787f62ef8f0b2a0d9ca8e1fb360a6c06115b40fc
[librecmc/librecmc.git] /
1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Tue, 9 Jan 2018 02:38:03 +0100
3 Subject: [PATCH] netfilter: nf_tables: add single table list for all families
4
5 Place all existing user defined tables in struct net *, instead of
6 having one list per family. This saves us from one level of indentation
7 in netlink dump functions.
8
9 Place pointer to struct nft_af_info in struct nft_table temporarily, as
10 we still need this to put back reference module reference counter on
11 table removal.
12
13 This patch comes in preparation for the removal of struct nft_af_info.
14
15 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
16 ---
17
18 --- a/include/net/netfilter/nf_tables.h
19 +++ b/include/net/netfilter/nf_tables.h
20 @@ -143,22 +143,22 @@ static inline void nft_data_debug(const
21   *     struct nft_ctx - nf_tables rule/set context
22   *
23   *     @net: net namespace
24 - *     @afi: address family info
25   *     @table: the table the chain is contained in
26   *     @chain: the chain the rule is contained in
27   *     @nla: netlink attributes
28   *     @portid: netlink portID of the original message
29   *     @seq: netlink sequence number
30 + *     @family: protocol family
31   *     @report: notify via unicast netlink message
32   */
33  struct nft_ctx {
34         struct net                      *net;
35 -       struct nft_af_info              *afi;
36         struct nft_table                *table;
37         struct nft_chain                *chain;
38         const struct nlattr * const     *nla;
39         u32                             portid;
40         u32                             seq;
41 +       u8                              family;
42         bool                            report;
43  };
44  
45 @@ -939,6 +939,7 @@ unsigned int nft_do_chain(struct nft_pkt
46   *     @use: number of chain references to this table
47   *     @flags: table flag (see enum nft_table_flags)
48   *     @genmask: generation mask
49 + *     @afinfo: address family info
50   *     @name: name of the table
51   */
52  struct nft_table {
53 @@ -951,6 +952,7 @@ struct nft_table {
54         u32                             use;
55         u16                             flags:14,
56                                         genmask:2;
57 +       struct nft_af_info              *afi;
58         char                            *name;
59  };
60  
61 @@ -960,13 +962,11 @@ struct nft_table {
62   *     @list: used internally
63   *     @family: address family
64   *     @owner: module owner
65 - *     @tables: used internally
66   */
67  struct nft_af_info {
68         struct list_head                list;
69         int                             family;
70         struct module                   *owner;
71 -       struct list_head                tables;
72  };
73  
74  int nft_register_afinfo(struct net *, struct nft_af_info *);
75 --- a/include/net/netns/nftables.h
76 +++ b/include/net/netns/nftables.h
77 @@ -8,6 +8,7 @@ struct nft_af_info;
78  
79  struct netns_nftables {
80         struct list_head        af_info;
81 +       struct list_head        tables;
82         struct list_head        commit_list;
83         struct nft_af_info      *ipv4;
84         struct nft_af_info      *ipv6;
85 --- a/net/netfilter/nf_tables_api.c
86 +++ b/net/netfilter/nf_tables_api.c
87 @@ -37,7 +37,6 @@ static LIST_HEAD(nf_tables_flowtables);
88   */
89  int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
90  {
91 -       INIT_LIST_HEAD(&afi->tables);
92         nfnl_lock(NFNL_SUBSYS_NFTABLES);
93         list_add_tail_rcu(&afi->list, &net->nft.af_info);
94         nfnl_unlock(NFNL_SUBSYS_NFTABLES);
95 @@ -99,13 +98,13 @@ static void nft_ctx_init(struct nft_ctx
96                          struct net *net,
97                          const struct sk_buff *skb,
98                          const struct nlmsghdr *nlh,
99 -                        struct nft_af_info *afi,
100 +                        u8 family,
101                          struct nft_table *table,
102                          struct nft_chain *chain,
103                          const struct nlattr * const *nla)
104  {
105         ctx->net        = net;
106 -       ctx->afi        = afi;
107 +       ctx->family     = family;
108         ctx->table      = table;
109         ctx->chain      = chain;
110         ctx->nla        = nla;
111 @@ -385,30 +384,31 @@ static int nft_delflowtable(struct nft_c
112   * Tables
113   */
114  
115 -static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
116 +static struct nft_table *nft_table_lookup(const struct net *net,
117                                           const struct nlattr *nla,
118 -                                         u8 genmask)
119 +                                         u8 family, u8 genmask)
120  {
121         struct nft_table *table;
122  
123 -       list_for_each_entry(table, &afi->tables, list) {
124 +       list_for_each_entry(table, &net->nft.tables, list) {
125                 if (!nla_strcmp(nla, table->name) &&
126 +                   table->afi->family == family &&
127                     nft_active_genmask(table, genmask))
128                         return table;
129         }
130         return NULL;
131  }
132  
133 -static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
134 +static struct nft_table *nf_tables_table_lookup(const struct net *net,
135                                                 const struct nlattr *nla,
136 -                                               u8 genmask)
137 +                                               u8 family, u8 genmask)
138  {
139         struct nft_table *table;
140  
141         if (nla == NULL)
142                 return ERR_PTR(-EINVAL);
143  
144 -       table = nft_table_lookup(afi, nla, genmask);
145 +       table = nft_table_lookup(net, nla, family, genmask);
146         if (table != NULL)
147                 return table;
148  
149 @@ -507,7 +507,7 @@ static void nf_tables_table_notify(const
150                 goto err;
151  
152         err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
153 -                                       event, 0, ctx->afi->family, ctx->table);
154 +                                       event, 0, ctx->family, ctx->table);
155         if (err < 0) {
156                 kfree_skb(skb);
157                 goto err;
158 @@ -524,7 +524,6 @@ static int nf_tables_dump_tables(struct
159                                  struct netlink_callback *cb)
160  {
161         const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
162 -       const struct nft_af_info *afi;
163         const struct nft_table *table;
164         unsigned int idx = 0, s_idx = cb->args[0];
165         struct net *net = sock_net(skb->sk);
166 @@ -533,30 +532,27 @@ static int nf_tables_dump_tables(struct
167         rcu_read_lock();
168         cb->seq = net->nft.base_seq;
169  
170 -       list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
171 -               if (family != NFPROTO_UNSPEC && family != afi->family)
172 +       list_for_each_entry_rcu(table, &net->nft.tables, list) {
173 +               if (family != NFPROTO_UNSPEC && family != table->afi->family)
174                         continue;
175  
176 -               list_for_each_entry_rcu(table, &afi->tables, list) {
177 -                       if (idx < s_idx)
178 -                               goto cont;
179 -                       if (idx > s_idx)
180 -                               memset(&cb->args[1], 0,
181 -                                      sizeof(cb->args) - sizeof(cb->args[0]));
182 -                       if (!nft_is_active(net, table))
183 -                               continue;
184 -                       if (nf_tables_fill_table_info(skb, net,
185 -                                                     NETLINK_CB(cb->skb).portid,
186 -                                                     cb->nlh->nlmsg_seq,
187 -                                                     NFT_MSG_NEWTABLE,
188 -                                                     NLM_F_MULTI,
189 -                                                     afi->family, table) < 0)
190 -                               goto done;
191 +               if (idx < s_idx)
192 +                       goto cont;
