netfilter: nf_tables: validate hooks in NAT expressions

The user can crash the kernel if it uses any of the existing NAT expressions from the wrong hook, so add some code to validate this when loading the rule. This patch introduces nft_chain_validate_hooks() which is based on an existing function in the bridge version of the reject expression. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2015-01-14 09:33:57 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2015-01-19 08:52:39 -0500
commit: 75e8d06d4308436055d1a78a2c02bf6328ba724d (patch)
tree: 64fcef16df64c35c2f3ceca20982d3723a2637c4 /net
parent: 2061dcd6bff8b774b4fac8b0739b6be3f87bc9f2 (diff)
5 files changed, 88 insertions, 50 deletions
diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
index b0330aecbf97..3244aead0926 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -265,22 +265,12 @@ out:
        data[NFT_REG_VERDICT].verdict = NF_DROP;
 }
-static int nft_reject_bridge_validate_hooks(const struct nft_chain *chain)
+static int nft_reject_bridge_validate(const struct nft_ctx *ctx,
+                                      const struct nft_expr *expr,
+                                      const struct nft_data **data)
 {
-        struct nft_base_chain *basechain;
+        return nft_chain_validate_hooks(ctx->chain, (1 << NF_BR_PRE_ROUTING) |
+                                                    (1 << NF_BR_LOCAL_IN));
-        if (chain->flags & NFT_BASE_CHAIN) {
-                basechain = nft_base_chain(chain);
-                switch (basechain->ops[0].hooknum) {
-                case NF_BR_PRE_ROUTING:
-                case NF_BR_LOCAL_IN:
-                        break;
-                default:
-                        return -EOPNOTSUPP;
-                }
-        }
-        return 0;
 }
 static int nft_reject_bridge_init(const struct nft_ctx *ctx,
@@ -290,7 +280,7 @@ static int nft_reject_bridge_init(const struct nft_ctx *ctx,
        struct nft_reject *priv = nft_expr_priv(expr);
        int icmp_code, err;
-        err = nft_reject_bridge_validate_hooks(ctx->chain);
+        err = nft_reject_bridge_validate(ctx, expr, NULL);
        if (err < 0)
                return err;
@@ -341,13 +331,6 @@ nla_put_failure:
        return -1;
 }
-static int nft_reject_bridge_validate(const struct nft_ctx *ctx,
-                                      const struct nft_expr *expr,
-                                      const struct nft_data **data)
-{
-        return nft_reject_bridge_validate_hooks(ctx->chain);
-}
 static struct nft_expr_type nft_reject_bridge_type;
 static const struct nft_expr_ops nft_reject_bridge_ops = {
        .type           = &nft_reject_bridge_type,
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 3b3ddb4fb9ee..7e686948ddca 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3753,6 +3753,24 @@ int nft_chain_validate_dependency(const struct nft_chain *chain,
 }
 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
+int nft_chain_validate_hooks(const struct nft_chain *chain,
+                             unsigned int hook_flags)
+{
+        struct nft_base_chain *basechain;
+        if (chain->flags & NFT_BASE_CHAIN) {
+                basechain = nft_base_chain(chain);
+                if ((1 << basechain->ops[0].hooknum) & hook_flags)
+                        return 0;
+                return -EOPNOTSUPP;
+        }
+        return 0;
+}
+EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
 /*
 * Loop detection - walk through the ruleset beginning at the destination chain
 * of a new jump until either the source chain is reached (loop) or all
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index d1ffd5eb3a9b..9aea747b43ea 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -21,6 +21,21 @@ const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = {
 };
 EXPORT_SYMBOL_GPL(nft_masq_policy);
