netfilter: nf_conncount: make nf_conncount_gc_list() to disable BH

For convenience when performing GC over the connection list, make
nf_conncount_gc_list() to disable BH. This unifies the behavior with
nf_conncount_add() and nf_conncount_count().

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 0ffc5ff78a71426a3b8581c24bc2a78da7cca17b..d8893e172444d23940bee132d5baf9b129c11839 100644 (file)
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -278,8 +278,8 @@ void nf_conncount_list_init(struct nf_conncount_list *list)
 EXPORT_SYMBOL_GPL(nf_conncount_list_init);
 
 /* Return true if the list is empty. Must be called with BH disabled. */
-bool nf_conncount_gc_list(struct net *net,
-                         struct nf_conncount_list *list)
+static bool __nf_conncount_gc_list(struct net *net,
+                                  struct nf_conncount_list *list)
 {
        const struct nf_conntrack_tuple_hash *found;
        struct nf_conncount_tuple *conn, *conn_n;
@@ -291,10 +291,6 @@ bool nf_conncount_gc_list(struct net *net,
        if ((u32)jiffies == READ_ONCE(list->last_gc))
                return false;
 
-       /* don't bother if other cpu is already doing GC */
-       if (!spin_trylock(&list->list_lock))
-               return false;
-
        list_for_each_entry_safe(conn, conn_n, &list->head, node) {
                found = find_or_evict(net, list, conn);
                if (IS_ERR(found)) {
@@ -323,7 +319,21 @@ bool nf_conncount_gc_list(struct net *net,
        if (!list->count)
                ret = true;
        list->last_gc = (u32)jiffies;
-       spin_unlock(&list->list_lock);
+
+       return ret;
+}
+
+bool nf_conncount_gc_list(struct net *net,
+                         struct nf_conncount_list *list)
+{
+       bool ret;
+
+       /* don't bother if other cpu is already doing GC */
+       if (!spin_trylock_bh(&list->list_lock))
+               return false;
+
+       ret = __nf_conncount_gc_list(net, list);
+       spin_unlock_bh(&list->list_lock);
 
        return ret;
 }

diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index 5df7134131d29f8bd0f1100ead0beca891f70e85..41770bde39d337dfa057e2f66871de3a2887fb78 100644 (file)
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -223,13 +223,8 @@ static void nft_connlimit_destroy_clone(const struct nft_ctx *ctx,
 static bool nft_connlimit_gc(struct net *net, const struct nft_expr *expr)
 {
        struct nft_connlimit *priv = nft_expr_priv(expr);
-       bool ret;
 
-       local_bh_disable();
-       ret = nf_conncount_gc_list(net, priv->list);
-       local_bh_enable();
-
-       return ret;
+       return nf_conncount_gc_list(net, priv->list);
 }
 
 static struct nft_expr_type nft_connlimit_type;