1 /*
2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 *
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
9 */
10
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
22 #include <net/sock.h>
23
24 static LIST_HEAD(nf_tables_expressions);
25
26 /**
27 * nft_register_afinfo - register nf_tables address family info
28 *
29 * @afi: address family info to register
30 *
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
33 */
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
35 {
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
40 return 0;
41 }
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
43
44 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
45
46 /**
47 * nft_unregister_afinfo - unregister nf_tables address family info
48 *
49 * @afi: address family info to unregister
50 *
51 * Unregister the address family for use with nf_tables.
52 */
53 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
54 {
55 nfnl_lock(NFNL_SUBSYS_NFTABLES);
56 __nft_release_afinfo(net, afi);
57 list_del_rcu(&afi->list);
58 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
59 }
60 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
61
62 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
63 {
64 struct nft_af_info *afi;
65
66 list_for_each_entry(afi, &net->nft.af_info, list) {
67 if (afi->family == family)
68 return afi;
69 }
70 return NULL;
71 }
72
73 static struct nft_af_info *
74 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
75 {
76 struct nft_af_info *afi;
77
78 afi = nft_afinfo_lookup(net, family);
79 if (afi != NULL)
80 return afi;
81 #ifdef CONFIG_MODULES
82 if (autoload) {
83 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
84 request_module("nft-afinfo-%u", family);
85 nfnl_lock(NFNL_SUBSYS_NFTABLES);
86 afi = nft_afinfo_lookup(net, family);
87 if (afi != NULL)
88 return ERR_PTR(-EAGAIN);
89 }
90 #endif
91 return ERR_PTR(-EAFNOSUPPORT);
92 }
93
94 static void nft_ctx_init(struct nft_ctx *ctx,
95 struct net *net,
96 const struct sk_buff *skb,
97 const struct nlmsghdr *nlh,
98 struct nft_af_info *afi,
99 struct nft_table *table,
100 struct nft_chain *chain,
101 const struct nlattr * const *nla)
102 {
103 ctx->net = net;
104 ctx->afi = afi;
105 ctx->table = table;
106 ctx->chain = chain;
107 ctx->nla = nla;
108 ctx->portid = NETLINK_CB(skb).portid;
109 ctx->report = nlmsg_report(nlh);
110 ctx->seq = nlh->nlmsg_seq;
111 }
112
113 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
114 u32 size)
115 {
116 struct nft_trans *trans;
117
118 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
119 if (trans == NULL)
120 return NULL;
121
122 trans->msg_type = msg_type;
123 trans->ctx = *ctx;
124
125 return trans;
126 }
127
128 static void nft_trans_destroy(struct nft_trans *trans)
129 {
130 list_del(&trans->list);
131 kfree(trans);
132 }
133
134 static int nf_tables_register_hooks(struct net *net,
135 const struct nft_table *table,
136 struct nft_chain *chain,
137 unsigned int hook_nops)
138 {
139 if (table->flags & NFT_TABLE_F_DORMANT ||
140 !(chain->flags & NFT_BASE_CHAIN))
141 return 0;
142
143 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
144 hook_nops);
145 }
146
147 static void nf_tables_unregister_hooks(struct net *net,
148 const struct nft_table *table,
149 struct nft_chain *chain,
150 unsigned int hook_nops)
151 {
152 if (table->flags & NFT_TABLE_F_DORMANT ||
153 !(chain->flags & NFT_BASE_CHAIN))
154 return;
155
156 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
157 }
158
159 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
160 {
161 struct nft_trans *trans;
162
163 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
164 if (trans == NULL)
165 return -ENOMEM;
166
167 if (msg_type == NFT_MSG_NEWTABLE)
168 nft_activate_next(ctx->net, ctx->table);
169
170 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
171 return 0;
172 }
173
174 static int nft_deltable(struct nft_ctx *ctx)
175 {
176 int err;
177
178 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
179 if (err < 0)
180 return err;
181
182 nft_deactivate_next(ctx->net, ctx->table);
183 return err;
184 }
185
186 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
187 {
188 struct nft_trans *trans;
189
190 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
191 if (trans == NULL)
192 return -ENOMEM;
193
194 if (msg_type == NFT_MSG_NEWCHAIN)
195 nft_activate_next(ctx->net, ctx->chain);
196
197 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
198 return 0;
199 }
200
201 static int nft_delchain(struct nft_ctx *ctx)
202 {
203 int err;
204
205 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
206 if (err < 0)
207 return err;
208
209 ctx->table->use--;
210 nft_deactivate_next(ctx->net, ctx->chain);
211
212 return err;
213 }
214
215 static int
216 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
217 {
218 /* You cannot delete the same rule twice */
219 if (nft_is_active_next(ctx->net, rule)) {
220 nft_deactivate_next(ctx->net, rule);
221 ctx->chain->use--;
222 return 0;
223 }
224 return -ENOENT;
225 }
226
227 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
228 struct nft_rule *rule)
229 {
230 struct nft_trans *trans;
231
232 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
233 if (trans == NULL)
234 return NULL;
235
236 nft_trans_rule(trans) = rule;
237 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
238
239 return trans;
240 }
241
242 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
243 {
244 struct nft_trans *trans;
245 int err;
246
247 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
248 if (trans == NULL)
249 return -ENOMEM;
250
251 err = nf_tables_delrule_deactivate(ctx, rule);
252 if (err < 0) {
253 nft_trans_destroy(trans);
254 return err;
255 }
256
257 return 0;
258 }
259
260 static int nft_delrule_by_chain(struct nft_ctx *ctx)
261 {
262 struct nft_rule *rule;
263 int err;
264
265 list_for_each_entry(rule, &ctx->chain->rules, list) {
266 err = nft_delrule(ctx, rule);
267 if (err < 0)
268 return err;
269 }
270 return 0;
271 }
272
273 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
274 struct nft_set *set)
275 {
276 struct nft_trans *trans;
277
278 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
279 if (trans == NULL)
280 return -ENOMEM;
281
282 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
283 nft_trans_set_id(trans) =
284 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
285 nft_activate_next(ctx->net, set);
286 }
287 nft_trans_set(trans) = set;
288 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
289
290 return 0;
291 }
292
293 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
294 {
295 int err;
296
297 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
298 if (err < 0)
299 return err;
300
301 nft_deactivate_next(ctx->net, set);
302 ctx->table->use--;
303
304 return err;
305 }
306
307 /*
308 * Tables
309 */
310
311 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
312 const struct nlattr *nla,
313 u8 genmask)
314 {
315 struct nft_table *table;
316
317 list_for_each_entry(table, &afi->tables, list) {
318 if (!nla_strcmp(nla, table->name) &&
319 nft_active_genmask(table, genmask))
320 return table;
321 }
322 return NULL;
323 }
324
325 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
326 const struct nlattr *nla,
327 u8 genmask)
328 {
329 struct nft_table *table;
330
331 if (nla == NULL)
332 return ERR_PTR(-EINVAL);
333
334 table = nft_table_lookup(afi, nla, genmask);
335 if (table != NULL)
336 return table;
337
338 return ERR_PTR(-ENOENT);
339 }
340
341 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
342 {
343 return ++table->hgenerator;
344 }
345
346 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
347
348 static const struct nf_chain_type *
349 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
350 {
351 int i;
352
353 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
354 if (chain_type[family][i] != NULL &&
355 !nla_strcmp(nla, chain_type[family][i]->name))
356 return chain_type[family][i];
357 }
358 return NULL;
359 }
360
361 static const struct nf_chain_type *
362 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
363 const struct nlattr *nla,
364 bool autoload)
365 {
366 const struct nf_chain_type *type;
367
368 type = __nf_tables_chain_type_lookup(afi->family, nla);
369 if (type != NULL)
370 return type;
371 #ifdef CONFIG_MODULES
372 if (autoload) {
373 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
374 request_module("nft-chain-%u-%.*s", afi->family,
375 nla_len(nla), (const char *)nla_data(nla));
376 nfnl_lock(NFNL_SUBSYS_NFTABLES);
377 type = __nf_tables_chain_type_lookup(afi->family, nla);
378 if (type != NULL)
379 return ERR_PTR(-EAGAIN);
380 }
381 #endif
382 return ERR_PTR(-ENOENT);
383 }
384
385 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
386 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
387 .len = NFT_TABLE_MAXNAMELEN - 1 },
388 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
389 };
390
391 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
392 u32 portid, u32 seq, int event, u32 flags,
393 int family, const struct nft_table *table)
394 {
395 struct nlmsghdr *nlh;
396 struct nfgenmsg *nfmsg;
397
398 event |= NFNL_SUBSYS_NFTABLES << 8;
399 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
400 if (nlh == NULL)
401 goto nla_put_failure;
402
403 nfmsg = nlmsg_data(nlh);
404 nfmsg->nfgen_family = family;
405 nfmsg->version = NFNETLINK_V0;
406 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
407
408 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
409 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
410 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
411 goto nla_put_failure;
412
413 nlmsg_end(skb, nlh);
414 return 0;
415
416 nla_put_failure:
417 nlmsg_trim(skb, nlh);
418 return -1;
419 }
420
421 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
422 {
423 struct sk_buff *skb;
424 int err;
425
426 if (!ctx->report &&
427 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
428 return 0;
429
430 err = -ENOBUFS;
431 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
432 if (skb == NULL)
433 goto err;
434
435 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
436 event, 0, ctx->afi->family, ctx->table);
437 if (err < 0) {
438 kfree_skb(skb);
439 goto err;
440 }
441
442 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
443 ctx->report, GFP_KERNEL);
444 err:
445 if (err < 0) {
446 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
447 err);
448 }
449 return err;
450 }
451
452 static int nf_tables_dump_tables(struct sk_buff *skb,
453 struct netlink_callback *cb)
454 {
455 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
456 const struct nft_af_info *afi;
457 const struct nft_table *table;
458 unsigned int idx = 0, s_idx = cb->args[0];
459 struct net *net = sock_net(skb->sk);
460 int family = nfmsg->nfgen_family;
461
462 rcu_read_lock();
463 cb->seq = net->nft.base_seq;
464
465 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
466 if (family != NFPROTO_UNSPEC && family != afi->family)
467 continue;
468
469 list_for_each_entry_rcu(table, &afi->tables, list) {
470 if (idx < s_idx)
471 goto cont;
472 if (idx > s_idx)
473 memset(&cb->args[1], 0,
474 sizeof(cb->args) - sizeof(cb->args[0]));
475 if (!nft_is_active(net, table))
476 continue;
477 if (nf_tables_fill_table_info(skb, net,
478 NETLINK_CB(cb->skb).portid,
479 cb->nlh->nlmsg_seq,
480 NFT_MSG_NEWTABLE,
481 NLM_F_MULTI,
482 afi->family, table) < 0)
483 goto done;
484
485 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
486 cont:
487 idx++;
488 }
489 }
490 done:
491 rcu_read_unlock();
492 cb->args[0] = idx;
493 return skb->len;
494 }
495
496 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
497 struct sk_buff *skb, const struct nlmsghdr *nlh,
498 const struct nlattr * const nla[])
499 {
500 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
501 u8 genmask = nft_genmask_cur(net);
502 const struct nft_af_info *afi;
503 const struct nft_table *table;
504 struct sk_buff *skb2;
505 int family = nfmsg->nfgen_family;
506 int err;
507
508 if (nlh->nlmsg_flags & NLM_F_DUMP) {
509 struct netlink_dump_control c = {
510 .dump = nf_tables_dump_tables,
511 };
512 return netlink_dump_start(nlsk, skb, nlh, &c);
513 }
514
515 afi = nf_tables_afinfo_lookup(net, family, false);
516 if (IS_ERR(afi))
517 return PTR_ERR(afi);
518
519 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
520 if (IS_ERR(table))
521 return PTR_ERR(table);
522
523 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
524 if (!skb2)
525 return -ENOMEM;
526
527 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
528 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
529 family, table);
530 if (err < 0)
531 goto err;
532
533 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
534
535 err:
536 kfree_skb(skb2);
537 return err;
538 }
539
540 static int nf_tables_table_enable(struct net *net,
541 const struct nft_af_info *afi,
542 struct nft_table *table)
543 {
544 struct nft_chain *chain;
545 int err, i = 0;
546
547 list_for_each_entry(chain, &table->chains, list) {
548 if (!nft_is_active_next(net, chain))
549 continue;
550 if (!(chain->flags & NFT_BASE_CHAIN))
551 continue;
552
553 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
554 afi->nops);
555 if (err < 0)
556 goto err;
557
558 i++;
559 }
560 return 0;
561 err:
562 list_for_each_entry(chain, &table->chains, list) {
563 if (!nft_is_active_next(net, chain))
564 continue;
565 if (!(chain->flags & NFT_BASE_CHAIN))
566 continue;
567
568 if (i-- <= 0)
569 break;
570
571 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
572 afi->nops);
573 }
574 return err;
575 }
576
577 static void nf_tables_table_disable(struct net *net,
578 const struct nft_af_info *afi,
579 struct nft_table *table)
580 {
581 struct nft_chain *chain;
582
583 list_for_each_entry(chain, &table->chains, list) {
584 if (!nft_is_active_next(net, chain))
585 continue;
586 if (!(chain->flags & NFT_BASE_CHAIN))
587 continue;
588
589 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
590 afi->nops);
591 }
592 }
593
594 static int nf_tables_updtable(struct nft_ctx *ctx)
595 {
596 struct nft_trans *trans;
597 u32 flags;
598 int ret = 0;
599
600 if (!ctx->nla[NFTA_TABLE_FLAGS])
601 return 0;
602
603 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
604 if (flags & ~NFT_TABLE_F_DORMANT)
605 return -EINVAL;
606
607 if (flags == ctx->table->flags)
608 return 0;
609
610 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
611 sizeof(struct nft_trans_table));
612 if (trans == NULL)
613 return -ENOMEM;
614
615 if ((flags & NFT_TABLE_F_DORMANT) &&
616 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
617 nft_trans_table_enable(trans) = false;
618 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
619 ctx->table->flags & NFT_TABLE_F_DORMANT) {
620 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
621 if (ret >= 0) {
622 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
623 nft_trans_table_enable(trans) = true;
624 }
625 }
626 if (ret < 0)
627 goto err;
628
629 nft_trans_table_update(trans) = true;
630 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
631 return 0;
632 err:
633 nft_trans_destroy(trans);
634 return ret;
635 }
636
637 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
638 struct sk_buff *skb, const struct nlmsghdr *nlh,
639 const struct nlattr * const nla[])
640 {
641 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
642 u8 genmask = nft_genmask_next(net);
643 const struct nlattr *name;
644 struct nft_af_info *afi;
645 struct nft_table *table;
646 int family = nfmsg->nfgen_family;
647 u32 flags = 0;
648 struct nft_ctx ctx;
649 int err;
650
651 afi = nf_tables_afinfo_lookup(net, family, true);
652 if (IS_ERR(afi))
653 return PTR_ERR(afi);
654
655 name = nla[NFTA_TABLE_NAME];
656 table = nf_tables_table_lookup(afi, name, genmask);
657 if (IS_ERR(table)) {
658 if (PTR_ERR(table) != -ENOENT)
659 return PTR_ERR(table);
660 table = NULL;
661 }
662
663 if (table != NULL) {
664 if (nlh->nlmsg_flags & NLM_F_EXCL)
665 return -EEXIST;
666 if (nlh->nlmsg_flags & NLM_F_REPLACE)
667 return -EOPNOTSUPP;
668
669 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
670 return nf_tables_updtable(&ctx);
671 }
672
673 if (nla[NFTA_TABLE_FLAGS]) {
674 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
675 if (flags & ~NFT_TABLE_F_DORMANT)
676 return -EINVAL;
677 }
678
679 err = -EAFNOSUPPORT;
680 if (!try_module_get(afi->owner))
681 goto err1;
682
683 err = -ENOMEM;
684 table = kzalloc(sizeof(*table), GFP_KERNEL);
685 if (table == NULL)
686 goto err2;
687
688 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
689 INIT_LIST_HEAD(&table->chains);
690 INIT_LIST_HEAD(&table->sets);
691 table->flags = flags;
692
693 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
694 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
695 if (err < 0)
696 goto err3;
697
698 list_add_tail_rcu(&table->list, &afi->tables);
699 return 0;
700 err3:
701 kfree(table);
702 err2:
703 module_put(afi->owner);
704 err1:
705 return err;
706 }
707
708 static int nft_flush_table(struct nft_ctx *ctx)
709 {
710 int err;
711 struct nft_chain *chain, *nc;
712 struct nft_set *set, *ns;
713
714 list_for_each_entry(chain, &ctx->table->chains, list) {
715 if (!nft_is_active_next(ctx->net, chain))
716 continue;
717
718 ctx->chain = chain;
719
720 err = nft_delrule_by_chain(ctx);
721 if (err < 0)
722 goto out;
723 }
724
