search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
perf bpf: Move perf_event_output() from stdio.h to bpf.h
[linux/fpc-iii.git] / net / netfilter / nft_compat.c
blob7334e0b80a5effe521bb807dda2ab259a62df8d8
1 /*
2 * (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 *
8 * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
9 */
10
11 #include <linux/kernel.h>
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/netlink.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <linux/netfilter/nf_tables_compat.h>
19 #include <linux/netfilter/x_tables.h>
20 #include <linux/netfilter_ipv4/ip_tables.h>
21 #include <linux/netfilter_ipv6/ip6_tables.h>
22 #include <linux/netfilter_bridge/ebtables.h>
23 #include <linux/netfilter_arp/arp_tables.h>
24 #include <net/netfilter/nf_tables.h>
25
26 struct nft_xt {
27 struct list_head head;
28 struct nft_expr_ops ops;
29 unsigned int refcnt;
30
31 /* Unlike other expressions, ops doesn't have static storage duration.
32 * nft core assumes they do. We use kfree_rcu so that nft core can
33 * can check expr->ops->size even after nft_compat->destroy() frees
34 * the nft_xt struct that holds the ops structure.
35 */
36 struct rcu_head rcu_head;
37 };
38
39 /* Used for matches where *info is larger than X byte */
40 #define NFT_MATCH_LARGE_THRESH 192
41
42 struct nft_xt_match_priv {
43 void *info;
44 };
45
46 static bool nft_xt_put(struct nft_xt *xt)
47 {
48 if (--xt->refcnt == 0) {
49 list_del(&xt->head);
50 kfree_rcu(xt, rcu_head);
51 return true;
52 }
53
54 return false;
55 }
56
57 static int nft_compat_chain_validate_dependency(const struct nft_ctx *ctx,
58 const char *tablename)
59 {
60 enum nft_chain_types type = NFT_CHAIN_T_DEFAULT;
61 const struct nft_chain *chain = ctx->chain;
62 const struct nft_base_chain *basechain;
63
64 if (!tablename ||
65 !nft_is_base_chain(chain))
66 return 0;
67
68 basechain = nft_base_chain(chain);
69 if (strcmp(tablename, "nat") == 0) {
70 if (ctx->family != NFPROTO_BRIDGE)
71 type = NFT_CHAIN_T_NAT;
72 if (basechain->type->type != type)
73 return -EINVAL;
74 }
75
76 return 0;
77 }
78
79 union nft_entry {
80 struct ipt_entry e4;
81 struct ip6t_entry e6;
82 struct ebt_entry ebt;
83 struct arpt_entry arp;
84 };
85
86 static inline void
87 nft_compat_set_par(struct xt_action_param *par, void *xt, const void *xt_info)
88 {
89 par->target = xt;
90 par->targinfo = xt_info;
91 par->hotdrop = false;
92 }
93
94 static void nft_target_eval_xt(const struct nft_expr *expr,
95 struct nft_regs *regs,
96 const struct nft_pktinfo *pkt)
97 {
98 void *info = nft_expr_priv(expr);
99 struct xt_target *target = expr->ops->data;
100 struct sk_buff *skb = pkt->skb;
101 int ret;
102
103 nft_compat_set_par((struct xt_action_param *)&pkt->xt, target, info);
104
105 ret = target->target(skb, &pkt->xt);
106
107 if (pkt->xt.hotdrop)
108 ret = NF_DROP;
109
110 switch (ret) {
111 case XT_CONTINUE:
112 regs->verdict.code = NFT_CONTINUE;
113 break;
114 default:
115 regs->verdict.code = ret;
116 break;
117 }
118 }
119
120 static void nft_target_eval_bridge(const struct nft_expr *expr,
121 struct nft_regs *regs,
122 const struct nft_pktinfo *pkt)
123 {
124 void *info = nft_expr_priv(expr);
125 struct xt_target *target = expr->ops->data;
126 struct sk_buff *skb = pkt->skb;
127 int ret;
128
129 nft_compat_set_par((struct xt_action_param *)&pkt->xt, target, info);
130
