1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8#include <linux/module.h>
9#include <linux/init.h>
10#include <linux/list.h>
11#include <linux/skbuff.h>
12#include <linux/netlink.h>
13#include <linux/vmalloc.h>
14#include <linux/rhashtable.h>
15#include <linux/audit.h>
16#include <linux/netfilter.h>
17#include <linux/netfilter/nfnetlink.h>
18#include <linux/netfilter/nf_tables.h>
19#include <net/netfilter/nf_flow_table.h>
20#include <net/netfilter/nf_tables_core.h>
21#include <net/netfilter/nf_tables.h>
22#include <net/netfilter/nf_tables_offload.h>
23#include <net/net_namespace.h>
24#include <net/sock.h>
25
26#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27#define NFT_SET_MAX_ANONLEN 16
28
29unsigned int nf_tables_net_id __read_mostly;
30
31static LIST_HEAD(nf_tables_expressions);
32static LIST_HEAD(nf_tables_objects);
33static LIST_HEAD(nf_tables_flowtables);
34static LIST_HEAD(nf_tables_destroy_list);
35static LIST_HEAD(nf_tables_gc_list);
36static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
37static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
38
39enum {
40 NFT_VALIDATE_SKIP = 0,
41 NFT_VALIDATE_NEED,
42 NFT_VALIDATE_DO,
43};
44
45static struct rhltable nft_objname_ht;
46
47static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
48static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
49static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
52static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
53static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
54
55static const struct rhashtable_params nft_chain_ht_params = {
56 .head_offset = offsetof(struct nft_chain, rhlhead),
57 .key_offset = offsetof(struct nft_chain, name),
58 .hashfn = nft_chain_hash,
59 .obj_hashfn = nft_chain_hash_obj,
60 .obj_cmpfn = nft_chain_hash_cmp,
61 .automatic_shrinking = true,
62};
63
64static const struct rhashtable_params nft_objname_ht_params = {
65 .head_offset = offsetof(struct nft_object, rhlhead),
66 .key_offset = offsetof(struct nft_object, key),
67 .hashfn = nft_objname_hash,
68 .obj_hashfn = nft_objname_hash_obj,
69 .obj_cmpfn = nft_objname_hash_cmp,
70 .automatic_shrinking = true,
71};
72
73struct nft_audit_data {
74 struct nft_table *table;
75 int entries;
76 int op;
77 struct list_head list;
78};
79
80static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
81 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
82 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
83 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
84 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
85 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
87 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
88 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
90 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
91 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
93 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
94 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
96 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
97 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
99 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
100 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
102 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
103 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
104 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
105 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
106 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
107};
108
109static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
110{
111 switch (table->validate_state) {
112 case NFT_VALIDATE_SKIP:
113 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
114 break;
115 case NFT_VALIDATE_NEED:
116 break;
117 case NFT_VALIDATE_DO:
118 if (new_validate_state == NFT_VALIDATE_NEED)
119 return;
120 }
121
122 table->validate_state = new_validate_state;
123}
124static void nf_tables_trans_destroy_work(struct work_struct *w);
125static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
126
127static void nft_trans_gc_work(struct work_struct *work);
128static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
129
130static void nft_ctx_init(struct nft_ctx *ctx,
131 struct net *net,
132 const struct sk_buff *skb,
133 const struct nlmsghdr *nlh,
134 u8 family,
135 struct nft_table *table,
136 struct nft_chain *chain,
137 const struct nlattr * const *nla)
138{
139 ctx->net = net;
140 ctx->family = family;
141 ctx->level = 0;
142 ctx->table = table;
143 ctx->chain = chain;
144 ctx->nla = nla;
145 ctx->portid = NETLINK_CB(skb).portid;
146 ctx->report = nlmsg_report(nlh);
147 ctx->flags = nlh->nlmsg_flags;
148 ctx->seq = nlh->nlmsg_seq;
149}
150
151static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
152 int msg_type, u32 size, gfp_t gfp)
153{
154 struct nft_trans *trans;
155
156 trans = kzalloc(size: sizeof(struct nft_trans) + size, flags: gfp);
157 if (trans == NULL)
158 return NULL;
159
160 INIT_LIST_HEAD(list: &trans->list);
161 INIT_LIST_HEAD(list: &trans->binding_list);
162 trans->msg_type = msg_type;
163 trans->ctx = *ctx;
164
165 return trans;
166}
167
168static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
169 int msg_type, u32 size)
170{
171 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
172}
173
174static void nft_trans_list_del(struct nft_trans *trans)
175{
176 list_del(entry: &trans->list);
177 list_del(entry: &trans->binding_list);
178}
179
180static void nft_trans_destroy(struct nft_trans *trans)
181{
182 nft_trans_list_del(trans);
183 kfree(objp: trans);
184}
185
186static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
187 bool bind)
188{
189 struct nftables_pernet *nft_net;
190 struct net *net = ctx->net;
191 struct nft_trans *trans;
192
193 if (!nft_set_is_anonymous(set))
194 return;
195
196 nft_net = nft_pernet(net);
197 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
198 switch (trans->msg_type) {
199 case NFT_MSG_NEWSET:
200 if (nft_trans_set(trans) == set)
201 nft_trans_set_bound(trans) = bind;
202 break;
203 case NFT_MSG_NEWSETELEM:
204 if (nft_trans_elem_set(trans) == set)
205 nft_trans_elem_set_bound(trans) = bind;
206 break;
207 }
208 }
209}
210
211static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
212{
213 return __nft_set_trans_bind(ctx, set, bind: true);
214}
215
216static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
217{
218 return __nft_set_trans_bind(ctx, set, bind: false);
219}
220
221static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
222 struct nft_chain *chain, bool bind)
223{
224 struct nftables_pernet *nft_net;
225 struct net *net = ctx->net;
226 struct nft_trans *trans;
227
228 if (!nft_chain_binding(chain))
229 return;
230
231 nft_net = nft_pernet(net);
232 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
233 switch (trans->msg_type) {
234 case NFT_MSG_NEWCHAIN:
235 if (nft_trans_chain(trans) == chain)
236 nft_trans_chain_bound(trans) = bind;
237 break;
238 case NFT_MSG_NEWRULE:
239 if (trans->ctx.chain == chain)
240 nft_trans_rule_bound(trans) = bind;
241 break;
242 }
243 }
244}
245
246static void nft_chain_trans_bind(const struct nft_ctx *ctx,
247 struct nft_chain *chain)
248{
249 __nft_chain_trans_bind(ctx, chain, bind: true);
250}
251
252int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
253{
254 if (!nft_chain_binding(chain))
255 return 0;
256
257 if (nft_chain_binding(chain: ctx->chain))
258 return -EOPNOTSUPP;
259
260 if (chain->bound)
261 return -EBUSY;
262
263 if (!nft_use_inc(use: &chain->use))
264 return -EMFILE;
265
266 chain->bound = true;
267 nft_chain_trans_bind(ctx, chain);
268
269 return 0;
270}
271
272void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
273{
274 __nft_chain_trans_bind(ctx, chain, bind: false);
275}
276
277static int nft_netdev_register_hooks(struct net *net,
278 struct list_head *hook_list)
279{
280 struct nft_hook *hook;
281 int err, j;
282
283 j = 0;
284 list_for_each_entry(hook, hook_list, list) {
285 err = nf_register_net_hook(net, ops: &hook->ops);
286 if (err < 0)
287 goto err_register;
288
289 j++;
290 }
291 return 0;
292
293err_register:
294 list_for_each_entry(hook, hook_list, list) {
295 if (j-- <= 0)
296 break;
297
298 nf_unregister_net_hook(net, ops: &hook->ops);
299 }
300 return err;
301}
302
303static void nft_netdev_unregister_hooks(struct net *net,
304 struct list_head *hook_list,
305 bool release_netdev)
306{
307 struct nft_hook *hook, *next;
308
309 list_for_each_entry_safe(hook, next, hook_list, list) {
310 nf_unregister_net_hook(net, ops: &hook->ops);
311 if (release_netdev) {
312 list_del(entry: &hook->list);
313 kfree_rcu(hook, rcu);
314 }
315 }
316}
317
318static int nf_tables_register_hook(struct net *net,
319 const struct nft_table *table,
320 struct nft_chain *chain)
321{
322 struct nft_base_chain *basechain;
323 const struct nf_hook_ops *ops;
324
325 if (table->flags & NFT_TABLE_F_DORMANT ||
326 !nft_is_base_chain(chain))
327 return 0;
328
329 basechain = nft_base_chain(chain);
330 ops = &basechain->ops;
331
332 if (basechain->type->ops_register)
333 return basechain->type->ops_register(net, ops);
334
335 if (nft_base_chain_netdev(family: table->family, hooknum: basechain->ops.hooknum))
336 return nft_netdev_register_hooks(net, hook_list: &basechain->hook_list);
337
338 return nf_register_net_hook(net, ops: &basechain->ops);
339}
340
341static void __nf_tables_unregister_hook(struct net *net,
342 const struct nft_table *table,
343 struct nft_chain *chain,
344 bool release_netdev)
345{
346 struct nft_base_chain *basechain;
347 const struct nf_hook_ops *ops;
348
349 if (table->flags & NFT_TABLE_F_DORMANT ||
350 !nft_is_base_chain(chain))
351 return;
352 basechain = nft_base_chain(chain);
353 ops = &basechain->ops;
354
355 if (basechain->type->ops_unregister)
356 return basechain->type->ops_unregister(net, ops);
357
358 if (nft_base_chain_netdev(family: table->family, hooknum: basechain->ops.hooknum))
359 nft_netdev_unregister_hooks(net, hook_list: &basechain->hook_list,
360 release_netdev);
361 else
362 nf_unregister_net_hook(net, ops: &basechain->ops);
363}
364
365static void nf_tables_unregister_hook(struct net *net,
366 const struct nft_table *table,
367 struct nft_chain *chain)
368{
369 return __nf_tables_unregister_hook(net, table, chain, release_netdev: false);
370}
371
372static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
373{
374 struct nftables_pernet *nft_net = nft_pernet(net);
375
376 switch (trans->msg_type) {
377 case NFT_MSG_NEWSET:
378 if (!nft_trans_set_update(trans) &&
379 nft_set_is_anonymous(nft_trans_set(trans)))
380 list_add_tail(new: &trans->binding_list, head: &nft_net->binding_list);
381 break;
382 case NFT_MSG_NEWCHAIN:
383 if (!nft_trans_chain_update(trans) &&
384 nft_chain_binding(nft_trans_chain(trans)))
385 list_add_tail(new: &trans->binding_list, head: &nft_net->binding_list);
386 break;
387 }
388
389 list_add_tail(new: &trans->list, head: &nft_net->commit_list);
390}
391
392static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
393{
394 struct nft_trans *trans;
395
396 trans = nft_trans_alloc(ctx, msg_type, size: sizeof(struct nft_trans_table));
397 if (trans == NULL)
398 return -ENOMEM;
399
400 if (msg_type == NFT_MSG_NEWTABLE)
401 nft_activate_next(ctx->net, ctx->table);
402
403 nft_trans_commit_list_add_tail(net: ctx->net, trans);
404 return 0;
405}
406
407static int nft_deltable(struct nft_ctx *ctx)
408{
409 int err;
410
411 err = nft_trans_table_add(ctx, msg_type: NFT_MSG_DELTABLE);
412 if (err < 0)
413 return err;
414
415 nft_deactivate_next(ctx->net, ctx->table);
416 return err;
417}
418
419static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
420{
421 struct nft_trans *trans;
422
423 trans = nft_trans_alloc(ctx, msg_type, size: sizeof(struct nft_trans_chain));
424 if (trans == NULL)
425 return ERR_PTR(error: -ENOMEM);
426
427 if (msg_type == NFT_MSG_NEWCHAIN) {
428 nft_activate_next(ctx->net, ctx->chain);
429
430 if (ctx->nla[NFTA_CHAIN_ID]) {
431 nft_trans_chain_id(trans) =
432 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
433 }
434 }
435 nft_trans_chain(trans) = ctx->chain;
436 nft_trans_commit_list_add_tail(net: ctx->net, trans);
437
438 return trans;
439}
440
441static int nft_delchain(struct nft_ctx *ctx)
442{
443 struct nft_trans *trans;
444
445 trans = nft_trans_chain_add(ctx, msg_type: NFT_MSG_DELCHAIN);
446 if (IS_ERR(ptr: trans))
447 return PTR_ERR(ptr: trans);
448
449 nft_use_dec(use: &ctx->table->use);
450 nft_deactivate_next(ctx->net, ctx->chain);
451
452 return 0;
453}
454
455void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
456{
457 struct nft_expr *expr;
458
459 expr = nft_expr_first(rule);
460 while (nft_expr_more(rule, expr)) {
461 if (expr->ops->activate)
462 expr->ops->activate(ctx, expr);
463
464 expr = nft_expr_next(expr);
465 }
466}
467
468void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
469 enum nft_trans_phase phase)
470{
471 struct nft_expr *expr;
472
473 expr = nft_expr_first(rule);
474 while (nft_expr_more(rule, expr)) {
475 if (expr->ops->deactivate)
476 expr->ops->deactivate(ctx, expr, phase);
477
478 expr = nft_expr_next(expr);
479 }
480}
481
482static int
483nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
484{
485 /* You cannot delete the same rule twice */
486 if (nft_is_active_next(ctx->net, rule)) {
487 nft_deactivate_next(ctx->net, rule);
488 nft_use_dec(use: &ctx->chain->use);
489 return 0;
490 }
491 return -ENOENT;
492}
493
494static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
495 struct nft_rule *rule)
496{
497 struct nft_trans *trans;
498
499 trans = nft_trans_alloc(ctx, msg_type, size: sizeof(struct nft_trans_rule));
500 if (trans == NULL)
501 return NULL;
502
503 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
504 nft_trans_rule_id(trans) =
505 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
506 }
507 nft_trans_rule(trans) = rule;
508 nft_trans_commit_list_add_tail(net: ctx->net, trans);
509
510 return trans;
511}
512
513static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
514{
515 struct nft_flow_rule *flow;
516 struct nft_trans *trans;
517 int err;
518
519 trans = nft_trans_rule_add(ctx, msg_type: NFT_MSG_DELRULE, rule);
520 if (trans == NULL)
521 return -ENOMEM;
522
523 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
524 flow = nft_flow_rule_create(net: ctx->net, rule);
525 if (IS_ERR(ptr: flow)) {
526 nft_trans_destroy(trans);
527 return PTR_ERR(ptr: flow);
528 }
529
530 nft_trans_flow_rule(trans) = flow;
531 }
532
533 err = nf_tables_delrule_deactivate(ctx, rule);
534 if (err < 0) {
535 nft_trans_destroy(trans);
536 return err;
537 }
538 nft_rule_expr_deactivate(ctx, rule, phase: NFT_TRANS_PREPARE);
539
540 return 0;
541}
542
543static int nft_delrule_by_chain(struct nft_ctx *ctx)
544{
545 struct nft_rule *rule;
546 int err;
547
548 list_for_each_entry(rule, &ctx->chain->rules, list) {
549 if (!nft_is_active_next(ctx->net, rule))
550 continue;
551
552 err = nft_delrule(ctx, rule);
553 if (err < 0)
554 return err;
555 }
556 return 0;
557}
558
559static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
560 struct nft_set *set,
561 const struct nft_set_desc *desc)
562{
563 struct nft_trans *trans;
564
565 trans = nft_trans_alloc(ctx, msg_type, size: sizeof(struct nft_trans_set));
566 if (trans == NULL)
567 return -ENOMEM;
568
569 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
570 nft_trans_set_id(trans) =
571 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
572 nft_activate_next(ctx->net, set);
573 }
574 nft_trans_set(trans) = set;
575 if (desc) {
576 nft_trans_set_update(trans) = true;
577 nft_trans_set_gc_int(trans) = desc->gc_int;
578 nft_trans_set_timeout(trans) = desc->timeout;
579 nft_trans_set_size(trans) = desc->size;
580 }
581 nft_trans_commit_list_add_tail(net: ctx->net, trans);
582
583 return 0;
584}
585
586static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
587 struct nft_set *set)
588{
589 return __nft_trans_set_add(ctx, msg_type, set, NULL);
590}
591
592static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
593 struct nft_set *set,
594 const struct nft_set_iter *iter,
595 struct nft_elem_priv *elem_priv)
596{
597 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
598
599 if (!nft_set_elem_active(ext, genmask: iter->genmask))
600 return 0;
601
602 nft_set_elem_change_active(net: ctx->net, set, ext);
603 nft_setelem_data_deactivate(net: ctx->net, set, elem_priv);
604
605 return 0;
606}
607
608struct nft_set_elem_catchall {
609 struct list_head list;
610 struct rcu_head rcu;
611 struct nft_elem_priv *elem;
612};
613
614static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
615 struct nft_set *set)
616{
617 u8 genmask = nft_genmask_next(net: ctx->net);
618 struct nft_set_elem_catchall *catchall;
619 struct nft_set_ext *ext;
620
621 list_for_each_entry(catchall, &set->catchall_list, list) {
622 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
623 if (!nft_set_elem_active(ext, genmask))
624 continue;
625
626 nft_set_elem_change_active(net: ctx->net, set, ext);
627 nft_setelem_data_deactivate(net: ctx->net, set, elem_priv: catchall->elem);
628 break;
629 }
630}
631
632static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
633{
634 struct nft_set_iter iter = {
635 .genmask = nft_genmask_next(net: ctx->net),
636 .type = NFT_ITER_UPDATE,
637 .fn = nft_mapelem_deactivate,
638 };
639
640 set->ops->walk(ctx, set, &iter);
641 WARN_ON_ONCE(iter.err);
642
643 nft_map_catchall_deactivate(ctx, set);
644}
645
646static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
647{
648 int err;
649
650 err = nft_trans_set_add(ctx, msg_type: NFT_MSG_DELSET, set);
651 if (err < 0)
652 return err;
653
654 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
655 nft_map_deactivate(ctx, set);
656
657 nft_deactivate_next(ctx->net, set);
658 nft_use_dec(use: &ctx->table->use);
659
660 return err;
661}
662
663static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
664 struct nft_object *obj)
665{
666 struct nft_trans *trans;
667
668 trans = nft_trans_alloc(ctx, msg_type, size: sizeof(struct nft_trans_obj));
669 if (trans == NULL)
670 return -ENOMEM;
671
672 if (msg_type == NFT_MSG_NEWOBJ)
673 nft_activate_next(ctx->net, obj);
674
675 nft_trans_obj(trans) = obj;
676 nft_trans_commit_list_add_tail(net: ctx->net, trans);
677
678 return 0;
679}
680
681static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
682{
683 int err;
684
685 err = nft_trans_obj_add(ctx, msg_type: NFT_MSG_DELOBJ, obj);
686 if (err < 0)
687 return err;
688
689 nft_deactivate_next(ctx->net, obj);
690 nft_use_dec(use: &ctx->table->use);
691
692 return err;
693}
694
695static struct nft_trans *
696nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
697 struct nft_flowtable *flowtable)
698{
699 struct nft_trans *trans;
700
701 trans = nft_trans_alloc(ctx, msg_type,
702 size: sizeof(struct nft_trans_flowtable));
703 if (trans == NULL)
704 return ERR_PTR(error: -ENOMEM);
705
706 if (msg_type == NFT_MSG_NEWFLOWTABLE)
707 nft_activate_next(ctx->net, flowtable);
708
709 INIT_LIST_HEAD(list: &nft_trans_flowtable_hooks(trans));
710 nft_trans_flowtable(trans) = flowtable;
711 nft_trans_commit_list_add_tail(net: ctx->net, trans);
712
713 return trans;
714}
715
716static int nft_delflowtable(struct nft_ctx *ctx,
717 struct nft_flowtable *flowtable)
718{
719 struct nft_trans *trans;
720
721 trans = nft_trans_flowtable_add(ctx, msg_type: NFT_MSG_DELFLOWTABLE, flowtable);
722 if (IS_ERR(ptr: trans))
723 return PTR_ERR(ptr: trans);
724
725 nft_deactivate_next(ctx->net, flowtable);
726 nft_use_dec(use: &ctx->table->use);
727
728 return 0;
729}
730
731static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
732{
733 int i;
734
735 for (i = track->regs[dreg].num_reg; i > 0; i--)
736 __nft_reg_track_cancel(track, dreg: dreg - i);
737}
738
739static void __nft_reg_track_update(struct nft_regs_track *track,
740 const struct nft_expr *expr,
741 u8 dreg, u8 num_reg)
742{
743 track->regs[dreg].selector = expr;
744 track->regs[dreg].bitwise = NULL;
745 track->regs[dreg].num_reg = num_reg;
746}
747
748void nft_reg_track_update(struct nft_regs_track *track,
749 const struct nft_expr *expr, u8 dreg, u8 len)
750{
751 unsigned int regcount;
752 int i;
753
754 __nft_reg_track_clobber(track, dreg);
755
756 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
757 for (i = 0; i < regcount; i++, dreg++)
758 __nft_reg_track_update(track, expr, dreg, num_reg: i);
759}
760EXPORT_SYMBOL_GPL(nft_reg_track_update);
761
762void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
763{
764 unsigned int regcount;
765 int i;
766
767 __nft_reg_track_clobber(track, dreg);
768
769 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
770 for (i = 0; i < regcount; i++, dreg++)
771 __nft_reg_track_cancel(track, dreg);
772}
773EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
774
775void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
776{
777 track->regs[dreg].selector = NULL;
778 track->regs[dreg].bitwise = NULL;
779 track->regs[dreg].num_reg = 0;
780}
781EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
782
783/*
784 * Tables
785 */
786
787static struct nft_table *nft_table_lookup(const struct net *net,
788 const struct nlattr *nla,
789 u8 family, u8 genmask, u32 nlpid)
790{
791 struct nftables_pernet *nft_net;
792 struct nft_table *table;
793
794 if (nla == NULL)
795 return ERR_PTR(error: -EINVAL);
796
797 nft_net = nft_pernet(net);
798 list_for_each_entry_rcu(table, &nft_net->tables, list,
799 lockdep_is_held(&nft_net->commit_mutex)) {
800 if (!nla_strcmp(nla, str: table->name) &&
801 table->family == family &&
802 nft_active_genmask(table, genmask)) {
803 if (nft_table_has_owner(table) &&
804 nlpid && table->nlpid != nlpid)
805 return ERR_PTR(error: -EPERM);
806
807 return table;
808 }
809 }
810
811 return ERR_PTR(error: -ENOENT);
812}
813
814static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
815 const struct nlattr *nla,
816 int family, u8 genmask, u32 nlpid)
817{
818 struct nftables_pernet *nft_net;
819 struct nft_table *table;
820
821 nft_net = nft_pernet(net);
822 list_for_each_entry(table, &nft_net->tables, list) {
823 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
824 table->family == family &&
825 nft_active_genmask(table, genmask)) {
826 if (nft_table_has_owner(table) &&
827 nlpid && table->nlpid != nlpid)
828 return ERR_PTR(error: -EPERM);
829
830 return table;
831 }
832 }
833
834 return ERR_PTR(error: -ENOENT);
835}
836
837static inline u64 nf_tables_alloc_handle(struct nft_table *table)
838{
839 return ++table->hgenerator;
840}
841
842static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
843
844static const struct nft_chain_type *
845__nft_chain_type_get(u8 family, enum nft_chain_types type)
846{
847 if (family >= NFPROTO_NUMPROTO ||
848 type >= NFT_CHAIN_T_MAX)
849 return NULL;
850
851 return chain_type[family][type];
852}
853
854static const struct nft_chain_type *
855__nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
856{
857 const struct nft_chain_type *type;
858 int i;
859
860 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
861 type = __nft_chain_type_get(family, type: i);
862 if (!type)
863 continue;
864 if (!nla_strcmp(nla, str: type->name))
865 return type;
866 }
867 return NULL;
868}
869
870struct nft_module_request {
871 struct list_head list;
872 char module[MODULE_NAME_LEN];
873 bool done;
874};
875
876#ifdef CONFIG_MODULES
877__printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
878 ...)
879{
880 char module_name[MODULE_NAME_LEN];
881 struct nftables_pernet *nft_net;
882 struct nft_module_request *req;
883 va_list args;
884 int ret;
885
886 va_start(args, fmt);
887 ret = vsnprintf(buf: module_name, MODULE_NAME_LEN, fmt, args);
888 va_end(args);
889 if (ret >= MODULE_NAME_LEN)
890 return 0;
891
892 nft_net = nft_pernet(net);
893 list_for_each_entry(req, &nft_net->module_list, list) {
894 if (!strcmp(req->module, module_name)) {
895 if (req->done)
896 return 0;
897
898 /* A request to load this module already exists. */
899 return -EAGAIN;
900 }
901 }
902
903 req = kmalloc(size: sizeof(*req), GFP_KERNEL);
904 if (!req)
905 return -ENOMEM;
906
907 req->done = false;
908 strscpy(req->module, module_name, MODULE_NAME_LEN);
909 list_add_tail(new: &req->list, head: &nft_net->module_list);
910
911 return -EAGAIN;
912}
913EXPORT_SYMBOL_GPL(nft_request_module);
914#endif
915
916static void lockdep_nfnl_nft_mutex_not_held(void)
917{
918#ifdef CONFIG_PROVE_LOCKING
919 if (debug_locks)
920 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
921#endif
922}
923
924static const struct nft_chain_type *
925nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
926 u8 family, bool autoload)
927{
928 const struct nft_chain_type *type;
929
930 type = __nf_tables_chain_type_lookup(nla, family);
931 if (type != NULL)
932 return type;
933
934 lockdep_nfnl_nft_mutex_not_held();
935#ifdef CONFIG_MODULES
936 if (autoload) {
937 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
938 nla_len(nla),
939 (const char *)nla_data(nla)) == -EAGAIN)
940 return ERR_PTR(error: -EAGAIN);
941 }
942#endif
943 return ERR_PTR(error: -ENOENT);
944}
945
946static __be16 nft_base_seq(const struct net *net)
947{
948 struct nftables_pernet *nft_net = nft_pernet(net);
949
950 return htons(nft_net->base_seq & 0xffff);
951}
952
953static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
954 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
955 .len = NFT_TABLE_MAXNAMELEN - 1 },
956 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
957 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
958 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
959 .len = NFT_USERDATA_MAXLEN }
960};
961
962static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
963 u32 portid, u32 seq, int event, u32 flags,
964 int family, const struct nft_table *table)
965{
966 struct nlmsghdr *nlh;
967
968 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, msg_type: event);
969 nlh = nfnl_msg_put(skb, portid, seq, type: event, flags, family,
970 NFNETLINK_V0, res_id: nft_base_seq(net));
971 if (!nlh)
972 goto nla_put_failure;
973
974 if (nla_put_string(skb, attrtype: NFTA_TABLE_NAME, str: table->name) ||
975 nla_put_be32(skb, attrtype: NFTA_TABLE_USE, htonl(table->use)) ||
976 nla_put_be64(skb, attrtype: NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
977 padattr: NFTA_TABLE_PAD))
978 goto nla_put_failure;
979
980 if (event == NFT_MSG_DELTABLE) {
981 nlmsg_end(skb, nlh);
982 return 0;
983 }
984
985 if (nla_put_be32(skb, attrtype: NFTA_TABLE_FLAGS,
986 htonl(table->flags & NFT_TABLE_F_MASK)))
987 goto nla_put_failure;
988
989 if (nft_table_has_owner(table) &&
990 nla_put_be32(skb, attrtype: NFTA_TABLE_OWNER, htonl(table->nlpid)))
991 goto nla_put_failure;
992
993 if (table->udata) {
994 if (nla_put(skb, attrtype: NFTA_TABLE_USERDATA, attrlen: table->udlen, data: table->udata))
995 goto nla_put_failure;
996 }
997
998 nlmsg_end(skb, nlh);
999 return 0;
1000
1001nla_put_failure:
1002 nlmsg_trim(skb, mark: nlh);
1003 return -1;
1004}
1005
1006struct nftnl_skb_parms {
1007 bool report;
1008};
1009#define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1010
1011static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1012 struct list_head *notify_list)
1013{
1014 NFT_CB(skb).report = report;
1015 list_add_tail(new: &skb->list, head: notify_list);
1016}
1017
1018static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1019{
1020 struct nftables_pernet *nft_net;
1021 struct sk_buff *skb;
1022 u16 flags = 0;
1023 int err;
1024
1025 if (!ctx->report &&
1026 !nfnetlink_has_listeners(net: ctx->net, NFNLGRP_NFTABLES))
1027 return;
1028
1029 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1030 if (skb == NULL)
1031 goto err;
1032
1033 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1034 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1035
1036 err = nf_tables_fill_table_info(skb, net: ctx->net, portid: ctx->portid, seq: ctx->seq,
1037 event, flags, family: ctx->family, table: ctx->table);
1038 if (err < 0) {
1039 kfree_skb(skb);
1040 goto err;
1041 }
1042
1043 nft_net = nft_pernet(net: ctx->net);
1044 nft_notify_enqueue(skb, report: ctx->report, notify_list: &nft_net->notify_list);
1045 return;
1046err:
1047 nfnetlink_set_err(net: ctx->net, portid: ctx->portid, NFNLGRP_NFTABLES, error: -ENOBUFS);
1048}
1049
1050static int nf_tables_dump_tables(struct sk_buff *skb,
1051 struct netlink_callback *cb)
1052{
1053 const struct nfgenmsg *nfmsg = nlmsg_data(nlh: cb->nlh);
1054 struct nftables_pernet *nft_net;
1055 const struct nft_table *table;
1056 unsigned int idx = 0, s_idx = cb->args[0];
1057 struct net *net = sock_net(sk: skb->sk);
1058 int family = nfmsg->nfgen_family;
1059
1060 rcu_read_lock();
1061 nft_net = nft_pernet(net);
1062 cb->seq = READ_ONCE(nft_net->base_seq);
1063
1064 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1065 if (family != NFPROTO_UNSPEC && family != table->family)
1066 continue;
1067
1068 if (idx < s_idx)
1069 goto cont;
1070 if (idx > s_idx)
1071 memset(&cb->args[1], 0,
1072 sizeof(cb->args) - sizeof(cb->args[0]));
1073 if (!nft_is_active(net, table))
1074 continue;
1075 if (nf_tables_fill_table_info(skb, net,
1076 NETLINK_CB(cb->skb).portid,
1077 seq: cb->nlh->nlmsg_seq,
1078 event: NFT_MSG_NEWTABLE, NLM_F_MULTI,
1079 family: table->family, table) < 0)
1080 goto done;
1081
1082 nl_dump_check_consistent(cb, nlh: nlmsg_hdr(skb));
1083cont:
1084 idx++;
1085 }
1086done:
1087 rcu_read_unlock();
1088 cb->args[0] = idx;
1089 return skb->len;
1090}
1091
1092static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1093 const struct nlmsghdr *nlh,
1094 struct netlink_dump_control *c)
1095{
1096 int err;
1097
1098 if (!try_module_get(THIS_MODULE))
1099 return -EINVAL;
1100
1101 rcu_read_unlock();
1102 err = netlink_dump_start(ssk: nlsk, skb, nlh, control: c);
1103 rcu_read_lock();
1104 module_put(THIS_MODULE);
1105
1106 return err;
1107}
1108
1109/* called with rcu_read_lock held */
1110static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1111 const struct nlattr * const nla[])
1112{
1113 struct netlink_ext_ack *extack = info->extack;
1114 u8 genmask = nft_genmask_cur(net: info->net);
1115 u8 family = info->nfmsg->nfgen_family;
1116 const struct nft_table *table;
1117 struct net *net = info->net;
1118 struct sk_buff *skb2;
1119 int err;
1120
1121 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1122 struct netlink_dump_control c = {
1123 .dump = nf_tables_dump_tables,
1124 .module = THIS_MODULE,
1125 };
1126
1127 return nft_netlink_dump_start_rcu(nlsk: info->sk, skb, nlh: info->nlh, c: &c);
1128 }
1129
1130 table = nft_table_lookup(net, nla: nla[NFTA_TABLE_NAME], family, genmask, nlpid: 0);
1131 if (IS_ERR(ptr: table)) {
1132 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1133 return PTR_ERR(ptr: table);
1134 }
1135
1136 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1137 if (!skb2)
1138 return -ENOMEM;
1139
1140 err = nf_tables_fill_table_info(skb: skb2, net, NETLINK_CB(skb).portid,
1141 seq: info->nlh->nlmsg_seq, event: NFT_MSG_NEWTABLE,
1142 flags: 0, family, table);
1143 if (err < 0)
1144 goto err_fill_table_info;
1145
1146 return nfnetlink_unicast(skb: skb2, net, NETLINK_CB(skb).portid);
1147
1148err_fill_table_info:
1149 kfree_skb(skb: skb2);
1150 return err;
1151}
1152
1153static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1154{
1155 struct nft_chain *chain;
1156 u32 i = 0;
1157
1158 list_for_each_entry(chain, &table->chains, list) {
1159 if (!nft_is_active_next(net, chain))
1160 continue;
1161 if (!nft_is_base_chain(chain))
1162 continue;
1163
1164 if (cnt && i++ == cnt)
1165 break;
1166
1167 nf_tables_unregister_hook(net, table, chain);
1168 }
1169}
1170
1171static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1172{
1173 struct nft_chain *chain;
1174 int err, i = 0;
1175
1176 list_for_each_entry(chain, &table->chains, list) {
1177 if (!nft_is_active_next(net, chain))
1178 continue;
1179 if (!nft_is_base_chain(chain))
1180 continue;
1181
1182 err = nf_tables_register_hook(net, table, chain);
1183 if (err < 0)
1184 goto err_register_hooks;
1185
1186 i++;
1187 }
1188 return 0;
1189
1190err_register_hooks:
1191 if (i)
1192 nft_table_disable(net, table, cnt: i);
1193 return err;
1194}
1195
1196static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1197{
1198 table->flags &= ~NFT_TABLE_F_DORMANT;
1199 nft_table_disable(net, table, cnt: 0);
1200 table->flags |= NFT_TABLE_F_DORMANT;
1201}
1202
1203#define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1204#define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1205#define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1206#define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2)
1207#define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1208 __NFT_TABLE_F_WAS_AWAKEN | \
1209 __NFT_TABLE_F_WAS_ORPHAN)
1210
1211static bool nft_table_pending_update(const struct nft_ctx *ctx)
1212{
1213 struct nftables_pernet *nft_net = nft_pernet(net: ctx->net);
1214 struct nft_trans *trans;
1215
1216 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1217 return true;
1218
1219 list_for_each_entry(trans, &nft_net->commit_list, list) {
1220 if (trans->ctx.table == ctx->table &&
1221 ((trans->msg_type == NFT_MSG_NEWCHAIN &&
1222 nft_trans_chain_update(trans)) ||
1223 (trans->msg_type == NFT_MSG_DELCHAIN &&
1224 nft_is_base_chain(chain: trans->ctx.chain))))
1225 return true;
1226 }
1227
1228 return false;
1229}
1230
1231static int nf_tables_updtable(struct nft_ctx *ctx)
1232{
1233 struct nft_trans *trans;
1234 u32 flags;
1235 int ret;
1236
1237 if (!ctx->nla[NFTA_TABLE_FLAGS])
1238 return 0;
1239
1240 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1241 if (flags & ~NFT_TABLE_F_MASK)
1242 return -EOPNOTSUPP;
1243
1244 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK))
1245 return 0;
1246
1247 if ((nft_table_has_owner(table: ctx->table) &&
1248 !(flags & NFT_TABLE_F_OWNER)) ||
1249 (flags & NFT_TABLE_F_OWNER &&
1250 !nft_table_is_orphan(table: ctx->table)))
1251 return -EOPNOTSUPP;
1252
1253 if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
1254 return -EOPNOTSUPP;
1255
1256 /* No dormant off/on/off/on games in single transaction */
1257 if (nft_table_pending_update(ctx))
1258 return -EINVAL;
1259
1260 trans = nft_trans_alloc(ctx, msg_type: NFT_MSG_NEWTABLE,
1261 size: sizeof(struct nft_trans_table));
1262 if (trans == NULL)
1263 return -ENOMEM;
1264
1265 if ((flags & NFT_TABLE_F_DORMANT) &&
1266 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1267 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1268 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1269 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1270 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1271 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1272 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1273 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1274 ret = nf_tables_table_enable(net: ctx->net, table: ctx->table);
1275 if (ret < 0)
1276 goto err_register_hooks;
1277
1278 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1279 }
1280 }
1281
1282 if ((flags & NFT_TABLE_F_OWNER) &&
1283 !nft_table_has_owner(table: ctx->table)) {
1284 ctx->table->nlpid = ctx->portid;
1285 ctx->table->flags |= NFT_TABLE_F_OWNER |
1286 __NFT_TABLE_F_WAS_ORPHAN;
1287 }
1288
1289 nft_trans_table_update(trans) = true;
1290 nft_trans_commit_list_add_tail(net: ctx->net, trans);
1291
1292 return 0;
1293
1294err_register_hooks:
1295 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1296 nft_trans_destroy(trans);
1297 return ret;
1298}
1299
1300static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1301{
1302 const char *name = data;
1303
1304 return jhash(key: name, strlen(name), initval: seed);
1305}
1306
1307static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1308{
1309 const struct nft_chain *chain = data;
1310
1311 return nft_chain_hash(data: chain->name, len: 0, seed);
1312}
1313
1314static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1315 const void *ptr)
1316{
1317 const struct nft_chain *chain = ptr;
1318 const char *name = arg->key;
1319
1320 return strcmp(chain->name, name);
1321}
1322
1323static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1324{
1325 const struct nft_object_hash_key *k = data;
1326
1327 seed ^= hash_ptr(ptr: k->table, bits: 32);
1328
1329 return jhash(key: k->name, strlen(k->name), initval: seed);
1330}
1331
1332static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1333{
1334 const struct nft_object *obj = data;
1335
1336 return nft_objname_hash(data: &obj->key, len: 0, seed);
1337}
1338
1339static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1340 const void *ptr)
1341{
1342 const struct nft_object_hash_key *k = arg->key;
1343 const struct nft_object *obj = ptr;
1344
1345 if (obj->key.table != k->table)
1346 return -1;
1347
1348 return strcmp(obj->key.name, k->name);
1349}
1350
1351static bool nft_supported_family(u8 family)
1352{
1353 return false
1354#ifdef CONFIG_NF_TABLES_INET
1355 || family == NFPROTO_INET
1356#endif
1357#ifdef CONFIG_NF_TABLES_IPV4
1358 || family == NFPROTO_IPV4
1359#endif
1360#ifdef CONFIG_NF_TABLES_ARP
1361 || family == NFPROTO_ARP
1362#endif
1363#ifdef CONFIG_NF_TABLES_NETDEV
1364 || family == NFPROTO_NETDEV
1365#endif
1366#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1367 || family == NFPROTO_BRIDGE
1368#endif
1369#ifdef CONFIG_NF_TABLES_IPV6
1370 || family == NFPROTO_IPV6
1371#endif
1372 ;
1373}
1374
1375static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1376 const struct nlattr * const nla[])
1377{
1378 struct nftables_pernet *nft_net = nft_pernet(net: info->net);
1379 struct netlink_ext_ack *extack = info->extack;
1380 u8 genmask = nft_genmask_next(net: info->net);
1381 u8 family = info->nfmsg->nfgen_family;
1382 struct net *net = info->net;
1383 const struct nlattr *attr;
1384 struct nft_table *table;
1385 struct nft_ctx ctx;
1386 u32 flags = 0;
1387 int err;
1388
1389 if (!nft_supported_family(family))
1390 return -EOPNOTSUPP;
1391
1392 lockdep_assert_held(&nft_net->commit_mutex);
1393 attr = nla[NFTA_TABLE_NAME];
1394 table = nft_table_lookup(net, nla: attr, family, genmask,
1395 NETLINK_CB(skb).portid);
1396 if (IS_ERR(ptr: table)) {
1397 if (PTR_ERR(ptr: table) != -ENOENT)
1398 return PTR_ERR(ptr: table);
1399 } else {
1400 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1401 NL_SET_BAD_ATTR(extack, attr);
1402 return -EEXIST;
1403 }
1404 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1405 return -EOPNOTSUPP;
1406
1407 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
1408
1409 return nf_tables_updtable(ctx: &ctx);
1410 }
1411
1412 if (nla[NFTA_TABLE_FLAGS]) {
1413 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1414 if (flags & ~NFT_TABLE_F_MASK)
1415 return -EOPNOTSUPP;
1416 }
1417
1418 err = -ENOMEM;
1419 table = kzalloc(size: sizeof(*table), GFP_KERNEL_ACCOUNT);
1420 if (table == NULL)
1421 goto err_kzalloc;
1422
1423 table->validate_state = nft_net->validate_state;
1424 table->name = nla_strdup(nla: attr, GFP_KERNEL_ACCOUNT);
1425 if (table->name == NULL)
1426 goto err_strdup;
1427
1428 if (nla[NFTA_TABLE_USERDATA]) {
1429 table->udata = nla_memdup(src: nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1430 if (table->udata == NULL)
1431 goto err_table_udata;
1432
1433 table->udlen = nla_len(nla: nla[NFTA_TABLE_USERDATA]);
1434 }
1435
1436 err = rhltable_init(hlt: &table->chains_ht, params: &nft_chain_ht_params);
1437 if (err)
1438 goto err_chain_ht;
1439
1440 INIT_LIST_HEAD(list: &table->chains);
1441 INIT_LIST_HEAD(list: &table->sets);
1442 INIT_LIST_HEAD(list: &table->objects);
1443 INIT_LIST_HEAD(list: &table->flowtables);
1444 table->family = family;
1445 table->flags = flags;
1446 table->handle = ++nft_net->table_handle;
1447 if (table->flags & NFT_TABLE_F_OWNER)
1448 table->nlpid = NETLINK_CB(skb).portid;
1449
1450 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
1451 err = nft_trans_table_add(ctx: &ctx, msg_type: NFT_MSG_NEWTABLE);
1452 if (err < 0)
1453 goto err_trans;
1454
1455 list_add_tail_rcu(new: &table->list, head: &nft_net->tables);
1456 return 0;
1457err_trans:
1458 rhltable_destroy(hlt: &table->chains_ht);
1459err_chain_ht:
1460 kfree(objp: table->udata);
1461err_table_udata:
1462 kfree(objp: table->name);
1463err_strdup:
1464 kfree(objp: table);
1465err_kzalloc:
1466 return err;
1467}
1468
1469static int nft_flush_table(struct nft_ctx *ctx)
1470{
1471 struct nft_flowtable *flowtable, *nft;
1472 struct nft_chain *chain, *nc;
1473 struct nft_object *obj, *ne;
1474 struct nft_set *set, *ns;
1475 int err;
1476
1477 list_for_each_entry(chain, &ctx->table->chains, list) {
1478 if (!nft_is_active_next(ctx->net, chain))
1479 continue;
1480
1481 if (nft_chain_binding(chain))
1482 continue;
1483
1484 ctx->chain = chain;
1485
1486 err = nft_delrule_by_chain(ctx);
1487 if (err < 0)
1488 goto out;
1489 }
1490
1491 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1492 if (!nft_is_active_next(ctx->net, set))
1493 continue;
1494
1495 if (nft_set_is_anonymous(set))
1496 continue;
1497
1498 err = nft_delset(ctx, set);
1499 if (err < 0)
1500 goto out;
1501 }
1502
1503 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1504 if (!nft_is_active_next(ctx->net, flowtable))
1505 continue;
1506
1507 err = nft_delflowtable(ctx, flowtable);
1508 if (err < 0)
1509 goto out;
1510 }
1511
1512 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1513 if (!nft_is_active_next(ctx->net, obj))
1514 continue;
1515
1516 err = nft_delobj(ctx, obj);
1517 if (err < 0)
1518 goto out;
1519 }
1520
1521 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1522 if (!nft_is_active_next(ctx->net, chain))
1523 continue;
1524
1525 if (nft_chain_binding(chain))
1526 continue;
1527
1528 ctx->chain = chain;
1529
1530 err = nft_delchain(ctx);
1531 if (err < 0)
1532 goto out;
1533 }
1534
1535 err = nft_deltable(ctx);
1536out:
1537 return err;
1538}
1539
1540static int nft_flush(struct nft_ctx *ctx, int family)
1541{
1542 struct nftables_pernet *nft_net = nft_pernet(net: ctx->net);
1543 const struct nlattr * const *nla = ctx->nla;
1544 struct nft_table *table, *nt;
1545 int err = 0;
1546
1547 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1548 if (family != AF_UNSPEC && table->family != family)
1549 continue;
1550
1551 ctx->family = table->family;
1552
1553 if (!nft_is_active_next(ctx->net, table))
1554 continue;
1555
1556 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1557 continue;
1558
1559 if (nla[NFTA_TABLE_NAME] &&
1560 nla_strcmp(nla: nla[NFTA_TABLE_NAME], str: table->name) != 0)
1561 continue;
1562
1563 ctx->table = table;
1564
1565 err = nft_flush_table(ctx);
1566 if (err < 0)
1567 goto out;
1568 }
1569out:
1570 return err;
1571}
1572
1573static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1574 const struct nlattr * const nla[])
1575{
1576 struct netlink_ext_ack *extack = info->extack;
1577 u8 genmask = nft_genmask_next(net: info->net);
1578 u8 family = info->nfmsg->nfgen_family;
1579 struct net *net = info->net;
1580 const struct nlattr *attr;
1581 struct nft_table *table;
1582 struct nft_ctx ctx;
1583
1584 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family: 0, NULL, NULL, nla);
1585 if (family == AF_UNSPEC ||
1586 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1587 return nft_flush(ctx: &ctx, family);
1588
1589 if (nla[NFTA_TABLE_HANDLE]) {
1590 attr = nla[NFTA_TABLE_HANDLE];
1591 table = nft_table_lookup_byhandle(net, nla: attr, family, genmask,
1592 NETLINK_CB(skb).portid);
1593 } else {
1594 attr = nla[NFTA_TABLE_NAME];
1595 table = nft_table_lookup(net, nla: attr, family, genmask,
1596 NETLINK_CB(skb).portid);
1597 }
1598
1599 if (IS_ERR(ptr: table)) {
1600 if (PTR_ERR(ptr: table) == -ENOENT &&
1601 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1602 return 0;
1603
1604 NL_SET_BAD_ATTR(extack, attr);
1605 return PTR_ERR(ptr: table);
1606 }
1607
1608 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1609 table->use > 0)
1610 return -EBUSY;
1611
1612 ctx.family = family;
1613 ctx.table = table;
1614
1615 return nft_flush_table(ctx: &ctx);
1616}
1617
1618static void nf_tables_table_destroy(struct nft_ctx *ctx)
1619{
1620 if (WARN_ON(ctx->table->use > 0))
1621 return;
1622
1623 rhltable_destroy(hlt: &ctx->table->chains_ht);
1624 kfree(objp: ctx->table->name);
1625 kfree(objp: ctx->table->udata);
1626 kfree(objp: ctx->table);
1627}
1628
1629void nft_register_chain_type(const struct nft_chain_type *ctype)
1630{
1631 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1632 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1633 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1634 return;
1635 }
1636 chain_type[ctype->family][ctype->type] = ctype;
1637 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1638}
1639EXPORT_SYMBOL_GPL(nft_register_chain_type);
1640
1641void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1642{
1643 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1644 chain_type[ctype->family][ctype->type] = NULL;
1645 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1646}
1647EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1648
1649/*
1650 * Chains
1651 */
1652
1653static struct nft_chain *
1654nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1655{
1656 struct nft_chain *chain;
1657
1658 list_for_each_entry(chain, &table->chains, list) {
1659 if (chain->handle == handle &&
1660 nft_active_genmask(chain, genmask))
1661 return chain;
1662 }
1663
1664 return ERR_PTR(error: -ENOENT);
1665}
1666
1667static bool lockdep_commit_lock_is_held(const struct net *net)
1668{
1669#ifdef CONFIG_PROVE_LOCKING
1670 struct nftables_pernet *nft_net = nft_pernet(net);
1671
1672 return lockdep_is_held(&nft_net->commit_mutex);
1673#else
1674 return true;
1675#endif
1676}
1677
1678static struct nft_chain *nft_chain_lookup(struct net *net,
1679 struct nft_table *table,
1680 const struct nlattr *nla, u8 genmask)
1681{
1682 char search[NFT_CHAIN_MAXNAMELEN + 1];
1683 struct rhlist_head *tmp, *list;
1684 struct nft_chain *chain;
1685
1686 if (nla == NULL)
1687 return ERR_PTR(error: -EINVAL);
1688
1689 nla_strscpy(dst: search, nla, dstsize: sizeof(search));
1690
1691 WARN_ON(!rcu_read_lock_held() &&
1692 !lockdep_commit_lock_is_held(net));
1693
1694 chain = ERR_PTR(error: -ENOENT);
1695 rcu_read_lock();
1696 list = rhltable_lookup(hlt: &table->chains_ht, key: search, params: nft_chain_ht_params);
1697 if (!list)
1698 goto out_unlock;
1699
1700 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1701 if (nft_active_genmask(chain, genmask))
1702 goto out_unlock;
1703 }
1704 chain = ERR_PTR(error: -ENOENT);
1705out_unlock:
1706 rcu_read_unlock();
1707 return chain;
1708}
1709
1710static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1711 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1712 .len = NFT_TABLE_MAXNAMELEN - 1 },
1713 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1714 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1715 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1716 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1717 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1718 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1719 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1720 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1721 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1722 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1723 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1724 .len = NFT_USERDATA_MAXLEN },
1725};
1726
1727static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1728 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1729 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1730 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1731 .len = IFNAMSIZ - 1 },
1732};
1733
1734static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1735{
1736 struct nft_stats *cpu_stats, total;
1737 struct nlattr *nest;
1738 unsigned int seq;
1739 u64 pkts, bytes;
1740 int cpu;
1741
1742 if (!stats)
1743 return 0;
1744
1745 memset(&total, 0, sizeof(total));
1746 for_each_possible_cpu(cpu) {
1747 cpu_stats = per_cpu_ptr(stats, cpu);
1748 do {
1749 seq = u64_stats_fetch_begin(syncp: &cpu_stats->syncp);
1750 pkts = cpu_stats->pkts;
1751 bytes = cpu_stats->bytes;
1752 } while (u64_stats_fetch_retry(syncp: &cpu_stats->syncp, start: seq));
1753 total.pkts += pkts;
1754 total.bytes += bytes;
1755 }
1756 nest = nla_nest_start_noflag(skb, attrtype: NFTA_CHAIN_COUNTERS);
1757 if (nest == NULL)
1758 goto nla_put_failure;
1759
1760 if (nla_put_be64(skb, attrtype: NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1761 padattr: NFTA_COUNTER_PAD) ||
1762 nla_put_be64(skb, attrtype: NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1763 padattr: NFTA_COUNTER_PAD))
1764 goto nla_put_failure;
1765
1766 nla_nest_end(skb, start: nest);
1767 return 0;
1768
1769nla_put_failure:
1770 return -ENOSPC;
1771}
1772
1773static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1774 const struct nft_base_chain *basechain,
1775 const struct list_head *hook_list)
1776{
1777 const struct nf_hook_ops *ops = &basechain->ops;
1778 struct nft_hook *hook, *first = NULL;
1779 struct nlattr *nest, *nest_devs;
1780 int n = 0;
1781
1782 nest = nla_nest_start_noflag(skb, attrtype: NFTA_CHAIN_HOOK);
1783 if (nest == NULL)
1784 goto nla_put_failure;
1785 if (nla_put_be32(skb, attrtype: NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1786 goto nla_put_failure;
1787 if (nla_put_be32(skb, attrtype: NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1788 goto nla_put_failure;
1789
1790 if (nft_base_chain_netdev(family, hooknum: ops->hooknum)) {
1791 nest_devs = nla_nest_start_noflag(skb, attrtype: NFTA_HOOK_DEVS);
1792 if (!nest_devs)
1793 goto nla_put_failure;
1794
1795 if (!hook_list)
1796 hook_list = &basechain->hook_list;
1797
1798 list_for_each_entry(hook, hook_list, list) {
1799 if (!first)
1800 first = hook;
1801
1802 if (nla_put_string(skb, attrtype: NFTA_DEVICE_NAME,
1803 str: hook->ops.dev->name))
1804 goto nla_put_failure;
1805 n++;
1806 }
1807 nla_nest_end(skb, start: nest_devs);
1808
1809 if (n == 1 &&
1810 nla_put_string(skb, attrtype: NFTA_HOOK_DEV, str: first->ops.dev->name))
1811 goto nla_put_failure;
1812 }
1813 nla_nest_end(skb, start: nest);
1814
1815 return 0;
1816nla_put_failure:
1817 return -1;
1818}
1819
1820static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1821 u32 portid, u32 seq, int event, u32 flags,
1822 int family, const struct nft_table *table,
1823 const struct nft_chain *chain,
1824 const struct list_head *hook_list)
1825{
1826 struct nlmsghdr *nlh;
1827
1828 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, msg_type: event);
1829 nlh = nfnl_msg_put(skb, portid, seq, type: event, flags, family,
1830 NFNETLINK_V0, res_id: nft_base_seq(net));
1831 if (!nlh)
1832 goto nla_put_failure;
1833
1834 if (nla_put_string(skb, attrtype: NFTA_CHAIN_TABLE, str: table->name) ||
1835 nla_put_string(skb, attrtype: NFTA_CHAIN_NAME, str: chain->name) ||
1836 nla_put_be64(skb, attrtype: NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1837 padattr: NFTA_CHAIN_PAD))
1838 goto nla_put_failure;
1839
1840 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1841 nlmsg_end(skb, nlh);
1842 return 0;
1843 }
1844
1845 if (nft_is_base_chain(chain)) {
1846 const struct nft_base_chain *basechain = nft_base_chain(chain);
1847 struct nft_stats __percpu *stats;
1848
1849 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1850 goto nla_put_failure;
1851
1852 if (nla_put_be32(skb, attrtype: NFTA_CHAIN_POLICY,
1853 htonl(basechain->policy)))
1854 goto nla_put_failure;
1855
1856 if (nla_put_string(skb, attrtype: NFTA_CHAIN_TYPE, str: basechain->type->name))
1857 goto nla_put_failure;
1858
1859 stats = rcu_dereference_check(basechain->stats,
1860 lockdep_commit_lock_is_held(net));
1861 if (nft_dump_stats(skb, stats))
1862 goto nla_put_failure;
1863 }
1864
1865 if (chain->flags &&
1866 nla_put_be32(skb, attrtype: NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1867 goto nla_put_failure;
1868
1869 if (nla_put_be32(skb, attrtype: NFTA_CHAIN_USE, htonl(chain->use)))
1870 goto nla_put_failure;
1871
1872 if (chain->udata &&
1873 nla_put(skb, attrtype: NFTA_CHAIN_USERDATA, attrlen: chain->udlen, data: chain->udata))
1874 goto nla_put_failure;
1875
1876 nlmsg_end(skb, nlh);
1877 return 0;
1878
1879nla_put_failure:
1880 nlmsg_trim(skb, mark: nlh);
1881 return -1;
1882}
1883
1884static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1885 const struct list_head *hook_list)
1886{
1887 struct nftables_pernet *nft_net;
1888 struct sk_buff *skb;
1889 u16 flags = 0;
1890 int err;
1891
1892 if (!ctx->report &&
1893 !nfnetlink_has_listeners(net: ctx->net, NFNLGRP_NFTABLES))
1894 return;
1895
1896 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1897 if (skb == NULL)
1898 goto err;
1899
1900 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1901 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1902
1903 err = nf_tables_fill_chain_info(skb, net: ctx->net, portid: ctx->portid, seq: ctx->seq,
1904 event, flags, family: ctx->family, table: ctx->table,
1905 chain: ctx->chain, hook_list);
1906 if (err < 0) {
1907 kfree_skb(skb);
1908 goto err;
1909 }
1910
1911 nft_net = nft_pernet(net: ctx->net);
1912 nft_notify_enqueue(skb, report: ctx->report, notify_list: &nft_net->notify_list);
1913 return;
1914err:
1915 nfnetlink_set_err(net: ctx->net, portid: ctx->portid, NFNLGRP_NFTABLES, error: -ENOBUFS);
1916}
1917
1918static int nf_tables_dump_chains(struct sk_buff *skb,
1919 struct netlink_callback *cb)
1920{
1921 const struct nfgenmsg *nfmsg = nlmsg_data(nlh: cb->nlh);
1922 unsigned int idx = 0, s_idx = cb->args[0];
1923 struct net *net = sock_net(sk: skb->sk);
1924 int family = nfmsg->nfgen_family;
1925 struct nftables_pernet *nft_net;
1926 const struct nft_table *table;
1927 const struct nft_chain *chain;
1928
1929 rcu_read_lock();
1930 nft_net = nft_pernet(net);
1931 cb->seq = READ_ONCE(nft_net->base_seq);
1932
1933 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1934 if (family != NFPROTO_UNSPEC && family != table->family)
1935 continue;
1936
1937 list_for_each_entry_rcu(chain, &table->chains, list) {
1938 if (idx < s_idx)
1939 goto cont;
1940 if (idx > s_idx)
1941 memset(&cb->args[1], 0,
1942 sizeof(cb->args) - sizeof(cb->args[0]));
1943 if (!nft_is_active(net, chain))
1944 continue;
1945 if (nf_tables_fill_chain_info(skb, net,
1946 NETLINK_CB(cb->skb).portid,
1947 seq: cb->nlh->nlmsg_seq,
1948 event: NFT_MSG_NEWCHAIN,
1949 NLM_F_MULTI,
1950 family: table->family, table,
1951 chain, NULL) < 0)
1952 goto done;
1953
1954 nl_dump_check_consistent(cb, nlh: nlmsg_hdr(skb));
1955cont:
1956 idx++;
1957 }
1958 }
1959done:
1960 rcu_read_unlock();
1961 cb->args[0] = idx;
1962 return skb->len;
1963}
1964
1965/* called with rcu_read_lock held */
1966static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1967 const struct nlattr * const nla[])
1968{
1969 struct netlink_ext_ack *extack = info->extack;
1970 u8 genmask = nft_genmask_cur(net: info->net);
1971 u8 family = info->nfmsg->nfgen_family;
1972 const struct nft_chain *chain;
1973 struct net *net = info->net;
1974 struct nft_table *table;
1975 struct sk_buff *skb2;
1976 int err;
1977
1978 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1979 struct netlink_dump_control c = {
1980 .dump = nf_tables_dump_chains,
1981 .module = THIS_MODULE,
1982 };
1983
1984 return nft_netlink_dump_start_rcu(nlsk: info->sk, skb, nlh: info->nlh, c: &c);
1985 }
1986
1987 table = nft_table_lookup(net, nla: nla[NFTA_CHAIN_TABLE], family, genmask, nlpid: 0);
1988 if (IS_ERR(ptr: table)) {
1989 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1990 return PTR_ERR(ptr: table);
1991 }
1992
1993 chain = nft_chain_lookup(net, table, nla: nla[NFTA_CHAIN_NAME], genmask);
1994 if (IS_ERR(ptr: chain)) {
1995 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1996 return PTR_ERR(ptr: chain);
1997 }
1998
1999 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2000 if (!skb2)
2001 return -ENOMEM;
2002
2003 err = nf_tables_fill_chain_info(skb: skb2, net, NETLINK_CB(skb).portid,
2004 seq: info->nlh->nlmsg_seq, event: NFT_MSG_NEWCHAIN,
2005 flags: 0, family, table, chain, NULL);
2006 if (err < 0)
2007 goto err_fill_chain_info;
2008
2009 return nfnetlink_unicast(skb: skb2, net, NETLINK_CB(skb).portid);
2010
2011err_fill_chain_info:
2012 kfree_skb(skb: skb2);
2013 return err;
2014}
2015
2016static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
2017 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
2018 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
2019};
2020
2021static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
2022{
2023 struct nlattr *tb[NFTA_COUNTER_MAX+1];
2024 struct nft_stats __percpu *newstats;
2025 struct nft_stats *stats;
2026 int err;
2027
2028 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, nla: attr,
2029 policy: nft_counter_policy, NULL);
2030 if (err < 0)
2031 return ERR_PTR(error: err);
2032
2033 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
2034 return ERR_PTR(error: -EINVAL);
2035
2036 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
2037 if (newstats == NULL)
2038 return ERR_PTR(error: -ENOMEM);
2039
2040 /* Restore old counters on this cpu, no problem. Per-cpu statistics
2041 * are not exposed to userspace.
