diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-01-08 20:38:03 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-01-10 09:32:08 -0500 |
| commit | 36596dadf54a920d26286cf9f421fb4ef648b51f (patch) | |
| tree | e9e5cdd54acb21f0ccfa88c851bb7f6418bc4609 | |
| parent | 1ea26cca52e46c0f29ee9fdd567312ba93a7d651 (diff) | |
netfilter: nf_tables: add single table list for all families
Place all existing user defined tables in struct net *, instead of
having one list per family. This saves us from one level of indentation
in netlink dump functions.
Place pointer to struct nft_af_info in struct nft_table temporarily, as
we still need this to put back reference module reference counter on
table removal.
This patch comes in preparation for the removal of struct nft_af_info.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | include/net/netfilter/nf_tables.h | 8 | ||||
| -rw-r--r-- | include/net/netns/nftables.h | 1 | ||||
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 509 | ||||
| -rw-r--r-- | net/netfilter/nf_tables_netdev.c | 21 | ||||
| -rw-r--r-- | net/netfilter/nft_compat.c | 16 | ||||
| -rw-r--r-- | net/netfilter/nft_ct.c | 16 | ||||
| -rw-r--r-- | net/netfilter/nft_flow_offload.c | 4 | ||||
| -rw-r--r-- | net/netfilter/nft_log.c | 4 | ||||
| -rw-r--r-- | net/netfilter/nft_masq.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nft_meta.c | 4 | ||||
| -rw-r--r-- | net/netfilter/nft_nat.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nft_redir.c | 2 |
12 files changed, 286 insertions, 303 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 9a85893a5e30..c55e836e6a2f 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h | |||
| @@ -143,22 +143,22 @@ static inline void nft_data_debug(const struct nft_data *data) | |||
| 143 | * struct nft_ctx - nf_tables rule/set context | 143 | * struct nft_ctx - nf_tables rule/set context |
| 144 | * | 144 | * |
| 145 | * @net: net namespace | 145 | * @net: net namespace |
| 146 | * @afi: address family info | ||
| 147 | * @table: the table the chain is contained in | 146 | * @table: the table the chain is contained in |
| 148 | * @chain: the chain the rule is contained in | 147 | * @chain: the chain the rule is contained in |
| 149 | * @nla: netlink attributes | 148 | * @nla: netlink attributes |
| 150 | * @portid: netlink portID of the original message | 149 | * @portid: netlink portID of the original message |
| 151 | * @seq: netlink sequence number | 150 | * @seq: netlink sequence number |
| 151 | * @family: protocol family | ||
| 152 | * @report: notify via unicast netlink message | 152 | * @report: notify via unicast netlink message |
| 153 | */ | 153 | */ |
| 154 | struct nft_ctx { | 154 | struct nft_ctx { |
| 155 | struct net *net; | 155 | struct net *net; |
| 156 | struct nft_af_info *afi; | ||
| 157 | struct nft_table *table; | 156 | struct nft_table *table; |
| 158 | struct nft_chain *chain; | 157 | struct nft_chain *chain; |
| 159 | const struct nlattr * const *nla; | 158 | const struct nlattr * const *nla; |
| 160 | u32 portid; | 159 | u32 portid; |
| 161 | u32 seq; | 160 | u32 seq; |
| 161 | u8 family; | ||
| 162 | bool report; | 162 | bool report; |
| 163 | }; | 163 | }; |
| 164 | 164 | ||
| @@ -949,6 +949,7 @@ unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv); | |||
| 949 | * @use: number of chain references to this table | 949 | * @use: number of chain references to this table |
| 950 | * @flags: table flag (see enum nft_table_flags) | 950 | * @flags: table flag (see enum nft_table_flags) |
| 951 | * @genmask: generation mask | 951 | * @genmask: generation mask |
| 952 | * @afinfo: address family info | ||
| 952 | * @name: name of the table | 953 | * @name: name of the table |
| 953 | */ | 954 | */ |
| 954 | struct nft_table { | 955 | struct nft_table { |
| @@ -961,6 +962,7 @@ struct nft_table { | |||
| 961 | u32 use; | 962 | u32 use; |
| 962 | u16 flags:14, | 963 | u16 flags:14, |
| 963 | genmask:2; | 964 | genmask:2; |
| 965 | struct nft_af_info *afi; | ||
| 964 | char *name; | 966 | char *name; |
| 965 | }; | 967 | }; |
| 966 | 968 | ||
| @@ -970,13 +972,11 @@ struct nft_table { | |||
| 970 | * @list: used internally | 972 | * @list: used internally |
| 971 | * @family: address family | 973 | * @family: address family |
| 972 | * @owner: module owner | 974 | * @owner: module owner |
| 973 | * @tables: used internally | ||
| 974 | */ | 975 | */ |
| 975 | struct nft_af_info { | 976 | struct nft_af_info { |
| 976 | struct list_head list; | 977 | struct list_head list; |
| 977 | int family; | 978 | int family; |
| 978 | struct module *owner; | 979 | struct module *owner; |
| 979 | struct list_head tables; | ||
| 980 | }; | 980 | }; |
| 981 | 981 | ||
| 982 | int nft_register_afinfo(struct net *, struct nft_af_info *); | 982 | int nft_register_afinfo(struct net *, struct nft_af_info *); |
diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h index 4109b5f3010f..7f86a63ac21f 100644 --- a/include/net/netns/nftables.h +++ b/include/net/netns/nftables.h | |||
| @@ -8,6 +8,7 @@ struct nft_af_info; | |||
| 8 | 8 | ||
| 9 | struct netns_nftables { | 9 | struct netns_nftables { |
| 10 | struct list_head af_info; | 10 | struct list_head af_info; |
| 11 | struct list_head tables; | ||
| 11 | struct list_head commit_list; | 12 | struct list_head commit_list; |
| 12 | struct nft_af_info *ipv4; | 13 | struct nft_af_info *ipv4; |
| 13 | struct nft_af_info *ipv6; | 14 | struct nft_af_info *ipv6; |
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 9efcbe27789d..084d1f553c46 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c | |||
| @@ -37,7 +37,6 @@ static LIST_HEAD(nf_tables_flowtables); | |||
| 37 | */ | 37 | */ |
| 38 | int nft_register_afinfo(struct net *net, struct nft_af_info *afi) | 38 | int nft_register_afinfo(struct net *net, struct nft_af_info *afi) |
| 39 | { | 39 | { |
| 40 | INIT_LIST_HEAD(&afi->tables); | ||
| 41 | nfnl_lock(NFNL_SUBSYS_NFTABLES); | 40 | nfnl_lock(NFNL_SUBSYS_NFTABLES); |
| 42 | list_add_tail_rcu(&afi->list, &net->nft.af_info); | 41 | list_add_tail_rcu(&afi->list, &net->nft.af_info); |
| 43 | nfnl_unlock(NFNL_SUBSYS_NFTABLES); | 42 | nfnl_unlock(NFNL_SUBSYS_NFTABLES); |
| @@ -99,13 +98,13 @@ static void nft_ctx_init(struct nft_ctx *ctx, | |||
| 99 | struct net *net, | 98 | struct net *net, |
| 100 | const struct sk_buff *skb, | 99 | const struct sk_buff *skb, |
| 101 | const struct nlmsghdr *nlh, | 100 | const struct nlmsghdr *nlh, |
| 102 | struct nft_af_info *afi, | 101 | u8 family, |
| 103 | struct nft_table *table, | 102 | struct nft_table *table, |
| 104 | struct nft_chain *chain, | 103 | struct nft_chain *chain, |
| 105 | const struct nlattr * const *nla) | 104 | const struct nlattr * const *nla) |
| 106 | { | 105 | { |
| 107 | ctx->net = net; | 106 | ctx->net = net; |
| 108 | ctx->afi = afi; | 107 | ctx->family = family; |
| 109 | ctx->table = table; | 108 | ctx->table = table; |
| 110 | ctx->chain = chain; | 109 | ctx->chain = chain; |
| 111 | ctx->nla = nla; | 110 | ctx->nla = nla; |
| @@ -385,30 +384,31 @@ static int nft_delflowtable(struct nft_ctx *ctx, | |||
| 385 | * Tables | 384 | * Tables |
| 386 | */ | 385 | */ |
| 387 | 386 | ||
| 388 | static struct nft_table *nft_table_lookup(const struct nft_af_info *afi, | 387 | static struct nft_table *nft_table_lookup(const struct net *net, |
| 389 | const struct nlattr *nla, | 388 | const struct nlattr *nla, |
| 390 | u8 genmask) | 389 | u8 family, u8 genmask) |
| 391 | { | 390 | { |
| 392 | struct nft_table *table; | 391 | struct nft_table *table; |
| 393 | 392 | ||
| 394 | list_for_each_entry(table, &afi->tables, list) { | 393 | list_for_each_entry(table, &net->nft.tables, list) { |
| 395 | if (!nla_strcmp(nla, table->name) && | 394 | if (!nla_strcmp(nla, table->name) && |
| 395 | table->afi->family == family && | ||
| 396 | nft_active_genmask(table, genmask)) | 396 | nft_active_genmask(table, genmask)) |
| 397 | return table; | 397 | return table; |
| 398 | } | 398 | } |
| 399 | return NULL; | 399 | return NULL; |
| 400 | } | 400 | } |
| 401 | 401 | ||
| 402 | static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi, | 402 | static struct nft_table *nf_tables_table_lookup(const struct net *net, |
| 403 | const struct nlattr *nla, | 403 | const struct nlattr *nla, |
| 404 | u8 genmask) | 404 | u8 family, u8 genmask) |
| 405 | { | 405 | { |
| 406 | struct nft_table *table; | 406 | struct nft_table *table; |
| 407 | 407 | ||
| 408 | if (nla == NULL) | 408 | if (nla == NULL) |
| 409 | return ERR_PTR(-EINVAL); | 409 | return ERR_PTR(-EINVAL); |
| 410 | 410 | ||
| 411 | table = nft_table_lookup(afi, nla, genmask); | 411 | table = nft_table_lookup(net, nla, family, genmask); |
| 412 | if (table != NULL) | 412 | if (table != NULL) |
| 413 | return table; | 413 | return table; |
| 414 | 414 | ||
| @@ -507,7 +507,7 @@ static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) | |||
| 507 | goto err; | 507 | goto err; |
| 508 | 508 | ||
| 509 | err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, | 509 | err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, |
| 510 | event, 0, ctx->afi->family, ctx->table); | 510 | event, 0, ctx->family, ctx->table); |
| 511 | if (err < 0) { | 511 | if (err < 0) { |
| 512 | kfree_skb(skb); | 512 | kfree_skb(skb); |
| 513 | goto err; | 513 | goto err; |
| @@ -524,7 +524,6 @@ static int nf_tables_dump_tables(struct sk_buff *skb, | |||
| 524 | struct netlink_callback *cb) | 524 | struct netlink_callback *cb) |
| 525 | { | 525 | { |
