From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: tristan@talencesecurity.com, Florian Westphal <fw@strlen.de>
Subject: [PATCH v3 nf 0/8] netfilter: xtables: fix module load and teardown races
Date: Wed, 6 May 2026 12:07:12 +0200
Message-ID: <20260506100728.2664-1-fw@strlen.de>
v3:
- sashiko spotted a wrong error unwind in iptable_nat.c in last patch.
- alter Reported-by tag for Tristan Madani as requested
- no other changes.
1) Allow initial x_tables table replacement without emitting an audit log
message. Delay the register message until after hooks are wired up to
avoid unnecessary unregister logs during error unwinding.
2) Fix a NULL dereference by allocating hook ops before adding the table to
the per-netns list. Use `synchronize_rcu()` during error unwinding to
ensure the table stops processing packets before teardown. Defer audit log
register message until all operations succeed.
3) Refactor xtables to use a single `xt_unregister_table_pre_exit` function.
Eliminate code duplication by centralizing table unregistration logic
within the xtables core. ebtables cannot be changed due to incompatibility.
4) Unregister xtables templates before module removal. This prevents
a race condition where userspace instantiates a new table after the pernet
unreg removed the current table.
5) Add `xtables_unregister_table_exit` to fully unregister netfilter tables
during module removal. Unlink the table from dying lists, then free hook
operations.
6) Implement a two-stage removal scheme for ebtables following the x_tables
pattern. Assign table->ops while holding the ebt mutex to prevent exposing
partially-filled structures.
7) Fix ebtables module initialization race. Register the template last in
table initialization functions. Prevent table instantiation before pernet
operations are available.
8) Fix a race condition in x_tables module initialization. Ensure pernet ops
are fully set up before exposing the table to userspace.
Florian Westphal (8):
netfilter: x_tables: allow initial table replace without emitting audit log message
netfilter: xtables: allocate hook ops while under mutex
netfilter: x_tables: add and use xt_unregister_table_pre_exit
netfilter: x_tables: unregister the templates first
netfilter: x_tables: add and use xtables_unregister_table_exit
netfilter: ebtables: move to two-stage removal scheme
netfilter: ebtables: close dangling table module init race
netfilter: x_tables: close dangling table module init race
include/linux/netfilter/x_tables.h | 4 +-
include/linux/netfilter_arp/arp_tables.h | 1 -
include/linux/netfilter_ipv4/ip_tables.h | 1 -
include/linux/netfilter_ipv6/ip6_tables.h | 1 -
net/bridge/netfilter/ebtable_broute.c | 14 +-
net/bridge/netfilter/ebtable_filter.c | 14 +-
net/bridge/netfilter/ebtable_nat.c | 12 +-
net/bridge/netfilter/ebtables.c | 60 +++++---
net/ipv4/netfilter/arp_tables.c | 53 +------
net/ipv4/netfilter/arptable_filter.c | 27 ++--
net/ipv4/netfilter/ip_tables.c | 59 +-------
net/ipv4/netfilter/iptable_filter.c | 27 ++--
net/ipv4/netfilter/iptable_mangle.c | 29 ++--
net/ipv4/netfilter/iptable_nat.c | 6 +-
net/ipv4/netfilter/iptable_raw.c | 26 ++--
net/ipv4/netfilter/iptable_security.c | 27 ++--
net/ipv6/netfilter/ip6_tables.c | 56 +------
net/ipv6/netfilter/ip6table_filter.c | 26 ++--
net/ipv6/netfilter/ip6table_mangle.c | 27 ++--
net/ipv6/netfilter/ip6table_nat.c | 6 +-
net/ipv6/netfilter/ip6table_raw.c | 24 +--
net/ipv6/netfilter/ip6table_security.c | 27 ++--
net/netfilter/x_tables.c | 177 ++++++++++++++++++----
23 files changed, 361 insertions(+), 343 deletions(-)
--
2.53.0
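The cover letter above describes three ordering invariants: hook ops must exist before a table is linked into the per-netns list (patch 2), the template must be the last thing exposed at module init (patches 7/8), and the first thing withdrawn at module exit (patch 4). The program below is an added, single-threaded model written for this page; it is not code from the series or from the kernel. Every struct, the `userspace_instantiate()` and `packet_path()` stand-ins, the `*_race`/`*_dangling_*` helpers and the point at which the racing step is performed are invented so that both orderings can be compared deterministically.

```c
/* Single-threaded model of the table lifecycle ordering this series enforces.
 * Added illustration, not kernel code: all names and struct layouts are invented. */
#include <stdbool.h>
#include <stdio.h>

struct hook_ops { int (*hook)(void); };

struct table {
	struct hook_ops *ops;   /* NULL until allocated */
	bool tracked;           /* pernet ops existed when it was instantiated */
	struct table *next;     /* per-netns list link */
};

struct module_state {           /* what the packet path and userspace see */
	bool template_registered;   /* userspace may instantiate the table */
	bool pernet_registered;     /* pernet init/exit callbacks are wired up */
	struct table *tables;       /* per-netns table list */
};

static int dummy_hook(void) { return 0; }
static struct hook_ops default_ops = { dummy_hook };

/* Packet path: run every listed table's hook.  Returns -1 where the kernel
 * would dereference a NULL ops pointer, 0 otherwise. */
static int packet_path(struct module_state *m)
{
	for (struct table *t = m->tables; t; t = t->next) {
		if (!t->ops)
			return -1;
		t->ops->hook();
	}
	return 0;
}

/* Userspace ("iptables -t filter ...") instantiating a table from its
 * template; only possible while the template is visible. */
static void userspace_instantiate(struct module_state *m, struct table *t)
{
	if (!m->template_registered)
		return;
	t->tracked = m->pernet_registered;
	t->next = m->tables;
	m->tables = t;
}

/* Rule 1 (patch 2): allocate hook ops before linking the table into the
 * per-netns list; once linked, a packet may traverse it at any time. */
static int register_with_packet_race(bool ops_first)
{
	struct module_state m = {0};
	struct table t = {0};
	if (ops_first)
		t.ops = &default_ops;
	m.tables = &t;          /* visible to the packet path from here on */
	return packet_path(&m); /* packet arrives before !ops_first sets ops */
}

/* Rule 2 (patches 7/8): at init, register the template last so no table is
 * instantiated before the pernet ops that own it exist.  True = untracked. */
static bool init_leaves_dangling_table(bool template_last)
{
	struct module_state m = {0};
	struct table t = {0};
	if (template_last)
		m.pernet_registered = true;
	else
		m.template_registered = true;
	userspace_instantiate(&m, &t);  /* userspace races the second step */
	m.pernet_registered = m.template_registered = true;
	return m.tables && !m.tables->tracked;
}

/* Rule 3 (patch 4): at exit, unregister the template before the pernet ops,
 * so no table can be created that outlives teardown and the module's code. */
static bool exit_leaves_dangling_table(bool template_first)
{
	struct module_state m = { .template_registered = true,
				  .pernet_registered = true };
	struct table live = { .ops = &default_ops, .tracked = true }, late = {0};
	m.tables = &live;
	if (template_first)
		m.template_registered = false;
	m.tables = NULL;                    /* pernet exit frees every table */
	m.pernet_registered = false;
	userspace_instantiate(&m, &late);   /* userspace races the unload */
	m.template_registered = false;
	return m.tables != NULL;            /* a table outlived the module */
}

int main(void)
{
	printf("bugs reproduced: publish %d, init %d, exit %d\n",
	       register_with_packet_race(false) == -1,
	       init_leaves_dangling_table(false), exit_leaves_dangling_table(false));
	return 0;
}
```

With the buggy ordering each helper reports the failure the corresponding patch closes (a NULL ops dereference from the packet path, a table no pernet exit will ever free, a table that survives module unload); with the fixed ordering all three report clean. Real kernel code has the extra dimension of RCU grace periods between unhooking and freeing, which the model omits.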
Thread overview: 10+ messages
2026-05-06 10:07 Florian Westphal [this message]
2026-05-06 10:07 ` [PATCH v3 nf 1/8] netfilter: x_tables: allow initial table replace without emitting audit log message Florian Westphal
2026-05-06 10:07 ` [PATCH v3 nf 2/8] netfilter: xtables: allocate hook ops while under mutex Florian Westphal
2026-05-06 10:07 ` [PATCH v3 nf 3/8] netfilter: x_tables: add and use xt_unregister_table_pre_exit Florian Westphal
2026-05-06 10:07 ` [PATCH v3 nf 4/8] netfilter: x_tables: unregister the templates first Florian Westphal
2026-05-06 10:07 ` [PATCH v3 nf 5/8] netfilter: x_tables: add and use xtables_unregister_table_exit Florian Westphal
2026-05-06 10:07 ` [PATCH v3 nf 6/8] netfilter: ebtables: move to two-stage removal scheme Florian Westphal
2026-05-06 10:07 ` [PATCH v3 nf 7/8] netfilter: ebtables: close dangling table module init race Florian Westphal
2026-05-06 10:07 ` [PATCH v3 nf 8/8] netfilter: x_tables: " Florian Westphal
2026-05-07 9:19 ` [PATCH v3 nf 9/8] netfilter: bridge: eb_tables: close " Florian Westphal