2042 */
2043 preempt_disable();
2044 stats = this_cpu_ptr(newstats);
2045 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2046 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2047 preempt_enable();
2048
2049 return newstats;
2050}
2051
2052static void nft_chain_stats_replace(struct nft_trans *trans)
2053{
2054 struct nft_base_chain *chain = nft_base_chain(chain: trans->ctx.chain);
2055
2056 if (!nft_trans_chain_stats(trans))
2057 return;
2058
2059 nft_trans_chain_stats(trans) =
2060 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
2061 lockdep_commit_lock_is_held(trans->ctx.net));
2062
2063 if (!nft_trans_chain_stats(trans))
2064 static_branch_inc(&nft_counters_enabled);
2065}
2066
2067static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2068{
2069 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2070 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2071
2072 if (g0 != g1)
2073 kvfree(addr: g1);
2074 kvfree(addr: g0);
2075
2076 /* should be NULL either via abort or via successful commit */
2077 WARN_ON_ONCE(chain->blob_next);
2078 kvfree(addr: chain->blob_next);
2079}
2080
2081void nf_tables_chain_destroy(struct nft_ctx *ctx)
2082{
2083 struct nft_chain *chain = ctx->chain;
2084 struct nft_hook *hook, *next;
2085
2086 if (WARN_ON(chain->use > 0))
2087 return;
2088
2089 /* no concurrent access possible anymore */
2090 nf_tables_chain_free_chain_rules(chain);
2091
2092 if (nft_is_base_chain(chain)) {
2093 struct nft_base_chain *basechain = nft_base_chain(chain);
2094
2095 if (nft_base_chain_netdev(family: ctx->family, hooknum: basechain->ops.hooknum)) {
2096 list_for_each_entry_safe(hook, next,
2097 &basechain->hook_list, list) {
2098 list_del_rcu(entry: &hook->list);
2099 kfree_rcu(hook, rcu);
2100 }
2101 }
2102 module_put(module: basechain->type->owner);
2103 if (rcu_access_pointer(basechain->stats)) {
2104 static_branch_dec(&nft_counters_enabled);
2105 free_percpu(rcu_dereference_raw(basechain->stats));
2106 }
2107 kfree(objp: chain->name);
2108 kfree(objp: chain->udata);
2109 kfree(objp: basechain);
2110 } else {
2111 kfree(objp: chain->name);
2112 kfree(objp: chain->udata);
2113 kfree(objp: chain);
2114 }
2115}
2116
2117static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2118 const struct nlattr *attr)
2119{
2120 struct net_device *dev;
2121 char ifname[IFNAMSIZ];
2122 struct nft_hook *hook;
2123 int err;
2124
2125 hook = kzalloc(size: sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2126 if (!hook) {
2127 err = -ENOMEM;
2128 goto err_hook_alloc;
2129 }
2130
2131 nla_strscpy(dst: ifname, nla: attr, IFNAMSIZ);
2132 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2133 * indirectly serializing all the other holders of the commit_mutex with
2134 * the rtnl_mutex.
2135 */
2136 dev = __dev_get_by_name(net, name: ifname);
2137 if (!dev) {
2138 err = -ENOENT;
2139 goto err_hook_dev;
2140 }
2141 hook->ops.dev = dev;
2142
2143 return hook;
2144
2145err_hook_dev:
2146 kfree(objp: hook);
2147err_hook_alloc:
2148 return ERR_PTR(error: err);
2149}
2150
2151static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2152 const struct nft_hook *this)
2153{
2154 struct nft_hook *hook;
2155
2156 list_for_each_entry(hook, hook_list, list) {
2157 if (this->ops.dev == hook->ops.dev)
2158 return hook;
2159 }
2160
2161 return NULL;
2162}
2163
2164static int nf_tables_parse_netdev_hooks(struct net *net,
2165 const struct nlattr *attr,
2166 struct list_head *hook_list,
2167 struct netlink_ext_ack *extack)
2168{
2169 struct nft_hook *hook, *next;
2170 const struct nlattr *tmp;
2171 int rem, n = 0, err;
2172
2173 nla_for_each_nested(tmp, attr, rem) {
2174 if (nla_type(nla: tmp) != NFTA_DEVICE_NAME) {
2175 err = -EINVAL;
2176 goto err_hook;
2177 }
2178
2179 hook = nft_netdev_hook_alloc(net, attr: tmp);
2180 if (IS_ERR(ptr: hook)) {
2181 NL_SET_BAD_ATTR(extack, tmp);
2182 err = PTR_ERR(ptr: hook);
2183 goto err_hook;
2184 }
2185 if (nft_hook_list_find(hook_list, this: hook)) {
2186 NL_SET_BAD_ATTR(extack, tmp);
2187 kfree(objp: hook);
2188 err = -EEXIST;
2189 goto err_hook;
2190 }
2191 list_add_tail(new: &hook->list, head: hook_list);
2192 n++;
2193
2194 if (n == NFT_NETDEVICE_MAX) {
2195 err = -EFBIG;
2196 goto err_hook;
2197 }
2198 }
2199
2200 return 0;
2201
2202err_hook:
2203 list_for_each_entry_safe(hook, next, hook_list, list) {
2204 list_del(entry: &hook->list);
2205 kfree(objp: hook);
2206 }
2207 return err;
2208}
2209
2210struct nft_chain_hook {
2211 u32 num;
2212 s32 priority;
2213 const struct nft_chain_type *type;
2214 struct list_head list;
2215};
2216
2217static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2218 struct list_head *hook_list,
2219 struct netlink_ext_ack *extack, u32 flags)
2220{
2221 struct nft_hook *hook;
2222 int err;
2223
2224 if (tb[NFTA_HOOK_DEV]) {
2225 hook = nft_netdev_hook_alloc(net, attr: tb[NFTA_HOOK_DEV]);
2226 if (IS_ERR(ptr: hook)) {
2227 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2228 return PTR_ERR(ptr: hook);
2229 }
2230
2231 list_add_tail(new: &hook->list, head: hook_list);
2232 } else if (tb[NFTA_HOOK_DEVS]) {
2233 err = nf_tables_parse_netdev_hooks(net, attr: tb[NFTA_HOOK_DEVS],
2234 hook_list, extack);
2235 if (err < 0)
2236 return err;
2237
2238 }
2239
2240 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2241 list_empty(head: hook_list))
2242 return -EINVAL;
2243
2244 return 0;
2245}
2246
2247static int nft_chain_parse_hook(struct net *net,
2248 struct nft_base_chain *basechain,
2249 const struct nlattr * const nla[],
2250 struct nft_chain_hook *hook, u8 family,
2251 u32 flags, struct netlink_ext_ack *extack)
2252{
2253 struct nftables_pernet *nft_net = nft_pernet(net);
2254 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2255 const struct nft_chain_type *type;
2256 int err;
2257
2258 lockdep_assert_held(&nft_net->commit_mutex);
2259 lockdep_nfnl_nft_mutex_not_held();
2260
2261 err = nla_parse_nested_deprecated(tb: ha, NFTA_HOOK_MAX,
2262 nla: nla[NFTA_CHAIN_HOOK],
2263 policy: nft_hook_policy, NULL);
2264 if (err < 0)
2265 return err;
2266
2267 if (!basechain) {
2268 if (!ha[NFTA_HOOK_HOOKNUM] ||
2269 !ha[NFTA_HOOK_PRIORITY]) {
2270 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2271 return -ENOENT;
2272 }
2273
2274 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2275 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2276
2277 type = __nft_chain_type_get(family, type: NFT_CHAIN_T_DEFAULT);
2278 if (!type)
2279 return -EOPNOTSUPP;
2280
2281 if (nla[NFTA_CHAIN_TYPE]) {
2282 type = nf_tables_chain_type_lookup(net, nla: nla[NFTA_CHAIN_TYPE],
2283 family, autoload: true);
2284 if (IS_ERR(ptr: type)) {
2285 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2286 return PTR_ERR(ptr: type);
2287 }
2288 }
2289 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2290 return -EOPNOTSUPP;
2291
2292 if (type->type == NFT_CHAIN_T_NAT &&
2293 hook->priority <= NF_IP_PRI_CONNTRACK)
2294 return -EOPNOTSUPP;
2295 } else {
2296 if (ha[NFTA_HOOK_HOOKNUM]) {
2297 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2298 if (hook->num != basechain->ops.hooknum)
2299 return -EOPNOTSUPP;
2300 }
2301 if (ha[NFTA_HOOK_PRIORITY]) {
2302 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2303 if (hook->priority != basechain->ops.priority)
2304 return -EOPNOTSUPP;
2305 }
2306
2307 if (nla[NFTA_CHAIN_TYPE]) {
2308 type = __nf_tables_chain_type_lookup(nla: nla[NFTA_CHAIN_TYPE],
2309 family);
2310 if (!type) {
2311 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2312 return -ENOENT;
2313 }
2314 } else {
2315 type = basechain->type;
2316 }
2317 }
2318
2319 if (!try_module_get(module: type->owner)) {
2320 if (nla[NFTA_CHAIN_TYPE])
2321 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2322 return -ENOENT;
2323 }
2324
2325 hook->type = type;
2326
2327 INIT_LIST_HEAD(list: &hook->list);
2328 if (nft_base_chain_netdev(family, hooknum: hook->num)) {
2329 err = nft_chain_parse_netdev(net, tb: ha, hook_list: &hook->list, extack, flags);
2330 if (err < 0) {
2331 module_put(module: type->owner);
2332 return err;
2333 }
2334 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2335 module_put(module: type->owner);
2336 return -EOPNOTSUPP;
2337 }
2338
2339 return 0;
2340}
2341
2342static void nft_chain_release_hook(struct nft_chain_hook *hook)
2343{
2344 struct nft_hook *h, *next;
2345
2346 list_for_each_entry_safe(h, next, &hook->list, list) {
2347 list_del(entry: &h->list);
2348 kfree(objp: h);
2349 }
2350 module_put(module: hook->type->owner);
2351}
2352
2353static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2354{
2355 struct nft_rule_dp_last *lrule;
2356
2357 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2358
2359 lrule = (struct nft_rule_dp_last *)ptr;
2360 lrule->end.is_last = 1;
2361 lrule->chain = chain;
2362 /* blob size does not include the trailer rule */
2363}
2364
2365static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2366 unsigned int size)
2367{
2368 struct nft_rule_blob *blob;
2369
2370 if (size > INT_MAX)
2371 return NULL;
2372
2373 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2374
2375 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2376 if (!blob)
2377 return NULL;
2378
2379 blob->size = 0;
2380 nft_last_rule(chain, ptr: blob->data);
2381
2382 return blob;
2383}
2384
2385static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2386 const struct nft_chain_hook *hook,
2387 struct nft_chain *chain)
2388{
2389 ops->pf = family;
2390 ops->hooknum = hook->num;
2391 ops->priority = hook->priority;
2392 ops->priv = chain;
2393 ops->hook = hook->type->hooks[ops->hooknum];
2394 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2395}
2396
2397static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2398 struct nft_chain_hook *hook, u32 flags)
2399{
2400 struct nft_chain *chain;
2401 struct nft_hook *h;
2402
2403 basechain->type = hook->type;
2404 INIT_LIST_HEAD(list: &basechain->hook_list);
2405 chain = &basechain->chain;
2406
2407 if (nft_base_chain_netdev(family, hooknum: hook->num)) {
2408 list_splice_init(list: &hook->list, head: &basechain->hook_list);
2409 list_for_each_entry(h, &basechain->hook_list, list)
2410 nft_basechain_hook_init(ops: &h->ops, family, hook, chain);
2411 }
2412 nft_basechain_hook_init(ops: &basechain->ops, family, hook, chain);
2413
2414 chain->flags |= NFT_CHAIN_BASE | flags;
2415 basechain->policy = NF_ACCEPT;
2416 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2417 !nft_chain_offload_support(basechain)) {
2418 list_splice_init(list: &basechain->hook_list, head: &hook->list);
2419 return -EOPNOTSUPP;
2420 }
2421
2422 flow_block_init(flow_block: &basechain->flow_block);
2423
2424 return 0;
2425}
2426
2427int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2428{
2429 int err;
2430
2431 err = rhltable_insert_key(hlt: &table->chains_ht, key: chain->name,
2432 list: &chain->rhlhead, params: nft_chain_ht_params);
2433 if (err)
2434 return err;
2435
2436 list_add_tail_rcu(new: &chain->list, head: &table->chains);
2437
2438 return 0;
2439}
2440
2441static u64 chain_id;
2442
2443static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2444 u8 policy, u32 flags,
2445 struct netlink_ext_ack *extack)
2446{
2447 const struct nlattr * const *nla = ctx->nla;
2448 struct nft_table *table = ctx->table;
2449 struct nft_base_chain *basechain;
2450 struct net *net = ctx->net;
2451 char name[NFT_NAME_MAXLEN];
2452 struct nft_rule_blob *blob;
2453 struct nft_trans *trans;
2454 struct nft_chain *chain;
2455 int err;
2456
2457 if (nla[NFTA_CHAIN_HOOK]) {
2458 struct nft_stats __percpu *stats = NULL;
2459 struct nft_chain_hook hook = {};
2460
2461 if (table->flags & __NFT_TABLE_F_UPDATE)
2462 return -EINVAL;
2463
2464 if (flags & NFT_CHAIN_BINDING)
2465 return -EOPNOTSUPP;
2466
2467 err = nft_chain_parse_hook(net, NULL, nla, hook: &hook, family, flags,
2468 extack);
2469 if (err < 0)
2470 return err;
2471
2472 basechain = kzalloc(size: sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2473 if (basechain == NULL) {
2474 nft_chain_release_hook(hook: &hook);
2475 return -ENOMEM;
2476 }
2477 chain = &basechain->chain;
2478
2479 if (nla[NFTA_CHAIN_COUNTERS]) {
2480 stats = nft_stats_alloc(attr: nla[NFTA_CHAIN_COUNTERS]);
2481 if (IS_ERR(ptr: stats)) {
2482 nft_chain_release_hook(hook: &hook);
2483 kfree(objp: basechain);
2484 return PTR_ERR(ptr: stats);
2485 }
2486 rcu_assign_pointer(basechain->stats, stats);
2487 }
2488
2489 err = nft_basechain_init(basechain, family, hook: &hook, flags);
2490 if (err < 0) {
2491 nft_chain_release_hook(hook: &hook);
2492 kfree(objp: basechain);
2493 free_percpu(pdata: stats);
2494 return err;
2495 }
2496 if (stats)
2497 static_branch_inc(&nft_counters_enabled);
2498 } else {
2499 if (flags & NFT_CHAIN_BASE)
2500 return -EINVAL;
2501 if (flags & NFT_CHAIN_HW_OFFLOAD)
2502 return -EOPNOTSUPP;
2503
2504 chain = kzalloc(size: sizeof(*chain), GFP_KERNEL_ACCOUNT);
2505 if (chain == NULL)
2506 return -ENOMEM;
2507
2508 chain->flags = flags;
2509 }
2510 ctx->chain = chain;
2511
2512 INIT_LIST_HEAD(list: &chain->rules);
2513 chain->handle = nf_tables_alloc_handle(table);
2514 chain->table = table;
2515
2516 if (nla[NFTA_CHAIN_NAME]) {
2517 chain->name = nla_strdup(nla: nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2518 } else {
2519 if (!(flags & NFT_CHAIN_BINDING)) {
2520 err = -EINVAL;
2521 goto err_destroy_chain;
2522 }
2523
2524 snprintf(buf: name, size: sizeof(name), fmt: "__chain%llu", ++chain_id);
2525 chain->name = kstrdup(s: name, GFP_KERNEL_ACCOUNT);
2526 }
2527
2528 if (!chain->name) {
2529 err = -ENOMEM;
2530 goto err_destroy_chain;
2531 }
2532
2533 if (nla[NFTA_CHAIN_USERDATA]) {
2534 chain->udata = nla_memdup(src: nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2535 if (chain->udata == NULL) {
2536 err = -ENOMEM;
2537 goto err_destroy_chain;
2538 }
2539 chain->udlen = nla_len(nla: nla[NFTA_CHAIN_USERDATA]);
2540 }
2541
2542 blob = nf_tables_chain_alloc_rules(chain, size: 0);
2543 if (!blob) {
2544 err = -ENOMEM;
2545 goto err_destroy_chain;
2546 }
2547
2548 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2549 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2550
2551 if (!nft_use_inc(use: &table->use)) {
2552 err = -EMFILE;
2553 goto err_destroy_chain;
2554 }
2555
2556 trans = nft_trans_chain_add(ctx, msg_type: NFT_MSG_NEWCHAIN);
2557 if (IS_ERR(ptr: trans)) {
2558 err = PTR_ERR(ptr: trans);
2559 goto err_trans;
2560 }
2561
2562 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2563 if (nft_is_base_chain(chain))
2564 nft_trans_chain_policy(trans) = policy;
2565
2566 err = nft_chain_add(table, chain);
2567 if (err < 0)
2568 goto err_chain_add;
2569
2570 /* This must be LAST to ensure no packets are walking over this chain. */
2571 err = nf_tables_register_hook(net, table, chain);
2572 if (err < 0)
2573 goto err_register_hook;
2574
2575 return 0;
2576
2577err_register_hook:
2578 nft_chain_del(chain);
2579err_chain_add:
2580 nft_trans_destroy(trans);
2581err_trans:
2582 nft_use_dec_restore(use: &table->use);
2583err_destroy_chain:
2584 nf_tables_chain_destroy(ctx);
2585
2586 return err;
2587}
2588
2589static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2590 u32 flags, const struct nlattr *attr,
2591 struct netlink_ext_ack *extack)
2592{
2593 const struct nlattr * const *nla = ctx->nla;
2594 struct nft_base_chain *basechain = NULL;
2595 struct nft_table *table = ctx->table;
2596 struct nft_chain *chain = ctx->chain;
2597 struct nft_chain_hook hook = {};
2598 struct nft_stats *stats = NULL;
2599 struct nft_hook *h, *next;
2600 struct nf_hook_ops *ops;
2601 struct nft_trans *trans;
2602 bool unregister = false;
2603 int err;
2604
2605 if (chain->flags ^ flags)
2606 return -EOPNOTSUPP;
2607
2608 INIT_LIST_HEAD(list: &hook.list);
2609
2610 if (nla[NFTA_CHAIN_HOOK]) {
2611 if (!nft_is_base_chain(chain)) {
2612 NL_SET_BAD_ATTR(extack, attr);
2613 return -EEXIST;
2614 }
2615
2616 basechain = nft_base_chain(chain);
2617 err = nft_chain_parse_hook(net: ctx->net, basechain, nla, hook: &hook,
2618 family: ctx->family, flags, extack);
2619 if (err < 0)
2620 return err;
2621
2622 if (basechain->type != hook.type) {
2623 nft_chain_release_hook(hook: &hook);
2624 NL_SET_BAD_ATTR(extack, attr);
2625 return -EEXIST;
2626 }
2627
2628 if (nft_base_chain_netdev(family: ctx->family, hooknum: basechain->ops.hooknum)) {
2629 list_for_each_entry_safe(h, next, &hook.list, list) {
2630 h->ops.pf = basechain->ops.pf;
2631 h->ops.hooknum = basechain->ops.hooknum;
2632 h->ops.priority = basechain->ops.priority;
2633 h->ops.priv = basechain->ops.priv;
2634 h->ops.hook = basechain->ops.hook;
2635
2636 if (nft_hook_list_find(hook_list: &basechain->hook_list, this: h)) {
2637 list_del(entry: &h->list);
2638 kfree(objp: h);
2639 }
2640 }
2641 } else {
2642 ops = &basechain->ops;
2643 if (ops->hooknum != hook.num ||
2644 ops->priority != hook.priority) {
2645 nft_chain_release_hook(hook: &hook);
2646 NL_SET_BAD_ATTR(extack, attr);
2647 return -EEXIST;
2648 }
2649 }
2650 }
2651
2652 if (nla[NFTA_CHAIN_HANDLE] &&
2653 nla[NFTA_CHAIN_NAME]) {
2654 struct nft_chain *chain2;
2655
2656 chain2 = nft_chain_lookup(net: ctx->net, table,
2657 nla: nla[NFTA_CHAIN_NAME], genmask);
2658 if (!IS_ERR(ptr: chain2)) {
2659 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2660 err = -EEXIST;
2661 goto err_hooks;
2662 }
2663 }
2664
2665 if (table->flags & __NFT_TABLE_F_UPDATE &&
2666 !list_empty(head: &hook.list)) {
2667 NL_SET_BAD_ATTR(extack, attr);
2668 err = -EOPNOTSUPP;
2669 goto err_hooks;
2670 }
2671
2672 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2673 nft_is_base_chain(chain) &&
2674 !list_empty(head: &hook.list)) {
2675 basechain = nft_base_chain(chain);
2676 ops = &basechain->ops;
2677
2678 if (nft_base_chain_netdev(family: table->family, hooknum: basechain->ops.hooknum)) {
2679 err = nft_netdev_register_hooks(net: ctx->net, hook_list: &hook.list);
2680 if (err < 0)
2681 goto err_hooks;
2682 }
2683 }
2684
2685 unregister = true;
2686
2687 if (nla[NFTA_CHAIN_COUNTERS]) {
2688 if (!nft_is_base_chain(chain)) {
2689 err = -EOPNOTSUPP;
2690 goto err_hooks;
2691 }
2692
2693 stats = nft_stats_alloc(attr: nla[NFTA_CHAIN_COUNTERS]);
2694 if (IS_ERR(ptr: stats)) {
2695 err = PTR_ERR(ptr: stats);
2696 goto err_hooks;
2697 }
2698 }
2699
2700 err = -ENOMEM;
2701 trans = nft_trans_alloc(ctx, msg_type: NFT_MSG_NEWCHAIN,
2702 size: sizeof(struct nft_trans_chain));
2703 if (trans == NULL)
2704 goto err_trans;
2705
2706 nft_trans_chain_stats(trans) = stats;
2707 nft_trans_chain_update(trans) = true;
2708
2709 if (nla[NFTA_CHAIN_POLICY])
2710 nft_trans_chain_policy(trans) = policy;
2711 else
2712 nft_trans_chain_policy(trans) = -1;
2713
2714 if (nla[NFTA_CHAIN_HANDLE] &&
2715 nla[NFTA_CHAIN_NAME]) {
2716 struct nftables_pernet *nft_net = nft_pernet(net: ctx->net);
2717 struct nft_trans *tmp;
2718 char *name;
2719
2720 err = -ENOMEM;
2721 name = nla_strdup(nla: nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2722 if (!name)
2723 goto err_trans;
2724
2725 err = -EEXIST;
2726 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2727 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2728 tmp->ctx.table == table &&
2729 nft_trans_chain_update(tmp) &&
2730 nft_trans_chain_name(tmp) &&
2731 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2732 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2733 kfree(objp: name);
2734 goto err_trans;
2735 }
2736 }
2737
2738 nft_trans_chain_name(trans) = name;
2739 }
2740
2741 nft_trans_basechain(trans) = basechain;
2742 INIT_LIST_HEAD(list: &nft_trans_chain_hooks(trans));
2743 list_splice(list: &hook.list, head: &nft_trans_chain_hooks(trans));
2744 if (nla[NFTA_CHAIN_HOOK])
2745 module_put(module: hook.type->owner);
2746
2747 nft_trans_commit_list_add_tail(net: ctx->net, trans);
2748
2749 return 0;
2750
2751err_trans:
2752 free_percpu(pdata: stats);
2753 kfree(objp: trans);
2754err_hooks:
2755 if (nla[NFTA_CHAIN_HOOK]) {
2756 list_for_each_entry_safe(h, next, &hook.list, list) {
2757 if (unregister)
2758 nf_unregister_net_hook(net: ctx->net, ops: &h->ops);
2759 list_del(entry: &h->list);
2760 kfree_rcu(h, rcu);
2761 }
2762 module_put(module: hook.type->owner);
2763 }
2764
2765 return err;
2766}
2767
2768static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2769 const struct nft_table *table,
2770 const struct nlattr *nla, u8 genmask)
2771{
2772 struct nftables_pernet *nft_net = nft_pernet(net);
2773 u32 id = ntohl(nla_get_be32(nla));
2774 struct nft_trans *trans;
2775
2776 list_for_each_entry(trans, &nft_net->commit_list, list) {
2777 struct nft_chain *chain = trans->ctx.chain;
2778
2779 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2780 chain->table == table &&
2781 id == nft_trans_chain_id(trans) &&
2782 nft_active_genmask(chain, genmask))
2783 return chain;
2784 }
2785 return ERR_PTR(error: -ENOENT);
2786}
2787
2788static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2789 const struct nlattr * const nla[])
2790{
2791 struct nftables_pernet *nft_net = nft_pernet(net: info->net);
2792 struct netlink_ext_ack *extack = info->extack;
2793 u8 genmask = nft_genmask_next(net: info->net);
2794 u8 family = info->nfmsg->nfgen_family;
2795 struct nft_chain *chain = NULL;
2796 struct net *net = info->net;
2797 const struct nlattr *attr;
2798 struct nft_table *table;
2799 u8 policy = NF_ACCEPT;
2800 struct nft_ctx ctx;
2801 u64 handle = 0;
2802 u32 flags = 0;
2803
2804 lockdep_assert_held(&nft_net->commit_mutex);
2805
2806 table = nft_table_lookup(net, nla: nla[NFTA_CHAIN_TABLE], family, genmask,
2807 NETLINK_CB(skb).portid);
2808 if (IS_ERR(ptr: table)) {
2809 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2810 return PTR_ERR(ptr: table);
2811 }
2812
2813 chain = NULL;
2814 attr = nla[NFTA_CHAIN_NAME];
2815
2816 if (nla[NFTA_CHAIN_HANDLE]) {
2817 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2818 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2819 if (IS_ERR(ptr: chain)) {
2820 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2821 return PTR_ERR(ptr: chain);
2822 }
2823 attr = nla[NFTA_CHAIN_HANDLE];
2824 } else if (nla[NFTA_CHAIN_NAME]) {
2825 chain = nft_chain_lookup(net, table, nla: attr, genmask);
2826 if (IS_ERR(ptr: chain)) {
2827 if (PTR_ERR(ptr: chain) != -ENOENT) {
2828 NL_SET_BAD_ATTR(extack, attr);
2829 return PTR_ERR(ptr: chain);
2830 }
2831 chain = NULL;
2832 }
2833 } else if (!nla[NFTA_CHAIN_ID]) {
2834 return -EINVAL;
2835 }
2836
2837 if (nla[NFTA_CHAIN_POLICY]) {
2838 if (chain != NULL &&
2839 !nft_is_base_chain(chain)) {
2840 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2841 return -EOPNOTSUPP;
2842 }
2843
2844 if (chain == NULL &&
2845 nla[NFTA_CHAIN_HOOK] == NULL) {
2846 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2847 return -EOPNOTSUPP;
2848 }
2849
2850 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2851 switch (policy) {
2852 case NF_DROP:
2853 case NF_ACCEPT:
2854 break;
2855 default:
2856 return -EINVAL;
2857 }
2858 }
2859
2860 if (nla[NFTA_CHAIN_FLAGS])
2861 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2862 else if (chain)
2863 flags = chain->flags;
2864
2865 if (flags & ~NFT_CHAIN_FLAGS)
2866 return -EOPNOTSUPP;
2867
2868 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, chain, nla);
2869
2870 if (chain != NULL) {
2871 if (chain->flags & NFT_CHAIN_BINDING)
2872 return -EINVAL;
2873
2874 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2875 NL_SET_BAD_ATTR(extack, attr);
2876 return -EEXIST;
2877 }
2878 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2879 return -EOPNOTSUPP;
2880
2881 flags |= chain->flags & NFT_CHAIN_BASE;
2882 return nf_tables_updchain(ctx: &ctx, genmask, policy, flags, attr,
2883 extack);
2884 }
2885
2886 return nf_tables_addchain(ctx: &ctx, family, genmask, policy, flags, extack);
2887}
2888
2889static int nft_delchain_hook(struct nft_ctx *ctx,
2890 struct nft_base_chain *basechain,
2891 struct netlink_ext_ack *extack)
2892{
2893 const struct nft_chain *chain = &basechain->chain;
2894 const struct nlattr * const *nla = ctx->nla;
2895 struct nft_chain_hook chain_hook = {};
2896 struct nft_hook *this, *hook;
2897 LIST_HEAD(chain_del_list);
2898 struct nft_trans *trans;
2899 int err;
2900
2901 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
2902 return -EOPNOTSUPP;
2903
2904 err = nft_chain_parse_hook(net: ctx->net, basechain, nla, hook: &chain_hook,
2905 family: ctx->family, flags: chain->flags, extack);
2906 if (err < 0)
2907 return err;
2908
2909 list_for_each_entry(this, &chain_hook.list, list) {
2910 hook = nft_hook_list_find(hook_list: &basechain->hook_list, this);
2911 if (!hook) {
2912 err = -ENOENT;
2913 goto err_chain_del_hook;
2914 }
2915 list_move(list: &hook->list, head: &chain_del_list);
2916 }
2917
2918 trans = nft_trans_alloc(ctx, msg_type: NFT_MSG_DELCHAIN,
2919 size: sizeof(struct nft_trans_chain));
2920 if (!trans) {
2921 err = -ENOMEM;
2922 goto err_chain_del_hook;
2923 }
2924
2925 nft_trans_basechain(trans) = basechain;
2926 nft_trans_chain_update(trans) = true;
2927 INIT_LIST_HEAD(list: &nft_trans_chain_hooks(trans));
2928 list_splice(list: &chain_del_list, head: &nft_trans_chain_hooks(trans));
2929 nft_chain_release_hook(hook: &chain_hook);
2930
2931 nft_trans_commit_list_add_tail(net: ctx->net, trans);
2932
2933 return 0;
2934
2935err_chain_del_hook:
2936 list_splice(list: &chain_del_list, head: &basechain->hook_list);
2937 nft_chain_release_hook(hook: &chain_hook);
2938
2939 return err;
2940}
2941
2942static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2943 const struct nlattr * const nla[])
2944{
2945 struct netlink_ext_ack *extack = info->extack;
2946 u8 genmask = nft_genmask_next(net: info->net);
2947 u8 family = info->nfmsg->nfgen_family;
2948 struct net *net = info->net;
2949 const struct nlattr *attr;
2950 struct nft_table *table;
2951 struct nft_chain *chain;
2952 struct nft_rule *rule;
2953 struct nft_ctx ctx;
2954 u64 handle;
2955 u32 use;
2956 int err;
2957
2958 table = nft_table_lookup(net, nla: nla[NFTA_CHAIN_TABLE], family, genmask,
2959 NETLINK_CB(skb).portid);
2960 if (IS_ERR(ptr: table)) {
2961 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2962 return PTR_ERR(ptr: table);
2963 }
2964
2965 if (nla[NFTA_CHAIN_HANDLE]) {
2966 attr = nla[NFTA_CHAIN_HANDLE];
2967 handle = be64_to_cpu(nla_get_be64(attr));
2968 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2969 } else {
2970 attr = nla[NFTA_CHAIN_NAME];
2971 chain = nft_chain_lookup(net, table, nla: attr, genmask);
2972 }
2973 if (IS_ERR(ptr: chain)) {
2974 if (PTR_ERR(ptr: chain) == -ENOENT &&
2975 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
2976 return 0;
2977
2978 NL_SET_BAD_ATTR(extack, attr);
2979 return PTR_ERR(ptr: chain);
2980 }
2981
2982 if (nft_chain_binding(chain))
2983 return -EOPNOTSUPP;
2984
2985 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, chain, nla);
2986
2987 if (nla[NFTA_CHAIN_HOOK]) {
2988 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN ||
2989 chain->flags & NFT_CHAIN_HW_OFFLOAD)
2990 return -EOPNOTSUPP;
2991
2992 if (nft_is_base_chain(chain)) {
2993 struct nft_base_chain *basechain = nft_base_chain(chain);
2994
2995 if (nft_base_chain_netdev(family: table->family, hooknum: basechain->ops.hooknum))
2996 return nft_delchain_hook(ctx: &ctx, basechain, extack);
2997 }
2998 }
2999
3000 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
3001 chain->use > 0)
3002 return -EBUSY;
3003
3004 use = chain->use;
3005 list_for_each_entry(rule, &chain->rules, list) {
3006 if (!nft_is_active_next(net, rule))
3007 continue;
3008 use--;
3009
3010 err = nft_delrule(ctx: &ctx, rule);
3011 if (err < 0)
3012 return err;
3013 }
3014
3015 /* There are rules and elements that are still holding references to us,
3016 * we cannot do a recursive removal in this case.
3017 */
3018 if (use > 0) {
3019 NL_SET_BAD_ATTR(extack, attr);
3020 return -EBUSY;
3021 }
3022
3023 return nft_delchain(ctx: &ctx);
3024}
3025
3026/*
3027 * Expressions
3028 */
3029
3030/**
3031 * nft_register_expr - register nf_tables expr type
3032 * @type: expr type
3033 *
3034 * Registers the expr type for use with nf_tables. Returns zero on
3035 * success or a negative errno code otherwise.
3036 */
3037int nft_register_expr(struct nft_expr_type *type)
3038{
3039 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
3040 return -ENOMEM;
3041
3042 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3043 if (type->family == NFPROTO_UNSPEC)
3044 list_add_tail_rcu(new: &type->list, head: &nf_tables_expressions);
3045 else
3046 list_add_rcu(new: &type->list, head: &nf_tables_expressions);
3047 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3048 return 0;
3049}
3050EXPORT_SYMBOL_GPL(nft_register_expr);
3051
3052/**
3053 * nft_unregister_expr - unregister nf_tables expr type
3054 * @type: expr type
3055 *
3056 * Unregisters the expr typefor use with nf_tables.