| 526 | const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); | 526 | const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); |
| 527 | const struct nft_af_info *afi; | ||
| 528 | const struct nft_table *table; | 527 | const struct nft_table *table; |
| 529 | unsigned int idx = 0, s_idx = cb->args[0]; | 528 | unsigned int idx = 0, s_idx = cb->args[0]; |
| 530 | struct net *net = sock_net(skb->sk); | 529 | struct net *net = sock_net(skb->sk); |
| @@ -533,30 +532,27 @@ static int nf_tables_dump_tables(struct sk_buff *skb, | |||
| 533 | rcu_read_lock(); | 532 | rcu_read_lock(); |
| 534 | cb->seq = net->nft.base_seq; | 533 | cb->seq = net->nft.base_seq; |
| 535 | 534 | ||
| 536 | list_for_each_entry_rcu(afi, &net->nft.af_info, list) { | 535 | list_for_each_entry_rcu(table, &net->nft.tables, list) { |
| 537 | if (family != NFPROTO_UNSPEC && family != afi->family) | 536 | if (family != NFPROTO_UNSPEC && family != table->afi->family) |
| 538 | continue; | 537 | continue; |
| 539 | 538 | ||
| 540 | list_for_each_entry_rcu(table, &afi->tables, list) { | 539 | if (idx < s_idx) |
| 541 | if (idx < s_idx) | 540 | goto cont; |
| 542 | goto cont; | 541 | if (idx > s_idx) |
| 543 | if (idx > s_idx) | 542 | memset(&cb->args[1], 0, |
| 544 | memset(&cb->args[1], 0, | 543 | sizeof(cb->args) - sizeof(cb->args[0])); |
| 545 | sizeof(cb->args) - sizeof(cb->args[0])); | 544 | if (!nft_is_active(net, table)) |
| 546 | if (!nft_is_active(net, table)) | 545 | continue; |
| 547 | continue; | 546 | if (nf_tables_fill_table_info(skb, net, |
| 548 | if (nf_tables_fill_table_info(skb, net, | 547 | NETLINK_CB(cb->skb).portid, |
| 549 | NETLINK_CB(cb->skb).portid, | 548 | cb->nlh->nlmsg_seq, |
| 550 | cb->nlh->nlmsg_seq, | 549 | NFT_MSG_NEWTABLE, NLM_F_MULTI, |
| 551 | NFT_MSG_NEWTABLE, | 550 | table->afi->family, table) < 0) |
| 552 | NLM_F_MULTI, | 551 | goto done; |
| 553 | afi->family, table) < 0) | 552 | |
| 554 | goto done; | 553 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); |
| 555 | |||
| 556 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); | ||
| 557 | cont: | 554 | cont: |
| 558 | idx++; | 555 | idx++; |
| 559 | } | ||
| 560 | } | 556 | } |
| 561 | done: | 557 | done: |
| 562 | rcu_read_unlock(); | 558 | rcu_read_unlock(); |
| @@ -588,7 +584,8 @@ static int nf_tables_gettable(struct net *net, struct sock *nlsk, | |||
| 588 | if (IS_ERR(afi)) | 584 | if (IS_ERR(afi)) |
| 589 | return PTR_ERR(afi); | 585 | return PTR_ERR(afi); |
| 590 | 586 | ||
| 591 | table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask); | 587 | table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family, |
| 588 | genmask); | ||
| 592 | if (IS_ERR(table)) | 589 | if (IS_ERR(table)) |
| 593 | return PTR_ERR(table); | 590 | return PTR_ERR(table); |
| 594 | 591 | ||
| @@ -719,7 +716,7 @@ static int nf_tables_newtable(struct net *net, struct sock *nlsk, | |||
| 719 | return PTR_ERR(afi); | 716 | return PTR_ERR(afi); |
| 720 | 717 | ||
| 721 | name = nla[NFTA_TABLE_NAME]; | 718 | name = nla[NFTA_TABLE_NAME]; |
| 722 | table = nf_tables_table_lookup(afi, name, genmask); | 719 | table = nf_tables_table_lookup(net, name, afi->family, genmask); |
| 723 | if (IS_ERR(table)) { | 720 | if (IS_ERR(table)) { |
| 724 | if (PTR_ERR(table) != -ENOENT) | 721 | if (PTR_ERR(table) != -ENOENT) |
| 725 | return PTR_ERR(table); | 722 | return PTR_ERR(table); |
| @@ -729,7 +726,7 @@ static int nf_tables_newtable(struct net *net, struct sock *nlsk, | |||
| 729 | if (nlh->nlmsg_flags & NLM_F_REPLACE) | 726 | if (nlh->nlmsg_flags & NLM_F_REPLACE) |
| 730 | return -EOPNOTSUPP; | 727 | return -EOPNOTSUPP; |
| 731 | 728 | ||
| 732 | nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); | 729 | nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); |
| 733 | return nf_tables_updtable(&ctx); | 730 | return nf_tables_updtable(&ctx); |
| 734 | } | 731 | } |
| 735 | 732 | ||
| @@ -756,14 +753,15 @@ static int nf_tables_newtable(struct net *net, struct sock *nlsk, | |||
| 756 | INIT_LIST_HEAD(&table->sets); | 753 | INIT_LIST_HEAD(&table->sets); |
| 757 | INIT_LIST_HEAD(&table->objects); | 754 | INIT_LIST_HEAD(&table->objects); |
| 758 | INIT_LIST_HEAD(&table->flowtables); | 755 | INIT_LIST_HEAD(&table->flowtables); |
| 756 | table->afi = afi; | ||
| 759 | table->flags = flags; | 757 | table->flags = flags; |
| 760 | 758 | ||
| 761 | nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); | 759 | nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); |
| 762 | err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); | 760 | err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); |
| 763 | if (err < 0) | 761 | if (err < 0) |
| 764 | goto err4; | 762 | goto err4; |
| 765 | 763 | ||
| 766 | list_add_tail_rcu(&table->list, &afi->tables); | 764 | list_add_tail_rcu(&table->list, &net->nft.tables); |
| 767 | return 0; | 765 | return 0; |
| 768 | err4: | 766 | err4: |
| 769 | kfree(table->name); | 767 | kfree(table->name); |
| @@ -837,30 +835,28 @@ out: | |||
| 837 | 835 | ||
| 838 | static int nft_flush(struct nft_ctx *ctx, int family) | 836 | static int nft_flush(struct nft_ctx *ctx, int family) |
| 839 | { | 837 | { |
| 840 | struct nft_af_info *afi; | ||
| 841 | struct nft_table *table, *nt; | 838 | struct nft_table *table, *nt; |
| 842 | const struct nlattr * const *nla = ctx->nla; | 839 | const struct nlattr * const *nla = ctx->nla; |
| 843 | int err = 0; | 840 | int err = 0; |
| 844 | 841 | ||
| 845 | list_for_each_entry(afi, &ctx->net->nft.af_info, list) { | 842 | list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { |
| 846 | if (family != AF_UNSPEC && afi->family != family) | 843 | if (family != AF_UNSPEC && table->afi->family != family) |
| 847 | continue; | 844 | continue; |
| 848 | 845 | ||
| 849 | ctx->afi = afi; | 846 | ctx->family = table->afi->family; |
| 850 | list_for_each_entry_safe(table, nt, &afi->tables, list) { | ||
| 851 | if (!nft_is_active_next(ctx->net, table)) | ||
| 852 | continue; | ||
| 853 | 847 | ||
| 854 | if (nla[NFTA_TABLE_NAME] && | 848 | if (!nft_is_active_next(ctx->net, table)) |
| 855 | nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) | 849 | continue; |
| 856 | continue; | ||
| 857 | 850 | ||
| 858 | ctx->table = table; | 851 | if (nla[NFTA_TABLE_NAME] && |
| 852 | nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) | ||
| 853 | continue; | ||
| 859 | 854 | ||
| 860 | err = nft_flush_table(ctx); | 855 | ctx->table = table; |
| 861 | if (err < 0) | 856 | |
| 862 | goto out; | 857 | err = nft_flush_table(ctx); |
| 863 | } | 858 | if (err < 0) |
| 859 | goto out; | ||
| 864 | } | 860 | } |
| 865 | out: | 861 | out: |
| 866 | return err; | 862 | return err; |
| @@ -878,7 +874,7 @@ static int nf_tables_deltable(struct net *net, struct sock *nlsk, | |||
| 878 | int family = nfmsg->nfgen_family; | 874 | int family = nfmsg->nfgen_family; |
| 879 | struct nft_ctx ctx; | 875 | struct nft_ctx ctx; |
| 880 | 876 | ||
| 881 | nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla); | 877 | nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla); |
| 882 | if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL) | 878 | if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL) |
| 883 | return nft_flush(&ctx, family); | 879 | return nft_flush(&ctx, family); |
| 884 | 880 | ||
| @@ -886,7 +882,8 @@ static int nf_tables_deltable(struct net *net, struct sock *nlsk, | |||
| 886 | if (IS_ERR(afi)) | 882 | if (IS_ERR(afi)) |
| 887 | return PTR_ERR(afi); | 883 | return PTR_ERR(afi); |
| 888 | 884 | ||
| 889 | table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask); | 885 | table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family, |
| 886 | genmask); | ||
| 890 | if (IS_ERR(table)) | 887 | if (IS_ERR(table)) |
| 891 | return PTR_ERR(table); | 888 | return PTR_ERR(table); |
| 892 | 889 | ||
| @@ -894,7 +891,7 @@ static int nf_tables_deltable(struct net *net, struct sock *nlsk, | |||
| 894 | table->use > 0) | 891 | table->use > 0) |
| 895 | return -EBUSY; | 892 | return -EBUSY; |
| 896 | 893 | ||
| 897 | ctx.afi = afi; | 894 | ctx.family = afi->family; |
| 898 | ctx.table = table; | 895 | ctx.table = table; |
| 899 | 896 | ||
| 900 | return nft_flush_table(&ctx); | 897 | return nft_flush_table(&ctx); |
| @@ -906,7 +903,7 @@ static void nf_tables_table_destroy(struct nft_ctx *ctx) | |||
| 906 | 903 | ||
| 907 | kfree(ctx->table->name); | 904 | kfree(ctx->table->name); |
| 908 | kfree(ctx->table); | 905 | kfree(ctx->table); |
| 909 | module_put(ctx->afi->owner); | 906 | module_put(ctx->table->afi->owner); |
| 910 | } | 907 | } |
| 911 | 908 | ||
| 912 | int nft_register_chain_type(const struct nf_chain_type *ctype) | 909 | int nft_register_chain_type(const struct nf_chain_type *ctype) |
| @@ -1107,7 +1104,7 @@ static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event) | |||
| 1107 | goto err; | 1104 | goto err; |
| 1108 | 1105 | ||
| 1109 | err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, | 1106 | err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, |
| 1110 | event, 0, ctx->afi->family, ctx->table, | 1107 | event, 0, ctx->family, ctx->table, |
| 1111 | ctx->chain); | 1108 | ctx->chain); |
| 1112 | if (err < 0) { | 1109 | if (err < 0) { |
| 1113 | kfree_skb(skb); | 1110 | kfree_skb(skb); |
| @@ -1125,7 +1122,6 @@ static int nf_tables_dump_chains(struct sk_buff *skb, | |||
| 1125 | struct netlink_callback *cb) | 1122 | struct netlink_callback *cb) |
| 1126 | { | 1123 | { |
