netfilter: nf_tables: release objects on netns destruction

ummakynes · ummakynes · commit df05ef874b28 · 2015-12-28T18:34:35.000+01:00
We have to release the existing objects on netns removal otherwise we
leak them. Chains are unregistered in first place to make sure no
packets are walking on our rules and sets anymore.

The object release happens by when we unregister the family via
nft_release_afinfo() which is called from nft_unregister_afinfo() from
the corresponding __net_exit path in every family.

Reported-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
@@ -880,7 +880,7 @@ struct nft_af_info {
 };
 
 int nft_register_afinfo(struct net *, struct nft_af_info *);
-void nft_unregister_afinfo(struct nft_af_info *);
+void nft_unregister_afinfo(struct net *, struct nft_af_info *);
 
 int nft_register_chain_type(const struct nf_chain_type *);
 void nft_unregister_chain_type(const struct nf_chain_type *);
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
@@ -141,7 +141,7 @@ static int nf_tables_bridge_init_net(struct net *net)
 
 static void nf_tables_bridge_exit_net(struct net *net)
 {
-	nft_unregister_afinfo(net->nft.bridge);
+	nft_unregister_afinfo(net, net->nft.bridge);
 	kfree(net->nft.bridge);
 }
 
diff --git a/net/ipv4/netfilter/nf_tables_arp.c b/net/ipv4/netfilter/nf_tables_arp.c
@@ -57,7 +57,7 @@ static int nf_tables_arp_init_net(struct net *net)
 
 static void nf_tables_arp_exit_net(struct net *net)
 {
-	nft_unregister_afinfo(net->nft.arp);
+	nft_unregister_afinfo(net, net->nft.arp);
 	kfree(net->nft.arp);
 }
 
diff --git a/net/ipv4/netfilter/nf_tables_ipv4.c b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -78,7 +78,7 @@ static int nf_tables_ipv4_init_net(struct net *net)
 
 static void nf_tables_ipv4_exit_net(struct net *net)
 {
-	nft_unregister_afinfo(net->nft.ipv4);
+	nft_unregister_afinfo(net, net->nft.ipv4);
 	kfree(net->nft.ipv4);
 }
 
diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -77,7 +77,7 @@ static int nf_tables_ipv6_init_net(struct net *net)
 
 static void nf_tables_ipv6_exit_net(struct net *net)
 {
-	nft_unregister_afinfo(net->nft.ipv6);
+	nft_unregister_afinfo(net, net->nft.ipv6);
 	kfree(net->nft.ipv6);
 }
 
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -41,16 +41,19 @@ int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
 }
 EXPORT_SYMBOL_GPL(nft_register_afinfo);
 
+static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
+
 /**
  *	nft_unregister_afinfo - unregister nf_tables address family info
  *
  *	@afi: address family info to unregister
  *
  *	Unregister the address family for use with nf_tables.
  */
-void nft_unregister_afinfo(struct nft_af_info *afi)
+void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
 {
 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
+	__nft_release_afinfo(net, afi);
 	list_del_rcu(&afi->list);
 	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
 }
@@ -4579,14 +4582,54 @@ int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
 }
 EXPORT_SYMBOL_GPL(nft_data_dump);
 
-static int nf_tables_init_net(struct net *net)
+static int __net_init nf_tables_init_net(struct net *net)
 {
 	INIT_LIST_HEAD(&net->nft.af_info);
 	INIT_LIST_HEAD(&net->nft.commit_list);
 	net->nft.base_seq = 1;
 	return 0;
 }
 
+/* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
+static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
+{
+	struct nft_table *table, *nt;
+	struct nft_chain *chain, *nc;
+	struct nft_rule *rule, *nr;
+	struct nft_set *set, *ns;
+	struct nft_ctx ctx = {
+		.net	= net,
+		.afi	= afi,
+	};
+
+	list_for_each_entry_safe(table, nt, &afi->tables, list) {
+		list_for_each_entry(chain, &table->chains, list)
+			nf_tables_unregister_hooks(table, chain, afi->nops);
+		/* No packets are walking on these chains anymore. */
+		ctx.table = table;
+		list_for_each_entry(chain, &table->chains, list) {
+			ctx.chain = chain;
+			list_for_each_entry_safe(rule, nr, &chain->rules, list) {
+				list_del(&rule->list);
+				chain->use--;
+				nf_tables_rule_destroy(&ctx, rule);
+			}
+		}
+		list_for_each_entry_safe(set, ns, &table->sets, list) {
+			list_del(&set->list);
+			table->use--;
+			nft_set_destroy(set);
+		}
+		list_for_each_entry_safe(chain, nc, &table->chains, list) {
+			list_del(&chain->list);
+			table->use--;
+			nf_tables_chain_destroy(chain);
+		}
+		list_del(&table->list);
+		nf_tables_table_destroy(&ctx);
+	}
+}
+
 static struct pernet_operations nf_tables_net_ops = {
 	.init	= nf_tables_init_net,
 };
diff --git a/net/netfilter/nf_tables_inet.c b/net/netfilter/nf_tables_inet.c
@@ -57,7 +57,7 @@ static int __net_init nf_tables_inet_init_net(struct net *net)
 
