xref: /linux/net/netfilter/nf_tables_api.c (revision a460513ed4b6994bfeb7bd86f72853140bc1ac12) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4  *
5  * Development of this code funded by Astaro AG (http://www.astaro.com/)
6  */
7 
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25 
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 
28 static LIST_HEAD(nf_tables_expressions);
29 static LIST_HEAD(nf_tables_objects);
30 static LIST_HEAD(nf_tables_flowtables);
31 static LIST_HEAD(nf_tables_destroy_list);
32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
33 static u64 table_handle;
34 
35 enum {
36 	NFT_VALIDATE_SKIP	= 0,
37 	NFT_VALIDATE_NEED,
38 	NFT_VALIDATE_DO,
39 };
40 
41 static struct rhltable nft_objname_ht;
42 
43 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
44 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46 
47 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50 
51 static const struct rhashtable_params nft_chain_ht_params = {
52 	.head_offset		= offsetof(struct nft_chain, rhlhead),
53 	.key_offset		= offsetof(struct nft_chain, name),
54 	.hashfn			= nft_chain_hash,
55 	.obj_hashfn		= nft_chain_hash_obj,
56 	.obj_cmpfn		= nft_chain_hash_cmp,
57 	.automatic_shrinking	= true,
58 };
59 
60 static const struct rhashtable_params nft_objname_ht_params = {
61 	.head_offset		= offsetof(struct nft_object, rhlhead),
62 	.key_offset		= offsetof(struct nft_object, key),
63 	.hashfn			= nft_objname_hash,
64 	.obj_hashfn		= nft_objname_hash_obj,
65 	.obj_cmpfn		= nft_objname_hash_cmp,
66 	.automatic_shrinking	= true,
67 };
68 
69 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
70 {
71 	switch (net->nft.validate_state) {
72 	case NFT_VALIDATE_SKIP:
73 		WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
74 		break;
75 	case NFT_VALIDATE_NEED:
76 		break;
77 	case NFT_VALIDATE_DO:
78 		if (new_validate_state == NFT_VALIDATE_NEED)
79 			return;
80 	}
81 
82 	net->nft.validate_state = new_validate_state;
83 }
84 static void nf_tables_trans_destroy_work(struct work_struct *w);
85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
86 
87 static void nft_ctx_init(struct nft_ctx *ctx,
88 			 struct net *net,
89 			 const struct sk_buff *skb,
90 			 const struct nlmsghdr *nlh,
91 			 u8 family,
92 			 struct nft_table *table,
93 			 struct nft_chain *chain,
94 			 const struct nlattr * const *nla)
95 {
96 	ctx->net	= net;
97 	ctx->family	= family;
98 	ctx->level	= 0;
99 	ctx->table	= table;
100 	ctx->chain	= chain;
101 	ctx->nla   	= nla;
102 	ctx->portid	= NETLINK_CB(skb).portid;
103 	ctx->report	= nlmsg_report(nlh);
104 	ctx->flags	= nlh->nlmsg_flags;
105 	ctx->seq	= nlh->nlmsg_seq;
106 }
107 
108 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
109 					     int msg_type, u32 size, gfp_t gfp)
110 {
111 	struct nft_trans *trans;
112 
113 	trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
114 	if (trans == NULL)
115 		return NULL;
116 
117 	trans->msg_type = msg_type;
118 	trans->ctx	= *ctx;
119 
120 	return trans;
121 }
122 
123 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
124 					 int msg_type, u32 size)
125 {
126 	return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
127 }
128 
129 static void nft_trans_destroy(struct nft_trans *trans)
130 {
131 	list_del(&trans->list);
132 	kfree(trans);
133 }
134 
135 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
136 {
137 	struct net *net = ctx->net;
138 	struct nft_trans *trans;
139 
140 	if (!nft_set_is_anonymous(set))
141 		return;
142 
143 	list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
144 		switch (trans->msg_type) {
145 		case NFT_MSG_NEWSET:
146 			if (nft_trans_set(trans) == set)
147 				nft_trans_set_bound(trans) = true;
148 			break;
149 		case NFT_MSG_NEWSETELEM:
150 			if (nft_trans_elem_set(trans) == set)
151 				nft_trans_elem_set_bound(trans) = true;
152 			break;
153 		}
154 	}
155 }
156 
157 static int nft_netdev_register_hooks(struct net *net,
158 				     struct list_head *hook_list)
159 {
160 	struct nft_hook *hook;
161 	int err, j;
162 
163 	j = 0;
164 	list_for_each_entry(hook, hook_list, list) {
165 		err = nf_register_net_hook(net, &hook->ops);
166 		if (err < 0)
167 			goto err_register;
168 
169 		j++;
170 	}
171 	return 0;
172 
173 err_register:
174 	list_for_each_entry(hook, hook_list, list) {
175 		if (j-- <= 0)
176 			break;
177 
178 		nf_unregister_net_hook(net, &hook->ops);
179 	}
180 	return err;
181 }
182 
183 static void nft_netdev_unregister_hooks(struct net *net,
184 					struct list_head *hook_list)
185 {
186 	struct nft_hook *hook;
187 
188 	list_for_each_entry(hook, hook_list, list)
189 		nf_unregister_net_hook(net, &hook->ops);
190 }
191 
192 static int nf_tables_register_hook(struct net *net,
193 				   const struct nft_table *table,
194 				   struct nft_chain *chain)
195 {
196 	struct nft_base_chain *basechain;
197 	const struct nf_hook_ops *ops;
198 
199 	if (table->flags & NFT_TABLE_F_DORMANT ||
200 	    !nft_is_base_chain(chain))
201 		return 0;
202 
203 	basechain = nft_base_chain(chain);
204 	ops = &basechain->ops;
205 
206 	if (basechain->type->ops_register)
207 		return basechain->type->ops_register(net, ops);
208 
209 	if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
210 		return nft_netdev_register_hooks(net, &basechain->hook_list);
211 
212 	return nf_register_net_hook(net, &basechain->ops);
213 }
214 
215 static void nf_tables_unregister_hook(struct net *net,
216 				      const struct nft_table *table,
217 				      struct nft_chain *chain)
218 {
219 	struct nft_base_chain *basechain;
220 	const struct nf_hook_ops *ops;
221 
222 	if (table->flags & NFT_TABLE_F_DORMANT ||
223 	    !nft_is_base_chain(chain))
224 		return;
225 	basechain = nft_base_chain(chain);
226 	ops = &basechain->ops;
227 
228 	if (basechain->type->ops_unregister)
229 		return basechain->type->ops_unregister(net, ops);
230 
231 	if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
232 		nft_netdev_unregister_hooks(net, &basechain->hook_list);
233 	else
234 		nf_unregister_net_hook(net, &basechain->ops);
235 }
236 
237 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
238 {
239 	struct nft_trans *trans;
240 
241 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
242 	if (trans == NULL)
243 		return -ENOMEM;
244 
245 	if (msg_type == NFT_MSG_NEWTABLE)
246 		nft_activate_next(ctx->net, ctx->table);
247 
248 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
249 	return 0;
250 }
251 
252 static int nft_deltable(struct nft_ctx *ctx)
253 {
254 	int err;
255 
256 	err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
257 	if (err < 0)
258 		return err;
259 
260 	nft_deactivate_next(ctx->net, ctx->table);
261 	return err;
262 }
263 
264 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
265 {
266 	struct nft_trans *trans;
267 
268 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
269 	if (trans == NULL)
270 		return ERR_PTR(-ENOMEM);
271 
272 	if (msg_type == NFT_MSG_NEWCHAIN) {
273 		nft_activate_next(ctx->net, ctx->chain);
274 
275 		if (ctx->nla[NFTA_CHAIN_ID]) {
276 			nft_trans_chain_id(trans) =
277 				ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
278 		}
279 	}
280 
281 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
282 	return trans;
283 }
284 
285 static int nft_delchain(struct nft_ctx *ctx)
286 {
287 	struct nft_trans *trans;
288 
289 	trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
290 	if (IS_ERR(trans))
291 		return PTR_ERR(trans);
292 
293 	ctx->table->use--;
294 	nft_deactivate_next(ctx->net, ctx->chain);
295 
296 	return 0;
297 }
298 
299 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
300 				   struct nft_rule *rule)
301 {
302 	struct nft_expr *expr;
303 
304 	expr = nft_expr_first(rule);
305 	while (nft_expr_more(rule, expr)) {
306 		if (expr->ops->activate)
307 			expr->ops->activate(ctx, expr);
308 
309 		expr = nft_expr_next(expr);
310 	}
311 }
312 
313 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
314 				     struct nft_rule *rule,
315 				     enum nft_trans_phase phase)
316 {
317 	struct nft_expr *expr;
318 
319 	expr = nft_expr_first(rule);
320 	while (nft_expr_more(rule, expr)) {
321 		if (expr->ops->deactivate)
322 			expr->ops->deactivate(ctx, expr, phase);
323 
324 		expr = nft_expr_next(expr);
325 	}
326 }
327 
328 static int
329 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
330 {
331 	/* You cannot delete the same rule twice */
332 	if (nft_is_active_next(ctx->net, rule)) {
333 		nft_deactivate_next(ctx->net, rule);
334 		ctx->chain->use--;
335 		return 0;
336 	}
337 	return -ENOENT;
338 }
339 
340 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
341 					    struct nft_rule *rule)
342 {
343 	struct nft_trans *trans;
344 
345 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
346 	if (trans == NULL)
347 		return NULL;
348 
349 	if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
350 		nft_trans_rule_id(trans) =
351 			ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
352 	}
353 	nft_trans_rule(trans) = rule;
354 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
355 
356 	return trans;
357 }
358 
359 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
360 {
361 	struct nft_flow_rule *flow;
362 	struct nft_trans *trans;
363 	int err;
364 
365 	trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
366 	if (trans == NULL)
367 		return -ENOMEM;
368 
369 	if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
370 		flow = nft_flow_rule_create(ctx->net, rule);
371 		if (IS_ERR(flow)) {
372 			nft_trans_destroy(trans);
373 			return PTR_ERR(flow);
374 		}
375 
376 		nft_trans_flow_rule(trans) = flow;
377 	}
378 
379 	err = nf_tables_delrule_deactivate(ctx, rule);
380 	if (err < 0) {
381 		nft_trans_destroy(trans);
382 		return err;
383 	}
384 	nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
385 
386 	return 0;
387 }
388 
389 static int nft_delrule_by_chain(struct nft_ctx *ctx)
390 {
391 	struct nft_rule *rule;
392 	int err;
393 
394 	list_for_each_entry(rule, &ctx->chain->rules, list) {
395 		if (!nft_is_active_next(ctx->net, rule))
396 			continue;
397 
398 		err = nft_delrule(ctx, rule);
399 		if (err < 0)
400 			return err;
401 	}
402 	return 0;
403 }
404 
405 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
406 			     struct nft_set *set)
407 {
408 	struct nft_trans *trans;
409 
410 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
411 	if (trans == NULL)
412 		return -ENOMEM;
413 
414 	if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
415 		nft_trans_set_id(trans) =
416 			ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
417 		nft_activate_next(ctx->net, set);
418 	}
419 	nft_trans_set(trans) = set;
420 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
421 
422 	return 0;
423 }
424 
425 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
426 {
427 	int err;
428 
429 	err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
430 	if (err < 0)
431 		return err;
432 
433 	nft_deactivate_next(ctx->net, set);
434 	ctx->table->use--;
435 
436 	return err;
437 }
438 
439 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
440 			     struct nft_object *obj)
441 {
442 	struct nft_trans *trans;
443 
444 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
445 	if (trans == NULL)
446 		return -ENOMEM;
447 
448 	if (msg_type == NFT_MSG_NEWOBJ)
449 		nft_activate_next(ctx->net, obj);
450 
451 	nft_trans_obj(trans) = obj;
452 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
453 
454 	return 0;
455 }
456 
457 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
458 {
459 	int err;
460 
461 	err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
462 	if (err < 0)
463 		return err;
464 
465 	nft_deactivate_next(ctx->net, obj);
466 	ctx->table->use--;
467 
468 	return err;
469 }
470 
471 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
472 				   struct nft_flowtable *flowtable)
473 {
474 	struct nft_trans *trans;
475 
476 	trans = nft_trans_alloc(ctx, msg_type,
477 				sizeof(struct nft_trans_flowtable));
478 	if (trans == NULL)
479 		return -ENOMEM;
480 
481 	if (msg_type == NFT_MSG_NEWFLOWTABLE)
482 		nft_activate_next(ctx->net, flowtable);
483 
484 	nft_trans_flowtable(trans) = flowtable;
485 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
486 
487 	return 0;
488 }
489 
490 static int nft_delflowtable(struct nft_ctx *ctx,
491 			    struct nft_flowtable *flowtable)
492 {
493 	int err;
494 
495 	err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
496 	if (err < 0)
497 		return err;
498 
499 	nft_deactivate_next(ctx->net, flowtable);
500 	ctx->table->use--;
501 
502 	return err;
503 }
504 
505 /*
506  * Tables
507  */
508 
509 static struct nft_table *nft_table_lookup(const struct net *net,
510 					  const struct nlattr *nla,
511 					  u8 family, u8 genmask, u32 nlpid)
512 {
513 	struct nft_table *table;
514 
515 	if (nla == NULL)
516 		return ERR_PTR(-EINVAL);
517 
518 	list_for_each_entry_rcu(table, &net->nft.tables, list,
519 				lockdep_is_held(&net->nft.commit_mutex)) {
520 		if (!nla_strcmp(nla, table->name) &&
521 		    table->family == family &&
522 		    nft_active_genmask(table, genmask)) {
523 			if (nft_table_has_owner(table) &&
524 			    table->nlpid != nlpid)
525 				return ERR_PTR(-EPERM);
526 
527 			return table;
528 		}
529 	}
530 
531 	return ERR_PTR(-ENOENT);
532 }
533 
534 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
535 						   const struct nlattr *nla,
536 						   u8 genmask)
537 {
538 	struct nft_table *table;
539 
540 	list_for_each_entry(table, &net->nft.tables, list) {
541 		if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
542 		    nft_active_genmask(table, genmask))
543 			return table;
544 	}
545 
546 	return ERR_PTR(-ENOENT);
547 }
548 
549 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
550 {
551 	return ++table->hgenerator;
552 }
553 
554 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
555 
556 static const struct nft_chain_type *
557 __nft_chain_type_get(u8 family, enum nft_chain_types type)
558 {
559 	if (family >= NFPROTO_NUMPROTO ||
560 	    type >= NFT_CHAIN_T_MAX)
561 		return NULL;
562 
563 	return chain_type[family][type];
564 }
565 
566 static const struct nft_chain_type *
567 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
568 {
569 	const struct nft_chain_type *type;
570 	int i;
571 
572 	for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
573 		type = __nft_chain_type_get(family, i);
574 		if (!type)
575 			continue;
576 		if (!nla_strcmp(nla, type->name))
577 			return type;
578 	}
579 	return NULL;
580 }
581 
582 struct nft_module_request {
583 	struct list_head	list;
584 	char			module[MODULE_NAME_LEN];
585 	bool			done;
586 };
587 
588 #ifdef CONFIG_MODULES
589 static __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
590 					     ...)
591 {
592 	char module_name[MODULE_NAME_LEN];
593 	struct nft_module_request *req;
594 	va_list args;
595 	int ret;
596 
597 	va_start(args, fmt);
598 	ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
599 	va_end(args);
600 	if (ret >= MODULE_NAME_LEN)
601 		return 0;
602 
603 	list_for_each_entry(req, &net->nft.module_list, list) {
604 		if (!strcmp(req->module, module_name)) {
605 			if (req->done)
606 				return 0;
607 
608 			/* A request to load this module already exists. */
609 			return -EAGAIN;
610 		}
611 	}
612 
613 	req = kmalloc(sizeof(*req), GFP_KERNEL);
614 	if (!req)
615 		return -ENOMEM;
616 
617 	req->done = false;
618 	strlcpy(req->module, module_name, MODULE_NAME_LEN);
619 	list_add_tail(&req->list, &net->nft.module_list);
620 
621 	return -EAGAIN;
622 }
623 #endif
624 
625 static void lockdep_nfnl_nft_mutex_not_held(void)
626 {
627 #ifdef CONFIG_PROVE_LOCKING
628 	if (debug_locks)
629 		WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
630 #endif
631 }
632 
633 static const struct nft_chain_type *
634 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
635 			    u8 family, bool autoload)
636 {
637 	const struct nft_chain_type *type;
638 
639 	type = __nf_tables_chain_type_lookup(nla, family);
640 	if (type != NULL)
641 		return type;
642 
643 	lockdep_nfnl_nft_mutex_not_held();
644 #ifdef CONFIG_MODULES
645 	if (autoload) {
646 		if (nft_request_module(net, "nft-chain-%u-%.*s", family,
647 				       nla_len(nla),
648 				       (const char *)nla_data(nla)) == -EAGAIN)
649 			return ERR_PTR(-EAGAIN);
650 	}
651 #endif
652 	return ERR_PTR(-ENOENT);
653 }
654 
655 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
656 	[NFTA_TABLE_NAME]	= { .type = NLA_STRING,
657 				    .len = NFT_TABLE_MAXNAMELEN - 1 },
658 	[NFTA_TABLE_FLAGS]	= { .type = NLA_U32 },
659 	[NFTA_TABLE_HANDLE]	= { .type = NLA_U64 },
660 	[NFTA_TABLE_USERDATA]	= { .type = NLA_BINARY,
661 				    .len = NFT_USERDATA_MAXLEN }
662 };
663 
664 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
665 				     u32 portid, u32 seq, int event, u32 flags,
666 				     int family, const struct nft_table *table)
667 {
668 	struct nlmsghdr *nlh;
669 	struct nfgenmsg *nfmsg;
670 
671 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
672 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
673 	if (nlh == NULL)
674 		goto nla_put_failure;
675 
676 	nfmsg = nlmsg_data(nlh);
677 	nfmsg->nfgen_family	= family;
678 	nfmsg->version		= NFNETLINK_V0;
679 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
680 
681 	if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
682 	    nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
683 	    nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
684 	    nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
685 			 NFTA_TABLE_PAD))
686 		goto nla_put_failure;
687 	if (nft_table_has_owner(table) &&
688 	    nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
689 		goto nla_put_failure;
690 
691 	if (table->udata) {
692 		if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
693 			goto nla_put_failure;
694 	}
695 
696 	nlmsg_end(skb, nlh);
697 	return 0;
698 
699 nla_put_failure:
700 	nlmsg_trim(skb, nlh);
701 	return -1;
702 }
703 
704 struct nftnl_skb_parms {
705 	bool report;
706 };
707 #define NFT_CB(skb)	(*(struct nftnl_skb_parms*)&((skb)->cb))
708 
709 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
710 			       struct list_head *notify_list)
711 {
712 	NFT_CB(skb).report = report;
713 	list_add_tail(&skb->list, notify_list);
714 }
715 
716 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
717 {
718 	struct sk_buff *skb;
719 	int err;
720 	char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0",
721 			      ctx->table->name, ctx->table->handle);
722 
723 	audit_log_nfcfg(buf,
724 			ctx->family,
725 			ctx->table->use,
726 			event == NFT_MSG_NEWTABLE ?
727 				AUDIT_NFT_OP_TABLE_REGISTER :
728 				AUDIT_NFT_OP_TABLE_UNREGISTER,
729 			GFP_KERNEL);
730 	kfree(buf);
731 
732 	if (!ctx->report &&
733 	    !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
734 		return;
735 
736 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
737 	if (skb == NULL)
738 		goto err;
739 
740 	err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
741 					event, 0, ctx->family, ctx->table);
742 	if (err < 0) {
743 		kfree_skb(skb);
744 		goto err;
745 	}
746 
747 	nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
748 	return;
749 err:
750 	nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
751 }
752 
753 static int nf_tables_dump_tables(struct sk_buff *skb,
754 				 struct netlink_callback *cb)
755 {
756 	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
757 	const struct nft_table *table;
758 	unsigned int idx = 0, s_idx = cb->args[0];
759 	struct net *net = sock_net(skb->sk);
760 	int family = nfmsg->nfgen_family;
761 
762 	rcu_read_lock();
763 	cb->seq = net->nft.base_seq;
764 
765 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
766 		if (family != NFPROTO_UNSPEC && family != table->family)
767 			continue;
768 
769 		if (idx < s_idx)
770 			goto cont;
771 		if (idx > s_idx)
772 			memset(&cb->args[1], 0,
773 			       sizeof(cb->args) - sizeof(cb->args[0]));
774 		if (!nft_is_active(net, table))
775 			continue;
776 		if (nf_tables_fill_table_info(skb, net,
777 					      NETLINK_CB(cb->skb).portid,
778 					      cb->nlh->nlmsg_seq,
779 					      NFT_MSG_NEWTABLE, NLM_F_MULTI,
780 					      table->family, table) < 0)
781 			goto done;
782 
783 		nl_dump_check_consistent(cb, nlmsg_hdr(skb));
784 cont:
785 		idx++;
786 	}
787 done:
788 	rcu_read_unlock();
789 	cb->args[0] = idx;
790 	return skb->len;
791 }
792 
793 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
794 				      const struct nlmsghdr *nlh,
795 				      struct netlink_dump_control *c)
796 {
797 	int err;
798 
799 	if (!try_module_get(THIS_MODULE))
800 		return -EINVAL;
801 
802 	rcu_read_unlock();
803 	err = netlink_dump_start(nlsk, skb, nlh, c);
804 	rcu_read_lock();
805 	module_put(THIS_MODULE);
806 
807 	return err;
808 }
809 
810 /* called with rcu_read_lock held */
811 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
812 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
813 			      const struct nlattr * const nla[],
814 			      struct netlink_ext_ack *extack)
815 {
816 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
817 	u8 genmask = nft_genmask_cur(net);
818 	const struct nft_table *table;
819 	struct sk_buff *skb2;
820 	int family = nfmsg->nfgen_family;
821 	int err;
822 
823 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
824 		struct netlink_dump_control c = {
825 			.dump = nf_tables_dump_tables,
826 			.module = THIS_MODULE,
827 		};
828 
829 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
830 	}
831 
832 	table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
833 	if (IS_ERR(table)) {
834 		NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
835 		return PTR_ERR(table);
836 	}
837 
838 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
839 	if (!skb2)
840 		return -ENOMEM;
841 
842 	err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
843 					nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
844 					family, table);
845 	if (err < 0)
846 		goto err_fill_table_info;
847 
848 	return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
849 
850 err_fill_table_info:
851 	kfree_skb(skb2);
852 	return err;
853 }
854 
855 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
856 {
857 	struct nft_chain *chain;
858 	u32 i = 0;
859 
860 	list_for_each_entry(chain, &table->chains, list) {
861 		if (!nft_is_active_next(net, chain))
862 			continue;
863 		if (!nft_is_base_chain(chain))
864 			continue;
865 
866 		if (cnt && i++ == cnt)
867 			break;
868 
869 		nf_tables_unregister_hook(net, table, chain);
870 	}
871 }
872 
873 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
874 {
875 	struct nft_chain *chain;
876 	int err, i = 0;
877 
878 	list_for_each_entry(chain, &table->chains, list) {
879 		if (!nft_is_active_next(net, chain))
880 			continue;
881 		if (!nft_is_base_chain(chain))
882 			continue;
883 
884 		err = nf_tables_register_hook(net, table, chain);
885 		if (err < 0)
886 			goto err_register_hooks;
887 
888 		i++;
889 	}
890 	return 0;
891 
892 err_register_hooks:
893 	if (i)
894 		nft_table_disable(net, table, i);
895 	return err;
896 }
897 
898 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
899 {
900 	nft_table_disable(net, table, 0);
901 }
902 
903 enum {
904 	NFT_TABLE_STATE_UNCHANGED	= 0,
905 	NFT_TABLE_STATE_DORMANT,
906 	NFT_TABLE_STATE_WAKEUP
907 };
908 
909 static int nf_tables_updtable(struct nft_ctx *ctx)
910 {
911 	struct nft_trans *trans;
912 	u32 flags;
913 	int ret = 0;
914 
915 	if (!ctx->nla[NFTA_TABLE_FLAGS])
916 		return 0;
917 
918 	flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
919 	if (flags & ~NFT_TABLE_F_MASK)
920 		return -EOPNOTSUPP;
921 
922 	if (flags == ctx->table->flags)
923 		return 0;
924 
925 	if ((nft_table_has_owner(ctx->table) &&
926 	     !(flags & NFT_TABLE_F_OWNER)) ||
927 	    (!nft_table_has_owner(ctx->table) &&
928 	     flags & NFT_TABLE_F_OWNER))
929 		return -EOPNOTSUPP;
930 
931 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
932 				sizeof(struct nft_trans_table));
933 	if (trans == NULL)
934 		return -ENOMEM;
935 
936 	if ((flags & NFT_TABLE_F_DORMANT) &&
937 	    !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
938 		nft_trans_table_state(trans) = NFT_TABLE_STATE_DORMANT;
939 	} else if (!(flags & NFT_TABLE_F_DORMANT) &&
940 		   ctx->table->flags & NFT_TABLE_F_DORMANT) {
941 		ret = nf_tables_table_enable(ctx->net, ctx->table);
942 		if (ret >= 0)
943 			nft_trans_table_state(trans) = NFT_TABLE_STATE_WAKEUP;
944 	}
945 	if (ret < 0)
946 		goto err;
947 
948 	nft_trans_table_flags(trans) = flags;
949 	nft_trans_table_update(trans) = true;
950 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
951 	return 0;
952 err:
953 	nft_trans_destroy(trans);
954 	return ret;
955 }
956 
957 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
958 {
959 	const char *name = data;
960 
961 	return jhash(name, strlen(name), seed);
962 }
963 
964 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
965 {
966 	const struct nft_chain *chain = data;
967 
968 	return nft_chain_hash(chain->name, 0, seed);
969 }
970 
971 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
972 			      const void *ptr)
973 {
974 	const struct nft_chain *chain = ptr;
975 	const char *name = arg->key;
976 
977 	return strcmp(chain->name, name);
978 }
979 
980 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
981 {
982 	const struct nft_object_hash_key *k = data;
983 
984 	seed ^= hash_ptr(k->table, 32);
985 
986 	return jhash(k->name, strlen(k->name), seed);
987 }
988 
989 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
990 {
991 	const struct nft_object *obj = data;
992 
993 	return nft_objname_hash(&obj->key, 0, seed);
994 }
995 
996 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
997 				const void *ptr)
998 {
999 	const struct nft_object_hash_key *k = arg->key;
1000 	const struct nft_object *obj = ptr;
1001 
1002 	if (obj->key.table != k->table)
1003 		return -1;
1004 
1005 	return strcmp(obj->key.name, k->name);
1006 }
1007 
1008 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
1009 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
1010 			      const struct nlattr * const nla[],
1011 			      struct netlink_ext_ack *extack)
1012 {
1013 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1014 	u8 genmask = nft_genmask_next(net);
1015 	int family = nfmsg->nfgen_family;
1016 	const struct nlattr *attr;
1017 	struct nft_table *table;
1018 	struct nft_ctx ctx;
1019 	u32 flags = 0;
1020 	int err;
1021 
1022 	lockdep_assert_held(&net->nft.commit_mutex);
1023 	attr = nla[NFTA_TABLE_NAME];
1024 	table = nft_table_lookup(net, attr, family, genmask,
1025 				 NETLINK_CB(skb).portid);
1026 	if (IS_ERR(table)) {
1027 		if (PTR_ERR(table) != -ENOENT)
1028 			return PTR_ERR(table);
1029 	} else {
1030 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
1031 			NL_SET_BAD_ATTR(extack, attr);
1032 			return -EEXIST;
1033 		}
1034 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
1035 			return -EOPNOTSUPP;
1036 
1037 		nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1038 		return nf_tables_updtable(&ctx);
1039 	}
1040 
1041 	if (nla[NFTA_TABLE_FLAGS]) {
1042 		flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1043 		if (flags & ~NFT_TABLE_F_MASK)
1044 			return -EOPNOTSUPP;
1045 	}
1046 
1047 	err = -ENOMEM;
1048 	table = kzalloc(sizeof(*table), GFP_KERNEL);
1049 	if (table == NULL)
1050 		goto err_kzalloc;
1051 
1052 	table->name = nla_strdup(attr, GFP_KERNEL);
1053 	if (table->name == NULL)
1054 		goto err_strdup;
1055 
1056 	if (nla[NFTA_TABLE_USERDATA]) {
1057 		table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
1058 		if (table->udata == NULL)
1059 			goto err_table_udata;
1060 
1061 		table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1062 	}
1063 
1064 	err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1065 	if (err)
1066 		goto err_chain_ht;
1067 
1068 	INIT_LIST_HEAD(&table->chains);
1069 	INIT_LIST_HEAD(&table->sets);
1070 	INIT_LIST_HEAD(&table->objects);
1071 	INIT_LIST_HEAD(&table->flowtables);
1072 	table->family = family;
1073 	table->flags = flags;
1074 	table->handle = ++table_handle;
1075 	if (table->flags & NFT_TABLE_F_OWNER)
1076 		table->nlpid = NETLINK_CB(skb).portid;
1077 
1078 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1079 	err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1080 	if (err < 0)
1081 		goto err_trans;
1082 
1083 	list_add_tail_rcu(&table->list, &net->nft.tables);
1084 	return 0;
1085 err_trans:
1086 	rhltable_destroy(&table->chains_ht);
1087 err_chain_ht:
1088 	kfree(table->udata);
1089 err_table_udata:
1090 	kfree(table->name);
1091 err_strdup:
1092 	kfree(table);
1093 err_kzalloc:
1094 	return err;
1095 }
1096 
1097 static int nft_flush_table(struct nft_ctx *ctx)
1098 {
1099 	struct nft_flowtable *flowtable, *nft;
1100 	struct nft_chain *chain, *nc;
1101 	struct nft_object *obj, *ne;
1102 	struct nft_set *set, *ns;
1103 	int err;
1104 
1105 	list_for_each_entry(chain, &ctx->table->chains, list) {
1106 		if (!nft_is_active_next(ctx->net, chain))
1107 			continue;
1108 
1109 		if (nft_chain_is_bound(chain))
1110 			continue;
1111 
1112 		ctx->chain = chain;
1113 
1114 		err = nft_delrule_by_chain(ctx);
1115 		if (err < 0)
1116 			goto out;
1117 	}
1118 
1119 	list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1120 		if (!nft_is_active_next(ctx->net, set))
1121 			continue;
1122 
1123 		if (nft_set_is_anonymous(set) &&
1124 		    !list_empty(&set->bindings))
1125 			continue;
1126 
1127 		err = nft_delset(ctx, set);
1128 		if (err < 0)
1129 			goto out;
1130 	}
1131 
1132 	list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1133 		if (!nft_is_active_next(ctx->net, flowtable))
1134 			continue;
1135 
1136 		err = nft_delflowtable(ctx, flowtable);
1137 		if (err < 0)
1138 			goto out;
1139 	}
1140 
1141 	list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1142 		if (!nft_is_active_next(ctx->net, obj))
1143 			continue;
1144 
1145 		err = nft_delobj(ctx, obj);
1146 		if (err < 0)
1147 			goto out;
1148 	}
1149 
1150 	list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1151 		if (!nft_is_active_next(ctx->net, chain))
1152 			continue;
1153 
1154 		if (nft_chain_is_bound(chain))
1155 			continue;
1156 
1157 		ctx->chain = chain;
1158 
1159 		err = nft_delchain(ctx);
1160 		if (err < 0)
1161 			goto out;
1162 	}
1163 
1164 	err = nft_deltable(ctx);
1165 out:
1166 	return err;
1167 }
1168 
1169 static int nft_flush(struct nft_ctx *ctx, int family)
1170 {
1171 	struct nft_table *table, *nt;
1172 	const struct nlattr * const *nla = ctx->nla;
1173 	int err = 0;
1174 
1175 	list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1176 		if (family != AF_UNSPEC && table->family != family)
1177 			continue;
1178 
1179 		ctx->family = table->family;
1180 
1181 		if (!nft_is_active_next(ctx->net, table))
1182 			continue;
1183 
1184 		if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1185 			continue;
1186 
1187 		if (nla[NFTA_TABLE_NAME] &&
1188 		    nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1189 			continue;
1190 
1191 		ctx->table = table;
1192 
1193 		err = nft_flush_table(ctx);
1194 		if (err < 0)
1195 			goto out;
1196 	}
1197 out:
1198 	return err;
1199 }
1200 
1201 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1202 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
1203 			      const struct nlattr * const nla[],
1204 			      struct netlink_ext_ack *extack)
1205 {
1206 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1207 	u8 genmask = nft_genmask_next(net);
1208 	int family = nfmsg->nfgen_family;
1209 	const struct nlattr *attr;
1210 	struct nft_table *table;
1211 	struct nft_ctx ctx;
1212 
1213 	nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1214 	if (family == AF_UNSPEC ||
1215 	    (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1216 		return nft_flush(&ctx, family);
1217 
1218 	if (nla[NFTA_TABLE_HANDLE]) {
1219 		attr = nla[NFTA_TABLE_HANDLE];
1220 		table = nft_table_lookup_byhandle(net, attr, genmask);
1221 	} else {
1222 		attr = nla[NFTA_TABLE_NAME];
1223 		table = nft_table_lookup(net, attr, family, genmask,
1224 					 NETLINK_CB(skb).portid);
1225 	}
1226 
1227 	if (IS_ERR(table)) {
1228 		NL_SET_BAD_ATTR(extack, attr);
1229 		return PTR_ERR(table);
1230 	}
1231 
1232 	if (nlh->nlmsg_flags & NLM_F_NONREC &&
1233 	    table->use > 0)
1234 		return -EBUSY;
1235 
1236 	ctx.family = family;
1237 	ctx.table = table;
1238 
1239 	return nft_flush_table(&ctx);
1240 }
1241 
1242 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1243 {
1244 	if (WARN_ON(ctx->table->use > 0))
1245 		return;
1246 
1247 	rhltable_destroy(&ctx->table->chains_ht);
1248 	kfree(ctx->table->name);
1249 	kfree(ctx->table->udata);
1250 	kfree(ctx->table);
1251 }
1252 
1253 void nft_register_chain_type(const struct nft_chain_type *ctype)
1254 {
1255 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
1256 	if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1257 		nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1258 		return;
1259 	}
1260 	chain_type[ctype->family][ctype->type] = ctype;
1261 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1262 }
1263 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1264 
1265 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1266 {
1267 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
1268 	chain_type[ctype->family][ctype->type] = NULL;
1269 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1270 }
1271 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1272 
1273 /*
1274  * Chains
1275  */
1276 
1277 static struct nft_chain *
1278 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1279 {
1280 	struct nft_chain *chain;
1281 
1282 	list_for_each_entry(chain, &table->chains, list) {
1283 		if (chain->handle == handle &&
1284 		    nft_active_genmask(chain, genmask))
1285 			return chain;
1286 	}
1287 
1288 	return ERR_PTR(-ENOENT);
1289 }
1290 
1291 static bool lockdep_commit_lock_is_held(const struct net *net)
1292 {
1293 #ifdef CONFIG_PROVE_LOCKING
1294 	return lockdep_is_held(&net->nft.commit_mutex);
1295 #else
1296 	return true;
1297 #endif
1298 }
1299 
1300 static struct nft_chain *nft_chain_lookup(struct net *net,
1301 					  struct nft_table *table,
1302 					  const struct nlattr *nla, u8 genmask)
1303 {
1304 	char search[NFT_CHAIN_MAXNAMELEN + 1];
1305 	struct rhlist_head *tmp, *list;
1306 	struct nft_chain *chain;
1307 
1308 	if (nla == NULL)
1309 		return ERR_PTR(-EINVAL);
1310 
1311 	nla_strscpy(search, nla, sizeof(search));
1312 
1313 	WARN_ON(!rcu_read_lock_held() &&
1314 		!lockdep_commit_lock_is_held(net));
1315 
1316 	chain = ERR_PTR(-ENOENT);
1317 	rcu_read_lock();
1318 	list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1319 	if (!list)
1320 		goto out_unlock;
1321 
1322 	rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1323 		if (nft_active_genmask(chain, genmask))
1324 			goto out_unlock;
1325 	}
1326 	chain = ERR_PTR(-ENOENT);
1327 out_unlock:
1328 	rcu_read_unlock();
1329 	return chain;
1330 }
1331 
1332 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1333 	[NFTA_CHAIN_TABLE]	= { .type = NLA_STRING,
1334 				    .len = NFT_TABLE_MAXNAMELEN - 1 },
1335 	[NFTA_CHAIN_HANDLE]	= { .type = NLA_U64 },
1336 	[NFTA_CHAIN_NAME]	= { .type = NLA_STRING,
1337 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
1338 	[NFTA_CHAIN_HOOK]	= { .type = NLA_NESTED },
1339 	[NFTA_CHAIN_POLICY]	= { .type = NLA_U32 },
1340 	[NFTA_CHAIN_TYPE]	= { .type = NLA_STRING,
1341 				    .len = NFT_MODULE_AUTOLOAD_LIMIT },
1342 	[NFTA_CHAIN_COUNTERS]	= { .type = NLA_NESTED },
1343 	[NFTA_CHAIN_FLAGS]	= { .type = NLA_U32 },
1344 	[NFTA_CHAIN_ID]		= { .type = NLA_U32 },
1345 	[NFTA_CHAIN_USERDATA]	= { .type = NLA_BINARY,
1346 				    .len = NFT_USERDATA_MAXLEN },
1347 };
1348 
1349 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1350 	[NFTA_HOOK_HOOKNUM]	= { .type = NLA_U32 },
1351 	[NFTA_HOOK_PRIORITY]	= { .type = NLA_U32 },
1352 	[NFTA_HOOK_DEV]		= { .type = NLA_STRING,
1353 				    .len = IFNAMSIZ - 1 },
1354 };
1355 
1356 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1357 {
1358 	struct nft_stats *cpu_stats, total;
1359 	struct nlattr *nest;
1360 	unsigned int seq;
1361 	u64 pkts, bytes;
1362 	int cpu;
1363 
1364 	if (!stats)
1365 		return 0;
1366 
1367 	memset(&total, 0, sizeof(total));
1368 	for_each_possible_cpu(cpu) {
1369 		cpu_stats = per_cpu_ptr(stats, cpu);
1370 		do {
1371 			seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1372 			pkts = cpu_stats->pkts;
1373 			bytes = cpu_stats->bytes;
1374 		} while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1375 		total.pkts += pkts;
1376 		total.bytes += bytes;
1377 	}
1378 	nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1379 	if (nest == NULL)
1380 		goto nla_put_failure;
1381 
1382 	if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1383 			 NFTA_COUNTER_PAD) ||
1384 	    nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1385 			 NFTA_COUNTER_PAD))
1386 		goto nla_put_failure;
1387 
1388 	nla_nest_end(skb, nest);
1389 	return 0;
1390 
1391 nla_put_failure:
1392 	return -ENOSPC;
1393 }
1394 
1395 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1396 				   const struct nft_base_chain *basechain)
1397 {
1398 	const struct nf_hook_ops *ops = &basechain->ops;
1399 	struct nft_hook *hook, *first = NULL;
1400 	struct nlattr *nest, *nest_devs;
1401 	int n = 0;
1402 
1403 	nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1404 	if (nest == NULL)
1405 		goto nla_put_failure;
1406 	if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1407 		goto nla_put_failure;
1408 	if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1409 		goto nla_put_failure;
1410 
1411 	if (nft_base_chain_netdev(family, ops->hooknum)) {
1412 		nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1413 		list_for_each_entry(hook, &basechain->hook_list, list) {
1414 			if (!first)
1415 				first = hook;
1416 
1417 			if (nla_put_string(skb, NFTA_DEVICE_NAME,
1418 					   hook->ops.dev->name))
1419 				goto nla_put_failure;
1420 			n++;
1421 		}
1422 		nla_nest_end(skb, nest_devs);
1423 
1424 		if (n == 1 &&
1425 		    nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1426 			goto nla_put_failure;
1427 	}
1428 	nla_nest_end(skb, nest);
1429 
1430 	return 0;
1431 nla_put_failure:
1432 	return -1;
1433 }
1434 
1435 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1436 				     u32 portid, u32 seq, int event, u32 flags,
1437 				     int family, const struct nft_table *table,
1438 				     const struct nft_chain *chain)
1439 {
1440 	struct nlmsghdr *nlh;
1441 	struct nfgenmsg *nfmsg;
1442 
1443 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1444 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1445 	if (nlh == NULL)
1446 		goto nla_put_failure;
1447 
1448 	nfmsg = nlmsg_data(nlh);
1449 	nfmsg->nfgen_family	= family;
1450 	nfmsg->version		= NFNETLINK_V0;
1451 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
1452 
1453 	if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1454 		goto nla_put_failure;
1455 	if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1456 			 NFTA_CHAIN_PAD))
1457 		goto nla_put_failure;
1458 	if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1459 		goto nla_put_failure;
1460 
1461 	if (nft_is_base_chain(chain)) {
1462 		const struct nft_base_chain *basechain = nft_base_chain(chain);
1463 		struct nft_stats __percpu *stats;
1464 
1465 		if (nft_dump_basechain_hook(skb, family, basechain))
1466 			goto nla_put_failure;
1467 
1468 		if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1469 				 htonl(basechain->policy)))
1470 			goto nla_put_failure;
1471 
1472 		if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1473 			goto nla_put_failure;
1474 
1475 		stats = rcu_dereference_check(basechain->stats,
1476 					      lockdep_commit_lock_is_held(net));
1477 		if (nft_dump_stats(skb, stats))
1478 			goto nla_put_failure;
1479 	}
1480 
1481 	if (chain->flags &&
1482 	    nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1483 		goto nla_put_failure;
1484 
1485 	if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1486 		goto nla_put_failure;
1487 
1488 	if (chain->udata &&
1489 	    nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1490 		goto nla_put_failure;
1491 
1492 	nlmsg_end(skb, nlh);
1493 	return 0;
1494 
1495 nla_put_failure:
1496 	nlmsg_trim(skb, nlh);
1497 	return -1;
1498 }
1499 
1500 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1501 {
1502 	struct sk_buff *skb;
1503 	int err;
1504 	char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
1505 			      ctx->table->name, ctx->table->handle,
1506 			      ctx->chain->name, ctx->chain->handle);
1507 
1508 	audit_log_nfcfg(buf,
1509 			ctx->family,
1510 			ctx->chain->use,
1511 			event == NFT_MSG_NEWCHAIN ?