725 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
726 if (!nft_is_active_next(ctx->net, set))
727 continue;
728
729 if (set->flags & NFT_SET_ANONYMOUS &&
730 !list_empty(&set->bindings))
731 continue;
732
733 err = nft_delset(ctx, set);
734 if (err < 0)
735 goto out;
736 }
737
738 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
739 if (!nft_is_active_next(ctx->net, chain))
740 continue;
741
742 ctx->chain = chain;
743
744 err = nft_delchain(ctx);
745 if (err < 0)
746 goto out;
747 }
748
749 err = nft_deltable(ctx);
750 out:
751 return err;
752 }
753
754 static int nft_flush(struct nft_ctx *ctx, int family)
755 {
756 struct nft_af_info *afi;
757 struct nft_table *table, *nt;
758 const struct nlattr * const *nla = ctx->nla;
759 int err = 0;
760
761 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
762 if (family != AF_UNSPEC && afi->family != family)
763 continue;
764
765 ctx->afi = afi;
766 list_for_each_entry_safe(table, nt, &afi->tables, list) {
767 if (!nft_is_active_next(ctx->net, table))
768 continue;
769
770 if (nla[NFTA_TABLE_NAME] &&
771 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
772 continue;
773
774 ctx->table = table;
775
776 err = nft_flush_table(ctx);
777 if (err < 0)
778 goto out;
779 }
780 }
781 out:
782 return err;
783 }
784
785 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
786 struct sk_buff *skb, const struct nlmsghdr *nlh,
787 const struct nlattr * const nla[])
788 {
789 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
790 u8 genmask = nft_genmask_next(net);
791 struct nft_af_info *afi;
792 struct nft_table *table;
793 int family = nfmsg->nfgen_family;
794 struct nft_ctx ctx;
795
796 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
797 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
798 return nft_flush(&ctx, family);
799
800 afi = nf_tables_afinfo_lookup(net, family, false);
801 if (IS_ERR(afi))
802 return PTR_ERR(afi);
803
804 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
805 if (IS_ERR(table))
806 return PTR_ERR(table);
807
808 ctx.afi = afi;
809 ctx.table = table;
810
811 return nft_flush_table(&ctx);
812 }
813
814 static void nf_tables_table_destroy(struct nft_ctx *ctx)
815 {
816 BUG_ON(ctx->table->use > 0);
817
818 kfree(ctx->table);
819 module_put(ctx->afi->owner);
820 }
821
822 int nft_register_chain_type(const struct nf_chain_type *ctype)
823 {
824 int err = 0;
825
826 nfnl_lock(NFNL_SUBSYS_NFTABLES);
827 if (chain_type[ctype->family][ctype->type] != NULL) {
828 err = -EBUSY;
829 goto out;
830 }
831 chain_type[ctype->family][ctype->type] = ctype;
832 out:
833 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
834 return err;
835 }
836 EXPORT_SYMBOL_GPL(nft_register_chain_type);
837
838 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
839 {
840 nfnl_lock(NFNL_SUBSYS_NFTABLES);
841 chain_type[ctype->family][ctype->type] = NULL;
842 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
843 }
844 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
845
846 /*
847 * Chains
848 */
849
850 static struct nft_chain *
851 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
852 u8 genmask)
853 {
854 struct nft_chain *chain;
855
856 list_for_each_entry(chain, &table->chains, list) {
857 if (chain->handle == handle &&
858 nft_active_genmask(chain, genmask))
859 return chain;
860 }
861
862 return ERR_PTR(-ENOENT);
863 }
864
865 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
866 const struct nlattr *nla,
867 u8 genmask)
868 {
869 struct nft_chain *chain;
870
871 if (nla == NULL)
872 return ERR_PTR(-EINVAL);
873
874 list_for_each_entry(chain, &table->chains, list) {
875 if (!nla_strcmp(nla, chain->name) &&
876 nft_active_genmask(chain, genmask))
877 return chain;
878 }
879
880 return ERR_PTR(-ENOENT);
881 }
882
883 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
884 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
885 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
886 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
887 .len = NFT_CHAIN_MAXNAMELEN - 1 },
888 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
889 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
890 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
891 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
892 };
893
894 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
895 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
896 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
897 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
898 .len = IFNAMSIZ - 1 },
899 };
900
901 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
902 {
903 struct nft_stats *cpu_stats, total;
904 struct nlattr *nest;
905 unsigned int seq;
906 u64 pkts, bytes;
907 int cpu;
908
909 memset(&total, 0, sizeof(total));
910 for_each_possible_cpu(cpu) {
911 cpu_stats = per_cpu_ptr(stats, cpu);
912 do {
913 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
914 pkts = cpu_stats->pkts;
915 bytes = cpu_stats->bytes;
916 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
917 total.pkts += pkts;
918 total.bytes += bytes;
919 }
920 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
921 if (nest == NULL)
922 goto nla_put_failure;
923
924 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
925 NFTA_COUNTER_PAD) ||
926 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
927 NFTA_COUNTER_PAD))
928 goto nla_put_failure;
929
930 nla_nest_end(skb, nest);
931 return 0;
932
933 nla_put_failure:
934 return -ENOSPC;
935 }
936
937 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
938 u32 portid, u32 seq, int event, u32 flags,
939 int family, const struct nft_table *table,
940 const struct nft_chain *chain)
941 {
942 struct nlmsghdr *nlh;
943 struct nfgenmsg *nfmsg;
944
945 event |= NFNL_SUBSYS_NFTABLES << 8;
946 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
947 if (nlh == NULL)
948 goto nla_put_failure;
949
950 nfmsg = nlmsg_data(nlh);
951 nfmsg->nfgen_family = family;
952 nfmsg->version = NFNETLINK_V0;
953 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
954
955 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
956 goto nla_put_failure;
957 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
958 NFTA_CHAIN_PAD))
959 goto nla_put_failure;
960 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
961 goto nla_put_failure;
962
963 if (chain->flags & NFT_BASE_CHAIN) {
964 const struct nft_base_chain *basechain = nft_base_chain(chain);
965 const struct nf_hook_ops *ops = &basechain->ops[0];
966 struct nlattr *nest;
967
968 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
969 if (nest == NULL)
970 goto nla_put_failure;
971 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
972 goto nla_put_failure;
973 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
974 goto nla_put_failure;
975 if (basechain->dev_name[0] &&
976 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
977 goto nla_put_failure;
978 nla_nest_end(skb, nest);
979
980 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
981 htonl(basechain->policy)))
982 goto nla_put_failure;
983
984 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
985 goto nla_put_failure;
986
987 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
988 goto nla_put_failure;
989 }
990
991 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
992 goto nla_put_failure;
993
994 nlmsg_end(skb, nlh);
995 return 0;
996
997 nla_put_failure:
998 nlmsg_trim(skb, nlh);
999 return -1;
1000 }
1001
1002 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1003 {
1004 struct sk_buff *skb;
1005 int err;
1006
1007 if (!ctx->report &&
1008 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1009 return 0;
1010
1011 err = -ENOBUFS;
1012 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1013 if (skb == NULL)
1014 goto err;
1015
1016 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1017 event, 0, ctx->afi->family, ctx->table,
1018 ctx->chain);
1019 if (err < 0) {
1020 kfree_skb(skb);
1021 goto err;
1022 }
1023
1024 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1025 ctx->report, GFP_KERNEL);
1026 err:
1027 if (err < 0) {
1028 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1029 err);
1030 }
1031 return err;
1032 }
1033
1034 static int nf_tables_dump_chains(struct sk_buff *skb,
1035 struct netlink_callback *cb)
1036 {
1037 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1038 const struct nft_af_info *afi;
1039 const struct nft_table *table;
1040 const struct nft_chain *chain;
1041 unsigned int idx = 0, s_idx = cb->args[0];
1042 struct net *net = sock_net(skb->sk);
1043 int family = nfmsg->nfgen_family;
1044
1045 rcu_read_lock();
1046 cb->seq = net->nft.base_seq;
1047
1048 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1049 if (family != NFPROTO_UNSPEC && family != afi->family)
1050 continue;
1051
1052 list_for_each_entry_rcu(table, &afi->tables, list) {
1053 list_for_each_entry_rcu(chain, &table->chains, list) {
1054 if (idx < s_idx)
1055 goto cont;
1056 if (idx > s_idx)
1057 memset(&cb->args[1], 0,
1058 sizeof(cb->args) - sizeof(cb->args[0]));
1059 if (!nft_is_active(net, chain))
1060 continue;
1061 if (nf_tables_fill_chain_info(skb, net,
1062 NETLINK_CB(cb->skb).portid,
1063 cb->nlh->nlmsg_seq,
1064 NFT_MSG_NEWCHAIN,
1065 NLM_F_MULTI,
1066 afi->family, table, chain) < 0)
1067 goto done;
1068
1069 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1070 cont:
1071 idx++;
1072 }
1073 }
1074 }
1075 done:
1076 rcu_read_unlock();
1077 cb->args[0] = idx;
1078 return skb->len;
1079 }
1080
1081 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1082 struct sk_buff *skb, const struct nlmsghdr *nlh,
1083 const struct nlattr * const nla[])
1084 {
1085 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1086 u8 genmask = nft_genmask_cur(net);
1087 const struct nft_af_info *afi;
1088 const struct nft_table *table;
1089 const struct nft_chain *chain;
1090 struct sk_buff *skb2;
1091 int family = nfmsg->nfgen_family;
1092 int err;
1093
1094 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1095 struct netlink_dump_control c = {
1096 .dump = nf_tables_dump_chains,
1097 };
1098 return netlink_dump_start(nlsk, skb, nlh, &c);
1099 }
1100
1101 afi = nf_tables_afinfo_lookup(net, family, false);
1102 if (IS_ERR(afi))
1103 return PTR_ERR(afi);
1104
1105 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1106 if (IS_ERR(table))
1107 return PTR_ERR(table);
1108
1109 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1110 if (IS_ERR(chain))
1111 return PTR_ERR(chain);
1112
1113 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1114 if (!skb2)
1115 return -ENOMEM;
1116
1117 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1118 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1119 family, table, chain);
1120 if (err < 0)
1121 goto err;
1122
1123 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1124
1125 err:
1126 kfree_skb(skb2);
1127 return err;
1128 }
1129
1130 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1131 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1132 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1133 };
1134
1135 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1136 {
1137 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1138 struct nft_stats __percpu *newstats;
1139 struct nft_stats *stats;
1140 int err;
1141
1142 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1143 if (err < 0)
1144 return ERR_PTR(err);
1145
1146 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1147 return ERR_PTR(-EINVAL);
1148
1149 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1150 if (newstats == NULL)
1151 return ERR_PTR(-ENOMEM);
1152
1153 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1154 * are not exposed to userspace.
1155 */
1156 preempt_disable();
1157 stats = this_cpu_ptr(newstats);
1158 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1159 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1160 preempt_enable();
1161
1162 return newstats;
1163 }
1164
1165 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1166 struct nft_stats __percpu *newstats)
1167 {
1168 if (newstats == NULL)
1169 return;
1170
1171 if (chain->stats) {
1172 struct nft_stats __percpu *oldstats =
1173 nft_dereference(chain->stats);
1174
1175 rcu_assign_pointer(chain->stats, newstats);
1176 synchronize_rcu();
1177 free_percpu(oldstats);
1178 } else
1179 rcu_assign_pointer(chain->stats, newstats);
1180 }
1181
1182 static void nf_tables_chain_destroy(struct nft_chain *chain)
1183 {
1184 BUG_ON(chain->use > 0);
1185
1186 if (chain->flags & NFT_BASE_CHAIN) {
1187 struct nft_base_chain *basechain = nft_base_chain(chain);
1188
1189 module_put(basechain->type->owner);
1190 free_percpu(basechain->stats);
1191 if (basechain->ops[0].dev != NULL)
1192 dev_put(basechain->ops[0].dev);
1193 kfree(basechain);
1194 } else {
1195 kfree(chain);
1196 }
1197 }
1198
1199 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1200 struct sk_buff *skb, const struct nlmsghdr *nlh,
1201 const struct nlattr * const nla[])
1202 {
1203 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1204 const struct nlattr * uninitialized_var(name);
1205 struct nft_af_info *afi;
1206 struct nft_table *table;
1207 struct nft_chain *chain;
1208 struct nft_base_chain *basechain = NULL;
1209 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1210 u8 genmask = nft_genmask_next(net);
1211 int family = nfmsg->nfgen_family;
1212 struct net_device *dev = NULL;
1213 u8 policy = NF_ACCEPT;
1214 u64 handle = 0;
1215 unsigned int i;
1216 struct nft_stats __percpu *stats;
1217 int err;
1218 bool create;
1219 struct nft_ctx ctx;
1220
1221 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1222
1223 afi = nf_tables_afinfo_lookup(net, family, true);
1224 if (IS_ERR(afi))
1225 return PTR_ERR(afi);
1226
1227 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1228 if (IS_ERR(table))
1229 return PTR_ERR(table);
1230
1231 chain = NULL;
1232 name = nla[NFTA_CHAIN_NAME];
1233
1234 if (nla[NFTA_CHAIN_HANDLE]) {
1235 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1236 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1237 if (IS_ERR(chain))
1238 return PTR_ERR(chain);
1239 } else {
1240 chain = nf_tables_chain_lookup(table, name, genmask);
1241 if (IS_ERR(chain)) {
1242 if (PTR_ERR(chain) != -ENOENT)
1243 return PTR_ERR(chain);
1244 chain = NULL;
1245 }
1246 }
1247
1248 if (nla[NFTA_CHAIN_POLICY]) {
1249 if ((chain != NULL &&
1250 !(chain->flags & NFT_BASE_CHAIN)))
1251 return -EOPNOTSUPP;
1252
1253 if (chain == NULL &&
1254 nla[NFTA_CHAIN_HOOK] == NULL)
1255 return -EOPNOTSUPP;
1256
1257 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1258 switch (policy) {
1259 case NF_DROP:
1260 case NF_ACCEPT:
1261 break;
1262 default:
1263 return -EINVAL;
1264 }
1265 }
1266
1267 if (chain != NULL) {
1268 struct nft_stats *stats = NULL;
1269 struct nft_trans *trans;
1270
1271 if (nlh->nlmsg_flags & NLM_F_EXCL)
1272 return -EEXIST;
1273 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1274 return -EOPNOTSUPP;
1275
1276 if (nla[NFTA_CHAIN_HANDLE] && name) {
1277 struct nft_chain *chain2;
1278
1279 chain2 = nf_tables_chain_lookup(table,
1280 nla[NFTA_CHAIN_NAME],
1281 genmask);
1282 if (IS_ERR(chain2))
1283 return PTR_ERR(chain2);
1284 }
1285
1286 if (nla[NFTA_CHAIN_COUNTERS]) {
1287 if (!(chain->flags & NFT_BASE_CHAIN))
1288 return -EOPNOTSUPP;
1289
1290 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1291 if (IS_ERR(stats))
1292 return PTR_ERR(stats);
1293 }
1294
1295 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1296 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1297 sizeof(struct nft_trans_chain));
1298 if (trans == NULL) {
1299 free_percpu(stats);
1300 return -ENOMEM;
1301 }
1302
1303 nft_trans_chain_stats(trans) = stats;
1304 nft_trans_chain_update(trans) = true;
1305
1306 if (nla[NFTA_CHAIN_POLICY])
1307 nft_trans_chain_policy(trans) = policy;
1308 else
1309 nft_trans_chain_policy(trans) = -1;
1310
1311 if (nla[NFTA_CHAIN_HANDLE] && name) {
1312 nla_strlcpy(nft_trans_chain_name(trans), name,
1313 NFT_CHAIN_MAXNAMELEN);
1314 }
1315 list_add_tail(&trans->list, &net->nft.commit_list);
1316 return 0;
1317 }
1318
1319 if (table->use == UINT_MAX)
1320 return -EOVERFLOW;
1321
1322 if (nla[NFTA_CHAIN_HOOK]) {
1323 const struct nf_chain_type *type;
1324 struct nf_hook_ops *ops;
1325 nf_hookfn *hookfn;
1326 u32 hooknum, priority;
1327
1328 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1329 if (nla[NFTA_CHAIN_TYPE]) {
1330 type = nf_tables_chain_type_lookup(afi,
1331 nla[NFTA_CHAIN_TYPE],
1332 create);
1333 if (IS_ERR(type))
1334 return PTR_ERR(type);
1335 }
1336
1337 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1338 nft_hook_policy);
1339 if (err < 0)
1340 return err;
1341 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1342 ha[NFTA_HOOK_PRIORITY] == NULL)
1343 return -EINVAL;
1344
1345 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1346 if (hooknum >= afi->nhooks)
1347 return -EINVAL;
1348 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1349
1350 if (!(type->hook_mask & (1 << hooknum)))
1351 return -EOPNOTSUPP;
1352 if (!try_module_get(type->owner))
1353 return -ENOENT;
1354 hookfn = type->hooks[hooknum];
1355
1356 if (afi->flags & NFT_AF_NEEDS_DEV) {
1357 char ifname[IFNAMSIZ];
1358
1359 if (!ha[NFTA_HOOK_DEV]) {
1360 module_put(type->owner);
1361 return -EOPNOTSUPP;
1362 }
1363
1364 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1365 dev = dev_get_by_name(net, ifname);
