* [PATCH nf 0/2] arp,ebtables: add pre_exit hooks for arp/ebtable hook unregister
@ 2021-04-07 19:43 Florian Westphal
2021-04-07 19:43 ` [PATCH nf 1/2] netfilter: bridge: add pre_exit hooks for ebtable unregistration Florian Westphal
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Florian Westphal @ 2021-04-07 19:43 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
arptables and ebtables need the same fixup that was added for
ip/ip6tables: synchronize_rcu() is needed before ruleset can be free'd.
Add pre_exit hooks for this.
Florian Westphal (2):
netfilter: bridge: add pre_exit hooks for ebtable unregistration
netfilter: arp_tables: netfilter: bridge: add pre_exit hook for table
unregister
include/linux/netfilter_arp/arp_tables.h | 5 ++--
include/linux/netfilter_bridge/ebtables.h | 5 ++--
net/bridge/netfilter/ebtable_broute.c | 8 +++++-
net/bridge/netfilter/ebtable_filter.c | 8 +++++-
net/bridge/netfilter/ebtable_nat.c | 8 +++++-
net/bridge/netfilter/ebtables.c | 30 ++++++++++++++++++++---
net/ipv4/netfilter/arp_tables.c | 9 +++++--
net/ipv4/netfilter/arptable_filter.c | 10 +++++++-
8 files changed, 70 insertions(+), 13 deletions(-)
--
2.26.3
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH nf 1/2] netfilter: bridge: add pre_exit hooks for ebtable unregistration
2021-04-07 19:43 [PATCH nf 0/2] arp,ebtables: add pre_exit hooks for arp/ebtable hook unregister Florian Westphal
@ 2021-04-07 19:43 ` Florian Westphal
2021-04-07 19:43 ` [PATCH nf 2/2] netfilter: arp_tables: netfilter: bridge: add pre_exit hook for table unregister Florian Westphal
2021-04-10 19:17 ` [PATCH nf 0/2] arp,ebtables: add pre_exit hooks for arp/ebtable hook unregister Pablo Neira Ayuso
2 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2021-04-07 19:43 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Just like ip/ip6/arptables, the hooks have to be removed, then
synchronize_rcu() has to be called to make sure no more packets are being
processed before the ruleset data is released.
Place the hook unregistration in the pre_exit hook, then call the new
ebtables pre_exit function from there.
Years ago, when first netns support got added for netfilter+ebtables,
this used an older (now removed) netfilter hook unregister API, that did
a unconditional synchronize_rcu().
Now that all is done with call_rcu, ebtable_{filter,nat,broute} pernet exit
handlers may free the ebtable ruleset while packets are still in flight.
This can only happens on module removal, not during netns exit.
The new function expects the table name, not the table struct.
This is because upcoming patch set (targeting -next) will remove all
net->xt.{nat,filter,broute}_table instances, this makes it necessary
to avoid external references to those member variables.
The existing APIs will be converted, so follow the upcoming scheme of
passing name + hook type instead.
Fixes: aee12a0a3727e ("ebtables: remove nf_hook_register usage")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/linux/netfilter_bridge/ebtables.h | 5 ++--
net/bridge/netfilter/ebtable_broute.c | 8 +++++-
net/bridge/netfilter/ebtable_filter.c | 8 +++++-
net/bridge/netfilter/ebtable_nat.c | 8 +++++-
net/bridge/netfilter/ebtables.c | 30 ++++++++++++++++++++---
5 files changed, 51 insertions(+), 8 deletions(-)
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index 2f5c4e6ecd8a..3a956145a25c 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -110,8 +110,9 @@ extern int ebt_register_table(struct net *net,
const struct ebt_table *table,
const struct nf_hook_ops *ops,
struct ebt_table **res);
-extern void ebt_unregister_table(struct net *net, struct ebt_table *table,
- const struct nf_hook_ops *);
+extern void ebt_unregister_table(struct net *net, struct ebt_table *table);
+void ebt_unregister_table_pre_exit(struct net *net, const char *tablename,
+ const struct nf_hook_ops *ops);
extern unsigned int ebt_do_table(struct sk_buff *skb,
const struct nf_hook_state *state,
struct ebt_table *table);
diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c
index 66e7af165494..32bc2821027f 100644
--- a/net/bridge/netfilter/ebtable_broute.c
