author | Florian Westphal <fw@strlen.de> | 2021-04-07 21:43:40 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-04-10 21:18:24 +0200 |
commit | d163a925ebbc6eb5b562b0f1d72c7e817aa75c40 (patch) | |
tree | e8cd49d2df51c8418824ec07a858953c783454a4 /net/ipv4/netfilter/arp_tables.c | |
parent | 7ee3c61dcd28bf6e290e06ad382f13511dc790e9 (diff) | |
netfilter: arp_tables: add pre_exit hook for table unregister

Same problem that also existed in iptables/ip(6)tables, when
arptable_filter is removed there is no longer a wait period before the
table/ruleset is free'd.

Unregister the hook in pre_exit, then remove the table in the exit
function.
This used to work correctly because the old nf_hook_unregister API
did unconditional synchronize_net.
The per-net hook unregister function uses call_rcu instead.

Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'net/ipv4/netfilter/arp_tables.c')
-rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index d1e04d2b5170..6c26533480dd 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -1539,10 +1539,15 @@ out_free: return ret; } -void arpt_unregister_table(struct net *net, struct xt_table *table, - const struct nf_hook_ops *ops) +void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table, + const struct nf_hook_ops *ops) { nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); +} +EXPORT_SYMBOL(arpt_unregister_table_pre_exit); + +void arpt_unregister_table(struct net *net, struct xt_table *table) +{ __arpt_unregister_table(net, table); } |
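
Review bot: arpt_unregister_table() no longer calls nf_unregister_net_hooks(), so a caller that skips arpt_unregister_table_pre_exit() will free the table while its hooks are still registered, and neither function documents that dependency. A short comment above both functions stating the required order (arpt_unregister_table_pre_exit() from pre_exit, then arpt_unregister_table() from exit, as the commit message describes) would make the contract explicit for future callers. The ops argument is also dropped from arpt_unregister_table(); this view is limited to arp_tables.c, so the matching prototype and caller updates are not visible here and should be confirmed in the full commit.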