--- /dev/null
+From 9b7c68b3911aef84afa4cbfc31bce20f10570d51 Mon Sep 17 00:00:00 2001
+From: Paul Blakey <paulb@nvidia.com>
+Date: Wed, 22 Mar 2023 09:35:32 +0200
+Subject: netfilter: ctnetlink: Support offloaded conntrack entry deletion
+
+From: Paul Blakey <paulb@nvidia.com>
+
+commit 9b7c68b3911aef84afa4cbfc31bce20f10570d51 upstream.
+
+Currently, offloaded conntrack entries (flows) can only be deleted
+after they are removed from offload, which is either by timeout,
+tcp state change or tc ct rule deletion. This can cause issues for
+users wishing to manually delete or flush existing entries.
+
+Support deletion of offloaded conntrack entries.
+
+Example usage:
+ # Delete all offloaded (and non offloaded) conntrack entries
+ # whose source address is 1.2.3.4
+ $ conntrack -D -s 1.2.3.4
+ # Delete all entries
+ $ conntrack -F
+
+Signed-off-by: Paul Blakey <paulb@nvidia.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Cc: Demi Marie Obenour <demi@invisiblethingslab.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1546,9 +1546,6 @@ static const struct nla_policy ct_nla_po
+
+ static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
+ {
+- if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
+- return 0;
+-
+ return ctnetlink_filter_match(ct, data);
+ }
+
+@@ -1612,11 +1609,6 @@ static int ctnetlink_del_conntrack(struc
+
+ ct = nf_ct_tuplehash_to_ctrack(h);
+
+- if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
+- nf_ct_put(ct);
+- return -EBUSY;
+- }
+-
+ if (cda[CTA_ID]) {
+ __be32 id = nla_get_be32(cda[CTA_ID]);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
