~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/netfilter/nf_tables_api.c

Version: ~ [ linux-5.13-rc1 ] ~ [ linux-5.12.2 ] ~ [ linux-5.11.19 ] ~ [ linux-5.10.35 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.117 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.190 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.232 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.268 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.268 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
  3  *
  4  * This program is free software; you can redistribute it and/or modify
  5  * it under the terms of the GNU General Public License version 2 as
  6  * published by the Free Software Foundation.
  7  *
  8  * Development of this code funded by Astaro AG (http://www.astaro.com/)
  9  */
 10 
 11 #include <linux/module.h>
 12 #include <linux/init.h>
 13 #include <linux/list.h>
 14 #include <linux/skbuff.h>
 15 #include <linux/netlink.h>
 16 #include <linux/netfilter.h>
 17 #include <linux/netfilter/nfnetlink.h>
 18 #include <linux/netfilter/nf_tables.h>
 19 #include <net/netfilter/nf_tables_core.h>
 20 #include <net/netfilter/nf_tables.h>
 21 #include <net/net_namespace.h>
 22 #include <net/sock.h>
 23 
 24 static LIST_HEAD(nf_tables_expressions);
 25 
 26 /**
 27  *      nft_register_afinfo - register nf_tables address family info
 28  *
 29  *      @afi: address family info to register
 30  *
 31  *      Register the address family for use with nf_tables. Returns zero on
 32  *      success or a negative errno code otherwise.
 33  */
 34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
 35 {
 36         INIT_LIST_HEAD(&afi->tables);
 37         nfnl_lock(NFNL_SUBSYS_NFTABLES);
 38         list_add_tail_rcu(&afi->list, &net->nft.af_info);
 39         nfnl_unlock(NFNL_SUBSYS_NFTABLES);
 40         return 0;
 41 }
 42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
 43 
 44 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
 45 
 46 /**
 47  *      nft_unregister_afinfo - unregister nf_tables address family info
 48  *
 49  *      @afi: address family info to unregister
 50  *
 51  *      Unregister the address family for use with nf_tables.
 52  */
 53 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
 54 {
 55         nfnl_lock(NFNL_SUBSYS_NFTABLES);
 56         __nft_release_afinfo(net, afi);
 57         list_del_rcu(&afi->list);
 58         nfnl_unlock(NFNL_SUBSYS_NFTABLES);
 59 }
 60 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
 61 
 62 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
 63 {
 64         struct nft_af_info *afi;
 65 
 66         list_for_each_entry(afi, &net->nft.af_info, list) {
 67                 if (afi->family == family)
 68                         return afi;
 69         }
 70         return NULL;
 71 }
 72 
 73 static struct nft_af_info *
 74 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
 75 {
 76         struct nft_af_info *afi;
 77 
 78         afi = nft_afinfo_lookup(net, family);
 79         if (afi != NULL)
 80                 return afi;
 81 #ifdef CONFIG_MODULES
 82         if (autoload) {
 83                 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
 84                 request_module("nft-afinfo-%u", family);
 85                 nfnl_lock(NFNL_SUBSYS_NFTABLES);
 86                 afi = nft_afinfo_lookup(net, family);
 87                 if (afi != NULL)
 88                         return ERR_PTR(-EAGAIN);
 89         }
 90 #endif
 91         return ERR_PTR(-EAFNOSUPPORT);
 92 }
 93 
 94 static void nft_ctx_init(struct nft_ctx *ctx,
 95                          struct net *net,
 96                          const struct sk_buff *skb,
 97                          const struct nlmsghdr *nlh,
 98                          struct nft_af_info *afi,
 99                          struct nft_table *table,
100                          struct nft_chain *chain,
101                          const struct nlattr * const *nla)
102 {
103         ctx->net        = net;
104         ctx->afi        = afi;
105         ctx->table      = table;
106         ctx->chain      = chain;
107         ctx->nla        = nla;
108         ctx->portid     = NETLINK_CB(skb).portid;
109         ctx->report     = nlmsg_report(nlh);
110         ctx->seq        = nlh->nlmsg_seq;
111 }
112 
113 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
114                                          u32 size)
115 {
116         struct nft_trans *trans;
117 
118         trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
119         if (trans == NULL)
120                 return NULL;
121 
122         trans->msg_type = msg_type;
123         trans->ctx      = *ctx;
124 
125         return trans;
126 }
127 
128 static void nft_trans_destroy(struct nft_trans *trans)
129 {
130         list_del(&trans->list);
131         kfree(trans);
132 }
133 
134 static int nft_register_basechain(struct nft_base_chain *basechain,
135                                   unsigned int hook_nops)
136 {
137         struct net *net = read_pnet(&basechain->pnet);
138 
139         if (basechain->flags & NFT_BASECHAIN_DISABLED)
140                 return 0;
141 
142         return nf_register_net_hooks(net, basechain->ops, hook_nops);
143 }
144 
145 static void nft_unregister_basechain(struct nft_base_chain *basechain,
146                                      unsigned int hook_nops)
147 {
148         struct net *net = read_pnet(&basechain->pnet);
149 
150         if (basechain->flags & NFT_BASECHAIN_DISABLED)
151                 return;
152 
153         nf_unregister_net_hooks(net, basechain->ops, hook_nops);
154 }
155 
156 static int nf_tables_register_hooks(const struct nft_table *table,
157                                     struct nft_chain *chain,
158                                     unsigned int hook_nops)
159 {
160         if (table->flags & NFT_TABLE_F_DORMANT ||
161             !(chain->flags & NFT_BASE_CHAIN))
162                 return 0;
163 
164         return nft_register_basechain(nft_base_chain(chain), hook_nops);
165 }
166 
167 static void nf_tables_unregister_hooks(const struct nft_table *table,
168                                        struct nft_chain *chain,
169                                        unsigned int hook_nops)
170 {
171         if (table->flags & NFT_TABLE_F_DORMANT ||
172             !(chain->flags & NFT_BASE_CHAIN))
173                 return;
174 
175         nft_unregister_basechain(nft_base_chain(chain), hook_nops);
176 }
177 
178 /* Internal table flags */
179 #define NFT_TABLE_INACTIVE      (1 << 15)
180 
181 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
182 {
183         struct nft_trans *trans;
184 
185         trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
186         if (trans == NULL)
187                 return -ENOMEM;
188 
189         if (msg_type == NFT_MSG_NEWTABLE)
190                 ctx->table->flags |= NFT_TABLE_INACTIVE;
191 
192         list_add_tail(&trans->list, &ctx->net->nft.commit_list);
193         return 0;
194 }
195 
196 static int nft_deltable(struct nft_ctx *ctx)
197 {
198         int err;
199 
200         err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
201         if (err < 0)
202                 return err;
203 
204         list_del_rcu(&ctx->table->list);
205         return err;
206 }
207 
208 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
209 {
210         struct nft_trans *trans;
211 
212         trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
213         if (trans == NULL)
214                 return -ENOMEM;
215 
216         if (msg_type == NFT_MSG_NEWCHAIN)
217                 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
218 
219         list_add_tail(&trans->list, &ctx->net->nft.commit_list);
220         return 0;
221 }
222 
223 static int nft_delchain(struct nft_ctx *ctx)
224 {
225         int err;
226 
227         err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
228         if (err < 0)
229                 return err;
230 
231         ctx->table->use--;
232         list_del_rcu(&ctx->chain->list);
233 
234         return err;
235 }
236 
237 static inline bool
238 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
239 {
240         return (rule->genmask & nft_genmask_cur(net)) == 0;
241 }
242 
243 static inline int
244 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
245 {
246         return (rule->genmask & nft_genmask_next(net)) == 0;
247 }
248 
249 static inline void
250 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
251 {
252         /* Now inactive, will be active in the future */
253         rule->genmask = nft_genmask_cur(net);
254 }
255 
256 static inline void
257 nft_rule_deactivate_next(struct net *net, struct nft_rule *rule)
258 {
259         rule->genmask = nft_genmask_next(net);
260 }
261 
262 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
263 {
264         rule->genmask &= ~nft_genmask_next(net);
265 }
266 
267 static int
268 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
269 {
270         /* You cannot delete the same rule twice */
271         if (nft_rule_is_active_next(ctx->net, rule)) {
272                 nft_rule_deactivate_next(ctx->net, rule);
273                 ctx->chain->use--;
274                 return 0;
275         }
276         return -ENOENT;
277 }
278 
279 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
280                                             struct nft_rule *rule)
281 {
282         struct nft_trans *trans;
283 
284         trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
285         if (trans == NULL)
286                 return NULL;
287 
288         nft_trans_rule(trans) = rule;
289         list_add_tail(&trans->list, &ctx->net->nft.commit_list);
290 
291         return trans;
292 }
293 
294 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
295 {
296         struct nft_trans *trans;
297         int err;
298 
299         trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
300         if (trans == NULL)
301                 return -ENOMEM;
302 
303         err = nf_tables_delrule_deactivate(ctx, rule);
304         if (err < 0) {
305                 nft_trans_destroy(trans);
306                 return err;
307         }
308 
309         return 0;
310 }
311 
312 static int nft_delrule_by_chain(struct nft_ctx *ctx)
313 {
314         struct nft_rule *rule;
315         int err;
316 
317         list_for_each_entry(rule, &ctx->chain->rules, list) {
318                 err = nft_delrule(ctx, rule);
319                 if (err < 0)
320                         return err;
321         }
322         return 0;
323 }
324 
325 /* Internal set flag */
326 #define NFT_SET_INACTIVE        (1 << 15)
327 
328 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
329                              struct nft_set *set)
330 {
331         struct nft_trans *trans;
332 
333         trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
334         if (trans == NULL)
335                 return -ENOMEM;
336 
337         if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
338                 nft_trans_set_id(trans) =
339                         ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
340                 set->flags |= NFT_SET_INACTIVE;
341         }
342         nft_trans_set(trans) = set;
343         list_add_tail(&trans->list, &ctx->net->nft.commit_list);
344 
345         return 0;
346 }
347 
348 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
349 {
350         int err;
351 
352         err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
353         if (err < 0)
354                 return err;
355 
356         list_del_rcu(&set->list);
357         ctx->table->use--;
358 
359         return err;
360 }
361 
362 /*
363  * Tables
364  */
365 
366 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
367                                           const struct nlattr *nla)
368 {
369         struct nft_table *table;
370 
371         list_for_each_entry(table, &afi->tables, list) {
372                 if (!nla_strcmp(nla, table->name))
373                         return table;
374         }
375         return NULL;
376 }
377 
378 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
379                                                 const struct nlattr *nla)
380 {
381         struct nft_table *table;
382 
383         if (nla == NULL)
384                 return ERR_PTR(-EINVAL);
385 
386         table = nft_table_lookup(afi, nla);
387         if (table != NULL)
388                 return table;
389 
390         return ERR_PTR(-ENOENT);
391 }
392 
393 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
394 {
395         return ++table->hgenerator;
396 }
397 
398 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
399 
400 static const struct nf_chain_type *
401 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
402 {
403         int i;
404 
405         for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
406                 if (chain_type[family][i] != NULL &&
407                     !nla_strcmp(nla, chain_type[family][i]->name))
408                         return chain_type[family][i];
409         }
410         return NULL;
411 }
412 
413 static const struct nf_chain_type *
414 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
415                             const struct nlattr *nla,
416                             bool autoload)
417 {
418         const struct nf_chain_type *type;
419 
420         type = __nf_tables_chain_type_lookup(afi->family, nla);
421         if (type != NULL)
422                 return type;
423 #ifdef CONFIG_MODULES
424         if (autoload) {
425                 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
426                 request_module("nft-chain-%u-%.*s", afi->family,
427                                nla_len(nla), (const char *)nla_data(nla));
428                 nfnl_lock(NFNL_SUBSYS_NFTABLES);
429                 type = __nf_tables_chain_type_lookup(afi->family, nla);
430                 if (type != NULL)
431                         return ERR_PTR(-EAGAIN);
432         }
433 #endif
434         return ERR_PTR(-ENOENT);
435 }
436 
437 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
438         [NFTA_TABLE_NAME]       = { .type = NLA_STRING,
439                                     .len = NFT_TABLE_MAXNAMELEN - 1 },
440         [NFTA_TABLE_FLAGS]      = { .type = NLA_U32 },
441 };
442 
443 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
444                                      u32 portid, u32 seq, int event, u32 flags,
445                                      int family, const struct nft_table *table)
446 {
447         struct nlmsghdr *nlh;
448         struct nfgenmsg *nfmsg;
449 
450         event |= NFNL_SUBSYS_NFTABLES << 8;
451         nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
452         if (nlh == NULL)
453                 goto nla_put_failure;
454 
455         nfmsg = nlmsg_data(nlh);
456         nfmsg->nfgen_family     = family;
457         nfmsg->version          = NFNETLINK_V0;
458         nfmsg->res_id           = htons(net->nft.base_seq & 0xffff);
459 
460         if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
461             nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
462             nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
463                 goto nla_put_failure;
464 
465         nlmsg_end(skb, nlh);
466         return 0;
467 
468 nla_put_failure:
469         nlmsg_trim(skb, nlh);
470         return -1;
471 }
472 
473 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
474 {
475         struct sk_buff *skb;
476         int err;
477 
478         if (!ctx->report &&
479             !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
480                 return 0;
481 
482         err = -ENOBUFS;
483         skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
484         if (skb == NULL)
485                 goto err;
486 
487         err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
488                                         event, 0, ctx->afi->family, ctx->table);
489         if (err < 0) {
490                 kfree_skb(skb);
491                 goto err;
492         }
493 
494         err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
495                              ctx->report, GFP_KERNEL);
496 err:
497         if (err < 0) {
498                 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
499                                   err);
500         }
501         return err;
502 }
503 
504 static int nf_tables_dump_tables(struct sk_buff *skb,
505                                  struct netlink_callback *cb)
506 {
507         const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
508         const struct nft_af_info *afi;
509         const struct nft_table *table;
510         unsigned int idx = 0, s_idx = cb->args[0];
511         struct net *net = sock_net(skb->sk);
512         int family = nfmsg->nfgen_family;
513 
514         rcu_read_lock();
515         cb->seq = net->nft.base_seq;
516 
517         list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
518                 if (family != NFPROTO_UNSPEC && family != afi->family)
519                         continue;
520 
521                 list_for_each_entry_rcu(table, &afi->tables, list) {
522                         if (idx < s_idx)
523                                 goto cont;
524                         if (idx > s_idx)
525                                 memset(&cb->args[1], 0,
526                                        sizeof(cb->args) - sizeof(cb->args[0]));
527                         if (nf_tables_fill_table_info(skb, net,
528                                                       NETLINK_CB(cb->skb).portid,
529                                                       cb->nlh->nlmsg_seq,
530                                                       NFT_MSG_NEWTABLE,
531                                                       NLM_F_MULTI,
532                                                       afi->family, table) < 0)
533                                 goto done;
534 
535                         nl_dump_check_consistent(cb, nlmsg_hdr(skb));
536 cont:
537                         idx++;
538                 }
539         }
540 done:
541         rcu_read_unlock();
542         cb->args[0] = idx;
543         return skb->len;
544 }
545 
546 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
547                               struct sk_buff *skb, const struct nlmsghdr *nlh,
548                               const struct nlattr * const nla[])
549 {
550         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
551         const struct nft_af_info *afi;
552         const struct nft_table *table;
553         struct sk_buff *skb2;
554         int family = nfmsg->nfgen_family;
555         int err;
556 
557         if (nlh->nlmsg_flags & NLM_F_DUMP) {
558                 struct netlink_dump_control c = {
559                         .dump = nf_tables_dump_tables,
560                 };
561                 return netlink_dump_start(nlsk, skb, nlh, &c);
562         }
563 
564         afi = nf_tables_afinfo_lookup(net, family, false);
565         if (IS_ERR(afi))
566                 return PTR_ERR(afi);
567 
568         table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
569         if (IS_ERR(table))
570                 return PTR_ERR(table);
571         if (table->flags & NFT_TABLE_INACTIVE)
572                 return -ENOENT;
573 
574         skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
575         if (!skb2)
576                 return -ENOMEM;
577 
578         err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
579                                         nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
580                                         family, table);
581         if (err < 0)
582                 goto err;
583 
584         return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
585 
586 err:
587         kfree_skb(skb2);
588         return err;
589 }
590 
591 static int nf_tables_table_enable(const struct nft_af_info *afi,
592                                   struct nft_table *table)
593 {
594         struct nft_chain *chain;
595         int err, i = 0;
596 
597         list_for_each_entry(chain, &table->chains, list) {
598                 if (!(chain->flags & NFT_BASE_CHAIN))
599                         continue;
600 
601                 err = nft_register_basechain(nft_base_chain(chain), afi->nops);
602                 if (err < 0)
603                         goto err;
604 
605                 i++;
606         }
607         return 0;
608 err:
609         list_for_each_entry(chain, &table->chains, list) {
610                 if (!(chain->flags & NFT_BASE_CHAIN))
611                         continue;
