On Fri, Aug 24, 2018 at 08:43:36AM +0200, Florian Westphal wrote:
> Using a private template is problematic:
>
> 1. We can't assign both a zone and a timeout policy
>    (zone assigns a conntrack template, so we hit problem 1)
> 2. Using a template needs to take care of ct refcount, else we'll
>    eventually free the private template due to ->use underflow.
>
> This patch reworks template policy to instead work with existing conntrack.
>
> As long as such conntrack has not yet been placed into the hash table
> (unconfirmed) we can still add the timeout extension.
>
> The only caveat is that we now need to update/correct ct->timeout to
> reflect the initial/new state, otherwise the conntrack entry retains the
> default 'new' timeout.
>
> Side effect of this change is that setting the policy must
> now occur from chains that are evaluated *after* the conntrack lookup
> has taken place.
>
> No released kernel contains the timeout policy feature yet, so this change
> should be ok.

Also applied, thanks Florian.
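An added illustration of the side effect described above, not part of the patch or of this thread: the timeout policy must be set from a chain that the kernel evaluates after the conntrack hook, which sits on prerouting/output at priority -200 (NF_IP_PRI_CONNTRACK). The table, chain and object names below are made up; the syntax assumed is the nftables "ct timeout" object and "ct timeout set" statement as shipped in nft releases after this patch.

```nft
# Added example (not from the patch or the thread). Names are assumed;
# syntax is nftables "ct timeout" as released after this change.
table ip filter {
	ct timeout short-tcp {
		protocol tcp
		l3proto ip
		policy = { established: 120, close: 10 }
	}

	# Works: the input hook runs after conntrack (prerouting, priority
	# -200), so the first packet of a flow carries a still-unconfirmed
	# ct entry and the rule can attach the timeout extension to it.
	# Later packets of the same flow see a confirmed entry and the
	# statement is a no-op for them, matching the commit message.
	chain input {
		type filter hook input priority 0; policy accept;
		tcp dport 8080 ct timeout set "short-tcp"
	}

	# Does not work after this patch: priority -300 runs before the
	# conntrack hook, so no ct entry exists yet and there is nothing
	# for the policy to be attached to. Kept commented out on purpose.
	chain early {
		type filter hook prerouting priority -300; policy accept;
		# tcp dport 8080 ct timeout set "short-tcp"
	}
}
```

A quick check for an existing ruleset: any chain containing "ct timeout set" should have a hook priority above -200 on prerouting/output (input, forward and postrouting are always after conntrack), otherwise the policy is silently never applied.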