On Fri, Jul 24, 2020 at 01:34:46PM +0200, Florian Westphal wrote:
> Pablo Neira found that after recent update of xt_IDLETIMER the
> iptables-nft tests sometimes show an error.
>
> He tracked this down to the delayed cleanup used by nf_tables core:
> del rule (transaction A)
> add rule (transaction B)
>
> It's possible that by time transaction B (both in same netns) runs,
> the xt target destructor has not been invoked yet.
>
> For native nft expressions this is no problem because all expressions
> that have such side effects make sure these are handled from the commit
> phase, rather than async cleanup.
>
> For nft_compat however this isn't true.
>
> Instead of forcing synchronous behaviour for nft_compat, keep track
> of the number of outstanding destructor calls.
>
> When we attempt to create a new expression, flush the cleanup worker
> to make sure destructors have completed.

Applied, thanks.