Revert "netfilter: nf_tables: use timestamp to check for set element timeout"
This reverts commit 7d64835c13.
This commit is contained in:
parent
c44e98a853
commit
73844bf19d
5 changed files with 12 additions and 42 deletions
|
@ -13,7 +13,6 @@
|
||||||
#include <net/netfilter/nf_flow_table.h>
|
#include <net/netfilter/nf_flow_table.h>
|
||||||
#include <net/netlink.h>
|
#include <net/netlink.h>
|
||||||
#include <net/flow_offload.h>
|
#include <net/flow_offload.h>
|
||||||
#include <net/netns/generic.h>
|
|
||||||
|
|
||||||
#define NFT_MAX_HOOKS (NF_INET_INGRESS + 1)
|
#define NFT_MAX_HOOKS (NF_INET_INGRESS + 1)
|
||||||
|
|
||||||
|
@ -687,16 +686,10 @@ static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
|
||||||
return nft_set_ext(ext, NFT_SET_EXT_EXPR);
|
return nft_set_ext(ext, NFT_SET_EXT_EXPR);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline bool __nft_set_elem_expired(const struct nft_set_ext *ext,
|
|
||||||
u64 tstamp)
|
|
||||||
{
|
|
||||||
return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
|
|
||||||
time_after_eq64(tstamp, *nft_set_ext_expiration(ext));
|
|
||||||
}
|
|
||||||
|
|
||||||
static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
|
static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
|
||||||
{
|
{
|
||||||
return __nft_set_elem_expired(ext, get_jiffies_64());
|
return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
|
||||||
|
time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext));
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
|
static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
|
||||||
|
@ -1587,19 +1580,9 @@ struct nftables_pernet {
|
||||||
struct list_head module_list;
|
struct list_head module_list;
|
||||||
struct list_head notify_list;
|
struct list_head notify_list;
|
||||||
struct mutex commit_mutex;
|
struct mutex commit_mutex;
|
||||||
u64 tstamp;
|
|
||||||
unsigned int base_seq;
|
unsigned int base_seq;
|
||||||
u8 validate_state;
|
u8 validate_state;
|
||||||
unsigned int gc_seq;
|
unsigned int gc_seq;
|
||||||
};
|
};
|
||||||
|
|
||||||
extern unsigned int nf_tables_net_id;
|
|
||||||
|
|
||||||
static inline u64 nft_net_tstamp(const struct net *net)
|
|
||||||
{
|
|
||||||
struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
|
|
||||||
|
|
||||||
return nft_net->tstamp;
|
|
||||||
}
|
|
||||||
|
|
||||||
#endif /* _NET_NF_TABLES_H */
|
#endif /* _NET_NF_TABLES_H */
|
||||||
|
|
|
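Review bot: The restored nft_set_elem_expired() reads the current jiffies on every call, so two control-plane checks inside one transaction — the .insert duplicate lookup, a later .deactivate, or the sync gc — can disagree about whether the same element has expired if its timeout lapses in between; the removed nft_net_tstamp()/nftables_pernet.tstamp path pinned one timestamp for the whole transaction, and the revert drops that without the commit description saying why. The nft_set_hash.c hunks show the packet-path callers (nft_rhash_lookup/nft_rhash_update) already used get_jiffies_64() before the revert, so the behavioural change is confined to the control-plane and gc callers. If the revert stands, the helper should say so explicitly, e.g. `/* Evaluated against current jiffies on each call; two calls within the same transaction may disagree once the timeout lapses. */` above nft_set_elem_expired().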
@ -9034,7 +9034,6 @@ static bool nf_tables_valid_genid(struct net *net, u32 genid)
|
||||||
bool genid_ok;
|
bool genid_ok;
|
||||||
|
|
||||||
mutex_lock(&nft_net->commit_mutex);
|
mutex_lock(&nft_net->commit_mutex);
|
||||||
nft_net->tstamp = get_jiffies_64();
|
|
||||||
|
|
||||||
genid_ok = genid == 0 || nft_net->base_seq == genid;
|
genid_ok = genid == 0 || nft_net->base_seq == genid;
|
||||||
if (!genid_ok)
|
if (!genid_ok)
|
||||||
|
|
|
@ -38,7 +38,6 @@ struct nft_rhash_cmp_arg {
|
||||||
const struct nft_set *set;
|
const struct nft_set *set;
|
||||||
const u32 *key;
|
const u32 *key;
|
||||||
u8 genmask;
|
u8 genmask;
|
||||||
u64 tstamp;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
static inline u32 nft_rhash_key(const void *data, u32 len, u32 seed)
|
static inline u32 nft_rhash_key(const void *data, u32 len, u32 seed)
|
||||||
|
@ -65,7 +64,7 @@ static inline int nft_rhash_cmp(struct rhashtable_compare_arg *arg,
|
||||||
return 1;
|
return 1;
|
||||||
if (nft_set_elem_is_dead(&he->ext))
|
if (nft_set_elem_is_dead(&he->ext))
|
||||||
return 1;
|
return 1;
|
||||||
if (__nft_set_elem_expired(&he->ext, x->tstamp))
|
if (nft_set_elem_expired(&he->ext))
|
||||||
return 1;
|
return 1;
|
||||||
if (!nft_set_elem_active(&he->ext, x->genmask))
|
if (!nft_set_elem_active(&he->ext, x->genmask))
|
||||||
return 1;
|
return 1;
|
||||||
|
@ -89,7 +88,6 @@ static bool nft_rhash_lookup(const struct net *net, const struct nft_set *set,
|
||||||
.genmask = nft_genmask_cur(net),
|
.genmask = nft_genmask_cur(net),
|
||||||
.set = set,
|
.set = set,
|
||||||
.key = key,
|
.key = key,
|
||||||
.tstamp = get_jiffies_64(),
|
|
||||||
};
|
};
|
||||||
|
|
||||||
he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
|
he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
|
||||||
|
@ -108,7 +106,6 @@ static void *nft_rhash_get(const struct net *net, const struct nft_set *set,
|
||||||
.genmask = nft_genmask_cur(net),
|
.genmask = nft_genmask_cur(net),
|
||||||
.set = set,
|
.set = set,
|
||||||
.key = elem->key.val.data,
|
.key = elem->key.val.data,
|
||||||
.tstamp = get_jiffies_64(),
|
|
||||||
};
|
};
|
||||||
|
|
||||||
he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
|
he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
|
||||||
|
@ -132,7 +129,6 @@ static bool nft_rhash_update(struct nft_set *set, const u32 *key,
|
||||||
.genmask = NFT_GENMASK_ANY,
|
.genmask = NFT_GENMASK_ANY,
|
||||||
.set = set,
|
.set = set,
|
||||||
.key = key,
|
.key = key,
|
||||||
.tstamp = get_jiffies_64(),
|
|
||||||
};
|
};
|
||||||
|
|
||||||
he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
|
he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
|
||||||
|
@ -176,7 +172,6 @@ static int nft_rhash_insert(const struct net *net, const struct nft_set *set,
|
||||||
.genmask = nft_genmask_next(net),
|
.genmask = nft_genmask_next(net),
|
||||||
.set = set,
|
.set = set,
|
||||||
.key = elem->key.val.data,
|
.key = elem->key.val.data,
|
||||||
.tstamp = nft_net_tstamp(net),
|
|
||||||
};
|
};
|
||||||
struct nft_rhash_elem *prev;
|
struct nft_rhash_elem *prev;
|
||||||
|
|
||||||
|
@ -219,7 +214,6 @@ static void *nft_rhash_deactivate(const struct net *net,
|
||||||
.genmask = nft_genmask_next(net),
|
.genmask = nft_genmask_next(net),
|
||||||
.set = set,
|
.set = set,
|
||||||
.key = elem->key.val.data,
|
.key = elem->key.val.data,
|
||||||
.tstamp = nft_net_tstamp(net),
|
|
||||||
};
|
};
|
||||||
|
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
|
|
|
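Review bot: nft_rhash_cmp() now evaluates expiry against the current time for every caller, and the nft_rhash_insert()/nft_rhash_deactivate() hunks no longer pass a transaction-wide timestamp, so an element found by the duplicate check in insert can be reported as absent by a deactivate later in the same transaction once its timeout lapses, because the comparator returns 1 for expired entries and rhashtable_lookup() then misses it. Whether that ends in a leak or an error on the abort path cannot be told from this hunk; it at least merits a comment on the expiry check in nft_rhash_cmp: `/* checked against current jiffies: control-plane lookups in one transaction are not guaranteed to agree */`. The bodies of nft_rhash_insert() and nft_rhash_deactivate() continue outside their hunks.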
@ -504,7 +504,6 @@ out:
|
||||||
* @set: nftables API set representation
|
* @set: nftables API set representation
|
||||||
* @data: Key data to be matched against existing elements
|
* @data: Key data to be matched against existing elements
|
||||||
* @genmask: If set, check that element is active in given genmask
|
* @genmask: If set, check that element is active in given genmask
|
||||||
* @tstamp: timestamp to check for expired elements
|
|
||||||
*
|
*
|
||||||
* This is essentially the same as the lookup function, except that it matches
|
* This is essentially the same as the lookup function, except that it matches
|
||||||
* key data against the uncommitted copy and doesn't use preallocated maps for
|
* key data against the uncommitted copy and doesn't use preallocated maps for
|
||||||
|
@ -514,8 +513,7 @@ out:
|
||||||
*/
|
*/
|
||||||
static struct nft_pipapo_elem *pipapo_get(const struct net *net,
|
static struct nft_pipapo_elem *pipapo_get(const struct net *net,
|
||||||
const struct nft_set *set,
|
const struct nft_set *set,
|
||||||
const u8 *data, u8 genmask,
|
const u8 *data, u8 genmask)
|
||||||
u64 tstamp)
|
|
||||||
{
|
{
|
||||||
struct nft_pipapo_elem *ret = ERR_PTR(-ENOENT);
|
struct nft_pipapo_elem *ret = ERR_PTR(-ENOENT);
|
||||||
struct nft_pipapo *priv = nft_set_priv(set);
|
struct nft_pipapo *priv = nft_set_priv(set);
|
||||||
|
@ -568,7 +566,7 @@ next_match:
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
if (last) {
|
if (last) {
|
||||||
if (__nft_set_elem_expired(&f->mt[b].e->ext, tstamp))
|
if (nft_set_elem_expired(&f->mt[b].e->ext))
|
||||||
goto next_match;
|
goto next_match;
|
||||||
if ((genmask &&
|
if ((genmask &&
|
||||||
!nft_set_elem_active(&f->mt[b].e->ext, genmask)))
|
!nft_set_elem_active(&f->mt[b].e->ext, genmask)))
|
||||||
|
@ -605,7 +603,7 @@ static void *nft_pipapo_get(const struct net *net, const struct nft_set *set,
|
||||||
const struct nft_set_elem *elem, unsigned int flags)
|
const struct nft_set_elem *elem, unsigned int flags)
|
||||||
{
|
{
|
||||||
return pipapo_get(net, set, (const u8 *)elem->key.val.data,
|
return pipapo_get(net, set, (const u8 *)elem->key.val.data,
|
||||||
nft_genmask_cur(net), get_jiffies_64());
|
nft_genmask_cur(net));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1199,7 +1197,6 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
|
||||||
struct nft_pipapo *priv = nft_set_priv(set);
|
struct nft_pipapo *priv = nft_set_priv(set);
|
||||||
struct nft_pipapo_match *m = priv->clone;
|
struct nft_pipapo_match *m = priv->clone;
|
||||||
u8 genmask = nft_genmask_next(net);
|
u8 genmask = nft_genmask_next(net);
|
||||||
u64 tstamp = nft_net_tstamp(net);
|
|
||||||
struct nft_pipapo_field *f;
|
struct nft_pipapo_field *f;
|
||||||
const u8 *start_p, *end_p;
|
const u8 *start_p, *end_p;
|
||||||
int i, bsize_max, err = 0;
|
int i, bsize_max, err = 0;
|
||||||
|
@ -1209,7 +1206,7 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
|
||||||
else
|
else
|
||||||
end = start;
|
end = start;
|
||||||
|
|
||||||
dup = pipapo_get(net, set, start, genmask, tstamp);
|
dup = pipapo_get(net, set, start, genmask);
|
||||||
if (!IS_ERR(dup)) {
|
if (!IS_ERR(dup)) {
|
||||||
/* Check if we already have the same exact entry */
|
/* Check if we already have the same exact entry */
|
||||||
const struct nft_data *dup_key, *dup_end;
|
const struct nft_data *dup_key, *dup_end;
|
||||||
|
@ -1231,7 +1228,7 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
|
||||||
|
|
||||||
if (PTR_ERR(dup) == -ENOENT) {
|
if (PTR_ERR(dup) == -ENOENT) {
|
||||||
/* Look for partially overlapping entries */
|
/* Look for partially overlapping entries */
|
||||||
dup = pipapo_get(net, set, end, nft_genmask_next(net), tstamp);
|
dup = pipapo_get(net, set, end, nft_genmask_next(net));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (PTR_ERR(dup) != -ENOENT) {
|
if (PTR_ERR(dup) != -ENOENT) {
|
||||||
|
@ -1583,7 +1580,6 @@ static void pipapo_gc(const struct nft_set *_set, struct nft_pipapo_match *m)
|
||||||
struct nft_set *set = (struct nft_set *) _set;
|
struct nft_set *set = (struct nft_set *) _set;
|
||||||
struct nft_pipapo *priv = nft_set_priv(set);
|
struct nft_pipapo *priv = nft_set_priv(set);
|
||||||
struct net *net = read_pnet(&set->net);
|
struct net *net = read_pnet(&set->net);
|
||||||
u64 tstamp = nft_net_tstamp(net);
|
|
||||||
int rules_f0, first_rule = 0;
|
int rules_f0, first_rule = 0;
|
||||||
struct nft_trans_gc *gc;
|
struct nft_trans_gc *gc;
|
||||||
|
|
||||||
|
@ -1617,7 +1613,7 @@ static void pipapo_gc(const struct nft_set *_set, struct nft_pipapo_match *m)
|
||||||
/* synchronous gc never fails, there is no need to set on
|
/* synchronous gc never fails, there is no need to set on
|
||||||
* NFT_SET_ELEM_DEAD_BIT.
|
* NFT_SET_ELEM_DEAD_BIT.
|
||||||
*/
|
*/
|
||||||
if (__nft_set_elem_expired(&e->ext, tstamp)) {
|
if (nft_set_elem_expired(&e->ext)) {
|
||||||
priv->dirty = true;
|
priv->dirty = true;
|
||||||
|
|
||||||
gc = nft_trans_gc_queue_sync(gc, GFP_ATOMIC);
|
gc = nft_trans_gc_queue_sync(gc, GFP_ATOMIC);
|
||||||
|
@ -1776,7 +1772,7 @@ static void *pipapo_deactivate(const struct net *net, const struct nft_set *set,
|
||||||
{
|
{
|
||||||
struct nft_pipapo_elem *e;
|
struct nft_pipapo_elem *e;
|
||||||
|
|
||||||
e = pipapo_get(net, set, data, nft_genmask_next(net), nft_net_tstamp(net));
|
e = pipapo_get(net, set, data, nft_genmask_next(net));
|
||||||
if (IS_ERR(e))
|
if (IS_ERR(e))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
|
|
|
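Review bot: In nft_pipapo_insert() the two overlap lookups now sample the clock independently — pipapo_get() skips expired elements (`if (nft_set_elem_expired(&f->mt[b].e->ext)) goto next_match;`), so an element whose timeout lapses between the `start` lookup and the `end` lookup is visible to one and not the other, and the partial-overlap verdict can depend on timing. Separately, the second call passes `nft_genmask_next(net)` although `genmask` is already initialised from nft_genmask_next(net) at the top of the function; `dup = pipapo_get(net, set, end, genmask);` keeps the two calls consistent. pipapo_gc() in the later hunk has the same per-element clock sampling; both function bodies start and end outside their hunks.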
@ -316,7 +316,6 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
|
||||||
struct nft_rbtree *priv = nft_set_priv(set);
|
struct nft_rbtree *priv = nft_set_priv(set);
|
||||||
u8 cur_genmask = nft_genmask_cur(net);
|
u8 cur_genmask = nft_genmask_cur(net);
|
||||||
u8 genmask = nft_genmask_next(net);
|
u8 genmask = nft_genmask_next(net);
|
||||||
u64 tstamp = nft_net_tstamp(net);
|
|
||||||
int d;
|
int d;
|
||||||
|
|
||||||
/* Descend the tree to search for an existing element greater than the
|
/* Descend the tree to search for an existing element greater than the
|
||||||
|
@ -364,7 +363,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
|
||||||
/* perform garbage collection to avoid bogus overlap reports
|
/* perform garbage collection to avoid bogus overlap reports
|
||||||
* but skip new elements in this transaction.
|
* but skip new elements in this transaction.
|
||||||
*/
|
*/
|
||||||
if (__nft_set_elem_expired(&rbe->ext, tstamp) &&
|
if (nft_set_elem_expired(&rbe->ext) &&
|
||||||
nft_set_elem_active(&rbe->ext, cur_genmask)) {
|
nft_set_elem_active(&rbe->ext, cur_genmask)) {
|
||||||
const struct nft_rbtree_elem *removed_end;
|
const struct nft_rbtree_elem *removed_end;
|
||||||
|
|
||||||
|
@ -551,7 +550,6 @@ static void *nft_rbtree_deactivate(const struct net *net,
|
||||||
const struct rb_node *parent = priv->root.rb_node;
|
const struct rb_node *parent = priv->root.rb_node;
|
||||||
struct nft_rbtree_elem *rbe, *this = elem->priv;
|
struct nft_rbtree_elem *rbe, *this = elem->priv;
|
||||||
u8 genmask = nft_genmask_next(net);
|
u8 genmask = nft_genmask_next(net);
|
||||||
u64 tstamp = nft_net_tstamp(net);
|
|
||||||
int d;
|
int d;
|
||||||
|
|
||||||
while (parent != NULL) {
|
while (parent != NULL) {
|
||||||
|
@ -572,7 +570,7 @@ static void *nft_rbtree_deactivate(const struct net *net,
|
||||||
nft_rbtree_interval_end(this)) {
|
nft_rbtree_interval_end(this)) {
|
||||||
parent = parent->rb_right;
|
parent = parent->rb_right;
|
||||||
continue;
|
continue;
|
||||||
} else if (__nft_set_elem_expired(&rbe->ext, tstamp)) {
|
} else if (nft_set_elem_expired(&rbe->ext)) {
|
||||||
break;
|
break;
|
||||||
} else if (!nft_set_elem_active(&rbe->ext, genmask)) {
|
} else if (!nft_set_elem_active(&rbe->ext, genmask)) {
|
||||||
parent = parent->rb_left;
|
parent = parent->rb_left;
|
||||||
|
|
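Review bot: nft_rbtree_deactivate() now breaks out of the walk as soon as it meets an element that nft_set_elem_expired() reports expired against the current jiffies, while __nft_rbtree_insert() in the earlier hunk deliberately skips gc of elements that are not active in cur_genmask; an element added earlier in the same transaction that expires before deactivate runs is therefore still in the tree but presumably treated as not found by the caller. The removed nft_net_tstamp() argument made both checks use one timestamp; with it gone, the commit description should state why that is acceptable, or the `break` deserves a comment such as `/* expired against current jiffies: may differ from the insert-time check */`. Both function bodies continue outside their hunks.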