Yes, it's another problem. I will send another patch to fix it.

On 2019/9/4 4:06, Pablo Neira Ayuso wrote:
> On Tue, Sep 03, 2019 at 11:15:27AM +0800, wenxu@xxxxxxxxx wrote: >> diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c >> index 113ac40..ca9e0cb 100644 >> --- a/net/netfilter/nf_tables_offload.c >> +++ b/net/netfilter/nf_tables_offload.c >> @@ -357,11 +357,12 @@ static void nft_indr_block_cb(struct net_device *dev, >> const struct nft_table *table; >> const struct nft_chain *chain; >> >> - list_for_each_entry_rcu(table, &net->nft.tables, list) { >> + mutex_lock(&net->nft.commit_mutex); >> + list_for_each_entry(table, &net->nft.tables, list) { >> if (table->family != NFPROTO_NETDEV) >> continue; >> >> - list_for_each_entry_rcu(chain, &table->chains, list) { >> + list_for_each_entry(chain, &table->chains, list) { >> if (!nft_is_base_chain(chain)) >> continue; > nft_indr_block_cb() does not check for the offload flag in the > basechain... >
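
Review bot: the mutex_lock(&net->nft.commit_mutex) added ahead of the table walk in nft_indr_block_cb() has no matching mutex_unlock() in the quoted lines, so please confirm that every exit from the two loops releases it, including any early return or break taken once a matching base chain is found. Because the walk now uses plain list_for_each_entry() under a sleeping lock instead of list_for_each_entry_rcu(), a short comment stating that this callback runs in process context and is never entered with commit_mutex already held would document the locking assumption the change relies on.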