| 1127 | const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); | 1124 | const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); |
| 1128 | const struct nft_af_info *afi; | ||
| 1129 | const struct nft_table *table; | 1125 | const struct nft_table *table; |
| 1130 | const struct nft_chain *chain; | 1126 | const struct nft_chain *chain; |
| 1131 | unsigned int idx = 0, s_idx = cb->args[0]; | 1127 | unsigned int idx = 0, s_idx = cb->args[0]; |
| @@ -1135,31 +1131,30 @@ static int nf_tables_dump_chains(struct sk_buff *skb, | |||
| 1135 | rcu_read_lock(); | 1131 | rcu_read_lock(); |
| 1136 | cb->seq = net->nft.base_seq; | 1132 | cb->seq = net->nft.base_seq; |
| 1137 | 1133 | ||
| 1138 | list_for_each_entry_rcu(afi, &net->nft.af_info, list) { | 1134 | list_for_each_entry_rcu(table, &net->nft.tables, list) { |
| 1139 | if (family != NFPROTO_UNSPEC && family != afi->family) | 1135 | if (family != NFPROTO_UNSPEC && family != table->afi->family) |
| 1140 | continue; | 1136 | continue; |
| 1141 | 1137 | ||
| 1142 | list_for_each_entry_rcu(table, &afi->tables, list) { | 1138 | list_for_each_entry_rcu(chain, &table->chains, list) { |
| 1143 | list_for_each_entry_rcu(chain, &table->chains, list) { | 1139 | if (idx < s_idx) |
| 1144 | if (idx < s_idx) | 1140 | goto cont; |
| 1145 | goto cont; | 1141 | if (idx > s_idx) |
| 1146 | if (idx > s_idx) | 1142 | memset(&cb->args[1], 0, |
| 1147 | memset(&cb->args[1], 0, | 1143 | sizeof(cb->args) - sizeof(cb->args[0])); |
| 1148 | sizeof(cb->args) - sizeof(cb->args[0])); | 1144 | if (!nft_is_active(net, chain)) |
| 1149 | if (!nft_is_active(net, chain)) | 1145 | continue; |
| 1150 | continue; | 1146 | if (nf_tables_fill_chain_info(skb, net, |
| 1151 | if (nf_tables_fill_chain_info(skb, net, | 1147 | NETLINK_CB(cb->skb).portid, |
| 1152 | NETLINK_CB(cb->skb).portid, | 1148 | cb->nlh->nlmsg_seq, |
| 1153 | cb->nlh->nlmsg_seq, | 1149 | NFT_MSG_NEWCHAIN, |
| 1154 | NFT_MSG_NEWCHAIN, | 1150 | NLM_F_MULTI, |
| 1155 | NLM_F_MULTI, | 1151 | table->afi->family, table, |
| 1156 | afi->family, table, chain) < 0) | 1152 | chain) < 0) |
| 1157 | goto done; | 1153 | goto done; |
| 1158 | 1154 | ||
| 1159 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); | 1155 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); |
| 1160 | cont: | 1156 | cont: |
| 1161 | idx++; | 1157 | idx++; |
| 1162 | } | ||
| 1163 | } | 1158 | } |
| 1164 | } | 1159 | } |
| 1165 | done: | 1160 | done: |
| @@ -1193,7 +1188,8 @@ static int nf_tables_getchain(struct net *net, struct sock *nlsk, | |||
| 1193 | if (IS_ERR(afi)) | 1188 | if (IS_ERR(afi)) |
| 1194 | return PTR_ERR(afi); | 1189 | return PTR_ERR(afi); |
| 1195 | 1190 | ||
| 1196 | table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask); | 1191 | table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family, |
| 1192 | genmask); | ||
| 1197 | if (IS_ERR(table)) | 1193 | if (IS_ERR(table)) |
| 1198 | return PTR_ERR(table); | 1194 | return PTR_ERR(table); |
| 1199 | 1195 | ||
| @@ -1301,8 +1297,8 @@ struct nft_chain_hook { | |||
| 1301 | 1297 | ||
| 1302 | static int nft_chain_parse_hook(struct net *net, | 1298 | static int nft_chain_parse_hook(struct net *net, |
| 1303 | const struct nlattr * const nla[], | 1299 | const struct nlattr * const nla[], |
| 1304 | struct nft_af_info *afi, | 1300 | struct nft_chain_hook *hook, u8 family, |
| 1305 | struct nft_chain_hook *hook, bool create) | 1301 | bool create) |
| 1306 | { | 1302 | { |
| 1307 | struct nlattr *ha[NFTA_HOOK_MAX + 1]; | 1303 | struct nlattr *ha[NFTA_HOOK_MAX + 1]; |
| 1308 | const struct nf_chain_type *type; | 1304 | const struct nf_chain_type *type; |
| @@ -1321,10 +1317,10 @@ static int nft_chain_parse_hook(struct net *net, | |||
| 1321 | hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); | 1317 | hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); |
| 1322 | hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); | 1318 | hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); |
| 1323 | 1319 | ||
| 1324 | type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT]; | 1320 | type = chain_type[family][NFT_CHAIN_T_DEFAULT]; |
| 1325 | if (nla[NFTA_CHAIN_TYPE]) { | 1321 | if (nla[NFTA_CHAIN_TYPE]) { |
| 1326 | type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE], | 1322 | type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE], |
| 1327 | afi->family, create); | 1323 | family, create); |
| 1328 | if (IS_ERR(type)) | 1324 | if (IS_ERR(type)) |
| 1329 | return PTR_ERR(type); | 1325 | return PTR_ERR(type); |
| 1330 | } | 1326 | } |
| @@ -1341,7 +1337,7 @@ static int nft_chain_parse_hook(struct net *net, | |||
| 1341 | hook->type = type; | 1337 | hook->type = type; |
| 1342 | 1338 | ||
| 1343 | hook->dev = NULL; | 1339 | hook->dev = NULL; |
| 1344 | if (afi->family == NFPROTO_NETDEV) { | 1340 | if (family == NFPROTO_NETDEV) { |
| 1345 | char ifname[IFNAMSIZ]; | 1341 | char ifname[IFNAMSIZ]; |
| 1346 | 1342 | ||
| 1347 | if (!ha[NFTA_HOOK_DEV]) { | 1343 | if (!ha[NFTA_HOOK_DEV]) { |
| @@ -1376,7 +1372,6 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, | |||
| 1376 | { | 1372 | { |
| 1377 | const struct nlattr * const *nla = ctx->nla; | 1373 | const struct nlattr * const *nla = ctx->nla; |
| 1378 | struct nft_table *table = ctx->table; | 1374 | struct nft_table *table = ctx->table; |
| 1379 | struct nft_af_info *afi = ctx->afi; | ||
| 1380 | struct nft_base_chain *basechain; | 1375 | struct nft_base_chain *basechain; |
| 1381 | struct nft_stats __percpu *stats; | 1376 | struct nft_stats __percpu *stats; |
| 1382 | struct net *net = ctx->net; | 1377 | struct net *net = ctx->net; |
| @@ -1390,7 +1385,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, | |||
| 1390 | struct nft_chain_hook hook; | 1385 | struct nft_chain_hook hook; |
| 1391 | struct nf_hook_ops *ops; | 1386 | struct nf_hook_ops *ops; |
| 1392 | 1387 | ||
| 1393 | err = nft_chain_parse_hook(net, nla, afi, &hook, create); | 1388 | err = nft_chain_parse_hook(net, nla, &hook, family, create); |
| 1394 | if (err < 0) | 1389 | if (err < 0) |
| 1395 | return err; | 1390 | return err; |
| 1396 | 1391 | ||
| @@ -1483,7 +1478,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, | |||
| 1483 | if (!nft_is_base_chain(chain)) | 1478 | if (!nft_is_base_chain(chain)) |
| 1484 | return -EBUSY; | 1479 | return -EBUSY; |
| 1485 | 1480 | ||
| 1486 | err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook, | 1481 | err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, |
| 1487 | create); | 1482 | create); |
| 1488 | if (err < 0) | 1483 | if (err < 0) |
| 1489 | return err; | 1484 | return err; |
| @@ -1576,7 +1571,8 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk, | |||
| 1576 | if (IS_ERR(afi)) | 1571 | if (IS_ERR(afi)) |
| 1577 | return PTR_ERR(afi); | 1572 | return PTR_ERR(afi); |
| 1578 | 1573 | ||
| 1579 | table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask); | 1574 | table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family, |
| 1575 | genmask); | ||
| 1580 | if (IS_ERR(table)) | 1576 | if (IS_ERR(table)) |
| 1581 | return PTR_ERR(table); | 1577 | return PTR_ERR(table); |
| 1582 | 1578 | ||
| @@ -1616,7 +1612,7 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk, | |||
| 1616 | } | 1612 | } |
| 1617 | } | 1613 | } |
| 1618 | 1614 | ||
| 1619 | nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla); | 1615 | nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); |
| 1620 | 1616 | ||
| 1621 | if (chain != NULL) { | 1617 | if (chain != NULL) { |
| 1622 | if (nlh->nlmsg_flags & NLM_F_EXCL) | 1618 | if (nlh->nlmsg_flags & NLM_F_EXCL) |
| @@ -1650,7 +1646,8 @@ static int nf_tables_delchain(struct net *net, struct sock *nlsk, | |||
| 1650 | if (IS_ERR(afi)) | 1646 | if (IS_ERR(afi)) |
| 1651 | return PTR_ERR(afi); | 1647 | return PTR_ERR(afi); |
| 1652 | 1648 | ||
| 1653 | table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask); | 1649 | table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family, |
| 1650 | genmask); | ||
| 1654 | if (IS_ERR(table)) | 1651 | if (IS_ERR(table)) |
| 1655 | return PTR_ERR(table); | 1652 | return PTR_ERR(table); |
| 1656 | 1653 | ||
| @@ -1662,7 +1659,7 @@ static int nf_tables_delchain(struct net *net, struct sock *nlsk, | |||
| 1662 | chain->use > 0) | 1659 | chain->use > 0) |
| 1663 | return -EBUSY; | 1660 | return -EBUSY; |
| 1664 | 1661 | ||
| 1665 | nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla); | 1662 | nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); |
| 1666 | 1663 | ||
| 1667 | use = chain->use; | 1664 | use = chain->use; |
| 1668 | list_for_each_entry(rule, &chain->rules, list) { | 1665 | list_for_each_entry(rule, &chain->rules, list) { |
| @@ -1827,7 +1824,7 @@ static int nf_tables_expr_parse(const struct nft_ctx *ctx, | |||
| 1827 | if (err < 0) | 1824 | if (err < 0) |
| 1828 | return err; | 1825 | return err; |
| 1829 | 1826 | ||
| 1830 | type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]); | 1827 | type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]); |
| 1831 | if (IS_ERR(type)) | 1828 | if (IS_ERR(type)) |
| 1832 | return PTR_ERR(type); | 1829 | return PTR_ERR(type); |
| 1833 | 1830 | ||
| @@ -2050,7 +2047,7 @@ static void nf_tables_rule_notify(const struct nft_ctx *ctx, | |||
| 2050 | goto err; | 2047 | goto err; |
| 2051 | 2048 | ||
| 2052 | err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, | 2049 | err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, |
| 2053 | event, 0, ctx->afi->family, ctx->table, | 2050 | event, 0, ctx->family, ctx->table, |
| 2054 | ctx->chain, rule); | 2051 | ctx->chain, rule); |
| 2055 | if (err < 0) { | 2052 | if (err < 0) { |
| 2056 | kfree_skb(skb); | 2053 | kfree_skb(skb); |
| @@ -2074,7 +2071,6 @@ static int nf_tables_dump_rules(struct sk_buff *skb, | |||
| 2074 | { | 2071 | { |
| 2075 | const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); | 2072 | const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); |
| 2076 | const struct nft_rule_dump_ctx *ctx = cb->data; | 2073 | const struct nft_rule_dump_ctx *ctx = cb->data; |
| 2077 | const struct nft_af_info *afi; | ||
| 2078 | const struct nft_table *table; | 2074 | const struct nft_table *table; |
| 2079 | const struct nft_chain *chain; | 2075 | const struct nft_chain *chain; |
| 2080 | const struct nft_rule *rule; | 2076 | const struct nft_rule *rule; |
| @@ -2085,39 +2081,37 @@ static int nf_tables_dump_rules(struct sk_buff *skb, | |||
| 2085 | rcu_read_lock(); | 2081 | rcu_read_lock(); |
| 2086 | cb->seq = net->nft.base_seq; | 2082 | cb->seq = net->nft.base_seq; |
| 2087 | 2083 | ||
| 2088 | list_for_each_entry_rcu(afi, &net->nft.af_info, list) { | 2084 | list_for_each_entry_rcu(table, &net->nft.tables, list) { |
| 2089 | if (family != NFPROTO_UNSPEC && family != afi->family) | 2085 | if (family != NFPROTO_UNSPEC && family != table->afi->family) |
| 2086 | continue; | ||
| 2087 | |||
| 2088 | if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) | ||
| 2090 | continue; | 2089 | continue; |
| 2091 | 2090 | ||
| 2092 | list_for_each_entry_rcu(table, &afi->tables, list) { | 2091 | list_for_each_entry_rcu(chain, &table->chains, list) { |
| 2093 | if (ctx && ctx->table && | 2092 | if (ctx && ctx->chain && |
| 2094 | strcmp(ctx->table, table->name) != 0) | 2093 | strcmp(ctx->chain, chain->name) != 0) |
| 2095 | continue; | 2094 | continue; |
| 2096 | 2095 | ||
| 2097 | list_for_each_entry_rcu(chain, &table->chains, list) { | 2096 | list_for_each_entry_rcu(rule, &chain->rules, list) { |
| 2098 | if (ctx && ctx->chain && | 2097 | if (!nft_is_active(net, rule)) |
| 2099 | strcmp(ctx->chain, chain->name) != 0) | 2098 | goto cont; |
| 2100 | continue; | 2099 | if (idx < s_idx) |
| 2101 | 2100 | goto cont; | |
| 2102 | list_for_each_entry_rcu(rule, &chain->rules, list) { | 2101 | if (idx > s_idx) |
| 2103 | if (!nft_is_active(net, rule)) | 2102 | memset(&cb->args[1], 0, |
| 2104 | goto cont; | 2103 | sizeof(cb->args) - sizeof(cb->args[0])); |
| 2105 | if (idx < s_idx) | 2104 | if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, |
| 2106 | goto cont; | 2105 | cb->nlh->nlmsg_seq, |
| 2107 | if (idx > s_idx) | 2106 | NFT_MSG_NEWRULE, |
| 2108 | memset(&cb->args[1], 0, | 2107 | NLM_F_MULTI | NLM_F_APPEND, |
| 2109 | sizeof(cb->args) - sizeof(cb->args[0])); | 2108 | table->afi->family, |
| 2110 | if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, | 2109 | table, chain, rule) < 0) |
| 2111 | cb->nlh->nlmsg_seq, | 2110 | goto done; |
| 2112 | NFT_MSG_NEWRULE, | 2111 | |
| 2113 | NLM_F_MULTI | NLM_F_APPEND, | 2112 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); |
| 2114 | afi->family, table, chain, rule) < 0) | ||
| 2115 | goto done; | ||
| 2116 | |||
| 2117 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); | ||
| 2118 | cont: | 2113 | cont: |
| 2119 | idx++; | 2114 | idx++; |
| 2120 | } | ||
| 2121 | } | 2115 | } |
| 2122 | } | 2116 | } |
| 2123 | } | 2117 | } |
| @@ -2195,7 +2189,8 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk, | |||
| 2195 | if (IS_ERR(afi)) | 2189 | if (IS_ERR(afi)) |
| 2196 | return PTR_ERR(afi); | 2190 | return PTR_ERR(afi); |
| 2197 | 2191 | ||
| 2198 | table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask); | 2192 | table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family, |
| 2193 | genmask); | ||
| 2199 | if (IS_ERR(table)) | 2194 | if (IS_ERR(table)) |
| 2200 | return PTR_ERR(table); | 2195 | return PTR_ERR(table); |
| 2201 | 2196 | ||
| @@ -2272,7 +2267,8 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, | |||
| 2272 | if (IS_ERR(afi)) | 2267 | if (IS_ERR(afi)) |
| 2273 | return PTR_ERR(afi); | 2268 | return PTR_ERR(afi); |
| 2274 | 2269 | ||
| 2275 | table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask); | 2270 | table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family, |
| 2271 | genmask); | ||
| 2276 | if (IS_ERR(table)) | 2272 | if (IS_ERR(table)) |
| 2277 | return PTR_ERR(table); | 2273 | return PTR_ERR(table); |
| 2278 | 2274 | ||
| @@ -2311,7 +2307,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, | |||
| 2311 | return PTR_ERR(old_rule); | 2307 | return PTR_ERR(old_rule); |
| 2312 | } | 2308 | } |
| 2313 | 2309 | ||
| 2314 | nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla); | 2310 | nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); |
| 2315 | 2311 | ||
| 2316 | n = 0; | 2312 | n = 0; |
| 2317 | size = 0; | 2313 | size = 0; |
| @@ -2446,7 +2442,8 @@ static int nf_tables_delrule(struct net *net, struct sock *nlsk, | |||
| 2446 | if (IS_ERR(afi)) | 2442 | if (IS_ERR(afi)) |
| 2447 | return PTR_ERR(afi); | 2443 | return PTR_ERR(afi); |
| 2448 | 2444 | ||
| 2449 | table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask); | 2445 | table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family, |
| 2446 | genmask); | ||
| 2450 | if (IS_ERR(table)) | 2447 | if (IS_ERR(table)) |
| 2451 | return PTR_ERR(table); | 2448 | return PTR_ERR(table); |
| 2452 | 2449 | ||
| @@ -2457,7 +2454,7 @@ static int nf_tables_delrule(struct net *net, struct sock *nlsk, | |||
| 2457 | return PTR_ERR(chain); | 2454 | return PTR_ERR(chain); |
| 2458 | } | 2455 | } |
| 2459 | 2456 | ||
| 2460 | nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla); | 2457 | nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); |
| 2461 | 2458 | ||
| 2462 | if (chain) { | 2459 | if (chain) { |
| 2463 | if (nla[NFTA_RULE_HANDLE]) { | 2460 | if (nla[NFTA_RULE_HANDLE]) { |
| @@ -2650,13 +2647,13 @@ static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net, | |||
| 2650 | if (afi == NULL) | 2647 | if (afi == NULL) |
| 2651 | return -EAFNOSUPPORT; | 2648 | return -EAFNOSUPPORT; |
| 2652 | 2649 | ||
| 2653 | table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], | 2650 | table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], |
| 2654 | genmask); | 2651 | afi->family, genmask); |
| 2655 | if (IS_ERR(table)) | 2652 | if (IS_ERR(table)) |
| 2656 | return PTR_ERR(table); | 2653 | return PTR_ERR(table); |
| 2657 | } | 2654 | } |
| 2658 | 2655 | ||
| 2659 | nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla); | 2656 | nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla); |
| 2660 | return 0; | 2657 | return 0; |
| 2661 | } | 2658 | } |
| 2662 | 2659 | ||
| @@ -2783,7 +2780,7 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, | |||
| 2783 | goto nla_put_failure; | 2780 | goto nla_put_failure; |
| 2784 | 2781 | ||
| 2785 | nfmsg = nlmsg_data(nlh); | 2782 | nfmsg = nlmsg_data(nlh); |
| 2786 | nfmsg->nfgen_family = ctx->afi->family; | 2783 | nfmsg->nfgen_family = ctx->family; |
| 2787 | nfmsg->version = NFNETLINK_V0; | 2784 | nfmsg->version = NFNETLINK_V0; |
| 2788 | nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); | 2785 | nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); |
| 2789 | 2786 | ||
| @@ -2875,10 +2872,8 @@ static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 2875 | { | 2872 | { |
| 2876 | const struct nft_set *set; | 2873 | const struct nft_set *set; |
| 2877 | unsigned int idx, s_idx = cb->args[0]; | 2874 | unsigned int idx, s_idx = cb->args[0]; |
| 2878 | struct nft_af_info *afi; | ||
| 2879 | struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; | 2875 | struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; |
| 2880 | struct net *net = sock_net(skb->sk); | 2876 | struct net *net = sock_net(skb->sk); |
| 2881 | int cur_family = cb->args[3]; | ||
| 2882 | struct nft_ctx *ctx = cb->data, ctx_set; | 2877 | struct nft_ctx *ctx = cb->data, ctx_set; |
| 2883 | 2878 | ||
| 2884 | if (cb->args[1]) | 2879 | if (cb->args[1]) |
| @@ -2887,51 +2882,44 @@ static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 2887 | rcu_read_lock(); | 2882 | rcu_read_lock(); |
| 2888 | cb->seq = net->nft.base_seq; | 2883 | cb->seq = net->nft.base_seq; |
| 2889 | 2884 | ||
| 2890 | list_for_each_entry_rcu(afi, &net->nft.af_info, list) { | 2885 | list_for_each_entry_rcu(table, &net->nft.tables, list) { |
| 2891 | if (ctx->afi && ctx->afi != afi) | 2886 | if (ctx->family != NFPROTO_UNSPEC && |
| 2887 | ctx->family != table->afi->family) | ||
| 2888 | continue; | ||
| 2889 | |||
| 2890 | if (ctx->table && ctx->table != table) | ||
| 2892 | continue; | 2891 | continue; |
| 2893 | 2892 | ||
| 2894 | if (cur_family) { | 2893 | if (cur_table) { |
| 2895 | if (afi->family != cur_family) | 2894 | if (cur_table != table) |
| 2896 | continue; | 2895 | continue; |
| 2897 | 2896 | ||
| 2898 | cur_family = 0; | 2897 | cur_table = NULL; |
| 2899 | } | 2898 | } |
| 2900 | list_for_each_entry_rcu(table, &afi->tables, list) { | 2899 | idx = 0; |
| 2901 | if (ctx->table && ctx->table != table) | 2900 | list_for_each_entry_rcu(set, &table->sets, list) { |
| 2902 | continue; | 2901 | if (idx < s_idx) |
| 2902 | goto cont; | ||
| 2903 | if (!nft_is_active(net, set)) | ||
| 2904 | goto cont; | ||
| 2903 | 2905 | ||
| 2904 | if (cur_table) { | 2906 | ctx_set = *ctx; |
| 2905 | if (cur_table != table) | 2907 | ctx_set.table = table; |
