search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
printf: Remove unused 'bprintf'
[drm/drm-misc.git] / net / netfilter / nft_dynset.c
blob88922e0e8e83771f008f959db4fe2a26c4fd6563
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2015 Patrick McHardy <kaber@trash.net>
4 */
5
6 #include <linux/kernel.h>
7 #include <linux/module.h>
8 #include <linux/init.h>
9 #include <linux/netlink.h>
10 #include <linux/netfilter.h>
11 #include <linux/netfilter/nf_tables.h>
12 #include <net/netfilter/nf_tables.h>
13 #include <net/netfilter/nf_tables_core.h>
14
15 struct nft_dynset {
16 struct nft_set *set;
17 struct nft_set_ext_tmpl tmpl;
18 enum nft_dynset_ops op:8;
19 u8 sreg_key;
20 u8 sreg_data;
21 bool invert;
22 bool expr;
23 u8 num_exprs;
24 u64 timeout;
25 struct nft_expr *expr_array[NFT_SET_EXPR_MAX];
26 struct nft_set_binding binding;
27 };
28
29 static int nft_dynset_expr_setup(const struct nft_dynset *priv,
30 const struct nft_set_ext *ext)
31 {
32 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
33 struct nft_expr *expr;
34 int i;
35
36 for (i = 0; i < priv->num_exprs; i++) {
37 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
38 if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)
39 return -1;
40
41 elem_expr->size += priv->expr_array[i]->ops->size;
42 }
43
44 return 0;
45 }
46
47 static struct nft_elem_priv *nft_dynset_new(struct nft_set *set,
48 const struct nft_expr *expr,
49 struct nft_regs *regs)
50 {
51 const struct nft_dynset *priv = nft_expr_priv(expr);
52 struct nft_set_ext *ext;
53 void *elem_priv;
54 u64 timeout;
55
56 if (!atomic_add_unless(&set->nelems, 1, set->size))
57 return NULL;
58
59 timeout = priv->timeout ? : READ_ONCE(set->timeout);
60 elem_priv = nft_set_elem_init(set, &priv->tmpl,
61 &regs->data[priv->sreg_key], NULL,
62 &regs->data[priv->sreg_data],
63 timeout, 0, GFP_ATOMIC);
64 if (IS_ERR(elem_priv))
65 goto err1;
66
67 ext = nft_set_elem_ext(set, elem_priv);
68 if (priv->num_exprs && nft_dynset_expr_setup(priv, ext) < 0)
69 goto err2;
70
71 return elem_priv;
72
73 err2:
74 nft_set_elem_destroy(set, elem_priv, false);
75 err1:
76 if (set->size)
77 atomic_dec(&set->nelems);
78 return NULL;
79 }
80
81 void nft_dynset_eval(const struct nft_expr *expr,
82 struct nft_regs *regs, const struct nft_pktinfo *pkt)
83 {
84 const struct nft_dynset *priv = nft_expr_priv(expr);
85 struct nft_set *set = priv->set;
86 const struct nft_set_ext *ext;
87 u64 timeout;
88
89 if (priv->op == NFT_DYNSET_OP_DELETE) {
90 set->ops->delete(set, &regs->data[priv->sreg_key]);
91 return;
92 }
93
94 if (set->ops->update(set, &regs->data[priv->sreg_key], nft_dynset_new,
95 expr, regs, &ext)) {
96 if (priv->op == NFT_DYNSET_OP_UPDATE &&
97 nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
98 READ_ONCE(nft_set_ext_timeout(ext)->timeout) != 0) {
99 timeout = priv->timeout ? : READ_ONCE(set->timeout);
100 WRITE_ONCE(nft_set_ext_timeout(ext)->expiration, get_jiffies_64() + timeout);
101 }
102
103 nft_set_elem_update_expr(ext, regs, pkt);
104
105 if (priv->invert)
