netfilter: nft_set_rbtree: .deactivate fails if element has expired
commit d111692a59c1470ae530cbb39bcf0346c950ecc7 upstream.
This allows to remove an expired element which is not possible in other
existing set backends, this is more noticeable if gc-interval is high so
expired elements remain in the tree. On-demand gc also does not help in
this case, because this is delete element path. Return NULL if element
has expired.
Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Pablo Neira Ayuso
Ksawlii
parent
e7627cae4b
commit
6ec5dda291
1 changed files with 2 additions and 0 deletions
|
|
@ -570,6 +570,8 @@ static void *nft_rbtree_deactivate(const struct net *net,
|
||||||
nft_rbtree_interval_end(this)) {
|
nft_rbtree_interval_end(this)) {
|
||||||
parent = parent->rb_right;
|
parent = parent->rb_right;
|
||||||
continue;
|
continue;
|
||||||
|
} else if (nft_set_elem_expired(&rbe->ext)) {
|
||||||
|
break;
|
||||||
} else if (!nft_set_elem_active(&rbe->ext, genmask)) {
|
} else if (!nft_set_elem_active(&rbe->ext, genmask)) {
|
||||||
parent = parent->rb_left;
|
parent = parent->rb_left;
|
||||||
continue;
|
continue;
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue