[PATCH] nf_conntrack_core: Updated nf_conntrack to destroy/refresh conn irrespective of del_timer status

Currently NF_CONNTRACK assumes that a running timer is present before refreshing
the connection or destroying it. This may not be the case when, for example,
another forwarding engine hooks up to it to listen to new connections
but disables the NF_CONNTRACK timer in order to have more control.
In such a scenario, only control packets may be terminated to NF_CONNTRACK for
it to decode and update the connection status. It will not impact the present
scenario of kernel forwarding without the aid of any forwarding engine. 

Signed-off-by: Kapil Juneja <Kapil.Juneja@xxxxxxxxxxxxx>
Signed-off-by: Emil Medve <Emilian.Medve@xxxxxxxxxxxxx>
---
 net/netfilter/nf_conntrack_core.c |   16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index a4d5cde..2d1f83c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -791,10 +791,14 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
 		/* Only update the timeout if the new timeout is at least
 		   HZ jiffies from the old timeout. Need del_timer for race
 		   avoidance (may already be dying). */
-		if (newtime - ct->timeout.expires >= HZ
-		    && del_timer(&ct->timeout)) {
-			ct->timeout.expires = newtime;
-			add_timer(&ct->timeout);
+		if (newtime - ct->timeout.expires >= HZ) {
+			/*
+			 * The timer could have already been deleted
+			 * while still alive (for example connection
+			 * offloaded to a forwarding module other than
+			 * the kernel stack).
+			 */
+			mod_timer(&ct->timeout, newtime);
 			event = IPCT_REFRESH;
 		}
 	}
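Review bot: replacing the `del_timer()` check with an unconditional `mod_timer(&ct->timeout, newtime)` removes the guard that the retained comment above it still describes ("Need del_timer for race avoidance (may already be dying)"). `mod_timer()` arms the timer whether or not it was pending, so a conntrack whose timer has already fired and is on its way through `death_by_timeout()` can have its timer re-armed here, which is the case the old `&& del_timer(&ct->timeout)` test excluded. An inactive timer now has two meanings, "dying" and "offloaded", and this code cannot tell them apart. Please make the offloaded state explicit (for example a status bit tested here) and keep the existing check for everything else. Either way, the comment at the top of the block needs updating, since it no longer matches the code.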
@@ -928,8 +932,8 @@ nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data)
 
 	while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) {
 		/* Time to push up daises... */
-		if (del_timer(&ct->timeout))
-			death_by_timeout((unsigned long)ct);
+		del_timer(&ct->timeout);
+		death_by_timeout((unsigned long)ct);
 		/* ... else the timer will get him soon. */
 
 		nf_ct_put(ct);
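Review bot: calling `death_by_timeout((unsigned long)ct)` unconditionally after `del_timer(&ct->timeout)` discards the return value that told this loop whether it owned the teardown. When `del_timer()` returns 0 because the timer has already expired and its handler is running or has run, `death_by_timeout()` will now be executed a second time for the same `ct`, with the second call operating on an entry that is already being torn down. The trailing comment "... else the timer will get him soon." is also left without an `if` to belong to. Please keep the conditional for the normal case and add a separate, explicit test for connections whose timer was deliberately disabled by the forwarding engine, so only those take the unconditional path.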
-- 
1.5.3.3