106 regs->verdict.code = NFT_BREAK;
107 return;
108 }
109
110 if (!priv->invert)
111 regs->verdict.code = NFT_BREAK;
112 }
113
114 static void nft_dynset_ext_add_expr(struct nft_dynset *priv)
115 {
116 u8 size = 0;
117 int i;
118
119 for (i = 0; i < priv->num_exprs; i++)
120 size += priv->expr_array[i]->ops->size;
121
122 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_EXPRESSIONS,
123 sizeof(struct nft_set_elem_expr) + size);
124 }
125
126 static struct nft_expr *
127 nft_dynset_expr_alloc(const struct nft_ctx *ctx, const struct nft_set *set,
128 const struct nlattr *attr, int pos)
129 {
130 struct nft_expr *expr;
131 int err;
132
133 expr = nft_set_elem_expr_alloc(ctx, set, attr);
134 if (IS_ERR(expr))
135 return expr;
136
137 if (set->exprs[pos] && set->exprs[pos]->ops != expr->ops) {
138 err = -EOPNOTSUPP;
139 goto err_dynset_expr;
140 }
141
142 return expr;
143
144 err_dynset_expr:
145 nft_expr_destroy(ctx, expr);
146 return ERR_PTR(err);
147 }
148
149 static const struct nla_policy nft_dynset_policy[NFTA_DYNSET_MAX + 1] = {
150 [NFTA_DYNSET_SET_NAME] = { .type = NLA_STRING,
151 .len = NFT_SET_MAXNAMELEN - 1 },
152 [NFTA_DYNSET_SET_ID] = { .type = NLA_U32 },
153 [NFTA_DYNSET_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
154 [NFTA_DYNSET_SREG_KEY] = { .type = NLA_U32 },
155 [NFTA_DYNSET_SREG_DATA] = { .type = NLA_U32 },
156 [NFTA_DYNSET_TIMEOUT] = { .type = NLA_U64 },
157 [NFTA_DYNSET_EXPR] = { .type = NLA_NESTED },
158 [NFTA_DYNSET_FLAGS] = { .type = NLA_U32 },
159 [NFTA_DYNSET_EXPRESSIONS] = { .type = NLA_NESTED },
160 };
161
162 static int nft_dynset_init(const struct nft_ctx *ctx,
163 const struct nft_expr *expr,
164 const struct nlattr * const tb[])
165 {
166 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
167 struct nft_dynset *priv = nft_expr_priv(expr);
168 u8 genmask = nft_genmask_next(ctx->net);
169 struct nft_set *set;
170 u64 timeout;
171 int err, i;
172
173 lockdep_assert_held(&nft_net->commit_mutex);
174
175 if (tb[NFTA_DYNSET_SET_NAME] == NULL ||
176 tb[NFTA_DYNSET_OP] == NULL ||
177 tb[NFTA_DYNSET_SREG_KEY] == NULL)
178 return -EINVAL;
179
180 if (tb[NFTA_DYNSET_FLAGS]) {
181 u32 flags = ntohl(nla_get_be32(tb[NFTA_DYNSET_FLAGS]));
182 if (flags & ~(NFT_DYNSET_F_INV | NFT_DYNSET_F_EXPR))
183 return -EOPNOTSUPP;
184 if (flags & NFT_DYNSET_F_INV)
185 priv->invert = true;
186 if (flags & NFT_DYNSET_F_EXPR)
187 priv->expr = true;
188 }
189
190 set = nft_set_lookup_global(ctx->net, ctx->table,
191 tb[NFTA_DYNSET_SET_NAME],
192 tb[NFTA_DYNSET_SET_ID], genmask);
193 if (IS_ERR(set))
194 return PTR_ERR(set);
195
196 if (set->flags & NFT_SET_OBJECT)
197 return -EOPNOTSUPP;
198
199 if (set->ops->update == NULL)
200 return -EOPNOTSUPP;
201
202 if (set->flags & NFT_SET_CONSTANT)
203 return -EBUSY;
204
205 priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
206 if (priv->op > NFT_DYNSET_OP_DELETE)
207 return -EOPNOTSUPP;
208
209 timeout = 0;
210 if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
211 if (!(set->flags & NFT_SET_TIMEOUT))
212 return -EOPNOTSUPP;
