// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
 *
 * Development of this code funded by Astaro AG (http://www.astaro.com/)
 */

#include <linux/module.h>
#include <linux/init.h>
#include <linux/list.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
#include <linux/vmalloc.h>
#include <linux/rhashtable.h>
#include <linux/audit.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_flow_table.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_offload.h>
#include <net/net_namespace.h>
#include <net/sock.h>

/* Longest expression name that still fits a "nft-expr-<family>-<name>" module
 * request into MODULE_NAME_LEN.
 */
#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
#define NFT_SET_MAX_ANONLEN 16

/* limit compaction to avoid huge kmalloc/krealloc sizes. */
#define NFT_MAX_SET_NELEMS ((2048 - sizeof(struct nft_trans_elem)) / sizeof(struct nft_trans_one_elem))

unsigned int nf_tables_net_id __read_mostly;

static LIST_HEAD(nf_tables_expressions);
static LIST_HEAD(nf_tables_objects);
static LIST_HEAD(nf_tables_flowtables);
static LIST_HEAD(nf_tables_gc_list);
static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
static DEFINE_SPINLOCK(nf_tables_gc_list_lock);

/* Per-table validation state, see nft_validate_state_update(). */
enum {
	NFT_VALIDATE_SKIP	= 0,
	NFT_VALIDATE_NEED,
	NFT_VALIDATE_DO,
};

static struct rhltable nft_objname_ht;

static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);

static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);

/* Chains are hashed by name (struct nft_chain::name). */
static const struct rhashtable_params nft_chain_ht_params = {
	.head_offset		= offsetof(struct nft_chain, rhlhead),
	.key_offset		= offsetof(struct nft_chain, name),
	.hashfn			= nft_chain_hash,
	.obj_hashfn		= nft_chain_hash_obj,
	.obj_cmpfn		= nft_chain_hash_cmp,
	.automatic_shrinking	= true,
};

/* Stateful objects are hashed by struct nft_object::key. */
static const struct rhashtable_params nft_objname_ht_params = {
	.head_offset		= offsetof(struct nft_object, rhlhead),
	.key_offset		= offsetof(struct nft_object, key),
	.hashfn			= nft_objname_hash,
	.obj_hashfn		= nft_objname_hash_obj,
	.obj_cmpfn		= nft_objname_hash_cmp,
	.automatic_shrinking	= true,
};

/* One pending audit record: how many entries of a given operation touched
 * a table during a transaction.
 */
struct nft_audit_data {
	struct nft_table *table;
	int entries;
	int op;
	struct list_head list;
};

/* Maps a netlink message type to the audit operation it is reported as;
 * GET-style requests map to AUDIT_NFT_OP_INVALID and are not audited.
 */
static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
	[NFT_MSG_NEWTABLE]	= AUDIT_NFT_OP_TABLE_REGISTER,
	[NFT_MSG_GETTABLE]	= AUDIT_NFT_OP_INVALID,
	[NFT_MSG_DELTABLE]	= AUDIT_NFT_OP_TABLE_UNREGISTER,
	[NFT_MSG_NEWCHAIN]	= AUDIT_NFT_OP_CHAIN_REGISTER,
	[NFT_MSG_GETCHAIN]	= AUDIT_NFT_OP_INVALID,
	[NFT_MSG_DELCHAIN]	= AUDIT_NFT_OP_CHAIN_UNREGISTER,
	[NFT_MSG_NEWRULE]	= AUDIT_NFT_OP_RULE_REGISTER,
	[NFT_MSG_GETRULE]	= AUDIT_NFT_OP_INVALID,
	[NFT_MSG_DELRULE]	= AUDIT_NFT_OP_RULE_UNREGISTER,
	[NFT_MSG_NEWSET]	= AUDIT_NFT_OP_SET_REGISTER,
	[NFT_MSG_GETSET]	= AUDIT_NFT_OP_INVALID,
	[NFT_MSG_DELSET]	= AUDIT_NFT_OP_SET_UNREGISTER,
	[NFT_MSG_NEWSETELEM]	= AUDIT_NFT_OP_SETELEM_REGISTER,
	[NFT_MSG_GETSETELEM]	= AUDIT_NFT_OP_INVALID,
	[NFT_MSG_DELSETELEM]	= AUDIT_NFT_OP_SETELEM_UNREGISTER,
	[NFT_MSG_NEWGEN]	= AUDIT_NFT_OP_GEN_REGISTER,
	[NFT_MSG_GETGEN]	= AUDIT_NFT_OP_INVALID,
	[NFT_MSG_TRACE]		= AUDIT_NFT_OP_INVALID,
	[NFT_MSG_NEWOBJ]	= AUDIT_NFT_OP_OBJ_REGISTER,
	[NFT_MSG_GETOBJ]	= AUDIT_NFT_OP_INVALID,
	[NFT_MSG_DELOBJ]	= AUDIT_NFT_OP_OBJ_UNREGISTER,
	[NFT_MSG_GETOBJ_RESET]	= AUDIT_NFT_OP_OBJ_RESET,
	[NFT_MSG_NEWFLOWTABLE]	= AUDIT_NFT_OP_FLOWTABLE_REGISTER,
	[NFT_MSG_GETFLOWTABLE]	= AUDIT_NFT_OP_INVALID,
	[NFT_MSG_DELFLOWTABLE]	= AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
	[NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
};

/* Advance a table's validation state, never regressing from DO back to
 * NEED. Moving SKIP straight to DO is unexpected and only warned about.
 */
static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
{
	switch (table->validate_state) {
	case NFT_VALIDATE_SKIP:
		WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
		break;
	case NFT_VALIDATE_NEED:
		break;
	case NFT_VALIDATE_DO:
		if (new_validate_state == NFT_VALIDATE_NEED)
			return;
	}

	table->validate_state = new_validate_state;
}

/* Return true if @chain was already validated at least as deep as the
 * current walk (ctx->level) for the hook of the base chain in @ctx.
 * ctx->chain must be a base chain; otherwise warn and report invalid.
 */
static bool nft_chain_vstate_valid(const struct nft_ctx *ctx,
				   const struct nft_chain *chain)
{
	const struct nft_base_chain *base_chain;
	enum nft_chain_types type;
	u8 hooknum;

	if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain)))
		return false;

	base_chain = nft_base_chain(ctx->chain);
	hooknum = base_chain->ops.hooknum;
	type = base_chain->type->type;

	/* chain is already validated for this call depth */
	if (chain->vstate.depth >= ctx->level &&
	    chain->vstate.hook_mask[type] & BIT(hooknum))
		return true;

	return false;
}

static void nf_tables_trans_destroy_work(struct work_struct *w);

static void nft_trans_gc_work(struct work_struct *work);
static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);

/* Fill a request context from the netlink message being processed.
 * portid/report/flags/seq are taken from the skb and nlmsghdr so that
 * later notifications and transactions can refer back to the requester.
 */
static void nft_ctx_init(struct nft_ctx *ctx,
			 struct net *net,
			 const struct sk_buff *skb,
			 const struct nlmsghdr *nlh,
			 u8 family,
			 struct nft_table *table,
			 struct nft_chain *chain,
			 const struct nlattr * const *nla)
{
	ctx->net	= net;
	ctx->family	= family;
	ctx->level	= 0;
	ctx->table	= table;
	ctx->chain	= chain;
	ctx->nla   	= nla;
	ctx->portid	= NETLINK_CB(skb).portid;
	ctx->report	= nlmsg_report(nlh);
	ctx->flags	= nlh->nlmsg_flags;
	ctx->seq	= nlh->nlmsg_seq;

	bitmap_zero(ctx->reg_inited, NFT_REG32_NUM);
}

/* Allocate a zeroed transaction of @size bytes (the caller passes the size
 * of the concrete nft_trans_* container) and copy the request identity from
 * @ctx. Returns NULL on allocation failure.
 */
static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
					 int msg_type, u32 size)
{
	struct nft_trans *trans;

	trans = kzalloc(size, GFP_KERNEL);
	if (trans == NULL)
		return NULL;

	INIT_LIST_HEAD(&trans->list);
	trans->msg_type = msg_type;

	trans->net = ctx->net;
	trans->table = ctx->table;
	trans->seq = ctx->seq;
	trans->flags = ctx->flags;
	trans->report = ctx->report;

	return trans;
}

/* Only NEWCHAIN and NEWSET transactions are embedded in a
 * struct nft_trans_binding; every other type yields NULL.
 */
static struct nft_trans_binding *nft_trans_get_binding(struct nft_trans *trans)
{
	switch (trans->msg_type) {
	case NFT_MSG_NEWCHAIN:
	case NFT_MSG_NEWSET:
		return container_of(trans, struct nft_trans_binding, nft_trans);
	}

	return NULL;
}

/* Unlink a transaction from the commit list and, for binding-capable
 * transactions, from the binding list as well.
 */
static void nft_trans_list_del(struct nft_trans *trans)
{
	struct nft_trans_binding *trans_binding;

	list_del(&trans->list);

	trans_binding = nft_trans_get_binding(trans);
	if (trans_binding)
		list_del(&trans_binding->binding_list);
}

static void nft_trans_destroy(struct nft_trans *trans)
{
	nft_trans_list_del(trans);
	kfree(trans);
}

/* Mark every pending NEWSET / NEWSETELEM transaction that refers to the
 * anonymous set @set as bound (or unbound). Named sets are left alone.
 * The commit list is walked from the tail since the matching transactions
 * are expected to be the most recent ones.
 */
static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
				 bool bind)
{
	struct nftables_pernet *nft_net;
	struct net *net = ctx->net;
	struct nft_trans *trans;

	if (!nft_set_is_anonymous(set))
		return;

	nft_net = nft_pernet(net);
	list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
		switch (trans->msg_type) {
		case NFT_MSG_NEWSET:
			if (nft_trans_set(trans) == set)
				nft_trans_set_bound(trans) = bind;
			break;
		case NFT_MSG_NEWSETELEM:
			if (nft_trans_elem_set(trans) == set)
				nft_trans_elem_set_bound(trans) = bind;
			break;
		}
	}
}

static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
{
	return __nft_set_trans_bind(ctx, set, true);
}

static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
{
	return __nft_set_trans_bind(ctx, set, false);
}

/* Chain counterpart of __nft_set_trans_bind(): flag pending NEWCHAIN /
 * NEWRULE transactions that reference the binding chain @chain.
 */
static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
				   struct nft_chain *chain, bool bind)
{
	struct nftables_pernet *nft_net;
	struct net *net = ctx->net;
	struct nft_trans *trans;

	if (!nft_chain_binding(chain))
		return;

	nft_net = nft_pernet(net);
	list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
		switch (trans->msg_type) {
		case NFT_MSG_NEWCHAIN:
			if (nft_trans_chain(trans) == chain)
				nft_trans_chain_bound(trans) = bind;
			break;
		case NFT_MSG_NEWRULE:
			if (nft_trans_rule_chain(trans) == chain)
				nft_trans_rule_bound(trans) = bind;
			break;
		}
	}
}

static void nft_chain_trans_bind(const struct nft_ctx *ctx,
				 struct nft_chain *chain)
{
	__nft_chain_trans_bind(ctx, chain, true);
}

/* Bind @chain to the chain in @ctx (the one holding the jump/goto).
 *
 * Return: 0 on success or if @chain is not a binding chain (nothing to do),
 *   -EOPNOTSUPP if the referencing chain is itself a binding chain,
 *   -EBUSY if @chain is already bound elsewhere,
 *   -EMFILE if the use counter cannot be incremented.
 */
int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
{
	if (!nft_chain_binding(chain))
		return 0;

	if (nft_chain_binding(ctx->chain))
		return -EOPNOTSUPP;

	/* a binding chain has exactly one owner */
	if (chain->bound)
		return -EBUSY;

	if (!nft_use_inc(&chain->use))
		return -EMFILE;

	chain->bound = true;
	nft_chain_trans_bind(ctx, chain);

	return 0;
}

void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
{
	__nft_chain_trans_bind(ctx, chain, false);
}

/* Register every nf_hook_ops attached to the hooks in @hook_list.
 * On failure, unregister exactly the @j ops registered so far (walking the
 * lists in the same order) and return the error.
 */
static int nft_netdev_register_hooks(struct net *net,
				     struct list_head *hook_list)
{
	struct nf_hook_ops *ops;
	struct nft_hook *hook;
	int err, j;

	j = 0;
	list_for_each_entry(hook, hook_list, list) {
		list_for_each_entry(ops, &hook->ops_list, list) {
			err = nf_register_net_hook(net, ops);
			if (err < 0)
				goto err_register;

			j++;
		}
	}
	return 0;

err_register:
	list_for_each_entry(hook, hook_list, list) {
		list_for_each_entry(ops, &hook->ops_list, list) {
			/* once j is exhausted every remaining inner walk
			 * breaks immediately
			 */
			if (j-- <= 0)
				break;

			nf_unregister_net_hook(net, ops);
		}
	}
	return err;
}

static void nft_netdev_hook_free_ops(struct nft_hook *hook)
{
	struct nf_hook_ops *ops, *next;

	list_for_each_entry_safe(ops, next, &hook->ops_list, list) {
		list_del(&ops->list);
		kfree(ops);
	}
}

static void nft_netdev_hook_free(struct nft_hook *hook)
{
	nft_netdev_hook_free_ops(hook);
	kfree(hook);
}

static void __nft_netdev_hook_free_rcu(struct rcu_head *rcu)
{
	struct nft_hook *hook = container_of(rcu, struct nft_hook, rcu);

	nft_netdev_hook_free(hook);
}

/* Defer freeing until after a grace period; RCU readers may still hold
 * the hook obtained from the list.
 */
static void nft_netdev_hook_free_rcu(struct nft_hook *hook)
{
	call_rcu(&hook->rcu, __nft_netdev_hook_free_rcu);
}

static void nft_netdev_hook_unlink_free_rcu(struct nft_hook *hook)
{
	list_del_rcu(&hook->list);
	nft_netdev_hook_free_rcu(hook);
}

static void nft_trans_hook_destroy(struct nft_trans_hook *trans_hook)
{
	list_del(&trans_hook->list);
	kfree(trans_hook);
}

/* Tear down the hooks referenced by a list of nft_trans_hook entries.
 * Hooks are only unregistered from netfilter if the table is not dormant
 * (dormant tables never had them registered); the hook objects and the
 * transaction entries are freed either way.
 */
static void nft_netdev_unregister_trans_hook(struct net *net,
					     const struct nft_table *table,
					     struct list_head *hook_list)
{
	struct nft_trans_hook *trans_hook, *next;
	struct nf_hook_ops *ops;
	struct nft_hook *hook;

	list_for_each_entry_safe(trans_hook, next, hook_list, list) {
		hook = trans_hook->hook;

		if (!(table->flags & NFT_TABLE_F_DORMANT)) {
			list_for_each_entry(ops, &hook->ops_list, list)
				nf_unregister_net_hook(net, ops);
		}
		nft_netdev_hook_unlink_free_rcu(hook);
		nft_trans_hook_destroy(trans_hook);
	}
}

/* Unregister the netdev hooks of a base chain; when @release_netdev is
 * set the nft_hook objects are also unlinked and freed (RCU-deferred).
 */
static void nft_netdev_unregister_hooks(struct net *net,
					const struct nft_table *table,
					struct list_head *hook_list,
					bool release_netdev)
{
	struct nft_hook *hook, *next;
	struct nf_hook_ops *ops;

	list_for_each_entry_safe(hook, next, hook_list, list) {
		if (!(table->flags & NFT_TABLE_F_DORMANT)) {
			list_for_each_entry(ops, &hook->ops_list, list)
				nf_unregister_net_hook(net, ops);
		}
		if (release_netdev)
			nft_netdev_hook_unlink_free_rcu(hook);
	}
}

/* Register the netfilter hook(s) of a base chain. Dormant tables and
 * non-base chains are a no-op. A chain type may supply its own
 * ops_register; netdev-family hooks have one ops per device.
 */
static int nf_tables_register_hook(struct net *net,
				   const struct nft_table *table,
				   struct nft_chain *chain)
{
	struct nft_base_chain *basechain;
	const struct nf_hook_ops *ops;

	if (table->flags & NFT_TABLE_F_DORMANT ||
	    !nft_is_base_chain(chain))
		return 0;

	basechain = nft_base_chain(chain);
	ops = &basechain->ops;

	if (basechain->type->ops_register)
		return basechain->type->ops_register(net, ops);

	if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
		return nft_netdev_register_hooks(net, &basechain->hook_list);

	return nf_register_net_hook(net, &basechain->ops);
}

/* Inverse of nf_tables_register_hook(). Note the ordering: the netdev
 * path runs before the dormant check because it also has to release the
 * per-device hook objects of dormant tables.
 */
static void __nf_tables_unregister_hook(struct net *net,
					const struct nft_table *table,
					struct nft_chain *chain,
					bool release_netdev)
{
	struct nft_base_chain *basechain;
	const struct nf_hook_ops *ops;

	if (!nft_is_base_chain(chain))
		return;
	basechain = nft_base_chain(chain);
	ops = &basechain->ops;

	/* must also be called for dormant tables */
	if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
		nft_netdev_unregister_hooks(net, table, &basechain->hook_list,
					    release_netdev);
		return;
	}

	if (table->flags & NFT_TABLE_F_DORMANT)
		return;

	if (basechain->type->ops_unregister)
		return basechain->type->ops_unregister(net, ops);

	nf_unregister_net_hook(net, &basechain->ops);
}

static void nf_tables_unregister_hook(struct net *net,
				      const struct nft_table *table,
				      struct nft_chain *chain)
{
	return __nf_tables_unregister_hook(net, table, chain, false);
}

static bool nft_trans_collapse_set_elem_allowed(const struct nft_trans_elem *a, const struct nft_trans_elem *b)
{
	/* NB: the ->bound equality check is defensive, at this time we only merge
	 * a new nft_trans_elem transaction request with the transaction tail
	 * element, but a->bound != b->bound would imply a NEWRULE transaction
	 * is queued in-between.
	 *
	 * The set check is mandatory, the NFT_MAX_SET_NELEMS check prevents
	 * huge krealloc() requests.
	 */
	return a->set == b->set && a->bound == b->bound && a->nelems < NFT_MAX_SET_NELEMS;
}

/* Try to fold the single-element transaction @trans into @tail, the last
 * transaction on the commit list, by growing @tail's elems[] array.
 *
 * Return: true if @trans's element was appended to @tail (the caller then
 *   owns freeing @trans); false if the two cannot be merged, in which case
 *   @tail is left on the commit list unchanged.
 */
static bool nft_trans_collapse_set_elem(struct nftables_pernet *nft_net,
					struct nft_trans_elem *tail,
					struct nft_trans_elem *trans)
{
	unsigned int nelems, old_nelems = tail->nelems;
	struct nft_trans_elem *new_trans;

	if (!nft_trans_collapse_set_elem_allowed(tail, trans))
		return false;

	/* "cannot happen", at this time userspace element add
	 * requests always allocate a new transaction element.
	 *
	 * This serves as a reminder to adjust the list_add_tail
	 * logic below in case this ever changes.
	 */
	if (WARN_ON_ONCE(trans->nelems != 1))
		return false;

	if (check_add_overflow(old_nelems, trans->nelems, &nelems))
		return false;

	/* krealloc might free tail which invalidates list pointers */
	list_del_init(&tail->nft_trans.list);

	new_trans = krealloc(tail, struct_size(tail, elems, nelems),
			     GFP_KERNEL);
	if (!new_trans) {
		/* tail is still valid on krealloc failure; re-queue it */
		list_add_tail(&tail->nft_trans.list,
			      &nft_net->commit_list);
		return false;
	}

	/*
	 * new_trans->nft_trans.list contains garbage, but
	 * list_add_tail() doesn't care.
	 */
	new_trans->nelems = nelems;
	new_trans->elems[old_nelems] = trans->elems[0];
	list_add_tail(&new_trans->nft_trans.list, &nft_net->commit_list);

	return true;
}

/* Collapse @trans into the commit-list tail when both are set element
 * transactions of the same message type. Returns true if collapsed.
 */
static bool nft_trans_try_collapse(struct nftables_pernet *nft_net,
				   struct nft_trans *trans)
{
	struct nft_trans *tail;

	if (list_empty(&nft_net->commit_list))
		return false;

	tail = list_last_entry(&nft_net->commit_list, struct nft_trans, list);

	if (tail->msg_type != trans->msg_type)
		return false;

	switch (trans->msg_type) {
	case NFT_MSG_NEWSETELEM:
	case NFT_MSG_DELSETELEM:
		return nft_trans_collapse_set_elem(nft_net,
						   nft_trans_container_elem(tail),
						   nft_trans_container_elem(trans));
	}

	return false;
}

/* Queue @trans on the per-netns commit list. New anonymous sets and new
 * binding chains are additionally tracked on binding_list; every new set
 * is tracked on commit_set_list.
 */
static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
{
	struct nftables_pernet *nft_net = nft_pernet(net);
	struct nft_trans_binding *binding;
	struct nft_trans_set *trans_set;

	list_add_tail(&trans->list, &nft_net->commit_list);

	binding = nft_trans_get_binding(trans);
	if (!binding)
		return;

	switch (trans->msg_type) {
	case NFT_MSG_NEWSET:
		trans_set = nft_trans_container_set(trans);

		if (!nft_trans_set_update(trans) &&
		    nft_set_is_anonymous(nft_trans_set(trans)))
			list_add_tail(&binding->binding_list, &nft_net->binding_list);

		list_add_tail(&trans_set->list_trans_newset, &nft_net->commit_set_list);
		break;
	case NFT_MSG_NEWCHAIN:
		if (!nft_trans_chain_update(trans) &&
		    nft_chain_binding(nft_trans_chain(trans)))
			list_add_tail(&binding->binding_list, &nft_net->binding_list);
		break;
	}
}

/* Queue a set element transaction, merging it into the previous one when
 * possible. On a successful merge @trans itself is freed here.
 */
static void nft_trans_commit_list_add_elem(struct net *net, struct nft_trans *trans)
{
	struct nftables_pernet *nft_net = nft_pernet(net);

	WARN_ON_ONCE(trans->msg_type != NFT_MSG_NEWSETELEM &&
		     trans->msg_type != NFT_MSG_DELSETELEM);

	if (nft_trans_try_collapse(nft_net, trans)) {
		kfree(trans);
		return;
	}

	nft_trans_commit_list_add_tail(net, trans);
}

/* Queue a table transaction; a NEWTABLE also activates the table in the
 * next generation. Returns 0 or -ENOMEM.
 */
static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
{
	struct nft_trans *trans;

	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
	if (trans == NULL)
		return -ENOMEM;

	if (msg_type == NFT_MSG_NEWTABLE)
		nft_activate_next(ctx->net, ctx->table);

	nft_trans_commit_list_add_tail(ctx->net, trans);
	return 0;
}

static int nft_deltable(struct nft_ctx *ctx)
{
	int err;

	err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
	if (err < 0)
		return err;

	nft_deactivate_next(ctx->net, ctx->table);
	return err;
}

/* Allocate a chain transaction for ctx->chain without queueing it. */
static struct nft_trans *
nft_trans_alloc_chain(const struct nft_ctx *ctx, int msg_type)
{
	struct nft_trans_chain *trans_chain;
	struct nft_trans *trans;

	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
	if (!trans)
		return NULL;

	trans_chain = nft_trans_container_chain(trans);
	INIT_LIST_HEAD(&trans_chain->nft_trans_binding.binding_list);
	trans_chain->chain = ctx->chain;

	return trans;
}

/* Allocate and queue a chain transaction. For NEWCHAIN the chain is
 * activated in the next generation and the userspace-provided chain id
 * (NFTA_CHAIN_ID, if any) is recorded on the transaction.
 *
 * Return: the transaction, or ERR_PTR(-ENOMEM).
 */
static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
{
	struct nft_trans *trans;

	trans = nft_trans_alloc_chain(ctx, msg_type);
	if (trans == NULL)
		return ERR_PTR(-ENOMEM);

	if (msg_type == NFT_MSG_NEWCHAIN) {
		nft_activate_next(ctx->net, ctx->chain);

		if (ctx->nla[NFTA_CHAIN_ID]) {
			nft_trans_chain_id(trans) =
				ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
		}
	}
	nft_trans_commit_list_add_tail(ctx->net, trans);

	return trans;
}

static int nft_delchain(struct nft_ctx *ctx)
{
	struct nft_trans *trans;

	trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
	if (IS_ERR(trans))
		return PTR_ERR(trans);

	nft_use_dec(&ctx->table->use);
	nft_deactivate_next(ctx->net, ctx->chain);

	return 0;
}

/* Call the optional ->activate hook of every expression in @rule. */
void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
{
	struct nft_expr *expr;

	expr = nft_expr_first(rule);
	while (nft_expr_more(rule, expr)) {
		if (expr->ops->activate)
			expr->ops->activate(ctx, expr);

		expr = nft_expr_next(expr);
	}
}

/* Call the optional ->deactivate hook of every expression in @rule,
 * passing the transaction phase through.
 */
void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
			      enum nft_trans_phase phase)
{
	struct nft_expr *expr;

	expr = nft_expr_first(rule);
	while (nft_expr_more(rule, expr)) {
		if (expr->ops->deactivate)
			expr->ops->deactivate(ctx, expr, phase);

		expr = nft_expr_next(expr);
	}
}

static int
nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
{
	/* You cannot delete the same rule twice */
	if (nft_is_active_next(ctx->net, rule)) {
		nft_deactivate_next(ctx->net, rule);
		nft_use_dec(&ctx->chain->use);
		return 0;
	}
	return -ENOENT;
}

/* Allocate and queue a rule transaction for @rule in ctx->chain. For
 * NEWRULE the userspace rule id (NFTA_RULE_ID, if given) is recorded.
 * Returns NULL on allocation failure.
 */
static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
					    struct nft_rule *rule)
{
	struct nft_trans *trans;

	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
	if (trans == NULL)
		return NULL;

	if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
		nft_trans_rule_id(trans) =
			ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
	}
	nft_trans_rule(trans) = rule;
	nft_trans_rule_chain(trans) = ctx->chain;
	nft_trans_commit_list_add_tail(ctx->net, trans);

	return trans;
}

/* Queue deletion of @rule: deactivate it in the next generation and run the
 * expressions' NFT_TRANS_PREPARE deactivation. For offloaded chains a flow
 * rule is built up front so the hardware removal can happen at commit time.
 *
 * Return: 0, -ENOMEM, -ENOENT if the rule is already deactivated, or the
 *   error from nft_flow_rule_create(). The transaction is destroyed on any
 *   failure after allocation.
 */
static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
{
	struct nft_flow_rule *flow;
	struct nft_trans *trans;
	int err;

	trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
	if (trans == NULL)
		return -ENOMEM;

	if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
		flow = nft_flow_rule_create(ctx->net, rule);
		if (IS_ERR(flow)) {
			nft_trans_destroy(trans);
			return PTR_ERR(flow);
		}

		nft_trans_flow_rule(trans) = flow;
	}

	err = nf_tables_delrule_deactivate(ctx, rule);
	if (err < 0) {
		nft_trans_destroy(trans);
		return err;
	}
	nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);

	return 0;
}

/* Delete every rule of ctx->chain that is still active in the next
 * generation; stops at the first error.
 */
static int nft_delrule_by_chain(struct nft_ctx *ctx)
{
	struct nft_rule *rule;
	int err;

	list_for_each_entry(rule, &ctx->chain->rules, list) {
		if (!nft_is_active_next(ctx->net, rule))
			continue;

		err = nft_delrule(ctx, rule);
		if (err < 0)
			return err;
	}
	return 0;
}

/* Allocate and queue a set transaction. Without @desc a NEWSET creates the
 * set (records NFTA_SET_ID and activates it); with @desc the transaction is
 * an update carrying the new gc interval, timeout and size.
 */
static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
			       struct nft_set *set,
			       const struct nft_set_desc *desc)
{
	struct nft_trans_set *trans_set;
	struct nft_trans *trans;

	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
	if (trans == NULL)
		return -ENOMEM;

	trans_set = nft_trans_container_set(trans);
	INIT_LIST_HEAD(&trans_set->nft_trans_binding.binding_list);
	INIT_LIST_HEAD(&trans_set->list_trans_newset);

	if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
		nft_trans_set_id(trans) =
			ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
		nft_activate_next(ctx->net, set);
	}
	nft_trans_set(trans) = set;
	if (desc) {
		nft_trans_set_update(trans) = true;
		nft_trans_set_gc_int(trans) = desc->gc_int;
		nft_trans_set_timeout(trans) = desc->timeout;
		nft_trans_set_size(trans) = desc->size;
	}
	nft_trans_commit_list_add_tail(ctx->net, trans);

	return 0;
}

static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
			     struct nft_set *set)
{
	return __nft_trans_set_add(ctx, msg_type, set, NULL);
}

/* Set walk callback: deactivate one element that is active in the
 * iterator's generation, including the data it maps to.
 */
static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
				  struct nft_set *set,
				  const struct nft_set_iter *iter,
				  struct nft_elem_priv *elem_priv)
{
	struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);

	if (!nft_set_elem_active(ext, iter->genmask))
		return 0;

	nft_set_elem_change_active(ctx->net, set, ext);
	nft_setelem_data_deactivate(ctx->net, set, elem_priv);

	return 0;
}

/* Catch-all elements are not part of the set backend and live on
 * set->catchall_list instead.
 */
struct nft_set_elem_catchall {
	struct list_head list;
	struct rcu_head rcu;
	struct nft_elem_priv *elem;
};

/* Deactivate the catch-all elements of @set that are active in the next
 * generation.
 */
static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
					struct nft_set *set)
{
	u8 genmask = nft_genmask_next(ctx->net);
	struct nft_set_elem_catchall *catchall;
	struct nft_set_ext *ext;

	list_for_each_entry(catchall, &set->catchall_list, list) {
		ext = nft_set_elem_ext(set, catchall->elem);
		if (!nft_set_elem_active(ext, genmask))
			continue;

		nft_set_elem_change_active(ctx->net, set, ext);
		nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
	}
}

/* Use NFT_ITER_UPDATE iterator even if this may be called from the preparation
 * phase, the set clone might already exist from a previous command, or it might
 * be a set that is going away and does not require a clone. The netns and
 * netlink release paths also need to work on the live set.
 */
static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
{
	struct nft_set_iter iter = {
		.genmask	= nft_genmask_next(ctx->net),
		.type		= NFT_ITER_UPDATE,
		.fn		= nft_mapelem_deactivate,
	};

	set->ops->walk(ctx, set, &iter);
	WARN_ON_ONCE(iter.err);

	nft_map_catchall_deactivate(ctx, set);
}

/* Queue deletion of @set. Maps and object maps have their elements'
 * data deactivated first so the referenced rules/objects are released.
 */
static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
{
	int err;

	err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
	if (err < 0)
		return err;

	if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
		nft_map_deactivate(ctx, set);

	nft_deactivate_next(ctx->net, set);
	nft_use_dec(&ctx->table->use);

	return err;
}

/* Allocate and queue a stateful object transaction; NEWOBJ activates the
 * object in the next generation. Returns 0 or -ENOMEM.
 */
static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
			     struct nft_object *obj)
{
	struct nft_trans *trans;

	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
	if (trans == NULL)
		return -ENOMEM;

	if (msg_type == NFT_MSG_NEWOBJ)
		nft_activate_next(ctx->net, obj);

	nft_trans_obj(trans) = obj;
	nft_trans_commit_list_add_tail(ctx->net, trans);

	return 0;
}

static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
{
	int err;

	err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
	if (err < 0)
		return err;

	nft_deactivate_next(ctx->net, obj);
	nft_use_dec(&ctx->table->use);

	return err;
}

/* Allocate and queue a flowtable transaction; NEWFLOWTABLE activates the
 * flowtable in the next generation.
 *
 * Return: the transaction, or ERR_PTR(-ENOMEM).
 */
static struct nft_trans *
nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
			struct nft_flowtable *flowtable)
{
	struct nft_trans *trans;

	trans = nft_trans_alloc(ctx, msg_type,
				sizeof(struct nft_trans_flowtable));
	if (trans == NULL)
		return ERR_PTR(-ENOMEM);

	if (msg_type == NFT_MSG_NEWFLOWTABLE)
		nft_activate_next(ctx->net, flowtable);

	INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
	nft_trans_flowtable(trans) = flowtable;
	nft_trans_commit_list_add_tail(ctx->net, trans);

	return trans;
}

static int nft_delflowtable(struct nft_ctx *ctx,
			    struct nft_flowtable *flowtable)
{
	struct nft_trans *trans;

	trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
	if (IS_ERR(trans))
		return PTR_ERR(trans);

	nft_deactivate_next(ctx->net, flowtable);
	nft_use_dec(&ctx->table->use);

	return 0;
}

/*
 * Tables
 */

/* Look up a table by name attribute, family and generation.
 *
 * @nlpid: netlink portid of the requester, or 0 to skip the owner check.
 *
 * Return: the table; ERR_PTR(-EINVAL) when @nla is missing;
 *   ERR_PTR(-EPERM) when the table has an owner and @nlpid is a different,
 *   non-zero portid; ERR_PTR(-ENOENT) when no table matches.
 */
static struct nft_table *nft_table_lookup(const struct net *net,
					  const struct nlattr *nla,
					  u8 family, u8 genmask, u32 nlpid)
{
	struct nftables_pernet *nft_net;
	struct nft_table *table;

	if (nla == NULL)
		return ERR_PTR(-EINVAL);

	nft_net = nft_pernet(net);
	list_for_each_entry_rcu(table, &nft_net->tables, list,
				lockdep_is_held(&nft_net->commit_mutex)) {
		if (!nla_strcmp(nla, table->name) &&
		    table->family == family &&
		    nft_active_genmask(table, genmask)) {
			/* owned tables may only be addressed by their owner */
			if (nft_table_has_owner(table) &&
			    nlpid && table->nlpid != nlpid)
				return ERR_PTR(-EPERM);

			return table;
		}
	}

	return ERR_PTR(-ENOENT);
}

/* Handle-based variant of nft_table_lookup() with the same owner check.
 * Unlike the by-name lookup, @nla is dereferenced without a NULL check;
 * callers presumably verify the handle attribute is present.
 */
static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
						   const struct nlattr *nla,
						   int family, u8 genmask, u32 nlpid)
{
	struct nftables_pernet *nft_net;
	struct nft_table *table;

	nft_net = nft_pernet(net);
	list_for_each_entry(table, &nft_net->tables, list) {
		if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
		    table->family == family &&
		    nft_active_genmask(table, genmask)) {
			if (nft_table_has_owner(table) &&
			    nlpid && table->nlpid != nlpid)
				return ERR_PTR(-EPERM);

			return table;
		}
	}

	return ERR_PTR(-ENOENT);
}

/* Handles are allocated from a per-table monotonically increasing counter. */
static inline u64 nf_tables_alloc_handle(struct nft_table *table)
{
	return ++table->hgenerator;
}

static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];

/* Bounds-checked access to the chain type registry; both indices may come
 * from a netlink request.
 */
static const struct nft_chain_type *
__nft_chain_type_get(u8 family, enum nft_chain_types type)
{
	if (family >= NFPROTO_NUMPROTO ||
	    type >= NFT_CHAIN_T_MAX)
		return NULL;

	return chain_type[family][type];
}

/* Find a registered chain type for @family whose name matches @nla. */
static const struct nft_chain_type *
__nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
{
	const struct nft_chain_type *type;
	int i;

	for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
		type = __nft_chain_type_get(family, i);
		if (!type)
			continue;
		if (!nla_strcmp(nla, type->name))
			return type;
	}
	return NULL;
}

/* A module autoload request deferred until the nfnl lock is dropped. */
struct nft_module_request {
	struct list_head	list;
	char			module[MODULE_NAME_LEN];
	bool			done;
};

#ifdef CONFIG_MODULES
/* Queue a request to load the module named by @fmt/... on the per-netns
 * module list.
 *
 * Return: 0 if the name does not fit MODULE_NAME_LEN (request is dropped)
 *   or the module was already requested and loaded; -EAGAIN if a request is
 *   pending or was just queued (the caller is expected to retry later);
 *   -ENOMEM on allocation failure.
 */
__printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
				      ...)
{
	char module_name[MODULE_NAME_LEN];
	struct nftables_pernet *nft_net;
	struct nft_module_request *req;
	va_list args;
	int ret;

	va_start(args, fmt);
	ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
	va_end(args);
	/* a truncated module name is never requested */
	if (ret >= MODULE_NAME_LEN)
		return 0;

	nft_net = nft_pernet(net);
	list_for_each_entry(req, &nft_net->module_list, list) {
		if (!strcmp(req->module, module_name)) {
			if (req->done)
				return 0;

			/* A request to load this module already exists. */
			return -EAGAIN;
		}
	}

	req = kmalloc_obj(*req);
	if (!req)
		return -ENOMEM;

	req->done = false;
	strscpy(req->module, module_name, MODULE_NAME_LEN);
	list_add_tail(&req->list, &nft_net->module_list);

	return -EAGAIN;
}
EXPORT_SYMBOL_GPL(nft_request_module);
#endif

/* Debug check: module requests must not be made with the nfnl nftables
 * subsystem mutex held.
 */
static void lockdep_nfnl_nft_mutex_not_held(void)
{
#ifdef CONFIG_PROVE_LOCKING
	if (debug_locks)
		WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
#endif
}

/* Look up a chain type by name, optionally requesting the
 * "nft-chain-<family>-<name>" module when it is not registered. The name
 * is bounded by nla_len() when formatted into the module request.
 *
 * Return: the type; ERR_PTR(-EAGAIN) if a module load was requested;
 *   ERR_PTR(-ENOENT) otherwise.
 */
static const struct nft_chain_type *
nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
			    u8 family, bool autoload)
{
	const struct nft_chain_type *type;

	type = __nf_tables_chain_type_lookup(nla, family);
	if (type != NULL)
		return type;

	lockdep_nfnl_nft_mutex_not_held();
#ifdef CONFIG_MODULES
	if (autoload) {
		if (nft_request_module(net, "nft-chain-%u-%.*s", family,
				       nla_len(nla),
				       (const char *)nla_data(nla)) == -EAGAIN)
			return ERR_PTR(-EAGAIN);
	}
#endif
	return ERR_PTR(-ENOENT);
}

static unsigned int nft_base_seq(const struct net *net)
{
	return READ_ONCE(net->nft.base_seq);
}

/* Low 16 bits of the base sequence, as carried in the nfgenmsg res_id. */
static __be16 nft_base_seq_be16(const struct net *net)
{
	return htons(nft_base_seq(net) & 0xffff);
}

/* Netlink attribute policy for table messages; unknown flag bits are
 * rejected by NLA_POLICY_MASK and userdata is length-limited.
 */
static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
	[NFTA_TABLE_NAME]	= { .type = NLA_STRING,
				    .len = NFT_TABLE_MAXNAMELEN - 1 },
	[NFTA_TABLE_FLAGS]	= NLA_POLICY_MASK(NLA_BE32, NFT_TABLE_F_MASK),
	[NFTA_TABLE_HANDLE]	= { .type = NLA_U64 },
	[NFTA_TABLE_USERDATA]	= { .type = NLA_BINARY,
				    .len = NFT_USERDATA_MAXLEN }
};

/* Serialize @table into @skb as a netlink message of type @event.
 * Delete/destroy events carry only name, use count and handle.
 *
 * Return: 0 on success; -1 if the message did not fit, in which case the
 *   partial message is trimmed from @skb.
 */
static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
				     u32 portid, u32 seq, int event, u32 flags,
				     int family, const struct nft_table *table)
{
	struct nlmsghdr *nlh;

	nlh = nfnl_msg_put(skb, portid, seq,
			   nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
			   flags, family, NFNETLINK_V0, nft_base_seq_be16(net));
	if (!nlh)
		goto nla_put_failure;

	if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
	    nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
	    nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
			 NFTA_TABLE_PAD))
		goto nla_put_failure;

	if (event == NFT_MSG_DELTABLE ||
	    event == NFT_MSG_DESTROYTABLE) {
		nlmsg_end(skb, nlh);
		return 0;
	}

	/* only the user-visible flag bits are exposed */
	if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
			 htonl(table->flags & NFT_TABLE_F_MASK)))
		goto nla_put_failure;

	if (nft_table_has_owner(table) &&
	    nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
		goto nla_put_failure;

	if (table->udata) {
		if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
			goto nla_put_failure;
	}

	nlmsg_end(skb, nlh);
	return 0;

nla_put_failure:
	nlmsg_trim(skb, nlh);
	return -1;
}

/* Per-skb private data for queued notifications, stored in skb->cb. */
struct nftnl_skb_parms {
	bool report;
};
#define NFT_CB(skb)	(*(struct nftnl_skb_parms*)&((skb)->cb))

/* Defer delivery of a notification skb by appending it to @notify_list. */
static void nft_notify_enqueue(struct sk_buff *skb, bool report,
			       struct list_head *notify_list)
{
	NFT_CB(skb).report = report;
	list_add_tail(&skb->list, notify_list);
}

/* Emit a table notification for @event, unless nobody asked for a report
 * and no NFNLGRP_NFTABLES listener exists. Body continues beyond this
 * excerpt.
 */
static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
{
	struct nftables_pernet *nft_net;
	struct sk_buff *skb;
	u16 flags = 0;
	int err;

	if (!ctx->report &&
	    !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
		return;

	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
	if (skb == NULL)
		goto err;

	if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
		flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);

	err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
event, flags, ctx->family, ctx->table); 1236 if (err < 0) { 1237 kfree_skb(skb); 1238 goto err; 1239 } 1240 1241 nft_net = nft_pernet(ctx->net); 1242 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1243 return; 1244 err: 1245 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1246 } 1247 1248 static int nf_tables_dump_tables(struct sk_buff *skb, 1249 struct netlink_callback *cb) 1250 { 1251 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1252 struct nftables_pernet *nft_net; 1253 const struct nft_table *table; 1254 unsigned int idx = 0, s_idx = cb->args[0]; 1255 struct net *net = sock_net(skb->sk); 1256 int family = nfmsg->nfgen_family; 1257 1258 rcu_read_lock(); 1259 nft_net = nft_pernet(net); 1260 cb->seq = nft_base_seq(net); 1261 1262 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1263 if (family != NFPROTO_UNSPEC && family != table->family) 1264 continue; 1265 1266 if (idx < s_idx) 1267 goto cont; 1268 if (idx > s_idx) 1269 memset(&cb->args[1], 0, 1270 sizeof(cb->args) - sizeof(cb->args[0])); 1271 if (!nft_is_active(net, table)) 1272 continue; 1273 if (nf_tables_fill_table_info(skb, net, 1274 NETLINK_CB(cb->skb).portid, 1275 cb->nlh->nlmsg_seq, 1276 NFT_MSG_NEWTABLE, NLM_F_MULTI, 1277 table->family, table) < 0) 1278 goto done; 1279 1280 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1281 cont: 1282 idx++; 1283 } 1284 done: 1285 rcu_read_unlock(); 1286 cb->args[0] = idx; 1287 return skb->len; 1288 } 1289 1290 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 1291 const struct nlmsghdr *nlh, 1292 struct netlink_dump_control *c) 1293 { 1294 int err; 1295 1296 if (!try_module_get(THIS_MODULE)) 1297 return -EINVAL; 1298 1299 rcu_read_unlock(); 1300 err = netlink_dump_start(nlsk, skb, nlh, c); 1301 rcu_read_lock(); 1302 module_put(THIS_MODULE); 1303 1304 return err; 1305 } 1306 1307 /* called with rcu_read_lock held */ 1308 static int nf_tables_gettable(struct sk_buff *skb, const struct 
nfnl_info *info, 1309 const struct nlattr * const nla[]) 1310 { 1311 struct netlink_ext_ack *extack = info->extack; 1312 u8 genmask = nft_genmask_cur(info->net); 1313 u8 family = info->nfmsg->nfgen_family; 1314 const struct nft_table *table; 1315 struct net *net = info->net; 1316 struct sk_buff *skb2; 1317 int err; 1318 1319 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1320 struct netlink_dump_control c = { 1321 .dump = nf_tables_dump_tables, 1322 .module = THIS_MODULE, 1323 }; 1324 1325 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 1326 } 1327 1328 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0); 1329 if (IS_ERR(table)) { 1330 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 1331 return PTR_ERR(table); 1332 } 1333 1334 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1335 if (!skb2) 1336 return -ENOMEM; 1337 1338 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 1339 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 1340 0, family, table); 1341 if (err < 0) 1342 goto err_fill_table_info; 1343 1344 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1345 1346 err_fill_table_info: 1347 kfree_skb(skb2); 1348 return err; 1349 } 1350 1351 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 1352 { 1353 struct nft_chain *chain; 1354 u32 i = 0; 1355 1356 list_for_each_entry(chain, &table->chains, list) { 1357 if (!nft_is_active_next(net, chain)) 1358 continue; 1359 if (!nft_is_base_chain(chain)) 1360 continue; 1361 1362 if (cnt && i++ == cnt) 1363 break; 1364 1365 nf_tables_unregister_hook(net, table, chain); 1366 } 1367 } 1368 1369 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 1370 { 1371 struct nft_chain *chain; 1372 int err, i = 0; 1373 1374 list_for_each_entry(chain, &table->chains, list) { 1375 if (!nft_is_active_next(net, chain)) 1376 continue; 1377 if (!nft_is_base_chain(chain)) 1378 continue; 1379 1380 err = nf_tables_register_hook(net, table, chain); 
/* (continuation of nf_tables_table_enable(): per-chain hook registration) */
		if (err < 0)
			goto err_register_hooks;

		i++;
	}
	return 0;

err_register_hooks:
	/* Unregister only the @i hooks registered so far. */
	if (i)
		nft_table_disable(net, table, i);
	return err;
}

/* Unregister all base chain hooks of @table and mark it dormant.
 *
 * DORMANT is cleared around the call because nft_table_disable() operates on
 * the chains regardless of the flag; it is set again afterwards.
 */
static void nf_tables_table_disable(struct net *net, struct nft_table *table)
{
	table->flags &= ~NFT_TABLE_F_DORMANT;
	nft_table_disable(net, table, 0);
	table->flags |= NFT_TABLE_F_DORMANT;
}

/* Kernel-internal table flags, placed above the uAPI mask so they never leak
 * to userspace (nf_tables_fill_table_info() masks with NFT_TABLE_F_MASK).
 * They record, for abort handling, which state a table was in before an
 * update in the current transaction.
 */
#define __NFT_TABLE_F_INTERNAL		(NFT_TABLE_F_MASK + 1)
#define __NFT_TABLE_F_WAS_DORMANT	(__NFT_TABLE_F_INTERNAL << 0)
#define __NFT_TABLE_F_WAS_AWAKEN	(__NFT_TABLE_F_INTERNAL << 1)
#define __NFT_TABLE_F_WAS_ORPHAN	(__NFT_TABLE_F_INTERNAL << 2)
#define __NFT_TABLE_F_UPDATE		(__NFT_TABLE_F_WAS_DORMANT | \
					 __NFT_TABLE_F_WAS_AWAKEN | \
					 __NFT_TABLE_F_WAS_ORPHAN)

/* Return true if this transaction already carries an update for ctx->table:
 * either the table itself was updated (internal flags set) or a base chain of
 * it is being updated/deleted on the commit list.
 */
static bool nft_table_pending_update(const struct nft_ctx *ctx)
{
	struct nftables_pernet *nft_net = nft_pernet(ctx->net);
	struct nft_trans *trans;

	if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
		return true;

	list_for_each_entry(trans, &nft_net->commit_list, list) {
		if (trans->table == ctx->table &&
		    ((trans->msg_type == NFT_MSG_NEWCHAIN &&
		      nft_trans_chain_update(trans)) ||
		     (trans->msg_type == NFT_MSG_DELCHAIN &&
		      nft_is_base_chain(nft_trans_chain(trans)))))
			return true;
	}

	return false;
}

/* Apply a NEWTABLE request to an existing table (flags update only).
 *
 * Rules enforced before any state is touched:
 *  - unknown flag bits (outside NFT_TABLE_F_MASK)      -> -EOPNOTSUPP
 *  - dropping OWNER, or taking OWNER of a non-orphan     -> -EOPNOTSUPP
 *  - toggling PERSIST                                     -> -EOPNOTSUPP
 *  - a second dormant/hook update in one transaction      -> -EINVAL
 *
 * Returns 0 if nothing changed or the update was queued, else a negative errno.
 */
static int nf_tables_updtable(struct nft_ctx *ctx)
{
	struct nft_trans *trans;
	u32 flags;
	int ret;

	if (!ctx->nla[NFTA_TABLE_FLAGS])
		return 0;

	flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
	if (flags & ~NFT_TABLE_F_MASK)
		return -EOPNOTSUPP;

	if (flags == (ctx->table->flags & NFT_TABLE_F_MASK))
		return 0;

	if ((nft_table_has_owner(ctx->table) &&
	     !(flags & NFT_TABLE_F_OWNER)) ||
	    (flags & NFT_TABLE_F_OWNER &&
	     !nft_table_is_orphan(ctx->table)))
		return -EOPNOTSUPP;

	if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
		return -EOPNOTSUPP;

	/* No dormant off/on/off/on games in single transaction */
	if (nft_table_pending_update(ctx))
		return -EINVAL;

	trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
				sizeof(struct nft_trans_table));
	if (trans == NULL)
		return -ENOMEM;

	if ((flags & NFT_TABLE_F_DORMANT) &&
	    !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
		/* Going dormant: hooks are torn down at commit time; just
		 * remember the previous state for abort.
		 */
		ctx->table->flags |= NFT_TABLE_F_DORMANT;
		if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
			ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
	} else if (!(flags & NFT_TABLE_F_DORMANT) &&
		   ctx->table->flags & NFT_TABLE_F_DORMANT) {
		/* Waking up: hooks are registered right away so a failure can
		 * be reported to the requester.
		 */
		ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
		if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
			ret = nf_tables_table_enable(ctx->net, ctx->table);
			if (ret < 0)
				goto err_register_hooks;

			ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
		}
	}

	/* Claim ownership for the requesting netlink socket (portid). */
	if ((flags & NFT_TABLE_F_OWNER) &&
	    !nft_table_has_owner(ctx->table)) {
		ctx->table->nlpid = ctx->portid;
		ctx->table->flags |= NFT_TABLE_F_OWNER |
				     __NFT_TABLE_F_WAS_ORPHAN;
	}

	nft_trans_table_update(trans) = true;
	nft_trans_commit_list_add_tail(ctx->net, trans);

	return 0;

err_register_hooks:
	/* Restore the dormant state and drop the unqueued transaction. */
	ctx->table->flags |= NFT_TABLE_F_DORMANT;
	nft_trans_destroy(trans);
	return ret;
}

/* rhashtable hash for chains keyed by NUL-terminated name; @len is unused
 * because the key length is taken from strlen().
 */
static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
{
	const char *name = data;

	return jhash(name, strlen(name), seed);
}

/* rhashtable object hash: hash the chain's own name with nft_chain_hash(). */
static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
{
	const struct nft_chain *chain = data;

	return nft_chain_hash(chain->name, 0, seed);
}

/* rhashtable compare: 0 when the chain's name equals the lookup key. */
static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
			      const void *ptr)
{
	const struct nft_chain *chain = ptr;
	const char *name = arg->key;

	return
strcmp(chain->name, name); 1519 } 1520 1521 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 1522 { 1523 const struct nft_object_hash_key *k = data; 1524 1525 seed ^= hash_ptr(k->table, 32); 1526 1527 return jhash(k->name, strlen(k->name), seed); 1528 } 1529 1530 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 1531 { 1532 const struct nft_object *obj = data; 1533 1534 return nft_objname_hash(&obj->key, 0, seed); 1535 } 1536 1537 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 1538 const void *ptr) 1539 { 1540 const struct nft_object_hash_key *k = arg->key; 1541 const struct nft_object *obj = ptr; 1542 1543 if (obj->key.table != k->table) 1544 return -1; 1545 1546 return strcmp(obj->key.name, k->name); 1547 } 1548 1549 static bool nft_supported_family(u8 family) 1550 { 1551 return false 1552 #ifdef CONFIG_NF_TABLES_INET 1553 || family == NFPROTO_INET 1554 #endif 1555 #ifdef CONFIG_NF_TABLES_IPV4 1556 || family == NFPROTO_IPV4 1557 #endif 1558 #ifdef CONFIG_NF_TABLES_ARP 1559 || family == NFPROTO_ARP 1560 #endif 1561 #ifdef CONFIG_NF_TABLES_NETDEV 1562 || family == NFPROTO_NETDEV 1563 #endif 1564 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) 1565 || family == NFPROTO_BRIDGE 1566 #endif 1567 #ifdef CONFIG_NF_TABLES_IPV6 1568 || family == NFPROTO_IPV6 1569 #endif 1570 ; 1571 } 1572 1573 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, 1574 const struct nlattr * const nla[]) 1575 { 1576 struct nftables_pernet *nft_net = nft_pernet(info->net); 1577 struct netlink_ext_ack *extack = info->extack; 1578 u8 genmask = nft_genmask_next(info->net); 1579 u8 family = info->nfmsg->nfgen_family; 1580 struct net *net = info->net; 1581 const struct nlattr *attr; 1582 struct nft_table *table; 1583 struct nft_ctx ctx; 1584 u32 flags = 0; 1585 int err; 1586 1587 if (!nft_supported_family(family)) 1588 return -EOPNOTSUPP; 1589 1590 lockdep_assert_held(&nft_net->commit_mutex); 1591 attr = 
nla[NFTA_TABLE_NAME];
	/* The requester's portid is handed to nft_table_lookup(); presumably it
	 * is what restricts visibility of owned tables -- confirm there.
	 */
	table = nft_table_lookup(net, attr, family, genmask,
				 NETLINK_CB(skb).portid);
	if (IS_ERR(table)) {
		if (PTR_ERR(table) != -ENOENT)
			return PTR_ERR(table);
	} else {
		/* Table exists: NLM_F_EXCL -> EEXIST, REPLACE unsupported,
		 * otherwise treat the request as a flags update.
		 */
		if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
			NL_SET_BAD_ATTR(extack, attr);
			return -EEXIST;
		}
		if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
			return -EOPNOTSUPP;

		nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);

		return nf_tables_updtable(&ctx);
	}

	/* Re-check the flag mask explicitly even though nft_table_policy
	 * already rejects unknown bits -- defence in depth on uAPI input.
	 */
	if (nla[NFTA_TABLE_FLAGS]) {
		flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
		if (flags & ~NFT_TABLE_F_MASK)
			return -EOPNOTSUPP;
	}

	/* All allocations below are memcg-accounted (GFP_KERNEL_ACCOUNT) so a
	 * container creating many tables is charged for them.
	 */
	err = -ENOMEM;
	table = kzalloc_obj(*table, GFP_KERNEL_ACCOUNT);
	if (table == NULL)
		goto err_kzalloc;

	table->validate_state = nft_net->validate_state;
	table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
	if (table->name == NULL)
		goto err_strdup;

	/* Opaque userdata; its length is bounded by the policy. */
	if (nla[NFTA_TABLE_USERDATA]) {
		table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
		if (table->udata == NULL)
			goto err_table_udata;

		table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
	}

	err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
	if (err)
		goto err_chain_ht;

	INIT_LIST_HEAD(&table->chains);
	INIT_LIST_HEAD(&table->sets);
	INIT_LIST_HEAD(&table->objects);
	INIT_LIST_HEAD(&table->flowtables);
	table->family = family;
	table->flags = flags;
	/* Handles are allocated from a per-netns monotonically increasing counter. */
	table->handle = ++nft_net->table_handle;
	/* An owned table is bound to the creating netlink socket's portid. */
	if (table->flags & NFT_TABLE_F_OWNER)
		table->nlpid = NETLINK_CB(skb).portid;

	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
	err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
	if (err < 0)
		goto err_trans;

	list_add_tail_rcu(&table->list, &nft_net->tables);
	return 0;
err_trans:
	/* Unwind in reverse allocation order; labels continue below. */
	rhltable_destroy(&table->chains_ht);
err_chain_ht: 1658 kfree(table->udata); 1659 err_table_udata: 1660 kfree(table->name); 1661 err_strdup: 1662 kfree(table); 1663 err_kzalloc: 1664 return err; 1665 } 1666 1667 static int nft_flush_table(struct nft_ctx *ctx) 1668 { 1669 struct nft_flowtable *flowtable, *nft; 1670 struct nft_chain *chain, *nc; 1671 struct nft_object *obj, *ne; 1672 struct nft_set *set, *ns; 1673 int err; 1674 1675 list_for_each_entry(chain, &ctx->table->chains, list) { 1676 if (!nft_is_active_next(ctx->net, chain)) 1677 continue; 1678 1679 if (nft_chain_binding(chain)) 1680 continue; 1681 1682 ctx->chain = chain; 1683 1684 err = nft_delrule_by_chain(ctx); 1685 if (err < 0) 1686 goto out; 1687 } 1688 1689 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1690 if (!nft_is_active_next(ctx->net, set)) 1691 continue; 1692 1693 if (nft_set_is_anonymous(set)) 1694 continue; 1695 1696 err = nft_delset(ctx, set); 1697 if (err < 0) 1698 goto out; 1699 } 1700 1701 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1702 if (!nft_is_active_next(ctx->net, flowtable)) 1703 continue; 1704 1705 err = nft_delflowtable(ctx, flowtable); 1706 if (err < 0) 1707 goto out; 1708 } 1709 1710 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1711 if (!nft_is_active_next(ctx->net, obj)) 1712 continue; 1713 1714 err = nft_delobj(ctx, obj); 1715 if (err < 0) 1716 goto out; 1717 } 1718 1719 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1720 if (!nft_is_active_next(ctx->net, chain)) 1721 continue; 1722 1723 if (nft_chain_binding(chain)) 1724 continue; 1725 1726 ctx->chain = chain; 1727 1728 err = nft_delchain(ctx); 1729 if (err < 0) 1730 goto out; 1731 } 1732 1733 err = nft_deltable(ctx); 1734 out: 1735 return err; 1736 } 1737 1738 static int nft_flush(struct nft_ctx *ctx, int family) 1739 { 1740 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1741 const struct nlattr * const *nla = ctx->nla; 1742 struct nft_table *table, *nt; 1743 int err = 
0;

	/* (continuation of nft_flush(): walk every table of this netns) */
	list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
		if (family != AF_UNSPEC && table->family != family)
			continue;

		ctx->family = table->family;

		if (!nft_is_active_next(ctx->net, table))
			continue;

		/* Owned tables are only flushed by the owning netlink socket;
		 * a flush from another portid silently skips them.
		 */
		if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
			continue;

		/* Optional name filter. */
		if (nla[NFTA_TABLE_NAME] &&
		    nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
			continue;

		ctx->table = table;

		err = nft_flush_table(ctx);
		if (err < 0)
			goto out;
	}
out:
	return err;
}

/* Handle NFT_MSG_DELTABLE / NFT_MSG_DESTROYTABLE.
 *
 * Without a family, or without both NAME and HANDLE, this degenerates into a
 * flush of all matching tables. Otherwise the table is looked up by handle
 * (preferred) or name; DESTROYTABLE treats a missing table as success, while
 * DELTABLE reports the error. NLM_F_NONREC refuses to delete a table that is
 * still in use (table->use > 0) instead of recursively flushing it.
 */
static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
			      const struct nlattr * const nla[])
{
	struct netlink_ext_ack *extack = info->extack;
	u8 genmask = nft_genmask_next(info->net);
	u8 family = info->nfmsg->nfgen_family;
	struct net *net = info->net;
	const struct nlattr *attr;
	struct nft_table *table;
	struct nft_ctx ctx;

	nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
	if (family == AF_UNSPEC ||
	    (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
		return nft_flush(&ctx, family);

	if (nla[NFTA_TABLE_HANDLE]) {
		attr = nla[NFTA_TABLE_HANDLE];
		table = nft_table_lookup_byhandle(net, attr, family, genmask,
						  NETLINK_CB(skb).portid);
	} else {
		attr = nla[NFTA_TABLE_NAME];
		table = nft_table_lookup(net, attr, family, genmask,
					 NETLINK_CB(skb).portid);
	}

	if (IS_ERR(table)) {
		/* DESTROY is idempotent: a missing table is not an error. */
		if (PTR_ERR(table) == -ENOENT &&
		    NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
			return 0;

		NL_SET_BAD_ATTR(extack, attr);
		return PTR_ERR(table);
	}

	if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
	    table->use > 0)
		return -EBUSY;

	ctx.family = family;
	ctx.table = table;

	return nft_flush_table(&ctx);
}

/* Free a table and its resources; refuses (with a WARN) if still in use. */
static void nf_tables_table_destroy(struct nft_table
*table)
{
	if (WARN_ON(table->use > 0))
		return;

	rhltable_destroy(&table->chains_ht);
	kfree(table->name);
	kfree(table->udata);
	kfree(table);
}

/* Register a chain type under the nfnetlink nftables mutex.
 *
 * NOTE(review): only a duplicate registration is rejected here. An
 * out-of-range ctype->family / ctype->type is not: __nft_chain_type_get()
 * returns NULL for "out of range" as well as for "free slot", so the store
 * below relies on in-kernel callers passing valid constants.
 */
void nft_register_chain_type(const struct nft_chain_type *ctype)
{
	nfnl_lock(NFNL_SUBSYS_NFTABLES);
	if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
		nfnl_unlock(NFNL_SUBSYS_NFTABLES);
		return;
	}
	chain_type[ctype->family][ctype->type] = ctype;
	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
}
EXPORT_SYMBOL_GPL(nft_register_chain_type);

/* Remove a chain type registration; same indexing caveat as registration. */
void nft_unregister_chain_type(const struct nft_chain_type *ctype)
{
	nfnl_lock(NFNL_SUBSYS_NFTABLES);
	chain_type[ctype->family][ctype->type] = NULL;
	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
}
EXPORT_SYMBOL_GPL(nft_unregister_chain_type);

/*
 * Chains
 */

/* Linear search of @table's chains for @handle, restricted to chains active
 * in @genmask. Returns ERR_PTR(-ENOENT) if not found.
 */
static struct nft_chain *
nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
{
	struct nft_chain *chain;

	list_for_each_entry(chain, &table->chains, list) {
		if (chain->handle == handle &&
		    nft_active_genmask(chain, genmask))
			return chain;
	}

	return ERR_PTR(-ENOENT);
}

/* Lockdep helper: is the per-netns commit_mutex held? Always true when
 * lock proving is compiled out, so it must only be used in assertions and
 * rcu_dereference_check()-style conditions.
 */
static bool lockdep_commit_lock_is_held(const struct net *net)
{
#ifdef CONFIG_PROVE_LOCKING
	struct nftables_pernet *nft_net = nft_pernet(net);

	return lockdep_is_held(&nft_net->commit_mutex);
#else
	return true;
#endif
}

/* Look up a chain of @table by the name attribute @nla, active in @genmask.
 *
 * The name is copied into a fixed NFT_CHAIN_MAXNAMELEN + 1 buffer with
 * nla_strscpy(), so an over-long or unterminated attribute is truncated and
 * NUL-terminated before it is used as a hash key. The caller must hold either
 * the RCU read lock or the commit mutex.
 */
static struct nft_chain *nft_chain_lookup(struct net *net,
					  struct nft_table *table,
					  const struct nlattr *nla, u8 genmask)
{
	char search[NFT_CHAIN_MAXNAMELEN + 1];
	struct rhlist_head *tmp, *list;
	struct nft_chain *chain;

	if (nla == NULL)
		return ERR_PTR(-EINVAL);

	nla_strscpy(search, nla, sizeof(search));

	WARN_ON(!rcu_read_lock_held() &&
		!lockdep_commit_lock_is_held(net));

chain = ERR_PTR(-ENOENT); 1893 rcu_read_lock(); 1894 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1895 if (!list) 1896 goto out_unlock; 1897 1898 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1899 if (nft_active_genmask(chain, genmask)) 1900 goto out_unlock; 1901 } 1902 chain = ERR_PTR(-ENOENT); 1903 out_unlock: 1904 rcu_read_unlock(); 1905 return chain; 1906 } 1907 1908 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1909 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1910 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1911 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1912 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1913 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1914 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1915 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1916 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1917 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1918 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1919 [NFTA_CHAIN_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_CHAIN_FLAGS), 1920 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1921 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY, 1922 .len = NFT_USERDATA_MAXLEN }, 1923 }; 1924 1925 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1926 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1927 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1928 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1929 .len = IFNAMSIZ - 1 }, 1930 }; 1931 1932 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1933 { 1934 struct nft_stats *cpu_stats, total; 1935 struct nlattr *nest; 1936 unsigned int seq; 1937 u64 pkts, bytes; 1938 int cpu; 1939 1940 if (!stats) 1941 return 0; 1942 1943 memset(&total, 0, sizeof(total)); 1944 for_each_possible_cpu(cpu) { 1945 cpu_stats = per_cpu_ptr(stats, cpu); 1946 do { 1947 seq = u64_stats_fetch_begin(&cpu_stats->syncp); 1948 pkts = cpu_stats->pkts; 1949 bytes = cpu_stats->bytes; 1950 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq)); 1951 total.pkts += pkts; 
1952 total.bytes += bytes; 1953 } 1954 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1955 if (nest == NULL) 1956 goto nla_put_failure; 1957 1958 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1959 NFTA_COUNTER_PAD) || 1960 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1961 NFTA_COUNTER_PAD)) 1962 goto nla_put_failure; 1963 1964 nla_nest_end(skb, nest); 1965 return 0; 1966 1967 nla_put_failure: 1968 return -ENOSPC; 1969 } 1970 1971 static bool hook_is_prefix(struct nft_hook *hook) 1972 { 1973 return strlen(hook->ifname) >= hook->ifnamelen; 1974 } 1975 1976 static int nft_nla_put_hook_dev(struct sk_buff *skb, struct nft_hook *hook) 1977 { 1978 int attr = hook_is_prefix(hook) ? NFTA_DEVICE_PREFIX : NFTA_DEVICE_NAME; 1979 1980 return nla_put_string(skb, attr, hook->ifname); 1981 } 1982 1983 struct nft_hook_dump_ctx { 1984 struct nft_hook *first; 1985 int n; 1986 }; 1987 1988 static int nft_dump_basechain_hook_one(struct sk_buff *skb, 1989 struct nft_hook *hook, 1990 struct nft_hook_dump_ctx *dump_ctx) 1991 { 1992 if (!dump_ctx->first) 1993 dump_ctx->first = hook; 1994 1995 if (nft_nla_put_hook_dev(skb, hook)) 1996 return -1; 1997 1998 dump_ctx->n++; 1999 2000 return 0; 2001 } 2002 2003 static int nft_dump_basechain_hook_list(struct sk_buff *skb, 2004 const struct net *net, 2005 const struct list_head *hook_list, 2006 struct nft_hook_dump_ctx *dump_ctx) 2007 { 2008 struct nft_hook *hook; 2009 int err; 2010 2011 list_for_each_entry_rcu(hook, hook_list, list, 2012 lockdep_commit_lock_is_held(net)) { 2013 err = nft_dump_basechain_hook_one(skb, hook, dump_ctx); 2014 if (err < 0) 2015 return err; 2016 } 2017 2018 return 0; 2019 } 2020 2021 static int nft_dump_basechain_trans_hook_list(struct sk_buff *skb, 2022 const struct list_head *trans_hook_list, 2023 struct nft_hook_dump_ctx *dump_ctx) 2024 { 2025 struct nft_trans_hook *trans_hook; 2026 int err; 2027 2028 list_for_each_entry(trans_hook, trans_hook_list, list) { 2029 err 
= nft_dump_basechain_hook_one(skb, trans_hook->hook, dump_ctx); 2030 if (err < 0) 2031 return err; 2032 } 2033 2034 return 0; 2035 } 2036 2037 static int nft_dump_basechain_hook(struct sk_buff *skb, 2038 const struct net *net, int family, 2039 const struct nft_base_chain *basechain, 2040 const struct list_head *hook_list, 2041 const struct list_head *trans_hook_list) 2042 { 2043 const struct nf_hook_ops *ops = &basechain->ops; 2044 struct nft_hook_dump_ctx dump_hook_ctx = {}; 2045 struct nlattr *nest, *nest_devs; 2046 2047 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 2048 if (nest == NULL) 2049 goto nla_put_failure; 2050 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 2051 goto nla_put_failure; 2052 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 2053 goto nla_put_failure; 2054 2055 if (nft_base_chain_netdev(family, ops->hooknum)) { 2056 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 2057 if (!nest_devs) 2058 goto nla_put_failure; 2059 2060 if (!hook_list && !trans_hook_list) 2061 hook_list = &basechain->hook_list; 2062 2063 if (hook_list && 2064 nft_dump_basechain_hook_list(skb, net, hook_list, &dump_hook_ctx)) { 2065 goto nla_put_failure; 2066 } else if (trans_hook_list && 2067 nft_dump_basechain_trans_hook_list(skb, trans_hook_list, 2068 &dump_hook_ctx)) { 2069 goto nla_put_failure; 2070 } 2071 2072 nla_nest_end(skb, nest_devs); 2073 2074 if (dump_hook_ctx.n == 1 && 2075 !hook_is_prefix(dump_hook_ctx.first) && 2076 nla_put_string(skb, NFTA_HOOK_DEV, dump_hook_ctx.first->ifname)) 2077 goto nla_put_failure; 2078 } 2079 nla_nest_end(skb, nest); 2080 2081 return 0; 2082 nla_put_failure: 2083 return -1; 2084 } 2085 2086 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 2087 u32 portid, u32 seq, int event, u32 flags, 2088 int family, const struct nft_table *table, 2089 const struct nft_chain *chain, 2090 const struct list_head *hook_list, 2091 const struct list_head *trans_hook_list) 2092 { 2093 
struct nlmsghdr *nlh; 2094 2095 nlh = nfnl_msg_put(skb, portid, seq, 2096 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event), 2097 flags, family, NFNETLINK_V0, nft_base_seq_be16(net)); 2098 if (!nlh) 2099 goto nla_put_failure; 2100 2101 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) || 2102 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) || 2103 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 2104 NFTA_CHAIN_PAD)) 2105 goto nla_put_failure; 2106 2107 if (!hook_list && !trans_hook_list && 2108 (event == NFT_MSG_DELCHAIN || 2109 event == NFT_MSG_DESTROYCHAIN)) { 2110 nlmsg_end(skb, nlh); 2111 return 0; 2112 } 2113 2114 if (nft_is_base_chain(chain)) { 2115 const struct nft_base_chain *basechain = nft_base_chain(chain); 2116 struct nft_stats __percpu *stats; 2117 2118 if (nft_dump_basechain_hook(skb, net, family, basechain, 2119 hook_list, trans_hook_list)) 2120 goto nla_put_failure; 2121 2122 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 2123 htonl(basechain->policy))) 2124 goto nla_put_failure; 2125 2126 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 2127 goto nla_put_failure; 2128 2129 stats = rcu_dereference_check(basechain->stats, 2130 lockdep_commit_lock_is_held(net)); 2131 if (nft_dump_stats(skb, stats)) 2132 goto nla_put_failure; 2133 } 2134 2135 if (chain->flags && 2136 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags))) 2137 goto nla_put_failure; 2138 2139 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 2140 goto nla_put_failure; 2141 2142 if (chain->udata && 2143 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata)) 2144 goto nla_put_failure; 2145 2146 nlmsg_end(skb, nlh); 2147 return 0; 2148 2149 nla_put_failure: 2150 nlmsg_trim(skb, nlh); 2151 return -1; 2152 } 2153 2154 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event, 2155 const struct list_head *hook_list, 2156 const struct list_head *trans_hook_list) 2157 { 2158 struct nftables_pernet *nft_net; 2159 struct sk_buff *skb; 
2160 u16 flags = 0; 2161 int err; 2162 2163 if (!ctx->report && 2164 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 2165 return; 2166 2167 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 2168 if (skb == NULL) 2169 goto err; 2170 2171 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 2172 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 2173 2174 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 2175 event, flags, ctx->family, ctx->table, 2176 ctx->chain, hook_list, trans_hook_list); 2177 if (err < 0) { 2178 kfree_skb(skb); 2179 goto err; 2180 } 2181 2182 nft_net = nft_pernet(ctx->net); 2183 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 2184 return; 2185 err: 2186 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 2187 } 2188 2189 static int nf_tables_dump_chains(struct sk_buff *skb, 2190 struct netlink_callback *cb) 2191 { 2192 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2193 unsigned int idx = 0, s_idx = cb->args[0]; 2194 struct net *net = sock_net(skb->sk); 2195 int family = nfmsg->nfgen_family; 2196 struct nftables_pernet *nft_net; 2197 const struct nft_table *table; 2198 const struct nft_chain *chain; 2199 2200 rcu_read_lock(); 2201 nft_net = nft_pernet(net); 2202 cb->seq = nft_base_seq(net); 2203 2204 list_for_each_entry_rcu(table, &nft_net->tables, list) { 2205 if (family != NFPROTO_UNSPEC && family != table->family) 2206 continue; 2207 2208 list_for_each_entry_rcu(chain, &table->chains, list) { 2209 if (idx < s_idx) 2210 goto cont; 2211 if (idx > s_idx) 2212 memset(&cb->args[1], 0, 2213 sizeof(cb->args) - sizeof(cb->args[0])); 2214 if (!nft_is_active(net, chain)) 2215 continue; 2216 if (nf_tables_fill_chain_info(skb, net, 2217 NETLINK_CB(cb->skb).portid, 2218 cb->nlh->nlmsg_seq, 2219 NFT_MSG_NEWCHAIN, 2220 NLM_F_MULTI, 2221 table->family, table, 2222 chain, NULL, NULL) < 0) 2223 goto done; 2224 2225 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 2226 cont: 2227 idx++; 2228 } 2229 } 2230 done: 
2231 rcu_read_unlock(); 2232 cb->args[0] = idx; 2233 return skb->len; 2234 } 2235 2236 /* called with rcu_read_lock held */ 2237 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info, 2238 const struct nlattr * const nla[]) 2239 { 2240 struct netlink_ext_ack *extack = info->extack; 2241 u8 genmask = nft_genmask_cur(info->net); 2242 u8 family = info->nfmsg->nfgen_family; 2243 const struct nft_chain *chain; 2244 struct net *net = info->net; 2245 struct nft_table *table; 2246 struct sk_buff *skb2; 2247 int err; 2248 2249 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 2250 struct netlink_dump_control c = { 2251 .dump = nf_tables_dump_chains, 2252 .module = THIS_MODULE, 2253 }; 2254 2255 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 2256 } 2257 2258 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0); 2259 if (IS_ERR(table)) { 2260 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2261 return PTR_ERR(table); 2262 } 2263 2264 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 2265 if (IS_ERR(chain)) { 2266 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2267 return PTR_ERR(chain); 2268 } 2269 2270 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 2271 if (!skb2) 2272 return -ENOMEM; 2273 2274 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 2275 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 2276 0, family, table, chain, NULL, NULL); 2277 if (err < 0) 2278 goto err_fill_chain_info; 2279 2280 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 2281 2282 err_fill_chain_info: 2283 kfree_skb(skb2); 2284 return err; 2285 } 2286 2287 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 2288 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 2289 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 2290 }; 2291 2292 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 2293 { 2294 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 2295 struct nft_stats __percpu 
*newstats; 2296 struct nft_stats *stats; 2297 int err; 2298 2299 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 2300 nft_counter_policy, NULL); 2301 if (err < 0) 2302 return ERR_PTR_PCPU(err); 2303 2304 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 2305 return ERR_PTR_PCPU(-EINVAL); 2306 2307 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 2308 if (newstats == NULL) 2309 return ERR_PTR_PCPU(-ENOMEM); 2310 2311 /* Restore old counters on this cpu, no problem. Per-cpu statistics 2312 * are not exposed to userspace. 2313 */ 2314 preempt_disable(); 2315 stats = this_cpu_ptr(newstats); 2316 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 2317 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 2318 preempt_enable(); 2319 2320 return newstats; 2321 } 2322 2323 static void nft_chain_stats_replace(struct nft_trans_chain *trans) 2324 { 2325 const struct nft_trans *t = &trans->nft_trans_binding.nft_trans; 2326 struct nft_base_chain *chain = nft_base_chain(trans->chain); 2327 2328 if (!trans->stats) 2329 return; 2330 2331 trans->stats = 2332 rcu_replace_pointer(chain->stats, trans->stats, 2333 lockdep_commit_lock_is_held(t->net)); 2334 2335 if (!trans->stats) 2336 static_branch_inc(&nft_counters_enabled); 2337 } 2338 2339 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 2340 { 2341 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0); 2342 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1); 2343 2344 if (g0 != g1) 2345 kvfree(g1); 2346 kvfree(g0); 2347 2348 /* should be NULL either via abort or via successful commit */ 2349 WARN_ON_ONCE(chain->blob_next); 2350 kvfree(chain->blob_next); 2351 } 2352 2353 void nf_tables_chain_destroy(struct nft_chain *chain) 2354 { 2355 const struct nft_table *table = chain->table; 2356 struct nft_hook *hook, *next; 2357 2358 if (WARN_ON(chain->use > 0)) 2359 return; 2360 2361 /* no concurrent access possible anymore */ 2362 
nf_tables_chain_free_chain_rules(chain);

	if (nft_is_base_chain(chain)) {
		struct nft_base_chain *basechain = nft_base_chain(chain);

		if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
			list_for_each_entry_safe(hook, next,
						 &basechain->hook_list, list)
				nft_netdev_hook_unlink_free_rcu(hook);
		}
		module_put(basechain->type->owner);
		if (rcu_access_pointer(basechain->stats)) {
			static_branch_dec(&nft_counters_enabled);
			free_percpu(rcu_dereference_raw(basechain->stats));
		}
		kfree(chain->name);
		kfree(chain->udata);
		kfree(basechain);
	} else {
		kfree(chain->name);
		kfree(chain->udata);
		kfree(chain);
	}
}

/*
 * nft_netdev_hook_alloc - build an nft_hook from a device name attribute
 * @net: namespace whose devices are matched
 * @attr: NFTA_DEVICE_NAME / NFTA_DEVICE_PREFIX / NFTA_HOOK_DEV attribute
 * @prefix: true if @attr is a prefix that may match several devices
 *
 * The name is copied with nla_strscpy() into hook->ifname, bounded by
 * IFNAMSIZ. For exact matches the stored length includes the NUL so the
 * strncmp() below cannot match a longer device name; for prefixes it
 * does not. One nf_hook_ops is allocated per currently present device
 * whose name matches; a name matching no device yields a hook with an
 * empty ops_list rather than an error. Returns ERR_PTR(-ENOMEM) or the
 * nla_strscpy() error on failure, after freeing what was allocated.
 */
static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
					      const struct nlattr *attr,
					      bool prefix)
{
	struct nf_hook_ops *ops;
	struct net_device *dev;
	struct nft_hook *hook;
	int err;

	hook = kzalloc_obj(struct nft_hook, GFP_KERNEL_ACCOUNT);
	if (!hook)
		return ERR_PTR(-ENOMEM);

	INIT_LIST_HEAD(&hook->ops_list);

	err = nla_strscpy(hook->ifname, attr, IFNAMSIZ);
	if (err < 0)
		goto err_hook_free;

	/* include the terminating NUL-char when comparing non-prefixes */
	hook->ifnamelen = strlen(hook->ifname) + !prefix;

	/* nf_tables_netdev_event() is called under rtnl_mutex, this is
	 * indirectly serializing all the other holders of the commit_mutex with
	 * the rtnl_mutex.
 */
	for_each_netdev(net, dev) {
		if (strncmp(dev->name, hook->ifname, hook->ifnamelen))
			continue;

		ops = kzalloc_obj(struct nf_hook_ops, GFP_KERNEL_ACCOUNT);
		if (!ops) {
			err = -ENOMEM;
			goto err_hook_free;
		}
		ops->dev = dev;
		list_add_tail(&ops->list, &hook->ops_list);
	}
	return hook;

err_hook_free:
	/* presumably also drops the ops already queued on hook->ops_list;
	 * nft_netdev_hook_free() is not visible here
	 */
	nft_netdev_hook_free(hook);
	return ERR_PTR(err);
}

/*
 * nft_hook_list_find - find an existing hook matching @this
 * @hook_list: list of struct nft_hook to search
 * @this: hook whose ifname/ifnamelen is the search key
 *
 * Names are compared over the shorter of the two stored lengths, so a
 * prefix hook and an exact hook that share that prefix compare equal.
 * Entries flagged NFT_HOOK_REMOVE (queued for deletion by
 * nft_trans_delhook()) are skipped. Returns the match or NULL.
 */
static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
					   const struct nft_hook *this)
{
	struct nft_hook *hook;

	list_for_each_entry(hook, hook_list, list) {
		if (!strncmp(hook->ifname, this->ifname,
			     min(hook->ifnamelen, this->ifnamelen))) {
			if (hook->flags & NFT_HOOK_REMOVE)
				continue;

			return hook;
		}
	}

	return NULL;
}

/*
 * nf_tables_parse_netdev_hooks - parse a nested NFTA_HOOK_DEVS list
 * @net: namespace for device matching
 * @attr: nested attribute holding NFTA_DEVICE_NAME / NFTA_DEVICE_PREFIX
 * @hook_list: list the new hooks are appended to
 * @extack: extended ack for flagging the offending attribute
 *
 * Any other nested type is -EINVAL. A device already on @hook_list
 * (per nft_hook_list_find()) is -EEXIST. The count is checked *after*
 * linking, so -EFBIG fires as soon as n reaches NFT_NETDEVICE_MAX.
 * On any error every hook on @hook_list - including entries the caller
 * may have placed there beforehand - is unlinked and freed.
 */
static int nf_tables_parse_netdev_hooks(struct net *net,
					const struct nlattr *attr,
					struct list_head *hook_list,
					struct netlink_ext_ack *extack)
{
	struct nft_hook *hook, *next;
	const struct nlattr *tmp;
	int rem, n = 0, err;
	bool prefix;

	nla_for_each_nested(tmp, attr, rem) {
		switch (nla_type(tmp)) {
		case NFTA_DEVICE_NAME:
			prefix = false;
			break;
		case NFTA_DEVICE_PREFIX:
			prefix = true;
			break;
		default:
			err = -EINVAL;
			goto err_hook;
		}

		hook = nft_netdev_hook_alloc(net, tmp, prefix);
		if (IS_ERR(hook)) {
			NL_SET_BAD_ATTR(extack, tmp);
			err = PTR_ERR(hook);
			goto err_hook;
		}
		if (nft_hook_list_find(hook_list, hook)) {
			NL_SET_BAD_ATTR(extack, tmp);
			nft_netdev_hook_free(hook);
			err = -EEXIST;
			goto err_hook;
		}
		list_add_tail(&hook->list, hook_list);
		n++;

		if (n == NFT_NETDEVICE_MAX) {
			err = -EFBIG;
			goto err_hook;
		}
	}

	return 0;

err_hook:
	list_for_each_entry_safe(hook, next, hook_list, list) {
list_del(&hook->list);
		nft_netdev_hook_free(hook);
	}
	return err;
}

/* Parsed NFTA_CHAIN_HOOK: hook number, priority, chain type (a module
 * reference on type->owner is held once nft_chain_parse_hook() succeeds)
 * and, for netdev-family hooks, the list of struct nft_hook devices.
 * Released with nft_chain_release_hook().
 */
struct nft_chain_hook {
	u32				num;
	s32				priority;
	const struct nft_chain_type	*type;
	struct list_head		list;
};

/*
 * nft_chain_parse_netdev - collect the device hooks of a netdev base chain
 * @tb: parsed NFTA_HOOK_* attributes
 * @hook_list: receives the hooks
 * @flags: chain flags; NFT_CHAIN_HW_OFFLOAD demands at least one device
 *
 * NFTA_HOOK_DEV names a single device (exact match, no prefix); else
 * NFTA_HOOK_DEVS holds a nested list. When NFTA_HOOK_DEV is present
 * NFTA_HOOK_DEVS is not looked at. Returns 0, -EINVAL for an offload
 * chain without devices, or the parser's error.
 */
static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
				  struct list_head *hook_list,
				  struct netlink_ext_ack *extack, u32 flags)
{
	struct nft_hook *hook;
	int err;

	if (tb[NFTA_HOOK_DEV]) {
		hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV], false);
		if (IS_ERR(hook)) {
			NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
			return PTR_ERR(hook);
		}

		list_add_tail(&hook->list, hook_list);
	} else if (tb[NFTA_HOOK_DEVS]) {
		err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
						   hook_list, extack);
		if (err < 0)
			return err;

	}

	if (flags & NFT_CHAIN_HW_OFFLOAD &&
	    list_empty(hook_list))
		return -EINVAL;

	return 0;
}

/*
 * nft_chain_parse_hook - parse NFTA_CHAIN_HOOK for a new or existing chain
 * @basechain: NULL when creating a chain; else the chain being updated
 * @hook: output; callers pass it zero-initialised
 *
 * New chains: hook number and priority are mandatory (-ENOENT
 * otherwise); the type defaults to NFT_CHAIN_T_DEFAULT and may be
 * overridden via NFTA_CHAIN_TYPE (the trailing true argument to
 * nf_tables_chain_type_lookup() presumably permits module autoload).
 * Existing chains: hook number and priority, if given, must equal the
 * chain's; the type is looked up without autoload or taken from the
 * chain.
 *
 * On success a module reference on type->owner is held for the caller
 * and must be dropped with nft_chain_release_hook(). Must run under
 * commit_mutex and without the nfnl mutex.
 */
static int nft_chain_parse_hook(struct net *net,
				struct nft_base_chain *basechain,
				const struct nlattr * const nla[],
				struct nft_chain_hook *hook, u8 family,
				u32 flags, struct netlink_ext_ack *extack)
{
	struct nftables_pernet *nft_net = nft_pernet(net);
	struct nlattr *ha[NFTA_HOOK_MAX + 1];
	const struct nft_chain_type *type;
	int err;

	lockdep_assert_held(&nft_net->commit_mutex);
	lockdep_nfnl_nft_mutex_not_held();

	err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
					  nla[NFTA_CHAIN_HOOK],
					  nft_hook_policy, NULL);
	if (err < 0)
		return err;

	if (!basechain) {
		if (!ha[NFTA_HOOK_HOOKNUM] ||
		    !ha[NFTA_HOOK_PRIORITY]) {
			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
			return -ENOENT;
		}

		hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
		hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));

		type = __nft_chain_type_get(family,
NFT_CHAIN_T_DEFAULT);
		if (!type)
			return -EOPNOTSUPP;

		if (nla[NFTA_CHAIN_TYPE]) {
			type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
							   family, true);
			if (IS_ERR(type)) {
				NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
				return PTR_ERR(type);
			}
		}
		/* hook->num is untrusted: bound it before it is used as a
		 * shift count here and later as the hooks[] index in
		 * nft_basechain_hook_init().
		 */
		if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
			return -EOPNOTSUPP;

		/* NAT chains must be ordered after conntrack */
		if (type->type == NFT_CHAIN_T_NAT &&
		    hook->priority <= NF_IP_PRI_CONNTRACK)
			return -EOPNOTSUPP;
	} else {
		/* both attributes are optional here; when omitted hook->num /
		 * hook->priority keep the caller's zero-initialised values,
		 * and hook->num then also feeds the nft_base_chain_netdev()
		 * decision below
		 */
		if (ha[NFTA_HOOK_HOOKNUM]) {
			hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
			if (hook->num != basechain->ops.hooknum)
				return -EOPNOTSUPP;
		}
		if (ha[NFTA_HOOK_PRIORITY]) {
			hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
			if (hook->priority != basechain->ops.priority)
				return -EOPNOTSUPP;
		}

		if (nla[NFTA_CHAIN_TYPE]) {
			type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
							     family);
			if (!type) {
				NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
				return -ENOENT;
			}
		} else {
			type = basechain->type;
		}
	}

	if (!try_module_get(type->owner)) {
		if (nla[NFTA_CHAIN_TYPE])
			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
		return -ENOENT;
	}

	hook->type = type;

	INIT_LIST_HEAD(&hook->list);
	if (nft_base_chain_netdev(family, hook->num)) {
		err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
		if (err < 0) {
			module_put(type->owner);
			return err;
		}
	} else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
		/* device attributes are only valid for netdev hooks */
		module_put(type->owner);
		return -EOPNOTSUPP;
	}

	return 0;
}

/*
 * nft_chain_release_hook - undo nft_chain_parse_hook()
 *
 * Frees every device hook still on hook->list and drops the chain type
 * module reference.
 */
static void nft_chain_release_hook(struct nft_chain_hook *hook)
{
	struct nft_hook *h, *next;

	list_for_each_entry_safe(h, next, &hook->list, list) {
		list_del(&h->list);
		nft_netdev_hook_free(h);
	}

module_put(hook->type->owner);
}

/*
 * nft_last_rule - write the end-of-chain trailer at @ptr
 *
 * The trailer is a struct nft_rule_dp_last whose end marker must sit at
 * offset 0 (enforced by the BUILD_BUG_ON). It flags is_last and carries
 * a back pointer to the owning chain.
 */
static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
{
	struct nft_rule_dp_last *lrule;

	BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);

	lrule = (struct nft_rule_dp_last *)ptr;
	lrule->end.is_last = 1;
	lrule->chain = chain;
	/* blob size does not include the trailer rule */
}

/*
 * nf_tables_chain_alloc_rules - allocate an (empty) rule blob for @chain
 * @size: payload bytes requested, excluding header and trailer
 *
 * Sizes above INT_MAX are refused before header and trailer are added,
 * so the addition cannot wrap the unsigned int. The blob starts with
 * size 0 and a trailer written at data[0]. Returns NULL on failure.
 */
static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
							 unsigned int size)
{
	struct nft_rule_blob *blob;

	if (size > INT_MAX)
		return NULL;

	size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);

	blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
	if (!blob)
		return NULL;

	blob->size = 0;
	nft_last_rule(chain, blob->data);

	return blob;
}

/*
 * nft_basechain_hook_init - fill an nf_hook_ops for a base chain hook
 *
 * hook->num was range-checked against NFT_MAX_HOOKS in
 * nft_chain_parse_hook() before it is used to index type->hooks[] here.
 */
static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
				    const struct nft_chain_hook *hook,
				    struct nft_chain *chain)
{
	ops->pf = family;
	ops->hooknum = hook->num;
	ops->priority = hook->priority;
	ops->priv = chain;
	ops->hook = hook->type->hooks[ops->hooknum];
	ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
}

/*
 * nft_basechain_init - initialise a freshly allocated base chain
 * @hook: parsed hook; its device list is moved into the basechain
 *
 * For netdev hooks every per-device nf_hook_ops receives the same
 * pf/hooknum/priority/hook as the chain's own ops. If
 * NFT_CHAIN_HW_OFFLOAD is requested but unsupported, the device list is
 * moved back to @hook so the caller's nft_chain_release_hook() frees it,
 * and -EOPNOTSUPP is returned.
 */
static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
			      struct nft_chain_hook *hook, u32 flags)
{
	struct nft_chain *chain;
	struct nf_hook_ops *ops;
	struct nft_hook *h;

	basechain->type = hook->type;
	INIT_LIST_HEAD(&basechain->hook_list);
	chain = &basechain->chain;

	if (nft_base_chain_netdev(family, hook->num)) {
		list_splice_init(&hook->list, &basechain->hook_list);
		list_for_each_entry(h, &basechain->hook_list, list) {
			list_for_each_entry(ops, &h->ops_list, list)
				nft_basechain_hook_init(ops, family, hook, chain);
		}
	}
	nft_basechain_hook_init(&basechain->ops, family, hook, chain);

	chain->flags |= NFT_CHAIN_BASE
| flags;
	basechain->policy = NF_ACCEPT;
	if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
	    !nft_chain_offload_support(basechain)) {
		/* hand the device hooks back so the caller releases them */
		list_splice_init(&basechain->hook_list, &hook->list);
		return -EOPNOTSUPP;
	}

	flow_block_init(&basechain->flow_block);

	return 0;
}

/*
 * nft_chain_add - link @chain into @table's name hash and chain list
 *
 * A failed rhltable insert is returned before the list is touched, so
 * the chain is then still fully unlinked.
 */
int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
{
	int err;

	err = rhltable_insert_key(&table->chains_ht, chain->name,
				  &chain->rhlhead, nft_chain_ht_params);
	if (err)
		return err;

	list_add_tail_rcu(&chain->list, &table->chains);

	return 0;
}

/* Sequence number for the auto-generated "__chain%llu" names of binding
 * chains. Incremented in nf_tables_addchain(), which is reached from
 * nf_tables_newchain() under commit_mutex.
 */
static u64 chain_id;

/*
 * nf_tables_addchain - create a new chain for a NEWCHAIN request
 * @policy: initial policy, recorded in the transaction for base chains
 * @flags: NFT_CHAIN_* flags requested by userspace
 *
 * With NFTA_CHAIN_HOOK a base chain is built (hook parsed, optional
 * counters, nft_basechain_init()); without it a plain chain, for which
 * NFT_CHAIN_BASE is -EINVAL and NFT_CHAIN_HW_OFFLOAD -EOPNOTSUPP. A
 * name is mandatory unless the chain is a binding chain, which gets an
 * anonymous "__chain<N>" name. The chain gets an empty rule blob, a
 * table use count, a NEWCHAIN transaction, its hash/list links and
 * finally its hooks. Every failure path ends in nf_tables_chain_destroy(),
 * which frees the name, udata, blob, counters and device hooks.
 */
static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 policy,
			      u32 flags, struct netlink_ext_ack *extack)
{
	const struct nlattr * const *nla = ctx->nla;
	struct nft_table *table = ctx->table;
	struct nft_base_chain *basechain;
	struct net *net = ctx->net;
	char name[NFT_NAME_MAXLEN];
	struct nft_rule_blob *blob;
	struct nft_trans *trans;
	struct nft_chain *chain;
	int err;

	if (nla[NFTA_CHAIN_HOOK]) {
		struct nft_stats __percpu *stats = NULL;
		struct nft_chain_hook hook = {};

		/* no new base chains while the table has a pending update */
		if (table->flags & __NFT_TABLE_F_UPDATE)
			return -EINVAL;

		/* binding chains cannot be base chains */
		if (flags & NFT_CHAIN_BINDING)
			return -EOPNOTSUPP;

		err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
					   extack);
		if (err < 0)
			return err;

		basechain = kzalloc_obj(*basechain, GFP_KERNEL_ACCOUNT);
		if (basechain == NULL) {
			nft_chain_release_hook(&hook);
			return -ENOMEM;
		}
		chain = &basechain->chain;

		if (nla[NFTA_CHAIN_COUNTERS]) {
			stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
			if (IS_ERR_PCPU(stats)) {
				nft_chain_release_hook(&hook);
				kfree(basechain);
				return PTR_ERR_PCPU(stats);
			}
			rcu_assign_pointer(basechain->stats, stats);
		}

		err =
nft_basechain_init(basechain, family, &hook, flags);
		if (err < 0) {
			nft_chain_release_hook(&hook);
			kfree(basechain);
			free_percpu(stats);
			return err;
		}
		/* from here on nf_tables_chain_destroy() owns the hooks, stats
		 * and basechain; it also balances this static_branch_inc()
		 */
		if (stats)
			static_branch_inc(&nft_counters_enabled);
	} else {
		if (flags & NFT_CHAIN_BASE)
			return -EINVAL;
		if (flags & NFT_CHAIN_HW_OFFLOAD)
			return -EOPNOTSUPP;

		chain = kzalloc_obj(*chain, GFP_KERNEL_ACCOUNT);
		if (chain == NULL)
			return -ENOMEM;

		chain->flags = flags;
	}
	ctx->chain = chain;

	INIT_LIST_HEAD(&chain->rules);
	chain->handle = nf_tables_alloc_handle(table);
	chain->table = table;

	if (nla[NFTA_CHAIN_NAME]) {
		chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
	} else {
		/* only binding chains may go unnamed */
		if (!(flags & NFT_CHAIN_BINDING)) {
			err = -EINVAL;
			goto err_destroy_chain;
		}

		snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
		chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
	}

	if (!chain->name) {
		err = -ENOMEM;
		goto err_destroy_chain;
	}

	if (nla[NFTA_CHAIN_USERDATA]) {
		chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
		if (chain->udata == NULL) {
			err = -ENOMEM;
			goto err_destroy_chain;
		}
		chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
	}

	/* start with an empty blob shared by both generations;
	 * nf_tables_chain_free_chain_rules() accounts for the sharing
	 */
	blob = nf_tables_chain_alloc_rules(chain, 0);
	if (!blob) {
		err = -ENOMEM;
		goto err_destroy_chain;
	}

	RCU_INIT_POINTER(chain->blob_gen_0, blob);
	RCU_INIT_POINTER(chain->blob_gen_1, blob);

	if (!nft_use_inc(&table->use)) {
		err = -EMFILE;
		goto err_destroy_chain;
	}

	trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
	if (IS_ERR(trans)) {
		err = PTR_ERR(trans);
		goto err_trans;
	}

	nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
	if (nft_is_base_chain(chain))
		nft_trans_chain_policy(trans) = policy;

err = nft_chain_add(table, chain);
	if (err < 0)
		goto err_chain_add;

	/* This must be LAST to ensure no packets are walking over this chain. */
	err = nf_tables_register_hook(net, table, chain);
	if (err < 0)
		goto err_register_hook;

	return 0;

err_register_hook:
	nft_chain_del(chain);
	/* the chain was on the RCU list; let readers drain before
	 * nf_tables_chain_destroy() frees it without RCU deferral
	 */
	synchronize_rcu();
err_chain_add:
	nft_trans_destroy(trans);
err_trans:
	nft_use_dec_restore(&table->use);
err_destroy_chain:
	nf_tables_chain_destroy(chain);

	return err;
}

/*
 * nf_tables_updchain - update an existing chain for a NEWCHAIN request
 * @genmask: next-generation mask for name lookups
 * @policy: new policy, applied only if NFTA_CHAIN_POLICY was given
 * @flags: must equal the chain's current flags exactly
 * @attr: attribute the chain was addressed by (name or handle), for extack
 *
 * Supported updates: adding netdev devices to a base chain's hook,
 * replacing counters, changing the policy, and renaming (NFTA_CHAIN_NAME
 * together with NFTA_CHAIN_HANDLE). Everything is recorded in a
 * NFT_MSG_NEWCHAIN transaction with chain_update set; the only immediate
 * side effect is that new netdev hooks of an active (non-dormant) table
 * are registered right away, and unregistered again on a later failure.
 *
 * Returns 0 or a negative errno. -EEXIST covers a hook on a non-base
 * chain, a type/hooknum/priority mismatch, a device already pending in
 * another uncommitted update, and a name clash (committed or pending);
 * -EOPNOTSUPP a flags change, new hooks on a table under update, and
 * counters on a non-base chain.
 */
static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
			      u32 flags, const struct nlattr *attr,
			      struct netlink_ext_ack *extack)
{
	const struct nlattr * const *nla = ctx->nla;
	struct nft_base_chain *basechain = NULL;
	struct nft_table *table = ctx->table;
	struct nft_chain *chain = ctx->chain;
	struct nft_chain_hook hook = {};
	struct nft_stats __percpu *stats = NULL;
	struct nftables_pernet *nft_net;
	struct nft_hook *h, *next;
	struct nf_hook_ops *ops;
	struct nft_trans *trans;
	bool unregister = false;
	int err;

	/* chain flags are immutable once created */
	if (chain->flags ^ flags)
		return -EOPNOTSUPP;

	INIT_LIST_HEAD(&hook.list);

	if (nla[NFTA_CHAIN_HOOK]) {
		if (!nft_is_base_chain(chain)) {
			NL_SET_BAD_ATTR(extack, attr);
			return -EEXIST;
		}

		basechain = nft_base_chain(chain);
		err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
					   ctx->family, flags, extack);
		if (err < 0)
			return err;

		if (basechain->type != hook.type) {
			nft_chain_release_hook(&hook);
			NL_SET_BAD_ATTR(extack, attr);
			return -EEXIST;
		}

		if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
			list_for_each_entry_safe(h, next, &hook.list, list) {
				/* per-device ops mirror the chain's own ops */
				list_for_each_entry(ops, &h->ops_list, list) {
					ops->pf = basechain->ops.pf;
					ops->hooknum = basechain->ops.hooknum;
ops->priority = basechain->ops.priority;
					ops->priv = basechain->ops.priv;
					ops->hook = basechain->ops.hook;
				}

				/* a device already hooked on this chain is dropped
				 * silently ...
				 */
				if (nft_hook_list_find(&basechain->hook_list, h)) {
					list_del(&h->list);
					nft_netdev_hook_free(h);
					continue;
				}

				/* ... but one queued by an earlier, uncommitted
				 * chain update in this table is an error
				 */
				nft_net = nft_pernet(ctx->net);
				list_for_each_entry(trans, &nft_net->commit_list, list) {
					if (trans->msg_type != NFT_MSG_NEWCHAIN ||
					    trans->table != ctx->table ||
					    !nft_trans_chain_update(trans))
						continue;

					if (nft_hook_list_find(&nft_trans_chain_hooks(trans), h)) {
						nft_chain_release_hook(&hook);
						return -EEXIST;
					}
				}
			}
		} else {
			/* hook.num / hook.priority are still 0 from the
			 * initialiser if the attributes were omitted
			 */
			ops = &basechain->ops;
			if (ops->hooknum != hook.num ||
			    ops->priority != hook.priority) {
				nft_chain_release_hook(&hook);
				NL_SET_BAD_ATTR(extack, attr);
				return -EEXIST;
			}
		}
	}

	if (nla[NFTA_CHAIN_HANDLE] &&
	    nla[NFTA_CHAIN_NAME]) {
		struct nft_chain *chain2;

		/* rename: the new name must be free in the next generation */
		chain2 = nft_chain_lookup(ctx->net, table,
					  nla[NFTA_CHAIN_NAME], genmask);
		if (!IS_ERR(chain2)) {
			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
			err = -EEXIST;
			goto err_hooks;
		}
	}

	if (table->flags & __NFT_TABLE_F_UPDATE &&
	    !list_empty(&hook.list)) {
		NL_SET_BAD_ATTR(extack, attr);
		err = -EOPNOTSUPP;
		goto err_hooks;
	}

	if (!(table->flags & NFT_TABLE_F_DORMANT) &&
	    nft_is_base_chain(chain) &&
	    !list_empty(&hook.list)) {
		basechain = nft_base_chain(chain);
		ops = &basechain->ops;

		/* active table: hook the new devices now and remember to
		 * undo it if anything below fails
		 */
		if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
			err = nft_netdev_register_hooks(ctx->net, &hook.list);
			if (err < 0)
				goto err_hooks;

			unregister = true;
		}
	}

	if (nla[NFTA_CHAIN_COUNTERS]) {
		if (!nft_is_base_chain(chain)) {
			err = -EOPNOTSUPP;
			goto err_hooks;
		}

		stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
		if
(IS_ERR_PCPU(stats)) {
			err = PTR_ERR_PCPU(stats);
			goto err_hooks;
		}
	}

	err = -ENOMEM;
	trans = nft_trans_alloc_chain(ctx, NFT_MSG_NEWCHAIN);
	if (trans == NULL)
		goto err_trans;

	nft_trans_chain_stats(trans) = stats;
	nft_trans_chain_update(trans) = true;

	/* -1 presumably means "policy unchanged" to the commit side,
	 * which is not part of this excerpt
	 */
	if (nla[NFTA_CHAIN_POLICY])
		nft_trans_chain_policy(trans) = policy;
	else
		nft_trans_chain_policy(trans) = -1;

	if (nla[NFTA_CHAIN_HANDLE] &&
	    nla[NFTA_CHAIN_NAME]) {
		struct nftables_pernet *nft_net = nft_pernet(ctx->net);
		struct nft_trans *tmp;
		char *name;

		err = -ENOMEM;
		name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
		if (!name)
			goto err_trans;

		/* the name must also not be claimed by a pending rename in
		 * this table; committed state was checked above
		 */
		err = -EEXIST;
		list_for_each_entry(tmp, &nft_net->commit_list, list) {
			if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
			    tmp->table == table &&
			    nft_trans_chain_update(tmp) &&
			    nft_trans_chain_name(tmp) &&
			    strcmp(name, nft_trans_chain_name(tmp)) == 0) {
				NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
				kfree(name);
				goto err_trans;
			}
		}

		nft_trans_chain_name(trans) = name;
	}

	nft_trans_basechain(trans) = basechain;
	INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
	/* the transaction takes over the device hooks but not the type
	 * module reference held since nft_chain_parse_hook()
	 */
	list_splice(&hook.list, &nft_trans_chain_hooks(trans));
	if (nla[NFTA_CHAIN_HOOK])
		module_put(hook.type->owner);

	nft_trans_commit_list_add_tail(ctx->net, trans);

	return 0;

err_trans:
	free_percpu(stats);
	kfree(trans);	/* NULL when the allocation itself failed */
err_hooks:
	if (nla[NFTA_CHAIN_HOOK]) {
		list_for_each_entry_safe(h, next, &hook.list, list) {
			if (unregister) {
				list_for_each_entry(ops, &h->ops_list, list)
					nf_unregister_net_hook(ctx->net, ops);
			}
			/* hook.list is on stack, no need for list_del_rcu() */
			list_del(&h->list);
			nft_netdev_hook_free_rcu(h);
		}
		module_put(hook.type->owner);
	}

	return err;
}
/*
 * nft_chain_lookup_byid - find a chain created earlier in this batch
 * @nla: NFTA_CHAIN_ID attribute (big-endian u32)
 *
 * Scans the pending commit list for a NEWCHAIN transaction in @table
 * whose chain id matches and whose chain is active in @genmask.
 * Returns the chain or ERR_PTR(-ENOENT).
 */
static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
					       const struct nft_table *table,
					       const struct nlattr *nla, u8 genmask)
{
	struct nftables_pernet *nft_net = nft_pernet(net);
	u32 id = ntohl(nla_get_be32(nla));
	struct nft_trans *trans;

	list_for_each_entry(trans, &nft_net->commit_list, list) {
		if (trans->msg_type == NFT_MSG_NEWCHAIN &&
		    nft_trans_chain(trans)->table == table &&
		    id == nft_trans_chain_id(trans) &&
		    nft_active_genmask(nft_trans_chain(trans), genmask))
			return nft_trans_chain(trans);
	}
	return ERR_PTR(-ENOENT);
}

/*
 * nf_tables_newchain - NFT_MSG_NEWCHAIN entry point
 *
 * Resolves the table (passing the requester's portid, unlike
 * nf_tables_getchain(); presumably for the owner check) and the chain
 * addressed by NFTA_CHAIN_HANDLE or NFTA_CHAIN_NAME; an unknown name
 * means "create". Without handle, name or NFTA_CHAIN_ID the request is
 * -EINVAL. NFTA_CHAIN_POLICY is only accepted for base chains (existing
 * ones, or new ones carrying NFTA_CHAIN_HOOK) and must be NF_DROP or
 * NF_ACCEPT; note that policy is a u8, so the 32-bit attribute value is
 * truncated before that check. Flags outside NFT_CHAIN_FLAGS are
 * -EOPNOTSUPP. For an existing chain NLM_F_EXCL is -EEXIST, NLM_F_REPLACE
 * -EOPNOTSUPP and binding chains -EINVAL; the request then goes to
 * nf_tables_updchain(), otherwise to nf_tables_addchain().
 * Runs under commit_mutex.
 */
static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
			      const struct nlattr * const nla[])
{
	struct nftables_pernet *nft_net = nft_pernet(info->net);
	struct netlink_ext_ack *extack = info->extack;
	u8 genmask = nft_genmask_next(info->net);
	u8 family = info->nfmsg->nfgen_family;
	struct nft_chain *chain = NULL;
	struct net *net = info->net;
	const struct nlattr *attr;
	struct nft_table *table;
	u8 policy = NF_ACCEPT;
	struct nft_ctx ctx;
	u64 handle = 0;
	u32 flags = 0;

	lockdep_assert_held(&nft_net->commit_mutex);

	table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
				 NETLINK_CB(skb).portid);
	if (IS_ERR(table)) {
		NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
		return PTR_ERR(table);
	}

	chain = NULL;
	attr = nla[NFTA_CHAIN_NAME];

	if (nla[NFTA_CHAIN_HANDLE]) {
		handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
		chain = nft_chain_lookup_byhandle(table, handle, genmask);
		if (IS_ERR(chain)) {
			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
			return PTR_ERR(chain);
		}
		attr = nla[NFTA_CHAIN_HANDLE];
	} else if (nla[NFTA_CHAIN_NAME]) {
		chain = nft_chain_lookup(net, table, attr, genmask);
		if (IS_ERR(chain)) {
			if
(PTR_ERR(chain) != -ENOENT) {
				NL_SET_BAD_ATTR(extack, attr);
				return PTR_ERR(chain);
			}
			/* no such chain yet: this becomes a create */
			chain = NULL;
		}
	} else if (!nla[NFTA_CHAIN_ID]) {
		return -EINVAL;
	}

	if (nla[NFTA_CHAIN_POLICY]) {
		if (chain != NULL &&
		    !nft_is_base_chain(chain)) {
			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
			return -EOPNOTSUPP;
		}

		if (chain == NULL &&
		    nla[NFTA_CHAIN_HOOK] == NULL) {
			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
			return -EOPNOTSUPP;
		}

		/* policy is u8: the u32 attribute is truncated before the
		 * validation below
		 */
		policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
		switch (policy) {
		case NF_DROP:
		case NF_ACCEPT:
			break;
		default:
			return -EINVAL;
		}
	}

	if (nla[NFTA_CHAIN_FLAGS])
		flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
	else if (chain)
		flags = chain->flags;

	if (flags & ~NFT_CHAIN_FLAGS)
		return -EOPNOTSUPP;

	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);

	if (chain != NULL) {
		if (chain->flags & NFT_CHAIN_BINDING)
			return -EINVAL;

		if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
			NL_SET_BAD_ATTR(extack, attr);
			return -EEXIST;
		}
		if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
			return -EOPNOTSUPP;

		/* carry the chain's NFT_CHAIN_BASE bit so the exact flags
		 * comparison in nf_tables_updchain() sees the same value
		 */
		flags |= chain->flags & NFT_CHAIN_BASE;
		return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
					  extack);
	}

	return nf_tables_addchain(&ctx, family, policy, flags, extack);
}

/*
 * nft_trans_delhook - queue @hook for removal
 *
 * Records @hook on @del_list and flags it NFT_HOOK_REMOVE so that
 * nft_hook_list_find() no longer returns it while the deletion is
 * pending. Returns -ENOMEM if the record cannot be allocated.
 */
static int nft_trans_delhook(struct nft_hook *hook,
			     struct list_head *del_list)
{
	struct nft_trans_hook *trans_hook;

	trans_hook = kmalloc_obj(*trans_hook, GFP_KERNEL);
	if (!trans_hook)
		return -ENOMEM;

	trans_hook->hook = hook;
	list_add_tail(&trans_hook->list, del_list);
	hook->flags |= NFT_HOOK_REMOVE;

	return 0;
}

/*
 * nft_trans_delhook_abort - undo nft_trans_delhook() for every entry
 *
 * Clears NFT_HOOK_REMOVE on each hook and destroys the records.
 */
static void nft_trans_delhook_abort(struct list_head *del_list)
{
	struct
nft_trans_hook *trans_hook, *next;

	list_for_each_entry_safe(trans_hook, next, del_list, list) {
		trans_hook->hook->flags &= ~NFT_HOOK_REMOVE;
		nft_trans_hook_destroy(trans_hook);
	}
}

/*
 * nft_delchain_hook - remove individual devices from a netdev base chain
 *
 * Used by nf_tables_delchain() when NFTA_CHAIN_HOOK names devices rather
 * than deleting the whole chain. Every named device must currently be
 * hooked (-ENOENT otherwise). The removals are queued as an
 * NFT_MSG_DELCHAIN transaction with chain_update set; the parsed hook
 * list itself is released here, only the nft_trans_hook records are
 * kept. Refused with -EOPNOTSUPP while the table is under update.
 */
static int nft_delchain_hook(struct nft_ctx *ctx,
			     struct nft_base_chain *basechain,
			     struct netlink_ext_ack *extack)
{
	const struct nft_chain *chain = &basechain->chain;
	const struct nlattr * const *nla = ctx->nla;
	struct nft_chain_hook chain_hook = {};
	struct nft_hook *this, *hook;
	LIST_HEAD(chain_del_list);
	struct nft_trans *trans;
	int err;

	if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
		return -EOPNOTSUPP;

	err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
				   ctx->family, chain->flags, extack);
	if (err < 0)
		return err;

	list_for_each_entry(this, &chain_hook.list, list) {
		hook = nft_hook_list_find(&basechain->hook_list, this);
		if (!hook) {
			err = -ENOENT;
			goto err_chain_del_hook;
		}
		if (nft_trans_delhook(hook, &chain_del_list) < 0) {
			err = -ENOMEM;
			goto err_chain_del_hook;
		}
	}

	trans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN);
	if (!trans) {
		err = -ENOMEM;
		goto err_chain_del_hook;
	}

	nft_trans_basechain(trans) = basechain;
	nft_trans_chain_update(trans) = true;
	INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
	list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
	nft_chain_release_hook(&chain_hook);

	nft_trans_commit_list_add_tail(ctx->net, trans);

	return 0;

err_chain_del_hook:
	/* clears NFT_HOOK_REMOVE on everything queued so far */
	nft_trans_delhook_abort(&chain_del_list);
	nft_chain_release_hook(&chain_hook);

	return err;
}

/*
 * nf_tables_delchain - NFT_MSG_DELCHAIN / NFT_MSG_DESTROYCHAIN entry point
 *
 * Looks the chain up by handle or name in the next generation. For
 * DESTROYCHAIN a missing chain is success (0). Binding chains cannot be
 * deleted this way (-EOPNOTSUPP). With NFTA_CHAIN_HOOK on a netdev base
 * chain only the named devices are removed (nft_delchain_hook()); that
 * form is refused for DESTROYCHAIN and for offloaded chains. Otherwise
 * the chain's rules active in the next generation are deleted first
 * (unless NLM_F_NONREC forbids that, -EBUSY while referenced); if
 * references remain afterwards the request fails with -EBUSY, else the
 * chain itself is queued for deletion.
 */
static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
			      const struct nlattr * const nla[])
{
	struct netlink_ext_ack *extack = info->extack;
	u8 genmask =
nft_genmask_next(info->net);
	u8 family = info->nfmsg->nfgen_family;
	struct net *net = info->net;
	const struct nlattr *attr;
	struct nft_table *table;
	struct nft_chain *chain;
	struct nft_rule *rule;
	struct nft_ctx ctx;
	u64 handle;
	u32 use;
	int err;

	table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
				 NETLINK_CB(skb).portid);
	if (IS_ERR(table)) {
		NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
		return PTR_ERR(table);
	}

	if (nla[NFTA_CHAIN_HANDLE]) {
		attr = nla[NFTA_CHAIN_HANDLE];
		handle = be64_to_cpu(nla_get_be64(attr));
		chain = nft_chain_lookup_byhandle(table, handle, genmask);
	} else {
		attr = nla[NFTA_CHAIN_NAME];
		chain = nft_chain_lookup(net, table, attr, genmask);
	}
	if (IS_ERR(chain)) {
		/* DESTROYCHAIN is idempotent: a missing chain is not an error */
		if (PTR_ERR(chain) == -ENOENT &&
		    NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
			return 0;

		NL_SET_BAD_ATTR(extack, attr);
		return PTR_ERR(chain);
	}

	if (nft_chain_binding(chain))
		return -EOPNOTSUPP;

	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);

	if (nla[NFTA_CHAIN_HOOK]) {
		if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN ||
		    chain->flags & NFT_CHAIN_HW_OFFLOAD)
			return -EOPNOTSUPP;

		if (nft_is_base_chain(chain)) {
			struct nft_base_chain *basechain = nft_base_chain(chain);

			if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
				return nft_delchain_hook(&ctx, basechain, extack);
		}
		/* on any other chain NFTA_CHAIN_HOOK is ignored and the whole
		 * chain is deleted below
		 */
	}

	if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
	    chain->use > 0)
		return -EBUSY;

	/* delete the chain's own (next-generation) rules and compute the
	 * references that would remain afterwards
	 */
	use = chain->use;
	list_for_each_entry(rule, &chain->rules, list) {
		if (!nft_is_active_next(net, rule))
			continue;
		use--;

		err = nft_delrule(&ctx, rule);
		if (err < 0)
			return err;
	}

	/* There are rules and elements that are
still holding references to us,
	 * we cannot do a recursive removal in this case.
	 */
	if (use > 0) {
		NL_SET_BAD_ATTR(extack, attr);
		return -EBUSY;
	}

	return nft_delchain(&ctx);
}

/*
 * Expressions
 */

/**
 * nft_register_expr - register nf_tables expr type
 * @type: expr type
 *
 * Registers the expr type for use with nf_tables. Returns zero on
 * success or a negative errno code otherwise.
 *
 * A type declaring more attributes than NFT_EXPR_MAXATTR is refused
 * (-ENOMEM, with a one-time debug warning), since struct nft_expr_info
 * sizes its tb[] array by that limit. Family-specific types are added
 * at the head of the list, NFPROTO_UNSPEC ones at the tail.
 */
int nft_register_expr(struct nft_expr_type *type)
{
	if (unlikely(type->maxattr > NFT_EXPR_MAXATTR)) {
		DEBUG_NET_WARN_ON_ONCE(1);
		return -ENOMEM;
	}

	nfnl_lock(NFNL_SUBSYS_NFTABLES);
	if (type->family == NFPROTO_UNSPEC)
		list_add_tail_rcu(&type->list, &nf_tables_expressions);
	else
		list_add_rcu(&type->list, &nf_tables_expressions);
	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
	return 0;
}
EXPORT_SYMBOL_GPL(nft_register_expr);

/**
 * nft_unregister_expr - unregister nf_tables expr type
 * @type: expr type
 *
 * Unregisters the expr type for use with nf_tables.
 */
void nft_unregister_expr(struct nft_expr_type *type)
{
	nfnl_lock(NFNL_SUBSYS_NFTABLES);
	list_del_rcu(&type->list);
	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
}
EXPORT_SYMBOL_GPL(nft_unregister_expr);

/*
 * __nft_expr_type_get - look up an expression type by name (RCU side)
 *
 * A type registered for @family wins over a family-independent one of
 * the same name regardless of list order; a family-independent type is
 * only taken while nothing else has matched. Returns NULL if no type
 * matches. The caller holds rcu_read_lock(); no module reference is
 * taken here.
 */
static const struct nft_expr_type *__nft_expr_type_get(u8 family,
						       struct nlattr *nla)
{
	const struct nft_expr_type *type, *candidate = NULL;

	list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
		if (!nla_strcmp(nla, type->name)) {
			if (!type->family && !candidate)
				candidate = type;
			else if (type->family == family)
				candidate = type;
		}
	}
	return candidate;
}

#ifdef CONFIG_MODULES
/*
 * nft_expr_type_request_module - autoload "nft-expr-<family>-<name>"
 *
 * The name is formatted with an explicit length (%.*s from nla_len()),
 * so an unterminated attribute cannot be read past its payload; the
 * maximum length is bounded by nft_expr_policy. Only -EAGAIN from
 * nft_request_module() is propagated; every other outcome is 0.
 */
static int nft_expr_type_request_module(struct net *net, u8 family,
					struct nlattr *nla)
{
	if (nft_request_module(net, "nft-expr-%u-%.*s", family,
			       nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
		return -EAGAIN;

	return 0;
}
#endif

/*
 * nft_expr_type_get - look up an expression type, taking a module ref
 *
 * Returns the type with a reference on type->owner held, or an ERR_PTR:
 * -EINVAL for a missing name attribute, -EAGAIN when a module load was
 * requested (presumably so the caller retries), -ENOENT otherwise.
 * -ENOENT also covers a type that exists but whose module could not be
 * pinned (try_module_get() failed); no autoload is attempted then.
 */
static const struct nft_expr_type *nft_expr_type_get(struct net *net,
						     u8 family,
						     struct nlattr *nla)
{
	const struct nft_expr_type *type;

	if (nla == NULL)
		return ERR_PTR(-EINVAL);

	rcu_read_lock();
	type = __nft_expr_type_get(family, nla);
	if (type != NULL && try_module_get(type->owner)) {
		rcu_read_unlock();
		return type;
	}
	rcu_read_unlock();

	lockdep_nfnl_nft_mutex_not_held();
#ifdef CONFIG_MODULES
	if (type == NULL) {
		/* family-specific module first, then the generic one */
		if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
			return ERR_PTR(-EAGAIN);

		if (nft_request_module(net, "nft-expr-%.*s",
				       nla_len(nla),
				       (char *)nla_data(nla)) == -EAGAIN)
			return ERR_PTR(-EAGAIN);
	}
#endif
	return ERR_PTR(-ENOENT);
}

/* NFTA_EXPR_NAME is length-limited so that "nft-expr-<family>-<name>"
 * still fits in a module name (NFT_MODULE_AUTOLOAD_LIMIT).
 */
static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
	[NFTA_EXPR_NAME]	= { .type = NLA_STRING,
				    .len = NFT_MODULE_AUTOLOAD_LIMIT },
[NFTA_EXPR_DATA]	= { .type = NLA_NESTED },
};

/*
 * nf_tables_fill_expr_info - dump one expression into @skb
 * @reset: passed through to the type's dump callback
 *
 * Emits NFTA_EXPR_NAME and, if the ops provide a dump callback, a
 * nested NFTA_EXPR_DATA filled by it. Returns skb->len, or -1 on any
 * put failure; the nest is not cancelled here.
 */
static int nf_tables_fill_expr_info(struct sk_buff *skb,
				    const struct nft_expr *expr, bool reset)
{
	if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
		goto nla_put_failure;

	if (expr->ops->dump) {
		struct nlattr *data = nla_nest_start_noflag(skb,
							    NFTA_EXPR_DATA);
		if (data == NULL)
			goto nla_put_failure;
		if (expr->ops->dump(skb, expr, reset) < 0)
			goto nla_put_failure;
		nla_nest_end(skb, data);
	}

	return skb->len;

nla_put_failure:
	return -1;
};	/* stray semicolon: a harmless empty declaration */

/*
 * nft_expr_dump - dump an expression wrapped in nested attribute @attr
 *
 * Returns 0 on success, -1 on failure. Like nf_tables_fill_expr_info()
 * it does not cancel the nest on failure.
 */
int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
		  const struct nft_expr *expr, bool reset)
{
	struct nlattr *nest;

	nest = nla_nest_start_noflag(skb, attr);
	if (!nest)
		goto nla_put_failure;
	if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest);
	return 0;

nla_put_failure:
	return -1;
}

/* Result of parsing one expression attribute: the selected ops, the
 * attribute it came from, and the parsed NFTA_EXPR_DATA attributes.
 * tb[] is dimensioned by NFT_EXPR_MAXATTR, which nft_register_expr()
 * enforces as the upper bound of type->maxattr.
 */
struct nft_expr_info {
	const struct nft_expr_ops	*ops;
	const struct nlattr		*attr;
	struct nlattr			*tb[NFT_EXPR_MAXATTR + 1];
};

/*
 * nf_tables_expr_parse - resolve an expression attribute to its ops
 *
 * Looks the type up by NFTA_EXPR_NAME (module autoload and reference via
 * nft_expr_type_get()) and parses NFTA_EXPR_DATA with the type's policy
 * into info->tb. Without NFTA_EXPR_DATA the first type->maxattr + 1
 * slots of info->tb are cleared instead. Types providing select_ops
 * choose their ops from the parsed attributes. On success info holds
 * the ops and the caller owns the module reference; on any error after
 * the lookup the reference is dropped here.
 */
static int nf_tables_expr_parse(const struct nft_ctx *ctx,
				const struct nlattr *nla,
				struct nft_expr_info *info)
{
	const struct nft_expr_type *type;
	const struct nft_expr_ops *ops;
	struct nlattr *tb[NFTA_EXPR_MAX + 1];
	int err;

	err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
					  nft_expr_policy, NULL);
	if (err < 0)
		return err;

	type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
	if (IS_ERR(type))
		return PTR_ERR(type);

	if (tb[NFTA_EXPR_DATA]) {
		err = nla_parse_nested_deprecated(info->tb, type->maxattr,
						  tb[NFTA_EXPR_DATA],
						  type->policy, NULL);
		if (err < 0)
			goto err1;
	} else
		memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));

3548 if (type->select_ops != NULL) { 3549 ops = type->select_ops(ctx, 3550 (const struct nlattr * const *)info->tb); 3551 if (IS_ERR(ops)) { 3552 err = PTR_ERR(ops); 3553 #ifdef CONFIG_MODULES 3554 if (err == -EAGAIN) 3555 if (nft_expr_type_request_module(ctx->net, 3556 ctx->family, 3557 tb[NFTA_EXPR_NAME]) != -EAGAIN) 3558 err = -ENOENT; 3559 #endif 3560 goto err1; 3561 } 3562 } else 3563 ops = type->ops; 3564 3565 info->attr = nla; 3566 info->ops = ops; 3567 3568 return 0; 3569 3570 err1: 3571 module_put(type->owner); 3572 return err; 3573 } 3574 3575 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla, 3576 struct nft_expr_info *info) 3577 { 3578 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 3579 const struct nft_expr_type *type; 3580 int err; 3581 3582 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 3583 nft_expr_policy, NULL); 3584 if (err < 0) 3585 return err; 3586 3587 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME]) 3588 return -EINVAL; 3589 3590 rcu_read_lock(); 3591 3592 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]); 3593 if (!type) { 3594 err = -ENOENT; 3595 goto out_unlock; 3596 } 3597 3598 if (!type->inner_ops) { 3599 err = -EOPNOTSUPP; 3600 goto out_unlock; 3601 } 3602 3603 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 3604 tb[NFTA_EXPR_DATA], 3605 type->policy, NULL); 3606 if (err < 0) 3607 goto out_unlock; 3608 3609 info->attr = nla; 3610 info->ops = type->inner_ops; 3611 3612 /* No module reference will be taken on type->owner. 3613 * Presence of type->inner_ops implies that the expression 3614 * is builtin, so it cannot go away. 
3615 */ 3616 rcu_read_unlock(); 3617 return 0; 3618 3619 out_unlock: 3620 rcu_read_unlock(); 3621 return err; 3622 } 3623 3624 static int nf_tables_newexpr(const struct nft_ctx *ctx, 3625 const struct nft_expr_info *expr_info, 3626 struct nft_expr *expr) 3627 { 3628 const struct nft_expr_ops *ops = expr_info->ops; 3629 int err; 3630 3631 expr->ops = ops; 3632 if (ops->init) { 3633 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb); 3634 if (err < 0) 3635 goto err1; 3636 } 3637 3638 return 0; 3639 err1: 3640 expr->ops = NULL; 3641 return err; 3642 } 3643 3644 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 3645 struct nft_expr *expr) 3646 { 3647 const struct nft_expr_type *type = expr->ops->type; 3648 3649 if (expr->ops->destroy) 3650 expr->ops->destroy(ctx, expr); 3651 module_put(type->owner); 3652 } 3653 3654 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 3655 const struct nlattr *nla) 3656 { 3657 struct nft_expr_info expr_info; 3658 struct nft_expr *expr; 3659 struct module *owner; 3660 int err; 3661 3662 err = nf_tables_expr_parse(ctx, nla, &expr_info); 3663 if (err < 0) 3664 goto err_expr_parse; 3665 3666 err = -EOPNOTSUPP; 3667 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL)) 3668 goto err_expr_stateful; 3669 3670 err = -ENOMEM; 3671 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT); 3672 if (expr == NULL) 3673 goto err_expr_stateful; 3674 3675 err = nf_tables_newexpr(ctx, &expr_info, expr); 3676 if (err < 0) 3677 goto err_expr_new; 3678 3679 return expr; 3680 err_expr_new: 3681 kfree(expr); 3682 err_expr_stateful: 3683 owner = expr_info.ops->type->owner; 3684 if (expr_info.ops->type->release_ops) 3685 expr_info.ops->type->release_ops(expr_info.ops); 3686 3687 module_put(owner); 3688 err_expr_parse: 3689 return ERR_PTR(err); 3690 } 3691 3692 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp) 3693 { 3694 int err; 3695 3696 if (unlikely(!src->ops->clone)) { 3697 
DEBUG_NET_WARN_ON_ONCE(1); 3698 return -EINVAL; 3699 } 3700 3701 dst->ops = src->ops; 3702 err = src->ops->clone(dst, src, gfp); 3703 if (err < 0) 3704 return err; 3705 3706 __module_get(src->ops->type->owner); 3707 3708 return 0; 3709 } 3710 3711 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 3712 { 3713 nf_tables_expr_destroy(ctx, expr); 3714 kfree(expr); 3715 } 3716 3717 /* 3718 * Rules 3719 */ 3720 3721 static struct nft_rule *__nft_rule_lookup(const struct net *net, 3722 const struct nft_chain *chain, 3723 u64 handle) 3724 { 3725 struct nft_rule *rule; 3726 3727 // FIXME: this sucks 3728 list_for_each_entry_rcu(rule, &chain->rules, list, 3729 lockdep_commit_lock_is_held(net)) { 3730 if (handle == rule->handle) 3731 return rule; 3732 } 3733 3734 return ERR_PTR(-ENOENT); 3735 } 3736 3737 static struct nft_rule *nft_rule_lookup(const struct net *net, 3738 const struct nft_chain *chain, 3739 const struct nlattr *nla) 3740 { 3741 if (nla == NULL) 3742 return ERR_PTR(-EINVAL); 3743 3744 return __nft_rule_lookup(net, chain, be64_to_cpu(nla_get_be64(nla))); 3745 } 3746 3747 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 3748 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 3749 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3750 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 3751 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 3752 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 3753 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy), 3754 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 3755 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 3756 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 3757 .len = NFT_USERDATA_MAXLEN }, 3758 [NFTA_RULE_ID] = { .type = NLA_U32 }, 3759 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 3760 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 }, 3761 }; 3762 3763 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 3764 u32 portid, u32 seq, int event, 3765 u32 flags, int family, 3766 const struct nft_table *table, 
3767 const struct nft_chain *chain, 3768 const struct nft_rule *rule, u64 handle, 3769 bool reset) 3770 { 3771 struct nlmsghdr *nlh; 3772 const struct nft_expr *expr, *next; 3773 struct nlattr *list; 3774 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3775 3776 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, 3777 nft_base_seq_be16(net)); 3778 if (!nlh) 3779 goto nla_put_failure; 3780 3781 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 3782 goto nla_put_failure; 3783 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 3784 goto nla_put_failure; 3785 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 3786 NFTA_RULE_PAD)) 3787 goto nla_put_failure; 3788 3789 if (event != NFT_MSG_DELRULE && handle) { 3790 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle), 3791 NFTA_RULE_PAD)) 3792 goto nla_put_failure; 3793 } 3794 3795 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) 3796 nft_flow_rule_stats(chain, rule); 3797 3798 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 3799 if (list == NULL) 3800 goto nla_put_failure; 3801 nft_rule_for_each_expr(expr, next, rule) { 3802 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0) 3803 goto nla_put_failure; 3804 } 3805 nla_nest_end(skb, list); 3806 3807 if (rule->udata) { 3808 struct nft_userdata *udata = nft_userdata(rule); 3809 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 3810 udata->data) < 0) 3811 goto nla_put_failure; 3812 } 3813 3814 nlmsg_end(skb, nlh); 3815 return 0; 3816 3817 nla_put_failure: 3818 nlmsg_trim(skb, nlh); 3819 return -1; 3820 } 3821 3822 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 3823 const struct nft_rule *rule, int event) 3824 { 3825 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3826 const struct nft_rule *prule; 3827 struct sk_buff *skb; 3828 u64 handle = 0; 3829 u16 flags = 0; 3830 int err; 3831 3832 if (!ctx->report && 3833 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3834 return; 3835 
3836 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 3837 if (skb == NULL) 3838 goto err; 3839 3840 if (event == NFT_MSG_NEWRULE && 3841 !list_is_first(&rule->list, &ctx->chain->rules) && 3842 !list_is_last(&rule->list, &ctx->chain->rules)) { 3843 prule = list_prev_entry(rule, list); 3844 handle = prule->handle; 3845 } 3846 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE)) 3847 flags |= NLM_F_APPEND; 3848 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 3849 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 3850 3851 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 3852 event, flags, ctx->family, ctx->table, 3853 ctx->chain, rule, handle, false); 3854 if (err < 0) { 3855 kfree_skb(skb); 3856 goto err; 3857 } 3858 3859 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 3860 return; 3861 err: 3862 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 3863 } 3864 3865 static void audit_log_rule_reset(const struct nft_table *table, 3866 unsigned int base_seq, 3867 unsigned int nentries) 3868 { 3869 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", 3870 table->name, base_seq); 3871 3872 audit_log_nfcfg(buf, table->family, nentries, 3873 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC); 3874 kfree(buf); 3875 } 3876 3877 struct nft_rule_dump_ctx { 3878 unsigned int s_idx; 3879 char *table; 3880 char *chain; 3881 bool reset; 3882 }; 3883 3884 static int __nf_tables_dump_rules(struct sk_buff *skb, 3885 unsigned int *idx, 3886 struct netlink_callback *cb, 3887 const struct nft_table *table, 3888 const struct nft_chain *chain) 3889 { 3890 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3891 struct net *net = sock_net(skb->sk); 3892 const struct nft_rule *rule, *prule; 3893 unsigned int entries = 0; 3894 int ret = 0; 3895 u64 handle; 3896 3897 prule = NULL; 3898 list_for_each_entry_rcu(rule, &chain->rules, list) { 3899 if (!nft_is_active(net, rule)) 3900 goto cont_skip; 3901 if (*idx < ctx->s_idx) 3902 goto cont; 3903 if (prule) 3904 handle = 
prule->handle; 3905 else 3906 handle = 0; 3907 3908 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 3909 cb->nlh->nlmsg_seq, 3910 NFT_MSG_NEWRULE, 3911 NLM_F_MULTI | NLM_F_APPEND, 3912 table->family, 3913 table, chain, rule, handle, ctx->reset) < 0) { 3914 ret = 1; 3915 break; 3916 } 3917 entries++; 3918 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3919 cont: 3920 prule = rule; 3921 cont_skip: 3922 (*idx)++; 3923 } 3924 3925 if (ctx->reset && entries) 3926 audit_log_rule_reset(table, cb->seq, entries); 3927 3928 return ret; 3929 } 3930 3931 static int nf_tables_dump_rules(struct sk_buff *skb, 3932 struct netlink_callback *cb) 3933 { 3934 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3935 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3936 struct nft_table *table; 3937 const struct nft_chain *chain; 3938 unsigned int idx = 0; 3939 struct net *net = sock_net(skb->sk); 3940 int family = nfmsg->nfgen_family; 3941 struct nftables_pernet *nft_net; 3942 3943 rcu_read_lock(); 3944 nft_net = nft_pernet(net); 3945 cb->seq = nft_base_seq(net); 3946 3947 list_for_each_entry_rcu(table, &nft_net->tables, list) { 3948 if (family != NFPROTO_UNSPEC && family != table->family) 3949 continue; 3950 3951 if (ctx->table && strcmp(ctx->table, table->name) != 0) 3952 continue; 3953 3954 if (ctx->table && ctx->chain) { 3955 struct rhlist_head *list, *tmp; 3956 3957 list = rhltable_lookup(&table->chains_ht, ctx->chain, 3958 nft_chain_ht_params); 3959 if (!list) 3960 goto done; 3961 3962 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 3963 if (!nft_is_active(net, chain)) 3964 continue; 3965 __nf_tables_dump_rules(skb, &idx, 3966 cb, table, chain); 3967 break; 3968 } 3969 goto done; 3970 } 3971 3972 list_for_each_entry_rcu(chain, &table->chains, list) { 3973 if (__nf_tables_dump_rules(skb, &idx, 3974 cb, table, chain)) 3975 goto done; 3976 } 3977 3978 if (ctx->table) 3979 break; 3980 } 3981 done: 3982 rcu_read_unlock(); 3983 3984 ctx->s_idx = idx; 3985 return 
skb->len; 3986 } 3987 3988 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 3989 { 3990 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 3991 const struct nlattr * const *nla = cb->data; 3992 3993 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx)); 3994 3995 if (nla[NFTA_RULE_TABLE]) { 3996 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC); 3997 if (!ctx->table) 3998 return -ENOMEM; 3999 } 4000 if (nla[NFTA_RULE_CHAIN]) { 4001 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC); 4002 if (!ctx->chain) { 4003 kfree(ctx->table); 4004 return -ENOMEM; 4005 } 4006 } 4007 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET) 4008 ctx->reset = true; 4009 4010 return 0; 4011 } 4012 4013 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 4014 { 4015 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx; 4016 4017 kfree(ctx->table); 4018 kfree(ctx->chain); 4019 return 0; 4020 } 4021 4022 /* Caller must hold rcu read lock or transaction mutex */ 4023 static struct sk_buff * 4024 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info, 4025 const struct nlattr * const nla[], bool reset) 4026 { 4027 struct netlink_ext_ack *extack = info->extack; 4028 u8 genmask = nft_genmask_cur(info->net); 4029 u8 family = info->nfmsg->nfgen_family; 4030 const struct nft_chain *chain; 4031 const struct nft_rule *rule; 4032 struct net *net = info->net; 4033 struct nft_table *table; 4034 struct sk_buff *skb2; 4035 int err; 4036 4037 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0); 4038 if (IS_ERR(table)) { 4039 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 4040 return ERR_CAST(table); 4041 } 4042 4043 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 4044 if (IS_ERR(chain)) { 4045 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 4046 return ERR_CAST(chain); 4047 } 4048 4049 rule = nft_rule_lookup(net, chain, nla[NFTA_RULE_HANDLE]); 4050 if (IS_ERR(rule)) { 4051 NL_SET_BAD_ATTR(extack, 
nla[NFTA_RULE_HANDLE]); 4052 return ERR_CAST(rule); 4053 } 4054 4055 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 4056 if (!skb2) 4057 return ERR_PTR(-ENOMEM); 4058 4059 err = nf_tables_fill_rule_info(skb2, net, portid, 4060 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 4061 family, table, chain, rule, 0, reset); 4062 if (err < 0) { 4063 kfree_skb(skb2); 4064 return ERR_PTR(err); 4065 } 4066 4067 return skb2; 4068 } 4069 4070 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info, 4071 const struct nlattr * const nla[]) 4072 { 4073 u32 portid = NETLINK_CB(skb).portid; 4074 struct net *net = info->net; 4075 struct sk_buff *skb2; 4076 bool reset = false; 4077 char *buf; 4078 4079 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 4080 struct netlink_dump_control c = { 4081 .start= nf_tables_dump_rules_start, 4082 .dump = nf_tables_dump_rules, 4083 .done = nf_tables_dump_rules_done, 4084 .module = THIS_MODULE, 4085 .data = (void *)nla, 4086 }; 4087 4088 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 4089 } 4090 4091 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET) 4092 reset = true; 4093 4094 skb2 = nf_tables_getrule_single(portid, info, nla, reset); 4095 if (IS_ERR(skb2)) 4096 return PTR_ERR(skb2); 4097 4098 if (!reset) 4099 return nfnetlink_unicast(skb2, net, portid); 4100 4101 buf = kasprintf(GFP_ATOMIC, "%.*s:%u", 4102 nla_len(nla[NFTA_RULE_TABLE]), 4103 (char *)nla_data(nla[NFTA_RULE_TABLE]), 4104 nft_base_seq(net)); 4105 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1, 4106 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC); 4107 kfree(buf); 4108 4109 return nfnetlink_unicast(skb2, net, portid); 4110 } 4111 4112 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) 4113 { 4114 struct nft_expr *expr, *next; 4115 4116 /* 4117 * Careful: some expressions might not be initialized in case this 4118 * is called on error from nf_tables_newrule(). 
4119 */ 4120 expr = nft_expr_first(rule); 4121 while (nft_expr_more(rule, expr)) { 4122 next = nft_expr_next(expr); 4123 nf_tables_expr_destroy(ctx, expr); 4124 expr = next; 4125 } 4126 kfree(rule); 4127 } 4128 4129 /* can only be used if rule is no longer visible to dumps */ 4130 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 4131 { 4132 WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net)); 4133 4134 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 4135 nf_tables_rule_destroy(ctx, rule); 4136 } 4137 4138 static void nft_chain_vstate_update(const struct nft_ctx *ctx, struct nft_chain *chain) 4139 { 4140 const struct nft_base_chain *base_chain; 4141 enum nft_chain_types type; 4142 u8 hooknum; 4143 4144 /* ctx->chain must hold the calling base chain. */ 4145 if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain))) { 4146 memset(&chain->vstate, 0, sizeof(chain->vstate)); 4147 return; 4148 } 4149 4150 base_chain = nft_base_chain(ctx->chain); 4151 hooknum = base_chain->ops.hooknum; 4152 type = base_chain->type->type; 4153 4154 BUILD_BUG_ON(BIT(NF_INET_NUMHOOKS) > U8_MAX); 4155 4156 chain->vstate.hook_mask[type] |= BIT(hooknum); 4157 if (chain->vstate.depth < ctx->level) 4158 chain->vstate.depth = ctx->level; 4159 } 4160 4161 /** nft_chain_validate - loop detection and hook validation 4162 * 4163 * @ctx: context containing call depth and base chain 4164 * @chain: chain to validate 4165 * 4166 * Walk through the rules of the given chain and chase all jumps/gotos 4167 * and set lookups until either the jump limit is hit or all reachable 4168 * chains have been validated. 4169 */ 4170 int nft_chain_validate(const struct nft_ctx *ctx, struct nft_chain *chain) 4171 { 4172 struct nft_expr *expr, *last; 4173 struct nft_rule *rule; 4174 int err; 4175 4176 BUILD_BUG_ON(NFT_JUMP_STACK_SIZE > 255); 4177 if (ctx->level == NFT_JUMP_STACK_SIZE) 4178 return -EMLINK; 4179 4180 if (ctx->level > 0) { 4181 /* jumps to base chains are not allowed. 
*/ 4182 if (nft_is_base_chain(chain)) 4183 return -ELOOP; 4184 4185 if (nft_chain_vstate_valid(ctx, chain)) 4186 return 0; 4187 } 4188 4189 list_for_each_entry(rule, &chain->rules, list) { 4190 if (fatal_signal_pending(current)) 4191 return -EINTR; 4192 4193 if (!nft_is_active_next(ctx->net, rule)) 4194 continue; 4195 4196 nft_rule_for_each_expr(expr, last, rule) { 4197 if (!expr->ops->validate) 4198 continue; 4199 4200 /* This may call nft_chain_validate() recursively, 4201 * callers that do so must increment ctx->level. 4202 */ 4203 err = expr->ops->validate(ctx, expr); 4204 if (err < 0) 4205 return err; 4206 } 4207 4208 cond_resched(); 4209 } 4210 4211 nft_chain_vstate_update(ctx, chain); 4212 return 0; 4213 } 4214 4215 static int nft_table_validate(struct net *net, const struct nft_table *table) 4216 { 4217 struct nft_chain *chain; 4218 struct nft_ctx ctx = { 4219 .net = net, 4220 .table = (struct nft_table *)table, 4221 .family = table->family, 4222 }; 4223 int err = 0; 4224 4225 list_for_each_entry(chain, &table->chains, list) { 4226 if (!nft_is_base_chain(chain)) 4227 continue; 4228 4229 ctx.chain = chain; 4230 err = nft_chain_validate(&ctx, chain); 4231 if (err < 0) 4232 goto err; 4233 } 4234 4235 err: 4236 list_for_each_entry(chain, &table->chains, list) 4237 memset(&chain->vstate, 0, sizeof(chain->vstate)); 4238 4239 return err; 4240 } 4241 4242 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, 4243 const struct nft_set_iter *iter, 4244 struct nft_elem_priv *elem_priv) 4245 { 4246 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 4247 struct nft_ctx *pctx = (struct nft_ctx *)ctx; 4248 const struct nft_data *data; 4249 int err; 4250 4251 if (!nft_set_elem_active(ext, iter->genmask)) 4252 return 0; 4253 4254 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 4255 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 4256 return 0; 4257 4258 data = nft_set_ext_data(ext); 4259 switch (data->verdict.code) { 4260 case 
NFT_JUMP: 4261 case NFT_GOTO: 4262 pctx->level++; 4263 err = nft_chain_validate(ctx, data->verdict.chain); 4264 if (err < 0) 4265 return err; 4266 pctx->level--; 4267 break; 4268 default: 4269 break; 4270 } 4271 4272 return 0; 4273 } 4274 4275 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) 4276 { 4277 struct nft_set_iter dummy_iter = { 4278 .genmask = nft_genmask_next(ctx->net), 4279 }; 4280 struct nft_set_elem_catchall *catchall; 4281 4282 struct nft_set_ext *ext; 4283 int ret = 0; 4284 4285 list_for_each_entry_rcu(catchall, &set->catchall_list, list, 4286 lockdep_commit_lock_is_held(ctx->net)) { 4287 ext = nft_set_elem_ext(set, catchall->elem); 4288 if (!nft_set_elem_active(ext, dummy_iter.genmask)) 4289 continue; 4290 4291 ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem); 4292 if (ret < 0) 4293 return ret; 4294 } 4295 4296 return ret; 4297 } 4298 4299 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 4300 const struct nft_chain *chain, 4301 const struct nlattr *nla); 4302 4303 #define NFT_RULE_MAXEXPRS 128 4304 4305 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, 4306 const struct nlattr * const nla[]) 4307 { 4308 struct nftables_pernet *nft_net = nft_pernet(info->net); 4309 struct netlink_ext_ack *extack = info->extack; 4310 unsigned int size, i, n, ulen = 0, usize = 0; 4311 u8 genmask = nft_genmask_next(info->net); 4312 struct nft_rule *rule, *old_rule = NULL; 4313 struct nft_expr_info *expr_info = NULL; 4314 u8 family = info->nfmsg->nfgen_family; 4315 struct nft_flow_rule *flow = NULL; 4316 struct net *net = info->net; 4317 struct nft_userdata *udata; 4318 struct nft_table *table; 4319 struct nft_chain *chain; 4320 struct nft_trans *trans; 4321 u64 handle, pos_handle; 4322 struct nft_expr *expr; 4323 struct nft_ctx ctx; 4324 struct nlattr *tmp; 4325 int err, rem; 4326 4327 lockdep_assert_held(&nft_net->commit_mutex); 4328 4329 table = nft_table_lookup(net, 
nla[NFTA_RULE_TABLE], family, genmask, 4330 NETLINK_CB(skb).portid); 4331 if (IS_ERR(table)) { 4332 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 4333 return PTR_ERR(table); 4334 } 4335 4336 if (nla[NFTA_RULE_CHAIN]) { 4337 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 4338 genmask); 4339 if (IS_ERR(chain)) { 4340 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 4341 return PTR_ERR(chain); 4342 } 4343 4344 } else if (nla[NFTA_RULE_CHAIN_ID]) { 4345 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID], 4346 genmask); 4347 if (IS_ERR(chain)) { 4348 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); 4349 return PTR_ERR(chain); 4350 } 4351 } else { 4352 return -EINVAL; 4353 } 4354 4355 if (nft_chain_is_bound(chain)) 4356 return -EOPNOTSUPP; 4357 4358 if (nla[NFTA_RULE_HANDLE]) { 4359 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 4360 rule = __nft_rule_lookup(net, chain, handle); 4361 if (IS_ERR(rule)) { 4362 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4363 return PTR_ERR(rule); 4364 } 4365 4366 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 4367 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4368 return -EEXIST; 4369 } 4370 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 4371 old_rule = rule; 4372 else 4373 return -EOPNOTSUPP; 4374 } else { 4375 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) || 4376 info->nlh->nlmsg_flags & NLM_F_REPLACE) 4377 return -EINVAL; 4378 handle = nf_tables_alloc_handle(table); 4379 4380 if (nla[NFTA_RULE_POSITION]) { 4381 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 4382 old_rule = __nft_rule_lookup(net, chain, pos_handle); 4383 if (IS_ERR(old_rule)) { 4384 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 4385 return PTR_ERR(old_rule); 4386 } 4387 } else if (nla[NFTA_RULE_POSITION_ID]) { 4388 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]); 4389 if (IS_ERR(old_rule)) { 4390 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 4391 return PTR_ERR(old_rule); 4392 } 
4393 } 4394 } 4395 4396 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 4397 4398 n = 0; 4399 size = 0; 4400 if (nla[NFTA_RULE_EXPRESSIONS]) { 4401 expr_info = kvmalloc_objs(struct nft_expr_info, 4402 NFT_RULE_MAXEXPRS); 4403 if (!expr_info) 4404 return -ENOMEM; 4405 4406 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 4407 err = -EINVAL; 4408 if (nla_type(tmp) != NFTA_LIST_ELEM) 4409 goto err_release_expr; 4410 if (n == NFT_RULE_MAXEXPRS) 4411 goto err_release_expr; 4412 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]); 4413 if (err < 0) { 4414 NL_SET_BAD_ATTR(extack, tmp); 4415 goto err_release_expr; 4416 } 4417 size += expr_info[n].ops->size; 4418 n++; 4419 } 4420 } 4421 /* Check for overflow of dlen field */ 4422 err = -EFBIG; 4423 if (size >= 1 << 12) 4424 goto err_release_expr; 4425 4426 if (nla[NFTA_RULE_USERDATA]) { 4427 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 4428 if (ulen > 0) 4429 usize = sizeof(struct nft_userdata) + ulen; 4430 } 4431 4432 err = -ENOMEM; 4433 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT); 4434 if (rule == NULL) 4435 goto err_release_expr; 4436 4437 nft_activate_next(net, rule); 4438 4439 rule->handle = handle; 4440 rule->dlen = size; 4441 rule->udata = ulen ? 
1 : 0; 4442 4443 if (ulen) { 4444 udata = nft_userdata(rule); 4445 udata->len = ulen - 1; 4446 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 4447 } 4448 4449 expr = nft_expr_first(rule); 4450 for (i = 0; i < n; i++) { 4451 err = nf_tables_newexpr(&ctx, &expr_info[i], expr); 4452 if (err < 0) { 4453 NL_SET_BAD_ATTR(extack, expr_info[i].attr); 4454 goto err_release_rule; 4455 } 4456 4457 if (expr_info[i].ops->validate) 4458 nft_validate_state_update(table, NFT_VALIDATE_NEED); 4459 4460 expr_info[i].ops = NULL; 4461 expr = nft_expr_next(expr); 4462 } 4463 4464 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 4465 flow = nft_flow_rule_create(net, rule); 4466 if (IS_ERR(flow)) { 4467 err = PTR_ERR(flow); 4468 goto err_release_rule; 4469 } 4470 } 4471 4472 if (!nft_use_inc(&chain->use)) { 4473 err = -EMFILE; 4474 goto err_destroy_flow; 4475 } 4476 4477 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { 4478 if (nft_chain_binding(chain)) { 4479 err = -EOPNOTSUPP; 4480 goto err_destroy_flow_rule; 4481 } 4482 4483 err = nft_delrule(&ctx, old_rule); 4484 if (err < 0) 4485 goto err_destroy_flow_rule; 4486 4487 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 4488 if (trans == NULL) { 4489 err = -ENOMEM; 4490 goto err_destroy_flow_rule; 4491 } 4492 list_add_tail_rcu(&rule->list, &old_rule->list); 4493 } else { 4494 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 4495 if (!trans) { 4496 err = -ENOMEM; 4497 goto err_destroy_flow_rule; 4498 } 4499 4500 if (info->nlh->nlmsg_flags & NLM_F_APPEND) { 4501 if (old_rule) 4502 list_add_rcu(&rule->list, &old_rule->list); 4503 else 4504 list_add_tail_rcu(&rule->list, &chain->rules); 4505 } else { 4506 if (old_rule) 4507 list_add_tail_rcu(&rule->list, &old_rule->list); 4508 else 4509 list_add_rcu(&rule->list, &chain->rules); 4510 } 4511 } 4512 kvfree(expr_info); 4513 4514 if (flow) 4515 nft_trans_flow_rule(trans) = flow; 4516 4517 if (table->validate_state == NFT_VALIDATE_DO) 4518 return nft_table_validate(net, table); 4519 
4520 return 0; 4521 4522 err_destroy_flow_rule: 4523 nft_use_dec_restore(&chain->use); 4524 err_destroy_flow: 4525 if (flow) 4526 nft_flow_rule_destroy(flow); 4527 err_release_rule: 4528 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR); 4529 nf_tables_rule_destroy(&ctx, rule); 4530 err_release_expr: 4531 for (i = 0; i < n; i++) { 4532 if (expr_info[i].ops) { 4533 module_put(expr_info[i].ops->type->owner); 4534 if (expr_info[i].ops->type->release_ops) 4535 expr_info[i].ops->type->release_ops(expr_info[i].ops); 4536 } 4537 } 4538 kvfree(expr_info); 4539 4540 return err; 4541 } 4542 4543 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 4544 const struct nft_chain *chain, 4545 const struct nlattr *nla) 4546 { 4547 struct nftables_pernet *nft_net = nft_pernet(net); 4548 u32 id = ntohl(nla_get_be32(nla)); 4549 struct nft_trans *trans; 4550 4551 list_for_each_entry(trans, &nft_net->commit_list, list) { 4552 if (trans->msg_type == NFT_MSG_NEWRULE && 4553 nft_trans_rule_chain(trans) == chain && 4554 id == nft_trans_rule_id(trans)) 4555 return nft_trans_rule(trans); 4556 } 4557 return ERR_PTR(-ENOENT); 4558 } 4559 4560 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, 4561 const struct nlattr * const nla[]) 4562 { 4563 struct netlink_ext_ack *extack = info->extack; 4564 u8 genmask = nft_genmask_next(info->net); 4565 u8 family = info->nfmsg->nfgen_family; 4566 struct nft_chain *chain = NULL; 4567 struct net *net = info->net; 4568 struct nft_table *table; 4569 struct nft_rule *rule; 4570 struct nft_ctx ctx; 4571 int err = 0; 4572 4573 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 4574 NETLINK_CB(skb).portid); 4575 if (IS_ERR(table)) { 4576 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 4577 return PTR_ERR(table); 4578 } 4579 4580 if (nla[NFTA_RULE_CHAIN]) { 4581 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 4582 genmask); 4583 if (IS_ERR(chain)) { 4584 if (PTR_ERR(chain) == 
-ENOENT && 4585 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE) 4586 return 0; 4587 4588 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 4589 return PTR_ERR(chain); 4590 } 4591 if (nft_chain_binding(chain)) 4592 return -EOPNOTSUPP; 4593 } 4594 4595 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 4596 4597 if (chain) { 4598 if (nla[NFTA_RULE_HANDLE]) { 4599 rule = nft_rule_lookup(info->net, chain, nla[NFTA_RULE_HANDLE]); 4600 if (IS_ERR(rule)) { 4601 if (PTR_ERR(rule) == -ENOENT && 4602 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE) 4603 return 0; 4604 4605 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 4606 return PTR_ERR(rule); 4607 } 4608 4609 err = nft_delrule(&ctx, rule); 4610 } else if (nla[NFTA_RULE_ID]) { 4611 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]); 4612 if (IS_ERR(rule)) { 4613 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 4614 return PTR_ERR(rule); 4615 } 4616 4617 err = nft_delrule(&ctx, rule); 4618 } else { 4619 err = nft_delrule_by_chain(&ctx); 4620 } 4621 } else { 4622 list_for_each_entry(chain, &table->chains, list) { 4623 if (!nft_is_active_next(net, chain)) 4624 continue; 4625 if (nft_chain_binding(chain)) 4626 continue; 4627 4628 ctx.chain = chain; 4629 err = nft_delrule_by_chain(&ctx); 4630 if (err < 0) 4631 break; 4632 } 4633 } 4634 4635 return err; 4636 } 4637 4638 /* 4639 * Sets 4640 */ 4641 static const struct nft_set_type *nft_set_types[] = { 4642 &nft_set_hash_fast_type, 4643 &nft_set_hash_type, 4644 &nft_set_rhash_type, 4645 &nft_set_bitmap_type, 4646 &nft_set_rbtree_type, 4647 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 4648 &nft_set_pipapo_avx2_type, 4649 #endif 4650 &nft_set_pipapo_type, 4651 }; 4652 4653 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 4654 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 4655 NFT_SET_EVAL) 4656 4657 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 4658 { 4659 return (flags & type->features) == (flags & 
NFT_SET_FEATURES); 4660 } 4661 4662 /* 4663 * Select a set implementation based on the data characteristics and the 4664 * given policy. The total memory use might not be known if no size is 4665 * given, in that case the amount of memory per element is used. 4666 */ 4667 static const struct nft_set_ops * 4668 nft_select_set_ops(const struct nft_ctx *ctx, u32 flags, 4669 const struct nft_set_desc *desc) 4670 { 4671 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 4672 const struct nft_set_ops *ops, *bops; 4673 struct nft_set_estimate est, best; 4674 const struct nft_set_type *type; 4675 int i; 4676 4677 lockdep_assert_held(&nft_net->commit_mutex); 4678 lockdep_nfnl_nft_mutex_not_held(); 4679 4680 bops = NULL; 4681 best.size = ~0; 4682 best.lookup = ~0; 4683 best.space = ~0; 4684 4685 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 4686 type = nft_set_types[i]; 4687 ops = &type->ops; 4688 4689 if (!nft_set_ops_candidate(type, flags)) 4690 continue; 4691 if (!ops->estimate(desc, flags, &est)) 4692 continue; 4693 4694 switch (desc->policy) { 4695 case NFT_SET_POL_PERFORMANCE: 4696 if (est.lookup < best.lookup) 4697 break; 4698 if (est.lookup == best.lookup && 4699 est.space < best.space) 4700 break; 4701 continue; 4702 case NFT_SET_POL_MEMORY: 4703 if (!desc->size) { 4704 if (est.space < best.space) 4705 break; 4706 if (est.space == best.space && 4707 est.lookup < best.lookup) 4708 break; 4709 } else if (est.size < best.size || !bops) { 4710 break; 4711 } 4712 continue; 4713 default: 4714 break; 4715 } 4716 4717 bops = ops; 4718 best = est; 4719 } 4720 4721 if (bops != NULL) 4722 return bops; 4723 4724 return ERR_PTR(-EOPNOTSUPP); 4725 } 4726 4727 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 4728 [NFTA_SET_TABLE] = { .type = NLA_STRING, 4729 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4730 [NFTA_SET_NAME] = { .type = NLA_STRING, 4731 .len = NFT_SET_MAXNAMELEN - 1 }, 4732 [NFTA_SET_FLAGS] = NLA_POLICY_MASK(NLA_BE32, 4733 NFT_SET_ANONYMOUS | 4734 
NFT_SET_CONSTANT | 4735 NFT_SET_INTERVAL | 4736 NFT_SET_MAP | 4737 NFT_SET_TIMEOUT | 4738 NFT_SET_EVAL | 4739 NFT_SET_OBJECT | 4740 NFT_SET_CONCAT | 4741 NFT_SET_EXPR), 4742 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 4743 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 4744 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 4745 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 4746 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 4747 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 4748 [NFTA_SET_ID] = { .type = NLA_U32 }, 4749 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 4750 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 4751 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 4752 .len = NFT_USERDATA_MAXLEN }, 4753 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 4754 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 4755 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 4756 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy), 4757 [NFTA_SET_TYPE] = { .type = NLA_REJECT }, 4758 [NFTA_SET_COUNT] = { .type = NLA_REJECT }, 4759 }; 4760 4761 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 4762 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 4763 }; 4764 4765 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 4766 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 4767 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy), 4768 }; 4769 4770 static struct nft_set *nft_set_lookup(const struct net *net, 4771 const struct nft_table *table, 4772 const struct nlattr *nla, u8 genmask) 4773 { 4774 struct nft_set *set; 4775 4776 if (nla == NULL) 4777 return ERR_PTR(-EINVAL); 4778 4779 list_for_each_entry_rcu(set, &table->sets, list, 4780 lockdep_commit_lock_is_held(net)) { 4781 if (!nla_strcmp(nla, set->name) && 4782 nft_active_genmask(set, genmask)) 4783 return set; 4784 } 4785 return ERR_PTR(-ENOENT); 4786 } 4787 4788 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 4789 const struct nlattr *nla, 4790 u8 genmask) 4791 { 4792 struct nft_set 
*set; 4793 4794 list_for_each_entry(set, &table->sets, list) { 4795 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 4796 nft_active_genmask(set, genmask)) 4797 return set; 4798 } 4799 return ERR_PTR(-ENOENT); 4800 } 4801 4802 static struct nft_set *nft_set_lookup_byid(const struct net *net, 4803 const struct nft_table *table, 4804 const struct nlattr *nla, u8 genmask) 4805 { 4806 struct nftables_pernet *nft_net = nft_pernet(net); 4807 u32 id = ntohl(nla_get_be32(nla)); 4808 struct nft_trans_set *trans; 4809 4810 /* its likely the id we need is at the tail, not at start */ 4811 list_for_each_entry_reverse(trans, &nft_net->commit_set_list, list_trans_newset) { 4812 struct nft_set *set = trans->set; 4813 4814 if (id == trans->set_id && 4815 set->table == table && 4816 nft_active_genmask(set, genmask)) 4817 return set; 4818 } 4819 return ERR_PTR(-ENOENT); 4820 } 4821 4822 struct nft_set *nft_set_lookup_global(const struct net *net, 4823 const struct nft_table *table, 4824 const struct nlattr *nla_set_name, 4825 const struct nlattr *nla_set_id, 4826 u8 genmask) 4827 { 4828 struct nft_set *set; 4829 4830 set = nft_set_lookup(net, table, nla_set_name, genmask); 4831 if (IS_ERR(set)) { 4832 if (!nla_set_id) 4833 return set; 4834 4835 set = nft_set_lookup_byid(net, table, nla_set_id, genmask); 4836 } 4837 return set; 4838 } 4839 4840 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 4841 const char *name) 4842 { 4843 const struct nft_set *i; 4844 const char *p; 4845 unsigned long *inuse; 4846 unsigned int n = 0, min = 0; 4847 4848 p = strchr(name, '%'); 4849 if (p != NULL) { 4850 if (p[1] != 'd' || strchr(p + 2, '%')) 4851 return -EINVAL; 4852 4853 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN) 4854 return -EINVAL; 4855 4856 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 4857 if (inuse == NULL) 4858 return -ENOMEM; 4859 cont: 4860 list_for_each_entry(i, &ctx->table->sets, list) { 4861 int tmp; 4862 4863 if 
(!nft_is_active_next(ctx->net, i)) 4864 continue; 4865 if (!sscanf(i->name, name, &tmp)) 4866 continue; 4867 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 4868 continue; 4869 4870 set_bit(tmp - min, inuse); 4871 } 4872 4873 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 4874 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 4875 min += BITS_PER_BYTE * PAGE_SIZE; 4876 memset(inuse, 0, PAGE_SIZE); 4877 goto cont; 4878 } 4879 free_page((unsigned long)inuse); 4880 } 4881 4882 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n); 4883 if (!set->name) 4884 return -ENOMEM; 4885 4886 list_for_each_entry(i, &ctx->table->sets, list) { 4887 if (!nft_is_active_next(ctx->net, i)) 4888 continue; 4889 if (!strcmp(set->name, i->name)) { 4890 kfree(set->name); 4891 set->name = NULL; 4892 return -ENFILE; 4893 } 4894 } 4895 return 0; 4896 } 4897 4898 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 4899 { 4900 u64 ms = be64_to_cpu(nla_get_be64(nla)); 4901 u64 max = (u64)(~((u64)0)); 4902 4903 max = div_u64(max, NSEC_PER_MSEC); 4904 if (ms >= max) 4905 return -ERANGE; 4906 4907 ms *= NSEC_PER_MSEC; 4908 *result = nsecs_to_jiffies64(ms) ? 
: !!ms; 4909 return 0; 4910 } 4911 4912 __be64 nf_jiffies64_to_msecs(u64 input) 4913 { 4914 return cpu_to_be64(jiffies64_to_msecs(input)); 4915 } 4916 4917 static int nf_tables_fill_set_concat(struct sk_buff *skb, 4918 const struct nft_set *set) 4919 { 4920 struct nlattr *concat, *field; 4921 int i; 4922 4923 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 4924 if (!concat) 4925 return -ENOMEM; 4926 4927 for (i = 0; i < set->field_count; i++) { 4928 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4929 if (!field) 4930 return -ENOMEM; 4931 4932 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 4933 htonl(set->field_len[i]))) 4934 return -ENOMEM; 4935 4936 nla_nest_end(skb, field); 4937 } 4938 4939 nla_nest_end(skb, concat); 4940 4941 return 0; 4942 } 4943 4944 static u32 nft_set_userspace_size(const struct nft_set_ops *ops, u32 size) 4945 { 4946 if (ops->usize) 4947 return ops->usize(size); 4948 4949 return size; 4950 } 4951 4952 static noinline_for_stack int 4953 nf_tables_fill_set_info(struct sk_buff *skb, const struct nft_set *set) 4954 { 4955 unsigned int nelems; 4956 char str[40]; 4957 int ret; 4958 4959 ret = snprintf(str, sizeof(str), "%ps", set->ops); 4960 4961 /* Not expected to happen and harmless: NFTA_SET_TYPE is dumped 4962 * to userspace purely for informational/debug purposes. 
4963 */ 4964 DEBUG_NET_WARN_ON_ONCE(ret >= sizeof(str)); 4965 4966 if (nla_put_string(skb, NFTA_SET_TYPE, str)) 4967 return -EMSGSIZE; 4968 4969 nelems = nft_set_userspace_size(set->ops, atomic_read(&set->nelems)); 4970 return nla_put_be32(skb, NFTA_SET_COUNT, htonl(nelems)); 4971 } 4972 4973 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 4974 const struct nft_set *set, u16 event, u16 flags) 4975 { 4976 u64 timeout = READ_ONCE(set->timeout); 4977 u32 gc_int = READ_ONCE(set->gc_int); 4978 u32 portid = ctx->portid; 4979 struct nlmsghdr *nlh; 4980 struct nlattr *nest; 4981 u32 seq = ctx->seq; 4982 int i; 4983 4984 nlh = nfnl_msg_put(skb, portid, seq, 4985 nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event), 4986 flags, ctx->family, NFNETLINK_V0, 4987 nft_base_seq_be16(ctx->net)); 4988 if (!nlh) 4989 goto nla_put_failure; 4990 4991 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 4992 goto nla_put_failure; 4993 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 4994 goto nla_put_failure; 4995 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 4996 NFTA_SET_PAD)) 4997 goto nla_put_failure; 4998 4999 if (event == NFT_MSG_DELSET || 5000 event == NFT_MSG_DESTROYSET) { 5001 nlmsg_end(skb, nlh); 5002 return 0; 5003 } 5004 5005 if (set->flags != 0) 5006 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 5007 goto nla_put_failure; 5008 5009 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 5010 goto nla_put_failure; 5011 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 5012 goto nla_put_failure; 5013 if (set->flags & NFT_SET_MAP) { 5014 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 5015 goto nla_put_failure; 5016 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 5017 goto nla_put_failure; 5018 } 5019 if (set->flags & NFT_SET_OBJECT && 5020 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 5021 goto nla_put_failure; 5022 5023 if (timeout && 5024 nla_put_be64(skb, 
NFTA_SET_TIMEOUT, 5025 nf_jiffies64_to_msecs(timeout), 5026 NFTA_SET_PAD)) 5027 goto nla_put_failure; 5028 if (gc_int && 5029 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int))) 5030 goto nla_put_failure; 5031 5032 if (set->policy != NFT_SET_POL_PERFORMANCE) { 5033 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 5034 goto nla_put_failure; 5035 } 5036 5037 if (set->udata && 5038 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 5039 goto nla_put_failure; 5040 5041 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 5042 if (!nest) 5043 goto nla_put_failure; 5044 if (set->size && 5045 nla_put_be32(skb, NFTA_SET_DESC_SIZE, 5046 htonl(nft_set_userspace_size(set->ops, set->size)))) 5047 goto nla_put_failure; 5048 5049 if (set->field_count > 1 && 5050 nf_tables_fill_set_concat(skb, set)) 5051 goto nla_put_failure; 5052 5053 nla_nest_end(skb, nest); 5054 5055 if (nf_tables_fill_set_info(skb, set)) 5056 goto nla_put_failure; 5057 5058 if (set->num_exprs == 1) { 5059 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 5060 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0) 5061 goto nla_put_failure; 5062 5063 nla_nest_end(skb, nest); 5064 } else if (set->num_exprs > 1) { 5065 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS); 5066 if (nest == NULL) 5067 goto nla_put_failure; 5068 5069 for (i = 0; i < set->num_exprs; i++) { 5070 if (nft_expr_dump(skb, NFTA_LIST_ELEM, 5071 set->exprs[i], false) < 0) 5072 goto nla_put_failure; 5073 } 5074 nla_nest_end(skb, nest); 5075 } 5076 5077 nlmsg_end(skb, nlh); 5078 return 0; 5079 5080 nla_put_failure: 5081 nlmsg_trim(skb, nlh); 5082 return -1; 5083 } 5084 5085 static void nf_tables_set_notify(const struct nft_ctx *ctx, 5086 const struct nft_set *set, int event, 5087 gfp_t gfp_flags) 5088 { 5089 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 5090 u32 portid = ctx->portid; 5091 struct sk_buff *skb; 5092 u16 flags = 0; 5093 int err; 5094 5095 if (!ctx->report && 5096 
!nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 5097 return; 5098 5099 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 5100 if (skb == NULL) 5101 goto err; 5102 5103 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 5104 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 5105 5106 err = nf_tables_fill_set(skb, ctx, set, event, flags); 5107 if (err < 0) { 5108 kfree_skb(skb); 5109 goto err; 5110 } 5111 5112 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 5113 return; 5114 err: 5115 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 5116 } 5117 5118 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 5119 { 5120 const struct nft_set *set; 5121 unsigned int idx, s_idx = cb->args[0]; 5122 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 5123 struct net *net = sock_net(skb->sk); 5124 struct nft_ctx *ctx = cb->data, ctx_set; 5125 struct nftables_pernet *nft_net; 5126 5127 if (cb->args[1]) 5128 return skb->len; 5129 5130 rcu_read_lock(); 5131 nft_net = nft_pernet(net); 5132 cb->seq = nft_base_seq(net); 5133 5134 list_for_each_entry_rcu(table, &nft_net->tables, list) { 5135 if (ctx->family != NFPROTO_UNSPEC && 5136 ctx->family != table->family) 5137 continue; 5138 5139 if (ctx->table && ctx->table != table) 5140 continue; 5141 5142 if (cur_table) { 5143 if (cur_table != table) 5144 continue; 5145 5146 cur_table = NULL; 5147 } 5148 idx = 0; 5149 list_for_each_entry_rcu(set, &table->sets, list) { 5150 if (idx < s_idx) 5151 goto cont; 5152 if (!nft_is_active(net, set)) 5153 goto cont; 5154 5155 ctx_set = *ctx; 5156 ctx_set.table = table; 5157 ctx_set.family = table->family; 5158 5159 if (nf_tables_fill_set(skb, &ctx_set, set, 5160 NFT_MSG_NEWSET, 5161 NLM_F_MULTI) < 0) { 5162 cb->args[0] = idx; 5163 cb->args[2] = (unsigned long) table; 5164 goto done; 5165 } 5166 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 5167 cont: 5168 idx++; 5169 } 5170 if (s_idx) 5171 s_idx = 0; 5172 } 5173 cb->args[1] = 1; 
5174 done: 5175 rcu_read_unlock(); 5176 return skb->len; 5177 } 5178 5179 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 5180 { 5181 struct nft_ctx *ctx_dump = NULL; 5182 5183 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 5184 if (ctx_dump == NULL) 5185 return -ENOMEM; 5186 5187 cb->data = ctx_dump; 5188 return 0; 5189 } 5190 5191 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 5192 { 5193 kfree(cb->data); 5194 return 0; 5195 } 5196 5197 /* called with rcu_read_lock held */ 5198 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info, 5199 const struct nlattr * const nla[]) 5200 { 5201 struct netlink_ext_ack *extack = info->extack; 5202 u8 genmask = nft_genmask_cur(info->net); 5203 u8 family = info->nfmsg->nfgen_family; 5204 struct nft_table *table = NULL; 5205 struct net *net = info->net; 5206 const struct nft_set *set; 5207 struct sk_buff *skb2; 5208 struct nft_ctx ctx; 5209 int err; 5210 5211 if (nla[NFTA_SET_TABLE]) { 5212 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 5213 genmask, 0); 5214 if (IS_ERR(table)) { 5215 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5216 return PTR_ERR(table); 5217 } 5218 } 5219 5220 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5221 5222 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 5223 struct netlink_dump_control c = { 5224 .start = nf_tables_dump_sets_start, 5225 .dump = nf_tables_dump_sets, 5226 .done = nf_tables_dump_sets_done, 5227 .data = &ctx, 5228 .module = THIS_MODULE, 5229 }; 5230 5231 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 5232 } 5233 5234 /* Only accept unspec with dump */ 5235 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 5236 return -EAFNOSUPPORT; 5237 if (!nla[NFTA_SET_TABLE]) 5238 return -EINVAL; 5239 5240 set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask); 5241 if (IS_ERR(set)) { 5242 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5243 return PTR_ERR(set); 5244 } 5245 5246 
skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 5247 if (skb2 == NULL) 5248 return -ENOMEM; 5249 5250 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 5251 if (err < 0) 5252 goto err_fill_set_info; 5253 5254 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 5255 5256 err_fill_set_info: 5257 kfree_skb(skb2); 5258 return err; 5259 } 5260 5261 static int nft_set_desc_concat_parse(const struct nlattr *attr, 5262 struct nft_set_desc *desc) 5263 { 5264 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 5265 u32 len; 5266 int err; 5267 5268 if (desc->field_count >= ARRAY_SIZE(desc->field_len)) 5269 return -E2BIG; 5270 5271 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 5272 nft_concat_policy, NULL); 5273 if (err < 0) 5274 return err; 5275 5276 if (!tb[NFTA_SET_FIELD_LEN]) 5277 return -EINVAL; 5278 5279 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 5280 if (!len || len > U8_MAX) 5281 return -EINVAL; 5282 5283 desc->field_len[desc->field_count++] = len; 5284 5285 return 0; 5286 } 5287 5288 static int nft_set_desc_concat(struct nft_set_desc *desc, 5289 const struct nlattr *nla) 5290 { 5291 u32 len = 0, num_regs; 5292 struct nlattr *attr; 5293 int rem, err, i; 5294 5295 nla_for_each_nested(attr, nla, rem) { 5296 if (nla_type(attr) != NFTA_LIST_ELEM) 5297 return -EINVAL; 5298 5299 err = nft_set_desc_concat_parse(attr, desc); 5300 if (err < 0) 5301 return err; 5302 } 5303 5304 for (i = 0; i < desc->field_count; i++) 5305 len += round_up(desc->field_len[i], sizeof(u32)); 5306 5307 if (len != desc->klen) 5308 return -EINVAL; 5309 5310 num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32)); 5311 if (num_regs > NFT_REG32_COUNT) 5312 return -E2BIG; 5313 5314 return 0; 5315 } 5316 5317 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 5318 const struct nlattr *nla) 5319 { 5320 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 5321 int err; 5322 5323 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 5324 nft_set_desc_policy, NULL); 5325 
if (err < 0) 5326 return err; 5327 5328 if (da[NFTA_SET_DESC_SIZE] != NULL) 5329 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 5330 if (da[NFTA_SET_DESC_CONCAT]) 5331 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 5332 5333 return err; 5334 } 5335 5336 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set, 5337 const struct nlattr * const *nla, 5338 struct nft_expr **exprs, int *num_exprs, 5339 u32 flags) 5340 { 5341 struct nft_expr *expr; 5342 int err, i; 5343 5344 if (nla[NFTA_SET_EXPR]) { 5345 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]); 5346 if (IS_ERR(expr)) { 5347 err = PTR_ERR(expr); 5348 goto err_set_expr_alloc; 5349 } 5350 exprs[0] = expr; 5351 (*num_exprs)++; 5352 } else if (nla[NFTA_SET_EXPRESSIONS]) { 5353 struct nlattr *tmp; 5354 int left; 5355 5356 if (!(flags & NFT_SET_EXPR)) { 5357 err = -EINVAL; 5358 goto err_set_expr_alloc; 5359 } 5360 i = 0; 5361 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) { 5362 if (i == NFT_SET_EXPR_MAX) { 5363 err = -E2BIG; 5364 goto err_set_expr_alloc; 5365 } 5366 if (nla_type(tmp) != NFTA_LIST_ELEM) { 5367 err = -EINVAL; 5368 goto err_set_expr_alloc; 5369 } 5370 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 5371 if (IS_ERR(expr)) { 5372 err = PTR_ERR(expr); 5373 goto err_set_expr_alloc; 5374 } 5375 exprs[i++] = expr; 5376 (*num_exprs)++; 5377 } 5378 } 5379 5380 return 0; 5381 5382 err_set_expr_alloc: 5383 for (i = 0; i < *num_exprs; i++) 5384 nft_expr_destroy(ctx, exprs[i]); 5385 5386 return err; 5387 } 5388 5389 static bool nft_set_is_same(const struct nft_set *set, 5390 const struct nft_set_desc *desc, 5391 struct nft_expr *exprs[], u32 num_exprs, u32 flags) 5392 { 5393 int i; 5394 5395 if (set->ktype != desc->ktype || 5396 set->dtype != desc->dtype || 5397 set->flags != flags || 5398 set->klen != desc->klen || 5399 set->dlen != desc->dlen || 5400 set->field_count != desc->field_count || 5401 set->num_exprs != num_exprs) 5402 return false; 5403 5404 
for (i = 0; i < desc->field_count; i++) { 5405 if (set->field_len[i] != desc->field_len[i]) 5406 return false; 5407 } 5408 5409 for (i = 0; i < num_exprs; i++) { 5410 if (set->exprs[i]->ops != exprs[i]->ops) 5411 return false; 5412 } 5413 5414 return true; 5415 } 5416 5417 static u32 nft_set_kernel_size(const struct nft_set_ops *ops, 5418 const struct nft_set_desc *desc) 5419 { 5420 if (ops->ksize) 5421 return ops->ksize(desc->size); 5422 5423 return desc->size; 5424 } 5425 5426 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 5427 const struct nlattr * const nla[]) 5428 { 5429 struct netlink_ext_ack *extack = info->extack; 5430 u8 genmask = nft_genmask_next(info->net); 5431 u8 family = info->nfmsg->nfgen_family; 5432 const struct nft_set_ops *ops; 5433 struct net *net = info->net; 5434 struct nft_set_desc desc; 5435 struct nft_table *table; 5436 unsigned char *udata; 5437 struct nft_set *set; 5438 struct nft_ctx ctx; 5439 size_t alloc_size; 5440 int num_exprs = 0; 5441 char *name; 5442 int err, i; 5443 u16 udlen; 5444 u32 flags; 5445 u64 size; 5446 5447 if (nla[NFTA_SET_TABLE] == NULL || 5448 nla[NFTA_SET_NAME] == NULL || 5449 nla[NFTA_SET_KEY_LEN] == NULL || 5450 nla[NFTA_SET_ID] == NULL) 5451 return -EINVAL; 5452 5453 memset(&desc, 0, sizeof(desc)); 5454 5455 desc.ktype = NFT_DATA_VALUE; 5456 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 5457 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 5458 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 5459 return -EINVAL; 5460 } 5461 5462 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 5463 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 5464 return -EINVAL; 5465 5466 flags = 0; 5467 if (nla[NFTA_SET_FLAGS] != NULL) { 5468 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 5469 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 5470 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 5471 NFT_SET_MAP | NFT_SET_EVAL | 5472 NFT_SET_OBJECT | NFT_SET_CONCAT | 
NFT_SET_EXPR)) 5473 return -EOPNOTSUPP; 5474 /* Only one of these operations is supported */ 5475 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 5476 (NFT_SET_MAP | NFT_SET_OBJECT)) 5477 return -EOPNOTSUPP; 5478 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 5479 (NFT_SET_EVAL | NFT_SET_OBJECT)) 5480 return -EOPNOTSUPP; 5481 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) == 5482 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT)) 5483 return -EOPNOTSUPP; 5484 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) == 5485 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) 5486 return -EOPNOTSUPP; 5487 } 5488 5489 desc.dtype = 0; 5490 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 5491 if (!(flags & NFT_SET_MAP)) 5492 return -EINVAL; 5493 5494 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 5495 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 5496 desc.dtype != NFT_DATA_VERDICT) 5497 return -EINVAL; 5498 5499 if (desc.dtype != NFT_DATA_VERDICT) { 5500 if (nla[NFTA_SET_DATA_LEN] == NULL) 5501 return -EINVAL; 5502 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 5503 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 5504 return -EINVAL; 5505 } else 5506 desc.dlen = sizeof(struct nft_verdict); 5507 } else if (flags & NFT_SET_MAP) 5508 return -EINVAL; 5509 5510 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 5511 if (!(flags & NFT_SET_OBJECT)) 5512 return -EINVAL; 5513 5514 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 5515 if (desc.objtype == NFT_OBJECT_UNSPEC || 5516 desc.objtype > NFT_OBJECT_MAX) 5517 return -EOPNOTSUPP; 5518 } else if (flags & NFT_SET_OBJECT) 5519 return -EINVAL; 5520 else 5521 desc.objtype = NFT_OBJECT_UNSPEC; 5522 5523 desc.timeout = 0; 5524 if (nla[NFTA_SET_TIMEOUT] != NULL) { 5525 if (!(flags & NFT_SET_TIMEOUT)) 5526 return -EINVAL; 5527 5528 if (flags & NFT_SET_ANONYMOUS) 5529 return -EOPNOTSUPP; 5530 5531 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout); 5532 if (err) 5533 return err; 5534 
} 5535 desc.gc_int = 0; 5536 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 5537 if (!(flags & NFT_SET_TIMEOUT)) 5538 return -EINVAL; 5539 5540 if (flags & NFT_SET_ANONYMOUS) 5541 return -EOPNOTSUPP; 5542 5543 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 5544 } 5545 5546 desc.policy = NFT_SET_POL_PERFORMANCE; 5547 if (nla[NFTA_SET_POLICY] != NULL) { 5548 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 5549 switch (desc.policy) { 5550 case NFT_SET_POL_PERFORMANCE: 5551 case NFT_SET_POL_MEMORY: 5552 break; 5553 default: 5554 return -EOPNOTSUPP; 5555 } 5556 } 5557 5558 if (nla[NFTA_SET_DESC] != NULL) { 5559 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 5560 if (err < 0) 5561 return err; 5562 5563 if (desc.field_count > 1) { 5564 if (!(flags & NFT_SET_CONCAT)) 5565 return -EINVAL; 5566 } else if (flags & NFT_SET_CONCAT) { 5567 return -EINVAL; 5568 } 5569 } else if (flags & NFT_SET_CONCAT) { 5570 return -EINVAL; 5571 } 5572 5573 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS]) 5574 desc.expr = true; 5575 5576 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask, 5577 NETLINK_CB(skb).portid); 5578 if (IS_ERR(table)) { 5579 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5580 return PTR_ERR(table); 5581 } 5582 5583 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5584 5585 set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask); 5586 if (IS_ERR(set)) { 5587 if (PTR_ERR(set) != -ENOENT) { 5588 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5589 return PTR_ERR(set); 5590 } 5591 } else { 5592 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {}; 5593 5594 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 5595 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5596 return -EEXIST; 5597 } 5598 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 5599 return -EOPNOTSUPP; 5600 5601 if (nft_set_is_anonymous(set)) 5602 return -EOPNOTSUPP; 5603 5604 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags); 5605 if (err < 0) 5606 
return err; 5607 5608 if (desc.size) 5609 desc.size = nft_set_kernel_size(set->ops, &desc); 5610 5611 err = 0; 5612 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) { 5613 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 5614 err = -EEXIST; 5615 } 5616 5617 for (i = 0; i < num_exprs; i++) 5618 nft_expr_destroy(&ctx, exprs[i]); 5619 5620 if (err < 0) 5621 return err; 5622 5623 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc); 5624 } 5625 5626 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) 5627 return -ENOENT; 5628 5629 ops = nft_select_set_ops(&ctx, flags, &desc); 5630 if (IS_ERR(ops)) 5631 return PTR_ERR(ops); 5632 5633 if (desc.size) 5634 desc.size = nft_set_kernel_size(ops, &desc); 5635 5636 udlen = 0; 5637 if (nla[NFTA_SET_USERDATA]) 5638 udlen = nla_len(nla[NFTA_SET_USERDATA]); 5639 5640 size = 0; 5641 if (ops->privsize != NULL) 5642 size = ops->privsize(nla, &desc); 5643 alloc_size = sizeof(*set) + size + udlen; 5644 if (alloc_size < size || alloc_size > INT_MAX) 5645 return -ENOMEM; 5646 5647 if (!nft_use_inc(&table->use)) 5648 return -EMFILE; 5649 5650 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT); 5651 if (!set) { 5652 err = -ENOMEM; 5653 goto err_alloc; 5654 } 5655 5656 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT); 5657 if (!name) { 5658 err = -ENOMEM; 5659 goto err_set_name; 5660 } 5661 5662 err = nf_tables_set_alloc_name(&ctx, set, name); 5663 kfree(name); 5664 if (err < 0) 5665 goto err_set_name; 5666 5667 udata = NULL; 5668 if (udlen) { 5669 udata = set->data + size; 5670 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 5671 } 5672 5673 INIT_LIST_HEAD(&set->bindings); 5674 INIT_LIST_HEAD(&set->catchall_list); 5675 refcount_set(&set->refs, 1); 5676 set->table = table; 5677 write_pnet(&set->net, net); 5678 set->ops = ops; 5679 set->ktype = desc.ktype; 5680 set->klen = desc.klen; 5681 set->dtype = desc.dtype; 5682 set->objtype = desc.objtype; 5683 set->dlen = desc.dlen; 5684 set->flags = flags; 5685 set->size = desc.size; 
5686 set->policy = desc.policy; 5687 set->udlen = udlen; 5688 set->udata = udata; 5689 set->timeout = desc.timeout; 5690 set->gc_int = desc.gc_int; 5691 5692 set->field_count = desc.field_count; 5693 for (i = 0; i < desc.field_count; i++) 5694 set->field_len[i] = desc.field_len[i]; 5695 5696 err = ops->init(set, &desc, nla); 5697 if (err < 0) 5698 goto err_set_init; 5699 5700 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags); 5701 if (err < 0) 5702 goto err_set_destroy; 5703 5704 set->num_exprs = num_exprs; 5705 set->handle = nf_tables_alloc_handle(table); 5706 INIT_LIST_HEAD(&set->pending_update); 5707 5708 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 5709 if (err < 0) 5710 goto err_set_expr_alloc; 5711 5712 list_add_tail_rcu(&set->list, &table->sets); 5713 5714 return 0; 5715 5716 err_set_expr_alloc: 5717 for (i = 0; i < set->num_exprs; i++) 5718 nft_expr_destroy(&ctx, set->exprs[i]); 5719 err_set_destroy: 5720 ops->destroy(&ctx, set); 5721 err_set_init: 5722 kfree(set->name); 5723 err_set_name: 5724 kvfree(set); 5725 err_alloc: 5726 nft_use_dec_restore(&table->use); 5727 5728 return err; 5729 } 5730 5731 static void nft_set_catchall_destroy(const struct nft_ctx *ctx, 5732 struct nft_set *set) 5733 { 5734 struct nft_set_elem_catchall *next, *catchall; 5735 5736 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5737 list_del_rcu(&catchall->list); 5738 nf_tables_set_elem_destroy(ctx, set, catchall->elem); 5739 kfree_rcu(catchall, rcu); 5740 } 5741 } 5742 5743 static void nft_set_put(struct nft_set *set) 5744 { 5745 if (refcount_dec_and_test(&set->refs)) { 5746 kfree(set->name); 5747 kvfree(set); 5748 } 5749 } 5750 5751 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 5752 { 5753 int i; 5754 5755 if (WARN_ON(set->use > 0)) 5756 return; 5757 5758 for (i = 0; i < set->num_exprs; i++) 5759 nft_expr_destroy(ctx, set->exprs[i]); 5760 5761 set->ops->destroy(ctx, set); 5762 
nft_set_catchall_destroy(ctx, set); 5763 nft_set_put(set); 5764 } 5765 5766 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info, 5767 const struct nlattr * const nla[]) 5768 { 5769 struct netlink_ext_ack *extack = info->extack; 5770 u8 genmask = nft_genmask_next(info->net); 5771 u8 family = info->nfmsg->nfgen_family; 5772 struct net *net = info->net; 5773 const struct nlattr *attr; 5774 struct nft_table *table; 5775 struct nft_set *set; 5776 struct nft_ctx ctx; 5777 5778 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 5779 return -EAFNOSUPPORT; 5780 5781 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 5782 genmask, NETLINK_CB(skb).portid); 5783 if (IS_ERR(table)) { 5784 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 5785 return PTR_ERR(table); 5786 } 5787 5788 if (nla[NFTA_SET_HANDLE]) { 5789 attr = nla[NFTA_SET_HANDLE]; 5790 set = nft_set_lookup_byhandle(table, attr, genmask); 5791 } else { 5792 attr = nla[NFTA_SET_NAME]; 5793 set = nft_set_lookup(net, table, attr, genmask); 5794 } 5795 5796 if (IS_ERR(set)) { 5797 if (PTR_ERR(set) == -ENOENT && 5798 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET) 5799 return 0; 5800 5801 NL_SET_BAD_ATTR(extack, attr); 5802 return PTR_ERR(set); 5803 } 5804 if (set->use || 5805 (info->nlh->nlmsg_flags & NLM_F_NONREC && 5806 atomic_read(&set->nelems) > 0)) { 5807 NL_SET_BAD_ATTR(extack, attr); 5808 return -EBUSY; 5809 } 5810 5811 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5812 5813 return nft_delset(&ctx, set); 5814 } 5815 5816 static int nft_validate_register_store(const struct nft_ctx *ctx, 5817 enum nft_registers reg, 5818 const struct nft_data *data, 5819 enum nft_data_types type, 5820 unsigned int len); 5821 5822 static int nft_setelem_data_validate(const struct nft_ctx *ctx, 5823 struct nft_set *set, 5824 struct nft_elem_priv *elem_priv) 5825 { 5826 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5827 enum nft_registers dreg; 5828 5829 
dreg = nft_type_to_reg(set->dtype); 5830 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 5831 set->dtype == NFT_DATA_VERDICT ? 5832 NFT_DATA_VERDICT : NFT_DATA_VALUE, 5833 set->dlen); 5834 } 5835 5836 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 5837 struct nft_set *set, 5838 const struct nft_set_iter *iter, 5839 struct nft_elem_priv *elem_priv) 5840 { 5841 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 5842 5843 if (!nft_set_elem_active(ext, iter->genmask)) 5844 return 0; 5845 5846 return nft_setelem_data_validate(ctx, set, elem_priv); 5847 } 5848 5849 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx, 5850 struct nft_set *set) 5851 { 5852 u8 genmask = nft_genmask_next(ctx->net); 5853 struct nft_set_elem_catchall *catchall; 5854 struct nft_set_ext *ext; 5855 int ret = 0; 5856 5857 list_for_each_entry_rcu(catchall, &set->catchall_list, list, 5858 lockdep_commit_lock_is_held(ctx->net)) { 5859 ext = nft_set_elem_ext(set, catchall->elem); 5860 if (!nft_set_elem_active(ext, genmask)) 5861 continue; 5862 5863 ret = nft_setelem_data_validate(ctx, set, catchall->elem); 5864 if (ret < 0) 5865 break; 5866 } 5867 5868 return ret; 5869 } 5870 5871 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 5872 struct nft_set_binding *binding) 5873 { 5874 struct nft_set_binding *i; 5875 struct nft_set_iter iter = { 5876 .genmask = nft_genmask_next(ctx->net), 5877 .type = NFT_ITER_UPDATE, 5878 .fn = nf_tables_bind_check_setelem, 5879 }; 5880 5881 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 5882 return -EBUSY; 5883 5884 if (binding->flags & NFT_SET_MAP) { 5885 /* If the set is already bound to the same chain all 5886 * jumps are already validated for that chain. 
/* Drop @binding from @set. An anonymous set that loses its last binding is
 * unlinked from its table and marked dead; an NFT_MSG_DELSET notification is
 * sent only when @event is true (the caller passes phase == NFT_TRANS_COMMIT).
 */
static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
				 struct nft_set_binding *binding, bool event)
{
	list_del_rcu(&binding->list);

	/* named sets outlive their bindings; anonymous ones do not */
	if (!nft_set_is_anonymous(set) || !list_empty(&set->bindings))
		return;

	list_del_rcu(&set->list);
	set->dead = 1;

	if (event)
		nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_KERNEL);
}
/* Re-activate @set after its deactivation was undone (the map element
 * callbacks this reaches note they run from the abort path).
 *
 * An anonymous set is cleared for the next generation; when it carries data
 * or object references (NFT_SET_MAP | NFT_SET_OBJECT) the element data is
 * re-activated first via nft_map_activate(). The use count taken by the
 * binding is restored in every case.
 */
void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
{
	bool anonymous = nft_set_is_anonymous(set);
	bool has_data = set->flags & (NFT_SET_MAP | NFT_SET_OBJECT);

	if (anonymous && has_data)
		nft_map_activate(ctx, set);
	if (anonymous)
		nft_clear(ctx->net, set);

	nft_use_inc_restore(&set->use);
}
/* Free an anonymous set once nothing is bound to it any more; named sets and
 * sets that still have bindings are left alone.
 */
void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
{
	if (!nft_set_is_anonymous(set))
		return;
	if (!list_empty(&set->bindings))
		return;

	nft_set_destroy(ctx, set);
}
/* Dump the expressions attached to a set element.
 *
 * A single expression is emitted as NFTA_SET_ELEM_EXPR; several are wrapped
 * in an NFTA_SET_ELEM_EXPRESSIONS nest of NFTA_LIST_ELEM entries. With @reset
 * the per-expression dump also clears its counters. @set is not used here.
 * Returns 0 on success, -1 when the attribute did not fit; the caller trims
 * the partially written message.
 */
static int nft_set_elem_expr_dump(struct sk_buff *skb,
				  const struct nft_set *set,
				  const struct nft_set_ext *ext,
				  bool reset)
{
	struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
	struct nft_expr *expr;
	struct nlattr *nest;
	u32 off, count = 0;

	nft_setelem_expr_foreach(expr, elem_expr, off)
		count++;

	if (count == 0)
		return 0;

	if (count == 1) {
		expr = nft_setelem_expr_at(elem_expr, 0);
		return nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0 ? -1 : 0;
	}

	nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
	if (!nest)
		return -1;

	nft_setelem_expr_foreach(expr, elem_expr, off) {
		expr = nft_setelem_expr_at(elem_expr, off);
		if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
			return -1;
	}
	nla_nest_end(skb, nest);

	return 0;
}
{ 6138 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 6139 unsigned char *b = skb_tail_pointer(skb); 6140 struct nlattr *nest; 6141 6142 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 6143 if (nest == NULL) 6144 goto nla_put_failure; 6145 6146 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 6147 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 6148 NFT_DATA_VALUE, set->klen) < 0) 6149 goto nla_put_failure; 6150 6151 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 6152 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 6153 NFT_DATA_VALUE, set->klen) < 0) 6154 goto nla_put_failure; 6155 6156 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 6157 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 6158 nft_set_datatype(set), set->dlen) < 0) 6159 goto nla_put_failure; 6160 6161 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) && 6162 nft_set_elem_expr_dump(skb, set, ext, reset)) 6163 goto nla_put_failure; 6164 6165 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 6166 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 6167 (*nft_set_ext_obj(ext))->key.name) < 0) 6168 goto nla_put_failure; 6169 6170 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 6171 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 6172 htonl(*nft_set_ext_flags(ext)))) 6173 goto nla_put_failure; 6174 6175 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) { 6176 u64 timeout = READ_ONCE(nft_set_ext_timeout(ext)->timeout); 6177 u64 set_timeout = READ_ONCE(set->timeout); 6178 __be64 msecs = 0; 6179 6180 if (set_timeout != timeout) { 6181 msecs = nf_jiffies64_to_msecs(timeout); 6182 if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, msecs, 6183 NFTA_SET_ELEM_PAD)) 6184 goto nla_put_failure; 6185 } 6186 6187 if (timeout > 0) { 6188 u64 expires, now = get_jiffies_64(); 6189 6190 expires = READ_ONCE(nft_set_ext_timeout(ext)->expiration); 6191 if (time_before64(now, expires)) 6192 expires -= now; 6193 else 6194 expires = 0; 6195 6196 if (nla_put_be64(skb, 
/* set->ops->walk() callback used by nf_tables_dump_set().
 *
 * Elements that are inactive in the dump's generation, expired or already
 * marked dead are skipped; everything else is serialised into the dump skb
 * found through the enclosing struct nft_set_dump_args.
 */
static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
				  struct nft_set *set,
				  const struct nft_set_iter *iter,
				  struct nft_elem_priv *elem_priv)
{
	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
	const struct nft_set_dump_args *args;
	bool visible;

	visible = nft_set_elem_active(ext, iter->genmask) &&
		  !nft_set_elem_expired(ext) &&
		  !nft_set_elem_is_dead(ext);
	if (!visible)
		return 0;

	/* iter is embedded in the dump arguments; recover the container */
	args = container_of(iter, struct nft_set_dump_args, iter);

	return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset);
}
/* Netlink dump callback for NFT_MSG_GETSETELEM (and its _RESET variant).
 *
 * Emits one NFT_MSG_NEWSETELEM message holding a batch of elements of
 * dump_ctx->set. cb->args[0] carries the number of elements already dumped
 * across calls and is used as the skip count for the walk; the catch-all
 * element is appended only once the walk has nothing more to add.
 *
 * Returns skb->len when more data may follow, 0 when the dump is complete,
 * -ENOENT if the table/set vanished since the previous call, -ENOSPC if
 * even the message header did not fit, or a walk error other than -EMSGSIZE.
 */
static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct nft_set_dump_ctx *dump_ctx = cb->data;
	struct net *net = sock_net(skb->sk);
	struct nftables_pernet *nft_net;
	struct nft_table *table;
	struct nft_set *set;
	struct nft_set_dump_args args = {
		.cb = cb,
		.skb = skb,
		.reset = dump_ctx->reset,
		.iter = {
			.genmask = nft_genmask_cur(net),
			.type = NFT_ITER_READ,
			.skip = cb->args[0],
			.fn = nf_tables_dump_setelem,
		},
	};
	bool set_found = false;
	struct nlmsghdr *nlh;
	struct nlattr *nest;
	u32 portid, seq;
	int event;

	rcu_read_lock();
	nft_net = nft_pernet(net);
	cb->seq = nft_base_seq(net);

	/* The dump spans several calls; re-check that the table and set
	 * recorded in dump_ctx still exist before touching them.
	 */
	list_for_each_entry_rcu(table, &nft_net->tables, list) {
		if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
		    dump_ctx->ctx.family != table->family)
			continue;

		if (table != dump_ctx->ctx.table)
			continue;

		list_for_each_entry_rcu(set, &table->sets, list) {
			if (set == dump_ctx->set) {
				set_found = true;
				break;
			}
		}
		break;
	}

	if (!set_found) {
		rcu_read_unlock();
		return -ENOENT;
	}

	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
	portid = NETLINK_CB(cb->skb).portid;
	seq = cb->nlh->nlmsg_seq;

	nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
			   table->family, NFNETLINK_V0, nft_base_seq_be16(net));
	if (!nlh)
		goto nla_put_failure;

	if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
		goto nla_put_failure;
	if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
		goto nla_put_failure;

	nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
	if (nest == NULL)
		goto nla_put_failure;

	set->ops->walk(&dump_ctx->ctx, set, &args.iter);

	/* the walk added nothing new: this is the final batch, append the
	 * catch-all element (if any) to it
	 */
	if (!args.iter.err && args.iter.count == cb->args[0])
		args.iter.err = nft_set_catchall_dump(net, skb, set,
						      dump_ctx->reset, cb->seq);
	nla_nest_end(skb, nest);
	nlmsg_end(skb, nlh);

	/* a reset dump changes state: record how many elements were reset */
	if (dump_ctx->reset && args.iter.count > args.iter.skip)
		audit_log_nft_set_reset(table, cb->seq,
					args.iter.count - args.iter.skip);

	rcu_read_unlock();

	/* -EMSGSIZE only means this skb is full; continue on the next call */
	if (args.iter.err && args.iter.err != -EMSGSIZE)
		return args.iter.err;
	if (args.iter.count == cb->args[0])
		return 0;

	cb->args[0] = args.iter.count;
	return skb->len;

nla_put_failure:
	rcu_read_unlock();
	return -ENOSPC;
}
/* Parse the optional NFTA_SET_ELEM_FLAGS attribute into @flags.
 *
 * Without the attribute @flags is left untouched and 0 is returned. Only
 * NFT_SET_ELEM_INTERVAL_END and NFT_SET_ELEM_CATCHALL are known; any other
 * bit yields -EOPNOTSUPP. INTERVAL_END on a set without NFT_SET_INTERVAL, or
 * both known bits at once, yields -EINVAL. @flags is written before the
 * checks run, so it holds the raw value even on failure.
 */
static int nft_setelem_parse_flags(const struct nft_set *set,
				   const struct nlattr *attr, u32 *flags)
{
	const u32 known = NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL;
	u32 f;

	if (!attr)
		return 0;

	f = ntohl(nla_get_be32(attr));
	*flags = f;

	if (f & ~known)
		return -EOPNOTSUPP;
	/* interval end markers only make sense on interval sets */
	if ((f & NFT_SET_ELEM_INTERVAL_END) && !(set->flags & NFT_SET_INTERVAL))
		return -EINVAL;
	/* a catch-all element cannot also be an interval end */
	if ((f & known) == known)
		return -EINVAL;

	return 0;
}
/* Look up one element described by the nested attribute @attr and send it to
 * the requester as an NFT_MSG_NEWSETELEM message.
 *
 * A key is mandatory unless the element is a catch-all (NFT_SET_ELEM_CATCHALL
 * in its flags). With @reset the element's stateful expressions are reset
 * while being dumped. Returns 0 or a negative errno; the result of
 * nfnetlink_unicast() is passed through on success.
 */
static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
			    const struct nlattr *attr, bool reset)
{
	struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
	struct nft_set_elem elem;
	struct sk_buff *skb;
	uint32_t flags = 0;
	int ret;

	ret = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
					  nft_set_elem_policy, NULL);
	if (ret < 0)
		return ret;

	ret = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
	if (ret < 0)
		return ret;

	/* only a catch-all element may be addressed without a key */
	if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
		return -EINVAL;

	if (nla[NFTA_SET_ELEM_KEY]) {
		ret = nft_setelem_parse_key(ctx, set, &elem.key.val,
					    nla[NFTA_SET_ELEM_KEY]);
		if (ret < 0)
			return ret;
	}

	if (nla[NFTA_SET_ELEM_KEY_END]) {
		ret = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
					    nla[NFTA_SET_ELEM_KEY_END]);
		if (ret < 0)
			return ret;
	}

	ret = nft_setelem_get(ctx, set, &elem, flags);
	if (ret < 0)
		return ret;

	skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
	if (!skb)
		return -ENOMEM;

	ret = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
					  NFT_MSG_NEWSETELEM, 0, set, elem.priv,
					  reset);
	if (ret < 0) {
		kfree_skb(skb);
		return ret;
	}

	return nfnetlink_unicast(skb, ctx->net, ctx->portid);
}
/* called with rcu_read_lock held */
/* Handle NFT_MSG_GETSETELEM and NFT_MSG_GETSETELEM_RESET.
 *
 * With NLM_F_DUMP the whole set is dumped through nf_tables_dump_set();
 * dump_ctx lives on this stack and is duplicated by nf_tables_dump_set_start()
 * before the dump proceeds. Otherwise each entry of
 * NFTA_SET_ELEM_LIST_ELEMENTS is fetched individually and the first failing
 * attribute is reported via extack. For the _RESET variant the number of
 * elements actually reset is written to the audit log even when a lookup
 * failed part-way. Returns 0 or a negative errno.
 */
static int nf_tables_getsetelem(struct sk_buff *skb,
				const struct nfnl_info *info,
				const struct nlattr * const nla[])
{
	bool reset = NFNL_MSG_TYPE(info->nlh->nlmsg_type) ==
		     NFT_MSG_GETSETELEM_RESET;
	struct netlink_ext_ack *extack = info->extack;
	struct nft_set_dump_ctx dump_ctx;
	struct net *net = info->net;
	int rem, ret = 0, nelems = 0;
	struct nlattr *attr;

	if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.start = nf_tables_dump_set_start,
			.dump = nf_tables_dump_set,
			.done = nf_tables_dump_set_done,
			.module = THIS_MODULE,
			.data = &dump_ctx,
		};

		ret = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, reset);
		if (ret)
			return ret;

		return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
	}

	if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
		return -EINVAL;

	ret = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, reset);
	if (ret)
		return ret;

	nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
		ret = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, reset);
		if (ret < 0) {
			NL_SET_BAD_ATTR(extack, attr);
			break;
		}
		nelems++;
	}

	/* resets mutate state: log how many elements were reset */
	if (reset)
		audit_log_nft_set_reset(dump_ctx.ctx.table, nft_base_seq(net),
					nelems);

	return ret;
}
/* Instantiate an expression to be attached to elements of @set.
 *
 * Expressions flagged NFT_EXPR_GC need the set backend to support garbage
 * collection: they are refused with -EOPNOTSUPP when the set already uses
 * NFT_SET_TIMEOUT or when the backend has no gc_init(); otherwise gc_init()
 * is invoked. Returns the expression or an ERR_PTR(); ownership passes to
 * the caller.
 */
struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
					 const struct nft_set *set,
					 const struct nlattr *attr)
{
	struct nft_expr *expr = nft_expr_init(ctx, attr);
	bool gc_unsupported;

	if (IS_ERR(expr))
		return expr;

	if (!(expr->ops->type->flags & NFT_EXPR_GC))
		return expr;

	gc_unsupported = (set->flags & NFT_SET_TIMEOUT) || !set->ops->gc_init;
	if (gc_unsupported) {
		nft_expr_destroy(ctx, expr);
		return ERR_PTR(-EOPNOTSUPP);
	}

	set->ops->gc_init(set);

	return expr;
}
/* Allocate a set element and populate the extensions described by @tmpl.
 *
 * @key, @key_end and @data are copied only when the template carries the
 * corresponding extension; each copy goes through nft_set_ext_memcpy(), which
 * bounds it by the template length, so an oversized value fails the whole
 * allocation with -EINVAL. For NFT_SET_EXT_TIMEOUT an @expiration of 0 means
 * "expire after @timeout". Returns the element or an ERR_PTR(-ENOMEM /
 * -EINVAL); the caller owns the result.
 */
struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
					const struct nft_set_ext_tmpl *tmpl,
					const u32 *key, const u32 *key_end,
					const u32 *data,
					u64 timeout, u64 expiration, gfp_t gfp)
{
	struct nft_set_ext *ext;
	void *elem;
	int err = 0;

	elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
	if (!elem)
		return ERR_PTR(-ENOMEM);

	ext = nft_set_elem_ext(set, elem);
	nft_set_ext_init(ext, tmpl);

	if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY))
		err = nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
					 nft_set_ext_key(ext), key, set->klen);
	if (!err && nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
		err = nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
					 nft_set_ext_key_end(ext), key_end,
					 set->klen);
	if (!err && nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
		err = nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
					 nft_set_ext_data(ext), data, set->dlen);
	if (err < 0) {
		kfree(elem);
		return ERR_PTR(-EINVAL);
	}

	if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
		nft_set_ext_timeout(ext)->timeout = timeout;
		nft_set_ext_timeout(ext)->expiration =
			get_jiffies_64() + (expiration ? expiration : timeout);
	}

	return elem;
}
/* Drop references and destroy. Called from gc, dynset and abort path.
 *
 * Releases the key, the data (if present), the attached expressions (only
 * when @destroy_expr is set) and the use count of a referenced object, then
 * frees the element memory.
 */
static void __nft_set_elem_destroy(const struct nft_ctx *ctx,
				   const struct nft_set *set,
				   const struct nft_elem_priv *elem_priv,
				   bool destroy_expr)
{
	struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
	bool has_data = nft_set_ext_exists(ext, NFT_SET_EXT_DATA);
	bool has_exprs = nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS);
	bool has_objref = nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF);

	nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);

	if (has_data)
		nft_data_release(nft_set_ext_data(ext), set->dtype);

	if (has_exprs && destroy_expr)
		nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));

	/* the element held a reference on the object it points to */
	if (has_objref)
		nft_use_dec(&(*nft_set_ext_obj(ext))->use);

	kfree(elem_priv);
}
/* Clone the set-level expression templates (set->exprs) into @expr_array,
 * which must have room for set->num_exprs entries.
 *
 * On any failure (allocation or nft_expr_clone()) the clones created so far
 * are destroyed and -ENOMEM is returned; entries of @expr_array are then
 * undefined. Returns 0 on success.
 */
int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
			    struct nft_expr *expr_array[])
{
	int i;

	for (i = 0; i < set->num_exprs; i++) {
		struct nft_expr *clone;

		clone = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
		if (!clone)
			break;

		if (nft_expr_clone(clone, set->exprs[i], GFP_KERNEL_ACCOUNT) < 0) {
			kfree(clone);
			break;
		}
		expr_array[i] = clone;
	}

	if (i == set->num_exprs)
		return 0;

	/* unwind the clones completed before the failing index */
	while (i-- > 0)
		nft_expr_destroy(ctx, expr_array[i]);

	return -ENOMEM;
}
/* Insert the catch-all element elem->priv into @set.
 *
 * At most one catch-all element may be active in the next generation: if
 * one already is, it is returned through @priv and -EEXIST is returned so
 * the caller can handle the duplicate like a regular set backend would.
 * Returns -ENOMEM if the list node cannot be allocated, 0 on success.
 */
static int nft_setelem_catchall_insert(const struct net *net,
				       struct nft_set *set,
				       const struct nft_set_elem *elem,
				       struct nft_elem_priv **priv)
{
	u8 genmask = nft_genmask_next(net);
	struct nft_set_elem_catchall *entry;

	list_for_each_entry(entry, &set->catchall_list, list) {
		struct nft_set_ext *ext = nft_set_elem_ext(set, entry->elem);

		if (!nft_set_elem_active(ext, genmask))
			continue;

		*priv = entry->elem;
		return -EEXIST;
	}

	entry = kmalloc_obj(*entry, GFP_KERNEL_ACCOUNT);
	if (!entry)
		return -ENOMEM;

	entry->elem = elem->priv;
	list_add_tail_rcu(&entry->list, &set->catchall_list);

	return 0;
}
/* Commit the NEWSETELEM transaction @te: apply every pending element.
 *
 * An entry with an update record only has its timeout/expiration refreshed
 * via nft_trans_elem_update(); otherwise the element is activated. Each
 * element is announced with NFT_MSG_NEWSETELEM and its update record (if
 * any) is freed.
 */
static void nft_trans_elems_add(const struct nft_ctx *ctx,
				struct nft_trans_elem *te)
{
	struct nft_trans_one_elem *elem;
	struct nft_trans_one_elem *end = te->elems + te->nelems;

	for (elem = te->elems; elem < end; elem++) {
		if (elem->update)
			nft_trans_elem_update(te->set, elem);
		else
			nft_setelem_activate(ctx->net, te->set, elem->priv);

		nf_tables_setelem_notify(ctx, te->set, elem->priv,
					 NFT_MSG_NEWSETELEM);
		kfree(elem->update);
	}
}
struct net *net, 7099 struct nft_set *set, 7100 struct nft_set_elem *elem) 7101 { 7102 struct nft_set_elem_catchall *catchall; 7103 struct nft_set_ext *ext; 7104 7105 list_for_each_entry(catchall, &set->catchall_list, list) { 7106 ext = nft_set_elem_ext(set, catchall->elem); 7107 if (!nft_is_active_next(net, ext)) 7108 continue; 7109 7110 kfree(elem->priv); 7111 elem->priv = catchall->elem; 7112 nft_set_elem_change_active(net, set, ext); 7113 return 0; 7114 } 7115 7116 return -ENOENT; 7117 } 7118 7119 static int __nft_setelem_deactivate(const struct net *net, 7120 struct nft_set *set, 7121 struct nft_set_elem *elem) 7122 { 7123 void *priv; 7124 7125 priv = set->ops->deactivate(net, set, elem); 7126 if (!priv) 7127 return -ENOENT; 7128 7129 kfree(elem->priv); 7130 elem->priv = priv; 7131 set->ndeact++; 7132 7133 return 0; 7134 } 7135 7136 static int nft_setelem_deactivate(const struct net *net, 7137 struct nft_set *set, 7138 struct nft_set_elem *elem, u32 flags) 7139 { 7140 int ret; 7141 7142 if (flags & NFT_SET_ELEM_CATCHALL) 7143 ret = nft_setelem_catchall_deactivate(net, set, elem); 7144 else 7145 ret = __nft_setelem_deactivate(net, set, elem); 7146 7147 return ret; 7148 } 7149 7150 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall) 7151 { 7152 list_del_rcu(&catchall->list); 7153 kfree_rcu(catchall, rcu); 7154 } 7155 7156 static void nft_setelem_catchall_remove(const struct net *net, 7157 const struct nft_set *set, 7158 struct nft_elem_priv *elem_priv) 7159 { 7160 struct nft_set_elem_catchall *catchall, *next; 7161 7162 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 7163 if (catchall->elem == elem_priv) { 7164 nft_setelem_catchall_destroy(catchall); 7165 break; 7166 } 7167 } 7168 } 7169 7170 static void nft_setelem_remove(const struct net *net, 7171 const struct nft_set *set, 7172 struct nft_elem_priv *elem_priv) 7173 { 7174 if (nft_setelem_is_catchall(set, elem_priv)) 7175 nft_setelem_catchall_remove(net, set, 
elem_priv); 7176 else 7177 set->ops->remove(net, set, elem_priv); 7178 } 7179 7180 static void nft_trans_elems_remove(const struct nft_ctx *ctx, 7181 const struct nft_trans_elem *te) 7182 { 7183 int i; 7184 7185 for (i = 0; i < te->nelems; i++) { 7186 WARN_ON_ONCE(te->elems[i].update); 7187 7188 nf_tables_setelem_notify(ctx, te->set, 7189 te->elems[i].priv, 7190 te->nft_trans.msg_type); 7191 7192 nft_setelem_remove(ctx->net, te->set, te->elems[i].priv); 7193 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv)) { 7194 atomic_dec(&te->set->nelems); 7195 te->set->ndeact--; 7196 } 7197 } 7198 } 7199 7200 static bool nft_setelem_valid_key_end(const struct nft_set *set, 7201 struct nlattr **nla, u32 flags) 7202 { 7203 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) == 7204 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) { 7205 if (flags & NFT_SET_ELEM_INTERVAL_END) 7206 return false; 7207 7208 if (nla[NFTA_SET_ELEM_KEY_END] && 7209 flags & NFT_SET_ELEM_CATCHALL) 7210 return false; 7211 } else { 7212 if (nla[NFTA_SET_ELEM_KEY_END]) 7213 return false; 7214 } 7215 7216 return true; 7217 } 7218 7219 static u32 nft_set_maxsize(const struct nft_set *set) 7220 { 7221 u32 maxsize, delta; 7222 7223 if (!set->size) 7224 return UINT_MAX; 7225 7226 if (set->ops->adjust_maxsize) 7227 delta = set->ops->adjust_maxsize(set); 7228 else 7229 delta = 0; 7230 7231 if (check_add_overflow(set->size, set->ndeact, &maxsize)) 7232 return UINT_MAX; 7233 7234 if (check_add_overflow(maxsize, delta, &maxsize)) 7235 return UINT_MAX; 7236 7237 return maxsize; 7238 } 7239 7240 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 7241 const struct nlattr *attr, u32 nlmsg_flags) 7242 { 7243 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {}; 7244 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 7245 u8 genmask = nft_genmask_next(ctx->net); 7246 u32 flags = 0, size = 0, num_exprs = 0; 7247 struct nft_set_ext_tmpl tmpl; 7248 struct nft_set_ext *ext, *ext2; 7249 struct nft_set_elem elem; 7250 
struct nft_set_binding *binding; 7251 struct nft_elem_priv *elem_priv; 7252 struct nft_object *obj = NULL; 7253 struct nft_userdata *udata; 7254 struct nft_data_desc desc; 7255 enum nft_registers dreg; 7256 struct nft_trans *trans; 7257 bool set_full = false; 7258 u64 expiration; 7259 u64 timeout; 7260 int err, i; 7261 u8 ulen; 7262 7263 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 7264 nft_set_elem_policy, NULL); 7265 if (err < 0) 7266 return err; 7267 7268 nft_set_ext_prepare(&tmpl); 7269 7270 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 7271 if (err < 0) 7272 return err; 7273 7274 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) || 7275 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY])) 7276 return -EINVAL; 7277 7278 if (flags != 0) { 7279 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 7280 if (err < 0) 7281 return err; 7282 } 7283 7284 if (set->flags & NFT_SET_MAP) { 7285 if (nla[NFTA_SET_ELEM_DATA] == NULL && 7286 !(flags & NFT_SET_ELEM_INTERVAL_END)) 7287 return -EINVAL; 7288 } else { 7289 if (nla[NFTA_SET_ELEM_DATA] != NULL) 7290 return -EINVAL; 7291 } 7292 7293 if (set->flags & NFT_SET_OBJECT) { 7294 if (!nla[NFTA_SET_ELEM_OBJREF] && 7295 !(flags & NFT_SET_ELEM_INTERVAL_END)) 7296 return -EINVAL; 7297 } else { 7298 if (nla[NFTA_SET_ELEM_OBJREF]) 7299 return -EINVAL; 7300 } 7301 7302 if (!nft_setelem_valid_key_end(set, nla, flags)) 7303 return -EINVAL; 7304 7305 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 7306 (nla[NFTA_SET_ELEM_DATA] || 7307 nla[NFTA_SET_ELEM_OBJREF] || 7308 nla[NFTA_SET_ELEM_TIMEOUT] || 7309 nla[NFTA_SET_ELEM_EXPIRATION] || 7310 nla[NFTA_SET_ELEM_USERDATA] || 7311 nla[NFTA_SET_ELEM_EXPR] || 7312 nla[NFTA_SET_ELEM_KEY_END] || 7313 nla[NFTA_SET_ELEM_EXPRESSIONS])) 7314 return -EINVAL; 7315 7316 timeout = 0; 7317 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 7318 if (!(set->flags & NFT_SET_TIMEOUT)) 7319 return -EINVAL; 7320 err = 
nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 7321 &timeout); 7322 if (err) 7323 return err; 7324 } else if (set->flags & NFT_SET_TIMEOUT && 7325 !(flags & NFT_SET_ELEM_INTERVAL_END)) { 7326 timeout = set->timeout; 7327 } 7328 7329 expiration = 0; 7330 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 7331 if (!(set->flags & NFT_SET_TIMEOUT)) 7332 return -EINVAL; 7333 if (timeout == 0) 7334 return -EOPNOTSUPP; 7335 7336 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 7337 &expiration); 7338 if (err) 7339 return err; 7340 7341 if (expiration > timeout) 7342 return -ERANGE; 7343 } 7344 7345 if (nla[NFTA_SET_ELEM_EXPR]) { 7346 struct nft_expr *expr; 7347 7348 if (set->num_exprs && set->num_exprs != 1) 7349 return -EOPNOTSUPP; 7350 7351 expr = nft_set_elem_expr_alloc(ctx, set, 7352 nla[NFTA_SET_ELEM_EXPR]); 7353 if (IS_ERR(expr)) 7354 return PTR_ERR(expr); 7355 7356 expr_array[0] = expr; 7357 num_exprs = 1; 7358 7359 if (set->num_exprs && set->exprs[0]->ops != expr->ops) { 7360 err = -EOPNOTSUPP; 7361 goto err_set_elem_expr; 7362 } 7363 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) { 7364 struct nft_expr *expr; 7365 struct nlattr *tmp; 7366 int left; 7367 7368 i = 0; 7369 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) { 7370 if (i == NFT_SET_EXPR_MAX || 7371 (set->num_exprs && set->num_exprs == i)) { 7372 err = -E2BIG; 7373 goto err_set_elem_expr; 7374 } 7375 if (nla_type(tmp) != NFTA_LIST_ELEM) { 7376 err = -EINVAL; 7377 goto err_set_elem_expr; 7378 } 7379 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 7380 if (IS_ERR(expr)) { 7381 err = PTR_ERR(expr); 7382 goto err_set_elem_expr; 7383 } 7384 expr_array[i] = expr; 7385 num_exprs++; 7386 7387 if (set->num_exprs && expr->ops != set->exprs[i]->ops) { 7388 err = -EOPNOTSUPP; 7389 goto err_set_elem_expr; 7390 } 7391 i++; 7392 } 7393 if (set->num_exprs && set->num_exprs != i) { 7394 err = -EOPNOTSUPP; 7395 goto err_set_elem_expr; 7396 } 7397 } else if (set->num_exprs > 0 && 7398 !(flags & 
NFT_SET_ELEM_INTERVAL_END)) { 7399 err = nft_set_elem_expr_clone(ctx, set, expr_array); 7400 if (err < 0) 7401 goto err_set_elem_expr_clone; 7402 7403 num_exprs = set->num_exprs; 7404 } 7405 7406 if (nla[NFTA_SET_ELEM_KEY]) { 7407 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 7408 nla[NFTA_SET_ELEM_KEY]); 7409 if (err < 0) 7410 goto err_set_elem_expr; 7411 7412 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 7413 if (err < 0) 7414 goto err_parse_key; 7415 } 7416 7417 if (nla[NFTA_SET_ELEM_KEY_END]) { 7418 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 7419 nla[NFTA_SET_ELEM_KEY_END]); 7420 if (err < 0) 7421 goto err_parse_key; 7422 7423 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 7424 if (err < 0) 7425 goto err_parse_key_end; 7426 } 7427 7428 if (set->flags & NFT_SET_TIMEOUT) { 7429 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 7430 if (err < 0) 7431 goto err_parse_key_end; 7432 } 7433 7434 if (num_exprs) { 7435 for (i = 0; i < num_exprs; i++) 7436 size += expr_array[i]->ops->size; 7437 7438 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS, 7439 sizeof(struct nft_set_elem_expr) + size); 7440 if (err < 0) 7441 goto err_parse_key_end; 7442 } 7443 7444 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 7445 obj = nft_obj_lookup(ctx->net, ctx->table, 7446 nla[NFTA_SET_ELEM_OBJREF], 7447 set->objtype, genmask); 7448 if (IS_ERR(obj)) { 7449 err = PTR_ERR(obj); 7450 obj = NULL; 7451 goto err_parse_key_end; 7452 } 7453 7454 if (!nft_use_inc(&obj->use)) { 7455 err = -EMFILE; 7456 obj = NULL; 7457 goto err_parse_key_end; 7458 } 7459 7460 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 7461 if (err < 0) 7462 goto err_parse_key_end; 7463 } 7464 7465 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 7466 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 7467 nla[NFTA_SET_ELEM_DATA]); 7468 if (err < 0) 7469 goto err_parse_key_end; 7470 7471 dreg = nft_type_to_reg(set->dtype); 7472 list_for_each_entry(binding, 
&set->bindings, list) { 7473 struct nft_ctx bind_ctx = { 7474 .net = ctx->net, 7475 .family = ctx->family, 7476 .table = ctx->table, 7477 .chain = (struct nft_chain *)binding->chain, 7478 }; 7479 7480 if (!(binding->flags & NFT_SET_MAP)) 7481 continue; 7482 7483 err = nft_validate_register_store(&bind_ctx, dreg, 7484 &elem.data.val, 7485 desc.type, desc.len); 7486 if (err < 0) 7487 goto err_parse_data; 7488 7489 if (desc.type == NFT_DATA_VERDICT && 7490 (elem.data.val.verdict.code == NFT_GOTO || 7491 elem.data.val.verdict.code == NFT_JUMP)) 7492 nft_validate_state_update(ctx->table, 7493 NFT_VALIDATE_NEED); 7494 } 7495 7496 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 7497 if (err < 0) 7498 goto err_parse_data; 7499 } 7500 7501 /* The full maximum length of userdata can exceed the maximum 7502 * offset value (U8_MAX) for following extensions, therefor it 7503 * must be the last extension added. 7504 */ 7505 ulen = 0; 7506 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 7507 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 7508 if (ulen > 0) { 7509 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 7510 ulen); 7511 if (err < 0) 7512 goto err_parse_data; 7513 } 7514 } 7515 7516 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 7517 elem.key_end.val.data, elem.data.val.data, 7518 timeout, expiration, GFP_KERNEL_ACCOUNT); 7519 if (IS_ERR(elem.priv)) { 7520 err = PTR_ERR(elem.priv); 7521 goto err_parse_data; 7522 } 7523 7524 ext = nft_set_elem_ext(set, elem.priv); 7525 if (flags) 7526 *nft_set_ext_flags(ext) = flags; 7527 7528 if (obj) 7529 *nft_set_ext_obj(ext) = obj; 7530 7531 if (ulen > 0) { 7532 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) { 7533 err = -EINVAL; 7534 goto err_elem_free; 7535 } 7536 udata = nft_set_ext_userdata(ext); 7537 udata->len = ulen - 1; 7538 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 7539 } 7540 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs); 7541 if (err < 
0) 7542 goto err_elem_free; 7543 7544 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 7545 unsigned int max = nft_set_maxsize(set), nelems; 7546 7547 nelems = atomic_inc_return(&set->nelems); 7548 if (nelems > max) 7549 set_full = true; 7550 } 7551 7552 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 7553 if (trans == NULL) { 7554 err = -ENOMEM; 7555 goto err_set_size; 7556 } 7557 7558 ext->genmask = nft_genmask_cur(ctx->net); 7559 7560 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags); 7561 if (err) { 7562 if (err == -EEXIST) { 7563 ext2 = nft_set_elem_ext(set, elem_priv); 7564 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 7565 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 7566 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 7567 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) 7568 goto err_element_clash; 7569 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 7570 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 7571 memcmp(nft_set_ext_data(ext), 7572 nft_set_ext_data(ext2), set->dlen) != 0) || 7573 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 7574 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 7575 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 7576 goto err_element_clash; 7577 else if (!(nlmsg_flags & NLM_F_EXCL)) { 7578 err = 0; 7579 if (nft_set_ext_exists(ext2, NFT_SET_EXT_TIMEOUT)) { 7580 struct nft_elem_update update = { }; 7581 7582 if (timeout != nft_set_ext_timeout(ext2)->timeout) { 7583 update.timeout = timeout; 7584 if (expiration == 0) 7585 expiration = timeout; 7586 7587 update.flags |= NFT_TRANS_UPD_TIMEOUT; 7588 } 7589 if (expiration) { 7590 update.expiration = expiration; 7591 update.flags |= NFT_TRANS_UPD_EXPIRATION; 7592 } 7593 7594 if (update.flags) { 7595 struct nft_trans_one_elem *ue; 7596 7597 ue = &nft_trans_container_elem(trans)->elems[0]; 7598 7599 ue->update = kmemdup(&update, sizeof(update), GFP_KERNEL); 7600 if (!ue->update) { 7601 err = -ENOMEM; 7602 goto err_element_clash; 7603 } 7604 7605 ue->priv = elem_priv; 
7606 nft_trans_commit_list_add_elem(ctx->net, trans); 7607 goto err_set_size; 7608 } 7609 } 7610 } 7611 } else if (err == -ENOTEMPTY) { 7612 /* ENOTEMPTY reports overlapping between this element 7613 * and an existing one. 7614 */ 7615 err = -EEXIST; 7616 } else if (err == -ECANCELED) { 7617 /* ECANCELED reports an existing nul-element in 7618 * interval sets. 7619 */ 7620 err = 0; 7621 } 7622 goto err_element_clash; 7623 } 7624 7625 nft_trans_container_elem(trans)->elems[0].priv = elem.priv; 7626 nft_trans_commit_list_add_elem(ctx->net, trans); 7627 7628 return set_full ? -ENFILE : 0; 7629 7630 err_element_clash: 7631 kfree(trans); 7632 err_set_size: 7633 if (!(flags & NFT_SET_ELEM_CATCHALL)) 7634 atomic_dec(&set->nelems); 7635 err_elem_free: 7636 nf_tables_set_elem_destroy(ctx, set, elem.priv); 7637 err_parse_data: 7638 if (nla[NFTA_SET_ELEM_DATA] != NULL) 7639 nft_data_release(&elem.data.val, desc.type); 7640 err_parse_key_end: 7641 if (obj) 7642 nft_use_dec_restore(&obj->use); 7643 7644 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 7645 err_parse_key: 7646 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 7647 err_set_elem_expr: 7648 for (i = 0; i < num_exprs && expr_array[i]; i++) 7649 nft_expr_destroy(ctx, expr_array[i]); 7650 err_set_elem_expr_clone: 7651 return err; 7652 } 7653 7654 static int nf_tables_newsetelem(struct sk_buff *skb, 7655 const struct nfnl_info *info, 7656 const struct nlattr * const nla[]) 7657 { 7658 struct netlink_ext_ack *extack = info->extack; 7659 u8 genmask = nft_genmask_next(info->net); 7660 u8 family = info->nfmsg->nfgen_family; 7661 struct net *net = info->net; 7662 const struct nlattr *attr; 7663 struct nft_table *table; 7664 struct nft_set *set; 7665 struct nft_ctx ctx; 7666 int rem, err; 7667 7668 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 7669 return -EINVAL; 7670 7671 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 7672 genmask, NETLINK_CB(skb).portid); 7673 if (IS_ERR(table)) { 7674 
NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 7675 return PTR_ERR(table); 7676 } 7677 7678 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET], 7679 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 7680 if (IS_ERR(set)) { 7681 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); 7682 return PTR_ERR(set); 7683 } 7684 7685 if (!list_empty(&set->bindings) && 7686 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) 7687 return -EBUSY; 7688 7689 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7690 7691 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 7692 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags); 7693 if (err < 0) { 7694 NL_SET_BAD_ATTR(extack, attr); 7695 return err; 7696 } 7697 } 7698 7699 if (table->validate_state == NFT_VALIDATE_DO) 7700 return nft_table_validate(net, table); 7701 7702 return 0; 7703 } 7704 7705 /** 7706 * nft_data_hold - hold a nft_data item 7707 * 7708 * @data: struct nft_data to release 7709 * @type: type of data 7710 * 7711 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 7712 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 7713 * NFT_GOTO verdicts. This function must be called on active data objects 7714 * from the second phase of the commit protocol. 
7715 */ 7716 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 7717 { 7718 struct nft_chain *chain; 7719 7720 if (type == NFT_DATA_VERDICT) { 7721 switch (data->verdict.code) { 7722 case NFT_JUMP: 7723 case NFT_GOTO: 7724 chain = data->verdict.chain; 7725 nft_use_inc_restore(&chain->use); 7726 break; 7727 } 7728 } 7729 } 7730 7731 static int nft_setelem_active_next(const struct net *net, 7732 const struct nft_set *set, 7733 struct nft_elem_priv *elem_priv) 7734 { 7735 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7736 u8 genmask = nft_genmask_next(net); 7737 7738 return nft_set_elem_active(ext, genmask); 7739 } 7740 7741 static void nft_setelem_data_activate(const struct net *net, 7742 const struct nft_set *set, 7743 struct nft_elem_priv *elem_priv) 7744 { 7745 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7746 7747 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 7748 nft_data_hold(nft_set_ext_data(ext), set->dtype); 7749 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 7750 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use); 7751 } 7752 7753 void nft_setelem_data_deactivate(const struct net *net, 7754 const struct nft_set *set, 7755 struct nft_elem_priv *elem_priv) 7756 { 7757 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7758 7759 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 7760 nft_data_release(nft_set_ext_data(ext), set->dtype); 7761 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 7762 nft_use_dec(&(*nft_set_ext_obj(ext))->use); 7763 } 7764 7765 /* similar to nft_trans_elems_remove, but called from abort path to undo newsetelem. 7766 * No notifications and no ndeact changes. 7767 * 7768 * Returns true if set had been added to (i.e., elements need to be removed again). 
7769 */ 7770 static bool nft_trans_elems_new_abort(const struct nft_ctx *ctx, 7771 struct nft_trans_elem *te) 7772 { 7773 bool removed = false; 7774 int i; 7775 7776 for (i = 0; i < te->nelems; i++) { 7777 if (te->elems[i].update) { 7778 kfree(te->elems[i].update); 7779 te->elems[i].update = NULL; 7780 /* Update request, so do not release this element */ 7781 te->elems[i].priv = NULL; 7782 continue; 7783 } 7784 7785 if (!te->set->ops->abort_skip_removal || 7786 nft_setelem_is_catchall(te->set, te->elems[i].priv)) 7787 nft_setelem_remove(ctx->net, te->set, te->elems[i].priv); 7788 7789 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv)) 7790 atomic_dec(&te->set->nelems); 7791 7792 removed = true; 7793 } 7794 7795 return removed; 7796 } 7797 7798 /* Called from abort path to undo DELSETELEM/DESTROYSETELEM. */ 7799 static void nft_trans_elems_destroy_abort(const struct nft_ctx *ctx, 7800 const struct nft_trans_elem *te) 7801 { 7802 int i; 7803 7804 for (i = 0; i < te->nelems; i++) { 7805 if (!nft_setelem_active_next(ctx->net, te->set, te->elems[i].priv)) { 7806 nft_setelem_data_activate(ctx->net, te->set, te->elems[i].priv); 7807 nft_setelem_activate(ctx->net, te->set, te->elems[i].priv); 7808 } 7809 7810 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv)) 7811 te->set->ndeact--; 7812 } 7813 } 7814 7815 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 7816 const struct nlattr *attr) 7817 { 7818 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 7819 struct nft_set_ext_tmpl tmpl; 7820 struct nft_set_elem elem; 7821 struct nft_set_ext *ext; 7822 struct nft_trans *trans; 7823 u32 flags = 0; 7824 int err; 7825 7826 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 7827 nft_set_elem_policy, NULL); 7828 if (err < 0) 7829 return err; 7830 7831 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 7832 if (err < 0) 7833 return err; 7834 7835 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 7836 return 
-EINVAL; 7837 7838 if (!nft_setelem_valid_key_end(set, nla, flags)) 7839 return -EINVAL; 7840 7841 nft_set_ext_prepare(&tmpl); 7842 7843 if (flags != 0) { 7844 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 7845 if (err < 0) 7846 return err; 7847 } 7848 7849 if (nla[NFTA_SET_ELEM_KEY]) { 7850 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 7851 nla[NFTA_SET_ELEM_KEY]); 7852 if (err < 0) 7853 return err; 7854 7855 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 7856 if (err < 0) 7857 goto fail_elem; 7858 } 7859 7860 if (nla[NFTA_SET_ELEM_KEY_END]) { 7861 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 7862 nla[NFTA_SET_ELEM_KEY_END]); 7863 if (err < 0) 7864 goto fail_elem; 7865 7866 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 7867 if (err < 0) 7868 goto fail_elem_key_end; 7869 } 7870 7871 err = -ENOMEM; 7872 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 7873 elem.key_end.val.data, NULL, 0, 0, 7874 GFP_KERNEL_ACCOUNT); 7875 if (IS_ERR(elem.priv)) { 7876 err = PTR_ERR(elem.priv); 7877 goto fail_elem_key_end; 7878 } 7879 7880 ext = nft_set_elem_ext(set, elem.priv); 7881 if (flags) 7882 *nft_set_ext_flags(ext) = flags; 7883 7884 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 7885 if (trans == NULL) 7886 goto fail_trans; 7887 7888 err = nft_setelem_deactivate(ctx->net, set, &elem, flags); 7889 if (err < 0) 7890 goto fail_ops; 7891 7892 nft_setelem_data_deactivate(ctx->net, set, elem.priv); 7893 7894 nft_trans_container_elem(trans)->elems[0].priv = elem.priv; 7895 nft_trans_commit_list_add_elem(ctx->net, trans); 7896 return 0; 7897 7898 fail_ops: 7899 kfree(trans); 7900 fail_trans: 7901 kfree(elem.priv); 7902 fail_elem_key_end: 7903 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 7904 fail_elem: 7905 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 7906 return err; 7907 } 7908 7909 static int nft_setelem_flush(const struct nft_ctx *ctx, 7910 struct nft_set *set, 7911 const struct 
nft_set_iter *iter, 7912 struct nft_elem_priv *elem_priv) 7913 { 7914 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); 7915 struct nft_trans *trans; 7916 7917 if (!nft_set_elem_active(ext, iter->genmask)) 7918 return 0; 7919 7920 trans = nft_trans_alloc(ctx, NFT_MSG_DELSETELEM, 7921 struct_size_t(struct nft_trans_elem, elems, 1)); 7922 if (!trans) 7923 return -ENOMEM; 7924 7925 set->ops->flush(ctx->net, set, elem_priv); 7926 set->ndeact++; 7927 7928 nft_setelem_data_deactivate(ctx->net, set, elem_priv); 7929 nft_trans_elem_set(trans) = set; 7930 nft_trans_container_elem(trans)->nelems = 1; 7931 nft_trans_container_elem(trans)->elems[0].priv = elem_priv; 7932 nft_trans_commit_list_add_elem(ctx->net, trans); 7933 7934 return 0; 7935 } 7936 7937 static int __nft_set_catchall_flush(const struct nft_ctx *ctx, 7938 struct nft_set *set, 7939 struct nft_elem_priv *elem_priv) 7940 { 7941 struct nft_trans *trans; 7942 7943 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 7944 if (!trans) 7945 return -ENOMEM; 7946 7947 nft_setelem_data_deactivate(ctx->net, set, elem_priv); 7948 nft_trans_container_elem(trans)->elems[0].priv = elem_priv; 7949 nft_trans_commit_list_add_elem(ctx->net, trans); 7950 7951 return 0; 7952 } 7953 7954 static int nft_set_catchall_flush(const struct nft_ctx *ctx, 7955 struct nft_set *set) 7956 { 7957 u8 genmask = nft_genmask_next(ctx->net); 7958 struct nft_set_elem_catchall *catchall; 7959 struct nft_set_ext *ext; 7960 int ret = 0; 7961 7962 list_for_each_entry_rcu(catchall, &set->catchall_list, list, 7963 lockdep_commit_lock_is_held(ctx->net)) { 7964 ext = nft_set_elem_ext(set, catchall->elem); 7965 if (!nft_set_elem_active(ext, genmask)) 7966 continue; 7967 7968 ret = __nft_set_catchall_flush(ctx, set, catchall->elem); 7969 if (ret < 0) 7970 break; 7971 nft_set_elem_change_active(ctx->net, set, ext); 7972 } 7973 7974 return ret; 7975 } 7976 7977 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask) 
7978 { 7979 /* The set backend might need to clone the set, do it now from the 7980 * preparation phase, use NFT_ITER_UPDATE_CLONE iterator type. 7981 */ 7982 struct nft_set_iter iter = { 7983 .genmask = genmask, 7984 .type = NFT_ITER_UPDATE_CLONE, 7985 .fn = nft_setelem_flush, 7986 }; 7987 7988 set->ops->walk(ctx, set, &iter); 7989 if (!iter.err) 7990 iter.err = nft_set_catchall_flush(ctx, set); 7991 7992 return iter.err; 7993 } 7994 7995 static int nf_tables_delsetelem(struct sk_buff *skb, 7996 const struct nfnl_info *info, 7997 const struct nlattr * const nla[]) 7998 { 7999 struct netlink_ext_ack *extack = info->extack; 8000 u8 genmask = nft_genmask_next(info->net); 8001 u8 family = info->nfmsg->nfgen_family; 8002 struct net *net = info->net; 8003 const struct nlattr *attr; 8004 struct nft_table *table; 8005 struct nft_set *set; 8006 struct nft_ctx ctx; 8007 int rem, err = 0; 8008 8009 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 8010 genmask, NETLINK_CB(skb).portid); 8011 if (IS_ERR(table)) { 8012 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 8013 return PTR_ERR(table); 8014 } 8015 8016 set = nft_set_lookup(net, table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 8017 if (IS_ERR(set)) { 8018 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); 8019 return PTR_ERR(set); 8020 } 8021 8022 if (nft_set_is_anonymous(set)) 8023 return -EOPNOTSUPP; 8024 8025 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT)) 8026 return -EBUSY; 8027 8028 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 8029 8030 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 8031 return nft_set_flush(&ctx, set, genmask); 8032 8033 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 8034 err = nft_del_setelem(&ctx, set, attr); 8035 if (err == -ENOENT && 8036 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM) 8037 continue; 8038 8039 if (err < 0) { 8040 NL_SET_BAD_ATTR(extack, attr); 8041 return err; 8042 } 8043 } 8044 
8045 return 0; 8046 } 8047 8048 /* 8049 * Stateful objects 8050 */ 8051 8052 /** 8053 * nft_register_obj- register nf_tables stateful object type 8054 * @obj_type: object type 8055 * 8056 * Registers the object type for use with nf_tables. Returns zero on 8057 * success or a negative errno code otherwise. 8058 */ 8059 int nft_register_obj(struct nft_object_type *obj_type) 8060 { 8061 if (obj_type->type == NFT_OBJECT_UNSPEC) 8062 return -EINVAL; 8063 8064 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8065 list_add_rcu(&obj_type->list, &nf_tables_objects); 8066 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8067 return 0; 8068 } 8069 EXPORT_SYMBOL_GPL(nft_register_obj); 8070 8071 /** 8072 * nft_unregister_obj - unregister nf_tables object type 8073 * @obj_type: object type 8074 * 8075 * Unregisters the object type for use with nf_tables. 8076 */ 8077 void nft_unregister_obj(struct nft_object_type *obj_type) 8078 { 8079 nfnl_lock(NFNL_SUBSYS_NFTABLES); 8080 list_del_rcu(&obj_type->list); 8081 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 8082 } 8083 EXPORT_SYMBOL_GPL(nft_unregister_obj); 8084 8085 struct nft_object *nft_obj_lookup(const struct net *net, 8086 const struct nft_table *table, 8087 const struct nlattr *nla, u32 objtype, 8088 u8 genmask) 8089 { 8090 struct nft_object_hash_key k = { .table = table }; 8091 char search[NFT_OBJ_MAXNAMELEN]; 8092 struct rhlist_head *tmp, *list; 8093 struct nft_object *obj; 8094 8095 nla_strscpy(search, nla, sizeof(search)); 8096 k.name = search; 8097 8098 WARN_ON_ONCE(!rcu_read_lock_held() && 8099 !lockdep_commit_lock_is_held(net)); 8100 8101 rcu_read_lock(); 8102 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 8103 if (!list) 8104 goto out; 8105 8106 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 8107 if (objtype == obj->ops->type->type && 8108 nft_active_genmask(obj, genmask)) { 8109 rcu_read_unlock(); 8110 return obj; 8111 } 8112 } 8113 out: 8114 rcu_read_unlock(); 8115 return ERR_PTR(-ENOENT); 8116 } 8117 8118 static struct nft_object 
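*nft_obj_lookup_byhandle(const struct nft_table *table,
			 const struct nlattr *nla,
			 u32 objtype, u8 genmask)
{
	struct nft_object *obj;

	list_for_each_entry(obj, &table->objects, list) {
		if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
		    objtype == obj->ops->type->type &&
		    nft_active_genmask(obj, genmask))
			return obj;
	}
	return ERR_PTR(-ENOENT);
}

/* Netlink attribute policy for the NFTA_OBJ_* attributes of object messages. */
static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
	[NFTA_OBJ_TABLE]	= { .type = NLA_STRING,
				    .len = NFT_TABLE_MAXNAMELEN - 1 },
	[NFTA_OBJ_NAME]		= { .type = NLA_STRING,
				    .len = NFT_OBJ_MAXNAMELEN - 1 },
	[NFTA_OBJ_TYPE]		= { .type = NLA_U32 },
	[NFTA_OBJ_DATA]		= { .type = NLA_NESTED },
	[NFTA_OBJ_HANDLE]	= { .type = NLA_U64},
	[NFTA_OBJ_USERDATA]	= { .type = NLA_BINARY,
				    .len = NFT_USERDATA_MAXLEN },
};

/*
 * Allocate and initialise a stateful object of @type from the nested
 * attribute @attr (the NFTA_OBJ_DATA payload). @attr may be NULL, in which
 * case the per-type attribute table is zeroed and ops->init() runs with no
 * attributes.
 *
 * Returns the new object with obj->ops set, or an ERR_PTR(). The object is
 * allocated with ops->size bytes of type-private data appended. On error
 * nothing is leaked: the object is only kept once ops->init() succeeds.
 */
static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
				       const struct nft_object_type *type,
				       const struct nlattr *attr)
{
	struct nlattr **tb;
	const struct nft_object_ops *ops;
	struct nft_object *obj;
	int err = -ENOMEM;

	/* Attribute table sized by the type's own maxattr, not a fixed max. */
	tb = kmalloc_objs(*tb, type->maxattr + 1);
	if (!tb)
		goto err1;

	if (attr) {
		err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
						  type->policy, NULL);
		if (err < 0)
			goto err2;
	} else {
		memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
	}

	/* Types that choose their ops per message see the parsed attributes
	 * before any allocation happens.
	 */
	if (type->select_ops) {
		ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
		if (IS_ERR(ops)) {
			err = PTR_ERR(ops);
			goto err2;
		}
	} else {
		ops = type->ops;
	}

	err = -ENOMEM;
	obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
	if (!obj)
		goto err2;

	err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
	if (err < 0)
		goto err3;

	/* Only published once init succeeded; err3 frees a half-built obj. */
	obj->ops = ops;

	kfree(tb);
	return obj;
err3:
	kfree(obj);
err2:
	kfree(tb);
err1:
	return ERR_PTR(err);
}

/*
 * Emit the type-specific state of @obj as nested attribute @attr via
 * obj->ops->dump(); @reset is passed through to the type. Returns 0 on
 * success, -1 if the nest could not be started or the type dump failed.
 */
static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
			   struct nft_object *obj, bool reset)
{
	struct nlattr *nest;

	nest = nla_nest_start_noflag(skb, attr);
	if (!nest)
		goto nla_put_failure;
	if (obj->ops->dump(skb, obj, reset) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest);
	return 0;

nla_put_failure:
	return -1;
}

/*
 * Find the registered object type with number @objtype usable for @family.
 * Types registered with NFPROTO_UNSPEC match any family. Walks the list
 * under RCU, so the caller must be inside rcu_read_lock() (see
 * nft_obj_type_get()). Returns NULL if no type matches.
 */
static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
{
	const struct nft_object_type *type;

	list_for_each_entry_rcu(type, &nf_tables_objects, list) {
		if (type->family != NFPROTO_UNSPEC &&
		    type->family != family)
			continue;

		if (objtype == type->type)
			return type;
	}
	return NULL;
}

/*
 * Look up an object type and take a reference on its owning module.
 *
 * Returns the type with a module reference held (caller must module_put()
 * type->owner when done), or an ERR_PTR():
 *  -EAGAIN if the type is unknown and a module load for "nft-obj-<objtype>"
 *          was requested, so the caller can retry;
 *  -ENOENT otherwise (unknown type without autoload, or the type's module
 *          is going away so try_module_get() failed).
 */
static const struct nft_object_type *
nft_obj_type_get(struct net *net, u32 objtype, u8 family)
{
	const struct nft_object_type *type;

	rcu_read_lock();
	type = __nft_obj_type_get(objtype, family);
	if (type != NULL && try_module_get(type->owner)) {
		rcu_read_unlock();
		return type;
	}
	rcu_read_unlock();

	/* Module loading may sleep and must not happen under the nft mutex. */
	lockdep_nfnl_nft_mutex_not_held();
#ifdef CONFIG_MODULES
	if (type == NULL) {
		if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
			return ERR_PTR(-EAGAIN);
	}
#endif
	return ERR_PTR(-ENOENT);
}

/*
 * Queue an update of existing object @obj: a replacement object is built
 * from @attr and attached to a NFT_MSG_NEWOBJ transaction marked as an
 * update.
 *
 * The caller passes ownership of its type->owner reference in: on success
 * it travels with the transaction, on failure it is dropped here.
 * Returns 0 or a negative errno.
 */
static int nf_tables_updobj(const struct nft_ctx *ctx,
			    const struct nft_object_type *type,
			    const struct nlattr *attr,
			    struct nft_object *obj)
{
	struct nft_object *newobj;
	struct nft_trans *trans;
	int err = -ENOMEM;

	/* caller must have obtained type->owner reference. */
	trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
				sizeof(struct nft_trans_obj));
	if (!trans)
		goto err_trans;

	newobj = nft_obj_init(ctx, type, attr);
	if (IS_ERR(newobj)) {
		err = PTR_ERR(newobj);
		goto err_free_trans;
	}

	nft_trans_obj(trans) = obj;
	nft_trans_obj_update(trans) = true;
	nft_trans_obj_newobj(trans) = newobj;
	nft_trans_commit_list_add_tail(ctx->net, trans);

	return 0;

err_free_trans:
	kfree(trans);
err_trans:
	module_put(type->owner);
	return err;
}

/*
 * NFT_MSG_NEWOBJ handler: create a stateful object, or update an existing
 * one of the same name and type.
 *
 * An existing object is an error with NLM_F_EXCL (-EEXIST); NLM_F_REPLACE
 * is not supported (-EOPNOTSUPP); if the type has no ->update op the
 * request is accepted as a no-op. A newly created object is added to the
 * transaction log and the name hashtable before being linked into the
 * table, so on the rhltable_insert() failure path the object stays owned
 * by the transaction (err_obj_ht) and is not freed here.
 *
 * Returns 0 or a negative errno; -EMFILE if the table's use count is
 * exhausted.
 */
static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
			    const struct nlattr * const nla[])
{
	struct netlink_ext_ack *extack = info->extack;
	u8 genmask = nft_genmask_next(info->net);
	u8 family = info->nfmsg->nfgen_family;
	const struct nft_object_type *type;
	struct net *net = info->net;
	struct nft_table *table;
	struct nft_object *obj;
	struct nft_ctx ctx;
	u32 objtype;
	int err;

	if (!nla[NFTA_OBJ_TYPE] ||
	    !nla[NFTA_OBJ_NAME] ||
	    !nla[NFTA_OBJ_DATA])
		return -EINVAL;

	table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
				 NETLINK_CB(skb).portid);
	if (IS_ERR(table)) {
		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
		return PTR_ERR(table);
	}

	objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
	obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
	if (IS_ERR(obj)) {
		err = PTR_ERR(obj);
		/* -ENOENT is the normal "create" case; anything else is fatal. */
		if (err != -ENOENT) {
			NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
			return err;
		}
	} else {
		if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
			NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
			return -EEXIST;
		}
		if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
			return -EOPNOTSUPP;

		if (!obj->ops->update)
			return 0;

		/* The object exists, so its type is loaded; a lookup failure
		 * here is unexpected (hence the debug warning).
		 */
		type = nft_obj_type_get(net, objtype, family);
		if (IS_ERR(type)) {
			DEBUG_NET_WARN_ON_ONCE(1);
			return PTR_ERR(type);
		}

		nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);

		/* type->owner reference is put when transaction object is released. */
		return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
	}

	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);

	if (!nft_use_inc(&table->use))
		return -EMFILE;

	type = nft_obj_type_get(net, objtype, family);
	if (IS_ERR(type)) {
		err = PTR_ERR(type);
		goto err_type;
	}

	obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
	if (IS_ERR(obj)) {
		err = PTR_ERR(obj);
		goto err_init;
	}
	obj->key.table = table;
	obj->handle = nf_tables_alloc_handle(table);

	obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
	if (!obj->key.name) {
		err = -ENOMEM;
		goto err_strdup;
	}

	if (nla[NFTA_OBJ_USERDATA]) {
		obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
		if (obj->udata == NULL) {
			/* err still holds the -ENOENT left by nft_obj_lookup();
			 * report the allocation failure instead.
			 */
			err = -ENOMEM;
			goto err_userdata;
		}

		obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
	}

	err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
	if (err < 0)
		goto err_trans;

	err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
			      nft_objname_ht_params);
	if (err < 0)
		goto err_obj_ht;

	list_add_tail_rcu(&obj->list, &table->objects);

	return 0;
err_obj_ht:
	/* queued in transaction log */
	INIT_LIST_HEAD(&obj->list);
	return err;
err_trans:
	kfree(obj->udata);
err_userdata:
	kfree(obj->key.name);
err_strdup:
	if (obj->ops->destroy)
		obj->ops->destroy(&ctx, obj);
	kfree(obj);
err_init:
	module_put(type->owner);
err_type:
	nft_use_dec_restore(&table->use);

	return err;
}

/*
 * Build one netlink message describing @obj into @skb.
 *
 * Every event carries table, name, type and handle. Delete/destroy events
 * stop there; other events also carry the use count, the type-specific
 * state (via nft_object_dump(), honouring @reset) and any user data.
 * Returns 0 on success, -1 on failure with the partial message trimmed.
 */
static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
				   u32 portid, u32 seq, int event, u32 flags,
				   int family, const struct nft_table *table,
				   struct nft_object *obj, bool reset)
{
	struct nlmsghdr *nlh;

	nlh = nfnl_msg_put(skb, portid, seq,
			   nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
			   flags, family, NFNETLINK_V0, nft_base_seq_be16(net));
	if (!nlh)
		goto nla_put_failure;

	if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
	    nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
	    nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
	    nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
			 NFTA_OBJ_PAD))
		goto nla_put_failure;

	if (event == NFT_MSG_DELOBJ ||
	    event == NFT_MSG_DESTROYOBJ) {
		nlmsg_end(skb, nlh);
		return 0;
	}

	if (nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
	    nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
		goto nla_put_failure;

	if (obj->udata &&
	    nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return 0;

nla_put_failure:
	nlmsg_trim(skb, nlh);
	return -1;
}

/*
 * Audit-log a reset of @nentries objects in @table, tagged with the
 * generation @base_seq. Note that audit_log_nfcfg() is called even if
 * kasprintf() returned NULL (same pattern as nft_obj_notify() below).
 */
static void audit_log_obj_reset(const struct nft_table *table,
				unsigned int base_seq, unsigned int nentries)
{
	char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);

	audit_log_nfcfg(buf, table->family, nentries,
			AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
	kfree(buf);
}

/* Per-dump state, overlaid on netlink_callback::ctx (size-checked in
 * nf_tables_dump_obj_start()).
 */
struct nft_obj_dump_ctx {
	unsigned int	s_idx;	/* index to resume from on the next dump call */
	char		*table;	/* optional table-name filter; freed in _done() */
	u32		type;	/* object type filter, NFT_OBJECT_UNSPEC = any */
	bool		reset;	/* NFT_MSG_GETOBJ_RESET: reset state while dumping */
};

/*
 * Netlink dump callback for objects. Walks all tables (filtered by family,
 * table name and type) under RCU and emits one message per active object.
 *
 * @idx counts every object visited, including filtered and inactive ones,
 * and is saved as ctx->s_idx so the next call resumes where this one
 * stopped. When the skb fills up the loop breaks before "idx++", so the
 * object that did not fit is retried. With @reset set, the number of
 * objects reset per table is audit-logged.
 */
static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
{
	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
	struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
	struct net *net = sock_net(skb->sk);
	int family = nfmsg->nfgen_family;
	struct nftables_pernet *nft_net;
	const struct nft_table *table;
	unsigned int entries = 0;
	struct nft_object *obj;
	unsigned int idx = 0;
	int rc = 0;

	rcu_read_lock();
	nft_net = nft_pernet(net);
	cb->seq = nft_base_seq(net);

	list_for_each_entry_rcu(table, &nft_net->tables, list) {
		if (family != NFPROTO_UNSPEC && family != table->family)
			continue;

		entries = 0;
		list_for_each_entry_rcu(obj, &table->objects, list) {
			if (!nft_is_active(net, obj))
				goto cont;
			if (idx < ctx->s_idx)
				goto cont;
			if (ctx->table && strcmp(ctx->table, table->name))
				goto cont;
			if (ctx->type != NFT_OBJECT_UNSPEC &&
			    obj->ops->type->type != ctx->type)
				goto cont;

			rc = nf_tables_fill_obj_info(skb, net,
						     NETLINK_CB(cb->skb).portid,
						     cb->nlh->nlmsg_seq,
						     NFT_MSG_NEWOBJ,
						     NLM_F_MULTI | NLM_F_APPEND,
						     table->family, table,
						     obj, ctx->reset);
			if (rc < 0)
				break;

			entries++;
			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
cont:
			idx++;
		}
		/* Log the objects reset so far even if the skb is full. */
		if (ctx->reset && entries)
			audit_log_obj_reset(table, nft_base_seq(net), entries);
		if (rc < 0)
			break;
	}
	rcu_read_unlock();

	ctx->s_idx = idx;
	return skb->len;
}

/*
 * Dump start callback: initialise the nft_obj_dump_ctx from the request
 * attributes (table filter, type filter, reset flag). Returns -ENOMEM if
 * the table-name filter could not be copied.
 */
static int nf_tables_dump_obj_start(struct netlink_callback *cb)
{
	struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
	const struct nlattr * const *nla = cb->data;

	/* The context must fit in the netlink callback's scratch area. */
	BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));

	if (nla[NFTA_OBJ_TABLE]) {
		ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
		if (!ctx->table)
			return -ENOMEM;
	}

	if (nla[NFTA_OBJ_TYPE])
		ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));

	if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
		ctx->reset = true;

	return 0;
}

/* Dump done callback: release the table-name filter taken in _start(). */
static int nf_tables_dump_obj_done(struct netlink_callback *cb)
{
	struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;

	kfree(ctx->table);

	return 0;
}

/* Caller must hold rcu read lock or transaction mutex */
/*
 * Build a reply skb describing the single object named by @nla, for the
 * non-dump NFT_MSG_GETOBJ{,_RESET} path. Note the table lookup passes
 * portid 0 here, unlike the new/del handlers which pass the sender's.
 * Returns the skb (owned by the caller) or an ERR_PTR().
 */
static struct sk_buff *
nf_tables_getobj_single(u32 portid, const struct nfnl_info *info,
			const struct nlattr * const nla[], bool reset)
{
	struct netlink_ext_ack *extack = info->extack;
	u8 genmask = nft_genmask_cur(info->net);
	u8 family = info->nfmsg->nfgen_family;
	const struct nft_table *table;
	struct net *net = info->net;
	struct nft_object *obj;
	struct sk_buff *skb2;
	u32 objtype;
	int err;

	if (!nla[NFTA_OBJ_NAME] ||
	    !nla[NFTA_OBJ_TYPE])
		return ERR_PTR(-EINVAL);

	table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
	if (IS_ERR(table)) {
		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
		return ERR_CAST(table);
	}

	objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
	obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
	if (IS_ERR(obj)) {
		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
		return ERR_CAST(obj);
	}

	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
	if (!skb2)
		return ERR_PTR(-ENOMEM);

	err = nf_tables_fill_obj_info(skb2, net, portid,
				      info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
				      family, table, obj, reset);
	if (err < 0) {
		kfree_skb(skb2);
		return ERR_PTR(err);
	}

	return skb2;
}

/*
 * NFT_MSG_GETOBJ / NFT_MSG_GETOBJ_RESET handler. With NLM_F_DUMP the
 * request is turned into a netlink dump; otherwise a single object is
 * looked up and unicast back. A reset of a single object is audit-logged
 * (entries = 1) using the table name from the request attribute.
 * Returns 0 or a negative errno.
 */
static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
			    const struct nlattr * const nla[])
{
	u32 portid = NETLINK_CB(skb).portid;
	struct net *net = info->net;
	struct sk_buff *skb2;
	bool reset = false;
	char *buf;

	if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.start = nf_tables_dump_obj_start,
			.dump = nf_tables_dump_obj,
			.done = nf_tables_dump_obj_done,
			.module = THIS_MODULE,
			.data = (void *)nla,
		};

		return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
	}

	if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
		reset = true;

	skb2 = nf_tables_getobj_single(portid, info, nla, reset);
	if (IS_ERR(skb2))
		return PTR_ERR(skb2);

	if (!reset)
		return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);

	/* nla[NFTA_OBJ_TABLE] is known non-NULL: the table lookup in
	 * nf_tables_getobj_single() succeeded.
	 */
	buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
			nla_len(nla[NFTA_OBJ_TABLE]),
			(char *)nla_data(nla[NFTA_OBJ_TABLE]),
			nft_base_seq(net));
	audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
			AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
	kfree(buf);

	return nfnetlink_unicast(skb2, net, portid);
}

/*
 * Release an object: run the type's destroy op if any, drop the module
 * reference taken at creation, and free the name, user data and object.
 */
static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
{
	if (obj->ops->destroy)
		obj->ops->destroy(ctx, obj);

	module_put(obj->ops->type->owner);
	kfree(obj->key.name);
	kfree(obj->udata);
	kfree(obj);
}

/*
 * NFT_MSG_DELOBJ / NFT_MSG_DESTROYOBJ handler. The object is selected by
 * handle if NFTA_OBJ_HANDLE is present, else by name. DESTROYOBJ of a
 * non-existent object succeeds silently; DELOBJ reports -ENOENT. An object
 * still referenced by rules (use > 0) cannot be deleted (-EBUSY).
 * Returns 0 or a negative errno.
 */
static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
			    const struct nlattr * const nla[])
{
	struct netlink_ext_ack *extack = info->extack;
	u8 genmask = nft_genmask_next(info->net);
	u8 family = info->nfmsg->nfgen_family;
	struct net *net = info->net;
	const struct nlattr *attr;
	struct nft_table *table;
	struct nft_object *obj;
	struct nft_ctx ctx;
	u32 objtype;

	if (!nla[NFTA_OBJ_TYPE] ||
	    (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
		return -EINVAL;

	table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
				 NETLINK_CB(skb).portid);
	if (IS_ERR(table)) {
		NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
		return PTR_ERR(table);
	}

	objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
	if (nla[NFTA_OBJ_HANDLE]) {
		attr = nla[NFTA_OBJ_HANDLE];
		obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
	} else {
		attr = nla[NFTA_OBJ_NAME];
		obj = nft_obj_lookup(net, table, attr, objtype, genmask);
	}

	if (IS_ERR(obj)) {
		if (PTR_ERR(obj) == -ENOENT &&
		    NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
			return 0;

		NL_SET_BAD_ATTR(extack, attr);
		return PTR_ERR(obj);
	}
	if (obj->use > 0) {
		NL_SET_BAD_ATTR(extack, attr);
		return -EBUSY;
	}

	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);

	return nft_delobj(&ctx, obj);
}

/*
 * Queue a notification about @obj for the NFNLGRP_NFTABLES group. Nothing
 * is sent if no listener exists and the request did not ask for a report.
 * Only NLM_F_CREATE / NLM_F_EXCL survive from @flags. On allocation or
 * fill failure the error is signalled to the group with -ENOBUFS.
 */
static void
__nft_obj_notify(struct net *net, const struct nft_table *table,
		 struct nft_object *obj, u32 portid, u32 seq, int event,
		 u16 flags, int family, int report, gfp_t gfp)
{
	struct nftables_pernet *nft_net = nft_pernet(net);
	struct sk_buff *skb;
	int err;

	if (!report &&
	    !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
		return;

	skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
	if (skb == NULL)
		goto err;

	err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
				      flags & (NLM_F_CREATE | NLM_F_EXCL),
				      family, table, obj, false);
	if (err < 0) {
		kfree_skb(skb);
		goto err;
	}

	nft_notify_enqueue(skb, report, &nft_net->notify_list);
	return;
err:
	nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
}

/*
 * Exported notifier: audit-log the object register/unregister event and
 * then queue the netlink notification. The object handle is passed in the
 * argument slot that audit_log_obj_reset() uses for the entry count.
 */
void nft_obj_notify(struct net *net, const struct nft_table *table,
		    struct nft_object *obj, u32 portid, u32 seq, int event,
		    u16 flags, int family, int report, gfp_t gfp)
{
	char *buf = kasprintf(gfp, "%s:%u",
			      table->name, nft_base_seq(net));

	audit_log_nfcfg(buf,
			family,
			obj->handle,
			event == NFT_MSG_NEWOBJ ?
				AUDIT_NFT_OP_OBJ_REGISTER :
				AUDIT_NFT_OP_OBJ_UNREGISTER,
			gfp);
	kfree(buf);

	__nft_obj_notify(net, table, obj, portid, seq, event,
			 flags, family, report, gfp);
}
EXPORT_SYMBOL_GPL(nft_obj_notify);

/* Internal notifier taking everything from the transaction context;
 * unlike nft_obj_notify() it does not audit-log.
 */
static void nf_tables_obj_notify(const struct nft_ctx *ctx,
				 struct nft_object *obj, int event)
{
	__nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
			 ctx->seq, event, ctx->flags, ctx->family,
			 ctx->report, GFP_KERNEL);
}

/*
 * Flow tables
 */

/* Register a flowtable backend type; serialised by the nfnetlink lock. */
void nft_register_flowtable_type(struct nf_flowtable_type *type)
{
	nfnl_lock(NFNL_SUBSYS_NFTABLES);
	list_add_tail_rcu(&type->list, &nf_tables_flowtables);
	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
}
EXPORT_SYMBOL_GPL(nft_register_flowtable_type);

/* Unregister a flowtable backend type; serialised by the nfnetlink lock. */
void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
{
	nfnl_lock(NFNL_SUBSYS_NFTABLES);
	list_del_rcu(&type->list);
	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
}
EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);

/* Netlink attribute policy for the NFTA_FLOWTABLE_* attributes; FLAGS is
 * restricted to the bits in NFT_FLOWTABLE_MASK at parse time.
 */
static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
	[NFTA_FLOWTABLE_TABLE]		= { .type = NLA_STRING,
					    .len = NFT_NAME_MAXLEN - 1 },
	[NFTA_FLOWTABLE_NAME]		= { .type = NLA_STRING,
					    .len = NFT_NAME_MAXLEN - 1 },
	[NFTA_FLOWTABLE_HOOK]		= { .type = NLA_NESTED },
	[NFTA_FLOWTABLE_HANDLE]		= { .type = NLA_U64 },
	[NFTA_FLOWTABLE_FLAGS]		= NLA_POLICY_MASK(NLA_BE32, NFT_FLOWTABLE_MASK),
};

/*
 * Find the flowtable in @table whose name matches string attribute @nla
 * and which is active in generation @genmask. The list walk is RCU-safe
 * and also accepts the commit lock (lockdep_commit_lock_is_held()).
 * Returns the flowtable or ERR_PTR(-ENOENT).
 */
struct nft_flowtable *nft_flowtable_lookup(const struct net *net,
					   const struct nft_table *table,
					   const struct nlattr *nla, u8 genmask)
{
	struct nft_flowtable *flowtable;

	list_for_each_entry_rcu(flowtable, &table->flowtables, list,
				lockdep_commit_lock_is_held(net)) {
		if (!nla_strcmp(nla, flowtable->name) &&
		    nft_active_genmask(flowtable, genmask))
			return flowtable;
	}
	return ERR_PTR(-ENOENT);
}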
8813 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 8814 8815 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 8816 struct nft_flowtable *flowtable, 8817 enum nft_trans_phase phase) 8818 { 8819 switch (phase) { 8820 case NFT_TRANS_PREPARE_ERROR: 8821 case NFT_TRANS_PREPARE: 8822 case NFT_TRANS_ABORT: 8823 case NFT_TRANS_RELEASE: 8824 nft_use_dec(&flowtable->use); 8825 fallthrough; 8826 default: 8827 return; 8828 } 8829 } 8830 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 8831 8832 static struct nft_flowtable * 8833 nft_flowtable_lookup_byhandle(const struct nft_table *table, 8834 const struct nlattr *nla, u8 genmask) 8835 { 8836 struct nft_flowtable *flowtable; 8837 8838 list_for_each_entry(flowtable, &table->flowtables, list) { 8839 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 8840 nft_active_genmask(flowtable, genmask)) 8841 return flowtable; 8842 } 8843 return ERR_PTR(-ENOENT); 8844 } 8845 8846 struct nft_flowtable_hook { 8847 u32 num; 8848 int priority; 8849 struct list_head list; 8850 }; 8851 8852 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 8853 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 8854 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 8855 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 8856 }; 8857 8858 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 8859 const struct nlattr * const nla[], 8860 struct nft_flowtable_hook *flowtable_hook, 8861 struct nft_flowtable *flowtable, 8862 struct netlink_ext_ack *extack, bool add) 8863 { 8864 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 8865 struct nf_hook_ops *ops; 8866 struct nft_hook *hook; 8867 int hooknum, priority; 8868 int err; 8869 8870 INIT_LIST_HEAD(&flowtable_hook->list); 8871 8872 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, 8873 nla[NFTA_FLOWTABLE_HOOK], 8874 nft_flowtable_hook_policy, NULL); 8875 if (err < 0) 8876 return err; 8877 8878 if (add) { 8879 if 
(!tb[NFTA_FLOWTABLE_HOOK_NUM] || 8880 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 8881 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 8882 return -ENOENT; 8883 } 8884 8885 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 8886 if (hooknum != NF_NETDEV_INGRESS) 8887 return -EOPNOTSUPP; 8888 8889 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 8890 8891 flowtable_hook->priority = priority; 8892 flowtable_hook->num = hooknum; 8893 } else { 8894 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 8895 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 8896 if (hooknum != flowtable->hooknum) 8897 return -EOPNOTSUPP; 8898 } 8899 8900 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 8901 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 8902 if (priority != flowtable->data.priority) 8903 return -EOPNOTSUPP; 8904 } 8905 8906 flowtable_hook->priority = flowtable->data.priority; 8907 flowtable_hook->num = flowtable->hooknum; 8908 } 8909 8910 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 8911 err = nf_tables_parse_netdev_hooks(ctx->net, 8912 tb[NFTA_FLOWTABLE_HOOK_DEVS], 8913 &flowtable_hook->list, 8914 extack); 8915 if (err < 0) 8916 return err; 8917 } 8918 8919 list_for_each_entry(hook, &flowtable_hook->list, list) { 8920 list_for_each_entry(ops, &hook->ops_list, list) { 8921 ops->pf = NFPROTO_NETDEV; 8922 ops->hooknum = flowtable_hook->num; 8923 ops->priority = flowtable_hook->priority; 8924 ops->priv = &flowtable->data; 8925 ops->hook = flowtable->data.type->hook; 8926 ops->hook_ops_type = NF_HOOK_OP_NFT_FT; 8927 } 8928 } 8929 8930 return err; 8931 } 8932 8933 /* call under rcu_read_lock */ 8934 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 8935 { 8936 const struct nf_flowtable_type *type; 8937 8938 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) { 8939 if (family == type->family) 8940 return type; 8941 } 8942 return NULL; 8943 } 8944 8945 static const struct nf_flowtable_type * 8946 nft_flowtable_type_get(struct net 
*net, u8 family) 8947 { 8948 const struct nf_flowtable_type *type; 8949 8950 rcu_read_lock(); 8951 type = __nft_flowtable_type_get(family); 8952 if (type != NULL && try_module_get(type->owner)) { 8953 rcu_read_unlock(); 8954 return type; 8955 } 8956 rcu_read_unlock(); 8957 8958 lockdep_nfnl_nft_mutex_not_held(); 8959 #ifdef CONFIG_MODULES 8960 if (type == NULL) { 8961 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 8962 return ERR_PTR(-EAGAIN); 8963 } 8964 #endif 8965 return ERR_PTR(-ENOENT); 8966 } 8967 8968 /* Only called from error and netdev event paths. */ 8969 static void nft_unregister_flowtable_ops(struct net *net, 8970 struct nft_flowtable *flowtable, 8971 struct nf_hook_ops *ops) 8972 { 8973 nf_unregister_net_hook(net, ops); 8974 flowtable->data.type->setup(&flowtable->data, ops->dev, 8975 FLOW_BLOCK_UNBIND); 8976 } 8977 8978 static void __nft_unregister_flowtable_net_hooks(struct net *net, 8979 struct nft_flowtable *flowtable, 8980 struct list_head *hook_list, 8981 bool release_netdev) 8982 { 8983 struct nft_hook *hook, *next; 8984 struct nf_hook_ops *ops; 8985 8986 list_for_each_entry_safe(hook, next, hook_list, list) { 8987 list_for_each_entry(ops, &hook->ops_list, list) 8988 nft_unregister_flowtable_ops(net, flowtable, ops); 8989 if (release_netdev) 8990 nft_netdev_hook_unlink_free_rcu(hook); 8991 } 8992 } 8993 8994 static void nft_unregister_flowtable_net_hooks(struct net *net, 8995 struct nft_flowtable *flowtable, 8996 struct list_head *hook_list) 8997 { 8998 __nft_unregister_flowtable_net_hooks(net, flowtable, hook_list, false); 8999 } 9000 9001 static int nft_register_flowtable_ops(struct net *net, 9002 struct nft_flowtable *flowtable, 9003 struct nf_hook_ops *ops) 9004 { 9005 int err; 9006 9007 err = flowtable->data.type->setup(&flowtable->data, 9008 ops->dev, FLOW_BLOCK_BIND); 9009 if (err < 0) 9010 return err; 9011 9012 err = nf_register_net_hook(net, ops); 9013 if (!err) 9014 return 0; 9015 9016 
flowtable->data.type->setup(&flowtable->data, 9017 ops->dev, FLOW_BLOCK_UNBIND); 9018 return err; 9019 } 9020 9021 static int nft_register_flowtable_net_hooks(struct net *net, 9022 struct nft_table *table, 9023 struct list_head *hook_list, 9024 struct nft_flowtable *flowtable) 9025 { 9026 struct nft_hook *hook, *next; 9027 struct nft_flowtable *ft; 9028 struct nf_hook_ops *ops; 9029 int err, i = 0; 9030 9031 list_for_each_entry(hook, hook_list, list) { 9032 list_for_each_entry(ft, &table->flowtables, list) { 9033 if (!nft_is_active_next(net, ft)) 9034 continue; 9035 9036 if (nft_hook_list_find(&ft->hook_list, hook)) { 9037 err = -EEXIST; 9038 goto err_unregister_net_hooks; 9039 } 9040 } 9041 9042 list_for_each_entry(ops, &hook->ops_list, list) { 9043 err = nft_register_flowtable_ops(net, flowtable, ops); 9044 if (err < 0) 9045 goto err_unregister_net_hooks; 9046 9047 i++; 9048 } 9049 } 9050 9051 return 0; 9052 9053 err_unregister_net_hooks: 9054 list_for_each_entry_safe(hook, next, hook_list, list) { 9055 list_for_each_entry(ops, &hook->ops_list, list) { 9056 if (i-- <= 0) 9057 break; 9058 9059 nft_unregister_flowtable_ops(net, flowtable, ops); 9060 } 9061 nft_netdev_hook_unlink_free_rcu(hook); 9062 } 9063 9064 return err; 9065 } 9066 9067 static void nft_hooks_destroy(struct list_head *hook_list) 9068 { 9069 struct nft_hook *hook, *next; 9070 9071 list_for_each_entry_safe(hook, next, hook_list, list) 9072 nft_netdev_hook_unlink_free_rcu(hook); 9073 } 9074 9075 static void nft_flowtable_unregister_trans_hook(struct net *net, 9076 struct nft_flowtable *flowtable, 9077 struct list_head *hook_list) 9078 { 9079 struct nft_trans_hook *trans_hook, *next; 9080 struct nf_hook_ops *ops; 9081 struct nft_hook *hook; 9082 9083 list_for_each_entry_safe(trans_hook, next, hook_list, list) { 9084 hook = trans_hook->hook; 9085 list_for_each_entry(ops, &hook->ops_list, list) 9086 nft_unregister_flowtable_ops(net, flowtable, ops); 9087 9088 nft_netdev_hook_unlink_free_rcu(hook); 9089 
nft_trans_hook_destroy(trans_hook); 9090 } 9091 } 9092 9093 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 9094 struct nft_flowtable *flowtable, 9095 struct netlink_ext_ack *extack) 9096 { 9097 const struct nlattr * const *nla = ctx->nla; 9098 struct nft_flowtable_hook flowtable_hook; 9099 struct nftables_pernet *nft_net; 9100 struct nft_hook *hook, *next; 9101 struct nf_hook_ops *ops; 9102 struct nft_trans *trans; 9103 bool unregister = false; 9104 u32 flags; 9105 int err; 9106 9107 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable, 9108 extack, false); 9109 if (err < 0) 9110 return err; 9111 9112 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 9113 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 9114 list_del(&hook->list); 9115 nft_netdev_hook_free(hook); 9116 continue; 9117 } 9118 9119 nft_net = nft_pernet(ctx->net); 9120 list_for_each_entry(trans, &nft_net->commit_list, list) { 9121 if (trans->msg_type != NFT_MSG_NEWFLOWTABLE || 9122 trans->table != ctx->table || 9123 !nft_trans_flowtable_update(trans)) 9124 continue; 9125 9126 if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) { 9127 err = -EEXIST; 9128 goto err_flowtable_update_hook; 9129 } 9130 } 9131 } 9132 9133 if (nla[NFTA_FLOWTABLE_FLAGS]) { 9134 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 9135 if (flags & ~NFT_FLOWTABLE_MASK) { 9136 err = -EOPNOTSUPP; 9137 goto err_flowtable_update_hook; 9138 } 9139 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ 9140 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) { 9141 err = -EOPNOTSUPP; 9142 goto err_flowtable_update_hook; 9143 } 9144 } else { 9145 flags = flowtable->data.flags; 9146 } 9147 9148 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 9149 &flowtable_hook.list, flowtable); 9150 if (err < 0) 9151 goto err_flowtable_update_hook; 9152 9153 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 9154 sizeof(struct nft_trans_flowtable)); 9155 if (!trans) { 
9156 unregister = true; 9157 err = -ENOMEM; 9158 goto err_flowtable_update_hook; 9159 } 9160 9161 nft_trans_flowtable_flags(trans) = flags; 9162 nft_trans_flowtable(trans) = flowtable; 9163 nft_trans_flowtable_update(trans) = true; 9164 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 9165 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 9166 9167 nft_trans_commit_list_add_tail(ctx->net, trans); 9168 9169 return 0; 9170 9171 err_flowtable_update_hook: 9172 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 9173 if (unregister) { 9174 list_for_each_entry(ops, &hook->ops_list, list) 9175 nft_unregister_flowtable_ops(ctx->net, 9176 flowtable, ops); 9177 } 9178 nft_netdev_hook_unlink_free_rcu(hook); 9179 } 9180 9181 return err; 9182 9183 } 9184 9185 static int nf_tables_newflowtable(struct sk_buff *skb, 9186 const struct nfnl_info *info, 9187 const struct nlattr * const nla[]) 9188 { 9189 struct netlink_ext_ack *extack = info->extack; 9190 struct nft_flowtable_hook flowtable_hook; 9191 u8 genmask = nft_genmask_next(info->net); 9192 u8 family = info->nfmsg->nfgen_family; 9193 const struct nf_flowtable_type *type; 9194 struct nft_flowtable *flowtable; 9195 struct net *net = info->net; 9196 struct nft_table *table; 9197 struct nft_trans *trans; 9198 struct nft_ctx ctx; 9199 int err; 9200 9201 if (!nla[NFTA_FLOWTABLE_TABLE] || 9202 !nla[NFTA_FLOWTABLE_NAME] || 9203 !nla[NFTA_FLOWTABLE_HOOK]) 9204 return -EINVAL; 9205 9206 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 9207 genmask, NETLINK_CB(skb).portid); 9208 if (IS_ERR(table)) { 9209 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 9210 return PTR_ERR(table); 9211 } 9212 9213 flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME], 9214 genmask); 9215 if (IS_ERR(flowtable)) { 9216 err = PTR_ERR(flowtable); 9217 if (err != -ENOENT) { 9218 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 9219 return err; 9220 } 9221 } else { 9222 if 
(info->nlh->nlmsg_flags & NLM_F_EXCL) { 9223 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 9224 return -EEXIST; 9225 } 9226 9227 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 9228 9229 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack); 9230 } 9231 9232 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 9233 9234 if (!nft_use_inc(&table->use)) 9235 return -EMFILE; 9236 9237 flowtable = kzalloc_obj(*flowtable, GFP_KERNEL_ACCOUNT); 9238 if (!flowtable) { 9239 err = -ENOMEM; 9240 goto flowtable_alloc; 9241 } 9242 9243 flowtable->table = table; 9244 flowtable->handle = nf_tables_alloc_handle(table); 9245 INIT_LIST_HEAD(&flowtable->hook_list); 9246 9247 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT); 9248 if (!flowtable->name) { 9249 err = -ENOMEM; 9250 goto err1; 9251 } 9252 9253 type = nft_flowtable_type_get(net, family); 9254 if (IS_ERR(type)) { 9255 err = PTR_ERR(type); 9256 goto err2; 9257 } 9258 9259 if (nla[NFTA_FLOWTABLE_FLAGS]) { 9260 flowtable->data.flags = 9261 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 9262 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) { 9263 err = -EOPNOTSUPP; 9264 goto err3; 9265 } 9266 } 9267 9268 write_pnet(&flowtable->data.net, net); 9269 flowtable->data.type = type; 9270 err = type->init(&flowtable->data); 9271 if (err < 0) 9272 goto err3; 9273 9274 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable, 9275 extack, true); 9276 if (err < 0) 9277 goto err_flowtable_parse_hooks; 9278 9279 list_splice(&flowtable_hook.list, &flowtable->hook_list); 9280 flowtable->data.priority = flowtable_hook.priority; 9281 flowtable->hooknum = flowtable_hook.num; 9282 9283 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 9284 if (IS_ERR(trans)) { 9285 err = PTR_ERR(trans); 9286 goto err_flowtable_trans; 9287 } 9288 9289 /* This must be LAST to ensure no packets are walking over this flowtable. 
*/ 9290 err = nft_register_flowtable_net_hooks(ctx.net, table, 9291 &flowtable->hook_list, 9292 flowtable); 9293 if (err < 0) 9294 goto err_flowtable_hooks; 9295 9296 list_add_tail_rcu(&flowtable->list, &table->flowtables); 9297 9298 return 0; 9299 9300 err_flowtable_hooks: 9301 synchronize_rcu(); 9302 nft_trans_destroy(trans); 9303 err_flowtable_trans: 9304 nft_hooks_destroy(&flowtable->hook_list); 9305 err_flowtable_parse_hooks: 9306 flowtable->data.type->free(&flowtable->data); 9307 err3: 9308 module_put(type->owner); 9309 err2: 9310 kfree(flowtable->name); 9311 err1: 9312 kfree(flowtable); 9313 flowtable_alloc: 9314 nft_use_dec_restore(&table->use); 9315 9316 return err; 9317 } 9318 9319 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook) 9320 { 9321 struct nft_hook *this, *next; 9322 9323 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { 9324 list_del(&this->list); 9325 nft_netdev_hook_free(this); 9326 } 9327 } 9328 9329 static int nft_delflowtable_hook(struct nft_ctx *ctx, 9330 struct nft_flowtable *flowtable, 9331 struct netlink_ext_ack *extack) 9332 { 9333 const struct nlattr * const *nla = ctx->nla; 9334 struct nft_flowtable_hook flowtable_hook; 9335 LIST_HEAD(flowtable_del_list); 9336 struct nft_hook *this, *hook; 9337 struct nft_trans *trans; 9338 int err; 9339 9340 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable, 9341 extack, false); 9342 if (err < 0) 9343 return err; 9344 9345 list_for_each_entry(this, &flowtable_hook.list, list) { 9346 hook = nft_hook_list_find(&flowtable->hook_list, this); 9347 if (!hook) { 9348 err = -ENOENT; 9349 goto err_flowtable_del_hook; 9350 } 9351 if (nft_trans_delhook(hook, &flowtable_del_list) < 0) { 9352 err = -ENOMEM; 9353 goto err_flowtable_del_hook; 9354 } 9355 } 9356 9357 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 9358 sizeof(struct nft_trans_flowtable)); 9359 if (!trans) { 9360 err = -ENOMEM; 9361 goto err_flowtable_del_hook; 9362 } 9363 9364 
nft_trans_flowtable(trans) = flowtable;
	nft_trans_flowtable_update(trans) = true;
	INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
	list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
	nft_flowtable_hook_release(&flowtable_hook);

	nft_trans_commit_list_add_tail(ctx->net, trans);

	return 0;

err_flowtable_del_hook:
	nft_trans_delhook_abort(&flowtable_del_list);
	nft_flowtable_hook_release(&flowtable_hook);

	return err;
}

/* Netlink handler shared by NFT_MSG_DELFLOWTABLE and NFT_MSG_DESTROYFLOWTABLE
 * (both nf_tables_cb entries point here, type NFNL_CB_BATCH). It works on the
 * next-generation genmask and only records the removal as a transaction; the
 * flowtable itself is torn down later from nft_commit_release().
 *
 * Returns 0 on success or a negative errno; on lookup failures extack is
 * pointed at the offending attribute.
 */
static int nf_tables_delflowtable(struct sk_buff *skb,
				  const struct nfnl_info *info,
				  const struct nlattr * const nla[])
{
	struct netlink_ext_ack *extack = info->extack;
	u8 genmask = nft_genmask_next(info->net);
	u8 family = info->nfmsg->nfgen_family;
	struct nft_flowtable *flowtable;
	struct net *net = info->net;
	const struct nlattr *attr;
	struct nft_table *table;
	struct nft_ctx ctx;

	/* A table is mandatory; the flowtable is addressed by name or handle. */
	if (!nla[NFTA_FLOWTABLE_TABLE] ||
	    (!nla[NFTA_FLOWTABLE_NAME] &&
	     !nla[NFTA_FLOWTABLE_HANDLE]))
		return -EINVAL;

	/* The requester's portid is handed to the lookup, presumably so that
	 * owner-bound tables refuse requests from other sockets — confirm in
	 * nft_table_lookup().
	 */
	table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
				 genmask, NETLINK_CB(skb).portid);
	if (IS_ERR(table)) {
		NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
		return PTR_ERR(table);
	}

	/* Handle takes precedence over name when both are supplied. */
	if (nla[NFTA_FLOWTABLE_HANDLE]) {
		attr = nla[NFTA_FLOWTABLE_HANDLE];
		flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
	} else {
		attr = nla[NFTA_FLOWTABLE_NAME];
		flowtable = nft_flowtable_lookup(net, table, attr, genmask);
	}

	if (IS_ERR(flowtable)) {
		/* DESTROY is idempotent: a missing flowtable is not an error.
		 * DEL reports -ENOENT like any other lookup failure.
		 */
		if (PTR_ERR(flowtable) == -ENOENT &&
		    NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
			return 0;

		NL_SET_BAD_ATTR(extack, attr);
		return PTR_ERR(flowtable);
	}

	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);

	/* NFTA_FLOWTABLE_HOOK asks for removal of individual hooks only; the
	 * flowtable object survives, so the in-use check below is not applied
	 * on this path.
	 */
	if (nla[NFTA_FLOWTABLE_HOOK])
		return nft_delflowtable_hook(&ctx, flowtable, extack);

	/* Refuse to remove a flowtable that is still referenced. */
	if (flowtable->use > 0) {
		NL_SET_BAD_ATTR(extack, attr);
		return -EBUSY;
	}

	return nft_delflowtable(&ctx, flowtable);
}

/* Serialise @flowtable into @skb as an nftables @event message.
 *
 * For DEL/DESTROY events with neither @hook_list nor @trans_hook_list the
 * message carries only table, name and handle. Otherwise use count, flags,
 * hook number/priority and the device list follow. The device list is taken
 * from @hook_list (walked under RCU or the commit mutex), else from
 * @trans_hook_list, else from the flowtable's own hook_list.
 *
 * Returns 0, or -1 after trimming the partially built message from @skb.
 */
static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
					 u32 portid, u32 seq, int event,
					 u32 flags, int family,
					 struct nft_flowtable *flowtable,
					 struct list_head *hook_list,
					 struct list_head *trans_hook_list)
{
	struct nft_trans_hook *trans_hook;
	struct nlattr *nest, *nest_devs;
	struct nft_hook *hook;
	struct nlmsghdr *nlh;

	nlh = nfnl_msg_put(skb, portid, seq,
			   nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event),
			   flags, family, NFNETLINK_V0, nft_base_seq_be16(net));
	if (!nlh)
		goto nla_put_failure;

	if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
	    nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
	    nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
			 NFTA_FLOWTABLE_PAD))
		goto nla_put_failure;

	/* Deletion notifications without an explicit hook list only need to
	 * identify the object.
	 */
	if (!hook_list && !trans_hook_list &&
	    (event == NFT_MSG_DELFLOWTABLE ||
	     event == NFT_MSG_DESTROYFLOWTABLE)) {
		nlmsg_end(skb, nlh);
		return 0;
	}

	if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
	    nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
		goto nla_put_failure;

	nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
	if (!nest)
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
	    nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
		goto nla_put_failure;

	nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
	if (!nest_devs)
		goto nla_put_failure;

	/* Neither list supplied: report the flowtable's current hooks. */
	if (!hook_list && !trans_hook_list)
		hook_list = &flowtable->hook_list;

	if (hook_list) {
list_for_each_entry_rcu(hook, hook_list, list, 9487 lockdep_commit_lock_is_held(net)) { 9488 if (nft_nla_put_hook_dev(skb, hook)) 9489 goto nla_put_failure; 9490 } 9491 } else if (trans_hook_list) { 9492 list_for_each_entry(trans_hook, trans_hook_list, list) { 9493 if (nft_nla_put_hook_dev(skb, trans_hook->hook)) 9494 goto nla_put_failure; 9495 } 9496 } 9497 nla_nest_end(skb, nest_devs); 9498 nla_nest_end(skb, nest); 9499 9500 nlmsg_end(skb, nlh); 9501 return 0; 9502 9503 nla_put_failure: 9504 nlmsg_trim(skb, nlh); 9505 return -1; 9506 } 9507 9508 struct nft_flowtable_filter { 9509 char *table; 9510 }; 9511 9512 static int nf_tables_dump_flowtable(struct sk_buff *skb, 9513 struct netlink_callback *cb) 9514 { 9515 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 9516 struct nft_flowtable_filter *filter = cb->data; 9517 unsigned int idx = 0, s_idx = cb->args[0]; 9518 struct net *net = sock_net(skb->sk); 9519 int family = nfmsg->nfgen_family; 9520 struct nft_flowtable *flowtable; 9521 struct nftables_pernet *nft_net; 9522 const struct nft_table *table; 9523 9524 rcu_read_lock(); 9525 nft_net = nft_pernet(net); 9526 cb->seq = nft_base_seq(net); 9527 9528 list_for_each_entry_rcu(table, &nft_net->tables, list) { 9529 if (family != NFPROTO_UNSPEC && family != table->family) 9530 continue; 9531 9532 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 9533 if (!nft_is_active(net, flowtable)) 9534 goto cont; 9535 if (idx < s_idx) 9536 goto cont; 9537 if (idx > s_idx) 9538 memset(&cb->args[1], 0, 9539 sizeof(cb->args) - sizeof(cb->args[0])); 9540 if (filter && filter->table && 9541 strcmp(filter->table, table->name)) 9542 goto cont; 9543 9544 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 9545 cb->nlh->nlmsg_seq, 9546 NFT_MSG_NEWFLOWTABLE, 9547 NLM_F_MULTI | NLM_F_APPEND, 9548 table->family, 9549 flowtable, NULL, NULL) < 0) 9550 goto done; 9551 9552 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 9553 cont: 9554 idx++; 9555 } 9556 } 9557 
done: 9558 rcu_read_unlock(); 9559 9560 cb->args[0] = idx; 9561 return skb->len; 9562 } 9563 9564 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 9565 { 9566 const struct nlattr * const *nla = cb->data; 9567 struct nft_flowtable_filter *filter = NULL; 9568 9569 if (nla[NFTA_FLOWTABLE_TABLE]) { 9570 filter = kzalloc_obj(*filter, GFP_ATOMIC); 9571 if (!filter) 9572 return -ENOMEM; 9573 9574 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 9575 GFP_ATOMIC); 9576 if (!filter->table) { 9577 kfree(filter); 9578 return -ENOMEM; 9579 } 9580 } 9581 9582 cb->data = filter; 9583 return 0; 9584 } 9585 9586 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 9587 { 9588 struct nft_flowtable_filter *filter = cb->data; 9589 9590 if (!filter) 9591 return 0; 9592 9593 kfree(filter->table); 9594 kfree(filter); 9595 9596 return 0; 9597 } 9598 9599 /* called with rcu_read_lock held */ 9600 static int nf_tables_getflowtable(struct sk_buff *skb, 9601 const struct nfnl_info *info, 9602 const struct nlattr * const nla[]) 9603 { 9604 struct netlink_ext_ack *extack = info->extack; 9605 u8 genmask = nft_genmask_cur(info->net); 9606 u8 family = info->nfmsg->nfgen_family; 9607 struct nft_flowtable *flowtable; 9608 const struct nft_table *table; 9609 struct net *net = info->net; 9610 struct sk_buff *skb2; 9611 int err; 9612 9613 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 9614 struct netlink_dump_control c = { 9615 .start = nf_tables_dump_flowtable_start, 9616 .dump = nf_tables_dump_flowtable, 9617 .done = nf_tables_dump_flowtable_done, 9618 .module = THIS_MODULE, 9619 .data = (void *)nla, 9620 }; 9621 9622 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 9623 } 9624 9625 if (!nla[NFTA_FLOWTABLE_NAME]) 9626 return -EINVAL; 9627 9628 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 9629 genmask, 0); 9630 if (IS_ERR(table)) { 9631 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 9632 return PTR_ERR(table); 9633 } 9634 
9635 flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME], 9636 genmask); 9637 if (IS_ERR(flowtable)) { 9638 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 9639 return PTR_ERR(flowtable); 9640 } 9641 9642 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 9643 if (!skb2) 9644 return -ENOMEM; 9645 9646 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 9647 info->nlh->nlmsg_seq, 9648 NFT_MSG_NEWFLOWTABLE, 0, family, 9649 flowtable, NULL, NULL); 9650 if (err < 0) 9651 goto err_fill_flowtable_info; 9652 9653 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 9654 9655 err_fill_flowtable_info: 9656 kfree_skb(skb2); 9657 return err; 9658 } 9659 9660 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 9661 struct nft_flowtable *flowtable, 9662 struct list_head *hook_list, 9663 struct list_head *trans_hook_list, 9664 int event) 9665 { 9666 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 9667 struct sk_buff *skb; 9668 u16 flags = 0; 9669 int err; 9670 9671 if (!ctx->report && 9672 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 9673 return; 9674 9675 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 9676 if (skb == NULL) 9677 goto err; 9678 9679 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 9680 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 9681 9682 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 9683 ctx->seq, event, flags, 9684 ctx->family, flowtable, 9685 hook_list, trans_hook_list); 9686 if (err < 0) { 9687 kfree_skb(skb); 9688 goto err; 9689 } 9690 9691 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 9692 return; 9693 err: 9694 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 9695 } 9696 9697 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 9698 { 9699 flowtable->data.type->free(&flowtable->data); 9700 nft_hooks_destroy(&flowtable->hook_list); 9701 kfree(flowtable->name); 9702 module_put(flowtable->data.type->owner); 9703 
kfree(flowtable);
}

/* Build a NFT_MSG_NEWGEN message carrying the current generation id plus the
 * pid and comm of the task issuing it. Returns 0, or -EMSGSIZE after trimming
 * the partial message.
 */
static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
				   u32 portid, u32 seq)
{
	struct nlmsghdr *nlh;
	char buf[TASK_COMM_LEN];
	int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);

	nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
			   NFNETLINK_V0, nft_base_seq_be16(net));
	if (!nlh)
		goto nla_put_failure;

	if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_base_seq(net))) ||
	    nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
	    nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return 0;

nla_put_failure:
	nlmsg_trim(skb, nlh);
	return -EMSGSIZE;
}

/**
 * nft_hook_find_ops - find the nf_hook_ops of @hook registered on @dev
 * @hook: hook whose ops_list is searched
 * @dev: device compared against ops->dev
 *
 * Plain list walk: the caller must serialise against updates of ops_list
 * (the netdev notifier path below holds commit_mutex). RCU readers use
 * nft_hook_find_ops_rcu() instead.
 *
 * Return: the matching ops, or NULL if @dev is not registered for @hook.
 */
struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook,
				      const struct net_device *dev)
{
	struct nf_hook_ops *ops;

	list_for_each_entry(ops, &hook->ops_list, list) {
		if (ops->dev == dev)
			return ops;
	}
	return NULL;
}
EXPORT_SYMBOL_GPL(nft_hook_find_ops);

/**
 * nft_hook_find_ops_rcu - RCU-safe variant of nft_hook_find_ops()
 * @hook: hook whose ops_list is searched
 * @dev: device compared against ops->dev
 *
 * Walks ops_list with list_for_each_entry_rcu(); the caller must be inside an
 * RCU read-side critical section.
 *
 * Return: the matching ops, or NULL.
 */
struct nf_hook_ops *nft_hook_find_ops_rcu(const struct nft_hook *hook,
					  const struct net_device *dev)
{
	struct nf_hook_ops *ops;

	list_for_each_entry_rcu(ops, &hook->ops_list, list) {
		if (ops->dev == dev)
			return ops;
	}
	return NULL;
}
EXPORT_SYMBOL_GPL(nft_hook_find_ops_rcu);

/* Apply a NETDEV_REGISTER or NETDEV_UNREGISTER event for @dev to the hooks of
 * one @flowtable. @changename is set when the caller is servicing a
 * NETDEV_CHANGENAME as a register-then-unregister pair, in which case an
 * unregister is skipped for hooks the new name still matches.
 *
 * Runs with commit_mutex held by the notifier (see nf_tables_flowtable_event).
 *
 * Returns 1 if an nf_hook_ops could not be allocated or registered (the
 * notifier turns this into NOTIFY_BAD), 0 otherwise.
 */
static int nft_flowtable_event(unsigned long event, struct net_device *dev,
			       struct nft_flowtable *flowtable, bool changename)
{
	struct nf_hook_ops *ops;
	struct nft_hook *hook;
	bool match;

	list_for_each_entry(hook, &flowtable->hook_list, list) {
		ops = nft_hook_find_ops(hook, dev);
		/* Prefix compare bounded by the hook's ifnamelen; whether a
		 * longer device name with the same prefix matches presumably
		 * depends on how ifnamelen was set at parse time (exact name
		 * vs. wildcard) — confirm in the hook parsing code.
		 */
		match = !strncmp(hook->ifname, dev->name, hook->ifnamelen);

		switch (event) {
		case NETDEV_UNREGISTER:
			/* NOP if not found or new name still matching */
			if (!ops || (changename && match))
				continue;

			/* flow_offload_netdev_event() cleans up entries for us. */
			nft_unregister_flowtable_ops(dev_net(dev),
						     flowtable, ops);
			/* RCU readers (nft_hook_find_ops_rcu) may still hold ops. */
			list_del_rcu(&ops->list);
			kfree_rcu(ops, rcu);
			break;
		case NETDEV_REGISTER:
			/* NOP if not matching or already registered */
			if (!match || ops)
				continue;

			/* GFP_KERNEL_ACCOUNT: charge the ops to the current
			 * task's memcg.
			 */
			ops = kzalloc_obj(struct nf_hook_ops,
					  GFP_KERNEL_ACCOUNT);
			if (!ops)
				return 1;

			ops->pf = NFPROTO_NETDEV;
			ops->hooknum = flowtable->hooknum;
			ops->priority = flowtable->data.priority;
			ops->priv = &flowtable->data;
			ops->hook = flowtable->data.type->hook;
			ops->hook_ops_type = NF_HOOK_OP_NFT_FT;
			ops->dev = dev;
			if (nft_register_flowtable_ops(dev_net(dev),
						       flowtable, ops)) {
				kfree(ops);
				return 1;
			}
			list_add_tail_rcu(&ops->list, &hook->ops_list);
			break;
		}
		/* A hook that was handled ends the walk; the continue paths
		 * above are the only way to look at further hooks.
		 */
		break;
	}
	return 0;
}

/* Apply @event for @dev to every flowtable in the device's netns. Stops at
 * the first failure and propagates the 1 from nft_flowtable_event().
 * Plain (non-RCU) list walks: the caller holds commit_mutex.
 */
static int __nf_tables_flowtable_event(unsigned long event,
				       struct net_device *dev,
				       bool changename)
{
	struct nftables_pernet *nft_net = nft_pernet(dev_net(dev));
	struct nft_flowtable *flowtable;
	struct nft_table *table;

	list_for_each_entry(table, &nft_net->tables, list) {
		list_for_each_entry(flowtable, &table->flowtables, list) {
			if (nft_flowtable_event(event, dev,
						flowtable, changename))
				return 1;
		}
	}
	return 0;
}

/* netdev notifier: keeps flowtable hook registrations in sync with device
 * registration, unregistration and renames. Only REGISTER, UNREGISTER and
 * CHANGENAME are handled, all under commit_mutex so the walk cannot race with
 * a transaction. A CHANGENAME is serviced as REGISTER under the new name
 * followed by UNREGISTER of hooks the new name no longer matches; only the
 * register half can turn the result into NOTIFY_BAD.
 */
static int nf_tables_flowtable_event(struct notifier_block *this,
				     unsigned long event, void *ptr)
{
	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
	struct nftables_pernet *nft_net;
	int ret = NOTIFY_DONE;
	struct net *net;

	if (event != NETDEV_REGISTER &&
	    event != NETDEV_UNREGISTER &&
	    event != NETDEV_CHANGENAME)
		return NOTIFY_DONE;

	net = dev_net(dev);
	nft_net = nft_pernet(net);
	mutex_lock(&nft_net->commit_mutex);

	if
(event == NETDEV_CHANGENAME) { 9846 if (__nf_tables_flowtable_event(NETDEV_REGISTER, dev, true)) { 9847 ret = NOTIFY_BAD; 9848 goto out_unlock; 9849 } 9850 __nf_tables_flowtable_event(NETDEV_UNREGISTER, dev, true); 9851 } else if (__nf_tables_flowtable_event(event, dev, false)) { 9852 ret = NOTIFY_BAD; 9853 } 9854 out_unlock: 9855 mutex_unlock(&nft_net->commit_mutex); 9856 return ret; 9857 } 9858 9859 static struct notifier_block nf_tables_flowtable_notifier = { 9860 .notifier_call = nf_tables_flowtable_event, 9861 }; 9862 9863 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 9864 int event) 9865 { 9866 struct nlmsghdr *nlh = nlmsg_hdr(skb); 9867 struct sk_buff *skb2; 9868 int err; 9869 9870 if (!nlmsg_report(nlh) && 9871 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 9872 return; 9873 9874 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 9875 if (skb2 == NULL) 9876 goto err; 9877 9878 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 9879 nlh->nlmsg_seq); 9880 if (err < 0) { 9881 kfree_skb(skb2); 9882 goto err; 9883 } 9884 9885 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 9886 nlmsg_report(nlh), GFP_KERNEL); 9887 return; 9888 err: 9889 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 9890 -ENOBUFS); 9891 } 9892 9893 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info, 9894 const struct nlattr * const nla[]) 9895 { 9896 struct sk_buff *skb2; 9897 int err; 9898 9899 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 9900 if (skb2 == NULL) 9901 return -ENOMEM; 9902 9903 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid, 9904 info->nlh->nlmsg_seq); 9905 if (err < 0) 9906 goto err_fill_gen_info; 9907 9908 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 9909 9910 err_fill_gen_info: 9911 kfree_skb(skb2); 9912 return err; 9913 } 9914 9915 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 9916 [NFT_MSG_NEWTABLE] = { 9917 .call 
= nf_tables_newtable, 9918 .type = NFNL_CB_BATCH, 9919 .attr_count = NFTA_TABLE_MAX, 9920 .policy = nft_table_policy, 9921 }, 9922 [NFT_MSG_GETTABLE] = { 9923 .call = nf_tables_gettable, 9924 .type = NFNL_CB_RCU, 9925 .attr_count = NFTA_TABLE_MAX, 9926 .policy = nft_table_policy, 9927 }, 9928 [NFT_MSG_DELTABLE] = { 9929 .call = nf_tables_deltable, 9930 .type = NFNL_CB_BATCH, 9931 .attr_count = NFTA_TABLE_MAX, 9932 .policy = nft_table_policy, 9933 }, 9934 [NFT_MSG_DESTROYTABLE] = { 9935 .call = nf_tables_deltable, 9936 .type = NFNL_CB_BATCH, 9937 .attr_count = NFTA_TABLE_MAX, 9938 .policy = nft_table_policy, 9939 }, 9940 [NFT_MSG_NEWCHAIN] = { 9941 .call = nf_tables_newchain, 9942 .type = NFNL_CB_BATCH, 9943 .attr_count = NFTA_CHAIN_MAX, 9944 .policy = nft_chain_policy, 9945 }, 9946 [NFT_MSG_GETCHAIN] = { 9947 .call = nf_tables_getchain, 9948 .type = NFNL_CB_RCU, 9949 .attr_count = NFTA_CHAIN_MAX, 9950 .policy = nft_chain_policy, 9951 }, 9952 [NFT_MSG_DELCHAIN] = { 9953 .call = nf_tables_delchain, 9954 .type = NFNL_CB_BATCH, 9955 .attr_count = NFTA_CHAIN_MAX, 9956 .policy = nft_chain_policy, 9957 }, 9958 [NFT_MSG_DESTROYCHAIN] = { 9959 .call = nf_tables_delchain, 9960 .type = NFNL_CB_BATCH, 9961 .attr_count = NFTA_CHAIN_MAX, 9962 .policy = nft_chain_policy, 9963 }, 9964 [NFT_MSG_NEWRULE] = { 9965 .call = nf_tables_newrule, 9966 .type = NFNL_CB_BATCH, 9967 .attr_count = NFTA_RULE_MAX, 9968 .policy = nft_rule_policy, 9969 }, 9970 [NFT_MSG_GETRULE] = { 9971 .call = nf_tables_getrule, 9972 .type = NFNL_CB_RCU, 9973 .attr_count = NFTA_RULE_MAX, 9974 .policy = nft_rule_policy, 9975 }, 9976 [NFT_MSG_GETRULE_RESET] = { 9977 .call = nf_tables_getrule, 9978 .type = NFNL_CB_RCU, 9979 .attr_count = NFTA_RULE_MAX, 9980 .policy = nft_rule_policy, 9981 }, 9982 [NFT_MSG_DELRULE] = { 9983 .call = nf_tables_delrule, 9984 .type = NFNL_CB_BATCH, 9985 .attr_count = NFTA_RULE_MAX, 9986 .policy = nft_rule_policy, 9987 }, 9988 [NFT_MSG_DESTROYRULE] = { 9989 .call = nf_tables_delrule, 9990 
.type = NFNL_CB_BATCH, 9991 .attr_count = NFTA_RULE_MAX, 9992 .policy = nft_rule_policy, 9993 }, 9994 [NFT_MSG_NEWSET] = { 9995 .call = nf_tables_newset, 9996 .type = NFNL_CB_BATCH, 9997 .attr_count = NFTA_SET_MAX, 9998 .policy = nft_set_policy, 9999 }, 10000 [NFT_MSG_GETSET] = { 10001 .call = nf_tables_getset, 10002 .type = NFNL_CB_RCU, 10003 .attr_count = NFTA_SET_MAX, 10004 .policy = nft_set_policy, 10005 }, 10006 [NFT_MSG_DELSET] = { 10007 .call = nf_tables_delset, 10008 .type = NFNL_CB_BATCH, 10009 .attr_count = NFTA_SET_MAX, 10010 .policy = nft_set_policy, 10011 }, 10012 [NFT_MSG_DESTROYSET] = { 10013 .call = nf_tables_delset, 10014 .type = NFNL_CB_BATCH, 10015 .attr_count = NFTA_SET_MAX, 10016 .policy = nft_set_policy, 10017 }, 10018 [NFT_MSG_NEWSETELEM] = { 10019 .call = nf_tables_newsetelem, 10020 .type = NFNL_CB_BATCH, 10021 .attr_count = NFTA_SET_ELEM_LIST_MAX, 10022 .policy = nft_set_elem_list_policy, 10023 }, 10024 [NFT_MSG_GETSETELEM] = { 10025 .call = nf_tables_getsetelem, 10026 .type = NFNL_CB_RCU, 10027 .attr_count = NFTA_SET_ELEM_LIST_MAX, 10028 .policy = nft_set_elem_list_policy, 10029 }, 10030 [NFT_MSG_GETSETELEM_RESET] = { 10031 .call = nf_tables_getsetelem, 10032 .type = NFNL_CB_RCU, 10033 .attr_count = NFTA_SET_ELEM_LIST_MAX, 10034 .policy = nft_set_elem_list_policy, 10035 }, 10036 [NFT_MSG_DELSETELEM] = { 10037 .call = nf_tables_delsetelem, 10038 .type = NFNL_CB_BATCH, 10039 .attr_count = NFTA_SET_ELEM_LIST_MAX, 10040 .policy = nft_set_elem_list_policy, 10041 }, 10042 [NFT_MSG_DESTROYSETELEM] = { 10043 .call = nf_tables_delsetelem, 10044 .type = NFNL_CB_BATCH, 10045 .attr_count = NFTA_SET_ELEM_LIST_MAX, 10046 .policy = nft_set_elem_list_policy, 10047 }, 10048 [NFT_MSG_GETGEN] = { 10049 .call = nf_tables_getgen, 10050 .type = NFNL_CB_RCU, 10051 }, 10052 [NFT_MSG_NEWOBJ] = { 10053 .call = nf_tables_newobj, 10054 .type = NFNL_CB_BATCH, 10055 .attr_count = NFTA_OBJ_MAX, 10056 .policy = nft_obj_policy, 10057 }, 10058 [NFT_MSG_GETOBJ] = { 10059 
.call = nf_tables_getobj, 10060 .type = NFNL_CB_RCU, 10061 .attr_count = NFTA_OBJ_MAX, 10062 .policy = nft_obj_policy, 10063 }, 10064 [NFT_MSG_DELOBJ] = { 10065 .call = nf_tables_delobj, 10066 .type = NFNL_CB_BATCH, 10067 .attr_count = NFTA_OBJ_MAX, 10068 .policy = nft_obj_policy, 10069 }, 10070 [NFT_MSG_DESTROYOBJ] = { 10071 .call = nf_tables_delobj, 10072 .type = NFNL_CB_BATCH, 10073 .attr_count = NFTA_OBJ_MAX, 10074 .policy = nft_obj_policy, 10075 }, 10076 [NFT_MSG_GETOBJ_RESET] = { 10077 .call = nf_tables_getobj, 10078 .type = NFNL_CB_RCU, 10079 .attr_count = NFTA_OBJ_MAX, 10080 .policy = nft_obj_policy, 10081 }, 10082 [NFT_MSG_NEWFLOWTABLE] = { 10083 .call = nf_tables_newflowtable, 10084 .type = NFNL_CB_BATCH, 10085 .attr_count = NFTA_FLOWTABLE_MAX, 10086 .policy = nft_flowtable_policy, 10087 }, 10088 [NFT_MSG_GETFLOWTABLE] = { 10089 .call = nf_tables_getflowtable, 10090 .type = NFNL_CB_RCU, 10091 .attr_count = NFTA_FLOWTABLE_MAX, 10092 .policy = nft_flowtable_policy, 10093 }, 10094 [NFT_MSG_DELFLOWTABLE] = { 10095 .call = nf_tables_delflowtable, 10096 .type = NFNL_CB_BATCH, 10097 .attr_count = NFTA_FLOWTABLE_MAX, 10098 .policy = nft_flowtable_policy, 10099 }, 10100 [NFT_MSG_DESTROYFLOWTABLE] = { 10101 .call = nf_tables_delflowtable, 10102 .type = NFNL_CB_BATCH, 10103 .attr_count = NFTA_FLOWTABLE_MAX, 10104 .policy = nft_flowtable_policy, 10105 }, 10106 }; 10107 10108 static int nf_tables_validate(struct net *net) 10109 { 10110 struct nftables_pernet *nft_net = nft_pernet(net); 10111 struct nft_table *table; 10112 10113 list_for_each_entry(table, &nft_net->tables, list) { 10114 switch (table->validate_state) { 10115 case NFT_VALIDATE_SKIP: 10116 continue; 10117 case NFT_VALIDATE_NEED: 10118 nft_validate_state_update(table, NFT_VALIDATE_DO); 10119 fallthrough; 10120 case NFT_VALIDATE_DO: 10121 if (nft_table_validate(net, table) < 0) 10122 return -EAGAIN; 10123 10124 nft_validate_state_update(table, NFT_VALIDATE_SKIP); 10125 break; 10126 } 10127 } 10128 10129 
return 0; 10130 } 10131 10132 /* a drop policy has to be deferred until all rules have been activated, 10133 * otherwise a large ruleset that contains a drop-policy base chain will 10134 * cause all packets to get dropped until the full transaction has been 10135 * processed. 10136 * 10137 * We defer the drop policy until the transaction has been finalized. 10138 */ 10139 static void nft_chain_commit_drop_policy(struct nft_trans_chain *trans) 10140 { 10141 struct nft_base_chain *basechain; 10142 10143 if (trans->policy != NF_DROP) 10144 return; 10145 10146 if (!nft_is_base_chain(trans->chain)) 10147 return; 10148 10149 basechain = nft_base_chain(trans->chain); 10150 basechain->policy = NF_DROP; 10151 } 10152 10153 static void nft_chain_commit_update(struct nft_trans_chain *trans) 10154 { 10155 struct nft_table *table = trans->nft_trans_binding.nft_trans.table; 10156 struct nft_base_chain *basechain; 10157 10158 if (trans->name) { 10159 rhltable_remove(&table->chains_ht, 10160 &trans->chain->rhlhead, 10161 nft_chain_ht_params); 10162 swap(trans->chain->name, trans->name); 10163 rhltable_insert_key(&table->chains_ht, 10164 trans->chain->name, 10165 &trans->chain->rhlhead, 10166 nft_chain_ht_params); 10167 } 10168 10169 if (!nft_is_base_chain(trans->chain)) 10170 return; 10171 10172 nft_chain_stats_replace(trans); 10173 10174 basechain = nft_base_chain(trans->chain); 10175 10176 switch (trans->policy) { 10177 case NF_DROP: 10178 case NF_ACCEPT: 10179 basechain->policy = trans->policy; 10180 break; 10181 } 10182 } 10183 10184 static void nft_obj_commit_update(const struct nft_ctx *ctx, 10185 struct nft_trans *trans) 10186 { 10187 struct nft_object *newobj; 10188 struct nft_object *obj; 10189 10190 obj = nft_trans_obj(trans); 10191 newobj = nft_trans_obj_newobj(trans); 10192 10193 if (WARN_ON_ONCE(!obj->ops->update)) 10194 return; 10195 10196 obj->ops->update(obj, newobj); 10197 nft_obj_destroy(ctx, newobj); 10198 } 10199 10200 static void nft_commit_release(struct 
nft_trans *trans) 10201 { 10202 struct nft_ctx ctx = { 10203 .net = trans->net, 10204 }; 10205 10206 nft_ctx_update(&ctx, trans); 10207 10208 switch (trans->msg_type) { 10209 case NFT_MSG_DELTABLE: 10210 case NFT_MSG_DESTROYTABLE: 10211 nf_tables_table_destroy(trans->table); 10212 break; 10213 case NFT_MSG_NEWCHAIN: 10214 free_percpu(nft_trans_chain_stats(trans)); 10215 kfree(nft_trans_chain_name(trans)); 10216 break; 10217 case NFT_MSG_DELCHAIN: 10218 case NFT_MSG_DESTROYCHAIN: 10219 if (!nft_trans_chain_update(trans)) 10220 nf_tables_chain_destroy(nft_trans_chain(trans)); 10221 break; 10222 case NFT_MSG_DELRULE: 10223 case NFT_MSG_DESTROYRULE: 10224 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans)); 10225 break; 10226 case NFT_MSG_DELSET: 10227 case NFT_MSG_DESTROYSET: 10228 nft_set_destroy(&ctx, nft_trans_set(trans)); 10229 break; 10230 case NFT_MSG_DELSETELEM: 10231 case NFT_MSG_DESTROYSETELEM: 10232 nft_trans_elems_destroy(&ctx, nft_trans_container_elem(trans)); 10233 break; 10234 case NFT_MSG_DELOBJ: 10235 case NFT_MSG_DESTROYOBJ: 10236 nft_obj_destroy(&ctx, nft_trans_obj(trans)); 10237 break; 10238 case NFT_MSG_DELFLOWTABLE: 10239 case NFT_MSG_DESTROYFLOWTABLE: 10240 if (!nft_trans_flowtable_update(trans)) 10241 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 10242 break; 10243 } 10244 10245 if (trans->put_net) 10246 put_net(trans->net); 10247 10248 kfree(trans); 10249 } 10250 10251 static void nf_tables_trans_destroy_work(struct work_struct *w) 10252 { 10253 struct nftables_pernet *nft_net = container_of(w, struct nftables_pernet, destroy_work); 10254 struct nft_trans *trans, *next; 10255 LIST_HEAD(head); 10256 10257 spin_lock(&nf_tables_destroy_list_lock); 10258 list_splice_init(&nft_net->destroy_list, &head); 10259 spin_unlock(&nf_tables_destroy_list_lock); 10260 10261 if (list_empty(&head)) 10262 return; 10263 10264 synchronize_rcu(); 10265 10266 list_for_each_entry_safe(trans, next, &head, list) { 10267 nft_trans_list_del(trans); 10268 
nft_commit_release(trans);
	}
}

/**
 * nf_tables_trans_destroy_flush_work - wait for deferred transaction release
 * @net: network namespace whose destroy_work is flushed
 *
 * Blocks until nf_tables_trans_destroy_work() has drained the pending
 * destroy_list, i.e. until objects released by earlier commits are freed.
 */
void nf_tables_trans_destroy_flush_work(struct net *net)
{
	struct nftables_pernet *nft_net = nft_pernet(net);

	flush_work(&nft_net->destroy_work);
}
EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);

/* Build chain->blob_next, the flat rule blob the datapath will use in the
 * next generation: every rule active in the next generation is copied as a
 * struct nft_rule_dp header followed by its expressions, and a trailer is
 * appended by nft_last_rule().
 *
 * The blob is sized by a first pass; every write of the second pass is then
 * checked against data_boundary. A mismatch between the two passes is a bug
 * (DEBUG_NET_WARN_ON_ONCE) and is reported as -ENOMEM. On such an error
 * blob_next is left allocated and is expected to be dropped by
 * nf_tables_commit_chain_prepare_cancel().
 *
 * Returns 0, or -ENOMEM on allocation failure or size/bounds problems.
 */
static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
{
	const struct nft_expr *expr, *last;
	unsigned int size, data_size;
	void *data, *data_boundary;
	struct nft_rule_dp *prule;
	struct nft_rule *rule;

	/* already handled or inactive chain? */
	if (chain->blob_next || !nft_is_active_next(net, chain))
		return 0;

	/* Pass 1: size the blob; reject totals beyond INT_MAX. */
	data_size = 0;
	list_for_each_entry(rule, &chain->rules, list) {
		if (nft_is_active_next(net, rule)) {
			data_size += sizeof(*prule) + rule->dlen;
			if (data_size > INT_MAX)
				return -ENOMEM;
		}
	}

	chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
	if (!chain->blob_next)
		return -ENOMEM;

	data = (void *)chain->blob_next->data;
	data_boundary = data + data_size;
	size = 0;

	/* Pass 2: copy headers and expressions, never past data_boundary. */
	list_for_each_entry(rule, &chain->rules, list) {
		if (!nft_is_active_next(net, rule))
			continue;

		prule = (struct nft_rule_dp *)data;
		data += offsetof(struct nft_rule_dp, data);
		if (unlikely(data > data_boundary)) {
			DEBUG_NET_WARN_ON_ONCE(1);
			return -ENOMEM;
		}

		size = 0;
		nft_rule_for_each_expr(expr, last, rule) {
			if (unlikely(data + size + expr->ops->size > data_boundary)) {
				DEBUG_NET_WARN_ON_ONCE(1);
				return -ENOMEM;
			}

			memcpy(data + size, expr, expr->ops->size);
			size += expr->ops->size;
		}
		/* Per-rule expression data is capped at 4 KiB; presumably
		 * prule->dlen is a narrow bitfield — confirm in struct
		 * nft_rule_dp.
		 */
		if (unlikely(size >= 1 << 12)) {
			DEBUG_NET_WARN_ON_ONCE(1);
			return -ENOMEM;
		}

		prule->handle = rule->handle;
		prule->dlen = size;
		prule->is_last = 0;

		data += size;
		size = 0;
		/* header plus expression bytes consumed by this rule */
		chain->blob_next->size += (unsigned long)(data - (void *)prule);
	}

	if (unlikely(data > data_boundary)) {
		DEBUG_NET_WARN_ON_ONCE(1);
		return -ENOMEM;
	}

	/* The end marker goes right after the last copied rule. */
	prule = (struct nft_rule_dp *)data;
	nft_last_rule(chain, prule);

	return 0;
}

/* Undo nf_tables_commit_chain_prepare() for every chain touched by a rule
 * transaction on the pending commit list: drop the prepared blob_next.
 */
static void nf_tables_commit_chain_prepare_cancel(struct net *net)
{
	struct nftables_pernet *nft_net = nft_pernet(net);
	struct nft_trans *trans, *next;

	list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
		if (trans->msg_type == NFT_MSG_NEWRULE ||
		    trans->msg_type == NFT_MSG_DELRULE) {
			struct nft_chain *chain = nft_trans_rule_chain(trans);

			kvfree(chain->blob_next);
			chain->blob_next = NULL;
		}
	}
}

/* RCU callback: free an old rule blob through the trailer that points back
 * at it.
 */
static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
{
	struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);

	kvfree(l->blob);
}

/* Schedule RCU release of a superseded rule @blob. The struct
 * nft_rule_dp_last trailer sits just past blob->size and provides the
 * rcu_head, so no separate allocation is needed; datapath readers still
 * inside the old generation keep the blob alive until the grace period ends.
 */
static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
{
	struct nft_rule_dp_last *last;

	/* last rule trailer is after end marker */
	last = (void *)blob + sizeof(*blob) + blob->size;
	last->blob = blob;

	call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
}

/* Publish chain->blob_next in the slot of the next generation (blob_gen_0 or
 * blob_gen_1, chosen by nft_gencursor_next()) and RCU-free the blob it
 * replaces. Called with the commit mutex held, as the
 * rcu_dereference_protected() conditions assert.
 */
static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
{
	struct nft_rule_blob *g0, *g1;
	bool next_genbit;

	next_genbit = nft_gencursor_next(net);

	g0 = rcu_dereference_protected(chain->blob_gen_0,
				       lockdep_commit_lock_is_held(net));
	g1 = rcu_dereference_protected(chain->blob_gen_1,
				       lockdep_commit_lock_is_held(net));

	/* No changes to this chain?
*/ 10402 if (chain->blob_next == NULL) { 10403 /* chain had no change in last or next generation */ 10404 if (g0 == g1) 10405 return; 10406 /* 10407 * chain had no change in this generation; make sure next 10408 * one uses same rules as current generation. 10409 */ 10410 if (next_genbit) { 10411 rcu_assign_pointer(chain->blob_gen_1, g0); 10412 nf_tables_commit_chain_free_rules_old(g1); 10413 } else { 10414 rcu_assign_pointer(chain->blob_gen_0, g1); 10415 nf_tables_commit_chain_free_rules_old(g0); 10416 } 10417 10418 return; 10419 } 10420 10421 if (next_genbit) 10422 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next); 10423 else 10424 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next); 10425 10426 chain->blob_next = NULL; 10427 10428 if (g0 == g1) 10429 return; 10430 10431 if (next_genbit) 10432 nf_tables_commit_chain_free_rules_old(g1); 10433 else 10434 nf_tables_commit_chain_free_rules_old(g0); 10435 } 10436 10437 static void nft_obj_del(struct nft_object *obj) 10438 { 10439 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 10440 list_del_rcu(&obj->list); 10441 } 10442 10443 void nft_chain_del(struct nft_chain *chain) 10444 { 10445 struct nft_table *table = chain->table; 10446 10447 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 10448 nft_chain_ht_params)); 10449 list_del_rcu(&chain->list); 10450 } 10451 10452 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx, 10453 struct nft_trans_gc *trans) 10454 { 10455 struct nft_elem_priv **priv = trans->priv; 10456 unsigned int i; 10457 10458 for (i = 0; i < trans->count; i++) { 10459 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]); 10460 nft_setelem_remove(ctx->net, trans->set, priv[i]); 10461 } 10462 } 10463 10464 void nft_trans_gc_destroy(struct nft_trans_gc *trans) 10465 { 10466 nft_set_put(trans->set); 10467 put_net(trans->net); 10468 kfree(trans); 10469 } 10470 10471 static void nft_trans_gc_trans_free(struct rcu_head *rcu) 10472 { 10473 struct 
nft_elem_priv *elem_priv;
	struct nft_trans_gc *trans;
	struct nft_ctx ctx = {};
	unsigned int i;

	trans = container_of(rcu, struct nft_trans_gc, rcu);
	ctx.net = read_pnet(&trans->set->net);

	for (i = 0; i < trans->count; i++) {
		elem_priv = trans->priv[i];
		/* catch-all elements are not counted in set->nelems */
		if (!nft_setelem_is_catchall(trans->set, elem_priv))
			atomic_dec(&trans->set->nelems);

		nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv);
	}

	/* drops the set and netns references taken by nft_trans_gc_alloc() */
	nft_trans_gc_destroy(trans);
}

/* Worker-side validation of an asynchronous GC batch. Takes commit_mutex and
 * only proceeds when the batch's sequence still matches nft_net->gc_seq and
 * the set has not been marked dead; otherwise a transaction may already have
 * removed or freed these elements and the batch must be dropped untouched.
 *
 * Returns true if the elements were deactivated and removed from the set (the
 * caller may then hand them to RCU for freeing), false if the batch is stale.
 */
static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
{
	struct nftables_pernet *nft_net;
	struct nft_ctx ctx = {};

	nft_net = nft_pernet(trans->net);

	mutex_lock(&nft_net->commit_mutex);

	/* Check for race with transaction, otherwise this batch refers to
	 * stale objects that might not be there anymore. Skip transaction if
	 * set has been destroyed from control plane transaction in case gc
	 * worker loses race.
	 */
	if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
		mutex_unlock(&nft_net->commit_mutex);
		return false;
	}

	ctx.net = trans->net;
	ctx.table = trans->set->table;

	nft_trans_gc_setelem_remove(&ctx, trans);
	mutex_unlock(&nft_net->commit_mutex);

	return true;
}

/* Workqueue handler for asynchronous set element GC: detaches all queued
 * batches under nf_tables_gc_list_lock, removes the elements of each batch
 * that is still valid and hands them to RCU for freeing; stale batches are
 * destroyed without touching any element.
 */
static void nft_trans_gc_work(struct work_struct *work)
{
	struct nft_trans_gc *trans, *next;
	LIST_HEAD(trans_gc_list);

	spin_lock(&nf_tables_gc_list_lock);
	list_splice_init(&nf_tables_gc_list, &trans_gc_list);
	spin_unlock(&nf_tables_gc_list_lock);

	list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
		list_del(&trans->list);
		if (!nft_trans_gc_work_done(trans)) {
			nft_trans_gc_destroy(trans);
			continue;
		}
		call_rcu(&trans->rcu, nft_trans_gc_trans_free);
	}
}

/**
 * nft_trans_gc_alloc - allocate a GC batch for @set
 * @set: set whose expired elements will be collected
 * @gc_seq: GC sequence the batch is validated against when processed
 * @gfp: allocation flags
 *
 * Takes a reference on @set and on its netns; maybe_get_net() fails for a
 * netns that is being torn down. Both references are dropped by
 * nft_trans_gc_destroy().
 *
 * Return: the new batch, or NULL on allocation failure or a dying netns.
 */
struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
					unsigned int gc_seq, gfp_t gfp)
{
	struct net *net = read_pnet(&set->net);
	struct nft_trans_gc *trans;

	trans = kzalloc_obj(*trans, gfp);
	if (!trans)
		return NULL;

	trans->net = maybe_get_net(net);
	if (!trans->net) {
		kfree(trans);
		return NULL;
	}

	refcount_inc(&set->refs);
	trans->set = set;
	trans->seq = gc_seq;

	return trans;
}

/**
 * nft_trans_gc_elem_add - append an element to a GC batch
 * @trans: batch to append to
 * @priv: element private data
 *
 * No bounds check on priv[]: callers must have checked nft_trans_gc_space()
 * first (nft_trans_gc_queue_async() and nft_trans_gc_queue_sync() hand out a
 * fresh batch once the current one is full).
 */
void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
{
	trans->priv[trans->count++] = priv;
}

/* Queue a batch for the GC worker under the global gc list lock. */
static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
{
	spin_lock(&nf_tables_gc_list_lock);
	list_add_tail(&trans->list, &nf_tables_gc_list);
	spin_unlock(&nf_tables_gc_list_lock);

	schedule_work(&trans_gc_work);
}

/* Return @gc unchanged while it still has room; otherwise queue it to the
 * worker and allocate a fresh batch for the same set (NULL if that fails).
 */
struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
					      unsigned int gc_seq, gfp_t gfp)
{
10579 struct nft_set *set; 10580 10581 if (nft_trans_gc_space(gc)) 10582 return gc; 10583 10584 set = gc->set; 10585 nft_trans_gc_queue_work(gc); 10586 10587 return nft_trans_gc_alloc(set, gc_seq, gfp); 10588 } 10589 10590 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans) 10591 { 10592 if (trans->count == 0) { 10593 nft_trans_gc_destroy(trans); 10594 return; 10595 } 10596 10597 nft_trans_gc_queue_work(trans); 10598 } 10599 10600 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp) 10601 { 10602 struct nft_set *set; 10603 10604 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net))) 10605 return NULL; 10606 10607 if (nft_trans_gc_space(gc)) 10608 return gc; 10609 10610 set = gc->set; 10611 call_rcu(&gc->rcu, nft_trans_gc_trans_free); 10612 10613 return nft_trans_gc_alloc(set, 0, gfp); 10614 } 10615 10616 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans) 10617 { 10618 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net)); 10619 10620 if (trans->count == 0) { 10621 nft_trans_gc_destroy(trans); 10622 return; 10623 } 10624 10625 call_rcu(&trans->rcu, nft_trans_gc_trans_free); 10626 } 10627 10628 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc, 10629 unsigned int gc_seq) 10630 { 10631 struct nft_set_elem_catchall *catchall; 10632 const struct nft_set *set = gc->set; 10633 struct nft_set_ext *ext; 10634 10635 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 10636 ext = nft_set_elem_ext(set, catchall->elem); 10637 10638 if (!nft_set_elem_expired(ext)) 10639 continue; 10640 if (nft_set_elem_is_dead(ext)) 10641 goto dead_elem; 10642 10643 nft_set_elem_dead(ext); 10644 dead_elem: 10645 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC); 10646 if (!gc) 10647 return NULL; 10648 10649 nft_trans_gc_elem_add(gc, catchall->elem); 10650 } 10651 10652 return gc; 10653 } 10654 10655 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc) 10656 { 10657 struct 
nft_set_elem_catchall *catchall, *next; 10658 u64 tstamp = nft_net_tstamp(gc->net); 10659 const struct nft_set *set = gc->set; 10660 struct nft_elem_priv *elem_priv; 10661 struct nft_set_ext *ext; 10662 10663 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)); 10664 10665 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 10666 ext = nft_set_elem_ext(set, catchall->elem); 10667 10668 if (!__nft_set_elem_expired(ext, tstamp)) 10669 continue; 10670 10671 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL); 10672 if (!gc) 10673 return NULL; 10674 10675 elem_priv = catchall->elem; 10676 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv); 10677 nft_setelem_catchall_destroy(catchall); 10678 nft_trans_gc_elem_add(gc, elem_priv); 10679 } 10680 10681 return gc; 10682 } 10683 10684 static void nf_tables_module_autoload_cleanup(struct net *net) 10685 { 10686 struct nftables_pernet *nft_net = nft_pernet(net); 10687 struct nft_module_request *req, *next; 10688 10689 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 10690 list_for_each_entry_safe(req, next, &nft_net->module_list, list) { 10691 WARN_ON_ONCE(!req->done); 10692 list_del(&req->list); 10693 kfree(req); 10694 } 10695 } 10696 10697 static void nf_tables_commit_release(struct net *net) 10698 { 10699 struct nftables_pernet *nft_net = nft_pernet(net); 10700 struct nft_trans *trans; 10701 10702 /* all side effects have to be made visible. 10703 * For example, if a chain named 'foo' has been deleted, a 10704 * new transaction must not find it anymore. 10705 * 10706 * Memory reclaim happens asynchronously from work queue 10707 * to prevent expensive synchronize_rcu() in commit phase. 
10708 */ 10709 if (list_empty(&nft_net->commit_list)) { 10710 nf_tables_module_autoload_cleanup(net); 10711 mutex_unlock(&nft_net->commit_mutex); 10712 return; 10713 } 10714 10715 trans = list_last_entry(&nft_net->commit_list, 10716 struct nft_trans, list); 10717 get_net(trans->net); 10718 WARN_ON_ONCE(trans->put_net); 10719 10720 trans->put_net = true; 10721 spin_lock(&nf_tables_destroy_list_lock); 10722 list_splice_tail_init(&nft_net->commit_list, &nft_net->destroy_list); 10723 spin_unlock(&nf_tables_destroy_list_lock); 10724 10725 nf_tables_module_autoload_cleanup(net); 10726 schedule_work(&nft_net->destroy_work); 10727 10728 mutex_unlock(&nft_net->commit_mutex); 10729 } 10730 10731 static void nft_commit_notify(struct net *net, u32 portid) 10732 { 10733 struct nftables_pernet *nft_net = nft_pernet(net); 10734 struct sk_buff *batch_skb = NULL, *nskb, *skb; 10735 unsigned char *data; 10736 int len; 10737 10738 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) { 10739 if (!batch_skb) { 10740 new_batch: 10741 batch_skb = skb; 10742 len = NLMSG_GOODSIZE - skb->len; 10743 list_del(&skb->list); 10744 continue; 10745 } 10746 len -= skb->len; 10747 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) { 10748 data = skb_put(batch_skb, skb->len); 10749 memcpy(data, skb->data, skb->len); 10750 list_del(&skb->list); 10751 kfree_skb(skb); 10752 continue; 10753 } 10754 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 10755 NFT_CB(batch_skb).report, GFP_KERNEL); 10756 goto new_batch; 10757 } 10758 10759 if (batch_skb) { 10760 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 10761 NFT_CB(batch_skb).report, GFP_KERNEL); 10762 } 10763 10764 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 10765 } 10766 10767 static int nf_tables_commit_audit_alloc(struct list_head *adl, 10768 struct nft_table *table) 10769 { 10770 struct nft_audit_data *adp; 10771 10772 list_for_each_entry(adp, adl, list) { 10773 if (adp->table == table) 10774 return 0; 
10775 } 10776 adp = kzalloc_obj(*adp); 10777 if (!adp) 10778 return -ENOMEM; 10779 adp->table = table; 10780 list_add(&adp->list, adl); 10781 return 0; 10782 } 10783 10784 static void nf_tables_commit_audit_free(struct list_head *adl) 10785 { 10786 struct nft_audit_data *adp, *adn; 10787 10788 list_for_each_entry_safe(adp, adn, adl, list) { 10789 list_del(&adp->list); 10790 kfree(adp); 10791 } 10792 } 10793 10794 /* nft audit emits the number of elements that get added/removed/updated, 10795 * so NEW/DELSETELEM needs to increment based on the total elem count. 10796 */ 10797 static unsigned int nf_tables_commit_audit_entrycount(const struct nft_trans *trans) 10798 { 10799 switch (trans->msg_type) { 10800 case NFT_MSG_NEWSETELEM: 10801 case NFT_MSG_DELSETELEM: 10802 return nft_trans_container_elem(trans)->nelems; 10803 } 10804 10805 return 1; 10806 } 10807 10808 static void nf_tables_commit_audit_collect(struct list_head *adl, 10809 const struct nft_trans *trans, u32 op) 10810 { 10811 const struct nft_table *table = trans->table; 10812 struct nft_audit_data *adp; 10813 10814 list_for_each_entry(adp, adl, list) { 10815 if (adp->table == table) 10816 goto found; 10817 } 10818 WARN_ONCE(1, "table=%s not expected in commit list", table->name); 10819 return; 10820 found: 10821 adp->entries += nf_tables_commit_audit_entrycount(trans); 10822 if (!adp->op || adp->op > op) 10823 adp->op = op; 10824 } 10825 10826 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) 10827 10828 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) 10829 { 10830 struct nft_audit_data *adp, *adn; 10831 char aubuf[AUNFTABLENAMELEN]; 10832 10833 list_for_each_entry_safe(adp, adn, adl, list) { 10834 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, 10835 generation); 10836 audit_log_nfcfg(aubuf, adp->table->family, adp->entries, 10837 nft2audit_op[adp->op], GFP_KERNEL); 10838 list_del(&adp->list); 10839 kfree(adp); 10840 } 10841 } 10842 10843 static void 
nft_set_commit_update(struct list_head *set_update_list) 10844 { 10845 struct nft_set *set, *next; 10846 10847 list_for_each_entry_safe(set, next, set_update_list, pending_update) { 10848 list_del_init(&set->pending_update); 10849 10850 if (!set->ops->commit || set->dead) 10851 continue; 10852 10853 set->ops->commit(set); 10854 } 10855 } 10856 10857 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net) 10858 { 10859 unsigned int gc_seq; 10860 10861 /* Bump gc counter, it becomes odd, this is the busy mark. */ 10862 gc_seq = READ_ONCE(nft_net->gc_seq); 10863 WRITE_ONCE(nft_net->gc_seq, ++gc_seq); 10864 10865 return gc_seq; 10866 } 10867 10868 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq) 10869 { 10870 WRITE_ONCE(nft_net->gc_seq, ++gc_seq); 10871 } 10872 10873 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 10874 { 10875 struct nftables_pernet *nft_net = nft_pernet(net); 10876 const struct nlmsghdr *nlh = nlmsg_hdr(skb); 10877 struct nft_trans_binding *trans_binding; 10878 struct nft_trans *trans, *next; 10879 unsigned int base_seq, gc_seq; 10880 LIST_HEAD(set_update_list); 10881 struct nft_trans_elem *te; 10882 struct nft_chain *chain; 10883 struct nft_table *table; 10884 struct nft_ctx ctx; 10885 LIST_HEAD(adl); 10886 int err; 10887 10888 if (list_empty(&nft_net->commit_list)) { 10889 mutex_unlock(&nft_net->commit_mutex); 10890 return 0; 10891 } 10892 10893 nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL); 10894 10895 list_for_each_entry(trans_binding, &nft_net->binding_list, binding_list) { 10896 trans = &trans_binding->nft_trans; 10897 switch (trans->msg_type) { 10898 case NFT_MSG_NEWSET: 10899 if (!nft_trans_set_update(trans) && 10900 nft_set_is_anonymous(nft_trans_set(trans)) && 10901 !nft_trans_set_bound(trans)) { 10902 pr_warn_once("nftables ruleset with unbound set\n"); 10903 return -EINVAL; 10904 } 10905 break; 10906 case NFT_MSG_NEWCHAIN: 10907 if 
(!nft_trans_chain_update(trans) && 10908 nft_chain_binding(nft_trans_chain(trans)) && 10909 !nft_trans_chain_bound(trans)) { 10910 pr_warn_once("nftables ruleset with unbound chain\n"); 10911 return -EINVAL; 10912 } 10913 break; 10914 default: 10915 WARN_ONCE(1, "Unhandled bind type %d", trans->msg_type); 10916 break; 10917 } 10918 } 10919 10920 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 10921 if (nf_tables_validate(net) < 0) { 10922 nft_net->validate_state = NFT_VALIDATE_DO; 10923 return -EAGAIN; 10924 } 10925 10926 err = nft_flow_rule_offload_commit(net); 10927 if (err < 0) 10928 return err; 10929 10930 /* 1. Allocate space for next generation rules_gen_X[] */ 10931 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 10932 struct nft_table *table = trans->table; 10933 int ret; 10934 10935 ret = nf_tables_commit_audit_alloc(&adl, table); 10936 if (ret) { 10937 nf_tables_commit_chain_prepare_cancel(net); 10938 nf_tables_commit_audit_free(&adl); 10939 return ret; 10940 } 10941 if (trans->msg_type == NFT_MSG_NEWRULE || 10942 trans->msg_type == NFT_MSG_DELRULE) { 10943 chain = nft_trans_rule_chain(trans); 10944 10945 ret = nf_tables_commit_chain_prepare(net, chain); 10946 if (ret < 0) { 10947 nf_tables_commit_chain_prepare_cancel(net); 10948 nf_tables_commit_audit_free(&adl); 10949 return ret; 10950 } 10951 } 10952 } 10953 10954 /* step 2. Make rules_gen_X visible to packet path */ 10955 list_for_each_entry(table, &nft_net->tables, list) { 10956 list_for_each_entry(chain, &table->chains, list) 10957 nf_tables_commit_chain(net, chain); 10958 } 10959 10960 /* 10961 * Bump generation counter, invalidate any dump in progress. 10962 * Cannot fail after this point. 
10963 */ 10964 base_seq = nft_base_seq(net); 10965 while (++base_seq == 0) 10966 ; 10967 10968 /* pairs with smp_load_acquire in nft_lookup_eval */ 10969 smp_store_release(&net->nft.base_seq, base_seq); 10970 10971 gc_seq = nft_gc_seq_begin(nft_net); 10972 10973 /* step 3. Start new generation, rules_gen_X now in use. */ 10974 net->nft.gencursor = nft_gencursor_next(net); 10975 10976 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 10977 struct nft_table *table = trans->table; 10978 10979 nft_ctx_update(&ctx, trans); 10980 10981 nf_tables_commit_audit_collect(&adl, trans, trans->msg_type); 10982 switch (trans->msg_type) { 10983 case NFT_MSG_NEWTABLE: 10984 if (nft_trans_table_update(trans)) { 10985 if (!(table->flags & __NFT_TABLE_F_UPDATE)) { 10986 nft_trans_destroy(trans); 10987 break; 10988 } 10989 if (table->flags & NFT_TABLE_F_DORMANT) 10990 nf_tables_table_disable(net, table); 10991 10992 table->flags &= ~__NFT_TABLE_F_UPDATE; 10993 } else { 10994 nft_clear(net, table); 10995 } 10996 nf_tables_table_notify(&ctx, NFT_MSG_NEWTABLE); 10997 nft_trans_destroy(trans); 10998 break; 10999 case NFT_MSG_DELTABLE: 11000 case NFT_MSG_DESTROYTABLE: 11001 list_del_rcu(&table->list); 11002 nf_tables_table_notify(&ctx, trans->msg_type); 11003 break; 11004 case NFT_MSG_NEWCHAIN: 11005 if (nft_trans_chain_update(trans)) { 11006 nft_chain_commit_update(nft_trans_container_chain(trans)); 11007 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, 11008 &nft_trans_chain_hooks(trans), NULL); 11009 list_splice_rcu(&nft_trans_chain_hooks(trans), 11010 &nft_trans_basechain(trans)->hook_list); 11011 /* trans destroyed after rcu grace period */ 11012 } else { 11013 nft_chain_commit_drop_policy(nft_trans_container_chain(trans)); 11014 nft_clear(net, nft_trans_chain(trans)); 11015 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL, NULL); 11016 nft_trans_destroy(trans); 11017 } 11018 break; 11019 case NFT_MSG_DELCHAIN: 11020 case NFT_MSG_DESTROYCHAIN: 11021 if 
(nft_trans_chain_update(trans)) { 11022 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN, NULL, 11023 &nft_trans_chain_hooks(trans)); 11024 nft_netdev_unregister_trans_hook(net, table, 11025 &nft_trans_chain_hooks(trans)); 11026 } else { 11027 nft_chain_del(nft_trans_chain(trans)); 11028 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN, 11029 NULL, NULL); 11030 nf_tables_unregister_hook(ctx.net, ctx.table, 11031 nft_trans_chain(trans)); 11032 } 11033 break; 11034 case NFT_MSG_NEWRULE: 11035 nft_clear(net, nft_trans_rule(trans)); 11036 nf_tables_rule_notify(&ctx, nft_trans_rule(trans), 11037 NFT_MSG_NEWRULE); 11038 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 11039 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 11040 11041 nft_trans_destroy(trans); 11042 break; 11043 case NFT_MSG_DELRULE: 11044 case NFT_MSG_DESTROYRULE: 11045 list_del_rcu(&nft_trans_rule(trans)->list); 11046 nf_tables_rule_notify(&ctx, nft_trans_rule(trans), 11047 trans->msg_type); 11048 nft_rule_expr_deactivate(&ctx, nft_trans_rule(trans), 11049 NFT_TRANS_COMMIT); 11050 11051 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 11052 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 11053 break; 11054 case NFT_MSG_NEWSET: 11055 list_del(&nft_trans_container_set(trans)->list_trans_newset); 11056 if (nft_trans_set_update(trans)) { 11057 struct nft_set *set = nft_trans_set(trans); 11058 11059 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans)); 11060 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans)); 11061 11062 if (nft_trans_set_size(trans)) 11063 WRITE_ONCE(set->size, nft_trans_set_size(trans)); 11064 } else { 11065 nft_clear(net, nft_trans_set(trans)); 11066 /* This avoids hitting -EBUSY when deleting the table 11067 * from the transaction. 
11068 */ 11069 if (nft_set_is_anonymous(nft_trans_set(trans)) && 11070 !list_empty(&nft_trans_set(trans)->bindings)) 11071 nft_use_dec(&table->use); 11072 } 11073 nf_tables_set_notify(&ctx, nft_trans_set(trans), 11074 NFT_MSG_NEWSET, GFP_KERNEL); 11075 nft_trans_destroy(trans); 11076 break; 11077 case NFT_MSG_DELSET: 11078 case NFT_MSG_DESTROYSET: 11079 nft_trans_set(trans)->dead = 1; 11080 list_del_rcu(&nft_trans_set(trans)->list); 11081 nf_tables_set_notify(&ctx, nft_trans_set(trans), 11082 trans->msg_type, GFP_KERNEL); 11083 break; 11084 case NFT_MSG_NEWSETELEM: 11085 te = nft_trans_container_elem(trans); 11086 11087 nft_trans_elems_add(&ctx, te); 11088 11089 if (te->set->ops->commit && 11090 list_empty(&te->set->pending_update)) { 11091 list_add_tail(&te->set->pending_update, 11092 &set_update_list); 11093 } 11094 nft_trans_destroy(trans); 11095 break; 11096 case NFT_MSG_DELSETELEM: 11097 case NFT_MSG_DESTROYSETELEM: 11098 te = nft_trans_container_elem(trans); 11099 11100 nft_trans_elems_remove(&ctx, te); 11101 11102 if (te->set->ops->commit && 11103 list_empty(&te->set->pending_update)) { 11104 list_add_tail(&te->set->pending_update, 11105 &set_update_list); 11106 } 11107 break; 11108 case NFT_MSG_NEWOBJ: 11109 if (nft_trans_obj_update(trans)) { 11110 nft_obj_commit_update(&ctx, trans); 11111 nf_tables_obj_notify(&ctx, 11112 nft_trans_obj(trans), 11113 NFT_MSG_NEWOBJ); 11114 } else { 11115 nft_clear(net, nft_trans_obj(trans)); 11116 nf_tables_obj_notify(&ctx, 11117 nft_trans_obj(trans), 11118 NFT_MSG_NEWOBJ); 11119 nft_trans_destroy(trans); 11120 } 11121 break; 11122 case NFT_MSG_DELOBJ: 11123 case NFT_MSG_DESTROYOBJ: 11124 nft_obj_del(nft_trans_obj(trans)); 11125 nf_tables_obj_notify(&ctx, nft_trans_obj(trans), 11126 trans->msg_type); 11127 break; 11128 case NFT_MSG_NEWFLOWTABLE: 11129 if (nft_trans_flowtable_update(trans)) { 11130 nft_trans_flowtable(trans)->data.flags = 11131 nft_trans_flowtable_flags(trans); 11132 nf_tables_flowtable_notify(&ctx, 11133 
nft_trans_flowtable(trans), 11134 &nft_trans_flowtable_hooks(trans), 11135 NULL, 11136 NFT_MSG_NEWFLOWTABLE); 11137 list_splice_rcu(&nft_trans_flowtable_hooks(trans), 11138 &nft_trans_flowtable(trans)->hook_list); 11139 } else { 11140 nft_clear(net, nft_trans_flowtable(trans)); 11141 nf_tables_flowtable_notify(&ctx, 11142 nft_trans_flowtable(trans), 11143 NULL, 11144 NULL, 11145 NFT_MSG_NEWFLOWTABLE); 11146 } 11147 nft_trans_destroy(trans); 11148 break; 11149 case NFT_MSG_DELFLOWTABLE: 11150 case NFT_MSG_DESTROYFLOWTABLE: 11151 if (nft_trans_flowtable_update(trans)) { 11152 nf_tables_flowtable_notify(&ctx, 11153 nft_trans_flowtable(trans), 11154 NULL, 11155 &nft_trans_flowtable_hooks(trans), 11156 trans->msg_type); 11157 nft_flowtable_unregister_trans_hook(net, 11158 nft_trans_flowtable(trans), 11159 &nft_trans_flowtable_hooks(trans)); 11160 } else { 11161 list_del_rcu(&nft_trans_flowtable(trans)->list); 11162 nf_tables_flowtable_notify(&ctx, 11163 nft_trans_flowtable(trans), 11164 NULL, 11165 NULL, 11166 trans->msg_type); 11167 nft_unregister_flowtable_net_hooks(net, 11168 nft_trans_flowtable(trans), 11169 &nft_trans_flowtable(trans)->hook_list); 11170 } 11171 break; 11172 } 11173 } 11174 11175 nft_set_commit_update(&set_update_list); 11176 11177 nft_commit_notify(net, NETLINK_CB(skb).portid); 11178 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 11179 nf_tables_commit_audit_log(&adl, nft_base_seq(net)); 11180 11181 nft_gc_seq_end(nft_net, gc_seq); 11182 nft_net->validate_state = NFT_VALIDATE_SKIP; 11183 nf_tables_commit_release(net); 11184 11185 return 0; 11186 } 11187 11188 static void nf_tables_module_autoload(struct net *net) 11189 { 11190 struct nftables_pernet *nft_net = nft_pernet(net); 11191 struct nft_module_request *req, *next; 11192 LIST_HEAD(module_list); 11193 11194 list_splice_init(&nft_net->module_list, &module_list); 11195 mutex_unlock(&nft_net->commit_mutex); 11196 list_for_each_entry_safe(req, next, &module_list, list) { 11197 
request_module("%s", req->module); 11198 req->done = true; 11199 } 11200 mutex_lock(&nft_net->commit_mutex); 11201 list_splice(&module_list, &nft_net->module_list); 11202 } 11203 11204 static void nf_tables_abort_release(struct nft_trans *trans) 11205 { 11206 struct nft_ctx ctx = { }; 11207 11208 nft_ctx_update(&ctx, trans); 11209 11210 switch (trans->msg_type) { 11211 case NFT_MSG_NEWTABLE: 11212 nf_tables_table_destroy(trans->table); 11213 break; 11214 case NFT_MSG_NEWCHAIN: 11215 if (nft_trans_chain_update(trans)) 11216 nft_hooks_destroy(&nft_trans_chain_hooks(trans)); 11217 else 11218 nf_tables_chain_destroy(nft_trans_chain(trans)); 11219 break; 11220 case NFT_MSG_NEWRULE: 11221 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans)); 11222 break; 11223 case NFT_MSG_NEWSET: 11224 nft_set_destroy(&ctx, nft_trans_set(trans)); 11225 break; 11226 case NFT_MSG_NEWSETELEM: 11227 nft_trans_set_elem_destroy(&ctx, nft_trans_container_elem(trans)); 11228 break; 11229 case NFT_MSG_NEWOBJ: 11230 nft_obj_destroy(&ctx, nft_trans_obj(trans)); 11231 break; 11232 case NFT_MSG_NEWFLOWTABLE: 11233 if (nft_trans_flowtable_update(trans)) 11234 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 11235 else 11236 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 11237 break; 11238 } 11239 kfree(trans); 11240 } 11241 11242 static void nft_set_abort_update(struct list_head *set_update_list) 11243 { 11244 struct nft_set *set, *next; 11245 11246 list_for_each_entry_safe(set, next, set_update_list, pending_update) { 11247 list_del_init(&set->pending_update); 11248 11249 if (!set->ops->abort) 11250 continue; 11251 11252 set->ops->abort(set); 11253 } 11254 } 11255 11256 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) 11257 { 11258 struct nftables_pernet *nft_net = nft_pernet(net); 11259 struct nft_trans *trans, *next; 11260 LIST_HEAD(set_update_list); 11261 struct nft_trans_elem *te; 11262 struct nft_ctx ctx = { 11263 .net = net, 11264 }; 11265 int err = 0; 
11266 11267 if (action == NFNL_ABORT_VALIDATE && 11268 nf_tables_validate(net) < 0) 11269 err = -EAGAIN; 11270 11271 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, 11272 list) { 11273 struct nft_table *table = trans->table; 11274 11275 nft_ctx_update(&ctx, trans); 11276 11277 switch (trans->msg_type) { 11278 case NFT_MSG_NEWTABLE: 11279 if (nft_trans_table_update(trans)) { 11280 if (!(table->flags & __NFT_TABLE_F_UPDATE)) { 11281 nft_trans_destroy(trans); 11282 break; 11283 } 11284 if (table->flags & __NFT_TABLE_F_WAS_DORMANT) { 11285 nf_tables_table_disable(net, table); 11286 table->flags |= NFT_TABLE_F_DORMANT; 11287 } else if (table->flags & __NFT_TABLE_F_WAS_AWAKEN) { 11288 table->flags &= ~NFT_TABLE_F_DORMANT; 11289 } 11290 if (table->flags & __NFT_TABLE_F_WAS_ORPHAN) { 11291 table->flags &= ~NFT_TABLE_F_OWNER; 11292 table->nlpid = 0; 11293 } 11294 table->flags &= ~__NFT_TABLE_F_UPDATE; 11295 nft_trans_destroy(trans); 11296 } else { 11297 list_del_rcu(&table->list); 11298 } 11299 break; 11300 case NFT_MSG_DELTABLE: 11301 case NFT_MSG_DESTROYTABLE: 11302 nft_clear(trans->net, table); 11303 nft_trans_destroy(trans); 11304 break; 11305 case NFT_MSG_NEWCHAIN: 11306 if (nft_trans_chain_update(trans)) { 11307 nft_netdev_unregister_hooks(net, table, 11308 &nft_trans_chain_hooks(trans), 11309 true); 11310 free_percpu(nft_trans_chain_stats(trans)); 11311 kfree(nft_trans_chain_name(trans)); 11312 nft_trans_destroy(trans); 11313 } else { 11314 if (nft_trans_chain_bound(trans)) { 11315 nft_trans_destroy(trans); 11316 break; 11317 } 11318 nft_use_dec_restore(&table->use); 11319 nft_chain_del(nft_trans_chain(trans)); 11320 nf_tables_unregister_hook(trans->net, table, 11321 nft_trans_chain(trans)); 11322 } 11323 break; 11324 case NFT_MSG_DELCHAIN: 11325 case NFT_MSG_DESTROYCHAIN: 11326 if (nft_trans_chain_update(trans)) { 11327 nft_trans_delhook_abort(&nft_trans_chain_hooks(trans)); 11328 } else { 11329 nft_use_inc_restore(&table->use); 11330 
nft_clear(trans->net, nft_trans_chain(trans)); 11331 } 11332 nft_trans_destroy(trans); 11333 break; 11334 case NFT_MSG_NEWRULE: 11335 if (nft_trans_rule_bound(trans)) { 11336 nft_trans_destroy(trans); 11337 break; 11338 } 11339 nft_use_dec_restore(&nft_trans_rule_chain(trans)->use); 11340 list_del_rcu(&nft_trans_rule(trans)->list); 11341 nft_rule_expr_deactivate(&ctx, 11342 nft_trans_rule(trans), 11343 NFT_TRANS_ABORT); 11344 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 11345 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 11346 break; 11347 case NFT_MSG_DELRULE: 11348 case NFT_MSG_DESTROYRULE: 11349 nft_use_inc_restore(&nft_trans_rule_chain(trans)->use); 11350 nft_clear(trans->net, nft_trans_rule(trans)); 11351 nft_rule_expr_activate(&ctx, nft_trans_rule(trans)); 11352 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) 11353 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 11354 11355 nft_trans_destroy(trans); 11356 break; 11357 case NFT_MSG_NEWSET: 11358 list_del(&nft_trans_container_set(trans)->list_trans_newset); 11359 if (nft_trans_set_update(trans)) { 11360 nft_trans_destroy(trans); 11361 break; 11362 } 11363 nft_use_dec_restore(&table->use); 11364 if (nft_trans_set_bound(trans)) { 11365 nft_trans_destroy(trans); 11366 break; 11367 } 11368 nft_trans_set(trans)->dead = 1; 11369 list_del_rcu(&nft_trans_set(trans)->list); 11370 break; 11371 case NFT_MSG_DELSET: 11372 case NFT_MSG_DESTROYSET: 11373 nft_use_inc_restore(&table->use); 11374 nft_clear(trans->net, nft_trans_set(trans)); 11375 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 11376 nft_map_activate(&ctx, nft_trans_set(trans)); 11377 11378 nft_trans_destroy(trans); 11379 break; 11380 case NFT_MSG_NEWSETELEM: 11381 if (nft_trans_elem_set_bound(trans)) { 11382 nft_trans_destroy(trans); 11383 break; 11384 } 11385 te = nft_trans_container_elem(trans); 11386 if (!nft_trans_elems_new_abort(&ctx, te)) { 11387 nft_trans_destroy(trans); 11388 break; 11389 } 
11390 11391 if (te->set->ops->abort && 11392 list_empty(&te->set->pending_update)) { 11393 list_add_tail(&te->set->pending_update, 11394 &set_update_list); 11395 } 11396 break; 11397 case NFT_MSG_DELSETELEM: 11398 case NFT_MSG_DESTROYSETELEM: 11399 te = nft_trans_container_elem(trans); 11400 11401 nft_trans_elems_destroy_abort(&ctx, te); 11402 11403 if (te->set->ops->abort && 11404 list_empty(&te->set->pending_update)) { 11405 list_add_tail(&te->set->pending_update, 11406 &set_update_list); 11407 } 11408 nft_trans_destroy(trans); 11409 break; 11410 case NFT_MSG_NEWOBJ: 11411 if (nft_trans_obj_update(trans)) { 11412 nft_obj_destroy(&ctx, nft_trans_obj_newobj(trans)); 11413 nft_trans_destroy(trans); 11414 } else { 11415 nft_use_dec_restore(&table->use); 11416 nft_obj_del(nft_trans_obj(trans)); 11417 } 11418 break; 11419 case NFT_MSG_DELOBJ: 11420 case NFT_MSG_DESTROYOBJ: 11421 nft_use_inc_restore(&table->use); 11422 nft_clear(trans->net, nft_trans_obj(trans)); 11423 nft_trans_destroy(trans); 11424 break; 11425 case NFT_MSG_NEWFLOWTABLE: 11426 if (nft_trans_flowtable_update(trans)) { 11427 nft_unregister_flowtable_net_hooks(net, 11428 nft_trans_flowtable(trans), 11429 &nft_trans_flowtable_hooks(trans)); 11430 } else { 11431 nft_use_dec_restore(&table->use); 11432 list_del_rcu(&nft_trans_flowtable(trans)->list); 11433 nft_unregister_flowtable_net_hooks(net, 11434 nft_trans_flowtable(trans), 11435 &nft_trans_flowtable(trans)->hook_list); 11436 } 11437 break; 11438 case NFT_MSG_DELFLOWTABLE: 11439 case NFT_MSG_DESTROYFLOWTABLE: 11440 if (nft_trans_flowtable_update(trans)) { 11441 nft_trans_delhook_abort(&nft_trans_flowtable_hooks(trans)); 11442 } else { 11443 nft_use_inc_restore(&table->use); 11444 nft_clear(trans->net, nft_trans_flowtable(trans)); 11445 } 11446 nft_trans_destroy(trans); 11447 break; 11448 } 11449 } 11450 11451 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list)); 11452 11453 nft_set_abort_update(&set_update_list); 11454 11455 synchronize_rcu(); 11456 
11457 list_for_each_entry_safe_reverse(trans, next, 11458 &nft_net->commit_list, list) { 11459 nft_trans_list_del(trans); 11460 nf_tables_abort_release(trans); 11461 } 11462 11463 return err; 11464 } 11465 11466 static int nf_tables_abort(struct net *net, struct sk_buff *skb, 11467 enum nfnl_abort_action action) 11468 { 11469 struct nftables_pernet *nft_net = nft_pernet(net); 11470 unsigned int gc_seq; 11471 int ret; 11472 11473 gc_seq = nft_gc_seq_begin(nft_net); 11474 ret = __nf_tables_abort(net, action); 11475 nft_gc_seq_end(nft_net, gc_seq); 11476 11477 if (action == NFNL_ABORT_NONE) { 11478 struct nft_table *table; 11479 11480 list_for_each_entry(table, &nft_net->tables, list) 11481 table->validate_state = NFT_VALIDATE_SKIP; 11482 } 11483 11484 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 11485 11486 /* module autoload needs to happen after GC sequence update because it 11487 * temporarily releases and grabs mutex again. 11488 */ 11489 if (action == NFNL_ABORT_AUTOLOAD) 11490 nf_tables_module_autoload(net); 11491 else 11492 nf_tables_module_autoload_cleanup(net); 11493 11494 mutex_unlock(&nft_net->commit_mutex); 11495 11496 return ret; 11497 } 11498 11499 static bool nf_tables_valid_genid(struct net *net, u32 genid) 11500 { 11501 struct nftables_pernet *nft_net = nft_pernet(net); 11502 bool genid_ok; 11503 11504 mutex_lock(&nft_net->commit_mutex); 11505 nft_net->tstamp = get_jiffies_64(); 11506 11507 genid_ok = genid == 0 || nft_base_seq(net) == genid; 11508 if (!genid_ok) 11509 mutex_unlock(&nft_net->commit_mutex); 11510 11511 /* else, commit mutex has to be released by commit or abort function */ 11512 return genid_ok; 11513 } 11514 11515 static const struct nfnetlink_subsystem nf_tables_subsys = { 11516 .name = "nf_tables", 11517 .subsys_id = NFNL_SUBSYS_NFTABLES, 11518 .cb_count = NFT_MSG_MAX, 11519 .cb = nf_tables_cb, 11520 .commit = nf_tables_commit, 11521 .abort = nf_tables_abort, 11522 .valid_genid = nf_tables_valid_genid, 11523 .owner = 
THIS_MODULE, 11524 }; 11525 11526 int nft_chain_validate_dependency(const struct nft_chain *chain, 11527 enum nft_chain_types type) 11528 { 11529 const struct nft_base_chain *basechain; 11530 11531 if (nft_is_base_chain(chain)) { 11532 basechain = nft_base_chain(chain); 11533 if (basechain->type->type != type) 11534 return -EOPNOTSUPP; 11535 } 11536 return 0; 11537 } 11538 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 11539 11540 int nft_chain_validate_hooks(const struct nft_chain *chain, 11541 unsigned int hook_flags) 11542 { 11543 struct nft_base_chain *basechain; 11544 11545 if (nft_is_base_chain(chain)) { 11546 basechain = nft_base_chain(chain); 11547 11548 if ((1 << basechain->ops.hooknum) & hook_flags) 11549 return 0; 11550 11551 return -EOPNOTSUPP; 11552 } 11553 11554 return 0; 11555 } 11556 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 11557 11558 /** 11559 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 11560 * 11561 * @attr: netlink attribute to fetch value from 11562 * @max: maximum value to be stored in dest 11563 * @dest: pointer to the variable 11564 * 11565 * Parse, check and store a given u32 netlink attribute into variable. 11566 * This function returns -ERANGE if the value goes over maximum value. 11567 * Otherwise a 0 is returned and the attribute value is stored in the 11568 * destination variable. 
*/
int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
{
	u32 val;

	val = ntohl(nla_get_be32(attr));
	/* val is u32 while max is int: the comparison promotes max to
	 * unsigned, so a negative bound would never trigger -ERANGE. The
	 * visible callers of the register helpers pass non-negative bounds;
	 * other callers are outside this view.
	 */
	if (val > max)
		return -ERANGE;

	*dest = val;
	return 0;
}
EXPORT_SYMBOL_GPL(nft_parse_u32_check);

/* Translate the userspace register number carried in @attr into the
 * internal 32-bit register index stored in @preg.
 *
 * NFT_REG_VERDICT..NFT_REG_4 (the wide, 128-bit numbering) are scaled by
 * NFT_REG_SIZE / NFT_REG32_SIZE; NFT_REG32_00..NFT_REG32_15 are re-based so
 * that both numberings land in the same index space. Anything outside those
 * two ranges is rejected with -ERANGE, so an attacker-controlled attribute
 * cannot produce an index the later bounds checks do not expect.
 */
static int nft_parse_register(const struct nlattr *attr, u32 *preg)
{
	unsigned int reg;

	reg = ntohl(nla_get_be32(attr));
	switch (reg) {
	case NFT_REG_VERDICT...NFT_REG_4:
		*preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
		break;
	case NFT_REG32_00...NFT_REG32_15:
		*preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
		break;
	default:
		return -ERANGE;
	}

	return 0;
}

/**
 * nft_dump_register - dump a register value to a netlink attribute
 *
 * @skb: socket buffer
 * @attr: attribute number
 * @reg: register number
 *
 * Construct a netlink attribute containing the register number. For
 * compatibility reasons, register numbers being a multiple of 4 are
 * translated to the corresponding 128 bit register numbers.
 *
 * This is the inverse of the mapping done by nft_parse_register().
 */
int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
{
	if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
		reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
	else
		reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;

	return nla_put_be32(skb, attr, htonl(reg));
}
EXPORT_SYMBOL_GPL(nft_dump_register);

/* Check that a load of @len bytes starting at 32-bit register @reg stays
 * inside struct nft_regs.data.
 *
 * Returns -EINVAL for the verdict register (loads must start at NFT_REG_1)
 * and for a zero-length load, -ERANGE if the byte range would run past the
 * end of the register file, 0 otherwise.
 */
static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
{
	if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
		return -EINVAL;
	if (len == 0)
		return -EINVAL;
	if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
		return -ERANGE;

	return 0;
}

/**
 * nft_parse_register_load - parse and validate a source register attribute
 *
 * @ctx: expression context; ctx->reg_inited tracks registers stored earlier
 * @attr: netlink attribute carrying the register number
 * @sreg: where the validated 32-bit register index is written
 * @len: number of bytes the expression will read from the register
 *
 * Besides the range check done by nft_validate_register_load(), this rejects
 * (-ENODATA) any load whose range covers a register that has not seen a
 * prior store in this context, so an expression cannot read register memory
 * that nothing in the rule has written.
 */
int nft_parse_register_load(const struct nft_ctx *ctx,
			    const struct nlattr *attr, u8 *sreg, u32 len)
{
	int err, invalid_reg;
	u32 reg, next_register;

	err = nft_parse_register(attr, &reg);
	if (err < 0)
		return err;

	err = nft_validate_register_load(reg, len);
	if (err < 0)
		return err;

	/* one past the last 32-bit register the load touches */
	next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg;

	/* Can't happen: nft_validate_register_load() should have failed */
	if (unlikely(next_register > NFT_REG32_NUM)) {
		DEBUG_NET_WARN_ON_ONCE(1);
		return -EINVAL;
	}

	/* find first register that did not see an earlier store. */
	invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg);

	/* invalid register within the range that we're loading from?
	 */
	if (invalid_reg < next_register)
		return -ENODATA;

	*sreg = reg;
	return 0;
}
EXPORT_SYMBOL_GPL(nft_parse_register_load);

/* Record in ctx->reg_inited that registers @reg .. @reg + len/NFT_REG32_SIZE
 * have been written, so later nft_parse_register_load() calls accept them.
 *
 * The context arrives as const to match the parse API; the cast drops the
 * qualifier because reg_inited is deliberately mutated here. A zero length
 * or negative register is a caller bug and only warns.
 */
static void nft_saw_register_store(const struct nft_ctx *__ctx,
				   int reg, unsigned int len)
{
	unsigned int registers = DIV_ROUND_UP(len, NFT_REG32_SIZE);
	struct nft_ctx *ctx = (struct nft_ctx *)__ctx;

	if (WARN_ON_ONCE(len == 0 || reg < 0))
		return;

	bitmap_set(ctx->reg_inited, reg, registers);
}

/* Validate a store of @len bytes of @type into register @reg.
 *
 * The verdict register only accepts NFT_DATA_VERDICT. Every other register
 * only accepts NFT_DATA_VALUE and must satisfy the same start/length/bounds
 * checks as a load. On success the store is recorded via
 * nft_saw_register_store(). @data is not inspected in this function.
 */
static int nft_validate_register_store(const struct nft_ctx *ctx,
				       enum nft_registers reg,
				       const struct nft_data *data,
				       enum nft_data_types type,
				       unsigned int len)
{
	switch (reg) {
	case NFT_REG_VERDICT:
		if (type != NFT_DATA_VERDICT)
			return -EINVAL;
		break;
	default:
		if (type != NFT_DATA_VALUE)
			return -EINVAL;

		if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
			return -EINVAL;
		if (len == 0)
			return -EINVAL;
		if (reg * NFT_REG32_SIZE + len >
		    sizeof_field(struct nft_regs, data))
			return -ERANGE;

		break;
	}

	nft_saw_register_store(ctx, reg, len);
	return 0;
}

/**
 * nft_parse_register_store - parse and validate a destination register
 *
 * @ctx: expression context
 * @attr: netlink attribute carrying the register number
 * @dreg: where the validated 32-bit register index is written
 * @data: data that will be stored (passed through to validation)
 * @type: NFT_DATA_VALUE or NFT_DATA_VERDICT
 * @len: number of bytes the expression will write
 *
 * Returns the error from nft_parse_register() or
 * nft_validate_register_store(), 0 on success.
 */
int nft_parse_register_store(const struct nft_ctx *ctx,
			     const struct nlattr *attr, u8 *dreg,
			     const struct nft_data *data,
			     enum nft_data_types type, unsigned int len)
{
	int err;
	u32 reg;

	err = nft_parse_register(attr, &reg);
	if (err < 0)
		return err;

	err = nft_validate_register_store(ctx, reg, data, type, len);
	if (err < 0)
		return err;

	*dreg = reg;
	return 0;
}
EXPORT_SYMBOL_GPL(nft_parse_register_store);

/* Netlink policy for the nested verdict attribute; the chain name is
 * length-limited so the string fits a chain name buffer.
 */
static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
	[NFTA_VERDICT_CODE]	= { .type = NLA_U32 },
	[NFTA_VERDICT_CHAIN]	= { .type = NLA_STRING,
				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
	[NFTA_VERDICT_CHAIN_ID]	= { .type = NLA_U32 },
};

/* Parse a nested verdict attribute into @data.
 *
 * For NFT_JUMP/NFT_GOTO the target chain is looked up by name or by id in
 * ctx->table and rejected if it is a base chain (-EOPNOTSUPP), already
 * bound (-EINVAL), or a NFT_CHAIN_BINDING chain referenced from a set
 * element (-EINVAL). A use reference is taken with nft_use_inc() (-EMFILE
 * on failure) and released by nft_verdict_uninit(). NF_QUEUE and any
 * unknown code are rejected.
 */
static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
			    struct nft_data_desc *desc, const struct nlattr *nla)
{
	u8 genmask = nft_genmask_next(ctx->net);
	struct nlattr *tb[NFTA_VERDICT_MAX + 1];
	struct nft_chain *chain;
	int err;

	err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
					  nft_verdict_policy, NULL);
	if (err < 0)
		return err;

	if (!tb[NFTA_VERDICT_CODE])
		return -EINVAL;

	/* zero padding hole for memcmp */
	memset(data, 0, sizeof(*data));
	data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));

	switch (data->verdict.code) {
	case NF_ACCEPT:
	case NF_DROP:
	case NFT_CONTINUE:
	case NFT_BREAK:
	case NFT_RETURN:
		break;
	case NFT_JUMP:
	case NFT_GOTO:
		if (tb[NFTA_VERDICT_CHAIN]) {
			chain = nft_chain_lookup(ctx->net, ctx->table,
						 tb[NFTA_VERDICT_CHAIN],
						 genmask);
		} else if (tb[NFTA_VERDICT_CHAIN_ID]) {
			chain = nft_chain_lookup_byid(ctx->net, ctx->table,
						      tb[NFTA_VERDICT_CHAIN_ID],
						      genmask);
			if (IS_ERR(chain))
				return PTR_ERR(chain);
		} else {
			return -EINVAL;
		}

		/* covers the by-name lookup; the by-id path returned above */
		if (IS_ERR(chain))
			return PTR_ERR(chain);
		if (nft_is_base_chain(chain))
			return -EOPNOTSUPP;
		if (nft_chain_is_bound(chain))
			return -EINVAL;
		if (desc->flags & NFT_DATA_DESC_SETELEM &&
		    chain->flags & NFT_CHAIN_BINDING)
			return -EINVAL;
		if (!nft_use_inc(&chain->use))
			return -EMFILE;

		data->verdict.chain = chain;
		break;
	case NF_QUEUE:
		/* The nft_queue expression is used for this purpose, an
		 * immediate NF_QUEUE verdict should not ever be seen here.
		 */
		fallthrough;
	default:
		return -EINVAL;
	}

	desc->len = sizeof(data->verdict);

	return 0;
}

/* Drop the chain use reference taken by nft_verdict_init() for
 * NFT_JUMP/NFT_GOTO; other verdict codes hold no reference.
 */
static void nft_verdict_uninit(const struct nft_data *data)
{
	struct nft_chain *chain;

	switch (data->verdict.code) {
	case NFT_JUMP:
	case NFT_GOTO:
		chain = data->verdict.chain;
		nft_use_dec(&chain->use);
		break;
	}
}

/* Emit @v as a nested attribute of type @type. For NFT_JUMP/NFT_GOTO only
 * the chain name is dumped. Returns 0 on success, -1 if the skb ran out of
 * room.
 */
int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
{
	struct nlattr *nest;

	nest = nla_nest_start_noflag(skb, type);
	if (!nest)
		goto nla_put_failure;

	if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
		goto nla_put_failure;

	switch (v->code) {
	case NFT_JUMP:
	case NFT_GOTO:
		if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
				   v->chain->name))
			goto nla_put_failure;
	}
	nla_nest_end(skb, nest);
	return 0;

nla_put_failure:
	return -1;
}

/* Copy a NFTA_DATA_VALUE payload into data->data.
 *
 * The attribute length must be non-zero and must not exceed desc->size,
 * the capacity the caller declared for @data; if desc->len is already set
 * the attribute must match it exactly, otherwise desc->len is set from the
 * attribute. The copy is bounded by the validated @len.
 */
static int nft_value_init(const struct nft_ctx *ctx,
			  struct nft_data *data, struct nft_data_desc *desc,
			  const struct nlattr *nla)
{
	unsigned int len;

	len = nla_len(nla);
	if (len == 0)
		return -EINVAL;
	if (len > desc->size)
		return -EOVERFLOW;
	if (desc->len) {
		if (len != desc->len)
			return -EINVAL;
	} else {
		desc->len = len;
	}

	nla_memcpy(data->data, nla, len);

	return 0;
}

/* Emit @len bytes of data->data as a NFTA_DATA_VALUE attribute. */
static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
			  unsigned int len)
{
	return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
}

static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
	[NFTA_DATA_VALUE]	= { .type = NLA_BINARY },
	[NFTA_DATA_VERDICT]	= { .type = NLA_NESTED },
};

/**
 * nft_data_init - parse nf_tables data netlink attributes
 *
 * @ctx: context of the expression using the data
 * @data: destination struct nft_data
 * @desc: data description
 * @nla: netlink attribute containing data
 *
 * Parse the netlink data attributes and initialize a struct nft_data.
 * The type and length of data are returned in the data description.
 *
 * The caller can indicate that it only wants to accept data of type
 * NFT_DATA_VALUE by passing NULL for the ctx argument.
 *
 * desc->size must be set by the caller; it is the bound nft_value_init()
 * enforces on the copied value, so a zero size is refused up front.
 */
int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
		  struct nft_data_desc *desc, const struct nlattr *nla)
{
	struct nlattr *tb[NFTA_DATA_MAX + 1];
	int err;

	if (unlikely(!desc->size)) {
		DEBUG_NET_WARN_ON_ONCE(1);
		return -EINVAL;
	}

	err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
					  nft_data_policy, NULL);
	if (err < 0)
		return err;

	if (tb[NFTA_DATA_VALUE]) {
		if (desc->type != NFT_DATA_VALUE)
			return -EINVAL;

		err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
	} else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
		if (desc->type != NFT_DATA_VERDICT)
			return -EINVAL;

		err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
	} else {
		err = -EINVAL;
	}

	return err;
}
EXPORT_SYMBOL_GPL(nft_data_init);

/**
 * nft_data_release - release a nft_data item
 *
 * @data: struct nft_data to release
 * @type: type of data
 *
 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
 * all others need to be released by calling this function.
 */
void nft_data_release(const struct nft_data *data, enum nft_data_types type)
{
	if (type < NFT_DATA_VERDICT)
		return;
	switch (type) {
	case NFT_DATA_VERDICT:
		return nft_verdict_uninit(data);
	default:
		WARN_ON(1);
	}
}

/* Dump @data as a nested attribute @attr, dispatching on @type.
 *
 * Returns 0 on success, -1 if the nest could not be started, -EINVAL (with
 * a debug warning) for an unknown type, or the dumper's own error.
 */
int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
		  enum nft_data_types type, unsigned int len)
{
	struct nlattr *nest;
	int err;

	nest = nla_nest_start_noflag(skb, attr);
	if (nest == NULL)
		return -1;

	switch (type) {
	case NFT_DATA_VALUE:
		err = nft_value_dump(skb, data, len);
		break;
	case NFT_DATA_VERDICT:
		err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
		break;
	default:
		err = -EINVAL;
		DEBUG_NET_WARN_ON_ONCE(1);
	}

	nla_nest_end(skb, nest);
	return err;
}

/* Unregister the netfilter hooks of every chain and flowtable in @table
 * without freeing anything; the objects are torn down later by
 * __nft_release_table().
 */
static void __nft_release_hook(struct net *net, struct nft_table *table)
{
	struct nft_flowtable *flowtable;
	struct nft_chain *chain;

	list_for_each_entry(chain, &table->chains, list)
		__nf_tables_unregister_hook(net, table, chain, true);
	list_for_each_entry(flowtable, &table->flowtables, list)
		__nft_unregister_flowtable_net_hooks(net, flowtable,
						     &flowtable->hook_list,
						     true);
}

/* Release hooks of all tables in @net that have no owner; owned tables are
 * handled by the netlink release notifier instead.
 */
static void __nft_release_hooks(struct net *net)
{
	struct nftables_pernet *nft_net = nft_pernet(net);
	struct nft_table *table;

	list_for_each_entry(table, &nft_net->tables, list) {
		if (nft_table_has_owner(table))
			continue;

		__nft_release_hook(net, table);
	}
}

/* Free @table and everything it contains.
 *
 * Order: rules of every non-binding chain, then flowtables, sets (maps and
 * object maps are deactivated first), objects, chains, and finally the
 * table itself. Use counters are decremented as each object is unlinked.
 * The caller has already removed @table from the per-net list.
 */
static void __nft_release_table(struct net *net, struct nft_table *table)
{
	struct nft_flowtable *flowtable, *nf;
	struct nft_chain *chain, *nc;
	struct nft_object *obj, *ne;
	struct nft_rule *rule, *nr;
	struct nft_set *set, *ns;
	struct nft_ctx ctx = {
		.net	= net,
		.family	= NFPROTO_NETDEV,
	};

	ctx.family = table->family;
	ctx.table = table;
	list_for_each_entry(chain, &table->chains, list) {
		/* rules of binding chains are released with their owner */
		if (nft_chain_binding(chain))
			continue;

		ctx.chain = chain;
		list_for_each_entry_safe(rule, nr, &chain->rules, list) {
			list_del(&rule->list);
			nft_use_dec(&chain->use);
			nf_tables_rule_release(&ctx, rule);
		}
	}
	list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
		list_del(&flowtable->list);
		nft_use_dec(&table->use);
		nf_tables_flowtable_destroy(flowtable);
	}
	list_for_each_entry_safe(set, ns, &table->sets, list) {
		list_del(&set->list);
		nft_use_dec(&table->use);
		if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
			nft_map_deactivate(&ctx, set);

		nft_set_destroy(&ctx, set);
	}
	list_for_each_entry_safe(obj, ne, &table->objects, list) {
		nft_obj_del(obj);
		nft_use_dec(&table->use);
		nft_obj_destroy(&ctx, obj);
	}
	list_for_each_entry_safe(chain, nc, &table->chains, list) {
		nft_chain_del(chain);
		nft_use_dec(&table->use);
		nf_tables_chain_destroy(chain);
	}
	nf_tables_table_destroy(table);
}

/* Unlink and free every unowned table in @net. */
static void __nft_release_tables(struct net *net)
{
	struct nftables_pernet *nft_net = nft_pernet(net);
	struct nft_table *table, *nt;

	list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
		if (nft_table_has_owner(table))
			continue;

		list_del(&table->list);

		__nft_release_table(net, table);
	}
}

/* Netlink notifier: when a NETLINK_NETFILTER socket is released, tear down
 * the tables owned by its portid.
 *
 * Tables flagged NFT_TABLE_F_PERSIST merely lose their owner flag. The
 * rest have their hooks removed and are unlinked under commit_mutex with
 * list_del_rcu(); after synchronize_rcu() they are freed. Candidates are
 * collected in batches of ARRAY_SIZE(to_delete) and the scan restarts
 * when a batch filled up, so the per-net list is never walked while it is
 * being modified.
 */
static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
			    void *ptr)
{
	struct nft_table *table, *to_delete[8];
	struct nftables_pernet *nft_net;
	struct netlink_notify *n = ptr;
	struct net *net = n->net;
	unsigned int deleted;
	bool restart = false;
	unsigned int gc_seq;

	if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
		return NOTIFY_DONE;

	nft_net = nft_pernet(net);
	deleted = 0;
	mutex_lock(&nft_net->commit_mutex);

	gc_seq = nft_gc_seq_begin(nft_net);

	nf_tables_trans_destroy_flush_work(net);
again:
	list_for_each_entry(table, &nft_net->tables, list) {
		if (nft_table_has_owner(table) &&
		    n->portid == table->nlpid) {
			if (table->flags & NFT_TABLE_F_PERSIST) {
				table->flags &= ~NFT_TABLE_F_OWNER;
				continue;
			}
			__nft_release_hook(net, table);
			list_del_rcu(&table->list);
			to_delete[deleted++] = table;
			if (deleted >= ARRAY_SIZE(to_delete))
				break;
		}
	}
	if (deleted) {
		restart = deleted >= ARRAY_SIZE(to_delete);
		synchronize_rcu();
		while (deleted)
			__nft_release_table(net, to_delete[--deleted]);

		if (restart)
			goto again;
	}
	nft_gc_seq_end(nft_net, gc_seq);

	mutex_unlock(&nft_net->commit_mutex);

	return NOTIFY_DONE;
}

static struct notifier_block nft_nl_notifier = {
	.notifier_call  = nft_rcv_nl_event,
};

/* Per-netns constructor: initialise the list heads, commit mutex, sequence
 * counters and destroy work item of the nftables_pernet state.
 */
static int __net_init nf_tables_init_net(struct net *net)
{
	struct nftables_pernet *nft_net = nft_pernet(net);

	INIT_LIST_HEAD(&nft_net->tables);
	INIT_LIST_HEAD(&nft_net->commit_list);
	INIT_LIST_HEAD(&nft_net->destroy_list);
	INIT_LIST_HEAD(&nft_net->commit_set_list);
	INIT_LIST_HEAD(&nft_net->binding_list);
	INIT_LIST_HEAD(&nft_net->module_list);
	INIT_LIST_HEAD(&nft_net->notify_list);
	mutex_init(&nft_net->commit_mutex);
	net->nft.base_seq = 1;
	nft_net->gc_seq = 0;
	nft_net->validate_state = NFT_VALIDATE_SKIP;
	INIT_WORK(&nft_net->destroy_work, nf_tables_trans_destroy_work);

	return 0;
}

/* Per-netns pre-exit: unregister the hooks of all unowned tables while the
 * netns is still alive, under commit_mutex.
 */
static void __net_exit nf_tables_pre_exit_net(struct net *net)
{
	struct nftables_pernet *nft_net = nft_pernet(net);

	mutex_lock(&nft_net->commit_mutex);
	__nft_release_hooks(net);
	mutex_unlock(&nft_net->commit_mutex);
}

/* Per-netns exit: free all remaining tables.
 *
 * Pending transactions are expected to be gone (warn otherwise), module
 * autoload requests are cleaned up, the destroy work is drained before the
 * tables are released, and the per-net lists are checked to be empty on
 * the way out.
 */
static void __net_exit nf_tables_exit_net(struct net *net)
{
	struct nftables_pernet *nft_net = nft_pernet(net);
	unsigned int gc_seq;

	mutex_lock(&nft_net->commit_mutex);

	gc_seq = nft_gc_seq_begin(nft_net);

	WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
	WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));

	if (!list_empty(&nft_net->module_list))
		nf_tables_module_autoload_cleanup(net);

	cancel_work_sync(&nft_net->destroy_work);
	__nft_release_tables(net);

	nft_gc_seq_end(nft_net, gc_seq);

	mutex_unlock(&nft_net->commit_mutex);

	WARN_ON_ONCE(!list_empty(&nft_net->tables));
	WARN_ON_ONCE(!list_empty(&nft_net->module_list));
	WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
	WARN_ON_ONCE(!list_empty(&nft_net->destroy_list));
}

/* Batch exit: wait for the transaction GC work before the netns batch goes
 * away. @net_exit_list is not used.
 */
static void nf_tables_exit_batch(struct list_head *net_exit_list)
{
	flush_work(&trans_gc_work);
}

static struct pernet_operations nf_tables_net_ops = {
	.init		= nf_tables_init_net,
	.pre_exit	= nf_tables_pre_exit_net,
	.exit		= nf_tables_exit_net,
	.exit_batch	= nf_tables_exit_batch,
	.id		= &nf_tables_net_id,
	.size		= sizeof(struct nftables_pernet),
};

/* Module init: register the pernet subsystem, chain types, core module,
 * netdevice notifier, object-name hashtable, offload support, netlink
 * notifier and finally the nfnetlink subsystem, unwinding in reverse on
 * failure.
 *
 * The BUILD_BUG_ONs pin the embedded struct nft_trans at offset 0 of every
 * transaction type so they can be converted to/from struct nft_trans by a
 * plain cast.
 */
static int __init nf_tables_module_init(void)
{
	int err;

	BUILD_BUG_ON(offsetof(struct nft_trans_table, nft_trans) != 0);
	BUILD_BUG_ON(offsetof(struct nft_trans_chain, nft_trans_binding.nft_trans) != 0);
	BUILD_BUG_ON(offsetof(struct nft_trans_rule, nft_trans) != 0);
	BUILD_BUG_ON(offsetof(struct nft_trans_set, nft_trans_binding.nft_trans) != 0);
	BUILD_BUG_ON(offsetof(struct nft_trans_elem, nft_trans) != 0);
	BUILD_BUG_ON(offsetof(struct nft_trans_obj, nft_trans) != 0);
	BUILD_BUG_ON(offsetof(struct nft_trans_flowtable, nft_trans) != 0);

	err = register_pernet_subsys(&nf_tables_net_ops);
	if (err < 0)
		return err;

	err = nft_chain_filter_init();
	if (err < 0)
		goto err_chain_filter;

	err = nf_tables_core_module_init();
	if (err < 0)
		goto err_core_module;

	err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
	if (err < 0)
		goto err_netdev_notifier;

	err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
	if (err < 0)
		goto err_rht_objname;

	err = nft_offload_init();
	if (err < 0)
		goto err_offload;

	err = netlink_register_notifier(&nft_nl_notifier);
	if (err < 0)
		goto err_netlink_notifier;

	/* must be last */
	err = nfnetlink_subsys_register(&nf_tables_subsys);
	if (err < 0)
		goto err_nfnl_subsys;

	/* no error path below this point, so no unwind label is needed */
	nft_chain_route_init();

	return err;

err_nfnl_subsys:
	netlink_unregister_notifier(&nft_nl_notifier);
err_netlink_notifier:
	nft_offload_exit();
err_offload:
	rhltable_destroy(&nft_objname_ht);
err_rht_objname:
	unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
err_netdev_notifier:
	nf_tables_core_module_exit();
err_core_module:
	nft_chain_filter_fini();
err_chain_filter:
	unregister_pernet_subsys(&nf_tables_net_ops);
	return err;
}

/* Module exit: the nfnetlink subsystem goes first so no new requests
 * arrive, then the notifiers and chain types; the pernet subsystem is
 * unregistered before the GC work is cancelled and an RCU grace period is
 * waited for, after which the object-name hashtable and core module are
 * torn down.
 */
static void __exit nf_tables_module_exit(void)
{
	nfnetlink_subsys_unregister(&nf_tables_subsys);
	netlink_unregister_notifier(&nft_nl_notifier);
	nft_offload_exit();
	unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
	nft_chain_filter_fini();
	nft_chain_route_fini();
	unregister_pernet_subsys(&nf_tables_net_ops);
	cancel_work_sync(&trans_gc_work);
	rcu_barrier();
	rhltable_destroy(&nft_objname_ht);
	nf_tables_core_module_exit();
}

module_init(nf_tables_module_init);
module_exit(nf_tables_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("Framework for packet filtering and classification");
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);