3057 */
3058void nft_unregister_expr(struct nft_expr_type *type)
3059{
3060 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3061 list_del_rcu(entry: &type->list);
3062 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3063}
3064EXPORT_SYMBOL_GPL(nft_unregister_expr);
3065
3066static const struct nft_expr_type *__nft_expr_type_get(u8 family,
3067 struct nlattr *nla)
3068{
3069 const struct nft_expr_type *type, *candidate = NULL;
3070
3071 list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
3072 if (!nla_strcmp(nla, str: type->name)) {
3073 if (!type->family && !candidate)
3074 candidate = type;
3075 else if (type->family == family)
3076 candidate = type;
3077 }
3078 }
3079 return candidate;
3080}
3081
3082#ifdef CONFIG_MODULES
3083static int nft_expr_type_request_module(struct net *net, u8 family,
3084 struct nlattr *nla)
3085{
3086 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3087 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3088 return -EAGAIN;
3089
3090 return 0;
3091}
3092#endif
3093
3094static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3095 u8 family,
3096 struct nlattr *nla)
3097{
3098 const struct nft_expr_type *type;
3099
3100 if (nla == NULL)
3101 return ERR_PTR(error: -EINVAL);
3102
3103 rcu_read_lock();
3104 type = __nft_expr_type_get(family, nla);
3105 if (type != NULL && try_module_get(module: type->owner)) {
3106 rcu_read_unlock();
3107 return type;
3108 }
3109 rcu_read_unlock();
3110
3111 lockdep_nfnl_nft_mutex_not_held();
3112#ifdef CONFIG_MODULES
3113 if (type == NULL) {
3114 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3115 return ERR_PTR(error: -EAGAIN);
3116
3117 if (nft_request_module(net, "nft-expr-%.*s",
3118 nla_len(nla),
3119 (char *)nla_data(nla)) == -EAGAIN)
3120 return ERR_PTR(error: -EAGAIN);
3121 }
3122#endif
3123 return ERR_PTR(error: -ENOENT);
3124}
3125
3126static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3127 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3128 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3129 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3130};
3131
3132static int nf_tables_fill_expr_info(struct sk_buff *skb,
3133 const struct nft_expr *expr, bool reset)
3134{
3135 if (nla_put_string(skb, attrtype: NFTA_EXPR_NAME, str: expr->ops->type->name))
3136 goto nla_put_failure;
3137
3138 if (expr->ops->dump) {
3139 struct nlattr *data = nla_nest_start_noflag(skb,
3140 attrtype: NFTA_EXPR_DATA);
3141 if (data == NULL)
3142 goto nla_put_failure;
3143 if (expr->ops->dump(skb, expr, reset) < 0)
3144 goto nla_put_failure;
3145 nla_nest_end(skb, start: data);
3146 }
3147
3148 return skb->len;
3149
3150nla_put_failure:
3151 return -1;
3152};
3153
3154int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3155 const struct nft_expr *expr, bool reset)
3156{
3157 struct nlattr *nest;
3158
3159 nest = nla_nest_start_noflag(skb, attrtype: attr);
3160 if (!nest)
3161 goto nla_put_failure;
3162 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3163 goto nla_put_failure;
3164 nla_nest_end(skb, start: nest);
3165 return 0;
3166
3167nla_put_failure:
3168 return -1;
3169}
3170
3171struct nft_expr_info {
3172 const struct nft_expr_ops *ops;
3173 const struct nlattr *attr;
3174 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3175};
3176
3177static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3178 const struct nlattr *nla,
3179 struct nft_expr_info *info)
3180{
3181 const struct nft_expr_type *type;
3182 const struct nft_expr_ops *ops;
3183 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3184 int err;
3185
3186 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3187 policy: nft_expr_policy, NULL);
3188 if (err < 0)
3189 return err;
3190
3191 type = nft_expr_type_get(net: ctx->net, family: ctx->family, nla: tb[NFTA_EXPR_NAME]);
3192 if (IS_ERR(ptr: type))
3193 return PTR_ERR(ptr: type);
3194
3195 if (tb[NFTA_EXPR_DATA]) {
3196 err = nla_parse_nested_deprecated(tb: info->tb, maxtype: type->maxattr,
3197 nla: tb[NFTA_EXPR_DATA],
3198 policy: type->policy, NULL);
3199 if (err < 0)
3200 goto err1;
3201 } else
3202 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3203
3204 if (type->select_ops != NULL) {
3205 ops = type->select_ops(ctx,
3206 (const struct nlattr * const *)info->tb);
3207 if (IS_ERR(ptr: ops)) {
3208 err = PTR_ERR(ptr: ops);
3209#ifdef CONFIG_MODULES
3210 if (err == -EAGAIN)
3211 if (nft_expr_type_request_module(net: ctx->net,
3212 family: ctx->family,
3213 nla: tb[NFTA_EXPR_NAME]) != -EAGAIN)
3214 err = -ENOENT;
3215#endif
3216 goto err1;
3217 }
3218 } else
3219 ops = type->ops;
3220
3221 info->attr = nla;
3222 info->ops = ops;
3223
3224 return 0;
3225
3226err1:
3227 module_put(module: type->owner);
3228 return err;
3229}
3230
3231int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3232 struct nft_expr_info *info)
3233{
3234 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3235 const struct nft_expr_type *type;
3236 int err;
3237
3238 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3239 policy: nft_expr_policy, NULL);
3240 if (err < 0)
3241 return err;
3242
3243 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3244 return -EINVAL;
3245
3246 type = __nft_expr_type_get(family: ctx->family, nla: tb[NFTA_EXPR_NAME]);
3247 if (!type)
3248 return -ENOENT;
3249
3250 if (!type->inner_ops)
3251 return -EOPNOTSUPP;
3252
3253 err = nla_parse_nested_deprecated(tb: info->tb, maxtype: type->maxattr,
3254 nla: tb[NFTA_EXPR_DATA],
3255 policy: type->policy, NULL);
3256 if (err < 0)
3257 goto err_nla_parse;
3258
3259 info->attr = nla;
3260 info->ops = type->inner_ops;
3261
3262 return 0;
3263
3264err_nla_parse:
3265 return err;
3266}
3267
3268static int nf_tables_newexpr(const struct nft_ctx *ctx,
3269 const struct nft_expr_info *expr_info,
3270 struct nft_expr *expr)
3271{
3272 const struct nft_expr_ops *ops = expr_info->ops;
3273 int err;
3274
3275 expr->ops = ops;
3276 if (ops->init) {
3277 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3278 if (err < 0)
3279 goto err1;
3280 }
3281
3282 return 0;
3283err1:
3284 expr->ops = NULL;
3285 return err;
3286}
3287
3288static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3289 struct nft_expr *expr)
3290{
3291 const struct nft_expr_type *type = expr->ops->type;
3292
3293 if (expr->ops->destroy)
3294 expr->ops->destroy(ctx, expr);
3295 module_put(module: type->owner);
3296}
3297
3298static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3299 const struct nlattr *nla)
3300{
3301 struct nft_expr_info expr_info;
3302 struct nft_expr *expr;
3303 struct module *owner;
3304 int err;
3305
3306 err = nf_tables_expr_parse(ctx, nla, info: &expr_info);
3307 if (err < 0)
3308 goto err_expr_parse;
3309
3310 err = -EOPNOTSUPP;
3311 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3312 goto err_expr_stateful;
3313
3314 err = -ENOMEM;
3315 expr = kzalloc(size: expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3316 if (expr == NULL)
3317 goto err_expr_stateful;
3318
3319 err = nf_tables_newexpr(ctx, expr_info: &expr_info, expr);
3320 if (err < 0)
3321 goto err_expr_new;
3322
3323 return expr;
3324err_expr_new:
3325 kfree(objp: expr);
3326err_expr_stateful:
3327 owner = expr_info.ops->type->owner;
3328 if (expr_info.ops->type->release_ops)
3329 expr_info.ops->type->release_ops(expr_info.ops);
3330
3331 module_put(module: owner);
3332err_expr_parse:
3333 return ERR_PTR(error: err);
3334}
3335
3336int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
3337{
3338 int err;
3339
3340 if (WARN_ON_ONCE(!src->ops->clone))
3341 return -EINVAL;
3342
3343 dst->ops = src->ops;
3344 err = src->ops->clone(dst, src);
3345 if (err < 0)
3346 return err;
3347
3348 __module_get(module: src->ops->type->owner);
3349
3350 return 0;
3351}
3352
3353void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3354{
3355 nf_tables_expr_destroy(ctx, expr);
3356 kfree(objp: expr);
3357}
3358
3359/*
3360 * Rules
3361 */
3362
3363static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
3364 u64 handle)
3365{
3366 struct nft_rule *rule;
3367
3368 // FIXME: this sucks
3369 list_for_each_entry_rcu(rule, &chain->rules, list) {
3370 if (handle == rule->handle)
3371 return rule;
3372 }
3373
3374 return ERR_PTR(error: -ENOENT);
3375}
3376
3377static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
3378 const struct nlattr *nla)
3379{
3380 if (nla == NULL)
3381 return ERR_PTR(error: -EINVAL);
3382
3383 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
3384}
3385
3386static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3387 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3388 .len = NFT_TABLE_MAXNAMELEN - 1 },
3389 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3390 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3391 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3392 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
3393 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3394 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3395 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3396 .len = NFT_USERDATA_MAXLEN },
3397 [NFTA_RULE_ID] = { .type = NLA_U32 },
3398 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3399 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3400};
3401
3402static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3403 u32 portid, u32 seq, int event,
3404 u32 flags, int family,
3405 const struct nft_table *table,
3406 const struct nft_chain *chain,
3407 const struct nft_rule *rule, u64 handle,
3408 bool reset)
3409{
3410 struct nlmsghdr *nlh;
3411 const struct nft_expr *expr, *next;
3412 struct nlattr *list;
3413 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, msg_type: event);
3414
3415 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3416 res_id: nft_base_seq(net));
3417 if (!nlh)
3418 goto nla_put_failure;
3419
3420 if (nla_put_string(skb, attrtype: NFTA_RULE_TABLE, str: table->name))
3421 goto nla_put_failure;
3422 if (nla_put_string(skb, attrtype: NFTA_RULE_CHAIN, str: chain->name))
3423 goto nla_put_failure;
3424 if (nla_put_be64(skb, attrtype: NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3425 padattr: NFTA_RULE_PAD))
3426 goto nla_put_failure;
3427
3428 if (event != NFT_MSG_DELRULE && handle) {
3429 if (nla_put_be64(skb, attrtype: NFTA_RULE_POSITION, cpu_to_be64(handle),
3430 padattr: NFTA_RULE_PAD))
3431 goto nla_put_failure;
3432 }
3433
3434 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3435 nft_flow_rule_stats(chain, rule);
3436
3437 list = nla_nest_start_noflag(skb, attrtype: NFTA_RULE_EXPRESSIONS);
3438 if (list == NULL)
3439 goto nla_put_failure;
3440 nft_rule_for_each_expr(expr, next, rule) {
3441 if (nft_expr_dump(skb, attr: NFTA_LIST_ELEM, expr, reset) < 0)
3442 goto nla_put_failure;
3443 }
3444 nla_nest_end(skb, start: list);
3445
3446 if (rule->udata) {
3447 struct nft_userdata *udata = nft_userdata(rule);
3448 if (nla_put(skb, attrtype: NFTA_RULE_USERDATA, attrlen: udata->len + 1,
3449 data: udata->data) < 0)
3450 goto nla_put_failure;
3451 }
3452
3453 nlmsg_end(skb, nlh);
3454 return 0;
3455
3456nla_put_failure:
3457 nlmsg_trim(skb, mark: nlh);
3458 return -1;
3459}
3460
3461static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3462 const struct nft_rule *rule, int event)
3463{
3464 struct nftables_pernet *nft_net = nft_pernet(net: ctx->net);
3465 const struct nft_rule *prule;
3466 struct sk_buff *skb;
3467 u64 handle = 0;
3468 u16 flags = 0;
3469 int err;
3470
3471 if (!ctx->report &&
3472 !nfnetlink_has_listeners(net: ctx->net, NFNLGRP_NFTABLES))
3473 return;
3474
3475 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3476 if (skb == NULL)
3477 goto err;
3478
3479 if (event == NFT_MSG_NEWRULE &&
3480 !list_is_first(list: &rule->list, head: &ctx->chain->rules) &&
3481 !list_is_last(list: &rule->list, head: &ctx->chain->rules)) {
3482 prule = list_prev_entry(rule, list);
3483 handle = prule->handle;
3484 }
3485 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3486 flags |= NLM_F_APPEND;
3487 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3488 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3489
3490 err = nf_tables_fill_rule_info(skb, net: ctx->net, portid: ctx->portid, seq: ctx->seq,
3491 event, flags, family: ctx->family, table: ctx->table,
3492 chain: ctx->chain, rule, handle, reset: false);
3493 if (err < 0) {
3494 kfree_skb(skb);
3495 goto err;
3496 }
3497
3498 nft_notify_enqueue(skb, report: ctx->report, notify_list: &nft_net->notify_list);
3499 return;
3500err:
3501 nfnetlink_set_err(net: ctx->net, portid: ctx->portid, NFNLGRP_NFTABLES, error: -ENOBUFS);
3502}
3503
3504static void audit_log_rule_reset(const struct nft_table *table,
3505 unsigned int base_seq,
3506 unsigned int nentries)
3507{
3508 char *buf = kasprintf(GFP_ATOMIC, fmt: "%s:%u",
3509 table->name, base_seq);
3510
3511 audit_log_nfcfg(name: buf, af: table->family, nentries,
3512 op: AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3513 kfree(objp: buf);
3514}
3515
3516struct nft_rule_dump_ctx {
3517 unsigned int s_idx;
3518 char *table;
3519 char *chain;
3520 bool reset;
3521};
3522
3523static int __nf_tables_dump_rules(struct sk_buff *skb,
3524 unsigned int *idx,
3525 struct netlink_callback *cb,
3526 const struct nft_table *table,
3527 const struct nft_chain *chain)
3528{
3529 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3530 struct net *net = sock_net(sk: skb->sk);
3531 const struct nft_rule *rule, *prule;
3532 unsigned int entries = 0;
3533 int ret = 0;
3534 u64 handle;
3535
3536 prule = NULL;
3537 list_for_each_entry_rcu(rule, &chain->rules, list) {
3538 if (!nft_is_active(net, rule))
3539 goto cont_skip;
3540 if (*idx < ctx->s_idx)
3541 goto cont;
3542 if (prule)
3543 handle = prule->handle;
3544 else
3545 handle = 0;
3546
3547 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3548 seq: cb->nlh->nlmsg_seq,
3549 event: NFT_MSG_NEWRULE,
3550 NLM_F_MULTI | NLM_F_APPEND,
3551 family: table->family,
3552 table, chain, rule, handle, reset: ctx->reset) < 0) {
3553 ret = 1;
3554 break;
3555 }
3556 entries++;
3557 nl_dump_check_consistent(cb, nlh: nlmsg_hdr(skb));
3558cont:
3559 prule = rule;
3560cont_skip:
3561 (*idx)++;
3562 }
3563
3564 if (ctx->reset && entries)
3565 audit_log_rule_reset(table, base_seq: cb->seq, nentries: entries);
3566
3567 return ret;
3568}
3569
3570static int nf_tables_dump_rules(struct sk_buff *skb,
3571 struct netlink_callback *cb)
3572{
3573 const struct nfgenmsg *nfmsg = nlmsg_data(nlh: cb->nlh);
3574 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3575 struct nft_table *table;
3576 const struct nft_chain *chain;
3577 unsigned int idx = 0;
3578 struct net *net = sock_net(sk: skb->sk);
3579 int family = nfmsg->nfgen_family;
3580 struct nftables_pernet *nft_net;
3581
3582 rcu_read_lock();
3583 nft_net = nft_pernet(net);
3584 cb->seq = READ_ONCE(nft_net->base_seq);
3585
3586 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3587 if (family != NFPROTO_UNSPEC && family != table->family)
3588 continue;
3589
3590 if (ctx->table && strcmp(ctx->table, table->name) != 0)
3591 continue;
3592
3593 if (ctx->table && ctx->chain) {
3594 struct rhlist_head *list, *tmp;
3595
3596 list = rhltable_lookup(hlt: &table->chains_ht, key: ctx->chain,
3597 params: nft_chain_ht_params);
3598 if (!list)
3599 goto done;
3600
3601 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3602 if (!nft_is_active(net, chain))
3603 continue;
3604 __nf_tables_dump_rules(skb, idx: &idx,
3605 cb, table, chain);
3606 break;
3607 }
3608 goto done;
3609 }
3610
3611 list_for_each_entry_rcu(chain, &table->chains, list) {
3612 if (__nf_tables_dump_rules(skb, idx: &idx,
3613 cb, table, chain))
3614 goto done;
3615 }
3616
3617 if (ctx->table)
3618 break;
3619 }
3620done:
3621 rcu_read_unlock();
3622
3623 ctx->s_idx = idx;
3624 return skb->len;
3625}
3626
3627static int nf_tables_dumpreset_rules(struct sk_buff *skb,
3628 struct netlink_callback *cb)
3629{
3630 struct nftables_pernet *nft_net = nft_pernet(net: sock_net(sk: skb->sk));
3631 int ret;
3632
3633 /* Mutex is held is to prevent that two concurrent dump-and-reset calls
3634 * do not underrun counters and quotas. The commit_mutex is used for
3635 * the lack a better lock, this is not transaction path.
3636 */
3637 mutex_lock(&nft_net->commit_mutex);
3638 ret = nf_tables_dump_rules(skb, cb);
3639 mutex_unlock(lock: &nft_net->commit_mutex);
3640
3641 return ret;
3642}
3643
3644static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3645{
3646 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3647 const struct nlattr * const *nla = cb->data;
3648
3649 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
3650
3651 if (nla[NFTA_RULE_TABLE]) {
3652 ctx->table = nla_strdup(nla: nla[NFTA_RULE_TABLE], GFP_ATOMIC);
3653 if (!ctx->table)
3654 return -ENOMEM;
3655 }
3656 if (nla[NFTA_RULE_CHAIN]) {
3657 ctx->chain = nla_strdup(nla: nla[NFTA_RULE_CHAIN], GFP_ATOMIC);
3658 if (!ctx->chain) {
3659 kfree(objp: ctx->table);
3660 return -ENOMEM;
3661 }
3662 }
3663 return 0;
3664}
3665
3666static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb)
3667{
3668 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3669
3670 ctx->reset = true;
3671
3672 return nf_tables_dump_rules_start(cb);
3673}
3674
3675static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3676{
3677 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3678
3679 kfree(objp: ctx->table);
3680 kfree(objp: ctx->chain);
3681 return 0;
3682}
3683
3684/* called with rcu_read_lock held */
3685static struct sk_buff *
3686nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3687 const struct nlattr * const nla[], bool reset)
3688{
3689 struct netlink_ext_ack *extack = info->extack;
3690 u8 genmask = nft_genmask_cur(net: info->net);
3691 u8 family = info->nfmsg->nfgen_family;
3692 const struct nft_chain *chain;
3693 const struct nft_rule *rule;
3694 struct net *net = info->net;
3695 struct nft_table *table;
3696 struct sk_buff *skb2;
3697 int err;
3698
3699 table = nft_table_lookup(net, nla: nla[NFTA_RULE_TABLE], family, genmask, nlpid: 0);
3700 if (IS_ERR(ptr: table)) {
3701 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3702 return ERR_CAST(ptr: table);
3703 }
3704
3705 chain = nft_chain_lookup(net, table, nla: nla[NFTA_RULE_CHAIN], genmask);
3706 if (IS_ERR(ptr: chain)) {
3707 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3708 return ERR_CAST(ptr: chain);
3709 }
3710
3711 rule = nft_rule_lookup(chain, nla: nla[NFTA_RULE_HANDLE]);
3712 if (IS_ERR(ptr: rule)) {
3713 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3714 return ERR_CAST(ptr: rule);
3715 }
3716
3717 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3718 if (!skb2)
3719 return ERR_PTR(error: -ENOMEM);
3720
3721 err = nf_tables_fill_rule_info(skb: skb2, net, portid,
3722 seq: info->nlh->nlmsg_seq, event: NFT_MSG_NEWRULE, flags: 0,
3723 family, table, chain, rule, handle: 0, reset);
3724 if (err < 0) {
3725 kfree_skb(skb: skb2);
3726 return ERR_PTR(error: err);
3727 }
3728
3729 return skb2;
3730}
3731
3732static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3733 const struct nlattr * const nla[])
3734{
3735 u32 portid = NETLINK_CB(skb).portid;
3736 struct net *net = info->net;
3737 struct sk_buff *skb2;
3738
3739 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3740 struct netlink_dump_control c = {
3741 .start= nf_tables_dump_rules_start,
3742 .dump = nf_tables_dump_rules,
3743 .done = nf_tables_dump_rules_done,
3744 .module = THIS_MODULE,
3745 .data = (void *)nla,
3746 };
3747
3748 return nft_netlink_dump_start_rcu(nlsk: info->sk, skb, nlh: info->nlh, c: &c);
3749 }
3750
3751 skb2 = nf_tables_getrule_single(portid, info, nla, reset: false);
3752 if (IS_ERR(ptr: skb2))
3753 return PTR_ERR(ptr: skb2);
3754
3755 return nfnetlink_unicast(skb: skb2, net, portid);
3756}
3757
3758static int nf_tables_getrule_reset(struct sk_buff *skb,
3759 const struct nfnl_info *info,
3760 const struct nlattr * const nla[])
3761{
3762 struct nftables_pernet *nft_net = nft_pernet(net: info->net);
3763 u32 portid = NETLINK_CB(skb).portid;
3764 struct net *net = info->net;
3765 struct sk_buff *skb2;
3766 char *buf;
3767
3768 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3769 struct netlink_dump_control c = {
3770 .start= nf_tables_dumpreset_rules_start,
3771 .dump = nf_tables_dumpreset_rules,
3772 .done = nf_tables_dump_rules_done,
3773 .module = THIS_MODULE,
3774 .data = (void *)nla,
3775 };
3776
3777 return nft_netlink_dump_start_rcu(nlsk: info->sk, skb, nlh: info->nlh, c: &c);
3778 }
3779
3780 if (!try_module_get(THIS_MODULE))
3781 return -EINVAL;
3782 rcu_read_unlock();
3783 mutex_lock(&nft_net->commit_mutex);
3784 skb2 = nf_tables_getrule_single(portid, info, nla, reset: true);
3785 mutex_unlock(lock: &nft_net->commit_mutex);
3786 rcu_read_lock();
3787 module_put(THIS_MODULE);
3788
3789 if (IS_ERR(ptr: skb2))
3790 return PTR_ERR(ptr: skb2);
3791
3792 buf = kasprintf(GFP_ATOMIC, fmt: "%.*s:%u",
3793 nla_len(nla: nla[NFTA_RULE_TABLE]),
3794 (char *)nla_data(nla: nla[NFTA_RULE_TABLE]),
3795 nft_net->base_seq);
3796 audit_log_nfcfg(name: buf, af: info->nfmsg->nfgen_family, nentries: 1,
3797 op: AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3798 kfree(objp: buf);
3799
3800 return nfnetlink_unicast(skb: skb2, net, portid);
3801}
3802
3803void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
3804{
3805 struct nft_expr *expr, *next;
3806
3807 /*
3808 * Careful: some expressions might not be initialized in case this
3809 * is called on error from nf_tables_newrule().
3810 */
3811 expr = nft_expr_first(rule);
3812 while (nft_expr_more(rule, expr)) {
3813 next = nft_expr_next(expr);
3814 nf_tables_expr_destroy(ctx, expr);
3815 expr = next;
3816 }
3817 kfree(objp: rule);
3818}
3819
3820static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3821{
3822 nft_rule_expr_deactivate(ctx, rule, phase: NFT_TRANS_RELEASE);
3823 nf_tables_rule_destroy(ctx, rule);
3824}
3825
3826int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3827{
3828 struct nft_expr *expr, *last;
3829 const struct nft_data *data;
3830 struct nft_rule *rule;
3831 int err;
3832
3833 if (ctx->level == NFT_JUMP_STACK_SIZE)
3834 return -EMLINK;
3835
3836 list_for_each_entry(rule, &chain->rules, list) {
3837 if (fatal_signal_pending(current))
3838 return -EINTR;
3839
3840 if (!nft_is_active_next(ctx->net, rule))
3841 continue;
3842
3843 nft_rule_for_each_expr(expr, last, rule) {
3844 if (!expr->ops->validate)
3845 continue;
3846
3847 err = expr->ops->validate(ctx, expr, &data);
3848 if (err < 0)
3849 return err;
3850 }
3851 }
3852
3853 return 0;
3854}
3855EXPORT_SYMBOL_GPL(nft_chain_validate);
3856
3857static int nft_table_validate(struct net *net, const struct nft_table *table)
3858{
3859 struct nft_chain *chain;
3860 struct nft_ctx ctx = {
3861 .net = net,
3862 .family = table->family,
3863 };
3864 int err;
3865
3866 list_for_each_entry(chain, &table->chains, list) {
3867 if (!nft_is_base_chain(chain))
3868 continue;
3869
3870 ctx.chain = chain;
3871 err = nft_chain_validate(&ctx, chain);
3872 if (err < 0)
3873 return err;
3874
3875 cond_resched();
3876 }
3877
3878 return 0;
3879}
3880
3881int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3882 const struct nft_set_iter *iter,
3883 struct nft_elem_priv *elem_priv)
3884{
3885 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
3886 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3887 const struct nft_data *data;
3888 int err;
3889
3890 if (!nft_set_elem_active(ext, genmask: iter->genmask))
3891 return 0;
3892
3893 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_FLAGS) &&
3894 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3895 return 0;
3896
3897 data = nft_set_ext_data(ext);
3898 switch (data->verdict.code) {
3899 case NFT_JUMP:
3900 case NFT_GOTO:
3901 pctx->level++;
3902 err = nft_chain_validate(ctx, data->verdict.chain);
3903 if (err < 0)
3904 return err;
3905 pctx->level--;
3906 break;
3907 default:
3908 break;
3909 }
3910
3911 return 0;
3912}
3913
3914int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3915{
3916 struct nft_set_iter dummy_iter = {
3917 .genmask = nft_genmask_next(net: ctx->net),
3918 };
3919 struct nft_set_elem_catchall *catchall;
3920
3921 struct nft_set_ext *ext;
3922 int ret = 0;
3923
3924 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3925 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
3926 if (!nft_set_elem_active(ext, genmask: dummy_iter.genmask))
3927 continue;
3928
3929 ret = nft_setelem_validate(ctx, set, iter: &dummy_iter, elem_priv: catchall->elem);
3930 if (ret < 0)
3931 return ret;
3932 }
3933
3934 return ret;
3935}
3936
3937static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3938 const struct nft_chain *chain,
3939 const struct nlattr *nla);
3940
3941#define NFT_RULE_MAXEXPRS 128
3942
3943static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3944 const struct nlattr * const nla[])
3945{
3946 struct nftables_pernet *nft_net = nft_pernet(net: info->net);
3947 struct netlink_ext_ack *extack = info->extack;
3948 unsigned int size, i, n, ulen = 0, usize = 0;
3949 u8 genmask = nft_genmask_next(net: info->net);
3950 struct nft_rule *rule, *old_rule = NULL;
3951 struct nft_expr_info *expr_info = NULL;
3952 u8 family = info->nfmsg->nfgen_family;
3953 struct nft_flow_rule *flow = NULL;
3954 struct net *net = info->net;
3955 struct nft_userdata *udata;
3956 struct nft_table *table;
3957 struct nft_chain *chain;
3958 struct nft_trans *trans;
3959 u64 handle, pos_handle;
3960 struct nft_expr *expr;
3961 struct nft_ctx ctx;
3962 struct nlattr *tmp;
3963 int err, rem;
3964
3965 lockdep_assert_held(&nft_net->commit_mutex);
3966
3967 table = nft_table_lookup(net, nla: nla[NFTA_RULE_TABLE], family, genmask,
3968 NETLINK_CB(skb).portid);
3969 if (IS_ERR(ptr: table)) {
3970 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3971 return PTR_ERR(ptr: table);
3972 }
3973
3974 if (nla[NFTA_RULE_CHAIN]) {
3975 chain = nft_chain_lookup(net, table, nla: nla[NFTA_RULE_CHAIN],
3976 genmask);
3977 if (IS_ERR(ptr: chain)) {
3978 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3979 return PTR_ERR(ptr: chain);
3980 }
3981
3982 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3983 chain = nft_chain_lookup_byid(net, table, nla: nla[NFTA_RULE_CHAIN_ID],
3984 genmask);
3985 if (IS_ERR(ptr: chain)) {
3986 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3987 return PTR_ERR(ptr: chain);
3988 }
3989 } else {
3990 return -EINVAL;
3991 }
3992
3993 if (nft_chain_is_bound(chain))
3994 return -EOPNOTSUPP;
3995
3996 if (nla[NFTA_RULE_HANDLE]) {
3997 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3998 rule = __nft_rule_lookup(chain, handle);
3999 if (IS_ERR(ptr: rule)) {
4000 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4001 return PTR_ERR(ptr: rule);
4002 }
4003
4004 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4005 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4006 return -EEXIST;
4007 }
4008 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4009 old_rule = rule;
4010 else
4011 return -EOPNOTSUPP;
4012 } else {
4013 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
4014 info->nlh->nlmsg_flags & NLM_F_REPLACE)
4015 return -EINVAL;
4016 handle = nf_tables_alloc_handle(table);
4017
4018 if (nla[NFTA_RULE_POSITION]) {
4019 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
4020 old_rule = __nft_rule_lookup(chain, handle: pos_handle);
4021 if (IS_ERR(ptr: old_rule)) {
4022 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
4023 return PTR_ERR(ptr: old_rule);
4024 }
4025 } else if (nla[NFTA_RULE_POSITION_ID]) {
4026 old_rule = nft_rule_lookup_byid(net, chain, nla: nla[NFTA_RULE_POSITION_ID]);
4027 if (IS_ERR(ptr: old_rule)) {
4028 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
4029 return PTR_ERR(ptr: old_rule);
4030 }
4031 }
4032 }
4033
4034 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, chain, nla);
4035
4036 n = 0;
4037 size = 0;
4038 if (nla[NFTA_RULE_EXPRESSIONS]) {
4039 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
4040 size: sizeof(struct nft_expr_info),
4041 GFP_KERNEL);
4042 if (!expr_info)
4043 return -ENOMEM;
4044
4045 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
4046 err = -EINVAL;
4047 if (nla_type(nla: tmp) != NFTA_LIST_ELEM)
4048 goto err_release_expr;
4049 if (n == NFT_RULE_MAXEXPRS)
4050 goto err_release_expr;
4051 err = nf_tables_expr_parse(ctx: &ctx, nla: tmp, info: &expr_info[n]);
4052 if (err < 0) {
4053 NL_SET_BAD_ATTR(extack, tmp);
4054 goto err_release_expr;
4055 }
4056 size += expr_info[n].ops->size;
4057 n++;
4058 }
4059 }
4060 /* Check for overflow of dlen field */
4061 err = -EFBIG;
4062 if (size >= 1 << 12)
4063 goto err_release_expr;
4064
4065 if (nla[NFTA_RULE_USERDATA]) {
4066 ulen = nla_len(nla: nla[NFTA_RULE_USERDATA]);
4067 if (ulen > 0)
4068 usize = sizeof(struct nft_userdata) + ulen;
4069 }
4070
4071 err = -ENOMEM;
4072 rule = kzalloc(size: sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
4073 if (rule == NULL)
4074 goto err_release_expr;
4075
4076 nft_activate_next(net, rule);
4077
4078 rule->handle = handle;
4079 rule->dlen = size;
4080 rule->udata = ulen ? 1 : 0;
4081
4082 if (ulen) {
4083 udata = nft_userdata(rule);
4084 udata->len = ulen - 1;
4085 nla_memcpy(dest: udata->data, src: nla[NFTA_RULE_USERDATA], count: ulen);
4086 }
4087
4088 expr = nft_expr_first(rule);
4089 for (i = 0; i < n; i++) {
4090 err = nf_tables_newexpr(ctx: &ctx, expr_info: &expr_info[i], expr);
4091 if (err < 0) {
4092 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4093 goto err_release_rule;
4094 }
4095
4096 if (expr_info[i].ops->validate)
4097 nft_validate_state_update(table, new_validate_state: NFT_VALIDATE_NEED);
4098
4099 expr_info[i].ops = NULL;
4100 expr = nft_expr_next(expr);
4101 }
4102
4103 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4104 flow = nft_flow_rule_create(net, rule);
4105 if (IS_ERR(ptr: flow)) {
4106 err = PTR_ERR(ptr: flow);
4107 goto err_release_rule;
4108 }
4109 }
4110
4111 if (!nft_use_inc(use: &chain->use)) {
4112 err = -EMFILE;
4113 goto err_release_rule;
4114 }
4115
4116 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4117 if (nft_chain_binding(chain)) {
4118 err = -EOPNOTSUPP;
4119 goto err_destroy_flow_rule;
4120 }
4121
4122 err = nft_delrule(ctx: &ctx, rule: old_rule);
4123 if (err < 0)
4124 goto err_destroy_flow_rule;
4125
4126 trans = nft_trans_rule_add(ctx: &ctx, msg_type: NFT_MSG_NEWRULE, rule);
4127 if (trans == NULL) {
4128 err = -ENOMEM;
4129 goto err_destroy_flow_rule;
4130 }
4131 list_add_tail_rcu(new: &rule->list, head: &old_rule->list);
4132 } else {
4133 trans = nft_trans_rule_add(ctx: &ctx, msg_type: NFT_MSG_NEWRULE, rule);
4134 if (!trans) {
4135 err = -ENOMEM;
4136 goto err_destroy_flow_rule;
4137 }
4138
4139 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4140 if (old_rule)
4141 list_add_rcu(new: &rule->list, head: &old_rule->list);
4142 else
4143 list_add_tail_rcu(new: &rule->list, head: &chain->rules);
4144 } else {
4145 if (old_rule)
4146 list_add_tail_rcu(new: &rule->list, head: &old_rule->list);
4147 else
4148 list_add_rcu(new: &rule->list, head: &chain->rules);
4149 }
4150 }
4151 kvfree(addr: expr_info);
4152
4153 if (flow)
4154 nft_trans_flow_rule(trans) = flow;
4155
4156 if (table->validate_state == NFT_VALIDATE_DO)
4157 return nft_table_validate(net, table);
4158
4159 return 0;
4160
4161err_destroy_flow_rule:
4162 nft_use_dec_restore(use: &chain->use);
4163 if (flow)
4164 nft_flow_rule_destroy(flow);
4165err_release_rule:
4166 nft_rule_expr_deactivate(ctx: &ctx, rule, phase: NFT_TRANS_PREPARE_ERROR);
4167 nf_tables_rule_destroy(ctx: &ctx, rule);
4168err_release_expr:
4169 for (i = 0; i < n; i++) {
4170 if (expr_info[i].ops) {
4171 module_put(module: expr_info[i].ops->type->owner);
4172 if (expr_info[i].ops->type->release_ops)
4173 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4174 }
4175 }
4176 kvfree(addr: expr_info);
4177
4178 return err;
4179}
4180
4181static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4182 const struct nft_chain *chain,
4183 const struct nlattr *nla)
4184{
4185 struct nftables_pernet *nft_net = nft_pernet(net);
4186 u32 id = ntohl(nla_get_be32(nla));
4187 struct nft_trans *trans;
4188
4189 list_for_each_entry(trans, &nft_net->commit_list, list) {
4190 if (trans->msg_type == NFT_MSG_NEWRULE &&
4191 trans->ctx.chain == chain &&
4192 id == nft_trans_rule_id(trans))
4193 return nft_trans_rule(trans);
4194 }
4195 return ERR_PTR(error: -ENOENT);
4196}
4197
4198static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4199 const struct nlattr * const nla[])
4200{
4201 struct netlink_ext_ack *extack = info->extack;
4202 u8 genmask = nft_genmask_next(net: info->net);
4203 u8 family = info->nfmsg->nfgen_family;
4204 struct nft_chain *chain = NULL;
4205 struct net *net = info->net;
4206 struct nft_table *table;
4207 struct nft_rule *rule;
4208 struct nft_ctx ctx;
4209 int err = 0;
4210
4211 table = nft_table_lookup(net, nla: nla[NFTA_RULE_TABLE], family, genmask,
4212 NETLINK_CB(skb).portid);
4213 if (IS_ERR(ptr: table)) {
4214 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4215 return PTR_ERR(ptr: table);
4216 }
4217
4218 if (nla[NFTA_RULE_CHAIN]) {
4219 chain = nft_chain_lookup(net, table, nla: nla[NFTA_RULE_CHAIN],
4220 genmask);
4221 if (IS_ERR(ptr: chain)) {
4222 if (PTR_ERR(ptr: chain) == -ENOENT &&
4223 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4224 return 0;
4225
4226 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4227 return PTR_ERR(ptr: chain);
4228 }
4229 if (nft_chain_binding(chain))
4230 return -EOPNOTSUPP;
4231 }
4232
4233 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, chain, nla);
4234
4235 if (chain) {
4236 if (nla[NFTA_RULE_HANDLE]) {
4237 rule = nft_rule_lookup(chain, nla: nla[NFTA_RULE_HANDLE]);
4238 if (IS_ERR(ptr: rule)) {
4239 if (PTR_ERR(ptr: rule) == -ENOENT &&
4240 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4241 return 0;
4242
4243 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4244 return PTR_ERR(ptr: rule);
4245 }
4246
4247 err = nft_delrule(ctx: &ctx, rule);
4248 } else if (nla[NFTA_RULE_ID]) {
4249 rule = nft_rule_lookup_byid(net, chain, nla: nla[NFTA_RULE_ID]);
4250 if (IS_ERR(ptr: rule)) {
4251 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4252 return PTR_ERR(ptr: rule);
4253 }
4254
4255 err = nft_delrule(ctx: &ctx, rule);
4256 } else {
4257 err = nft_delrule_by_chain(ctx: &ctx);
4258 }
4259 } else {
4260 list_for_each_entry(chain, &table->chains, list) {
4261 if (!nft_is_active_next(net, chain))
4262 continue;
4263 if (nft_chain_binding(chain))
4264 continue;
4265
4266 ctx.chain = chain;
4267 err = nft_delrule_by_chain(ctx: &ctx);
4268 if (err < 0)
4269 break;
4270 }
4271 }
4272
4273 return err;
4274}
4275
4276/*
4277 * Sets
4278 */
4279static const struct nft_set_type *nft_set_types[] = {
4280 &nft_set_hash_fast_type,
4281 &nft_set_hash_type,
4282 &nft_set_rhash_type,
4283 &nft_set_bitmap_type,
4284 &nft_set_rbtree_type,
4285#if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4286 &nft_set_pipapo_avx2_type,
4287#endif
4288 &nft_set_pipapo_type,
4289};
4290
4291#define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4292 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4293 NFT_SET_EVAL)
4294
4295static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4296{
4297 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4298}
4299
4300/*
4301 * Select a set implementation based on the data characteristics and the
4302 * given policy. The total memory use might not be known if no size is
4303 * given, in that case the amount of memory per element is used.
