[PATCH nf 2/2] netfilter: flowtable: use UDP timeout after flow teardown

Do not subtract flow timeout from UDP timeout, simply use UDP timeout
instead. Users can tweak UDP conntrack timeouts leading to zero
conntrack timeout when handing over the flow back to classic conntrack
path.

Fixes: e5eaac2beb54 ("netfilter: flowtable: fix TCP flow teardown")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
Follow up patch after:
[nf] netfilter: flowtable: infer TCP state and timeout before flow teardown
which should have been 1/2.

 net/netfilter/nf_flow_table_core.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 481fe3d96bbc..21286775cb32 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -165,7 +165,7 @@ void flow_offload_route_init(struct flow_offload *flow,
 }
 EXPORT_SYMBOL_GPL(flow_offload_route_init);
 
-static s32 flow_offload_fixup_tcp(struct net *net, struct nf_conn *ct,
+static u32 flow_offload_fixup_tcp(struct net *net, struct nf_conn *ct,
 				  enum tcp_conntrack tcp_state)
 {
 	struct nf_tcp_net *tn = nf_tcp_pernet(net);
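
Review bot: the changelog covers only the UDP path, but the return type of flow_offload_fixup_tcp() changes from s32 to u32 here without a word on why. The function body is outside this hunk, so it cannot be checked from the visible lines whether any path there can still produce a negative value; if one can, it would now wrap to a large timeout instead of being clamped. Please add a sentence to the commit message explaining the signedness change and confirm that it relies on the "infer TCP state and timeout before flow teardown" patch named below the changelog.
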
@@ -187,7 +187,7 @@ static void flow_offload_fixup_ct(struct nf_conn *ct)
 {
 	struct net *net = nf_ct_net(ct);
 	int l4num = nf_ct_protonum(ct);
-	s32 timeout;
+	u32 timeout;
 
 	if (l4num == IPPROTO_TCP) {
 		timeout = flow_offload_fixup_tcp(net, ct,
@@ -199,14 +199,10 @@ static void flow_offload_fixup_ct(struct nf_conn *ct)
 			UDP_CT_REPLIED : UDP_CT_UNREPLIED;
 
 		timeout = tn->timeouts[state];
-		timeout -= tn->offload_timeout;
 	} else {
 		return;
 	}
 
-	if (timeout < 0)
-		timeout = 0;
-
 	if (nf_flow_timeout_delta(READ_ONCE(ct->timeout)) > (__s32)timeout)
 		WRITE_ONCE(ct->timeout, nfct_time_stamp + timeout);
 }
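
Review bot: the comparison at the end of flow_offload_fixup_ct() keeps the `(__s32)timeout` cast even though `timeout` is now u32 and the `if (timeout < 0)` clamp is removed. With the clamp gone, nothing in the visible lines bounds the value taken from `tn->timeouts[state]`, so a value above S32_MAX would be read as negative in that comparison while `nfct_time_stamp + timeout` adds it as unsigned. Either add a short comment stating why the signed comparison is still wanted and what range the timeout is expected to stay in, or drop the cast if it is no longer needed.
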
-- 
2.30.2




