search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
[linux/fpc-iii.git] / net / netfilter / nft_compat.c
blob6428856ccbecaf1b3668934ba707553b7e9d8f33
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
4 *
5 * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
6 */
7
8 #include <linux/kernel.h>
9 #include <linux/init.h>
10 #include <linux/module.h>
11 #include <linux/netlink.h>
12 #include <linux/netfilter.h>
13 #include <linux/netfilter/nfnetlink.h>
14 #include <linux/netfilter/nf_tables.h>
15 #include <linux/netfilter/nf_tables_compat.h>
16 #include <linux/netfilter/x_tables.h>
17 #include <linux/netfilter_ipv4/ip_tables.h>
18 #include <linux/netfilter_ipv6/ip6_tables.h>
19 #include <linux/netfilter_bridge/ebtables.h>
20 #include <linux/netfilter_arp/arp_tables.h>
21 #include <net/netfilter/nf_tables.h>
22
23 /* Used for matches where *info is larger than X byte */
24 #define NFT_MATCH_LARGE_THRESH 192
25
26 struct nft_xt_match_priv {
27 void *info;
28 };
29
30 static refcount_t nft_compat_pending_destroy = REFCOUNT_INIT(1);
31
32 static int nft_compat_chain_validate_dependency(const struct nft_ctx *ctx,
33 const char *tablename)
34 {
35 enum nft_chain_types type = NFT_CHAIN_T_DEFAULT;
36 const struct nft_chain *chain = ctx->chain;
37 const struct nft_base_chain *basechain;
38
39 if (!tablename ||
40 !nft_is_base_chain(chain))
41 return 0;
42
43 basechain = nft_base_chain(chain);
44 if (strcmp(tablename, "nat") == 0) {
45 if (ctx->family != NFPROTO_BRIDGE)
46 type = NFT_CHAIN_T_NAT;
47 if (basechain->type->type != type)
48 return -EINVAL;
49 }
50
51 return 0;
52 }
53
54 union nft_entry {
55 struct ipt_entry e4;
56 struct ip6t_entry e6;
57 struct ebt_entry ebt;
58 struct arpt_entry arp;
59 };
60
61 static inline void
62 nft_compat_set_par(struct xt_action_param *par, void *xt, const void *xt_info)
63 {
64 par->target = xt;
65 par->targinfo = xt_info;
66 par->hotdrop = false;
67 }
68
69 static void nft_target_eval_xt(const struct nft_expr *expr,
70 struct nft_regs *regs,
71 const struct nft_pktinfo *pkt)
72 {
73 void *info = nft_expr_priv(expr);
74 struct xt_target *target = expr->ops->data;
75 struct sk_buff *skb = pkt->skb;
76 int ret;
77
78 nft_compat_set_par((struct xt_action_param *)&pkt->xt, target, info);
79
80 ret = target->target(skb, &pkt->xt);
81
82 if (pkt->xt.hotdrop)
83 ret = NF_DROP;
84
85 switch (ret) {
86 case XT_CONTINUE:
87 regs->verdict.code = NFT_CONTINUE;
88 break;
89 default:
90 regs->verdict.code = ret;
91 break;
92 }
93 }
94
95 static void nft_target_eval_bridge(const struct nft_expr *expr,
96 struct nft_regs *regs,
97 const struct nft_pktinfo *pkt)
98 {
99 void *info = nft_expr_priv(expr);
100 struct xt_target *target = expr->ops->data;
101 struct sk_buff *skb = pkt->skb;
102 int ret;
103
104 nft_compat_set_par((struct xt_action_param *)&pkt->xt, target, info);
105
106 ret = target->target(skb, &pkt->xt);
107
108 if (pkt->xt.hotdrop)
109 ret = NF_DROP;
110
111 switch (ret) {
112 case EBT_ACCEPT:
113 regs->verdict.code = NF_ACCEPT;
114 break;
115 case EBT_DROP:
116 regs->verdict.code = NF_DROP;
117 break;
118 case EBT_CONTINUE:
119 regs->verdict.code = NFT_CONTINUE;
120 break;
121 case EBT_RETURN:
122 regs->verdict.code = NFT_RETURN;
123 break;
124 default:
125 regs->verdict.code = ret;
126 break;
127 }
128 }
129
130 static const struct nla_policy nft_target_policy[NFTA_TARGET_MAX + 1] = {
