search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'trace-v5.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt...
[linux/fpc-iii.git] / net / netfilter / nft_dynset.c
blob0b053f75cd6047c1ba619dc540b7cf544699786d
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2015 Patrick McHardy <kaber@trash.net>
4 */
5
6 #include <linux/kernel.h>
7 #include <linux/module.h>
8 #include <linux/init.h>
9 #include <linux/netlink.h>
10 #include <linux/netfilter.h>
11 #include <linux/netfilter/nf_tables.h>
12 #include <net/netfilter/nf_tables.h>
13 #include <net/netfilter/nf_tables_core.h>
14
15 struct nft_dynset {
16 struct nft_set *set;
17 struct nft_set_ext_tmpl tmpl;
18 enum nft_dynset_ops op:8;
19 enum nft_registers sreg_key:8;
20 enum nft_registers sreg_data:8;
21 bool invert;
22 bool expr;
23 u8 num_exprs;
24 u64 timeout;
25 struct nft_expr *expr_array[NFT_SET_EXPR_MAX];
26 struct nft_set_binding binding;
27 };
28
29 static int nft_dynset_expr_setup(const struct nft_dynset *priv,
30 const struct nft_set_ext *ext)
31 {
32 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
33 struct nft_expr *expr;
34 int i;
35
36 for (i = 0; i < priv->num_exprs; i++) {
37 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
38 if (nft_expr_clone(expr, priv->expr_array[i]) < 0)
39 return -1;
40
41 elem_expr->size += priv->expr_array[i]->ops->size;
42 }
43
44 return 0;
45 }
46
47 static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
48 struct nft_regs *regs)
49 {
50 const struct nft_dynset *priv = nft_expr_priv(expr);
51 struct nft_set_ext *ext;
52 u64 timeout;
53 void *elem;
54
55 if (!atomic_add_unless(&set->nelems, 1, set->size))
56 return NULL;
57
58 timeout = priv->timeout ? : set->timeout;
59 elem = nft_set_elem_init(set, &priv->tmpl,
60 &regs->data[priv->sreg_key], NULL,
61 &regs->data[priv->sreg_data],
62 timeout, 0, GFP_ATOMIC);
63 if (elem == NULL)
64 goto err1;
65
66 ext = nft_set_elem_ext(set, elem);
67 if (priv->num_exprs && nft_dynset_expr_setup(priv, ext) < 0)
68 goto err2;
69
70 return elem;
71
72 err2:
73 nft_set_elem_destroy(set, elem, false);
74 err1:
75 if (set->size)
76 atomic_dec(&set->nelems);
77 return NULL;
78 }
79
80 void nft_dynset_eval(const struct nft_expr *expr,
81 struct nft_regs *regs, const struct nft_pktinfo *pkt)
82 {
83 const struct nft_dynset *priv = nft_expr_priv(expr);
84 struct nft_set *set = priv->set;
85 const struct nft_set_ext *ext;
86 u64 timeout;
87
88 if (priv->op == NFT_DYNSET_OP_DELETE) {
89 set->ops->delete(set, &regs->data[priv->sreg_key]);
90 return;
91 }
92
93 if (set->ops->update(set, &regs->data[priv->sreg_key], nft_dynset_new,
94 expr, regs, &ext)) {
95 if (priv->op == NFT_DYNSET_OP_UPDATE &&
96 nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
97 timeout = priv->timeout ? : set->timeout;
98 *nft_set_ext_expiration(ext) = get_jiffies_64() + timeout;
99 }
100
101 nft_set_elem_update_expr(ext, regs, pkt);
102
103 if (priv->invert)
