whiterose

linux unikernel
Log | Files | Refs | README | LICENSE | git clone https://git.ne02ptzero.me/git/whiterose

nf_tables_api.c (186219B)


      1 /*
      2  * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
      3  *
      4  * This program is free software; you can redistribute it and/or modify
      5  * it under the terms of the GNU General Public License version 2 as
      6  * published by the Free Software Foundation.
      7  *
      8  * Development of this code funded by Astaro AG (http://www.astaro.com/)
      9  */
     10 
     11 #include <linux/module.h>
     12 #include <linux/init.h>
     13 #include <linux/list.h>
     14 #include <linux/skbuff.h>
     15 #include <linux/netlink.h>
     16 #include <linux/vmalloc.h>
     17 #include <linux/rhashtable.h>
     18 #include <linux/netfilter.h>
     19 #include <linux/netfilter/nfnetlink.h>
     20 #include <linux/netfilter/nf_tables.h>
     21 #include <net/netfilter/nf_flow_table.h>
     22 #include <net/netfilter/nf_tables_core.h>
     23 #include <net/netfilter/nf_tables.h>
     24 #include <net/net_namespace.h>
     25 #include <net/sock.h>
     26 
     27 static LIST_HEAD(nf_tables_expressions);
     28 static LIST_HEAD(nf_tables_objects);
     29 static LIST_HEAD(nf_tables_flowtables);
     30 static LIST_HEAD(nf_tables_destroy_list);
     31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
     32 static u64 table_handle;
     33 
     34 enum {
     35 	NFT_VALIDATE_SKIP	= 0,
     36 	NFT_VALIDATE_NEED,
     37 	NFT_VALIDATE_DO,
     38 };
     39 
     40 static struct rhltable nft_objname_ht;
     41 
     42 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
     43 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
     44 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
     45 
     46 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
     47 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
     48 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
     49 
     50 static const struct rhashtable_params nft_chain_ht_params = {
     51 	.head_offset		= offsetof(struct nft_chain, rhlhead),
     52 	.key_offset		= offsetof(struct nft_chain, name),
     53 	.hashfn			= nft_chain_hash,
     54 	.obj_hashfn		= nft_chain_hash_obj,
     55 	.obj_cmpfn		= nft_chain_hash_cmp,
     56 	.locks_mul		= 1,
     57 	.automatic_shrinking	= true,
     58 };
     59 
     60 static const struct rhashtable_params nft_objname_ht_params = {
     61 	.head_offset		= offsetof(struct nft_object, rhlhead),
     62 	.key_offset		= offsetof(struct nft_object, key),
     63 	.hashfn			= nft_objname_hash,
     64 	.obj_hashfn		= nft_objname_hash_obj,
     65 	.obj_cmpfn		= nft_objname_hash_cmp,
     66 	.automatic_shrinking	= true,
     67 };
     68 
     69 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
     70 {
     71 	switch (net->nft.validate_state) {
     72 	case NFT_VALIDATE_SKIP:
     73 		WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
     74 		break;
     75 	case NFT_VALIDATE_NEED:
     76 		break;
     77 	case NFT_VALIDATE_DO:
     78 		if (new_validate_state == NFT_VALIDATE_NEED)
     79 			return;
     80 	}
     81 
     82 	net->nft.validate_state = new_validate_state;
     83 }
     84 static void nf_tables_trans_destroy_work(struct work_struct *w);
     85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
     86 
     87 static void nft_ctx_init(struct nft_ctx *ctx,
     88 			 struct net *net,
     89 			 const struct sk_buff *skb,
     90 			 const struct nlmsghdr *nlh,
     91 			 u8 family,
     92 			 struct nft_table *table,
     93 			 struct nft_chain *chain,
     94 			 const struct nlattr * const *nla)
     95 {
     96 	ctx->net	= net;
     97 	ctx->family	= family;
     98 	ctx->level	= 0;
     99 	ctx->table	= table;
    100 	ctx->chain	= chain;
    101 	ctx->nla   	= nla;
    102 	ctx->portid	= NETLINK_CB(skb).portid;
    103 	ctx->report	= nlmsg_report(nlh);
    104 	ctx->seq	= nlh->nlmsg_seq;
    105 }
    106 
    107 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
    108 					     int msg_type, u32 size, gfp_t gfp)
    109 {
    110 	struct nft_trans *trans;
    111 
    112 	trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
    113 	if (trans == NULL)
    114 		return NULL;
    115 
    116 	trans->msg_type = msg_type;
    117 	trans->ctx	= *ctx;
    118 
    119 	return trans;
    120 }
    121 
    122 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
    123 					 int msg_type, u32 size)
    124 {
    125 	return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
    126 }
    127 
    128 static void nft_trans_destroy(struct nft_trans *trans)
    129 {
    130 	list_del(&trans->list);
    131 	kfree(trans);
    132 }
    133 
    134 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
    135 {
    136 	struct net *net = ctx->net;
    137 	struct nft_trans *trans;
    138 
    139 	if (!nft_set_is_anonymous(set))
    140 		return;
    141 
    142 	list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
    143 		if (trans->msg_type == NFT_MSG_NEWSET &&
    144 		    nft_trans_set(trans) == set) {
    145 			set->bound = true;
    146 			break;
    147 		}
    148 	}
    149 }
    150 
    151 static int nf_tables_register_hook(struct net *net,
    152 				   const struct nft_table *table,
    153 				   struct nft_chain *chain)
    154 {
    155 	const struct nft_base_chain *basechain;
    156 	const struct nf_hook_ops *ops;
    157 
    158 	if (table->flags & NFT_TABLE_F_DORMANT ||
    159 	    !nft_is_base_chain(chain))
    160 		return 0;
    161 
    162 	basechain = nft_base_chain(chain);
    163 	ops = &basechain->ops;
    164 
    165 	if (basechain->type->ops_register)
    166 		return basechain->type->ops_register(net, ops);
    167 
    168 	return nf_register_net_hook(net, ops);
    169 }
    170 
    171 static void nf_tables_unregister_hook(struct net *net,
    172 				      const struct nft_table *table,
    173 				      struct nft_chain *chain)
    174 {
    175 	const struct nft_base_chain *basechain;
    176 	const struct nf_hook_ops *ops;
    177 
    178 	if (table->flags & NFT_TABLE_F_DORMANT ||
    179 	    !nft_is_base_chain(chain))
    180 		return;
    181 	basechain = nft_base_chain(chain);
    182 	ops = &basechain->ops;
    183 
    184 	if (basechain->type->ops_unregister)
    185 		return basechain->type->ops_unregister(net, ops);
    186 
    187 	nf_unregister_net_hook(net, ops);
    188 }
    189 
    190 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
    191 {
    192 	struct nft_trans *trans;
    193 
    194 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
    195 	if (trans == NULL)
    196 		return -ENOMEM;
    197 
    198 	if (msg_type == NFT_MSG_NEWTABLE)
    199 		nft_activate_next(ctx->net, ctx->table);
    200 
    201 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
    202 	return 0;
    203 }
    204 
    205 static int nft_deltable(struct nft_ctx *ctx)
    206 {
    207 	int err;
    208 
    209 	err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
    210 	if (err < 0)
    211 		return err;
    212 
    213 	nft_deactivate_next(ctx->net, ctx->table);
    214 	return err;
    215 }
    216 
    217 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
    218 {
    219 	struct nft_trans *trans;
    220 
    221 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
    222 	if (trans == NULL)
    223 		return -ENOMEM;
    224 
    225 	if (msg_type == NFT_MSG_NEWCHAIN)
    226 		nft_activate_next(ctx->net, ctx->chain);
    227 
    228 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
    229 	return 0;
    230 }
    231 
    232 static int nft_delchain(struct nft_ctx *ctx)
    233 {
    234 	int err;
    235 
    236 	err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
    237 	if (err < 0)
    238 		return err;
    239 
    240 	ctx->table->use--;
    241 	nft_deactivate_next(ctx->net, ctx->chain);
    242 
    243 	return err;
    244 }
    245 
    246 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
    247 				   struct nft_rule *rule)
    248 {
    249 	struct nft_expr *expr;
    250 
    251 	expr = nft_expr_first(rule);
    252 	while (expr != nft_expr_last(rule) && expr->ops) {
    253 		if (expr->ops->activate)
    254 			expr->ops->activate(ctx, expr);
    255 
    256 		expr = nft_expr_next(expr);
    257 	}
    258 }
    259 
    260 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
    261 				     struct nft_rule *rule,
    262 				     enum nft_trans_phase phase)
    263 {
    264 	struct nft_expr *expr;
    265 
    266 	expr = nft_expr_first(rule);
    267 	while (expr != nft_expr_last(rule) && expr->ops) {
    268 		if (expr->ops->deactivate)
    269 			expr->ops->deactivate(ctx, expr, phase);
    270 
    271 		expr = nft_expr_next(expr);
    272 	}
    273 }
    274 
    275 static int
    276 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
    277 {
    278 	/* You cannot delete the same rule twice */
    279 	if (nft_is_active_next(ctx->net, rule)) {
    280 		nft_deactivate_next(ctx->net, rule);
    281 		ctx->chain->use--;
    282 		return 0;
    283 	}
    284 	return -ENOENT;
    285 }
    286 
    287 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
    288 					    struct nft_rule *rule)
    289 {
    290 	struct nft_trans *trans;
    291 
    292 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
    293 	if (trans == NULL)
    294 		return NULL;
    295 
    296 	if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
    297 		nft_trans_rule_id(trans) =
    298 			ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
    299 	}
    300 	nft_trans_rule(trans) = rule;
    301 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
    302 
    303 	return trans;
    304 }
    305 
    306 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
    307 {
    308 	struct nft_trans *trans;
    309 	int err;
    310 
    311 	trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
    312 	if (trans == NULL)
    313 		return -ENOMEM;
    314 
    315 	err = nf_tables_delrule_deactivate(ctx, rule);
    316 	if (err < 0) {
    317 		nft_trans_destroy(trans);
    318 		return err;
    319 	}
    320 	nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
    321 
    322 	return 0;
    323 }
    324 
    325 static int nft_delrule_by_chain(struct nft_ctx *ctx)
    326 {
    327 	struct nft_rule *rule;
    328 	int err;
    329 
    330 	list_for_each_entry(rule, &ctx->chain->rules, list) {
    331 		if (!nft_is_active_next(ctx->net, rule))
    332 			continue;
    333 
    334 		err = nft_delrule(ctx, rule);
    335 		if (err < 0)
    336 			return err;
    337 	}
    338 	return 0;
    339 }
    340 
    341 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
    342 			     struct nft_set *set)
    343 {
    344 	struct nft_trans *trans;
    345 
    346 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
    347 	if (trans == NULL)
    348 		return -ENOMEM;
    349 
    350 	if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
    351 		nft_trans_set_id(trans) =
    352 			ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
    353 		nft_activate_next(ctx->net, set);
    354 	}
    355 	nft_trans_set(trans) = set;
    356 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
    357 
    358 	return 0;
    359 }
    360 
    361 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
    362 {
    363 	int err;
    364 
    365 	err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
    366 	if (err < 0)
    367 		return err;
    368 
    369 	nft_deactivate_next(ctx->net, set);
    370 	ctx->table->use--;
    371 
    372 	return err;
    373 }
    374 
    375 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
    376 			     struct nft_object *obj)
    377 {
    378 	struct nft_trans *trans;
    379 
    380 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
    381 	if (trans == NULL)
    382 		return -ENOMEM;
    383 
    384 	if (msg_type == NFT_MSG_NEWOBJ)
    385 		nft_activate_next(ctx->net, obj);
    386 
    387 	nft_trans_obj(trans) = obj;
    388 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
    389 
    390 	return 0;
    391 }
    392 
    393 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
    394 {
    395 	int err;
    396 
    397 	err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
    398 	if (err < 0)
    399 		return err;
    400 
    401 	nft_deactivate_next(ctx->net, obj);
    402 	ctx->table->use--;
    403 
    404 	return err;
    405 }
    406 
    407 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
    408 				   struct nft_flowtable *flowtable)
    409 {
    410 	struct nft_trans *trans;
    411 
    412 	trans = nft_trans_alloc(ctx, msg_type,
    413 				sizeof(struct nft_trans_flowtable));
    414 	if (trans == NULL)
    415 		return -ENOMEM;
    416 
    417 	if (msg_type == NFT_MSG_NEWFLOWTABLE)
    418 		nft_activate_next(ctx->net, flowtable);
    419 
    420 	nft_trans_flowtable(trans) = flowtable;
    421 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
    422 
    423 	return 0;
    424 }
    425 
    426 static int nft_delflowtable(struct nft_ctx *ctx,
    427 			    struct nft_flowtable *flowtable)
    428 {
    429 	int err;
    430 
    431 	err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
    432 	if (err < 0)
    433 		return err;
    434 
    435 	nft_deactivate_next(ctx->net, flowtable);
    436 	ctx->table->use--;
    437 
    438 	return err;
    439 }
    440 
    441 /*
    442  * Tables
    443  */
    444 
    445 static struct nft_table *nft_table_lookup(const struct net *net,
    446 					  const struct nlattr *nla,
    447 					  u8 family, u8 genmask)
    448 {
    449 	struct nft_table *table;
    450 
    451 	if (nla == NULL)
    452 		return ERR_PTR(-EINVAL);
    453 
    454 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
    455 		if (!nla_strcmp(nla, table->name) &&
    456 		    table->family == family &&
    457 		    nft_active_genmask(table, genmask))
    458 			return table;
    459 	}
    460 
    461 	return ERR_PTR(-ENOENT);
    462 }
    463 
    464 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
    465 						   const struct nlattr *nla,
    466 						   u8 genmask)
    467 {
    468 	struct nft_table *table;
    469 
    470 	list_for_each_entry(table, &net->nft.tables, list) {
    471 		if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
    472 		    nft_active_genmask(table, genmask))
    473 			return table;
    474 	}
    475 
    476 	return ERR_PTR(-ENOENT);
    477 }
    478 
    479 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
    480 {
    481 	return ++table->hgenerator;
    482 }
    483 
    484 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
    485 
    486 static const struct nft_chain_type *
    487 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
    488 {
    489 	int i;
    490 
    491 	for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
    492 		if (chain_type[family][i] != NULL &&
    493 		    !nla_strcmp(nla, chain_type[family][i]->name))
    494 			return chain_type[family][i];
    495 	}
    496 	return NULL;
    497 }
    498 
    499 /*
    500  * Loading a module requires dropping mutex that guards the
    501  * transaction.
    502  * We first need to abort any pending transactions as once
    503  * mutex is unlocked a different client could start a new
    504  * transaction.  It must not see any 'future generation'
    505  * changes * as these changes will never happen.
    506  */
    507 #ifdef CONFIG_MODULES
    508 static int __nf_tables_abort(struct net *net);
    509 
    510 static void nft_request_module(struct net *net, const char *fmt, ...)
    511 {
    512 	char module_name[MODULE_NAME_LEN];
    513 	va_list args;
    514 	int ret;
    515 
    516 	__nf_tables_abort(net);
    517 
    518 	va_start(args, fmt);
    519 	ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
    520 	va_end(args);
    521 	if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
    522 		return;
    523 
    524 	mutex_unlock(&net->nft.commit_mutex);
    525 	request_module("%s", module_name);
    526 	mutex_lock(&net->nft.commit_mutex);
    527 }
    528 #endif
    529 
    530 static void lockdep_nfnl_nft_mutex_not_held(void)
    531 {
    532 #ifdef CONFIG_PROVE_LOCKING
    533 	WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
    534 #endif
    535 }
    536 
    537 static const struct nft_chain_type *
    538 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
    539 			    u8 family, bool autoload)
    540 {
    541 	const struct nft_chain_type *type;
    542 
    543 	type = __nf_tables_chain_type_lookup(nla, family);
    544 	if (type != NULL)
    545 		return type;
    546 
    547 	lockdep_nfnl_nft_mutex_not_held();
    548 #ifdef CONFIG_MODULES
    549 	if (autoload) {
    550 		nft_request_module(net, "nft-chain-%u-%.*s", family,
    551 				   nla_len(nla), (const char *)nla_data(nla));
    552 		type = __nf_tables_chain_type_lookup(nla, family);
    553 		if (type != NULL)
    554 			return ERR_PTR(-EAGAIN);
    555 	}
    556 #endif
    557 	return ERR_PTR(-ENOENT);
    558 }
    559 
    560 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
    561 	[NFTA_TABLE_NAME]	= { .type = NLA_STRING,
    562 				    .len = NFT_TABLE_MAXNAMELEN - 1 },
    563 	[NFTA_TABLE_FLAGS]	= { .type = NLA_U32 },
    564 	[NFTA_TABLE_HANDLE]	= { .type = NLA_U64 },
    565 };
    566 
    567 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
    568 				     u32 portid, u32 seq, int event, u32 flags,
    569 				     int family, const struct nft_table *table)
    570 {
    571 	struct nlmsghdr *nlh;
    572 	struct nfgenmsg *nfmsg;
    573 
    574 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
    575 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
    576 	if (nlh == NULL)
    577 		goto nla_put_failure;
    578 
    579 	nfmsg = nlmsg_data(nlh);
    580 	nfmsg->nfgen_family	= family;
    581 	nfmsg->version		= NFNETLINK_V0;
    582 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
    583 
    584 	if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
    585 	    nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
    586 	    nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
    587 	    nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
    588 			 NFTA_TABLE_PAD))
    589 		goto nla_put_failure;
    590 
    591 	nlmsg_end(skb, nlh);
    592 	return 0;
    593 
    594 nla_put_failure:
    595 	nlmsg_trim(skb, nlh);
    596 	return -1;
    597 }
    598 
    599 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
    600 {
    601 	struct sk_buff *skb;
    602 	int err;
    603 
    604 	if (!ctx->report &&
    605 	    !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
    606 		return;
    607 
    608 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
    609 	if (skb == NULL)
    610 		goto err;
    611 
    612 	err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
    613 					event, 0, ctx->family, ctx->table);
    614 	if (err < 0) {
    615 		kfree_skb(skb);
    616 		goto err;
    617 	}
    618 
    619 	nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
    620 		       ctx->report, GFP_KERNEL);
    621 	return;
    622 err:
    623 	nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
    624 }
    625 
    626 static int nf_tables_dump_tables(struct sk_buff *skb,
    627 				 struct netlink_callback *cb)
    628 {
    629 	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
    630 	const struct nft_table *table;
    631 	unsigned int idx = 0, s_idx = cb->args[0];
    632 	struct net *net = sock_net(skb->sk);
    633 	int family = nfmsg->nfgen_family;
    634 
    635 	rcu_read_lock();
    636 	cb->seq = net->nft.base_seq;
    637 
    638 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
    639 		if (family != NFPROTO_UNSPEC && family != table->family)
    640 			continue;
    641 
    642 		if (idx < s_idx)
    643 			goto cont;
    644 		if (idx > s_idx)
    645 			memset(&cb->args[1], 0,
    646 			       sizeof(cb->args) - sizeof(cb->args[0]));
    647 		if (!nft_is_active(net, table))
    648 			continue;
    649 		if (nf_tables_fill_table_info(skb, net,
    650 					      NETLINK_CB(cb->skb).portid,
    651 					      cb->nlh->nlmsg_seq,
    652 					      NFT_MSG_NEWTABLE, NLM_F_MULTI,
    653 					      table->family, table) < 0)
    654 			goto done;
    655 
    656 		nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    657 cont:
    658 		idx++;
    659 	}
    660 done:
    661 	rcu_read_unlock();
    662 	cb->args[0] = idx;
    663 	return skb->len;
    664 }
    665 
    666 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
    667 				      const struct nlmsghdr *nlh,
    668 				      struct netlink_dump_control *c)
    669 {
    670 	int err;
    671 
    672 	if (!try_module_get(THIS_MODULE))
    673 		return -EINVAL;
    674 
    675 	rcu_read_unlock();
    676 	err = netlink_dump_start(nlsk, skb, nlh, c);
    677 	rcu_read_lock();
    678 	module_put(THIS_MODULE);
    679 
    680 	return err;
    681 }
    682 
    683 /* called with rcu_read_lock held */
    684 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
    685 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
    686 			      const struct nlattr * const nla[],
    687 			      struct netlink_ext_ack *extack)
    688 {
    689 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
    690 	u8 genmask = nft_genmask_cur(net);
    691 	const struct nft_table *table;
    692 	struct sk_buff *skb2;
    693 	int family = nfmsg->nfgen_family;
    694 	int err;
    695 
    696 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
    697 		struct netlink_dump_control c = {
    698 			.dump = nf_tables_dump_tables,
    699 			.module = THIS_MODULE,
    700 		};
    701 
    702 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
    703 	}
    704 
    705 	table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
    706 	if (IS_ERR(table)) {
    707 		NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
    708 		return PTR_ERR(table);
    709 	}
    710 
    711 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
    712 	if (!skb2)
    713 		return -ENOMEM;
    714 
    715 	err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
    716 					nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
    717 					family, table);
    718 	if (err < 0)
    719 		goto err;
    720 
    721 	return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
    722 
    723 err:
    724 	kfree_skb(skb2);
    725 	return err;
    726 }
    727 
    728 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
    729 {
    730 	struct nft_chain *chain;
    731 	u32 i = 0;
    732 
    733 	list_for_each_entry(chain, &table->chains, list) {
    734 		if (!nft_is_active_next(net, chain))
    735 			continue;
    736 		if (!nft_is_base_chain(chain))
    737 			continue;
    738 
    739 		if (cnt && i++ == cnt)
    740 			break;
    741 
    742 		nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
    743 	}
    744 }
    745 
    746 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
    747 {
    748 	struct nft_chain *chain;
    749 	int err, i = 0;
    750 
    751 	list_for_each_entry(chain, &table->chains, list) {
    752 		if (!nft_is_active_next(net, chain))
    753 			continue;
    754 		if (!nft_is_base_chain(chain))
    755 			continue;
    756 
    757 		err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
    758 		if (err < 0)
    759 			goto err;
    760 
    761 		i++;
    762 	}
    763 	return 0;
    764 err:
    765 	if (i)
    766 		nft_table_disable(net, table, i);
    767 	return err;
    768 }
    769 
    770 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
    771 {
    772 	nft_table_disable(net, table, 0);
    773 }
    774 
    775 static int nf_tables_updtable(struct nft_ctx *ctx)
    776 {
    777 	struct nft_trans *trans;
    778 	u32 flags;
    779 	int ret = 0;
    780 
    781 	if (!ctx->nla[NFTA_TABLE_FLAGS])
    782 		return 0;
    783 
    784 	flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
    785 	if (flags & ~NFT_TABLE_F_DORMANT)
    786 		return -EINVAL;
    787 
    788 	if (flags == ctx->table->flags)
    789 		return 0;
    790 
    791 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
    792 				sizeof(struct nft_trans_table));
    793 	if (trans == NULL)
    794 		return -ENOMEM;
    795 
    796 	if ((flags & NFT_TABLE_F_DORMANT) &&
    797 	    !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
    798 		nft_trans_table_enable(trans) = false;
    799 	} else if (!(flags & NFT_TABLE_F_DORMANT) &&
    800 		   ctx->table->flags & NFT_TABLE_F_DORMANT) {
    801 		ret = nf_tables_table_enable(ctx->net, ctx->table);
    802 		if (ret >= 0) {
    803 			ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
    804 			nft_trans_table_enable(trans) = true;
    805 		}
    806 	}
    807 	if (ret < 0)
    808 		goto err;
    809 
    810 	nft_trans_table_update(trans) = true;
    811 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
    812 	return 0;
    813 err:
    814 	nft_trans_destroy(trans);
    815 	return ret;
    816 }
    817 
    818 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
    819 {
    820 	const char *name = data;
    821 
    822 	return jhash(name, strlen(name), seed);
    823 }
    824 
    825 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
    826 {
    827 	const struct nft_chain *chain = data;
    828 
    829 	return nft_chain_hash(chain->name, 0, seed);
    830 }
    831 
    832 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
    833 			      const void *ptr)
    834 {
    835 	const struct nft_chain *chain = ptr;
    836 	const char *name = arg->key;
    837 
    838 	return strcmp(chain->name, name);
    839 }
    840 
    841 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
    842 {
    843 	const struct nft_object_hash_key *k = data;
    844 
    845 	seed ^= hash_ptr(k->table, 32);
    846 
    847 	return jhash(k->name, strlen(k->name), seed);
    848 }
    849 
    850 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
    851 {
    852 	const struct nft_object *obj = data;
    853 
    854 	return nft_objname_hash(&obj->key, 0, seed);
    855 }
    856 
    857 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
    858 				const void *ptr)
    859 {
    860 	const struct nft_object_hash_key *k = arg->key;
    861 	const struct nft_object *obj = ptr;
    862 
    863 	if (obj->key.table != k->table)
    864 		return -1;
    865 
    866 	return strcmp(obj->key.name, k->name);
    867 }
    868 
    869 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
    870 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
    871 			      const struct nlattr * const nla[],
    872 			      struct netlink_ext_ack *extack)
    873 {
    874 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
    875 	u8 genmask = nft_genmask_next(net);
    876 	int family = nfmsg->nfgen_family;
    877 	const struct nlattr *attr;
    878 	struct nft_table *table;
    879 	u32 flags = 0;
    880 	struct nft_ctx ctx;
    881 	int err;
    882 
    883 	lockdep_assert_held(&net->nft.commit_mutex);
    884 	attr = nla[NFTA_TABLE_NAME];
    885 	table = nft_table_lookup(net, attr, family, genmask);
    886 	if (IS_ERR(table)) {
    887 		if (PTR_ERR(table) != -ENOENT)
    888 			return PTR_ERR(table);
    889 	} else {
    890 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
    891 			NL_SET_BAD_ATTR(extack, attr);
    892 			return -EEXIST;
    893 		}
    894 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
    895 			return -EOPNOTSUPP;
    896 
    897 		nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
    898 		return nf_tables_updtable(&ctx);
    899 	}
    900 
    901 	if (nla[NFTA_TABLE_FLAGS]) {
    902 		flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
    903 		if (flags & ~NFT_TABLE_F_DORMANT)
    904 			return -EINVAL;
    905 	}
    906 
    907 	err = -ENOMEM;
    908 	table = kzalloc(sizeof(*table), GFP_KERNEL);
    909 	if (table == NULL)
    910 		goto err_kzalloc;
    911 
    912 	table->name = nla_strdup(attr, GFP_KERNEL);
    913 	if (table->name == NULL)
    914 		goto err_strdup;
    915 
    916 	err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
    917 	if (err)
    918 		goto err_chain_ht;
    919 
    920 	INIT_LIST_HEAD(&table->chains);
    921 	INIT_LIST_HEAD(&table->sets);
    922 	INIT_LIST_HEAD(&table->objects);
    923 	INIT_LIST_HEAD(&table->flowtables);
    924 	table->family = family;
    925 	table->flags = flags;
    926 	table->handle = ++table_handle;
    927 
    928 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
    929 	err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
    930 	if (err < 0)
    931 		goto err_trans;
    932 
    933 	list_add_tail_rcu(&table->list, &net->nft.tables);
    934 	return 0;
    935 err_trans:
    936 	rhltable_destroy(&table->chains_ht);
    937 err_chain_ht:
    938 	kfree(table->name);
    939 err_strdup:
    940 	kfree(table);
    941 err_kzalloc:
    942 	return err;
    943 }
    944 
    945 static int nft_flush_table(struct nft_ctx *ctx)
    946 {
    947 	struct nft_flowtable *flowtable, *nft;
    948 	struct nft_chain *chain, *nc;
    949 	struct nft_object *obj, *ne;
    950 	struct nft_set *set, *ns;
    951 	int err;
    952 
    953 	list_for_each_entry(chain, &ctx->table->chains, list) {
    954 		if (!nft_is_active_next(ctx->net, chain))
    955 			continue;
    956 
    957 		ctx->chain = chain;
    958 
    959 		err = nft_delrule_by_chain(ctx);
    960 		if (err < 0)
    961 			goto out;
    962 	}
    963 
    964 	list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
    965 		if (!nft_is_active_next(ctx->net, set))
    966 			continue;
    967 
    968 		if (nft_set_is_anonymous(set) &&
    969 		    !list_empty(&set->bindings))
    970 			continue;
    971 
    972 		err = nft_delset(ctx, set);
    973 		if (err < 0)
    974 			goto out;
    975 	}
    976 
    977 	list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
    978 		err = nft_delflowtable(ctx, flowtable);
    979 		if (err < 0)
    980 			goto out;
    981 	}
    982 
    983 	list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
    984 		err = nft_delobj(ctx, obj);
    985 		if (err < 0)
    986 			goto out;
    987 	}
    988 
    989 	list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
    990 		if (!nft_is_active_next(ctx->net, chain))
    991 			continue;
    992 
    993 		ctx->chain = chain;
    994 
    995 		err = nft_delchain(ctx);
    996 		if (err < 0)
    997 			goto out;
    998 	}
    999 
   1000 	err = nft_deltable(ctx);
   1001 out:
   1002 	return err;
   1003 }
   1004 
   1005 static int nft_flush(struct nft_ctx *ctx, int family)
   1006 {
   1007 	struct nft_table *table, *nt;
   1008 	const struct nlattr * const *nla = ctx->nla;
   1009 	int err = 0;
   1010 
   1011 	list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
   1012 		if (family != AF_UNSPEC && table->family != family)
   1013 			continue;
   1014 
   1015 		ctx->family = table->family;
   1016 
   1017 		if (!nft_is_active_next(ctx->net, table))
   1018 			continue;
   1019 
   1020 		if (nla[NFTA_TABLE_NAME] &&
