Depending on your conntrackd configuration, events might get lost, leaving stuck entries in the cache forever. Skip checking the conntrack ID to allow for lazy cleanup by when a new entry that represented by the same tuple.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
src/cache-ct.c | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/src/cache-ct.c b/src/cache-ct.c
index fe01e165516c..f56e450e6cf2 100644
--- a/src/cache-ct.c
+++ b/src/cache-ct.c
@@ -90,21 +90,12 @@ cache_ct_hash(const void *data, const struct hashtable *table)
 return ret;
 }
 
-/* master conntrack of expectations have no ID */
-static inline int
-cache_ct_cmp_id(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2)
-{
- return nfct_attr_is_set(ct2, ATTR_ID) ?
- nfct_get_attr_u32(ct1, ATTR_ID) == nfct_get_attr_u32(ct2, ATTR_ID) : 1;
-}
-
 static int cache_ct_cmp(const void *data1, const void *data2)
 {
 const struct cache_object *obj = data1;
 const struct nf_conntrack *ct = data2;
 
- return nfct_cmp(obj->ptr, ct, NFCT_CMP_ORIG) &&
- cache_ct_cmp_id(obj->ptr, ct);
+ return nfct_cmp(obj->ptr, ct, NFCT_CMP_ORIG);
 }
 
 static void *cache_ct_alloc(void)
-- 
2.30.2
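Review bot: cache_ct_cmp now matches on the original tuple alone, but nothing in the code says why ATTR_ID is deliberately ignored; the rationale (reclaiming an entry whose destroy event was lost) lives only in the commit message, and the removed comment that explained the old ID rule disappears with the helper. A one-line comment above the new return, `/* Original tuple only: a new conntrack reusing the tuple must match a stale entry whose destroy event was lost, so ATTR_ID is deliberately not compared. */`, would stop a later maintainer from re-adding the check as a "fix". Since the ID no longer participates in matching, any path outside this hunk that still stores or compares the cached object's ID (for instance when deciding whether a lookup hit is an update of the same flow or a replacement by a new one) is worth re-checking under the new semantics. cache_ct_cmp is fully within the hunk; cache_ct_hash and cache_ct_alloc are only partially visible.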