612 
613                 if (i-- <= 0)
614                         break;
615 
616                 nft_unregister_basechain(nft_base_chain(chain), afi->nops);
617         }
618         return err;
619 }
620 
621 static void nf_tables_table_disable(const struct nft_af_info *afi,
622                                     struct nft_table *table)
623 {
624         struct nft_chain *chain;
625 
626         list_for_each_entry(chain, &table->chains, list) {
627                 if (chain->flags & NFT_BASE_CHAIN)
628                         nft_unregister_basechain(nft_base_chain(chain),
629                                                  afi->nops);
630         }
631 }
632 
633 static int nf_tables_updtable(struct nft_ctx *ctx)
634 {
635         struct nft_trans *trans;
636         u32 flags;
637         int ret = 0;
638 
639         if (!ctx->nla[NFTA_TABLE_FLAGS])
640                 return 0;
641 
642         flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
643         if (flags & ~NFT_TABLE_F_DORMANT)
644                 return -EINVAL;
645 
646         if (flags == ctx->table->flags)
647                 return 0;
648 
649         trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
650                                 sizeof(struct nft_trans_table));
651         if (trans == NULL)
652                 return -ENOMEM;
653 
654         if ((flags & NFT_TABLE_F_DORMANT) &&
655             !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
656                 nft_trans_table_enable(trans) = false;
657         } else if (!(flags & NFT_TABLE_F_DORMANT) &&
658                    ctx->table->flags & NFT_TABLE_F_DORMANT) {
659                 ret = nf_tables_table_enable(ctx->afi, ctx->table);
660                 if (ret >= 0) {
661                         ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
662                         nft_trans_table_enable(trans) = true;
663                 }
664         }
665         if (ret < 0)
666                 goto err;
667 
668         nft_trans_table_update(trans) = true;
669         list_add_tail(&trans->list, &ctx->net->nft.commit_list);
670         return 0;
671 err:
672         nft_trans_destroy(trans);
673         return ret;
674 }
675 
676 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
677                               struct sk_buff *skb, const struct nlmsghdr *nlh,
678                               const struct nlattr * const nla[])
679 {
680         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
681         const struct nlattr *name;
682         struct nft_af_info *afi;
683         struct nft_table *table;
684         int family = nfmsg->nfgen_family;
685         u32 flags = 0;
686         struct nft_ctx ctx;
687         int err;
688 
689         afi = nf_tables_afinfo_lookup(net, family, true);
690         if (IS_ERR(afi))
691                 return PTR_ERR(afi);
692 
693         name = nla[NFTA_TABLE_NAME];
694         table = nf_tables_table_lookup(afi, name);
695         if (IS_ERR(table)) {
696                 if (PTR_ERR(table) != -ENOENT)
697                         return PTR_ERR(table);
698                 table = NULL;
699         }
700 
701         if (table != NULL) {
702                 if (table->flags & NFT_TABLE_INACTIVE)
703                         return -ENOENT;
704                 if (nlh->nlmsg_flags & NLM_F_EXCL)
705                         return -EEXIST;
706                 if (nlh->nlmsg_flags & NLM_F_REPLACE)
707                         return -EOPNOTSUPP;
708 
709                 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
710                 return nf_tables_updtable(&ctx);
711         }
712 
713         if (nla[NFTA_TABLE_FLAGS]) {
714                 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
715                 if (flags & ~NFT_TABLE_F_DORMANT)
716                         return -EINVAL;
717         }
718 
719         err = -EAFNOSUPPORT;
720         if (!try_module_get(afi->owner))
721                 goto err1;
722 
723         err = -ENOMEM;
724         table = kzalloc(sizeof(*table), GFP_KERNEL);
725         if (table == NULL)
726                 goto err2;
727 
728         nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
729         INIT_LIST_HEAD(&table->chains);
730         INIT_LIST_HEAD(&table->sets);
731         table->flags = flags;
732 
733         nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
734         err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
735         if (err < 0)
736                 goto err3;
737 
738         list_add_tail_rcu(&table->list, &afi->tables);
739         return 0;
740 err3:
741         kfree(table);
742 err2:
743         module_put(afi->owner);
744 err1:
745         return err;
746 }
747 
748 static int nft_flush_table(struct nft_ctx *ctx)
749 {
750         int err;
751         struct nft_chain *chain, *nc;
752         struct nft_set *set, *ns;
753 
754         list_for_each_entry(chain, &ctx->table->chains, list) {
755                 ctx->chain = chain;
756 
757                 err = nft_delrule_by_chain(ctx);
758                 if (err < 0)
759                         goto out;
760         }
761 
762         list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
763                 if (set->flags & NFT_SET_ANONYMOUS &&
764                     !list_empty(&set->bindings))
765                         continue;
766 
767                 err = nft_delset(ctx, set);
768                 if (err < 0)
769                         goto out;
770         }
771 
772         list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
773                 ctx->chain = chain;
774 
775                 err = nft_delchain(ctx);
776                 if (err < 0)
777                         goto out;
778         }
779 
780         err = nft_deltable(ctx);
781 out:
782         return err;
783 }
784 
785 static int nft_flush(struct nft_ctx *ctx, int family)
786 {
787         struct nft_af_info *afi;
788         struct nft_table *table, *nt;
789         const struct nlattr * const *nla = ctx->nla;
790         int err = 0;
791 
792         list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
793                 if (family != AF_UNSPEC && afi->family != family)
794                         continue;
795 
796                 ctx->afi = afi;
797                 list_for_each_entry_safe(table, nt, &afi->tables, list) {
798                         if (nla[NFTA_TABLE_NAME] &&
799                             nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
800                                 continue;
801 
802                         ctx->table = table;
803 
804                         err = nft_flush_table(ctx);
805                         if (err < 0)
806                                 goto out;
807                 }
808         }
809 out:
810         return err;
811 }
812 
813 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
814                               struct sk_buff *skb, const struct nlmsghdr *nlh,
815                               const struct nlattr * const nla[])
816 {
817         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
818         struct nft_af_info *afi;
819         struct nft_table *table;
820         int family = nfmsg->nfgen_family;
821         struct nft_ctx ctx;
822 
823         nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
824         if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
825                 return nft_flush(&ctx, family);
826 
827         afi = nf_tables_afinfo_lookup(net, family, false);
828         if (IS_ERR(afi))
829                 return PTR_ERR(afi);
830 
831         table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
832         if (IS_ERR(table))
833                 return PTR_ERR(table);
834 
835         ctx.afi = afi;
836         ctx.table = table;
837 
838         return nft_flush_table(&ctx);
839 }
840 
841 static void nf_tables_table_destroy(struct nft_ctx *ctx)
842 {
843         BUG_ON(ctx->table->use > 0);
844 
845         kfree(ctx->table);
846         module_put(ctx->afi->owner);
847 }
848 
849 int nft_register_chain_type(const struct nf_chain_type *ctype)
850 {
851         int err = 0;
852 
853         nfnl_lock(NFNL_SUBSYS_NFTABLES);
854         if (chain_type[ctype->family][ctype->type] != NULL) {
855                 err = -EBUSY;
856                 goto out;
857         }
858         chain_type[ctype->family][ctype->type] = ctype;
859 out:
860         nfnl_unlock(NFNL_SUBSYS_NFTABLES);
861         return err;
862 }
863 EXPORT_SYMBOL_GPL(nft_register_chain_type);
864 
865 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
866 {
867         nfnl_lock(NFNL_SUBSYS_NFTABLES);
868         chain_type[ctype->family][ctype->type] = NULL;
869         nfnl_unlock(NFNL_SUBSYS_NFTABLES);
870 }
871 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
872 
873 /*
874  * Chains
875  */
876 
877 static struct nft_chain *
878 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
879 {
880         struct nft_chain *chain;
881 
882         list_for_each_entry(chain, &table->chains, list) {
883                 if (chain->handle == handle)
884                         return chain;
885         }
886 
887         return ERR_PTR(-ENOENT);
888 }
889 
890 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
891                                                 const struct nlattr *nla)
892 {
893         struct nft_chain *chain;
894 
895         if (nla == NULL)
896                 return ERR_PTR(-EINVAL);
897 
898         list_for_each_entry(chain, &table->chains, list) {
899                 if (!nla_strcmp(nla, chain->name))
900                         return chain;
901         }
902 
903         return ERR_PTR(-ENOENT);
904 }
905 
906 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
907         [NFTA_CHAIN_TABLE]      = { .type = NLA_STRING },
908         [NFTA_CHAIN_HANDLE]     = { .type = NLA_U64 },
909         [NFTA_CHAIN_NAME]       = { .type = NLA_STRING,
910                                     .len = NFT_CHAIN_MAXNAMELEN - 1 },
911         [NFTA_CHAIN_HOOK]       = { .type = NLA_NESTED },
912         [NFTA_CHAIN_POLICY]     = { .type = NLA_U32 },
913         [NFTA_CHAIN_TYPE]       = { .type = NLA_STRING },
914         [NFTA_CHAIN_COUNTERS]   = { .type = NLA_NESTED },
915 };
916 
917 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
918         [NFTA_HOOK_HOOKNUM]     = { .type = NLA_U32 },
919         [NFTA_HOOK_PRIORITY]    = { .type = NLA_U32 },
920         [NFTA_HOOK_DEV]         = { .type = NLA_STRING,
921                                     .len = IFNAMSIZ - 1 },
922 };
923 
924 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
925 {
926         struct nft_stats *cpu_stats, total;
927         struct nlattr *nest;
928         unsigned int seq;
929         u64 pkts, bytes;
930         int cpu;
931 
932         memset(&total, 0, sizeof(total));
933         for_each_possible_cpu(cpu) {
934                 cpu_stats = per_cpu_ptr(stats, cpu);
935                 do {
936                         seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
937                         pkts = cpu_stats->pkts;
938                         bytes = cpu_stats->bytes;
939                 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
940                 total.pkts += pkts;
941                 total.bytes += bytes;
942         }
943         nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
944         if (nest == NULL)
945                 goto nla_put_failure;
946 
947         if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
948             nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
949                 goto nla_put_failure;
950 
951         nla_nest_end(skb, nest);
952         return 0;
953 
954 nla_put_failure:
955         return -ENOSPC;
956 }
957 
958 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
959                                      u32 portid, u32 seq, int event, u32 flags,
960                                      int family, const struct nft_table *table,
961                                      const struct nft_chain *chain)
962 {
963         struct nlmsghdr *nlh;
964         struct nfgenmsg *nfmsg;
965 
966         event |= NFNL_SUBSYS_NFTABLES << 8;
967         nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
968         if (nlh == NULL)
969                 goto nla_put_failure;
970 
971         nfmsg = nlmsg_data(nlh);
972         nfmsg->nfgen_family     = family;
973         nfmsg->version          = NFNETLINK_V0;
974         nfmsg->res_id           = htons(net->nft.base_seq & 0xffff);
975 
976         if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
977                 goto nla_put_failure;
978         if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
979                 goto nla_put_failure;
980         if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
981                 goto nla_put_failure;
982 
983         if (chain->flags & NFT_BASE_CHAIN) {
984                 const struct nft_base_chain *basechain = nft_base_chain(chain);
985                 const struct nf_hook_ops *ops = &basechain->ops[0];
986                 struct nlattr *nest;
987 
988                 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
989                 if (nest == NULL)
990                         goto nla_put_failure;
991                 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
992                         goto nla_put_failure;
993                 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
994                         goto nla_put_failure;
995                 if (basechain->dev_name[0] &&
996                     nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
997                         goto nla_put_failure;
998                 nla_nest_end(skb, nest);
999 
1000                 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1001                                  htonl(basechain->policy)))
1002                         goto nla_put_failure;
1003 
1004                 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1005                         goto nla_put_failure;
1006 
1007                 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
1008                         goto nla_put_failure;
1009         }
1010 
1011         if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1012                 goto nla_put_failure;
1013 
1014         nlmsg_end(skb, nlh);
1015         return 0;
1016 
1017 nla_put_failure:
1018         nlmsg_trim(skb, nlh);
1019         return -1;
1020 }
1021 
1022 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1023 {
1024         struct sk_buff *skb;
1025         int err;
1026 
1027         if (!ctx->report &&
1028             !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1029                 return 0;
1030 
1031         err = -ENOBUFS;
1032         skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1033         if (skb == NULL)
1034                 goto err;
1035 
1036         err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1037                                         event, 0, ctx->afi->family, ctx->table,
1038                                         ctx->chain);
1039         if (err < 0) {
1040                 kfree_skb(skb);
1041                 goto err;
1042         }
1043 
1044         err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1045                              ctx->report, GFP_KERNEL);
1046 err:
1047         if (err < 0) {
1048                 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1049                                   err);
1050         }
1051         return err;
1052 }
1053 
1054 static int nf_tables_dump_chains(struct sk_buff *skb,
1055                                  struct netlink_callback *cb)
1056 {
1057         const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1058         const struct nft_af_info *afi;
1059         const struct nft_table *table;
1060         const struct nft_chain *chain;
1061         unsigned int idx = 0, s_idx = cb->args[0];
1062         struct net *net = sock_net(skb->sk);
1063         int family = nfmsg->nfgen_family;
1064 
1065         rcu_read_lock();
1066         cb->seq = net->nft.base_seq;
1067 
1068         list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1069                 if (family != NFPROTO_UNSPEC && family != afi->family)
1070                         continue;
1071 
1072                 list_for_each_entry_rcu(table, &afi->tables, list) {
1073                         list_for_each_entry_rcu(chain, &table->chains, list) {
1074                                 if (idx < s_idx)
1075                                         goto cont;
1076                                 if (idx > s_idx)
1077                                         memset(&cb->args[1], 0,
1078                                                sizeof(cb->args) - sizeof(cb->args[0]));
1079                                 if (nf_tables_fill_chain_info(skb, net,
1080                                                               NETLINK_CB(cb->skb).portid,
1081                                                               cb->nlh->nlmsg_seq,
1082                                                               NFT_MSG_NEWCHAIN,
1083                                                               NLM_F_MULTI,
1084                                                               afi->family, table, chain) < 0)
1085                                         goto done;
1086 
1087                                 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1088 cont:
1089                                 idx++;
1090                         }
1091                 }
1092         }
1093 done:
1094         rcu_read_unlock();
1095         cb->args[0] = idx;
1096         return skb->len;
1097 }
1098 
1099 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1100                               struct sk_buff *skb, const struct nlmsghdr *nlh,
1101                               const struct nlattr * const nla[])
1102 {
1103         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1104         const struct nft_af_info *afi;
1105         const struct nft_table *table;
1106         const struct nft_chain *chain;
1107         struct sk_buff *skb2;
1108         int family = nfmsg->nfgen_family;
1109         int err;
1110 
1111         if (nlh->nlmsg_flags & NLM_F_DUMP) {
1112                 struct netlink_dump_control c = {
1113                         .dump = nf_tables_dump_chains,
1114                 };
1115                 return netlink_dump_start(nlsk, skb, nlh, &c);
1116         }
1117 
1118         afi = nf_tables_afinfo_lookup(net, family, false);
1119         if (IS_ERR(afi))
1120                 return PTR_ERR(afi);
1121 
1122         table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1123         if (IS_ERR(table))
1124                 return PTR_ERR(table);
1125         if (table->flags & NFT_TABLE_INACTIVE)
1126                 return -ENOENT;
1127 
1128         chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1129         if (IS_ERR(chain))
1130                 return PTR_ERR(chain);
1131         if (chain->flags & NFT_CHAIN_INACTIVE)
1132                 return -ENOENT;
1133 
1134         skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1135         if (!skb2)
1136                 return -ENOMEM;
1137 
1138         err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1139                                         nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1140                                         family, table, chain);
1141         if (err < 0)
1142                 goto err;
1143 
1144         return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1145 
1146 err:
1147         kfree_skb(skb2);
1148         return err;
1149 }
1150 
1151 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1152         [NFTA_COUNTER_PACKETS]  = { .type = NLA_U64 },
1153         [NFTA_COUNTER_BYTES]    = { .type = NLA_U64 },
1154 };
1155 
1156 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1157 {
1158         struct nlattr *tb[NFTA_COUNTER_MAX+1];
1159         struct nft_stats __percpu *newstats;
1160         struct nft_stats *stats;
1161         int err;
1162 
1163         err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1164         if (err < 0)
1165                 return ERR_PTR(err);
1166 
1167         if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1168                 return ERR_PTR(-EINVAL);
1169 
1170         newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1171         if (newstats == NULL)
1172                 return ERR_PTR(-ENOMEM);
1173 
1174         /* Restore old counters on this cpu, no problem. Per-cpu statistics
1175          * are not exposed to userspace.
