Re: [PATCH 6.6.y] netfilter: nf_tables: use timestamp to check for set element timeout
From: Pablo Neira Ayuso
Date: Tue Mar 18 2025 - 18:19:41 EST
Hi Greg, Sasha,
This backport is correct, please apply to -stable 6.6
On Mon, Mar 17, 2025 at 04:16:32PM +0800, jianqi.ren.cn@xxxxxxxxxxxxx wrote:
> From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
>
> [ Upstream commit 7395dfacfff65e9938ac0889dafa1ab01e987d15 ]
>
> Add a timestamp field at the beginning of the transaction, store it
> in the nftables per-netns area.
>
> Update set backend .insert, .deactivate and sync gc path to use the
> timestamp, this avoids an element expiring while the control plane
> transaction is still unfinished.
>
> .lookup and .update, which are used from packet path, still use the
> current time to check if the element has expired. And .get path and dump
> also, since these run lockless under the rcu read side lock. Then, there is
> async gc which also needs to check the current time since it runs
> asynchronously from a workqueue.
>
> Fixes: c3e1b005ed1c ("netfilter: nf_tables: add set element timeout support")
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Signed-off-by: Jianqi Ren <jianqi.ren.cn@xxxxxxxxxxxxx>
> Signed-off-by: He Zhe <zhe.he@xxxxxxxxxxxxx>
Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Tested-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
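The distinction the commit message draws (control plane checks expiry against a timestamp taken once at transaction start, packet path checks against the live clock) can be shown outside the kernel. The following is an added example written for this thread, not code from the patch or from nf_tables: it models a timed element with a constructed fake clock, a `struct txn` snapshot and two `expired` helpers, and demonstrates why two control-plane steps inside one transaction disagree when they read the live clock but agree when they share the transaction timestamp.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not kernel code): an element that expires at an
 * absolute time in milliseconds, like a timed nftables set element. */
struct elem {
    uint64_t expires_ms;   /* 0 means "never expires" */
};

/* A control-plane transaction snapshots the clock once when it starts. */
struct txn {
    uint64_t tstamp_ms;
};

/* Fake monotonic clock for the scenario; advanced explicitly below. */
static uint64_t fake_now_ms;

static uint64_t clock_now(void)
{
    return fake_now_ms;
}

static bool elem_expired_at(const struct elem *e, uint64_t when_ms)
{
    return e->expires_ms != 0 && when_ms >= e->expires_ms;
}

/* Packet path (.lookup/.update in the commit message): always the live
 * clock, since it runs lockless and outside any transaction. */
static bool packet_path_expired(const struct elem *e)
{
    return elem_expired_at(e, clock_now());
}

/* Control plane (.insert/.deactivate/sync gc): the transaction timestamp
 * when use_tstamp is set, the live clock otherwise (the pre-fix behaviour). */
static bool control_plane_expired(const struct txn *t, const struct elem *e,
                                  bool use_tstamp)
{
    return elem_expired_at(e, use_tstamp ? t->tstamp_ms : clock_now());
}

/* Scenario: a transaction starts at t=90 and an element expires at t=100.
 * Two control-plane checks on that element run at t=95 and t=110, i.e. the
 * clock crosses the expiry while the transaction is still open. Returns
 * true if both checks agree, so the element did not "expire" mid-transaction. */
static bool transaction_is_consistent(bool use_tstamp)
{
    struct elem e = { .expires_ms = 100 };
    struct txn t;

    fake_now_ms = 90;
    t.tstamp_ms = clock_now();       /* snapshot at transaction start */

    fake_now_ms = 95;
    bool first = control_plane_expired(&t, &e, use_tstamp);

    fake_now_ms = 110;               /* time passes before the next step */
    bool second = control_plane_expired(&t, &e, use_tstamp);

    return first == second;
}

int main(void)
{
    printf("live clock  : %s\n",
           transaction_is_consistent(false) ? "consistent" : "INCONSISTENT");
    printf("txn tstamp  : %s\n",
           transaction_is_consistent(true) ? "consistent" : "INCONSISTENT");

    /* The packet path still sees the expiry as soon as the clock passes it. */
    struct elem e = { .expires_ms = 100 };
    fake_now_ms = 110;
    printf("packet path : %s at t=110\n",
           packet_path_expired(&e) ? "expired" : "live");
    return 0;
}
```

The live-clock variant reports the element as present at t=95 and expired at t=110 within the same transaction, which is the inconsistency the patch removes; the packet path deliberately keeps using the live clock, matching the `.lookup`/`.update` behaviour described above.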