
Commit e97d9404 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: flowtables: use fixed renew timeout on teardown



This is one of the very few external callers of ->get_timeouts(),

We can use a fixed timeout instead, conntrack core will refresh this in
case a new packet comes within this period.

Use of ESTABLISHED timeout seems way too huge anyway.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 6542df2f
+5 −8
@@ -107,11 +107,12 @@ static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)
	tcp->seen[1].td_maxwin = 0;
}

#define NF_FLOWTABLE_TCP_PICKUP_TIMEOUT	(120 * HZ)
#define NF_FLOWTABLE_UDP_PICKUP_TIMEOUT	(30 * HZ)

static void flow_offload_fixup_ct_state(struct nf_conn *ct)
{
	const struct nf_conntrack_l4proto *l4proto;
	struct net *net = nf_ct_net(ct);
	unsigned int *timeouts;
	unsigned int timeout;
	int l4num;

@@ -123,14 +124,10 @@ static void flow_offload_fixup_ct_state(struct nf_conn *ct)
	if (!l4proto)
		return;

	timeouts = l4proto->get_timeouts(net);
	if (!timeouts)
		return;

	if (l4num == IPPROTO_TCP)
		timeout = timeouts[TCP_CONNTRACK_ESTABLISHED];
		timeout = NF_FLOWTABLE_TCP_PICKUP_TIMEOUT;
	else if (l4num == IPPROTO_UDP)
		timeout = timeouts[UDP_CT_REPLIED];
		timeout = NF_FLOWTABLE_UDP_PICKUP_TIMEOUT;
	else
		return;
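Review bot: `NF_FLOWTABLE_TCP_PICKUP_TIMEOUT` and `NF_FLOWTABLE_UDP_PICKUP_TIMEOUT` are introduced without a comment, and the TCP/UDP branches in `flow_offload_fixup_ct_state()` now assign them unconditionally, so the per-netns table that `get_timeouts(net)` returned no longer influences this path. As far as these hunks show, an administrator who lowered the conntrack timeouts to limit table occupancy under load would still get 120 s / 30 s entries after teardown, so it is worth stating that this is intended. I would add above the defines `/* Timeout given to a conntrack entry on flow teardown; conntrack core refreshes it if a packet arrives in this window. Deliberately not taken from the per-netns timeout tables. */`. The function body starts before and continues after the second hunk, so how `timeout` is finally applied to `ct` is not visible here.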