Skip to content

Commit

Permalink
netfilter: nft_set_rbtree: .deactivate fails if element has expired
Browse files Browse the repository at this point in the history 
commit d111692 upstream.

This allows to remove an expired element which is not possible in other
existing set backends, this is more noticeable if gc-interval is high so
expired elements remain in the tree. On-demand gc also does not help in
this case, because this is delete element path. Return NULL if element
has expired.

Fixes: 8d8540c ("netfilter: nft_set_rbtree: add timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
@ummakynes @gregkh
ummakynes authored and gregkh committed Oct 25, 2023
1 parent d9d289b commit 0697918
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/netfilter/nft_set_rbtree.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -568,6 +568,8 @@ static void *nft_rbtree_deactivate(const struct net *net,
nft_rbtree_interval_end(this)) {
parent = parent->rb_right;
continue;
} else if (nft_set_elem_expired(&rbe->ext)) {
break;
} else if (!nft_set_elem_active(&rbe->ext, genmask)) {
parent = parent->rb_left;
continue;
Expand Down

0 comments on commit 0697918

Please sign in to comment.