netfilter: nf_tables: discard table flag update with pending basechain deletion

Hook unregistration is deferred to the commit phase, same occurs with
hook updates triggered by the table dormant flag. When both commands are
combined, this results in deleting a basechain while leaving its hook
still registered in the core.

Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e02d0ae4f4364d6a4f077d5483bfc451d2826cc3..d89d779467197a0846406e0b0ce6938e8a3d404d 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1209,10 +1209,11 @@ static bool nft_table_pending_update(const struct nft_ctx *ctx)
                return true;
 
        list_for_each_entry(trans, &nft_net->commit_list, list) {
-               if ((trans->msg_type == NFT_MSG_NEWCHAIN ||
-                    trans->msg_type == NFT_MSG_DELCHAIN) &&
-                   trans->ctx.table == ctx->table &&
-                   nft_trans_chain_update(trans))
+               if (trans->ctx.table == ctx->table &&
+                   ((trans->msg_type == NFT_MSG_NEWCHAIN &&
+                     nft_trans_chain_update(trans)) ||
+                    (trans->msg_type == NFT_MSG_DELCHAIN &&
+                     nft_is_base_chain(trans->ctx.chain))))
                        return true;
        }