1366 if (!dev) {
1367 module_put(type->owner);
1368 return -ENOENT;
1369 }
1370 } else if (ha[NFTA_HOOK_DEV]) {
1371 module_put(type->owner);
1372 return -EOPNOTSUPP;
1373 }
1374
1375 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1376 if (basechain == NULL) {
1377 module_put(type->owner);
1378 if (dev != NULL)
1379 dev_put(dev);
1380 return -ENOMEM;
1381 }
1382
1383 if (dev != NULL)
1384 strncpy(basechain->dev_name, dev->name, IFNAMSIZ);
1385
1386 if (nla[NFTA_CHAIN_COUNTERS]) {
1387 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1388 if (IS_ERR(stats)) {
1389 module_put(type->owner);
1390 kfree(basechain);
1391 if (dev != NULL)
1392 dev_put(dev);
1393 return PTR_ERR(stats);
1394 }
1395 basechain->stats = stats;
1396 } else {
1397 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1398 if (stats == NULL) {
1399 module_put(type->owner);
1400 kfree(basechain);
1401 if (dev != NULL)
1402 dev_put(dev);
1403 return -ENOMEM;
1404 }
1405 rcu_assign_pointer(basechain->stats, stats);
1406 }
1407
1408 basechain->type = type;
1409 chain = &basechain->chain;
1410
1411 for (i = 0; i < afi->nops; i++) {
1412 ops = &basechain->ops[i];
1413 ops->pf = family;
1414 ops->hooknum = hooknum;
1415 ops->priority = priority;
1416 ops->priv = chain;
1417 ops->hook = afi->hooks[ops->hooknum];
1418 ops->dev = dev;
1419 if (hookfn)
1420 ops->hook = hookfn;
1421 if (afi->hook_ops_init)
1422 afi->hook_ops_init(ops, i);
1423 }
1424
1425 chain->flags |= NFT_BASE_CHAIN;
1426 basechain->policy = policy;
1427 } else {
1428 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1429 if (chain == NULL)
1430 return -ENOMEM;
1431 }
1432
1433 INIT_LIST_HEAD(&chain->rules);
1434 chain->handle = nf_tables_alloc_handle(table);
1435 chain->table = table;
1436 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1437
1438 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1439 if (err < 0)
1440 goto err1;
1441
1442 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1443 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1444 if (err < 0)
1445 goto err2;
1446
1447 table->use++;
1448 list_add_tail_rcu(&chain->list, &table->chains);
1449 return 0;
1450 err2:
1451 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1452 err1:
1453 nf_tables_chain_destroy(chain);
1454 return err;
1455 }
1456
1457 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1458 struct sk_buff *skb, const struct nlmsghdr *nlh,
1459 const struct nlattr * const nla[])
1460 {
1461 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1462 u8 genmask = nft_genmask_next(net);
1463 struct nft_af_info *afi;
1464 struct nft_table *table;
1465 struct nft_chain *chain;
1466 int family = nfmsg->nfgen_family;
1467 struct nft_ctx ctx;
1468
1469 afi = nf_tables_afinfo_lookup(net, family, false);
1470 if (IS_ERR(afi))
1471 return PTR_ERR(afi);
1472
1473 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1474 if (IS_ERR(table))
1475 return PTR_ERR(table);
1476
1477 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1478 if (IS_ERR(chain))
1479 return PTR_ERR(chain);
1480 if (chain->use > 0)
1481 return -EBUSY;
1482
1483 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1484
1485 return nft_delchain(&ctx);
1486 }
1487
1488 /*
1489 * Expressions
1490 */
1491
1492 /**
1493 * nft_register_expr - register nf_tables expr type
1494 * @ops: expr type
1495 *
1496 * Registers the expr type for use with nf_tables. Returns zero on
1497 * success or a negative errno code otherwise.
1498 */
1499 int nft_register_expr(struct nft_expr_type *type)
1500 {
1501 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1502 if (type->family == NFPROTO_UNSPEC)
1503 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1504 else
1505 list_add_rcu(&type->list, &nf_tables_expressions);
1506 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1507 return 0;
1508 }
1509 EXPORT_SYMBOL_GPL(nft_register_expr);
1510
1511 /**
1512 * nft_unregister_expr - unregister nf_tables expr type
1513 * @ops: expr type
1514 *
1515 * Unregisters the expr typefor use with nf_tables.
1516 */
1517 void nft_unregister_expr(struct nft_expr_type *type)
1518 {
1519 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1520 list_del_rcu(&type->list);
1521 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1522 }
1523 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1524
1525 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1526 struct nlattr *nla)
1527 {
1528 const struct nft_expr_type *type;
1529
1530 list_for_each_entry(type, &nf_tables_expressions, list) {
1531 if (!nla_strcmp(nla, type->name) &&
1532 (!type->family || type->family == family))
1533 return type;
1534 }
1535 return NULL;
1536 }
1537
1538 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1539 struct nlattr *nla)
1540 {
1541 const struct nft_expr_type *type;
1542
1543 if (nla == NULL)
1544 return ERR_PTR(-EINVAL);
1545
1546 type = __nft_expr_type_get(family, nla);
1547 if (type != NULL && try_module_get(type->owner))
1548 return type;
1549
1550 #ifdef CONFIG_MODULES
1551 if (type == NULL) {
1552 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1553 request_module("nft-expr-%u-%.*s", family,
1554 nla_len(nla), (char *)nla_data(nla));
1555 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1556 if (__nft_expr_type_get(family, nla))
1557 return ERR_PTR(-EAGAIN);
1558
1559 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1560 request_module("nft-expr-%.*s",
1561 nla_len(nla), (char *)nla_data(nla));
1562 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1563 if (__nft_expr_type_get(family, nla))
1564 return ERR_PTR(-EAGAIN);
1565 }
1566 #endif
1567 return ERR_PTR(-ENOENT);
1568 }
1569
1570 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1571 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1572 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1573 };
1574
1575 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1576 const struct nft_expr *expr)
1577 {
1578 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1579 goto nla_put_failure;
1580
1581 if (expr->ops->dump) {
1582 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1583 if (data == NULL)
1584 goto nla_put_failure;
1585 if (expr->ops->dump(skb, expr) < 0)
1586 goto nla_put_failure;
1587 nla_nest_end(skb, data);
1588 }
1589
1590 return skb->len;
1591
1592 nla_put_failure:
1593 return -1;
1594 };
1595
1596 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1597 const struct nft_expr *expr)
1598 {
1599 struct nlattr *nest;
1600
1601 nest = nla_nest_start(skb, attr);
1602 if (!nest)
1603 goto nla_put_failure;
1604 if (nf_tables_fill_expr_info(skb, expr) < 0)
1605 goto nla_put_failure;
1606 nla_nest_end(skb, nest);
1607 return 0;
1608
1609 nla_put_failure:
1610 return -1;
1611 }
1612
1613 struct nft_expr_info {
1614 const struct nft_expr_ops *ops;
1615 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1616 };
1617
1618 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1619 const struct nlattr *nla,
1620 struct nft_expr_info *info)
1621 {
1622 const struct nft_expr_type *type;
1623 const struct nft_expr_ops *ops;
1624 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1625 int err;
1626
1627 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1628 if (err < 0)
1629 return err;
1630
1631 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1632 if (IS_ERR(type))
1633 return PTR_ERR(type);
1634
1635 if (tb[NFTA_EXPR_DATA]) {
1636 err = nla_parse_nested(info->tb, type->maxattr,
1637 tb[NFTA_EXPR_DATA], type->policy);
1638 if (err < 0)
1639 goto err1;
1640 } else
1641 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1642
1643 if (type->select_ops != NULL) {
1644 ops = type->select_ops(ctx,
1645 (const struct nlattr * const *)info->tb);
1646 if (IS_ERR(ops)) {
1647 err = PTR_ERR(ops);
1648 goto err1;
1649 }
1650 } else
1651 ops = type->ops;
1652
1653 info->ops = ops;
1654 return 0;
1655
1656 err1:
1657 module_put(type->owner);
1658 return err;
1659 }
1660
1661 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1662 const struct nft_expr_info *info,
1663 struct nft_expr *expr)
1664 {
1665 const struct nft_expr_ops *ops = info->ops;
1666 int err;
1667
1668 expr->ops = ops;
1669 if (ops->init) {
1670 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1671 if (err < 0)
1672 goto err1;
1673 }
1674
1675 return 0;
1676
1677 err1:
1678 expr->ops = NULL;
1679 return err;
1680 }
1681
1682 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1683 struct nft_expr *expr)
1684 {
1685 if (expr->ops->destroy)
1686 expr->ops->destroy(ctx, expr);
1687 module_put(expr->ops->type->owner);
1688 }
1689
1690 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1691 const struct nlattr *nla)
1692 {
1693 struct nft_expr_info info;
1694 struct nft_expr *expr;
1695 int err;
1696
1697 err = nf_tables_expr_parse(ctx, nla, &info);
1698 if (err < 0)
1699 goto err1;
1700
1701 err = -ENOMEM;
1702 expr = kzalloc(info.ops->size, GFP_KERNEL);
1703 if (expr == NULL)
1704 goto err2;
1705
1706 err = nf_tables_newexpr(ctx, &info, expr);
1707 if (err < 0)
1708 goto err3;
1709
1710 return expr;
1711 err3:
1712 kfree(expr);
1713 err2:
1714 module_put(info.ops->type->owner);
1715 err1:
1716 return ERR_PTR(err);
1717 }
1718
1719 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1720 {
1721 nf_tables_expr_destroy(ctx, expr);
1722 kfree(expr);
1723 }
1724
1725 /*
1726 * Rules
1727 */
1728
1729 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1730 u64 handle)
1731 {
1732 struct nft_rule *rule;
1733
1734 // FIXME: this sucks
1735 list_for_each_entry(rule, &chain->rules, list) {
1736 if (handle == rule->handle)
1737 return rule;
1738 }
1739
1740 return ERR_PTR(-ENOENT);
1741 }
1742
1743 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1744 const struct nlattr *nla)
1745 {
1746 if (nla == NULL)
1747 return ERR_PTR(-EINVAL);
1748
1749 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1750 }
1751
1752 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1753 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1754 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1755 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1756 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1757 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1758 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1759 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1760 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1761 .len = NFT_USERDATA_MAXLEN },
1762 };
1763
1764 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1765 u32 portid, u32 seq, int event,
1766 u32 flags, int family,
1767 const struct nft_table *table,
1768 const struct nft_chain *chain,
1769 const struct nft_rule *rule)
1770 {
1771 struct nlmsghdr *nlh;
1772 struct nfgenmsg *nfmsg;
1773 const struct nft_expr *expr, *next;
1774 struct nlattr *list;
1775 const struct nft_rule *prule;
1776 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1777
1778 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1779 flags);
1780 if (nlh == NULL)
1781 goto nla_put_failure;
1782
1783 nfmsg = nlmsg_data(nlh);
1784 nfmsg->nfgen_family = family;
1785 nfmsg->version = NFNETLINK_V0;
1786 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1787
1788 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1789 goto nla_put_failure;
1790 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1791 goto nla_put_failure;
1792 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1793 NFTA_RULE_PAD))
1794 goto nla_put_failure;
1795
1796 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1797 prule = list_entry(rule->list.prev, struct nft_rule, list);
1798 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1799 cpu_to_be64(prule->handle),
1800 NFTA_RULE_PAD))
1801 goto nla_put_failure;
1802 }
1803
1804 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1805 if (list == NULL)
1806 goto nla_put_failure;
1807 nft_rule_for_each_expr(expr, next, rule) {
1808 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1809 goto nla_put_failure;
1810 }
1811 nla_nest_end(skb, list);
1812
1813 if (rule->udata) {
1814 struct nft_userdata *udata = nft_userdata(rule);
1815 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1816 udata->data) < 0)
1817 goto nla_put_failure;
1818 }
1819
1820 nlmsg_end(skb, nlh);
1821 return 0;
1822
1823 nla_put_failure:
1824 nlmsg_trim(skb, nlh);
1825 return -1;
1826 }
1827
1828 static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1829 const struct nft_rule *rule,
1830 int event)
1831 {
1832 struct sk_buff *skb;
1833 int err;
1834
1835 if (!ctx->report &&
1836 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1837 return 0;
1838
1839 err = -ENOBUFS;
1840 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1841 if (skb == NULL)
1842 goto err;
1843
1844 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1845 event, 0, ctx->afi->family, ctx->table,
1846 ctx->chain, rule);
1847 if (err < 0) {
1848 kfree_skb(skb);
1849 goto err;
1850 }
1851
1852 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1853 ctx->report, GFP_KERNEL);
1854 err:
1855 if (err < 0) {
1856 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1857 err);
1858 }
1859 return err;
1860 }
1861
1862 struct nft_rule_dump_ctx {
1863 char table[NFT_TABLE_MAXNAMELEN];
1864 char chain[NFT_CHAIN_MAXNAMELEN];
1865 };
1866
1867 static int nf_tables_dump_rules(struct sk_buff *skb,
1868 struct netlink_callback *cb)
1869 {
1870 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1871 const struct nft_rule_dump_ctx *ctx = cb->data;
1872 const struct nft_af_info *afi;
1873 const struct nft_table *table;
1874 const struct nft_chain *chain;
1875 const struct nft_rule *rule;
1876 unsigned int idx = 0, s_idx = cb->args[0];
1877 struct net *net = sock_net(skb->sk);
1878 int family = nfmsg->nfgen_family;
1879
1880 rcu_read_lock();
1881 cb->seq = net->nft.base_seq;
1882
1883 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1884 if (family != NFPROTO_UNSPEC && family != afi->family)
1885 continue;
1886
1887 list_for_each_entry_rcu(table, &afi->tables, list) {
1888 if (ctx && ctx->table[0] &&
1889 strcmp(ctx->table, table->name) != 0)
1890 continue;
1891
1892 list_for_each_entry_rcu(chain, &table->chains, list) {
1893 if (ctx && ctx->chain[0] &&
1894 strcmp(ctx->chain, chain->name) != 0)
1895 continue;
1896
1897 list_for_each_entry_rcu(rule, &chain->rules, list) {
1898 if (!nft_is_active(net, rule))
1899 goto cont;
1900 if (idx < s_idx)
1901 goto cont;
1902 if (idx > s_idx)
1903 memset(&cb->args[1], 0,
1904 sizeof(cb->args) - sizeof(cb->args[0]));
1905 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
1906 cb->nlh->nlmsg_seq,
1907 NFT_MSG_NEWRULE,
1908 NLM_F_MULTI | NLM_F_APPEND,
1909 afi->family, table, chain, rule) < 0)
1910 goto done;
1911
1912 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1913 cont:
1914 idx++;
1915 }
1916 }
1917 }
1918 }
1919 done:
1920 rcu_read_unlock();
1921
1922 cb->args[0] = idx;
1923 return skb->len;
1924 }
1925
1926 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
1927 {
1928 kfree(cb->data);
1929 return 0;
1930 }
1931
1932 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
1933 struct sk_buff *skb, const struct nlmsghdr *nlh,
1934 const struct nlattr * const nla[])
1935 {
1936 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1937 u8 genmask = nft_genmask_cur(net);
1938 const struct nft_af_info *afi;
1939 const struct nft_table *table;
1940 const struct nft_chain *chain;
1941 const struct nft_rule *rule;
1942 struct sk_buff *skb2;
1943 int family = nfmsg->nfgen_family;
1944 int err;
1945
1946 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1947 struct netlink_dump_control c = {
1948 .dump = nf_tables_dump_rules,
1949 .done = nf_tables_dump_rules_done,
1950 };
1951
1952 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
1953 struct nft_rule_dump_ctx *ctx;
1954
1955 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
1956 if (!ctx)
1957 return -ENOMEM;
1958
1959 if (nla[NFTA_RULE_TABLE])
1960 nla_strlcpy(ctx->table, nla[NFTA_RULE_TABLE],
1961 sizeof(ctx->table));
1962 if (nla[NFTA_RULE_CHAIN])
1963 nla_strlcpy(ctx->chain, nla[NFTA_RULE_CHAIN],
1964 sizeof(ctx->chain));
1965 c.data = ctx;
1966 }
1967
1968 return netlink_dump_start(nlsk, skb, nlh, &c);
1969 }
1970
1971 afi = nf_tables_afinfo_lookup(net, family, false);
1972 if (IS_ERR(afi))
1973 return PTR_ERR(afi);
1974
1975 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
1976 if (IS_ERR(table))
1977 return PTR_ERR(table);
1978
1979 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
1980 if (IS_ERR(chain))
1981 return PTR_ERR(chain);
1982
1983 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1984 if (IS_ERR(rule))
1985 return PTR_ERR(rule);
1986
1987 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1988 if (!skb2)
1989 return -ENOMEM;
1990
1991 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
1992 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1993 family, table, chain, rule);
1994 if (err < 0)
1995 goto err;
1996
1997 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1998
1999 err:
2000 kfree_skb(skb2);
2001 return err;
2002 }
2003
2004 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2005 struct nft_rule *rule)
2006 {
2007 struct nft_expr *expr;
2008
2009 /*
2010 * Careful: some expressions might not be initialized in case this
2011 * is called on error from nf_tables_newrule().
