222 } 1223 } 1224 nf_tables_table_enable(struct net * net,struct nft_table * table)1225 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 1226 { 1227 struct nft_chain *chain; 1228 int err, i = 0; 1229 1230 list_for_each_entry(chain, &table->chains, list) { 1231 if (!nft_is_active_next(net, chain)) 1232 continue; 1233 if (!nft_is_base_chain(chain)) 1234 continue; 1235 1236 err = nf_tables_register_hook(net, table, chain); 1237 if (err < 0) 1238 goto err_register_hooks; 1239 1240 i++; 1241 } 1242 return 0; 1243 1244 err_register_hooks: 1245 if (i) 1246 nft_table_disable(net, table, i); 1247 return err; 1248 } 1249 nf_tables_table_disable(struct net * net,struct nft_table * table)1250 static void nf_tables_table_disable(struct net *net, struct nft_table *table) 1251 { 1252 table->flags &= ~NFT_TABLE_F_DORMANT; 1253 nft_table_disable(net, table, 0); 1254 table->flags |= NFT_TABLE_F_DORMANT; 1255 } 1256 1257 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1) 1258 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0) 1259 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1) 1260 #define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2) 1261 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \ 1262 __NFT_TABLE_F_WAS_AWAKEN | \ 1263 __NFT_TABLE_F_WAS_ORPHAN) 1264 nft_table_pending_update(const struct nft_ctx * ctx)1265 static bool nft_table_pending_update(const struct nft_ctx *ctx) 1266 { 1267 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1268 struct nft_trans *trans; 1269 1270 if (ctx->table->flags & __NFT_TABLE_F_UPDATE) 1271 return true; 1272 1273 list_for_each_entry(trans, &nft_net->commit_list, list) { 1274 if (trans->table == ctx->table && 1275 ((trans->msg_type == NFT_MSG_NEWCHAIN && 1276 nft_trans_chain_update(trans)) || 1277 (trans->msg_type == NFT_MSG_DELCHAIN && 1278 nft_is_base_chain(nft_trans_chain(trans))))) 1279 return true; 1280 } 1281 1282 return false; 1283 } 1284 nf_tables_updtable(struct nft_ctx * ctx)1285 static int nf_tables_updtable(struct nft_ctx *ctx) 1286 { 1287 struct nft_trans *trans; 1288 u32 flags; 1289 int ret; 1290 1291 if (!ctx->nla[NFTA_TABLE_FLAGS]) 1292 return 0; 1293 1294 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 1295 if (flags & ~NFT_TABLE_F_MASK) 1296 return -EOPNOTSUPP; 1297 1298 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK)) 1299 return 0; 1300 1301 if ((nft_table_has_owner(ctx->table) && 1302 !(flags & NFT_TABLE_F_OWNER)) || 1303 (flags & NFT_TABLE_F_OWNER && 1304 !nft_table_is_orphan(ctx->table))) 1305 return -EOPNOTSUPP; 1306 1307 if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST) 1308 return -EOPNOTSUPP; 1309 1310 /* No dormant off/on/off/on games in single transaction */ 1311 if (nft_table_pending_update(ctx)) 1312 return -EINVAL; 1313 1314 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 1315 sizeof(struct nft_trans_table)); 1316 if (trans == NULL) 1317 return -ENOMEM; 1318 1319 if ((flags & NFT_TABLE_F_DORMANT) && 1320 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 1321 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1322 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) 1323 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN; 1324 } else if (!(flags & NFT_TABLE_F_DORMANT) && 1325 ctx->table->flags & NFT_TABLE_F_DORMANT) { 1326 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 1327 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) { 1328 ret = nf_tables_table_enable(ctx->net, ctx->table); 1329 if (ret < 0) 1330 goto err_register_hooks; 1331 1332 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT; 1333 } 1334 } 1335 1336 if ((flags & NFT_TABLE_F_OWNER) && 1337 !nft_table_has_owner(ctx->table)) { 1338 ctx->table->nlpid = ctx->portid; 1339 ctx->table->flags |= NFT_TABLE_F_OWNER | 1340 __NFT_TABLE_F_WAS_ORPHAN; 1341 } 1342 1343 nft_trans_table_update(trans) = true; 1344 nft_trans_commit_list_add_tail(ctx->net, trans); 1345 1346 return 0; 1347 1348 err_register_hooks: 1349 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1350 nft_trans_destroy(trans); 1351 return ret; 1352 } 1353 nft_chain_hash(const void * data,u32 len,u32 seed)1354 static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 1355 { 1356 const char *name = data; 1357 1358 return jhash(name, strlen(name), seed); 1359 } 1360 nft_chain_hash_obj(const void * data,u32 len,u32 seed)1361 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 1362 { 1363 const struct nft_chain *chain = data; 1364 1365 return nft_chain_hash(chain->name, 0, seed); 1366 } 1367 nft_chain_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1368 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 1369 const void *ptr) 1370 { 1371 const struct nft_chain *chain = ptr; 1372 const char *name = arg->key; 1373 1374 return strcmp(chain->name, name); 1375 } 1376 nft_objname_hash(const void * data,u32 len,u32 seed)1377 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 1378 { 1379 const struct nft_object_hash_key *k = data; 1380 1381 seed ^= hash_ptr(k->table, 32); 1382 1383 return jhash(k->name, strlen(k->name), seed); 1384 } 1385 nft_objname_hash_obj(const void * data,u32 len,u32 seed)1386 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 1387 { 1388 const struct nft_object *obj = data; 1389 1390 return nft_objname_hash(&obj->key, 0, seed); 1391 } 1392 nft_objname_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1393 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 1394 const void *ptr) 1395 { 1396 const struct nft_object_hash_key *k = arg->key; 1397 const struct nft_object *obj = ptr; 1398 1399 if (obj->key.table != k->table) 1400 return -1; 1401 1402 return strcmp(obj->key.name, k->name); 1403 } 1404 nft_supported_family(u8 family)1405 static bool nft_supported_family(u8 family) 1406 { 1407 return false 1408 #ifdef CONFIG_NF_TABLES_INET 1409 || family == NFPROTO_INET 1410 #endif 1411 #ifdef CONFIG_NF_TABLES_IPV4 1412 || family == NFPROTO_IPV4 1413 #endif 1414 #ifdef CONFIG_NF_TABLES_ARP 1415 || family == NFPROTO_ARP 1416 #endif 1417 #ifdef CONFIG_NF_TABLES_NETDEV 1418 || family == NFPROTO_NETDEV 1419 #endif 1420 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) 1421 || family == NFPROTO_BRIDGE 1422 #endif 1423 #ifdef CONFIG_NF_TABLES_IPV6 1424 || family == NFPROTO_IPV6 1425 #endif 1426 ; 1427 } 1428 nf_tables_newtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1429 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, 1430 const struct nlattr * const nla[]) 1431 { 1432 struct nftables_pernet *nft_net = nft_pernet(info->net); 1433 struct netlink_ext_ack *extack = info->extack; 1434 u8 genmask = nft_genmask_next(info->net); 1435 u8 family = info->nfmsg->nfgen_family; 1436 struct net *net = info->net; 1437 const struct nlattr *attr; 1438 struct nft_table *table; 1439 struct nft_ctx ctx; 1440 u32 flags = 0; 1441 int err; 1442 1443 if (!nft_supported_family(family)) 1444 return -EOPNOTSUPP; 1445 1446 lockdep_assert_held(&nft_net->commit_mutex); 1447 attr = nla[NFTA_TABLE_NAME]; 1448 table = nft_table_lookup(net, attr, family, genmask, 1449 NETLINK_CB(skb).portid); 1450 if (IS_ERR(table)) { 1451 if (PTR_ERR(table) != -ENOENT) 1452 return PTR_ERR(table); 1453 } else { 1454 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 1455 NL_SET_BAD_ATTR(extack, attr); 1456 return -EEXIST; 1457 } 1458 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 1459 return -EOPNOTSUPP; 1460 1461 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1462 1463 return nf_tables_updtable(&ctx); 1464 } 1465 1466 if (nla[NFTA_TABLE_FLAGS]) { 1467 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 1468 if (flags & ~NFT_TABLE_F_MASK) 1469 return -EOPNOTSUPP; 1470 } 1471 1472 err = -ENOMEM; 1473 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT); 1474 if (table == NULL) 1475 goto err_kzalloc; 1476 1477 table->validate_state = nft_net->validate_state; 1478 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT); 1479 if (table->name == NULL) 1480 goto err_strdup; 1481 1482 if (nla[NFTA_TABLE_USERDATA]) { 1483 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT); 1484 if (table->udata == NULL) 1485 goto err_table_udata; 1486 1487 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]); 1488 } 1489 1490 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1491 if (err) 1492 goto err_chain_ht; 1493 1494 INIT_LIST_HEAD(&table->chains); 1495 INIT_LIST_HEAD(&table->sets); 1496 INIT_LIST_HEAD(&table->objects); 1497 INIT_LIST_HEAD(&table->flowtables); 1498 write_pnet(&table->net, net); 1499 table->family = family; 1500 table->flags = flags; 1501 table->handle = ++nft_net->table_handle; 1502 if (table->flags & NFT_TABLE_F_OWNER) 1503 table->nlpid = NETLINK_CB(skb).portid; 1504 1505 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1506 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1507 if (err < 0) 1508 goto err_trans; 1509 1510 list_add_tail_rcu(&table->list, &nft_net->tables); 1511 return 0; 1512 err_trans: 1513 rhltable_destroy(&table->chains_ht); 1514 err_chain_ht: 1515 kfree(table->udata); 1516 err_table_udata: 1517 kfree(table->name); 1518 err_strdup: 1519 kfree(table); 1520 err_kzalloc: 1521 return err; 1522 } 1523 nft_flush_table(struct nft_ctx * ctx)1524 static int nft_flush_table(struct nft_ctx *ctx) 1525 { 1526 struct nft_flowtable *flowtable, *nft; 1527 struct nft_chain *chain, *nc; 1528 struct nft_object *obj, *ne; 1529 struct nft_set *set, *ns; 1530 int err; 1531 1532 list_for_each_entry(chain, &ctx->table->chains, list) { 1533 if (!nft_is_active_next(ctx->net, chain)) 1534 continue; 1535 1536 if (nft_chain_binding(chain)) 1537 continue; 1538 1539 ctx->chain = chain; 1540 1541 err = nft_delrule_by_chain(ctx); 1542 if (err < 0) 1543 goto out; 1544 } 1545 1546 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1547 if (!nft_is_active_next(ctx->net, set)) 1548 continue; 1549 1550 if (nft_set_is_anonymous(set)) 1551 continue; 1552 1553 err = nft_delset(ctx, set); 1554 if (err < 0) 1555 goto out; 1556 } 1557 1558 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1559 if (!nft_is_active_next(ctx->net, flowtable)) 1560 continue; 1561 1562 err = nft_delflowtable(ctx, flowtable); 1563 if (err < 0) 1564 goto out; 1565 } 1566 1567 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1568 if (!nft_is_active_next(ctx->net, obj)) 1569 continue; 1570 1571 err = nft_delobj(ctx, obj); 1572 if (err < 0) 1573 goto out; 1574 } 1575 1576 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1577 if (!nft_is_active_next(ctx->net, chain)) 1578 continue; 1579 1580 if (nft_chain_binding(chain)) 1581 continue; 1582 1583 ctx->chain = chain; 1584 1585 err = nft_delchain(ctx); 1586 if (err < 0) 1587 goto out; 1588 } 1589 1590 err = nft_deltable(ctx); 1591 out: 1592 return err; 1593 } 1594 nft_flush(struct nft_ctx * ctx,int family)1595 static int nft_flush(struct nft_ctx *ctx, int family) 1596 { 1597 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1598 const struct nlattr * const *nla = ctx->nla; 1599 struct nft_table *table, *nt; 1600 int err = 0; 1601 1602 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 1603 if (family != AF_UNSPEC && table->family != family) 1604 continue; 1605 1606 ctx->family = table->family; 1607 1608 if (!nft_is_active_next(ctx->net, table)) 1609 continue; 1610 1611 if (nft_table_has_owner(table) && table->nlpid != ctx->portid) 1612 continue; 1613 1614 if (nla[NFTA_TABLE_NAME] && 1615 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1616 continue; 1617 1618 ctx->table = table; 1619 1620 err = nft_flush_table(ctx); 1621 if (err < 0) 1622 goto out; 1623 } 1624 out: 1625 return err; 1626 } 1627 nf_tables_deltable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1628 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info, 1629 const struct nlattr * const nla[]) 1630 { 1631 struct netlink_ext_ack *extack = info->extack; 1632 u8 genmask = nft_genmask_next(info->net); 1633 u8 family = info->nfmsg->nfgen_family; 1634 struct net *net = info->net; 1635 const struct nlattr *attr; 1636 struct nft_table *table; 1637 struct nft_ctx ctx; 1638 1639 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla); 1640 if (family == AF_UNSPEC || 1641 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1642 return nft_flush(&ctx, family); 1643 1644 if (nla[NFTA_TABLE_HANDLE]) { 1645 attr = nla[NFTA_TABLE_HANDLE]; 1646 table = nft_table_lookup_byhandle(net, attr, family, genmask, 1647 NETLINK_CB(skb).portid); 1648 } else { 1649 attr = nla[NFTA_TABLE_NAME]; 1650 table = nft_table_lookup(net, attr, family, genmask, 1651 NETLINK_CB(skb).portid); 1652 } 1653 1654 if (IS_ERR(table)) { 1655 if (PTR_ERR(table) == -ENOENT && 1656 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE) 1657 return 0; 1658 1659 NL_SET_BAD_ATTR(extack, attr); 1660 return PTR_ERR(table); 1661 } 1662 1663 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 1664 table->use > 0) 1665 return -EBUSY; 1666 1667 ctx.family = family; 1668 ctx.table = table; 1669 1670 return nft_flush_table(&ctx); 1671 } 1672 nf_tables_table_destroy(struct nft_table * table)1673 static void nf_tables_table_destroy(struct nft_table *table) 1674 { 1675 if (WARN_ON(table->use > 0)) 1676 return; 1677 1678 rhltable_destroy(&table->chains_ht); 1679 kfree(table->name); 1680 kfree(table->udata); 1681 kfree(table); 1682 } 1683 nft_register_chain_type(const struct nft_chain_type * ctype)1684 void nft_register_chain_type(const struct nft_chain_type *ctype) 1685 { 1686 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1687 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1688 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1689 return; 1690 } 1691 chain_type[ctype->family][ctype->type] = ctype; 1692 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1693 } 1694 EXPORT_SYMBOL_GPL(nft_register_chain_type); 1695 nft_unregister_chain_type(const struct nft_chain_type * ctype)1696 void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1697 { 1698 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1699 chain_type[ctype->family][ctype->type] = NULL; 1700 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1701 } 1702 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1703 1704 /* 1705 * Chains 1706 */ 1707 1708 static struct nft_chain * nft_chain_lookup_byhandle(const struct nft_table * table,u64 handle,u8 genmask)1709 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1710 { 1711 struct nft_chain *chain; 1712 1713 list_for_each_entry(chain, &table->chains, list) { 1714 if (chain->handle == handle && 1715 nft_active_genmask(chain, genmask)) 1716 return chain; 1717 } 1718 1719 return ERR_PTR(-ENOENT); 1720 } 1721 lockdep_commit_lock_is_held(const struct net * net)1722 static bool lockdep_commit_lock_is_held(const struct net *net) 1723 { 1724 #ifdef CONFIG_PROVE_LOCKING 1725 struct nftables_pernet *nft_net = nft_pernet(net); 1726 1727 return lockdep_is_held(&nft_net->commit_mutex); 1728 #else 1729 return true; 1730 #endif 1731 } 1732 nft_chain_lookup(struct net * net,struct nft_table * table,const struct nlattr * nla,u8 genmask)1733 static struct nft_chain *nft_chain_lookup(struct net *net, 1734 struct nft_table *table, 1735 const struct nlattr *nla, u8 genmask) 1736 { 1737 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1738 struct rhlist_head *tmp, *list; 1739 struct nft_chain *chain; 1740 1741 if (nla == NULL) 1742 return ERR_PTR(-EINVAL); 1743 1744 nla_strscpy(search, nla, sizeof(search)); 1745 1746 WARN_ON(!rcu_read_lock_held() && 1747 !lockdep_commit_lock_is_held(net)); 1748 1749 chain = ERR_PTR(-ENOENT); 1750 rcu_read_lock(); 1751 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1752 if (!list) 1753 goto out_unlock; 1754 1755 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1756 if (nft_active_genmask(chain, genmask)) 1757 goto out_unlock; 1758 } 1759 chain = ERR_PTR(-ENOENT); 1760 out_unlock: 1761 rcu_read_unlock(); 1762 return chain; 1763 } 1764 1765 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1766 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1767 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1768 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1769 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1770 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1771 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1772 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1773 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1774 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1775 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1776 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1777 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1778 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY, 1779 .len = NFT_USERDATA_MAXLEN }, 1780 }; 1781 1782 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1783 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1784 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1785 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1786 .len = IFNAMSIZ - 1 }, 1787 }; 1788 nft_dump_stats(struct sk_buff * skb,struct nft_stats __percpu * stats)1789 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1790 { 1791 struct nft_stats *cpu_stats, total; 1792 struct nlattr *nest; 1793 unsigned int seq; 1794 u64 pkts, bytes; 1795 int cpu; 1796 1797 if (!stats) 1798 return 0; 1799 1800 memset(&total, 0, sizeof(total)); 1801 for_each_possible_cpu(cpu) { 1802 cpu_stats = per_cpu_ptr(stats, cpu); 1803 do { 1804 seq = u64_stats_fetch_begin(&cpu_stats->syncp); 1805 pkts = cpu_stats->pkts; 1806 bytes = cpu_stats->bytes; 1807 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq)); 1808 total.pkts += pkts; 1809 total.bytes += bytes; 1810 } 1811 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1812 if (nest == NULL) 1813 goto nla_put_failure; 1814 1815 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1816 NFTA_COUNTER_PAD) || 1817 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1818 NFTA_COUNTER_PAD)) 1819 goto nla_put_failure; 1820 1821 nla_nest_end(skb, nest); 1822 return 0; 1823 1824 nla_put_failure: 1825 return -ENOSPC; 1826 } 1827 nft_dump_basechain_hook(struct sk_buff * skb,int family,const struct nft_base_chain * basechain,const struct list_head * hook_list)1828 static int nft_dump_basechain_hook(struct sk_buff *skb, int family, 1829 const struct nft_base_chain *basechain, 1830 const struct list_head *hook_list) 1831 { 1832 const struct nf_hook_ops *ops = &basechain->ops; 1833 struct nft_hook *hook, *first = NULL; 1834 struct nlattr *nest, *nest_devs; 1835 int n = 0; 1836 1837 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1838 if (nest == NULL) 1839 goto nla_put_failure; 1840 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1841 goto nla_put_failure; 1842 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1843 goto nla_put_failure; 1844 1845 if (nft_base_chain_netdev(family, ops->hooknum)) { 1846 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1847 if (!nest_devs) 1848 goto nla_put_failure; 1849 1850 if (!hook_list) 1851 hook_list = &basechain->hook_list; 1852 1853 list_for_each_entry_rcu(hook, hook_list, list) { 1854 if (!first) 1855 first = hook; 1856 1857 if (nla_put_string(skb, NFTA_DEVICE_NAME, 1858 hook->ops.dev->name)) 1859 goto nla_put_failure; 1860 n++; 1861 } 1862 nla_nest_end(skb, nest_devs); 1863 1864 if (n == 1 && 1865 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) 1866 goto nla_put_failure; 1867 } 1868 nla_nest_end(skb, nest); 1869 1870 return 0; 1871 nla_put_failure: 1872 return -1; 1873 } 1874 nf_tables_fill_chain_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct list_head * hook_list)1875 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 1876 u32 portid, u32 seq, int event, u32 flags, 1877 int family, const struct nft_table *table, 1878 const struct nft_chain *chain, 1879 const struct list_head *hook_list) 1880 { 1881 struct nlmsghdr *nlh; 1882 1883 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1884 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 1885 NFNETLINK_V0, nft_base_seq(net)); 1886 if (!nlh) 1887 goto nla_put_failure; 1888 1889 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) || 1890 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) || 1891 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 1892 NFTA_CHAIN_PAD)) 1893 goto nla_put_failure; 1894 1895 if (event == NFT_MSG_DELCHAIN && !hook_list) { 1896 nlmsg_end(skb, nlh); 1897 return 0; 1898 } 1899 1900 if (nft_is_base_chain(chain)) { 1901 const struct nft_base_chain *basechain = nft_base_chain(chain); 1902 struct nft_stats __percpu *stats; 1903 1904 if (nft_dump_basechain_hook(skb, family, basechain, hook_list)) 1905 goto nla_put_failure; 1906 1907 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1908 htonl(basechain->policy))) 1909 goto nla_put_failure; 1910 1911 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1912 goto nla_put_failure; 1913 1914 stats = rcu_dereference_check(basechain->stats, 1915 lockdep_commit_lock_is_held(net)); 1916 if (nft_dump_stats(skb, stats)) 1917 goto nla_put_failure; 1918 } 1919 1920 if (chain->flags && 1921 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags))) 1922 goto nla_put_failure; 1923 1924 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1925 goto nla_put_failure; 1926 1927 if (chain->udata && 1928 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata)) 1929 goto nla_put_failure; 1930 1931 nlmsg_end(skb, nlh); 1932 return 0; 1933 1934 nla_put_failure: 1935 nlmsg_trim(skb, nlh); 1936 return -1; 1937 } 1938 nf_tables_chain_notify(const struct nft_ctx * ctx,int event,const struct list_head * hook_list)1939 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event, 1940 const struct list_head *hook_list) 1941 { 1942 struct nftables_pernet *nft_net; 1943 struct sk_buff *skb; 1944 u16 flags = 0; 1945 int err; 1946 1947 if (!ctx->report && 1948 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1949 return; 1950 1951 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1952 if (skb == NULL) 1953 goto err; 1954 1955 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 1956 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 1957 1958 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1959 event, flags, ctx->family, ctx->table, 1960 ctx->chain, hook_list); 1961 if (err < 0) { 1962 kfree_skb(skb); 1963 goto err; 1964 } 1965 1966 nft_net = nft_pernet(ctx->net); 1967 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1968 return; 1969 err: 1970 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1971 } 1972 nf_tables_dump_chains(struct sk_buff * skb,struct netlink_callback * cb)1973 static int nf_tables_dump_chains(struct sk_buff *skb, 1974 struct netlink_callback *cb) 1975 { 1976 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1977 unsigned int idx = 0, s_idx = cb->args[0]; 1978 struct net *net = sock_net(skb->sk); 1979 int family = nfmsg->nfgen_family; 1980 struct nftables_pernet *nft_net; 1981 const struct nft_table *table; 1982 const struct nft_chain *chain; 1983 1984 rcu_read_lock(); 1985 nft_net = nft_pernet(net); 1986 cb->seq = READ_ONCE(nft_net->base_seq); 1987 1988 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1989 if (family != NFPROTO_UNSPEC && family != table->family) 1990 continue; 1991 1992 list_for_each_entry_rcu(chain, &table->chains, list) { 1993 if (idx < s_idx) 1994 goto cont; 1995 if (idx > s_idx) 1996 memset(&cb->args[1], 0, 1997 sizeof(cb->args) - sizeof(cb->args[0])); 1998 if (!nft_is_active(net, chain)) 1999 continue; 2000 if (nf_tables_fill_chain_info(skb, net, 2001 NETLINK_CB(cb->skb).portid, 2002 cb->nlh->nlmsg_seq, 2003 NFT_MSG_NEWCHAIN, 2004 NLM_F_MULTI, 2005 table->family, table, 2006 chain, NULL) < 0) 2007 goto done; 2008 2009 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 2010 cont: 2011 idx++; 2012 } 2013 } 2014 done: 2015 rcu_read_unlock(); 2016 cb->args[0] = idx; 2017 return skb->len; 2018 } 2019 2020 /* called with rcu_read_lock held */ nf_tables_getchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2021 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info, 2022 const struct nlattr * const nla[]) 2023 { 2024 struct netlink_ext_ack *extack = info->extack; 2025 u8 genmask = nft_genmask_cur(info->net); 2026 u8 family = info->nfmsg->nfgen_family; 2027 const struct nft_chain *chain; 2028 struct net *net = info->net; 2029 struct nft_table *table; 2030 struct sk_buff *skb2; 2031 int err; 2032 2033 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 2034 struct netlink_dump_control c = { 2035 .dump = nf_tables_dump_chains, 2036 .module = THIS_MODULE, 2037 }; 2038 2039 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 2040 } 2041 2042 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0); 2043 if (IS_ERR(table)) { 2044 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2045 return PTR_ERR(table); 2046 } 2047 2048 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 2049 if (IS_ERR(chain)) { 2050 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2051 return PTR_ERR(chain); 2052 } 2053 2054 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 2055 if (!skb2) 2056 return -ENOMEM; 2057 2058 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 2059 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 2060 0, family, table, chain, NULL); 2061 if (err < 0) 2062 goto err_fill_chain_info; 2063 2064 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 2065 2066 err_fill_chain_info: 2067 kfree_skb(skb2); 2068 return err; 2069 } 2070 2071 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 2072 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 2073 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 2074 }; 2075 nft_stats_alloc(const struct nlattr * attr)2076 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 2077 { 2078 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 2079 struct nft_stats __percpu *newstats; 2080 struct nft_stats *stats; 2081 int err; 2082 2083 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 2084 nft_counter_policy, NULL); 2085 if (err < 0) 2086 return ERR_PTR(err); 2087 2088 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 2089 return ERR_PTR(-EINVAL); 2090 2091 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 2092 if (newstats == NULL) 2093 return ERR_PTR(-ENOMEM); 2094 2095 /* Restore old counters on this cpu, no problem. Per-cpu statistics 2096 * are not exposed to userspace. 2097 */ 2098 preempt_disable(); 2099 stats = this_cpu_ptr(newstats); 2100 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 2101 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 2102 preempt_enable(); 2103 2104 return newstats; 2105 } 2106 nft_chain_stats_replace(struct nft_trans_chain * trans)2107 static void nft_chain_stats_replace(struct nft_trans_chain *trans) 2108 { 2109 const struct nft_trans *t = &trans->nft_trans_binding.nft_trans; 2110 struct nft_base_chain *chain = nft_base_chain(trans->chain); 2111 2112 if (!trans->stats) 2113 return; 2114 2115 trans->stats = 2116 rcu_replace_pointer(chain->stats, trans->stats, 2117 lockdep_commit_lock_is_held(t->net)); 2118 2119 if (!trans->stats) 2120 static_branch_inc(&nft_counters_enabled); 2121 } 2122 nf_tables_chain_free_chain_rules(struct nft_chain * chain)2123 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 2124 { 2125 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0); 2126 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1); 2127 2128 if (g0 != g1) 2129 kvfree(g1); 2130 kvfree(g0); 2131 2132 /* should be NULL either via abort or via successful commit */ 2133 WARN_ON_ONCE(chain->blob_next); 2134 kvfree(chain->blob_next); 2135 } 2136 nf_tables_chain_destroy(struct nft_chain * chain)2137 void nf_tables_chain_destroy(struct nft_chain *chain) 2138 { 2139 const struct nft_table *table = chain->table; 2140 struct nft_hook *hook, *next; 2141 2142 if (WARN_ON(chain->use > 0)) 2143 return; 2144 2145 /* no concurrent access possible anymore */ 2146 nf_tables_chain_free_chain_rules(chain); 2147 2148 if (nft_is_base_chain(chain)) { 2149 struct nft_base_chain *basechain = nft_base_chain(chain); 2150 2151 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) { 2152 list_for_each_entry_safe(hook, next, 2153 &basechain->hook_list, list) { 2154 list_del_rcu(&hook->list); 2155 kfree_rcu(hook, rcu); 2156 } 2157 } 2158 module_put(basechain->type->owner); 2159 if (rcu_access_pointer(basechain->stats)) { 2160 static_branch_dec(&nft_counters_enabled); 2161 free_percpu(rcu_dereference_raw(basechain->stats)); 2162 } 2163 kfree(chain->name); 2164 kfree(chain->udata); 2165 kfree(basechain); 2166 } else { 2167 kfree(chain->name); 2168 kfree(chain->udata); 2169 kfree(chain); 2170 } 2171 } 2172 nft_netdev_hook_alloc(struct net * net,const struct nlattr * attr)2173 static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 2174 const struct nlattr *attr) 2175 { 2176 struct net_device *dev; 2177 char ifname[IFNAMSIZ]; 2178 struct nft_hook *hook; 2179 int err; 2180 2181 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT); 2182 if (!hook) { 2183 err = -ENOMEM; 2184 goto err_hook_alloc; 2185 } 2186 2187 nla_strscpy(ifname, attr, IFNAMSIZ); 2188 /* nf_tables_netdev_event() is called under rtnl_mutex, this is 2189 * indirectly serializing all the other holders of the commit_mutex with 2190 * the rtnl_mutex. 2191 */ 2192 dev = __dev_get_by_name(net, ifname); 2193 if (!dev) { 2194 err = -ENOENT; 2195 goto err_hook_dev; 2196 } 2197 hook->ops.dev = dev; 2198 2199 return hook; 2200 2201 err_hook_dev: 2202 kfree(hook); 2203 err_hook_alloc: 2204 return ERR_PTR(err); 2205 } 2206 nft_hook_list_find(struct list_head * hook_list,const struct nft_hook * this)2207 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, 2208 const struct nft_hook *this) 2209 { 2210 struct nft_hook *hook; 2211 2212 list_for_each_entry(hook, hook_list, list) { 2213 if (this->ops.dev == hook->ops.dev) 2214 return hook; 2215 } 2216 2217 return NULL; 2218 } 2219 nf_tables_parse_netdev_hooks(struct net * net,const struct nlattr * attr,struct list_head * hook_list,struct netlink_ext_ack * extack)2220 static int nf_tables_parse_netdev_hooks(struct net *net, 2221 const struct nlattr *attr, 2222 struct list_head *hook_list, 2223 struct netlink_ext_ack *extack) 2224 { 2225 struct nft_hook *hook, *next; 2226 const struct nlattr *tmp; 2227 int rem, n = 0, err; 2228 2229 nla_for_each_nested(tmp, attr, rem) { 2230 if (nla_type(tmp) != NFTA_DEVICE_NAME) { 2231 err = -EINVAL; 2232 goto err_hook; 2233 } 2234 2235 hook = nft_netdev_hook_alloc(net, tmp); 2236 if (IS_ERR(hook)) { 2237 NL_SET_BAD_ATTR(extack, tmp); 2238 err = PTR_ERR(hook); 2239 goto err_hook; 2240 } 2241 if (nft_hook_list_find(hook_list, hook)) { 2242 NL_SET_BAD_ATTR(extack, tmp); 2243 kfree(hook); 2244 err = -EEXIST; 2245 goto err_hook; 2246 } 2247 list_add_tail(&hook->list, hook_list); 2248 n++; 2249 2250 if (n == NFT_NETDEVICE_MAX) { 2251 err = -EFBIG; 2252 goto err_hook; 2253 } 2254 } 2255 2256 return 0; 2257 2258 err_hook: 2259 list_for_each_entry_safe(hook, next, hook_list, list) { 2260 list_del(&hook->list); 2261 kfree(hook); 2262 } 2263 return err; 2264 } 2265 2266 struct nft_chain_hook { 2267 u32 num; 2268 s32 priority; 2269 const struct nft_chain_type *type; 2270 struct list_head list; 2271 }; 2272 nft_chain_parse_netdev(struct net * net,struct nlattr * tb[],struct list_head * hook_list,struct netlink_ext_ack * extack,u32 flags)2273 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[], 2274 struct list_head *hook_list, 2275 struct netlink_ext_ack *extack, u32 flags) 2276 { 2277 struct nft_hook *hook; 2278 int err; 2279 2280 if (tb[NFTA_HOOK_DEV]) { 2281 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); 2282 if (IS_ERR(hook)) { 2283 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]); 2284 return PTR_ERR(hook); 2285 } 2286 2287 list_add_tail(&hook->list, hook_list); 2288 } else if (tb[NFTA_HOOK_DEVS]) { 2289 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 2290 hook_list, extack); 2291 if (err < 0) 2292 return err; 2293 2294 } 2295 2296 if (flags & NFT_CHAIN_HW_OFFLOAD && 2297 list_empty(hook_list)) 2298 return -EINVAL; 2299 2300 return 0; 2301 } 2302 nft_chain_parse_hook(struct net * net,struct nft_base_chain * basechain,const struct nlattr * const nla[],struct nft_chain_hook * hook,u8 family,u32 flags,struct netlink_ext_ack * extack)2303 static int nft_chain_parse_hook(struct net *net, 2304 struct nft_base_chain *basechain, 2305 const struct nlattr * const nla[], 2306 struct nft_chain_hook *hook, u8 family, 2307 u32 flags, struct netlink_ext_ack *extack) 2308 { 2309 struct nftables_pernet *nft_net = nft_pernet(net); 2310 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 2311 const struct nft_chain_type *type; 2312 int err; 2313 2314 lockdep_assert_held(&nft_net->commit_mutex); 2315 lockdep_nfnl_nft_mutex_not_held(); 2316 2317 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 2318 nla[NFTA_CHAIN_HOOK], 2319 nft_hook_policy, NULL); 2320 if (err < 0) 2321 return err; 2322 2323 if (!basechain) { 2324 if (!ha[NFTA_HOOK_HOOKNUM] || 2325 !ha[NFTA_HOOK_PRIORITY]) { 2326 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2327 return -ENOENT; 2328 } 2329 2330 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 2331 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 2332 2333 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 2334 if (!type) 2335 return -EOPNOTSUPP; 2336 2337 if (nla[NFTA_CHAIN_TYPE]) { 2338 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 2339 family, true); 2340 if (IS_ERR(type)) { 2341 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2342 return PTR_ERR(type); 2343 } 2344 } 2345 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 2346 return -EOPNOTSUPP; 2347 2348 if (type->type == NFT_CHAIN_T_NAT && 2349 hook->priority <= NF_IP_PRI_CONNTRACK) 2350 return -EOPNOTSUPP; 2351 } else { 2352 if (ha[NFTA_HOOK_HOOKNUM]) { 2353 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 2354 if (hook->num != basechain->ops.hooknum) 2355 return -EOPNOTSUPP; 2356 } 2357 if (ha[NFTA_HOOK_PRIORITY]) { 2358 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 2359 if (hook->priority != basechain->ops.priority) 2360 return -EOPNOTSUPP; 2361 } 2362 2363 if (nla[NFTA_CHAIN_TYPE]) { 2364 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE], 2365 family); 2366 if (!type) { 2367 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2368 return -ENOENT; 2369 } 2370 } else { 2371 type = basechain->type; 2372 } 2373 } 2374 2375 if (!try_module_get(type->owner)) { 2376 if (nla[NFTA_CHAIN_TYPE]) 2377 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2378 return -ENOENT; 2379 } 2380 2381 hook->type = type; 2382 2383 INIT_LIST_HEAD(&hook->list); 2384 if (nft_base_chain_netdev(family, hook->num)) { 2385 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags); 2386 if (err < 0) { 2387 module_put(type->owner); 2388 return err; 2389 } 2390 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 2391 module_put(type->owner); 2392 return -EOPNOTSUPP; 2393 } 2394 2395 return 0; 2396 } 2397 nft_chain_release_hook(struct nft_chain_hook * hook)2398 static void nft_chain_release_hook(struct nft_chain_hook *hook) 2399 { 2400 struct nft_hook *h, *next; 2401 2402 list_for_each_entry_safe(h, next, &hook->list, list) { 2403 list_del(&h->list); 2404 kfree(h); 2405 } 2406 module_put(hook->type->owner); 2407 } 2408 nft_last_rule(const struct nft_chain * chain,const void * ptr)2409 static void nft_last_rule(const struct nft_chain *chain, const void *ptr) 2410 { 2411 struct nft_rule_dp_last *lrule; 2412 2413 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0); 2414 2415 lrule = (struct nft_rule_dp_last *)ptr; 2416 lrule->end.is_last = 1; 2417 lrule->chain = chain; 2418 /* blob size does not include the trailer rule */ 2419 } 2420 nf_tables_chain_alloc_rules(const struct nft_chain * chain,unsigned int size)2421 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain, 2422 unsigned int size) 2423 { 2424 struct nft_rule_blob *blob; 2425 2426 if (size > INT_MAX) 2427 return NULL; 2428 2429 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last); 2430 2431 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT); 2432 if (!blob) 2433 return NULL; 2434 2435 blob->size = 0; 2436 nft_last_rule(chain, blob->data); 2437 2438 return blob; 2439 } 2440 nft_basechain_hook_init(struct nf_hook_ops * ops,u8 family,const struct nft_chain_hook * hook,struct nft_chain * chain)2441 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 2442 const struct nft_chain_hook *hook, 2443 struct nft_chain *chain) 2444 { 2445 ops->pf = family; 2446 ops->hooknum = hook->num; 2447 ops->priority = hook->priority; 2448 ops->priv = chain; 2449 ops->hook = hook->type->hooks[ops->hooknum]; 2450 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES; 2451 } 2452 nft_basechain_init(struct nft_base_chain * basechain,u8 family,struct nft_chain_hook * hook,u32 flags)2453 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 2454 struct nft_chain_hook *hook, u32 flags) 2455 { 2456 struct nft_chain *chain; 2457 struct nft_hook *h; 2458 2459 basechain->type = hook->type; 2460 INIT_LIST_HEAD(&basechain->hook_list); 2461 chain = &basechain->chain; 2462 2463 if (nft_base_chain_netdev(family, hook->num)) { 2464 list_splice_init(&hook->list, &basechain->hook_list); 2465 list_for_each_entry(h, &basechain->hook_list, list) 2466 nft_basechain_hook_init(&h->ops, family, hook, chain); 2467 } 2468 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 2469 2470 chain->flags |= NFT_CHAIN_BASE | flags; 2471 basechain->policy = NF_ACCEPT; 2472 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 2473 !nft_chain_offload_support(basechain)) { 2474 list_splice_init(&basechain->hook_list, &hook->list); 2475 return -EOPNOTSUPP; 2476 } 2477 2478 flow_block_init(&basechain->flow_block); 2479 2480 return 0; 2481 } 2482 nft_chain_add(struct nft_table * table,struct nft_chain * chain)2483 int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 2484 { 2485 int err; 2486 2487 err = rhltable_insert_key(&table->chains_ht, chain->name, 2488 &chain->rhlhead, nft_chain_ht_params); 2489 if (err) 2490 return err; 2491 2492 list_add_tail_rcu(&chain->list, &table->chains); 2493 2494 return 0; 2495 } 2496 2497 static u64 chain_id; 2498 nf_tables_addchain(struct nft_ctx * ctx,u8 family,u8 genmask,u8 policy,u32 flags,struct netlink_ext_ack * extack)2499 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 2500 u8 policy, u32 flags, 2501 struct netlink_ext_ack *extack) 2502 { 2503 const struct nlattr * const *nla = ctx->nla; 2504 struct nft_table *table = ctx->table; 2505 struct nft_base_chain *basechain; 2506 struct net *net = ctx->net; 2507 char name[NFT_NAME_MAXLEN]; 2508 struct nft_rule_blob *blob; 2509 struct nft_trans *trans; 2510 struct nft_chain *chain; 2511 int err; 2512 2513 if (nla[NFTA_CHAIN_HOOK]) { 2514 struct nft_stats __percpu *stats = NULL; 2515 struct nft_chain_hook hook = {}; 2516 2517 if (table->flags & __NFT_TABLE_F_UPDATE) 2518 return -EINVAL; 2519 2520 if (flags & NFT_CHAIN_BINDING) 2521 return -EOPNOTSUPP; 2522 2523 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags, 2524 extack); 2525 if (err < 0) 2526 return err; 2527 2528 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT); 2529 if (basechain == NULL) { 2530 nft_chain_release_hook(&hook); 2531 return -ENOMEM; 2532 } 2533 chain = &basechain->chain; 2534 2535 if (nla[NFTA_CHAIN_COUNTERS]) { 2536 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2537 if (IS_ERR(stats)) { 2538 nft_chain_release_hook(&hook); 2539 kfree(basechain); 2540 return PTR_ERR(stats); 2541 } 2542 rcu_assign_pointer(basechain->stats, stats); 2543 } 2544 2545 err = nft_basechain_init(basechain, family, &hook, flags); 2546 if (err < 0) { 2547 nft_chain_release_hook(&hook); 2548 kfree(basechain); 2549 free_percpu(stats); 2550 return err; 2551 } 2552 if (stats) 2553 static_branch_inc(&nft_counters_enabled); 2554 } else { 2555 if (flags & NFT_CHAIN_BASE) 2556 return -EINVAL; 2557 if (flags & NFT_CHAIN_HW_OFFLOAD) 2558 return -EOPNOTSUPP; 2559 2560 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT); 2561 if (chain == NULL) 2562 return -ENOMEM; 2563 2564 chain->flags = flags; 2565 } 2566 ctx->chain = chain; 2567 2568 INIT_LIST_HEAD(&chain->rules); 2569 chain->handle = nf_tables_alloc_handle(table); 2570 chain->table = table; 2571 2572 if (nla[NFTA_CHAIN_NAME]) { 2573 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2574 } else { 2575 if (!