From f9dcdc7fefcab5ec9b15b0f3c87dfebef37ecaa3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Tue, 8 May 2018 09:40:43 +0200 Subject: kernel: mark source kernel for netfilter backports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This helps keeping track on patches & adding new kernels in the future. Signed-off-by: Rafał Miłecki --- ...f_tables-add-single-table-list-for-all-fa.patch | 1450 ++++++++++++++++++++ 1 file changed, 1450 insertions(+) create mode 100644 target/linux/generic/backport-4.14/335-v4.16-netfilter-nf_tables-add-single-table-list-for-all-fa.patch (limited to 'target/linux/generic/backport-4.14/335-v4.16-netfilter-nf_tables-add-single-table-list-for-all-fa.patch') diff --git a/target/linux/generic/backport-4.14/335-v4.16-netfilter-nf_tables-add-single-table-list-for-all-fa.patch b/target/linux/generic/backport-4.14/335-v4.16-netfilter-nf_tables-add-single-table-list-for-all-fa.patch new file mode 100644 index 0000000000..6fedd00eb0 --- /dev/null +++ b/target/linux/generic/backport-4.14/335-v4.16-netfilter-nf_tables-add-single-table-list-for-all-fa.patch @@ -0,0 +1,1450 @@ +From: Pablo Neira Ayuso +Date: Tue, 9 Jan 2018 02:38:03 +0100 +Subject: [PATCH] netfilter: nf_tables: add single table list for all families + +Place all existing user defined tables in struct net *, instead of +having one list per family. This saves us from one level of indentation +in netlink dump functions. + +Place pointer to struct nft_af_info in struct nft_table temporarily, as +we still need this to put back reference module reference counter on +table removal. + +This patch comes in preparation for the removal of struct nft_af_info. + +Signed-off-by: Pablo Neira Ayuso +--- + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -143,22 +143,22 @@ static inline void nft_data_debug(const + * struct nft_ctx - nf_tables rule/set context + * + * @net: net namespace +- * @afi: address family info + * @table: the table the chain is contained in + * @chain: the chain the rule is contained in + * @nla: netlink attributes + * @portid: netlink portID of the original message + * @seq: netlink sequence number ++ * @family: protocol family + * @report: notify via unicast netlink message + */ + struct nft_ctx { + struct net *net; +- struct nft_af_info *afi; + struct nft_table *table; + struct nft_chain *chain; + const struct nlattr * const *nla; + u32 portid; + u32 seq; ++ u8 family; + bool report; + }; + +@@ -939,6 +939,7 @@ unsigned int nft_do_chain(struct nft_pkt + * @use: number of chain references to this table + * @flags: table flag (see enum nft_table_flags) + * @genmask: generation mask ++ * @afinfo: address family info + * @name: name of the table + */ + struct nft_table { +@@ -951,6 +952,7 @@ struct nft_table { + u32 use; + u16 flags:14, + genmask:2; ++ struct nft_af_info *afi; + char *name; + }; + +@@ -960,13 +962,11 @@ struct nft_table { + * @list: used internally + * @family: address family + * @owner: module owner +- * @tables: used internally + */ + struct nft_af_info { + struct list_head list; + int family; + struct module *owner; +- struct list_head tables; + }; + + int nft_register_afinfo(struct net *, struct nft_af_info *); +--- a/include/net/netns/nftables.h ++++ b/include/net/netns/nftables.h +@@ -8,6 +8,7 @@ struct nft_af_info; + + struct netns_nftables { + struct list_head af_info; ++ struct list_head tables; + struct list_head commit_list; + struct nft_af_info *ipv4; + struct nft_af_info *ipv6; +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -37,7 +37,6 @@ static LIST_HEAD(nf_tables_flowtables); + */ + int nft_register_afinfo(struct net *net, struct nft_af_info *afi) + { +- INIT_LIST_HEAD(&afi->tables); + nfnl_lock(NFNL_SUBSYS_NFTABLES); + list_add_tail_rcu(&afi->list, &net->nft.af_info); + nfnl_unlock(NFNL_SUBSYS_NFTABLES); +@@ -99,13 +98,13 @@ static void nft_ctx_init(struct nft_ctx + struct net *net, + const struct sk_buff *skb, + const struct nlmsghdr *nlh, +- struct nft_af_info *afi, ++ u8 family, + struct nft_table *table, + struct nft_chain *chain, + const struct nlattr * const *nla) + { + ctx->net = net; +- ctx->afi = afi; ++ ctx->family = family; + ctx->table = table; + ctx->chain = chain; + ctx->nla = nla; +@@ -385,30 +384,31 @@ static int nft_delflowtable(struct nft_c + * Tables + */ + +-static struct nft_table *nft_table_lookup(const struct nft_af_info *afi, ++static struct nft_table *nft_table_lookup(const struct net *net, + const struct nlattr *nla, +- u8 genmask) ++ u8 family, u8 genmask) + { + struct nft_table *table; + +- list_for_each_entry(table, &afi->tables, list) { ++ list_for_each_entry(table, &net->nft.tables, list) { + if (!nla_strcmp(nla, table->name) && ++ table->afi->family == family && + nft_active_genmask(table, genmask)) + return table; + } + return NULL; + } + +-static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi, ++static struct nft_table *nf_tables_table_lookup(const struct net *net, + const struct nlattr *nla, +- u8 genmask) ++ u8 family, u8 genmask) + { + struct nft_table *table; + + if (nla == NULL) + return ERR_PTR(-EINVAL); + +- table = nft_table_lookup(afi, nla, genmask); ++ table = nft_table_lookup(net, nla, family, genmask); + if (table != NULL) + return table; + +@@ -507,7 +507,7 @@ static void nf_tables_table_notify(const + goto err; + + err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, +- event, 0, ctx->afi->family, ctx->table); ++ event, 0, ctx->family, ctx->table); + if (err < 0) { + kfree_skb(skb); + goto err; +@@ -524,7 +524,6 @@ static int nf_tables_dump_tables(struct + struct netlink_callback *cb) + { + const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); +- const struct nft_af_info *afi; + const struct nft_table *table; + unsigned int idx = 0, s_idx = cb->args[0]; + struct net *net = sock_net(skb->sk); +@@ -533,30 +532,27 @@ static int nf_tables_dump_tables(struct + rcu_read_lock(); + cb->seq = net->nft.base_seq; + +- list_for_each_entry_rcu(afi, &net->nft.af_info, list) { +- if (family != NFPROTO_UNSPEC && family != afi->family) ++ list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ if (family != NFPROTO_UNSPEC && family != table->afi->family) + continue; + +- list_for_each_entry_rcu(table, &afi->tables, list) { +- if (idx < s_idx) +- goto cont; +- if (idx > s_idx) +- memset(&cb->args[1], 0, +- sizeof(cb->args) - sizeof(cb->args[0])); +- if (!nft_is_active(net, table)) +- continue; +- if (nf_tables_fill_table_info(skb, net, +- NETLINK_CB(cb->skb).portid, +- cb->nlh->nlmsg_seq, +- NFT_MSG_NEWTABLE, +- NLM_F_MULTI, +- afi->family, table) < 0) +- goto done; ++ if (idx < s_idx) ++ goto cont; ++ if (idx > s_idx) ++ memset(&cb->args[1], 0, ++ sizeof(cb->args) - sizeof(cb->args[0])); ++ if (!nft_is_active(net, table)) ++ continue; ++ if (nf_tables_fill_table_info(skb, net, ++ NETLINK_CB(cb->skb).portid, ++ cb->nlh->nlmsg_seq, ++ NFT_MSG_NEWTABLE, NLM_F_MULTI, ++ table->afi->family, table) < 0) ++ goto done; + +- nl_dump_check_consistent(cb, nlmsg_hdr(skb)); ++ nl_dump_check_consistent(cb, nlmsg_hdr(skb)); + cont: +- idx++; +- } ++ idx++; + } + done: + rcu_read_unlock(); +@@ -588,7 +584,8 @@ static int nf_tables_gettable(struct net + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -719,7 +716,7 @@ static int nf_tables_newtable(struct net + return PTR_ERR(afi); + + name = nla[NFTA_TABLE_NAME]; +- table = nf_tables_table_lookup(afi, name, genmask); ++ table = nf_tables_table_lookup(net, name, afi->family, genmask); + if (IS_ERR(table)) { + if (PTR_ERR(table) != -ENOENT) + return PTR_ERR(table); +@@ -729,7 +726,7 @@ static int nf_tables_newtable(struct net + if (nlh->nlmsg_flags & NLM_F_REPLACE) + return -EOPNOTSUPP; + +- nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + return nf_tables_updtable(&ctx); + } + +@@ -756,14 +753,15 @@ static int nf_tables_newtable(struct net + INIT_LIST_HEAD(&table->sets); + INIT_LIST_HEAD(&table->objects); + INIT_LIST_HEAD(&table->flowtables); ++ table->afi = afi; + table->flags = flags; + +- nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); + if (err < 0) + goto err4; + +- list_add_tail_rcu(&table->list, &afi->tables); ++ list_add_tail_rcu(&table->list, &net->nft.tables); + return 0; + err4: + kfree(table->name); +@@ -837,30 +835,28 @@ out: + + static int nft_flush(struct nft_ctx *ctx, int family) + { +- struct nft_af_info *afi; + struct nft_table *table, *nt; + const struct nlattr * const *nla = ctx->nla; + int err = 0; + +- list_for_each_entry(afi, &ctx->net->nft.af_info, list) { +- if (family != AF_UNSPEC && afi->family != family) ++ list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { ++ if (family != AF_UNSPEC && table->afi->family != family) + continue; + +- ctx->afi = afi; +- list_for_each_entry_safe(table, nt, &afi->tables, list) { +- if (!nft_is_active_next(ctx->net, table)) +- continue; ++ ctx->family = table->afi->family; + +- if (nla[NFTA_TABLE_NAME] && +- nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) +- continue; ++ if (!nft_is_active_next(ctx->net, table)) ++ continue; + +- ctx->table = table; ++ if (nla[NFTA_TABLE_NAME] && ++ nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) ++ continue; + +- err = nft_flush_table(ctx); +- if (err < 0) +- goto out; +- } ++ ctx->table = table; ++ ++ err = nft_flush_table(ctx); ++ if (err < 0) ++ goto out; + } + out: + return err; +@@ -878,7 +874,7 @@ static int nf_tables_deltable(struct net + int family = nfmsg->nfgen_family; + struct nft_ctx ctx; + +- nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla); + if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL) + return nft_flush(&ctx, family); + +@@ -886,7 +882,8 @@ static int nf_tables_deltable(struct net + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -894,7 +891,7 @@ static int nf_tables_deltable(struct net + table->use > 0) + return -EBUSY; + +- ctx.afi = afi; ++ ctx.family = afi->family; + ctx.table = table; + + return nft_flush_table(&ctx); +@@ -906,7 +903,7 @@ static void nf_tables_table_destroy(stru + + kfree(ctx->table->name); + kfree(ctx->table); +- module_put(ctx->afi->owner); ++ module_put(ctx->table->afi->owner); + } + + int