netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only

ummakynes · gregkh · commit 86bd9609fd3e · 2025-04-10T14:39:33.000+02:00
[ Upstream commit 9d74da1 ] conncount has its own GC handler which determines when to reap stale elements, this is convenient for dynamic sets. However, this also reaps non-dynamic sets with static configurations coming from control plane. Always run connlimit gc handler but honor feedback to reap element if this set is dynamic. Fixes: 290180e ("netfilter: nf_tables: add connlimit support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
@@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set,
 
 	nft_setelem_expr_foreach(expr, elem_expr, size) {
 		if (expr->ops->gc &&
-		    expr->ops->gc(read_pnet(&set->net), expr))
+		    expr->ops->gc(read_pnet(&set->net), expr) &&
+		    set->flags & NFT_SET_EVAL)
 			return true;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set,`
`309`	`309`
`310`	`310`	`nft_setelem_expr_foreach(expr, elem_expr, size) {`
`311`	`311`	`if (expr->ops->gc &&`
`312`		`- expr->ops->gc(read_pnet(&set->net), expr))`
	`312`	`+ expr->ops->gc(read_pnet(&set->net), expr) &&`
	`313`	`+ set->flags & NFT_SET_EVAL)`
`313`	`314`	`return true;`
`314`	`315`	`}`
`315`	`316`