From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 21 Mar 2025 22:24:20 +0000 (+0100)
Subject: netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only
X-Git-Tag: v6.12.23~101
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86bd9609fd3ec64e4807117d635e187d523b3438;p=thirdparty%2Fkernel%2Fstable.git

netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only

[ Upstream commit 9d74da1177c800eb3d51c13f9821b7b0683845a5 ]

conncount has its own GC handler which determines when to reap stale
elements, this is convenient for dynamic sets. However, this also reaps
non-dynamic sets with static configurations coming from control plane.
Always run connlimit gc handler but honor feedback to reap element if
this set is dynamic.

Fixes: 290180e2448c ("netfilter: nf_tables: add connlimit support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index b93f046ac7d1e..4b3452dff2ec0 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set,
 
 	nft_setelem_expr_foreach(expr, elem_expr, size) {
 		if (expr->ops->gc &&
-		    expr->ops->gc(read_pnet(&set->net), expr))
+		    expr->ops->gc(read_pnet(&set->net), expr) &&
+		    set->flags & NFT_SET_EVAL)
 			return true;
 	}