131 ret = target->target(skb, &pkt->xt);
132
133 if (pkt->xt.hotdrop)
134 ret = NF_DROP;
135
136 switch (ret) {
137 case EBT_ACCEPT:
138 regs->verdict.code = NF_ACCEPT;
139 break;
140 case EBT_DROP:
141 regs->verdict.code = NF_DROP;
142 break;
143 case EBT_CONTINUE:
144 regs->verdict.code = NFT_CONTINUE;
145 break;
146 case EBT_RETURN:
147 regs->verdict.code = NFT_RETURN;
148 break;
149 default:
150 regs->verdict.code = ret;
151 break;
152 }
153 }
154
155 static const struct nla_policy nft_target_policy[NFTA_TARGET_MAX + 1] = {
156 [NFTA_TARGET_NAME] = { .type = NLA_NUL_STRING },
157 [NFTA_TARGET_REV] = { .type = NLA_U32 },
158 [NFTA_TARGET_INFO] = { .type = NLA_BINARY },
159 };
160
161 static void
162 nft_target_set_tgchk_param(struct xt_tgchk_param *par,
163 const struct nft_ctx *ctx,
164 struct xt_target *target, void *info,
165 union nft_entry *entry, u16 proto, bool inv)
166 {
167 par->net = ctx->net;
168 par->table = ctx->table->name;
169 switch (ctx->family) {
170 case AF_INET:
171 entry->e4.ip.proto = proto;
172 entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
173 break;
174 case AF_INET6:
175 if (proto)
176 entry->e6.ipv6.flags |= IP6T_F_PROTO;
177
178 entry->e6.ipv6.proto = proto;
179 entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
180 break;
181 case NFPROTO_BRIDGE:
182 entry->ebt.ethproto = (__force __be16)proto;
183 entry->ebt.invflags = inv ? EBT_IPROTO : 0;
184 break;
185 case NFPROTO_ARP:
186 break;
187 }
188 par->entryinfo = entry;
189 par->target = target;
190 par->targinfo = info;
191 if (nft_is_base_chain(ctx->chain)) {
192 const struct nft_base_chain *basechain =
193 nft_base_chain(ctx->chain);
194 const struct nf_hook_ops *ops = &basechain->ops;
195
196 par->hook_mask = 1 << ops->hooknum;
197 } else {
198 par->hook_mask = 0;
199 }
200 par->family = ctx->family;
201 par->nft_compat = true;
202 }
203
204 static void target_compat_from_user(struct xt_target *t, void *in, void *out)
205 {
206 int pad;
207
208 memcpy(out, in, t->targetsize);
209 pad = XT_ALIGN(t->targetsize) - t->targetsize;
210 if (pad > 0)
211 memset(out + t->targetsize, 0, pad);
212 }
213
214 static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1] = {
215 [NFTA_RULE_COMPAT_PROTO] = { .type = NLA_U32 },
216 [NFTA_RULE_COMPAT_FLAGS] = { .type = NLA_U32 },
217 };
218
219 static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv)
220 {
221 struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1];
222 u32 flags;
223 int err;
224
225 err = nla_parse_nested(tb, NFTA_RULE_COMPAT_MAX, attr,
226 nft_rule_compat_policy, NULL);
227 if (err < 0)
228 return err;
229
230 if (!tb[NFTA_RULE_COMPAT_PROTO] || !tb[NFTA_RULE_COMPAT_FLAGS])
231 return -EINVAL;
232
233 flags = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_FLAGS]));
234 if (flags & ~NFT_RULE_COMPAT_F_MASK)
235 return -EINVAL;
236 if (flags & NFT_RULE_COMPAT_F_INV)
237 *inv = true;
238
239 *proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));
240 return 0;
241 }
242
243 static int
244 nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
245 const struct nlattr * const tb[])
246 {
247 void *info = nft_expr_priv(expr);
248 struct xt_target *target = expr->ops->data;
249 struct xt_tgchk_param par;
250 size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
251 struct nft_xt *nft_xt;
252 u16 proto = 0;
253 bool inv = false;
254 union nft_entry e = {};
255 int ret;
