From: Victor Julien Date: Tue, 17 Sep 2024 18:52:14 +0000 (+0200) Subject: flow/manager: in offline mode, use owning threads time X-Git-Tag: suricata-8.0.0-beta1~588 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef396f7509ccef47afa949eb1f463a29130213b5;p=thirdparty%2Fsuricata.git flow/manager: in offline mode, use owning threads time As this may mean that a threads ts is a bit ahead of the minimum time the flow manager normally uses, it can evict flows a bit faster. Ticket: #7455.
---
diff --git a/src/flow-manager.c b/src/flow-manager.c
index 2a3d6f6f6a..52c7586a4f 100644
--- a/src/flow-manager.c
+++ b/src/flow-manager.c
@@ -198,9 +198,19 @@ static bool FlowManagerFlowTimeout(Flow *f, SCTime_t ts, uint32_t *next_ts, cons
 if (*next_ts == 0 || (uint32_t)SCTIME_SECS(timesout_at) < *next_ts)
 *next_ts = (uint32_t)SCTIME_SECS(timesout_at);
- /* do the timeout check */
- if (SCTIME_CMP_LT(ts, timesout_at)) {
- return false;
+ /* if time is live, we just use the `ts` */
+ if (TimeModeIsLive() || f->thread_id[0] == 0) {
+ /* do the timeout check */
+ if (SCTIME_CMP_LT(ts, timesout_at)) {
+ return false;
+ }
+ } else {
+ /* offline: take last ts from "owning" thread */
+ SCTime_t checkts = TmThreadsGetThreadTime(f->thread_id[0]);
+ /* do the timeout check */
+ if (SCTIME_CMP_LT(checkts, timesout_at)) {
+ return false;
+ }
 }
 return true;
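Review bot: In the offline branch, `f->thread_id[0]` is read twice (once in the `== 0` test, once as the argument to `TmThreadsGetThreadTime`) and the returned time is compared with no sanity check. If the flow is not locked here, which the hunk does not show, the two reads can disagree. If `TmThreadsGetThreadTime` can return an unset time for a thread that has not yet stamped a packet (its body is not visible here), `SCTIME_CMP_LT(checkts, timesout_at)` stays true and this path never evicts the flow, so the flow table can keep growing on a long pcap. Reading the id once into a local `tid` and selecting the timestamp first would make this explicit and remove the duplicated comparison: `const SCTime_t checkts = (TimeModeIsLive() || tid == 0) ? ts : TmThreadsGetThreadTime(tid);` followed by the single `if (SCTIME_CMP_LT(checkts, timesout_at))` check. The opening comment should also say why `thread_id[0] == 0` falls back to `ts`, presumably because no thread owns the flow yet; FlowManagerFlowTimeout starts and ends outside the hunk.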