From: Greg Kroah-Hartman
Date: Thu, 1 Jun 2023 10:27:13 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v5.4.245~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=875eb99979fe4751cd2b1659cbf2f6ddf22e4f8c;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
netfilter-ctnetlink-support-offloaded-conntrack-entry-deletion.patch
---
diff --git a/queue-5.4/netfilter-ctnetlink-support-offloaded-conntrack-entry-deletion.patch b/queue-5.4/netfilter-ctnetlink-support-offloaded-conntrack-entry-deletion.patch
new file mode 100644
index 00000000000..55f03fbdb39
--- /dev/null
+++ b/queue-5.4/netfilter-ctnetlink-support-offloaded-conntrack-entry-deletion.patch
@@ -0,0 +1,57 @@
+From 9b7c68b3911aef84afa4cbfc31bce20f10570d51 Mon Sep 17 00:00:00 2001
+From: Paul Blakey
+Date: Wed, 22 Mar 2023 09:35:32 +0200
+Subject: netfilter: ctnetlink: Support offloaded conntrack entry deletion
+
+From: Paul Blakey
+
+commit 9b7c68b3911aef84afa4cbfc31bce20f10570d51 upstream.
+
+Currently, offloaded conntrack entries (flows) can only be deleted
+after they are removed from offload, which is either by timeout,
+tcp state change or tc ct rule deletion. This can cause issues for
+users wishing to manually delete or flush existing entries.
+
+Support deletion of offloaded conntrack entries.
+
+Example usage:
+ # Delete all offloaded (and non offloaded) conntrack entries
+ # whose source address is 1.2.3.4
+ $ conntrack -D -s 1.2.3.4
+ # Delete all entries
+ $ conntrack -F
+
+Signed-off-by: Paul Blakey
+Reviewed-by: Simon Horman
+Acked-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Cc: Demi Marie Obenour
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_netlink.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1229,9 +1229,6 @@ static const struct nla_policy ct_nla_po
+
+ static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
+ {
+- if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
+- return 0;
+-
+ return ctnetlink_filter_match(ct, data);
+ }
+
+@@ -1294,11 +1291,6 @@ static int ctnetlink_del_conntrack(struc
+
+ ct = nf_ct_tuplehash_to_ctrack(h);
+
+- if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
+- nf_ct_put(ct);
+- return -EBUSY;
+- }
+-
+ if (cda[CTA_ID]) {
+ __be32 id = nla_get_be32(cda[CTA_ID]);
+
diff --git a/queue-5.4/series b/queue-5.4/series
index e0a7091107f..8081de96ba0 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
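Review bot: With the `IPS_OFFLOAD_BIT` test gone from `ctnetlink_del_conntrack()`, an entry that is still offloaded now continues to the `CTA_ID` check and the deletion code past the end of the inner hunk, so this backport is only safe if the 5.4 offload code notices a conntrack entry deleted underneath it and releases the flow. The queued patch does not show that, and the upstream commit was presumably written against a newer tree; the description should name the 5.4 code (or prerequisite commit) that tears an offloaded flow down once its entry is dying. `ctnetlink_flush_iterate()` has the same dependency, since a flush now matches offloaded entries too. Userspace that read `-EBUSY` from a delete as "entry is offloaded" no longer gets that signal, which deserves a line in the changelog. Both function bodies start or end outside the hunks shown.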
@@ -13,3 +13,4 @@ io_uring-have-io_kill_timeout-honor-the-request-references.patch
 bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch
 binder-fix-uaf-caused-by-faulty-buffer-cleanup.patch
 ipv-4-6-raw-fix-output-xfrm-lookup-wrt-protocol.patch
+netfilter-ctnetlink-support-offloaded-conntrack-entry-deletion.patch