[PATCH nft] tests: shell: add test case for chain-in-use-splat

WARNING [.]: at net/netfilter/nf_tables_api.c:1885
6.3.4-201.fc38.x86_64 #1
nft_immediate_destroy+0xc1/0xd0 [nf_tables]
__nf_tables_abort+0x4b9/0xb20 [nf_tables]
nf_tables_abort+0x39/0x50 [nf_tables]
nfnetlink_rcv_batch+0x47c/0x8e0 [nfnetlink]
nfnetlink_rcv+0x179/0x1a0 [nfnetlink]
netlink_unicast+0x19e/0x290

This is because of a chain->use underflow: at the time the destroy
function is called, ->use has wrapped back to -1.

Fixed via
"netfilter: nf_tables: fix chain binding transaction logic".

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 .../testcases/transactions/anon_chain_loop    | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100755 tests/shell/testcases/transactions/anon_chain_loop

diff --git a/tests/shell/testcases/transactions/anon_chain_loop b/tests/shell/testcases/transactions/anon_chain_loop
new file mode 100755
index 000000000000..1820fb74485b
--- /dev/null
+++ b/tests/shell/testcases/transactions/anon_chain_loop
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# anon chains with c1 -> c2 recursive jump, expect failure
+$NFT -f - <<EOF
+table ip t {
+ chain c2 { }
+ chain c1 { }
+}
+
+add bla c1 ip saddr 127.0.0.1 jump { jump c2; }
+add bla c2 ip saddr 127.0.0.1 jump { jump c1; }
+EOF
+
+if [ $? -eq 0 ] ; then
+        echo "E: able to load bad ruleset" >&2
+        exit 1
+fi
+
+exit 0
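
Review bot: the two `add bla c1 ...` / `add bla c2 ...` lines name `bla`, while the only table defined in the heredoc is `t`, so the load can fail on the table lookup rather than on the c1 -> c2 jump loop the comment describes. Since the script only checks `$? -eq 0`, any failure counts as a pass and the chain binding abort path may never be exercised. Consider `add rule t c1 ...` and `add rule t c2 ...` so that rejection can only come from the recursive jump. It would also help to fail the test when the kernel is tainted afterwards, since the WARNING splat in the commit message is the regression this test is meant to catch.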
-- 
2.40.1



