nfct: add flow end timestamp on hashtable purge
authorCorubba Smith <corubba@gmx.de>
Tue, 25 Mar 2025 00:26:16 +0000 (01:26 +0100)
committerFlorian Westphal <fw@strlen.de>
Tue, 25 Mar 2025 19:04:06 +0000 (20:04 +0100)
In polling mode during normal operation, as well as in event mode with
hashtable when an overrun occurs, the hashtable is fully re-synced
against conntrack. When removing flows from the hashtable that are no
longer in conntrack, there is no way to get the actual end timestamp of
the flow from conntrack because it is already gone. Since the last
conntrack data in the hashtable for these flows will never contain an
end timestamp in this case, set_timestamp_from_ct() will always fall
back to using the current time, aka when the plugin determines that the
flow disappeared from conntrack. That is only an approximation, but
should be good enough; and certainly more accurate than no end timestamp
at all.

Signed-off-by: Corubba Smith <corubba@gmx.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
input/flow/ulogd_inpflow_NFCT.c

index cdda74131749c727dfe07e015db190acc8bae4c4..fbebfb032a129e6eeb8c0e21fda1939e74e64898 100644 (file)
@@ -911,6 +911,7 @@ static int do_purge(void *data1, void *data2)
        /* if it is not in kernel anymore, purge it */
        ret = nfct_query(cpi->pgh, NFCT_Q_GET, ts->ct);
        if (ret == -1 && errno == ENOENT) {
+               set_timestamp_from_ct(ts, ts->ct, STOP);
                do_propagate_ct(upi, ts->ct, NFCT_T_DESTROY, ts);
                hashtable_del(cpi->ct_active, &ts->hashnode);
                nfct_destroy(ts->ct);
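Review bot: The added `set_timestamp_from_ct(ts, ts->ct, STOP)` call in the ENOENT branch records a synthetic end time, and nothing at the call site says so. Per the commit description the helper falls back to the current time in this path, so the propagated NFCT_T_DESTROY record carries the purge time, which presumably lags the real flow end by up to about one polling interval, or longer after an overrun resync. Anyone correlating these flow logs with other evidence during an investigation has to treat that value as an upper bound, so I would add a comment above the call such as `/* ct already gone from kernel: STOP falls back to now (purge time), an upper bound on the real flow end */`. The helper's body and the rest of do_purge() are outside this hunk, so the fallback behaviour is taken from the description rather than verified here.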