193 +               if (idx > s_idx)
194 +                       memset(&cb->args[1], 0,
195 +                              sizeof(cb->args) - sizeof(cb->args[0]));
196 +               if (!nft_is_active(net, table))
197 +                       continue;
198 +               if (nf_tables_fill_table_info(skb, net,
199 +                                             NETLINK_CB(cb->skb).portid,
200 +                                             cb->nlh->nlmsg_seq,
201 +                                             NFT_MSG_NEWTABLE, NLM_F_MULTI,
202 +                                             table->afi->family, table) < 0)
203 +                       goto done;
204  
205 -                       nl_dump_check_consistent(cb, nlmsg_hdr(skb));
206 +               nl_dump_check_consistent(cb, nlmsg_hdr(skb));
207  cont:
208 -                       idx++;
209 -               }
210 +               idx++;
211         }
212  done:
213         rcu_read_unlock();
214 @@ -588,7 +584,8 @@ static int nf_tables_gettable(struct net
215         if (IS_ERR(afi))
216                 return PTR_ERR(afi);
217  
218 -       table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
219 +       table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family,
220 +                                      genmask);
221         if (IS_ERR(table))
222                 return PTR_ERR(table);
223  
224 @@ -719,7 +716,7 @@ static int nf_tables_newtable(struct net
225                 return PTR_ERR(afi);
226  
227         name = nla[NFTA_TABLE_NAME];
228 -       table = nf_tables_table_lookup(afi, name, genmask);
229 +       table = nf_tables_table_lookup(net, name, afi->family, genmask);
230         if (IS_ERR(table)) {
231                 if (PTR_ERR(table) != -ENOENT)
232                         return PTR_ERR(table);
233 @@ -729,7 +726,7 @@ static int nf_tables_newtable(struct net
234                 if (nlh->nlmsg_flags & NLM_F_REPLACE)
235                         return -EOPNOTSUPP;
236  
237 -               nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
238 +               nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
239                 return nf_tables_updtable(&ctx);
240         }
241  
242 @@ -756,14 +753,15 @@ static int nf_tables_newtable(struct net
243         INIT_LIST_HEAD(&table->sets);
244         INIT_LIST_HEAD(&table->objects);
245         INIT_LIST_HEAD(&table->flowtables);
246 +       table->afi = afi;
247         table->flags = flags;
248  
249 -       nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
250 +       nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
251         err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
252         if (err < 0)
253                 goto err4;
254  
255 -       list_add_tail_rcu(&table->list, &afi->tables);
256 +       list_add_tail_rcu(&table->list, &net->nft.tables);
257         return 0;
258  err4:
259         kfree(table->name);
260 @@ -837,30 +835,28 @@ out:
261  
262  static int nft_flush(struct nft_ctx *ctx, int family)
263  {
264 -       struct nft_af_info *afi;
265         struct nft_table *table, *nt;
266         const struct nlattr * const *nla = ctx->nla;
267         int err = 0;
268  
269 -       list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
270 -               if (family != AF_UNSPEC && afi->family != family)
271 +       list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
272 +               if (family != AF_UNSPEC && table->afi->family != family)
273                         continue;
274  
275 -               ctx->afi = afi;
276 -               list_for_each_entry_safe(table, nt, &afi->tables, list) {
277 -                       if (!nft_is_active_next(ctx->net, table))
278 -                               continue;
279 +               ctx->family = table->afi->family;
280  
281 -                       if (nla[NFTA_TABLE_NAME] &&
282 -                           nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
283 -                               continue;
284 +               if (!nft_is_active_next(ctx->net, table))
285 +                       continue;
286  
287 -                       ctx->table = table;
288 +               if (nla[NFTA_TABLE_NAME] &&
289 +                   nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
290 +                       continue;
291  
292 -                       err = nft_flush_table(ctx);
293 -                       if (err < 0)
294 -                               goto out;
295 -               }
296 +               ctx->table = table;
297 +
298 +               err = nft_flush_table(ctx);
299 +               if (err < 0)
300 +                       goto out;
301         }
302  out:
303         return err;
304 @@ -878,7 +874,7 @@ static int nf_tables_deltable(struct net
305         int family = nfmsg->nfgen_family;
306         struct nft_ctx ctx;
307  
308 -       nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
309 +       nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
310         if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
311                 return nft_flush(&ctx, family);
312  
313 @@ -886,7 +882,8 @@ static int nf_tables_deltable(struct net
314         if (IS_ERR(afi))
315                 return PTR_ERR(afi);
316  
317 -       table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
318 +       table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family,
319 +                                      genmask);
320         if (IS_ERR(table))
321                 return PTR_ERR(table);
322  
323 @@ -894,7 +891,7 @@ static int nf_tables_deltable(struct net
324             table->use > 0)
325                 return -EBUSY;
326  
327 -       ctx.afi = afi;
328 +       ctx.family = afi->family;
329         ctx.table = table;
330  
331         return nft_flush_table(&ctx);
332 @@ -906,7 +903,7 @@ static void nf_tables_table_destroy(stru
333  
334         kfree(ctx->table->name);
335         kfree(ctx->table);
336 -       module_put(ctx->afi->owner);
337 +       module_put(ctx->table->afi->owner);
338  }
339  
340  int nft_register_chain_type(const struct nf_chain_type *ctype)
341 @@ -1107,7 +1104,7 @@ static void nf_tables_chain_notify(const
342                 goto err;
343  
344         err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
345 -                                       event, 0, ctx->afi->family, ctx->table,
346 +                                       event, 0, ctx->family, ctx->table,
347                                         ctx->chain);
348         if (err < 0) {
349                 kfree_skb(skb);
350 @@ -1125,7 +1122,6 @@ static int nf_tables_dump_chains(struct
351                                  struct netlink_callback *cb)
352  {
353         const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
354 -       const struct nft_af_info *afi;
355         const struct nft_table *table;
356         const struct nft_chain *chain;
357         unsigned int idx = 0, s_idx = cb->args[0];
358 @@ -1135,31 +1131,30 @@ static int nf_tables_dump_chains(struct
359         rcu_read_lock();
360         cb->seq = net->nft.base_seq;
361  
362 -       list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
363 -               if (family != NFPROTO_UNSPEC && family != afi->family)
364 +       list_for_each_entry_rcu(table, &net->nft.tables, list) {
365 +               if (family != NFPROTO_UNSPEC && family != table->afi->family)
366                         continue;
367  
368 -               list_for_each_entry_rcu(table, &afi->tables, list) {
369 -                       list_for_each_entry_rcu(chain, &table->chains, list) {
370 -                               if (idx < s_idx)
371 -                                       goto cont;
372 -                               if (idx > s_idx)
373 -                                       memset(&cb->args[1], 0,
374 -                                              sizeof(cb->args) - sizeof(cb->args[0]));
375 -                               if (!nft_is_active(net, chain))
376 -                                       continue;
377 -                               if (nf_tables_fill_chain_info(skb, net,
378 -                                                             NETLINK_CB(cb->skb).portid,
379 -                                                             cb->nlh->nlmsg_seq,