nft_register_chain_type(const struct nf_chain_type *ctype) +@@ -1107,7 +1104,7 @@ static void nf_tables_chain_notify(const + goto err; + + err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, +- event, 0, ctx->afi->family, ctx->table, ++ event, 0, ctx->family, ctx->table, + ctx->chain); + if (err < 0) { + kfree_skb(skb); +@@ -1125,7 +1122,6 @@ static int nf_tables_dump_chains(struct + struct netlink_callback *cb) + { + const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); +- const struct nft_af_info *afi; + const struct nft_table *table; + const struct nft_chain *chain; + unsigned int idx = 0, s_idx = cb->args[0]; +@@ -1135,31 +1131,30 @@ static int nf_tables_dump_chains(struct + rcu_read_lock(); + cb->seq = net->nft.base_seq; + +- list_for_each_entry_rcu(afi, &net->nft.af_info, list) { +- if (family != NFPROTO_UNSPEC && family != afi->family) ++ list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ if (family != NFPROTO_UNSPEC && family != table->afi->family) + continue; + +- list_for_each_entry_rcu(table, &afi->tables, list) { +- list_for_each_entry_rcu(chain, &table->chains, list) { +- if (idx < s_idx) +- goto cont; +- if (idx > s_idx) +- memset(&cb->args[1], 0, +- sizeof(cb->args) - sizeof(cb->args[0])); +- if (!nft_is_active(net, chain)) +- continue; +- if (nf_tables_fill_chain_info(skb, net, +- NETLINK_CB(cb->skb).portid, +- cb->nlh->nlmsg_seq, +- NFT_MSG_NEWCHAIN, +- NLM_F_MULTI, +- afi->family, table, chain) < 0) +- goto done; ++ list_for_each_entry_rcu(chain, &table->chains, list) { ++ if (idx < s_idx) ++ goto cont; ++ if (idx > s_idx) ++ memset(&cb->args[1], 0, ++ sizeof(cb->args) - sizeof(cb->args[0])); ++ if (!nft_is_active(net, chain)) ++ continue; ++ if (nf_tables_fill_chain_info(skb, net, ++ NETLINK_CB(cb->skb).portid, ++ cb->nlh->nlmsg_seq, ++ NFT_MSG_NEWCHAIN, ++ NLM_F_MULTI, ++ table->afi->family, table, ++ chain) < 0) ++ goto done; + +- nl_dump_check_consistent(cb, nlmsg_hdr(skb)); ++ nl_dump_check_consistent(cb, nlmsg_hdr(skb)); + cont: +- idx++; +- } ++ idx++; + } + } + done: +@@ -1193,7 +1188,8 @@ static int nf_tables_getchain(struct net + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -1301,8 +1297,8 @@ struct nft_chain_hook { + + static int nft_chain_parse_hook(struct net *net, + const struct nlattr * const nla[], +- struct nft_af_info *afi, +- struct nft_chain_hook *hook, bool create) ++ struct nft_chain_hook *hook, u8 family, ++ bool create) + { + struct nlattr *ha[NFTA_HOOK_MAX + 1]; + const struct nf_chain_type *type; +@@ -1321,10 +1317,10 @@ static int nft_chain_parse_hook(struct n + hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); + hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); + +- type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT]; ++ type = chain_type[family][NFT_CHAIN_T_DEFAULT]; + if (nla[NFTA_CHAIN_TYPE]) { + type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE], +- afi->family, create); ++ family, create); + if (IS_ERR(type)) + return PTR_ERR(type); + } +@@ -1336,7 +1332,7 @@ static int nft_chain_parse_hook(struct n + hook->type = type; + + hook->dev = NULL; +- if (afi->family == NFPROTO_NETDEV) { ++ if (family == NFPROTO_NETDEV) { + char ifname[IFNAMSIZ]; + + if (!ha[NFTA_HOOK_DEV]) { +@@ -1371,7 +1367,6 @@ static int nf_tables_addchain(struct nft + { + const struct nlattr * const *nla = ctx->nla; + struct nft_table *table = ctx->table; +- struct nft_af_info *afi = ctx->afi; + struct nft_base_chain *basechain; + struct nft_stats __percpu *stats; + struct net *net = ctx->net; +@@ -1385,7 +1380,7 @@ static int nf_tables_addchain(struct nft + struct nft_chain_hook hook; + struct nf_hook_ops *ops; + +- err = nft_chain_parse_hook(net, nla, afi, &hook, create); ++ err = nft_chain_parse_hook(net, nla, &hook, family, create); + if (err < 0) + return err; + +@@ -1478,7 +1473,7 @@ static int nf_tables_updchain(struct nft + if (!nft_is_base_chain(chain)) + return -EBUSY; + +- err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook, ++ err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, + create); + if (err < 0) + return err; +@@ -1571,7 +1566,8 @@ static int nf_tables_newchain(struct net + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -1611,7 +1607,7 @@ static int nf_tables_newchain(struct net + } + } + +- nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); + + if (chain != NULL) { + if (nlh->nlmsg_flags & NLM_F_EXCL) +@@ -1645,7 +1641,8 @@ static int nf_tables_delchain(struct net + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -1657,7 +1654,7 @@ static int nf_tables_delchain(struct net + chain->use > 0) + return -EBUSY; + +- nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); + + use = chain->use; + list_for_each_entry(rule, &chain->rules, list) { +@@ -1822,7 +1819,7 @@ static int nf_tables_expr_parse(const st + if (err < 0) + return err; + +- type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]); ++ type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]); + if (IS_ERR(type)) + return PTR_ERR(type); + +@@ -2045,7 +2042,7 @@ static void