   1021 		    nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
   1022 			continue;
   1023 
   1024 		ctx->table = table;
   1025 
   1026 		err = nft_flush_table(ctx);
   1027 		if (err < 0)
   1028 			goto out;
   1029 	}
   1030 out:
   1031 	return err;
   1032 }
   1033 
   1034 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
   1035 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
   1036 			      const struct nlattr * const nla[],
   1037 			      struct netlink_ext_ack *extack)
   1038 {
   1039 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   1040 	u8 genmask = nft_genmask_next(net);
   1041 	int family = nfmsg->nfgen_family;
   1042 	const struct nlattr *attr;
   1043 	struct nft_table *table;
   1044 	struct nft_ctx ctx;
   1045 
   1046 	nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
   1047 	if (family == AF_UNSPEC ||
   1048 	    (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
   1049 		return nft_flush(&ctx, family);
   1050 
   1051 	if (nla[NFTA_TABLE_HANDLE]) {
   1052 		attr = nla[NFTA_TABLE_HANDLE];
   1053 		table = nft_table_lookup_byhandle(net, attr, genmask);
   1054 	} else {
   1055 		attr = nla[NFTA_TABLE_NAME];
   1056 		table = nft_table_lookup(net, attr, family, genmask);
   1057 	}
   1058 
   1059 	if (IS_ERR(table)) {
   1060 		NL_SET_BAD_ATTR(extack, attr);
   1061 		return PTR_ERR(table);
   1062 	}
   1063 
   1064 	if (nlh->nlmsg_flags & NLM_F_NONREC &&
   1065 	    table->use > 0)
   1066 		return -EBUSY;
   1067 
   1068 	ctx.family = family;
   1069 	ctx.table = table;
   1070 
   1071 	return nft_flush_table(&ctx);
   1072 }
   1073 
   1074 static void nf_tables_table_destroy(struct nft_ctx *ctx)
   1075 {
   1076 	if (WARN_ON(ctx->table->use > 0))
   1077 		return;
   1078 
   1079 	rhltable_destroy(&ctx->table->chains_ht);
   1080 	kfree(ctx->table->name);
   1081 	kfree(ctx->table);
   1082 }
   1083 
   1084 void nft_register_chain_type(const struct nft_chain_type *ctype)
   1085 {
   1086 	if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
   1087 		return;
   1088 
   1089 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
   1090 	if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
   1091 		nfnl_unlock(NFNL_SUBSYS_NFTABLES);
   1092 		return;
   1093 	}
   1094 	chain_type[ctype->family][ctype->type] = ctype;
   1095 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
   1096 }
   1097 EXPORT_SYMBOL_GPL(nft_register_chain_type);
   1098 
   1099 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
   1100 {
   1101 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
   1102 	chain_type[ctype->family][ctype->type] = NULL;
   1103 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
   1104 }
   1105 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
   1106 
   1107 /*
   1108  * Chains
   1109  */
   1110 
   1111 static struct nft_chain *
   1112 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
   1113 {
   1114 	struct nft_chain *chain;
   1115 
   1116 	list_for_each_entry(chain, &table->chains, list) {
   1117 		if (chain->handle == handle &&
   1118 		    nft_active_genmask(chain, genmask))
   1119 			return chain;
   1120 	}
   1121 
   1122 	return ERR_PTR(-ENOENT);
   1123 }
   1124 
   1125 static bool lockdep_commit_lock_is_held(const struct net *net)
   1126 {
   1127 #ifdef CONFIG_PROVE_LOCKING
   1128 	return lockdep_is_held(&net->nft.commit_mutex);
   1129 #else
   1130 	return true;
   1131 #endif
   1132 }
   1133 
   1134 static struct nft_chain *nft_chain_lookup(struct net *net,
   1135 					  struct nft_table *table,
   1136 					  const struct nlattr *nla, u8 genmask)
   1137 {
   1138 	char search[NFT_CHAIN_MAXNAMELEN + 1];
   1139 	struct rhlist_head *tmp, *list;
   1140 	struct nft_chain *chain;
   1141 
   1142 	if (nla == NULL)
   1143 		return ERR_PTR(-EINVAL);
   1144 
   1145 	nla_strlcpy(search, nla, sizeof(search));
   1146 
   1147 	WARN_ON(!rcu_read_lock_held() &&
   1148 		!lockdep_commit_lock_is_held(net));
   1149 
   1150 	chain = ERR_PTR(-ENOENT);
   1151 	rcu_read_lock();
   1152 	list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
   1153 	if (!list)
   1154 		goto out_unlock;
   1155 
   1156 	rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
   1157 		if (nft_active_genmask(chain, genmask))
   1158 			goto out_unlock;
   1159 	}
   1160 	chain = ERR_PTR(-ENOENT);
   1161 out_unlock:
   1162 	rcu_read_unlock();
   1163 	return chain;
   1164 }
   1165 
   1166 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
   1167 	[NFTA_CHAIN_TABLE]	= { .type = NLA_STRING,
   1168 				    .len = NFT_TABLE_MAXNAMELEN - 1 },
   1169 	[NFTA_CHAIN_HANDLE]	= { .type = NLA_U64 },
   1170 	[NFTA_CHAIN_NAME]	= { .type = NLA_STRING,
   1171 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
   1172 	[NFTA_CHAIN_HOOK]	= { .type = NLA_NESTED },
   1173 	[NFTA_CHAIN_POLICY]	= { .type = NLA_U32 },
   1174 	[NFTA_CHAIN_TYPE]	= { .type = NLA_STRING },
   1175 	[NFTA_CHAIN_COUNTERS]	= { .type = NLA_NESTED },
   1176 };
   1177 
   1178 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
   1179 	[NFTA_HOOK_HOOKNUM]	= { .type = NLA_U32 },
   1180 	[NFTA_HOOK_PRIORITY]	= { .type = NLA_U32 },
   1181 	[NFTA_HOOK_DEV]		= { .type = NLA_STRING,
   1182 				    .len = IFNAMSIZ - 1 },
   1183 };
   1184 
   1185 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
   1186 {
   1187 	struct nft_stats *cpu_stats, total;
   1188 	struct nlattr *nest;
   1189 	unsigned int seq;
   1190 	u64 pkts, bytes;
   1191 	int cpu;
   1192 
   1193 	memset(&total, 0, sizeof(total));
   1194 	for_each_possible_cpu(cpu) {
   1195 		cpu_stats = per_cpu_ptr(stats, cpu);
   1196 		do {
   1197 			seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
   1198 			pkts = cpu_stats->pkts;
   1199 			bytes = cpu_stats->bytes;
   1200 		} while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
   1201 		total.pkts += pkts;
   1202 		total.bytes += bytes;
   1203 	}
   1204 	nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
   1205 	if (nest == NULL)
   1206 		goto nla_put_failure;
   1207 
   1208 	if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
   1209 			 NFTA_COUNTER_PAD) ||
   1210 	    nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
   1211 			 NFTA_COUNTER_PAD))
   1212 		goto nla_put_failure;
   1213 
   1214 	nla_nest_end(skb, nest);
   1215 	return 0;
   1216 
   1217 nla_put_failure:
   1218 	return -ENOSPC;
   1219 }
   1220 
   1221 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
   1222 				     u32 portid, u32 seq, int event, u32 flags,
   1223 				     int family, const struct nft_table *table,
   1224 				     const struct nft_chain *chain)
   1225 {
   1226 	struct nlmsghdr *nlh;
   1227 	struct nfgenmsg *nfmsg;
   1228 
   1229 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
   1230 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
   1231 	if (nlh == NULL)
   1232 		goto nla_put_failure;
   1233 
   1234 	nfmsg = nlmsg_data(nlh);
   1235 	nfmsg->nfgen_family	= family;
   1236 	nfmsg->version		= NFNETLINK_V0;
   1237 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
   1238 
   1239 	if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
   1240 		goto nla_put_failure;
   1241 	if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
   1242 			 NFTA_CHAIN_PAD))
   1243 		goto nla_put_failure;
   1244 	if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
   1245 		goto nla_put_failure;
   1246 
   1247 	if (nft_is_base_chain(chain)) {
   1248 		const struct nft_base_chain *basechain = nft_base_chain(chain);
   1249 		const struct nf_hook_ops *ops = &basechain->ops;
   1250 		struct nlattr *nest;
   1251 
   1252 		nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
   1253 		if (nest == NULL)
   1254 			goto nla_put_failure;
   1255 		if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
   1256 			goto nla_put_failure;
   1257 		if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
   1258 			goto nla_put_failure;
   1259 		if (basechain->dev_name[0] &&
   1260 		    nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
   1261 			goto nla_put_failure;
   1262 		nla_nest_end(skb, nest);
   1263 
   1264 		if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
   1265 				 htonl(basechain->policy)))
   1266 			goto nla_put_failure;
   1267 
   1268 		if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
   1269 			goto nla_put_failure;
   1270 
   1271 		if (rcu_access_pointer(basechain->stats) &&
   1272 		    nft_dump_stats(skb, rcu_dereference(basechain->stats)))
   1273 			goto nla_put_failure;
   1274 	}
   1275 
   1276 	if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
   1277 		goto nla_put_failure;
   1278 
   1279 	nlmsg_end(skb, nlh);
   1280 	return 0;
   1281 
   1282 nla_put_failure:
   1283 	nlmsg_trim(skb, nlh);
   1284 	return -1;
   1285 }
   1286 
   1287 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
   1288 {
   1289 	struct sk_buff *skb;
   1290 	int err;
   1291 
   1292 	if (!ctx->report &&
   1293 	    !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
   1294 		return;
   1295 
   1296 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
   1297 	if (skb == NULL)
   1298 		goto err;
   1299 
   1300 	err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
   1301 					event, 0, ctx->family, ctx->table,
   1302 					ctx->chain);
   1303 	if (err < 0) {
   1304 		kfree_skb(skb);
   1305 		goto err;
   1306 	}
   1307 
   1308 	nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
   1309 		       ctx->report, GFP_KERNEL);
   1310 	return;
   1311 err:
   1312 	nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
   1313 }
   1314 
   1315 static int nf_tables_dump_chains(struct sk_buff *skb,
   1316 				 struct netlink_callback *cb)
   1317 {
   1318 	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
   1319 	const struct nft_table *table;
   1320 	const struct nft_chain *chain;
   1321 	unsigned int idx = 0, s_idx = cb->args[0];
   1322 	struct net *net = sock_net(skb->sk);
   1323 	int family = nfmsg->nfgen_family;
   1324 
   1325 	rcu_read_lock();
   1326 	cb->seq = net->nft.base_seq;
   1327 
   1328 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
   1329 		if (family != NFPROTO_UNSPEC && family != table->family)
   1330 			continue;
   1331 
   1332 		list_for_each_entry_rcu(chain, &table->chains, list) {
   1333 			if (idx < s_idx)
   1334 				goto cont;
   1335 			if (idx > s_idx)
   1336 				memset(&cb->args[1], 0,
   1337 				       sizeof(cb->args) - sizeof(cb->args[0]));
   1338 			if (!nft_is_active(net, chain))
   1339 				continue;
   1340 			if (nf_tables_fill_chain_info(skb, net,
   1341 						      NETLINK_CB(cb->skb).portid,
   1342 						      cb->nlh->nlmsg_seq,
   1343 						      NFT_MSG_NEWCHAIN,
   1344 						      NLM_F_MULTI,
   1345 						      table->family, table,
   1346 						      chain) < 0)
   1347 				goto done;
   1348 
   1349 			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
   1350 cont:
   1351 			idx++;
   1352 		}
   1353 	}
   1354 done:
   1355 	rcu_read_unlock();
   1356 	cb->args[0] = idx;
   1357 	return skb->len;
   1358 }
   1359 
   1360 /* called with rcu_read_lock held */
   1361 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
   1362 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
   1363 			      const struct nlattr * const nla[],
   1364 			      struct netlink_ext_ack *extack)
   1365 {
   1366 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   1367 	u8 genmask = nft_genmask_cur(net);
   1368 	const struct nft_chain *chain;
   1369 	struct nft_table *table;
   1370 	struct sk_buff *skb2;
   1371 	int family = nfmsg->nfgen_family;
   1372 	int err;
   1373 
   1374 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
   1375 		struct netlink_dump_control c = {
   1376 			.dump = nf_tables_dump_chains,
   1377 			.module = THIS_MODULE,
   1378 		};
   1379 
   1380 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
   1381 	}
   1382 
   1383 	table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
   1384 	if (IS_ERR(table)) {
   1385 		NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
   1386 		return PTR_ERR(table);
   1387 	}
   1388 
   1389 	chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
   1390 	if (IS_ERR(chain)) {
   1391 		NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
   1392 		return PTR_ERR(chain);
   1393 	}
   1394 
   1395 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
   1396 	if (!skb2)
   1397 		return -ENOMEM;
   1398 
   1399 	err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
   1400 					nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
   1401 					family, table, chain);
   1402 	if (err < 0)
   1403 		goto err;
   1404 
   1405 	return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
   1406 
   1407 err:
   1408 	kfree_skb(skb2);
   1409 	return err;
   1410 }
   1411 
   1412 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
   1413 	[NFTA_COUNTER_PACKETS]	= { .type = NLA_U64 },
   1414 	[NFTA_COUNTER_BYTES]	= { .type = NLA_U64 },
   1415 };
   1416 
   1417 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
   1418 {
   1419 	struct nlattr *tb[NFTA_COUNTER_MAX+1];
   1420 	struct nft_stats __percpu *newstats;
   1421 	struct nft_stats *stats;
   1422 	int err;
   1423 
   1424 	err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
   1425 			       NULL);
   1426 	if (err < 0)
   1427 		return ERR_PTR(err);
   1428 
   1429 	if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
   1430 		return ERR_PTR(-EINVAL);
   1431 
   1432 	newstats = netdev_alloc_pcpu_stats(struct nft_stats);
   1433 	if (newstats == NULL)
   1434 		return ERR_PTR(-ENOMEM);
   1435 
   1436 	/* Restore old counters on this cpu, no problem. Per-cpu statistics
   1437 	 * are not exposed to userspace.
   1438 	 */
   1439 	preempt_disable();
   1440 	stats = this_cpu_ptr(newstats);
   1441 	stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
   1442 	stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
   1443 	preempt_enable();
   1444 
   1445 	return newstats;
   1446 }
   1447 
   1448 static void nft_chain_stats_replace(struct net *net,
   1449 				    struct nft_base_chain *chain,
   1450 				    struct nft_stats __percpu *newstats)
   1451 {
   1452 	struct nft_stats __percpu *oldstats;
   1453 
   1454 	if (newstats == NULL)
   1455 		return;
   1456 
   1457 	if (rcu_access_pointer(chain->stats)) {
   1458 		oldstats = rcu_dereference_protected(chain->stats,
   1459 					lockdep_commit_lock_is_held(net));
   1460 		rcu_assign_pointer(chain->stats, newstats);
   1461 		synchronize_rcu();
   1462 		free_percpu(oldstats);
   1463 	} else {
   1464 		rcu_assign_pointer(chain->stats, newstats);
   1465 		static_branch_inc(&nft_counters_enabled);
   1466 	}
   1467 }
   1468 
   1469 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
   1470 {
   1471 	struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
   1472 	struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
   1473 
   1474 	if (g0 != g1)
   1475 		kvfree(g1);
   1476 	kvfree(g0);
   1477 
   1478 	/* should be NULL either via abort or via successful commit */
   1479 	WARN_ON_ONCE(chain->rules_next);
   1480 	kvfree(chain->rules_next);
   1481 }
   1482 
   1483 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
   1484 {
   1485 	struct nft_chain *chain = ctx->chain;
   1486 
   1487 	if (WARN_ON(chain->use > 0))
   1488 		return;
   1489 
   1490 	/* no concurrent access possible anymore */
   1491 	nf_tables_chain_free_chain_rules(chain);
   1492 
   1493 	if (nft_is_base_chain(chain)) {
   1494 		struct nft_base_chain *basechain = nft_base_chain(chain);
   1495 
   1496 		module_put(basechain->type->owner);
   1497 		if (rcu_access_pointer(basechain->stats)) {
   1498 			static_branch_dec(&nft_counters_enabled);
   1499 			free_percpu(rcu_dereference_raw(basechain->stats));
   1500 		}
   1501 		kfree(chain->name);
   1502 		kfree(basechain);
   1503 	} else {
   1504 		kfree(chain->name);
   1505 		kfree(chain);
   1506 	}
   1507 }
   1508 
   1509 struct nft_chain_hook {
   1510 	u32				num;
   1511 	s32				priority;
   1512 	const struct nft_chain_type	*type;
   1513 	struct net_device		*dev;
   1514 };
   1515 
   1516 static int nft_chain_parse_hook(struct net *net,
   1517 				const struct nlattr * const nla[],
   1518 				struct nft_chain_hook *hook, u8 family,
   1519 				bool autoload)
   1520 {
   1521 	struct nlattr *ha[NFTA_HOOK_MAX + 1];
   1522 	const struct nft_chain_type *type;
   1523 	struct net_device *dev;
   1524 	int err;
   1525 
   1526 	lockdep_assert_held(&net->nft.commit_mutex);
   1527 	lockdep_nfnl_nft_mutex_not_held();
   1528 
   1529 	err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
   1530 			       nft_hook_policy, NULL);
   1531 	if (err < 0)
   1532 		return err;
   1533 
   1534 	if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
   1535 	    ha[NFTA_HOOK_PRIORITY] == NULL)
   1536 		return -EINVAL;
   1537 
   1538 	hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
   1539 	hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
   1540 
   1541 	type = chain_type[family][NFT_CHAIN_T_DEFAULT];
   1542 	if (nla[NFTA_CHAIN_TYPE]) {
   1543 		type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
   1544 						   family, autoload);
   1545 		if (IS_ERR(type))
   1546 			return PTR_ERR(type);
   1547 	}
   1548 	if (!(type->hook_mask & (1 << hook->num)))
   1549 		return -EOPNOTSUPP;
   1550 
   1551 	if (type->type == NFT_CHAIN_T_NAT &&
   1552 	    hook->priority <= NF_IP_PRI_CONNTRACK)
   1553 		return -EOPNOTSUPP;
   1554 
   1555 	if (!try_module_get(type->owner))
   1556 		return -ENOENT;
   1557 
   1558 	hook->type = type;
   1559 
   1560 	hook->dev = NULL;
   1561 	if (family == NFPROTO_NETDEV) {
   1562 		char ifname[IFNAMSIZ];
   1563 
   1564 		if (!ha[NFTA_HOOK_DEV]) {
   1565 			module_put(type->owner);
   1566 			return -EOPNOTSUPP;
   1567 		}
   1568 
   1569 		nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
   1570 		dev = __dev_get_by_name(net, ifname);
   1571 		if (!dev) {
   1572 			module_put(type->owner);
   1573 			return -ENOENT;
   1574 		}
   1575 		hook->dev = dev;
   1576 	} else if (ha[NFTA_HOOK_DEV]) {
   1577 		module_put(type->owner);
   1578 		return -EOPNOTSUPP;
   1579 	}
   1580 
   1581 	return 0;
   1582 }
   1583 
   1584 static void nft_chain_release_hook(struct nft_chain_hook *hook)
   1585 {
   1586 	module_put(hook->type->owner);
   1587 }
   1588 
   1589 struct nft_rules_old {
   1590 	struct rcu_head h;
   1591 	struct nft_rule **start;
   1592 };
   1593 
   1594 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
   1595 						     unsigned int alloc)
   1596 {
   1597 	if (alloc > INT_MAX)
   1598 		return NULL;
   1599 
   1600 	alloc += 1;	/* NULL, ends rules */
   1601 	if (sizeof(struct nft_rule *) > INT_MAX / alloc)
   1602 		return NULL;
   1603 
   1604 	alloc *= sizeof(struct nft_rule *);
   1605 	alloc += sizeof(struct nft_rules_old);
   1606 
   1607 	return kvmalloc(alloc, GFP_KERNEL);
   1608 }
   1609 
   1610 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
   1611 			      u8 policy)
   1612 {
   1613 	const struct nlattr * const *nla = ctx->nla;
   1614 	struct nft_table *table = ctx->table;
   1615 	struct nft_base_chain *basechain;
   1616 	struct nft_stats __percpu *stats;
   1617 	struct net *net = ctx->net;
   1618 	struct nft_chain *chain;
   1619 	struct nft_rule **rules;
   1620 	int err;
   1621 
   1622 	if (table->use == UINT_MAX)
   1623 		return -EOVERFLOW;
   1624 
   1625 	if (nla[NFTA_CHAIN_HOOK]) {
   1626 		struct nft_chain_hook hook;
   1627 		struct nf_hook_ops *ops;
   1628 
   1629 		err = nft_chain_parse_hook(net, nla, &hook, family, true);
   1630 		if (err < 0)
   1631 			return err;
   1632 
   1633 		basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
   1634 		if (basechain == NULL) {
   1635 			nft_chain_release_hook(&hook);
   1636 			return -ENOMEM;
   1637 		}
   1638 
   1639 		if (hook.dev != NULL)
   1640 			strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
   1641 
   1642 		if (nla[NFTA_CHAIN_COUNTERS]) {
   1643 			stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
   1644 			if (IS_ERR(stats)) {
   1645 				nft_chain_release_hook(&hook);
   1646 				kfree(basechain);
   1647 				return PTR_ERR(stats);
   1648 			}
   1649 			rcu_assign_pointer(basechain->stats, stats);
   1650 			static_branch_inc(&nft_counters_enabled);
   1651 		}
   1652 
   1653 		basechain->type = hook.type;
   1654 		chain = &basechain->chain;
   1655 
   1656 		ops		= &basechain->ops;
   1657 		ops->pf		= family;
   1658 		ops->hooknum	= hook.num;
   1659 		ops->priority	= hook.priority;
   1660 		ops->priv	= chain;
   1661 		ops->hook	= hook.type->hooks[ops->hooknum];
   1662 		ops->dev	= hook.dev;
   1663 
   1664 		chain->flags |= NFT_BASE_CHAIN;
   1665 		basechain->policy = policy;
   1666 	} else {
   1667 		chain = kzalloc(sizeof(*chain), GFP_KERNEL);
   1668 		if (chain == NULL)
   1669 			return -ENOMEM;
   1670 	}
   1671 	ctx->chain = chain;
   1672 
   1673 	INIT_LIST_HEAD(&chain->rules);
   1674 	chain->handle = nf_tables_alloc_handle(table);
   1675 	chain->table = table;
   1676 	chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
   1677 	if (!chain->name) {
   1678 		err = -ENOMEM;
   1679 		goto err1;
   1680 	}
   1681 
   1682 	rules = nf_tables_chain_alloc_rules(chain, 0);
   1683 	if (!rules) {
   1684 		err = -ENOMEM;
   1685 		goto err1;
   1686 	}
   1687 
   1688 	*rules = NULL;
   1689 	rcu_assign_pointer(chain->rules_gen_0, rules);
   1690 	rcu_assign_pointer(chain->rules_gen_1, rules);
   1691 
   1692 	err = nf_tables_register_hook(net, table, chain);
   1693 	if (err < 0)
   1694 		goto err1;
   1695 
   1696 	err = rhltable_insert_key(&table->chains_ht, chain->name,
   1697 				  &chain->rhlhead, nft_chain_ht_params);
   1698 	if (err)
   1699 		goto err2;
   1700 
   1701 	err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
   1702 	if (err < 0) {
   1703 		rhltable_remove(&table->chains_ht, &chain->rhlhead,
   1704 				nft_chain_ht_params);
   1705 		goto err2;
   1706 	}
   1707 
   1708 	table->use++;
   1709 	list_add_tail_rcu(&chain->list, &table->chains);
   1710 
   1711 	return 0;
   1712 err2:
   1713 	nf_tables_unregister_hook(net, table, chain);
   1714 err1:
   1715 	nf_tables_chain_destroy(ctx);
   1716 
   1717 	return err;
   1718 }
   1719 
   1720 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy)
   1721 {
   1722 	const struct nlattr * const *nla = ctx->nla;
   1723 	struct nft_table *table = ctx->table;
   1724 	struct nft_chain *chain = ctx->chain;
   1725 	struct nft_base_chain *basechain;
   1726 	struct nft_stats *stats = NULL;
   1727 	struct nft_chain_hook hook;
   1728 	struct nf_hook_ops *ops;
   1729 	struct nft_trans *trans;
   1730 	int err;
   1731 
   1732 	if (nla[NFTA_CHAIN_HOOK]) {
   1733 		if (!nft_is_base_chain(chain))
   1734 			return -EBUSY;
   1735 
   1736 		err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
   1737 					   false);
   1738 		if (err < 0)
   1739 			return err;
   1740 
   1741 		basechain = nft_base_chain(chain);
   1742 		if (basechain->type != hook.type) {
   1743 			nft_chain_release_hook(&hook);
   1744 			return -EBUSY;
   1745 		}
   1746 
   1747 		ops = &basechain->ops;
   1748 		if (ops->hooknum != hook.num ||
   1749 		    ops->priority != hook.priority ||
   1750 		    ops->dev != hook.dev) {
   1751 			nft_chain_release_hook(&hook);
   1752 			return -EBUSY;
   1753 		}
   1754 		nft_chain_release_hook(&hook);
   1755 	}
   1756 
   1757 	if (nla[NFTA_CHAIN_HANDLE] &&
   1758 	    nla[NFTA_CHAIN_NAME]) {
   1759 		struct nft_chain *chain2;
   1760 
   1761 		chain2 = nft_chain_lookup(ctx->net, table,
   1762 					  nla[NFTA_CHAIN_NAME], genmask);
   1763 		if (!IS_ERR(chain2))
   1764 			return -EEXIST;
   1765 	}
   1766 
   1767 	if (nla[NFTA_CHAIN_COUNTERS]) {
   1768 		if (!nft_is_base_chain(chain))
   1769 			return -EOPNOTSUPP;
   1770 
   1771 		stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
   1772 		if (IS_ERR(stats))
   1773 			return PTR_ERR(stats);
   1774 	}
   1775 
   1776 	err = -ENOMEM;
   1777 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
   1778 				sizeof(struct nft_trans_chain));
   1779 	if (trans == NULL)
   1780 		goto err;
   1781 
   1782 	nft_trans_chain_stats(trans) = stats;
   1783 	nft_trans_chain_update(trans) = true;
   1784 
   1785 	if (nla[NFTA_CHAIN_POLICY])
   1786 		nft_trans_chain_policy(trans) = policy;
   1787 	else
   1788 		nft_trans_chain_policy(trans) = -1;
   1789 
   1790 	if (nla[NFTA_CHAIN_HANDLE] &&
   1791 	    nla[NFTA_CHAIN_NAME]) {
   1792 		struct nft_trans *tmp;
   1793 		char *name;
   1794 
   1795 		err = -ENOMEM;
   1796 		name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
   1797 		if (!name)
   1798 			goto err;
   1799 
   1800 		err = -EEXIST;
   1801 		list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
   1802 			if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
   1803 			    tmp->ctx.table == table &&
   1804 			    nft_trans_chain_update(tmp) &&
   1805 			    nft_trans_chain_name(tmp) &&
   1806 			    strcmp(name, nft_trans_chain_name(tmp)) == 0) {
   1807 				kfree(name);
   1808 				goto err;
   1809 			}
   1810 		}
   1811 
   1812 		nft_trans_chain_name(trans) = name;
   1813 	}
   1814 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
   1815 
   1816 	return 0;
   1817 err:
   1818 	free_percpu(stats);
   1819 	kfree(trans);
   1820 	return err;
   1821 }
   1822 
   1823 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
   1824 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
   1825 			      const struct nlattr * const nla[],
   1826 			      struct netlink_ext_ack *extack)
   1827 {
   1828 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   1829 	u8 genmask = nft_genmask_next(net);
   1830 	int family = nfmsg->nfgen_family;
   1831 	const struct nlattr *attr;
   1832 	struct nft_table *table;
   1833 	struct nft_chain *chain;
   1834 	u8 policy = NF_ACCEPT;
   1835 	struct nft_ctx ctx;
   1836 	u64 handle = 0;
   1837 
   1838 	lockdep_assert_held(&net->nft.commit_mutex);
   1839 
   1840 	table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
   1841 	if (IS_ERR(table)) {
   1842 		NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
   1843 		return PTR_ERR(table);
   1844 	}
   1845 
   1846 	chain = NULL;
   1847 	attr = nla[NFTA_CHAIN_NAME];
   1848 
   1849 	if (nla[NFTA_CHAIN_HANDLE]) {
   1850 		handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
   1851 		chain = nft_chain_lookup_byhandle(table, handle, genmask);
   1852 		if (IS_ERR(chain)) {
   1853 			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
   1854 			return PTR_ERR(chain);
   1855 		}
   1856 		attr = nla[NFTA_CHAIN_HANDLE];
   1857 	} else {
   1858 		chain = nft_chain_lookup(net, table, attr, genmask);
   1859 		if (IS_ERR(chain)) {
   1860 			if (PTR_ERR(chain) != -ENOENT) {
   1861 				NL_SET_BAD_ATTR(extack, attr);
   1862 				return PTR_ERR(chain);
   1863 			}
   1864 			chain = NULL;
   1865 		}
   1866 	}
   1867 
   1868 	if (nla[NFTA_CHAIN_POLICY]) {
   1869 		if (chain != NULL &&
   1870 		    !nft_is_base_chain(chain)) {
   1871 			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
   1872 			return -EOPNOTSUPP;
   1873 		}
   1874 
   1875 		if (chain == NULL &&
   1876 		    nla[NFTA_CHAIN_HOOK] == NULL) {
   1877 			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
   1878 			return -EOPNOTSUPP;
   1879 		}
   1880 
   1881 		policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
   1882 		switch (policy) {
   1883 		case NF_DROP:
   1884 		case NF_ACCEPT:
   1885 			break;
   1886 		default:
   1887 			return -EINVAL;
   1888 		}
   1889 	}
   1890 
   1891 	nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
   1892 
   1893 	if (chain != NULL) {
   1894 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
   1895 			NL_SET_BAD_ATTR(extack, attr);
   1896 			return -EEXIST;
   1897 		}
   1898 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
   1899 			return -EOPNOTSUPP;
   1900 
   1901 		return nf_tables_updchain(&ctx, genmask, policy);
   1902 	}
   1903 
   1904 	return nf_tables_addchain(&ctx, family, genmask, policy);
   1905 }
   1906 
   1907 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
   1908 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
   1909 			      const struct nlattr * const nla[],
   1910 			      struct netlink_ext_ack *extack)
   1911 {
   1912 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   1913 	u8 genmask = nft_genmask_next(net);
   1914 	int family = nfmsg->nfgen_family;
   1915 	const struct nlattr *attr;
   1916 	struct nft_table *table;
   1917 	struct nft_chain *chain;
   1918 	struct nft_rule *rule;
   1919 	struct nft_ctx ctx;
   1920 	u64 handle;
   1921 	u32 use;
   1922 	int err;
   1923 
   1924 	table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
   1925 	if (IS_ERR(table)) {
   1926 		NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
   1927 		return PTR_ERR(table);
   1928 	}
   1929 
   1930 	if (nla[NFTA_CHAIN_HANDLE]) {
   1931 		attr = nla[NFTA_CHAIN_HANDLE];
   1932 		handle = be64_to_cpu(nla_get_be64(attr));
   1933 		chain = nft_chain_lookup_byhandle(table, handle, genmask);
   1934 	} else {
   1935 		attr = nla[NFTA_CHAIN_NAME];
   1936 		chain = nft_chain_lookup(net, table, attr, genmask);
   1937 	}
   1938 	if (IS_ERR(chain)) {
   1939 		NL_SET_BAD_ATTR(extack, attr);
   1940 		return PTR_ERR(chain);
   1941 	}
   1942 
   1943 	if (nlh->nlmsg_flags & NLM_F_NONREC &&
   1944 	    chain->use > 0)
   1945 		return -EBUSY;
   1946 
   1947 	nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
   1948 
   1949 	use = chain->use;
   1950 	list_for_each_entry(rule, &chain->rules, list) {
   1951 		if (!nft_is_active_next(net, rule))
   1952 			continue;
   1953 		use--;
   1954 
   1955 		err = nft_delrule(&ctx, rule);
   1956 		if (err < 0)
   1957 			return err;
   1958 	}
   1959 
   1960 	/* There are rules and elements that are still holding references to us,
   1961 	 * we cannot do a recursive removal in this case.
   1962 	 */
   1963 	if (use > 0) {
   1964 		NL_SET_BAD_ATTR(extack, attr);
   1965 		return -EBUSY;
   1966 	}
   1967 
   1968 	return nft_delchain(&ctx);
   1969 }
   1970 
   1971 /*
   1972  * Expressions
   1973  */
   1974 
   1975 /**
   1976  *	nft_register_expr - register nf_tables expr type
   1977  *	@ops: expr type
   1978  *
   1979  *	Registers the expr type for use with nf_tables. Returns zero on
   1980  *	success or a negative errno code otherwise.
   1981  */
   1982 int nft_register_expr(struct nft_expr_type *type)
   1983 {
   1984 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
   1985 	if (type->family == NFPROTO_UNSPEC)
   1986 		list_add_tail_rcu(&type->list, &nf_tables_expressions);
   1987 	else
   1988 		list_add_rcu(&type->list, &nf_tables_expressions);
   1989 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
   1990 	return 0;
   1991 }
   1992 EXPORT_SYMBOL_GPL(nft_register_expr);
   1993 
   1994 /**
   1995  *	nft_unregister_expr - unregister nf_tables expr type
   1996  *	@ops: expr type
   1997  *
   1998  * 	Unregisters the expr typefor use with nf_tables.
