
netfilter: remove nf_ct_unconfirmed_destroy helper

This helper tags connections not yet in the conntrack table as
dying. These nf_conn entries will be dropped instead when the
core attempts to insert them from the input or postrouting
'confirm' hook.

After the previous change, the entries get unlinked from the
list earlier, so that by the time the actual exit hook runs,
new connections no longer have a timeout policy assigned.

It's enough to walk the hashtable instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Authored by Florian Westphal and committed by Pablo Neira Ayuso
17438b42 78222bac

+3 -18
-3
include/net/netfilter/nf_conntrack.h
··· 237 237 return nf_ct_delete(ct, 0, 0); 238 238 } 239 239 240 - /* Set all unconfirmed conntrack as dying */ 241 - void nf_ct_unconfirmed_destroy(struct net *); 242 - 243 240 /* Iterate over all conntracks: if iter returns true, it's deleted. */ 244 241 void nf_ct_iterate_cleanup_net(struct net *net, 245 242 int (*iter)(struct nf_conn *i, void *data),
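Review bot: the prototype for nf_ct_unconfirmed_destroy() is dropped here, but nothing in this diff removes a caller; the commit message leans on "the previous change" for that. Please confirm the series applies cleanly in order so that no intermediate commit leaves a call site without a declaration (bisect safety), and consider stating in the message which file the last caller lived in.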
-14
net/netfilter/nf_conntrack_core.c
··· 2431 2431 } 2432 2432 } 2433 2433 2434 - void nf_ct_unconfirmed_destroy(struct net *net) 2435 - { 2436 - struct nf_conntrack_net *cnet = nf_ct_pernet(net); 2437 - 2438 - might_sleep(); 2439 - 2440 - if (atomic_read(&cnet->count) > 0) { 2441 - __nf_ct_unconfirmed_destroy(net); 2442 - nf_queue_nf_hook_drop(net); 2443 - synchronize_net(); 2444 - } 2445 - } 2446 - EXPORT_SYMBOL_GPL(nf_ct_unconfirmed_destroy); 2447 - 2448 2434 void nf_ct_iterate_cleanup_net(struct net *net, 2449 2435 int (*iter)(struct nf_conn *i, void *data), 2450 2436 void *data, u32 portid, int report)
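Review bot: the removed body is the only call to __nf_ct_unconfirmed_destroy(net) visible in this hunk; if that was its sole user, the static helper is now dead code and should go in the same patch, otherwise the build will warn about an unused function. The removed function also did `nf_queue_nf_hook_drop(net)` followed by `synchronize_net()` before returning; the message says walking the hashtable is enough, so it would help to spell out which remaining cleanup path now drops queued packets and waits for the RCU grace period, since the hashtable walk alone does not cover entries still sitting in nf_queue.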