From: Sven Auhagen <sven.auhagen@voleatech.de>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH 1/1] Remove flow offload when ct is removed from userspace
Date: Sat, 23 May 2020 13:25:33 +0200
Message-ID: <20200523112533.zocclvnhlx23qhph@SvensMacBookAir.sven.lan> (raw)

When a ct is removed from user space through a netlink
message, it currently returns an error. This
effectively makes a flow undeletable from user space.

This causes issues when for example the interface IP changes
when using DHCP since the flow has SNAT and DNAT information
attached that are now not updated.

Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
---
 include/net/netfilter/nf_flow_table.h |  2 ++
 net/netfilter/nf_conntrack_netlink.c  | 10 ++++++++++
 net/netfilter/nf_flow_table_core.c    | 24 ++++++++++++++++++++++++
 3 files changed, 36 insertions(+)

diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index c54a7f707e50..51e300e30e62 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -177,6 +177,8 @@ struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_t
 						     struct flow_offload_tuple *tuple);
 void nf_flow_table_cleanup(struct net_device *dev);
 
+void nf_flow_table_ct_remove(struct nf_conn *ct);
+
 int nf_flow_table_init(struct nf_flowtable *flow_table);
 void nf_flow_table_free(struct nf_flowtable *flow_table);
 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 9ddfcd002d3b..0048a2b597a0 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -51,6 +51,10 @@
 #include <net/netfilter/nf_nat_helper.h>
 #endif
 
+#if IS_ENABLED(CONFIG_NF_FLOW_TABLE_INET)
+#include <net/netfilter/nf_flow_table.h>
+#endif
+
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_conntrack.h>
 
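Review bot: The new `#if IS_ENABLED(CONFIG_NF_FLOW_TABLE_INET)` guard does not match where nf_flow_table_ct_remove is defined: the patch adds it to net/netfilter/nf_flow_table_core.c, which, if it is still built under the core option (CONFIG_NF_FLOW_TABLE) rather than the inet frontend, means a kernel with the core flowtable enabled but the inet module disabled keeps returning -EBUSY, while a kernel with ctnetlink built in and the flowtable built as a module would fail to resolve the call at link time. The same guard is repeated in the ctnetlink_del_conntrack hunk below. Either guard both sites on the option that builds the definition (`#if IS_ENABLED(CONFIG_NF_FLOW_TABLE)`) together with the matching Kconfig dependency, or expose the teardown through a conntrack-side hook so ctnetlink does not link against the flowtable module directly.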
@@ -1310,8 +1314,14 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
 	ct = nf_ct_tuplehash_to_ctrack(h);
 
 	if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
+#if IS_ENABLED(CONFIG_NF_FLOW_TABLE_INET)
+		nf_flow_table_ct_remove(ct);
+		nf_ct_put(ct);
+		return 0;
+#else
 		nf_ct_put(ct);
 		return -EBUSY;
+#endif
 	}
 
 	if (cda[CTA_ID]) {
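Review bot: After scheduling the teardown the new branch does `nf_ct_put(ct); return 0;`, so the conntrack is never actually deleted: the CTA_ID check and the delete call that follow in ctnetlink_del_conntrack (the function starts and ends outside this hunk) are skipped, and userspace is told the entry is gone while it stays in the table until the flowtable clears the offload bit and the normal timeout expires. If the intent is that the entry really goes away, drop the early exit and leave only `nf_flow_table_ct_remove(ct);` in the #if arm so control falls through to the existing delete path; I cannot confirm from here that the delete path copes with a ct whose offload bit has not been cleared yet, so that needs checking. If the asynchronous behaviour is intended, the commit message should say that the removal is deferred rather than immediate.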
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 42da6e337276..9660448ca2d3 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -607,6 +607,30 @@ void nf_flow_table_cleanup(struct net_device *dev)
 }
 EXPORT_SYMBOL_GPL(nf_flow_table_cleanup);
 
+static void nf_flow_offload_ct_remove_step(struct flow_offload *flow,
+					   void *data)
+{
+	struct nf_conn *ct = data;
+
+	if (ct == flow->ct)
+		set_bit(NF_FLOW_TEARDOWN, &flow->flags);
+}
+
+void nf_flow_table_ct_remove(struct nf_conn *ct)
+{
+	struct nf_flowtable *flow_table;
+
+	if (!test_bit(IPS_OFFLOAD_BIT, &ct->status))
+		return;
+
+	list_for_each_entry(flow_table, &flowtables, list) {
+		nf_flow_table_iterate(flow_table,
+				      nf_flow_offload_ct_remove_step,
+				      ct);
+	}
+}
+EXPORT_SYMBOL_GPL(nf_flow_table_ct_remove);
+
 void nf_flow_table_free(struct nf_flowtable *flow_table)
 {
 	mutex_lock(&flowtable_lock);
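Review bot: nf_flow_table_ct_remove walks the global `flowtables` list without holding `flowtable_lock`, while nf_flow_table_free (visible right below) takes that mutex before touching the list, so a flowtable being freed concurrently can be unlinked from under the iterator. Take the lock around the loop — `mutex_lock(&flowtable_lock);` before `list_for_each_entry` and `mutex_unlock(&flowtable_lock);` after it — which is presumably what nf_flow_table_cleanup (whose body ends just above this hunk) already does; the ctnetlink caller runs in process context, so sleeping here should be acceptable. The IPS_OFFLOAD_BIT re-test duplicates the caller's check but is reasonable for an exported entry point. A short comment above the function, `/* Flag every offloaded flow bound to @ct for teardown; nothing is freed here, the flow entries are presumably released later by the flowtable gc. */`, would make it clear that the call is asynchronous.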
-- 
2.20.1