   1999  */
   2000 void nft_unregister_expr(struct nft_expr_type *type)
   2001 {
   2002 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
   2003 	list_del_rcu(&type->list);
   2004 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
   2005 }
   2006 EXPORT_SYMBOL_GPL(nft_unregister_expr);
   2007 
   2008 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
   2009 						       struct nlattr *nla)
   2010 {
   2011 	const struct nft_expr_type *type;
   2012 
   2013 	list_for_each_entry(type, &nf_tables_expressions, list) {
   2014 		if (!nla_strcmp(nla, type->name) &&
   2015 		    (!type->family || type->family == family))
   2016 			return type;
   2017 	}
   2018 	return NULL;
   2019 }
   2020 
   2021 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
   2022 						     u8 family,
   2023 						     struct nlattr *nla)
   2024 {
   2025 	const struct nft_expr_type *type;
   2026 
   2027 	if (nla == NULL)
   2028 		return ERR_PTR(-EINVAL);
   2029 
   2030 	type = __nft_expr_type_get(family, nla);
   2031 	if (type != NULL && try_module_get(type->owner))
   2032 		return type;
   2033 
   2034 	lockdep_nfnl_nft_mutex_not_held();
   2035 #ifdef CONFIG_MODULES
   2036 	if (type == NULL) {
   2037 		nft_request_module(net, "nft-expr-%u-%.*s", family,
   2038 				   nla_len(nla), (char *)nla_data(nla));
   2039 		if (__nft_expr_type_get(family, nla))
   2040 			return ERR_PTR(-EAGAIN);
   2041 
   2042 		nft_request_module(net, "nft-expr-%.*s",
   2043 				   nla_len(nla), (char *)nla_data(nla));
   2044 		if (__nft_expr_type_get(family, nla))
   2045 			return ERR_PTR(-EAGAIN);
   2046 	}
   2047 #endif
   2048 	return ERR_PTR(-ENOENT);
   2049 }
   2050 
   2051 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
   2052 	[NFTA_EXPR_NAME]	= { .type = NLA_STRING },
   2053 	[NFTA_EXPR_DATA]	= { .type = NLA_NESTED },
   2054 };
   2055 
   2056 static int nf_tables_fill_expr_info(struct sk_buff *skb,
   2057 				    const struct nft_expr *expr)
   2058 {
   2059 	if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
   2060 		goto nla_put_failure;
   2061 
   2062 	if (expr->ops->dump) {
   2063 		struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
   2064 		if (data == NULL)
   2065 			goto nla_put_failure;
   2066 		if (expr->ops->dump(skb, expr) < 0)
   2067 			goto nla_put_failure;
   2068 		nla_nest_end(skb, data);
   2069 	}
   2070 
   2071 	return skb->len;
   2072 
   2073 nla_put_failure:
   2074 	return -1;
   2075 };
   2076 
   2077 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
   2078 		  const struct nft_expr *expr)
   2079 {
   2080 	struct nlattr *nest;
   2081 
   2082 	nest = nla_nest_start(skb, attr);
   2083 	if (!nest)
   2084 		goto nla_put_failure;
   2085 	if (nf_tables_fill_expr_info(skb, expr) < 0)
   2086 		goto nla_put_failure;
   2087 	nla_nest_end(skb, nest);
   2088 	return 0;
   2089 
   2090 nla_put_failure:
   2091 	return -1;
   2092 }
   2093 
   2094 struct nft_expr_info {
   2095 	const struct nft_expr_ops	*ops;
   2096 	struct nlattr			*tb[NFT_EXPR_MAXATTR + 1];
   2097 };
   2098 
   2099 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
   2100 				const struct nlattr *nla,
   2101 				struct nft_expr_info *info)
   2102 {
   2103 	const struct nft_expr_type *type;
   2104 	const struct nft_expr_ops *ops;
   2105 	struct nlattr *tb[NFTA_EXPR_MAX + 1];
   2106 	int err;
   2107 
   2108 	err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
   2109 	if (err < 0)
   2110 		return err;
   2111 
   2112 	type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
   2113 	if (IS_ERR(type))
   2114 		return PTR_ERR(type);
   2115 
   2116 	if (tb[NFTA_EXPR_DATA]) {
   2117 		err = nla_parse_nested(info->tb, type->maxattr,
   2118 				       tb[NFTA_EXPR_DATA], type->policy, NULL);
   2119 		if (err < 0)
   2120 			goto err1;
   2121 	} else
   2122 		memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
   2123 
   2124 	if (type->select_ops != NULL) {
   2125 		ops = type->select_ops(ctx,
   2126 				       (const struct nlattr * const *)info->tb);
   2127 		if (IS_ERR(ops)) {
   2128 			err = PTR_ERR(ops);
   2129 			goto err1;
   2130 		}
   2131 	} else
   2132 		ops = type->ops;
   2133 
   2134 	info->ops = ops;
   2135 	return 0;
   2136 
   2137 err1:
   2138 	module_put(type->owner);
   2139 	return err;
   2140 }
   2141 
   2142 static int nf_tables_newexpr(const struct nft_ctx *ctx,
   2143 			     const struct nft_expr_info *info,
   2144 			     struct nft_expr *expr)
   2145 {
   2146 	const struct nft_expr_ops *ops = info->ops;
   2147 	int err;
   2148 
   2149 	expr->ops = ops;
   2150 	if (ops->init) {
   2151 		err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
   2152 		if (err < 0)
   2153 			goto err1;
   2154 	}
   2155 
   2156 	return 0;
   2157 err1:
   2158 	expr->ops = NULL;
   2159 	return err;
   2160 }
   2161 
   2162 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
   2163 				   struct nft_expr *expr)
   2164 {
   2165 	const struct nft_expr_type *type = expr->ops->type;
   2166 
   2167 	if (expr->ops->destroy)
   2168 		expr->ops->destroy(ctx, expr);
   2169 	module_put(type->owner);
   2170 }
   2171 
   2172 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
   2173 			       const struct nlattr *nla)
   2174 {
   2175 	struct nft_expr_info info;
   2176 	struct nft_expr *expr;
   2177 	struct module *owner;
   2178 	int err;
   2179 
   2180 	err = nf_tables_expr_parse(ctx, nla, &info);
   2181 	if (err < 0)
   2182 		goto err1;
   2183 
   2184 	err = -ENOMEM;
   2185 	expr = kzalloc(info.ops->size, GFP_KERNEL);
   2186 	if (expr == NULL)
   2187 		goto err2;
   2188 
   2189 	err = nf_tables_newexpr(ctx, &info, expr);
   2190 	if (err < 0)
   2191 		goto err3;
   2192 
   2193 	return expr;
   2194 err3:
   2195 	kfree(expr);
   2196 err2:
   2197 	owner = info.ops->type->owner;
   2198 	if (info.ops->type->release_ops)
   2199 		info.ops->type->release_ops(info.ops);
   2200 
   2201 	module_put(owner);
   2202 err1:
   2203 	return ERR_PTR(err);
   2204 }
   2205 
   2206 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
   2207 {
   2208 	nf_tables_expr_destroy(ctx, expr);
   2209 	kfree(expr);
   2210 }
   2211 
   2212 /*
   2213  * Rules
   2214  */
   2215 
   2216 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
   2217 					  u64 handle)
   2218 {
   2219 	struct nft_rule *rule;
   2220 
   2221 	// FIXME: this sucks
   2222 	list_for_each_entry_rcu(rule, &chain->rules, list) {
   2223 		if (handle == rule->handle)
   2224 			return rule;
   2225 	}
   2226 
   2227 	return ERR_PTR(-ENOENT);
   2228 }
   2229 
   2230 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
   2231 					const struct nlattr *nla)
   2232 {
   2233 	if (nla == NULL)
   2234 		return ERR_PTR(-EINVAL);
   2235 
   2236 	return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
   2237 }
   2238 
   2239 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
   2240 	[NFTA_RULE_TABLE]	= { .type = NLA_STRING,
   2241 				    .len = NFT_TABLE_MAXNAMELEN - 1 },
   2242 	[NFTA_RULE_CHAIN]	= { .type = NLA_STRING,
   2243 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
   2244 	[NFTA_RULE_HANDLE]	= { .type = NLA_U64 },
   2245 	[NFTA_RULE_EXPRESSIONS]	= { .type = NLA_NESTED },
   2246 	[NFTA_RULE_COMPAT]	= { .type = NLA_NESTED },
   2247 	[NFTA_RULE_POSITION]	= { .type = NLA_U64 },
   2248 	[NFTA_RULE_USERDATA]	= { .type = NLA_BINARY,
   2249 				    .len = NFT_USERDATA_MAXLEN },
   2250 	[NFTA_RULE_ID]		= { .type = NLA_U32 },
   2251 	[NFTA_RULE_POSITION_ID]	= { .type = NLA_U32 },
   2252 };
   2253 
   2254 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
   2255 				    u32 portid, u32 seq, int event,
   2256 				    u32 flags, int family,
   2257 				    const struct nft_table *table,
   2258 				    const struct nft_chain *chain,
   2259 				    const struct nft_rule *rule)
   2260 {
   2261 	struct nlmsghdr *nlh;
   2262 	struct nfgenmsg *nfmsg;
   2263 	const struct nft_expr *expr, *next;
   2264 	struct nlattr *list;
   2265 	const struct nft_rule *prule;
   2266 	u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
   2267 
   2268 	nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
   2269 	if (nlh == NULL)
   2270 		goto nla_put_failure;
   2271 
   2272 	nfmsg = nlmsg_data(nlh);
   2273 	nfmsg->nfgen_family	= family;
   2274 	nfmsg->version		= NFNETLINK_V0;
   2275 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
   2276 
   2277 	if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
   2278 		goto nla_put_failure;
   2279 	if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
   2280 		goto nla_put_failure;
   2281 	if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
   2282 			 NFTA_RULE_PAD))
   2283 		goto nla_put_failure;
   2284 
   2285 	if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
   2286 		prule = list_prev_entry(rule, list);
   2287 		if (nla_put_be64(skb, NFTA_RULE_POSITION,
   2288 				 cpu_to_be64(prule->handle),
   2289 				 NFTA_RULE_PAD))
   2290 			goto nla_put_failure;
   2291 	}
   2292 
   2293 	list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
   2294 	if (list == NULL)
   2295 		goto nla_put_failure;
   2296 	nft_rule_for_each_expr(expr, next, rule) {
   2297 		if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
   2298 			goto nla_put_failure;
   2299 	}
   2300 	nla_nest_end(skb, list);
   2301 
   2302 	if (rule->udata) {
   2303 		struct nft_userdata *udata = nft_userdata(rule);
   2304 		if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
   2305 			    udata->data) < 0)
   2306 			goto nla_put_failure;
   2307 	}
   2308 
   2309 	nlmsg_end(skb, nlh);
   2310 	return 0;
   2311 
   2312 nla_put_failure:
   2313 	nlmsg_trim(skb, nlh);
   2314 	return -1;
   2315 }
   2316 
   2317 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
   2318 				  const struct nft_rule *rule, int event)
   2319 {
   2320 	struct sk_buff *skb;
   2321 	int err;
   2322 
   2323 	if (!ctx->report &&
   2324 	    !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
   2325 		return;
   2326 
   2327 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
   2328 	if (skb == NULL)
   2329 		goto err;
   2330 
   2331 	err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
   2332 				       event, 0, ctx->family, ctx->table,
   2333 				       ctx->chain, rule);
   2334 	if (err < 0) {
   2335 		kfree_skb(skb);
   2336 		goto err;
   2337 	}
   2338 
   2339 	nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
   2340 		       ctx->report, GFP_KERNEL);
   2341 	return;
   2342 err:
   2343 	nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
   2344 }
   2345 
   2346 struct nft_rule_dump_ctx {
   2347 	char *table;
   2348 	char *chain;
   2349 };
   2350 
   2351 static int __nf_tables_dump_rules(struct sk_buff *skb,
   2352 				  unsigned int *idx,
   2353 				  struct netlink_callback *cb,
   2354 				  const struct nft_table *table,
   2355 				  const struct nft_chain *chain)
   2356 {
   2357 	struct net *net = sock_net(skb->sk);
   2358 	unsigned int s_idx = cb->args[0];
   2359 	const struct nft_rule *rule;
   2360 
   2361 	list_for_each_entry_rcu(rule, &chain->rules, list) {
   2362 		if (!nft_is_active(net, rule))
   2363 			goto cont;
   2364 		if (*idx < s_idx)
   2365 			goto cont;
   2366 		if (*idx > s_idx) {
   2367 			memset(&cb->args[1], 0,
   2368 					sizeof(cb->args) - sizeof(cb->args[0]));
   2369 		}
   2370 		if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
   2371 					cb->nlh->nlmsg_seq,
   2372 					NFT_MSG_NEWRULE,
   2373 					NLM_F_MULTI | NLM_F_APPEND,
   2374 					table->family,
   2375 					table, chain, rule) < 0)
   2376 			return 1;
   2377 
   2378 		nl_dump_check_consistent(cb, nlmsg_hdr(skb));
   2379 cont:
   2380 		(*idx)++;
   2381 	}
   2382 	return 0;
   2383 }
   2384 
   2385 static int nf_tables_dump_rules(struct sk_buff *skb,
   2386 				struct netlink_callback *cb)
   2387 {
   2388 	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
   2389 	const struct nft_rule_dump_ctx *ctx = cb->data;
   2390 	struct nft_table *table;
   2391 	const struct nft_chain *chain;
   2392 	unsigned int idx = 0;
   2393 	struct net *net = sock_net(skb->sk);
   2394 	int family = nfmsg->nfgen_family;
   2395 
   2396 	rcu_read_lock();
   2397 	cb->seq = net->nft.base_seq;
   2398 
   2399 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
   2400 		if (family != NFPROTO_UNSPEC && family != table->family)
   2401 			continue;
   2402 
   2403 		if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
   2404 			continue;
   2405 
   2406 		if (ctx && ctx->table && ctx->chain) {
   2407 			struct rhlist_head *list, *tmp;
   2408 
   2409 			list = rhltable_lookup(&table->chains_ht, ctx->chain,
   2410 					       nft_chain_ht_params);
   2411 			if (!list)
   2412 				goto done;
   2413 
   2414 			rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
   2415 				if (!nft_is_active(net, chain))
   2416 					continue;
   2417 				__nf_tables_dump_rules(skb, &idx,
   2418 						       cb, table, chain);
   2419 				break;
   2420 			}
   2421 			goto done;
   2422 		}
   2423 
   2424 		list_for_each_entry_rcu(chain, &table->chains, list) {
   2425 			if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
   2426 				goto done;
   2427 		}
   2428 
   2429 		if (ctx && ctx->table)
   2430 			break;
   2431 	}
   2432 done:
   2433 	rcu_read_unlock();
   2434 
   2435 	cb->args[0] = idx;
   2436 	return skb->len;
   2437 }
   2438 
   2439 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
   2440 {
   2441 	const struct nlattr * const *nla = cb->data;
   2442 	struct nft_rule_dump_ctx *ctx = NULL;
   2443 
   2444 	if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
   2445 		ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
   2446 		if (!ctx)
   2447 			return -ENOMEM;
   2448 
   2449 		if (nla[NFTA_RULE_TABLE]) {
   2450 			ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
   2451 							GFP_ATOMIC);
   2452 			if (!ctx->table) {
   2453 				kfree(ctx);
   2454 				return -ENOMEM;
   2455 			}
   2456 		}
   2457 		if (nla[NFTA_RULE_CHAIN]) {
   2458 			ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
   2459 						GFP_ATOMIC);
   2460 			if (!ctx->chain) {
   2461 				kfree(ctx->table);
   2462 				kfree(ctx);
   2463 				return -ENOMEM;
   2464 			}
   2465 		}
   2466 	}
   2467 
   2468 	cb->data = ctx;
   2469 	return 0;
   2470 }
   2471 
   2472 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
   2473 {
   2474 	struct nft_rule_dump_ctx *ctx = cb->data;
   2475 
   2476 	if (ctx) {
   2477 		kfree(ctx->table);
   2478 		kfree(ctx->chain);
   2479 		kfree(ctx);
   2480 	}
   2481 	return 0;
   2482 }
   2483 
   2484 /* called with rcu_read_lock held */
   2485 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
   2486 			     struct sk_buff *skb, const struct nlmsghdr *nlh,
   2487 			     const struct nlattr * const nla[],
   2488 			     struct netlink_ext_ack *extack)
   2489 {
   2490 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   2491 	u8 genmask = nft_genmask_cur(net);
   2492 	const struct nft_chain *chain;
   2493 	const struct nft_rule *rule;
   2494 	struct nft_table *table;
   2495 	struct sk_buff *skb2;
   2496 	int family = nfmsg->nfgen_family;
   2497 	int err;
   2498 
   2499 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
   2500 		struct netlink_dump_control c = {
   2501 			.start= nf_tables_dump_rules_start,
   2502 			.dump = nf_tables_dump_rules,
   2503 			.done = nf_tables_dump_rules_done,
   2504 			.module = THIS_MODULE,
   2505 			.data = (void *)nla,
   2506 		};
   2507 
   2508 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
   2509 	}
   2510 
   2511 	table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
   2512 	if (IS_ERR(table)) {
   2513 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
   2514 		return PTR_ERR(table);
   2515 	}
   2516 
   2517 	chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
   2518 	if (IS_ERR(chain)) {
   2519 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
   2520 		return PTR_ERR(chain);
   2521 	}
   2522 
   2523 	rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
   2524 	if (IS_ERR(rule)) {
   2525 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
   2526 		return PTR_ERR(rule);
   2527 	}
   2528 
   2529 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
   2530 	if (!skb2)
   2531 		return -ENOMEM;
   2532 
   2533 	err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
   2534 				       nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
   2535 				       family, table, chain, rule);
   2536 	if (err < 0)
   2537 		goto err;
   2538 
   2539 	return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
   2540 
   2541 err:
   2542 	kfree_skb(skb2);
   2543 	return err;
   2544 }
   2545 
   2546 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
   2547 				   struct nft_rule *rule)
   2548 {
   2549 	struct nft_expr *expr, *next;
   2550 
   2551 	/*
   2552 	 * Careful: some expressions might not be initialized in case this
   2553 	 * is called on error from nf_tables_newrule().
   2554 	 */
   2555 	expr = nft_expr_first(rule);
   2556 	while (expr != nft_expr_last(rule) && expr->ops) {
   2557 		next = nft_expr_next(expr);
   2558 		nf_tables_expr_destroy(ctx, expr);
   2559 		expr = next;
   2560 	}
   2561 	kfree(rule);
   2562 }
   2563 
   2564 static void nf_tables_rule_release(const struct nft_ctx *ctx,
   2565 				   struct nft_rule *rule)
   2566 {
   2567 	nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
   2568 	nf_tables_rule_destroy(ctx, rule);
   2569 }
   2570 
   2571 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
   2572 {
   2573 	struct nft_expr *expr, *last;
   2574 	const struct nft_data *data;
   2575 	struct nft_rule *rule;
   2576 	int err;
   2577 
   2578 	if (ctx->level == NFT_JUMP_STACK_SIZE)
   2579 		return -EMLINK;
   2580 
   2581 	list_for_each_entry(rule, &chain->rules, list) {
   2582 		if (!nft_is_active_next(ctx->net, rule))
   2583 			continue;
   2584 
   2585 		nft_rule_for_each_expr(expr, last, rule) {
   2586 			if (!expr->ops->validate)
   2587 				continue;
   2588 
   2589 			err = expr->ops->validate(ctx, expr, &data);
   2590 			if (err < 0)
   2591 				return err;
   2592 		}
   2593 	}
   2594 
   2595 	return 0;
   2596 }
   2597 EXPORT_SYMBOL_GPL(nft_chain_validate);
   2598 
   2599 static int nft_table_validate(struct net *net, const struct nft_table *table)
   2600 {
   2601 	struct nft_chain *chain;
   2602 	struct nft_ctx ctx = {
   2603 		.net	= net,
   2604 		.family	= table->family,
   2605 	};
   2606 	int err;
   2607 
   2608 	list_for_each_entry(chain, &table->chains, list) {
   2609 		if (!nft_is_base_chain(chain))
   2610 			continue;
   2611 
   2612 		ctx.chain = chain;
   2613 		err = nft_chain_validate(&ctx, chain);
   2614 		if (err < 0)
   2615 			return err;
   2616 	}
   2617 
   2618 	return 0;
   2619 }
   2620 
   2621 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
   2622 					     const struct nlattr *nla);
   2623 
   2624 #define NFT_RULE_MAXEXPRS	128
   2625 
   2626 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
   2627 			     struct sk_buff *skb, const struct nlmsghdr *nlh,
   2628 			     const struct nlattr * const nla[],
   2629 			     struct netlink_ext_ack *extack)
   2630 {
   2631 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   2632 	u8 genmask = nft_genmask_next(net);
   2633 	struct nft_expr_info *info = NULL;
   2634 	int family = nfmsg->nfgen_family;
   2635 	struct nft_table *table;
   2636 	struct nft_chain *chain;
   2637 	struct nft_rule *rule, *old_rule = NULL;
   2638 	struct nft_userdata *udata;
   2639 	struct nft_trans *trans = NULL;
   2640 	struct nft_expr *expr;
   2641 	struct nft_ctx ctx;
   2642 	struct nlattr *tmp;
   2643 	unsigned int size, i, n, ulen = 0, usize = 0;
   2644 	int err, rem;
   2645 	u64 handle, pos_handle;
   2646 
   2647 	lockdep_assert_held(&net->nft.commit_mutex);
   2648 
   2649 	table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
   2650 	if (IS_ERR(table)) {
   2651 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
   2652 		return PTR_ERR(table);
   2653 	}
   2654 
   2655 	chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
   2656 	if (IS_ERR(chain)) {
   2657 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
   2658 		return PTR_ERR(chain);
   2659 	}
   2660 
   2661 	if (nla[NFTA_RULE_HANDLE]) {
   2662 		handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
   2663 		rule = __nft_rule_lookup(chain, handle);
   2664 		if (IS_ERR(rule)) {
   2665 			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
   2666 			return PTR_ERR(rule);
   2667 		}
   2668 
   2669 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
   2670 			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
   2671 			return -EEXIST;
   2672 		}
   2673 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
   2674 			old_rule = rule;
   2675 		else
   2676 			return -EOPNOTSUPP;
   2677 	} else {
   2678 		if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
   2679 		    nlh->nlmsg_flags & NLM_F_REPLACE)
   2680 			return -EINVAL;
   2681 		handle = nf_tables_alloc_handle(table);
   2682 
   2683 		if (chain->use == UINT_MAX)
   2684 			return -EOVERFLOW;
   2685 
   2686 		if (nla[NFTA_RULE_POSITION]) {
   2687 			pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
   2688 			old_rule = __nft_rule_lookup(chain, pos_handle);
   2689 			if (IS_ERR(old_rule)) {
   2690 				NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
   2691 				return PTR_ERR(old_rule);
   2692 			}
   2693 		} else if (nla[NFTA_RULE_POSITION_ID]) {
   2694 			old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
   2695 			if (IS_ERR(old_rule)) {
   2696 				NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
   2697 				return PTR_ERR(old_rule);
   2698 			}
   2699 		}
   2700 	}
   2701 
   2702 	nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
   2703 
   2704 	n = 0;
   2705 	size = 0;
   2706 	if (nla[NFTA_RULE_EXPRESSIONS]) {
   2707 		info = kvmalloc_array(NFT_RULE_MAXEXPRS,
   2708 				      sizeof(struct nft_expr_info),
   2709 				      GFP_KERNEL);
   2710 		if (!info)
   2711 			return -ENOMEM;
   2712 
   2713 		nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
   2714 			err = -EINVAL;
   2715 			if (nla_type(tmp) != NFTA_LIST_ELEM)
   2716 				goto err1;
   2717 			if (n == NFT_RULE_MAXEXPRS)
   2718 				goto err1;
   2719 			err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
   2720 			if (err < 0)
   2721 				goto err1;
   2722 			size += info[n].ops->size;
   2723 			n++;
   2724 		}
   2725 	}
   2726 	/* Check for overflow of dlen field */
   2727 	err = -EFBIG;
   2728 	if (size >= 1 << 12)
   2729 		goto err1;
   2730 
   2731 	if (nla[NFTA_RULE_USERDATA]) {
   2732 		ulen = nla_len(nla[NFTA_RULE_USERDATA]);
   2733 		if (ulen > 0)
   2734 			usize = sizeof(struct nft_userdata) + ulen;
   2735 	}
   2736 
   2737 	err = -ENOMEM;
   2738 	rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
   2739 	if (rule == NULL)
   2740 		goto err1;
   2741 
   2742 	nft_activate_next(net, rule);
   2743 
   2744 	rule->handle = handle;
   2745 	rule->dlen   = size;
   2746 	rule->udata  = ulen ? 1 : 0;
   2747 
   2748 	if (ulen) {
   2749 		udata = nft_userdata(rule);
   2750 		udata->len = ulen - 1;
   2751 		nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
   2752 	}
   2753 
   2754 	expr = nft_expr_first(rule);
   2755 	for (i = 0; i < n; i++) {
   2756 		err = nf_tables_newexpr(&ctx, &info[i], expr);
   2757 		if (err < 0)
   2758 			goto err2;
   2759 
   2760 		if (info[i].ops->validate)
   2761 			nft_validate_state_update(net, NFT_VALIDATE_NEED);
   2762 
   2763 		info[i].ops = NULL;
   2764 		expr = nft_expr_next(expr);
   2765 	}
   2766 
   2767 	if (nlh->nlmsg_flags & NLM_F_REPLACE) {
   2768 		trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
   2769 		if (trans == NULL) {
   2770 			err = -ENOMEM;
   2771 			goto err2;
   2772 		}
   2773 		err = nft_delrule(&ctx, old_rule);
   2774 		if (err < 0) {
   2775 			nft_trans_destroy(trans);
   2776 			goto err2;
   2777 		}
   2778 
   2779 		list_add_tail_rcu(&rule->list, &old_rule->list);
   2780 	} else {
   2781 		if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
   2782 			err = -ENOMEM;
   2783 			goto err2;
   2784 		}
   2785 
   2786 		if (nlh->nlmsg_flags & NLM_F_APPEND) {
   2787 			if (old_rule)
   2788 				list_add_rcu(&rule->list, &old_rule->list);
   2789 			else
   2790 				list_add_tail_rcu(&rule->list, &chain->rules);
   2791 		 } else {
   2792 			if (old_rule)
   2793 				list_add_tail_rcu(&rule->list, &old_rule->list);
   2794 			else
   2795 				list_add_rcu(&rule->list, &chain->rules);
   2796 		}
   2797 	}
   2798 	kvfree(info);
   2799 	chain->use++;
   2800 
   2801 	if (net->nft.validate_state == NFT_VALIDATE_DO)
   2802 		return nft_table_validate(net, table);
   2803 
   2804 	return 0;
   2805 err2:
   2806 	nf_tables_rule_release(&ctx, rule);
   2807 err1:
   2808 	for (i = 0; i < n; i++) {
   2809 		if (info[i].ops) {
   2810 			module_put(info[i].ops->type->owner);
   2811 			if (info[i].ops->type->release_ops)
   2812 				info[i].ops->type->release_ops(info[i].ops);
   2813 		}
   2814 	}
   2815 	kvfree(info);
   2816 	return err;
   2817 }
   2818 
   2819 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
   2820 					     const struct nlattr *nla)
   2821 {
   2822 	u32 id = ntohl(nla_get_be32(nla));
   2823 	struct nft_trans *trans;
   2824 
   2825 	list_for_each_entry(trans, &net->nft.commit_list, list) {
   2826 		struct nft_rule *rule = nft_trans_rule(trans);
   2827 
   2828 		if (trans->msg_type == NFT_MSG_NEWRULE &&
   2829 		    id == nft_trans_rule_id(trans))
   2830 			return rule;
   2831 	}
   2832 	return ERR_PTR(-ENOENT);
   2833 }
   2834 
   2835 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
   2836 			     struct sk_buff *skb, const struct nlmsghdr *nlh,
   2837 			     const struct nlattr * const nla[],
   2838 			     struct netlink_ext_ack *extack)
   2839 {
   2840 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   2841 	u8 genmask = nft_genmask_next(net);
   2842 	struct nft_table *table;
   2843 	struct nft_chain *chain = NULL;
   2844 	struct nft_rule *rule;
   2845 	int family = nfmsg->nfgen_family, err = 0;
   2846 	struct nft_ctx ctx;
   2847 
   2848 	table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
   2849 	if (IS_ERR(table)) {
   2850 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
   2851 		return PTR_ERR(table);
   2852 	}
   2853 
   2854 	if (nla[NFTA_RULE_CHAIN]) {
   2855 		chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
   2856 					 genmask);
   2857 		if (IS_ERR(chain)) {
   2858 			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
   2859 			return PTR_ERR(chain);
   2860 		}
   2861 	}
   2862 
   2863 	nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
   2864 
   2865 	if (chain) {
   2866 		if (nla[NFTA_RULE_HANDLE]) {
   2867 			rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
   2868 			if (IS_ERR(rule)) {
   2869 				NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
   2870 				return PTR_ERR(rule);
   2871 			}
   2872 
   2873 			err = nft_delrule(&ctx, rule);
   2874 		} else if (nla[NFTA_RULE_ID]) {
   2875 			rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
   2876 			if (IS_ERR(rule)) {
   2877 				NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
   2878 				return PTR_ERR(rule);
   2879 			}
   2880 
   2881 			err = nft_delrule(&ctx, rule);
   2882 		} else {
   2883 			err = nft_delrule_by_chain(&ctx);
   2884 		}
   2885 	} else {
   2886 		list_for_each_entry(chain, &table->chains, list) {
   2887 			if (!nft_is_active_next(net, chain))
   2888 				continue;
   2889 
   2890 			ctx.chain = chain;
   2891 			err = nft_delrule_by_chain(&ctx);
   2892 			if (err < 0)
   2893 				break;
   2894 		}
   2895 	}
   2896 
   2897 	return err;
   2898 }
   2899 
   2900 /*
   2901  * Sets
   2902  */
   2903 
   2904 static LIST_HEAD(nf_tables_set_types);
   2905 
   2906 int nft_register_set(struct nft_set_type *type)
   2907 {
   2908 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
   2909 	list_add_tail_rcu(&type->list, &nf_tables_set_types);
   2910 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
   2911 	return 0;
   2912 }
   2913 EXPORT_SYMBOL_GPL(nft_register_set);
   2914 
   2915 void nft_unregister_set(struct nft_set_type *type)
   2916 {
   2917 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
   2918 	list_del_rcu(&type->list);
   2919 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
   2920 }
   2921 EXPORT_SYMBOL_GPL(nft_unregister_set);
   2922 
   2923 #define NFT_SET_FEATURES	(NFT_SET_INTERVAL | NFT_SET_MAP | \
   2924 				 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
   2925 				 NFT_SET_EVAL)
   2926 
   2927 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
   2928 {
   2929 	return (flags & type->features) == (flags & NFT_SET_FEATURES);
   2930 }
   2931 
   2932 /*
   2933  * Select a set implementation based on the data characteristics and the
   2934  * given policy. The total memory use might not be known if no size is
   2935  * given, in that case the amount of memory per element is used.