1176          */
1177         preempt_disable();
1178         stats = this_cpu_ptr(newstats);
1179         stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1180         stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1181         preempt_enable();
1182 
1183         return newstats;
1184 }
1185 
1186 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1187                                     struct nft_stats __percpu *newstats)
1188 {
1189         if (newstats == NULL)
1190                 return;
1191 
1192         if (chain->stats) {
1193                 struct nft_stats __percpu *oldstats =
1194                                 nft_dereference(chain->stats);
1195 
1196                 rcu_assign_pointer(chain->stats, newstats);
1197                 synchronize_rcu();
1198                 free_percpu(oldstats);
1199         } else
1200                 rcu_assign_pointer(chain->stats, newstats);
1201 }
1202 
1203 static void nf_tables_chain_destroy(struct nft_chain *chain)
1204 {
1205         BUG_ON(chain->use > 0);
1206 
1207         if (chain->flags & NFT_BASE_CHAIN) {
1208                 struct nft_base_chain *basechain = nft_base_chain(chain);
1209 
1210                 module_put(basechain->type->owner);
1211                 free_percpu(basechain->stats);
1212                 if (basechain->ops[0].dev != NULL)
1213                         dev_put(basechain->ops[0].dev);
1214                 kfree(basechain);
1215         } else {
1216                 kfree(chain);
1217         }
1218 }
1219 
1220 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1221                               struct sk_buff *skb, const struct nlmsghdr *nlh,
1222                               const struct nlattr * const nla[])
1223 {
1224         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1225         const struct nlattr * uninitialized_var(name);
1226         struct nft_af_info *afi;
1227         struct nft_table *table;
1228         struct nft_chain *chain;
1229         struct nft_base_chain *basechain = NULL;
1230         struct nlattr *ha[NFTA_HOOK_MAX + 1];
1231         int family = nfmsg->nfgen_family;
1232         struct net_device *dev = NULL;
1233         u8 policy = NF_ACCEPT;
1234         u64 handle = 0;
1235         unsigned int i;
1236         struct nft_stats __percpu *stats;
1237         int err;
1238         bool create;
1239         struct nft_ctx ctx;
1240 
1241         create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1242 
1243         afi = nf_tables_afinfo_lookup(net, family, true);
1244         if (IS_ERR(afi))
1245                 return PTR_ERR(afi);
1246 
1247         table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1248         if (IS_ERR(table))
1249                 return PTR_ERR(table);
1250 
1251         chain = NULL;
1252         name = nla[NFTA_CHAIN_NAME];
1253 
1254         if (nla[NFTA_CHAIN_HANDLE]) {
1255                 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1256                 chain = nf_tables_chain_lookup_byhandle(table, handle);
1257                 if (IS_ERR(chain))
1258                         return PTR_ERR(chain);
1259         } else {
1260                 chain = nf_tables_chain_lookup(table, name);
1261                 if (IS_ERR(chain)) {
1262                         if (PTR_ERR(chain) != -ENOENT)
1263                                 return PTR_ERR(chain);
1264                         chain = NULL;
1265                 }
1266         }
1267 
1268         if (nla[NFTA_CHAIN_POLICY]) {
1269                 if ((chain != NULL &&
1270                     !(chain->flags & NFT_BASE_CHAIN)))
1271                         return -EOPNOTSUPP;
1272 
1273                 if (chain == NULL &&
1274                     nla[NFTA_CHAIN_HOOK] == NULL)
1275                         return -EOPNOTSUPP;
1276 
1277                 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1278                 switch (policy) {
1279                 case NF_DROP:
1280                 case NF_ACCEPT:
1281                         break;
1282                 default:
1283                         return -EINVAL;
1284                 }
1285         }
1286 
1287         if (chain != NULL) {
1288                 struct nft_stats *stats = NULL;
1289                 struct nft_trans *trans;
1290 
1291                 if (chain->flags & NFT_CHAIN_INACTIVE)
1292                         return -ENOENT;
1293                 if (nlh->nlmsg_flags & NLM_F_EXCL)
1294                         return -EEXIST;
1295                 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1296                         return -EOPNOTSUPP;
1297 
1298                 if (nla[NFTA_CHAIN_HANDLE] && name &&
1299                     !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
1300                         return -EEXIST;
1301 
1302                 if (nla[NFTA_CHAIN_COUNTERS]) {
1303                         if (!(chain->flags & NFT_BASE_CHAIN))
1304                                 return -EOPNOTSUPP;
1305 
1306                         stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1307                         if (IS_ERR(stats))
1308                                 return PTR_ERR(stats);
1309                 }
1310 
1311                 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1312                 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1313                                         sizeof(struct nft_trans_chain));
1314                 if (trans == NULL) {
1315                         free_percpu(stats);
1316                         return -ENOMEM;
1317                 }
1318 
1319                 nft_trans_chain_stats(trans) = stats;
1320                 nft_trans_chain_update(trans) = true;
1321 
1322                 if (nla[NFTA_CHAIN_POLICY])
1323                         nft_trans_chain_policy(trans) = policy;
1324                 else
1325                         nft_trans_chain_policy(trans) = -1;
1326 
1327                 if (nla[NFTA_CHAIN_HANDLE] && name) {
1328                         nla_strlcpy(nft_trans_chain_name(trans), name,
1329                                     NFT_CHAIN_MAXNAMELEN);
1330                 }
1331                 list_add_tail(&trans->list, &net->nft.commit_list);
1332                 return 0;
1333         }
1334 
1335         if (table->use == UINT_MAX)
1336                 return -EOVERFLOW;
1337 
1338         if (nla[NFTA_CHAIN_HOOK]) {
1339                 const struct nf_chain_type *type;
1340                 struct nf_hook_ops *ops;
1341                 nf_hookfn *hookfn;
1342                 u32 hooknum, priority;
1343 
1344                 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1345                 if (nla[NFTA_CHAIN_TYPE]) {
1346                         type = nf_tables_chain_type_lookup(afi,
1347                                                            nla[NFTA_CHAIN_TYPE],
1348                                                            create);
1349                         if (IS_ERR(type))
1350                                 return PTR_ERR(type);
1351                 }
1352 
1353                 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1354                                        nft_hook_policy);
1355                 if (err < 0)
1356                         return err;
1357                 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1358                     ha[NFTA_HOOK_PRIORITY] == NULL)
1359                         return -EINVAL;
1360 
1361                 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1362                 if (hooknum >= afi->nhooks)
1363                         return -EINVAL;
1364                 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1365 
1366                 if (!(type->hook_mask & (1 << hooknum)))
1367                         return -EOPNOTSUPP;
1368                 if (!try_module_get(type->owner))
1369                         return -ENOENT;
1370                 hookfn = type->hooks[hooknum];
1371 
1372                 if (afi->flags & NFT_AF_NEEDS_DEV) {
1373                         char ifname[IFNAMSIZ];
1374 
1375                         if (!ha[NFTA_HOOK_DEV]) {
1376                                 module_put(type->owner);
1377                                 return -EOPNOTSUPP;
1378                         }
1379 
1380                         nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1381                         dev = dev_get_by_name(net, ifname);
1382                         if (!dev) {
1383                                 module_put(type->owner);
1384                                 return -ENOENT;
1385                         }
1386                 } else if (ha[NFTA_HOOK_DEV]) {
1387                         module_put(type->owner);
1388                         return -EOPNOTSUPP;
1389                 }
1390 
1391                 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1392                 if (basechain == NULL) {
1393                         module_put(type->owner);
1394                         if (dev != NULL)
1395                                 dev_put(dev);
1396                         return -ENOMEM;
1397                 }
1398 
1399                 if (dev != NULL)
1400                         strncpy(basechain->dev_name, dev->name, IFNAMSIZ);
1401 
1402                 if (nla[NFTA_CHAIN_COUNTERS]) {
1403                         stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1404                         if (IS_ERR(stats)) {
1405                                 module_put(type->owner);
1406                                 kfree(basechain);
1407                                 if (dev != NULL)
1408                                         dev_put(dev);
1409                                 return PTR_ERR(stats);
1410                         }
1411                         basechain->stats = stats;
1412                 } else {
1413                         stats = netdev_alloc_pcpu_stats(struct nft_stats);
1414                         if (stats == NULL) {
1415                                 module_put(type->owner);
1416                                 kfree(basechain);
1417                                 if (dev != NULL)
1418                                         dev_put(dev);
1419                                 return -ENOMEM;
1420                         }
1421                         rcu_assign_pointer(basechain->stats, stats);
1422                 }
1423 
1424                 write_pnet(&basechain->pnet, net);
1425                 basechain->type = type;
1426                 chain = &basechain->chain;
1427 
1428                 for (i = 0; i < afi->nops; i++) {
1429                         ops = &basechain->ops[i];
1430                         ops->pf         = family;
1431                         ops->hooknum    = hooknum;
1432                         ops->priority   = priority;
1433                         ops->priv       = chain;
1434                         ops->hook       = afi->hooks[ops->hooknum];
1435                         ops->dev        = dev;
1436                         if (hookfn)
1437                                 ops->hook = hookfn;
1438                         if (afi->hook_ops_init)
1439                                 afi->hook_ops_init(ops, i);
1440                 }
1441 
1442                 chain->flags |= NFT_BASE_CHAIN;
1443                 basechain->policy = policy;
1444         } else {
1445                 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1446                 if (chain == NULL)
1447                         return -ENOMEM;
1448         }
1449 
1450         INIT_LIST_HEAD(&chain->rules);
1451         chain->handle = nf_tables_alloc_handle(table);
1452         chain->table = table;
1453         nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1454 
1455         err = nf_tables_register_hooks(table, chain, afi->nops);
1456         if (err < 0)
1457                 goto err1;
1458 
1459         nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1460         err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1461         if (err < 0)
1462                 goto err2;
1463 
1464         table->use++;
1465         list_add_tail_rcu(&chain->list, &table->chains);
1466         return 0;
1467 err2:
1468         nf_tables_unregister_hooks(table, chain, afi->nops);
1469 err1:
1470         nf_tables_chain_destroy(chain);
1471         return err;
1472 }
1473 
1474 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1475                               struct sk_buff *skb, const struct nlmsghdr *nlh,
1476                               const struct nlattr * const nla[])
1477 {
1478         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1479         struct nft_af_info *afi;
1480         struct nft_table *table;
1481         struct nft_chain *chain;
1482         int family = nfmsg->nfgen_family;
1483         struct nft_ctx ctx;
1484 
1485         afi = nf_tables_afinfo_lookup(net, family, false);
1486         if (IS_ERR(afi))
1487                 return PTR_ERR(afi);
1488 
1489         table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1490         if (IS_ERR(table))
1491                 return PTR_ERR(table);
1492 
1493         chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1494         if (IS_ERR(chain))
1495                 return PTR_ERR(chain);
1496         if (chain->use > 0)
1497                 return -EBUSY;
1498 
1499         nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1500 
1501         return nft_delchain(&ctx);
1502 }
1503 
1504 /*
1505  * Expressions
1506  */
1507 
1508 /**
1509  *      nft_register_expr - register nf_tables expr type
1510  *      @ops: expr type
1511  *
1512  *      Registers the expr type for use with nf_tables. Returns zero on
1513  *      success or a negative errno code otherwise.
1514  */
1515 int nft_register_expr(struct nft_expr_type *type)
1516 {
1517         nfnl_lock(NFNL_SUBSYS_NFTABLES);
1518         if (type->family == NFPROTO_UNSPEC)
1519                 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1520         else
1521                 list_add_rcu(&type->list, &nf_tables_expressions);
1522         nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1523         return 0;
1524 }
1525 EXPORT_SYMBOL_GPL(nft_register_expr);
1526 
1527 /**
1528  *      nft_unregister_expr - unregister nf_tables expr type
1529  *      @ops: expr type
1530  *
1531  *      Unregisters the expr typefor use with nf_tables.
1532  */
1533 void nft_unregister_expr(struct nft_expr_type *type)
1534 {
1535         nfnl_lock(NFNL_SUBSYS_NFTABLES);
1536         list_del_rcu(&type->list);
1537         nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1538 }
1539 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1540 
1541 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1542                                                        struct nlattr *nla)
1543 {
1544         const struct nft_expr_type *type;
1545 
1546         list_for_each_entry(type, &nf_tables_expressions, list) {
1547                 if (!nla_strcmp(nla, type->name) &&
1548                     (!type->family || type->family == family))
1549                         return type;
1550         }
1551         return NULL;
1552 }
1553 
1554 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1555                                                      struct nlattr *nla)
1556 {
1557         const struct nft_expr_type *type;
1558 
1559         if (nla == NULL)
1560                 return ERR_PTR(-EINVAL);
1561 
1562         type = __nft_expr_type_get(family, nla);
1563         if (type != NULL && try_module_get(type->owner))
1564                 return type;
1565 
1566 #ifdef CONFIG_MODULES
1567         if (type == NULL) {
1568                 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1569                 request_module("nft-expr-%u-%.*s", family,
1570                                nla_len(nla), (char *)nla_data(nla));
1571                 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1572                 if (__nft_expr_type_get(family, nla))
1573                         return ERR_PTR(-EAGAIN);
1574 
1575                 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1576                 request_module("nft-expr-%.*s",
1577                                nla_len(nla), (char *)nla_data(nla));
1578                 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1579                 if (__nft_expr_type_get(family, nla))
1580                         return ERR_PTR(-EAGAIN);
1581         }
1582 #endif
1583         return ERR_PTR(-ENOENT);
1584 }
1585 
1586 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1587         [NFTA_EXPR_NAME]        = { .type = NLA_STRING },
1588         [NFTA_EXPR_DATA]        = { .type = NLA_NESTED },
1589 };
1590 
1591 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1592                                     const struct nft_expr *expr)
1593 {
1594         if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1595                 goto nla_put_failure;
1596 
1597         if (expr->ops->dump) {
1598                 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1599                 if (data == NULL)
1600                         goto nla_put_failure;
1601                 if (expr->ops->dump(skb, expr) < 0)
1602                         goto nla_put_failure;
1603                 nla_nest_end(skb, data);
1604         }
1605 
1606         return skb->len;
1607 
1608 nla_put_failure:
1609         return -1;
1610 };
1611 
1612 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1613                   const struct nft_expr *expr)
1614 {
1615         struct nlattr *nest;
1616 
1617         nest = nla_nest_start(skb, attr);
1618         if (!nest)
1619                 goto nla_put_failure;
1620         if (nf_tables_fill_expr_info(skb, expr) < 0)
1621                 goto nla_put_failure;
1622         nla_nest_end(skb, nest);
1623         return 0;
1624 
1625 nla_put_failure:
1626         return -1;
1627 }
1628 
1629 struct nft_expr_info {
1630         const struct nft_expr_ops       *ops;
1631         struct nlattr                   *tb[NFT_EXPR_MAXATTR + 1];
1632 };
1633 
1634 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1635                                 const struct nlattr *nla,
1636                                 struct nft_expr_info *info)
1637 {
1638         const struct nft_expr_type *type;
1639         const struct nft_expr_ops *ops;
1640         struct nlattr *tb[NFTA_EXPR_MAX + 1];
1641         int err;
1642 
1643         err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1644         if (err < 0)
1645                 return err;
1646 
1647         type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1648         if (IS_ERR(type))
1649                 return PTR_ERR(type);
1650 
1651         if (tb[NFTA_EXPR_DATA]) {
1652                 err = nla_parse_nested(info->tb, type->maxattr,
1653                                        tb[NFTA_EXPR_DATA], type->policy);
1654                 if (err < 0)
1655                         goto err1;
1656         } else
1657                 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1658 
1659         if (type->select_ops != NULL) {
1660                 ops = type->select_ops(ctx,
1661                                        (const struct nlattr * const *)info->tb);
1662                 if (IS_ERR(ops)) {
1663                         err = PTR_ERR(ops);
1664                         goto err1;
1665                 }
1666         } else
1667                 ops = type->ops;
1668 
1669         info->ops = ops;
1670         return 0;
1671 
1672 err1:
1673         module_put(type->owner);
1674         return err;
1675 }
1676 
1677 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1678                              const struct nft_expr_info *info,
1679                              struct nft_expr *expr)
1680 {
1681         const struct nft_expr_ops *ops = info->ops;
1682         int err;
1683 
1684         expr->ops = ops;
1685         if (ops->init) {
1686                 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1687                 if (err < 0)
1688                         goto err1;
1689         }
1690 
1691         return 0;
1692 
1693 err1:
1694         expr->ops = NULL;
1695         return err;
1696 }
1697 
1698 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1699                                    struct nft_expr *expr)
1700 {
1701         if (expr->ops->destroy)
1702                 expr->ops->destroy(ctx, expr);
1703         module_put(expr->ops->type->owner);
1704 }
1705 
1706 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1707                                const struct nlattr *nla)
1708 {
1709         struct nft_expr_info info;
1710         struct nft_expr *expr;
1711         int err;
1712 
1713         err = nf_tables_expr_parse(ctx, nla, &info);
1714         if (err < 0)
1715                 goto err1;
1716 
1717         err = -ENOMEM;
1718         expr = kzalloc(info.ops->size, GFP_KERNEL);
1719         if (expr == NULL)
1720                 goto err2;
1721 
1722         err = nf_tables_newexpr(ctx, &info, expr);
1723         if (err < 0)
1724                 goto err2;
1725 
1726         return expr;
1727 err2:
1728         module_put(info.ops->type->owner);
1729 err1:
1730         return ERR_PTR(err);
1731 }
1732 
1733 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1734 {
1735         nf_tables_expr_destroy(ctx, expr);
1736         kfree(expr);
1737 }
1738 
1739 /*
1740  * Rules
1741  */
1742 
1743 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1744                                                 u64 handle)
1745 {
1746         struct nft_rule *rule;
1747 
1748         // FIXME: this sucks
1749         list_for_each_entry(rule, &chain->rules, list) {
1750                 if (handle == rule->handle)
1751                         return rule;
1752         }
1753 
1754         return ERR_PTR(-ENOENT);
1755 }
1756 
1757 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1758                                               const struct nlattr *nla)
1759 {
1760         if (nla == NULL)
1761                 return ERR_PTR(-EINVAL);
1762 
1763         return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1764 }
1765 
1766 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1767         [NFTA_RULE_TABLE]       = { .type = NLA_STRING },
1768         [NFTA_RULE_CHAIN]       = { .type = NLA_STRING,
1769                                     .len = NFT_CHAIN_MAXNAMELEN - 1 },
1770         [NFTA_RULE_HANDLE]      = { .type = NLA_U64 },
1771         [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1772         [NFTA_RULE_COMPAT]      = { .type = NLA_NESTED },
1773         [NFTA_RULE_POSITION]    = { .type = NLA_U64 },
1774         [NFTA_RULE_USERDATA]    = { .type = NLA_BINARY,
1775                                     .len = NFT_USERDATA_MAXLEN },
1776 };
1777 
1778 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1779                                     u32 portid, u32 seq, int event,
1780                                     u32 flags, int family,
1781                                     const struct nft_table *table,
1782                                     const struct nft_chain *chain,
1783                                     const struct nft_rule *rule)
1784 {
1785         struct nlmsghdr *nlh;
1786         struct nfgenmsg *nfmsg;
1787         const struct nft_expr *expr, *next;
1788         struct nlattr *list;
1789         const struct nft_rule *prule;
1790         int type = event | NFNL_SUBSYS_NFTABLES << 8;
1791 
1792         nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1793                         flags);
1794         if (nlh == NULL)
1795                 goto nla_put_failure;
1796 
1797         nfmsg = nlmsg_data(nlh);
1798         nfmsg->nfgen_family     = family;
1799         nfmsg->version          = NFNETLINK_V0;
1800         nfmsg->res_id           = htons(net->nft.base_seq & 0xffff);
1801 
1802         if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1803                 goto nla_put_failure;
1804         if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1805                 goto nla_put_failure;
1806         if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1807                 goto nla_put_failure;
1808 
1809         if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1810                 prule = list_entry(rule->list.prev, struct nft_rule, list);
1811                 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1812                                  cpu_to_be64(prule->handle)))
1813                         goto nla_put_failure;
1814         }
1815 
1816         list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1817         if (list == NULL)
1818                 goto nla_put_failure;
1819         nft_rule_for_each_expr(expr, next, rule) {
1820                 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1821                         goto nla_put_failure;
1822         }
1823         nla_nest_end(skb, list);
1824 
1825         if (rule->udata) {
1826                 struct nft_userdata *udata = nft_userdata(rule);
1827                 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1828                             udata->data) < 0)
1829                         goto nla_put_failure;
1830         }
1831 
1832         nlmsg_end(skb, nlh);
1833         return 0;
1834 
1835 nla_put_failure:
1836         nlmsg_trim(skb, nlh);
1837         return -1;
1838 }
1839 
1840 static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1841                                  const struct nft_rule *rule,
1842                                  int event)
1843 {
1844         struct sk_buff *skb;
1845         int err;
1846 
1847         if (!ctx->report &&
1848             !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1849                 return 0;
1850 
1851         err = -ENOBUFS;
1852         skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1853         if (skb == NULL)
1854                 goto err;
1855 
1856         err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1857                                        event, 0, ctx->afi->family, ctx->table,
1858                                        ctx->chain, rule);
1859         if (err < 0) {
1860                 kfree_skb(skb);
1861                 goto err;
1862         }
1863 
1864         err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1865                              ctx->report, GFP_KERNEL);
1866 err:
1867         if (err < 0) {
1868                 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1869                                   err);
1870         }
1871         return err;
1872 }
1873 
1874 static int nf_tables_dump_rules(struct sk_buff *skb,
1875                                 struct netlink_callback *cb)
1876 {
1877         const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1878         const struct nft_af_info *afi;
1879         const struct nft_table *table;
1880         const struct nft_chain *chain;
1881         const struct nft_rule *rule;
1882         unsigned int idx = 0, s_idx = cb->args[0];
1883         struct net *net = sock_net(skb->sk);
1884         int family = nfmsg->nfgen_family;
1885 
1886         rcu_read_lock();
1887         cb->seq = net->nft.base_seq;
1888 
1889         list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1890                 if (family != NFPROTO_UNSPEC && family != afi->family)
1891                         continue;
1892 
1893                 list_for_each_entry_rcu(table, &afi->tables, list) {
1894                         list_for_each_entry_rcu(chain, &table->chains, list) {
1895                                 list_for_each_entry_rcu(rule, &chain->rules, list) {
1896                                         if (!nft_rule_is_active(net, rule))
1897                                                 goto cont;
1898                                         if (idx < s_idx)
1899                                                 goto cont;
1900                                         if (idx > s_idx)
1901                                                 memset(&cb->args[1], 0,
1902                                                        sizeof(cb->args) - sizeof(cb->args[0]));
1903                                         if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
1904                                                                       cb->nlh->nlmsg_seq,
1905                                                                       NFT_MSG_NEWRULE,
1906                                                                       NLM_F_MULTI | NLM_F_APPEND,
1907                                                                       afi->family, table, chain, rule) < 0)
1908                                                 goto done;
1909 
1910                                         nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1911 cont:
1912                                         idx++;
1913                                 }
1914                         }
1915                 }
1916         }
1917 done:
1918         rcu_read_unlock();
1919 
1920         cb->args[0] = idx;
1921         return skb->len;
1922 }
1923 
1924 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
1925                              struct sk_buff *skb, const struct nlmsghdr *nlh,
1926                              const struct nlattr * const nla[])
1927 {
1928         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1929         const struct nft_af_info *afi;
1930         const struct nft_table *table;
1931         const struct nft_chain *chain;
1932         const struct nft_rule *rule;
1933         struct sk_buff *skb2;
1934         int family = nfmsg->nfgen_family;
1935         int err;
1936 
1937         if (nlh->nlmsg_flags & NLM_F_DUMP) {
1938                 struct netlink_dump_control c = {
1939                         .dump = nf_tables_dump_rules,
1940                 };
1941                 return netlink_dump_start(nlsk, skb, nlh, &c);
1942         }
1943 
1944         afi = nf_tables_afinfo_lookup(net, family, false);
1945         if (IS_ERR(afi))
1946                 return PTR_ERR(afi);
1947 
1948         table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1949         if (IS_ERR(table))
1950                 return PTR_ERR(table);
1951         if (table->flags & NFT_TABLE_INACTIVE)
1952                 return -ENOENT;
1953 
1954         chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1955         if (IS_ERR(chain))
1956                 return PTR_ERR(chain);
1957         if (chain->flags & NFT_CHAIN_INACTIVE)
1958                 return -ENOENT;
1959 
1960         rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1961         if (IS_ERR(rule))
1962                 return PTR_ERR(rule);
1963 
1964         skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1965         if (!skb2)
1966                 return -ENOMEM;
1967 
1968         err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
1969                                        nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1970                                        family, table, chain, rule);
1971         if (err < 0)
1972                 goto err;
1973 
1974         return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1975 
1976 err:
1977         kfree_skb(skb2);
1978         return err;
1979 }
1980 
1981 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1982                                    struct nft_rule *rule)
1983 {
1984         struct nft_expr *expr;
1985 
1986         /*
1987          * Careful: some expressions might not be initialized in case this
1988          * is called on error from nf_tables_newrule().