380 -                                                             NFT_MSG_NEWCHAIN,
381 -                                                             NLM_F_MULTI,
382 -                                                             afi->family, table, chain) < 0)
383 -                                       goto done;
384 +               list_for_each_entry_rcu(chain, &table->chains, list) {
385 +                       if (idx < s_idx)
386 +                               goto cont;
387 +                       if (idx > s_idx)
388 +                               memset(&cb->args[1], 0,
389 +                                      sizeof(cb->args) - sizeof(cb->args[0]));
390 +                       if (!nft_is_active(net, chain))
391 +                               continue;
392 +                       if (nf_tables_fill_chain_info(skb, net,
393 +                                                     NETLINK_CB(cb->skb).portid,
394 +                                                     cb->nlh->nlmsg_seq,
395 +                                                     NFT_MSG_NEWCHAIN,
396 +                                                     NLM_F_MULTI,
397 +                                                     table->afi->family, table,
398 +                                                     chain) < 0)
399 +                               goto done;
400  
401 -                               nl_dump_check_consistent(cb, nlmsg_hdr(skb));
402 +                       nl_dump_check_consistent(cb, nlmsg_hdr(skb));
403  cont:
404 -                               idx++;
405 -                       }
406 +                       idx++;
407                 }
408         }
409  done:
410 @@ -1193,7 +1188,8 @@ static int nf_tables_getchain(struct net
411         if (IS_ERR(afi))
412                 return PTR_ERR(afi);
413  
414 -       table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
415 +       table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
416 +                                      genmask);
417         if (IS_ERR(table))
418                 return PTR_ERR(table);
419  
420 @@ -1301,8 +1297,8 @@ struct nft_chain_hook {
421  
422  static int nft_chain_parse_hook(struct net *net,
423                                 const struct nlattr * const nla[],
424 -                               struct nft_af_info *afi,
425 -                               struct nft_chain_hook *hook, bool create)
426 +                               struct nft_chain_hook *hook, u8 family,
427 +                               bool create)
428  {
429         struct nlattr *ha[NFTA_HOOK_MAX + 1];
430         const struct nf_chain_type *type;
431 @@ -1321,10 +1317,10 @@ static int nft_chain_parse_hook(struct n
432         hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
433         hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
434  
435 -       type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
436 +       type = chain_type[family][NFT_CHAIN_T_DEFAULT];
437         if (nla[NFTA_CHAIN_TYPE]) {
438                 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
439 -                                                  afi->family, create);
440 +                                                  family, create);
441                 if (IS_ERR(type))
442                         return PTR_ERR(type);
443         }
444 @@ -1336,7 +1332,7 @@ static int nft_chain_parse_hook(struct n
445         hook->type = type;
446  
447         hook->dev = NULL;
448 -       if (afi->family == NFPROTO_NETDEV) {
449 +       if (family == NFPROTO_NETDEV) {
450                 char ifname[IFNAMSIZ];
451  
452                 if (!ha[NFTA_HOOK_DEV]) {
453 @@ -1371,7 +1367,6 @@ static int nf_tables_addchain(struct nft
454  {
455         const struct nlattr * const *nla = ctx->nla;
456         struct nft_table *table = ctx->table;
457 -       struct nft_af_info *afi = ctx->afi;
458         struct nft_base_chain *basechain;
459         struct nft_stats __percpu *stats;
460         struct net *net = ctx->net;
461 @@ -1385,7 +1380,7 @@ static int nf_tables_addchain(struct nft
462                 struct nft_chain_hook hook;
463                 struct nf_hook_ops *ops;
464  
465 -               err = nft_chain_parse_hook(net, nla, afi, &hook, create);
466 +               err = nft_chain_parse_hook(net, nla, &hook, family, create);
467                 if (err < 0)
468                         return err;
469  
470 @@ -1478,7 +1473,7 @@ static int nf_tables_updchain(struct nft
471                 if (!nft_is_base_chain(chain))
472                         return -EBUSY;
473  
474 -               err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook,
475 +               err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
476                                            create);
477                 if (err < 0)
478                         return err;
479 @@ -1571,7 +1566,8 @@ static int nf_tables_newchain(struct net
480         if (IS_ERR(afi))
481                 return PTR_ERR(afi);
482  
483 -       table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
484 +       table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
485 +                                      genmask);
486         if (IS_ERR(table))
487                 return PTR_ERR(table);
488  
489 @@ -1611,7 +1607,7 @@ static int nf_tables_newchain(struct net
490                 }
491         }
492  
493 -       nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
494 +       nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
495  
496         if (chain != NULL) {
497                 if (nlh->nlmsg_flags & NLM_F_EXCL)
498 @@ -1645,7 +1641,8 @@ static int nf_tables_delchain(struct net
499         if (IS_ERR(afi))
500                 return PTR_ERR(afi);
501  
502 -       table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
503 +       table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
504 +                                      genmask);
505         if (IS_ERR(table))
506                 return PTR_ERR(table);
507  
508 @@ -1657,7 +1654,7 @@ static int nf_tables_delchain(struct net
509             chain->use > 0)
510                 return -EBUSY;
511  
512 -       nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
513 +       nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
514  
515         use = chain->use;
516         list_for_each_entry(rule, &chain->rules, list) {
517 @@ -1822,7 +1819,7 @@ static int nf_tables_expr_parse(const st
518         if (err < 0)
519                 return err;
520  
521 -       type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
522 +       type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
523         if (IS_ERR(type))
524                 return PTR_ERR(type);
525  
526 @@ -2045,7 +2042,7 @@ static void nf_tables_rule_notify(const
527                 goto err;
528  
529         err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
530 -                                      event, 0, ctx->afi->family, ctx->table,
531 +                                      event, 0, ctx->family, ctx->table,
532                                        ctx->chain, rule);
533         if (err < 0) {
534                 kfree_skb(skb);
535 @@ -2069,7 +2066,6 @@ static int nf_tables_dump_rules(struct s
536  {
537         const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
538         const struct nft_rule_dump_ctx *ctx = cb->data;
539 -       const struct nft_af_info *afi;
540         const struct nft_table *table;
541         const struct nft_chain *chain;
542         const struct nft_rule *rule;
543 @@ -2080,39 +2076,37 @@ static int nf_tables_dump_rules(struct s
544         rcu_read_lock();
545         cb->seq = net->nft.base_seq;
546  
547 -       list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
548 -               if (family != NFPROTO_UNSPEC && family != afi->family)
549 +       list_for_each_entry_rcu(table, &net->nft.tables, list) {
550 +               if (family != NFPROTO_UNSPEC && family != table->afi->family)
551 +                       continue;
552 +
553 +               if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
554                         continue;
555  
556 -               list_for_each_entry_rcu(table, &afi->tables, list) {
