netfilter: nft_connlimit: add support to object update operation

This is useful to update the limit or flags without clearing the connections tracked. Use READ_ONCE() on packetpath as it can be modified on controlplane. Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2025-12-07 20:06:24 +00:00 · 2025-11-24 17:36:58 +01:00
parent 69894e5b4c
commit c4cbe4a4df
1 changed files with 12 additions and 1 deletions
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -44,7 +44,7 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
 	count = READ_ONCE(priv->list->count);
-	if ((count > priv->limit) ^ priv->invert) {
+	if ((count > READ_ONCE(priv->limit)) ^ READ_ONCE(priv->invert)) {
 		regs->verdict.code = NFT_BREAK;
 		return;
 	}
@@ -131,6 +131,16 @@ static int nft_connlimit_obj_init(const struct nft_ctx *ctx,
 	return nft_connlimit_do_init(ctx, tb, priv);
 }
 static void nft_connlimit_obj_update(struct nft_object *obj,
 				     struct nft_object *newobj)
 {
 	struct nft_connlimit *newpriv = nft_obj_data(newobj);
 	struct nft_connlimit *priv = nft_obj_data(obj);
 	WRITE_ONCE(priv->limit, newpriv->limit);
 	WRITE_ONCE(priv->invert, newpriv->invert);
 }
 static void nft_connlimit_obj_destroy(const struct nft_ctx *ctx,
 				      struct nft_object *obj)
 {
@@ -160,6 +170,7 @@ static const struct nft_object_ops nft_connlimit_obj_ops = {
 	.init		= nft_connlimit_obj_init,
 	.destroy	= nft_connlimit_obj_destroy,
 	.dump		= nft_connlimit_obj_dump,
 	.update		= nft_connlimit_obj_update,
 };
 static struct nft_object_type nft_connlimit_obj_type __read_mostly = {