1989          */
1990         expr = nft_expr_first(rule);
1991         while (expr->ops && expr != nft_expr_last(rule)) {
1992                 nf_tables_expr_destroy(ctx, expr);
1993                 expr = nft_expr_next(expr);
1994         }
1995         kfree(rule);
1996 }
1997 
1998 #define NFT_RULE_MAXEXPRS       128
1999 
2000 static struct nft_expr_info *info;
2001 
2002 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2003                              struct sk_buff *skb, const struct nlmsghdr *nlh,
2004                              const struct nlattr * const nla[])
2005 {
2006         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2007         struct nft_af_info *afi;
2008         struct nft_table *table;
2009         struct nft_chain *chain;
2010         struct nft_rule *rule, *old_rule = NULL;
2011         struct nft_userdata *udata;
2012         struct nft_trans *trans = NULL;
2013         struct nft_expr *expr;
2014         struct nft_ctx ctx;
2015         struct nlattr *tmp;
2016         unsigned int size, i, n, ulen = 0, usize = 0;
2017         int err, rem;
2018         bool create;
2019         u64 handle, pos_handle;
2020 
2021         create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2022 
2023         afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2024         if (IS_ERR(afi))
2025                 return PTR_ERR(afi);
2026 
2027         table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
2028         if (IS_ERR(table))
2029                 return PTR_ERR(table);
2030 
2031         chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
2032         if (IS_ERR(chain))
2033                 return PTR_ERR(chain);
2034 
2035         if (nla[NFTA_RULE_HANDLE]) {
2036                 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2037                 rule = __nf_tables_rule_lookup(chain, handle);
2038                 if (IS_ERR(rule))
2039                         return PTR_ERR(rule);
2040 
2041                 if (nlh->nlmsg_flags & NLM_F_EXCL)
2042                         return -EEXIST;
2043                 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2044                         old_rule = rule;
2045                 else
2046                         return -EOPNOTSUPP;
2047         } else {
2048                 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2049                         return -EINVAL;
2050                 handle = nf_tables_alloc_handle(table);
2051 
2052                 if (chain->use == UINT_MAX)
2053                         return -EOVERFLOW;
2054         }
2055 
2056         if (nla[NFTA_RULE_POSITION]) {
2057                 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2058                         return -EOPNOTSUPP;
2059 
2060                 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2061                 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2062                 if (IS_ERR(old_rule))
2063                         return PTR_ERR(old_rule);
2064         }
2065 
2066         nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2067 
2068         n = 0;
2069         size = 0;
2070         if (nla[NFTA_RULE_EXPRESSIONS]) {
2071                 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2072                         err = -EINVAL;
2073                         if (nla_type(tmp) != NFTA_LIST_ELEM)
2074                                 goto err1;
2075                         if (n == NFT_RULE_MAXEXPRS)
2076                                 goto err1;
2077                         err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2078                         if (err < 0)
2079                                 goto err1;
2080                         size += info[n].ops->size;
2081                         n++;
2082                 }
2083         }
2084         /* Check for overflow of dlen field */
2085         err = -EFBIG;
2086         if (size >= 1 << 12)
2087                 goto err1;
2088 
2089         if (nla[NFTA_RULE_USERDATA]) {
2090                 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2091                 if (ulen > 0)
2092                         usize = sizeof(struct nft_userdata) + ulen;
2093         }
2094 
2095         err = -ENOMEM;
2096         rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2097         if (rule == NULL)
2098                 goto err1;
2099 
2100         nft_rule_activate_next(net, rule);
2101 
2102         rule->handle = handle;
2103         rule->dlen   = size;
2104         rule->udata  = ulen ? 1 : 0;
2105 
2106         if (ulen) {
2107                 udata = nft_userdata(rule);
2108                 udata->len = ulen - 1;
2109                 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2110         }
2111 
2112         expr = nft_expr_first(rule);
2113         for (i = 0; i < n; i++) {
2114                 err = nf_tables_newexpr(&ctx, &info[i], expr);
2115                 if (err < 0)
2116                         goto err2;
2117                 info[i].ops = NULL;
2118                 expr = nft_expr_next(expr);
2119         }
2120 
2121         if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2122                 if (nft_rule_is_active_next(net, old_rule)) {
2123                         trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2124                                                    old_rule);
2125                         if (trans == NULL) {
2126                                 err = -ENOMEM;
2127                                 goto err2;
2128                         }
2129                         nft_rule_deactivate_next(net, old_rule);
2130                         chain->use--;
2131                         list_add_tail_rcu(&rule->list, &old_rule->list);
2132                 } else {
2133                         err = -ENOENT;
2134                         goto err2;
2135                 }
2136         } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2137                 if (old_rule)
2138                         list_add_rcu(&rule->list, &old_rule->list);
2139                 else
2140                         list_add_tail_rcu(&rule->list, &chain->rules);
2141         else {
2142                 if (old_rule)
2143                         list_add_tail_rcu(&rule->list, &old_rule->list);
2144                 else
2145                         list_add_rcu(&rule->list, &chain->rules);
2146         }
2147 
2148         if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2149                 err = -ENOMEM;
2150                 goto err3;
2151         }
2152         chain->use++;
2153         return 0;
2154 
2155 err3:
2156         list_del_rcu(&rule->list);
2157 err2:
2158         nf_tables_rule_destroy(&ctx, rule);
2159 err1:
2160         for (i = 0; i < n; i++) {
2161                 if (info[i].ops != NULL)
2162                         module_put(info[i].ops->type->owner);
2163         }
2164         return err;
2165 }
2166 
2167 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2168                              struct sk_buff *skb, const struct nlmsghdr *nlh,
2169                              const struct nlattr * const nla[])
2170 {
2171         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2172         struct nft_af_info *afi;
2173         struct nft_table *table;
2174         struct nft_chain *chain = NULL;
2175         struct nft_rule *rule;
2176         int family = nfmsg->nfgen_family, err = 0;
2177         struct nft_ctx ctx;
2178 
2179         afi = nf_tables_afinfo_lookup(net, family, false);
2180         if (IS_ERR(afi))
2181                 return PTR_ERR(afi);
2182 
2183         table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
2184         if (IS_ERR(table))
2185                 return PTR_ERR(table);
2186 
2187         if (nla[NFTA_RULE_CHAIN]) {
2188                 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
2189                 if (IS_ERR(chain))
2190                         return PTR_ERR(chain);
2191         }
2192 
2193         nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2194 
2195         if (chain) {
2196                 if (nla[NFTA_RULE_HANDLE]) {
2197                         rule = nf_tables_rule_lookup(chain,
2198                                                      nla[NFTA_RULE_HANDLE]);
2199                         if (IS_ERR(rule))
2200                                 return PTR_ERR(rule);
2201 
2202                         err = nft_delrule(&ctx, rule);
2203                 } else {
2204                         err = nft_delrule_by_chain(&ctx);
2205                 }
2206         } else {
2207                 list_for_each_entry(chain, &table->chains, list) {
2208                         ctx.chain = chain;
2209                         err = nft_delrule_by_chain(&ctx);
2210                         if (err < 0)
2211                                 break;
2212                 }
2213         }
2214 
2215         return err;
2216 }
2217 
2218 /*
2219  * Sets
2220  */
2221 
2222 static LIST_HEAD(nf_tables_set_ops);
2223 
2224 int nft_register_set(struct nft_set_ops *ops)
2225 {
2226         nfnl_lock(NFNL_SUBSYS_NFTABLES);
2227         list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2228         nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2229         return 0;
2230 }
2231 EXPORT_SYMBOL_GPL(nft_register_set);
2232 
2233 void nft_unregister_set(struct nft_set_ops *ops)
2234 {
2235         nfnl_lock(NFNL_SUBSYS_NFTABLES);
2236         list_del_rcu(&ops->list);
2237         nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2238 }
2239 EXPORT_SYMBOL_GPL(nft_unregister_set);
2240 
2241 /*
2242  * Select a set implementation based on the data characteristics and the
2243  * given policy. The total memory use might not be known if no size is
2244  * given, in that case the amount of memory per element is used.
2245  */
2246 static const struct nft_set_ops *
2247 nft_select_set_ops(const struct nlattr * const nla[],
2248                    const struct nft_set_desc *desc,
2249                    enum nft_set_policies policy)
2250 {
2251         const struct nft_set_ops *ops, *bops;
2252         struct nft_set_estimate est, best;
2253         u32 features;
2254 
2255 #ifdef CONFIG_MODULES
2256         if (list_empty(&nf_tables_set_ops)) {
2257                 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2258                 request_module("nft-set");
2259                 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2260                 if (!list_empty(&nf_tables_set_ops))
2261                         return ERR_PTR(-EAGAIN);
2262         }
2263 #endif
2264         features = 0;
2265         if (nla[NFTA_SET_FLAGS] != NULL) {
2266                 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2267                 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT;
2268         }
2269 
2270         bops       = NULL;
2271         best.size  = ~0;
2272         best.class = ~0;
2273 
2274         list_for_each_entry(ops, &nf_tables_set_ops, list) {
2275                 if ((ops->features & features) != features)
2276                         continue;
2277                 if (!ops->estimate(desc, features, &est))
2278                         continue;
2279 
2280                 switch (policy) {
2281                 case NFT_SET_POL_PERFORMANCE:
2282                         if (est.class < best.class)
2283                                 break;
2284                         if (est.class == best.class && est.size < best.size)
2285                                 break;
2286                         continue;
2287                 case NFT_SET_POL_MEMORY:
2288                         if (est.size < best.size)
2289                                 break;
2290                         if (est.size == best.size && est.class < best.class)
2291                                 break;
2292                         continue;
2293                 default:
2294                         break;
2295                 }
2296 
2297                 if (!try_module_get(ops->owner))
2298                         continue;
2299                 if (bops != NULL)
2300                         module_put(bops->owner);
2301 
2302                 bops = ops;
2303                 best = est;
2304         }
2305 
2306         if (bops != NULL)
2307                 return bops;
2308 
2309         return ERR_PTR(-EOPNOTSUPP);
2310 }
2311 
2312 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2313         [NFTA_SET_TABLE]                = { .type = NLA_STRING },
2314         [NFTA_SET_NAME]                 = { .type = NLA_STRING,
2315                                             .len = IFNAMSIZ - 1 },
2316         [NFTA_SET_FLAGS]                = { .type = NLA_U32 },
2317         [NFTA_SET_KEY_TYPE]             = { .type = NLA_U32 },
2318         [NFTA_SET_KEY_LEN]              = { .type = NLA_U32 },
2319         [NFTA_SET_DATA_TYPE]            = { .type = NLA_U32 },
2320         [NFTA_SET_DATA_LEN]             = { .type = NLA_U32 },
2321         [NFTA_SET_POLICY]               = { .type = NLA_U32 },
2322         [NFTA_SET_DESC]                 = { .type = NLA_NESTED },
2323         [NFTA_SET_ID]                   = { .type = NLA_U32 },
2324         [NFTA_SET_TIMEOUT]              = { .type = NLA_U64 },
2325         [NFTA_SET_GC_INTERVAL]          = { .type = NLA_U32 },
2326         [NFTA_SET_USERDATA]             = { .type = NLA_BINARY,
2327                                             .len  = NFT_USERDATA_MAXLEN },
2328 };
2329 
2330 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2331         [NFTA_SET_DESC_SIZE]            = { .type = NLA_U32 },
2332 };
2333 
2334 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2335                                      const struct sk_buff *skb,
2336                                      const struct nlmsghdr *nlh,
2337                                      const struct nlattr * const nla[])
2338 {
2339         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2340         struct nft_af_info *afi = NULL;
2341         struct nft_table *table = NULL;
2342 
2343         if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2344                 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2345                 if (IS_ERR(afi))
2346                         return PTR_ERR(afi);
2347         }
2348 
2349         if (nla[NFTA_SET_TABLE] != NULL) {
2350                 if (afi == NULL)
2351                         return -EAFNOSUPPORT;
2352 
2353                 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2354                 if (IS_ERR(table))
2355                         return PTR_ERR(table);
2356         }
2357 
2358         nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2359         return 0;
2360 }
2361 
2362 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2363                                      const struct nlattr *nla)
2364 {
2365         struct nft_set *set;
2366 
2367         if (nla == NULL)
2368                 return ERR_PTR(-EINVAL);
2369 
2370         list_for_each_entry(set, &table->sets, list) {
2371                 if (!nla_strcmp(nla, set->name))
2372                         return set;
2373         }
2374         return ERR_PTR(-ENOENT);
2375 }
2376 
2377 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2378                                           const struct nlattr *nla)
2379 {
2380         struct nft_trans *trans;
2381         u32 id = ntohl(nla_get_be32(nla));
2382 
2383         list_for_each_entry(trans, &net->nft.commit_list, list) {
2384                 if (trans->msg_type == NFT_MSG_NEWSET &&
2385                     id == nft_trans_set_id(trans))
2386                         return nft_trans_set(trans);
2387         }
2388         return ERR_PTR(-ENOENT);
2389 }
2390 
2391 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2392                                     const char *name)
2393 {
2394         const struct nft_set *i;
2395         const char *p;
2396         unsigned long *inuse;
2397         unsigned int n = 0, min = 0;
2398 
2399         p = strnchr(name, IFNAMSIZ, '%');
2400         if (p != NULL) {
2401                 if (p[1] != 'd' || strchr(p + 2, '%'))
2402                         return -EINVAL;
2403 
2404                 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2405                 if (inuse == NULL)
2406                         return -ENOMEM;
2407 cont:
2408                 list_for_each_entry(i, &ctx->table->sets, list) {
2409                         int tmp;
2410 
2411                         if (!sscanf(i->name, name, &tmp))
2412                                 continue;
2413                         if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2414                                 continue;
2415 
2416                         set_bit(tmp - min, inuse);
2417                 }
2418 
2419                 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2420                 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2421                         min += BITS_PER_BYTE * PAGE_SIZE;
2422                         memset(inuse, 0, PAGE_SIZE);
2423                         goto cont;
2424                 }
2425                 free_page((unsigned long)inuse);
2426         }
2427 
2428         snprintf(set->name, sizeof(set->name), name, min + n);
2429         list_for_each_entry(i, &ctx->table->sets, list) {
2430                 if (!strcmp(set->name, i->name))
2431                         return -ENFILE;
2432         }
2433         return 0;
2434 }
2435 
2436 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2437                               const struct nft_set *set, u16 event, u16 flags)
2438 {
2439         struct nfgenmsg *nfmsg;
2440         struct nlmsghdr *nlh;
2441         struct nlattr *desc;
2442         u32 portid = ctx->portid;
2443         u32 seq = ctx->seq;
2444 
2445         event |= NFNL_SUBSYS_NFTABLES << 8;
2446         nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2447                         flags);
2448         if (nlh == NULL)
2449                 goto nla_put_failure;
2450 
2451         nfmsg = nlmsg_data(nlh);
2452         nfmsg->nfgen_family     = ctx->afi->family;
2453         nfmsg->version          = NFNETLINK_V0;
2454         nfmsg->res_id           = htons(ctx->net->nft.base_seq & 0xffff);
2455 
2456         if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2457                 goto nla_put_failure;
2458         if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2459                 goto nla_put_failure;
2460         if (set->flags != 0)
2461                 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2462                         goto nla_put_failure;
2463 
2464         if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2465                 goto nla_put_failure;
2466         if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2467                 goto nla_put_failure;
2468         if (set->flags & NFT_SET_MAP) {
2469                 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2470                         goto nla_put_failure;
2471                 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2472                         goto nla_put_failure;
2473         }
2474 
2475         if (set->timeout &&
2476             nla_put_be64(skb, NFTA_SET_TIMEOUT, cpu_to_be64(set->timeout)))
2477                 goto nla_put_failure;
2478         if (set->gc_int &&
2479             nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2480                 goto nla_put_failure;
2481 
2482         if (set->policy != NFT_SET_POL_PERFORMANCE) {
2483                 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2484                         goto nla_put_failure;
2485         }
2486 
2487         if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2488                 goto nla_put_failure;
2489 
2490         desc = nla_nest_start(skb, NFTA_SET_DESC);
2491         if (desc == NULL)
2492                 goto nla_put_failure;
2493         if (set->size &&
2494             nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2495                 goto nla_put_failure;
2496         nla_nest_end(skb, desc);
2497 
2498         nlmsg_end(skb, nlh);
2499         return 0;
2500 
2501 nla_put_failure:
2502         nlmsg_trim(skb, nlh);
2503         return -1;
2504 }
2505 
2506 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2507                                 const struct nft_set *set,
2508                                 int event, gfp_t gfp_flags)
2509 {
2510         struct sk_buff *skb;
2511         u32 portid = ctx->portid;
2512         int err;
2513 
2514         if (!ctx->report &&
2515             !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2516                 return 0;
2517 
2518         err = -ENOBUFS;
2519         skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2520         if (skb == NULL)
2521                 goto err;
2522 
2523         err = nf_tables_fill_set(skb, ctx, set, event, 0);
2524         if (err < 0) {
2525                 kfree_skb(skb);
2526                 goto err;
2527         }
2528 
2529         err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2530                              ctx->report, gfp_flags);
2531 err:
2532         if (err < 0)
2533                 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2534         return err;
2535 }
2536 
2537 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2538 {
2539         const struct nft_set *set;
2540         unsigned int idx, s_idx = cb->args[0];
2541         struct nft_af_info *afi;
2542         struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2543         struct net *net = sock_net(skb->sk);
2544         int cur_family = cb->args[3];
2545         struct nft_ctx *ctx = cb->data, ctx_set;
2546 
2547         if (cb->args[1])
2548                 return skb->len;
2549 
2550         rcu_read_lock();
2551         cb->seq = net->nft.base_seq;
2552 
2553         list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2554                 if (ctx->afi && ctx->afi != afi)
2555                         continue;
2556 
2557                 if (cur_family) {
2558                         if (afi->family != cur_family)
2559                                 continue;
2560 
2561                         cur_family = 0;
2562                 }
2563                 list_for_each_entry_rcu(table, &afi->tables, list) {
2564                         if (ctx->table && ctx->table != table)
2565                                 continue;
2566 
2567                         if (cur_table) {
2568                                 if (cur_table != table)
2569                                         continue;
2570 
2571                                 cur_table = NULL;
2572                         }
2573                         idx = 0;
2574                         list_for_each_entry_rcu(set, &table->sets, list) {
2575                                 if (idx < s_idx)
2576                                         goto cont;
2577 
2578                                 ctx_set = *ctx;
2579                                 ctx_set.table = table;
2580                                 ctx_set.afi = afi;
2581                                 if (nf_tables_fill_set(skb, &ctx_set, set,
2582                                                        NFT_MSG_NEWSET,
2583                                                        NLM_F_MULTI) < 0) {
2584                                         cb->args[0] = idx;
2585                                         cb->args[2] = (unsigned long) table;
2586                                         cb->args[3] = afi->family;
2587                                         goto done;
2588                                 }
2589                                 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2590 cont:
2591                                 idx++;
2592                         }
2593                         if (s_idx)
2594                                 s_idx = 0;
2595                 }
2596         }
2597         cb->args[1] = 1;
2598 done:
2599         rcu_read_unlock();
2600         return skb->len;
2601 }
2602 
2603 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2604 {
2605         kfree(cb->data);
2606         return 0;
2607 }
2608 
2609 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2610                             struct sk_buff *skb, const struct nlmsghdr *nlh,
2611                             const struct nlattr * const nla[])
2612 {
2613         const struct nft_set *set;
2614         struct nft_ctx ctx;
2615         struct sk_buff *skb2;
2616         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2617         int err;
2618 
2619         /* Verify existence before starting dump */
2620         err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
2621         if (err < 0)
2622                 return err;
2623 
2624         if (nlh->nlmsg_flags & NLM_F_DUMP) {
2625                 struct netlink_dump_control c = {
2626                         .dump = nf_tables_dump_sets,
2627                         .done = nf_tables_dump_sets_done,
2628                 };
2629                 struct nft_ctx *ctx_dump;
2630 
2631                 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2632                 if (ctx_dump == NULL)
2633                         return -ENOMEM;
2634 
2635                 *ctx_dump = ctx;
2636                 c.data = ctx_dump;
2637 
2638                 return netlink_dump_start(nlsk, skb, nlh, &c);
2639         }
2640 
2641         /* Only accept unspec with dump */
2642         if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2643                 return -EAFNOSUPPORT;
2644 
2645         set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2646         if (IS_ERR(set))
2647                 return PTR_ERR(set);
2648         if (set->flags & NFT_SET_INACTIVE)
2649                 return -ENOENT;
2650 
2651         skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2652         if (skb2 == NULL)
2653                 return -ENOMEM;
2654 
2655         err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2656         if (err < 0)
2657                 goto err;
2658 
2659         return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2660 
2661 err:
2662         kfree_skb(skb2);
2663         return err;
2664 }
2665 
2666 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2667                                     struct nft_set_desc *desc,
2668                                     const struct nlattr *nla)
2669 {
2670         struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2671         int err;
2672 
2673         err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2674         if (err < 0)
2675                 return err;
2676 
2677         if (da[NFTA_SET_DESC_SIZE] != NULL)
2678                 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2679 
2680         return 0;
2681 }
2682 
2683 static int nf_tables_newset(struct net *net, struct sock *nlsk,
2684                             struct sk_buff *skb, const struct nlmsghdr *nlh,
2685                             const struct nlattr * const nla[])
2686 {
2687         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2688         const struct nft_set_ops *ops;
2689         struct nft_af_info *afi;
2690         struct nft_table *table;
2691         struct nft_set *set;
2692         struct nft_ctx ctx;
2693         char name[IFNAMSIZ];
2694         unsigned int size;
2695         bool create;
2696         u64 timeout;
2697         u32 ktype, dtype, flags, policy, gc_int;
2698         struct nft_set_desc desc;
2699         unsigned char *udata;
2700         u16 udlen;
2701         int err;
2702 
2703         if (nla[NFTA_SET_TABLE] == NULL ||
2704             nla[NFTA_SET_NAME] == NULL ||
2705             nla[NFTA_SET_KEY_LEN] == NULL ||
2706             nla[NFTA_SET_ID] == NULL)
2707                 return -EINVAL;
2708 
2709         memset(&desc, 0, sizeof(desc));
2710 
2711         ktype = NFT_DATA_VALUE;
2712         if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2713                 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2714                 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2715                         return -EINVAL;
2716         }
2717 
2718         desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2719         if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2720                 return -EINVAL;
2721 
2722         flags = 0;
2723         if (nla[NFTA_SET_FLAGS] != NULL) {
2724                 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2725                 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2726                               NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2727                               NFT_SET_MAP | NFT_SET_EVAL))
2728                         return -EINVAL;
2729                 /* Only one of both operations is supported */
2730                 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) ==
2731                              (NFT_SET_MAP | NFT_SET_EVAL))
2732                         return -EOPNOTSUPP;
2733         }
2734 
2735         dtype = 0;
2736         if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2737                 if (!(flags & NFT_SET_MAP))
2738                         return -EINVAL;
2739 
2740                 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2741                 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2742                     dtype != NFT_DATA_VERDICT)
2743                         return -EINVAL;
2744 
2745                 if (dtype != NFT_DATA_VERDICT) {
2746                         if (nla[NFTA_SET_DATA_LEN] == NULL)
2747                                 return -EINVAL;
2748                         desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2749                         if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2750                                 return -EINVAL;
2751                 } else
2752                         desc.dlen = sizeof(struct nft_verdict);
2753         } else if (flags & NFT_SET_MAP)
2754                 return -EINVAL;
2755 
2756         timeout = 0;
2757         if (nla[NFTA_SET_TIMEOUT] != NULL) {
2758                 if (!(flags & NFT_SET_TIMEOUT))
2759                         return -EINVAL;
2760                 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_TIMEOUT]));
2761         }
2762         gc_int = 0;
2763         if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
2764                 if (!(flags & NFT_SET_TIMEOUT))
2765                         return -EINVAL;
2766                 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
2767         }
2768 
2769         policy = NFT_SET_POL_PERFORMANCE;
2770         if (nla[NFTA_SET_POLICY] != NULL)
2771                 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2772 
2773         if (nla[NFTA_SET_DESC] != NULL) {
2774                 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2775                 if (err < 0)
2776                         return err;
2777         }
2778 
2779         create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2780 
2781         afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2782         if (IS_ERR(afi))
2783                 return PTR_ERR(afi);
2784 
2785         table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2786         if (IS_ERR(table))
2787                 return PTR_ERR(table);
2788 
2789         nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
2790 
2791         set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2792         if (IS_ERR(set)) {
2793                 if (PTR_ERR(set) != -ENOENT)
2794                         return PTR_ERR(set);
2795                 set = NULL;
2796         }
2797 
2798         if (set != NULL) {
2799                 if (nlh->nlmsg_flags & NLM_F_EXCL)
2800                         return -EEXIST;
2801                 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2802                         return -EOPNOTSUPP;
2803                 return 0;
2804         }
2805 
2806         if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2807                 return -ENOENT;
2808 
2809         ops = nft_select_set_ops(nla, &desc, policy);
2810         if (IS_ERR(ops))
2811                 return PTR_ERR(ops);
2812 
2813         udlen = 0;
2814         if (nla[NFTA_SET_USERDATA])
2815                 udlen = nla_len(nla[NFTA_SET_USERDATA]);
2816 
2817         size = 0;
2818         if (ops->privsize != NULL)
2819                 size = ops->privsize(nla);
2820 
2821         err = -ENOMEM;
2822         set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
2823         if (set == NULL)
2824                 goto err1;
2825 
2826         nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2827         err = nf_tables_set_alloc_name(&ctx, set, name);
2828         if (err < 0)
2829                 goto err2;
2830 
2831         udata = NULL;
2832         if (udlen) {
2833                 udata = set->data + size;
2834                 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
2835         }
2836 
2837         INIT_LIST_HEAD(&set->bindings);
2838         write_pnet(&set->pnet, net);
2839         set->ops   = ops;
2840         set->ktype = ktype;
2841         set->klen  = desc.klen;
2842         set->dtype = dtype;
2843         set->dlen  = desc.dlen;
2844         set->flags = flags;
2845         set->size  = desc.size;
2846         set->policy = policy;
2847         set->udlen  = udlen;
2848         set->udata  = udata;
2849         set->timeout = timeout;
2850         set->gc_int = gc_int;
2851 
2852         err = ops->init(set, &desc, nla);
2853         if (err < 0)
2854                 goto err2;
2855 
2856         err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2857         if (err < 0)
2858                 goto err2;
2859 
2860         list_add_tail_rcu(&set->list, &table->sets);
2861         table->use++;
2862         return 0;
2863 
2864 err2:
2865         kfree(set);
2866 err1:
2867         module_put(ops->owner);
2868         return err;
2869 }
2870 
2871 static void nft_set_destroy(struct nft_set *set)
2872 {
2873         set->ops->destroy(set);
2874         module_put(set->ops->owner);
2875         kfree(set);
2876 }
2877 
2878 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2879 {
2880         list_del_rcu(&set->list);
2881         nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2882         nft_set_destroy(set);
2883 }
2884 
2885 static int nf_tables_delset(struct net *net, struct sock *nlsk,
2886                             struct sk_buff *skb, const struct nlmsghdr *nlh,
2887                             const struct nlattr * const nla[])
2888 {
2889         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2890         struct nft_set *set;
2891         struct nft_ctx ctx;
2892         int err;
2893 
2894         if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2895                 return -EAFNOSUPPORT;
2896         if (nla[NFTA_SET_TABLE] == NULL)
2897                 return -EINVAL;
2898 
2899         err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
2900         if (err < 0)
2901                 return err;
2902 
2903         set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2904         if (IS_ERR(set))
2905                 return PTR_ERR(set);
2906         if (!list_empty(&set->bindings))
2907                 return -EBUSY;
2908 
2909         return nft_delset(&ctx, set);
2910 }
2911 
2912 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2913                                         const struct nft_set *set,
2914                                         const struct nft_set_iter *iter,
2915                                         const struct nft_set_elem *elem)
2916 {
2917         const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
2918         enum nft_registers dreg;
2919 
2920         dreg = nft_type_to_reg(set->dtype);
2921         return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
2922                                            set->dtype == NFT_DATA_VERDICT ?
2923                                            NFT_DATA_VERDICT : NFT_DATA_VALUE,
2924                                            set->dlen);
2925 }
2926 
2927 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2928                        struct nft_set_binding *binding)
2929 {
2930         struct nft_set_binding *i;
2931         struct nft_set_iter iter;
2932 
2933         if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2934                 return -EBUSY;
2935 
2936         if (binding->flags & NFT_SET_MAP) {
2937                 /* If the set is already bound to the same chain all
2938                  * jumps are already validated for that chain.