+++ b/net/bridge/netfilter/ebtable_broute.c
@@ -105,14 +105,20 @@ static int __net_init broute_net_init(struct net *net)
&net->xt.broute_table);
}
+static void __net_exit broute_net_pre_exit(struct net *net)
+{
+ ebt_unregister_table_pre_exit(net, "broute", &ebt_ops_broute);
+}
+
static void __net_exit broute_net_exit(struct net *net)
{
- ebt_unregister_table(net, net->xt.broute_table, &ebt_ops_broute);
+ ebt_unregister_table(net, net->xt.broute_table);
}
static struct pernet_operations broute_net_ops = {
.init = broute_net_init,
.exit = broute_net_exit,
+ .pre_exit = broute_net_pre_exit,
};
static int __init ebtable_broute_init(void)
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c
index 78cb9b21022d..bcf982e12f16 100644
--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -99,14 +99,20 @@ static int __net_init frame_filter_net_init(struct net *net)
&net->xt.frame_filter);
}
+static void __net_exit frame_filter_net_pre_exit(struct net *net)
+{
+ ebt_unregister_table_pre_exit(net, "filter", ebt_ops_filter);
+}
+
static void __net_exit frame_filter_net_exit(struct net *net)
{
- ebt_unregister_table(net, net->xt.frame_filter, ebt_ops_filter);
+ ebt_unregister_table(net, net->xt.frame_filter);
}
static struct pernet_operations frame_filter_net_ops = {
.init = frame_filter_net_init,
.exit = frame_filter_net_exit,
+ .pre_exit = frame_filter_net_pre_exit,
};
static int __init ebtable_filter_init(void)
diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c
index 0888936ef853..0d092773f816 100644
--- a/net/bridge/netfilter/ebtable_nat.c
+++ b/net/bridge/netfilter/ebtable_nat.c
@@ -99,14 +99,20 @@ static int __net_init frame_nat_net_init(struct net *net)
&net->xt.frame_nat);
}
+static void __net_exit frame_nat_net_pre_exit(struct net *net)
+{
+ ebt_unregister_table_pre_exit(net, "nat", ebt_ops_nat);
+}
+
static void __net_exit frame_nat_net_exit(struct net *net)
{
- ebt_unregister_table(net, net->xt.frame_nat, ebt_ops_nat);
+ ebt_unregister_table(net, net->xt.frame_nat);
}
static struct pernet_operations frame_nat_net_ops = {
.init = frame_nat_net_init,
.exit = frame_nat_net_exit,
+ .pre_exit = frame_nat_net_pre_exit,
};
static int __init ebtable_nat_init(void)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index ebe33b60efd6..d481ff24a150 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1232,10 +1232,34 @@ int ebt_register_table(struct net *net, const struct ebt_table *input_table,
return ret;
}
-void ebt_unregister_table(struct net *net, struct ebt_table *table,
- const struct nf_hook_ops *ops)
+static struct ebt_table *__ebt_find_table(struct net *net, const char *name)
+{
+ struct ebt_table *t;
+
+ mutex_lock(&ebt_mutex);
+
+ list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
+ if (strcmp(t->name, name) == 0) {
+ mutex_unlock(&ebt_mutex);
+ return t;
+ }
+ }
+
+ mutex_unlock(&ebt_mutex);
+ return NULL;
+}
+
+void ebt_unregister_table_pre_exit(struct net *net, const char *name, const struct nf_hook_ops *ops)
+{
+ struct ebt_table *table = __ebt_find_table(net, name);
+
+ if (table)
+ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+}
+EXPORT_SYMBOL(ebt_unregister_table_pre_exit);
+
+void ebt_unregister_table(struct net *net, struct ebt_table *table)
{
- nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
__ebt_unregister_table(net, table);
}
--
2.26.3
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH nf 2/2] netfilter: arp_tables: netfilter: bridge: add pre_exit hook for table unregister
2021-04-07 19:43 [PATCH nf 0/2] arp,ebtables: add pre_exit hooks for arp/ebtable hook unregister Florian Westphal
2021-04-07 19:43 ` [PATCH nf 1/2] netfilter: bridge: add pre_exit hooks for ebtable unregistration Florian Westphal
@ 2021-04-07 19:43 ` Florian Westphal
2021-04-10 19:17 ` [PATCH nf 0/2] arp,ebtables: add pre_exit hooks for arp/ebtable hook unregister Pablo Neira Ayuso
2 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2021-04-07 19:43 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Same problem that also existed in iptables/ip(6)tables, when
arptable_filter is removed there is no longer a wait period before the
table/ruleset is free'd.
