Currently NF_CONNTRACK assumes that a running timer is present before refreshing the connection or destroying it. This may not be the case when, for example, another forwarding engine hooks up to it to listen to new connections but disables the NF_CONNTRACK timer in order to have more control. In such a scenario, only control packets may be terminated to NF_CONNTRACK for it to decode and update the connection status. It will not impact the present scenario of kernel forwarding without the aid of any forwarding engine. Signed-off-by: Kapil Juneja <Kapil.Juneja@xxxxxxxxxxxxx> Signed-off-by: Emil Medve <Emilian.Medve@xxxxxxxxxxxxx> --- net/netfilter/nf_conntrack_core.c | 16 ++++++++++------ 1 files changed, 10 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index a4d5cde..2d1f83c 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -791,10 +791,14 @@ void __nf_ct_refresh_acct(struct nf_conn *ct, /* Only update the timeout if the new timeout is at least HZ jiffies from the old timeout. Need del_timer for race avoidance (may already be dying). */ - if (newtime - ct->timeout.expires >= HZ - && del_timer(&ct->timeout)) { - ct->timeout.expires = newtime; - add_timer(&ct->timeout); + if (newtime - ct->timeout.expires >= HZ) { + /* + * The timer could have already been deleted + * while still alive (for example connection + * offloaded to a forwarding module other than + * the kernel stack). + */ + mod_timer(&ct->timeout, newtime); event = IPCT_REFRESH; } } @@ -928,8 +932,8 @@ nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data) while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) { /* Time to push up daises... */ - if (del_timer(&ct->timeout)) - death_by_timeout((unsigned long)ct); + del_timer(&ct->timeout); + death_by_timeout((unsigned long)ct); /* ... else the timer will get him soon. */ nf_ct_put(ct); -- 1.5.3.3 - To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html