2939                  */
2940                 list_for_each_entry(i, &set->bindings, list) {
2941                         if (binding->flags & NFT_SET_MAP &&
2942                             i->chain == binding->chain)
2943                                 goto bind;
2944                 }
2945 
2946                 iter.skip       = 0;
2947                 iter.count      = 0;
2948                 iter.err        = 0;
2949                 iter.fn         = nf_tables_bind_check_setelem;
2950 
2951                 set->ops->walk(ctx, set, &iter);
2952                 if (iter.err < 0) {
2953                         /* Destroy anonymous sets if binding fails */
2954                         if (set->flags & NFT_SET_ANONYMOUS)
2955                                 nf_tables_set_destroy(ctx, set);
2956 
2957                         return iter.err;
2958                 }
2959         }
2960 bind:
2961         binding->chain = ctx->chain;
2962         list_add_tail_rcu(&binding->list, &set->bindings);
2963         return 0;
2964 }
2965 
2966 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2967                           struct nft_set_binding *binding)
2968 {
2969         list_del_rcu(&binding->list);
2970 
2971         if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2972             !(set->flags & NFT_SET_INACTIVE))
2973                 nf_tables_set_destroy(ctx, set);
2974 }
2975 
2976 const struct nft_set_ext_type nft_set_ext_types[] = {
2977         [NFT_SET_EXT_KEY]               = {
2978                 .align  = __alignof__(u32),
2979         },
2980         [NFT_SET_EXT_DATA]              = {
2981                 .align  = __alignof__(u32),
2982         },
2983         [NFT_SET_EXT_EXPR]              = {
2984                 .align  = __alignof__(struct nft_expr),
2985         },
2986         [NFT_SET_EXT_FLAGS]             = {
2987                 .len    = sizeof(u8),
2988                 .align  = __alignof__(u8),
2989         },
2990         [NFT_SET_EXT_TIMEOUT]           = {
2991                 .len    = sizeof(u64),
2992                 .align  = __alignof__(u64),
2993         },
2994         [NFT_SET_EXT_EXPIRATION]        = {
2995                 .len    = sizeof(unsigned long),
2996                 .align  = __alignof__(unsigned long),
2997         },
2998         [NFT_SET_EXT_USERDATA]          = {
2999                 .len    = sizeof(struct nft_userdata),
3000                 .align  = __alignof__(struct nft_userdata),
3001         },
3002 };
3003 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3004 
3005 /*
3006  * Set elements
3007  */
3008 
3009 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3010         [NFTA_SET_ELEM_KEY]             = { .type = NLA_NESTED },
3011         [NFTA_SET_ELEM_DATA]            = { .type = NLA_NESTED },
3012         [NFTA_SET_ELEM_FLAGS]           = { .type = NLA_U32 },
3013         [NFTA_SET_ELEM_TIMEOUT]         = { .type = NLA_U64 },
3014         [NFTA_SET_ELEM_USERDATA]        = { .type = NLA_BINARY,
3015                                             .len = NFT_USERDATA_MAXLEN },
3016 };
3017 
3018 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3019         [NFTA_SET_ELEM_LIST_TABLE]      = { .type = NLA_STRING },
3020         [NFTA_SET_ELEM_LIST_SET]        = { .type = NLA_STRING },
3021         [NFTA_SET_ELEM_LIST_ELEMENTS]   = { .type = NLA_NESTED },
3022         [NFTA_SET_ELEM_LIST_SET_ID]     = { .type = NLA_U32 },
3023 };
3024 
3025 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3026                                       const struct sk_buff *skb,
3027                                       const struct nlmsghdr *nlh,
3028                                       const struct nlattr * const nla[])
3029 {
3030         const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3031         struct nft_af_info *afi;
3032         struct nft_table *table;
3033 
3034         afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3035         if (IS_ERR(afi))
3036                 return PTR_ERR(afi);
3037 
3038         table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
3039         if (IS_ERR(table))
3040                 return PTR_ERR(table);
3041 
3042         nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3043         return 0;
3044 }
3045 
3046 static int nf_tables_fill_setelem(struct sk_buff *skb,
3047                                   const struct nft_set *set,
3048                                   const struct nft_set_elem *elem)
3049 {
3050         const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3051         unsigned char *b = skb_tail_pointer(skb);
3052         struct nlattr *nest;
3053 
3054         nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3055         if (nest == NULL)
3056                 goto nla_put_failure;
3057 
3058         if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3059                           NFT_DATA_VALUE, set->klen) < 0)
3060                 goto nla_put_failure;
3061 
3062         if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3063             nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3064                           set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3065                           set->dlen) < 0)
3066                 goto nla_put_failure;
3067 
3068         if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3069             nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3070                 goto nla_put_failure;
3071 
3072         if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3073             nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3074                          htonl(*nft_set_ext_flags(ext))))
3075                 goto nla_put_failure;
3076 
3077         if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3078             nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3079                          cpu_to_be64(*nft_set_ext_timeout(ext))))
3080                 goto nla_put_failure;
3081 
3082         if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3083                 unsigned long expires, now = jiffies;
3084 
3085                 expires = *nft_set_ext_expiration(ext);
3086                 if (time_before(now, expires))
3087                         expires -= now;
3088                 else
3089                         expires = 0;
3090 
3091                 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3092                                  cpu_to_be64(jiffies_to_msecs(expires))))
3093                         goto nla_put_failure;
3094         }
3095 
3096         if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3097                 struct nft_userdata *udata;
3098 
3099                 udata = nft_set_ext_userdata(ext);
3100                 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3101                             udata->len + 1, udata->data))
3102                         goto nla_put_failure;
3103         }
3104 
3105         nla_nest_end(skb, nest);
3106         return 0;
3107 
3108 nla_put_failure:
3109         nlmsg_trim(skb, b);
3110         return -EMSGSIZE;
3111 }
3112 
3113 struct nft_set_dump_args {
3114         const struct netlink_callback   *cb;
3115         struct nft_set_iter             iter;
3116         struct sk_buff                  *skb;
3117 };
3118 
3119 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3120                                   const struct nft_set *set,
3121                                   const struct nft_set_iter *iter,
3122                                   const struct nft_set_elem *elem)
3123 {
3124         struct nft_set_dump_args *args;
3125 
3126         args = container_of(iter, struct nft_set_dump_args, iter);
3127         return nf_tables_fill_setelem(args->skb, set, elem);
3128 }
3129 
3130 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3131 {
3132         struct net *net = sock_net(skb->sk);
3133         const struct nft_set *set;
3134         struct nft_set_dump_args args;
3135         struct nft_ctx ctx;
3136         struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
3137         struct nfgenmsg *nfmsg;
3138         struct nlmsghdr *nlh;
3139         struct nlattr *nest;
3140         u32 portid, seq;
3141         int event, err;
3142 
3143         err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
3144                           NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
3145         if (err < 0)
3146                 return err;
3147 
3148         err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
3149                                          (void *)nla);
3150         if (err < 0)
3151                 return err;
3152         if (ctx.table->flags & NFT_TABLE_INACTIVE)
3153                 return -ENOENT;
3154 
3155         set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3156         if (IS_ERR(set))
3157                 return PTR_ERR(set);
3158         if (set->flags & NFT_SET_INACTIVE)
3159                 return -ENOENT;
3160 
3161         event  = NFT_MSG_NEWSETELEM;
3162         event |= NFNL_SUBSYS_NFTABLES << 8;
3163         portid = NETLINK_CB(cb->skb).portid;
3164         seq    = cb->nlh->nlmsg_seq;
3165 
3166         nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3167                         NLM_F_MULTI);
3168         if (nlh == NULL)
3169                 goto nla_put_failure;
3170 
3171         nfmsg = nlmsg_data(nlh);
3172         nfmsg->nfgen_family = ctx.afi->family;
3173         nfmsg->version      = NFNETLINK_V0;
3174         nfmsg->res_id       = htons(ctx.net->nft.base_seq & 0xffff);
3175 
3176         if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
3177                 goto nla_put_failure;
3178         if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3179                 goto nla_put_failure;
3180 
3181         nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3182         if (nest == NULL)
3183                 goto nla_put_failure;
3184 
3185         args.cb         = cb;
3186         args.skb        = skb;
3187         args.iter.skip  = cb->args[0];
3188         args.iter.count = 0;
3189         args.iter.err   = 0;
3190         args.iter.fn    = nf_tables_dump_setelem;
3191         set->ops->walk(&ctx, set, &args.iter);
3192 
3193         nla_nest_end(skb, nest);
3194         nlmsg_end(skb, nlh);
3195 
3196         if (args.iter.err && args.iter.err != -EMSGSIZE)
3197                 return args.iter.err;
3198         if (args.iter.count == cb->args[0])
3199                 return 0;
3200 
3201         cb->args[0] = args.iter.count;
3202         return skb->len;
3203 
3204 nla_put_failure:
3205         return -ENOSPC;
3206 }
3207 
3208 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3209                                 struct sk_buff *skb, const struct nlmsghdr *nlh,
3210                                 const struct nlattr * const nla[])
3211 {
3212         const struct nft_set *set;
3213         struct nft_ctx ctx;
3214         int err;
3215 
3216         err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla);
3217         if (err < 0)
3218                 return err;
3219         if (ctx.table->flags & NFT_TABLE_INACTIVE)
3220                 return -ENOENT;
3221 
3222         set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3223         if (IS_ERR(set))
3224                 return PTR_ERR(set);
3225         if (set->flags & NFT_SET_INACTIVE)
3226                 return -ENOENT;
3227 
3228         if (nlh->nlmsg_flags & NLM_F_DUMP) {
3229                 struct netlink_dump_control c = {
3230                         .dump = nf_tables_dump_set,
3231                 };
3232                 return netlink_dump_start(nlsk, skb, nlh, &c);
3233         }
3234         return -EOPNOTSUPP;
3235 }
3236 
3237 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3238                                        const struct nft_ctx *ctx, u32 seq,
3239                                        u32 portid, int event, u16 flags,
3240                                        const struct nft_set *set,
3241                                        const struct nft_set_elem *elem)
3242 {
3243         struct nfgenmsg *nfmsg;
3244         struct nlmsghdr *nlh;
3245         struct nlattr *nest;
3246         int err;
3247 
3248         event |= NFNL_SUBSYS_NFTABLES << 8;
3249         nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3250                         flags);
3251         if (nlh == NULL)
3252                 goto nla_put_failure;
3253 
3254         nfmsg = nlmsg_data(nlh);
3255         nfmsg->nfgen_family     = ctx->afi->family;
3256         nfmsg->version          = NFNETLINK_V0;
3257         nfmsg->res_id           = htons(ctx->net->nft.base_seq & 0xffff);
3258 
3259         if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3260                 goto nla_put_failure;
3261         if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3262                 goto nla_put_failure;
3263 
3264         nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3265         if (nest == NULL)
3266                 goto nla_put_failure;
3267 
3268         err = nf_tables_fill_setelem(skb, set, elem);
3269         if (err < 0)
3270                 goto nla_put_failure;
3271 
3272         nla_nest_end(skb, nest);
3273 
3274         nlmsg_end(skb, nlh);
3275         return 0;
3276 
3277 nla_put_failure:
3278         nlmsg_trim(skb, nlh);
3279         return -1;
3280 }
3281 
3282 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3283                                     const struct nft_set *set,
3284                                     const struct nft_set_elem *elem,
3285                                     int event, u16 flags)
3286 {
3287         struct net *net = ctx->net;
3288         u32 portid = ctx->portid;
3289         struct sk_buff *skb;
3290         int err;
3291 
3292         if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3293                 return 0;
3294 
3295         err = -ENOBUFS;
3296         skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3297         if (skb == NULL)
3298                 goto err;
3299 
3300         err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3301                                           set, elem);
3302         if (err < 0) {
3303                 kfree_skb(skb);
3304                 goto err;
3305         }
3306 
3307         err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3308                              GFP_KERNEL);
3309 err:
3310         if (err < 0)
3311                 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3312         return err;
3313 }
3314 
3315 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3316                                               int msg_type,
3317                                               struct nft_set *set)
3318 {
3319         struct nft_trans *trans;
3320 
3321         trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3322         if (trans == NULL)
3323                 return NULL;
3324 
3325         nft_trans_elem_set(trans) = set;
3326         return trans;
3327 }
3328 
3329 void *nft_set_elem_init(const struct nft_set *set,
3330                         const struct nft_set_ext_tmpl *tmpl,
3331                         const u32 *key, const u32 *data,
3332                         u64 timeout, gfp_t gfp)
3333 {
3334         struct nft_set_ext *ext;
3335         void *elem;
3336 
3337         elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3338         if (elem == NULL)
3339                 return NULL;
3340 
3341         ext = nft_set_elem_ext(set, elem);
3342         nft_set_ext_init(ext, tmpl);
3343 
3344         memcpy(nft_set_ext_key(ext), key, set->klen);
3345         if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3346                 memcpy(nft_set_ext_data(ext), data, set->dlen);
3347         if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3348                 *nft_set_ext_expiration(ext) =
3349                         jiffies + msecs_to_jiffies(timeout);
3350         if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3351                 *nft_set_ext_timeout(ext) = timeout;
3352 
3353         return elem;
3354 }
3355 
3356 void nft_set_elem_destroy(const struct nft_set *set, void *elem)
3357 {
3358         struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3359 
3360         nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
3361         if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3362                 nft_data_uninit(nft_set_ext_data(ext), set->dtype);
3363         if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3364                 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3365 
3366         kfree(elem);
3367 }
3368 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3369 
3370 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3371                             const struct nlattr *attr)
3372 {
3373         struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3374         struct nft_data_desc d1, d2;
3375         struct nft_set_ext_tmpl tmpl;
3376         struct nft_set_ext *ext;
3377         struct nft_set_elem elem;
3378         struct nft_set_binding *binding;
3379         struct nft_userdata *udata;
3380         struct nft_data data;
3381         enum nft_registers dreg;
3382         struct nft_trans *trans;
3383         u64 timeout;
3384         u32 flags;
3385         u8 ulen;
3386         int err;
3387 
3388         err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3389                                nft_set_elem_policy);
3390         if (err < 0)
3391                 return err;
3392 
3393         if (nla[NFTA_SET_ELEM_KEY] == NULL)
3394                 return -EINVAL;
3395 
3396         nft_set_ext_prepare(&tmpl);
3397 
3398         flags = 0;
3399         if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
3400                 flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
3401                 if (flags & ~NFT_SET_ELEM_INTERVAL_END)
3402                         return -EINVAL;
3403                 if (!(set->flags & NFT_SET_INTERVAL) &&
3404                     flags & NFT_SET_ELEM_INTERVAL_END)
3405                         return -EINVAL;
3406                 if (flags != 0)
3407                         nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3408         }
3409 
3410         if (set->flags & NFT_SET_MAP) {
3411                 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3412                     !(flags & NFT_SET_ELEM_INTERVAL_END))
3413                         return -EINVAL;
3414                 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3415                     flags & NFT_SET_ELEM_INTERVAL_END)
3416                         return -EINVAL;
3417         } else {
3418                 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3419                         return -EINVAL;
3420         }
3421 
3422         timeout = 0;
3423         if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3424                 if (!(set->flags & NFT_SET_TIMEOUT))
3425                         return -EINVAL;
3426                 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_ELEM_TIMEOUT]));
3427         } else if (set->flags & NFT_SET_TIMEOUT) {
3428                 timeout = set->timeout;
3429         }
3430 
3431         err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3432                             nla[NFTA_SET_ELEM_KEY]);
3433         if (err < 0)
3434                 goto err1;
3435         err = -EINVAL;
3436         if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3437                 goto err2;
3438 
3439         nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3440         if (timeout > 0) {
3441                 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3442                 if (timeout != set->timeout)
3443                         nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3444         }
3445 
3446         if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3447                 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3448                                     nla[NFTA_SET_ELEM_DATA]);
3449                 if (err < 0)
3450                         goto err2;
3451 
3452                 err = -EINVAL;
3453                 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3454                         goto err3;
3455 
3456                 dreg = nft_type_to_reg(set->dtype);
3457                 list_for_each_entry(binding, &set->bindings, list) {
3458                         struct nft_ctx bind_ctx = {
3459                                 .afi    = ctx->afi,
3460                                 .table  = ctx->table,
3461                                 .chain  = (struct nft_chain *)binding->chain,
3462                         };
3463 
3464                         if (!(binding->flags & NFT_SET_MAP))
3465                                 continue;
3466 
3467                         err = nft_validate_register_store(&bind_ctx, dreg,
3468                                                           &data,
3469                                                           d2.type, d2.len);
3470                         if (err < 0)
3471                                 goto err3;
3472                 }
3473 
3474                 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3475         }
3476 
3477         /* The full maximum length of userdata can exceed the maximum
3478          * offset value (U8_MAX) for following extensions, therefor it
3479          * must be the last extension added.