1512 				AUDIT_NFT_OP_CHAIN_REGISTER :
1513 				AUDIT_NFT_OP_CHAIN_UNREGISTER,
1514 			GFP_KERNEL);
1515 	kfree(buf);
1516 
1517 	if (!ctx->report &&
1518 	    !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1519 		return;
1520 
1521 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1522 	if (skb == NULL)
1523 		goto err;
1524 
1525 	err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1526 					event, 0, ctx->family, ctx->table,
1527 					ctx->chain);
1528 	if (err < 0) {
1529 		kfree_skb(skb);
1530 		goto err;
1531 	}
1532 
1533 	nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
1534 	return;
1535 err:
1536 	nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1537 }
1538 
1539 static int nf_tables_dump_chains(struct sk_buff *skb,
1540 				 struct netlink_callback *cb)
1541 {
1542 	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1543 	const struct nft_table *table;
1544 	const struct nft_chain *chain;
1545 	unsigned int idx = 0, s_idx = cb->args[0];
1546 	struct net *net = sock_net(skb->sk);
1547 	int family = nfmsg->nfgen_family;
1548 
1549 	rcu_read_lock();
1550 	cb->seq = net->nft.base_seq;
1551 
1552 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
1553 		if (family != NFPROTO_UNSPEC && family != table->family)
1554 			continue;
1555 
1556 		list_for_each_entry_rcu(chain, &table->chains, list) {
1557 			if (idx < s_idx)
1558 				goto cont;
1559 			if (idx > s_idx)
1560 				memset(&cb->args[1], 0,
1561 				       sizeof(cb->args) - sizeof(cb->args[0]));
1562 			if (!nft_is_active(net, chain))
1563 				continue;
1564 			if (nf_tables_fill_chain_info(skb, net,
1565 						      NETLINK_CB(cb->skb).portid,
1566 						      cb->nlh->nlmsg_seq,
1567 						      NFT_MSG_NEWCHAIN,
1568 						      NLM_F_MULTI,
1569 						      table->family, table,
1570 						      chain) < 0)
1571 				goto done;
1572 
1573 			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1574 cont:
1575 			idx++;
1576 		}
1577 	}
1578 done:
1579 	rcu_read_unlock();
1580 	cb->args[0] = idx;
1581 	return skb->len;
1582 }
1583 
1584 /* called with rcu_read_lock held */
1585 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1586 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
1587 			      const struct nlattr * const nla[],
1588 			      struct netlink_ext_ack *extack)
1589 {
1590 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1591 	u8 genmask = nft_genmask_cur(net);
1592 	const struct nft_chain *chain;
1593 	struct nft_table *table;
1594 	struct sk_buff *skb2;
1595 	int family = nfmsg->nfgen_family;
1596 	int err;
1597 
1598 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
1599 		struct netlink_dump_control c = {
1600 			.dump = nf_tables_dump_chains,
1601 			.module = THIS_MODULE,
1602 		};
1603 
1604 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1605 	}
1606 
1607 	table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1608 	if (IS_ERR(table)) {
1609 		NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1610 		return PTR_ERR(table);
1611 	}
1612 
1613 	chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1614 	if (IS_ERR(chain)) {
1615 		NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1616 		return PTR_ERR(chain);
1617 	}
1618 
1619 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1620 	if (!skb2)
1621 		return -ENOMEM;
1622 
1623 	err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1624 					nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1625 					family, table, chain);
1626 	if (err < 0)
1627 		goto err_fill_chain_info;
1628 
1629 	return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1630 
1631 err_fill_chain_info:
1632 	kfree_skb(skb2);
1633 	return err;
1634 }
1635 
1636 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1637 	[NFTA_COUNTER_PACKETS]	= { .type = NLA_U64 },
1638 	[NFTA_COUNTER_BYTES]	= { .type = NLA_U64 },
1639 };
1640 
1641 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1642 {
1643 	struct nlattr *tb[NFTA_COUNTER_MAX+1];
1644 	struct nft_stats __percpu *newstats;
1645 	struct nft_stats *stats;
1646 	int err;
1647 
1648 	err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1649 					  nft_counter_policy, NULL);
1650 	if (err < 0)
1651 		return ERR_PTR(err);
1652 
1653 	if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1654 		return ERR_PTR(-EINVAL);
1655 
1656 	newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1657 	if (newstats == NULL)
1658 		return ERR_PTR(-ENOMEM);
1659 
1660 	/* Restore old counters on this cpu, no problem. Per-cpu statistics
1661 	 * are not exposed to userspace.
1662 	 */
1663 	preempt_disable();
1664 	stats = this_cpu_ptr(newstats);
1665 	stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1666 	stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1667 	preempt_enable();
1668 
1669 	return newstats;
1670 }
1671 
1672 static void nft_chain_stats_replace(struct nft_trans *trans)
1673 {
1674 	struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1675 
1676 	if (!nft_trans_chain_stats(trans))
1677 		return;
1678 
1679 	nft_trans_chain_stats(trans) =
1680 		rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1681 				    lockdep_commit_lock_is_held(trans->ctx.net));
1682 
1683 	if (!nft_trans_chain_stats(trans))
1684 		static_branch_inc(&nft_counters_enabled);
1685 }
1686 
1687 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1688 {
1689 	struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1690 	struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1691 
1692 	if (g0 != g1)
1693 		kvfree(g1);
1694 	kvfree(g0);
1695 
1696 	/* should be NULL either via abort or via successful commit */
1697 	WARN_ON_ONCE(chain->rules_next);
1698 	kvfree(chain->rules_next);
1699 }
1700 
1701 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1702 {
1703 	struct nft_chain *chain = ctx->chain;
1704 	struct nft_hook *hook, *next;
1705 
1706 	if (WARN_ON(chain->use > 0))
1707 		return;
1708 
1709 	/* no concurrent access possible anymore */
1710 	nf_tables_chain_free_chain_rules(chain);
1711 
1712 	if (nft_is_base_chain(chain)) {
1713 		struct nft_base_chain *basechain = nft_base_chain(chain);
1714 
1715 		if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1716 			list_for_each_entry_safe(hook, next,
1717 						 &basechain->hook_list, list) {
1718 				list_del_rcu(&hook->list);
1719 				kfree_rcu(hook, rcu);
1720 			}
1721 		}
1722 		module_put(basechain->type->owner);
1723 		if (rcu_access_pointer(basechain->stats)) {
1724 			static_branch_dec(&nft_counters_enabled);
1725 			free_percpu(rcu_dereference_raw(basechain->stats));
1726 		}
1727 		kfree(chain->name);
1728 		kfree(chain->udata);
1729 		kfree(basechain);
1730 	} else {
1731 		kfree(chain->name);
1732 		kfree(chain->udata);
1733 		kfree(chain);
1734 	}
1735 }
1736 
1737 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1738 					      const struct nlattr *attr)
1739 {
1740 	struct net_device *dev;
1741 	char ifname[IFNAMSIZ];
1742 	struct nft_hook *hook;
1743 	int err;
1744 
1745 	hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1746 	if (!hook) {
1747 		err = -ENOMEM;
1748 		goto err_hook_alloc;
1749 	}
1750 
1751 	nla_strscpy(ifname, attr, IFNAMSIZ);
1752 	/* nf_tables_netdev_event() is called under rtnl_mutex, this is
1753 	 * indirectly serializing all the other holders of the commit_mutex with
1754 	 * the rtnl_mutex.
1755 	 */
1756 	dev = __dev_get_by_name(net, ifname);
1757 	if (!dev) {
1758 		err = -ENOENT;
1759 		goto err_hook_dev;
1760 	}
1761 	hook->ops.dev = dev;
1762 	hook->inactive = false;
1763 
1764 	return hook;
1765 
1766 err_hook_dev:
1767 	kfree(hook);
1768 err_hook_alloc:
1769 	return ERR_PTR(err);
1770 }
1771 
1772 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1773 					   const struct nft_hook *this)
1774 {
1775 	struct nft_hook *hook;
1776 
1777 	list_for_each_entry(hook, hook_list, list) {
1778 		if (this->ops.dev == hook->ops.dev)
1779 			return hook;
1780 	}
1781 
1782 	return NULL;
1783 }
1784 
1785 static int nf_tables_parse_netdev_hooks(struct net *net,
1786 					const struct nlattr *attr,
1787 					struct list_head *hook_list)
1788 {
1789 	struct nft_hook *hook, *next;
1790 	const struct nlattr *tmp;
1791 	int rem, n = 0, err;
1792 
1793 	nla_for_each_nested(tmp, attr, rem) {
1794 		if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1795 			err = -EINVAL;
1796 			goto err_hook;
1797 		}
1798 
1799 		hook = nft_netdev_hook_alloc(net, tmp);
1800 		if (IS_ERR(hook)) {
1801 			err = PTR_ERR(hook);
1802 			goto err_hook;
1803 		}
1804 		if (nft_hook_list_find(hook_list, hook)) {
1805 			kfree(hook);
1806 			err = -EEXIST;
1807 			goto err_hook;
1808 		}
1809 		list_add_tail(&hook->list, hook_list);
1810 		n++;
1811 
1812 		if (n == NFT_NETDEVICE_MAX) {
1813 			err = -EFBIG;
1814 			goto err_hook;
1815 		}
1816 	}
1817 
1818 	return 0;
1819 
1820 err_hook:
1821 	list_for_each_entry_safe(hook, next, hook_list, list) {
1822 		list_del(&hook->list);
1823 		kfree(hook);
1824 	}
1825 	return err;
1826 }
1827 
1828 struct nft_chain_hook {
1829 	u32				num;
1830 	s32				priority;
1831 	const struct nft_chain_type	*type;
1832 	struct list_head		list;
1833 };
1834 
1835 static int nft_chain_parse_netdev(struct net *net,
1836 				  struct nlattr *tb[],
1837 				  struct list_head *hook_list)
1838 {
1839 	struct nft_hook *hook;
1840 	int err;
1841 
1842 	if (tb[NFTA_HOOK_DEV]) {
1843 		hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1844 		if (IS_ERR(hook))
1845 			return PTR_ERR(hook);
1846 
1847 		list_add_tail(&hook->list, hook_list);
1848 	} else if (tb[NFTA_HOOK_DEVS]) {
1849 		err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1850 						   hook_list);
1851 		if (err < 0)
1852 			return err;
1853 
1854 		if (list_empty(hook_list))
1855 			return -EINVAL;
1856 	} else {
1857 		return -EINVAL;
1858 	}
1859 
1860 	return 0;
1861 }
1862 
1863 static int nft_chain_parse_hook(struct net *net,
1864 				const struct nlattr * const nla[],
1865 				struct nft_chain_hook *hook, u8 family,
1866 				bool autoload)
1867 {
1868 	struct nlattr *ha[NFTA_HOOK_MAX + 1];
1869 	const struct nft_chain_type *type;
1870 	int err;
1871 
1872 	lockdep_assert_held(&net->nft.commit_mutex);
1873 	lockdep_nfnl_nft_mutex_not_held();
1874 
1875 	err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1876 					  nla[NFTA_CHAIN_HOOK],
1877 					  nft_hook_policy, NULL);
1878 	if (err < 0)
1879 		return err;
1880 
1881 	if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1882 	    ha[NFTA_HOOK_PRIORITY] == NULL)
1883 		return -EINVAL;
1884 
1885 	hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1886 	hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1887 
1888 	type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1889 	if (!type)
1890 		return -EOPNOTSUPP;
1891 
1892 	if (nla[NFTA_CHAIN_TYPE]) {
1893 		type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1894 						   family, autoload);
1895 		if (IS_ERR(type))
1896 			return PTR_ERR(type);
1897 	}
1898 	if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1899 		return -EOPNOTSUPP;
1900 
1901 	if (type->type == NFT_CHAIN_T_NAT &&
1902 	    hook->priority <= NF_IP_PRI_CONNTRACK)
1903 		return -EOPNOTSUPP;
1904 
1905 	if (!try_module_get(type->owner))
1906 		return -ENOENT;
1907 
1908 	hook->type = type;
1909 
1910 	INIT_LIST_HEAD(&hook->list);
1911 	if (nft_base_chain_netdev(family, hook->num)) {
1912 		err = nft_chain_parse_netdev(net, ha, &hook->list);
1913 		if (err < 0) {
1914 			module_put(type->owner);
1915 			return err;
1916 		}
1917 	} else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1918 		module_put(type->owner);
1919 		return -EOPNOTSUPP;
1920 	}
1921 
1922 	return 0;
1923 }
1924 
1925 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1926 {
1927 	struct nft_hook *h, *next;
1928 
1929 	list_for_each_entry_safe(h, next, &hook->list, list) {
1930 		list_del(&h->list);
1931 		kfree(h);
1932 	}
1933 	module_put(hook->type->owner);
1934 }
1935 
1936 struct nft_rules_old {
1937 	struct rcu_head h;
1938 	struct nft_rule **start;
1939 };
1940 
1941 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1942 						     unsigned int alloc)
1943 {
1944 	if (alloc > INT_MAX)
1945 		return NULL;
1946 
1947 	alloc += 1;	/* NULL, ends rules */
1948 	if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1949 		return NULL;
1950 
1951 	alloc *= sizeof(struct nft_rule *);
1952 	alloc += sizeof(struct nft_rules_old);
1953 
1954 	return kvmalloc(alloc, GFP_KERNEL);
1955 }
1956 
1957 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1958 				    const struct nft_chain_hook *hook,
1959 				    struct nft_chain *chain)
1960 {
1961 	ops->pf		= family;
1962 	ops->hooknum	= hook->num;
1963 	ops->priority	= hook->priority;
1964 	ops->priv	= chain;
1965 	ops->hook	= hook->type->hooks[ops->hooknum];
1966 }
1967 
1968 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1969 			      struct nft_chain_hook *hook, u32 flags)
1970 {
1971 	struct nft_chain *chain;
1972 	struct nft_hook *h;
1973 
1974 	basechain->type = hook->type;
1975 	INIT_LIST_HEAD(&basechain->hook_list);
1976 	chain = &basechain->chain;
1977 
1978 	if (nft_base_chain_netdev(family, hook->num)) {
1979 		list_splice_init(&hook->list, &basechain->hook_list);
1980 		list_for_each_entry(h, &basechain->hook_list, list)
1981 			nft_basechain_hook_init(&h->ops, family, hook, chain);
1982 
1983 		basechain->ops.hooknum	= hook->num;
1984 		basechain->ops.priority	= hook->priority;
1985 	} else {
1986 		nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1987 	}
1988 
1989 	chain->flags |= NFT_CHAIN_BASE | flags;
1990 	basechain->policy = NF_ACCEPT;
1991 	if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1992 	    nft_chain_offload_priority(basechain) < 0)
1993 		return -EOPNOTSUPP;
1994 
1995 	flow_block_init(&basechain->flow_block);
1996 
1997 	return 0;
1998 }
1999 
2000 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2001 {
2002 	int err;
2003 
2004 	err = rhltable_insert_key(&table->chains_ht, chain->name,
2005 				  &chain->rhlhead, nft_chain_ht_params);
2006 	if (err)
2007 		return err;
2008 
2009 	list_add_tail_rcu(&chain->list, &table->chains);
2010 
2011 	return 0;
2012 }
2013 
2014 static u64 chain_id;
2015 
2016 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2017 			      u8 policy, u32 flags)
2018 {
2019 	const struct nlattr * const *nla = ctx->nla;
2020 	struct nft_table *table = ctx->table;
2021 	struct nft_base_chain *basechain;
2022 	struct nft_stats __percpu *stats;
2023 	struct net *net = ctx->net;
2024 	char name[NFT_NAME_MAXLEN];
2025 	struct nft_trans *trans;
2026 	struct nft_chain *chain;
2027 	struct nft_rule **rules;
2028 	int err;
2029 
2030 	if (table->use == UINT_MAX)
2031 		return -EOVERFLOW;
2032 
2033 	if (nla[NFTA_CHAIN_HOOK]) {
2034 		struct nft_chain_hook hook;
2035 
2036 		if (flags & NFT_CHAIN_BINDING)
2037 			return -EOPNOTSUPP;
2038 
2039 		err = nft_chain_parse_hook(net, nla, &hook, family, true);
2040 		if (err < 0)
2041 			return err;
2042 
2043 		basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
2044 		if (basechain == NULL) {
2045 			nft_chain_release_hook(&hook);
2046 			return -ENOMEM;
2047 		}
2048 		chain = &basechain->chain;
2049 
2050 		if (nla[NFTA_CHAIN_COUNTERS]) {
2051 			stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2052 			if (IS_ERR(stats)) {
2053 				nft_chain_release_hook(&hook);
2054 				kfree(basechain);
2055 				return PTR_ERR(stats);
2056 			}
2057 			rcu_assign_pointer(basechain->stats, stats);
2058 			static_branch_inc(&nft_counters_enabled);
2059 		}
2060 
2061 		err = nft_basechain_init(basechain, family, &hook, flags);
2062 		if (err < 0) {
2063 			nft_chain_release_hook(&hook);
2064 			kfree(basechain);
2065 			return err;
2066 		}
2067 	} else {
2068 		if (flags & NFT_CHAIN_BASE)
2069 			return -EINVAL;
2070 		if (flags & NFT_CHAIN_HW_OFFLOAD)
2071 			return -EOPNOTSUPP;
2072 
2073 		chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2074 		if (chain == NULL)
2075 			return -ENOMEM;
2076 
2077 		chain->flags = flags;
2078 	}
2079 	ctx->chain = chain;
2080 
2081 	INIT_LIST_HEAD(&chain->rules);
2082 	chain->handle = nf_tables_alloc_handle(table);
2083 	chain->table = table;
2084 
2085 	if (nla[NFTA_CHAIN_NAME]) {
2086 		chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2087 	} else {
2088 		if (!(flags & NFT_CHAIN_BINDING)) {
2089 			err = -EINVAL;
2090 			goto err_destroy_chain;
2091 		}
2092 
2093 		snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2094 		chain->name = kstrdup(name, GFP_KERNEL);
2095 	}
2096 
2097 	if (!chain->name) {
2098 		err = -ENOMEM;
2099 		goto err_destroy_chain;
2100 	}
2101 
2102 	if (nla[NFTA_CHAIN_USERDATA]) {
2103 		chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
2104 		if (chain->udata == NULL) {
2105 			err = -ENOMEM;
2106 			goto err_destroy_chain;
2107 		}
2108 		chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2109 	}
2110 
2111 	rules = nf_tables_chain_alloc_rules(chain, 0);
2112 	if (!rules) {
2113 		err = -ENOMEM;
2114 		goto err_destroy_chain;
2115 	}
2116 
2117 	*rules = NULL;
2118 	rcu_assign_pointer(chain->rules_gen_0, rules);
2119 	rcu_assign_pointer(chain->rules_gen_1, rules);
2120 
2121 	err = nf_tables_register_hook(net, table, chain);
2122 	if (err < 0)
2123 		goto err_destroy_chain;
2124 
2125 	trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2126 	if (IS_ERR(trans)) {
2127 		err = PTR_ERR(trans);
2128 		goto err_unregister_hook;
2129 	}
2130 
2131 	nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2132 	if (nft_is_base_chain(chain))
2133 		nft_trans_chain_policy(trans) = policy;
2134 
2135 	err = nft_chain_add(table, chain);
2136 	if (err < 0) {
2137 		nft_trans_destroy(trans);
2138 		goto err_unregister_hook;
2139 	}
2140 
2141 	table->use++;
2142 
2143 	return 0;
2144 err_unregister_hook:
2145 	nf_tables_unregister_hook(net, table, chain);
2146 err_destroy_chain:
2147 	nf_tables_chain_destroy(ctx);
2148 
2149 	return err;
2150 }
2151 
2152 static bool nft_hook_list_equal(struct list_head *hook_list1,
2153 				struct list_head *hook_list2)
2154 {
2155 	struct nft_hook *hook;
2156 	int n = 0, m = 0;
2157 
2158 	n = 0;
2159 	list_for_each_entry(hook, hook_list2, list) {
2160 		if (!nft_hook_list_find(hook_list1, hook))
2161 			return false;
2162 
2163 		n++;
2164 	}
2165 	list_for_each_entry(hook, hook_list1, list)
2166 		m++;
2167 
2168 	return n == m;
2169 }
2170 
2171 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2172 			      u32 flags, const struct nlattr *attr,
2173 			      struct netlink_ext_ack *extack)
2174 {
2175 	const struct nlattr * const *nla = ctx->nla;
2176 	struct nft_table *table = ctx->table;
2177 	struct nft_chain *chain = ctx->chain;
2178 	struct nft_base_chain *basechain;
2179 	struct nft_stats *stats = NULL;
2180 	struct nft_chain_hook hook;
2181 	struct nf_hook_ops *ops;
2182 	struct nft_trans *trans;
2183 	int err;
2184 
2185 	if (chain->flags ^ flags)
2186 		return -EOPNOTSUPP;
2187 
2188 	if (nla[NFTA_CHAIN_HOOK]) {
2189 		if (!nft_is_base_chain(chain)) {
2190 			NL_SET_BAD_ATTR(extack, attr);
2191 			return -EEXIST;
2192 		}
2193 		err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2194 					   false);
2195 		if (err < 0)
2196 			return err;
2197 
2198 		basechain = nft_base_chain(chain);
2199 		if (basechain->type != hook.type) {
2200 			nft_chain_release_hook(&hook);
2201 			NL_SET_BAD_ATTR(extack, attr);
2202 			return -EEXIST;
2203 		}
2204 
2205 		if (nft_base_chain_netdev(ctx->family, hook.num)) {
2206 			if (!nft_hook_list_equal(&basechain->hook_list,
2207 						 &hook.list)) {
2208 				nft_chain_release_hook(&hook);
2209 				NL_SET_BAD_ATTR(extack, attr);
2210 				return -EEXIST;
2211 			}
2212 		} else {
2213 			ops = &basechain->ops;
2214 			if (ops->hooknum != hook.num ||
2215 			    ops->priority != hook.priority) {
2216 				nft_chain_release_hook(&hook);
2217 				NL_SET_BAD_ATTR(extack, attr);
2218 				return -EEXIST;
2219 			}
2220 		}
2221 		nft_chain_release_hook(&hook);
2222 	}
2223 
2224 	if (nla[NFTA_CHAIN_HANDLE] &&
2225 	    nla[NFTA_CHAIN_NAME]) {
2226 		struct nft_chain *chain2;
2227 
2228 		chain2 = nft_chain_lookup(ctx->net, table,
2229 					  nla[NFTA_CHAIN_NAME], genmask);
2230 		if (!IS_ERR(chain2)) {
2231 			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2232 			return -EEXIST;
2233 		}
2234 	}
2235 
2236 	if (nla[NFTA_CHAIN_COUNTERS]) {
2237 		if (!nft_is_base_chain(chain))
2238 			return -EOPNOTSUPP;
2239 
2240 		stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2241 		if (IS_ERR(stats))
2242 			return PTR_ERR(stats);
2243 	}
2244 
2245 	err = -ENOMEM;
2246 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2247 				sizeof(struct nft_trans_chain));
2248 	if (trans == NULL)
2249 		goto err;
2250 
2251 	nft_trans_chain_stats(trans) = stats;
2252 	nft_trans_chain_update(trans) = true;
2253 
2254 	if (nla[NFTA_CHAIN_POLICY])
2255 		nft_trans_chain_policy(trans) = policy;
2256 	else
2257 		nft_trans_chain_policy(trans) = -1;
2258 
2259 	if (nla[NFTA_CHAIN_HANDLE] &&
2260 	    nla[NFTA_CHAIN_NAME]) {
2261 		struct nft_trans *tmp;
2262 		char *name;
2263 
2264 		err = -ENOMEM;
2265 		name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2266 		if (!name)
2267 			goto err;
2268 
2269 		err = -EEXIST;
2270 		list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2271 			if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2272 			    tmp->ctx.table == table &&
2273 			    nft_trans_chain_update(tmp) &&
2274 			    nft_trans_chain_name(tmp) &&
2275 			    strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2276 				NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2277 				kfree(name);
2278 				goto err;
2279 			}
2280 		}
2281 
2282 		nft_trans_chain_name(trans) = name;
2283 	}
2284 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2285 
2286 	return 0;
2287 err:
2288 	free_percpu(stats);
2289 	kfree(trans);
2290 	return err;
2291 }
2292 
2293 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2294 					       const struct nlattr *nla)
2295 {
2296 	u32 id = ntohl(nla_get_be32(nla));
2297 	struct nft_trans *trans;
2298 
2299 	list_for_each_entry(trans, &net->nft.commit_list, list) {
2300 		struct nft_chain *chain = trans->ctx.chain;
2301 
2302 		if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2303 		    id == nft_trans_chain_id(trans))
2304 			return chain;
2305 	}
2306 	return ERR_PTR(-ENOENT);
2307 }
2308 
2309 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2310 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
2311 			      const struct nlattr * const nla[],
2312 			      struct netlink_ext_ack *extack)
2313 {
2314 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2315 	u8 genmask = nft_genmask_next(net);
2316 	int family = nfmsg->nfgen_family;
2317 	struct nft_chain *chain = NULL;
2318 	const struct nlattr *attr;
2319 	struct nft_table *table;
2320 	u8 policy = NF_ACCEPT;
2321 	struct nft_ctx ctx;
2322 	u64 handle = 0;
2323 	u32 flags = 0;
2324 
2325 	lockdep_assert_held(&net->nft.commit_mutex);
2326 
2327 	table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2328 				 NETLINK_CB(skb).portid);
2329 	if (IS_ERR(table)) {
2330 		NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2331 		return PTR_ERR(table);
2332 	}
2333 
2334 	chain = NULL;
2335 	attr = nla[NFTA_CHAIN_NAME];
2336 
2337 	if (nla[NFTA_CHAIN_HANDLE]) {
2338 		handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2339 		chain = nft_chain_lookup_byhandle(table, handle, genmask);
2340 		if (IS_ERR(chain)) {
2341 			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2342 			return PTR_ERR(chain);
2343 		}
2344 		attr = nla[NFTA_CHAIN_HANDLE];
2345 	} else if (nla[NFTA_CHAIN_NAME]) {
2346 		chain = nft_chain_lookup(net, table, attr, genmask);
2347 		if (IS_ERR(chain)) {
2348 			if (PTR_ERR(chain) != -ENOENT) {
2349 				NL_SET_BAD_ATTR(extack, attr);
2350 				return PTR_ERR(chain);
2351 			}
2352 			chain = NULL;
2353 		}
2354 	} else if (!nla[NFTA_CHAIN_ID]) {
2355 		return -EINVAL;
2356 	}
2357 
2358 	if (nla[NFTA_CHAIN_POLICY]) {
2359 		if (chain != NULL &&
2360 		    !nft_is_base_chain(chain)) {
2361 			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2362 			return -EOPNOTSUPP;
2363 		}
2364 
2365 		if (chain == NULL &&
2366 		    nla[NFTA_CHAIN_HOOK] == NULL) {
2367 			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2368 			return -EOPNOTSUPP;
2369 		}
2370 
2371 		policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2372 		switch (policy) {
2373 		case NF_DROP:
2374 		case NF_ACCEPT:
2375 			break;
2376 		default:
2377 			return -EINVAL;
2378 		}
2379 	}
2380 
2381 	if (nla[NFTA_CHAIN_FLAGS])
2382 		flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2383 	else if (chain)
2384 		flags = chain->flags;
2385 
2386 	if (flags & ~NFT_CHAIN_FLAGS)
2387 		return -EOPNOTSUPP;
2388 
2389 	nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2390 
2391 	if (chain != NULL) {
2392 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
2393 			NL_SET_BAD_ATTR(extack, attr);
2394 			return -EEXIST;
2395 		}
2396 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
2397 			return -EOPNOTSUPP;
2398 
2399 		flags |= chain->flags & NFT_CHAIN_BASE;
2400 		return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2401 					  extack);
2402 	}
2403 
2404 	return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2405 }
2406 
2407 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2408 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
2409 			      const struct nlattr * const nla[],
2410 			      struct netlink_ext_ack *extack)
2411 {
2412 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2413 	u8 genmask = nft_genmask_next(net);
2414 	int family = nfmsg->nfgen_family;
2415 	const struct nlattr *attr;
2416 	struct nft_table *table;
2417 	struct nft_chain *chain;
2418 	struct nft_rule *rule;
2419 	struct nft_ctx ctx;
2420 	u64 handle;
2421 	u32 use;
2422 	int err;
2423 
2424 	table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2425 				 NETLINK_CB(skb).portid);
2426 	if (IS_ERR(table)) {
2427 		NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2428 		return PTR_ERR(table);
2429 	}
2430 
2431 	if (nla[NFTA_CHAIN_HANDLE]) {
2432 		attr = nla[NFTA_CHAIN_HANDLE];
2433 		handle = be64_to_cpu(nla_get_be64(attr));
2434 		chain = nft_chain_lookup_byhandle(table, handle, genmask);
2435 	} else {
2436 		attr = nla[NFTA_CHAIN_NAME];
2437 		chain = nft_chain_lookup(net, table, attr, genmask);
2438 	}
2439 	if (IS_ERR(chain)) {
2440 		NL_SET_BAD_ATTR(extack, attr);
2441 		return PTR_ERR(chain);
2442 	}
2443 
2444 	if (nlh->nlmsg_flags & NLM_F_NONREC &&
2445 	    chain->use > 0)
2446 		return -EBUSY;
2447 
2448 	nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2449 
2450 	use = chain->use;
2451 	list_for_each_entry(rule, &chain->rules, list) {
2452 		if (!nft_is_active_next(net, rule))
2453 			continue;
2454 		use--;
2455 
2456 		err = nft_delrule(&ctx, rule);
2457 		if (err < 0)
2458 			return err;
2459 	}
2460 
2461 	/* There are rules and elements that are still holding references to us,
2462 	 * we cannot do a recursive removal in this case.
