netfilter: nf_flow_table: do not flow offload deleted conntrack entries - openslx/kernel-qcow2-linux.git

diff options

author	Taehee Yoo	2019-04-30 15:56:14 +0200
committer	Pablo Neira Ayuso	2019-05-06 15:15:09 +0200
commit	8cd2bc981c5335cacc432cba7666c2741c3e912f (patch)
tree	8de1f99a7e53dfc00f572dfb356ffa46b4be1ae0 /net/bridge
parent	netfilter: nf_conntrack_h323: Remove deprecated config check (diff)
download	kernel-qcow2-linux-8cd2bc981c5335cacc432cba7666c2741c3e912f.tar.gz kernel-qcow2-linux-8cd2bc981c5335cacc432cba7666c2741c3e912f.tar.xz kernel-qcow2-linux-8cd2bc981c5335cacc432cba7666c2741c3e912f.zip

netfilter: nf_flow_table: do not flow offload deleted conntrack entries

Conntrack entries can be deleted by the masquerade module. In that case, flow offload should be deleted too, but GC and data-path of flow offload do not check for conntrack status bits, hence flow offload entries will be removed only by the timeout. Update garbage collector and data-path to check for ct->status. If IPS_DYING_BIT is set, garbage collector removes flow offload entries and data-path routine ignores them. Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'net/bridge')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: