diff mbox series

[net-next,01/16] netfilter: ctnetlink: support CTA_FILTER for flush

Message ID 20240905232920.5481-2-pablo@netfilter.org (mailing list archive)
State Accepted
Commit 1ef7f50ccc6e8e2b5de96ad1e304684a277a3055
Delegated to: Netdev Maintainers
Headers show
Series [net-next,01/16] netfilter: ctnetlink: support CTA_FILTER for flush | expand

Checks

Context Check Description
netdev/series_format warning Pull request is its own cover letter; Series longer than 15 patches (PR)
netdev/tree_selection success Clearly marked for net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 16 this patch: 16
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 2 maintainers not CCed: coreteam@netfilter.org kadlec@netfilter.org
netdev/build_clang success Errors and warnings before: 16 this patch: 16
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 17 this patch: 17
netdev/checkpatch warning WARNING: line length of 85 exceeds 80 columns
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-09-06--21-00 (tests: 721)

Commit Message

Pablo Neira Ayuso Sept. 5, 2024, 11:29 p.m. UTC 
From: Changliang Wu <changliang.wu@smartx.com>

From cb8aa9a, we can use kernel side filtering for dump, but
this capability is not available for flush.

This Patch allows advanced filter with CTA_FILTER for flush

Performace
1048576 ct flows in total, delete 50,000 flows by origin src ip
3.06s -> dump all, compare and delete
584ms -> directly flush with filter

Signed-off-by: Changliang Wu <changliang.wu@smartx.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_netlink.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

Comments

patchwork-bot+netdevbpf@kernel.org Sept. 7, 2024, 2:10 a.m. UTC | #1 
Hello:

This series was applied to netdev/net-next.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Fri,  6 Sep 2024 01:29:05 +0200 you wrote:
> From: Changliang Wu <changliang.wu@smartx.com>
> 
> From cb8aa9a, we can use kernel side filtering for dump, but
> this capability is not available for flush.
> 
> This Patch allows advanced filter with CTA_FILTER for flush
> 
> [...]

Here is the summary with links:
  - [net-next,01/16] netfilter: ctnetlink: support CTA_FILTER for flush
    https://git.kernel.org/netdev/net-next/c/1ef7f50ccc6e
  - [net-next,02/16] netfilter: nft_counter: Use u64_stats_t for statistic.
    https://git.kernel.org/netdev/net-next/c/4a1d3acd6ea8
  - [net-next,03/16] netfilter: Use kmemdup_array instead of kmemdup for multiple allocation
    https://git.kernel.org/netdev/net-next/c/20eb5e7cb78c
  - [net-next,04/16] netfilter: conntrack: Convert to use ERR_CAST()
    https://git.kernel.org/netdev/net-next/c/09c0d0aef56b
  - [net-next,05/16] netfilter: nf_tables: drop unused 3rd argument from validate callback ops
    https://git.kernel.org/netdev/net-next/c/eaf9b2c875ec
  - [net-next,06/16] netfilter: nf_tables: Correct spelling in nf_tables.h
    https://git.kernel.org/netdev/net-next/c/85dfb34bb7d2
  - [net-next,07/16] netfilter: nf_tables: Add missing Kernel doc
    https://git.kernel.org/netdev/net-next/c/c362646b6fc1
  - [net-next,08/16] netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire
    https://git.kernel.org/netdev/net-next/c/e0c47281723f
  - [net-next,09/16] netfilter: nf_tables: reject element expiration with no timeout
    https://git.kernel.org/netdev/net-next/c/d2dc429ecb4e
  - [net-next,10/16] netfilter: nf_tables: reject expiration higher than timeout
    https://git.kernel.org/netdev/net-next/c/c0f38a8c6017
  - [net-next,11/16] netfilter: nf_tables: remove annotation to access set timeout while holding lock
    https://git.kernel.org/netdev/net-next/c/15d8605c0cf4
  - [net-next,12/16] netfilter: nft_dynset: annotate data-races around set timeout
    https://git.kernel.org/netdev/net-next/c/c5ad8ed61fa8
  - [net-next,13/16] netfilter: nf_tables: annotate data-races around element expiration
    https://git.kernel.org/netdev/net-next/c/73d3c04b710f
  - [net-next,14/16] netfilter: nf_tables: consolidate timeout extension for elements
    https://git.kernel.org/netdev/net-next/c/4c5daea9af4f
  - [net-next,15/16] netfilter: nf_tables: zero timeout means element never times out
    https://git.kernel.org/netdev/net-next/c/8bfb74ae12fa
  - [net-next,16/16] netfilter: nf_tables: set element timeout update support
    https://git.kernel.org/netdev/net-next/c/4201f3938914

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 4cbf71d0786b..123e2e933e9b 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1579,9 +1579,6 @@  static int ctnetlink_flush_conntrack(struct net *net,
 	};
 
 	if (ctnetlink_needs_filter(family, cda)) {
-		if (cda[CTA_FILTER])
-			return -EOPNOTSUPP;
-
 		filter = ctnetlink_alloc_filter(cda, family);
 		if (IS_ERR(filter))
 			return PTR_ERR(filter);
@@ -1610,14 +1607,14 @@  static int ctnetlink_del_conntrack(struct sk_buff *skb,
 	if (err < 0)
 		return err;
 
-	if (cda[CTA_TUPLE_ORIG])
+	if (cda[CTA_TUPLE_ORIG] && !cda[CTA_FILTER])
 		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
 					    family, &zone);
-	else if (cda[CTA_TUPLE_REPLY])
+	else if (cda[CTA_TUPLE_REPLY] && !cda[CTA_FILTER])
 		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
 					    family, &zone);
 	else {
-		u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
+		u8 u3 = info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC;
 
 		return ctnetlink_flush_conntrack(info->net, cda,
 						 NETLINK_CB(skb).portid,