4304 */
4305static const struct nft_set_ops *
4306nft_select_set_ops(const struct nft_ctx *ctx, u32 flags,
4307 const struct nft_set_desc *desc)
4308{
4309 struct nftables_pernet *nft_net = nft_pernet(net: ctx->net);
4310 const struct nft_set_ops *ops, *bops;
4311 struct nft_set_estimate est, best;
4312 const struct nft_set_type *type;
4313 int i;
4314
4315 lockdep_assert_held(&nft_net->commit_mutex);
4316 lockdep_nfnl_nft_mutex_not_held();
4317
4318 bops = NULL;
4319 best.size = ~0;
4320 best.lookup = ~0;
4321 best.space = ~0;
4322
4323 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4324 type = nft_set_types[i];
4325 ops = &type->ops;
4326
4327 if (!nft_set_ops_candidate(type, flags))
4328 continue;
4329 if (!ops->estimate(desc, flags, &est))
4330 continue;
4331
4332 switch (desc->policy) {
4333 case NFT_SET_POL_PERFORMANCE:
4334 if (est.lookup < best.lookup)
4335 break;
4336 if (est.lookup == best.lookup &&
4337 est.space < best.space)
4338 break;
4339 continue;
4340 case NFT_SET_POL_MEMORY:
4341 if (!desc->size) {
4342 if (est.space < best.space)
4343 break;
4344 if (est.space == best.space &&
4345 est.lookup < best.lookup)
4346 break;
4347 } else if (est.size < best.size || !bops) {
4348 break;
4349 }
4350 continue;
4351 default:
4352 break;
4353 }
4354
4355 bops = ops;
4356 best = est;
4357 }
4358
4359 if (bops != NULL)
4360 return bops;
4361
4362 return ERR_PTR(error: -EOPNOTSUPP);
4363}
4364
4365static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4366 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4367 .len = NFT_TABLE_MAXNAMELEN - 1 },
4368 [NFTA_SET_NAME] = { .type = NLA_STRING,
4369 .len = NFT_SET_MAXNAMELEN - 1 },
4370 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4371 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4372 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4373 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4374 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4375 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4376 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4377 [NFTA_SET_ID] = { .type = NLA_U32 },
4378 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4379 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4380 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4381 .len = NFT_USERDATA_MAXLEN },
4382 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4383 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4384 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4385 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
4386};
4387
4388static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4389 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4390};
4391
4392static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4393 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4394 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
4395};
4396
4397static struct nft_set *nft_set_lookup(const struct nft_table *table,
4398 const struct nlattr *nla, u8 genmask)
4399{
4400 struct nft_set *set;
4401
4402 if (nla == NULL)
4403 return ERR_PTR(error: -EINVAL);
4404
4405 list_for_each_entry_rcu(set, &table->sets, list) {
4406 if (!nla_strcmp(nla, str: set->name) &&
4407 nft_active_genmask(set, genmask))
4408 return set;
4409 }
4410 return ERR_PTR(error: -ENOENT);
4411}
4412
4413static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4414 const struct nlattr *nla,
4415 u8 genmask)
4416{
4417 struct nft_set *set;
4418
4419 list_for_each_entry(set, &table->sets, list) {
4420 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4421 nft_active_genmask(set, genmask))
4422 return set;
4423 }
4424 return ERR_PTR(error: -ENOENT);
4425}
4426
4427static struct nft_set *nft_set_lookup_byid(const struct net *net,
4428 const struct nft_table *table,
4429 const struct nlattr *nla, u8 genmask)
4430{
4431 struct nftables_pernet *nft_net = nft_pernet(net);
4432 u32 id = ntohl(nla_get_be32(nla));
4433 struct nft_trans *trans;
4434
4435 list_for_each_entry(trans, &nft_net->commit_list, list) {
4436 if (trans->msg_type == NFT_MSG_NEWSET) {
4437 struct nft_set *set = nft_trans_set(trans);
4438
4439 if (id == nft_trans_set_id(trans) &&
4440 set->table == table &&
4441 nft_active_genmask(set, genmask))
4442 return set;
4443 }
4444 }
4445 return ERR_PTR(error: -ENOENT);
4446}
4447
4448struct nft_set *nft_set_lookup_global(const struct net *net,
4449 const struct nft_table *table,
4450 const struct nlattr *nla_set_name,
4451 const struct nlattr *nla_set_id,
4452 u8 genmask)
4453{
4454 struct nft_set *set;
4455
4456 set = nft_set_lookup(table, nla: nla_set_name, genmask);
4457 if (IS_ERR(ptr: set)) {
4458 if (!nla_set_id)
4459 return set;
4460
4461 set = nft_set_lookup_byid(net, table, nla: nla_set_id, genmask);
4462 }
4463 return set;
4464}
4465EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4466
4467static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4468 const char *name)
4469{
4470 const struct nft_set *i;
4471 const char *p;
4472 unsigned long *inuse;
4473 unsigned int n = 0, min = 0;
4474
4475 p = strchr(name, '%');
4476 if (p != NULL) {
4477 if (p[1] != 'd' || strchr(p + 2, '%'))
4478 return -EINVAL;
4479
4480 if (strnlen(p: name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)
4481 return -EINVAL;
4482
4483 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4484 if (inuse == NULL)
4485 return -ENOMEM;
4486cont:
4487 list_for_each_entry(i, &ctx->table->sets, list) {
4488 int tmp;
4489
4490 if (!nft_is_active_next(ctx->net, i))
4491 continue;
4492 if (!sscanf(i->name, name, &tmp))
4493 continue;
4494 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4495 continue;
4496
4497 set_bit(nr: tmp - min, addr: inuse);
4498 }
4499
4500 n = find_first_zero_bit(addr: inuse, BITS_PER_BYTE * PAGE_SIZE);
4501 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4502 min += BITS_PER_BYTE * PAGE_SIZE;
4503 memset(inuse, 0, PAGE_SIZE);
4504 goto cont;
4505 }
4506 free_page((unsigned long)inuse);
4507 }
4508
4509 set->name = kasprintf(GFP_KERNEL_ACCOUNT, fmt: name, min + n);
4510 if (!set->name)
4511 return -ENOMEM;
4512
4513 list_for_each_entry(i, &ctx->table->sets, list) {
4514 if (!nft_is_active_next(ctx->net, i))
4515 continue;
4516 if (!strcmp(set->name, i->name)) {
4517 kfree(objp: set->name);
4518 set->name = NULL;
4519 return -ENFILE;
4520 }
4521 }
4522 return 0;
4523}
4524
4525int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4526{
4527 u64 ms = be64_to_cpu(nla_get_be64(nla));
4528 u64 max = (u64)(~((u64)0));
4529
4530 max = div_u64(dividend: max, NSEC_PER_MSEC);
4531 if (ms >= max)
4532 return -ERANGE;
4533
4534 ms *= NSEC_PER_MSEC;
4535 *result = nsecs_to_jiffies64(n: ms);
4536 return 0;
4537}
4538
4539__be64 nf_jiffies64_to_msecs(u64 input)
4540{
4541 return cpu_to_be64(jiffies64_to_msecs(input));
4542}
4543
4544static int nf_tables_fill_set_concat(struct sk_buff *skb,
4545 const struct nft_set *set)
4546{
4547 struct nlattr *concat, *field;
4548 int i;
4549
4550 concat = nla_nest_start_noflag(skb, attrtype: NFTA_SET_DESC_CONCAT);
4551 if (!concat)
4552 return -ENOMEM;
4553
4554 for (i = 0; i < set->field_count; i++) {
4555 field = nla_nest_start_noflag(skb, attrtype: NFTA_LIST_ELEM);
4556 if (!field)
4557 return -ENOMEM;
4558
4559 if (nla_put_be32(skb, attrtype: NFTA_SET_FIELD_LEN,
4560 htonl(set->field_len[i])))
4561 return -ENOMEM;
4562
4563 nla_nest_end(skb, start: field);
4564 }
4565
4566 nla_nest_end(skb, start: concat);
4567
4568 return 0;
4569}
4570
4571static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4572 const struct nft_set *set, u16 event, u16 flags)
4573{
4574 u64 timeout = READ_ONCE(set->timeout);
4575 u32 gc_int = READ_ONCE(set->gc_int);
4576 u32 portid = ctx->portid;
4577 struct nlmsghdr *nlh;
4578 struct nlattr *nest;
4579 u32 seq = ctx->seq;
4580 int i;
4581
4582 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, msg_type: event);
4583 nlh = nfnl_msg_put(skb, portid, seq, type: event, flags, family: ctx->family,
4584 NFNETLINK_V0, res_id: nft_base_seq(net: ctx->net));
4585 if (!nlh)
4586 goto nla_put_failure;
4587
4588 if (nla_put_string(skb, attrtype: NFTA_SET_TABLE, str: ctx->table->name))
4589 goto nla_put_failure;
4590 if (nla_put_string(skb, attrtype: NFTA_SET_NAME, str: set->name))
4591 goto nla_put_failure;
4592 if (nla_put_be64(skb, attrtype: NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4593 padattr: NFTA_SET_PAD))
4594 goto nla_put_failure;
4595
4596 if (event == NFT_MSG_DELSET) {
4597 nlmsg_end(skb, nlh);
4598 return 0;
4599 }
4600
4601 if (set->flags != 0)
4602 if (nla_put_be32(skb, attrtype: NFTA_SET_FLAGS, htonl(set->flags)))
4603 goto nla_put_failure;
4604
4605 if (nla_put_be32(skb, attrtype: NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4606 goto nla_put_failure;
4607 if (nla_put_be32(skb, attrtype: NFTA_SET_KEY_LEN, htonl(set->klen)))
4608 goto nla_put_failure;
4609 if (set->flags & NFT_SET_MAP) {
4610 if (nla_put_be32(skb, attrtype: NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4611 goto nla_put_failure;
4612 if (nla_put_be32(skb, attrtype: NFTA_SET_DATA_LEN, htonl(set->dlen)))
4613 goto nla_put_failure;
4614 }
4615 if (set->flags & NFT_SET_OBJECT &&
4616 nla_put_be32(skb, attrtype: NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4617 goto nla_put_failure;
4618
4619 if (timeout &&
4620 nla_put_be64(skb, attrtype: NFTA_SET_TIMEOUT,
4621 value: nf_jiffies64_to_msecs(input: timeout),
4622 padattr: NFTA_SET_PAD))
4623 goto nla_put_failure;
4624 if (gc_int &&
4625 nla_put_be32(skb, attrtype: NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4626 goto nla_put_failure;
4627
4628 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4629 if (nla_put_be32(skb, attrtype: NFTA_SET_POLICY, htonl(set->policy)))
4630 goto nla_put_failure;
4631 }
4632
4633 if (set->udata &&
4634 nla_put(skb, attrtype: NFTA_SET_USERDATA, attrlen: set->udlen, data: set->udata))
4635 goto nla_put_failure;
4636
4637 nest = nla_nest_start_noflag(skb, attrtype: NFTA_SET_DESC);
4638 if (!nest)
4639 goto nla_put_failure;
4640 if (set->size &&
4641 nla_put_be32(skb, attrtype: NFTA_SET_DESC_SIZE, htonl(set->size)))
4642 goto nla_put_failure;
4643
4644 if (set->field_count > 1 &&
4645 nf_tables_fill_set_concat(skb, set))
4646 goto nla_put_failure;
4647
4648 nla_nest_end(skb, start: nest);
4649
4650 if (set->num_exprs == 1) {
4651 nest = nla_nest_start_noflag(skb, attrtype: NFTA_SET_EXPR);
4652 if (nf_tables_fill_expr_info(skb, expr: set->exprs[0], reset: false) < 0)
4653 goto nla_put_failure;
4654
4655 nla_nest_end(skb, start: nest);
4656 } else if (set->num_exprs > 1) {
4657 nest = nla_nest_start_noflag(skb, attrtype: NFTA_SET_EXPRESSIONS);
4658 if (nest == NULL)
4659 goto nla_put_failure;
4660
4661 for (i = 0; i < set->num_exprs; i++) {
4662 if (nft_expr_dump(skb, attr: NFTA_LIST_ELEM,
4663 expr: set->exprs[i], reset: false) < 0)
4664 goto nla_put_failure;
4665 }
4666 nla_nest_end(skb, start: nest);
4667 }
4668
4669 nlmsg_end(skb, nlh);
4670 return 0;
4671
4672nla_put_failure:
4673 nlmsg_trim(skb, mark: nlh);
4674 return -1;
4675}
4676
4677static void nf_tables_set_notify(const struct nft_ctx *ctx,
4678 const struct nft_set *set, int event,
4679 gfp_t gfp_flags)
4680{
4681 struct nftables_pernet *nft_net = nft_pernet(net: ctx->net);
4682 u32 portid = ctx->portid;
4683 struct sk_buff *skb;
4684 u16 flags = 0;
4685 int err;
4686
4687 if (!ctx->report &&
4688 !nfnetlink_has_listeners(net: ctx->net, NFNLGRP_NFTABLES))
4689 return;
4690
4691 skb = nlmsg_new(NLMSG_GOODSIZE, flags: gfp_flags);
4692 if (skb == NULL)
4693 goto err;
4694
4695 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4696 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4697
4698 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4699 if (err < 0) {
4700 kfree_skb(skb);
4701 goto err;
4702 }
4703
4704 nft_notify_enqueue(skb, report: ctx->report, notify_list: &nft_net->notify_list);
4705 return;
4706err:
4707 nfnetlink_set_err(net: ctx->net, portid, NFNLGRP_NFTABLES, error: -ENOBUFS);
4708}
4709
4710static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4711{
4712 const struct nft_set *set;
4713 unsigned int idx, s_idx = cb->args[0];
4714 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4715 struct net *net = sock_net(sk: skb->sk);
4716 struct nft_ctx *ctx = cb->data, ctx_set;
4717 struct nftables_pernet *nft_net;
4718
4719 if (cb->args[1])
4720 return skb->len;
4721
4722 rcu_read_lock();
4723 nft_net = nft_pernet(net);
4724 cb->seq = READ_ONCE(nft_net->base_seq);
4725
4726 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4727 if (ctx->family != NFPROTO_UNSPEC &&
4728 ctx->family != table->family)
4729 continue;
4730
4731 if (ctx->table && ctx->table != table)
4732 continue;
4733
4734 if (cur_table) {
4735 if (cur_table != table)
4736 continue;
4737
4738 cur_table = NULL;
4739 }
4740 idx = 0;
4741 list_for_each_entry_rcu(set, &table->sets, list) {
4742 if (idx < s_idx)
4743 goto cont;
4744 if (!nft_is_active(net, set))
4745 goto cont;
4746
4747 ctx_set = *ctx;
4748 ctx_set.table = table;
4749 ctx_set.family = table->family;
4750
4751 if (nf_tables_fill_set(skb, ctx: &ctx_set, set,
4752 event: NFT_MSG_NEWSET,
4753 NLM_F_MULTI) < 0) {
4754 cb->args[0] = idx;
4755 cb->args[2] = (unsigned long) table;
4756 goto done;
4757 }
4758 nl_dump_check_consistent(cb, nlh: nlmsg_hdr(skb));
4759cont:
4760 idx++;
4761 }
4762 if (s_idx)
4763 s_idx = 0;
4764 }
4765 cb->args[1] = 1;
4766done:
4767 rcu_read_unlock();
4768 return skb->len;
4769}
4770
4771static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4772{
4773 struct nft_ctx *ctx_dump = NULL;
4774
4775 ctx_dump = kmemdup(p: cb->data, size: sizeof(*ctx_dump), GFP_ATOMIC);
4776 if (ctx_dump == NULL)
4777 return -ENOMEM;
4778
4779 cb->data = ctx_dump;
4780 return 0;
4781}
4782
4783static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4784{
4785 kfree(objp: cb->data);
4786 return 0;
4787}
4788
4789/* called with rcu_read_lock held */
4790static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4791 const struct nlattr * const nla[])
4792{
4793 struct netlink_ext_ack *extack = info->extack;
4794 u8 genmask = nft_genmask_cur(net: info->net);
4795 u8 family = info->nfmsg->nfgen_family;
4796 struct nft_table *table = NULL;
4797 struct net *net = info->net;
4798 const struct nft_set *set;
4799 struct sk_buff *skb2;
4800 struct nft_ctx ctx;
4801 int err;
4802
4803 if (nla[NFTA_SET_TABLE]) {
4804 table = nft_table_lookup(net, nla: nla[NFTA_SET_TABLE], family,
4805 genmask, nlpid: 0);
4806 if (IS_ERR(ptr: table)) {
4807 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4808 return PTR_ERR(ptr: table);
4809 }
4810 }
4811
4812 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
4813
4814 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4815 struct netlink_dump_control c = {
4816 .start = nf_tables_dump_sets_start,
4817 .dump = nf_tables_dump_sets,
4818 .done = nf_tables_dump_sets_done,
4819 .data = &ctx,
4820 .module = THIS_MODULE,
4821 };
4822
4823 return nft_netlink_dump_start_rcu(nlsk: info->sk, skb, nlh: info->nlh, c: &c);
4824 }
4825
4826 /* Only accept unspec with dump */
4827 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4828 return -EAFNOSUPPORT;
4829 if (!nla[NFTA_SET_TABLE])
4830 return -EINVAL;
4831
4832 set = nft_set_lookup(table, nla: nla[NFTA_SET_NAME], genmask);
4833 if (IS_ERR(ptr: set)) {
4834 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4835 return PTR_ERR(ptr: set);
4836 }
4837
4838 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4839 if (skb2 == NULL)
4840 return -ENOMEM;
4841
4842 err = nf_tables_fill_set(skb: skb2, ctx: &ctx, set, event: NFT_MSG_NEWSET, flags: 0);
4843 if (err < 0)
4844 goto err_fill_set_info;
4845
4846 return nfnetlink_unicast(skb: skb2, net, NETLINK_CB(skb).portid);
4847
4848err_fill_set_info:
4849 kfree_skb(skb: skb2);
4850 return err;
4851}
4852
4853static int nft_set_desc_concat_parse(const struct nlattr *attr,
4854 struct nft_set_desc *desc)
4855{
4856 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4857 u32 len;
4858 int err;
4859
4860 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4861 return -E2BIG;
4862
4863 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, nla: attr,
4864 policy: nft_concat_policy, NULL);
4865 if (err < 0)
4866 return err;
4867
4868 if (!tb[NFTA_SET_FIELD_LEN])
4869 return -EINVAL;
4870
4871 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4872 if (!len || len > U8_MAX)
4873 return -EINVAL;
4874
4875 desc->field_len[desc->field_count++] = len;
4876
4877 return 0;
4878}
4879
4880static int nft_set_desc_concat(struct nft_set_desc *desc,
4881 const struct nlattr *nla)
4882{
4883 u32 num_regs = 0, key_num_regs = 0;
4884 struct nlattr *attr;
4885 int rem, err, i;
4886
4887 nla_for_each_nested(attr, nla, rem) {
4888 if (nla_type(nla: attr) != NFTA_LIST_ELEM)
4889 return -EINVAL;
4890
4891 err = nft_set_desc_concat_parse(attr, desc);
4892 if (err < 0)
4893 return err;
4894 }
4895
4896 for (i = 0; i < desc->field_count; i++)
4897 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4898
4899 key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
4900 if (key_num_regs != num_regs)
4901 return -EINVAL;
4902
4903 if (num_regs > NFT_REG32_COUNT)
4904 return -E2BIG;
4905
4906 return 0;
4907}
4908
4909static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4910 const struct nlattr *nla)
4911{
4912 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4913 int err;
4914
4915 err = nla_parse_nested_deprecated(tb: da, NFTA_SET_DESC_MAX, nla,
4916 policy: nft_set_desc_policy, NULL);
4917 if (err < 0)
4918 return err;
4919
4920 if (da[NFTA_SET_DESC_SIZE] != NULL)
4921 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4922 if (da[NFTA_SET_DESC_CONCAT])
4923 err = nft_set_desc_concat(desc, nla: da[NFTA_SET_DESC_CONCAT]);
4924
4925 return err;
4926}
4927
4928static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4929 const struct nlattr * const *nla,
4930 struct nft_expr **exprs, int *num_exprs,
4931 u32 flags)
4932{
4933 struct nft_expr *expr;
4934 int err, i;
4935
4936 if (nla[NFTA_SET_EXPR]) {
4937 expr = nft_set_elem_expr_alloc(ctx, set, attr: nla[NFTA_SET_EXPR]);
4938 if (IS_ERR(ptr: expr)) {
4939 err = PTR_ERR(ptr: expr);
4940 goto err_set_expr_alloc;
4941 }
4942 exprs[0] = expr;
4943 (*num_exprs)++;
4944 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4945 struct nlattr *tmp;
4946 int left;
4947
4948 if (!(flags & NFT_SET_EXPR)) {
4949 err = -EINVAL;
4950 goto err_set_expr_alloc;
4951 }
4952 i = 0;
4953 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4954 if (i == NFT_SET_EXPR_MAX) {
4955 err = -E2BIG;
4956 goto err_set_expr_alloc;
4957 }
4958 if (nla_type(nla: tmp) != NFTA_LIST_ELEM) {
4959 err = -EINVAL;
4960 goto err_set_expr_alloc;
4961 }
4962 expr = nft_set_elem_expr_alloc(ctx, set, attr: tmp);
4963 if (IS_ERR(ptr: expr)) {
4964 err = PTR_ERR(ptr: expr);
4965 goto err_set_expr_alloc;
4966 }
4967 exprs[i++] = expr;
4968 (*num_exprs)++;
4969 }
4970 }
4971
4972 return 0;
4973
4974err_set_expr_alloc:
4975 for (i = 0; i < *num_exprs; i++)
4976 nft_expr_destroy(ctx, expr: exprs[i]);
4977
4978 return err;
4979}
4980
4981static bool nft_set_is_same(const struct nft_set *set,
4982 const struct nft_set_desc *desc,
4983 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
4984{
4985 int i;
4986
4987 if (set->ktype != desc->ktype ||
4988 set->dtype != desc->dtype ||
4989 set->flags != flags ||
4990 set->klen != desc->klen ||
4991 set->dlen != desc->dlen ||
4992 set->field_count != desc->field_count ||
4993 set->num_exprs != num_exprs)
4994 return false;
4995
4996 for (i = 0; i < desc->field_count; i++) {
4997 if (set->field_len[i] != desc->field_len[i])
4998 return false;
4999 }
5000
5001 for (i = 0; i < num_exprs; i++) {
5002 if (set->exprs[i]->ops != exprs[i]->ops)
5003 return false;
5004 }
5005
5006 return true;
5007}
5008
5009static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
5010 const struct nlattr * const nla[])
5011{
5012 struct netlink_ext_ack *extack = info->extack;
5013 u8 genmask = nft_genmask_next(net: info->net);
5014 u8 family = info->nfmsg->nfgen_family;
5015 const struct nft_set_ops *ops;
5016 struct net *net = info->net;
5017 struct nft_set_desc desc;
5018 struct nft_table *table;
5019 unsigned char *udata;
5020 struct nft_set *set;
5021 struct nft_ctx ctx;
5022 size_t alloc_size;
5023 int num_exprs = 0;
5024 char *name;
5025 int err, i;
5026 u16 udlen;
5027 u32 flags;
5028 u64 size;
5029
5030 if (nla[NFTA_SET_TABLE] == NULL ||
5031 nla[NFTA_SET_NAME] == NULL ||
5032 nla[NFTA_SET_KEY_LEN] == NULL ||
5033 nla[NFTA_SET_ID] == NULL)
5034 return -EINVAL;
5035
5036 memset(&desc, 0, sizeof(desc));
5037
5038 desc.ktype = NFT_DATA_VALUE;
5039 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
5040 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
5041 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
5042 return -EINVAL;
5043 }
5044
5045 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
5046 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
5047 return -EINVAL;
5048
5049 flags = 0;
5050 if (nla[NFTA_SET_FLAGS] != NULL) {
5051 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
5052 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
5053 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
5054 NFT_SET_MAP | NFT_SET_EVAL |
5055 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
5056 return -EOPNOTSUPP;
5057 /* Only one of these operations is supported */
5058 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
5059 (NFT_SET_MAP | NFT_SET_OBJECT))
5060 return -EOPNOTSUPP;
5061 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
5062 (NFT_SET_EVAL | NFT_SET_OBJECT))
5063 return -EOPNOTSUPP;
5064 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
5065 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
5066 return -EOPNOTSUPP;
5067 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
5068 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
5069 return -EOPNOTSUPP;
5070 }
5071
5072 desc.dtype = 0;
5073 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
5074 if (!(flags & NFT_SET_MAP))
5075 return -EINVAL;
5076
5077 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
5078 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
5079 desc.dtype != NFT_DATA_VERDICT)
5080 return -EINVAL;
5081
5082 if (desc.dtype != NFT_DATA_VERDICT) {
5083 if (nla[NFTA_SET_DATA_LEN] == NULL)
5084 return -EINVAL;
5085 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
5086 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
5087 return -EINVAL;
5088 } else
5089 desc.dlen = sizeof(struct nft_verdict);
5090 } else if (flags & NFT_SET_MAP)
5091 return -EINVAL;
5092
5093 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5094 if (!(flags & NFT_SET_OBJECT))
5095 return -EINVAL;
5096
5097 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5098 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5099 desc.objtype > NFT_OBJECT_MAX)
5100 return -EOPNOTSUPP;
5101 } else if (flags & NFT_SET_OBJECT)
5102 return -EINVAL;
5103 else
5104 desc.objtype = NFT_OBJECT_UNSPEC;
5105
5106 desc.timeout = 0;
5107 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5108 if (!(flags & NFT_SET_TIMEOUT))
5109 return -EINVAL;
5110
5111 if (flags & NFT_SET_ANONYMOUS)
5112 return -EOPNOTSUPP;
5113
5114 err = nf_msecs_to_jiffies64(nla: nla[NFTA_SET_TIMEOUT], result: &desc.timeout);
5115 if (err)
5116 return err;
5117 }
5118 desc.gc_int = 0;
5119 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5120 if (!(flags & NFT_SET_TIMEOUT))
5121 return -EINVAL;
5122
5123 if (flags & NFT_SET_ANONYMOUS)
5124 return -EOPNOTSUPP;
5125
5126 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5127 }
5128
5129 desc.policy = NFT_SET_POL_PERFORMANCE;
5130 if (nla[NFTA_SET_POLICY] != NULL) {
5131 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5132 switch (desc.policy) {
5133 case NFT_SET_POL_PERFORMANCE:
5134 case NFT_SET_POL_MEMORY:
5135 break;
5136 default:
5137 return -EOPNOTSUPP;
5138 }
5139 }
5140
5141 if (nla[NFTA_SET_DESC] != NULL) {
5142 err = nf_tables_set_desc_parse(desc: &desc, nla: nla[NFTA_SET_DESC]);
5143 if (err < 0)
5144 return err;
5145
5146 if (desc.field_count > 1) {
5147 if (!(flags & NFT_SET_CONCAT))
5148 return -EINVAL;
5149 } else if (flags & NFT_SET_CONCAT) {
5150 return -EINVAL;
5151 }
5152 } else if (flags & NFT_SET_CONCAT) {
5153 return -EINVAL;
5154 }
5155
5156 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5157 desc.expr = true;
5158
5159 table = nft_table_lookup(net, nla: nla[NFTA_SET_TABLE], family, genmask,
5160 NETLINK_CB(skb).portid);
5161 if (IS_ERR(ptr: table)) {
5162 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5163 return PTR_ERR(ptr: table);
5164 }
5165
5166 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
5167
5168 set = nft_set_lookup(table, nla: nla[NFTA_SET_NAME], genmask);
5169 if (IS_ERR(ptr: set)) {
5170 if (PTR_ERR(ptr: set) != -ENOENT) {
5171 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5172 return PTR_ERR(ptr: set);
5173 }
5174 } else {
5175 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5176
5177 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5178 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5179 return -EEXIST;
5180 }
5181 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5182 return -EOPNOTSUPP;
5183
5184 if (nft_set_is_anonymous(set))
5185 return -EOPNOTSUPP;
5186
5187 err = nft_set_expr_alloc(ctx: &ctx, set, nla, exprs, num_exprs: &num_exprs, flags);
5188 if (err < 0)
5189 return err;
5190
5191 err = 0;
5192 if (!nft_set_is_same(set, desc: &desc, exprs, num_exprs, flags)) {
5193 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5194 err = -EEXIST;
5195 }
5196
5197 for (i = 0; i < num_exprs; i++)
5198 nft_expr_destroy(ctx: &ctx, expr: exprs[i]);
5199
5200 if (err < 0)
5201 return err;
5202
5203 return __nft_trans_set_add(ctx: &ctx, msg_type: NFT_MSG_NEWSET, set, desc: &desc);
5204 }
5205
5206 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5207 return -ENOENT;
5208
5209 ops = nft_select_set_ops(ctx: &ctx, flags, desc: &desc);
5210 if (IS_ERR(ptr: ops))
5211 return PTR_ERR(ptr: ops);
5212
5213 udlen = 0;
5214 if (nla[NFTA_SET_USERDATA])
5215 udlen = nla_len(nla: nla[NFTA_SET_USERDATA]);
5216
5217 size = 0;
5218 if (ops->privsize != NULL)
5219 size = ops->privsize(nla, &desc);
5220 alloc_size = sizeof(*set) + size + udlen;
5221 if (alloc_size < size || alloc_size > INT_MAX)
5222 return -ENOMEM;
5223
5224 if (!nft_use_inc(use: &table->use))
5225 return -EMFILE;
5226
5227 set = kvzalloc(size: alloc_size, GFP_KERNEL_ACCOUNT);
5228 if (!set) {
5229 err = -ENOMEM;
5230 goto err_alloc;
5231 }
5232
5233 name = nla_strdup(nla: nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5234 if (!name) {
5235 err = -ENOMEM;
5236 goto err_set_name;
5237 }
5238
5239 err = nf_tables_set_alloc_name(ctx: &ctx, set, name);
5240 kfree(objp: name);
5241 if (err < 0)
5242 goto err_set_name;
5243
5244 udata = NULL;
5245 if (udlen) {
5246 udata = set->data + size;
5247 nla_memcpy(dest: udata, src: nla[NFTA_SET_USERDATA], count: udlen);
5248 }
5249
5250 INIT_LIST_HEAD(list: &set->bindings);
5251 INIT_LIST_HEAD(list: &set->catchall_list);
5252 refcount_set(r: &set->refs, n: 1);
5253 set->table = table;
5254 write_pnet(pnet: &set->net, net);
5255 set->ops = ops;
5256 set->ktype = desc.ktype;
5257 set->klen = desc.klen;
5258 set->dtype = desc.dtype;
5259 set->objtype = desc.objtype;
5260 set->dlen = desc.dlen;
5261 set->flags = flags;
5262 set->size = desc.size;
5263 set->policy = desc.policy;
5264 set->udlen = udlen;
5265 set->udata = udata;
5266 set->timeout = desc.timeout;
5267 set->gc_int = desc.gc_int;
5268
5269 set->field_count = desc.field_count;
5270 for (i = 0; i < desc.field_count; i++)
5271 set->field_len[i] = desc.field_len[i];
5272
5273 err = ops->init(set, &desc, nla);
5274 if (err < 0)
5275 goto err_set_init;
5276
5277 err = nft_set_expr_alloc(ctx: &ctx, set, nla, exprs: set->exprs, num_exprs: &num_exprs, flags);
5278 if (err < 0)
5279 goto err_set_destroy;
5280
5281 set->num_exprs = num_exprs;
5282 set->handle = nf_tables_alloc_handle(table);
5283 INIT_LIST_HEAD(list: &set->pending_update);
5284
5285 err = nft_trans_set_add(ctx: &ctx, msg_type: NFT_MSG_NEWSET, set);
5286 if (err < 0)
5287 goto err_set_expr_alloc;
5288
5289 list_add_tail_rcu(new: &set->list, head: &table->sets);
5290
5291 return 0;
5292
5293err_set_expr_alloc:
5294 for (i = 0; i < set->num_exprs; i++)
5295 nft_expr_destroy(ctx: &ctx, expr: set->exprs[i]);
5296err_set_destroy:
5297 ops->destroy(&ctx, set);
5298err_set_init:
5299 kfree(objp: set->name);
5300err_set_name:
5301 kvfree(addr: set);
5302err_alloc:
5303 nft_use_dec_restore(use: &table->use);
5304
5305 return err;
5306}
5307
5308static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5309 struct nft_set *set)
5310{
5311 struct nft_set_elem_catchall *next, *catchall;
5312
5313 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5314 list_del_rcu(entry: &catchall->list);
5315 nf_tables_set_elem_destroy(ctx, set, elem_priv: catchall->elem);
5316 kfree_rcu(catchall, rcu);
5317 }
5318}
5319
5320static void nft_set_put(struct nft_set *set)
5321{
5322 if (refcount_dec_and_test(r: &set->refs)) {
5323 kfree(objp: set->name);
5324 kvfree(addr: set);
5325 }
5326}
5327
5328static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5329{
5330 int i;
5331
5332 if (WARN_ON(set->use > 0))
5333 return;
5334
5335 for (i = 0; i < set->num_exprs; i++)
5336 nft_expr_destroy(ctx, expr: set->exprs[i]);
5337
5338 set->ops->destroy(ctx, set);
5339 nft_set_catchall_destroy(ctx, set);
5340 nft_set_put(set);
5341}
5342
5343static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5344 const struct nlattr * const nla[])
5345{
5346 struct netlink_ext_ack *extack = info->extack;
5347 u8 genmask = nft_genmask_next(net: info->net);
5348 u8 family = info->nfmsg->nfgen_family;
5349 struct net *net = info->net;
5350 const struct nlattr *attr;
5351 struct nft_table *table;
5352 struct nft_set *set;
5353 struct nft_ctx ctx;
5354
5355 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5356 return -EAFNOSUPPORT;
5357
5358 table = nft_table_lookup(net, nla: nla[NFTA_SET_TABLE], family,
5359 genmask, NETLINK_CB(skb).portid);
5360 if (IS_ERR(ptr: table)) {
5361 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5362 return PTR_ERR(ptr: table);
5363 }
5364
5365 if (nla[NFTA_SET_HANDLE]) {
5366 attr = nla[NFTA_SET_HANDLE];
5367 set = nft_set_lookup_byhandle(table, nla: attr, genmask);
5368 } else {
5369 attr = nla[NFTA_SET_NAME];
5370 set = nft_set_lookup(table, nla: attr, genmask);
5371 }
5372
5373 if (IS_ERR(ptr: set)) {
5374 if (PTR_ERR(ptr: set) == -ENOENT &&
5375 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5376 return 0;
5377
5378 NL_SET_BAD_ATTR(extack, attr);
5379 return PTR_ERR(ptr: set);
5380 }
5381 if (set->use ||
5382 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5383 atomic_read(v: &set->nelems) > 0)) {
5384 NL_SET_BAD_ATTR(extack, attr);
5385 return -EBUSY;
5386 }
5387
5388 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
5389
5390 return nft_delset(ctx: &ctx, set);
5391}
5392
5393static int nft_validate_register_store(const struct nft_ctx *ctx,
5394 enum nft_registers reg,
5395 const struct nft_data *data,
5396 enum nft_data_types type,
5397 unsigned int len);
5398
5399static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5400 struct nft_set *set,
5401 struct nft_elem_priv *elem_priv)
5402{
5403 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5404 enum nft_registers dreg;
5405
5406 dreg = nft_type_to_reg(type: set->dtype);
5407 return nft_validate_register_store(ctx, reg: dreg, data: nft_set_ext_data(ext),
5408 type: set->dtype == NFT_DATA_VERDICT ?
5409 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5410 len: set->dlen);
5411}
5412
5413static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5414 struct nft_set *set,
5415 const struct nft_set_iter *iter,
5416 struct nft_elem_priv *elem_priv)
5417{
5418 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5419
5420 if (!nft_set_elem_active(ext, genmask: iter->genmask))
5421 return 0;
5422
5423 return nft_setelem_data_validate(ctx, set, elem_priv);
5424}
5425
5426static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5427 struct nft_set *set)
5428{
5429 u8 genmask = nft_genmask_next(net: ctx->net);
5430 struct nft_set_elem_catchall *catchall;
5431 struct nft_set_ext *ext;
5432 int ret = 0;
5433
5434 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5435 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
5436 if (!nft_set_elem_active(ext, genmask))
5437 continue;
5438
5439 ret = nft_setelem_data_validate(ctx, set, elem_priv: catchall->elem);
5440 if (ret < 0)
5441 break;
5442 }
5443
5444 return ret;
5445}
5446
5447int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5448 struct nft_set_binding *binding)
5449{
5450 struct nft_set_binding *i;
5451 struct nft_set_iter iter;
5452
5453 if (!list_empty(head: &set->bindings) && nft_set_is_anonymous(set))
5454 return -EBUSY;
5455
5456 if (binding->flags & NFT_SET_MAP) {
5457 /* If the set is already bound to the same chain all
5458 * jumps are already validated for that chain.
5459 */
5460 list_for_each_entry(i, &set->bindings, list) {
5461 if (i->flags & NFT_SET_MAP &&
5462 i->chain == binding->chain)
5463 goto bind;
5464 }
5465
5466 iter.genmask = nft_genmask_next(net: ctx->net);
5467 iter.type = NFT_ITER_UPDATE;
5468 iter.skip = 0;
5469 iter.count = 0;
5470 iter.err = 0;
5471 iter.fn = nf_tables_bind_check_setelem;
5472
5473 set->ops->walk(ctx, set, &iter);
5474 if (!iter.err)
5475 iter.err = nft_set_catchall_bind_check(ctx, set);
5476
5477 if (iter.err < 0)
5478 return iter.err;
5479 }
5480bind:
5481 if (!nft_use_inc(use: &set->use))
5482 return -EMFILE;
5483
5484 binding->chain = ctx->chain;
5485 list_add_tail_rcu(new: &binding->list, head: &set->bindings);
5486 nft_set_trans_bind(ctx, set);
5487
5488 return 0;
5489}
5490EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5491
5492static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5493 struct nft_set_binding *binding, bool event)
5494{
5495 list_del_rcu(entry: &binding->list);
5496
5497 if (list_empty(head: &set->bindings) && nft_set_is_anonymous(set)) {
5498 list_del_rcu(entry: &set->list);
5499 set->dead = 1;
5500 if (event)
5501 nf_tables_set_notify(ctx, set, event: NFT_MSG_DELSET,
5502 GFP_KERNEL);
5503 }
5504}
5505
5506static void nft_setelem_data_activate(const struct net *net,
5507 const struct nft_set *set,
5508 struct nft_elem_priv *elem_priv);
5509
5510static int nft_mapelem_activate(const struct nft_ctx *ctx,
5511 struct nft_set *set,
5512 const struct nft_set_iter *iter,
5513 struct nft_elem_priv *elem_priv)
5514{
5515 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5516
5517 /* called from abort path, reverse check to undo changes. */
5518 if (nft_set_elem_active(ext, genmask: iter->genmask))
5519 return 0;
5520
5521 nft_clear(ctx->net, ext);
5522 nft_setelem_data_activate(net: ctx->net, set, elem_priv);
5523
5524 return 0;
5525}
5526
5527static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5528 struct nft_set *set)
5529{
5530 u8 genmask = nft_genmask_next(net: ctx->net);
5531 struct nft_set_elem_catchall *catchall;
5532 struct nft_set_ext *ext;
5533
5534 list_for_each_entry(catchall, &set->catchall_list, list) {
5535 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
5536 if (!nft_set_elem_active(ext, genmask))
5537 continue;
5538
5539 nft_clear(ctx->net, ext);
5540 nft_setelem_data_activate(net: ctx->net, set, elem_priv: catchall->elem);
5541 break;
5542 }
5543}
5544
5545static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5546{
5547 struct nft_set_iter iter = {
5548 .genmask = nft_genmask_next(net: ctx->net),
5549 .type = NFT_ITER_UPDATE,
5550 .fn = nft_mapelem_activate,
5551 };
5552
5553 set->ops->walk(ctx, set, &iter);
5554 WARN_ON_ONCE(iter.err);
5555
5556 nft_map_catchall_activate(ctx, set);
5557}
5558
5559void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5560{
5561 if (nft_set_is_anonymous(set)) {
5562 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5563 nft_map_activate(ctx, set);
5564
5565 nft_clear(ctx->net, set);
5566 }
5567
5568 nft_use_inc_restore(use: &set->use);
5569}
5570EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5571
5572void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5573 struct nft_set_binding *binding,
5574 enum nft_trans_phase phase)
5575{
5576 switch (phase) {
5577 case NFT_TRANS_PREPARE_ERROR:
5578 nft_set_trans_unbind(ctx, set);
5579 if (nft_set_is_anonymous(set))
5580 nft_deactivate_next(ctx->net, set);
5581 else
5582 list_del_rcu(entry: &binding->list);
5583
5584 nft_use_dec(use: &set->use);
5585 break;
5586 case NFT_TRANS_PREPARE:
5587 if (nft_set_is_anonymous(set)) {
5588 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5589 nft_map_deactivate(ctx, set);
5590
5591 nft_deactivate_next(ctx->net, set);
5592 }
5593 nft_use_dec(use: &set->use);
5594 return;
5595 case NFT_TRANS_ABORT:
5596 case NFT_TRANS_RELEASE:
5597 if (nft_set_is_anonymous(set) &&
5598 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5599 nft_map_deactivate(ctx, set);
5600
5601 nft_use_dec(use: &set->use);
5602 fallthrough;
5603 default:
5604 nf_tables_unbind_set(ctx, set, binding,
5605 event: phase == NFT_TRANS_COMMIT);
5606 }
5607}
5608EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5609
5610void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5611{
5612 if (list_empty(head: &set->bindings) && nft_set_is_anonymous(set))
5613 nft_set_destroy(ctx, set);
5614}
5615EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5616
5617const struct nft_set_ext_type nft_set_ext_types[] = {
5618 [NFT_SET_EXT_KEY] = {
5619 .align = __alignof__(u32),
5620 },
5621 [NFT_SET_EXT_DATA] = {
5622 .align = __alignof__(u32),
5623 },
5624 [NFT_SET_EXT_EXPRESSIONS] = {
5625 .align = __alignof__(struct nft_set_elem_expr),
5626 },
5627 [NFT_SET_EXT_OBJREF] = {
5628 .len = sizeof(struct nft_object *),
5629 .align = __alignof__(struct nft_object *),
5630 },
5631 [NFT_SET_EXT_FLAGS] = {
5632 .len = sizeof(u8),
5633 .align = __alignof__(u8),
5634 },
5635 [NFT_SET_EXT_TIMEOUT] = {
5636 .len = sizeof(u64),
5637 .align = __alignof__(u64),
5638 },
5639 [NFT_SET_EXT_EXPIRATION] = {
5640 .len = sizeof(u64),
5641 .align = __alignof__(u64),
5642 },
5643 [NFT_SET_EXT_USERDATA] = {
5644 .len = sizeof(struct nft_userdata),
5645 .align = __alignof__(struct nft_userdata),
5646 },
5647 [NFT_SET_EXT_KEY_END] = {
5648 .align = __alignof__(u32),
5649 },
5650};
5651
5652/*
5653 * Set elements
5654 */
5655
5656static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5657 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5658 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5659 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5660 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5661 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5662 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5663 .len = NFT_USERDATA_MAXLEN },
5664 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5665 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5666 .len = NFT_OBJ_MAXNAMELEN - 1 },
5667 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5668 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
5669};
5670
5671static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5672 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5673 .len = NFT_TABLE_MAXNAMELEN - 1 },
5674 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5675 .len = NFT_SET_MAXNAMELEN - 1 },
5676 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy),
5677 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5678};
5679
5680static int nft_set_elem_expr_dump(struct sk_buff *skb,
5681 const struct nft_set *set,
5682 const struct nft_set_ext *ext,
5683 bool reset)
5684{
5685 struct nft_set_elem_expr *elem_expr;
5686 u32 size, num_exprs = 0;
5687 struct nft_expr *expr;
5688 struct nlattr *nest;
5689
5690 elem_expr = nft_set_ext_expr(ext);
5691 nft_setelem_expr_foreach(expr, elem_expr, size)
5692 num_exprs++;
5693
5694 if (num_exprs == 1) {
5695 expr = nft_setelem_expr_at(elem_expr, 0);
5696 if (nft_expr_dump(skb, attr: NFTA_SET_ELEM_EXPR, expr, reset) < 0)
5697 return -1;
5698
5699 return 0;
5700 } else if (num_exprs > 1) {
5701 nest = nla_nest_start_noflag(skb, attrtype: NFTA_SET_ELEM_EXPRESSIONS);
5702 if (nest == NULL)
5703 goto nla_put_failure;
5704
5705 nft_setelem_expr_foreach(expr, elem_expr, size) {
5706 expr = nft_setelem_expr_at(elem_expr, size);
5707 if (nft_expr_dump(skb, attr: NFTA_LIST_ELEM, expr, reset) < 0)
5708 goto nla_put_failure;
5709 }
5710 nla_nest_end(skb, start: nest);
5711 }
5712 return 0;
5713
5714nla_put_failure:
5715 return -1;
5716}
5717
5718static int nf_tables_fill_setelem(struct sk_buff *skb,
5719 const struct nft_set *set,
5720 const struct nft_elem_priv *elem_priv,
5721 bool reset)
5722{
5723 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5724 unsigned char *b = skb_tail_pointer(skb);
5725 struct nlattr *nest;
5726
5727 nest = nla_nest_start_noflag(skb, attrtype: NFTA_LIST_ELEM);
5728 if (nest == NULL)
5729 goto nla_put_failure;
5730
5731 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_KEY) &&
5732 nft_data_dump(skb, attr: NFTA_SET_ELEM_KEY, data: nft_set_ext_key(ext),
5733 type: NFT_DATA_VALUE, len: set->klen) < 0)
5734 goto nla_put_failure;
5735
5736 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_KEY_END) &&
5737 nft_data_dump(skb, attr: NFTA_SET_ELEM_KEY_END, data: nft_set_ext_key_end(ext),
5738 type: NFT_DATA_VALUE, len: set->klen) < 0)
5739 goto nla_put_failure;
5740
5741 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_DATA) &&
5742 nft_data_dump(skb, attr: NFTA_SET_ELEM_DATA, data: nft_set_ext_data(ext),
5743 type: set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
5744 len: set->dlen) < 0)
5745 goto nla_put_failure;
5746
5747 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_EXPRESSIONS) &&
5748 nft_set_elem_expr_dump(skb, set, ext, reset))
5749 goto nla_put_failure;
5750
5751 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_OBJREF) &&
5752 nla_put_string(skb, attrtype: NFTA_SET_ELEM_OBJREF,
5753 str: (*nft_set_ext_obj(ext))->key.name) < 0)
5754 goto nla_put_failure;
5755
5756 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_FLAGS) &&
5757 nla_put_be32(skb, attrtype: NFTA_SET_ELEM_FLAGS,
5758 htonl(*nft_set_ext_flags(ext))))
5759 goto nla_put_failure;
5760
5761 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_TIMEOUT) &&
5762 nla_put_be64(skb, attrtype: NFTA_SET_ELEM_TIMEOUT,
5763 value: nf_jiffies64_to_msecs(input: *nft_set_ext_timeout(ext)),
5764 padattr: NFTA_SET_ELEM_PAD))
5765 goto nla_put_failure;
5766
5767 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_EXPIRATION)) {
5768 u64 expires, now = get_jiffies_64();
5769
5770 expires = *nft_set_ext_expiration(ext);
5771 if (time_before64(now, expires))
5772 expires -= now;
5773 else
5774 expires = 0;
5775
5776 if (nla_put_be64(skb, attrtype: NFTA_SET_ELEM_EXPIRATION,
5777 value: nf_jiffies64_to_msecs(input: expires),
5778 padattr: NFTA_SET_ELEM_PAD))
5779 goto nla_put_failure;
5780 }
5781
5782 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_USERDATA)) {
5783 struct nft_userdata *udata;
5784
5785 udata = nft_set_ext_userdata(ext);
5786 if (nla_put(skb, attrtype: NFTA_SET_ELEM_USERDATA,
5787 attrlen: udata->len + 1, data: udata->data))
5788 goto nla_put_failure;
5789 }
5790
5791 nla_nest_end(skb, start: nest);
5792 return 0;
5793
5794nla_put_failure:
5795 nlmsg_trim(skb, mark: b);
5796 return -EMSGSIZE;
5797}
5798
5799struct nft_set_dump_args {
5800 const struct netlink_callback *cb;
5801 struct nft_set_iter iter;
5802 struct sk_buff *skb;
5803 bool reset;
5804};
5805
5806static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5807 struct nft_set *set,
5808 const struct nft_set_iter *iter,
5809 struct nft_elem_priv *elem_priv)
5810{
5811 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5812 struct nft_set_dump_args *args;
5813
5814 if (!nft_set_elem_active(ext, genmask: iter->genmask))
5815 return 0;
5816
5817 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
5818 return 0;
5819
5820 args = container_of(iter, struct nft_set_dump_args, iter);
5821 return nf_tables_fill_setelem(skb: args->skb, set, elem_priv, reset: args->reset);
5822}
5823
5824static void audit_log_nft_set_reset(const struct nft_table *table,
5825 unsigned int base_seq,
5826 unsigned int nentries)
5827{
5828 char *buf = kasprintf(GFP_ATOMIC, fmt: "%s:%u", table->name, base_seq);
5829
5830 audit_log_nfcfg(name: buf, af: table->family, nentries,
5831 op: AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
5832 kfree(objp: buf);
5833}
5834
5835struct nft_set_dump_ctx {
5836 const struct nft_set *set;
5837 struct nft_ctx ctx;
5838 bool reset;
5839};
5840
5841static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5842 const struct nft_set *set, bool reset,
5843 unsigned int base_seq)
5844{
5845 struct nft_set_elem_catchall *catchall;
5846 u8 genmask = nft_genmask_cur(net);
5847 struct nft_set_ext *ext;
5848 int ret = 0;
5849
5850 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5851 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
5852 if (!nft_set_elem_active(ext, genmask) ||
5853 nft_set_elem_expired(ext))
5854 continue;
5855
5856 ret = nf_tables_fill_setelem(skb, set, elem_priv: catchall->elem, reset);
5857 if (reset && !ret)
5858 audit_log_nft_set_reset(table: set->table, base_seq, nentries: 1);
5859 break;
5860 }
5861
5862 return ret;
5863}
5864
5865static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5866{
5867 struct nft_set_dump_ctx *dump_ctx = cb->data;
5868 struct net *net = sock_net(sk: skb->sk);
5869 struct nftables_pernet *nft_net;
5870 struct nft_table *table;
5871 struct nft_set *set;
5872 struct nft_set_dump_args args;
5873 bool set_found = false;
5874 struct nlmsghdr *nlh;
5875 struct nlattr *nest;
5876 u32 portid, seq;
5877 int event;
5878
5879 rcu_read_lock();
5880 nft_net = nft_pernet(net);
5881 cb->seq = READ_ONCE(nft_net->base_seq);
5882
5883 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5884 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5885 dump_ctx->ctx.family != table->family)
5886 continue;
5887
5888 if (table != dump_ctx->ctx.table)
5889 continue;
5890
5891 list_for_each_entry_rcu(set, &table->sets, list) {
5892 if (set == dump_ctx->set) {
5893 set_found = true;
5894 break;
5895 }
5896 }
5897 break;
5898 }
5899
5900 if (!set_found) {
5901 rcu_read_unlock();
5902 return -ENOENT;
5903 }
5904
5905 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, msg_type: NFT_MSG_NEWSETELEM);
5906 portid = NETLINK_CB(cb->skb).portid;
5907 seq = cb->nlh->nlmsg_seq;
