From: Greg Kroah-Hartman Date: Thu, 1 Jun 2023 10:27:33 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.4.245~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=253efd95d6668ce09a3ca37a725a30124f766f8b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: netfilter-ctnetlink-support-offloaded-conntrack-entry-deletion.patch --- diff --git a/queue-5.15/netfilter-ctnetlink-support-offloaded-conntrack-entry-deletion.patch b/queue-5.15/netfilter-ctnetlink-support-offloaded-conntrack-entry-deletion.patch new file mode 100644 index 00000000000..de2bb5d9206 --- /dev/null +++ b/queue-5.15/netfilter-ctnetlink-support-offloaded-conntrack-entry-deletion.patch 
@@ -0,0 +1,57 @@ +From 9b7c68b3911aef84afa4cbfc31bce20f10570d51 Mon Sep 17 00:00:00 2001 +From: Paul Blakey +Date: Wed, 22 Mar 2023 09:35:32 +0200 +Subject: netfilter: ctnetlink: Support offloaded conntrack entry deletion + +From: Paul Blakey + +commit 9b7c68b3911aef84afa4cbfc31bce20f10570d51 upstream. + +Currently, offloaded conntrack entries (flows) can only be deleted +after they are removed from offload, which is either by timeout, +tcp state change or tc ct rule deletion. This can cause issues for +users wishing to manually delete or flush existing entries. + +Support deletion of offloaded conntrack entries. + +Example usage: + # Delete all offloaded (and non offloaded) conntrack entries + # whose source address is 1.2.3.4 + $ conntrack -D -s 1.2.3.4 + # Delete all entries + $ conntrack -F + +Signed-off-by: Paul Blakey +Reviewed-by: Simon Horman +Acked-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Cc: Demi Marie Obenour +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_conntrack_netlink.c | 8 -------- + 1 file changed, 8 deletions(-) + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -1546,9 +1546,6 @@ static const struct nla_policy ct_nla_po + + static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data) + { +- if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) +- return 0; +- + return ctnetlink_filter_match(ct, data); + } + +@@ -1612,11 +1609,6 @@ static int ctnetlink_del_conntrack(struc + + ct = nf_ct_tuplehash_to_ctrack(h); + +- if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) { +- nf_ct_put(ct); +- return -EBUSY; +- } +- + if (cda[CTA_ID]) { + __be32 id = nla_get_be32(cda[CTA_ID]); + diff --git a/queue-5.15/series b/queue-5.15/series index 7b9adedb0f1..dc5c102e82d 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -39,3 +39,4 @@ revert-android-binder-stop-saving-a-pointer-to-the-vma.patch binder-add-lockless-binder_alloc_-set-get-_vma.patch binder-fix-uaf-of-alloc-vma-in-race-with-munmap.patch ipv-4-6-raw-fix-output-xfrm-lookup-wrt-protocol.patch +netfilter-ctnetlink-support-offloaded-conntrack-entry-deletion.patch
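Review bot: in the ctnetlink_flush_iterate hunk the IPS_OFFLOAD_BIT early return is removed with nothing put in its place, so a flush (`conntrack -F` in the commit message's example) now hands offloaded entries to ctnetlink_filter_match and on to deletion while they are still in the offload path; the hunk itself adds no teardown of the offloaded flow, so the 5.15 backport should confirm that this tree's flowtable code already reaps the flow once its conntrack is marked dying, and name that dependency in the queue note if it comes from a separate commit.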
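Review bot: in the ctnetlink_del_conntrack hunk, dropping the `-EBUSY` branch changes the user-visible result of deleting an offloaded entry from failure to success; the removed `nf_ct_put(ct)` belonged only to that early-exit path, so falling through to the `if (cda[CTA_ID])` check keeps the reference taken by nf_ct_tuplehash_to_ctrack balanced exactly as in the non-offloaded case. Worth one sentence in the backport note that userspace which previously retried on EBUSY will now see the entry removed on the first request.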
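Review bot: the queue-5.15/series entry matches the filename of the new patch added above, netfilter-ctnetlink-support-offloaded-conntrack-entry-deletion.patch; appending it after ipv-4-6-raw-fix-output-xfrm-lookup-wrt-protocol.patch is fine, since the patch touches only net/netfilter/nf_conntrack_netlink.c, which, going by their names, the preceding binder and raw-socket patches do not modify.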