Florian Westphal <fw@xxxxxxxxx> wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > +static int
> > > +cmp_exp_timeout(const struct nf_expect *exp1, const struct nf_expect *exp2,
> > > + unsigned int flags)
> > > +{
> > > + return exp1->timeout == exp2->timeout;
> > > +}
> >
> > The timeout comparison needs to implement the __NFCT_CMP_TIMEOUT
> > logic, similar to nfct_cmp. Otherwise nfexp_cmp will break in
> > conntrackd with expect sync mode.
>
> You're right of course. I'll implement this and send a v2 of this
> patch.
Hrm, I think a better option is to not compare the expectation timeout
in the first place. I think the timeout is an irrelevant meta detail;
if the actual expectations are identical, nfexp_cmp should say so even
if they happen to have different timeouts.
In case users want a timeout compare, they could simply
nfexp_get_attr_u32(e1, ATTR_EXP_TIMEOUT) == ..._u32(e2, ATTR_EXP_TIMEOUT)?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
