netfilter: nf_tables_offload: fix check the chain offload flag

[ Upstream commit c83de17dd6308fb74696923e5245de0e3c427206 ]

In the nft_indr_block_cb the chain should check the flag with
NFT_CHAIN_HW_OFFLOAD.

Fixes: 9a32669fecfb ("netfilter: nf_tables_offload: support indr block call")
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index 96a64e7..914cd06 100644 (file)
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -437,7 +437,7 @@ static void nft_indr_block_cb(struct net_device *dev,
 
        mutex_lock(&net->nft.commit_mutex);
        chain = __nft_offload_get_chain(dev);
-       if (chain) {
+       if (chain && chain->flags & NFT_CHAIN_HW_OFFLOAD) {
                struct nft_base_chain *basechain;
 
                basechain = nft_base_chain(chain);