From: Florian Westphal <fw@strlen.de>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [RFC nf-next 0/4] netfilter: conntrack: allow insertion of clashing entries
Date: Mon, 13 Jan 2020 15:04:45 +0100 [thread overview]
Message-ID: <20200113140445.GI795@breakpoint.cc> (raw)
In-Reply-To: <20200108134500.31727-1-fw@strlen.de>
Florian Westphal <fw@strlen.de> wrote:
> This series allows conntrack to insert a duplicate conntrack entry
> if the reply direction doesn't result in a clash with a different
> original connection.
>
> Background:
>
> kubernetes creates load-balancing rules for DNS using
> -m statistics, e.g.:
> -p udp --dport 53 -m statistics --mode random ... -j DNAT --to-destination x
> -p udp --dport 53 -m statistics --mode random ... -j DNAT --to-destination y
>
> When the resolver sends an A and AAAA request back-to-back from
> different threads on the same socket, this has a high chance of a connection
> tracking clash at insertion time.
>
> This in turn results in a drop of the clashing udp packet which then
> results in a 5 second DNS timeout.
I'd really like to get feedback for this patch set.
If it's deemed unacceptable that's OK, at least I can then tell users they
must change their rulesets to make this work.
If someone has alternative ideas on how to resolve this I'd be
interested as well.
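The clash described in the quoted cover letter, modelled as an added example in Python. This is not code from the patch series or from the kernel's conntrack implementation; it is a simplified model in which an entry is keyed by its original tuple (the packet as seen before DNAT) and its reply tuple (the answer direction after DNAT). The table, the VIP, the backend addresses and the client socket are all constructed values. The model shows why two DNS queries sent back-to-back from one socket, DNATed by `-m statistics --mode random` to different backends, collide at confirm time, and how the proposed relaxed policy (insert when only the original direction clashes and the reply direction is free) lets the second packet through:

```python
"""Toy model of conntrack confirm-time insertion with and without the
'clashing entry' policy from the RFC series. Constructed example; it is
not the kernel's conntrack code and omits timeouts, hash buckets and NAT
bookkeeping."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FlowTuple:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Conntrack:
    original: FlowTuple  # packet as first seen: client -> VIP, before DNAT
    reply: FlowTuple     # answer direction: chosen backend -> client


class ConntrackTable:
    def __init__(self, allow_clash: bool) -> None:
        self.allow_clash = allow_clash          # False: pre-series behaviour
        self.by_original: Dict[FlowTuple, Conntrack] = {}
        self.by_reply: Dict[FlowTuple, Conntrack] = {}
        self.dropped: List[Conntrack] = []

    def confirm(self, ct: Conntrack) -> bool:
        """Insert ct after NAT has run. Returns False if the packet is dropped."""
        orig_clash = self.by_original.get(ct.original)
        reply_clash = self.by_reply.get(ct.reply)
        if orig_clash is None and reply_clash is None:
            self.by_original[ct.original] = ct
            self.by_reply[ct.reply] = ct
            return True
        if orig_clash is not None and orig_clash.reply == ct.reply:
            # Same NAT mapping both times: same flow, reuse the existing entry.
            return True
        if reply_clash is not None:
            # Reply direction already belongs to a different connection: drop.
            self.dropped.append(ct)
            return False
        if not self.allow_clash:
            # Only the original tuple clashes, but the old policy drops anyway.
            self.dropped.append(ct)
            return False
        # Relaxed policy: the reply tuple is free, so insert the duplicate keyed
        # by its reply tuple only; answers from the second backend still match.
        self.by_reply[ct.reply] = ct
        return True


def dnat_packet(client: str, sport: int, vip: str, backend: str) -> Conntrack:
    """Build the entry a DNS query to the VIP gets after DNAT to one backend."""
    original = FlowTuple(client, sport, vip, 53)
    reply = FlowTuple(backend, 53, client, sport)
    return Conntrack(original, reply)


def simulate(allow_clash: bool, backends: List[str]) -> int:
    """Send one query per listed backend from a single client socket (constructed
    addresses) and return how many packets survive confirm-time insertion."""
    table = ConntrackTable(allow_clash)
    accepted = 0
    for backend in backends:
        ct = dnat_packet("10.244.2.3", 40000, "10.96.0.10", backend)
        if table.confirm(ct):
            accepted += 1
    return accepted


if __name__ == "__main__":
    # A and AAAA queries from the same socket; random DNAT picks x, then y.
    x, y = "10.244.0.5", "10.244.1.7"
    print("old policy accepted:", simulate(False, [x, y]))  # second packet dropped
    print("new policy accepted:", simulate(True, [x, y]))   # both inserted
```

The second query is only dropped when the random DNAT picks a different backend than the first; when both land on the same backend the mapping is identical and the entry is simply reused, which is why the failure is probabilistic rather than constant.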
Thread overview: 12+ messages
2020-01-08 13:44 [RFC nf-next 0/4] netfilter: conntrack: allow insertion of clashing entries Florian Westphal
2020-01-08 13:44 ` [RFC nf-next 1/4] netfilter: conntrack: remove two args from resolve_clash Florian Westphal
2020-01-08 13:44 ` [RFC nf-next 2/4] netfilter: conntrack: place confirm-bit setting in a helper Florian Westphal
2020-01-08 13:44 ` [RFC nf-next 3/4] netfilter: conntrack: split resolve_clash function Florian Westphal
2020-01-08 13:45 ` [RFC nf-next 4/4] netfilter: conntrack: allow insertion of duplicate/clashing entries Florian Westphal
2020-01-13 14:04 ` Florian Westphal [this message]
2020-01-13 23:53 ` [RFC nf-next 0/4] netfilter: conntrack: allow insertion of clashing entries Florian Westphal
2020-01-14 21:14 ` Kadlecsik József
2020-01-14 22:21 ` Florian Westphal
2020-01-15 7:58 ` Kadlecsik József
2020-01-16 11:19 ` Pablo Neira Ayuso
2020-01-16 11:37 ` Florian Westphal