netfilter: nft_compat: check extension hook mask only if set

If the x_tables extension comes with no hook mask, skip this validation.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index f5a7cb68694e76db73dec897ad51305f29bb8981..b89f4f65b2a0fbbcd725001e58ae373ab2c3156b 100644 (file)
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -305,7 +305,7 @@ static int nft_target_validate(const struct nft_ctx *ctx,
                const struct nf_hook_ops *ops = &basechain->ops[0];
 
                hook_mask = 1 << ops->hooknum;
-               if (!(hook_mask & target->hooks))
+               if (target->hooks && !(hook_mask & target->hooks))
                        return -EINVAL;
 
                ret = nft_compat_chain_validate_dependency(target->table,
@@ -484,7 +484,7 @@ static int nft_match_validate(const struct nft_ctx *ctx,
                const struct nf_hook_ops *ops = &basechain->ops[0];
 
                hook_mask = 1 << ops->hooknum;
-               if (!(hook_mask & match->hooks))
+               if (match->hooks && !(hook_mask & match->hooks))
                        return -EINVAL;
 
                ret = nft_compat_chain_validate_dependency(match->table,