* [PATCH 0/3] add userdata and comment support for chains
From: Jose M. Guisado Gomez @ 2020-09-21 13:28 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

This patch series adds userdata storage for chains and also support
for comments when adding a chain.

Userdata can be extended for other purposes in the future.

The nftables patch relies on the already_set() function [1] to check for
possible duplicates when specifying a comment.

[1] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200910164019.86192-1-guigom@riseup.net/


nf-next:

  netfilter: nf_tables: add userdata attributes to nft_chain

 include/net/netfilter/nf_tables.h        |  2 ++
 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/netfilter/nf_tables_api.c            | 19 +++++++++++++++++++
 3 files changed, 23 insertions(+)

libnftnl:

  chain: add userdata and comment support

 include/libnftnl/chain.h            |  1 +
 include/libnftnl/udata.h            |  6 ++++++
 include/linux/netfilter/nf_tables.h |  2 ++
 src/chain.c                         | 31 +++++++++++++++++++++++++++++
 4 files changed, 40 insertions(+)

nftables:

  src: add comment support for chains

 include/rule.h                                |  1 +
 src/mnl.c                                     | 11 +++++++
 src/netlink.c                                 | 32 +++++++++++++++++++
 src/parser_bison.y                            |  8 +++++
 src/rule.c                                    |  3 ++
 .../testcases/optionals/comments_chain_0      | 12 +++++++
 .../optionals/dumps/comments_chain_0.nft      |  5 +++
 7 files changed, 72 insertions(+)
 create mode 100755 tests/shell/testcases/optionals/comments_chain_0
 create mode 100644 tests/shell/testcases/optionals/dumps/comments_chain_0.nft


-- 
2.27.0



* [PATCH nf-next 1/3] netfilter: nf_tables: add userdata attributes to nft_chain
From: Jose M. Guisado Gomez @ 2020-09-21 13:28 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

Enables storing userdata for nft_chain. Field udata points to user data
and udlen stores its length.

Adds the new netlink attribute NFTA_CHAIN_USERDATA.

Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
---
 include/net/netfilter/nf_tables.h        |  2 ++
 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/netfilter/nf_tables_api.c            | 19 +++++++++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 8ceca0e419b3..4686fafbfd8a 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -952,6 +952,8 @@ struct nft_chain {
 					bound:1,
 					genmask:2;
 	char				*name;
+	u16				udlen;
+	u8				*udata;
 
 	/* Only used during control plane commit phase: */
 	struct nft_rule			**rules_next;
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 3c2469b43742..352ee51707a1 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -208,6 +208,7 @@ enum nft_chain_flags {
  * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
  * @NFTA_CHAIN_FLAGS: chain flags
  * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32)
+ * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY)
  */
 enum nft_chain_attributes {
 	NFTA_CHAIN_UNSPEC,
@@ -222,6 +223,7 @@ enum nft_chain_attributes {
 	NFTA_CHAIN_PAD,
 	NFTA_CHAIN_FLAGS,
 	NFTA_CHAIN_ID,
+	NFTA_CHAIN_USERDATA,
 	__NFTA_CHAIN_MAX
 };
 #define NFTA_CHAIN_MAX		(__NFTA_CHAIN_MAX - 1)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 84c0c1aaae99..c8065c6eae86 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1306,6 +1306,8 @@ static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
 	[NFTA_CHAIN_COUNTERS]	= { .type = NLA_NESTED },
 	[NFTA_CHAIN_FLAGS]	= { .type = NLA_U32 },
 	[NFTA_CHAIN_ID]		= { .type = NLA_U32 },
+	[NFTA_CHAIN_USERDATA]	= { .type = NLA_BINARY,
+				    .len = NFT_USERDATA_MAXLEN },
 };
 
 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
@@ -1447,6 +1449,10 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
 	if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
 		goto nla_put_failure;
 
+	if (chain->udata &&
+	    nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
+		goto nla_put_failure;
+
 	nlmsg_end(skb, nlh);
 	return 0;
 
@@ -1978,6 +1984,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 	struct nft_trans *trans;
 	struct nft_chain *chain;
 	struct nft_rule **rules;
+	u16 udlen = 0;
 	int err;
 
 	if (table->use == UINT_MAX)
@@ -2052,6 +2059,18 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 		goto err1;
 	}
 
+	if (nla[NFTA_CHAIN_USERDATA]) {
+		udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
+		chain->udata = kzalloc(udlen, GFP_KERNEL);
+		if (chain->udata == NULL) {
+			err = -ENOMEM;
+			goto err1;
+		}
+
+		nla_memcpy(chain->udata, nla[NFTA_CHAIN_USERDATA], udlen);
+		chain->udlen = udlen;
+	}
+
 	rules = nf_tables_chain_alloc_rules(chain, 0);
 	if (!rules) {
 		err = -ENOMEM;
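Review bot: chain->udata allocated here is never released when the chain itself is torn down: the diffstat's 19 insertions in nf_tables_api.c are all visible in this file's hunks (policy entry, dump, the udlen declaration and this block) and none of them touches the chain destroy path, so every chain that carries userdata leaks its buffer on deletion, and the same visibility shows that a chain update carrying NFTA_CHAIN_USERDATA is silently ignored. A `kfree(chain->udata);` belongs in the chain destroy function (outside this hunk), next to the release of the other per-chain allocations. The kzalloc plus nla_memcpy pair can also collapse to `chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);`, which avoids copying into a zeroed buffer first. nf_tables_addchain starts and ends outside the hunk.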
-- 
2.27.0



* [PATCH libnftnl 2/3] chain: add userdata and comment support
From: Jose M. Guisado Gomez @ 2020-09-21 13:28 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

Adds NFTNL_CHAIN_USERDATA, in order to support userdata for chains.

Adds NFTNL_UDATA_CHAIN_COMMENT chain userdata type to support storing a
comment.

Relies on NFTA_CHAIN_USERDATA.

Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
---
 include/libnftnl/chain.h            |  1 +
 include/libnftnl/udata.h            |  6 ++++++
 include/linux/netfilter/nf_tables.h |  2 ++
 src/chain.c                         | 31 +++++++++++++++++++++++++++++
 4 files changed, 40 insertions(+)

diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index 0e57a5a..f56e581 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -34,6 +34,7 @@ enum nftnl_chain_attr {
 	NFTNL_CHAIN_DEVICES,
 	NFTNL_CHAIN_FLAGS,
 	NFTNL_CHAIN_ID,
+	NFTNL_CHAIN_USERDATA,
 	__NFTNL_CHAIN_MAX
 };
 #define NFTNL_CHAIN_MAX (__NFTNL_CHAIN_MAX - 1)
diff --git a/include/libnftnl/udata.h b/include/libnftnl/udata.h
index 2e38fcc..dbf3a60 100644
--- a/include/libnftnl/udata.h
+++ b/include/libnftnl/udata.h
@@ -15,6 +15,12 @@ enum nftnl_udata_table_types {
 };
 #define NFTNL_UDATA_TABLE_MAX (__NFTNL_UDATA_TABLE_MAX - 1)
 
+enum nftnl_udata_chain_types {
+	NFTNL_UDATA_CHAIN_COMMENT,
+	__NFTNL_UDATA_CHAIN_MAX
+};
+#define NFTNL_UDATA_CHAIN_MAX (__NFTNL_UDATA_CHAIN_MAX - 1)
+
 enum nftnl_udata_rule_types {
 	NFTNL_UDATA_RULE_COMMENT,
 	NFTNL_UDATA_RULE_EBTABLES_POLICY,
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 8099777..77d178a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -197,6 +197,7 @@ enum nft_table_attributes {
  * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING)
  * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
  * @NFTA_CHAIN_FLAGS: chain flags
+ * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY)
  */
 enum nft_chain_attributes {
 	NFTA_CHAIN_UNSPEC,
@@ -211,6 +212,7 @@ enum nft_chain_attributes {
 	NFTA_CHAIN_PAD,
 	NFTA_CHAIN_FLAGS,
 	NFTA_CHAIN_ID,
+	NFTA_CHAIN_USERDATA,
 	__NFTA_CHAIN_MAX
 };
 #define NFTA_CHAIN_MAX		(__NFTA_CHAIN_MAX - 1)
diff --git a/src/chain.c b/src/chain.c
index 94efa90..aac9da6 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -51,6 +51,11 @@ struct nftnl_chain {
 	uint32_t	flags;
 	uint32_t	chain_id;
 
+	struct {
+		void		*data;
+		uint32_t	len;
+	} user;
+
 	struct list_head rule_list;
 };
 
@@ -125,6 +130,8 @@ void nftnl_chain_free(const struct nftnl_chain *c)
 		xfree(c->type);
 	if (c->flags & (1 << NFTNL_CHAIN_DEV))
 		xfree(c->dev);
+	if (c->flags & (1 << NFTNL_CHAIN_USERDATA))
+		xfree(c->user.data);
 	if (c->flags & (1 << NFTNL_CHAIN_DEVICES)) {
 		for (i = 0; i < c->dev_array_len; i++)
 			xfree(c->dev_array[i]);
@@ -290,6 +297,16 @@ int nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr,
 	case NFTNL_CHAIN_ID:
 		memcpy(&c->chain_id, data, sizeof(c->chain_id));
 		break;
+	case NFTNL_CHAIN_USERDATA:
+		if (c->flags & (1 << NFTNL_CHAIN_USERDATA))
+			xfree(c->user.data);
+
+		c->user.data = malloc(data_len);
+		if (!c->user.data)
+			return -1;
+		memcpy(c->user.data, data, data_len);
+		c->user.len = data_len;
+		break;
 	}
 	c->flags |= (1 << attr);
 	return 0;
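Review bot: On the malloc failure path of the NFTNL_CHAIN_USERDATA case the previous buffer has already been freed, but the NFTNL_CHAIN_USERDATA flag bit and `c->user.len` keep their old values, so a later nftnl_chain_nlmsg_build_payload or nftnl_chain_get_data hands out a NULL pointer with a non-zero length. Reset the state before bailing out: `c->user.len = 0; c->flags &= ~(1 << NFTNL_CHAIN_USERDATA); return -1;`. The caller added in nftnl_chain_nlmsg_parse in this same patch discards the -1, so the failure is also silent there. nftnl_chain_set_data begins and ends outside the hunk.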
@@ -391,6 +408,9 @@ const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr,
 	case NFTNL_CHAIN_ID:
 		*data_len = sizeof(uint32_t);
 		return &c->chain_id;
+	case NFTNL_CHAIN_USERDATA:
+		*data_len = c->user.len;
+		return c->user.data;
 	}
 	return NULL;
 }
@@ -513,6 +533,8 @@ void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_ch
 		mnl_attr_put_u32(nlh, NFTA_CHAIN_FLAGS, htonl(c->chain_flags));
 	if (c->flags & (1 << NFTNL_CHAIN_ID))
 		mnl_attr_put_u32(nlh, NFTA_CHAIN_ID, htonl(c->chain_id));
+	if (c->flags & (1 << NFTNL_CHAIN_USERDATA))
+		mnl_attr_put(nlh, NFTA_CHAIN_USERDATA, c->user.len, c->user.data);
 }
 
 EXPORT_SYMBOL(nftnl_chain_rule_add);
@@ -576,6 +598,10 @@ static int nftnl_chain_parse_attr_cb(const struct nlattr *attr, void *data)
 		if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0)
 			abi_breakage();
 		break;
+	case NFTA_CHAIN_USERDATA:
+		if (mnl_attr_validate(attr, MNL_TYPE_BINARY) < 0)
+			abi_breakage();
+		break;
 	}
 
 	tb[type] = attr;
@@ -777,6 +803,11 @@ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *c)
 		c->chain_id = ntohl(mnl_attr_get_u32(tb[NFTA_CHAIN_ID]));
 		c->flags |= (1 << NFTNL_CHAIN_ID);
 	}
+	if (tb[NFTA_CHAIN_USERDATA]) {
+		nftnl_chain_set_data(c, NFTNL_CHAIN_USERDATA,
+				     mnl_attr_get_payload(tb[NFTA_CHAIN_USERDATA]),
+				     mnl_attr_get_payload_len(tb[NFTA_CHAIN_USERDATA]));
+	}
 
 	c->family = nfg->nfgen_family;
 	c->flags |= (1 << NFTNL_CHAIN_FAMILY);
-- 
2.27.0



* [PATCH nftables 3/3] src: add comment support for chains
From: Jose M. Guisado Gomez @ 2020-09-21 13:28 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

This patch enables the user to specify a comment when adding a chain.

Relies on kernel space supporting userdata for chains.

> nft add table ip filter
> nft add chain ip filter input { comment "test"\; type filter hook input priority 0\; policy accept\; }
> list ruleset

table ip filter {
	chain input {
		comment "test"
		type filter hook input priority filter; policy accept;
	}
}

Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
---
 include/rule.h                                |  1 +
 src/mnl.c                                     | 11 +++++++
 src/netlink.c                                 | 32 +++++++++++++++++++
 src/parser_bison.y                            |  8 +++++
 src/rule.c                                    |  3 ++
 .../testcases/optionals/comments_chain_0      | 12 +++++++
 .../optionals/dumps/comments_chain_0.nft      |  5 +++
 7 files changed, 72 insertions(+)
 create mode 100755 tests/shell/testcases/optionals/comments_chain_0
 create mode 100644 tests/shell/testcases/optionals/dumps/comments_chain_0.nft

diff --git a/include/rule.h b/include/rule.h
index 837005b1..ffe8daab 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -225,6 +225,7 @@ struct chain {
 	struct location		location;
 	unsigned int		refcnt;
 	uint32_t		flags;
+	const char		*comment;
 	struct {
 		struct location		loc;
 		struct prio_spec	priority;
diff --git a/src/mnl.c b/src/mnl.c
index ca4f4b2a..3e0de103 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -612,6 +612,7 @@ err:
 int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
 		      unsigned int flags)
 {
+	struct nftnl_udata_buf *udbuf;
 	int priority, policy, i = 0;
 	struct nftnl_chain *nlc;
 	unsigned int ifname_len;
@@ -672,6 +673,16 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
 
 			xfree(dev_array);
 		}
+		if (cmd->chain->comment) {
+			udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
+			if (!udbuf)
+				memory_allocation_error();
+			if (!nftnl_udata_put_strz(udbuf, NFTNL_UDATA_CHAIN_COMMENT, cmd->chain->comment))
+				memory_allocation_error();
+			nftnl_chain_set_data(nlc, NFTNL_CHAIN_USERDATA, nftnl_udata_buf_data(udbuf),
+					     nftnl_udata_buf_len(udbuf));
+			nftnl_udata_buf_free(udbuf);
+		}
 	}
 	netlink_dump_chain(nlc, ctx);
 
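Review bot: A false return from nftnl_udata_put_strz is reported as memory_allocation_error(), but presumably it also returns false when the comment does not fit into the NFT_USERDATA_MAXLEN buffer, so an over-long comment aborts nft with a misleading out-of-memory message instead of an error that names the limit; checking the comment length where comment_spec is parsed, or here with an explicit error, would be clearer. The return value of nftnl_chain_set_data on the next lines is discarded, while the two allocations just above it are checked, so a failed copy silently drops the comment. The enclosing block and mnl_nft_chain_add itself begin and end outside the hunk.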
diff --git a/src/netlink.c b/src/netlink.c
index 6912b018..f8ac2b9e 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -472,12 +472,34 @@ void netlink_dump_chain(const struct nftnl_chain *nlc, struct netlink_ctx *ctx)
 	fprintf(fp, "\n");
 }
 
+static int chain_parse_udata_cb(const struct nftnl_udata *attr, void *data)
+{
+	unsigned char *value = nftnl_udata_get(attr);
+	uint8_t type = nftnl_udata_type(attr);
+	const struct nftnl_udata **tb = data;
+	uint8_t len = nftnl_udata_len(attr);
+
+	switch (type) {
+		case NFTNL_UDATA_CHAIN_COMMENT:
+			if (value[len - 1] != '\0')
+				return -1;
+			break;
+		default:
+			return 0;
+	}
+	tb[type] = attr;
+	return 0;
+}
+
 struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
 					const struct nftnl_chain *nlc)
 {
+	const struct nftnl_udata *ud[NFTNL_UDATA_OBJ_MAX + 1] = {};
 	int priority, policy, len = 0, i;
 	const char * const *dev_array;
 	struct chain *chain;
+	const char *udata;
+	uint32_t ulen;
 
 	chain = chain_alloc(nftnl_chain_get_str(nlc, NFTNL_CHAIN_NAME));
 	chain->handle.family =
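Review bot: chain_parse_udata_cb indexes `value[len - 1]` without checking that len is non-zero, so a zero-length NFTNL_UDATA_CHAIN_COMMENT TLV tests the byte before the payload (presumably the TLV's own length field, which is 0 and therefore passes the NUL check) and the later xstrdup in netlink_delinearize_chain can then read beyond the attribute. Guard it with `if (len == 0 || value[len - 1] != '\0') return -1;`. The `ud` array in netlink_delinearize_chain is sized with NFTNL_UDATA_OBJ_MAX although it is indexed by chain udata types, for which patch 2 adds NFTNL_UDATA_CHAIN_MAX: `const struct nftnl_udata *ud[NFTNL_UDATA_CHAIN_MAX + 1] = {};`. The case labels in the new callback are indented one level deeper than the `switch`, which kernel style avoids. netlink_delinearize_chain continues past the end of the hunk.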
@@ -534,6 +556,16 @@ struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
 		chain->flags        |= CHAIN_F_BASECHAIN;
 	}
 
+	if (nftnl_chain_is_set(nlc, NFTNL_CHAIN_USERDATA)) {
+		udata = nftnl_chain_get_data(nlc, NFTNL_CHAIN_USERDATA, &ulen);
+		if (nftnl_udata_parse(udata, ulen, chain_parse_udata_cb, ud) < 0) {
+			netlink_io_error(ctx, NULL, "Cannot parse userdata");
+			return NULL;
+		}
+		if (ud[NFTNL_UDATA_CHAIN_COMMENT])
+			chain->comment = xstrdup(nftnl_udata_get(ud[NFTNL_UDATA_CHAIN_COMMENT]));
+	}
+
 	return chain;
 }
 
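Review bot: The `return NULL` on the userdata parse error leaks `chain`, which chain_alloc allocated at the top of the function (outside this hunk) together with anything the base-chain branch attached to it; release it before returning, `chain_free(chain); return NULL;`, since chain_free already handles the dev_array and expressions. netlink_delinearize_chain begins outside the hunk.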
diff --git a/src/parser_bison.y b/src/parser_bison.y
index c7ea520c..4c71cd61 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1724,6 +1724,14 @@ chain_block		:	/* empty */	{ $$ = $<chain>-1; }
 				list_add_tail(&$2->list, &$1->rules);
 				$$ = $1;
 			}
+			|	chain_block	comment_spec	stmt_separator
+			{
+				if (already_set($1->comment, &@2, state)) {
+					xfree($2);
+					YYERROR;
+				}
+				$1->comment = $2;
+			}
 			;
 
 subchain_block		:	/* empty */	{ $$ = $<chain>-1; }
diff --git a/src/rule.c b/src/rule.c
index dabb3579..d75b36c4 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -929,6 +929,7 @@ void chain_free(struct chain *chain)
 	xfree(chain->dev_array);
 	expr_free(chain->priority.expr);
 	expr_free(chain->policy);
+	xfree(chain->comment);
 	xfree(chain);
 }
 
@@ -1220,6 +1221,8 @@ static void chain_print_declaration(const struct chain *chain,
 	nft_print(octx, "\tchain %s {", chain->handle.chain.name);
 	if (nft_output_handle(octx))
 		nft_print(octx, " # handle %" PRIu64, chain->handle.handle.id);
+	if (chain->comment)
+		nft_print(octx, "\n\t\tcomment \"%s\"", chain->comment);
 	nft_print(octx, "\n");
 	if (chain->flags & CHAIN_F_BASECHAIN) {
 		nft_print(octx, "\t\ttype %s hook %s", chain->type,
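Review bot: The comment is printed verbatim between double quotes, so a comment containing a `"` or a newline yields a listing that the parser is unlikely to read back, breaking the dump/restore round trip; the kernel only bounds the userdata length, so any sufficiently privileged netlink client can store such bytes and the comment parsing callback only checks for a trailing NUL. Either escape the string before printing it or reject those characters when the comment is parsed. chain_print_declaration continues beyond this hunk.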
diff --git a/tests/shell/testcases/optionals/comments_chain_0 b/tests/shell/testcases/optionals/comments_chain_0
new file mode 100755
index 00000000..fba961c7
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_chain_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+EXPECTED='table ip test_table {
+	chain test_chain {
+		comment "test"
+	}
+}
+'
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/optionals/dumps/comments_chain_0.nft b/tests/shell/testcases/optionals/dumps/comments_chain_0.nft
new file mode 100644
index 00000000..be3d8f33
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_chain_0.nft
@@ -0,0 +1,5 @@
+table ip test_table {
+	chain test_chain {
+		comment "test"
+	}
+}
-- 
2.27.0



* Re: [PATCH nf-next 1/3] netfilter: nf_tables: add userdata attributes to nft_chain
From: Pablo Neira Ayuso @ 2020-09-21 23:49 UTC (permalink / raw)
  To: Jose M. Guisado Gomez; +Cc: netfilter-devel

On Mon, Sep 21, 2020 at 03:28:21PM +0200, Jose M. Guisado Gomez wrote:
> Enables storing userdata for nft_chain. Field udata points to user data
> and udlen stores its length.
> 
> Adds new attribute flag NFTA_CHAIN_USERDATA.
> 
> Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
> ---
>  include/net/netfilter/nf_tables.h        |  2 ++
>  include/uapi/linux/netfilter/nf_tables.h |  2 ++
>  net/netfilter/nf_tables_api.c            | 19 +++++++++++++++++++
>  3 files changed, 23 insertions(+)
> 
> diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
> index 8ceca0e419b3..4686fafbfd8a 100644
> --- a/include/net/netfilter/nf_tables.h
> +++ b/include/net/netfilter/nf_tables.h
> @@ -952,6 +952,8 @@ struct nft_chain {
>  					bound:1,
>  					genmask:2;
>  	char				*name;
> +	u16				udlen;
> +	u8				*udata;
>  
>  	/* Only used during control plane commit phase: */
>  	struct nft_rule			**rules_next;
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 3c2469b43742..352ee51707a1 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -208,6 +208,7 @@ enum nft_chain_flags {
>   * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
>   * @NFTA_CHAIN_FLAGS: chain flags
>   * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32)
> + * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY)
>   */
>  enum nft_chain_attributes {
>  	NFTA_CHAIN_UNSPEC,
> @@ -222,6 +223,7 @@ enum nft_chain_attributes {
>  	NFTA_CHAIN_PAD,
>  	NFTA_CHAIN_FLAGS,
>  	NFTA_CHAIN_ID,
> +	NFTA_CHAIN_USERDATA,
>  	__NFTA_CHAIN_MAX
>  };
>  #define NFTA_CHAIN_MAX		(__NFTA_CHAIN_MAX - 1)
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 84c0c1aaae99..c8065c6eae86 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
[...]
> @@ -2052,6 +2059,18 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
>  		goto err1;
>  	}
>  
> +	if (nla[NFTA_CHAIN_USERDATA]) {
> +		udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
> +		chain->udata = kzalloc(udlen, GFP_KERNEL);
> +		if (chain->udata == NULL) {
> +			err = -ENOMEM;
> +			goto err1;
> +		}
> +
> +		nla_memcpy(chain->udata, nla[NFTA_CHAIN_USERDATA], udlen);
> +		chain->udlen = udlen;
> +	}
> +
>  	rules = nf_tables_chain_alloc_rules(chain, 0);
>  	if (!rules) {
>  		err = -ENOMEM;

Hm, kfree(chain->udata) from the error path is missing?

While at it, you could probably rename all those ugly BASIC-like err1
goto labels in the same patch.

Thanks.