+int nft_masq_validate(const struct nft_ctx *ctx,
+                      const struct nft_expr *expr,
+                      const struct nft_data **data)
+{
+        int err;
+        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+        if (err < 0)
+                return err;
+        return nft_chain_validate_hooks(ctx->chain,
+                                        (1 << NF_INET_POST_ROUTING));
+}
+EXPORT_SYMBOL_GPL(nft_masq_validate);
 int nft_masq_init(const struct nft_ctx *ctx,
                  const struct nft_expr *expr,
                  const struct nlattr * const tb[])
@@ -28,8 +43,8 @@ int nft_masq_init(const struct nft_ctx *ctx,
        struct nft_masq *priv = nft_expr_priv(expr);
        int err;
-        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+        err = nft_masq_validate(ctx, expr, NULL);
-        if (err < 0)
+        if (err)
                return err;
        if (tb[NFTA_MASQ_FLAGS] == NULL)
@@ -60,12 +75,5 @@ nla_put_failure:
 }
 EXPORT_SYMBOL_GPL(nft_masq_dump);
-int nft_masq_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
-                      const struct nft_data **data)
-{
-        return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
-}
-EXPORT_SYMBOL_GPL(nft_masq_validate);
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index aff54fb1c8a0..a0837c6c9283 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -88,17 +88,40 @@ static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
        [NFTA_NAT_FLAGS]         = { .type = NLA_U32 },
 };
-static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+static int nft_nat_validate(const struct nft_ctx *ctx,
-                        const struct nlattr * const tb[])
+                            const struct nft_expr *expr,
+                            const struct nft_data **data)
 {
        struct nft_nat *priv = nft_expr_priv(expr);
-        u32 family;
        int err;
        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
        if (err < 0)
                return err;
+        switch (priv->type) {
+        case NFT_NAT_SNAT:
+                err = nft_chain_validate_hooks(ctx->chain,
+                                               (1 << NF_INET_POST_ROUTING) |
+                                               (1 << NF_INET_LOCAL_IN));
+                break;
+        case NFT_NAT_DNAT:
+                err = nft_chain_validate_hooks(ctx->chain,
+                                               (1 << NF_INET_PRE_ROUTING) |
+                                               (1 << NF_INET_LOCAL_OUT));
+                break;
+        }
+        return err;
+}
+static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                        const struct nlattr * const tb[])
+{
+        struct nft_nat *priv = nft_expr_priv(expr);
+        u32 family;
+        int err;
        if (tb[NFTA_NAT_TYPE] == NULL ||
            (tb[NFTA_NAT_REG_ADDR_MIN] == NULL &&
             tb[NFTA_NAT_REG_PROTO_MIN] == NULL))
@@ -115,6 +138,10 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
                return -EINVAL;
        }
+        err = nft_nat_validate(ctx, expr, NULL);
+        if (err < 0)
+                return err;
        if (tb[NFTA_NAT_FAMILY] == NULL)
                return -EINVAL;
@@ -219,13 +246,6 @@ nla_put_failure:
        return -1;
 }
-static int nft_nat_validate(const struct nft_ctx *ctx,
-                            const struct nft_expr *expr,
-                            const struct nft_data **data)
-{
-        return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
-}
 static struct nft_expr_type nft_nat_type;
 static const struct nft_expr_ops nft_nat_ops = {
        .type           = &nft_nat_type,
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index 9e8093f28311..d7e9e93a4e90 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -23,6 +23,22 @@ const struct nla_policy nft_redir_policy[NFTA_REDIR_MAX + 1] = {
