netfilter: ctnetlink: support CTA_FILTER for flush

From cb8aa9a, we can use kernel side filtering for dump, but
this capability is not available for flush.

This Patch allows advanced filter with CTA_FILTER for flush

Performace
1048576 ct flows in total, delete 50,000 flows by origin src ip
3.06s -> dump all, compare and delete
584ms -> directly flush with filter

Signed-off-by: Changliang Wu <changliang.wu@smartx.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 4cbf71d..123e2e9 100644 (file)
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1579,9 +1579,6 @@ static int ctnetlink_flush_conntrack(struct net *net,
        };
 
        if (ctnetlink_needs_filter(family, cda)) {
-               if (cda[CTA_FILTER])
-                       return -EOPNOTSUPP;
-
                filter = ctnetlink_alloc_filter(cda, family);
                if (IS_ERR(filter))
                        return PTR_ERR(filter);
@@ -1610,14 +1607,14 @@ static int ctnetlink_del_conntrack(struct sk_buff *skb,
        if (err < 0)
                return err;
 
-       if (cda[CTA_TUPLE_ORIG])
+       if (cda[CTA_TUPLE_ORIG] && !cda[CTA_FILTER])
                err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
                                            family, &zone);
-       else if (cda[CTA_TUPLE_REPLY])
+       else if (cda[CTA_TUPLE_REPLY] && !cda[CTA_FILTER])
                err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
                                            family, &zone);
        else {
-               u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
+               u8 u3 = info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC;
 
                return ctnetlink_flush_conntrack(info->net, cda,
                                                 NETLINK_CB(skb).portid,