   2936  */
   2937 static const struct nft_set_ops *
   2938 nft_select_set_ops(const struct nft_ctx *ctx,
   2939 		   const struct nlattr * const nla[],
   2940 		   const struct nft_set_desc *desc,
   2941 		   enum nft_set_policies policy)
   2942 {
   2943 	const struct nft_set_ops *ops, *bops;
   2944 	struct nft_set_estimate est, best;
   2945 	const struct nft_set_type *type;
   2946 	u32 flags = 0;
   2947 
   2948 	lockdep_assert_held(&ctx->net->nft.commit_mutex);
   2949 	lockdep_nfnl_nft_mutex_not_held();
   2950 #ifdef CONFIG_MODULES
   2951 	if (list_empty(&nf_tables_set_types)) {
   2952 		nft_request_module(ctx->net, "nft-set");
   2953 		if (!list_empty(&nf_tables_set_types))
   2954 			return ERR_PTR(-EAGAIN);
   2955 	}
   2956 #endif
   2957 	if (nla[NFTA_SET_FLAGS] != NULL)
   2958 		flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
   2959 
   2960 	bops	    = NULL;
   2961 	best.size   = ~0;
   2962 	best.lookup = ~0;
   2963 	best.space  = ~0;
   2964 
   2965 	list_for_each_entry(type, &nf_tables_set_types, list) {
   2966 		ops = &type->ops;
   2967 
   2968 		if (!nft_set_ops_candidate(type, flags))
   2969 			continue;
   2970 		if (!ops->estimate(desc, flags, &est))
   2971 			continue;
   2972 
   2973 		switch (policy) {
   2974 		case NFT_SET_POL_PERFORMANCE:
   2975 			if (est.lookup < best.lookup)
   2976 				break;
   2977 			if (est.lookup == best.lookup &&
   2978 			    est.space < best.space)
   2979 				break;
   2980 			continue;
   2981 		case NFT_SET_POL_MEMORY:
   2982 			if (!desc->size) {
   2983 				if (est.space < best.space)
   2984 					break;
   2985 				if (est.space == best.space &&
   2986 				    est.lookup < best.lookup)
   2987 					break;
   2988 			} else if (est.size < best.size || !bops) {
   2989 				break;
   2990 			}
   2991 			continue;
   2992 		default:
   2993 			break;
   2994 		}
   2995 
   2996 		if (!try_module_get(type->owner))
   2997 			continue;
   2998 		if (bops != NULL)
   2999 			module_put(to_set_type(bops)->owner);
   3000 
   3001 		bops = ops;
   3002 		best = est;
   3003 	}
   3004 
   3005 	if (bops != NULL)
   3006 		return bops;
   3007 
   3008 	return ERR_PTR(-EOPNOTSUPP);
   3009 }
   3010 
   3011 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
   3012 	[NFTA_SET_TABLE]		= { .type = NLA_STRING,
   3013 					    .len = NFT_TABLE_MAXNAMELEN - 1 },
   3014 	[NFTA_SET_NAME]			= { .type = NLA_STRING,
   3015 					    .len = NFT_SET_MAXNAMELEN - 1 },
   3016 	[NFTA_SET_FLAGS]		= { .type = NLA_U32 },
   3017 	[NFTA_SET_KEY_TYPE]		= { .type = NLA_U32 },
   3018 	[NFTA_SET_KEY_LEN]		= { .type = NLA_U32 },
   3019 	[NFTA_SET_DATA_TYPE]		= { .type = NLA_U32 },
   3020 	[NFTA_SET_DATA_LEN]		= { .type = NLA_U32 },
   3021 	[NFTA_SET_POLICY]		= { .type = NLA_U32 },
   3022 	[NFTA_SET_DESC]			= { .type = NLA_NESTED },
   3023 	[NFTA_SET_ID]			= { .type = NLA_U32 },
   3024 	[NFTA_SET_TIMEOUT]		= { .type = NLA_U64 },
   3025 	[NFTA_SET_GC_INTERVAL]		= { .type = NLA_U32 },
   3026 	[NFTA_SET_USERDATA]		= { .type = NLA_BINARY,
   3027 					    .len  = NFT_USERDATA_MAXLEN },
   3028 	[NFTA_SET_OBJ_TYPE]		= { .type = NLA_U32 },
   3029 	[NFTA_SET_HANDLE]		= { .type = NLA_U64 },
   3030 };
   3031 
   3032 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
   3033 	[NFTA_SET_DESC_SIZE]		= { .type = NLA_U32 },
   3034 };
   3035 
   3036 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
   3037 				     const struct sk_buff *skb,
   3038 				     const struct nlmsghdr *nlh,
   3039 				     const struct nlattr * const nla[],
   3040 				     struct netlink_ext_ack *extack,
   3041 				     u8 genmask)
   3042 {
   3043 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   3044 	int family = nfmsg->nfgen_family;
   3045 	struct nft_table *table = NULL;
   3046 
   3047 	if (nla[NFTA_SET_TABLE] != NULL) {
   3048 		table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
   3049 					 genmask);
   3050 		if (IS_ERR(table)) {
   3051 			NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
   3052 			return PTR_ERR(table);
   3053 		}
   3054 	}
   3055 
   3056 	nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
   3057 	return 0;
   3058 }
   3059 
   3060 static struct nft_set *nft_set_lookup(const struct nft_table *table,
   3061 				      const struct nlattr *nla, u8 genmask)
   3062 {
   3063 	struct nft_set *set;
   3064 
   3065 	if (nla == NULL)
   3066 		return ERR_PTR(-EINVAL);
   3067 
   3068 	list_for_each_entry_rcu(set, &table->sets, list) {
   3069 		if (!nla_strcmp(nla, set->name) &&
   3070 		    nft_active_genmask(set, genmask))
   3071 			return set;
   3072 	}
   3073 	return ERR_PTR(-ENOENT);
   3074 }
   3075 
   3076 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
   3077 					       const struct nlattr *nla,
   3078 					       u8 genmask)
   3079 {
   3080 	struct nft_set *set;
   3081 
   3082 	list_for_each_entry(set, &table->sets, list) {
   3083 		if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
   3084 		    nft_active_genmask(set, genmask))
   3085 			return set;
   3086 	}
   3087 	return ERR_PTR(-ENOENT);
   3088 }
   3089 
   3090 static struct nft_set *nft_set_lookup_byid(const struct net *net,
   3091 					   const struct nlattr *nla, u8 genmask)
   3092 {
   3093 	struct nft_trans *trans;
   3094 	u32 id = ntohl(nla_get_be32(nla));
   3095 
   3096 	list_for_each_entry(trans, &net->nft.commit_list, list) {
   3097 		if (trans->msg_type == NFT_MSG_NEWSET) {
   3098 			struct nft_set *set = nft_trans_set(trans);
   3099 
   3100 			if (id == nft_trans_set_id(trans) &&
   3101 			    nft_active_genmask(set, genmask))
   3102 				return set;
   3103 		}
   3104 	}
   3105 	return ERR_PTR(-ENOENT);
   3106 }
   3107 
   3108 struct nft_set *nft_set_lookup_global(const struct net *net,
   3109 				      const struct nft_table *table,
   3110 				      const struct nlattr *nla_set_name,
   3111 				      const struct nlattr *nla_set_id,
   3112 				      u8 genmask)
   3113 {
   3114 	struct nft_set *set;
   3115 
   3116 	set = nft_set_lookup(table, nla_set_name, genmask);
   3117 	if (IS_ERR(set)) {
   3118 		if (!nla_set_id)
   3119 			return set;
   3120 
   3121 		set = nft_set_lookup_byid(net, nla_set_id, genmask);
   3122 	}
   3123 	return set;
   3124 }
   3125 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
   3126 
   3127 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
   3128 				    const char *name)
   3129 {
   3130 	const struct nft_set *i;
   3131 	const char *p;
   3132 	unsigned long *inuse;
   3133 	unsigned int n = 0, min = 0;
   3134 
   3135 	p = strchr(name, '%');
   3136 	if (p != NULL) {
   3137 		if (p[1] != 'd' || strchr(p + 2, '%'))
   3138 			return -EINVAL;
   3139 
   3140 		inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
   3141 		if (inuse == NULL)
   3142 			return -ENOMEM;
   3143 cont:
   3144 		list_for_each_entry(i, &ctx->table->sets, list) {
   3145 			int tmp;
   3146 
   3147 			if (!nft_is_active_next(ctx->net, set))
   3148 				continue;
   3149 			if (!sscanf(i->name, name, &tmp))
   3150 				continue;
   3151 			if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
   3152 				continue;
   3153 
   3154 			set_bit(tmp - min, inuse);
   3155 		}
   3156 
   3157 		n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
   3158 		if (n >= BITS_PER_BYTE * PAGE_SIZE) {
   3159 			min += BITS_PER_BYTE * PAGE_SIZE;
   3160 			memset(inuse, 0, PAGE_SIZE);
   3161 			goto cont;
   3162 		}
   3163 		free_page((unsigned long)inuse);
   3164 	}
   3165 
   3166 	set->name = kasprintf(GFP_KERNEL, name, min + n);
   3167 	if (!set->name)
   3168 		return -ENOMEM;
   3169 
   3170 	list_for_each_entry(i, &ctx->table->sets, list) {
   3171 		if (!nft_is_active_next(ctx->net, i))
   3172 			continue;
   3173 		if (!strcmp(set->name, i->name)) {
   3174 			kfree(set->name);
   3175 			return -ENFILE;
   3176 		}
   3177 	}
   3178 	return 0;
   3179 }
   3180 
   3181 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
   3182 {
   3183 	u64 ms = be64_to_cpu(nla_get_be64(nla));
   3184 	u64 max = (u64)(~((u64)0));
   3185 
   3186 	max = div_u64(max, NSEC_PER_MSEC);
   3187 	if (ms >= max)
   3188 		return -ERANGE;
   3189 
   3190 	ms *= NSEC_PER_MSEC;
   3191 	*result = nsecs_to_jiffies64(ms);
   3192 	return 0;
   3193 }
   3194 
   3195 static __be64 nf_jiffies64_to_msecs(u64 input)
   3196 {
   3197 	u64 ms = jiffies64_to_nsecs(input);
   3198 
   3199 	return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
   3200 }
   3201 
   3202 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
   3203 			      const struct nft_set *set, u16 event, u16 flags)
   3204 {
   3205 	struct nfgenmsg *nfmsg;
   3206 	struct nlmsghdr *nlh;
   3207 	struct nlattr *desc;
   3208 	u32 portid = ctx->portid;
   3209 	u32 seq = ctx->seq;
   3210 
   3211 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
   3212 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
   3213 			flags);
   3214 	if (nlh == NULL)
   3215 		goto nla_put_failure;
   3216 
   3217 	nfmsg = nlmsg_data(nlh);
   3218 	nfmsg->nfgen_family	= ctx->family;
   3219 	nfmsg->version		= NFNETLINK_V0;
   3220 	nfmsg->res_id		= htons(ctx->net->nft.base_seq & 0xffff);
   3221 
   3222 	if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
   3223 		goto nla_put_failure;
   3224 	if (nla_put_string(skb, NFTA_SET_NAME, set->name))
   3225 		goto nla_put_failure;
   3226 	if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
   3227 			 NFTA_SET_PAD))
   3228 		goto nla_put_failure;
   3229 	if (set->flags != 0)
   3230 		if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
   3231 			goto nla_put_failure;
   3232 
   3233 	if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
   3234 		goto nla_put_failure;
   3235 	if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
   3236 		goto nla_put_failure;
   3237 	if (set->flags & NFT_SET_MAP) {
   3238 		if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
   3239 			goto nla_put_failure;
   3240 		if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
   3241 			goto nla_put_failure;
   3242 	}
   3243 	if (set->flags & NFT_SET_OBJECT &&
   3244 	    nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
   3245 		goto nla_put_failure;
   3246 
   3247 	if (set->timeout &&
   3248 	    nla_put_be64(skb, NFTA_SET_TIMEOUT,
   3249 			 nf_jiffies64_to_msecs(set->timeout),
   3250 			 NFTA_SET_PAD))
   3251 		goto nla_put_failure;
   3252 	if (set->gc_int &&
   3253 	    nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
   3254 		goto nla_put_failure;
   3255 
   3256 	if (set->policy != NFT_SET_POL_PERFORMANCE) {
   3257 		if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
   3258 			goto nla_put_failure;
   3259 	}
   3260 
   3261 	if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
   3262 		goto nla_put_failure;
   3263 
   3264 	desc = nla_nest_start(skb, NFTA_SET_DESC);
   3265 	if (desc == NULL)
   3266 		goto nla_put_failure;
   3267 	if (set->size &&
   3268 	    nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
   3269 		goto nla_put_failure;
   3270 	nla_nest_end(skb, desc);
   3271 
   3272 	nlmsg_end(skb, nlh);
   3273 	return 0;
   3274 
   3275 nla_put_failure:
   3276 	nlmsg_trim(skb, nlh);
   3277 	return -1;
   3278 }
   3279 
   3280 static void nf_tables_set_notify(const struct nft_ctx *ctx,
   3281 				 const struct nft_set *set, int event,
   3282 			         gfp_t gfp_flags)
   3283 {
   3284 	struct sk_buff *skb;
   3285 	u32 portid = ctx->portid;
   3286 	int err;
   3287 
   3288 	if (!ctx->report &&
   3289 	    !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
   3290 		return;
   3291 
   3292 	skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
   3293 	if (skb == NULL)
   3294 		goto err;
   3295 
   3296 	err = nf_tables_fill_set(skb, ctx, set, event, 0);
   3297 	if (err < 0) {
   3298 		kfree_skb(skb);
   3299 		goto err;
   3300 	}
   3301 
   3302 	nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
   3303 		       gfp_flags);
   3304 	return;
   3305 err:
   3306 	nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
   3307 }
   3308 
   3309 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
   3310 {
   3311 	const struct nft_set *set;
   3312 	unsigned int idx, s_idx = cb->args[0];
   3313 	struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
   3314 	struct net *net = sock_net(skb->sk);
   3315 	struct nft_ctx *ctx = cb->data, ctx_set;
   3316 
   3317 	if (cb->args[1])
   3318 		return skb->len;
   3319 
   3320 	rcu_read_lock();
   3321 	cb->seq = net->nft.base_seq;
   3322 
   3323 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
   3324 		if (ctx->family != NFPROTO_UNSPEC &&
   3325 		    ctx->family != table->family)
   3326 			continue;
   3327 
   3328 		if (ctx->table && ctx->table != table)
   3329 			continue;
   3330 
   3331 		if (cur_table) {
   3332 			if (cur_table != table)
   3333 				continue;
   3334 
   3335 			cur_table = NULL;
   3336 		}
   3337 		idx = 0;
   3338 		list_for_each_entry_rcu(set, &table->sets, list) {
   3339 			if (idx < s_idx)
   3340 				goto cont;
   3341 			if (!nft_is_active(net, set))
   3342 				goto cont;
   3343 
   3344 			ctx_set = *ctx;
   3345 			ctx_set.table = table;
   3346 			ctx_set.family = table->family;
   3347 
   3348 			if (nf_tables_fill_set(skb, &ctx_set, set,
   3349 					       NFT_MSG_NEWSET,
   3350 					       NLM_F_MULTI) < 0) {
   3351 				cb->args[0] = idx;
   3352 				cb->args[2] = (unsigned long) table;
   3353 				goto done;
   3354 			}
   3355 			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
   3356 cont:
   3357 			idx++;
   3358 		}
   3359 		if (s_idx)
   3360 			s_idx = 0;
   3361 	}
   3362 	cb->args[1] = 1;
   3363 done:
   3364 	rcu_read_unlock();
   3365 	return skb->len;
   3366 }
   3367 
   3368 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
   3369 {
   3370 	struct nft_ctx *ctx_dump = NULL;
   3371 
   3372 	ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
   3373 	if (ctx_dump == NULL)
   3374 		return -ENOMEM;
   3375 
   3376 	cb->data = ctx_dump;
   3377 	return 0;
   3378 }
   3379 
   3380 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
   3381 {
   3382 	kfree(cb->data);
   3383 	return 0;
   3384 }
   3385 
   3386 /* called with rcu_read_lock held */
   3387 static int nf_tables_getset(struct net *net, struct sock *nlsk,
   3388 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
   3389 			    const struct nlattr * const nla[],
   3390 			    struct netlink_ext_ack *extack)
   3391 {
   3392 	u8 genmask = nft_genmask_cur(net);
   3393 	const struct nft_set *set;
   3394 	struct nft_ctx ctx;
   3395 	struct sk_buff *skb2;
   3396 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   3397 	int err;
   3398 
   3399 	/* Verify existence before starting dump */
   3400 	err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
   3401 					genmask);
   3402 	if (err < 0)
   3403 		return err;
   3404 
   3405 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
   3406 		struct netlink_dump_control c = {
   3407 			.start = nf_tables_dump_sets_start,
   3408 			.dump = nf_tables_dump_sets,
   3409 			.done = nf_tables_dump_sets_done,
   3410 			.data = &ctx,
   3411 			.module = THIS_MODULE,
   3412 		};
   3413 
   3414 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
   3415 	}
   3416 
   3417 	/* Only accept unspec with dump */
   3418 	if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
   3419 		return -EAFNOSUPPORT;
   3420 	if (!nla[NFTA_SET_TABLE])
   3421 		return -EINVAL;
   3422 
   3423 	set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
   3424 	if (IS_ERR(set))
   3425 		return PTR_ERR(set);
   3426 
   3427 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
   3428 	if (skb2 == NULL)
   3429 		return -ENOMEM;
   3430 
   3431 	err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
   3432 	if (err < 0)
   3433 		goto err;
   3434 
   3435 	return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
   3436 
   3437 err:
   3438 	kfree_skb(skb2);
   3439 	return err;
   3440 }
   3441 
   3442 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
   3443 				    struct nft_set_desc *desc,
   3444 				    const struct nlattr *nla)
   3445 {
   3446 	struct nlattr *da[NFTA_SET_DESC_MAX + 1];
   3447 	int err;
   3448 
   3449 	err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
   3450 			       nft_set_desc_policy, NULL);
   3451 	if (err < 0)
   3452 		return err;
   3453 
   3454 	if (da[NFTA_SET_DESC_SIZE] != NULL)
   3455 		desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
   3456 
   3457 	return 0;
   3458 }
   3459 
   3460 static int nf_tables_newset(struct net *net, struct sock *nlsk,
   3461 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
   3462 			    const struct nlattr * const nla[],
   3463 			    struct netlink_ext_ack *extack)
   3464 {
   3465 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   3466 	u8 genmask = nft_genmask_next(net);
   3467 	int family = nfmsg->nfgen_family;
   3468 	const struct nft_set_ops *ops;
   3469 	struct nft_table *table;
   3470 	struct nft_set *set;
   3471 	struct nft_ctx ctx;
   3472 	char *name;
   3473 	u64 size;
   3474 	u64 timeout;
   3475 	u32 ktype, dtype, flags, policy, gc_int, objtype;
   3476 	struct nft_set_desc desc;
   3477 	unsigned char *udata;
   3478 	u16 udlen;
   3479 	int err;
   3480 
   3481 	if (nla[NFTA_SET_TABLE] == NULL ||
   3482 	    nla[NFTA_SET_NAME] == NULL ||
   3483 	    nla[NFTA_SET_KEY_LEN] == NULL ||
   3484 	    nla[NFTA_SET_ID] == NULL)
   3485 		return -EINVAL;
   3486 
   3487 	memset(&desc, 0, sizeof(desc));
   3488 
   3489 	ktype = NFT_DATA_VALUE;
   3490 	if (nla[NFTA_SET_KEY_TYPE] != NULL) {
   3491 		ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
   3492 		if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
   3493 			return -EINVAL;
   3494 	}
   3495 
   3496 	desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
   3497 	if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
   3498 		return -EINVAL;
   3499 
   3500 	flags = 0;
   3501 	if (nla[NFTA_SET_FLAGS] != NULL) {
   3502 		flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
   3503 		if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
   3504 			      NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
   3505 			      NFT_SET_MAP | NFT_SET_EVAL |
   3506 			      NFT_SET_OBJECT))
   3507 			return -EINVAL;
   3508 		/* Only one of these operations is supported */
   3509 		if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
   3510 			     (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
   3511 			return -EOPNOTSUPP;
   3512 	}
   3513 
   3514 	dtype = 0;
   3515 	if (nla[NFTA_SET_DATA_TYPE] != NULL) {
   3516 		if (!(flags & NFT_SET_MAP))
   3517 			return -EINVAL;
   3518 
   3519 		dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
   3520 		if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
   3521 		    dtype != NFT_DATA_VERDICT)
   3522 			return -EINVAL;
   3523 
   3524 		if (dtype != NFT_DATA_VERDICT) {
   3525 			if (nla[NFTA_SET_DATA_LEN] == NULL)
   3526 				return -EINVAL;
   3527 			desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
   3528 			if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
   3529 				return -EINVAL;
   3530 		} else
   3531 			desc.dlen = sizeof(struct nft_verdict);
   3532 	} else if (flags & NFT_SET_MAP)
   3533 		return -EINVAL;
   3534 
   3535 	if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
   3536 		if (!(flags & NFT_SET_OBJECT))
   3537 			return -EINVAL;
   3538 
   3539 		objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
   3540 		if (objtype == NFT_OBJECT_UNSPEC ||
   3541 		    objtype > NFT_OBJECT_MAX)
   3542 			return -EINVAL;
   3543 	} else if (flags & NFT_SET_OBJECT)
   3544 		return -EINVAL;
   3545 	else
   3546 		objtype = NFT_OBJECT_UNSPEC;
   3547 
   3548 	timeout = 0;
   3549 	if (nla[NFTA_SET_TIMEOUT] != NULL) {
   3550 		if (!(flags & NFT_SET_TIMEOUT))
   3551 			return -EINVAL;
   3552 
   3553 		err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
   3554 		if (err)
   3555 			return err;
   3556 	}
   3557 	gc_int = 0;
   3558 	if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
   3559 		if (!(flags & NFT_SET_TIMEOUT))
   3560 			return -EINVAL;
   3561 		gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
   3562 	}
   3563 
   3564 	policy = NFT_SET_POL_PERFORMANCE;
   3565 	if (nla[NFTA_SET_POLICY] != NULL)
   3566 		policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
   3567 
   3568 	if (nla[NFTA_SET_DESC] != NULL) {
   3569 		err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
   3570 		if (err < 0)
   3571 			return err;
   3572 	}
   3573 
   3574 	table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
   3575 	if (IS_ERR(table)) {
   3576 		NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
   3577 		return PTR_ERR(table);
   3578 	}
   3579 
   3580 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
   3581 
   3582 	set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
   3583 	if (IS_ERR(set)) {
   3584 		if (PTR_ERR(set) != -ENOENT) {
   3585 			NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
   3586 			return PTR_ERR(set);
   3587 		}
   3588 	} else {
   3589 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
   3590 			NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
   3591 			return -EEXIST;
   3592 		}
   3593 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
   3594 			return -EOPNOTSUPP;
   3595 
   3596 		return 0;
   3597 	}
   3598 
   3599 	if (!(nlh->nlmsg_flags & NLM_F_CREATE))
   3600 		return -ENOENT;
   3601 
   3602 	ops = nft_select_set_ops(&ctx, nla, &desc, policy);
   3603 	if (IS_ERR(ops))
   3604 		return PTR_ERR(ops);
   3605 
   3606 	udlen = 0;
   3607 	if (nla[NFTA_SET_USERDATA])
   3608 		udlen = nla_len(nla[NFTA_SET_USERDATA]);
   3609 
   3610 	size = 0;
   3611 	if (ops->privsize != NULL)
   3612 		size = ops->privsize(nla, &desc);
   3613 
   3614 	set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
   3615 	if (!set) {
   3616 		err = -ENOMEM;
   3617 		goto err1;
   3618 	}
   3619 
   3620 	name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
   3621 	if (!name) {
   3622 		err = -ENOMEM;
   3623 		goto err2;
   3624 	}
   3625 
   3626 	err = nf_tables_set_alloc_name(&ctx, set, name);
   3627 	kfree(name);
   3628 	if (err < 0)
   3629 		goto err2;
   3630 
   3631 	udata = NULL;
   3632 	if (udlen) {
   3633 		udata = set->data + size;
   3634 		nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
   3635 	}
   3636 
   3637 	INIT_LIST_HEAD(&set->bindings);
   3638 	set->table = table;
   3639 	write_pnet(&set->net, net);
   3640 	set->ops   = ops;
   3641 	set->ktype = ktype;
   3642 	set->klen  = desc.klen;
   3643 	set->dtype = dtype;
   3644 	set->objtype = objtype;
   3645 	set->dlen  = desc.dlen;
   3646 	set->flags = flags;
   3647 	set->size  = desc.size;
   3648 	set->policy = policy;
   3649 	set->udlen  = udlen;
   3650 	set->udata  = udata;
   3651 	set->timeout = timeout;
   3652 	set->gc_int = gc_int;
   3653 	set->handle = nf_tables_alloc_handle(table);
   3654 
   3655 	err = ops->init(set, &desc, nla);
   3656 	if (err < 0)
   3657 		goto err3;
   3658 
   3659 	err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
   3660 	if (err < 0)
   3661 		goto err4;
   3662 
   3663 	list_add_tail_rcu(&set->list, &table->sets);
   3664 	table->use++;
   3665 	return 0;
   3666 
   3667 err4:
   3668 	ops->destroy(set);
   3669 err3:
   3670 	kfree(set->name);
   3671 err2:
   3672 	kvfree(set);
   3673 err1:
   3674 	module_put(to_set_type(ops)->owner);
   3675 	return err;
   3676 }
   3677 
   3678 static void nft_set_destroy(struct nft_set *set)
   3679 {
   3680 	if (WARN_ON(set->use > 0))
   3681 		return;
   3682 
   3683 	set->ops->destroy(set);
   3684 	module_put(to_set_type(set->ops)->owner);
   3685 	kfree(set->name);
   3686 	kvfree(set);
   3687 }
   3688 
   3689 static int nf_tables_delset(struct net *net, struct sock *nlsk,
   3690 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
   3691 			    const struct nlattr * const nla[],
   3692 			    struct netlink_ext_ack *extack)
   3693 {
   3694 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   3695 	u8 genmask = nft_genmask_next(net);
   3696 	const struct nlattr *attr;
   3697 	struct nft_set *set;
   3698 	struct nft_ctx ctx;
   3699 	int err;
   3700 
   3701 	if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
   3702 		return -EAFNOSUPPORT;
   3703 	if (nla[NFTA_SET_TABLE] == NULL)
   3704 		return -EINVAL;
   3705 
   3706 	err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
   3707 					genmask);
   3708 	if (err < 0)
   3709 		return err;
   3710 
   3711 	if (nla[NFTA_SET_HANDLE]) {
   3712 		attr = nla[NFTA_SET_HANDLE];
   3713 		set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
   3714 	} else {
   3715 		attr = nla[NFTA_SET_NAME];
   3716 		set = nft_set_lookup(ctx.table, attr, genmask);
   3717 	}
   3718 
   3719 	if (IS_ERR(set)) {
   3720 		NL_SET_BAD_ATTR(extack, attr);
   3721 		return PTR_ERR(set);
   3722 	}
   3723 	if (set->use ||
   3724 	    (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
   3725 		NL_SET_BAD_ATTR(extack, attr);
   3726 		return -EBUSY;
   3727 	}
   3728 
   3729 	return nft_delset(&ctx, set);
   3730 }
   3731 
   3732 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
   3733 					struct nft_set *set,
   3734 					const struct nft_set_iter *iter,
   3735 					struct nft_set_elem *elem)
   3736 {
   3737 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
   3738 	enum nft_registers dreg;
   3739 
   3740 	dreg = nft_type_to_reg(set->dtype);
   3741 	return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
   3742 					   set->dtype == NFT_DATA_VERDICT ?
   3743 					   NFT_DATA_VERDICT : NFT_DATA_VALUE,
   3744 					   set->dlen);
   3745 }
   3746 
   3747 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
   3748 		       struct nft_set_binding *binding)
   3749 {
   3750 	struct nft_set_binding *i;
   3751 	struct nft_set_iter iter;
   3752 
   3753 	if (set->use == UINT_MAX)
   3754 		return -EOVERFLOW;
   3755 
   3756 	if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
   3757 		return -EBUSY;
   3758 
   3759 	if (binding->flags & NFT_SET_MAP) {
   3760 		/* If the set is already bound to the same chain all
   3761 		 * jumps are already validated for that chain.
