search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 5.2
[linux-2.6/linux-2.6-arm.git] / net / netfilter / nft_dynset.c
blob505bdfc66801f122049ea8dfef572e4a3c320fed
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2015 Patrick McHardy <kaber@trash.net>
4 */
5
6 #include <linux/kernel.h>
7 #include <linux/module.h>
8 #include <linux/init.h>
9 #include <linux/netlink.h>
10 #include <linux/netfilter.h>
11 #include <linux/netfilter/nf_tables.h>
12 #include <net/netfilter/nf_tables.h>
13 #include <net/netfilter/nf_tables_core.h>
14
15 struct nft_dynset {
16 struct nft_set *set;
17 struct nft_set_ext_tmpl tmpl;
18 enum nft_dynset_ops op:8;
19 enum nft_registers sreg_key:8;
20 enum nft_registers sreg_data:8;
21 bool invert;
22 u64 timeout;
23 struct nft_expr *expr;
24 struct nft_set_binding binding;
25 };
26
27 static int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
28 {
29 int err;
30
31 if (src->ops->clone) {
32 dst->ops = src->ops;
33 err = src->ops->clone(dst, src);
34 if (err < 0)
35 return err;
36 } else {
37 memcpy(dst, src, src->ops->size);
38 }
39
40 __module_get(src->ops->type->owner);
41 return 0;
42 }
43
44 static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
45 struct nft_regs *regs)
46 {
47 const struct nft_dynset *priv = nft_expr_priv(expr);
48 struct nft_set_ext *ext;
49 u64 timeout;
50 void *elem;
51
52 if (!atomic_add_unless(&set->nelems, 1, set->size))
53 return NULL;
54
55 timeout = priv->timeout ? : set->timeout;
56 elem = nft_set_elem_init(set, &priv->tmpl,
57 &regs->data[priv->sreg_key],
58 &regs->data[priv->sreg_data],
59 timeout, GFP_ATOMIC);
60 if (elem == NULL)
61 goto err1;
62
63 ext = nft_set_elem_ext(set, elem);
64 if (priv->expr != NULL &&
65 nft_expr_clone(nft_set_ext_expr(ext), priv->expr) < 0)
66 goto err2;
67
68 return elem;
69
70 err2:
71 nft_set_elem_destroy(set, elem, false);
72 err1:
73 if (set->size)
74 atomic_dec(&set->nelems);
75 return NULL;
76 }
77
78 void nft_dynset_eval(const struct nft_expr *expr,
79 struct nft_regs *regs, const struct nft_pktinfo *pkt)
80 {
81 const struct nft_dynset *priv = nft_expr_priv(expr);
82 struct nft_set *set = priv->set;
83 const struct nft_set_ext *ext;
84 const struct nft_expr *sexpr;
85 u64 timeout;
86
87 if (set->ops->update(set, &regs->data[priv->sreg_key], nft_dynset_new,
88 expr, regs, &ext)) {
89 sexpr = NULL;
90 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
91 sexpr = nft_set_ext_expr(ext);
92
93 if (priv->op == NFT_DYNSET_OP_UPDATE &&
94 nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
95 timeout = priv->timeout ? : set->timeout;
96 *nft_set_ext_expiration(ext) = get_jiffies_64() + timeout;
97 }
98
99 if (sexpr != NULL)
100 sexpr->ops->eval(sexpr, regs, pkt);
101
102 if (priv->invert)
103 regs->verdict.code = NFT_BREAK;
104 return;
105 }
106
107 if (!priv->invert)
108 regs->verdict.code = NFT_BREAK;
109 }
110
111 static const struct nla_policy nft_dynset_policy[NFTA_DYNSET_MAX + 1] = {
112 [NFTA_DYNSET_SET_NAME] = { .type = NLA_STRING,
113 .len = NFT_SET_MAXNAMELEN - 1 },
