netfilter: nf_tables: use new transaction infrastructure to handle table

#define nft_trans_chain_policy(trans)	\

	(((struct nft_trans_chain *)trans->data)->policy)

struct nft_trans_table {

	bool		update;

	bool		enable;

};

#define nft_trans_table_update(trans)	\

	(((struct nft_trans_table *)trans->data)->update)

#define nft_trans_table_enable(trans)	\

	(((struct nft_trans_table *)trans->data)->enable)

static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)

{

	return (struct nft_expr *)&rule->data[0];

	return skb->len;

}

/* Internal table flags */

#define NFT_TABLE_INACTIVE	(1 << 15)

static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,

			      const struct nlmsghdr *nlh,

			      const struct nlattr * const nla[])

	table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);

	if (IS_ERR(table))

		return PTR_ERR(table);

	if (table->flags & NFT_TABLE_INACTIVE)

		return -ENOENT;

	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);

	if (!skb2)

static int nf_tables_updtable(struct nft_ctx *ctx)

{

	const struct nfgenmsg *nfmsg = nlmsg_data(ctx->nlh);

	int family = nfmsg->nfgen_family, ret = 0;

	struct nft_trans *trans;

	u32 flags;

	int ret = 0;

	if (!ctx->nla[NFTA_TABLE_FLAGS])

		return 0;

	if (flags & ~NFT_TABLE_F_DORMANT)

		return -EINVAL;

	trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,

				sizeof(struct nft_trans_table));

	if (trans == NULL)

		return -ENOMEM;

	if ((flags & NFT_TABLE_F_DORMANT) &&

	    !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {

		nf_tables_table_disable(ctx->afi, ctx->table);

		ctx->table->flags |= NFT_TABLE_F_DORMANT;

		nft_trans_table_enable(trans) = false;

	} else if (!(flags & NFT_TABLE_F_DORMANT) &&

		   ctx->table->flags & NFT_TABLE_F_DORMANT) {

		ret = nf_tables_table_enable(ctx->afi, ctx->table);

		if (ret >= 0)

		if (ret >= 0) {

			ctx->table->flags &= ~NFT_TABLE_F_DORMANT;

			nft_trans_table_enable(trans) = true;

		}

	}

	if (ret < 0)

		goto err;

	nf_tables_table_notify(ctx->skb, ctx->nlh, ctx->table,

			       NFT_MSG_NEWTABLE, family);

	nft_trans_table_update(trans) = true;

	list_add_tail(&trans->list, &ctx->net->nft.commit_list);

	return 0;

err:

	nft_trans_destroy(trans);

	return ret;

}

static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)

{

	struct nft_trans *trans;

	trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));

	if (trans == NULL)

		return -ENOMEM;

	if (msg_type == NFT_MSG_NEWTABLE)

		ctx->table->flags |= NFT_TABLE_INACTIVE;

	list_add_tail(&trans->list, &ctx->net->nft.commit_list);

	return 0;

}

static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,

			      const struct nlmsghdr *nlh,

			      const struct nlattr * const nla[])

	int family = nfmsg->nfgen_family;

	u32 flags = 0;

	struct nft_ctx ctx;

	int err;

	afi = nf_tables_afinfo_lookup(net, family, true);

	if (IS_ERR(afi))

	}

	if (table != NULL) {

		if (table->flags & NFT_TABLE_INACTIVE)

			return -ENOENT;

		if (nlh->nlmsg_flags & NLM_F_EXCL)

			return -EEXIST;

		if (nlh->nlmsg_flags & NLM_F_REPLACE)

	INIT_LIST_HEAD(&table->sets);

	table->flags = flags;

	nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);

	err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);

	if (err < 0) {

		kfree(table);

		module_put(afi->owner);

		return err;

	}

	list_add_tail(&table->list, &afi->tables);

	nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);

	return 0;

}

	struct nft_af_info *afi;

	struct nft_table *table;

	struct net *net = sock_net(skb->sk);

	int family = nfmsg->nfgen_family;

	int family = nfmsg->nfgen_family, err;

	struct nft_ctx ctx;

	afi = nf_tables_afinfo_lookup(net, family, false);

	if (IS_ERR(afi))

	table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);

	if (IS_ERR(table))

		return PTR_ERR(table);

	if (table->flags & NFT_TABLE_INACTIVE)

		return -ENOENT;

	if (!list_empty(&table->chains) || !list_empty(&table->sets))

		return -EBUSY;

	nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);

	err = nft_trans_table_add(&ctx, NFT_MSG_DELTABLE);

	if (err < 0)

		return err;

	list_del(&table->list);

	nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);

	kfree(table);

	module_put(afi->owner);

	return 0;

}

static void nf_tables_table_destroy(struct nft_ctx *ctx)

{

	kfree(ctx->table);

	module_put(ctx->afi->owner);

}

int nft_register_chain_type(const struct nf_chain_type *ctype)

