netfilter: add and use nf_ct_unconfirmed_destroy

This also removes __nf_ct_unconfirmed_destroy() call from nf_ct_iterate_cleanup_net, so that function can be used only when missing conntracks from unconfirmed list isn't a problem. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: add and use nf_ct_unconfirmed_destroy
This also removes __nf_ct_unconfirmed_destroy() call from nf_ct_iterate_cleanup_net, so that function can be used only when missing conntracks from unconfirmed list isn't a problem. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal · Pablo Neira Ayuso
1 parent ac7b848390
Showing 3 changed files with 15 additions and 4 deletions Side-by-side Diff
include/net/netfilter/nf_conntrack.h
net/netfilter/nf_conntrack_core.c
net/netfilter/nfnetlink_cttimeout.c
@@ -224,6 +224,9 @@
 			       enum ip_conntrack_dir dir,
 			       u32 seq);
  
+/* Set all unconfirmed conntrack as dying */
+void nf_ct_unconfirmed_destroy(struct net *);
+
 /* Iterate over all conntracks: if iter returns true, it's deleted. */
 void nf_ct_iterate_cleanup_net(struct net *net,
 			       int (*iter)(struct nf_conn *i, void *data),
@@ -1686,6 +1686,17 @@
 	}
 }
  
+void nf_ct_unconfirmed_destroy(struct net *net)
+{
+	might_sleep();
+
+	if (atomic_read(&net->ct.count) > 0) {
+		__nf_ct_unconfirmed_destroy(net);
+		synchronize_net();
+	}
+}
+EXPORT_SYMBOL_GPL(nf_ct_unconfirmed_destroy);
+
 void nf_ct_iterate_cleanup_net(struct net *net,
 			       int (*iter)(struct nf_conn *i, void *data),
 			       void *data, u32 portid, int report)
  
@@ -1697,13 +1708,9 @@
 	if (atomic_read(&net->ct.count) == 0)
 		return;
  
-	__nf_ct_unconfirmed_destroy(net);
-
 	d.iter = iter;
 	d.data = data;
 	d.net = net;
-
-	synchronize_net();
  
 	nf_ct_iterate_cleanup(iter_net_only, &d, portid, report);
 }
@@ -570,6 +570,7 @@
 {
 	struct ctnl_timeout *cur, *tmp;
  
+	nf_ct_unconfirmed_destroy(net);
 	ctnl_untimeout(net, NULL);
  
 	list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list, head) {
...	...	@@ -224,6 +224,9 @@
224	224	enum ip_conntrack_dir dir,
225	225	u32 seq);
226	226
	227	+/* Set all unconfirmed conntrack as dying */
	228	+void nf_ct_unconfirmed_destroy(struct net *);
	229	+
227	230	/* Iterate over all conntracks: if iter returns true, it's deleted. */
228	231	void nf_ct_iterate_cleanup_net(struct net *net,
229	232	int (iter)(struct nf_conn i, void *data),
...	...	@@ -1686,6 +1686,17 @@
1686	1686	}
1687	1687	}
1688	1688
	1689	+void nf_ct_unconfirmed_destroy(struct net *net)
	1690	+{
	1691	+ might_sleep();
	1692	+
	1693	+ if (atomic_read(&net->ct.count) > 0) {
	1694	+ __nf_ct_unconfirmed_destroy(net);
	1695	+ synchronize_net();
	1696	+ }
	1697	+}
	1698	+EXPORT_SYMBOL_GPL(nf_ct_unconfirmed_destroy);
	1699	+
1689	1700	void nf_ct_iterate_cleanup_net(struct net *net,
1690	1701	int (iter)(struct nf_conn i, void *data),
1691	1702	void *data, u32 portid, int report)
1692	1703
...	...	@@ -1697,13 +1708,9 @@
1697	1708	if (atomic_read(&net->ct.count) == 0)
1698	1709	return;
1699	1710
1700		- __nf_ct_unconfirmed_destroy(net);
1701		-
1702	1711	d.iter = iter;
1703	1712	d.data = data;
1704	1713	d.net = net;
1705		-
1706		- synchronize_net();
1707	1714
1708	1715	nf_ct_iterate_cleanup(iter_net_only, &d, portid, report);
1709	1716	}
...	...	@@ -570,6 +570,7 @@
570	570	{
571	571	struct ctnl_timeout cur, tmp;
572	572
	573	+ nf_ct_unconfirmed_destroy(net);
573	574	ctnl_untimeout(net, NULL);
574	575
575	576	list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list, head) {