Hi Pablo, On Mon, May 11, 2020 at 12:03:56AM +0200, Pablo Neira Ayuso wrote: > On Wed, May 06, 2020 at 01:11:07PM +0200, Phil Sutter wrote: > > Expired intervals would still match and be dumped to user space until > > garbage collection wiped them out. Make sure they stop matching and > > disappear (from users' perspective) as soon as they expire. > > > > Fixes: 8d8540c4f5e03 ("netfilter: nft_set_rbtree: add timeout support") > > Signed-off-by: Phil Sutter <phil@xxxxxx> > > --- > > net/netfilter/nft_set_rbtree.c | 10 ++++++++-- > > 1 file changed, 8 insertions(+), 2 deletions(-) > > > > diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c > > index 3ffef454d4699..8efcea03a4cbb 100644 > > --- a/net/netfilter/nft_set_rbtree.c > > +++ b/net/netfilter/nft_set_rbtree.c > > @@ -75,7 +75,8 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set > > } else if (d > 0) > > parent = rcu_dereference_raw(parent->rb_right); > > else { > > - if (!nft_set_elem_active(&rbe->ext, genmask)) { > > + if (!nft_set_elem_active(&rbe->ext, genmask) || > > + nft_set_elem_expired(&rbe->ext)) { > > It seems _insert() does not allow for duplicates. I think it's better > if you just: > > return false; > > in case the element has expired, right? Ah yes, thanks. I'll send a v2. Thanks, Phil
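Review bot: Folding the expiry test into the existing `!nft_set_elem_active(&rbe->ext, genmask)` branch of `__nft_rbtree_lookup` sends an expired element down the same path as an element that is merely inactive in the current generation, yet the two cases are not equivalent: an inactive element may legitimately have an active counterpart elsewhere in the tree, whereas, as the reply points out, `_insert()` rejects duplicates, so once the exact-match element has expired there is no other element to fall through to. A separate `if (nft_set_elem_expired(&rbe->ext)) return false;` placed before the genmask check states that directly and ends the walk immediately. The body of the branch is not shown in this hunk, so whatever it does for inactive elements (the lines after the `{`) should be re-read to confirm it cannot report a match; the defensive intent of the patch, per the commit message, is that a timed-out interval must stop matching packets the moment it expires rather than until garbage collection runs, and an early `return false` is the simplest way to make that guarantee visible in the code. Worth mentioning in the v2 commit message that the dump path gets the same treatment, since the message promises expired elements also disappear from user space.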