flow/manager: in offline mode, use owning threads time

As this may mean that a threads ts is a bit ahead of the minimum time
the flow manager normally uses, it can evict flows a bit faster.

Ticket: #7455.

diff --git a/src/flow-manager.c b/src/flow-manager.c
index 2a3d6f6f6a226534950d05674e432a7c43a478ef..52c7586a4f6ea6f69a40f32b425359c913db5b40 100644 (file)
--- a/src/flow-manager.c
+++ b/src/flow-manager.c
@@ -198,9 +198,19 @@ static bool FlowManagerFlowTimeout(Flow *f, SCTime_t ts, uint32_t *next_ts, cons
     if (*next_ts == 0 || (uint32_t)SCTIME_SECS(timesout_at) < *next_ts)
         *next_ts = (uint32_t)SCTIME_SECS(timesout_at);
 
-    /* do the timeout check */
-    if (SCTIME_CMP_LT(ts, timesout_at)) {
-        return false;
+    /* if time is live, we just use the `ts` */
+    if (TimeModeIsLive() || f->thread_id[0] == 0) {
+        /* do the timeout check */
+        if (SCTIME_CMP_LT(ts, timesout_at)) {
+            return false;
+        }
+    } else {
+        /* offline: take last ts from "owning" thread */
+        SCTime_t checkts = TmThreadsGetThreadTime(f->thread_id[0]);
+        /* do the timeout check */
+        if (SCTIME_CMP_LT(checkts, timesout_at)) {
+            return false;
+        }
     }
 
     return true;