netfilter: flowtable: remove dying bit, use teardown bit instead
authorPablo Neira Ayuso <pablo@netfilter.org>
Sun, 5 Jan 2020 21:00:57 +0000 (22:00 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 16 Jan 2020 14:51:49 +0000 (15:51 +0100)
The dying bit removes the conntrack entry if the netdev that owns this
flow is going down. Instead, use the teardown mechanism to push back the
flow to conntrack to let the classic software path decide what to do
with it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nf_flow_table.h
net/netfilter/nf_flow_table_core.c

index 415b8f49d1509f1fa48ee45d4e9917d70a20054e..4ad924d5f983d7ccdf74069032d2056f59cca84f 100644 (file)
@@ -85,7 +85,6 @@ struct flow_offload_tuple_rhash {
 
 #define FLOW_OFFLOAD_SNAT      0x1
 #define FLOW_OFFLOAD_DNAT      0x2
-#define FLOW_OFFLOAD_DYING     0x4
 #define FLOW_OFFLOAD_TEARDOWN  0x8
 #define FLOW_OFFLOAD_HW                0x10
 #define FLOW_OFFLOAD_HW_DYING  0x20
@@ -134,10 +133,6 @@ int nf_flow_table_init(struct nf_flowtable *flow_table);
 void nf_flow_table_free(struct nf_flowtable *flow_table);
 
 void flow_offload_teardown(struct flow_offload *flow);
-static inline void flow_offload_dead(struct flow_offload *flow)
-{
-       flow->flags |= FLOW_OFFLOAD_DYING;
-}
 
 int nf_flow_snat_port(const struct flow_offload *flow,
                      struct sk_buff *skb, unsigned int thoff,
index 9e6de2bbeccb8b07e3afff597b586a29d7742d7c..a9ed93a9e0074a6a2ffef8cb97ade1271859d8df 100644 (file)
@@ -182,8 +182,6 @@ void flow_offload_free(struct flow_offload *flow)
        default:
                break;
        }
-       if (flow->flags & FLOW_OFFLOAD_DYING)
-               nf_ct_delete(flow->ct, 0, 0);
        nf_ct_put(flow->ct);
        kfree_rcu(flow, rcu_head);
 }
@@ -300,7 +298,7 @@ flow_offload_lookup(struct nf_flowtable *flow_table,
 
        dir = tuplehash->tuple.dir;
        flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
-       if (flow->flags & (FLOW_OFFLOAD_DYING | FLOW_OFFLOAD_TEARDOWN))
+       if (flow->flags & FLOW_OFFLOAD_TEARDOWN)
                return NULL;
 
        if (unlikely(nf_ct_is_dying(flow->ct)))
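Review bot: With FLOW_OFFLOAD_DYING gone, the test `if (flow->flags & FLOW_OFFLOAD_TEARDOWN)` is the only flag check in flow_offload_lookup that keeps a flow of a downed device off the fast path, and it reads a flags word that appears to be updated with plain read-modify-write. The removed helper did `flow->flags |= FLOW_OFFLOAD_DYING;`, and the gc hunk tests FLOW_OFFLOAD_HW and FLOW_OFFLOAD_HW_DYING on the same word, so if those bits are set from another context a concurrent `|=` could lose the teardown bit and packets would keep bypassing the classic path. I would either move the flags to atomic bit operations (`set_bit()`/`test_bit()` on an `unsigned long`) or add a comment here naming what serializes the writers. flow_offload_lookup starts and ends outside this hunk and the writers are not visible here, so this needs confirming against the full file.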
@@ -349,7 +347,7 @@ static void nf_flow_offload_gc_step(struct flow_offload *flow, void *data)
        struct nf_flowtable *flow_table = data;
 
        if (nf_flow_has_expired(flow) || nf_ct_is_dying(flow->ct) ||
-           (flow->flags & (FLOW_OFFLOAD_DYING | FLOW_OFFLOAD_TEARDOWN))) {
+           (flow->flags & FLOW_OFFLOAD_TEARDOWN)) {
                if (flow->flags & FLOW_OFFLOAD_HW) {
                        if (!(flow->flags & FLOW_OFFLOAD_HW_DYING))
                                nf_flow_offload_del(flow_table, flow);
@@ -523,7 +521,7 @@ static void nf_flow_table_do_cleanup(struct flow_offload *flow, void *data)
        if (net_eq(nf_ct_net(flow->ct), dev_net(dev)) &&
            (flow->tuplehash[0].tuple.iifidx == dev->ifindex ||
             flow->tuplehash[1].tuple.iifidx == dev->ifindex))
-               flow_offload_dead(flow);
+               flow_offload_teardown(flow);
 }
 
 static void nf_flow_table_iterate_cleanup(struct nf_flowtable *flowtable,
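Review bot: The call `flow_offload_teardown(flow);` in nf_flow_table_do_cleanup changes what happens to established connections when their device goes away, and nothing at the call site says so. Before, the flow was marked dying and flow_offload_free() deleted the conntrack entry; now the entry survives and, per the commit message, is handed back to the software path, so it presumably lives until its conntrack timeout. I would add a comment above the call such as `/* Device is going down: hand the flow back to conntrack instead of deleting the entry; the classic path decides its fate. */`. It is also worth confirming that flow_offload_teardown(), whose body is outside this diff, is safe to call from this cleanup iteration while the packet path is running. The start of nf_flow_table_do_cleanup is outside the hunk.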