 };
 EXPORT_SYMBOL_GPL(nft_redir_policy);
+int nft_redir_validate(const struct nft_ctx *ctx,
+                       const struct nft_expr *expr,
+                       const struct nft_data **data)
+{
+        int err;
+        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+        if (err < 0)
+                return err;
+        return nft_chain_validate_hooks(ctx->chain,
+                                        (1 << NF_INET_PRE_ROUTING) |
+                                        (1 << NF_INET_LOCAL_OUT));
+}
+EXPORT_SYMBOL_GPL(nft_redir_validate);
 int nft_redir_init(const struct nft_ctx *ctx,
                   const struct nft_expr *expr,
                   const struct nlattr * const tb[])
@@ -30,7 +46,7 @@ int nft_redir_init(const struct nft_ctx *ctx,
        struct nft_redir *priv = nft_expr_priv(expr);
        int err;
-        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+        err = nft_redir_validate(ctx, expr, NULL);
        if (err < 0)
                return err;
@@ -88,12 +104,5 @@ nla_put_failure:
 }
 EXPORT_SYMBOL_GPL(nft_redir_dump);
-int nft_redir_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
-                       const struct nft_data **data)
-{
-        return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
-}
-EXPORT_SYMBOL_GPL(nft_redir_validate);
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
author	Pablo Neira Ayuso <pablo@netfilter.org>	2015-01-14 09:33:57 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2015-01-19 08:52:39 -0500
commit	75e8d06d4308436055d1a78a2c02bf6328ba724d (patch)
tree	64fcef16df64c35c2f3ceca20982d3723a2637c4 /net
parent	2061dcd6bff8b774b4fac8b0739b6be3f87bc9f2 (diff)

diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c index b0330aecbf97..3244aead0926 100644 --- a/net/bridge/netfilter/nft_reject_bridge.c +++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -265,22 +265,12 @@ out:
265	data[NFT_REG_VERDICT].verdict = NF_DROP;	265	data[NFT_REG_VERDICT].verdict = NF_DROP;
266	}	266	}
267		267
268	static int nft_reject_bridge_validate_hooks(const struct nft_chain *chain)	268	static int nft_reject_bridge_validate(const struct nft_ctx *ctx,
		269	const struct nft_expr *expr,
		270	const struct nft_data **data)
269	{	271	{
270	struct nft_base_chain *basechain;	272	return nft_chain_validate_hooks(ctx->chain, (1 << NF_BR_PRE_ROUTING) \|
271		273	(1 << NF_BR_LOCAL_IN));
272	if (chain->flags & NFT_BASE_CHAIN) {
273	basechain = nft_base_chain(chain);
274
275	switch (basechain->ops[0].hooknum) {
276	case NF_BR_PRE_ROUTING:
277	case NF_BR_LOCAL_IN:
278	break;
279	default:
280	return -EOPNOTSUPP;
281	}
282	}
283	return 0;
284	}	274	}
285		275
286	static int nft_reject_bridge_init(const struct nft_ctx *ctx,	276	static int nft_reject_bridge_init(const struct nft_ctx *ctx,
@@ -290,7 +280,7 @@ static int nft_reject_bridge_init(const struct nft_ctx *ctx,
290	struct nft_reject *priv = nft_expr_priv(expr);	280	struct nft_reject *priv = nft_expr_priv(expr);
291	int icmp_code, err;	281	int icmp_code, err;
292		282
293	err = nft_reject_bridge_validate_hooks(ctx->chain);	283	err = nft_reject_bridge_validate(ctx, expr, NULL);
294	if (err < 0)	284	if (err < 0)
295	return err;	285	return err;
296		286
@@ -341,13 +331,6 @@ nla_put_failure:
341	return -1;	331	return -1;
342	}	332	}
343		333
344	static int nft_reject_bridge_validate(const struct nft_ctx *ctx,
345	const struct nft_expr *expr,
346	const struct nft_data **data)
347	{
348	return nft_reject_bridge_validate_hooks(ctx->chain);
349	}
350
351	static struct nft_expr_type nft_reject_bridge_type;	334	static struct nft_expr_type nft_reject_bridge_type;
352	static const struct nft_expr_ops nft_reject_bridge_ops = {	335	static const struct nft_expr_ops nft_reject_bridge_ops = {
353	.type = &nft_reject_bridge_type,	336	.type = &nft_reject_bridge_type,


diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 3b3ddb4fb9ee..7e686948ddca 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c
@@ -3753,6 +3753,24 @@ int nft_chain_validate_dependency(const struct nft_chain *chain,
3753	}	3753	}
3754	EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);	3754	EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
3755		3755
		3756	int nft_chain_validate_hooks(const struct nft_chain *chain,
		3757	unsigned int hook_flags)
		3758	{
		3759	struct nft_base_chain *basechain;
		3760
		3761	if (chain->flags & NFT_BASE_CHAIN) {
		3762	basechain = nft_base_chain(chain);
		3763
		3764	if ((1 << basechain->ops[0].hooknum) & hook_flags)
		3765	return 0;
		3766
		3767	return -EOPNOTSUPP;
		3768	}
		3769
		3770	return 0;
		3771	}
		3772	EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
		3773
3756	/*	3774	/*
3757	* Loop detection - walk through the ruleset beginning at the destination chain	3775	* Loop detection - walk through the ruleset beginning at the destination chain
3758	* of a new jump until either the source chain is reached (loop) or all	3776	* of a new jump until either the source chain is reached (loop) or all


diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c index d1ffd5eb3a9b..9aea747b43ea 100644 --- a/net/netfilter/nft_masq.c +++ b/net/netfilter/nft_masq.c
@@ -21,6 +21,21 @@ const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = {
21	};	21	};
22	EXPORT_SYMBOL_GPL(nft_masq_policy);	22	EXPORT_SYMBOL_GPL(nft_masq_policy);
23		23
		24	int nft_masq_validate(const struct nft_ctx *ctx,
		25	const struct nft_expr *expr,
		26	const struct nft_data **data)
		27	{
		28	int err;
		29
		30	err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
		31	if (err < 0)
		32	return err;
		33
		34	return nft_chain_validate_hooks(ctx->chain,
		35	(1 << NF_INET_POST_ROUTING));
		36	}
		37	EXPORT_SYMBOL_GPL(nft_masq_validate);
		38
24	int nft_masq_init(const struct nft_ctx *ctx,	39	int nft_masq_init(const struct nft_ctx *ctx,
25	const struct nft_expr *expr,	40	const struct nft_expr *expr,
26	const struct nlattr * const tb[])	41	const struct nlattr * const tb[])
@@ -28,8 +43,8 @@ int nft_masq_init(const struct nft_ctx *ctx,
28	struct nft_masq *priv = nft_expr_priv(expr);	43	struct nft_masq *priv = nft_expr_priv(expr);
29	int err;	44	int err;
30		45
31	err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);	46	err = nft_masq_validate(ctx, expr, NULL);
32	if (err < 0)	47	if (err)
33	return err;	48	return err;
34		49
35	if (tb[NFTA_MASQ_FLAGS] == NULL)	50	if (tb[NFTA_MASQ_FLAGS] == NULL)
@@ -60,12 +75,5 @@ nla_put_failure:
60	}	75	}
61	EXPORT_SYMBOL_GPL(nft_masq_dump);	76	EXPORT_SYMBOL_GPL(nft_masq_dump);
62		77
63	int nft_masq_validate(const struct nft_ctx ctx, const struct nft_expr expr,
64	const struct nft_data **data)
65	{
66	return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
67	}
68	EXPORT_SYMBOL_GPL(nft_masq_validate);
69
70	MODULE_LICENSE("GPL");	78	MODULE_LICENSE("GPL");
71	MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");	79	MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");


diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c index aff54fb1c8a0..a0837c6c9283 100644 --- a/net/netfilter/nft_nat.c +++ b/net/netfilter/nft_nat.c
@@ -88,17 +88,40 @@ static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
88	[NFTA_NAT_FLAGS] = { .type = NLA_U32 },	88	[NFTA_NAT_FLAGS] = { .type = NLA_U32 },
89	};	89	};
90		90
91	static int nft_nat_init(const struct nft_ctx ctx, const struct nft_expr expr,	91	static int nft_nat_validate(const struct nft_ctx *ctx,
92	const struct nlattr * const tb[])	92	const struct nft_expr *expr,
		93	const struct nft_data **data)
93	{	94	{
94	struct nft_nat *priv = nft_expr_priv(expr);	95	struct nft_nat *priv = nft_expr_priv(expr);
95	u32 family;
96	int err;	96	int err;
97		97
