Commit ee895a30 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Flush the cleanup xtables worker to make sure destructors
   have completed, from Florian Westphal.

2) iifgroup is matching erroneously, also from Florian.

3) Add selftest for meta interface matching, from Florian Westphal.

4) Move nf_ct_offload_timeout() to header, from Roi Dayan.

5) Call nf_ct_offload_timeout() from flow_offload_add() to
   make sure garbage collection does not evict offloaded flow,
   from Roi Dayan.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents bab9693a 4203b19c

include/net/netfilter/nf_conntrack.h

+12 −0
Original line number Diff line number Diff line
@@ -279,6 +279,18 @@ static inline bool nf_ct_should_gc(const struct nf_conn *ct) 
	       !nf_ct_is_dying(ct);

}



#define	NF_CT_DAY	(86400 * HZ)



/* Set an arbitrary timeout large enough not to ever expire, this save

 * us a check for the IPS_OFFLOAD_BIT from the packet path via

 * nf_ct_is_expired().

 */

static inline void nf_ct_offload_timeout(struct nf_conn *ct)

{

	if (nf_ct_expires(ct) < NF_CT_DAY / 2)

		ct->timeout = nfct_time_stamp + NF_CT_DAY;

}



struct kernel_param;



int nf_conntrack_set_hashsize(const char *val, const struct kernel_param *kp);

include/net/netfilter/nf_tables.h

+2 −0
Original line number Diff line number Diff line
@@ -1507,4 +1507,6 @@ void nft_chain_filter_fini(void); 


void __init nft_chain_route_init(void);

void nft_chain_route_fini(void);



void nf_tables_trans_destroy_flush_work(void);

#endif /* _NET_NF_TABLES_H */

net/netfilter/nf_conntrack_core.c

+0 −12
Original line number Diff line number Diff line
@@ -1344,18 +1344,6 @@ static bool gc_worker_can_early_drop(const struct nf_conn *ct) 
	return false;

}



#define	DAY	(86400 * HZ)



/* Set an arbitrary timeout large enough not to ever expire, this save

 * us a check for the IPS_OFFLOAD_BIT from the packet path via

 * nf_ct_is_expired().

 */

static void nf_ct_offload_timeout(struct nf_conn *ct)

{

	if (nf_ct_expires(ct) < DAY / 2)

		ct->timeout = nfct_time_stamp + DAY;

}



static void gc_worker(struct work_struct *work)

{

	unsigned int min_interval = max(HZ / GC_MAX_BUCKETS_DIV, 1u);

net/netfilter/nf_flow_table_core.c

+2 −0
Original line number Diff line number Diff line
@@ -243,6 +243,8 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow) 
		return err;

	}



	nf_ct_offload_timeout(flow->ct);



	if (nf_flowtable_hw_offload(flow_table)) {

		__set_bit(NF_FLOW_HW, &flow->flags);

		nf_flow_offload_add(flow_table, flow);

net/netfilter/nf_tables_api.c

+8 −2
Original line number Diff line number Diff line
@@ -7390,6 +7390,12 @@ static void nf_tables_trans_destroy_work(struct work_struct *w) 
	}

}



void nf_tables_trans_destroy_flush_work(void)

{

	flush_work(&trans_destroy_work);

}

EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);



static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)

{

	struct nft_rule *rule;
@@ -7572,9 +7578,9 @@ static void nf_tables_commit_release(struct net *net) 
	spin_unlock(&nf_tables_destroy_list_lock);



	nf_tables_module_autoload_cleanup(net);

	mutex_unlock(&net->nft.commit_mutex);



	schedule_work(&trans_destroy_work);



	mutex_unlock(&net->nft.commit_mutex);

}



static int nf_tables_commit(struct net *net, struct sk_buff *skb)