256
257 target_compat_from_user(target, nla_data(tb[NFTA_TARGET_INFO]), info);
258
259 if (ctx->nla[NFTA_RULE_COMPAT]) {
260 ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
261 if (ret < 0)
262 return ret;
263 }
264
265 nft_target_set_tgchk_param(&par, ctx, target, info, &e, proto, inv);
266
267 ret = xt_check_target(&par, size, proto, inv);
268 if (ret < 0)
269 return ret;
270
271 /* The standard target cannot be used */
272 if (!target->target)
273 return -EINVAL;
274
275 nft_xt = container_of(expr->ops, struct nft_xt, ops);
276 nft_xt->refcnt++;
277 return 0;
278 }
279
280 static void
281 nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
282 {
283 struct xt_target *target = expr->ops->data;
284 void *info = nft_expr_priv(expr);
285 struct xt_tgdtor_param par;
286
287 par.net = ctx->net;
288 par.target = target;
289 par.targinfo = info;
290 par.family = ctx->family;
291 if (par.target->destroy != NULL)
292 par.target->destroy(&par);
293
294 if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
295 module_put(target->me);
296 }
297
298 static int nft_extension_dump_info(struct sk_buff *skb, int attr,
299 const void *info,
300 unsigned int size, unsigned int user_size)
301 {
302 unsigned int info_size, aligned_size = XT_ALIGN(size);
303 struct nlattr *nla;
304
305 nla = nla_reserve(skb, attr, aligned_size);
306 if (!nla)
307 return -1;
308
309 info_size = user_size ? : size;
310 memcpy(nla_data(nla), info, info_size);
311 memset(nla_data(nla) + info_size, 0, aligned_size - info_size);
312
313 return 0;
314 }
315
316 static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
317 {
318 const struct xt_target *target = expr->ops->data;
319 void *info = nft_expr_priv(expr);
320
321 if (nla_put_string(skb, NFTA_TARGET_NAME, target->name) ||
322 nla_put_be32(skb, NFTA_TARGET_REV, htonl(target->revision)) ||
323 nft_extension_dump_info(skb, NFTA_TARGET_INFO, info,
324 target->targetsize, target->usersize))
325 goto nla_put_failure;
326
327 return 0;
328
329 nla_put_failure:
330 return -1;
331 }
332
333 static int nft_target_validate(const struct nft_ctx *ctx,
334 const struct nft_expr *expr,
335 const struct nft_data **data)
336 {
337 struct xt_target *target = expr->ops->data;
338 unsigned int hook_mask = 0;
339 int ret;
340
341 if (nft_is_base_chain(ctx->chain)) {
342 const struct nft_base_chain *basechain =
343 nft_base_chain(ctx->chain);
344 const struct nf_hook_ops *ops = &basechain->ops;
345
346 hook_mask = 1 << ops->hooknum;
347 if (target->hooks && !(hook_mask & target->hooks))
348 return -EINVAL;
349
350 ret = nft_compat_chain_validate_dependency(ctx, target->table);
351 if (ret < 0)
352 return ret;
353 }
354 return 0;
355 }
356
357 static void __nft_match_eval(const struct nft_expr *expr,
358 struct nft_regs *regs,
359 const struct nft_pktinfo *pkt,
360 void *info)
361 {
362 struct xt_match *match = expr->ops->data;
363 struct sk_buff *skb = pkt->skb;
364 bool ret;
365
366 nft_compat_set_par((struct xt_action_param *)&pkt->xt, match, info);
367
368 ret = match->match(skb, (struct xt_action_param *)&pkt->xt);
369
370 if (pkt->xt.hotdrop) {
371 regs->verdict.code = NF_DROP;
372 return;
373 }
374
375 switch (ret ? 1 : 0) {
376 case 1:
377 regs->verdict.code = NFT_CONTINUE;
378 break;
379 case 0:
380 regs->verdict.code = NFT_BREAK;
381 break;
382 }
383 }
384
385 static void nft_match_large_eval(const struct nft_expr *expr,