3480          */
3481         ulen = 0;
3482         if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3483                 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3484                 if (ulen > 0)
3485                         nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3486                                                ulen);
3487         }
3488 
3489         err = -ENOMEM;
3490         elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3491                                       timeout, GFP_KERNEL);
3492         if (elem.priv == NULL)
3493                 goto err3;
3494 
3495         ext = nft_set_elem_ext(set, elem.priv);
3496         if (flags)
3497                 *nft_set_ext_flags(ext) = flags;
3498         if (ulen > 0) {
3499                 udata = nft_set_ext_userdata(ext);
3500                 udata->len = ulen - 1;
3501                 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3502         }
3503 
3504         trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3505         if (trans == NULL)
3506                 goto err4;
3507 
3508         ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3509         err = set->ops->insert(set, &elem);
3510         if (err < 0)
3511                 goto err5;
3512 
3513         nft_trans_elem(trans) = elem;
3514         list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3515         return 0;
3516 
3517 err5:
3518         kfree(trans);
3519 err4:
3520         kfree(elem.priv);
3521 err3:
3522         if (nla[NFTA_SET_ELEM_DATA] != NULL)
3523                 nft_data_uninit(&data, d2.type);
3524 err2:
3525         nft_data_uninit(&elem.key.val, d1.type);
3526 err1:
3527         return err;
3528 }
3529 
3530 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
3531                                 struct sk_buff *skb, const struct nlmsghdr *nlh,
3532                                 const struct nlattr * const nla[])
3533 {
3534         const struct nlattr *attr;
3535         struct nft_set *set;
3536         struct nft_ctx ctx;
3537         int rem, err = 0;
3538 
3539         if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3540                 return -EINVAL;
3541 
3542         err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla);
3543         if (err < 0)
3544                 return err;
3545 
3546         set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3547         if (IS_ERR(set)) {
3548                 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3549                         set = nf_tables_set_lookup_byid(net,
3550                                         nla[NFTA_SET_ELEM_LIST_SET_ID]);
3551                 }
3552                 if (IS_ERR(set))
3553                         return PTR_ERR(set);
3554         }
3555 
3556         if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3557                 return -EBUSY;
3558 
3559         nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3560                 if (set->size &&
3561                     !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact))
3562                         return -ENFILE;
3563 
3564                 err = nft_add_set_elem(&ctx, set, attr);
3565                 if (err < 0) {
3566                         atomic_dec(&set->nelems);
3567                         break;
3568                 }
3569         }
3570         return err;
3571 }
3572 
3573 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3574                            const struct nlattr *attr)
3575 {
3576         struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3577         struct nft_data_desc desc;
3578         struct nft_set_elem elem;
3579         struct nft_trans *trans;
3580         int err;
3581 
3582         err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3583                                nft_set_elem_policy);
3584         if (err < 0)
3585                 goto err1;
3586 
3587         err = -EINVAL;
3588         if (nla[NFTA_SET_ELEM_KEY] == NULL)
3589                 goto err1;
3590 
3591         err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3592                             nla[NFTA_SET_ELEM_KEY]);
3593         if (err < 0)
3594                 goto err1;
3595 
3596         err = -EINVAL;
3597         if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3598                 goto err2;
3599 
3600         trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3601         if (trans == NULL) {
3602                 err = -ENOMEM;
3603                 goto err2;
3604         }
3605 
3606         elem.priv = set->ops->deactivate(set, &elem);
3607         if (elem.priv == NULL) {
3608                 err = -ENOENT;
3609                 goto err3;
3610         }
3611 
3612         nft_trans_elem(trans) = elem;
3613         list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3614         return 0;
3615 
3616 err3:
3617         kfree(trans);
3618 err2:
3619         nft_data_uninit(&elem.key.val, desc.type);
3620 err1:
3621         return err;
3622 }
3623 
3624 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
3625                                 struct sk_buff *skb, const struct nlmsghdr *nlh,
3626                                 const struct nlattr * const nla[])
3627 {
3628         const struct nlattr *attr;
3629         struct nft_set *set;
3630         struct nft_ctx ctx;
3631         int rem, err = 0;
3632 
3633         if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3634                 return -EINVAL;
3635 
3636         err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla);
3637         if (err < 0)
3638                 return err;
3639 
3640         set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3641         if (IS_ERR(set))
3642                 return PTR_ERR(set);
3643         if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3644                 return -EBUSY;
3645 
3646         nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3647                 err = nft_del_setelem(&ctx, set, attr);
3648                 if (err < 0)
3649                         break;
3650 
3651                 set->ndeact++;
3652         }
3653         return err;
3654 }
3655 
3656 void nft_set_gc_batch_release(struct rcu_head *rcu)
3657 {
3658         struct nft_set_gc_batch *gcb;
3659         unsigned int i;
3660 
3661         gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
3662         for (i = 0; i < gcb->head.cnt; i++)
3663                 nft_set_elem_destroy(gcb->head.set, gcb->elems[i]);
3664         kfree(gcb);
3665 }
3666 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
3667 
3668 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
3669                                                 gfp_t gfp)
3670 {
3671         struct nft_set_gc_batch *gcb;
3672 
3673         gcb = kzalloc(sizeof(*gcb), gfp);
3674         if (gcb == NULL)
3675                 return gcb;
3676         gcb->head.set = set;
3677         return gcb;
3678 }
3679 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
3680 
3681 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
3682                                    u32 portid, u32 seq)
3683 {
3684         struct nlmsghdr *nlh;
3685         struct nfgenmsg *nfmsg;
3686         int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
3687 
3688         nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
3689         if (nlh == NULL)
3690                 goto nla_put_failure;
3691 
3692         nfmsg = nlmsg_data(nlh);
3693         nfmsg->nfgen_family     = AF_UNSPEC;
3694         nfmsg->version          = NFNETLINK_V0;
3695         nfmsg->res_id           = htons(net->nft.base_seq & 0xffff);
3696 
3697         if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
3698                 goto nla_put_failure;
3699 
3700         nlmsg_end(skb, nlh);
3701         return 0;
3702 
3703 nla_put_failure:
3704         nlmsg_trim(skb, nlh);
3705         return -EMSGSIZE;
3706 }
3707 
3708 static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
3709 {
3710         struct nlmsghdr *nlh = nlmsg_hdr(skb);
3711         struct sk_buff *skb2;
3712         int err;
3713 
3714         if (nlmsg_report(nlh) &&
3715             !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3716                 return 0;
3717 
3718         err = -ENOBUFS;
3719         skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3720         if (skb2 == NULL)
3721                 goto err;
3722 
3723         err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3724                                       nlh->nlmsg_seq);
3725         if (err < 0) {
3726                 kfree_skb(skb2);
3727                 goto err;
3728         }
3729 
3730         err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
3731                              NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
3732 err:
3733         if (err < 0) {
3734                 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
3735                                   err);
3736         }
3737         return err;
3738 }
3739 
3740 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
3741                             struct sk_buff *skb, const struct nlmsghdr *nlh,
3742                             const struct nlattr * const nla[])
3743 {
3744         struct sk_buff *skb2;
3745         int err;
3746 
3747         skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3748         if (skb2 == NULL)
3749                 return -ENOMEM;
3750 
3751         err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3752                                       nlh->nlmsg_seq);
3753         if (err < 0)
3754                 goto err;
3755 
3756         return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3757 err:
3758         kfree_skb(skb2);
3759         return err;
3760 }
3761 
3762 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3763         [NFT_MSG_NEWTABLE] = {
3764                 .call_batch     = nf_tables_newtable,
3765                 .attr_count     = NFTA_TABLE_MAX,
3766                 .policy         = nft_table_policy,
3767         },
3768         [NFT_MSG_GETTABLE] = {
3769                 .call           = nf_tables_gettable,
3770                 .attr_count     = NFTA_TABLE_MAX,
3771                 .policy         = nft_table_policy,
3772         },
3773         [NFT_MSG_DELTABLE] = {
3774                 .call_batch     = nf_tables_deltable,
3775                 .attr_count     = NFTA_TABLE_MAX,
3776                 .policy         = nft_table_policy,
3777         },
3778         [NFT_MSG_NEWCHAIN] = {
3779                 .call_batch     = nf_tables_newchain,
3780                 .attr_count     = NFTA_CHAIN_MAX,
3781                 .policy         = nft_chain_policy,
3782         },
3783         [NFT_MSG_GETCHAIN] = {
3784                 .call           = nf_tables_getchain,
3785                 .attr_count     = NFTA_CHAIN_MAX,
3786                 .policy         = nft_chain_policy,
3787         },
3788         [NFT_MSG_DELCHAIN] = {
3789                 .call_batch     = nf_tables_delchain,
3790                 .attr_count     = NFTA_CHAIN_MAX,
3791                 .policy         = nft_chain_policy,
3792         },
3793         [NFT_MSG_NEWRULE] = {
3794                 .call_batch     = nf_tables_newrule,
3795                 .attr_count     = NFTA_RULE_MAX,
3796                 .policy         = nft_rule_policy,
3797         },
3798         [NFT_MSG_GETRULE] = {
3799                 .call           = nf_tables_getrule,
3800                 .attr_count     = NFTA_RULE_MAX,
3801                 .policy         = nft_rule_policy,
3802         },
3803         [NFT_MSG_DELRULE] = {
3804                 .call_batch     = nf_tables_delrule,
3805                 .attr_count     = NFTA_RULE_MAX,
3806                 .policy         = nft_rule_policy,
3807         },
3808         [NFT_MSG_NEWSET] = {
3809                 .call_batch     = nf_tables_newset,
3810                 .attr_count     = NFTA_SET_MAX,
3811                 .policy         = nft_set_policy,
3812         },
3813         [NFT_MSG_GETSET] = {
3814                 .call           = nf_tables_getset,
3815                 .attr_count     = NFTA_SET_MAX,
3816                 .policy         = nft_set_policy,
3817         },
3818         [NFT_MSG_DELSET] = {
3819                 .call_batch     = nf_tables_delset,
3820                 .attr_count     = NFTA_SET_MAX,
3821                 .policy         = nft_set_policy,
3822         },
3823         [NFT_MSG_NEWSETELEM] = {
3824                 .call_batch     = nf_tables_newsetelem,
3825                 .attr_count     = NFTA_SET_ELEM_LIST_MAX,
3826                 .policy         = nft_set_elem_list_policy,
3827         },
3828         [NFT_MSG_GETSETELEM] = {
3829                 .call           = nf_tables_getsetelem,
3830                 .attr_count     = NFTA_SET_ELEM_LIST_MAX,
3831                 .policy         = nft_set_elem_list_policy,
3832         },
3833         [NFT_MSG_DELSETELEM] = {
3834                 .call_batch     = nf_tables_delsetelem,
3835                 .attr_count     = NFTA_SET_ELEM_LIST_MAX,
3836                 .policy         = nft_set_elem_list_policy,
3837         },
3838         [NFT_MSG_GETGEN] = {
3839                 .call           = nf_tables_getgen,
3840         },
3841 };
3842 
3843 static void nft_chain_commit_update(struct nft_trans *trans)
3844 {
3845         struct nft_base_chain *basechain;
3846 
3847         if (nft_trans_chain_name(trans)[0])
3848                 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3849 
3850         if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3851                 return;
3852 
3853         basechain = nft_base_chain(trans->ctx.chain);
3854         nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3855 
3856         switch (nft_trans_chain_policy(trans)) {
3857         case NF_DROP:
3858         case NF_ACCEPT:
3859                 basechain->policy = nft_trans_chain_policy(trans);
3860                 break;
3861         }
3862 }
3863 
3864 static void nf_tables_commit_release(struct nft_trans *trans)
3865 {
3866         switch (trans->msg_type) {
3867         case NFT_MSG_DELTABLE:
3868                 nf_tables_table_destroy(&trans->ctx);
3869                 break;
3870         case NFT_MSG_DELCHAIN:
3871                 nf_tables_chain_destroy(trans->ctx.chain);
3872                 break;
3873         case NFT_MSG_DELRULE:
3874                 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3875                 break;
3876         case NFT_MSG_DELSET:
3877                 nft_set_destroy(nft_trans_set(trans));
3878                 break;
3879         case NFT_MSG_DELSETELEM:
3880                 nft_set_elem_destroy(nft_trans_elem_set(trans),
3881                                      nft_trans_elem(trans).priv);
3882                 break;
3883         }
3884         kfree(trans);
3885 }
3886 
3887 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
3888 {
3889         struct nft_trans *trans, *next;
3890         struct nft_trans_elem *te;
3891 
3892         /* Bump generation counter, invalidate any dump in progress */
3893         while (++net->nft.base_seq == 0);
3894 
3895         /* A new generation has just started */
3896         net->nft.gencursor = nft_gencursor_next(net);
3897 
3898         /* Make sure all packets have left the previous generation before
3899          * purging old rules.
3900          */
3901         synchronize_rcu();
3902 
3903         list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3904                 switch (trans->msg_type) {
3905                 case NFT_MSG_NEWTABLE:
3906                         if (nft_trans_table_update(trans)) {
3907                                 if (!nft_trans_table_enable(trans)) {
3908                                         nf_tables_table_disable(trans->ctx.afi,
3909                                                                 trans->ctx.table);
3910                                         trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3911                                 }
3912                         } else {
3913                                 trans->ctx.table->flags &= ~NFT_TABLE_INACTIVE;
3914                         }
3915                         nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
3916                         nft_trans_destroy(trans);
3917                         break;
3918                 case NFT_MSG_DELTABLE:
3919                         nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
3920                         break;
3921                 case NFT_MSG_NEWCHAIN:
3922                         if (nft_trans_chain_update(trans))
3923                                 nft_chain_commit_update(trans);
3924                         else
3925                                 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
3926 
3927                         nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
3928                         nft_trans_destroy(trans);
3929                         break;
3930                 case NFT_MSG_DELCHAIN:
3931                         nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
3932                         nf_tables_unregister_hooks(trans->ctx.table,
3933                                                    trans->ctx.chain,
3934                                                    trans->ctx.afi->nops);
3935                         break;
3936                 case NFT_MSG_NEWRULE:
3937                         nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3938                         nf_tables_rule_notify(&trans->ctx,
3939                                               nft_trans_rule(trans),
3940                                               NFT_MSG_NEWRULE);
3941                         nft_trans_destroy(trans);
3942                         break;
3943                 case NFT_MSG_DELRULE:
3944                         list_del_rcu(&nft_trans_rule(trans)->list);
3945                         nf_tables_rule_notify(&trans->ctx,
3946                                               nft_trans_rule(trans),
3947                                               NFT_MSG_DELRULE);
3948                         break;
3949                 case NFT_MSG_NEWSET:
3950                         nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
3951                         /* This avoids hitting -EBUSY when deleting the table
3952                          * from the transaction.
3953                          */
3954                         if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
3955                             !list_empty(&nft_trans_set(trans)->bindings))
3956                                 trans->ctx.table->use--;
3957 
3958                         nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3959                                              NFT_MSG_NEWSET, GFP_KERNEL);
3960                         nft_trans_destroy(trans);
3961                         break;
3962                 case NFT_MSG_DELSET:
3963                         nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3964                                              NFT_MSG_DELSET, GFP_KERNEL);
3965                         break;
3966                 case NFT_MSG_NEWSETELEM:
3967                         te = (struct nft_trans_elem *)trans->data;
3968 
3969                         te->set->ops->activate(te->set, &te->elem);
3970                         nf_tables_setelem_notify(&trans->ctx, te->set,
3971                                                  &te->elem,
3972                                                  NFT_MSG_NEWSETELEM, 0);
3973                         nft_trans_destroy(trans);
3974                         break;
3975                 case NFT_MSG_DELSETELEM:
3976                         te = (struct nft_trans_elem *)trans->data;
3977 
3978                         nf_tables_setelem_notify(&trans->ctx, te->set,
3979                                                  &te->elem,
3980                                                  NFT_MSG_DELSETELEM, 0);
3981                         te->set->ops->remove(te->set, &te->elem);
3982                         atomic_dec(&te->set->nelems);
3983                         te->set->ndeact--;
3984                         break;
3985                 }
3986         }
3987 
3988         synchronize_rcu();
3989 
3990         list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3991                 list_del(&trans->list);
3992                 nf_tables_commit_release(trans);
3993         }
3994 
3995         nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
3996 
3997         return 0;
3998 }
3999 
4000 static void nf_tables_abort_release(struct nft_trans *trans)
4001 {
4002         switch (trans->msg_type) {
4003         case NFT_MSG_NEWTABLE:
4004                 nf_tables_table_destroy(&trans->ctx);
4005                 break;
4006         case NFT_MSG_NEWCHAIN:
4007                 nf_tables_chain_destroy(trans->ctx.chain);
4008                 break;
4009         case NFT_MSG_NEWRULE:
4010                 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4011                 break;
4012         case NFT_MSG_NEWSET:
4013                 nft_set_destroy(nft_trans_set(trans));
4014                 break;
4015         case NFT_MSG_NEWSETELEM:
4016                 nft_set_elem_destroy(nft_trans_elem_set(trans),
4017                                      nft_trans_elem(trans).priv);
4018                 break;
4019         }
4020         kfree(trans);
4021 }
4022 
4023 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
4024 {
4025         struct nft_trans *trans, *next;
4026         struct nft_trans_elem *te;
4027 
4028         list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
4029                                          list) {
4030                 switch (trans->msg_type) {
4031                 case NFT_MSG_NEWTABLE:
4032                         if (nft_trans_table_update(trans)) {
4033                                 if (nft_trans_table_enable(trans)) {
4034                                         nf_tables_table_disable(trans->ctx.afi,
4035                                                                 trans->ctx.table);
4036                                         trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4037                                 }
4038                                 nft_trans_destroy(trans);
4039                         } else {
4040                                 list_del_rcu(&trans->ctx.table->list);
4041                         }
4042                         break;
4043                 case NFT_MSG_DELTABLE:
4044                         list_add_tail_rcu(&trans->ctx.table->list,
4045                                           &trans->ctx.afi->tables);
4046                         nft_trans_destroy(trans);
4047                         break;
4048                 case NFT_MSG_NEWCHAIN:
4049                         if (nft_trans_chain_update(trans)) {
4050                                 free_percpu(nft_trans_chain_stats(trans));
4051 
4052                                 nft_trans_destroy(trans);
4053                         } else {
4054                                 trans->ctx.table->use--;
4055                                 list_del_rcu(&trans->ctx.chain->list);
4056                                 nf_tables_unregister_hooks(trans->ctx.table,
4057                                                            trans->ctx.chain,
4058                                                            trans->ctx.afi->nops);
4059                         }
4060                         break;
4061                 case NFT_MSG_DELCHAIN:
4062                         trans->ctx.table->use++;
4063                         list_add_tail_rcu(&trans->ctx.chain->list,
4064                                           &trans->ctx.table->chains);
4065                         nft_trans_destroy(trans);
4066                         break;
4067                 case NFT_MSG_NEWRULE:
4068                         trans->ctx.chain->use--;
4069                         list_del_rcu(&nft_trans_rule(trans)->list);
4070                         break;
4071                 case NFT_MSG_DELRULE:
4072                         trans->ctx.chain->use++;
4073                         nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
4074                         nft_trans_destroy(trans);
4075                         break;
4076                 case NFT_MSG_NEWSET:
4077                         trans->ctx.table->use--;
4078                         list_del_rcu(&nft_trans_set(trans)->list);
4079                         break;
4080                 case NFT_MSG_DELSET:
4081                         trans->ctx.table->use++;
4082                         list_add_tail_rcu(&nft_trans_set(trans)->list,
4083                                           &trans->ctx.table->sets);
4084                         nft_trans_destroy(trans);
4085                         break;
4086                 case NFT_MSG_NEWSETELEM:
4087                         te = (struct nft_trans_elem *)trans->data;
4088 
4089                         te->set->ops->remove(te->set, &te->elem);
4090                         atomic_dec(&te->set->nelems);
4091                         break;
4092                 case NFT_MSG_DELSETELEM:
4093                         te = (struct nft_trans_elem *)trans->data;
4094 
4095                         te->set->ops->activate(te->set, &te->elem);
4096                         te->set->ndeact--;
4097 
4098                         nft_trans_destroy(trans);
4099                         break;
4100                 }
4101         }
4102 
4103         synchronize_rcu();
4104 
4105         list_for_each_entry_safe_reverse(trans, next,
4106                                          &net->nft.commit_list, list) {
4107                 list_del(&trans->list);
4108                 nf_tables_abort_release(trans);
4109         }
4110 
4111         return 0;
4112 }
4113 
4114 static const struct nfnetlink_subsystem nf_tables_subsys = {
4115         .name           = "nf_tables",
4116         .subsys_id      = NFNL_SUBSYS_NFTABLES,
4117         .cb_count       = NFT_MSG_MAX,
4118         .cb             = nf_tables_cb,
4119         .commit         = nf_tables_commit,
4120         .abort          = nf_tables_abort,
4121 };
4122 
4123 int nft_chain_validate_dependency(const struct nft_chain *chain,
4124                                   enum nft_chain_type type)
4125 {
4126         const struct nft_base_chain *basechain;
4127 
4128         if (chain->flags & NFT_BASE_CHAIN) {
4129                 basechain = nft_base_chain(chain);
4130                 if (basechain->type->type != type)
4131                         return -EOPNOTSUPP;
4132         }
4133         return 0;
4134 }
4135 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
4136 
4137 int nft_chain_validate_hooks(const struct nft_chain *chain,
4138                              unsigned int hook_flags)
4139 {
4140         struct nft_base_chain *basechain;
4141 
4142         if (chain->flags & NFT_BASE_CHAIN) {
4143                 basechain = nft_base_chain(chain);
4144 
4145                 if ((1 << basechain->ops[0].hooknum) & hook_flags)
4146                         return 0;
4147 
4148                 return -EOPNOTSUPP;
4149         }
4150 
4151         return 0;
4152 }
4153 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
4154 
4155 /*
4156  * Loop detection - walk through the ruleset beginning at the destination chain
4157  * of a new jump until either the source chain is reached (loop) or all
4158  * reachable chains have been traversed.