2463 	 */
2464 	if (use > 0) {
2465 		NL_SET_BAD_ATTR(extack, attr);
2466 		return -EBUSY;
2467 	}
2468 
2469 	return nft_delchain(&ctx);
2470 }
2471 
2472 /*
2473  * Expressions
2474  */
2475 
2476 /**
2477  *	nft_register_expr - register nf_tables expr type
2478  *	@type: expr type
2479  *
2480  *	Registers the expr type for use with nf_tables. Returns zero on
2481  *	success or a negative errno code otherwise.
2482  */
2483 int nft_register_expr(struct nft_expr_type *type)
2484 {
2485 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
2486 	if (type->family == NFPROTO_UNSPEC)
2487 		list_add_tail_rcu(&type->list, &nf_tables_expressions);
2488 	else
2489 		list_add_rcu(&type->list, &nf_tables_expressions);
2490 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2491 	return 0;
2492 }
2493 EXPORT_SYMBOL_GPL(nft_register_expr);
2494 
2495 /**
2496  *	nft_unregister_expr - unregister nf_tables expr type
2497  *	@type: expr type
2498  *
2499  * 	Unregisters the expr typefor use with nf_tables.
2500  */
2501 void nft_unregister_expr(struct nft_expr_type *type)
2502 {
2503 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
2504 	list_del_rcu(&type->list);
2505 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2506 }
2507 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2508 
2509 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2510 						       struct nlattr *nla)
2511 {
2512 	const struct nft_expr_type *type, *candidate = NULL;
2513 
2514 	list_for_each_entry(type, &nf_tables_expressions, list) {
2515 		if (!nla_strcmp(nla, type->name)) {
2516 			if (!type->family && !candidate)
2517 				candidate = type;
2518 			else if (type->family == family)
2519 				candidate = type;
2520 		}
2521 	}
2522 	return candidate;
2523 }
2524 
2525 #ifdef CONFIG_MODULES
2526 static int nft_expr_type_request_module(struct net *net, u8 family,
2527 					struct nlattr *nla)
2528 {
2529 	if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2530 			       nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2531 		return -EAGAIN;
2532 
2533 	return 0;
2534 }
2535 #endif
2536 
2537 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2538 						     u8 family,
2539 						     struct nlattr *nla)
2540 {
2541 	const struct nft_expr_type *type;
2542 
2543 	if (nla == NULL)
2544 		return ERR_PTR(-EINVAL);
2545 
2546 	type = __nft_expr_type_get(family, nla);
2547 	if (type != NULL && try_module_get(type->owner))
2548 		return type;
2549 
2550 	lockdep_nfnl_nft_mutex_not_held();
2551 #ifdef CONFIG_MODULES
2552 	if (type == NULL) {
2553 		if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2554 			return ERR_PTR(-EAGAIN);
2555 
2556 		if (nft_request_module(net, "nft-expr-%.*s",
2557 				       nla_len(nla),
2558 				       (char *)nla_data(nla)) == -EAGAIN)
2559 			return ERR_PTR(-EAGAIN);
2560 	}
2561 #endif
2562 	return ERR_PTR(-ENOENT);
2563 }
2564 
2565 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2566 	[NFTA_EXPR_NAME]	= { .type = NLA_STRING,
2567 				    .len = NFT_MODULE_AUTOLOAD_LIMIT },
2568 	[NFTA_EXPR_DATA]	= { .type = NLA_NESTED },
2569 };
2570 
2571 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2572 				    const struct nft_expr *expr)
2573 {
2574 	if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2575 		goto nla_put_failure;
2576 
2577 	if (expr->ops->dump) {
2578 		struct nlattr *data = nla_nest_start_noflag(skb,
2579 							    NFTA_EXPR_DATA);
2580 		if (data == NULL)
2581 			goto nla_put_failure;
2582 		if (expr->ops->dump(skb, expr) < 0)
2583 			goto nla_put_failure;
2584 		nla_nest_end(skb, data);
2585 	}
2586 
2587 	return skb->len;
2588 
2589 nla_put_failure:
2590 	return -1;
2591 };
2592 
2593 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2594 		  const struct nft_expr *expr)
2595 {
2596 	struct nlattr *nest;
2597 
2598 	nest = nla_nest_start_noflag(skb, attr);
2599 	if (!nest)
2600 		goto nla_put_failure;
2601 	if (nf_tables_fill_expr_info(skb, expr) < 0)
2602 		goto nla_put_failure;
2603 	nla_nest_end(skb, nest);
2604 	return 0;
2605 
2606 nla_put_failure:
2607 	return -1;
2608 }
2609 
2610 struct nft_expr_info {
2611 	const struct nft_expr_ops	*ops;
2612 	const struct nlattr		*attr;
2613 	struct nlattr			*tb[NFT_EXPR_MAXATTR + 1];
2614 };
2615 
2616 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2617 				const struct nlattr *nla,
2618 				struct nft_expr_info *info)
2619 {
2620 	const struct nft_expr_type *type;
2621 	const struct nft_expr_ops *ops;
2622 	struct nlattr *tb[NFTA_EXPR_MAX + 1];
2623 	int err;
2624 
2625 	err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2626 					  nft_expr_policy, NULL);
2627 	if (err < 0)
2628 		return err;
2629 
2630 	type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2631 	if (IS_ERR(type))
2632 		return PTR_ERR(type);
2633 
2634 	if (tb[NFTA_EXPR_DATA]) {
2635 		err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2636 						  tb[NFTA_EXPR_DATA],
2637 						  type->policy, NULL);
2638 		if (err < 0)
2639 			goto err1;
2640 	} else
2641 		memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2642 
2643 	if (type->select_ops != NULL) {
2644 		ops = type->select_ops(ctx,
2645 				       (const struct nlattr * const *)info->tb);
2646 		if (IS_ERR(ops)) {
2647 			err = PTR_ERR(ops);
2648 #ifdef CONFIG_MODULES
2649 			if (err == -EAGAIN)
2650 				if (nft_expr_type_request_module(ctx->net,
2651 								 ctx->family,
2652 								 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2653 					err = -ENOENT;
2654 #endif
2655 			goto err1;
2656 		}
2657 	} else
2658 		ops = type->ops;
2659 
2660 	info->attr = nla;
2661 	info->ops = ops;
2662 
2663 	return 0;
2664 
2665 err1:
2666 	module_put(type->owner);
2667 	return err;
2668 }
2669 
2670 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2671 			     const struct nft_expr_info *info,
2672 			     struct nft_expr *expr)
2673 {
2674 	const struct nft_expr_ops *ops = info->ops;
2675 	int err;
2676 
2677 	expr->ops = ops;
2678 	if (ops->init) {
2679 		err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2680 		if (err < 0)
2681 			goto err1;
2682 	}
2683 
2684 	return 0;
2685 err1:
2686 	expr->ops = NULL;
2687 	return err;
2688 }
2689 
2690 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2691 				   struct nft_expr *expr)
2692 {
2693 	const struct nft_expr_type *type = expr->ops->type;
2694 
2695 	if (expr->ops->destroy)
2696 		expr->ops->destroy(ctx, expr);
2697 	module_put(type->owner);
2698 }
2699 
2700 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2701 				      const struct nlattr *nla)
2702 {
2703 	struct nft_expr_info info;
2704 	struct nft_expr *expr;
2705 	struct module *owner;
2706 	int err;
2707 
2708 	err = nf_tables_expr_parse(ctx, nla, &info);
2709 	if (err < 0)
2710 		goto err1;
2711 
2712 	err = -ENOMEM;
2713 	expr = kzalloc(info.ops->size, GFP_KERNEL);
2714 	if (expr == NULL)
2715 		goto err2;
2716 
2717 	err = nf_tables_newexpr(ctx, &info, expr);
2718 	if (err < 0)
2719 		goto err3;
2720 
2721 	return expr;
2722 err3:
2723 	kfree(expr);
2724 err2:
2725 	owner = info.ops->type->owner;
2726 	if (info.ops->type->release_ops)
2727 		info.ops->type->release_ops(info.ops);
2728 
2729 	module_put(owner);
2730 err1:
2731 	return ERR_PTR(err);
2732 }
2733 
2734 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2735 {
2736 	int err;
2737 
2738 	if (src->ops->clone) {
2739 		dst->ops = src->ops;
2740 		err = src->ops->clone(dst, src);
2741 		if (err < 0)
2742 			return err;
2743 	} else {
2744 		memcpy(dst, src, src->ops->size);
2745 	}
2746 
2747 	__module_get(src->ops->type->owner);
2748 
2749 	return 0;
2750 }
2751 
2752 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2753 {
2754 	nf_tables_expr_destroy(ctx, expr);
2755 	kfree(expr);
2756 }
2757 
2758 /*
2759  * Rules
2760  */
2761 
2762 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2763 					  u64 handle)
2764 {
2765 	struct nft_rule *rule;
2766 
2767 	// FIXME: this sucks
2768 	list_for_each_entry_rcu(rule, &chain->rules, list) {
2769 		if (handle == rule->handle)
2770 			return rule;
2771 	}
2772 
2773 	return ERR_PTR(-ENOENT);
2774 }
2775 
2776 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2777 					const struct nlattr *nla)
2778 {
2779 	if (nla == NULL)
2780 		return ERR_PTR(-EINVAL);
2781 
2782 	return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2783 }
2784 
2785 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2786 	[NFTA_RULE_TABLE]	= { .type = NLA_STRING,
2787 				    .len = NFT_TABLE_MAXNAMELEN - 1 },
2788 	[NFTA_RULE_CHAIN]	= { .type = NLA_STRING,
2789 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
2790 	[NFTA_RULE_HANDLE]	= { .type = NLA_U64 },
2791 	[NFTA_RULE_EXPRESSIONS]	= { .type = NLA_NESTED },
2792 	[NFTA_RULE_COMPAT]	= { .type = NLA_NESTED },
2793 	[NFTA_RULE_POSITION]	= { .type = NLA_U64 },
2794 	[NFTA_RULE_USERDATA]	= { .type = NLA_BINARY,
2795 				    .len = NFT_USERDATA_MAXLEN },
2796 	[NFTA_RULE_ID]		= { .type = NLA_U32 },
2797 	[NFTA_RULE_POSITION_ID]	= { .type = NLA_U32 },
2798 	[NFTA_RULE_CHAIN_ID]	= { .type = NLA_U32 },
2799 };
2800 
2801 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2802 				    u32 portid, u32 seq, int event,
2803 				    u32 flags, int family,
2804 				    const struct nft_table *table,
2805 				    const struct nft_chain *chain,
2806 				    const struct nft_rule *rule,
2807 				    const struct nft_rule *prule)
2808 {
2809 	struct nlmsghdr *nlh;
2810 	struct nfgenmsg *nfmsg;
2811 	const struct nft_expr *expr, *next;
2812 	struct nlattr *list;
2813 	u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2814 
2815 	nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2816 	if (nlh == NULL)
2817 		goto nla_put_failure;
2818 
2819 	nfmsg = nlmsg_data(nlh);
2820 	nfmsg->nfgen_family	= family;
2821 	nfmsg->version		= NFNETLINK_V0;
2822 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
2823 
2824 	if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2825 		goto nla_put_failure;
2826 	if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2827 		goto nla_put_failure;
2828 	if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2829 			 NFTA_RULE_PAD))
2830 		goto nla_put_failure;
2831 
2832 	if (event != NFT_MSG_DELRULE && prule) {
2833 		if (nla_put_be64(skb, NFTA_RULE_POSITION,
2834 				 cpu_to_be64(prule->handle),
2835 				 NFTA_RULE_PAD))
2836 			goto nla_put_failure;
2837 	}
2838 
2839 	list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2840 	if (list == NULL)
2841 		goto nla_put_failure;
2842 	nft_rule_for_each_expr(expr, next, rule) {
2843 		if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2844 			goto nla_put_failure;
2845 	}
2846 	nla_nest_end(skb, list);
2847 
2848 	if (rule->udata) {
2849 		struct nft_userdata *udata = nft_userdata(rule);
2850 		if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2851 			    udata->data) < 0)
2852 			goto nla_put_failure;
2853 	}
2854 
2855 	nlmsg_end(skb, nlh);
2856 	return 0;
2857 
2858 nla_put_failure:
2859 	nlmsg_trim(skb, nlh);
2860 	return -1;
2861 }
2862 
2863 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2864 				  const struct nft_rule *rule, int event)
2865 {
2866 	struct sk_buff *skb;
2867 	int err;
2868 	char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
2869 			      ctx->table->name, ctx->table->handle,
2870 			      ctx->chain->name, ctx->chain->handle);
2871 
2872 	audit_log_nfcfg(buf,
2873 			ctx->family,
2874 			rule->handle,
2875 			event == NFT_MSG_NEWRULE ?
2876 				AUDIT_NFT_OP_RULE_REGISTER :
2877 				AUDIT_NFT_OP_RULE_UNREGISTER,
2878 			GFP_KERNEL);
2879 	kfree(buf);
2880 
2881 	if (!ctx->report &&
2882 	    !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2883 		return;
2884 
2885 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2886 	if (skb == NULL)
2887 		goto err;
2888 
2889 	err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2890 				       event, 0, ctx->family, ctx->table,
2891 				       ctx->chain, rule, NULL);
2892 	if (err < 0) {
2893 		kfree_skb(skb);
2894 		goto err;
2895 	}
2896 
2897 	nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
2898 	return;
2899 err:
2900 	nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2901 }
2902 
2903 struct nft_rule_dump_ctx {
2904 	char *table;
2905 	char *chain;
2906 };
2907 
2908 static int __nf_tables_dump_rules(struct sk_buff *skb,
2909 				  unsigned int *idx,
2910 				  struct netlink_callback *cb,
2911 				  const struct nft_table *table,
2912 				  const struct nft_chain *chain)
2913 {
2914 	struct net *net = sock_net(skb->sk);
2915 	const struct nft_rule *rule, *prule;
2916 	unsigned int s_idx = cb->args[0];
2917 
2918 	prule = NULL;
2919 	list_for_each_entry_rcu(rule, &chain->rules, list) {
2920 		if (!nft_is_active(net, rule))
2921 			goto cont_skip;
2922 		if (*idx < s_idx)
2923 			goto cont;
2924 		if (*idx > s_idx) {
2925 			memset(&cb->args[1], 0,
2926 					sizeof(cb->args) - sizeof(cb->args[0]));
2927 		}
2928 		if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2929 					cb->nlh->nlmsg_seq,
2930 					NFT_MSG_NEWRULE,
2931 					NLM_F_MULTI | NLM_F_APPEND,
2932 					table->family,
2933 					table, chain, rule, prule) < 0)
2934 			return 1;
2935 
2936 		nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2937 cont:
2938 		prule = rule;
2939 cont_skip:
2940 		(*idx)++;
2941 	}
2942 	return 0;
2943 }
2944 
2945 static int nf_tables_dump_rules(struct sk_buff *skb,
2946 				struct netlink_callback *cb)
2947 {
2948 	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2949 	const struct nft_rule_dump_ctx *ctx = cb->data;
2950 	struct nft_table *table;
2951 	const struct nft_chain *chain;
2952 	unsigned int idx = 0;
2953 	struct net *net = sock_net(skb->sk);
2954 	int family = nfmsg->nfgen_family;
2955 
2956 	rcu_read_lock();
2957 	cb->seq = net->nft.base_seq;
2958 
2959 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
2960 		if (family != NFPROTO_UNSPEC && family != table->family)
2961 			continue;
2962 
2963 		if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2964 			continue;
2965 
2966 		if (ctx && ctx->table && ctx->chain) {
2967 			struct rhlist_head *list, *tmp;
2968 
2969 			list = rhltable_lookup(&table->chains_ht, ctx->chain,
2970 					       nft_chain_ht_params);
2971 			if (!list)
2972 				goto done;
2973 
2974 			rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2975 				if (!nft_is_active(net, chain))
2976 					continue;
2977 				__nf_tables_dump_rules(skb, &idx,
2978 						       cb, table, chain);
2979 				break;
2980 			}
2981 			goto done;
2982 		}
2983 
2984 		list_for_each_entry_rcu(chain, &table->chains, list) {
2985 			if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2986 				goto done;
2987 		}
2988 
2989 		if (ctx && ctx->table)
2990 			break;
2991 	}
2992 done:
2993 	rcu_read_unlock();
2994 
2995 	cb->args[0] = idx;
2996 	return skb->len;
2997 }
2998 
2999 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3000 {
3001 	const struct nlattr * const *nla = cb->data;
3002 	struct nft_rule_dump_ctx *ctx = NULL;
3003 
3004 	if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3005 		ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3006 		if (!ctx)
3007 			return -ENOMEM;
3008 
3009 		if (nla[NFTA_RULE_TABLE]) {
3010 			ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3011 							GFP_ATOMIC);
3012 			if (!ctx->table) {
3013 				kfree(ctx);
3014 				return -ENOMEM;
3015 			}
3016 		}
3017 		if (nla[NFTA_RULE_CHAIN]) {
3018 			ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3019 						GFP_ATOMIC);
3020 			if (!ctx->chain) {
3021 				kfree(ctx->table);
3022 				kfree(ctx);
3023 				return -ENOMEM;
3024 			}
3025 		}
3026 	}
3027 
3028 	cb->data = ctx;
3029 	return 0;
3030 }
3031 
3032 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3033 {
3034 	struct nft_rule_dump_ctx *ctx = cb->data;
3035 
3036 	if (ctx) {
3037 		kfree(ctx->table);
3038 		kfree(ctx->chain);
3039 		kfree(ctx);
3040 	}
3041 	return 0;
3042 }
3043 
3044 /* called with rcu_read_lock held */
3045 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
3046 			     struct sk_buff *skb, const struct nlmsghdr *nlh,
3047 			     const struct nlattr * const nla[],
3048 			     struct netlink_ext_ack *extack)
3049 {
3050 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3051 	u8 genmask = nft_genmask_cur(net);
3052 	const struct nft_chain *chain;
3053 	const struct nft_rule *rule;
3054 	struct nft_table *table;
3055 	struct sk_buff *skb2;
3056 	int family = nfmsg->nfgen_family;
3057 	int err;
3058 
3059 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
3060 		struct netlink_dump_control c = {
3061 			.start= nf_tables_dump_rules_start,
3062 			.dump = nf_tables_dump_rules,
3063 			.done = nf_tables_dump_rules_done,
3064 			.module = THIS_MODULE,
3065 			.data = (void *)nla,
3066 		};
3067 
3068 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3069 	}
3070 
3071 	table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3072 	if (IS_ERR(table)) {
3073 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3074 		return PTR_ERR(table);
3075 	}
3076 
3077 	chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3078 	if (IS_ERR(chain)) {
3079 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3080 		return PTR_ERR(chain);
3081 	}
3082 
3083 	rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3084 	if (IS_ERR(rule)) {
3085 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3086 		return PTR_ERR(rule);
3087 	}
3088 
3089 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3090 	if (!skb2)
3091 		return -ENOMEM;
3092 
3093 	err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3094 				       nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3095 				       family, table, chain, rule, NULL);
3096 	if (err < 0)
3097 		goto err_fill_rule_info;
3098 
3099 	return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3100 
3101 err_fill_rule_info:
3102 	kfree_skb(skb2);
3103 	return err;
3104 }
3105 
3106 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3107 				   struct nft_rule *rule)
3108 {
3109 	struct nft_expr *expr, *next;
3110 
3111 	/*
3112 	 * Careful: some expressions might not be initialized in case this
3113 	 * is called on error from nf_tables_newrule().
3114 	 */
3115 	expr = nft_expr_first(rule);
3116 	while (nft_expr_more(rule, expr)) {
3117 		next = nft_expr_next(expr);
3118 		nf_tables_expr_destroy(ctx, expr);
3119 		expr = next;
3120 	}
3121 	kfree(rule);
3122 }
3123 
3124 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3125 {
3126 	nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3127 	nf_tables_rule_destroy(ctx, rule);
3128 }
3129 
3130 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3131 {
3132 	struct nft_expr *expr, *last;
3133 	const struct nft_data *data;
3134 	struct nft_rule *rule;
3135 	int err;
3136 
3137 	if (ctx->level == NFT_JUMP_STACK_SIZE)
3138 		return -EMLINK;
3139 
3140 	list_for_each_entry(rule, &chain->rules, list) {
3141 		if (!nft_is_active_next(ctx->net, rule))
3142 			continue;
3143 
3144 		nft_rule_for_each_expr(expr, last, rule) {
3145 			if (!expr->ops->validate)
3146 				continue;
3147 
3148 			err = expr->ops->validate(ctx, expr, &data);
3149 			if (err < 0)
3150 				return err;
3151 		}
3152 	}
3153 
3154 	return 0;
3155 }
3156 EXPORT_SYMBOL_GPL(nft_chain_validate);
3157 
3158 static int nft_table_validate(struct net *net, const struct nft_table *table)
3159 {
3160 	struct nft_chain *chain;
3161 	struct nft_ctx ctx = {
3162 		.net	= net,
3163 		.family	= table->family,
3164 	};
3165 	int err;
3166 
3167 	list_for_each_entry(chain, &table->chains, list) {
3168 		if (!nft_is_base_chain(chain))
3169 			continue;
3170 
3171 		ctx.chain = chain;
3172 		err = nft_chain_validate(&ctx, chain);
3173 		if (err < 0)
3174 			return err;
3175 	}
3176 
3177 	return 0;
3178 }
3179 
3180 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3181 					     const struct nlattr *nla);
3182 
3183 #define NFT_RULE_MAXEXPRS	128
3184 
3185 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3186 			     struct sk_buff *skb, const struct nlmsghdr *nlh,
3187 			     const struct nlattr * const nla[],
3188 			     struct netlink_ext_ack *extack)
3189 {
3190 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3191 	u8 genmask = nft_genmask_next(net);
3192 	struct nft_expr_info *info = NULL;
3193 	int family = nfmsg->nfgen_family;
3194 	struct nft_flow_rule *flow;
3195 	struct nft_table *table;
3196 	struct nft_chain *chain;
3197 	struct nft_rule *rule, *old_rule = NULL;
3198 	struct nft_userdata *udata;
3199 	struct nft_trans *trans = NULL;
3200 	struct nft_expr *expr;
3201 	struct nft_ctx ctx;
3202 	struct nlattr *tmp;
3203 	unsigned int size, i, n, ulen = 0, usize = 0;
3204 	int err, rem;
3205 	u64 handle, pos_handle;
3206 
3207 	lockdep_assert_held(&net->nft.commit_mutex);
3208 
3209 	table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3210 				 NETLINK_CB(skb).portid);
3211 	if (IS_ERR(table)) {
3212 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3213 		return PTR_ERR(table);
3214 	}
3215 
3216 	if (nla[NFTA_RULE_CHAIN]) {
3217 		chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3218 					 genmask);
3219 		if (IS_ERR(chain)) {
3220 			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3221 			return PTR_ERR(chain);
3222 		}
3223 		if (nft_chain_is_bound(chain))
3224 			return -EOPNOTSUPP;
3225 
3226 	} else if (nla[NFTA_RULE_CHAIN_ID]) {
3227 		chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3228 		if (IS_ERR(chain)) {
3229 			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3230 			return PTR_ERR(chain);
3231 		}
3232 	} else {
3233 		return -EINVAL;
3234 	}
3235 
3236 	if (nla[NFTA_RULE_HANDLE]) {
3237 		handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3238 		rule = __nft_rule_lookup(chain, handle);
3239 		if (IS_ERR(rule)) {
3240 			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3241 			return PTR_ERR(rule);
3242 		}
3243 
3244 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
3245 			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3246 			return -EEXIST;
3247 		}
3248 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
3249 			old_rule = rule;
3250 		else
3251 			return -EOPNOTSUPP;
3252 	} else {
3253 		if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3254 		    nlh->nlmsg_flags & NLM_F_REPLACE)
3255 			return -EINVAL;
3256 		handle = nf_tables_alloc_handle(table);
3257 
3258 		if (chain->use == UINT_MAX)
3259 			return -EOVERFLOW;
3260 
3261 		if (nla[NFTA_RULE_POSITION]) {
3262 			pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3263 			old_rule = __nft_rule_lookup(chain, pos_handle);
3264 			if (IS_ERR(old_rule)) {
3265 				NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3266 				return PTR_ERR(old_rule);
3267 			}
3268 		} else if (nla[NFTA_RULE_POSITION_ID]) {
3269 			old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3270 			if (IS_ERR(old_rule)) {
3271 				NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3272 				return PTR_ERR(old_rule);
3273 			}
3274 		}
3275 	}
3276 
3277 	nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3278 
3279 	n = 0;
3280 	size = 0;
3281 	if (nla[NFTA_RULE_EXPRESSIONS]) {
3282 		info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3283 				      sizeof(struct nft_expr_info),
3284 				      GFP_KERNEL);
3285 		if (!info)
3286 			return -ENOMEM;
3287 
3288 		nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3289 			err = -EINVAL;
3290 			if (nla_type(tmp) != NFTA_LIST_ELEM)
3291 				goto err1;
3292 			if (n == NFT_RULE_MAXEXPRS)
3293 				goto err1;
3294 			err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3295 			if (err < 0)
3296 				goto err1;
3297 			size += info[n].ops->size;
3298 			n++;
3299 		}
3300 	}
3301 	/* Check for overflow of dlen field */
3302 	err = -EFBIG;
3303 	if (size >= 1 << 12)
3304 		goto err1;
3305 
3306 	if (nla[NFTA_RULE_USERDATA]) {
3307 		ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3308 		if (ulen > 0)
3309 			usize = sizeof(struct nft_userdata) + ulen;
3310 	}
3311 
3312 	err = -ENOMEM;
3313 	rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3314 	if (rule == NULL)
3315 		goto err1;
3316 
3317 	nft_activate_next(net, rule);
3318 
3319 	rule->handle = handle;
3320 	rule->dlen   = size;
3321 	rule->udata  = ulen ? 1 : 0;
3322 
3323 	if (ulen) {
3324 		udata = nft_userdata(rule);
3325 		udata->len = ulen - 1;
3326 		nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3327 	}
3328 
3329 	expr = nft_expr_first(rule);
3330 	for (i = 0; i < n; i++) {
3331 		err = nf_tables_newexpr(&ctx, &info[i], expr);
3332 		if (err < 0) {
3333 			NL_SET_BAD_ATTR(extack, info[i].attr);
3334 			goto err2;
3335 		}
3336 
3337 		if (info[i].ops->validate)
3338 			nft_validate_state_update(net, NFT_VALIDATE_NEED);
3339 
3340 		info[i].ops = NULL;
3341 		expr = nft_expr_next(expr);
3342 	}
3343 
3344 	if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3345 		trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3346 		if (trans == NULL) {
3347 			err = -ENOMEM;
3348 			goto err2;
3349 		}
3350 		err = nft_delrule(&ctx, old_rule);
3351 		if (err < 0) {
3352 			nft_trans_destroy(trans);
3353 			goto err2;
3354 		}
3355 
3356 		list_add_tail_rcu(&rule->list, &old_rule->list);
3357 	} else {
3358 		trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3359 		if (!trans) {
3360 			err = -ENOMEM;
3361 			goto err2;
3362 		}
3363 
3364 		if (nlh->nlmsg_flags & NLM_F_APPEND) {
3365 			if (old_rule)
3366 				list_add_rcu(&rule->list, &old_rule->list);
3367 			else
3368 				list_add_tail_rcu(&rule->list, &chain->rules);
3369 		 } else {
3370 			if (old_rule)
3371 				list_add_tail_rcu(&rule->list, &old_rule->list);
3372 			else
3373 				list_add_rcu(&rule->list, &chain->rules);
3374 		}
3375 	}
3376 	kvfree(info);
3377 	chain->use++;
3378 
3379 	if (net->nft.validate_state == NFT_VALIDATE_DO)
3380 		return nft_table_validate(net, table);
3381 
3382 	if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3383 		flow = nft_flow_rule_create(net, rule);
3384 		if (IS_ERR(flow))
3385 			return PTR_ERR(flow);
3386 
3387 		nft_trans_flow_rule(trans) = flow;
3388 	}
3389 
3390 	return 0;
3391 err2:
3392 	nf_tables_rule_release(&ctx, rule);
3393 err1:
3394 	for (i = 0; i < n; i++) {
3395 		if (info[i].ops) {
3396 			module_put(info[i].ops->type->owner);
3397 			if (info[i].ops->type->release_ops)
3398 				info[i].ops->type->release_ops(info[i].ops);
3399 		}
3400 	}
3401 	kvfree(info);
3402 	return err;
3403 }
3404 
3405 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3406 					     const struct nlattr *nla)
3407 {
3408 	u32 id = ntohl(nla_get_be32(nla));
3409 	struct nft_trans *trans;
3410 
3411 	list_for_each_entry(trans, &net->nft.commit_list, list) {
3412 		struct nft_rule *rule = nft_trans_rule(trans);
3413 
3414 		if (trans->msg_type == NFT_MSG_NEWRULE &&
3415 		    id == nft_trans_rule_id(trans))
3416 			return rule;
3417 	}
3418 	return ERR_PTR(-ENOENT);
3419 }
3420 
3421 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3422 			     struct sk_buff *skb, const struct nlmsghdr *nlh,
3423 			     const struct nlattr * const nla[],
3424 			     struct netlink_ext_ack *extack)
3425 {
3426 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3427 	u8 genmask = nft_genmask_next(net);
3428 	struct nft_table *table;
3429 	struct nft_chain *chain = NULL;
3430 	struct nft_rule *rule;
3431 	int family = nfmsg->nfgen_family, err = 0;
3432 	struct nft_ctx ctx;
3433 
3434 	table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3435 				 NETLINK_CB(skb).portid);
3436 	if (IS_ERR(table)) {
3437 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3438 		return PTR_ERR(table);
3439 	}
3440 
3441 	if (nla[NFTA_RULE_CHAIN]) {
3442 		chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3443 					 genmask);
3444 		if (IS_ERR(chain)) {
3445 			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3446 			return PTR_ERR(chain);
3447 		}
3448 		if (nft_chain_is_bound(chain))
3449 			return -EOPNOTSUPP;
3450 	}
3451 
3452 	nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3453 
3454 	if (chain) {
3455 		if (nla[NFTA_RULE_HANDLE]) {
3456 			rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3457 			if (IS_ERR(rule)) {
3458 				NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3459 				return PTR_ERR(rule);
3460 			}
3461 
3462 			err = nft_delrule(&ctx, rule);
3463 		} else if (nla[NFTA_RULE_ID]) {
3464 			rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3465 			if (IS_ERR(rule)) {
3466 				NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3467 				return PTR_ERR(rule);
3468 			}
3469 
3470 			err = nft_delrule(&ctx, rule);
3471 		} else {
3472 			err = nft_delrule_by_chain(&ctx);
3473 		}
3474 	} else {
3475 		list_for_each_entry(chain, &table->chains, list) {
3476 			if (!nft_is_active_next(net, chain))
3477 				continue;
3478 
3479 			ctx.chain = chain;
3480 			err = nft_delrule_by_chain(&ctx);
3481 			if (err < 0)
3482 				break;
3483 		}
3484 	}
3485 
3486 	return err;
3487 }
3488 
3489 /*
3490  * Sets
3491  */
3492 static const struct nft_set_type *nft_set_types[] = {
3493 	&nft_set_hash_fast_type,
3494 	&nft_set_hash_type,
3495 	&nft_set_rhash_type,
3496 	&nft_set_bitmap_type,
3497 	&nft_set_rbtree_type,
3498 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3499 	&nft_set_pipapo_avx2_type,
3500 #endif
3501 	&nft_set_pipapo_type,
3502 };
3503 
3504 #define NFT_SET_FEATURES	(NFT_SET_INTERVAL | NFT_SET_MAP | \
3505 				 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3506 				 NFT_SET_EVAL)
3507 
3508 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3509 {
3510 	return (flags & type->features) == (flags & NFT_SET_FEATURES);
3511 }
3512 
3513 /*
3514  * Select a set implementation based on the data characteristics and the
3515  * given policy. The total memory use might not be known if no size is
3516  * given, in that case the amount of memory per element is used.
