netfilter: remove nf_ct_unconfirmed_destroy helper
This helper tags connections not yet in the conntrack table as dying. These nf_conn entries will be dropped instead when the core attempts to insert them from the input or postrouting 'confirm' hook. After the previous change, the entries get unlinked from the list earlier, so that by the time the actual exit hook runs, new connections no longer have a timeout policy assigned. It's enough to walk the hashtable instead. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
78222bacfc
commit
17438b42ce
@ -237,9 +237,6 @@ static inline bool nf_ct_kill(struct nf_conn *ct)
|
|||||||
return nf_ct_delete(ct, 0, 0);
|
return nf_ct_delete(ct, 0, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Set all unconfirmed conntrack as dying */
|
|
||||||
void nf_ct_unconfirmed_destroy(struct net *);
|
|
||||||
|
|
||||||
/* Iterate over all conntracks: if iter returns true, it's deleted. */
|
/* Iterate over all conntracks: if iter returns true, it's deleted. */
|
||||||
void nf_ct_iterate_cleanup_net(struct net *net,
|
void nf_ct_iterate_cleanup_net(struct net *net,
|
||||||
int (*iter)(struct nf_conn *i, void *data),
|
int (*iter)(struct nf_conn *i, void *data),
|
||||||
|
@ -2431,20 +2431,6 @@ __nf_ct_unconfirmed_destroy(struct net *net)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void nf_ct_unconfirmed_destroy(struct net *net)
|
|
||||||
{
|
|
||||||
struct nf_conntrack_net *cnet = nf_ct_pernet(net);
|
|
||||||
|
|
||||||
might_sleep();
|
|
||||||
|
|
||||||
if (atomic_read(&cnet->count) > 0) {
|
|
||||||
__nf_ct_unconfirmed_destroy(net);
|
|
||||||
nf_queue_nf_hook_drop(net);
|
|
||||||
synchronize_net();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(nf_ct_unconfirmed_destroy);
|
|
||||||
|
|
||||||
void nf_ct_iterate_cleanup_net(struct net *net,
|
void nf_ct_iterate_cleanup_net(struct net *net,
|
||||||
int (*iter)(struct nf_conn *i, void *data),
|
int (*iter)(struct nf_conn *i, void *data),
|
||||||
void *data, u32 portid, int report)
|
void *data, u32 portid, int report)
|
||||||
|
@ -608,7 +608,9 @@ static void __net_exit cttimeout_net_exit(struct net *net)
|
|||||||
struct nfct_timeout_pernet *pernet = nfct_timeout_pernet(net);
|
struct nfct_timeout_pernet *pernet = nfct_timeout_pernet(net);
|
||||||
struct ctnl_timeout *cur, *tmp;
|
struct ctnl_timeout *cur, *tmp;
|
||||||
|
|
||||||
nf_ct_unconfirmed_destroy(net);
|
if (list_empty(&pernet->nfct_timeout_freelist))
|
||||||
|
return;
|
||||||
|
|
||||||
nf_ct_untimeout(net, NULL);
|
nf_ct_untimeout(net, NULL);
|
||||||
|
|
||||||
list_for_each_entry_safe(cur, tmp, &pernet->nfct_timeout_freelist, head) {
|
list_for_each_entry_safe(cur, tmp, &pernet->nfct_timeout_freelist, head) {
|
||||||
|
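Review bot: The new early return at `if (list_empty(&pernet->nfct_timeout_freelist))` also skips `nf_ct_untimeout(net, NULL)`, so correctness now rests on an invariant that is not stated at the check: an empty freelist must imply that no conntrack in this netns still references a timeout object, presumably because the pre-exit hook moves every timeout onto the freelist (that hook is not in this hunk). A short comment above the check would make the dependency explicit, e.g. `/* No timeout objects were ever created in this netns, so no conntrack can reference one: nothing to unlink. */`. If a timeout object can leave the pernet list without landing on the freelist, the hashtable walk would be skipped while conntracks still hold a reference, which is worth confirming against the pre-exit path. The body of cttimeout_net_exit continues past the end of the hunk.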