git.ipfire.org Git - thirdparty/linux.git/commit

netfilter: nf_conntrack_expect: use conntrack GC to reap expectations

This patch replaces the timer API by GC worker approach for
expectations, as it already happened in many other subsystems.

Use the existing conntrack GC worker to iterate over the local list of
expectations in the master conntrack to reap expired expectations.
Check IPS_HELPER_BIT to run GC for expectations, set it on for nft_ct
expectation which nevers sets it. Hold the expectation spinlock while
iterating over the master conntrack expectation list to synchronize with
nf_ct_remove_expectations(). This also performs runtime packet path
garbage collection through the expectation insertion and lookup
functions while walking over one of the chains of the global expectation
hashtables. Unconfirmed conntrack entries are skipped since ct->ext can
be reallocated and dying are skipped since those will be gone soon.
Set on IPS_HELPER_BIT if the helper ct extension is added, then the new
GC worker does not need to bump the ct refcount to check if the ct->ext
helper is available.

This removes the extra bump on the refcount for expectation timers, this
allows to remove several nf_ct_expect_put() calls after the unlink,
after this update only refcount remains at 1 while on the expectation
hashes.

This patch implicitly addresses a race with the existing timer API
allowing an expectation to access a stale exp->master pointer which has
been already released when expectation removal loses races with an
expiring timer, ie. timer_del() reporting false.

Add a new NF_CT_EXPECT_DEAD flag to reap this expectation via GC. This
is needed by nf_conntrack_unexpect_related() which is called in error
paths to invalidate newly created expectations that has been added into
the hashes. These expectactions cannot be inmediately released as GC or
nf_ct_remove_expectations() could race to make it. On expectation
insert, the runtime GC reaps stale expectations before checking the
expectation limit set by policy.

Set current timestamp in nf_ct_expect_alloc(), then add the expectation
policy timeout (or custom timeout specified added on top of this) to
specify the expectation lifetime.

Fixes: bffcaad9afdf ("netfilter: ctnetlink: ensure safe access to master conntrack")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 18 Jun 2026 11:56:38 +0000 (13:56 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 20 Jun 2026 22:18:27 +0000 (00:18 +0200)
commit	b8b09dc2bf35a00d4e0556b5d6308c7b917ebda2
tree	96ae163ee8d536889414e20b1f755c5c3ae61aa8	tree \| snapshot
parent	af8d6ae09c0a5f8b8a0d5680203c74b3c1daa85b	commit \| diff

include/net/netfilter/nf_conntrack_expect.h		diff \| blob \| blame \| history
include/uapi/linux/netfilter/nf_conntrack_common.h		diff \| blob \| blame \| history
net/netfilter/nf_conntrack_core.c		diff \| blob \| blame \| history
net/netfilter/nf_conntrack_expect.c		diff \| blob \| blame \| history
net/netfilter/nf_conntrack_h323_main.c		diff \| blob \| blame \| history
net/netfilter/nf_conntrack_helper.c		diff \| blob \| blame \| history
net/netfilter/nf_conntrack_netlink.c		diff \| blob \| blame \| history
net/netfilter/nf_conntrack_sip.c		diff \| blob \| blame \| history
net/netfilter/nft_ct.c		diff \| blob \| blame \| history