213
214 err = nf_msecs_to_jiffies64(tb[NFTA_DYNSET_TIMEOUT], &timeout);
215 if (err)
216 return err;
217 }
218
219 err = nft_parse_register_load(ctx, tb[NFTA_DYNSET_SREG_KEY], &priv->sreg_key,
220 set->klen);
221 if (err < 0)
222 return err;
223
224 if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
225 if (!(set->flags & NFT_SET_MAP))
226 return -EOPNOTSUPP;
227 if (set->dtype == NFT_DATA_VERDICT)
228 return -EOPNOTSUPP;
229
230 err = nft_parse_register_load(ctx, tb[NFTA_DYNSET_SREG_DATA],
231 &priv->sreg_data, set->dlen);
232 if (err < 0)
233 return err;
234 } else if (set->flags & NFT_SET_MAP)
235 return -EINVAL;
236
237 if ((tb[NFTA_DYNSET_EXPR] || tb[NFTA_DYNSET_EXPRESSIONS]) &&
238 !(set->flags & NFT_SET_EVAL))
239 return -EINVAL;
240
241 if (tb[NFTA_DYNSET_EXPR]) {
242 struct nft_expr *dynset_expr;
243
244 dynset_expr = nft_dynset_expr_alloc(ctx, set,
245 tb[NFTA_DYNSET_EXPR], 0);
246 if (IS_ERR(dynset_expr))
247 return PTR_ERR(dynset_expr);
248
249 priv->num_exprs++;
250 priv->expr_array[0] = dynset_expr;
251
252 if (set->num_exprs > 1 ||
253 (set->num_exprs == 1 &&
254 dynset_expr->ops != set->exprs[0]->ops)) {
255 err = -EOPNOTSUPP;
256 goto err_expr_free;
257 }
258 } else if (tb[NFTA_DYNSET_EXPRESSIONS]) {
259 struct nft_expr *dynset_expr;
260 struct nlattr *tmp;
261 int left;
262
263 if (!priv->expr)
264 return -EINVAL;
265
266 i = 0;
267 nla_for_each_nested(tmp, tb[NFTA_DYNSET_EXPRESSIONS], left) {
268 if (i == NFT_SET_EXPR_MAX) {
269 err = -E2BIG;
270 goto err_expr_free;
271 }
272 if (nla_type(tmp) != NFTA_LIST_ELEM) {
273 err = -EINVAL;
274 goto err_expr_free;
275 }
276 dynset_expr = nft_dynset_expr_alloc(ctx, set, tmp, i);
277 if (IS_ERR(dynset_expr)) {
278 err = PTR_ERR(dynset_expr);
279 goto err_expr_free;
280 }
281 priv->expr_array[i] = dynset_expr;
282 priv->num_exprs++;
283
284 if (set->num_exprs) {
285 if (i >= set->num_exprs) {
286 err = -EINVAL;
287 goto err_expr_free;
288 }
289 if (dynset_expr->ops != set->exprs[i]->ops) {
290 err = -EOPNOTSUPP;
291 goto err_expr_free;
292 }
293 }
294 i++;
295 }
296 if (set->num_exprs && set->num_exprs != i) {
297 err = -EOPNOTSUPP;
298 goto err_expr_free;
299 }
300 } else if (set->num_exprs > 0) {
301 err = nft_set_elem_expr_clone(ctx, set, priv->expr_array);
302 if (err < 0)
303 return err;
304
305 priv->num_exprs = set->num_exprs;
306 }
307
308 nft_set_ext_prepare(&priv->tmpl);
309 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_KEY, set->klen);
310 if (set->flags & NFT_SET_MAP)
311 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_DATA, set->dlen);
312
313 if (priv->num_exprs)
314 nft_dynset_ext_add_expr(priv);
315
316 if (set->flags & NFT_SET_TIMEOUT &&
317 (timeout || READ_ONCE(set->timeout)))
318 nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_TIMEOUT);
319
320 priv->timeout = timeout;
321
322 err = nf_tables_bind_set(ctx, set, &priv->binding);
323 if (err < 0)
324 goto err_expr_free;
325
326 if (set->size == 0)
327 set->size = 0xffff;
328
329 priv->set = set;
330 return 0;
331
332 err_expr_free:
