]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
netfilter: nf_tables: reverse order in rule replacement expansion
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 24 Sep 2021 22:27:38 +0000 (00:27 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 28 Sep 2021 11:04:56 +0000 (13:04 +0200)
Deactivate old rule first, then append the new rule, so rule replacement
notification via netlink first reports the deletion of the old rule with
handle X in first place, then it adds the new rule (reusing the handle X
of the replaced old rule).

Note that the abort path releases the transaction that has been created
by nft_delrule() on error.

Fixes: ca08987885a1 ("netfilter: nf_tables: deactivate expressions in rule replecement routine")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_tables_api.c

index 085783b14075cc33ce22081eef86fecc4dac38ec..c8acd26c720190f5f52538fdb113071c604dd3f5 100644 (file)
@@ -3419,17 +3419,15 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
        }
 
        if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
+               err = nft_delrule(&ctx, old_rule);
+               if (err < 0)
+                       goto err_destroy_flow_rule;
+
                trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
                if (trans == NULL) {
                        err = -ENOMEM;
                        goto err_destroy_flow_rule;
                }
-               err = nft_delrule(&ctx, old_rule);
-               if (err < 0) {
-                       nft_trans_destroy(trans);
-                       goto err_destroy_flow_rule;
-               }
-
                list_add_tail_rcu(&rule->list, &old_rule->list);
        } else {
                trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);