cache iterators: rework cache_reset_timers

This patch adds the clause PurgeTimeout that sets the new timer
when conntrackd -t is called. This command is particularly useful
when the sysadmin triggers hand-overs between several nodes without
rebooting as it reduces the timers of the remaining entries in
the kernel. Thus, avoiding clashes between new and old entries that
may trigger INVALID packets.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 11 insertions, 1 deletions

diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 33a435c..c7bce82 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -52,7 +52,7 @@ static void __kernel_filter_add_state(int value);
 %token T_GENERAL T_SYNC T_STATS T_RELAX_TRANSITIONS T_BUFFER_SIZE T_DELAY
 %token T_SYNC_MODE T_LISTEN_TO T_FAMILY T_RESEND_BUFFER_SIZE
 %token T_ALARM T_FTFW T_CHECKSUM T_WINDOWSIZE T_ON T_OFF
-%token T_REPLICATE T_FOR T_IFACE 
+%token T_REPLICATE T_FOR T_IFACE T_PURGE
 %token T_ESTABLISHED T_SYN_SENT T_SYN_RECV T_FIN_WAIT 
 %token T_CLOSE_WAIT T_LAST_ACK T_TIME_WAIT T_CLOSE T_LISTEN
 %token T_SYSLOG T_WRITE_THROUGH T_STAT_BUFFER_SIZE T_DESTROY_TIMEOUT
@@ -163,6 +163,11 @@ timeout: T_TIMEOUT T_NUMBER
 	conf.commit_timeout = $2;
 };
 
+purge: T_PURGE T_NUMBER
+{
+	conf.purge_timeout = $2;
+};
+
 checksum: T_CHECKSUM T_ON 
 {
 	conf.mcast.checksum = 0;
@@ -427,6 +432,7 @@ sync_list:
 sync_line: refreshtime
 	 | expiretime
 	 | timeout
+	 | purge
 	 | checksum
 	 | multicast_line
 	 | relax_transitions
@@ -987,6 +993,10 @@ init_config(char *filename)
 	if (CONFIG(commit_timeout) == 0)
 		CONFIG(commit_timeout) = 180;
 
+	/* default to 15 seconds: purge kernel entries */
+	if (CONFIG(purge_timeout) == 0)
+		CONFIG(purge_timeout) = 15;
+
 	/* default to 60 seconds of refresh time */
 	if (CONFIG(refresh) == 0)
 		CONFIG(refresh) = 60;