shortcut-fe: Update kernel UDP timeout value on seen reply packets
Change-Id: Icd742058c2019188a4034609becf7d4d9e12949c
Signed-off-by: Xiaoping Fan <xfan@codeaurora.org>
diff --git a/shortcut-fe/sfe_cm.c b/shortcut-fe/sfe_cm.c
index c2e581e..72e5f34 100644
--- a/shortcut-fe/sfe_cm.c
+++ b/shortcut-fe/sfe_cm.c
@@ -29,6 +29,7 @@
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_zones.h>
#include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_timeout.h>
#include <linux/netfilter/xt_dscp.h>
#include <linux/if_bridge.h>
@@ -857,6 +858,37 @@
}
spin_unlock_bh(&ct->lock);
break;
+ case IPPROTO_UDP:
+ /*
+ * In Linux connection track, UDP flow has two timeout values:
+ * /proc/sys/net/netfilter/nf_conntrack_udp_timeout:
+ * this is for uni-direction UDP flow, normally its value is 60 seconds
+ * /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream:
+ * this is for bi-direction UDP flow, normally its value is 180 seconds
+ *
+ * Linux will update timer of UDP flow to stream timeout once it seen packets
+ * in reply direction. But if flow is accelerated by NSS or SFE, Linux won't
+ * see any packets. So we have to do the same thing in our stats sync message.
+ */
+ if (!test_bit(IPS_ASSURED_BIT, &ct->status) && acct) {
+ u_int64_t reply_pkts = atomic64_read(&SFE_ACCT_COUNTER(acct)[IP_CT_DIR_REPLY].packets);
+
+ if (reply_pkts != 0) {
+ struct nf_conntrack_l4proto *l4proto;
+ unsigned int *timeouts;
+
+ set_bit(IPS_SEEN_REPLY_BIT, &ct->status);
+ set_bit(IPS_ASSURED_BIT, &ct->status);
+
+ l4proto = __nf_ct_l4proto_find((sis->is_v6 ? AF_INET6 : AF_INET), IPPROTO_UDP);
+ timeouts = nf_ct_timeout_lookup(&init_net, ct, l4proto);
+
+ spin_lock_bh(&ct->lock);
+ ct->timeout.expires = jiffies + timeouts[UDP_CT_REPLIED];
+ spin_unlock_bh(&ct->lock);
+ }
+ }
+ break;
}
/*
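Review bot: The timeout lookup in the new `IPPROTO_UDP` case is pinned to `&init_net`, so a flow tracked in another network namespace would be given the initial namespace's UDP timeouts; `timeouts = nf_ct_timeout_lookup(nf_ct_net(ct), ct, l4proto);` ties it to the conntrack entry's own namespace. `__nf_ct_l4proto_find()` is an RCU-protected lookup, and the hunk does not show whether the caller already holds `rcu_read_lock()`, so that should be confirmed. The promotion is also gated on `acct`, so with conntrack accounting disabled an accelerated bidirectional flow would stay on the unreplied timeout and expire early; a comment such as `/* needs nf_conntrack_acct; without it the flow keeps the unreplied timeout */` above the `if` would make that dependency visible. The enclosing switch and function start and end outside the hunk.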