2012 */
2013 expr = nft_expr_first(rule);
2014 while (expr->ops && expr != nft_expr_last(rule)) {
2015 nf_tables_expr_destroy(ctx, expr);
2016 expr = nft_expr_next(expr);
2017 }
2018 kfree(rule);
2019 }
2020
2021 #define NFT_RULE_MAXEXPRS 128
2022
2023 static struct nft_expr_info *info;
2024
2025 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2026 struct sk_buff *skb, const struct nlmsghdr *nlh,
2027 const struct nlattr * const nla[])
2028 {
2029 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2030 u8 genmask = nft_genmask_next(net);
2031 struct nft_af_info *afi;
2032 struct nft_table *table;
2033 struct nft_chain *chain;
2034 struct nft_rule *rule, *old_rule = NULL;
2035 struct nft_userdata *udata;
2036 struct nft_trans *trans = NULL;
2037 struct nft_expr *expr;
2038 struct nft_ctx ctx;
2039 struct nlattr *tmp;
2040 unsigned int size, i, n, ulen = 0, usize = 0;
2041 int err, rem;
2042 bool create;
2043 u64 handle, pos_handle;
2044
2045 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2046
2047 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2048 if (IS_ERR(afi))
2049 return PTR_ERR(afi);
2050
2051 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2052 if (IS_ERR(table))
2053 return PTR_ERR(table);
2054
2055 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2056 if (IS_ERR(chain))
2057 return PTR_ERR(chain);
2058
2059 if (nla[NFTA_RULE_HANDLE]) {
2060 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2061 rule = __nf_tables_rule_lookup(chain, handle);
2062 if (IS_ERR(rule))
2063 return PTR_ERR(rule);
2064
2065 if (nlh->nlmsg_flags & NLM_F_EXCL)
2066 return -EEXIST;
2067 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2068 old_rule = rule;
2069 else
2070 return -EOPNOTSUPP;
2071 } else {
2072 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2073 return -EINVAL;
2074 handle = nf_tables_alloc_handle(table);
2075
2076 if (chain->use == UINT_MAX)
2077 return -EOVERFLOW;
2078 }
2079
2080 if (nla[NFTA_RULE_POSITION]) {
2081 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2082 return -EOPNOTSUPP;
2083
2084 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2085 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2086 if (IS_ERR(old_rule))
2087 return PTR_ERR(old_rule);
2088 }
2089
2090 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2091
2092 n = 0;
2093 size = 0;
2094 if (nla[NFTA_RULE_EXPRESSIONS]) {
2095 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2096 err = -EINVAL;
2097 if (nla_type(tmp) != NFTA_LIST_ELEM)
2098 goto err1;
2099 if (n == NFT_RULE_MAXEXPRS)
2100 goto err1;
2101 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2102 if (err < 0)
2103 goto err1;
2104 size += info[n].ops->size;
2105 n++;
2106 }
2107 }
2108 /* Check for overflow of dlen field */
2109 err = -EFBIG;
2110 if (size >= 1 << 12)
2111 goto err1;
2112
2113 if (nla[NFTA_RULE_USERDATA]) {
2114 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2115 if (ulen > 0)
2116 usize = sizeof(struct nft_userdata) + ulen;
2117 }
2118
2119 err = -ENOMEM;
2120 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2121 if (rule == NULL)
2122 goto err1;
2123
2124 nft_activate_next(net, rule);
2125
2126 rule->handle = handle;
2127 rule->dlen = size;
2128 rule->udata = ulen ? 1 : 0;
2129
2130 if (ulen) {
2131 udata = nft_userdata(rule);
2132 udata->len = ulen - 1;
2133 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2134 }
2135
2136 expr = nft_expr_first(rule);
2137 for (i = 0; i < n; i++) {
2138 err = nf_tables_newexpr(&ctx, &info[i], expr);
2139 if (err < 0)
2140 goto err2;
2141 info[i].ops = NULL;
2142 expr = nft_expr_next(expr);
2143 }
2144
2145 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2146 if (nft_is_active_next(net, old_rule)) {
2147 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2148 old_rule);
2149 if (trans == NULL) {
2150 err = -ENOMEM;
2151 goto err2;
2152 }
2153 nft_deactivate_next(net, old_rule);
2154 chain->use--;
2155 list_add_tail_rcu(&rule->list, &old_rule->list);
2156 } else {
2157 err = -ENOENT;
2158 goto err2;
2159 }
2160 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2161 if (old_rule)
2162 list_add_rcu(&rule->list, &old_rule->list);
2163 else
2164 list_add_tail_rcu(&rule->list, &chain->rules);
2165 else {
2166 if (old_rule)
2167 list_add_tail_rcu(&rule->list, &old_rule->list);
2168 else
2169 list_add_rcu(&rule->list, &chain->rules);
2170 }
2171
2172 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2173 err = -ENOMEM;
2174 goto err3;
2175 }
2176 chain->use++;
2177 return 0;
2178
2179 err3:
2180 list_del_rcu(&rule->list);
2181 err2:
2182 nf_tables_rule_destroy(&ctx, rule);
2183 err1:
2184 for (i = 0; i < n; i++) {
2185 if (info[i].ops != NULL)
2186 module_put(info[i].ops->type->owner);
2187 }
2188 return err;
2189 }
2190
2191 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2192 struct sk_buff *skb, const struct nlmsghdr *nlh,
2193 const struct nlattr * const nla[])
2194 {
2195 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2196 u8 genmask = nft_genmask_next(net);
2197 struct nft_af_info *afi;
2198 struct nft_table *table;
2199 struct nft_chain *chain = NULL;
2200 struct nft_rule *rule;
2201 int family = nfmsg->nfgen_family, err = 0;
2202 struct nft_ctx ctx;
2203
2204 afi = nf_tables_afinfo_lookup(net, family, false);
2205 if (IS_ERR(afi))
2206 return PTR_ERR(afi);
2207
2208 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2209 if (IS_ERR(table))
2210 return PTR_ERR(table);
2211
2212 if (nla[NFTA_RULE_CHAIN]) {
2213 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2214 genmask);
2215 if (IS_ERR(chain))
2216 return PTR_ERR(chain);
2217 }
2218
2219 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2220
2221 if (chain) {
2222 if (nla[NFTA_RULE_HANDLE]) {
2223 rule = nf_tables_rule_lookup(chain,
2224 nla[NFTA_RULE_HANDLE]);
2225 if (IS_ERR(rule))
2226 return PTR_ERR(rule);
2227
2228 err = nft_delrule(&ctx, rule);
2229 } else {
2230 err = nft_delrule_by_chain(&ctx);
2231 }
2232 } else {
2233 list_for_each_entry(chain, &table->chains, list) {
2234 if (!nft_is_active_next(net, chain))
2235 continue;
2236
2237 ctx.chain = chain;
2238 err = nft_delrule_by_chain(&ctx);
2239 if (err < 0)
2240 break;
2241 }
2242 }
2243
2244 return err;
2245 }
2246
2247 /*
2248 * Sets
2249 */
2250
2251 static LIST_HEAD(nf_tables_set_ops);
2252
2253 int nft_register_set(struct nft_set_ops *ops)
2254 {
2255 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2256 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2257 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2258 return 0;
2259 }
2260 EXPORT_SYMBOL_GPL(nft_register_set);
2261
2262 void nft_unregister_set(struct nft_set_ops *ops)
2263 {
2264 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2265 list_del_rcu(&ops->list);
2266 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2267 }
2268 EXPORT_SYMBOL_GPL(nft_unregister_set);
2269
2270 /*
2271 * Select a set implementation based on the data characteristics and the
2272 * given policy. The total memory use might not be known if no size is
2273 * given, in that case the amount of memory per element is used.
2274 */
2275 static const struct nft_set_ops *
2276 nft_select_set_ops(const struct nlattr * const nla[],
2277 const struct nft_set_desc *desc,
2278 enum nft_set_policies policy)
2279 {
2280 const struct nft_set_ops *ops, *bops;
2281 struct nft_set_estimate est, best;
2282 u32 features;
2283
2284 #ifdef CONFIG_MODULES
2285 if (list_empty(&nf_tables_set_ops)) {
2286 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2287 request_module("nft-set");
2288 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2289 if (!list_empty(&nf_tables_set_ops))
2290 return ERR_PTR(-EAGAIN);
2291 }
2292 #endif
2293 features = 0;
2294 if (nla[NFTA_SET_FLAGS] != NULL) {
2295 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2296 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT;
2297 }
2298
2299 bops = NULL;
2300 best.size = ~0;
2301 best.class = ~0;
2302
2303 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2304 if ((ops->features & features) != features)
2305 continue;
2306 if (!ops->estimate(desc, features, &est))
2307 continue;
2308
2309 switch (policy) {
2310 case NFT_SET_POL_PERFORMANCE:
2311 if (est.class < best.class)
2312 break;
2313 if (est.class == best.class && est.size < best.size)
2314 break;
2315 continue;
2316 case NFT_SET_POL_MEMORY:
2317 if (est.size < best.size)
2318 break;
2319 if (est.size == best.size && est.class < best.class)
2320 break;
2321 continue;
2322 default:
2323 break;
2324 }
2325
2326 if (!try_module_get(ops->owner))
2327 continue;
2328 if (bops != NULL)
2329 module_put(bops->owner);
2330
2331 bops = ops;
2332 best = est;
2333 }
2334
2335 if (bops != NULL)
2336 return bops;
2337
2338 return ERR_PTR(-EOPNOTSUPP);
2339 }
2340
2341 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2342 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2343 [NFTA_SET_NAME] = { .type = NLA_STRING,
2344 .len = NFT_SET_MAXNAMELEN - 1 },
2345 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2346 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2347 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2348 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2349 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2350 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2351 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2352 [NFTA_SET_ID] = { .type = NLA_U32 },
2353 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2354 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2355 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2356 .len = NFT_USERDATA_MAXLEN },
2357 };
2358
2359 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2360 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2361 };
2362
2363 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2364 const struct sk_buff *skb,
2365 const struct nlmsghdr *nlh,
2366 const struct nlattr * const nla[],
2367 u8 genmask)
2368 {
2369 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2370 struct nft_af_info *afi = NULL;
2371 struct nft_table *table = NULL;
2372
2373 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2374 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2375 if (IS_ERR(afi))
2376 return PTR_ERR(afi);
2377 }
2378
2379 if (nla[NFTA_SET_TABLE] != NULL) {
2380 if (afi == NULL)
2381 return -EAFNOSUPPORT;
2382
2383 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2384 genmask);
2385 if (IS_ERR(table))
2386 return PTR_ERR(table);
2387 }
2388
2389 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2390 return 0;
2391 }
2392
2393 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2394 const struct nlattr *nla, u8 genmask)
2395 {
2396 struct nft_set *set;
2397
2398 if (nla == NULL)
2399 return ERR_PTR(-EINVAL);
2400
2401 list_for_each_entry(set, &table->sets, list) {
2402 if (!nla_strcmp(nla, set->name) &&
2403 nft_active_genmask(set, genmask))
2404 return set;
2405 }
2406 return ERR_PTR(-ENOENT);
2407 }
2408
2409 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2410 const struct nlattr *nla,
2411 u8 genmask)
2412 {
2413 struct nft_trans *trans;
2414 u32 id = ntohl(nla_get_be32(nla));
2415
2416 list_for_each_entry(trans, &net->nft.commit_list, list) {
2417 struct nft_set *set = nft_trans_set(trans);
2418
2419 if (trans->msg_type == NFT_MSG_NEWSET &&
2420 id == nft_trans_set_id(trans) &&
2421 nft_active_genmask(set, genmask))
2422 return set;
2423 }
2424 return ERR_PTR(-ENOENT);
2425 }
2426
2427 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2428 const char *name)
2429 {
2430 const struct nft_set *i;
2431 const char *p;
2432 unsigned long *inuse;
2433 unsigned int n = 0, min = 0;
2434
2435 p = strnchr(name, NFT_SET_MAXNAMELEN, '%');
2436 if (p != NULL) {
2437 if (p[1] != 'd' || strchr(p + 2, '%'))
2438 return -EINVAL;
2439
2440 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2441 if (inuse == NULL)
2442 return -ENOMEM;
2443 cont:
2444 list_for_each_entry(i, &ctx->table->sets, list) {
2445 int tmp;
2446
2447 if (!nft_is_active_next(ctx->net, set))
2448 continue;
2449 if (!sscanf(i->name, name, &tmp))
2450 continue;
2451 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2452 continue;
2453
2454 set_bit(tmp - min, inuse);
2455 }
2456
2457 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2458 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2459 min += BITS_PER_BYTE * PAGE_SIZE;
2460 memset(inuse, 0, PAGE_SIZE);
2461 goto cont;
2462 }
2463 free_page((unsigned long)inuse);
2464 }
2465
2466 snprintf(set->name, sizeof(set->name), name, min + n);
2467 list_for_each_entry(i, &ctx->table->sets, list) {
2468 if (!nft_is_active_next(ctx->net, i))
2469 continue;
2470 if (!strcmp(set->name, i->name))
2471 return -ENFILE;
2472 }
2473 return 0;
2474 }
2475
2476 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2477 const struct nft_set *set, u16 event, u16 flags)
2478 {
2479 struct nfgenmsg *nfmsg;
2480 struct nlmsghdr *nlh;
2481 struct nlattr *desc;
2482 u32 portid = ctx->portid;
2483 u32 seq = ctx->seq;
2484
2485 event |= NFNL_SUBSYS_NFTABLES << 8;
2486 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2487 flags);
2488 if (nlh == NULL)
2489 goto nla_put_failure;
2490
2491 nfmsg = nlmsg_data(nlh);
2492 nfmsg->nfgen_family = ctx->afi->family;
2493 nfmsg->version = NFNETLINK_V0;