(flags & NFT_CHAIN_BINDING)) { 2576 err = -EINVAL; 2577 goto err_destroy_chain; 2578 } 2579 2580 snprintf(name, sizeof(name), "__chain%llu", ++chain_id); 2581 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT); 2582 } 2583 2584 if (!chain->name) { 2585 err = -ENOMEM; 2586 goto err_destroy_chain; 2587 } 2588 2589 if (nla[NFTA_CHAIN_USERDATA]) { 2590 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT); 2591 if (chain->udata == NULL) { 2592 err = -ENOMEM; 2593 goto err_destroy_chain; 2594 } 2595 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]); 2596 } 2597 2598 blob = nf_tables_chain_alloc_rules(chain, 0); 2599 if (!blob) { 2600 err = -ENOMEM; 2601 goto err_destroy_chain; 2602 } 2603 2604 RCU_INIT_POINTER(chain->blob_gen_0, blob); 2605 RCU_INIT_POINTER(chain->blob_gen_1, blob); 2606 2607 if (!nft_use_inc(&table->use)) { 2608 err = -EMFILE; 2609 goto err_destroy_chain; 2610 } 2611 2612 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 2613 if (IS_ERR(trans)) { 2614 err = PTR_ERR(trans); 2615 goto err_trans; 2616 } 2617 2618 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 2619 if (nft_is_base_chain(chain)) 2620 nft_trans_chain_policy(trans) = policy; 2621 2622 err = nft_chain_add(table, chain); 2623 if (err < 0) 2624 goto err_chain_add; 2625 2626 /* This must be LAST to ensure no packets are walking over this chain. */ 2627 err = nf_tables_register_hook(net, table, chain); 2628 if (err < 0) 2629 goto err_register_hook; 2630 2631 return 0; 2632 2633 err_register_hook: 2634 nft_chain_del(chain); 2635 err_chain_add: 2636 nft_trans_destroy(trans); 2637 err_trans: 2638 nft_use_dec_restore(&table->use); 2639 err_destroy_chain: 2640 nf_tables_chain_destroy(chain); 2641 2642 return err; 2643 } 2644 nf_tables_updchain(struct nft_ctx * ctx,u8 genmask,u8 policy,u32 flags,const struct nlattr * attr,struct netlink_ext_ack * extack)2645 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2646 u32 flags, const struct nlattr *attr, 2647 struct netlink_ext_ack *extack) 2648 { 2649 const struct nlattr * const *nla = ctx->nla; 2650 struct nft_base_chain *basechain = NULL; 2651 struct nft_table *table = ctx->table; 2652 struct nft_chain *chain = ctx->chain; 2653 struct nft_chain_hook hook = {}; 2654 struct nft_stats *stats = NULL; 2655 struct nft_hook *h, *next; 2656 struct nf_hook_ops *ops; 2657 struct nft_trans *trans; 2658 bool unregister = false; 2659 int err; 2660 2661 if (chain->flags ^ flags) 2662 return -EOPNOTSUPP; 2663 2664 INIT_LIST_HEAD(&hook.list); 2665 2666 if (nla[NFTA_CHAIN_HOOK]) { 2667 if (!nft_is_base_chain(chain)) { 2668 NL_SET_BAD_ATTR(extack, attr); 2669 return -EEXIST; 2670 } 2671 2672 basechain = nft_base_chain(chain); 2673 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook, 2674 ctx->family, flags, extack); 2675 if (err < 0) 2676 return err; 2677 2678 if (basechain->type != hook.type) { 2679 nft_chain_release_hook(&hook); 2680 NL_SET_BAD_ATTR(extack, attr); 2681 return -EEXIST; 2682 } 2683 2684 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) { 2685 list_for_each_entry_safe(h, next, &hook.list, list) { 2686 h->ops.pf = basechain->ops.pf; 2687 h->ops.hooknum = basechain->ops.hooknum; 2688 h->ops.priority = basechain->ops.priority; 2689 h->ops.priv = basechain->ops.priv; 2690 h->ops.hook = basechain->ops.hook; 2691 2692 if (nft_hook_list_find(&basechain->hook_list, h)) { 2693 list_del(&h->list); 2694 kfree(h); 2695 } 2696 } 2697 } else { 2698 ops = &basechain->ops; 2699 if (ops->hooknum != hook.num || 2700 ops->priority != hook.priority) { 2701 nft_chain_release_hook(&hook); 2702 NL_SET_BAD_ATTR(extack, attr); 2703 return -EEXIST; 2704 } 2705 } 2706 } 2707 2708 if (nla[NFTA_CHAIN_HANDLE] && 2709 nla[NFTA_CHAIN_NAME]) { 2710 struct nft_chain *chain2; 2711 2712 chain2 = nft_chain_lookup(ctx->net, table, 2713 nla[NFTA_CHAIN_NAME], genmask); 2714 if (!IS_ERR(chain2)) { 2715 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2716 err = -EEXIST; 2717 goto err_hooks; 2718 } 2719 } 2720 2721 if (table->flags & __NFT_TABLE_F_UPDATE && 2722 !list_empty(&hook.list)) { 2723 NL_SET_BAD_ATTR(extack, attr); 2724 err = -EOPNOTSUPP; 2725 goto err_hooks; 2726 } 2727 2728 if (!(table->flags & NFT_TABLE_F_DORMANT) && 2729 nft_is_base_chain(chain) && 2730 !list_empty(&hook.list)) { 2731 basechain = nft_base_chain(chain); 2732 ops = &basechain->ops; 2733 2734 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) { 2735 err = nft_netdev_register_hooks(ctx->net, &hook.list); 2736 if (err < 0) 2737 goto err_hooks; 2738 } 2739 } 2740 2741 unregister = true; 2742 2743 if (nla[NFTA_CHAIN_COUNTERS]) { 2744 if (!nft_is_base_chain(chain)) { 2745 err = -EOPNOTSUPP; 2746 goto err_hooks; 2747 } 2748 2749 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2750 if (IS_ERR(stats)) { 2751 err = PTR_ERR(stats); 2752 goto err_hooks; 2753 } 2754 } 2755 2756 err = -ENOMEM; 2757 trans = nft_trans_alloc_chain(ctx, NFT_MSG_NEWCHAIN); 2758 if (trans == NULL) 2759 goto err_trans; 2760 2761 nft_trans_chain_stats(trans) = stats; 2762 nft_trans_chain_update(trans) = true; 2763 2764 if (nla[NFTA_CHAIN_POLICY]) 2765 nft_trans_chain_policy(trans) = policy; 2766 else 2767 nft_trans_chain_policy(trans) = -1; 2768 2769 if (nla[NFTA_CHAIN_HANDLE] && 2770 nla[NFTA_CHAIN_NAME]) { 2771 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 2772 struct nft_trans *tmp; 2773 char *name; 2774 2775 err = -ENOMEM; 2776 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2777 if (!name) 2778 goto err_trans; 2779 2780 err = -EEXIST; 2781 list_for_each_entry(tmp, &nft_net->commit_list, list) { 2782 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2783 tmp->table == table && 2784 nft_trans_chain_update(tmp) && 2785 nft_trans_chain_name(tmp) && 2786 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2787 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2788 kfree(name); 2789 goto err_trans; 2790 } 2791 } 2792 2793 nft_trans_chain_name(trans) = name; 2794 } 2795 2796 nft_trans_basechain(trans) = basechain; 2797 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans)); 2798 list_splice(&hook.list, &nft_trans_chain_hooks(trans)); 2799 if (nla[NFTA_CHAIN_HOOK]) 2800 module_put(hook.type->owner); 2801 2802 nft_trans_commit_list_add_tail(ctx->net, trans); 2803 2804 return 0; 2805 2806 err_trans: 2807 free_percpu(stats); 2808 kfree(trans); 2809 err_hooks: 2810 if (nla[NFTA_CHAIN_HOOK]) { 2811 list_for_each_entry_safe(h, next, &hook.list, list) { 2812 if (unregister) 2813 nf_unregister_net_hook(ctx->net, &h->ops); 2814 list_del(&h->list); 2815 kfree_rcu(h, rcu); 2816 } 2817 module_put(hook.type->owner); 2818 } 2819 2820 return err; 2821 } 2822 nft_chain_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)2823 static struct nft_chain *nft_chain_lookup_byid(const struct net *net, 2824 const struct nft_table *table, 2825 const struct nlattr *nla, u8 genmask) 2826 { 2827 struct nftables_pernet *nft_net = nft_pernet(net); 2828 u32 id = ntohl(nla_get_be32(nla)); 2829 struct nft_trans *trans; 2830 2831 list_for_each_entry(trans, &nft_net->commit_list, list) { 2832 if (trans->msg_type == NFT_MSG_NEWCHAIN && 2833 nft_trans_chain(trans)->table == table && 2834 id == nft_trans_chain_id(trans) && 2835 nft_active_genmask(nft_trans_chain(trans), genmask)) 2836 return nft_trans_chain(trans); 2837 } 2838 return ERR_PTR(-ENOENT); 2839 } 2840 nf_tables_newchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2841 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info, 2842 const struct nlattr * const nla[]) 2843 { 2844 struct nftables_pernet *nft_net = nft_pernet(info->net); 2845 struct netlink_ext_ack *extack = info->extack; 2846 u8 genmask = nft_genmask_next(info->net); 2847 u8 family = info->nfmsg->nfgen_family; 2848 struct nft_chain *chain = NULL; 2849 struct net *net = info->net; 2850 const struct nlattr *attr; 2851 struct nft_table *table; 2852 u8 policy = NF_ACCEPT; 2853 struct nft_ctx ctx; 2854 u64 handle = 0; 2855 u32 flags = 0; 2856 2857 lockdep_assert_held(&nft_net->commit_mutex); 2858 2859 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2860 NETLINK_CB(skb).portid); 2861 if (IS_ERR(table)) { 2862 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2863 return PTR_ERR(table); 2864 } 2865 2866 chain = NULL; 2867 attr = nla[NFTA_CHAIN_NAME]; 2868 2869 if (nla[NFTA_CHAIN_HANDLE]) { 2870 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 2871 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2872 if (IS_ERR(chain)) { 2873 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 2874 return PTR_ERR(chain); 2875 } 2876 attr = nla[NFTA_CHAIN_HANDLE]; 2877 } else if (nla[NFTA_CHAIN_NAME]) { 2878 chain = nft_chain_lookup(net, table, attr, genmask); 2879 if (IS_ERR(chain)) { 2880 if (PTR_ERR(chain) != -ENOENT) { 2881 NL_SET_BAD_ATTR(extack, attr); 2882 return PTR_ERR(chain); 2883 } 2884 chain = NULL; 2885 } 2886 } else if (!nla[NFTA_CHAIN_ID]) { 2887 return -EINVAL; 2888 } 2889 2890 if (nla[NFTA_CHAIN_POLICY]) { 2891 if (chain != NULL && 2892 !nft_is_base_chain(chain)) { 2893 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2894 return -EOPNOTSUPP; 2895 } 2896 2897 if (chain == NULL && 2898 nla[NFTA_CHAIN_HOOK] == NULL) { 2899 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2900 return -EOPNOTSUPP; 2901 } 2902 2903 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 2904 switch (policy) { 2905 case NF_DROP: 2906 case NF_ACCEPT: 2907 break; 2908 default: 2909 return -EINVAL; 2910 } 2911 } 2912 2913 if (nla[NFTA_CHAIN_FLAGS]) 2914 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 2915 else if (chain) 2916 flags = chain->flags; 2917 2918 if (flags & ~NFT_CHAIN_FLAGS) 2919 return -EOPNOTSUPP; 2920 2921 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2922 2923 if (chain != NULL) { 2924 if (chain->flags & NFT_CHAIN_BINDING) 2925 return -EINVAL; 2926 2927 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 2928 NL_SET_BAD_ATTR(extack, attr); 2929 return -EEXIST; 2930 } 2931 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 2932 return -EOPNOTSUPP; 2933 2934 flags |= chain->flags & NFT_CHAIN_BASE; 2935 return nf_tables_updchain(&ctx, genmask, policy, flags, attr, 2936 extack); 2937 } 2938 2939 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack); 2940 } 2941 nft_delchain_hook(struct nft_ctx * ctx,struct nft_base_chain * basechain,struct netlink_ext_ack * extack)2942 static int nft_delchain_hook(struct nft_ctx *ctx, 2943 struct nft_base_chain *basechain, 2944 struct netlink_ext_ack *extack) 2945 { 2946 const struct nft_chain *chain = &basechain->chain; 2947 const struct nlattr * const *nla = ctx->nla; 2948 struct nft_chain_hook chain_hook = {}; 2949 struct nft_hook *this, *hook; 2950 LIST_HEAD(chain_del_list); 2951 struct nft_trans *trans; 2952 int err; 2953 2954 if (ctx->table->flags & __NFT_TABLE_F_UPDATE) 2955 return -EOPNOTSUPP; 2956 2957 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook, 2958 ctx->family, chain->flags, extack); 2959 if (err < 0) 2960 return err; 2961 2962 list_for_each_entry(this, &chain_hook.list, list) { 2963 hook = nft_hook_list_find(&basechain->hook_list, this); 2964 if (!hook) { 2965 err = -ENOENT; 2966 goto err_chain_del_hook; 2967 } 2968 list_move(&hook->list, &chain_del_list); 2969 } 2970 2971 trans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN); 2972 if (!trans) { 2973 err = -ENOMEM; 2974 goto err_chain_del_hook; 2975 } 2976 2977 nft_trans_basechain(trans) = basechain; 2978 nft_trans_chain_update(trans) = true; 2979 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans)); 2980 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans)); 2981 nft_chain_release_hook(&chain_hook); 2982 2983 nft_trans_commit_list_add_tail(ctx->net, trans); 2984 2985 return 0; 2986 2987 err_chain_del_hook: 2988 list_splice(&chain_del_list, &basechain->hook_list); 2989 nft_chain_release_hook(&chain_hook); 2990 2991 return err; 2992 } 2993 nf_tables_delchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2994 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info, 2995 const struct nlattr * const nla[]) 2996 { 2997 struct netlink_ext_ack *extack = info->extack; 2998 u8 genmask = nft_genmask_next(info->net); 2999 u8 family = info->nfmsg->nfgen_family; 3000 struct net *net = info->net; 3001 const struct nlattr *attr; 3002 struct nft_table *table; 3003 struct nft_chain *chain; 3004 struct nft_rule *rule; 3005 struct nft_ctx ctx; 3006 u64 handle; 3007 u32 use; 3008 int err; 3009 3010 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 3011 NETLINK_CB(skb).portid); 3012 if (IS_ERR(table)) { 3013 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 3014 return PTR_ERR(table); 3015 } 3016 3017 if (nla[NFTA_CHAIN_HANDLE]) { 3018 attr = nla[NFTA_CHAIN_HANDLE]; 3019 handle = be64_to_cpu(nla_get_be64(attr)); 3020 chain = nft_chain_lookup_byhandle(table, handle, genmask); 3021 } else { 3022 attr = nla[NFTA_CHAIN_NAME]; 3023 chain = nft_chain_lookup(net, table, attr, genmask); 3024 } 3025 if (IS_ERR(chain)) { 3026 if (PTR_ERR(chain) == -ENOENT && 3027 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN) 3028 return 0; 3029 3030 NL_SET_BAD_ATTR(extack, attr); 3031 return PTR_ERR(chain); 3032 } 3033 3034 if (nft_chain_binding(chain)) 3035 return -EOPNOTSUPP; 3036 3037 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3038 3039 if (nla[NFTA_CHAIN_HOOK]) { 3040 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN || 3041 chain->flags & NFT_CHAIN_HW_OFFLOAD) 3042 return -EOPNOTSUPP; 3043 3044 if (nft_is_base_chain(chain)) { 3045 struct nft_base_chain *basechain = nft_base_chain(chain); 3046 3047 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 3048 return nft_delchain_hook(&ctx, basechain, extack); 3049 } 3050 } 3051 3052 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 3053 chain->use > 0) 3054 return -EBUSY; 3055 3056 use = chain->use; 3057 list_for_each_entry(rule, &chain->rules, list) { 3058 if (!nft_is_active_next(net, rule)) 3059 continue; 3060 use--; 3061 3062 err = nft_delrule(&ctx, rule); 3063 if (err < 0) 3064 return err; 3065 } 3066 3067 /* There are rules and elements that are still holding references to us, 3068 * we cannot do a recursive removal in this case. 3069 */ 3070 if (use > 0) { 3071 NL_SET_BAD_ATTR(extack, attr); 3072 return -EBUSY; 3073 } 3074 3075 return nft_delchain(&ctx); 3076 } 3077 3078 /* 3079 * Expressions 3080 */ 3081 3082 /** 3083 * nft_register_expr - register nf_tables expr type 3084 * @type: expr type 3085 * 3086 * Registers the expr type for use with nf_tables. Returns zero on 3087 * success or a negative errno code otherwise. 3088 */ nft_register_expr(struct nft_expr_type * type)3089 int nft_register_expr(struct nft_expr_type *type) 3090 { 3091 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR)) 3092 return -ENOMEM; 3093 3094 nfnl_lock(NFNL_SUBSYS_NFTABLES); 3095 if (type->family == NFPROTO_UNSPEC) 3096 list_add_tail_rcu(&type->list, &nf_tables_expressions); 3097 else 3098 list_add_rcu(&type->list, &nf_tables_expressions); 3099 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3100 return 0; 3101 } 3102 EXPORT_SYMBOL_GPL(nft_register_expr); 3103 3104 /** 3105 * nft_unregister_expr - unregister nf_tables expr type 3106 * @type: expr type 3107 * 3108 * Unregisters the expr typefor use with nf_tables. 3109 */ nft_unregister_expr(struct nft_expr_type * type)3110 void nft_unregister_expr(struct nft_expr_type *type) 3111 { 3112 nfnl_lock(NFNL_SUBSYS_NFTABLES); 3113 list_del_rcu(&type->list); 3114 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3115 } 3116 EXPORT_SYMBOL_GPL(nft_unregister_expr); 3117 __nft_expr_type_get(u8 family,struct nlattr * nla)3118 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 3119 struct nlattr *nla) 3120 { 3121 const struct nft_expr_type *type, *candidate = NULL; 3122 3123 list_for_each_entry_rcu(type, &nf_tables_expressions, list) { 3124 if (!nla_strcmp(nla, type->name)) { 3125 if (!type->family && !candidate) 3126 candidate = type; 3127 else if (type->family == family) 3128 candidate = type; 3129 } 3130 } 3131 return candidate; 3132 } 3133 3134 #ifdef CONFIG_MODULES nft_expr_type_request_module(struct net * net,u8 family,struct nlattr * nla)3135 static int nft_expr_type_request_module(struct net *net, u8 family, 3136 struct nlattr *nla) 3137 { 3138 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 3139 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 3140 return -EAGAIN; 3141 3142 return 0; 3143 } 3144 #endif 3145 nft_expr_type_get(struct net * net,u8 family,struct nlattr * nla)3146 static const struct nft_expr_type *nft_expr_type_get(struct net *net, 3147 u8 family, 3148 struct nlattr *nla) 3149 { 3150 const struct nft_expr_type *type; 3151 3152 if (nla == NULL) 3153 return ERR_PTR(-EINVAL); 3154 3155 rcu_read_lock(); 3156 type = __nft_expr_type_get(family, nla); 3157 if (type != NULL && try_module_get(type->owner)) { 3158 rcu_read_unlock(); 3159 return type; 3160 } 3161 rcu_read_unlock(); 3162 3163 lockdep_nfnl_nft_mutex_not_held(); 3164 #ifdef CONFIG_MODULES 3165 if (type == NULL) { 3166 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 3167 return ERR_PTR(-EAGAIN); 3168 3169 if (nft_request_module(net, "nft-expr-%.*s", 3170 nla_len(nla), 3171 (char *)nla_data(nla)) == -EAGAIN) 3172 return ERR_PTR(-EAGAIN); 3173 } 3174 #endif 3175 return ERR_PTR(-ENOENT); 3176 } 3177 3178 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 3179 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 3180 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 3181 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 3182 }; 3183 nf_tables_fill_expr_info(struct sk_buff * skb,const struct nft_expr * expr,bool reset)3184 static int nf_tables_fill_expr_info(struct sk_buff *skb, 3185 const struct nft_expr *expr, bool reset) 3186 { 3187 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 3188 goto nla_put_failure; 3189 3190 if (expr->ops->dump) { 3191 struct nlattr *data = nla_nest_start_noflag(skb, 3192 NFTA_EXPR_DATA); 3193 if (data == NULL) 3194 goto nla_put_failure; 3195 if (expr->ops->dump(skb, expr, reset) < 0) 3196 goto nla_put_failure; 3197 nla_nest_end(skb, data); 3198 } 3199 3200 return skb->len; 3201 3202 nla_put_failure: 3203 return -1; 3204 }; 3205 nft_expr_dump(struct sk_buff * skb,unsigned int attr,const struct nft_expr * expr,bool reset)3206 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 3207 const struct nft_expr *expr, bool reset) 3208 { 3209 struct nlattr *nest; 3210 3211 nest = nla_nest_start_noflag(skb, attr); 3212 if (!nest) 3213 goto nla_put_failure; 3214 if (nf_tables_fill_expr_info(skb, expr, reset) < 0) 3215 goto nla_put_failure; 3216 nla_nest_end(skb, nest); 3217 return 0; 3218 3219 nla_put_failure: 3220 return -1; 3221 } 3222 3223 struct nft_expr_info { 3224 const struct nft_expr_ops *ops; 3225 const struct nlattr *attr; 3226 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 3227 }; 3228 nf_tables_expr_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3229 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 3230 const struct nlattr *nla, 3231 struct nft_expr_info *info) 3232 { 3233 const struct nft_expr_type *type; 3234 const struct nft_expr_ops *ops; 3235 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 3236 int err; 3237 3238 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 3239 nft_expr_policy, NULL); 3240 if (err < 0) 3241 return err; 3242 3243 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 3244 if (IS_ERR(type)) 3245 return PTR_ERR(type); 3246 3247 if (tb[NFTA_EXPR_DATA]) { 3248 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 3249 tb[NFTA_EXPR_DATA], 3250 type->policy, NULL); 3251 if (err < 0) 3252 goto err1; 3253 } else 3254 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 3255 3256 if (type->select_ops != NULL) { 3257 ops = type->select_ops(ctx, 3258 (const struct nlattr * const *)info->tb); 3259 if (IS_ERR(ops)) { 3260 err = PTR_ERR(ops); 3261 #ifdef CONFIG_MODULES 3262 if (err == -EAGAIN) 3263 if (nft_expr_type_request_module(ctx->net, 3264 ctx->family, 3265 tb[NFTA_EXPR_NAME]) != -EAGAIN) 3266 err = -ENOENT; 3267 #endif 3268 goto err1; 3269 } 3270 } else 3271 ops = type->ops; 3272 3273 info->attr = nla; 3274 info->ops = ops; 3275 3276 return 0; 3277 3278 err1: 3279 module_put(type->owner); 3280 return err; 3281 } 3282 nft_expr_inner_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3283 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla, 3284 struct nft_expr_info *info) 3285 { 3286 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 3287 const struct nft_expr_type *type; 3288 int err; 3289 3290 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 3291 nft_expr_policy, NULL); 3292 if (err < 0) 3293 return err; 3294 3295 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME]) 3296 return -EINVAL; 3297 3298 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]); 3299 if (!type) 3300 return -ENOENT; 3301 3302 if (!type->inner_ops) 3303 return -EOPNOTSUPP; 3304 3305 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 3306 tb[NFTA_EXPR_DATA], 3307 type->policy, NULL); 3308 if (err < 0) 3309 goto err_nla_parse; 3310 3311 info->attr = nla; 3312 info->ops = type->inner_ops; 3313 3314 return 0; 3315 3316 err_nla_parse: 3317 return err; 3318 } 3319 nf_tables_newexpr(const struct nft_ctx * ctx,const struct nft_expr_info * expr_info,struct nft_expr * expr)3320 static int nf_tables_newexpr(const struct nft_ctx *ctx, 3321 const struct nft_expr_info *expr_info, 3322 struct nft_expr *expr) 3323 { 3324 const struct nft_expr_ops *ops = expr_info->ops; 3325 int err; 3326 3327 expr->ops = ops; 3328 if (ops->init) { 3329 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb); 3330 if (err < 0) 3331 goto err1; 3332 } 3333 3334 return 0; 3335 err1: 3336 expr->ops = NULL; 3337 return err; 3338 } 3339 nf_tables_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3340 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 3341 struct nft_expr *expr) 3342 { 3343 const struct nft_expr_type *type = expr->ops->type; 3344 3345 if (expr->ops->destroy) 3346 expr->ops->destroy(ctx, expr); 3347 module_put(type->owner); 3348 } 3349 nft_expr_init(const struct nft_ctx * ctx,const struct nlattr * nla)3350 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 3351 const struct nlattr *nla) 3352 { 3353 struct nft_expr_info expr_info; 3354 struct nft_expr *expr; 3355 struct module *owner; 3356 int err; 3357 3358 err = nf_tables_expr_parse(ctx, nla, &expr_info); 3359 if (err < 0) 3360 goto err_expr_parse; 3361 3362 err = -EOPNOTSUPP; 3363 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL)) 3364 goto err_expr_stateful; 3365 3366 err = -ENOMEM; 3367 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT); 3368 if (expr == NULL) 3369 goto err_expr_stateful; 3370 3371 err = nf_tables_newexpr(ctx, &expr_info, expr); 3372 if (err < 0) 3373 goto err_expr_new; 3374 3375 return expr; 3376 err_expr_new: 3377 kfree(expr); 3378 err_expr_stateful: 3379 owner = expr_info.ops->type->owner; 3380 if (expr_info.ops->type->release_ops) 3381 expr_info.ops->type->release_ops(expr_info.ops); 3382 3383 module_put(owner); 3384 err_expr_parse: 3385 return ERR_PTR(err); 3386 } 3387 nft_expr_clone(struct nft_expr * dst,struct nft_expr * src,gfp_t gfp)3388 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp) 3389 { 3390 int err; 3391 3392 if (WARN_ON_ONCE(!src->ops->clone)) 3393 return -EINVAL; 3394 3395 dst->ops = src->ops; 3396 err = src->ops->clone(dst, src, gfp); 3397 if (err < 0) 3398 return err; 3399 3400 __module_get(src->ops->type->owner); 3401 3402 return 0; 3403 } 3404 nft_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3405 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 3406 { 3407 nf_tables_expr_destroy(ctx, expr); 3408 kfree(expr); 3409 } 3410 3411 /* 3412 * Rules 3413 */ 3414 __nft_rule_lookup(const struct nft_chain * chain,u64 handle)3415 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain, 3416 u64 handle) 3417 { 3418 struct nft_rule *rule; 3419 3420 // FIXME: this sucks 3421 list_for_each_entry_rcu(rule, &chain->rules, list) { 3422 if (handle == rule->handle) 3423 return rule; 3424 } 3425 3426 return ERR_PTR(-ENOENT); 3427 } 3428 nft_rule_lookup(const struct nft_chain * chain,const struct nlattr * nla)3429 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain, 3430 const struct nlattr *nla) 3431 { 3432 if (nla == NULL) 3433 return ERR_PTR(-EINVAL); 3434 3435 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 3436 } 3437 3438 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 3439 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 3440 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3441 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 3442 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 3443 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 3444 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy), 3445 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 3446 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 3447 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 3448 .len = NFT_USERDATA_MAXLEN }, 3449 [NFTA_RULE_ID] = { .type = NLA_U32 }, 3450 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 3451 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 }, 3452 }; 3453 nf_tables_fill_rule_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct nft_rule * rule,u64 handle,bool reset)3454 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 3455 u32 portid, u32 seq, int event, 3456 u32 flags, int family, 3457 const struct nft_table *table, 3458 const struct nft_chain *chain, 3459 const struct nft_rule *rule, u64 handle, 3460 bool reset) 3461 { 3462 struct nlmsghdr *nlh; 3463 const struct nft_expr *expr, *next; 3464 struct nlattr *list; 3465 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3466 3467 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, 3468 nft_base_seq(net)); 3469 if (!nlh) 3470 goto nla_put_failure; 3471 3472 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 3473 goto nla_put_failure; 3474 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 3475 goto nla_put_failure; 3476 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 3477 NFTA_RULE_PAD)) 3478 goto nla_put_failure; 3479 3480 if (event != NFT_MSG_DELRULE && handle) { 3481 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle), 3482 NFTA_RULE_PAD)) 3483 goto nla_put_failure; 3484 } 3485 3486 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) 3487 nft_flow_rule_stats(chain, rule); 3488 3489 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 3490 if (list == NULL) 3491 goto nla_put_failure; 3492 nft_rule_for_each_expr(expr, next, rule) { 3493 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0) 3494 goto nla_put_failure; 3495 } 3496 nla_nest_end(skb, list); 3497 3498 if (rule->udata) { 3499 struct nft_userdata *udata = nft_userdata(rule); 3500 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 3501 udata->data) < 0) 3502 goto nla_put_failure; 3503 } 3504 3505 nlmsg_end(skb, nlh); 3506 return 0; 3507 3508 nla_put_failure: 3509 nlmsg_trim(skb, nlh); 3510 return -1; 3511 } 3512 nf_tables_rule_notify(const struct nft_ctx * ctx,const struct nft_rule * rule,int event)3513 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 3514 const struct nft_rule *rule, int event) 3515 { 3516 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3517 const struct nft_rule *prule; 3518 struct sk_buff *skb; 3519 u64 handle = 0; 3520 u16 flags = 0; 3521 int err; 3522 3523 if (!ctx->report && 3524 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3525 return; 3526 3527 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 3528 if (skb == NULL) 3529 goto err; 3530 3531 if (event == NFT_MSG_NEWRULE && 3532 !list_is_first(&rule->list, &ctx->chain->rules) && 3533 !list_is_last(&rule->list, &ctx->chain->rules)) { 3534 prule = list_prev_entry(rule, list); 3535 handle = prule->handle; 3536 } 3537 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE)) 3538 flags |= NLM_F_APPEND; 3539 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 3540 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 3541 3542 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 3543 event, flags, ctx->family, ctx->table, 3544 ctx->chain, rule, handle, false); 3545 if (err < 0) { 3546 kfree_skb(skb); 3547 goto err; 3548 } 3549 3550 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 3551 return; 3552 err: 3553 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 3554 } 3555 audit_log_rule_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)3556 static void audit_log_rule_reset(const struct nft_table *table, 3557 unsigned int base_seq, 3558 unsigned int nentries) 3559 { 3560 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", 3561 table->name, base_seq); 3562 3563 audit_log_nfcfg(buf, table->family, nentries, 3564 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC); 3565 kfree(buf); 3566 } 3567 3568 struct nft_rule_dump_ctx { 3569 unsigned int s_idx; 3570 char *table; 3571 char *chain; 3572 bool reset; 3573 }; 3574 __nf_tables_dump_rules(struct sk_buff * skb,unsigned int * idx,struct netlink_callback * cb,const struct nft_table * table,const struct nft_chain * chain)3575 static int __nf_tables_dump_rules(struct sk_buff *skb, 3576 unsigned int *idx, 3577 struct netlink_callback *cb, 3578 const struct nft_table *table, 3579 const struct nft_chain *chain) 3580 { 3581 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3582 struct net *net = sock_net(skb->sk); 3583 const struct nft_rule *rule, *prule; 3584 unsigned int entries = 0; 3585 int ret = 0; 3586 u64 handle; 3587 3588 prule = NULL; 3589 list_for_each_entry_rcu(rule, &chain->rules, list) { 3590 if (!nft_is_active(net, rule)) 3591 goto cont_skip; 3592 if (*idx < ctx->s_idx) 3593 goto cont; 3594 if (prule) 3595 handle = prule->handle; 3596 else 3597 handle = 0; 3598 3599 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 3600 cb->nlh->nlmsg_seq, 3601 NFT_MSG_NEWRULE, 3602 NLM_F_MULTI | NLM_F_APPEND, 3603 table->family, 3604 table, chain, rule, handle, ctx->reset) < 0) { 3605 ret = 1; 3606 break; 3607 } 3608 entries++; 3609 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3610 cont: 3611 prule = rule; 3612 cont_skip: 3613 (*idx)++; 3614 } 3615 3616 if (ctx->reset && entries) 3617 audit_log_rule_reset(table, cb->seq, entries); 3618 3619 return ret; 3620 } 3621 nf_tables_dump_rules(struct sk_buff * skb,struct netlink_callback * cb)3622 static int nf_tables_dump_rules(struct sk_buff *skb, 3623 struct netlink_callback *cb) 3624 { 3625 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3626 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3627 struct nft_table *table; 3628 const struct nft_chain *chain; 3629 unsigned int idx = 0; 3630 struct net *net = sock_net(skb->sk); 3631 int family = nfmsg->nfgen_family; 3632 struct nftables_pernet *nft_net; 3633 3634 rcu_read_lock(); 3635 nft_net = nft_pernet(net); 3636 cb->seq = READ_ONCE(nft_net->base_seq); 3637 3638 list_for_each_entry_rcu(table, &nft_net->tables, list) { 3639 if (family != NFPROTO_UNSPEC && family != table->family) 3640 continue; 3641 3642 if (ctx->table && strcmp(ctx->table, table->name) != 0) 3643 continue; 3644 3645 if (ctx->table && ctx->chain) { 3646 struct rhlist_head *list, *tmp; 3647 3648 list = rhltable_lookup(&table->chains_ht, ctx->chain, 3649 nft_chain_ht_params); 3650 if (!list) 3651 goto done; 3652 3653 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 3654 if (!nft_is_active(net, chain)) 3655 continue; 3656 __nf_tables_dump_rules(skb, &idx, 3657 cb, table, chain); 3658 break; 3659 } 3660 goto done; 3661 } 3662 3663 list_for_each_entry_rcu(chain, &table->chains, list) { 3664 if (__nf_tables_dump_rules(skb, &idx, 3665 cb, table, chain)) 3666 goto done; 3667 } 3668 3669 if (ctx->table) 3670 break; 3671 } 3672 done: 3673 rcu_read_unlock(); 3674 3675 ctx->s_idx = idx; 3676 return skb->len; 3677 } 3678 nf_tables_dumpreset_rules(struct sk_buff * skb,struct netlink_callback * cb)3679 static int nf_tables_dumpreset_rules(struct sk_buff *skb, 3680 struct netlink_callback *cb) 3681 { 3682 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk)); 3683 int ret; 3684 3685 /* Mutex is held is to prevent that two concurrent dump-and-reset calls 3686 * do not underrun counters and quotas. The commit_mutex is used for 3687 * the lack a better lock, this is not transaction path. 3688 */ 3689 mutex_lock(&nft_net->commit_mutex); 3690 ret = nf_tables_dump_rules(skb, cb); 3691 mutex_unlock(&nft_net->commit_mutex); 3692 3693 return ret; 3694 } 3695 nf_tables_dump_rules_start(struct netlink_callback * cb)3696 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 3697 { 3698 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3699 const struct nlattr * const *nla = cb->data; 3700 3701 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx)); 3702 3703 if (nla[NFTA_RULE_TABLE]) { 3704 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC); 3705 if (!ctx->table) 3706 return -ENOMEM; 3707 } 3708 if (nla[NFTA_RULE_CHAIN]) { 3709 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC); 3710 if (!ctx->chain) { 3711 kfree(ctx->table); 3712 return -ENOMEM; 3713 } 3714 } 3715 return 0; 3716 } 3717 nf_tables_dumpreset_rules_start(struct netlink_callback * cb)3718 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb) 3719 { 3720 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3721 3722 ctx->reset = true; 3723 3724 return nf_tables_dump_rules_start(cb); 3725 } 3726 nf_tables_dump_rules_done(struct netlink_callback * cb)3727 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 3728 { 3729 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3730 3731 kfree(ctx->table); 3732 kfree(ctx->chain); 3733 return 0; 3734 } 3735 3736 /* called with rcu_read_lock held */ 3737 static struct sk_buff * nf_tables_getrule_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)3738 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info, 3739 const struct nlattr * const nla[], bool reset) 3740 { 3741 struct netlink_ext_ack *extack = info->extack; 3742 u8 genmask = nft_genmask_cur(info->net); 3743 u8 family = info->nfmsg->nfgen_family; 3744 const struct nft_chain *chain; 3745 const struct nft_rule *rule; 3746 struct net *net = info->net; 3747 struct nft_table *table; 3748 struct sk_buff *skb2; 3749 int err; 3750 3751 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0); 3752 if (IS_ERR(table)) { 3753 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3754 return ERR_CAST(table); 3755 } 3756 3757 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 3758 if (IS_ERR(chain)) { 3759 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3760 return ERR_CAST(chain); 3761 } 3762 3763 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3764 if (IS_ERR(rule)) { 3765 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3766 return ERR_CAST(rule); 3767 } 3768 3769 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3770 if (!skb2) 3771 return ERR_PTR(-ENOMEM); 3772 3773 err = nf_tables_fill_rule_info(skb2, net, portid, 3774 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 3775 family, table, chain, rule, 0, reset); 3776 if (err < 0) { 3777 kfree_skb(skb2); 3778 return ERR_PTR(err); 3779 } 3780 3781 return skb2; 3782 } 3783 nf_tables_getrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3784 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info, 3785 const struct nlattr * const nla[]) 3786 { 3787 u32 portid = NETLINK_CB(skb).portid; 3788 struct net *net = info->net; 3789 struct sk_buff *skb2; 3790 3791 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3792 struct netlink_dump_control c = { 3793 .start= nf_tables_dump_rules_start, 3794 .dump = nf_tables_dump_rules, 3795 .done = nf_tables_dump_rules_done, 3796 .module = THIS_MODULE, 3797 .data = (void *)nla, 3798 }; 3799 3800 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 3801 } 3802 3803 skb2 = nf_tables_getrule_single(portid, info, nla, false); 3804 if (IS_ERR(skb2)) 3805 return PTR_ERR(skb2); 3806 3807 return nfnetlink_unicast(skb2, net, portid); 3808 } 3809 nf_tables_getrule_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3810 static int nf_tables_getrule_reset(struct sk_buff *skb, 3811 const struct nfnl_info *info, 3812 const struct nlattr * const nla[]) 3813 { 3814 struct nftables_pernet *nft_net = nft_pernet(info->net); 3815 u32 portid = NETLINK_CB(skb).portid; 3816 struct net *net = info->net; 3817 struct sk_buff *skb2; 3818 char *buf; 3819 3820 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3821 struct netlink_dump_control c = { 3822 .start= nf_tables_dumpreset_rules_start, 3823 .dump = nf_tables_dumpreset_rules, 3824 .done = nf_tables_dump_rules_done, 3825 .module = THIS_MODULE, 3826 .data = (void *)nla, 3827 }; 3828 3829 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 3830 } 3831 3832 if (!try_module_get(THIS_MODULE)) 3833 return -EINVAL; 3834 rcu_read_unlock(); 3835 mutex_lock(&nft_net->commit_mutex); 3836 skb2 = nf_tables_getrule_single(portid, info, nla, true); 3837 mutex_unlock(&nft_net->commit_mutex); 3838 rcu_read_lock(); 3839 module_put(THIS_MODULE); 3840 3841 if (IS_ERR(skb2)) 3842 return PTR_ERR(skb2); 3843 3844 buf = kasprintf(GFP_ATOMIC, "%.*s:%u", 3845 nla_len(nla[NFTA_RULE_TABLE]), 3846 (char *)nla_data(nla[NFTA_RULE_TABLE]), 3847 nft_net->base_seq); 3848 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1, 3849 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC); 3850 kfree(buf); 3851 3852 return nfnetlink_unicast(skb2, net, portid); 3853 } 3854 nf_tables_rule_destroy(const struct nft_ctx * ctx,struct nft_rule * rule)3855 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) 3856 { 3857 struct nft_expr *expr, *next; 3858 3859 /* 3860 * Careful: some expressions might not be initialized in case this 3861 * is called on error from nf_tables_newrule(). 3862 */ 3863 expr = nft_expr_first(rule); 3864 while (nft_expr_more(rule, expr)) { 3865 next = nft_expr_next(expr); 3866 nf_tables_expr_destroy(ctx, expr); 3867 expr = next; 3868 } 3869 kfree(rule); 3870 } 3871 nf_tables_rule_release(const struct nft_ctx * ctx,struct nft_rule * rule)3872 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 3873 { 3874 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 3875 nf_tables_rule_destroy(ctx, rule); 3876 } 3877 3878 /** nft_chain_validate - loop detection and hook validation 3879 * 3880 * @ctx: context containing call depth and base chain 3881 * @chain: chain to validate 3882 * 3883 * Walk through the rules of the given chain and chase all jumps/gotos 3884 * and set lookups until either the jump limit is hit or all reachable 3885 * chains have been validated. 3886 */ nft_chain_validate(const struct nft_ctx * ctx,const struct nft_chain * chain)3887 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 3888 { 3889 struct nft_expr *expr, *last; 3890 struct nft_rule *rule; 3891 int err; 3892 3893 if (ctx->level == NFT_JUMP_STACK_SIZE) 3894 return -EMLINK; 3895 3896 list_for_each_entry(rule, &chain->rules, list) { 3897 if (fatal_signal_pending(current)) 3898 return -EINTR; 3899 3900 if (!nft_is_active_next(ctx->net, rule)) 3901 continue; 3902 3903 nft_rule_for_each_expr(expr, last, rule) { 3904 if (!expr->ops->validate) 3905 continue; 3906 3907 /* This may call nft_chain_validate() recursively, 3908 * callers that do so must increment ctx->level. 