stuartl/linux-stable
1
0
Fork 0
mirror of https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stable.git synced 2025-09-13 11:07:46 +10:00
Code Issues Releases Wiki Activity
master
linux-stable/include/net/netfilter
History
Pablo Neira Ayuso 735795f68b netfilter: flowtable: GC pushes back packets to classic path 
Since 41f2c7c342 ("net/sched: act_ct: Fix promotion of offloaded
unreplied tuple"), flowtable GC pushes back flows with IPS_SEEN_REPLY
back to classic path in every run, ie. every second. This is because of
a new check for NF_FLOW_HW_ESTABLISHED which is specific of sched/act_ct.

In Netfilter's flowtable case, NF_FLOW_HW_ESTABLISHED never gets set on
and IPS_SEEN_REPLY is unreliable since users decide when to offload the
flow before, such bit might be set on at a later stage.

Fix it by adding a custom .gc handler that sched/act_ct can use to
deal with its NF_FLOW_HW_ESTABLISHED bit.

Fixes: 41f2c7c342 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple")
Reported-by: Vladimir Smelhaus <vl.sm@email.cz>
Reviewed-by: Paul Blakey <paulb@nvidia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2023-10-25 11:35:46 +02:00
..
ipv4
ipv6
br_netfilter.h
nf_bpf_link.h bpf: minimal support for programs hooked into netfilter framework 2023-04-21 11:34:14 -07:00
nf_conntrack_acct.h netfilter: conntrack: Remove unused function declarations 2023-08-08 13:02:00 +02:00
nf_conntrack_act_ct.h
nf_conntrack_bpf.h
nf_conntrack_bridge.h
nf_conntrack_core.h netfilter: conntrack: fix wrong ct->timeout value 2023-04-19 12:08:38 +02:00
nf_conntrack_count.h
nf_conntrack_ecache.h
nf_conntrack_expect.h netfilter: allow exp not to be removed in nf_ct_find_expectation 2023-07-20 10:06:36 +02:00
nf_conntrack_extend.h
nf_conntrack_helper.h netfilter: helper: Remove unused function declarations 2023-08-08 13:01:59 +02:00
nf_conntrack_l4proto.h
nf_conntrack_labels.h netfilter: conntrack: Remove unused function declarations 2023-08-08 13:02:00 +02:00
nf_conntrack_seqadj.h
nf_conntrack_synproxy.h
nf_conntrack_timeout.h
nf_conntrack_timestamp.h
nf_conntrack_tuple.h netfilter: conntrack: don't fold port numbers into addresses before hashing 2023-07-05 14:42:16 +02:00
nf_conntrack_zones.h
nf_conntrack.h netfilter: conntrack: Remove unused function declarations 2023-08-08 13:02:00 +02:00
nf_dup_netdev.h
nf_flow_table.h netfilter: flowtable: GC pushes back packets to classic path 2023-10-25 11:35:46 +02:00
nf_hooks_lwtunnel.h netfilter: add netfilter hooks to SRv6 data plane 2021-08-30 01:51:36 +02:00
nf_log.h
nf_nat_helper.h
nf_nat_masquerade.h
nf_nat_redirect.h
nf_nat.h
nf_queue.h
nf_reject.h
nf_socket.h
nf_synproxy.h
nf_tables_core.h
nf_tables_ipv4.h
nf_tables_ipv6.h
nf_tables_offload.h
nf_tables.h netfilter: nf_tables: fix memleak when more than 255 elements expired 2023-09-20 10:35:23 +02:00
nf_tproxy.h
nft_fib.h
nft_meta.h
nft_reject.h
xt_rateest.h