114 [NFTA_DYNSET_SET_ID] = { .type = NLA_U32 },
115 [NFTA_DYNSET_OP] = { .type = NLA_U32 },
116 [NFTA_DYNSET_SREG_KEY] = { .type = NLA_U32 },
117 [NFTA_DYNSET_SREG_DATA] = { .type = NLA_U32 },
118 [NFTA_DYNSET_TIMEOUT] = { .type = NLA_U64 },
119 [NFTA_DYNSET_EXPR] = { .type = NLA_NESTED },
120 [NFTA_DYNSET_FLAGS] = { .type = NLA_U32 },
121 };
122
123 static int nft_dynset_init(const struct nft_ctx *ctx,
124 const struct nft_expr *expr,
125 const struct nlattr * const tb[])
126 {
127 struct nft_dynset *priv = nft_expr_priv(expr);
128 u8 genmask = nft_genmask_next(ctx->net);
129 struct nft_set *set;
130 u64 timeout;
131 int err;
132
133 lockdep_assert_held(&ctx->net->nft.commit_mutex);
134
135 if (tb[NFTA_DYNSET_SET_NAME] == NULL ||
136 tb[NFTA_DYNSET_OP] == NULL ||
137 tb[NFTA_DYNSET_SREG_KEY] == NULL)
138 return -EINVAL;
139
140 if (tb[NFTA_DYNSET_FLAGS]) {
141 u32 flags = ntohl(nla_get_be32(tb[NFTA_DYNSET_FLAGS]));
142
143 if (flags & ~NFT_DYNSET_F_INV)
144 return -EINVAL;
145 if (flags & NFT_DYNSET_F_INV)
146 priv->invert = true;
147 }
148
149 set = nft_set_lookup_global(ctx->net, ctx->table,
150 tb[NFTA_DYNSET_SET_NAME],
151 tb[NFTA_DYNSET_SET_ID], genmask);
152 if (IS_ERR(set))
153 return PTR_ERR(set);
154
155 if (set->ops->update == NULL)
156 return -EOPNOTSUPP;
157
158 if (set->flags & NFT_SET_CONSTANT)
159 return -EBUSY;
160
161 priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
162 switch (priv->op) {
163 case NFT_DYNSET_OP_ADD:
164 break;
165 case NFT_DYNSET_OP_UPDATE:
166 if (!(set->flags & NFT_SET_TIMEOUT))
167 return -EOPNOTSUPP;
168 break;
169 default:
170 return -EOPNOTSUPP;
171 }
172
173 timeout = 0;
174 if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
175 if (!(set->flags & NFT_SET_TIMEOUT))
176 return -EINVAL;
177 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
178 tb[NFTA_DYNSET_TIMEOUT])));
179 }
180
181 priv->sreg_key = nft_parse_register(tb[NFTA_DYNSET_SREG_KEY]);
182 err = nft_validate_register_load(priv->sreg_key, set->klen);
183 if (err < 0)
184 return err;
185
186 if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
187 if (!(set->flags & NFT_SET_MAP))
188 return -EINVAL;
189 if (set->dtype == NFT_DATA_VERDICT)
190 return -EOPNOTSUPP;
191
192 priv->sreg_data = nft_parse_register(tb[NFTA_DYNSET_SREG_DATA]);
193 err = nft_validate_register_load(priv->sreg_data, set->dlen);
194 if (err < 0)
195 return err;
196 } else if (set->flags & NFT_SET_MAP)
197 return -EINVAL;
198
199 if (tb[NFTA_DYNSET_EXPR] != NULL) {
200 if (!(set->flags & NFT_SET_EVAL))
201 return -EINVAL;
202
203 priv->expr = nft_expr_init(ctx, tb[NFTA_DYNSET_EXPR]);
204 if (IS_ERR(priv->expr))
205 return PTR_ERR(priv->expr);
206
207 err = -EOPNOTSUPP;
208 if (!(priv->expr->ops->type->flags & NFT_EXPR_STATEFUL))
209 goto err1;
210
211 if (priv->expr->ops->type->flags & NFT_EXPR_GC) {
212 if (set->flags & NFT_SET_TIMEOUT)
213 goto err1;
214 if (!set->ops->gc_init)
215 goto err1;
216 set->ops->gc_init(set);
217 }
218 }
219
220 nft_set_ext_prepare(&priv->tmpl);
221 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_KEY, set->klen);
