/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <linux/if.h>
#include <linux/netfilter/nf_tables.h>
#include <linux/netfilter/nfnetlink.h>

#include "netlink-types-internal.h"

static const NLAPolicy nfnl_nft_table_policies[] = {
        [NFTA_TABLE_NAME]  = BUILD_POLICY_WITH_SIZE(STRING, NFT_TABLE_MAXNAMELEN - 1),
        [NFTA_TABLE_FLAGS] = BUILD_POLICY(U32),
};

DEFINE_POLICY_SET(nfnl_nft_table);

static const NLAPolicy nfnl_nft_chain_hook_policies[] = {
        [NFTA_HOOK_HOOKNUM]  = BUILD_POLICY(U32),
        [NFTA_HOOK_PRIORITY] = BUILD_POLICY(U32),
        [NFTA_HOOK_DEV]      = BUILD_POLICY_WITH_SIZE(STRING, IFNAMSIZ - 1),
};

DEFINE_POLICY_SET(nfnl_nft_chain_hook);

static const NLAPolicy nfnl_nft_chain_policies[] = {
        [NFTA_CHAIN_TABLE] = BUILD_POLICY_WITH_SIZE(STRING, NFT_TABLE_MAXNAMELEN - 1),
        [NFTA_CHAIN_NAME]  = BUILD_POLICY_WITH_SIZE(STRING, NFT_TABLE_MAXNAMELEN - 1),
        [NFTA_CHAIN_HOOK]  = BUILD_POLICY_NESTED(nfnl_nft_chain_hook),
        [NFTA_CHAIN_TYPE]  = BUILD_POLICY_WITH_SIZE(STRING, 16),
        [NFTA_CHAIN_FLAGS] = BUILD_POLICY(U32),
};

DEFINE_POLICY_SET(nfnl_nft_chain);

static const NLAPolicy nfnl_nft_expr_meta_policies[] = {
        [NFTA_META_DREG] = BUILD_POLICY(U32),
        [NFTA_META_KEY]  = BUILD_POLICY(U32),
        [NFTA_META_SREG] = BUILD_POLICY(U32),
};

static const NLAPolicy nfnl_nft_expr_payload_policies[] = {
        [NFTA_PAYLOAD_DREG]   = BUILD_POLICY(U32),
        [NFTA_PAYLOAD_BASE]   = BUILD_POLICY(U32),
        [NFTA_PAYLOAD_OFFSET] = BUILD_POLICY(U32),
        [NFTA_PAYLOAD_LEN]    = BUILD_POLICY(U32),
};

static const NLAPolicy nfnl_nft_expr_nat_policies[] = {
        [NFTA_NAT_TYPE]          = BUILD_POLICY(U32),
        [NFTA_NAT_FAMILY]        = BUILD_POLICY(U32),
        [NFTA_NAT_REG_ADDR_MIN]  = BUILD_POLICY(U32),
        [NFTA_NAT_REG_ADDR_MAX]  = BUILD_POLICY(U32),
        [NFTA_NAT_REG_PROTO_MIN] = BUILD_POLICY(U32),
        [NFTA_NAT_REG_PROTO_MAX] = BUILD_POLICY(U32),
        [NFTA_NAT_FLAGS]         = BUILD_POLICY(U32),
};

static const NLAPolicy nfnl_nft_data_policies[] = {
        [NFTA_DATA_VALUE] = { .type = NETLINK_TYPE_BINARY },
};

DEFINE_POLICY_SET(nfnl_nft_data);

static const NLAPolicy nfnl_nft_expr_bitwise_policies[] = {
        [NFTA_BITWISE_SREG] = BUILD_POLICY(U32),
        [NFTA_BITWISE_DREG] = BUILD_POLICY(U32),
        [NFTA_BITWISE_LEN]  = BUILD_POLICY(U32),
        [NFTA_BITWISE_MASK] = BUILD_POLICY_NESTED(nfnl_nft_data),
        [NFTA_BITWISE_XOR]  = BUILD_POLICY_NESTED(nfnl_nft_data),
};

static const NLAPolicy nfnl_nft_expr_cmp_policies[] = {
        [NFTA_CMP_SREG] = BUILD_POLICY(U32),
        [NFTA_CMP_OP]   = BUILD_POLICY(U32),
        [NFTA_CMP_DATA] = BUILD_POLICY_NESTED(nfnl_nft_data),
};