 static void __net_exit nf_tables_inet_exit_net(struct net *net)
 {
-	nft_unregister_afinfo(net->nft.inet);
+	nft_unregister_afinfo(net, net->nft.inet);
 	kfree(net->nft.inet);
 }
 
diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c
@@ -139,7 +139,7 @@ static int nf_tables_netdev_init_net(struct net *net)
 
 static void nf_tables_netdev_exit_net(struct net *net)
 {
-	nft_unregister_afinfo(net->nft.netdev);
+	nft_unregister_afinfo(net, net->nft.netdev);
 	kfree(net->nft.netdev);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -141,7 +141,7 @@ static int nf_tables_bridge_init_net(struct net *net)`
`141`	`141`
`142`	`142`	`static void nf_tables_bridge_exit_net(struct net *net)`
`143`	`143`	`{`
`144`		`- nft_unregister_afinfo(net->nft.bridge);`
	`144`	`+ nft_unregister_afinfo(net, net->nft.bridge);`
`145`	`145`	`kfree(net->nft.bridge);`
`146`	`146`	`}`
`147`	`147`
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ static int nf_tables_arp_init_net(struct net *net)`
`57`	`57`
`58`	`58`	`static void nf_tables_arp_exit_net(struct net *net)`
`59`	`59`	`{`
`60`		`- nft_unregister_afinfo(net->nft.arp);`
	`60`	`+ nft_unregister_afinfo(net, net->nft.arp);`
`61`	`61`	`kfree(net->nft.arp);`
`62`	`62`	`}`
`63`	`63`
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ static int nf_tables_ipv4_init_net(struct net *net)`
`78`	`78`
`79`	`79`	`static void nf_tables_ipv4_exit_net(struct net *net)`
`80`	`80`	`{`
`81`		`- nft_unregister_afinfo(net->nft.ipv4);`
	`81`	`+ nft_unregister_afinfo(net, net->nft.ipv4);`
`82`	`82`	`kfree(net->nft.ipv4);`
`83`	`83`	`}`
`84`	`84`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ static int nf_tables_ipv6_init_net(struct net *net)`
`77`	`77`
`78`	`78`	`static void nf_tables_ipv6_exit_net(struct net *net)`
`79`	`79`	`{`
`80`		`- nft_unregister_afinfo(net->nft.ipv6);`
	`80`	`+ nft_unregister_afinfo(net, net->nft.ipv6);`
`81`	`81`	`kfree(net->nft.ipv6);`
`82`	`82`	`}`
`83`	`83`
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ static int __net_init nf_tables_inet_init_net(struct net *net)`
`57`	`57`
`58`	`58`	`static void __net_exit nf_tables_inet_exit_net(struct net *net)`
`59`	`59`	`{`
`60`		`- nft_unregister_afinfo(net->nft.inet);`
	`60`	`+ nft_unregister_afinfo(net, net->nft.inet);`
`61`	`61`	`kfree(net->nft.inet);`
`62`	`62`	`}`
`63`	`63`
Original file line number	Diff line number	Diff line change
`@@ -139,7 +139,7 @@ static int nf_tables_netdev_init_net(struct net *net)`
`139`	`139`
`140`	`140`	`static void nf_tables_netdev_exit_net(struct net *net)`
`141`	`141`	`{`
`142`		`- nft_unregister_afinfo(net->nft.netdev);`
	`142`	`+ nft_unregister_afinfo(net, net->nft.netdev);`
`143`	`143`	`kfree(net->nft.netdev);`
`144`	`144`	`}`
`145`	`145`