| | | |
|---|---|---|
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-28 19:32:44 +0200 |
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-29 23:40:58 +0200 |
| commit | 7840b9224d5b84c41a8f5a5ddd919c7f7614901f | |
| tree | e5bc163dceb70623cbaa0a86f96cc117e90a2514 /src/evaluate.c | |
| parent | ac4b25b3ca045fbbed86773a91da52d9d7ee3091 | |
evaluate: remove table from cache on delete table
The following ruleset crashes nft if loaded twice, via nft -ef:
```
add table inet filter
delete table inet filter
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname { "eth0" } counter accept
	}
}
```
If the table contains anonymous sets, such as __set0, then delete + add
table might result in nft reusing the existing stale __set0 in the cache.
The problem is that nft gets confused and it reuses the existing stale
__set0 instead of the new anonymous set __set0 with the same name.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')

| | | |
|---|---|---|
| -rw-r--r-- | src/evaluate.c | 15 |

1 files changed, 15 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 26d73959..a84e9609 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -4172,6 +4172,18 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd) } } +static void table_del_cache(struct eval_ctx *ctx, struct cmd *cmd) +{ + struct table *table; + + table = table_lookup(&cmd->handle, &ctx->nft->cache); + if (!table) + return; + + list_del(&table->list); + table_free(table); +} + static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd) { switch (cmd->obj) { @@ -4180,7 +4192,10 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd) case CMD_OBJ_SET: case CMD_OBJ_RULE: case CMD_OBJ_CHAIN: + return 0; case CMD_OBJ_TABLE: + table_del_cache(ctx, cmd); + return 0; case CMD_OBJ_FLOWTABLE: case CMD_OBJ_COUNTER: case CMD_OBJ_QUOTA: |
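Review bot: `table_del_cache()` in the first hunk carries no comment explaining why the cache entry has to go at evaluation time; a one-liner above `list_del(&table->list);` such as `/* drop the stale cache entry so a later add cannot reuse its anonymous sets (__set0) */` would tie the code to the rationale in the commit message. It is also worth confirming that `table_free(table)` releases the chains, sets and other objects owned by the cached table, since the hunk does not show its body and a shallow free here would leak every object of a deleted table on each `nft -f` run.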
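Review bot: in the second hunk the explicit `return 0;` inserted after `case CMD_OBJ_CHAIN:` and after `table_del_cache(ctx, cmd);` changes the fall-through for `CMD_OBJ_SET`, `CMD_OBJ_RULE`, `CMD_OBJ_CHAIN` and `CMD_OBJ_TABLE`, which previously fell through into the `CMD_OBJ_FLOWTABLE` / `CMD_OBJ_COUNTER` / `CMD_OBJ_QUOTA` labels; the context ends before the code those labels execute, so please confirm it was a plain `return 0` and that no error path or cache lookup for those objects is now skipped. Note also that the cache entry is removed during evaluation, before the delete reaches the kernel: if the batch is later rejected, the cache no longer mirrors the ruleset, which is acceptable for `nft -f` (the whole file is aborted) but deserves a comment.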