The iteration needs to happen in the right location, __nf_ct_l4proto_unregister_one(). Currently its in nf_ct_l4proto_unregister which will only consider first protocol in the array whereas nf_ct_l4proto_unregister_one() leaves conntracks added by to-be-removed tracker behind.
Fixes: 2c41f33c1b703 ("netfilter: move table iteration out of netns exit paths")
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 net/netfilter/nf_conntrack_proto.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index d88841fbc560..50b1d1e7c7e7 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -474,6 +474,10 @@ static void __nf_ct_l4proto_unregister_one(const struct nf_conntrack_l4proto *l4
 ) != l4proto);
 rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
 &nf_conntrack_l4proto_generic);
+
+ synchronize_net();
+ /* Remove all contrack entries for this protocol */
+ nf_ct_iterate_destroy(kill_l4proto, (void *)l4proto);
 }
 
 void nf_ct_l4proto_unregister_one(const struct nf_conntrack_l4proto *l4proto)
@@ -481,8 +485,6 @@ void nf_ct_l4proto_unregister_one(const struct nf_conntrack_l4proto *l4proto)
 mutex_lock(&nf_ct_proto_mutex);
 __nf_ct_l4proto_unregister_one(l4proto);
 mutex_unlock(&nf_ct_proto_mutex);
-
- synchronize_rcu();
 }
 EXPORT_SYMBOL_GPL(nf_ct_l4proto_unregister_one);
 
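Review bot: The `synchronize_net()` and `nf_ct_iterate_destroy()` calls added at the end of `__nf_ct_l4proto_unregister_one()` now run with `nf_ct_proto_mutex` held, because both callers shown in the later hunks take the mutex around this helper. For `nf_ct_l4proto_unregister()` that means one grace-period wait plus one full conntrack table walk per array element while the lock is held. It may be cleaner to leave the helper as the pointer swap only and, in each caller after `mutex_unlock(&nf_ct_proto_mutex);`, call `synchronize_net();` once and then `nf_ct_iterate_destroy(kill_l4proto, (void *)l4proto[i]);` for every entry; the existing `while (num_proto-- != 0)` loop consumes the count, so that second pass needs its own index. This keeps the ordering the fix relies on (generic tracker published, readers drained, stale entries purged), which presumably has to complete before the tracker's module can go away. The helper's body starts outside the hunk.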
@@ -549,10 +551,6 @@ void nf_ct_l4proto_unregister(const struct nf_conntrack_l4proto * const l4proto[
 while (num_proto-- != 0)
 __nf_ct_l4proto_unregister_one(l4proto[num_proto]);
 mutex_unlock(&nf_ct_proto_mutex);
-
- synchronize_net();
- /* Remove all contrack entries for this protocol */
- nf_ct_iterate_destroy(kill_l4proto, (void *)l4proto);
 }
 EXPORT_SYMBOL_GPL(nf_ct_l4proto_unregister);
 
-- 
2.16.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html