| 2906 | continue; | 2908 | ctx_set.family = table->afi->family; |
| 2907 | 2909 | ||
| 2908 | cur_table = NULL; | 2910 | if (nf_tables_fill_set(skb, &ctx_set, set, |
| 2911 | NFT_MSG_NEWSET, | ||
| 2912 | NLM_F_MULTI) < 0) { | ||
| 2913 | cb->args[0] = idx; | ||
| 2914 | cb->args[2] = (unsigned long) table; | ||
| 2915 | goto done; | ||
| 2909 | } | 2916 | } |
| 2910 | idx = 0; | 2917 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); |
| 2911 | list_for_each_entry_rcu(set, &table->sets, list) { | ||
| 2912 | if (idx < s_idx) | ||
| 2913 | goto cont; | ||
| 2914 | if (!nft_is_active(net, set)) | ||
| 2915 | goto cont; | ||
| 2916 | |||
| 2917 | ctx_set = *ctx; | ||
| 2918 | ctx_set.table = table; | ||
| 2919 | ctx_set.afi = afi; | ||
| 2920 | if (nf_tables_fill_set(skb, &ctx_set, set, | ||
| 2921 | NFT_MSG_NEWSET, | ||
| 2922 | NLM_F_MULTI) < 0) { | ||
| 2923 | cb->args[0] = idx; | ||
| 2924 | cb->args[2] = (unsigned long) table; | ||
| 2925 | cb->args[3] = afi->family; | ||
| 2926 | goto done; | ||
| 2927 | } | ||
| 2928 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); | ||
| 2929 | cont: | 2918 | cont: |
| 2930 | idx++; | 2919 | idx++; |
| 2931 | } | ||
| 2932 | if (s_idx) | ||
| 2933 | s_idx = 0; | ||
| 2934 | } | 2920 | } |
| 2921 | if (s_idx) | ||
| 2922 | s_idx = 0; | ||
| 2935 | } | 2923 | } |
| 2936 | cb->args[1] = 1; | 2924 | cb->args[1] = 1; |
| 2937 | done: | 2925 | done: |
| @@ -3141,11 +3129,12 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk, | |||
| 3141 | if (IS_ERR(afi)) | 3129 | if (IS_ERR(afi)) |
| 3142 | return PTR_ERR(afi); | 3130 | return PTR_ERR(afi); |
| 3143 | 3131 | ||
| 3144 | table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask); | 3132 | table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], afi->family, |
| 3133 | genmask); | ||
| 3145 | if (IS_ERR(table)) | 3134 | if (IS_ERR(table)) |
| 3146 | return PTR_ERR(table); | 3135 | return PTR_ERR(table); |
| 3147 | 3136 | ||
| 3148 | nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); | 3137 | nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); |
| 3149 | 3138 | ||
| 3150 | set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask); | 3139 | set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask); |
| 3151 | if (IS_ERR(set)) { | 3140 | if (IS_ERR(set)) { |
| @@ -3410,12 +3399,12 @@ static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net, | |||
| 3410 | if (IS_ERR(afi)) | 3399 | if (IS_ERR(afi)) |
| 3411 | return PTR_ERR(afi); | 3400 | return PTR_ERR(afi); |
| 3412 | 3401 | ||
| 3413 | table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE], | 3402 | table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], |
| 3414 | genmask); | 3403 | afi->family, genmask); |
| 3415 | if (IS_ERR(table)) | 3404 | if (IS_ERR(table)) |
| 3416 | return PTR_ERR(table); | 3405 | return PTR_ERR(table); |
| 3417 | 3406 | ||
| 3418 | nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla); | 3407 | nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla); |
| 3419 | return 0; | 3408 | return 0; |
| 3420 | } | 3409 | } |
| 3421 | 3410 | ||
| @@ -3520,7 +3509,6 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 3520 | { | 3509 | { |
| 3521 | struct nft_set_dump_ctx *dump_ctx = cb->data; | 3510 | struct nft_set_dump_ctx *dump_ctx = cb->data; |
| 3522 | struct net *net = sock_net(skb->sk); | 3511 | struct net *net = sock_net(skb->sk); |
| 3523 | struct nft_af_info *afi; | ||
| 3524 | struct nft_table *table; | 3512 | struct nft_table *table; |
| 3525 | struct nft_set *set; | 3513 | struct nft_set *set; |
| 3526 | struct nft_set_dump_args args; | 3514 | struct nft_set_dump_args args; |
| @@ -3532,21 +3520,19 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 3532 | int event; | 3520 | int event; |
| 3533 | 3521 | ||
| 3534 | rcu_read_lock(); | 3522 | rcu_read_lock(); |
| 3535 | list_for_each_entry_rcu(afi, &net->nft.af_info, list) { | 3523 | list_for_each_entry_rcu(table, &net->nft.tables, list) { |
| 3536 | if (afi != dump_ctx->ctx.afi) | 3524 | if (dump_ctx->ctx.family != NFPROTO_UNSPEC && |
| 3525 | dump_ctx->ctx.family != table->afi->family) | ||
| 3537 | continue; | 3526 | continue; |
| 3538 | 3527 | ||
| 3539 | list_for_each_entry_rcu(table, &afi->tables, list) { | 3528 | if (table != dump_ctx->ctx.table) |
| 3540 | if (table != dump_ctx->ctx.table) | 3529 | continue; |
| 3541 | continue; | ||
| 3542 | 3530 | ||
| 3543 | list_for_each_entry_rcu(set, &table->sets, list) { | 3531 | list_for_each_entry_rcu(set, &table->sets, list) { |
| 3544 | if (set == dump_ctx->set) { | 3532 | if (set == dump_ctx->set) { |
| 3545 | set_found = true; | 3533 | set_found = true; |
| 3546 | break; | 3534 | break; |
| 3547 | } | ||
| 3548 | } | 3535 | } |
| 3549 | break; | ||
| 3550 | } | 3536 | } |
| 3551 | break; | 3537 | break; |
| 3552 | } | 3538 | } |
| @@ -3566,7 +3552,7 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 3566 | goto nla_put_failure; | 3552 | goto nla_put_failure; |
| 3567 | 3553 | ||
| 3568 | nfmsg = nlmsg_data(nlh); | 3554 | nfmsg = nlmsg_data(nlh); |
| 3569 | nfmsg->nfgen_family = afi->family; | 3555 | nfmsg->nfgen_family = table->afi->family; |
| 3570 | nfmsg->version = NFNETLINK_V0; | 3556 | nfmsg->version = NFNETLINK_V0; |
| 3571 | nfmsg->res_id = htons(net->nft.base_seq & 0xffff); | 3557 | nfmsg->res_id = htons(net->nft.base_seq & 0xffff); |
| 3572 | 3558 | ||
| @@ -3629,7 +3615,7 @@ static int nf_tables_fill_setelem_info(struct sk_buff *skb, | |||
| 3629 | goto nla_put_failure; | 3615 | goto nla_put_failure; |
| 3630 | 3616 | ||
| 3631 | nfmsg = nlmsg_data(nlh); | 3617 | nfmsg = nlmsg_data(nlh); |
| 3632 | nfmsg->nfgen_family = ctx->afi->family; | 3618 | nfmsg->nfgen_family = ctx->family; |
| 3633 | nfmsg->version = NFNETLINK_V0; | 3619 | nfmsg->version = NFNETLINK_V0; |
| 3634 | nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); | 3620 | nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); |
| 3635 | 3621 | ||
| @@ -3986,7 +3972,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, | |||
| 3986 | list_for_each_entry(binding, &set->bindings, list) { | 3972 | list_for_each_entry(binding, &set->bindings, list) { |
| 3987 | struct nft_ctx bind_ctx = { | 3973 | struct nft_ctx bind_ctx = { |
| 3988 | .net = ctx->net, | 3974 | .net = ctx->net, |
| 3989 | .afi = ctx->afi, | 3975 | .family = ctx->family, |
| 3990 | .table = ctx->table, | 3976 | .table = ctx->table, |
| 3991 | .chain = (struct nft_chain *)binding->chain, | 3977 | .chain = (struct nft_chain *)binding->chain, |
| 3992 | }; | 3978 | }; |
| @@ -4533,7 +4519,8 @@ static int nf_tables_newobj(struct net *net, struct sock *nlsk, | |||
| 4533 | if (IS_ERR(afi)) | 4519 | if (IS_ERR(afi)) |
| 4534 | return PTR_ERR(afi); | 4520 | return PTR_ERR(afi); |
| 4535 | 4521 | ||
| 4536 | table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask); | 4522 | table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family, |
| 4523 | genmask); | ||
| 4537 | if (IS_ERR(table)) | 4524 | if (IS_ERR(table)) |
| 4538 | return PTR_ERR(table); | 4525 | return PTR_ERR(table); |
| 4539 | 4526 | ||
| @@ -4551,7 +4538,7 @@ static int nf_tables_newobj(struct net *net, struct sock *nlsk, | |||
| 4551 | return 0; | 4538 | return 0; |
| 4552 | } | 4539 | } |
| 4553 | 4540 | ||
| 4554 | nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); | 4541 | nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); |
| 4555 | 4542 | ||
| 4556 | type = nft_obj_type_get(objtype); | 4543 | type = nft_obj_type_get(objtype); |
| 4557 | if (IS_ERR(type)) | 4544 | if (IS_ERR(type)) |
| @@ -4628,7 +4615,6 @@ struct nft_obj_filter { | |||
| 4628 | static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) | 4615 | static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) |
| 4629 | { | 4616 | { |
| 4630 | const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); | 4617 | const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); |
| 4631 | const struct nft_af_info *afi; | ||
| 4632 | const struct nft_table *table; | 4618 | const struct nft_table *table; |
| 4633 | unsigned int idx = 0, s_idx = cb->args[0]; | 4619 | unsigned int idx = 0, s_idx = cb->args[0]; |
| 4634 | struct nft_obj_filter *filter = cb->data; | 4620 | struct nft_obj_filter *filter = cb->data; |
| @@ -4643,38 +4629,37 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 4643 | rcu_read_lock(); | 4629 | rcu_read_lock(); |
| 4644 | cb->seq = net->nft.base_seq; | 4630 | cb->seq = net->nft.base_seq; |
| 4645 | 4631 | ||
| 4646 | list_for_each_entry_rcu(afi, &net->nft.af_info, list) { | 4632 | list_for_each_entry_rcu(table, &net->nft.tables, list) { |
| 4647 | if (family != NFPROTO_UNSPEC && family != afi->family) | 4633 | if (family != NFPROTO_UNSPEC && family != table->afi->family) |
| 4648 | continue; | 4634 | continue; |
| 4649 | 4635 | ||
| 4650 | list_for_each_entry_rcu(table, &afi->tables, list) { | 4636 | list_for_each_entry_rcu(obj, &table->objects, list) { |
| 4651 | list_for_each_entry_rcu(obj, &table->objects, list) { | 4637 | if (!nft_is_active(net, obj)) |
| 4652 | if (!nft_is_active(net, obj)) | 4638 | goto cont; |
| 4653 | goto cont; | 4639 | if (idx < s_idx) |
| 4654 | if (idx < s_idx) | 4640 | goto cont; |
| 4655 | goto cont; | 4641 | if (idx > s_idx) |
| 4656 | if (idx > s_idx) | 4642 | memset(&cb->args[1], 0, |
| 4657 | memset(&cb->args[1], 0, | 4643 | sizeof(cb->args) - sizeof(cb->args[0])); |
| 4658 | sizeof(cb->args) - sizeof(cb->args[0])); | 4644 | if (filter && filter->table[0] && |