   3762 		 */
   3763 		list_for_each_entry(i, &set->bindings, list) {
   3764 			if (i->flags & NFT_SET_MAP &&
   3765 			    i->chain == binding->chain)
   3766 				goto bind;
   3767 		}
   3768 
   3769 		iter.genmask	= nft_genmask_next(ctx->net);
   3770 		iter.skip 	= 0;
   3771 		iter.count	= 0;
   3772 		iter.err	= 0;
   3773 		iter.fn		= nf_tables_bind_check_setelem;
   3774 
   3775 		set->ops->walk(ctx, set, &iter);
   3776 		if (iter.err < 0)
   3777 			return iter.err;
   3778 	}
   3779 bind:
   3780 	binding->chain = ctx->chain;
   3781 	list_add_tail_rcu(&binding->list, &set->bindings);
   3782 	nft_set_trans_bind(ctx, set);
   3783 	set->use++;
   3784 
   3785 	return 0;
   3786 }
   3787 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
   3788 
   3789 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
   3790 			  struct nft_set_binding *binding, bool event)
   3791 {
   3792 	list_del_rcu(&binding->list);
   3793 
   3794 	if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
   3795 		list_del_rcu(&set->list);
   3796 		if (event)
   3797 			nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
   3798 					     GFP_KERNEL);
   3799 	}
   3800 }
   3801 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
   3802 
   3803 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
   3804 			      struct nft_set_binding *binding,
   3805 			      enum nft_trans_phase phase)
   3806 {
   3807 	switch (phase) {
   3808 	case NFT_TRANS_PREPARE:
   3809 		set->use--;
   3810 		return;
   3811 	case NFT_TRANS_ABORT:
   3812 	case NFT_TRANS_RELEASE:
   3813 		set->use--;
   3814 		/* fall through */
   3815 	default:
   3816 		nf_tables_unbind_set(ctx, set, binding,
   3817 				     phase == NFT_TRANS_COMMIT);
   3818 	}
   3819 }
   3820 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
   3821 
   3822 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
   3823 {
   3824 	if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
   3825 		nft_set_destroy(set);
   3826 }
   3827 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
   3828 
   3829 const struct nft_set_ext_type nft_set_ext_types[] = {
   3830 	[NFT_SET_EXT_KEY]		= {
   3831 		.align	= __alignof__(u32),
   3832 	},
   3833 	[NFT_SET_EXT_DATA]		= {
   3834 		.align	= __alignof__(u32),
   3835 	},
   3836 	[NFT_SET_EXT_EXPR]		= {
   3837 		.align	= __alignof__(struct nft_expr),
   3838 	},
   3839 	[NFT_SET_EXT_OBJREF]		= {
   3840 		.len	= sizeof(struct nft_object *),
   3841 		.align	= __alignof__(struct nft_object *),
   3842 	},
   3843 	[NFT_SET_EXT_FLAGS]		= {
   3844 		.len	= sizeof(u8),
   3845 		.align	= __alignof__(u8),
   3846 	},
   3847 	[NFT_SET_EXT_TIMEOUT]		= {
   3848 		.len	= sizeof(u64),
   3849 		.align	= __alignof__(u64),
   3850 	},
   3851 	[NFT_SET_EXT_EXPIRATION]	= {
   3852 		.len	= sizeof(u64),
   3853 		.align	= __alignof__(u64),
   3854 	},
   3855 	[NFT_SET_EXT_USERDATA]		= {
   3856 		.len	= sizeof(struct nft_userdata),
   3857 		.align	= __alignof__(struct nft_userdata),
   3858 	},
   3859 };
   3860 EXPORT_SYMBOL_GPL(nft_set_ext_types);
   3861 
   3862 /*
   3863  * Set elements
   3864  */
   3865 
   3866 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
   3867 	[NFTA_SET_ELEM_KEY]		= { .type = NLA_NESTED },
   3868 	[NFTA_SET_ELEM_DATA]		= { .type = NLA_NESTED },
   3869 	[NFTA_SET_ELEM_FLAGS]		= { .type = NLA_U32 },
   3870 	[NFTA_SET_ELEM_TIMEOUT]		= { .type = NLA_U64 },
   3871 	[NFTA_SET_ELEM_USERDATA]	= { .type = NLA_BINARY,
   3872 					    .len = NFT_USERDATA_MAXLEN },
   3873 	[NFTA_SET_ELEM_EXPR]		= { .type = NLA_NESTED },
   3874 	[NFTA_SET_ELEM_OBJREF]		= { .type = NLA_STRING },
   3875 };
   3876 
   3877 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
   3878 	[NFTA_SET_ELEM_LIST_TABLE]	= { .type = NLA_STRING,
   3879 					    .len = NFT_TABLE_MAXNAMELEN - 1 },
   3880 	[NFTA_SET_ELEM_LIST_SET]	= { .type = NLA_STRING,
   3881 					    .len = NFT_SET_MAXNAMELEN - 1 },
   3882 	[NFTA_SET_ELEM_LIST_ELEMENTS]	= { .type = NLA_NESTED },
   3883 	[NFTA_SET_ELEM_LIST_SET_ID]	= { .type = NLA_U32 },
   3884 };
   3885 
   3886 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
   3887 				      const struct sk_buff *skb,
   3888 				      const struct nlmsghdr *nlh,
   3889 				      const struct nlattr * const nla[],
   3890 				      struct netlink_ext_ack *extack,
   3891 				      u8 genmask)
   3892 {
   3893 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   3894 	int family = nfmsg->nfgen_family;
   3895 	struct nft_table *table;
   3896 
   3897 	table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
   3898 				 genmask);
   3899 	if (IS_ERR(table)) {
   3900 		NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
   3901 		return PTR_ERR(table);
   3902 	}
   3903 
   3904 	nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
   3905 	return 0;
   3906 }
   3907 
   3908 static int nf_tables_fill_setelem(struct sk_buff *skb,
   3909 				  const struct nft_set *set,
   3910 				  const struct nft_set_elem *elem)
   3911 {
   3912 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
   3913 	unsigned char *b = skb_tail_pointer(skb);
   3914 	struct nlattr *nest;
   3915 
   3916 	nest = nla_nest_start(skb, NFTA_LIST_ELEM);
   3917 	if (nest == NULL)
   3918 		goto nla_put_failure;
   3919 
   3920 	if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
   3921 			  NFT_DATA_VALUE, set->klen) < 0)
   3922 		goto nla_put_failure;
   3923 
   3924 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
   3925 	    nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
   3926 			  set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
   3927 			  set->dlen) < 0)
   3928 		goto nla_put_failure;
   3929 
   3930 	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
   3931 	    nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
   3932 		goto nla_put_failure;
   3933 
   3934 	if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
   3935 	    nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
   3936 			   (*nft_set_ext_obj(ext))->key.name) < 0)
   3937 		goto nla_put_failure;
   3938 
   3939 	if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
   3940 	    nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
   3941 		         htonl(*nft_set_ext_flags(ext))))
   3942 		goto nla_put_failure;
   3943 
   3944 	if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
   3945 	    nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
   3946 			 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
   3947 			 NFTA_SET_ELEM_PAD))
   3948 		goto nla_put_failure;
   3949 
   3950 	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
   3951 		u64 expires, now = get_jiffies_64();
   3952 
   3953 		expires = *nft_set_ext_expiration(ext);
   3954 		if (time_before64(now, expires))
   3955 			expires -= now;
   3956 		else
   3957 			expires = 0;
   3958 
   3959 		if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
   3960 				 nf_jiffies64_to_msecs(expires),
   3961 				 NFTA_SET_ELEM_PAD))
   3962 			goto nla_put_failure;
   3963 	}
   3964 
   3965 	if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
   3966 		struct nft_userdata *udata;
   3967 
   3968 		udata = nft_set_ext_userdata(ext);
   3969 		if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
   3970 			    udata->len + 1, udata->data))
   3971 			goto nla_put_failure;
   3972 	}
   3973 
   3974 	nla_nest_end(skb, nest);
   3975 	return 0;
   3976 
   3977 nla_put_failure:
   3978 	nlmsg_trim(skb, b);
   3979 	return -EMSGSIZE;
   3980 }
   3981 
   3982 struct nft_set_dump_args {
   3983 	const struct netlink_callback	*cb;
   3984 	struct nft_set_iter		iter;
   3985 	struct sk_buff			*skb;
   3986 };
   3987 
   3988 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
   3989 				  struct nft_set *set,
   3990 				  const struct nft_set_iter *iter,
   3991 				  struct nft_set_elem *elem)
   3992 {
   3993 	struct nft_set_dump_args *args;
   3994 
   3995 	args = container_of(iter, struct nft_set_dump_args, iter);
   3996 	return nf_tables_fill_setelem(args->skb, set, elem);
   3997 }
   3998 
   3999 struct nft_set_dump_ctx {
   4000 	const struct nft_set	*set;
   4001 	struct nft_ctx		ctx;
   4002 };
   4003 
   4004 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
   4005 {
   4006 	struct nft_set_dump_ctx *dump_ctx = cb->data;
   4007 	struct net *net = sock_net(skb->sk);
   4008 	struct nft_table *table;
   4009 	struct nft_set *set;
   4010 	struct nft_set_dump_args args;
   4011 	bool set_found = false;
   4012 	struct nfgenmsg *nfmsg;
   4013 	struct nlmsghdr *nlh;
   4014 	struct nlattr *nest;
   4015 	u32 portid, seq;
   4016 	int event;
   4017 
   4018 	rcu_read_lock();
   4019 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
   4020 		if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
   4021 		    dump_ctx->ctx.family != table->family)
   4022 			continue;
   4023 
   4024 		if (table != dump_ctx->ctx.table)
   4025 			continue;
   4026 
   4027 		list_for_each_entry_rcu(set, &table->sets, list) {
   4028 			if (set == dump_ctx->set) {
   4029 				set_found = true;
   4030 				break;
   4031 			}
   4032 		}
   4033 		break;
   4034 	}
   4035 
   4036 	if (!set_found) {
   4037 		rcu_read_unlock();
   4038 		return -ENOENT;
   4039 	}
   4040 
   4041 	event  = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
   4042 	portid = NETLINK_CB(cb->skb).portid;
   4043 	seq    = cb->nlh->nlmsg_seq;
   4044 
   4045 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
   4046 			NLM_F_MULTI);
   4047 	if (nlh == NULL)
   4048 		goto nla_put_failure;
   4049 
   4050 	nfmsg = nlmsg_data(nlh);
   4051 	nfmsg->nfgen_family = table->family;
   4052 	nfmsg->version      = NFNETLINK_V0;
   4053 	nfmsg->res_id	    = htons(net->nft.base_seq & 0xffff);
   4054 
   4055 	if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
   4056 		goto nla_put_failure;
   4057 	if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
   4058 		goto nla_put_failure;
   4059 
   4060 	nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
   4061 	if (nest == NULL)
   4062 		goto nla_put_failure;
   4063 
   4064 	args.cb			= cb;
   4065 	args.skb		= skb;
   4066 	args.iter.genmask	= nft_genmask_cur(net);
   4067 	args.iter.skip		= cb->args[0];
   4068 	args.iter.count		= 0;
   4069 	args.iter.err		= 0;
   4070 	args.iter.fn		= nf_tables_dump_setelem;
   4071 	set->ops->walk(&dump_ctx->ctx, set, &args.iter);
   4072 	rcu_read_unlock();
   4073 
   4074 	nla_nest_end(skb, nest);
   4075 	nlmsg_end(skb, nlh);
   4076 
   4077 	if (args.iter.err && args.iter.err != -EMSGSIZE)
   4078 		return args.iter.err;
   4079 	if (args.iter.count == cb->args[0])
   4080 		return 0;
   4081 
   4082 	cb->args[0] = args.iter.count;
   4083 	return skb->len;
   4084 
   4085 nla_put_failure:
   4086 	rcu_read_unlock();
   4087 	return -ENOSPC;
   4088 }
   4089 
   4090 static int nf_tables_dump_set_start(struct netlink_callback *cb)
   4091 {
   4092 	struct nft_set_dump_ctx *dump_ctx = cb->data;
   4093 
   4094 	cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
   4095 
   4096 	return cb->data ? 0 : -ENOMEM;
   4097 }
   4098 
   4099 static int nf_tables_dump_set_done(struct netlink_callback *cb)
   4100 {
   4101 	kfree(cb->data);
   4102 	return 0;
   4103 }
   4104 
   4105 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
   4106 				       const struct nft_ctx *ctx, u32 seq,
   4107 				       u32 portid, int event, u16 flags,
   4108 				       const struct nft_set *set,
   4109 				       const struct nft_set_elem *elem)
   4110 {
   4111 	struct nfgenmsg *nfmsg;
   4112 	struct nlmsghdr *nlh;
   4113 	struct nlattr *nest;
   4114 	int err;
   4115 
   4116 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
   4117 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
   4118 			flags);
   4119 	if (nlh == NULL)
   4120 		goto nla_put_failure;
   4121 
   4122 	nfmsg = nlmsg_data(nlh);
   4123 	nfmsg->nfgen_family	= ctx->family;
   4124 	nfmsg->version		= NFNETLINK_V0;
   4125 	nfmsg->res_id		= htons(ctx->net->nft.base_seq & 0xffff);
   4126 
   4127 	if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
   4128 		goto nla_put_failure;
   4129 	if (nla_put_string(skb, NFTA_SET_NAME, set->name))
   4130 		goto nla_put_failure;
   4131 
   4132 	nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
   4133 	if (nest == NULL)
   4134 		goto nla_put_failure;
   4135 
   4136 	err = nf_tables_fill_setelem(skb, set, elem);
   4137 	if (err < 0)
   4138 		goto nla_put_failure;
   4139 
   4140 	nla_nest_end(skb, nest);
   4141 
   4142 	nlmsg_end(skb, nlh);
   4143 	return 0;
   4144 
   4145 nla_put_failure:
   4146 	nlmsg_trim(skb, nlh);
   4147 	return -1;
   4148 }
   4149 
   4150 static int nft_setelem_parse_flags(const struct nft_set *set,
   4151 				   const struct nlattr *attr, u32 *flags)
   4152 {
   4153 	if (attr == NULL)
   4154 		return 0;
   4155 
   4156 	*flags = ntohl(nla_get_be32(attr));
   4157 	if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
   4158 		return -EINVAL;
   4159 	if (!(set->flags & NFT_SET_INTERVAL) &&
   4160 	    *flags & NFT_SET_ELEM_INTERVAL_END)
   4161 		return -EINVAL;
   4162 
   4163 	return 0;
   4164 }
   4165 
   4166 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
   4167 			    const struct nlattr *attr)
   4168 {
   4169 	struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
   4170 	struct nft_data_desc desc;
   4171 	struct nft_set_elem elem;
   4172 	struct sk_buff *skb;
   4173 	uint32_t flags = 0;
   4174 	void *priv;
   4175 	int err;
   4176 
   4177 	err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
   4178 			       nft_set_elem_policy, NULL);
   4179 	if (err < 0)
   4180 		return err;
   4181 
   4182 	if (!nla[NFTA_SET_ELEM_KEY])
   4183 		return -EINVAL;
   4184 
   4185 	err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
   4186 	if (err < 0)
   4187 		return err;
   4188 
   4189 	err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
   4190 			    nla[NFTA_SET_ELEM_KEY]);
   4191 	if (err < 0)
   4192 		return err;
   4193 
   4194 	err = -EINVAL;
   4195 	if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
   4196 		return err;
   4197 
   4198 	priv = set->ops->get(ctx->net, set, &elem, flags);
   4199 	if (IS_ERR(priv))
   4200 		return PTR_ERR(priv);
   4201 
   4202 	elem.priv = priv;
   4203 
   4204 	err = -ENOMEM;
   4205 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
   4206 	if (skb == NULL)
   4207 		goto err1;
   4208 
   4209 	err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
   4210 					  NFT_MSG_NEWSETELEM, 0, set, &elem);
   4211 	if (err < 0)
   4212 		goto err2;
   4213 
   4214 	err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
   4215 	/* This avoids a loop in nfnetlink. */
   4216 	if (err < 0)
   4217 		goto err1;
   4218 
   4219 	return 0;
   4220 err2:
   4221 	kfree_skb(skb);
   4222 err1:
   4223 	/* this avoids a loop in nfnetlink. */
   4224 	return err == -EAGAIN ? -ENOBUFS : err;
   4225 }
   4226 
   4227 /* called with rcu_read_lock held */
   4228 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
   4229 				struct sk_buff *skb, const struct nlmsghdr *nlh,
   4230 				const struct nlattr * const nla[],
   4231 				struct netlink_ext_ack *extack)
   4232 {
   4233 	u8 genmask = nft_genmask_cur(net);
   4234 	struct nft_set *set;
   4235 	struct nlattr *attr;
   4236 	struct nft_ctx ctx;
   4237 	int rem, err = 0;
   4238 
   4239 	err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
   4240 					 genmask);
   4241 	if (err < 0)
   4242 		return err;
   4243 
   4244 	set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
   4245 	if (IS_ERR(set))
   4246 		return PTR_ERR(set);
   4247 
   4248 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
   4249 		struct netlink_dump_control c = {
   4250 			.start = nf_tables_dump_set_start,
   4251 			.dump = nf_tables_dump_set,
   4252 			.done = nf_tables_dump_set_done,
   4253 			.module = THIS_MODULE,
   4254 		};
   4255 		struct nft_set_dump_ctx dump_ctx = {
   4256 			.set = set,
   4257 			.ctx = ctx,
   4258 		};
   4259 
   4260 		c.data = &dump_ctx;
   4261 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
   4262 	}
   4263 
   4264 	if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
   4265 		return -EINVAL;
   4266 
   4267 	nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
   4268 		err = nft_get_set_elem(&ctx, set, attr);
   4269 		if (err < 0)
   4270 			break;
   4271 	}
   4272 
   4273 	return err;
   4274 }
   4275 
   4276 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
   4277 				     const struct nft_set *set,
   4278 				     const struct nft_set_elem *elem,
   4279 				     int event, u16 flags)
   4280 {
   4281 	struct net *net = ctx->net;
   4282 	u32 portid = ctx->portid;
   4283 	struct sk_buff *skb;
   4284 	int err;
   4285 
   4286 	if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
   4287 		return;
   4288 
   4289 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
   4290 	if (skb == NULL)
   4291 		goto err;
   4292 
   4293 	err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
   4294 					  set, elem);
   4295 	if (err < 0) {
   4296 		kfree_skb(skb);
   4297 		goto err;
   4298 	}
   4299 
   4300 	nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
   4301 		       GFP_KERNEL);
   4302 	return;
   4303 err:
   4304 	nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
   4305 }
   4306 
   4307 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
   4308 					      int msg_type,
   4309 					      struct nft_set *set)
   4310 {
   4311 	struct nft_trans *trans;
   4312 
   4313 	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
   4314 	if (trans == NULL)
   4315 		return NULL;
   4316 
   4317 	nft_trans_elem_set(trans) = set;
   4318 	return trans;
   4319 }
   4320 
   4321 void *nft_set_elem_init(const struct nft_set *set,
   4322 			const struct nft_set_ext_tmpl *tmpl,
   4323 			const u32 *key, const u32 *data,
   4324 			u64 timeout, gfp_t gfp)
   4325 {
   4326 	struct nft_set_ext *ext;
   4327 	void *elem;
   4328 
   4329 	elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
   4330 	if (elem == NULL)
   4331 		return NULL;
   4332 
   4333 	ext = nft_set_elem_ext(set, elem);
   4334 	nft_set_ext_init(ext, tmpl);
   4335 
   4336 	memcpy(nft_set_ext_key(ext), key, set->klen);
   4337 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
   4338 		memcpy(nft_set_ext_data(ext), data, set->dlen);
   4339 	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
   4340 		*nft_set_ext_expiration(ext) =
   4341 			get_jiffies_64() + timeout;
   4342 	if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
   4343 		*nft_set_ext_timeout(ext) = timeout;
   4344 
   4345 	return elem;
   4346 }
   4347 
   4348 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
   4349 			  bool destroy_expr)
   4350 {
   4351 	struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
   4352 	struct nft_ctx ctx = {
   4353 		.net	= read_pnet(&set->net),
   4354 		.family	= set->table->family,
   4355 	};
   4356 
   4357 	nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
   4358 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
   4359 		nft_data_release(nft_set_ext_data(ext), set->dtype);
   4360 	if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
   4361 		struct nft_expr *expr = nft_set_ext_expr(ext);
   4362 
   4363 		if (expr->ops->destroy_clone) {
   4364 			expr->ops->destroy_clone(&ctx, expr);
   4365 			module_put(expr->ops->type->owner);
   4366 		} else {
   4367 			nf_tables_expr_destroy(&ctx, expr);
   4368 		}
   4369 	}
   4370 	if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
   4371 		(*nft_set_ext_obj(ext))->use--;
   4372 	kfree(elem);
   4373 }
   4374 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
   4375 
   4376 /* Only called from commit path, nft_set_elem_deactivate() already deals with
   4377  * the refcounting from the preparation phase.
   4378  */
   4379 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
   4380 				       const struct nft_set *set, void *elem)
   4381 {
   4382 	struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
   4383 
   4384 	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
   4385 		nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
   4386 	kfree(elem);
   4387 }
   4388 
   4389 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
   4390 			    const struct nlattr *attr, u32 nlmsg_flags)
   4391 {
   4392 	struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
   4393 	u8 genmask = nft_genmask_next(ctx->net);
   4394 	struct nft_data_desc d1, d2;
   4395 	struct nft_set_ext_tmpl tmpl;
   4396 	struct nft_set_ext *ext, *ext2;
   4397 	struct nft_set_elem elem;
   4398 	struct nft_set_binding *binding;
   4399 	struct nft_object *obj = NULL;
   4400 	struct nft_userdata *udata;
   4401 	struct nft_data data;
   4402 	enum nft_registers dreg;
   4403 	struct nft_trans *trans;
   4404 	u32 flags = 0;
   4405 	u64 timeout;
   4406 	u8 ulen;
   4407 	int err;
   4408 
   4409 	err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
   4410 			       nft_set_elem_policy, NULL);
   4411 	if (err < 0)
   4412 		return err;
   4413 
   4414 	if (nla[NFTA_SET_ELEM_KEY] == NULL)
   4415 		return -EINVAL;
   4416 
   4417 	nft_set_ext_prepare(&tmpl);
   4418 
   4419 	err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
   4420 	if (err < 0)
   4421 		return err;
   4422 	if (flags != 0)
   4423 		nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
   4424 
   4425 	if (set->flags & NFT_SET_MAP) {
   4426 		if (nla[NFTA_SET_ELEM_DATA] == NULL &&
   4427 		    !(flags & NFT_SET_ELEM_INTERVAL_END))
   4428 			return -EINVAL;
   4429 		if (nla[NFTA_SET_ELEM_DATA] != NULL &&
   4430 		    flags & NFT_SET_ELEM_INTERVAL_END)
   4431 			return -EINVAL;
   4432 	} else {
   4433 		if (nla[NFTA_SET_ELEM_DATA] != NULL)
   4434 			return -EINVAL;
   4435 	}
   4436 
   4437 	timeout = 0;
   4438 	if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
   4439 		if (!(set->flags & NFT_SET_TIMEOUT))
   4440 			return -EINVAL;
   4441 		err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
   4442 					    &timeout);
   4443 		if (err)
   4444 			return err;
   4445 	} else if (set->flags & NFT_SET_TIMEOUT) {
   4446 		timeout = set->timeout;
   4447 	}
   4448 
   4449 	err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
   4450 			    nla[NFTA_SET_ELEM_KEY]);
   4451 	if (err < 0)
   4452 		goto err1;
   4453 	err = -EINVAL;
   4454 	if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
   4455 		goto err2;
   4456 
   4457 	nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
   4458 	if (timeout > 0) {
   4459 		nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
   4460 		if (timeout != set->timeout)
   4461 			nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
   4462 	}
   4463 
   4464 	if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
   4465 		if (!(set->flags & NFT_SET_OBJECT)) {
   4466 			err = -EINVAL;
   4467 			goto err2;
   4468 		}
   4469 		obj = nft_obj_lookup(ctx->net, ctx->table,
   4470 				     nla[NFTA_SET_ELEM_OBJREF],
   4471 				     set->objtype, genmask);
   4472 		if (IS_ERR(obj)) {
   4473 			err = PTR_ERR(obj);
   4474 			goto err2;
   4475 		}
   4476 		nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
   4477 	}
   4478 
   4479 	if (nla[NFTA_SET_ELEM_DATA] != NULL) {
   4480 		err = nft_data_init(ctx, &data, sizeof(data), &d2,
   4481 				    nla[NFTA_SET_ELEM_DATA]);
   4482 		if (err < 0)
   4483 			goto err2;
   4484 
   4485 		err = -EINVAL;
   4486 		if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
   4487 			goto err3;
   4488 
   4489 		dreg = nft_type_to_reg(set->dtype);
   4490 		list_for_each_entry(binding, &set->bindings, list) {
   4491 			struct nft_ctx bind_ctx = {
   4492 				.net	= ctx->net,
   4493 				.family	= ctx->family,
   4494 				.table	= ctx->table,
   4495 				.chain	= (struct nft_chain *)binding->chain,
   4496 			};
   4497 
   4498 			if (!(binding->flags & NFT_SET_MAP))
   4499 				continue;
   4500 
   4501 			err = nft_validate_register_store(&bind_ctx, dreg,
   4502 							  &data,
   4503 							  d2.type, d2.len);
   4504 			if (err < 0)
   4505 				goto err3;
   4506 
   4507 			if (d2.type == NFT_DATA_VERDICT &&
   4508 			    (data.verdict.code == NFT_GOTO ||
   4509 			     data.verdict.code == NFT_JUMP))
   4510 				nft_validate_state_update(ctx->net,
   4511 							  NFT_VALIDATE_NEED);
   4512 		}
   4513 
   4514 		nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
   4515 	}
   4516 
   4517 	/* The full maximum length of userdata can exceed the maximum
   4518 	 * offset value (U8_MAX) for following extensions, therefor it
   4519 	 * must be the last extension added.
   4520 	 */
   4521 	ulen = 0;
   4522 	if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
   4523 		ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
   4524 		if (ulen > 0)
   4525 			nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
   4526 					       ulen);
   4527 	}
   4528 
   4529 	err = -ENOMEM;
   4530 	elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
   4531 				      timeout, GFP_KERNEL);
   4532 	if (elem.priv == NULL)
   4533 		goto err3;
   4534 
   4535 	ext = nft_set_elem_ext(set, elem.priv);
   4536 	if (flags)
   4537 		*nft_set_ext_flags(ext) = flags;
   4538 	if (ulen > 0) {
   4539 		udata = nft_set_ext_userdata(ext);
   4540 		udata->len = ulen - 1;
   4541 		nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
   4542 	}
   4543 	if (obj) {
   4544 		*nft_set_ext_obj(ext) = obj;
   4545 		obj->use++;
   4546 	}
   4547 
   4548 	trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
   4549 	if (trans == NULL)
   4550 		goto err4;
   4551 
   4552 	ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
   4553 	err = set->ops->insert(ctx->net, set, &elem, &ext2);
   4554 	if (err) {
   4555 		if (err == -EEXIST) {
   4556 			if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
   4557 			    nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
   4558 			    nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
   4559 			    nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
   4560 				err = -EBUSY;
   4561 				goto err5;
   4562 			}
   4563 			if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
   4564 			     nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
   4565 			     memcmp(nft_set_ext_data(ext),
   4566 				    nft_set_ext_data(ext2), set->dlen) != 0) ||
   4567 			    (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
   4568 			     nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
   4569 			     *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
   4570 				err = -EBUSY;
   4571 			else if (!(nlmsg_flags & NLM_F_EXCL))
   4572 				err = 0;
   4573 		}
   4574 		goto err5;
   4575 	}
   4576 
   4577 	if (set->size &&
   4578 	    !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
   4579 		err = -ENFILE;
   4580 		goto err6;
   4581 	}
   4582 
   4583 	nft_trans_elem(trans) = elem;
   4584 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
   4585 	return 0;
   4586 
   4587 err6:
   4588 	set->ops->remove(ctx->net, set, &elem);
   4589 err5:
   4590 	kfree(trans);
   4591 err4:
   4592 	if (obj)
   4593 		obj->use--;
   4594 	kfree(elem.priv);
   4595 err3:
   4596 	if (nla[NFTA_SET_ELEM_DATA] != NULL)
   4597 		nft_data_release(&data, d2.type);
   4598 err2:
   4599 	nft_data_release(&elem.key.val, d1.type);
   4600 err1:
   4601 	return err;
   4602 }
   4603 
   4604 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
   4605 				struct sk_buff *skb, const struct nlmsghdr *nlh,
   4606 				const struct nlattr * const nla[],
   4607 				struct netlink_ext_ack *extack)
   4608 {
   4609 	u8 genmask = nft_genmask_next(net);
   4610 	const struct nlattr *attr;
   4611 	struct nft_set *set;
   4612 	struct nft_ctx ctx;
   4613 	int rem, err;
   4614 
   4615 	if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
   4616 		return -EINVAL;
   4617 
   4618 	err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
   4619 					 genmask);
   4620 	if (err < 0)
   4621 		return err;
   4622 
   4623 	set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
   4624 				    nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
   4625 	if (IS_ERR(set))
   4626 		return PTR_ERR(set);
   4627 
   4628 	if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
   4629 		return -EBUSY;
   4630 
   4631 	nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
   4632 		err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
   4633 		if (err < 0)
   4634 			return err;
   4635 	}
   4636 
   4637 	if (net->nft.validate_state == NFT_VALIDATE_DO)
   4638 		return nft_table_validate(net, ctx.table);
   4639 
   4640 	return 0;
   4641 }
   4642 
   4643 /**
   4644  *	nft_data_hold - hold a nft_data item
   4645  *
   4646  *	@data: struct nft_data to release
   4647  *	@type: type of data
   4648  *
   4649  *	Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
   4650  *	NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
   4651  *	NFT_GOTO verdicts. This function must be called on active data objects
   4652  *	from the second phase of the commit protocol.
   4653  */
   4654 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
   4655 {
   4656 	if (type == NFT_DATA_VERDICT) {
   4657 		switch (data->verdict.code) {
   4658 		case NFT_JUMP:
   4659 		case NFT_GOTO:
   4660 			data->verdict.chain->use++;
   4661 			break;
   4662 		}
   4663 	}
   4664 }
   4665 
   4666 static void nft_set_elem_activate(const struct net *net,
   4667 				  const struct nft_set *set,
   4668 				  struct nft_set_elem *elem)
   4669 {
   4670 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
   4671 
   4672 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
   4673 		nft_data_hold(nft_set_ext_data(ext), set->dtype);
   4674 	if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
   4675 		(*nft_set_ext_obj(ext))->use++;
   4676 }
   4677 
   4678 static void nft_set_elem_deactivate(const struct net *net,
   4679 				    const struct nft_set *set,
   4680 				    struct nft_set_elem *elem)
   4681 {
   4682 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
   4683 
   4684 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
   4685 		nft_data_release(nft_set_ext_data(ext), set->dtype);
   4686 	if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
   4687 		(*nft_set_ext_obj(ext))->use--;
   4688 }
   4689 
   4690 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
   4691 			   const struct nlattr *attr)
   4692 {
   4693 	struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
   4694 	struct nft_set_ext_tmpl tmpl;
   4695 	struct nft_data_desc desc;
   4696 	struct nft_set_elem elem;
   4697 	struct nft_set_ext *ext;
   4698 	struct nft_trans *trans;
   4699 	u32 flags = 0;
   4700 	void *priv;
   4701 	int err;
   4702 
   4703 	err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
   4704 			       nft_set_elem_policy, NULL);
   4705 	if (err < 0)
   4706 		goto err1;
   4707 
   4708 	err = -EINVAL;
   4709 	if (nla[NFTA_SET_ELEM_KEY] == NULL)
   4710 		goto err1;
   4711 
   4712 	nft_set_ext_prepare(&tmpl);
   4713 
   4714 	err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
   4715 	if (err < 0)
   4716 		return err;
   4717 	if (flags != 0)
   4718 		nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
   4719 
   4720 	err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
   4721 			    nla[NFTA_SET_ELEM_KEY]);
   4722 	if (err < 0)
   4723 		goto err1;
   4724 
   4725 	err = -EINVAL;
   4726 	if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
   4727 		goto err2;
   4728 
   4729 	nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
   4730 
   4731 	err = -ENOMEM;
   4732 	elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
   4733 				      GFP_KERNEL);
   4734 	if (elem.priv == NULL)
   4735 		goto err2;
   4736 
   4737 	ext = nft_set_elem_ext(set, elem.priv);
   4738 	if (flags)
   4739 		*nft_set_ext_flags(ext) = flags;
   4740 
   4741 	trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
   4742 	if (trans == NULL) {
   4743 		err = -ENOMEM;
   4744 		goto err3;
   4745 	}
   4746 
   4747 	priv = set->ops->deactivate(ctx->net, set, &elem);
   4748 	if (priv == NULL) {
   4749 		err = -ENOENT;
   4750 		goto err4;
   4751 	}
   4752 	kfree(elem.priv);
   4753 	elem.priv = priv;
   4754 
   4755 	nft_set_elem_deactivate(ctx->net, set, &elem);
   4756 
   4757 	nft_trans_elem(trans) = elem;
   4758 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
   4759 	return 0;
   4760 
   4761 err4:
   4762 	kfree(trans);
   4763 err3:
   4764 	kfree(elem.priv);
   4765 err2:
   4766 	nft_data_release(&elem.key.val, desc.type);
   4767 err1:
   4768 	return err;
   4769 }
   4770 
   4771 static int nft_flush_set(const struct nft_ctx *ctx,
   4772 			 struct nft_set *set,
   4773 			 const struct nft_set_iter *iter,
   4774 			 struct nft_set_elem *elem)
   4775 {
   4776 	struct nft_trans *trans;
   4777 	int err;
   4778 
   4779 	trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
   4780 				    sizeof(struct nft_trans_elem), GFP_ATOMIC);
   4781 	if (!trans)
   4782 		return -ENOMEM;
   4783 
   4784 	if (!set->ops->flush(ctx->net, set, elem->priv)) {
   4785 		err = -ENOENT;
   4786 		goto err1;
   4787 	}
   4788 	set->ndeact++;
   4789 
   4790 	nft_set_elem_deactivate(ctx->net, set, elem);
   4791 	nft_trans_elem_set(trans) = set;
   4792 	nft_trans_elem(trans) = *elem;
   4793 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
   4794 
   4795 	return 0;
   4796 err1:
   4797 	kfree(trans);
   4798 	return err;
   4799 }
   4800 
   4801 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
   4802 				struct sk_buff *skb, const struct nlmsghdr *nlh,
   4803 				const struct nlattr * const nla[],
   4804 				struct netlink_ext_ack *extack)
   4805 {
   4806 	u8 genmask = nft_genmask_next(net);
   4807 	const struct nlattr *attr;
   4808 	struct nft_set *set;
   4809 	struct nft_ctx ctx;
   4810 	int rem, err = 0;
   4811 
   4812 	err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
   4813 					 genmask);
   4814 	if (err < 0)
   4815 		return err;
   4816 
   4817 	set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
   4818 	if (IS_ERR(set))
   4819 		return PTR_ERR(set);
   4820 	if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
   4821 		return -EBUSY;
   4822 
   4823 	if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
   4824 		struct nft_set_iter iter = {
   4825 			.genmask	= genmask,
   4826 			.fn		= nft_flush_set,
   4827 		};
   4828 		set->ops->walk(&ctx, set, &iter);
   4829 
   4830 		return iter.err;
   4831 	}
   4832 
   4833 	nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
   4834 		err = nft_del_setelem(&ctx, set, attr);
   4835 		if (err < 0)
   4836 			break;
   4837 
   4838 		set->ndeact++;
   4839 	}
   4840 	return err;
   4841 }
   4842 
   4843 void nft_set_gc_batch_release(struct rcu_head *rcu)
   4844 {
   4845 	struct nft_set_gc_batch *gcb;
   4846 	unsigned int i;
   4847 
   4848 	gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
   4849 	for (i = 0; i < gcb->head.cnt; i++)
   4850 		nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
   4851 	kfree(gcb);
   4852 }
   4853 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
   4854 
   4855 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
   4856 						gfp_t gfp)
   4857 {
   4858 	struct nft_set_gc_batch *gcb;
   4859 
   4860 	gcb = kzalloc(sizeof(*gcb), gfp);
   4861 	if (gcb == NULL)
   4862 		return gcb;
   4863 	gcb->head.set = set;
   4864 	return gcb;
   4865 }
   4866 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
   4867 
   4868 /*
   4869  * Stateful objects
   4870  */
   4871 
   4872 /**
   4873  *	nft_register_obj- register nf_tables stateful object type
   4874  *	@obj: object type
   4875  *
   4876  *	Registers the object type for use with nf_tables. Returns zero on
   4877  *	success or a negative errno code otherwise.