131 [NFTA_TARGET_NAME] = { .type = NLA_NUL_STRING },
132 [NFTA_TARGET_REV] = { .type = NLA_U32 },
133 [NFTA_TARGET_INFO] = { .type = NLA_BINARY },
134 };
135
136 static void
137 nft_target_set_tgchk_param(struct xt_tgchk_param *par,
138 const struct nft_ctx *ctx,
139 struct xt_target *target, void *info,
140 union nft_entry *entry, u16 proto, bool inv)
141 {
142 par->net = ctx->net;
143 par->table = ctx->table->name;
144 switch (ctx->family) {
145 case AF_INET:
146 entry->e4.ip.proto = proto;
147 entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
148 break;
149 case AF_INET6:
150 if (proto)
151 entry->e6.ipv6.flags |= IP6T_F_PROTO;
152
153 entry->e6.ipv6.proto = proto;
154 entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
155 break;
156 case NFPROTO_BRIDGE:
157 entry->ebt.ethproto = (__force __be16)proto;
158 entry->ebt.invflags = inv ? EBT_IPROTO : 0;
159 break;
160 case NFPROTO_ARP:
161 break;
162 }
163 par->entryinfo = entry;
164 par->target = target;
165 par->targinfo = info;
166 if (nft_is_base_chain(ctx->chain)) {
167 const struct nft_base_chain *basechain =
168 nft_base_chain(ctx->chain);
169 const struct nf_hook_ops *ops = &basechain->ops;
170
171 par->hook_mask = 1 << ops->hooknum;
172 } else {
173 par->hook_mask = 0;
174 }
175 par->family = ctx->family;
176 par->nft_compat = true;
177 }
178
179 static void target_compat_from_user(struct xt_target *t, void *in, void *out)
180 {
181 int pad;
182
183 memcpy(out, in, t->targetsize);
184 pad = XT_ALIGN(t->targetsize) - t->targetsize;
185 if (pad > 0)
186 memset(out + t->targetsize, 0, pad);
187 }
188
189 static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1] = {
190 [NFTA_RULE_COMPAT_PROTO] = { .type = NLA_U32 },
191 [NFTA_RULE_COMPAT_FLAGS] = { .type = NLA_U32 },
192 };
193
194 static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv)
195 {
196 struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1];
197 u32 flags;
198 int err;
199
200 err = nla_parse_nested_deprecated(tb, NFTA_RULE_COMPAT_MAX, attr,
201 nft_rule_compat_policy, NULL);
202 if (err < 0)
203 return err;
204
205 if (!tb[NFTA_RULE_COMPAT_PROTO] || !tb[NFTA_RULE_COMPAT_FLAGS])
206 return -EINVAL;
207
208 flags = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_FLAGS]));
209 if (flags & ~NFT_RULE_COMPAT_F_MASK)
210 return -EINVAL;
211 if (flags & NFT_RULE_COMPAT_F_INV)
212 *inv = true;
213
214 *proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));
215 return 0;
216 }
217
218 static int
219 nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
220 const struct nlattr * const tb[])
221 {
222 void *info = nft_expr_priv(expr);
223 struct xt_target *target = expr->ops->data;
224 struct xt_tgchk_param par;
225 size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
226 u16 proto = 0;
227 bool inv = false;
228 union nft_entry e = {};
229 int ret;
230
231 target_compat_from_user(target, nla_data(tb[NFTA_TARGET_INFO]), info);
232
233 if (ctx->nla[NFTA_RULE_COMPAT]) {
234 ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
235 if (ret < 0)
236 return ret;
237 }
238
239 nft_target_set_tgchk_param(&par, ctx, target, info, &e, proto, inv);
240
241 /* xtables matches or targets can have side effects, e.g.
242 * creation/destruction of /proc files.
243 * The xt ->destroy functions are run asynchronously from
244 * work queue. If we have pending invocations we thus
245 * need to wait for those to finish.
