On Tue, Nov 28, 2017 at 01:12:44AM +0100, Florian Westphal wrote: > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > On Wed, Nov 15, 2017 at 03:01:13PM -0800, Jay Elliott wrote: > > > When the conntracking code multiplies a timeout by HZ, it can overflow > > > from positive to negative; this causes it to instantly expire. To > > > protect against this the multiplication is done in 64-bit so we can > > > prevent it from exceeding INT_MAX. > > > > This is something you must be observing via conntrack utility or > > conntrackd? > > nf_ct_is_expired() will consider a ct as expired if the delta > between current time and the (future) timeout is > 2**31. > > This triggers when ctnetlink configures a timeout larger than 2**31. > > The patch looks correct to me. > > Acked-by: Florian Westphal <fw@xxxxxxxxx> I'll pass this to net instead, this is likely breaking conntrackd. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