222 if (set->flags & NFT_SET_MAP)
223 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_DATA, set->dlen);
224 if (priv->expr != NULL)
225 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_EXPR,
226 priv->expr->ops->size);
227 if (set->flags & NFT_SET_TIMEOUT) {
228 if (timeout || set->timeout)
229 nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION);
230 }
231
232 priv->timeout = timeout;
233
234 err = nf_tables_bind_set(ctx, set, &priv->binding);
235 if (err < 0)
236 goto err1;
237
238 if (set->size == 0)
239 set->size = 0xffff;
240
241 priv->set = set;
242 return 0;
243
244 err1:
245 if (priv->expr != NULL)
246 nft_expr_destroy(ctx, priv->expr);
247 return err;
248 }
249
250 static void nft_dynset_deactivate(const struct nft_ctx *ctx,
251 const struct nft_expr *expr,
252 enum nft_trans_phase phase)
253 {
254 struct nft_dynset *priv = nft_expr_priv(expr);
255
256 nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
257 }
258
259 static void nft_dynset_activate(const struct nft_ctx *ctx,
260 const struct nft_expr *expr)
261 {
262 struct nft_dynset *priv = nft_expr_priv(expr);
263
264 priv->set->use++;
265 }
266
267 static void nft_dynset_destroy(const struct nft_ctx *ctx,
268 const struct nft_expr *expr)
269 {
270 struct nft_dynset *priv = nft_expr_priv(expr);
271
272 if (priv->expr != NULL)
273 nft_expr_destroy(ctx, priv->expr);
274
275 nf_tables_destroy_set(ctx, priv->set);
276 }
277
278 static int nft_dynset_dump(struct sk_buff *skb, const struct nft_expr *expr)
279 {
280 const struct nft_dynset *priv = nft_expr_priv(expr);
281 u32 flags = priv->invert ? NFT_DYNSET_F_INV : 0;
282
283 if (nft_dump_register(skb, NFTA_DYNSET_SREG_KEY, priv->sreg_key))
284 goto nla_put_failure;
285 if (priv->set->flags & NFT_SET_MAP &&
286 nft_dump_register(skb, NFTA_DYNSET_SREG_DATA, priv->sreg_data))
287 goto nla_put_failure;
288 if (nla_put_be32(skb, NFTA_DYNSET_OP, htonl(priv->op)))
289 goto nla_put_failure;
290 if (nla_put_string(skb, NFTA_DYNSET_SET_NAME, priv->set->name))
291 goto nla_put_failure;
292 if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT,
293 cpu_to_be64(jiffies_to_msecs(priv->timeout)),
294 NFTA_DYNSET_PAD))
295 goto nla_put_failure;
296 if (priv->expr && nft_expr_dump(skb, NFTA_DYNSET_EXPR, priv->expr))
297 goto nla_put_failure;
298 if (nla_put_be32(skb, NFTA_DYNSET_FLAGS, htonl(flags)))
299 goto nla_put_failure;
300 return 0;
301
302 nla_put_failure:
303 return -1;
304 }
305
306 static const struct nft_expr_ops nft_dynset_ops = {
307 .type = &nft_dynset_type,
308 .size = NFT_EXPR_SIZE(sizeof(struct nft_dynset)),
309 .eval = nft_dynset_eval,
310 .init = nft_dynset_init,
311 .destroy = nft_dynset_destroy,
312 .activate = nft_dynset_activate,
313 .deactivate = nft_dynset_deactivate,
314 .dump = nft_dynset_dump,
315 };
316
317 struct nft_expr_type nft_dynset_type __read_mostly = {
318 .name = "dynset",
319 .ops = &nft_dynset_ops,
320 .policy = nft_dynset_policy,
321 .maxattr = NFTA_DYNSET_MAX,
322 .owner = THIS_MODULE,
323 };
Mirror of linux-2.6-arm at arm.linux.org.uk