557 -                       if (ctx && ctx->table &&
558 -                           strcmp(ctx->table, table->name) != 0)
559 +               list_for_each_entry_rcu(chain, &table->chains, list) {
560 +                       if (ctx && ctx->chain &&
561 +                           strcmp(ctx->chain, chain->name) != 0)
562                                 continue;
563  
564 -                       list_for_each_entry_rcu(chain, &table->chains, list) {
565 -                               if (ctx && ctx->chain &&
566 -                                   strcmp(ctx->chain, chain->name) != 0)
567 -                                       continue;
568 -
569 -                               list_for_each_entry_rcu(rule, &chain->rules, list) {
570 -                                       if (!nft_is_active(net, rule))
571 -                                               goto cont;
572 -                                       if (idx < s_idx)
573 -                                               goto cont;
574 -                                       if (idx > s_idx)
575 -                                               memset(&cb->args[1], 0,
576 -                                                      sizeof(cb->args) - sizeof(cb->args[0]));
577 -                                       if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
578 -                                                                     cb->nlh->nlmsg_seq,
579 -                                                                     NFT_MSG_NEWRULE,
580 -                                                                     NLM_F_MULTI | NLM_F_APPEND,
581 -                                                                     afi->family, table, chain, rule) < 0)
582 -                                               goto done;
583 +                       list_for_each_entry_rcu(rule, &chain->rules, list) {
584 +                               if (!nft_is_active(net, rule))
585 +                                       goto cont;
586 +                               if (idx < s_idx)
587 +                                       goto cont;
588 +                               if (idx > s_idx)
589 +                                       memset(&cb->args[1], 0,
590 +                                              sizeof(cb->args) - sizeof(cb->args[0]));
591 +                               if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
592 +                                                             cb->nlh->nlmsg_seq,
593 +                                                             NFT_MSG_NEWRULE,
594 +                                                             NLM_F_MULTI | NLM_F_APPEND,
595 +                                                             table->afi->family,
596 +                                                             table, chain, rule) < 0)
597 +                                       goto done;
598  
599 -                                       nl_dump_check_consistent(cb, nlmsg_hdr(skb));
600 +                               nl_dump_check_consistent(cb, nlmsg_hdr(skb));
601  cont:
602 -                                       idx++;
603 -                               }
604 +                               idx++;
605                         }
606                 }
607         }
608 @@ -2190,7 +2184,8 @@ static int nf_tables_getrule(struct net
609         if (IS_ERR(afi))
610                 return PTR_ERR(afi);
611  
612 -       table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
613 +       table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
614 +                                      genmask);
615         if (IS_ERR(table))
616                 return PTR_ERR(table);
617  
618 @@ -2267,7 +2262,8 @@ static int nf_tables_newrule(struct net
619         if (IS_ERR(afi))
620                 return PTR_ERR(afi);
621  
622 -       table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
623 +       table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
624 +                                      genmask);
625         if (IS_ERR(table))
626                 return PTR_ERR(table);
627  
628 @@ -2306,7 +2302,7 @@ static int nf_tables_newrule(struct net
629                         return PTR_ERR(old_rule);
630         }
631  
632 -       nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
633 +       nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
634  
635         n = 0;
636         size = 0;
637 @@ -2446,7 +2442,8 @@ static int nf_tables_delrule(struct net
638         if (IS_ERR(afi))
639                 return PTR_ERR(afi);
640  
641 -       table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
642 +       table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
643 +                                      genmask);
644         if (IS_ERR(table))
645                 return PTR_ERR(table);
646  
647 @@ -2457,7 +2454,7 @@ static int nf_tables_delrule(struct net
648                         return PTR_ERR(chain);
649         }
650  
651 -       nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
652 +       nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
653  
654         if (chain) {
655                 if (nla[NFTA_RULE_HANDLE]) {
656 @@ -2655,13 +2652,13 @@ static int nft_ctx_init_from_setattr(str
657                 if (afi == NULL)
658                         return -EAFNOSUPPORT;
659  
660 -               table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
661 -                                              genmask);
662 +               table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE],
663 +                                              afi->family, genmask);
664                 if (IS_ERR(table))
665                         return PTR_ERR(table);
666         }
667  
668 -       nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
669 +       nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla);
670         return 0;
671  }
672  
673 @@ -2788,7 +2785,7 @@ static int nf_tables_fill_set(struct sk_
674                 goto nla_put_failure;
675  
676         nfmsg = nlmsg_data(nlh);
677 -       nfmsg->nfgen_family     = ctx->afi->family;
678 +       nfmsg->nfgen_family     = ctx->family;
679         nfmsg->version          = NFNETLINK_V0;
680         nfmsg->res_id           = htons(ctx->net->nft.base_seq & 0xffff);
681  
682 @@ -2880,10 +2877,8 @@ static int nf_tables_dump_sets(struct sk
683  {
684         const struct nft_set *set;
685         unsigned int idx, s_idx = cb->args[0];
686 -       struct nft_af_info *afi;
687         struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
688         struct net *net = sock_net(skb->sk);
689 -       int cur_family = cb->args[3];
690         struct nft_ctx *ctx = cb->data, ctx_set;
691  
692         if (cb->args[1])
693 @@ -2892,51 +2887,44 @@ static int nf_tables_dump_sets(struct sk
694         rcu_read_lock();
695         cb->seq = net->nft.base_seq;
696  
697 -       list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
698 -               if (ctx->afi && ctx->afi != afi)
699 +       list_for_each_entry_rcu(table, &net->nft.tables, list) {
700 +               if (ctx->family != NFPROTO_UNSPEC &&
701 +                   ctx->family != table->afi->family)
702                         continue;
703  
704 -               if (cur_family) {
705 -                       if (afi->family != cur_family)
706 -                               continue;
707 +               if (ctx->table && ctx->table != table)
708 +                       continue;
709  
710 -                       cur_family = 0;
711 -               }
712 -               list_for_each_entry_rcu(table, &afi->tables, list) {
713 -                       if (ctx->table && ctx->table != table)
714 +               if (cur_table) {
715 +                       if (cur_table != table)
716                                 continue;
717  
718 -                       if (cur_table) {
719 -                               if (cur_table != table)
720 -                                       continue;
721 +                       cur_table = NULL;
722 +               }
723 +               idx = 0;
724 +               list_for_each_entry_rcu(set, &table->sets, list) {
725 +                       if (idx < s_idx)
726 +                               goto cont;