{

	int err = 0;

	table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);

	if (IS_ERR(table))

		return PTR_ERR(table);

	if (table->flags & NFT_TABLE_INACTIVE)

		return -ENOENT;

	chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);

	if (IS_ERR(chain))

	table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);

	if (IS_ERR(table))

		return PTR_ERR(table);

	if (table->flags & NFT_TABLE_INACTIVE)

		return -ENOENT;

	chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);

	if (IS_ERR(chain))

	table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);

	if (IS_ERR(table))

		return PTR_ERR(table);

	if (table->flags & NFT_TABLE_INACTIVE)

		return -ENOENT;

	chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);

	if (IS_ERR(chain))

	table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);

	if (IS_ERR(table))

		return PTR_ERR(table);

	if (table->flags & NFT_TABLE_INACTIVE)

		return -ENOENT;

	if (nla[NFTA_RULE_CHAIN]) {

		chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);

		table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);

		if (IS_ERR(table))

			return PTR_ERR(table);

		if (table->flags & NFT_TABLE_INACTIVE)

			return -ENOENT;

	}

	nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);

static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,

				      const struct sk_buff *skb,

				      const struct nlmsghdr *nlh,

				      const struct nlattr * const nla[])

				      const struct nlattr * const nla[],

				      bool trans)

{

	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);

	struct nft_af_info *afi;

	table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);

	if (IS_ERR(table))

		return PTR_ERR(table);

	if (!trans && (table->flags & NFT_TABLE_INACTIVE))

		return -ENOENT;

	nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);

	return 0;

	if (err < 0)

		return err;

	err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);

	err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla,

					 false);

	if (err < 0)

		return err;

	struct nft_ctx ctx;

	int err;

	err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);

	err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);

	if (err < 0)

		return err;

	struct nft_ctx ctx;

	int rem, err;

	err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);

	err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true);

	if (err < 0)

		return err;

	struct nft_ctx ctx;

	int rem, err;

	err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);

	err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);

	if (err < 0)

		return err;

static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {

	[NFT_MSG_NEWTABLE] = {

		.call		= nf_tables_newtable,

		.call_batch	= nf_tables_newtable,

		.attr_count	= NFTA_TABLE_MAX,

		.policy		= nft_table_policy,

	},

		.policy		= nft_table_policy,

	},

	[NFT_MSG_DELTABLE] = {

		.call		= nf_tables_deltable,

		.call_batch	= nf_tables_deltable,

		.attr_count	= NFTA_TABLE_MAX,

		.policy		= nft_table_policy,

	},

	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {

		switch (trans->msg_type) {

		case NFT_MSG_NEWTABLE:

			if (nft_trans_table_update(trans)) {

				if (!nft_trans_table_enable(trans)) {

					nf_tables_table_disable(trans->ctx.afi,

								trans->ctx.table);

					trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;

				}

			} else {

				trans->ctx.table->flags &= ~NFT_TABLE_INACTIVE;

			}

			nf_tables_table_notify(trans->ctx.skb, trans->ctx.nlh,

					       trans->ctx.table,

					       NFT_MSG_NEWTABLE,

					       trans->ctx.afi->family);

			nft_trans_destroy(trans);

			break;

		case NFT_MSG_DELTABLE:

			nf_tables_table_notify(trans->ctx.skb, trans->ctx.nlh,

					       trans->ctx.table,

					       NFT_MSG_DELTABLE,

					       trans->ctx.afi->family);

			break;

		case NFT_MSG_NEWCHAIN:

			if (nft_trans_chain_update(trans))

				nft_chain_commit_update(trans);

	/* Now we can safely release unused old rules */

	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {

		switch (trans->msg_type) {

		case NFT_MSG_DELTABLE:

			nf_tables_table_destroy(&trans->ctx);

			break;

		case NFT_MSG_DELCHAIN:

			nf_tables_chain_destroy(trans->ctx.chain);

			break;

	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {

		switch (trans->msg_type) {

		case NFT_MSG_NEWTABLE:

			if (nft_trans_table_update(trans)) {

				if (nft_trans_table_enable(trans)) {

					nf_tables_table_disable(trans->ctx.afi,

								trans->ctx.table);

					trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;

				}

				nft_trans_destroy(trans);

			} else {

				list_del(&trans->ctx.table->list);

			}

			break;

		case NFT_MSG_DELTABLE:

			list_add_tail(&trans->ctx.table->list,

				      &trans->ctx.afi->tables);

			nft_trans_destroy(trans);

			break;

		case NFT_MSG_NEWCHAIN:

			if (nft_trans_chain_update(trans)) {

				if (nft_trans_chain_stats(trans))

	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {

		switch (trans->msg_type) {

		case NFT_MSG_NEWTABLE:

			nf_tables_table_destroy(&trans->ctx);

			break;

		case NFT_MSG_NEWCHAIN:

			nf_tables_chain_destroy(trans->ctx.chain);

			break;