3517  */
3518 static const struct nft_set_ops *
3519 nft_select_set_ops(const struct nft_ctx *ctx,
3520 		   const struct nlattr * const nla[],
3521 		   const struct nft_set_desc *desc,
3522 		   enum nft_set_policies policy)
3523 {
3524 	const struct nft_set_ops *ops, *bops;
3525 	struct nft_set_estimate est, best;
3526 	const struct nft_set_type *type;
3527 	u32 flags = 0;
3528 	int i;
3529 
3530 	lockdep_assert_held(&ctx->net->nft.commit_mutex);
3531 	lockdep_nfnl_nft_mutex_not_held();
3532 
3533 	if (nla[NFTA_SET_FLAGS] != NULL)
3534 		flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3535 
3536 	bops	    = NULL;
3537 	best.size   = ~0;
3538 	best.lookup = ~0;
3539 	best.space  = ~0;
3540 
3541 	for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3542 		type = nft_set_types[i];
3543 		ops = &type->ops;
3544 
3545 		if (!nft_set_ops_candidate(type, flags))
3546 			continue;
3547 		if (!ops->estimate(desc, flags, &est))
3548 			continue;
3549 
3550 		switch (policy) {
3551 		case NFT_SET_POL_PERFORMANCE:
3552 			if (est.lookup < best.lookup)
3553 				break;
3554 			if (est.lookup == best.lookup &&
3555 			    est.space < best.space)
3556 				break;
3557 			continue;
3558 		case NFT_SET_POL_MEMORY:
3559 			if (!desc->size) {
3560 				if (est.space < best.space)
3561 					break;
3562 				if (est.space == best.space &&
3563 				    est.lookup < best.lookup)
3564 					break;
3565 			} else if (est.size < best.size || !bops) {
3566 				break;
3567 			}
3568 			continue;
3569 		default:
3570 			break;
3571 		}
3572 
3573 		bops = ops;
3574 		best = est;
3575 	}
3576 
3577 	if (bops != NULL)
3578 		return bops;
3579 
3580 	return ERR_PTR(-EOPNOTSUPP);
3581 }
3582 
3583 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3584 	[NFTA_SET_TABLE]		= { .type = NLA_STRING,
3585 					    .len = NFT_TABLE_MAXNAMELEN - 1 },
3586 	[NFTA_SET_NAME]			= { .type = NLA_STRING,
3587 					    .len = NFT_SET_MAXNAMELEN - 1 },
3588 	[NFTA_SET_FLAGS]		= { .type = NLA_U32 },
3589 	[NFTA_SET_KEY_TYPE]		= { .type = NLA_U32 },
3590 	[NFTA_SET_KEY_LEN]		= { .type = NLA_U32 },
3591 	[NFTA_SET_DATA_TYPE]		= { .type = NLA_U32 },
3592 	[NFTA_SET_DATA_LEN]		= { .type = NLA_U32 },
3593 	[NFTA_SET_POLICY]		= { .type = NLA_U32 },
3594 	[NFTA_SET_DESC]			= { .type = NLA_NESTED },
3595 	[NFTA_SET_ID]			= { .type = NLA_U32 },
3596 	[NFTA_SET_TIMEOUT]		= { .type = NLA_U64 },
3597 	[NFTA_SET_GC_INTERVAL]		= { .type = NLA_U32 },
3598 	[NFTA_SET_USERDATA]		= { .type = NLA_BINARY,
3599 					    .len  = NFT_USERDATA_MAXLEN },
3600 	[NFTA_SET_OBJ_TYPE]		= { .type = NLA_U32 },
3601 	[NFTA_SET_HANDLE]		= { .type = NLA_U64 },
3602 	[NFTA_SET_EXPR]			= { .type = NLA_NESTED },
3603 	[NFTA_SET_EXPRESSIONS]		= { .type = NLA_NESTED },
3604 };
3605 
3606 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3607 	[NFTA_SET_DESC_SIZE]		= { .type = NLA_U32 },
3608 	[NFTA_SET_DESC_CONCAT]		= { .type = NLA_NESTED },
3609 };
3610 
3611 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3612 				     const struct sk_buff *skb,
3613 				     const struct nlmsghdr *nlh,
3614 				     const struct nlattr * const nla[],
3615 				     struct netlink_ext_ack *extack,
3616 				     u8 genmask, u32 nlpid)
3617 {
3618 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3619 	int family = nfmsg->nfgen_family;
3620 	struct nft_table *table = NULL;
3621 
3622 	if (nla[NFTA_SET_TABLE] != NULL) {
3623 		table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3624 					 genmask, nlpid);
3625 		if (IS_ERR(table)) {
3626 			NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3627 			return PTR_ERR(table);
3628 		}
3629 	}
3630 
3631 	nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3632 	return 0;
3633 }
3634 
3635 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3636 				      const struct nlattr *nla, u8 genmask)
3637 {
3638 	struct nft_set *set;
3639 
3640 	if (nla == NULL)
3641 		return ERR_PTR(-EINVAL);
3642 
3643 	list_for_each_entry_rcu(set, &table->sets, list) {
3644 		if (!nla_strcmp(nla, set->name) &&
3645 		    nft_active_genmask(set, genmask))
3646 			return set;
3647 	}
3648 	return ERR_PTR(-ENOENT);
3649 }
3650 
3651 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3652 					       const struct nlattr *nla,
3653 					       u8 genmask)
3654 {
3655 	struct nft_set *set;
3656 
3657 	list_for_each_entry(set, &table->sets, list) {
3658 		if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3659 		    nft_active_genmask(set, genmask))
3660 			return set;
3661 	}
3662 	return ERR_PTR(-ENOENT);
3663 }
3664 
3665 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3666 					   const struct nlattr *nla, u8 genmask)
3667 {
3668 	struct nft_trans *trans;
3669 	u32 id = ntohl(nla_get_be32(nla));
3670 
3671 	list_for_each_entry(trans, &net->nft.commit_list, list) {
3672 		if (trans->msg_type == NFT_MSG_NEWSET) {
3673 			struct nft_set *set = nft_trans_set(trans);
3674 
3675 			if (id == nft_trans_set_id(trans) &&
3676 			    nft_active_genmask(set, genmask))
3677 				return set;
3678 		}
3679 	}
3680 	return ERR_PTR(-ENOENT);
3681 }
3682 
3683 struct nft_set *nft_set_lookup_global(const struct net *net,
3684 				      const struct nft_table *table,
3685 				      const struct nlattr *nla_set_name,
3686 				      const struct nlattr *nla_set_id,
3687 				      u8 genmask)
3688 {
3689 	struct nft_set *set;
3690 
3691 	set = nft_set_lookup(table, nla_set_name, genmask);
3692 	if (IS_ERR(set)) {
3693 		if (!nla_set_id)
3694 			return set;
3695 
3696 		set = nft_set_lookup_byid(net, nla_set_id, genmask);
3697 	}
3698 	return set;
3699 }
3700 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3701 
3702 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3703 				    const char *name)
3704 {
3705 	const struct nft_set *i;
3706 	const char *p;
3707 	unsigned long *inuse;
3708 	unsigned int n = 0, min = 0;
3709 
3710 	p = strchr(name, '%');
3711 	if (p != NULL) {
3712 		if (p[1] != 'd' || strchr(p + 2, '%'))
3713 			return -EINVAL;
3714 
3715 		inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3716 		if (inuse == NULL)
3717 			return -ENOMEM;
3718 cont:
3719 		list_for_each_entry(i, &ctx->table->sets, list) {
3720 			int tmp;
3721 
3722 			if (!nft_is_active_next(ctx->net, set))
3723 				continue;
3724 			if (!sscanf(i->name, name, &tmp))
3725 				continue;
3726 			if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3727 				continue;
3728 
3729 			set_bit(tmp - min, inuse);
3730 		}
3731 
3732 		n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3733 		if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3734 			min += BITS_PER_BYTE * PAGE_SIZE;
3735 			memset(inuse, 0, PAGE_SIZE);
3736 			goto cont;
3737 		}
3738 		free_page((unsigned long)inuse);
3739 	}
3740 
3741 	set->name = kasprintf(GFP_KERNEL, name, min + n);
3742 	if (!set->name)
3743 		return -ENOMEM;
3744 
3745 	list_for_each_entry(i, &ctx->table->sets, list) {
3746 		if (!nft_is_active_next(ctx->net, i))
3747 			continue;
3748 		if (!strcmp(set->name, i->name)) {
3749 			kfree(set->name);
3750 			set->name = NULL;
3751 			return -ENFILE;
3752 		}
3753 	}
3754 	return 0;
3755 }
3756 
3757 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3758 {
3759 	u64 ms = be64_to_cpu(nla_get_be64(nla));
3760 	u64 max = (u64)(~((u64)0));
3761 
3762 	max = div_u64(max, NSEC_PER_MSEC);
3763 	if (ms >= max)
3764 		return -ERANGE;
3765 
3766 	ms *= NSEC_PER_MSEC;
3767 	*result = nsecs_to_jiffies64(ms);
3768 	return 0;
3769 }
3770 
3771 __be64 nf_jiffies64_to_msecs(u64 input)
3772 {
3773 	return cpu_to_be64(jiffies64_to_msecs(input));
3774 }
3775 
3776 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3777 				     const struct nft_set *set)
3778 {
3779 	struct nlattr *concat, *field;
3780 	int i;
3781 
3782 	concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3783 	if (!concat)
3784 		return -ENOMEM;
3785 
3786 	for (i = 0; i < set->field_count; i++) {
3787 		field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3788 		if (!field)
3789 			return -ENOMEM;
3790 
3791 		if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3792 				 htonl(set->field_len[i])))
3793 			return -ENOMEM;
3794 
3795 		nla_nest_end(skb, field);
3796 	}
3797 
3798 	nla_nest_end(skb, concat);
3799 
3800 	return 0;
3801 }
3802 
3803 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3804 			      const struct nft_set *set, u16 event, u16 flags)
3805 {
3806 	struct nfgenmsg *nfmsg;
3807 	struct nlmsghdr *nlh;
3808 	u32 portid = ctx->portid;
3809 	struct nlattr *nest;
3810 	u32 seq = ctx->seq;
3811 	int i;
3812 
3813 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3814 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3815 			flags);
3816 	if (nlh == NULL)
3817 		goto nla_put_failure;
3818 
3819 	nfmsg = nlmsg_data(nlh);
3820 	nfmsg->nfgen_family	= ctx->family;
3821 	nfmsg->version		= NFNETLINK_V0;
3822 	nfmsg->res_id		= htons(ctx->net->nft.base_seq & 0xffff);
3823 
3824 	if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3825 		goto nla_put_failure;
3826 	if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3827 		goto nla_put_failure;
3828 	if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3829 			 NFTA_SET_PAD))
3830 		goto nla_put_failure;
3831 	if (set->flags != 0)
3832 		if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3833 			goto nla_put_failure;
3834 
3835 	if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3836 		goto nla_put_failure;
3837 	if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3838 		goto nla_put_failure;
3839 	if (set->flags & NFT_SET_MAP) {
3840 		if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3841 			goto nla_put_failure;
3842 		if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3843 			goto nla_put_failure;
3844 	}
3845 	if (set->flags & NFT_SET_OBJECT &&
3846 	    nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3847 		goto nla_put_failure;
3848 
3849 	if (set->timeout &&
3850 	    nla_put_be64(skb, NFTA_SET_TIMEOUT,
3851 			 nf_jiffies64_to_msecs(set->timeout),
3852 			 NFTA_SET_PAD))
3853 		goto nla_put_failure;
3854 	if (set->gc_int &&
3855 	    nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3856 		goto nla_put_failure;
3857 
3858 	if (set->policy != NFT_SET_POL_PERFORMANCE) {
3859 		if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3860 			goto nla_put_failure;
3861 	}
3862 
3863 	if (set->udata &&
3864 	    nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3865 		goto nla_put_failure;
3866 
3867 	nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3868 	if (!nest)
3869 		goto nla_put_failure;
3870 	if (set->size &&
3871 	    nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3872 		goto nla_put_failure;
3873 
3874 	if (set->field_count > 1 &&
3875 	    nf_tables_fill_set_concat(skb, set))
3876 		goto nla_put_failure;
3877 
3878 	nla_nest_end(skb, nest);
3879 
3880 	if (set->num_exprs == 1) {
3881 		nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3882 		if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0)
3883 			goto nla_put_failure;
3884 
3885 		nla_nest_end(skb, nest);
3886 	} else if (set->num_exprs > 1) {
3887 		nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
3888 		if (nest == NULL)
3889 			goto nla_put_failure;
3890 
3891 		for (i = 0; i < set->num_exprs; i++) {
3892 			if (nft_expr_dump(skb, NFTA_LIST_ELEM,
3893 					  set->exprs[i]) < 0)
3894 				goto nla_put_failure;
3895 		}
3896 		nla_nest_end(skb, nest);
3897 	}
3898 
3899 	nlmsg_end(skb, nlh);
3900 	return 0;
3901 
3902 nla_put_failure:
3903 	nlmsg_trim(skb, nlh);
3904 	return -1;
3905 }
3906 
3907 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3908 				 const struct nft_set *set, int event,
3909 			         gfp_t gfp_flags)
3910 {
3911 	struct sk_buff *skb;
3912 	u32 portid = ctx->portid;
3913 	int err;
3914 	char *buf = kasprintf(gfp_flags, "%s:%llu;%s:%llu",
3915 			      ctx->table->name, ctx->table->handle,
3916 			      set->name, set->handle);
3917 
3918 	audit_log_nfcfg(buf,
3919 			ctx->family,
3920 			set->field_count,
3921 			event == NFT_MSG_NEWSET ?
3922 				AUDIT_NFT_OP_SET_REGISTER :
3923 				AUDIT_NFT_OP_SET_UNREGISTER,
3924 			gfp_flags);
3925 	kfree(buf);
3926 
3927 	if (!ctx->report &&
3928 	    !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3929 		return;
3930 
3931 	skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3932 	if (skb == NULL)
3933 		goto err;
3934 
3935 	err = nf_tables_fill_set(skb, ctx, set, event, 0);
3936 	if (err < 0) {
3937 		kfree_skb(skb);
3938 		goto err;
3939 	}
3940 
3941 	nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
3942 	return;
3943 err:
3944 	nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3945 }
3946 
3947 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3948 {
3949 	const struct nft_set *set;
3950 	unsigned int idx, s_idx = cb->args[0];
3951 	struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3952 	struct net *net = sock_net(skb->sk);
3953 	struct nft_ctx *ctx = cb->data, ctx_set;
3954 
3955 	if (cb->args[1])
3956 		return skb->len;
3957 
3958 	rcu_read_lock();
3959 	cb->seq = net->nft.base_seq;
3960 
3961 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
3962 		if (ctx->family != NFPROTO_UNSPEC &&
3963 		    ctx->family != table->family)
3964 			continue;
3965 
3966 		if (ctx->table && ctx->table != table)
3967 			continue;
3968 
3969 		if (cur_table) {
3970 			if (cur_table != table)
3971 				continue;
3972 
3973 			cur_table = NULL;
3974 		}
3975 		idx = 0;
3976 		list_for_each_entry_rcu(set, &table->sets, list) {
3977 			if (idx < s_idx)
3978 				goto cont;
3979 			if (!nft_is_active(net, set))
3980 				goto cont;
3981 
3982 			ctx_set = *ctx;
3983 			ctx_set.table = table;
3984 			ctx_set.family = table->family;
3985 
3986 			if (nf_tables_fill_set(skb, &ctx_set, set,
3987 					       NFT_MSG_NEWSET,
3988 					       NLM_F_MULTI) < 0) {
3989 				cb->args[0] = idx;
3990 				cb->args[2] = (unsigned long) table;
3991 				goto done;
3992 			}
3993 			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3994 cont:
3995 			idx++;
3996 		}
3997 		if (s_idx)
3998 			s_idx = 0;
3999 	}
4000 	cb->args[1] = 1;
4001 done:
4002 	rcu_read_unlock();
4003 	return skb->len;
4004 }
4005 
4006 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4007 {
4008 	struct nft_ctx *ctx_dump = NULL;
4009 
4010 	ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4011 	if (ctx_dump == NULL)
4012 		return -ENOMEM;
4013 
4014 	cb->data = ctx_dump;
4015 	return 0;
4016 }
4017 
4018 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4019 {
4020 	kfree(cb->data);
4021 	return 0;
4022 }
4023 
4024 /* called with rcu_read_lock held */
4025 static int nf_tables_getset(struct net *net, struct sock *nlsk,
4026 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
4027 			    const struct nlattr * const nla[],
4028 			    struct netlink_ext_ack *extack)
4029 {
4030 	u8 genmask = nft_genmask_cur(net);
4031 	const struct nft_set *set;
4032 	struct nft_ctx ctx;
4033 	struct sk_buff *skb2;
4034 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4035 	int err;
4036 
4037 	/* Verify existence before starting dump */
4038 	err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4039 					genmask, 0);
4040 	if (err < 0)
4041 		return err;
4042 
4043 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
4044 		struct netlink_dump_control c = {
4045 			.start = nf_tables_dump_sets_start,
4046 			.dump = nf_tables_dump_sets,
4047 			.done = nf_tables_dump_sets_done,
4048 			.data = &ctx,
4049 			.module = THIS_MODULE,
4050 		};
4051 
4052 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4053 	}
4054 
4055 	/* Only accept unspec with dump */
4056 	if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4057 		return -EAFNOSUPPORT;
4058 	if (!nla[NFTA_SET_TABLE])
4059 		return -EINVAL;
4060 
4061 	set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
4062 	if (IS_ERR(set))
4063 		return PTR_ERR(set);
4064 
4065 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4066 	if (skb2 == NULL)
4067 		return -ENOMEM;
4068 
4069 	err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4070 	if (err < 0)
4071 		goto err_fill_set_info;
4072 
4073 	return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4074 
4075 err_fill_set_info:
4076 	kfree_skb(skb2);
4077 	return err;
4078 }
4079 
4080 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4081 	[NFTA_SET_FIELD_LEN]	= { .type = NLA_U32 },
4082 };
4083 
4084 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4085 				     struct nft_set_desc *desc)
4086 {
4087 	struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4088 	u32 len;
4089 	int err;
4090 
4091 	err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4092 					  nft_concat_policy, NULL);
4093 	if (err < 0)
4094 		return err;
4095 
4096 	if (!tb[NFTA_SET_FIELD_LEN])
4097 		return -EINVAL;
4098 
4099 	len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4100 
4101 	if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
4102 		return -E2BIG;
4103 
4104 	desc->field_len[desc->field_count++] = len;
4105 
4106 	return 0;
4107 }
4108 
4109 static int nft_set_desc_concat(struct nft_set_desc *desc,
4110 			       const struct nlattr *nla)
4111 {
4112 	struct nlattr *attr;
4113 	int rem, err;
4114 
4115 	nla_for_each_nested(attr, nla, rem) {
4116 		if (nla_type(attr) != NFTA_LIST_ELEM)
4117 			return -EINVAL;
4118 
4119 		err = nft_set_desc_concat_parse(attr, desc);
4120 		if (err < 0)
4121 			return err;
4122 	}
4123 
4124 	return 0;
4125 }
4126 
4127 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4128 				    const struct nlattr *nla)
4129 {
4130 	struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4131 	int err;
4132 
4133 	err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4134 					  nft_set_desc_policy, NULL);
4135 	if (err < 0)
4136 		return err;
4137 
4138 	if (da[NFTA_SET_DESC_SIZE] != NULL)
4139 		desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4140 	if (da[NFTA_SET_DESC_CONCAT])
4141 		err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4142 
4143 	return err;
4144 }
4145 
4146 static int nf_tables_newset(struct net *net, struct sock *nlsk,
4147 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
4148 			    const struct nlattr * const nla[],
4149 			    struct netlink_ext_ack *extack)
4150 {
4151 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4152 	u8 genmask = nft_genmask_next(net);
4153 	int family = nfmsg->nfgen_family;
4154 	const struct nft_set_ops *ops;
4155 	struct nft_expr *expr = NULL;
4156 	struct nft_table *table;
4157 	struct nft_set *set;
4158 	struct nft_ctx ctx;
4159 	char *name;
4160 	u64 size;
4161 	u64 timeout;
4162 	u32 ktype, dtype, flags, policy, gc_int, objtype;
4163 	struct nft_set_desc desc;
4164 	unsigned char *udata;
4165 	u16 udlen;
4166 	int err;
4167 	int i;
4168 
4169 	if (nla[NFTA_SET_TABLE] == NULL ||
4170 	    nla[NFTA_SET_NAME] == NULL ||
4171 	    nla[NFTA_SET_KEY_LEN] == NULL ||
4172 	    nla[NFTA_SET_ID] == NULL)
4173 		return -EINVAL;
4174 
4175 	memset(&desc, 0, sizeof(desc));
4176 
4177 	ktype = NFT_DATA_VALUE;
4178 	if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4179 		ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4180 		if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4181 			return -EINVAL;
4182 	}
4183 
4184 	desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4185 	if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4186 		return -EINVAL;
4187 
4188 	flags = 0;
4189 	if (nla[NFTA_SET_FLAGS] != NULL) {
4190 		flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4191 		if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4192 			      NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4193 			      NFT_SET_MAP | NFT_SET_EVAL |
4194 			      NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4195 			return -EOPNOTSUPP;
4196 		/* Only one of these operations is supported */
4197 		if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4198 			     (NFT_SET_MAP | NFT_SET_OBJECT))
4199 			return -EOPNOTSUPP;
4200 		if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4201 			     (NFT_SET_EVAL | NFT_SET_OBJECT))
4202 			return -EOPNOTSUPP;
4203 	}
4204 
4205 	dtype = 0;
4206 	if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4207 		if (!(flags & NFT_SET_MAP))
4208 			return -EINVAL;
4209 
4210 		dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4211 		if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4212 		    dtype != NFT_DATA_VERDICT)
4213 			return -EINVAL;
4214 
4215 		if (dtype != NFT_DATA_VERDICT) {
4216 			if (nla[NFTA_SET_DATA_LEN] == NULL)
4217 				return -EINVAL;
4218 			desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4219 			if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4220 				return -EINVAL;
4221 		} else
4222 			desc.dlen = sizeof(struct nft_verdict);
4223 	} else if (flags & NFT_SET_MAP)
4224 		return -EINVAL;
4225 
4226 	if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4227 		if (!(flags & NFT_SET_OBJECT))
4228 			return -EINVAL;
4229 
4230 		objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4231 		if (objtype == NFT_OBJECT_UNSPEC ||
4232 		    objtype > NFT_OBJECT_MAX)
4233 			return -EOPNOTSUPP;
4234 	} else if (flags & NFT_SET_OBJECT)
4235 		return -EINVAL;
4236 	else
4237 		objtype = NFT_OBJECT_UNSPEC;
4238 
4239 	timeout = 0;
4240 	if (nla[NFTA_SET_TIMEOUT] != NULL) {
4241 		if (!(flags & NFT_SET_TIMEOUT))
4242 			return -EINVAL;
4243 
4244 		err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4245 		if (err)
4246 			return err;
4247 	}
4248 	gc_int = 0;
4249 	if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4250 		if (!(flags & NFT_SET_TIMEOUT))
4251 			return -EINVAL;
4252 		gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4253 	}
4254 
4255 	policy = NFT_SET_POL_PERFORMANCE;
4256 	if (nla[NFTA_SET_POLICY] != NULL)
4257 		policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4258 
4259 	if (nla[NFTA_SET_DESC] != NULL) {
4260 		err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4261 		if (err < 0)
4262 			return err;
4263 	}
4264 
4265 	if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4266 		desc.expr = true;
4267 
4268 	table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4269 				 NETLINK_CB(skb).portid);
4270 	if (IS_ERR(table)) {
4271 		NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4272 		return PTR_ERR(table);
4273 	}
4274 
4275 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4276 
4277 	set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4278 	if (IS_ERR(set)) {
4279 		if (PTR_ERR(set) != -ENOENT) {
4280 			NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4281 			return PTR_ERR(set);
4282 		}
4283 	} else {
4284 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
4285 			NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4286 			return -EEXIST;
4287 		}
4288 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
4289 			return -EOPNOTSUPP;
4290 
4291 		return 0;
4292 	}
4293 
4294 	if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4295 		return -ENOENT;
4296 
4297 	ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4298 	if (IS_ERR(ops))
4299 		return PTR_ERR(ops);
4300 
4301 	udlen = 0;
4302 	if (nla[NFTA_SET_USERDATA])
4303 		udlen = nla_len(nla[NFTA_SET_USERDATA]);
4304 
4305 	size = 0;
4306 	if (ops->privsize != NULL)
4307 		size = ops->privsize(nla, &desc);
4308 
4309 	set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4310 	if (!set)
4311 		return -ENOMEM;
4312 
4313 	name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4314 	if (!name) {
4315 		err = -ENOMEM;
4316 		goto err_set_name;
4317 	}
4318 
4319 	err = nf_tables_set_alloc_name(&ctx, set, name);
4320 	kfree(name);
4321 	if (err < 0)
4322 		goto err_set_alloc_name;
4323 
4324 	if (nla[NFTA_SET_EXPR]) {
4325 		expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4326 		if (IS_ERR(expr)) {
4327 			err = PTR_ERR(expr);
4328 			goto err_set_alloc_name;
4329 		}
4330 		set->exprs[0] = expr;
4331 		set->num_exprs++;
4332 	} else if (nla[NFTA_SET_EXPRESSIONS]) {
4333 		struct nft_expr *expr;
4334 		struct nlattr *tmp;
4335 		int left;
4336 
4337 		if (!(flags & NFT_SET_EXPR)) {
4338 			err = -EINVAL;
4339 			goto err_set_alloc_name;
4340 		}
4341 		i = 0;
4342 		nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4343 			if (i == NFT_SET_EXPR_MAX) {
4344 				err = -E2BIG;
4345 				goto err_set_init;
4346 			}
4347 			if (nla_type(tmp) != NFTA_LIST_ELEM) {
4348 				err = -EINVAL;
4349 				goto err_set_init;
4350 			}
4351 			expr = nft_set_elem_expr_alloc(&ctx, set, tmp);
4352 			if (IS_ERR(expr)) {
4353 				err = PTR_ERR(expr);
4354 				goto err_set_init;
4355 			}
4356 			set->exprs[i++] = expr;
4357 			set->num_exprs++;
4358 		}
4359 	}
4360 
4361 	udata = NULL;
4362 	if (udlen) {
4363 		udata = set->data + size;
4364 		nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4365 	}
4366 
4367 	INIT_LIST_HEAD(&set->bindings);
4368 	set->table = table;
4369 	write_pnet(&set->net, net);
4370 	set->ops   = ops;
4371 	set->ktype = ktype;
4372 	set->klen  = desc.klen;
4373 	set->dtype = dtype;
4374 	set->objtype = objtype;
4375 	set->dlen  = desc.dlen;
4376 	set->flags = flags;
4377 	set->size  = desc.size;
4378 	set->policy = policy;
4379 	set->udlen  = udlen;
4380 	set->udata  = udata;
4381 	set->timeout = timeout;
4382 	set->gc_int = gc_int;
4383 	set->handle = nf_tables_alloc_handle(table);
4384 
4385 	set->field_count = desc.field_count;
4386 	for (i = 0; i < desc.field_count; i++)
4387 		set->field_len[i] = desc.field_len[i];
4388 
4389 	err = ops->init(set, &desc, nla);
4390 	if (err < 0)
4391 		goto err_set_init;
4392 
4393 	err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4394 	if (err < 0)
4395 		goto err_set_trans;
4396 
4397 	list_add_tail_rcu(&set->list, &table->sets);
4398 	table->use++;
4399 	return 0;
4400 
4401 err_set_trans:
4402 	ops->destroy(set);
4403 err_set_init:
4404 	for (i = 0; i < set->num_exprs; i++)
4405 		nft_expr_destroy(&ctx, set->exprs[i]);
4406 err_set_alloc_name:
4407 	kfree(set->name);
4408 err_set_name:
4409 	kvfree(set);
4410 	return err;
4411 }
4412 
4413 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4414 {
4415 	int i;
4416 
4417 	if (WARN_ON(set->use > 0))
4418 		return;
4419 
4420 	for (i = 0; i < set->num_exprs; i++)
4421 		nft_expr_destroy(ctx, set->exprs[i]);
4422 
4423 	set->ops->destroy(set);
4424 	kfree(set->name);
4425 	kvfree(set);
4426 }
4427 
4428 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4429 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
4430 			    const struct nlattr * const nla[],
4431 			    struct netlink_ext_ack *extack)
4432 {
4433 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4434 	u8 genmask = nft_genmask_next(net);
4435 	const struct nlattr *attr;
4436 	struct nft_set *set;
4437 	struct nft_ctx ctx;
4438 	int err;
4439 
4440 	if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4441 		return -EAFNOSUPPORT;
4442 	if (nla[NFTA_SET_TABLE] == NULL)
4443 		return -EINVAL;
4444 
4445 	err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4446 					genmask, NETLINK_CB(skb).portid);
4447 	if (err < 0)
4448 		return err;
4449 
4450 	if (nla[NFTA_SET_HANDLE]) {
4451 		attr = nla[NFTA_SET_HANDLE];
4452 		set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4453 	} else {
4454 		attr = nla[NFTA_SET_NAME];
4455 		set = nft_set_lookup(ctx.table, attr, genmask);
4456 	}
4457 
4458 	if (IS_ERR(set)) {
4459 		NL_SET_BAD_ATTR(extack, attr);
4460 		return PTR_ERR(set);
4461 	}
4462 	if (set->use ||
4463 	    (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4464 		NL_SET_BAD_ATTR(extack, attr);
4465 		return -EBUSY;
4466 	}
4467 
4468 	return nft_delset(&ctx, set);
4469 }
4470 
4471 static int nft_validate_register_store(const struct nft_ctx *ctx,
4472 				       enum nft_registers reg,
4473 				       const struct nft_data *data,
4474 				       enum nft_data_types type,
4475 				       unsigned int len);
4476 
4477 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4478 					struct nft_set *set,
4479 					const struct nft_set_iter *iter,
4480 					struct nft_set_elem *elem)
4481 {
4482 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4483 	enum nft_registers dreg;
4484 
4485 	dreg = nft_type_to_reg(set->dtype);
4486 	return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4487 					   set->dtype == NFT_DATA_VERDICT ?
4488 					   NFT_DATA_VERDICT : NFT_DATA_VALUE,
4489 					   set->dlen);
4490 }
4491 
4492 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4493 		       struct nft_set_binding *binding)
4494 {
4495 	struct nft_set_binding *i;
4496 	struct nft_set_iter iter;
4497 
4498 	if (set->use == UINT_MAX)
4499 		return -EOVERFLOW;
4500 
4501 	if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4502 		return -EBUSY;
4503 
4504 	if (binding->flags & NFT_SET_MAP) {
4505 		/* If the set is already bound to the same chain all
4506 		 * jumps are already validated for that chain.
