On Mon, Jan 14, 2019 at 02:28:47PM +0100, Florian Westphal wrote:
> Taehee Yoo reports multiple race conditions in nft_compat.
> Example:
> while true; do
> iptables-nft -t nat -I POSTROUTING -m string --string \
> ap --algo kmp -j MASQUERADE &
> nft flush ruleset &
> done
>
> There are two different, but related issues:
> 1. race between concurrent users in the same namespace
> 2. race between concurrent users in different namespaces.
>
> This series attempts to resolve this as follows:
> First patch makes use of refcount_t type: Using plain integer doesn't
> work anymore, as there is no central mutex guarding it anymore.
>
> Second patch makes the nft_xt object lists scoped per netns to
> prevent a nft client in one netns from grabbing an object instantiated
> in another namespace (other netns could free it before we can
> increment reference count).
>
> Last patch enforces the 'destroy hook must not have side effect' rule.

Series applied, thanks Florian.