2494 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2495
2496 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2497 goto nla_put_failure;
2498 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2499 goto nla_put_failure;
2500 if (set->flags != 0)
2501 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2502 goto nla_put_failure;
2503
2504 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2505 goto nla_put_failure;
2506 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2507 goto nla_put_failure;
2508 if (set->flags & NFT_SET_MAP) {
2509 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2510 goto nla_put_failure;
2511 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2512 goto nla_put_failure;
2513 }
2514
2515 if (set->timeout &&
2516 nla_put_be64(skb, NFTA_SET_TIMEOUT, cpu_to_be64(set->timeout),
2517 NFTA_SET_PAD))
2518 goto nla_put_failure;
2519 if (set->gc_int &&
2520 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2521 goto nla_put_failure;
2522
2523 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2524 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2525 goto nla_put_failure;
2526 }
2527
2528 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2529 goto nla_put_failure;
2530
2531 desc = nla_nest_start(skb, NFTA_SET_DESC);
2532 if (desc == NULL)
2533 goto nla_put_failure;
2534 if (set->size &&
2535 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2536 goto nla_put_failure;
2537 nla_nest_end(skb, desc);
2538
2539 nlmsg_end(skb, nlh);
2540 return 0;
2541
2542 nla_put_failure:
2543 nlmsg_trim(skb, nlh);
2544 return -1;
2545 }
2546
2547 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2548 const struct nft_set *set,
2549 int event, gfp_t gfp_flags)
2550 {
2551 struct sk_buff *skb;
2552 u32 portid = ctx->portid;
2553 int err;
2554
2555 if (!ctx->report &&
2556 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2557 return 0;
2558
2559 err = -ENOBUFS;
2560 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2561 if (skb == NULL)
2562 goto err;
2563
2564 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2565 if (err < 0) {
2566 kfree_skb(skb);
2567 goto err;
2568 }
2569
2570 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2571 ctx->report, gfp_flags);
2572 err:
2573 if (err < 0)
2574 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2575 return err;
2576 }
2577
2578 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2579 {
2580 const struct nft_set *set;
2581 unsigned int idx, s_idx = cb->args[0];
2582 struct nft_af_info *afi;
2583 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2584 struct net *net = sock_net(skb->sk);
2585 int cur_family = cb->args[3];
2586 struct nft_ctx *ctx = cb->data, ctx_set;
2587
2588 if (cb->args[1])
2589 return skb->len;
2590
2591 rcu_read_lock();
2592 cb->seq = net->nft.base_seq;
2593
2594 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2595 if (ctx->afi && ctx->afi != afi)
2596 continue;
2597
2598 if (cur_family) {
2599 if (afi->family != cur_family)
2600 continue;
2601
2602 cur_family = 0;
2603 }
2604 list_for_each_entry_rcu(table, &afi->tables, list) {
2605 if (ctx->table && ctx->table != table)
2606 continue;
2607
2608 if (cur_table) {
2609 if (cur_table != table)
2610 continue;
2611
2612 cur_table = NULL;
2613 }
2614 idx = 0;
2615 list_for_each_entry_rcu(set, &table->sets, list) {
2616 if (idx < s_idx)
2617 goto cont;
2618 if (!nft_is_active(net, set))
2619 goto cont;
2620
2621 ctx_set = *ctx;
2622 ctx_set.table = table;
2623 ctx_set.afi = afi;
2624 if (nf_tables_fill_set(skb, &ctx_set, set,
2625 NFT_MSG_NEWSET,
2626 NLM_F_MULTI) < 0) {
2627 cb->args[0] = idx;
2628 cb->args[2] = (unsigned long) table;
2629 cb->args[3] = afi->family;
2630 goto done;
2631 }
2632 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2633 cont:
2634 idx++;
2635 }
2636 if (s_idx)
2637 s_idx = 0;
2638 }
2639 }
2640 cb->args[1] = 1;
2641 done:
2642 rcu_read_unlock();
2643 return skb->len;
2644 }
2645
2646 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2647 {
2648 kfree(cb->data);
2649 return 0;
2650 }
2651
2652 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2653 struct sk_buff *skb, const struct nlmsghdr *nlh,
2654 const struct nlattr * const nla[])
2655 {
2656 u8 genmask = nft_genmask_cur(net);
2657 const struct nft_set *set;
2658 struct nft_ctx ctx;
2659 struct sk_buff *skb2;
2660 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2661 int err;
2662
2663 /* Verify existence before starting dump */
2664 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2665 if (err < 0)
2666 return err;
2667
2668 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2669 struct netlink_dump_control c = {
2670 .dump = nf_tables_dump_sets,
2671 .done = nf_tables_dump_sets_done,
2672 };
2673 struct nft_ctx *ctx_dump;
2674
2675 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2676 if (ctx_dump == NULL)
2677 return -ENOMEM;
2678
2679 *ctx_dump = ctx;
2680 c.data = ctx_dump;
2681
2682 return netlink_dump_start(nlsk, skb, nlh, &c);
2683 }
2684
2685 /* Only accept unspec with dump */
2686 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2687 return -EAFNOSUPPORT;
2688 if (!nla[NFTA_SET_TABLE])
2689 return -EINVAL;
2690
2691 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2692 if (IS_ERR(set))
2693 return PTR_ERR(set);
2694
2695 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2696 if (skb2 == NULL)
2697 return -ENOMEM;
2698
2699 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2700 if (err < 0)
2701 goto err;
2702
2703 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2704
2705 err:
2706 kfree_skb(skb2);
2707 return err;
2708 }
2709
2710 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2711 struct nft_set_desc *desc,
2712 const struct nlattr *nla)
2713 {
2714 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2715 int err;
2716
2717 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2718 if (err < 0)
2719 return err;
2720
2721 if (da[NFTA_SET_DESC_SIZE] != NULL)
2722 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2723
2724 return 0;
2725 }
2726
2727 static int nf_tables_newset(struct net *net, struct sock *nlsk,
2728 struct sk_buff *skb, const struct nlmsghdr *nlh,
2729 const struct nlattr * const nla[])
2730 {
2731 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2732 u8 genmask = nft_genmask_next(net);
2733 const struct nft_set_ops *ops;
2734 struct nft_af_info *afi;
2735 struct nft_table *table;
2736 struct nft_set *set;
2737 struct nft_ctx ctx;
2738 char name[NFT_SET_MAXNAMELEN];
2739 unsigned int size;
2740 bool create;
2741 u64 timeout;
2742 u32 ktype, dtype, flags, policy, gc_int;
2743 struct nft_set_desc desc;
2744 unsigned char *udata;
2745 u16 udlen;
2746 int err;
2747
2748 if (nla[NFTA_SET_TABLE] == NULL ||
2749 nla[NFTA_SET_NAME] == NULL ||
2750 nla[NFTA_SET_KEY_LEN] == NULL ||
2751 nla[NFTA_SET_ID] == NULL)
2752 return -EINVAL;
2753
2754 memset(&desc, 0, sizeof(desc));
2755
2756 ktype = NFT_DATA_VALUE;
2757 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2758 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2759 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2760 return -EINVAL;
2761 }
2762
2763 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2764 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2765 return -EINVAL;
2766
2767 flags = 0;
2768 if (nla[NFTA_SET_FLAGS] != NULL) {
2769 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2770 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2771 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2772 NFT_SET_MAP | NFT_SET_EVAL))
2773 return -EINVAL;
2774 /* Only one of both operations is supported */
2775 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) ==
2776 (NFT_SET_MAP | NFT_SET_EVAL))
2777 return -EOPNOTSUPP;
2778 }
2779
2780 dtype = 0;
2781 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2782 if (!(flags & NFT_SET_MAP))
2783 return -EINVAL;
2784
2785 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2786 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2787 dtype != NFT_DATA_VERDICT)
2788 return -EINVAL;
2789
2790 if (dtype != NFT_DATA_VERDICT) {
2791 if (nla[NFTA_SET_DATA_LEN] == NULL)
2792 return -EINVAL;
2793 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2794 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2795 return -EINVAL;
2796 } else
2797 desc.dlen = sizeof(struct nft_verdict);
2798 } else if (flags & NFT_SET_MAP)
2799 return -EINVAL;
2800
2801 timeout = 0;
2802 if (nla[NFTA_SET_TIMEOUT] != NULL) {
2803 if (!(flags & NFT_SET_TIMEOUT))
2804 return -EINVAL;
2805 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_TIMEOUT]));
2806 }
2807 gc_int = 0;
2808 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
2809 if (!(flags & NFT_SET_TIMEOUT))
2810 return -EINVAL;
2811 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
2812 }
2813
2814 policy = NFT_SET_POL_PERFORMANCE;
2815 if (nla[NFTA_SET_POLICY] != NULL)
2816 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2817
2818 if (nla[NFTA_SET_DESC] != NULL) {
2819 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2820 if (err < 0)
2821 return err;
2822 }
2823
2824 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2825
2826 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2827 if (IS_ERR(afi))
2828 return PTR_ERR(afi);
2829
2830 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
2831 if (IS_ERR(table))
2832 return PTR_ERR(table);
2833
2834 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
2835
2836 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
2837 if (IS_ERR(set)) {
2838 if (PTR_ERR(set) != -ENOENT)
2839 return PTR_ERR(set);
2840 set = NULL;
2841 }
2842
2843 if (set != NULL) {
2844 if (nlh->nlmsg_flags & NLM_F_EXCL)
2845 return -EEXIST;
2846 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2847 return -EOPNOTSUPP;
2848 return 0;
2849 }
2850
2851 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2852 return -ENOENT;
2853
2854 ops = nft_select_set_ops(nla, &desc, policy);
2855 if (IS_ERR(ops))
2856 return PTR_ERR(ops);
2857
2858 udlen = 0;
2859 if (nla[NFTA_SET_USERDATA])
2860 udlen = nla_len(nla[NFTA_SET_USERDATA]);
2861
2862 size = 0;
2863 if (ops->privsize != NULL)
2864 size = ops->privsize(nla);
2865
2866 err = -ENOMEM;
2867 set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
2868 if (set == NULL)
2869 goto err1;
2870
2871 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2872 err = nf_tables_set_alloc_name(&ctx, set, name);
2873 if (err < 0)
2874 goto err2;
2875
2876 udata = NULL;
2877 if (udlen) {
2878 udata = set->data + size;
2879 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
2880 }
2881
2882 INIT_LIST_HEAD(&set->bindings);
2883 set->ops = ops;
2884 set->ktype = ktype;
2885 set->klen = desc.klen;
2886 set->dtype = dtype;
2887 set->dlen = desc.dlen;
2888 set->flags = flags;
2889 set->size = desc.size;
2890 set->policy = policy;
2891 set->udlen = udlen;
2892 set->udata = udata;
2893 set->timeout = timeout;
2894 set->gc_int = gc_int;
2895
2896 err = ops->init(set, &desc, nla);
2897 if (err < 0)
2898 goto err2;
2899
2900 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2901 if (err < 0)
2902 goto err2;
2903
2904 list_add_tail_rcu(&set->list, &table->sets);
2905 table->use++;
2906 return 0;
2907
2908 err2:
2909 kfree(set);
2910 err1:
2911 module_put(ops->owner);
2912 return err;
2913 }
2914
2915 static void nft_set_destroy(struct nft_set *set)
2916 {
2917 set->ops->destroy(set);
2918 module_put(set->ops->owner);
2919 kfree(set);
2920 }
2921
2922 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2923 {
2924 list_del_rcu(&set->list);
2925 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2926 nft_set_destroy(set);
2927 }
2928
2929 static int nf_tables_delset(struct net *net, struct sock *nlsk,
2930 struct sk_buff *skb, const struct nlmsghdr *nlh,
2931 const struct nlattr * const nla[])
2932 {
2933 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2934 u8 genmask = nft_genmask_next(net);
2935 struct nft_set *set;
2936 struct nft_ctx ctx;
2937 int err;
2938
2939 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2940 return -EAFNOSUPPORT;
2941 if (nla[NFTA_SET_TABLE] == NULL)
2942 return -EINVAL;
2943
2944 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2945 if (err < 0)
2946 return err;
2947
2948 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2949 if (IS_ERR(set))
2950 return PTR_ERR(set);
2951 if (!list_empty(&set->bindings))
2952 return -EBUSY;
2953
2954 return nft_delset(&ctx, set);
2955 }
2956
2957 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2958 const struct nft_set *set,
2959 const struct nft_set_iter *iter,
2960 const struct nft_set_elem *elem)
2961 {
2962 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
2963 enum nft_registers dreg;
2964
2965 dreg = nft_type_to_reg(set->dtype);
2966 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
2967 set->dtype == NFT_DATA_VERDICT ?
2968 NFT_DATA_VERDICT : NFT_DATA_VALUE,
2969 set->dlen);
2970 }
2971
2972 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2973 struct nft_set_binding *binding)
2974 {
2975 struct nft_set_binding *i;
2976 struct nft_set_iter iter;
2977
2978 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2979 return -EBUSY;
2980
2981 if (binding->flags & NFT_SET_MAP) {
2982 /* If the set is already bound to the same chain all
2983 * jumps are already validated for that chain.