4507 		 */
4508 		list_for_each_entry(i, &set->bindings, list) {
4509 			if (i->flags & NFT_SET_MAP &&
4510 			    i->chain == binding->chain)
4511 				goto bind;
4512 		}
4513 
4514 		iter.genmask	= nft_genmask_next(ctx->net);
4515 		iter.skip 	= 0;
4516 		iter.count	= 0;
4517 		iter.err	= 0;
4518 		iter.fn		= nf_tables_bind_check_setelem;
4519 
4520 		set->ops->walk(ctx, set, &iter);
4521 		if (iter.err < 0)
4522 			return iter.err;
4523 	}
4524 bind:
4525 	binding->chain = ctx->chain;
4526 	list_add_tail_rcu(&binding->list, &set->bindings);
4527 	nft_set_trans_bind(ctx, set);
4528 	set->use++;
4529 
4530 	return 0;
4531 }
4532 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4533 
4534 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4535 				 struct nft_set_binding *binding, bool event)
4536 {
4537 	list_del_rcu(&binding->list);
4538 
4539 	if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4540 		list_del_rcu(&set->list);
4541 		if (event)
4542 			nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4543 					     GFP_KERNEL);
4544 	}
4545 }
4546 
4547 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4548 			      struct nft_set_binding *binding,
4549 			      enum nft_trans_phase phase)
4550 {
4551 	switch (phase) {
4552 	case NFT_TRANS_PREPARE:
4553 		set->use--;
4554 		return;
4555 	case NFT_TRANS_ABORT:
4556 	case NFT_TRANS_RELEASE:
4557 		set->use--;
4558 		fallthrough;
4559 	default:
4560 		nf_tables_unbind_set(ctx, set, binding,
4561 				     phase == NFT_TRANS_COMMIT);
4562 	}
4563 }
4564 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4565 
4566 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4567 {
4568 	if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4569 		nft_set_destroy(ctx, set);
4570 }
4571 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4572 
4573 const struct nft_set_ext_type nft_set_ext_types[] = {
4574 	[NFT_SET_EXT_KEY]		= {
4575 		.align	= __alignof__(u32),
4576 	},
4577 	[NFT_SET_EXT_DATA]		= {
4578 		.align	= __alignof__(u32),
4579 	},
4580 	[NFT_SET_EXT_EXPRESSIONS]	= {
4581 		.align	= __alignof__(struct nft_set_elem_expr),
4582 	},
4583 	[NFT_SET_EXT_OBJREF]		= {
4584 		.len	= sizeof(struct nft_object *),
4585 		.align	= __alignof__(struct nft_object *),
4586 	},
4587 	[NFT_SET_EXT_FLAGS]		= {
4588 		.len	= sizeof(u8),
4589 		.align	= __alignof__(u8),
4590 	},
4591 	[NFT_SET_EXT_TIMEOUT]		= {
4592 		.len	= sizeof(u64),
4593 		.align	= __alignof__(u64),
4594 	},
4595 	[NFT_SET_EXT_EXPIRATION]	= {
4596 		.len	= sizeof(u64),
4597 		.align	= __alignof__(u64),
4598 	},
4599 	[NFT_SET_EXT_USERDATA]		= {
4600 		.len	= sizeof(struct nft_userdata),
4601 		.align	= __alignof__(struct nft_userdata),
4602 	},
4603 	[NFT_SET_EXT_KEY_END]		= {
4604 		.align	= __alignof__(u32),
4605 	},
4606 };
4607 
4608 /*
4609  * Set elements
4610  */
4611 
4612 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4613 	[NFTA_SET_ELEM_KEY]		= { .type = NLA_NESTED },
4614 	[NFTA_SET_ELEM_DATA]		= { .type = NLA_NESTED },
4615 	[NFTA_SET_ELEM_FLAGS]		= { .type = NLA_U32 },
4616 	[NFTA_SET_ELEM_TIMEOUT]		= { .type = NLA_U64 },
4617 	[NFTA_SET_ELEM_EXPIRATION]	= { .type = NLA_U64 },
4618 	[NFTA_SET_ELEM_USERDATA]	= { .type = NLA_BINARY,
4619 					    .len = NFT_USERDATA_MAXLEN },
4620 	[NFTA_SET_ELEM_EXPR]		= { .type = NLA_NESTED },
4621 	[NFTA_SET_ELEM_OBJREF]		= { .type = NLA_STRING,
4622 					    .len = NFT_OBJ_MAXNAMELEN - 1 },
4623 	[NFTA_SET_ELEM_KEY_END]		= { .type = NLA_NESTED },
4624 	[NFTA_SET_ELEM_EXPRESSIONS]	= { .type = NLA_NESTED },
4625 };
4626 
4627 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4628 	[NFTA_SET_ELEM_LIST_TABLE]	= { .type = NLA_STRING,
4629 					    .len = NFT_TABLE_MAXNAMELEN - 1 },
4630 	[NFTA_SET_ELEM_LIST_SET]	= { .type = NLA_STRING,
4631 					    .len = NFT_SET_MAXNAMELEN - 1 },
4632 	[NFTA_SET_ELEM_LIST_ELEMENTS]	= { .type = NLA_NESTED },
4633 	[NFTA_SET_ELEM_LIST_SET_ID]	= { .type = NLA_U32 },
4634 };
4635 
4636 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4637 				      const struct sk_buff *skb,
4638 				      const struct nlmsghdr *nlh,
4639 				      const struct nlattr * const nla[],
4640 				      struct netlink_ext_ack *extack,
4641 				      u8 genmask, u32 nlpid)
4642 {
4643 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4644 	int family = nfmsg->nfgen_family;
4645 	struct nft_table *table;
4646 
4647 	table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4648 				 genmask, nlpid);
4649 	if (IS_ERR(table)) {
4650 		NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4651 		return PTR_ERR(table);
4652 	}
4653 
4654 	nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4655 	return 0;
4656 }
4657 
4658 static int nft_set_elem_expr_dump(struct sk_buff *skb,
4659 				  const struct nft_set *set,
4660 				  const struct nft_set_ext *ext)
4661 {
4662 	struct nft_set_elem_expr *elem_expr;
4663 	u32 size, num_exprs = 0;
4664 	struct nft_expr *expr;
4665 	struct nlattr *nest;
4666 
4667 	elem_expr = nft_set_ext_expr(ext);
4668 	nft_setelem_expr_foreach(expr, elem_expr, size)
4669 		num_exprs++;
4670 
4671 	if (num_exprs == 1) {
4672 		expr = nft_setelem_expr_at(elem_expr, 0);
4673 		if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0)
4674 			return -1;
4675 
4676 		return 0;
4677 	} else if (num_exprs > 1) {
4678 		nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
4679 		if (nest == NULL)
4680 			goto nla_put_failure;
4681 
4682 		nft_setelem_expr_foreach(expr, elem_expr, size) {
4683 			expr = nft_setelem_expr_at(elem_expr, size);
4684 			if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
4685 				goto nla_put_failure;
4686 		}
4687 		nla_nest_end(skb, nest);
4688 	}
4689 	return 0;
4690 
4691 nla_put_failure:
4692 	return -1;
4693 }
4694 
4695 static int nf_tables_fill_setelem(struct sk_buff *skb,
4696 				  const struct nft_set *set,
4697 				  const struct nft_set_elem *elem)
4698 {
4699 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4700 	unsigned char *b = skb_tail_pointer(skb);
4701 	struct nlattr *nest;
4702 
4703 	nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4704 	if (nest == NULL)
4705 		goto nla_put_failure;
4706 
4707 	if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4708 			  NFT_DATA_VALUE, set->klen) < 0)
4709 		goto nla_put_failure;
4710 
4711 	if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4712 	    nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4713 			  NFT_DATA_VALUE, set->klen) < 0)
4714 		goto nla_put_failure;
4715 
4716 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4717 	    nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4718 			  set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4719 			  set->dlen) < 0)
4720 		goto nla_put_failure;
4721 
4722 	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
4723 	    nft_set_elem_expr_dump(skb, set, ext))
4724 		goto nla_put_failure;
4725 
4726 	if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4727 	    nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4728 			   (*nft_set_ext_obj(ext))->key.name) < 0)
4729 		goto nla_put_failure;
4730 
4731 	if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4732 	    nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4733 		         htonl(*nft_set_ext_flags(ext))))
4734 		goto nla_put_failure;
4735 
4736 	if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4737 	    nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4738 			 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4739 			 NFTA_SET_ELEM_PAD))
4740 		goto nla_put_failure;
4741 
4742 	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4743 		u64 expires, now = get_jiffies_64();
4744 
4745 		expires = *nft_set_ext_expiration(ext);
4746 		if (time_before64(now, expires))
4747 			expires -= now;
4748 		else
4749 			expires = 0;
4750 
4751 		if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4752 				 nf_jiffies64_to_msecs(expires),
4753 				 NFTA_SET_ELEM_PAD))
4754 			goto nla_put_failure;
4755 	}
4756 
4757 	if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4758 		struct nft_userdata *udata;
4759 
4760 		udata = nft_set_ext_userdata(ext);
4761 		if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4762 			    udata->len + 1, udata->data))
4763 			goto nla_put_failure;
4764 	}
4765 
4766 	nla_nest_end(skb, nest);
4767 	return 0;
4768 
4769 nla_put_failure:
4770 	nlmsg_trim(skb, b);
4771 	return -EMSGSIZE;
4772 }
4773 
4774 struct nft_set_dump_args {
4775 	const struct netlink_callback	*cb;
4776 	struct nft_set_iter		iter;
4777 	struct sk_buff			*skb;
4778 };
4779 
4780 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4781 				  struct nft_set *set,
4782 				  const struct nft_set_iter *iter,
4783 				  struct nft_set_elem *elem)
4784 {
4785 	struct nft_set_dump_args *args;
4786 
4787 	args = container_of(iter, struct nft_set_dump_args, iter);
4788 	return nf_tables_fill_setelem(args->skb, set, elem);
4789 }
4790 
4791 struct nft_set_dump_ctx {
4792 	const struct nft_set	*set;
4793 	struct nft_ctx		ctx;
4794 };
4795 
4796 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4797 {
4798 	struct nft_set_dump_ctx *dump_ctx = cb->data;
4799 	struct net *net = sock_net(skb->sk);
4800 	struct nft_table *table;
4801 	struct nft_set *set;
4802 	struct nft_set_dump_args args;
4803 	bool set_found = false;
4804 	struct nfgenmsg *nfmsg;
4805 	struct nlmsghdr *nlh;
4806 	struct nlattr *nest;
4807 	u32 portid, seq;
4808 	int event;
4809 
4810 	rcu_read_lock();
4811 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
4812 		if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4813 		    dump_ctx->ctx.family != table->family)
4814 			continue;
4815 
4816 		if (table != dump_ctx->ctx.table)
4817 			continue;
4818 
4819 		list_for_each_entry_rcu(set, &table->sets, list) {
4820 			if (set == dump_ctx->set) {
4821 				set_found = true;
4822 				break;
4823 			}
4824 		}
4825 		break;
4826 	}
4827 
4828 	if (!set_found) {
4829 		rcu_read_unlock();
4830 		return -ENOENT;
4831 	}
4832 
4833 	event  = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4834 	portid = NETLINK_CB(cb->skb).portid;
4835 	seq    = cb->nlh->nlmsg_seq;
4836 
4837 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4838 			NLM_F_MULTI);
4839 	if (nlh == NULL)
4840 		goto nla_put_failure;
4841 
4842 	nfmsg = nlmsg_data(nlh);
4843 	nfmsg->nfgen_family = table->family;
4844 	nfmsg->version      = NFNETLINK_V0;
4845 	nfmsg->res_id	    = htons(net->nft.base_seq & 0xffff);
4846 
4847 	if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4848 		goto nla_put_failure;
4849 	if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4850 		goto nla_put_failure;
4851 
4852 	nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4853 	if (nest == NULL)
4854 		goto nla_put_failure;
4855 
4856 	args.cb			= cb;
4857 	args.skb		= skb;
4858 	args.iter.genmask	= nft_genmask_cur(net);
4859 	args.iter.skip		= cb->args[0];
4860 	args.iter.count		= 0;
4861 	args.iter.err		= 0;
4862 	args.iter.fn		= nf_tables_dump_setelem;
4863 	set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4864 	rcu_read_unlock();
4865 
4866 	nla_nest_end(skb, nest);
4867 	nlmsg_end(skb, nlh);
4868 
4869 	if (args.iter.err && args.iter.err != -EMSGSIZE)
4870 		return args.iter.err;
4871 	if (args.iter.count == cb->args[0])
4872 		return 0;
4873 
4874 	cb->args[0] = args.iter.count;
4875 	return skb->len;
4876 
4877 nla_put_failure:
4878 	rcu_read_unlock();
4879 	return -ENOSPC;
4880 }
4881 
4882 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4883 {
4884 	struct nft_set_dump_ctx *dump_ctx = cb->data;
4885 
4886 	cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4887 
4888 	return cb->data ? 0 : -ENOMEM;
4889 }
4890 
4891 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4892 {
4893 	kfree(cb->data);
4894 	return 0;
4895 }
4896 
4897 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4898 				       const struct nft_ctx *ctx, u32 seq,
4899 				       u32 portid, int event, u16 flags,
4900 				       const struct nft_set *set,
4901 				       const struct nft_set_elem *elem)
4902 {
4903 	struct nfgenmsg *nfmsg;
4904 	struct nlmsghdr *nlh;
4905 	struct nlattr *nest;
4906 	int err;
4907 
4908 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4909 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4910 			flags);
4911 	if (nlh == NULL)
4912 		goto nla_put_failure;
4913 
4914 	nfmsg = nlmsg_data(nlh);
4915 	nfmsg->nfgen_family	= ctx->family;
4916 	nfmsg->version		= NFNETLINK_V0;
4917 	nfmsg->res_id		= htons(ctx->net->nft.base_seq & 0xffff);
4918 
4919 	if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4920 		goto nla_put_failure;
4921 	if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4922 		goto nla_put_failure;
4923 
4924 	nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4925 	if (nest == NULL)
4926 		goto nla_put_failure;
4927 
4928 	err = nf_tables_fill_setelem(skb, set, elem);
4929 	if (err < 0)
4930 		goto nla_put_failure;
4931 
4932 	nla_nest_end(skb, nest);
4933 
4934 	nlmsg_end(skb, nlh);
4935 	return 0;
4936 
4937 nla_put_failure:
4938 	nlmsg_trim(skb, nlh);
4939 	return -1;
4940 }
4941 
4942 static int nft_setelem_parse_flags(const struct nft_set *set,
4943 				   const struct nlattr *attr, u32 *flags)
4944 {
4945 	if (attr == NULL)
4946 		return 0;
4947 
4948 	*flags = ntohl(nla_get_be32(attr));
4949 	if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4950 		return -EINVAL;
4951 	if (!(set->flags & NFT_SET_INTERVAL) &&
4952 	    *flags & NFT_SET_ELEM_INTERVAL_END)
4953 		return -EINVAL;
4954 
4955 	return 0;
4956 }
4957 
4958 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4959 				 struct nft_data *key, struct nlattr *attr)
4960 {
4961 	struct nft_data_desc desc;
4962 	int err;
4963 
4964 	err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4965 	if (err < 0)
4966 		return err;
4967 
4968 	if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4969 		nft_data_release(key, desc.type);
4970 		return -EINVAL;
4971 	}
4972 
4973 	return 0;
4974 }
4975 
4976 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
4977 				  struct nft_data_desc *desc,
4978 				  struct nft_data *data,
4979 				  struct nlattr *attr)
4980 {
4981 	int err;
4982 
4983 	err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4984 	if (err < 0)
4985 		return err;
4986 
4987 	if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
4988 		nft_data_release(data, desc->type);
4989 		return -EINVAL;
4990 	}
4991 
4992 	return 0;
4993 }
4994 
4995 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4996 			    const struct nlattr *attr)
4997 {
4998 	struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4999 	struct nft_set_elem elem;
5000 	struct sk_buff *skb;
5001 	uint32_t flags = 0;
5002 	void *priv;
5003 	int err;
5004 
5005 	err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5006 					  nft_set_elem_policy, NULL);
5007 	if (err < 0)
5008 		return err;
5009 
5010 	if (!nla[NFTA_SET_ELEM_KEY])
5011 		return -EINVAL;
5012 
5013 	err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5014 	if (err < 0)
5015 		return err;
5016 
5017 	err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5018 				    nla[NFTA_SET_ELEM_KEY]);
5019 	if (err < 0)
5020 		return err;
5021 
5022 	if (nla[NFTA_SET_ELEM_KEY_END]) {
5023 		err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5024 					    nla[NFTA_SET_ELEM_KEY_END]);
5025 		if (err < 0)
5026 			return err;
5027 	}
5028 
5029 	priv = set->ops->get(ctx->net, set, &elem, flags);
5030 	if (IS_ERR(priv))
5031 		return PTR_ERR(priv);
5032 
5033 	elem.priv = priv;
5034 
5035 	err = -ENOMEM;
5036 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5037 	if (skb == NULL)
5038 		return err;
5039 
5040 	err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5041 					  NFT_MSG_NEWSETELEM, 0, set, &elem);
5042 	if (err < 0)
5043 		goto err_fill_setelem;
5044 
5045 	return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5046 
5047 err_fill_setelem:
5048 	kfree_skb(skb);
5049 	return err;
5050 }
5051 
5052 /* called with rcu_read_lock held */
5053 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
5054 				struct sk_buff *skb, const struct nlmsghdr *nlh,
5055 				const struct nlattr * const nla[],
5056 				struct netlink_ext_ack *extack)
5057 {
5058 	u8 genmask = nft_genmask_cur(net);
5059 	struct nft_set *set;
5060 	struct nlattr *attr;
5061 	struct nft_ctx ctx;
5062 	int rem, err = 0;
5063 
5064 	err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5065 					 genmask, NETLINK_CB(skb).portid);
5066 	if (err < 0)
5067 		return err;
5068 
5069 	set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5070 	if (IS_ERR(set))
5071 		return PTR_ERR(set);
5072 
5073 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
5074 		struct netlink_dump_control c = {
5075 			.start = nf_tables_dump_set_start,
5076 			.dump = nf_tables_dump_set,
5077 			.done = nf_tables_dump_set_done,
5078 			.module = THIS_MODULE,
5079 		};
5080 		struct nft_set_dump_ctx dump_ctx = {
5081 			.set = set,
5082 			.ctx = ctx,
5083 		};
5084 
5085 		c.data = &dump_ctx;
5086 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5087 	}
5088 
5089 	if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5090 		return -EINVAL;
5091 
5092 	nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5093 		err = nft_get_set_elem(&ctx, set, attr);
5094 		if (err < 0)
5095 			break;
5096 	}
5097 
5098 	return err;
5099 }
5100 
5101 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5102 				     const struct nft_set *set,
5103 				     const struct nft_set_elem *elem,
5104 				     int event, u16 flags)
5105 {
5106 	struct net *net = ctx->net;
5107 	u32 portid = ctx->portid;
5108 	struct sk_buff *skb;
5109 	int err;
5110 	char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
5111 			      ctx->table->name, ctx->table->handle,
5112 			      set->name, set->handle);
5113 
5114 	audit_log_nfcfg(buf,
5115 			ctx->family,
5116 			set->handle,
5117 			event == NFT_MSG_NEWSETELEM ?
5118 				AUDIT_NFT_OP_SETELEM_REGISTER :
5119 				AUDIT_NFT_OP_SETELEM_UNREGISTER,
5120 			GFP_KERNEL);
5121 	kfree(buf);
5122 
5123 	if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5124 		return;
5125 
5126 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5127 	if (skb == NULL)
5128 		goto err;
5129 
5130 	err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5131 					  set, elem);
5132 	if (err < 0) {
5133 		kfree_skb(skb);
5134 		goto err;
5135 	}
5136 
5137 	nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
5138 	return;
5139 err:
5140 	nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5141 }
5142 
5143 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5144 					      int msg_type,
5145 					      struct nft_set *set)
5146 {
5147 	struct nft_trans *trans;
5148 
5149 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5150 	if (trans == NULL)
5151 		return NULL;
5152 
5153 	nft_trans_elem_set(trans) = set;
5154 	return trans;
5155 }
5156 
5157 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5158 					 const struct nft_set *set,
5159 					 const struct nlattr *attr)
5160 {
5161 	struct nft_expr *expr;
5162 	int err;
5163 
5164 	expr = nft_expr_init(ctx, attr);
5165 	if (IS_ERR(expr))
5166 		return expr;
5167 
5168 	err = -EOPNOTSUPP;
5169 	if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
5170 		goto err_set_elem_expr;
5171 
5172 	if (expr->ops->type->flags & NFT_EXPR_GC) {
5173 		if (set->flags & NFT_SET_TIMEOUT)
5174 			goto err_set_elem_expr;
5175 		if (!set->ops->gc_init)
5176 			goto err_set_elem_expr;
5177 		set->ops->gc_init(set);
5178 	}
5179 
5180 	return expr;
5181 
5182 err_set_elem_expr:
5183 	nft_expr_destroy(ctx, expr);
5184 	return ERR_PTR(err);
5185 }
5186 
5187 void *nft_set_elem_init(const struct nft_set *set,
5188 			const struct nft_set_ext_tmpl *tmpl,
5189 			const u32 *key, const u32 *key_end,
5190 			const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5191 {
5192 	struct nft_set_ext *ext;
5193 	void *elem;
5194 
5195 	elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5196 	if (elem == NULL)
5197 		return NULL;
5198 
5199 	ext = nft_set_elem_ext(set, elem);
5200 	nft_set_ext_init(ext, tmpl);
5201 
5202 	memcpy(nft_set_ext_key(ext), key, set->klen);
5203 	if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5204 		memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5205 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5206 		memcpy(nft_set_ext_data(ext), data, set->dlen);
5207 	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5208 		*nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5209 		if (expiration == 0)
5210 			*nft_set_ext_expiration(ext) += timeout;
5211 	}
5212 	if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5213 		*nft_set_ext_timeout(ext) = timeout;
5214 
5215 	return elem;
5216 }
5217 
5218 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5219 					struct nft_expr *expr)
5220 {
5221 	if (expr->ops->destroy_clone) {
5222 		expr->ops->destroy_clone(ctx, expr);
5223 		module_put(expr->ops->type->owner);
5224 	} else {
5225 		nf_tables_expr_destroy(ctx, expr);
5226 	}
5227 }
5228 
5229 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5230 				      struct nft_set_elem_expr *elem_expr)
5231 {
5232 	struct nft_expr *expr;
5233 	u32 size;
5234 
5235 	nft_setelem_expr_foreach(expr, elem_expr, size)
5236 		__nft_set_elem_expr_destroy(ctx, expr);
5237 }
5238 
5239 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5240 			  bool destroy_expr)
5241 {
5242 	struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5243 	struct nft_ctx ctx = {
5244 		.net	= read_pnet(&set->net),
5245 		.family	= set->table->family,
5246 	};
5247 
5248 	nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5249 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5250 		nft_data_release(nft_set_ext_data(ext), set->dtype);
5251 	if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5252 		nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5253 
5254 	if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5255 		(*nft_set_ext_obj(ext))->use--;
5256 	kfree(elem);
5257 }
5258 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5259 
5260 /* Only called from commit path, nft_set_elem_deactivate() already deals with
5261  * the refcounting from the preparation phase.
5262  */
5263 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5264 				       const struct nft_set *set, void *elem)
5265 {
5266 	struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5267 
5268 	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5269 		nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5270 
5271 	kfree(elem);
5272 }
5273 
5274 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
5275 			    struct nft_expr *expr_array[])
5276 {
5277 	struct nft_expr *expr;
5278 	int err, i, k;
5279 
5280 	for (i = 0; i < set->num_exprs; i++) {
5281 		expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL);
5282 		if (!expr)
5283 			goto err_expr;
5284 
5285 		err = nft_expr_clone(expr, set->exprs[i]);
5286 		if (err < 0) {
5287 			nft_expr_destroy(ctx, expr);
5288 			goto err_expr;
5289 		}
5290 		expr_array[i] = expr;
5291 	}
5292 
5293 	return 0;
5294 
5295 err_expr:
5296 	for (k = i - 1; k >= 0; k--)
5297 		nft_expr_destroy(ctx, expr_array[k]);
5298 
5299 	return -ENOMEM;
5300 }
5301 
5302 static void nft_set_elem_expr_setup(const struct nft_set_ext *ext, int i,
5303 				    struct nft_expr *expr_array[])
5304 {
5305 	struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
5306 	struct nft_expr *expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
5307 
5308 	memcpy(expr, expr_array[i], expr_array[i]->ops->size);
5309 	elem_expr->size += expr_array[i]->ops->size;
5310 	kfree(expr_array[i]);
5311 	expr_array[i] = NULL;
5312 }
5313 
5314 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5315 			    const struct nlattr *attr, u32 nlmsg_flags)
5316 {
5317 	struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
5318 	struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5319 	u8 genmask = nft_genmask_next(ctx->net);
5320 	u32 flags = 0, size = 0, num_exprs = 0;
5321 	struct nft_set_ext_tmpl tmpl;
5322 	struct nft_set_ext *ext, *ext2;
5323 	struct nft_set_elem elem;
5324 	struct nft_set_binding *binding;
5325 	struct nft_object *obj = NULL;
5326 	struct nft_userdata *udata;
5327 	struct nft_data_desc desc;
5328 	enum nft_registers dreg;
5329 	struct nft_trans *trans;
5330 	u64 timeout;
5331 	u64 expiration;
5332 	int err, i;
5333 	u8 ulen;
5334 
5335 	err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5336 					  nft_set_elem_policy, NULL);
5337 	if (err < 0)
5338 		return err;
5339 
5340 	if (nla[NFTA_SET_ELEM_KEY] == NULL)
5341 		return -EINVAL;
5342 
5343 	nft_set_ext_prepare(&tmpl);
5344 
5345 	err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5346 	if (err < 0)
5347 		return err;
5348 	if (flags != 0)
5349 		nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5350 
5351 	if (set->flags & NFT_SET_MAP) {
5352 		if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5353 		    !(flags & NFT_SET_ELEM_INTERVAL_END))
5354 			return -EINVAL;
5355 	} else {
5356 		if (nla[NFTA_SET_ELEM_DATA] != NULL)
5357 			return -EINVAL;
5358 	}
5359 
5360 	if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5361 	     (nla[NFTA_SET_ELEM_DATA] ||
5362 	      nla[NFTA_SET_ELEM_OBJREF] ||
5363 	      nla[NFTA_SET_ELEM_TIMEOUT] ||
5364 	      nla[NFTA_SET_ELEM_EXPIRATION] ||
5365 	      nla[NFTA_SET_ELEM_USERDATA] ||
5366 	      nla[NFTA_SET_ELEM_EXPR] ||
5367 	      nla[NFTA_SET_ELEM_EXPRESSIONS]))
5368 		return -EINVAL;
5369 
5370 	timeout = 0;
5371 	if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5372 		if (!(set->flags & NFT_SET_TIMEOUT))
5373 			return -EINVAL;
5374 		err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5375 					    &timeout);
5376 		if (err)
5377 			return err;
5378 	} else if (set->flags & NFT_SET_TIMEOUT) {
5379 		timeout = set->timeout;
5380 	}
5381 
5382 	expiration = 0;
5383 	if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5384 		if (!(set->flags & NFT_SET_TIMEOUT))
5385 			return -EINVAL;
5386 		err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5387 					    &expiration);
5388 		if (err)
5389 			return err;
5390 	}
5391 
5392 	if (nla[NFTA_SET_ELEM_EXPR]) {
5393 		struct nft_expr *expr;
5394 
5395 		if (set->num_exprs && set->num_exprs != 1)
5396 			return -EOPNOTSUPP;
5397 
5398 		expr = nft_set_elem_expr_alloc(ctx, set,
5399 					       nla[NFTA_SET_ELEM_EXPR]);
5400 		if (IS_ERR(expr))
5401 			return PTR_ERR(expr);
5402 
5403 		expr_array[0] = expr;
5404 		num_exprs = 1;
5405 
5406 		if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
5407 			err = -EOPNOTSUPP;
5408 			goto err_set_elem_expr;
5409 		}
5410 	} else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
5411 		struct nft_expr *expr;
5412 		struct nlattr *tmp;
5413 		int left;
5414 
5415 		i = 0;
5416 		nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
5417 			if (i == NFT_SET_EXPR_MAX ||
5418 			    (set->num_exprs && set->num_exprs == i)) {
5419 				err = -E2BIG;
5420 				goto err_set_elem_expr;
5421 			}
5422 			if (nla_type(tmp) != NFTA_LIST_ELEM) {
5423 				err = -EINVAL;
5424 				goto err_set_elem_expr;
5425 			}
5426 			expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5427 			if (IS_ERR(expr)) {
5428 				err = PTR_ERR(expr);
5429 				goto err_set_elem_expr;
5430 			}
5431 			expr_array[i] = expr;
5432 			num_exprs++;
5433 
5434 			if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
5435 				err = -EOPNOTSUPP;
5436 				goto err_set_elem_expr;
5437 			}
5438 			i++;
5439 		}
5440 		if (set->num_exprs && set->num_exprs != i) {
5441 			err = -EOPNOTSUPP;
5442 			goto err_set_elem_expr;
5443 		}
5444 	} else if (set->num_exprs > 0) {
5445 		err = nft_set_elem_expr_clone(ctx, set, expr_array);
5446 		if (err < 0)
5447 			goto err_set_elem_expr_clone;
5448 
5449 		num_exprs = set->num_exprs;
5450 	}
5451 
5452 	err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5453 				    nla[NFTA_SET_ELEM_KEY]);
5454 	if (err < 0)
5455 		goto err_set_elem_expr;
5456 
5457 	nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5458 
5459 	if (nla[NFTA_SET_ELEM_KEY_END]) {
5460 		err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5461 					    nla[NFTA_SET_ELEM_KEY_END]);
5462 		if (err < 0)
5463 			goto err_parse_key;
5464 
5465 		nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5466 	}
5467 
5468 	if (timeout > 0) {
5469 		nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5470 		if (timeout != set->timeout)
5471 			nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5472 	}
5473 
5474 	if (num_exprs) {
5475 		for (i = 0; i < num_exprs; i++)
5476 			size += expr_array[i]->ops->size;
5477 
5478 		nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
5479 				       sizeof(struct nft_set_elem_expr) +
5480 				       size);
5481 	}
5482 
5483 	if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5484 		if (!(set->flags & NFT_SET_OBJECT)) {
5485 			err = -EINVAL;
5486 			goto err_parse_key_end;
5487 		}
5488 		obj = nft_obj_lookup(ctx->net, ctx->table,
5489 				     nla[NFTA_SET_ELEM_OBJREF],
5490 				     set->objtype, genmask);
5491 		if (IS_ERR(obj)) {
5492 			err = PTR_ERR(obj);
5493 			goto err_parse_key_end;
5494 		}
5495 		nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5496 	}
5497 
5498 	if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5499 		err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5500 					     nla[NFTA_SET_ELEM_DATA]);
5501 		if (err < 0)
5502 			goto err_parse_key_end;
5503 
5504 		dreg = nft_type_to_reg(set->dtype);
5505 		list_for_each_entry(binding, &set->bindings, list) {
5506 			struct nft_ctx bind_ctx = {
5507 				.net	= ctx->net,
5508 				.family	= ctx->family,
5509 				.table	= ctx->table,
5510 				.chain	= (struct nft_chain *)binding->chain,
5511 			};
5512 
5513 			if (!(binding->flags & NFT_SET_MAP))
5514 				continue;
5515 
5516 			err = nft_validate_register_store(&bind_ctx, dreg,
5517 							  &elem.data.val,
5518 							  desc.type, desc.len);
5519 			if (err < 0)
5520 				goto err_parse_data;
5521 
5522 			if (desc.type == NFT_DATA_VERDICT &&
5523 			    (elem.data.val.verdict.code == NFT_GOTO ||
5524 			     elem.data.val.verdict.code == NFT_JUMP))
5525 				nft_validate_state_update(ctx->net,
5526 							  NFT_VALIDATE_NEED);
5527 		}
5528 
5529 		nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5530 	}
5531 
5532 	/* The full maximum length of userdata can exceed the maximum
5533 	 * offset value (U8_MAX) for following extensions, therefor it
5534 	 * must be the last extension added.
5535 	 */
5536 	ulen = 0;
5537 	if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5538 		ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5539 		if (ulen > 0)
5540 			nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5541 					       ulen);
5542 	}
5543 
5544 	err = -ENOMEM;
5545 	elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5546 				      elem.key_end.val.data, elem.data.val.data,
5547 				      timeout, expiration, GFP_KERNEL);
5548 	if (elem.priv == NULL)
5549 		goto err_parse_data;
5550 
5551 	ext = nft_set_elem_ext(set, elem.priv);
5552 	if (flags)
5553 		*nft_set_ext_flags(ext) = flags;
5554 	if (ulen > 0) {
5555 		udata = nft_set_ext_userdata(ext);
5556 		udata->len = ulen - 1;
5557 		nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5558 	}
5559 	if (obj) {
5560 		*nft_set_ext_obj(ext) = obj;
5561 		obj->use++;
5562 	}
5563 	for (i = 0; i < num_exprs; i++)
5564 		nft_set_elem_expr_setup(ext, i, expr_array);
5565 
5566 	trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5567 	if (trans == NULL)
5568 		goto err_trans;
5569 
5570 	ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5571 	err = set->ops->insert(ctx->net, set, &elem, &ext2);
5572 	if (err) {
5573 		if (err == -EEXIST) {
5574 			if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5575 			    nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5576 			    nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5577 			    nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
5578 				goto err_element_clash;
5579 			if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5580 			     nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5581 			     memcmp(nft_set_ext_data(ext),
5582 				    nft_set_ext_data(ext2), set->dlen) != 0) ||
5583 			    (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5584 			     nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5585 			     *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5586 				goto err_element_clash;
5587 			else if (!(nlmsg_flags & NLM_F_EXCL))
5588 				err = 0;
5589 		} else if (err == -ENOTEMPTY) {
5590 			/* ENOTEMPTY reports overlapping between this element
5591 			 * and an existing one.
5592 			 */
5593 			err = -EEXIST;
5594 		}
5595 		goto err_element_clash;
5596 	}
5597 
5598 	if (set->size &&
5599 	    !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5600 		err = -ENFILE;
5601 		goto err_set_full;
5602 	}
5603 
5604 	nft_trans_elem(trans) = elem;
5605 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5606 	return 0;
5607 
5608 err_set_full:
5609 	set->ops->remove(ctx->net, set, &elem);
5610 err_element_clash:
5611 	kfree(trans);
5612 err_trans:
5613 	if (obj)
5614 		obj->use--;
5615 
5616 	nf_tables_set_elem_destroy(ctx, set, elem.priv);
5617 err_parse_data:
5618 	if (nla[NFTA_SET_ELEM_DATA] != NULL)
5619 		nft_data_release(&elem.data.val, desc.type);
5620 err_parse_key_end:
5621 	nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5622 err_parse_key:
5623 	nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5624 err_set_elem_expr:
5625 	for (i = 0; i < num_exprs && expr_array[i]; i++)
5626 		nft_expr_destroy(ctx, expr_array[i]);
5627 err_set_elem_expr_clone:
5628 	return err;
5629 }
5630 
5631 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5632 				struct sk_buff *skb, const struct nlmsghdr *nlh,
5633 				const struct nlattr * const nla[],
5634 				struct netlink_ext_ack *extack)
5635 {
5636 	u8 genmask = nft_genmask_next(net);
5637 	const struct nlattr *attr;
5638 	struct nft_set *set;
5639 	struct nft_ctx ctx;
5640 	int rem, err;
5641 
5642 	if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5643 		return -EINVAL;
5644 
5645 	err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5646 					 genmask, NETLINK_CB(skb).portid);
5647 	if (err < 0)
5648 		return err;
5649 
5650 	set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5651 				    nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5652 	if (IS_ERR(set))
5653 		return PTR_ERR(set);
5654 
5655 	if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5656 		return -EBUSY;
5657 
5658 	nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5659 		err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5660 		if (err < 0)
5661 			return err;
5662 	}
5663 
5664 	if (net->nft.validate_state == NFT_VALIDATE_DO)
5665 		return nft_table_validate(net, ctx.table);
5666 
5667 	return 0;
5668 }
5669 
5670 /**
5671  *	nft_data_hold - hold a nft_data item
5672  *
5673  *	@data: struct nft_data to release
5674  *	@type: type of data
5675  *
5676  *	Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5677  *	NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5678  *	NFT_GOTO verdicts. This function must be called on active data objects
5679  *	from the second phase of the commit protocol.
5680  */
5681 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5682 {
5683 	struct nft_chain *chain;
5684 	struct nft_rule *rule;
5685 
5686 	if (type == NFT_DATA_VERDICT) {
5687 		switch (data->verdict.code) {
5688 		case NFT_JUMP:
5689 		case NFT_GOTO:
5690 			chain = data->verdict.chain;
5691 			chain->use++;
5692 
5693 			if (!nft_chain_is_bound(chain))
5694 				break;
5695 
5696 			chain->table->use++;
5697 			list_for_each_entry(rule, &chain->rules, list)
5698 				chain->use++;
5699 
5700 			nft_chain_add(chain->table, chain);
5701 			break;
5702 		}
5703 	}
5704 }
5705 
5706 static void nft_set_elem_activate(const struct net *net,
5707 				  const struct nft_set *set,
5708 				  struct nft_set_elem *elem)
5709 {
5710 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5711 
5712 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5713 		nft_data_hold(nft_set_ext_data(ext), set->dtype);
5714 	if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5715 		(*nft_set_ext_obj(ext))->use++;
5716 }
5717 
5718 static void nft_set_elem_deactivate(const struct net *net,
5719 				    const struct nft_set *set,
5720 				    struct nft_set_elem *elem)
5721 {
5722 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5723 
5724 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5725 		nft_data_release(nft_set_ext_data(ext), set->dtype);
5726 	if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5727 		(*nft_set_ext_obj(ext))->use--;
5728 }
5729 
5730 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5731 			   const struct nlattr *attr)
5732 {
5733 	struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5734 	struct nft_set_ext_tmpl tmpl;
5735 	struct nft_set_elem elem;
5736 	struct nft_set_ext *ext;
5737 	struct nft_trans *trans;
5738 	u32 flags = 0;
5739 	void *priv;
5740 	int err;
5741 
5742 	err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5743 					  nft_set_elem_policy, NULL);
5744 	if (err < 0)
5745 		return err;
5746 
5747 	if (nla[NFTA_SET_ELEM_KEY] == NULL)
5748 		return -EINVAL;
5749 
5750 	nft_set_ext_prepare(&tmpl);
5751 
5752 	err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5753 	if (err < 0)
5754 		return err;
5755 	if (flags != 0)
5756 		nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5757 
5758 	err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5759 				    nla[NFTA_SET_ELEM_KEY]);
5760 	if (err < 0)
5761 		return err;
5762 
5763 	nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5764 
5765 	if (nla[NFTA_SET_ELEM_KEY_END]) {
5766 		err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5767 					    nla[NFTA_SET_ELEM_KEY_END]);
5768 		if (err < 0)
5769 			return err;
5770 
5771 		nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5772 	}
5773 
5774 	err = -ENOMEM;
5775 	elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5776 				      elem.key_end.val.data, NULL, 0, 0,
5777 				      GFP_KERNEL);
5778 	if (elem.priv == NULL)
5779 		goto fail_elem;
5780 
5781 	ext = nft_set_elem_ext(set, elem.priv);
5782 	if (flags)
5783 		*nft_set_ext_flags(ext) = flags;
5784 
5785 	trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5786 	if (trans == NULL)
5787 		goto fail_trans;
5788 
5789 	priv = set->ops->deactivate(ctx->net, set, &elem);
5790 	if (priv == NULL) {
5791 		err = -ENOENT;
5792 		goto fail_ops;
5793 	}
5794 	kfree(elem.priv);
5795 	elem.priv = priv;
5796 
5797 	nft_set_elem_deactivate(ctx->net, set, &elem);
5798 
5799 	nft_trans_elem(trans) = elem;
5800 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5801 	return 0;
5802 
5803 fail_ops:
5804 	kfree(trans);
5805 fail_trans:
5806 	kfree(elem.priv);
5807 fail_elem:
5808 	nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5809 	return err;
5810 }
5811 
5812 static int nft_flush_set(const struct nft_ctx *ctx,
5813 			 struct nft_set *set,
5814 			 const struct nft_set_iter *iter,
5815 			 struct nft_set_elem *elem)
5816 {
5817 	struct nft_trans *trans;
5818 	int err;
5819 
5820 	trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5821 				    sizeof(struct nft_trans_elem), GFP_ATOMIC);
5822 	if (!trans)
5823 		return -ENOMEM;
5824 
5825 	if (!set->ops->flush(ctx->net, set, elem->priv)) {
5826 		err = -ENOENT;
5827 		goto err1;
5828 	}
5829 	set->ndeact++;
5830 
5831 	nft_set_elem_deactivate(ctx->net, set, elem);
5832 	nft_trans_elem_set(trans) = set;
5833 	nft_trans_elem(trans) = *elem;
5834 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5835 
5836 	return 0;
5837 err1:
5838 	kfree(trans);
5839 	return err;
5840 }
5841 
5842 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5843 				struct sk_buff *skb, const struct nlmsghdr *nlh,
5844 				const struct nlattr * const nla[],
5845 				struct netlink_ext_ack *extack)
5846 {
5847 	u8 genmask = nft_genmask_next(net);
5848 	const struct nlattr *attr;
5849 	struct nft_set *set;
5850 	struct nft_ctx ctx;
5851 	int rem, err = 0;
5852 
5853 	err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5854 					 genmask, NETLINK_CB(skb).portid);
5855 	if (err < 0)
5856 		return err;
5857 
5858 	set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5859 	if (IS_ERR(set))
5860 		return PTR_ERR(set);
5861 	if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5862 		return -EBUSY;
5863 
5864 	if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5865 		struct nft_set_iter iter = {
5866 			.genmask	= genmask,
5867 			.fn		= nft_flush_set,
5868 		};
5869 		set->ops->walk(&ctx, set, &iter);
5870 
5871 		return iter.err;
5872 	}
5873 
5874 	nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5875 		err = nft_del_setelem(&ctx, set, attr);
5876 		if (err < 0)
5877 			break;
5878 
5879 		set->ndeact++;
5880 	}
5881 	return err;
5882 }
5883 
5884 void nft_set_gc_batch_release(struct rcu_head *rcu)
5885 {
5886 	struct nft_set_gc_batch *gcb;
5887 	unsigned int i;
5888 
5889 	gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5890 	for (i = 0; i < gcb->head.cnt; i++)
5891 		nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5892 	kfree(gcb);
5893 }
5894 
5895 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5896 						gfp_t gfp)
5897 {
5898 	struct nft_set_gc_batch *gcb;
5899 
5900 	gcb = kzalloc(sizeof(*gcb), gfp);
5901 	if (gcb == NULL)
5902 		return gcb;
5903 	gcb->head.set = set;
5904 	return gcb;
5905 }
5906 
5907 /*
5908  * Stateful objects
5909  */
5910 
5911 /**
5912  *	nft_register_obj- register nf_tables stateful object type
5913  *	@obj_type: object type
5914  *
5915  *	Registers the object type for use with nf_tables. Returns zero on
5916  *	success or a negative errno code otherwise.
5917  */
5918 int nft_register_obj(struct nft_object_type *obj_type)
5919 {
5920 	if (obj_type->type == NFT_OBJECT_UNSPEC)
5921 		return -EINVAL;
5922 
5923 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
5924 	list_add_rcu(&obj_type->list, &nf_tables_objects);
5925 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5926 	return 0;
5927 }
5928 EXPORT_SYMBOL_GPL(nft_register_obj);
5929 
5930 /**
5931  *	nft_unregister_obj - unregister nf_tables object type
5932  *	@obj_type: object type
5933  *
5934  * 	Unregisters the object type for use with nf_tables.