4159  *
4160  * The loop check is performed whenever a new jump verdict is added to an
4161  * expression or verdict map or a verdict map is bound to a new chain.
4162  */
4163 
4164 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4165                                  const struct nft_chain *chain);
4166 
4167 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
4168                                         const struct nft_set *set,
4169                                         const struct nft_set_iter *iter,
4170                                         const struct nft_set_elem *elem)
4171 {
4172         const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4173         const struct nft_data *data;
4174 
4175         if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4176             *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4177                 return 0;
4178 
4179         data = nft_set_ext_data(ext);
4180         switch (data->verdict.code) {
4181         case NFT_JUMP:
4182         case NFT_GOTO:
4183                 return nf_tables_check_loops(ctx, data->verdict.chain);
4184         default:
4185                 return 0;
4186         }
4187 }
4188 
4189 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4190                                  const struct nft_chain *chain)
4191 {
4192         const struct nft_rule *rule;
4193         const struct nft_expr *expr, *last;
4194         const struct nft_set *set;
4195         struct nft_set_binding *binding;
4196         struct nft_set_iter iter;
4197 
4198         if (ctx->chain == chain)
4199                 return -ELOOP;
4200 
4201         list_for_each_entry(rule, &chain->rules, list) {
4202                 nft_rule_for_each_expr(expr, last, rule) {
4203                         const struct nft_data *data = NULL;
4204                         int err;
4205 
4206                         if (!expr->ops->validate)
4207                                 continue;
4208 
4209                         err = expr->ops->validate(ctx, expr, &data);
4210                         if (err < 0)
4211                                 return err;
4212 
4213                         if (data == NULL)
4214                                 continue;
4215 
4216                         switch (data->verdict.code) {
4217                         case NFT_JUMP:
4218                         case NFT_GOTO:
4219                                 err = nf_tables_check_loops(ctx,
4220                                                         data->verdict.chain);
4221                                 if (err < 0)
4222                                         return err;
4223                         default:
4224                                 break;
4225                         }
4226                 }
4227         }
4228 
4229         list_for_each_entry(set, &ctx->table->sets, list) {
4230                 if (!(set->flags & NFT_SET_MAP) ||
4231                     set->dtype != NFT_DATA_VERDICT)
4232                         continue;
4233 
4234                 list_for_each_entry(binding, &set->bindings, list) {
4235                         if (!(binding->flags & NFT_SET_MAP) ||
4236                             binding->chain != chain)
4237                                 continue;
4238 
4239                         iter.skip       = 0;
4240                         iter.count      = 0;
4241                         iter.err        = 0;
4242                         iter.fn         = nf_tables_loop_check_setelem;
4243 
4244                         set->ops->walk(ctx, set, &iter);
4245                         if (iter.err < 0)
4246                                 return iter.err;
4247                 }
4248         }
4249 
4250         return 0;
4251 }
4252 
4253 /**
4254  *      nft_parse_register - parse a register value from a netlink attribute
4255  *
4256  *      @attr: netlink attribute
4257  *
4258  *      Parse and translate a register value from a netlink attribute.
4259  *      Registers used to be 128 bit wide, these register numbers will be
4260  *      mapped to the corresponding 32 bit register numbers.
4261  */
4262 unsigned int nft_parse_register(const struct nlattr *attr)
4263 {
4264         unsigned int reg;
4265 
4266         reg = ntohl(nla_get_be32(attr));
4267         switch (reg) {
4268         case NFT_REG_VERDICT...NFT_REG_4:
4269                 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
4270         default:
4271                 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
4272         }
4273 }
4274 EXPORT_SYMBOL_GPL(nft_parse_register);
4275 
4276 /**
4277  *      nft_dump_register - dump a register value to a netlink attribute
4278  *
4279  *      @skb: socket buffer
4280  *      @attr: attribute number
4281  *      @reg: register number
4282  *
4283  *      Construct a netlink attribute containing the register number. For
4284  *      compatibility reasons, register numbers being a multiple of 4 are
4285  *      translated to the corresponding 128 bit register numbers.
4286  */
4287 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
4288 {
4289         if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
4290                 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
4291         else
4292                 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
4293 
4294         return nla_put_be32(skb, attr, htonl(reg));
4295 }
4296 EXPORT_SYMBOL_GPL(nft_dump_register);
4297 
4298 /**
4299  *      nft_validate_register_load - validate a load from a register
4300  *
4301  *      @reg: the register number
4302  *      @len: the length of the data
4303  *
4304  *      Validate that the input register is one of the general purpose
4305  *      registers and that the length of the load is within the bounds.
4306  */
4307 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
4308 {
4309         if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4310                 return -EINVAL;
4311         if (len == 0)
4312                 return -EINVAL;
4313         if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
4314                 return -ERANGE;
4315 
4316         return 0;
4317 }
4318 EXPORT_SYMBOL_GPL(nft_validate_register_load);
4319 
4320 /**
4321  *      nft_validate_register_store - validate an expressions' register store
4322  *
4323  *      @ctx: context of the expression performing the load
4324  *      @reg: the destination register number
4325  *      @data: the data to load
4326  *      @type: the data type
4327  *      @len: the length of the data
4328  *
4329  *      Validate that a data load uses the appropriate data type for
4330  *      the destination register and the length is within the bounds.
4331  *      A value of NULL for the data means that its runtime gathered
4332  *      data.
4333  */
4334 int nft_validate_register_store(const struct nft_ctx *ctx,
4335                                 enum nft_registers reg,
4336                                 const struct nft_data *data,
4337                                 enum nft_data_types type, unsigned int len)
4338 {
4339         int err;
4340 
4341         switch (reg) {
4342         case NFT_REG_VERDICT:
4343                 if (type != NFT_DATA_VERDICT)
4344                         return -EINVAL;
4345 
4346                 if (data != NULL &&
4347                     (data->verdict.code == NFT_GOTO ||
4348                      data->verdict.code == NFT_JUMP)) {
4349                         err = nf_tables_check_loops(ctx, data->verdict.chain);
4350                         if (err < 0)
4351                                 return err;
4352 
4353                         if (ctx->chain->level + 1 >
4354                             data->verdict.chain->level) {
4355                                 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
4356                                         return -EMLINK;
4357                                 data->verdict.chain->level = ctx->chain->level + 1;
4358                         }
4359                 }
4360 
4361                 return 0;
4362         default:
4363                 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4364                         return -EINVAL;
4365                 if (len == 0)
4366                         return -EINVAL;
4367                 if (reg * NFT_REG32_SIZE + len >
4368                     FIELD_SIZEOF(struct nft_regs, data))
4369                         return -ERANGE;
4370 
4371                 if (data != NULL && type != NFT_DATA_VALUE)
4372                         return -EINVAL;
4373                 return 0;
4374         }
4375 }
4376 EXPORT_SYMBOL_GPL(nft_validate_register_store);
4377 
4378 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
4379         [NFTA_VERDICT_CODE]     = { .type = NLA_U32 },
4380         [NFTA_VERDICT_CHAIN]    = { .type = NLA_STRING,
4381                                     .len = NFT_CHAIN_MAXNAMELEN - 1 },
4382 };
4383 
4384 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
4385                             struct nft_data_desc *desc, const struct nlattr *nla)
4386 {
4387         struct nlattr *tb[NFTA_VERDICT_MAX + 1];
4388         struct nft_chain *chain;
4389         int err;
4390 
4391         err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
4392         if (err < 0)
4393                 return err;
4394 
4395         if (!tb[NFTA_VERDICT_CODE])
4396                 return -EINVAL;
4397         data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
4398 
4399         switch (data->verdict.code) {
4400         default:
4401                 switch (data->verdict.code & NF_VERDICT_MASK) {
4402                 case NF_ACCEPT:
4403                 case NF_DROP:
4404                 case NF_QUEUE:
4405                         break;
4406                 default:
4407                         return -EINVAL;
4408                 }
4409                 /* fall through */
4410         case NFT_CONTINUE:
4411         case NFT_BREAK:
4412         case NFT_RETURN:
4413                 break;
4414         case NFT_JUMP:
4415         case NFT_GOTO:
4416                 if (!tb[NFTA_VERDICT_CHAIN])
4417                         return -EINVAL;
4418                 chain = nf_tables_chain_lookup(ctx->table,
4419                                                tb[NFTA_VERDICT_CHAIN]);
4420                 if (IS_ERR(chain))
4421                         return PTR_ERR(chain);
4422                 if (chain->flags & NFT_BASE_CHAIN)
4423                         return -EOPNOTSUPP;
4424 
4425                 chain->use++;
4426                 data->verdict.chain = chain;
4427                 break;
4428         }
4429 
4430         desc->len = sizeof(data->verdict);
4431         desc->type = NFT_DATA_VERDICT;
4432         return 0;
4433 }
4434 
4435 static void nft_verdict_uninit(const struct nft_data *data)
4436 {
4437         switch (data->verdict.code) {
4438         case NFT_JUMP:
4439         case NFT_GOTO:
4440                 data->verdict.chain->use--;
4441                 break;
4442         }
4443 }
4444 
4445 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
4446 {
4447         struct nlattr *nest;
4448 
4449         nest = nla_nest_start(skb, type);
4450         if (!nest)
4451                 goto nla_put_failure;
4452 
4453         if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
4454                 goto nla_put_failure;
4455 
4456         switch (v->code) {
4457         case NFT_JUMP:
4458         case NFT_GOTO:
4459                 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
4460                                    v->chain->name))
4461                         goto nla_put_failure;
4462         }
4463         nla_nest_end(skb, nest);
4464         return 0;
4465 
4466 nla_put_failure:
4467         return -1;
4468 }
4469 
4470 static int nft_value_init(const struct nft_ctx *ctx,
4471                           struct nft_data *data, unsigned int size,
4472                           struct nft_data_desc *desc, const struct nlattr *nla)
4473 {
4474         unsigned int len;
4475 
4476         len = nla_len(nla);
4477         if (len == 0)
4478                 return -EINVAL;
4479         if (len > size)
4480                 return -EOVERFLOW;
4481 
4482         nla_memcpy(data->data, nla, len);
4483         desc->type = NFT_DATA_VALUE;
4484         desc->len  = len;
4485         return 0;
4486 }
4487 
4488 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
4489                           unsigned int len)
4490 {
4491         return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
4492 }
4493 
4494 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
4495         [NFTA_DATA_VALUE]       = { .type = NLA_BINARY },
4496         [NFTA_DATA_VERDICT]     = { .type = NLA_NESTED },
4497 };
4498 
4499 /**
4500  *      nft_data_init - parse nf_tables data netlink attributes
4501  *
4502  *      @ctx: context of the expression using the data
4503  *      @data: destination struct nft_data
4504  *      @size: maximum data length
4505  *      @desc: data description
4506  *      @nla: netlink attribute containing data
4507  *
4508  *      Parse the netlink data attributes and initialize a struct nft_data.
4509  *      The type and length of data are returned in the data description.
4510  *
4511  *      The caller can indicate that it only wants to accept data of type
4512  *      NFT_DATA_VALUE by passing NULL for the ctx argument.
4513  */
4514 int nft_data_init(const struct nft_ctx *ctx,
4515                   struct nft_data *data, unsigned int size,
4516                   struct nft_data_desc *desc, const struct nlattr *nla)
4517 {
4518         struct nlattr *tb[NFTA_DATA_MAX + 1];
4519         int err;
4520 
4521         err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
4522         if (err < 0)
4523                 return err;
4524 
4525         if (tb[NFTA_DATA_VALUE])
4526                 return nft_value_init(ctx, data, size, desc,
4527                                       tb[NFTA_DATA_VALUE]);
4528         if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
4529                 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
4530         return -EINVAL;
4531 }
4532 EXPORT_SYMBOL_GPL(nft_data_init);
4533 
4534 /**
4535  *      nft_data_uninit - release a nft_data item
4536  *
4537  *      @data: struct nft_data to release
4538  *      @type: type of data
4539  *
4540  *      Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4541  *      all others need to be released by calling this function.
4542  */
4543 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
4544 {
4545         if (type < NFT_DATA_VERDICT)
4546                 return;
4547         switch (type) {
4548         case NFT_DATA_VERDICT:
4549                 return nft_verdict_uninit(data);
4550         default:
4551                 WARN_ON(1);
4552         }
4553 }
4554 EXPORT_SYMBOL_GPL(nft_data_uninit);
4555 
4556 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
4557                   enum nft_data_types type, unsigned int len)
4558 {
4559         struct nlattr *nest;
4560         int err;
4561 
4562         nest = nla_nest_start(skb, attr);
4563         if (nest == NULL)
4564                 return -1;
4565 
4566         switch (type) {
4567         case NFT_DATA_VALUE:
4568                 err = nft_value_dump(skb, data, len);
4569                 break;
4570         case NFT_DATA_VERDICT:
4571                 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
4572                 break;
4573         default:
4574                 err = -EINVAL;
4575                 WARN_ON(1);
4576         }
4577 
4578         nla_nest_end(skb, nest);
4579         return err;
4580 }
4581 EXPORT_SYMBOL_GPL(nft_data_dump);
4582 
4583 static int __net_init nf_tables_init_net(struct net *net)
4584 {
4585         INIT_LIST_HEAD(&net->nft.af_info);
4586         INIT_LIST_HEAD(&net->nft.commit_list);
4587         net->nft.base_seq = 1;
4588         return 0;
4589 }
4590 
4591 int __nft_release_basechain(struct nft_ctx *ctx)
4592 {
4593         struct nft_rule *rule, *nr;
4594 
4595         BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));
4596 
4597         nf_tables_unregister_hooks(ctx->chain->table, ctx->chain,
4598                                    ctx->afi->nops);
4599         list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
4600                 list_del(&rule->list);
4601                 ctx->chain->use--;
4602                 nf_tables_rule_destroy(ctx, rule);
4603         }
4604         list_del(&ctx->chain->list);
4605         ctx->table->use--;
4606         nf_tables_chain_destroy(ctx->chain);
4607 
4608         return 0;
4609 }
4610 EXPORT_SYMBOL_GPL(__nft_release_basechain);
4611 
4612 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
4613 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
4614 {
4615         struct nft_table *table, *nt;
4616         struct nft_chain *chain, *nc;
4617         struct nft_rule *rule, *nr;
4618         struct nft_set *set, *ns;
4619         struct nft_ctx ctx = {
4620                 .net    = net,
4621                 .afi    = afi,
4622         };
4623 
4624         list_for_each_entry_safe(table, nt, &afi->tables, list) {
4625                 list_for_each_entry(chain, &table->chains, list)
4626                         nf_tables_unregister_hooks(table, chain, afi->nops);
4627                 /* No packets are walking on these chains anymore. */
4628                 ctx.table = table;
4629                 list_for_each_entry(chain, &table->chains, list) {
4630                         ctx.chain = chain;
4631                         list_for_each_entry_safe(rule, nr, &chain->rules, list) {
4632                                 list_del(&rule->list);
4633                                 chain->use--;
4634                                 nf_tables_rule_destroy(&ctx, rule);
4635                         }
4636                 }
4637                 list_for_each_entry_safe(set, ns, &table->sets, list) {
4638                         list_del(&set->list);
4639                         table->use--;
4640                         nft_set_destroy(set);
4641                 }
4642                 list_for_each_entry_safe(chain, nc, &table->chains, list) {
4643                         list_del(&chain->list);
4644                         table->use--;
4645                         nf_tables_chain_destroy(chain);
4646                 }
4647                 list_del(&table->list);
4648                 nf_tables_table_destroy(&ctx);
4649         }
4650 }
4651 
4652 static struct pernet_operations nf_tables_net_ops = {
4653         .init   = nf_tables_init_net,
4654 };
4655 
4656 static int __init nf_tables_module_init(void)
4657 {
4658         int err;
4659 
4660         info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
4661                        GFP_KERNEL);
4662         if (info == NULL) {
4663                 err = -ENOMEM;
4664                 goto err1;
4665         }
4666 
4667         err = nf_tables_core_module_init();
4668         if (err < 0)
4669                 goto err2;
4670 
4671         err = nfnetlink_subsys_register(&nf_tables_subsys);
4672         if (err < 0)
4673                 goto err3;
4674 
4675         pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4676         return register_pernet_subsys(&nf_tables_net_ops);
4677 err3:
4678         nf_tables_core_module_exit();
4679 err2:
4680         kfree(info);
4681 err1:
4682         return err;
4683 }
4684 
4685 static void __exit nf_tables_module_exit(void)
4686 {
4687         unregister_pernet_subsys(&nf_tables_net_ops);
4688         nfnetlink_subsys_unregister(&nf_tables_subsys);
4689         rcu_barrier();
4690         nf_tables_core_module_exit();
4691         kfree(info);
4692 }
4693 
4694 module_init(nf_tables_module_init);
4695 module_exit(nf_tables_module_exit);
4696 
4697 MODULE_LICENSE("GPL");
4698 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4699 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
4700 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp