Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2227997/?format=api
{ "id": 2227997, "url": "http://patchwork.ozlabs.org/api/patches/2227997/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260424190513.32823-6-pablo@netfilter.org/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260424190513.32823-6-pablo@netfilter.org>", "list_archive_url": null, "date": "2026-04-24T19:05:07", "name": "[net,05/11] netfilter: nf_tables: add hook transactions for device deletions", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "2985b22bbd64091ada2122fb4e51a5def91677eb", "submitter": { "id": 1315, "url": "http://patchwork.ozlabs.org/api/people/1315/?format=api", "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260424190513.32823-6-pablo@netfilter.org/mbox/", "series": [ { "id": 501399, "url": "http://patchwork.ozlabs.org/api/series/501399/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501399", "date": "2026-04-24T19:05:02", "name": "[net,01/11] netfilter: arp_tables: fix IEEE1394 ARP payload parsing", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501399/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2227997/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2227997/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-12186-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=WA+6AAsq;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12186-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"WA+6AAsq\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g2Mt74pMqz1yDD\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 25 Apr 2026 05:07:59 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id A02C73036D4C\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 24 Apr 2026 19:05:55 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id CAB193FA5CD;\n\tFri, 24 Apr 2026 19:05:54 +0000 (UTC)", "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 286683FA5CA;\n\tFri, 24 Apr 2026 19:05:52 +0000 (UTC)", "from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id 56B3360286;\n\tFri, 24 Apr 2026 21:05:49 +0200 (CEST)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777057554; cv=none;\n b=X3eNbHx2fzWyiihDd26AUILoXmoTdB+q7cbU9xTFmPZP3EoiLlxv97vXFUZQ3dX2eKmqvHg9WDRO1Q61pGSzIjhx+RzO14672oDEGoF/GuWK6NGtpQq4hMoe7MuqfmcueogdVAPng67MKzdFjB3NWcUb7WENJbAuxwXA/rWySg0=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777057554; c=relaxed/simple;\n\tbh=tiXidqUbNev0evwbpmb54scG2rFPHYhnommIwVYmqXM=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=Mf705/MT+RNYZiYI8Ok3x4P9eWtWqLYJasORwZD4/qJJLDZ7gTnOcq4lSiyAWtqhay/Ly8r3RyRkoOu8re9v9Qdbq5gMehzwo3C7ml+xWoFFfZF76PZe1NtHJEZt9VUcHAk2H+OOGcNj+4PbACtB1KD/sE0DPQrf1P/6h3MC6KQ=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=WA+6AAsq; arc=none smtp.client-ip=217.70.190.124", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1777057550;\n\tbh=I4RmoCEllRVAsT+CVPk+zh7LWLnvSCtt7ZkfefCtIug=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=WA+6AAsqw57f27lpdO8LOCWrzmVhyzUqYF1a1GuARhOEuG0RCfIZY3bVi3++qAxID\n\t Mn7NJkBz3YmUQIes6F1fzo8Qk0FeC3UrlCSlrfTSosAekzYLr1UEf9nI4ensqQjkl+\n\t AV3y2YsJ81R2nVq/sxgc5kTC6XZ2mKFPOGbYSJUI2CnPm5GMQIRI+EyyhwntlBHn75\n\t