projects / platform / kernel / linux-rpi.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next
[platform/kernel/linux-rpi.git] / net / netfilter / nf_conntrack_core.c
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 430bb52..70c4f89 100644 (file)
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1371,9 +1371,6 @@ static unsigned int early_drop_list(struct net *net,
        hlist_nulls_for_each_entry_rcu(h, n, head, hnnode) {
                tmp = nf_ct_tuplehash_to_ctrack(h);
 
-               if (test_bit(IPS_OFFLOAD_BIT, &tmp->status))
-                       continue;
-
                if (nf_ct_is_expired(tmp)) {
                        nf_ct_gc_expired(tmp);
                        continue;
@@ -1443,11 +1440,14 @@ static bool gc_worker_skip_ct(const struct nf_conn *ct)
 static bool gc_worker_can_early_drop(const struct nf_conn *ct)
 {
        const struct nf_conntrack_l4proto *l4proto;
+       u8 protonum = nf_ct_protonum(ct);
 
+       if (test_bit(IPS_OFFLOAD_BIT, &ct->status) && protonum != IPPROTO_UDP)
+               return false;
        if (!test_bit(IPS_ASSURED_BIT, &ct->status))
                return true;
 
-       l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
+       l4proto = nf_ct_l4proto_find(protonum);
        if (l4proto->can_early_drop && l4proto->can_early_drop(ct))
                return true;
 
@@ -1504,7 +1504,8 @@ static void gc_worker(struct work_struct *work)
 
                        if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) {
                                nf_ct_offload_timeout(tmp);
-                               continue;
+                               if (!nf_conntrack_max95)
+                                       continue;
                        }
 
                        if (expired_count > GC_SCAN_EXPIRED_MAX) {
Domain: System / Kernel;