2984 */
2985 list_for_each_entry(i, &set->bindings, list) {
2986 if (i->flags & NFT_SET_MAP &&
2987 i->chain == binding->chain)
2988 goto bind;
2989 }
2990
2991 iter.genmask = nft_genmask_next(ctx->net);
2992 iter.skip = 0;
2993 iter.count = 0;
2994 iter.err = 0;
2995 iter.fn = nf_tables_bind_check_setelem;
2996
2997 set->ops->walk(ctx, set, &iter);
2998 if (iter.err < 0)
2999 return iter.err;
3000 }
3001 bind:
3002 binding->chain = ctx->chain;
3003 list_add_tail_rcu(&binding->list, &set->bindings);
3004 return 0;
3005 }
3006
3007 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3008 struct nft_set_binding *binding)
3009 {
3010 list_del_rcu(&binding->list);
3011
3012 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
3013 nft_is_active(ctx->net, set))
3014 nf_tables_set_destroy(ctx, set);
3015 }
3016
3017 const struct nft_set_ext_type nft_set_ext_types[] = {
3018 [NFT_SET_EXT_KEY] = {
3019 .align = __alignof__(u32),
3020 },
3021 [NFT_SET_EXT_DATA] = {
3022 .align = __alignof__(u32),
3023 },
3024 [NFT_SET_EXT_EXPR] = {
3025 .align = __alignof__(struct nft_expr),
3026 },
3027 [NFT_SET_EXT_FLAGS] = {
3028 .len = sizeof(u8),
3029 .align = __alignof__(u8),
3030 },
3031 [NFT_SET_EXT_TIMEOUT] = {
3032 .len = sizeof(u64),
3033 .align = __alignof__(u64),
3034 },
3035 [NFT_SET_EXT_EXPIRATION] = {
3036 .len = sizeof(unsigned long),
3037 .align = __alignof__(unsigned long),
3038 },
3039 [NFT_SET_EXT_USERDATA] = {
3040 .len = sizeof(struct nft_userdata),
3041 .align = __alignof__(struct nft_userdata),
3042 },
3043 };
3044 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3045
3046 /*
3047 * Set elements
3048 */
3049
3050 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3051 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3052 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3053 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3054 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3055 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3056 .len = NFT_USERDATA_MAXLEN },
3057 };
3058
3059 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3060 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
3061 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
3062 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3063 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3064 };
3065
3066 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3067 const struct sk_buff *skb,
3068 const struct nlmsghdr *nlh,
3069 const struct nlattr * const nla[],
3070 u8 genmask)
3071 {
3072 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3073 struct nft_af_info *afi;
3074 struct nft_table *table;
3075
3076 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3077 if (IS_ERR(afi))
3078 return PTR_ERR(afi);
3079
3080 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3081 genmask);
3082 if (IS_ERR(table))
3083 return PTR_ERR(table);
3084
3085 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3086 return 0;
3087 }
3088
3089 static int nf_tables_fill_setelem(struct sk_buff *skb,
3090 const struct nft_set *set,
3091 const struct nft_set_elem *elem)
3092 {
3093 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3094 unsigned char *b = skb_tail_pointer(skb);
3095 struct nlattr *nest;
3096
3097 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3098 if (nest == NULL)
3099 goto nla_put_failure;
3100
3101 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3102 NFT_DATA_VALUE, set->klen) < 0)
3103 goto nla_put_failure;
3104
3105 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3106 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3107 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3108 set->dlen) < 0)
3109 goto nla_put_failure;
3110
3111 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3112 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3113 goto nla_put_failure;
3114
3115 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3116 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3117 htonl(*nft_set_ext_flags(ext))))
3118 goto nla_put_failure;
3119
3120 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3121 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3122 cpu_to_be64(*nft_set_ext_timeout(ext)),
3123 NFTA_SET_ELEM_PAD))
3124 goto nla_put_failure;
3125
3126 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3127 unsigned long expires, now = jiffies;
3128
3129 expires = *nft_set_ext_expiration(ext);
3130 if (time_before(now, expires))
3131 expires -= now;
3132 else
3133 expires = 0;
3134
3135 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3136 cpu_to_be64(jiffies_to_msecs(expires)),
3137 NFTA_SET_ELEM_PAD))
3138 goto nla_put_failure;
3139 }
3140
3141 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3142 struct nft_userdata *udata;
3143
3144 udata = nft_set_ext_userdata(ext);
3145 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3146 udata->len + 1, udata->data))
3147 goto nla_put_failure;
3148 }
3149
3150 nla_nest_end(skb, nest);
3151 return 0;
3152
3153 nla_put_failure:
3154 nlmsg_trim(skb, b);
3155 return -EMSGSIZE;
3156 }
3157
3158 struct nft_set_dump_args {
3159 const struct netlink_callback *cb;
3160 struct nft_set_iter iter;
3161 struct sk_buff *skb;
3162 };
3163
3164 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3165 const struct nft_set *set,
3166 const struct nft_set_iter *iter,
3167 const struct nft_set_elem *elem)
3168 {
3169 struct nft_set_dump_args *args;
3170
3171 args = container_of(iter, struct nft_set_dump_args, iter);
3172 return nf_tables_fill_setelem(args->skb, set, elem);
3173 }
3174
3175 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3176 {
3177 struct net *net = sock_net(skb->sk);
3178 u8 genmask = nft_genmask_cur(net);
3179 const struct nft_set *set;
3180 struct nft_set_dump_args args;
3181 struct nft_ctx ctx;
3182 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
3183 struct nfgenmsg *nfmsg;
3184 struct nlmsghdr *nlh;
3185 struct nlattr *nest;
3186 u32 portid, seq;
3187 int event, err;
3188
3189 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
3190 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
3191 if (err < 0)
3192 return err;
3193
3194 err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
3195 (void *)nla, genmask);
3196 if (err < 0)
3197 return err;
3198
3199 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3200 genmask);
3201 if (IS_ERR(set))
3202 return PTR_ERR(set);
3203
3204 event = NFT_MSG_NEWSETELEM;
3205 event |= NFNL_SUBSYS_NFTABLES << 8;
3206 portid = NETLINK_CB(cb->skb).portid;
3207 seq = cb->nlh->nlmsg_seq;
3208
3209 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3210 NLM_F_MULTI);
3211 if (nlh == NULL)
3212 goto nla_put_failure;
3213
3214 nfmsg = nlmsg_data(nlh);
3215 nfmsg->nfgen_family = ctx.afi->family;
3216 nfmsg->version = NFNETLINK_V0;
3217 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff);
3218
3219 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
3220 goto nla_put_failure;
3221 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3222 goto nla_put_failure;
3223
3224 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3225 if (nest == NULL)
3226 goto nla_put_failure;
3227
3228 args.cb = cb;
3229 args.skb = skb;
3230 args.iter.genmask = nft_genmask_cur(ctx.net);
3231 args.iter.skip = cb->args[0];
3232 args.iter.count = 0;
3233 args.iter.err = 0;
3234 args.iter.fn = nf_tables_dump_setelem;
3235 set->ops->walk(&ctx, set, &args.iter);
3236
3237 nla_nest_end(skb, nest);
3238 nlmsg_end(skb, nlh);
3239
3240 if (args.iter.err && args.iter.err != -EMSGSIZE)
3241 return args.iter.err;
3242 if (args.iter.count == cb->args[0])
3243 return 0;
3244
3245 cb->args[0] = args.iter.count;
3246 return skb->len;
3247
3248 nla_put_failure:
3249 return -ENOSPC;
3250 }
3251
3252 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3253 struct sk_buff *skb, const struct nlmsghdr *nlh,
3254 const struct nlattr * const nla[])
3255 {
3256 u8 genmask = nft_genmask_cur(net);
3257 const struct nft_set *set;
3258 struct nft_ctx ctx;
3259 int err;
3260
3261 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3262 if (err < 0)
3263 return err;
3264
3265 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3266 genmask);
3267 if (IS_ERR(set))
3268 return PTR_ERR(set);
3269
3270 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3271 struct netlink_dump_control c = {
3272 .dump = nf_tables_dump_set,
3273 };
3274 return netlink_dump_start(nlsk, skb, nlh, &c);
3275 }
3276 return -EOPNOTSUPP;
3277 }
3278
3279 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3280 const struct nft_ctx *ctx, u32 seq,
3281 u32 portid, int event, u16 flags,
3282 const struct nft_set *set,
3283 const struct nft_set_elem *elem)
3284 {
3285 struct nfgenmsg *nfmsg;
3286 struct nlmsghdr *nlh;
3287 struct nlattr *nest;
3288 int err;
3289
3290 event |= NFNL_SUBSYS_NFTABLES << 8;
3291 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3292 flags);
3293 if (nlh == NULL)
3294 goto nla_put_failure;
3295
3296 nfmsg = nlmsg_data(nlh);
3297 nfmsg->nfgen_family = ctx->afi->family;
3298 nfmsg->version = NFNETLINK_V0;
3299 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3300
3301 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3302 goto nla_put_failure;
3303 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3304 goto nla_put_failure;
3305
3306 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3307 if (nest == NULL)
3308 goto nla_put_failure;
3309
3310 err = nf_tables_fill_setelem(skb, set, elem);
3311 if (err < 0)
3312 goto nla_put_failure;
3313
3314 nla_nest_end(skb, nest);
3315
3316 nlmsg_end(skb, nlh);
3317 return 0;
3318
3319 nla_put_failure:
3320 nlmsg_trim(skb, nlh);
3321 return -1;
3322 }
3323
3324 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3325 const struct nft_set *set,
3326 const struct nft_set_elem *elem,
3327 int event, u16 flags)
3328 {
3329 struct net *net = ctx->net;
3330 u32 portid = ctx->portid;
3331 struct sk_buff *skb;
3332 int err;
3333
3334 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3335 return 0;
3336
3337 err = -ENOBUFS;
3338 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3339 if (skb == NULL)
3340 goto err;
3341
3342 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3343 set, elem);
3344 if (err < 0) {
3345 kfree_skb(skb);
3346 goto err;
3347 }
3348
3349 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3350 GFP_KERNEL);
3351 err:
3352 if (err < 0)
3353 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3354 return err;
3355 }
3356
3357 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3358 int msg_type,
3359 struct nft_set *set)
3360 {
3361 struct nft_trans *trans;
3362
3363 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3364 if (trans == NULL)
3365 return NULL;
3366
3367 nft_trans_elem_set(trans) = set;
3368 return trans;
3369 }
3370
3371 void *nft_set_elem_init(const struct nft_set *set,
3372 const struct nft_set_ext_tmpl *tmpl,
3373 const u32 *key, const u32 *data,
3374 u64 timeout, gfp_t gfp)
3375 {
3376 struct nft_set_ext *ext;
3377 void *elem;
3378
3379 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3380 if (elem == NULL)
3381 return NULL;
3382
3383 ext = nft_set_elem_ext(set, elem);
3384 nft_set_ext_init(ext, tmpl);
3385
3386 memcpy(nft_set_ext_key(ext), key, set->klen);
3387 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3388 memcpy(nft_set_ext_data(ext), data, set->dlen);
3389 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3390 *nft_set_ext_expiration(ext) =
3391 jiffies + msecs_to_jiffies(timeout);
3392 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3393 *nft_set_ext_timeout(ext) = timeout;
3394
3395 return elem;
3396 }
3397
3398 void nft_set_elem_destroy(const struct nft_set *set, void *elem)
3399 {
3400 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3401
3402 nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
3403 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3404 nft_data_uninit(nft_set_ext_data(ext), set->dtype);
3405 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3406 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3407
3408 kfree(elem);
3409 }
3410 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3411
3412 static int nft_setelem_parse_flags(const struct nft_set *set,
3413 const struct nlattr *attr, u32 *flags)
3414 {
3415 if (attr == NULL)
3416 return 0;
3417
3418 *flags = ntohl(nla_get_be32(attr));
3419 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3420 return -EINVAL;
3421 if (!(set->flags & NFT_SET_INTERVAL) &&
3422 *flags & NFT_SET_ELEM_INTERVAL_END)
3423 return -EINVAL;
3424
3425 return 0;
3426 }
3427
3428 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3429 const struct nlattr *attr)
3430 {
3431 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3432 struct nft_data_desc d1, d2;
3433 struct nft_set_ext_tmpl tmpl;
3434 struct nft_set_ext *ext;
3435 struct nft_set_elem elem;
3436 struct nft_set_binding *binding;
3437 struct nft_userdata *udata;
3438 struct nft_data data;
3439 enum nft_registers dreg;
3440 struct nft_trans *trans;
3441 u32 flags = 0;
3442 u64 timeout;
3443 u8 ulen;
3444 int err;
3445
3446 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3447 nft_set_elem_policy);
3448 if (err < 0)
3449 return err;
3450
3451 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3452 return -EINVAL;
3453
3454 nft_set_ext_prepare(&tmpl);
3455
3456 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3457 if (err < 0)
3458 return err;
3459 if (flags != 0)
3460 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3461
3462 if (set->flags & NFT_SET_MAP) {
3463 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3464 !(flags & NFT_SET_ELEM_INTERVAL_END))
3465 return -EINVAL;
3466 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3467 flags & NFT_SET_ELEM_INTERVAL_END)
3468 return -EINVAL;
3469 } else {
3470 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3471 return -EINVAL;
3472 }
3473
3474 timeout = 0;
3475 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3476 if (!(set->flags & NFT_SET_TIMEOUT))
3477 return -EINVAL;
3478 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_ELEM_TIMEOUT]));
3479 } else if (set->flags & NFT_SET_TIMEOUT) {
3480 timeout = set->timeout;
3481 }
3482
3483 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3484 nla[NFTA_SET_ELEM_KEY]);
3485 if (err < 0)
3486 goto err1;
3487 err = -EINVAL;
3488 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3489 goto err2;
3490
3491 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3492 if (timeout > 0) {
3493 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3494 if (timeout != set->timeout)
3495 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3496 }
3497
3498 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3499 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3500 nla[NFTA_SET_ELEM_DATA]);
3501 if (err < 0)
3502 goto err2;
3503
3504 err = -EINVAL;
3505 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3506 goto err3;
3507
3508 dreg = nft_type_to_reg(set->dtype);
3509 list_for_each_entry(binding, &set->bindings, list) {
3510 struct nft_ctx bind_ctx = {
3511 .afi = ctx->afi,
3512 .table = ctx->table,
3513 .chain = (struct nft_chain *)binding->chain,
3514 };
3515
3516 if (!(binding->flags & NFT_SET_MAP))
3517 continue;
3518
3519 err = nft_validate_register_store(&bind_ctx, dreg,
3520 &data,
3521 d2.type, d2.len);
3522 if (err < 0)
3523 goto err3;
3524 }
3525
3526 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3527 }
3528
3529 /* The full maximum length of userdata can exceed the maximum
3530 * offset value (U8_MAX) for following extensions, therefor it
3531 * must be the last extension added.