3909 */ 3910 err = expr->ops->validate(ctx, expr); 3911 if (err < 0) 3912 return err; 3913 } 3914 } 3915 3916 return 0; 3917 } 3918 EXPORT_SYMBOL_GPL(nft_chain_validate); 3919 nft_table_validate(struct net * net,const struct nft_table * table)3920 static int nft_table_validate(struct net *net, const struct nft_table *table) 3921 { 3922 struct nft_chain *chain; 3923 struct nft_ctx ctx = { 3924 .net = net, 3925 .family = table->family, 3926 }; 3927 int err; 3928 3929 list_for_each_entry(chain, &table->chains, list) { 3930 if (!nft_is_base_chain(chain)) 3931 continue; 3932 3933 ctx.chain = chain; 3934 err = nft_chain_validate(&ctx, chain); 3935 if (err < 0) 3936 return err; 3937 3938 cond_resched(); 3939 } 3940 3941 return 0; 3942 } 3943 nft_setelem_validate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)3944 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, 3945 const struct nft_set_iter *iter, 3946 struct nft_elem_priv *elem_priv) 3947 { 3948 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 3949 struct nft_ctx *pctx = (struct nft_ctx *)ctx; 3950 const struct nft_data *data; 3951 int err; 3952 3953 if (!nft_set_elem_active(ext, iter->genmask)) 3954 return 0; 3955 3956 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 3957 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 3958 return 0; 3959 3960 data = nft_set_ext_data(ext); 3961 switch (data->verdict.code) { 3962 case NFT_JUMP: 3963 case NFT_GOTO: 3964 pctx->level++; 3965 err = nft_chain_validate(ctx, data->verdict.chain); 3966 if (err < 0) 3967 return err; 3968 pctx->level--; 3969 break; 3970 default: 3971 break; 3972 } 3973 3974 return 0; 3975 } 3976 nft_set_catchall_validate(const struct nft_ctx * ctx,struct nft_set * set)3977 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) 3978 { 3979 struct nft_set_iter dummy_iter = { 3980 .genmask = nft_genmask_next(ctx->net), 3981 }; 3982 struct nft_set_elem_catchall *catchall; 3983 3984 struct nft_set_ext *ext; 3985 int ret = 0; 3986 3987 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 3988 ext = nft_set_elem_ext(set, catchall->elem); 3989 if (!nft_set_elem_active(ext, dummy_iter.genmask)) 3990 continue; 3991 3992 ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem); 3993 if (ret < 0) 3994 return ret; 3995 } 3996 3997 return ret; 3998 } 3999 4000 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 4001 const struct nft_chain *chain, 4002 const struct nlattr *nla); 4003 4004 #define NFT_RULE_MAXEXPRS 128 4005 nf_tables_newrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4006 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, 4007 const struct nlattr * const nla[]) 4008 { 4009 struct nftables_pernet *nft_net = nft_pernet(info->net); 4010 struct netlink_ext_ack *extack = info->extack; 4011 unsigned int size, i, n, ulen = 0, usize = 0; 4012 u8 genmask = nft_genmask_next(info->net); 4013 struct nft_rule *rule, *old_rule = NULL; 4014 struct nft_expr_info *expr_info = NULL; 4015 u8 family = info->nfmsg->nfgen_family; 4016 struct nft_flow_rule *flow = NULL; 4017 struct net *net = info->net; 4018 struct nft_userdata *udata; 4019 struct nft_table *table; 4020 struct nft_chain *chain; 4021 struct nft_trans *trans; 4022 u64 handle, pos_handle; 4023 struct nft_expr *expr; 4024 struct nft_ctx ctx; 4025 struct nlattr *tmp; 4026 int err, rem; 4027 4028 lockdep_assert_held(&nft_net->commit_mutex); 4029 4030 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 4031 NETLINK_CB(skb).portid); 4032 if (IS_ERR(table)) { 4033 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 4034 return PTR_ERR(table); 4035 } 4036 4037 if (nla[NFTA_RULE_CHAIN]) { 4038 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 4039 genmask); 4040 if (IS_ERR(chain)) { 4041 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 4042 return PTR_ERR(chain); 4043 } 4044 4045 } else if (nla[NFTA_RULE_CHAIN_ID]) { 4046 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID], 4047 genmask); 4048 if (IS_ERR(chain)) { 4049 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); 4050 return PTR_ERR(chain); 4051 } 4052 } else { 4053 return -EINVAL; 4054 } 4055 4056 if (nft_chain_is_bound(chain)) 4057 return -EOPNOTSUPP; 4058 4059 if (nla[NFTA_RULE_HANDLE]) { 4060 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 4061 rule = __nft_rule_lookup(chain, handle); 4062 if (IS_ERR(rule)) { 4063 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4064 return PTR_ERR(rule); 4065 } 4066 4067 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 4068 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4069 return -EEXIST; 4070 } 4071 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 4072 old_rule = rule; 4073 else 4074 return -EOPNOTSUPP; 4075 } else { 4076 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) || 4077 info->nlh->nlmsg_flags & NLM_F_REPLACE) 4078 return -EINVAL; 4079 handle = nf_tables_alloc_handle(table); 4080 4081 if (nla[NFTA_RULE_POSITION]) { 4082 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 4083 old_rule = __nft_rule_lookup(chain, pos_handle); 4084 if (IS_ERR(old_rule)) { 4085 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 4086 return PTR_ERR(old_rule); 4087 } 4088 } else if (nla[NFTA_RULE_POSITION_ID]) { 4089 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]); 4090 if (IS_ERR(old_rule)) { 4091 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 4092 return PTR_ERR(old_rule); 4093 } 4094 } 4095 } 4096 4097 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 4098 4099 n = 0; 4100 size = 0; 4101 if (nla[NFTA_RULE_EXPRESSIONS]) { 4102 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS, 4103 sizeof(struct nft_expr_info), 4104 GFP_KERNEL); 4105 if (!expr_info) 4106 return -ENOMEM; 4107 4108 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 4109 err = -EINVAL; 4110 if (nla_type(tmp) != NFTA_LIST_ELEM) 4111 goto err_release_expr; 4112 if (n == NFT_RULE_MAXEXPRS) 4113 goto err_release_expr; 4114 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]); 4115 if (err < 0) { 4116 NL_SET_BAD_ATTR(extack, tmp); 4117 goto err_release_expr; 4118 } 4119 size += expr_info[n].ops->size; 4120 n++; 4121 } 4122 } 4123 /* Check for overflow of dlen field */ 4124 err = -EFBIG; 4125 if (size >= 1 << 12) 4126 goto err_release_expr; 4127 4128 if (nla[NFTA_RULE_USERDATA]) { 4129 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 4130 if (ulen > 0) 4131 usize = sizeof(struct nft_userdata) + ulen; 4132 } 4133 4134 err = -ENOMEM; 4135 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT); 4136 if (rule == NULL) 4137 goto err_release_expr; 4138 4139 nft_activate_next(net, rule); 4140 4141 rule->handle = handle; 4142 rule->dlen = size; 4143 rule->udata = ulen ? 1 : 0; 4144 4145 if (ulen) { 4146 udata = nft_userdata(rule); 4147 udata->len = ulen - 1; 4148 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 4149 } 4150 4151 expr = nft_expr_first(rule); 4152 for (i = 0; i < n; i++) { 4153 err = nf_tables_newexpr(&ctx, &expr_info[i], expr); 4154 if (err < 0) { 4155 NL_SET_BAD_ATTR(extack, expr_info[i].attr); 4156 goto err_release_rule; 4157 } 4158 4159 if (expr_info[i].ops->validate) 4160 nft_validate_state_update(table, NFT_VALIDATE_NEED); 4161 4162 expr_info[i].ops = NULL; 4163 expr = nft_expr_next(expr); 4164 } 4165 4166 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 4167 flow = nft_flow_rule_create(net, rule); 4168 if (IS_ERR(flow)) { 4169 err = PTR_ERR(flow); 4170 goto err_release_rule; 4171 } 4172 } 4173 4174 if (!nft_use_inc(&chain->use)) { 4175 err = -EMFILE; 4176 goto err_release_rule; 4177 } 4178 4179 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { 4180 if (nft_chain_binding(chain)) { 4181 err = -EOPNOTSUPP; 4182 goto err_destroy_flow_rule; 4183 } 4184 4185 err = nft_delrule(&ctx, old_rule); 4186 if (err < 0) 4187 goto err_destroy_flow_rule; 4188 4189 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 4190 if (trans == NULL) { 4191 err = -ENOMEM; 4192 goto err_destroy_flow_rule; 4193 } 4194 list_add_tail_rcu(&rule->list, &old_rule->list); 4195 } else { 4196 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 4197 if (!trans) { 4198 err = -ENOMEM; 4199 goto err_destroy_flow_rule; 4200 } 4201 4202 if (info->nlh->nlmsg_flags & NLM_F_APPEND) { 4203 if (old_rule) 4204 list_add_rcu(&rule->list, &old_rule->list); 4205 else 4206 list_add_tail_rcu(&rule->list, &chain->rules); 4207 } else { 4208 if (old_rule) 4209 list_add_tail_rcu(&rule->list, &old_rule->list); 4210 else 4211 list_add_rcu(&rule->list, &chain->rules); 4212 } 4213 } 4214 kvfree(expr_info); 4215 4216 if (flow) 4217 nft_trans_flow_rule(trans) = flow; 4218 4219 if (table->validate_state == NFT_VALIDATE_DO) 4220 return nft_table_validate(net, table); 4221 4222 return 0; 4223 4224 err_destroy_flow_rule: 4225 nft_use_dec_restore(&chain->use); 4226 if (flow) 4227 nft_flow_rule_destroy(flow); 4228 err_release_rule: 4229 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR); 4230 nf_tables_rule_destroy(&ctx, rule); 4231 err_release_expr: 4232 for (i = 0; i < n; i++) { 4233 if (expr_info[i].ops) { 4234 module_put(expr_info[i].ops->type->owner); 4235 if (expr_info[i].ops->type->release_ops) 4236 expr_info[i].ops->type->release_ops(expr_info[i].ops); 4237 } 4238 } 4239 kvfree(expr_info); 4240 4241 return err; 4242 } 4243 nft_rule_lookup_byid(const struct net * net,const struct nft_chain * chain,const struct nlattr * nla)4244 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 4245 const struct nft_chain *chain, 4246 const struct nlattr *nla) 4247 { 4248 struct nftables_pernet *nft_net = nft_pernet(net); 4249 u32 id = ntohl(nla_get_be32(nla)); 4250 struct nft_trans *trans; 4251 4252 list_for_each_entry(trans, &nft_net->commit_list, list) { 4253 if (trans->msg_type == NFT_MSG_NEWRULE && 4254 nft_trans_rule_chain(trans) == chain && 4255 id == nft_trans_rule_id(trans)) 4256 return nft_trans_rule(trans); 4257 } 4258 return ERR_PTR(-ENOENT); 4259 } 4260 nf_tables_delrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4261 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, 4262 const struct nlattr * const nla[]) 4263 { 4264 struct netlink_ext_ack *extack = info->extack; 4265 u8 genmask = nft_genmask_next(info->net); 4266 u8 family = info->nfmsg->nfgen_family; 4267 struct nft_chain *chain = NULL; 4268 struct net *net = info->net; 4269 struct nft_table *table; 4270 struct nft_rule *rule; 4271 struct nft_ctx ctx; 4272 int err = 0; 4273 4274 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 4275 NETLINK_CB(skb).portid); 4276 if (IS_ERR(table)) { 4277 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 4278 return PTR_ERR(table); 4279 } 4280 4281 if (nla[NFTA_RULE_CHAIN]) { 4282 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 4283 genmask); 4284 if (IS_ERR(chain)) { 4285 if (PTR_ERR(chain) == -ENOENT && 4286 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE) 4287 return 0; 4288 4289 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 4290 return PTR_ERR(chain); 4291 } 4292 if (nft_chain_binding(chain)) 4293 return -EOPNOTSUPP; 4294 } 4295 4296 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 4297 4298 if (chain) { 4299 if (nla[NFTA_RULE_HANDLE]) { 4300 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 4301 if (IS_ERR(rule)) { 4302 if (PTR_ERR(rule) == -ENOENT && 4303 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE) 4304 return 0; 4305 4306 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4307 return PTR_ERR(rule); 4308 } 4309 4310 err = nft_delrule(&ctx, rule); 4311 } else if (nla[NFTA_RULE_ID]) { 4312 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]); 4313 if (IS_ERR(rule)) { 4314 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 4315 return PTR_ERR(rule); 4316 } 4317 4318 err = nft_delrule(&ctx, rule); 4319 } else { 4320 err = nft_delrule_by_chain(&ctx); 4321 } 4322 } else { 4323 list_for_each_entry(chain, &table->chains, list) { 4324 if (!nft_is_active_next(net, chain)) 4325 continue; 4326 if (nft_chain_binding(chain)) 4327 continue; 4328 4329 ctx.chain = chain; 4330 err = nft_delrule_by_chain(&ctx); 4331 if (err < 0) 4332 break; 4333 } 4334 } 4335 4336 return err; 4337 } 4338 4339 /* 4340 * Sets 4341 */ 4342 static const struct nft_set_type *nft_set_types[] = { 4343 &nft_set_hash_fast_type, 4344 &nft_set_hash_type, 4345 &nft_set_rhash_type, 4346 &nft_set_bitmap_type, 4347 &nft_set_rbtree_type, 4348 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 4349 &nft_set_pipapo_avx2_type, 4350 #endif 4351 &nft_set_pipapo_type, 4352 }; 4353 4354 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 4355 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 4356 NFT_SET_EVAL) 4357 nft_set_ops_candidate(const struct nft_set_type * type,u32 flags)4358 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 4359 { 4360 return (flags & type->features) == (flags & NFT_SET_FEATURES); 4361 } 4362 4363 /* 4364 * Select a set implementation based on the data characteristics and the 4365 * given policy. The total memory use might not be known if no size is 4366 * given, in that case the amount of memory per element is used. 4367 */ 4368 static const struct nft_set_ops * nft_select_set_ops(const struct nft_ctx * ctx,u32 flags,const struct nft_set_desc * desc)4369 nft_select_set_ops(const struct nft_ctx *ctx, u32 flags, 4370 const struct nft_set_desc *desc) 4371 { 4372 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 4373 const struct nft_set_ops *ops, *bops; 4374 struct nft_set_estimate est, best; 4375 const struct nft_set_type *type; 4376 int i; 4377 4378 lockdep_assert_held(&nft_net->commit_mutex); 4379 lockdep_nfnl_nft_mutex_not_held(); 4380 4381 bops = NULL; 4382 best.size = ~0; 4383 best.lookup = ~0; 4384 best.space = ~0; 4385 4386 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 4387 type = nft_set_types[i]; 4388 ops = &type->ops; 4389 4390 if (!nft_set_ops_candidate(type, flags)) 4391 continue; 4392 if (!ops->estimate(desc, flags, &est)) 4393 continue; 4394 4395 switch (desc->policy) { 4396 case NFT_SET_POL_PERFORMANCE: 4397 if (est.lookup < best.lookup) 4398 break; 4399 if (est.lookup == best.lookup && 4400 est.space < best.space) 4401 break; 4402 continue; 4403 case NFT_SET_POL_MEMORY: 4404 if (!desc->size) { 4405 if (est.space < best.space) 4406 break; 4407 if (est.space == best.space && 4408 est.lookup < best.lookup) 4409 break; 4410 } else if (est.size < best.size || !bops) { 4411 break; 4412 } 4413 continue; 4414 default: 4415 break; 4416 } 4417 4418 bops = ops; 4419 best = est; 4420 } 4421 4422 if (bops != NULL) 4423 return bops; 4424 4425 return ERR_PTR(-EOPNOTSUPP); 4426 } 4427 4428 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 4429 [NFTA_SET_TABLE] = { .type = NLA_STRING, 4430 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4431 [NFTA_SET_NAME] = { .type = NLA_STRING, 4432 .len = NFT_SET_MAXNAMELEN - 1 }, 4433 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 4434 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 4435 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 4436 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 4437 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 4438 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 4439 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 4440 [NFTA_SET_ID] = { .type = NLA_U32 }, 4441 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 4442 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 4443 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 4444 .len = NFT_USERDATA_MAXLEN }, 4445 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 4446 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 4447 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 4448 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy), 4449 }; 4450 4451 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 4452 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 4453 }; 4454 4455 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 4456 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 4457 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy), 4458 }; 4459 nft_set_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4460 static struct nft_set *nft_set_lookup(const struct nft_table *table, 4461 const struct nlattr *nla, u8 genmask) 4462 { 4463 struct nft_set *set; 4464 4465 if (nla == NULL) 4466 return ERR_PTR(-EINVAL); 4467 4468 list_for_each_entry_rcu(set, &table->sets, list) { 4469 if (!nla_strcmp(nla, set->name) && 4470 nft_active_genmask(set, genmask)) 4471 return set; 4472 } 4473 return ERR_PTR(-ENOENT); 4474 } 4475 nft_set_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4476 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 4477 const struct nlattr *nla, 4478 u8 genmask) 4479 { 4480 struct nft_set *set; 4481 4482 list_for_each_entry(set, &table->sets, list) { 4483 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 4484 nft_active_genmask(set, genmask)) 4485 return set; 4486 } 4487 return ERR_PTR(-ENOENT); 4488 } 4489 nft_set_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)4490 static struct nft_set *nft_set_lookup_byid(const struct net *net, 4491 const struct nft_table *table, 4492 const struct nlattr *nla, u8 genmask) 4493 { 4494 struct nftables_pernet *nft_net = nft_pernet(net); 4495 u32 id = ntohl(nla_get_be32(nla)); 4496 struct nft_trans_set *trans; 4497 4498 /* its likely the id we need is at the tail, not at start */ 4499 list_for_each_entry_reverse(trans, &nft_net->commit_set_list, list_trans_newset) { 4500 struct nft_set *set = trans->set; 4501 4502 if (id == trans->set_id && 4503 set->table == table && 4504 nft_active_genmask(set, genmask)) 4505 return set; 4506 } 4507 return ERR_PTR(-ENOENT); 4508 } 4509 nft_set_lookup_global(const struct net * net,const struct nft_table * table,const struct nlattr * nla_set_name,const struct nlattr * nla_set_id,u8 genmask)4510 struct nft_set *nft_set_lookup_global(const struct net *net, 4511 const struct nft_table *table, 4512 const struct nlattr *nla_set_name, 4513 const struct nlattr *nla_set_id, 4514 u8 genmask) 4515 { 4516 struct nft_set *set; 4517 4518 set = nft_set_lookup(table, nla_set_name, genmask); 4519 if (IS_ERR(set)) { 4520 if (!nla_set_id) 4521 return set; 4522 4523 set = nft_set_lookup_byid(net, table, nla_set_id, genmask); 4524 } 4525 return set; 4526 } 4527 EXPORT_SYMBOL_GPL(nft_set_lookup_global); 4528 nf_tables_set_alloc_name(struct nft_ctx * ctx,struct nft_set * set,const char * name)4529 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 4530 const char *name) 4531 { 4532 const struct nft_set *i; 4533 const char *p; 4534 unsigned long *inuse; 4535 unsigned int n = 0, min = 0; 4536 4537 p = strchr(name, '%'); 4538 if (p != NULL) { 4539 if (p[1] != 'd' || strchr(p + 2, '%')) 4540 return -EINVAL; 4541 4542 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN) 4543 return -EINVAL; 4544 4545 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 4546 if (inuse == NULL) 4547 return -ENOMEM; 4548 cont: 4549 list_for_each_entry(i, &ctx->table->sets, list) { 4550 int tmp; 4551 4552 if (!nft_is_active_next(ctx->net, i)) 4553 continue; 4554 if (!sscanf(i->name, name, &tmp)) 4555 continue; 4556 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 4557 continue; 4558 4559 set_bit(tmp - min, inuse); 4560 } 4561 4562 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 4563 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 4564 min += BITS_PER_BYTE * PAGE_SIZE; 4565 memset(inuse, 0, PAGE_SIZE); 4566 goto cont; 4567 } 4568 free_page((unsigned long)inuse); 4569 } 4570 4571 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n); 4572 if (!set->name) 4573 return -ENOMEM; 4574 4575 list_for_each_entry(i, &ctx->table->sets, list) { 4576 if (!nft_is_active_next(ctx->net, i)) 4577 continue; 4578 if (!strcmp(set->name, i->name)) { 4579 kfree(set->name); 4580 set->name = NULL; 4581 return -ENFILE; 4582 } 4583 } 4584 return 0; 4585 } 4586 nf_msecs_to_jiffies64(const struct nlattr * nla,u64 * result)4587 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 4588 { 4589 u64 ms = be64_to_cpu(nla_get_be64(nla)); 4590 u64 max = (u64)(~((u64)0)); 4591 4592 max = div_u64(max, NSEC_PER_MSEC); 4593 if (ms >= max) 4594 return -ERANGE; 4595 4596 ms *= NSEC_PER_MSEC; 4597 *result = nsecs_to_jiffies64(ms) ? : !!ms; 4598 return 0; 4599 } 4600 nf_jiffies64_to_msecs(u64 input)4601 __be64 nf_jiffies64_to_msecs(u64 input) 4602 { 4603 return cpu_to_be64(jiffies64_to_msecs(input)); 4604 } 4605 nf_tables_fill_set_concat(struct sk_buff * skb,const struct nft_set * set)4606 static int nf_tables_fill_set_concat(struct sk_buff *skb, 4607 const struct nft_set *set) 4608 { 4609 struct nlattr *concat, *field; 4610 int i; 4611 4612 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 4613 if (!concat) 4614 return -ENOMEM; 4615 4616 for (i = 0; i < set->field_count; i++) { 4617 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4618 if (!field) 4619 return -ENOMEM; 4620 4621 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 4622 htonl(set->field_len[i]))) 4623 return -ENOMEM; 4624 4625 nla_nest_end(skb, field); 4626 } 4627 4628 nla_nest_end(skb, concat); 4629 4630 return 0; 4631 } 4632 nf_tables_fill_set(struct sk_buff * skb,const struct nft_ctx * ctx,const struct nft_set * set,u16 event,u16 flags)4633 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 4634 const struct nft_set *set, u16 event, u16 flags) 4635 { 4636 u64 timeout = READ_ONCE(set->timeout); 4637 u32 gc_int = READ_ONCE(set->gc_int); 4638 u32 portid = ctx->portid; 4639 struct nlmsghdr *nlh; 4640 struct nlattr *nest; 4641 u32 seq = ctx->seq; 4642 int i; 4643 4644 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 4645 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 4646 NFNETLINK_V0, nft_base_seq(ctx->net)); 4647 if (!nlh) 4648 goto nla_put_failure; 4649 4650 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 4651 goto nla_put_failure; 4652 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 4653 goto nla_put_failure; 4654 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 4655 NFTA_SET_PAD)) 4656 goto nla_put_failure; 4657 4658 if (event == NFT_MSG_DELSET) { 4659 nlmsg_end(skb, nlh); 4660 return 0; 4661 } 4662 4663 if (set->flags != 0) 4664 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 4665 goto nla_put_failure; 4666 4667 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 4668 goto nla_put_failure; 4669 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 4670 goto nla_put_failure; 4671 if (set->flags & NFT_SET_MAP) { 4672 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 4673 goto nla_put_failure; 4674 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 4675 goto nla_put_failure; 4676 } 4677 if (set->flags & NFT_SET_OBJECT && 4678 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 4679 goto nla_put_failure; 4680 4681 if (timeout && 4682 nla_put_be64(skb, NFTA_SET_TIMEOUT, 4683 nf_jiffies64_to_msecs(timeout), 4684 NFTA_SET_PAD)) 4685 goto nla_put_failure; 4686 if (gc_int && 4687 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int))) 4688 goto nla_put_failure; 4689 4690 if (set->policy != NFT_SET_POL_PERFORMANCE) { 4691 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 4692 goto nla_put_failure; 4693 } 4694 4695 if (set->udata && 4696 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 4697 goto nla_put_failure; 4698 4699 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 4700 if (!nest) 4701 goto nla_put_failure; 4702 if (set->size && 4703 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 4704 goto nla_put_failure; 4705 4706 if (set->field_count > 1 && 4707 nf_tables_fill_set_concat(skb, set)) 4708 goto nla_put_failure; 4709 4710 nla_nest_end(skb, nest); 4711 4712 if (set->num_exprs == 1) { 4713 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 4714 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0) 4715 goto nla_put_failure; 4716 4717 nla_nest_end(skb, nest); 4718 } else if (set->num_exprs > 1) { 4719 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS); 4720 if (nest == NULL) 4721 goto nla_put_failure; 4722 4723 for (i = 0; i < set->num_exprs; i++) { 4724 if (nft_expr_dump(skb, NFTA_LIST_ELEM, 4725 set->exprs[i], false) < 0) 4726 goto nla_put_failure; 4727 } 4728 nla_nest_end(skb, nest); 4729 } 4730 4731 nlmsg_end(skb, nlh); 4732 return 0; 4733 4734 nla_put_failure: 4735 nlmsg_trim(skb, nlh); 4736 return -1; 4737 } 4738 nf_tables_set_notify(const struct nft_ctx * ctx,const struct nft_set * set,int event,gfp_t gfp_flags)4739 static void nf_tables_set_notify(const struct nft_ctx *ctx, 4740 const struct nft_set *set, int event, 4741 gfp_t gfp_flags) 4742 { 4743 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 4744 u32 portid = ctx->portid; 4745 struct sk_buff *skb; 4746 u16 flags = 0; 4747 int err; 4748 4749 if (!ctx->report && 4750 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 4751 return; 4752 4753 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 4754 if (skb == NULL) 4755 goto err; 4756 4757 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 4758 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 4759 4760 err = nf_tables_fill_set(skb, ctx, set, event, flags); 4761 if (err < 0) { 4762 kfree_skb(skb); 4763 goto err; 4764 } 4765 4766 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 4767 return; 4768 err: 4769 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 4770 } 4771 nf_tables_dump_sets(struct sk_buff * skb,struct netlink_callback * cb)4772 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 4773 { 4774 const struct nft_set *set; 4775 unsigned int idx, s_idx = cb->args[0]; 4776 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 4777 struct net *net = sock_net(skb->sk); 4778 struct nft_ctx *ctx = cb->data, ctx_set; 4779 struct nftables_pernet *nft_net; 4780 4781 if (cb->args[1]) 4782 return skb->len; 4783 4784 rcu_read_lock(); 4785 nft_net = nft_pernet(net); 4786 cb->seq = READ_ONCE(nft_net->base_seq); 4787 4788 list_for_each_entry_rcu(table, &nft_net->tables, list) { 4789 if (ctx->family != NFPROTO_UNSPEC && 4790 ctx->family != table->family) 4791 continue; 4792 4793 if (ctx->table && ctx->table != table) 4794 continue; 4795 4796 if (cur_table) { 4797 if (cur_table != table) 4798 continue; 4799 4800 cur_table = NULL; 4801 } 4802 idx = 0; 4803 list_for_each_entry_rcu(set, &table->sets, list) { 4804 if (idx < s_idx) 4805 goto cont; 4806 if (!nft_is_active(net, set)) 4807 goto cont; 4808 4809 ctx_set = *ctx; 4810 ctx_set.table = table; 4811 ctx_set.family = table->family; 4812 4813 if (nf_tables_fill_set(skb, &ctx_set, set, 4814 NFT_MSG_NEWSET, 4815 NLM_F_MULTI) < 0) { 4816 cb->args[0] = idx; 4817 cb->args[2] = (unsigned long) table; 4818 goto done; 4819 } 4820 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 4821 cont: 4822 idx++; 4823 } 4824 if (s_idx) 4825 s_idx = 0; 4826 } 4827 cb->args[1] = 1; 4828 done: 4829 rcu_read_unlock(); 4830 return skb->len; 4831 } 4832 nf_tables_dump_sets_start(struct netlink_callback * cb)4833 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 4834 { 4835 struct nft_ctx *ctx_dump = NULL; 4836 4837 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 4838 if (ctx_dump == NULL) 4839 return -ENOMEM; 4840 4841 cb->data = ctx_dump; 4842 return 0; 4843 } 4844 nf_tables_dump_sets_done(struct netlink_callback * cb)4845 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 4846 { 4847 kfree(cb->data); 4848 return 0; 4849 } 4850 4851 /* called with rcu_read_lock held */ nf_tables_getset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4852 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info, 4853 const struct nlattr * const nla[]) 4854 { 4855 struct netlink_ext_ack *extack = info->extack; 4856 u8 genmask = nft_genmask_cur(info->net); 4857 u8 family = info->nfmsg->nfgen_family; 4858 struct nft_table *table = NULL; 4859 struct net *net = info->net; 4860 const struct nft_set *set; 4861 struct sk_buff *skb2; 4862 struct nft_ctx ctx; 4863 int err; 4864 4865 if (nla[NFTA_SET_TABLE]) { 4866 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 4867 genmask, 0); 4868 if (IS_ERR(table)) { 4869 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4870 return PTR_ERR(table); 4871 } 4872 } 4873 4874 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4875 4876 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 4877 struct netlink_dump_control c = { 4878 .start = nf_tables_dump_sets_start, 4879 .dump = nf_tables_dump_sets, 4880 .done = nf_tables_dump_sets_done, 4881 .data = &ctx, 4882 .module = THIS_MODULE, 4883 }; 4884 4885 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 4886 } 4887 4888 /* Only accept unspec with dump */ 4889 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 4890 return -EAFNOSUPPORT; 4891 if (!nla[NFTA_SET_TABLE]) 4892 return -EINVAL; 4893 4894 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4895 if (IS_ERR(set)) { 4896 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4897 return PTR_ERR(set); 4898 } 4899 4900 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 4901 if (skb2 == NULL) 4902 return -ENOMEM; 4903 4904 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 4905 if (err < 0) 4906 goto err_fill_set_info; 4907 4908 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 4909 4910 err_fill_set_info: 4911 kfree_skb(skb2); 4912 return err; 4913 } 4914 nft_set_desc_concat_parse(const struct nlattr * attr,struct nft_set_desc * desc)4915 static int nft_set_desc_concat_parse(const struct nlattr *attr, 4916 struct nft_set_desc *desc) 4917 { 4918 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 4919 u32 len; 4920 int err; 4921 4922 if (desc->field_count >= ARRAY_SIZE(desc->field_len)) 4923 return -E2BIG; 4924 4925 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 4926 nft_concat_policy, NULL); 4927 if (err < 0) 4928 return err; 4929 4930 if (!tb[NFTA_SET_FIELD_LEN]) 4931 return -EINVAL; 4932 4933 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 4934 if (!len || len > U8_MAX) 4935 return -EINVAL; 4936 4937 desc->field_len[desc->field_count++] = len; 4938 4939 return 0; 4940 } 4941 nft_set_desc_concat(struct nft_set_desc * desc,const struct nlattr * nla)4942 static int nft_set_desc_concat(struct nft_set_desc *desc, 4943 const struct nlattr *nla) 4944 { 4945 u32 num_regs = 0, key_num_regs = 0; 4946 struct nlattr *attr; 4947 int rem, err, i; 4948 4949 nla_for_each_nested(attr, nla, rem) { 4950 if (nla_type(attr) != NFTA_LIST_ELEM) 4951 return -EINVAL; 4952 4953 err = nft_set_desc_concat_parse(attr, desc); 4954 if (err < 0) 4955 return err; 4956 } 4957 4958 for (i = 0; i < desc->field_count; i++) 4959 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32)); 4960 4961 key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32)); 4962 if (key_num_regs != num_regs) 4963 return -EINVAL; 4964 4965 if (num_regs > NFT_REG32_COUNT) 4966 return -E2BIG; 4967 4968 return 0; 4969 } 4970 nf_tables_set_desc_parse(struct nft_set_desc * desc,const struct nlattr * nla)4971 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 4972 const struct nlattr *nla) 4973 { 4974 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 4975 int err; 4976 4977 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 4978 nft_set_desc_policy, NULL); 4979 if (err < 0) 4980 return err; 4981 4982 if (da[NFTA_SET_DESC_SIZE] != NULL) 4983 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 4984 if (da[NFTA_SET_DESC_CONCAT]) 4985 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 4986 4987 return err; 4988 } 4989 nft_set_expr_alloc(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * const * nla,struct nft_expr ** exprs,int * num_exprs,u32 flags)4990 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set, 4991 const struct nlattr * const *nla, 4992 struct nft_expr **exprs, int *num_exprs, 4993 u32 flags) 4994 { 4995 struct nft_expr *expr; 4996 int err, i; 4997 4998 if (nla[NFTA_SET_EXPR]) { 4999 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]); 5000 if (IS_ERR(expr)) { 5001 err = PTR_ERR(expr); 5002 goto err_set_expr_alloc; 5003 } 5004 exprs[0] = expr; 5005 (*num_exprs)++; 5006 } else if (nla[NFTA_SET_EXPRESSIONS]) { 5007 struct nlattr *tmp; 5008 int left; 5009 5010 if (!(flags & NFT_SET_EXPR)) { 5011 err = -EINVAL; 5012 goto err_set_expr_alloc; 5013 } 5014 i = 0; 5015 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) { 5016 if (i == NFT_SET_EXPR_MAX) { 5017 err = -E2BIG; 5018 goto err_set_expr_alloc; 5019 } 5020 if (nla_type(tmp) != NFTA_LIST_ELEM) { 5021 err = -EINVAL; 5022 goto err_set_expr_alloc; 5023 } 5024 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 5025 if (IS_ERR(expr)) { 5026 err = PTR_ERR(expr); 5027 goto err_set_expr_alloc; 5028 } 5029 exprs[i++] = expr; 5030 (*num_exprs)++; 5031 } 5032 } 5033 5034 return 0; 5035 5036 err_set_expr_alloc: 5037 for (i = 0; i < *num_exprs; i++) 5038 nft_expr_destroy(ctx, exprs[i]); 5039 5040 return err; 5041 } 5042 nft_set_is_same(const struct nft_set * set,const struct nft_set_desc * desc,struct nft_expr * exprs[],u32 num_exprs,u32 flags)5043 static bool nft_set_is_same(const struct nft_set *set, 5044 const struct nft_set_desc *desc, 5045 struct nft_expr *exprs[], u32 num_exprs, u32 flags) 5046 { 5047 int i; 5048 5049 if (set->ktype != desc->ktype || 5050 set->dtype != desc->dtype || 5051 set->flags != flags || 5052 set->klen != desc->klen || 5053 set->dlen != desc->dlen || 5054 set->field_count != desc->field_count || 5055 set->num_exprs != num_exprs) 5056 return false; 5057 5058 for (i = 0; i < desc->field_count; i++) { 5059 if (set->field_len[i] != desc->field_len[i]) 5060 return false; 5061 } 5062 5063 for (i = 0; i < num_exprs; i++) { 5064 if (set->exprs[i]->ops != exprs[i]->ops) 5065 return false; 5066 } 5067 5068 return true; 5069 } 5070 nf_tables_newset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5071 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 5072 const struct nlattr * const nla[]) 5073 { 5074 struct netlink_ext_ack *extack = info->extack; 5075 u8 genmask = nft_genmask_next(info->net); 5076 u8 family = info->nfmsg->nfgen_family; 5077 const struct nft_set_ops *ops; 5078 struct net *net = info->net; 5079 struct nft_set_desc desc; 5080 struct nft_table *table; 5081 unsigned char *udata; 5082 struct nft_set *set; 5083 struct nft_ctx ctx; 5084 size_t alloc_size; 5085 int num_exprs = 0; 5086 char *name; 5087 int err, i; 5088 u16 udlen; 5089 u32 flags; 5090 u64 size; 5091 5092 if (nla[NFTA_SET_TABLE] == NULL || 5093 nla[NFTA_SET_NAME] == NULL || 5094 nla[NFTA_SET_KEY_LEN] == NULL || 5095 nla[NFTA_SET_ID] == NULL) 5096 return -EINVAL; 5097 5098 memset(&desc, 0, sizeof(desc)); 5099 5100 desc.ktype = NFT_DATA_VALUE; 5101 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 5102 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 5103 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 5104 return -EINVAL; 5105 } 5106 5107 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 5108 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 5109 return -EINVAL; 5110 5111 flags = 0; 5112 if (nla[NFTA_SET_FLAGS] != NULL) { 5113 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 5114 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 5115 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 5116 NFT_SET_MAP | NFT_SET_EVAL | 5117 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR)) 5118 return -EOPNOTSUPP; 5119 /* Only one of these operations is supported */ 5120 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 5121 (NFT_SET_MAP | NFT_SET_OBJECT)) 5122 return -EOPNOTSUPP; 5123 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 5124 (NFT_SET_EVAL | NFT_SET_OBJECT)) 5125 return -EOPNOTSUPP; 5126 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) == 5127 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT)) 5128 return -EOPNOTSUPP; 5129 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) == 5130 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) 5131 return -EOPNOTSUPP; 5132 } 5133 5134 desc.dtype = 0; 5135 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 5136 if (!(flags & NFT_SET_MAP)) 5137 return -EINVAL; 5138 5139 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 5140 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 5141 desc.dtype != NFT_DATA_VERDICT) 5142 return -EINVAL; 5143 5144 if (desc.dtype != NFT_DATA_VERDICT) { 5145 if (nla[NFTA_SET_DATA_LEN] == NULL) 5146 return -EINVAL; 5147 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 5148 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 5149 return -EINVAL; 5150 } else 5151 desc.dlen = sizeof(struct nft_verdict); 5152 } else if (flags & NFT_SET_MAP) 5153 return -EINVAL; 5154 5155 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 5156 if (!(flags & NFT_SET_OBJECT)) 5157 return -EINVAL; 5158 5159 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 5160 if (desc.objtype == NFT_OBJECT_UNSPEC || 5161 desc.objtype > NFT_OBJECT_MAX) 5162 return -EOPNOTSUPP; 5163 } else if (flags & NFT_SET_OBJECT) 5164 return -EINVAL; 5165 else 5166 desc.objtype = NFT_OBJECT_UNSPEC; 5167 5168 desc.timeout = 0; 5169 if (nla[NFTA_SET_TIMEOUT] != NULL) { 5170 if (!(flags & NFT_SET_TIMEOUT)) 5171 return -EINVAL; 5172 5173 if (flags & NFT_SET_ANONYMOUS) 5174 return -EOPNOTSUPP; 5175 5176 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout); 5177 if (err) 5178 return err; 5179 } 5180 desc.gc_int = 0; 5181 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 5182 if (!(flags & NFT_SET_TIMEOUT)) 5183 return -EINVAL; 5184 5185 if (flags & NFT_SET_ANONYMOUS) 5186 return -EOPNOTSUPP; 5187 5188 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 5189 } 5190 5191 desc.policy = NFT_SET_POL_PERFORMANCE; 5192 if (nla[NFTA_SET_POLICY] != NULL) { 5193 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 5194 switch (desc.policy) { 5195 case NFT_SET_POL_PERFORMANCE: 5196 case NFT_SET_POL_MEMORY: 5197 break; 5198 default: 5199 return -EOPNOTSUPP; 5200 } 5201 } 5202 5203 if (nla[NFTA_SET_DESC] != NULL) { 5204 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 5205 if (err < 0) 5206 return err; 5207 5208 if (desc.field_count > 1) { 5209 if (!