727 +                       if (!nft_is_active(net, set))
728 +                               goto cont;
729  
730 -                               cur_table = NULL;
731 +                       ctx_set = *ctx;
732 +                       ctx_set.table = table;
733 +                       ctx_set.family = table->afi->family;
734 +
735 +                       if (nf_tables_fill_set(skb, &ctx_set, set,
736 +                                              NFT_MSG_NEWSET,
737 +                                              NLM_F_MULTI) < 0) {
738 +                               cb->args[0] = idx;
739 +                               cb->args[2] = (unsigned long) table;
740 +                               goto done;
741                         }
742 -                       idx = 0;
743 -                       list_for_each_entry_rcu(set, &table->sets, list) {
744 -                               if (idx < s_idx)
745 -                                       goto cont;
746 -                               if (!nft_is_active(net, set))
747 -                                       goto cont;
748 -
749 -                               ctx_set = *ctx;
750 -                               ctx_set.table = table;
751 -                               ctx_set.afi = afi;
752 -                               if (nf_tables_fill_set(skb, &ctx_set, set,
753 -                                                      NFT_MSG_NEWSET,
754 -                                                      NLM_F_MULTI) < 0) {
755 -                                       cb->args[0] = idx;
756 -                                       cb->args[2] = (unsigned long) table;
757 -                                       cb->args[3] = afi->family;
758 -                                       goto done;
759 -                               }
760 -                               nl_dump_check_consistent(cb, nlmsg_hdr(skb));
761 +                       nl_dump_check_consistent(cb, nlmsg_hdr(skb));
762  cont:
763 -                               idx++;
764 -                       }
765 -                       if (s_idx)
766 -                               s_idx = 0;
767 +                       idx++;
768                 }
769 +               if (s_idx)
770 +                       s_idx = 0;
771         }
772         cb->args[1] = 1;
773  done:
774 @@ -3146,11 +3134,12 @@ static int nf_tables_newset(struct net *
775         if (IS_ERR(afi))
776                 return PTR_ERR(afi);
777  
778 -       table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
779 +       table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], afi->family,
780 +                                      genmask);
781         if (IS_ERR(table))
782                 return PTR_ERR(table);
783  
784 -       nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
785 +       nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
786  
787         set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
788         if (IS_ERR(set)) {
789 @@ -3417,12 +3406,12 @@ static int nft_ctx_init_from_elemattr(st
790         if (IS_ERR(afi))
791                 return PTR_ERR(afi);
792  
793 -       table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
794 -                                      genmask);
795 +       table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE],
796 +                                      afi->family, genmask);
797         if (IS_ERR(table))
798                 return PTR_ERR(table);
799  
800 -       nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
801 +       nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla);
802         return 0;
803  }
804  
805 @@ -3527,7 +3516,6 @@ static int nf_tables_dump_set(struct sk_
806  {
807         struct nft_set_dump_ctx *dump_ctx = cb->data;
808         struct net *net = sock_net(skb->sk);
809 -       struct nft_af_info *afi;
810         struct nft_table *table;
811         struct nft_set *set;
812         struct nft_set_dump_args args;
813 @@ -3539,21 +3527,19 @@ static int nf_tables_dump_set(struct sk_
814         int event;
815  
816         rcu_read_lock();
817 -       list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
818 -               if (afi != dump_ctx->ctx.afi)
819 +       list_for_each_entry_rcu(table, &net->nft.tables, list) {
820 +               if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
821 +                   dump_ctx->ctx.family != table->afi->family)
822                         continue;
823  
824 -               list_for_each_entry_rcu(table, &afi->tables, list) {
825 -                       if (table != dump_ctx->ctx.table)
826 -                               continue;
827 +               if (table != dump_ctx->ctx.table)
828 +                       continue;
829  
830 -                       list_for_each_entry_rcu(set, &table->sets, list) {
831 -                               if (set == dump_ctx->set) {
832 -                                       set_found = true;
833 -                                       break;
834 -                               }
835 +               list_for_each_entry_rcu(set, &table->sets, list) {
836 +                       if (set == dump_ctx->set) {
837 +                               set_found = true;
838 +                               break;
839                         }
840 -                       break;
841                 }
842                 break;
843         }
844 @@ -3573,7 +3559,7 @@ static int nf_tables_dump_set(struct sk_
845                 goto nla_put_failure;
846  
847         nfmsg = nlmsg_data(nlh);
848 -       nfmsg->nfgen_family = afi->family;
849 +       nfmsg->nfgen_family = table->afi->family;
850         nfmsg->version      = NFNETLINK_V0;
851         nfmsg->res_id       = htons(net->nft.base_seq & 0xffff);
852  
853 @@ -3675,7 +3661,7 @@ static int nf_tables_fill_setelem_info(s
854                 goto nla_put_failure;
855  
856         nfmsg = nlmsg_data(nlh);
857 -       nfmsg->nfgen_family     = ctx->afi->family;
858 +       nfmsg->nfgen_family     = ctx->family;
859         nfmsg->version          = NFNETLINK_V0;
860         nfmsg->res_id           = htons(ctx->net->nft.base_seq & 0xffff);
861  
862 @@ -3919,7 +3905,7 @@ static int nft_add_set_elem(struct nft_c
863                 list_for_each_entry(binding, &set->bindings, list) {
864                         struct nft_ctx bind_ctx = {
865                                 .net    = ctx->net,
866 -                               .afi    = ctx->afi,
867 +                               .family = ctx->family,
868                                 .table  = ctx->table,
869                                 .chain  = (struct nft_chain *)binding->chain,
870                         };
871 @@ -4466,7 +4452,8 @@ static int nf_tables_newobj(struct net *
872         if (IS_ERR(afi))
873                 return PTR_ERR(afi);
874  
875 -       table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
876 +       table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
877 +                                      genmask);
878         if (IS_ERR(table))
879                 return PTR_ERR(table);
880  
881 @@ -4484,7 +4471,7 @@ static int nf_tables_newobj(struct net *
882                 return 0;
883         }
884  
885 -       nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
886 +       nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
887  
888         type = nft_obj_type_get(objtype);
889         if (IS_ERR(type))
890 @@ -4561,7 +4548,6 @@ struct nft_obj_filter {
891  static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
892  {
893         const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
894 -       const struct nft_af_info *afi;
895         const struct nft_table *table;
896         unsigned int idx = 0, s_idx = cb->args[0];
897         struct nft_obj_filter *filter = cb->data;
898 @@ -4576,38 +4562,37 @@ static int nf_tables_dump_obj(struct sk_
899         rcu_read_lock();
900         cb->seq = net->nft.base_seq;
901  
902 -       list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
903 -               if (family != NFPROTO_UNSPEC && family != afi->family)
904 +       list_for_each_entry_rcu(table, &net->nft.tables, list) {
905 +               if (family != NFPROTO_UNSPEC && family != table->afi->family)
906                         continue;
907  