static const NLAPolicy nfnl_nft_expr_fib_policies[] = {
        [NFTA_FIB_DREG]   = BUILD_POLICY(U32),
        [NFTA_FIB_RESULT] = BUILD_POLICY(U32),
        [NFTA_FIB_FLAGS]  = BUILD_POLICY(U32),
};

static const NLAPolicy nfnl_nft_expr_lookup_policies[] = {
        [NFTA_LOOKUP_SET]   = { .type = NETLINK_TYPE_STRING },
        [NFTA_LOOKUP_SREG]  = BUILD_POLICY(U32),
        [NFTA_LOOKUP_DREG]  = BUILD_POLICY(U32),
        [NFTA_LOOKUP_FLAGS] = BUILD_POLICY(U32),
};

static const NLAPolicy nfnl_nft_expr_masq_policies[] = {
        [NFTA_MASQ_FLAGS]         = BUILD_POLICY(U32),
        [NFTA_MASQ_REG_PROTO_MIN] = BUILD_POLICY(U32),
        [NFTA_MASQ_REG_PROTO_MAX] = BUILD_POLICY(U32),
};

static const NLAPolicySetUnionElement nfnl_expr_data_policy_set_union_elements[] = {
        BUILD_UNION_ELEMENT_BY_STRING("bitwise", nfnl_nft_expr_bitwise),
        BUILD_UNION_ELEMENT_BY_STRING("cmp",     nfnl_nft_expr_cmp),
        BUILD_UNION_ELEMENT_BY_STRING("fib",     nfnl_nft_expr_fib),
        BUILD_UNION_ELEMENT_BY_STRING("lookup",  nfnl_nft_expr_lookup),
        BUILD_UNION_ELEMENT_BY_STRING("masq",    nfnl_nft_expr_masq),
        BUILD_UNION_ELEMENT_BY_STRING("meta",    nfnl_nft_expr_meta),
        BUILD_UNION_ELEMENT_BY_STRING("nat",     nfnl_nft_expr_nat),
        BUILD_UNION_ELEMENT_BY_STRING("payload", nfnl_nft_expr_payload),
};

DEFINE_POLICY_SET_UNION(nfnl_expr_data, NFTA_EXPR_NAME);

static const NLAPolicy nfnl_nft_rule_expr_policies[] = {
        [NFTA_EXPR_NAME] = BUILD_POLICY_WITH_SIZE(STRING, 16),
        [NFTA_EXPR_DATA] = BUILD_POLICY_NESTED_UNION_BY_STRING(nfnl_expr_data),
};

DEFINE_POLICY_SET(nfnl_nft_rule_expr);

static const NLAPolicy nfnl_nft_rule_policies[] = {
        [NFTA_RULE_TABLE]       = BUILD_POLICY_WITH_SIZE(STRING, NFT_TABLE_MAXNAMELEN - 1),
        [NFTA_RULE_CHAIN]       = BUILD_POLICY_WITH_SIZE(STRING, NFT_TABLE_MAXNAMELEN - 1),
        [NFTA_RULE_EXPRESSIONS] = BUILD_POLICY_NESTED(nfnl_nft_rule_expr),
};

DEFINE_POLICY_SET(nfnl_nft_rule);

static const NLAPolicy nfnl_nft_set_policies[] = {
        [NFTA_SET_TABLE]      = BUILD_POLICY_WITH_SIZE(STRING, NFT_TABLE_MAXNAMELEN - 1),
        [NFTA_SET_NAME]       = BUILD_POLICY_WITH_SIZE(STRING, NFT_TABLE_MAXNAMELEN - 1),
        [NFTA_SET_FLAGS]      = BUILD_POLICY(U32),
        [NFTA_SET_KEY_TYPE]   = BUILD_POLICY(U32),
        [NFTA_SET_KEY_LEN]    = BUILD_POLICY(U32),
        [NFTA_SET_DATA_TYPE]  = BUILD_POLICY(U32),
        [NFTA_SET_DATA_LEN]   = BUILD_POLICY(U32),
        [NFTA_SET_POLICY]     = BUILD_POLICY(U32),
        [NFTA_SET_ID]         = BUILD_POLICY(U32),
};

