Message ID | 20230404183817.7312-2-witu@nvidia.com |
---|---|
State | New |
Series | netfilter: ctnetlink: Support offloaded conntrack entry deletion |
On 23/04/04 09:38PM, William Tu wrote: > From: Paul Blakey <paulb@nvidia.com> > > BugLink: https://bugs.launchpad.net/bugs/2015293 > > Currently, offloaded conntrack entries (flows) can only be deleted > after they are removed from offload, which is either by timeout, > tcp state change or tc ct rule deletion. This can cause issues for > users wishing to manually delete or flush existing entries. > > Support deletion of offloaded conntrack entries. > > Example usage: > # Delete all offloaded (and non offloaded) conntrack entries > # whose source address is 1.2.3.4 > $ conntrack -D -s 1.2.3.4 > # Delete all entries > $ conntrack -F > > Signed-off-by: Paul Blakey <paulb@nvidia.com> > Reviewed-by: Simon Horman <simon.horman@corigine.com> > Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> > Signed-off-by: Florian Westphal <fw@strlen.de> > (cherry picked from commit 9b7c68b3911aef84afa4cbfc31bce20f10570d51) This is in linux-next from next-20230403. That should be mentioned here (we can do that when we apply the patch though). > Signed-off-by: Paul Blakey <paulb@nvidia.com> > Signed-off-by: William Tu <witu@nvidia.com> Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com> > --- > net/netfilter/nf_conntrack_netlink.c | 8 -------- > 1 file changed, 8 deletions(-) > > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c > index d6339db2c540..f92154882a0b 100644 > --- a/net/netfilter/nf_conntrack_netlink.c > +++ b/net/netfilter/nf_conntrack_netlink.c > @@ -1229,9 +1229,6 @@ static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { > > static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data) > { > - if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) > - return 0; > - > return ctnetlink_filter_match(ct, data); > } 
> > @@ -1294,11 +1291,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, > > ct = nf_ct_tuplehash_to_ctrack(h); > > - if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) { > - nf_ct_put(ct); > - return -EBUSY; > - } > - > if (cda[CTA_ID]) { > __be32 id = nla_get_be32(cda[CTA_ID]); > > -- > 2.34.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index d6339db2c540..f92154882a0b 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1229,9 +1229,6 @@ static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data) { - if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) - return 0; - return ctnetlink_filter_match(ct, data); } @@ -1294,11 +1291,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, ct = nf_ct_tuplehash_to_ctrack(h); - if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) { - nf_ct_put(ct); - return -EBUSY; - } - if (cda[CTA_ID]) { __be32 id = nla_get_be32(cda[CTA_ID]);
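Review bot: In the first hunk (ctnetlink_flush_iterate), dropping the `test_bit(IPS_OFFLOAD_BIT, &ct->status)` early return means a flush now matches entries that are still offloaded, but neither the hunk nor the commit message says what removes the corresponding offloaded flow once the conntrack entry is gone. Suggest adding a sentence to the commit message naming the path that tears down the offload after deletion and, since this is a cherry-pick, confirming that path is present in the target tree. The function body is now only `return ctnetlink_filter_match(ct, data);`, so a one-line comment stating that offloaded entries are intentionally included would help later readers.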
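Review bot: In the second hunk (ctnetlink_del_conntrack), removing the `return -EBUSY;` branch for entries with IPS_OFFLOAD_BIT set is a userspace-visible change that the commit message does not state. A delete that used to fail on an offloaded entry now continues to the `cda[CTA_ID]` handling. Suggest noting the dropped -EBUSY result alongside the usage examples, so tooling that treated -EBUSY as "entry is offloaded, retry later" can be adjusted. The removed branch also carried the `nf_ct_put(ct);` for that early exit, so it is worth checking that every remaining exit path after `ct = nf_ct_tuplehash_to_ctrack(h);` still drops the reference, which the visible context lines do not show.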