On Mon, 14 Jan 2019 at 22:30, Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Taehee Yoo reports multiple race conditions in nft_compat.
> Example:
> while true; do
>     iptables-nft -t nat -I POSTROUTING -m string --string \
>         ap --algo kmp -j MASQUERADE &
>     nft flush ruleset &
> done
>
> There are two different, but related issues:
> 1. race between concurrent users in the same namespace
> 2. race between concurrent users in different namespaces.
>
> This series attempts to resolve this as follows:
> First patch makes use of refcount_t type: Using plain integer doesn't
> work anymore, as there is no central mutex guarding it anymore.
>
> Second patch makes the nft_xt object lists scoped per netns to
> prevent an nft client in one netns from grabbing an object instantiated
> in another namespace (other netns could free it before we can
> increment reference count).
>
> Last patch enforces the 'destroy hook must not have side effect' rule.
>
> Please let me know if you see any further problems with this.
> I tried to avoid patch #2, but I found no other solution (other than
> fudging with nf_tables core).
>
> nft_compat.c | 189 ++++++++++++++++++++++++++++++++++++++++++++---------------
> 1 file changed, 142 insertions(+), 47 deletions(-)
>

Hi Florian!

I have tested this patchset.
It works well and I think there is no bug in this patchset.

Thanks!