git.ipfire.org Git - thirdparty/kernel/stable.git/commit
netfilter: nf_conncount: rework API to use sk_buff directly
author Fernando Fernandez Mancera <fmancera@suse.de>
Fri, 21 Nov 2025 00:14:30 +0000 (01:14 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 19 Jan 2026 12:09:35 +0000 (13:09 +0100)
commit b160895d6bc9690459b16ef87799c9bd456af3ec
tree 462f831fc8710f6a5aa3e15028378b74e232d889
parent be69850b461e7b491d87a22e33ab76fdd04b725e
netfilter: nf_conncount: rework API to use sk_buff directly

[ Upstream commit be102eb6a0e7c03db00e50540622f4e43b2d2844 ]

When using the nf_conncount infrastructure for non-confirmed connections, a
duplicated track is possible due to an optimization introduced since
commit d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC").

In order to fix this, introduce a new conncount API that receives
an sk_buff struct directly. It fetches the tuple and zone and the
corresponding ct from it. It comes with both existing conncount variants,
nf_conncount_count_skb() and nf_conncount_add_skb(). In addition, remove
the old API and adjust all the users to use the new one.

This way, for each sk_buff struct it is possible to check if there is a
ct present and already confirmed. If so, skip the add operation.

Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 69894e5b4c5e ("netfilter: nft_connlimit: update the count if add was skipped")
Signed-off-by: Sasha Levin <sashal@kernel.org>
include/net/netfilter/nf_conntrack_count.h
net/netfilter/nf_conncount.c
net/netfilter/nft_connlimit.c
net/netfilter/xt_connlimit.c
net/openvswitch/conntrack.c