From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nft 3/3] evaluate: remove table from cache on delete table
Date: Tue, 28 Jul 2020 20:28:54 +0200 [thread overview]
Message-ID: <20200728182854.4473-3-pablo@netfilter.org> (raw)
In-Reply-To: <20200728182854.4473-1-pablo@netfilter.org>
The following ruleset crashes nft if loaded twice, via nft -ef:
add table inet filter
delete table inet filter
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
iifname { "eth0" } counter accept
}
}
If the table contains anonymous sets, such as __set0, then delete + add
table might result in nft reusing the existing stale __set0 in the cache.
The problem is that nft gets confused and it reuses the existing stale
__set0 instead of the new anonymous set __set0 with the same name.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 15 +++++++++++++++
tests/shell/testcases/sets/0053echo_0 | 16 ++++++++++++++++
tests/shell/testcases/sets/dumps/0053echo_0.nft | 6 ++++++
3 files changed, 37 insertions(+)
create mode 100755 tests/shell/testcases/sets/0053echo_0
create mode 100644 tests/shell/testcases/sets/dumps/0053echo_0.nft
diff --git a/src/evaluate.c b/src/evaluate.c
index 26d73959db58..a84e9609c1ff 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4172,6 +4172,18 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
}
}
+static void table_del_cache(struct eval_ctx *ctx, struct cmd *cmd)
+{
+ struct table *table;
+
+ table = table_lookup(&cmd->handle, &ctx->nft->cache);
+ if (!table)
+ return;
+
+ list_del(&table->list);
+ table_free(table);
+}
+
static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
{
switch (cmd->obj) {
@@ -4180,7 +4192,10 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_SET:
case CMD_OBJ_RULE:
case CMD_OBJ_CHAIN:
+ return 0;
case CMD_OBJ_TABLE:
+ table_del_cache(ctx, cmd);
+ return 0;
case CMD_OBJ_FLOWTABLE:
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
diff --git a/tests/shell/testcases/sets/0053echo_0 b/tests/shell/testcases/sets/0053echo_0
new file mode 100755
index 000000000000..6bb03c28b268
--- /dev/null
+++ b/tests/shell/testcases/sets/0053echo_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="add table inet filter
+delete table inet filter
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ iifname { lo } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter accept
+ }
+}
+"
+
+$NFT -ef - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.nft b/tests/shell/testcases/sets/dumps/0053echo_0.nft
new file mode 100644
index 000000000000..6a8166360ceb
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0053echo_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ iifname { "lo" } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter packets 0 bytes 0 accept
+ }
+}
--
2.20.1
prev parent reply other threads:[~2020-07-28 18:29 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-28 18:28 [PATCH nft 1/3] evaluate: flush set cache from the evaluation phase Pablo Neira Ayuso
2020-07-28 18:28 ` [PATCH nft 2/3] src: remove cache lookups after " Pablo Neira Ayuso
2020-07-28 18:28 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200728182854.4473-3-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).