386 struct nft_regs *regs,
387 const struct nft_pktinfo *pkt)
388 {
389 struct nft_xt_match_priv *priv = nft_expr_priv(expr);
390
391 __nft_match_eval(expr, regs, pkt, priv->info);
392 }
393
394 static void nft_match_eval(const struct nft_expr *expr,
395 struct nft_regs *regs,
396 const struct nft_pktinfo *pkt)
397 {
398 __nft_match_eval(expr, regs, pkt, nft_expr_priv(expr));
399 }
400
401 static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
402 [NFTA_MATCH_NAME] = { .type = NLA_NUL_STRING },
403 [NFTA_MATCH_REV] = { .type = NLA_U32 },
404 [NFTA_MATCH_INFO] = { .type = NLA_BINARY },
405 };
406
407 /* struct xt_mtchk_param and xt_tgchk_param look very similar */
408 static void
409 nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
410 struct xt_match *match, void *info,
411 union nft_entry *entry, u16 proto, bool inv)
412 {
413 par->net = ctx->net;
414 par->table = ctx->table->name;
415 switch (ctx->family) {
416 case AF_INET:
417 entry->e4.ip.proto = proto;
418 entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
419 break;
420 case AF_INET6:
421 if (proto)
422 entry->e6.ipv6.flags |= IP6T_F_PROTO;
423
424 entry->e6.ipv6.proto = proto;
425 entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
426 break;
427 case NFPROTO_BRIDGE:
428 entry->ebt.ethproto = (__force __be16)proto;
429 entry->ebt.invflags = inv ? EBT_IPROTO : 0;
430 break;
431 case NFPROTO_ARP:
432 break;
433 }
434 par->entryinfo = entry;
435 par->match = match;
436 par->matchinfo = info;
437 if (nft_is_base_chain(ctx->chain)) {
438 const struct nft_base_chain *basechain =
439 nft_base_chain(ctx->chain);
440 const struct nf_hook_ops *ops = &basechain->ops;
441
442 par->hook_mask = 1 << ops->hooknum;
443 } else {
444 par->hook_mask = 0;
445 }
446 par->family = ctx->family;
447 par->nft_compat = true;
448 }
449
450 static void match_compat_from_user(struct xt_match *m, void *in, void *out)
451 {
452 int pad;
453
454 memcpy(out, in, m->matchsize);
455 pad = XT_ALIGN(m->matchsize) - m->matchsize;
456 if (pad > 0)
457 memset(out + m->matchsize, 0, pad);
458 }
459
460 static int
461 __nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
462 const struct nlattr * const tb[],
463 void *info)
464 {
465 struct xt_match *match = expr->ops->data;
466 struct xt_mtchk_param par;
467 size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO]));
468 struct nft_xt *nft_xt;
469 u16 proto = 0;
470 bool inv = false;
471 union nft_entry e = {};
472 int ret;
473
474 match_compat_from_user(match, nla_data(tb[NFTA_MATCH_INFO]), info);
475
476 if (ctx->nla[NFTA_RULE_COMPAT]) {
477 ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
478 if (ret < 0)
479 return ret;
480 }
481
482 nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);
483
484 ret = xt_check_match(&par, size, proto, inv);
485 if (ret < 0)
486 return ret;
487
488 nft_xt = container_of(expr->ops, struct nft_xt, ops);
489 nft_xt->refcnt++;
490 return 0;
491 }
492
493 static int
494 nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
495 const struct nlattr * const tb[])
496 {
497 return __nft_match_init(ctx, expr, tb, nft_expr_priv(expr));
498 }
499
500 static int
501 nft_match_large_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
502 const struct nlattr * const tb[])
503 {
504 struct nft_xt_match_priv *priv = nft_expr_priv(expr);
505 struct xt_match *m = expr->ops->data;
