UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf 

Pablo Neira Ayuso says:

====================
The following patchset contains Netfilter fixes for net:

1) Fix deadlock in nfnetlink due to missing mutex release in error path,
   from Ziyang Xuan.

2) Clean up pending autoload module list from nf_tables_exit_net() path,
   from Shigeru Yoshida.

3) Fixes for the netfilter's reverse path selftest, from Phil Sutter.

All of these bugs have been around for several releases.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller 2022-11-09 14:57:42 +00:00
parent 5d041588e9 58bb78ce02
commit 27c064ae14
3 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
net/netfilter/nf_tables_api.c
View File

@ -10090,7 +10090,8 @@ static void __net_exit nf_tables_exit_net(struct net *net)
struct nftables_pernet *nft_net = nft_pernet(net);
mutex_lock(&nft_net->commit_mutex);
if (!list_empty(&nft_net->commit_list))
if (!list_empty(&nft_net->commit_list) ||
!list_empty(&nft_net->module_list))
__nf_tables_abort(net, NFNL_ABORT_NONE);
__nft_release_tables(net);
mutex_unlock(&nft_net->commit_mutex);

1
net/netfilter/nfnetlink.c
View File

@ -294,6 +294,7 @@ replay:
nfnl_lock(subsys_id);
if (nfnl_dereference_protected(subsys_id) != ss ||
nfnetlink_find_client(type, ss) != nc) {
nfnl_unlock(subsys_id);
err = -EAGAIN;
break;
}

14
tools/testing/selftests/netfilter/rpath.sh
View File

@ -15,7 +15,7 @@ fi
if ip6tables-legacy --version >/dev/null 2>&1; then
ip6tables='ip6tables-legacy'
elif ! ip6tables --version >/dev/null 2>&1; then
elif ip6tables --version >/dev/null 2>&1; then
ip6tables='ip6tables'
else
ip6tables=''
@ -62,9 +62,11 @@ ip -net "$ns1" a a fec0:42::2/64 dev v0 nodad
ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad
# firewall matches to test
ip netns exec "$ns2" "$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter
ip netns exec "$ns2" "$ip6tables" -t raw -A PREROUTING -s fec0::/16 -m rpfilter
ip netns exec "$ns2" nft -f - <<EOF
[ -n "$iptables" ] && ip netns exec "$ns2" \
"$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter
[ -n "$ip6tables" ] && ip netns exec "$ns2" \
"$ip6tables" -t raw -A PREROUTING -s fec0::/16 -m rpfilter
[ -n "$nft" ] && ip netns exec "$ns2" $nft -f - <<EOF
table inet t {
chain c {
type filter hook prerouting priority raw;
@ -106,8 +108,8 @@ testrun() {
if [ -n "$nft" ]; then
(
echo "delete table inet t";
ip netns exec "$ns2" nft -s list table inet t;
) | ip netns exec "$ns2" nft -f -
ip netns exec "$ns2" $nft -s list table inet t;
) | ip netns exec "$ns2" $nft -f -
fi
# test 1: martian traffic should fail rpfilter matches