* [PATCH nf] netfilter: nf_tables: skip deactivation of deleted rules in bound chain
@ 2023-09-06 22:12 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2023-09-06 22:12 UTC (permalink / raw)
To: netfilter-devel
Rules can still be deleted from unbound chains. Mark them as deleted
in the next generation so they are not reachable anymore. Skip deleted
rules when this (now) bound chain is removed.
Fixes: 0a771f7b266b ("netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_immediate.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index fccb3cf7749c..d6d1d94532eb 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -135,8 +135,13 @@ static void nft_immediate_chain_deactivate(const struct nft_ctx *ctx,
chain_ctx = *ctx;
chain_ctx.chain = chain;
- list_for_each_entry(rule, &chain->rules, list)
+ list_for_each_entry(rule, &chain->rules, list) {
+ if (!nft_is_active_next(ctx->net, rule))
+ continue;
+
+ nft_deactivate_next(ctx->net, rule);
nft_rule_expr_deactivate(&chain_ctx, rule, phase);
+ }
}
static void nft_immediate_deactivate(const struct nft_ctx *ctx,
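Review bot: the new `nft_is_active_next(ctx->net, rule)` guard at the top of the loop depends on already-deleted rules still being linked on `chain->rules` when the bound chain is torn down, which the changelog only implies; a one-line comment above the `continue` saying that deleted rules stay on the list until commit/abort would make the reason for the skip obvious to the next reader. Also note the ordering in the new body: `nft_deactivate_next(ctx->net, rule)` now runs before `nft_rule_expr_deactivate(&chain_ctx, rule, phase)`, so each remaining rule is marked inactive in the next generation before its expressions are deactivated; if that order matters for the abort path, it is worth stating in the commit message.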
--
2.30.2