506 int ret;
507
508 priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL);
509 if (!priv->info)
510 return -ENOMEM;
511
512 ret = __nft_match_init(ctx, expr, tb, priv->info);
513 if (ret)
514 kfree(priv->info);
515 return ret;
516 }
517
518 static void
519 __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
520 void *info)
521 {
522 struct xt_match *match = expr->ops->data;
523 struct module *me = match->me;
524 struct xt_mtdtor_param par;
525
526 par.net = ctx->net;
527 par.match = match;
528 par.matchinfo = info;
529 par.family = ctx->family;
530 if (par.match->destroy != NULL)
531 par.match->destroy(&par);
532
533 if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
534 module_put(me);
535 }
536
537 static void
538 nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
539 {
540 __nft_match_destroy(ctx, expr, nft_expr_priv(expr));
541 }
542
543 static void
544 nft_match_large_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
545 {
546 struct nft_xt_match_priv *priv = nft_expr_priv(expr);
547
548 __nft_match_destroy(ctx, expr, priv->info);
549 kfree(priv->info);
550 }
551
552 static int __nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr,
553 void *info)
554 {
555 struct xt_match *match = expr->ops->data;
556
557 if (nla_put_string(skb, NFTA_MATCH_NAME, match->name) ||
558 nla_put_be32(skb, NFTA_MATCH_REV, htonl(match->revision)) ||
559 nft_extension_dump_info(skb, NFTA_MATCH_INFO, info,
560 match->matchsize, match->usersize))
561 goto nla_put_failure;
562
563 return 0;
564
565 nla_put_failure:
566 return -1;
567 }
568
569 static int nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr)
570 {
571 return __nft_match_dump(skb, expr, nft_expr_priv(expr));
572 }
573
574 static int nft_match_large_dump(struct sk_buff *skb, const struct nft_expr *e)
575 {
576 struct nft_xt_match_priv *priv = nft_expr_priv(e);
577
578 return __nft_match_dump(skb, e, priv->info);
579 }
580
581 static int nft_match_validate(const struct nft_ctx *ctx,
582 const struct nft_expr *expr,
583 const struct nft_data **data)
584 {
585 struct xt_match *match = expr->ops->data;
586 unsigned int hook_mask = 0;
587 int ret;
588
589 if (nft_is_base_chain(ctx->chain)) {
590 const struct nft_base_chain *basechain =
591 nft_base_chain(ctx->chain);
592 const struct nf_hook_ops *ops = &basechain->ops;
593
594 hook_mask = 1 << ops->hooknum;
595 if (match->hooks && !(hook_mask & match->hooks))
596 return -EINVAL;
597
598 ret = nft_compat_chain_validate_dependency(ctx, match->table);
599 if (ret < 0)
600 return ret;
601 }
602 return 0;
603 }
604
605 static int
606 nfnl_compat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
607 int event, u16 family, const char *name,
608 int rev, int target)
609 {
610 struct nlmsghdr *nlh;
611 struct nfgenmsg *nfmsg;
612 unsigned int flags = portid ? NLM_F_MULTI : 0;
613
614 event = nfnl_msg_type(NFNL_SUBSYS_NFT_COMPAT, event);
615 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
616 if (nlh == NULL)
617 goto nlmsg_failure;
618
619 nfmsg = nlmsg_data(nlh);
620 nfmsg->nfgen_family = family;
621 nfmsg->version = NFNETLINK_V0;
622 nfmsg->res_id = 0;
623
624 if (nla_put_string(skb, NFTA_COMPAT_NAME, name) ||
625 nla_put_be32(skb, NFTA_COMPAT_REV, htonl(rev)) ||
626 nla_put_be32(skb, NFTA_COMPAT_TYPE, htonl(target)))
627 goto nla_put_failure;
628
629 nlmsg_end(skb, nlh);
630 return skb->len;
