From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [RFC v3 nf-next 11/15] netfilter: remove nf_ct_unconfirmed_destroy helper
Date: Thu, 3 Mar 2022 14:54:15 +0100 [thread overview]
Message-ID: <20220303135419.10837-12-fw@strlen.de> (raw)
In-Reply-To: <20220303135419.10837-1-fw@strlen.de>
This helper tags connetions not yet in the conntrack table as
dying. These nf_conn entries will be dropped instead when the
core attempts to insert them from the input or postrouting
'confirm' hook.
After the previous change, the entries get unlinked from the
list earlier, so that by the time the actual exit hook runs,
new connections no longer have a timeout policy assigned.
Its enough to walk the hashtable instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/net/netfilter/nf_conntrack.h | 3 ---
net/netfilter/nf_conntrack_core.c | 14 --------------
net/netfilter/nfnetlink_cttimeout.c | 4 +++-
3 files changed, 3 insertions(+), 18 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index dbbb0e206901..c823f0e33dcc 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -238,9 +238,6 @@ static inline bool nf_ct_kill(struct nf_conn *ct)
return nf_ct_delete(ct, 0, 0);
}
-/* Set all unconfirmed conntrack as dying */
-void nf_ct_unconfirmed_destroy(struct net *);
-
/* Iterate over all conntracks: if iter returns true, it's deleted. */
void nf_ct_iterate_cleanup_net(struct net *net,
int (*iter)(struct nf_conn *i, void *data),
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 6f7471ba0744..cbfd79dae8e7 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2383,20 +2383,6 @@ __nf_ct_unconfirmed_destroy(struct net *net)
}
}
-void nf_ct_unconfirmed_destroy(struct net *net)
-{
- struct nf_conntrack_net *cnet = nf_ct_pernet(net);
-
- might_sleep();
-
- if (atomic_read(&cnet->count) > 0) {
- __nf_ct_unconfirmed_destroy(net);
- nf_queue_nf_hook_drop(net);
- synchronize_net();
- }
-}
-EXPORT_SYMBOL_GPL(nf_ct_unconfirmed_destroy);
-
void nf_ct_iterate_cleanup_net(struct net *net,
int (*iter)(struct nf_conn *i, void *data),
void *data, u32 portid, int report)
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 5bd660b45976..a98cf956f7c7 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -609,7 +609,9 @@ static void __net_exit cttimeout_net_exit(struct net *net)
struct nfct_timeout_pernet *pernet = nfct_timeout_pernet(net);
struct ctnl_timeout *cur, *tmp;
- nf_ct_unconfirmed_destroy(net);
+ if (list_empty(&pernet->nfct_timeout_freelist))
+ return;
+
nf_ct_untimeout(net, NULL);
list_for_each_entry_safe(cur, tmp, &pernet->nfct_timeout_freelist, head) {
--
2.34.1
next prev parent reply other threads:[~2022-03-03 13:55 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-03 13:54 [RFC v3 nf-next 00/15] netfilter: conntrack: remove percpu lists Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 01/15] nfnetlink: handle already-released nl socket Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 02/15] netfilter: ctnetlink: make ecache event cb global again Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 03/15] netfilter: ecache: move to separate structure Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 04/15] netfilter: ecache: use dedicated list for event redelivery Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 05/15] netfilter: conntrack: split inner loop of list dumping to own function Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 06/15] netfilter: conntrack: include ecache dying list in dumps Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 07/15] netfilter: conntrack: remove the percpu dying list Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 08/15] netfilter: cttimeout: inc/dec module refcount per object, not per use refcount Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 09/15] netfilter: nfnetlink_cttimeout: use rcu protection in cttimeout_get_timeout Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 10/15] netfilter: cttimeout: decouple unlink and free on netns destruction Florian Westphal
2022-03-03 13:54 ` Florian Westphal [this message]
2022-03-03 13:54 ` [RFC v3 nf-next 12/15] netfilter: extensions: introduce extension genid count Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 13/15] netfilter: cttimeout: decouple unlink and free on netns destruction Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 14/15] netfilter: conntrack: remove __nf_ct_unconfirmed_destroy Florian Westphal
2022-03-03 13:54 ` [RFC v3 nf-next 15/15] netfilter: conntrack: remove unconfirmed list Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220303135419.10837-12-fw@strlen.de \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).