git.ipfire.org Git - thirdparty/linux.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 15 Apr 2026 20:58:23 +0000 (22:58 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 21 Apr 2026 10:48:44 +0000 (12:48 +0200)
commit	10f79dbd7719d1da9f5884d13060322d8729f091
tree	07e6446f39217720eb5d7af6dc5caf63ec5f18f6	tree \| snapshot
parent	a6134e62dba2ea4f760b29d5226907f447c92400	commit \| diff

netfilter: nf_tables: add hook transactions for device deletions

Restore the flag that indicates that the hook is going away, ie.
NFT_HOOK_REMOVE, but add a new transaction object to track deletion
of hooks without altering the basechain/flowtable hook_list during
the preparation phase.

The existing approach that moves the hook from the basechain/flowtable
hook_list to transaction hook_list breaks netlink dump path readers
of this RCU-protected list.

It should be possible use an array for nft_trans_hook to store the
deleted hooks to compact the representation but I am not expecting
many hook object, specially now that wildcard support for devices
is in place.

Note that the nft_trans_chain_hooks() list contains a list of struct
nft_trans_hook objects for DELCHAIN and DELFLOWTABLE commands, while
this list stores struct nft_hook objects for NEWCHAIN and NEWFLOWTABLE.
Note that new commands can be updated to use nft_trans_hook for
consistency.

This patch also adapts the event notification path to deal with the list
of hook transactions.

Fixes: 7d937b107108 ("netfilter: nf_tables: support for deleting devices in an existing netdev chain")
Fixes: b6d9014a3335 ("netfilter: nf_tables: delete flowtable hooks via transaction list")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nf_tables.h		diff \| blob \| blame \| history
net/netfilter/nf_tables_api.c		diff \| blob \| blame \| history