98	err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);	98	err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
99	if (err < 0)	99	if (err < 0)
100	return err;	100	return err;
101		101
		102	switch (priv->type) {
		103	case NFT_NAT_SNAT:
		104	err = nft_chain_validate_hooks(ctx->chain,
		105	(1 << NF_INET_POST_ROUTING) \|
		106	(1 << NF_INET_LOCAL_IN));
		107	break;
		108	case NFT_NAT_DNAT:
		109	err = nft_chain_validate_hooks(ctx->chain,
		110	(1 << NF_INET_PRE_ROUTING) \|
		111	(1 << NF_INET_LOCAL_OUT));
		112	break;
		113	}
		114
		115	return err;
		116	}
		117
		118	static int nft_nat_init(const struct nft_ctx ctx, const struct nft_expr expr,
		119	const struct nlattr * const tb[])
		120	{
		121	struct nft_nat *priv = nft_expr_priv(expr);
		122	u32 family;
		123	int err;
		124
102	if (tb[NFTA_NAT_TYPE] == NULL \|\|	125	if (tb[NFTA_NAT_TYPE] == NULL \|\|
103	(tb[NFTA_NAT_REG_ADDR_MIN] == NULL &&	126	(tb[NFTA_NAT_REG_ADDR_MIN] == NULL &&
104	tb[NFTA_NAT_REG_PROTO_MIN] == NULL))	127	tb[NFTA_NAT_REG_PROTO_MIN] == NULL))
@@ -115,6 +138,10 @@ static int nft_nat_init(const struct nft_ctx ctx, const struct nft_expr expr,
115	return -EINVAL;	138	return -EINVAL;
116	}	139	}
117		140
		141	err = nft_nat_validate(ctx, expr, NULL);
		142	if (err < 0)
		143	return err;
		144
118	if (tb[NFTA_NAT_FAMILY] == NULL)	145	if (tb[NFTA_NAT_FAMILY] == NULL)
119	return -EINVAL;	146	return -EINVAL;
120		147
@@ -219,13 +246,6 @@ nla_put_failure:
219	return -1;	246	return -1;
220	}	247	}
221		248
222	static int nft_nat_validate(const struct nft_ctx *ctx,
223	const struct nft_expr *expr,
224	const struct nft_data **data)
225	{
226	return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
227	}
228
229	static struct nft_expr_type nft_nat_type;	249	static struct nft_expr_type nft_nat_type;
230	static const struct nft_expr_ops nft_nat_ops = {	250	static const struct nft_expr_ops nft_nat_ops = {
231	.type = &nft_nat_type,	251	.type = &nft_nat_type,


diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c index 9e8093f28311..d7e9e93a4e90 100644 --- a/net/netfilter/nft_redir.c +++ b/net/netfilter/nft_redir.c
@@ -23,6 +23,22 @@ const struct nla_policy nft_redir_policy[NFTA_REDIR_MAX + 1] = {
23	};	23	};
24	EXPORT_SYMBOL_GPL(nft_redir_policy);	24	EXPORT_SYMBOL_GPL(nft_redir_policy);
25		25
		26	int nft_redir_validate(const struct nft_ctx *ctx,
		27	const struct nft_expr *expr,
		28	const struct nft_data **data)
		29	{
		30	int err;
		31
		32	err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
		33	if (err < 0)
		34	return err;
		35
		36	return nft_chain_validate_hooks(ctx->chain,
		37	(1 << NF_INET_PRE_ROUTING) \|
		38	(1 << NF_INET_LOCAL_OUT));
		39	}
		40	EXPORT_SYMBOL_GPL(nft_redir_validate);
		41
26	int nft_redir_init(const struct nft_ctx *ctx,	42	int nft_redir_init(const struct nft_ctx *ctx,
27	const struct nft_expr *expr,	43	const struct nft_expr *expr,
28	const struct nlattr * const tb[])	44	const struct nlattr * const tb[])
@@ -30,7 +46,7 @@ int nft_redir_init(const struct nft_ctx *ctx,
30	struct nft_redir *priv = nft_expr_priv(expr);	46	struct nft_redir *priv = nft_expr_priv(expr);
31	int err;	47	int err;
32		48
33	err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);	49	err = nft_redir_validate(ctx, expr, NULL);
34	if (err < 0)	50	if (err < 0)
35	return err;	51	return err;
36		52
@@ -88,12 +104,5 @@ nla_put_failure:
88	}	104	}
89	EXPORT_SYMBOL_GPL(nft_redir_dump);	105	EXPORT_SYMBOL_GPL(nft_redir_dump);
90		106
91	int nft_redir_validate(const struct nft_ctx ctx, const struct nft_expr expr,
92	const struct nft_data **data)
93	{
94	return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
95	}
96	EXPORT_SYMBOL_GPL(nft_redir_validate);
97
98	MODULE_LICENSE("GPL");	107	MODULE_LICENSE("GPL");
99	MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");	108	MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");