Unregister the hook in pre_exit, then remove the table in the exit
function.
This used to work correctly because the old nf_hook_unregister API
did unconditional synchronize_net.
The per-net hook unregister function uses call_rcu instead.
Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/linux/netfilter_arp/arp_tables.h | 5 +++--
net/ipv4/netfilter/arp_tables.c | 9 +++++++--
net/ipv4/netfilter/arptable_filter.c | 10 +++++++++-
3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 7d3537c40ec9..26a13294318c 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -52,8 +52,9 @@ extern void *arpt_alloc_initial_table(const struct xt_table *);
int arpt_register_table(struct net *net, const struct xt_table *table,
const struct arpt_replace *repl,
const struct nf_hook_ops *ops, struct xt_table **res);
-void arpt_unregister_table(struct net *net, struct xt_table *table,
- const struct nf_hook_ops *ops);
+void arpt_unregister_table(struct net *net, struct xt_table *table);
+void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
+ const struct nf_hook_ops *ops);
extern unsigned int arpt_do_table(struct sk_buff *skb,
const struct nf_hook_state *state,
struct xt_table *table);
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index d1e04d2b5170..6c26533480dd 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1539,10 +1539,15 @@ int arpt_register_table(struct net *net,
return ret;
}
-void arpt_unregister_table(struct net *net, struct xt_table *table,
- const struct nf_hook_ops *ops)
+void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
+ const struct nf_hook_ops *ops)
{
nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+}
+EXPORT_SYMBOL(arpt_unregister_table_pre_exit);
+
+void arpt_unregister_table(struct net *net, struct xt_table *table)
+{
__arpt_unregister_table(net, table);
}
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index c216b9ad3bb2..6c300ba5634e 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -56,16 +56,24 @@ static int __net_init arptable_filter_table_init(struct net *net)
return err;
}
+static void __net_exit arptable_filter_net_pre_exit(struct net *net)
+{
+ if (net->ipv4.arptable_filter)
+ arpt_unregister_table_pre_exit(net, net->ipv4.arptable_filter,
+ arpfilter_ops);
+}
+
static void __net_exit arptable_filter_net_exit(struct net *net)
{
if (!net->ipv4.arptable_filter)
return;
- arpt_unregister_table(net, net->ipv4.arptable_filter, arpfilter_ops);
+ arpt_unregister_table(net, net->ipv4.arptable_filter);
net->ipv4.arptable_filter = NULL;
}
static struct pernet_operations arptable_filter_net_ops = {
.exit = arptable_filter_net_exit,
+ .pre_exit = arptable_filter_net_pre_exit,
};
static int __init arptable_filter_init(void)
--
2.26.3
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH nf 0/2] arp,ebtables: add pre_exit hooks for arp/ebtable hook unregister
2021-04-07 19:43 [PATCH nf 0/2] arp,ebtables: add pre_exit hooks for arp/ebtable hook unregister Florian Westphal
2021-04-07 19:43 ` [PATCH nf 1/2] netfilter: bridge: add pre_exit hooks for ebtable unregistration Florian Westphal
2021-04-07 19:43 ` [PATCH nf 2/2] netfilter: arp_tables: netfilter: bridge: add pre_exit hook for table unregister Florian Westphal
@ 2021-04-10 19:17 ` Pablo Neira Ayuso
2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2021-04-10 19:17 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Wed, Apr 07, 2021 at 09:43:38PM +0200, Florian Westphal wrote:
> arptables and ebtables need the same fixup that was added for
> ip/ip6tables: synchronize_rcu() is needed before ruleset can be free'd.
>
> Add pre_exit hooks for this.
Applied, thanks Florian.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-04-10 19:17 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-07 19:43 [PATCH nf 0/2] arp,ebtables: add pre_exit hooks for arp/ebtable hook unregister Florian Westphal
2021-04-07 19:43 ` [PATCH nf 1/2] netfilter: bridge: add pre_exit hooks for ebtable unregistration Florian Westphal
2021-04-07 19:43 ` [PATCH nf 2/2] netfilter: arp_tables: netfilter: bridge: add pre_exit hook for table unregister Florian Westphal
2021-04-10 19:17 ` [PATCH nf 0/2] arp,ebtables: add pre_exit hooks for arp/ebtable hook unregister Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.