   4878  */
   4879 int nft_register_obj(struct nft_object_type *obj_type)
   4880 {
   4881 	if (obj_type->type == NFT_OBJECT_UNSPEC)
   4882 		return -EINVAL;
   4883 
   4884 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
   4885 	list_add_rcu(&obj_type->list, &nf_tables_objects);
   4886 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
   4887 	return 0;
   4888 }
   4889 EXPORT_SYMBOL_GPL(nft_register_obj);
   4890 
   4891 /**
   4892  *	nft_unregister_obj - unregister nf_tables object type
   4893  *	@obj: object type
   4894  *
   4895  * 	Unregisters the object type for use with nf_tables.
   4896  */
   4897 void nft_unregister_obj(struct nft_object_type *obj_type)
   4898 {
   4899 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
   4900 	list_del_rcu(&obj_type->list);
   4901 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
   4902 }
   4903 EXPORT_SYMBOL_GPL(nft_unregister_obj);
   4904 
   4905 struct nft_object *nft_obj_lookup(const struct net *net,
   4906 				  const struct nft_table *table,
   4907 				  const struct nlattr *nla, u32 objtype,
   4908 				  u8 genmask)
   4909 {
   4910 	struct nft_object_hash_key k = { .table = table };
   4911 	char search[NFT_OBJ_MAXNAMELEN];
   4912 	struct rhlist_head *tmp, *list;
   4913 	struct nft_object *obj;
   4914 
   4915 	nla_strlcpy(search, nla, sizeof(search));
   4916 	k.name = search;
   4917 
   4918 	WARN_ON_ONCE(!rcu_read_lock_held() &&
   4919 		     !lockdep_commit_lock_is_held(net));
   4920 
   4921 	rcu_read_lock();
   4922 	list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
   4923 	if (!list)
   4924 		goto out;
   4925 
   4926 	rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
   4927 		if (objtype == obj->ops->type->type &&
   4928 		    nft_active_genmask(obj, genmask)) {
   4929 			rcu_read_unlock();
   4930 			return obj;
   4931 		}
   4932 	}
   4933 out:
   4934 	rcu_read_unlock();
   4935 	return ERR_PTR(-ENOENT);
   4936 }
   4937 EXPORT_SYMBOL_GPL(nft_obj_lookup);
   4938 
   4939 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
   4940 						  const struct nlattr *nla,
   4941 						  u32 objtype, u8 genmask)
   4942 {
   4943 	struct nft_object *obj;
   4944 
   4945 	list_for_each_entry(obj, &table->objects, list) {
   4946 		if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
   4947 		    objtype == obj->ops->type->type &&
   4948 		    nft_active_genmask(obj, genmask))
   4949 			return obj;
   4950 	}
   4951 	return ERR_PTR(-ENOENT);
   4952 }
   4953 
   4954 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
   4955 	[NFTA_OBJ_TABLE]	= { .type = NLA_STRING,
   4956 				    .len = NFT_TABLE_MAXNAMELEN - 1 },
   4957 	[NFTA_OBJ_NAME]		= { .type = NLA_STRING,
   4958 				    .len = NFT_OBJ_MAXNAMELEN - 1 },
   4959 	[NFTA_OBJ_TYPE]		= { .type = NLA_U32 },
   4960 	[NFTA_OBJ_DATA]		= { .type = NLA_NESTED },
   4961 	[NFTA_OBJ_HANDLE]	= { .type = NLA_U64},
   4962 };
   4963 
   4964 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
   4965 				       const struct nft_object_type *type,
   4966 				       const struct nlattr *attr)
   4967 {
   4968 	struct nlattr **tb;
   4969 	const struct nft_object_ops *ops;
   4970 	struct nft_object *obj;
   4971 	int err = -ENOMEM;
   4972 
   4973 	tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
   4974 	if (!tb)
   4975 		goto err1;
   4976 
   4977 	if (attr) {
   4978 		err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
   4979 				       NULL);
   4980 		if (err < 0)
   4981 			goto err2;
   4982 	} else {
   4983 		memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
   4984 	}
   4985 
   4986 	if (type->select_ops) {
   4987 		ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
   4988 		if (IS_ERR(ops)) {
   4989 			err = PTR_ERR(ops);
   4990 			goto err2;
   4991 		}
   4992 	} else {
   4993 		ops = type->ops;
   4994 	}
   4995 
   4996 	err = -ENOMEM;
   4997 	obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
   4998 	if (!obj)
   4999 		goto err2;
   5000 
   5001 	err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
   5002 	if (err < 0)
   5003 		goto err3;
   5004 
   5005 	obj->ops = ops;
   5006 
   5007 	kfree(tb);
   5008 	return obj;
   5009 err3:
   5010 	kfree(obj);
   5011 err2:
   5012 	kfree(tb);
   5013 err1:
   5014 	return ERR_PTR(err);
   5015 }
   5016 
   5017 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
   5018 			   struct nft_object *obj, bool reset)
   5019 {
   5020 	struct nlattr *nest;
   5021 
   5022 	nest = nla_nest_start(skb, attr);
   5023 	if (!nest)
   5024 		goto nla_put_failure;
   5025 	if (obj->ops->dump(skb, obj, reset) < 0)
   5026 		goto nla_put_failure;
   5027 	nla_nest_end(skb, nest);
   5028 	return 0;
   5029 
   5030 nla_put_failure:
   5031 	return -1;
   5032 }
   5033 
   5034 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
   5035 {
   5036 	const struct nft_object_type *type;
   5037 
   5038 	list_for_each_entry(type, &nf_tables_objects, list) {
   5039 		if (objtype == type->type)
   5040 			return type;
   5041 	}
   5042 	return NULL;
   5043 }
   5044 
   5045 static const struct nft_object_type *
   5046 nft_obj_type_get(struct net *net, u32 objtype)
   5047 {
   5048 	const struct nft_object_type *type;
   5049 
   5050 	type = __nft_obj_type_get(objtype);
   5051 	if (type != NULL && try_module_get(type->owner))
   5052 		return type;
   5053 
   5054 	lockdep_nfnl_nft_mutex_not_held();
   5055 #ifdef CONFIG_MODULES
   5056 	if (type == NULL) {
   5057 		nft_request_module(net, "nft-obj-%u", objtype);
   5058 		if (__nft_obj_type_get(objtype))
   5059 			return ERR_PTR(-EAGAIN);
   5060 	}
   5061 #endif
   5062 	return ERR_PTR(-ENOENT);
   5063 }
   5064 
   5065 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
   5066 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
   5067 			    const struct nlattr * const nla[],
   5068 			    struct netlink_ext_ack *extack)
   5069 {
   5070 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   5071 	const struct nft_object_type *type;
   5072 	u8 genmask = nft_genmask_next(net);
   5073 	int family = nfmsg->nfgen_family;
   5074 	struct nft_table *table;
   5075 	struct nft_object *obj;
   5076 	struct nft_ctx ctx;
   5077 	u32 objtype;
   5078 	int err;
   5079 
   5080 	if (!nla[NFTA_OBJ_TYPE] ||
   5081 	    !nla[NFTA_OBJ_NAME] ||
   5082 	    !nla[NFTA_OBJ_DATA])
   5083 		return -EINVAL;
   5084 
   5085 	table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
   5086 	if (IS_ERR(table)) {
   5087 		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
   5088 		return PTR_ERR(table);
   5089 	}
   5090 
   5091 	objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
   5092 	obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
   5093 	if (IS_ERR(obj)) {
   5094 		err = PTR_ERR(obj);
   5095 		if (err != -ENOENT) {
   5096 			NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
   5097 			return err;
   5098 		}
   5099 	} else {
   5100 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
   5101 			NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
   5102 			return -EEXIST;
   5103 		}
   5104 		return 0;
   5105 	}
   5106 
   5107 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
   5108 
   5109 	type = nft_obj_type_get(net, objtype);
   5110 	if (IS_ERR(type))
   5111 		return PTR_ERR(type);
   5112 
   5113 	obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
   5114 	if (IS_ERR(obj)) {
   5115 		err = PTR_ERR(obj);
   5116 		goto err1;
   5117 	}
   5118 	obj->key.table = table;
   5119 	obj->handle = nf_tables_alloc_handle(table);
   5120 
   5121 	obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
   5122 	if (!obj->key.name) {
   5123 		err = -ENOMEM;
   5124 		goto err2;
   5125 	}
   5126 
   5127 	err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
   5128 	if (err < 0)
   5129 		goto err3;
   5130 
   5131 	err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
   5132 			      nft_objname_ht_params);
   5133 	if (err < 0)
   5134 		goto err4;
   5135 
   5136 	list_add_tail_rcu(&obj->list, &table->objects);
   5137 	table->use++;
   5138 	return 0;
   5139 err4:
   5140 	/* queued in transaction log */
   5141 	INIT_LIST_HEAD(&obj->list);
   5142 	return err;
   5143 err3:
   5144 	kfree(obj->key.name);
   5145 err2:
   5146 	if (obj->ops->destroy)
   5147 		obj->ops->destroy(&ctx, obj);
   5148 	kfree(obj);
   5149 err1:
   5150 	module_put(type->owner);
   5151 	return err;
   5152 }
   5153 
   5154 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
   5155 				   u32 portid, u32 seq, int event, u32 flags,
   5156 				   int family, const struct nft_table *table,
   5157 				   struct nft_object *obj, bool reset)
   5158 {
   5159 	struct nfgenmsg *nfmsg;
   5160 	struct nlmsghdr *nlh;
   5161 
   5162 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
   5163 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
   5164 	if (nlh == NULL)
   5165 		goto nla_put_failure;
   5166 
   5167 	nfmsg = nlmsg_data(nlh);
   5168 	nfmsg->nfgen_family	= family;
   5169 	nfmsg->version		= NFNETLINK_V0;
   5170 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
   5171 
   5172 	if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
   5173 	    nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
   5174 	    nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
   5175 	    nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
   5176 	    nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
   5177 	    nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
   5178 			 NFTA_OBJ_PAD))
   5179 		goto nla_put_failure;
   5180 
   5181 	nlmsg_end(skb, nlh);
   5182 	return 0;
   5183 
   5184 nla_put_failure:
   5185 	nlmsg_trim(skb, nlh);
   5186 	return -1;
   5187 }
   5188 
   5189 struct nft_obj_filter {
   5190 	char		*table;
   5191 	u32		type;
   5192 };
   5193 
   5194 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
   5195 {
   5196 	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
   5197 	const struct nft_table *table;
   5198 	unsigned int idx = 0, s_idx = cb->args[0];
   5199 	struct nft_obj_filter *filter = cb->data;
   5200 	struct net *net = sock_net(skb->sk);
   5201 	int family = nfmsg->nfgen_family;
   5202 	struct nft_object *obj;
   5203 	bool reset = false;
   5204 
   5205 	if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
   5206 		reset = true;
   5207 
   5208 	rcu_read_lock();
   5209 	cb->seq = net->nft.base_seq;
   5210 
   5211 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
   5212 		if (family != NFPROTO_UNSPEC && family != table->family)
   5213 			continue;
   5214 
   5215 		list_for_each_entry_rcu(obj, &table->objects, list) {
   5216 			if (!nft_is_active(net, obj))
   5217 				goto cont;
   5218 			if (idx < s_idx)
   5219 				goto cont;
   5220 			if (idx > s_idx)
   5221 				memset(&cb->args[1], 0,
   5222 				       sizeof(cb->args) - sizeof(cb->args[0]));
   5223 			if (filter && filter->table &&
   5224 			    strcmp(filter->table, table->name))
   5225 				goto cont;
   5226 			if (filter &&
   5227 			    filter->type != NFT_OBJECT_UNSPEC &&
   5228 			    obj->ops->type->type != filter->type)
   5229 				goto cont;
   5230 
   5231 			if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
   5232 						    cb->nlh->nlmsg_seq,
   5233 						    NFT_MSG_NEWOBJ,
   5234 						    NLM_F_MULTI | NLM_F_APPEND,
   5235 						    table->family, table,
   5236 						    obj, reset) < 0)
   5237 				goto done;
   5238 
   5239 			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
   5240 cont:
   5241 			idx++;
   5242 		}
   5243 	}
   5244 done:
   5245 	rcu_read_unlock();
   5246 
   5247 	cb->args[0] = idx;
   5248 	return skb->len;
   5249 }
   5250 
   5251 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
   5252 {
   5253 	const struct nlattr * const *nla = cb->data;
   5254 	struct nft_obj_filter *filter = NULL;
   5255 
   5256 	if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
   5257 		filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
   5258 		if (!filter)
   5259 			return -ENOMEM;
   5260 
   5261 		if (nla[NFTA_OBJ_TABLE]) {
   5262 			filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
   5263 			if (!filter->table) {
   5264 				kfree(filter);
   5265 				return -ENOMEM;
   5266 			}
   5267 		}
   5268 
   5269 		if (nla[NFTA_OBJ_TYPE])
   5270 			filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
   5271 	}
   5272 
   5273 	cb->data = filter;
   5274 	return 0;
   5275 }
   5276 
   5277 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
   5278 {
   5279 	struct nft_obj_filter *filter = cb->data;
   5280 
   5281 	if (filter) {
   5282 		kfree(filter->table);
   5283 		kfree(filter);
   5284 	}
   5285 
   5286 	return 0;
   5287 }
   5288 
   5289 /* called with rcu_read_lock held */
   5290 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
   5291 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
   5292 			    const struct nlattr * const nla[],
   5293 			    struct netlink_ext_ack *extack)
   5294 {
   5295 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   5296 	u8 genmask = nft_genmask_cur(net);
   5297 	int family = nfmsg->nfgen_family;
   5298 	const struct nft_table *table;
   5299 	struct nft_object *obj;
   5300 	struct sk_buff *skb2;
   5301 	bool reset = false;
   5302 	u32 objtype;
   5303 	int err;
   5304 
   5305 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
   5306 		struct netlink_dump_control c = {
   5307 			.start = nf_tables_dump_obj_start,
   5308 			.dump = nf_tables_dump_obj,
   5309 			.done = nf_tables_dump_obj_done,
   5310 			.module = THIS_MODULE,
   5311 			.data = (void *)nla,
   5312 		};
   5313 
   5314 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
   5315 	}
   5316 
   5317 	if (!nla[NFTA_OBJ_NAME] ||
   5318 	    !nla[NFTA_OBJ_TYPE])
   5319 		return -EINVAL;
   5320 
   5321 	table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
   5322 	if (IS_ERR(table)) {
   5323 		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
   5324 		return PTR_ERR(table);
   5325 	}
   5326 
   5327 	objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
   5328 	obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
   5329 	if (IS_ERR(obj)) {
   5330 		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
   5331 		return PTR_ERR(obj);
   5332 	}
   5333 
   5334 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
   5335 	if (!skb2)
   5336 		return -ENOMEM;
   5337 
   5338 	if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
   5339 		reset = true;
   5340 
   5341 	err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
   5342 				      nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
   5343 				      family, table, obj, reset);
   5344 	if (err < 0)
   5345 		goto err;
   5346 
   5347 	return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
   5348 err:
   5349 	kfree_skb(skb2);
   5350 	return err;
   5351 }
   5352 
   5353 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
   5354 {
   5355 	if (obj->ops->destroy)
   5356 		obj->ops->destroy(ctx, obj);
   5357 
   5358 	module_put(obj->ops->type->owner);
   5359 	kfree(obj->key.name);
   5360 	kfree(obj);
   5361 }
   5362 
   5363 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
   5364 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
   5365 			    const struct nlattr * const nla[],
   5366 			    struct netlink_ext_ack *extack)
   5367 {
   5368 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   5369 	u8 genmask = nft_genmask_next(net);
   5370 	int family = nfmsg->nfgen_family;
   5371 	const struct nlattr *attr;
   5372 	struct nft_table *table;
   5373 	struct nft_object *obj;
   5374 	struct nft_ctx ctx;
   5375 	u32 objtype;
   5376 
   5377 	if (!nla[NFTA_OBJ_TYPE] ||
   5378 	    (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
   5379 		return -EINVAL;
   5380 
   5381 	table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
   5382 	if (IS_ERR(table)) {
   5383 		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
   5384 		return PTR_ERR(table);
   5385 	}
   5386 
   5387 	objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
   5388 	if (nla[NFTA_OBJ_HANDLE]) {
   5389 		attr = nla[NFTA_OBJ_HANDLE];
   5390 		obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
   5391 	} else {
   5392 		attr = nla[NFTA_OBJ_NAME];
   5393 		obj = nft_obj_lookup(net, table, attr, objtype, genmask);
   5394 	}
   5395 
   5396 	if (IS_ERR(obj)) {
   5397 		NL_SET_BAD_ATTR(extack, attr);
   5398 		return PTR_ERR(obj);
   5399 	}
   5400 	if (obj->use > 0) {
   5401 		NL_SET_BAD_ATTR(extack, attr);
   5402 		return -EBUSY;
   5403 	}
   5404 
   5405 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
   5406 
   5407 	return nft_delobj(&ctx, obj);
   5408 }
   5409 
   5410 void nft_obj_notify(struct net *net, const struct nft_table *table,
   5411 		    struct nft_object *obj, u32 portid, u32 seq, int event,
   5412 		    int family, int report, gfp_t gfp)
   5413 {
   5414 	struct sk_buff *skb;
   5415 	int err;
   5416 
   5417 	if (!report &&
   5418 	    !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
   5419 		return;
   5420 
   5421 	skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
   5422 	if (skb == NULL)
   5423 		goto err;
   5424 
   5425 	err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
   5426 				      table, obj, false);
   5427 	if (err < 0) {
   5428 		kfree_skb(skb);
   5429 		goto err;
   5430 	}
   5431 
   5432 	nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
   5433 	return;
   5434 err:
   5435 	nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
   5436 }
   5437 EXPORT_SYMBOL_GPL(nft_obj_notify);
   5438 
   5439 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
   5440 				 struct nft_object *obj, int event)
   5441 {
   5442 	nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
   5443 		       ctx->family, ctx->report, GFP_KERNEL);
   5444 }
   5445 
   5446 /*
   5447  * Flow tables
   5448  */
   5449 void nft_register_flowtable_type(struct nf_flowtable_type *type)
   5450 {
   5451 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
   5452 	list_add_tail_rcu(&type->list, &nf_tables_flowtables);
   5453 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
   5454 }
   5455 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
   5456 
   5457 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
   5458 {
   5459 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
   5460 	list_del_rcu(&type->list);
   5461 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
   5462 }
   5463 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
   5464 
   5465 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
   5466 	[NFTA_FLOWTABLE_TABLE]		= { .type = NLA_STRING,
   5467 					    .len = NFT_NAME_MAXLEN - 1 },
   5468 	[NFTA_FLOWTABLE_NAME]		= { .type = NLA_STRING,
   5469 					    .len = NFT_NAME_MAXLEN - 1 },
   5470 	[NFTA_FLOWTABLE_HOOK]		= { .type = NLA_NESTED },
   5471 	[NFTA_FLOWTABLE_HANDLE]		= { .type = NLA_U64 },
   5472 };
   5473 
   5474 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
   5475 					   const struct nlattr *nla, u8 genmask)
   5476 {
   5477 	struct nft_flowtable *flowtable;
   5478 
   5479 	list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
   5480 		if (!nla_strcmp(nla, flowtable->name) &&
   5481 		    nft_active_genmask(flowtable, genmask))
   5482 			return flowtable;
   5483 	}
   5484 	return ERR_PTR(-ENOENT);
   5485 }
   5486 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
   5487 
   5488 static struct nft_flowtable *
   5489 nft_flowtable_lookup_byhandle(const struct nft_table *table,
   5490 			      const struct nlattr *nla, u8 genmask)
   5491 {
   5492        struct nft_flowtable *flowtable;
   5493 
   5494        list_for_each_entry(flowtable, &table->flowtables, list) {
   5495                if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
   5496                    nft_active_genmask(flowtable, genmask))
   5497                        return flowtable;
   5498        }
   5499        return ERR_PTR(-ENOENT);
   5500 }
   5501 
   5502 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
   5503 				   const struct nlattr *attr,
   5504 				   struct net_device *dev_array[], int *len)
   5505 {
   5506 	const struct nlattr *tmp;
   5507 	struct net_device *dev;
   5508 	char ifname[IFNAMSIZ];
   5509 	int rem, n = 0, err;
   5510 
   5511 	nla_for_each_nested(tmp, attr, rem) {
   5512 		if (nla_type(tmp) != NFTA_DEVICE_NAME) {
   5513 			err = -EINVAL;
   5514 			goto err1;
   5515 		}
   5516 
   5517 		nla_strlcpy(ifname, tmp, IFNAMSIZ);
   5518 		dev = __dev_get_by_name(ctx->net, ifname);
   5519 		if (!dev) {
   5520 			err = -ENOENT;
   5521 			goto err1;
   5522 		}
   5523 
   5524 		dev_array[n++] = dev;
   5525 		if (n == NFT_FLOWTABLE_DEVICE_MAX) {
   5526 			err = -EFBIG;
   5527 			goto err1;
   5528 		}
   5529 	}
   5530 	if (!len)
   5531 		return -EINVAL;
   5532 
   5533 	err = 0;
   5534 err1:
   5535 	*len = n;
   5536 	return err;
   5537 }
   5538 
   5539 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
   5540 	[NFTA_FLOWTABLE_HOOK_NUM]	= { .type = NLA_U32 },
   5541 	[NFTA_FLOWTABLE_HOOK_PRIORITY]	= { .type = NLA_U32 },
   5542 	[NFTA_FLOWTABLE_HOOK_DEVS]	= { .type = NLA_NESTED },
   5543 };
   5544 
   5545 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
   5546 					  const struct nlattr *attr,
   5547 					  struct nft_flowtable *flowtable)
   5548 {
   5549 	struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
   5550 	struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
   5551 	struct nf_hook_ops *ops;
   5552 	int hooknum, priority;
   5553 	int err, n = 0, i;
   5554 
   5555 	err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
   5556 			       nft_flowtable_hook_policy, NULL);
   5557 	if (err < 0)
   5558 		return err;
   5559 
   5560 	if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
   5561 	    !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
   5562 	    !tb[NFTA_FLOWTABLE_HOOK_DEVS])
   5563 		return -EINVAL;
   5564 
   5565 	hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
   5566 	if (hooknum != NF_NETDEV_INGRESS)
   5567 		return -EINVAL;
   5568 
   5569 	priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
   5570 
   5571 	err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
   5572 				      dev_array, &n);
   5573 	if (err < 0)
   5574 		return err;
   5575 
   5576 	ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
   5577 	if (!ops)
   5578 		return -ENOMEM;
   5579 
   5580 	flowtable->hooknum	= hooknum;
   5581 	flowtable->priority	= priority;
   5582 	flowtable->ops		= ops;
   5583 	flowtable->ops_len	= n;
   5584 
   5585 	for (i = 0; i < n; i++) {
   5586 		flowtable->ops[i].pf		= NFPROTO_NETDEV;
   5587 		flowtable->ops[i].hooknum	= hooknum;
   5588 		flowtable->ops[i].priority	= priority;
   5589 		flowtable->ops[i].priv		= &flowtable->data;
   5590 		flowtable->ops[i].hook		= flowtable->data.type->hook;
   5591 		flowtable->ops[i].dev		= dev_array[i];
   5592 	}
   5593 
   5594 	return err;
   5595 }
   5596 
   5597 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
   5598 {
   5599 	const struct nf_flowtable_type *type;
   5600 
   5601 	list_for_each_entry(type, &nf_tables_flowtables, list) {
   5602 		if (family == type->family)
   5603 			return type;
   5604 	}
   5605 	return NULL;
   5606 }
   5607 
   5608 static const struct nf_flowtable_type *
   5609 nft_flowtable_type_get(struct net *net, u8 family)
   5610 {
   5611 	const struct nf_flowtable_type *type;
   5612 
   5613 	type = __nft_flowtable_type_get(family);
   5614 	if (type != NULL && try_module_get(type->owner))
   5615 		return type;
   5616 
   5617 	lockdep_nfnl_nft_mutex_not_held();
   5618 #ifdef CONFIG_MODULES
   5619 	if (type == NULL) {
   5620 		nft_request_module(net, "nf-flowtable-%u", family);
   5621 		if (__nft_flowtable_type_get(family))
   5622 			return ERR_PTR(-EAGAIN);
   5623 	}
   5624 #endif
   5625 	return ERR_PTR(-ENOENT);
   5626 }
   5627 
   5628 static void nft_unregister_flowtable_net_hooks(struct net *net,
   5629 					       struct nft_flowtable *flowtable)
   5630 {
   5631 	int i;
   5632 
   5633 	for (i = 0; i < flowtable->ops_len; i++) {
   5634 		if (!flowtable->ops[i].dev)
   5635 			continue;
   5636 
   5637 		nf_unregister_net_hook(net, &flowtable->ops[i]);
   5638 	}
   5639 }
   5640 
   5641 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
   5642 				  struct sk_buff *skb,
   5643 				  const struct nlmsghdr *nlh,
   5644 				  const struct nlattr * const nla[],
   5645 				  struct netlink_ext_ack *extack)
   5646 {
   5647 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   5648 	const struct nf_flowtable_type *type;
   5649 	struct nft_flowtable *flowtable, *ft;
   5650 	u8 genmask = nft_genmask_next(net);
   5651 	int family = nfmsg->nfgen_family;
   5652 	struct nft_table *table;
   5653 	struct nft_ctx ctx;
   5654 	int err, i, k;
   5655 
   5656 	if (!nla[NFTA_FLOWTABLE_TABLE] ||
   5657 	    !nla[NFTA_FLOWTABLE_NAME] ||
   5658 	    !nla[NFTA_FLOWTABLE_HOOK])
   5659 		return -EINVAL;
   5660 
   5661 	table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
   5662 				 genmask);
   5663 	if (IS_ERR(table)) {
   5664 		NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
   5665 		return PTR_ERR(table);
   5666 	}
   5667 
   5668 	flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
   5669 					 genmask);
   5670 	if (IS_ERR(flowtable)) {
   5671 		err = PTR_ERR(flowtable);
   5672 		if (err != -ENOENT) {
   5673 			NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
   5674 			return err;
   5675 		}
   5676 	} else {
   5677 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
   5678 			NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
   5679 			return -EEXIST;
   5680 		}
   5681 
   5682 		return 0;
   5683 	}
   5684 
   5685 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
   5686 
   5687 	flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
   5688 	if (!flowtable)
   5689 		return -ENOMEM;
   5690 
   5691 	flowtable->table = table;
   5692 	flowtable->handle = nf_tables_alloc_handle(table);
   5693 
   5694 	flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
   5695 	if (!flowtable->name) {
   5696 		err = -ENOMEM;
   5697 		goto err1;
   5698 	}
   5699 
   5700 	type = nft_flowtable_type_get(net, family);
   5701 	if (IS_ERR(type)) {
   5702 		err = PTR_ERR(type);
   5703 		goto err2;
   5704 	}
   5705 
   5706 	flowtable->data.type = type;
   5707 	err = type->init(&flowtable->data);
   5708 	if (err < 0)
   5709 		goto err3;
   5710 
   5711 	err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
   5712 					     flowtable);
   5713 	if (err < 0)
   5714 		goto err4;
   5715 
   5716 	for (i = 0; i < flowtable->ops_len; i++) {
   5717 		if (!flowtable->ops[i].dev)
   5718 			continue;
   5719 
   5720 		list_for_each_entry(ft, &table->flowtables, list) {
   5721 			for (k = 0; k < ft->ops_len; k++) {
   5722 				if (!ft->ops[k].dev)
   5723 					continue;
   5724 
   5725 				if (flowtable->ops[i].dev == ft->ops[k].dev &&
   5726 				    flowtable->ops[i].pf == ft->ops[k].pf) {
   5727 					err = -EBUSY;
   5728 					goto err5;
   5729 				}
   5730 			}
   5731 		}
   5732 
   5733 		err = nf_register_net_hook(net, &flowtable->ops[i]);
   5734 		if (err < 0)
   5735 			goto err5;
   5736 	}
   5737 
   5738 	err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
   5739 	if (err < 0)
   5740 		goto err6;
   5741 
   5742 	list_add_tail_rcu(&flowtable->list, &table->flowtables);
   5743 	table->use++;
   5744 
   5745 	return 0;
   5746 err6:
   5747 	i = flowtable->ops_len;
   5748 err5:
   5749 	for (k = i - 1; k >= 0; k--)
   5750 		nf_unregister_net_hook(net, &flowtable->ops[k]);
   5751 
   5752 	kfree(flowtable->ops);
   5753 err4:
   5754 	flowtable->data.type->free(&flowtable->data);
   5755 err3:
   5756 	module_put(type->owner);
   5757 err2:
   5758 	kfree(flowtable->name);
   5759 err1:
   5760 	kfree(flowtable);
   5761 	return err;
   5762 }
   5763 
   5764 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
   5765 				  struct sk_buff *skb,
   5766 				  const struct nlmsghdr *nlh,
   5767 				  const struct nlattr * const nla[],
   5768 				  struct netlink_ext_ack *extack)
   5769 {
   5770 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   5771 	u8 genmask = nft_genmask_next(net);
   5772 	int family = nfmsg->nfgen_family;
   5773 	struct nft_flowtable *flowtable;
   5774 	const struct nlattr *attr;
   5775 	struct nft_table *table;
   5776 	struct nft_ctx ctx;
   5777 