5908
5909 nlh = nfnl_msg_put(skb, portid, seq, type: event, NLM_F_MULTI,
5910 family: table->family, NFNETLINK_V0, res_id: nft_base_seq(net));
5911 if (!nlh)
5912 goto nla_put_failure;
5913
5914 if (nla_put_string(skb, attrtype: NFTA_SET_ELEM_LIST_TABLE, str: table->name))
5915 goto nla_put_failure;
5916 if (nla_put_string(skb, attrtype: NFTA_SET_ELEM_LIST_SET, str: set->name))
5917 goto nla_put_failure;
5918
5919 nest = nla_nest_start_noflag(skb, attrtype: NFTA_SET_ELEM_LIST_ELEMENTS);
5920 if (nest == NULL)
5921 goto nla_put_failure;
5922
5923 args.cb = cb;
5924 args.skb = skb;
5925 args.reset = dump_ctx->reset;
5926 args.iter.genmask = nft_genmask_cur(net);
5927 args.iter.type = NFT_ITER_READ;
5928 args.iter.skip = cb->args[0];
5929 args.iter.count = 0;
5930 args.iter.err = 0;
5931 args.iter.fn = nf_tables_dump_setelem;
5932 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5933
5934 if (!args.iter.err && args.iter.count == cb->args[0])
5935 args.iter.err = nft_set_catchall_dump(net, skb, set,
5936 reset: dump_ctx->reset, base_seq: cb->seq);
5937 nla_nest_end(skb, start: nest);
5938 nlmsg_end(skb, nlh);
5939
5940 rcu_read_unlock();
5941
5942 if (args.iter.err && args.iter.err != -EMSGSIZE)
5943 return args.iter.err;
5944 if (args.iter.count == cb->args[0])
5945 return 0;
5946
5947 cb->args[0] = args.iter.count;
5948 return skb->len;
5949
5950nla_put_failure:
5951 rcu_read_unlock();
5952 return -ENOSPC;
5953}
5954
5955static int nf_tables_dumpreset_set(struct sk_buff *skb,
5956 struct netlink_callback *cb)
5957{
5958 struct nftables_pernet *nft_net = nft_pernet(net: sock_net(sk: skb->sk));
5959 struct nft_set_dump_ctx *dump_ctx = cb->data;
5960 int ret, skip = cb->args[0];
5961
5962 mutex_lock(&nft_net->commit_mutex);
5963
5964 ret = nf_tables_dump_set(skb, cb);
5965
5966 if (cb->args[0] > skip)
5967 audit_log_nft_set_reset(table: dump_ctx->ctx.table, base_seq: cb->seq,
5968 nentries: cb->args[0] - skip);
5969
5970 mutex_unlock(lock: &nft_net->commit_mutex);
5971
5972 return ret;
5973}
5974
5975static int nf_tables_dump_set_start(struct netlink_callback *cb)
5976{
5977 struct nft_set_dump_ctx *dump_ctx = cb->data;
5978
5979 cb->data = kmemdup(p: dump_ctx, size: sizeof(*dump_ctx), GFP_ATOMIC);
5980
5981 return cb->data ? 0 : -ENOMEM;
5982}
5983
5984static int nf_tables_dump_set_done(struct netlink_callback *cb)
5985{
5986 kfree(objp: cb->data);
5987 return 0;
5988}
5989
5990static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5991 const struct nft_ctx *ctx, u32 seq,
5992 u32 portid, int event, u16 flags,
5993 const struct nft_set *set,
5994 const struct nft_elem_priv *elem_priv,
5995 bool reset)
5996{
5997 struct nlmsghdr *nlh;
5998 struct nlattr *nest;
5999 int err;
6000
6001 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, msg_type: event);
6002 nlh = nfnl_msg_put(skb, portid, seq, type: event, flags, family: ctx->family,
6003 NFNETLINK_V0, res_id: nft_base_seq(net: ctx->net));
6004 if (!nlh)
6005 goto nla_put_failure;
6006
6007 if (nla_put_string(skb, attrtype: NFTA_SET_TABLE, str: ctx->table->name))
6008 goto nla_put_failure;
6009 if (nla_put_string(skb, attrtype: NFTA_SET_NAME, str: set->name))
6010 goto nla_put_failure;
6011
6012 nest = nla_nest_start_noflag(skb, attrtype: NFTA_SET_ELEM_LIST_ELEMENTS);
6013 if (nest == NULL)
6014 goto nla_put_failure;
6015
6016 err = nf_tables_fill_setelem(skb, set, elem_priv, reset);
6017 if (err < 0)
6018 goto nla_put_failure;
6019
6020 nla_nest_end(skb, start: nest);
6021
6022 nlmsg_end(skb, nlh);
6023 return 0;
6024
6025nla_put_failure:
6026 nlmsg_trim(skb, mark: nlh);
6027 return -1;
6028}
6029
6030static int nft_setelem_parse_flags(const struct nft_set *set,
6031 const struct nlattr *attr, u32 *flags)
6032{
6033 if (attr == NULL)
6034 return 0;
6035
6036 *flags = ntohl(nla_get_be32(attr));
6037 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6038 return -EOPNOTSUPP;
6039 if (!(set->flags & NFT_SET_INTERVAL) &&
6040 *flags & NFT_SET_ELEM_INTERVAL_END)
6041 return -EINVAL;
6042 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
6043 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6044 return -EINVAL;
6045
6046 return 0;
6047}
6048
6049static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set,
6050 struct nft_data *key, struct nlattr *attr)
6051{
6052 struct nft_data_desc desc = {
6053 .type = NFT_DATA_VALUE,
6054 .size = NFT_DATA_VALUE_MAXLEN,
6055 .len = set->klen,
6056 };
6057
6058 return nft_data_init(ctx, data: key, desc: &desc, nla: attr);
6059}
6060
6061static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
6062 struct nft_data_desc *desc,
6063 struct nft_data *data,
6064 struct nlattr *attr)
6065{
6066 u32 dtype;
6067
6068 if (set->dtype == NFT_DATA_VERDICT)
6069 dtype = NFT_DATA_VERDICT;
6070 else
6071 dtype = NFT_DATA_VALUE;
6072
6073 desc->type = dtype;
6074 desc->size = NFT_DATA_VALUE_MAXLEN;
6075 desc->len = set->dlen;
6076 desc->flags = NFT_DATA_DESC_SETELEM;
6077
6078 return nft_data_init(ctx, data, desc, nla: attr);
6079}
6080
6081static void *nft_setelem_catchall_get(const struct net *net,
6082 const struct nft_set *set)
6083{
6084 struct nft_set_elem_catchall *catchall;
6085 u8 genmask = nft_genmask_cur(net);
6086 struct nft_set_ext *ext;
6087 void *priv = NULL;
6088
6089 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6090 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
6091 if (!nft_set_elem_active(ext, genmask) ||
6092 nft_set_elem_expired(ext))
6093 continue;
6094
6095 priv = catchall->elem;
6096 break;
6097 }
6098
6099 return priv;
6100}
6101
6102static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set,
6103 struct nft_set_elem *elem, u32 flags)
6104{
6105 void *priv;
6106
6107 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6108 priv = set->ops->get(ctx->net, set, elem, flags);
6109 if (IS_ERR(ptr: priv))
6110 return PTR_ERR(ptr: priv);
6111 } else {
6112 priv = nft_setelem_catchall_get(net: ctx->net, set);
6113 if (!priv)
6114 return -ENOENT;
6115 }
6116 elem->priv = priv;
6117
6118 return 0;
6119}
6120
6121static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
6122 const struct nlattr *attr, bool reset)
6123{
6124 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6125 struct nft_set_elem elem;
6126 struct sk_buff *skb;
6127 uint32_t flags = 0;
6128 int err;
6129
6130 err = nla_parse_nested_deprecated(tb: nla, NFTA_SET_ELEM_MAX, nla: attr,
6131 policy: nft_set_elem_policy, NULL);
6132 if (err < 0)
6133 return err;
6134
6135 err = nft_setelem_parse_flags(set, attr: nla[NFTA_SET_ELEM_FLAGS], flags: &flags);
6136 if (err < 0)
6137 return err;
6138
6139 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6140 return -EINVAL;
6141
6142 if (nla[NFTA_SET_ELEM_KEY]) {
6143 err = nft_setelem_parse_key(ctx, set, key: &elem.key.val,
6144 attr: nla[NFTA_SET_ELEM_KEY]);
6145 if (err < 0)
6146 return err;
6147 }
6148
6149 if (nla[NFTA_SET_ELEM_KEY_END]) {
6150 err = nft_setelem_parse_key(ctx, set, key: &elem.key_end.val,
6151 attr: nla[NFTA_SET_ELEM_KEY_END]);
6152 if (err < 0)
6153 return err;
6154 }
6155
6156 err = nft_setelem_get(ctx, set, elem: &elem, flags);
6157 if (err < 0)
6158 return err;
6159
6160 err = -ENOMEM;
6161 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6162 if (skb == NULL)
6163 return err;
6164
6165 err = nf_tables_fill_setelem_info(skb, ctx, seq: ctx->seq, portid: ctx->portid,
6166 event: NFT_MSG_NEWSETELEM, flags: 0, set, elem_priv: elem.priv,
6167 reset);
6168 if (err < 0)
6169 goto err_fill_setelem;
6170
6171 return nfnetlink_unicast(skb, net: ctx->net, portid: ctx->portid);
6172
6173err_fill_setelem:
6174 kfree_skb(skb);
6175 return err;
6176}
6177
6178static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx,
6179 const struct sk_buff *skb,
6180 const struct nfnl_info *info,
6181 const struct nlattr * const nla[],
6182 bool reset)
6183{
6184 struct netlink_ext_ack *extack = info->extack;
6185 u8 genmask = nft_genmask_cur(net: info->net);
6186 u8 family = info->nfmsg->nfgen_family;
6187 struct net *net = info->net;
6188 struct nft_table *table;
6189 struct nft_set *set;
6190
6191 table = nft_table_lookup(net, nla: nla[NFTA_SET_ELEM_LIST_TABLE], family,
6192 genmask, nlpid: 0);
6193 if (IS_ERR(ptr: table)) {
6194 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6195 return PTR_ERR(ptr: table);
6196 }
6197
6198 set = nft_set_lookup(table, nla: nla[NFTA_SET_ELEM_LIST_SET], genmask);
6199 if (IS_ERR(ptr: set)) {
6200 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6201 return PTR_ERR(ptr: set);
6202 }
6203
6204 nft_ctx_init(ctx: &dump_ctx->ctx, net, skb,
6205 nlh: info->nlh, family, table, NULL, nla);
6206 dump_ctx->set = set;
6207 dump_ctx->reset = reset;
6208 return 0;
6209}
6210
6211/* called with rcu_read_lock held */
6212static int nf_tables_getsetelem(struct sk_buff *skb,
6213 const struct nfnl_info *info,
6214 const struct nlattr * const nla[])
6215{
6216 struct netlink_ext_ack *extack = info->extack;
6217 struct nft_set_dump_ctx dump_ctx;
6218 struct nlattr *attr;
6219 int rem, err = 0;
6220
6221 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6222 struct netlink_dump_control c = {
6223 .start = nf_tables_dump_set_start,
6224 .dump = nf_tables_dump_set,
6225 .done = nf_tables_dump_set_done,
6226 .module = THIS_MODULE,
6227 };
6228
6229 err = nft_set_dump_ctx_init(dump_ctx: &dump_ctx, skb, info, nla, reset: false);
6230 if (err)
6231 return err;
6232
6233 c.data = &dump_ctx;
6234 return nft_netlink_dump_start_rcu(nlsk: info->sk, skb, nlh: info->nlh, c: &c);
6235 }
6236
6237 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6238 return -EINVAL;
6239
6240 err = nft_set_dump_ctx_init(dump_ctx: &dump_ctx, skb, info, nla, reset: false);
6241 if (err)
6242 return err;
6243
6244 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6245 err = nft_get_set_elem(ctx: &dump_ctx.ctx, set: dump_ctx.set, attr, reset: false);
6246 if (err < 0) {
6247 NL_SET_BAD_ATTR(extack, attr);
6248 break;
6249 }
6250 }
6251
6252 return err;
6253}
6254
6255static int nf_tables_getsetelem_reset(struct sk_buff *skb,
6256 const struct nfnl_info *info,
6257 const struct nlattr * const nla[])
6258{
6259 struct nftables_pernet *nft_net = nft_pernet(net: info->net);
6260 struct netlink_ext_ack *extack = info->extack;
6261 struct nft_set_dump_ctx dump_ctx;
6262 int rem, err = 0, nelems = 0;
6263 struct nlattr *attr;
6264
6265 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6266 struct netlink_dump_control c = {
6267 .start = nf_tables_dump_set_start,
6268 .dump = nf_tables_dumpreset_set,
6269 .done = nf_tables_dump_set_done,
6270 .module = THIS_MODULE,
6271 };
6272
6273 err = nft_set_dump_ctx_init(dump_ctx: &dump_ctx, skb, info, nla, reset: true);
6274 if (err)
6275 return err;
6276
6277 c.data = &dump_ctx;
6278 return nft_netlink_dump_start_rcu(nlsk: info->sk, skb, nlh: info->nlh, c: &c);
6279 }
6280
6281 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6282 return -EINVAL;
6283
6284 if (!try_module_get(THIS_MODULE))
6285 return -EINVAL;
6286 rcu_read_unlock();
6287 mutex_lock(&nft_net->commit_mutex);
6288 rcu_read_lock();
6289
6290 err = nft_set_dump_ctx_init(dump_ctx: &dump_ctx, skb, info, nla, reset: true);
6291 if (err)
6292 goto out_unlock;
6293
6294 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6295 err = nft_get_set_elem(ctx: &dump_ctx.ctx, set: dump_ctx.set, attr, reset: true);
6296 if (err < 0) {
6297 NL_SET_BAD_ATTR(extack, attr);
6298 break;
6299 }
6300 nelems++;
6301 }
6302 audit_log_nft_set_reset(table: dump_ctx.ctx.table, base_seq: nft_net->base_seq, nentries: nelems);
6303
6304out_unlock:
6305 rcu_read_unlock();
6306 mutex_unlock(lock: &nft_net->commit_mutex);
6307 rcu_read_lock();
6308 module_put(THIS_MODULE);
6309
6310 return err;
6311}
6312
6313static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6314 const struct nft_set *set,
6315 const struct nft_elem_priv *elem_priv,
6316 int event)
6317{
6318 struct nftables_pernet *nft_net;
6319 struct net *net = ctx->net;
6320 u32 portid = ctx->portid;
6321 struct sk_buff *skb;
6322 u16 flags = 0;
6323 int err;
6324
6325 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6326 return;
6327
6328 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6329 if (skb == NULL)
6330 goto err;
6331
6332 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6333 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6334
6335 err = nf_tables_fill_setelem_info(skb, ctx, seq: 0, portid, event, flags,
6336 set, elem_priv, reset: false);
6337 if (err < 0) {
6338 kfree_skb(skb);
6339 goto err;
6340 }
6341
6342 nft_net = nft_pernet(net);
6343 nft_notify_enqueue(skb, report: ctx->report, notify_list: &nft_net->notify_list);
6344 return;
6345err:
6346 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, error: -ENOBUFS);
6347}
6348
6349static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
6350 int msg_type,
6351 struct nft_set *set)
6352{
6353 struct nft_trans *trans;
6354
6355 trans = nft_trans_alloc(ctx, msg_type, size: sizeof(struct nft_trans_elem));
6356 if (trans == NULL)
6357 return NULL;
6358
6359 nft_trans_elem_set(trans) = set;
6360 return trans;
6361}
6362
6363struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6364 const struct nft_set *set,
6365 const struct nlattr *attr)
6366{
6367 struct nft_expr *expr;
6368 int err;
6369
6370 expr = nft_expr_init(ctx, nla: attr);
6371 if (IS_ERR(ptr: expr))
6372 return expr;
6373
6374 err = -EOPNOTSUPP;
6375 if (expr->ops->type->flags & NFT_EXPR_GC) {
6376 if (set->flags & NFT_SET_TIMEOUT)
6377 goto err_set_elem_expr;
6378 if (!set->ops->gc_init)
6379 goto err_set_elem_expr;
6380 set->ops->gc_init(set);
6381 }
6382
6383 return expr;
6384
6385err_set_elem_expr:
6386 nft_expr_destroy(ctx, expr);
6387 return ERR_PTR(error: err);
6388}
6389
6390static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6391{
6392 len += nft_set_ext_types[id].len;
6393 if (len > tmpl->ext_len[id] ||
6394 len > U8_MAX)
6395 return -1;
6396
6397 return 0;
6398}
6399
6400static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6401 void *to, const void *from, u32 len)
6402{
6403 if (nft_set_ext_check(tmpl, id, len) < 0)
6404 return -1;
6405
6406 memcpy(to, from, len);
6407
6408 return 0;
6409}
6410
6411struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
6412 const struct nft_set_ext_tmpl *tmpl,
6413 const u32 *key, const u32 *key_end,
6414 const u32 *data,
6415 u64 timeout, u64 expiration, gfp_t gfp)
6416{
6417 struct nft_set_ext *ext;
6418 void *elem;
6419
6420 elem = kzalloc(size: set->ops->elemsize + tmpl->len, flags: gfp);
6421 if (elem == NULL)
6422 return ERR_PTR(error: -ENOMEM);
6423
6424 ext = nft_set_elem_ext(set, elem_priv: elem);
6425 nft_set_ext_init(ext, tmpl);
6426
6427 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_KEY) &&
6428 nft_set_ext_memcpy(tmpl, id: NFT_SET_EXT_KEY,
6429 to: nft_set_ext_key(ext), from: key, len: set->klen) < 0)
6430 goto err_ext_check;
6431
6432 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_KEY_END) &&
6433 nft_set_ext_memcpy(tmpl, id: NFT_SET_EXT_KEY_END,
6434 to: nft_set_ext_key_end(ext), from: key_end, len: set->klen) < 0)
6435 goto err_ext_check;
6436
6437 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_DATA) &&
6438 nft_set_ext_memcpy(tmpl, id: NFT_SET_EXT_DATA,
6439 to: nft_set_ext_data(ext), from: data, len: set->dlen) < 0)
6440 goto err_ext_check;
6441
6442 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_EXPIRATION)) {
6443 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
6444 if (expiration == 0)
6445 *nft_set_ext_expiration(ext) += timeout;
6446 }
6447 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_TIMEOUT))
6448 *nft_set_ext_timeout(ext) = timeout;
6449
6450 return elem;
6451
6452err_ext_check:
6453 kfree(objp: elem);
6454
6455 return ERR_PTR(error: -EINVAL);
6456}
6457
6458static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6459 struct nft_expr *expr)
6460{
6461 if (expr->ops->destroy_clone) {
6462 expr->ops->destroy_clone(ctx, expr);
6463 module_put(module: expr->ops->type->owner);
6464 } else {
6465 nf_tables_expr_destroy(ctx, expr);
6466 }
6467}
6468
6469static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6470 struct nft_set_elem_expr *elem_expr)
6471{
6472 struct nft_expr *expr;
6473 u32 size;
6474
6475 nft_setelem_expr_foreach(expr, elem_expr, size)
6476 __nft_set_elem_expr_destroy(ctx, expr);
6477}
6478
6479/* Drop references and destroy. Called from gc, dynset and abort path. */
6480void nft_set_elem_destroy(const struct nft_set *set,
6481 const struct nft_elem_priv *elem_priv,
6482 bool destroy_expr)
6483{
6484 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6485 struct nft_ctx ctx = {
6486 .net = read_pnet(pnet: &set->net),
6487 .family = set->table->family,
6488 };
6489
6490 nft_data_release(data: nft_set_ext_key(ext), type: NFT_DATA_VALUE);
6491 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_DATA))
6492 nft_data_release(data: nft_set_ext_data(ext), type: set->dtype);
6493 if (destroy_expr && nft_set_ext_exists(ext, id: NFT_SET_EXT_EXPRESSIONS))
6494 nft_set_elem_expr_destroy(ctx: &ctx, elem_expr: nft_set_ext_expr(ext));
6495 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_OBJREF))
6496 nft_use_dec(use: &(*nft_set_ext_obj(ext))->use);
6497
6498 kfree(objp: elem_priv);
6499}
6500EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6501
6502/* Destroy element. References have been already dropped in the preparation
6503 * path via nft_setelem_data_deactivate().
6504 */
6505void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6506 const struct nft_set *set,
6507 const struct nft_elem_priv *elem_priv)
6508{
6509 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6510
6511 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_EXPRESSIONS))
6512 nft_set_elem_expr_destroy(ctx, elem_expr: nft_set_ext_expr(ext));
6513
6514 kfree(objp: elem_priv);
6515}
6516
6517int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6518 struct nft_expr *expr_array[])
6519{
6520 struct nft_expr *expr;
6521 int err, i, k;
6522
6523 for (i = 0; i < set->num_exprs; i++) {
6524 expr = kzalloc(size: set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6525 if (!expr)
6526 goto err_expr;
6527
6528 err = nft_expr_clone(dst: expr, src: set->exprs[i]);
6529 if (err < 0) {
6530 kfree(objp: expr);
6531 goto err_expr;
6532 }
6533 expr_array[i] = expr;
6534 }
6535
6536 return 0;
6537
6538err_expr:
6539 for (k = i - 1; k >= 0; k--)
6540 nft_expr_destroy(ctx, expr: expr_array[k]);
6541
6542 return -ENOMEM;
6543}
6544
6545static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6546 const struct nft_set_ext_tmpl *tmpl,
6547 const struct nft_set_ext *ext,
6548 struct nft_expr *expr_array[],
6549 u32 num_exprs)
6550{
6551 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6552 u32 len = sizeof(struct nft_set_elem_expr);
6553 struct nft_expr *expr;
6554 int i, err;
6555
6556 if (num_exprs == 0)
6557 return 0;
6558
6559 for (i = 0; i < num_exprs; i++)
6560 len += expr_array[i]->ops->size;
6561
6562 if (nft_set_ext_check(tmpl, id: NFT_SET_EXT_EXPRESSIONS, len) < 0)
6563 return -EINVAL;
6564
6565 for (i = 0; i < num_exprs; i++) {
6566 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6567 err = nft_expr_clone(dst: expr, src: expr_array[i]);
6568 if (err < 0)
6569 goto err_elem_expr_setup;
6570
6571 elem_expr->size += expr_array[i]->ops->size;
6572 nft_expr_destroy(ctx, expr: expr_array[i]);
6573 expr_array[i] = NULL;
6574 }
6575
6576 return 0;
6577
6578err_elem_expr_setup:
6579 for (; i < num_exprs; i++) {
6580 nft_expr_destroy(ctx, expr: expr_array[i]);
6581 expr_array[i] = NULL;
6582 }
6583
6584 return -ENOMEM;
6585}
6586
6587struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6588 const struct nft_set *set)
6589{
6590 struct nft_set_elem_catchall *catchall;
6591 u8 genmask = nft_genmask_cur(net);
6592 struct nft_set_ext *ext;
6593
6594 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6595 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
6596 if (nft_set_elem_active(ext, genmask) &&
6597 !nft_set_elem_expired(ext) &&
6598 !nft_set_elem_is_dead(ext))
6599 return ext;
6600 }
6601
6602 return NULL;
6603}
6604EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6605
6606static int nft_setelem_catchall_insert(const struct net *net,
6607 struct nft_set *set,
6608 const struct nft_set_elem *elem,
6609 struct nft_elem_priv **priv)
6610{
6611 struct nft_set_elem_catchall *catchall;
6612 u8 genmask = nft_genmask_next(net);
6613 struct nft_set_ext *ext;
6614
6615 list_for_each_entry(catchall, &set->catchall_list, list) {
6616 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
6617 if (nft_set_elem_active(ext, genmask)) {
6618 *priv = catchall->elem;
6619 return -EEXIST;
6620 }
6621 }
6622
6623 catchall = kmalloc(size: sizeof(*catchall), GFP_KERNEL);
6624 if (!catchall)
6625 return -ENOMEM;
6626
6627 catchall->elem = elem->priv;
6628 list_add_tail_rcu(new: &catchall->list, head: &set->catchall_list);
6629
6630 return 0;
6631}
6632
6633static int nft_setelem_insert(const struct net *net,
6634 struct nft_set *set,
6635 const struct nft_set_elem *elem,
6636 struct nft_elem_priv **elem_priv,
6637 unsigned int flags)
6638{
6639 int ret;
6640
6641 if (flags & NFT_SET_ELEM_CATCHALL)
6642 ret = nft_setelem_catchall_insert(net, set, elem, priv: elem_priv);
6643 else
6644 ret = set->ops->insert(net, set, elem, elem_priv);
6645
6646 return ret;
6647}
6648
6649static bool nft_setelem_is_catchall(const struct nft_set *set,
6650 const struct nft_elem_priv *elem_priv)
6651{
6652 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6653
6654 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_FLAGS) &&
6655 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6656 return true;
6657
6658 return false;
6659}
6660
6661static void nft_setelem_activate(struct net *net, struct nft_set *set,
6662 struct nft_elem_priv *elem_priv)
6663{
6664 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6665
6666 if (nft_setelem_is_catchall(set, elem_priv)) {
6667 nft_clear(net, ext);
6668 } else {
6669 set->ops->activate(net, set, elem_priv);
6670 }
6671}
6672
6673static int nft_setelem_catchall_deactivate(const struct net *net,
6674 struct nft_set *set,
6675 struct nft_set_elem *elem)
6676{
6677 struct nft_set_elem_catchall *catchall;
6678 struct nft_set_ext *ext;
6679
6680 list_for_each_entry(catchall, &set->catchall_list, list) {
6681 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
6682 if (!nft_is_active_next(net, ext))
6683 continue;
6684
6685 kfree(objp: elem->priv);
6686 elem->priv = catchall->elem;
6687 nft_set_elem_change_active(net, set, ext);
6688 return 0;
6689 }
6690
6691 return -ENOENT;
6692}
6693
6694static int __nft_setelem_deactivate(const struct net *net,
6695 struct nft_set *set,
6696 struct nft_set_elem *elem)
6697{
6698 void *priv;
6699
6700 priv = set->ops->deactivate(net, set, elem);
6701 if (!priv)
6702 return -ENOENT;
6703
6704 kfree(objp: elem->priv);
6705 elem->priv = priv;
6706 set->ndeact++;
6707
6708 return 0;
6709}
6710
6711static int nft_setelem_deactivate(const struct net *net,
6712 struct nft_set *set,
6713 struct nft_set_elem *elem, u32 flags)
6714{
6715 int ret;
6716
6717 if (flags & NFT_SET_ELEM_CATCHALL)
6718 ret = nft_setelem_catchall_deactivate(net, set, elem);
6719 else
6720 ret = __nft_setelem_deactivate(net, set, elem);
6721
6722 return ret;
6723}
6724
6725static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
6726{
6727 list_del_rcu(entry: &catchall->list);
6728 kfree_rcu(catchall, rcu);
6729}
6730
6731static void nft_setelem_catchall_remove(const struct net *net,
6732 const struct nft_set *set,
6733 struct nft_elem_priv *elem_priv)
6734{
6735 struct nft_set_elem_catchall *catchall, *next;
6736
6737 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6738 if (catchall->elem == elem_priv) {
6739 nft_setelem_catchall_destroy(catchall);
6740 break;
6741 }
6742 }
6743}
6744
6745static void nft_setelem_remove(const struct net *net,
6746 const struct nft_set *set,
6747 struct nft_elem_priv *elem_priv)
6748{
6749 if (nft_setelem_is_catchall(set, elem_priv))
6750 nft_setelem_catchall_remove(net, set, elem_priv);
6751 else
6752 set->ops->remove(net, set, elem_priv);
6753}
6754
6755static bool nft_setelem_valid_key_end(const struct nft_set *set,
6756 struct nlattr **nla, u32 flags)
6757{
6758 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6759 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6760 if (flags & NFT_SET_ELEM_INTERVAL_END)
6761 return false;
6762
6763 if (nla[NFTA_SET_ELEM_KEY_END] &&
6764 flags & NFT_SET_ELEM_CATCHALL)
6765 return false;
6766 } else {
6767 if (nla[NFTA_SET_ELEM_KEY_END])
6768 return false;
6769 }
6770
6771 return true;
6772}
6773
6774static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6775 const struct nlattr *attr, u32 nlmsg_flags)
6776{
6777 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6778 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6779 u8 genmask = nft_genmask_next(net: ctx->net);
6780 u32 flags = 0, size = 0, num_exprs = 0;
6781 struct nft_set_ext_tmpl tmpl;
6782 struct nft_set_ext *ext, *ext2;
6783 struct nft_set_elem elem;
6784 struct nft_set_binding *binding;
6785 struct nft_elem_priv *elem_priv;
6786 struct nft_object *obj = NULL;
6787 struct nft_userdata *udata;
6788 struct nft_data_desc desc;
6789 enum nft_registers dreg;
6790 struct nft_trans *trans;
6791 u64 expiration;
6792 u64 timeout;
6793 int err, i;
6794 u8 ulen;
6795
6796 err = nla_parse_nested_deprecated(tb: nla, NFTA_SET_ELEM_MAX, nla: attr,
6797 policy: nft_set_elem_policy, NULL);
6798 if (err < 0)
6799 return err;
6800
6801 nft_set_ext_prepare(tmpl: &tmpl);
6802
6803 err = nft_setelem_parse_flags(set, attr: nla[NFTA_SET_ELEM_FLAGS], flags: &flags);
6804 if (err < 0)
6805 return err;
6806
6807 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6808 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6809 return -EINVAL;
6810
6811 if (flags != 0) {
6812 err = nft_set_ext_add(tmpl: &tmpl, id: NFT_SET_EXT_FLAGS);
6813 if (err < 0)
6814 return err;
6815 }
6816
6817 if (set->flags & NFT_SET_MAP) {
6818 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6819 !(flags & NFT_SET_ELEM_INTERVAL_END))
6820 return -EINVAL;
6821 } else {
6822 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6823 return -EINVAL;
6824 }
6825
6826 if (set->flags & NFT_SET_OBJECT) {
6827 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6828 !(flags & NFT_SET_ELEM_INTERVAL_END))
6829 return -EINVAL;
6830 } else {
6831 if (nla[NFTA_SET_ELEM_OBJREF])
6832 return -EINVAL;
6833 }
6834
6835 if (!nft_setelem_valid_key_end(set, nla, flags))
6836 return -EINVAL;
6837
6838 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6839 (nla[NFTA_SET_ELEM_DATA] ||
6840 nla[NFTA_SET_ELEM_OBJREF] ||
6841 nla[NFTA_SET_ELEM_TIMEOUT] ||
6842 nla[NFTA_SET_ELEM_EXPIRATION] ||
6843 nla[NFTA_SET_ELEM_USERDATA] ||
6844 nla[NFTA_SET_ELEM_EXPR] ||
6845 nla[NFTA_SET_ELEM_KEY_END] ||
6846 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6847 return -EINVAL;
6848
6849 timeout = 0;
6850 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6851 if (!(set->flags & NFT_SET_TIMEOUT))
6852 return -EINVAL;
6853 err = nf_msecs_to_jiffies64(nla: nla[NFTA_SET_ELEM_TIMEOUT],
6854 result: &timeout);
6855 if (err)
6856 return err;
6857 } else if (set->flags & NFT_SET_TIMEOUT &&
6858 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6859 timeout = READ_ONCE(set->timeout);
6860 }
6861
6862 expiration = 0;
6863 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6864 if (!(set->flags & NFT_SET_TIMEOUT))
6865 return -EINVAL;
6866 err = nf_msecs_to_jiffies64(nla: nla[NFTA_SET_ELEM_EXPIRATION],
6867 result: &expiration);
6868 if (err)
6869 return err;
6870 }
6871
6872 if (nla[NFTA_SET_ELEM_EXPR]) {
6873 struct nft_expr *expr;
6874
6875 if (set->num_exprs && set->num_exprs != 1)
6876 return -EOPNOTSUPP;
6877
6878 expr = nft_set_elem_expr_alloc(ctx, set,
6879 attr: nla[NFTA_SET_ELEM_EXPR]);
6880 if (IS_ERR(ptr: expr))
6881 return PTR_ERR(ptr: expr);
6882
6883 expr_array[0] = expr;
6884 num_exprs = 1;
6885
6886 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6887 err = -EOPNOTSUPP;
6888 goto err_set_elem_expr;
6889 }
6890 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6891 struct nft_expr *expr;
6892 struct nlattr *tmp;
6893 int left;
6894
6895 i = 0;
6896 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6897 if (i == NFT_SET_EXPR_MAX ||
6898 (set->num_exprs && set->num_exprs == i)) {
6899 err = -E2BIG;
6900 goto err_set_elem_expr;
6901 }
6902 if (nla_type(nla: tmp) != NFTA_LIST_ELEM) {
6903 err = -EINVAL;
6904 goto err_set_elem_expr;
6905 }
6906 expr = nft_set_elem_expr_alloc(ctx, set, attr: tmp);
6907 if (IS_ERR(ptr: expr)) {
6908 err = PTR_ERR(ptr: expr);
6909 goto err_set_elem_expr;
6910 }
6911 expr_array[i] = expr;
6912 num_exprs++;
6913
6914 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6915 err = -EOPNOTSUPP;
6916 goto err_set_elem_expr;
6917 }
6918 i++;
6919 }
6920 if (set->num_exprs && set->num_exprs != i) {
6921 err = -EOPNOTSUPP;
6922 goto err_set_elem_expr;
6923 }
6924 } else if (set->num_exprs > 0 &&
6925 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6926 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6927 if (err < 0)
6928 goto err_set_elem_expr_clone;
6929
6930 num_exprs = set->num_exprs;
6931 }
6932
6933 if (nla[NFTA_SET_ELEM_KEY]) {
6934 err = nft_setelem_parse_key(ctx, set, key: &elem.key.val,
6935 attr: nla[NFTA_SET_ELEM_KEY]);
6936 if (err < 0)
6937 goto err_set_elem_expr;
6938
6939 err = nft_set_ext_add_length(tmpl: &tmpl, id: NFT_SET_EXT_KEY, len: set->klen);
6940 if (err < 0)
6941 goto err_parse_key;
6942 }
6943
6944 if (nla[NFTA_SET_ELEM_KEY_END]) {
6945 err = nft_setelem_parse_key(ctx, set, key: &elem.key_end.val,
6946 attr: nla[NFTA_SET_ELEM_KEY_END]);
6947 if (err < 0)
6948 goto err_parse_key;
6949
6950 err = nft_set_ext_add_length(tmpl: &tmpl, id: NFT_SET_EXT_KEY_END, len: set->klen);
6951 if (err < 0)
6952 goto err_parse_key_end;
6953 }
6954
6955 if (timeout > 0) {
6956 err = nft_set_ext_add(tmpl: &tmpl, id: NFT_SET_EXT_EXPIRATION);
6957 if (err < 0)
6958 goto err_parse_key_end;
6959
6960 if (timeout != READ_ONCE(set->timeout)) {
6961 err = nft_set_ext_add(tmpl: &tmpl, id: NFT_SET_EXT_TIMEOUT);
6962 if (err < 0)
6963 goto err_parse_key_end;
6964 }
6965 }
6966
6967 if (num_exprs) {
6968 for (i = 0; i < num_exprs; i++)
6969 size += expr_array[i]->ops->size;
6970
6971 err = nft_set_ext_add_length(tmpl: &tmpl, id: NFT_SET_EXT_EXPRESSIONS,
6972 len: sizeof(struct nft_set_elem_expr) + size);
6973 if (err < 0)
6974 goto err_parse_key_end;
6975 }
6976
6977 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
6978 obj = nft_obj_lookup(net: ctx->net, table: ctx->table,
6979 nla: nla[NFTA_SET_ELEM_OBJREF],
6980 objtype: set->objtype, genmask);
6981 if (IS_ERR(ptr: obj)) {
6982 err = PTR_ERR(ptr: obj);
6983 obj = NULL;
6984 goto err_parse_key_end;
6985 }
6986
6987 if (!nft_use_inc(use: &obj->use)) {
6988 err = -EMFILE;
6989 obj = NULL;
6990 goto err_parse_key_end;
6991 }
6992
6993 err = nft_set_ext_add(tmpl: &tmpl, id: NFT_SET_EXT_OBJREF);
6994 if (err < 0)
6995 goto err_parse_key_end;
6996 }
6997
6998 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
6999 err = nft_setelem_parse_data(ctx, set, desc: &desc, data: &elem.data.val,
7000 attr: nla[NFTA_SET_ELEM_DATA]);
7001 if (err < 0)
7002 goto err_parse_key_end;
7003
7004 dreg = nft_type_to_reg(type: set->dtype);
7005 list_for_each_entry(binding, &set->bindings, list) {
7006 struct nft_ctx bind_ctx = {
7007 .net = ctx->net,
7008 .family = ctx->family,
7009 .table = ctx->table,
7010 .chain = (struct nft_chain *)binding->chain,
7011 };
7012
7013 if (!(binding->flags & NFT_SET_MAP))
7014 continue;
7015
7016 err = nft_validate_register_store(ctx: &bind_ctx, reg: dreg,
7017 data: &elem.data.val,
7018 type: desc.type, len: desc.len);
7019 if (err < 0)
7020 goto err_parse_data;
7021
7022 if (desc.type == NFT_DATA_VERDICT &&
7023 (elem.data.val.verdict.code == NFT_GOTO ||
7024 elem.data.val.verdict.code == NFT_JUMP))
7025 nft_validate_state_update(table: ctx->table,
7026 new_validate_state: NFT_VALIDATE_NEED);
7027 }
7028
7029 err = nft_set_ext_add_length(tmpl: &tmpl, id: NFT_SET_EXT_DATA, len: desc.len);
7030 if (err < 0)
7031 goto err_parse_data;
7032 }
7033
7034 /* The full maximum length of userdata can exceed the maximum
7035 * offset value (U8_MAX) for following extensions, therefor it
7036 * must be the last extension added.
7037 */
7038 ulen = 0;
7039 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
7040 ulen = nla_len(nla: nla[NFTA_SET_ELEM_USERDATA]);
7041 if (ulen > 0) {
7042 err = nft_set_ext_add_length(tmpl: &tmpl, id: NFT_SET_EXT_USERDATA,
7043 len: ulen);
7044 if (err < 0)
7045 goto err_parse_data;
7046 }
7047 }
7048
7049 elem.priv = nft_set_elem_init(set, tmpl: &tmpl, key: elem.key.val.data,
7050 key_end: elem.key_end.val.data, data: elem.data.val.data,
7051 timeout, expiration, GFP_KERNEL_ACCOUNT);
7052 if (IS_ERR(ptr: elem.priv)) {
7053 err = PTR_ERR(ptr: elem.priv);
7054 goto err_parse_data;
7055 }
7056
7057 ext = nft_set_elem_ext(set, elem_priv: elem.priv);
7058 if (flags)
7059 *nft_set_ext_flags(ext) = flags;
7060
7061 if (obj)
7062 *nft_set_ext_obj(ext) = obj;
7063
7064 if (ulen > 0) {
7065 if (nft_set_ext_check(tmpl: &tmpl, id: NFT_SET_EXT_USERDATA, len: ulen) < 0) {
7066 err = -EINVAL;
7067 goto err_elem_free;
7068 }
7069 udata = nft_set_ext_userdata(ext);
7070 udata->len = ulen - 1;
7071 nla_memcpy(dest: &udata->data, src: nla[NFTA_SET_ELEM_USERDATA], count: ulen);
7072 }
7073 err = nft_set_elem_expr_setup(ctx, tmpl: &tmpl, ext, expr_array, num_exprs);
7074 if (err < 0)
7075 goto err_elem_free;
7076
7077 trans = nft_trans_elem_alloc(ctx, msg_type: NFT_MSG_NEWSETELEM, set);
7078 if (trans == NULL) {
7079 err = -ENOMEM;
7080 goto err_elem_free;
7081 }
7082
7083 ext->genmask = nft_genmask_cur(net: ctx->net);
7084
7085 err = nft_setelem_insert(net: ctx->net, set, elem: &elem, elem_priv: &elem_priv, flags);
7086 if (err) {
7087 if (err == -EEXIST) {
7088 ext2 = nft_set_elem_ext(set, elem_priv);
7089 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_DATA) ^
7090 nft_set_ext_exists(ext: ext2, id: NFT_SET_EXT_DATA) ||
7091 nft_set_ext_exists(ext, id: NFT_SET_EXT_OBJREF) ^
7092 nft_set_ext_exists(ext: ext2, id: NFT_SET_EXT_OBJREF))
7093 goto err_element_clash;
7094 if ((nft_set_ext_exists(ext, id: NFT_SET_EXT_DATA) &&
7095 nft_set_ext_exists(ext: ext2, id: NFT_SET_EXT_DATA) &&
7096 memcmp(p: nft_set_ext_data(ext),
7097 q: nft_set_ext_data(ext: ext2), size: set->dlen) != 0) ||
7098 (nft_set_ext_exists(ext, id: NFT_SET_EXT_OBJREF) &&
7099 nft_set_ext_exists(ext: ext2, id: NFT_SET_EXT_OBJREF) &&
7100 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext: ext2)))
7101 goto err_element_clash;
7102 else if (!(nlmsg_flags & NLM_F_EXCL))
7103 err = 0;
7104 } else if (err == -ENOTEMPTY) {
7105 /* ENOTEMPTY reports overlapping between this element
7106 * and an existing one.
7107 */
7108 err = -EEXIST;
7109 }
7110 goto err_element_clash;
7111 }
7112
7113 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
7114 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX;
7115
7116 if (!atomic_add_unless(v: &set->nelems, a: 1, u: max)) {
7117 err = -ENFILE;
7118 goto err_set_full;
7119 }
7120 }
7121
7122 nft_trans_elem_priv(trans) = elem.priv;
7123 nft_trans_commit_list_add_tail(net: ctx->net, trans);
7124 return 0;
7125
7126err_set_full:
7127 nft_setelem_remove(net: ctx->net, set, elem_priv: elem.priv);
7128err_element_clash:
7129 kfree(objp: trans);
7130err_elem_free:
7131 nf_tables_set_elem_destroy(ctx, set, elem_priv: elem.priv);
7132err_parse_data:
7133 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7134 nft_data_release(data: &elem.data.val, type: desc.type);
7135err_parse_key_end:
7136 if (obj)
7137 nft_use_dec_restore(use: &obj->use);
7138
7139 nft_data_release(data: &elem.key_end.val, type: NFT_DATA_VALUE);
7140err_parse_key:
7141 nft_data_release(data: &elem.key.val, type: NFT_DATA_VALUE);
7142err_set_elem_expr:
7143 for (i = 0; i < num_exprs && expr_array[i]; i++)
7144 nft_expr_destroy(ctx, expr: expr_array[i]);
7145err_set_elem_expr_clone:
7146 return err;
7147}
7148
7149static int nf_tables_newsetelem(struct sk_buff *skb,
7150 const struct nfnl_info *info,
7151 const struct nlattr * const nla[])
7152{
7153 struct netlink_ext_ack *extack = info->extack;
7154 u8 genmask = nft_genmask_next(net: info->net);
7155 u8 family = info->nfmsg->nfgen_family;
7156 struct net *net = info->net;
7157 const struct nlattr *attr;
7158 struct nft_table *table;
7159 struct nft_set *set;
7160 struct nft_ctx ctx;
7161 int rem, err;
7162
7163 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
7164 return -EINVAL;
7165
7166 table = nft_table_lookup(net, nla: nla[NFTA_SET_ELEM_LIST_TABLE], family,
7167 genmask, NETLINK_CB(skb).portid);
7168 if (IS_ERR(ptr: table)) {
7169 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7170 return PTR_ERR(ptr: table);
7171 }
7172
7173 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
7174 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
7175 if (IS_ERR(ptr: set)) {
7176 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7177 return PTR_ERR(ptr: set);
7178 }
7179
7180 if (!list_empty(head: &set->bindings) &&
7181 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
7182 return -EBUSY;
7183
7184 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
7185
7186 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7187 err = nft_add_set_elem(ctx: &ctx, set, attr, nlmsg_flags: info->nlh->nlmsg_flags);
7188 if (err < 0) {
7189 NL_SET_BAD_ATTR(extack, attr);
7190 return err;
7191 }
7192 }
7193
7194 if (table->validate_state == NFT_VALIDATE_DO)
7195 return nft_table_validate(net, table);
7196
7197 return 0;
7198}
7199
7200/**
7201 * nft_data_hold - hold a nft_data item
7202 *
7203 * @data: struct nft_data to release
7204 * @type: type of data
7205 *
7206 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7207 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7208 * NFT_GOTO verdicts. This function must be called on active data objects
7209 * from the second phase of the commit protocol.
7210 */
7211void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7212{
7213 struct nft_chain *chain;
7214
7215 if (type == NFT_DATA_VERDICT) {
7216 switch (data->verdict.code) {
7217 case NFT_JUMP:
7218 case NFT_GOTO:
7219 chain = data->verdict.chain;
7220 nft_use_inc_restore(use: &chain->use);
7221 break;
7222 }
7223 }
7224}
7225
7226static int nft_setelem_active_next(const struct net *net,
7227 const struct nft_set *set,
7228 struct nft_elem_priv *elem_priv)
7229{
7230 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7231 u8 genmask = nft_genmask_next(net);
7232
7233 return nft_set_elem_active(ext, genmask);
7234}
7235
7236static void nft_setelem_data_activate(const struct net *net,
7237 const struct nft_set *set,
7238 struct nft_elem_priv *elem_priv)
7239{
7240 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7241
7242 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_DATA))
7243 nft_data_hold(data: nft_set_ext_data(ext), type: set->dtype);
7244 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_OBJREF))
7245 nft_use_inc_restore(use: &(*nft_set_ext_obj(ext))->use);
7246}
7247
7248void nft_setelem_data_deactivate(const struct net *net,
7249 const struct nft_set *set,
7250 struct nft_elem_priv *elem_priv)
7251{
7252 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7253
7254 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_DATA))
7255 nft_data_release(data: nft_set_ext_data(ext), type: set->dtype);
7256 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_OBJREF))
7257 nft_use_dec(use: &(*nft_set_ext_obj(ext))->use);
7258}
7259
7260static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7261 const struct nlattr *attr)
7262{
7263 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7264 struct nft_set_ext_tmpl tmpl;
7265 struct nft_set_elem elem;
7266 struct nft_set_ext *ext;
7267 struct nft_trans *trans;
7268 u32 flags = 0;
7269 int err;
7270
7271 err = nla_parse_nested_deprecated(tb: nla, NFTA_SET_ELEM_MAX, nla: attr,
7272 policy: nft_set_elem_policy, NULL);
7273 if (err < 0)
7274 return err;
7275
7276 err = nft_setelem_parse_flags(set, attr: nla[NFTA_SET_ELEM_FLAGS], flags: &flags);
7277 if (err < 0)
7278 return err;
7279
7280 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7281 return -EINVAL;
7282
7283 if (!nft_setelem_valid_key_end(set, nla, flags))
7284 return -EINVAL;
7285
7286 nft_set_ext_prepare(tmpl: &tmpl);
7287
7288 if (flags != 0) {
7289 err = nft_set_ext_add(tmpl: &tmpl, id: NFT_SET_EXT_FLAGS);
7290 if (err < 0)
7291 return err;
7292 }
7293
7294 if (nla[NFTA_SET_ELEM_KEY]) {
7295 err = nft_setelem_parse_key(ctx, set, key: &elem.key.val,
7296 attr: nla[NFTA_SET_ELEM_KEY]);
7297 if (err < 0)
7298 return err;
7299
7300 err = nft_set_ext_add_length(tmpl: &tmpl, id: NFT_SET_EXT_KEY, len: set->klen);
7301 if (err < 0)
7302 goto fail_elem;
7303 }
7304
7305 if (nla[NFTA_SET_ELEM_KEY_END]) {
7306 err = nft_setelem_parse_key(ctx, set, key: &elem.key_end.val,
7307 attr: nla[NFTA_SET_ELEM_KEY_END]);
7308 if (err < 0)
7309 goto fail_elem;
7310
7311 err = nft_set_ext_add_length(tmpl: &tmpl, id: NFT_SET_EXT_KEY_END, len: set->klen);
7312 if (err < 0)
7313 goto fail_elem_key_end;
7314 }
7315
7316 err = -ENOMEM;
7317 elem.priv = nft_set_elem_init(set, tmpl: &tmpl, key: elem.key.val.data,
7318 key_end: elem.key_end.val.data, NULL, timeout: 0, expiration: 0,
7319 GFP_KERNEL_ACCOUNT);
7320 if (IS_ERR(ptr: elem.priv)) {
7321 err = PTR_ERR(ptr: elem.priv);
7322 goto fail_elem_key_end;
7323 }
7324
7325 ext = nft_set_elem_ext(set, elem_priv: elem.priv);
7326 if (flags)
7327 *nft_set_ext_flags(ext) = flags;
7328
7329 trans = nft_trans_elem_alloc(ctx, msg_type: NFT_MSG_DELSETELEM, set);
7330 if (trans == NULL)
7331 goto fail_trans;
7332
7333 err = nft_setelem_deactivate(net: ctx->net, set, elem: &elem, flags);
7334 if (err < 0)
7335 goto fail_ops;
7336
7337 nft_setelem_data_deactivate(net: ctx->net, set, elem_priv: elem.priv);
7338
7339 nft_trans_elem_priv(trans) = elem.priv;
7340 nft_trans_commit_list_add_tail(net: ctx->net, trans);
7341 return 0;
7342
7343fail_ops:
7344 kfree(objp: trans);
7345fail_trans:
7346 kfree(objp: elem.priv);
7347fail_elem_key_end:
7348 nft_data_release(data: &elem.key_end.val, type: NFT_DATA_VALUE);
7349fail_elem:
7350 nft_data_release(data: &elem.key.val, type: NFT_DATA_VALUE);
7351 return err;
7352}
7353
7354static int nft_setelem_flush(const struct nft_ctx *ctx,
7355 struct nft_set *set,
7356 const struct nft_set_iter *iter,
7357 struct nft_elem_priv *elem_priv)
7358{
7359 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7360 struct nft_trans *trans;
7361
7362 if (!nft_set_elem_active(ext, genmask: iter->genmask))
7363 return 0;
7364
7365 trans = nft_trans_alloc_gfp(ctx, msg_type: NFT_MSG_DELSETELEM,
7366 size: sizeof(struct nft_trans_elem), GFP_ATOMIC);
7367 if (!trans)
7368 return -ENOMEM;
7369
7370 set->ops->flush(ctx->net, set, elem_priv);
7371 set->ndeact++;
7372
7373 nft_setelem_data_deactivate(net: ctx->net, set, elem_priv);
7374 nft_trans_elem_set(trans) = set;
7375 nft_trans_elem_priv(trans) = elem_priv;
7376 nft_trans_commit_list_add_tail(net: ctx->net, trans);
7377
7378 return 0;
7379}
7380
7381static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7382 struct nft_set *set,
7383 struct nft_elem_priv *elem_priv)
7384{
7385 struct nft_trans *trans;
7386
7387 trans = nft_trans_alloc_gfp(ctx, msg_type: NFT_MSG_DELSETELEM,
7388 size: sizeof(struct nft_trans_elem), GFP_KERNEL);
7389 if (!trans)
7390 return -ENOMEM;
7391
7392 nft_setelem_data_deactivate(net: ctx->net, set, elem_priv);
7393 nft_trans_elem_set(trans) = set;
7394 nft_trans_elem_priv(trans) = elem_priv;
7395 nft_trans_commit_list_add_tail(net: ctx->net, trans);
7396
7397 return 0;
7398}
7399
7400static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7401 struct nft_set *set)
7402{
7403 u8 genmask = nft_genmask_next(net: ctx->net);
7404 struct nft_set_elem_catchall *catchall;
7405 struct nft_set_ext *ext;
7406 int ret = 0;
7407
7408 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
7409 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
7410 if (!nft_set_elem_active(ext, genmask))
7411 continue;
7412
7413 ret = __nft_set_catchall_flush(ctx, set, elem_priv: catchall->elem);
7414 if (ret < 0)
7415 break;
7416 nft_set_elem_change_active(net: ctx->net, set, ext);
7417 }
7418
7419 return ret;
7420}
7421
7422static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
7423{
7424 struct nft_set_iter iter = {
7425 .genmask = genmask,
7426 .type = NFT_ITER_UPDATE,
7427 .fn = nft_setelem_flush,
7428 };
7429
7430 set->ops->walk(ctx, set, &iter);
7431 if (!iter.err)
7432 iter.err = nft_set_catchall_flush(ctx, set);
7433
7434 return iter.err;
7435}
7436
7437static int nf_tables_delsetelem(struct sk_buff *skb,
7438 const struct nfnl_info *info,
7439 const struct nlattr * const nla[])
7440{
7441 struct netlink_ext_ack *extack = info->extack;
7442 u8 genmask = nft_genmask_next(net: info->net);
7443 u8 family = info->nfmsg->nfgen_family;
7444 struct net *net = info->net;
7445 const struct nlattr *attr;
7446 struct nft_table *table;
7447 struct nft_set *set;
7448 struct nft_ctx ctx;
7449 int rem, err = 0;
7450
7451 table = nft_table_lookup(net, nla: nla[NFTA_SET_ELEM_LIST_TABLE], family,
7452 genmask, NETLINK_CB(skb).portid);
7453 if (IS_ERR(ptr: table)) {
7454 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7455 return PTR_ERR(ptr: table);
7456 }
7457
7458 set = nft_set_lookup(table, nla: nla[NFTA_SET_ELEM_LIST_SET], genmask);
7459 if (IS_ERR(ptr: set)) {
7460 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7461 return PTR_ERR(ptr: set);
7462 }
7463
7464 if (nft_set_is_anonymous(set))
7465 return -EOPNOTSUPP;
7466
7467 if (!list_empty(head: &set->bindings) && (set->flags & NFT_SET_CONSTANT))
7468 return -EBUSY;
7469
7470 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
7471
7472 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
7473 return nft_set_flush(ctx: &ctx, set, genmask);
7474
7475 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7476 err = nft_del_setelem(ctx: &ctx, set, attr);
7477 if (err == -ENOENT &&
7478 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
7479 continue;
7480
7481 if (err < 0) {
7482 NL_SET_BAD_ATTR(extack, attr);
7483 return err;
7484 }
7485 }
7486
7487 return 0;
7488}
7489
7490/*
7491 * Stateful objects
7492 */
7493
7494/**
7495 * nft_register_obj- register nf_tables stateful object type
7496 * @obj_type: object type
7497 *
7498 * Registers the object type for use with nf_tables. Returns zero on
7499 * success or a negative errno code otherwise.