(flags & NFT_SET_CONCAT)) 5210 return -EINVAL; 5211 } else if (flags & NFT_SET_CONCAT) { 5212 return -EINVAL; 5213 } 5214 } else if (flags & NFT_SET_CONCAT) { 5215 return -EINVAL; 5216 } 5217 5218 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS]) 5219 desc.expr = true; 5220 5221 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask, 5222 NETLINK_CB(skb).portid); 5223 if (IS_ERR(table)) { 5224 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5225 return PTR_ERR(table); 5226 } 5227 5228 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5229 5230 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 5231 if (IS_ERR(set)) { 5232 if (PTR_ERR(set) != -ENOENT) { 5233 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5234 return PTR_ERR(set); 5235 } 5236 } else { 5237 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {}; 5238 5239 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 5240 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5241 return -EEXIST; 5242 } 5243 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 5244 return -EOPNOTSUPP; 5245 5246 if (nft_set_is_anonymous(set)) 5247 return -EOPNOTSUPP; 5248 5249 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags); 5250 if (err < 0) 5251 return err; 5252 5253 err = 0; 5254 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) { 5255 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5256 err = -EEXIST; 5257 } 5258 5259 for (i = 0; i < num_exprs; i++) 5260 nft_expr_destroy(&ctx, exprs[i]); 5261 5262 if (err < 0) 5263 return err; 5264 5265 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc); 5266 } 5267 5268 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) 5269 return -ENOENT; 5270 5271 ops = nft_select_set_ops(&ctx, flags, &desc); 5272 if (IS_ERR(ops)) 5273 return PTR_ERR(ops); 5274 5275 udlen = 0; 5276 if (nla[NFTA_SET_USERDATA]) 5277 udlen = nla_len(nla[NFTA_SET_USERDATA]); 5278 5279 size = 0; 5280 if (ops->privsize != NULL) 5281 size = ops->privsize(nla, &desc); 5282 alloc_size = sizeof(*set) + size + udlen; 5283 if (alloc_size < size || alloc_size > INT_MAX) 5284 return -ENOMEM; 5285 5286 if (!nft_use_inc(&table->use)) 5287 return -EMFILE; 5288 5289 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT); 5290 if (!set) { 5291 err = -ENOMEM; 5292 goto err_alloc; 5293 } 5294 5295 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT); 5296 if (!name) { 5297 err = -ENOMEM; 5298 goto err_set_name; 5299 } 5300 5301 err = nf_tables_set_alloc_name(&ctx, set, name); 5302 kfree(name); 5303 if (err < 0) 5304 goto err_set_name; 5305 5306 udata = NULL; 5307 if (udlen) { 5308 udata = set->data + size; 5309 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 5310 } 5311 5312 INIT_LIST_HEAD(&set->bindings); 5313 INIT_LIST_HEAD(&set->catchall_list); 5314 refcount_set(&set->refs, 1); 5315 set->table = table; 5316 write_pnet(&set->net, net); 5317 set->ops = ops; 5318 set->ktype = desc.ktype; 5319 set->klen = desc.klen; 5320 set->dtype = desc.dtype; 5321 set->objtype = desc.objtype; 5322 set->dlen = desc.dlen; 5323 set->flags = flags; 5324 set->size = desc.size; 5325 set->policy = desc.policy; 5326 set->udlen = udlen; 5327 set->udata = udata; 5328 set->timeout = desc.timeout; 5329 set->gc_int = desc.gc_int; 5330 5331 set->field_count = desc.field_count; 5332 for (i = 0; i < desc.field_count; i++) 5333 set->field_len[i] = desc.field_len[i]; 5334 5335 err = ops->init(set, &desc, nla); 5336 if (err < 0) 5337 goto err_set_init; 5338 5339 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags); 5340 if (err < 0) 5341 goto err_set_destroy; 5342 5343 set->num_exprs = num_exprs; 5344 set->handle = nf_tables_alloc_handle(table); 5345 INIT_LIST_HEAD(&set->pending_update); 5346 5347 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 5348 if (err < 0) 5349 goto err_set_expr_alloc; 5350 5351 list_add_tail_rcu(&set->list, &table->sets); 5352 5353 return 0; 5354 5355 err_set_expr_alloc: 5356 for (i = 0; i < set->num_exprs; i++) 5357 nft_expr_destroy(&ctx, set->exprs[i]); 5358 err_set_destroy: 5359 ops->destroy(&ctx, set); 5360 err_set_init: 5361 kfree(set->name); 5362 err_set_name: 5363 kvfree(set); 5364 err_alloc: 5365 nft_use_dec_restore(&table->use); 5366 5367 return err; 5368 } 5369 nft_set_catchall_destroy(const struct nft_ctx * ctx,struct nft_set * set)5370 static void nft_set_catchall_destroy(const struct nft_ctx *ctx, 5371 struct nft_set *set) 5372 { 5373 struct nft_set_elem_catchall *next, *catchall; 5374 5375 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5376 list_del_rcu(&catchall->list); 5377 nf_tables_set_elem_destroy(ctx, set, catchall->elem); 5378 kfree_rcu(catchall, rcu); 5379 } 5380 } 5381 nft_set_put(struct nft_set * set)5382 static void nft_set_put(struct nft_set *set) 5383 { 5384 if (refcount_dec_and_test(&set->refs)) { 5385 kfree(set->name); 5386 kvfree(set); 5387 } 5388 } 5389 nft_set_destroy(const struct nft_ctx * ctx,struct nft_set * set)5390 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 5391 { 5392 int i; 5393 5394 if (WARN_ON(set->use > 0)) 5395 return; 5396 5397 for (i = 0; i < set->num_exprs; i++) 5398 nft_expr_destroy(ctx, set->exprs[i]); 5399 5400 set->ops->destroy(ctx, set); 5401 nft_set_catchall_destroy(ctx, set); 5402 nft_set_put(set); 5403 } 5404 nf_tables_delset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5405 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info, 5406 const struct nlattr * const nla[]) 5407 { 5408 struct netlink_ext_ack *extack = info->extack; 5409 u8 genmask = nft_genmask_next(info->net); 5410 u8 family = info->nfmsg->nfgen_family; 5411 struct net *net = info->net; 5412 const struct nlattr *attr; 5413 struct nft_table *table; 5414 struct nft_set *set; 5415 struct nft_ctx ctx; 5416 5417 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 5418 return -EAFNOSUPPORT; 5419 5420 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 5421 genmask, NETLINK_CB(skb).portid); 5422 if (IS_ERR(table)) { 5423 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5424 return PTR_ERR(table); 5425 } 5426 5427 if (nla[NFTA_SET_HANDLE]) { 5428 attr = nla[NFTA_SET_HANDLE]; 5429 set = nft_set_lookup_byhandle(table, attr, genmask); 5430 } else { 5431 attr = nla[NFTA_SET_NAME]; 5432 set = nft_set_lookup(table, attr, genmask); 5433 } 5434 5435 if (IS_ERR(set)) { 5436 if (PTR_ERR(set) == -ENOENT && 5437 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET) 5438 return 0; 5439 5440 NL_SET_BAD_ATTR(extack, attr); 5441 return PTR_ERR(set); 5442 } 5443 if (set->use || 5444 (info->nlh->nlmsg_flags & NLM_F_NONREC && 5445 atomic_read(&set->nelems) > 0)) { 5446 NL_SET_BAD_ATTR(extack, attr); 5447 return -EBUSY; 5448 } 5449 5450 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5451 5452 return nft_delset(&ctx, set); 5453 } 5454 5455 static int nft_validate_register_store(const struct nft_ctx *ctx, 5456 enum nft_registers reg, 5457 const struct nft_data *data, 5458 enum nft_data_types type, 5459 unsigned int len); 5460 nft_setelem_data_validate(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)5461 static int nft_setelem_data_validate(const struct nft_ctx *ctx, 5462 struct nft_set *set, 5463 struct nft_elem_priv *elem_priv) 5464 { 5465 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5466 enum nft_registers dreg; 5467 5468 dreg = nft_type_to_reg(set->dtype); 5469 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 5470 set->dtype == NFT_DATA_VERDICT ? 5471 NFT_DATA_VERDICT : NFT_DATA_VALUE, 5472 set->dlen); 5473 } 5474 nf_tables_bind_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5475 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 5476 struct nft_set *set, 5477 const struct nft_set_iter *iter, 5478 struct nft_elem_priv *elem_priv) 5479 { 5480 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5481 5482 if (!nft_set_elem_active(ext, iter->genmask)) 5483 return 0; 5484 5485 return nft_setelem_data_validate(ctx, set, elem_priv); 5486 } 5487 nft_set_catchall_bind_check(const struct nft_ctx * ctx,struct nft_set * set)5488 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx, 5489 struct nft_set *set) 5490 { 5491 u8 genmask = nft_genmask_next(ctx->net); 5492 struct nft_set_elem_catchall *catchall; 5493 struct nft_set_ext *ext; 5494 int ret = 0; 5495 5496 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5497 ext = nft_set_elem_ext(set, catchall->elem); 5498 if (!nft_set_elem_active(ext, genmask)) 5499 continue; 5500 5501 ret = nft_setelem_data_validate(ctx, set, catchall->elem); 5502 if (ret < 0) 5503 break; 5504 } 5505 5506 return ret; 5507 } 5508 nf_tables_bind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding)5509 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 5510 struct nft_set_binding *binding) 5511 { 5512 struct nft_set_binding *i; 5513 struct nft_set_iter iter; 5514 5515 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 5516 return -EBUSY; 5517 5518 if (binding->flags & NFT_SET_MAP) { 5519 /* If the set is already bound to the same chain all 5520 * jumps are already validated for that chain. 5521 */ 5522 list_for_each_entry(i, &set->bindings, list) { 5523 if (i->flags & NFT_SET_MAP && 5524 i->chain == binding->chain) 5525 goto bind; 5526 } 5527 5528 iter.genmask = nft_genmask_next(ctx->net); 5529 iter.type = NFT_ITER_UPDATE; 5530 iter.skip = 0; 5531 iter.count = 0; 5532 iter.err = 0; 5533 iter.fn = nf_tables_bind_check_setelem; 5534 5535 set->ops->walk(ctx, set, &iter); 5536 if (!iter.err) 5537 iter.err = nft_set_catchall_bind_check(ctx, set); 5538 5539 if (iter.err < 0) 5540 return iter.err; 5541 } 5542 bind: 5543 if (!nft_use_inc(&set->use)) 5544 return -EMFILE; 5545 5546 binding->chain = ctx->chain; 5547 list_add_tail_rcu(&binding->list, &set->bindings); 5548 nft_set_trans_bind(ctx, set); 5549 5550 return 0; 5551 } 5552 EXPORT_SYMBOL_GPL(nf_tables_bind_set); 5553 nf_tables_unbind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,bool event)5554 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 5555 struct nft_set_binding *binding, bool event) 5556 { 5557 list_del_rcu(&binding->list); 5558 5559 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 5560 list_del_rcu(&set->list); 5561 set->dead = 1; 5562 if (event) 5563 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 5564 GFP_KERNEL); 5565 } 5566 } 5567 5568 static void nft_setelem_data_activate(const struct net *net, 5569 const struct nft_set *set, 5570 struct nft_elem_priv *elem_priv); 5571 nft_mapelem_activate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5572 static int nft_mapelem_activate(const struct nft_ctx *ctx, 5573 struct nft_set *set, 5574 const struct nft_set_iter *iter, 5575 struct nft_elem_priv *elem_priv) 5576 { 5577 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5578 5579 /* called from abort path, reverse check to undo changes. */ 5580 if (nft_set_elem_active(ext, iter->genmask)) 5581 return 0; 5582 5583 nft_clear(ctx->net, ext); 5584 nft_setelem_data_activate(ctx->net, set, elem_priv); 5585 5586 return 0; 5587 } 5588 nft_map_catchall_activate(const struct nft_ctx * ctx,struct nft_set * set)5589 static void nft_map_catchall_activate(const struct nft_ctx *ctx, 5590 struct nft_set *set) 5591 { 5592 u8 genmask = nft_genmask_next(ctx->net); 5593 struct nft_set_elem_catchall *catchall; 5594 struct nft_set_ext *ext; 5595 5596 list_for_each_entry(catchall, &set->catchall_list, list) { 5597 ext = nft_set_elem_ext(set, catchall->elem); 5598 if (!nft_set_elem_active(ext, genmask)) 5599 continue; 5600 5601 nft_clear(ctx->net, ext); 5602 nft_setelem_data_activate(ctx->net, set, catchall->elem); 5603 break; 5604 } 5605 } 5606 nft_map_activate(const struct nft_ctx * ctx,struct nft_set * set)5607 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set) 5608 { 5609 struct nft_set_iter iter = { 5610 .genmask = nft_genmask_next(ctx->net), 5611 .type = NFT_ITER_UPDATE, 5612 .fn = nft_mapelem_activate, 5613 }; 5614 5615 set->ops->walk(ctx, set, &iter); 5616 WARN_ON_ONCE(iter.err); 5617 5618 nft_map_catchall_activate(ctx, set); 5619 } 5620 nf_tables_activate_set(const struct nft_ctx * ctx,struct nft_set * set)5621 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) 5622 { 5623 if (nft_set_is_anonymous(set)) { 5624 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5625 nft_map_activate(ctx, set); 5626 5627 nft_clear(ctx->net, set); 5628 } 5629 5630 nft_use_inc_restore(&set->use); 5631 } 5632 EXPORT_SYMBOL_GPL(nf_tables_activate_set); 5633 nf_tables_deactivate_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,enum nft_trans_phase phase)5634 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 5635 struct nft_set_binding *binding, 5636 enum nft_trans_phase phase) 5637 { 5638 switch (phase) { 5639 case NFT_TRANS_PREPARE_ERROR: 5640 nft_set_trans_unbind(ctx, set); 5641 if (nft_set_is_anonymous(set)) 5642 nft_deactivate_next(ctx->net, set); 5643 else 5644 list_del_rcu(&binding->list); 5645 5646 nft_use_dec(&set->use); 5647 break; 5648 case NFT_TRANS_PREPARE: 5649 if (nft_set_is_anonymous(set)) { 5650 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5651 nft_map_deactivate(ctx, set); 5652 5653 nft_deactivate_next(ctx->net, set); 5654 } 5655 nft_use_dec(&set->use); 5656 return; 5657 case NFT_TRANS_ABORT: 5658 case NFT_TRANS_RELEASE: 5659 if (nft_set_is_anonymous(set) && 5660 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5661 nft_map_deactivate(ctx, set); 5662 5663 nft_use_dec(&set->use); 5664 fallthrough; 5665 default: 5666 nf_tables_unbind_set(ctx, set, binding, 5667 phase == NFT_TRANS_COMMIT); 5668 } 5669 } 5670 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 5671 nf_tables_destroy_set(const struct nft_ctx * ctx,struct nft_set * set)5672 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 5673 { 5674 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 5675 nft_set_destroy(ctx, set); 5676 } 5677 EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 5678 5679 const struct nft_set_ext_type nft_set_ext_types[] = { 5680 [NFT_SET_EXT_KEY] = { 5681 .align = __alignof__(u32), 5682 }, 5683 [NFT_SET_EXT_DATA] = { 5684 .align = __alignof__(u32), 5685 }, 5686 [NFT_SET_EXT_EXPRESSIONS] = { 5687 .align = __alignof__(struct nft_set_elem_expr), 5688 }, 5689 [NFT_SET_EXT_OBJREF] = { 5690 .len = sizeof(struct nft_object *), 5691 .align = __alignof__(struct nft_object *), 5692 }, 5693 [NFT_SET_EXT_FLAGS] = { 5694 .len = sizeof(u8), 5695 .align = __alignof__(u8), 5696 }, 5697 [NFT_SET_EXT_TIMEOUT] = { 5698 .len = sizeof(struct nft_timeout), 5699 .align = __alignof__(struct nft_timeout), 5700 }, 5701 [NFT_SET_EXT_USERDATA] = { 5702 .len = sizeof(struct nft_userdata), 5703 .align = __alignof__(struct nft_userdata), 5704 }, 5705 [NFT_SET_EXT_KEY_END] = { 5706 .align = __alignof__(u32), 5707 }, 5708 }; 5709 5710 /* 5711 * Set elements 5712 */ 5713 5714 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 5715 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 5716 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 5717 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 5718 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 5719 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 5720 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 5721 .len = NFT_USERDATA_MAXLEN }, 5722 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 5723 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 5724 .len = NFT_OBJ_MAXNAMELEN - 1 }, 5725 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 5726 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy), 5727 }; 5728 5729 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 5730 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 5731 .len = NFT_TABLE_MAXNAMELEN - 1 }, 5732 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 5733 .len = NFT_SET_MAXNAMELEN - 1 }, 5734 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy), 5735 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 5736 }; 5737 nft_set_elem_expr_dump(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_ext * ext,bool reset)5738 static int nft_set_elem_expr_dump(struct sk_buff *skb, 5739 const struct nft_set *set, 5740 const struct nft_set_ext *ext, 5741 bool reset) 5742 { 5743 struct nft_set_elem_expr *elem_expr; 5744 u32 size, num_exprs = 0; 5745 struct nft_expr *expr; 5746 struct nlattr *nest; 5747 5748 elem_expr = nft_set_ext_expr(ext); 5749 nft_setelem_expr_foreach(expr, elem_expr, size) 5750 num_exprs++; 5751 5752 if (num_exprs == 1) { 5753 expr = nft_setelem_expr_at(elem_expr, 0); 5754 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0) 5755 return -1; 5756 5757 return 0; 5758 } else if (num_exprs > 1) { 5759 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS); 5760 if (nest == NULL) 5761 goto nla_put_failure; 5762 5763 nft_setelem_expr_foreach(expr, elem_expr, size) { 5764 expr = nft_setelem_expr_at(elem_expr, size); 5765 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0) 5766 goto nla_put_failure; 5767 } 5768 nla_nest_end(skb, nest); 5769 } 5770 return 0; 5771 5772 nla_put_failure: 5773 return -1; 5774 } 5775 nf_tables_fill_setelem(struct sk_buff * skb,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)5776 static int nf_tables_fill_setelem(struct sk_buff *skb, 5777 const struct nft_set *set, 5778 const struct nft_elem_priv *elem_priv, 5779 bool reset) 5780 { 5781 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5782 unsigned char *b = skb_tail_pointer(skb); 5783 struct nlattr *nest; 5784 5785 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 5786 if (nest == NULL) 5787 goto nla_put_failure; 5788 5789 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 5790 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 5791 NFT_DATA_VALUE, set->klen) < 0) 5792 goto nla_put_failure; 5793 5794 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 5795 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 5796 NFT_DATA_VALUE, set->klen) < 0) 5797 goto nla_put_failure; 5798 5799 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 5800 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 5801 nft_set_datatype(set), set->dlen) < 0) 5802 goto nla_put_failure; 5803 5804 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) && 5805 nft_set_elem_expr_dump(skb, set, ext, reset)) 5806 goto nla_put_failure; 5807 5808 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 5809 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 5810 (*nft_set_ext_obj(ext))->key.name) < 0) 5811 goto nla_put_failure; 5812 5813 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 5814 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 5815 htonl(*nft_set_ext_flags(ext)))) 5816 goto nla_put_failure; 5817 5818 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) { 5819 u64 timeout = READ_ONCE(nft_set_ext_timeout(ext)->timeout); 5820 u64 set_timeout = READ_ONCE(set->timeout); 5821 __be64 msecs = 0; 5822 5823 if (set_timeout != timeout) { 5824 msecs = nf_jiffies64_to_msecs(timeout); 5825 if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, msecs, 5826 NFTA_SET_ELEM_PAD)) 5827 goto nla_put_failure; 5828 } 5829 5830 if (timeout > 0) { 5831 u64 expires, now = get_jiffies_64(); 5832 5833 expires = READ_ONCE(nft_set_ext_timeout(ext)->expiration); 5834 if (time_before64(now, expires)) 5835 expires -= now; 5836 else 5837 expires = 0; 5838 5839 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 5840 nf_jiffies64_to_msecs(expires), 5841 NFTA_SET_ELEM_PAD)) 5842 goto nla_put_failure; 5843 } 5844 } 5845 5846 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 5847 struct nft_userdata *udata; 5848 5849 udata = nft_set_ext_userdata(ext); 5850 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 5851 udata->len + 1, udata->data)) 5852 goto nla_put_failure; 5853 } 5854 5855 nla_nest_end(skb, nest); 5856 return 0; 5857 5858 nla_put_failure: 5859 nlmsg_trim(skb, b); 5860 return -EMSGSIZE; 5861 } 5862 5863 struct nft_set_dump_args { 5864 const struct netlink_callback *cb; 5865 struct nft_set_iter iter; 5866 struct sk_buff *skb; 5867 bool reset; 5868 }; 5869 nf_tables_dump_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5870 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 5871 struct nft_set *set, 5872 const struct nft_set_iter *iter, 5873 struct nft_elem_priv *elem_priv) 5874 { 5875 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5876 struct nft_set_dump_args *args; 5877 5878 if (!nft_set_elem_active(ext, iter->genmask)) 5879 return 0; 5880 5881 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) 5882 return 0; 5883 5884 args = container_of(iter, struct nft_set_dump_args, iter); 5885 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset); 5886 } 5887 audit_log_nft_set_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)5888 static void audit_log_nft_set_reset(const struct nft_table *table, 5889 unsigned int base_seq, 5890 unsigned int nentries) 5891 { 5892 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq); 5893 5894 audit_log_nfcfg(buf, table->family, nentries, 5895 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC); 5896 kfree(buf); 5897 } 5898 5899 struct nft_set_dump_ctx { 5900 const struct nft_set *set; 5901 struct nft_ctx ctx; 5902 bool reset; 5903 }; 5904 nft_set_catchall_dump(struct net * net,struct sk_buff * skb,const struct nft_set * set,bool reset,unsigned int base_seq)5905 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb, 5906 const struct nft_set *set, bool reset, 5907 unsigned int base_seq) 5908 { 5909 struct nft_set_elem_catchall *catchall; 5910 u8 genmask = nft_genmask_cur(net); 5911 struct nft_set_ext *ext; 5912 int ret = 0; 5913 5914 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5915 ext = nft_set_elem_ext(set, catchall->elem); 5916 if (!nft_set_elem_active(ext, genmask) || 5917 nft_set_elem_expired(ext)) 5918 continue; 5919 5920 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset); 5921 if (reset && !ret) 5922 audit_log_nft_set_reset(set->table, base_seq, 1); 5923 break; 5924 } 5925 5926 return ret; 5927 } 5928 nf_tables_dump_set(struct sk_buff * skb,struct netlink_callback * cb)5929 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 5930 { 5931 struct nft_set_dump_ctx *dump_ctx = cb->data; 5932 struct net *net = sock_net(skb->sk); 5933 struct nftables_pernet *nft_net; 5934 struct nft_table *table; 5935 struct nft_set *set; 5936 struct nft_set_dump_args args; 5937 bool set_found = false; 5938 struct nlmsghdr *nlh; 5939 struct nlattr *nest; 5940 u32 portid, seq; 5941 int event; 5942 5943 rcu_read_lock(); 5944 nft_net = nft_pernet(net); 5945 cb->seq = READ_ONCE(nft_net->base_seq); 5946 5947 list_for_each_entry_rcu(table, &nft_net->tables, list) { 5948 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 5949 dump_ctx->ctx.family != table->family) 5950 continue; 5951 5952 if (table != dump_ctx->ctx.table) 5953 continue; 5954 5955 list_for_each_entry_rcu(set, &table->sets, list) { 5956 if (set == dump_ctx->set) { 5957 set_found = true; 5958 break; 5959 } 5960 } 5961 break; 5962 } 5963 5964 if (!set_found) { 5965 rcu_read_unlock(); 5966 return -ENOENT; 5967 } 5968 5969 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 5970 portid = NETLINK_CB(cb->skb).portid; 5971 seq = cb->nlh->nlmsg_seq; 5972 5973 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, 5974 table->family, NFNETLINK_V0, nft_base_seq(net)); 5975 if (!nlh) 5976 goto nla_put_failure; 5977 5978 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 5979 goto nla_put_failure; 5980 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 5981 goto nla_put_failure; 5982 5983 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 5984 if (nest == NULL) 5985 goto nla_put_failure; 5986 5987 args.cb = cb; 5988 args.skb = skb; 5989 args.reset = dump_ctx->reset; 5990 args.iter.genmask = nft_genmask_cur(net); 5991 args.iter.type = NFT_ITER_READ; 5992 args.iter.skip = cb->args[0]; 5993 args.iter.count = 0; 5994 args.iter.err = 0; 5995 args.iter.fn = nf_tables_dump_setelem; 5996 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 5997 5998 if (!args.iter.err && args.iter.count == cb->args[0]) 5999 args.iter.err = nft_set_catchall_dump(net, skb, set, 6000 dump_ctx->reset, cb->seq); 6001 nla_nest_end(skb, nest); 6002 nlmsg_end(skb, nlh); 6003 6004 rcu_read_unlock(); 6005 6006 if (args.iter.err && args.iter.err != -EMSGSIZE) 6007 return args.iter.err; 6008 if (args.iter.count == cb->args[0]) 6009 return 0; 6010 6011 cb->args[0] = args.iter.count; 6012 return skb->len; 6013 6014 nla_put_failure: 6015 rcu_read_unlock(); 6016 return -ENOSPC; 6017 } 6018 nf_tables_dumpreset_set(struct sk_buff * skb,struct netlink_callback * cb)6019 static int nf_tables_dumpreset_set(struct sk_buff *skb, 6020 struct netlink_callback *cb) 6021 { 6022 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk)); 6023 struct nft_set_dump_ctx *dump_ctx = cb->data; 6024 int ret, skip = cb->args[0]; 6025 6026 mutex_lock(&nft_net->commit_mutex); 6027 6028 ret = nf_tables_dump_set(skb, cb); 6029 6030 if (cb->args[0] > skip) 6031 audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq, 6032 cb->args[0] - skip); 6033 6034 mutex_unlock(&nft_net->commit_mutex); 6035 6036 return ret; 6037 } 6038 nf_tables_dump_set_start(struct netlink_callback * cb)6039 static int nf_tables_dump_set_start(struct netlink_callback *cb) 6040 { 6041 struct nft_set_dump_ctx *dump_ctx = cb->data; 6042 6043 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 6044 6045 return cb->data ? 0 : -ENOMEM; 6046 } 6047 nf_tables_dump_set_done(struct netlink_callback * cb)6048 static int nf_tables_dump_set_done(struct netlink_callback *cb) 6049 { 6050 kfree(cb->data); 6051 return 0; 6052 } 6053 nf_tables_fill_setelem_info(struct sk_buff * skb,const struct nft_ctx * ctx,u32 seq,u32 portid,int event,u16 flags,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)6054 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 6055 const struct nft_ctx *ctx, u32 seq, 6056 u32 portid, int event, u16 flags, 6057 const struct nft_set *set, 6058 const struct nft_elem_priv *elem_priv, 6059 bool reset) 6060 { 6061 struct nlmsghdr *nlh; 6062 struct nlattr *nest; 6063 int err; 6064 6065 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6066 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 6067 NFNETLINK_V0, nft_base_seq(ctx->net)); 6068 if (!nlh) 6069 goto nla_put_failure; 6070 6071 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 6072 goto nla_put_failure; 6073 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 6074 goto nla_put_failure; 6075 6076 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 6077 if (nest == NULL) 6078 goto nla_put_failure; 6079 6080 err = nf_tables_fill_setelem(skb, set, elem_priv, reset); 6081 if (err < 0) 6082 goto nla_put_failure; 6083 6084 nla_nest_end(skb, nest); 6085 6086 nlmsg_end(skb, nlh); 6087 return 0; 6088 6089 nla_put_failure: 6090 nlmsg_trim(skb, nlh); 6091 return -1; 6092 } 6093 nft_setelem_parse_flags(const struct nft_set * set,const struct nlattr * attr,u32 * flags)6094 static int nft_setelem_parse_flags(const struct nft_set *set, 6095 const struct nlattr *attr, u32 *flags) 6096 { 6097 if (attr == NULL) 6098 return 0; 6099 6100 *flags = ntohl(nla_get_be32(attr)); 6101 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 6102 return -EOPNOTSUPP; 6103 if (!(set->flags & NFT_SET_INTERVAL) && 6104 *flags & NFT_SET_ELEM_INTERVAL_END) 6105 return -EINVAL; 6106 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) == 6107 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 6108 return -EINVAL; 6109 6110 return 0; 6111 } 6112 nft_setelem_parse_key(struct nft_ctx * ctx,const struct nft_set * set,struct nft_data * key,struct nlattr * attr)6113 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set, 6114 struct nft_data *key, struct nlattr *attr) 6115 { 6116 struct nft_data_desc desc = { 6117 .type = NFT_DATA_VALUE, 6118 .size = NFT_DATA_VALUE_MAXLEN, 6119 .len = set->klen, 6120 }; 6121 6122 return nft_data_init(ctx, key, &desc, attr); 6123 } 6124 nft_setelem_parse_data(struct nft_ctx * ctx,struct nft_set * set,struct nft_data_desc * desc,struct nft_data * data,struct nlattr * attr)6125 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 6126 struct nft_data_desc *desc, 6127 struct nft_data *data, 6128 struct nlattr *attr) 6129 { 6130 u32 dtype; 6131 6132 if (set->dtype == NFT_DATA_VERDICT) 6133 dtype = NFT_DATA_VERDICT; 6134 else 6135 dtype = NFT_DATA_VALUE; 6136 6137 desc->type = dtype; 6138 desc->size = NFT_DATA_VALUE_MAXLEN; 6139 desc->len = set->dlen; 6140 desc->flags = NFT_DATA_DESC_SETELEM; 6141 6142 return nft_data_init(ctx, data, desc, attr); 6143 } 6144 nft_setelem_catchall_get(const struct net * net,const struct nft_set * set)6145 static void *nft_setelem_catchall_get(const struct net *net, 6146 const struct nft_set *set) 6147 { 6148 struct nft_set_elem_catchall *catchall; 6149 u8 genmask = nft_genmask_cur(net); 6150 struct nft_set_ext *ext; 6151 void *priv = NULL; 6152 6153 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6154 ext = nft_set_elem_ext(set, catchall->elem); 6155 if (!nft_set_elem_active(ext, genmask) || 6156 nft_set_elem_expired(ext)) 6157 continue; 6158 6159 priv = catchall->elem; 6160 break; 6161 } 6162 6163 return priv; 6164 } 6165 nft_setelem_get(struct nft_ctx * ctx,const struct nft_set * set,struct nft_set_elem * elem,u32 flags)6166 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set, 6167 struct nft_set_elem *elem, u32 flags) 6168 { 6169 void *priv; 6170 6171 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 6172 priv = set->ops->get(ctx->net, set, elem, flags); 6173 if (IS_ERR(priv)) 6174 return PTR_ERR(priv); 6175 } else { 6176 priv = nft_setelem_catchall_get(ctx->net, set); 6177 if (!priv) 6178 return -ENOENT; 6179 } 6180 elem->priv = priv; 6181 6182 return 0; 6183 } 6184 nft_get_set_elem(struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr,bool reset)6185 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set, 6186 const struct nlattr *attr, bool reset) 6187 { 6188 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 6189 struct nft_set_elem elem; 6190 struct sk_buff *skb; 6191 uint32_t flags = 0; 6192 int err; 6193 6194 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 6195 nft_set_elem_policy, NULL); 6196 if (err < 0) 6197 return err; 6198 6199 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 6200 if (err < 0) 6201 return err; 6202 6203 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 6204 return -EINVAL; 6205 6206 if (nla[NFTA_SET_ELEM_KEY]) { 6207 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 6208 nla[NFTA_SET_ELEM_KEY]); 6209 if (err < 0) 6210 return err; 6211 } 6212 6213 if (nla[NFTA_SET_ELEM_KEY_END]) { 6214 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 6215 nla[NFTA_SET_ELEM_KEY_END]); 6216 if (err < 0) 6217 return err; 6218 } 6219 6220 err = nft_setelem_get(ctx, set, &elem, flags); 6221 if (err < 0) 6222 return err; 6223 6224 err = -ENOMEM; 6225 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 6226 if (skb == NULL) 6227 return err; 6228 6229 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 6230 NFT_MSG_NEWSETELEM, 0, set, elem.priv, 6231 reset); 6232 if (err < 0) 6233 goto err_fill_setelem; 6234 6235 return nfnetlink_unicast(skb, ctx->net, ctx->portid); 6236 6237 err_fill_setelem: 6238 kfree_skb(skb); 6239 return err; 6240 } 6241 nft_set_dump_ctx_init(struct nft_set_dump_ctx * dump_ctx,const struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)6242 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx, 6243 const struct sk_buff *skb, 6244 const struct nfnl_info *info, 6245 const struct nlattr * const nla[], 6246 bool reset) 6247 { 6248 struct netlink_ext_ack *extack = info->extack; 6249 u8 genmask = nft_genmask_cur(info->net); 6250 u8 family = info->nfmsg->nfgen_family; 6251 struct net *net = info->net; 6252 struct nft_table *table; 6253 struct nft_set *set; 6254 6255 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6256 genmask, 0); 6257 if (IS_ERR(table)) { 6258 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6259 return PTR_ERR(table); 6260 } 6261 6262 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 6263 if (IS_ERR(set)) { 6264 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); 6265 return PTR_ERR(set); 6266 } 6267 6268 nft_ctx_init(&dump_ctx->ctx, net, skb, 6269 info->nlh, family, table, NULL, nla); 6270 dump_ctx->set = set; 6271 dump_ctx->reset = reset; 6272 return 0; 6273 } 6274 6275 /* called with rcu_read_lock held */ nf_tables_getsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6276 static int nf_tables_getsetelem(struct sk_buff *skb, 6277 const struct nfnl_info *info, 6278 const struct nlattr * const nla[]) 6279 { 6280 struct netlink_ext_ack *extack = info->extack; 6281 struct nft_set_dump_ctx dump_ctx; 6282 struct nlattr *attr; 6283 int rem, err = 0; 6284 6285 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 6286 struct netlink_dump_control c = { 6287 .start = nf_tables_dump_set_start, 6288 .dump = nf_tables_dump_set, 6289 .done = nf_tables_dump_set_done, 6290 .module = THIS_MODULE, 6291 }; 6292 6293 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false); 6294 if (err) 6295 return err; 6296 6297 c.data = &dump_ctx; 6298 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 6299 } 6300 6301 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 6302 return -EINVAL; 6303 6304 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false); 6305 if (err) 6306 return err; 6307 6308 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6309 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, false); 6310 if (err < 0) { 6311 NL_SET_BAD_ATTR(extack, attr); 6312 break; 6313 } 6314 } 6315 6316 return err; 6317 } 6318 nf_tables_getsetelem_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6319 static int nf_tables_getsetelem_reset(struct sk_buff *skb, 6320 const struct nfnl_info *info, 6321 const struct nlattr * const nla[]) 6322 { 6323 struct nftables_pernet *nft_net = nft_pernet(info->net); 6324 struct netlink_ext_ack *extack = info->extack; 6325 struct nft_set_dump_ctx dump_ctx; 6326 int rem, err = 0, nelems = 0; 6327 struct nlattr *attr; 6328 6329 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 6330 struct netlink_dump_control c = { 6331 .start = nf_tables_dump_set_start, 6332 .dump = nf_tables_dumpreset_set, 6333 .done = nf_tables_dump_set_done, 6334 .module = THIS_MODULE, 6335 }; 6336 6337 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true); 6338 if (err) 6339 return err; 6340 6341 c.data = &dump_ctx; 6342 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 6343 } 6344 6345 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 6346 return -EINVAL; 6347 6348 if (!try_module_get(THIS_MODULE)) 6349 return -EINVAL; 6350 rcu_read_unlock(); 6351 mutex_lock(&nft_net->commit_mutex); 6352 rcu_read_lock(); 6353 6354 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true); 6355 if (err) 6356 goto out_unlock; 6357 6358 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6359 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, true); 6360 if (err < 0) { 6361 NL_SET_BAD_ATTR(extack, attr); 6362 break; 6363 } 6364 nelems++; 6365 } 6366 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_net->base_seq, nelems); 6367 6368 out_unlock: 6369 rcu_read_unlock(); 6370 mutex_unlock(&nft_net->commit_mutex); 6371 rcu_read_lock(); 6372 module_put(THIS_MODULE); 6373 6374 return err; 6375 } 6376 nf_tables_setelem_notify(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv,int event)6377 static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 6378 const struct nft_set *set, 6379 const struct nft_elem_priv *elem_priv, 6380 int event) 6381 { 6382 struct nftables_pernet *nft_net; 6383 struct net *net = ctx->net; 6384 u32 portid = ctx->portid; 6385 struct sk_buff *skb; 6386 u16 flags = 0; 6387 int err; 6388 6389 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 6390 return; 6391 6392 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 6393 if (skb == NULL) 6394 goto err; 6395 6396 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 6397 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 6398 6399 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 6400 set, elem_priv, false); 6401 if (err < 0) { 6402 kfree_skb(skb); 6403 goto err; 6404 } 6405 6406 nft_net = nft_pernet(net); 6407 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 6408 return; 6409 err: 6410 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 6411 } 6412 nft_trans_elem_alloc(struct nft_ctx * ctx,int msg_type,struct nft_set * set)6413 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 6414 int msg_type, 6415 struct nft_set *set) 6416 { 6417 struct nft_trans *trans; 6418 6419 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 6420 if (trans == NULL) 6421 return NULL; 6422 6423 nft_trans_elem_set(trans) = set; 6424 return trans; 6425 } 6426 nft_set_elem_expr_alloc(const struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr)6427 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 6428 const struct nft_set *set, 6429 const struct nlattr *attr) 6430 { 6431 struct nft_expr *expr; 6432 int err; 6433 6434 expr = nft_expr_init(ctx, attr); 6435 if (IS_ERR(expr)) 6436 return expr; 6437 6438 err = -EOPNOTSUPP; 6439 if (expr->ops->type->flags & NFT_EXPR_GC) { 6440 if (set->flags & NFT_SET_TIMEOUT) 6441 goto err_set_elem_expr; 6442 if (!set->ops->gc_init) 6443 goto err_set_elem_expr; 6444 set->ops->gc_init(set); 6445 } 6446 6447 return expr; 6448 6449 err_set_elem_expr: 6450 nft_expr_destroy(ctx, expr); 6451 return ERR_PTR(err); 6452 } 6453 nft_set_ext_check(const struct nft_set_ext_tmpl * tmpl,u8 id,u32 len)6454 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len) 6455 { 6456 len += nft_set_ext_types[id].len; 6457 if (len > tmpl->ext_len[id] || 6458 len > U8_MAX) 6459 return -1; 6460 6461 return 0; 6462 } 6463 nft_set_ext_memcpy(const struct nft_set_ext_tmpl * tmpl,u8 id,void * to,const void * from,u32 len)6464 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id, 6465 void *to, const void *from, u32 len) 6466 { 6467 if (nft_set_ext_check(tmpl, id, len) < 0) 6468 return -1; 6469 6470 memcpy(to, from, len); 6471 6472 return 0; 6473 } 6474 nft_set_elem_init(const struct nft_set * set,const struct nft_set_ext_tmpl * tmpl,const u32 * key,const u32 * key_end,const u32 * data,u64 timeout,u64 expiration,gfp_t gfp)6475 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set, 6476 const struct nft_set_ext_tmpl *tmpl, 6477 const u32 *key, const u32 *key_end, 6478 const u32 *data, 6479 u64 timeout, u64 expiration, gfp_t gfp) 6480 { 6481 struct nft_set_ext *ext; 6482 void *elem; 6483 6484 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 6485 if (elem == NULL) 6486 return ERR_PTR(-ENOMEM); 6487 6488 ext = nft_set_elem_ext(set, elem); 6489 nft_set_ext_init(ext, tmpl); 6490 6491 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 6492 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY, 6493 nft_set_ext_key(ext), key, set->klen) < 0) 6494 goto err_ext_check; 6495 6496 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 6497 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END, 6498 nft_set_ext_key_end(ext), key_end, set->klen) < 0) 6499 goto err_ext_check; 6500 6501 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 6502 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA, 6503 nft_set_ext_data(ext), data, set->dlen) < 0) 6504 goto err_ext_check; 6505 6506 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) { 6507 nft_set_ext_timeout(ext)->timeout = timeout; 6508 6509 if (expiration == 0) 6510 expiration = timeout; 6511 6512 nft_set_ext_timeout(ext)->expiration = get_jiffies_64() + expiration; 6513 } 6514 6515 return elem; 6516 6517 err_ext_check: 6518 kfree(elem); 6519 6520 return ERR_PTR(-EINVAL); 6521 } 6522 __nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)6523 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 6524 struct nft_expr *expr) 6525 { 6526 if (expr->ops->destroy_clone) { 6527 expr->ops->destroy_clone(ctx, expr); 6528 module_put(expr->ops->type->owner); 6529 } else { 6530 nf_tables_expr_destroy(ctx, expr); 6531 } 6532 } 6533 nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_set_elem_expr * elem_expr)6534 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 6535 struct nft_set_elem_expr *elem_expr) 6536 { 6537 struct nft_expr *expr; 6538 u32 size; 6539 6540 nft_setelem_expr_foreach(expr, elem_expr, size) 6541 __nft_set_elem_expr_destroy(ctx, expr); 6542 } 6543 6544 /* Drop references and destroy. Called from gc, dynset and abort path. */ nft_set_elem_destroy(const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool destroy_expr)6545 void nft_set_elem_destroy(const struct nft_set *set, 6546 const struct nft_elem_priv *elem_priv, 6547 bool destroy_expr) 6548 { 6549 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6550 struct nft_ctx ctx = { 6551 .net = read_pnet(&set->net), 6552 .family = set->table->family, 6553 }; 6554 6555 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 6556 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6557 nft_data_release(nft_set_ext_data(ext), set->dtype); 6558 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 6559 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext)); 6560 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6561 nft_use_dec(&(*nft_set_ext_obj(ext))->use); 6562 6563 kfree(elem_priv); 6564 } 6565 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 6566 6567 /* Destroy element. References have been already dropped in the preparation 6568 * path via nft_setelem_data_deactivate(). 