104 regs->verdict.code = NFT_BREAK;
105 return;
106 }
107
108 if (!priv->invert)
109 regs->verdict.code = NFT_BREAK;
110 }
111
112 static void nft_dynset_ext_add_expr(struct nft_dynset *priv)
113 {
114 u8 size = 0;
115 int i;
116
117 for (i = 0; i < priv->num_exprs; i++)
118 size += priv->expr_array[i]->ops->size;
119
120 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_EXPRESSIONS,
121 sizeof(struct nft_set_elem_expr) + size);
122 }
123
124 static struct nft_expr *
125 nft_dynset_expr_alloc(const struct nft_ctx *ctx, const struct nft_set *set,
126 const struct nlattr *attr, int pos)
127 {
128 struct nft_expr *expr;
129 int err;
130
131 expr = nft_set_elem_expr_alloc(ctx, set, attr);
132 if (IS_ERR(expr))
133 return expr;
134
135 if (set->exprs[pos] && set->exprs[pos]->ops != expr->ops) {
136 err = -EOPNOTSUPP;
137 goto err_dynset_expr;
138 }
139
140 return expr;
141
142 err_dynset_expr:
143 nft_expr_destroy(ctx, expr);
144 return ERR_PTR(err);
145 }
146
147 static const struct nla_policy nft_dynset_policy[NFTA_DYNSET_MAX + 1] = {
148 [NFTA_DYNSET_SET_NAME] = { .type = NLA_STRING,
149 .len = NFT_SET_MAXNAMELEN - 1 },
150 [NFTA_DYNSET_SET_ID] = { .type = NLA_U32 },
151 [NFTA_DYNSET_OP] = { .type = NLA_U32 },
152 [NFTA_DYNSET_SREG_KEY] = { .type = NLA_U32 },
153 [NFTA_DYNSET_SREG_DATA] = { .type = NLA_U32 },
154 [NFTA_DYNSET_TIMEOUT] = { .type = NLA_U64 },
155 [NFTA_DYNSET_EXPR] = { .type = NLA_NESTED },
156 [NFTA_DYNSET_FLAGS] = { .type = NLA_U32 },
157 [NFTA_DYNSET_EXPRESSIONS] = { .type = NLA_NESTED },
158 };
159
160 static int nft_dynset_init(const struct nft_ctx *ctx,
161 const struct nft_expr *expr,
162 const struct nlattr * const tb[])
163 {
164 struct nft_dynset *priv = nft_expr_priv(expr);
165 u8 genmask = nft_genmask_next(ctx->net);
166 struct nft_set *set;
167 u64 timeout;
168 int err, i;
169
170 lockdep_assert_held(&ctx->net->nft.commit_mutex);
171
172 if (tb[NFTA_DYNSET_SET_NAME] == NULL ||
173 tb[NFTA_DYNSET_OP] == NULL ||
174 tb[NFTA_DYNSET_SREG_KEY] == NULL)
175 return -EINVAL;
176
177 if (tb[NFTA_DYNSET_FLAGS]) {
178 u32 flags = ntohl(nla_get_be32(tb[NFTA_DYNSET_FLAGS]));
179 if (flags & ~(NFT_DYNSET_F_INV | NFT_DYNSET_F_EXPR))
180 return -EOPNOTSUPP;
181 if (flags & NFT_DYNSET_F_INV)
182 priv->invert = true;
183 if (flags & NFT_DYNSET_F_EXPR)
184 priv->expr = true;
185 }
186
187 set = nft_set_lookup_global(ctx->net, ctx->table,
188 tb[NFTA_DYNSET_SET_NAME],
189 tb[NFTA_DYNSET_SET_ID], genmask);
190 if (IS_ERR(set))
191 return PTR_ERR(set);
192
193 if (set->ops->update == NULL)
194 return -EOPNOTSUPP;
195
196 if (set->flags & NFT_SET_CONSTANT)
197 return -EBUSY;
198
199 priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
200 switch (priv->op) {
201 case NFT_DYNSET_OP_ADD:
202 case NFT_DYNSET_OP_DELETE:
203 break;
204 case NFT_DYNSET_OP_UPDATE:
205 if (!(set->flags & NFT_SET_TIMEOUT))
206 return -EOPNOTSUPP;
207 break;
208 default:
209 return -EOPNOTSUPP;
210 }