7500 */
7501int nft_register_obj(struct nft_object_type *obj_type)
7502{
7503 if (obj_type->type == NFT_OBJECT_UNSPEC)
7504 return -EINVAL;
7505
7506 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7507 list_add_rcu(new: &obj_type->list, head: &nf_tables_objects);
7508 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7509 return 0;
7510}
7511EXPORT_SYMBOL_GPL(nft_register_obj);
7512
7513/**
7514 * nft_unregister_obj - unregister nf_tables object type
7515 * @obj_type: object type
7516 *
7517 * Unregisters the object type for use with nf_tables.
7518 */
7519void nft_unregister_obj(struct nft_object_type *obj_type)
7520{
7521 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7522 list_del_rcu(entry: &obj_type->list);
7523 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7524}
7525EXPORT_SYMBOL_GPL(nft_unregister_obj);
7526
7527struct nft_object *nft_obj_lookup(const struct net *net,
7528 const struct nft_table *table,
7529 const struct nlattr *nla, u32 objtype,
7530 u8 genmask)
7531{
7532 struct nft_object_hash_key k = { .table = table };
7533 char search[NFT_OBJ_MAXNAMELEN];
7534 struct rhlist_head *tmp, *list;
7535 struct nft_object *obj;
7536
7537 nla_strscpy(dst: search, nla, dstsize: sizeof(search));
7538 k.name = search;
7539
7540 WARN_ON_ONCE(!rcu_read_lock_held() &&
7541 !lockdep_commit_lock_is_held(net));
7542
7543 rcu_read_lock();
7544 list = rhltable_lookup(hlt: &nft_objname_ht, key: &k, params: nft_objname_ht_params);
7545 if (!list)
7546 goto out;
7547
7548 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
7549 if (objtype == obj->ops->type->type &&
7550 nft_active_genmask(obj, genmask)) {
7551 rcu_read_unlock();
7552 return obj;
7553 }
7554 }
7555out:
7556 rcu_read_unlock();
7557 return ERR_PTR(error: -ENOENT);
7558}
7559EXPORT_SYMBOL_GPL(nft_obj_lookup);
7560
7561static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7562 const struct nlattr *nla,
7563 u32 objtype, u8 genmask)
7564{
7565 struct nft_object *obj;
7566
7567 list_for_each_entry(obj, &table->objects, list) {
7568 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7569 objtype == obj->ops->type->type &&
7570 nft_active_genmask(obj, genmask))
7571 return obj;
7572 }
7573 return ERR_PTR(error: -ENOENT);
7574}
7575
7576static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7577 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7578 .len = NFT_TABLE_MAXNAMELEN - 1 },
7579 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7580 .len = NFT_OBJ_MAXNAMELEN - 1 },
7581 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7582 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7583 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7584 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7585 .len = NFT_USERDATA_MAXLEN },
7586};
7587
7588static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7589 const struct nft_object_type *type,
7590 const struct nlattr *attr)
7591{
7592 struct nlattr **tb;
7593 const struct nft_object_ops *ops;
7594 struct nft_object *obj;
7595 int err = -ENOMEM;
7596
7597 tb = kmalloc_array(n: type->maxattr + 1, size: sizeof(*tb), GFP_KERNEL);
7598 if (!tb)
7599 goto err1;
7600
7601 if (attr) {
7602 err = nla_parse_nested_deprecated(tb, maxtype: type->maxattr, nla: attr,
7603 policy: type->policy, NULL);
7604 if (err < 0)
7605 goto err2;
7606 } else {
7607 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7608 }
7609
7610 if (type->select_ops) {
7611 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7612 if (IS_ERR(ptr: ops)) {
7613 err = PTR_ERR(ptr: ops);
7614 goto err2;
7615 }
7616 } else {
7617 ops = type->ops;
7618 }
7619
7620 err = -ENOMEM;
7621 obj = kzalloc(size: sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7622 if (!obj)
7623 goto err2;
7624
7625 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7626 if (err < 0)
7627 goto err3;
7628
7629 obj->ops = ops;
7630
7631 kfree(objp: tb);
7632 return obj;
7633err3:
7634 kfree(objp: obj);
7635err2:
7636 kfree(objp: tb);
7637err1:
7638 return ERR_PTR(error: err);
7639}
7640
7641static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7642 struct nft_object *obj, bool reset)
7643{
7644 struct nlattr *nest;
7645
7646 nest = nla_nest_start_noflag(skb, attrtype: attr);
7647 if (!nest)
7648 goto nla_put_failure;
7649 if (obj->ops->dump(skb, obj, reset) < 0)
7650 goto nla_put_failure;
7651 nla_nest_end(skb, start: nest);
7652 return 0;
7653
7654nla_put_failure:
7655 return -1;
7656}
7657
7658static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
7659{
7660 const struct nft_object_type *type;
7661
7662 list_for_each_entry_rcu(type, &nf_tables_objects, list) {
7663 if (type->family != NFPROTO_UNSPEC &&
7664 type->family != family)
7665 continue;
7666
7667 if (objtype == type->type)
7668 return type;
7669 }
7670 return NULL;
7671}
7672
7673static const struct nft_object_type *
7674nft_obj_type_get(struct net *net, u32 objtype, u8 family)
7675{
7676 const struct nft_object_type *type;
7677
7678 rcu_read_lock();
7679 type = __nft_obj_type_get(objtype, family);
7680 if (type != NULL && try_module_get(module: type->owner)) {
7681 rcu_read_unlock();
7682 return type;
7683 }
7684 rcu_read_unlock();
7685
7686 lockdep_nfnl_nft_mutex_not_held();
7687#ifdef CONFIG_MODULES
7688 if (type == NULL) {
7689 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7690 return ERR_PTR(error: -EAGAIN);
7691 }
7692#endif
7693 return ERR_PTR(error: -ENOENT);
7694}
7695
7696static int nf_tables_updobj(const struct nft_ctx *ctx,
7697 const struct nft_object_type *type,
7698 const struct nlattr *attr,
7699 struct nft_object *obj)
7700{
7701 struct nft_object *newobj;
7702 struct nft_trans *trans;
7703 int err = -ENOMEM;
7704
7705 if (!try_module_get(module: type->owner))
7706 return -ENOENT;
7707
7708 trans = nft_trans_alloc(ctx, msg_type: NFT_MSG_NEWOBJ,
7709 size: sizeof(struct nft_trans_obj));
7710 if (!trans)
7711 goto err_trans;
7712
7713 newobj = nft_obj_init(ctx, type, attr);
7714 if (IS_ERR(ptr: newobj)) {
7715 err = PTR_ERR(ptr: newobj);
7716 goto err_free_trans;
7717 }
7718
7719 nft_trans_obj(trans) = obj;
7720 nft_trans_obj_update(trans) = true;
7721 nft_trans_obj_newobj(trans) = newobj;
7722 nft_trans_commit_list_add_tail(net: ctx->net, trans);
7723
7724 return 0;
7725
7726err_free_trans:
7727 kfree(objp: trans);
7728err_trans:
7729 module_put(module: type->owner);
7730 return err;
7731}
7732
7733static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7734 const struct nlattr * const nla[])
7735{
7736 struct netlink_ext_ack *extack = info->extack;
7737 u8 genmask = nft_genmask_next(net: info->net);
7738 u8 family = info->nfmsg->nfgen_family;
7739 const struct nft_object_type *type;
7740 struct net *net = info->net;
7741 struct nft_table *table;
7742 struct nft_object *obj;
7743 struct nft_ctx ctx;
7744 u32 objtype;
7745 int err;
7746
7747 if (!nla[NFTA_OBJ_TYPE] ||
7748 !nla[NFTA_OBJ_NAME] ||
7749 !nla[NFTA_OBJ_DATA])
7750 return -EINVAL;
7751
7752 table = nft_table_lookup(net, nla: nla[NFTA_OBJ_TABLE], family, genmask,
7753 NETLINK_CB(skb).portid);
7754 if (IS_ERR(ptr: table)) {
7755 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7756 return PTR_ERR(ptr: table);
7757 }
7758
7759 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7760 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7761 if (IS_ERR(ptr: obj)) {
7762 err = PTR_ERR(ptr: obj);
7763 if (err != -ENOENT) {
7764 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7765 return err;
7766 }
7767 } else {
7768 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7769 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7770 return -EEXIST;
7771 }
7772 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7773 return -EOPNOTSUPP;
7774
7775 type = __nft_obj_type_get(objtype, family);
7776 if (WARN_ON_ONCE(!type))
7777 return -ENOENT;
7778
7779 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
7780
7781 return nf_tables_updobj(ctx: &ctx, type, attr: nla[NFTA_OBJ_DATA], obj);
7782 }
7783
7784 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
7785
7786 if (!nft_use_inc(use: &table->use))
7787 return -EMFILE;
7788
7789 type = nft_obj_type_get(net, objtype, family);
7790 if (IS_ERR(ptr: type)) {
7791 err = PTR_ERR(ptr: type);
7792 goto err_type;
7793 }
7794
7795 obj = nft_obj_init(ctx: &ctx, type, attr: nla[NFTA_OBJ_DATA]);
7796 if (IS_ERR(ptr: obj)) {
7797 err = PTR_ERR(ptr: obj);
7798 goto err_init;
7799 }
7800 obj->key.table = table;
7801 obj->handle = nf_tables_alloc_handle(table);
7802
7803 obj->key.name = nla_strdup(nla: nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7804 if (!obj->key.name) {
7805 err = -ENOMEM;
7806 goto err_strdup;
7807 }
7808
7809 if (nla[NFTA_OBJ_USERDATA]) {
7810 obj->udata = nla_memdup(src: nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7811 if (obj->udata == NULL)
7812 goto err_userdata;
7813
7814 obj->udlen = nla_len(nla: nla[NFTA_OBJ_USERDATA]);
7815 }
7816
7817 err = nft_trans_obj_add(ctx: &ctx, msg_type: NFT_MSG_NEWOBJ, obj);
7818 if (err < 0)
7819 goto err_trans;
7820
7821 err = rhltable_insert(hlt: &nft_objname_ht, list: &obj->rhlhead,
7822 params: nft_objname_ht_params);
7823 if (err < 0)
7824 goto err_obj_ht;
7825
7826 list_add_tail_rcu(new: &obj->list, head: &table->objects);
7827
7828 return 0;
7829err_obj_ht:
7830 /* queued in transaction log */
7831 INIT_LIST_HEAD(list: &obj->list);
7832 return err;
7833err_trans:
7834 kfree(objp: obj->udata);
7835err_userdata:
7836 kfree(objp: obj->key.name);
7837err_strdup:
7838 if (obj->ops->destroy)
7839 obj->ops->destroy(&ctx, obj);
7840 kfree(objp: obj);
7841err_init:
7842 module_put(module: type->owner);
7843err_type:
7844 nft_use_dec_restore(use: &table->use);
7845
7846 return err;
7847}
7848
7849static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7850 u32 portid, u32 seq, int event, u32 flags,
7851 int family, const struct nft_table *table,
7852 struct nft_object *obj, bool reset)
7853{
7854 struct nlmsghdr *nlh;
7855
7856 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, msg_type: event);
7857 nlh = nfnl_msg_put(skb, portid, seq, type: event, flags, family,
7858 NFNETLINK_V0, res_id: nft_base_seq(net));
7859 if (!nlh)
7860 goto nla_put_failure;
7861
7862 if (nla_put_string(skb, attrtype: NFTA_OBJ_TABLE, str: table->name) ||
7863 nla_put_string(skb, attrtype: NFTA_OBJ_NAME, str: obj->key.name) ||
7864 nla_put_be64(skb, attrtype: NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7865 padattr: NFTA_OBJ_PAD))
7866 goto nla_put_failure;
7867
7868 if (event == NFT_MSG_DELOBJ) {
7869 nlmsg_end(skb, nlh);
7870 return 0;
7871 }
7872
7873 if (nla_put_be32(skb, attrtype: NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7874 nla_put_be32(skb, attrtype: NFTA_OBJ_USE, htonl(obj->use)) ||
7875 nft_object_dump(skb, attr: NFTA_OBJ_DATA, obj, reset))
7876 goto nla_put_failure;
7877
7878 if (obj->udata &&
7879 nla_put(skb, attrtype: NFTA_OBJ_USERDATA, attrlen: obj->udlen, data: obj->udata))
7880 goto nla_put_failure;
7881
7882 nlmsg_end(skb, nlh);
7883 return 0;
7884
7885nla_put_failure:
7886 nlmsg_trim(skb, mark: nlh);
7887 return -1;
7888}
7889
7890static void audit_log_obj_reset(const struct nft_table *table,
7891 unsigned int base_seq, unsigned int nentries)
7892{
7893 char *buf = kasprintf(GFP_ATOMIC, fmt: "%s:%u", table->name, base_seq);
7894
7895 audit_log_nfcfg(name: buf, af: table->family, nentries,
7896 op: AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
7897 kfree(objp: buf);
7898}
7899
7900struct nft_obj_dump_ctx {
7901 unsigned int s_idx;
7902 char *table;
7903 u32 type;
7904 bool reset;
7905};
7906
7907static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7908{
7909 const struct nfgenmsg *nfmsg = nlmsg_data(nlh: cb->nlh);
7910 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7911 struct net *net = sock_net(sk: skb->sk);
7912 int family = nfmsg->nfgen_family;
7913 struct nftables_pernet *nft_net;
7914 const struct nft_table *table;
7915 unsigned int entries = 0;
7916 struct nft_object *obj;
7917 unsigned int idx = 0;
7918 int rc = 0;
7919
7920 rcu_read_lock();
7921 nft_net = nft_pernet(net);
7922 cb->seq = READ_ONCE(nft_net->base_seq);
7923
7924 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7925 if (family != NFPROTO_UNSPEC && family != table->family)
7926 continue;
7927
7928 entries = 0;
7929 list_for_each_entry_rcu(obj, &table->objects, list) {
7930 if (!nft_is_active(net, obj))
7931 goto cont;
7932 if (idx < ctx->s_idx)
7933 goto cont;
7934 if (ctx->table && strcmp(ctx->table, table->name))
7935 goto cont;
7936 if (ctx->type != NFT_OBJECT_UNSPEC &&
7937 obj->ops->type->type != ctx->type)
7938 goto cont;
7939
7940 rc = nf_tables_fill_obj_info(skb, net,
7941 NETLINK_CB(cb->skb).portid,
7942 seq: cb->nlh->nlmsg_seq,
7943 event: NFT_MSG_NEWOBJ,
7944 NLM_F_MULTI | NLM_F_APPEND,
7945 family: table->family, table,
7946 obj, reset: ctx->reset);
7947 if (rc < 0)
7948 break;
7949
7950 entries++;
7951 nl_dump_check_consistent(cb, nlh: nlmsg_hdr(skb));
7952cont:
7953 idx++;
7954 }
7955 if (ctx->reset && entries)
7956 audit_log_obj_reset(table, base_seq: nft_net->base_seq, nentries: entries);
7957 if (rc < 0)
7958 break;
7959 }
7960 rcu_read_unlock();
7961
7962 ctx->s_idx = idx;
7963 return skb->len;
7964}
7965
7966static int nf_tables_dump_obj_start(struct netlink_callback *cb)
7967{
7968 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7969 const struct nlattr * const *nla = cb->data;
7970
7971 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
7972
7973 if (nla[NFTA_OBJ_TABLE]) {
7974 ctx->table = nla_strdup(nla: nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
7975 if (!ctx->table)
7976 return -ENOMEM;
7977 }
7978
7979 if (nla[NFTA_OBJ_TYPE])
7980 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7981
7982 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7983 ctx->reset = true;
7984
7985 return 0;
7986}
7987
7988static int nf_tables_dump_obj_done(struct netlink_callback *cb)
7989{
7990 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7991
7992 kfree(objp: ctx->table);
7993
7994 return 0;
7995}
7996
7997/* called with rcu_read_lock held */
7998static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
7999 const struct nlattr * const nla[])
8000{
8001 struct netlink_ext_ack *extack = info->extack;
8002 u8 genmask = nft_genmask_cur(net: info->net);
8003 u8 family = info->nfmsg->nfgen_family;
8004 const struct nft_table *table;
8005 struct net *net = info->net;
8006 struct nft_object *obj;
8007 struct sk_buff *skb2;
8008 bool reset = false;
8009 u32 objtype;
8010 int err;
8011
8012 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8013 struct netlink_dump_control c = {
8014 .start = nf_tables_dump_obj_start,
8015 .dump = nf_tables_dump_obj,
8016 .done = nf_tables_dump_obj_done,
8017 .module = THIS_MODULE,
8018 .data = (void *)nla,
8019 };
8020
8021 return nft_netlink_dump_start_rcu(nlsk: info->sk, skb, nlh: info->nlh, c: &c);
8022 }
8023
8024 if (!nla[NFTA_OBJ_NAME] ||
8025 !nla[NFTA_OBJ_TYPE])
8026 return -EINVAL;
8027
8028 table = nft_table_lookup(net, nla: nla[NFTA_OBJ_TABLE], family, genmask, nlpid: 0);
8029 if (IS_ERR(ptr: table)) {
8030 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8031 return PTR_ERR(ptr: table);
8032 }
8033
8034 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8035 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8036 if (IS_ERR(ptr: obj)) {
8037 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8038 return PTR_ERR(ptr: obj);
8039 }
8040
8041 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8042 if (!skb2)
8043 return -ENOMEM;
8044
8045 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
8046 reset = true;
8047
8048 if (reset) {
8049 const struct nftables_pernet *nft_net;
8050 char *buf;
8051
8052 nft_net = nft_pernet(net);
8053 buf = kasprintf(GFP_ATOMIC, fmt: "%s:%u", table->name, nft_net->base_seq);
8054
8055 audit_log_nfcfg(name: buf,
8056 af: family,
8057 nentries: 1,
8058 op: AUDIT_NFT_OP_OBJ_RESET,
8059 GFP_ATOMIC);
8060 kfree(objp: buf);
8061 }
8062
8063 err = nf_tables_fill_obj_info(skb: skb2, net, NETLINK_CB(skb).portid,
8064 seq: info->nlh->nlmsg_seq, event: NFT_MSG_NEWOBJ, flags: 0,
8065 family, table, obj, reset);
8066 if (err < 0)
8067 goto err_fill_obj_info;
8068
8069 return nfnetlink_unicast(skb: skb2, net, NETLINK_CB(skb).portid);
8070
8071err_fill_obj_info:
8072 kfree_skb(skb: skb2);
8073 return err;
8074}
8075
8076static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
8077{
8078 if (obj->ops->destroy)
8079 obj->ops->destroy(ctx, obj);
8080
8081 module_put(module: obj->ops->type->owner);
8082 kfree(objp: obj->key.name);
8083 kfree(objp: obj->udata);
8084 kfree(objp: obj);
8085}
8086
8087static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
8088 const struct nlattr * const nla[])
8089{
8090 struct netlink_ext_ack *extack = info->extack;
8091 u8 genmask = nft_genmask_next(net: info->net);
8092 u8 family = info->nfmsg->nfgen_family;
8093 struct net *net = info->net;
8094 const struct nlattr *attr;
8095 struct nft_table *table;
8096 struct nft_object *obj;
8097 struct nft_ctx ctx;
8098 u32 objtype;
8099
8100 if (!nla[NFTA_OBJ_TYPE] ||
8101 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
8102 return -EINVAL;
8103
8104 table = nft_table_lookup(net, nla: nla[NFTA_OBJ_TABLE], family, genmask,
8105 NETLINK_CB(skb).portid);
8106 if (IS_ERR(ptr: table)) {
8107 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8108 return PTR_ERR(ptr: table);
8109 }
8110
8111 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8112 if (nla[NFTA_OBJ_HANDLE]) {
8113 attr = nla[NFTA_OBJ_HANDLE];
8114 obj = nft_obj_lookup_byhandle(table, nla: attr, objtype, genmask);
8115 } else {
8116 attr = nla[NFTA_OBJ_NAME];
8117 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
8118 }
8119
8120 if (IS_ERR(ptr: obj)) {
8121 if (PTR_ERR(ptr: obj) == -ENOENT &&
8122 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
8123 return 0;
8124
8125 NL_SET_BAD_ATTR(extack, attr);
8126 return PTR_ERR(ptr: obj);
8127 }
8128 if (obj->use > 0) {
8129 NL_SET_BAD_ATTR(extack, attr);
8130 return -EBUSY;
8131 }
8132
8133 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
8134
8135 return nft_delobj(ctx: &ctx, obj);
8136}
8137
8138static void
8139__nft_obj_notify(struct net *net, const struct nft_table *table,
8140 struct nft_object *obj, u32 portid, u32 seq, int event,
8141 u16 flags, int family, int report, gfp_t gfp)
8142{
8143 struct nftables_pernet *nft_net = nft_pernet(net);
8144 struct sk_buff *skb;
8145 int err;
8146
8147 if (!report &&
8148 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8149 return;
8150
8151 skb = nlmsg_new(NLMSG_GOODSIZE, flags: gfp);
8152 if (skb == NULL)
8153 goto err;
8154
8155 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
8156 flags: flags & (NLM_F_CREATE | NLM_F_EXCL),
8157 family, table, obj, reset: false);
8158 if (err < 0) {
8159 kfree_skb(skb);
8160 goto err;
8161 }
8162
8163 nft_notify_enqueue(skb, report, notify_list: &nft_net->notify_list);
8164 return;
8165err:
8166 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, error: -ENOBUFS);
8167}
8168
8169void nft_obj_notify(struct net *net, const struct nft_table *table,
8170 struct nft_object *obj, u32 portid, u32 seq, int event,
8171 u16 flags, int family, int report, gfp_t gfp)
8172{
8173 struct nftables_pernet *nft_net = nft_pernet(net);
8174 char *buf = kasprintf(gfp, fmt: "%s:%u",
8175 table->name, nft_net->base_seq);
8176
8177 audit_log_nfcfg(name: buf,
8178 af: family,
8179 nentries: obj->handle,
8180 op: event == NFT_MSG_NEWOBJ ?
8181 AUDIT_NFT_OP_OBJ_REGISTER :
8182 AUDIT_NFT_OP_OBJ_UNREGISTER,
8183 gfp);
8184 kfree(objp: buf);
8185
8186 __nft_obj_notify(net, table, obj, portid, seq, event,
8187 flags, family, report, gfp);
8188}
8189EXPORT_SYMBOL_GPL(nft_obj_notify);
8190
8191static void nf_tables_obj_notify(const struct nft_ctx *ctx,
8192 struct nft_object *obj, int event)
8193{
8194 __nft_obj_notify(net: ctx->net, table: ctx->table, obj, portid: ctx->portid,
8195 seq: ctx->seq, event, flags: ctx->flags, family: ctx->family,
8196 report: ctx->report, GFP_KERNEL);
8197}
8198
8199/*
8200 * Flow tables
8201 */
8202void nft_register_flowtable_type(struct nf_flowtable_type *type)
8203{
8204 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8205 list_add_tail_rcu(new: &type->list, head: &nf_tables_flowtables);
8206 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8207}
8208EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
8209
8210void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
8211{
8212 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8213 list_del_rcu(entry: &type->list);
8214 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8215}
8216EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
8217
8218static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
8219 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
8220 .len = NFT_NAME_MAXLEN - 1 },
8221 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
8222 .len = NFT_NAME_MAXLEN - 1 },
8223 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8224 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8225 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8226};
8227
8228struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
8229 const struct nlattr *nla, u8 genmask)
8230{
8231 struct nft_flowtable *flowtable;
8232
8233 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8234 if (!nla_strcmp(nla, str: flowtable->name) &&
8235 nft_active_genmask(flowtable, genmask))
8236 return flowtable;
8237 }
8238 return ERR_PTR(error: -ENOENT);
8239}
8240EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8241
8242void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8243 struct nft_flowtable *flowtable,
8244 enum nft_trans_phase phase)
8245{
8246 switch (phase) {
8247 case NFT_TRANS_PREPARE_ERROR:
8248 case NFT_TRANS_PREPARE:
8249 case NFT_TRANS_ABORT:
8250 case NFT_TRANS_RELEASE:
8251 nft_use_dec(use: &flowtable->use);
8252 fallthrough;
8253 default:
8254 return;
8255 }
8256}
8257EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8258
8259static struct nft_flowtable *
8260nft_flowtable_lookup_byhandle(const struct nft_table *table,
8261 const struct nlattr *nla, u8 genmask)
8262{
8263 struct nft_flowtable *flowtable;
8264
8265 list_for_each_entry(flowtable, &table->flowtables, list) {
8266 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8267 nft_active_genmask(flowtable, genmask))
8268 return flowtable;
8269 }
8270 return ERR_PTR(error: -ENOENT);
8271}
8272
8273struct nft_flowtable_hook {
8274 u32 num;
8275 int priority;
8276 struct list_head list;
8277};
8278
8279static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8280 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8281 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8282 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8283};
8284
8285static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8286 const struct nlattr * const nla[],
8287 struct nft_flowtable_hook *flowtable_hook,
8288 struct nft_flowtable *flowtable,
8289 struct netlink_ext_ack *extack, bool add)
8290{
8291 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8292 struct nft_hook *hook;
8293 int hooknum, priority;
8294 int err;
8295
8296 INIT_LIST_HEAD(list: &flowtable_hook->list);
8297
8298 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8299 nla: nla[NFTA_FLOWTABLE_HOOK],
8300 policy: nft_flowtable_hook_policy, NULL);
8301 if (err < 0)
8302 return err;
8303
8304 if (add) {
8305 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8306 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8307 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8308 return -ENOENT;
8309 }
8310
8311 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8312 if (hooknum != NF_NETDEV_INGRESS)
8313 return -EOPNOTSUPP;
8314
8315 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8316
8317 flowtable_hook->priority = priority;
8318 flowtable_hook->num = hooknum;
8319 } else {
8320 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8321 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8322 if (hooknum != flowtable->hooknum)
8323 return -EOPNOTSUPP;
8324 }
8325
8326 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8327 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8328 if (priority != flowtable->data.priority)
8329 return -EOPNOTSUPP;
8330 }
8331
8332 flowtable_hook->priority = flowtable->data.priority;
8333 flowtable_hook->num = flowtable->hooknum;
8334 }
8335
8336 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8337 err = nf_tables_parse_netdev_hooks(net: ctx->net,
8338 attr: tb[NFTA_FLOWTABLE_HOOK_DEVS],
8339 hook_list: &flowtable_hook->list,
8340 extack);
8341 if (err < 0)
8342 return err;
8343 }
8344
8345 list_for_each_entry(hook, &flowtable_hook->list, list) {
8346 hook->ops.pf = NFPROTO_NETDEV;
8347 hook->ops.hooknum = flowtable_hook->num;
8348 hook->ops.priority = flowtable_hook->priority;
8349 hook->ops.priv = &flowtable->data;
8350 hook->ops.hook = flowtable->data.type->hook;
8351 }
8352
8353 return err;
8354}
8355
8356/* call under rcu_read_lock */
8357static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
8358{
8359 const struct nf_flowtable_type *type;
8360
8361 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
8362 if (family == type->family)
8363 return type;
8364 }
8365 return NULL;
8366}
8367
8368static const struct nf_flowtable_type *
8369nft_flowtable_type_get(struct net *net, u8 family)
8370{
8371 const struct nf_flowtable_type *type;
8372
8373 rcu_read_lock();
8374 type = __nft_flowtable_type_get(family);
8375 if (type != NULL && try_module_get(module: type->owner)) {
8376 rcu_read_unlock();
8377 return type;
8378 }
8379 rcu_read_unlock();
8380
8381 lockdep_nfnl_nft_mutex_not_held();
8382#ifdef CONFIG_MODULES
8383 if (type == NULL) {
8384 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
8385 return ERR_PTR(error: -EAGAIN);
8386 }
8387#endif
8388 return ERR_PTR(error: -ENOENT);
8389}
8390
8391/* Only called from error and netdev event paths. */
8392static void nft_unregister_flowtable_hook(struct net *net,
8393 struct nft_flowtable *flowtable,
8394 struct nft_hook *hook)
8395{
8396 nf_unregister_net_hook(net, ops: &hook->ops);
8397 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8398 FLOW_BLOCK_UNBIND);
8399}
8400
8401static void __nft_unregister_flowtable_net_hooks(struct net *net,
8402 struct list_head *hook_list,
8403 bool release_netdev)
8404{
8405 struct nft_hook *hook, *next;
8406
8407 list_for_each_entry_safe(hook, next, hook_list, list) {
8408 nf_unregister_net_hook(net, ops: &hook->ops);
8409 if (release_netdev) {
8410 list_del(entry: &hook->list);
8411 kfree_rcu(hook, rcu);
8412 }
8413 }
8414}
8415
8416static void nft_unregister_flowtable_net_hooks(struct net *net,
8417 struct list_head *hook_list)
8418{
8419 __nft_unregister_flowtable_net_hooks(net, hook_list, release_netdev: false);
8420}
8421
8422static int nft_register_flowtable_net_hooks(struct net *net,
8423 struct nft_table *table,
8424 struct list_head *hook_list,
8425 struct nft_flowtable *flowtable)
8426{
8427 struct nft_hook *hook, *hook2, *next;
8428 struct nft_flowtable *ft;
8429 int err, i = 0;
8430
8431 list_for_each_entry(hook, hook_list, list) {
8432 list_for_each_entry(ft, &table->flowtables, list) {
8433 if (!nft_is_active_next(net, ft))
8434 continue;
8435
8436 list_for_each_entry(hook2, &ft->hook_list, list) {
8437 if (hook->ops.dev == hook2->ops.dev &&
8438 hook->ops.pf == hook2->ops.pf) {
8439 err = -EEXIST;
8440 goto err_unregister_net_hooks;
8441 }
8442 }
8443 }
8444
8445 err = flowtable->data.type->setup(&flowtable->data,
8446 hook->ops.dev,
8447 FLOW_BLOCK_BIND);
8448 if (err < 0)
8449 goto err_unregister_net_hooks;
8450
8451 err = nf_register_net_hook(net, ops: &hook->ops);
8452 if (err < 0) {
8453 flowtable->data.type->setup(&flowtable->data,
8454 hook->ops.dev,
8455 FLOW_BLOCK_UNBIND);
8456 goto err_unregister_net_hooks;
8457 }
8458
8459 i++;
8460 }
8461
8462 return 0;
8463
8464err_unregister_net_hooks:
8465 list_for_each_entry_safe(hook, next, hook_list, list) {
8466 if (i-- <= 0)
8467 break;
8468
8469 nft_unregister_flowtable_hook(net, flowtable, hook);
8470 list_del_rcu(entry: &hook->list);
8471 kfree_rcu(hook, rcu);
8472 }
8473
8474 return err;
8475}
8476
8477static void nft_hooks_destroy(struct list_head *hook_list)
8478{
8479 struct nft_hook *hook, *next;
8480
8481 list_for_each_entry_safe(hook, next, hook_list, list) {
8482 list_del_rcu(entry: &hook->list);
8483 kfree_rcu(hook, rcu);
8484 }
8485}
8486
8487static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
8488 struct nft_flowtable *flowtable,
8489 struct netlink_ext_ack *extack)
8490{
8491 const struct nlattr * const *nla = ctx->nla;
8492 struct nft_flowtable_hook flowtable_hook;
8493 struct nft_hook *hook, *next;
8494 struct nft_trans *trans;
8495 bool unregister = false;
8496 u32 flags;
8497 int err;
8498
8499 err = nft_flowtable_parse_hook(ctx, nla, flowtable_hook: &flowtable_hook, flowtable,
8500 extack, add: false);
8501 if (err < 0)
8502 return err;
8503
8504 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8505 if (nft_hook_list_find(hook_list: &flowtable->hook_list, this: hook)) {
8506 list_del(entry: &hook->list);
8507 kfree(objp: hook);
8508 }
8509 }
8510
8511 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8512 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8513 if (flags & ~NFT_FLOWTABLE_MASK) {
8514 err = -EOPNOTSUPP;
8515 goto err_flowtable_update_hook;
8516 }
8517 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
8518 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
8519 err = -EOPNOTSUPP;
8520 goto err_flowtable_update_hook;
8521 }
8522 } else {
8523 flags = flowtable->data.flags;
8524 }
8525
8526 err = nft_register_flowtable_net_hooks(net: ctx->net, table: ctx->table,
8527 hook_list: &flowtable_hook.list, flowtable);
8528 if (err < 0)
8529 goto err_flowtable_update_hook;
8530
8531 trans = nft_trans_alloc(ctx, msg_type: NFT_MSG_NEWFLOWTABLE,
8532 size: sizeof(struct nft_trans_flowtable));
8533 if (!trans) {
8534 unregister = true;
8535 err = -ENOMEM;
8536 goto err_flowtable_update_hook;
8537 }
8538
8539 nft_trans_flowtable_flags(trans) = flags;
8540 nft_trans_flowtable(trans) = flowtable;
8541 nft_trans_flowtable_update(trans) = true;
8542 INIT_LIST_HEAD(list: &nft_trans_flowtable_hooks(trans));
8543 list_splice(list: &flowtable_hook.list, head: &nft_trans_flowtable_hooks(trans));
8544
8545 nft_trans_commit_list_add_tail(net: ctx->net, trans);
8546
8547 return 0;
8548
8549err_flowtable_update_hook:
8550 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8551 if (unregister)
8552 nft_unregister_flowtable_hook(net: ctx->net, flowtable, hook);
8553 list_del_rcu(entry: &hook->list);
8554 kfree_rcu(hook, rcu);
8555 }
8556
8557 return err;
8558
8559}
8560
8561static int nf_tables_newflowtable(struct sk_buff *skb,
8562 const struct nfnl_info *info,
8563 const struct nlattr * const nla[])
8564{
8565 struct netlink_ext_ack *extack = info->extack;
8566 struct nft_flowtable_hook flowtable_hook;
8567 u8 genmask = nft_genmask_next(net: info->net);
8568 u8 family = info->nfmsg->nfgen_family;
8569 const struct nf_flowtable_type *type;
8570 struct nft_flowtable *flowtable;
8571 struct net *net = info->net;
8572 struct nft_table *table;
8573 struct nft_trans *trans;
8574 struct nft_ctx ctx;
8575 int err;
8576
8577 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8578 !nla[NFTA_FLOWTABLE_NAME] ||
8579 !nla[NFTA_FLOWTABLE_HOOK])
8580 return -EINVAL;
8581
8582 table = nft_table_lookup(net, nla: nla[NFTA_FLOWTABLE_TABLE], family,
8583 genmask, NETLINK_CB(skb).portid);
8584 if (IS_ERR(ptr: table)) {
8585 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8586 return PTR_ERR(ptr: table);
8587 }
8588
8589 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8590 genmask);
8591 if (IS_ERR(ptr: flowtable)) {
8592 err = PTR_ERR(ptr: flowtable);
8593 if (err != -ENOENT) {
8594 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8595 return err;
8596 }
8597 } else {
8598 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8599 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8600 return -EEXIST;
8601 }
8602
8603 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
8604
8605 return nft_flowtable_update(ctx: &ctx, nlh: info->nlh, flowtable, extack);
8606 }
8607
8608 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
8609
8610 if (!nft_use_inc(use: &table->use))
8611 return -EMFILE;
8612
8613 flowtable = kzalloc(size: sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
8614 if (!flowtable) {
8615 err = -ENOMEM;
8616 goto flowtable_alloc;
8617 }
8618
8619 flowtable->table = table;
8620 flowtable->handle = nf_tables_alloc_handle(table);
8621 INIT_LIST_HEAD(list: &flowtable->hook_list);
8622
8623 flowtable->name = nla_strdup(nla: nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
8624 if (!flowtable->name) {
8625 err = -ENOMEM;
8626 goto err1;
8627 }
8628
8629 type = nft_flowtable_type_get(net, family);
8630 if (IS_ERR(ptr: type)) {
8631 err = PTR_ERR(ptr: type);
8632 goto err2;
8633 }
8634
8635 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8636 flowtable->data.flags =
8637 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8638 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
8639 err = -EOPNOTSUPP;
8640 goto err3;
8641 }
8642 }
8643
8644 write_pnet(pnet: &flowtable->data.net, net);
8645 flowtable->data.type = type;
8646 err = type->init(&flowtable->data);
8647 if (err < 0)
8648 goto err3;
8649
8650 err = nft_flowtable_parse_hook(ctx: &ctx, nla, flowtable_hook: &flowtable_hook, flowtable,
8651 extack, add: true);
8652 if (err < 0)
8653 goto err_flowtable_parse_hooks;
8654
8655 list_splice(list: &flowtable_hook.list, head: &flowtable->hook_list);
8656 flowtable->data.priority = flowtable_hook.priority;
8657 flowtable->hooknum = flowtable_hook.num;
8658
8659 trans = nft_trans_flowtable_add(ctx: &ctx, msg_type: NFT_MSG_NEWFLOWTABLE, flowtable);
8660 if (IS_ERR(ptr: trans)) {
8661 err = PTR_ERR(ptr: trans);
8662 goto err_flowtable_trans;
8663 }
8664
8665 /* This must be LAST to ensure no packets are walking over this flowtable. */
8666 err = nft_register_flowtable_net_hooks(net: ctx.net, table,
8667 hook_list: &flowtable->hook_list,
8668 flowtable);
8669 if (err < 0)
8670 goto err_flowtable_hooks;
8671
8672 list_add_tail_rcu(new: &flowtable->list, head: &table->flowtables);
8673
8674 return 0;
8675
8676err_flowtable_hooks:
8677 nft_trans_destroy(trans);
8678err_flowtable_trans:
8679 nft_hooks_destroy(hook_list: &flowtable->hook_list);
8680err_flowtable_parse_hooks:
8681 flowtable->data.type->free(&flowtable->data);
8682err3:
8683 module_put(module: type->owner);
8684err2:
8685 kfree(objp: flowtable->name);
8686err1:
8687 kfree(objp: flowtable);
8688flowtable_alloc:
8689 nft_use_dec_restore(use: &table->use);
8690
8691 return err;
8692}
8693
8694static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8695{
8696 struct nft_hook *this, *next;
8697
8698 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8699 list_del(entry: &this->list);
8700 kfree(objp: this);
8701 }
8702}
8703
8704static int nft_delflowtable_hook(struct nft_ctx *ctx,
8705 struct nft_flowtable *flowtable,
8706 struct netlink_ext_ack *extack)
8707{
8708 const struct nlattr * const *nla = ctx->nla;
8709 struct nft_flowtable_hook flowtable_hook;
8710 LIST_HEAD(flowtable_del_list);
8711 struct nft_hook *this, *hook;
8712 struct nft_trans *trans;
8713 int err;
8714
8715 err = nft_flowtable_parse_hook(ctx, nla, flowtable_hook: &flowtable_hook, flowtable,
8716 extack, add: false);
8717 if (err < 0)
8718 return err;
8719
8720 list_for_each_entry(this, &flowtable_hook.list, list) {
8721 hook = nft_hook_list_find(hook_list: &flowtable->hook_list, this);
8722 if (!hook) {
8723 err = -ENOENT;
8724 goto err_flowtable_del_hook;
8725 }
8726 list_move(list: &hook->list, head: &flowtable_del_list);
8727 }
8728
8729 trans = nft_trans_alloc(ctx, msg_type: NFT_MSG_DELFLOWTABLE,
8730 size: sizeof(struct nft_trans_flowtable));
8731 if (!trans) {
8732 err = -ENOMEM;
8733 goto err_flowtable_del_hook;
8734 }
8735
8736 nft_trans_flowtable(trans) = flowtable;
8737 nft_trans_flowtable_update(trans) = true;
8738 INIT_LIST_HEAD(list: &nft_trans_flowtable_hooks(trans));
8739 list_splice(list: &flowtable_del_list, head: &nft_trans_flowtable_hooks(trans));
8740 nft_flowtable_hook_release(flowtable_hook: &flowtable_hook);
8741
8742 nft_trans_commit_list_add_tail(net: ctx->net, trans);
8743
8744 return 0;
8745
8746err_flowtable_del_hook:
8747 list_splice(list: &flowtable_del_list, head: &flowtable->hook_list);
8748 nft_flowtable_hook_release(flowtable_hook: &flowtable_hook);
8749
8750 return err;
8751}
8752
8753static int nf_tables_delflowtable(struct sk_buff *skb,
8754 const struct nfnl_info *info,
8755 const struct nlattr * const nla[])
8756{
8757 struct netlink_ext_ack *extack = info->extack;
8758 u8 genmask = nft_genmask_next(net: info->net);
8759 u8 family = info->nfmsg->nfgen_family;
8760 struct nft_flowtable *flowtable;
8761 struct net *net = info->net;
8762 const struct nlattr *attr;
8763 struct nft_table *table;
8764 struct nft_ctx ctx;
8765
8766 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8767 (!nla[NFTA_FLOWTABLE_NAME] &&
8768 !nla[NFTA_FLOWTABLE_HANDLE]))
8769 return -EINVAL;
8770
8771 table = nft_table_lookup(net, nla: nla[NFTA_FLOWTABLE_TABLE], family,
8772 genmask, NETLINK_CB(skb).portid);
8773 if (IS_ERR(ptr: table)) {
8774 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8775 return PTR_ERR(ptr: table);
8776 }
8777
8778 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8779 attr = nla[NFTA_FLOWTABLE_HANDLE];
8780 flowtable = nft_flowtable_lookup_byhandle(table, nla: attr, genmask);
8781 } else {
8782 attr = nla[NFTA_FLOWTABLE_NAME];
8783 flowtable = nft_flowtable_lookup(table, attr, genmask);
8784 }
8785
8786 if (IS_ERR(ptr: flowtable)) {
8787 if (PTR_ERR(ptr: flowtable) == -ENOENT &&
8788 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8789 return 0;
8790
8791 NL_SET_BAD_ATTR(extack, attr);
8792 return PTR_ERR(ptr: flowtable);
8793 }
8794
8795 nft_ctx_init(ctx: &ctx, net, skb, nlh: info->nlh, family, table, NULL, nla);
8796
8797 if (nla[NFTA_FLOWTABLE_HOOK])
8798 return nft_delflowtable_hook(ctx: &ctx, flowtable, extack);
8799
8800 if (flowtable->use > 0) {
8801 NL_SET_BAD_ATTR(extack, attr);
8802 return -EBUSY;
8803 }
8804
8805 return nft_delflowtable(ctx: &ctx, flowtable);
8806}
8807
8808static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8809 u32 portid, u32 seq, int event,
8810 u32 flags, int family,
8811 struct nft_flowtable *flowtable,
8812 struct list_head *hook_list)
8813{
8814 struct nlattr *nest, *nest_devs;
8815 struct nft_hook *hook;
8816 struct nlmsghdr *nlh;
8817
8818 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, msg_type: event);
8819 nlh = nfnl_msg_put(skb, portid, seq, type: event, flags, family,
8820 NFNETLINK_V0, res_id: nft_base_seq(net));
8821 if (!nlh)
8822 goto nla_put_failure;
8823
8824 if (nla_put_string(skb, attrtype: NFTA_FLOWTABLE_TABLE, str: flowtable->table->name) ||
8825 nla_put_string(skb, attrtype: NFTA_FLOWTABLE_NAME, str: flowtable->name) ||
8826 nla_put_be64(skb, attrtype: NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8827 padattr: NFTA_FLOWTABLE_PAD))
8828 goto nla_put_failure;
8829
8830 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
8831 nlmsg_end(skb, nlh);
8832 return 0;
8833 }
8834
8835 if (nla_put_be32(skb, attrtype: NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8836 nla_put_be32(skb, attrtype: NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8837 goto nla_put_failure;
8838
8839 nest = nla_nest_start_noflag(skb, attrtype: NFTA_FLOWTABLE_HOOK);
8840 if (!nest)
8841 goto nla_put_failure;
8842 if (nla_put_be32(skb, attrtype: NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8843 nla_put_be32(skb, attrtype: NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8844 goto nla_put_failure;
8845
8846 nest_devs = nla_nest_start_noflag(skb, attrtype: NFTA_FLOWTABLE_HOOK_DEVS);
8847 if (!nest_devs)
8848 goto nla_put_failure;
8849
8850 if (!hook_list)
8851 hook_list = &flowtable->hook_list;
8852
8853 list_for_each_entry_rcu(hook, hook_list, list) {
8854 if (nla_put_string(skb, attrtype: NFTA_DEVICE_NAME, str: hook->ops.dev->name))
8855 goto nla_put_failure;
8856 }
8857 nla_nest_end(skb, start: nest_devs);
8858 nla_nest_end(skb, start: nest);
8859
8860 nlmsg_end(skb, nlh);
8861 return 0;
8862
8863nla_put_failure:
8864 nlmsg_trim(skb, mark: nlh);
8865 return -1;
8866}
8867
8868struct nft_flowtable_filter {
8869 char *table;
8870};
8871
8872static int nf_tables_dump_flowtable(struct sk_buff *skb,
8873 struct netlink_callback *cb)
8874{
8875 const struct nfgenmsg *nfmsg = nlmsg_data(nlh: cb->nlh);
8876 struct nft_flowtable_filter *filter = cb->data;
8877 unsigned int idx = 0, s_idx = cb->args[0];
8878 struct net *net = sock_net(sk: skb->sk);
8879 int family = nfmsg->nfgen_family;
8880 struct nft_flowtable *flowtable;
8881 struct nftables_pernet *nft_net;
8882 const struct nft_table *table;
8883
8884 rcu_read_lock();
8885 nft_net = nft_pernet(net);
8886 cb->seq = READ_ONCE(nft_net->base_seq);
8887
8888 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8889 if (family != NFPROTO_UNSPEC && family != table->family)
8890 continue;
8891
8892 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8893 if (!nft_is_active(net, flowtable))
8894 goto cont;
8895 if (idx < s_idx)
8896 goto cont;
8897 if (idx > s_idx)
8898 memset(&cb->args[1], 0,
8899 sizeof(cb->args) - sizeof(cb->args[0]));
8900 if (filter && filter->table &&
