diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-03-21 23:24:20 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-04-02 22:50:56 +0200 |
| commit | 9d74da1177c800eb3d51c13f9821b7b0683845a5 (patch) | |
| tree | 6d10a227eecb828b89c0dadb72f1717a14ed3c4e /net | |
| parent | ed3ba9b6e280e14cc3148c1b226ba453f02fa76c (diff) | |
netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only
conncount has its own GC handler which determines when to reap stale
elements, this is convenient for dynamic sets. However, this also reaps
non-dynamic sets with static configurations coming from control plane.
Always run connlimit gc handler but honor feedback to reap element if
this set is dynamic.
Fixes: 290180e2448c ("netfilter: nf_tables: add connlimit support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nft_set_hash.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 8bfac4185ac7..abb0c8ec6371 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set, nft_setelem_expr_foreach(expr, elem_expr, size) { if (expr->ops->gc && - expr->ops->gc(read_pnet(&set->net), expr)) + expr->ops->gc(read_pnet(&set->net), expr) && + set->flags & NFT_SET_EVAL) return true; } |