631
632 nlmsg_failure:
633 nla_put_failure:
634 nlmsg_cancel(skb, nlh);
635 return -1;
636 }
637
638 static int nfnl_compat_get_rcu(struct net *net, struct sock *nfnl,
639 struct sk_buff *skb, const struct nlmsghdr *nlh,
640 const struct nlattr * const tb[],
641 struct netlink_ext_ack *extack)
642 {
643 int ret = 0, target;
644 struct nfgenmsg *nfmsg;
645 const char *fmt;
646 const char *name;
647 u32 rev;
648 struct sk_buff *skb2;
649
650 if (tb[NFTA_COMPAT_NAME] == NULL ||
651 tb[NFTA_COMPAT_REV] == NULL ||
652 tb[NFTA_COMPAT_TYPE] == NULL)
653 return -EINVAL;
654
655 name = nla_data(tb[NFTA_COMPAT_NAME]);
656 rev = ntohl(nla_get_be32(tb[NFTA_COMPAT_REV]));
657 target = ntohl(nla_get_be32(tb[NFTA_COMPAT_TYPE]));
658
659 nfmsg = nlmsg_data(nlh);
660
661 switch(nfmsg->nfgen_family) {
662 case AF_INET:
663 fmt = "ipt_%s";
664 break;
665 case AF_INET6:
666 fmt = "ip6t_%s";
667 break;
668 case NFPROTO_BRIDGE:
669 fmt = "ebt_%s";
670 break;
671 case NFPROTO_ARP:
672 fmt = "arpt_%s";
673 break;
674 default:
675 pr_err("nft_compat: unsupported protocol %d\n",
676 nfmsg->nfgen_family);
677 return -EINVAL;
678 }
679
680 if (!try_module_get(THIS_MODULE))
681 return -EINVAL;
682
683 rcu_read_unlock();
684 try_then_request_module(xt_find_revision(nfmsg->nfgen_family, name,
685 rev, target, &ret),
686 fmt, name);
687 if (ret < 0)
688 goto out_put;
689
690 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
691 if (skb2 == NULL) {
692 ret = -ENOMEM;
693 goto out_put;
694 }
695
696 /* include the best revision for this extension in the message */
697 if (nfnl_compat_fill_info(skb2, NETLINK_CB(skb).portid,
698 nlh->nlmsg_seq,
699 NFNL_MSG_TYPE(nlh->nlmsg_type),
700 NFNL_MSG_COMPAT_GET,
701 nfmsg->nfgen_family,
702 name, ret, target) <= 0) {
703 kfree_skb(skb2);
704 goto out_put;
705 }
706
707 ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
708 MSG_DONTWAIT);
709 if (ret > 0)
710 ret = 0;
711 out_put:
712 rcu_read_lock();
713 module_put(THIS_MODULE);
714 return ret == -EAGAIN ? -ENOBUFS : ret;
715 }
716
717 static const struct nla_policy nfnl_compat_policy_get[NFTA_COMPAT_MAX+1] = {
718 [NFTA_COMPAT_NAME] = { .type = NLA_NUL_STRING,
719 .len = NFT_COMPAT_NAME_MAX-1 },
720 [NFTA_COMPAT_REV] = { .type = NLA_U32 },
721 [NFTA_COMPAT_TYPE] = { .type = NLA_U32 },
722 };
723
724 static const struct nfnl_callback nfnl_nft_compat_cb[NFNL_MSG_COMPAT_MAX] = {
725 [NFNL_MSG_COMPAT_GET] = { .call_rcu = nfnl_compat_get_rcu,
726 .attr_count = NFTA_COMPAT_MAX,
727 .policy = nfnl_compat_policy_get },
728 };
729
730 static const struct nfnetlink_subsystem nfnl_compat_subsys = {
731 .name = "nft-compat",
732 .subsys_id = NFNL_SUBSYS_NFT_COMPAT,
733 .cb_count = NFNL_MSG_COMPAT_MAX,
734 .cb = nfnl_nft_compat_cb,
735 };
736
737 static LIST_HEAD(nft_match_list);
738
739 static struct nft_expr_type nft_match_type;
740
741 static bool nft_match_cmp(const struct xt_match *match,
742 const char *name, u32 rev, u32 family)
743 {
744 return strcmp(match->name, name) == 0 && match->revision == rev &&
745 (match->family == NFPROTO_UNSPEC || match->family == family);
746 }
747
748 static const struct nft_expr_ops *
749 nft_match_select_ops(const struct nft_ctx *ctx,
750 const struct nlattr * const tb[])
751 {
752 struct nft_xt *nft_match;
753 struct xt_match *match;
754 unsigned int matchsize;
755 char *mt_name;
756 u32 rev, family;
757 int err;
758