246 */
247 if (refcount_read(&nft_compat_pending_destroy) > 1)
248 nf_tables_trans_destroy_flush_work();
249
250 ret = xt_check_target(&par, size, proto, inv);
251 if (ret < 0)
252 return ret;
253
254 /* The standard target cannot be used */
255 if (!target->target)
256 return -EINVAL;
257
258 return 0;
259 }
260
261 static void __nft_mt_tg_destroy(struct module *me, const struct nft_expr *expr)
262 {
263 refcount_dec(&nft_compat_pending_destroy);
264 module_put(me);
265 kfree(expr->ops);
266 }
267
268 static void
269 nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
270 {
271 struct xt_target *target = expr->ops->data;
272 void *info = nft_expr_priv(expr);
273 struct module *me = target->me;
274 struct xt_tgdtor_param par;
275
276 par.net = ctx->net;
277 par.target = target;
278 par.targinfo = info;
279 par.family = ctx->family;
280 if (par.target->destroy != NULL)
281 par.target->destroy(&par);
282
283 __nft_mt_tg_destroy(me, expr);
284 }
285
286 static int nft_extension_dump_info(struct sk_buff *skb, int attr,
287 const void *info,
288 unsigned int size, unsigned int user_size)
289 {
290 unsigned int info_size, aligned_size = XT_ALIGN(size);
291 struct nlattr *nla;
292
293 nla = nla_reserve(skb, attr, aligned_size);
294 if (!nla)
295 return -1;
296
297 info_size = user_size ? : size;
298 memcpy(nla_data(nla), info, info_size);
299 memset(nla_data(nla) + info_size, 0, aligned_size - info_size);
300
301 return 0;
302 }
303
304 static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
305 {
306 const struct xt_target *target = expr->ops->data;
307 void *info = nft_expr_priv(expr);
308
309 if (nla_put_string(skb, NFTA_TARGET_NAME, target->name) ||
310 nla_put_be32(skb, NFTA_TARGET_REV, htonl(target->revision)) ||
311 nft_extension_dump_info(skb, NFTA_TARGET_INFO, info,
312 target->targetsize, target->usersize))
313 goto nla_put_failure;
314
315 return 0;
316
317 nla_put_failure:
318 return -1;
319 }
320
321 static int nft_target_validate(const struct nft_ctx *ctx,
322 const struct nft_expr *expr,
323 const struct nft_data **data)
324 {
325 struct xt_target *target = expr->ops->data;
326 unsigned int hook_mask = 0;
327 int ret;
328
329 if (nft_is_base_chain(ctx->chain)) {
330 const struct nft_base_chain *basechain =
331 nft_base_chain(ctx->chain);
332 const struct nf_hook_ops *ops = &basechain->ops;
333
334 hook_mask = 1 << ops->hooknum;
335 if (target->hooks && !(hook_mask & target->hooks))
336 return -EINVAL;
337
338 ret = nft_compat_chain_validate_dependency(ctx, target->table);
339 if (ret < 0)
340 return ret;
341 }
342 return 0;
343 }
344
345 static void __nft_match_eval(const struct nft_expr *expr,
346 struct nft_regs *regs,
347 const struct nft_pktinfo *pkt,
348 void *info)
349 {
350 struct xt_match *match = expr->ops->data;
351 struct sk_buff *skb = pkt->skb;
352 bool ret;
353
354 nft_compat_set_par((struct xt_action_param *)&pkt->xt, match, info);
355
356 ret = match->match(skb, (struct xt_action_param *)&pkt->xt);
357
358 if (pkt->xt.hotdrop) {
359 regs->verdict.code = NF_DROP;
360 return;
361 }
362
363 switch (ret ? 1 : 0) {
364 case 1:
365 regs->verdict.code = NFT_CONTINUE;
366 break;
367 case 0:
368 regs->verdict.code = NFT_BREAK;
369 break;
370 }
371 }
372
373 static void nft_match_large_eval(const struct nft_expr *expr,
374 struct nft_regs *regs,
375 const struct nft_pktinfo *pkt)
376 {
377 struct nft_xt_match_priv *priv = nft_expr_priv(expr);
378
379 __nft_match_eval(expr, regs, pkt, priv->info);
380 }
381
382 static void nft_match_eval(const struct nft_expr *expr,
383 struct nft_regs *regs,
384 const struct nft_pktinfo *pkt)
385 {
386 __nft_match_eval(expr, regs, pkt, nft_expr_priv(expr));