| 4659 | if (filter && filter->table[0] && | 4645 | strcmp(filter->table, table->name)) |
| 4660 | strcmp(filter->table, table->name)) | 4646 | goto cont; |
| 4661 | goto cont; | 4647 | if (filter && |
| 4662 | if (filter && | 4648 | filter->type != NFT_OBJECT_UNSPEC && |
| 4663 | filter->type != NFT_OBJECT_UNSPEC && | 4649 | obj->ops->type->type != filter->type) |
| 4664 | obj->ops->type->type != filter->type) | 4650 | goto cont; |
| 4665 | goto cont; | ||
| 4666 | 4651 | ||
| 4667 | if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, | 4652 | if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, |
| 4668 | cb->nlh->nlmsg_seq, | 4653 | cb->nlh->nlmsg_seq, |
| 4669 | NFT_MSG_NEWOBJ, | 4654 | NFT_MSG_NEWOBJ, |
| 4670 | NLM_F_MULTI | NLM_F_APPEND, | 4655 | NLM_F_MULTI | NLM_F_APPEND, |
| 4671 | afi->family, table, obj, reset) < 0) | 4656 | table->afi->family, table, |
| 4672 | goto done; | 4657 | obj, reset) < 0) |
| 4658 | goto done; | ||
| 4673 | 4659 | ||
| 4674 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); | 4660 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); |
| 4675 | cont: | 4661 | cont: |
| 4676 | idx++; | 4662 | idx++; |
| 4677 | } | ||
| 4678 | } | 4663 | } |
| 4679 | } | 4664 | } |
| 4680 | done: | 4665 | done: |
| @@ -4761,7 +4746,8 @@ static int nf_tables_getobj(struct net *net, struct sock *nlsk, | |||
| 4761 | if (IS_ERR(afi)) | 4746 | if (IS_ERR(afi)) |
| 4762 | return PTR_ERR(afi); | 4747 | return PTR_ERR(afi); |
| 4763 | 4748 | ||
| 4764 | table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask); | 4749 | table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family, |
| 4750 | genmask); | ||
| 4765 | if (IS_ERR(table)) | 4751 | if (IS_ERR(table)) |
| 4766 | return PTR_ERR(table); | 4752 | return PTR_ERR(table); |
| 4767 | 4753 | ||
| @@ -4821,7 +4807,8 @@ static int nf_tables_delobj(struct net *net, struct sock *nlsk, | |||
| 4821 | if (IS_ERR(afi)) | 4807 | if (IS_ERR(afi)) |
| 4822 | return PTR_ERR(afi); | 4808 | return PTR_ERR(afi); |
| 4823 | 4809 | ||
| 4824 | table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask); | 4810 | table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family, |
| 4811 | genmask); | ||
| 4825 | if (IS_ERR(table)) | 4812 | if (IS_ERR(table)) |
| 4826 | return PTR_ERR(table); | 4813 | return PTR_ERR(table); |
| 4827 | 4814 | ||
| @@ -4832,7 +4819,7 @@ static int nf_tables_delobj(struct net *net, struct sock *nlsk, | |||
| 4832 | if (obj->use > 0) | 4819 | if (obj->use > 0) |
| 4833 | return -EBUSY; | 4820 | return -EBUSY; |
| 4834 | 4821 | ||
| 4835 | nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); | 4822 | nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); |
| 4836 | 4823 | ||
| 4837 | return nft_delobj(&ctx, obj); | 4824 | return nft_delobj(&ctx, obj); |
| 4838 | } | 4825 | } |
| @@ -4870,7 +4857,7 @@ static void nf_tables_obj_notify(const struct nft_ctx *ctx, | |||
| 4870 | struct nft_object *obj, int event) | 4857 | struct nft_object *obj, int event) |
| 4871 | { | 4858 | { |
| 4872 | nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, | 4859 | nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, |
| 4873 | ctx->afi->family, ctx->report, GFP_KERNEL); | 4860 | ctx->family, ctx->report, GFP_KERNEL); |
| 4874 | } | 4861 | } |
| 4875 | 4862 | ||
| 4876 | /* | 4863 | /* |
| @@ -5060,7 +5047,7 @@ void nft_flow_table_iterate(struct net *net, | |||
| 5060 | 5047 | ||
| 5061 | rcu_read_lock(); | 5048 | rcu_read_lock(); |
| 5062 | list_for_each_entry_rcu(afi, &net->nft.af_info, list) { | 5049 | list_for_each_entry_rcu(afi, &net->nft.af_info, list) { |
| 5063 | list_for_each_entry_rcu(table, &afi->tables, list) { | 5050 | list_for_each_entry_rcu(table, &net->nft.tables, list) { |
| 5064 | list_for_each_entry_rcu(flowtable, &table->flowtables, list) { | 5051 | list_for_each_entry_rcu(flowtable, &table->flowtables, list) { |
| 5065 | iter(&flowtable->data, data); | 5052 | iter(&flowtable->data, data); |
| 5066 | } | 5053 | } |
| @@ -5108,7 +5095,8 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk, | |||
| 5108 | if (IS_ERR(afi)) | 5095 | if (IS_ERR(afi)) |
| 5109 | return PTR_ERR(afi); | 5096 | return PTR_ERR(afi); |
| 5110 | 5097 | ||
| 5111 | table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask); | 5098 | table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], |
| 5099 | afi->family, genmask); | ||
| 5112 | if (IS_ERR(table)) | 5100 | if (IS_ERR(table)) |
| 5113 | return PTR_ERR(table); | 5101 | return PTR_ERR(table); |
| 5114 | 5102 | ||
| @@ -5125,7 +5113,7 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk, | |||
| 5125 | return 0; | 5113 | return 0; |
| 5126 | } | 5114 | } |
| 5127 | 5115 | ||
| 5128 | nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); | 5116 | nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); |
| 5129 | 5117 | ||
| 5130 | flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL); | 5118 | flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL); |
| 5131 | if (!flowtable) | 5119 | if (!flowtable) |
| @@ -5206,7 +5194,8 @@ static int nf_tables_delflowtable(struct net *net, struct sock *nlsk, | |||
| 5206 | if (IS_ERR(afi)) | 5194 | if (IS_ERR(afi)) |
| 5207 | return PTR_ERR(afi); | 5195 | return PTR_ERR(afi); |
| 5208 | 5196 | ||
| 5209 | table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask); | 5197 | table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], |
| 5198 | afi->family, genmask); | ||
| 5210 | if (IS_ERR(table)) | 5199 | if (IS_ERR(table)) |
| 5211 | return PTR_ERR(table); | 5200 | return PTR_ERR(table); |
| 5212 | 5201 | ||
| @@ -5217,7 +5206,7 @@ static int nf_tables_delflowtable(struct net *net, struct sock *nlsk, | |||
| 5217 | if (flowtable->use > 0) | 5206 | if (flowtable->use > 0) |
| 5218 | return -EBUSY; | 5207 | return -EBUSY; |
| 5219 | 5208 | ||
| 5220 | nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); | 5209 | nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); |
| 5221 | 5210 | ||
| 5222 | return nft_delflowtable(&ctx, flowtable); | 5211 | return nft_delflowtable(&ctx, flowtable); |
| 5223 | } | 5212 | } |
| @@ -5286,40 +5275,37 @@ static int nf_tables_dump_flowtable(struct sk_buff *skb, | |||
| 5286 | struct net *net = sock_net(skb->sk); | 5275 | struct net *net = sock_net(skb->sk); |
| 5287 | int family = nfmsg->nfgen_family; | 5276 | int family = nfmsg->nfgen_family; |
| 5288 | struct nft_flowtable *flowtable; | 5277 | struct nft_flowtable *flowtable; |
| 5289 | const struct nft_af_info *afi; | ||
| 5290 | const struct nft_table *table; | 5278 | const struct nft_table *table; |
| 5291 | 5279 | ||
| 5292 | rcu_read_lock(); | 5280 | rcu_read_lock(); |
| 5293 | cb->seq = net->nft.base_seq; | 5281 | cb->seq = net->nft.base_seq; |
| 5294 | 5282 | ||
| 5295 | list_for_each_entry_rcu(afi, &net->nft.af_info, list) { | 5283 | list_for_each_entry_rcu(table, &net->nft.tables, list) { |
| 5296 | if (family != NFPROTO_UNSPEC && family != afi->family) | 5284 | if (family != NFPROTO_UNSPEC && family != table->afi->family) |
| 5297 | continue; | 5285 | continue; |
| 5298 | 5286 | ||
| 5299 | list_for_each_entry_rcu(table, &afi->tables, list) { | 5287 | list_for_each_entry_rcu(flowtable, &table->flowtables, list) { |
| 5300 | list_for_each_entry_rcu(flowtable, &table->flowtables, list) { | 5288 | if (!nft_is_active(net, flowtable)) |
| 5301 | if (!nft_is_active(net, flowtable)) | 5289 | goto cont; |
| 5302 | goto cont; | 5290 | if (idx < s_idx) |
| 5303 | if (idx < s_idx) | 5291 | goto cont; |
| 5304 | goto cont; | 5292 | if (idx > s_idx) |
| 5305 | if (idx > s_idx) | 5293 | memset(&cb->args[1], 0, |
| 5306 | memset(&cb->args[1], 0, | 5294 | sizeof(cb->args) - sizeof(cb->args[0])); |
| 5307 | sizeof(cb->args) - sizeof(cb->args[0])); | 5295 | if (filter && filter->table[0] && |
| 5308 | if (filter && filter->table[0] && | 5296 | strcmp(filter->table, table->name)) |
| 5309 | strcmp(filter->table, table->name)) | 5297 | goto cont; |
| 5310 | goto cont; | ||
| 5311 | 5298 | ||
| 5312 | if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, | 5299 | if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, |
| 5313 | cb->nlh->nlmsg_seq, | 5300 | cb->nlh->nlmsg_seq, |
| 5314 | NFT_MSG_NEWFLOWTABLE, | 5301 | NFT_MSG_NEWFLOWTABLE, |
| 5315 | NLM_F_MULTI | NLM_F_APPEND, | 5302 | NLM_F_MULTI | NLM_F_APPEND, |
| 5316 | afi->family, flowtable) < 0) | 5303 | table->afi->family, flowtable) < 0) |
| 5317 | goto done; | 5304 | goto done; |
| 5318 | 5305 | ||
| 5319 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); | 5306 | nl_dump_check_consistent(cb, nlmsg_hdr(skb)); |
| 5320 | cont: | 5307 | cont: |
| 5321 | idx++; | 5308 | idx++; |
| 5322 | } | ||
| 5323 | } | 5309 | } |
| 5324 | } | 5310 | } |
| 5325 | done: | 5311 | done: |
| @@ -5402,7 +5388,8 @@ static int nf_tables_getflowtable(struct net *net, struct sock *nlsk, | |||
| 5402 | if (IS_ERR(afi)) | 5388 | if (IS_ERR(afi)) |
| 5403 | return PTR_ERR(afi); | 5389 | return PTR_ERR(afi); |
| 5404 | 5390 | ||
| 5405 | table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask); | 5391 | table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], |
| 5392 | afi->family, genmask); | ||
| 5406 | if (IS_ERR(table)) | 5393 | if (IS_ERR(table)) |
| 5407 | return PTR_ERR(table); | 5394 | return PTR_ERR(table); |
| 5408 | 5395 | ||
| @@ -5445,7 +5432,7 @@ static void nf_tables_flowtable_notify(struct nft_ctx *ctx, | |||
| 5445 | 5432 | ||
