[SRU][F:linux-bluefield][PATCH] UBUNTU: SAUCE: netfilter: conntrack: Check offload bit on table dump

[Daniel Jurgens]

From: Roi Dayan <roid at nvidia.com>

BugLink: https://bugs.launchpad.net/bugs/1929458

If the conntrack entry is owned by the flow table offload infrastructure
then don't do garbage collect when dumping the entries.
The entry offload timeout might not be updated as the flow timeout being
updated.

To reproduce the issue we can do conntrack -L or cat
/proc/net/nf_conntrack while rules being offloaded.
Sometimes rules will get deleted because ct timeout expired.
So check the offload bit like gc_worker() as others loops does.

This is not a final fix and still being investigated why ct initial timeout
was not enough before offload path updated the ct timeout to a day.

Fixes: 90964016e5d3 ("netfilter: nf_conntrack: add IPS_OFFLOAD status bit")
Signed-off-by: Roi Dayan <roid at nvidia.com>
Signed-off-by: Daniel Jurgens <danielj at nvidia.com>
---
 include/net/netfilter/nf_conntrack.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index c7bfddf..4f51b62 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -276,7 +276,7 @@ static inline bool nf_ct_is_expired(const struct nf_conn *ct)
 static inline bool nf_ct_should_gc(const struct nf_conn *ct)
 {
 	return nf_ct_is_expired(ct) && nf_ct_is_confirmed(ct) &&
-	       !nf_ct_is_dying(ct);
+	       !nf_ct_is_dying(ct) && !test_bit(IPS_OFFLOAD_BIT, &ct->status);
 }
 
 #define	NF_CT_DAY	(86400 * HZ)
-- 
1.8.3.1