387 }
388
389 static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
390 [NFTA_MATCH_NAME] = { .type = NLA_NUL_STRING },
391 [NFTA_MATCH_REV] = { .type = NLA_U32 },
392 [NFTA_MATCH_INFO] = { .type = NLA_BINARY },
393 };
394
395 /* struct xt_mtchk_param and xt_tgchk_param look very similar */
396 static void
397 nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
398 struct xt_match *match, void *info,
399 union nft_entry *entry, u16 proto, bool inv)
400 {
401 par->net = ctx->net;
402 par->table = ctx->table->name;
403 switch (ctx->family) {
404 case AF_INET:
405 entry->e4.ip.proto = proto;
406 entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
407 break;
408 case AF_INET6:
409 if (proto)
410 entry->e6.ipv6.flags |= IP6T_F_PROTO;
411
412 entry->e6.ipv6.proto = proto;
413 entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
414 break;
415 case NFPROTO_BRIDGE:
416 entry->ebt.ethproto = (__force __be16)proto;
417 entry->ebt.invflags = inv ? EBT_IPROTO : 0;
418 break;
419 case NFPROTO_ARP:
420 break;
421 }
422 par->entryinfo = entry;
423 par->match = match;
424 par->matchinfo = info;
425 if (nft_is_base_chain(ctx->chain)) {
426 const struct nft_base_chain *basechain =
427 nft_base_chain(ctx->chain);
428 const struct nf_hook_ops *ops = &basechain->ops;
429
430 par->hook_mask = 1 << ops->hooknum;
431 } else {
432 par->hook_mask = 0;
433 }
434 par->family = ctx->family;
435 par->nft_compat = true;
436 }
437
438 static void match_compat_from_user(struct xt_match *m, void *in, void *out)
439 {
440 int pad;
441
442 memcpy(out, in, m->matchsize);
443 pad = XT_ALIGN(m->matchsize) - m->matchsize;
444 if (pad > 0)
445 memset(out + m->matchsize, 0, pad);
446 }
447
448 static int
449 __nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
450 const struct nlattr * const tb[],
451 void *info)
452 {
453 struct xt_match *match = expr->ops->data;
454 struct xt_mtchk_param par;
455 size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO]));
456 u16 proto = 0;
457 bool inv = false;
458 union nft_entry e = {};
459 int ret;
460
461 match_compat_from_user(match, nla_data(tb[NFTA_MATCH_INFO]), info);
462
463 if (ctx->nla[NFTA_RULE_COMPAT]) {
464 ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
465 if (ret < 0)
466 return ret;
467 }
468
469 nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);
470
471 return xt_check_match(&par, size, proto, inv);
472 }
473
474 static int
475 nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
476 const struct nlattr * const tb[])
477 {
478 return __nft_match_init(ctx, expr, tb, nft_expr_priv(expr));
479 }
480
481 static int
482 nft_match_large_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
483 const struct nlattr * const tb[])
484 {
485 struct nft_xt_match_priv *priv = nft_expr_priv(expr);
486 struct xt_match *m = expr->ops->data;
487 int ret;
488
489 priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL);
490 if (!priv->info)
491 return -ENOMEM;
492
493 ret = __nft_match_init(ctx, expr, tb, priv->info);
494 if (ret)
495 kfree(priv->info);
496 return ret;
497 }
498
499 static void
500 __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
501 void *info)
502 {
503 struct xt_match *match = expr->ops->data;
504 struct module *me = match->me;
505 struct xt_mtdtor_param par;
506
507 par.net = ctx->net;
508 par.match = match;
509 par.matchinfo = info;
510 par.family = ctx->family;
511 if (par.match->destroy != NULL)
512 par.match->destroy(&par);
513
514 __nft_mt_tg_destroy(me, expr);
515 }
516
517 static void
518 nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
519 {
520 __nft_match_destroy(ctx, expr, nft_expr_priv(expr));
521 }
522