6569 */ nf_tables_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv)6570 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 6571 const struct nft_set *set, 6572 const struct nft_elem_priv *elem_priv) 6573 { 6574 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6575 6576 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 6577 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 6578 6579 kfree(elem_priv); 6580 } 6581 nft_set_elem_expr_clone(const struct nft_ctx * ctx,struct nft_set * set,struct nft_expr * expr_array[])6582 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, 6583 struct nft_expr *expr_array[]) 6584 { 6585 struct nft_expr *expr; 6586 int err, i, k; 6587 6588 for (i = 0; i < set->num_exprs; i++) { 6589 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT); 6590 if (!expr) 6591 goto err_expr; 6592 6593 err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT); 6594 if (err < 0) { 6595 kfree(expr); 6596 goto err_expr; 6597 } 6598 expr_array[i] = expr; 6599 } 6600 6601 return 0; 6602 6603 err_expr: 6604 for (k = i - 1; k >= 0; k--) 6605 nft_expr_destroy(ctx, expr_array[k]); 6606 6607 return -ENOMEM; 6608 } 6609 nft_set_elem_expr_setup(struct nft_ctx * ctx,const struct nft_set_ext_tmpl * tmpl,const struct nft_set_ext * ext,struct nft_expr * expr_array[],u32 num_exprs)6610 static int nft_set_elem_expr_setup(struct nft_ctx *ctx, 6611 const struct nft_set_ext_tmpl *tmpl, 6612 const struct nft_set_ext *ext, 6613 struct nft_expr *expr_array[], 6614 u32 num_exprs) 6615 { 6616 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); 6617 u32 len = sizeof(struct nft_set_elem_expr); 6618 struct nft_expr *expr; 6619 int i, err; 6620 6621 if (num_exprs == 0) 6622 return 0; 6623 6624 for (i = 0; i < num_exprs; i++) 6625 len += expr_array[i]->ops->size; 6626 6627 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0) 6628 return -EINVAL; 6629 6630 for (i = 0; i < num_exprs; i++) { 6631 expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 6632 err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT); 6633 if (err < 0) 6634 goto err_elem_expr_setup; 6635 6636 elem_expr->size += expr_array[i]->ops->size; 6637 nft_expr_destroy(ctx, expr_array[i]); 6638 expr_array[i] = NULL; 6639 } 6640 6641 return 0; 6642 6643 err_elem_expr_setup: 6644 for (; i < num_exprs; i++) { 6645 nft_expr_destroy(ctx, expr_array[i]); 6646 expr_array[i] = NULL; 6647 } 6648 6649 return -ENOMEM; 6650 } 6651 nft_set_catchall_lookup(const struct net * net,const struct nft_set * set)6652 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net, 6653 const struct nft_set *set) 6654 { 6655 struct nft_set_elem_catchall *catchall; 6656 u8 genmask = nft_genmask_cur(net); 6657 struct nft_set_ext *ext; 6658 6659 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6660 ext = nft_set_elem_ext(set, catchall->elem); 6661 if (nft_set_elem_active(ext, genmask) && 6662 !nft_set_elem_expired(ext) && 6663 !nft_set_elem_is_dead(ext)) 6664 return ext; 6665 } 6666 6667 return NULL; 6668 } 6669 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup); 6670 nft_setelem_catchall_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** priv)6671 static int nft_setelem_catchall_insert(const struct net *net, 6672 struct nft_set *set, 6673 const struct nft_set_elem *elem, 6674 struct nft_elem_priv **priv) 6675 { 6676 struct nft_set_elem_catchall *catchall; 6677 u8 genmask = nft_genmask_next(net); 6678 struct nft_set_ext *ext; 6679 6680 list_for_each_entry(catchall, &set->catchall_list, list) { 6681 ext = nft_set_elem_ext(set, catchall->elem); 6682 if (nft_set_elem_active(ext, genmask)) { 6683 *priv = catchall->elem; 6684 return -EEXIST; 6685 } 6686 } 6687 6688 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL_ACCOUNT); 6689 if (!catchall) 6690 return -ENOMEM; 6691 6692 catchall->elem = elem->priv; 6693 list_add_tail_rcu(&catchall->list, &set->catchall_list); 6694 6695 return 0; 6696 } 6697 nft_setelem_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** elem_priv,unsigned int flags)6698 static int nft_setelem_insert(const struct net *net, 6699 struct nft_set *set, 6700 const struct nft_set_elem *elem, 6701 struct nft_elem_priv **elem_priv, 6702 unsigned int flags) 6703 { 6704 int ret; 6705 6706 if (flags & NFT_SET_ELEM_CATCHALL) 6707 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv); 6708 else 6709 ret = set->ops->insert(net, set, elem, elem_priv); 6710 6711 return ret; 6712 } 6713 nft_setelem_is_catchall(const struct nft_set * set,const struct nft_elem_priv * elem_priv)6714 static bool nft_setelem_is_catchall(const struct nft_set *set, 6715 const struct nft_elem_priv *elem_priv) 6716 { 6717 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6718 6719 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 6720 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL) 6721 return true; 6722 6723 return false; 6724 } 6725 nft_setelem_activate(struct net * net,struct nft_set * set,struct nft_elem_priv * elem_priv)6726 static void nft_setelem_activate(struct net *net, struct nft_set *set, 6727 struct nft_elem_priv *elem_priv) 6728 { 6729 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6730 6731 if (nft_setelem_is_catchall(set, elem_priv)) { 6732 nft_clear(net, ext); 6733 } else { 6734 set->ops->activate(net, set, elem_priv); 6735 } 6736 } 6737 nft_setelem_catchall_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)6738 static int nft_setelem_catchall_deactivate(const struct net *net, 6739 struct nft_set *set, 6740 struct nft_set_elem *elem) 6741 { 6742 struct nft_set_elem_catchall *catchall; 6743 struct nft_set_ext *ext; 6744 6745 list_for_each_entry(catchall, &set->catchall_list, list) { 6746 ext = nft_set_elem_ext(set, catchall->elem); 6747 if (!nft_is_active_next(net, ext)) 6748 continue; 6749 6750 kfree(elem->priv); 6751 elem->priv = catchall->elem; 6752 nft_set_elem_change_active(net, set, ext); 6753 return 0; 6754 } 6755 6756 return -ENOENT; 6757 } 6758 __nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)6759 static int __nft_setelem_deactivate(const struct net *net, 6760 struct nft_set *set, 6761 struct nft_set_elem *elem) 6762 { 6763 void *priv; 6764 6765 priv = set->ops->deactivate(net, set, elem); 6766 if (!priv) 6767 return -ENOENT; 6768 6769 kfree(elem->priv); 6770 elem->priv = priv; 6771 set->ndeact++; 6772 6773 return 0; 6774 } 6775 nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem,u32 flags)6776 static int nft_setelem_deactivate(const struct net *net, 6777 struct nft_set *set, 6778 struct nft_set_elem *elem, u32 flags) 6779 { 6780 int ret; 6781 6782 if (flags & NFT_SET_ELEM_CATCHALL) 6783 ret = nft_setelem_catchall_deactivate(net, set, elem); 6784 else 6785 ret = __nft_setelem_deactivate(net, set, elem); 6786 6787 return ret; 6788 } 6789 nft_setelem_catchall_destroy(struct nft_set_elem_catchall * catchall)6790 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall) 6791 { 6792 list_del_rcu(&catchall->list); 6793 kfree_rcu(catchall, rcu); 6794 } 6795 nft_setelem_catchall_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)6796 static void nft_setelem_catchall_remove(const struct net *net, 6797 const struct nft_set *set, 6798 struct nft_elem_priv *elem_priv) 6799 { 6800 struct nft_set_elem_catchall *catchall, *next; 6801 6802 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 6803 if (catchall->elem == elem_priv) { 6804 nft_setelem_catchall_destroy(catchall); 6805 break; 6806 } 6807 } 6808 } 6809 nft_setelem_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)6810 static void nft_setelem_remove(const struct net *net, 6811 const struct nft_set *set, 6812 struct nft_elem_priv *elem_priv) 6813 { 6814 if (nft_setelem_is_catchall(set, elem_priv)) 6815 nft_setelem_catchall_remove(net, set, elem_priv); 6816 else 6817 set->ops->remove(net, set, elem_priv); 6818 } 6819 nft_setelem_valid_key_end(const struct nft_set * set,struct nlattr ** nla,u32 flags)6820 static bool nft_setelem_valid_key_end(const struct nft_set *set, 6821 struct nlattr **nla, u32 flags) 6822 { 6823 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) == 6824 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) { 6825 if (flags & NFT_SET_ELEM_INTERVAL_END) 6826 return false; 6827 6828 if (nla[NFTA_SET_ELEM_KEY_END] && 6829 flags & NFT_SET_ELEM_CATCHALL) 6830 return false; 6831 } else { 6832 if (nla[NFTA_SET_ELEM_KEY_END]) 6833 return false; 6834 } 6835 6836 return true; 6837 } 6838 nft_add_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,u32 nlmsg_flags)6839 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 6840 const struct nlattr *attr, u32 nlmsg_flags) 6841 { 6842 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {}; 6843 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 6844 u8 genmask = nft_genmask_next(ctx->net); 6845 u32 flags = 0, size = 0, num_exprs = 0; 6846 struct nft_set_ext_tmpl tmpl; 6847 struct nft_set_ext *ext, *ext2; 6848 struct nft_set_elem elem; 6849 struct nft_set_binding *binding; 6850 struct nft_elem_priv *elem_priv; 6851 struct nft_object *obj = NULL; 6852 struct nft_userdata *udata; 6853 struct nft_data_desc desc; 6854 enum nft_registers dreg; 6855 struct nft_trans *trans; 6856 u8 update_flags; 6857 u64 expiration; 6858 u64 timeout; 6859 int err, i; 6860 u8 ulen; 6861 6862 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 6863 nft_set_elem_policy, NULL); 6864 if (err < 0) 6865 return err; 6866 6867 nft_set_ext_prepare(&tmpl); 6868 6869 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 6870 if (err < 0) 6871 return err; 6872 6873 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) || 6874 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY])) 6875 return -EINVAL; 6876 6877 if (flags != 0) { 6878 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 6879 if (err < 0) 6880 return err; 6881 } 6882 6883 if (set->flags & NFT_SET_MAP) { 6884 if (nla[NFTA_SET_ELEM_DATA] == NULL && 6885 !(flags & NFT_SET_ELEM_INTERVAL_END)) 6886 return -EINVAL; 6887 } else { 6888 if (nla[NFTA_SET_ELEM_DATA] != NULL) 6889 return -EINVAL; 6890 } 6891 6892 if (set->flags & NFT_SET_OBJECT) { 6893 if (!nla[NFTA_SET_ELEM_OBJREF] && 6894 !(flags & NFT_SET_ELEM_INTERVAL_END)) 6895 return -EINVAL; 6896 } else { 6897 if (nla[NFTA_SET_ELEM_OBJREF]) 6898 return -EINVAL; 6899 } 6900 6901 if (!nft_setelem_valid_key_end(set, nla, flags)) 6902 return -EINVAL; 6903 6904 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 6905 (nla[NFTA_SET_ELEM_DATA] || 6906 nla[NFTA_SET_ELEM_OBJREF] || 6907 nla[NFTA_SET_ELEM_TIMEOUT] || 6908 nla[NFTA_SET_ELEM_EXPIRATION] || 6909 nla[NFTA_SET_ELEM_USERDATA] || 6910 nla[NFTA_SET_ELEM_EXPR] || 6911 nla[NFTA_SET_ELEM_KEY_END] || 6912 nla[NFTA_SET_ELEM_EXPRESSIONS])) 6913 return -EINVAL; 6914 6915 timeout = 0; 6916 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 6917 if (!(set->flags & NFT_SET_TIMEOUT)) 6918 return -EINVAL; 6919 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 6920 &timeout); 6921 if (err) 6922 return err; 6923 } else if (set->flags & NFT_SET_TIMEOUT && 6924 !(flags & NFT_SET_ELEM_INTERVAL_END)) { 6925 timeout = set->timeout; 6926 } 6927 6928 expiration = 0; 6929 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 6930 if (!(set->flags & NFT_SET_TIMEOUT)) 6931 return -EINVAL; 6932 if (timeout == 0) 6933 return -EOPNOTSUPP; 6934 6935 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 6936 &expiration); 6937 if (err) 6938 return err; 6939 6940 if (expiration > timeout) 6941 return -ERANGE; 6942 } 6943 6944 if (nla[NFTA_SET_ELEM_EXPR]) { 6945 struct nft_expr *expr; 6946 6947 if (set->num_exprs && set->num_exprs != 1) 6948 return -EOPNOTSUPP; 6949 6950 expr = nft_set_elem_expr_alloc(ctx, set, 6951 nla[NFTA_SET_ELEM_EXPR]); 6952 if (IS_ERR(expr)) 6953 return PTR_ERR(expr); 6954 6955 expr_array[0] = expr; 6956 num_exprs = 1; 6957 6958 if (set->num_exprs && set->exprs[0]->ops != expr->ops) { 6959 err = -EOPNOTSUPP; 6960 goto err_set_elem_expr; 6961 } 6962 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) { 6963 struct nft_expr *expr; 6964 struct nlattr *tmp; 6965 int left; 6966 6967 i = 0; 6968 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) { 6969 if (i == NFT_SET_EXPR_MAX || 6970 (set->num_exprs && set->num_exprs == i)) { 6971 err = -E2BIG; 6972 goto err_set_elem_expr; 6973 } 6974 if (nla_type(tmp) != NFTA_LIST_ELEM) { 6975 err = -EINVAL; 6976 goto err_set_elem_expr; 6977 } 6978 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 6979 if (IS_ERR(expr)) { 6980 err = PTR_ERR(expr); 6981 goto err_set_elem_expr; 6982 } 6983 expr_array[i] = expr; 6984 num_exprs++; 6985 6986 if (set->num_exprs && expr->ops != set->exprs[i]->ops) { 6987 err = -EOPNOTSUPP; 6988 goto err_set_elem_expr; 6989 } 6990 i++; 6991 } 6992 if (set->num_exprs && set->num_exprs != i) { 6993 err = -EOPNOTSUPP; 6994 goto err_set_elem_expr; 6995 } 6996 } else if (set->num_exprs > 0 && 6997 !(flags & NFT_SET_ELEM_INTERVAL_END)) { 6998 err = nft_set_elem_expr_clone(ctx, set, expr_array); 6999 if (err < 0) 7000 goto err_set_elem_expr_clone; 7001 7002 num_exprs = set->num_exprs; 7003 } 7004 7005 if (nla[NFTA_SET_ELEM_KEY]) { 7006 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 7007 nla[NFTA_SET_ELEM_KEY]); 7008 if (err < 0) 7009 goto err_set_elem_expr; 7010 7011 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 7012 if (err < 0) 7013 goto err_parse_key; 7014 } 7015 7016 if (nla[NFTA_SET_ELEM_KEY_END]) { 7017 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 7018 nla[NFTA_SET_ELEM_KEY_END]); 7019 if (err < 0) 7020 goto err_parse_key; 7021 7022 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 7023 if (err < 0) 7024 goto err_parse_key_end; 7025 } 7026 7027 if (set->flags & NFT_SET_TIMEOUT) { 7028 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 7029 if (err < 0) 7030 goto err_parse_key_end; 7031 } 7032 7033 if (num_exprs) { 7034 for (i = 0; i < num_exprs; i++) 7035 size += expr_array[i]->ops->size; 7036 7037 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS, 7038 sizeof(struct nft_set_elem_expr) + size); 7039 if (err < 0) 7040 goto err_parse_key_end; 7041 } 7042 7043 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 7044 obj = nft_obj_lookup(ctx->net, ctx->table, 7045 nla[NFTA_SET_ELEM_OBJREF], 7046 set->objtype, genmask); 7047 if (IS_ERR(obj)) { 7048 err = PTR_ERR(obj); 7049 obj = NULL; 7050 goto err_parse_key_end; 7051 } 7052 7053 if (!nft_use_inc(&obj->use)) { 7054 err = -EMFILE; 7055 obj = NULL; 7056 goto err_parse_key_end; 7057 } 7058 7059 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 7060 if (err < 0) 7061 goto err_parse_key_end; 7062 } 7063 7064 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 7065 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 7066 nla[NFTA_SET_ELEM_DATA]); 7067 if (err < 0) 7068 goto err_parse_key_end; 7069 7070 dreg = nft_type_to_reg(set->dtype); 7071 list_for_each_entry(binding, &set->bindings, list) { 7072 struct nft_ctx bind_ctx = { 7073 .net = ctx->net, 7074 .family = ctx->family, 7075 .table = ctx->table, 7076 .chain = (struct nft_chain *)binding->chain, 7077 }; 7078 7079 if (!(binding->flags & NFT_SET_MAP)) 7080 continue; 7081 7082 err = nft_validate_register_store(&bind_ctx, dreg, 7083 &elem.data.val, 7084 desc.type, desc.len); 7085 if (err < 0) 7086 goto err_parse_data; 7087 7088 if (desc.type == NFT_DATA_VERDICT && 7089 (elem.data.val.verdict.code == NFT_GOTO || 7090 elem.data.val.verdict.code == NFT_JUMP)) 7091 nft_validate_state_update(ctx->table, 7092 NFT_VALIDATE_NEED); 7093 } 7094 7095 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 7096 if (err < 0) 7097 goto err_parse_data; 7098 } 7099 7100 /* The full maximum length of userdata can exceed the maximum 7101 * offset value (U8_MAX) for following extensions, therefor it 7102 * must be the last extension added. 7103 */ 7104 ulen = 0; 7105 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 7106 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 7107 if (ulen > 0) { 7108 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 7109 ulen); 7110 if (err < 0) 7111 goto err_parse_data; 7112 } 7113 } 7114 7115 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 7116 elem.key_end.val.data, elem.data.val.data, 7117 timeout, expiration, GFP_KERNEL_ACCOUNT); 7118 if (IS_ERR(elem.priv)) { 7119 err = PTR_ERR(elem.priv); 7120 goto err_parse_data; 7121 } 7122 7123 ext = nft_set_elem_ext(set, elem.priv); 7124 if (flags) 7125 *nft_set_ext_flags(ext) = flags; 7126 7127 if (obj) 7128 *nft_set_ext_obj(ext) = obj; 7129 7130 if (ulen > 0) { 7131 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) { 7132 err = -EINVAL; 7133 goto err_elem_free; 7134 } 7135 udata = nft_set_ext_userdata(ext); 7136 udata->len = ulen - 1; 7137 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 7138 } 7139 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs); 7140 if (err < 0) 7141 goto err_elem_free; 7142 7143 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 7144 if (trans == NULL) { 7145 err = -ENOMEM; 7146 goto err_elem_free; 7147 } 7148 7149 ext->genmask = nft_genmask_cur(ctx->net); 7150 7151 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags); 7152 if (err) { 7153 if (err == -EEXIST) { 7154 ext2 = nft_set_elem_ext(set, elem_priv); 7155 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 7156 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 7157 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 7158 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) 7159 goto err_element_clash; 7160 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 7161 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 7162 memcmp(nft_set_ext_data(ext), 7163 nft_set_ext_data(ext2), set->dlen) != 0) || 7164 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 7165 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 7166 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 7167 goto err_element_clash; 7168 else if (!(nlmsg_flags & NLM_F_EXCL)) { 7169 err = 0; 7170 if (nft_set_ext_exists(ext2, NFT_SET_EXT_TIMEOUT)) { 7171 update_flags = 0; 7172 if (timeout != nft_set_ext_timeout(ext2)->timeout) { 7173 nft_trans_elem_timeout(trans) = timeout; 7174 if (expiration == 0) 7175 expiration = timeout; 7176 7177 update_flags |= NFT_TRANS_UPD_TIMEOUT; 7178 } 7179 if (expiration) { 7180 nft_trans_elem_expiration(trans) = expiration; 7181 update_flags |= NFT_TRANS_UPD_EXPIRATION; 7182 } 7183 7184 if (update_flags) { 7185 nft_trans_elem_priv(trans) = elem_priv; 7186 nft_trans_elem_update_flags(trans) = update_flags; 7187 nft_trans_commit_list_add_tail(ctx->net, trans); 7188 goto err_elem_free; 7189 } 7190 } 7191 } 7192 } else if (err == -ENOTEMPTY) { 7193 /* ENOTEMPTY reports overlapping between this element 7194 * and an existing one. 7195 */ 7196 err = -EEXIST; 7197 } 7198 goto err_element_clash; 7199 } 7200 7201 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 7202 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX; 7203 7204 if (!atomic_add_unless(&set->nelems, 1, max)) { 7205 err = -ENFILE; 7206 goto err_set_full; 7207 } 7208 } 7209 7210 nft_trans_elem_priv(trans) = elem.priv; 7211 nft_trans_commit_list_add_tail(ctx->net, trans); 7212 return 0; 7213 7214 err_set_full: 7215 nft_setelem_remove(ctx->net, set, elem.priv); 7216 err_element_clash: 7217 kfree(trans); 7218 err_elem_free: 7219 nf_tables_set_elem_destroy(ctx, set, elem.priv); 7220 err_parse_data: 7221 if (nla[NFTA_SET_ELEM_DATA] != NULL) 7222 nft_data_release(&elem.data.val, desc.type); 7223 err_parse_key_end: 7224 if (obj) 7225 nft_use_dec_restore(&obj->use); 7226 7227 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 7228 err_parse_key: 7229 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 7230 err_set_elem_expr: 7231 for (i = 0; i < num_exprs && expr_array[i]; i++) 7232 nft_expr_destroy(ctx, expr_array[i]); 7233 err_set_elem_expr_clone: 7234 return err; 7235 } 7236 nf_tables_newsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7237 static int nf_tables_newsetelem(struct sk_buff *skb, 7238 const struct nfnl_info *info, 7239 const struct nlattr * const nla[]) 7240 { 7241 struct netlink_ext_ack *extack = info->extack; 7242 u8 genmask = nft_genmask_next(info->net); 7243 u8 family = info->nfmsg->nfgen_family; 7244 struct net *net = info->net; 7245 const struct nlattr *attr; 7246 struct nft_table *table; 7247 struct nft_set *set; 7248 struct nft_ctx ctx; 7249 int rem, err; 7250 7251 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 7252 return -EINVAL; 7253 7254 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 7255 genmask, NETLINK_CB(skb).portid); 7256 if (IS_ERR(table)) { 7257 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 7258 return PTR_ERR(table); 7259 } 7260 7261 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET], 7262 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 7263 if (IS_ERR(set)) { 7264 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); 7265 return PTR_ERR(set); 7266 } 7267 7268 if (!list_empty(&set->bindings) && 7269 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) 7270 return -EBUSY; 7271 7272 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7273 7274 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 7275 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags); 7276 if (err < 0) { 7277 NL_SET_BAD_ATTR(extack, attr); 7278 return err; 7279 } 7280 } 7281 7282 if (table->validate_state == NFT_VALIDATE_DO) 7283 return nft_table_validate(net, table); 7284 7285 return 0; 7286 } 7287 7288 /** 7289 * nft_data_hold - hold a nft_data item 7290 * 7291 * @data: struct nft_data to release 7292 * @type: type of data 7293 * 7294 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 7295 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 7296 * NFT_GOTO verdicts. This function must be called on active data objects 7297 * from the second phase of the commit protocol. 7298 */ nft_data_hold(const struct nft_data * data,enum nft_data_types type)7299 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 7300 { 7301 struct nft_chain *chain; 7302 7303 if (type == NFT_DATA_VERDICT) { 7304 switch (data->verdict.code) { 7305 case NFT_JUMP: 7306 case NFT_GOTO: 7307 chain = data->verdict.chain; 7308 nft_use_inc_restore(&chain->use); 7309 break; 7310 } 7311 } 7312 } 7313 nft_setelem_active_next(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7314 static int nft_setelem_active_next(const struct net *net, 7315 const struct nft_set *set, 7316 struct nft_elem_priv *elem_priv) 7317 { 7318 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7319 u8 genmask = nft_genmask_next(net); 7320 7321 return nft_set_elem_active(ext, genmask); 7322 } 7323 nft_setelem_data_activate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7324 static void nft_setelem_data_activate(const struct net *net, 7325 const struct nft_set *set, 7326 struct nft_elem_priv *elem_priv) 7327 { 7328 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7329 7330 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 7331 nft_data_hold(nft_set_ext_data(ext), set->dtype); 7332 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 7333 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use); 7334 } 7335 nft_setelem_data_deactivate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7336 void nft_setelem_data_deactivate(const struct net *net, 7337 const struct nft_set *set, 7338 struct nft_elem_priv *elem_priv) 7339 { 7340 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7341 7342 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 7343 nft_data_release(nft_set_ext_data(ext), set->dtype); 7344 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 7345 nft_use_dec(&(*nft_set_ext_obj(ext))->use); 7346 } 7347 nft_del_setelem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)7348 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 7349 const struct nlattr *attr) 7350 { 7351 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 7352 struct nft_set_ext_tmpl tmpl; 7353 struct nft_set_elem elem; 7354 struct nft_set_ext *ext; 7355 struct nft_trans *trans; 7356 u32 flags = 0; 7357 int err; 7358 7359 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 7360 nft_set_elem_policy, NULL); 7361 if (err < 0) 7362 return err; 7363 7364 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 7365 if (err < 0) 7366 return err; 7367 7368 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 7369 return -EINVAL; 7370 7371 if (!nft_setelem_valid_key_end(set, nla, flags)) 7372 return -EINVAL; 7373 7374 nft_set_ext_prepare(&tmpl); 7375 7376 if (flags != 0) { 7377 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 7378 if (err < 0) 7379 return err; 7380 } 7381 7382 if (nla[NFTA_SET_ELEM_KEY]) { 7383 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 7384 nla[NFTA_SET_ELEM_KEY]); 7385 if (err < 0) 7386 return err; 7387 7388 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 7389 if (err < 0) 7390 goto fail_elem; 7391 } 7392 7393 if (nla[NFTA_SET_ELEM_KEY_END]) { 7394 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 7395 nla[NFTA_SET_ELEM_KEY_END]); 7396 if (err < 0) 7397 goto fail_elem; 7398 7399 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 7400 if (err < 0) 7401 goto fail_elem_key_end; 7402 } 7403 7404 err = -ENOMEM; 7405 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 7406 elem.key_end.val.data, NULL, 0, 0, 7407 GFP_KERNEL_ACCOUNT); 7408 if (IS_ERR(elem.priv)) { 7409 err = PTR_ERR(elem.priv); 7410 goto fail_elem_key_end; 7411 } 7412 7413 ext = nft_set_elem_ext(set, elem.priv); 7414 if (flags) 7415 *nft_set_ext_flags(ext) = flags; 7416 7417 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 7418 if (trans == NULL) 7419 goto fail_trans; 7420 7421 err = nft_setelem_deactivate(ctx->net, set, &elem, flags); 7422 if (err < 0) 7423 goto fail_ops; 7424 7425 nft_setelem_data_deactivate(ctx->net, set, elem.priv); 7426 7427 nft_trans_elem_priv(trans) = elem.priv; 7428 nft_trans_commit_list_add_tail(ctx->net, trans); 7429 return 0; 7430 7431 fail_ops: 7432 kfree(trans); 7433 fail_trans: 7434 kfree(elem.priv); 7435 fail_elem_key_end: 7436 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 7437 fail_elem: 7438 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 7439 return err; 7440 } 7441 nft_setelem_flush(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)7442 static int nft_setelem_flush(const struct nft_ctx *ctx, 7443 struct nft_set *set, 7444 const struct nft_set_iter *iter, 7445 struct nft_elem_priv *elem_priv) 7446 { 7447 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7448 struct nft_trans *trans; 7449 7450 if (!nft_set_elem_active(ext, iter->genmask)) 7451 return 0; 7452 7453 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 7454 sizeof(struct nft_trans_elem), GFP_ATOMIC); 7455 if (!trans) 7456 return -ENOMEM; 7457 7458 set->ops->flush(ctx->net, set, elem_priv); 7459 set->ndeact++; 7460 7461 nft_setelem_data_deactivate(ctx->net, set, elem_priv); 7462 nft_trans_elem_set(trans) = set; 7463 nft_trans_elem_priv(trans) = elem_priv; 7464 nft_trans_commit_list_add_tail(ctx->net, trans); 7465 7466 return 0; 7467 } 7468 __nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)7469 static int __nft_set_catchall_flush(const struct nft_ctx *ctx, 7470 struct nft_set *set, 7471 struct nft_elem_priv *elem_priv) 7472 { 7473 struct nft_trans *trans; 7474 7475 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 7476 sizeof(struct nft_trans_elem), GFP_KERNEL); 7477 if (!trans) 7478 return -ENOMEM; 7479 7480 nft_setelem_data_deactivate(ctx->net, set, elem_priv); 7481 nft_trans_elem_set(trans) = set; 7482 nft_trans_elem_priv(trans) = elem_priv; 7483 nft_trans_commit_list_add_tail(ctx->net, trans); 7484 7485 return 0; 7486 } 7487 nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set)7488 static int nft_set_catchall_flush(const struct nft_ctx *ctx, 7489 struct nft_set *set) 7490 { 7491 u8 genmask = nft_genmask_next(ctx->net); 7492 struct nft_set_elem_catchall *catchall; 7493 struct nft_set_ext *ext; 7494 int ret = 0; 7495 7496 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 7497 ext = nft_set_elem_ext(set, catchall->elem); 7498 if (!nft_set_elem_active(ext, genmask)) 7499 continue; 7500 7501 ret = __nft_set_catchall_flush(ctx, set, catchall->elem); 7502 if (ret < 0) 7503 break; 7504 nft_set_elem_change_active(ctx->net, set, ext); 7505 } 7506 7507 return ret; 7508 } 7509 nft_set_flush(struct nft_ctx * ctx,struct nft_set * set,u8 genmask)7510 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask) 7511 { 7512 struct nft_set_iter iter = { 7513 .genmask = genmask, 7514 .type = NFT_ITER_UPDATE, 7515 .fn = nft_setelem_flush, 7516 }; 7517 7518 set->ops->walk(ctx, set, &iter); 7519 if (!iter.err) 7520 iter.err = nft_set_catchall_flush(ctx, set); 7521 7522 return iter.err; 7523 } 7524 nf_tables_delsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7525 static int nf_tables_delsetelem(struct sk_buff *skb, 7526 const struct nfnl_info *info, 7527 const struct nlattr * const nla[]) 7528 { 7529 struct netlink_ext_ack *extack = info->extack; 7530 u8 genmask = nft_genmask_next(info->net); 7531 u8 family = info->nfmsg->nfgen_family; 7532 struct net *net = info->net; 7533 const struct nlattr *attr; 7534 struct nft_table *table; 7535 struct nft_set *set; 7536 struct nft_ctx ctx; 7537 int rem, err = 0; 7538 7539 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 7540 genmask, NETLINK_CB(skb).portid); 7541 if (IS_ERR(table)) { 7542 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 7543 return PTR_ERR(table); 7544 } 7545 7546 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 7547 if (IS_ERR(set)) { 7548 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); 7549 return PTR_ERR(set); 7550 } 7551 7552 if (nft_set_is_anonymous(set)) 7553 return -EOPNOTSUPP; 7554 7555 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT)) 7556 return -EBUSY; 7557 7558 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7559 7560 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 7561 return nft_set_flush(&ctx, set, genmask); 7562 7563 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 7564 err = nft_del_setelem(&ctx, set, attr); 7565 if (err == -ENOENT && 7566 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM) 7567 continue; 7568 7569 if (err < 0) { 7570 NL_SET_BAD_ATTR(extack, attr); 7571 return err; 7572 } 7573 } 7574 7575 return 0; 7576 } 7577 7578 /* 7579 * Stateful objects 7580 */ 7581 7582 /** 7583 * nft_register_obj- register nf_tables stateful object type 7584 * @obj_type: object type 7585 * 7586 * Registers the object type for use with nf_tables. Returns zero on 7587 * success or a negative errno code otherwise. 7588 */ nft_register_obj(struct nft_object_type * obj_type)7589 int nft_register_obj(struct nft_object_type *obj_type) 7590 { 7591 if (obj_type->type == NFT_OBJECT_UNSPEC) 7592 return -EINVAL; 7593 7594 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7595 list_add_rcu(&obj_type->list, &nf_tables_objects); 7596 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7597 return 0; 7598 } 7599 EXPORT_SYMBOL_GPL(nft_register_obj); 7600 7601 /** 7602 * nft_unregister_obj - unregister nf_tables object type 7603 * @obj_type: object type 7604 * 7605 * Unregisters the object type for use with nf_tables. 7606 */ nft_unregister_obj(struct nft_object_type * obj_type)7607 void nft_unregister_obj(struct nft_object_type *obj_type) 7608 { 7609 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7610 list_del_rcu(&obj_type->list); 7611 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7612 } 7613 EXPORT_SYMBOL_GPL(nft_unregister_obj); 7614 nft_obj_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)7615 struct nft_object *nft_obj_lookup(const struct net *net, 7616 const struct nft_table *table, 7617 const struct nlattr *nla, u32 objtype, 7618 u8 genmask) 7619 { 7620 struct nft_object_hash_key k = { .table = table }; 7621 char search[NFT_OBJ_MAXNAMELEN]; 7622 struct rhlist_head *tmp, *list; 7623 struct nft_object *obj; 7624 7625 nla_strscpy(search, nla, sizeof(search)); 7626 k.name = search; 7627 7628 WARN_ON_ONCE(!rcu_read_lock_held() && 7629 !lockdep_commit_lock_is_held(net)); 7630 7631 rcu_read_lock(); 7632 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 7633 if (!list) 7634 goto out; 7635 7636 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 7637 if (objtype == obj->ops->type->type && 7638 nft_active_genmask(obj, genmask)) { 7639 rcu_read_unlock(); 7640 return obj; 7641 } 7642 } 7643 out: 7644 rcu_read_unlock(); 7645 return ERR_PTR(-ENOENT); 7646 } 7647 EXPORT_SYMBOL_GPL(nft_obj_lookup); 7648 nft_obj_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)7649 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 7650 const struct nlattr *nla, 7651 u32 objtype, u8 genmask) 7652 { 7653 struct nft_object *obj; 7654 7655 list_for_each_entry(obj, &table->objects, list) { 7656 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 7657 objtype == obj->ops->type->type && 7658 nft_active_genmask(obj, genmask)) 7659 return obj; 7660 } 7661 return ERR_PTR(-ENOENT); 7662 } 7663 7664 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 7665 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 7666 .len = NFT_TABLE_MAXNAMELEN - 1 }, 7667 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 7668 .len = NFT_OBJ_MAXNAMELEN - 1 }, 7669 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 7670 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 7671 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 7672 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY, 7673 .len = NFT_USERDATA_MAXLEN }, 7674 }; 7675 nft_obj_init(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr)7676 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 7677 const struct nft_object_type *type, 7678 const struct nlattr *attr) 7679 { 7680 struct nlattr **tb; 7681 const struct nft_object_ops *ops; 7682 struct nft_object *obj; 7683 int err = -ENOMEM; 7684 7685 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 7686 if (!tb) 7687 goto err1; 7688 7689 if (attr) { 7690 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 7691 type->policy, NULL); 7692 if (err < 0) 7693 goto err2; 7694 } else { 7695 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 7696 } 7697 7698 if (type->select_ops) { 7699 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 7700 if (IS_ERR(ops)) { 7701 err = PTR_ERR(ops); 7702 goto err2; 7703 } 7704 } else { 7705 ops = type->ops; 7706 } 7707 7708 err = -ENOMEM; 7709 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT); 7710 if (!obj) 7711 goto err2; 7712 7713 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 7714 if (err < 0) 7715 goto err3; 7716 7717 obj->ops = ops; 7718 7719 kfree(tb); 7720 return obj; 7721 err3: 7722 kfree(obj); 7723 err2: 7724 kfree(tb); 7725 err1: 7726 return ERR_PTR(err); 7727 } 7728 nft_object_dump(struct sk_buff * skb,unsigned int attr,struct nft_object * obj,bool reset)7729 static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 7730 struct nft_object *obj, bool reset) 7731 { 7732 struct nlattr *nest; 7733 7734 nest = nla_nest_start_noflag(skb, attr); 7735 if (!nest) 7736 goto nla_put_failure; 7737 if (obj->ops->dump(skb, obj, reset) < 0) 7738 goto nla_put_failure; 7739 nla_nest_end(skb, nest); 7740 return 0; 7741 7742 nla_put_failure: 7743 return -1; 7744 } 7745 __nft_obj_type_get(u32 objtype,u8 family)7746 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family) 7747 { 7748 const struct nft_object_type *type; 7749 7750 list_for_each_entry_rcu(type, &nf_tables_objects, list) { 7751 if (type->family != NFPROTO_UNSPEC && 7752 type->family != family) 7753 continue; 7754 7755 if (objtype == type->type) 7756 return type; 7757 } 7758 return NULL; 7759 } 7760 7761 static const struct nft_object_type * nft_obj_type_get(struct net * net,u32 objtype,u8 family)7762 nft_obj_type_get(struct net *net, u32 objtype, u8 family) 7763 { 7764 const struct nft_object_type *type; 7765 7766 rcu_read_lock(); 7767 type = __nft_obj_type_get(objtype, family); 7768 if (type != NULL && try_module_get(type->owner)) { 7769 rcu_read_unlock(); 7770 return type; 7771 } 7772 rcu_read_unlock(); 7773 7774 lockdep_nfnl_nft_mutex_not_held(); 7775 #ifdef CONFIG_MODULES 7776 if (type == NULL) { 7777 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 7778 return ERR_PTR(-EAGAIN); 7779 } 7780 #endif 7781 return ERR_PTR(-ENOENT); 7782 } 7783 nf_tables_updobj(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr,struct nft_object * obj)7784 static int nf_tables_updobj(const struct nft_ctx *ctx, 7785 const struct nft_object_type *type, 7786 const struct nlattr *attr, 7787 struct nft_object *obj) 7788 { 7789 struct nft_object *newobj; 7790 struct nft_trans *trans; 7791 int err = -ENOMEM; 7792 7793 if (!try_module_get(type->owner)) 7794 return -ENOENT; 7795 7796 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 7797 sizeof(struct nft_trans_obj)); 7798 if (!trans) 7799 goto err_trans; 7800 7801 newobj = nft_obj_init(ctx, type, attr); 7802 if (IS_ERR(newobj)) { 7803 err = PTR_ERR(newobj); 7804 goto err_free_trans; 7805 } 7806 7807 nft_trans_obj(trans) = obj; 7808 nft_trans_obj_update(trans) = true; 7809 nft_trans_obj_newobj(trans) = newobj; 7810 nft_trans_commit_list_add_tail(ctx->net, trans); 7811 7812 return 0; 7813 7814 err_free_trans: 7815 kfree(trans); 7816 err_trans: 7817 module_put(type->owner); 7818 return err; 7819 } 7820 nf_tables_newobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7821 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, 7822 const struct nlattr * const nla[]) 7823 { 7824 struct netlink_ext_ack *extack = info->extack; 7825 u8 genmask = nft_genmask_next(info->net); 7826 u8 family = info->nfmsg->nfgen_family; 7827 const struct nft_object_type *type; 7828 struct net *net = info->net; 7829 struct nft_table *table; 7830 struct nft_object *obj; 7831 struct nft_ctx ctx; 7832 u32 objtype; 7833 int err; 7834 7835 if (!nla[NFTA_OBJ_TYPE] || 7836 !nla[NFTA_OBJ_NAME] || 7837 !nla[NFTA_OBJ_DATA]) 7838 return -EINVAL; 7839 7840 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 7841 NETLINK_CB(skb).portid); 7842 if (IS_ERR(table)) { 7843 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 7844 return PTR_ERR(table); 7845 } 7846 7847 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 7848 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 7849 if (IS_ERR(obj)) { 7850 err = PTR_ERR(obj); 7851 if (err != -ENOENT) { 7852 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 7853 return err; 7854 } 7855 } else { 7856 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 7857 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 7858 return -EEXIST; 7859 } 7860 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 7861 return -EOPNOTSUPP; 7862 7863 type = __nft_obj_type_get(objtype, family); 7864 if (WARN_ON_ONCE(!type)) 7865 return -ENOENT; 7866 7867 if (!obj->ops->update) 7868 return 0; 7869 7870 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7871 7872 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 7873 } 7874 7875 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7876 7877 if (!nft_use_inc(&table->use)) 7878 return -EMFILE; 7879 7880 type = nft_obj_type_get(net, objtype, family); 7881 if (IS_ERR(type)) { 7882 err = PTR_ERR(type); 7883 goto err_type; 7884 } 7885 7886 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 7887 if (IS_ERR(obj)) { 7888 err = PTR_ERR(obj); 7889 goto err_init; 7890 } 7891 obj->key.table = table; 7892 obj->handle = nf_tables_alloc_handle(table); 7893 7894 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT); 7895 if (!obj->key.name) { 7896 err = -ENOMEM; 7897 goto err_strdup; 7898 } 7899 7900 if (nla[NFTA_OBJ_USERDATA]) { 7901 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT); 7902 if (obj->udata == NULL) 7903 goto err_userdata; 7904 7905 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]); 7906 } 7907 7908 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 7909 if (err < 0) 7910 goto err_trans; 7911 7912 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 