author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-06-11 19:34:54 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-06-11 19:34:54 +0200 |
commit | 6dad06ec56eeb942a1785246bf91fe7100a21c7e (patch) | |
tree | 230827bbdf7d19b36c23f3d2bad9ced109d57c27 /src/sync-mode.c | |
parent | 5e696e022d8383bc7abe6e6ba37c2664679fe81f (diff) | |
conntrackd: use a permanent handler for flush operations
In 6f5666a29cb7cbff08ce926ee1edb84a311ff6ee, I moved the flush
operation into a child process and made it use a disposable handler
to perform flush requests. This patch adds a dedicated flush
handler since there is a possible race condition that can
happen if the child process ends before we have received all
the event messages that the flush request has triggered.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/sync-mode.c')
-rw-r--r-- | src/sync-mode.c | 23 |
1 files changed, 2 insertions, 21 deletions
diff --git a/src/sync-mode.c b/src/sync-mode.c
index 2da3604..102ecac 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
@@ -203,35 +203,16 @@ static void interface_handler(void)
 interface_candidate();
 }
-/* this is called once the flusher process has finished */
-static void flush_done_cb(void *data)
-{
- struct nfct_handle *h = data;
- origin_unregister(h);
- nfct_close(h);
-}
-
 static void do_reset_cache_alarm(struct alarm_block *a, void *data)
 {
- struct nfct_handle *h;
-
- /* disposable flusher handler */
- h = nfct_open(CONNTRACK, 0);
- if (h == NULL) {
- dlog(LOG_ERR, "cannot open flusher handler");
- return;
- }
- /* register this handler as the origin of a flush operation */
- origin_register(h, CTD_ORIGIN_FLUSH);
-
 STATE(stats).nl_kernel_table_flush++;
 dlog(LOG_NOTICE, "flushing kernel conntrack table (scheduled)");
 /* fork a child process that performs the flush operation,
 * meanwhile the parent process handles events. */
 if (fork_process_new(CTD_PROC_FLUSH, CTD_PROC_F_EXCL,
- flush_done_cb, h) == 0) {
- nl_flush_conntrack_table(h);
+ NULL, NULL) == 0) {
+ nl_flush_conntrack_table(STATE(flush));
 exit(EXIT_SUCCESS);
 }
 /* this is not required if events don't get lost */ |
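Review bot: The child in do_reset_cache_alarm() discards the result of `nl_flush_conntrack_table(STATE(flush))` and always exits with EXIT_SUCCESS, and with the completion callback now `NULL` nothing in this hunk reports a failed flush, even though the counter and the "flushing kernel conntrack table (scheduled)" notice have already been emitted. Assuming the call returns -1 on error, as the underlying libnetfilter_conntrack query does, adding `if (nl_flush_conntrack_table(STATE(flush)) == -1) exit(EXIT_FAILURE);` ahead of `exit(EXIT_SUCCESS);` would let whatever reaps the child see that the kernel table was not flushed. The removed code also refused to proceed when its handle could not be opened; where STATE(flush) is opened and checked is not visible here (the diffstat is limited to src/sync-mode.c), so confirm it cannot be NULL at this point. The function body continues past the end of the hunk.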