333 for (i = 0; i < priv->num_exprs; i++)
334 nft_expr_destroy(ctx, priv->expr_array[i]);
335 return err;
336 }
337
338 static void nft_dynset_deactivate(const struct nft_ctx *ctx,
339 const struct nft_expr *expr,
340 enum nft_trans_phase phase)
341 {
342 struct nft_dynset *priv = nft_expr_priv(expr);
343
344 nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
345 }
346
347 static void nft_dynset_activate(const struct nft_ctx *ctx,
348 const struct nft_expr *expr)
349 {
350 struct nft_dynset *priv = nft_expr_priv(expr);
351
352 nf_tables_activate_set(ctx, priv->set);
353 }
354
355 static void nft_dynset_destroy(const struct nft_ctx *ctx,
356 const struct nft_expr *expr)
357 {
358 struct nft_dynset *priv = nft_expr_priv(expr);
359 int i;
360
361 for (i = 0; i < priv->num_exprs; i++)
362 nft_expr_destroy(ctx, priv->expr_array[i]);
363
364 nf_tables_destroy_set(ctx, priv->set);
365 }
366
367 static int nft_dynset_dump(struct sk_buff *skb,
368 const struct nft_expr *expr, bool reset)
369 {
370 const struct nft_dynset *priv = nft_expr_priv(expr);
371 u32 flags = priv->invert ? NFT_DYNSET_F_INV : 0;
372 int i;
373
374 if (nft_dump_register(skb, NFTA_DYNSET_SREG_KEY, priv->sreg_key))
375 goto nla_put_failure;
376 if (priv->set->flags & NFT_SET_MAP &&
377 nft_dump_register(skb, NFTA_DYNSET_SREG_DATA, priv->sreg_data))
378 goto nla_put_failure;
379 if (nla_put_be32(skb, NFTA_DYNSET_OP, htonl(priv->op)))
380 goto nla_put_failure;
381 if (nla_put_string(skb, NFTA_DYNSET_SET_NAME, priv->set->name))
382 goto nla_put_failure;
383 if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT,
384 nf_jiffies64_to_msecs(priv->timeout),
385 NFTA_DYNSET_PAD))
386 goto nla_put_failure;
387 if (priv->set->num_exprs == 0) {
388 if (priv->num_exprs == 1) {
389 if (nft_expr_dump(skb, NFTA_DYNSET_EXPR,
390 priv->expr_array[0], reset))
391 goto nla_put_failure;
392 } else if (priv->num_exprs > 1) {
393 struct nlattr *nest;
394
395 nest = nla_nest_start_noflag(skb, NFTA_DYNSET_EXPRESSIONS);
396 if (!nest)
397 goto nla_put_failure;
398
399 for (i = 0; i < priv->num_exprs; i++) {
400 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
401 priv->expr_array[i], reset))
402 goto nla_put_failure;
403 }
404 nla_nest_end(skb, nest);
405 }
406 }
407 if (nla_put_be32(skb, NFTA_DYNSET_FLAGS, htonl(flags)))
408 goto nla_put_failure;
409 return 0;
410
411 nla_put_failure:
412 return -1;
413 }
414
415 static const struct nft_expr_ops nft_dynset_ops = {
416 .type = &nft_dynset_type,
417 .size = NFT_EXPR_SIZE(sizeof(struct nft_dynset)),
418 .eval = nft_dynset_eval,
419 .init = nft_dynset_init,
420 .destroy = nft_dynset_destroy,
421 .activate = nft_dynset_activate,
422 .deactivate = nft_dynset_deactivate,
423 .dump = nft_dynset_dump,
424 .reduce = NFT_REDUCE_READONLY,
425 };
426
427 struct nft_expr_type nft_dynset_type __read_mostly = {
428 .name = "dynset",
429 .ops = &nft_dynset_ops,
430 .policy = nft_dynset_policy,
431 .maxattr = NFTA_DYNSET_MAX,
432 .owner = THIS_MODULE,
433 };
Kernel DRM miscellaneous fixes and cross-tree changes