7913 nft_objname_ht_params); 7914 if (err < 0) 7915 goto err_obj_ht; 7916 7917 list_add_tail_rcu(&obj->list, &table->objects); 7918 7919 return 0; 7920 err_obj_ht: 7921 /* queued in transaction log */ 7922 INIT_LIST_HEAD(&obj->list); 7923 return err; 7924 err_trans: 7925 kfree(obj->udata); 7926 err_userdata: 7927 kfree(obj->key.name); 7928 err_strdup: 7929 if (obj->ops->destroy) 7930 obj->ops->destroy(&ctx, obj); 7931 kfree(obj); 7932 err_init: 7933 module_put(type->owner); 7934 err_type: 7935 nft_use_dec_restore(&table->use); 7936 7937 return err; 7938 } 7939 nf_tables_fill_obj_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,struct nft_object * obj,bool reset)7940 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 7941 u32 portid, u32 seq, int event, u32 flags, 7942 int family, const struct nft_table *table, 7943 struct nft_object *obj, bool reset) 7944 { 7945 struct nlmsghdr *nlh; 7946 7947 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 7948 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 7949 NFNETLINK_V0, nft_base_seq(net)); 7950 if (!nlh) 7951 goto nla_put_failure; 7952 7953 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 7954 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 7955 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 7956 NFTA_OBJ_PAD)) 7957 goto nla_put_failure; 7958 7959 if (event == NFT_MSG_DELOBJ) { 7960 nlmsg_end(skb, nlh); 7961 return 0; 7962 } 7963 7964 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 7965 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 7966 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset)) 7967 goto nla_put_failure; 7968 7969 if (obj->udata && 7970 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata)) 7971 goto nla_put_failure; 7972 7973 nlmsg_end(skb, nlh); 7974 return 0; 7975 7976 nla_put_failure: 7977 nlmsg_trim(skb, nlh); 7978 return -1; 7979 } 7980 audit_log_obj_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)7981 static void audit_log_obj_reset(const struct nft_table *table, 7982 unsigned int base_seq, unsigned int nentries) 7983 { 7984 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq); 7985 7986 audit_log_nfcfg(buf, table->family, nentries, 7987 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC); 7988 kfree(buf); 7989 } 7990 7991 struct nft_obj_dump_ctx { 7992 unsigned int s_idx; 7993 char *table; 7994 u32 type; 7995 bool reset; 7996 }; 7997 nf_tables_dump_obj(struct sk_buff * skb,struct netlink_callback * cb)7998 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 7999 { 8000 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 8001 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 8002 struct net *net = sock_net(skb->sk); 8003 int family = nfmsg->nfgen_family; 8004 struct nftables_pernet *nft_net; 8005 const struct nft_table *table; 8006 unsigned int entries = 0; 8007 struct nft_object *obj; 8008 unsigned int idx = 0; 8009 int rc = 0; 8010 8011 rcu_read_lock(); 8012 nft_net = nft_pernet(net); 8013 cb->seq = READ_ONCE(nft_net->base_seq); 8014 8015 list_for_each_entry_rcu(table, &nft_net->tables, list) { 8016 if (family != NFPROTO_UNSPEC && family != table->family) 8017 continue; 8018 8019 entries = 0; 8020 list_for_each_entry_rcu(obj, &table->objects, list) { 8021 if (!nft_is_active(net, obj)) 8022 goto cont; 8023 if (idx < ctx->s_idx) 8024 goto cont; 8025 if (ctx->table && strcmp(ctx->table, table->name)) 8026 goto cont; 8027 if (ctx->type != NFT_OBJECT_UNSPEC && 8028 obj->ops->type->type != ctx->type) 8029 goto cont; 8030 8031 rc = nf_tables_fill_obj_info(skb, net, 8032 NETLINK_CB(cb->skb).portid, 8033 cb->nlh->nlmsg_seq, 8034 NFT_MSG_NEWOBJ, 8035 NLM_F_MULTI | NLM_F_APPEND, 8036 table->family, table, 8037 obj, ctx->reset); 8038 if (rc < 0) 8039 break; 8040 8041 entries++; 8042 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 8043 cont: 8044 idx++; 8045 } 8046 if (ctx->reset && entries) 8047 audit_log_obj_reset(table, nft_net->base_seq, entries); 8048 if (rc < 0) 8049 break; 8050 } 8051 rcu_read_unlock(); 8052 8053 ctx->s_idx = idx; 8054 return skb->len; 8055 } 8056 nf_tables_dumpreset_obj(struct sk_buff * skb,struct netlink_callback * cb)8057 static int nf_tables_dumpreset_obj(struct sk_buff *skb, 8058 struct netlink_callback *cb) 8059 { 8060 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk)); 8061 int ret; 8062 8063 mutex_lock(&nft_net->commit_mutex); 8064 ret = nf_tables_dump_obj(skb, cb); 8065 mutex_unlock(&nft_net->commit_mutex); 8066 8067 return ret; 8068 } 8069 nf_tables_dump_obj_start(struct netlink_callback * cb)8070 static int nf_tables_dump_obj_start(struct netlink_callback *cb) 8071 { 8072 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 8073 const struct nlattr * const *nla = cb->data; 8074 8075 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx)); 8076 8077 if (nla[NFTA_OBJ_TABLE]) { 8078 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 8079 if (!ctx->table) 8080 return -ENOMEM; 8081 } 8082 8083 if (nla[NFTA_OBJ_TYPE]) 8084 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 8085 8086 return 0; 8087 } 8088 nf_tables_dumpreset_obj_start(struct netlink_callback * cb)8089 static int nf_tables_dumpreset_obj_start(struct netlink_callback *cb) 8090 { 8091 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 8092 8093 ctx->reset = true; 8094 8095 return nf_tables_dump_obj_start(cb); 8096 } 8097 nf_tables_dump_obj_done(struct netlink_callback * cb)8098 static int nf_tables_dump_obj_done(struct netlink_callback *cb) 8099 { 8100 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx; 8101 8102 kfree(ctx->table); 8103 8104 return 0; 8105 } 8106 8107 /* called with rcu_read_lock held */ 8108 static struct sk_buff * nf_tables_getobj_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)8109 nf_tables_getobj_single(u32 portid, const struct nfnl_info *info, 8110 const struct nlattr * const nla[], bool reset) 8111 { 8112 struct netlink_ext_ack *extack = info->extack; 8113 u8 genmask = nft_genmask_cur(info->net); 8114 u8 family = info->nfmsg->nfgen_family; 8115 const struct nft_table *table; 8116 struct net *net = info->net; 8117 struct nft_object *obj; 8118 struct sk_buff *skb2; 8119 u32 objtype; 8120 int err; 8121 8122 if (!nla[NFTA_OBJ_NAME] || 8123 !nla[NFTA_OBJ_TYPE]) 8124 return ERR_PTR(-EINVAL); 8125 8126 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0); 8127 if (IS_ERR(table)) { 8128 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 8129 return ERR_CAST(table); 8130 } 8131 8132 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 8133 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 8134 if (IS_ERR(obj)) { 8135 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 8136 return ERR_CAST(obj); 8137 } 8138 8139 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 8140 if (!skb2) 8141 return ERR_PTR(-ENOMEM); 8142 8143 err = nf_tables_fill_obj_info(skb2, net, portid, 8144 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 8145 family, table, obj, reset); 8146 if (err < 0) { 8147 kfree_skb(skb2); 8148 return ERR_PTR(err); 8149 } 8150 8151 return skb2; 8152 } 8153 nf_tables_getobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8154 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info, 8155 const struct nlattr * const nla[]) 8156 { 8157 u32 portid = NETLINK_CB(skb).portid; 8158 struct sk_buff *skb2; 8159 8160 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 8161 struct netlink_dump_control c = { 8162 .start = nf_tables_dump_obj_start, 8163 .dump = nf_tables_dump_obj, 8164 .done = nf_tables_dump_obj_done, 8165 .module = THIS_MODULE, 8166 .data = (void *)nla, 8167 }; 8168 8169 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 8170 } 8171 8172 skb2 = nf_tables_getobj_single(portid, info, nla, false); 8173 if (IS_ERR(skb2)) 8174 return PTR_ERR(skb2); 8175 8176 return nfnetlink_unicast(skb2, info->net, portid); 8177 } 8178 nf_tables_getobj_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8179 static int nf_tables_getobj_reset(struct sk_buff *skb, 8180 const struct nfnl_info *info, 8181 const struct nlattr * const nla[]) 8182 { 8183 struct nftables_pernet *nft_net = nft_pernet(info->net); 8184 u32 portid = NETLINK_CB(skb).portid; 8185 struct net *net = info->net; 8186 struct sk_buff *skb2; 8187 char *buf; 8188 8189 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 8190 struct netlink_dump_control c = { 8191 .start = nf_tables_dumpreset_obj_start, 8192 .dump = nf_tables_dumpreset_obj, 8193 .done = nf_tables_dump_obj_done, 8194 .module = THIS_MODULE, 8195 .data = (void *)nla, 8196 }; 8197 8198 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 8199 } 8200 8201 if (!try_module_get(THIS_MODULE)) 8202 return -EINVAL; 8203 rcu_read_unlock(); 8204 mutex_lock(&nft_net->commit_mutex); 8205 skb2 = nf_tables_getobj_single(portid, info, nla, true); 8206 mutex_unlock(&nft_net->commit_mutex); 8207 rcu_read_lock(); 8208 module_put(THIS_MODULE); 8209 8210 if (IS_ERR(skb2)) 8211 return PTR_ERR(skb2); 8212 8213 buf = kasprintf(GFP_ATOMIC, "%.*s:%u", 8214 nla_len(nla[NFTA_OBJ_TABLE]), 8215 (char *)nla_data(nla[NFTA_OBJ_TABLE]), 8216 nft_net->base_seq); 8217 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1, 8218 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC); 8219 kfree(buf); 8220 8221 return nfnetlink_unicast(skb2, net, portid); 8222 } 8223 nft_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)8224 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 8225 { 8226 if (obj->ops->destroy) 8227 obj->ops->destroy(ctx, obj); 8228 8229 module_put(obj->ops->type->owner); 8230 kfree(obj->key.name); 8231 kfree(obj->udata); 8232 kfree(obj); 8233 } 8234 nf_tables_delobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8235 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info, 8236 const struct nlattr * const nla[]) 8237 { 8238 struct netlink_ext_ack *extack = info->extack; 8239 u8 genmask = nft_genmask_next(info->net); 8240 u8 family = info->nfmsg->nfgen_family; 8241 struct net *net = info->net; 8242 const struct nlattr *attr; 8243 struct nft_table *table; 8244 struct nft_object *obj; 8245 struct nft_ctx ctx; 8246 u32 objtype; 8247 8248 if (!nla[NFTA_OBJ_TYPE] || 8249 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 8250 return -EINVAL; 8251 8252 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 8253 NETLINK_CB(skb).portid); 8254 if (IS_ERR(table)) { 8255 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 8256 return PTR_ERR(table); 8257 } 8258 8259 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 8260 if (nla[NFTA_OBJ_HANDLE]) { 8261 attr = nla[NFTA_OBJ_HANDLE]; 8262 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 8263 } else { 8264 attr = nla[NFTA_OBJ_NAME]; 8265 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 8266 } 8267 8268 if (IS_ERR(obj)) { 8269 if (PTR_ERR(obj) == -ENOENT && 8270 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ) 8271 return 0; 8272 8273 NL_SET_BAD_ATTR(extack, attr); 8274 return PTR_ERR(obj); 8275 } 8276 if (obj->use > 0) { 8277 NL_SET_BAD_ATTR(extack, attr); 8278 return -EBUSY; 8279 } 8280 8281 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8282 8283 return nft_delobj(&ctx, obj); 8284 } 8285 8286 static void __nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8287 __nft_obj_notify(struct net *net, const struct nft_table *table, 8288 struct nft_object *obj, u32 portid, u32 seq, int event, 8289 u16 flags, int family, int report, gfp_t gfp) 8290 { 8291 struct nftables_pernet *nft_net = nft_pernet(net); 8292 struct sk_buff *skb; 8293 int err; 8294 8295 if (!report && 8296 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 8297 return; 8298 8299 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 8300 if (skb == NULL) 8301 goto err; 8302 8303 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 8304 flags & (NLM_F_CREATE | NLM_F_EXCL), 8305 family, table, obj, false); 8306 if (err < 0) { 8307 kfree_skb(skb); 8308 goto err; 8309 } 8310 8311 nft_notify_enqueue(skb, report, &nft_net->notify_list); 8312 return; 8313 err: 8314 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 8315 } 8316 nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8317 void nft_obj_notify(struct net *net, const struct nft_table *table, 8318 struct nft_object *obj, u32 portid, u32 seq, int event, 8319 u16 flags, int family, int report, gfp_t gfp) 8320 { 8321 struct nftables_pernet *nft_net = nft_pernet(net); 8322 char *buf = kasprintf(gfp, "%s:%u", 8323 table->name, nft_net->base_seq); 8324 8325 audit_log_nfcfg(buf, 8326 family, 8327 obj->handle, 8328 event == NFT_MSG_NEWOBJ ? 8329 AUDIT_NFT_OP_OBJ_REGISTER : 8330 AUDIT_NFT_OP_OBJ_UNREGISTER, 8331 gfp); 8332 kfree(buf); 8333 8334 __nft_obj_notify(net, table, obj, portid, seq, event, 8335 flags, family, report, gfp); 8336 } 8337 EXPORT_SYMBOL_GPL(nft_obj_notify); 8338 nf_tables_obj_notify(const struct nft_ctx * ctx,struct nft_object * obj,int event)8339 static void nf_tables_obj_notify(const struct nft_ctx *ctx, 8340 struct nft_object *obj, int event) 8341 { 8342 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, 8343 ctx->seq, event, ctx->flags, ctx->family, 8344 ctx->report, GFP_KERNEL); 8345 } 8346 8347 /* 8348 * Flow tables 8349 */ nft_register_flowtable_type(struct nf_flowtable_type * type)8350 void nft_register_flowtable_type(struct nf_flowtable_type *type) 8351 { 8352 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8353 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 8354 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8355 } 8356 EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 8357 nft_unregister_flowtable_type(struct nf_flowtable_type * type)8358 void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 8359 { 8360 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8361 list_del_rcu(&type->list); 8362 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8363 } 8364 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 8365 8366 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 8367 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 8368 .len = NFT_NAME_MAXLEN - 1 }, 8369 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 8370 .len = NFT_NAME_MAXLEN - 1 }, 8371 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 8372 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 8373 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 8374 }; 8375 nft_flowtable_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8376 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 8377 const struct nlattr *nla, u8 genmask) 8378 { 8379 struct nft_flowtable *flowtable; 8380 8381 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 8382 if (!nla_strcmp(nla, flowtable->name) && 8383 nft_active_genmask(flowtable, genmask)) 8384 return flowtable; 8385 } 8386 return ERR_PTR(-ENOENT); 8387 } 8388 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 8389 nf_tables_deactivate_flowtable(const struct nft_ctx * ctx,struct nft_flowtable * flowtable,enum nft_trans_phase phase)8390 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 8391 struct nft_flowtable *flowtable, 8392 enum nft_trans_phase phase) 8393 { 8394 switch (phase) { 8395 case NFT_TRANS_PREPARE_ERROR: 8396 case NFT_TRANS_PREPARE: 8397 case NFT_TRANS_ABORT: 8398 case NFT_TRANS_RELEASE: 8399 nft_use_dec(&flowtable->use); 8400 fallthrough; 8401 default: 8402 return; 8403 } 8404 } 8405 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 8406 8407 static struct nft_flowtable * nft_flowtable_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8408 nft_flowtable_lookup_byhandle(const struct nft_table *table, 8409 const struct nlattr *nla, u8 genmask) 8410 { 8411 struct nft_flowtable *flowtable; 8412 8413 list_for_each_entry(flowtable, &table->flowtables, list) { 8414 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 8415 nft_active_genmask(flowtable, genmask)) 8416 return flowtable; 8417 } 8418 return ERR_PTR(-ENOENT); 8419 } 8420 8421 struct nft_flowtable_hook { 8422 u32 num; 8423 int priority; 8424 struct list_head list; 8425 }; 8426 8427 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 8428 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 8429 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 8430 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 8431 }; 8432 nft_flowtable_parse_hook(const struct nft_ctx * ctx,const struct nlattr * const nla[],struct nft_flowtable_hook * flowtable_hook,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack,bool add)8433 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 8434 const struct nlattr * const nla[], 8435 struct nft_flowtable_hook *flowtable_hook, 8436 struct nft_flowtable *flowtable, 8437 struct netlink_ext_ack *extack, bool add) 8438 { 8439 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 8440 struct nft_hook *hook; 8441 int hooknum, priority; 8442 int err; 8443 8444 INIT_LIST_HEAD(&flowtable_hook->list); 8445 8446 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, 8447 nla[NFTA_FLOWTABLE_HOOK], 8448 nft_flowtable_hook_policy, NULL); 8449 if (err < 0) 8450 return err; 8451 8452 if (add) { 8453 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 8454 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 8455 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 8456 return -ENOENT; 8457 } 8458 8459 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 8460 if (hooknum != NF_NETDEV_INGRESS) 8461 return -EOPNOTSUPP; 8462 8463 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 8464 8465 flowtable_hook->priority = priority; 8466 flowtable_hook->num = hooknum; 8467 } else { 8468 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 8469 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 8470 if (hooknum != flowtable->hooknum) 8471 return -EOPNOTSUPP; 8472 } 8473 8474 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 8475 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 8476 if (priority != flowtable->data.priority) 8477 return -EOPNOTSUPP; 8478 } 8479 8480 flowtable_hook->priority = flowtable->data.priority; 8481 flowtable_hook->num = flowtable->hooknum; 8482 } 8483 8484 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 8485 err = nf_tables_parse_netdev_hooks(ctx->net, 8486 tb[NFTA_FLOWTABLE_HOOK_DEVS], 8487 &flowtable_hook->list, 8488 extack); 8489 if (err < 0) 8490 return err; 8491 } 8492 8493 list_for_each_entry(hook, &flowtable_hook->list, list) { 8494 hook->ops.pf = NFPROTO_NETDEV; 8495 hook->ops.hooknum = flowtable_hook->num; 8496 hook->ops.priority = flowtable_hook->priority; 8497 hook->ops.priv = &flowtable->data; 8498 hook->ops.hook = flowtable->data.type->hook; 8499 } 8500 8501 return err; 8502 } 8503 8504 /* call under rcu_read_lock */ __nft_flowtable_type_get(u8 family)8505 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 8506 { 8507 const struct nf_flowtable_type *type; 8508 8509 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) { 8510 if (family == type->family) 8511 return type; 8512 } 8513 return NULL; 8514 } 8515 8516 static const struct nf_flowtable_type * nft_flowtable_type_get(struct net * net,u8 family)8517 nft_flowtable_type_get(struct net *net, u8 family) 8518 { 8519 const struct nf_flowtable_type *type; 8520 8521 rcu_read_lock(); 8522 type = __nft_flowtable_type_get(family); 8523 if (type != NULL && try_module_get(type->owner)) { 8524 rcu_read_unlock(); 8525 return type; 8526 } 8527 rcu_read_unlock(); 8528 8529 lockdep_nfnl_nft_mutex_not_held(); 8530 #ifdef CONFIG_MODULES 8531 if (type == NULL) { 8532 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 8533 return ERR_PTR(-EAGAIN); 8534 } 8535 #endif 8536 return ERR_PTR(-ENOENT); 8537 } 8538 8539 /* Only called from error and netdev event paths. */ nft_unregister_flowtable_hook(struct net * net,struct nft_flowtable * flowtable,struct nft_hook * hook)8540 static void nft_unregister_flowtable_hook(struct net *net, 8541 struct nft_flowtable *flowtable, 8542 struct nft_hook *hook) 8543 { 8544 nf_unregister_net_hook(net, &hook->ops); 8545 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 8546 FLOW_BLOCK_UNBIND); 8547 } 8548 __nft_unregister_flowtable_net_hooks(struct net * net,struct list_head * hook_list,bool release_netdev)8549 static void __nft_unregister_flowtable_net_hooks(struct net *net, 8550 struct list_head *hook_list, 8551 bool release_netdev) 8552 { 8553 struct nft_hook *hook, *next; 8554 8555 list_for_each_entry_safe(hook, next, hook_list, list) { 8556 nf_unregister_net_hook(net, &hook->ops); 8557 if (release_netdev) { 8558 list_del(&hook->list); 8559 kfree_rcu(hook, rcu); 8560 } 8561 } 8562 } 8563 nft_unregister_flowtable_net_hooks(struct net * net,struct list_head * hook_list)8564 static void nft_unregister_flowtable_net_hooks(struct net *net, 8565 struct list_head *hook_list) 8566 { 8567 __nft_unregister_flowtable_net_hooks(net, hook_list, false); 8568 } 8569 nft_register_flowtable_net_hooks(struct net * net,struct nft_table * table,struct list_head * hook_list,struct nft_flowtable * flowtable)8570 static int nft_register_flowtable_net_hooks(struct net *net, 8571 struct nft_table *table, 8572 struct list_head *hook_list, 8573 struct nft_flowtable *flowtable) 8574 { 8575 struct nft_hook *hook, *hook2, *next; 8576 struct nft_flowtable *ft; 8577 int err, i = 0; 8578 8579 list_for_each_entry(hook, hook_list, list) { 8580 list_for_each_entry(ft, &table->flowtables, list) { 8581 if (!nft_is_active_next(net, ft)) 8582 continue; 8583 8584 list_for_each_entry(hook2, &ft->hook_list, list) { 8585 if (hook->ops.dev == hook2->ops.dev && 8586 hook->ops.pf == hook2->ops.pf) { 8587 err = -EEXIST; 8588 goto err_unregister_net_hooks; 8589 } 8590 } 8591 } 8592 8593 err = flowtable->data.type->setup(&flowtable->data, 8594 hook->ops.dev, 8595 FLOW_BLOCK_BIND); 8596 if (err < 0) 8597 goto err_unregister_net_hooks; 8598 8599 err = nf_register_net_hook(net, &hook->ops); 8600 if (err < 0) { 8601 flowtable->data.type->setup(&flowtable->data, 8602 hook->ops.dev, 8603 FLOW_BLOCK_UNBIND); 8604 goto err_unregister_net_hooks; 8605 } 8606 8607 i++; 8608 } 8609 8610 return 0; 8611 8612 err_unregister_net_hooks: 8613 list_for_each_entry_safe(hook, next, hook_list, list) { 8614 if (i-- <= 0) 8615 break; 8616 8617 nft_unregister_flowtable_hook(net, flowtable, hook); 8618 list_del_rcu(&hook->list); 8619 kfree_rcu(hook, rcu); 8620 } 8621 8622 return err; 8623 } 8624 nft_hooks_destroy(struct list_head * hook_list)8625 static void nft_hooks_destroy(struct list_head *hook_list) 8626 { 8627 struct nft_hook *hook, *next; 8628 8629 list_for_each_entry_safe(hook, next, hook_list, list) { 8630 list_del_rcu(&hook->list); 8631 kfree_rcu(hook, rcu); 8632 } 8633 } 8634 nft_flowtable_update(struct nft_ctx * ctx,const struct nlmsghdr * nlh,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)8635 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 8636 struct nft_flowtable *flowtable, 8637 struct netlink_ext_ack *extack) 8638 { 8639 const struct nlattr * const *nla = ctx->nla; 8640 struct nft_flowtable_hook flowtable_hook; 8641 struct nft_hook *hook, *next; 8642 struct nft_trans *trans; 8643 bool unregister = false; 8644 u32 flags; 8645 int err; 8646 8647 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable, 8648 extack, false); 8649 if (err < 0) 8650 return err; 8651 8652 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 8653 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 8654 list_del(&hook->list); 8655 kfree(hook); 8656 } 8657 } 8658 8659 if (nla[NFTA_FLOWTABLE_FLAGS]) { 8660 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 8661 if (flags & ~NFT_FLOWTABLE_MASK) { 8662 err = -EOPNOTSUPP; 8663 goto err_flowtable_update_hook; 8664 } 8665 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ 8666 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) { 8667 err = -EOPNOTSUPP; 8668 goto err_flowtable_update_hook; 8669 } 8670 } else { 8671 flags = flowtable->data.flags; 8672 } 8673 8674 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 8675 &flowtable_hook.list, flowtable); 8676 if (err < 0) 8677 goto err_flowtable_update_hook; 8678 8679 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 8680 sizeof(struct nft_trans_flowtable)); 8681 if (!trans) { 8682 unregister = true; 8683 err = -ENOMEM; 8684 goto err_flowtable_update_hook; 8685 } 8686 8687 nft_trans_flowtable_flags(trans) = flags; 8688 nft_trans_flowtable(trans) = flowtable; 8689 nft_trans_flowtable_update(trans) = true; 8690 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 8691 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 8692 8693 nft_trans_commit_list_add_tail(ctx->net, trans); 8694 8695 return 0; 8696 8697 err_flowtable_update_hook: 8698 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 8699 if (unregister) 8700 nft_unregister_flowtable_hook(ctx->net, flowtable, hook); 8701 list_del_rcu(&hook->list); 8702 kfree_rcu(hook, rcu); 8703 } 8704 8705 return err; 8706 8707 } 8708 nf_tables_newflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8709 static int nf_tables_newflowtable(struct sk_buff *skb, 8710 const struct nfnl_info *info, 8711 const struct nlattr * const nla[]) 8712 { 8713 struct netlink_ext_ack *extack = info->extack; 8714 struct nft_flowtable_hook flowtable_hook; 8715 u8 genmask = nft_genmask_next(info->net); 8716 u8 family = info->nfmsg->nfgen_family; 8717 const struct nf_flowtable_type *type; 8718 struct nft_flowtable *flowtable; 8719 struct net *net = info->net; 8720 struct nft_table *table; 8721 struct nft_trans *trans; 8722 struct nft_ctx ctx; 8723 int err; 8724 8725 if (!nla[NFTA_FLOWTABLE_TABLE] || 8726 !nla[NFTA_FLOWTABLE_NAME] || 8727 !nla[NFTA_FLOWTABLE_HOOK]) 8728 return -EINVAL; 8729 8730 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 8731 genmask, NETLINK_CB(skb).portid); 8732 if (IS_ERR(table)) { 8733 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 8734 return PTR_ERR(table); 8735 } 8736 8737 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 8738 genmask); 8739 if (IS_ERR(flowtable)) { 8740 err = PTR_ERR(flowtable); 8741 if (err != -ENOENT) { 8742 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 8743 return err; 8744 } 8745 } else { 8746 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 8747 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 8748 return -EEXIST; 8749 } 8750 8751 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8752 8753 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack); 8754 } 8755 8756 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8757 8758 if (!nft_use_inc(&table->use)) 8759 return -EMFILE; 8760 8761 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT); 8762 if (!flowtable) { 8763 err = -ENOMEM; 8764 goto flowtable_alloc; 8765 } 8766 8767 flowtable->table = table; 8768 flowtable->handle = nf_tables_alloc_handle(table); 8769 INIT_LIST_HEAD(&flowtable->hook_list); 8770 8771 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT); 8772 if (!flowtable->name) { 8773 err = -ENOMEM; 8774 goto err1; 8775 } 8776 8777 type = nft_flowtable_type_get(net, family); 8778 if (IS_ERR(type)) { 8779 err = PTR_ERR(type); 8780 goto err2; 8781 } 8782 8783 if (nla[NFTA_FLOWTABLE_FLAGS]) { 8784 flowtable->data.flags = 8785 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 8786 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) { 8787 err = -EOPNOTSUPP; 8788 goto err3; 8789 } 8790 } 8791 8792 write_pnet(&flowtable->data.net, net); 8793 flowtable->data.type = type; 8794 err = type->init(&flowtable->data); 8795 if (err < 0) 8796 goto err3; 8797 8798 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable, 8799 extack, true); 8800 if (err < 0) 8801 goto err_flowtable_parse_hooks; 8802 8803 list_splice(&flowtable_hook.list, &flowtable->hook_list); 8804 flowtable->data.priority = flowtable_hook.priority; 8805 flowtable->hooknum = flowtable_hook.num; 8806 8807 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 8808 if (IS_ERR(trans)) { 8809 err = PTR_ERR(trans); 8810 goto err_flowtable_trans; 8811 } 8812 8813 /* This must be LAST to ensure no packets are walking over this flowtable. */ 8814 err = nft_register_flowtable_net_hooks(ctx.net, table, 8815 &flowtable->hook_list, 8816 flowtable); 8817 if (err < 0) 8818 goto err_flowtable_hooks; 8819 8820 list_add_tail_rcu(&flowtable->list, &table->flowtables); 8821 8822 return 0; 8823 8824 err_flowtable_hooks: 8825 nft_trans_destroy(trans); 8826 err_flowtable_trans: 8827 nft_hooks_destroy(&flowtable->hook_list); 8828 err_flowtable_parse_hooks: 8829 flowtable->data.type->free(&flowtable->data); 8830 err3: 8831 module_put(type->owner); 8832 err2: 8833 kfree(flowtable->name); 8834 err1: 8835 kfree(flowtable); 8836 flowtable_alloc: 8837 nft_use_dec_restore(&table->use); 8838 8839 return err; 8840 } 8841 nft_flowtable_hook_release(struct nft_flowtable_hook * flowtable_hook)8842 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook) 8843 { 8844 struct nft_hook *this, *next; 8845 8846 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { 8847 list_del(&this->list); 8848 kfree(this); 8849 } 8850 } 8851 nft_delflowtable_hook(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)8852 static int nft_delflowtable_hook(struct nft_ctx *ctx, 8853 struct nft_flowtable *flowtable, 8854 struct netlink_ext_ack *extack) 8855 { 8856 const struct nlattr * const *nla = ctx->nla; 8857 struct nft_flowtable_hook flowtable_hook; 8858 LIST_HEAD(flowtable_del_list); 8859 struct nft_hook *this, *hook; 8860 struct nft_trans *trans; 8861 int err; 8862 8863 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable, 8864 extack, false); 8865 if (err < 0) 8866 return err; 8867 8868 list_for_each_entry(this, &flowtable_hook.list, list) { 8869 hook = nft_hook_list_find(&flowtable->hook_list, this); 8870 if (!hook) { 8871 err = -ENOENT; 8872 goto err_flowtable_del_hook; 8873 } 8874 list_move(&hook->list, &flowtable_del_list); 8875 } 8876 8877 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 8878 sizeof(struct nft_trans_flowtable)); 8879 if (!trans) { 8880 err = -ENOMEM; 8881 goto err_flowtable_del_hook; 8882 } 8883 8884 nft_trans_flowtable(trans) = flowtable; 8885 nft_trans_flowtable_update(trans) = true; 8886 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 8887 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans)); 8888 nft_flowtable_hook_release(&flowtable_hook); 8889 8890 nft_trans_commit_list_add_tail(ctx->net, trans); 8891 8892 return 0; 8893 8894 err_flowtable_del_hook: 8895 list_splice(&flowtable_del_list, &flowtable->hook_list); 8896 nft_flowtable_hook_release(&flowtable_hook); 8897 8898 return err; 8899 } 8900 nf_tables_delflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8901 static int nf_tables_delflowtable(struct sk_buff *skb, 8902 const struct nfnl_info *info, 8903 const struct nlattr * const nla[]) 8904 { 8905 struct netlink_ext_ack *extack = info->extack; 8906 u8 genmask = nft_genmask_next(info->net); 8907 u8 family = info->nfmsg->nfgen_family; 8908 struct nft_flowtable *flowtable; 8909 struct net *net = info->net; 8910 const struct nlattr *attr; 8911 struct nft_table *table; 8912 struct nft_ctx ctx; 8913 8914 if (!nla[NFTA_FLOWTABLE_TABLE] || 8915 (!nla[NFTA_FLOWTABLE_NAME] && 8916 !nla[NFTA_FLOWTABLE_HANDLE])) 8917 return -EINVAL; 8918 8919 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 8920 genmask, NETLINK_CB(skb).portid); 8921 if (IS_ERR(table)) { 8922 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 8923 return PTR_ERR(table); 8924 } 8925 8926 if (nla[NFTA_FLOWTABLE_HANDLE]) { 8927 attr = nla[NFTA_FLOWTABLE_HANDLE]; 8928 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 8929 } else { 8930 attr = nla[NFTA_FLOWTABLE_NAME]; 8931 flowtable = nft_flowtable_lookup(table, attr, genmask); 8932 } 8933 8934 if (IS_ERR(flowtable)) { 8935 if (PTR_ERR(flowtable) == -ENOENT && 8936 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE) 8937 return 0; 8938 8939 NL_SET_BAD_ATTR(extack, attr); 8940 return PTR_ERR(flowtable); 8941 } 8942 8943 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8944 8945 if (nla[NFTA_FLOWTABLE_HOOK]) 8946 return nft_delflowtable_hook(&ctx, flowtable, extack); 8947 8948 if (flowtable->use > 0) { 8949 NL_SET_BAD_ATTR(extack, attr); 8950 return -EBUSY; 8951 } 8952 8953 return nft_delflowtable(&ctx, flowtable); 8954 } 8955 nf_tables_fill_flowtable_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,struct nft_flowtable * flowtable,struct list_head * hook_list)8956 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 8957 u32 portid, u32 seq, int event, 8958 u32 flags, int family, 8959 struct nft_flowtable *flowtable, 8960 struct list_head *hook_list) 8961 { 8962 struct nlattr *nest, *nest_devs; 8963 struct nft_hook *hook; 8964 struct nlmsghdr *nlh; 8965 8966 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 8967 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 8968 NFNETLINK_V0, nft_base_seq(net)); 8969 if (!nlh) 8970 goto nla_put_failure; 8971 8972 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 8973 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 8974 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 8975 NFTA_FLOWTABLE_PAD)) 8976 goto nla_put_failure; 8977 8978 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) { 8979 nlmsg_end(skb, nlh); 8980 return 0; 8981 } 8982 8983 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 8984 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 8985 goto nla_put_failure; 8986 8987 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 8988 if (!nest) 8989 goto nla_put_failure; 8990 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 8991 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 8992 goto nla_put_failure; 8993 8994 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 8995 if (!nest_devs) 8996 goto nla_put_failure; 8997 8998 if (!hook_list) 8999 hook_list = &flowtable->hook_list; 9000 9001 list_for_each_entry_rcu(hook, hook_list, list) { 9002 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) 9003 goto nla_put_failure; 9004 } 9005 nla_nest_end(skb, nest_devs); 9006 nla_nest_end(skb, nest); 9007 9008 nlmsg_end(skb, nlh); 9009 return 0; 9010 9011 nla_put_failure: 9012 nlmsg_trim(skb, nlh); 9013 return -1; 9014 } 9015 9016 struct nft_flowtable_filter { 9017 char *table; 9018 }; 9019 nf_tables_dump_flowtable(struct sk_buff * skb,struct netlink_callback * cb)9020 static int nf_tables_dump_flowtable(struct sk_buff *skb, 9021 struct netlink_callback *cb) 9022 { 9023 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 9024 struct nft_flowtable_filter *filter = cb->data; 9025 unsigned int idx = 0, s_idx = cb->args[0]; 9026 struct net *net = sock_net(skb->sk); 9027 int family = nfmsg->nfgen_family; 9028 struct nft_flowtable *flowtable; 9029 struct nftables_pernet *nft_net; 9030 const struct nft_table *table; 9031 9032 rcu_read_lock(); 9033 nft_net = nft_pernet(net); 9034 cb->seq = READ_ONCE(nft_net->base_seq); 9035 9036 list_for_each_entry_rcu(table, &nft_net->tables, list) { 9037 if (family != NFPROTO_UNSPEC && family != table->family) 9038 continue; 9039 9040 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 9041 if (!nft_is_active(net, flowtable)) 9042 goto cont; 9043 if (idx < s_idx) 9044 goto cont; 9045 if (idx > s_idx) 9046 memset(&cb->args[1], 0, 9047 sizeof(cb->args) - sizeof(cb->args[0])); 9048 if (filter && filter->table && 9049 strcmp(filter->table, table->name)) 9050 goto cont; 9051 9052 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 9053 cb->nlh->nlmsg_seq, 9054 NFT_MSG_NEWFLOWTABLE, 9055 NLM_F_MULTI | NLM_F_APPEND, 9056 table->family, 9057 flowtable, NULL) < 0) 9058 goto done; 9059 9060 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 9061 cont: 9062 idx++; 9063 } 9064 } 9065 done: 9066 rcu_read_unlock(); 9067 9068 cb->args[0] = idx; 9069 return skb->len; 9070 } 9071 nf_tables_dump_flowtable_start(struct netlink_callback * cb)9072 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 9073 { 9074 const struct nlattr * const *nla = cb->data; 9075 struct nft_flowtable_filter *filter = NULL; 9076 9077 if (nla[NFTA_FLOWTABLE_TABLE]) { 9078 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 9079 if (!filter) 9080 return -ENOMEM; 9081 9082 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 9083 GFP_ATOMIC); 9084 if (!filter->table) { 9085 kfree(filter); 9086 return -ENOMEM; 9087 } 9088 } 9089 9090 cb->data = filter; 9091 return 0; 9092 } 9093 nf_tables_dump_flowtable_done(struct netlink_callback * cb)9094 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 9095 { 9096 struct nft_flowtable_filter *filter = cb->data; 9097 9098 if (!filter) 9099 return 0; 9100 9101 kfree(filter->table); 9102 kfree(filter); 9103 9104 return 0; 9105 } 9106 9107 /* called with rcu_read_lock held */ nf_tables_getflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9108 static int nf_tables_getflowtable(struct sk_buff *skb, 9109 const struct nfnl_info *info, 9110 const struct nlattr * const nla[]) 9111 { 9112 struct netlink_ext_ack *extack = info->extack; 9113 u8 genmask = nft_genmask_cur(info->net); 9114 u8 family = info->nfmsg->nfgen_family; 9115 struct nft_flowtable *flowtable; 9116 const struct nft_table *table; 9117 struct net *net = info->net; 9118 struct sk_buff *skb2; 9119 int err; 9120 9121 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 9122 struct netlink_dump_control c = { 9123 .start = nf_tables_dump_flowtable_start, 9124 .dump = nf_tables_dump_flowtable, 9125 .done = nf_tables_dump_flowtable_done, 9126 .module = THIS_MODULE, 9127 .data = (void *)nla, 9128 }; 9129 9130 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 9131 } 9132 9133 if (!nla[NFTA_FLOWTABLE_NAME]) 9134 return -EINVAL; 9135 9136 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 9137 genmask, 0); 9138 if (IS_ERR(table)) { 9139 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 9140 return PTR_ERR(table); 9141 } 9142 9143 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 9144 genmask); 9145 if (IS_ERR(flowtable)) { 9146 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 9147 return PTR_ERR(flowtable); 9148 } 9149 9150 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 9151 if (!skb2) 9152 return -ENOMEM; 9153 9154 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 9155 info->nlh->nlmsg_seq, 9156 NFT_MSG_NEWFLOWTABLE, 0, family, 9157 flowtable, NULL); 9158 if (err < 0) 9159 goto err_fill_flowtable_info; 9160 9161 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 9162 9163 err_fill_flowtable_info: 9164 kfree_skb(skb2); 9165 return err; 9166 } 9167 nf_tables_flowtable_notify(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct list_head * hook_list,int event)9168 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 9169 struct nft_flowtable *flowtable, 9170 struct list_head *hook_list, int event) 9171 { 9172 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 9173 struct sk_buff *skb; 9174 u16 flags = 0; 9175 int err; 9176 9177 if (!ctx->report && 9178 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 9179 return; 9180 9181 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 9182 if (skb == NULL) 9183 goto err; 9184 9185 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 9186 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 9187 9188 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 9189 ctx->seq, event, flags, 9190 ctx->family, flowtable, hook_list); 9191 if (err < 0) { 9192 kfree_skb(skb); 9193 goto err; 9194 } 9195 9196 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 9197 return; 9198 err: 9199 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 9200 } 9201 nf_tables_flowtable_destroy(struct nft_flowtable * flowtable)9202 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 9203 { 9204 struct nft_hook *hook, *next; 9205 9206 flowtable->data.type->free(&flowtable->data); 9207 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 9208 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 9209 FLOW_BLOCK_UNBIND); 9210 list_del_rcu(&hook->list); 