1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Tue, 9 Jan 2018 02:38:03 +0100
3 Subject: [PATCH] netfilter: nf_tables: add single table list for all families
4
5 Place all existing user defined tables in struct net *, instead of
6 having one list per family. This saves us from one level of indentation
7 in netlink dump functions.
8
9 Place pointer to struct nft_af_info in struct nft_table temporarily, as
10 we still need this to put back the module reference counter on
11 table removal.
12
13 This patch comes in preparation for the removal of struct nft_af_info.
14
15 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
16 ---
17
18 --- a/include/net/netfilter/nf_tables.h
19 +++ b/include/net/netfilter/nf_tables.h
20 @@ -143,22 +143,22 @@ static inline void nft_data_debug(const
21 * struct nft_ctx - nf_tables rule/set context
22 *
23 * @net: net namespace
24 - * @afi: address family info
25 * @table: the table the chain is contained in
26 * @chain: the chain the rule is contained in
27 * @nla: netlink attributes
28 * @portid: netlink portID of the original message
29 * @seq: netlink sequence number
30 + * @family: protocol family
31 * @report: notify via unicast netlink message
32 */
33 struct nft_ctx {
34 struct net *net;
35 - struct nft_af_info *afi;
36 struct nft_table *table;
37 struct nft_chain *chain;
38 const struct nlattr * const *nla;
39 u32 portid;
40 u32 seq;
41 + u8 family;
42 bool report;
43 };
44
45 @@ -939,6 +939,7 @@ unsigned int nft_do_chain(struct nft_pkt
46 * @use: number of chain references to this table
47 * @flags: table flag (see enum nft_table_flags)
48 * @genmask: generation mask
49 + * @afinfo: address family info
50 * @name: name of the table
51 */
52 struct nft_table {
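Review bot: The kernel-doc entry added here is `@afinfo`, but the member added to struct nft_table in the next hunk is named `afi`, so the comment describes a field that does not exist and the real one stays undocumented. Rename the entry to match the member, `* @afi: address family info`. Since the commit message calls this pointer temporary, the description could also say it is kept only so that table destruction can drop the family module reference.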
53 @@ -951,6 +952,7 @@ struct nft_table {
54 u32 use;
55 u16 flags:14,
56 genmask:2;
57 + struct nft_af_info *afi;
58 char *name;
59 };
60
61 @@ -960,13 +962,11 @@ struct nft_table {
62 * @list: used internally
63 * @family: address family
64 * @owner: module owner
65 - * @tables: used internally
66 */
67 struct nft_af_info {
68 struct list_head list;
69 int family;
70 struct module *owner;
71 - struct list_head tables;
72 };
73
74 int nft_register_afinfo(struct net *, struct nft_af_info *);
75 --- a/include/net/netns/nftables.h
76 +++ b/include/net/netns/nftables.h
77 @@ -8,6 +8,7 @@ struct nft_af_info;
78
79 struct netns_nftables {
80 struct list_head af_info;
81 + struct list_head tables;
82 struct list_head commit_list;
83 struct nft_af_info *ipv4;
84 struct nft_af_info *ipv6;
85 --- a/net/netfilter/nf_tables_api.c
86 +++ b/net/netfilter/nf_tables_api.c
87 @@ -37,7 +37,6 @@ static LIST_HEAD(nf_tables_flowtables);
88 */
89 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
90 {
91 - INIT_LIST_HEAD(&afi->tables);
92 nfnl_lock(NFNL_SUBSYS_NFTABLES);
93 list_add_tail_rcu(&afi->list, &net->nft.af_info);
94 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
95 @@ -99,13 +98,13 @@ static void nft_ctx_init(struct nft_ctx
96 struct net *net,
97 const struct sk_buff *skb,
98 const struct nlmsghdr *nlh,
99 - struct nft_af_info *afi,
100 + u8 family,
101 struct nft_table *table,
102 struct nft_chain *chain,
103 const struct nlattr * const *nla)
104 {
105 ctx->net = net;
106 - ctx->afi = afi;
107 + ctx->family = family;
108 ctx->table = table;
109 ctx->chain = chain;
110 ctx->nla = nla;
111 @@ -385,30 +384,31 @@ static int nft_delflowtable(struct nft_c
112 * Tables
113 */
114
115 -static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
116 +static struct nft_table *nft_table_lookup(const struct net *net,
117 const struct nlattr *nla,
118 - u8 genmask)
119 + u8 family, u8 genmask)
120 {
121 struct nft_table *table;
122
123 - list_for_each_entry(table, &afi->tables, list) {
124 + list_for_each_entry(table, &net->nft.tables, list) {
125 if (!nla_strcmp(nla, table->name) &&
126 + table->afi->family == family &&
127 nft_active_genmask(table, genmask))
128 return table;
129 }
130 return NULL;
131 }
132
133 -static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
134 +static struct nft_table *nf_tables_table_lookup(const struct net *net,
135 const struct nlattr *nla,
136 - u8 genmask)
137 + u8 family, u8 genmask)
138 {
139 struct nft_table *table;
140
141 if (nla == NULL)
142 return ERR_PTR(-EINVAL);
143
144 - table = nft_table_lookup(afi, nla, genmask);
145 + table = nft_table_lookup(net, nla, family, genmask);
146 if (table != NULL)
147 return table;
148
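Review bot: nft_table_lookup has no comment explaining that, with one list per netns, a table name no longer identifies a table on its own; the added `table->afi->family == family` test is now the only thing keeping same-named tables of different families apart. A short comment above the function would help, for example `/* Tables of all families share net->nft.tables; a match needs name, family and an active generation. */`. It is also worth stating there that `table->afi` is expected to be set before the table is linked into the list, as nf_tables_newtable does later in this patch.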
149 @@ -507,7 +507,7 @@ static void nf_tables_table_notify(const
150 goto err;
151
152 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
153 - event, 0, ctx->afi->family, ctx->table);
154 + event, 0, ctx->family, ctx->table);
155 if (err < 0) {
156 kfree_skb(skb);
157 goto err;
158 @@ -524,7 +524,6 @@ static int nf_tables_dump_tables(struct
159 struct netlink_callback *cb)
160 {
161 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
162 - const struct nft_af_info *afi;
163 const struct nft_table *table;
164 unsigned int idx = 0, s_idx = cb->args[0];
165 struct net *net = sock_net(skb->sk);
166 @@ -533,30 +532,27 @@ static int nf_tables_dump_tables(struct
167 rcu_read_lock();
168 cb->seq = net->nft.base_seq;
169
170 - list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
171 - if (family != NFPROTO_UNSPEC && family != afi->family)
172 + list_for_each_entry_rcu(table, &net->nft.tables, list) {
173 + if (family != NFPROTO_UNSPEC && family != table->afi->family)
174 continue;
175
176 - list_for_each_entry_rcu(table, &afi->tables, list) {
177 - if (idx < s_idx)
178 - goto cont;
179 - if (idx > s_idx)
180 - memset(&cb->args[1], 0,
181 - sizeof(cb->args) - sizeof(cb->args[0]));
182 - if (!nft_is_active(net, table))
183 - continue;
184 - if (nf_tables_fill_table_info(skb, net,
185 - NETLINK_CB(cb->skb).portid,
186 - cb->nlh->nlmsg_seq,
187 - NFT_MSG_NEWTABLE,
188 - NLM_F_MULTI,
189 - afi->family, table) < 0)
190 - goto done;
191 + if (idx < s_idx)
192 + goto cont;
193 + if (idx > s_idx)
194 + memset(&cb->args[1], 0,
195 + sizeof(cb->args) - sizeof(cb->args[0]));
196 + if (!nft_is_active(net, table))
197 + continue;
198 + if (nf_tables_fill_table_info(skb, net,
199 + NETLINK_CB(cb->skb).portid,
200 + cb->nlh->nlmsg_seq,
201 + NFT_MSG_NEWTABLE, NLM_F_MULTI,
202 + table->afi->family, table) < 0)
203 + goto done;
204
205 - nl_dump_check_consistent(cb, nlmsg_hdr(skb));
206 + nl_dump_check_consistent(cb, nlmsg_hdr(skb));
207 cont:
208 - idx++;
209 - }
210 + idx++;
211 }
212 done:
213 rcu_read_unlock();
214 @@ -588,7 +584,8 @@ static int nf_tables_gettable(struct net
215 if (IS_ERR(afi))
216 return PTR_ERR(afi);
217
218 - table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
219 + table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family,
220 + genmask);
221 if (IS_ERR(table))
222 return PTR_ERR(table);
223
224 @@ -719,7 +716,7 @@ static int nf_tables_newtable(struct net
225 return PTR_ERR(afi);
226
227 name = nla[NFTA_TABLE_NAME];
228 - table = nf_tables_table_lookup(afi, name, genmask);
229 + table = nf_tables_table_lookup(net, name, afi->family, genmask);
230 if (IS_ERR(table)) {
231 if (PTR_ERR(table) != -ENOENT)
232 return PTR_ERR(table);
233 @@ -729,7 +726,7 @@ static int nf_tables_newtable(struct net
234 if (nlh->nlmsg_flags & NLM_F_REPLACE)
235 return -EOPNOTSUPP;
236
237 - nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
238 + nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
239 return nf_tables_updtable(&ctx);
240 }
241
242 @@ -756,14 +753,15 @@ static int nf_tables_newtable(struct net
243 INIT_LIST_HEAD(&table->sets);
244 INIT_LIST_HEAD(&table->objects);
245 INIT_LIST_HEAD(&table->flowtables);
246 + table->afi = afi;
247 table->flags = flags;
248
249 - nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
250 + nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
251 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
252 if (err < 0)
253 goto err4;
254
255 - list_add_tail_rcu(&table->list, &afi->tables);
256 + list_add_tail_rcu(&table->list, &net->nft.tables);
257 return 0;
258 err4:
259 kfree(table->name);
260 @@ -837,30 +835,28 @@ out:
261
262 static int nft_flush(struct nft_ctx *ctx, int family)
263 {
264 - struct nft_af_info *afi;
265 struct nft_table *table, *nt;
266 const struct nlattr * const *nla = ctx->nla;
267 int err = 0;
268
269 - list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
270 - if (family != AF_UNSPEC && afi->family != family)
271 + list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
272 + if (family != AF_UNSPEC && table->afi->family != family)
273 continue;
274
275 - ctx->afi = afi;
276 - list_for_each_entry_safe(table, nt, &afi->tables, list) {
277 - if (!nft_is_active_next(ctx->net, table))
278 - continue;
279 + ctx->family = table->afi->family;
280
281 - if (nla[NFTA_TABLE_NAME] &&
282 - nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
283 - continue;
284 + if (!nft_is_active_next(ctx->net, table))
285 + continue;
286
287 - ctx->table = table;
288 + if (nla[NFTA_TABLE_NAME] &&
289 + nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
290 + continue;
291
292 - err = nft_flush_table(ctx);
293 - if (err < 0)
294 - goto out;
295 - }
296 + ctx->table = table;
297 +
298 + err = nft_flush_table(ctx);
299 + if (err < 0)
300 + goto out;
301 }
302 out:
303 return err;
304 @@ -878,7 +874,7 @@ static int nf_tables_deltable(struct net
305 int family = nfmsg->nfgen_family;
306 struct nft_ctx ctx;
307
308 - nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
309 + nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
310 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
311 return nft_flush(&ctx, family);
312
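Review bot: The bare `0` passed as the family in `nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);` reads as a magic number now that the parameter is a `u8` rather than a pointer. The dump functions in this same patch spell the "no family" value as `NFPROTO_UNSPEC`, so `nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, nla);` would state the intent. nft_flush overwrites ctx->family for each table it visits, so the value here is only a placeholder, which a one-line comment could say.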
313 @@ -886,7 +882,8 @@ static int nf_tables_deltable(struct net
314 if (IS_ERR(afi))
315 return PTR_ERR(afi);
316
317 - table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
318 + table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family,
319 + genmask);
320 if (IS_ERR(table))
321 return PTR_ERR(table);
322
323 @@ -894,7 +891,7 @@ static int nf_tables_deltable(struct net
324 table->use > 0)
325 return -EBUSY;
326
327 - ctx.afi = afi;
328 + ctx.family = afi->family;
329 ctx.table = table;
330
331 return nft_flush_table(&ctx);
332 @@ -906,7 +903,7 @@ static void nf_tables_table_destroy(stru
333
334 kfree(ctx->table->name);
335 kfree(ctx->table);
336 - module_put(ctx->afi->owner);
337 + module_put(ctx->table->afi->owner);
338 }
339
340 int nft_register_chain_type(const struct nf_chain_type *ctype)
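Review bot: `module_put(ctx->table->afi->owner)` is evaluated after `kfree(ctx->table)` on the line above it, so the new line reads the `afi` pointer out of memory that has already been freed. The old code took the owner from `ctx->afi`, which did not live inside the table allocation. Move the put ahead of the two frees, or latch the owner first with `struct module *owner = ctx->table->afi->owner;` and call `module_put(owner);` at the end. The top of nf_tables_table_destroy is outside this hunk.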
341 @@ -1107,7 +1104,7 @@ static void nf_tables_chain_notify(const
342 goto err;
343
344 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
345 - event, 0, ctx->afi->family, ctx->table,
346 + event, 0, ctx->family, ctx->table,
347 ctx->chain);
348 if (err < 0) {
349 kfree_skb(skb);
350 @@ -1125,7 +1122,6 @@ static int nf_tables_dump_chains(struct
351 struct netlink_callback *cb)
352 {
353 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
354 - const struct nft_af_info *afi;
355 const struct nft_table *table;
356 const struct nft_chain *chain;
357 unsigned int idx = 0, s_idx = cb->args[0];
358 @@ -1135,31 +1131,30 @@ static int nf_tables_dump_chains(struct
359 rcu_read_lock();
360 cb->seq = net->nft.base_seq;
361
362 - list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
363 - if (family != NFPROTO_UNSPEC && family != afi->family)
364 + list_for_each_entry_rcu(table, &net->nft.tables, list) {
365 + if (family != NFPROTO_UNSPEC && family != table->afi->family)
366 continue;
367
368 - list_for_each_entry_rcu(table, &afi->tables, list) {
369 - list_for_each_entry_rcu(chain, &table->chains, list) {
370 - if (idx < s_idx)
371 - goto cont;
372 - if (idx > s_idx)
373 - memset(&cb->args[1], 0,
374 - sizeof(cb->args) - sizeof(cb->args[0]));
375 - if (!nft_is_active(net, chain))
376 - continue;
377 - if (nf_tables_fill_chain_info(skb, net,
378 - NETLINK_CB(cb->skb).portid,
379 - cb->nlh->nlmsg_seq,
380 - NFT_MSG_NEWCHAIN,
381 - NLM_F_MULTI,
382 - afi->family, table, chain) < 0)
383 - goto done;
384 + list_for_each_entry_rcu(chain, &table->chains, list) {
385 + if (idx < s_idx)
386 + goto cont;
387 + if (idx > s_idx)
388 + memset(&cb->args[1], 0,
389 + sizeof(cb->args) - sizeof(cb->args[0]));
390 + if (!nft_is_active(net, chain))
391 + continue;
392 + if (nf_tables_fill_chain_info(skb, net,
393 + NETLINK_CB(cb->skb).portid,
394 + cb->nlh->nlmsg_seq,
395 + NFT_MSG_NEWCHAIN,
396 + NLM_F_MULTI,
397 + table->afi->family, table,
398 + chain) < 0)
399 + goto done;
400
401 - nl_dump_check_consistent(cb, nlmsg_hdr(skb));
402 + nl_dump_check_consistent(cb, nlmsg_hdr(skb));
403 cont:
404 - idx++;
405 - }
406 + idx++;
407 }
408 }
409 done:
410 @@ -1193,7 +1188,8 @@ static int nf_tables_getchain(struct net
411 if (IS_ERR(afi))
412 return PTR_ERR(afi);
413
414 - table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
415 + table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
416 + genmask);
417 if (IS_ERR(table))
418 return PTR_ERR(table);
419
420 @@ -1301,8 +1297,8 @@ struct nft_chain_hook {
421
422 static int nft_chain_parse_hook(struct net *net,
423 const struct nlattr * const nla[],
424 - struct nft_af_info *afi,
425 - struct nft_chain_hook *hook, bool create)
426 + struct nft_chain_hook *hook, u8 family,
427 + bool create)
428 {
429 struct nlattr *ha[NFTA_HOOK_MAX + 1];
430 const struct nf_chain_type *type;
431 @@ -1321,10 +1317,10 @@ static int nft_chain_parse_hook(struct n
432 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
433 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
434
435 - type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
436 + type = chain_type[family][NFT_CHAIN_T_DEFAULT];
437 if (nla[NFTA_CHAIN_TYPE]) {
438 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
439 - afi->family, create);
440 + family, create);
441 if (IS_ERR(type))
442 return PTR_ERR(type);
443 }
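Review bot: `chain_type[family][NFT_CHAIN_T_DEFAULT]` now indexes the table with a plain `u8` argument instead of a value read from a registered `struct nft_af_info`, and nothing in nft_chain_parse_hook checks its range. The callers visible in this patch pass `ctx->family` or a local `family`, which appear to come from a looked-up afi, but that precondition is no longer expressed by the parameter type. A comment on the function such as `/* @family must come from a registered nft_af_info; it indexes chain_type[] unchecked. */` would record it. The function starts and ends outside this hunk.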
444 @@ -1336,7 +1332,7 @@ static int nft_chain_parse_hook(struct n
445 hook->type = type;
446
447 hook->dev = NULL;
448 - if (afi->family == NFPROTO_NETDEV) {
449 + if (family == NFPROTO_NETDEV) {
450 char ifname[IFNAMSIZ];
451
452 if (!ha[NFTA_HOOK_DEV]) {
453 @@ -1371,7 +1367,6 @@ static int nf_tables_addchain(struct nft
454 {
455 const struct nlattr * const *nla = ctx->nla;
456 struct nft_table *table = ctx->table;
457 - struct nft_af_info *afi = ctx->afi;
458 struct nft_base_chain *basechain;
459 struct nft_stats __percpu *stats;
460 struct net *net = ctx->net;
461 @@ -1385,7 +1380,7 @@ static int nf_tables_addchain(struct nft
462 struct nft_chain_hook hook;
463 struct nf_hook_ops *ops;
464
465 - err = nft_chain_parse_hook(net, nla, afi, &hook, create);
466 + err = nft_chain_parse_hook(net, nla, &hook, family, create);
467 if (err < 0)
468 return err;
469
470 @@ -1478,7 +1473,7 @@ static int nf_tables_updchain(struct nft
471 if (!nft_is_base_chain(chain))
472 return -EBUSY;
473
474 - err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook,
475 + err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
476 create);
477 if (err < 0)
478 return err;
479 @@ -1571,7 +1566,8 @@ static int nf_tables_newchain(struct net
480 if (IS_ERR(afi))
481 return PTR_ERR(afi);
482
483 - table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
484 + table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
485 + genmask);
486 if (IS_ERR(table))
487 return PTR_ERR(table);
488
489 @@ -1611,7 +1607,7 @@ static int nf_tables_newchain(struct net
490 }
491 }
492
493 - nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
494 + nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
495
496 if (chain != NULL) {
497 if (nlh->nlmsg_flags & NLM_F_EXCL)
498 @@ -1645,7 +1641,8 @@ static int nf_tables_delchain(struct net
499 if (IS_ERR(afi))
500 return PTR_ERR(afi);
501
502 - table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
503 + table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
504 + genmask);
505 if (IS_ERR(table))
506 return PTR_ERR(table);
507
508 @@ -1657,7 +1654,7 @@ static int nf_tables_delchain(struct net
509 chain->use > 0)
510 return -EBUSY;
511
512 - nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
513 + nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
514
515 use = chain->use;
516 list_for_each_entry(rule, &chain->rules, list) {
517 @@ -1822,7 +1819,7 @@ static int nf_tables_expr_parse(const st
518 if (err < 0)
519 return err;
520
521 - type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
522 + type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
523 if (IS_ERR(type))
524 return PTR_ERR(type);
525
526 @@ -2045,7 +2042,7 @@ static void nf_tables_rule_notify(const
527 goto err;
528
529 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
530 - event, 0, ctx->afi->family, ctx->table,
531 + event, 0, ctx->family, ctx->table,
532 ctx->chain, rule);
533 if (err < 0) {
534 kfree_skb(skb);
535 @@ -2069,7 +2066,6 @@ static int nf_tables_dump_rules(struct s
536 {
537 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
538 const struct nft_rule_dump_ctx *ctx = cb->data;
539 - const struct nft_af_info *afi;
540 const struct nft_table *table;
541 const struct nft_chain *chain;
542 const struct nft_rule *rule;
543 @@ -2080,39 +2076,37 @@ static int nf_tables_dump_rules(struct s
544 rcu_read_lock();
545 cb->seq = net->nft.base_seq;
546
547 - list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
548 - if (family != NFPROTO_UNSPEC && family != afi->family)
549 + list_for_each_entry_rcu(table, &net->nft.tables, list) {
550 + if (family != NFPROTO_UNSPEC && family != table->afi->family)
551 continue;
552
553 - list_for_each_entry_rcu(table, &afi->tables, list) {
554 - if (ctx && ctx->table &&
555 - strcmp(ctx->table, table->name) != 0)
556 - continue;
557 + if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
558 + continue;
559
560 - list_for_each_entry_rcu(chain, &table->chains, list) {
561 - if (ctx && ctx->chain &&
562 - strcmp(ctx->chain, chain->name) != 0)
563 - continue;
564 + list_for_each_entry_rcu(chain, &table->chains, list) {
565 + if (ctx && ctx->chain &&
566 + strcmp(ctx->chain, chain->name) != 0)
567 + continue;
568
569 - list_for_each_entry_rcu(rule, &chain->rules, list) {
570 - if (!nft_is_active(net, rule))
571 - goto cont;
572 - if (idx < s_idx)
573 - goto cont;
574 - if (idx > s_idx)
575 - memset(&cb->args[1], 0,
576 - sizeof(cb->args) - sizeof(cb->args[0]));
577 - if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
578 - cb->nlh->nlmsg_seq,
579 - NFT_MSG_NEWRULE,
580 - NLM_F_MULTI | NLM_F_APPEND,
581 - afi->family, table, chain, rule) < 0)
582 - goto done;
583 + list_for_each_entry_rcu(rule, &chain->rules, list) {
584 + if (!nft_is_active(net, rule))
585 + goto cont;
586 + if (idx < s_idx)
587 + goto cont;
588 + if (idx > s_idx)
589 + memset(&cb->args[1], 0,
590 + sizeof(cb->args) - sizeof(cb->args[0]));
591 + if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
592 + cb->nlh->nlmsg_seq,
593 + NFT_MSG_NEWRULE,
594 + NLM_F_MULTI | NLM_F_APPEND,
595 + table->afi->family,
596 + table, chain, rule) < 0)
597 + goto done;
598
599 - nl_dump_check_consistent(cb, nlmsg_hdr(skb));
600 + nl_dump_check_consistent(cb, nlmsg_hdr(skb));
601 cont:
602 - idx++;
603 - }
604 + idx++;
605 }
606 }
607 }
608 @@ -2190,7 +2184,8 @@ static int nf_tables_getrule(struct net
609 if (IS_ERR(afi))
610 return PTR_ERR(afi);
611
612 - table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
613 + table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
614 + genmask);
615 if (IS_ERR(table))
616 return PTR_ERR(table);
617
618 @@ -2267,7 +2262,8 @@ static int nf_tables_newrule(struct net
619 if (IS_ERR(afi))
620 return PTR_ERR(afi);
621
622 - table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
623 + table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
624 + genmask);
625 if (IS_ERR(table))
626 return PTR_ERR(table);
627
628 @@ -2306,7 +2302,7 @@ static int nf_tables_newrule(struct net
629 return PTR_ERR(old_rule);
630 }
631
632 - nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
633 + nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
634
635 n = 0;
636 size = 0;
637 @@ -2441,7 +2437,8 @@ static int nf_tables_delrule(struct net
638 if (IS_ERR(afi))
639 return PTR_ERR(afi);
640
641 - table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
642 + table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
643 + genmask);
644 if (IS_ERR(table))
645 return PTR_ERR(table);
646
647 @@ -2452,7 +2449,7 @@ static int nf_tables_delrule(struct net
648 return PTR_ERR(chain);
649 }
650
651 - nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
652 + nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
653
654 if (chain) {
655 if (nla[NFTA_RULE_HANDLE]) {
656 @@ -2650,13 +2647,13 @@ static int nft_ctx_init_from_setattr(str
657 if (afi == NULL)
658 return -EAFNOSUPPORT;
659
660 - table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
661 - genmask);
662 + table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE],
663 + afi->family, genmask);
664 if (IS_ERR(table))
665 return PTR_ERR(table);
666 }
667
668 - nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
669 + nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla);
670 return 0;
671 }
672
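Review bot: `afi->family` in the new `nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla);` is dereferenced unconditionally, yet the `if (afi == NULL) return -EAFNOSUPPORT;` a few lines up shows that `afi` can be NULL in this function and is rejected only inside the block that closes just before the call. When that block is skipped (its condition is outside the hunk, presumably no NFTA_SET_TABLE attribute), the call dereferences a NULL pointer where the old code merely stored it. Passing `afi ? afi->family : NFPROTO_UNSPEC` keeps the previous behaviour and agrees with the `ctx->family != NFPROTO_UNSPEC` test that nf_tables_dump_sets gains in this patch.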
673 @@ -2783,7 +2780,7 @@ static int nf_tables_fill_set(struct sk_
674 goto nla_put_failure;
675
676 nfmsg = nlmsg_data(nlh);
677 - nfmsg->nfgen_family = ctx->afi->family;
678 + nfmsg->nfgen_family = ctx->family;
679 nfmsg->version = NFNETLINK_V0;
680 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
681
682 @@ -2875,10 +2872,8 @@ static int nf_tables_dump_sets(struct sk
683 {
684 const struct nft_set *set;
685 unsigned int idx, s_idx = cb->args[0];
686 - struct nft_af_info *afi;
687 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
688 struct net *net = sock_net(skb->sk);
689 - int cur_family = cb->args[3];
690 struct nft_ctx *ctx = cb->data, ctx_set;
691
692 if (cb->args[1])
693 @@ -2887,51 +2882,44 @@ static int nf_tables_dump_sets(struct sk
694 rcu_read_lock();
695 cb->seq = net->nft.base_seq;
696
697 - list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
698 - if (ctx->afi && ctx->afi != afi)
699 + list_for_each_entry_rcu(table, &net->nft.tables, list) {
700 + if (ctx->family != NFPROTO_UNSPEC &&
701 + ctx->family != table->afi->family)
702 continue;
703
704 - if (cur_family) {
705 - if (afi->family != cur_family)
706 + if (ctx->table && ctx->table != table)
707 + continue;
708 +
709 + if (cur_table) {
710 + if (cur_table != table)
711 continue;
712
713 - cur_family = 0;
714 + cur_table = NULL;
715 }
716 - list_for_each_entry_rcu(table, &afi->tables, list) {
717 - if (ctx->table && ctx->table != table)
718 - continue;
719 + idx = 0;
720 + list_for_each_entry_rcu(set, &table->sets, list) {
721 + if (idx < s_idx)
722 + goto cont;
723 + if (!nft_is_active(net, set))
724 + goto cont;
725
726 - if (cur_table) {
727 - if (cur_table != table)
728 - continue;
729 + ctx_set = *ctx;
730 + ctx_set.table = table;
731 + ctx_set.family = table->afi->family;
732
733 - cur_table = NULL;
734 + if (nf_tables_fill_set(skb, &ctx_set, set,
735 + NFT_MSG_NEWSET,
736 + NLM_F_MULTI) < 0) {
737 + cb->args[0] = idx;
738 + cb->args[2] = (unsigned long) table;
739 + goto done;
740 }
741 - idx = 0;
742 - list_for_each_entry_rcu(set, &table->sets, list) {
743 - if (idx < s_idx)
744 - goto cont;
745 - if (!nft_is_active(net, set))
746 - goto cont;
747 -
748 - ctx_set = *ctx;
749 - ctx_set.table = table;
750 - ctx_set.afi = afi;
751 - if (nf_tables_fill_set(skb, &ctx_set, set,
752 - NFT_MSG_NEWSET,
753 - NLM_F_MULTI) < 0) {
754 - cb->args[0] = idx;
755 - cb->args[2] = (unsigned long) table;
756 - cb->args[3] = afi->family;
757 - goto done;
758 - }
759 - nl_dump_check_consistent(cb, nlmsg_hdr(skb));
760 + nl_dump_check_consistent(cb, nlmsg_hdr(skb));
761 cont:
762 - idx++;
763 - }
764 - if (s_idx)
765 - s_idx = 0;
766 + idx++;
767 }
768 + if (s_idx)
769 + s_idx = 0;
770 }
771 cb->args[1] = 1;
772 done:
773 @@ -3141,11 +3129,12 @@ static int nf_tables_newset(struct net *
774 if (IS_ERR(afi))
775 return PTR_ERR(afi);
776
777 - table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
778 + table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], afi->family,
779 + genmask);
780 if (IS_ERR(table))
781 return PTR_ERR(table);
782
783 - nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
784 + nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
785
786 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
787 if (IS_ERR(set)) {
788 @@ -3410,12 +3399,12 @@ static int nft_ctx_init_from_elemattr(st
789 if (IS_ERR(afi))
790 return PTR_ERR(afi);
791
792 - table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
793 - genmask);
794 + table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE],
795 + afi->family, genmask);
796 if (IS_ERR(table))
797 return PTR_ERR(table);
798
799 - nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
800 + nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla);
801 return 0;
802 }
803
804 @@ -3520,7 +3509,6 @@ static int nf_tables_dump_set(struct sk_
805 {
806 struct nft_set_dump_ctx *dump_ctx = cb->data;
807 struct net *net = sock_net(skb->sk);
808 - struct nft_af_info *afi;
809 struct nft_table *table;
810 struct nft_set *set;
811 struct nft_set_dump_args args;
812 @@ -3532,21 +3520,19 @@ static int nf_tables_dump_set(struct sk_
813 int event;
814
815 rcu_read_lock();
816 - list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
817 - if (afi != dump_ctx->ctx.afi)
818 + list_for_each_entry_rcu(table, &net->nft.tables, list) {
819 + if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
820 + dump_ctx->ctx.family != table->afi->family)
821 continue;
822
823 - list_for_each_entry_rcu(table, &afi->tables, list) {
824 - if (table != dump_ctx->ctx.table)
825 - continue;
826 + if (table != dump_ctx->ctx.table)
827 + continue;
828
829 - list_for_each_entry_rcu(set, &table->sets, list) {
830 - if (set == dump_ctx->set) {
831 - set_found = true;
832 - break;
833 - }
834 + list_for_each_entry_rcu(set, &table->sets, list) {
835 + if (set == dump_ctx->set) {
836 + set_found = true;
837 + break;
838 }
839 - break;
840 }
841 break;
842 }
843 @@ -3566,7 +3552,7 @@ static int nf_tables_dump_set(struct sk_
844 goto nla_put_failure;
845
846 nfmsg = nlmsg_data(nlh);
847 - nfmsg->nfgen_family = afi->family;
848 + nfmsg->nfgen_family = table->afi->family;
849 nfmsg->version = NFNETLINK_V0;
850 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
851
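Review bot: `table->afi->family` is read here through the cursor of the `list_for_each_entry_rcu` loop in the previous hunk, and that cursor refers to a real table only if the loop left through its `break`. Whether the no-match case can reach this line depends on the `set_found` check, which sits between the two hunks and is not visible here. Reading the family from the validated context instead, `nfmsg->nfgen_family = dump_ctx->ctx.table->afi->family;`, would not depend on how the loop ended; at minimum a comment should say that `table` is valid only once `set_found` is true.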
852 @@ -3668,7 +3654,7 @@ static int nf_tables_fill_setelem_info(s
853 goto nla_put_failure;
854
855 nfmsg = nlmsg_data(nlh);
856 - nfmsg->nfgen_family = ctx->afi->family;
857 + nfmsg->nfgen_family = ctx->family;
858 nfmsg->version = NFNETLINK_V0;
859 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
860
861 @@ -3912,7 +3898,7 @@ static int nft_add_set_elem(struct nft_c
862 list_for_each_entry(binding, &set->bindings, list) {
863 struct nft_ctx bind_ctx = {
864 .net = ctx->net,
865 - .afi = ctx->afi,
866 + .family = ctx->family,
867 .table = ctx->table,
868 .chain = (struct nft_chain *)binding->chain,
869 };
870 @@ -4459,7 +4445,8 @@ static int nf_tables_newobj(struct net *
871 if (IS_ERR(afi))
872 return PTR_ERR(afi);
873
874 - table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
875 + table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
876 + genmask);
877 if (IS_ERR(table))
878 return PTR_ERR(table);
879
880 @@ -4477,7 +4464,7 @@ static int nf_tables_newobj(struct net *
881 return 0;
882 }
883
884 - nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
885 + nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
886
887 type = nft_obj_type_get(objtype);
888 if (IS_ERR(type))
889 @@ -4554,7 +4541,6 @@ struct nft_obj_filter {
890 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
891 {
892 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
893 - const struct nft_af_info *afi;
894 const struct nft_table *table;
895 unsigned int idx = 0, s_idx = cb->args[0];
896 struct nft_obj_filter *filter = cb->data;
897 @@ -4569,38 +4555,37 @@ static int nf_tables_dump_obj(struct sk_
898 rcu_read_lock();
899 cb->seq = net->nft.base_seq;
900
901 - list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
902 - if (family != NFPROTO_UNSPEC && family != afi->family)
903 + list_for_each_entry_rcu(table, &net->nft.tables, list) {
904 + if (family != NFPROTO_UNSPEC && family != table->afi->family)
905 continue;
906
907 - list_for_each_entry_rcu(table, &afi->tables, list) {
908 - list_for_each_entry_rcu(obj, &table->objects, list) {
909 - if (!nft_is_active(net, obj))
910 - goto cont;
911 - if (idx < s_idx)
912 - goto cont;
913 - if (idx > s_idx)
914 - memset(&cb->args[1], 0,
915 - sizeof(cb->args) - sizeof(cb->args[0]));
916 - if (filter && filter->table[0] &&
917 - strcmp(filter->table, table->name))
918 - goto cont;
919 - if (filter &&
920 - filter->type != NFT_OBJECT_UNSPEC &&
921 - obj->ops->type->type != filter->type)
922 - goto cont;
923 + list_for_each_entry_rcu(obj, &table->objects, list) {
924 + if (!nft_is_active(net, obj))
925 + goto cont;
926 + if (idx < s_idx)
927 + goto cont;
928 + if (idx > s_idx)
929 + memset(&cb->args[1], 0,
930 + sizeof(cb->args) - sizeof(cb->args[0]));
931 + if (filter && filter->table[0] &&
932 + strcmp(filter->table, table->name))
933 + goto cont;
934 + if (filter &&
935 + filter->type != NFT_OBJECT_UNSPEC &&
936 + obj->ops->type->type != filter->type)
937 + goto cont;
938
939 - if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
940 - cb->nlh->nlmsg_seq,
941 - NFT_MSG_NEWOBJ,
942 - NLM_F_MULTI | NLM_F_APPEND,
943 - afi->family, table, obj, reset) < 0)
944 - goto done;
945 + if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
946 + cb->nlh->nlmsg_seq,
947 + NFT_MSG_NEWOBJ,
948 + NLM_F_MULTI | NLM_F_APPEND,
949 + table->afi->family, table,
950 + obj, reset) < 0)
951 + goto done;
952
953 - nl_dump_check_consistent(cb, nlmsg_hdr(skb));
954 + nl_dump_check_consistent(cb, nlmsg_hdr(skb));
955 cont:
956 - idx++;
957 - }
958 + idx++;
959 }
960 }
961 done:
962 @@ -4687,7 +4672,8 @@ static int nf_tables_getobj(struct net *
963 if (IS_ERR(afi))
964 return PTR_ERR(afi);
965
966 - table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
967 + table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
968 + genmask);
969 if (IS_ERR(table))
970 return PTR_ERR(table);
971
972 @@ -4747,7 +4733,8 @@ static int nf_tables_delobj(struct net *
973 if (IS_ERR(afi))
974 return PTR_ERR(afi);
975
976 - table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
977 + table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
978 + genmask);
979 if (IS_ERR(table))
980 return PTR_ERR(table);
981
982 @@ -4758,7 +4745,7 @@ static int nf_tables_delobj(struct net *
983 if (obj->use > 0)
984 return -EBUSY;
985
986 - nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
987 + nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
988
989 return nft_delobj(&ctx, obj);
990 }
991 @@ -4796,7 +4783,7 @@ static void nf_tables_obj_notify(const s
992 struct nft_object *obj, int event)
993 {
994 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
995 - ctx->afi->family, ctx->report, GFP_KERNEL);
996 + ctx->family, ctx->report, GFP_KERNEL);
997 }
998
999 /*
1000 @@ -4986,7 +4973,7 @@ void nft_flow_table_iterate(struct net *
1001
1002 rcu_read_lock();
1003 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1004 - list_for_each_entry_rcu(table, &afi->tables, list) {
1005 + list_for_each_entry_rcu(table, &net->nft.tables, list) {
1006 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
1007 iter(&flowtable->data, data);
1008 }
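Review bot: The outer `list_for_each_entry_rcu(afi, &net->nft.af_info, list)` is kept while the inner loop now walks `net->nft.tables`, which is no longer per family, so `iter()` appears to run on every flowtable once per registered family instead of once. Either drop the outer loop, or keep it and skip foreign tables with `if (table->afi != afi) continue;` as the first statement of the table loop. An `iter` callback that is not idempotent would otherwise see repeated work. The function starts and ends outside the hunk.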
1009 @@ -5034,7 +5021,8 @@ static int nf_tables_newflowtable(struct
1010 if (IS_ERR(afi))
1011 return PTR_ERR(afi);
1012
1013 - table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
1014 + table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
1015 + afi->family, genmask);
1016 if (IS_ERR(table))
1017 return PTR_ERR(table);
1018
1019 @@ -5051,7 +5039,7 @@ static int nf_tables_newflowtable(struct
1020 return 0;
1021 }
1022
1023 - nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
1024 + nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
1025
1026 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
1027 if (!flowtable)
1028 @@ -5132,7 +5120,8 @@ static int nf_tables_delflowtable(struct
1029 if (IS_ERR(afi))
1030 return PTR_ERR(afi);
1031
1032 - table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
1033 + table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
1034 + afi->family, genmask);
1035 if (IS_ERR(table))
1036 return PTR_ERR(table);
1037
1038 @@ -5143,7 +5132,7 @@ static int nf_tables_delflowtable(struct
1039 if (flowtable->use > 0)
1040 return -EBUSY;
1041
1042 - nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
1043 + nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
1044
1045 return nft_delflowtable(&ctx, flowtable);
1046 }
1047 @@ -5212,40 +5201,37 @@ static int nf_tables_dump_flowtable(stru
1048 struct net *net = sock_net(skb->sk);
1049 int family = nfmsg->nfgen_family;
1050 struct nft_flowtable *flowtable;
1051 - const struct nft_af_info *afi;
1052 const struct nft_table *table;
1053
1054 rcu_read_lock();
1055 cb->seq = net->nft.base_seq;
1056
1057 - list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1058 - if (family != NFPROTO_UNSPEC && family != afi->family)
1059 + list_for_each_entry_rcu(table, &net->nft.tables, list) {
1060 + if (family != NFPROTO_UNSPEC && family != table->afi->family)
1061 continue;
1062
1063 - list_for_each_entry_rcu(table, &afi->tables, list) {
1064 - list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
1065 - if (!nft_is_active(net, flowtable))
1066 - goto cont;
1067 - if (idx < s_idx)
1068 - goto cont;
1069 - if (idx > s_idx)
1070 - memset(&cb->args[1], 0,
1071 - sizeof(cb->args) - sizeof(cb->args[0]));
1072 - if (filter && filter->table[0] &&
1073 - strcmp(filter->table, table->name))
1074 - goto cont;
1075 + list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
1076 + if (!nft_is_active(net, flowtable))
1077 + goto cont;
1078 + if (idx < s_idx)
1079 + goto cont;
1080 + if (idx > s_idx)
1081 + memset(&cb->args[1], 0,
1082 + sizeof(cb->args) - sizeof(cb->args[0]));
1083 + if (filter && filter->table[0] &&
1084 + strcmp(filter->table, table->name))
1085 + goto cont;
1086
1087 - if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
1088 - cb->nlh->nlmsg_seq,
1089 - NFT_MSG_NEWFLOWTABLE,
1090 - NLM_F_MULTI | NLM_F_APPEND,
1091 - afi->family, flowtable) < 0)
1092 - goto done;
1093 + if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
1094 + cb->nlh->nlmsg_seq,
1095 + NFT_MSG_NEWFLOWTABLE,
1096 + NLM_F_MULTI | NLM_F_APPEND,
1097 + table->afi->family, flowtable) < 0)
1098 + goto done;
1099
1100 - nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1101 + nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1102 cont:
1103 - idx++;
1104 - }
1105 + idx++;
1106 }
1107 }
1108 done:
1109 @@ -5328,7 +5314,8 @@ static int nf_tables_getflowtable(struct
1110 if (IS_ERR(afi))
1111 return PTR_ERR(afi);
1112
1113 - table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
1114 + table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
1115 + afi->family, genmask);
1116 if (IS_ERR(table))
1117 return PTR_ERR(table);
1118
1119 @@ -5371,7 +5358,7 @@ static void nf_tables_flowtable_notify(s
1120
1121 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
1122 ctx->seq, event, 0,
1123 - ctx->afi->family, flowtable);
1124 + ctx->family, flowtable);
1125 if (err < 0) {
1126 kfree_skb(skb);
1127 goto err;
1128 @@ -5449,17 +5436,14 @@ static int nf_tables_flowtable_event(str
1129 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1130 struct nft_flowtable *flowtable;
1131 struct nft_table *table;
1132 - struct nft_af_info *afi;
1133
1134 if (event != NETDEV_UNREGISTER)
1135 return 0;
1136
1137 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1138 - list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) {
1139 - list_for_each_entry(table, &afi->tables, list) {
1140 - list_for_each_entry(flowtable, &table->flowtables, list) {
1141 - nft_flowtable_event(event, dev, flowtable);
1142 - }
1143 + list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
1144 + list_for_each_entry(flowtable, &table->flowtables, list) {
1145 + nft_flowtable_event(event, dev, flowtable);
1146 }
1147 }
1148 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1149 @@ -6478,6 +6462,7 @@ EXPORT_SYMBOL_GPL(nft_data_dump);
1150 static int __net_init nf_tables_init_net(struct net *net)
1151 {
1152 INIT_LIST_HEAD(&net->nft.af_info);
1153 + INIT_LIST_HEAD(&net->nft.tables);
1154 INIT_LIST_HEAD(&net->nft.commit_list);
1155 net->nft.base_seq = 1;
1156 return 0;
1157 @@ -6514,10 +6499,10 @@ static void __nft_release_afinfo(struct
1158 struct nft_set *set, *ns;
1159 struct nft_ctx ctx = {
1160 .net = net,
1161 - .afi = afi,
1162 + .family = afi->family,
1163 };
1164
1165 - list_for_each_entry_safe(table, nt, &afi->tables, list) {
1166 + list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
1167 list_for_each_entry(chain, &table->chains, list)
1168 nf_tables_unregister_hook(net, table, chain);
1169 list_for_each_entry(flowtable, &table->flowtables, list)
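Review bot: `list_for_each_entry_safe(table, nt, &net->nft.tables, list)` now visits the tables of all families, yet this function releases a single `afi` and fixes `ctx.family` to `afi->family`. Unless a filter exists further down, outside this hunk, tearing down one family would unregister hooks and release tables that belong to other families, and destroy callbacks would receive a `ctx.family` that does not match the table. A guard such as `if (table->afi != afi) continue;` at the top of the loop keeps the previous per-family scope. The loop body continues outside the hunk.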
1170 --- a/net/netfilter/nf_tables_netdev.c
1171 +++ b/net/netfilter/nf_tables_netdev.c
1172 @@ -107,7 +107,6 @@ static int nf_tables_netdev_event(struct
1173 unsigned long event, void *ptr)
1174 {
1175 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1176 - struct nft_af_info *afi;
1177 struct nft_table *table;
1178 struct nft_chain *chain, *nr;
1179 struct nft_ctx ctx = {
1180 @@ -119,20 +118,18 @@ static int nf_tables_netdev_event(struct
1181 return NOTIFY_DONE;
1182
1183 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1184 - list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) {
1185 - ctx.afi = afi;
1186 - if (afi->family != NFPROTO_NETDEV)
1187 + list_for_each_entry(table, &ctx.net->nft.tables, list) {
1188 + if (table->afi->family != NFPROTO_NETDEV)
1189 continue;
1190
1191 - list_for_each_entry(table, &afi->tables, list) {
1192 - ctx.table = table;
1193 - list_for_each_entry_safe(chain, nr, &table->chains, list) {
1194 - if (!nft_is_base_chain(chain))
1195 - continue;
1196 + ctx.family = table->afi->family;
1197 + ctx.table = table;
1198 + list_for_each_entry_safe(chain, nr, &table->chains, list) {
1199 + if (!nft_is_base_chain(chain))
1200 + continue;
1201
1202 - ctx.chain = chain;
1203 - nft_netdev_event(event, dev, &ctx);
1204 - }
1205 + ctx.chain = chain;
1206 + nft_netdev_event(event, dev, &ctx);
1207 }
1208 }
1209 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
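Review bot: The table walk now starts from `ctx.net` rather than `dev_net(dev)`, so it depends on the `struct nft_ctx ctx = { ... }` initializer, which lies outside this hunk, setting `.net` to the device's namespace. Confirm that, or keep `&dev_net(dev)->nft.tables` so the loop is visibly scoped to the right netns. `ctx.family = table->afi->family;` is also assigned on every iteration, right after the guard established that it equals `NFPROTO_NETDEV`; `.family = NFPROTO_NETDEV,` in the initializer would say the same thing once.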
1210 --- a/net/netfilter/nft_compat.c
1211 +++ b/net/netfilter/nft_compat.c
1212 @@ -144,7 +144,7 @@ nft_target_set_tgchk_param(struct xt_tgc
1213 {
1214 par->net = ctx->net;
1215 par->table = ctx->table->name;
1216 - switch (ctx->afi->family) {
1217 + switch (ctx->family) {
1218 case AF_INET:
1219 entry->e4.ip.proto = proto;
1220 entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
1221 @@ -175,7 +175,7 @@ nft_target_set_tgchk_param(struct xt_tgc
1222 } else {
1223 par->hook_mask = 0;
1224 }
1225 - par->family = ctx->afi->family;
1226 + par->family = ctx->family;
1227 par->nft_compat = true;
1228 }
1229
1230 @@ -267,7 +267,7 @@ nft_target_destroy(const struct nft_ctx
1231 par.net = ctx->net;
1232 par.target = target;
1233 par.targinfo = info;
1234 - par.family = ctx->afi->family;
1235 + par.family = ctx->family;
1236 if (par.target->destroy != NULL)
1237 par.target->destroy(&par);
1238
1239 @@ -358,7 +358,7 @@ nft_match_set_mtchk_param(struct xt_mtch
1240 {
1241 par->net = ctx->net;
1242 par->table = ctx->table->name;
1243 - switch (ctx->afi->family) {
1244 + switch (ctx->family) {
1245 case AF_INET:
1246 entry->e4.ip.proto = proto;
1247 entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
1248 @@ -389,7 +389,7 @@ nft_match_set_mtchk_param(struct xt_mtch
1249 } else {
1250 par->hook_mask = 0;
1251 }
1252 - par->family = ctx->afi->family;
1253 + par->family = ctx->family;
1254 par->nft_compat = true;
1255 }
1256
1257 @@ -446,7 +446,7 @@ nft_match_destroy(const struct nft_ctx *
1258 par.net = ctx->net;
1259 par.match = match;
1260 par.matchinfo = info;
1261 - par.family = ctx->afi->family;
1262 + par.family = ctx->family;
1263 if (par.match->destroy != NULL)
1264 par.match->destroy(&par);
1265
1266 @@ -648,7 +648,7 @@ nft_match_select_ops(const struct nft_ct
1267
1268 mt_name = nla_data(tb[NFTA_MATCH_NAME]);
1269 rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
1270 - family = ctx->afi->family;
1271 + family = ctx->family;
1272
1273 /* Re-use the existing match if it's already loaded. */
1274 list_for_each_entry(nft_match, &nft_match_list, head) {
1275 @@ -733,7 +733,7 @@ nft_target_select_ops(const struct nft_c
1276
1277 tg_name = nla_data(tb[NFTA_TARGET_NAME]);
1278 rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
1279 - family = ctx->afi->family;
1280 + family = ctx->family;
1281
1282 /* Re-use the existing target if it's already loaded. */
1283 list_for_each_entry(nft_target, &nft_target_list, head) {
1284 --- a/net/netfilter/nft_ct.c
1285 +++ b/net/netfilter/nft_ct.c
1286 @@ -405,7 +405,7 @@ static int nft_ct_get_init(const struct
1287 if (tb[NFTA_CT_DIRECTION] == NULL)
1288 return -EINVAL;
1289
1290 - switch (ctx->afi->family) {
1291 + switch (ctx->family) {
1292 case NFPROTO_IPV4:
1293 len = FIELD_SIZEOF(struct nf_conntrack_tuple,
1294 src.u3.ip);
1295 @@ -456,7 +456,7 @@ static int nft_ct_get_init(const struct
1296 if (err < 0)
1297 return err;
1298
1299 - err = nf_ct_netns_get(ctx->net, ctx->afi->family);
1300 + err = nf_ct_netns_get(ctx->net, ctx->family);
1301 if (err < 0)
1302 return err;
1303
1304 @@ -550,7 +550,7 @@ static int nft_ct_set_init(const struct
1305 if (err < 0)
1306 goto err1;
1307
1308 - err = nf_ct_netns_get(ctx->net, ctx->afi->family);
1309 + err = nf_ct_netns_get(ctx->net, ctx->family);
1310 if (err < 0)
1311 goto err1;
1312
1313 @@ -564,7 +564,7 @@ err1:
1314 static void nft_ct_get_destroy(const struct nft_ctx *ctx,
1315 const struct nft_expr *expr)
1316 {
1317 - nf_ct_netns_put(ctx->net, ctx->afi->family);
1318 + nf_ct_netns_put(ctx->net, ctx->family);
1319 }
1320
1321 static void nft_ct_set_destroy(const struct nft_ctx *ctx,
1322 @@ -573,7 +573,7 @@ static void nft_ct_set_destroy(const str
1323 struct nft_ct *priv = nft_expr_priv(expr);
1324
1325 __nft_ct_set_destroy(ctx, priv);
1326 - nf_ct_netns_put(ctx->net, ctx->afi->family);
1327 + nf_ct_netns_put(ctx->net, ctx->family);
1328 }
1329
1330 static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
1331 @@ -734,7 +734,7 @@ static int nft_ct_helper_obj_init(const
1332 struct nft_ct_helper_obj *priv = nft_obj_data(obj);
1333 struct nf_conntrack_helper *help4, *help6;
1334 char name[NF_CT_HELPER_NAME_LEN];
1335 - int family = ctx->afi->family;
1336 + int family = ctx->family;
1337
1338 if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO])
1339 return -EINVAL;
1340 @@ -753,14 +753,14 @@ static int nft_ct_helper_obj_init(const
1341
1342 switch (family) {
1343 case NFPROTO_IPV4:
1344 - if (ctx->afi->family == NFPROTO_IPV6)
1345 + if (ctx->family == NFPROTO_IPV6)
1346 return -EINVAL;
1347
1348 help4 = nf_conntrack_helper_try_module_get(name, family,
1349 priv->l4proto);
1350 break;
1351 case NFPROTO_IPV6:
1352 - if (ctx->afi->family == NFPROTO_IPV4)
1353 + if (ctx->family == NFPROTO_IPV4)
1354 return -EINVAL;
1355
1356 help6 = nf_conntrack_helper_try_module_get(name, family,
1357 --- a/net/netfilter/nft_flow_offload.c
1358 +++ b/net/netfilter/nft_flow_offload.c
1359 @@ -151,7 +151,7 @@ static int nft_flow_offload_init(const s
1360 priv->flowtable = flowtable;
1361 flowtable->use++;
1362
1363 - return nf_ct_netns_get(ctx->net, ctx->afi->family);
1364 + return nf_ct_netns_get(ctx->net, ctx->family);
1365 }
1366
1367 static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
1368 @@ -160,7 +160,7 @@ static void nft_flow_offload_destroy(con
1369 struct nft_flow_offload *priv = nft_expr_priv(expr);
1370
1371 priv->flowtable->use--;
1372 - nf_ct_netns_put(ctx->net, ctx->afi->family);
1373 + nf_ct_netns_put(ctx->net, ctx->family);
1374 }
1375
1376 static int nft_flow_offload_dump(struct sk_buff *skb, const struct nft_expr *expr)
1377 --- a/net/netfilter/nft_log.c
1378 +++ b/net/netfilter/nft_log.c
1379 @@ -112,7 +112,7 @@ static int nft_log_init(const struct nft
1380 break;
1381 }
1382
1383 - err = nf_logger_find_get(ctx->afi->family, li->type);
1384 + err = nf_logger_find_get(ctx->family, li->type);
1385 if (err < 0)
1386 goto err1;
1387
1388 @@ -133,7 +133,7 @@ static void nft_log_destroy(const struct
1389 if (priv->prefix != nft_log_null_prefix)
1390 kfree(priv->prefix);
1391
1392 - nf_logger_put(ctx->afi->family, li->type);
1393 + nf_logger_put(ctx->family, li->type);
1394 }
1395
1396 static int nft_log_dump(struct sk_buff *skb, const struct nft_expr *expr)
1397 --- a/net/netfilter/nft_masq.c
1398 +++ b/net/netfilter/nft_masq.c
1399 @@ -73,7 +73,7 @@ int nft_masq_init(const struct nft_ctx *
1400 }
1401 }
1402
1403 - return nf_ct_netns_get(ctx->net, ctx->afi->family);
1404 + return nf_ct_netns_get(ctx->net, ctx->family);
1405 }
1406 EXPORT_SYMBOL_GPL(nft_masq_init);
1407
1408 --- a/net/netfilter/nft_meta.c
1409 +++ b/net/netfilter/nft_meta.c
1410 @@ -339,7 +339,7 @@ static int nft_meta_get_validate(const s
1411 if (priv->key != NFT_META_SECPATH)
1412 return 0;
1413
1414 - switch (ctx->afi->family) {
1415 + switch (ctx->family) {
1416 case NFPROTO_NETDEV:
1417 hooks = 1 << NF_NETDEV_INGRESS;
1418 break;
1419 @@ -370,7 +370,7 @@ int nft_meta_set_validate(const struct n
1420 if (priv->key != NFT_META_PKTTYPE)
1421 return 0;
1422
1423 - switch (ctx->afi->family) {
1424 + switch (ctx->family) {
1425 case NFPROTO_BRIDGE:
1426 hooks = 1 << NF_BR_PRE_ROUTING;
1427 break;
1428 --- a/net/netfilter/nft_nat.c
1429 +++ b/net/netfilter/nft_nat.c
1430 @@ -142,7 +142,7 @@ static int nft_nat_init(const struct nft
1431 return -EINVAL;
1432
1433 family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY]));
1434 - if (family != ctx->afi->family)
1435 + if (family != ctx->family)
1436 return -EOPNOTSUPP;
1437
1438 switch (family) {
1439 --- a/net/netfilter/nft_redir.c
1440 +++ b/net/netfilter/nft_redir.c
1441 @@ -75,7 +75,7 @@ int nft_redir_init(const struct nft_ctx
1442 return -EINVAL;
1443 }
1444
1445 - return nf_ct_netns_get(ctx->net, ctx->afi->family);
1446 + return nf_ct_netns_get(ctx->net, ctx->family);
1447 }
1448 EXPORT_SYMBOL_GPL(nft_redir_init);
1449