| author | Phil Sutter <phil@nwl.cc> | 2022-09-28 23:26:42 +0200 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2022-09-30 16:09:06 +0200 |
| commit | 545edb7a8ef0a8acf991b1b7857fddc24d7b151a (patch) | |
| tree | ad5c041c31728c7a8d6b6ff542d93578ee271a10 /include/linux/netfilter/nf_tables_compat.h | |
| parent | 0f1fbeca73b9dfcf19e04eb5ce4718528c01c2f1 (diff) | |
monitor: Sanitize startup race condition
During startup, 'nft monitor' first fetches the current ruleset and then
keeps this cache up to date based on received events. This is racy, as
any ruleset changes in between the initial fetch and the socket opening
are not recognized.
This script demonstrates the problem:
| #!/bin/bash
|
| while true; do
|     nft flush ruleset
|     iptables-nft -A FORWARD
| done &
| maniploop=$!
|
| trap "kill $maniploop; kill \$!; wait" EXIT
|
| while true; do
|     nft monitor rules >/dev/null &
|     sleep 0.2
|     kill $!
| done
If the table add event is missed, the rule add event callback fails to
deserialize the rule and calls abort().
Avoid the inconvenient program exit by returning NULL from
netlink_delinearize_rule() instead of aborting and make callers check
the return value.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'include/linux/netfilter/nf_tables_compat.h')
0 files changed, 0 insertions, 0 deletions