git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Florian Westphal <fw@strlen.de>
	Wed, 6 May 2026 10:07:17 +0000 (12:07 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 7 May 2026 23:30:16 +0000 (01:30 +0200)
commit	b4597d5fd7d2f8cebfffd40dffb5e003cc78964c
tree	a63f2c2ae8c0119b9f7cfdf7ac87536a5ef60542	tree \| snapshot
parent	d338693d778579b676a61346849bebd892427158	commit \| diff

netfilter: x_tables: add and use xtables_unregister_table_exit

Previous change added xtables_unregister_table_pre_exit to detach the
table from the packetpath and to unlink it from the active table list.
In case of rmmod, userspace that is doing set/getsockopt for this table
will not be able to re-instantiate the table:
1. The larval table has been removed already
2. existing instantiated table is no longer on the xt pernet table list.

This adds the second stage helper:

unlink the table from the dying list, free the hook ops (if any) and do
the audit notification. It replaces xt_unregister_table().

Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
Reported-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Closes: https://lore.kernel.org/netfilter-devel/20260429175613.1459342-1-tristmd@gmail.com/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/linux/netfilter/x_tables.h		diff \| blob \| blame \| history
net/ipv4/netfilter/arp_tables.c		diff \| blob \| blame \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| blame \| history
net/ipv4/netfilter/iptable_nat.c		diff \| blob \| blame \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| blame \| history
net/ipv6/netfilter/ip6table_nat.c		diff \| blob \| blame \| history
net/netfilter/x_tables.c		diff \| blob \| blame \| history