@@ -165,7 +165,7 @@ void flow_offload_route_init(struct flow_offload *flow,
}
EXPORT_SYMBOL_GPL(flow_offload_route_init);
-static s32 flow_offload_fixup_tcp(struct net *net, struct nf_conn *ct,
+static u32 flow_offload_fixup_tcp(struct net *net, struct nf_conn *ct,
enum tcp_conntrack tcp_state)
{
struct nf_tcp_net *tn = nf_tcp_pernet(net);
@@ -181,7 +181,7 @@ static void flow_offload_fixup_ct(struct nf_conn *ct)
{
struct net *net = nf_ct_net(ct);
int l4num = nf_ct_protonum(ct);
- s32 timeout;
+ u32 timeout;
if (l4num == IPPROTO_TCP) {
timeout = flow_offload_fixup_tcp(net, ct, ct->proto.tcp.state);
@@ -192,14 +192,10 @@ static void flow_offload_fixup_ct(struct nf_conn *ct)
UDP_CT_REPLIED : UDP_CT_UNREPLIED;
timeout = tn->timeouts[state];
- timeout -= tn->offload_timeout;
} else {
return;
}
- if (timeout < 0)
- timeout = 0;
-
if (nf_flow_timeout_delta(READ_ONCE(ct->timeout)) > (__s32)timeout)
WRITE_ONCE(ct->timeout, nfct_time_stamp + timeout);
}
Do not subtract flow timeout from UDP timeout, simply use UDP timeout instead. Users can tweak UDP conntrack timeouts leading to zero conntrack timeout when handing over the flow back to classic conntrack path. Fixes: e5eaac2beb54 ("netfilter: flowtable: fix TCP flow teardown") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- v2: no changes, just rebase on top of 1/2 net/netfilter/nf_flow_table_core.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)