nf_tables_rule_notify(const + goto err; + + err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, +- event, 0, ctx->afi->family, ctx->table, ++ event, 0, ctx->family, ctx->table, + ctx->chain, rule); + if (err < 0) { + kfree_skb(skb); +@@ -2069,7 +2066,6 @@ static int nf_tables_dump_rules(struct s + { + const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + const struct nft_rule_dump_ctx *ctx = cb->data; +- const struct nft_af_info *afi; + const struct nft_table *table; + const struct nft_chain *chain; + const struct nft_rule *rule; +@@ -2080,39 +2076,37 @@ static int nf_tables_dump_rules(struct s + rcu_read_lock(); + cb->seq = net->nft.base_seq; + +- list_for_each_entry_rcu(afi, &net->nft.af_info, list) { +- if (family != NFPROTO_UNSPEC && family != afi->family) ++ list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ if (family != NFPROTO_UNSPEC && family != table->afi->family) ++ continue; ++ ++ if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) + continue; + +- list_for_each_entry_rcu(table, &afi->tables, list) { +- if (ctx && ctx->table && +- strcmp(ctx->table, table->name) != 0) ++ list_for_each_entry_rcu(chain, &table->chains, list) { ++ if (ctx && ctx->chain && ++ strcmp(ctx->chain, chain->name) != 0) + continue; + +- list_for_each_entry_rcu(chain, &table->chains, list) { +- if (ctx && ctx->chain && +- strcmp(ctx->chain, chain->name) != 0) +- continue; +- +- list_for_each_entry_rcu(rule, &chain->rules, list) { +- if (!nft_is_active(net, rule)) +- goto cont; +- if (idx < s_idx) +- goto cont; +- if (idx > s_idx) +- memset(&cb->args[1], 0, +- sizeof(cb->args) - sizeof(cb->args[0])); +- if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, +- cb->nlh->nlmsg_seq, +- NFT_MSG_NEWRULE, +- NLM_F_MULTI | NLM_F_APPEND, +- afi->family, table, chain, rule) < 0) +- goto done; ++ list_for_each_entry_rcu(rule, &chain->rules, list) { ++ if (!nft_is_active(net, rule)) ++ goto cont; ++ if (idx < s_idx) ++ goto cont; ++ if (idx > s_idx) ++ memset(&cb->args[1], 0, ++ sizeof(cb->args) - sizeof(cb->args[0])); ++ if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, ++ cb->nlh->nlmsg_seq, ++ NFT_MSG_NEWRULE, ++ NLM_F_MULTI | NLM_F_APPEND, ++ table->afi->family, ++ table, chain, rule) < 0) ++ goto done; + +- nl_dump_check_consistent(cb, nlmsg_hdr(skb)); ++ nl_dump_check_consistent(cb, nlmsg_hdr(skb)); + cont: +- idx++; +- } ++ idx++; + } + } + } +@@ -2190,7 +2184,8 @@ static int nf_tables_getrule(struct net + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -2267,7 +2262,8 @@ static int nf_tables_newrule(struct net + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -2306,7 +2302,7 @@ static int nf_tables_newrule(struct net + return PTR_ERR(old_rule); + } + +- nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); + + n = 0; + size = 0; +@@ -2441,7 +2437,8 @@ static int nf_tables_delrule(struct net + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -2452,7 +2449,7 @@ static int nf_tables_delrule(struct net + return PTR_ERR(chain); + } + +- nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); + + if (chain) { + if (nla[NFTA_RULE_HANDLE]) { +@@ -2650,13 +2647,13 @@ static int nft_ctx_init_from_setattr(str + if (afi == NULL) + return -EAFNOSUPPORT; + +- table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], +- genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], ++ afi->family, genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + } + +- nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla); ++ nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla); + return 0; + } + +@@ -2783,7 +2780,7 @@ static int nf_tables_fill_set(struct sk_ + goto nla_put_failure; + + nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = ctx->afi->family; ++ nfmsg->nfgen_family = ctx->family; + nfmsg->version = NFNETLINK_V0; + nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); + +@@ -2875,10 +2872,8 @@ static int nf_tables_dump_sets(struct sk + { + const struct nft_set *set; + unsigned int idx, s_idx = cb->args[0]; +- struct nft_af_info *afi; + struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; + struct net *net = sock_net(skb->sk); +- int cur_family = cb->args[3]; + struct nft_ctx *ctx = cb->data, ctx_set; + + if (cb->args[1]) +@@ -2887,51 +2882,44 @@ static int nf_tables_dump_sets(struct sk + rcu_read_lock(); + cb->seq = net->nft.base_seq; + +- list_for_each_entry_rcu(afi, &net->nft.af_info, list) { +- if (ctx->afi && ctx->afi != afi) ++ list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ if (ctx->family != NFPROTO_UNSPEC && ++ ctx->family != table->afi->family) + continue; + +- if (cur_family) { +- if (afi->family != cur_family) +- continue; ++ if (ctx->table && ctx->table != table) ++ continue; + +- cur_family = 0; +- } +- list_for_each_entry_rcu(table, &afi->tables, list) { +- if (ctx->table && ctx->table != table) ++ if (cur_table) { ++ if (cur_table != table) + continue; + +- if (cur_table) { +- if (cur_table != table) +- continue; ++ cur_table = NULL; ++ } ++ idx = 0; ++ list_for_each_entry_rcu(set, &table->sets, list) { ++ if (idx < s_idx) ++ goto cont; ++ if (!nft_is_active(net, set)) ++ goto cont; + +- cur_table = NULL; ++ ctx_set = *ctx; ++ ctx_set.table = table; ++ ctx_set.family = table->afi->family; ++ ++ if (nf_tables_fill_set(skb, &ctx_set, set, ++ NFT_MSG_NEWSET, ++ NLM_F_MULTI) < 0) { ++ cb->args[0] = idx; ++ cb->args[2] = (unsigned long) table; ++ goto done; + } +- idx = 0; +- list_for_each_entry_rcu(set, &table->sets, list) { +- if (idx < s_idx) +- goto cont; +- if (!nft_is_active(net, set)) +- goto cont; +- +- ctx_set = *ctx; +- ctx_set.table = table; +- ctx_set.afi = afi; +- if (nf_tables_fill_set(skb, &ctx_set, set, +- NFT_MSG_NEWSET, +- NLM_F_MULTI) < 0) { +- cb->args[0] = idx; +- cb->args[2] = (unsigned long) table; +- cb->args[3] = afi->family; +- goto done; +- } +- nl_dump_check_consistent(cb, nlmsg_hdr(skb)); ++ nl_dump_check_consistent(cb, nlmsg_hdr(skb)); + cont: +- idx++; +- } +- if (s_idx) +- s_idx = 0; ++ idx++; + } ++ if (s_idx) ++ s_idx = 0; + } + cb->args[1] = 1; + done: +@@ -3141,11 +3129,12 @@ static int nf_tables_newset(struct net * + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +- nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + + set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask); + if (IS_ERR(set)) { +@@ -3410,12 +3399,12 @@ static int nft_ctx_init_from_elemattr(st + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE], +- genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], ++ afi->family, genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +- nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla); ++ nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla); + return 0; + } + +@@ -3520,7 +3509,6 @@ static int nf_tables_dump_set(struct sk_ + { + struct nft_set_dump_ctx *dump_ctx = cb->data; + struct net *net = sock_net(skb->sk); +- struct nft_af_info *afi; + struct nft_table *table; + struct nft_set *set; + struct nft_set_dump_args args; +@@ -3532,21 +3520,19 @@ static int nf_tables_dump_set(struct sk_ + int event; + + rcu_read_lock(); +- list_for_each_entry_rcu(afi, &net->nft.af_info, list) { +- if (afi != dump_ctx->ctx.afi) ++ list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ if (dump_ctx->ctx.family != NFPROTO_UNSPEC && ++ dump_ctx->ctx.family != table->afi->family) + continue; + +- list_for_each_entry_rcu(table, &afi->tables, list) { +- if (table != dump_ctx->ctx.table) +- continue; ++ if (table != dump_ctx->ctx.table) ++ continue; + +- list_for_each_entry_rcu(set, &table->sets, list) { +- if (set == dump_ctx->set) { +- set_found = true; +- break; +- } ++ list_for_each_entry_rcu(set, &table->sets, list) { ++ if (set == dump_ctx->set) { ++ set_found = true; ++ break; + } +- break; + } + break; + } +@@ -3566,7 +3552,7 @@ static int nf_tables_dump_set(struct sk_ + goto nla_put_failure; + + nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = afi->family; ++ nfmsg->nfgen_family = table->afi->family; + nfmsg->version = NFNETLINK_V0; + nfmsg->res_id = htons(net->nft.base_seq & 0xffff); + +@@ -3668,7 +3654,7 @@ static int nf_tables_fill_setelem_info(s + goto nla_put_failure; + + nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = ctx->afi->family; ++ nfmsg->nfgen_family = ctx->family; + nfmsg->version = NFNETLINK_V0; + nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); + +@@ -3912,7 +3898,7 @@ static int nft_add_set_elem(struct nft_c + list_for_each_entry(binding, &set->bindings, list) { + struct nft_ctx bind_ctx = { + .net = ctx->net, +- .afi = ctx->afi, ++ .family = ctx->family, + .table = ctx->table, + .chain = (struct nft_chain *)binding->chain, + }; +@@ -4459,7 +4445,8 @@ static int nf_tables_newobj(struct net * + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -4477,7 +4464,7 @@ static int nf_tables_newobj(struct net * + return 0; + } + +- nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + + type = nft_obj_type_get(objtype); + if (IS_ERR(type)) +@@ -4554,7 +4541,6 @@ struct nft_obj_filter { + static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) + { + const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); +- const struct nft_af_info *afi; + const struct nft_table *table; + unsigned int idx = 0, s_idx = cb->args[0]; + struct nft_obj_filter *filter = cb->data; +@@ -4569,38 +4555,37 @@ static int nf_tables_dump_obj(struct sk_ + rcu_read_lock(); + cb->seq = net->nft.base_seq; + +- list_for_each_entry_rcu(afi, &net->nft.af_info, list) { +- if (family != NFPROTO_UNSPEC && family != afi->family) ++ list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ if (family != NFPROTO_UNSPEC && family != table->afi->family) + continue; + +- list_for_each_entry_rcu(table, &afi->tables, list) { +- list_for_each_entry_rcu(obj, &table->objects, list) { +- if (!nft_is_active(net, obj)) +- goto cont; +- if (idx < s_idx) +- goto cont; +- if (idx > s_idx) +- memset(&cb->args[1], 0, +- sizeof(cb->args) - sizeof(cb->args[0])); +- if (filter && filter->table[0] && +- strcmp(filter->table, table->name)) +- goto cont; +- if (filter && +- filter->type != NFT_OBJECT_UNSPEC && +- obj->ops->type->type != filter->type) +- goto cont; ++ list_for_each_entry_rcu(obj, &table->objects, list) { ++ if (!nft_is_active(net, obj)) ++ goto cont; ++ if (idx < s_idx) ++ goto cont; ++ if (idx > s_idx) ++ memset(&cb->args[1], 0, ++ sizeof(cb->args) - sizeof(cb->args[0])); ++ if (filter && filter->table[0] && ++ strcmp(filter->table, table->name)) ++ goto cont; ++ if (filter && ++ filter->type != NFT_OBJECT_UNSPEC && ++ obj->ops->type->type != filter->type) ++ goto cont; + +- if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, +- cb->nlh->nlmsg_seq, +- NFT_MSG_NEWOBJ, +- NLM_F_MULTI | NLM_F_APPEND, +- afi->family, table, obj, reset) < 0) +- goto done; ++ if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, ++ cb->nlh->nlmsg_seq, ++ NFT_MSG_NEWOBJ, ++ NLM_F_MULTI | NLM_F_APPEND, ++ table->afi->family, table, ++ obj, reset) < 0) ++ goto done; + +- nl_dump_check_consistent(cb, nlmsg_hdr(skb)); ++ nl_dump_check_consistent(cb, nlmsg_hdr(skb)); + cont: +- idx++; +- } ++ idx++; + } + } + done: +@@ -4687,7 +4672,8 @@ static int nf_tables_getobj(struct net * + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -4747,7 +4733,8 @@ static int nf_tables_delobj(struct net * + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family, ++ genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -4758,7 +4745,7 @@ static int nf_tables_delobj(struct net * + if (obj->use > 0) + return -EBUSY; + +- nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + + return nft_delobj(&ctx, obj); + } +@@ -4796,7 +4783,7 @@ static void nf_tables_obj_notify(const s + struct nft_object *obj, int event) + { + nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, +- ctx->afi->family, ctx->report, GFP_KERNEL); ++ ctx->family, ctx->report, GFP_KERNEL); + } + + /* +@@ -4986,7 +4973,7 @@ void nft_flow_table_iterate(struct net * + + rcu_read_lock(); + list_for_each_entry_rcu(afi, &net->nft.af_info, list) { +- list_for_each_entry_rcu(table, &afi->tables, list) { ++ list_for_each_entry_rcu(table, &net->nft.tables, list) { + list_for_each_entry_rcu(flowtable, &table->flowtables, list) { + iter(&flowtable->data, data); + } +@@ -5034,7 +5021,8 @@ static int nf_tables_newflowtable(struct + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], ++ afi->family, genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -5051,7 +5039,7 @@ static int nf_tables_newflowtable(struct + return 0; + } + +- nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + + flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL); + if (!flowtable) +@@ -5132,7 +5120,8 @@ static int nf_tables_delflowtable(struct + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], ++ afi->family, genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -5143,7 +5132,7 @@ static int nf_tables_delflowtable(struct + if (flowtable->use > 0) + return -EBUSY; + +- nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla); ++ nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + + return nft_delflowtable(&ctx, flowtable); + } +@@ -5212,40 +5201,37 @@ static int nf_tables_dump_flowtable(stru + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; + struct nft_flowtable *flowtable; +- const struct nft_af_info *afi; + const struct nft_table *table; + + rcu_read_lock(); + cb->seq = net->nft.base_seq; + +- list_for_each_entry_rcu(afi, &net->nft.af_info, list) { +- if (family != NFPROTO_UNSPEC && family != afi->family) ++ list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ if (family != NFPROTO_UNSPEC && family != table->afi->family) + continue; + +- list_for_each_entry_rcu(table, &afi->tables, list) { +- list_for_each_entry_rcu(flowtable, &table->flowtables, list) { +- if (!nft_is_active(net, flowtable)) +- goto cont; +- if (idx < s_idx) +- goto cont; +- if (idx > s_idx) +- memset(&cb->args[1], 0, +- sizeof(cb->args) - sizeof(cb->args[0])); +- if (filter && filter->table[0] && +- strcmp(filter->table, table->name)) +- goto cont; ++ list_for_each_entry_rcu(flowtable, &table->flowtables, list) { ++ if (!nft_is_active(net, flowtable)) ++ goto cont; ++ if (idx < s_idx) ++ goto cont; ++ if (idx > s_idx) ++ memset(&cb->args[1], 0, ++ sizeof(cb->args) - sizeof(cb->args[0])); ++ if (filter && filter->table[0] && ++ strcmp(filter->table, table->name)) ++ goto cont; + +- if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, +- cb->nlh->nlmsg_seq, +- NFT_MSG_NEWFLOWTABLE, +- NLM_F_MULTI | NLM_F_APPEND, +- afi->family, flowtable) < 0) +- goto done; ++ if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, ++ cb->nlh->nlmsg_seq, ++ NFT_MSG_NEWFLOWTABLE, ++ NLM_F_MULTI | NLM_F_APPEND, ++ table->afi->family, flowtable) < 0) ++ goto done; + +- nl_dump_check_consistent(cb, nlmsg_hdr(skb)); ++ nl_dump_check_consistent(cb, nlmsg_hdr(skb)); + cont: +- idx++; +- } ++ idx++; + } + } + done: +@@ -5330,7 +5316,8 @@ static int nf_tables_getflowtable(struct + if (IS_ERR(afi)) + return PTR_ERR(afi); + +- table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask); ++ table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], ++ afi->family, genmask); + if (IS_ERR(table)) + return PTR_ERR(table); + +@@ -5373,7 +5360,7 @@ static void nf_tables_flowtable_notify(s + + err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, + ctx->seq, event, 0, +- ctx->afi->family, flowtable); ++ ctx->family, flowtable); + if (err < 0) { + kfree_skb(skb); + goto err; +@@ -5451,17 +5438,14 @@ static int nf_tables_flowtable_event(str + struct net_device *dev = netdev_notifier_info_to_dev(ptr); + struct nft_flowtable *flowtable; + struct nft_table *table; +- struct nft_af_info *afi; + + if (event != NETDEV_UNREGISTER) + return 0; + + nfnl_lock(NFNL_SUBSYS_NFTABLES); +- list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) { +- list_for_each_entry(table, &afi->tables, list) { +- list_for_each_entry(flowtable, &table->flowtables, list) { +- nft_flowtable_event(event, dev, flowtable); +- } ++ list_for_each_entry(table, &dev_net(dev)->nft.tables, list) { ++ list_for_each_entry(flowtable, &table->flowtables, list) { ++ nft_flowtable_event(event, dev, flowtable); + } + } + nfnl_unlock(NFNL_SUBSYS_NFTABLES); +@@ -6480,6 +6464,7 @@ EXPORT_SYMBOL_GPL(nft_data_dump); + static int __net_init nf_tables_init_net(struct net *net) + { + INIT_LIST_HEAD(&net->nft.af_info); ++ INIT_LIST_HEAD(&net->nft.tables); + INIT_LIST_HEAD(&net->nft.commit_list); + net->nft.base_seq = 1; + return 0; +@@ -6516,10 +6501,10 @@ static void __nft_release_afinfo(struct + struct nft_set *set, *ns; + struct nft_ctx ctx = { + .net = net, +- .afi = afi, ++ .family = afi->family, + }; + +- list_for_each_entry_safe(table, nt, &afi->tables, list) { ++ list_for_each_entry_safe(table, nt, &net->nft.tables, list) { + list_for_each_entry(chain, &table->chains, list) + nf_tables_unregister_hook(net, table, chain); + list_for_each_entry(flowtable, &table->flowtables, list) +--- a/net/netfilter/nf_tables_netdev.c ++++ b/net/netfilter/nf_tables_netdev.c +@@ -107,7 +107,6 @@ static int nf_tables_netdev_event(struct + unsigned long event, void *ptr) + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); +- struct nft_af_info *afi; + struct nft_table *table; + struct nft_chain *chain, *nr; + struct nft_ctx ctx = { +@@ -119,20 +118,18 @@ static int nf_tables_netdev_event(struct + return NOTIFY_DONE; + + nfnl_lock(NFNL_SUBSYS_NFTABLES); +- list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) { +- ctx.afi = afi; +- if (afi->family != NFPROTO_NETDEV) ++ list_for_each_entry(table, &ctx.net->nft.tables, list) { ++ if (table->afi->family != NFPROTO_NETDEV) + continue; + +- list_for_each_entry(table, &afi->tables, list) { +- ctx.table = table; +- list_for_each_entry_safe(chain, nr, &table->chains, list) { +- if (!nft_is_base_chain(chain)) +- continue; ++ ctx.family = table->afi->family; ++ ctx.table = table; ++ list_for_each_entry_safe(chain, nr, &table->chains, list) { ++ if (!nft_is_base_chain(chain)) ++ continue; + +- ctx.chain = chain; +- nft_netdev_event(event, dev, &ctx); +- } ++ ctx.chain = chain; ++ nft_netdev_event(event, dev, &ctx); + } + } + nfnl_unlock(NFNL_SUBSYS_NFTABLES); +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -144,7 +144,7 @@ nft_target_set_tgchk_param(struct xt_tgc + { + par->net = ctx->net; + par->table = ctx->table->name; +- switch (ctx->afi->family) { ++ switch (ctx->family) { + case AF_INET: + entry->e4.ip.proto = proto; + entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0; +@@ -175,7 +175,7 @@ nft_target_set_tgchk_param(struct xt_tgc + } else { + par->hook_mask = 0; + } +- par->family = ctx->afi->family; ++ par->family = ctx->family; + par->nft_compat = true; + } + +@@ -267,7 +267,7 @@ nft_target_destroy(const struct nft_ctx + par.net = ctx->net; + par.target = target; + par.targinfo = info; +- par.family = ctx->afi->family; ++ par.family = ctx->family; + if (par.target->destroy != NULL) + par.target->destroy(&par); + +@@ -358,7 +358,7 @@ nft_match_set_mtchk_param(struct xt_mtch + { + par->net = ctx->net; + par->table = ctx->table->name; +- switch (ctx->afi->family) { ++ switch (ctx->family) { + case AF_INET: + entry->e4.ip.proto = proto; + entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0; +@@ -389,7 +389,7 @@ nft_match_set_mtchk_param(struct xt_mtch + } else { + par->hook_mask = 0; + } +- par->family = ctx->afi->family; ++ par->family = ctx->family; + par->nft_compat = true; + } + +@@ -446,7 +446,7 @@ nft_match_destroy(const struct nft_ctx * + par.net = ctx->net; + par.match = match; + par.matchinfo = info; +- par.family = ctx->afi->family; ++ par.family = ctx->family; + if (par.match->destroy != NULL) + par.match->destroy(&par); + +@@ -648,7 +648,7 @@ nft_match_select_ops(const struct nft_ct + + mt_name = nla_data(tb[NFTA_MATCH_NAME]); + rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV])); +- family = ctx->afi->family; ++ family = ctx->family; + + /* Re-use the existing match if it's already loaded. */ + list_for_each_entry(nft_match, &nft_match_list, head) { +@@ -733,7 +733,7 @@ nft_target_select_ops(const struct nft_c + + tg_name = nla_data(tb[NFTA_TARGET_NAME]); + rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV])); +- family = ctx->afi->family; ++ family = ctx->family; + + /* Re-use the existing target if it's already loaded. */ + list_for_each_entry(nft_target, &nft_target_list, head) { +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -405,7 +405,7 @@ static int nft_ct_get_init(const struct + if (tb[NFTA_CT_DIRECTION] == NULL) + return -EINVAL; + +- switch (ctx->afi->family) { ++ switch (ctx->family) { + case NFPROTO_IPV4: + len = FIELD_SIZEOF(struct nf_conntrack_tuple, + src.u3.ip); +@@ -456,7 +456,7 @@ static int nft_ct_get_init(const struct + if (err < 0) + return err; + +- err = nf_ct_netns_get(ctx->net, ctx->afi->family); ++ err = nf_ct_netns_get(ctx->net, ctx->family); + if (err < 0) + return err; + +@@ -550,7 +550,7 @@ static int nft_ct_set_init(const struct + if (err < 0) + goto err1; + +- err = nf_ct_netns_get(ctx->net, ctx->afi->family); ++ err = nf_ct_netns_get(ctx->net, ctx->family); + if (err < 0) + goto err1; + +@@ -564,7 +564,7 @@ err1: + static void nft_ct_get_destroy(const struct nft_ctx *ctx, + const struct nft_expr *expr) + { +- nf_ct_netns_put(ctx->net, ctx->afi->family); ++ nf_ct_netns_put(ctx->net, ctx->family); + } + + static void nft_ct_set_destroy(const struct nft_ctx *ctx, +@@ -573,7 +573,7 @@ static void nft_ct_set_destroy(const str + struct nft_ct *priv = nft_expr_priv(expr); + + __nft_ct_set_destroy(ctx, priv); +- nf_ct_netns_put(ctx->net, ctx->afi->family); ++ nf_ct_netns_put(ctx->net, ctx->family); + } + + static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr) +@@ -734,7 +734,7 @@ static int nft_ct_helper_obj_init(const + struct nft_ct_helper_obj *priv = nft_obj_data(obj); + struct nf_conntrack_helper *help4, *help6; + char name[NF_CT_HELPER_NAME_LEN]; +- int family = ctx->afi->family; ++ int family = ctx->family; + + if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO]) + return -EINVAL; +@@ -753,14 +753,14 @@ static int nft_ct_helper_obj_init(const + + switch (family) { + case NFPROTO_IPV4: +- if (ctx->afi->family == NFPROTO_IPV6) ++ if (ctx->family == NFPROTO_IPV6) + return -EINVAL; + + help4 = nf_conntrack_helper_try_module_get(name, family, + priv->l4proto); + break; + case NFPROTO_IPV6: +- if (ctx->afi->family == NFPROTO_IPV4) ++ if (ctx->family == NFPROTO_IPV4) + return -EINVAL; + + help6 = nf_conntrack_helper_try_module_get(name, family, +--- a/net/netfilter/nft_flow_offload.c ++++ b/net/netfilter/nft_flow_offload.c +@@ -151,7 +151,7 @@ static int nft_flow_offload_init(const s + priv->flowtable = flowtable; + flowtable->use++; + +- return nf_ct_netns_get(ctx->net, ctx->afi->family); ++ return nf_ct_netns_get(ctx->net, ctx->family); + } + + static void nft_flow_offload_destroy(const struct nft_ctx *ctx, +@@ -160,7 +160,7 @@ static void nft_flow_offload_destroy(con + struct nft_flow_offload *priv = nft_expr_priv(expr); + + priv->flowtable->use--; +- nf_ct_netns_put(ctx->net, ctx->afi->family); ++ nf_ct_netns_put(ctx->net, ctx->family); + } + + static int nft_flow_offload_dump(struct sk_buff *skb, const struct nft_expr *expr) +--- a/net/netfilter/nft_log.c ++++ b/net/netfilter/nft_log.c +@@ -112,7 +112,7 @@ static int nft_log_init(const struct nft + break; + } + +- err = nf_logger_find_get(ctx->afi->family, li->type); ++ err = nf_logger_find_get(ctx->family, li->type); + if (err < 0) + goto err1; + +@@ -133,7 +133,7 @@ static void nft_log_destroy(const struct + if (priv->prefix != nft_log_null_prefix) + kfree(priv->prefix); + +- nf_logger_put(ctx->afi->family, li->type); ++ nf_logger_put(ctx->family, li->type); + } + + static int nft_log_dump(struct sk_buff *skb, const struct nft_expr *expr) +--- a/net/netfilter/nft_masq.c ++++ b/net/netfilter/nft_masq.c +@@ -73,7 +73,7 @@ int nft_masq_init(const struct nft_ctx * + } + } + +- return nf_ct_netns_get(ctx->net, ctx->afi->family); ++ return nf_ct_netns_get(ctx->net, ctx->family); + } + EXPORT_SYMBOL_GPL(nft_masq_init); + +--- a/net/netfilter/nft_meta.c ++++ b/net/netfilter/nft_meta.c +@@ -339,7 +339,7 @@ static int nft_meta_get_validate(const s + if (priv->key != NFT_META_SECPATH) + return 0; + +- switch (ctx->afi->family) { ++ switch (ctx->family) { + case NFPROTO_NETDEV: + hooks = 1 << NF_NETDEV_INGRESS; + break; +@@ -370,7 +370,7 @@ int nft_meta_set_validate(const struct n + if (priv->key != NFT_META_PKTTYPE) + return 0; + +- switch (ctx->afi->family) { ++ switch (ctx->family) { + case NFPROTO_BRIDGE: + hooks = 1 << NF_BR_PRE_ROUTING; + break; +--- a/net/netfilter/nft_nat.c ++++ b/net/netfilter/nft_nat.c +@@ -142,7 +142,7 @@ static int nft_nat_init(const struct nft + return -EINVAL; + + family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY])); +- if (family != ctx->afi->family) ++ if (family != ctx->family) + return -EOPNOTSUPP; + + switch (family) { +--- a/net/netfilter/nft_redir.c ++++ b/net/netfilter/nft_redir.c +@@ -75,7 +75,7 @@ int nft_redir_init(const struct nft_ctx + return -EINVAL; + } + +- return nf_ct_netns_get(ctx->net, ctx->afi->family); ++ return nf_ct_netns_get(ctx->net, ctx->family); + } + EXPORT_SYMBOL_GPL(nft_redir_init); + -- cgit v1.2.3