@@ -177,6 +177,8 @@ struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_t
struct flow_offload_tuple *tuple);
void nf_flow_table_cleanup(struct net_device *dev);
+void nf_flow_table_ct_remove(struct nf_conn *ct);
+
int nf_flow_table_init(struct nf_flowtable *flow_table);
void nf_flow_table_free(struct nf_flowtable *flow_table);
@@ -51,6 +51,10 @@
#include <net/netfilter/nf_nat_helper.h>
#endif
+#if IS_ENABLED(CONFIG_NF_FLOW_TABLE_INET)
+#include <net/netfilter/nf_flow_table.h>
+#endif
+
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
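Review bot: The new include at `#if IS_ENABLED(CONFIG_NF_FLOW_TABLE_INET)` is gated on the inet-family option, but the symbol it is pulled in for, `nf_flow_table_ct_remove`, is defined and exported from nf_flow_table_core.c according to the diffstat, which is presumably built under the core flowtable option rather than the inet one; if so, the guard here and at the call site should match the option that actually builds that file, otherwise a configuration with the core enabled but inet disabled silently keeps the old -EBUSY behaviour, and the reverse combination would not link. A second, related concern is that this makes nf_conntrack_netlink.c reference a symbol owned by the flowtable code directly, while the flowtable code in this same patch dereferences `flow->ct` as a `struct nf_conn` and so already depends on conntrack; if both are built as modules that looks like a circular module dependency (inferred, not verifiable from the hunk). If that is the case, an indirection such as a hook pointer registered by the flowtable when it loads, or letting the flowtable's own garbage collector react to the conntrack being marked for deletion, would avoid the hard reference.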
@@ -1310,8 +1314,14 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
ct = nf_ct_tuplehash_to_ctrack(h);
if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
+#if IS_ENABLED(CONFIG_NF_FLOW_TABLE_INET)
+ nf_flow_table_ct_remove(ct);
+ nf_ct_put(ct);
+ return 0;
+#else
nf_ct_put(ct);
return -EBUSY;
+#endif
}
if (cda[CTA_ID]) {
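Review bot: The new offload branch acts and returns 0 before the `if (cda[CTA_ID])` validation that follows it, so a delete request carrying a stale or mismatched id now triggers a teardown on whatever conntrack currently owns that tuple and then reports success; the old -EBUSY path at least had no side effect before that check. Move the CTA_ID comparison above the `IPS_OFFLOAD_BIT` test so the id is validated before `nf_flow_table_ct_remove(ct)` is called. Also note that `nf_flow_table_ct_remove()` only sets `NF_FLOW_TEARDOWN` on the matching flows, it does not remove the conntrack entry itself, so `return 0` here tells userspace the entry is gone while it is still in the table until the flowtable gc and the conntrack timeout catch up; either document that 0 means "teardown requested" in a comment on the branch, or after flagging the flows continue into the normal deletion path that presumably follows (whether that is safe depends on the flowtable holding its own reference on `flow->ct`, which I cannot confirm from here). ctnetlink_del_conntrack begins and ends outside this hunk.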
@@ -607,6 +607,30 @@ void nf_flow_table_cleanup(struct net_device *dev)
}
EXPORT_SYMBOL_GPL(nf_flow_table_cleanup);
+static void nf_flow_offload_ct_remove_step(struct flow_offload *flow,
+ void *data)
+{
+ struct nf_conn *ct = data;
+
+ if (ct == flow->ct)
+ set_bit(NF_FLOW_TEARDOWN, &flow->flags);
+}
+
+void nf_flow_table_ct_remove(struct nf_conn *ct)
+{
+ struct nf_flowtable *flow_table;
+
+ if (!test_bit(IPS_OFFLOAD_BIT, &ct->status))
+ return;
+
+ list_for_each_entry(flow_table, &flowtables, list) {
+ nf_flow_table_iterate(flow_table,
+ nf_flow_offload_ct_remove_step,
+ ct);
+ }
+}
+EXPORT_SYMBOL_GPL(nf_flow_table_ct_remove);
+
void nf_flow_table_free(struct nf_flowtable *flow_table)
{
mutex_lock(&flowtable_lock);
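Review bot: `nf_flow_table_ct_remove()` walks the global `flowtables` list with `list_for_each_entry` and no lock, while `nf_flow_table_free()` immediately below takes `mutex_lock(&flowtable_lock)` before it touches that list; a flowtable being torn down concurrently with a ctnetlink delete can therefore unlink and free the `struct nf_flowtable` under the walker. Wrap the loop with `mutex_lock(&flowtable_lock);` before `list_for_each_entry(...)` and `mutex_unlock(&flowtable_lock);` after it; as far as I can tell the ctnetlink handler runs in process context, so sleeping on the mutex is acceptable, and `nf_flow_table_iterate()` is presumably responsible for its own protection of the per-table walk. Since this is an exported symbol, a short comment above it would also help callers, e.g. `/* Flag every offloaded flow that belongs to @ct for teardown. Only sets NF_FLOW_TEARDOWN; the flow and the conntrack entry are reclaimed later by the flowtable gc. */`. The `IPS_OFFLOAD_BIT` re-check inside the function duplicates the caller's test but is harmless. nf_flow_table_free continues past the end of this hunk.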
When an offloaded ct is removed from user space through a netlink message, the kernel currently returns an error. This effectively makes an offloaded flow undeletable from user space. This causes issues when, for example, the interface IP changes under DHCP, since the flow carries SNAT and DNAT information that is then no longer updated. Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de> --- include/net/netfilter/nf_flow_table.h | 2 ++ net/netfilter/nf_conntrack_netlink.c | 10 ++++++++++ net/netfilter/nf_flow_table_core.c | 24 ++++++++++++++++++++++++ 3 files changed, 36 insertions(+)