netfilter: x_tables: unregister the templates first

When the module is going away we need to zap the template
first.  Else there is a small race window where userspace
could instantiate a new table after the pernet exit function
has removed the current table.

Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
Reported-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Closes: https://lore.kernel.org/netfilter-devel/20260429175613.1459342-1-tristmd@gmail.com/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 393d9a8c77390055c2e0019501069137983fe033..382345567a600aad00f687a6cce83cc338120ca2 100644 (file)
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -82,8 +82,8 @@ static int __init arptable_filter_init(void)
 
 static void __exit arptable_filter_fini(void)
 {
-       unregister_pernet_subsys(&arptable_filter_net_ops);
        xt_unregister_template(&packet_filter);
+       unregister_pernet_subsys(&arptable_filter_net_ops);
        kfree(arpfilter_ops);
 }
 

diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index b2fbd9651d61aa3b8fb019f1d61b7ce9ad52c884..0dea754a91209a83f8522aa06fb7b5d43dafa228 100644 (file)
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -101,8 +101,8 @@ static int __init iptable_filter_init(void)
 
 static void __exit iptable_filter_fini(void)
 {
-       unregister_pernet_subsys(&iptable_filter_net_ops);
        xt_unregister_template(&packet_filter);
+       unregister_pernet_subsys(&iptable_filter_net_ops);
        kfree(filter_ops);
 }
 

diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index a99e619961975f5eb43195af5c0c805f2666dfa8..4d3b124923080ba4e63d55f1eaa9294cfbb9d067 100644 (file)
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -135,8 +135,8 @@ static int __init iptable_mangle_init(void)
 
 static void __exit iptable_mangle_fini(void)
 {
-       unregister_pernet_subsys(&iptable_mangle_net_ops);
        xt_unregister_template(&packet_mangler);
+       unregister_pernet_subsys(&iptable_mangle_net_ops);
        kfree(mangle_ops);
 }
 

diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 42511721e538a0c96a5b048f411d785ea4b49481..6f7afec7954bd4e87ae051a91ca779f41dea78b4 100644 (file)
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -100,9 +100,9 @@ static int __init iptable_raw_init(void)
 
 static void __exit iptable_raw_fini(void)
 {
+       xt_unregister_template(&packet_raw);
        unregister_pernet_subsys(&iptable_raw_net_ops);
        kfree(rawtable_ops);
-       xt_unregister_template(&packet_raw);
 }
 
 module_init(iptable_raw_init);

diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 4646bf6d7d2bd639a27b6112b71956c7e2e7b414..81175c20ccbe8dc3087c73e93eacef03ea07d603 100644 (file)
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -89,9 +89,9 @@ static int __init iptable_security_init(void)
 
 static void __exit iptable_security_fini(void)
 {
+       xt_unregister_template(&security_table);
        unregister_pernet_subsys(&iptable_security_net_ops);
        kfree(sectbl_ops);
-       xt_unregister_template(&security_table);
 }
 
 module_init(iptable_security_init);

diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index f05a9e4b2c6762ea364bd680f53e5fb3305d37a7..cf561919bde84c285c9a9f6e7dba76f66ed89ca9 100644 (file)
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -100,8 +100,8 @@ static int __init ip6table_filter_init(void)
 
 static void __exit ip6table_filter_fini(void)
 {
-       unregister_pernet_subsys(&ip6table_filter_net_ops);
        xt_unregister_template(&packet_filter);
+       unregister_pernet_subsys(&ip6table_filter_net_ops);
        kfree(filter_ops);
 }
 

diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index afa4a5703e433951fc579e26c231c0e9dcc49aad..1a758f2bc5379c4bed20825ebabcd6538851e7d1 100644 (file)
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -128,8 +128,8 @@ static int __init ip6table_mangle_init(void)
 
 static void __exit ip6table_mangle_fini(void)
 {
-       unregister_pernet_subsys(&ip6table_mangle_net_ops);
        xt_unregister_template(&packet_mangler);
+       unregister_pernet_subsys(&ip6table_mangle_net_ops);
        kfree(mangle_ops);
 }
 

diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 32d2da81c52a7dbf600b26866cc22bcfd7633eb3..923455921c1ddf2858869ae7a7ef3b02595de4fc 100644 (file)
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -98,8 +98,8 @@ static int __init ip6table_raw_init(void)
 
 static void __exit ip6table_raw_fini(void)
 {
-       unregister_pernet_subsys(&ip6table_raw_net_ops);
        xt_unregister_template(&packet_raw);
+       unregister_pernet_subsys(&ip6table_raw_net_ops);
        kfree(rawtable_ops);
 }
 

diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 3dfd8d6ea4b906943dfaf004d03ca200a75cec5d..c44834d93fc792c51b95ad1f62d12ffce686e5fe 100644 (file)
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -88,8 +88,8 @@ static int __init ip6table_security_init(void)
 
 static void __exit ip6table_security_fini(void)
 {
-       unregister_pernet_subsys(&ip6table_security_net_ops);
        xt_unregister_template(&security_table);
+       unregister_pernet_subsys(&ip6table_security_net_ops);
        kfree(sectbl_ops);
 }