   5778 	if (!nla[NFTA_FLOWTABLE_TABLE] ||
   5779 	    (!nla[NFTA_FLOWTABLE_NAME] &&
   5780 	     !nla[NFTA_FLOWTABLE_HANDLE]))
   5781 		return -EINVAL;
   5782 
   5783 	table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
   5784 				 genmask);
   5785 	if (IS_ERR(table)) {
   5786 		NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
   5787 		return PTR_ERR(table);
   5788 	}
   5789 
   5790 	if (nla[NFTA_FLOWTABLE_HANDLE]) {
   5791 		attr = nla[NFTA_FLOWTABLE_HANDLE];
   5792 		flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
   5793 	} else {
   5794 		attr = nla[NFTA_FLOWTABLE_NAME];
   5795 		flowtable = nft_flowtable_lookup(table, attr, genmask);
   5796 	}
   5797 
   5798 	if (IS_ERR(flowtable)) {
   5799 		NL_SET_BAD_ATTR(extack, attr);
   5800 		return PTR_ERR(flowtable);
   5801 	}
   5802 	if (flowtable->use > 0) {
   5803 		NL_SET_BAD_ATTR(extack, attr);
   5804 		return -EBUSY;
   5805 	}
   5806 
   5807 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
   5808 
   5809 	return nft_delflowtable(&ctx, flowtable);
   5810 }
   5811 
   5812 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
   5813 					 u32 portid, u32 seq, int event,
   5814 					 u32 flags, int family,
   5815 					 struct nft_flowtable *flowtable)
   5816 {
   5817 	struct nlattr *nest, *nest_devs;
   5818 	struct nfgenmsg *nfmsg;
   5819 	struct nlmsghdr *nlh;
   5820 	int i;
   5821 
   5822 	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
   5823 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
   5824 	if (nlh == NULL)
   5825 		goto nla_put_failure;
   5826 
   5827 	nfmsg = nlmsg_data(nlh);
   5828 	nfmsg->nfgen_family	= family;
   5829 	nfmsg->version		= NFNETLINK_V0;
   5830 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
   5831 
   5832 	if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
   5833 	    nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
   5834 	    nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
   5835 	    nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
   5836 			 NFTA_FLOWTABLE_PAD))
   5837 		goto nla_put_failure;
   5838 
   5839 	nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
   5840 	if (!nest)
   5841 		goto nla_put_failure;
   5842 	if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
   5843 	    nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
   5844 		goto nla_put_failure;
   5845 
   5846 	nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
   5847 	if (!nest_devs)
   5848 		goto nla_put_failure;
   5849 
   5850 	for (i = 0; i < flowtable->ops_len; i++) {
   5851 		const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
   5852 
   5853 		if (dev &&
   5854 		    nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
   5855 			goto nla_put_failure;
   5856 	}
   5857 	nla_nest_end(skb, nest_devs);
   5858 	nla_nest_end(skb, nest);
   5859 
   5860 	nlmsg_end(skb, nlh);
   5861 	return 0;
   5862 
   5863 nla_put_failure:
   5864 	nlmsg_trim(skb, nlh);
   5865 	return -1;
   5866 }
   5867 
   5868 struct nft_flowtable_filter {
   5869 	char		*table;
   5870 };
   5871 
   5872 static int nf_tables_dump_flowtable(struct sk_buff *skb,
   5873 				    struct netlink_callback *cb)
   5874 {
   5875 	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
   5876 	struct nft_flowtable_filter *filter = cb->data;
   5877 	unsigned int idx = 0, s_idx = cb->args[0];
   5878 	struct net *net = sock_net(skb->sk);
   5879 	int family = nfmsg->nfgen_family;
   5880 	struct nft_flowtable *flowtable;
   5881 	const struct nft_table *table;
   5882 
   5883 	rcu_read_lock();
   5884 	cb->seq = net->nft.base_seq;
   5885 
   5886 	list_for_each_entry_rcu(table, &net->nft.tables, list) {
   5887 		if (family != NFPROTO_UNSPEC && family != table->family)
   5888 			continue;
   5889 
   5890 		list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
   5891 			if (!nft_is_active(net, flowtable))
   5892 				goto cont;
   5893 			if (idx < s_idx)
   5894 				goto cont;
   5895 			if (idx > s_idx)
   5896 				memset(&cb->args[1], 0,
   5897 				       sizeof(cb->args) - sizeof(cb->args[0]));
   5898 			if (filter && filter->table &&
   5899 			    strcmp(filter->table, table->name))
   5900 				goto cont;
   5901 
   5902 			if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
   5903 							  cb->nlh->nlmsg_seq,
   5904 							  NFT_MSG_NEWFLOWTABLE,
   5905 							  NLM_F_MULTI | NLM_F_APPEND,
   5906 							  table->family, flowtable) < 0)
   5907 				goto done;
   5908 
   5909 			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
   5910 cont:
   5911 			idx++;
   5912 		}
   5913 	}
   5914 done:
   5915 	rcu_read_unlock();
   5916 
   5917 	cb->args[0] = idx;
   5918 	return skb->len;
   5919 }
   5920 
   5921 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
   5922 {
   5923 	const struct nlattr * const *nla = cb->data;
   5924 	struct nft_flowtable_filter *filter = NULL;
   5925 
   5926 	if (nla[NFTA_FLOWTABLE_TABLE]) {
   5927 		filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
   5928 		if (!filter)
   5929 			return -ENOMEM;
   5930 
   5931 		filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
   5932 					   GFP_ATOMIC);
   5933 		if (!filter->table) {
   5934 			kfree(filter);
   5935 			return -ENOMEM;
   5936 		}
   5937 	}
   5938 
   5939 	cb->data = filter;
   5940 	return 0;
   5941 }
   5942 
   5943 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
   5944 {
   5945 	struct nft_flowtable_filter *filter = cb->data;
   5946 
   5947 	if (!filter)
   5948 		return 0;
   5949 
   5950 	kfree(filter->table);
   5951 	kfree(filter);
   5952 
   5953 	return 0;
   5954 }
   5955 
   5956 /* called with rcu_read_lock held */
   5957 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
   5958 				  struct sk_buff *skb,
   5959 				  const struct nlmsghdr *nlh,
   5960 				  const struct nlattr * const nla[],
   5961 				  struct netlink_ext_ack *extack)
   5962 {
   5963 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
   5964 	u8 genmask = nft_genmask_cur(net);
   5965 	int family = nfmsg->nfgen_family;
   5966 	struct nft_flowtable *flowtable;
   5967 	const struct nft_table *table;
   5968 	struct sk_buff *skb2;
   5969 	int err;
   5970 
   5971 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
   5972 		struct netlink_dump_control c = {
   5973 			.start = nf_tables_dump_flowtable_start,
   5974 			.dump = nf_tables_dump_flowtable,
   5975 			.done = nf_tables_dump_flowtable_done,
   5976 			.module = THIS_MODULE,
   5977 			.data = (void *)nla,
   5978 		};
   5979 
   5980 		return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
   5981 	}
   5982 
   5983 	if (!nla[NFTA_FLOWTABLE_NAME])
   5984 		return -EINVAL;
   5985 
   5986 	table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
   5987 				 genmask);
   5988 	if (IS_ERR(table))
   5989 		return PTR_ERR(table);
   5990 
   5991 	flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
   5992 					 genmask);
   5993 	if (IS_ERR(flowtable))
   5994 		return PTR_ERR(flowtable);
   5995 
   5996 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
   5997 	if (!skb2)
   5998 		return -ENOMEM;
   5999 
   6000 	err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
   6001 					    nlh->nlmsg_seq,
   6002 					    NFT_MSG_NEWFLOWTABLE, 0, family,
   6003 					    flowtable);
   6004 	if (err < 0)
   6005 		goto err;
   6006 
   6007 	return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
   6008 err:
   6009 	kfree_skb(skb2);
   6010 	return err;
   6011 }
   6012 
   6013 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
   6014 				       struct nft_flowtable *flowtable,
   6015 				       int event)
   6016 {
   6017 	struct sk_buff *skb;
   6018 	int err;
   6019 
   6020 	if (ctx->report &&
   6021 	    !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
   6022 		return;
   6023 
   6024 	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
   6025 	if (skb == NULL)
   6026 		goto err;
   6027 
   6028 	err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
   6029 					    ctx->seq, event, 0,
   6030 					    ctx->family, flowtable);
   6031 	if (err < 0) {
   6032 		kfree_skb(skb);
   6033 		goto err;
   6034 	}
   6035 
   6036 	nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
   6037 		       ctx->report, GFP_KERNEL);
   6038 	return;
   6039 err:
   6040 	nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
   6041 }
   6042 
   6043 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
   6044 {
   6045 	kfree(flowtable->ops);
   6046 	kfree(flowtable->name);
   6047 	flowtable->data.type->free(&flowtable->data);
   6048 	module_put(flowtable->data.type->owner);
   6049 	kfree(flowtable);
   6050 }
   6051 
   6052 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
   6053 				   u32 portid, u32 seq)
   6054 {
   6055 	struct nlmsghdr *nlh;
   6056 	struct nfgenmsg *nfmsg;
   6057 	char buf[TASK_COMM_LEN];
   6058 	int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
   6059 
   6060 	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
   6061 	if (nlh == NULL)
   6062 		goto nla_put_failure;
   6063 
   6064 	nfmsg = nlmsg_data(nlh);
   6065 	nfmsg->nfgen_family	= AF_UNSPEC;
   6066 	nfmsg->version		= NFNETLINK_V0;
   6067 	nfmsg->res_id		= htons(net->nft.base_seq & 0xffff);
   6068 
   6069 	if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
   6070 	    nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
   6071 	    nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
   6072 		goto nla_put_failure;
   6073 
   6074 	nlmsg_end(skb, nlh);
   6075 	return 0;
   6076 
   6077 nla_put_failure:
   6078 	nlmsg_trim(skb, nlh);
   6079 	return -EMSGSIZE;
   6080 }
   6081 
   6082 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
   6083 				struct nft_flowtable *flowtable)
   6084 {
   6085 	int i;
   6086 
   6087 	for (i = 0; i < flowtable->ops_len; i++) {
   6088 		if (flowtable->ops[i].dev != dev)
   6089 			continue;
   6090 
   6091 		nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
   6092 		flowtable->ops[i].dev = NULL;
   6093 		break;
   6094 	}
   6095 }
   6096 
   6097 static int nf_tables_flowtable_event(struct notifier_block *this,
   6098 				     unsigned long event, void *ptr)
   6099 {
   6100 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
   6101 	struct nft_flowtable *flowtable;
   6102 	struct nft_table *table;
   6103 	struct net *net;
   6104 
   6105 	if (event != NETDEV_UNREGISTER)
   6106 		return 0;
   6107 
   6108 	net = dev_net(dev);
   6109 	mutex_lock(&net->nft.commit_mutex);
   6110 	list_for_each_entry(table, &net->nft.tables, list) {
   6111 		list_for_each_entry(flowtable, &table->flowtables, list) {
   6112 			nft_flowtable_event(event, dev, flowtable);
   6113 		}
   6114 	}
   6115 	mutex_unlock(&net->nft.commit_mutex);
   6116 
   6117 	return NOTIFY_DONE;
   6118 }
   6119 
   6120 static struct notifier_block nf_tables_flowtable_notifier = {
   6121 	.notifier_call	= nf_tables_flowtable_event,
   6122 };
   6123 
   6124 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
   6125 				 int event)
   6126 {
   6127 	struct nlmsghdr *nlh = nlmsg_hdr(skb);
   6128 	struct sk_buff *skb2;
   6129 	int err;
   6130 
   6131 	if (nlmsg_report(nlh) &&
   6132 	    !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
   6133 		return;
   6134 
   6135 	skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
   6136 	if (skb2 == NULL)
   6137 		goto err;
   6138 
   6139 	err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
   6140 				      nlh->nlmsg_seq);
   6141 	if (err < 0) {
   6142 		kfree_skb(skb2);
   6143 		goto err;
   6144 	}
   6145 
   6146 	nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
   6147 		       nlmsg_report(nlh), GFP_KERNEL);
   6148 	return;
   6149 err:
   6150 	nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
   6151 			  -ENOBUFS);
   6152 }
   6153 
   6154 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
   6155 			    struct sk_buff *skb, const struct nlmsghdr *nlh,
   6156 			    const struct nlattr * const nla[],
   6157 			    struct netlink_ext_ack *extack)
   6158 {
   6159 	struct sk_buff *skb2;
   6160 	int err;
   6161 
   6162 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
   6163 	if (skb2 == NULL)
   6164 		return -ENOMEM;
   6165 
   6166 	err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
   6167 				      nlh->nlmsg_seq);
   6168 	if (err < 0)
   6169 		goto err;
   6170 
   6171 	return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
   6172 err:
   6173 	kfree_skb(skb2);
   6174 	return err;
   6175 }
   6176 
   6177 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
   6178 	[NFT_MSG_NEWTABLE] = {
   6179 		.call_batch	= nf_tables_newtable,
   6180 		.attr_count	= NFTA_TABLE_MAX,
   6181 		.policy		= nft_table_policy,
   6182 	},
   6183 	[NFT_MSG_GETTABLE] = {
   6184 		.call_rcu	= nf_tables_gettable,
   6185 		.attr_count	= NFTA_TABLE_MAX,
   6186 		.policy		= nft_table_policy,
   6187 	},
   6188 	[NFT_MSG_DELTABLE] = {
   6189 		.call_batch	= nf_tables_deltable,
   6190 		.attr_count	= NFTA_TABLE_MAX,
   6191 		.policy		= nft_table_policy,
   6192 	},
   6193 	[NFT_MSG_NEWCHAIN] = {
   6194 		.call_batch	= nf_tables_newchain,
   6195 		.attr_count	= NFTA_CHAIN_MAX,
   6196 		.policy		= nft_chain_policy,
   6197 	},
   6198 	[NFT_MSG_GETCHAIN] = {
   6199 		.call_rcu	= nf_tables_getchain,
   6200 		.attr_count	= NFTA_CHAIN_MAX,
   6201 		.policy		= nft_chain_policy,
   6202 	},
   6203 	[NFT_MSG_DELCHAIN] = {
   6204 		.call_batch	= nf_tables_delchain,
   6205 		.attr_count	= NFTA_CHAIN_MAX,
   6206 		.policy		= nft_chain_policy,
   6207 	},
   6208 	[NFT_MSG_NEWRULE] = {
   6209 		.call_batch	= nf_tables_newrule,
   6210 		.attr_count	= NFTA_RULE_MAX,
   6211 		.policy		= nft_rule_policy,
   6212 	},
   6213 	[NFT_MSG_GETRULE] = {
   6214 		.call_rcu	= nf_tables_getrule,
   6215 		.attr_count	= NFTA_RULE_MAX,
   6216 		.policy		= nft_rule_policy,
   6217 	},
   6218 	[NFT_MSG_DELRULE] = {
   6219 		.call_batch	= nf_tables_delrule,
   6220 		.attr_count	= NFTA_RULE_MAX,
   6221 		.policy		= nft_rule_policy,
   6222 	},
   6223 	[NFT_MSG_NEWSET] = {
   6224 		.call_batch	= nf_tables_newset,
   6225 		.attr_count	= NFTA_SET_MAX,
   6226 		.policy		= nft_set_policy,
   6227 	},
   6228 	[NFT_MSG_GETSET] = {
   6229 		.call_rcu	= nf_tables_getset,
   6230 		.attr_count	= NFTA_SET_MAX,
   6231 		.policy		= nft_set_policy,
   6232 	},
   6233 	[NFT_MSG_DELSET] = {
   6234 		.call_batch	= nf_tables_delset,
   6235 		.attr_count	= NFTA_SET_MAX,
   6236 		.policy		= nft_set_policy,
   6237 	},
   6238 	[NFT_MSG_NEWSETELEM] = {
   6239 		.call_batch	= nf_tables_newsetelem,
   6240 		.attr_count	= NFTA_SET_ELEM_LIST_MAX,
   6241 		.policy		= nft_set_elem_list_policy,
   6242 	},
   6243 	[NFT_MSG_GETSETELEM] = {
   6244 		.call_rcu	= nf_tables_getsetelem,
   6245 		.attr_count	= NFTA_SET_ELEM_LIST_MAX,
   6246 		.policy		= nft_set_elem_list_policy,
   6247 	},
   6248 	[NFT_MSG_DELSETELEM] = {
   6249 		.call_batch	= nf_tables_delsetelem,
   6250 		.attr_count	= NFTA_SET_ELEM_LIST_MAX,
   6251 		.policy		= nft_set_elem_list_policy,
   6252 	},
   6253 	[NFT_MSG_GETGEN] = {
   6254 		.call_rcu	= nf_tables_getgen,
   6255 	},
   6256 	[NFT_MSG_NEWOBJ] = {
   6257 		.call_batch	= nf_tables_newobj,
   6258 		.attr_count	= NFTA_OBJ_MAX,
   6259 		.policy		= nft_obj_policy,
   6260 	},
   6261 	[NFT_MSG_GETOBJ] = {
   6262 		.call_rcu	= nf_tables_getobj,
   6263 		.attr_count	= NFTA_OBJ_MAX,
   6264 		.policy		= nft_obj_policy,
   6265 	},
   6266 	[NFT_MSG_DELOBJ] = {
   6267 		.call_batch	= nf_tables_delobj,
   6268 		.attr_count	= NFTA_OBJ_MAX,
   6269 		.policy		= nft_obj_policy,
   6270 	},
   6271 	[NFT_MSG_GETOBJ_RESET] = {
   6272 		.call_rcu	= nf_tables_getobj,
   6273 		.attr_count	= NFTA_OBJ_MAX,
   6274 		.policy		= nft_obj_policy,
   6275 	},
   6276 	[NFT_MSG_NEWFLOWTABLE] = {
   6277 		.call_batch	= nf_tables_newflowtable,
   6278 		.attr_count	= NFTA_FLOWTABLE_MAX,
   6279 		.policy		= nft_flowtable_policy,
   6280 	},
   6281 	[NFT_MSG_GETFLOWTABLE] = {
   6282 		.call_rcu	= nf_tables_getflowtable,
   6283 		.attr_count	= NFTA_FLOWTABLE_MAX,
   6284 		.policy		= nft_flowtable_policy,
   6285 	},
   6286 	[NFT_MSG_DELFLOWTABLE] = {
   6287 		.call_batch	= nf_tables_delflowtable,
   6288 		.attr_count	= NFTA_FLOWTABLE_MAX,
   6289 		.policy		= nft_flowtable_policy,
   6290 	},
   6291 };
   6292 
   6293 static int nf_tables_validate(struct net *net)
   6294 {
   6295 	struct nft_table *table;
   6296 
   6297 	switch (net->nft.validate_state) {
   6298 	case NFT_VALIDATE_SKIP:
   6299 		break;
   6300 	case NFT_VALIDATE_NEED:
   6301 		nft_validate_state_update(net, NFT_VALIDATE_DO);
   6302 		/* fall through */
   6303 	case NFT_VALIDATE_DO:
   6304 		list_for_each_entry(table, &net->nft.tables, list) {
   6305 			if (nft_table_validate(net, table) < 0)
   6306 				return -EAGAIN;
   6307 		}
   6308 		break;
   6309 	}
   6310 
   6311 	return 0;
   6312 }
   6313 
   6314 static void nft_chain_commit_update(struct nft_trans *trans)
   6315 {
   6316 	struct nft_base_chain *basechain;
   6317 
   6318 	if (nft_trans_chain_name(trans)) {
   6319 		rhltable_remove(&trans->ctx.table->chains_ht,
   6320 				&trans->ctx.chain->rhlhead,
   6321 				nft_chain_ht_params);
   6322 		swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
   6323 		rhltable_insert_key(&trans->ctx.table->chains_ht,
   6324 				    trans->ctx.chain->name,
   6325 				    &trans->ctx.chain->rhlhead,
   6326 				    nft_chain_ht_params);
   6327 	}
   6328 
   6329 	if (!nft_is_base_chain(trans->ctx.chain))
   6330 		return;
   6331 
   6332 	basechain = nft_base_chain(trans->ctx.chain);
   6333 	nft_chain_stats_replace(trans->ctx.net, basechain,
   6334 				nft_trans_chain_stats(trans));
   6335 
   6336 	switch (nft_trans_chain_policy(trans)) {
   6337 	case NF_DROP:
   6338 	case NF_ACCEPT:
   6339 		basechain->policy = nft_trans_chain_policy(trans);
   6340 		break;
   6341 	}
   6342 }
   6343 
   6344 static void nft_commit_release(struct nft_trans *trans)
   6345 {
   6346 	switch (trans->msg_type) {
   6347 	case NFT_MSG_DELTABLE:
   6348 		nf_tables_table_destroy(&trans->ctx);
   6349 		break;
   6350 	case NFT_MSG_NEWCHAIN:
   6351 		kfree(nft_trans_chain_name(trans));
   6352 		break;
   6353 	case NFT_MSG_DELCHAIN:
   6354 		nf_tables_chain_destroy(&trans->ctx);
   6355 		break;
   6356 	case NFT_MSG_DELRULE:
   6357 		nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
   6358 		break;
   6359 	case NFT_MSG_DELSET:
   6360 		nft_set_destroy(nft_trans_set(trans));
   6361 		break;
   6362 	case NFT_MSG_DELSETELEM:
   6363 		nf_tables_set_elem_destroy(&trans->ctx,
   6364 					   nft_trans_elem_set(trans),
   6365 					   nft_trans_elem(trans).priv);
   6366 		break;
   6367 	case NFT_MSG_DELOBJ:
   6368 		nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
   6369 		break;
   6370 	case NFT_MSG_DELFLOWTABLE:
   6371 		nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
   6372 		break;
   6373 	}
   6374 
   6375 	if (trans->put_net)
   6376 		put_net(trans->ctx.net);
   6377 
   6378 	kfree(trans);
   6379 }
   6380 
   6381 static void nf_tables_trans_destroy_work(struct work_struct *w)
   6382 {
   6383 	struct nft_trans *trans, *next;
   6384 	LIST_HEAD(head);
   6385 
   6386 	spin_lock(&nf_tables_destroy_list_lock);
   6387 	list_splice_init(&nf_tables_destroy_list, &head);
   6388 	spin_unlock(&nf_tables_destroy_list_lock);
   6389 
   6390 	if (list_empty(&head))
   6391 		return;
   6392 
   6393 	synchronize_rcu();
   6394 
   6395 	list_for_each_entry_safe(trans, next, &head, list) {
   6396 		list_del(&trans->list);
   6397 		nft_commit_release(trans);
   6398 	}
   6399 }
   6400 
   6401 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
   6402 {
   6403 	struct nft_rule *rule;
   6404 	unsigned int alloc = 0;
   6405 	int i;
   6406 
   6407 	/* already handled or inactive chain? */
   6408 	if (chain->rules_next || !nft_is_active_next(net, chain))
   6409 		return 0;
   6410 
   6411 	rule = list_entry(&chain->rules, struct nft_rule, list);
   6412 	i = 0;
   6413 
   6414 	list_for_each_entry_continue(rule, &chain->rules, list) {
   6415 		if (nft_is_active_next(net, rule))
   6416 			alloc++;
   6417 	}
   6418 
   6419 	chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
   6420 	if (!chain->rules_next)
   6421 		return -ENOMEM;
   6422 
   6423 	list_for_each_entry_continue(rule, &chain->rules, list) {
   6424 		if (nft_is_active_next(net, rule))
   6425 			chain->rules_next[i++] = rule;
   6426 	}
   6427 
   6428 	chain->rules_next[i] = NULL;
   6429 	return 0;
   6430 }
   6431 
   6432 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
   6433 {
   6434 	struct nft_trans *trans, *next;
   6435 
   6436 	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
   6437 		struct nft_chain *chain = trans->ctx.chain;
   6438 
   6439 		if (trans->msg_type == NFT_MSG_NEWRULE ||
   6440 		    trans->msg_type == NFT_MSG_DELRULE) {
   6441 			kvfree(chain->rules_next);
   6442 			chain->rules_next = NULL;
   6443 		}
   6444 	}
   6445 }
   6446 
   6447 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
   6448 {
   6449 	struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
   6450 
   6451 	kvfree(o->start);
   6452 }
   6453 
   6454 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
   6455 {
   6456 	struct nft_rule **r = rules;
   6457 	struct nft_rules_old *old;
   6458 
   6459 	while (*r)
   6460 		r++;
   6461 
   6462 	r++;	/* rcu_head is after end marker */
   6463 	old = (void *) r;
   6464 	old->start = rules;
   6465 
   6466 	call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
   6467 }
   6468 
   6469 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
   6470 {
   6471 	struct nft_rule **g0, **g1;
   6472 	bool next_genbit;
   6473 
   6474 	next_genbit = nft_gencursor_next(net);
   6475 
   6476 	g0 = rcu_dereference_protected(chain->rules_gen_0,
   6477 				       lockdep_commit_lock_is_held(net));
   6478 	g1 = rcu_dereference_protected(chain->rules_gen_1,
   6479 				       lockdep_commit_lock_is_held(net));
   6480 
   6481 	/* No changes to this chain? */
   6482 	if (chain->rules_next == NULL) {
   6483 		/* chain had no change in last or next generation */
   6484 		if (g0 == g1)
   6485 			return;
   6486 		/*
   6487 		 * chain had no change in this generation; make sure next
   6488 		 * one uses same rules as current generation.
   6489 		 */
   6490 		if (next_genbit) {
   6491 			rcu_assign_pointer(chain->rules_gen_1, g0);
   6492 			nf_tables_commit_chain_free_rules_old(g1);
   6493 		} else {
   6494 			rcu_assign_pointer(chain->rules_gen_0, g1);
   6495 			nf_tables_commit_chain_free_rules_old(g0);
   6496 		}
   6497 
   6498 		return;
   6499 	}
   6500 
   6501 	if (next_genbit)
   6502 		rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
   6503 	else
   6504 		rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
   6505 
   6506 	chain->rules_next = NULL;
   6507 
   6508 	if (g0 == g1)
   6509 		return;
   6510 
   6511 	if (next_genbit)
   6512 		nf_tables_commit_chain_free_rules_old(g1);
   6513 	else
   6514 		nf_tables_commit_chain_free_rules_old(g0);
   6515 }
   6516 
   6517 static void nft_obj_del(struct nft_object *obj)
   6518 {
   6519 	rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
   6520 	list_del_rcu(&obj->list);
   6521 }
   6522 
   6523 static void nft_chain_del(struct nft_chain *chain)
   6524 {
   6525 	struct nft_table *table = chain->table;
   6526 
   6527 	WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
   6528 				     nft_chain_ht_params));
   6529 	list_del_rcu(&chain->list);
   6530 }
   6531 
   6532 static void nf_tables_commit_release(struct net *net)
   6533 {
   6534 	struct nft_trans *trans;
   6535 
   6536 	/* all side effects have to be made visible.
   6537 	 * For example, if a chain named 'foo' has been deleted, a
   6538 	 * new transaction must not find it anymore.
   6539 	 *
   6540 	 * Memory reclaim happens asynchronously from work queue
   6541 	 * to prevent expensive synchronize_rcu() in commit phase.
   6542 	 */
   6543 	if (list_empty(&net->nft.commit_list)) {
   6544 		mutex_unlock(&net->nft.commit_mutex);
   6545 		return;
   6546 	}
   6547 
   6548 	trans = list_last_entry(&net->nft.commit_list,
   6549 				struct nft_trans, list);
   6550 	get_net(trans->ctx.net);
   6551 	WARN_ON_ONCE(trans->put_net);
   6552 
   6553 	trans->put_net = true;
   6554 	spin_lock(&nf_tables_destroy_list_lock);
   6555 	list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
   6556 	spin_unlock(&nf_tables_destroy_list_lock);
   6557 
   6558 	mutex_unlock(&net->nft.commit_mutex);
   6559 
   6560 	schedule_work(&trans_destroy_work);
   6561 }
   6562 
   6563 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
   6564 {
   6565 	struct nft_trans *trans, *next;
   6566 	struct nft_trans_elem *te;
   6567 	struct nft_chain *chain;
   6568 	struct nft_table *table;
   6569 
   6570 	if (list_empty(&net->nft.commit_list)) {
   6571 		mutex_unlock(&net->nft.commit_mutex);
   6572 		return 0;
   6573 	}
   6574 
   6575 	/* 0. Validate ruleset, otherwise roll back for error reporting. */
   6576 	if (nf_tables_validate(net) < 0)
   6577 		return -EAGAIN;
   6578 
   6579 	/* 1.  Allocate space for next generation rules_gen_X[] */
   6580 	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
   6581 		int ret;
   6582 
   6583 		if (trans->msg_type == NFT_MSG_NEWRULE ||
   6584 		    trans->msg_type == NFT_MSG_DELRULE) {
   6585 			chain = trans->ctx.chain;
   6586 
   6587 			ret = nf_tables_commit_chain_prepare(net, chain);
   6588 			if (ret < 0) {
   6589 				nf_tables_commit_chain_prepare_cancel(net);
   6590 				return ret;
   6591 			}
   6592 		}
   6593 	}
   6594 
   6595 	/* step 2.  Make rules_gen_X visible to packet path */
   6596 	list_for_each_entry(table, &net->nft.tables, list) {
   6597 		list_for_each_entry(chain, &table->chains, list)
   6598 			nf_tables_commit_chain(net, chain);
   6599 	}
   6600 
   6601 	/*
   6602 	 * Bump generation counter, invalidate any dump in progress.
   6603 	 * Cannot fail after this point.
   6604 	 */
   6605 	while (++net->nft.base_seq == 0);
   6606 
   6607 	/* step 3. Start new generation, rules_gen_X now in use. */
   6608 	net->nft.gencursor = nft_gencursor_next(net);
   6609 
   6610 	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
   6611 		switch (trans->msg_type) {
   6612 		case NFT_MSG_NEWTABLE:
   6613 			if (nft_trans_table_update(trans)) {
   6614 				if (!nft_trans_table_enable(trans)) {
   6615 					nf_tables_table_disable(net,
   6616 								trans->ctx.table);
   6617 					trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
   6618 				}
   6619 			} else {
   6620 				nft_clear(net, trans->ctx.table);
   6621 			}
   6622 			nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
   6623 			nft_trans_destroy(trans);
   6624 			break;
   6625 		case NFT_MSG_DELTABLE:
   6626 			list_del_rcu(&trans->ctx.table->list);
   6627 			nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
   6628 			break;
   6629 		case NFT_MSG_NEWCHAIN:
   6630 			if (nft_trans_chain_update(trans)) {
   6631 				nft_chain_commit_update(trans);
   6632 				nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
   6633 				/* trans destroyed after rcu grace period */
   6634 			} else {
   6635 				nft_clear(net, trans->ctx.chain);
   6636 				nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
   6637 				nft_trans_destroy(trans);
   6638 			}
   6639 			break;
   6640 		case NFT_MSG_DELCHAIN:
   6641 			nft_chain_del(trans->ctx.chain);
   6642 			nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
   6643 			nf_tables_unregister_hook(trans->ctx.net,
   6644 						  trans->ctx.table,
   6645 						  trans->ctx.chain);
   6646 			break;
   6647 		case NFT_MSG_NEWRULE:
   6648 			nft_clear(trans->ctx.net, nft_trans_rule(trans));
   6649 			nf_tables_rule_notify(&trans->ctx,
   6650 					      nft_trans_rule(trans),
   6651 					      NFT_MSG_NEWRULE);
   6652 			nft_trans_destroy(trans);
   6653 			break;
   6654 		case NFT_MSG_DELRULE:
   6655 			list_del_rcu(&nft_trans_rule(trans)->list);
   6656 			nf_tables_rule_notify(&trans->ctx,
   6657 					      nft_trans_rule(trans),
   6658 					      NFT_MSG_DELRULE);
   6659 			nft_rule_expr_deactivate(&trans->ctx,
   6660 						 nft_trans_rule(trans),
   6661 						 NFT_TRANS_COMMIT);
   6662 			break;
   6663 		case NFT_MSG_NEWSET:
   6664 			nft_clear(net, nft_trans_set(trans));
   6665 			/* This avoids hitting -EBUSY when deleting the table
   6666 			 * from the transaction.