9211 kfree_rcu(hook, rcu); 9212 } 9213 kfree(flowtable->name); 9214 module_put(flowtable->data.type->owner); 9215 kfree(flowtable); 9216 } 9217 nf_tables_fill_gen_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq)9218 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 9219 u32 portid, u32 seq) 9220 { 9221 struct nftables_pernet *nft_net = nft_pernet(net); 9222 struct nlmsghdr *nlh; 9223 char buf[TASK_COMM_LEN]; 9224 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 9225 9226 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, 9227 NFNETLINK_V0, nft_base_seq(net)); 9228 if (!nlh) 9229 goto nla_put_failure; 9230 9231 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || 9232 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 9233 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 9234 goto nla_put_failure; 9235 9236 nlmsg_end(skb, nlh); 9237 return 0; 9238 9239 nla_put_failure: 9240 nlmsg_trim(skb, nlh); 9241 return -EMSGSIZE; 9242 } 9243 nft_flowtable_event(unsigned long event,struct net_device * dev,struct nft_flowtable * flowtable)9244 static void nft_flowtable_event(unsigned long event, struct net_device *dev, 9245 struct nft_flowtable *flowtable) 9246 { 9247 struct nft_hook *hook; 9248 9249 list_for_each_entry(hook, &flowtable->hook_list, list) { 9250 if (hook->ops.dev != dev) 9251 continue; 9252 9253 /* flow_offload_netdev_event() cleans up entries for us. */ 9254 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); 9255 list_del_rcu(&hook->list); 9256 kfree_rcu(hook, rcu); 9257 break; 9258 } 9259 } 9260 nf_tables_flowtable_event(struct notifier_block * this,unsigned long event,void * ptr)9261 static int nf_tables_flowtable_event(struct notifier_block *this, 9262 unsigned long event, void *ptr) 9263 { 9264 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 9265 struct nft_flowtable *flowtable; 9266 struct nftables_pernet *nft_net; 9267 struct nft_table *table; 9268 struct net *net; 9269 9270 if (event != NETDEV_UNREGISTER) 9271 return 0; 9272 9273 net = dev_net(dev); 9274 nft_net = nft_pernet(net); 9275 mutex_lock(&nft_net->commit_mutex); 9276 list_for_each_entry(table, &nft_net->tables, list) { 9277 list_for_each_entry(flowtable, &table->flowtables, list) { 9278 nft_flowtable_event(event, dev, flowtable); 9279 } 9280 } 9281 mutex_unlock(&nft_net->commit_mutex); 9282 9283 return NOTIFY_DONE; 9284 } 9285 9286 static struct notifier_block nf_tables_flowtable_notifier = { 9287 .notifier_call = nf_tables_flowtable_event, 9288 }; 9289 nf_tables_gen_notify(struct net * net,struct sk_buff * skb,int event)9290 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 9291 int event) 9292 { 9293 struct nlmsghdr *nlh = nlmsg_hdr(skb); 9294 struct sk_buff *skb2; 9295 int err; 9296 9297 if (!nlmsg_report(nlh) && 9298 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 9299 return; 9300 9301 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 9302 if (skb2 == NULL) 9303 goto err; 9304 9305 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 9306 nlh->nlmsg_seq); 9307 if (err < 0) { 9308 kfree_skb(skb2); 9309 goto err; 9310 } 9311 9312 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 9313 nlmsg_report(nlh), GFP_KERNEL); 9314 return; 9315 err: 9316 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 9317 -ENOBUFS); 9318 } 9319 nf_tables_getgen(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9320 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info, 9321 const struct nlattr * const nla[]) 9322 { 9323 struct sk_buff *skb2; 9324 int err; 9325 9326 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 9327 if (skb2 == NULL) 9328 return -ENOMEM; 9329 9330 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid, 9331 info->nlh->nlmsg_seq); 9332 if (err < 0) 9333 goto err_fill_gen_info; 9334 9335 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 9336 9337 err_fill_gen_info: 9338 kfree_skb(skb2); 9339 return err; 9340 } 9341 9342 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 9343 [NFT_MSG_NEWTABLE] = { 9344 .call = nf_tables_newtable, 9345 .type = NFNL_CB_BATCH, 9346 .attr_count = NFTA_TABLE_MAX, 9347 .policy = nft_table_policy, 9348 }, 9349 [NFT_MSG_GETTABLE] = { 9350 .call = nf_tables_gettable, 9351 .type = NFNL_CB_RCU, 9352 .attr_count = NFTA_TABLE_MAX, 9353 .policy = nft_table_policy, 9354 }, 9355 [NFT_MSG_DELTABLE] = { 9356 .call = nf_tables_deltable, 9357 .type = NFNL_CB_BATCH, 9358 .attr_count = NFTA_TABLE_MAX, 9359 .policy = nft_table_policy, 9360 }, 9361 [NFT_MSG_DESTROYTABLE] = { 9362 .call = nf_tables_deltable, 9363 .type = NFNL_CB_BATCH, 9364 .attr_count = NFTA_TABLE_MAX, 9365 .policy = nft_table_policy, 9366 }, 9367 [NFT_MSG_NEWCHAIN] = { 9368 .call = nf_tables_newchain, 9369 .type = NFNL_CB_BATCH, 9370 .attr_count = NFTA_CHAIN_MAX, 9371 .policy = nft_chain_policy, 9372 }, 9373 [NFT_MSG_GETCHAIN] = { 9374 .call = nf_tables_getchain, 9375 .type = NFNL_CB_RCU, 9376 .attr_count = NFTA_CHAIN_MAX, 9377 .policy = nft_chain_policy, 9378 }, 9379 [NFT_MSG_DELCHAIN] = { 9380 .call = nf_tables_delchain, 9381 .type = NFNL_CB_BATCH, 9382 .attr_count = NFTA_CHAIN_MAX, 9383 .policy = nft_chain_policy, 9384 }, 9385 [NFT_MSG_DESTROYCHAIN] = { 9386 .call = nf_tables_delchain, 9387 .type = NFNL_CB_BATCH, 9388 .attr_count = NFTA_CHAIN_MAX, 9389 .policy = nft_chain_policy, 9390 }, 9391 [NFT_MSG_NEWRULE] = { 9392 .call = nf_tables_newrule, 9393 .type = NFNL_CB_BATCH, 9394 .attr_count = NFTA_RULE_MAX, 9395 .policy = nft_rule_policy, 9396 }, 9397 [NFT_MSG_GETRULE] = { 9398 .call = nf_tables_getrule, 9399 .type = NFNL_CB_RCU, 9400 .attr_count = NFTA_RULE_MAX, 9401 .policy = nft_rule_policy, 9402 }, 9403 [NFT_MSG_GETRULE_RESET] = { 9404 .call = nf_tables_getrule_reset, 9405 .type = NFNL_CB_RCU, 9406 .attr_count = NFTA_RULE_MAX, 9407 .policy = nft_rule_policy, 9408 }, 9409 [NFT_MSG_DELRULE] = { 9410 .call = nf_tables_delrule, 9411 .type = NFNL_CB_BATCH, 9412 .attr_count = NFTA_RULE_MAX, 9413 .policy = nft_rule_policy, 9414 }, 9415 [NFT_MSG_DESTROYRULE] = { 9416 .call = nf_tables_delrule, 9417 .type = NFNL_CB_BATCH, 9418 .attr_count = NFTA_RULE_MAX, 9419 .policy = nft_rule_policy, 9420 }, 9421 [NFT_MSG_NEWSET] = { 9422 .call = nf_tables_newset, 9423 .type = NFNL_CB_BATCH, 9424 .attr_count = NFTA_SET_MAX, 9425 .policy = nft_set_policy, 9426 }, 9427 [NFT_MSG_GETSET] = { 9428 .call = nf_tables_getset, 9429 .type = NFNL_CB_RCU, 9430 .attr_count = NFTA_SET_MAX, 9431 .policy = nft_set_policy, 9432 }, 9433 [NFT_MSG_DELSET] = { 9434 .call = nf_tables_delset, 9435 .type = NFNL_CB_BATCH, 9436 .attr_count = NFTA_SET_MAX, 9437 .policy = nft_set_policy, 9438 }, 9439 [NFT_MSG_DESTROYSET] = { 9440 .call = nf_tables_delset, 9441 .type = NFNL_CB_BATCH, 9442 .attr_count = NFTA_SET_MAX, 9443 .policy = nft_set_policy, 9444 }, 9445 [NFT_MSG_NEWSETELEM] = { 9446 .call = nf_tables_newsetelem, 9447 .type = NFNL_CB_BATCH, 9448 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9449 .policy = nft_set_elem_list_policy, 9450 }, 9451 [NFT_MSG_GETSETELEM] = { 9452 .call = nf_tables_getsetelem, 9453 .type = NFNL_CB_RCU, 9454 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9455 .policy = nft_set_elem_list_policy, 9456 }, 9457 [NFT_MSG_GETSETELEM_RESET] = { 9458 .call = nf_tables_getsetelem_reset, 9459 .type = NFNL_CB_RCU, 9460 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9461 .policy = nft_set_elem_list_policy, 9462 }, 9463 [NFT_MSG_DELSETELEM] = { 9464 .call = nf_tables_delsetelem, 9465 .type = NFNL_CB_BATCH, 9466 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9467 .policy = nft_set_elem_list_policy, 9468 }, 9469 [NFT_MSG_DESTROYSETELEM] = { 9470 .call = nf_tables_delsetelem, 9471 .type = NFNL_CB_BATCH, 9472 .attr_count = NFTA_SET_ELEM_LIST_MAX, 9473 .policy = nft_set_elem_list_policy, 9474 }, 9475 [NFT_MSG_GETGEN] = { 9476 .call = nf_tables_getgen, 9477 .type = NFNL_CB_RCU, 9478 }, 9479 [NFT_MSG_NEWOBJ] = { 9480 .call = nf_tables_newobj, 9481 .type = NFNL_CB_BATCH, 9482 .attr_count = NFTA_OBJ_MAX, 9483 .policy = nft_obj_policy, 9484 }, 9485 [NFT_MSG_GETOBJ] = { 9486 .call = nf_tables_getobj, 9487 .type = NFNL_CB_RCU, 9488 .attr_count = NFTA_OBJ_MAX, 9489 .policy = nft_obj_policy, 9490 }, 9491 [NFT_MSG_DELOBJ] = { 9492 .call = nf_tables_delobj, 9493 .type = NFNL_CB_BATCH, 9494 .attr_count = NFTA_OBJ_MAX, 9495 .policy = nft_obj_policy, 9496 }, 9497 [NFT_MSG_DESTROYOBJ] = { 9498 .call = nf_tables_delobj, 9499 .type = NFNL_CB_BATCH, 9500 .attr_count = NFTA_OBJ_MAX, 9501 .policy = nft_obj_policy, 9502 }, 9503 [NFT_MSG_GETOBJ_RESET] = { 9504 .call = nf_tables_getobj_reset, 9505 .type = NFNL_CB_RCU, 9506 .attr_count = NFTA_OBJ_MAX, 9507 .policy = nft_obj_policy, 9508 }, 9509 [NFT_MSG_NEWFLOWTABLE] = { 9510 .call = nf_tables_newflowtable, 9511 .type = NFNL_CB_BATCH, 9512 .attr_count = NFTA_FLOWTABLE_MAX, 9513 .policy = nft_flowtable_policy, 9514 }, 9515 [NFT_MSG_GETFLOWTABLE] = { 9516 .call = nf_tables_getflowtable, 9517 .type = NFNL_CB_RCU, 9518 .attr_count = NFTA_FLOWTABLE_MAX, 9519 .policy = nft_flowtable_policy, 9520 }, 9521 [NFT_MSG_DELFLOWTABLE] = { 9522 .call = nf_tables_delflowtable, 9523 .type = NFNL_CB_BATCH, 9524 .attr_count = NFTA_FLOWTABLE_MAX, 9525 .policy = nft_flowtable_policy, 9526 }, 9527 [NFT_MSG_DESTROYFLOWTABLE] = { 9528 .call = nf_tables_delflowtable, 9529 .type = NFNL_CB_BATCH, 9530 .attr_count = NFTA_FLOWTABLE_MAX, 9531 .policy = nft_flowtable_policy, 9532 }, 9533 }; 9534 nf_tables_validate(struct net * net)9535 static int nf_tables_validate(struct net *net) 9536 { 9537 struct nftables_pernet *nft_net = nft_pernet(net); 9538 struct nft_table *table; 9539 9540 list_for_each_entry(table, &nft_net->tables, list) { 9541 switch (table->validate_state) { 9542 case NFT_VALIDATE_SKIP: 9543 continue; 9544 case NFT_VALIDATE_NEED: 9545 nft_validate_state_update(table, NFT_VALIDATE_DO); 9546 fallthrough; 9547 case NFT_VALIDATE_DO: 9548 if (nft_table_validate(net, table) < 0) 9549 return -EAGAIN; 9550 9551 nft_validate_state_update(table, NFT_VALIDATE_SKIP); 9552 break; 9553 } 9554 } 9555 9556 return 0; 9557 } 9558 9559 /* a drop policy has to be deferred until all rules have been activated, 9560 * otherwise a large ruleset that contains a drop-policy base chain will 9561 * cause all packets to get dropped until the full transaction has been 9562 * processed. 9563 * 9564 * We defer the drop policy until the transaction has been finalized. 9565 */ nft_chain_commit_drop_policy(struct nft_trans_chain * trans)9566 static void nft_chain_commit_drop_policy(struct nft_trans_chain *trans) 9567 { 9568 struct nft_base_chain *basechain; 9569 9570 if (trans->policy != NF_DROP) 9571 return; 9572 9573 if (!nft_is_base_chain(trans->chain)) 9574 return; 9575 9576 basechain = nft_base_chain(trans->chain); 9577 basechain->policy = NF_DROP; 9578 } 9579 nft_chain_commit_update(struct nft_trans_chain * trans)9580 static void nft_chain_commit_update(struct nft_trans_chain *trans) 9581 { 9582 struct nft_table *table = trans->nft_trans_binding.nft_trans.table; 9583 struct nft_base_chain *basechain; 9584 9585 if (trans->name) { 9586 rhltable_remove(&table->chains_ht, 9587 &trans->chain->rhlhead, 9588 nft_chain_ht_params); 9589 swap(trans->chain->name, trans->name); 9590 rhltable_insert_key(&table->chains_ht, 9591 trans->chain->name, 9592 &trans->chain->rhlhead, 9593 nft_chain_ht_params); 9594 } 9595 9596 if (!nft_is_base_chain(trans->chain)) 9597 return; 9598 9599 nft_chain_stats_replace(trans); 9600 9601 basechain = nft_base_chain(trans->chain); 9602 9603 switch (trans->policy) { 9604 case NF_DROP: 9605 case NF_ACCEPT: 9606 basechain->policy = trans->policy; 9607 break; 9608 } 9609 } 9610 nft_obj_commit_update(const struct nft_ctx * ctx,struct nft_trans * trans)9611 static void nft_obj_commit_update(const struct nft_ctx *ctx, 9612 struct nft_trans *trans) 9613 { 9614 struct nft_object *newobj; 9615 struct nft_object *obj; 9616 9617 obj = nft_trans_obj(trans); 9618 newobj = nft_trans_obj_newobj(trans); 9619 9620 if (WARN_ON_ONCE(!obj->ops->update)) 9621 return; 9622 9623 obj->ops->update(obj, newobj); 9624 nft_obj_destroy(ctx, newobj); 9625 } 9626 nft_commit_release(struct nft_trans * trans)9627 static void nft_commit_release(struct nft_trans *trans) 9628 { 9629 struct nft_ctx ctx = { 9630 .net = trans->net, 9631 }; 9632 9633 nft_ctx_update(&ctx, trans); 9634 9635 switch (trans->msg_type) { 9636 case NFT_MSG_DELTABLE: 9637 case NFT_MSG_DESTROYTABLE: 9638 nf_tables_table_destroy(trans->table); 9639 break; 9640 case NFT_MSG_NEWCHAIN: 9641 free_percpu(nft_trans_chain_stats(trans)); 9642 kfree(nft_trans_chain_name(trans)); 9643 break; 9644 case NFT_MSG_DELCHAIN: 9645 case NFT_MSG_DESTROYCHAIN: 9646 if (nft_trans_chain_update(trans)) 9647 nft_hooks_destroy(&nft_trans_chain_hooks(trans)); 9648 else 9649 nf_tables_chain_destroy(nft_trans_chain(trans)); 9650 break; 9651 case NFT_MSG_DELRULE: 9652 case NFT_MSG_DESTROYRULE: 9653 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans)); 9654 break; 9655 case NFT_MSG_DELSET: 9656 case NFT_MSG_DESTROYSET: 9657 nft_set_destroy(&ctx, nft_trans_set(trans)); 9658 break; 9659 case NFT_MSG_DELSETELEM: 9660 case NFT_MSG_DESTROYSETELEM: 9661 nf_tables_set_elem_destroy(&ctx, 9662 nft_trans_elem_set(trans), 9663 nft_trans_elem_priv(trans)); 9664 break; 9665 case NFT_MSG_DELOBJ: 9666 case NFT_MSG_DESTROYOBJ: 9667 nft_obj_destroy(&ctx, nft_trans_obj(trans)); 9668 break; 9669 case NFT_MSG_DELFLOWTABLE: 9670 case NFT_MSG_DESTROYFLOWTABLE: 9671 if (nft_trans_flowtable_update(trans)) 9672 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 9673 else 9674 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 9675 break; 9676 } 9677 9678 if (trans->put_net) 9679 put_net(trans->net); 9680 9681 kfree(trans); 9682 } 9683 nf_tables_trans_destroy_work(struct work_struct * w)9684 static void nf_tables_trans_destroy_work(struct work_struct *w) 9685 { 9686 struct nft_trans *trans, *next; 9687 LIST_HEAD(head); 9688 9689 spin_lock(&nf_tables_destroy_list_lock); 9690 list_splice_init(&nf_tables_destroy_list, &head); 9691 spin_unlock(&nf_tables_destroy_list_lock); 9692 9693 if (list_empty(&head)) 9694 return; 9695 9696 synchronize_rcu(); 9697 9698 list_for_each_entry_safe(trans, next, &head, list) { 9699 nft_trans_list_del(trans); 9700 nft_commit_release(trans); 9701 } 9702 } 9703 nf_tables_trans_destroy_flush_work(void)9704 void nf_tables_trans_destroy_flush_work(void) 9705 { 9706 flush_work(&trans_destroy_work); 9707 } 9708 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work); 9709 nft_expr_reduce(struct nft_regs_track * track,const struct nft_expr * expr)9710 static bool nft_expr_reduce(struct nft_regs_track *track, 9711 const struct nft_expr *expr) 9712 { 9713 return false; 9714 } 9715 nf_tables_commit_chain_prepare(struct net * net,struct nft_chain * chain)9716 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 9717 { 9718 const struct nft_expr *expr, *last; 9719 struct nft_regs_track track = {}; 9720 unsigned int size, data_size; 9721 void *data, *data_boundary; 9722 struct nft_rule_dp *prule; 9723 struct nft_rule *rule; 9724 9725 /* already handled or inactive chain? */ 9726 if (chain->blob_next || !nft_is_active_next(net, chain)) 9727 return 0; 9728 9729 data_size = 0; 9730 list_for_each_entry(rule, &chain->rules, list) { 9731 if (nft_is_active_next(net, rule)) { 9732 data_size += sizeof(*prule) + rule->dlen; 9733 if (data_size > INT_MAX) 9734 return -ENOMEM; 9735 } 9736 } 9737 9738 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size); 9739 if (!chain->blob_next) 9740 return -ENOMEM; 9741 9742 data = (void *)chain->blob_next->data; 9743 data_boundary = data + data_size; 9744 size = 0; 9745 9746 list_for_each_entry(rule, &chain->rules, list) { 9747 if (!nft_is_active_next(net, rule)) 9748 continue; 9749 9750 prule = (struct nft_rule_dp *)data; 9751 data += offsetof(struct nft_rule_dp, data); 9752 if (WARN_ON_ONCE(data > data_boundary)) 9753 return -ENOMEM; 9754 9755 size = 0; 9756 track.last = nft_expr_last(rule); 9757 nft_rule_for_each_expr(expr, last, rule) { 9758 track.cur = expr; 9759 9760 if (nft_expr_reduce(&track, expr)) { 9761 expr = track.cur; 9762 continue; 9763 } 9764 9765 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary)) 9766 return -ENOMEM; 9767 9768 memcpy(data + size, expr, expr->ops->size); 9769 size += expr->ops->size; 9770 } 9771 if (WARN_ON_ONCE(size >= 1 << 12)) 9772 return -ENOMEM; 9773 9774 prule->handle = rule->handle; 9775 prule->dlen = size; 9776 prule->is_last = 0; 9777 9778 data += size; 9779 size = 0; 9780 chain->blob_next->size += (unsigned long)(data - (void *)prule); 9781 } 9782 9783 if (WARN_ON_ONCE(data > data_boundary)) 9784 return -ENOMEM; 9785 9786 prule = (struct nft_rule_dp *)data; 9787 nft_last_rule(chain, prule); 9788 9789 return 0; 9790 } 9791 nf_tables_commit_chain_prepare_cancel(struct net * net)9792 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 9793 { 9794 struct nftables_pernet *nft_net = nft_pernet(net); 9795 struct nft_trans *trans, *next; 9796 9797 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 9798 if (trans->msg_type == NFT_MSG_NEWRULE || 9799 trans->msg_type == NFT_MSG_DELRULE) { 9800 struct nft_chain *chain = nft_trans_rule_chain(trans); 9801 9802 kvfree(chain->blob_next); 9803 chain->blob_next = NULL; 9804 } 9805 } 9806 } 9807 __nf_tables_commit_chain_free_rules(struct rcu_head * h)9808 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h) 9809 { 9810 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h); 9811 9812 kvfree(l->blob); 9813 } 9814 nf_tables_commit_chain_free_rules_old(struct nft_rule_blob * blob)9815 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob) 9816 { 9817 struct nft_rule_dp_last *last; 9818 9819 /* last rule trailer is after end marker */ 9820 last = (void *)blob + sizeof(*blob) + blob->size; 9821 last->blob = blob; 9822 9823 call_rcu(&last->h, __nf_tables_commit_chain_free_rules); 9824 } 9825 nf_tables_commit_chain(struct net * net,struct nft_chain * chain)9826 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 9827 { 9828 struct nft_rule_blob *g0, *g1; 9829 bool next_genbit; 9830 9831 next_genbit = nft_gencursor_next(net); 9832 9833 g0 = rcu_dereference_protected(chain->blob_gen_0, 9834 lockdep_commit_lock_is_held(net)); 9835 g1 = rcu_dereference_protected(chain->blob_gen_1, 9836 lockdep_commit_lock_is_held(net)); 9837 9838 /* No changes to this chain? */ 9839 if (chain->blob_next == NULL) { 9840 /* chain had no change in last or next generation */ 9841 if (g0 == g1) 9842 return; 9843 /* 9844 * chain had no change in this generation; make sure next 9845 * one uses same rules as current generation. 9846 */ 9847 if (next_genbit) { 9848 rcu_assign_pointer(chain->blob_gen_1, g0); 9849 nf_tables_commit_chain_free_rules_old(g1); 9850 } else { 9851 rcu_assign_pointer(chain->blob_gen_0, g1); 9852 nf_tables_commit_chain_free_rules_old(g0); 9853 } 9854 9855 return; 9856 } 9857 9858 if (next_genbit) 9859 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next); 9860 else 9861 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next); 9862 9863 chain->blob_next = NULL; 9864 9865 if (g0 == g1) 9866 return; 9867 9868 if (next_genbit) 9869 nf_tables_commit_chain_free_rules_old(g1); 9870 else 9871 nf_tables_commit_chain_free_rules_old(g0); 9872 } 9873 nft_obj_del(struct nft_object * obj)9874 static void nft_obj_del(struct nft_object *obj) 9875 { 9876 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 9877 list_del_rcu(&obj->list); 9878 } 9879 nft_chain_del(struct nft_chain * chain)9880 void nft_chain_del(struct nft_chain *chain) 9881 { 9882 struct nft_table *table = chain->table; 9883 9884 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 9885 nft_chain_ht_params)); 9886 list_del_rcu(&chain->list); 9887 } 9888 nft_trans_gc_setelem_remove(struct nft_ctx * ctx,struct nft_trans_gc * trans)9889 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx, 9890 struct nft_trans_gc *trans) 9891 { 9892 struct nft_elem_priv **priv = trans->priv; 9893 unsigned int i; 9894 9895 for (i = 0; i < trans->count; i++) { 9896 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]); 9897 nft_setelem_remove(ctx->net, trans->set, priv[i]); 9898 } 9899 } 9900 nft_trans_gc_destroy(struct nft_trans_gc * trans)9901 void nft_trans_gc_destroy(struct nft_trans_gc *trans) 9902 { 9903 nft_set_put(trans->set); 9904 put_net(trans->net); 9905 kfree(trans); 9906 } 9907 nft_trans_gc_trans_free(struct rcu_head * rcu)9908 static void nft_trans_gc_trans_free(struct rcu_head *rcu) 9909 { 9910 struct nft_elem_priv *elem_priv; 9911 struct nft_trans_gc *trans; 9912 struct nft_ctx ctx = {}; 9913 unsigned int i; 9914 9915 trans = container_of(rcu, struct nft_trans_gc, rcu); 9916 ctx.net = read_pnet(&trans->set->net); 9917 9918 for (i = 0; i < trans->count; i++) { 9919 elem_priv = trans->priv[i]; 9920 if (!nft_setelem_is_catchall(trans->set, elem_priv)) 9921 atomic_dec(&trans->set->nelems); 9922 9923 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv); 9924 } 9925 9926 nft_trans_gc_destroy(trans); 9927 } 9928 nft_trans_gc_work_done(struct nft_trans_gc * trans)9929 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans) 9930 { 9931 struct nftables_pernet *nft_net; 9932 struct nft_ctx ctx = {}; 9933 9934 nft_net = nft_pernet(trans->net); 9935 9936 mutex_lock(&nft_net->commit_mutex); 9937 9938 /* Check for race with transaction, otherwise this batch refers to 9939 * stale objects that might not be there anymore. Skip transaction if 9940 * set has been destroyed from control plane transaction in case gc 9941 * worker loses race. 9942 */ 9943 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) { 9944 mutex_unlock(&nft_net->commit_mutex); 9945 return false; 9946 } 9947 9948 ctx.net = trans->net; 9949 ctx.table = trans->set->table; 9950 9951 nft_trans_gc_setelem_remove(&ctx, trans); 9952 mutex_unlock(&nft_net->commit_mutex); 9953 9954 return true; 9955 } 9956 nft_trans_gc_work(struct work_struct * work)9957 static void nft_trans_gc_work(struct work_struct *work) 9958 { 9959 struct nft_trans_gc *trans, *next; 9960 LIST_HEAD(trans_gc_list); 9961 9962 spin_lock(&nf_tables_gc_list_lock); 9963 list_splice_init(&nf_tables_gc_list, &trans_gc_list); 9964 spin_unlock(&nf_tables_gc_list_lock); 9965 9966 list_for_each_entry_safe(trans, next, &trans_gc_list, list) { 9967 list_del(&trans->list); 9968 if (!nft_trans_gc_work_done(trans)) { 9969 nft_trans_gc_destroy(trans); 9970 continue; 9971 } 9972 call_rcu(&trans->rcu, nft_trans_gc_trans_free); 9973 } 9974 } 9975 nft_trans_gc_alloc(struct nft_set * set,unsigned int gc_seq,gfp_t gfp)9976 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set, 9977 unsigned int gc_seq, gfp_t gfp) 9978 { 9979 struct net *net = read_pnet(&set->net); 9980 struct nft_trans_gc *trans; 9981 9982 trans = kzalloc(sizeof(*trans), gfp); 9983 if (!trans) 9984 return NULL; 9985 9986 trans->net = maybe_get_net(net); 9987 if (!trans->net) { 9988 kfree(trans); 9989 return NULL; 9990 } 9991 9992 refcount_inc(&set->refs); 9993 trans->set = set; 9994 trans->seq = gc_seq; 9995 9996 return trans; 9997 } 9998 nft_trans_gc_elem_add(struct nft_trans_gc * trans,void * priv)9999 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv) 10000 { 10001 trans->priv[trans->count++] = priv; 10002 } 10003 nft_trans_gc_queue_work(struct nft_trans_gc * trans)10004 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans) 10005 { 10006 spin_lock(&nf_tables_gc_list_lock); 10007 list_add_tail(&trans->list, &nf_tables_gc_list); 10008 spin_unlock(&nf_tables_gc_list_lock); 10009 10010 schedule_work(&trans_gc_work); 10011 } 10012 nft_trans_gc_space(struct nft_trans_gc * trans)10013 static int nft_trans_gc_space(struct nft_trans_gc *trans) 10014 { 10015 return NFT_TRANS_GC_BATCHCOUNT - trans->count; 10016 } 10017 nft_trans_gc_queue_async(struct nft_trans_gc * gc,unsigned int gc_seq,gfp_t gfp)10018 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc, 10019 unsigned int gc_seq, gfp_t gfp) 10020 { 10021 struct nft_set *set; 10022 10023 if (nft_trans_gc_space(gc)) 10024 return gc; 10025 10026 set = gc->set; 10027 nft_trans_gc_queue_work(gc); 10028 10029 return nft_trans_gc_alloc(set, gc_seq, gfp); 10030 } 10031 nft_trans_gc_queue_async_done(struct nft_trans_gc * trans)10032 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans) 10033 { 10034 if (trans->count == 0) { 10035 nft_trans_gc_destroy(trans); 10036 return; 10037 } 10038 10039 nft_trans_gc_queue_work(trans); 10040 } 10041 nft_trans_gc_queue_sync(struct nft_trans_gc * gc,gfp_t gfp)10042 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp) 10043 { 10044 struct nft_set *set; 10045 10046 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net))) 10047 return NULL; 10048 10049 if (nft_trans_gc_space(gc)) 10050 return gc; 10051 10052 set = gc->set; 10053 call_rcu(&gc->rcu, nft_trans_gc_trans_free); 10054 10055 return nft_trans_gc_alloc(set, 0, gfp); 10056 } 10057 nft_trans_gc_queue_sync_done(struct nft_trans_gc * trans)10058 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans) 10059 { 10060 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net)); 10061 10062 if (trans->count == 0) { 10063 nft_trans_gc_destroy(trans); 10064 return; 10065 } 10066 10067 call_rcu(&trans->rcu, nft_trans_gc_trans_free); 10068 } 10069 nft_trans_gc_catchall_async(struct nft_trans_gc * gc,unsigned int gc_seq)10070 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc, 10071 unsigned int gc_seq) 10072 { 10073 struct nft_set_elem_catchall *catchall; 10074 const struct nft_set *set = gc->set; 10075 struct nft_set_ext *ext; 10076 10077 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 10078 ext = nft_set_elem_ext(set, catchall->elem); 10079 10080 if (!nft_set_elem_expired(ext)) 10081 continue; 10082 if (nft_set_elem_is_dead(ext)) 10083 goto dead_elem; 10084 10085 nft_set_elem_dead(ext); 10086 dead_elem: 10087 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC); 10088 if (!gc) 10089 return NULL; 10090 10091 nft_trans_gc_elem_add(gc, catchall->elem); 10092 } 10093 10094 return gc; 10095 } 10096 nft_trans_gc_catchall_sync(struct nft_trans_gc * gc)10097 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc) 10098 { 10099 struct nft_set_elem_catchall *catchall, *next; 10100 u64 tstamp = nft_net_tstamp(gc->net); 10101 const struct nft_set *set = gc->set; 10102 struct nft_elem_priv *elem_priv; 10103 struct nft_set_ext *ext; 10104 10105 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)); 10106 10107 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 10108 ext = nft_set_elem_ext(set, catchall->elem); 10109 10110 if (!__nft_set_elem_expired(ext, tstamp)) 10111 continue; 10112 10113 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL); 10114 if (!gc) 10115 return NULL; 10116 10117 elem_priv = catchall->elem; 10118 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv); 10119 nft_setelem_catchall_destroy(catchall); 10120 nft_trans_gc_elem_add(gc, elem_priv); 10121 } 10122 10123 return gc; 10124 } 10125 nf_tables_module_autoload_cleanup(struct net * net)10126 static void nf_tables_module_autoload_cleanup(struct net *net) 10127 { 10128 struct nftables_pernet *nft_net = nft_pernet(net); 10129 struct nft_module_request *req, *next; 10130 10131 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 10132 list_for_each_entry_safe(req, next, &nft_net->module_list, list) { 10133 WARN_ON_ONCE(!req->done); 10134 list_del(&req->list); 10135 kfree(req); 10136 } 10137 } 10138 nf_tables_commit_release(struct net * net)10139 static void nf_tables_commit_release(struct net *net) 10140 { 10141 struct nftables_pernet *nft_net = nft_pernet(net); 10142 struct nft_trans *trans; 10143 10144 /* all side effects have to be made visible. 10145 * For example, if a chain named 'foo' has been deleted, a 10146 * new transaction must not find it anymore. 10147 * 10148 * Memory reclaim happens asynchronously from work queue 10149 * to prevent expensive synchronize_rcu() in commit phase. 10150 */ 10151 if (list_empty(&nft_net->commit_list)) { 10152 nf_tables_module_autoload_cleanup(net); 10153 mutex_unlock(&nft_net->commit_mutex); 10154 return; 10155 } 10156 10157 trans = list_last_entry(&nft_net->commit_list, 10158 struct nft_trans, list); 10159 get_net(trans->net); 10160 WARN_ON_ONCE(trans->put_net); 10161 10162 trans->put_net = true; 10163 spin_lock(&nf_tables_destroy_list_lock); 10164 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list); 10165 spin_unlock(&nf_tables_destroy_list_lock); 10166 10167 nf_tables_module_autoload_cleanup(net); 10168 schedule_work(&trans_destroy_work); 10169 10170 mutex_unlock(&nft_net->commit_mutex); 10171 } 10172 nft_commit_notify(struct net * net,u32 portid)10173 static void nft_commit_notify(struct net *net, u32 portid) 10174 { 10175 struct nftables_pernet *nft_net = nft_pernet(net); 10176 struct sk_buff *batch_skb = NULL, *nskb, *skb; 10177 unsigned char *data; 10178 int len; 10179 10180 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) { 10181 if (!batch_skb) { 10182 new_batch: 10183 batch_skb = skb; 10184 len = NLMSG_GOODSIZE - skb->len; 10185 list_del(&skb->list); 10186 continue; 10187 } 10188 len -= skb->len; 10189 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) { 10190 data = skb_put(batch_skb, skb->len); 10191 memcpy(data, skb->data, skb->len); 10192 list_del(&skb->list); 10193 kfree_skb(skb); 10194 continue; 10195 } 10196 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 10197 NFT_CB(batch_skb).report, GFP_KERNEL); 10198 goto new_batch; 10199 } 10200 10201 if (batch_skb) { 10202 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 10203 NFT_CB(batch_skb).report, GFP_KERNEL); 10204 } 10205 10206 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 10207 } 10208 nf_tables_commit_audit_alloc(struct list_head * adl,struct nft_table * table)10209 static int nf_tables_commit_audit_alloc(struct list_head *adl, 10210 struct nft_table *table) 10211 { 10212 struct nft_audit_data *adp; 10213 10214 list_for_each_entry(adp, adl, list) { 10215 if (adp->table == table) 10216 return 0; 10217 } 10218 adp = kzalloc(sizeof(*adp), GFP_KERNEL); 10219 if (!adp) 10220 return -ENOMEM; 10221 adp->table = table; 10222 list_add(&adp->list, adl); 10223 return 0; 10224 } 10225 nf_tables_commit_audit_free(struct list_head * adl)10226 static void nf_tables_commit_audit_free(struct list_head *adl) 10227 { 10228 struct nft_audit_data *adp, *adn; 10229 10230 list_for_each_entry_safe(adp, adn, adl, list) { 10231 list_del(&adp->list); 10232 kfree(adp); 10233 } 10234 } 10235 nf_tables_commit_audit_collect(struct list_head * adl,struct nft_table * table,u32 op)10236 static void nf_tables_commit_audit_collect(struct list_head *adl, 10237 struct nft_table *table, u32 op) 10238 { 10239 struct nft_audit_data *adp; 10240 10241 list_for_each_entry(adp, adl, list) { 10242 if (adp->table == table) 10243 goto found; 10244 } 10245 WARN_ONCE(1, "table=%s not expected in commit list", table->name); 10246 return; 10247 found: 10248 adp->entries++; 10249 if (!adp->op || adp->op > op) 10250 adp->op = op; 10251 } 10252 10253 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) 10254 nf_tables_commit_audit_log(struct list_head * adl,u32 generation)10255 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) 10256 { 10257 struct nft_audit_data *adp, *adn; 10258 char aubuf[AUNFTABLENAMELEN]; 10259 10260 list_for_each_entry_safe(adp, adn, adl, list) { 10261 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, 10262 generation); 10263 audit_log_nfcfg(aubuf, adp->table->family, adp->entries, 10264 nft2audit_op[adp->op], GFP_KERNEL); 10265 list_del(&adp->list); 10266 kfree(adp); 10267 } 10268 } 10269 nft_set_commit_update(struct list_head * set_update_list)10270 static void nft_set_commit_update(struct list_head *set_update_list) 10271 { 10272 struct nft_set *set, *next; 10273 10274 list_for_each_entry_safe(set, next, set_update_list, pending_update) { 10275 list_del_init(&set->pending_update); 10276 10277 if (!set->ops->commit || set->dead) 10278 continue; 10279 10280 set->ops->commit(set); 10281 } 10282 } 10283 nft_gc_seq_begin(struct nftables_pernet * nft_net)10284 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net) 10285 { 10286 unsigned int gc_seq; 10287 10288 /* Bump gc counter, it becomes odd, this is the busy mark. */ 10289 gc_seq = READ_ONCE(nft_net->gc_seq); 10290 WRITE_ONCE(nft_net->gc_seq, ++gc_seq); 10291 10292 return gc_seq; 10293 } 10294 nft_gc_seq_end(struct nftables_pernet * nft_net,unsigned int gc_seq)10295 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq) 10296 { 10297 WRITE_ONCE(nft_net->gc_seq, ++gc_seq); 10298 } 10299 nf_tables_commit(struct net * net,struct sk_buff * skb)10300 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 10301 { 10302 struct nftables_pernet *nft_net = nft_pernet(net); 10303 const struct nlmsghdr *nlh = nlmsg_hdr(skb); 10304 struct nft_trans_binding *trans_binding; 10305 struct nft_trans *trans, *next; 10306 unsigned int base_seq, gc_seq; 10307 LIST_HEAD(set_update_list); 10308 struct nft_trans_elem *te; 10309 struct nft_chain *chain; 10310 struct nft_table *table; 10311 struct nft_ctx ctx; 10312 LIST_HEAD(adl); 10313 int err; 10314 10315 if (list_empty(&nft_net->commit_list)) { 10316 mutex_unlock(&nft_net->commit_mutex); 10317 return 0; 10318 } 10319 10320 nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL); 10321 10322 list_for_each_entry(trans_binding, &nft_net->binding_list, binding_list) { 10323 trans = &trans_binding->nft_trans; 10324 switch (trans->msg_type) { 10325 case NFT_MSG_NEWSET: 10326 if (!nft_trans_set_update(trans) && 10327 nft_set_is_anonymous(nft_trans_set(trans)) && 10328 !nft_trans_set_bound(trans)) { 10329 pr_warn_once("nftables ruleset with unbound set\n"); 10330 return -EINVAL; 10331 } 10332 break; 10333 case NFT_MSG_NEWCHAIN: 10334 if (!nft_trans_chain_update(trans) && 10335 nft_chain_binding(nft_trans_chain(trans)) && 10336 !nft_trans_chain_bound(trans)) { 10337 pr_warn_once("nftables ruleset with unbound chain\n"); 10338 return -EINVAL; 10339 } 10340 break; 10341 default: 10342 WARN_ONCE(1, "Unhandled bind type %d", trans->msg_type); 10343 break; 10344 } 10345 } 10346 10347 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 10348 if (nf_tables_validate(net) < 0) { 10349 nft_net->validate_state = NFT_VALIDATE_DO; 10350 return -EAGAIN; 10351 } 10352 10353 err = nft_flow_rule_offload_commit(net); 10354 if (err < 0) 10355 return err; 10356 10357 /* 1. Allocate space for next generation rules_gen_X[] */ 10358 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 10359 struct nft_table *table = trans->table; 10360 int ret; 10361 10362 ret = nf_tables_commit_audit_alloc(&adl, table); 10363 if (ret) { 10364 nf_tables_commit_chain_prepare_cancel(net); 10365 nf_tables_commit_audit_free(&adl); 10366 return ret; 10367 } 10368 if (trans->msg_type == NFT_MSG_NEWRULE || 10369 trans->msg_type == NFT_MSG_DELRULE) { 10370 chain = nft_trans_rule_chain(trans); 10371 10372 ret = nf_tables_commit_chain_prepare(net, chain); 10373 if (ret < 0) { 10374 nf_tables_commit_chain_prepare_cancel(net); 10375 nf_tables_commit_audit_free(&adl); 10376 return ret; 10377 } 10378 } 10379 } 10380 10381 /* step 2. Make rules_gen_X visible to packet path */ 10382 list_for_each_entry(table, &nft_net->tables, list) { 10383 list_for_each_entry(chain, &table->chains, list) 10384 nf_tables_commit_chain(net, chain); 10385 } 10386 10387 /* 10388 * Bump generation counter, invalidate any dump in progress. 10389 * Cannot fail after this point. 10390 */ 10391 base_seq = READ_ONCE(nft_net->base_seq); 10392 while (++base_seq == 0) 10393 ; 10394 10395 WRITE_ONCE(nft_net->base_seq, base_seq); 10396 10397 gc_seq = nft_gc_seq_begin(nft_net); 10398 10399 /* step 3. Start new generation, rules_gen_X now in use. */ 10400 net->nft.gencursor = nft_gencursor_next(net); 10401 10402 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 10403 struct nft_table *table = trans->table; 10404 10405 nft_ctx_update(&ctx, trans); 10406 10407 nf_tables_commit_audit_collect(&adl, table, trans->msg_type); 10408 switch (trans->msg_type) { 10409 case NFT_MSG_NEWTABLE: 10410 if (nft_trans_table_update(trans)) { 10411 if (!(table->flags & __NFT_TABLE_F_UPDATE)) { 10412 nft_trans_destroy(trans); 10413 break; 10414 } 10415 if (table->flags & NFT_TABLE_F_DORMANT) 10416 nf_tables_table_disable(net, table); 10417 10418 table->flags &= ~__NFT_TABLE_F_UPDATE; 10419 } else { 10420 nft_clear(net, table); 10421 } 10422 nf_tables_table_notify(&ctx, NFT_MSG_NEWTABLE); 10423 nft_trans_destroy(trans); 10424 break; 10425 case NFT_MSG_DELTABLE: 10426 case NFT_MSG_DESTROYTABLE: 10427 list_del_rcu(&table->list); 10428 nf_tables_table_notify(&ctx, trans->msg_type); 10429 break; 10430 case NFT_MSG_NEWCHAIN: 10431 if (nft_trans_chain_update(trans)) { 10432 nft_chain_commit_update(nft_trans_container_chain(trans)); 10433 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, 10434 &nft_trans_chain_hooks(trans)); 10435 list_splice(&nft_trans_chain_hooks(trans), 10436 &nft_trans_basechain(trans)->hook_list); 10437 /* trans destroyed after rcu grace period */ 10438 } else { 10439 nft_chain_commit_drop_policy(nft_trans_container_chain(trans)); 10440 nft_clear(net, nft_trans_chain(trans)); 10441 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL); 10442 nft_trans_destroy(trans); 10443 } 10444 break; 10445 case NFT_MSG_DELCHAIN: 10446 case NFT_MSG_DESTROYCHAIN: 10447 if (nft_trans_chain_update(trans)) { 10448 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN, 10449 &nft_trans_chain_hooks(trans)); 10450 if (!(table->flags & NFT_TABLE_F_DORMANT)) { 10451 nft_netdev_unregister_hooks(net, 10452 &nft_trans_chain_hooks(trans), 10453 true); 10454 } 10455 } else { 10456 nft_chain_del(nft_trans_chain(trans)); 10457 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN, 10458 NULL); 10459 nf_tables_unregister_hook(ctx.net, ctx.table, 10460 nft_trans_chain(trans)); 10461 } 10462 break; 10463 case NFT_MSG_NEWRULE: 10464 nft_clear(net, nft_trans_rule(trans)); 10465 nf_tables_rule_notify(&ctx, nft_trans_rule(trans), 10466 NFT_MSG_NEWRULE); 10467 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 10468 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10469 10470 nft_trans_destroy(trans); 10471 break; 10472 case NFT_MSG_DELRULE: 10473 case NFT_MSG_DESTROYRULE: 10474 list_del_rcu(&nft_trans_rule(trans)->list); 10475 nf_tables_rule_notify(&ctx, nft_trans_rule(trans), 10476 trans->msg_type); 10477 nft_rule_expr_deactivate(&ctx, nft_trans_rule(trans), 10478 NFT_TRANS_COMMIT); 10479 10480 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 10481 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10482 break; 10483 case NFT_MSG_NEWSET: 10484 list_del(&nft_trans_container_set(trans)->list_trans_newset); 10485 if (nft_trans_set_update(trans)) { 10486 struct nft_set *set = nft_trans_set(trans); 10487 10488 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans)); 10489 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans)); 10490 10491 if (nft_trans_set_size(trans)) 10492 WRITE_ONCE(set->size, nft_trans_set_size(trans)); 10493 } else { 10494 nft_clear(net, nft_trans_set(trans)); 10495 /* This avoids hitting -EBUSY when deleting the table 10496 * from the transaction. 