| 5446 | err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, | 5433 | err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, |
| 5447 | ctx->seq, event, 0, | 5434 | ctx->seq, event, 0, |
| 5448 | ctx->afi->family, flowtable); | 5435 | ctx->family, flowtable); |
| 5449 | if (err < 0) { | 5436 | if (err < 0) { |
| 5450 | kfree_skb(skb); | 5437 | kfree_skb(skb); |
| 5451 | goto err; | 5438 | goto err; |
| @@ -5523,17 +5510,14 @@ static int nf_tables_flowtable_event(struct notifier_block *this, | |||
| 5523 | struct net_device *dev = netdev_notifier_info_to_dev(ptr); | 5510 | struct net_device *dev = netdev_notifier_info_to_dev(ptr); |
| 5524 | struct nft_flowtable *flowtable; | 5511 | struct nft_flowtable *flowtable; |
| 5525 | struct nft_table *table; | 5512 | struct nft_table *table; |
| 5526 | struct nft_af_info *afi; | ||
| 5527 | 5513 | ||
| 5528 | if (event != NETDEV_UNREGISTER) | 5514 | if (event != NETDEV_UNREGISTER) |
| 5529 | return 0; | 5515 | return 0; |
| 5530 | 5516 | ||
| 5531 | nfnl_lock(NFNL_SUBSYS_NFTABLES); | 5517 | nfnl_lock(NFNL_SUBSYS_NFTABLES); |
| 5532 | list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) { | 5518 | list_for_each_entry(table, &dev_net(dev)->nft.tables, list) { |
| 5533 | list_for_each_entry(table, &afi->tables, list) { | 5519 | list_for_each_entry(flowtable, &table->flowtables, list) { |
| 5534 | list_for_each_entry(flowtable, &table->flowtables, list) { | 5520 | nft_flowtable_event(event, dev, flowtable); |
| 5535 | nft_flowtable_event(event, dev, flowtable); | ||
| 5536 | } | ||
| 5537 | } | 5521 | } |
| 5538 | } | 5522 | } |
| 5539 | nfnl_unlock(NFNL_SUBSYS_NFTABLES); | 5523 | nfnl_unlock(NFNL_SUBSYS_NFTABLES); |
| @@ -6552,6 +6536,7 @@ EXPORT_SYMBOL_GPL(nft_data_dump); | |||
| 6552 | static int __net_init nf_tables_init_net(struct net *net) | 6536 | static int __net_init nf_tables_init_net(struct net *net) |
| 6553 | { | 6537 | { |
| 6554 | INIT_LIST_HEAD(&net->nft.af_info); | 6538 | INIT_LIST_HEAD(&net->nft.af_info); |
| 6539 | INIT_LIST_HEAD(&net->nft.tables); | ||
| 6555 | INIT_LIST_HEAD(&net->nft.commit_list); | 6540 | INIT_LIST_HEAD(&net->nft.commit_list); |
| 6556 | net->nft.base_seq = 1; | 6541 | net->nft.base_seq = 1; |
| 6557 | return 0; | 6542 | return 0; |
| @@ -6594,10 +6579,10 @@ static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi) | |||
| 6594 | struct nft_set *set, *ns; | 6579 | struct nft_set *set, *ns; |
| 6595 | struct nft_ctx ctx = { | 6580 | struct nft_ctx ctx = { |
| 6596 | .net = net, | 6581 | .net = net, |
| 6597 | .afi = afi, | 6582 | .family = afi->family, |
| 6598 | }; | 6583 | }; |
| 6599 | 6584 | ||
| 6600 | list_for_each_entry_safe(table, nt, &afi->tables, list) { | 6585 | list_for_each_entry_safe(table, nt, &net->nft.tables, list) { |
| 6601 | list_for_each_entry(chain, &table->chains, list) | 6586 | list_for_each_entry(chain, &table->chains, list) |
| 6602 | nf_tables_unregister_hook(net, table, chain); | 6587 | nf_tables_unregister_hook(net, table, chain); |
| 6603 | list_for_each_entry(flowtable, &table->flowtables, list) | 6588 | list_for_each_entry(flowtable, &table->flowtables, list) |
diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c index c7f671daa7d0..01b61a67a2ac 100644 --- a/net/netfilter/nf_tables_netdev.c +++ b/net/netfilter/nf_tables_netdev.c | |||
| @@ -107,7 +107,6 @@ static int nf_tables_netdev_event(struct notifier_block *this, | |||
| 107 | unsigned long event, void *ptr) | 107 | unsigned long event, void *ptr) |
| 108 | { | 108 | { |
| 109 | struct net_device *dev = netdev_notifier_info_to_dev(ptr); | 109 | struct net_device *dev = netdev_notifier_info_to_dev(ptr); |
| 110 | struct nft_af_info *afi; | ||
| 111 | struct nft_table *table; | 110 | struct nft_table *table; |
| 112 | struct nft_chain *chain, *nr; | 111 | struct nft_chain *chain, *nr; |
| 113 | struct nft_ctx ctx = { | 112 | struct nft_ctx ctx = { |
| @@ -119,20 +118,18 @@ static int nf_tables_netdev_event(struct notifier_block *this, | |||
| 119 | return NOTIFY_DONE; | 118 | return NOTIFY_DONE; |
| 120 | 119 | ||
| 121 | nfnl_lock(NFNL_SUBSYS_NFTABLES); | 120 | nfnl_lock(NFNL_SUBSYS_NFTABLES); |
| 122 | list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) { | 121 | list_for_each_entry(table, &ctx.net->nft.tables, list) { |
| 123 | ctx.afi = afi; | 122 | if (table->afi->family != NFPROTO_NETDEV) |
| 124 | if (afi->family != NFPROTO_NETDEV) | ||
| 125 | continue; | 123 | continue; |
| 126 | 124 | ||
| 127 | list_for_each_entry(table, &afi->tables, list) { | 125 | ctx.family = table->afi->family; |
| 128 | ctx.table = table; | 126 | ctx.table = table; |
| 129 | list_for_each_entry_safe(chain, nr, &table->chains, list) { | 127 | list_for_each_entry_safe(chain, nr, &table->chains, list) { |
| 130 | if (!nft_is_base_chain(chain)) | 128 | if (!nft_is_base_chain(chain)) |
| 131 | continue; | 129 | continue; |
| 132 | 130 | ||
| 133 | ctx.chain = chain; | 131 | ctx.chain = chain; |
| 134 | nft_netdev_event(event, dev, &ctx); | 132 | nft_netdev_event(event, dev, &ctx); |
| 135 | } | ||
| 136 | } | 133 | } |
| 137 | } | 134 | } |
| 138 | nfnl_unlock(NFNL_SUBSYS_NFTABLES); | 135 | nfnl_unlock(NFNL_SUBSYS_NFTABLES); |
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c index dcff0dc8d28b..7fa17e241c14 100644 --- a/net/netfilter/nft_compat.c +++ b/net/netfilter/nft_compat.c | |||
| @@ -144,7 +144,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par, | |||
| 144 | { | 144 | { |
| 145 | par->net = ctx->net; | 145 | par->net = ctx->net; |
| 146 | par->table = ctx->table->name; | 146 | par->table = ctx->table->name; |
| 147 | switch (ctx->afi->family) { | 147 | switch (ctx->family) { |
| 148 | case AF_INET: | 148 | case AF_INET: |
| 149 | entry->e4.ip.proto = proto; | 149 | entry->e4.ip.proto = proto; |
| 150 | entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0; | 150 | entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0; |
| @@ -175,7 +175,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par, | |||
| 175 | } else { | 175 | } else { |
| 176 | par->hook_mask = 0; | 176 | par->hook_mask = 0; |
| 177 | } | 177 | } |
| 178 | par->family = ctx->afi->family; | 178 | par->family = ctx->family; |
| 179 | par->nft_compat = true; | 179 | par->nft_compat = true; |
| 180 | } | 180 | } |
| 181 | 181 | ||
| @@ -267,7 +267,7 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr) | |||
| 267 | par.net = ctx->net; | 267 | par.net = ctx->net; |
| 268 | par.target = target; | 268 | par.target = target; |
| 269 | par.targinfo = info; | 269 | par.targinfo = info; |
| 270 | par.family = ctx->afi->family; | 270 | par.family = ctx->family; |
| 271 | if (par.target->destroy != NULL) | 271 | if (par.target->destroy != NULL) |
| 272 | par.target->destroy(&par); | 272 | par.target->destroy(&par); |
| 273 | 273 | ||
| @@ -358,7 +358,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx, | |||
| 358 | { | 358 | { |
| 359 | par->net = ctx->net; | 359 | par->net = ctx->net; |
| 360 | par->table = ctx->table->name; | 360 | par->table = ctx->table->name; |
| 361 | switch (ctx->afi->family) { | 361 | switch (ctx->family) { |
| 362 | case AF_INET: | 362 | case AF_INET: |
| 363 | entry->e4.ip.proto = proto; | 363 | entry->e4.ip.proto = proto; |
| 364 | entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0; | 364 | entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0; |
| @@ -389,7 +389,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx, | |||
| 389 | } else { | 389 | } else { |
| 390 | par->hook_mask = 0; | 390 | par->hook_mask = 0; |
| 391 | } | 391 | } |
| 392 | par->family = ctx->afi->family; | 392 | par->family = ctx->family; |
| 393 | par->nft_compat = true; | 393 | par->nft_compat = true; |
| 394 | } | 394 | } |
| 395 | 395 | ||
| @@ -446,7 +446,7 @@ nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr) | |||
| 446 | par.net = ctx->net; | 446 | par.net = ctx->net; |
| 447 | par.match = match; | 447 | par.match = match; |
| 448 | par.matchinfo = info; | 448 | par.matchinfo = info; |
| 449 | par.family = ctx->afi->family; | 449 | par.family = ctx->family; |
| 450 | if (par.match->destroy != NULL) | 450 | if (par.match->destroy != NULL) |
| 451 | par.match->destroy(&par); | 451 | par.match->destroy(&par); |
| 452 | 452 | ||
| @@ -648,7 +648,7 @@ nft_match_select_ops(const struct nft_ctx *ctx, | |||
| 648 | 648 | ||
| 649 | mt_name = nla_data(tb[NFTA_MATCH_NAME]); | 649 | mt_name = nla_data(tb[NFTA_MATCH_NAME]); |
| 650 | rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV])); | 650 | rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV])); |
| 651 | family = ctx->afi->family; | 651 | family = ctx->family; |
| 652 | 652 | ||
| 653 | /* Re-use the existing match if it's already loaded. */ | 653 | /* Re-use the existing match if it's already loaded. */ |
| 654 | list_for_each_entry(nft_match, &nft_match_list, head) { | 654 | list_for_each_entry(nft_match, &nft_match_list, head) { |
| @@ -733,7 +733,7 @@ nft_target_select_ops(const struct nft_ctx *ctx, | |||
| 733 | 733 | ||
| 734 | tg_name = nla_data(tb[NFTA_TARGET_NAME]); | 734 | tg_name = nla_data(tb[NFTA_TARGET_NAME]); |
| 735 | rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV])); | 735 | rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV])); |
| 736 | family = ctx->afi->family; | 736 | family = ctx->family; |
| 737 | 737 | ||
| 738 | /* Re-use the existing target if it's already loaded. */ | 738 | /* Re-use the existing target if it's already loaded. */ |