8901 strcmp(filter->table, table->name))
8902 goto cont;
8903
8904 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
8905 seq: cb->nlh->nlmsg_seq,
8906 event: NFT_MSG_NEWFLOWTABLE,
8907 NLM_F_MULTI | NLM_F_APPEND,
8908 family: table->family,
8909 flowtable, NULL) < 0)
8910 goto done;
8911
8912 nl_dump_check_consistent(cb, nlh: nlmsg_hdr(skb));
8913cont:
8914 idx++;
8915 }
8916 }
8917done:
8918 rcu_read_unlock();
8919
8920 cb->args[0] = idx;
8921 return skb->len;
8922}
8923
8924static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
8925{
8926 const struct nlattr * const *nla = cb->data;
8927 struct nft_flowtable_filter *filter = NULL;
8928
8929 if (nla[NFTA_FLOWTABLE_TABLE]) {
8930 filter = kzalloc(size: sizeof(*filter), GFP_ATOMIC);
8931 if (!filter)
8932 return -ENOMEM;
8933
8934 filter->table = nla_strdup(nla: nla[NFTA_FLOWTABLE_TABLE],
8935 GFP_ATOMIC);
8936 if (!filter->table) {
8937 kfree(objp: filter);
8938 return -ENOMEM;
8939 }
8940 }
8941
8942 cb->data = filter;
8943 return 0;
8944}
8945
8946static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
8947{
8948 struct nft_flowtable_filter *filter = cb->data;
8949
8950 if (!filter)
8951 return 0;
8952
8953 kfree(objp: filter->table);
8954 kfree(objp: filter);
8955
8956 return 0;
8957}
8958
8959/* called with rcu_read_lock held */
8960static int nf_tables_getflowtable(struct sk_buff *skb,
8961 const struct nfnl_info *info,
8962 const struct nlattr * const nla[])
8963{
8964 struct netlink_ext_ack *extack = info->extack;
8965 u8 genmask = nft_genmask_cur(net: info->net);
8966 u8 family = info->nfmsg->nfgen_family;
8967 struct nft_flowtable *flowtable;
8968 const struct nft_table *table;
8969 struct net *net = info->net;
8970 struct sk_buff *skb2;
8971 int err;
8972
8973 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8974 struct netlink_dump_control c = {
8975 .start = nf_tables_dump_flowtable_start,
8976 .dump = nf_tables_dump_flowtable,
8977 .done = nf_tables_dump_flowtable_done,
8978 .module = THIS_MODULE,
8979 .data = (void *)nla,
8980 };
8981
8982 return nft_netlink_dump_start_rcu(nlsk: info->sk, skb, nlh: info->nlh, c: &c);
8983 }
8984
8985 if (!nla[NFTA_FLOWTABLE_NAME])
8986 return -EINVAL;
8987
8988 table = nft_table_lookup(net, nla: nla[NFTA_FLOWTABLE_TABLE], family,
8989 genmask, nlpid: 0);
8990 if (IS_ERR(ptr: table)) {
8991 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8992 return PTR_ERR(ptr: table);
8993 }
8994
8995 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8996 genmask);
8997 if (IS_ERR(ptr: flowtable)) {
8998 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8999 return PTR_ERR(ptr: flowtable);
9000 }
9001
9002 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9003 if (!skb2)
9004 return -ENOMEM;
9005
9006 err = nf_tables_fill_flowtable_info(skb: skb2, net, NETLINK_CB(skb).portid,
9007 seq: info->nlh->nlmsg_seq,
9008 event: NFT_MSG_NEWFLOWTABLE, flags: 0, family,
9009 flowtable, NULL);
9010 if (err < 0)
9011 goto err_fill_flowtable_info;
9012
9013 return nfnetlink_unicast(skb: skb2, net, NETLINK_CB(skb).portid);
9014
9015err_fill_flowtable_info:
9016 kfree_skb(skb: skb2);
9017 return err;
9018}
9019
9020static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
9021 struct nft_flowtable *flowtable,
9022 struct list_head *hook_list, int event)
9023{
9024 struct nftables_pernet *nft_net = nft_pernet(net: ctx->net);
9025 struct sk_buff *skb;
9026 u16 flags = 0;
9027 int err;
9028
9029 if (!ctx->report &&
9030 !nfnetlink_has_listeners(net: ctx->net, NFNLGRP_NFTABLES))
9031 return;
9032
9033 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9034 if (skb == NULL)
9035 goto err;
9036
9037 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
9038 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
9039
9040 err = nf_tables_fill_flowtable_info(skb, net: ctx->net, portid: ctx->portid,
9041 seq: ctx->seq, event, flags,
9042 family: ctx->family, flowtable, hook_list);
9043 if (err < 0) {
9044 kfree_skb(skb);
9045 goto err;
9046 }
9047
9048 nft_notify_enqueue(skb, report: ctx->report, notify_list: &nft_net->notify_list);
9049 return;
9050err:
9051 nfnetlink_set_err(net: ctx->net, portid: ctx->portid, NFNLGRP_NFTABLES, error: -ENOBUFS);
9052}
9053
9054static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
9055{
9056 struct nft_hook *hook, *next;
9057
9058 flowtable->data.type->free(&flowtable->data);
9059 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
9060 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
9061 FLOW_BLOCK_UNBIND);
9062 list_del_rcu(entry: &hook->list);
9063 kfree(objp: hook);
9064 }
9065 kfree(objp: flowtable->name);
9066 module_put(module: flowtable->data.type->owner);
9067 kfree(objp: flowtable);
9068}
9069
9070static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
9071 u32 portid, u32 seq)
9072{
9073 struct nftables_pernet *nft_net = nft_pernet(net);
9074 struct nlmsghdr *nlh;
9075 char buf[TASK_COMM_LEN];
9076 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, msg_type: NFT_MSG_NEWGEN);
9077
9078 nlh = nfnl_msg_put(skb, portid, seq, type: event, flags: 0, AF_UNSPEC,
9079 NFNETLINK_V0, res_id: nft_base_seq(net));
9080 if (!nlh)
9081 goto nla_put_failure;
9082
9083 if (nla_put_be32(skb, attrtype: NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
9084 nla_put_be32(skb, attrtype: NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
9085 nla_put_string(skb, attrtype: NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
9086 goto nla_put_failure;
9087
9088 nlmsg_end(skb, nlh);
9089 return 0;
9090
9091nla_put_failure:
9092 nlmsg_trim(skb, mark: nlh);
9093 return -EMSGSIZE;
9094}
9095
9096static void nft_flowtable_event(unsigned long event, struct net_device *dev,
9097 struct nft_flowtable *flowtable)
9098{
9099 struct nft_hook *hook;
9100
9101 list_for_each_entry(hook, &flowtable->hook_list, list) {
9102 if (hook->ops.dev != dev)
9103 continue;
9104
9105 /* flow_offload_netdev_event() cleans up entries for us. */
9106 nft_unregister_flowtable_hook(net: dev_net(dev), flowtable, hook);
9107 list_del_rcu(entry: &hook->list);
9108 kfree_rcu(hook, rcu);
9109 break;
9110 }
9111}
9112
9113static int nf_tables_flowtable_event(struct notifier_block *this,
9114 unsigned long event, void *ptr)
9115{
9116 struct net_device *dev = netdev_notifier_info_to_dev(info: ptr);
9117 struct nft_flowtable *flowtable;
9118 struct nftables_pernet *nft_net;
9119 struct nft_table *table;
9120 struct net *net;
9121
9122 if (event != NETDEV_UNREGISTER)
9123 return 0;
9124
9125 net = dev_net(dev);
9126 nft_net = nft_pernet(net);
9127 mutex_lock(&nft_net->commit_mutex);
9128 list_for_each_entry(table, &nft_net->tables, list) {
9129 list_for_each_entry(flowtable, &table->flowtables, list) {
9130 nft_flowtable_event(event, dev, flowtable);
9131 }
9132 }
9133 mutex_unlock(lock: &nft_net->commit_mutex);
9134
9135 return NOTIFY_DONE;
9136}
9137
9138static struct notifier_block nf_tables_flowtable_notifier = {
9139 .notifier_call = nf_tables_flowtable_event,
9140};
9141
9142static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
9143 int event)
9144{
9145 struct nlmsghdr *nlh = nlmsg_hdr(skb);
9146 struct sk_buff *skb2;
9147 int err;
9148
9149 if (!nlmsg_report(nlh) &&
9150 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
9151 return;
9152
9153 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9154 if (skb2 == NULL)
9155 goto err;
9156
9157 err = nf_tables_fill_gen_info(skb: skb2, net, NETLINK_CB(skb).portid,
9158 seq: nlh->nlmsg_seq);
9159 if (err < 0) {
9160 kfree_skb(skb: skb2);
9161 goto err;
9162 }
9163
9164 nfnetlink_send(skb: skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9165 echo: nlmsg_report(nlh), GFP_KERNEL);
9166 return;
9167err:
9168 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9169 error: -ENOBUFS);
9170}
9171
9172static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
9173 const struct nlattr * const nla[])
9174{
9175 struct sk_buff *skb2;
9176 int err;
9177
9178 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9179 if (skb2 == NULL)
9180 return -ENOMEM;
9181
9182 err = nf_tables_fill_gen_info(skb: skb2, net: info->net, NETLINK_CB(skb).portid,
9183 seq: info->nlh->nlmsg_seq);
9184 if (err < 0)
9185 goto err_fill_gen_info;
9186
9187 return nfnetlink_unicast(skb: skb2, net: info->net, NETLINK_CB(skb).portid);
9188
9189err_fill_gen_info:
9190 kfree_skb(skb: skb2);
9191 return err;
9192}
9193
9194static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
9195 [NFT_MSG_NEWTABLE] = {
9196 .call = nf_tables_newtable,
9197 .type = NFNL_CB_BATCH,
9198 .attr_count = NFTA_TABLE_MAX,
9199 .policy = nft_table_policy,
9200 },
9201 [NFT_MSG_GETTABLE] = {
9202 .call = nf_tables_gettable,
9203 .type = NFNL_CB_RCU,
9204 .attr_count = NFTA_TABLE_MAX,
9205 .policy = nft_table_policy,
9206 },
9207 [NFT_MSG_DELTABLE] = {
9208 .call = nf_tables_deltable,
9209 .type = NFNL_CB_BATCH,
9210 .attr_count = NFTA_TABLE_MAX,
9211 .policy = nft_table_policy,
9212 },
9213 [NFT_MSG_DESTROYTABLE] = {
9214 .call = nf_tables_deltable,
9215 .type = NFNL_CB_BATCH,
9216 .attr_count = NFTA_TABLE_MAX,
9217 .policy = nft_table_policy,
9218 },
9219 [NFT_MSG_NEWCHAIN] = {
9220 .call = nf_tables_newchain,
9221 .type = NFNL_CB_BATCH,
9222 .attr_count = NFTA_CHAIN_MAX,
9223 .policy = nft_chain_policy,
9224 },
9225 [NFT_MSG_GETCHAIN] = {
9226 .call = nf_tables_getchain,
9227 .type = NFNL_CB_RCU,
9228 .attr_count = NFTA_CHAIN_MAX,
9229 .policy = nft_chain_policy,
9230 },
9231 [NFT_MSG_DELCHAIN] = {
9232 .call = nf_tables_delchain,
9233 .type = NFNL_CB_BATCH,
9234 .attr_count = NFTA_CHAIN_MAX,
9235 .policy = nft_chain_policy,
9236 },
9237 [NFT_MSG_DESTROYCHAIN] = {
9238 .call = nf_tables_delchain,
9239 .type = NFNL_CB_BATCH,
9240 .attr_count = NFTA_CHAIN_MAX,
9241 .policy = nft_chain_policy,
9242 },
9243 [NFT_MSG_NEWRULE] = {
9244 .call = nf_tables_newrule,
9245 .type = NFNL_CB_BATCH,
9246 .attr_count = NFTA_RULE_MAX,
9247 .policy = nft_rule_policy,
9248 },
9249 [NFT_MSG_GETRULE] = {
9250 .call = nf_tables_getrule,
9251 .type = NFNL_CB_RCU,
9252 .attr_count = NFTA_RULE_MAX,
9253 .policy = nft_rule_policy,
9254 },
9255 [NFT_MSG_GETRULE_RESET] = {
9256 .call = nf_tables_getrule_reset,
9257 .type = NFNL_CB_RCU,
9258 .attr_count = NFTA_RULE_MAX,
9259 .policy = nft_rule_policy,
9260 },
9261 [NFT_MSG_DELRULE] = {
9262 .call = nf_tables_delrule,
9263 .type = NFNL_CB_BATCH,
9264 .attr_count = NFTA_RULE_MAX,
9265 .policy = nft_rule_policy,
9266 },
9267 [NFT_MSG_DESTROYRULE] = {
9268 .call = nf_tables_delrule,
9269 .type = NFNL_CB_BATCH,
9270 .attr_count = NFTA_RULE_MAX,
9271 .policy = nft_rule_policy,
9272 },
9273 [NFT_MSG_NEWSET] = {
9274 .call = nf_tables_newset,
9275 .type = NFNL_CB_BATCH,
9276 .attr_count = NFTA_SET_MAX,
9277 .policy = nft_set_policy,
9278 },
9279 [NFT_MSG_GETSET] = {
9280 .call = nf_tables_getset,
9281 .type = NFNL_CB_RCU,
9282 .attr_count = NFTA_SET_MAX,
9283 .policy = nft_set_policy,
9284 },
9285 [NFT_MSG_DELSET] = {
9286 .call = nf_tables_delset,
9287 .type = NFNL_CB_BATCH,
9288 .attr_count = NFTA_SET_MAX,
9289 .policy = nft_set_policy,
9290 },
9291 [NFT_MSG_DESTROYSET] = {
9292 .call = nf_tables_delset,
9293 .type = NFNL_CB_BATCH,
9294 .attr_count = NFTA_SET_MAX,
9295 .policy = nft_set_policy,
9296 },
9297 [NFT_MSG_NEWSETELEM] = {
9298 .call = nf_tables_newsetelem,
9299 .type = NFNL_CB_BATCH,
9300 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9301 .policy = nft_set_elem_list_policy,
9302 },
9303 [NFT_MSG_GETSETELEM] = {
9304 .call = nf_tables_getsetelem,
9305 .type = NFNL_CB_RCU,
9306 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9307 .policy = nft_set_elem_list_policy,
9308 },
9309 [NFT_MSG_GETSETELEM_RESET] = {
9310 .call = nf_tables_getsetelem_reset,
9311 .type = NFNL_CB_RCU,
9312 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9313 .policy = nft_set_elem_list_policy,
9314 },
9315 [NFT_MSG_DELSETELEM] = {
9316 .call = nf_tables_delsetelem,
9317 .type = NFNL_CB_BATCH,
9318 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9319 .policy = nft_set_elem_list_policy,
9320 },
9321 [NFT_MSG_DESTROYSETELEM] = {
9322 .call = nf_tables_delsetelem,
9323 .type = NFNL_CB_BATCH,
9324 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9325 .policy = nft_set_elem_list_policy,
9326 },
9327 [NFT_MSG_GETGEN] = {
9328 .call = nf_tables_getgen,
9329 .type = NFNL_CB_RCU,
9330 },
9331 [NFT_MSG_NEWOBJ] = {
9332 .call = nf_tables_newobj,
9333 .type = NFNL_CB_BATCH,
9334 .attr_count = NFTA_OBJ_MAX,
9335 .policy = nft_obj_policy,
9336 },
9337 [NFT_MSG_GETOBJ] = {
9338 .call = nf_tables_getobj,
9339 .type = NFNL_CB_RCU,
9340 .attr_count = NFTA_OBJ_MAX,
9341 .policy = nft_obj_policy,
9342 },
9343 [NFT_MSG_DELOBJ] = {
9344 .call = nf_tables_delobj,
9345 .type = NFNL_CB_BATCH,
9346 .attr_count = NFTA_OBJ_MAX,
9347 .policy = nft_obj_policy,
9348 },
9349 [NFT_MSG_DESTROYOBJ] = {
9350 .call = nf_tables_delobj,
9351 .type = NFNL_CB_BATCH,
9352 .attr_count = NFTA_OBJ_MAX,
9353 .policy = nft_obj_policy,
9354 },
9355 [NFT_MSG_GETOBJ_RESET] = {
9356 .call = nf_tables_getobj,
9357 .type = NFNL_CB_RCU,
9358 .attr_count = NFTA_OBJ_MAX,
9359 .policy = nft_obj_policy,
9360 },
9361 [NFT_MSG_NEWFLOWTABLE] = {
9362 .call = nf_tables_newflowtable,
9363 .type = NFNL_CB_BATCH,
9364 .attr_count = NFTA_FLOWTABLE_MAX,
9365 .policy = nft_flowtable_policy,
9366 },
9367 [NFT_MSG_GETFLOWTABLE] = {
9368 .call = nf_tables_getflowtable,
9369 .type = NFNL_CB_RCU,
9370 .attr_count = NFTA_FLOWTABLE_MAX,
9371 .policy = nft_flowtable_policy,
9372 },
9373 [NFT_MSG_DELFLOWTABLE] = {
9374 .call = nf_tables_delflowtable,
9375 .type = NFNL_CB_BATCH,
9376 .attr_count = NFTA_FLOWTABLE_MAX,
9377 .policy = nft_flowtable_policy,
9378 },
9379 [NFT_MSG_DESTROYFLOWTABLE] = {
9380 .call = nf_tables_delflowtable,
9381 .type = NFNL_CB_BATCH,
9382 .attr_count = NFTA_FLOWTABLE_MAX,
9383 .policy = nft_flowtable_policy,
9384 },
9385};
9386
9387static int nf_tables_validate(struct net *net)
9388{
9389 struct nftables_pernet *nft_net = nft_pernet(net);
9390 struct nft_table *table;
9391
9392 list_for_each_entry(table, &nft_net->tables, list) {
9393 switch (table->validate_state) {
9394 case NFT_VALIDATE_SKIP:
9395 continue;
9396 case NFT_VALIDATE_NEED:
9397 nft_validate_state_update(table, new_validate_state: NFT_VALIDATE_DO);
9398 fallthrough;
9399 case NFT_VALIDATE_DO:
9400 if (nft_table_validate(net, table) < 0)
9401 return -EAGAIN;
9402
9403 nft_validate_state_update(table, new_validate_state: NFT_VALIDATE_SKIP);
9404 break;
9405 }
9406 }
9407
9408 return 0;
9409}
9410
9411/* a drop policy has to be deferred until all rules have been activated,
9412 * otherwise a large ruleset that contains a drop-policy base chain will
9413 * cause all packets to get dropped until the full transaction has been
9414 * processed.
9415 *
9416 * We defer the drop policy until the transaction has been finalized.
9417 */
9418static void nft_chain_commit_drop_policy(struct nft_trans *trans)
9419{
9420 struct nft_base_chain *basechain;
9421
9422 if (nft_trans_chain_policy(trans) != NF_DROP)
9423 return;
9424
9425 if (!nft_is_base_chain(chain: trans->ctx.chain))
9426 return;
9427
9428 basechain = nft_base_chain(chain: trans->ctx.chain);
9429 basechain->policy = NF_DROP;
9430}
9431
9432static void nft_chain_commit_update(struct nft_trans *trans)
9433{
9434 struct nft_base_chain *basechain;
9435
9436 if (nft_trans_chain_name(trans)) {
9437 rhltable_remove(hlt: &trans->ctx.table->chains_ht,
9438 list: &trans->ctx.chain->rhlhead,
9439 params: nft_chain_ht_params);
9440 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
9441 rhltable_insert_key(hlt: &trans->ctx.table->chains_ht,
9442 key: trans->ctx.chain->name,
9443 list: &trans->ctx.chain->rhlhead,
9444 params: nft_chain_ht_params);
9445 }
9446
9447 if (!nft_is_base_chain(chain: trans->ctx.chain))
9448 return;
9449
9450 nft_chain_stats_replace(trans);
9451
9452 basechain = nft_base_chain(chain: trans->ctx.chain);
9453
9454 switch (nft_trans_chain_policy(trans)) {
9455 case NF_DROP:
9456 case NF_ACCEPT:
9457 basechain->policy = nft_trans_chain_policy(trans);
9458 break;
9459 }
9460}
9461
9462static void nft_obj_commit_update(struct nft_trans *trans)
9463{
9464 struct nft_object *newobj;
9465 struct nft_object *obj;
9466
9467 obj = nft_trans_obj(trans);
9468 newobj = nft_trans_obj_newobj(trans);
9469
9470 if (obj->ops->update)
9471 obj->ops->update(obj, newobj);
9472
9473 nft_obj_destroy(ctx: &trans->ctx, obj: newobj);
9474}
9475
9476static void nft_commit_release(struct nft_trans *trans)
9477{
9478 switch (trans->msg_type) {
9479 case NFT_MSG_DELTABLE:
9480 case NFT_MSG_DESTROYTABLE:
9481 nf_tables_table_destroy(ctx: &trans->ctx);
9482 break;
9483 case NFT_MSG_NEWCHAIN:
9484 free_percpu(nft_trans_chain_stats(trans));
9485 kfree(nft_trans_chain_name(trans));
9486 break;
9487 case NFT_MSG_DELCHAIN:
9488 case NFT_MSG_DESTROYCHAIN:
9489 if (nft_trans_chain_update(trans))
9490 nft_hooks_destroy(hook_list: &nft_trans_chain_hooks(trans));
9491 else
9492 nf_tables_chain_destroy(ctx: &trans->ctx);
9493 break;
9494 case NFT_MSG_DELRULE:
9495 case NFT_MSG_DESTROYRULE:
9496 nf_tables_rule_destroy(ctx: &trans->ctx, nft_trans_rule(trans));
9497 break;
9498 case NFT_MSG_DELSET:
9499 case NFT_MSG_DESTROYSET:
9500 nft_set_destroy(ctx: &trans->ctx, nft_trans_set(trans));
9501 break;
9502 case NFT_MSG_DELSETELEM:
9503 case NFT_MSG_DESTROYSETELEM:
9504 nf_tables_set_elem_destroy(ctx: &trans->ctx,
9505 nft_trans_elem_set(trans),
9506 nft_trans_elem_priv(trans));
9507 break;
9508 case NFT_MSG_DELOBJ:
9509 case NFT_MSG_DESTROYOBJ:
9510 nft_obj_destroy(ctx: &trans->ctx, nft_trans_obj(trans));
9511 break;
9512 case NFT_MSG_DELFLOWTABLE:
9513 case NFT_MSG_DESTROYFLOWTABLE:
9514 if (nft_trans_flowtable_update(trans))
9515 nft_hooks_destroy(hook_list: &nft_trans_flowtable_hooks(trans));
9516 else
9517 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9518 break;
9519 }
9520
9521 if (trans->put_net)
9522 put_net(net: trans->ctx.net);
9523
9524 kfree(objp: trans);
9525}
9526
9527static void nf_tables_trans_destroy_work(struct work_struct *w)
9528{
9529 struct nft_trans *trans, *next;
9530 LIST_HEAD(head);
9531
9532 spin_lock(lock: &nf_tables_destroy_list_lock);
9533 list_splice_init(list: &nf_tables_destroy_list, head: &head);
9534 spin_unlock(lock: &nf_tables_destroy_list_lock);
9535
9536 if (list_empty(head: &head))
9537 return;
9538
9539 synchronize_rcu();
9540
9541 list_for_each_entry_safe(trans, next, &head, list) {
9542 nft_trans_list_del(trans);
9543 nft_commit_release(trans);
9544 }
9545}
9546
9547void nf_tables_trans_destroy_flush_work(void)
9548{
9549 flush_work(work: &trans_destroy_work);
9550}
9551EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
9552
9553static bool nft_expr_reduce(struct nft_regs_track *track,
9554 const struct nft_expr *expr)
9555{
9556 return false;
9557}
9558
9559static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
9560{
9561 const struct nft_expr *expr, *last;
9562 struct nft_regs_track track = {};
9563 unsigned int size, data_size;
9564 void *data, *data_boundary;
9565 struct nft_rule_dp *prule;
9566 struct nft_rule *rule;
9567
9568 /* already handled or inactive chain? */
9569 if (chain->blob_next || !nft_is_active_next(net, chain))
9570 return 0;
9571
9572 data_size = 0;
9573 list_for_each_entry(rule, &chain->rules, list) {
9574 if (nft_is_active_next(net, rule)) {
9575 data_size += sizeof(*prule) + rule->dlen;
9576 if (data_size > INT_MAX)
9577 return -ENOMEM;
9578 }
9579 }
9580
9581 chain->blob_next = nf_tables_chain_alloc_rules(chain, size: data_size);
9582 if (!chain->blob_next)
9583 return -ENOMEM;
9584
9585 data = (void *)chain->blob_next->data;
9586 data_boundary = data + data_size;
9587 size = 0;
9588
9589 list_for_each_entry(rule, &chain->rules, list) {
9590 if (!nft_is_active_next(net, rule))
9591 continue;
9592
9593 prule = (struct nft_rule_dp *)data;
9594 data += offsetof(struct nft_rule_dp, data);
9595 if (WARN_ON_ONCE(data > data_boundary))
9596 return -ENOMEM;
9597
9598 size = 0;
9599 track.last = nft_expr_last(rule);
9600 nft_rule_for_each_expr(expr, last, rule) {
9601 track.cur = expr;
9602
9603 if (nft_expr_reduce(track: &track, expr)) {
9604 expr = track.cur;
9605 continue;
9606 }
9607
9608 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
9609 return -ENOMEM;
9610
9611 memcpy(data + size, expr, expr->ops->size);
9612 size += expr->ops->size;
9613 }
9614 if (WARN_ON_ONCE(size >= 1 << 12))
9615 return -ENOMEM;
9616
9617 prule->handle = rule->handle;
9618 prule->dlen = size;
9619 prule->is_last = 0;
9620
9621 data += size;
9622 size = 0;
9623 chain->blob_next->size += (unsigned long)(data - (void *)prule);
9624 }
9625
9626 if (WARN_ON_ONCE(data > data_boundary))
9627 return -ENOMEM;
9628
9629 prule = (struct nft_rule_dp *)data;
9630 nft_last_rule(chain, ptr: prule);
9631
9632 return 0;
9633}
9634
9635static void nf_tables_commit_chain_prepare_cancel(struct net *net)
9636{
9637 struct nftables_pernet *nft_net = nft_pernet(net);
9638 struct nft_trans *trans, *next;
9639
9640 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9641 struct nft_chain *chain = trans->ctx.chain;
9642
9643 if (trans->msg_type == NFT_MSG_NEWRULE ||
9644 trans->msg_type == NFT_MSG_DELRULE) {
9645 kvfree(addr: chain->blob_next);
9646 chain->blob_next = NULL;
9647 }
9648 }
9649}
9650
9651static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
9652{
9653 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
9654
9655 kvfree(addr: l->blob);
9656}
9657
9658static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
9659{
9660 struct nft_rule_dp_last *last;
9661
9662 /* last rule trailer is after end marker */
9663 last = (void *)blob + sizeof(*blob) + blob->size;
9664 last->blob = blob;
9665
9666 call_rcu(head: &last->h, func: __nf_tables_commit_chain_free_rules);
9667}
9668
9669static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
9670{
9671 struct nft_rule_blob *g0, *g1;
9672 bool next_genbit;
9673
9674 next_genbit = nft_gencursor_next(net);
9675
9676 g0 = rcu_dereference_protected(chain->blob_gen_0,
9677 lockdep_commit_lock_is_held(net));
9678 g1 = rcu_dereference_protected(chain->blob_gen_1,
9679 lockdep_commit_lock_is_held(net));
9680
9681 /* No changes to this chain? */
9682 if (chain->blob_next == NULL) {
9683 /* chain had no change in last or next generation */
9684 if (g0 == g1)
9685 return;
9686 /*
9687 * chain had no change in this generation; make sure next
9688 * one uses same rules as current generation.
9689 */
9690 if (next_genbit) {
9691 rcu_assign_pointer(chain->blob_gen_1, g0);
9692 nf_tables_commit_chain_free_rules_old(blob: g1);
9693 } else {
9694 rcu_assign_pointer(chain->blob_gen_0, g1);
9695 nf_tables_commit_chain_free_rules_old(blob: g0);
9696 }
9697
9698 return;
9699 }
9700
9701 if (next_genbit)
9702 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9703 else
9704 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9705
9706 chain->blob_next = NULL;
9707
9708 if (g0 == g1)
9709 return;
9710
9711 if (next_genbit)
9712 nf_tables_commit_chain_free_rules_old(blob: g1);
9713 else
9714 nf_tables_commit_chain_free_rules_old(blob: g0);
9715}
9716
9717static void nft_obj_del(struct nft_object *obj)
9718{
9719 rhltable_remove(hlt: &nft_objname_ht, list: &obj->rhlhead, params: nft_objname_ht_params);
9720 list_del_rcu(entry: &obj->list);
9721}
9722
9723void nft_chain_del(struct nft_chain *chain)
9724{
9725 struct nft_table *table = chain->table;
9726
9727 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9728 nft_chain_ht_params));
9729 list_del_rcu(entry: &chain->list);
9730}
9731
9732static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
9733 struct nft_trans_gc *trans)
9734{
9735 struct nft_elem_priv **priv = trans->priv;
9736 unsigned int i;
9737
9738 for (i = 0; i < trans->count; i++) {
9739 nft_setelem_data_deactivate(net: ctx->net, set: trans->set, elem_priv: priv[i]);
9740 nft_setelem_remove(net: ctx->net, set: trans->set, elem_priv: priv[i]);
9741 }
9742}
9743
9744void nft_trans_gc_destroy(struct nft_trans_gc *trans)
9745{
9746 nft_set_put(set: trans->set);
9747 put_net(net: trans->net);
9748 kfree(objp: trans);
9749}
9750
9751static void nft_trans_gc_trans_free(struct rcu_head *rcu)
9752{
9753 struct nft_elem_priv *elem_priv;
9754 struct nft_trans_gc *trans;
9755 struct nft_ctx ctx = {};
9756 unsigned int i;
9757
9758 trans = container_of(rcu, struct nft_trans_gc, rcu);
9759 ctx.net = read_pnet(pnet: &trans->set->net);
9760
9761 for (i = 0; i < trans->count; i++) {
9762 elem_priv = trans->priv[i];
9763 if (!nft_setelem_is_catchall(set: trans->set, elem_priv))
9764 atomic_dec(v: &trans->set->nelems);
9765
9766 nf_tables_set_elem_destroy(ctx: &ctx, set: trans->set, elem_priv);
9767 }
9768
9769 nft_trans_gc_destroy(trans);
9770}
9771
9772static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
9773{
9774 struct nftables_pernet *nft_net;
9775 struct nft_ctx ctx = {};
9776
9777 nft_net = nft_pernet(net: trans->net);
9778
9779 mutex_lock(&nft_net->commit_mutex);
9780
9781 /* Check for race with transaction, otherwise this batch refers to
9782 * stale objects that might not be there anymore. Skip transaction if
9783 * set has been destroyed from control plane transaction in case gc
9784 * worker loses race.
9785 */
9786 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
9787 mutex_unlock(lock: &nft_net->commit_mutex);
9788 return false;
9789 }
9790
9791 ctx.net = trans->net;
9792 ctx.table = trans->set->table;
9793
9794 nft_trans_gc_setelem_remove(ctx: &ctx, trans);
9795 mutex_unlock(lock: &nft_net->commit_mutex);
9796
9797 return true;
9798}
9799
9800static void nft_trans_gc_work(struct work_struct *work)
9801{
9802 struct nft_trans_gc *trans, *next;
9803 LIST_HEAD(trans_gc_list);
9804
9805 spin_lock(lock: &nf_tables_gc_list_lock);
9806 list_splice_init(list: &nf_tables_gc_list, head: &trans_gc_list);
9807 spin_unlock(lock: &nf_tables_gc_list_lock);
9808
9809 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
9810 list_del(entry: &trans->list);
9811 if (!nft_trans_gc_work_done(trans)) {
9812 nft_trans_gc_destroy(trans);
9813 continue;
9814 }
9815 call_rcu(head: &trans->rcu, func: nft_trans_gc_trans_free);
9816 }
9817}
9818
9819struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
9820 unsigned int gc_seq, gfp_t gfp)
9821{
9822 struct net *net = read_pnet(pnet: &set->net);
9823 struct nft_trans_gc *trans;
9824
9825 trans = kzalloc(size: sizeof(*trans), flags: gfp);
9826 if (!trans)
9827 return NULL;
9828
9829 trans->net = maybe_get_net(net);
9830 if (!trans->net) {
9831 kfree(objp: trans);
9832 return NULL;
9833 }
9834
9835 refcount_inc(r: &set->refs);
9836 trans->set = set;
9837 trans->seq = gc_seq;
9838
9839 return trans;
9840}
9841
9842void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
9843{
9844 trans->priv[trans->count++] = priv;
9845}
9846
9847static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
9848{
9849 spin_lock(lock: &nf_tables_gc_list_lock);
9850 list_add_tail(new: &trans->list, head: &nf_tables_gc_list);
9851 spin_unlock(lock: &nf_tables_gc_list_lock);
9852
9853 schedule_work(work: &trans_gc_work);
9854}
9855
9856static int nft_trans_gc_space(struct nft_trans_gc *trans)
9857{
9858 return NFT_TRANS_GC_BATCHCOUNT - trans->count;
9859}
9860
9861struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
9862 unsigned int gc_seq, gfp_t gfp)
9863{
9864 struct nft_set *set;
9865
9866 if (nft_trans_gc_space(trans: gc))
9867 return gc;
9868
9869 set = gc->set;
9870 nft_trans_gc_queue_work(trans: gc);
9871
9872 return nft_trans_gc_alloc(set, gc_seq, gfp);
9873}
9874
9875void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
9876{
9877 if (trans->count == 0) {
9878 nft_trans_gc_destroy(trans);
9879 return;
9880 }
9881
9882 nft_trans_gc_queue_work(trans);
9883}
9884
9885struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
9886{
9887 struct nft_set *set;
9888
9889 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
9890 return NULL;
9891
9892 if (nft_trans_gc_space(trans: gc))
9893 return gc;
9894
9895 set = gc->set;
9896 call_rcu(head: &gc->rcu, func: nft_trans_gc_trans_free);
9897
9898 return nft_trans_gc_alloc(set, gc_seq: 0, gfp);
9899}
9900
9901void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
9902{
9903 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
9904
9905 if (trans->count == 0) {
9906 nft_trans_gc_destroy(trans);
9907 return;
9908 }
9909
9910 call_rcu(head: &trans->rcu, func: nft_trans_gc_trans_free);
9911}
9912
9913struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
9914 unsigned int gc_seq)
9915{
9916 struct nft_set_elem_catchall *catchall;
9917 const struct nft_set *set = gc->set;
9918 struct nft_set_ext *ext;
9919
9920 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9921 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
9922
9923 if (!nft_set_elem_expired(ext))
9924 continue;
9925 if (nft_set_elem_is_dead(ext))
9926 goto dead_elem;
9927
9928 nft_set_elem_dead(ext);
9929dead_elem:
9930 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
9931 if (!gc)
9932 return NULL;
9933
9934 nft_trans_gc_elem_add(trans: gc, priv: catchall->elem);
9935 }
9936
9937 return gc;
9938}
9939
9940struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
9941{
9942 struct nft_set_elem_catchall *catchall, *next;
9943 u64 tstamp = nft_net_tstamp(net: gc->net);
9944 const struct nft_set *set = gc->set;
9945 struct nft_elem_priv *elem_priv;
9946 struct nft_set_ext *ext;
9947
9948 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
9949
9950 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
9951 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
9952
9953 if (!__nft_set_elem_expired(ext, tstamp))
9954 continue;
9955
9956 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
9957 if (!gc)
9958 return NULL;
9959
9960 elem_priv = catchall->elem;
9961 nft_setelem_data_deactivate(net: gc->net, set: gc->set, elem_priv);
9962 nft_setelem_catchall_destroy(catchall);
9963 nft_trans_gc_elem_add(trans: gc, priv: elem_priv);
9964 }
9965
9966 return gc;
9967}
9968
9969static void nf_tables_module_autoload_cleanup(struct net *net)
9970{
9971 struct nftables_pernet *nft_net = nft_pernet(net);
9972 struct nft_module_request *req, *next;
9973
9974 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
9975 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
9976 WARN_ON_ONCE(!req->done);
9977 list_del(entry: &req->list);
9978 kfree(objp: req);
9979 }
9980}
9981
9982static void nf_tables_commit_release(struct net *net)
9983{
9984 struct nftables_pernet *nft_net = nft_pernet(net);
9985 struct nft_trans *trans;
9986
9987 /* all side effects have to be made visible.
9988 * For example, if a chain named 'foo' has been deleted, a
9989 * new transaction must not find it anymore.
9990 *
9991 * Memory reclaim happens asynchronously from work queue
9992 * to prevent expensive synchronize_rcu() in commit phase.
9993 */
9994 if (list_empty(head: &nft_net->commit_list)) {
9995 nf_tables_module_autoload_cleanup(net);
9996 mutex_unlock(lock: &nft_net->commit_mutex);
9997 return;
9998 }
9999
10000 trans = list_last_entry(&nft_net->commit_list,
10001 struct nft_trans, list);
10002 get_net(net: trans->ctx.net);
10003 WARN_ON_ONCE(trans->put_net);
10004
10005 trans->put_net = true;
10006 spin_lock(lock: &nf_tables_destroy_list_lock);
10007 list_splice_tail_init(list: &nft_net->commit_list, head: &nf_tables_destroy_list);
10008 spin_unlock(lock: &nf_tables_destroy_list_lock);
10009
10010 nf_tables_module_autoload_cleanup(net);
10011 schedule_work(work: &trans_destroy_work);
10012
10013 mutex_unlock(lock: &nft_net->commit_mutex);
10014}
10015
10016static void nft_commit_notify(struct net *net, u32 portid)
10017{
10018 struct nftables_pernet *nft_net = nft_pernet(net);
10019 struct sk_buff *batch_skb = NULL, *nskb, *skb;
10020 unsigned char *data;
10021 int len;
10022
10023 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
10024 if (!batch_skb) {
10025new_batch:
10026 batch_skb = skb;
10027 len = NLMSG_GOODSIZE - skb->len;
10028 list_del(entry: &skb->list);
10029 continue;
10030 }
10031 len -= skb->len;
10032 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
10033 data = skb_put(skb: batch_skb, len: skb->len);
10034 memcpy(data, skb->data, skb->len);
10035 list_del(entry: &skb->list);
10036 kfree_skb(skb);
10037 continue;
10038 }
10039 nfnetlink_send(skb: batch_skb, net, portid, NFNLGRP_NFTABLES,
10040 NFT_CB(batch_skb).report, GFP_KERNEL);
10041 goto new_batch;
10042 }
10043
10044 if (batch_skb) {
10045 nfnetlink_send(skb: batch_skb, net, portid, NFNLGRP_NFTABLES,
10046 NFT_CB(batch_skb).report, GFP_KERNEL);
10047 }
10048
10049 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10050}
10051
10052static int nf_tables_commit_audit_alloc(struct list_head *adl,
10053 struct nft_table *table)
10054{
10055 struct nft_audit_data *adp;
10056
10057 list_for_each_entry(adp, adl, list) {
10058 if (adp->table == table)
10059 return 0;
10060 }
10061 adp = kzalloc(size: sizeof(*adp), GFP_KERNEL);
10062 if (!adp)
10063 return -ENOMEM;
10064 adp->table = table;
10065 list_add(new: &adp->list, head: adl);
10066 return 0;
10067}
10068
10069static void nf_tables_commit_audit_free(struct list_head *adl)
10070{
10071 struct nft_audit_data *adp, *adn;
10072
10073 list_for_each_entry_safe(adp, adn, adl, list) {
10074 list_del(entry: &adp->list);
10075 kfree(objp: adp);
10076 }
10077}
10078
10079static void nf_tables_commit_audit_collect(struct list_head *adl,
10080 struct nft_table *table, u32 op)
10081{
10082 struct nft_audit_data *adp;
10083
10084 list_for_each_entry(adp, adl, list) {
10085 if (adp->table == table)
10086 goto found;
10087 }
10088 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
10089 return;
10090found:
10091 adp->entries++;
10092 if (!adp->op || adp->op > op)
10093 adp->op = op;
10094}
10095
10096#define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
10097
10098static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
10099{
10100 struct nft_audit_data *adp, *adn;
10101 char aubuf[AUNFTABLENAMELEN];
10102
10103 list_for_each_entry_safe(adp, adn, adl, list) {
10104 snprintf(buf: aubuf, AUNFTABLENAMELEN, fmt: "%s:%u", adp->table->name,
10105 generation);
10106 audit_log_nfcfg(name: aubuf, af: adp->table->family, nentries: adp->entries,
10107 op: nft2audit_op[adp->op], GFP_KERNEL);
10108 list_del(entry: &adp->list);
10109 kfree(objp: adp);
10110 }
10111}
10112
10113static void nft_set_commit_update(struct list_head *set_update_list)
10114{
10115 struct nft_set *set, *next;
10116
10117 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10118 list_del_init(entry: &set->pending_update);
10119
10120 if (!set->ops->commit || set->dead)
10121 continue;
10122
10123 set->ops->commit(set);
10124 }
10125}
10126
10127static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
10128{
10129 unsigned int gc_seq;
10130
10131 /* Bump gc counter, it becomes odd, this is the busy mark. */
10132 gc_seq = READ_ONCE(nft_net->gc_seq);
10133 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10134
10135 return gc_seq;
10136}
10137
10138static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
10139{
10140 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10141}
10142
10143static int nf_tables_commit(struct net *net, struct sk_buff *skb)
10144{
10145 struct nftables_pernet *nft_net = nft_pernet(net);
10146 struct nft_trans *trans, *next;
10147 unsigned int base_seq, gc_seq;
10148 LIST_HEAD(set_update_list);
10149 struct nft_trans_elem *te;
10150 struct nft_chain *chain;
10151 struct nft_table *table;
10152 LIST_HEAD(adl);
10153 int err;
10154
10155 if (list_empty(head: &nft_net->commit_list)) {
10156 mutex_unlock(lock: &nft_net->commit_mutex);
10157 return 0;
10158 }
10159
10160 list_for_each_entry(trans, &nft_net->binding_list, binding_list) {
10161 switch (trans->msg_type) {
10162 case NFT_MSG_NEWSET:
10163 if (!nft_trans_set_update(trans) &&
10164 nft_set_is_anonymous(nft_trans_set(trans)) &&
10165 !nft_trans_set_bound(trans)) {
10166 pr_warn_once("nftables ruleset with unbound set\n");
10167 return -EINVAL;
10168 }
10169 break;
10170 case NFT_MSG_NEWCHAIN:
10171 if (!nft_trans_chain_update(trans) &&
10172 nft_chain_binding(nft_trans_chain(trans)) &&
10173 !nft_trans_chain_bound(trans)) {
10174 pr_warn_once("nftables ruleset with unbound chain\n");
10175 return -EINVAL;
10176 }
10177 break;
10178 }
10179 }
10180
10181 /* 0. Validate ruleset, otherwise roll back for error reporting. */
10182 if (nf_tables_validate(net) < 0) {
10183 nft_net->validate_state = NFT_VALIDATE_DO;
10184 return -EAGAIN;
10185 }
10186
10187 err = nft_flow_rule_offload_commit(net);
10188 if (err < 0)
10189 return err;
10190
10191 /* 1. Allocate space for next generation rules_gen_X[] */
10192 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10193 int ret;
10194
10195 ret = nf_tables_commit_audit_alloc(adl: &adl, table: trans->ctx.table);
10196 if (ret) {
10197 nf_tables_commit_chain_prepare_cancel(net);
10198 nf_tables_commit_audit_free(adl: &adl);
10199 return ret;
10200 }
10201 if (trans->msg_type == NFT_MSG_NEWRULE ||
10202 trans->msg_type == NFT_MSG_DELRULE) {
10203 chain = trans->ctx.chain;
10204
10205 ret = nf_tables_commit_chain_prepare(net, chain);
10206 if (ret < 0) {
10207 nf_tables_commit_chain_prepare_cancel(net);
10208 nf_tables_commit_audit_free(adl: &adl);
10209 return ret;
10210 }
10211 }
10212 }
10213
10214 /* step 2. Make rules_gen_X visible to packet path */
10215 list_for_each_entry(table, &nft_net->tables, list) {
10216 list_for_each_entry(chain, &table->chains, list)
10217 nf_tables_commit_chain(net, chain);
10218 }
10219
10220 /*
10221 * Bump generation counter, invalidate any dump in progress.
10222 * Cannot fail after this point.
10223 */
10224 base_seq = READ_ONCE(nft_net->base_seq);
10225 while (++base_seq == 0)
10226 ;
10227
10228 WRITE_ONCE(nft_net->base_seq, base_seq);
10229
10230 gc_seq = nft_gc_seq_begin(nft_net);
10231
10232 /* step 3. Start new generation, rules_gen_X now in use. */
10233 net->nft.gencursor = nft_gencursor_next(net);
10234
10235 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10236 nf_tables_commit_audit_collect(adl: &adl, table: trans->ctx.table,
10237 op: trans->msg_type);
10238 switch (trans->msg_type) {
10239 case NFT_MSG_NEWTABLE:
10240 if (nft_trans_table_update(trans)) {
10241 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10242 nft_trans_destroy(trans);
10243 break;
10244 }
10245 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
10246 nf_tables_table_disable(net, table: trans->ctx.table);
10247
10248 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10249 } else {
10250 nft_clear(net, trans->ctx.table);
10251 }
10252 nf_tables_table_notify(ctx: &trans->ctx, event: NFT_MSG_NEWTABLE);
10253 nft_trans_destroy(trans);
10254 break;
10255 case NFT_MSG_DELTABLE:
10256 case NFT_MSG_DESTROYTABLE:
10257 list_del_rcu(entry: &trans->ctx.table->list);
10258 nf_tables_table_notify(ctx: &trans->ctx, event: trans->msg_type);
10259 break;
10260 case NFT_MSG_NEWCHAIN:
10261 if (nft_trans_chain_update(trans)) {
10262 nft_chain_commit_update(trans);
10263 nf_tables_chain_notify(ctx: &trans->ctx, event: NFT_MSG_NEWCHAIN,
10264 hook_list: &nft_trans_chain_hooks(trans));
10265 list_splice(list: &nft_trans_chain_hooks(trans),
10266 head: &nft_trans_basechain(trans)->hook_list);
10267 /* trans destroyed after rcu grace period */
10268 } else {
10269 nft_chain_commit_drop_policy(trans);
10270 nft_clear(net, trans->ctx.chain);
10271 nf_tables_chain_notify(ctx: &trans->ctx, event: NFT_MSG_NEWCHAIN, NULL);
10272 nft_trans_destroy(trans);
10273 }
10274 break;
10275 case NFT_MSG_DELCHAIN:
10276 case NFT_MSG_DESTROYCHAIN:
10277 if (nft_trans_chain_update(trans)) {
10278 nf_tables_chain_notify(ctx: &trans->ctx, event: NFT_MSG_DELCHAIN,
10279 hook_list: &nft_trans_chain_hooks(trans));
10280 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT)) {
10281 nft_netdev_unregister_hooks(net,
10282 hook_list: &nft_trans_chain_hooks(trans),
10283 release_netdev: true);
10284 }
10285 } else {
10286 nft_chain_del(chain: trans->ctx.chain);
10287 nf_tables_chain_notify(ctx: &trans->ctx, event: NFT_MSG_DELCHAIN,
10288 NULL);
10289 nf_tables_unregister_hook(net: trans->ctx.net,
10290 table: trans->ctx.table,
10291 chain: trans->ctx.chain);
10292 }
10293 break;
10294 case NFT_MSG_NEWRULE:
10295 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10296 nf_tables_rule_notify(ctx: &trans->ctx,
10297 nft_trans_rule(trans),
10298 event: NFT_MSG_NEWRULE);
10299 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10300 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10301
10302 nft_trans_destroy(trans);
10303 break;
10304 case NFT_MSG_DELRULE:
10305 case NFT_MSG_DESTROYRULE:
10306 list_del_rcu(entry: &nft_trans_rule(trans)->list);
10307 nf_tables_rule_notify(ctx: &trans->ctx,
10308 nft_trans_rule(trans),
10309 event: trans->msg_type);
10310 nft_rule_expr_deactivate(ctx: &trans->ctx,
10311 nft_trans_rule(trans),
10312 phase: NFT_TRANS_COMMIT);
10313
10314 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10315 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10316 break;
10317 case NFT_MSG_NEWSET:
10318 if (nft_trans_set_update(trans)) {
10319 struct nft_set *set = nft_trans_set(trans);
10320
10321 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
10322 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
10323
10324 if (nft_trans_set_size(trans))
10325 WRITE_ONCE(set->size, nft_trans_set_size(trans));
10326 } else {
10327 nft_clear(net, nft_trans_set(trans));
10328 /* This avoids hitting -EBUSY when deleting the table
10329 * from the transaction.