211
212 timeout = 0;
213 if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
214 if (!(set->flags & NFT_SET_TIMEOUT))
215 return -EOPNOTSUPP;
216
217 err = nf_msecs_to_jiffies64(tb[NFTA_DYNSET_TIMEOUT], &timeout);
218 if (err)
219 return err;
220 }
221
222 priv->sreg_key = nft_parse_register(tb[NFTA_DYNSET_SREG_KEY]);
223 err = nft_validate_register_load(priv->sreg_key, set->klen);
224 if (err < 0)
225 return err;
226
227 if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
228 if (!(set->flags & NFT_SET_MAP))
229 return -EOPNOTSUPP;
230 if (set->dtype == NFT_DATA_VERDICT)
231 return -EOPNOTSUPP;
232
233 priv->sreg_data = nft_parse_register(tb[NFTA_DYNSET_SREG_DATA]);
234 err = nft_validate_register_load(priv->sreg_data, set->dlen);
235 if (err < 0)
236 return err;
237 } else if (set->flags & NFT_SET_MAP)
238 return -EINVAL;
239
240 if ((tb[NFTA_DYNSET_EXPR] || tb[NFTA_DYNSET_EXPRESSIONS]) &&
241 !(set->flags & NFT_SET_EVAL))
242 return -EINVAL;
243
244 if (tb[NFTA_DYNSET_EXPR]) {
245 struct nft_expr *dynset_expr;
246
247 dynset_expr = nft_dynset_expr_alloc(ctx, set,
248 tb[NFTA_DYNSET_EXPR], 0);
249 if (IS_ERR(dynset_expr))
250 return PTR_ERR(dynset_expr);
251
252 priv->num_exprs++;
253 priv->expr_array[0] = dynset_expr;
254
255 if (set->num_exprs > 1 ||
256 (set->num_exprs == 1 &&
257 dynset_expr->ops != set->exprs[0]->ops)) {
258 err = -EOPNOTSUPP;
259 goto err_expr_free;
260 }
261 } else if (tb[NFTA_DYNSET_EXPRESSIONS]) {
262 struct nft_expr *dynset_expr;
263 struct nlattr *tmp;
264 int left;
265
266 if (!priv->expr)
267 return -EINVAL;
268
269 i = 0;
270 nla_for_each_nested(tmp, tb[NFTA_DYNSET_EXPRESSIONS], left) {
271 if (i == NFT_SET_EXPR_MAX) {
272 err = -E2BIG;
273 goto err_expr_free;
274 }
275 if (nla_type(tmp) != NFTA_LIST_ELEM) {
276 err = -EINVAL;
277 goto err_expr_free;
278 }
279 dynset_expr = nft_dynset_expr_alloc(ctx, set, tmp, i);
280 if (IS_ERR(dynset_expr)) {
281 err = PTR_ERR(dynset_expr);
282 goto err_expr_free;
283 }
284 priv->expr_array[i] = dynset_expr;
285 priv->num_exprs++;
286
287 if (set->num_exprs &&
288 dynset_expr->ops != set->exprs[i]->ops) {
289 err = -EOPNOTSUPP;
290 goto err_expr_free;
291 }
292 i++;
293 }
294 if (set->num_exprs && set->num_exprs != i) {
295 err = -EOPNOTSUPP;
296 goto err_expr_free;
297 }
298 }
299
300 nft_set_ext_prepare(&priv->tmpl);
301 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_KEY, set->klen);
302 if (set->flags & NFT_SET_MAP)
303 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_DATA, set->dlen);
304
305 if (priv->num_exprs)
306 nft_dynset_ext_add_expr(priv);
307
308 if (set->flags & NFT_SET_TIMEOUT) {
309 if (timeout || set->timeout)
310 nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION);
311 }
312
313 priv->timeout = timeout;
314
315 err = nf_tables_bind_set(ctx, set, &priv->binding);
316 if (err < 0)
317 goto err_expr_free;
318
319 if (set->size == 0)
320 set->size = 0xffff;
321
322 priv->set = set;