10497 */ 10498 if (nft_set_is_anonymous(nft_trans_set(trans)) && 10499 !list_empty(&nft_trans_set(trans)->bindings)) 10500 nft_use_dec(&table->use); 10501 } 10502 nf_tables_set_notify(&ctx, nft_trans_set(trans), 10503 NFT_MSG_NEWSET, GFP_KERNEL); 10504 nft_trans_destroy(trans); 10505 break; 10506 case NFT_MSG_DELSET: 10507 case NFT_MSG_DESTROYSET: 10508 nft_trans_set(trans)->dead = 1; 10509 list_del_rcu(&nft_trans_set(trans)->list); 10510 nf_tables_set_notify(&ctx, nft_trans_set(trans), 10511 trans->msg_type, GFP_KERNEL); 10512 break; 10513 case NFT_MSG_NEWSETELEM: 10514 te = nft_trans_container_elem(trans); 10515 10516 if (te->update_flags) { 10517 const struct nft_set_ext *ext = 10518 nft_set_elem_ext(te->set, te->elem_priv); 10519 10520 if (te->update_flags & NFT_TRANS_UPD_TIMEOUT) { 10521 WRITE_ONCE(nft_set_ext_timeout(ext)->timeout, 10522 te->timeout); 10523 } 10524 if (te->update_flags & NFT_TRANS_UPD_EXPIRATION) { 10525 WRITE_ONCE(nft_set_ext_timeout(ext)->expiration, 10526 get_jiffies_64() + te->expiration); 10527 } 10528 } else { 10529 nft_setelem_activate(net, te->set, te->elem_priv); 10530 } 10531 10532 nf_tables_setelem_notify(&ctx, te->set, 10533 te->elem_priv, 10534 NFT_MSG_NEWSETELEM); 10535 if (te->set->ops->commit && 10536 list_empty(&te->set->pending_update)) { 10537 list_add_tail(&te->set->pending_update, 10538 &set_update_list); 10539 } 10540 nft_trans_destroy(trans); 10541 break; 10542 case NFT_MSG_DELSETELEM: 10543 case NFT_MSG_DESTROYSETELEM: 10544 te = nft_trans_container_elem(trans); 10545 10546 nf_tables_setelem_notify(&ctx, te->set, 10547 te->elem_priv, 10548 trans->msg_type); 10549 nft_setelem_remove(net, te->set, te->elem_priv); 10550 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) { 10551 atomic_dec(&te->set->nelems); 10552 te->set->ndeact--; 10553 } 10554 if (te->set->ops->commit && 10555 list_empty(&te->set->pending_update)) { 10556 list_add_tail(&te->set->pending_update, 10557 &set_update_list); 10558 } 10559 break; 10560 case NFT_MSG_NEWOBJ: 10561 if (nft_trans_obj_update(trans)) { 10562 nft_obj_commit_update(&ctx, trans); 10563 nf_tables_obj_notify(&ctx, 10564 nft_trans_obj(trans), 10565 NFT_MSG_NEWOBJ); 10566 } else { 10567 nft_clear(net, nft_trans_obj(trans)); 10568 nf_tables_obj_notify(&ctx, 10569 nft_trans_obj(trans), 10570 NFT_MSG_NEWOBJ); 10571 nft_trans_destroy(trans); 10572 } 10573 break; 10574 case NFT_MSG_DELOBJ: 10575 case NFT_MSG_DESTROYOBJ: 10576 nft_obj_del(nft_trans_obj(trans)); 10577 nf_tables_obj_notify(&ctx, nft_trans_obj(trans), 10578 trans->msg_type); 10579 break; 10580 case NFT_MSG_NEWFLOWTABLE: 10581 if (nft_trans_flowtable_update(trans)) { 10582 nft_trans_flowtable(trans)->data.flags = 10583 nft_trans_flowtable_flags(trans); 10584 nf_tables_flowtable_notify(&ctx, 10585 nft_trans_flowtable(trans), 10586 &nft_trans_flowtable_hooks(trans), 10587 NFT_MSG_NEWFLOWTABLE); 10588 list_splice(&nft_trans_flowtable_hooks(trans), 10589 &nft_trans_flowtable(trans)->hook_list); 10590 } else { 10591 nft_clear(net, nft_trans_flowtable(trans)); 10592 nf_tables_flowtable_notify(&ctx, 10593 nft_trans_flowtable(trans), 10594 NULL, 10595 NFT_MSG_NEWFLOWTABLE); 10596 } 10597 nft_trans_destroy(trans); 10598 break; 10599 case NFT_MSG_DELFLOWTABLE: 10600 case NFT_MSG_DESTROYFLOWTABLE: 10601 if (nft_trans_flowtable_update(trans)) { 10602 nf_tables_flowtable_notify(&ctx, 10603 nft_trans_flowtable(trans), 10604 &nft_trans_flowtable_hooks(trans), 10605 trans->msg_type); 10606 nft_unregister_flowtable_net_hooks(net, 10607 &nft_trans_flowtable_hooks(trans)); 10608 } else { 10609 list_del_rcu(&nft_trans_flowtable(trans)->list); 10610 nf_tables_flowtable_notify(&ctx, 10611 nft_trans_flowtable(trans), 10612 NULL, 10613 trans->msg_type); 10614 nft_unregister_flowtable_net_hooks(net, 10615 &nft_trans_flowtable(trans)->hook_list); 10616 } 10617 break; 10618 } 10619 } 10620 10621 nft_set_commit_update(&set_update_list); 10622 10623 nft_commit_notify(net, NETLINK_CB(skb).portid); 10624 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 10625 nf_tables_commit_audit_log(&adl, nft_net->base_seq); 10626 10627 nft_gc_seq_end(nft_net, gc_seq); 10628 nft_net->validate_state = NFT_VALIDATE_SKIP; 10629 nf_tables_commit_release(net); 10630 10631 return 0; 10632 } 10633 nf_tables_module_autoload(struct net * net)10634 static void nf_tables_module_autoload(struct net *net) 10635 { 10636 struct nftables_pernet *nft_net = nft_pernet(net); 10637 struct nft_module_request *req, *next; 10638 LIST_HEAD(module_list); 10639 10640 list_splice_init(&nft_net->module_list, &module_list); 10641 mutex_unlock(&nft_net->commit_mutex); 10642 list_for_each_entry_safe(req, next, &module_list, list) { 10643 request_module("%s", req->module); 10644 req->done = true; 10645 } 10646 mutex_lock(&nft_net->commit_mutex); 10647 list_splice(&module_list, &nft_net->module_list); 10648 } 10649 nf_tables_abort_release(struct nft_trans * trans)10650 static void nf_tables_abort_release(struct nft_trans *trans) 10651 { 10652 struct nft_ctx ctx = { }; 10653 10654 nft_ctx_update(&ctx, trans); 10655 10656 switch (trans->msg_type) { 10657 case NFT_MSG_NEWTABLE: 10658 nf_tables_table_destroy(trans->table); 10659 break; 10660 case NFT_MSG_NEWCHAIN: 10661 if (nft_trans_chain_update(trans)) 10662 nft_hooks_destroy(&nft_trans_chain_hooks(trans)); 10663 else 10664 nf_tables_chain_destroy(nft_trans_chain(trans)); 10665 break; 10666 case NFT_MSG_NEWRULE: 10667 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans)); 10668 break; 10669 case NFT_MSG_NEWSET: 10670 nft_set_destroy(&ctx, nft_trans_set(trans)); 10671 break; 10672 case NFT_MSG_NEWSETELEM: 10673 nft_set_elem_destroy(nft_trans_elem_set(trans), 10674 nft_trans_elem_priv(trans), true); 10675 break; 10676 case NFT_MSG_NEWOBJ: 10677 nft_obj_destroy(&ctx, nft_trans_obj(trans)); 10678 break; 10679 case NFT_MSG_NEWFLOWTABLE: 10680 if (nft_trans_flowtable_update(trans)) 10681 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 10682 else 10683 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 10684 break; 10685 } 10686 kfree(trans); 10687 } 10688 nft_set_abort_update(struct list_head * set_update_list)10689 static void nft_set_abort_update(struct list_head *set_update_list) 10690 { 10691 struct nft_set *set, *next; 10692 10693 list_for_each_entry_safe(set, next, set_update_list, pending_update) { 10694 list_del_init(&set->pending_update); 10695 10696 if (!set->ops->abort) 10697 continue; 10698 10699 set->ops->abort(set); 10700 } 10701 } 10702 __nf_tables_abort(struct net * net,enum nfnl_abort_action action)10703 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) 10704 { 10705 struct nftables_pernet *nft_net = nft_pernet(net); 10706 struct nft_trans *trans, *next; 10707 LIST_HEAD(set_update_list); 10708 struct nft_trans_elem *te; 10709 struct nft_ctx ctx = { 10710 .net = net, 10711 }; 10712 int err = 0; 10713 10714 if (action == NFNL_ABORT_VALIDATE && 10715 nf_tables_validate(net) < 0) 10716 err = -EAGAIN; 10717 10718 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, 10719 list) { 10720 struct nft_table *table = trans->table; 10721 10722 nft_ctx_update(&ctx, trans); 10723 10724 switch (trans->msg_type) { 10725 case NFT_MSG_NEWTABLE: 10726 if (nft_trans_table_update(trans)) { 10727 if (!(table->flags & __NFT_TABLE_F_UPDATE)) { 10728 nft_trans_destroy(trans); 10729 break; 10730 } 10731 if (table->flags & __NFT_TABLE_F_WAS_DORMANT) { 10732 nf_tables_table_disable(net, table); 10733 table->flags |= NFT_TABLE_F_DORMANT; 10734 } else if (table->flags & __NFT_TABLE_F_WAS_AWAKEN) { 10735 table->flags &= ~NFT_TABLE_F_DORMANT; 10736 } 10737 if (table->flags & __NFT_TABLE_F_WAS_ORPHAN) { 10738 table->flags &= ~NFT_TABLE_F_OWNER; 10739 table->nlpid = 0; 10740 } 10741 table->flags &= ~__NFT_TABLE_F_UPDATE; 10742 nft_trans_destroy(trans); 10743 } else { 10744 list_del_rcu(&table->list); 10745 } 10746 break; 10747 case NFT_MSG_DELTABLE: 10748 case NFT_MSG_DESTROYTABLE: 10749 nft_clear(trans->net, table); 10750 nft_trans_destroy(trans); 10751 break; 10752 case NFT_MSG_NEWCHAIN: 10753 if (nft_trans_chain_update(trans)) { 10754 if (!(table->flags & NFT_TABLE_F_DORMANT)) { 10755 nft_netdev_unregister_hooks(net, 10756 &nft_trans_chain_hooks(trans), 10757 true); 10758 } 10759 free_percpu(nft_trans_chain_stats(trans)); 10760 kfree(nft_trans_chain_name(trans)); 10761 nft_trans_destroy(trans); 10762 } else { 10763 if (nft_trans_chain_bound(trans)) { 10764 nft_trans_destroy(trans); 10765 break; 10766 } 10767 nft_use_dec_restore(&table->use); 10768 nft_chain_del(nft_trans_chain(trans)); 10769 nf_tables_unregister_hook(trans->net, table, 10770 nft_trans_chain(trans)); 10771 } 10772 break; 10773 case NFT_MSG_DELCHAIN: 10774 case NFT_MSG_DESTROYCHAIN: 10775 if (nft_trans_chain_update(trans)) { 10776 list_splice(&nft_trans_chain_hooks(trans), 10777 &nft_trans_basechain(trans)->hook_list); 10778 } else { 10779 nft_use_inc_restore(&table->use); 10780 nft_clear(trans->net, nft_trans_chain(trans)); 10781 } 10782 nft_trans_destroy(trans); 10783 break; 10784 case NFT_MSG_NEWRULE: 10785 if (nft_trans_rule_bound(trans)) { 10786 nft_trans_destroy(trans); 10787 break; 10788 } 10789 nft_use_dec_restore(&nft_trans_rule_chain(trans)->use); 10790 list_del_rcu(&nft_trans_rule(trans)->list); 10791 nft_rule_expr_deactivate(&ctx, 10792 nft_trans_rule(trans), 10793 NFT_TRANS_ABORT); 10794 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 10795 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10796 break; 10797 case NFT_MSG_DELRULE: 10798 case NFT_MSG_DESTROYRULE: 10799 nft_use_inc_restore(&nft_trans_rule_chain(trans)->use); 10800 nft_clear(trans->net, nft_trans_rule(trans)); 10801 nft_rule_expr_activate(&ctx, nft_trans_rule(trans)); 10802 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 10803 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 10804 10805 nft_trans_destroy(trans); 10806 break; 10807 case NFT_MSG_NEWSET: 10808 list_del(&nft_trans_container_set(trans)->list_trans_newset); 10809 if (nft_trans_set_update(trans)) { 10810 nft_trans_destroy(trans); 10811 break; 10812 } 10813 nft_use_dec_restore(&table->use); 10814 if (nft_trans_set_bound(trans)) { 10815 nft_trans_destroy(trans); 10816 break; 10817 } 10818 nft_trans_set(trans)->dead = 1; 10819 list_del_rcu(&nft_trans_set(trans)->list); 10820 break; 10821 case NFT_MSG_DELSET: 10822 case NFT_MSG_DESTROYSET: 10823 nft_use_inc_restore(&table->use); 10824 nft_clear(trans->net, nft_trans_set(trans)); 10825 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 10826 nft_map_activate(&ctx, nft_trans_set(trans)); 10827 10828 nft_trans_destroy(trans); 10829 break; 10830 case NFT_MSG_NEWSETELEM: 10831 if (nft_trans_elem_update_flags(trans) || 10832 nft_trans_elem_set_bound(trans)) { 10833 nft_trans_destroy(trans); 10834 break; 10835 } 10836 te = nft_trans_container_elem(trans); 10837 if (!te->set->ops->abort || 10838 nft_setelem_is_catchall(te->set, te->elem_priv)) 10839 nft_setelem_remove(net, te->set, te->elem_priv); 10840 10841 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) 10842 atomic_dec(&te->set->nelems); 10843 10844 if (te->set->ops->abort && 10845 list_empty(&te->set->pending_update)) { 10846 list_add_tail(&te->set->pending_update, 10847 &set_update_list); 10848 } 10849 break; 10850 case NFT_MSG_DELSETELEM: 10851 case NFT_MSG_DESTROYSETELEM: 10852 te = nft_trans_container_elem(trans); 10853 10854 if (!nft_setelem_active_next(net, te->set, te->elem_priv)) { 10855 nft_setelem_data_activate(net, te->set, te->elem_priv); 10856 nft_setelem_activate(net, te->set, te->elem_priv); 10857 } 10858 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) 10859 te->set->ndeact--; 10860 10861 if (te->set->ops->abort && 10862 list_empty(&te->set->pending_update)) { 10863 list_add_tail(&te->set->pending_update, 10864 &set_update_list); 10865 } 10866 nft_trans_destroy(trans); 10867 break; 10868 case NFT_MSG_NEWOBJ: 10869 if (nft_trans_obj_update(trans)) { 10870 nft_obj_destroy(&ctx, nft_trans_obj_newobj(trans)); 10871 nft_trans_destroy(trans); 10872 } else { 10873 nft_use_dec_restore(&table->use); 10874 nft_obj_del(nft_trans_obj(trans)); 10875 } 10876 break; 10877 case NFT_MSG_DELOBJ: 10878 case NFT_MSG_DESTROYOBJ: 10879 nft_use_inc_restore(&table->use); 10880 nft_clear(trans->net, nft_trans_obj(trans)); 10881 nft_trans_destroy(trans); 10882 break; 10883 case NFT_MSG_NEWFLOWTABLE: 10884 if (nft_trans_flowtable_update(trans)) { 10885 nft_unregister_flowtable_net_hooks(net, 10886 &nft_trans_flowtable_hooks(trans)); 10887 } else { 10888 nft_use_dec_restore(&table->use); 10889 list_del_rcu(&nft_trans_flowtable(trans)->list); 10890 nft_unregister_flowtable_net_hooks(net, 10891 &nft_trans_flowtable(trans)->hook_list); 10892 } 10893 break; 10894 case NFT_MSG_DELFLOWTABLE: 10895 case NFT_MSG_DESTROYFLOWTABLE: 10896 if (nft_trans_flowtable_update(trans)) { 10897 list_splice(&nft_trans_flowtable_hooks(trans), 10898 &nft_trans_flowtable(trans)->hook_list); 10899 } else { 10900 nft_use_inc_restore(&table->use); 10901 nft_clear(trans->net, nft_trans_flowtable(trans)); 10902 } 10903 nft_trans_destroy(trans); 10904 break; 10905 } 10906 } 10907 10908 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list)); 10909 10910 nft_set_abort_update(&set_update_list); 10911 10912 synchronize_rcu(); 10913 10914 list_for_each_entry_safe_reverse(trans, next, 10915 &nft_net->commit_list, list) { 10916 nft_trans_list_del(trans); 10917 nf_tables_abort_release(trans); 10918 } 10919 10920 return err; 10921 } 10922 nf_tables_abort(struct net * net,struct sk_buff * skb,enum nfnl_abort_action action)10923 static int nf_tables_abort(struct net *net, struct sk_buff *skb, 10924 enum nfnl_abort_action action) 10925 { 10926 struct nftables_pernet *nft_net = nft_pernet(net); 10927 unsigned int gc_seq; 10928 int ret; 10929 10930 gc_seq = nft_gc_seq_begin(nft_net); 10931 ret = __nf_tables_abort(net, action); 10932 nft_gc_seq_end(nft_net, gc_seq); 10933 10934 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 10935 10936 /* module autoload needs to happen after GC sequence update because it 10937 * temporarily releases and grabs mutex again. 10938 */ 10939 if (action == NFNL_ABORT_AUTOLOAD) 10940 nf_tables_module_autoload(net); 10941 else 10942 nf_tables_module_autoload_cleanup(net); 10943 10944 mutex_unlock(&nft_net->commit_mutex); 10945 10946 return ret; 10947 } 10948 nf_tables_valid_genid(struct net * net,u32 genid)10949 static bool nf_tables_valid_genid(struct net *net, u32 genid) 10950 { 10951 struct nftables_pernet *nft_net = nft_pernet(net); 10952 bool genid_ok; 10953 10954 mutex_lock(&nft_net->commit_mutex); 10955 nft_net->tstamp = get_jiffies_64(); 10956 10957 genid_ok = genid == 0 || nft_net->base_seq == genid; 10958 if (!genid_ok) 10959 mutex_unlock(&nft_net->commit_mutex); 10960 10961 /* else, commit mutex has to be released by commit or abort function */ 10962 return genid_ok; 10963 } 10964 10965 static const struct nfnetlink_subsystem nf_tables_subsys = { 10966 .name = "nf_tables", 10967 .subsys_id = NFNL_SUBSYS_NFTABLES, 10968 .cb_count = NFT_MSG_MAX, 10969 .cb = nf_tables_cb, 10970 .commit = nf_tables_commit, 10971 .abort = nf_tables_abort, 10972 .valid_genid = nf_tables_valid_genid, 10973 .owner = THIS_MODULE, 10974 }; 10975 nft_chain_validate_dependency(const struct nft_chain * chain,enum nft_chain_types type)10976 int nft_chain_validate_dependency(const struct nft_chain *chain, 10977 enum nft_chain_types type) 10978 { 10979 const struct nft_base_chain *basechain; 10980 10981 if (nft_is_base_chain(chain)) { 10982 basechain = nft_base_chain(chain); 10983 if (basechain->type->type != type) 10984 return -EOPNOTSUPP; 10985 } 10986 return 0; 10987 } 10988 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 10989 nft_chain_validate_hooks(const struct nft_chain * chain,unsigned int hook_flags)10990 int nft_chain_validate_hooks(const struct nft_chain *chain, 10991 unsigned int hook_flags) 10992 { 10993 struct nft_base_chain *basechain; 10994 10995 if (nft_is_base_chain(chain)) { 10996 basechain = nft_base_chain(chain); 10997 10998 if ((1 << basechain->ops.hooknum) & hook_flags) 10999 return 0; 11000 11001 return -EOPNOTSUPP; 11002 } 11003 11004 return 0; 11005 } 11006 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 11007 11008 /** 11009 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 11010 * 11011 * @attr: netlink attribute to fetch value from 11012 * @max: maximum value to be stored in dest 11013 * @dest: pointer to the variable 11014 * 11015 * Parse, check and store a given u32 netlink attribute into variable. 11016 * This function returns -ERANGE if the value goes over maximum value. 11017 * Otherwise a 0 is returned and the attribute value is stored in the 11018 * destination variable. 11019 */ nft_parse_u32_check(const struct nlattr * attr,int max,u32 * dest)11020 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 11021 { 11022 u32 val; 11023 11024 val = ntohl(nla_get_be32(attr)); 11025 if (val > max) 11026 return -ERANGE; 11027 11028 *dest = val; 11029 return 0; 11030 } 11031 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 11032 nft_parse_register(const struct nlattr * attr,u32 * preg)11033 static int nft_parse_register(const struct nlattr *attr, u32 *preg) 11034 { 11035 unsigned int reg; 11036 11037 reg = ntohl(nla_get_be32(attr)); 11038 switch (reg) { 11039 case NFT_REG_VERDICT...NFT_REG_4: 11040 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE; 11041 break; 11042 case NFT_REG32_00...NFT_REG32_15: 11043 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 11044 break; 11045 default: 11046 return -ERANGE; 11047 } 11048 11049 return 0; 11050 } 11051 11052 /** 11053 * nft_dump_register - dump a register value to a netlink attribute 11054 * 11055 * @skb: socket buffer 11056 * @attr: attribute number 11057 * @reg: register number 11058 * 11059 * Construct a netlink attribute containing the register number. For 11060 * compatibility reasons, register numbers being a multiple of 4 are 11061 * translated to the corresponding 128 bit register numbers. 11062 */ nft_dump_register(struct sk_buff * skb,unsigned int attr,unsigned int reg)11063 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 11064 { 11065 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 11066 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 11067 else 11068 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 11069 11070 return nla_put_be32(skb, attr, htonl(reg)); 11071 } 11072 EXPORT_SYMBOL_GPL(nft_dump_register); 11073 nft_validate_register_load(enum nft_registers reg,unsigned int len)11074 static int nft_validate_register_load(enum nft_registers reg, unsigned int len) 11075 { 11076 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 11077 return -EINVAL; 11078 if (len == 0) 11079 return -EINVAL; 11080 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 11081 return -ERANGE; 11082 11083 return 0; 11084 } 11085 nft_parse_register_load(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * sreg,u32 len)11086 int nft_parse_register_load(const struct nft_ctx *ctx, 11087 const struct nlattr *attr, u8 *sreg, u32 len) 11088 { 11089 int err, invalid_reg; 11090 u32 reg, next_register; 11091 11092 err = nft_parse_register(attr, ®); 11093 if (err < 0) 11094 return err; 11095 11096 err = nft_validate_register_load(reg, len); 11097 if (err < 0) 11098 return err; 11099 11100 next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg; 11101 11102 /* Can't happen: nft_validate_register_load() should have failed */ 11103 if (WARN_ON_ONCE(next_register > NFT_REG32_NUM)) 11104 return -EINVAL; 11105 11106 /* find first register that did not see an earlier store. */ 11107 invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg); 11108 11109 /* invalid register within the range that we're loading from? */ 11110 if (invalid_reg < next_register) 11111 return -ENODATA; 11112 11113 *sreg = reg; 11114 return 0; 11115 } 11116 EXPORT_SYMBOL_GPL(nft_parse_register_load); 11117 nft_saw_register_store(const struct nft_ctx * __ctx,int reg,unsigned int len)11118 static void nft_saw_register_store(const struct nft_ctx *__ctx, 11119 int reg, unsigned int len) 11120 { 11121 unsigned int registers = DIV_ROUND_UP(len, NFT_REG32_SIZE); 11122 struct nft_ctx *ctx = (struct nft_ctx *)__ctx; 11123 11124 if (WARN_ON_ONCE(len == 0 || reg < 0)) 11125 return; 11126 11127 bitmap_set(ctx->reg_inited, reg, registers); 11128 } 11129 nft_validate_register_store(const struct nft_ctx * ctx,enum nft_registers reg,const struct nft_data * data,enum nft_data_types type,unsigned int len)11130 static int nft_validate_register_store(const struct nft_ctx *ctx, 11131 enum nft_registers reg, 11132 const struct nft_data *data, 11133 enum nft_data_types type, 11134 unsigned int len) 11135 { 11136 int err; 11137 11138 switch (reg) { 11139 case NFT_REG_VERDICT: 11140 if (type != NFT_DATA_VERDICT) 11141 return -EINVAL; 11142 11143 if (data != NULL && 11144 (data->verdict.code == NFT_GOTO || 11145 data->verdict.code == NFT_JUMP)) { 11146 err = nft_chain_validate(ctx, data->verdict.chain); 11147 if (err < 0) 11148 return err; 11149 } 11150 11151 break; 11152 default: 11153 if (type != NFT_DATA_VALUE) 11154 return -EINVAL; 11155 11156 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 11157 return -EINVAL; 11158 if (len == 0) 11159 return -EINVAL; 11160 if (reg * NFT_REG32_SIZE + len > 11161 sizeof_field(struct nft_regs, data)) 11162 return -ERANGE; 11163 11164 break; 11165 } 11166 11167 nft_saw_register_store(ctx, reg, len); 11168 return 0; 11169 } 11170 nft_parse_register_store(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * dreg,const struct nft_data * data,enum nft_data_types type,unsigned int len)11171 int nft_parse_register_store(const struct nft_ctx *ctx, 11172 const struct nlattr *attr, u8 *dreg, 11173 const struct nft_data *data, 11174 enum nft_data_types type, unsigned int len) 11175 { 11176 int err; 11177 u32 reg; 11178 11179 err = nft_parse_register(attr, ®); 11180 if (err < 0) 11181 return err; 11182 11183 err = nft_validate_register_store(ctx, reg, data, type, len); 11184 if (err < 0) 11185 return err; 11186 11187 *dreg = reg; 11188 return 0; 11189 } 11190 EXPORT_SYMBOL_GPL(nft_parse_register_store); 11191 11192 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 11193 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 11194 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 11195 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 11196 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 }, 11197 }; 11198 nft_verdict_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11199 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 11200 struct nft_data_desc *desc, const struct nlattr *nla) 11201 { 11202 u8 genmask = nft_genmask_next(ctx->net); 11203 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 11204 struct nft_chain *chain; 11205 int err; 11206 11207 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 11208 nft_verdict_policy, NULL); 11209 if (err < 0) 11210 return err; 11211 11212 if (!tb[NFTA_VERDICT_CODE]) 11213 return -EINVAL; 11214 11215 /* zero padding hole for memcmp */ 11216 memset(data, 0, sizeof(*data)); 11217 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 11218 11219 switch (data->verdict.code) { 11220 case NF_ACCEPT: 11221 case NF_DROP: 11222 case NF_QUEUE: 11223 break; 11224 case NFT_CONTINUE: 11225 case NFT_BREAK: 11226 case NFT_RETURN: 11227 break; 11228 case NFT_JUMP: 11229 case NFT_GOTO: 11230 if (tb[NFTA_VERDICT_CHAIN]) { 11231 chain = nft_chain_lookup(ctx->net, ctx->table, 11232 tb[NFTA_VERDICT_CHAIN], 11233 genmask); 11234 } else if (tb[NFTA_VERDICT_CHAIN_ID]) { 11235 chain = nft_chain_lookup_byid(ctx->net, ctx->table, 11236 tb[NFTA_VERDICT_CHAIN_ID], 11237 genmask); 11238 if (IS_ERR(chain)) 11239 return PTR_ERR(chain); 11240 } else { 11241 return -EINVAL; 11242 } 11243 11244 if (IS_ERR(chain)) 11245 return PTR_ERR(chain); 11246 if (nft_is_base_chain(chain)) 11247 return -EOPNOTSUPP; 11248 if (nft_chain_is_bound(chain)) 11249 return -EINVAL; 11250 if (desc->flags & NFT_DATA_DESC_SETELEM && 11251 chain->flags & NFT_CHAIN_BINDING) 11252 return -EINVAL; 11253 if (!nft_use_inc(&chain->use)) 11254 return -EMFILE; 11255 11256 data->verdict.chain = chain; 11257 break; 11258 default: 11259 return -EINVAL; 11260 } 11261 11262 desc->len = sizeof(data->verdict); 11263 11264 return 0; 11265 } 11266 nft_verdict_uninit(const struct nft_data * data)11267 static void nft_verdict_uninit(const struct nft_data *data) 11268 { 11269 struct nft_chain *chain; 11270 11271 switch (data->verdict.code) { 11272 case NFT_JUMP: 11273 case NFT_GOTO: 11274 chain = data->verdict.chain; 11275 nft_use_dec(&chain->use); 11276 break; 11277 } 11278 } 11279 nft_verdict_dump(struct sk_buff * skb,int type,const struct nft_verdict * v)11280 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 11281 { 11282 struct nlattr *nest; 11283 11284 nest = nla_nest_start_noflag(skb, type); 11285 if (!nest) 11286 goto nla_put_failure; 11287 11288 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 11289 goto nla_put_failure; 11290 11291 switch (v->code) { 11292 case NFT_JUMP: 11293 case NFT_GOTO: 11294 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 11295 v->chain->name)) 11296 goto nla_put_failure; 11297 } 11298 nla_nest_end(skb, nest); 11299 return 0; 11300 11301 nla_put_failure: 11302 return -1; 11303 } 11304 nft_value_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11305 static int nft_value_init(const struct nft_ctx *ctx, 11306 struct nft_data *data, struct nft_data_desc *desc, 11307 const struct nlattr *nla) 11308 { 11309 unsigned int len; 11310 11311 len = nla_len(nla); 11312 if (len == 0) 11313 return -EINVAL; 11314 if (len > desc->size) 11315 return -EOVERFLOW; 11316 if (desc->len) { 11317 if (len != desc->len) 11318 return -EINVAL; 11319 } else { 11320 desc->len = len; 11321 } 11322 11323 nla_memcpy(data->data, nla, len); 11324 11325 return 0; 11326 } 11327 nft_value_dump(struct sk_buff * skb,const struct nft_data * data,unsigned int len)11328 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 11329 unsigned int len) 11330 { 11331 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 11332 } 11333 11334 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 11335 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 11336 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 11337 }; 11338 11339 /** 11340 * nft_data_init - parse nf_tables data netlink attributes 11341 * 11342 * @ctx: context of the expression using the data 11343 * @data: destination struct nft_data 11344 * @desc: data description 11345 * @nla: netlink attribute containing data 11346 * 11347 * Parse the netlink data attributes and initialize a struct nft_data. 11348 * The type and length of data are returned in the data description. 11349 * 11350 * The caller can indicate that it only wants to accept data of type 11351 * NFT_DATA_VALUE by passing NULL for the ctx argument. 11352 */ nft_data_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11353 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, 11354 struct nft_data_desc *desc, const struct nlattr *nla) 11355 { 11356 struct nlattr *tb[NFTA_DATA_MAX + 1]; 11357 int err; 11358 11359 if (WARN_ON_ONCE(!desc->size)) 11360 return -EINVAL; 11361 11362 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 11363 nft_data_policy, NULL); 11364 if (err < 0) 11365 return err; 11366 11367 if (tb[NFTA_DATA_VALUE]) { 11368 if (desc->type != NFT_DATA_VALUE) 11369 return -EINVAL; 11370 11371 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]); 11372 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) { 11373 if (desc->type != NFT_DATA_VERDICT) 11374 return -EINVAL; 11375 11376 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 11377 } else { 11378 err = -EINVAL; 11379 } 11380 11381 return err; 11382 } 11383 EXPORT_SYMBOL_GPL(nft_data_init); 11384 11385 /** 11386 * nft_data_release - release a nft_data item 11387 * 11388 * @data: struct nft_data to release 11389 * @type: type of data 11390 * 11391 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 11392 * all others need to be released by calling this function. 11393 */ nft_data_release(const struct nft_data * data,enum nft_data_types type)11394 void nft_data_release(const struct nft_data *data, enum nft_data_types type) 11395 { 11396 if (type < NFT_DATA_VERDICT) 11397 return; 11398 switch (type) { 11399 case NFT_DATA_VERDICT: 11400 return nft_verdict_uninit(data); 11401 default: 11402 WARN_ON(1); 11403 } 11404 } 11405 EXPORT_SYMBOL_GPL(nft_data_release); 11406 nft_data_dump(struct sk_buff * skb,int attr,const struct nft_data * data,enum nft_data_types type,unsigned int len)11407 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 11408 enum nft_data_types type, unsigned int len) 11409 { 11410 struct nlattr *nest; 11411 int err; 11412 11413 nest = nla_nest_start_noflag(skb, attr); 11414 if (nest == NULL) 11415 return -1; 11416 11417 switch (type) { 11418 case NFT_DATA_VALUE: 11419 err = nft_value_dump(skb, data, len); 11420 break; 11421 case NFT_DATA_VERDICT: 11422 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 11423 break; 11424 default: 11425 err = -EINVAL; 11426 WARN_ON(1); 11427 } 11428 11429 nla_nest_end(skb, nest); 11430 return err; 11431 } 11432 EXPORT_SYMBOL_GPL(nft_data_dump); 11433 __nft_release_basechain_now(struct nft_ctx * ctx)11434 static void __nft_release_basechain_now(struct nft_ctx *ctx) 11435 { 11436 struct nft_rule *rule, *nr; 11437 11438 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { 11439 list_del(&rule->list); 11440 nf_tables_rule_release(ctx, rule); 11441 } 11442 nf_tables_chain_destroy(ctx->chain); 11443 } 11444 nft_release_basechain_rcu(struct rcu_head * head)11445 static void nft_release_basechain_rcu(struct rcu_head *head) 11446 { 11447 struct nft_chain *chain = container_of(head, struct nft_chain, rcu_head); 11448 struct nft_ctx ctx = { 11449 .family = chain->table->family, 11450 .chain = chain, 11451 .net = read_pnet(&chain->table->net), 11452 }; 11453 11454 __nft_release_basechain_now(&ctx); 11455 put_net(ctx.net); 11456 } 11457 __nft_release_basechain(struct nft_ctx * ctx)11458 int __nft_release_basechain(struct nft_ctx *ctx) 11459 { 11460 struct nft_rule *rule; 11461 11462 if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain))) 11463 return 0; 11464 11465 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); 11466 list_for_each_entry(rule, &ctx->chain->rules, list) 11467 nft_use_dec(&ctx->chain->use); 11468 11469 nft_chain_del(ctx->chain); 11470 nft_use_dec(&ctx->table->use); 11471 11472 if (maybe_get_net(ctx->net)) 11473 call_rcu(&ctx->chain->rcu_head, nft_release_basechain_rcu); 11474 else 11475 __nft_release_basechain_now(ctx); 11476 11477 return 0; 11478 } 11479 EXPORT_SYMBOL_GPL(__nft_release_basechain); 11480 __nft_release_hook(struct net * net,struct nft_table * table)11481 static void __nft_release_hook(struct net *net, struct nft_table *table) 11482 { 11483 struct nft_flowtable *flowtable; 11484 struct nft_chain *chain; 11485 11486 list_for_each_entry(chain, &table->chains, list) 11487 __nf_tables_unregister_hook(net, table, chain, true); 11488 list_for_each_entry(flowtable, &table->flowtables, list) 11489 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list, 11490 true); 11491 } 11492 __nft_release_hooks(struct net * net)11493 static void __nft_release_hooks(struct net *net) 11494 { 11495 struct nftables_pernet *nft_net = nft_pernet(net); 11496 struct nft_table *table; 11497 11498 list_for_each_entry(table, &nft_net->tables, list) { 11499 if (nft_table_has_owner(table)) 11500 continue; 11501 11502 __nft_release_hook(net, table); 11503 } 11504 } 11505 __nft_release_table(struct net * net,struct nft_table * table)11506 static void __nft_release_table(struct net *net, struct nft_table *table) 11507 { 11508 struct nft_flowtable *flowtable, *nf; 11509 struct nft_chain *chain, *nc; 11510 struct nft_object *obj, *ne; 11511 struct nft_rule *rule, *nr; 11512 struct nft_set *set, *ns; 11513 struct nft_ctx ctx = { 11514 .net = net, 11515 .family = NFPROTO_NETDEV, 11516 }; 11517 11518 ctx.family = table->family; 11519 ctx.table = table; 11520 list_for_each_entry(chain, &table->chains, list) { 11521 if (nft_chain_binding(chain)) 11522 continue; 11523 11524 ctx.chain = chain; 11525 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 11526 list_del(&rule->list); 11527 nft_use_dec(&chain->use); 11528 nf_tables_rule_release(&ctx, rule); 11529 } 11530 } 11531 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 11532 list_del(&flowtable->list); 11533 nft_use_dec(&table->use); 11534 nf_tables_flowtable_destroy(flowtable); 11535 } 11536 list_for_each_entry_safe(set, ns, &table->sets, list) { 11537 list_del(&set->list); 11538 nft_use_dec(&table->use); 11539 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 11540 nft_map_deactivate(&ctx, set); 11541 11542 nft_set_destroy(&ctx, set); 11543 } 11544 list_for_each_entry_safe(obj, ne, &table->objects, list) { 11545 nft_obj_del(obj); 11546 nft_use_dec(&table->use); 11547 nft_obj_destroy(&ctx, obj); 11548 } 11549 list_for_each_entry_safe(chain, nc, &table->chains, list) { 11550 nft_chain_del(chain); 11551 nft_use_dec(&table->use); 11552 nf_tables_chain_destroy(chain); 11553 } 11554 nf_tables_table_destroy(table); 11555 } 11556 __nft_release_tables(struct net * net)11557 static void __nft_release_tables(struct net *net) 11558 { 11559 struct nftables_pernet *nft_net = nft_pernet(net); 11560 struct nft_table *table, *nt; 11561 11562 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 11563 if (nft_table_has_owner(table)) 11564 continue; 11565 11566 list_del(&table->list); 11567 11568 __nft_release_table(net, table); 11569 } 11570 } 11571 nft_rcv_nl_event(struct notifier_block * this,unsigned long event,void * ptr)11572 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, 11573 void *ptr) 11574 { 11575 struct nft_table *table, *to_delete[8]; 11576 struct nftables_pernet *nft_net; 11577 struct netlink_notify *n = ptr; 11578 struct net *net = n->net; 11579 unsigned int deleted; 11580 bool restart = false; 11581 unsigned int gc_seq; 11582 11583 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER) 11584 return NOTIFY_DONE; 11585 11586 nft_net = nft_pernet(net); 11587 deleted = 0; 11588 mutex_lock(&nft_net->commit_mutex); 11589 11590 gc_seq = nft_gc_seq_begin(nft_net); 11591 11592 nf_tables_trans_destroy_flush_work(); 11593 again: 11594 list_for_each_entry(table, &nft_net->tables, list) { 11595 if (nft_table_has_owner(table) && 11596 n->portid == table->nlpid) { 11597 if (table->flags & NFT_TABLE_F_PERSIST) { 11598 table->flags &= ~NFT_TABLE_F_OWNER; 11599 continue; 11600 } 11601 __nft_release_hook(net, table); 11602 list_del_rcu(&table->list); 11603 to_delete[deleted++] = table; 11604 if (deleted >= ARRAY_SIZE(to_delete)) 11605 break; 11606 } 11607 } 11608 if (deleted) { 11609 restart = deleted >= ARRAY_SIZE(to_delete); 11610 synchronize_rcu(); 11611 while (deleted) 11612 __nft_release_table(net, to_delete[--deleted]); 11613 11614 if (restart) 11615 goto again; 11616 } 11617 nft_gc_seq_end(nft_net, gc_seq); 11618 11619 mutex_unlock(&nft_net->commit_mutex); 11620 11621 return NOTIFY_DONE; 11622 } 11623 11624 static struct notifier_block nft_nl_notifier = { 11625 .notifier_call = nft_rcv_nl_event, 11626 }; 11627 nf_tables_init_net(struct net * net)11628 static int __net_init nf_tables_init_net(struct net *net) 11629 { 11630 struct nftables_pernet *nft_net = nft_pernet(net); 11631 11632 INIT_LIST_HEAD(&nft_net->tables); 11633 INIT_LIST_HEAD(&nft_net->commit_list); 11634 INIT_LIST_HEAD(&nft_net->commit_set_list); 11635 INIT_LIST_HEAD(&nft_net->binding_list); 11636 INIT_LIST_HEAD(&nft_net->module_list); 11637 INIT_LIST_HEAD(&nft_net->notify_list); 11638 mutex_init(&nft_net->commit_mutex); 11639 nft_net->base_seq = 1; 11640 nft_net->gc_seq = 0; 11641 nft_net->validate_state = NFT_VALIDATE_SKIP; 11642 11643 return 0; 11644 } 11645 nf_tables_pre_exit_net(struct net * net)11646 static void __net_exit nf_tables_pre_exit_net(struct net *net) 11647 { 11648 struct nftables_pernet *nft_net = nft_pernet(net); 11649 11650 mutex_lock(&nft_net->commit_mutex); 11651 __nft_release_hooks(net); 11652 mutex_unlock(&nft_net->commit_mutex); 11653 } 11654 nf_tables_exit_net(struct net * net)11655 static void __net_exit nf_tables_exit_net(struct net *net) 11656 { 11657 struct nftables_pernet *nft_net = nft_pernet(net); 11658 unsigned int gc_seq; 11659 11660 mutex_lock(&nft_net->commit_mutex); 11661 11662 gc_seq = nft_gc_seq_begin(nft_net); 11663 11664 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 11665 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list)); 11666 11667 if (!list_empty(&nft_net->module_list)) 11668 nf_tables_module_autoload_cleanup(net); 11669 11670 __nft_release_tables(net); 11671 11672 nft_gc_seq_end(nft_net, gc_seq); 11673 11674 mutex_unlock(&nft_net->commit_mutex); 11675 WARN_ON_ONCE(!list_empty(&nft_net->tables)); 11676 WARN_ON_ONCE(!list_empty(&nft_net->module_list)); 11677 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 11678 } 11679 nf_tables_exit_batch(struct list_head * net_exit_list)11680 static void nf_tables_exit_batch(struct list_head *net_exit_list) 11681 { 11682 flush_work(&trans_gc_work); 11683 } 11684 11685 static struct pernet_operations nf_tables_net_ops = { 11686 .init = nf_tables_init_net, 11687 .pre_exit = nf_tables_pre_exit_net, 11688 .exit = nf_tables_exit_net, 11689 .exit_batch = nf_tables_exit_batch, 11690 .id = &nf_tables_net_id, 11691 .size = sizeof(struct nftables_pernet), 11692 }; 11693 nf_tables_module_init(void)11694 static int __init nf_tables_module_init(void) 11695 { 11696 int err; 11697 11698 BUILD_BUG_ON(offsetof(struct nft_trans_table, nft_trans) != 0); 11699 BUILD_BUG_ON(offsetof(struct nft_trans_chain, nft_trans_binding.nft_trans) != 0); 11700 BUILD_BUG_ON(offsetof(struct nft_trans_rule, nft_trans) != 0); 11701 BUILD_BUG_ON(offsetof(struct nft_trans_set, nft_trans_binding.nft_trans) != 0); 11702 BUILD_BUG_ON(offsetof(struct nft_trans_elem, nft_trans) != 0); 11703 BUILD_BUG_ON(offsetof(struct nft_trans_obj, nft_trans) != 0); 11704 BUILD_BUG_ON(offsetof(struct nft_trans_flowtable, nft_trans) != 0); 11705 11706 err = register_pernet_subsys(&nf_tables_net_ops); 11707 if (err < 0) 11708 return err; 11709 11710 err = nft_chain_filter_init(); 11711 if (err < 0) 11712 goto err_chain_filter; 11713 11714 err = nf_tables_core_module_init(); 11715 if (err < 0) 11716 goto err_core_module; 11717 11718 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 11719 if (err < 0) 11720 goto err_netdev_notifier; 11721 11722 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 11723 if (err < 0) 11724 goto err_rht_objname; 11725 11726 err = nft_offload_init(); 11727 if (err < 0) 11728 goto err_offload; 11729 11730 err = netlink_register_notifier(&nft_nl_notifier); 11731 if (err < 0) 11732 goto err_netlink_notifier; 11733 11734 /* must be last */ 11735 err = nfnetlink_subsys_register(&nf_tables_subsys); 11736 if (err < 0) 11737 goto err_nfnl_subsys; 11738 11739 nft_chain_route_init(); 11740 11741 return err; 11742 11743 err_nfnl_subsys: 11744 netlink_unregister_notifier(&nft_nl_notifier); 11745 err_netlink_notifier: 11746 nft_offload_exit(); 11747 err_offload: 11748 rhltable_destroy(&nft_objname_ht); 11749 err_rht_objname: 11750 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 11751 err_netdev_notifier: 11752 nf_tables_core_module_exit(); 11753 err_core_module: 11754 nft_chain_filter_fini(); 11755 err_chain_filter: 11756 unregister_pernet_subsys(&nf_tables_net_ops); 11757 return err; 11758 } 11759 nf_tables_module_exit(void)11760 static void __exit nf_tables_module_exit(void) 11761 { 11762 nfnetlink_subsys_unregister(&nf_tables_subsys); 11763 netlink_unregister_notifier(&nft_nl_notifier); 11764 nft_offload_exit(); 11765 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 11766 nft_chain_filter_fini(); 11767 nft_chain_route_fini(); 11768 nf_tables_trans_destroy_flush_work(); 11769 unregister_pernet_subsys(&nf_tables_net_ops); 11770 cancel_work_sync(&trans_gc_work); 11771 cancel_work_sync(&trans_destroy_work); 11772 rcu_barrier(); 11773 rhltable_destroy(&nft_objname_ht); 11774 nf_tables_core_module_exit(); 11775 } 11776 11777 module_init(nf_tables_module_init); 11778 module_exit(nf_tables_module_exit); 11779 11780 MODULE_LICENSE("GPL"); 11781 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 11782 MODULE_DESCRIPTION("Framework for packet filtering and classification"); 11783 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 11784