| 739 | list_for_each_entry(nft_target, &nft_target_list, head) { | 739 | list_for_each_entry(nft_target, &nft_target_list, head) { |
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 2647b895f4b0..6ab274b14484 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c | |||
| @@ -405,7 +405,7 @@ static int nft_ct_get_init(const struct nft_ctx *ctx, | |||
| 405 | if (tb[NFTA_CT_DIRECTION] == NULL) | 405 | if (tb[NFTA_CT_DIRECTION] == NULL) |
| 406 | return -EINVAL; | 406 | return -EINVAL; |
| 407 | 407 | ||
| 408 | switch (ctx->afi->family) { | 408 | switch (ctx->family) { |
| 409 | case NFPROTO_IPV4: | 409 | case NFPROTO_IPV4: |
| 410 | len = FIELD_SIZEOF(struct nf_conntrack_tuple, | 410 | len = FIELD_SIZEOF(struct nf_conntrack_tuple, |
| 411 | src.u3.ip); | 411 | src.u3.ip); |
| @@ -456,7 +456,7 @@ static int nft_ct_get_init(const struct nft_ctx *ctx, | |||
| 456 | if (err < 0) | 456 | if (err < 0) |
| 457 | return err; | 457 | return err; |
| 458 | 458 | ||
| 459 | err = nf_ct_netns_get(ctx->net, ctx->afi->family); | 459 | err = nf_ct_netns_get(ctx->net, ctx->family); |
| 460 | if (err < 0) | 460 | if (err < 0) |
| 461 | return err; | 461 | return err; |
| 462 | 462 | ||
| @@ -550,7 +550,7 @@ static int nft_ct_set_init(const struct nft_ctx *ctx, | |||
| 550 | if (err < 0) | 550 | if (err < 0) |
| 551 | goto err1; | 551 | goto err1; |
| 552 | 552 | ||
| 553 | err = nf_ct_netns_get(ctx->net, ctx->afi->family); | 553 | err = nf_ct_netns_get(ctx->net, ctx->family); |
| 554 | if (err < 0) | 554 | if (err < 0) |
| 555 | goto err1; | 555 | goto err1; |
| 556 | 556 | ||
| @@ -564,7 +564,7 @@ err1: | |||
| 564 | static void nft_ct_get_destroy(const struct nft_ctx *ctx, | 564 | static void nft_ct_get_destroy(const struct nft_ctx *ctx, |
| 565 | const struct nft_expr *expr) | 565 | const struct nft_expr *expr) |
| 566 | { | 566 | { |
| 567 | nf_ct_netns_put(ctx->net, ctx->afi->family); | 567 | nf_ct_netns_put(ctx->net, ctx->family); |
| 568 | } | 568 | } |
| 569 | 569 | ||
| 570 | static void nft_ct_set_destroy(const struct nft_ctx *ctx, | 570 | static void nft_ct_set_destroy(const struct nft_ctx *ctx, |
| @@ -573,7 +573,7 @@ static void nft_ct_set_destroy(const struct nft_ctx *ctx, | |||
| 573 | struct nft_ct *priv = nft_expr_priv(expr); | 573 | struct nft_ct *priv = nft_expr_priv(expr); |
| 574 | 574 | ||
| 575 | __nft_ct_set_destroy(ctx, priv); | 575 | __nft_ct_set_destroy(ctx, priv); |
| 576 | nf_ct_netns_put(ctx->net, ctx->afi->family); | 576 | nf_ct_netns_put(ctx->net, ctx->family); |
| 577 | } | 577 | } |
| 578 | 578 | ||
| 579 | static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr) | 579 | static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr) |
| @@ -734,7 +734,7 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx, | |||
| 734 | struct nft_ct_helper_obj *priv = nft_obj_data(obj); | 734 | struct nft_ct_helper_obj *priv = nft_obj_data(obj); |
| 735 | struct nf_conntrack_helper *help4, *help6; | 735 | struct nf_conntrack_helper *help4, *help6; |
| 736 | char name[NF_CT_HELPER_NAME_LEN]; | 736 | char name[NF_CT_HELPER_NAME_LEN]; |
| 737 | int family = ctx->afi->family; | 737 | int family = ctx->family; |
| 738 | 738 | ||
| 739 | if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO]) | 739 | if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO]) |
| 740 | return -EINVAL; | 740 | return -EINVAL; |
| @@ -753,14 +753,14 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx, | |||
| 753 | 753 | ||
| 754 | switch (family) { | 754 | switch (family) { |
| 755 | case NFPROTO_IPV4: | 755 | case NFPROTO_IPV4: |
| 756 | if (ctx->afi->family == NFPROTO_IPV6) | 756 | if (ctx->family == NFPROTO_IPV6) |
| 757 | return -EINVAL; | 757 | return -EINVAL; |
| 758 | 758 | ||
| 759 | help4 = nf_conntrack_helper_try_module_get(name, family, | 759 | help4 = nf_conntrack_helper_try_module_get(name, family, |
| 760 | priv->l4proto); | 760 | priv->l4proto); |
| 761 | break; | 761 | break; |
| 762 | case NFPROTO_IPV6: | 762 | case NFPROTO_IPV6: |
| 763 | if (ctx->afi->family == NFPROTO_IPV4) | 763 | if (ctx->family == NFPROTO_IPV4) |
| 764 | return -EINVAL; | 764 | return -EINVAL; |
| 765 | 765 | ||
| 766 | help6 = nf_conntrack_helper_try_module_get(name, family, | 766 | help6 = nf_conntrack_helper_try_module_get(name, family, |
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index dd38785dfed9..4503b8dcf9c0 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c | |||
| @@ -151,7 +151,7 @@ static int nft_flow_offload_init(const struct nft_ctx *ctx, | |||
| 151 | priv->flowtable = flowtable; | 151 | priv->flowtable = flowtable; |
| 152 | flowtable->use++; | 152 | flowtable->use++; |
| 153 | 153 | ||
| 154 | return nf_ct_netns_get(ctx->net, ctx->afi->family); | 154 | return nf_ct_netns_get(ctx->net, ctx->family); |
| 155 | } | 155 | } |
| 156 | 156 | ||
| 157 | static void nft_flow_offload_destroy(const struct nft_ctx *ctx, | 157 | static void nft_flow_offload_destroy(const struct nft_ctx *ctx, |
| @@ -160,7 +160,7 @@ static void nft_flow_offload_destroy(const struct nft_ctx *ctx, | |||
| 160 | struct nft_flow_offload *priv = nft_expr_priv(expr); | 160 | struct nft_flow_offload *priv = nft_expr_priv(expr); |
| 161 | 161 | ||
| 162 | priv->flowtable->use--; | 162 | priv->flowtable->use--; |
| 163 | nf_ct_netns_put(ctx->net, ctx->afi->family); | 163 | nf_ct_netns_put(ctx->net, ctx->family); |
| 164 | } | 164 | } |
| 165 | 165 | ||
| 166 | static int nft_flow_offload_dump(struct sk_buff *skb, const struct nft_expr *expr) | 166 | static int nft_flow_offload_dump(struct sk_buff *skb, const struct nft_expr *expr) |
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c index 6f6e64423643..a27be36dc0af 100644 --- a/net/netfilter/nft_log.c +++ b/net/netfilter/nft_log.c | |||
| @@ -112,7 +112,7 @@ static int nft_log_init(const struct nft_ctx *ctx, | |||
| 112 | break; | 112 | break; |
| 113 | } | 113 | } |
| 114 | 114 | ||
| 115 | err = nf_logger_find_get(ctx->afi->family, li->type); | 115 | err = nf_logger_find_get(ctx->family, li->type); |
| 116 | if (err < 0) | 116 | if (err < 0) |
| 117 | goto err1; | 117 | goto err1; |
| 118 | 118 | ||
| @@ -133,7 +133,7 @@ static void nft_log_destroy(const struct nft_ctx *ctx, | |||
| 133 | if (priv->prefix != nft_log_null_prefix) | 133 | if (priv->prefix != nft_log_null_prefix) |
| 134 | kfree(priv->prefix); | 134 | kfree(priv->prefix); |
| 135 | 135 | ||
| 136 | nf_logger_put(ctx->afi->family, li->type); | 136 | nf_logger_put(ctx->family, li->type); |
| 137 | } | 137 | } |
| 138 | 138 | ||
| 139 | static int nft_log_dump(struct sk_buff *skb, const struct nft_expr *expr) | 139 | static int nft_log_dump(struct sk_buff *skb, const struct nft_expr *expr) |
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c index 6ac03d4266c9..9d8655bc1bea 100644 --- a/net/netfilter/nft_masq.c +++ b/net/netfilter/nft_masq.c | |||
| @@ -73,7 +73,7 @@ int nft_masq_init(const struct nft_ctx *ctx, | |||
| 73 | } | 73 | } |
| 74 | } | 74 | } |
| 75 | 75 | ||
| 76 | return nf_ct_netns_get(ctx->net, ctx->afi->family); | 76 | return nf_ct_netns_get(ctx->net, ctx->family); |
| 77 | } | 77 | } |
| 78 | EXPORT_SYMBOL_GPL(nft_masq_init); | 78 | EXPORT_SYMBOL_GPL(nft_masq_init); |
| 79 | 79 | ||
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index 1a91e676f13e..8fb91940e2e7 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c | |||
| @@ -339,7 +339,7 @@ static int nft_meta_get_validate(const struct nft_ctx *ctx, | |||
| 339 | if (priv->key != NFT_META_SECPATH) | 339 | if (priv->key != NFT_META_SECPATH) |
| 340 | return 0; | 340 | return 0; |
| 341 | 341 | ||
| 342 | switch (ctx->afi->family) { | 342 | switch (ctx->family) { |
| 343 | case NFPROTO_NETDEV: | 343 | case NFPROTO_NETDEV: |
| 344 | hooks = 1 << NF_NETDEV_INGRESS; | 344 | hooks = 1 << NF_NETDEV_INGRESS; |
| 345 | break; | 345 | break; |
| @@ -370,7 +370,7 @@ int nft_meta_set_validate(const struct nft_ctx *ctx, | |||
| 370 | if (priv->key != NFT_META_PKTTYPE) | 370 | if (priv->key != NFT_META_PKTTYPE) |
| 371 | return 0; | 371 | return 0; |
| 372 | 372 | ||
| 373 | switch (ctx->afi->family) { | 373 | switch (ctx->family) { |
| 374 | case NFPROTO_BRIDGE: | 374 | case NFPROTO_BRIDGE: |
| 375 | hooks = 1 << NF_BR_PRE_ROUTING; | 375 | hooks = 1 << NF_BR_PRE_ROUTING; |
| 376 | break; | 376 | break; |
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c index ed548d06b6dd..1f36954c2ba9 100644 --- a/net/netfilter/nft_nat.c +++ b/net/netfilter/nft_nat.c | |||
| @@ -142,7 +142,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, | |||
| 142 | return -EINVAL; | 142 | return -EINVAL; |
| 143 | 143 | ||
| 144 | family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY])); | 144 | family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY])); |
| 145 | if (family != ctx->afi->family) | 145 | if (family != ctx->family) |
| 146 | return -EOPNOTSUPP; | 146 | return -EOPNOTSUPP; |
| 147 | 147 | ||
| 148 | switch (family) { | 148 | switch (family) { |
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c index 1e66538bf0ff..c64cbe78dee7 100644 --- a/net/netfilter/nft_redir.c +++ b/net/netfilter/nft_redir.c | |||
| @@ -75,7 +75,7 @@ int nft_redir_init(const struct nft_ctx *ctx, | |||
| 75 | return -EINVAL; | 75 | return -EINVAL; |
| 76 | } | 76 | } |
| 77 | 77 | ||
| 78 | return nf_ct_netns_get(ctx->net, ctx->afi->family); | 78 | return nf_ct_netns_get(ctx->net, ctx->family); |
| 79 | } | 79 | } |
| 80 | EXPORT_SYMBOL_GPL(nft_redir_init); | 80 | EXPORT_SYMBOL_GPL(nft_redir_init); |
| 81 | 81 | ||