5935  */
5936 void nft_unregister_obj(struct nft_object_type *obj_type)
5937 {
5938 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
5939 	list_del_rcu(&obj_type->list);
5940 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5941 }
5942 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5943 
5944 struct nft_object *nft_obj_lookup(const struct net *net,
5945 				  const struct nft_table *table,
5946 				  const struct nlattr *nla, u32 objtype,
5947 				  u8 genmask)
5948 {
5949 	struct nft_object_hash_key k = { .table = table };
5950 	char search[NFT_OBJ_MAXNAMELEN];
5951 	struct rhlist_head *tmp, *list;
5952 	struct nft_object *obj;
5953 
5954 	nla_strscpy(search, nla, sizeof(search));
5955 	k.name = search;
5956 
5957 	WARN_ON_ONCE(!rcu_read_lock_held() &&
5958 		     !lockdep_commit_lock_is_held(net));
5959 
5960 	rcu_read_lock();
5961 	list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5962 	if (!list)
5963 		goto out;
5964 
5965 	rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5966 		if (objtype == obj->ops->type->type &&
5967 		    nft_active_genmask(obj, genmask)) {
5968 			rcu_read_unlock();
5969 			return obj;
5970 		}
5971 	}
5972 out:
5973 	rcu_read_unlock();
5974 	return ERR_PTR(-ENOENT);
5975 }
5976 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5977 
5978 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5979 						  const struct nlattr *nla,
5980 						  u32 objtype, u8 genmask)
5981 {
5982 	struct nft_object *obj;
5983 
5984 	list_for_each_entry(obj, &table->objects, list) {
5985 		if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5986 		    objtype == obj->ops->type->type &&
5987 		    nft_active_genmask(obj, genmask))
5988 			return obj;
5989 	}
5990 	return ERR_PTR(-ENOENT);
5991 }
5992 
5993 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5994 	[NFTA_OBJ_TABLE]	= { .type = NLA_STRING,
5995 				    .len = NFT_TABLE_MAXNAMELEN - 1 },
5996 	[NFTA_OBJ_NAME]		= { .type = NLA_STRING,
5997 				    .len = NFT_OBJ_MAXNAMELEN - 1 },
5998 	[NFTA_OBJ_TYPE]		= { .type = NLA_U32 },
5999 	[NFTA_OBJ_DATA]		= { .type = NLA_NESTED },
6000 	[NFTA_OBJ_HANDLE]	= { .type = NLA_U64},
6001 	[NFTA_OBJ_USERDATA]	= { .type = NLA_BINARY,
6002 				    .len = NFT_USERDATA_MAXLEN },
6003 };
6004 
6005 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
6006 				       const struct nft_object_type *type,
6007 				       const struct nlattr *attr)
6008 {
6009 	struct nlattr **tb;
6010 	const struct nft_object_ops *ops;
6011 	struct nft_object *obj;
6012 	int err = -ENOMEM;
6013 
6014 	tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
6015 	if (!tb)
6016 		goto err1;
6017 
6018 	if (attr) {
6019 		err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
6020 						  type->policy, NULL);
6021 		if (err < 0)
6022 			goto err2;
6023 	} else {
6024 		memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
6025 	}
6026 
6027 	if (type->select_ops) {
6028 		ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
6029 		if (IS_ERR(ops)) {
6030 			err = PTR_ERR(ops);
6031 			goto err2;
6032 		}
6033 	} else {
6034 		ops = type->ops;
6035 	}
6036 
6037 	err = -ENOMEM;
6038 	obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
6039 	if (!obj)
6040 		goto err2;
6041 
6042 	err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
6043 	if (err < 0)
6044 		goto err3;
6045 
6046 	obj->ops = ops;
6047 
6048 	kfree(tb);
6049 	return obj;
6050 err3:
6051 	kfree(obj);
6052 err2:
6053 	kfree(tb);
6054 err1:
6055 	return ERR_PTR(err);
6056 }
6057 
6058 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
6059 			   struct nft_object *obj, bool reset)
6060 {
6061 	struct nlattr *nest;
6062 
6063 	nest = nla_nest_start_noflag(skb, attr);
6064 	if (!nest)
6065 		goto nla_put_failure;
6066 	if (obj->ops->dump(skb, obj, reset) < 0)
6067 		goto nla_put_failure;
6068 	nla_nest_end(skb, nest);
6069 	return 0;
6070 
6071 nla_put_failure:
6072 	return -1;
6073 }
6074 
6075 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
6076 {
6077 	const struct nft_object_type *type;
6078 
6079 	list_for_each_entry(type, &nf_tables_objects, list) {
6080 		if (objtype == type->type)
6081 			return type;
6082 	}
6083 	return NULL;
6084 }
6085 
6086 static const struct nft_object_type *
6087 nft_obj_type_get(struct net *net, u32 objtype)
6088 {
6089 	const struct nft_object_type *type;
6090 
6091 	type = __nft_obj_type_get(objtype);
6092 	if (type != NULL && try_module_get(type->owner))
6093 		return type;
6094 
6095 	lockdep_nfnl_nft_mutex_not_held();
6096 #ifdef CONFIG_MODULES
6097 	if (type == NULL) {
6098 		if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
6099 			return ERR_PTR(-EAGAIN);
6100 	}
6101 #endif
6102 	return ERR_PTR(-ENOENT);
6103 }
6104 
6105 static int nf_tables_updobj(const struct nft_ctx *ctx,
6106 			    const struct nft_object_type *type,
6107 			    const struct nlattr *attr,
6108 			    struct nft_object *obj)
6109 {
6110 	struct nft_object *newobj;
6111 	struct nft_trans *trans;
6112 	int err;
6113 
6114 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
6115 				sizeof(struct nft_trans_obj));
6116 	if (!trans)
6117 		return -ENOMEM;
6118 
6119 	newobj = nft_obj_init(ctx, type, attr);
6120 	if (IS_ERR(newobj)) {
6121 		err = PTR_ERR(newobj);
6122 		goto err_free_trans;
6123 	}
6124 
6125 	nft_trans_obj(trans) = obj;
6126 	nft_trans_obj_update(trans) = true;
6127 	nft_trans_obj_newobj(trans) = newobj;
6128 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6129 
6130 	return 0;
6131 
6132 err_free_trans:
6133 	kfree(trans);
6134 	return err;
6135 }
6136 
6137 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
6138 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
6139 			    const struct nlattr * const nla[],
6140 			    struct netlink_ext_ack *extack)
6141 {
6142 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6143 	const struct nft_object_type *type;
6144 	u8 genmask = nft_genmask_next(net);
6145 	int family = nfmsg->nfgen_family;
6146 	struct nft_table *table;
6147 	struct nft_object *obj;
6148 	struct nft_ctx ctx;
6149 	u32 objtype;
6150 	int err;
6151 
6152 	if (!nla[NFTA_OBJ_TYPE] ||
6153 	    !nla[NFTA_OBJ_NAME] ||
6154 	    !nla[NFTA_OBJ_DATA])
6155 		return -EINVAL;
6156 
6157 	table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6158 				 NETLINK_CB(skb).portid);
6159 	if (IS_ERR(table)) {
6160 		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6161 		return PTR_ERR(table);
6162 	}
6163 
6164 	objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6165 	obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6166 	if (IS_ERR(obj)) {
6167 		err = PTR_ERR(obj);
6168 		if (err != -ENOENT) {
6169 			NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6170 			return err;
6171 		}
6172 	} else {
6173 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
6174 			NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6175 			return -EEXIST;
6176 		}
6177 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
6178 			return -EOPNOTSUPP;
6179 
6180 		type = __nft_obj_type_get(objtype);
6181 		nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6182 
6183 		return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
6184 	}
6185 
6186 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6187 
6188 	type = nft_obj_type_get(net, objtype);
6189 	if (IS_ERR(type))
6190 		return PTR_ERR(type);
6191 
6192 	obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
6193 	if (IS_ERR(obj)) {
6194 		err = PTR_ERR(obj);
6195 		goto err_init;
6196 	}
6197 	obj->key.table = table;
6198 	obj->handle = nf_tables_alloc_handle(table);
6199 
6200 	obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
6201 	if (!obj->key.name) {
6202 		err = -ENOMEM;
6203 		goto err_strdup;
6204 	}
6205 
6206 	if (nla[NFTA_OBJ_USERDATA]) {
6207 		obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
6208 		if (obj->udata == NULL)
6209 			goto err_userdata;
6210 
6211 		obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
6212 	}
6213 
6214 	err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6215 	if (err < 0)
6216 		goto err_trans;
6217 
6218 	err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6219 			      nft_objname_ht_params);
6220 	if (err < 0)
6221 		goto err_obj_ht;
6222 
6223 	list_add_tail_rcu(&obj->list, &table->objects);
6224 	table->use++;
6225 	return 0;
6226 err_obj_ht:
6227 	/* queued in transaction log */
6228 	INIT_LIST_HEAD(&obj->list);
6229 	return err;
6230 err_trans:
6231 	kfree(obj->key.name);
6232 err_userdata:
6233 	kfree(obj->udata);
6234 err_strdup:
6235 	if (obj->ops->destroy)
6236 		obj->ops->destroy(&ctx, obj);
6237 	kfree(obj);
6238 err_init:
6239 	module_put(type->owner);
6240 	return err;
6241 }
6242 
6243 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
6244 				   u32 portid, u32 seq, int event, u32 flags,
6245 				   int family, const struct nft_table *table,
6246 				   struct nft_object *obj, bool reset)
6247 {
6248 	struct nfgenmsg *nfmsg;
6249 	struct nlmsghdr *nlh;
6250 
6251 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6252 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6253 	if (nlh == NULL)
6254 		goto nla_put_failure;
6255 
6256 	nfmsg = nlmsg_data(nlh);
6257 	nfmsg->nfgen_family	= family;
6258 	nfmsg->version		= NFNETLINK_V0;
6259 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
6260 
6261 	if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
6262 	    nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
6263 	    nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
6264 	    nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
6265 	    nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
6266 	    nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
6267 			 NFTA_OBJ_PAD))
6268 		goto nla_put_failure;
6269 
6270 	if (obj->udata &&
6271 	    nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
6272 		goto nla_put_failure;
6273 
6274 	nlmsg_end(skb, nlh);
6275 	return 0;
6276 
6277 nla_put_failure:
6278 	nlmsg_trim(skb, nlh);
6279 	return -1;
6280 }
6281 
6282 struct nft_obj_filter {
6283 	char		*table;
6284 	u32		type;
6285 };
6286 
6287 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6288 {
6289 	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6290 	const struct nft_table *table;
6291 	unsigned int idx = 0, s_idx = cb->args[0];
6292 	struct nft_obj_filter *filter = cb->data;
6293 	struct net *net = sock_net(skb->sk);
6294 	int family = nfmsg->nfgen_family;
6295 	struct nft_object *obj;
6296 	bool reset = false;
6297 
6298 	if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6299 		reset = true;
6300 
6301 	rcu_read_lock();
6302 	cb->seq = net->nft.base_seq;
6303 
6304 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
6305 		if (family != NFPROTO_UNSPEC && family != table->family)
6306 			continue;
6307 
6308 		list_for_each_entry_rcu(obj, &table->objects, list) {
6309 			if (!nft_is_active(net, obj))
6310 				goto cont;
6311 			if (idx < s_idx)
6312 				goto cont;
6313 			if (idx > s_idx)
6314 				memset(&cb->args[1], 0,
6315 				       sizeof(cb->args) - sizeof(cb->args[0]));
6316 			if (filter && filter->table &&
6317 			    strcmp(filter->table, table->name))
6318 				goto cont;
6319 			if (filter &&
6320 			    filter->type != NFT_OBJECT_UNSPEC &&
6321 			    obj->ops->type->type != filter->type)
6322 				goto cont;
6323 
6324 			if (reset) {
6325 				char *buf = kasprintf(GFP_ATOMIC,
6326 						      "%s:%llu;?:0",
6327 						      table->name,
6328 						      table->handle);
6329 
6330 				audit_log_nfcfg(buf,
6331 						family,
6332 						obj->handle,
6333 						AUDIT_NFT_OP_OBJ_RESET,
6334 						GFP_ATOMIC);
6335 				kfree(buf);
6336 			}
6337 
6338 			if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6339 						    cb->nlh->nlmsg_seq,
6340 						    NFT_MSG_NEWOBJ,
6341 						    NLM_F_MULTI | NLM_F_APPEND,
6342 						    table->family, table,
6343 						    obj, reset) < 0)
6344 				goto done;
6345 
6346 			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6347 cont:
6348 			idx++;
6349 		}
6350 	}
6351 done:
6352 	rcu_read_unlock();
6353 
6354 	cb->args[0] = idx;
6355 	return skb->len;
6356 }
6357 
6358 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6359 {
6360 	const struct nlattr * const *nla = cb->data;
6361 	struct nft_obj_filter *filter = NULL;
6362 
6363 	if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6364 		filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6365 		if (!filter)
6366 			return -ENOMEM;
6367 
6368 		if (nla[NFTA_OBJ_TABLE]) {
6369 			filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6370 			if (!filter->table) {
6371 				kfree(filter);
6372 				return -ENOMEM;
6373 			}
6374 		}
6375 
6376 		if (nla[NFTA_OBJ_TYPE])
6377 			filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6378 	}
6379 
6380 	cb->data = filter;
6381 	return 0;
6382 }
6383 
6384 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6385 {
6386 	struct nft_obj_filter *filter = cb->data;
6387 
6388 	if (filter) {
6389 		kfree(filter->table);
6390 		kfree(filter);
6391 	}
6392 
6393 	return 0;
6394 }
6395 
6396 /* called with rcu_read_lock held */
6397 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
6398 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
6399 			    const struct nlattr * const nla[],
6400 			    struct netlink_ext_ack *extack)
6401 {
6402 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6403 	u8 genmask = nft_genmask_cur(net);
6404 	int family = nfmsg->nfgen_family;
6405 	const struct nft_table *table;
6406 	struct nft_object *obj;
6407 	struct sk_buff *skb2;
6408 	bool reset = false;
6409 	u32 objtype;
6410 	int err;
6411 
6412 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
6413 		struct netlink_dump_control c = {
6414 			.start = nf_tables_dump_obj_start,
6415 			.dump = nf_tables_dump_obj,
6416 			.done = nf_tables_dump_obj_done,
6417 			.module = THIS_MODULE,
6418 			.data = (void *)nla,
6419 		};
6420 
6421 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6422 	}
6423 
6424 	if (!nla[NFTA_OBJ_NAME] ||
6425 	    !nla[NFTA_OBJ_TYPE])
6426 		return -EINVAL;
6427 
6428 	table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
6429 	if (IS_ERR(table)) {
6430 		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6431 		return PTR_ERR(table);
6432 	}
6433 
6434 	objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6435 	obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6436 	if (IS_ERR(obj)) {
6437 		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6438 		return PTR_ERR(obj);
6439 	}
6440 
6441 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6442 	if (!skb2)
6443 		return -ENOMEM;
6444 
6445 	if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6446 		reset = true;
6447 
6448 	if (reset) {
6449 		char *buf = kasprintf(GFP_ATOMIC, "%s:%llu;?:0",
6450 				      table->name, table->handle);
6451 
6452 		audit_log_nfcfg(buf,
6453 				family,
6454 				obj->handle,
6455 				AUDIT_NFT_OP_OBJ_RESET,
6456 				GFP_ATOMIC);
6457 		kfree(buf);
6458 	}
6459 
6460 	err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6461 				      nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6462 				      family, table, obj, reset);
6463 	if (err < 0)
6464 		goto err_fill_obj_info;
6465 
6466 	return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6467 
6468 err_fill_obj_info:
6469 	kfree_skb(skb2);
6470 	return err;
6471 }
6472 
6473 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6474 {
6475 	if (obj->ops->destroy)
6476 		obj->ops->destroy(ctx, obj);
6477 
6478 	module_put(obj->ops->type->owner);
6479 	kfree(obj->key.name);
6480 	kfree(obj->udata);
6481 	kfree(obj);
6482 }
6483 
6484 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6485 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
6486 			    const struct nlattr * const nla[],
6487 			    struct netlink_ext_ack *extack)
6488 {
6489 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6490 	u8 genmask = nft_genmask_next(net);
6491 	int family = nfmsg->nfgen_family;
6492 	const struct nlattr *attr;
6493 	struct nft_table *table;
6494 	struct nft_object *obj;
6495 	struct nft_ctx ctx;
6496 	u32 objtype;
6497 
6498 	if (!nla[NFTA_OBJ_TYPE] ||
6499 	    (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6500 		return -EINVAL;
6501 
6502 	table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6503 				 NETLINK_CB(skb).portid);
6504 	if (IS_ERR(table)) {
6505 		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6506 		return PTR_ERR(table);
6507 	}
6508 
6509 	objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6510 	if (nla[NFTA_OBJ_HANDLE]) {
6511 		attr = nla[NFTA_OBJ_HANDLE];
6512 		obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6513 	} else {
6514 		attr = nla[NFTA_OBJ_NAME];
6515 		obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6516 	}
6517 
6518 	if (IS_ERR(obj)) {
6519 		NL_SET_BAD_ATTR(extack, attr);
6520 		return PTR_ERR(obj);
6521 	}
6522 	if (obj->use > 0) {
6523 		NL_SET_BAD_ATTR(extack, attr);
6524 		return -EBUSY;
6525 	}
6526 
6527 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6528 
6529 	return nft_delobj(&ctx, obj);
6530 }
6531 
6532 void nft_obj_notify(struct net *net, const struct nft_table *table,
6533 		    struct nft_object *obj, u32 portid, u32 seq, int event,
6534 		    int family, int report, gfp_t gfp)
6535 {
6536 	struct sk_buff *skb;
6537 	int err;
6538 	char *buf = kasprintf(gfp, "%s:%llu;?:0",
6539 			      table->name, table->handle);
6540 
6541 	audit_log_nfcfg(buf,
6542 			family,
6543 			obj->handle,
6544 			event == NFT_MSG_NEWOBJ ?
6545 				AUDIT_NFT_OP_OBJ_REGISTER :
6546 				AUDIT_NFT_OP_OBJ_UNREGISTER,
6547 			gfp);
6548 	kfree(buf);
6549 
6550 	if (!report &&
6551 	    !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6552 		return;
6553 
6554 	skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6555 	if (skb == NULL)
6556 		goto err;
6557 
6558 	err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6559 				      table, obj, false);
6560 	if (err < 0) {
6561 		kfree_skb(skb);
6562 		goto err;
6563 	}
6564 
6565 	nft_notify_enqueue(skb, report, &net->nft.notify_list);
6566 	return;
6567 err:
6568 	nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6569 }
6570 EXPORT_SYMBOL_GPL(nft_obj_notify);
6571 
6572 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6573 				 struct nft_object *obj, int event)
6574 {
6575 	nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6576 		       ctx->family, ctx->report, GFP_KERNEL);
6577 }
6578 
6579 /*
6580  * Flow tables
6581  */
6582 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6583 {
6584 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
6585 	list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6586 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6587 }
6588 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6589 
6590 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6591 {
6592 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
6593 	list_del_rcu(&type->list);
6594 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6595 }
6596 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6597 
6598 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6599 	[NFTA_FLOWTABLE_TABLE]		= { .type = NLA_STRING,
6600 					    .len = NFT_NAME_MAXLEN - 1 },
6601 	[NFTA_FLOWTABLE_NAME]		= { .type = NLA_STRING,
6602 					    .len = NFT_NAME_MAXLEN - 1 },
6603 	[NFTA_FLOWTABLE_HOOK]		= { .type = NLA_NESTED },
6604 	[NFTA_FLOWTABLE_HANDLE]		= { .type = NLA_U64 },
6605 	[NFTA_FLOWTABLE_FLAGS]		= { .type = NLA_U32 },
6606 };
6607 
6608 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6609 					   const struct nlattr *nla, u8 genmask)
6610 {
6611 	struct nft_flowtable *flowtable;
6612 
6613 	list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6614 		if (!nla_strcmp(nla, flowtable->name) &&
6615 		    nft_active_genmask(flowtable, genmask))
6616 			return flowtable;
6617 	}
6618 	return ERR_PTR(-ENOENT);
6619 }
6620 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6621 
6622 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6623 				    struct nft_flowtable *flowtable,
6624 				    enum nft_trans_phase phase)
6625 {
6626 	switch (phase) {
6627 	case NFT_TRANS_PREPARE:
6628 	case NFT_TRANS_ABORT:
6629 	case NFT_TRANS_RELEASE:
6630 		flowtable->use--;
6631 		fallthrough;
6632 	default:
6633 		return;
6634 	}
6635 }
6636 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6637 
6638 static struct nft_flowtable *
6639 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6640 			      const struct nlattr *nla, u8 genmask)
6641 {
6642        struct nft_flowtable *flowtable;
6643 
6644        list_for_each_entry(flowtable, &table->flowtables, list) {
6645                if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6646                    nft_active_genmask(flowtable, genmask))
6647                        return flowtable;
6648        }
6649        return ERR_PTR(-ENOENT);
6650 }
6651 
6652 struct nft_flowtable_hook {
6653 	u32			num;
6654 	int			priority;
6655 	struct list_head	list;
6656 };
6657 
6658 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6659 	[NFTA_FLOWTABLE_HOOK_NUM]	= { .type = NLA_U32 },
6660 	[NFTA_FLOWTABLE_HOOK_PRIORITY]	= { .type = NLA_U32 },
6661 	[NFTA_FLOWTABLE_HOOK_DEVS]	= { .type = NLA_NESTED },
6662 };
6663 
6664 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
6665 				    const struct nlattr *attr,
6666 				    struct nft_flowtable_hook *flowtable_hook,
6667 				    struct nft_flowtable *flowtable, bool add)
6668 {
6669 	struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6670 	struct nft_hook *hook;
6671 	int hooknum, priority;
6672 	int err;
6673 
6674 	INIT_LIST_HEAD(&flowtable_hook->list);
6675 
6676 	err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6677 					  nft_flowtable_hook_policy, NULL);
6678 	if (err < 0)
6679 		return err;
6680 
6681 	if (add) {
6682 		if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6683 		    !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
6684 			return -EINVAL;
6685 
6686 		hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6687 		if (hooknum != NF_NETDEV_INGRESS)
6688 			return -EOPNOTSUPP;
6689 
6690 		priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6691 
6692 		flowtable_hook->priority	= priority;
6693 		flowtable_hook->num		= hooknum;
6694 	} else {
6695 		if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
6696 			hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6697 			if (hooknum != flowtable->hooknum)
6698 				return -EOPNOTSUPP;
6699 		}
6700 
6701 		if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
6702 			priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6703 			if (priority != flowtable->data.priority)
6704 				return -EOPNOTSUPP;
6705 		}
6706 
6707 		flowtable_hook->priority	= flowtable->data.priority;
6708 		flowtable_hook->num		= flowtable->hooknum;
6709 	}
6710 
6711 	if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
6712 		err = nf_tables_parse_netdev_hooks(ctx->net,
6713 						   tb[NFTA_FLOWTABLE_HOOK_DEVS],
6714 						   &flowtable_hook->list);
6715 		if (err < 0)
6716 			return err;
6717 	}
6718 
6719 	list_for_each_entry(hook, &flowtable_hook->list, list) {
6720 		hook->ops.pf		= NFPROTO_NETDEV;
6721 		hook->ops.hooknum	= flowtable_hook->num;
6722 		hook->ops.priority	= flowtable_hook->priority;
6723 		hook->ops.priv		= &flowtable->data;
6724 		hook->ops.hook		= flowtable->data.type->hook;
6725 	}
6726 
6727 	return err;
6728 }
6729 
6730 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6731 {
6732 	const struct nf_flowtable_type *type;
6733 
6734 	list_for_each_entry(type, &nf_tables_flowtables, list) {
6735 		if (family == type->family)
6736 			return type;
6737 	}
6738 	return NULL;
6739 }
6740 
6741 static const struct nf_flowtable_type *
6742 nft_flowtable_type_get(struct net *net, u8 family)
6743 {
6744 	const struct nf_flowtable_type *type;
6745 
6746 	type = __nft_flowtable_type_get(family);
6747 	if (type != NULL && try_module_get(type->owner))
6748 		return type;
6749 
6750 	lockdep_nfnl_nft_mutex_not_held();
6751 #ifdef CONFIG_MODULES
6752 	if (type == NULL) {
6753 		if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6754 			return ERR_PTR(-EAGAIN);
6755 	}
6756 #endif
6757 	return ERR_PTR(-ENOENT);
6758 }
6759 
6760 /* Only called from error and netdev event paths. */
6761 static void nft_unregister_flowtable_hook(struct net *net,
6762 					  struct nft_flowtable *flowtable,
6763 					  struct nft_hook *hook)
6764 {
6765 	nf_unregister_net_hook(net, &hook->ops);
6766 	flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6767 				    FLOW_BLOCK_UNBIND);
6768 }
6769 
6770 static void nft_unregister_flowtable_net_hooks(struct net *net,
6771 					       struct list_head *hook_list)
6772 {
6773 	struct nft_hook *hook;
6774 
6775 	list_for_each_entry(hook, hook_list, list)
6776 		nf_unregister_net_hook(net, &hook->ops);
6777 }
6778 
6779 static int nft_register_flowtable_net_hooks(struct net *net,
6780 					    struct nft_table *table,
6781 					    struct list_head *hook_list,
6782 					    struct nft_flowtable *flowtable)
6783 {
6784 	struct nft_hook *hook, *hook2, *next;
6785 	struct nft_flowtable *ft;
6786 	int err, i = 0;
6787 
6788 	list_for_each_entry(hook, hook_list, list) {
6789 		list_for_each_entry(ft, &table->flowtables, list) {
6790 			if (!nft_is_active_next(net, ft))
6791 				continue;
6792 
6793 			list_for_each_entry(hook2, &ft->hook_list, list) {
6794 				if (hook->ops.dev == hook2->ops.dev &&
6795 				    hook->ops.pf == hook2->ops.pf) {
6796 					err = -EEXIST;
6797 					goto err_unregister_net_hooks;
6798 				}
6799 			}
6800 		}
6801 
6802 		err = flowtable->data.type->setup(&flowtable->data,
6803 						  hook->ops.dev,
6804 						  FLOW_BLOCK_BIND);
6805 		if (err < 0)
6806 			goto err_unregister_net_hooks;
6807 
6808 		err = nf_register_net_hook(net, &hook->ops);
6809 		if (err < 0) {
6810 			flowtable->data.type->setup(&flowtable->data,
6811 						    hook->ops.dev,
6812 						    FLOW_BLOCK_UNBIND);
6813 			goto err_unregister_net_hooks;
6814 		}
6815 
6816 		i++;
6817 	}
6818 
6819 	return 0;
6820 
6821 err_unregister_net_hooks:
6822 	list_for_each_entry_safe(hook, next, hook_list, list) {
6823 		if (i-- <= 0)
6824 			break;
6825 
6826 		nft_unregister_flowtable_hook(net, flowtable, hook);
6827 		list_del_rcu(&hook->list);
6828 		kfree_rcu(hook, rcu);
6829 	}
6830 
6831 	return err;
6832 }
6833 
6834 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
6835 {
6836 	struct nft_hook *hook, *next;
6837 
6838 	list_for_each_entry_safe(hook, next, hook_list, list) {
6839 		list_del_rcu(&hook->list);
6840 		kfree_rcu(hook, rcu);
6841 	}
6842 }
6843 
6844 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
6845 				struct nft_flowtable *flowtable)
6846 {
6847 	const struct nlattr * const *nla = ctx->nla;
6848 	struct nft_flowtable_hook flowtable_hook;
6849 	struct nft_hook *hook, *next;
6850 	struct nft_trans *trans;
6851 	bool unregister = false;
6852 	u32 flags;
6853 	int err;
6854 
6855 	err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6856 				       &flowtable_hook, flowtable, false);
6857 	if (err < 0)
6858 		return err;
6859 
6860 	list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6861 		if (nft_hook_list_find(&flowtable->hook_list, hook)) {
6862 			list_del(&hook->list);
6863 			kfree(hook);
6864 		}
6865 	}
6866 
6867 	if (nla[NFTA_FLOWTABLE_FLAGS]) {
6868 		flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6869 		if (flags & ~NFT_FLOWTABLE_MASK)
6870 			return -EOPNOTSUPP;
6871 		if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
6872 		    (flags & NFT_FLOWTABLE_HW_OFFLOAD))
6873 			return -EOPNOTSUPP;
6874 	} else {
6875 		flags = flowtable->data.flags;
6876 	}
6877 
6878 	err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
6879 					       &flowtable_hook.list, flowtable);
6880 	if (err < 0)
6881 		goto err_flowtable_update_hook;
6882 
6883 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
6884 				sizeof(struct nft_trans_flowtable));
6885 	if (!trans) {
6886 		unregister = true;
6887 		err = -ENOMEM;
6888 		goto err_flowtable_update_hook;
6889 	}
6890 
6891 	nft_trans_flowtable_flags(trans) = flags;
6892 	nft_trans_flowtable(trans) = flowtable;
6893 	nft_trans_flowtable_update(trans) = true;
6894 	INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6895 	list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
6896 
6897 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6898 
6899 	return 0;
6900 
6901 err_flowtable_update_hook:
6902 	list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6903 		if (unregister)
6904 			nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
6905 		list_del_rcu(&hook->list);
6906 		kfree_rcu(hook, rcu);
6907 	}
6908 
6909 	return err;
6910 
6911 }
6912 
6913 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6914 				  struct sk_buff *skb,
6915 				  const struct nlmsghdr *nlh,
6916 				  const struct nlattr * const nla[],
6917 				  struct netlink_ext_ack *extack)
6918 {
6919 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6920 	struct nft_flowtable_hook flowtable_hook;
6921 	const struct nf_flowtable_type *type;
6922 	u8 genmask = nft_genmask_next(net);
6923 	int family = nfmsg->nfgen_family;
6924 	struct nft_flowtable *flowtable;
6925 	struct nft_hook *hook, *next;
6926 	struct nft_table *table;
6927 	struct nft_ctx ctx;
6928 	int err;
6929 
6930 	if (!nla[NFTA_FLOWTABLE_TABLE] ||
6931 	    !nla[NFTA_FLOWTABLE_NAME] ||
6932 	    !nla[NFTA_FLOWTABLE_HOOK])
6933 		return -EINVAL;
6934 
6935 	table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6936 				 genmask, NETLINK_CB(skb).portid);
6937 	if (IS_ERR(table)) {
6938 		NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6939 		return PTR_ERR(table);
6940 	}
6941 
6942 	flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6943 					 genmask);
6944 	if (IS_ERR(flowtable)) {
6945 		err = PTR_ERR(flowtable);
6946 		if (err != -ENOENT) {
6947 			NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6948 			return err;
6949 		}
6950 	} else {
6951 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
6952 			NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6953 			return -EEXIST;
6954 		}
6955 
6956 		nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6957 
6958 		return nft_flowtable_update(&ctx, nlh, flowtable);
6959 	}
6960 
6961 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6962 
6963 	flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6964 	if (!flowtable)
6965 		return -ENOMEM;
6966 
6967 	flowtable->table = table;
6968 	flowtable->handle = nf_tables_alloc_handle(table);
6969 	INIT_LIST_HEAD(&flowtable->hook_list);
6970 
6971 	flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6972 	if (!flowtable->name) {
6973 		err = -ENOMEM;
6974 		goto err1;
6975 	}
6976 
6977 	type = nft_flowtable_type_get(net, family);
6978 	if (IS_ERR(type)) {
6979 		err = PTR_ERR(type);
6980 		goto err2;
6981 	}
6982 
6983 	if (nla[NFTA_FLOWTABLE_FLAGS]) {
6984 		flowtable->data.flags =
6985 			ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6986 		if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
6987 			err = -EOPNOTSUPP;
6988 			goto err3;
6989 		}
6990 	}
6991 
6992 	write_pnet(&flowtable->data.net, net);
6993 	flowtable->data.type = type;
6994 	err = type->init(&flowtable->data);
6995 	if (err < 0)
6996 		goto err3;
6997 
6998 	err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6999 				       &flowtable_hook, flowtable, true);
7000 	if (err < 0)
7001 		goto err4;
7002 
7003 	list_splice(&flowtable_hook.list, &flowtable->hook_list);
7004 	flowtable->data.priority = flowtable_hook.priority;
7005 	flowtable->hooknum = flowtable_hook.num;
7006 
7007 	err = nft_register_flowtable_net_hooks(ctx.net, table,
7008 					       &flowtable->hook_list,
7009 					       flowtable);
7010 	if (err < 0) {
7011 		nft_flowtable_hooks_destroy(&flowtable->hook_list);
7012 		goto err4;
7013 	}
7014 
7015 	err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
7016 	if (err < 0)
7017 		goto err5;
7018 
7019 	list_add_tail_rcu(&flowtable->list, &table->flowtables);
7020 	table->use++;
7021 
7022 	return 0;
7023 err5:
7024 	list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7025 		nft_unregister_flowtable_hook(net, flowtable, hook);
7026 		list_del_rcu(&hook->list);
7027 		kfree_rcu(hook, rcu);
7028 	}
7029 err4:
7030 	flowtable->data.type->free(&flowtable->data);
7031 err3:
7032 	module_put(type->owner);
7033 err2:
7034 	kfree(flowtable->name);
7035 err1:
7036 	kfree(flowtable);
7037 	return err;
7038 }
7039 
7040 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
7041 {
7042 	struct nft_hook *this, *next;
7043 
7044 	list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
7045 		list_del(&this->list);
7046 		kfree(this);
7047 	}
7048 }
7049 
7050 static int nft_delflowtable_hook(struct nft_ctx *ctx,
7051 				 struct nft_flowtable *flowtable)
7052 {
7053 	const struct nlattr * const *nla = ctx->nla;
7054 	struct nft_flowtable_hook flowtable_hook;
7055 	struct nft_hook *this, *hook;
7056 	struct nft_trans *trans;
7057 	int err;
7058 
7059 	err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7060 				       &flowtable_hook, flowtable, false);
7061 	if (err < 0)
7062 		return err;
7063 
7064 	list_for_each_entry(this, &flowtable_hook.list, list) {
7065 		hook = nft_hook_list_find(&flowtable->hook_list, this);
7066 		if (!hook) {
7067 			err = -ENOENT;
7068 			goto err_flowtable_del_hook;
7069 		}
7070 		hook->inactive = true;
7071 	}
7072 
7073 	trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
7074 				sizeof(struct nft_trans_flowtable));
7075 	if (!trans) {
7076 		err = -ENOMEM;
7077 		goto err_flowtable_del_hook;
7078 	}
7079 
7080 	nft_trans_flowtable(trans) = flowtable;
7081 	nft_trans_flowtable_update(trans) = true;
7082 	INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7083 	nft_flowtable_hook_release(&flowtable_hook);
7084 
7085 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
7086 
7087 	return 0;
7088 
7089 err_flowtable_del_hook:
7090 	list_for_each_entry(this, &flowtable_hook.list, list) {
7091 		hook = nft_hook_list_find(&flowtable->hook_list, this);
7092 		if (!hook)
7093 			break;
7094 
7095 		hook->inactive = false;
7096 	}
7097 	nft_flowtable_hook_release(&flowtable_hook);
7098 
7099 	return err;
7100 }
7101 
7102 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
7103 				  struct sk_buff *skb,
7104 				  const struct nlmsghdr *nlh,
7105 				  const struct nlattr * const nla[],
7106 				  struct netlink_ext_ack *extack)
7107 {
7108 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7109 	u8 genmask = nft_genmask_next(net);
7110 	int family = nfmsg->nfgen_family;
7111 	struct nft_flowtable *flowtable;
7112 	const struct nlattr *attr;
7113 	struct nft_table *table;
7114 	struct nft_ctx ctx;
7115 
7116 	if (!nla[NFTA_FLOWTABLE_TABLE] ||
7117 	    (!nla[NFTA_FLOWTABLE_NAME] &&
7118 	     !nla[NFTA_FLOWTABLE_HANDLE]))
7119 		return -EINVAL;
7120 
7121 	table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7122 				 genmask, NETLINK_CB(skb).portid);
7123 	if (IS_ERR(table)) {
7124 		NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7125 		return PTR_ERR(table);
7126 	}
7127 
7128 	if (nla[NFTA_FLOWTABLE_HANDLE]) {
7129 		attr = nla[NFTA_FLOWTABLE_HANDLE];
7130 		flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
7131 	} else {
7132 		attr = nla[NFTA_FLOWTABLE_NAME];
7133 		flowtable = nft_flowtable_lookup(table, attr, genmask);
7134 	}
7135 
7136 	if (IS_ERR(flowtable)) {
7137 		NL_SET_BAD_ATTR(extack, attr);
7138 		return PTR_ERR(flowtable);
7139 	}
7140 
7141 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
7142 
7143 	if (nla[NFTA_FLOWTABLE_HOOK])
7144 		return nft_delflowtable_hook(&ctx, flowtable);
7145 
7146 	if (flowtable->use > 0) {
7147 		NL_SET_BAD_ATTR(extack, attr);
7148 		return -EBUSY;
7149 	}
7150 
7151 	return nft_delflowtable(&ctx, flowtable);
7152 }
7153 
7154 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
7155 					 u32 portid, u32 seq, int event,
7156 					 u32 flags, int family,
7157 					 struct nft_flowtable *flowtable,
7158 					 struct list_head *hook_list)
7159 {
7160 	struct nlattr *nest, *nest_devs;
7161 	struct nfgenmsg *nfmsg;
7162 	struct nft_hook *hook;
7163 	struct nlmsghdr *nlh;
7164 
7165 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7166 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
7167 	if (nlh == NULL)
7168 		goto nla_put_failure;
7169 
7170 	nfmsg = nlmsg_data(nlh);
7171 	nfmsg->nfgen_family	= family;
7172 	nfmsg->version		= NFNETLINK_V0;
7173 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
7174 
7175 	if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
7176 	    nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
7177 	    nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
7178 	    nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
7179 			 NFTA_FLOWTABLE_PAD) ||
7180 	    nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
7181 		goto nla_put_failure;
7182 
7183 	nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
7184 	if (!nest)
7185 		goto nla_put_failure;
7186 	if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
7187 	    nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
7188 		goto nla_put_failure;
7189 
7190 	nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
7191 	if (!nest_devs)
7192 		goto nla_put_failure;
7193 
7194 	list_for_each_entry_rcu(hook, hook_list, list) {
7195 		if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
7196 			goto nla_put_failure;
7197 	}
7198 	nla_nest_end(skb, nest_devs);
7199 	nla_nest_end(skb, nest);
7200 
7201 	nlmsg_end(skb, nlh);
7202 	return 0;
7203 
7204 nla_put_failure:
7205 	nlmsg_trim(skb, nlh);
7206 	return -1;
7207 }
7208 
7209 struct nft_flowtable_filter {
7210 	char		*table;
7211 };
7212 
7213 static int nf_tables_dump_flowtable(struct sk_buff *skb,
7214 				    struct netlink_callback *cb)
7215 {
7216 	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7217 	struct nft_flowtable_filter *filter = cb->data;
7218 	unsigned int idx = 0, s_idx = cb->args[0];
7219 	struct net *net = sock_net(skb->sk);
7220 	int family = nfmsg->nfgen_family;
7221 	struct nft_flowtable *flowtable;
7222 	const struct nft_table *table;
7223 
7224 	rcu_read_lock();
7225 	cb->seq = net->nft.base_seq;
7226 
7227 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
7228 		if (family != NFPROTO_UNSPEC && family != table->family)
7229 			continue;
7230 
7231 		list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7232 			if (!nft_is_active(net, flowtable))
7233 				goto cont;
7234 			if (idx < s_idx)
7235 				goto cont;
7236 			if (idx > s_idx)
7237 				memset(&cb->args[1], 0,
7238 				       sizeof(cb->args) - sizeof(cb->args[0]));
7239 			if (filter && filter->table &&
7240 			    strcmp(filter->table, table->name))
7241 				goto cont;
7242 
7243 			if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
7244 							  cb->nlh->nlmsg_seq,
7245 							  NFT_MSG_NEWFLOWTABLE,
7246 							  NLM_F_MULTI | NLM_F_APPEND,
7247 							  table->family,
7248 							  flowtable,
7249 							  &flowtable->hook_list) < 0)
7250 				goto done;
7251 
7252 			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7253 cont:
7254 			idx++;
7255 		}
7256 	}
7257 done:
7258 	rcu_read_unlock();
7259 
7260 	cb->args[0] = idx;
7261 	return skb->len;
7262 }
7263 
7264 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
7265 {
7266 	const struct nlattr * const *nla = cb->data;
7267 	struct nft_flowtable_filter *filter = NULL;
7268 
7269 	if (nla[NFTA_FLOWTABLE_TABLE]) {
7270 		filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7271 		if (!filter)
7272 			return -ENOMEM;
7273 
7274 		filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
7275 					   GFP_ATOMIC);
7276 		if (!filter->table) {
7277 			kfree(filter);
7278 			return -ENOMEM;
7279 		}
7280 	}
7281 
7282 	cb->data = filter;
7283 	return 0;
7284 }
7285 
7286 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
7287 {
7288 	struct nft_flowtable_filter *filter = cb->data;
7289 
7290 	if (!filter)
7291 		return 0;
7292 
7293 	kfree(filter->table);
7294 	kfree(filter);
7295 
7296 	return 0;
7297 }
7298 
7299 /* called with rcu_read_lock held */
7300 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
7301 				  struct sk_buff *skb,
7302 				  const struct nlmsghdr *nlh,
7303 				  const struct nlattr * const nla[],
7304 				  struct netlink_ext_ack *extack)
7305 {
7306 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7307 	u8 genmask = nft_genmask_cur(net);
7308 	int family = nfmsg->nfgen_family;
7309 	struct nft_flowtable *flowtable;
7310 	const struct nft_table *table;
7311 	struct sk_buff *skb2;
7312 	int err;
7313 
7314 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
7315 		struct netlink_dump_control c = {
7316 			.start = nf_tables_dump_flowtable_start,
7317 			.dump = nf_tables_dump_flowtable,
7318 			.done = nf_tables_dump_flowtable_done,
7319 			.module = THIS_MODULE,
7320 			.data = (void *)nla,
7321 		};
7322 
7323 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
7324 	}
7325 
7326 	if (!nla[NFTA_FLOWTABLE_NAME])
7327 		return -EINVAL;
7328 
7329 	table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7330 				 genmask, 0);
7331 	if (IS_ERR(table))
7332 		return PTR_ERR(table);
7333 
7334 	flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7335 					 genmask);
7336 	if (IS_ERR(flowtable))
7337 		return PTR_ERR(flowtable);
7338 
7339 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7340 	if (!skb2)
7341 		return -ENOMEM;
7342 
7343 	err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7344 					    nlh->nlmsg_seq,
7345 					    NFT_MSG_NEWFLOWTABLE, 0, family,
7346 					    flowtable, &flowtable->hook_list);
7347 	if (err < 0)
7348 		goto err_fill_flowtable_info;
7349 
7350 	return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7351 
7352 err_fill_flowtable_info:
7353 	kfree_skb(skb2);
7354 	return err;
7355 }
7356 
7357 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7358 				       struct nft_flowtable *flowtable,
7359 				       struct list_head *hook_list,
7360 				       int event)
7361 {
7362 	struct sk_buff *skb;
7363 	int err;
7364 	char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
7365 			      flowtable->table->name, flowtable->table->handle,
7366 			      flowtable->name, flowtable->handle);
7367 
7368 	audit_log_nfcfg(buf,
7369 			ctx->family,
7370 			flowtable->hooknum,
7371 			event == NFT_MSG_NEWFLOWTABLE ?