759 if (tb[NFTA_MATCH_NAME] == NULL ||
760 tb[NFTA_MATCH_REV] == NULL ||
761 tb[NFTA_MATCH_INFO] == NULL)
762 return ERR_PTR(-EINVAL);
763
764 mt_name = nla_data(tb[NFTA_MATCH_NAME]);
765 rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
766 family = ctx->family;
767
768 /* Re-use the existing match if it's already loaded. */
769 list_for_each_entry(nft_match, &nft_match_list, head) {
770 struct xt_match *match = nft_match->ops.data;
771
772 if (nft_match_cmp(match, mt_name, rev, family))
773 return &nft_match->ops;
774 }
775
776 match = xt_request_find_match(family, mt_name, rev);
777 if (IS_ERR(match))
778 return ERR_PTR(-ENOENT);
779
780 if (match->matchsize > nla_len(tb[NFTA_MATCH_INFO])) {
781 err = -EINVAL;
782 goto err;
783 }
784
785 /* This is the first time we use this match, allocate operations */
786 nft_match = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
787 if (nft_match == NULL) {
788 err = -ENOMEM;
789 goto err;
790 }
791
792 nft_match->refcnt = 0;
793 nft_match->ops.type = &nft_match_type;
794 nft_match->ops.eval = nft_match_eval;
795 nft_match->ops.init = nft_match_init;
796 nft_match->ops.destroy = nft_match_destroy;
797 nft_match->ops.dump = nft_match_dump;
798 nft_match->ops.validate = nft_match_validate;
799 nft_match->ops.data = match;
800
801 matchsize = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
802 if (matchsize > NFT_MATCH_LARGE_THRESH) {
803 matchsize = NFT_EXPR_SIZE(sizeof(struct nft_xt_match_priv));
804
805 nft_match->ops.eval = nft_match_large_eval;
806 nft_match->ops.init = nft_match_large_init;
807 nft_match->ops.destroy = nft_match_large_destroy;
808 nft_match->ops.dump = nft_match_large_dump;
809 }
810
811 nft_match->ops.size = matchsize;
812
813 list_add(&nft_match->head, &nft_match_list);
814
815 return &nft_match->ops;
816 err:
817 module_put(match->me);
818 return ERR_PTR(err);
819 }
820
821 static struct nft_expr_type nft_match_type __read_mostly = {
822 .name = "match",
823 .select_ops = nft_match_select_ops,
824 .policy = nft_match_policy,
825 .maxattr = NFTA_MATCH_MAX,
826 .owner = THIS_MODULE,
827 };
828
829 static LIST_HEAD(nft_target_list);
830
831 static struct nft_expr_type nft_target_type;
832
833 static bool nft_target_cmp(const struct xt_target *tg,
834 const char *name, u32 rev, u32 family)
835 {
836 return strcmp(tg->name, name) == 0 && tg->revision == rev &&
837 (tg->family == NFPROTO_UNSPEC || tg->family == family);
838 }
839
840 static const struct nft_expr_ops *
841 nft_target_select_ops(const struct nft_ctx *ctx,
842 const struct nlattr * const tb[])
843 {
844 struct nft_xt *nft_target;
845 struct xt_target *target;
846 char *tg_name;
847 u32 rev, family;
848 int err;
849
850 if (tb[NFTA_TARGET_NAME] == NULL ||
851 tb[NFTA_TARGET_REV] == NULL ||
852 tb[NFTA_TARGET_INFO] == NULL)
853 return ERR_PTR(-EINVAL);
854
855 tg_name = nla_data(tb[NFTA_TARGET_NAME]);
856 rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
857 family = ctx->family;
858
859 if (strcmp(tg_name, XT_ERROR_TARGET) == 0 ||
860 strcmp(tg_name, XT_STANDARD_TARGET) == 0 ||
861 strcmp(tg_name, "standard") == 0)
862 return ERR_PTR(-EINVAL);
863
864 /* Re-use the existing target if it's already loaded. */
865 list_for_each_entry(nft_target, &nft_target_list, head) {
866 struct xt_target *target = nft_target->ops.data;
867
868 if (!target->target)
869 continue;
870
