Taehee Yoo reports multiple race conditions in nft_compat.

Example:

while true; do iptables-nft -t nat -I POSTROUTING -m string --string \
ap --algo kmp -j MASQUERADE & nft flush ruleset & done

There are two different, but related issues:

1. race between concurrent users in the same namespace
2. race between concurrent users in different namespaces.

This series attempts to resolve this as follows:

First patch makes use of refcount_t type: using a plain integer doesn't
work anymore, as there is no central mutex guarding it anymore.

Second patch makes the nft_xt object lists scoped per netns to prevent a
nft client in one netns from grabbing an object instantiated in another
namespace (other netns could free it before we can increment reference
count).

Last patch enforces the 'destroy hook must not have side effect' rule.

Please let me know if you see any further problems with this.

I tried to avoid patch #2, but I found no other solution (other than
fudging with nf_tables core).

 nft_compat.c | 189 ++++++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 142 insertions(+), 47 deletions(-)
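The following is an added user-space illustration of the first two points of the series, not code from nft_compat or this patch set. It models a per-netns object list and an acquire-only-if-alive reference count with C11 atomics standing in for the kernel's refcount_t (saturation and underflow warnings are not modelled). All names (struct xt_obj, obj_get, obj_put, obj_lookup, scenario) and the single-threaded walk through the scenario are assumptions made for the example; the point it shows is why a plain ++ on an unguarded int is not enough, and why a lookup scoped to the caller's netns cannot hand out an object that another netns is free to destroy.

```c
/* Added illustration of the refcount_t and per-netns scoping fixes.
 * Not kernel code: C11 atomics stand in for refcount_t. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct xt_obj;

/* Hypothetical per-netns list head: objects are only ever looked up
 * through the list of the namespace that created them. */
struct netns {
    int id;
    struct xt_obj *list;
};

struct xt_obj {
    struct xt_obj *next;
    struct netns *net;          /* owning namespace */
    char name[16];
    atomic_uint refcnt;         /* stands in for refcount_t */
};

/* Semantics of refcount_inc_not_zero(): take a reference only while the
 * object is still alive.  A plain "o->ref++" on an int, with no mutex
 * around lookup and destroy, can bump a count that another user has
 * already dropped to zero and resurrect an object that is being freed. */
static bool obj_get(struct xt_obj *o)
{
    unsigned int old = atomic_load(&o->refcnt);

    do {
        if (old == 0)
            return false;       /* destroy in progress: do not use */
    } while (!atomic_compare_exchange_weak(&o->refcnt, &old, old + 1));
    return true;
}

/* Returns true when this call dropped the last reference; the caller then
 * owns the teardown (the "destroy hook" in nft_compat terms). */
static bool obj_put(struct xt_obj *o)
{
    return atomic_fetch_sub(&o->refcnt, 1) == 1;
}

/* Lookup scoped to the caller's namespace.  An object created in another
 * netns is never visible here, so that netns cannot free it underneath us
 * between the list walk and the reference increment. */
static struct xt_obj *obj_lookup(struct netns *net, const char *name)
{
    for (struct xt_obj *o = net->list; o; o = o->next)
        if (strcmp(o->name, name) == 0 && obj_get(o))
            return o;
    return NULL;
}

static struct xt_obj *obj_create(struct netns *net, const char *name)
{
    struct xt_obj *o = calloc(1, sizeof(*o));

    if (!o)
        return NULL;
    o->net = net;
    strncpy(o->name, name, sizeof(o->name) - 1);
    atomic_init(&o->refcnt, 1); /* creator's reference */
    o->next = net->list;
    net->list = o;
    return o;
}

/* Walk the cover letter's scenario on one thread and report which
 * expectations held as a bitmask; all five bits set (0x1f) is correct. */
static unsigned int scenario(void)
{
    struct netns ns1 = { .id = 1, .list = NULL };
    struct netns ns2 = { .id = 2, .list = NULL };
    struct xt_obj *o = obj_create(&ns1, "string");
    struct xt_obj *ref;
    unsigned int ok = 0;

    if (!o)
        return 0;
    if (obj_lookup(&ns2, "string") == NULL)       ok |= 1u << 0; /* netns isolation */
    ref = obj_lookup(&ns1, "string");
    if (ref == o && atomic_load(&o->refcnt) == 2) ok |= 1u << 1; /* second user holds a ref */
    if (!obj_put(ref))                            ok |= 1u << 2; /* not the last reference */
    if (obj_put(o))                               ok |= 1u << 3; /* creator drops the last one */
    if (!obj_get(o))                              ok |= 1u << 4; /* dead object is refused */
    ns1.list = NULL;                              /* unlink before freeing */
    free(o);
    return ok;
}

int main(void)
{
    return scenario() == 0x1fu ? 0 : 1;
}
```

In the real kernel the unlink and the final free still happen under the nf_tables transaction mutex; what the atomic compare-and-exchange buys is that a concurrent lookup which reaches the object after the count hit zero backs off instead of handing out a pointer to memory that is about to be released.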