7372 				AUDIT_NFT_OP_FLOWTABLE_REGISTER :
7373 				AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
7374 			GFP_KERNEL);
7375 	kfree(buf);
7376 
7377 	if (!ctx->report &&
7378 	    !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7379 		return;
7380 
7381 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7382 	if (skb == NULL)
7383 		goto err;
7384 
7385 	err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7386 					    ctx->seq, event, 0,
7387 					    ctx->family, flowtable, hook_list);
7388 	if (err < 0) {
7389 		kfree_skb(skb);
7390 		goto err;
7391 	}
7392 
7393 	nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
7394 	return;
7395 err:
7396 	nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7397 }
7398 
7399 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7400 {
7401 	struct nft_hook *hook, *next;
7402 
7403 	flowtable->data.type->free(&flowtable->data);
7404 	list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7405 		flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7406 					    FLOW_BLOCK_UNBIND);
7407 		list_del_rcu(&hook->list);
7408 		kfree(hook);
7409 	}
7410 	kfree(flowtable->name);
7411 	module_put(flowtable->data.type->owner);
7412 	kfree(flowtable);
7413 }
7414 
7415 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7416 				   u32 portid, u32 seq)
7417 {
7418 	struct nlmsghdr *nlh;
7419 	struct nfgenmsg *nfmsg;
7420 	char buf[TASK_COMM_LEN];
7421 	int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7422 
7423 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
7424 	if (nlh == NULL)
7425 		goto nla_put_failure;
7426 
7427 	nfmsg = nlmsg_data(nlh);
7428 	nfmsg->nfgen_family	= AF_UNSPEC;
7429 	nfmsg->version		= NFNETLINK_V0;
7430 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
7431 
7432 	if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
7433 	    nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7434 	    nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7435 		goto nla_put_failure;
7436 
7437 	nlmsg_end(skb, nlh);
7438 	return 0;
7439 
7440 nla_put_failure:
7441 	nlmsg_trim(skb, nlh);
7442 	return -EMSGSIZE;
7443 }
7444 
7445 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7446 				struct nft_flowtable *flowtable)
7447 {
7448 	struct nft_hook *hook;
7449 
7450 	list_for_each_entry(hook, &flowtable->hook_list, list) {
7451 		if (hook->ops.dev != dev)
7452 			continue;
7453 
7454 		/* flow_offload_netdev_event() cleans up entries for us. */
7455 		nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7456 		list_del_rcu(&hook->list);
7457 		kfree_rcu(hook, rcu);
7458 		break;
7459 	}
7460 }
7461 
7462 static int nf_tables_flowtable_event(struct notifier_block *this,
7463 				     unsigned long event, void *ptr)
7464 {
7465 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7466 	struct nft_flowtable *flowtable;
7467 	struct nft_table *table;
7468 	struct net *net;
7469 
7470 	if (event != NETDEV_UNREGISTER)
7471 		return 0;
7472 
7473 	net = dev_net(dev);
7474 	mutex_lock(&net->nft.commit_mutex);
7475 	list_for_each_entry(table, &net->nft.tables, list) {
7476 		list_for_each_entry(flowtable, &table->flowtables, list) {
7477 			nft_flowtable_event(event, dev, flowtable);
7478 		}
7479 	}
7480 	mutex_unlock(&net->nft.commit_mutex);
7481 
7482 	return NOTIFY_DONE;
7483 }
7484 
7485 static struct notifier_block nf_tables_flowtable_notifier = {
7486 	.notifier_call	= nf_tables_flowtable_event,
7487 };
7488 
7489 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7490 				 int event)
7491 {
7492 	struct nlmsghdr *nlh = nlmsg_hdr(skb);
7493 	struct sk_buff *skb2;
7494 	int err;
7495 
7496 	audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq,
7497 			AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL);
7498 
7499 	if (!nlmsg_report(nlh) &&
7500 	    !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7501 		return;
7502 
7503 	skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7504 	if (skb2 == NULL)
7505 		goto err;
7506 
7507 	err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7508 				      nlh->nlmsg_seq);
7509 	if (err < 0) {
7510 		kfree_skb(skb2);
7511 		goto err;
7512 	}
7513 
7514 	nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7515 		       nlmsg_report(nlh), GFP_KERNEL);
7516 	return;
7517 err:
7518 	nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7519 			  -ENOBUFS);
7520 }
7521 
7522 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
7523 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
7524 			    const struct nlattr * const nla[],
7525 			    struct netlink_ext_ack *extack)
7526 {
7527 	struct sk_buff *skb2;
7528 	int err;
7529 
7530 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7531 	if (skb2 == NULL)
7532 		return -ENOMEM;
7533 
7534 	err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7535 				      nlh->nlmsg_seq);
7536 	if (err < 0)
7537 		goto err_fill_gen_info;
7538 
7539 	return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7540 
7541 err_fill_gen_info:
7542 	kfree_skb(skb2);
7543 	return err;
7544 }
7545 
7546 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7547 	[NFT_MSG_NEWTABLE] = {
7548 		.call_batch	= nf_tables_newtable,
7549 		.attr_count	= NFTA_TABLE_MAX,
7550 		.policy		= nft_table_policy,
7551 	},
7552 	[NFT_MSG_GETTABLE] = {
7553 		.call_rcu	= nf_tables_gettable,
7554 		.attr_count	= NFTA_TABLE_MAX,
7555 		.policy		= nft_table_policy,
7556 	},
7557 	[NFT_MSG_DELTABLE] = {
7558 		.call_batch	= nf_tables_deltable,
7559 		.attr_count	= NFTA_TABLE_MAX,
7560 		.policy		= nft_table_policy,
7561 	},
7562 	[NFT_MSG_NEWCHAIN] = {
7563 		.call_batch	= nf_tables_newchain,
7564 		.attr_count	= NFTA_CHAIN_MAX,
7565 		.policy		= nft_chain_policy,
7566 	},
7567 	[NFT_MSG_GETCHAIN] = {
7568 		.call_rcu	= nf_tables_getchain,
7569 		.attr_count	= NFTA_CHAIN_MAX,
7570 		.policy		= nft_chain_policy,
7571 	},
7572 	[NFT_MSG_DELCHAIN] = {
7573 		.call_batch	= nf_tables_delchain,
7574 		.attr_count	= NFTA_CHAIN_MAX,
7575 		.policy		= nft_chain_policy,
7576 	},
7577 	[NFT_MSG_NEWRULE] = {
7578 		.call_batch	= nf_tables_newrule,
7579 		.attr_count	= NFTA_RULE_MAX,
7580 		.policy		= nft_rule_policy,
7581 	},
7582 	[NFT_MSG_GETRULE] = {
7583 		.call_rcu	= nf_tables_getrule,
7584 		.attr_count	= NFTA_RULE_MAX,
7585 		.policy		= nft_rule_policy,
7586 	},
7587 	[NFT_MSG_DELRULE] = {
7588 		.call_batch	= nf_tables_delrule,
7589 		.attr_count	= NFTA_RULE_MAX,
7590 		.policy		= nft_rule_policy,
7591 	},
7592 	[NFT_MSG_NEWSET] = {
7593 		.call_batch	= nf_tables_newset,
7594 		.attr_count	= NFTA_SET_MAX,
7595 		.policy		= nft_set_policy,
7596 	},
7597 	[NFT_MSG_GETSET] = {
7598 		.call_rcu	= nf_tables_getset,
7599 		.attr_count	= NFTA_SET_MAX,
7600 		.policy		= nft_set_policy,
7601 	},
7602 	[NFT_MSG_DELSET] = {
7603 		.call_batch	= nf_tables_delset,
7604 		.attr_count	= NFTA_SET_MAX,
7605 		.policy		= nft_set_policy,
7606 	},
7607 	[NFT_MSG_NEWSETELEM] = {
7608 		.call_batch	= nf_tables_newsetelem,
7609 		.attr_count	= NFTA_SET_ELEM_LIST_MAX,
7610 		.policy		= nft_set_elem_list_policy,
7611 	},
7612 	[NFT_MSG_GETSETELEM] = {
7613 		.call_rcu	= nf_tables_getsetelem,
7614 		.attr_count	= NFTA_SET_ELEM_LIST_MAX,
7615 		.policy		= nft_set_elem_list_policy,
7616 	},
7617 	[NFT_MSG_DELSETELEM] = {
7618 		.call_batch	= nf_tables_delsetelem,
7619 		.attr_count	= NFTA_SET_ELEM_LIST_MAX,
7620 		.policy		= nft_set_elem_list_policy,
7621 	},
7622 	[NFT_MSG_GETGEN] = {
7623 		.call_rcu	= nf_tables_getgen,
7624 	},
7625 	[NFT_MSG_NEWOBJ] = {
7626 		.call_batch	= nf_tables_newobj,
7627 		.attr_count	= NFTA_OBJ_MAX,
7628 		.policy		= nft_obj_policy,
7629 	},
7630 	[NFT_MSG_GETOBJ] = {
7631 		.call_rcu	= nf_tables_getobj,
7632 		.attr_count	= NFTA_OBJ_MAX,
7633 		.policy		= nft_obj_policy,
7634 	},
7635 	[NFT_MSG_DELOBJ] = {
7636 		.call_batch	= nf_tables_delobj,
7637 		.attr_count	= NFTA_OBJ_MAX,
7638 		.policy		= nft_obj_policy,
7639 	},
7640 	[NFT_MSG_GETOBJ_RESET] = {
7641 		.call_rcu	= nf_tables_getobj,
7642 		.attr_count	= NFTA_OBJ_MAX,
7643 		.policy		= nft_obj_policy,
7644 	},
7645 	[NFT_MSG_NEWFLOWTABLE] = {
7646 		.call_batch	= nf_tables_newflowtable,
7647 		.attr_count	= NFTA_FLOWTABLE_MAX,
7648 		.policy		= nft_flowtable_policy,
7649 	},
7650 	[NFT_MSG_GETFLOWTABLE] = {
7651 		.call_rcu	= nf_tables_getflowtable,
7652 		.attr_count	= NFTA_FLOWTABLE_MAX,
7653 		.policy		= nft_flowtable_policy,
7654 	},
7655 	[NFT_MSG_DELFLOWTABLE] = {
7656 		.call_batch	= nf_tables_delflowtable,
7657 		.attr_count	= NFTA_FLOWTABLE_MAX,
7658 		.policy		= nft_flowtable_policy,
7659 	},
7660 };
7661 
7662 static int nf_tables_validate(struct net *net)
7663 {
7664 	struct nft_table *table;
7665 
7666 	switch (net->nft.validate_state) {
7667 	case NFT_VALIDATE_SKIP:
7668 		break;
7669 	case NFT_VALIDATE_NEED:
7670 		nft_validate_state_update(net, NFT_VALIDATE_DO);
7671 		fallthrough;
7672 	case NFT_VALIDATE_DO:
7673 		list_for_each_entry(table, &net->nft.tables, list) {
7674 			if (nft_table_validate(net, table) < 0)
7675 				return -EAGAIN;
7676 		}
7677 		break;
7678 	}
7679 
7680 	return 0;
7681 }
7682 
7683 /* a drop policy has to be deferred until all rules have been activated,
7684  * otherwise a large ruleset that contains a drop-policy base chain will
7685  * cause all packets to get dropped until the full transaction has been
7686  * processed.
7687  *
7688  * We defer the drop policy until the transaction has been finalized.
7689  */
7690 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7691 {
7692 	struct nft_base_chain *basechain;
7693 
7694 	if (nft_trans_chain_policy(trans) != NF_DROP)
7695 		return;
7696 
7697 	if (!nft_is_base_chain(trans->ctx.chain))
7698 		return;
7699 
7700 	basechain = nft_base_chain(trans->ctx.chain);
7701 	basechain->policy = NF_DROP;
7702 }
7703 
7704 static void nft_chain_commit_update(struct nft_trans *trans)
7705 {
7706 	struct nft_base_chain *basechain;
7707 
7708 	if (nft_trans_chain_name(trans)) {
7709 		rhltable_remove(&trans->ctx.table->chains_ht,
7710 				&trans->ctx.chain->rhlhead,
7711 				nft_chain_ht_params);
7712 		swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7713 		rhltable_insert_key(&trans->ctx.table->chains_ht,
7714 				    trans->ctx.chain->name,
7715 				    &trans->ctx.chain->rhlhead,
7716 				    nft_chain_ht_params);
7717 	}
7718 
7719 	if (!nft_is_base_chain(trans->ctx.chain))
7720 		return;
7721 
7722 	nft_chain_stats_replace(trans);
7723 
7724 	basechain = nft_base_chain(trans->ctx.chain);
7725 
7726 	switch (nft_trans_chain_policy(trans)) {
7727 	case NF_DROP:
7728 	case NF_ACCEPT:
7729 		basechain->policy = nft_trans_chain_policy(trans);
7730 		break;
7731 	}
7732 }
7733 
7734 static void nft_obj_commit_update(struct nft_trans *trans)
7735 {
7736 	struct nft_object *newobj;
7737 	struct nft_object *obj;
7738 
7739 	obj = nft_trans_obj(trans);
7740 	newobj = nft_trans_obj_newobj(trans);
7741 
7742 	if (obj->ops->update)
7743 		obj->ops->update(obj, newobj);
7744 
7745 	kfree(newobj);
7746 }
7747 
7748 static void nft_commit_release(struct nft_trans *trans)
7749 {
7750 	switch (trans->msg_type) {
7751 	case NFT_MSG_DELTABLE:
7752 		nf_tables_table_destroy(&trans->ctx);
7753 		break;
7754 	case NFT_MSG_NEWCHAIN:
7755 		free_percpu(nft_trans_chain_stats(trans));
7756 		kfree(nft_trans_chain_name(trans));
7757 		break;
7758 	case NFT_MSG_DELCHAIN:
7759 		nf_tables_chain_destroy(&trans->ctx);
7760 		break;
7761 	case NFT_MSG_DELRULE:
7762 		nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7763 		break;
7764 	case NFT_MSG_DELSET:
7765 		nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7766 		break;
7767 	case NFT_MSG_DELSETELEM:
7768 		nf_tables_set_elem_destroy(&trans->ctx,
7769 					   nft_trans_elem_set(trans),
7770 					   nft_trans_elem(trans).priv);
7771 		break;
7772 	case NFT_MSG_DELOBJ:
7773 		nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7774 		break;
7775 	case NFT_MSG_DELFLOWTABLE:
7776 		if (nft_trans_flowtable_update(trans))
7777 			nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7778 		else
7779 			nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7780 		break;
7781 	}
7782 
7783 	if (trans->put_net)
7784 		put_net(trans->ctx.net);
7785 
7786 	kfree(trans);
7787 }
7788 
7789 static void nf_tables_trans_destroy_work(struct work_struct *w)
7790 {
7791 	struct nft_trans *trans, *next;
7792 	LIST_HEAD(head);
7793 
7794 	spin_lock(&nf_tables_destroy_list_lock);
7795 	list_splice_init(&nf_tables_destroy_list, &head);
7796 	spin_unlock(&nf_tables_destroy_list_lock);
7797 
7798 	if (list_empty(&head))
7799 		return;
7800 
7801 	synchronize_rcu();
7802 
7803 	list_for_each_entry_safe(trans, next, &head, list) {
7804 		list_del(&trans->list);
7805 		nft_commit_release(trans);
7806 	}
7807 }
7808 
7809 void nf_tables_trans_destroy_flush_work(void)
7810 {
7811 	flush_work(&trans_destroy_work);
7812 }
7813 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
7814 
7815 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7816 {
7817 	struct nft_rule *rule;
7818 	unsigned int alloc = 0;
7819 	int i;
7820 
7821 	/* already handled or inactive chain? */
7822 	if (chain->rules_next || !nft_is_active_next(net, chain))
7823 		return 0;
7824 
7825 	rule = list_entry(&chain->rules, struct nft_rule, list);
7826 	i = 0;
7827 
7828 	list_for_each_entry_continue(rule, &chain->rules, list) {
7829 		if (nft_is_active_next(net, rule))
7830 			alloc++;
7831 	}
7832 
7833 	chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7834 	if (!chain->rules_next)
7835 		return -ENOMEM;
7836 
7837 	list_for_each_entry_continue(rule, &chain->rules, list) {
7838 		if (nft_is_active_next(net, rule))
7839 			chain->rules_next[i++] = rule;
7840 	}
7841 
7842 	chain->rules_next[i] = NULL;
7843 	return 0;
7844 }
7845 
7846 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7847 {
7848 	struct nft_trans *trans, *next;
7849 
7850 	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7851 		struct nft_chain *chain = trans->ctx.chain;
7852 
7853 		if (trans->msg_type == NFT_MSG_NEWRULE ||
7854 		    trans->msg_type == NFT_MSG_DELRULE) {
7855 			kvfree(chain->rules_next);
7856 			chain->rules_next = NULL;
7857 		}
7858 	}
7859 }
7860 
7861 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7862 {
7863 	struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7864 
7865 	kvfree(o->start);
7866 }
7867 
7868 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7869 {
7870 	struct nft_rule **r = rules;
7871 	struct nft_rules_old *old;
7872 
7873 	while (*r)
7874 		r++;
7875 
7876 	r++;	/* rcu_head is after end marker */
7877 	old = (void *) r;
7878 	old->start = rules;
7879 
7880 	call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7881 }
7882 
7883 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7884 {
7885 	struct nft_rule **g0, **g1;
7886 	bool next_genbit;
7887 
7888 	next_genbit = nft_gencursor_next(net);
7889 
7890 	g0 = rcu_dereference_protected(chain->rules_gen_0,
7891 				       lockdep_commit_lock_is_held(net));
7892 	g1 = rcu_dereference_protected(chain->rules_gen_1,
7893 				       lockdep_commit_lock_is_held(net));
7894 
7895 	/* No changes to this chain? */
7896 	if (chain->rules_next == NULL) {
7897 		/* chain had no change in last or next generation */
7898 		if (g0 == g1)
7899 			return;
7900 		/*
7901 		 * chain had no change in this generation; make sure next
7902 		 * one uses same rules as current generation.
7903 		 */
7904 		if (next_genbit) {
7905 			rcu_assign_pointer(chain->rules_gen_1, g0);
7906 			nf_tables_commit_chain_free_rules_old(g1);
7907 		} else {
7908 			rcu_assign_pointer(chain->rules_gen_0, g1);
7909 			nf_tables_commit_chain_free_rules_old(g0);
7910 		}
7911 
7912 		return;
7913 	}
7914 
7915 	if (next_genbit)
7916 		rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7917 	else
7918 		rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7919 
7920 	chain->rules_next = NULL;
7921 
7922 	if (g0 == g1)
7923 		return;
7924 
7925 	if (next_genbit)
7926 		nf_tables_commit_chain_free_rules_old(g1);
7927 	else
7928 		nf_tables_commit_chain_free_rules_old(g0);
7929 }
7930 
7931 static void nft_obj_del(struct nft_object *obj)
7932 {
7933 	rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7934 	list_del_rcu(&obj->list);
7935 }
7936 
7937 void nft_chain_del(struct nft_chain *chain)
7938 {
7939 	struct nft_table *table = chain->table;
7940 
7941 	WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7942 				     nft_chain_ht_params));
7943 	list_del_rcu(&chain->list);
7944 }
7945 
7946 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
7947 				    struct list_head *hook_list)
7948 {
7949 	struct nft_hook *hook, *next;
7950 
7951 	list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7952 		if (hook->inactive)
7953 			list_move(&hook->list, hook_list);
7954 	}
7955 }
7956 
7957 static void nf_tables_module_autoload_cleanup(struct net *net)
7958 {
7959 	struct nft_module_request *req, *next;
7960 
7961 	WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7962 	list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7963 		WARN_ON_ONCE(!req->done);
7964 		list_del(&req->list);
7965 		kfree(req);
7966 	}
7967 }
7968 
7969 static void nf_tables_commit_release(struct net *net)
7970 {
7971 	struct nft_trans *trans;
7972 
7973 	/* all side effects have to be made visible.
7974 	 * For example, if a chain named 'foo' has been deleted, a
7975 	 * new transaction must not find it anymore.
7976 	 *
7977 	 * Memory reclaim happens asynchronously from work queue
7978 	 * to prevent expensive synchronize_rcu() in commit phase.
7979 	 */
7980 	if (list_empty(&net->nft.commit_list)) {
7981 		nf_tables_module_autoload_cleanup(net);
7982 		mutex_unlock(&net->nft.commit_mutex);
7983 		return;
7984 	}
7985 
7986 	trans = list_last_entry(&net->nft.commit_list,
7987 				struct nft_trans, list);
7988 	get_net(trans->ctx.net);
7989 	WARN_ON_ONCE(trans->put_net);
7990 
7991 	trans->put_net = true;
7992 	spin_lock(&nf_tables_destroy_list_lock);
7993 	list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7994 	spin_unlock(&nf_tables_destroy_list_lock);
7995 
7996 	nf_tables_module_autoload_cleanup(net);
7997 	schedule_work(&trans_destroy_work);
7998 
7999 	mutex_unlock(&net->nft.commit_mutex);
8000 }
8001 
8002 static void nft_commit_notify(struct net *net, u32 portid)
8003 {
8004 	struct sk_buff *batch_skb = NULL, *nskb, *skb;
8005 	unsigned char *data;
8006 	int len;
8007 
8008 	list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) {
8009 		if (!batch_skb) {
8010 new_batch:
8011 			batch_skb = skb;
8012 			len = NLMSG_GOODSIZE - skb->len;
8013 			list_del(&skb->list);
8014 			continue;
8015 		}
8016 		len -= skb->len;
8017 		if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
8018 			data = skb_put(batch_skb, skb->len);
8019 			memcpy(data, skb->data, skb->len);
8020 			list_del(&skb->list);
8021 			kfree_skb(skb);
8022 			continue;
8023 		}
8024 		nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8025 			       NFT_CB(batch_skb).report, GFP_KERNEL);
8026 		goto new_batch;
8027 	}
8028 
8029 	if (batch_skb) {
8030 		nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8031 			       NFT_CB(batch_skb).report, GFP_KERNEL);
8032 	}
8033 
8034 	WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
8035 }
8036 
8037 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
8038 {
8039 	struct nft_trans *trans, *next;
8040 	struct nft_trans_elem *te;
8041 	struct nft_chain *chain;
8042 	struct nft_table *table;
8043 	int err;
8044 
8045 	if (list_empty(&net->nft.commit_list)) {
8046 		mutex_unlock(&net->nft.commit_mutex);
8047 		return 0;
8048 	}
8049 
8050 	/* 0. Validate ruleset, otherwise roll back for error reporting. */
8051 	if (nf_tables_validate(net) < 0)
8052 		return -EAGAIN;
8053 
8054 	err = nft_flow_rule_offload_commit(net);
8055 	if (err < 0)
8056 		return err;
8057 
8058 	/* 1.  Allocate space for next generation rules_gen_X[] */
8059 	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
8060 		int ret;
8061 
8062 		if (trans->msg_type == NFT_MSG_NEWRULE ||
8063 		    trans->msg_type == NFT_MSG_DELRULE) {
8064 			chain = trans->ctx.chain;
8065 
8066 			ret = nf_tables_commit_chain_prepare(net, chain);
8067 			if (ret < 0) {
8068 				nf_tables_commit_chain_prepare_cancel(net);
8069 				return ret;
8070 			}
8071 		}
8072 	}
8073 
8074 	/* step 2.  Make rules_gen_X visible to packet path */
8075 	list_for_each_entry(table, &net->nft.tables, list) {
8076 		list_for_each_entry(chain, &table->chains, list)
8077 			nf_tables_commit_chain(net, chain);
8078 	}
8079 
8080 	/*
8081 	 * Bump generation counter, invalidate any dump in progress.
8082 	 * Cannot fail after this point.
8083 	 */
8084 	while (++net->nft.base_seq == 0);
8085 
8086 	/* step 3. Start new generation, rules_gen_X now in use. */
8087 	net->nft.gencursor = nft_gencursor_next(net);
8088 
8089 	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
8090 		switch (trans->msg_type) {
8091 		case NFT_MSG_NEWTABLE:
8092 			if (nft_trans_table_update(trans)) {
8093 				if (nft_trans_table_state(trans) == NFT_TABLE_STATE_DORMANT)
8094 					nf_tables_table_disable(net, trans->ctx.table);
8095 
8096 				trans->ctx.table->flags = nft_trans_table_flags(trans);
8097 			} else {
8098 				nft_clear(net, trans->ctx.table);
8099 			}
8100 			nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
8101 			nft_trans_destroy(trans);
8102 			break;
8103 		case NFT_MSG_DELTABLE:
8104 			list_del_rcu(&trans->ctx.table->list);
8105 			nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
8106 			break;
8107 		case NFT_MSG_NEWCHAIN:
8108 			if (nft_trans_chain_update(trans)) {
8109 				nft_chain_commit_update(trans);
8110 				nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8111 				/* trans destroyed after rcu grace period */
8112 			} else {
8113 				nft_chain_commit_drop_policy(trans);
8114 				nft_clear(net, trans->ctx.chain);
8115 				nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8116 				nft_trans_destroy(trans);
8117 			}
8118 			break;
8119 		case NFT_MSG_DELCHAIN:
8120 			nft_chain_del(trans->ctx.chain);
8121 			nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
8122 			nf_tables_unregister_hook(trans->ctx.net,
8123 						  trans->ctx.table,
8124 						  trans->ctx.chain);
8125 			break;
8126 		case NFT_MSG_NEWRULE:
8127 			nft_clear(trans->ctx.net, nft_trans_rule(trans));
8128 			nf_tables_rule_notify(&trans->ctx,
8129 					      nft_trans_rule(trans),
8130 					      NFT_MSG_NEWRULE);
8131 			nft_trans_destroy(trans);
8132 			break;
8133 		case NFT_MSG_DELRULE:
8134 			list_del_rcu(&nft_trans_rule(trans)->list);
8135 			nf_tables_rule_notify(&trans->ctx,
8136 					      nft_trans_rule(trans),
8137 					      NFT_MSG_DELRULE);
8138 			nft_rule_expr_deactivate(&trans->ctx,
8139 						 nft_trans_rule(trans),
8140 						 NFT_TRANS_COMMIT);
8141 			break;
8142 		case NFT_MSG_NEWSET:
8143 			nft_clear(net, nft_trans_set(trans));
8144 			/* This avoids hitting -EBUSY when deleting the table
8145 			 * from the transaction.
