Message ID | 20240905232920.5481-2-pablo@netfilter.org (mailing list archive)
---|---
State | Accepted
Commit | 1ef7f50ccc6e8e2b5de96ad1e304684a277a3055
Delegated to | Netdev Maintainers
Series | [net-next,01/16] netfilter: ctnetlink: support CTA_FILTER for flush
Hello:

This series was applied to netdev/net-next.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Fri, 6 Sep 2024 01:29:05 +0200 you wrote:
> From: Changliang Wu <changliang.wu@smartx.com>
>
> From cb8aa9a, we can use kernel side filtering for dump, but
> this capability is not available for flush.
>
> This Patch allows advanced filter with CTA_FILTER for flush
>
> [...]

Here is the summary with links:
  - [net-next,01/16] netfilter: ctnetlink: support CTA_FILTER for flush
    https://git.kernel.org/netdev/net-next/c/1ef7f50ccc6e
  - [net-next,02/16] netfilter: nft_counter: Use u64_stats_t for statistic.
    https://git.kernel.org/netdev/net-next/c/4a1d3acd6ea8
  - [net-next,03/16] netfilter: Use kmemdup_array instead of kmemdup for multiple allocation
    https://git.kernel.org/netdev/net-next/c/20eb5e7cb78c
  - [net-next,04/16] netfilter: conntrack: Convert to use ERR_CAST()
    https://git.kernel.org/netdev/net-next/c/09c0d0aef56b
  - [net-next,05/16] netfilter: nf_tables: drop unused 3rd argument from validate callback ops
    https://git.kernel.org/netdev/net-next/c/eaf9b2c875ec
  - [net-next,06/16] netfilter: nf_tables: Correct spelling in nf_tables.h
    https://git.kernel.org/netdev/net-next/c/85dfb34bb7d2
  - [net-next,07/16] netfilter: nf_tables: Add missing Kernel doc
    https://git.kernel.org/netdev/net-next/c/c362646b6fc1
  - [net-next,08/16] netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire
    https://git.kernel.org/netdev/net-next/c/e0c47281723f
  - [net-next,09/16] netfilter: nf_tables: reject element expiration with no timeout
    https://git.kernel.org/netdev/net-next/c/d2dc429ecb4e
  - [net-next,10/16] netfilter: nf_tables: reject expiration higher than timeout
    https://git.kernel.org/netdev/net-next/c/c0f38a8c6017
  - [net-next,11/16] netfilter: nf_tables: remove annotation to access set timeout while holding lock
    https://git.kernel.org/netdev/net-next/c/15d8605c0cf4
  - [net-next,12/16] netfilter: nft_dynset: annotate data-races around set timeout
    https://git.kernel.org/netdev/net-next/c/c5ad8ed61fa8
  - [net-next,13/16] netfilter: nf_tables: annotate data-races around element expiration
    https://git.kernel.org/netdev/net-next/c/73d3c04b710f
  - [net-next,14/16] netfilter: nf_tables: consolidate timeout extension for elements
    https://git.kernel.org/netdev/net-next/c/4c5daea9af4f
  - [net-next,15/16] netfilter: nf_tables: zero timeout means element never times out
    https://git.kernel.org/netdev/net-next/c/8bfb74ae12fa
  - [net-next,16/16] netfilter: nf_tables: set element timeout update support
    https://git.kernel.org/netdev/net-next/c/4201f3938914

You are awesome, thank you!
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 4cbf71d0786b..123e2e933e9b 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1579,9 +1579,6 @@ static int ctnetlink_flush_conntrack(struct net *net, }; if (ctnetlink_needs_filter(family, cda)) { - if (cda[CTA_FILTER]) - return -EOPNOTSUPP; - filter = ctnetlink_alloc_filter(cda, family); if (IS_ERR(filter)) return PTR_ERR(filter); @@ -1610,14 +1607,14 @@ static int ctnetlink_del_conntrack(struct sk_buff *skb, if (err < 0) return err; - if (cda[CTA_TUPLE_ORIG]) + if (cda[CTA_TUPLE_ORIG] && !cda[CTA_FILTER]) err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, family, &zone); - else if (cda[CTA_TUPLE_REPLY]) + else if (cda[CTA_TUPLE_REPLY] && !cda[CTA_FILTER]) err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, family, &zone); else { - u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC; + u8 u3 = info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC; return ctnetlink_flush_conntrack(info->net, cda, NETLINK_CB(skb).portid,
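Review bot: in the ctnetlink_flush_conntrack() hunk, dropping the `if (cda[CTA_FILTER]) return -EOPNOTSUPP;` guard leaves ctnetlink_alloc_filter() as the only place that validates a CTA_FILTER attribute before it drives a bulk deletion; the commit message should say so explicitly, and should note the user-visible change that a flush carrying CTA_FILTER no longer fails with EOPNOTSUPP, since userspace that probed for filter support by that error code will now see the flush proceed.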
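Review bot: in the ctnetlink_del_conntrack() hunk, the new `&& !cda[CTA_FILTER]` conditions make a request that carries both CTA_TUPLE_ORIG (or CTA_TUPLE_REPLY) and CTA_FILTER silently skip the single-entry tuple path and fall through to ctnetlink_flush_conntrack(), turning what userspace asked for as a one-entry delete into a filtered bulk delete; rejecting the combination with -EINVAL before the if/else chain would be safer than ignoring the tuple. Also, `u8 u3 = info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC;` relies on `||` binding tighter than `?:`, which is correct but easy to misread; `(info->nfmsg->version || cda[CTA_FILTER]) ? family : AF_UNSPEC` would make the intent obvious.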