author | David S. Miller <davem@davemloft.net> | 2022-11-09 17:57:42 +0300 |
committer | David S. Miller <davem@davemloft.net> | 2022-11-09 17:57:42 +0300 |
commit | 27c064ae14d1a80c790ce019759500c95a2a9551 (patch) | |
tree | 3e2f1b905074d21636567aad5e8d5d5d4a53f364 | |
parent | 5d041588e9f6aa79e4abfc26d93c948f15d4d5eb (diff) | |
parent | 58bb78ce02269c0cf5b1f2bd2e4a605500b44c6b (diff) | |
download | linux-27c064ae14d1a80c790ce019759500c95a2a9551.tar.xz |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says:
====================
The following patchset contains Netfilter fixes for net:
1) Fix deadlock in nfnetlink due to missing mutex release in error path,
from Ziyang Xuan.
2) Clean up pending autoload module list from nf_tables_exit_net() path,
from Shigeru Yoshida.
3) Fixes for netfilter's reverse path selftest, from Phil Sutter.
All of these bugs have been around for several releases.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/netfilter/nf_tables_api.c | 3 | ||||
-rw-r--r-- | net/netfilter/nfnetlink.c | 1 | ||||
-rwxr-xr-x | tools/testing/selftests/netfilter/rpath.sh | 14 |
3 files changed, 11 insertions, 7 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 76bd4d03dbda..e7152d599d73 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10090,7 +10090,8 @@ static void __net_exit nf_tables_exit_net(struct net *net)
 	struct nftables_pernet *nft_net = nft_pernet(net);
 	mutex_lock(&nft_net->commit_mutex);
-	if (!list_empty(&nft_net->commit_list))
+	if (!list_empty(&nft_net->commit_list) ||
+	    !list_empty(&nft_net->module_list))
 		__nf_tables_abort(net, NFNL_ABORT_NONE);
 	__nft_release_tables(net);
 	mutex_unlock(&nft_net->commit_mutex);
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 9c44518cb70f..6d18fb346868 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -294,6 +294,7 @@ replay:
 	nfnl_lock(subsys_id);
 	if (nfnl_dereference_protected(subsys_id) != ss ||
 	    nfnetlink_find_client(type, ss) != nc) {
+		nfnl_unlock(subsys_id);
 		err = -EAGAIN;
 		break;
 	}
diff --git a/tools/testing/selftests/netfilter/rpath.sh b/tools/testing/selftests/netfilter/rpath.sh
index 2d8da7bd8ab7..f7311e66d219 100755
--- a/tools/testing/selftests/netfilter/rpath.sh
+++ b/tools/testing/selftests/netfilter/rpath.sh
@@ -15,7 +15,7 @@ fi
 if ip6tables-legacy --version >/dev/null 2>&1; then
 	ip6tables='ip6tables-legacy'
-elif ! ip6tables --version >/dev/null 2>&1; then
+elif ip6tables --version >/dev/null 2>&1; then
 	ip6tables='ip6tables'
 else
 	ip6tables=''
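Review bot: The widened condition in nf_tables_exit_net() now runs __nf_tables_abort() when only module_list has entries, but nothing at the call site says why an abort is the mechanism for draining pending autoload requests, so a later reader may fold the two checks back into the original commit_list-only test; a why-comment above the `if` would prevent that: `/* pending module autoload requests are released by the abort path, so run it even when no commit is pending */`. Whether the abort path is the only place that frees module_list entries is not visible in this hunk and should be confirmed against __nf_tables_abort(). The lines of nf_tables_exit_net() after mutex_unlock() lie outside the hunk.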
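Review bot: The added nfnl_unlock(subsys_id) before `err = -EAGAIN` is the only sign that the following `break` leaves the locked region by a route that never reaches the loop body's own unlock, which lies outside this hunk; a comment such as `/* break skips the unlock at the end of the loop body */` would make the pairing explicit for the next maintainer. Since nfnl_lock(subsys_id) is taken three lines above and every early exit must now release it, a single unlock site reached via goto would be less fragile than per-exit unlocks, assuming the surrounding loop structure allows it. The enclosing function begins and ends outside the hunk.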
@@ -62,9 +62,11 @@ ip -net "$ns1" a a fec0:42::2/64 dev v0 nodad
 ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad
 # firewall matches to test
-ip netns exec "$ns2" "$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter
-ip netns exec "$ns2" "$ip6tables" -t raw -A PREROUTING -s fec0::/16 -m rpfilter
-ip netns exec "$ns2" nft -f - <<EOF
+[ -n "$iptables" ] && ip netns exec "$ns2" \
+	"$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter
+[ -n "$ip6tables" ] && ip netns exec "$ns2" \
+	"$ip6tables" -t raw -A PREROUTING -s fec0::/16 -m rpfilter
+[ -n "$nft" ] && ip netns exec "$ns2" $nft -f - <<EOF
 table inet t {
 	chain c {
 		type filter hook prerouting priority raw;
@@ -106,8 +108,8 @@ testrun() {
 	if [ -n "$nft" ]; then
 		(
 		echo "delete table inet t";
-		ip netns exec "$ns2" nft -s list table inet t;
-		) | ip netns exec "$ns2" nft -f -
+		ip netns exec "$ns2" $nft -s list table inet t;
+		) | ip netns exec "$ns2" $nft -f -
 	fi
 	# test 1: martian traffic should fail rpfilter matches
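Review bot: In the `[ -n "$nft" ] && ip netns exec "$ns2" $nft -f - <<EOF` line, `$nft` is expanded unquoted while `"$iptables"` and `"$ip6tables"` on the guards just above are quoted; unless `$nft` is intended to carry extra words, writing `"$nft"` keeps the three guards consistent and avoids word splitting, and the same applies to both `$nft` uses in the following `testrun()` hunk. The new guards also yield a non-zero status when a tool is absent, which is harmless as written but would abort the script under `set -e`; whether such a mode is enabled is not visible in these hunks. Neither hunk checks that the `-A PREROUTING` rule insertion succeeded, so a failed insert would let the later tests run against an empty ruleset, though that behaviour predates this change.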