871 if (nft_target_cmp(target, tg_name, rev, family))
872 return &nft_target->ops;
873 }
874
875 target = xt_request_find_target(family, tg_name, rev);
876 if (IS_ERR(target))
877 return ERR_PTR(-ENOENT);
878
879 if (!target->target) {
880 err = -EINVAL;
881 goto err;
882 }
883
884 if (target->targetsize > nla_len(tb[NFTA_TARGET_INFO])) {
885 err = -EINVAL;
886 goto err;
887 }
888
889 /* This is the first time we use this target, allocate operations */
890 nft_target = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
891 if (nft_target == NULL) {
892 err = -ENOMEM;
893 goto err;
894 }
895
896 nft_target->refcnt = 0;
897 nft_target->ops.type = &nft_target_type;
898 nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
899 nft_target->ops.init = nft_target_init;
900 nft_target->ops.destroy = nft_target_destroy;
901 nft_target->ops.dump = nft_target_dump;
902 nft_target->ops.validate = nft_target_validate;
903 nft_target->ops.data = target;
904
905 if (family == NFPROTO_BRIDGE)
906 nft_target->ops.eval = nft_target_eval_bridge;
907 else
908 nft_target->ops.eval = nft_target_eval_xt;
909
910 list_add(&nft_target->head, &nft_target_list);
911
912 return &nft_target->ops;
913 err:
914 module_put(target->me);
915 return ERR_PTR(err);
916 }
917
918 static struct nft_expr_type nft_target_type __read_mostly = {
919 .name = "target",
920 .select_ops = nft_target_select_ops,
921 .policy = nft_target_policy,
922 .maxattr = NFTA_TARGET_MAX,
923 .owner = THIS_MODULE,
924 };
925
926 static int __init nft_compat_module_init(void)
927 {
928 int ret;
929
930 ret = nft_register_expr(&nft_match_type);
931 if (ret < 0)
932 return ret;
933
934 ret = nft_register_expr(&nft_target_type);
935 if (ret < 0)
936 goto err_match;
937
938 ret = nfnetlink_subsys_register(&nfnl_compat_subsys);
939 if (ret < 0) {
940 pr_err("nft_compat: cannot register with nfnetlink.\n");
941 goto err_target;
942 }
943
944 return ret;
945
946 err_target:
947 nft_unregister_expr(&nft_target_type);
948 err_match:
949 nft_unregister_expr(&nft_match_type);
950 return ret;
951 }
952
953 static void __exit nft_compat_module_exit(void)
954 {
955 struct nft_xt *xt, *next;
956
957 /* list should be empty here, it can be non-empty only in case there
958 * was an error that caused nft_xt expr to not be initialized fully
959 * and noone else requested the same expression later.
960 *
961 * In this case, the lists contain 0-refcount entries that still
962 * hold module reference.
963 */
964 list_for_each_entry_safe(xt, next, &nft_target_list, head) {
965 struct xt_target *target = xt->ops.data;
966
967 if (WARN_ON_ONCE(xt->refcnt))
968 continue;
969 module_put(target->me);
970 kfree(xt);
971 }
972
973 list_for_each_entry_safe(xt, next, &nft_match_list, head) {
974 struct xt_match *match = xt->ops.data;
975
976 if (WARN_ON_ONCE(xt->refcnt))
977 continue;
978 module_put(match->me);
979 kfree(xt);
980 }
981 nfnetlink_subsys_unregister(&nfnl_compat_subsys);
982 nft_unregister_expr(&nft_target_type);
983 nft_unregister_expr(&nft_match_type);
984 }
985
986 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFT_COMPAT);
987
988 module_init(nft_compat_module_init);
989 module_exit(nft_compat_module_exit);
990
991 MODULE_LICENSE("GPL");
992 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
993 MODULE_ALIAS_NFT_EXPR("match");
994 MODULE_ALIAS_NFT_EXPR("target");
Linux with added FPC-III support