DEFINE_POLICY_SET(nfnl_nft_set);

static const NLAPolicy nfnl_nft_setelem_policies[] = {
        [NFTA_SET_ELEM_KEY]   = BUILD_POLICY_NESTED(nfnl_nft_data),
        [NFTA_SET_ELEM_DATA]  = BUILD_POLICY_NESTED(nfnl_nft_data),
        [NFTA_SET_ELEM_FLAGS] = BUILD_POLICY(U32),
};

DEFINE_POLICY_SET(nfnl_nft_setelem);

static const NLAPolicy nfnl_nft_setelem_list_policies[] = {
        [NFTA_SET_ELEM_LIST_TABLE]    = BUILD_POLICY_WITH_SIZE(STRING, NFT_TABLE_MAXNAMELEN - 1),
        [NFTA_SET_ELEM_LIST_SET]      = BUILD_POLICY_WITH_SIZE(STRING, NFT_TABLE_MAXNAMELEN - 1),
        [NFTA_SET_ELEM_LIST_ELEMENTS] = BUILD_POLICY_NESTED(nfnl_nft_setelem),
};

DEFINE_POLICY_SET(nfnl_nft_setelem_list);

static const NLAPolicy nfnl_subsys_nft_policies[] = {
        [NFT_MSG_DELTABLE]   = BUILD_POLICY_NESTED_WITH_SIZE(nfnl_nft_table,        sizeof(struct nfgenmsg)),
        [NFT_MSG_NEWTABLE]   = BUILD_POLICY_NESTED_WITH_SIZE(nfnl_nft_table,        sizeof(struct nfgenmsg)),
        [NFT_MSG_NEWCHAIN]   = BUILD_POLICY_NESTED_WITH_SIZE(nfnl_nft_chain,        sizeof(struct nfgenmsg)),
        [NFT_MSG_NEWRULE]    = BUILD_POLICY_NESTED_WITH_SIZE(nfnl_nft_rule,         sizeof(struct nfgenmsg)),
        [NFT_MSG_NEWSET]     = BUILD_POLICY_NESTED_WITH_SIZE(nfnl_nft_set,          sizeof(struct nfgenmsg)),
        [NFT_MSG_NEWSETELEM] = BUILD_POLICY_NESTED_WITH_SIZE(nfnl_nft_setelem_list, sizeof(struct nfgenmsg)),
        [NFT_MSG_DELSETELEM] = BUILD_POLICY_NESTED_WITH_SIZE(nfnl_nft_setelem_list, sizeof(struct nfgenmsg)),
};

DEFINE_POLICY_SET(nfnl_subsys_nft);

static const NLAPolicy nfnl_msg_batch_policies[] = {
        [NFNL_BATCH_GENID] = BUILD_POLICY(U32)
};

DEFINE_POLICY_SET(nfnl_msg_batch);

static const NLAPolicy nfnl_subsys_none_policies[] = {
        [NFNL_MSG_BATCH_BEGIN] = BUILD_POLICY_NESTED_WITH_SIZE(nfnl_msg_batch, sizeof(struct nfgenmsg)),
        [NFNL_MSG_BATCH_END]   = BUILD_POLICY_NESTED_WITH_SIZE(nfnl_msg_batch, sizeof(struct nfgenmsg)),
};

DEFINE_POLICY_SET(nfnl_subsys_none);

static const NLAPolicy nfnl_policies[] = {
        [NFNL_SUBSYS_NONE]     = BUILD_POLICY_NESTED(nfnl_subsys_none),
        [NFNL_SUBSYS_NFTABLES] = BUILD_POLICY_NESTED(nfnl_subsys_nft),
};

DEFINE_POLICY_SET(nfnl);

const NLAPolicy *nfnl_get_policy(uint16_t nlmsg_type) {
        const NLAPolicySet *subsys;

        subsys = policy_set_get_policy_set(&nfnl_policy_set, NFNL_SUBSYS_ID(nlmsg_type));
        if (!subsys)
                return NULL;

        return policy_set_get_policy(subsys, NFNL_MSG_TYPE(nlmsg_type));
}