Skip to content
/ linux Public
forked from torvalds/linux

Commit

Permalink
netfilter: nft_set_rbtree: .deactivate fails if element has expired
Browse files Browse the repository at this point in the history 
commit d111692 upstream.

This allows to remove an expired element which is not possible in other
existing set backends, this is more noticeable if gc-interval is high so
expired elements remain in the tree. On-demand gc also does not help in
this case, because this is delete element path. Return NULL if element
has expired.

Fixes: 8d8540c ("netfilter: nft_set_rbtree: add timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
@ummakynes @gregkh
ummakynes authored and gregkh committed Oct 23, 2023
1 parent 74a409c commit aa3f0e1
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/netfilter/nft_set_rbtree.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -568,6 +568,8 @@ static void *nft_rbtree_deactivate(const struct net *net,
nft_rbtree_interval_end(this)) {
parent = parent->rb_right;
continue;
} else if (nft_set_elem_expired(&rbe->ext)) {
break;
} else if (!nft_set_elem_active(&rbe->ext, genmask)) {
parent = parent->rb_left;
continue;
Expand Down

0 comments on commit aa3f0e1

Please sign in to comment.