netfilter: nf_tables: discard table flag update with pending basechain deletion

commit 1bc83a019bbe268be3526406245ec28c2458a518 upstream.

Hook unregistration is deferred to the commit phase, same occurs with
hook updates triggered by the table dormant flag. When both commands are
combined, this results in deleting a basechain while leaving its hook
still registered in the core.

Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 4585dc60b3e2f003bbbd5e016906584f59724b9a..21581bae700c4a3454a1143bdc561d7711f3a833 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1207,10 +1207,11 @@ static bool nft_table_pending_update(const struct nft_ctx *ctx)
                return true;
 
        list_for_each_entry(trans, &nft_net->commit_list, list) {
-               if ((trans->msg_type == NFT_MSG_NEWCHAIN ||
-                    trans->msg_type == NFT_MSG_DELCHAIN) &&
-                   trans->ctx.table == ctx->table &&
-                   nft_trans_chain_update(trans))
+               if (trans->ctx.table == ctx->table &&
+                   ((trans->msg_type == NFT_MSG_NEWCHAIN &&
+                     nft_trans_chain_update(trans)) ||
+                    (trans->msg_type == NFT_MSG_DELCHAIN &&
+                     nft_is_base_chain(trans->ctx.chain))))
                        return true;
        }