523 static void
524 nft_match_large_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
525 {
526 struct nft_xt_match_priv *priv = nft_expr_priv(expr);
527
528 __nft_match_destroy(ctx, expr, priv->info);
529 kfree(priv->info);
530 }
531
532 static int __nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr,
533 void *info)
534 {
535 struct xt_match *match = expr->ops->data;
536
537 if (nla_put_string(skb, NFTA_MATCH_NAME, match->name) ||
538 nla_put_be32(skb, NFTA_MATCH_REV, htonl(match->revision)) ||
539 nft_extension_dump_info(skb, NFTA_MATCH_INFO, info,
540 match->matchsize, match->usersize))
541 goto nla_put_failure;
542
543 return 0;
544
545 nla_put_failure:
546 return -1;
547 }
548
549 static int nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr)
550 {
551 return __nft_match_dump(skb, expr, nft_expr_priv(expr));
552 }
553
554 static int nft_match_large_dump(struct sk_buff *skb, const struct nft_expr *e)
555 {
556 struct nft_xt_match_priv *priv = nft_expr_priv(e);
557
558 return __nft_match_dump(skb, e, priv->info);
559 }
560
561 static int nft_match_validate(const struct nft_ctx *ctx,
562 const struct nft_expr *expr,
563 const struct nft_data **data)
564 {
565 struct xt_match *match = expr->ops->data;
566 unsigned int hook_mask = 0;
567 int ret;
568
569 if (nft_is_base_chain(ctx->chain)) {
570 const struct nft_base_chain *basechain =
571 nft_base_chain(ctx->chain);
572 const struct nf_hook_ops *ops = &basechain->ops;
573
574 hook_mask = 1 << ops->hooknum;
575 if (match->hooks && !(hook_mask & match->hooks))
576 return -EINVAL;
577
578 ret = nft_compat_chain_validate_dependency(ctx, match->table);
579 if (ret < 0)
580 return ret;
581 }
582 return 0;
583 }
584
585 static int
586 nfnl_compat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
587 int event, u16 family, const char *name,
588 int rev, int target)
589 {
590 struct nlmsghdr *nlh;
591 struct nfgenmsg *nfmsg;
592 unsigned int flags = portid ? NLM_F_MULTI : 0;
593
594 event = nfnl_msg_type(NFNL_SUBSYS_NFT_COMPAT, event);
595 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
596 if (nlh == NULL)
597 goto nlmsg_failure;
598
599 nfmsg = nlmsg_data(nlh);
600 nfmsg->nfgen_family = family;
601 nfmsg->version = NFNETLINK_V0;
602 nfmsg->res_id = 0;
603
604 if (nla_put_string(skb, NFTA_COMPAT_NAME, name) ||
605 nla_put_be32(skb, NFTA_COMPAT_REV, htonl(rev)) ||
606 nla_put_be32(skb, NFTA_COMPAT_TYPE, htonl(target)))
607 goto nla_put_failure;
608
609 nlmsg_end(skb, nlh);
610 return skb->len;
611
612 nlmsg_failure:
613 nla_put_failure:
614 nlmsg_cancel(skb, nlh);
615 return -1;
616 }
617
618 static int nfnl_compat_get_rcu(struct net *net, struct sock *nfnl,
619 struct sk_buff *skb, const struct nlmsghdr *nlh,
620 const struct nlattr * const tb[],
621 struct netlink_ext_ack *extack)
622 {
623 int ret = 0, target;
624 struct nfgenmsg *nfmsg;
625 const char *fmt;
626 const char *name;
627 u32 rev;
628 struct sk_buff *skb2;
629
630 if (tb[NFTA_COMPAT_NAME] == NULL ||
631 tb[NFTA_COMPAT_REV] == NULL ||
632 tb[NFTA_COMPAT_TYPE] == NULL)
633 return -EINVAL;
634
635 name = nla_data(tb[NFTA_COMPAT_NAME]);
636 rev = ntohl(nla_get_be32(tb[NFTA_COMPAT_REV]));
637 target = ntohl(nla_get_be32(tb[NFTA_COMPAT_TYPE]));
638
639 nfmsg = nlmsg_data(nlh);
640
641 switch(nfmsg->nfgen_family) {
642 case AF_INET:
643 fmt = "ipt_%s";
644 break;
645 case AF_INET6:
646 fmt = "ip6t_%s";
647 break;
648 case NFPROTO_BRIDGE:
649 fmt = "ebt_%s";
650 break;
651 case NFPROTO_ARP:
652 fmt = "arpt_%s";
653 break;
654 default:
655 pr_err("nft_compat: unsupported protocol %d\n",
656 nfmsg->nfgen_family);
657 return -EINVAL;
658 }
659
660 if (!try_module_get(THIS_MODULE))