3532 */
3533 ulen = 0;
3534 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3535 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3536 if (ulen > 0)
3537 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3538 ulen);
3539 }
3540
3541 err = -ENOMEM;
3542 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3543 timeout, GFP_KERNEL);
3544 if (elem.priv == NULL)
3545 goto err3;
3546
3547 ext = nft_set_elem_ext(set, elem.priv);
3548 if (flags)
3549 *nft_set_ext_flags(ext) = flags;
3550 if (ulen > 0) {
3551 udata = nft_set_ext_userdata(ext);
3552 udata->len = ulen - 1;
3553 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3554 }
3555
3556 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3557 if (trans == NULL)
3558 goto err4;
3559
3560 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3561 err = set->ops->insert(ctx->net, set, &elem);
3562 if (err < 0)
3563 goto err5;
3564
3565 nft_trans_elem(trans) = elem;
3566 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3567 return 0;
3568
3569 err5:
3570 kfree(trans);
3571 err4:
3572 kfree(elem.priv);
3573 err3:
3574 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3575 nft_data_uninit(&data, d2.type);
3576 err2:
3577 nft_data_uninit(&elem.key.val, d1.type);
3578 err1:
3579 return err;
3580 }
3581
3582 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
3583 struct sk_buff *skb, const struct nlmsghdr *nlh,
3584 const struct nlattr * const nla[])
3585 {
3586 u8 genmask = nft_genmask_next(net);
3587 const struct nlattr *attr;
3588 struct nft_set *set;
3589 struct nft_ctx ctx;
3590 int rem, err = 0;
3591
3592 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3593 return -EINVAL;
3594
3595 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3596 if (err < 0)
3597 return err;
3598
3599 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3600 genmask);
3601 if (IS_ERR(set)) {
3602 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3603 set = nf_tables_set_lookup_byid(net,
3604 nla[NFTA_SET_ELEM_LIST_SET_ID],
3605 genmask);
3606 }
3607 if (IS_ERR(set))
3608 return PTR_ERR(set);
3609 }
3610
3611 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3612 return -EBUSY;
3613
3614 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3615 if (set->size &&
3616 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact))
3617 return -ENFILE;
3618
3619 err = nft_add_set_elem(&ctx, set, attr);
3620 if (err < 0) {
3621 atomic_dec(&set->nelems);
3622 break;
3623 }
3624 }
3625 return err;
3626 }
3627
3628 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3629 const struct nlattr *attr)
3630 {
3631 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3632 struct nft_set_ext_tmpl tmpl;
3633 struct nft_data_desc desc;
3634 struct nft_set_elem elem;
3635 struct nft_set_ext *ext;
3636 struct nft_trans *trans;
3637 u32 flags = 0;
3638 void *priv;
3639 int err;
3640
3641 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3642 nft_set_elem_policy);
3643 if (err < 0)
3644 goto err1;
3645
3646 err = -EINVAL;
3647 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3648 goto err1;
3649
3650 nft_set_ext_prepare(&tmpl);
3651
3652 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3653 if (err < 0)
3654 return err;
3655 if (flags != 0)
3656 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3657
3658 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3659 nla[NFTA_SET_ELEM_KEY]);
3660 if (err < 0)
3661 goto err1;
3662
3663 err = -EINVAL;
3664 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3665 goto err2;
3666
3667 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
3668
3669 err = -ENOMEM;
3670 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
3671 GFP_KERNEL);
3672 if (elem.priv == NULL)
3673 goto err2;
3674
3675 ext = nft_set_elem_ext(set, elem.priv);
3676 if (flags)
3677 *nft_set_ext_flags(ext) = flags;
3678
3679 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3680 if (trans == NULL) {
3681 err = -ENOMEM;
3682 goto err3;
3683 }
3684
3685 priv = set->ops->deactivate(ctx->net, set, &elem);
3686 if (priv == NULL) {
3687 err = -ENOENT;
3688 goto err4;
3689 }
3690 kfree(elem.priv);
3691 elem.priv = priv;
3692
3693 nft_trans_elem(trans) = elem;
3694 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3695 return 0;
3696
3697 err4:
3698 kfree(trans);
3699 err3:
3700 kfree(elem.priv);
3701 err2:
3702 nft_data_uninit(&elem.key.val, desc.type);
3703 err1:
3704 return err;
3705 }
3706
3707 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
3708 struct sk_buff *skb, const struct nlmsghdr *nlh,
3709 const struct nlattr * const nla[])
3710 {
3711 u8 genmask = nft_genmask_next(net);
3712 const struct nlattr *attr;
3713 struct nft_set *set;
3714 struct nft_ctx ctx;
3715 int rem, err = 0;
3716
3717 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3718 return -EINVAL;
3719
3720 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3721 if (err < 0)
3722 return err;
3723
3724 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3725 genmask);
3726 if (IS_ERR(set))
3727 return PTR_ERR(set);
3728 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3729 return -EBUSY;
3730
3731 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3732 err = nft_del_setelem(&ctx, set, attr);
3733 if (err < 0)
3734 break;
3735
3736 set->ndeact++;
3737 }
3738 return err;
3739 }
3740
3741 void nft_set_gc_batch_release(struct rcu_head *rcu)
3742 {
3743 struct nft_set_gc_batch *gcb;
3744 unsigned int i;
3745
3746 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
3747 for (i = 0; i < gcb->head.cnt; i++)
3748 nft_set_elem_destroy(gcb->head.set, gcb->elems[i]);
3749 kfree(gcb);
3750 }
3751 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
3752
3753 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
3754 gfp_t gfp)
3755 {
3756 struct nft_set_gc_batch *gcb;
3757
3758 gcb = kzalloc(sizeof(*gcb), gfp);
3759 if (gcb == NULL)
3760 return gcb;
3761 gcb->head.set = set;
3762 return gcb;
3763 }
3764 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
3765
3766 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
3767 u32 portid, u32 seq)
3768 {
3769 struct nlmsghdr *nlh;
3770 struct nfgenmsg *nfmsg;
3771 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
3772
3773 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
3774 if (nlh == NULL)
3775 goto nla_put_failure;
3776
3777 nfmsg = nlmsg_data(nlh);
3778 nfmsg->nfgen_family = AF_UNSPEC;
3779 nfmsg->version = NFNETLINK_V0;
3780 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3781
3782 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
3783 goto nla_put_failure;
3784
3785 nlmsg_end(skb, nlh);
3786 return 0;
3787
3788 nla_put_failure:
3789 nlmsg_trim(skb, nlh);
3790 return -EMSGSIZE;
3791 }
3792
3793 static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
3794 {
3795 struct nlmsghdr *nlh = nlmsg_hdr(skb);
3796 struct sk_buff *skb2;
3797 int err;
3798
3799 if (nlmsg_report(nlh) &&
3800 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3801 return 0;
3802
3803 err = -ENOBUFS;
3804 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3805 if (skb2 == NULL)
3806 goto err;
3807
3808 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3809 nlh->nlmsg_seq);
3810 if (err < 0) {
3811 kfree_skb(skb2);
3812 goto err;
3813 }
3814
3815 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
3816 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
3817 err:
3818 if (err < 0) {
3819 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
3820 err);
3821 }
3822 return err;
3823 }
3824
3825 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
3826 struct sk_buff *skb, const struct nlmsghdr *nlh,
3827 const struct nlattr * const nla[])
3828 {
3829 struct sk_buff *skb2;
3830 int err;
3831
3832 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3833 if (skb2 == NULL)
3834 return -ENOMEM;
3835
3836 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3837 nlh->nlmsg_seq);
3838 if (err < 0)
3839 goto err;
3840
3841 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3842 err:
3843 kfree_skb(skb2);
3844 return err;
3845 }
3846
3847 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3848 [NFT_MSG_NEWTABLE] = {
3849 .call_batch = nf_tables_newtable,
3850 .attr_count = NFTA_TABLE_MAX,
3851 .policy = nft_table_policy,
3852 },
3853 [NFT_MSG_GETTABLE] = {
3854 .call = nf_tables_gettable,
3855 .attr_count = NFTA_TABLE_MAX,
3856 .policy = nft_table_policy,
3857 },
3858 [NFT_MSG_DELTABLE] = {
3859 .call_batch = nf_tables_deltable,
3860 .attr_count = NFTA_TABLE_MAX,
3861 .policy = nft_table_policy,
3862 },
3863 [NFT_MSG_NEWCHAIN] = {
3864 .call_batch = nf_tables_newchain,
3865 .attr_count = NFTA_CHAIN_MAX,
3866 .policy = nft_chain_policy,
3867 },
3868 [NFT_MSG_GETCHAIN] = {
3869 .call = nf_tables_getchain,
3870 .attr_count = NFTA_CHAIN_MAX,
3871 .policy = nft_chain_policy,
3872 },
3873 [NFT_MSG_DELCHAIN] = {
3874 .call_batch = nf_tables_delchain,
3875 .attr_count = NFTA_CHAIN_MAX,
3876 .policy = nft_chain_policy,
3877 },
3878 [NFT_MSG_NEWRULE] = {
3879 .call_batch = nf_tables_newrule,
3880 .attr_count = NFTA_RULE_MAX,
3881 .policy = nft_rule_policy,
3882 },
3883 [NFT_MSG_GETRULE] = {
3884 .call = nf_tables_getrule,
3885 .attr_count = NFTA_RULE_MAX,
3886 .policy = nft_rule_policy,
3887 },
3888 [NFT_MSG_DELRULE] = {
3889 .call_batch = nf_tables_delrule,
3890 .attr_count = NFTA_RULE_MAX,
3891 .policy = nft_rule_policy,
3892 },
3893 [NFT_MSG_NEWSET] = {
3894 .call_batch = nf_tables_newset,
3895 .attr_count = NFTA_SET_MAX,
3896 .policy = nft_set_policy,
3897 },
3898 [NFT_MSG_GETSET] = {
3899 .call = nf_tables_getset,
3900 .attr_count = NFTA_SET_MAX,
3901 .policy = nft_set_policy,
3902 },
3903 [NFT_MSG_DELSET] = {
3904 .call_batch = nf_tables_delset,
3905 .attr_count = NFTA_SET_MAX,
3906 .policy = nft_set_policy,
3907 },
3908 [NFT_MSG_NEWSETELEM] = {
3909 .call_batch = nf_tables_newsetelem,
3910 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3911 .policy = nft_set_elem_list_policy,
3912 },
3913 [NFT_MSG_GETSETELEM] = {
3914 .call = nf_tables_getsetelem,
3915 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3916 .policy = nft_set_elem_list_policy,
3917 },
3918 [NFT_MSG_DELSETELEM] = {
3919 .call_batch = nf_tables_delsetelem,
3920 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3921 .policy = nft_set_elem_list_policy,
3922 },
3923 [NFT_MSG_GETGEN] = {
3924 .call = nf_tables_getgen,
3925 },
3926 };
3927
3928 static void nft_chain_commit_update(struct nft_trans *trans)
3929 {
3930 struct nft_base_chain *basechain;
3931
3932 if (nft_trans_chain_name(trans)[0])
3933 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3934
3935 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3936 return;
3937
3938 basechain = nft_base_chain(trans->ctx.chain);
3939 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3940
3941 switch (nft_trans_chain_policy(trans)) {
3942 case NF_DROP:
3943 case NF_ACCEPT:
3944 basechain->policy = nft_trans_chain_policy(trans);
3945 break;
3946 }
3947 }
3948
3949 static void nf_tables_commit_release(struct nft_trans *trans)
3950 {
3951 switch (trans->msg_type) {
3952 case NFT_MSG_DELTABLE:
3953 nf_tables_table_destroy(&trans->ctx);
3954 break;
3955 case NFT_MSG_DELCHAIN:
3956 nf_tables_chain_destroy(trans->ctx.chain);
3957 break;
3958 case NFT_MSG_DELRULE:
3959 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3960 break;
3961 case NFT_MSG_DELSET:
3962 nft_set_destroy(nft_trans_set(trans));
3963 break;
3964 case NFT_MSG_DELSETELEM:
3965 nft_set_elem_destroy(nft_trans_elem_set(trans),
3966 nft_trans_elem(trans).priv);
3967 break;
3968 }
3969 kfree(trans);
3970 }
3971
3972 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
3973 {
3974 struct nft_trans *trans, *next;
3975 struct nft_trans_elem *te;
3976
3977 /* Bump generation counter, invalidate any dump in progress */
3978 while (++net->nft.base_seq == 0);
3979
3980 /* A new generation has just started */
3981 net->nft.gencursor = nft_gencursor_next(net);
3982
3983 /* Make sure all packets have left the previous generation before
3984 * purging old rules.
3985 */
3986 synchronize_rcu();
3987
3988 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3989 switch (trans->msg_type) {
3990 case NFT_MSG_NEWTABLE:
3991 if (nft_trans_table_update(trans)) {
3992 if (!nft_trans_table_enable(trans)) {
3993 nf_tables_table_disable(net,
3994 trans->ctx.afi,
3995 trans->ctx.table);
3996 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3997 }
3998 } else {
3999 nft_clear(net, trans->ctx.table);
4000 }
4001 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
4002 nft_trans_destroy(trans);
4003 break;
4004 case NFT_MSG_DELTABLE:
4005 list_del_rcu(&trans->ctx.table->list);
4006 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
4007 break;
4008 case NFT_MSG_NEWCHAIN:
4009 if (nft_trans_chain_update(trans))
4010 nft_chain_commit_update(trans);
4011 else
4012 nft_clear(net, trans->ctx.chain);
4013
4014 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
4015 nft_trans_destroy(trans);
4016 break;
4017 case NFT_MSG_DELCHAIN:
4018 list_del_rcu(&trans->ctx.chain->list);
4019 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
4020 nf_tables_unregister_hooks(trans->ctx.net,
4021 trans->ctx.table,
4022 trans->ctx.chain,
4023 trans->ctx.afi->nops);
4024 break;
4025 case NFT_MSG_NEWRULE:
4026 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4027 nf_tables_rule_notify(&trans->ctx,
4028 nft_trans_rule(trans),
4029 NFT_MSG_NEWRULE);
4030 nft_trans_destroy(trans);
4031 break;
4032 case NFT_MSG_DELRULE:
4033 list_del_rcu(&nft_trans_rule(trans)->list);
4034 nf_tables_rule_notify(&trans->ctx,
4035 nft_trans_rule(trans),
4036 NFT_MSG_DELRULE);
4037 break;
4038 case NFT_MSG_NEWSET:
4039 nft_clear(net, nft_trans_set(trans));
4040 /* This avoids hitting -EBUSY when deleting the table
4041 * from the transaction.
4042 */
4043 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
4044 !list_empty(&nft_trans_set(trans)->bindings))
4045 trans->ctx.table->use--;
4046
4047 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4048 NFT_MSG_NEWSET, GFP_KERNEL);
4049 nft_trans_destroy(trans);
4050 break;
4051 case NFT_MSG_DELSET:
4052 list_del_rcu(&nft_trans_set(trans)->list);
4053 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4054 NFT_MSG_DELSET, GFP_KERNEL);
4055 break;
4056 case NFT_MSG_NEWSETELEM:
4057 te = (struct nft_trans_elem *)trans->data;
4058
4059 te->set->ops->activate(net, te->set, &te->elem);
4060 nf_tables_setelem_notify(&trans->ctx, te->set,
4061 &te->elem,
4062 NFT_MSG_NEWSETELEM, 0);
4063 nft_trans_destroy(trans);
4064 break;
4065 case NFT_MSG_DELSETELEM:
4066 te = (struct nft_trans_elem *)trans->data;
4067
4068 nf_tables_setelem_notify(&trans->ctx, te->set,
4069 &te->elem,
4070 NFT_MSG_DELSETELEM, 0);
4071 te->set->ops->remove(te->set, &te->elem);
4072 atomic_dec(&te->set->nelems);
4073 te->set->ndeact--;
4074 break;
4075 }
4076 }
4077
4078 synchronize_rcu();
4079
4080 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4081 list_del(&trans->list);
4082 nf_tables_commit_release(trans);
4083 }
4084
4085 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
4086
4087 return 0;
4088 }
4089
4090 static void nf_tables_abort_release(struct nft_trans *trans)
4091 {
4092 switch (trans->msg_type) {
4093 case NFT_MSG_NEWTABLE:
4094 nf_tables_table_destroy(&trans->ctx);
4095 break;
4096 case NFT_MSG_NEWCHAIN:
4097 nf_tables_chain_destroy(trans->ctx.chain);
4098 break;
4099 case NFT_MSG_NEWRULE:
4100 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4101 break;
4102 case NFT_MSG_NEWSET:
4103 nft_set_destroy(nft_trans_set(trans));
4104 break;
4105 case NFT_MSG_NEWSETELEM:
4106 nft_set_elem_destroy(nft_trans_elem_set(trans),
4107 nft_trans_elem(trans).priv);
4108 break;
4109 }
4110 kfree(trans);
4111 }
4112
4113 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
4114 {
4115 struct nft_trans *trans, *next;
4116 struct nft_trans_elem *te;
4117
4118 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
4119 list) {
4120 switch (trans->msg_type) {
4121 case NFT_MSG_NEWTABLE:
4122 if (nft_trans_table_update(trans)) {
4123 if (nft_trans_table_enable(trans)) {
4124 nf_tables_table_disable(net,
4125 trans->ctx.afi,
4126 trans->ctx.table);
4127 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4128 }
4129 nft_trans_destroy(trans);
4130 } else {
4131 list_del_rcu(&trans->ctx.table->list);
4132 }
4133 break;
4134 case NFT_MSG_DELTABLE:
4135 nft_clear(trans->ctx.net, trans->ctx.table);
4136 nft_trans_destroy(trans);
4137 break;
4138 case NFT_MSG_NEWCHAIN:
4139 if (nft_trans_chain_update(trans)) {
4140 free_percpu(nft_trans_chain_stats(trans));
4141
4142 nft_trans_destroy(trans);
4143 } else {
4144 trans->ctx.table->use--;
4145 list_del_rcu(&trans->ctx.chain->list);
4146 nf_tables_unregister_hooks(trans->ctx.net,
4147 trans->ctx.table,
4148 trans->ctx.chain,
4149 trans->ctx.afi->nops);
4150 }
4151 break;
4152 case NFT_MSG_DELCHAIN:
4153 trans->ctx.table->use++;
4154 nft_clear(trans->ctx.net, trans->ctx.chain);
4155 nft_trans_destroy(trans);
4156 break;
4157 case NFT_MSG_NEWRULE:
4158 trans->ctx.chain->use--;
4159 list_del_rcu(&nft_trans_rule(trans)->list);
4160 break;
4161 case NFT_MSG_DELRULE:
4162 trans->ctx.chain->use++;
4163 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4164 nft_trans_destroy(trans);
4165 break;
4166 case NFT_MSG_NEWSET:
4167 trans->ctx.table->use--;
4168 list_del_rcu(&nft_trans_set(trans)->list);
4169 break;
4170 case NFT_MSG_DELSET:
4171 trans->ctx.table->use++;
4172 nft_clear(trans->ctx.net, nft_trans_set(trans));
4173 nft_trans_destroy(trans);
4174 break;
4175 case NFT_MSG_NEWSETELEM:
4176 te = (struct nft_trans_elem *)trans->data;
4177
4178 te->set->ops->remove(te->set, &te->elem);
4179 atomic_dec(&te->set->nelems);
4180 break;
4181 case NFT_MSG_DELSETELEM:
4182 te = (struct nft_trans_elem *)trans->data;
4183
4184 te->set->ops->activate(net, te->set, &te->elem);
4185 te->set->ndeact--;
4186
4187 nft_trans_destroy(trans);
4188 break;
4189 }
4190 }
4191
4192 synchronize_rcu();
4193
4194 list_for_each_entry_safe_reverse(trans, next,
4195 &net->nft.commit_list, list) {
4196 list_del(&trans->list);
4197 nf_tables_abort_release(trans);
4198 }
4199
4200 return 0;
4201 }
4202
4203 static const struct nfnetlink_subsystem nf_tables_subsys = {
4204 .name = "nf_tables",
4205 .subsys_id = NFNL_SUBSYS_NFTABLES,
4206 .cb_count = NFT_MSG_MAX,
4207 .cb = nf_tables_cb,
4208 .commit = nf_tables_commit,
4209 .abort = nf_tables_abort,
4210 };
4211
4212 int nft_chain_validate_dependency(const struct nft_chain *chain,
4213 enum nft_chain_type type)
4214 {
4215 const struct nft_base_chain *basechain;
4216
4217 if (chain->flags & NFT_BASE_CHAIN) {
4218 basechain = nft_base_chain(chain);
4219 if (basechain->type->type != type)
4220 return -EOPNOTSUPP;
4221 }
4222 return 0;
4223 }
4224 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
4225
4226 int nft_chain_validate_hooks(const struct nft_chain *chain,
4227 unsigned int hook_flags)
4228 {
4229 struct nft_base_chain *basechain;
4230
4231 if (chain->flags & NFT_BASE_CHAIN) {
4232 basechain = nft_base_chain(chain);
4233
4234 if ((1 << basechain->ops[0].hooknum) & hook_flags)
4235 return 0;
4236
4237 return -EOPNOTSUPP;
4238 }
4239
4240 return 0;
4241 }
4242 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
4243
4244 /*
4245 * Loop detection - walk through the ruleset beginning at the destination chain
4246 * of a new jump until either the source chain is reached (loop) or all
4247 * reachable chains have been traversed.