10330 */
10331 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
10332 !list_empty(head: &nft_trans_set(trans)->bindings))
10333 nft_use_dec(use: &trans->ctx.table->use);
10334 }
10335 nf_tables_set_notify(ctx: &trans->ctx, nft_trans_set(trans),
10336 event: NFT_MSG_NEWSET, GFP_KERNEL);
10337 nft_trans_destroy(trans);
10338 break;
10339 case NFT_MSG_DELSET:
10340 case NFT_MSG_DESTROYSET:
10341 nft_trans_set(trans)->dead = 1;
10342 list_del_rcu(entry: &nft_trans_set(trans)->list);
10343 nf_tables_set_notify(ctx: &trans->ctx, nft_trans_set(trans),
10344 event: trans->msg_type, GFP_KERNEL);
10345 break;
10346 case NFT_MSG_NEWSETELEM:
10347 te = (struct nft_trans_elem *)trans->data;
10348
10349 nft_setelem_activate(net, set: te->set, elem_priv: te->elem_priv);
10350 nf_tables_setelem_notify(ctx: &trans->ctx, set: te->set,
10351 elem_priv: te->elem_priv,
10352 event: NFT_MSG_NEWSETELEM);
10353 if (te->set->ops->commit &&
10354 list_empty(head: &te->set->pending_update)) {
10355 list_add_tail(new: &te->set->pending_update,
10356 head: &set_update_list);
10357 }
10358 nft_trans_destroy(trans);
10359 break;
10360 case NFT_MSG_DELSETELEM:
10361 case NFT_MSG_DESTROYSETELEM:
10362 te = (struct nft_trans_elem *)trans->data;
10363
10364 nf_tables_setelem_notify(ctx: &trans->ctx, set: te->set,
10365 elem_priv: te->elem_priv,
10366 event: trans->msg_type);
10367 nft_setelem_remove(net, set: te->set, elem_priv: te->elem_priv);
10368 if (!nft_setelem_is_catchall(set: te->set, elem_priv: te->elem_priv)) {
10369 atomic_dec(v: &te->set->nelems);
10370 te->set->ndeact--;
10371 }
10372 if (te->set->ops->commit &&
10373 list_empty(head: &te->set->pending_update)) {
10374 list_add_tail(new: &te->set->pending_update,
10375 head: &set_update_list);
10376 }
10377 break;
10378 case NFT_MSG_NEWOBJ:
10379 if (nft_trans_obj_update(trans)) {
10380 nft_obj_commit_update(trans);
10381 nf_tables_obj_notify(ctx: &trans->ctx,
10382 nft_trans_obj(trans),
10383 event: NFT_MSG_NEWOBJ);
10384 } else {
10385 nft_clear(net, nft_trans_obj(trans));
10386 nf_tables_obj_notify(ctx: &trans->ctx,
10387 nft_trans_obj(trans),
10388 event: NFT_MSG_NEWOBJ);
10389 nft_trans_destroy(trans);
10390 }
10391 break;
10392 case NFT_MSG_DELOBJ:
10393 case NFT_MSG_DESTROYOBJ:
10394 nft_obj_del(nft_trans_obj(trans));
10395 nf_tables_obj_notify(ctx: &trans->ctx, nft_trans_obj(trans),
10396 event: trans->msg_type);
10397 break;
10398 case NFT_MSG_NEWFLOWTABLE:
10399 if (nft_trans_flowtable_update(trans)) {
10400 nft_trans_flowtable(trans)->data.flags =
10401 nft_trans_flowtable_flags(trans);
10402 nf_tables_flowtable_notify(ctx: &trans->ctx,
10403 nft_trans_flowtable(trans),
10404 hook_list: &nft_trans_flowtable_hooks(trans),
10405 event: NFT_MSG_NEWFLOWTABLE);
10406 list_splice(list: &nft_trans_flowtable_hooks(trans),
10407 head: &nft_trans_flowtable(trans)->hook_list);
10408 } else {
10409 nft_clear(net, nft_trans_flowtable(trans));
10410 nf_tables_flowtable_notify(ctx: &trans->ctx,
10411 nft_trans_flowtable(trans),
10412 NULL,
10413 event: NFT_MSG_NEWFLOWTABLE);
10414 }
10415 nft_trans_destroy(trans);
10416 break;
10417 case NFT_MSG_DELFLOWTABLE:
10418 case NFT_MSG_DESTROYFLOWTABLE:
10419 if (nft_trans_flowtable_update(trans)) {
10420 nf_tables_flowtable_notify(ctx: &trans->ctx,
10421 nft_trans_flowtable(trans),
10422 hook_list: &nft_trans_flowtable_hooks(trans),
10423 event: trans->msg_type);
10424 nft_unregister_flowtable_net_hooks(net,
10425 hook_list: &nft_trans_flowtable_hooks(trans));
10426 } else {
10427 list_del_rcu(entry: &nft_trans_flowtable(trans)->list);
10428 nf_tables_flowtable_notify(ctx: &trans->ctx,
10429 nft_trans_flowtable(trans),
10430 NULL,
10431 event: trans->msg_type);
10432 nft_unregister_flowtable_net_hooks(net,
10433 hook_list: &nft_trans_flowtable(trans)->hook_list);
10434 }
10435 break;
10436 }
10437 }
10438
10439 nft_set_commit_update(set_update_list: &set_update_list);
10440
10441 nft_commit_notify(net, NETLINK_CB(skb).portid);
10442 nf_tables_gen_notify(net, skb, event: NFT_MSG_NEWGEN);
10443 nf_tables_commit_audit_log(adl: &adl, generation: nft_net->base_seq);
10444
10445 nft_gc_seq_end(nft_net, gc_seq);
10446 nft_net->validate_state = NFT_VALIDATE_SKIP;
10447 nf_tables_commit_release(net);
10448
10449 return 0;
10450}
10451
10452static void nf_tables_module_autoload(struct net *net)
10453{
10454 struct nftables_pernet *nft_net = nft_pernet(net);
10455 struct nft_module_request *req, *next;
10456 LIST_HEAD(module_list);
10457
10458 list_splice_init(list: &nft_net->module_list, head: &module_list);
10459 mutex_unlock(lock: &nft_net->commit_mutex);
10460 list_for_each_entry_safe(req, next, &module_list, list) {
10461 request_module("%s", req->module);
10462 req->done = true;
10463 }
10464 mutex_lock(&nft_net->commit_mutex);
10465 list_splice(list: &module_list, head: &nft_net->module_list);
10466}
10467
10468static void nf_tables_abort_release(struct nft_trans *trans)
10469{
10470 switch (trans->msg_type) {
10471 case NFT_MSG_NEWTABLE:
10472 nf_tables_table_destroy(ctx: &trans->ctx);
10473 break;
10474 case NFT_MSG_NEWCHAIN:
10475 if (nft_trans_chain_update(trans))
10476 nft_hooks_destroy(hook_list: &nft_trans_chain_hooks(trans));
10477 else
10478 nf_tables_chain_destroy(ctx: &trans->ctx);
10479 break;
10480 case NFT_MSG_NEWRULE:
10481 nf_tables_rule_destroy(ctx: &trans->ctx, nft_trans_rule(trans));
10482 break;
10483 case NFT_MSG_NEWSET:
10484 nft_set_destroy(ctx: &trans->ctx, nft_trans_set(trans));
10485 break;
10486 case NFT_MSG_NEWSETELEM:
10487 nft_set_elem_destroy(nft_trans_elem_set(trans),
10488 nft_trans_elem_priv(trans), true);
10489 break;
10490 case NFT_MSG_NEWOBJ:
10491 nft_obj_destroy(ctx: &trans->ctx, nft_trans_obj(trans));
10492 break;
10493 case NFT_MSG_NEWFLOWTABLE:
10494 if (nft_trans_flowtable_update(trans))
10495 nft_hooks_destroy(hook_list: &nft_trans_flowtable_hooks(trans));
10496 else
10497 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10498 break;
10499 }
10500 kfree(objp: trans);
10501}
10502
10503static void nft_set_abort_update(struct list_head *set_update_list)
10504{
10505 struct nft_set *set, *next;
10506
10507 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10508 list_del_init(entry: &set->pending_update);
10509
10510 if (!set->ops->abort)
10511 continue;
10512
10513 set->ops->abort(set);
10514 }
10515}
10516
10517static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
10518{
10519 struct nftables_pernet *nft_net = nft_pernet(net);
10520 struct nft_trans *trans, *next;
10521 LIST_HEAD(set_update_list);
10522 struct nft_trans_elem *te;
10523 int err = 0;
10524
10525 if (action == NFNL_ABORT_VALIDATE &&
10526 nf_tables_validate(net) < 0)
10527 err = -EAGAIN;
10528
10529 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
10530 list) {
10531 switch (trans->msg_type) {
10532 case NFT_MSG_NEWTABLE:
10533 if (nft_trans_table_update(trans)) {
10534 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10535 nft_trans_destroy(trans);
10536 break;
10537 }
10538 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
10539 nf_tables_table_disable(net, table: trans->ctx.table);
10540 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
10541 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
10542 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
10543 }
10544 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_ORPHAN) {
10545 trans->ctx.table->flags &= ~NFT_TABLE_F_OWNER;
10546 trans->ctx.table->nlpid = 0;
10547 }
10548 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10549 nft_trans_destroy(trans);
10550 } else {
10551 list_del_rcu(entry: &trans->ctx.table->list);
10552 }
10553 break;
10554 case NFT_MSG_DELTABLE:
10555 case NFT_MSG_DESTROYTABLE:
10556 nft_clear(trans->ctx.net, trans->ctx.table);
10557 nft_trans_destroy(trans);
10558 break;
10559 case NFT_MSG_NEWCHAIN:
10560 if (nft_trans_chain_update(trans)) {
10561 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT)) {
10562 nft_netdev_unregister_hooks(net,
10563 hook_list: &nft_trans_chain_hooks(trans),
10564 release_netdev: true);
10565 }
10566 free_percpu(nft_trans_chain_stats(trans));
10567 kfree(nft_trans_chain_name(trans));
10568 nft_trans_destroy(trans);
10569 } else {
10570 if (nft_trans_chain_bound(trans)) {
10571 nft_trans_destroy(trans);
10572 break;
10573 }
10574 nft_use_dec_restore(use: &trans->ctx.table->use);
10575 nft_chain_del(chain: trans->ctx.chain);
10576 nf_tables_unregister_hook(net: trans->ctx.net,
10577 table: trans->ctx.table,
10578 chain: trans->ctx.chain);
10579 }
10580 break;
10581 case NFT_MSG_DELCHAIN:
10582 case NFT_MSG_DESTROYCHAIN:
10583 if (nft_trans_chain_update(trans)) {
10584 list_splice(list: &nft_trans_chain_hooks(trans),
10585 head: &nft_trans_basechain(trans)->hook_list);
10586 } else {
10587 nft_use_inc_restore(use: &trans->ctx.table->use);
10588 nft_clear(trans->ctx.net, trans->ctx.chain);
10589 }
10590 nft_trans_destroy(trans);
10591 break;
10592 case NFT_MSG_NEWRULE:
10593 if (nft_trans_rule_bound(trans)) {
10594 nft_trans_destroy(trans);
10595 break;
10596 }
10597 nft_use_dec_restore(use: &trans->ctx.chain->use);
10598 list_del_rcu(entry: &nft_trans_rule(trans)->list);
10599 nft_rule_expr_deactivate(ctx: &trans->ctx,
10600 nft_trans_rule(trans),
10601 phase: NFT_TRANS_ABORT);
10602 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10603 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10604 break;
10605 case NFT_MSG_DELRULE:
10606 case NFT_MSG_DESTROYRULE:
10607 nft_use_inc_restore(use: &trans->ctx.chain->use);
10608 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10609 nft_rule_expr_activate(ctx: &trans->ctx, nft_trans_rule(trans));
10610 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10611 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10612
10613 nft_trans_destroy(trans);
10614 break;
10615 case NFT_MSG_NEWSET:
10616 if (nft_trans_set_update(trans)) {
10617 nft_trans_destroy(trans);
10618 break;
10619 }
10620 nft_use_dec_restore(use: &trans->ctx.table->use);
10621 if (nft_trans_set_bound(trans)) {
10622 nft_trans_destroy(trans);
10623 break;
10624 }
10625 nft_trans_set(trans)->dead = 1;
10626 list_del_rcu(entry: &nft_trans_set(trans)->list);
10627 break;
10628 case NFT_MSG_DELSET:
10629 case NFT_MSG_DESTROYSET:
10630 nft_use_inc_restore(use: &trans->ctx.table->use);
10631 nft_clear(trans->ctx.net, nft_trans_set(trans));
10632 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
10633 nft_map_activate(ctx: &trans->ctx, nft_trans_set(trans));
10634
10635 nft_trans_destroy(trans);
10636 break;
10637 case NFT_MSG_NEWSETELEM:
10638 if (nft_trans_elem_set_bound(trans)) {
10639 nft_trans_destroy(trans);
10640 break;
10641 }
10642 te = (struct nft_trans_elem *)trans->data;
10643 nft_setelem_remove(net, set: te->set, elem_priv: te->elem_priv);
10644 if (!nft_setelem_is_catchall(set: te->set, elem_priv: te->elem_priv))
10645 atomic_dec(v: &te->set->nelems);
10646
10647 if (te->set->ops->abort &&
10648 list_empty(head: &te->set->pending_update)) {
10649 list_add_tail(new: &te->set->pending_update,
10650 head: &set_update_list);
10651 }
10652 break;
10653 case NFT_MSG_DELSETELEM:
10654 case NFT_MSG_DESTROYSETELEM:
10655 te = (struct nft_trans_elem *)trans->data;
10656
10657 if (!nft_setelem_active_next(net, set: te->set, elem_priv: te->elem_priv)) {
10658 nft_setelem_data_activate(net, set: te->set, elem_priv: te->elem_priv);
10659 nft_setelem_activate(net, set: te->set, elem_priv: te->elem_priv);
10660 }
10661 if (!nft_setelem_is_catchall(set: te->set, elem_priv: te->elem_priv))
10662 te->set->ndeact--;
10663
10664 if (te->set->ops->abort &&
10665 list_empty(head: &te->set->pending_update)) {
10666 list_add_tail(new: &te->set->pending_update,
10667 head: &set_update_list);
10668 }
10669 nft_trans_destroy(trans);
10670 break;
10671 case NFT_MSG_NEWOBJ:
10672 if (nft_trans_obj_update(trans)) {
10673 nft_obj_destroy(ctx: &trans->ctx, nft_trans_obj_newobj(trans));
10674 nft_trans_destroy(trans);
10675 } else {
10676 nft_use_dec_restore(use: &trans->ctx.table->use);
10677 nft_obj_del(nft_trans_obj(trans));
10678 }
10679 break;
10680 case NFT_MSG_DELOBJ:
10681 case NFT_MSG_DESTROYOBJ:
10682 nft_use_inc_restore(use: &trans->ctx.table->use);
10683 nft_clear(trans->ctx.net, nft_trans_obj(trans));
10684 nft_trans_destroy(trans);
10685 break;
10686 case NFT_MSG_NEWFLOWTABLE:
10687 if (nft_trans_flowtable_update(trans)) {
10688 nft_unregister_flowtable_net_hooks(net,
10689 hook_list: &nft_trans_flowtable_hooks(trans));
10690 } else {
10691 nft_use_dec_restore(use: &trans->ctx.table->use);
10692 list_del_rcu(entry: &nft_trans_flowtable(trans)->list);
10693 nft_unregister_flowtable_net_hooks(net,
10694 hook_list: &nft_trans_flowtable(trans)->hook_list);
10695 }
10696 break;
10697 case NFT_MSG_DELFLOWTABLE:
10698 case NFT_MSG_DESTROYFLOWTABLE:
10699 if (nft_trans_flowtable_update(trans)) {
10700 list_splice(list: &nft_trans_flowtable_hooks(trans),
10701 head: &nft_trans_flowtable(trans)->hook_list);
10702 } else {
10703 nft_use_inc_restore(use: &trans->ctx.table->use);
10704 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
10705 }
10706 nft_trans_destroy(trans);
10707 break;
10708 }
10709 }
10710
10711 nft_set_abort_update(set_update_list: &set_update_list);
10712
10713 synchronize_rcu();
10714
10715 list_for_each_entry_safe_reverse(trans, next,
10716 &nft_net->commit_list, list) {
10717 nft_trans_list_del(trans);
10718 nf_tables_abort_release(trans);
10719 }
10720
10721 return err;
10722}
10723
10724static int nf_tables_abort(struct net *net, struct sk_buff *skb,
10725 enum nfnl_abort_action action)
10726{
10727 struct nftables_pernet *nft_net = nft_pernet(net);
10728 unsigned int gc_seq;
10729 int ret;
10730
10731 gc_seq = nft_gc_seq_begin(nft_net);
10732 ret = __nf_tables_abort(net, action);
10733 nft_gc_seq_end(nft_net, gc_seq);
10734
10735 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10736
10737 /* module autoload needs to happen after GC sequence update because it
10738 * temporarily releases and grabs mutex again.
10739 */
10740 if (action == NFNL_ABORT_AUTOLOAD)
10741 nf_tables_module_autoload(net);
10742 else
10743 nf_tables_module_autoload_cleanup(net);
10744
10745 mutex_unlock(lock: &nft_net->commit_mutex);
10746
10747 return ret;
10748}
10749
10750static bool nf_tables_valid_genid(struct net *net, u32 genid)
10751{
10752 struct nftables_pernet *nft_net = nft_pernet(net);
10753 bool genid_ok;
10754
10755 mutex_lock(&nft_net->commit_mutex);
10756 nft_net->tstamp = get_jiffies_64();
10757
10758 genid_ok = genid == 0 || nft_net->base_seq == genid;
10759 if (!genid_ok)
10760 mutex_unlock(lock: &nft_net->commit_mutex);
10761
10762 /* else, commit mutex has to be released by commit or abort function */
10763 return genid_ok;
10764}
10765
10766static const struct nfnetlink_subsystem nf_tables_subsys = {
10767 .name = "nf_tables",
10768 .subsys_id = NFNL_SUBSYS_NFTABLES,
10769 .cb_count = NFT_MSG_MAX,
10770 .cb = nf_tables_cb,
10771 .commit = nf_tables_commit,
10772 .abort = nf_tables_abort,
10773 .valid_genid = nf_tables_valid_genid,
10774 .owner = THIS_MODULE,
10775};
10776
10777int nft_chain_validate_dependency(const struct nft_chain *chain,
10778 enum nft_chain_types type)
10779{
10780 const struct nft_base_chain *basechain;
10781
10782 if (nft_is_base_chain(chain)) {
10783 basechain = nft_base_chain(chain);
10784 if (basechain->type->type != type)
10785 return -EOPNOTSUPP;
10786 }
10787 return 0;
10788}
10789EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
10790
10791int nft_chain_validate_hooks(const struct nft_chain *chain,
10792 unsigned int hook_flags)
10793{
10794 struct nft_base_chain *basechain;
10795
10796 if (nft_is_base_chain(chain)) {
10797 basechain = nft_base_chain(chain);
10798
10799 if ((1 << basechain->ops.hooknum) & hook_flags)
10800 return 0;
10801
10802 return -EOPNOTSUPP;
10803 }
10804
10805 return 0;
10806}
10807EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
10808
10809/*
10810 * Loop detection - walk through the ruleset beginning at the destination chain
10811 * of a new jump until either the source chain is reached (loop) or all
10812 * reachable chains have been traversed.
10813 *
10814 * The loop check is performed whenever a new jump verdict is added to an
10815 * expression or verdict map or a verdict map is bound to a new chain.
10816 */
10817
10818static int nf_tables_check_loops(const struct nft_ctx *ctx,
10819 const struct nft_chain *chain);
10820
10821static int nft_check_loops(const struct nft_ctx *ctx,
10822 const struct nft_set_ext *ext)
10823{
10824 const struct nft_data *data;
10825 int ret;
10826
10827 data = nft_set_ext_data(ext);
10828 switch (data->verdict.code) {
10829 case NFT_JUMP:
10830 case NFT_GOTO:
10831 ret = nf_tables_check_loops(ctx, chain: data->verdict.chain);
10832 break;
10833 default:
10834 ret = 0;
10835 break;
10836 }
10837
10838 return ret;
10839}
10840
10841static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
10842 struct nft_set *set,
10843 const struct nft_set_iter *iter,
10844 struct nft_elem_priv *elem_priv)
10845{
10846 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
10847
10848 if (!nft_set_elem_active(ext, genmask: iter->genmask))
10849 return 0;
10850
10851 if (nft_set_ext_exists(ext, id: NFT_SET_EXT_FLAGS) &&
10852 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
10853 return 0;
10854
10855 return nft_check_loops(ctx, ext);
10856}
10857
10858static int nft_set_catchall_loops(const struct nft_ctx *ctx,
10859 struct nft_set *set)
10860{
10861 u8 genmask = nft_genmask_next(net: ctx->net);
10862 struct nft_set_elem_catchall *catchall;
10863 struct nft_set_ext *ext;
10864 int ret = 0;
10865
10866 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
10867 ext = nft_set_elem_ext(set, elem_priv: catchall->elem);
10868 if (!nft_set_elem_active(ext, genmask))
10869 continue;
10870
10871 ret = nft_check_loops(ctx, ext);
10872 if (ret < 0)
10873 return ret;
10874 }
10875
10876 return ret;
10877}
10878
10879static int nf_tables_check_loops(const struct nft_ctx *ctx,
10880 const struct nft_chain *chain)
10881{
10882 const struct nft_rule *rule;
10883 const struct nft_expr *expr, *last;
10884 struct nft_set *set;
10885 struct nft_set_binding *binding;
10886 struct nft_set_iter iter;
10887
10888 if (ctx->chain == chain)
10889 return -ELOOP;
10890
10891 if (fatal_signal_pending(current))
10892 return -EINTR;
10893
10894 list_for_each_entry(rule, &chain->rules, list) {
10895 nft_rule_for_each_expr(expr, last, rule) {
10896 struct nft_immediate_expr *priv;
10897 const struct nft_data *data;
10898 int err;
10899
10900 if (strcmp(expr->ops->type->name, "immediate"))
10901 continue;
10902
10903 priv = nft_expr_priv(expr);
10904 if (priv->dreg != NFT_REG_VERDICT)
10905 continue;
10906
10907 data = &priv->data;
10908 switch (data->verdict.code) {
10909 case NFT_JUMP:
10910 case NFT_GOTO:
10911 err = nf_tables_check_loops(ctx,
10912 chain: data->verdict.chain);
10913 if (err < 0)
10914 return err;
10915 break;
10916 default:
10917 break;
10918 }
10919 }
10920 }
10921
10922 list_for_each_entry(set, &ctx->table->sets, list) {
10923 if (!nft_is_active_next(ctx->net, set))
10924 continue;
10925 if (!(set->flags & NFT_SET_MAP) ||
10926 set->dtype != NFT_DATA_VERDICT)
10927 continue;
10928
10929 list_for_each_entry(binding, &set->bindings, list) {
10930 if (!(binding->flags & NFT_SET_MAP) ||
10931 binding->chain != chain)
10932 continue;
10933
10934 iter.genmask = nft_genmask_next(net: ctx->net);
10935 iter.type = NFT_ITER_UPDATE;
10936 iter.skip = 0;
10937 iter.count = 0;
10938 iter.err = 0;
10939 iter.fn = nf_tables_loop_check_setelem;
10940
10941 set->ops->walk(ctx, set, &iter);
10942 if (!iter.err)
10943 iter.err = nft_set_catchall_loops(ctx, set);
10944
10945 if (iter.err < 0)
10946 return iter.err;
10947 }
10948 }
10949
10950 return 0;
10951}
10952
10953/**
10954 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
10955 *
10956 * @attr: netlink attribute to fetch value from
10957 * @max: maximum value to be stored in dest
10958 * @dest: pointer to the variable
10959 *
10960 * Parse, check and store a given u32 netlink attribute into variable.
10961 * This function returns -ERANGE if the value goes over maximum value.
10962 * Otherwise a 0 is returned and the attribute value is stored in the
10963 * destination variable.
10964 */
10965int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
10966{
10967 u32 val;
10968
10969 val = ntohl(nla_get_be32(attr));
10970 if (val > max)
10971 return -ERANGE;
10972
10973 *dest = val;
10974 return 0;
10975}
10976EXPORT_SYMBOL_GPL(nft_parse_u32_check);
10977
10978static int nft_parse_register(const struct nlattr *attr, u32 *preg)
10979{
10980 unsigned int reg;
10981
10982 reg = ntohl(nla_get_be32(attr));
10983 switch (reg) {
10984 case NFT_REG_VERDICT...NFT_REG_4:
10985 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
10986 break;
10987 case NFT_REG32_00...NFT_REG32_15:
10988 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
10989 break;
10990 default:
10991 return -ERANGE;
10992 }
10993
10994 return 0;
10995}
10996
10997/**
10998 * nft_dump_register - dump a register value to a netlink attribute
10999 *
11000 * @skb: socket buffer
11001 * @attr: attribute number
11002 * @reg: register number
11003 *
11004 * Construct a netlink attribute containing the register number. For
11005 * compatibility reasons, register numbers being a multiple of 4 are
11006 * translated to the corresponding 128 bit register numbers.
11007 */
11008int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
11009{
11010 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
11011 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
11012 else
11013 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
11014
11015 return nla_put_be32(skb, attrtype: attr, htonl(reg));
11016}
11017EXPORT_SYMBOL_GPL(nft_dump_register);
11018
11019static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
11020{
11021 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11022 return -EINVAL;
11023 if (len == 0)
11024 return -EINVAL;
11025 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
11026 return -ERANGE;
11027
11028 return 0;
11029}
11030
11031int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
11032{
11033 u32 reg;
11034 int err;
11035
11036 err = nft_parse_register(attr, preg: &reg);
11037 if (err < 0)
11038 return err;
11039
11040 err = nft_validate_register_load(reg, len);
11041 if (err < 0)
11042 return err;
11043
11044 *sreg = reg;
11045 return 0;
11046}
11047EXPORT_SYMBOL_GPL(nft_parse_register_load);
11048
11049static int nft_validate_register_store(const struct nft_ctx *ctx,
11050 enum nft_registers reg,
11051 const struct nft_data *data,
11052 enum nft_data_types type,
11053 unsigned int len)
11054{
11055 int err;
11056
11057 switch (reg) {
11058 case NFT_REG_VERDICT:
11059 if (type != NFT_DATA_VERDICT)
11060 return -EINVAL;
11061
11062 if (data != NULL &&
11063 (data->verdict.code == NFT_GOTO ||
11064 data->verdict.code == NFT_JUMP)) {
11065 err = nf_tables_check_loops(ctx, chain: data->verdict.chain);
11066 if (err < 0)
11067 return err;
11068 }
11069
11070 return 0;
11071 default:
11072 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11073 return -EINVAL;
11074 if (len == 0)
11075 return -EINVAL;
11076 if (reg * NFT_REG32_SIZE + len >
11077 sizeof_field(struct nft_regs, data))
11078 return -ERANGE;
11079
11080 if (data != NULL && type != NFT_DATA_VALUE)
11081 return -EINVAL;
11082 return 0;
11083 }
11084}
11085
11086int nft_parse_register_store(const struct nft_ctx *ctx,
11087 const struct nlattr *attr, u8 *dreg,
11088 const struct nft_data *data,
11089 enum nft_data_types type, unsigned int len)
11090{
11091 int err;
11092 u32 reg;
11093
11094 err = nft_parse_register(attr, preg: &reg);
11095 if (err < 0)
11096 return err;
11097
11098 err = nft_validate_register_store(ctx, reg, data, type, len);
11099 if (err < 0)
11100 return err;
11101
11102 *dreg = reg;
11103 return 0;
11104}
11105EXPORT_SYMBOL_GPL(nft_parse_register_store);
11106
11107static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
11108 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
11109 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
11110 .len = NFT_CHAIN_MAXNAMELEN - 1 },
11111 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
11112};
11113
11114static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
11115 struct nft_data_desc *desc, const struct nlattr *nla)
11116{
11117 u8 genmask = nft_genmask_next(net: ctx->net);
11118 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
11119 struct nft_chain *chain;
11120 int err;
11121
11122 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
11123 policy: nft_verdict_policy, NULL);
11124 if (err < 0)
11125 return err;
11126
11127 if (!tb[NFTA_VERDICT_CODE])
11128 return -EINVAL;
11129
11130 /* zero padding hole for memcmp */
11131 memset(data, 0, sizeof(*data));
11132 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
11133
11134 switch (data->verdict.code) {
11135 case NF_ACCEPT:
11136 case NF_DROP:
11137 case NF_QUEUE:
11138 break;
11139 case NFT_CONTINUE:
11140 case NFT_BREAK:
11141 case NFT_RETURN:
11142 break;
11143 case NFT_JUMP:
11144 case NFT_GOTO:
11145 if (tb[NFTA_VERDICT_CHAIN]) {
11146 chain = nft_chain_lookup(net: ctx->net, table: ctx->table,
11147 nla: tb[NFTA_VERDICT_CHAIN],
11148 genmask);
11149 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
11150 chain = nft_chain_lookup_byid(net: ctx->net, table: ctx->table,
11151 nla: tb[NFTA_VERDICT_CHAIN_ID],
11152 genmask);
11153 if (IS_ERR(ptr: chain))
11154 return PTR_ERR(ptr: chain);
11155 } else {
11156 return -EINVAL;
11157 }
11158
11159 if (IS_ERR(ptr: chain))
11160 return PTR_ERR(ptr: chain);
11161 if (nft_is_base_chain(chain))
11162 return -EOPNOTSUPP;
11163 if (nft_chain_is_bound(chain))
11164 return -EINVAL;
11165 if (desc->flags & NFT_DATA_DESC_SETELEM &&
11166 chain->flags & NFT_CHAIN_BINDING)
11167 return -EINVAL;
11168 if (!nft_use_inc(use: &chain->use))
11169 return -EMFILE;
11170
11171 data->verdict.chain = chain;
11172 break;
11173 default:
11174 return -EINVAL;
11175 }
11176
11177 desc->len = sizeof(data->verdict);
11178
11179 return 0;
11180}
11181
11182static void nft_verdict_uninit(const struct nft_data *data)
11183{
11184 struct nft_chain *chain;
11185
11186 switch (data->verdict.code) {
11187 case NFT_JUMP:
11188 case NFT_GOTO:
11189 chain = data->verdict.chain;
11190 nft_use_dec(use: &chain->use);
11191 break;
11192 }
11193}
11194
11195int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
11196{
11197 struct nlattr *nest;
11198
11199 nest = nla_nest_start_noflag(skb, attrtype: type);
11200 if (!nest)
11201 goto nla_put_failure;
11202
11203 if (nla_put_be32(skb, attrtype: NFTA_VERDICT_CODE, htonl(v->code)))
11204 goto nla_put_failure;
11205
11206 switch (v->code) {
11207 case NFT_JUMP:
11208 case NFT_GOTO:
11209 if (nla_put_string(skb, attrtype: NFTA_VERDICT_CHAIN,
11210 str: v->chain->name))
11211 goto nla_put_failure;
11212 }
11213 nla_nest_end(skb, start: nest);
11214 return 0;
11215
11216nla_put_failure:
11217 return -1;
11218}
11219
11220static int nft_value_init(const struct nft_ctx *ctx,
11221 struct nft_data *data, struct nft_data_desc *desc,
11222 const struct nlattr *nla)
11223{
11224 unsigned int len;
11225
11226 len = nla_len(nla);
11227 if (len == 0)
11228 return -EINVAL;
11229 if (len > desc->size)
11230 return -EOVERFLOW;
11231 if (desc->len) {
11232 if (len != desc->len)
11233 return -EINVAL;
11234 } else {
11235 desc->len = len;
11236 }
11237
11238 nla_memcpy(dest: data->data, src: nla, count: len);
11239
11240 return 0;
11241}
11242
11243static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
11244 unsigned int len)
11245{
11246 return nla_put(skb, attrtype: NFTA_DATA_VALUE, attrlen: len, data: data->data);
11247}
11248
11249static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11250 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11251 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11252};
11253
11254/**
11255 * nft_data_init - parse nf_tables data netlink attributes
11256 *
11257 * @ctx: context of the expression using the data
11258 * @data: destination struct nft_data
11259 * @desc: data description
11260 * @nla: netlink attribute containing data
11261 *
11262 * Parse the netlink data attributes and initialize a struct nft_data.
11263 * The type and length of data are returned in the data description.
11264 *
11265 * The caller can indicate that it only wants to accept data of type
11266 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11267 */
11268int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11269 struct nft_data_desc *desc, const struct nlattr *nla)
11270{
11271 struct nlattr *tb[NFTA_DATA_MAX + 1];
11272 int err;
11273
11274 if (WARN_ON_ONCE(!desc->size))
11275 return -EINVAL;
11276
11277 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11278 policy: nft_data_policy, NULL);
11279 if (err < 0)
11280 return err;
11281
11282 if (tb[NFTA_DATA_VALUE]) {
11283 if (desc->type != NFT_DATA_VALUE)
11284 return -EINVAL;
11285
11286 err = nft_value_init(ctx, data, desc, nla: tb[NFTA_DATA_VALUE]);
11287 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11288 if (desc->type != NFT_DATA_VERDICT)
11289 return -EINVAL;
11290
11291 err = nft_verdict_init(ctx, data, desc, nla: tb[NFTA_DATA_VERDICT]);
11292 } else {
11293 err = -EINVAL;
11294 }
11295
11296 return err;
11297}
11298EXPORT_SYMBOL_GPL(nft_data_init);
11299
11300/**
11301 * nft_data_release - release a nft_data item
11302 *
11303 * @data: struct nft_data to release
11304 * @type: type of data
11305 *
11306 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11307 * all others need to be released by calling this function.
11308 */
11309void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11310{
11311 if (type < NFT_DATA_VERDICT)
11312 return;
11313 switch (type) {
11314 case NFT_DATA_VERDICT:
11315 return nft_verdict_uninit(data);
11316 default:
11317 WARN_ON(1);
11318 }
11319}
11320EXPORT_SYMBOL_GPL(nft_data_release);
11321
11322int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
11323 enum nft_data_types type, unsigned int len)
11324{
11325 struct nlattr *nest;
11326 int err;
11327
11328 nest = nla_nest_start_noflag(skb, attrtype: attr);
11329 if (nest == NULL)
11330 return -1;
11331
11332 switch (type) {
11333 case NFT_DATA_VALUE:
11334 err = nft_value_dump(skb, data, len);
11335 break;
11336 case NFT_DATA_VERDICT:
11337 err = nft_verdict_dump(skb, type: NFTA_DATA_VERDICT, v: &data->verdict);
11338 break;
11339 default:
11340 err = -EINVAL;
11341 WARN_ON(1);
11342 }
11343
11344 nla_nest_end(skb, start: nest);
11345 return err;
11346}
11347EXPORT_SYMBOL_GPL(nft_data_dump);
11348
11349int __nft_release_basechain(struct nft_ctx *ctx)
11350{
11351 struct nft_rule *rule, *nr;
11352
11353 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
11354 return 0;
11355
11356 nf_tables_unregister_hook(net: ctx->net, table: ctx->chain->table, chain: ctx->chain);
11357 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
11358 list_del(entry: &rule->list);
11359 nft_use_dec(use: &ctx->chain->use);
11360 nf_tables_rule_release(ctx, rule);
11361 }
11362 nft_chain_del(chain: ctx->chain);
11363 nft_use_dec(use: &ctx->table->use);
11364 nf_tables_chain_destroy(ctx);
11365
11366 return 0;
11367}
11368EXPORT_SYMBOL_GPL(__nft_release_basechain);
11369
11370static void __nft_release_hook(struct net *net, struct nft_table *table)
11371{
11372 struct nft_flowtable *flowtable;
11373 struct nft_chain *chain;
11374
11375 list_for_each_entry(chain, &table->chains, list)
11376 __nf_tables_unregister_hook(net, table, chain, release_netdev: true);
11377 list_for_each_entry(flowtable, &table->flowtables, list)
11378 __nft_unregister_flowtable_net_hooks(net, hook_list: &flowtable->hook_list,
11379 release_netdev: true);
11380}
11381
11382static void __nft_release_hooks(struct net *net)
11383{
11384 struct nftables_pernet *nft_net = nft_pernet(net);
11385 struct nft_table *table;
11386
11387 list_for_each_entry(table, &nft_net->tables, list) {
11388 if (nft_table_has_owner(table))
11389 continue;
11390
11391 __nft_release_hook(net, table);
11392 }
11393}
11394
11395static void __nft_release_table(struct net *net, struct nft_table *table)
11396{
11397 struct nft_flowtable *flowtable, *nf;
11398 struct nft_chain *chain, *nc;
11399 struct nft_object *obj, *ne;
11400 struct nft_rule *rule, *nr;
11401 struct nft_set *set, *ns;
11402 struct nft_ctx ctx = {
11403 .net = net,
11404 .family = NFPROTO_NETDEV,
11405 };
11406
11407 ctx.family = table->family;
11408 ctx.table = table;
11409 list_for_each_entry(chain, &table->chains, list) {
11410 if (nft_chain_binding(chain))
11411 continue;
11412
11413 ctx.chain = chain;
11414 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
11415 list_del(entry: &rule->list);
11416 nft_use_dec(use: &chain->use);
11417 nf_tables_rule_release(ctx: &ctx, rule);
11418 }
11419 }
11420 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11421 list_del(entry: &flowtable->list);
11422 nft_use_dec(use: &table->use);
11423 nf_tables_flowtable_destroy(flowtable);
11424 }
11425 list_for_each_entry_safe(set, ns, &table->sets, list) {
11426 list_del(entry: &set->list);
11427 nft_use_dec(use: &table->use);
11428 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11429 nft_map_deactivate(ctx: &ctx, set);
11430
11431 nft_set_destroy(ctx: &ctx, set);
11432 }
11433 list_for_each_entry_safe(obj, ne, &table->objects, list) {
11434 nft_obj_del(obj);
11435 nft_use_dec(use: &table->use);
11436 nft_obj_destroy(ctx: &ctx, obj);
11437 }
11438 list_for_each_entry_safe(chain, nc, &table->chains, list) {
11439 ctx.chain = chain;
11440 nft_chain_del(chain);
11441 nft_use_dec(use: &table->use);
11442 nf_tables_chain_destroy(ctx: &ctx);
11443 }
11444 nf_tables_table_destroy(ctx: &ctx);
11445}
11446
11447static void __nft_release_tables(struct net *net)
11448{
11449 struct nftables_pernet *nft_net = nft_pernet(net);
11450 struct nft_table *table, *nt;
11451
11452 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
11453 if (nft_table_has_owner(table))
11454 continue;
11455
11456 list_del(entry: &table->list);
11457
11458 __nft_release_table(net, table);
11459 }
11460}
11461
11462static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
11463 void *ptr)
11464{
11465 struct nft_table *table, *to_delete[8];
11466 struct nftables_pernet *nft_net;
11467 struct netlink_notify *n = ptr;
11468 struct net *net = n->net;
11469 unsigned int deleted;
11470 bool restart = false;
11471 unsigned int gc_seq;
11472
11473 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
11474 return NOTIFY_DONE;
11475
11476 nft_net = nft_pernet(net);
11477 deleted = 0;
11478 mutex_lock(&nft_net->commit_mutex);
11479
11480 gc_seq = nft_gc_seq_begin(nft_net);
11481
11482 if (!list_empty(head: &nf_tables_destroy_list))
11483 nf_tables_trans_destroy_flush_work();
11484again:
11485 list_for_each_entry(table, &nft_net->tables, list) {
11486 if (nft_table_has_owner(table) &&
11487 n->portid == table->nlpid) {
11488 if (table->flags & NFT_TABLE_F_PERSIST) {
11489 table->flags &= ~NFT_TABLE_F_OWNER;
11490 continue;
11491 }
11492 __nft_release_hook(net, table);
11493 list_del_rcu(entry: &table->list);
11494 to_delete[deleted++] = table;
11495 if (deleted >= ARRAY_SIZE(to_delete))
11496 break;
11497 }
11498 }
11499 if (deleted) {
11500 restart = deleted >= ARRAY_SIZE(to_delete);
11501 synchronize_rcu();
11502 while (deleted)
11503 __nft_release_table(net, table: to_delete[--deleted]);
11504
11505 if (restart)
11506 goto again;
11507 }
11508 nft_gc_seq_end(nft_net, gc_seq);
11509
11510 mutex_unlock(lock: &nft_net->commit_mutex);
11511
11512 return NOTIFY_DONE;
11513}
11514
11515static struct notifier_block nft_nl_notifier = {
11516 .notifier_call = nft_rcv_nl_event,
11517};
11518
11519static int __net_init nf_tables_init_net(struct net *net)
11520{
11521 struct nftables_pernet *nft_net = nft_pernet(net);
11522
11523 INIT_LIST_HEAD(list: &nft_net->tables);
11524 INIT_LIST_HEAD(list: &nft_net->commit_list);
11525 INIT_LIST_HEAD(list: &nft_net->binding_list);
11526 INIT_LIST_HEAD(list: &nft_net->module_list);
11527 INIT_LIST_HEAD(list: &nft_net->notify_list);
11528 mutex_init(&nft_net->commit_mutex);
11529 nft_net->base_seq = 1;
11530 nft_net->gc_seq = 0;
11531 nft_net->validate_state = NFT_VALIDATE_SKIP;
11532
11533 return 0;
11534}
11535
11536static void __net_exit nf_tables_pre_exit_net(struct net *net)
11537{
11538 struct nftables_pernet *nft_net = nft_pernet(net);
11539
11540 mutex_lock(&nft_net->commit_mutex);
11541 __nft_release_hooks(net);
11542 mutex_unlock(lock: &nft_net->commit_mutex);
11543}
11544
11545static void __net_exit nf_tables_exit_net(struct net *net)
11546{
11547 struct nftables_pernet *nft_net = nft_pernet(net);
11548 unsigned int gc_seq;
11549
11550 mutex_lock(&nft_net->commit_mutex);
11551
11552 gc_seq = nft_gc_seq_begin(nft_net);
11553
11554 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
11555
11556 if (!list_empty(head: &nft_net->module_list))
11557 nf_tables_module_autoload_cleanup(net);
11558
11559 __nft_release_tables(net);
11560
11561 nft_gc_seq_end(nft_net, gc_seq);
11562
11563 mutex_unlock(lock: &nft_net->commit_mutex);
11564 WARN_ON_ONCE(!list_empty(&nft_net->tables));
11565 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
11566 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
11567}
11568
11569static void nf_tables_exit_batch(struct list_head *net_exit_list)
11570{
11571 flush_work(work: &trans_gc_work);
11572}
11573
11574static struct pernet_operations nf_tables_net_ops = {
11575 .init = nf_tables_init_net,
11576 .pre_exit = nf_tables_pre_exit_net,
11577 .exit = nf_tables_exit_net,
11578 .exit_batch = nf_tables_exit_batch,
11579 .id = &nf_tables_net_id,
11580 .size = sizeof(struct nftables_pernet),
11581};
11582
11583static int __init nf_tables_module_init(void)
11584{
11585 int err;
11586
11587 err = register_pernet_subsys(&nf_tables_net_ops);
11588 if (err < 0)
11589 return err;
11590
11591 err = nft_chain_filter_init();
11592 if (err < 0)
11593 goto err_chain_filter;
11594
11595 err = nf_tables_core_module_init();
11596 if (err < 0)
11597 goto err_core_module;
11598
11599 err = register_netdevice_notifier(nb: &nf_tables_flowtable_notifier);
11600 if (err < 0)
11601 goto err_netdev_notifier;
11602
11603 err = rhltable_init(hlt: &nft_objname_ht, params: &nft_objname_ht_params);
11604 if (err < 0)
11605 goto err_rht_objname;
11606
11607 err = nft_offload_init();
11608 if (err < 0)
11609 goto err_offload;
11610
11611 err = netlink_register_notifier(nb: &nft_nl_notifier);
11612 if (err < 0)
11613 goto err_netlink_notifier;
11614
11615 /* must be last */
11616 err = nfnetlink_subsys_register(n: &nf_tables_subsys);
11617 if (err < 0)
11618 goto err_nfnl_subsys;
11619
11620 nft_chain_route_init();
11621
11622 return err;
11623
11624err_nfnl_subsys:
11625 netlink_unregister_notifier(nb: &nft_nl_notifier);
11626err_netlink_notifier:
11627 nft_offload_exit();
11628err_offload:
11629 rhltable_destroy(hlt: &nft_objname_ht);
11630err_rht_objname:
11631 unregister_netdevice_notifier(nb: &nf_tables_flowtable_notifier);
11632err_netdev_notifier:
11633 nf_tables_core_module_exit();
11634err_core_module:
11635 nft_chain_filter_fini();
11636err_chain_filter:
11637 unregister_pernet_subsys(&nf_tables_net_ops);
11638 return err;
11639}
11640
11641static void __exit nf_tables_module_exit(void)
11642{
11643 nfnetlink_subsys_unregister(n: &nf_tables_subsys);
11644 netlink_unregister_notifier(nb: &nft_nl_notifier);
11645 nft_offload_exit();
11646 unregister_netdevice_notifier(nb: &nf_tables_flowtable_notifier);
11647 nft_chain_filter_fini();
11648 nft_chain_route_fini();
11649 nf_tables_trans_destroy_flush_work();
11650 unregister_pernet_subsys(&nf_tables_net_ops);
11651 cancel_work_sync(work: &trans_gc_work);
11652 cancel_work_sync(work: &trans_destroy_work);
11653 rcu_barrier();
11654 rhltable_destroy(hlt: &nft_objname_ht);
11655 nf_tables_core_module_exit();
11656}
11657
11658module_init(nf_tables_module_init);
11659module_exit(nf_tables_module_exit);
11660
11661MODULE_LICENSE("GPL");
11662MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
11663MODULE_DESCRIPTION("Framework for packet filtering and classification");
11664MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
11665

source code of linux/net/netfilter/nf_tables_api.c