661 return -EINVAL;
662
663 rcu_read_unlock();
664 try_then_request_module(xt_find_revision(nfmsg->nfgen_family, name,
665 rev, target, &ret),
666 fmt, name);
667 if (ret < 0)
668 goto out_put;
669
670 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
671 if (skb2 == NULL) {
672 ret = -ENOMEM;
673 goto out_put;
674 }
675
676 /* include the best revision for this extension in the message */
677 if (nfnl_compat_fill_info(skb2, NETLINK_CB(skb).portid,
678 nlh->nlmsg_seq,
679 NFNL_MSG_TYPE(nlh->nlmsg_type),
680 NFNL_MSG_COMPAT_GET,
681 nfmsg->nfgen_family,
682 name, ret, target) <= 0) {
683 kfree_skb(skb2);
684 goto out_put;
685 }
686
687 ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
688 MSG_DONTWAIT);
689 if (ret > 0)
690 ret = 0;
691 out_put:
692 rcu_read_lock();
693 module_put(THIS_MODULE);
694 return ret == -EAGAIN ? -ENOBUFS : ret;
695 }
696
697 static const struct nla_policy nfnl_compat_policy_get[NFTA_COMPAT_MAX+1] = {
698 [NFTA_COMPAT_NAME] = { .type = NLA_NUL_STRING,
699 .len = NFT_COMPAT_NAME_MAX-1 },
700 [NFTA_COMPAT_REV] = { .type = NLA_U32 },
701 [NFTA_COMPAT_TYPE] = { .type = NLA_U32 },
702 };
703
704 static const struct nfnl_callback nfnl_nft_compat_cb[NFNL_MSG_COMPAT_MAX] = {
705 [NFNL_MSG_COMPAT_GET] = { .call_rcu = nfnl_compat_get_rcu,
706 .attr_count = NFTA_COMPAT_MAX,
707 .policy = nfnl_compat_policy_get },
708 };
709
710 static const struct nfnetlink_subsystem nfnl_compat_subsys = {
711 .name = "nft-compat",
712 .subsys_id = NFNL_SUBSYS_NFT_COMPAT,
713 .cb_count = NFNL_MSG_COMPAT_MAX,
714 .cb = nfnl_nft_compat_cb,
715 };
716
717 static struct nft_expr_type nft_match_type;
718
719 static void nft_mt_tg_deactivate(const struct nft_ctx *ctx,
720 const struct nft_expr *expr,
721 enum nft_trans_phase phase)
722 {
723 if (phase == NFT_TRANS_COMMIT)
724 refcount_inc(&nft_compat_pending_destroy);
725 }
726
727 static const struct nft_expr_ops *
728 nft_match_select_ops(const struct nft_ctx *ctx,
729 const struct nlattr * const tb[])
730 {
731 struct nft_expr_ops *ops;
732 struct xt_match *match;
733 unsigned int matchsize;
734 char *mt_name;
735 u32 rev, family;
736 int err;
737
738 if (tb[NFTA_MATCH_NAME] == NULL ||
739 tb[NFTA_MATCH_REV] == NULL ||
740 tb[NFTA_MATCH_INFO] == NULL)
741 return ERR_PTR(-EINVAL);
742
743 mt_name = nla_data(tb[NFTA_MATCH_NAME]);
744 rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
745 family = ctx->family;
746
747 match = xt_request_find_match(family, mt_name, rev);
748 if (IS_ERR(match))
749 return ERR_PTR(-ENOENT);
750
751 if (match->matchsize > nla_len(tb[NFTA_MATCH_INFO])) {
752 err = -EINVAL;
753 goto err;
754 }
755
756 ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
757 if (!ops) {
758 err = -ENOMEM;
759 goto err;
760 }
761
762 ops->type = &nft_match_type;
763 ops->eval = nft_match_eval;
764 ops->init = nft_match_init;
765 ops->deactivate = nft_mt_tg_deactivate,
766 ops->destroy = nft_match_destroy;
767 ops->dump = nft_match_dump;
768 ops->validate = nft_match_validate;
769 ops->data = match;
770
771 matchsize = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
772 if (matchsize > NFT_MATCH_LARGE_THRESH) {
773 matchsize = NFT_EXPR_SIZE(sizeof(struct nft_xt_match_priv));
774
775 ops->eval = nft_match_large_eval;
776 ops->init = nft_match_large_init;
777 ops->destroy = nft_match_large_destroy;
778 ops->dump = nft_match_large_dump;
779 }
780
781 ops->size = matchsize;
782
783 return ops;
784 err:
785 module_put(match->me);
786 return ERR_PTR(err);
787 }
788
789 static void nft_match_release_ops(const struct nft_expr_ops *ops)
790 {
791 struct xt_match *match = ops->data;
792
793 module_put(match->me);
794 kfree(ops);
795 }
796