8146 			 */
8147 			if (nft_set_is_anonymous(nft_trans_set(trans)) &&
8148 			    !list_empty(&nft_trans_set(trans)->bindings))
8149 				trans->ctx.table->use--;
8150 
8151 			nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8152 					     NFT_MSG_NEWSET, GFP_KERNEL);
8153 			nft_trans_destroy(trans);
8154 			break;
8155 		case NFT_MSG_DELSET:
8156 			list_del_rcu(&nft_trans_set(trans)->list);
8157 			nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8158 					     NFT_MSG_DELSET, GFP_KERNEL);
8159 			break;
8160 		case NFT_MSG_NEWSETELEM:
8161 			te = (struct nft_trans_elem *)trans->data;
8162 
8163 			te->set->ops->activate(net, te->set, &te->elem);
8164 			nf_tables_setelem_notify(&trans->ctx, te->set,
8165 						 &te->elem,
8166 						 NFT_MSG_NEWSETELEM, 0);
8167 			nft_trans_destroy(trans);
8168 			break;
8169 		case NFT_MSG_DELSETELEM:
8170 			te = (struct nft_trans_elem *)trans->data;
8171 
8172 			nf_tables_setelem_notify(&trans->ctx, te->set,
8173 						 &te->elem,
8174 						 NFT_MSG_DELSETELEM, 0);
8175 			te->set->ops->remove(net, te->set, &te->elem);
8176 			atomic_dec(&te->set->nelems);
8177 			te->set->ndeact--;
8178 			break;
8179 		case NFT_MSG_NEWOBJ:
8180 			if (nft_trans_obj_update(trans)) {
8181 				nft_obj_commit_update(trans);
8182 				nf_tables_obj_notify(&trans->ctx,
8183 						     nft_trans_obj(trans),
8184 						     NFT_MSG_NEWOBJ);
8185 			} else {
8186 				nft_clear(net, nft_trans_obj(trans));
8187 				nf_tables_obj_notify(&trans->ctx,
8188 						     nft_trans_obj(trans),
8189 						     NFT_MSG_NEWOBJ);
8190 				nft_trans_destroy(trans);
8191 			}
8192 			break;
8193 		case NFT_MSG_DELOBJ:
8194 			nft_obj_del(nft_trans_obj(trans));
8195 			nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
8196 					     NFT_MSG_DELOBJ);
8197 			break;
8198 		case NFT_MSG_NEWFLOWTABLE:
8199 			if (nft_trans_flowtable_update(trans)) {
8200 				nft_trans_flowtable(trans)->data.flags =
8201 					nft_trans_flowtable_flags(trans);
8202 				nf_tables_flowtable_notify(&trans->ctx,
8203 							   nft_trans_flowtable(trans),
8204 							   &nft_trans_flowtable_hooks(trans),
8205 							   NFT_MSG_NEWFLOWTABLE);
8206 				list_splice(&nft_trans_flowtable_hooks(trans),
8207 					    &nft_trans_flowtable(trans)->hook_list);
8208 			} else {
8209 				nft_clear(net, nft_trans_flowtable(trans));
8210 				nf_tables_flowtable_notify(&trans->ctx,
8211 							   nft_trans_flowtable(trans),
8212 							   &nft_trans_flowtable(trans)->hook_list,
8213 							   NFT_MSG_NEWFLOWTABLE);
8214 			}
8215 			nft_trans_destroy(trans);
8216 			break;
8217 		case NFT_MSG_DELFLOWTABLE:
8218 			if (nft_trans_flowtable_update(trans)) {
8219 				nft_flowtable_hooks_del(nft_trans_flowtable(trans),
8220 							&nft_trans_flowtable_hooks(trans));
8221 				nf_tables_flowtable_notify(&trans->ctx,
8222 							   nft_trans_flowtable(trans),
8223 							   &nft_trans_flowtable_hooks(trans),
8224 							   NFT_MSG_DELFLOWTABLE);
8225 				nft_unregister_flowtable_net_hooks(net,
8226 								   &nft_trans_flowtable_hooks(trans));
8227 			} else {
8228 				list_del_rcu(&nft_trans_flowtable(trans)->list);
8229 				nf_tables_flowtable_notify(&trans->ctx,
8230 							   nft_trans_flowtable(trans),
8231 							   &nft_trans_flowtable(trans)->hook_list,
8232 							   NFT_MSG_DELFLOWTABLE);
8233 				nft_unregister_flowtable_net_hooks(net,
8234 						&nft_trans_flowtable(trans)->hook_list);
8235 			}
8236 			break;
8237 		}
8238 	}
8239 
8240 	nft_commit_notify(net, NETLINK_CB(skb).portid);
8241 	nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
8242 	nf_tables_commit_release(net);
8243 
8244 	return 0;
8245 }
8246 
8247 static void nf_tables_module_autoload(struct net *net)
8248 {
8249 	struct nft_module_request *req, *next;
8250 	LIST_HEAD(module_list);
8251 
8252 	list_splice_init(&net->nft.module_list, &module_list);
8253 	mutex_unlock(&net->nft.commit_mutex);
8254 	list_for_each_entry_safe(req, next, &module_list, list) {
8255 		request_module("%s", req->module);
8256 		req->done = true;
8257 	}
8258 	mutex_lock(&net->nft.commit_mutex);
8259 	list_splice(&module_list, &net->nft.module_list);
8260 }
8261 
8262 static void nf_tables_abort_release(struct nft_trans *trans)
8263 {
8264 	switch (trans->msg_type) {
8265 	case NFT_MSG_NEWTABLE:
8266 		nf_tables_table_destroy(&trans->ctx);
8267 		break;
8268 	case NFT_MSG_NEWCHAIN:
8269 		nf_tables_chain_destroy(&trans->ctx);
8270 		break;
8271 	case NFT_MSG_NEWRULE:
8272 		nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8273 		break;
8274 	case NFT_MSG_NEWSET:
8275 		nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8276 		break;
8277 	case NFT_MSG_NEWSETELEM:
8278 		nft_set_elem_destroy(nft_trans_elem_set(trans),
8279 				     nft_trans_elem(trans).priv, true);
8280 		break;
8281 	case NFT_MSG_NEWOBJ:
8282 		nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8283 		break;
8284 	case NFT_MSG_NEWFLOWTABLE:
8285 		if (nft_trans_flowtable_update(trans))
8286 			nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8287 		else
8288 			nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8289 		break;
8290 	}
8291 	kfree(trans);
8292 }
8293 
8294 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
8295 {
8296 	struct nft_trans *trans, *next;
8297 	struct nft_trans_elem *te;
8298 	struct nft_hook *hook;
8299 
8300 	if (action == NFNL_ABORT_VALIDATE &&
8301 	    nf_tables_validate(net) < 0)
8302 		return -EAGAIN;
8303 
8304 	list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
8305 					 list) {
8306 		switch (trans->msg_type) {
8307 		case NFT_MSG_NEWTABLE:
8308 			if (nft_trans_table_update(trans)) {
8309 				if (nft_trans_table_state(trans) == NFT_TABLE_STATE_WAKEUP)
8310 					nf_tables_table_disable(net, trans->ctx.table);
8311 
8312 				nft_trans_destroy(trans);
8313 			} else {
8314 				list_del_rcu(&trans->ctx.table->list);
8315 			}
8316 			break;
8317 		case NFT_MSG_DELTABLE:
8318 			nft_clear(trans->ctx.net, trans->ctx.table);
8319 			nft_trans_destroy(trans);
8320 			break;
8321 		case NFT_MSG_NEWCHAIN:
8322 			if (nft_trans_chain_update(trans)) {
8323 				free_percpu(nft_trans_chain_stats(trans));
8324 				kfree(nft_trans_chain_name(trans));
8325 				nft_trans_destroy(trans);
8326 			} else {
8327 				if (nft_chain_is_bound(trans->ctx.chain)) {
8328 					nft_trans_destroy(trans);
8329 					break;
8330 				}
8331 				trans->ctx.table->use--;
8332 				nft_chain_del(trans->ctx.chain);
8333 				nf_tables_unregister_hook(trans->ctx.net,
8334 							  trans->ctx.table,
8335 							  trans->ctx.chain);
8336 			}
8337 			break;
8338 		case NFT_MSG_DELCHAIN:
8339 			trans->ctx.table->use++;
8340 			nft_clear(trans->ctx.net, trans->ctx.chain);
8341 			nft_trans_destroy(trans);
8342 			break;
8343 		case NFT_MSG_NEWRULE:
8344 			trans->ctx.chain->use--;
8345 			list_del_rcu(&nft_trans_rule(trans)->list);
8346 			nft_rule_expr_deactivate(&trans->ctx,
8347 						 nft_trans_rule(trans),
8348 						 NFT_TRANS_ABORT);
8349 			break;
8350 		case NFT_MSG_DELRULE:
8351 			trans->ctx.chain->use++;
8352 			nft_clear(trans->ctx.net, nft_trans_rule(trans));
8353 			nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
8354 			nft_trans_destroy(trans);
8355 			break;
8356 		case NFT_MSG_NEWSET:
8357 			trans->ctx.table->use--;
8358 			if (nft_trans_set_bound(trans)) {
8359 				nft_trans_destroy(trans);
8360 				break;
8361 			}
8362 			list_del_rcu(&nft_trans_set(trans)->list);
8363 			break;
8364 		case NFT_MSG_DELSET:
8365 			trans->ctx.table->use++;
8366 			nft_clear(trans->ctx.net, nft_trans_set(trans));
8367 			nft_trans_destroy(trans);
8368 			break;
8369 		case NFT_MSG_NEWSETELEM:
8370 			if (nft_trans_elem_set_bound(trans)) {
8371 				nft_trans_destroy(trans);
8372 				break;
8373 			}
8374 			te = (struct nft_trans_elem *)trans->data;
8375 			te->set->ops->remove(net, te->set, &te->elem);
8376 			atomic_dec(&te->set->nelems);
8377 			break;
8378 		case NFT_MSG_DELSETELEM:
8379 			te = (struct nft_trans_elem *)trans->data;
8380 
8381 			nft_set_elem_activate(net, te->set, &te->elem);
8382 			te->set->ops->activate(net, te->set, &te->elem);
8383 			te->set->ndeact--;
8384 
8385 			nft_trans_destroy(trans);
8386 			break;
8387 		case NFT_MSG_NEWOBJ:
8388 			if (nft_trans_obj_update(trans)) {
8389 				kfree(nft_trans_obj_newobj(trans));
8390 				nft_trans_destroy(trans);
8391 			} else {
8392 				trans->ctx.table->use--;
8393 				nft_obj_del(nft_trans_obj(trans));
8394 			}
8395 			break;
8396 		case NFT_MSG_DELOBJ:
8397 			trans->ctx.table->use++;
8398 			nft_clear(trans->ctx.net, nft_trans_obj(trans));
8399 			nft_trans_destroy(trans);
8400 			break;
8401 		case NFT_MSG_NEWFLOWTABLE:
8402 			if (nft_trans_flowtable_update(trans)) {
8403 				nft_unregister_flowtable_net_hooks(net,
8404 						&nft_trans_flowtable_hooks(trans));
8405 			} else {
8406 				trans->ctx.table->use--;
8407 				list_del_rcu(&nft_trans_flowtable(trans)->list);
8408 				nft_unregister_flowtable_net_hooks(net,
8409 						&nft_trans_flowtable(trans)->hook_list);
8410 			}
8411 			break;
8412 		case NFT_MSG_DELFLOWTABLE:
8413 			if (nft_trans_flowtable_update(trans)) {
8414 				list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
8415 					hook->inactive = false;
8416 			} else {
8417 				trans->ctx.table->use++;
8418 				nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
8419 			}
8420 			nft_trans_destroy(trans);
8421 			break;
8422 		}
8423 	}
8424 
8425 	synchronize_rcu();
8426 
8427 	list_for_each_entry_safe_reverse(trans, next,
8428 					 &net->nft.commit_list, list) {
8429 		list_del(&trans->list);
8430 		nf_tables_abort_release(trans);
8431 	}
8432 
8433 	if (action == NFNL_ABORT_AUTOLOAD)
8434 		nf_tables_module_autoload(net);
8435 	else
8436 		nf_tables_module_autoload_cleanup(net);
8437 
8438 	return 0;
8439 }
8440 
8441 static void nf_tables_cleanup(struct net *net)
8442 {
8443 	nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8444 }
8445 
8446 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
8447 			   enum nfnl_abort_action action)
8448 {
8449 	int ret = __nf_tables_abort(net, action);
8450 
8451 	mutex_unlock(&net->nft.commit_mutex);
8452 
8453 	return ret;
8454 }
8455 
8456 static bool nf_tables_valid_genid(struct net *net, u32 genid)
8457 {
8458 	bool genid_ok;
8459 
8460 	mutex_lock(&net->nft.commit_mutex);
8461 
8462 	genid_ok = genid == 0 || net->nft.base_seq == genid;
8463 	if (!genid_ok)
8464 		mutex_unlock(&net->nft.commit_mutex);
8465 
8466 	/* else, commit mutex has to be released by commit or abort function */
8467 	return genid_ok;
8468 }
8469 
8470 static const struct nfnetlink_subsystem nf_tables_subsys = {
8471 	.name		= "nf_tables",
8472 	.subsys_id	= NFNL_SUBSYS_NFTABLES,
8473 	.cb_count	= NFT_MSG_MAX,
8474 	.cb		= nf_tables_cb,
8475 	.commit		= nf_tables_commit,
8476 	.abort		= nf_tables_abort,
8477 	.cleanup	= nf_tables_cleanup,
8478 	.valid_genid	= nf_tables_valid_genid,
8479 	.owner		= THIS_MODULE,
8480 };
8481 
8482 int nft_chain_validate_dependency(const struct nft_chain *chain,
8483 				  enum nft_chain_types type)
8484 {
8485 	const struct nft_base_chain *basechain;
8486 
8487 	if (nft_is_base_chain(chain)) {
8488 		basechain = nft_base_chain(chain);
8489 		if (basechain->type->type != type)
8490 			return -EOPNOTSUPP;
8491 	}
8492 	return 0;
8493 }
8494 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
8495 
8496 int nft_chain_validate_hooks(const struct nft_chain *chain,
8497 			     unsigned int hook_flags)
8498 {
8499 	struct nft_base_chain *basechain;
8500 
8501 	if (nft_is_base_chain(chain)) {
8502 		basechain = nft_base_chain(chain);
8503 
8504 		if ((1 << basechain->ops.hooknum) & hook_flags)
8505 			return 0;
8506 
8507 		return -EOPNOTSUPP;
8508 	}
8509 
8510 	return 0;
8511 }
8512 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
8513 
8514 /*
8515  * Loop detection - walk through the ruleset beginning at the destination chain
8516  * of a new jump until either the source chain is reached (loop) or all
8517  * reachable chains have been traversed.
8518  *
8519  * The loop check is performed whenever a new jump verdict is added to an
8520  * expression or verdict map or a verdict map is bound to a new chain.
8521  */
8522 
8523 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8524 				 const struct nft_chain *chain);
8525 
8526 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
8527 					struct nft_set *set,
8528 					const struct nft_set_iter *iter,
8529 					struct nft_set_elem *elem)
8530 {
8531 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
8532 	const struct nft_data *data;
8533 
8534 	if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
8535 	    *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
8536 		return 0;
8537 
8538 	data = nft_set_ext_data(ext);
8539 	switch (data->verdict.code) {
8540 	case NFT_JUMP:
8541 	case NFT_GOTO:
8542 		return nf_tables_check_loops(ctx, data->verdict.chain);
8543 	default:
8544 		return 0;
8545 	}
8546 }
8547 
8548 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8549 				 const struct nft_chain *chain)
8550 {
8551 	const struct nft_rule *rule;
8552 	const struct nft_expr *expr, *last;
8553 	struct nft_set *set;
8554 	struct nft_set_binding *binding;
8555 	struct nft_set_iter iter;
8556 
8557 	if (ctx->chain == chain)
8558 		return -ELOOP;
8559 
8560 	list_for_each_entry(rule, &chain->rules, list) {
8561 		nft_rule_for_each_expr(expr, last, rule) {
8562 			struct nft_immediate_expr *priv;
8563 			const struct nft_data *data;
8564 			int err;
8565 
8566 			if (strcmp(expr->ops->type->name, "immediate"))
8567 				continue;
8568 
8569 			priv = nft_expr_priv(expr);
8570 			if (priv->dreg != NFT_REG_VERDICT)
8571 				continue;
8572 
8573 			data = &priv->data;
8574 			switch (data->verdict.code) {
8575 			case NFT_JUMP:
8576 			case NFT_GOTO:
8577 				err = nf_tables_check_loops(ctx,
8578 							data->verdict.chain);
8579 				if (err < 0)
8580 					return err;
8581 				break;
8582 			default:
8583 				break;
8584 			}
8585 		}
8586 	}
8587 
8588 	list_for_each_entry(set, &ctx->table->sets, list) {
8589 		if (!nft_is_active_next(ctx->net, set))
8590 			continue;
8591 		if (!(set->flags & NFT_SET_MAP) ||
8592 		    set->dtype != NFT_DATA_VERDICT)
8593 			continue;
8594 
8595 		list_for_each_entry(binding, &set->bindings, list) {
8596 			if (!(binding->flags & NFT_SET_MAP) ||
8597 			    binding->chain != chain)
8598 				continue;
8599 
8600 			iter.genmask	= nft_genmask_next(ctx->net);
8601 			iter.skip 	= 0;
8602 			iter.count	= 0;
8603 			iter.err	= 0;
8604 			iter.fn		= nf_tables_loop_check_setelem;
8605 
8606 			set->ops->walk(ctx, set, &iter);
8607 			if (iter.err < 0)
8608 				return iter.err;
8609 		}
8610 	}
8611 
8612 	return 0;
8613 }
8614 
8615 /**
8616  *	nft_parse_u32_check - fetch u32 attribute and check for maximum value
8617  *
8618  *	@attr: netlink attribute to fetch value from
8619  *	@max: maximum value to be stored in dest
8620  *	@dest: pointer to the variable
8621  *
8622  *	Parse, check and store a given u32 netlink attribute into variable.
8623  *	This function returns -ERANGE if the value goes over maximum value.
8624  *	Otherwise a 0 is returned and the attribute value is stored in the
8625  *	destination variable.
8626  */
8627 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
8628 {
8629 	u32 val;
8630 
8631 	val = ntohl(nla_get_be32(attr));
8632 	if (val > max)
8633 		return -ERANGE;
8634 
8635 	*dest = val;
8636 	return 0;
8637 }
8638 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
8639 
8640 /**
8641  *	nft_parse_register - parse a register value from a netlink attribute
8642  *
8643  *	@attr: netlink attribute
8644  *
8645  *	Parse and translate a register value from a netlink attribute.
8646  *	Registers used to be 128 bit wide, these register numbers will be
8647  *	mapped to the corresponding 32 bit register numbers.
8648  */
8649 static unsigned int nft_parse_register(const struct nlattr *attr)
8650 {
8651 	unsigned int reg;
8652 
8653 	reg = ntohl(nla_get_be32(attr));
8654 	switch (reg) {
8655 	case NFT_REG_VERDICT...NFT_REG_4:
8656 		return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
8657 	default:
8658 		return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
8659 	}
8660 }
8661 
8662 /**
8663  *	nft_dump_register - dump a register value to a netlink attribute
8664  *
8665  *	@skb: socket buffer
8666  *	@attr: attribute number
8667  *	@reg: register number
8668  *
8669  *	Construct a netlink attribute containing the register number. For
8670  *	compatibility reasons, register numbers being a multiple of 4 are
8671  *	translated to the corresponding 128 bit register numbers.
8672  */
8673 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
8674 {
8675 	if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
8676 		reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
8677 	else
8678 		reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
8679 
8680 	return nla_put_be32(skb, attr, htonl(reg));
8681 }
8682 EXPORT_SYMBOL_GPL(nft_dump_register);
8683 
8684 /**
8685  *	nft_validate_register_load - validate a load from a register
8686  *
8687  *	@reg: the register number
8688  *	@len: the length of the data
8689  *
8690  * 	Validate that the input register is one of the general purpose
8691  * 	registers and that the length of the load is within the bounds.
8692  */
8693 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
8694 {
8695 	if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8696 		return -EINVAL;
8697 	if (len == 0)
8698 		return -EINVAL;
8699 	if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
8700 		return -ERANGE;
8701 
8702 	return 0;
8703 }
8704 
8705 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
8706 {
8707 	u32 reg;
8708 	int err;
8709 
8710 	reg = nft_parse_register(attr);
8711 	err = nft_validate_register_load(reg, len);
8712 	if (err < 0)
8713 		return err;
8714 
8715 	*sreg = reg;
8716 	return 0;
8717 }
8718 EXPORT_SYMBOL_GPL(nft_parse_register_load);
8719 
8720 /**
8721  *	nft_validate_register_store - validate an expressions' register store
8722  *
8723  *	@ctx: context of the expression performing the load
8724  * 	@reg: the destination register number
8725  * 	@data: the data to load
8726  * 	@type: the data type
8727  * 	@len: the length of the data
8728  *
8729  * 	Validate that a data load uses the appropriate data type for
8730  * 	the destination register and the length is within the bounds.
8731  * 	A value of NULL for the data means that its runtime gathered
8732  * 	data.
8733  */
8734 static int nft_validate_register_store(const struct nft_ctx *ctx,
8735 				       enum nft_registers reg,
8736 				       const struct nft_data *data,
8737 				       enum nft_data_types type,
8738 				       unsigned int len)
8739 {
8740 	int err;
8741 
8742 	switch (reg) {
8743 	case NFT_REG_VERDICT:
8744 		if (type != NFT_DATA_VERDICT)
8745 			return -EINVAL;
8746 
8747 		if (data != NULL &&
8748 		    (data->verdict.code == NFT_GOTO ||
8749 		     data->verdict.code == NFT_JUMP)) {
8750 			err = nf_tables_check_loops(ctx, data->verdict.chain);
8751 			if (err < 0)
8752 				return err;
8753 		}
8754 
8755 		return 0;
8756 	default:
8757 		if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8758 			return -EINVAL;
8759 		if (len == 0)
8760 			return -EINVAL;
8761 		if (reg * NFT_REG32_SIZE + len >
8762 		    sizeof_field(struct nft_regs, data))
8763 			return -ERANGE;
8764 
8765 		if (data != NULL && type != NFT_DATA_VALUE)
8766 			return -EINVAL;
8767 		return 0;
8768 	}
8769 }
8770 
8771 int nft_parse_register_store(const struct nft_ctx *ctx,
8772 			     const struct nlattr *attr, u8 *dreg,
8773 			     const struct nft_data *data,
8774 			     enum nft_data_types type, unsigned int len)
8775 {
8776 	int err;
8777 	u32 reg;
8778 
8779 	reg = nft_parse_register(attr);
8780 	err = nft_validate_register_store(ctx, reg, data, type, len);
8781 	if (err < 0)
8782 		return err;
8783 
8784 	*dreg = reg;
8785 	return 0;
8786 }
8787 EXPORT_SYMBOL_GPL(nft_parse_register_store);
8788 
8789 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
8790 	[NFTA_VERDICT_CODE]	= { .type = NLA_U32 },
8791 	[NFTA_VERDICT_CHAIN]	= { .type = NLA_STRING,
8792 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
8793 	[NFTA_VERDICT_CHAIN_ID]	= { .type = NLA_U32 },
8794 };
8795 
8796 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
8797 			    struct nft_data_desc *desc, const struct nlattr *nla)
8798 {
8799 	u8 genmask = nft_genmask_next(ctx->net);
8800 	struct nlattr *tb[NFTA_VERDICT_MAX + 1];
8801 	struct nft_chain *chain;
8802 	int err;
8803 
8804 	err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
8805 					  nft_verdict_policy, NULL);
8806 	if (err < 0)
8807 		return err;
8808 
8809 	if (!tb[NFTA_VERDICT_CODE])
8810 		return -EINVAL;
8811 	data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
8812 
8813 	switch (data->verdict.code) {
8814 	default:
8815 		switch (data->verdict.code & NF_VERDICT_MASK) {
8816 		case NF_ACCEPT:
8817 		case NF_DROP:
8818 		case NF_QUEUE:
8819 			break;
8820 		default:
8821 			return -EINVAL;
8822 		}
8823 		fallthrough;
8824 	case NFT_CONTINUE:
8825 	case NFT_BREAK:
8826 	case NFT_RETURN:
8827 		break;
8828 	case NFT_JUMP:
8829 	case NFT_GOTO:
8830 		if (tb[NFTA_VERDICT_CHAIN]) {
8831 			chain = nft_chain_lookup(ctx->net, ctx->table,
8832 						 tb[NFTA_VERDICT_CHAIN],
8833 						 genmask);
8834 		} else if (tb[NFTA_VERDICT_CHAIN_ID]) {
8835 			chain = nft_chain_lookup_byid(ctx->net,
8836 						      tb[NFTA_VERDICT_CHAIN_ID]);
8837 			if (IS_ERR(chain))
8838 				return PTR_ERR(chain);
8839 		} else {
8840 			return -EINVAL;
8841 		}
8842 
8843 		if (IS_ERR(chain))
8844 			return PTR_ERR(chain);
8845 		if (nft_is_base_chain(chain))
8846 			return -EOPNOTSUPP;
8847 
8848 		chain->use++;
8849 		data->verdict.chain = chain;
8850 		break;
8851 	}
8852 
8853 	desc->len = sizeof(data->verdict);
8854 	desc->type = NFT_DATA_VERDICT;
8855 	return 0;
8856 }
8857 
8858 static void nft_verdict_uninit(const struct nft_data *data)
8859 {
8860 	struct nft_chain *chain;
8861 	struct nft_rule *rule;
8862 
8863 	switch (data->verdict.code) {
8864 	case NFT_JUMP:
8865 	case NFT_GOTO:
8866 		chain = data->verdict.chain;
8867 		chain->use--;
8868 
8869 		if (!nft_chain_is_bound(chain))
8870 			break;
8871 
8872 		chain->table->use--;
8873 		list_for_each_entry(rule, &chain->rules, list)
8874 			chain->use--;
8875 
8876 		nft_chain_del(chain);
8877 		break;
8878 	}
8879 }
8880 
8881 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8882 {
8883 	struct nlattr *nest;
8884 
8885 	nest = nla_nest_start_noflag(skb, type);
8886 	if (!nest)
8887 		goto nla_put_failure;
8888 
8889 	if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8890 		goto nla_put_failure;
8891 
8892 	switch (v->code) {
8893 	case NFT_JUMP:
8894 	case NFT_GOTO:
8895 		if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8896 				   v->chain->name))
8897 			goto nla_put_failure;
8898 	}
8899 	nla_nest_end(skb, nest);
8900 	return 0;
8901 
8902 nla_put_failure:
8903 	return -1;
8904 }
8905 
8906 static int nft_value_init(const struct nft_ctx *ctx,
8907 			  struct nft_data *data, unsigned int size,
8908 			  struct nft_data_desc *desc, const struct nlattr *nla)
8909 {
8910 	unsigned int len;
8911 
8912 	len = nla_len(nla);
8913 	if (len == 0)
8914 		return -EINVAL;
8915 	if (len > size)
8916 		return -EOVERFLOW;
8917 
8918 	nla_memcpy(data->data, nla, len);
8919 	desc->type = NFT_DATA_VALUE;
8920 	desc->len  = len;
8921 	return 0;
8922 }
8923 
8924 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8925 			  unsigned int len)
8926 {
8927 	return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8928 }
8929 
8930 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8931 	[NFTA_DATA_VALUE]	= { .type = NLA_BINARY },
8932 	[NFTA_DATA_VERDICT]	= { .type = NLA_NESTED },
8933 };
8934 
8935 /**
8936  *	nft_data_init - parse nf_tables data netlink attributes
8937  *
8938  *	@ctx: context of the expression using the data
8939  *	@data: destination struct nft_data
8940  *	@size: maximum data length
8941  *	@desc: data description
8942  *	@nla: netlink attribute containing data
8943  *
8944  *	Parse the netlink data attributes and initialize a struct nft_data.
8945  *	The type and length of data are returned in the data description.
8946  *
8947  *	The caller can indicate that it only wants to accept data of type
8948  *	NFT_DATA_VALUE by passing NULL for the ctx argument.
8949  */
8950 int nft_data_init(const struct nft_ctx *ctx,
8951 		  struct nft_data *data, unsigned int size,
8952 		  struct nft_data_desc *desc, const struct nlattr *nla)
8953 {
8954 	struct nlattr *tb[NFTA_DATA_MAX + 1];
8955 	int err;
8956 
8957 	err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8958 					  nft_data_policy, NULL);
8959 	if (err < 0)
8960 		return err;
8961 
8962 	if (tb[NFTA_DATA_VALUE])
8963 		return nft_value_init(ctx, data, size, desc,
8964 				      tb[NFTA_DATA_VALUE]);
8965 	if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8966 		return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8967 	return -EINVAL;
8968 }
8969 EXPORT_SYMBOL_GPL(nft_data_init);
8970 
8971 /**
8972  *	nft_data_release - release a nft_data item
8973  *
8974  *	@data: struct nft_data to release
8975  *	@type: type of data
8976  *
8977  *	Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8978  *	all others need to be released by calling this function.
8979  */
8980 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8981 {
8982 	if (type < NFT_DATA_VERDICT)
8983 		return;
8984 	switch (type) {
8985 	case NFT_DATA_VERDICT:
8986 		return nft_verdict_uninit(data);
8987 	default:
8988 		WARN_ON(1);
8989 	}
8990 }
8991 EXPORT_SYMBOL_GPL(nft_data_release);
8992 
8993 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8994 		  enum nft_data_types type, unsigned int len)
8995 {
8996 	struct nlattr *nest;
8997 	int err;
8998 
8999 	nest = nla_nest_start_noflag(skb, attr);
9000 	if (nest == NULL)
9001 		return -1;
9002 
9003 	switch (type) {
9004 	case NFT_DATA_VALUE:
9005 		err = nft_value_dump(skb, data, len);
9006 		break;
9007 	case NFT_DATA_VERDICT:
9008 		err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
9009 		break;
9010 	default:
9011 		err = -EINVAL;
9012 		WARN_ON(1);
9013 	}
9014 
9015 	nla_nest_end(skb, nest);
9016 	return err;
9017 }
9018 EXPORT_SYMBOL_GPL(nft_data_dump);
9019 
9020 int __nft_release_basechain(struct nft_ctx *ctx)
9021 {
9022 	struct nft_rule *rule, *nr;
9023 
9024 	if (WARN_ON(!nft_is_base_chain(ctx->chain)))
9025 		return 0;
9026 
9027 	nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
9028 	list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
9029 		list_del(&rule->list);
9030 		ctx->chain->use--;
9031 		nf_tables_rule_release(ctx, rule);
9032 	}
9033 	nft_chain_del(ctx->chain);
9034 	ctx->table->use--;
9035 	nf_tables_chain_destroy(ctx);
9036 
9037 	return 0;
9038 }
9039 EXPORT_SYMBOL_GPL(__nft_release_basechain);
9040 
9041 static void __nft_release_hook(struct net *net, struct nft_table *table)
9042 {
9043 	struct nft_chain *chain;
9044 
9045 	list_for_each_entry(chain, &table->chains, list)
9046 		nf_tables_unregister_hook(net, table, chain);
9047 }
9048 
9049 static void __nft_release_hooks(struct net *net)
9050 {
9051 	struct nft_table *table;
9052 
9053 	list_for_each_entry(table, &net->nft.tables, list) {
9054 		if (nft_table_has_owner(table))
9055 			continue;
9056 
9057 		__nft_release_hook(net, table);
9058 	}
9059 }
9060 
9061 static void __nft_release_table(struct net *net, struct nft_table *table)
9062 {
9063 	struct nft_flowtable *flowtable, *nf;
9064 	struct nft_chain *chain, *nc;
9065 	struct nft_object *obj, *ne;
9066 	struct nft_rule *rule, *nr;
9067 	struct nft_set *set, *ns;
9068 	struct nft_ctx ctx = {
9069 		.net	= net,
9070 		.family	= NFPROTO_NETDEV,
9071 	};
9072 
9073 	ctx.family = table->family;
9074 	ctx.table = table;
9075 	list_for_each_entry(chain, &table->chains, list) {
9076 		ctx.chain = chain;
9077 		list_for_each_entry_safe(rule, nr, &chain->rules, list) {
9078 			list_del(&rule->list);
9079 			chain->use--;
9080 			nf_tables_rule_release(&ctx, rule);
9081 		}
9082 	}
9083 	list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
9084 		list_del(&flowtable->list);
9085 		table->use--;
9086 		nf_tables_flowtable_destroy(flowtable);
9087 	}
9088 	list_for_each_entry_safe(set, ns, &table->sets, list) {
9089 		list_del(&set->list);
9090 		table->use--;
9091 		nft_set_destroy(&ctx, set);
9092 	}
9093 	list_for_each_entry_safe(obj, ne, &table->objects, list) {
9094 		nft_obj_del(obj);
9095 		table->use--;
9096 		nft_obj_destroy(&ctx, obj);
9097 	}
9098 	list_for_each_entry_safe(chain, nc, &table->chains, list) {
9099 		ctx.chain = chain;
9100 		nft_chain_del(chain);
9101 		table->use--;
9102 		nf_tables_chain_destroy(&ctx);
9103 	}
9104 	list_del(&table->list);
9105 	nf_tables_table_destroy(&ctx);
9106 }
9107 
9108 static void __nft_release_tables(struct net *net)
9109 {
9110 	struct nft_table *table, *nt;
9111 
9112 	list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
9113 		if (nft_table_has_owner(table))
9114 			continue;
9115 
9116 		__nft_release_table(net, table);
9117 	}
9118 }
9119 
9120 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
9121 			    void *ptr)
9122 {
9123 	struct netlink_notify *n = ptr;
9124 	struct nft_table *table, *nt;
9125 	struct net *net = n->net;
9126 	bool release = false;
9127 
9128 	if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
9129 		return NOTIFY_DONE;
9130 
9131 	mutex_lock(&net->nft.commit_mutex);
9132 	list_for_each_entry(table, &net->nft.tables, list) {
9133 		if (nft_table_has_owner(table) &&
9134 		    n->portid == table->nlpid) {
9135 			__nft_release_hook(net, table);
9136 			release = true;
9137 		}
9138 	}
9139 	if (release) {
9140 		synchronize_rcu();
9141 		list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
9142 			if (nft_table_has_owner(table) &&
9143 			    n->portid == table->nlpid)
9144 				__nft_release_table(net, table);
9145 		}
9146 	}
9147 	mutex_unlock(&net->nft.commit_mutex);
9148 
9149 	return NOTIFY_DONE;
9150 }
9151 
9152 static struct notifier_block nft_nl_notifier = {
9153 	.notifier_call  = nft_rcv_nl_event,
9154 };
9155 
9156 static int __net_init nf_tables_init_net(struct net *net)
9157 {
9158 	INIT_LIST_HEAD(&net->nft.tables);
9159 	INIT_LIST_HEAD(&net->nft.commit_list);
9160 	INIT_LIST_HEAD(&net->nft.module_list);
9161 	INIT_LIST_HEAD(&net->nft.notify_list);
9162 	mutex_init(&net->nft.commit_mutex);
9163 	net->nft.base_seq = 1;
9164 	net->nft.validate_state = NFT_VALIDATE_SKIP;
9165 
9166 	return 0;
9167 }
9168 
9169 static void __net_exit nf_tables_pre_exit_net(struct net *net)
9170 {
9171 	__nft_release_hooks(net);
9172 }
9173 
9174 static void __net_exit nf_tables_exit_net(struct net *net)
9175 {
9176 	mutex_lock(&net->nft.commit_mutex);
9177 	if (!list_empty(&net->nft.commit_list))
9178 		__nf_tables_abort(net, NFNL_ABORT_NONE);
9179 	__nft_release_tables(net);
9180 	mutex_unlock(&net->nft.commit_mutex);
9181 	WARN_ON_ONCE(!list_empty(&net->nft.tables));
9182 	WARN_ON_ONCE(!list_empty(&net->nft.module_list));
9183 	WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
9184 }
9185 
9186 static struct pernet_operations nf_tables_net_ops = {
9187 	.init		= nf_tables_init_net,
9188 	.pre_exit	= nf_tables_pre_exit_net,
9189 	.exit		= nf_tables_exit_net,
9190 };
9191 
9192 static int __init nf_tables_module_init(void)
9193 {
9194 	int err;
9195 
9196 	spin_lock_init(&nf_tables_destroy_list_lock);
9197 	err = register_pernet_subsys(&nf_tables_net_ops);
9198 	if (err < 0)
9199 		return err;
9200 
9201 	err = nft_chain_filter_init();
9202 	if (err < 0)
9203 		goto err_chain_filter;
9204 
9205 	err = nf_tables_core_module_init();
9206 	if (err < 0)
9207 		goto err_core_module;
9208 
9209 	err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
9210 	if (err < 0)
9211 		goto err_netdev_notifier;
9212 
9213 	err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
9214 	if (err < 0)
9215 		goto err_rht_objname;
9216 
9217 	err = nft_offload_init();
9218 	if (err < 0)
9219 		goto err_offload;
9220 
9221 	err = netlink_register_notifier(&nft_nl_notifier);
9222 	if (err < 0)
9223 		goto err_netlink_notifier;
9224 
9225 	/* must be last */
9226 	err = nfnetlink_subsys_register(&nf_tables_subsys);
9227 	if (err < 0)
9228 		goto err_nfnl_subsys;
9229 
9230 	nft_chain_route_init();
9231 
9232 	return err;
9233 
9234 err_nfnl_subsys:
9235 	netlink_unregister_notifier(&nft_nl_notifier);
9236 err_netlink_notifier:
9237 	nft_offload_exit();
9238 err_offload:
9239 	rhltable_destroy(&nft_objname_ht);
9240 err_rht_objname:
9241 	unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9242 err_netdev_notifier:
9243 	nf_tables_core_module_exit();
9244 err_core_module:
9245 	nft_chain_filter_fini();
9246 err_chain_filter:
9247 	unregister_pernet_subsys(&nf_tables_net_ops);
9248 	return err;
9249 }
9250 
9251 static void __exit nf_tables_module_exit(void)
9252 {
9253 	nfnetlink_subsys_unregister(&nf_tables_subsys);
9254 	netlink_unregister_notifier(&nft_nl_notifier);
9255 	nft_offload_exit();
9256 	unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9257 	nft_chain_filter_fini();
9258 	nft_chain_route_fini();
9259 	unregister_pernet_subsys(&nf_tables_net_ops);
9260 	cancel_work_sync(&trans_destroy_work);
9261 	rcu_barrier();
9262 	rhltable_destroy(&nft_objname_ht);
9263 	nf_tables_core_module_exit();
9264 }
9265 
9266 module_init(nf_tables_module_init);
9267 module_exit(nf_tables_module_exit);
9268 
9269 MODULE_LICENSE("GPL");
9270 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9271 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
9272