   6667 			 */
   6668 			if (nft_set_is_anonymous(nft_trans_set(trans)) &&
   6669 			    !list_empty(&nft_trans_set(trans)->bindings))
   6670 				trans->ctx.table->use--;
   6671 
   6672 			nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
   6673 					     NFT_MSG_NEWSET, GFP_KERNEL);
   6674 			nft_trans_destroy(trans);
   6675 			break;
   6676 		case NFT_MSG_DELSET:
   6677 			list_del_rcu(&nft_trans_set(trans)->list);
   6678 			nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
   6679 					     NFT_MSG_DELSET, GFP_KERNEL);
   6680 			break;
   6681 		case NFT_MSG_NEWSETELEM:
   6682 			te = (struct nft_trans_elem *)trans->data;
   6683 
   6684 			te->set->ops->activate(net, te->set, &te->elem);
   6685 			nf_tables_setelem_notify(&trans->ctx, te->set,
   6686 						 &te->elem,
   6687 						 NFT_MSG_NEWSETELEM, 0);
   6688 			nft_trans_destroy(trans);
   6689 			break;
   6690 		case NFT_MSG_DELSETELEM:
   6691 			te = (struct nft_trans_elem *)trans->data;
   6692 
   6693 			nf_tables_setelem_notify(&trans->ctx, te->set,
   6694 						 &te->elem,
   6695 						 NFT_MSG_DELSETELEM, 0);
   6696 			te->set->ops->remove(net, te->set, &te->elem);
   6697 			atomic_dec(&te->set->nelems);
   6698 			te->set->ndeact--;
   6699 			break;
   6700 		case NFT_MSG_NEWOBJ:
   6701 			nft_clear(net, nft_trans_obj(trans));
   6702 			nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
   6703 					     NFT_MSG_NEWOBJ);
   6704 			nft_trans_destroy(trans);
   6705 			break;
   6706 		case NFT_MSG_DELOBJ:
   6707 			nft_obj_del(nft_trans_obj(trans));
   6708 			nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
   6709 					     NFT_MSG_DELOBJ);
   6710 			break;
   6711 		case NFT_MSG_NEWFLOWTABLE:
   6712 			nft_clear(net, nft_trans_flowtable(trans));
   6713 			nf_tables_flowtable_notify(&trans->ctx,
   6714 						   nft_trans_flowtable(trans),
   6715 						   NFT_MSG_NEWFLOWTABLE);
   6716 			nft_trans_destroy(trans);
   6717 			break;
   6718 		case NFT_MSG_DELFLOWTABLE:
   6719 			list_del_rcu(&nft_trans_flowtable(trans)->list);
   6720 			nf_tables_flowtable_notify(&trans->ctx,
   6721 						   nft_trans_flowtable(trans),
   6722 						   NFT_MSG_DELFLOWTABLE);
   6723 			nft_unregister_flowtable_net_hooks(net,
   6724 					nft_trans_flowtable(trans));
   6725 			break;
   6726 		}
   6727 	}
   6728 
   6729 	nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
   6730 	nf_tables_commit_release(net);
   6731 
   6732 	return 0;
   6733 }
   6734 
   6735 static void nf_tables_abort_release(struct nft_trans *trans)
   6736 {
   6737 	switch (trans->msg_type) {
   6738 	case NFT_MSG_NEWTABLE:
   6739 		nf_tables_table_destroy(&trans->ctx);
   6740 		break;
   6741 	case NFT_MSG_NEWCHAIN:
   6742 		nf_tables_chain_destroy(&trans->ctx);
   6743 		break;
   6744 	case NFT_MSG_NEWRULE:
   6745 		nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
   6746 		break;
   6747 	case NFT_MSG_NEWSET:
   6748 		nft_set_destroy(nft_trans_set(trans));
   6749 		break;
   6750 	case NFT_MSG_NEWSETELEM:
   6751 		nft_set_elem_destroy(nft_trans_elem_set(trans),
   6752 				     nft_trans_elem(trans).priv, true);
   6753 		break;
   6754 	case NFT_MSG_NEWOBJ:
   6755 		nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
   6756 		break;
   6757 	case NFT_MSG_NEWFLOWTABLE:
   6758 		nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
   6759 		break;
   6760 	}
   6761 	kfree(trans);
   6762 }
   6763 
   6764 static int __nf_tables_abort(struct net *net)
   6765 {
   6766 	struct nft_trans *trans, *next;
   6767 	struct nft_trans_elem *te;
   6768 
   6769 	list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
   6770 					 list) {
   6771 		switch (trans->msg_type) {
   6772 		case NFT_MSG_NEWTABLE:
   6773 			if (nft_trans_table_update(trans)) {
   6774 				if (nft_trans_table_enable(trans)) {
   6775 					nf_tables_table_disable(net,
   6776 								trans->ctx.table);
   6777 					trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
   6778 				}
   6779 				nft_trans_destroy(trans);
   6780 			} else {
   6781 				list_del_rcu(&trans->ctx.table->list);
   6782 			}
   6783 			break;
   6784 		case NFT_MSG_DELTABLE:
   6785 			nft_clear(trans->ctx.net, trans->ctx.table);
   6786 			nft_trans_destroy(trans);
   6787 			break;
   6788 		case NFT_MSG_NEWCHAIN:
   6789 			if (nft_trans_chain_update(trans)) {
   6790 				free_percpu(nft_trans_chain_stats(trans));
   6791 				kfree(nft_trans_chain_name(trans));
   6792 				nft_trans_destroy(trans);
   6793 			} else {
   6794 				trans->ctx.table->use--;
   6795 				nft_chain_del(trans->ctx.chain);
   6796 				nf_tables_unregister_hook(trans->ctx.net,
   6797 							  trans->ctx.table,
   6798 							  trans->ctx.chain);
   6799 			}
   6800 			break;
   6801 		case NFT_MSG_DELCHAIN:
   6802 			trans->ctx.table->use++;
   6803 			nft_clear(trans->ctx.net, trans->ctx.chain);
   6804 			nft_trans_destroy(trans);
   6805 			break;
   6806 		case NFT_MSG_NEWRULE:
   6807 			trans->ctx.chain->use--;
   6808 			list_del_rcu(&nft_trans_rule(trans)->list);
   6809 			nft_rule_expr_deactivate(&trans->ctx,
   6810 						 nft_trans_rule(trans),
   6811 						 NFT_TRANS_ABORT);
   6812 			break;
   6813 		case NFT_MSG_DELRULE:
   6814 			trans->ctx.chain->use++;
   6815 			nft_clear(trans->ctx.net, nft_trans_rule(trans));
   6816 			nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
   6817 			nft_trans_destroy(trans);
   6818 			break;
   6819 		case NFT_MSG_NEWSET:
   6820 			trans->ctx.table->use--;
   6821 			if (nft_trans_set(trans)->bound) {
   6822 				nft_trans_destroy(trans);
   6823 				break;
   6824 			}
   6825 			list_del_rcu(&nft_trans_set(trans)->list);
   6826 			break;
   6827 		case NFT_MSG_DELSET:
   6828 			trans->ctx.table->use++;
   6829 			nft_clear(trans->ctx.net, nft_trans_set(trans));
   6830 			nft_trans_destroy(trans);
   6831 			break;
   6832 		case NFT_MSG_NEWSETELEM:
   6833 			if (nft_trans_elem_set(trans)->bound) {
   6834 				nft_trans_destroy(trans);
   6835 				break;
   6836 			}
   6837 			te = (struct nft_trans_elem *)trans->data;
   6838 			te->set->ops->remove(net, te->set, &te->elem);
   6839 			atomic_dec(&te->set->nelems);
   6840 			break;
   6841 		case NFT_MSG_DELSETELEM:
   6842 			te = (struct nft_trans_elem *)trans->data;
   6843 
   6844 			nft_set_elem_activate(net, te->set, &te->elem);
   6845 			te->set->ops->activate(net, te->set, &te->elem);
   6846 			te->set->ndeact--;
   6847 
   6848 			nft_trans_destroy(trans);
   6849 			break;
   6850 		case NFT_MSG_NEWOBJ:
   6851 			trans->ctx.table->use--;
   6852 			nft_obj_del(nft_trans_obj(trans));
   6853 			break;
   6854 		case NFT_MSG_DELOBJ:
   6855 			trans->ctx.table->use++;
   6856 			nft_clear(trans->ctx.net, nft_trans_obj(trans));
   6857 			nft_trans_destroy(trans);
   6858 			break;
   6859 		case NFT_MSG_NEWFLOWTABLE:
   6860 			trans->ctx.table->use--;
   6861 			list_del_rcu(&nft_trans_flowtable(trans)->list);
   6862 			nft_unregister_flowtable_net_hooks(net,
   6863 					nft_trans_flowtable(trans));
   6864 			break;
   6865 		case NFT_MSG_DELFLOWTABLE:
   6866 			trans->ctx.table->use++;
   6867 			nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
   6868 			nft_trans_destroy(trans);
   6869 			break;
   6870 		}
   6871 	}
   6872 
   6873 	synchronize_rcu();
   6874 
   6875 	list_for_each_entry_safe_reverse(trans, next,
   6876 					 &net->nft.commit_list, list) {
   6877 		list_del(&trans->list);
   6878 		nf_tables_abort_release(trans);
   6879 	}
   6880 
   6881 	return 0;
   6882 }
   6883 
   6884 static void nf_tables_cleanup(struct net *net)
   6885 {
   6886 	nft_validate_state_update(net, NFT_VALIDATE_SKIP);
   6887 }
   6888 
   6889 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
   6890 {
   6891 	int ret = __nf_tables_abort(net);
   6892 
   6893 	mutex_unlock(&net->nft.commit_mutex);
   6894 
   6895 	return ret;
   6896 }
   6897 
   6898 static bool nf_tables_valid_genid(struct net *net, u32 genid)
   6899 {
   6900 	bool genid_ok;
   6901 
   6902 	mutex_lock(&net->nft.commit_mutex);
   6903 
   6904 	genid_ok = genid == 0 || net->nft.base_seq == genid;
   6905 	if (!genid_ok)
   6906 		mutex_unlock(&net->nft.commit_mutex);
   6907 
   6908 	/* else, commit mutex has to be released by commit or abort function */
   6909 	return genid_ok;
   6910 }
   6911 
   6912 static const struct nfnetlink_subsystem nf_tables_subsys = {
   6913 	.name		= "nf_tables",
   6914 	.subsys_id	= NFNL_SUBSYS_NFTABLES,
   6915 	.cb_count	= NFT_MSG_MAX,
   6916 	.cb		= nf_tables_cb,
   6917 	.commit		= nf_tables_commit,
   6918 	.abort		= nf_tables_abort,
   6919 	.cleanup	= nf_tables_cleanup,
   6920 	.valid_genid	= nf_tables_valid_genid,
   6921 	.owner		= THIS_MODULE,
   6922 };
   6923 
   6924 int nft_chain_validate_dependency(const struct nft_chain *chain,
   6925 				  enum nft_chain_types type)
   6926 {
   6927 	const struct nft_base_chain *basechain;
   6928 
   6929 	if (nft_is_base_chain(chain)) {
   6930 		basechain = nft_base_chain(chain);
   6931 		if (basechain->type->type != type)
   6932 			return -EOPNOTSUPP;
   6933 	}
   6934 	return 0;
   6935 }
   6936 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
   6937 
   6938 int nft_chain_validate_hooks(const struct nft_chain *chain,
   6939 			     unsigned int hook_flags)
   6940 {
   6941 	struct nft_base_chain *basechain;
   6942 
   6943 	if (nft_is_base_chain(chain)) {
   6944 		basechain = nft_base_chain(chain);
   6945 
   6946 		if ((1 << basechain->ops.hooknum) & hook_flags)
   6947 			return 0;
   6948 
   6949 		return -EOPNOTSUPP;
   6950 	}
   6951 
   6952 	return 0;
   6953 }
   6954 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
   6955 
   6956 /*
   6957  * Loop detection - walk through the ruleset beginning at the destination chain
   6958  * of a new jump until either the source chain is reached (loop) or all
   6959  * reachable chains have been traversed.
   6960  *
   6961  * The loop check is performed whenever a new jump verdict is added to an
   6962  * expression or verdict map or a verdict map is bound to a new chain.
   6963  */
   6964 
   6965 static int nf_tables_check_loops(const struct nft_ctx *ctx,
   6966 				 const struct nft_chain *chain);
   6967 
   6968 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
   6969 					struct nft_set *set,
   6970 					const struct nft_set_iter *iter,
   6971 					struct nft_set_elem *elem)
   6972 {
   6973 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
   6974 	const struct nft_data *data;
   6975 
   6976 	if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
   6977 	    *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
   6978 		return 0;
   6979 
   6980 	data = nft_set_ext_data(ext);
   6981 	switch (data->verdict.code) {
   6982 	case NFT_JUMP:
   6983 	case NFT_GOTO:
   6984 		return nf_tables_check_loops(ctx, data->verdict.chain);
   6985 	default:
   6986 		return 0;
   6987 	}
   6988 }
   6989 
   6990 static int nf_tables_check_loops(const struct nft_ctx *ctx,
   6991 				 const struct nft_chain *chain)
   6992 {
   6993 	const struct nft_rule *rule;
   6994 	const struct nft_expr *expr, *last;
   6995 	struct nft_set *set;
   6996 	struct nft_set_binding *binding;
   6997 	struct nft_set_iter iter;
   6998 
   6999 	if (ctx->chain == chain)
   7000 		return -ELOOP;
   7001 
   7002 	list_for_each_entry(rule, &chain->rules, list) {
   7003 		nft_rule_for_each_expr(expr, last, rule) {
   7004 			struct nft_immediate_expr *priv;
   7005 			const struct nft_data *data;
   7006 			int err;
   7007 
   7008 			if (strcmp(expr->ops->type->name, "immediate"))
   7009 				continue;
   7010 
   7011 			priv = nft_expr_priv(expr);
   7012 			if (priv->dreg != NFT_REG_VERDICT)
   7013 				continue;
   7014 
   7015 			data = &priv->data;
   7016 			switch (data->verdict.code) {
   7017 			case NFT_JUMP:
   7018 			case NFT_GOTO:
   7019 				err = nf_tables_check_loops(ctx,
   7020 							data->verdict.chain);
   7021 				if (err < 0)
   7022 					return err;
   7023 			default:
   7024 				break;
   7025 			}
   7026 		}
   7027 	}
   7028 
   7029 	list_for_each_entry(set, &ctx->table->sets, list) {
   7030 		if (!nft_is_active_next(ctx->net, set))
   7031 			continue;
   7032 		if (!(set->flags & NFT_SET_MAP) ||
   7033 		    set->dtype != NFT_DATA_VERDICT)
   7034 			continue;
   7035 
   7036 		list_for_each_entry(binding, &set->bindings, list) {
   7037 			if (!(binding->flags & NFT_SET_MAP) ||
   7038 			    binding->chain != chain)
   7039 				continue;
   7040 
   7041 			iter.genmask	= nft_genmask_next(ctx->net);
   7042 			iter.skip 	= 0;
   7043 			iter.count	= 0;
   7044 			iter.err	= 0;
   7045 			iter.fn		= nf_tables_loop_check_setelem;
   7046 
   7047 			set->ops->walk(ctx, set, &iter);
   7048 			if (iter.err < 0)
   7049 				return iter.err;
   7050 		}
   7051 	}
   7052 
   7053 	return 0;
   7054 }
   7055 
   7056 /**
   7057  *	nft_parse_u32_check - fetch u32 attribute and check for maximum value
   7058  *
   7059  *	@attr: netlink attribute to fetch value from
   7060  *	@max: maximum value to be stored in dest
   7061  *	@dest: pointer to the variable
   7062  *
   7063  *	Parse, check and store a given u32 netlink attribute into variable.
   7064  *	This function returns -ERANGE if the value goes over maximum value.
   7065  *	Otherwise a 0 is returned and the attribute value is stored in the
   7066  *	destination variable.
   7067  */
   7068 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
   7069 {
   7070 	u32 val;
   7071 
   7072 	val = ntohl(nla_get_be32(attr));
   7073 	if (val > max)
   7074 		return -ERANGE;
   7075 
   7076 	*dest = val;
   7077 	return 0;
   7078 }
   7079 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
   7080 
   7081 /**
   7082  *	nft_parse_register - parse a register value from a netlink attribute
   7083  *
   7084  *	@attr: netlink attribute
   7085  *
   7086  *	Parse and translate a register value from a netlink attribute.
   7087  *	Registers used to be 128 bit wide, these register numbers will be
   7088  *	mapped to the corresponding 32 bit register numbers.
   7089  */
   7090 unsigned int nft_parse_register(const struct nlattr *attr)
   7091 {
   7092 	unsigned int reg;
   7093 
   7094 	reg = ntohl(nla_get_be32(attr));
   7095 	switch (reg) {
   7096 	case NFT_REG_VERDICT...NFT_REG_4:
   7097 		return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
   7098 	default:
   7099 		return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
   7100 	}
   7101 }
   7102 EXPORT_SYMBOL_GPL(nft_parse_register);
   7103 
   7104 /**
   7105  *	nft_dump_register - dump a register value to a netlink attribute
   7106  *
   7107  *	@skb: socket buffer
   7108  *	@attr: attribute number
   7109  *	@reg: register number
   7110  *
   7111  *	Construct a netlink attribute containing the register number. For
   7112  *	compatibility reasons, register numbers being a multiple of 4 are
   7113  *	translated to the corresponding 128 bit register numbers.
   7114  */
   7115 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
   7116 {
   7117 	if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
   7118 		reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
   7119 	else
   7120 		reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
   7121 
   7122 	return nla_put_be32(skb, attr, htonl(reg));
   7123 }
   7124 EXPORT_SYMBOL_GPL(nft_dump_register);
   7125 
   7126 /**
   7127  *	nft_validate_register_load - validate a load from a register
   7128  *
   7129  *	@reg: the register number
   7130  *	@len: the length of the data
   7131  *
   7132  * 	Validate that the input register is one of the general purpose
   7133  * 	registers and that the length of the load is within the bounds.
   7134  */
   7135 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
   7136 {
   7137 	if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
   7138 		return -EINVAL;
   7139 	if (len == 0)
   7140 		return -EINVAL;
   7141 	if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
   7142 		return -ERANGE;
   7143 
   7144 	return 0;
   7145 }
   7146 EXPORT_SYMBOL_GPL(nft_validate_register_load);
   7147 
   7148 /**
   7149  *	nft_validate_register_store - validate an expressions' register store
   7150  *
   7151  *	@ctx: context of the expression performing the load
   7152  * 	@reg: the destination register number
   7153  * 	@data: the data to load
   7154  * 	@type: the data type
   7155  * 	@len: the length of the data
   7156  *
   7157  * 	Validate that a data load uses the appropriate data type for
   7158  * 	the destination register and the length is within the bounds.
   7159  * 	A value of NULL for the data means that its runtime gathered
   7160  * 	data.
   7161  */
   7162 int nft_validate_register_store(const struct nft_ctx *ctx,
   7163 				enum nft_registers reg,
   7164 				const struct nft_data *data,
   7165 				enum nft_data_types type, unsigned int len)
   7166 {
   7167 	int err;
   7168 
   7169 	switch (reg) {
   7170 	case NFT_REG_VERDICT:
   7171 		if (type != NFT_DATA_VERDICT)
   7172 			return -EINVAL;
   7173 
   7174 		if (data != NULL &&
   7175 		    (data->verdict.code == NFT_GOTO ||
   7176 		     data->verdict.code == NFT_JUMP)) {
   7177 			err = nf_tables_check_loops(ctx, data->verdict.chain);
   7178 			if (err < 0)
   7179 				return err;
   7180 		}
   7181 
   7182 		return 0;
   7183 	default:
   7184 		if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
   7185 			return -EINVAL;
   7186 		if (len == 0)
   7187 			return -EINVAL;
   7188 		if (reg * NFT_REG32_SIZE + len >
   7189 		    FIELD_SIZEOF(struct nft_regs, data))
   7190 			return -ERANGE;
   7191 
   7192 		if (data != NULL && type != NFT_DATA_VALUE)
   7193 			return -EINVAL;
   7194 		return 0;
   7195 	}
   7196 }
   7197 EXPORT_SYMBOL_GPL(nft_validate_register_store);
   7198 
   7199 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
   7200 	[NFTA_VERDICT_CODE]	= { .type = NLA_U32 },
   7201 	[NFTA_VERDICT_CHAIN]	= { .type = NLA_STRING,
   7202 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
   7203 };
   7204 
   7205 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
   7206 			    struct nft_data_desc *desc, const struct nlattr *nla)
   7207 {
   7208 	u8 genmask = nft_genmask_next(ctx->net);
   7209 	struct nlattr *tb[NFTA_VERDICT_MAX + 1];
   7210 	struct nft_chain *chain;
   7211 	int err;
   7212 
   7213 	err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
   7214 			       NULL);
   7215 	if (err < 0)
   7216 		return err;
   7217 
   7218 	if (!tb[NFTA_VERDICT_CODE])
   7219 		return -EINVAL;
   7220 	data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
   7221 
   7222 	switch (data->verdict.code) {
   7223 	default:
   7224 		switch (data->verdict.code & NF_VERDICT_MASK) {
   7225 		case NF_ACCEPT:
   7226 		case NF_DROP:
   7227 		case NF_QUEUE:
   7228 			break;
   7229 		default:
   7230 			return -EINVAL;
   7231 		}
   7232 		/* fall through */
   7233 	case NFT_CONTINUE:
   7234 	case NFT_BREAK:
   7235 	case NFT_RETURN:
   7236 		break;
   7237 	case NFT_JUMP:
   7238 	case NFT_GOTO:
   7239 		if (!tb[NFTA_VERDICT_CHAIN])
   7240 			return -EINVAL;
   7241 		chain = nft_chain_lookup(ctx->net, ctx->table,
   7242 					 tb[NFTA_VERDICT_CHAIN], genmask);
   7243 		if (IS_ERR(chain))
   7244 			return PTR_ERR(chain);
   7245 		if (nft_is_base_chain(chain))
   7246 			return -EOPNOTSUPP;
   7247 
   7248 		chain->use++;
   7249 		data->verdict.chain = chain;
   7250 		break;
   7251 	}
   7252 
   7253 	desc->len = sizeof(data->verdict);
   7254 	desc->type = NFT_DATA_VERDICT;
   7255 	return 0;
   7256 }
   7257 
   7258 static void nft_verdict_uninit(const struct nft_data *data)
   7259 {
   7260 	switch (data->verdict.code) {
   7261 	case NFT_JUMP:
   7262 	case NFT_GOTO:
   7263 		data->verdict.chain->use--;
   7264 		break;
   7265 	}
   7266 }
   7267 
   7268 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
   7269 {
   7270 	struct nlattr *nest;
   7271 
   7272 	nest = nla_nest_start(skb, type);
   7273 	if (!nest)
   7274 		goto nla_put_failure;
   7275 
   7276 	if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
   7277 		goto nla_put_failure;
   7278 
   7279 	switch (v->code) {
   7280 	case NFT_JUMP:
   7281 	case NFT_GOTO:
   7282 		if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
   7283 				   v->chain->name))
   7284 			goto nla_put_failure;
   7285 	}
   7286 	nla_nest_end(skb, nest);
   7287 	return 0;
   7288 
   7289 nla_put_failure:
   7290 	return -1;
   7291 }
   7292 
   7293 static int nft_value_init(const struct nft_ctx *ctx,
   7294 			  struct nft_data *data, unsigned int size,
   7295 			  struct nft_data_desc *desc, const struct nlattr *nla)
   7296 {
   7297 	unsigned int len;
   7298 
   7299 	len = nla_len(nla);
   7300 	if (len == 0)
   7301 		return -EINVAL;
   7302 	if (len > size)
   7303 		return -EOVERFLOW;
   7304 
   7305 	nla_memcpy(data->data, nla, len);
   7306 	desc->type = NFT_DATA_VALUE;
   7307 	desc->len  = len;
   7308 	return 0;
   7309 }
   7310 
   7311 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
   7312 			  unsigned int len)
   7313 {
   7314 	return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
   7315 }
   7316 
   7317 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
   7318 	[NFTA_DATA_VALUE]	= { .type = NLA_BINARY },
   7319 	[NFTA_DATA_VERDICT]	= { .type = NLA_NESTED },
   7320 };
   7321 
   7322 /**
   7323  *	nft_data_init - parse nf_tables data netlink attributes
   7324  *
   7325  *	@ctx: context of the expression using the data
   7326  *	@data: destination struct nft_data
   7327  *	@size: maximum data length
   7328  *	@desc: data description
   7329  *	@nla: netlink attribute containing data
   7330  *
   7331  *	Parse the netlink data attributes and initialize a struct nft_data.
   7332  *	The type and length of data are returned in the data description.
   7333  *
   7334  *	The caller can indicate that it only wants to accept data of type
   7335  *	NFT_DATA_VALUE by passing NULL for the ctx argument.
   7336  */
   7337 int nft_data_init(const struct nft_ctx *ctx,
   7338 		  struct nft_data *data, unsigned int size,
   7339 		  struct nft_data_desc *desc, const struct nlattr *nla)
   7340 {
   7341 	struct nlattr *tb[NFTA_DATA_MAX + 1];
   7342 	int err;
   7343 
   7344 	err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
   7345 	if (err < 0)
   7346 		return err;
   7347 
   7348 	if (tb[NFTA_DATA_VALUE])
   7349 		return nft_value_init(ctx, data, size, desc,
   7350 				      tb[NFTA_DATA_VALUE]);
   7351 	if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
   7352 		return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
   7353 	return -EINVAL;
   7354 }
   7355 EXPORT_SYMBOL_GPL(nft_data_init);
   7356 
   7357 /**
   7358  *	nft_data_release - release a nft_data item
   7359  *
   7360  *	@data: struct nft_data to release
   7361  *	@type: type of data
   7362  *
   7363  *	Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
   7364  *	all others need to be released by calling this function.
   7365  */
   7366 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
   7367 {
   7368 	if (type < NFT_DATA_VERDICT)
   7369 		return;
   7370 	switch (type) {
   7371 	case NFT_DATA_VERDICT:
   7372 		return nft_verdict_uninit(data);
   7373 	default:
   7374 		WARN_ON(1);
   7375 	}
   7376 }
   7377 EXPORT_SYMBOL_GPL(nft_data_release);
   7378 
   7379 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
   7380 		  enum nft_data_types type, unsigned int len)
   7381 {
   7382 	struct nlattr *nest;
   7383 	int err;
   7384 
   7385 	nest = nla_nest_start(skb, attr);
   7386 	if (nest == NULL)
   7387 		return -1;
   7388 
   7389 	switch (type) {
   7390 	case NFT_DATA_VALUE:
   7391 		err = nft_value_dump(skb, data, len);
   7392 		break;
   7393 	case NFT_DATA_VERDICT:
   7394 		err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
   7395 		break;
   7396 	default:
   7397 		err = -EINVAL;
   7398 		WARN_ON(1);
   7399 	}
   7400 
   7401 	nla_nest_end(skb, nest);
   7402 	return err;
   7403 }
   7404 EXPORT_SYMBOL_GPL(nft_data_dump);
   7405 
   7406 int __nft_release_basechain(struct nft_ctx *ctx)
   7407 {
   7408 	struct nft_rule *rule, *nr;
   7409 
   7410 	if (WARN_ON(!nft_is_base_chain(ctx->chain)))
   7411 		return 0;
   7412 
   7413 	nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
   7414 	list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
   7415 		list_del(&rule->list);
   7416 		ctx->chain->use--;
   7417 		nf_tables_rule_release(ctx, rule);
   7418 	}
   7419 	nft_chain_del(ctx->chain);
   7420 	ctx->table->use--;
   7421 	nf_tables_chain_destroy(ctx);
   7422 
   7423 	return 0;
   7424 }
   7425 EXPORT_SYMBOL_GPL(__nft_release_basechain);
   7426 
   7427 static void __nft_release_tables(struct net *net)
   7428 {
   7429 	struct nft_flowtable *flowtable, *nf;
   7430 	struct nft_table *table, *nt;
   7431 	struct nft_chain *chain, *nc;
   7432 	struct nft_object *obj, *ne;
   7433 	struct nft_rule *rule, *nr;
   7434 	struct nft_set *set, *ns;
   7435 	struct nft_ctx ctx = {
   7436 		.net	= net,
   7437 		.family	= NFPROTO_NETDEV,
   7438 	};
   7439 
   7440 	list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
   7441 		ctx.family = table->family;
   7442 
   7443 		list_for_each_entry(chain, &table->chains, list)
   7444 			nf_tables_unregister_hook(net, table, chain);
   7445 		/* No packets are walking on these chains anymore. */
   7446 		ctx.table = table;
   7447 		list_for_each_entry(chain, &table->chains, list) {
   7448 			ctx.chain = chain;
   7449 			list_for_each_entry_safe(rule, nr, &chain->rules, list) {
   7450 				list_del(&rule->list);
   7451 				chain->use--;
   7452 				nf_tables_rule_release(&ctx, rule);
   7453 			}
   7454 		}
   7455 		list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
   7456 			list_del(&flowtable->list);
   7457 			table->use--;
   7458 			nf_tables_flowtable_destroy(flowtable);
   7459 		}
   7460 		list_for_each_entry_safe(set, ns, &table->sets, list) {
   7461 			list_del(&set->list);
   7462 			table->use--;
   7463 			nft_set_destroy(set);
   7464 		}
   7465 		list_for_each_entry_safe(obj, ne, &table->objects, list) {
   7466 			nft_obj_del(obj);
   7467 			table->use--;
   7468 			nft_obj_destroy(&ctx, obj);
   7469 		}
   7470 		list_for_each_entry_safe(chain, nc, &table->chains, list) {
   7471 			ctx.chain = chain;
   7472 			nft_chain_del(chain);
   7473 			table->use--;
   7474 			nf_tables_chain_destroy(&ctx);
   7475 		}
   7476 		list_del(&table->list);
   7477 		nf_tables_table_destroy(&ctx);
   7478 	}
   7479 }
   7480 
   7481 static int __net_init nf_tables_init_net(struct net *net)
   7482 {
   7483 	INIT_LIST_HEAD(&net->nft.tables);
   7484 	INIT_LIST_HEAD(&net->nft.commit_list);
   7485 	mutex_init(&net->nft.commit_mutex);
   7486 	net->nft.base_seq = 1;
   7487 	net->nft.validate_state = NFT_VALIDATE_SKIP;
   7488 
   7489 	return 0;
   7490 }
   7491 
   7492 static void __net_exit nf_tables_exit_net(struct net *net)
   7493 {
   7494 	mutex_lock(&net->nft.commit_mutex);
   7495 	if (!list_empty(&net->nft.commit_list))
   7496 		__nf_tables_abort(net);
   7497 	__nft_release_tables(net);
   7498 	mutex_unlock(&net->nft.commit_mutex);
   7499 	WARN_ON_ONCE(!list_empty(&net->nft.tables));
   7500 }
   7501 
   7502 static struct pernet_operations nf_tables_net_ops = {
   7503 	.init	= nf_tables_init_net,
   7504 	.exit	= nf_tables_exit_net,
   7505 };
   7506 
   7507 static int __init nf_tables_module_init(void)
   7508 {
   7509 	int err;
   7510 
   7511 	spin_lock_init(&nf_tables_destroy_list_lock);
   7512 	err = register_pernet_subsys(&nf_tables_net_ops);
   7513 	if (err < 0)
   7514 		return err;
   7515 
   7516 	err = nft_chain_filter_init();
   7517 	if (err < 0)
   7518 		goto err1;
   7519 
   7520 	err = nf_tables_core_module_init();
   7521 	if (err < 0)
   7522 		goto err2;
   7523 
   7524 	err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
   7525 	if (err < 0)
   7526 		goto err3;
   7527 
   7528 	err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
   7529 	if (err < 0)
   7530 		goto err4;
   7531 
   7532 	/* must be last */
   7533 	err = nfnetlink_subsys_register(&nf_tables_subsys);
   7534 	if (err < 0)
   7535 		goto err5;
   7536 
   7537 	return err;
   7538 err5:
   7539 	rhltable_destroy(&nft_objname_ht);
   7540 err4:
   7541 	unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
   7542 err3:
   7543 	nf_tables_core_module_exit();
   7544 err2:
   7545 	nft_chain_filter_fini();
   7546 err1:
   7547 	unregister_pernet_subsys(&nf_tables_net_ops);
   7548 	return err;
   7549 }
   7550 
   7551 static void __exit nf_tables_module_exit(void)
   7552 {
   7553 	nfnetlink_subsys_unregister(&nf_tables_subsys);
   7554 	unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
   7555 	nft_chain_filter_fini();
   7556 	unregister_pernet_subsys(&nf_tables_net_ops);
   7557 	cancel_work_sync(&trans_destroy_work);
   7558 	rcu_barrier();
   7559 	rhltable_destroy(&nft_objname_ht);
   7560 	nf_tables_core_module_exit();
   7561 }
   7562 
   7563 module_init(nf_tables_module_init);
   7564 module_exit(nf_tables_module_exit);
   7565 
   7566 MODULE_LICENSE("GPL");
   7567 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
   7568 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);