--- zzzz-none-000/linux-4.1.38/net/netfilter/nf_conntrack_proto_tcp.c 2017-01-18 18:48:06.000000000 +0000
+++ bcm63-7582-715/linux-4.1.38/net/netfilter/nf_conntrack_proto_tcp.c 2020-11-25 10:06:48.000000000 +0000
@@ -33,10 +33,18 @@
 #include
 #include
+#if defined(CONFIG_BCM_KF_BLOG) && defined(CONFIG_BLOG)
+#include
+#endif
+
+#if defined(CONFIG_BCM_KF_NETFILTER)
+static int nf_ct_tcp_be_liberal __read_mostly = 1;
+#else
 /* "Be conservative in what you do, be liberal in what you accept from others." If it's non-zero, we mark only out of window RST segments as INVALID. */
 static int nf_ct_tcp_be_liberal __read_mostly = 0;
+#endif
 /* If it is set to zero, we disable picking up already established connections. */
@@ -71,7 +79,11 @@
 static unsigned int tcp_timeouts[TCP_CONNTRACK_TIMEOUT_MAX] __read_mostly = {
 [TCP_CONNTRACK_SYN_SENT] = 2 MINS,
 [TCP_CONNTRACK_SYN_RECV] = 60 SECS,
+#if defined(CONFIG_BCM_KF_BLOG) && defined(CONFIG_BLOG)
+ [TCP_CONNTRACK_ESTABLISHED] = BLOG_NAT_TCP_DEFAULT_IDLE_TIMEOUT,
+#else
 [TCP_CONNTRACK_ESTABLISHED] = 5 DAYS,
+#endif
 [TCP_CONNTRACK_FIN_WAIT] = 2 MINS,
 [TCP_CONNTRACK_CLOSE_WAIT] = 60 SECS,
 [TCP_CONNTRACK_LAST_ACK] = 30 SECS,
@@ -85,6 +97,10 @@
 [TCP_CONNTRACK_UNACK] = 5 MINS,
 };
+#if defined(CONFIG_BCM_KF_BLOG) && defined(CONFIG_BLOG)
+unsigned int *tcp_timeout_established_blog_p = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED];
+#endif
+
 #define sNO TCP_CONNTRACK_NONE
 #define sSS TCP_CONNTRACK_SYN_SENT
 #define sSR TCP_CONNTRACK_SYN_RECV
@@ -872,6 +888,12 @@
 }
 /* Fall through */
 case TCP_CONNTRACK_IGNORE:
+#if defined(CONFIG_BCM_KF_BLOG) && defined(CONFIG_BLOG)
+ blog_lock();
+ blog_skip((struct sk_buff *)skb, blog_skip_reason_ct_tcp_state_ignore);
+ blog_unlock();
+#endif
+
 /* Ignored packets:
 *
 * Our connection entry may be out of sync, so ignore
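Review bot: The new `CONFIG_BCM_KF_NETFILTER` default `nf_ct_tcp_be_liberal = 1` turns off conntrack's TCP window tracking for everything except out-of-window RST, yet carries no comment explaining why, while the original explanation now sits only under `#else`. Liberal mode means rulesets that drop the `INVALID` state no longer reject out-of-window segments, so this vendor kernel ships with weaker stateful checking than upstream; operators can still restore the strict behaviour through the existing `nf_conntrack_tcp_be_liberal` sysctl, which is worth stating next to the default. Suggest hoisting the original comment above the `#if` and annotating the `= 1` line with `/* BCM default: window tracking off; presumably because accelerated flows bypass conntrack and leave window state stale -- confirm rationale */`.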
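Review bot: `BLOG_NAT_TCP_DEFAULT_IDLE_TIMEOUT` replaces `5 DAYS` in the `tcp_timeouts` table, so it must already be in jiffies like its neighbours (`2 MINS`, `60 SECS` expand through `HZ`), but nothing in the hunk shows its unit, and a seconds-valued constant here would be off by a factor of HZ. The macro comes from the `+#include` added in the first hunk, whose header name is not visible here, so the unit cannot be checked from this diff. A one-line comment on the entry, `/* jiffies; must stay in sync with blog_nat_tcp_def_idle_timeout */`, would pin it down for the next reader.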
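Review bot: `tcp_timeout_established_blog_p` is a non-static, file-wide pointer that the final hunk (`@@ -1584`) re-points at `tn->timeouts[TCP_CONNTRACK_ESTABLISHED]` of whichever network namespace was initialised most recently, and `tcp_timeout_estd_proc_hndlr` (`@@ -1401`) dereferences it on every sysctl access. With more than one namespace the pointer tracks only the last one, and once that namespace's per-net state is freed (presumably with the namespace; the allocation is outside this diff) it dangles, so a sysctl access from a surviving namespace reads freed memory. The handler already receives the correct per-net location in `table->data`, the same address the last hunk stores in `pn->ctl_table[2].data`, so the global can be dropped: `blog_nat_tcp_def_idle_timeout = *(unsigned int *)table->data;`. If the pointer is exported for blog code outside this file, that consumer has the same lifetime problem and needs a per-net accessor instead of a bare global.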
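Review bot: `blog_skip((struct sk_buff *)skb, ...)` casts a qualifier away, which suggests `skb` is `const struct sk_buff *` in the enclosing function (presumably `tcp_packet`, which starts outside the hunk); the same cast appears in the `@@ -1051` hunk. If `blog_skip` only reads the skb its prototype should take `const struct sk_buff *` so the cast disappears; if it writes blog state into the skb, that defeats the const contract the caller was given and deserves a comment such as `/* blog_skip updates skb blog metadata; skb is otherwise read-only here */`. The `blog_lock(); blog_skip(...); blog_unlock();` triple is repeated in both hunks, so a small `static inline` helper would keep the locking discipline in one place.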
@@ -1051,6 +1073,30 @@
 old_state, new_state);
 ct->proto.tcp.state = new_state;
+
+#if defined(CONFIG_BCM_KF_BLOG) && defined(CONFIG_BLOG)
+ blog_lock();
+ /* Abort and make this conntrack not BLOG eligible */
+ if (th->fin || th->rst) {
+ if ((ct->blog_key[IP_CT_DIR_ORIGINAL] != BLOG_KEY_FC_INVALID)
+ || (ct->blog_key[IP_CT_DIR_REPLY] != BLOG_KEY_FC_INVALID)) {
+ blog_notify(DESTROY_FLOWTRACK, (void*)ct,
+ (uint32_t)ct->blog_key[IP_CT_DIR_ORIGINAL],
+ (uint32_t)ct->blog_key[IP_CT_DIR_REPLY]);
+
+ /* Safe: In case blog client does not set key to 0 explicilty */
+ ct->blog_key[IP_CT_DIR_ORIGINAL] = BLOG_KEY_FC_INVALID;
+ ct->blog_key[IP_CT_DIR_REPLY] = BLOG_KEY_FC_INVALID;
+ }
+ if (th->fin) {
+ clear_bit(IPS_BLOG_BIT, &ct->status);
+ }
+ }
+ if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED)
+ blog_skip((struct sk_buff *)skb, blog_skip_reason_ct_tcp_state_not_est);
+ blog_unlock();
+#endif
+
 if (old_state != new_state && new_state == TCP_CONNTRACK_FIN_WAIT)
 ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
@@ -1094,6 +1140,14 @@
 set_bit(IPS_ASSURED_BIT, &ct->status);
 nf_conntrack_event_cache(IPCT_ASSURED, ct);
 }
+#if defined(CONFIG_BCM_KF_NETFILTER)
+ if (new_state == TCP_CONNTRACK_ESTABLISHED) {
+ if (ct->derived_timeout == 0xFFFFFFFF)
+ timeout = 0xFFFFFFFF - jiffies;
+ else if (ct->derived_timeout > 0)
+ timeout = ct->derived_timeout;
+ }
+#endif
 nf_ct_refresh_acct(ct, ctinfo, skb, timeout);
 return NF_ACCEPT;
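Review bot: `if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED)` re-reads the field that was assigned from `new_state` a few lines earlier; `if (new_state != TCP_CONNTRACK_ESTABLISHED)` says the same thing without the extra dereference under `blog_lock()`. The FIN/RST branch issues `DESTROY_FLOWTRACK` for both flags but clears `IPS_BLOG_BIT` only for FIN, so an RST-terminated conntrack stays blog-eligible; if that is deliberate (an RST presumably moves the entry to a closing state the check below skips anyway, which this hunk does not show) a comment like `/* RST: entry ages out in CLOSE; only FIN must block re-acceleration */` should say so, otherwise clear the bit for both. The key-reset comment has a typo (`explicilty`), and `(void*)ct` should be `(void *)ct` per kernel style.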
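Review bot: `timeout = 0xFFFFFFFF - jiffies;` in the `@@ -1094` hunk does not produce the "never expire" timeout that the `derived_timeout == 0xFFFFFFFF` sentinel appears to encode (inferred from the value; no comment says so). `jiffies` is `unsigned long` and starts at `INITIAL_JIFFIES`, which is `2^32 - 300*HZ`, so the expression is about five minutes right after boot, underflows on 64-bit once jiffies crosses 2^32, and on both widths shrinks toward zero as jiffies approaches each 32-bit boundary; assuming the usual `jiffies + timeout` refresh, an idle flow marked never-expire is actually expired five minutes after boot and again at every wrap, with the truncation into `timeout` (presumably `unsigned int`) hiding the arithmetic. The kernel idiom for "as long as possible" is `MAX_JIFFY_OFFSET` from `<linux/jiffies.h>`: `timeout = MAX_JIFFY_OFFSET;`, clamped to the width of `timeout` if it is narrower than `unsigned long`. Both `0xFFFFFFFF` literals should become one named constant, e.g. `#define BCM_CT_TIMEOUT_NEVER 0xFFFFFFFFU`, and the `else if (ct->derived_timeout > 0)` branch wants a comment stating that `derived_timeout` is in jiffies like the table entries.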
@@ -1401,6 +1455,19 @@
 };
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#if defined(CONFIG_BCM_KF_BLOG) && defined(CONFIG_BLOG)
+int tcp_timeout_estd_proc_hndlr(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+ int ret;
+ ret = proc_dointvec_jiffies(table, write, buffer, lenp, ppos);
+ /* on success update the blog time out to be same as tcp_timeout_established */
+ if (!ret)
+ blog_nat_tcp_def_idle_timeout = (unsigned int)*tcp_timeout_established_blog_p;
+ return ret;
+}
+#endif
+
 #ifdef CONFIG_SYSCTL
 static struct ctl_table tcp_sysctl_table[] = {
 {
@@ -1419,7 +1486,11 @@
 .procname = "nf_conntrack_tcp_timeout_established",
 .maxlen = sizeof(unsigned int),
 .mode = 0644,
+#if defined(CONFIG_BCM_KF_BLOG) && defined(CONFIG_BLOG)
+ .proc_handler = tcp_timeout_estd_proc_hndlr,
+#else
 .proc_handler = proc_dointvec_jiffies,
+#endif
 },
 {
 .procname = "nf_conntrack_tcp_timeout_fin_wait",
@@ -1508,7 +1579,11 @@
 .procname = "ip_conntrack_tcp_timeout_established",
 .maxlen = sizeof(unsigned int),
 .mode = 0644,
+#if defined(CONFIG_BCM_KF_BLOG) && defined(CONFIG_BLOG)
+ .proc_handler = tcp_timeout_estd_proc_hndlr,
+#else
 .proc_handler = proc_dointvec_jiffies,
+#endif
 },
 {
 .procname = "ip_conntrack_tcp_timeout_fin_wait",
@@ -1584,6 +1659,9 @@
 pn->ctl_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
 pn->ctl_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
+#if defined(CONFIG_BCM_KF_BLOG) && defined(CONFIG_BLOG)
+ tcp_timeout_established_blog_p = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
+#endif
 pn->ctl_table[2].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
 pn->ctl_table[3].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
 pn->ctl_table[4].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
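Review bot: `tcp_timeout_estd_proc_hndlr` is defined without `static` although its only users are the two `.proc_handler` initialisers in this file, and it copies the value on every successful call including reads, because the guard is `if (!ret)` rather than `if (!ret && write)`. Suggested lines: `static int tcp_timeout_estd_proc_hndlr(struct ctl_table *table, int write,` and `if (!ret && write)`. The assignment also means that writing `nf_conntrack_tcp_timeout_established` (or the compat `ip_conntrack_*` name) in any network namespace updates the single global `blog_nat_tcp_def_idle_timeout`, so the accelerator's idle timeout for every namespace can be changed from one of them; if that cross-namespace effect is not intended, restrict the update to the initial namespace and document it in the comment on the function.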