netfilter: nft_set_rbtree: .deactivate fails if element has expired
This allows to remove an expired element which is not possible in other
existing set backends, this is more noticeable if gc-interval is high so
expired elements remain in the tree. On-demand gc also does not help in
this case, because this is delete element path. Return NULL if element
has expired.

Fixes: 8d8540c ("netfilter: nft_set_rbtree: add timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
ummakynes authored and Florian Westphal committed Oct 18, 2023
1 parent 2e2d9c7 commit d111692
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/netfilter/nft_set_rbtree.c
Expand Up @@ -568,6 +568,8 @@ static void *nft_rbtree_deactivate(const struct net *net,
nft_rbtree_interval_end(this)) {
parent = parent->rb_right;
continue;
} else if (nft_set_elem_expired(&rbe->ext)) {
break;
} else if (!nft_set_elem_active(&rbe->ext, genmask)) {
parent = parent->rb_left;
continue;
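
Review bot: the new `else if (nft_set_elem_expired(&rbe->ext))` branch exits the walk with `break`, while the commit message says "Return NULL if element has expired"; nothing in this hunk shows what the function returns after the loop, so the NULL result is only implicit here. An explicit `return NULL;` in the branch, or a one-line comment stating that falling out of the loop yields NULL, would make the intent checkable from the hunk alone. The ordering also deserves a comment: because the expired test comes before `!nft_set_elem_active(&rbe->ext, genmask)`, an element that is both expired and inactive in this generation now stops the search instead of continuing to `parent->rb_left`, and the reason that is the desired behaviour should be stated next to the check.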