From: Pablo Neira Ayuso Date: Fri, 21 Mar 2025 22:24:20 +0000 (+0100) Subject: netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only X-Git-Tag: v6.15-rc1~19^2~8^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d74da1177c800eb3d51c13f9821b7b0683845a5;p=thirdparty%2Fkernel%2Flinux.git netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only conncount has its own GC handler which determines when to reap stale elements, this is convenient for dynamic sets. However, this also reaps non-dynamic sets with static configurations coming from control plane. Always run connlimit gc handler but honor feedback to reap element if this set is dynamic. Fixes: 290180e2448c ("netfilter: nf_tables: add connlimit support") Signed-off-by: Pablo Neira Ayuso --- diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 8bfac4185ac79..abb0c8ec63719 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set, nft_setelem_expr_foreach(expr, elem_expr, size) { if (expr->ops->gc && - expr->ops->gc(read_pnet(&set->net), expr)) + expr->ops->gc(read_pnet(&set->net), expr) && + set->flags & NFT_SET_EVAL) return true; }
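Review bot: the new condition in nft_rhash_expr_needs_gc_run() mixes `&&` with a bare `&` test on `set->flags`; precedence makes it correct (`&` binds tighter than `&&`), but a reader has to stop and verify that, so wrap it as `(set->flags & NFT_SET_EVAL)` in the usual kernel style. Also, since the `NFT_SET_EVAL` test does not depend on the element, the loop still calls `expr->ops->gc(read_pnet(&set->net), expr)` for every element of a static set only to discard the answer; the commit message says this is intentional ("Always run connlimit gc handler but honor feedback"), so a one-line comment above the `if` stating why the handler must still run for non-dynamic sets would stop the next reader from hoisting the flag check out of the loop and silently changing that behaviour.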