908 -               list_for_each_entry_rcu(table, &afi->tables, list) {
909 -                       list_for_each_entry_rcu(obj, &table->objects, list) {
910 -                               if (!nft_is_active(net, obj))
911 -                                       goto cont;
912 -                               if (idx < s_idx)
913 -                                       goto cont;
914 -                               if (idx > s_idx)
915 -                                       memset(&cb->args[1], 0,
916 -                                              sizeof(cb->args) - sizeof(cb->args[0]));
917 -                               if (filter && filter->table[0] &&
918 -                                   strcmp(filter->table, table->name))
919 -                                       goto cont;
920 -                               if (filter &&
921 -                                   filter->type != NFT_OBJECT_UNSPEC &&
922 -                                   obj->ops->type->type != filter->type)
923 -                                       goto cont;
924 +               list_for_each_entry_rcu(obj, &table->objects, list) {
925 +                       if (!nft_is_active(net, obj))
926 +                               goto cont;
927 +                       if (idx < s_idx)
928 +                               goto cont;
929 +                       if (idx > s_idx)
930 +                               memset(&cb->args[1], 0,
931 +                                      sizeof(cb->args) - sizeof(cb->args[0]));
932 +                       if (filter && filter->table[0] &&
933 +                           strcmp(filter->table, table->name))
934 +                               goto cont;
935 +                       if (filter &&
936 +                           filter->type != NFT_OBJECT_UNSPEC &&
937 +                           obj->ops->type->type != filter->type)
938 +                               goto cont;
939  
940 -                               if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
941 -                                                           cb->nlh->nlmsg_seq,
942 -                                                           NFT_MSG_NEWOBJ,
943 -                                                           NLM_F_MULTI | NLM_F_APPEND,
944 -                                                           afi->family, table, obj, reset) < 0)
945 -                                       goto done;
946 +                       if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
947 +                                                   cb->nlh->nlmsg_seq,
948 +                                                   NFT_MSG_NEWOBJ,
949 +                                                   NLM_F_MULTI | NLM_F_APPEND,
950 +                                                   table->afi->family, table,
951 +                                                   obj, reset) < 0)
952 +                               goto done;
953  
954 -                               nl_dump_check_consistent(cb, nlmsg_hdr(skb));
955 +                       nl_dump_check_consistent(cb, nlmsg_hdr(skb));
956  cont:
957 -                               idx++;
958 -                       }
959 +                       idx++;
960                 }
961         }
962  done:
963 @@ -4694,7 +4679,8 @@ static int nf_tables_getobj(struct net *
964         if (IS_ERR(afi))
965                 return PTR_ERR(afi);
966  
967 -       table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
968 +       table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
969 +                                      genmask);
970         if (IS_ERR(table))
971                 return PTR_ERR(table);
972  
973 @@ -4754,7 +4740,8 @@ static int nf_tables_delobj(struct net *
974         if (IS_ERR(afi))
975                 return PTR_ERR(afi);
976  
977 -       table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
978 +       table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
979 +                                      genmask);
980         if (IS_ERR(table))
981                 return PTR_ERR(table);
982  
983 @@ -4765,7 +4752,7 @@ static int nf_tables_delobj(struct net *
984         if (obj->use > 0)
985                 return -EBUSY;
986  
987 -       nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
988 +       nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
989  
990         return nft_delobj(&ctx, obj);
991  }
992 @@ -4803,7 +4790,7 @@ static void nf_tables_obj_notify(const s
993                                  struct nft_object *obj, int event)
994  {
995         nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
996 -                      ctx->afi->family, ctx->report, GFP_KERNEL);
997 +                      ctx->family, ctx->report, GFP_KERNEL);
998  }
999  
1000  /*
1001 @@ -4993,7 +4980,7 @@ void nft_flow_table_iterate(struct net *
1002  
1003         rcu_read_lock();
1004         list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1005 -               list_for_each_entry_rcu(table, &afi->tables, list) {
1006 +               list_for_each_entry_rcu(table, &net->nft.tables, list) {
1007                         list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
1008                                 iter(&flowtable->data, data);
1009                         }
1010 @@ -5041,7 +5028,8 @@ static int nf_tables_newflowtable(struct
1011         if (IS_ERR(afi))
1012                 return PTR_ERR(afi);
1013  
1014 -       table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
1015 +       table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
1016 +                                      afi->family, genmask);
1017         if (IS_ERR(table))
1018                 return PTR_ERR(table);
1019  
1020 @@ -5058,7 +5046,7 @@ static int nf_tables_newflowtable(struct
1021                 return 0;
1022         }
1023  
1024 -       nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
1025 +       nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
1026  
1027         flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
1028         if (!flowtable)
1029 @@ -5139,7 +5127,8 @@ static int nf_tables_delflowtable(struct
1030         if (IS_ERR(afi))
1031                 return PTR_ERR(afi);
1032  
1033 -       table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
1034 +       table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
1035 +                                      afi->family, genmask);
1036         if (IS_ERR(table))
1037                 return PTR_ERR(table);
1038  
1039 @@ -5150,7 +5139,7 @@ static int nf_tables_delflowtable(struct
1040         if (flowtable->use > 0)
1041                 return -EBUSY;
1042  
1043 -       nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
1044 +       nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
1045  
1046         return nft_delflowtable(&ctx, flowtable);
1047  }
1048 @@ -5219,40 +5208,37 @@ static int nf_tables_dump_flowtable(stru
1049         struct net *net = sock_net(skb->sk);
1050         int family = nfmsg->nfgen_family;
1051         struct nft_flowtable *flowtable;
1052 -       const struct nft_af_info *afi;
1053         const struct nft_table *table;
1054  
1055         rcu_read_lock();
1056         cb->seq = net->nft.base_seq;
1057  
1058 -       list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1059 -               if (family != NFPROTO_UNSPEC && family != afi->family)
1060 +       list_for_each_entry_rcu(table, &net->nft.tables, list) {
1061 +               if (family != NFPROTO_UNSPEC && family != table->afi->family)
1062                         continue;
1063  
1064 -               list_for_each_entry_rcu(table, &afi->tables, list) {
1065 -                       list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
1066 -                               if (!nft_is_active(net, flowtable))
1067 -                                       goto cont;
1068 -                               if (idx < s_idx)
1069 -                                       goto cont;
1070 -                               if (idx > s_idx)
1071 -                                       memset(&cb->args[1], 0,
1072 -                                              sizeof(cb->args) - sizeof(cb->args[0]));
1073 -                               if (filter && filter->table[0] &&