v3Vml0FXj+lo+ZRZizuK+3TDHhDdodmIbyjM+jBIPsPEtHvqejknXU4/Mog32fOYZv\n\t rraLbPiTHAI0UuCg13AkCKw6pdCYdRlGwVgZ2fw/8Ctpm10StOi1pzWn+0gs0kAz79\n\t dC56wShUkZeIw==", "From": "Pablo Neira Ayuso <pablo@netfilter.org>", "To": "netfilter-devel@vger.kernel.org", "Cc": "davem@davemloft.net,\n\tnetdev@vger.kernel.org,\n\tkuba@kernel.org,\n\tpabeni@redhat.com,\n\tedumazet@google.com,\n\tfw@strlen.de,\n\thorms@kernel.org", "Subject": "[PATCH net 05/11] netfilter: nf_tables: add hook transactions for\n device deletions", "Date": "Fri, 24 Apr 2026 21:05:07 +0200", "Message-ID": "<20260424190513.32823-6-pablo@netfilter.org>", "X-Mailer": "git-send-email 2.47.3", "In-Reply-To": "<20260424190513.32823-1-pablo@netfilter.org>", "References": "<20260424190513.32823-1-pablo@netfilter.org>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Restore the flag that indicates that the hook is going away, ie.\nNFT_HOOK_REMOVE, but add a new transaction object to track deletion\nof hooks without altering the basechain/flowtable hook_list during\nthe preparation phase.\n\nThe existing approach that moves the hook from the basechain/flowtable\nhook_list to transaction hook_list breaks netlink dump path readers\nof this RCU-protected list.\n\nIt should be possible use an array for nft_trans_hook to store the\ndeleted hooks to compact the representation but I am not expecting\nmany hook object, specially now that wildcard support for devices\nis in place.\n\nNote that the nft_trans_chain_hooks() list contains a list of struct\nnft_trans_hook objects for DELCHAIN and DELFLOWTABLE commands, while\nthis list stores struct nft_hook objects for NEWCHAIN and NEWFLOWTABLE.\nNote that new commands can be updated to use nft_trans_hook for\nconsistency.\n\nThis patch also adapts the event notification path to deal with the list\nof hook transactions.\n\nFixes: 7d937b107108 (\"netfilter: nf_tables: support for deleting devices in an existing netdev chain\")\nFixes: b6d9014a3335 (\"netfilter: nf_tables: delete flowtable hooks via transaction list\")\nReported-by: Xiang Mei <xmei5@asu.edu>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n include/net/netfilter/nf_tables.h | 13 ++\n net/netfilter/nf_tables_api.c | 264 +++++++++++++++++++++++-------\n 2 files changed, 217 insertions(+), 60 deletions(-)", "diff": "diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h\nindex 2c0173d9309c..cff7b773e972 100644\n--- a/include/net/netfilter/nf_tables.h\n+++ b/include/net/netfilter/nf_tables.h\n@@ -1204,12 +1204,15 @@ struct nft_stats {\n \tstruct u64_stats_sync\tsyncp;\n };\n \n+#define NFT_HOOK_REMOVE\t(1 << 0)\n+\n struct nft_hook {\n \tstruct list_head\tlist;\n \tstruct list_head\tops_list;\n \tstruct rcu_head\t\trcu;\n \tchar\t\t\tifname[IFNAMSIZ];\n \tu8\t\t\tifnamelen;\n+\tu8\t\t\tflags;\n };\n \n struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook,\n@@ -1664,6 +1667,16 @@ struct nft_trans {\n \tu8\t\t\t\tput_net:1;\n };\n \n+/**\n+ * struct nft_trans_hook - nf_tables hook update in transaction\n+ * @list: used internally\n+ * @hook: struct nft_hook with the device hook\n+ */\n+struct nft_trans_hook {\n+\tstruct list_head\t\tlist;\n+\tstruct nft_hook\t\t\t*hook;\n+};\n+\n /**\n * struct nft_trans_binding - nf_tables object with binding support in transaction\n * @nft_trans: base structure, MUST be first member\ndiff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c\nindex ae10116af923..d20ce5c36d31 100644\n--- a/net/netfilter/nf_tables_api.c\n+++ b/net/netfilter/nf_tables_api.c\n@@ -380,6 +380,32 @@ static void nft_netdev_hook_unlink_free_rcu(struct nft_hook *hook)\n \tnft_netdev_hook_free_rcu(hook);\n }\n \n+static void nft_trans_hook_destroy(struct nft_trans_hook *trans_hook)\n+{\n+\tlist_del(&trans_hook->list);\n+\tkfree(trans_hook);\n+}\n+\n+static void nft_netdev_unregister_trans_hook(struct net *net,\n+\t\t\t\t\t const struct nft_table *table,\n+\t\t\t\t\t struct list_head *hook_list)\n+{\n+\tstruct nft_trans_hook *trans_hook, *next;\n+\tstruct nf_hook_ops *ops;\n+\tstruct nft_hook *hook;\n+\n+\tlist_for_each_entry_safe(trans_hook, next, hook_list, list) {\n+\t\thook = trans_hook->hook;\n+\n+\t\tif (!(table->flags & NFT_TABLE_F_DORMANT)) {\n+\t\t\tlist_for_each_entry(ops, &hook->ops_list, list)\n+\t\t\t\tnf_unregister_net_hook(net, ops);\n+\t\t}\n+\t\tnft_netdev_hook_unlink_free_rcu(hook);\n+\t\tnft_trans_hook_destroy(trans_hook);\n+\t}\n+}\n+\n static void nft_netdev_unregister_hooks(struct net *net,\n \t\t\t\t\tstruct list_head *hook_list,\n \t\t\t\t\tbool release_netdev)\n@@ -1946,15 +1972,69 @@ static int nft_nla_put_hook_dev(struct sk_buff *skb, struct nft_hook *hook)\n \treturn nla_put_string(skb, attr, hook->ifname);\n }\n \n+struct nft_hook_dump_ctx {\n+\tstruct nft_hook *first;\n+\tint n;\n+};\n+\n+static int nft_dump_basechain_hook_one(struct sk_buff *skb,\n+\t\t\t\t struct nft_hook *hook,\n+\t\t\t\t struct nft_hook_dump_ctx *dump_ctx)\n+{\n+\tif (!dump_ctx->first)\n+\t\tdump_ctx->first = hook;\n+\n+\tif (nft_nla_put_hook_dev(skb, hook))\n+\t\treturn -1;\n+\n+\tdump_ctx->n++;\n+\n+\treturn 0;\n+}\n+\n+static int nft_dump_basechain_hook_list(struct sk_buff *skb,\n+\t\t\t\t\tconst struct net *net,\n+\t\t\t\t\tconst struct list_head *hook_list,\n+\t\t\t\t\tstruct nft_hook_dump_ctx *dump_ctx)\n+{\n+\tstruct nft_hook *hook;\n+\tint err;\n+\n+\tlist_for_each_entry_rcu(hook, hook_list, list,\n+\t\t\t\tlockdep_commit_lock_is_held(net)) {\n+\t\terr = nft_dump_basechain_hook_one(skb, hook, dump_ctx);\n+\t\tif (err < 0)\n+\t\t\treturn err;\n+\t}\n+\n+\treturn 0;\n+}\n+\n+static int nft_dump_basechain_trans_hook_list(struct sk_buff *skb,\n+\t\t\t\t\t const struct list_head *trans_hook_list,\n+\t\t\t\t\t struct nft_hook_dump_ctx *dump_ctx)\n+{\n+\tstruct nft_trans_hook *trans_hook;\n+\tint err;\n+\n+\tlist_for_each_entry(trans_hook, trans_hook_list, list) {\n+\t\terr = nft_dump_basechain_hook_one(skb, trans_hook->hook, dump_ctx);\n+\t\tif (err < 0)\n+\t\t\treturn err;\n+\t}\n+\n+\treturn 0;\n+}\n+\n static int nft_dump_basechain_hook(struct sk_buff *skb,\n \t\t\t\t const struct net *net, int family,\n \t\t\t\t const struct nft_base_chain *basechain,\n-\t\t\t\t const struct list_head *hook_list)\n+\t\t\t\t const struct list_head *hook_list,\n+\t\t\t\t const struct list_head *trans_hook_list)\n {\n \tconst struct nf_hook_ops *ops = &basechain->ops;\n-\tstruct nft_hook *hook, *first = NULL;\n+\tstruct nft_hook_dump_ctx dump_hook_ctx = {};\n \tstruct nlattr *nest, *nest_devs;\n-\tint n = 0;\n \n \tnest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);\n \tif (nest == NULL)\n@@ -1969,23 +2049,23 @@ static int nft_dump_basechain_hook(struct sk_buff *skb,\n \t\tif (!nest_devs)\n \t\t\tgoto nla_put_failure;\n \n-\t\tif (!hook_list)\n+\t\tif (!hook_list && !trans_hook_list)\n \t\t\thook_list = &basechain->hook_list;\n \n-\t\tlist_for_each_entry_rcu(hook, hook_list, list,\n-\t\t\t\t\tlockdep_commit_lock_is_held(net)) {\n-\t\t\tif (!first)\n-\t\t\t\tfirst = hook;\n-\n-\t\t\tif (nft_nla_put_hook_dev(skb, hook))\n-\t\t\t\tgoto nla_put_failure;\n-\t\t\tn++;\n+\t\tif (hook_list &&\n+\t\t nft_dump_basechain_hook_list(skb, net, hook_list, &dump_hook_ctx)) {\n+\t\t\tgoto nla_put_failure;\n+\t\t} else if (trans_hook_list &&\n+\t\t\t nft_dump_basechain_trans_hook_list(skb, trans_hook_list,\n+\t\t\t\t\t\t\t &dump_hook_ctx)) {\n+\t\t\tgoto nla_put_failure;\n \t\t}\n+\n \t\tnla_nest_end(skb, nest_devs);\n \n-\t\tif (n == 1 &&\n-\t\t !hook_is_prefix(first) &&\n-\t\t nla_put_string(skb, NFTA_HOOK_DEV, first->ifname))\n+\t\tif (dump_hook_ctx.n == 1 &&\n+\t\t !hook_is_prefix(dump_hook_ctx.first) &&\n+\t\t nla_put_string(skb, NFTA_HOOK_DEV, dump_hook_ctx.first->ifname))\n \t\t\tgoto nla_put_failure;\n \t}\n \tnla_nest_end(skb, nest);\n@@ -1999,7 +2079,8 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,\n \t\t\t\t u32 portid, u32 seq, int event, u32 flags,\n \t\t\t\t int family, const struct nft_table *table,\n \t\t\t\t const struct nft_chain *chain,\n-\t\t\t\t const struct list_head *hook_list)\n+\t\t\t\t const struct list_head *hook_list,\n+\t\t\t\t const struct list_head *trans_hook_list)\n {\n \tstruct nlmsghdr *nlh;\n \n@@ -2015,7 +2096,7 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,\n \t\t\t NFTA_CHAIN_PAD))\n \t\tgoto nla_put_failure;\n \n-\tif (!hook_list &&\n+\tif (!hook_list && !trans_hook_list &&\n \t (event == NFT_MSG_DELCHAIN ||\n \t event == NFT_MSG_DESTROYCHAIN)) {\n \t\tnlmsg_end(skb, nlh);\n@@ -2026,7 +2107,8 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,\n \t\tconst struct nft_base_chain *basechain = nft_base_chain(chain);\n \t\tstruct nft_stats __percpu *stats;\n \n-\t\tif (nft_dump_basechain_hook(skb, net, family, basechain, hook_list))\n+\t\tif (nft_dump_basechain_hook(skb, net, family, basechain,\n+\t\t\t\t\t hook_list, trans_hook_list))\n \t\t\tgoto nla_put_failure;\n \n \t\tif (nla_put_be32(skb, NFTA_CHAIN_POLICY,\n@@ -2062,7 +2144,8 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,\n }\n \n static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,\n-\t\t\t\t const struct list_head *hook_list)\n+\t\t\t\t const struct list_head *hook_list,\n+\t\t\t\t const struct list_head *trans_hook_list)\n {\n \tstruct nftables_pernet *nft_net;\n \tstruct sk_buff *skb;\n@@ -2082,7 +2165,7 @@ static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,\n \n \terr = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,\n \t\t\t\t\tevent, flags, ctx->family, ctx->table,\n-\t\t\t\t\tctx->chain, hook_list);\n+\t\t\t\t\tctx->chain, hook_list, trans_hook_list);\n \tif (err < 0) {\n \t\tkfree_skb(skb);\n \t\tgoto err;\n@@ -2128,7 +2211,7 @@ static int nf_tables_dump_chains(struct sk_buff *skb,\n \t\t\t\t\t\t NFT_MSG_NEWCHAIN,\n \t\t\t\t\t\t NLM_F_MULTI,\n \t\t\t\t\t\t table->family, table,\n-\t\t\t\t\t\t chain, NULL) < 0)\n+\t\t\t\t\t\t chain, NULL, NULL) < 0)\n \t\t\t\tgoto done;\n \n \t\t\tnl_dump_check_consistent(cb, nlmsg_hdr(skb));\n@@ -2182,7 +2265,7 @@ static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,\n \n \terr = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,\n \t\t\t\t\tinfo->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,\n-\t\t\t\t\t0, family, table, chain, NULL);\n+\t\t\t\t\t0, family, table, chain, NULL, NULL);\n \tif (err < 0)\n \t\tgoto err_fill_chain_info;\n \n@@ -2345,8 +2428,12 @@ static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,\n \n \tlist_for_each_entry(hook, hook_list, list) {\n \t\tif (!strncmp(hook->ifname, this->ifname,\n-\t\t\t min(hook->ifnamelen, this->ifnamelen)))\n+\t\t\t min(hook->ifnamelen, this->ifnamelen))) {\n+\t\t\tif (hook->flags & NFT_HOOK_REMOVE)\n+\t\t\t\tcontinue;\n+\n \t\t\treturn hook;\n+\t\t}\n \t}\n \n \treturn NULL;\n@@ -3105,6 +3192,32 @@ static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,\n \treturn nf_tables_addchain(&ctx, family, policy, flags, extack);\n }\n \n+static int nft_trans_delhook(struct nft_hook *hook,\n+\t\t\t struct list_head *del_list)\n+{\n+\tstruct nft_trans_hook *trans_hook;\n+\n+\ttrans_hook = kmalloc_obj(*trans_hook, GFP_KERNEL);\n+\tif (!trans_hook)\n+\t\treturn -ENOMEM;\n+\n+\ttrans_hook->hook = hook;\n+\tlist_add_tail(&trans_hook->list, del_list);\n+\thook->flags |= NFT_HOOK_REMOVE;\n+\n+\treturn 0;\n+}\n+\n+static void nft_trans_delhook_abort(struct list_head *del_list)\n+{\n+\tstruct nft_trans_hook *trans_hook, *next;\n+\n+\tlist_for_each_entry_safe(trans_hook, next, del_list, list) {\n+\t\ttrans_hook->hook->flags &= ~NFT_HOOK_REMOVE;\n+\t\tnft_trans_hook_destroy(trans_hook);\n+\t}\n+}\n+\n static int nft_delchain_hook(struct nft_ctx *ctx,\n \t\t\t struct nft_base_chain *basechain,\n \t\t\t struct netlink_ext_ack *extack)\n@@ -3131,7 +3244,10 @@ static int nft_delchain_hook(struct nft_ctx *ctx,\n \t\t\terr = -ENOENT;\n \t\t\tgoto err_chain_del_hook;\n \t\t}\n-\t\tlist_move(&hook->list, &chain_del_list);\n+\t\tif (nft_trans_delhook(hook, &chain_del_list) < 0) {\n+\t\t\terr = -ENOMEM;\n+\t\t\tgoto err_chain_del_hook;\n+\t\t}\n \t}\n \n \ttrans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN);\n@@ -3151,7 +3267,7 @@ static int nft_delchain_hook(struct nft_ctx *ctx,\n \treturn 0;\n \n err_chain_del_hook:\n-\tlist_splice(&chain_del_list, &basechain->hook_list);\n+\tnft_trans_delhook_abort(&chain_del_list);\n \tnft_chain_release_hook(&chain_hook);\n \n \treturn err;\n@@ -8941,6 +9057,24 @@ static void nft_hooks_destroy(struct list_head *hook_list)\n \t\tnft_netdev_hook_unlink_free_rcu(hook);\n }\n \n+static void nft_flowtable_unregister_trans_hook(struct net *net,\n+\t\t\t\t\t\tstruct nft_flowtable *flowtable,\n+\t\t\t\t\t\tstruct list_head *hook_list)\n+{\n+\tstruct nft_trans_hook *trans_hook, *next;\n+\tstruct nf_hook_ops *ops;\n+\tstruct nft_hook *hook;\n+\n+\tlist_for_each_entry_safe(trans_hook, next, hook_list, list) {\n+\t\thook = trans_hook->hook;\n+\t\tlist_for_each_entry(ops, &hook->ops_list, list)\n+\t\t\tnft_unregister_flowtable_ops(net, flowtable, ops);\n+\n+\t\tnft_netdev_hook_unlink_free_rcu(hook);\n+\t\tnft_trans_hook_destroy(trans_hook);\n+\t}\n+}\n+\n static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,\n \t\t\t\tstruct nft_flowtable *flowtable,\n \t\t\t\tstruct netlink_ext_ack *extack)\n@@ -9199,7 +9333,10 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx,\n \t\t\terr = -ENOENT;\n \t\t\tgoto err_flowtable_del_hook;\n \t\t}\n-\t\tlist_move(&hook->list, &flowtable_del_list);\n+\t\tif (nft_trans_delhook(hook, &flowtable_del_list) < 0) {\n+\t\t\terr = -ENOMEM;\n+\t\t\tgoto err_flowtable_del_hook;\n+\t\t}\n \t}\n \n \ttrans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,\n@@ -9220,7 +9357,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx,\n \treturn 0;\n \n err_flowtable_del_hook:\n-\tlist_splice(&flowtable_del_list, &flowtable->hook_list);\n+\tnft_trans_delhook_abort(&flowtable_del_list);\n \tnft_flowtable_hook_release(&flowtable_hook);\n \n \treturn err;\n@@ -9285,8 +9422,10 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,\n \t\t\t\t\t u32 portid, u32 seq, int event,\n \t\t\t\t\t u32 flags, int family,\n \t\t\t\t\t struct nft_flowtable *flowtable,\n-\t\t\t\t\t struct list_head *hook_list)\n+\t\t\t\t\t struct list_head *hook_list,\n+\t\t\t\t\t struct list_head *trans_hook_list)\n {\n+\tstruct nft_trans_hook *trans_hook;\n \tstruct nlattr *nest, *nest_devs;\n \tstruct nft_hook *hook;\n \tstruct nlmsghdr *nlh;\n@@ -9303,7 +9442,7 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,\n \t\t\t NFTA_FLOWTABLE_PAD))\n \t\tgoto nla_put_failure;\n \n-\tif (!hook_list &&\n+\tif (!hook_list && !trans_hook_list &&\n \t (event == NFT_MSG_DELFLOWTABLE ||\n \t event == NFT_MSG_DESTROYFLOWTABLE)) {\n \t\tnlmsg_end(skb, nlh);\n@@ -9325,13 +9464,20 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,\n \tif (!nest_devs)\n \t\tgoto nla_put_failure;\n \n-\tif (!hook_list)\n+\tif (!hook_list && !trans_hook_list)\n \t\thook_list = &flowtable->hook_list;\n \n-\tlist_for_each_entry_rcu(hook, hook_list, list,\n-\t\t\t\tlockdep_commit_lock_is_held(net)) {\n-\t\tif (nft_nla_put_hook_dev(skb, hook))\n-\t\t\tgoto nla_put_failure;\n+\tif (hook_list) {\n+\t\tlist_for_each_entry_rcu(hook, hook_list, list,\n+\t\t\t\t\tlockdep_commit_lock_is_held(net)) {\n+\t\t\tif (nft_nla_put_hook_dev(skb, hook))\n+\t\t\t\tgoto nla_put_failure;\n+\t\t}\n+\t} else if (trans_hook_list) {\n+\t\tlist_for_each_entry(trans_hook, trans_hook_list, list) {\n+\t\t\tif (nft_nla_put_hook_dev(skb, trans_hook->hook))\n+\t\t\t\tgoto nla_put_failure;\n+\t\t}\n \t}\n \tnla_nest_end(skb, nest_devs);\n \tnla_nest_end(skb, nest);\n@@ -9385,7 +9531,7 @@ static int nf_tables_dump_flowtable(struct sk_buff *skb,\n \t\t\t\t\t\t\t NFT_MSG_NEWFLOWTABLE,\n \t\t\t\t\t\t\t NLM_F_MULTI | NLM_F_APPEND,\n \t\t\t\t\t\t\t table->family,\n-\t\t\t\t\t\t\t flowtable, NULL) < 0)\n+\t\t\t\t\t\t\t flowtable, NULL, NULL) < 0)\n \t\t\t\tgoto done;\n \n \t\t\tnl_dump_check_consistent(cb, nlmsg_hdr(skb));\n@@ -9485,7 +9631,7 @@ static int nf_tables_getflowtable(struct sk_buff *skb,\n \terr = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,\n \t\t\t\t\t info->nlh->nlmsg_seq,\n \t\t\t\t\t NFT_MSG_NEWFLOWTABLE, 0, family,\n-\t\t\t\t\t flowtable, NULL);\n+\t\t\t\t\t flowtable, NULL, NULL);\n \tif (err < 0)\n \t\tgoto err_fill_flowtable_info;\n \n@@ -9498,7 +9644,9 @@ static int nf_tables_getflowtable(struct sk_buff *skb,\n \n static void nf_tables_flowtable_notify(struct nft_ctx *ctx,\n \t\t\t\t struct nft_flowtable *flowtable,\n-\t\t\t\t struct list_head *hook_list, int event)\n+\t\t\t\t struct list_head *hook_list,\n+\t\t\t\t struct list_head *trans_hook_list,\n+\t\t\t\t int event)\n {\n \tstruct nftables_pernet *nft_net = nft_pernet(ctx->net);\n \tstruct sk_buff *skb;\n@@ -9518,7 +9666,8 @@ static void nf_tables_flowtable_notify(struct nft_ctx *ctx,\n \n \terr = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,\n \t\t\t\t\t ctx->seq, event, flags,\n-\t\t\t\t\t ctx->family, flowtable, hook_list);\n+\t\t\t\t\t ctx->family, flowtable,\n+\t\t\t\t\t hook_list, trans_hook_list);\n \tif (err < 0) {\n \t\tkfree_skb(skb);\n \t\tgoto err;\n@@ -10052,9 +10201,7 @@ static void nft_commit_release(struct nft_trans *trans)\n \t\tbreak;\n \tcase NFT_MSG_DELCHAIN:\n \tcase NFT_MSG_DESTROYCHAIN:\n-\t\tif (nft_trans_chain_update(trans))\n-\t\t\tnft_hooks_destroy(&nft_trans_chain_hooks(trans));\n-\t\telse\n+\t\tif (!nft_trans_chain_update(trans))\n \t\t\tnf_tables_chain_destroy(nft_trans_chain(trans));\n \t\tbreak;\n \tcase NFT_MSG_DELRULE:\n@@ -10075,9 +10222,7 @@ static void nft_commit_release(struct nft_trans *trans)\n \t\tbreak;\n \tcase NFT_MSG_DELFLOWTABLE:\n \tcase NFT_MSG_DESTROYFLOWTABLE:\n-\t\tif (nft_trans_flowtable_update(trans))\n-\t\t\tnft_hooks_destroy(&nft_trans_flowtable_hooks(trans));\n-\t\telse\n+\t\tif (!nft_trans_flowtable_update(trans))\n \t\t\tnf_tables_flowtable_destroy(nft_trans_flowtable(trans));\n \t\tbreak;\n \t}\n@@ -10837,31 +10982,28 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)\n \t\t\tif (nft_trans_chain_update(trans)) {\n \t\t\t\tnft_chain_commit_update(nft_trans_container_chain(trans));\n \t\t\t\tnf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN,\n-\t\t\t\t\t\t &nft_trans_chain_hooks(trans));\n+\t\t\t\t\t\t &nft_trans_chain_hooks(trans), NULL);\n \t\t\t\tlist_splice_rcu(&nft_trans_chain_hooks(trans),\n \t\t\t\t\t\t&nft_trans_basechain(trans)->hook_list);\n \t\t\t\t/* trans destroyed after rcu grace period */\n \t\t\t} else {\n \t\t\t\tnft_chain_commit_drop_policy(nft_trans_container_chain(trans));\n \t\t\t\tnft_clear(net, nft_trans_chain(trans));\n-\t\t\t\tnf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL);\n+\t\t\t\tnf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL, NULL);\n \t\t\t\tnft_trans_destroy(trans);\n \t\t\t}\n \t\t\tbreak;\n \t\tcase NFT_MSG_DELCHAIN:\n \t\tcase NFT_MSG_DESTROYCHAIN:\n \t\t\tif (nft_trans_chain_update(trans)) {\n-\t\t\t\tnf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,\n+\t\t\t\tnf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN, NULL,\n \t\t\t\t\t\t &nft_trans_chain_hooks(trans));\n-\t\t\t\tif (!