
netfilter: nft_connlimit: add support to object update operation

This is useful to update the limit or flags without clearing the
connections tracked. Use READ_ONCE() on the packet path, as these
values can be modified from the control plane.

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Fernando Fernandez Mancera and committed by
Pablo Neira Ayuso
c4cbe4a4 69894e5b

+12 -1
+12 -1
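--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -44,7 +44,7 @@
 
 	count = READ_ONCE(priv->list->count);
 
-	if ((count > priv->limit) ^ priv->invert) {
+	if ((count > READ_ONCE(priv->limit)) ^ READ_ONCE(priv->invert)) {
 		regs->verdict.code = NFT_BREAK;
 		return;
 	}
@@ -131,6 +131,16 @@
 	return nft_connlimit_do_init(ctx, tb, priv);
 }
 
+static void nft_connlimit_obj_update(struct nft_object *obj,
+				     struct nft_object *newobj)
+{
+	struct nft_connlimit *newpriv = nft_obj_data(newobj);
+	struct nft_connlimit *priv = nft_obj_data(obj);
+
+	WRITE_ONCE(priv->limit, newpriv->limit);
+	WRITE_ONCE(priv->invert, newpriv->invert);
+}
+
 static void nft_connlimit_obj_destroy(const struct nft_ctx *ctx,
 				     struct nft_object *obj)
 {
@@ -160,6 +170,7 @@
 	.init = nft_connlimit_obj_init,
 	.destroy = nft_connlimit_obj_destroy,
 	.dump = nft_connlimit_obj_dump,
+	.update = nft_connlimit_obj_update,
 };
 
 static struct nft_object_type nft_connlimit_obj_type __read_mostly = {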
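Review bot: nft_connlimit_obj_update stores `limit` and `invert` with two separate WRITE_ONCE() calls, so a packet going through the READ_ONCE() pair in the first hunk concurrently can observe the new limit combined with the old invert flag (or the reverse) and get a verdict that neither the old nor the new configuration would produce; the window is short and costs at most a few misjudged packets, but that trade-off should be stated above the function, e.g. `/* limit and invert are not updated atomically as a pair; a packet evaluated during the update may briefly see a mix of old and new values. */`. It is also worth confirming who releases newobj's connection list once ->update returns: newobj was set up through nft_connlimit_obj_init (and so nft_connlimit_do_init, which lies outside this hunk), the update copies only the two scalars, and if the core frees newobj without going through ->destroy that list would leak. The function containing the first hunk starts outside the hunk.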