From patchwork Fri Apr 8 10:56:10 2016
X-Patchwork-Submitter: Arturo Borrero
X-Patchwork-Id: 607970
X-Patchwork-Delegate: pablo@netfilter.org
Subject: [nf_tables PATCH] netfilter: nf_tables: invert chain deletion abort path
From: Arturo Borrero Gonzalez
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Date: Fri, 08 Apr 2016 12:56:10 +0200
Message-ID: <146011296985.3580.3314850969369156279.stgit@nfdev2.cica.es>

Before this patch, the chain deletion abort path re-adds chains in reverse
order of what was originally in the ruleset.
Invert the order, so the ruleset is exactly the same after abort.

Example, using 2 config files:

ruleset_good.nft:
==== 8< ====
flush ruleset
table ip t {
        chain c1 {
        }
        chain c2 {
        }
        chain c3 {
        }
}
==== 8< ====

ruleset_bad.nft:
==== 8< ====
flush ruleset
table ip t {
        chain c1 {
        }
        chain c2 {
                jump c6
        }
        chain c3 {
        }
}
==== 8< ====

before this patch:
% nft -f ruleset_good.nft
% nft -f ruleset_bad.nft
% nft list ruleset
table ip t {
        chain c3 {
        }
        chain c2 {
        }
        chain c1 {
        }
}
[ note, inverse order of chain listing ]

after this patch:
% nft -f ruleset_good.nft
% nft -f ruleset_bad.nft
% nft list ruleset
table ip t {
        chain c1 {
        }
        chain c2 {
        }
        chain c3 {
        }
}
[ note, same order of chain listing ]

Signed-off-by: Arturo Borrero Gonzalez
---
 net/netfilter/nf_tables_api.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 2011977..8578cc6 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c
@@ -4060,8 +4060,8 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb) break; case NFT_MSG_DELCHAIN: trans->ctx.table->use++; - list_add_tail_rcu(&trans->ctx.chain->list, - &trans->ctx.table->chains); + list_add_rcu(&trans->ctx.chain->list, + &trans->ctx.table->chains); nft_trans_destroy(trans); break; case NFT_MSG_NEWRULE:
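
Review bot: Inserting at the head with list_add_rcu() in the NFT_MSG_DELCHAIN case reproduces the original order only in situations like the flush ruleset example from the commit message, where every chain of the table is part of the aborted batch. If a single chain from the middle of the list is deleted and the batch aborts, this code puts it back at the head of trans->ctx.table->chains, just as the old list_add_tail_rcu() put it back at the tail, so "exactly the same after abort" does not hold in general. The result also depends on the order in which nf_tables_abort() visits the transactions, which is not visible in this hunk. Please state that order in the commit message or in a short comment above the list_add_rcu() call, and either narrow the claim to the full-flush case or add a test that deletes only c2 and checks the listing after the abort.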