On Tue, 9 Oct 2018 at 08:19, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> Hi Taehee,
>

Hi Pablo,
Thank you for your review!

> I can reproduce it, so this is a bug :-). Still one question below:
>
> On Tue, Oct 02, 2018 at 02:17:14AM +0900, Taehee Yoo wrote:
> [...]
> > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > > index f0159eea2978..42487d01a3ed 100644 > > --- a/net/netfilter/nf_tables_api.c > > +++ b/net/netfilter/nf_tables_api.c > > @@ -7280,9 +7280,6 @@ static void __nft_release_tables(struct net *net) > > > > list_for_each_entry(chain, &table->chains, list) > > nf_tables_unregister_hook(net, table, chain); > > - list_for_each_entry(flowtable, &table->flowtables, list) > > - nf_unregister_net_hooks(net, flowtable->ops, > > - flowtable->ops_len);
>
> Hm, why do we still need for basechains with device, ie. from ingress?
> I might be missing something...
>

As far as I know, at this point, all types of basechains (arp, ipv4, ipv6, ...) are unregistered.
Ingress basechains are already unregistered by notifier_call (nf_tables_netdev_event), but other types of basechains still exist in the chain list, so this code is still needed.
But I might have misunderstood what you mentioned. If so, please let me know.

Thanks!

> > /* No packets are walking on these chains anymore. */ > > ctx.table = table; > > list_for_each_entry(chain, &table->chains, list) { > > -- > > 2.17.1 > >
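
Review bot: missing documentation at the removed flowtable loop in __nft_release_tables(): once the three lines calling nf_unregister_net_hooks(net, flowtable->ops, flowtable->ops_len) are gone, nothing visible in this function shows that flowtable hooks are down before the release loop that follows, and the surviving comment "No packets are walking on these chains anymore" only speaks for chains. Please add a short comment at that spot naming the path that is now responsible for unregistering flowtable hooks, and say in the changelog why the chain loop calling nf_tables_unregister_hook() has to stay, since that is exactly the question raised in review. Also check whether the local `flowtable` variable is still used further down in the function; if the removed loop was its only user, the declaration should go with it.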