323 return 0;
324
325 err_expr_free:
326 for (i = 0; i < priv->num_exprs; i++)
327 nft_expr_destroy(ctx, priv->expr_array[i]);
328 return err;
329 }
330
331 static void nft_dynset_deactivate(const struct nft_ctx *ctx,
332 const struct nft_expr *expr,
333 enum nft_trans_phase phase)
334 {
335 struct nft_dynset *priv = nft_expr_priv(expr);
336
337 nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
338 }
339
340 static void nft_dynset_activate(const struct nft_ctx *ctx,
341 const struct nft_expr *expr)
342 {
343 struct nft_dynset *priv = nft_expr_priv(expr);
344
345 priv->set->use++;
346 }
347
348 static void nft_dynset_destroy(const struct nft_ctx *ctx,
349 const struct nft_expr *expr)
350 {
351 struct nft_dynset *priv = nft_expr_priv(expr);
352 int i;
353
354 for (i = 0; i < priv->num_exprs; i++)
355 nft_expr_destroy(ctx, priv->expr_array[i]);
356
357 nf_tables_destroy_set(ctx, priv->set);
358 }
359
360 static int nft_dynset_dump(struct sk_buff *skb, const struct nft_expr *expr)
361 {
362 const struct nft_dynset *priv = nft_expr_priv(expr);
363 u32 flags = priv->invert ? NFT_DYNSET_F_INV : 0;
364 int i;
365
366 if (nft_dump_register(skb, NFTA_DYNSET_SREG_KEY, priv->sreg_key))
367 goto nla_put_failure;
368 if (priv->set->flags & NFT_SET_MAP &&
369 nft_dump_register(skb, NFTA_DYNSET_SREG_DATA, priv->sreg_data))
370 goto nla_put_failure;
371 if (nla_put_be32(skb, NFTA_DYNSET_OP, htonl(priv->op)))
372 goto nla_put_failure;
373 if (nla_put_string(skb, NFTA_DYNSET_SET_NAME, priv->set->name))
374 goto nla_put_failure;
375 if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT,
376 nf_jiffies64_to_msecs(priv->timeout),
377 NFTA_DYNSET_PAD))
378 goto nla_put_failure;
379 if (priv->num_exprs == 1) {
380 if (nft_expr_dump(skb, NFTA_DYNSET_EXPR, priv->expr_array[0]))
381 goto nla_put_failure;
382 } else if (priv->num_exprs > 1) {
383 struct nlattr *nest;
384
385 nest = nla_nest_start_noflag(skb, NFTA_DYNSET_EXPRESSIONS);
386 if (!nest)
387 goto nla_put_failure;
388
389 for (i = 0; i < priv->num_exprs; i++) {
390 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
391 priv->expr_array[i]))
392 goto nla_put_failure;
393 }
394 nla_nest_end(skb, nest);
395 }
396 if (nla_put_be32(skb, NFTA_DYNSET_FLAGS, htonl(flags)))
397 goto nla_put_failure;
398 return 0;
399
400 nla_put_failure:
401 return -1;
402 }
403
404 static const struct nft_expr_ops nft_dynset_ops = {
405 .type = &nft_dynset_type,
406 .size = NFT_EXPR_SIZE(sizeof(struct nft_dynset)),
407 .eval = nft_dynset_eval,
408 .init = nft_dynset_init,
409 .destroy = nft_dynset_destroy,
410 .activate = nft_dynset_activate,
411 .deactivate = nft_dynset_deactivate,
412 .dump = nft_dynset_dump,
413 };
414
415 struct nft_expr_type nft_dynset_type __read_mostly = {
416 .name = "dynset",
417 .ops = &nft_dynset_ops,
418 .policy = nft_dynset_policy,
419 .maxattr = NFTA_DYNSET_MAX,
420 .owner = THIS_MODULE,
421 };
Linux with added FPC-III support