netfilter: conntrack: add nf_ct_iterate_destroy

sledgehammer to be used on module unload (to remove affected conntracks from all namespaces). It will also flag all unconfirmed conntracks as dying, i.e. they will not be committed to main table. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2017-05-21 12:52:57 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2017-05-29 12:46:10 +0200
commit: 2843fb69980b84dfa939733c91dceae533aa89e9 (patch)
tree: 80efc8446362851d478a9d421991d7f2f0b7effd /include/net/netfilter/nf_conntrack.h
parent: netfilter: conntrack: don't call iter for non-confirmed conntracks (diff)
download: linux-dev-2843fb69980b84dfa939733c91dceae533aa89e9.tar.xz
linux-dev-2843fb69980b84dfa939733c91dceae533aa89e9.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index f21180ea4558..48407569585d 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -229,6 +229,10 @@ void nf_ct_iterate_cleanup_net(struct net *net,
 			       int (*iter)(struct nf_conn *i, void *data),
 			       void *data, u32 portid, int report);
 
+/* also set unconfirmed conntracks as dying. Only use in module exit path. */
+void nf_ct_iterate_destroy(int (*iter)(struct nf_conn *i, void *data),
+			   void *data);
+
 struct nf_conntrack_zone;
 
 void nf_conntrack_free(struct nf_conn *ct);
author	Florian Westphal <fw@strlen.de>	2017-05-21 12:52:57 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2017-05-29 12:46:10 +0200
commit	2843fb69980b84dfa939733c91dceae533aa89e9 (patch)
tree	80efc8446362851d478a9d421991d7f2f0b7effd /include/net/netfilter/nf_conntrack.h
parent	netfilter: conntrack: don't call iter for non-confirmed conntracks (diff)
download	linux-dev-2843fb69980b84dfa939733c91dceae533aa89e9.tar.xz linux-dev-2843fb69980b84dfa939733c91dceae533aa89e9.zip