[PATCH nf 1/2] netfilter: nftables: missing transaction object on flowtable deletion

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH nf 1/2] netfilter: nftables: missing transaction object on flowtable deletion
@ 2021-03-17 20:19 Pablo Neira Ayuso
  2021-03-17 20:19 ` [PATCH nf 2/2] netfilter: nftables: skip hook overlap logic if flowtable is stale Pablo Neira Ayuso
  2021-03-18  0:21 ` [PATCH nf 1/2] netfilter: nftables: missing transaction object on flowtable deletion Pablo Neira Ayuso
  0 siblings, 2 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2021-03-17 20:19 UTC (permalink / raw)
  To: netfilter-devel

The delete flowtable command does not create a transaction if the
NFTA_FLOWTABLE_HOOK attribute is specified, hence, the flowtable
is never deleted.

Fixes: abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 224c8e537cb3..6b97a0c7b6d3 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7090,6 +7090,7 @@ static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
 	const struct nlattr *attr;
 	struct nft_table *table;
 	struct nft_ctx ctx;
+	int err;
 
 	if (!nla[NFTA_FLOWTABLE_TABLE] ||
 	    (!nla[NFTA_FLOWTABLE_NAME] &&
@@ -7118,8 +7119,11 @@ static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
 
 	nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
 
-	if (nla[NFTA_FLOWTABLE_HOOK])
-		return nft_delflowtable_hook(&ctx, flowtable);
+	if (nla[NFTA_FLOWTABLE_HOOK]) {
+		err = nft_delflowtable_hook(&ctx, flowtable);
+		if (err < 0)
+			return err;
+	}
 
 	if (flowtable->use > 0) {
 		NL_SET_BAD_ATTR(extack, attr);
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [PATCH nf 2/2] netfilter: nftables: skip hook overlap logic if flowtable is stale
  2021-03-17 20:19 [PATCH nf 1/2] netfilter: nftables: missing transaction object on flowtable deletion Pablo Neira Ayuso
@ 2021-03-17 20:19 ` Pablo Neira Ayuso
  2021-03-18  0:21 ` [PATCH nf 1/2] netfilter: nftables: missing transaction object on flowtable deletion Pablo Neira Ayuso
  1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2021-03-17 20:19 UTC (permalink / raw)
  To: netfilter-devel

If the flowtable has been previously removed in this batch, skip the
hook overlap checks. This fixes spurious EEXIST errors when removing and
adding the flowtable in the same batch.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 6b97a0c7b6d3..1195f0ac6d37 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6783,6 +6783,9 @@ static int nft_register_flowtable_net_hooks(struct net *net,
 
 	list_for_each_entry(hook, hook_list, list) {
 		list_for_each_entry(ft, &table->flowtables, list) {
+			if (!nft_is_active_next(net, ft))
+				continue;
+
 			list_for_each_entry(hook2, &ft->hook_list, list) {
 				if (hook->ops.dev == hook2->ops.dev &&
 				    hook->ops.pf == hook2->ops.pf) {
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH nf 1/2] netfilter: nftables: missing transaction object on flowtable deletion
  2021-03-17 20:19 [PATCH nf 1/2] netfilter: nftables: missing transaction object on flowtable deletion Pablo Neira Ayuso
  2021-03-17 20:19 ` [PATCH nf 2/2] netfilter: nftables: skip hook overlap logic if flowtable is stale Pablo Neira Ayuso
@ 2021-03-18  0:21 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2021-03-18  0:21 UTC (permalink / raw)
  To: netfilter-devel

On Wed, Mar 17, 2021 at 09:19:56PM +0100, Pablo Neira Ayuso wrote:
> The delete flowtable command does not create a transaction if the
> NFTA_FLOWTABLE_HOOK attribute is specified, hence, the flowtable
> is never deleted.

Scratch this.

The existing code is correct. Userspace only includes
NFTA_FLOWTABLE_HOOK when performing an incremental deletion of devices
in the flowtable.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-03-18  0:22 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-03-17 20:19 [PATCH nf 1/2] netfilter: nftables: missing transaction object on flowtable deletion Pablo Neira Ayuso
2021-03-17 20:19 ` [PATCH nf 2/2] netfilter: nftables: skip hook overlap logic if flowtable is stale Pablo Neira Ayuso
2021-03-18  0:21 ` [PATCH nf 1/2] netfilter: nftables: missing transaction object on flowtable deletion Pablo Neira Ayuso

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.