Rules can still be deleted from unbound chains. Mark them as deleted
in the next generation so they are not reachable anymore. Skip deleted
rules when this (now) bound chain is removed.
Fixes: 0a771f7b266b ("netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
net/netfilter/nft_immediate.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index fccb3cf7749c..d6d1d94532eb 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -135,8 +135,13 @@ static void nft_immediate_chain_deactivate(const struct nft_ctx *ctx,
chain_ctx = *ctx;
chain_ctx.chain = chain;
- list_for_each_entry(rule, &chain->rules, list)
+ list_for_each_entry(rule, &chain->rules, list) {
+ if (!nft_is_active_next(ctx->net, rule))
+ continue;
+
+ nft_deactivate_next(ctx->net, rule);
nft_rule_expr_deactivate(&chain_ctx, rule, phase);
+ }
}
static void nft_immediate_deactivate(const struct nft_ctx *ctx,
--
2.30.2
