Re: [PATCH net-next 3/4] netfilter: nf_tables: Fix check the err for FLOW_BLOCK_BIND setup call

This one is incomplete, right? I'm attaching an alternative patch.

On Wed, Nov 13, 2019 at 12:46:41PM +0800, wenxu@xxxxxxxxx wrote:
> From: wenxu <wenxu@xxxxxxxxx>
> 
> Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
> Signed-off-by: wenxu <wenxu@xxxxxxxxx>
> ---
>  net/netfilter/nf_tables_api.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 2dc636f..0a00812 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -5995,8 +5995,12 @@ static int nft_register_flowtable_net_hooks(struct net *net,
>  			}
>  		}
>  
> -		flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
> -					    FLOW_BLOCK_BIND);
> +		err = flowtable->data.type->setup(&flowtable->data,
> +						  hook->ops.dev,
> +						  FLOW_BLOCK_BIND);
> +		if (err < 0)
> +			goto err_unregister_net_hooks;
> +
>  		err = nf_register_net_hook(net, &hook->ops);
>  		if (err < 0)
>  			goto err_unregister_net_hooks;
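
Review bot: the nf_register_net_hook() failure branch at the end of this hunk still jumps to err_unregister_net_hooks, and nothing in the hunk undoes the FLOW_BLOCK_BIND that has just succeeded for hook->ops.dev, so only half of the bind/register pair is covered. Either call setup() with FLOW_BLOCK_UNBIND before that second goto, or show that the error label unbinds the current device as well. The changelog also has no body beyond the tags; one sentence on what goes wrong when the setup() return value is ignored would help.
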
> -- 
> 1.8.3.1
> 
From a6e05e56907673e21948c6ae53f45494b25fc0aa Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date: Fri, 15 Nov 2019 00:22:55 +0100
Subject: [PATCH] netfilter: nf_tables: unbind callbacks if flowtable hook
 registration fails

Undo the callback binding before unregistering the existing hooks.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Reported-by: wenxu <wenxu@xxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 net/netfilter/nf_tables_api.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2dc636faa322..ad3882e14e82 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5998,8 +5998,12 @@ static int nft_register_flowtable_net_hooks(struct net *net,
 		flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
 					    FLOW_BLOCK_BIND);
 		err = nf_register_net_hook(net, &hook->ops);
-		if (err < 0)
+		if (err < 0) {
+			flowtable->data.type->setup(&flowtable->data,
+						    hook->ops.dev,
+						    FLOW_BLOCK_UNBIND);
 			goto err_unregister_net_hooks;
+		}
 
 		i++;
 	}
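
Review bot: the FLOW_BLOCK_BIND setup() call in the context lines at the top of this hunk still discards its return value, so a failed bind goes unnoticed and nf_register_net_hook() is attempted anyway. Assign the result to err and bail out before registering the hook, keeping the new FLOW_BLOCK_UNBIND call only on the nf_register_net_hook() failure branch so that an unbind is never issued for a bind that did not succeed. The return value of the added UNBIND call is ignored too, which is acceptable on an error path but deserves a short comment.
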
-- 
2.11.0

