Re: [PATCH nf] netfilter: nf_tables: don't unregister hook when table is dormant

Florian Westphal <fw@xxxxxxxxx> · Wed, 2 Apr 2025 12:49:59 +0200

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> I just made another pass today on this, I think this needs to be:
> 
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index c2df81b7e950..a133e1c175ce 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -2839,11 +2839,11 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
>                         err = nft_netdev_register_hooks(ctx->net, &hook.list);
>                         if (err < 0)
>                                 goto err_hooks;
> +
> +                       unregister = true;
>                 }
>         }
>  
> -       unregister = true;
> -
>         if (nla[NFTA_CHAIN_COUNTERS]) {
>                 if (!nft_is_base_chain(chain)) {
>                         err = -EOPNOTSUPP;
> 
> This is the rationale:

[..]

I've marked the patch as rejected.  I'm not sure what the pre and
postconditions for non-netdev is in this function, so I won't send a v2.