netfilter: nft_set_hash: GC reaps elements with conncount for dynamic…

… sets only conncount has its own GC handler which determines when to reap stale elements, this is convenient for dynamic sets. However, this also reaps non-dynamic sets with static configurations coming from control plane. Always run connlimit gc handler but honor feedback to reap element if this set is dynamic. Fixes: 290180e ("netfilter: nf_tables: add connlimit support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
mariux64 · Apr 2, 2025 · 9d74da1 · 9d74da1
1 parent ed3ba9b
commit 9d74da1
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
@@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set,
 
 	nft_setelem_expr_foreach(expr, elem_expr, size) {
 		if (expr->ops->gc &&
-		    expr->ops->gc(read_pnet(&set->net), expr))
+		    expr->ops->gc(read_pnet(&set->net), expr) &&
+		    set->flags & NFT_SET_EVAL)
 			return true;
 	}