4248 *
4249 * The loop check is performed whenever a new jump verdict is added to an
4250 * expression or verdict map or a verdict map is bound to a new chain.
4251 */
4252
4253 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4254 const struct nft_chain *chain);
4255
4256 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
4257 const struct nft_set *set,
4258 const struct nft_set_iter *iter,
4259 const struct nft_set_elem *elem)
4260 {
4261 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4262 const struct nft_data *data;
4263
4264 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4265 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4266 return 0;
4267
4268 data = nft_set_ext_data(ext);
4269 switch (data->verdict.code) {
4270 case NFT_JUMP:
4271 case NFT_GOTO:
4272 return nf_tables_check_loops(ctx, data->verdict.chain);
4273 default:
4274 return 0;
4275 }
4276 }
4277
4278 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4279 const struct nft_chain *chain)
4280 {
4281 const struct nft_rule *rule;
4282 const struct nft_expr *expr, *last;
4283 const struct nft_set *set;
4284 struct nft_set_binding *binding;
4285 struct nft_set_iter iter;
4286
4287 if (ctx->chain == chain)
4288 return -ELOOP;
4289
4290 list_for_each_entry(rule, &chain->rules, list) {
4291 nft_rule_for_each_expr(expr, last, rule) {
4292 const struct nft_data *data = NULL;
4293 int err;
4294
4295 if (!expr->ops->validate)
4296 continue;
4297
4298 err = expr->ops->validate(ctx, expr, &data);
4299 if (err < 0)
4300 return err;
4301
4302 if (data == NULL)
4303 continue;
4304
4305 switch (data->verdict.code) {
4306 case NFT_JUMP:
4307 case NFT_GOTO:
4308 err = nf_tables_check_loops(ctx,
4309 data->verdict.chain);
4310 if (err < 0)
4311 return err;
4312 default:
4313 break;
4314 }
4315 }
4316 }
4317
4318 list_for_each_entry(set, &ctx->table->sets, list) {
4319 if (!nft_is_active_next(ctx->net, set))
4320 continue;
4321 if (!(set->flags & NFT_SET_MAP) ||
4322 set->dtype != NFT_DATA_VERDICT)
4323 continue;
4324
4325 list_for_each_entry(binding, &set->bindings, list) {
4326 if (!(binding->flags & NFT_SET_MAP) ||
4327 binding->chain != chain)
4328 continue;
4329
4330 iter.genmask = nft_genmask_next(ctx->net);
4331 iter.skip = 0;
4332 iter.count = 0;
4333 iter.err = 0;
4334 iter.fn = nf_tables_loop_check_setelem;
4335
4336 set->ops->walk(ctx, set, &iter);
4337 if (iter.err < 0)
4338 return iter.err;
4339 }
4340 }
4341
4342 return 0;
4343 }
4344
4345 /**
4346 * nft_parse_register - parse a register value from a netlink attribute
4347 *
4348 * @attr: netlink attribute
4349 *
4350 * Parse and translate a register value from a netlink attribute.
4351 * Registers used to be 128 bit wide, these register numbers will be
4352 * mapped to the corresponding 32 bit register numbers.
4353 */
4354 unsigned int nft_parse_register(const struct nlattr *attr)
4355 {
4356 unsigned int reg;
4357
4358 reg = ntohl(nla_get_be32(attr));
4359 switch (reg) {
4360 case NFT_REG_VERDICT...NFT_REG_4:
4361 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
4362 default:
4363 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
4364 }
4365 }
4366 EXPORT_SYMBOL_GPL(nft_parse_register);
4367
4368 /**
4369 * nft_dump_register - dump a register value to a netlink attribute
4370 *
4371 * @skb: socket buffer
4372 * @attr: attribute number
4373 * @reg: register number
4374 *
4375 * Construct a netlink attribute containing the register number. For
4376 * compatibility reasons, register numbers being a multiple of 4 are
4377 * translated to the corresponding 128 bit register numbers.
4378 */
4379 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
4380 {
4381 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
4382 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
4383 else
4384 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
4385
4386 return nla_put_be32(skb, attr, htonl(reg));
4387 }
4388 EXPORT_SYMBOL_GPL(nft_dump_register);
4389
4390 /**
4391 * nft_validate_register_load - validate a load from a register
4392 *
4393 * @reg: the register number
4394 * @len: the length of the data
4395 *
4396 * Validate that the input register is one of the general purpose
4397 * registers and that the length of the load is within the bounds.
4398 */
4399 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
4400 {
4401 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4402 return -EINVAL;
4403 if (len == 0)
4404 return -EINVAL;
4405 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
4406 return -ERANGE;
4407
4408 return 0;
4409 }
4410 EXPORT_SYMBOL_GPL(nft_validate_register_load);
4411
4412 /**
4413 * nft_validate_register_store - validate an expressions' register store
4414 *
4415 * @ctx: context of the expression performing the load
4416 * @reg: the destination register number
4417 * @data: the data to load
4418 * @type: the data type
4419 * @len: the length of the data
4420 *
4421 * Validate that a data load uses the appropriate data type for
4422 * the destination register and the length is within the bounds.
4423 * A value of NULL for the data means that its runtime gathered
4424 * data.
4425 */
4426 int nft_validate_register_store(const struct nft_ctx *ctx,
4427 enum nft_registers reg,
4428 const struct nft_data *data,
4429 enum nft_data_types type, unsigned int len)
4430 {
4431 int err;
4432
4433 switch (reg) {
4434 case NFT_REG_VERDICT:
4435 if (type != NFT_DATA_VERDICT)
4436 return -EINVAL;
4437
4438 if (data != NULL &&
4439 (data->verdict.code == NFT_GOTO ||
4440 data->verdict.code == NFT_JUMP)) {
4441 err = nf_tables_check_loops(ctx, data->verdict.chain);
4442 if (err < 0)
4443 return err;
4444
4445 if (ctx->chain->level + 1 >
4446 data->verdict.chain->level) {
4447 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
4448 return -EMLINK;
4449 data->verdict.chain->level = ctx->chain->level + 1;
4450 }
4451 }
4452
4453 return 0;
4454 default:
4455 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4456 return -EINVAL;
4457 if (len == 0)
4458 return -EINVAL;
4459 if (reg * NFT_REG32_SIZE + len >
4460 FIELD_SIZEOF(struct nft_regs, data))
4461 return -ERANGE;
4462
4463 if (data != NULL && type != NFT_DATA_VALUE)
4464 return -EINVAL;
4465 return 0;
4466 }
4467 }
4468 EXPORT_SYMBOL_GPL(nft_validate_register_store);
4469
4470 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
4471 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
4472 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
4473 .len = NFT_CHAIN_MAXNAMELEN - 1 },
4474 };
4475
4476 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
4477 struct nft_data_desc *desc, const struct nlattr *nla)
4478 {
4479 u8 genmask = nft_genmask_next(ctx->net);
4480 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
4481 struct nft_chain *chain;
4482 int err;
4483
4484 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
4485 if (err < 0)
4486 return err;
4487
4488 if (!tb[NFTA_VERDICT_CODE])
4489 return -EINVAL;
4490 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
4491
4492 switch (data->verdict.code) {
4493 default:
4494 switch (data->verdict.code & NF_VERDICT_MASK) {
4495 case NF_ACCEPT:
4496 case NF_DROP:
4497 case NF_QUEUE:
4498 break;
4499 default:
4500 return -EINVAL;
4501 }
4502 /* fall through */
4503 case NFT_CONTINUE:
4504 case NFT_BREAK:
4505 case NFT_RETURN:
4506 break;
4507 case NFT_JUMP:
4508 case NFT_GOTO:
4509 if (!tb[NFTA_VERDICT_CHAIN])
4510 return -EINVAL;
4511 chain = nf_tables_chain_lookup(ctx->table,
4512 tb[NFTA_VERDICT_CHAIN], genmask);
4513 if (IS_ERR(chain))
4514 return PTR_ERR(chain);
4515 if (chain->flags & NFT_BASE_CHAIN)
4516 return -EOPNOTSUPP;
4517
4518 chain->use++;
4519 data->verdict.chain = chain;
4520 break;
4521 }
4522
4523 desc->len = sizeof(data->verdict);
4524 desc->type = NFT_DATA_VERDICT;
4525 return 0;
4526 }
4527
4528 static void nft_verdict_uninit(const struct nft_data *data)
4529 {
4530 switch (data->verdict.code) {
4531 case NFT_JUMP:
4532 case NFT_GOTO:
4533 data->verdict.chain->use--;
4534 break;
4535 }
4536 }
4537
4538 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
4539 {
4540 struct nlattr *nest;
4541
4542 nest = nla_nest_start(skb, type);
4543 if (!nest)
4544 goto nla_put_failure;
4545
4546 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
4547 goto nla_put_failure;
4548
4549 switch (v->code) {
4550 case NFT_JUMP:
4551 case NFT_GOTO:
4552 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
4553 v->chain->name))
4554 goto nla_put_failure;
4555 }
4556 nla_nest_end(skb, nest);
4557 return 0;
4558
4559 nla_put_failure:
4560 return -1;
4561 }
4562
4563 static int nft_value_init(const struct nft_ctx *ctx,
4564 struct nft_data *data, unsigned int size,
4565 struct nft_data_desc *desc, const struct nlattr *nla)
4566 {
4567 unsigned int len;
4568
4569 len = nla_len(nla);
4570 if (len == 0)
4571 return -EINVAL;
4572 if (len > size)
4573 return -EOVERFLOW;
4574
4575 nla_memcpy(data->data, nla, len);
4576 desc->type = NFT_DATA_VALUE;
4577 desc->len = len;
4578 return 0;
4579 }
4580
4581 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
4582 unsigned int len)
4583 {
4584 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
4585 }
4586
4587 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
4588 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
4589 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
4590 };
4591
4592 /**
4593 * nft_data_init - parse nf_tables data netlink attributes
4594 *
4595 * @ctx: context of the expression using the data
4596 * @data: destination struct nft_data
4597 * @size: maximum data length
4598 * @desc: data description
4599 * @nla: netlink attribute containing data
4600 *
4601 * Parse the netlink data attributes and initialize a struct nft_data.
4602 * The type and length of data are returned in the data description.
4603 *
4604 * The caller can indicate that it only wants to accept data of type
4605 * NFT_DATA_VALUE by passing NULL for the ctx argument.
4606 */
4607 int nft_data_init(const struct nft_ctx *ctx,
4608 struct nft_data *data, unsigned int size,
4609 struct nft_data_desc *desc, const struct nlattr *nla)
4610 {
4611 struct nlattr *tb[NFTA_DATA_MAX + 1];
4612 int err;
4613
4614 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
4615 if (err < 0)
4616 return err;
4617
4618 if (tb[NFTA_DATA_VALUE])
4619 return nft_value_init(ctx, data, size, desc,
4620 tb[NFTA_DATA_VALUE]);
4621 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
4622 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
4623 return -EINVAL;
4624 }
4625 EXPORT_SYMBOL_GPL(nft_data_init);
4626
4627 /**
4628 * nft_data_uninit - release a nft_data item
4629 *
4630 * @data: struct nft_data to release
4631 * @type: type of data
4632 *
4633 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4634 * all others need to be released by calling this function.
4635 */
4636 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
4637 {
4638 if (type < NFT_DATA_VERDICT)
4639 return;
4640 switch (type) {
4641 case NFT_DATA_VERDICT:
4642 return nft_verdict_uninit(data);
4643 default:
4644 WARN_ON(1);
4645 }
4646 }
4647 EXPORT_SYMBOL_GPL(nft_data_uninit);
4648
4649 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
4650 enum nft_data_types type, unsigned int len)
4651 {
4652 struct nlattr *nest;
4653 int err;
4654
4655 nest = nla_nest_start(skb, attr);
4656 if (nest == NULL)
4657 return -1;
4658
4659 switch (type) {
4660 case NFT_DATA_VALUE:
4661 err = nft_value_dump(skb, data, len);
4662 break;
4663 case NFT_DATA_VERDICT:
4664 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
4665 break;
4666 default:
4667 err = -EINVAL;
4668 WARN_ON(1);
4669 }
4670
4671 nla_nest_end(skb, nest);
4672 return err;
4673 }
4674 EXPORT_SYMBOL_GPL(nft_data_dump);
4675
4676 static int __net_init nf_tables_init_net(struct net *net)
4677 {
4678 INIT_LIST_HEAD(&net->nft.af_info);
4679 INIT_LIST_HEAD(&net->nft.commit_list);
4680 net->nft.base_seq = 1;
4681 return 0;
4682 }
4683
4684 int __nft_release_basechain(struct nft_ctx *ctx)
4685 {
4686 struct nft_rule *rule, *nr;
4687
4688 BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));
4689
4690 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
4691 ctx->afi->nops);
4692 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
4693 list_del(&rule->list);
4694 ctx->chain->use--;
4695 nf_tables_rule_destroy(ctx, rule);
4696 }
4697 list_del(&ctx->chain->list);
4698 ctx->table->use--;
4699 nf_tables_chain_destroy(ctx->chain);
4700
4701 return 0;
4702 }
4703 EXPORT_SYMBOL_GPL(__nft_release_basechain);
4704
4705 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
4706 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
4707 {
4708 struct nft_table *table, *nt;
4709 struct nft_chain *chain, *nc;
4710 struct nft_rule *rule, *nr;
4711 struct nft_set *set, *ns;
4712 struct nft_ctx ctx = {
4713 .net = net,
4714 .afi = afi,
4715 };
4716
4717 list_for_each_entry_safe(table, nt, &afi->tables, list) {
4718 list_for_each_entry(chain, &table->chains, list)
4719 nf_tables_unregister_hooks(net, table, chain,
4720 afi->nops);
4721 /* No packets are walking on these chains anymore. */
4722 ctx.table = table;
4723 list_for_each_entry(chain, &table->chains, list) {
4724 ctx.chain = chain;
4725 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
4726 list_del(&rule->list);
4727 chain->use--;
4728 nf_tables_rule_destroy(&ctx, rule);
4729 }
4730 }
4731 list_for_each_entry_safe(set, ns, &table->sets, list) {
4732 list_del(&set->list);
4733 table->use--;
4734 nft_set_destroy(set);
4735 }
4736 list_for_each_entry_safe(chain, nc, &table->chains, list) {
4737 list_del(&chain->list);
4738 table->use--;
4739 nf_tables_chain_destroy(chain);
4740 }
4741 list_del(&table->list);
4742 nf_tables_table_destroy(&ctx);
4743 }
4744 }
4745
4746 static struct pernet_operations nf_tables_net_ops = {
4747 .init = nf_tables_init_net,
4748 };
4749
4750 static int __init nf_tables_module_init(void)
4751 {
4752 int err;
4753
4754 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
4755 GFP_KERNEL);
4756 if (info == NULL) {
4757 err = -ENOMEM;
4758 goto err1;
4759 }
4760
4761 err = nf_tables_core_module_init();
4762 if (err < 0)
4763 goto err2;
4764
4765 err = nfnetlink_subsys_register(&nf_tables_subsys);
4766 if (err < 0)
4767 goto err3;
4768
4769 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4770 return register_pernet_subsys(&nf_tables_net_ops);
4771 err3:
4772 nf_tables_core_module_exit();
4773 err2:
4774 kfree(info);
4775 err1:
4776 return err;
4777 }
4778
4779 static void __exit nf_tables_module_exit(void)
4780 {
4781 unregister_pernet_subsys(&nf_tables_net_ops);
4782 nfnetlink_subsys_unregister(&nf_tables_subsys);
4783 rcu_barrier();
4784 nf_tables_core_module_exit();
4785 kfree(info);
4786 }
4787
4788 module_init(nf_tables_module_init);
4789 module_exit(nf_tables_module_exit);
4790
4791 MODULE_LICENSE("GPL");
4792 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4793 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
4794
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.