--- /dev/null
+From 4914109a8e1e494c6aa9852f9e84ec77a5fc643f Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 16 Jul 2023 17:09:17 -0400
+Subject: netfilter: allow exp not to be removed in nf_ct_find_expectation
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 4914109a8e1e494c6aa9852f9e84ec77a5fc643f upstream.
+
+Currently nf_conntrack_in() calling nf_ct_find_expectation() will
+remove the exp from the hash table. However, in some scenario, we
+expect the exp not to be removed when the created ct will not be
+confirmed, like in OVS and TC conntrack in the following patches.
+
+This patch allows exp not to be removed by setting IPS_CONFIRMED
+in the status of the tmpl.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netfilter/nf_conntrack_expect.h | 2 +-
+ net/netfilter/nf_conntrack_core.c | 2 +-
+ net/netfilter/nf_conntrack_expect.c | 4 ++--
+ net/netfilter/nft_ct.c | 2 ++
+ 4 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/include/net/netfilter/nf_conntrack_expect.h
++++ b/include/net/netfilter/nf_conntrack_expect.h
+@@ -100,7 +100,7 @@ nf_ct_expect_find_get(struct net *net,
+ struct nf_conntrack_expect *
+ nf_ct_find_expectation(struct net *net,
+ const struct nf_conntrack_zone *zone,
+- const struct nf_conntrack_tuple *tuple);
++ const struct nf_conntrack_tuple *tuple, bool unlink);
+
+ void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,
+ u32 portid, int report);
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1770,7 +1770,7 @@ init_conntrack(struct net *net, struct n
+ cnet = nf_ct_pernet(net);
+ if (cnet->expect_count) {
+ spin_lock_bh(&nf_conntrack_expect_lock);
+- exp = nf_ct_find_expectation(net, zone, tuple);
++ exp = nf_ct_find_expectation(net, zone, tuple, !tmpl || nf_ct_is_confirmed(tmpl));
+ if (exp) {
+ pr_debug("expectation arrives ct=%p exp=%p\n",
+ ct, exp);
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -171,7 +171,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_find_get)
+ struct nf_conntrack_expect *
+ nf_ct_find_expectation(struct net *net,
+ const struct nf_conntrack_zone *zone,
+- const struct nf_conntrack_tuple *tuple)
++ const struct nf_conntrack_tuple *tuple, bool unlink)
+ {
+ struct nf_conntrack_net *cnet = nf_ct_pernet(net);
+ struct nf_conntrack_expect *i, *exp = NULL;
+@@ -211,7 +211,7 @@ nf_ct_find_expectation(struct net *net,
+ !refcount_inc_not_zero(&exp->master->ct_general.use)))
+ return NULL;
+
+- if (exp->flags & NF_CT_EXPECT_PERMANENT) {
++ if (exp->flags & NF_CT_EXPECT_PERMANENT || !unlink) {
+ refcount_inc(&exp->use);
+ return exp;
+ } else if (del_timer(&exp->timeout)) {
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -272,6 +272,7 @@ static void nft_ct_set_zone_eval(const s
+ regs->verdict.code = NF_DROP;
+ return;
+ }
++ __set_bit(IPS_CONFIRMED_BIT, &ct->status);
+ }
+
+ nf_ct_set(skb, ct, IP_CT_NEW);
+@@ -378,6 +379,7 @@ static bool nft_ct_tmpl_alloc_pcpu(void)
+ return false;
+ }
+
++ __set_bit(IPS_CONFIRMED_BIT, &tmp->status);
+ per_cpu(nft_ct_pcpu_template, cpu) = tmp;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
