Skip to content

L
linux
Commit 9ed81c8e authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files
Options

netfilter: flowtable: set NF_FLOW_TEARDOWN flag on entry expiration 

If the flow timer expires, the gc sets on the NF_FLOW_TEARDOWN flag.
Otherwise, the flowtable software path might race to refresh the
timeout, leaving the state machine in inconsistent state.

Fixes: c29f74e0 ("netfilter: nf_flow_table: hardware offload support")
Reported-by: default avatarPaul Blakey <paulb@mellanox.com>
Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 54ab49fd
Show whitespace changes
Inline Side-by-side
Showing with 5 additions and 3 deletions
net/netfilter/nf_flow_table_core.c
View file @ 9ed81c8e
......@@ -284,7 +284,7 @@ static void flow_offload_del(struct nf_flowtable *flow_table,
if (nf_flow_has_expired(flow))
flow_offload_fixup_ct(flow->ct);
else if (test_bit(NF_FLOW_TEARDOWN, &flow->flags))
else
flow_offload_fixup_ct_timeout(flow->ct);
flow_offload_free(flow);
......@@ -361,8 +361,10 @@ static void nf_flow_offload_gc_step(struct flow_offload *flow, void *data)
{
struct nf_flowtable *flow_table = data;
if (nf_flow_has_expired(flow) || nf_ct_is_dying(flow->ct) ||
test_bit(NF_FLOW_TEARDOWN, &flow->flags)) {
if (nf_flow_has_expired(flow) || nf_ct_is_dying(flow->ct))
set_bit(NF_FLOW_TEARDOWN, &flow->flags);
if (test_bit(NF_FLOW_TEARDOWN, &flow->flags)) {
if (test_bit(NF_FLOW_HW, &flow->flags)) {
if (!test_bit(NF_FLOW_HW_DYING, &flow->flags))
nf_flow_offload_del(flow_table, flow);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7