netfilter: nf_tables: disable toggling dormant table state more than …

…once

jira VUlN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Florian Westphal <[email protected]>
commit c9bd265
upstream-diff Onced again cherry-pick pulls in unrelated cruft,
the patch itself is fine - as per usual the source of truth is
4.18.0-534

nft -f -<<EOF
add table ip t
add table ip t { flags dormant; }
add chain ip t c { type filter hook input priority 0; }
add table ip t
EOF

Triggers a splat from nf core on next table delete because we lose
track of right hook register state:

WARNING: CPU: 2 PID: 1597 at net/netfilter/core.c:501 __nf_unregister_net_hook
RIP: 0010:__nf_unregister_net_hook+0x41b/0x570
 nf_unregister_net_hook+0xb4/0xf0
 __nf_tables_unregister_hook+0x160/0x1d0
[..]

The above should have table in *active* state, but in fact no
hooks were registered.

Reject on/off/on games rather than attempting to fix this.

Fixes: 179d9ba ("netfilter: nf_tables: fix table flag updates")
	Reported-by: "Lee, Cherie-Anne" <[email protected]>
	Cc: Bing-Jhong Billy Jheng <[email protected]>
	Cc: [email protected]
	Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit c9bd265)
	Signed-off-by: Greg Rose <[email protected]>

net/netfilter/nf_tables_api.c

@@ -970,6 +970,10 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
 	if (flags == ctx->table->flags)
 		return 0;
 
+	/* No dormant off/on/off/on games in single transaction */
+	if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
+		return -EINVAL;
+
 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
 				sizeof(struct nft_trans_table));
 	if (trans == NULL)