authorDavid S. Miller <davem@davemloft.net>2014-11-16 14:23:56 -0500
committerDavid S. Miller <davem@davemloft.net>2014-11-16 14:23:56 -0500
commitf1227c5c1b6efc588a9db769e2e89c125f3d6191 (patch)
tree01362a10ff8df5769290e906e656a07c3d4ac603 /net
parent35717d8d6fc6fc50692273d6667a0a575c26aa93 (diff)
parent5195c14c8b27cc0b18220ddbf0e5ad3328a04187 (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== Netfilter/IPVS fixes for net The following patchset contains Netfilter updates for your net tree, they are: 1) Fix missing initialization of the range structure (allocated in the stack) in nft_masq_{ipv4, ipv6}_eval, from Daniel Borkmann. 2) Make sure the data we receive from userspace contains the req_version structure, otherwise return an error incomplete on truncated input. From Dan Carpenter. 3) Fix handling of skb->sk which may cause incorrect handling of connections from a local process. Via Simon Horman, patch from Calvin Owens. 4) Fix wrong netns in nft_compat when setting target and match params structure. 5) Relax chain type validation in nft_compat that was recently included, this broke the matches that need to be run from the route chain type. Now iptables-test.py automated regression tests report success again and we avoid the only possible problematic case, which is the use of nat targets out of nat chain type. 6) Use match->table to validate the tablename, instead of the match->name. Again patch for nft_compat. 7) Restore the synchronous release of objects from the commit and abort path in nf_tables. This is causing two major problems: splats when using nft_compat, given that matches and targets may sleep and call_rcu is invoked from softirq context. Moreover Patrick reported possible event notification reordering when rules refer to anonymous sets. 8) Fix race condition in between packets that are being confirmed by conntrack and the ctnetlink flush operation. This happens since the removal of the central spinlock. Thanks to Jesper D. Brouer for looking into this. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/nft_masq_ipv4.c1
-rw-r--r--net/ipv6/netfilter/nft_masq_ipv6.c1
-rw-r--r--net/netfilter/ipset/ip_set_core.c6
-rw-r--r--net/netfilter/ipvs/ip_vs_xmit.c2
-rw-r--r--net/netfilter/nf_conntrack_core.c14
-rw-r--r--net/netfilter/nf_tables_api.c24
-rw-r--r--net/netfilter/nft_compat.c40
7 files changed, 32 insertions, 56 deletions
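--- a/net/ipv4/netfilter/nft_masq_ipv4.c
+++ b/net/ipv4/netfilter/nft_masq_ipv4.c
@@ -24,6 +24,7 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr,
 struct nf_nat_range range;
 unsigned int verdict;
 
+memset(&range, 0, sizeof(range));
 range.flags = priv->flags;
 
 verdict = nf_nat_masquerade_ipv4(pkt->skb, pkt->ops->hooknum,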
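Review bot: Zeroing `range` with memset() on new line 27 and then setting a single member on line 28 could be folded into the declaration on line 24, `struct nf_nat_range range = { .flags = priv->flags };`, which zero-fills the remaining members at the point of declaration and cannot later be separated from it by an edit that adds code in between. The same applies to the nft_masq_ipv6.c hunk below. The rest of nft_masq_ipv4_eval, including the use of `range` after the call, is outside the hunk.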
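--- a/net/ipv6/netfilter/nft_masq_ipv6.c
+++ b/net/ipv6/netfilter/nft_masq_ipv6.c
@@ -25,6 +25,7 @@ static void nft_masq_ipv6_eval(const struct nft_expr *expr,
 struct nf_nat_range range;
 unsigned int verdict;
 
+memset(&range, 0, sizeof(range));
 range.flags = priv->flags;
 
 verdict = nf_nat_masquerade_ipv6(pkt->skb, &range, pkt->out);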
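--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1863,6 +1863,12 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
 if (*op < IP_SET_OP_VERSION) {
 /* Check the version at the beginning of operations */
 struct ip_set_req_version *req_version = data;
+
+if (*len < sizeof(struct ip_set_req_version)) {
+ret = -EINVAL;
+goto done;
+}
+
 if (req_version->version != IPSET_PROTOCOL) {
 ret = -EPROTO;
 goto done;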
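Review bot: The new length guard on line 1867 compares `*len`, declared `int *len` in the hunk header, against a `size_t`, so a negative `*len` would be converted to a large unsigned value and pass the check. Whether a negative value can reach this point depends on the earlier validation of `*len` in ip_set_sockfn_get, which is outside the hunk; if that validation does not already reject it, `if (*len < 0 || (size_t)*len < sizeof(struct ip_set_req_version)) {` closes the gap without changing the accepted inputs otherwise. The enclosing function continues on both sides of the hunk.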
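--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -846,6 +846,8 @@ ip_vs_prepare_tunneled_skb(struct sk_buff *skb, int skb_af,
 new_skb = skb_realloc_headroom(skb, max_headroom);
 if (!new_skb)
 goto error;
+if (skb->sk)
+skb_set_owner_w(new_skb, skb->sk);
 consume_skb(skb);
 skb = new_skb;
 }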
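Review bot: The new lines 849-850 transfer socket ownership immediately before consume_skb() releases the original skb on line 851, and nothing in the hunk records why that ordering matters, so a later reordering would silently break it. A one-line comment above line 849, `/* Carry the originating socket over to the new skb before the old one is consumed, so locally generated traffic keeps its socket accounting */`, would pin that down. This assumes skb_set_owner_w() takes its own reference on skb->sk, which the hunk does not show; confirm against its definition. ip_vs_prepare_tunneled_skb continues outside the hunk on both sides.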
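--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -611,12 +611,16 @@ __nf_conntrack_confirm(struct sk_buff *skb)
 */
 NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
 pr_debug("Confirming conntrack %p\n", ct);
-/* We have to check the DYING flag inside the lock to prevent
-a race against nf_ct_get_next_corpse() possibly called from
-user context, else we insert an already 'dead' hash, blocking
-further use of that particular connection -JM */
+
+/* We have to check the DYING flag after unlink to prevent
+* a race against nf_ct_get_next_corpse() possibly called from
+* user context, else we insert an already 'dead' hash, blocking
+* further use of that particular connection -JM.
+*/
+nf_ct_del_from_dying_or_unconfirmed_list(ct);
 
 if (unlikely(nf_ct_is_dying(ct))) {
+nf_ct_add_to_dying_list(ct);
 nf_conntrack_double_unlock(hash, reply_hash);
 local_bh_enable();
 return NF_ACCEPT;
@@ -636,8 +640,6 @@ __nf_conntrack_confirm(struct sk_buff *skb)
 zone == nf_ct_zone(nf_ct_tuplehash_to_ctrack(h)))
 goto out;
 
-nf_ct_del_from_dying_or_unconfirmed_list(ct);
-
 /* Timer relative to confirmation time, not original
 setting time, otherwise we'd get timer wrap in
 weird delay cases. */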
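Review bot: After this move the conntrack is unlinked from the unconfirmed list on new line 620, before the hash lookup that can `goto out` on line 641, whereas the dying-flag path on line 623 re-links it with nf_ct_add_to_dying_list() before returning. If the `out:` label, which is outside the hunk, does not re-link the entry the same way, a conntrack whose insertion fails is on neither list and nf_ct_get_next_corpse() can no longer reach it; if that is intended the comment on lines 615-619 should say so, otherwise `nf_ct_add_to_dying_list(ct);` belongs on that path as well. __nf_conntrack_confirm starts before and ends after the hunks.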
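--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3484,13 +3484,8 @@ static void nft_chain_commit_update(struct nft_trans *trans)
 }
 }
 
-/* Schedule objects for release via rcu to make sure no packets are accesing
-* removed rules.
-*/
-static void nf_tables_commit_release_rcu(struct rcu_head *rt)
+static void nf_tables_commit_release(struct nft_trans *trans)
 {
-struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
-
 switch (trans->msg_type) {
 case NFT_MSG_DELTABLE:
 nf_tables_table_destroy(&trans->ctx);
@@ -3612,10 +3607,11 @@ static int nf_tables_commit(struct sk_buff *skb)
 }
 }
 
+synchronize_rcu();
+
 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
 list_del(&trans->list);
-trans->ctx.nla = NULL;
-call_rcu(&trans->rcu_head, nf_tables_commit_release_rcu);
+nf_tables_commit_release(trans);
 }
 
 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
@@ -3623,13 +3619,8 @@ static int nf_tables_commit(struct sk_buff *skb)
 return 0;
 }
 
-/* Schedule objects for release via rcu to make sure no packets are accesing
-* aborted rules.
-*/
-static void nf_tables_abort_release_rcu(struct rcu_head *rt)
+static void nf_tables_abort_release(struct nft_trans *trans)
 {
-struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
-
 switch (trans->msg_type) {
 case NFT_MSG_NEWTABLE:
 nf_tables_table_destroy(&trans->ctx);
@@ -3725,11 +3716,12 @@ static int nf_tables_abort(struct sk_buff *skb)
 }
 }
 
+synchronize_rcu();
+
 list_for_each_entry_safe_reverse(trans, next,
 &net->nft.commit_list, list) {
 list_del(&trans->list);
-trans->ctx.nla = NULL;
-call_rcu(&trans->rcu_head, nf_tables_abort_release_rcu);
+nf_tables_abort_release(trans);
 }
 
 return 0;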
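Review bot: nf_tables_commit_release() on new line 3487 and nf_tables_abort_release() on new line 3622 drop the header comments their call_rcu() predecessors carried, and the reason the release is now synchronous — the commit message says matches and targets may sleep, which is not allowed from the call_rcu() softirq path — is recorded nowhere in the code. A comment above nf_tables_commit_release(), `/* Called synchronously after synchronize_rcu() from the commit path: destroying objects may sleep (e.g. xt matches/targets), so this cannot run from an RCU callback. */`, with a matching one on the abort variant, would keep the next reader from reintroducing call_rcu(). The synchronize_rcu() calls on lines 3610 and 3719 could carry a short note to the same effect. Both release functions and nf_tables_commit/nf_tables_abort extend outside the hunks.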
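--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -21,45 +21,17 @@
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <net/netfilter/nf_tables.h>
 
-static const struct {
-const char *name;
-u8 type;
-} table_to_chaintype[] = {
-{ "filter", NFT_CHAIN_T_DEFAULT },
-{ "raw", NFT_CHAIN_T_DEFAULT },
-{ "security", NFT_CHAIN_T_DEFAULT },
-{ "mangle", NFT_CHAIN_T_ROUTE },
-{ "nat", NFT_CHAIN_T_NAT },
-{ },
-};
-
-static int nft_compat_table_to_chaintype(const char *table)
-{
-int i;
-
-for (i = 0; table_to_chaintype[i].name != NULL; i++) {
-if (strcmp(table_to_chaintype[i].name, table) == 0)
-return table_to_chaintype[i].type;
-}
-
-return -1;
-}
-
 static int nft_compat_chain_validate_dependency(const char *tablename,
 const struct nft_chain *chain)
 {
-enum nft_chain_type type;
 const struct nft_base_chain *basechain;
 
 if (!tablename || !(chain->flags & NFT_BASE_CHAIN))
 return 0;
 
-type = nft_compat_table_to_chaintype(tablename);
-if (type < 0)
-return -EINVAL;
-
 basechain = nft_base_chain(chain);
-if (basechain->type->type != type)
+if (strcmp(tablename, "nat") == 0 &&
+basechain->type->type != NFT_CHAIN_T_NAT)
 return -EINVAL;
 
 return 0;
@@ -117,7 +89,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
 struct xt_target *target, void *info,
 union nft_entry *entry, u8 proto, bool inv)
 {
-par->net = &init_net;
+par->net = ctx->net;
 par->table = ctx->table->name;
 switch (ctx->afi->family) {
 case AF_INET:
@@ -324,7 +296,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
 struct xt_match *match, void *info,
 union nft_entry *entry, u8 proto, bool inv)
 {
-par->net = &init_net;
+par->net = ctx->net;
 par->table = ctx->table->name;
 switch (ctx->afi->family) {
 case AF_INET:
@@ -374,7 +346,7 @@ nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 union nft_entry e = {};
 int ret;
 
-ret = nft_compat_chain_validate_dependency(match->name, ctx->chain);
+ret = nft_compat_chain_validate_dependency(match->table, ctx->chain);
 if (ret < 0)
 goto err;
 
@@ -448,7 +420,7 @@ static int nft_match_validate(const struct nft_ctx *ctx,
 if (!(hook_mask & match->hooks))
 return -EINVAL;
 
-ret = nft_compat_chain_validate_dependency(match->name,
+ret = nft_compat_chain_validate_dependency(match->table,
 ctx->chain);
 if (ret < 0)
 return ret;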