Merge tag 'nf-25-07-17' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

/* use after obtaining a reference count */

static inline bool nf_ct_should_gc(const struct nf_conn *ct)

{

	return nf_ct_is_expired(ct) && nf_ct_is_confirmed(ct) &&

	       !nf_ct_is_dying(ct);

	if (!nf_ct_is_confirmed(ct))

		return false;

	/* load ct->timeout after is_confirmed() test.

	 * Pairs with __nf_conntrack_confirm() which:

	 * 1. Increases ct->timeout value

	 * 2. Inserts ct into rcu hlist

	 * 3. Sets the confirmed bit

	 * 4. Unlocks the hlist lock

	 */

	smp_acquire__after_ctrl_dep();

	return nf_ct_is_expired(ct) && !nf_ct_is_dying(ct);

}

#define	NF_CT_DAY	(86400 * HZ)

int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);

void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);

struct nft_hook;

void nf_tables_chain_device_notify(const struct nft_chain *chain,

				   const struct nft_hook *hook,

				   const struct net_device *dev, int event);

enum nft_chain_types {

	NFT_CHAIN_T_DEFAULT = 0,

	NFT_CHAIN_T_ROUTE,

	NFT_MSG_DESTROYOBJ,

	NFT_MSG_DESTROYFLOWTABLE,

	NFT_MSG_GETSETELEM_RESET,

	NFT_MSG_NEWDEV,

	NFT_MSG_DELDEV,

	NFT_MSG_MAX,

};

 * enum nft_device_attributes - nf_tables device netlink attributes

 *

 * @NFTA_DEVICE_NAME: name of this device (NLA_STRING)

 * @NFTA_DEVICE_TABLE: table containing the flowtable or chain hooking into the device (NLA_STRING)

 * @NFTA_DEVICE_FLOWTABLE: flowtable hooking into the device (NLA_STRING)

 * @NFTA_DEVICE_CHAIN: chain hooking into the device (NLA_STRING)

 * @NFTA_DEVICE_SPEC: hook spec matching the device (NLA_STRING)

 */

enum nft_devices_attributes {

	NFTA_DEVICE_UNSPEC,

	NFTA_DEVICE_NAME,

	NFTA_DEVICE_TABLE,

	NFTA_DEVICE_FLOWTABLE,

	NFTA_DEVICE_CHAIN,

	NFTA_DEVICE_SPEC,

	__NFTA_DEVICE_MAX

};

#define NFTA_DEVICE_MAX		(__NFTA_DEVICE_MAX - 1)

#define NFNLGRP_ACCT_QUOTA		NFNLGRP_ACCT_QUOTA

	NFNLGRP_NFTRACE,

#define NFNLGRP_NFTRACE			NFNLGRP_NFTRACE

	NFNLGRP_NFT_DEV,

#define NFNLGRP_NFT_DEV			NFNLGRP_NFT_DEV

	__NFNLGRP_MAX,

};

#define NFNLGRP_MAX	(__NFNLGRP_MAX - 1)

	hlist_nulls_add_head_rcu(&loser_ct->tuplehash[IP_CT_DIR_REPLY].hnnode,

				 &nf_conntrack_hash[repl_idx]);

	/* confirmed bit must be set after hlist add, not before:

	 * loser_ct can still be visible to other cpu due to

	 * SLAB_TYPESAFE_BY_RCU.

	 */

	smp_mb__before_atomic();

	set_bit(IPS_CONFIRMED_BIT, &loser_ct->status);

	NF_CT_STAT_INC(net, clash_resolve);

	return NF_ACCEPT;

	 * user context, else we insert an already 'dead' hash, blocking

	 * further use of that particular connection -JM.

	 */

	ct->status |= IPS_CONFIRMED;

	if (unlikely(nf_ct_is_dying(ct))) {

		NF_CT_STAT_INC(net, insert_failed);

		goto dying;

		}

	}

	/* Timer relative to confirmation time, not original

	/* Timeout is relative to confirmation time, not original

	   setting time, otherwise we'd get timer wrap in

	   weird delay cases. */

	ct->timeout += nfct_time_stamp;

	__nf_conntrack_insert_prepare(ct);

	/* Since the lookup is lockless, hash insertion must be done after

	 * starting the timer and setting the CONFIRMED bit. The RCU barriers

	 * guarantee that no other CPU can find the conntrack before the above

	 * stores are visible.

	 * setting ct->timeout. The RCU barriers guarantee that no other CPU

	 * can find the conntrack before the above stores are visible.

	 */

	__nf_conntrack_hash_insert(ct, hash, reply_hash);

	/* IPS_CONFIRMED unset means 'ct not (yet) in hash', conntrack lookups

	 * skip entries that lack this bit.  This happens when a CPU is looking

	 * at a stale entry that is being recycled due to SLAB_TYPESAFE_BY_RCU

	 * or when another CPU encounters this entry right after the insertion

	 * but before the set-confirm-bit below.  This bit must not be set until

	 * after __nf_conntrack_hash_insert().

	 */

	smp_mb__before_atomic();

	set_bit(IPS_CONFIRMED_BIT, &ct->status);

	nf_conntrack_double_unlock(hash, reply_hash);

	local_bh_enable();