797 static struct nft_expr_type nft_match_type __read_mostly = {
798 .name = "match",
799 .select_ops = nft_match_select_ops,
800 .release_ops = nft_match_release_ops,
801 .policy = nft_match_policy,
802 .maxattr = NFTA_MATCH_MAX,
803 .owner = THIS_MODULE,
804 };
805
806 static struct nft_expr_type nft_target_type;
807
808 static const struct nft_expr_ops *
809 nft_target_select_ops(const struct nft_ctx *ctx,
810 const struct nlattr * const tb[])
811 {
812 struct nft_expr_ops *ops;
813 struct xt_target *target;
814 char *tg_name;
815 u32 rev, family;
816 int err;
817
818 if (tb[NFTA_TARGET_NAME] == NULL ||
819 tb[NFTA_TARGET_REV] == NULL ||
820 tb[NFTA_TARGET_INFO] == NULL)
821 return ERR_PTR(-EINVAL);
822
823 tg_name = nla_data(tb[NFTA_TARGET_NAME]);
824 rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
825 family = ctx->family;
826
827 if (strcmp(tg_name, XT_ERROR_TARGET) == 0 ||
828 strcmp(tg_name, XT_STANDARD_TARGET) == 0 ||
829 strcmp(tg_name, "standard") == 0)
830 return ERR_PTR(-EINVAL);
831
832 target = xt_request_find_target(family, tg_name, rev);
833 if (IS_ERR(target))
834 return ERR_PTR(-ENOENT);
835
836 if (!target->target) {
837 err = -EINVAL;
838 goto err;
839 }
840
841 if (target->targetsize > nla_len(tb[NFTA_TARGET_INFO])) {
842 err = -EINVAL;
843 goto err;
844 }
845
846 ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
847 if (!ops) {
848 err = -ENOMEM;
849 goto err;
850 }
851
852 ops->type = &nft_target_type;
853 ops->size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
854 ops->init = nft_target_init;
855 ops->destroy = nft_target_destroy;
856 ops->deactivate = nft_mt_tg_deactivate,
857 ops->dump = nft_target_dump;
858 ops->validate = nft_target_validate;
859 ops->data = target;
860
861 if (family == NFPROTO_BRIDGE)
862 ops->eval = nft_target_eval_bridge;
863 else
864 ops->eval = nft_target_eval_xt;
865
866 return ops;
867 err:
868 module_put(target->me);
869 return ERR_PTR(err);
870 }
871
872 static void nft_target_release_ops(const struct nft_expr_ops *ops)
873 {
874 struct xt_target *target = ops->data;
875
876 module_put(target->me);
877 kfree(ops);
878 }
879
880 static struct nft_expr_type nft_target_type __read_mostly = {
881 .name = "target",
882 .select_ops = nft_target_select_ops,
883 .release_ops = nft_target_release_ops,
884 .policy = nft_target_policy,
885 .maxattr = NFTA_TARGET_MAX,
886 .owner = THIS_MODULE,
887 };
888
889 static int __init nft_compat_module_init(void)
890 {
891 int ret;
892
893 ret = nft_register_expr(&nft_match_type);
894 if (ret < 0)
895 return ret;
896
897 ret = nft_register_expr(&nft_target_type);
898 if (ret < 0)
899 goto err_match;
900
901 ret = nfnetlink_subsys_register(&nfnl_compat_subsys);
902 if (ret < 0) {
903 pr_err("nft_compat: cannot register with nfnetlink.\n");
904 goto err_target;
905 }
906
907 return ret;
908 err_target:
909 nft_unregister_expr(&nft_target_type);
910 err_match:
911 nft_unregister_expr(&nft_match_type);
912 return ret;
913 }
914
915 static void __exit nft_compat_module_exit(void)
916 {
917 nfnetlink_subsys_unregister(&nfnl_compat_subsys);
918 nft_unregister_expr(&nft_target_type);
919 nft_unregister_expr(&nft_match_type);
920
921 WARN_ON_ONCE(refcount_read(&nft_compat_pending_destroy) != 1);
922 }
923
924 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFT_COMPAT);
925
926 module_init(nft_compat_module_init);
927 module_exit(nft_compat_module_exit);
928
929 MODULE_LICENSE("GPL");
930 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
931 MODULE_ALIAS_NFT_EXPR("match");
932 MODULE_ALIAS_NFT_EXPR("target");
933 MODULE_DESCRIPTION("x_tables over nftables support");
Linux with added FPC-III support