ACK/Cmnt: [SRU][F:linux-bluefield][PATCH v1 1/1] netfilter: ctnetlink: Support offloaded conntrack entry deletion
Andrei Gherzan
andrei.gherzan at canonical.com
Wed Apr 5 13:11:51 UTC 2023
On 23/04/04 09:38PM, William Tu wrote:
> From: Paul Blakey <paulb at nvidia.com>
>
> BugLink: https://bugs.launchpad.net/bugs/2015293
>
> Currently, offloaded conntrack entries (flows) can only be deleted
> after they are removed from offload, which is either by timeout,
> tcp state change or tc ct rule deletion. This can cause issues for
> users wishing to manually delete or flush existing entries.
>
> Support deletion of offloaded conntrack entries.
>
> Example usage:
> # Delete all offloaded (and non offloaded) conntrack entries
> # whose source address is 1.2.3.4
> $ conntrack -D -s 1.2.3.4
> # Delete all entries
> $ conntrack -F
>
> Signed-off-by: Paul Blakey <paulb at nvidia.com>
> Reviewed-by: Simon Horman <simon.horman at corigine.com>
> Acked-by: Pablo Neira Ayuso <pablo at netfilter.org>
> Signed-off-by: Florian Westphal <fw at strlen.de>
> (cherry picked from commit 9b7c68b3911aef84afa4cbfc31bce20f10570d51)
This is in linux-next from next-20230403. That should be mentioned here
(we can do that when we apply the patch though).
> Signed-off-by: Paul Blakey <paulb at nvidia.com>
> Signed-off-by: William Tu <witu at nvidia.com>
Acked-by: Andrei Gherzan <andrei.gherzan at canonical.com>
> ---
> net/netfilter/nf_conntrack_netlink.c | 8 --------
> 1 file changed, 8 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index d6339db2c540..f92154882a0b 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -1229,9 +1229,6 @@ static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
>
> static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
> {
> - if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
> - return 0;
> -
> return ctnetlink_filter_match(ct, data);
> }
>
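Review bot: in ctnetlink_flush_iterate, once the IPS_OFFLOAD_BIT test is gone the function is a bare pass-through to ctnetlink_filter_match(ct, data), and nothing at this site records that offloaded entries are now deliberately included in a flush. A one-line comment saying so would help keep a later reader from reintroducing the skip. The SRU justification should also call out that `conntrack -F` changes behaviour for existing users: entries that were previously skipped are now handed to the filter match like any other.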
> @@ -1294,11 +1291,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
>
> ct = nf_ct_tuplehash_to_ctrack(h);
>
> - if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
> - nf_ct_put(ct);
> - return -EBUSY;
> - }
> -
> if (cda[CTA_ID]) {
> __be32 id = nla_get_be32(cda[CTA_ID]);
>
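Review bot: in ctnetlink_del_conntrack, the removed block was what returned -EBUSY for an entry with IPS_OFFLOAD_BIT set, and the commit message does not say what tears down the flow's offload state once the conntrack entry is deleted underneath it. Please name in the changelog the path that handles this, since nothing in this hunk does. It is also worth noting that userspace which relied on -EBUSY to detect an offloaded entry will no longer receive it.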
> --
> 2.34.1
--
Andrei Gherzan