1074 -                                   strcmp(filter->table, table->name))
1075 -                                       goto cont;
1076 +               list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
1077 +                       if (!nft_is_active(net, flowtable))
1078 +                               goto cont;
1079 +                       if (idx < s_idx)
1080 +                               goto cont;
1081 +                       if (idx > s_idx)
1082 +                               memset(&cb->args[1], 0,
1083 +                                      sizeof(cb->args) - sizeof(cb->args[0]));
1084 +                       if (filter && filter->table[0] &&
1085 +                           strcmp(filter->table, table->name))
1086 +                               goto cont;
1087  
1088 -                               if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
1089 -                                                                 cb->nlh->nlmsg_seq,
1090 -                                                                 NFT_MSG_NEWFLOWTABLE,
1091 -                                                                 NLM_F_MULTI | NLM_F_APPEND,
1092 -                                                                 afi->family, flowtable) < 0)
1093 -                                       goto done;
1094 +                       if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
1095 +                                                         cb->nlh->nlmsg_seq,
1096 +                                                         NFT_MSG_NEWFLOWTABLE,
1097 +                                                         NLM_F_MULTI | NLM_F_APPEND,
1098 +                                                         table->afi->family, flowtable) < 0)
1099 +                               goto done;
1100  
1101 -                               nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1102 +                       nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1103  cont:
1104 -                               idx++;
1105 -                       }
1106 +                       idx++;
1107                 }
1108         }
1109  done:
1110 @@ -5337,7 +5323,8 @@ static int nf_tables_getflowtable(struct
1111         if (IS_ERR(afi))
1112                 return PTR_ERR(afi);
1113  
1114 -       table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
1115 +       table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
1116 +                                      afi->family, genmask);
1117         if (IS_ERR(table))
1118                 return PTR_ERR(table);
1119  
1120 @@ -5380,7 +5367,7 @@ static void nf_tables_flowtable_notify(s
1121  
1122         err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
1123                                             ctx->seq, event, 0,
1124 -                                           ctx->afi->family, flowtable);
1125 +                                           ctx->family, flowtable);
1126         if (err < 0) {
1127                 kfree_skb(skb);
1128                 goto err;
1129 @@ -5458,17 +5445,14 @@ static int nf_tables_flowtable_event(str
1130         struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1131         struct nft_flowtable *flowtable;
1132         struct nft_table *table;
1133 -       struct nft_af_info *afi;
1134  
1135         if (event != NETDEV_UNREGISTER)
1136                 return 0;
1137  
1138         nfnl_lock(NFNL_SUBSYS_NFTABLES);
1139 -       list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) {
1140 -               list_for_each_entry(table, &afi->tables, list) {
1141 -                       list_for_each_entry(flowtable, &table->flowtables, list) {
1142 -                               nft_flowtable_event(event, dev, flowtable);
1143 -                       }
1144 +       list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
1145 +               list_for_each_entry(flowtable, &table->flowtables, list) {
1146 +                       nft_flowtable_event(event, dev, flowtable);
1147                 }
1148         }
1149         nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1150 @@ -6487,6 +6471,7 @@ EXPORT_SYMBOL_GPL(nft_data_dump);
1151  static int __net_init nf_tables_init_net(struct net *net)
1152  {
1153         INIT_LIST_HEAD(&net->nft.af_info);
1154 +       INIT_LIST_HEAD(&net->nft.tables);
1155         INIT_LIST_HEAD(&net->nft.commit_list);
1156         net->nft.base_seq = 1;
1157         return 0;
1158 @@ -6523,10 +6508,10 @@ static void __nft_release_afinfo(struct
1159         struct nft_set *set, *ns;
1160         struct nft_ctx ctx = {
1161                 .net    = net,
1162 -               .afi    = afi,
1163 +               .family = afi->family,
1164         };
1165  
1166 -       list_for_each_entry_safe(table, nt, &afi->tables, list) {
1167 +       list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
1168                 list_for_each_entry(chain, &table->chains, list)
1169                         nf_tables_unregister_hook(net, table, chain);
1170                 list_for_each_entry(flowtable, &table->flowtables, list)
1171 --- a/net/netfilter/nf_tables_netdev.c
1172 +++ b/net/netfilter/nf_tables_netdev.c
1173 @@ -107,7 +107,6 @@ static int nf_tables_netdev_event(struct
1174                                   unsigned long event, void *ptr)
1175  {
1176         struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1177 -       struct nft_af_info *afi;
1178         struct nft_table *table;
1179         struct nft_chain *chain, *nr;
1180         struct nft_ctx ctx = {
1181 @@ -119,20 +118,18 @@ static int nf_tables_netdev_event(struct
1182                 return NOTIFY_DONE;
1183  
1184         nfnl_lock(NFNL_SUBSYS_NFTABLES);
1185 -       list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) {
1186 -               ctx.afi = afi;
1187 -               if (afi->family != NFPROTO_NETDEV)
1188 +       list_for_each_entry(table, &ctx.net->nft.tables, list) {
1189 +               if (table->afi->family != NFPROTO_NETDEV)
1190                         continue;
1191  
1192 -               list_for_each_entry(table, &afi->tables, list) {
1193 -                       ctx.table = table;
1194 -                       list_for_each_entry_safe(chain, nr, &table->chains, list) {
1195 -                               if (!nft_is_base_chain(chain))
1196 -                                       continue;
1197 +               ctx.family = table->afi->family;
1198 +               ctx.table = table;
1199 +               list_for_each_entry_safe(chain, nr, &table->chains, list) {
1200 +                       if (!nft_is_base_chain(chain))
1201 +                               continue;
1202  
1203 -                               ctx.chain = chain;
1204 -                               nft_netdev_event(event, dev, &ctx);
1205 -                       }
1206 +                       ctx.chain = chain;
1207 +                       nft_netdev_event(event, dev, &ctx);
1208                 }
1209         }
1210         nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1211 --- a/net/netfilter/nft_compat.c
1212 +++ b/net/netfilter/nft_compat.c
1213 @@ -144,7 +144,7 @@ nft_target_set_tgchk_param(struct xt_tgc
1214  {
1215         par->net        = ctx->net;
1216         par->table      = ctx->table->name;
1217 -       switch (ctx->afi->family) {
1218 +       switch (ctx->family) {
1219         case AF_INET:
1220                 entry->e4.ip.proto = proto;
1221                 entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
1222 @@ -175,7 +175,7 @@ nft_target_set_tgchk_param(struct xt_tgc
1223         } else {
1224                 par->hook_mask = 0;
1225         }
1226 -       par->family     = ctx->afi->family;
1227 +       par->family     = ctx->family;
1228         par->nft_compat = true;
1229  }
1230  
1231 @@ -267,7 +267,7 @@ nft_target_destroy(const struct nft_ctx
1232         par.net = ctx->net;
1233         par.target = target;
1234         par.targinfo = info;
1235 -       par.family = ctx->afi->family;
1236 +       par.family = ctx->family;
1237         if (par.target->destroy != NULL)
1238                 par.target->destroy(&par);
1239  
1240 @@ -358,7 +358,7 @@ nft_match_set_mtchk_param(struct xt_mtch
1241  {
1242         par->net        = ctx->net;