(table->flags & NFT_TABLE_F_DORMANT)) {\n-\t\t\t\t\tnft_netdev_unregister_hooks(net,\n-\t\t\t\t\t\t\t\t &nft_trans_chain_hooks(trans),\n-\t\t\t\t\t\t\t\t true);\n-\t\t\t\t}\n+\t\t\t\tnft_netdev_unregister_trans_hook(net, table,\n+\t\t\t\t\t\t\t\t &nft_trans_chain_hooks(trans));\n \t\t\t} else {\n \t\t\t\tnft_chain_del(nft_trans_chain(trans));\n \t\t\t\tnf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,\n-\t\t\t\t\t\t NULL);\n+\t\t\t\t\t\t NULL, NULL);\n \t\t\t\tnf_tables_unregister_hook(ctx.net, ctx.table,\n \t\t\t\t\t\t\t nft_trans_chain(trans));\n \t\t\t}\n@@ -10967,6 +11109,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)\n \t\t\t\tnf_tables_flowtable_notify(&ctx,\n \t\t\t\t\t\t\t nft_trans_flowtable(trans),\n \t\t\t\t\t\t\t &nft_trans_flowtable_hooks(trans),\n+\t\t\t\t\t\t\t NULL,\n \t\t\t\t\t\t\t NFT_MSG_NEWFLOWTABLE);\n \t\t\t\tlist_splice_rcu(&nft_trans_flowtable_hooks(trans),\n \t\t\t\t\t\t&nft_trans_flowtable(trans)->hook_list);\n@@ -10975,6 +11118,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)\n \t\t\t\tnf_tables_flowtable_notify(&ctx,\n \t\t\t\t\t\t\t nft_trans_flowtable(trans),\n \t\t\t\t\t\t\t NULL,\n+\t\t\t\t\t\t\t NULL,\n \t\t\t\t\t\t\t NFT_MSG_NEWFLOWTABLE);\n \t\t\t}\n \t\t\tnft_trans_destroy(trans);\n@@ -10984,16 +11128,18 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)\n \t\t\tif (nft_trans_flowtable_update(trans)) {\n \t\t\t\tnf_tables_flowtable_notify(&ctx,\n \t\t\t\t\t\t\t nft_trans_flowtable(trans),\n+\t\t\t\t\t\t\t NULL,\n \t\t\t\t\t\t\t &nft_trans_flowtable_hooks(trans),\n \t\t\t\t\t\t\t trans->msg_type);\n-\t\t\t\tnft_unregister_flowtable_net_hooks(net,\n-\t\t\t\t\t\t\t\t nft_trans_flowtable(trans),\n-\t\t\t\t\t\t\t\t &nft_trans_flowtable_hooks(trans));\n+\t\t\t\tnft_flowtable_unregister_trans_hook(net,\n+\t\t\t\t\t\t\t\t nft_trans_flowtable(trans),\n+\t\t\t\t\t\t\t\t &nft_trans_flowtable_hooks(trans));\n \t\t\t} else {\n \t\t\t\tlist_del_rcu(&nft_trans_flowtable(trans)->list);\n \t\t\t\tnf_tables_flowtable_notify(&ctx,\n \t\t\t\t\t\t\t nft_trans_flowtable(trans),\n \t\t\t\t\t\t\t NULL,\n+\t\t\t\t\t\t\t NULL,\n \t\t\t\t\t\t\t trans->msg_type);\n \t\t\t\tnft_unregister_flowtable_net_hooks(net,\n \t\t\t\t\t\tnft_trans_flowtable(trans),\n@@ -11157,8 +11303,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)\n \t\tcase NFT_MSG_DELCHAIN:\n \t\tcase NFT_MSG_DESTROYCHAIN:\n \t\t\tif (nft_trans_chain_update(trans)) {\n-\t\t\t\tlist_splice(&nft_trans_chain_hooks(trans),\n-\t\t\t\t\t &nft_trans_basechain(trans)->hook_list);\n+\t\t\t\tnft_trans_delhook_abort(&nft_trans_chain_hooks(trans));\n \t\t\t} else {\n \t\t\t\tnft_use_inc_restore(&table->use);\n \t\t\t\tnft_clear(trans->net, nft_trans_chain(trans));\n@@ -11272,8 +11417,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)\n \t\tcase NFT_MSG_DELFLOWTABLE:\n \t\tcase NFT_MSG_DESTROYFLOWTABLE:\n \t\t\tif (nft_trans_flowtable_update(trans)) {\n-\t\t\t\tlist_splice(&nft_trans_flowtable_hooks(trans),\n-\t\t\t\t\t &nft_trans_flowtable(trans)->hook_list);\n+\t\t\t\tnft_trans_delhook_abort(&nft_trans_flowtable_hooks(trans));\n \t\t\t} else {\n \t\t\t\tnft_use_inc_restore(&table->use);\n \t\t\t\tnft_clear(trans->net, nft_trans_flowtable(trans));\n", "prefixes": [ "net", "05/11" ] }