1243         par->table      = ctx->table->name;
1244 -       switch (ctx->afi->family) {
1245 +       switch (ctx->family) {
1246         case AF_INET:
1247                 entry->e4.ip.proto = proto;
1248                 entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
1249 @@ -389,7 +389,7 @@ nft_match_set_mtchk_param(struct xt_mtch
1250         } else {
1251                 par->hook_mask = 0;
1252         }
1253 -       par->family     = ctx->afi->family;
1254 +       par->family     = ctx->family;
1255         par->nft_compat = true;
1256  }
1257  
1258 @@ -446,7 +446,7 @@ nft_match_destroy(const struct nft_ctx *
1259         par.net = ctx->net;
1260         par.match = match;
1261         par.matchinfo = info;
1262 -       par.family = ctx->afi->family;
1263 +       par.family = ctx->family;
1264         if (par.match->destroy != NULL)
1265                 par.match->destroy(&par);
1266  
1267 @@ -648,7 +648,7 @@ nft_match_select_ops(const struct nft_ct
1268  
1269         mt_name = nla_data(tb[NFTA_MATCH_NAME]);
1270         rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
1271 -       family = ctx->afi->family;
1272 +       family = ctx->family;
1273  
1274         /* Re-use the existing match if it's already loaded. */
1275         list_for_each_entry(nft_match, &nft_match_list, head) {
1276 @@ -733,7 +733,7 @@ nft_target_select_ops(const struct nft_c
1277  
1278         tg_name = nla_data(tb[NFTA_TARGET_NAME]);
1279         rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
1280 -       family = ctx->afi->family;
1281 +       family = ctx->family;
1282  
1283         /* Re-use the existing target if it's already loaded. */
1284         list_for_each_entry(nft_target, &nft_target_list, head) {
1285 --- a/net/netfilter/nft_ct.c
1286 +++ b/net/netfilter/nft_ct.c
1287 @@ -405,7 +405,7 @@ static int nft_ct_get_init(const struct
1288                 if (tb[NFTA_CT_DIRECTION] == NULL)
1289                         return -EINVAL;
1290  
1291 -               switch (ctx->afi->family) {
1292 +               switch (ctx->family) {
1293                 case NFPROTO_IPV4:
1294                         len = FIELD_SIZEOF(struct nf_conntrack_tuple,
1295                                            src.u3.ip);
1296 @@ -456,7 +456,7 @@ static int nft_ct_get_init(const struct
1297         if (err < 0)
1298                 return err;
1299  
1300 -       err = nf_ct_netns_get(ctx->net, ctx->afi->family);
1301 +       err = nf_ct_netns_get(ctx->net, ctx->family);
1302         if (err < 0)
1303                 return err;
1304  
1305 @@ -550,7 +550,7 @@ static int nft_ct_set_init(const struct
1306         if (err < 0)
1307                 goto err1;
1308  
1309 -       err = nf_ct_netns_get(ctx->net, ctx->afi->family);
1310 +       err = nf_ct_netns_get(ctx->net, ctx->family);
1311         if (err < 0)
1312                 goto err1;
1313  
1314 @@ -564,7 +564,7 @@ err1:
1315  static void nft_ct_get_destroy(const struct nft_ctx *ctx,
1316                                const struct nft_expr *expr)
1317  {
1318 -       nf_ct_netns_put(ctx->net, ctx->afi->family);
1319 +       nf_ct_netns_put(ctx->net, ctx->family);
1320  }
1321  
1322  static void nft_ct_set_destroy(const struct nft_ctx *ctx,
1323 @@ -573,7 +573,7 @@ static void nft_ct_set_destroy(const str
1324         struct nft_ct *priv = nft_expr_priv(expr);
1325  
1326         __nft_ct_set_destroy(ctx, priv);
1327 -       nf_ct_netns_put(ctx->net, ctx->afi->family);
1328 +       nf_ct_netns_put(ctx->net, ctx->family);
1329  }
1330  
1331  static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
1332 @@ -734,7 +734,7 @@ static int nft_ct_helper_obj_init(const
1333         struct nft_ct_helper_obj *priv = nft_obj_data(obj);
1334         struct nf_conntrack_helper *help4, *help6;
1335         char name[NF_CT_HELPER_NAME_LEN];
1336 -       int family = ctx->afi->family;
1337 +       int family = ctx->family;
1338  
1339         if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO])
1340                 return -EINVAL;
1341 @@ -753,14 +753,14 @@ static int nft_ct_helper_obj_init(const
1342  
1343         switch (family) {
1344         case NFPROTO_IPV4:
1345 -               if (ctx->afi->family == NFPROTO_IPV6)
1346 +               if (ctx->family == NFPROTO_IPV6)
1347                         return -EINVAL;
1348  
1349                 help4 = nf_conntrack_helper_try_module_get(name, family,
1350                                                            priv->l4proto);
1351                 break;
1352         case NFPROTO_IPV6:
1353 -               if (ctx->afi->family == NFPROTO_IPV4)
1354 +               if (ctx->family == NFPROTO_IPV4)
1355                         return -EINVAL;
1356  
1357                 help6 = nf_conntrack_helper_try_module_get(name, family,
1358 --- a/net/netfilter/nft_flow_offload.c
1359 +++ b/net/netfilter/nft_flow_offload.c
1360 @@ -151,7 +151,7 @@ static int nft_flow_offload_init(const s
1361         priv->flowtable = flowtable;
1362         flowtable->use++;
1363  
1364 -       return nf_ct_netns_get(ctx->net, ctx->afi->family);
1365 +       return nf_ct_netns_get(ctx->net, ctx->family);
1366  }
1367  
1368  static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
1369 @@ -160,7 +160,7 @@ static void nft_flow_offload_destroy(con
1370         struct nft_flow_offload *priv = nft_expr_priv(expr);
1371  
1372         priv->flowtable->use--;
1373 -       nf_ct_netns_put(ctx->net, ctx->afi->family);
1374 +       nf_ct_netns_put(ctx->net, ctx->family);
1375  }
1376  
1377  static int nft_flow_offload_dump(struct sk_buff *skb, const struct nft_expr *expr)
1378 --- a/net/netfilter/nft_log.c
1379 +++ b/net/netfilter/nft_log.c
1380 @@ -112,7 +112,7 @@ static int nft_log_init(const struct nft
1381                 break;
1382         }
1383  
1384 -       err = nf_logger_find_get(ctx->afi->family, li->type);
1385 +       err = nf_logger_find_get(ctx->family, li->type);
1386         if (err < 0)
1387                 goto err1;
1388  
1389 @@ -133,7 +133,7 @@ static void nft_log_destroy(const struct
1390         if (priv->prefix != nft_log_null_prefix)
1391                 kfree(priv->prefix);
1392  
1393 -       nf_logger_put(ctx->afi->family, li->type);
1394 +       nf_logger_put(ctx->family, li->type);
1395  }
1396  
1397  static int nft_log_dump(struct sk_buff *skb, const struct nft_expr *expr)
1398 --- a/net/netfilter/nft_masq.c
1399 +++ b/net/netfilter/nft_masq.c
1400 @@ -73,7 +73,7 @@ int nft_masq_init(const struct nft_ctx *
1401                 }
1402         }
1403  
1404 -       return nf_ct_netns_get(ctx->net, ctx->afi->family);
1405 +       return nf_ct_netns_get(ctx->net, ctx->family);
1406  }
1407  EXPORT_SYMBOL_GPL(nft_masq_init);
1408  
1409 --- a/net/netfilter/nft_meta.c
1410 +++ b/net/netfilter/nft_meta.c
1411 @@ -339,7 +339,7 @@ static int nft_meta_get_validate(const s
1412         if (priv->key != NFT_META_SECPATH)
1413                 return 0;
1414  
1415 -       switch (ctx->afi->family) {
1416 +       switch (ctx->family) {
1417         case NFPROTO_NETDEV:
1418                 hooks = 1 << NF_NETDEV_INGRESS;
1419                 break;
1420 @@ -370,7 +370,7 @@ int nft_meta_set_validate(const struct n
1421         if (priv->key != NFT_META_PKTTYPE)
1422                 return 0;
1423  
1424 -       switch (ctx->afi->family) {
1425 +       switch (ctx->family) {
1426         case NFPROTO_BRIDGE:
1427                 hooks = 1 << NF_BR_PRE_ROUTING;
1428                 break;
1429 --- a/net/netfilter/nft_nat.c
1430 +++ b/net/netfilter/nft_nat.c
1431 @@ -142,7 +142,7 @@ static int nft_nat_init(const struct nft
1432                 return -EINVAL;
1433  
1434         family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY]));
1435 -       if (family != ctx->afi->family)
1436 +       if (family != ctx->family)
1437                 return -EOPNOTSUPP;
1438  
1439         switch (family) {
1440 --- a/net/netfilter/nft_redir.c
1441 +++ b/net/netfilter/nft_redir.c
1442 @@ -75,7 +75,7 @@ int nft_redir_init(const struct nft_ctx
1443                         return -EINVAL;
1444         }
1445  
1446 -       return nf_ct_netns_get(ctx->net, ctx->afi->family);
1447 +       return nf_ct_netns_get(ctx->net, ctx->family);
1448  }
1449  EXPORT_SYMBOL_GPL(nft_redir_init);
1450